Third Edition
Corporate Computer
Security
Randall J. Boyle
University of Utah
Raymond R. Panko
University of Hawai`i at Manoa
Boston Columbus Indianapolis New York San Francisco Upper Saddle River
Amsterdam Cape Town Dubai London Madrid Milan Munich Paris Montreal Toronto
Delhi Mexico City Sao Paulo Sydney Hong Kong Seoul Singapore Taipei Tokyo
To Courtney Boyle, thank you for your patience, kindness,
and perspective on what’s most important in life.
—Randy Boyle
To Julia Panko, my long-time networking and security editor
and one of the best technology minds I’ve ever encountered.
—Ray Panko
Editorial Director: Sally Yagan
Executive Editor: Bob Horan
Director of Editorial Services: Ashley Santora
Senior Project Manager: Kelly Loftus
Production Project Manager: Debbie Ryan
Director of Marketing: Maggie Moylan
Executive Marketing Manager: Anne Fahlgren
Creative Director: Jayne Conte
Cover Designer: Suzanne Behnke
Full-Service Project Management: George Jacob
Composition: Integra
Printer/Binder: Courier/Westford
Cover Printer: Lehigh
Text Font: Palatino 10/12
Credits and acknowledgments borrowed from other sources and reproduced, with permission, in this
textbook appear on the appropriate page within text.
Microsoft® and Windows® are registered trademarks of the Microsoft Corporation in the U.S.A. and other
countries. Screen shots and icons reprinted with permission from the Microsoft Corporation. This book
is not sponsored or endorsed by or affiliated with the Microsoft Corporation.
Copyright © 2013, 2010, 2004 by Pearson Education, Inc., publishing as Prentice Hall. All rights reserved.
Manufactured in the United States of America. This publication is protected by Copyright, and permission
should be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or
transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. To
obtain permission(s) to use material from this work, please submit a written request to Pearson Education,
Inc., Permissions Department, One Lake Street, Upper Saddle River, New Jersey 07458, or you may fax your
request to 201-236-3290.
Many of the designations by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and the publisher was aware of a trademark
claim, the designations have been printed in initial caps or all caps.
Library of Congress Cataloging-in-Publication Data
Boyle, Randall J.
Corporate computer security.—3rd ed. / Randall J. Boyle, Raymond R. Panko.
p. cm.
Panko’s name appears first on the earlier edition.
ISBN-13: 978-0-13-214535-0
ISBN-10: 0-13-214535-9
1. Computer security. 2. Computer networks—Security measures. 3. Electronic data processing
departments—Security measures. I. Panko, Raymond R. II. Title.
QA76.9.A25P36 2013
005.8—dc23
2011035372
10 9 8 7 6 5 4 3 2 1
ISBN 10: 0-13-214535-9
ISBN 13: 978-0-13-214535-0
CONTENTS
Preface xviii
About the Authors xxiv
Chapter 1 The Threat Environment 1
1.1 Introduction 1
Basic Security Terminology 2
THE THREAT ENVIRONMENT 2
SECURITY GOALS 3
COMPROMISES 3
COUNTERMEASURES 3
Case Study: The TJX Data Breach 4
THE TJX COMPANIES, INC. 4
DISCOVERY 4
THE BREAK-INS 6
THE PAYMENT CARD INDUSTRY–DATA
SECURITY STANDARD 7
THE FALLOUT: LAWSUITS AND
INVESTIGATIONS 8
PROSECUTION 8
1.2 Employee and Ex-employee
Threats 9
Why Employees Are Dangerous 10
Employee Sabotage 10
Employee Hacking 12
Employee Financial Theft and Theft of
Intellectual Property 13
Employee Extortion 14
Employee Sexual or Racial
Harassment 15
Employee Computer and Internet
Abuse 15
INTERNET ABUSE 15
NON-INTERNET COMPUTER ABUSE 16
Data Loss 16
Other “Internal” Attackers 17
1.3 Malware 17
Malware Writers 18
Viruses 18
Worms 20
Blended Threats 21
Payloads 21
Trojan Horses and Rootkits 22
NONMOBILE MALWARE 22
TROJAN HORSES 22
REMOTE ACCESS TROJANS 23
DOWNLOADERS 24
SPYWARE 24
ROOTKITS 24
Mobile Code 25
Social Engineering in Malware 25
SPAM 26
PHISHING 26
SPEAR PHISHING 29
HOAXES 29
1.4 Hackers and Attacks 30
Traditional Motives 30
Anatomy of a Hack 32
TARGET SELECTION 32
RECONNAISSANCE PROBES 32
THE EXPLOIT 33
SPOOFING 33
Social Engineering in an Attack 35
Denial-of-Service Attacks 37
Skill Levels 38
1.5 The Criminal Era 40
Dominance by Career Criminals 40
CYBERCRIME 40
INTERNATIONAL GANGS 41
BLACK MARKETS AND MARKET
SPECIALIZATION 42
Fraud, Theft, and Extortion 45
FRAUD 46
FINANCIAL AND INTELLECTUAL PROPERTY
THEFT 46
EXTORTION AGAINST CORPORATIONS 47
Stealing Sensitive Data about
Customers and Employees 48
CARDING 48
iii
BANK ACCOUNT THEFT 48
ONLINE STOCK ACCOUNT THEFT 48
IDENTITY THEFT 48
THE CORPORATE CONNECTION 49
CORPORATE IDENTITY THEFT 49
1.6 Competitor Threats 50
Commercial Espionage 50
Denial-of-Service Attacks 52
1.7 Cyberwar and Cyberterror 53
Cyberwar 53
Cyberterror 54
1.8 Conclusion 55
Thought Questions 56 • Hands-on
Projects 57 • Project Thought
Questions 58 • Perspective
Questions 58
Chapter 2 Planning and Policy 59
2.1 Introduction 60
Defense 60
Management Processes 61
MANAGEMENT IS THE HARD PART 61
COMPREHENSIVE SECURITY 61
WEAKEST LINKS FAILURES 61
THE NEED TO PROTECT MANY
RESOURCES 63
The Need for a Disciplined Security
Management Process 63
The Plan–Protect–Respond Cycle 64
PLANNING 64
PROTECTION 64
RESPONSE 66
Vision in Planning 66
VIEWING SECURITY AS AN ENABLER 66
DEVELOPING POSITIVE VISIONS OF USERS 67
Strategic IT Security Planning 68
2.2 Compliance Laws and
Regulations 69
Driving Forces 69
Sarbanes–Oxley 70
Privacy Protection Laws 72
Data Breach Notification Laws 74
The Federal Trade Commission 75
Industry Accreditation 75
PCI-DSS 75
FISMA 75
2.3 Organization 76
Chief Security Officers 76
Should You Place Security within IT? 76
LOCATING SECURITY WITHIN IT 78
PLACING SECURITY OUTSIDE IT 78
A HYBRID SOLUTION 78
Top Management Support 79
Relationships with Other
Departments 79
SPECIAL RELATIONSHIPS 79
ALL CORPORATE DEPARTMENTS 80
BUSINESS PARTNERS 80
Outsourcing IT Security 81
E-MAIL OUTSOURCING 81
MANAGED SECURITY SERVICE
PROVIDER 84
2.4 Risk Analysis 85
Reasonable Risk 86
Classic Risk Analysis Calculations 86
ASSET VALUE 86
EXPOSURE FACTOR 87
SINGLE LOSS EXPECTANCY 87
ANNUALIZED PROBABILITY (OR RATE)
OF OCCURRENCE 87
ANNUALIZED LOSS EXPECTANCY 87
COUNTERMEASURE IMPACT 87
ANNUALIZED COUNTERMEASURE COST
AND NET VALUE 88
Problems with Classic Risk Analysis
Calculations 90
UNEVEN MULTIYEAR CASH FLOWS 90
TOTAL COST OF INCIDENT 90
MANY-TO-MANY RELATIONSHIPS BETWEEN
COUNTERMEASURES AND RESOURCES 90
THE IMPOSSIBILITY OF COMPUTING
ANNUALIZED RATES OF OCCURRENCE 90
THE PROBLEM WITH “HARD-HEADED
THINKING” 92
PERSPECTIVE 92
Responding to Risk 93
RISK REDUCTION 93
RISK ACCEPTANCE 93
RISK TRANSFERENCE (INSURANCE) 94
RISK AVOIDANCE 94
2.5 Technical Security Architecture 94
Technical Security Architectures 94
ARCHITECTURAL DECISIONS 95
DEALING WITH LEGACY SECURITY
TECHNOLOGY 95
Principles 95
DEFENSE IN DEPTH 95
DEFENSE IN DEPTH VERSUS WEAKEST
LINKS 97
SINGLE POINTS OF VULNERABILITY 97
MINIMIZING SECURITY BURDENS 97
REALISTIC GOALS 97
Elements of a Technical Security
Architecture 98
BORDER MANAGEMENT 98
INTERNAL SITE SECURITY MANAGEMENT 98
MANAGEMENT OF REMOTE
CONNECTIONS 98
INTERORGANIZATIONAL SYSTEMS 99
CENTRALIZED SECURITY MANAGEMENT 99
2.6 Policy-Driven Implementation 99
Policies 99
WHAT ARE POLICIES? 99
WHAT, NOT HOW 99
CLARITY 100
Categories of Security Policies 100
CORPORATE SECURITY POLICY 100
MAJOR POLICIES 101
ACCEPTABLE USE POLICY 101
POLICIES FOR SPECIFIC COUNTERMEASURES
OR RESOURCES 102
Policy-Writing Teams 103
Implementation Guidance 103
NO GUIDANCE 105
STANDARDS AND GUIDELINES 105
Types of Implementation
Guidance 105
PROCEDURES 105
PROCESSES 106
BASELINES 106
BEST PRACTICES AND RECOMMENDED
PRACTICES 107
ACCOUNTABILITY 107
ETHICS 107
Exception Handling 109
Oversight 110
POLICIES AND OVERSIGHT 110
PROMULGATION 110
ELECTRONIC MONITORING 111
SECURITY METRICS 111
AUDITING 113
ANONYMOUS PROTECTED HOTLINE 113
BEHAVIORAL AWARENESS 114
FRAUD 114
SANCTIONS 116
2.7 Governance Frameworks 117
COSO 118
THE COSO FRAMEWORK 118
OBJECTIVES 118
REASONABLE ASSURANCE 118
COSO FRAMEWORK COMPONENTS 118
CobiT 120
THE COBIT FRAMEWORK 121
DOMINANCE IN THE UNITED STATES 121
The ISO/IEC 27000 Family 122
ISO/IEC 27002 122
ISO/IEC 27001 122
OTHER 27000 STANDARDS 122
2.8 Conclusion 123
Thought Questions 124 • Hands-on
Projects 124 • Project Thought
Questions 125 • Perspective
Questions 125
Chapter 3 Cryptography 127
3.1 What is Cryptography? 128
Encryption for Confidentiality 129
Terminology 129
PLAINTEXT 129
ENCRYPTION AND CIPHERTEXT 129
CIPHER 130
KEY 130
KEEPING THE KEY SECRET 130
The Simple Cipher 130
Cryptanalysis 131
Substitution and Transposition
Ciphers 132
Substitution Ciphers 132
Transposition Ciphers 132
Real-world Encryption 133
Ciphers and Codes 133
Symmetric Key Encryption 134
KEY LENGTH 135
Human Issues in Cryptography 137
3.2 Symmetric Key Encryption
Ciphers 139
RC4 139
The Data Encryption Standard
(DES) 140
56-BIT KEY SIZE 140
BLOCK ENCRYPTION 141
Triple DES (3DES) 141
168-BIT 3DES OPERATION 141
112-BIT 3DES 141
PERSPECTIVE ON 3DES 141
Advanced Encryption Standard
(AES) 142
Other Symmetric Key Encryption
Ciphers 143
3.3 Cryptographic System
Standards 145
Cryptographic Systems 145
Initial Handshaking Stages 145
NEGOTIATION 145
INITIAL AUTHENTICATION 146
KEYING 147
Ongoing Communication 147
3.4 The Negotiation Stage 147
Cipher Suite Options 148
Cipher Suite Policies 148
3.5 Initial Authentication Stage 149
Authentication Terminology 149
Hashing 149
Initial Authentication with
MS-CHAP 151
ON THE SUPPLICANT’S MACHINE:
HASHING 151
ON THE VERIFIER SERVER 151
3.6 The Keying Stage 152
Session Keys 152
Public Key Encryption for
Confidentiality 153
TWO KEYS 153
PROCESS 153
PADLOCK AND KEY ANALOGY 153
HIGH COST AND SHORT MESSAGE
LENGTHS 154
RSA AND ECC 154
KEY LENGTH 154
Symmetric Key Keying Using Public
Key Encryption 155
Symmetric Key Keying Using
Diffie–Hellman Key Agreement 156
3.7 Message-By-Message
Authentication 157
Electronic Signatures 157
Public Key Encryption for
Authentication 157
Message-by-Message Authentication
with Digital Signatures 158
DIGITAL SIGNATURES 158
HASHING TO PRODUCE THE MESSAGE
DIGEST 158
SIGNING THE MESSAGE DIGEST TO PRODUCE
THE DIGITAL SIGNATURE 158
SENDING THE MESSAGE WITH
CONFIDENTIALITY 159
VERIFYING THE SUPPLICANT 160
MESSAGE INTEGRITY 160
PUBLIC KEY ENCRYPTION FOR
CONFIDENTIALITY AND
AUTHENTICATION 160
Digital Certificates 161
CERTIFICATE AUTHORITIES 161
DIGITAL CERTIFICATE 162
VERIFYING THE DIGITAL CERTIFICATE 163
THE ROLES OF THE DIGITAL CERTIFICATE
AND DIGITAL SIGNATURE 164
Key-Hashed Message Authentication
Codes (HMACs) 166
Creating and Testing the HMAC 166
Nonrepudiation 166
THE PROBLEM WITH DIGITAL
SIGNATURES 166
3.8 Quantum Security 169
3.9 Cryptographic Systems 170
Virtual Private Networks (VPNs) 171
Why VPNs? 172
Host-to-Host VPNs 172
Remote Access VPNs 172
Site-to-Site VPNs 173
3.10 SSL/TLS 173
Nontransparent Protection 174
Inexpensive Operation 174
SSL/TLS Gateways and Remote Access
VPNs 175
VPN GATEWAY STANDARDS 175
AUTHENTICATION 175
CONNECTING THE CLIENT PC TO AUTHORIZED
RESOURCES 175
SECURITY FOR SERVICES 176
BROWSER ON THE CLIENT 177
ADVANCED SERVICES REQUIRE
ADMINISTRATOR PRIVILEGES ON PCS 178
PERSPECTIVE 179
3.11 IPsec 179
Attractions of IPsec 180
SSL/TLS GIVES NONTRANSPARENT
TRANSPORT LAYER SECURITY 180
IPSEC: TRANSPARENT INTERNET LAYER
SECURITY 180
IPSEC IN BOTH IPV4 AND IPV6 181
IPsec Transport Mode 181
HOST-TO-HOST SECURITY 181
END-TO-END PROTECTION 182
COST OF SETUP 182
IPSEC IN TRANSPORT MODE AND
FIREWALLS 182
IPsec Tunnel Mode 183
PROTECTION IS PROVIDED BY IPSEC
GATEWAYS 183
LESS EXPENSIVE THAN TRANSPORT
MODE 183
FIREWALL-FRIENDLY PROTECTION 183
NO PROTECTION WITHIN THE TWO SITES 183
IPsec Security Associations (SAs) 184
SEPARATE SAS IN THE TWO DIRECTIONS 184
POLICY-BASED SA 184
3.12 Conclusion 185
Thought Questions 187 • Hands-on
Projects 188 • Project Thought
Questions 190 • Perspective
Questions 190
Chapter 4 Secure Networks 191
4.1 Introduction 191
Creating Secure Networks 192
AVAILABILITY 192
CONFIDENTIALITY 192
FUNCTIONALITY 193
ACCESS CONTROL 193
Future of Secure Networks 193
DEATH OF THE PERIMETER 194
RISE OF THE CITY 194
4.2 DoS Attacks 195
Denial of Service . . . But Not an
Attack 195
FAULTY CODING 195
REFERRALS FROM LARGE SITES 196
Goal of DoS Attacks 196
STOP CRITICAL SERVICES 196
DEGRADE SERVICES 196
Methods of DoS Attacks 198
DIRECT AND INDIRECT ATTACKS 198
INTERMEDIARY 200
REFLECTED ATTACK 203
SENDING MALFORMED PACKETS 204
Defending Against Denial-of-Service
Attacks 205
BLACK HOLING 205
VALIDATING THE HANDSHAKE 206
RATE LIMITING 206
4.3 ARP Poisoning 207
Normal ARP Operation 209
THE PROBLEM 209
ARP Poisoning 210
ARP DoS Attack 211
Preventing ARP Poisoning 212
STATIC TABLES 212
LIMIT LOCAL ACCESS 212
4.4 Access Control for Networks 214
LAN Connections 214
Access Control Threats 215
Eavesdropping Threats 215
4.5 Ethernet Security 216
Ethernet and 802.1X 216
COST SAVINGS 217
CONSISTENCY 217
IMMEDIATE CHANGES 217
The Extensible Authentication
Protocol (EAP) 217
EAP OPERATION 218
EXTENSIBILITY 219
RADIUS Servers 219
RADIUS AND EAP 219
4.6 Wireless Security 220
Wireless Attacks 221
Unauthorized Network Access 221
PREVENTING UNAUTHORIZED ACCESS 222
Evil Twin Access Points 224
Wireless Denial of Service 226
FLOOD THE FREQUENCY 226
FLOOD THE ACCESS POINT 227
SEND ATTACK COMMANDS 227
Wireless LAN Security with
802.11i 228
EAP’S NEED FOR SECURITY 228
ADDING SECURITY TO EAP 229
EAP-TLS AND PEAP 229
Core Wireless Security Protocols 230
Wired Equivalent Privacy (WEP) 230
Cracking WEP 231
SHARED KEYS AND OPERATIONAL
SECURITY 231
EXPLOITING WEP’S WEAKNESS 231
Perspective 231
Wi-Fi Protected Access (WPA™) 232
Pre-Shared Key (PSK) Mode 235
Wireless Intrusion Detection
Systems 237
False 802.11 Security Measures 238
SPREAD SPECTRUM OPERATION AND
SECURITY 238
TURNING OFF SSID BROADCASTING 239
MAC ACCESS CONTROL LISTS 239
Implementing 802.11i or WPA
Is Easier 240
4.7 Conclusion 240
Thought Questions 241 • Hands-on Projects 242 • Project Thought
Questions 243 • Perspective
Questions 243
Chapter 5 Access Control 245
5.1 Introduction 246
Access Control 246
Authentication, Authorizations,
and Auditing 246
Authentication 246
Beyond Passwords 247
Two-Factor Authentication 248
Individual and Role-Based Access
Control 248
Organizational and Human
Controls 248
Military and National Security
Organization Access Controls 249
Multilevel Security 249
5.2 Physical Access and Security 250
Risk Analysis 250
ISO/IEC 9.1: Secure Areas 251
PHYSICAL SECURITY PERIMETER 251
PHYSICAL ENTRY CONTROLS 252
PUBLIC ACCESS, DELIVERY, AND LOADING
AREAS 252
SECURING OFFICES, ROOMS,
AND FACILITIES 252
PROTECTING AGAINST EXTERNAL
AND ENVIRONMENTAL THREATS 252
RULES FOR WORKING IN SECURE AREAS 256
ISO/IEC 9.2 Equipment Security 256
EQUIPMENT SITING AND PROTECTION 256
SUPPORTING UTILITIES 257
CABLING SECURITY 257
SECURITY DURING OFF-SITE EQUIPMENT
MAINTENANCE 257
SECURITY OF EQUIPMENT
OFF-PREMISES 257
SECURE DISPOSAL OR REUSE
OF EQUIPMENT 257
REMOVAL OF PROPERTY 258
Other Physical Security Issues 258
TERRORISM 258
PIGGYBACKING 258
MONITORING EQUIPMENT 259
DUMPSTER™ DIVING 260
DESKTOP PC SECURITY 260
NOTEBOOK SECURITY 260
5.3 Passwords 260
Password-Cracking Programs 260
Password Policies 261
Password Use and Misuse 261
NOT USING THE SAME PASSWORD
AT MULTIPLE SITES 261
PASSWORD DURATION POLICIES 262
POLICIES PROHIBITING SHARED
ACCOUNTS 263
DISABLING PASSWORDS THAT ARE NO
LONGER VALID 263
LOST PASSWORDS 263
PASSWORD STRENGTH 266
PASSWORD AUDITING 266
The End of Passwords? 267
5.4 Access Cards and Tokens 268
Access Cards 268
MAGNETIC STRIPE CARDS 269
SMART CARDS 269
CARD READER COSTS 269
Tokens 269
ONE-TIME-PASSWORD TOKENS 270
USB TOKENS 270
Proximity Access Tokens 270
Addressing Loss and Theft 270
PHYSICAL DEVICE CANCELLATION 270
TWO-FACTOR AUTHENTICATION 272
5.5 Biometric Authentication 273
Biometrics 273
Biometric Systems 274
INITIAL ENROLLMENT 274
SUBSEQUENT ACCESS ATTEMPTS 275
ACCEPTANCE OR REJECTION 276
Biometric Errors 276
FALSE ACCEPTANCE RATE 276
FALSE REJECTION RATE 277
WHICH IS WORSE? 277
VENDOR CLAIMS 277
FAILURE TO ENROLL 278
Verification, Identification, and
Watch Lists 278
VERIFICATION 278
IDENTIFICATION 279
WATCH LISTS 280
Biometric Deception 280
Biometric Methods 282
FINGERPRINT RECOGNITION 282
IRIS RECOGNITION 282
FACE RECOGNITION 282
HAND GEOMETRY 283
VOICE RECOGNITION 287
OTHER FORMS OF BIOMETRIC
AUTHENTICATION 287
5.6 Cryptographic Authentication 287
Key Points from Chapter 3 287
Public Key Infrastructures 288
THE FIRM AS A CERTIFICATE AUTHORITY 288
CREATING PUBLIC KEY–PRIVATE KEY
PAIRS 289
DISTRIBUTING DIGITAL CERTIFICATES 289
ACCEPTING DIGITAL CERTIFICATES 289
CERTIFICATE REVOCATION STATUS 290
PROVISIONING 290
THE PRIME AUTHENTICATION
PROBLEM 290
5.7 Authorization 290
The Principle of Least
Permissions 291
5.8 Auditing 292
Logging 292
Log Reading 293
REGULAR LOG READING 293
PERIODIC EXTERNAL AUDITS OF LOG FILE
ENTRIES 293
AUTOMATIC ALERTS 293
5.9 Central Authentication Servers 294
The Need for Centralized
Authentication 294
Kerberos 295
5.10 Directory Servers 296
What Are Directory Servers? 297
Hierarchical Data Organization 297
Lightweight Directory Access Protocol 298
Use by Authentication Servers 298
Active Directory 298
ACTIVE DIRECTORY DOMAINS 299
Trust 300
5.11 Full Identity Management 301
Other Directory Servers and
Metadirectories 301
Federated Identity Management 302
THE SECURITY ASSERTION MARKUP
LANGUAGE 304
PERSPECTIVE 304
Identity Management 304
BENEFITS OF IDENTITY MANAGEMENT 304
WHAT IS IDENTITY? 306
IDENTITY MANAGEMENT 306
Trust and Risk 307
5.12 Conclusion 307
Thought Questions 309 • Hands-on Projects 310 • Project Thought
Questions 311 • Perspective
Questions 311
Chapter 6 Firewalls 313
6.1 Introduction 314
Basic Firewall Operation 314
The Danger of Traffic Overload 319
Firewall Filtering Mechanisms 320
6.2 Static Packet Filtering 321
Looking at Packets One at a Time 321
Looking Only at Some Fields in the
Internet and Transport Headers 321
Usefulness of Static Packet
Filtering 321
Perspective 322
6.3 Stateful Packet Inspection 323
Basic Operation 323
CONNECTIONS 323
STATES 324
STATEFUL PACKET INSPECTION WITH TWO
STATES 324
REPRESENTING CONNECTIONS 325
Packets That Do Not Attempt to Open
Connections 326
TCP CONNECTIONS 329
UDP AND ICMP CONNECTIONS 329
ATTACK ATTEMPTS 329
PERSPECTIVE 329
Packets That Do Attempt to Open
a Connection 330
Access Control Lists (ACLs) for
Connection-Opening Attempts 331
WELL-KNOWN PORT NUMBERS 331
ACCESS CONTROL LISTS (ACLS) FOR
INGRESS FILTERING 332
IF-THEN FORMAT 332
PORTS AND SERVER ACCESS 332
DISALLOW ALL CONNECTIONS 333
Perspective on SPI Firewalls 334
LOW COST 334
SAFETY 334
DOMINANCE 335
6.4 Network Address Translation 335
Sniffers 335
NAT OPERATION 335
PACKET CREATION 336
NETWORK AND PORT ADDRESS
TRANSLATION 336
TRANSLATION TABLE 336
RESPONSE PACKET 336
RESTORATION 336
PROTECTION 337
Perspective on NAT 337
NAT/PAT 337
TRANSPARENCY 337
NAT TRAVERSAL 337
6.5 Application Proxy Firewalls and
Content Filtering 337
Application Proxy Firewall
Operation 338
OPERATIONAL DETAILS 338
APPLICATION PROXY PROGRAMS VERSUS
APPLICATION PROXY FIREWALLS 338
PROCESSING-INTENSIVE OPERATION 338
ONLY A FEW APPLICATIONS CAN BE
PROXIED 339
TWO COMMON USES 339
Application Content Filtering in Stateful
Packet Inspection Firewalls 340
Application Content Filtering for
HTTP 341
Client Protections 341
Server Protections 341
Other Protections 344
6.6 Intrusion Detection Systems and
Intrusion Prevention Systems 345
Intrusion Detection Systems 345
FIREWALLS VERSUS IDSS 347
FALSE POSITIVES (FALSE ALARMS) 347
HEAVY PROCESSING REQUIREMENTS 347
Intrusion Prevention Systems 348
ASICS FOR FASTER PROCESSING 348
THE ATTACK IDENTIFICATION CONFIDENCE
SPECTRUM 348
IPS Actions 349
DROPPING PACKETS 349
LIMITING TRAFFIC 349
6.7 Antivirus Filtering and Unified
Threat Management 349
6.8 Firewall Architectures 354
Types of Firewalls 354
MAIN BORDER FIREWALLS 354
SCREENING BORDER ROUTERS 354
INTERNAL FIREWALLS 354
HOST FIREWALLS 355
DEFENSE IN DEPTH 355
The Demilitarized Zone 355
SECURITY IMPLICATIONS 356
HOSTS IN THE DMZ 356
6.9 Firewall Management 357
Defining Firewall Policies 357
WHY USE POLICIES? 357
EXAMPLES OF POLICIES 359
Implementation 359
FIREWALL HARDENING 359
CENTRAL FIREWALL MANAGEMENT
SYSTEMS 359
FIREWALL POLICY DATABASE 360
VULNERABILITY TESTING AFTER
CONFIGURATION 361
CHANGE AUTHORIZATION AND
MANAGEMENT 361
READING FIREWALL LOGS 362
Reading Firewall Logs 363
Log Files 363
Sorting the Log File by Rule 363
Echo Probes 363
External Access to All Internal
FTP Servers 365
Attempted Access to Internal
Webservers 365
Incoming Packet with a Private
IP Source Address 365
Lack of Capacity 365
Perspective 365
Sizes of Log Files 366
Logging All Packets 366
6.10 Firewall Filtering Problems 367
The Death of the Perimeter 367
AVOIDING THE BORDER FIREWALL 367
EXTENDING THE PERIMETER 368
PERSPECTIVE 368
Attack Signatures versus Anomaly
Detection 368
ZERO-DAY ATTACKS 368
ANOMALY DETECTION 369
ACCURACY 369
6.11 Conclusion 369
Thought Questions 372 • Hands-on Projects 372 • Project Thought
Questions 374 • Perspective
Questions 374
Chapter 7 Host Hardening 375
7.1 Introduction 375
What Is a Host? 376
The Elements of Host Hardening 376
Security Baselines and Images 377
Virtualization 377
VIRTUALIZATION ANALOGY 379
BENEFITS OF VIRTUALIZATION 380
Systems Administrators 380
7.2 Important Server Operating
Systems 385
Windows Server Operating
Systems 386
THE WINDOWS SERVER USER
INTERFACE 386
START : ADMINISTRATIVE TOOLS 386
MICROSOFT MANAGEMENT CONSOLES
(MMCS) 387
UNIX (Including Linux) Servers 388
MANY VERSIONS 389
LINUX 390
UNIX USER INTERFACES 391
7.3 Vulnerabilities and Patches 392
Vulnerabilities and Exploits 392
Fixes 392
WORK-AROUNDS 397
PATCHES 397
SERVICE PACKS 397
VERSION UPGRADES 397
The Mechanics of Patch
Installation 398
MICROSOFT WINDOWS SERVER 398
LINUX RPM PROGRAM 398
Problems with Patching 399
THE NUMBER OF PATCHES 399
COST OF PATCH INSTALLATION 399
PRIORITIZING PATCHES 399
PATCH MANAGEMENT SERVERS 399
THE RISKS OF PATCH INSTALLATION 400
7.4 Managing Users and Groups 401
The Importance of Groups in Security
Management 401
Creating and Managing Users and
Groups in Windows 401
THE ADMINISTRATOR ACCOUNT 401
MANAGING ACCOUNTS 402
CREATING USERS 402
WINDOWS GROUPS 402
7.5 Managing Permissions 404
Permissions 404
Assigning Permissions in
Windows 404
DIRECTORY PERMISSIONS 404
WINDOWS PERMISSIONS 405
ADDING USERS AND GROUPS 405
INHERITANCE 405
DIRECTORY ORGANIZATION 406
Assigning Groups and Permissions
in UNIX 407
NUMBER OF PERMISSIONS 407
NUMBER OF ACCOUNTS OR GROUPS 408
7.6 Creating Strong Passwords 408
Creating and Storing Passwords 409
CREATING A PASSWORD HASH 409
STORING PASSWORDS 409
STEALING PASSWORDS 410
Password-Cracking Techniques 410
BRUTE-FORCE GUESSING 410
DICTIONARY ATTACKS ON COMMON WORD
PASSWORDS 412
HYBRID DICTIONARY ATTACKS 413
RAINBOW TABLES 414
TRULY RANDOM PASSWORDS 415
TESTING AND ENFORCING THE STRENGTH
OF PASSWORDS 415
OTHER PASSWORD THREATS 415
7.7 Testing for Vulnerabilities 416
Windows Client PC Security 417
Client PC Security Baselines 418
The Windows Action Center 418
Windows Firewall 420
Automatic Updates 420
Antivirus and Spyware Protection 420
Implementing Security Policy 421
PASSWORD POLICIES 421
ACCOUNT POLICIES 421
AUDIT POLICIES 422
Protecting Notebook Computers 423
THREATS 423
BACKUP 423
POLICIES FOR SENSITIVE DATA 424
TRAINING 425
COMPUTER RECOVERY SOFTWARE 425
Centralized PC Security
Management 425
STANDARD CONFIGURATIONS 425
NETWORK ACCESS CONTROL 426
WINDOWS GROUP POLICY OBJECTS 426
7.8 Conclusion 429
Thought Questions 430 • Hands-on Projects 430 • Project Thought
Questions 432 • Perspective
Questions 432
Chapter 8 Application Security 433
8.1 Application Security and
Hardening 433
Executing Commands with the
Privileges of a Compromised
Application 434
Buffer Overflow Attacks 434
BUFFERS AND OVERFLOWS 434
STACKS 435
RETURN ADDRESS 435
THE BUFFER AND BUFFER OVERFLOW 435
EXECUTING ATTACK CODE 435
AN EXAMPLE: THE IIS IPP BUFFER
OVERFLOW ATTACK 436
Few Operating Systems, Many
Applications 436
Hardening Applications 437
UNDERSTAND THE SERVER’S ROLE AND
THREAT ENVIRONMENT 437
THE BASICS 438
MINIMIZE APPLICATIONS 438
SECURITY BASELINES FOR APPLICATION
MINIMIZATION 439
CREATE A SECURE CONFIGURATION 439
INSTALL APPLICATION PATCHES
AND UPDATES 439
MINIMIZE THE PERMISSIONS OF
APPLICATIONS 440
ADD APPLICATION-LEVEL AUTHENTICATION,
AUTHORIZATIONS, AND AUDITING 440
IMPLEMENT CRYPTOGRAPHIC
SYSTEMS 440
Securing Custom Applications 440
NEVER TRUST USER INPUT 441
BUFFER OVERFLOW ATTACKS 441
LOGIN SCREEN BYPASS ATTACKS 442
CROSS-SITE SCRIPTING ATTACKS 442
SQL INJECTION ATTACKS 423
AJAX MANIPULATION 423
TRAINING IN SECURE COMPUTING 423
8.2 WWW and E-Commerce
Security 446
The Importance of WWW and
E-Commerce Security 446
WWW Service versus E-Commerce
Service 446
E-COMMERCE SERVICE 447
EXTERNAL ACCESS 448
CUSTOM PROGRAMS 448
Some Webserver Attacks 449
WEBSITE DEFACEMENT 449
BUFFER OVERFLOW ATTACK TO LAUNCH
A COMMAND SHELL 449
DIRECTORY TRAVERSAL ATTACK 449
THE DIRECTORY TRAVERSAL WITH
HEXADECIMAL CHARACTER ESCAPES 450
UNICODE DIRECTORY TRAVERSAL 451
Patching the Webserver and
E-Commerce Software and Its
Components 451
E-COMMERCE SOFTWARE
VULNERABILITIES 451
Other Website Protections 452
WEBSITE VULNERABILITY ASSESSMENT
TOOLS 452
WEBSITE ERROR LOGS 452
WEBSERVER-SPECIFIC APPLICATION PROXY
FIREWALLS 453
Controlling Deployment 453
DEVELOPMENT SERVERS 454
TESTING SERVERS 454
PRODUCTION SERVERS 454
8.3 Web Browser Attacks 454
BROWSER THREATS 454
MOBILE CODE 454
MALICIOUS LINKS 456
OTHER CLIENT-SIDE ATTACKS 456
Enhancing Browser Security 458
PATCHING AND UPGRADING 458
CONFIGURATION 458
INTERNET OPTIONS 458
SECURITY TAB 459
PRIVACY TAB 462
8.4 E-Mail Security 463
E-Mail Content Filtering 463
MALICIOUS CODE IN ATTACHMENTS AND
HTML BODIES 463
SPAM 464
INAPPROPRIATE CONTENT 465
EXTRUSION PREVENTION 465
PERSONALLY IDENTIFIABLE
INFORMATION (PII) 465
Where to Do E-Mail Malware and
Spam Filtering 465
E-Mail Encryption 466
TRANSMISSION ENCRYPTION 466
MESSAGE ENCRYPTION 466
8.5 Voice over IP Security 468
Sending Voice between Phones 468
Transport and Signaling 469
SIP and H.323 470
Registration 470
SIP Proxy Servers 470
PSTN Gateway 470
VoIP Threats 471
Eavesdropping 471
Denial-of-Service (DoS) Attacks 471
Caller Impersonation 472
Hacking and Malware Attacks 472
Toll Fraud 472
Spam over IP Telephony (SPIT) 473
New Threats 473
Implementing VoIP Security 473
Authentication 473
Encryption for Confidentiality 473
Firewalls 474
NAT Problems 475
Separation: Anticonvergence 475
The Skype VoIP Service 475
8.6 Other User Applications 477
Instant Messaging (IM) 477
TCP/IP Supervisory Applications 479
8.7 Conclusion 480
Thought Questions 481 • Hands-on Projects 481 • Project Thought
Questions 483 • Perspective
Questions 483
Chapter 9 Data Protection 485
9.1 Introduction 485
Data’s Role in Business 486
SONY DATA BREACHES 486
Securing Data 486
9.2 Data Protection: Backup 487
The Importance of Backup 487
Threats 487
Scope of Backup 487
FILE/DIRECTORY DATA BACKUP 488
IMAGE BACKUP 488
SHADOWING 489
Full versus Incremental Backups 491
Backup Technologies 493
LOCAL BACKUP 493
CENTRALIZED BACKUP 493
CONTINUOUS DATA PROTECTION 494
INTERNET BACKUP SERVICE 494
MESH BACKUP 494
9.3 Backup Media and RAID 495
MAGNETIC TAPE 495
CLIENT PC BACKUP 496
Disk Arrays—RAID 497
RAID Levels 497
NO RAID 497
RAID 0 498
RAID 1 499
RAID 5 500
9.4 Data Storage Policies 503
BACKUP CREATION POLICIES 504
RESTORATION POLICIES 504
MEDIA STORAGE LOCATION POLICIES 504
ENCRYPTION POLICIES 505
ACCESS CONTROL POLICIES 505
RETENTION POLICIES 505
AUDITING BACKUP POLICY COMPLIANCE 505
E-Mail Retention 506
THE BENEFIT OF RETENTION 506
THE DANGERS OF RETENTION 506
ACCIDENTAL RETENTION 506
THIRD-PARTY E-MAIL RETENTION 508
LEGAL ARCHIVING REQUIREMENTS 508
U.S. FEDERAL RULES OF CIVIL
PROCEDURE 508
MESSAGE AUTHENTICATION 509
DEVELOPING POLICIES AND PROCESSES 509
User Training 509
Spreadsheets 510
VAULT SERVER ACCESS CONTROL 510
OTHER VAULT SERVER PROTECTIONS 511
9.5 Database Security 511
Relational Databases 512
LIMITING THE VIEW OF DATA 512
Database Access Control 516
DATABASE ACCOUNTS 516
SQL INJECTION ATTACKS 516
Database Auditing 517
WHAT TO AUDIT 518
TRIGGERS 518
Database Placement and
Configuration 520
CHANGE THE DEFAULT PORT 520
Data Encryption 520
KEY ESCROW 521
FILE/DIRECTORY ENCRYPTION VERSUS
WHOLE-DISK ENCRYPTION 522
PROTECTING ACCESS TO THE COMPUTER 522
DIFFICULTIES IN FILE SHARING 522
9.6 Data Loss Prevention 523
Data Collection 523
PERSONALLY IDENTIFIABLE INFORMATION 523
DATA MASKING 524
Information Triangulation 526
BUY OR SELL DATA 527
Document Restrictions 528
DIGITAL RIGHTS MANAGEMENT (DRM) 528
DATA EXTRUSION MANAGEMENT 530
EXTRUSION PREVENTION 530
Data Loss Prevention Systems 530
DLP AT THE GATEWAY 530
DLP ON CLIENTS 530
DLP FOR DATA STORAGE 531
DLP MANAGER 531
WATERMARKS 531
REMOVABLE MEDIA CONTROLS 532
PERSPECTIVE 533
Employee Training 533
SOCIAL NETWORKING 533
Data Destruction 534
NOMINAL DELETION 534
BASIC FILE DELETION 535
WIPING/CLEARING 536
DESTRUCTION 536
9.7 Conclusion 537
Thought Questions 538 • Hands-on Projects 538 • Project Thought
Questions 539 • Perspective
Questions 539
Chapter 10 Incident and Disaster
Response 541
10.1 Introduction 541
Walmart and Hurricane Katrina 541
Incidents Happen 542
Incident Severity 543
FALSE ALARMS 544
MINOR INCIDENTS 544
MAJOR INCIDENTS 545
DISASTERS 546
Speed and Accuracy 546
SPEED IS OF THE ESSENCE 546
SO IS ACCURACY 546
PLANNING 546
REHEARSAL 547
10.2 The Intrusion Response Process
For Major Incidents 548
Detection, Analysis, and Escalation 548
DETECTION 548
ANALYSIS 548
ESCALATION 550
Containment 550
DISCONNECTION 550
BLACK-HOLING THE ATTACKER 550
CONTINUING TO COLLECT DATA 550
Recovery 551
REPAIR DURING CONTINUING SERVER
OPERATION 551
RESTORATION FROM BACKUP TAPES 551
TOTAL SOFTWARE REINSTALLATION 551
Apology 552
Punishment 553
PUNISHING EMPLOYEES 553
THE DECISION TO PURSUE PROSECUTION 553
COLLECTING AND MANAGING EVIDENCE 553
Postmortem Evaluation 556
Organization of the CSIRT 556
Legal Considerations 557
Criminal versus Civil Law 557
Jurisdictions 558
The U.S. Federal Judicial System 559
U.S. State and Local Laws 559
International Law 561
Evidence and Computer Forensics 562
U.S. Federal Cybercrime Laws 564
Computer Hacking, Malware Attacks,
Denial-of-Service Attacks, and Other
Attacks (18 U.S.C. § 1030) 564
HACKING 565
DENIAL-OF-SERVICE AND MALWARE
ATTACKS 565
DAMAGE THRESHOLDS 566
Confidentiality in Message
Transmission 566
Other Federal Laws 566
10.3 Intrusion Detection Systems 566
Functions of an IDS 567
LOGGING (DATA COLLECTION) 567
AUTOMATED ANALYSIS BY THE IDS 568
ACTIONS 568
LOG SUMMARY REPORTS 568
SUPPORT FOR INTERACTIVE MANUAL LOG
ANALYSIS 568
Distributed IDSs 569
AGENTS 569
MANAGER AND INTEGRATED LOG
FILE 570
BATCH VERSUS REAL-TIME DATA
TRANSFER 570
SECURE MANAGER–AGENT
COMMUNICATION 570
VENDOR COMMUNICATION 570
Network IDSs 570
STAND-ALONE NIDSS 571
SWITCH AND ROUTER NIDSS 571
STRENGTHS OF NIDSS 571
WEAKNESSES OF NIDSS 571
HOST IDSS 571
ATTRACTION OF HIDSS 571
WEAKNESSES OF HOST IDSS 572
HOST IDSS: OPERATING SYSTEM
MONITORS 572
Log Files 573
TIME-STAMPED EVENTS 573
INDIVIDUAL LOGS 573
INTEGRATED LOGS 573
MANUAL ANALYSIS 575
Managing IDSs 575
TUNING FOR PRECISION 576
Honeypots 577
10.4 Business Continuity
Planning 581
Principles of Business Continuity
Management 583
PEOPLE FIRST 583
REDUCED CAPACITY IN DECISION
MAKING 583
AVOIDING RIGIDITY 583
COMMUNICATION, COMMUNICATION,
COMMUNICATION 584
Business Process Analysis 584
IDENTIFICATION OF BUSINESS PROCESSES
AND THEIR INTERRELATIONSHIPS 584
PRIORITIZATION OF BUSINESS
PROCESSES 584
SPECIFY RESOURCE NEEDS 584
SPECIFY ACTIONS AND SEQUENCES 584
Testing and Updating the Plan 585
10.5 IT Disaster Recovery 585
Types of Backup Facilities 587
HOT SITES 587
COLD SITES 587
SITE SHARING WITH CONTINUOUS DATA
PROTECTION (CDP) 587
LOCATION OF THE SITES 587
Office PCs 590
DATA BACKUP 590
NEW COMPUTERS 591
WORK ENVIRONMENT 591
Restoration of Data and
Programs 591
Testing the IT Disaster Recovery
Plan 591
10.6 Conclusion 591
Thought Questions 592 • Hands-on
Projects 593 • Perspective
Questions 594 • Project Thought
Questions 594
Module A Networking Concepts 595
A.1 Introduction 595
A.2 A Sampling of Networks 596
A Simple Home Network 596
THE ACCESS ROUTER 596
PERSONAL COMPUTERS 597
UTP WIRING 597
INTERNET ACCESS LINE 597
A Building LAN 598
A Firm’s Wide Area Networks 600
The Internet 601
Applications 604
A.3 Network Protocols and Vulnerabilities 604
Inherent Security 605
Security Explicitly Designed into the Standard 605
Security in Older Versions of the Standard 605
Defective Implementation 605
A.4 Core Layers in Layered Standards Architectures 605
A.5 Standards Architectures 606
The TCP/IP Standards Architecture 607
The OSI Standards Architecture 607
The Hybrid TCP/IP–OSI Architecture 608
A.6 Single-Network Standards 608
The Data Link Layer 609
The Physical Layer 609
UTP 609
OPTICAL FIBER 609
WIRELESS TRANSMISSION 609
SWITCH SUPERVISORY FRAMES 610
A.7 Internetworking Standards 610
A.8 The Internet Protocol 611
The IP Version 4 Packet 611
The First Row 612
The Second Row 613
The Third Row 613
Options 613
The Source and Destination IP Addresses 614
Masks 614
IP Version 6 615
IPsec 616
A.9 The Transmission Control Protocol 616
TCP: A Connection-Oriented and Reliable Protocol 617
CONNECTIONLESS AND CONNECTION-ORIENTED PROTOCOLS 617
RELIABILITY 619
Flag Fields 620
Sequence Number Field 620
Acknowledgment Number Field 621
Options 622
Window Field 622
Port Numbers 622
PORT NUMBERS ON SERVERS 622
PORT NUMBERS ON CLIENTS 623
SOCKETS 623
TCP Security 624
A.10 The User Datagram Protocol 625
A.11 TCP/IP Supervisory Standards 626
Internet Control Message Protocol 626
The Domain Name System 627
Dynamic Host Configuration Protocol 629
Dynamic Routing Protocols 629
Simple Network Management Protocol 631
A.12 Application Standards 632
HTTP AND HTML 632
E-MAIL 633
TELNET, FTP, AND SSH 633
OTHER APPLICATION STANDARDS 633
A.13 Conclusion 634
Hands-on Projects 634 • Project Thought Questions 636 • Perspective Questions 636
Glossary 637
Index 655
PREFACE
The IT security industry has seen dramatic changes in the past decades. Security
breaches, data theft, cyber attacks, and information warfare are now common news
stories in the mainstream media. IT security expertise that was traditionally the
domain of a few experts in large organizations has now become a concern for almost
everyone.
These rapid changes in the IT security industry have necessitated more recent
editions of this text. Old attacks are being used in new ways, and new attacks are
becoming commonplace. We hope the changes to this new edition have captured some
of these changes in the industry.
What’s New in This Edition?
If you have used prior editions to this text, you will notice that almost all of the material
you are familiar with remains intact. New additions to the text have been driven by
requests from reviewers. More specifically, reviewers asked for a text that is more
business focused, has more hands-on projects, has more coverage of wireless and data
security, and has additional case studies.
In addition to these changes in content, we have tried to add supplements that
make the book easier to use and more engaging for students. Below is a list of the
significant changes to this edition of the text.
Business Focus—This edition has tried to have more of a business focus. Emphasis
has been placed on securing corporate information systems, rather than just hosts
in general. The concepts, principles, and terminology have remained the same.
However, the implications of each topic are more focused on the business
environment.
Hands-on Projects—Each chapter has hands-on projects that use contemporary
software. Each project relates directly to the chapter material. Students take a
screenshot to show they have completed the project.
Expanded Content—Material from prior chapters has been reorganized and
expanded to create new chapters covering Secure Networks (Chapter 4) and Data
Protection (Chapter 9). Reviewers wanted more coverage of networking and wireless security concepts, as well as more discussion of data security. These chapters
contain substantial amounts of new material in each of these areas.
Comprehensive Framework—We have included a comprehensive security framework to tie all of the chapters together. It will serve as a roadmap to guide students
through the book. Our hope is that it will increase retention of the material by
illustrating how topic areas relate to each other.
Case Studies and Focus Articles—Each chapter includes 2–4 new applied case
studies or focus articles. A wide range of topics are covered in these focus articles.
These include examples of high-profile security incidents, technical security
topics, profiles of industry professionals, security certifications, new types of
attacks, and articles by industry leaders.
xviii
Preface
The goal of these articles is to expose students to a broad range of topics that
are not covered in traditional IT security texts, but are currently being discussed
by industry professionals. We hope these articles are interesting, informative, and
encourage active class discussion.
We also included a few profiles of industry professionals to give students an
idea of the type of work they might be doing after they graduate. Students are
often interested in IT security, but are unsure about what an actual job in the
industry would look like on a daily basis. We hope these provide some insight.
Embedded PowerPoint Videos—New to this edition are embedded PowerPoint
videos. A supplemental set of 125+ PowerPoint slides contain embedded videos
linked to content hosted on YouTube®. These videos include IT security–related
current news stories, technical demonstrations, conference presentations, commentary by industry leaders, historical background, and demonstrations of new
security products.
The embedded videos relate to material in each chapter and can be copied
directly into your regular lectures. These videos can be used as “hooks” to introduce new chapters, integrated directly into lectures, or assigned as out-of-class
homework.
Updated News Articles—Each chapter contains expanded and updated IT
security news articles. Over 90 percent of the news articles in this book reference
stories that have occurred since the second edition was published.
Why Use This Book?
INTENDED AUDIENCE This book is written for a one-term introductory course in IT
security. The primary audience is upper-division BS majors in Information Systems,
Computer Science, or Computer Information Systems. This book is also intended for
graduate students in Masters of Information Systems (MSIS), Master of Business
Administration (MBA), Master of Accountancy (MAcc), or other MS programs that are
seeking a broader knowledge of IT security.
It is designed to provide students with IT security knowledge as it relates to corporate security. It will give students going into the IT security field a solid foundation.
It can also serve as a network security text.
PREREQUISITES The book can be used by students who have taken an introductory
course in information systems. However, taking a networking course before using this
book is strongly advisable. For students who have not taken a networking course,
Module A is a review of networking with a special focus on security aspects of network
concepts.
Even if networking is a prerequisite or corequisite at your school, we recommend
covering Module A. It helps refresh and reinforce networking concepts.
BALANCING TECHNICAL AND MANAGERIAL CONTENT Our students are going to
need jobs. When you ask working IT security professionals what they are looking for in
a new hire, they give similar responses. They want proactive workers who can take
initiative, learn on their own, have strong technical skills, and have a business focus.
A business focus does not mean a purely managerial focus. Companies want a
strong understanding of security management. But they also want a really solid understanding of defensive security technology. A common complaint is that students who
have taken managerial courses don’t even know how stateful packet inspection firewalls operate, or what other types of firewalls are available. “We aren’t hiring these kids
as security managers” is a common comment. This is usually followed by, “They need
to start as worker bees, and worker bees start with technology.”
Overall, we have attempted to provide a strong managerial focus along with a solid
technical understanding of security tools. Most of this book deals with the technical
aspects of protective countermeasures. But even the countermeasure chapters reflect what
students need to know to manage these technologies. You can “throttle” the amount of
technical content by using or not using the Hands-on Projects at the end of each chapter.
How Is This Book Organized?
The book starts by looking at the threat environment facing corporations today. This
gets the students’ attention levels up, and introduces terminology that will be used
throughout the rest of the book. Discussing the threat environment demonstrates the
need for the defenses mentioned in later chapters.
The rest of the book follows the good old plan–protect–respond cycle. Chapter 2 deals
with planning, and Chapter 10 deals with incident and disaster response. All of the chapters
in the middle deal with countermeasures designed to protect information systems.
The countermeasures section starts with a chapter on cryptography because
cryptographic protections are part of many other countermeasures. Subsequent
chapters introduce secure networks, access control, firewalls, host hardening, application security, and data protection. In general, the book follows the flow of data from
networks, through firewalls, and eventually to hosts to be processed and stored.
[Figure: the plan–protect–respond framework. Plan: Planning & Policy (Chapter 2). Protect: Cryptography (Chapter 3), Secure Networks (Chapter 4), Access Control (Chapter 5), Firewalls (Chapter 6), Host Hardening (Chapter 7), Application Security (Chapter 8), Data Protection (Chapter 9). Respond: Incident Response (Chapter 10). Also shown: Threat Environment (Chapter 1).]
USING THE BOOK IN CLASS Chapters in this book are designed to be covered in a
semester week. This leaves a few classes for exams, presentations, guest speakers,
hands-on activities, or material in the module. Starting each class with a demonstration
of one of the hands-on projects is a good way to get students’ attention.
It’s important for students to read each chapter before it’s covered in class. The
chapters contain technical and conceptual material that needs to be closely studied. We
recommend either giving a short reading quiz or requiring students to turn in Test Your
Understanding questions before covering each chapter.
POWERPOINT SLIDES AND STUDY FIGURES The PowerPoint lectures cover nearly
everything, as do the study figures in the book. Study figures even summarize main
points from the text. This makes the PowerPoint presentations and the figures in the
book great study aids.
TEST YOUR UNDERSTANDING QUESTIONS After each section or subsection, there
are Test Your Understanding questions. This lets students check if they really
understood what they just read. If not, they can go back and master that small chunk of
material before going on. The test item file questions are linked to particular Test Your
Understanding questions. If you cut some material out, it is easy to know what
multiple-choice questions not to use.
INTEGRATIVE THOUGHT QUESTIONS At the end of each chapter, there are integrative
Thought Questions which require students to synthesize what they have learned. They
are more general in nature, and require the application of the chapter material beyond
rote memorization.
HANDS-ON PROJECTS Students often comment that their favorite part of the course
is the Hands-on Projects. Students like the Hands-on Projects because they get to use
contemporary IT security software that relates to the chapter material. Each chapter has
at least two applied projects and subsequent Project Thought Questions.
Each project requires students to take a unique screenshot at the end of the project
as proof they completed the project. Each student’s screenshot will include a time
stamp, the student’s name, or another unique identifier.
PERSPECTIVE QUESTIONS Finally, there are two general questions that ask students
to reflect on what they have studied. These questions give students a chance to think
comprehensively about the chapter material at a higher level.
HEY! WHERE’S ALL THE ATTACK SOFTWARE? This book does not teach students how to
break into computers. There is software designed specifically to exploit vulnerabilities
and gain access to systems. This book does not cover this type of software. Rather, the
focus of the book is how to proactively defend corporate systems from attacks.
Effectively securing corporate information systems is a complicated process.
Learning how to secure corporate information systems requires the entire book. Once
students have a good understanding of how to secure corporate systems, they might be
ready to look at penetration testing software.
With ten chapters, you do have time to introduce some offense. However, if you
do teach offense, do it carefully. Attack tools are addictive, and students are rarely
satisfied using them in small labs that are carefully air-gapped from the broader school
network and the Internet. A few publicized attacks by your students can get IT security
barred from the curriculum.
Instructor Supplements
This is a hard course to teach. We have tried to build in as much teacher support as possible. Our goal was to reduce the total amount of preparation time instructors had to
spend getting ready to teach this course.
Learning new course material, monitoring current events, and managing an active
research agenda is time-consuming. We hope the instructor supplements make it easier
to teach a high-quality course with less prep time.
ONLINE INSTRUCTOR RESOURCES The Pearson Prentice-Hall website
(http://www.pearsonhighered.com) has all of the supplements discussed below. These include the
PowerPoint lectures, PowerPoint embedded videos, answer keys, test item files,
TestGen software, and the other usual suspects.
POWERPOINT LECTURES There is a PowerPoint lecture for each chapter. They aren’t
“a few selected slides.” They are full lectures with detailed figures and explanations.
And they aren’t made from figures that look pretty in the book but that are invisible on
slides. We have tried to create the PowerPoint slides to be pretty self-explanatory.
POWERPOINT EMBEDDED VIDEOS An important part of a great lecture is to start each
class with a “hook.” The hook captures students’ interest and acts as an introduction to
the rest of the lecture. We have created a set of PowerPoint slides that contain embedded videos that can act as a hook for each chapter.
There are over 125 PowerPoint slides containing embedded videos linked to
content hosted on YouTube®. These videos include current news stories, technical
demonstrations, conference presentations, commentary by industry leaders, historical background, and demonstrations of new security products. The embedded
videos relate to material in each chapter and can be copied directly into your regular
lectures.
TEST ITEM FILE The test item file for this book makes creating, or supplementing, an
exam with challenging multiple-choice questions easy. Questions in the test item file
refer directly to the Test Your Understanding questions located throughout each
chapter. This means exams will be tied directly to concepts discussed in the chapter.
TEACHERS MANUAL The Teachers Manual has suggestions on how to teach the
chapters. For instance, the book begins with threats. In the first class, you could
have students list everybody who might attack them. Then have them come up with
ways each group is likely to attack them. Along the way, the class discussion naturally can touch on chapter concepts such as the distinction between viruses and
worms.
SAMPLE SYLLABUS We have included a sample syllabus if you are teaching this
course for the first time. It can serve as a guide to structuring the course and reduce
your prep time.
E-MAIL US Please feel free to e-mail us. You can reach Randy at Randy.Boyle@utah.edu,
or Ray at Ray@Panko.com. Your Pearson Sales Representative can provide you with
support, but if you have a question, please also feel free to contact us. We’d also love
suggestions for the next edition of the book and for additional support for this edition.
Acknowledgments
We would like to thank all of the reviewers of prior editions. They have used this book for
years and know it well. Their suggestions, recommendations, and criticisms helped shape
this edition. This book really is a product of a much larger community of academics and
researchers.
We would also like to thank the industry experts who contributed to this edition.
Their expertise and perspective added a real-world perspective that can only come from
years of practical experience. Thank you to Matt Christensen, Dan McDonald at Utah
Valley University, Amber Schroader at Paraben Corp., Chris Larsen at BlueCoat Systems,
Inc., David Glod at Grant Thornton, Andrew Yenchik, Stephen Burton, and Susan Jensen at
Digital Ranch, Inc., Lisa Cradit at L-1 Identity Solutions, and Bruce Wignall at
Teleperformance Group.
Thanks go to our editor Bob Horan for his support and guidance. A good editor
can produce good books. Bob is a great editor who produces great books. And he has
done so for many years. We feel privileged to be able to work with Bob.
Special thanks go to Debbie Ryan, Kelly Loftus and the production team that
actually makes the book. Thank you George Jacob, for your detailed and exceptional
copy editing. Most readers won’t fully appreciate the hard work and dedication it takes
to transform the “raw” content provided by authors into the finished copy you’re
holding in your hands. Debbie, Kelly, George, and the Pearson production team’s
commitment and attention to detail have made this into a great book.
Lastly, and most importantly, I (Randy) would like to thank Ray. Like many of
you, I have used Ray’s books for years. Ray has a writing style that students find accessible and intuitive. Ray’s books are popular and widely adopted by instructors across
the country. His books have been the source of networking and security knowledge for
many workers currently in the industry.
I’d like to thank Ray for allowing me to contribute to this edition. I’m grateful that
Ray trusted me enough to work on one of his books. I hope this edition continues in the
legacy of great texts Ray has produced. It’s an honor to work with a generous person
like Ray.
Randy Boyle
Ray Panko
ABOUT THE AUTHORS
Randy Boyle is a professor at the David Eccles School of
Business at the University of Utah. He received his PhD
in Management Information Systems (MIS) from Florida
State University in 2003. He also has a master’s degree in
Public Administration, and a BS in Finance. His research
areas include deception detection in computer-mediated
environments, information assurance policy, the effects
of IT on cognitive biases, and the effects of IT on knowledge workers. He has received college teaching awards
at the University of Alabama in Huntsville and the
Marvin J. Ashton Teaching Excellence Award at the
University of Utah. His teaching is primarily focused on
information security, networking, and management
information systems. He is the author of Applied
Information Security: A Hands-on Guide to Information
Security Software and Applied Networking Labs.
Ray Panko is a professor of IT Management at the
University of Hawai`i’s Shidler College of Business.
His main courses are networking and security. Before
coming to the university, he was a project manager at
Stanford Research Institute (now SRI International),
where he worked for Doug Engelbart (the inventor
of the mouse). He received his BS in Physics and
his MBA from Seattle University. He received his
doctorate from Stanford University, where his dissertation was conducted under contract to the Office of
the President of the United States. He has been
awarded the Shidler College of Business’s Dennis Ching award as the outstanding
teacher among senior faculty. He is also a Shidler Fellow.
1
THE THREAT ENVIRONMENT
Chapter Outline
1.1 Introduction
1.2 Employee and Ex-Employee Threats
1.3 Malware
1.4 Hackers and Attacks
1.5 The Criminal Era
1.6 Competitor Threats
1.7 Cyberwar and Cyberterror
1.8 Conclusion
Learning Objectives:
After studying this chapter, you should be able to:
• Define the term threat environment.
• Use basic security terminology.
• Describe threats from employees and ex-employees.
• Describe threats from malware writers.
• Describe traditional external hackers and their attacks, including break-in processes, social engineering, and denial-of-service attacks.
• Know that criminals have become the dominant attackers today, describe the types of attacks they make, and discuss their methods of cooperation.
• Distinguish between cyberwar and cyberterror.
1.1 INTRODUCTION
The world today is a dangerous place for corporations. The Internet has
given firms access to billions of customers and other business partners, but it
has also given criminals access to hundreds of millions of corporations and
individuals. Criminals are able to attack websites, databases, and critical
information systems without ever entering the corporation’s host country.
1
2
Chapter 1 • The Threat Environment
Corporations have become critically dependent on information technology (IT) as
part of their overall competitive advantage. In order to protect their IT infrastructure from
a variety of threats, and subsequent profitability, corporations must have comprehensive
IT security policies, well-established procedures, hardened applications, and secure
hardware.
Basic Security Terminology
THE THREAT ENVIRONMENT
If companies are to be able to defend themselves, they need an understanding of the
threat environment—that is, the types of attackers and attacks companies face.
“Understanding the threat environment” is a fancy way of saying “Know your enemy.”
If you do not know how you may be attacked, you cannot plan to defend yourself.
This chapter will focus almost exclusively on the threat environment.
The threat environment consists of the types of attackers and attacks that companies face.
The Threat Environment
The threat environment consists of the types of attackers and attacks that companies face
Security Goals
Confidentiality
Confidentiality means that people cannot read sensitive information, either while it is on a
computer or while it is traveling across a network
Integrity
Integrity means that attackers cannot change or destroy information, either while it is on a
computer or while it is traveling across a network. Or, at least, if information is changed or
destroyed, then the receiver can detect the change or restore destroyed data
Availability
Availability means that people who are authorized to use information are not prevented from doing so
Compromises
Successful attacks
Also called incidents and breaches
Countermeasures
Tools used to thwart attacks
Also called safeguards, protections, and controls
Types of countermeasures
Preventative
Detective
Corrective
FIGURE 1-1 Basic Security Terminology (Study Figure)
SECURITY GOALS
Corporations and subgroups in corporations have security goals—conditions that the
security staff wishes to achieve. Three common core goals are referred to collectively as
CIA. This is not the Central Intelligence Agency. Rather, CIA stands for confidentiality,
integrity, and availability.
• Confidentiality—Confidentiality means that people cannot read sensitive information, either while it is on a computer or while it is traveling across a network.
• Integrity—Integrity means that attackers cannot change or destroy information,
either while it is on a computer or while it is traveling across a network. Or, at
least, if information is changed or destroyed, then the receiver can detect the
change or restore destroyed data.
• Availability—Availability means that people who are authorized to use information
are not prevented from doing so. Neither a computer attack nor a network attack will
keep them away from the information they are authorized to access.
Many security specialists are unhappy with the simplistic CIA goal taxonomy because
they feel that companies have many other security goals. However, the CIA goals are a
good place to begin thinking about security goals.
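The integrity goal above sets a minimum bar: if information is changed or destroyed, the receiver must at least be able to detect the change or restore the destroyed data. The following Python program is an added example, not code from the textbook, showing how that detection is done in practice with a keyed hash (HMAC-SHA256) over the data. It assumes a secret key shared only by the sender and receiver; the key, the messages, the tampering step and the backup copy are all constructed for the demonstration.

```python
"""Integrity detection and restoration with HMAC tags (added example)."""
import hashlib
import hmac


def make_tag(key: bytes, message: bytes) -> bytes:
    """Keyed hash over the message; without the key, a matching tag cannot be produced."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so timing does not leak tag bytes."""
    return hmac.compare_digest(make_tag(key, message), tag)


def read_or_restore(key: bytes, stored: bytes, stored_tag: bytes,
                    backup: bytes, backup_tag: bytes) -> bytes:
    """Integrity at rest: serve the stored copy if its tag verifies, else a verified backup."""
    if verify(key, stored, stored_tag):
        return stored
    if verify(key, backup, backup_tag):
        return backup
    raise ValueError("neither the stored copy nor the backup verifies")


def demo() -> dict:
    """Run the four checks a receiver cares about and report which held."""
    key = b"constructed-shared-secret-key"          # constructed for the demo
    original = b"PAY 100.00 TO ACCOUNT 42"
    tag = make_tag(key, original)

    # In transit: an attacker who alters the amount cannot fix the tag without the key.
    tampered = b"PAY 900.00 TO ACCOUNT 42"
    forged_tag = make_tag(b"attacker-guessed-key", tampered)

    # At rest: the primary copy has been corrupted, but a tagged backup survives.
    restored = read_or_restore(key, tampered, tag, original, tag)

    return {
        "untampered_accepted": verify(key, original, tag),
        "tampered_rejected": not verify(key, tampered, tag),
        "forged_tag_rejected": not verify(key, tampered, forged_tag),
        "restored_from_backup": restored == original,
    }


if __name__ == "__main__":
    for check, held in demo().items():
        print(f"{check}: {'ok' if held else 'FAILED'}")
```

Note what the tag does and does not give you: it makes any change to the data detectable by anyone holding the key, and a verified backup lets destroyed data be restored, but it does nothing for confidentiality (the message is still readable) or availability (a deleted message with no backup is simply gone).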
COMPROMISES
When a threat succeeds in causing harm to a business, this is called an incident, breach,
or compromise. Companies try to deter incidents, of course, but they usually have to
face several breaches each year, so response to incidents is a critical skill. In terms of the
business process model, threats push the business process away from meeting one or
more of its goals.
When a threat succeeds in causing harm to a business, this is called an incident, breach,
or compromise.
COUNTERMEASURES
Naturally, security professionals try to stop threats. The methods they use to thwart
attacks are called countermeasures, safeguards, protections, or controls. The goal of
countermeasures is to keep business processes on track for meeting their business goals
despite the presence of threats and actual compromises.
Tools used to thwart attacks are called countermeasures, safeguards, or controls.
Countermeasures can be technical, human, or (most commonly) a mixture of the two.
Typically, countermeasures are classified into three types:
• Preventative—Preventative countermeasures keep attacks from succeeding.
Most controls are preventative controls.
• Detective—Detective countermeasures identify when a threat is attacking and
especially when it is succeeding. Fast detection can minimize damage.
• Corrective—Corrective countermeasures get the business process back on track
after a compromise. The faster the business process can get back on track, the
more likely the business process will be to meet its goals.
TEST YOUR UNDERSTANDING
1. a. Why is it important for firms to understand the threat environment?
b. Name the three common security goals.
c. Briefly explain each.
d. What is an incident?
e. What are the synonyms for incidents?
f. What are countermeasures?
g. What are the synonyms for countermeasure?
h. What are the goals of countermeasures?
i. What are the three types of countermeasures?
Case Study: The TJX Data Breach
If this terminology seems abstract, it may help to look at a specific attack to put these
terms into context and to show how complex security attacks can be. We will begin with
one of the largest losses of private customer information. This is the TJX data breach.
THE TJX COMPANIES, INC.
The TJX Companies, Inc. (TJX) is a group of over 2,500 retail stores operating in the United
States, Canada, England, Ireland, and several other countries. These companies do
business under such names as TJ Maxx and Marshalls. In its literature, TJX describes itself
as “the leading off-price retailer of apparel and home fashions in the U.S. and worldwide.”
With this type of mission statement, there is strong pressure to minimize costs.
DISCOVERY
On December 18, 2006, TJX detected “suspicious software” on its computer systems. Three
days later, TJX called in security consultants to examine the situation. On December 21, the
consultants confirmed that an intrusion had actually occurred. The next day, the company
informed law enforcement authorities in the United States and Canada. Five days later, the
security consultants determined that customer data had been stolen.
The consultants initially determined that the intrusion software had been
working for seven months when it was discovered. A few weeks later, the consultants
discovered that the company had also been breached several times in 2005. All told,
the consultants estimated that 45.7 million customer records had been stolen.1
This was by far the largest number of personal customer records stolen from any
company at that time.
The thieves did not steal these records for the thrill of breaking in or to enhance
their reputations among other hackers. They did it so that they could use the information
to make fraudulent credit card purchases, withdraw thousands of dollars from ATMs,
and sell stolen credit card information to other criminals. Stolen funds were
subsequently laundered through international bank accounts.2
1 Associated Press, “T.J. Maxx Data Theft Worse than First Reported,” MSNBC.com, March 29, 2007. http://www.msnbc.msn.com/id/17853440/.
The TJX Companies, Inc. (TJX)
A group of over 2,500 retail stores companies operating in the United States, Canada, England,
Ireland, and several other countries
Does business under such names as TJ Maxx and Marshalls
Discovery
On December 18, 2006, TJX detected “suspicious software” on its computer systems
Called in security experts who confirmed an intrusion and probable data loss
Notified law enforcement immediately
Notified consumers only a month later to get time to fix system and to allow law enforcement to
investigate
Two waves of attacks, in 2005 and 2006
Company estimated that 45.7 million records with limited personal information had been stolen
Much more information was stolen from 455,000 of these customers
The Break-Ins
Broke into poorly protected wireless networks in retail stores
Used this entry to break into central processing system in Massachusetts
Not detected despite long presence, 80 GB data exfiltration
Canadian Privacy Commission assessment: poor encryption, keeping data that should not have been kept
The Payment Card Industry–Data Security Standard (PCI-DSS)
Rules for companies that accept credit card purchases
If noncompliant, can lose the ability to process credit cards
12 required control objectives
TJX knew it was not in compliance (later found to meet only 3 of 12 control objectives)
Visa gave an extension to TJX in 2005, subject to progress report in June 2006
The Fallout: Lawsuits and Investigations
Settled with most banks and banking associations for $40.9 million to cover card reissuing and other costs
Visa levied $880,000 fine, which may later have been increased or decreased
Proposed settlement with consumers
Under investigation by U.S. Federal Trade Commission and 37 state attorneys general
TJX has prepared for damages of $256 million as of August 2007
FIGURE 1-2 The TJX Data Breach (Study Figure)
In its defense, TJX noted that in most of the records stolen, most users’ personal information had been masked (replaced by asterisks). It also noted that most of the credit cards
about which information had been stored had expired and that the company generally did
not collect social security numbers (SSNs). However, for 455,000 customers who had been
given refunds without a receipt, a much larger amount of personal information had been
collected, and this information had been stolen as well.
2 ConsumerAffairs.com, “Ring Charged with Hacking Major US Retailers,” August 6, 2008. http://www.consumeraffairs.com/news04/2008/08/hacker_ring.html.
TJX did not inform customers about the data breach until nearly a month later.
The company said that it needed time to beef up its security. The company also said that
law enforcement officials had told TJX not to release information about the breach
immediately to avoid tipping off the data thieves about the investigation. Of course, the
delay also left the customers ignorant of the danger they faced.
THE BREAK-INS
How did the breaches occur? It is believed that the data thieves broke into poorly
protected wireless networks in some retail stores to get into the central TJX credit and
debit card processing system in Massachusetts.3 There, poor firewall protections4
allowed the data thieves to enter several systems and to install a sniffer that listened to
the company’s poorly encrypted traffic passing into and out of the processing center.
Another problem was that TJX retained some sensitive credit card information that
should not have been retained; it is this improperly retained information that the data
thieves found valuable.5
How did the thieves remain undetected despite having a sniffer operate for over
half a year and despite exfiltrating over 80 GB6 of data? And how did the attackers
place a sniffer on the TJX network that went undetected for seven months?7 The answer
to that question appears to be that TJX did not have an organized intrusion detection
capability.
In its defense, the company said that it “believes our security was comparable to
many other major retailers.”8 Its purpose in saying this may have been to prepare for a
defense against lawsuits based on negligence. Proving negligence usually requires
proof that a perpetrator was lax based on general practice in the field.
The Canadian Privacy Commission, which was the first governmental bureau to
release findings about the break-in, gave the following assessment of TJX’s security at
the time of the breach:
The company collected too much personal information, kept it too long and
relied on weak encryption technology to protect it—putting the privacy of
millions of its customers at risk . . . The company did not manage the risk of
a breach, it failed to encrypt data strongly enough, it did not monitor its
systems well enough, it did not act in accordance with payment card industry
standards and it collected too much information.9
3 Mark Jewel, “Encryption Faulted in TJX Hacking,” MSNBC.com, September 25, 2007. http://www.msnbc.msn.com/id/20979359.
4 Ross Kerber, “Details Emerge on TJX Breach,” The Boston Globe, October 25, 2007.
5 Mark Jewel, op. cit. http://www.msnbc.msn.com/id/20979359.
6 SANS Institute, “Unflattering Details Emerge in TJX Case,” SANS Newsbytes, e-mail newsletter (9:86), October 20, 2007.
7 Ibid.
8 Kerber, “Details Emerge on TJX Breach.”
9 OUT-LAW.com, “Canadian Privacy Commissioner Slams TJX Data Policy” (OUT-LAW.COM is part of international law firm Pinsent Masons.), THEREGISTER.CO.UK, September 27, 2007. http://www.theregister.co.uk/2007/09/27/tjx_data_leak_report/.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update antivirus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
FIGURE 1-3 Payment Card Industry Data Security Standards (PCI-DSS) (Study Figure)
THE PAYMENT CARD INDUSTRY–DATA SECURITY STANDARD
A number of earlier (and smaller) data breaches had prompted the major credit card
companies to create the Payment Card Industry–Data Security Standard (PCI-DSS).
This standard specified 12 required control objectives that must be implemented by
companies that accept credit card purchases. Failure to implement PCI-DSS control
objectives can result in fines and even the revocation of a company’s ability to accept
credit card payments.
At the time the data breach was discovered, TJX was far behind in its PCI-DSS
compliance program. The company only complied with 3 of the 12 required control
objectives. Internal memos10 revealed that the company knew that it was in violation of
the PCI-DSS requirements, particularly with respect to its weak encryption in retail
store wireless networks. However, the company deliberately decided not to move
rapidly to fix this problem.
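The following example, added here and not taken from the book, from TJX, or from the PCI Security Standards Council, shows what Requirement 3 (protect stored cardholder data) looks like as code: the primary account number (PAN) is masked before storage, the sensitive authentication data that must never be retained after authorization is stripped, and records older than a retention window are reported for purging. The field names, the 90-day window, and the sample records (built from published test card numbers) are assumptions of this example.

```python
"""Cardholder data handling in the spirit of PCI-DSS Requirement 3.
Added example; field names, retention window and sample data are assumed."""
import re
from datetime import date, timedelta

# Sensitive authentication data that must not be stored after authorization.
# These field names are this example's own assumption.
FORBIDDEN_FIELDS = {"cvv2", "track1", "track2", "pin", "pin_block"}

# Assumed business retention window for transaction records (not a PCI-DSS number).
RETENTION_DAYS = 90

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; used only to recognise a well-formed PAN before masking it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)          # tolerate spaces and dashes in input
    if not PAN_RE.match(digits) or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_for_storage(record: dict) -> dict:
    """Return a copy that is safe to persist: PAN masked, forbidden fields dropped."""
    clean = {k: v for k, v in record.items() if k not in FORBIDDEN_FIELDS}
    clean["pan"] = mask_pan(record["pan"])
    return clean


def expired_records(records, today: date):
    """Records older than the retention window, i.e. data that should already be gone."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return [r for r in records if r["txn_date"] < cutoff]


# Constructed sample records using published test card numbers, not real accounts.
SAMPLE = [
    {"pan": "4111 1111 1111 1111", "cvv2": "123",
     "track2": "TRACK-DATA-PLACEHOLDER", "txn_date": date(2006, 1, 5)},
    {"pan": "5555555555554444", "cvv2": "999", "txn_date": date(2006, 6, 20)},
]


def expired_sample(today: date = date(2006, 7, 1)):
    """Masked PANs of sample records past the retention window on the given date."""
    return [mask_pan(r["pan"]) for r in expired_records(SAMPLE, today)]


if __name__ == "__main__":
    for r in SAMPLE:
        print(scrub_for_storage(r))
    print("overdue for purge:", expired_sample())
```

The point of masking and scrubbing at the point of storage, rather than at display time, is that a sniffer or database theft of the kind described above then yields nothing usable even when the other controls fail; the retention check is the control TJX lacked when it kept card data it had no business reason to hold.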
In November 2005, a staff member noted prophetically that “saving money and
being PCI-compliant is important to us, but equally important is protecting ourselves
against intruders. Even though we have some breathing room with PCI, we are still
vulnerable with WEP as our security key. It must be a risk we are willing to take for the
sake of saving money and hoping we do not get compromised.”
10 Evan Schuman, “VISA Fined TJX Processor for Security Breach,” Eweek.com, October 28, 2007. http://www.eweek.com/article2/0,1895,2208615,00.asp.
When the staff member noted that “we have some breathing room with PCI,” he
probably was referring to the fact that TJX had been given an extension allowing it to
be compliant beyond the standard’s specified compliance date.11 This additional
time, ironically, was given after the data breaches had already begun. This extension
was dependent upon evaluation of a TJX report on its compliance project by
June 2006. It is unknown whether TJX complied with this requirement. The letter that
authorized the extension was sent by a fraud control vice president for Visa. It ended
with “I appreciate your continued support and commitment to safeguarding the
payment industry.”
THE FALLOUT: LAWSUITS AND INVESTIGATIONS
The company quickly became embroiled in commercial lawsuits and government
investigations. These lawsuits involved the filing of briefs that shed additional light
on the break-ins. For instance, sealed evidence from Visa and MasterCard placed
the number of account records stolen at 94 million—roughly double TJX’s
estimates.12
TJX was sued by several individual banks and bank associations. TJX settled by
paying $24 million to MasterCard-issuing lenders and $41 million to Visa. They also
paid $9.75 million to settle cases with 41 individual states.13
In this battle of corporate giants, consumers were handled last. At the time of
this writing, TJX has proposed a settlement that would only involve active measures
such as help with ID theft through insurance and other measures for the roughly
455,000 victims who had given personally identifiable information when they
returned goods without a receipt. Other victims would be given a modest voucher
($30) or the opportunity to buy TJX merchandise at sale prices.14
PROSECUTION
On August 25, 2008, the Department of Justice charged 11 individuals with the TJX
break-in and the subsequent use of the stolen information.15 Three were Americans, and
they were jailed rapidly. Two more were in China. The rest were in Eastern Europe.
The indictment underscores the international nature of cybercrime. Although the
three Americans conducted the actual data theft, they fenced the stolen information
overseas. Two of the American defendants rapidly entered plea deals to testify against
the alleged ringleader Albert Gonzalez of Miami, Florida.
11 Evan Schuman, “In 2005, Visa Agreed to Give TJX Until 2009 to Get PCI Compliant,” StorefrontBacktalk, November 9, 2007. http://storefrontbacktalk.com/story/110907visaletter.
12 Ross Kerber, “Court Filing in TJX Breach Doubles Toll,” The Boston Globe, October 24, 2007.
13 Martin H. Bosworth, “TJX to Pay MasterCard $24 million for Data Breach,” ConsumerAffairs.com, April 6, 2008. http://www.consumeraffairs.com/news04/2008/04/tjx_mc.html.
14 John Leyden, “TJX Consumer Settlement Sale Offer Draws Scorn,” TheRegister.com, November 20, 2007. http://www.theregister.co.uk/2007/11/20/tjx_settlement_offer_kerfuffle/.
15 U.S. Department of Justice, “Retail Hacking Ring Charged for Stealing and Distributing Credit and Debit Card Numbers from Major U.S. Retailers,” August 5, 2008. http://www.usdoj.gov/criminal/cybercrime/gonzalezIndict.pdf.
FIGURE 1-4 Albert Gonzalez
Credit: U.S. Government
On March 25, 2010, Gonzalez was sentenced to 20 years in prison. The sentencing
resulted from a combined case that added OfficeMax, Dave & Buster’s, and Barnes & Noble
to the list of businesses affected. At the time of this writing, this is the longest sentence ever
imposed for identity theft.16
On March 26, 2010, Gonzalez was again sentenced to 20 years and one day in
prison for stealing an estimated 130 million additional credit card numbers from
Heartland Payment Systems. Since this sentence is to be served concurrently with his
prior conviction, it adds only one day to his sentence. Gonzalez used a SQL injection
attack against Heartland to steal credit card numbers. Companies affected include
7-Eleven, J.C. Penney, and Wet Seal. This is the largest known identity theft to date.17
TEST YOUR UNDERSTANDING
2. a. Who were the victims in the TJX breach? (The answer is not in the text, and this is not a trivial question.)
b. Was the TJX break-in due to a single security weakness or multiple security weaknesses? Explain.
c. Why would meeting the PCI-DSS control objectives probably have prevented the TJX data breach? This is not a trivial question.
d. Would meeting the PCI-DSS control objectives have ensured that the data breach would not have occurred? Think about this carefully. The answer is not in the text.
e. Which of the CIA goals did TJX fail to achieve in this attack?
1.2 EMPLOYEE AND EX-EMPLOYEE THREATS
Having looked at threats in general, at key security terminology, and at a particular
compromise, we will now look at specific elements of the corporate threat environment.
We will begin by looking inside the firm, at the threats created by employees.
16 Kim Zetter, “TJX Hacker Gets 20 Years in Prison,” Wired.com, March 25, 2010. http://www.wired.com/threatlevel/2010/03/tjx-sentencing/.
17 Kim Zetter, “Hacker Sentenced to 20 Years for Breach of Credit Card Processor,” Wired.com, March 25, 2010. http://www.wired.com/threatlevel/tag/heartland-payment-systems/.
When firms began getting their own computers in the 1960s, they soon found that
disgruntled and greedy employees and ex-employees are serious security threats.
As firms have become more dependent on information technology, the threats from
insiders have become more perilous.
Why Employees Are Dangerous
Employees and ex-employees are very dangerous for four reasons:
• They usually have extensive knowledge of systems.
• They often have the credentials needed to access sensitive parts of systems.
• They know corporate control mechanisms and so often know how to avoid
detection.
• Finally, companies tend to trust their employees. In fact, when security insists that
an employee behave in a particular way or explain an apparent security violation,
it is common for the employee’s manager to protect the employee against
“security interference.”
Employees and ex-employees are very dangerous because they have extensive knowledge
of systems, have the credentials needed to access sensitive parts of systems, often
know how to avoid detection, and can benefit from the trust that usually is accorded to
“our people.”
These factors often eliminate the need for sophisticated computer knowledge.
In fact, in 23 financial services cybercrimes committed between 1996 and 2002, 87 percent
were accomplished without any sophisticated programming.18
IT employees are particularly dangerous because of their extraordinary knowledge
and access. IT security employees are the most dangerous of all. The Department of
Justice has a website, http://www.cybercrime.gov, which lists federal cybercrime
prosecutions. Roughly half the cases have defendants who are IT professionals and even
security employees and ex-employees. The Romans asked, Quis custodiet custodes?
This translates as “Who watches the watchers?” This is one of the most difficult issues in
IT security management.
Employee Sabotage
One of the oldest concerns about employees is sabotage, which is the destruction of
hardware, software, or data. Sabotage comes from the French word for shoe because
disgruntled workers in the early years of the Industrial Revolution supposedly threw their
wooden shoes into machines to stop production.
18 Keeney, et al., Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, U.S. Secret Service and the Carnegie Mellon Software Engineering Institute, August 2004.
Employees and Ex-Employees Are Dangerous
Dangerous because
They have knowledge of internal systems
They often have the permissions to access systems
They often know how to avoid detection
Employees generally are trusted
IT and especially IT security professionals are the greatest employee threats (Quis custodiet custodes?)
Employee Sabotage
Destruction of hardware, software, or data
Plant time bomb or logic bomb on computer
Employee Hacking
Hacking is intentionally accessing a computer resource without authorization or in excess of authorization
Authorization is the key
Employee Financial Theft
Misappropriation of assets
Theft of money
Employee Theft of Intellectual Property (IP)
Copyrights and patents (formally protected)
Trade secrets: plans, product formulations, business processes, and other info that a company
wishes to keep secret from competitors
Employee Extortion
Perpetrator tries to obtain money or other goods by threatening to take actions that would be against
the victim’s interest
Sexual or Racial Harassment of Other Employees
Via e-mail
Displaying pornographic material
Employee Computer and Internet Abuse
Downloading pornography, which can lead to sexual harassment lawsuits and viruses
Downloading pirated software, music, and video, which can lead to copyright violation penalties
Excessive personal use of the Internet at work
Non-Internet Computer Abuse
Access to sensitive personal information motivated by curiosity
In one survey at a security conference, one in three admitted to looking at confidential or personal
information in ways unrelated to their jobs
Data Loss
Loss of laptops and storage media
Other “Internal” Attackers
Contract workers
Workers in contracting companies
FIGURE 1-5 Employee and Ex-Employee Threats (Study Figure)
In the News
Tim Lloyd, a computer systems administrator, was fired for being threatening and
disruptive. In retaliation, Lloyd planted a logic bomb program on a critical server.
When pre-set conditions occurred, the logic bomb destroyed the programs that ran
the company’s manufacturing machines. Lloyd also took home and erased the firm’s
backup tapes to prevent recovery. Lloyd’s sabotage resulted in $10 million in
immediate business losses, $2 million in reprogramming costs, and 80 layoffs.
The attack led to a permanent loss of the company’s competitive status in the
high-tech instruments and measurements market because the company could not
rebuild the proprietary design software it had been using.19
Sabotage can also have financial motives. When Roger Duronio sabotaged 2,000
servers at UBS PaineWebber, he was not just punishing his ex-employer. He also sold
UBS PaineWebber shares short to take advantage of the subsequent drop in the
company’s share price. Although the attack did extensive damage, the stock price did
not drop, and Duronio lost money. Found guilty of computer sabotage and securities
fraud, 63-year-old Duronio was sentenced to eight years in federal prison.20
In the News
In another case, two traffic engineers working for the city of Los Angeles pleaded
guilty to hacking the city’s traffic center and disconnecting signals at four of LA’s
busiest intersections. They then locked out the controls for these intersections, so
that it took four days to restore control. They did this a few hours before their
union’s scheduled job action against the city in support of contract negotiations.
For this infraction, they received 240 days of community service and were required
to have their computers at home and work monitored.21
Employee Hacking
Another concern is that employees will hack (break into) the company’s computers using
stolen credentials, flaws in internal systems, or some other fraudulent scheme. They can
then embezzle money, steal intellectual property, or just look up embarrassing information.
19 Sharon Gaudin, “Computer Saboteur Sentenced to Federal Prison,” Computerworld, February 26, 2002. http://www.computerworld.com/s/article/68624/Computer_saboteur_sentenced_to_federal_prison.
20 Sharon Gaudin, “Ex-UBS Systems Admin Sentenced to 97 Months in Jail,” InformationWeek, December 13, 2006. http://www.informationweek.com/news/showArticle.jhtml?articleID=196603888.
21 Dan Goodin, “LA Engineers Cop to Traffic System Sabotage,” November 6, 2008. http://www.theregister.co.uk/2008/11/06/traffic_control_system_sabotage/.
As we will see in Chapter 10, U.S. law provides the following definition of hacking—
intentionally accessing a computer resource without authorization or in excess of authorization. Definitions of hacking in other jurisdictions tend to be very similar.22
Hacking is intentionally accessing a computer resource without authorization or in excess
of authorization.
Note that the key issue is authorization.23 Were you explicitly (or implicitly)
authorized to use the resource that you accessed? Were you authorized to use part of
the resource but not the specific part that you accessed? The motivation for hacking is
irrelevant. Penalties are the same whether you were attempting to steal a million dollars
or were merely “testing security.”24
Employee Financial Theft and Theft of Intellectual Property
There are many reasons for employees to access resources without permission or in
excess of permission. Sometimes employees do so out of mere curiosity or to find
information that could embarrass the company. At other times, however, they have
purely criminal goals, such as financial theft, which involves the misappropriation of
assets (say by assigning them via computer to themselves) or the theft of money (such
as the manipulation of an application in order to be paid a bonus).
In the News
In one case of financial theft, two accountants at Cisco Systems illegally accessed a
corporate computer to issue themselves $8 million worth of Cisco stock. In fact, they
successfully issued themselves stocks three times before being caught. They committed
the crime by exploiting the company’s poorly controlled procedures for issuing
stock to employees.25
22 The first documented use of the term hacker was in Steve Levy’s book Hackers, in 1984 (Penguin Books). Levy actually decried the use of the term hacker to mean someone who breaks into computers illicitly. Rather, he argued that hackers were people who managed to hack out creative solutions to difficult computer problems. Some people in security continue to argue for Levy’s viewpoint, using the term cracker as someone who breaks into computers. However, this is not the dominant usage in security and is certainly not widespread in the popular literature. The term cracking is now used primarily to refer to the breaking of passwords or encryption keys.
23 In their defense, hackers can claim that they did not realize that authorization was required because the computer system that they hacked was public, like a free news website. Consequently, firms that have login screens or even public home pages should have a prominent warning that specific authorization is needed to use a site.
24 Most hacking laws require damage to pass a certain level before the hacking can be prosecuted. However, it is quite possible for a hacker to do the requisite amount of damage accidentally, even if he or she did not intend to do so. While access has to be intentional, damage does not.
25 U.S. Department of Justice, “Former Cisco Systems Accountants Sentenced for Unauthorized Access to Computer Systems to Illegally Issue $8 Million in Cisco Stock to Themselves,” November 26, 2001. http://www.cybercrime.gov/Osowski_TangSent.htm.
Another criminal motive is the theft of the company’s intellectual property (IP),
which is information owned by the company and protected by law. IP includes formally
protected information such as copyrights, patents, trade names, and trademarks.
Although many companies have no such formal intellectual assets, IP also includes
trade secrets, which are pieces of sensitive information that a firm acts to keep secret.
These include plans, product formulations, business processes, price lists, customer
lists, and many other types of information that a company wishes to keep secret from
competitors. If another company obtains trade secrets in an illicit way that company
will be subject to prosecution. Nevertheless, some employees steal trade secrets to sell
to another company.
Intellectual property (IP) is information that is owned by the company and protected by
law. Trade secrets are pieces of sensitive information that a firm acts to keep secret.
In the News
When scientists and engineers change jobs, there is always a danger that they will
take trade secret information with them. One former DuPont research scientist
admitted downloading trade secrets worth $400 million. Only when he announced
his intention to leave was his downloading behavior analyzed. The analysis found
that he had downloaded 16,700 documents and even more abstracts—15 times the
volume of the second-highest downloader. Most of these documents had nothing to
do with his primary research area.26
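The DuPont case above was caught only after the fact, by comparing one scientist’s download volume and subject matter with his peers’; the same question (is this actor moving far more data than comparable actors, and data outside its normal scope?) is the one TJX never asked while 80 GB left its processing center. The example below, added here and not code from the book or from either company, runs that comparison over a constructed document-access log. The log format, the user-to-area mapping, and the thresholds are assumptions of this example.

```python
"""Peer-relative download anomaly review for insider data theft.
Added example; log format, area assignments and thresholds are assumed."""
from collections import Counter, defaultdict
from statistics import median

# Constructed access log: (user, document_id, research_area_of_document).
# "dave" pulls 15x the next-highest user, mostly outside his assigned area,
# mirroring the pattern described in the DuPont case.
DOWNLOADS = (
    [("alice", f"doc{i}", "polymers") for i in range(40)]
    + [("bob", f"doc{i}", "coatings") for i in range(55)]
    + [("carol", f"doc{i}", "polymers") for i in range(30)]
    + [("dave", f"doc{i}", "coatings" if i % 5 else "polymers") for i in range(825)]
)

# Each user's assigned research area (assumed to come from HR or project data).
PRIMARY_AREA = {"alice": "polymers", "bob": "coatings",
                "carol": "polymers", "dave": "polymers"}


def download_counts(events):
    """Total downloads per user."""
    return Counter(user for user, _, _ in events)


def flag_volume_outliers(counts, ratio=5.0):
    """Users whose count exceeds `ratio` times the median of all *other* users.
    Excluding the user from the baseline keeps one heavy downloader from
    raising the bar that would otherwise hide him."""
    flagged = {}
    for user, n in counts.items():
        others = [c for u, c in counts.items() if u != user]
        if others and n > ratio * median(others):
            flagged[user] = n / median(others)
    return flagged


def out_of_area_fraction(events, primary):
    """Share of each user's downloads that fall outside their assigned area."""
    per_user = defaultdict(lambda: [0, 0])        # user -> [outside, total]
    for user, _, area in events:
        per_user[user][1] += 1
        if area != primary.get(user):
            per_user[user][0] += 1
    return {u: out / tot for u, (out, tot) in per_user.items()}


def review_queue(events, primary, ratio=5.0, area_threshold=0.5):
    """Users to hand to a human reviewer: volume outliers or mostly-out-of-area readers."""
    counts = download_counts(events)
    vol = flag_volume_outliers(counts, ratio)
    area = out_of_area_fraction(events, primary)
    return sorted(u for u in counts if u in vol or area[u] > area_threshold)


if __name__ == "__main__":
    print("counts:", dict(download_counts(DOWNLOADS)))
    print("review:", review_queue(DOWNLOADS, PRIMARY_AREA))
```

Run continuously rather than at resignation time, a check like this turns the 15-times-the-next-highest signal into an alert while the data is still inside the company; the out-of-area test catches the quieter case of a modest volume that is nonetheless unrelated to the person’s job.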
Employee Extortion
In some cases, an employee or ex-employee will use his or her ability to damage
systems or access confidential information to extort the firm. In extortion, the perpetrator
tries to obtain money or other goods by threatening to take actions that would be
against the victim’s interest. For instance, an employee might plant a logic bomb on the
company’s computer. If the employee or ex-employee tells the company to pay money
to avoid suffering damage, this is extortion. Stealing intellectual property and demanding
money in exchange for not passing on the information is also extortion.
In extortion, the perpetrator tries to obtain money or other goods by threatening to take
actions that would be against the victim’s interest.
26 Jaikumar Vijayan, “Scientist Admits Stealing Valuable Trade Secrets,” PC World, February 16, 2007. http://www.pcworld.com/article/129116-1/article.html?tk=nl_dnxnws.
Employee Sexual or Racial Harassment
Although hacking, theft, and extortion are critical issues, employee sexual or racial
harassment is an even more common problem. Sexual harassment, for example, can
include making physical threats, taking revenge after a romantic break-up, downloading
and displaying pornography, or retaliating against an unwilling sexual partner by
withholding promotions and raises.
In the News
One such case began when a female employee spurned a male employee,
Washington Leung. He left the firm and later logged into his ex-firm’s servers using
passwords given to him while employed there. He deleted over 900 files related to
employee compensation. To frame the female employee, he gave her a $40,000
annual raise and a $100,000 bonus. In addition, he created a Hotmail account in her
name and used the account to send senior managers at the company an e-mail
containing some information from the deleted files. However, the frame failed. In his
work computer at his new place of employment, authorities found evidence of the
e-mail he sent to senior managers.27
Employee Computer and Internet Abuse
INTERNET ABUSE
The term abuse is used for activities that violate a company’s IT use policies or ethics
policies. In some cases, employees abuse their Internet access, most commonly by
downloading pornography, downloading pirated media or software, or wasting many
hours surfing the Internet for personal purposes. Abuse ranges from mildly damaging
behavior to criminal acts.
Abuse consists of activities that violate a company’s IT use policies or ethics policies.
Downloading pornography can lead to sexual harassment lawsuits against the
firm as well as against the responsible individual. Downloading pirated music, videos,
and software, in turn, can result in extensive copyright violation penalties.28
Downloading any unapproved files can also lead to expensive malware infections.
While many employers do not mind a small amount of personal Internet use,
some employees become addicted to Internet use and spend tens of hours a week on
27 U.S. Department of Justice, “U.S [sic] Sentences Computer Operator for Breaking into Ex-Employer’s Database,” March 27, 2002. www.cybercrime.gov/leungSent.htm.
28 In addition, pirated software often contains viruses that infect the downloader’s computer and then infect other computers in the firm.
personal Web surfing at work.29 In addition, when employees download numerous files
from the Internet, they are likely to download a virus or some other malicious software.
IT security departments usually dislike searching for evidence of pornography
and excessive personal websurfing, but this is part of the job in most firms.
NON-INTERNET COMPUTER ABUSE
Another aspect of employee abuse is unauthorized access to private personal data on
internal systems by curious employees. This type of behavior was detected in the 2008
U.S. presidential election campaign and in several celebrity hospitalizations.30
In the News
During the 2008 presidential campaign, contract employees at the State Department
looked at the passport histories of candidates Obama, Clinton, and McCain without
permission.31 “According to Infoworld.com: a breach was flagged by the State
Department’s in-house computer system; but supervisors downplayed the alarm.”32
Two of the contract workers have been fired by their employers. Later, Verizon
announced that Obama’s phone records had been accessed illegally.33
The abuse of internal corporate systems for voyeuristic purposes is not limited to
general office employees. For example, a survey of 300 senior IT administrators in a
London security conference and trade show found that one in three admitted to looking
at confidential or personal information in ways unrelated to their jobs.34
Data Loss
The damaging employee behaviors we have looked at so far involve deliberate
improper actions. Employees can also endanger the security of their firms through
simple carelessness, by losing laptops, optical disks, and USB drives. The unauthorized
release of data on these computers and media can be devastating to the firm.
Even if the data is not actually used, the fact that it could be used may require the firm
to take expensive actions.
29 Raymond R. Panko and Hazel Beh, “Monitoring for Performance and Sexual Harassment,” Communications of the ACM, in a special section on Internet Abuse in the Workplace, January 2002.
30 Charles Ornestein, “UCLA Workers Snooped in Spears’ Medical Records,” Los Angeles Times, March 15, 2008. http://www.latimes.com/news/local/la-me-britney15mar15,0,1421107.story.
31 Anne Flaherty and Desmond Butler, “Obama, Clinton and McCain’s Passports Breached: Two State Dept Officials Fired, Investigation Underway,” Associated Press, March 21, 2008 07:53 p.m. EST; published in the Huffington Post, January 14, 2009.
32 Prolog, “Obama’s Phone Records, Passport Documents Breached by Verizon Employees, Dept. of State Contractors,” Press Release, December 14, 2008.
33 Ibid.
34 Gregg Keizer, “One in Three IT Admins Admit Snooping,” Computerworld, June 22, 2008. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101498.
A Ponemon survey in 2010 found that the total cost of a noncatastrophic data
breach was $3.4 million. Primary causes of data loss were malicious or criminal attacks,
negligence, system glitches, or third-party errors.35
Other “Internal” Attackers
Employees are not the only threats inside a firm’s walls. Many businesses hire contract
workers, who work for the firm for brief periods of time. Contract workers often get
access credentials that are not deleted after their engagement ends. In fact, companies
often hire other companies to do contracting work that takes place inside the original
company’s walls. These contracting companies and their employees also often receive
temporary credentials. These contract workers and contracting firms create risks almost
identical to those created by employees.
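The specific failure named above, contractor credentials that are never deleted when the engagement ends, is easy to audit if the directory can be joined to the engagement dates. The following example, added here and not from the book or any particular product, does that join over a constructed account list and reports two things: enabled accounts whose engagement ended more than a grace period ago, and enabled accounts with no recorded end date at all (which can never expire on their own). Field names, the sample accounts, and the grace period are assumptions of this example.

```python
"""Stale contractor credential audit. Added example; fields and data are assumed."""
from datetime import date, timedelta

# Constructed account records: directory entries joined to an assumed HR feed.
ACCOUNTS = [
    {"user": "c-jsmith",  "employer": "AcmeContracting",
     "engagement_end": date(2008, 3, 31), "enabled": True},
    {"user": "c-mlee",    "employer": "AcmeContracting",
     "engagement_end": date(2008, 9, 30), "enabled": True},
    {"user": "c-rkhan",   "employer": "Globex",
     "engagement_end": date(2008, 1, 15), "enabled": False},   # already disabled
    {"user": "c-tnguyen", "employer": "Globex",
     "engagement_end": None, "enabled": True},                 # no end date on file
]


def stale_contractor_accounts(accounts, today: date, grace_days: int = 0):
    """Split enabled contractor accounts into those past their engagement end
    (beyond the grace period) and those with no end date recorded at all."""
    stale, missing_end = [], []
    for a in accounts:
        if not a["enabled"]:
            continue                      # nothing to revoke
        end = a["engagement_end"]
        if end is None:
            missing_end.append(a["user"])
        elif today - end > timedelta(days=grace_days):
            stale.append(a["user"])
    return {"stale": sorted(stale), "missing_end_date": sorted(missing_end)}


def audit_sample(today: date = date(2008, 6, 1), grace_days: int = 0):
    """Run the audit over the constructed sample as of a fixed date."""
    return stale_contractor_accounts(ACCOUNTS, today, grace_days)


if __name__ == "__main__":
    for category, users in audit_sample().items():
        print(f"{category}: {', '.join(users) or 'none'}")
```

The “missing end date” bucket matters as much as the stale one: an account that was never given an expiry is exactly the credential the text describes, one that is quietly still valid long after the contracting firm has moved on.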
In the News
Claude Carpenter, a 19-year-old employee of a firm managing servers for the U.S.
Internal Revenue Service (IRS), planted a logic bomb on the servers when he learned
he was about to be fired. Although he was seeking vengeance on his own company,
the IRS would have been the real victim had his logic bomb succeeded. He also
planted the code on his supervisor’s computer to frame the supervisor. The
company successfully defused the logic bomb, but other firms in similar situations
have not been so lucky.36
TEST YOUR UNDERSTANDING
3. a. Give four reasons why employees are especially dangerous.
b. What type of employee is the most dangerous?
c. What is sabotage?
d. Give the book’s definition of hacking.
e. What is intellectual property?
f. What two types of things are employees likely to steal?
g. Distinguish between intellectual property in general and trade secrets.
h. What is extortion?
i. What is employee computer and Internet abuse?
j. Who besides employees constitute potential “internal” threats?
1.3 MALWARE
Although employees and other “internal” threats can be extremely dangerous, firms
must also be concerned with traditional external attackers, who use the Internet to send
malware into corporations, hack into corporate computers, and do other damage.
35 Ponemon Institute, “Global Cost of a Data Breach,” April 19, 2010. http://www.ponemon.org/data-security.
36 U.S. Department of Justice, “Lusby, Maryland Man Pleads Guilty to Sabotaging IRS Computers,” July 24, 2001. http://www.cybercrime.gov/carpenterPlea.htm.
Malware Writers
The first external malware attackers were malware writers. The term malware generically
means “evil software.” The most widely known type of malware is the computer virus.
Malware also includes worms, Trojan horses, RATs (remote access Trojans), spam, and
several other types that we will see in this section.
Malware is a generic term for evil software.
Malware is a very serious threat. In June 2006, Microsoft reported results from a
survey of users who allowed their computers to be scanned for malware. The scan
found 16 million pieces of malware on the 5.7 million machines examined.
Viruses
Viruses are programs that attach themselves to legitimate programs on the victim’s
machine. Later, when infected programs are transferred to other computers and run,
the virus attaches itself to other programs on those machines.
Viruses are programs that attach themselves to legitimate programs.
Initially, most viruses were spread through the transfer of programs via floppy
disks. Today, viruses are spread via e-mail with infected attachments, instant messaging,
file sharing programs, infected programs from malicious websites, and users deliberately
downloading “free software” or pornography. Virus writers target popular operating
systems and applications in order to maximize their damage. Through networked
applications, viruses can spread very rapidly today.
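Because a file-infecting virus must change the bytes of the host program it attaches to, the defender-side check that follows directly from the definition above is a hash baseline: record a cryptographic digest of every known-clean program, then look for programs whose digest no longer matches. The following Python example is added here and is not code from the textbook; the file names, their contents and the appended “virus body” are constructed placeholders, and the `infect` helper only appends bytes to stand in for the attachment step.

```python
"""Detecting virus-style modification of legitimate programs with a hash baseline.

Added example (not from the textbook). A file infector has to alter the host
program, so a baseline of SHA-256 digests taken from known-clean files reveals
any program that has since been changed, and any new file that has appeared.
All file names and contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Map each regular file under directory (relative path) to its digest."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            baseline[os.path.relpath(path, directory)] = sha256_file(path)
    return baseline


def verify(directory, baseline):
    """Compare the current state of directory with a stored baseline.

    Returns (modified, added, missing) as sorted lists of relative paths.
    A modified entry is the signature of an infected host program; an added
    entry is a file that did not exist when the baseline was taken.
    """
    current = build_baseline(directory)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return modified, added, missing


def infect(path, payload):
    """Stand-in for a file infector: append code to an existing program.

    Real infectors also redirect the program's entry point; for the integrity
    check only the fact that the bytes changed matters.
    """
    with open(path, "ab") as f:
        f.write(payload)


def demo():
    """Constructed scenario: three clean 'programs', one later infected, one dropped."""
    with tempfile.TemporaryDirectory() as d:
        clean = {
            "calc.exe": b"MZ...clean calculator (placeholder bytes)...",
            "notepad.exe": b"MZ...clean notepad (placeholder bytes)...",
            "util.sh": b"#!/bin/sh\necho util\n",
        }
        for name, body in clean.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(d)              # taken while the system is clean
        infect(os.path.join(d, "calc.exe"), b"\n;;CONSTRUCTED-VIRUS-BODY;;")
        with open(os.path.join(d, "dropper.exe"), "wb") as f:   # new file appears
            f.write(b"MZ...dropped (placeholder bytes)...")
        return verify(d, baseline)


if __name__ == "__main__":
    modified, added, missing = demo()
    print("modified:", modified)   # the infected host program
    print("added:", added)         # files that were not in the baseline
    print("missing:", missing)
```

The baseline must be taken from a known-clean system and stored where the infected machine cannot rewrite it (read-only media, or a separate host), otherwise a virus that also patches the baseline defeats the check; signed packages and tools such as AIDE or Tripwire apply the same idea at scale.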
In the News
When Macintosh users searched BitTorrent sites in early 2009, they found that they
were able to download the newly released Adobe Photoshop CS4. They would also
download a “crack” program that was supposed to install and unlock CS4 on the downloader’s computer.
The copy of CS4 was clean, but when the downloader ran the cracking program, he
or she got a dialog box saying that “Adobe CS4 Crack [intel] requires that you type
your password.” The dialog box had Name and Password data entry boxes, plus
some cryptic details that made it look more authentic.37
37 Andrew Nusca, “Mac Trojan Horse Found in Pirated Adobe Photoshop CS4,” January 26, 2009. http://blogs.zdnet.com/gadgetreviews/?p=856&tag=nl.e539.
FIGURE 1-6 Code for the ILOVEYOU Virus
FIGURE 1-7 Classic Malware: Viruses and Worms (Study Figure)
Malware
  A generic name for any “evil software”
Viruses
  Programs that attach themselves to legitimate programs on the victim’s machine
  Spread today primarily by e-mail
  Also by instant messaging, file transfers, etc.
Worms
  Full programs that do not attach themselves to other programs
  Also spread by e-mail, instant messaging, and file transfers
  In addition, direct-propagation worms can jump from one computer to another without human intervention on the receiving computer
  The receiving computer must have a vulnerability for direct propagation to work
  Direct-propagation worms can spread extremely rapidly
Blended Threats
  Malware that propagates in several ways, such as worms, viruses, compromised webpages containing mobile code, etc.
Payloads
  Pieces of code that do damage
  Executed by viruses and worms after propagation
  Malicious payloads are designed to do heavy damage
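The two points the study figure makes about direct-propagation worms, that a target must have the vulnerability for the jump to succeed and that spread without user intervention is extremely fast, are easiest to see in a small propagation model. The Python simulation below is added here and is not code from the textbook. It runs the same random-scanning worm in two modes over the same population: direct propagation (a probe against a vulnerable host infects it immediately) and mail-style spread (the same probe only succeeds when a user runs the attachment, modelled as a fixed probability). Host count, vulnerable fraction, scan rate, user-action probability and the random seed are constructed parameters.

```python
"""Simulating worm propagation across a population of hosts.

Added example (not from the textbook). A random-scanning worm is run in two
modes over the same hosts: direct propagation, which exploits a vulnerability
and needs no user action, and mail-style spread, which reaches the same hosts
but only runs when a user opens it. Patched hosts are probed like any other
but can never be infected. All parameters below are constructed.
"""
import random


def simulate(hosts=1000, vulnerable_fraction=0.5, scans_per_round=20,
             user_action_prob=1.0, max_rounds=500, seed=7):
    """Return (rounds_to_saturation, infected_per_round, patched_hits).

    Each infected host probes scans_per_round random addresses per round.
    A probe infects its target only if the target is vulnerable and, for
    mail-style malware (user_action_prob < 1.0), only if a user runs it.
    patched_hits counts probes that struck a patched host: the scanning
    noise an IDS or honeypot observes, but never an infection.
    rounds_to_saturation is None if the worm did not reach every vulnerable
    host within max_rounds.
    """
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(hosts), int(hosts * vulnerable_fraction)))
    infected = {rng.choice(sorted(vulnerable))}    # patient zero
    history = [len(infected)]
    patched_hits = 0
    for rnd in range(1, max_rounds + 1):
        new = set()
        for _src in infected:
            for _ in range(scans_per_round):
                target = rng.randrange(hosts)
                if target not in vulnerable:
                    patched_hits += 1               # exploit fails on a patched host
                    continue
                if target in infected or target in new:
                    continue                        # already compromised
                if rng.random() < user_action_prob:
                    new.add(target)                 # successful jump
        infected |= new
        history.append(len(infected))
        if infected == vulnerable:
            return rnd, history, patched_hits
    return None, history, patched_hits


def compare():
    """Direct propagation versus mail-style spread over the same population."""
    direct_rounds, direct_hist, _ = simulate(user_action_prob=1.0)
    mail_rounds, mail_hist, _ = simulate(user_action_prob=0.05)
    return direct_rounds, mail_rounds, direct_hist, mail_hist


if __name__ == "__main__":
    d, m, dh, mh = compare()
    print("direct-propagation worm saturated after", d, "rounds:", dh)
    print("mail-style malware saturated after", m, "rounds")
```

Running it shows the direct-propagation worm covering every vulnerable host in a handful of rounds while the user-dependent variant needs many times longer, and the `patched_hits` counter shows why patching matters twice: a patched host is never infected, and the failed probes against it are exactly what intrusion detection sees first.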
Worms
Viruses are not the only type of malware. One particularly important type of malware is
the worm. Unlike viruses, worms are stand-alone programs that do not attach themselves
to other programs.
Worms are stand-alone programs that do not attach themselves to other programs.
In general, worms act much like viruses and can propagate in many of the same
ways. However, some worms have a far more aggressive spreading mode—jumping
directly from one computer to another without user intervention on the receiving
computer. Such direct-propagation worms take advantage of vulnerabilities (security
weaknesses) in software. When a direct-propagation worm jumps to a computer that
has the specific vulnerability for which the worm was designed, the worm can ...