Third Edition Corporate Computer Security Randall J. Boyle University of Utah Raymond R. Panko University of Hawai`i at Manoa Boston Columbus Indianapolis New York San Francisco Upper Saddle River Amsterdam Cape Town Dubai London Madrid Milan Munich Paris Montreal Toronto Delhi Mexico City Sao Paulo Sydney Hong Kong Seoul Singapore Taipei Tokyo To Courtney Boyle, thank you for your patience, kindness, and perspective on what’s most important in life. —Randy Boyle To Julia Panko, my long-time networking and security editor and one of the best technology minds I’ve ever encountered. —Ray Panko Editorial Director: Sally Yagan Executive Editor: Bob Horan Director of Editorial Services: Ashley Santora Senior Project Manager: Kelly Loftus Production Project Manager: Debbie Ryan Director of Marketing: Maggie Moylan Executive Marketing Manager: Anne Fahlgren Creative Director: Jayne Conte Cover Designer: Suzanne Behnke Full-Service Project Management: George Jacob Composition: Integra Printer/Binder: Courier/Westford Cover Printer: Lehigh Text Font: Palatino 10/12 Credits and acknowledgments borrowed from other sources and reproduced, with permission, in this textbook appear on the appropriate page within text. Microsoft® and Windows® are registered trademarks of the Microsoft Corporation in the U.S.A. and other countries. Screen shots and icons reprinted with permission from the Microsoft Corporation. This book is not sponsored or endorsed by or affiliated with the Microsoft Corporation. Copyright © 2013, 2010, 2004 by Pearson Education, Inc., publishing as Prentice Hall. All rights reserved. Manufactured in the United States of America. This publication is protected by Copyright, and permission should be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. To obtain permission(s) to use material from this work, please submit a written request to Pearson Education, Inc., Permissions Department, One Lake Street, Upper Saddle River, New Jersey 07458, or you may fax your request to 201-236-3290. Many of the designations by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed in initial caps or all caps. Library of Congress Cataloging-in-Publication Data Boyle, Randall J. Corporate computer security.—3rd ed. / Randall J. Boyle, Raymond R. Panko. p. cm. Panko’s name appears first on the earlier edition. ISBN-13: 978-0-13-214535-0 ISBN-10: 0-13-214535-9 1. Computer security. 2. Computer networks—Security measures. 3. Electronic data processing departments—Security measures. I. Panko, Raymond R. II. Title. QA76.9.A25P36 2013 005.8—dc23 2011035372 10 9 8 7 6 5 4 3 2 1 ISBN 10: 0-13-214535-9 ISBN 13: 978-0-13-214535-0 CONTENTS Preface xviii About the Authors xxiv Chapter 1 The Threat Environment 1 1.1 Introduction 1 Basic Security Terminology 2 THE THREAT ENVIRONMENT 2 SECURITY GOALS 3 COMPROMISES 3 COUNTERMEASURES 3 Case Study: The TJX Data Breach 4 THE TJX COMPANIES, INC. 4 DISCOVERY 4 THE BREAK-INS 6 THE PAYMENT CARD INDUSTRY–DATA SECURITY STANDARD 7 THE FALLOUT: LAWSUITS AND INVESTIGATIONS 8 PROSECUTION 8 1.2 Employee and Ex-employee Threats 9 Why Employees Are Dangerous 10 Employee Sabotage 10 Employee Hacking 12 Employee Financial Theft and Theft of Intellectual Property 13 Employee Extortion 14 Employee Sexual or Racial Harassment 15 Employee Computer and Internet Abuse 15 INTERNET ABUSE 15 NON-INTERNET COMPUTER ABUSE 16 Data Loss 16 Other “Internal” Attackers 17 1.3 Malware 17 Malware Writers 18 Viruses 18 Worms 20 Blended Threats 21 Payloads 21 Trojan Horses and Rootkits 22 NONMOBILE MALWARE 22 TROJAN HORSES 22 REMOTE ACCESS TROJANS 23 DOWNLOADERS 24 SPYWARE 24 ROOTKITS 24 Mobile Code 25 Social Engineering in Malware 25 SPAM 26 PHISHING 26 SPEAR PHISHING 29 HOAXES 29 1.4 Hackers and Attacks 30 Traditional Motives 30 Anatomy of a Hack 32 TARGET SELECTION 32 RECONNAISSANCE PROBES THE EXPLOIT 33 SPOOFING 33 32 Social Engineering in an Attack 35 Denial-of-Service Attacks 37 Skill Levels 38 1.5 The Criminal Era 40 Dominance by Career Criminals 40 CYBERCRIME 40 INTERNATIONAL GANGS 41 BLACK MARKETS AND MARKET SPECIALIZATION 42 Fraud, Theft, and Extortion 45 FRAUD 46 FINANCIAL AND INTELLECTUAL PROPERTY THEFT 46 EXTORTION AGAINST CORPORATIONS 47 Stealing Sensitive Data about Customers and Employees 48 CARDING 48 iii iv Contents BANK ACCOUNT THEFT 48 ONLINE STOCK ACCOUNT THEFT 48 IDENTITY THEFT 48 THE CORPORATE CONNECTION 49 CORPORATE IDENTITY THEFT 49 1.6 Competitor Threats 50 Commercial Espionage 50 Denial-of-Service Attacks 52 1.7 Cyberwar and Cyberterror 53 Cyberwar 53 Cyberterror 54 1.8 Conclusion 55 Thought Questions 56 • Hands-on Projects 57 • Project Thought Questions 58 • Perspective Questions 58 Chapter 2 Planning and Policy 59 2.1 Introduction 60 Defense 60 Management Processes 61 MANAGEMENT IS THE HARD PART 61 COMPREHENSIVE SECURITY 61 WEAKEST LINKS FAILURES 61 THE NEED TO PROTECT MANY RESOURCES 63 The Need for a Disciplined Security Management Process 63 The Plan–Protect–Respond Cycle 64 PLANNING 64 PROTECTION 64 RESPONSE 66 Vision in Planning 66 VIEWING SECURITY AS AN ENABLER 66 DEVELOPING POSITIVE VISIONS OF USERS 67 Strategic IT Security Planning 68 2.2 Compliance Laws and Regulations 69 Driving Forces 69 Sarbanes–Oxley 70 Privacy Protection Laws 72 Data Breach Notification Laws 74 The Federal Trade Commission 75 Industry Accreditation 75 PCI-DSS 75 Fisma 75 2.3 Organization 76 Chief Security Officers 76 ShouldYou Place Security within IT? 76 LOCATING SECURITY WITHIN IT 78 PLACING SECURITY OUTSIDE IT 78 A HYBRID SOLUTION 78 Top Management Support 79 Relationships with Other Departments 79 SPECIAL RELATIONSHIPS 79 ALL CORPORATE DEPARTMENTS 80 BUSINESS PARTNERS 80 Outsourcing IT Security 81 E-MAIL OUTSOURCING 81 MANAGED SECURITY SERVICE PROVIDER 84 2.4 Risk Analysis 85 Reasonable Risk 86 Classic Risk Analysis Calculations 86 ASSET VALUE 86 EXPOSURE FACTOR 87 SINGLE LOSS EXPECTANCY 87 ANNUALIZED PROBABILITY (OR RATE) OF OCCURRENCE 87 ANNUALIZED LOSS EXPECTANCY 87 COUNTERMEASURE IMPACT 87 ANNUALIZED COUNTERMEASURE COST AND NET VALUE 88 Problems with Classic Risk Analysis Calculations 90 UNEVEN MULTIYEAR CASH FLOWS 90 TOTAL COST OF INCIDENT 90 MANY-TO-MANY RELATIONSHIPS BETWEEN COUNTERMEASURES AND RESOURCES 90 THE IMPOSSIBILITY OF COMPUTING ANNUALIZED RATES OF OCCURRENCE 90 THE PROBLEM WITH “HARD-HEADED THINKING” 92 PERSPECTIVE 92 Responding to Risk 93 RISK REDUCTION 93 RISK ACCEPTANCE 93 RISK TRANSFERENCE (INSURANCE) 94 RISK AVOIDANCE 94 v Contents 2.5 Technical Security Architecture 94 Technical Security Architectures 94 ARCHITECTURAL DECISIONS 95 DEALING WITH LEGACY SECURITY TECHNOLOGY 95 Principles 95 DEFENSE IN DEPTH 95 DEFENSE IN DEPTH VERSUS WEAKEST LINKS 97 SINGLE POINTS OF VULNERABILITY 97 MINIMIZING SECURITY BURDENS 97 REALISTIC GOALS 97 Elements of a Technical Security Architecture 98 BORDER MANAGEMENT 98 INTERNAL SITE SECURITY MANAGEMENT 98 MANAGEMENT OF REMOTE CONNECTIONS 98 INTERORGANIZATIONAL SYSTEMS 99 CENTRALIZED SECURITY MANAGEMENT 99 2.6 Policy-Driven Implementation 99 Policies 99 WHAT ARE POLICIES? 99 WHAT, NOT HOW 99 CLARITY 100 Categories of Security Policies 100 CORPORATE SECURITY POLICY 100 MAJOR POLICIES 101 ACCEPTABLE USE POLICY 101 POLICIES FOR SPECIFIC COUNTERMEASURES OR RESOURCES 102 Policy-Writing Teams 103 Implementation Guidance 103 NO GUIDANCE 105 STANDARDS AND GUIDELINES 105 Types of Implementation Guidance 105 PROCEDURES 105 PROCESSES 106 BASELINES 106 BEST PRACTICES AND RECOMMENDED PRACTICES 107 ACCOUNTABILITY 107 ETHICS 107 Exception Handling 109 Oversight 110 POLICIES AND OVERSIGHT 110 PROMULGATION 110 ELECTRONIC MONITORING 111 SECURITY METRICS 111 AUDITING 113 ANONYMOUS PROTECTED HOTLINE 113 BEHAVIORAL AWARENESS 114 FRAUD 114 SANCTIONS 116 2.7 Governance Frameworks 117 COSO 118 THE COSO FRAMEWORK 118 OBJECTIVES 118 REASONABLE ASSURANCE 118 COSO FRAMEWORK COMPONENTS 118 CobiT 120 THE COBIT FRAMEWORK 121 DOMINANCE IN THE UNITED STATES 121 The ISO/IEC 27000 Family 122 ISO/IEC 27002 122 ISO/IEC 27001 122 OTHER 27000 STANDARDS 122 2.8 Conclusion 123 Thought Questions 124 Hands-on Projects 124 • Project Thought Questions 125 • Perspective Questions 125 Chapter 3 Cryptography 127 3.1 What is Cryptography? 128 Encryption for Confidentiality 129 Terminology 129 PLAINTEXT 129 ENCRYPTION AND CIPHERTEXT 129 CIPHER 130 KEY 130 KEEPING THE KEY SECRET 130 The Simple Cipher 130 Cryptanalysis 131 Substitution and Transposition Ciphers 132 Substitution Ciphers 132 Transposition Ciphers 132 Real-world Encryption 133 Ciphers and Codes 133 vi Contents Symmetric Key Encryption 134 KEY LENGTH 135 Human Issues in Cryptography 137 3.2 Symmetric Key Encryption Ciphers 139 RC4 139 The Data Encryption Standard (DES) 140 56-BIT KEY SIZE 140 BLOCK ENCRYPTION 141 Triple DES (3DES) 141 168-BIT 3DES OPERATION 141 112-BIT 3DES 141 PERSPECTIVE ON 3DES 141 Advanced Encryption Standard (AES) 142 Other Symmetric Key Encryption Ciphers 143 3.3 Cryptographic System Standards 145 Cryptographic Systems 145 Initial Handshaking Stages 145 NEGOTIATION 145 INITIAL AUTHENTICATION 146 KEYING 147 Ongoing Communication 147 3.4 The Negotiation Stage 147 Cipher Suite Options 148 Cipher Suite Policies 148 3.5 Initial Authentication Stage 149 HIGH COST AND SHORT MESSAGE LENGTHS 154 RSA AND ECC 154 KEY LENGTH 154 Symmetric Key Keying Using Public Key Encryption 155 Symmetric Key Keying Using Diffie–Hellman Key Agreement 156 3.7 Message-By-Message Authentication 157 Electronic Signatures 157 Public Key Encryption for Authentication 157 Message-by-Message Authentication with Digital Signatures 158 DIGITAL SIGNATURES 158 HASHING TO PRODUCE THE MESSAGE DIGEST 158 SIGNING THE MESSAGE DIGEST TO PRODUCE THE DIGITAL SIGNATURE 158 SENDING THE MESSAGE WITH CONFIDENTIALITY 159 VERIFYING THE SUPPLICANT 160 MESSAGE INTEGRITY 160 PUBLIC KEY ENCRYPTION FOR CONFIDENTIALITY AND AUTHENTICATION 160 Digital Certificates 161 CERTIFICATE AUTHORITIES 161 DIGITAL CERTIFICATE 162 VERIFYING THE DIGITAL CERTIFICATE 163 THE ROLES OF THE DIGITAL CERTIFICATE AND DIGITAL SIGNATURE 164 Authentication Terminology 149 Hashing 149 Initial Authentication with MS-CHAP 151 Key-Hashed Message Authentication Codes (HMACs) 166 ON THE SUPPLICANT’S MACHINE: HASHING 151 ON THE VERIFIER SERVER 151 Creating and Testing the HMAC 166 Nonrepudiation 166 3.6 The Keying Stage 152 Session Keys 152 Public Key Encryption for Confidentiality 153 TWO KEYS 153 PROCESS 153 PADLOCK AND KEY ANALOGY 153 THE PROBLEM WITH DIGITAL SIGNATURES 166 3.8 Quantum Security 169 3.9 Cryptographic Systems 170 Virtual Private Networks (VPNs) 171 Why VPNs? 172 Host-to-Host VPNs 172 Remote Access VPNs 172 Site-to-Site VPNs 173 Contents 3.10 SSL/TLS 173 Nontransparent Protection 174 Inexpensive Operation 174 SSL/TLS Gateways and Remote Access VPNs 175 VPN GATEWAY STANDARDS 175 AUTHENTICATION 175 CONNECTING THE CLIENT PC TO AUTHORIZED RESOURCES 175 SECURITY FOR SERVICES 176 BROWSER ON THE CLIENT 177 ADVANCED SERVICES REQUIRE ADMINISTRATOR PRIVILEGES ON PCS 178 PERSPECTIVE 179 3.11 IPsec 179 SSL/TLS GIVES NONTRANSPARENT TRANSPORT LAYER SECURITY 180 IPSEC: TRANSPARENT INTERNET LAYER SECURITY 180 IPSEC IN BOTH IPV4 AND IPV6 181 IPsec Transport Mode 181 HOST-TO-HOST SECURITY 181 END-TO-END PROTECTION 182 COST OF SETUP 182 IPSEC IN TRANSPORT MODE AND FIREWALLS 182 IPsec Tunnel Mode 183 Future of Secure Networks 193 DEATH OF THE PERIMETER RISE OF THE CITY 194 194 4.2 DoS Attacks 195 Denial of Service . . . But Not an Attack 195 FAULTY CODING 195 REFERRALS FROM LARGE SITES 196 Goal of DoS Attacks 196 STOP CRITICAL SERVICES 196 DEGRADE SERVICES 196 DIRECT AND INDIRECT ATTACKS 198 INTERMEDIARY 200 REFLECTED ATTACK 203 SENDING MALFORMED PACKETS 204 Defending Against Denial-of-Service Attacks 205 BLACK HOLING 205 VALIDATING THE HANDSHAKE 206 RATE LIMITING 206 4.3 ARP Poisoning 207 Normal ARP Operation 209 THE PROBLEM PROTECTION IS PROVIDED BY IPSEC GATEWAYS 183 LESS EXPENSIVE THAN TRANSPORT MODE 183 FIREWALL-FRIENDLY PROTECTION 183 NO PROTECTION WITHIN THE TWO SITES 183 IPsec Security Associations (SAs) 184 SEPARATE SAS IN THE TWO DIRECTIONS 184 POLICY-BASED SA 184 3.12 Conclusion 185 Thought Questions 187 • Handson Projects 188 • Project Thought Questions 190 • Perspective Questions 190 191 4.1 Introduction 191 Creating Secure Networks 192 AVAILABILITY 192 CONFIDENTIALITY 192 FUNCTIONALITY 193 ACCESS CONTROL 193 Methods of DoS Attacks 198 Attractions of IPsec 180 Chapter 4 Secure Networks vii 209 ARP Poisoning 210 ARP DoS Attack 211 Preventing ARP Poisoning 212 STATIC TABLES 212 LIMIT LOCAL ACCESS 212 4.4 Access Control for Networks 214 LAN Connections 214 Access Control Threats 215 Eavesdropping Threats 215 4.5 Ethernet Security 216 Ethernet and 802.1X 216 COST SAVINGS 217 CONSISTENCY 217 IMMEDIATE CHANGES 217 The Extensible Authentication Protocol (EAP) 217 EAP OPERATION 218 viii Contents EXTENSIBILITY 219 RADIUS Servers 219 RADIUS AND EAP 219 4.6 Wireless Security 220 Wireless Attacks 221 Unauthorized Network Access 221 PREVENTING UNAUTHORIZED ACCESS 222 Evil Twin Access Points 224 Wireless Denial of Service 226 FLOOD THE FREQUENCY 226 FLOOD THE ACCESS POINT 227 SEND ATTACK COMMANDS 227 Wireless LAN Security with 802.11i 228 EAP’S NEED FOR SECURITY 228 ADDING SECURITY TO EAP 229 EAP-TLS AND PEAP 229 Core Wireless Security Protocols 230 Wired Equivalent Privacy (WEP) 230 Cracking WEP 231 SHARED KEYS AND OPERATIONAL SECURITY 231 EXPLOITING WEP’S WEAKNESS 231 Perspective 231 Wi-Fi Protected Access (WPA™) 232 Pre-Shared Key (PSK) Mode 235 Wireless Intrusion Detection Systems 237 False 802.11 Security Measures 238 SPREAD SPECTRUM OPERATION AND SECURITY 238 TURNING OFF SSID BROADCASTING 239 MAC ACCESS CONTROL LISTS 239 Implementing 802.11i or WPA Is Easier 240 4.7 Conclusion 240 Thought Questions 241 • Handson Projects 242 • Project Thought Questions 243 • Perspective Questions 243 Chapter 5 Access Control 5.1 Introduction 246 Access Control 246 245 Authentication, Authorizations, and Auditing 246 Authentication 246 Beyond Passwords 247 Two-Factor Authentication 248 Individual and Role-Based Access Control 248 Organizational and Human Controls 248 Military and National Security Organization Access Controls 249 Multilevel Security 249 5.2 Physical Access and Security 250 Risk Analysis 250 ISO/IEC 9.1: Secure Areas 251 PHYSICAL SECURITY PERIMETER 251 PHYSICAL ENTRY CONTROLS 252 PUBLIC ACCESS, DELIVERY, AND LOADING AREAS 252 SECURING OFFICES, ROOMS, AND FACILITIES 252 PROTECTING AGAINST EXTERNAL AND ENVIRONMENTAL THREATS 252 RULES FOR WORKING IN SECURE AREAS 256 ISO/IEC 9.2 Equipment Security 256 EQUIPMENT SITING AND PROTECTION 256 SUPPORTING UTILITIES 257 CABLING SECURITY 257 SECURITY DURING OFF-SITE EQUIPMENT MAINTENANCE 257 SECURITY OF EQUIPMENT OFF-PREMISES 257 SECURE DISPOSAL OR REUSE OF EQUIPMENT 257 REMOVAL OF PROPERTY 258 Other Physical Security Issues 258 TERRORISM 258 PIGGYBACKING 258 MONITORING EQUIPMENT 259 DUMPSTER™ DIVING 260 DESKTOP PC SECURITY 260 NOTEBOOK SECURITY 260 5.3 Passwords 260 Password-Cracking Programs 260 Password Policies 261 Contents Password Use and Misuse 261 NOT USING THE SAME PASSWORD AT MULTIPLE SITES 261 PASSWORD DURATION POLICIES 262 POLICIES PROHIBITING SHARED ACCOUNTS 263 DISABLING PASSWORDS THAT ARE NO LONGER VALID 263 LOST PASSWORDS 263 PASSWORD STRENGTH 266 PASSWORD AUDITING 266 The End of Passwords? 267 5.4 Access Cards and Tokens 268 Access Cards 268 MAGNETIC STRIPE CARDS 269 SMART CARDS 269 CARD READER COSTS 269 Tokens 269 FACE RECOGNITION 282 HAND GEOMETRY 283 VOICE RECOGNITION 287 OTHER FORMS OF BIOMETRIC AUTHENTICATION 287 5.6 Cryptographic Authentication 287 Key Points from Chapter 3 287 Public Key Infrastructures 288 THE FIRM AS A CERTIFICATE AUTHORITY 288 CREATING PUBLIC KEY–PRIVATE KEY PAIRS 289 DISTRIBUTING DIGITAL CERTIFICATES 289 ACCEPTING DIGITAL CERTIFICATES 289 CERTIFICATE REVOCATION STATUS 290 PROVISIONING 290 THE PRIME AUTHENTICATION PROBLEM 290 5.7 Authorization 290 ONE-TIME-PASSWORD TOKENS USB TOKENS 270 270 Proximity Access Tokens 270 Addressing Loss and Theft 270 PHYSICAL DEVICE CANCELLATION 270 TWO-FACTOR AUTHENTICATION 272 5.5 Biometric Authentication 273 Biometrics 273 Biometric Systems 274 INITIAL ENROLLMENT 274 SUBSEQUENT ACCESS ATTEMPTS 275 ACCEPTANCE OR REJECTION 276 Biometric Errors 276 FALSE ACCEPTANCE RATE 276 FALSE REJECTION RATE 277 WHICH IS WORSE? 277 VENDOR CLAIMS 277 FAILURE TO ENROLL 278 Verification, Identification, and Watch Lists 278 VERIFICATION 278 IDENTIFICATION 279 WATCH LISTS 280 The Principle of Least Permissions 291 5.8 Auditing 292 Logging 292 Log Reading 293 REGULAR LOG READING 293 PERIODIC EXTERNAL AUDITS OF LOG FILE ENTRIES 293 AUTOMATIC ALERTS 293 5.9 Central Authentication Servers 294 The Need for Centralized Authentication 294 Kerberos 295 5.10 Directory Servers 296 What Are Directory Servers? 297 Hierarchical Data Organization 297 Lightweight Data Access Protocol 298 Use by Authentication Servers 298 Active Directory 298 ACTIVE DIRECTORY DOMAINS 299 Trust 300 5.11 Full Identity Management 301 Biometric Deception 280 Biometric Methods 282 FINGERPRINT RECOGNITION IRIS RECOGNITION 282 ix 282 Other Directory Servers and Metadirectories 301 Federated Identity Management 302 x Contents THE SECURITY ASSERTION MARKUP LANGUAGE 304 PERSPECTIVE 304 Identity Management 304 BENEFITS OF IDENTITY MANAGEMENT 304 WHAT IS IDENTITY? 306 IDENTITY MANAGEMENT 306 Trust and Risk 307 5.12 Conclusion 307 Thought Questions 309 • Handson Projects 310 • Project Thought Questions 311 • Perspective Questions 311 Chapter 6 Firewalls 313 6.1 Introduction 314 Basic Firewall Operation 314 The Danger of Traffic Overload 319 Firewall Filtering Mechanisms 320 6.2 Static Packet Filtering 321 Looking at Packets One at a Time 321 Looking Only at Some Fields in the Internet and Transport Headers 321 Usefulness of Static Packet Filtering 321 Perspective on SPI Firewalls 334 LOW COST 334 SAFETY 334 DOMINANCE 335 6.4 Network Address Translation 335 Sniffers 335 NAT OPERATION 335 PACKET CREATION 336 NETWORK AND PORT ADDRESS TRANSLATION 336 TRANSLATION TABLE 336 RESPONSE PACKET 336 RESTORATION 336 PROTECTION 337 Perspective on NAT 337 NAT/PAT 337 TRANSPARENCY 337 NAT TRAVERSAL 337 6.5 Application Proxy Firewalls and Content Filtering 337 Application Proxy Firewall Operation 338 Perspective 322 6.3 Stateful Packet Inspection ACCESS CONTROL LISTS (ACLS) FOR INGRESS FILTERING 332 IF-THEN FORMAT 332 PORTS AND SERVER ACCESS 332 DISALLOW ALL CONNECTIONS 333 323 Basic Operation 323 CONNECTIONS 323 STATES 324 STATEFUL PACKET INSPECTION WITH TWO STATES 324 REPRESENTING CONNECTIONS 325 Packets That Do Not Attempt to Open Connections 326 TCP CONNECTIONS 329 UDP AND ICMP CONNECTIONS 329 ATTACK ATTEMPTS 329 PERSPECTIVE 329 Packets That Do Attempt to Open a Connection 330 Access Control Lists (ACLs) for Connection-Opening Attempts 331 WELL-KNOWN PORT NUMBERS 331 OPERATIONAL DETAILS 338 APPLICATION PROXY PROGRAMS VERSUS APPLICATION PROXY FIREWALLS 338 PROCESSING-INTENSIVE OPERATION 338 ONLY A FEW APPLICATIONS CAN BE PROXIED 339 TWO COMMON USES 339 Application Content Filtering in Stateful Packet Inspection Firewalls 340 Application Content Filtering for HTTP 341 Client Protections 341 Server Protections 341 Other Protections 344 6.6 Intrusion Detection Systems and Intrusion Prevention Systems 345 Intrusion Detection Systems 345 FIREWALLS VERSUS IDSS 347 Contents FALSE POSITIVES (FALSE ALARMS) 347 HEAVY PROCESSING REQUIREMENTS 347 Intrusion Prevention Systems 348 ASICS FOR FASTER PROCESSING 348 THE ATTACK IDENTIFICATION CONFIDENCE SPECTRUM 348 IPS Actions 349 DROPPING PACKETS 349 LIMITING TRAFFIC 349 6.7 Antivirus Filtering and Unified Threat Management 349 6.8 Firewall Architectures 354 Types of Firewalls 354 MAIN BORDER FIREWALLS 354 SCREENING BORDER ROUTERS 354 INTERNAL FIREWALLS 354 HOST FIREWALLS 355 DEFENSE IN DEPTH 355 The Demilitarized Zone 355 SECURITY IMPLICATIONS 356 HOSTS IN THE DMZ 356 6.9 Firewall Management 357 Defining Firewall Policies 357 WHY USE POLICIES? 357 EXAMPLES OF POLICIES 359 Implementation 359 FIREWALL HARDENING 359 CENTRAL FIREWALL MANAGEMENT SYSTEMS 359 FIREWALL POLICY DATABASE 360 VULNERABILITY TESTING AFTER CONFIGURATION 361 CHANGE AUTHORIZATION AND MANAGEMENT 361 READING FIREWALL LOGS 362 Reading Firewall Logs 363 Log Files 363 Sorting the Log File by Rule 363 Echo Probes 363 External Access to All Internal FTP Servers 365 Attempted Access to Internal Webservers 365 xi Incoming Packet with a Private IP Source Address 365 Lack of Capacity 365 Perspective 365 Sizes of Log Files 366 Logging All Packets 366 6.10 Firewall Filtering Problems 367 The Death of the Perimeter 367 AVOIDING THE BORDER FIREWALL 367 EXTENDING THE PERIMETER 368 PERSPECTIVE 368 Attack Signatures versus Anomaly Detection 368 ZERO-DAY ATTACKS 368 ANOMALY DETECTION 369 ACCURACY 369 6.11 Conclusion 369 Thought Questions 372 • Handson Projects 372 • Project Thought Questions 374 • Perspective Questions 374 Chapter 7 Host Hardening 375 7.1 Introduction 375 What Is a Host? 376 The Elements of Host Hardening 376 Security Baselines and Images 377 Virtualization 377 VIRTUALIZATION ANALOGY 379 BENEFITS OF VIRTULAIZATION 380 Systems Administrators 380 7.2 Important Server Operating Systems 385 Windows Server Operating Systems 386 THE WINDOWS SERVER USER INTERFACE 386 START : ADMINISTRATIVE TOOLS 386 MICROSOFT MANAGEMENT CONSOLES (MMCS) 387 UNIX (Including Linux) Servers 388 MANY VERSIONS 389 LINUX 390 UNIX USER INTERFACES 391 xii Contents 7.3 Vulnerabilities and Patches 392 Vulnerabilities and Exploits 392 Fixes 392 WORK-AROUNDS 397 PATCHES 397 SERVICE PACKS 397 VERSION UPGRADES 397 The Mechanics of Patch Installation 398 MICROSOFT WINDOWS SERVER LINUX RPM PROGRAM 398 398 Problems with Patching 399 THE NUMBER OF PATCHES 399 COST OF PATCH INSTALLATION 399 PRIORITIZING PATCHES 399 PATCH MANAGEMENT SERVERS 399 THE RISKS OF PATCH INSTALLATION 400 7.4 Managing Users and Groups 401 The Importance of Groups in Security Management 401 Creating and Managing Users and Groups in Windows 401 THE ADMINISTRATOR ACCOUNT 401 MANAGING ACCOUNTS 402 CREATING USERS 402 WINDOWS GROUPS 402 7.5 Managing Permissions 404 Permissions 404 Assigning Permissions in Windows 404 DIRECTORY PERMISSIONS 404 WINDOWS PERMISSIONS 405 ADDING USERS AND GROUPS 405 INHERITANCE 405 DIRECTORY ORGANIZATION 406 Assigning Groups and Permissions in UNIX 407 NUMBER OF PERMISSIONS 407 NUMBER OF ACCOUNTS OR GROUPS 408 7.6 Creating Strong Passwords 408 Creating and Storing Passwords 409 CREATING A PASSWORD HASH 409 STORING PASSWORDS 409 STEALING PASSWORDS 410 Password-Cracking Techniques 410 BRUTE-FORCE GUESSING 410 DICTIONARY ATTACKS ON COMMON WORD PASSWORDS 412 HYBRID DICTIONARY ATTACKS 413 RAINBOW TABLES 414 TRULY RANDOM PASSWORDS 415 TESTING AND ENFORCING THE STRENGTH OF PASSWORDS 415 OTHER PASSWORD THREATS 415 7.7 Testing for Vulnerabilities 416 Windows Client PC Security 417 Client PC Security Baselines 418 The Windows Action Center 418 Windows Firewall 420 Automatic Updates 420 Antivirus and Spyware Protection 420 Implementing Security Policy 421 PASSWORD POLICIES 421 ACCOUNT POLICIES 421 AUDIT POLICIES 422 Protecting Notebook Computers 423 THREATS 423 BACKUP 423 POLICIES FOR SENSITIVE DATA 424 TRAINING 425 COMPUTER RECOVERY SOFTWARE 425 Centralized PC Security Management 425 STANDARD CONFIGURATIONS 425 NETWORK ACCESS CONTROL 426 WINDOWS GROUP POLICY OBJECTS 426 7.8 Conclusion 429 Thought Questions 430 • Handson Projects 430 • Project Thought Questions 432 • Perspective Questions 432 Chapter 8 Application Security 433 8.1 Application Security And Hardening 433 Executing Commands with the Privileges of a Compromised Application 434 Contents Buffer Overflow Attacks 434 BUFFERS AND OVERFLOWS 434 STACKS 435 RETURN ADDRESS 435 THE BUFFER AND BUFFER OVERFLOW 435 EXECUTING ATTACK CODE 435 AN EXAMPLE: THE IIS IPP BUFFER OVERFLOW ATTACK 436 Few Operating Systems, Many Applications 436 Hardening Applications 437 UNDERSTAND THE SERVER’S ROLE AND THREAT ENVIRONMENT 437 THE BASICS 438 MINIMIZE APPLICATIONS 438 SECURITY BASELINES FOR APPLICATION MINIMIZATION 439 CREATE A SECURE CONFIGURATION 439 INSTALL APPLICATION PATCHES AND UPDATES 439 MINIMIZE THE PERMISSIONS OF APPLICATIONS 440 ADD APPLICATION-LEVEL AUTHENTICATION, AUTHORIZATIONS, AND AUDITING 440 IMPLEMENT CRYPTOGRAPHIC SYSTEMS 440 Securing Custom Applications 440 NEVER TRUST USER INPUT 441 BUFFER OVERFLOW ATTACKS 441 LOGIN SCREEN BYPASS ATTACKS 442 CROSS-SITE SCRIPTING ATTACKS 442 SQL INJECTION ATTACKS 423 AJAX MANIPULATION 423 TRAINING IN SECURE COMPUTING 423 8.2 WWW and E-Commerce Security 446 The Importance of WWW and E-Commerce Security 446 WWW Service versus E-Commerce Service 446 E-COMMERCE SERVICE 447 EXTERNAL ACCESS 448 CUSTOM PROGRAMS 448 Some Webserver Attacks 449 WEBSITE DEFACEMENT 449 BUFFER OVERFLOW ATTACK TO LAUNCH A COMMAND SHELL 449 xiii DIRECTORY TRAVERSAL ATTACK 449 THE DIRECTORY TRAVERSAL WITH HEXADECIMAL CHARACTER ESCAPES 450 UNICODE DIRECTORY TRAVERSAL 451 Patching the Webserver and E-Commerce Software and Its Components 451 E-COMMERCE SOFTWARE VULNERABILITIES 451 Other Website Protections 452 WEBSITE VULNERABILITY ASSESSMENT TOOLS 452 WEBSITE ERROR LOGS 452 WEBSERVER-SPECIFIC APPLICATION PROXY FIREWALLS 453 Controlling Deployment 453 DEVELOPMENT SERVERS 454 TESTING SERVERS 454 PRODUCTION SERVERS 454 8.3 Web Browser Attacks 454 BROWSER THREATS 454 MOBILE CODE 454 MALICIOUS LINKS 456 OTHER CLIENT-SIDE ATTACKS 456 Enhancing Browser Security 458 PATCHING AND UPGRADING CONFIGURATION 458 INTERNET OPTIONS 458 SECURITY TAB 459 PRIVACY TAB 462 458 8.4 E-Mail Security 463 E-Mail Content Filtering 463 MALICIOUS CODE IN ATTACHMENTS AND HTML BODIES 463 SPAM 464 INAPPROPRIATE CONTENT 465 EXTRUSION PREVENTION 465 PERSONALLY IDENTIFIABLE INFORMATION (PII) 465 Where to Do E-Mail Malware and Spam Filtering 465 E-Mail Encryption 466 TRANSMISSION ENCRYPTION 466 MESSAGE ENCRYPTION 466 8.5 Voice over IP Security 468 Sending Voice between Phones 468 xiv Contents Transport and Signaling 469 SIP and H.323 470 Registration 470 SIP Proxy Servers 470 PSTN Gateway 470 VoIP Threats 471 Eavesdropping 471 Denial-of-Service (DoS) Attacks 471 Caller Impersonation 472 Hacking and Malware Attacks 472 Toll Fraud 472 Spam over IP Telephony (SPIT) 473 New Threats 473 Implementing VoIP Security 473 Authentication 473 Encryption for Confidentiality 473 Firewalls 474 NAT Problems 475 Separation: Anticonvergence 475 The Skype VoIP Service 475 8.6 Other User Applications 477 Instant Messaging (IM) 477 TCP/IP Supervisory Applications 479 8.7 Conclusion 480 Thought Questions 481 • Handson Projects 481 • Project Thought Questions 483 • Perspective Questions 483 Chapter 9 Data Protection 485 9.1 Introduction 485 Data’s Role in Business 486 SONY DATA BREACHES 486 Securing Data 486 9.2 Data Protection: Backup 487 The Importance of Backup 487 Threats 487 Scope of Backup 487 FILE/DIRECTORY DATA BACKUP 488 IMAGE BACKUP 488 SHADOWING 489 Full versus Incremental Backups 491 Backup Technologies 493 LOCAL BACKUP 493 CENTRALIZED BACKUP 493 CONTINUOUS DATA PROTECTION 494 INTERNET BACKUP SERVICE 494 MESH BACKUP 494 9.3 Backup Media and Raid 495 MAGNETIC TAPE 495 CLIENT PC BACKUP 496 Disk Arrays—RAID 497 Raid Levels 497 NO RAID 497 RAID 0 498 RAID 1 499 RAID 5 500 9.4 Data Storage Policies 503 BACKUP CREATION POLICIES 504 RESTORATION POLICIES 504 MEDIA STORAGE LOCATION POLICIES 504 ENCRYPTION POLICIES 505 ACCESS CONTROL POLICIES 505 RETENTION POLICIES 505 AUDITING BACKUP POLICY COMPLIANCE 505 E-Mail Retention 506 THE BENEFIT OF RETENTION 506 THE DANGERS OF RETENTION 506 ACCIDENTAL RETENTION 506 THIRD-PARTY E-MAIL RETENTION 508 LEGAL ARCHIVING REQUIREMENTS 508 U.S. FEDERAL RULES OF CIVIL PROCEDURE 508 MESSAGE AUTHENTICATION 509 DEVELOPING POLICIES AND PROCESSES 509 User Training 509 Spreadsheets 510 VAULT SERVER ACCESS CONTROL 510 OTHER VAULT SERVER PROTECTIONS 511 9.5 Database Security 511 Relational Databases 512 LIMITING THE VIEW OF DATA 512 Database Access Control 516 DATABASE ACCOUNTS 516 SQL INJECTION ATTACKS 516 Database Auditing 517 Contents WHAT TO AUDIT 518 TRIGGERS 518 Database Placement and Configuration 520 CHANGE THE DEFAULT PORT 520 Data Encryption 520 KEY ESCROW 521 FILE/DIRECTORY ENCRYPTION VERSUS WHOLE-DISK ENCRYPTION 522 PROTECTING ACCESS TO THE COMPUTER 522 DIFFICULTIES IN FILE SHARING 522 9.6 Data Loss Prevention 523 Data Collection 523 PERSONALLY IDENTIFIABLE INFORMATION 23 DATA MASKING 524 Information Triangulation 526 BUY OR SELL DATA 527 Document Restrictions 528 DIGITAL RIGHTS MANAGEMENT (DRM) 528 DATA EXTRUSION MANAGEMENT 530 EXTRUSION PREVENTION 530 Data Loss Prevention Systems 530 DLP AT THE GATEWAY 530 DLP ON CLIENTS 530 DLP FOR DATA STORAGE 531 DLP MANAGER 531 WATERMARKS 531 REMOVABLE MEDIA CONTROLS 532 PERSPECTIVE 533 Employee Training 533 SOCIAL NETWORKING 533 Data Destruction 534 NOMINAL DELETION 534 BASIC FILE DELETION 535 WIPING/CLEARING 536 DESTRUCTION 536 9.7 Conclusion 537 Thought Questions 538 • Handson Projects 538 • Project Thought Questions 539 • Perspective Questions 539 Chapter 10 Incident and Disaster Response 541 10.1 Introduction 541 Walmart and Hurricane Katrina 541 xv Incidents Happen 542 Incident Severity 543 FALSE ALARMS 544 MINOR INCIDENTS 544 MAJOR INCIDENTS 545 DISASTERS 546 Speed and Accuracy 546 SPEED IS OF THE ESSENCE 546 SO IS ACCURACY 546 PLANNING 546 REHEARSAL 547 10.2 The Intrusion Response Process For Major Incidents 548 Detection, Analysis, and Escalation 548 DETECTION 548 ANALYSIS 548 ESCALATION 550 Containment 550 DISCONNECTION 550 BLACK-HOLING THE ATTACKER 550 CONTINUING TO COLLECT DATA 550 Recovery 551 REPAIR DURING CONTINUING SERVER OPERATION 551 RESTORATION FROM BACKUP TAPES 551 TOTAL SOFTWARE REINSTALLATION 551 Apology 552 Punishment 553 PUNISHING EMPLOYEES 553 THE DECISION TO PURSUE PROSECUTION 553 COLLECTING AND MANAGING EVIDENCE 553 Postmortem Evaluation 556 Organization of the CSIRT 556 Legal Considerations 557 Criminal versus Civil Law 557 Jurisdictions 558 The U.S. Federal Judicial System 559 U.S. State and Local Laws 559 International Law 561 Evidence and Computer Forensics 562 U.S. Federal Cybercrime Laws 564 Computer Hacking, Malware Attacks, Denial-of-Service Attacks, and Other Attacks (18 U.S.C. § 1030) 564 xvi Contents HACKING 565 DENIAL-OF-SERVICE AND MALWARE ATTACKS 565 DAMAGE THRESHOLDS 566 Confidentiality in Message Transmission 566 Other Federal Laws 566 10.3 Intrusion Detection Systems 566 Functions of an IDS 567 LOGGING (DATA COLLECTION) 567 AUTOMATED ANALYSIS BY THE IDS 568 ACTIONS 568 LOG SUMMARY REPORTS 568 SUPPORT FOR INTERACTIVE MANUAL LOG ANALYSIS 568 Distributed IDSs 569 AGENTS 569 MANAGER AND INTEGRATED LOG FILE 570 BATCH VERSUS REAL-TIME DATA TRANSFER 570 SECURE MANAGER–AGENT COMMUNICATION 570 VENDOR COMMUNICATION 570 Network IDSs 570 STAND-ALONE NIDSS 571 SWITCH AND ROUTER NIDSS 571 STRENGTHS OF NIDSS 571 WEAKNESSES OF NIDSS 571 HOST IDSS 571 ATTRACTION OF HIDSS 571 WEAKNESSES OF HOST IDSS 572 HOST IDSS: OPERATING SYSTEM MONITORS 572 Log Files 573 TIME-STAMPED EVENTS 573 INDIVIDUAL LOGS 573 INTEGRATED LOGS 573 MANUAL ANALYSIS 575 Principles of Business Continuity Management 583 PEOPLE FIRST 583 REDUCED CAPACITY IN DECISION MAKING 583 AVOIDING RIGIDITY 583 COMMUNICATION, COMMUNICATION, COMMUNICATION 584 Business Process Analysis 584 IDENTIFICATION OF BUSINESS PROCESSES AND THEIR INTERRELATIONSHIPS 584 PRIORITIZATION OF BUSINESS PROCESSES 584 SPECIFY RESOURCE NEEDS 584 SPECIFY ACTIONS AND SEQUENCES 10.5 It Disaster Recovery 585 Types of Backup Facilities 587 HOT SITES 587 COLD SITES 587 SITE SHARING WITH CONTINUOUS DATA PROTECTION (CDP) 587 LOCATION OF THE SITES 587 Office PCs 590 DATA BACKUP 590 NEW COMPUTERS 591 WORK ENVIRONMENT 591 Restoration of Data and Programs 591 Testing the IT Disaster Recovery Plan 591 10.6 Conclusion 591 Thought Questions 592 • Handson Projects 593 • Perspective Questions 594 • Project Thought Questions 594 Module A Networking Concepts 595 Managing IDSs 575 A.1 Introduction 595 TUNING FOR PRECISION 576 A.2 A Sampling of Networks 596 Honeypots 577 10.4 Business Continuity Planning 581 584 Testing and Updating the Plan 585 A Simple Home Network 596 THE ACCESS ROUTER 596 PERSONAL COMPUTERS 597 Contents UTP WIRING 597 INTERNET ACCESS LINE 597 A Building LAN 598 A Firm’s Wide Area Networks 600 The Internet 601 Applications 604 A.3 Network Protocols and Vulnerabilities 604 Inherent Security 605 Security Explicitly Designed into the Standard 605 xvii IP Version 6 615 IPsec 616 A.9 The Transmission Control Protocol 616 TCP: A Connection-Oriented and Reliable Protocol 617 CONNECTIONLESS AND CONNECTIONORIENTED PROTOCOLS 617 RELIABILITY 619 Flag Fields 620 Sequence Number Field 620 Security in Older Versions of the Standard 605 Acknowledgment Number Field 621 Defective Implementation 605 Options 622 A.4 Core Layers in Layered Standards Architectures 605 A.5 Standards Architectures 606 The TCP/IP Standards Architecture 607 The OSI Standards Architecture 607 The Hybrid TCP/IP–OSI Architecture 608 A.6 Single-Network Standards 608 The Data Link Layer 609 The Physical Layer 609 UTP 609 OPTICAL FIBER 609 WIRELESS TRANSMISSION 609 SWITCH SUPERVISORY FRAMES 610 A.7 Internetworking Standards 610 A.8 The Internet Protocol 611 The IP Version 4 Packet 611 The First Row 612 The Second Row 613 The Third Row 613 Options 613 Window Field 622 Port Numbers 622 PORT NUMBERS ON SERVERS 622 PORT NUMBERS ON CLIENTS 623 SOCKETS 623 TCP Security 624 A.10 The User Datagram Protocol 625 A.11 TCP/IP Supervisory Standards 626 Internet Control Message Protocol 626 The Domain Name System 627 Dynamic Host Configuration Protocol 629 Dynamic Routing Protocols 629 Simple Network Management Protocol 631 A.12 Application Standards 632 HTTP AND HTML 632 E-MAIL 633 TELNET, FTP, AND SSH 633 OTHER APPLICATION STANDARDS 633 A.13 Conclusion 634 Hands-on Projects 634 • Project Thought Questions 636 • Perspective Questions 636 The Source and Destination IP Addresses 614 Glossary 637 Masks 614 index 655 PREFACE The IT security industry has seen dramatic changes in the past decades. Security breaches, data theft, cyber attacks, and information warfare are now common news stories in the mainstream media. IT security expertise that was traditionally the domain of a few experts in large organizations has now become a concern for almost everyone. These rapid changes in the IT security industry have necessitated more recent editions of this text. Old attacks are being used in new ways, and new attacks are becoming commonplace. We hope the changes to this new edition have captured some of these changes in the industry. What’s New in This Edition? If you have used prior editions to this text, you will notice that almost all of the material you are familiar with remains intact. New additions to the text have been driven by requests from reviewers. More specifically, reviewers asked for a text that is more business focused, has more hands-on projects, has more coverage of wireless and data security, and has additional case studies. In addition to these changes in content, we have tried to add supplements that make the book easier to use and more engaging for students. Below is a list of the significant changes to this edition of the text. Business Focus—This edition has tried to have more of a business focus. Emphasis has been placed on securing corporate information systems, rather than just hosts in general. The concepts, principles, and terminology have remained the same. However, the implications of each topic are more focused on the business environment. Hands-on Projects—Each chapter has hands-on projects that use contemporary software. Each project relates directly to the chapter material. Students take a screenshot to show they have completed the project. Expanded Content —Material from prior chapters has been reorganized and expanded to create new chapters covering Secure Networks (Chapter 4) and Data Protection (Chapter 9). Reviewers wanted more coverage of networking and wireless security concepts, as well as more discussion of data security. These chapters contain substantial amounts of new material in each of these areas. Comprehensive Framework—We have included a comprehensive security framework to tie all of the chapters together. It will serve as a roadmap to guide students through the book. Our hope is that it will increase retention of the material by illustrating how topic areas relate to each other. Case Studies and Focus Articles—Each chapter includes 2–4 new applied case studies or focus articles. A wide range of topics are covered in these focus articles. These include examples of high-profile security incidents, technical security topics, profiles of industry professionals, security certifications, new types of attacks, and articles by industry leaders. xviii Preface The goal of these articles is to expose students to a broad range of topics that are not covered in traditional IT security texts, but are currently being discussed by industry professionals. We hope these articles are interesting, informative, and encourage active class discussion. We also included a few profiles of industry professionals to give students an idea of the type of work they might be doing after they graduate. Students are often interested in IT security, but are unsure about what an actual job in the industry would look like on a daily basis. We hope these provide some insight. Embedded PowerPoint Videos—New to this edition are embedded PowerPoint videos. A supplemental set of 125+ PowerPoint slides contain embedded videos linked to content hosted on YouTube®. These videos include IT security–related current news stories, technical demonstrations, conference presentations, commentary by industry leaders, historical background, and demonstrations of new security products. The embedded videos relate to material in each chapter and can be copied directly into your regular lectures. These videos can be used as “hooks” to introduce new chapters, integrated directly into lectures, or assigned as out-of-class homework. Updated News Articles —Each chapter contains expanded and updated IT security news articles. Over 90 percent of the news articles in this book reference stories that have occurred since the second edition was published. Why Use This Book? This book is written for a one-term introductory course in IT security. The primary audience is upper-division BS majors in Information Systems, Computer Science, or Computer Information Systems. This book is also intended for graduate students in Masters of Information Systems (MSIS), Master of Business Administration (MBA), Master of Accountancy (MAcc), or other MS programs that are seeking a broader knowledge of IT security. It is designed to provide students with IT security knowledge as it relates to corporate security. It will give students going into the IT security field a solid foundation. It can also serve as a network security text. INTENDED AUDIENCE PREREQUISITES The book can be used by students who have taken an introductory course in information systems. However, taking a networking course before using this book is strongly advisable. For students who have not taken a networking course, Module A is a review of networking with a special focus on security aspects of network concepts. Even if networking is a prerequisite or corequisite at your school, we recommend covering Module A. It helps refresh and reinforce networking concepts. Our students are going to need jobs. When you ask working IT security professionals what they are looking for in a new hire, they give similar responses. They want proactive workers who can take initiative, learn on their own, have strong technical skills, and have a business focus. BALANCING TECHNICAL AND MANAGERIAL CONTENT xix xx Preface A business focus does not mean a purely managerial focus. Companies want a strong understanding of security management. But they also want a really solid understanding of defensive security technology. A common complaint is that students who have taken managerial courses don’t even know how stateful packet inspection firewalls operate, or what other types of firewalls are available. “We aren’t hiring these kids as security managers” is a common comment. This is usually followed by, “They need to start as worker bees, and worker bees start with technology.” Overall, we have attempted to provide a strong managerial focus along with a solid technical understanding of security tools. Most of this book deals with the technical aspects of protective countermeasures. But even the countermeasure chapters reflect what students need to know to manage these technologies. You can “throttle” the amount of technical content by using or not using the Hands-on Projects at the end of each chapter. How Is This Book Organized? The book starts by looking at the threat environment facing corporations today. This gets the students’ attention levels up, and introduces terminology that will be used throughout the rest of the book. Discussing the threat environment demonstrates the need for the defenses mentioned in later chapters. The rest of the book follows the good old plan–protect–respond cycle. Chapter 2 deals with planning, and Chapter 10 deals with incident and disaster response. All of the chapters in the middle deal with countermeasures designed to protect information systems. The countermeasures section starts with a chapter on cryptography because cryptographic protections are part of many other countermeasures. Subsequent chapters introduce secure networks, access control, firewalls, host hardening, application security, and data protection. In general, the book follows the flow of data from networks, through firewalls, and eventually to hosts to be processed and stored. Plan Respond Planning & Policy Chapter 2 Incident Response Chapter 10 Threat Environment Chapter 1 Protect Cryptography Chapter 3 Secure Networks Chapter 4 Access Control Chapter 5 1 Internet ABC DEF 2 3 GHI JKL MNO 4 5 6 PQRS TUV WXYZ 7 8 0 9 # * Firewalls Chapter 6 Host Hardening Chapter 7 Application Security Chapter 8 Data Protection Chapter 9 Preface Chapters in this book are designed to be covered in a semester week. This leaves a few classes for exams, presentations, guest speakers, hands-on activities, or material in the module. Starting each class with a demonstration of one of the hands-on projects is a good way to get students attention. It’s important for students to read each chapter before it’s covered in class. The chapters contain technical and conceptual material that needs to be closely studied. We recommend either giving a short reading quiz or requiring students to turn in Test Your Understanding questions before covering each chapter. USING THE BOOK IN CLASS The PowerPoint lectures cover nearly everything, as do the study figures in the book. Study figures even summarize main points from the text. This makes the PowerPoint presentations and the figures in the book great study aids. POWERPOINT SLIDES AND STUDY FIGURES TEST YOUR UNDERSTANDING QUESTIONS After each section or subsection, there are Test Your Understanding questions. This lets students check if they really understood what they just read. If not, they can go back and master that small chunk of material before going on. The test item file questions are linked to particular Test Your Understanding questions. If you cut some material out, it is easy to know what multiple-choice questions not to use. At the end of each chapter, there are integrative Thought Questions which require students to synthesize what they have learned. They are more general in nature, and require the application of the chapter material beyond rote memorization. INTEGRATIVE THOUGHT QUESTIONS Students often comment that their favorite part of the course is the Hands-on Projects. Students like the Hands-on Projects because they get to use contemporary IT security software that relates to the chapter material. Each chapter has at least two applied projects and subsequent Project Thought Questions. Each project requires students to take a unique screenshot at the end of the project as proof they completed the project. Each student’s screenshot will include a time stamp, the student’s name, or another unique identifier. HANDS-ON PROJECTS Finally, there are two general questions that ask students to reflect on what they have studied. These questions give students a chance to think comprehensively about the chapter material at a higher level. PERSPECTIVE QUESTIONS This book does not teach students how to break into computers. There is software designed specifically to exploit vulnerabilities and gain access to systems. This book does not cover this type of software. Rather, the focus of the book is how to proactively defend corporate systems from attacks. Effectively securing corporate information systems is a complicated process. Learning how to secure corporate information systems requires the entire book. Once students have a good understanding of how to secure corporate systems, they might be ready to look at penetration testing software. HEY! WHERE’S ALL THE ATTACK SOFTWARE? xxi xxii Preface With ten chapters, you do have time to introduce some offense. However, if you do teach offense, do it carefully. Attack tools are addictive, and students are rarely satisfied using them in small labs that are carefully air-gapped from the broader school network and the Internet. A few publicized attacks by your students can get IT security barred from the curriculum. Instructor Supplements This is a hard course to teach. We have tried to build in as much teacher support as possible. Our goal was to reduce the total amount of preparation time instructors had to spend getting ready to teach this course. Learning new course material, monitoring current events, and managing an active research agenda is time-consuming. We hope the instructor supplements make it easier to teach a high-quality course with less prep time. The Pearson Prentice-Hall website (http://www. pearsonhighered.com) has all of the supplements discussed below. These include the PowerPoint lectures, PowerPoint embedded videos, answer keys, test item files, TestGen software, and the other usual suspects. ONLINE INSTRUCTOR RESOURCES There is a PowerPoint lecture for each chapter. They aren’t “a few selected slides.” They are full lectures with detailed figures and explanations. And they aren’t made from figures that look pretty in the book but that are invisible on slides. We have tried to create the PowerPoint slides to be pretty self-explanatory. POWERPOINT LECTURES An important part of a great lecture is to start each class with a “hook.” The hook captures students’ interest and acts as an introduction to the rest of the lecture. We have created a set of PowerPoint slides that contain embedded videos that can act as a hook for each chapter. There are over 125 PowerPoint slides containing embedded videos linked to content hosted on YouTube®. These videos include current news stories, technical demonstrations, conference presentations, commentary by industry leaders, historical background, and demonstrations of new security products. The embedded videos relate to material in each chapter and can be copied directly into your regular lectures. POWERPOINT EMBEDDED VIDEOS TEST ITEM FILE The test item file for this book makes creating, or supplementing, an exam with challenging multiple-choice questions easy. Questions in the test item file refer directly to the Test Your Understanding questions located throughout each chapter. This means exams will be tied directly to concepts discussed in the chapter. The Teachers Manual has suggestions on how to teach the chapters. For instance, the book begins with threats. In the first class, you could have students list everybody who might attack them. Then have them come up with ways each group is likely to attack them. Along the way, the class discussion naturally can touch on chapter concepts such as the distinction between viruses and worms. TEACHERS MANUAL Preface SAMPLE SYLLABUS We have included a sample syllabus if you are teaching this course for the first time. It can serve as a guide to structuring the course and reduce your prep time. Please feel free to e-mail us. You can reach Randy at Randy.Boyle@utah.edu, or Ray at Ray@Panko.com. Your Pearson Sales Representative can provide you with support, but if you have a question, please also feel free to contact us. We’d also love suggestions for the next edition of the book and for additional support for this edition. E-MAIL US Acknowledgments We would like to thank all of the reviewers of prior editions. They have used this book for years and know it well. Their suggestions, recommendations, and criticisms helped shape this edition. This book really is a product of a much larger community of academics and researchers. We would also like to thank the industry experts who contributed to this edition. Their expertise and perspective added a real-world perspective that can only come from years of practical experience. Thank you to Matt Christensen, Dan McDonald at Utah Valley University, Amber Schroader at Paraben Corp., Chris Larsen at BlueCoat Systems, Inc., David Glod at Grant Thornton, Andrew Yenchik, Stephen Burton, and Susan Jensen at Digital Ranch, Inc., Lisa Cradit at L-1 Identity Solutions, and Bruce Wignall at Teleperformance Group. Thanks go to our editor Bob Horan for his support and guidance. A good editor can produce good books. Bob is a great editor who produces great books. And he has done so for many years. We feel privileged to be able to work with Bob. Special thanks go to Debbie Ryan, Kelly Loftus and the production team that actually makes the book. Thank you George Jacob, for your detailed and exceptional copy editing. Most readers won’t fully appreciate the hard work and dedication it takes to transform the “raw” content provided by authors into the finished copy you’re holding in your hands. Debbie, Kelly, George, and the Pearson production team’s commitment and attention to detail have made this into a great book. Lastly, and most importantly, I (Randy) would like to thank Ray. Like many of you, I have used Ray’s books for years. Ray has a writing style that students find accessible and intuitive. Ray’s books are popular and widely adopted by instructors across the country. His books have been the source of networking and security knowledge for many workers currently in the industry. I’d like to thank Ray for allowing me to contribute to this edition. I’m grateful that Ray trusted me enough to work on one of his books. I hope this edition continues in the legacy of great texts Ray has produced. It’s an honor to work with a generous person like Ray. Randy Boyle Ray Panko xxiii ABOUT THE AUTHORS Randy Boyle is a professor at the David Eccles School of Business at the University of Utah. He received his PhD in Management Information Systems (MIS) from Florida State University in 2003. He also has a master’s degree in Public Administration, and a BS in Finance. His research areas include deception detection in computer-mediated environments, information assurance policy, the effects of IT on cognitive biases, and the effects of IT on knowledge workers. He has received college teaching awards at the University of Alabama in Huntsville and the Marvin J. Ashton Teaching Excellence Award at the University of Utah. His teaching is primarily focused on information security, networking, and management information systems. He is the author of Applied Information Security: A Hands-on Guide to Information Security Software and Applied Networking Labs. Ray Panko is a professor of IT Management at the University of Hawai`i’s Shidler College of Business. His main courses are networking and security. Before coming to the university, he was a project manager at Stanford Research Institute (now SRI International), where he worked for Doug Englebart (the inventor of the mouse). He received his BS in Physics and his MBA. from Seattle University. He received his doctorate from Stanford University, where his dissertation was conducted under contract to the Office of the President of the United States. He has been awarded the Shidler College of Business’s Dennis Ching award as the outstanding teacher among senior faculty. He is also a Shidler Fellow. xxiv 1 THE THREAT ENVIRONMENT Chapter Outline 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 Introduction Employee and Ex-Employee Threats Malware Hackers and Attacks The Criminal Era Competitor Threats Cyberwar and Cyberterror Conclusion Learning Objectives: After studying this chapter, you should be able to: 䊏 䊏 䊏 䊏 䊏 Define the term threat environment. Use basic security terminology. Describe threats from employees and ex-employees. Describe threats from malware writers. Describe traditional external hackers and their attacks, including break-in processes, social engineering, and denial-of-service attacks. 䊏 Know that criminals have become the dominant attackers today, describe the types of attacks they make, and discuss their methods of cooperation. 䊏 Distinguish between cyberwar and cyberterror. 1.1 INTRODUCTION The world today is a dangerous place for corporations. The Internet has given firms access to billions of customers and other business partners, but it has also given criminals access to hundreds of millions of corporations and individuals. Criminals are able to attack websites, databases, and critical information systems without ever entering the corporation’s host country. 1 2 Chapter 1 • The Threat Environment Corporations have become critically dependent on information technology (IT) as part of their overall competitive advantage. In order to protect their IT infrastructure from a variety of threats, and subsequent profitability, corporations must have comprehensive IT security policies, well-established procedures, hardened applications, and secure hardware. Basic Security Terminology THE THREAT ENVIRONMENT If companies are to be able to defend themselves, they need an understanding of the threat environment—that is, the types of attackers and attacks companies face. “Understanding the threat environment” is a fancy way of saying “Know your enemy.” If you do not know how you may be attacked, you cannot plan to defend yourself. This chapter will focus almost exclusively on the threat environment. The threat environment consists of the types of attackers and attacks that companies face. The Threat Environment The threat environment consists of the types of attackers and attacks that companies face Security Goals Confidentiality Confidentiality means that people cannot read sensitive information, either while it is on a computer or while it is traveling across a network Integrity Integrity means that attackers cannot change or destroy information, either while it is on a computer or while it is traveling across a network. Or, at least, if information is changed or destroyed, then the receiver can detect the change or restore destroyed data Availability Availability means that people who are authorized to use information are not prevented from doing so Compromises Successful attacks Also called incidents and breaches Countermeasures Tools used to thwart attacks Also called safeguards, protections, and controls Types of countermeasures Preventative Detective Corrective FIGURE 1-1 Basic Security Terminology (Study Figure) Chapter 1 • The Threat Environment SECURITY GOALS Corporations and subgroups in corporations have security goals—conditions that the security staff wishes to achieve. Three common core goals are referred to collectively as CIA. This is not the Central Intelligence Agency. Rather, CIA stands for confidentiality, integrity, and availability. • Confidentiality—Confidentiality means that people cannot read sensitive information, either while it is on a computer or while it is traveling across a network. • Integrity—Integrity means that attackers cannot change or destroy information, either while it is on a computer or while it is traveling across a network. Or, at least, if information is changed or destroyed, then the receiver can detect the change or restore destroyed data. • Availability—Availability means that people who are authorized to use information are not prevented from doing so. Neither a computer attack nor a network attack will keep them away from the information they are authorized to access. Many security specialists are unhappy with the simplistic CIA goal taxonomy because they feel that companies have many other security goals. However, the CIA goals are a good place to begin thinking about security goals. COMPROMISES When a threat succeeds in causing harm to a business, this is called an incident, breach, or compromise. Companies try to deter incidents, of course, but they usually have to face several breaches each year, so response to incidents is a critical skill. In terms of the business process model, threats push the business process away from meeting one or more of its goals. When a threat succeeds in causing harm to a business, this is called an incident, breach, or compromise. COUNTERMEASURES Naturally, security professionals try to stop threats. The methods they use to thwart attacks are called countermeasures, safeguards, protections, or controls. The goal of countermeasures is to keep business processes on track for meeting their business goals despite the presence of threats and actual compromises. Tools used to thwart attacks are called countermeasures, safeguards, or controls. Countermeasures can be technical, human, or (most commonly) a mixture of the two. Typically, countermeasures are classified into three types: • Preventative—Preventative countermeasures keep attacks from succeeding. Most controls are preventative controls. • Detective—Detective countermeasures identify when a threat is attacking and especially when it is succeeding. Fast detection can minimize damage. 3 4 Chapter 1 • The Threat Environment • Corrective—Corrective countermeasures get the business process back on track after a compromise. The faster the business process can get back on track, the more likely the business process will be to meet its goals. TEST YOUR UNDERSTANDING 1. a . b. c. d. e. f. g. h. i. Why is it important for firms to understand the threat environment? Name the three common security goals. Briefly explain each. What is an incident? What are the synonyms for incidents? What are countermeasures? What are the synonyms for countermeasure? What are the goals of countermeasures? What are the three types of countermeasures? Case Study: The TJX Data Breach If this terminology seems abstract, it may help to look at a specific attack to put these terms into context and to show how complex security attacks can be. We will begin with one of the largest losses of private customer information. This is the TJX data breach. THE TJX COMPANIES, INC. The TJX Companies, Inc. (TJX) is a group of over 2,500 retail stores operating in the United States, Canada, England, Ireland, and several other countries. These companies do business under such names as TJ Maxx and Marshalls. In its literature, TJX describes itself as “the leading off-price retailer of apparel and home fashions in the U.S. and worldwide.” With this type of mission statement, there is strong pressure to minimize costs. DISCOVERY On December 18, 2006, TJX detected “suspicious software” on its computer systems. Three days later, TJX called in security consultants to examine the situation. On December 21, the consultants confirmed that an intrusion had actually occurred. The next day, the company informed law enforcement authorities in the United States and Canada. Five days later, the security consultants determined that customer data had been stolen. The consultants initially determined that the intrusion software had been working for seven months when it was discovered. A few weeks later, the consultants discovered that the company had also been breached several times in 2005. All told, the consultants estimated that 45.7 million customer records had been stolen.1 This was by far the largest number of personal customer records stolen from any company at that time. The thieves did not steal these records for the thrill of breaking in or to enhance their reputations among other hackers. They did it so that they could use the information to make fraudulent credit card purchases, withdraw thousands of dollars from ATMs, 1 Associated Press, “T.J. Maxx Data Theft Worse than First Reported,” MSNBC.com, March 29, 2007. http:// www.msnbc.msn.com/id/17853440/. Chapter 1 • The Threat Environment The TJX Companies, Inc. (TJX) A group of over 2,500 retail stores companies operating in the United States, Canada, England, Ireland, and several other countries Does business under such names as TJ Maxx and Marshalls Discovery On December 18, 2006, TJX detected “suspicious software” on its computer systems Called in security experts who confirmed an intrusion and probable data loss Notified law enforcement immediately Notified consumers only a month later to get time to fix system and to allow law enforcement to investigate Two waves of attacks, in 2005 and 2006 Company estimated that 45.7 million records with limited personal information had been stolen Much more information was stolen from 455,000 of these customers The Break-Ins Broke into poorly protected wireless networks in retail stores Used this entry to break into central processing system in Massachusetts Not detected despite long presence, 80 GB data exfiltration Canadian Privacy Commission assessment: poor encryption, keeping data that should not have been kept The Payment Card Industry–Data Security Standard (PCI-DSS) Rules for companies that accept credit card purchases If noncompliant, can lose the ability to process credit cards 12 required control objectives TJX knew it was not in compliance (later found to meet only 3 of 12 control objectives) Visa gave an extension to TJX in 2005, subject to progress report in June 2006 The Fallout: Lawsuits and Investigations Settled with most banks and banking associations for $40.9 million to cover card reissuing and other costs Visa levied $880,000 fine, which may later have been increased or decreased Proposed settlement with consumers Under investigation by U.S. Federal Trade Commission and 37 state attorneys general TJX has prepared for damages of $256 million as of August 2007 FIGURE 1-2 The TJX Data Breach (Study Figure) and sell stolen credit card information to other criminals. Stolen funds were subsequently laundered through international bank accounts.2 In its defense, TJX noted that in most of the records stolen, most user’s personal information had been masked (replaced by asterisks). It also noted that most of the credit cards about which information had been stored had expired and that the company generally did not collect social security numbers (SSNs). However, for 455,000 customers who had been 2 ConsumerAffairs.com, “Ring Charged with Hacking Major US Retailers,” August 6, 2008. http://www. consumeraffairs.com/news04/2008/08/hacker_ring.html. 5 6 Chapter 1 • The Threat Environment given refunds without a receipt, a much larger amount of personal information had been collected, and this information had been stolen as well. TJX did not inform customers about the data breach until nearly a month later. The company said that it needed time to beef up its security. The company also said that law enforcement officials had told TJX not to release information about the breach immediately to avoid tipping off the data thieves about the investigation. Of course, the delay also left the customers ignorant of the danger they faced. THE BREAK-INS How did the breaches occur? It is believed that the data thieves broke into poorly protected wireless networks in some retail stores to get into the central TJX credit and debit card processing system in Massachusetts.3 There, poor firewall protections4 allowed the data thieves to enter several systems and to install a sniffer that listened to the company’s poorly encrypted traffic passing into and out of the processing center. Another problem was that TJX retained some sensitive credit card information that should not have been retained; it is this improperly retained information that the data thieves found valuable.5 How did the thieves remain undetected despite having a sniffer operate for over half a year and despite exfiltrating over 80 GB6 of data? And how did the attackers place a sniffer on the TJX network that went undetected for seven months?7 The answer to that question appears to be that TJX did not have an organized intrusion detection capability. In its defense, the company said that it “believes our security was comparable to many other major retailers.”8 Its purpose in saying this may have been to prepare for a defense against lawsuits based on negligence. Proving negligence usually requires proof that a perpetrator was lax based on general practice in the field. The Canadian Privacy Commission, which was the first governmental bureau to release findings about the break-in, gave the following assessment of TJX’s security at the time of the breach: The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it—putting the privacy of millions of its customers at risk . . . The company did not manage the risk of a breach, it failed to encrypt data strongly enough, it did not monitor its systems well enough, it did not act in accordance with payment card industry standards and it collected too much information.9 3 Mark Jewel, “Encryption Faulted in TJX Hacking,” MSNBC.com, September 25, 2007. http://www.msnbc. msn.com/id/20979359. 4 Ross Kerber, “Details Emerge on TJX Breach,” The Boston Globe, October 25, 2007. 5 Mark Jewel, op. cit. http://www.msnbc.msn.com/id/20979359. 6 SANS Institute, “Unflattering Details Emerge in TJX Case,” SANS Newsbytes, e-mail newsletter (9:86) October 20, 2007. 7 Ibid. 8 Kerber, “Details Emerge on TJX Breach.” 9 OUT-LAW.com, “Canadian Privacy Commissioner Slams TJ X Data Policy” (OUT-LAW.COM is part of international law firm Pinsent Masons.), THEREGISTER.CO.UK, September 27, 2007. http://www.theregister. co.uk/2007/09/27/tjx_data_leak_report/. Chapter 1 • The Threat Environment Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update antivirus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security FIGURE 1-3 Payment Card Industry Data Security Standards (PCI-DSS) (Study Figure) THE PAYMENT CARD INDUSTRY–DATA SECURITY STANDARD A number of earlier (and smaller) data breaches had prompted the major credit card companies to create the Payment Card Industry–Data Security Standard (PCI-DSS). This standard specified 12 required control objectives that must be implemented by companies that accept credit card purchases. Failure to implement PCI-DSS control objectives can result in fines and even the revocation of a company’s ability to accept credit card payments. At the time the data breach was discovered, TJX was far behind in its PCI-DSS compliance program. The company only complied with 3 of the 12 required control objectives. Internal memos10 revealed that the company knew that it was in violation of the PCI-DSS requirements, particularly with respect to its weak encryption in retail store wireless networks. However, the company deliberately decided not to move rapidly to fix this problem. In November 2005, a staff member noted prophetically that “saving money and being PCI-compliant is important to us, but equally important is protecting ourselves against intruders. Even though we have some breathing room with PCI, we are still 10 Evan Schuman, “VISA Fined TJX Processor for Security Breach,” Eweek.com, October 28, 2007. http://www. eweek.com/article2/0,1895,2208615,00.asp. 7 8 Chapter 1 • The Threat Environment vulnerable with WEP as our security key. It must be a risk we are willing to take for the sake of saving money and hoping we do not get compromised.” When the staff member noted that “we have some breathing room with PCI,” he probably was referring to the fact that TJX had been given an extension allowing it to be compliant beyond the standard’s specified compliance date.11 This additional time, ironically, was given after the data breaches had already begun. This extension was dependent upon evaluation of a TJX report on its compliance project by June 2006. It is unknown whether TJX complied with this requirement. The letter that authorized the extension was sent by a fraud control vice president for Visa. It ended with “I appreciate your continued support and commitment to safeguarding the payment industry.” THE FALLOUT: LAWSUITS AND INVESTIGATIONS The company quickly became embroiled in commercial lawsuits and government investigations. These lawsuits involved the filing of briefs that shed additional light on the break-ins. For instance, sealed evidence from Visa and MasterCard placed the number of account records stolen at 94 million—roughly double TJX’s estimates.12 TJX was sued by several individual banks and bank associations. TJX settled by paying $24 million to MasterCard-issuing lenders and $41 million to Visa. They also paid $9.75 million to settle cases with 41 individual states.13 In this battle of corporate giants, consumers were handled last. At the time of this writing, TJX has proposed a settlement that would only involve active measures such as help with ID theft through insurance and other measures for the roughly 455,000 victims who had given personally identifiable information when they returned goods without a receipt. Other victims would be given a modest voucher ($30) or the opportunity to buy TJX merchandise at sale prices.14 PROSECUTION On August 25, 2008, the Department of Justice charged 11 individuals with the TJX break-in and the subsequent use of the stolen information.15 Three were Americans, and they were jailed rapidly. Two more were in China. The rest were in Eastern Europe. The indictment underscores the international nature of cybercrime. Although the three Americans conducted the actual data theft, they fenced the stolen information overseas. Two of the American defendants rapidly entered plea deals to testify against the alleged ringleader Albert Gonzalez of Miami, Florida. 11 Evan Schuman, “In 2005, Visa Agreed to Give TJX Until 2009 to Get PCI Compliant,” StorefrontBacktalk, November 9, 2007. http://storefrontbacktalk.com/story/110907visaletter. Ross Kerber, “Court Filing in TJX Breach Doubles Toll,” The Boston Globe, October 24, 2007. Martin H. Bosworth, “TJX to Pay MasterCard $24 million for Data Breach,” ConsumerAffairs.com, April 6, 2008. http://www.consumeraffairs.com/news04/2008/04/tjx_mc.html. 14 John Leyden, “TJX Consumer Settlement Sale Offer Draws Scorn,” TheRegister.com, November 20, 2007. http://www.theregister.co.uk/2007/11/20/tjx_settlement_offer_kerfuffle/. 15 U.S. Department of Justice, “Retail Hacking Ring Charged for Stealing and Distributing Credit and Debit Card Numbers from Major U.S. Retailers,” August 5, 2008. http://www.usdoj.gov/criminal/cybercrime/ gonzalezIndict.pdf. 12 13 Chapter 1 • The Threat Environment FIGURE 1-4 Albert Gonzalez Credit: U.S Government On March 25, 2010, Gonzalez was sentenced to 20 years in prison. The sentencing resulted from a combined case that added OfficeMax, Dave & Buster’s, and Barnes & Noble to the list of businesses affected. At the time of this writing, this is the longest sentence ever imposed for identity theft.16 On March 26, 2010, Gonzalez was again sentenced to 20 years and one day in prison for stealing an estimated 130 million additional credit card numbers from Heartland Payment Systems. Since this sentence is to be served concurrently with his prior conviction it adds only one day to his sentence. Gonzalez used a SQL injection attack against Heartland to steal credit card numbers. Companies affected include 7-Eleven, J.C. Penny, and Wet Seal. This is the largest known identity theft to date.17 TEST YOUR UNDERSTANDING 2. a . Who were the victims in the TJX breach? (The answer is not in the text, and this is not a trivial question.) b. Was the TJX break-in due to a single security weakness or multiple security weaknesses? Explain. c . Why would meeting the PCI-DSS control objectives probably have prevented the TJX data breach? This is not a trivial question. d. Would meeting the PCI-DSS control objectives have ensured that the data breach would not have occurred? Think about this carefully. The answer is not in the text. e . Which of the CIA goals did TJX fail to achieve in this attack? 1.2 EMPLOYEE AND EX-EMPLOYEE THREATS Having looked at threats in general, at key security terminology, and at a particular compromise, we will now look at specific elements of the corporate threat environment. We will begin by looking inside the firm, at the threats created by employees. 16 Kim Zetter, “TJX Hacker Gets 20 Years in Prison,” Wired.com, March 25, 2010. http://www.wired.com/ threatlevel/2010/03/tjx-sentencing/. 17 Kim Zetter, “Hacker Sentenced to 20 Years for Breach of Credit Card Processor,” Wired.com, March 25, 2010. http://www.wired.com/threatlevel/tag/heartland-payment-systems/. 9 10 Chapter 1 • The Threat Environment When firms began getting their own computers in the 1960s, they soon found that disgruntled and greedy employees and ex-employees are serious security threats. As firms have become more dependent on information technology, the threats from insiders have become more perilous. Why Employees Are Dangerous Employees and ex-employees are very dangerous for four reasons: • They usually have extensive knowledge of systems. • They often have the credentials needed to access sensitive parts of systems. • They know corporate control mechanisms and so often know how to avoid detection. • Finally, companies tend to trust their employees. In fact, when security insists that an employee behave in a particular way or explain an apparent security violation, it is common for the employee’s manager to protect the employee against “security interference.” Employees and ex-employees are very dangerous because they have extensive knowledge of systems, have the credentials needed to access sensitive parts of systems, often know how to avoid detection, and can benefit from the trust that usually is accorded to “our people.” These factors often eliminate the need for sophisticated computer knowledge. In fact, in 23 financial services cybercrimes committed between 1996 and 2002, 87 percent were accomplished without any sophisticated programming.18 IT employees are particularly dangerous because of their extraordinary knowledge and access. IT security employees are the most dangerous of all. The Department of Justice has a website, http://www.cybercrime.gov, which lists federal cybercrime prosecutions. Roughly half the cases have defendants who are IT professionals and even security employees and ex-employees. The Romans asked, Quis custodiet custodes? This translates as “Who watches the watchers?” This is one of the most difficult issues in IT security management. Employee Sabotage One of the oldest concerns about employees is sabotage, which is the destruction of hardware, software, or data. Sabotage comes from the French word for shoe because disgruntled workers in the early years of the Industrial Revolution supposedly threw their wooden shoes into machines to stop production. 18 Keeney, et al., Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, U.S. Secret Service and the Carnegie Mellon Software Engineering Institute, August 2004. Chapter 1 • The Threat Environment Employees and Ex-Employees Are Dangerous Dangerous because They have knowledge of internal systems They often have the permissions to access systems They often know how to avoid detection Employees generally are trusted IT and especially IT security professionals are the greatest employee threats (Quis custodiet custodes?) Employee Sabotage Destruction of hardware, software, or data Plant time bomb or logic bomb on computer Employee Hacking Hacking is intentionally accessing a computer resource without authorization or in excess of authorization Authorization is the key Employee Financial Theft Misappropriation of assets Theft of money Employee Theft of Intellectual Property (IP) Copyrights and patents (formally protected) Trade secrets: plans, product formulations, business processes, and other info that a company wishes to keep secret from competitors Employee Extortion Perpetrator tries to obtain money or other goods by threatening to take actions that would be against the victim’s interest Sexual or Racial Harassment of Other Employees Via e-mail Displaying pornographic material Employee Computer and Internet Abuse Downloading pornography, which can lead to sexual harassment lawsuits and viruses Downloading pirated software, music, and video, which can lead to copyright violation penalties Excessive personal use of the Internet at work Non-Internet Computer Abuse Access to sensitive personal information motivated by curiosity In one survey at a security conference, one in three admitted to looking at confidential or personal information in ways unrelated to their jobs Data Loss Loss of laptops and storage media Other “Internal” Attackers Contract workers Workers in contracting companies FIGURE 1-5 Employee and Ex-Employee Threats (Study Figure) 11 12 Chapter 1 • The Threat Environment In the News Tim Lloyd, a computer systems administrator, was fired for being threatening and disruptive. In retaliation, Lloyd planted a logic bomb program on a critical server. When pre-set conditions occurred, the logic bomb destroyed the programs that ran the company’s manufacturing machines. Lloyd also took home and erased the firm’s backup tapes to prevent recovery. Lloyd’s sabotage resulted in $10 million in immediate business losses, $2 million in reprogramming costs, and 80 layoffs. The attack led to a permanent loss of the company’s competitive status in the high-tech instruments and measurements market because the company could not rebuild the proprietary design software it had been using.19 Sabotage can also have financial motives. When Roger Duronio sabotaged 2,000 servers at UBS PaineWebber, he was not just punishing his ex-employer. He also sold UBS PaineWebber shares short to take advantage of the subsequent drop in the company’s share price. Although the attack did extensive damage, the stock price did not drop, and Duronio lost money. Found guilty of computer sabotage and securities fraud, 63-year-old Duronio was sentenced to eight years in federal prison.20 In the News In another case, two traffic engineers working for the city of Los Angeles pleaded guilty to hacking the city’s traffic center and disconnecting signals at four of LA’s busiest intersections. They then locked out the controls for these intersections, so that it took four days to restore control. They did this a few hours before their union’s scheduled job action against the city in support of contract negotiations. For this infraction, they received 240 days of community service and were required to have their computers at home and work monitored.21 Employee Hacking Another concern is that employees will hack (break into) the company’s computers using stolen credentials, flaws in internal systems, or some other fraudulent scheme. They can then embezzle money, steal intellectual property, or just look up embarrassing information. 19 Sharon Gaudin, “Computer Saboteur Sentenced to Federal Prison,” Computerworld, February 26, 2002. http://www.computerworld.com/s/article/68624/Computer_saboteur_sentenced_to_federal_prison. Sharon Gaudin, “Ex-UBS Systems Admin Sentenced to 97 Months in Jail,” InformationWeek, December 13, 2006. http://www.informationweek.com/news/showArticle.jhtml?articleID=196603888. 21 Dan Goodin, “LA Engineers Cop to Traffic System Sabotage,” November 6, 2008. http://www.theregister. co.uk/2008/11/06/traffic_control_system_sabotage/. 20 Chapter 1 • The Threat Environment As we will see in Chapter 10, U.S. law provides the following definition of hacking— intentionally accessing a computer resource without authorization or in excess of authorization. Definitions of hacking in other jurisdictions tend to be very similar.22 Hacking is intentionally accessing a computer resource without authorization or in excess of authorization. Note that the key issue is authorization.23 Were you explicitly (or implicitly) authorized to use the resource that you accessed? Were you authorized to use part of the resource but not the specific part that you accessed? The motivation for hacking is irrelevant. Penalties are the same whether you were attempting to steal a million dollars or were merely “testing security.”24 Employee Financial Theft and Theft of Intellectual Property There are many reasons for employees to access resources without permission or in excess of permission. Sometimes employees do so out of mere curiosity or to find information that could embarrass the company. At other times, however, they have purely criminal goals, such as financial theft, which involves the misappropriation of assets (say by assigning them via computer to themselves) or the theft of money (such as the manipulation of an application in order to be paid a bonus). In the News In one case of financial theft, two accountants at Cisco Systems illegally accessed a corporate computer to issue themselves $8 million worth of Cisco stock. In fact, they successfully issued themselves stocks three times before being caught. They committed the crime by exploiting the company’s poorly controlled procedures for issuing stock to employees.25 22 The first documented use of the term hacker was in Steve Levy’s book Hackers, in 1984 (Penguin Books). Levy actually decried the use of the term hacker to mean someone who breaks into computers illicitly. Rather, he argued that hackers were people who managed to hack out creative solutions to difficult computer problems. Some people in security continue to argue for Levy’s viewpoint, using the term cracker as someone who breaks into computers. However, this is not the dominant usage in security and is certainly not widespread in the popular literature. The term cracking is now used primarily to refer to the breaking of passwords or encryption keys. 23 In their defense, hackers can claim that they did not realize that authorization was required because the computer system that they hacked was public, like a free news website. Consequently, firms that have login screens or even public home pages should have a prominent warning that specific authorization is needed to use a site. 24 Most hacking laws require damage to pass a certain level before the hacking can be prosecuted. However, it is quite possible for a hacker to do the requisite amount of damage accidentally, even if he or she did not intend to do so. While access has to be intentional, damage does not. 25 U.S. Department of Justice, “Former Cisco Systems Accountants Sentenced for Unauthorized Access to Computer Systems to Illegally Issue $8 Million in Cisco Stock to Themselves,” November 26, 2001. http://www. cybercrime.gov/Osowski_TangSent.htm. 13 14 Chapter 1 • The Threat Environment Another criminal motive is the theft of the company’s intellectual property (IP), which is information owned by the company and protected by law. IP includes formally protected information such as copyrights, patents, trade names, and trademarks. Although many companies have no such formal intellectual assets, IP also includes trade secrets, which are pieces of sensitive information that a firm acts to keep secret. These include plans, product formulations, business processes, price lists, customer lists, and many other types of information that a company wishes to keep secret from competitors. If another company obtains trade secrets in an illicit way that company will be subject to prosecution. Nevertheless, some employees steal trade secrets to sell to another company. Intellectual property (IP) is information that is owned by the company and protected by law. Trade secrets are pieces of sensitive information that a firm acts to keep secret. In the News When scientists and engineers change jobs, there is always a danger that they will take trade secret information with them. One former DuPont research scientist admitted downloading trade secrets worth $400 million. Only when he announced his intention to leave was his downloading behavior analyzed. The analysis found that he had downloaded 16,700 documents and even more abstract—15 times the volume of the second-highest downloader. Most of these documents had nothing to do with his primary research area.26 Employee Extortion In some cases, an employee or ex-employee will use his or her ability to damage systems or access confidential information to extort the firm. In extortion, the perpetrator tries to obtain money or other goods by threatening to take actions that would be against the victim’s interest. For instance, an employee might plant a logic bomb on the company’s computer. If the employee or ex-employee tells the company to pay money to avoid suffering damage, this is extortion. Stealing intellectual property and demanding money in exchange for not passing on the information is also extortion. In extortion, the perpetrator tries to obtain money or other goods by threatening to take actions that would be against the victim’s interest. 26 Jaikumar Vijayan, “Scientist Admits Stealing Valuable Trade Secrets,” PC World, February 16, 2007. http://www.pcworld.com/article/129116-1/article.html?tk=nl_dnxnws. Chapter 1 • The Threat Environment Employee Sexual or Racial Harassment Although hacking, theft, and extortion are critical issues, employee sexual or racial harassment is an even more common problem. Sexual harassment, for example, can include making physical threats, taking revenge after a romantic break-up, downloading and displaying pornography, or retaliating against an unwilling sexual partner by withholding promotions and raises. In the News One such case began when a female employee spurned a male employee, Washington Leung. He left the firm and later logged into his ex-firm’s servers using passwords given to him while employed there. He deleted over 900 files related to employee compensation. To frame the female employee, he gave her a $40,000 annual raise and a $100,000 bonus. In addition, he created a Hotmail account in her name and used the account to send senior managers at the company an e-mail containing some information from the deleted files. However, the frame failed. In his work computer at his new place of employment, authorities found evidence of the e-mail he sent to senior managers.27 Employee Computer and Internet Abuse INTERNET ABUSE The term abuse is used for activities that violate a company’s IT use policies or ethics policies. In some cases, employees abuse their Internet access, most commonly by downloading pornography, downloading pirated media or software, or wasting many hours surfing the Internet for personal purposes. Abuse ranges from mildly damaging behavior to criminal acts. Abuse consists of activities that violate a company’s IT use policies or ethics policies. Downloading pornography can lead to sexual harassment lawsuits against the firm as well as against the responsible individual. Downloading pirated music, videos, and software, in turn, can result in extensive copyright violation penalties.28 Downloading any unapproved files can also lead to expensive malware infections. While many employers do not mind a small amount of personal Internet use, some employees become addicted to Internet use and spend tens of hours a week on 27 U.S. Department of Justice, “U.S [sic] Sentences Computer Operator for Breaking into Ex-Employer’s Database,” March 27, 2002. www.cybercrime.gov/leungSent.htm. 28 In addition, pirated software often contains viruses that infect the downloader’s computer and then infect other computers in the firm. 15 16 Chapter 1 • The Threat Environment personal Web surfing at work.29 In addition, when employees download numerous files from the Internet, they are likely to download a virus or some other malicious software. IT security departments usually dislike searching for evidence of pornography and excessive personal websurfing, but this is part of the job in most firms. NON-INTERNET COMPUTER ABUSE Another aspect of employee abuse is unauthorized access to private personal data on internal systems by curious employees. This type of behavior was detected in the 2008 U.S. presidential election campaign and in several celebrity hospitalizations.30 In the News During the 2008 presidential campaign, contract employees at the State Department looked at the passport histories of candidates Obama, Clinton, and McCain without permission.31 “According to Infoworld.com: a breach was flagged by the State Department’s in-house computer system; but supervisors downplayed the alarm.”32 Two of the contract workers have been fired by their employers. Later, Verizon announced that Obama’s phone records had been accessed illegally.33 The abuse of internal corporate systems for voyeuristic purposes is not limited to general office employees. For example, a survey of 300 senior IT administrators in a London security conference and trade show found that one in three admitted to looking at confidential or personal information in ways unrelated to their jobs.34 Data Loss The damaging employee behaviors we have looked at so far involve deliberate improper actions. Employees can also endanger the security of their firms through simple carelessness, by losing laptops, optical disks, and USB drives. The unauthorized release of data on these computers and media can be devastating to the firm. Even if the data is not actually used, the fact that it could be used may require the firm to take expensive actions. 29 Raymond R. Panko and Hazel Beh. “Monitoring for Performance and Sexual Harassment,” Communications of the ACM, in a special section on Internet Abuse in the Workplace, January 2002. 30 Charles Ornestein, “UCLA Workers Snooped in Spears’ Medical Records,” Los Angeles Times, March 15, 2008. http://www.latimes.com/news/local/la-me-britney15mar15,0,1421107.story. 31 Anne Flaherty and Desmond Butler, “Obama, Clinton and McCain’s Passports Breached: Two State Dept Officials Fired, Investigation Underway,” Associated Press, March 21, 2008 07:53 p.m. EST; published in the Huffington Post, January 14, 2009. 32 Prolog, “Obama’s Phone Records, Passport Documents Breached by Verizon Employees, Dept. of State Contractors,” Press Release, December 14, 2008. 33 Ibid. 34 Gregg Keizer, “One in Three IT Admins Admit Snooping,” Computerworld, June 22, 2008. http://www. computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101498. Chapter 1 • The Threat Environment A Ponemon survey in 2010 found that the total cost of a noncatastrophic data breach was $3.4 million. Primary causes of data loss were malicious or criminal attacks, negligence, system glitches, or third-party errors.35 Other “Internal” Attackers Employees are not the only threats inside a firm’s walls. Many businesses hire contract workers, who work for the firm for brief periods of time. Contract workers often get access credentials that are not deleted after their engagement ends. In fact, companies often hire other companies to do contracting work that takes place inside the original company’s walls. These contracting companies and their employees also often receive temporary credentials. These contract workers and contracting firms create risks almost identical to those created by employees. In the News Claude Carpenter, a 19-year-old employee of a firm managing servers for the U.S. Internal Revenue Service (IRS), planted a logic bomb on the servers when he learned he was about to be fired. Although he was seeking vengeance on his own company, the IRS would have been the real victim had his logic bomb succeeded. He also planted the code on his supervisor’s computer to frame the supervisor. The company successfully defused the logic bomb, but other firms in similar situations have not been so lucky.36 TEST YOUR UNDERSTANDING 3. a . b. c. d. e. f. g. h. i. j. Give four reasons why employees are especially dangerous. What type of employee is the most dangerous? What is sabotage? Give the book’s definition of hacking. What is intellectual property? What two types of things are employees likely to steal? Distinguish between intellectual property in general and trade secrets. What is extortion? What is employee computer and Internet abuse? Who besides employees constitute potential “internal” threats 1.3 MALWARE Although employees and other “internal” threats can be extremely dangerous, firms must also be concerned with traditional external attackers, who use the Internet to send malware into corporations, hack into corporate computers, and do other damage. 35 36 Ponemon Institute, “Global Cost of a Data Breach,” April 19, 2010. http://www.ponemon.org/data-security. U.S. Department of Justice, “Lusby, Maryland Man Pleads Guilty to Sabotaging IRS Computers,” July 24, 2001. http://www.cybercrime.gov/carpenterPlea.htm. 17 18 Chapter 1 • The Threat Environment Malware Writers The first external malware attackers were malware writers. The term malware generically means “evil software.” The most widely known type of malware is the computer virus. Malware also includes worms, Trojan horses, RATs (remote access Trojans), spam, and several other types that we will see in this section. Malware is a generic term for evil software. Malware is a very serious threat. In June 2006, Microsoft reported results from a survey of users who allowed their computers to be scanned for malware. The scan found 16 million pieces of malware on the 5.7 million machines examined. Viruses Viruses are programs that attach themselves to legitimate programs on the victim’s machine. Later, when infected programs are transferred to other computers and run, the virus attaches itself to other programs on those machines. Viruses are programs that attach themselves to legitimate programs. Initially, most viruses were spread through the transfer of programs via floppy disks. Today, viruses are spread via e-mail with infected attachments, instant messaging, file sharing programs, infected programs from malicious websites, and users deliberately downloading “free software” or pornography. Virus writers target popular operating systems and applications in order to maximize their damage. Through networked applications, viruses can spread very rapidly today. In the News When Macintosh users searched BitTorrent sites in early 2009, they found that they were able to download the newly released Adobe Photoshop CS4. They would also download a program installed on the download CS4 on the downloader’s computer. The copy of CS4 was clean, but when the downloader ran the cracking program, he or she got a dialog box saying that “Adobe CS4 Crack [intel] requires that you type your password.” The dialog box had Name and Password data entry boxes, plus some cryptic details that made it look more authentic.37 37 Andrew Nusca, “Mac Trojan Horse Found in Pirated Adobe Photoshop CS4,” January 26, 2009. http://blogs. zdnet.com/gadgetreviews/?p=856&tag=nl.e539. FIGURE 1-6 Code for the ILOVEYOU Virus Malware A generic name for any “evil software” Viruses Programs that attach themselves to legitimate programs on the victim’s machine Spread today primarily by e-mail Also by instant messaging, file transfers, etc. Worms Full programs that do not attach themselves to other programs Also spread by e-mail, instant messaging, and file transfers In addition, direct-propagation worms can jump to from one computer to another without human intervention on the receiving computer Computer must have a vulnerability for direct propagation to work Direct-propagation worms can spread extremely rapidly Blended Threats Malware propagates in several ways—like worms, viruses, compromised webpages containing mobile code, etc. Payloads Pieces of code that do damage Implemented by viruses and worms after propagation Malicious payloads are designed to do heavy damage FIGURE 1-7 Classic Malware: Viruses and Worms (Study Figure) 19 20 Chapter 1 • The Threat Environment Worms Viruses are not the only type of malware. One particularly important type of malware is the worm. Unlike viruses, worms are stand-alone programs that do not attach themselves to other programs. Worms are stand-alone programs that do not attach themselves to other programs. In general, worms act much like viruses and can propagate in many of the same ways. However, some worms have a far more aggressive spreading mode—jumping directly from one computer to another without user intervention on the receiving computer. Such direct-propagation worms take advantage of vulnerabilities (security weaknesses) in software. When a direct-propagation worm jumps to a computer that has the specific vulnerability for which the worm was designed, the worm can ...
Purchase answer to see full attachment