Running head: IDENTIFYING THE BEST PRACTICES IN STRATEGIC
1

SAMPLE PAPER

Identifying the Best Practices in Strategic Management
Gertrude Steinbeck
ORG 500 – Foundations of Effective Management
Colorado State University – Global Campus
Dr. Stephanie Allong
August 6, 2010

Annotation: The Running head is required for CSU-Global APA Requirements. Make sure the words “Running head:” are on the title page, but not on subsequent pages. After the words “Running head:” you need the first 50 characters (this includes spaces) of your paper’s title in all caps. Do not break a word; use fewer than 50 characters if necessary. For instructions on how to set up a running head, see the “APA Guide & Resources” link on the Library’s website.

Annotation: Page numbers should be inserted in the top right corner.

Annotation: Information on the Title Page is centered in the top half of the paper. All major words should be capitalized and not bold.

Annotation: Papers should be typed in a 12 pt, Times New Roman font with 1 inch margins on all 4 sides, and the entire paper is double spaced.
Identifying the Best Practices in Strategic Management

Strategic management and corporate sustainability are two important dynamics of modern-day organizations. It is important for organizational leaders to have an understanding of the theoretical applications of strategic management as a means of addressing corporate sustainability. The purpose of this paper is to provide definitions and an understanding of strategic management and corporate sustainability. An overview of the Walgreen Company, the organization of study, is also provided in order to understand how the company has utilized strategic management to implement sustainability initiatives for long-term financial performance.

Annotation: Repeat the title of your paper at the beginning. This is not a header; therefore, it is not to be bold. Do not add a header at the beginning of your paper, as the first paragraph should clearly identify the objective of your paper.

Annotation: Each paragraph should be indented ½ inch or five spaces from the left margin.

Strategic Management

Annotation: A Level 1 header should be bold, centered, and all major words capitalized. All headers are to be used for CSU-Global papers, depending on the assignment. For more information on headers, see Purdue OWL http://owl.english.purdue.edu/owl/resource/560/16/

The function of management is to plan, organize, lead, and control the operations of an organization (Robbins & Coulter, 2007) and includes strategic management. Strategic management is an approach in which organizations create a competitive advantage, enhance productivity, and establish long-term financial performance. Chandler (as cited by Whittington, 2008) defined strategy as “the determination of the basic long-term goals and objectives of an enterprise, and the adoption of courses of action and the allocation of resources necessary for carrying out these goals” (p. 268). Similarly, Wheelen and Hunger (2008) define strategic management as the managerial decisions and the actions of an organization that achieve long-run performance of the business, with benefits such as:

- clearer sense of vision for the organization;
- sharper focus on what is strategically important; and
- improved understanding of a changing environment.

The Strategic Management Model (SMM) provides the framework for integrating strategic planning into an organization so that the aforementioned benefits are realized.

Annotation: This is an example of how to cite a quote with a narrative citation. First start the sentence with the author’s last name (never use authors’ first names, as APA feels this could lead to a gender bias) and the year (this example is of a secondary citation, where the author of the paper is using a quote within another source); then, at the end of the quotation, you need to place the page (p. x) or paragraph (para. x) number of where the quote was found.

Annotation: Spell out the phrase the first time in the document with the acronym in parentheses. From that point forward, the acronym can be used.
Strategic Management Model

Annotation: A Level 2 header should be bold, left-justified, and all major words capitalized.

Research indicates that as the concept of strategic management evolved, many theoretical models were proposed. Ginter, Ruck, and Duncan (1985) identify eight elements of the normative strategic model: vision and mission; objective setting; external environmental scanning; internal environmental scanning; strategic alternatives; strategy selection; implementation; and control (French, 2009). Wheelen and Hunger stated that normative strategic management models are an “explicit, planned and rational approach” (as cited in Ginter et al., 1985, p. 581) to management. Similar to Ginter et al., Wheelen established the SMM (see Figure 1), which includes four main elements: environmental scanning, strategy formulation, strategy implementation, and evaluation and control. Environmental scanning is the monitoring, evaluating, and extracting of information from the external and internal environments in order for the management to establish plans and make decisions. Strategy formulation includes creating long-term plans for the organization, including the mission, objectives, strategies, and policies. Strategy implementation is the process of executing policies and strategies in order to achieve the mission and objectives. Evaluation and control require monitoring the performance of the organization and adjusting the process as necessary in order to achieve desired results (Wheelen & Hunger, 2008).

Annotation: When citing 3-5 authors, list all the authors the first time and then use et al. for the following in-text citations. If you have 6 or more authors, use et al. for all the in-text citations.

Annotation: This is an example of authors used at the beginning of a sentence. The year must follow the author’s last name in parentheses. The authors are being used as a part of a sentence; therefore the word “and” is used and not the symbol “&.”

Annotation: When quoting, you must include the page number or the paragraph number of where you found the quote, and cite the source and/or page number immediately after the quotation marks, even if it is in the middle of a sentence.

The SMM assumes the organizational learning theory, which states that an organization adapts to the changing environment and uses gathered knowledge to improve the fit between itself and the environment. The SMM also assumes the organization to be a learning organization in which the gathered knowledge can be used to change behavior and reflect new knowledge (Wheelen & Hunger, 2008).

Annotation: If you have a figure or table in your paper, it is best to cite them in the paragraph before the figure or table.
[Figure 1: flow diagram of the strategic management model. Environmental Scanning (External: Opportunities, Threats, Societal Environmental, Task Environmental; Internal: Strengths, Weaknesses, Structure, Culture, Resources) → Strategy Formulation (Mission, Objectives, Strategies, Policies) → Strategy Implementation (Programs, Budgets, Procedures) → Evaluation and Control (Performance).]

Figure 1. The strategic management model was adapted from Strategic management and business policy (11th ed.) by T. L. Wheelen, & J. D. Hunger, 2008, Upper Saddle River, NJ: Pearson Prentice Hall.
Annotation: When using a Figure in your paper, make sure there is no title above the figure. Underneath the figure you must have the word “Figure” italicized and the figure number in your paper, followed by a period. Then mention where the information was adapted from, or general information about the figure. Follow the example above. Notice it does not follow the reference citation format.

Corporate sustainability. In addition to enhancing financial performance through strategic management, organizational leaders have the responsibility of increasing shareholder value through corporate sustainability (Epstein, 2008). Corporate sustainability is defined in a variety of ways. Hollingworth (2009) described a sustainable organization as “one that strives for and achieves 360-organizational sustainability” (p. 1). He claimed an organization is sustainable when it can endure, or maintain, over a long term without permanently damaging or depleting resources including: the organization itself; its human resources (internal and external); the community/society/ethno-sphere; and the planet’s environment. He then claimed that if one of the four resources is not sustainable, issues with the remaining resources will eventually develop (Hollingworth, 2009). Brundtland (as cited by Epstein, 2008) described sustainability as the economic development that addresses the needs of the present generation without depleting resources needed by future generations. Epstein adds to the definition from a business perspective by including corporate social responsibility. He stated that organizations have a responsibility to stakeholders to improve management practices in order to add value by addressing corporate social, environmental, and economic impacts (Epstein, 2008). Organizational leaders are the strategic decision makers of a company and have a responsibility to stakeholders (Wheelen & Hunger, 2008). Therefore, it is important to have an understanding of why corporate sustainability is important, and how the nine principles of sustainability performance guide strategic management.

Annotation: A Level 3 header should be an indented, boldface, lowercase heading ending with a period.
Importance of Corporate Sustainability

In addition to making a profit, organizations have a responsibility to society, which includes addressing its economic, social, and environmental impacts, otherwise known as social responsibility. Friedman and Carroll had two opposing views of corporate social responsibility. Friedman argued that the sole responsibility of business was to use resources and activities that enhanced profits (Wheelen & Hunger, 2008). Carroll (1979) argued that social responsibility included much more than that of making a profit; he proposed businesses must include the economic, legal, ethical, and discretionary categories of business performance.

- Economic responsibilities include producing goods and services to meet the needs/wants of society in order to make a profit;
- legal responsibilities are the laws and regulations the company is expected to abide by;
- ethical responsibilities are included in the previous two statements, but also include the norms and beliefs held by society; and
- discretionary responsibilities are other responsibilities taken on by the organization, including voluntary activities and philanthropic contributions (Carroll, 1979).

The importance of corporate sustainability, therefore, is that an organization is responsible for financial performance, but it also has additional responsibilities to stakeholders and society in general.

Annotation: This is another example of an author used at the beginning of a sentence. This is an example of a “narrative citation.” The year must follow the author’s last name.

Annotation: This is an example of the author used at the end of a sentence. It includes the authors’ last names and the year. If there was a quotation, a page or paragraph number would also be included. Notice that the period is at the end of the parentheses. This is considered a “parenthetical citation.”
The Nine Principles of Sustainability Performance

The nine principles (see Table 1), as presented by Epstein and Roy (2003), further define sustainability, are measurable, and can easily be incorporated into strategic management (Epstein, 2008). These principles include ethics, governance, transparency, business relationships, financial return, community involvement, value of products and services, employment practices, and protection of the environment.

Annotation: A table or figure should fit all on one page even if there is a gap left in your paper. It is easier for the reader to view the table or figure when presented as a whole instead of split across two pages.
Table 1
The Nine Principles of Sustainability Performance

1. Ethics: The company establishes, promotes, monitors and maintains ethical standards and practices in dealing with all of the company stakeholders.
2. Governance: The company manages all of its resources conscientiously and effectively, recognizing the fiduciary duty of corporate boards and managers to focus on the interests of all company stakeholders.
3. Transparency: The company provides timely disclosure of information about its products, services and activities, thus permitting stakeholders to make informed decisions.
4. Business relationships: The company engages in fair-trading practices with suppliers, distributors and partners.
5. Financial return: The company compensates providers of capital with a competitive return on investment and the protection of company assets.
6. Community involvement/economic development: The company fosters a mutually beneficial relationship between the corporation and community in which it is sensitive to the culture, context and needs of the community.
7. Value of products and services: The company respects the needs, desires and rights of its customers and strives to provide the highest levels of product and service values.
8. Employment practices: The company engages in human-resource management practices that promote personal and professional employee development, diversity and empowerment.
9. Protection of the environment: The company strives to protect and restore the environment and promote sustainable development with products, processes, services and other activities.

Note. There should be a general note about the table here. Adapted from “Improving sustainability performance: Specifying, implementing and measuring key principles” by M. Epstein, & M. Roy, 2003, Journal of General Management, 29(1), pp. 15-31.

Annotation: When using a Table in your paper, make sure the word “Table” with the table number is in your paper. Then insert the title of the Table in italics, with all major words capitalized. Underneath the Table you must have the word “Note” italicized, followed by a period. Then mention where the information was adapted from, or general information about the table. Follow the example above. Notice it does not follow the reference citation format.
Walgreens Company
Walgreens Company is a retail drugstore that is in the primary business of prescription
and non-prescription drugs, and general merchandise including beauty care, personal care,
household items, photofinishing, greeting cards, and seasonal items (Reuters, 2010). More
recently, the organization diversified its offerings through worksite healthcare facilities, home
care facilities, specialty pharmacies, and mail service pharmacies (Walgreens Company, 2010).
Walgreen Company established a strong organizational culture focusing on consumer and
employee satisfaction. The mission of Walgreens is:
We will provide the most convenient access to consumer goods and services . . .
and pharmacy, health and wellness services . . . in America. We will earn the
trust of our customers and build shareholder value. We will treat each other with
respect and dignity and do the same for all we serve. We will offer employees of
all backgrounds a place to build a career. (“Mission Statement,” 2010, para. 1)
Walgreens was established in 1901 by pharmacist Charles R. Walgreen Sr. (“Our Past,” 2010). Prior to establishing the company, Mr. Walgreen struggled with the direction the pharmacy industry was headed; the lack of quality customer service and care for people concerned him. Today, Walgreens is the largest drugstore chain in the United States, employing over 238,000 people. Sales in 2009 exceeded $63 billion, of which 65% of sales were from prescription drugs. The organization has expanded into all 50 states, as well as the District of Columbia and Puerto Rico, for a total of 7,496 stores and 350 Take Care clinics (Walgreens Company, 2010).

Annotation: If a quotation is longer than 40 words, it must be in a block format. The block format is indented ½ inch (or 5 spaces from the left) from the left margin. Do not use quotation marks for this quote.

Annotation: If you are using information from multiple web pages from one website, it is better to use the title of the web page to replace the author. For in-text citations, put quotation marks around the first couple of words of the title of the web page. All major words are capitalized in the in-text citation.
Conclusion

Annotation: The conclusion is a Level 1 header.
Strategic management and corporate sustainability are two important practices in today’s
competitive global environment. In order to implement effectively strategic management in light
of corporate sustainability, leaders must have an understanding of such concepts. This paper has
provided a background and understanding of strategic management and corporate sustainability.
An overview and history of Walgreen Company was also presented in order to identify best
practices in strategic management that enhance corporate sustainability.
Annotation: List sources in alphabetical order. The word “References” should be capitalized and centered, but not bold.
References

Carroll, A. B. (1979). A three-dimensional conceptual model of corporate performance. The Academy of Management Review, 4(4), 497.

Collins, J. (2001). Good to great. New York, NY: HarperCollins Publishers Inc.

Epstein, M. J. (2008). Making sustainability work. San Francisco, CA: Greenleaf Publishing Limited.

Epstein, M., & Roy, M. (2003). Improving sustainability performance: Specifying, implementing and measuring key principles. Journal of General Management, 29(1), 15-31.

French, S. (2009). Critiquing the language of strategic management. The Journal of Management Development, 28(1), 6-17. doi: 10.1108/02621710910923836

Ginter, P., Ruck, A., & Duncan, W. (1985). Planners’ perceptions of the strategic management process. Journal of Management Studies, 22(6), 581-596.

Hollingworth, M. (2009, November/December). Building 360 organizational sustainability. Ivey Business Journal, 73(6), 2.

Mission statement. (2010). Retrieved from http://news.walgreens.com/article_display.cfm?article_id=1042

Our past. (2010). Retrieved from http://www.walgreens.com/marketing/about/history/default.html

Reuters. (2010). Walgreen Co. Retrieved from http://www.reuters.com/finance/stocks/companyProfile?symbol=WAG.N

Robbins, S. P., & Coulter, M. (2007). Management (9th ed.). Upper Saddle River, NJ: Pearson Prentice Hall.

Walgreens Company. (2010). 2009 annual report. Retrieved from https://materials.proxyvote.com/Approved/931422/20091116/AR_48630/images/Walgreens-AR2009.pdf

Wheelen, T. L., & Hunger, J. D. (2008). Strategic management and business policy (11th ed.). Upper Saddle River, NJ: Pearson Prentice Hall.

Whittington, R. (2008). Alfred Chandler, founder of strategy: Lost tradition and renewed inspiration. Business History Review, 82(2), 267-277.

Annotation: When a reference citation does not fit on one line, the subsequent lines are indented ½ inch or 5 spaces to the right. This is considered a “hanging indent.”

Annotation: Use a doi number if available.

Annotation: If you are using information from multiple web pages from one website, it is better to use the title of the web page to replace the corporate author.

Annotation: After a URL or doi, do not insert a period.

Annotation: Make sure that the links are not live (you should not be able to click on them to go to the website). If they are live, in Word right click and then click on “Remove Hyperlink.”

Annotation: In the reference citation only the first word, the first word after a colon, and proper nouns are capitalized, unlike the in-text citation.

Annotation: The Walgreens Company entry is an example of a website citation; the Wheelen and Hunger entry is an example of a book citation; the Whittington entry is an example of a journal article citation.
Chapter 8
Copyright © 2015 Pearson Education, Inc.
8-2
Explain why attackers increasingly focus on applications.
List the main steps in securing applications.
Know how to secure WWW services and e-commerce
services.
Describe vulnerabilities in web browsers.
Explain the process of securing e-mail.
Explain how to secure voice over IP (VoIP).
Describe threats from Skype VoIP service.
Describe how to secure other user applications.
Know how to secure TCP/IP supervisory applications.
Some attacks inevitably get through network
protections and reach individual hosts
In Chapter 7, we looked at host hardening
In Chapter 8, we look at application
hardening
In Chapter 9, we will look at data protection
8.1 Application Security and Hardening
8.2 WWW and E-Commerce Security
8.3 Web Browser Attacks
8.4 E-Mail Security
8.5 Voice over IP (VoIP) Security
8.6 Other User Applications
Executing Commands with the Privileges of a
Compromised Application
◦ If an attacker takes over an application, the attacker
can execute commands with the privileges of that
application
◦ Many applications run with super user (root)
privileges
Buffer Overflow Attacks
◦ Vulnerabilities, exploits, fixes (e.g., patches,
manual work-arounds or upgrades) (Chapter 7)
◦ Buffers are places where data is stored temporarily
◦ If an attacker sends too much data, a buffer might
overflow, overwriting an adjacent section of RAM
Few Operating Systems but Many
Applications
◦ Application hardening is more total work than
operating system hardening
Understanding the Server’s Role and Threat
Environment
◦ If it runs only one or a few services, easy to disallow
irrelevant things
Basics
◦ Physical Security
◦ Backup
◦ Harden the Operating System
◦ Etc.
Minimize Applications
◦ Main applications
◦ Subsidiary applications
◦ Guided by security baselines
Create Secure Application Program
Configurations
◦ Use baselines to go beyond default installation
configurations for high-value targets
◦ Avoid blank passwords or well-known default
passwords
Install Patches for All Applications
Minimize the Permissions of Applications
◦ If an attack compromises an application with low
permissions, it will not own the computer
Add Application Layer Authentication,
Authorizations, and Auditing
◦ More specific to the needs of the application than
general operating system logins
◦ Can lead to different permissions for different users
Implement Cryptographic Systems
◦ For communication with users
Custom Applications
◦ Written by a firm’s programmers
◦ Not likely to be well-trained in secure coding
The Key Principle
◦ Never trust user input
◦ Filter user input for inappropriate content
Buffer Overflow Attacks
◦ In some languages, specific actions are needed
◦ In other languages, not a major problem
Login Screen Bypass Attacks
◦ Website user gets to a login screen
◦ Instead of logging in, enters a URL for a page that
should only be accessible to authorized users
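The login screen bypass above is defeated by checking authorization on every request before any page handler runs, not only on the login page. Added example, not from the textbook: the paths, the session store and the handlers are constructed, and the path is decoded and normalized first so that a request such as /public/../admin is judged as /admin.

```python
"""Added example, not from the textbook: an authorization guard that runs on
every request before any page handler, so that typing the URL of a protected
page directly (skipping the login screen) is refused. The paths, session
store and handlers are constructed for this example."""
import posixpath
from typing import Dict, Tuple
from urllib.parse import unquote

# Constructed session store: session id -> username. A real server keeps this
# server-side and hands the client only an unguessable session cookie.
SESSIONS: Dict[str, str] = {"s3ss10n-alice": "alice"}

# Every path at or below these prefixes requires a logged-in user.
PROTECTED_PREFIXES = ("/account", "/admin", "/reports")


def canonical_path(request_path: str) -> str:
    """Decode and normalize the request path so '/public/../admin' or
    '/%72eports/x' is judged by what it resolves to, not by its spelling."""
    raw = unquote(request_path.split("?", 1)[0]) or "/"
    return posixpath.normpath("/" + raw.lstrip("/"))


def is_protected(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def handle_request(request_path: str, cookies: Dict[str, str]) -> Tuple[int, str]:
    """Return (HTTP status, body). The guard runs first, for every path."""
    path = canonical_path(request_path)
    user = SESSIONS.get(cookies.get("sid", ""))

    if is_protected(path) and user is None:
        # Login screen bypass attempt: send the client back to the login page.
        return 302, "/login?next=" + path

    # Page handlers only run once the guard above has passed.
    if path == "/login":
        return 200, "login form"
    if path.startswith("/reports"):
        return 200, f"quarterly report for {user}"
    if path == "/":
        return 200, "public home page"
    return 404, "no such page"


if __name__ == "__main__":
    print(handle_request("/reports/Quarterly.html", {}))
    print(handle_request("/reports/Quarterly.html", {"sid": "s3ss10n-alice"}))
    print(handle_request("/public/../admin", {}))
```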
Cross-Site Scripting (XSS) Attacks
◦ One user’s input can go to another user’s webpage
◦ Usually caused if a website sends back information
sent to it without checking for data type, scripts,
etc.
◦ Example: If you type your username, it may include
something like “Hello username” in the webpage it
sends you
Example
◦ Attacker sends the intended victim an e-mail
message with a link to a legitimate website
◦ However, the link includes a script that is not visible
in the browser window because it is beyond the end
of the window
◦ The intended victim clicks on the link and is taken
to the legitimate webpage
◦ The URL’s script is sent to the webserver with the
HTTP GET command to retrieve the legitimate
webpage
Example
◦ The webserver sends back a webpage including the
script
◦ The script is invisible to the user (browsers do not
display scripts)
◦ The script executes
◦ The script may exploit a vulnerability in the browser
or another part of the user’s software
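The “Hello username” page and the link-borne script walked through above come together in this added example, which is not from the textbook: the URL, the page template and the host name are constructed. It renders the greeting once by echoing the GET parameter as-is and once with output encoding, which is the fix the slides imply (check what is sent back before sending it).

```python
"""Added example, not from the textbook: a reflected “Hello username” page
built from a GET request's query string, in the unsafe form the slides
describe and in a hardened form that HTML-encodes user input before placing
it in the page. The lure URL and the template are constructed."""
import html
from urllib.parse import parse_qs, urlsplit

TEMPLATE = "<html><body><h1>Hello {name}</h1></body></html>"


def username_from_url(url: str) -> str:
    """Extract the 'user' parameter the way a webserver does for a GET request."""
    params = parse_qs(urlsplit(url).query)
    return params.get("user", [""])[0]


def render_unsafe(url: str) -> str:
    # Echoes the parameter as-is: any markup carried in the link becomes part
    # of the page, so a script in the URL runs in the victim's browser.
    return TEMPLATE.format(name=username_from_url(url))


def render_safe(url: str) -> str:
    # Output encoding: <, >, &, " and ' become entities, so the browser shows
    # the text literally and never parses it as a tag or a script.
    return TEMPLATE.format(name=html.escape(username_from_url(url), quote=True))


def contains_script_tag(page: str) -> bool:
    """A detection-style check a reviewer or scanner might run on a response."""
    return "<script" in page.lower()


# Constructed lure link: a legitimate-looking host with markup hidden in the
# parameter, where a long URL pushes it beyond the visible window.
LURE = "https://shop.example/welcome?user=alice%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print(render_unsafe(LURE))
    print(render_safe(LURE))
```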
SQL Injection Attacks
◦ For database access
◦ Programmer expects an input value—a text string,
number, etc.
May use it as part of an SQL query or operation
against the database
May accept a last name as input and return the
person’s telephone number
SQL Injection Attacks
◦ Attacker enters an unexpected string
Example: A last name followed by a full SQL
query string
The program may execute both the telephone
number lookup command and the extra SQL
query
This may look up information that should not
be available to the attacker
It may even delete an entire table
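The telephone-number lookup described on these two slides, written once by pasting the last name into the SQL text and once as a parameterized query. This is an added example, not from the textbook; the table, its rows and the inputs are constructed, and SQLite is used so it runs offline.

```python
"""Added example, not from the textbook: the last-name -> telephone lookup
from the slides, in a string-concatenation form and a parameterized form.
The directory table, its rows and the inputs are constructed."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory directory with three entries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (last_name TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO directory VALUES (?, ?)",
        [("Smith", "555-0100"), ("Jones", "555-0101"), ("Walgreen", "555-0102")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, last_name: str) -> List[str]:
    # The input is pasted into the SQL text, so the database cannot tell where
    # the programmer's query ends and the user's string begins.
    sql = f"SELECT phone FROM directory WHERE last_name = '{last_name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, last_name: str) -> List[str]:
    # The query text is fixed; the value travels separately as a bound
    # parameter and is only ever compared as data, never parsed as SQL.
    sql = "SELECT phone FROM directory WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


# Constructed inputs: a normal last name, and a "last name" that carries
# extra SQL after a closing quote, as on the slide.
NORMAL = "Smith"
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("unsafe:", lookup_unsafe(conn, NORMAL), lookup_unsafe(conn, CRAFTED))
    print("safe:  ", lookup_safe(conn, NORMAL), lookup_safe(conn, CRAFTED))
```

With the crafted input the unsafe version returns every row in the table, while the safe version returns nothing because no last name is literally `x' OR '1'='1`.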
Must Require Strong Secure Programming
Training
◦ General principles
◦ Programming-language-specific information
◦ Application-specific threats and countermeasures
8.2 WWW and E-Commerce Security
Importance of WWW Service and E-Commerce
Security
◦ Cost of disruptions, harm to reputation, and market
capitalization
◦ Customer fraud
◦ Exposure of sensitive private information
Webservice versus E-Commerce Service
◦ WWW service provides basic user interactions
Microsoft Internet Information Server (IIS),
Apache on UNIX, other webserver programs
◦ E-commerce servers add functionality—order entry,
shopping cart, payment, etc.
Links to internal corporate databases and
external services, such as credit card checking
Custom programs written for special purposes
Website Defacement
Numerous IIS buffer overflow attacks
◦ Many of which take over the computer
IIS directory traversal attacks
Users should only be able to reach files below the WWW root, which is below the true system root.
[Figure: a directory tree. Below the system root are etc/passwd and the WWW Root; below the WWW Root are Reports/Quarterly.html, Public, and TechReports/microslo.doc. The URL /Reports/Quarterly.html resolves to a file below the WWW Root; the URL /../etc/passwd climbs out of it.]
In URLs, .. means move up one level. If allowed, user can get outside the WWW root box, into other directories.
IIS directory traversal attacks (Figure 8-11)
◦ Companies filter out “..”
◦ Attackers respond with hexadecimal and UNICODE
representations for “..” and “..”
◦ Typical of the constant “arms race” between
attackers and defenders
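The “..” filter from the slide beside the check that ends the arms race: decode the request, normalize it, and then verify that the resulting path still lies under the WWW root. Added example, not from the textbook; the root path and the requests (including the figure's /Reports/Quarterly.html and /../etc/passwd) are constructed, and it goes one step beyond the slide by also handling double-encoded input.

```python
"""Added example, not from the textbook: the blocklist filter for '..' that the
slide describes, beside a canonicalization check that confines every request
to the WWW root. WWW_ROOT and the request paths are constructed."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WWW_ROOT = "/srv/www"       # constructed: the WWW root below the system root


def naive_filter_allows(url_path: str) -> bool:
    """Blocklist approach from the slide: reject requests containing '..'.
    Encoded spellings of the same characters slip through, so it is not enough."""
    return ".." not in url_path


def resolve_under_root(url_path: str) -> Optional[str]:
    """Decode, normalize, then check the final path still lies under WWW_ROOT.
    Returns the filesystem path, or None if the request escapes the root."""
    decoded = url_path
    # Decode until stable, so %2e and the double-encoded %252e both end up as
    # the plain characters they stand for before anything is judged.
    while True:
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    # normpath collapses '.', '..' and repeated slashes into one canonical form;
    # lstrip('/') keeps the join relative to the root instead of replacing it.
    full = posixpath.normpath(posixpath.join(WWW_ROOT, decoded.lstrip("/")))
    if full != WWW_ROOT and not full.startswith(WWW_ROOT + "/"):
        return None           # climbed out of the WWW root box
    return full


# Constructed requests, including the two from the figure.
REQUESTS = [
    "/Reports/Quarterly.html",        # legitimate
    "/../etc/passwd",                 # plain '..'
    "/%2e%2e/etc/passwd",             # hex-encoded '..'
    "/%252e%252e/etc/passwd",         # double-encoded '..'
    "/Public/../../etc/passwd",       # '..' that climbs past the root
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(f"{req:28} filter_allows={naive_filter_allows(req)!s:5} "
              f"canonical={resolve_under_root(req)}")
```

On a real server the prefix check must run on the path after symbolic links are resolved as well (os.path.realpath), since a link below the WWW root can point outside it.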
Patching the WWW and E-Commerce Software
and Their Components
◦ Patching the webserver software is not enough
◦ Must also patch e-commerce software
◦ E-commerce software might use third-party
component software that must be patched
Other Website Protections
◦ Website vulnerability assessment tools, such as
Whisker
◦ Reading website error logs
◦ Placing a webserver-specific application proxy
server in front of the webserver
An internal employee (10.10.10.10)
may be blindly searching for
confidential directories (bolded) on
an internal webserver (10.0.0.1).
8.3 Web Browser Attacks
PCs Are Major Targets
◦ Have interesting information and can be attacked
through the browser
Client-Side Scripting (Mobile Code)
◦ Java applets: small Java programs
Usually run in a “sandbox” that limits their
access to most of the system
◦ Active-X from Microsoft; highly dangerous because
it can do almost everything
Client-Side Scripting (Mobile Code)
◦ Scripting languages (not full programming
languages)
A script is a series of commands in a scripting
language
JavaScript (not scripted form of Java)
VBScript (Visual Basic scripting from Microsoft)
A script usually is invisible to users
Malicious Links
[Figure: a lure reading “You like beef? Click here.”]
◦ User usually must click on them to execute (but not
always)
◦ Tricking users to visit attacker websites
Social engineering to persuade the victim to
click on a link
Uses domain names that are common
misspellings of popular domain names
http://www.micosoft.com
Other Client-Side Attacks
◦ File reading: turns the computer into an
unintended file server
◦ Executing a single command
The single command may open a command
shell on the user’s computer
The attacker can now enter many commands
[Figure: a command shell prompt, C:>]
Other Client-Side Attacks
◦ Automatic redirection to unwanted webpage
◦ On compromised systems, the user may be
automatically directed to a specific malicious
website if they later make any typing error
Other Client-Side Attacks
◦ Cookies
Cookies are placed on user computer; can be
retrieved by website
Can be used to track users at a website
Can contain private information
Accepting cookies is necessary to use many
websites
Enhancing Browser Security
◦ Patches and updates
◦ Set strong security configuration options for
Microsoft Internet Explorer
◦ Set strong privacy configuration options for
Microsoft Internet Explorer
8.4 E-Mail Security
Content Filtering
◦ Malicious code in attachments and HTML bodies
(scripts)
◦ Spam: unsolicited commercial e-mail
◦ Volume is growing rapidly; slowing PCs and
annoying users (pornography and fraud)
◦ Filtering for spam also rejects some legitimate
messages
Inappropriate Content
◦ Companies often filter for sexually or racially
harassing messages
◦ Could be sued for not doing so
Extrusion Prevention for Intellectual Property
(IP)
Stopping the Transmission of Sensitive
Personally Identifiable Information (PII)
Employee Training
◦ E-mail is not private; the company has the right to read it
◦ Your messages may be forwarded without permission
◦ Never put anything in a message the sender would not want to see in court, printed in the newspapers, or read by his or her boss
◦ Never forward messages without permission
8.5 Voice over IP (VoIP) Security
Concept     Meaning
Transport   The carriage of voice between the two parties
Signaling   Communication to manage the network: call setup, call teardown, accounting, etc.
Eavesdropping
Denial-of-Service Attacks
◦ Even small increases in latency and jitter can be highly disruptive
Caller Impersonation
◦ Useful in social engineering
◦ Attacker can appear to be the president based on a falsified source address
Hacking and Malware Attacks
◦ Compromised clients can send attacks
◦ Compromised servers can send disruptive signaling
Toll Fraud
◦ Attacker uses the corporate VoIP network to place free calls
Spam over IP Telephony (SPIT)
◦ Especially disruptive because it interrupts the called party in real time
Basic Corporate Security Must Be Strong
Authentication
◦ SIP Identity (RFC 4474) provides strong authentication assurance between second-level domains
Encryption for Confidentiality
◦ Can add to latency
Firewalls
◦ Many short packets
◦ Firewall must prioritize VoIP traffic
◦ Must handle ports for signaling
  SIP uses Port 5060
  H.323 uses Ports 1719 and 1720
  Must create an exception for each conversation, which is assigned a specific port
  Must close the transport port immediately after the conversation ends
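As an added illustration of these firewall rules (not the textbook's or the slide deck's own code), the following Python tracker keeps the signaling ports open statically, opens one exception per conversation for the media port announced at call setup, and closes it the moment the call is torn down. The addresses, call identifier and media port numbers are constructed for the example; only 5060, 1719 and 1720 come from the slide.

```python
"""Stateful VoIP pinhole tracker: an added illustration of the slide's firewall
rules, not the textbook's code. Signaling ports (SIP 5060, H.323 1719/1720) are
permanently open; each call gets its own exception for the media port chosen
during call setup; that exception is removed as soon as the call is torn down.
The call events in run_scenario() are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass

# Signaling ports named on the slide: SIP uses 5060; H.323 uses 1719 and 1720.
SIGNALING_PORTS = frozenset({5060, 1719, 1720})


@dataclass(frozen=True)
class Pinhole:
    """A per-conversation exception: only this endpoint pair may use this port."""
    call_id: str
    endpoint_a: str
    endpoint_b: str
    media_port: int


class VoipFirewall:
    def __init__(self) -> None:
        self.pinholes: dict[str, Pinhole] = {}   # keyed by call identifier
        self.events: list[str] = []              # audit trail of decisions

    def allows(self, src: str, dst: str, port: int) -> bool:
        """Return True if a packet between src and dst on port may pass."""
        if port in SIGNALING_PORTS:
            return True                          # static rule for call control
        for ph in self.pinholes.values():
            # Direction-agnostic match: media flows both ways on the same port.
            if ph.media_port == port and {src, dst} == {ph.endpoint_a, ph.endpoint_b}:
                return True                      # dynamic per-call exception
        self.events.append(f"drop {src}->{dst}:{port}")
        return False

    def call_setup(self, call_id: str, a: str, b: str, media_port: int) -> bool:
        """Open the media pinhole announced in signaling (e.g. an SDP m= line)."""
        # Refuse a media port that would widen a signaling rule or an invalid port.
        if media_port in SIGNALING_PORTS or not 1024 <= media_port <= 65535:
            self.events.append(f"reject setup {call_id}: bad media port {media_port}")
            return False
        if call_id in self.pinholes:
            self.events.append(f"reject setup {call_id}: call already active")
            return False
        self.pinholes[call_id] = Pinhole(call_id, a, b, media_port)
        self.events.append(f"open {call_id} port {media_port}")
        return True

    def call_teardown(self, call_id: str) -> bool:
        """Close the pinhole immediately when the conversation ends."""
        ph = self.pinholes.pop(call_id, None)
        if ph is None:
            return False
        self.events.append(f"close {call_id} port {ph.media_port}")
        return True


def run_scenario() -> list[bool]:
    """Constructed call between two phones; returns the filter decisions in order."""
    fw = VoipFirewall()
    phone, proxy, peer = "10.1.1.10", "10.1.1.2", "10.2.2.20"   # constructed addresses
    decisions = [
        fw.allows(phone, proxy, 5060),        # SIP INVITE to the proxy: allowed
        fw.allows(peer, phone, 20000),        # media before setup: dropped
    ]
    fw.call_setup("call-1", phone, peer, 20000)   # port 20000 is a constructed SDP value
    decisions += [
        fw.allows(peer, phone, 20000),        # media during the call: allowed
        fw.allows("10.9.9.9", phone, 20000),  # third party on the same port: dropped
        fw.allows(phone, peer, 20001),        # other port, same pair: dropped
    ]
    fw.call_teardown("call-1")                # SIP BYE
    decisions.append(fw.allows(peer, phone, 20000))  # media after teardown: dropped
    return decisions


if __name__ == "__main__":
    print(run_scenario())
```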
NAT Problems
◦ NAT firewall must handle VoIP NAT traversal
◦ NAT adds a small amount of latency
Separation: Anticonvergence
◦ The convergence goal for data and voice
◦ Virtual LANs (VLANs)
  Separate voice and data traffic on different VLANs
  Separate VoIP servers from VoIP phones on different VLANs
Widely Used, Public VoIP Service
Uses Proprietary Protocols and Code
◦ Vulnerabilities? Backdoors? Etc.
◦ Firewalls have a difficult time even recognizing Skype traffic
Encryption for Confidentiality
◦ Skype reportedly uses strong security
◦ However, Skype keeps the encryption keys, allowing it to do eavesdropping
Inadequate Authentication
◦ Uncontrolled user registration; can use someone else's name and appear to be them
Peer-to-Peer (P2P) Service
◦ Uses this architecture and its proprietary and rapidly changing protocol to get through corporate firewalls
◦ Bad for corporate security control
Skype File Sharing
◦ Does not work with antivirus programs
8.6 Other User Applications
Presence servers merely tell the clients that others exist and what their IP addresses are.
All transmissions go through relay servers when relay servers are used.
TCP/IP Supervisory Protocols
◦ Many supervisory protocols in TCP/IP
  ARP, ICMP, DNS, DHCP, LDAP, RIP, OSPF, BGP, SNMP, etc.
◦ The targets of many attacks
◦ The IETF has a program to improve security in all of them (the Danvers Doctrine)
Example
◦ Simple Network Management Protocol (SNMP)
◦ Messages
  GET messages to get information from a managed object
  SET messages to change the configuration of a managed object
  SET is often turned off because it is dangerous
Example
◦ SNMP versions and security
  Version 1: No security
  Version 2: Weak authentication with a community string shared by the manager and managed devices
  Version 3: Pair-shared secrets, optional confidentiality, message integrity, and antireplay protection
  Still needed: public key authentication
IT Security People Must Work with the Networking Staff
◦ Ensure that appropriate security is being applied to supervisory protocols
◦ Not a traditional area for IT security in most firms
Corporate Computer Security, Third Edition
Randall J. Boyle, University of Utah
Raymond R. Panko, University of Hawai`i at Manoa
To Courtney Boyle, thank you for your patience, kindness,
and perspective on what’s most important in life.
—Randy Boyle
To Julia Panko, my long-time networking and security editor
and one of the best technology minds I’ve ever encountered.
—Ray Panko
Copyright © 2013, 2010, 2004 by Pearson Education, Inc., publishing as Prentice Hall. All rights reserved.
Library of Congress Cataloging-in-Publication Data
Boyle, Randall J.
Corporate computer security.—3rd ed. / Randall J. Boyle, Raymond R. Panko.
p. cm.
Panko’s name appears first on the earlier edition.
ISBN-13: 978-0-13-214535-0
ISBN-10: 0-13-214535-9
1. Computer security. 2. Computer networks—Security measures. 3. Electronic data processing
departments—Security measures. I. Panko, Raymond R. II. Title.
QA76.9.A25P36 2013
005.8—dc23
2011035372
CONTENTS
Preface xviii
About the Authors xxiv

Chapter 1 The Threat Environment 1
1.1 Introduction 1
  Basic Security Terminology 2
    THE THREAT ENVIRONMENT 2
    SECURITY GOALS 3
    COMPROMISES 3
    COUNTERMEASURES 3
  Case Study: The TJX Data Breach 4
    THE TJX COMPANIES, INC. 4
    DISCOVERY 4
    THE BREAK-INS 6
    THE PAYMENT CARD INDUSTRY–DATA SECURITY STANDARD 7
    THE FALLOUT: LAWSUITS AND INVESTIGATIONS 8
    PROSECUTION 8
1.2 Employee and Ex-employee Threats 9
  Why Employees Are Dangerous 10
  Employee Sabotage 10
  Employee Hacking 12
  Employee Financial Theft and Theft of Intellectual Property 13
  Employee Extortion 14
  Employee Sexual or Racial Harassment 15
  Employee Computer and Internet Abuse 15
    INTERNET ABUSE 15
    NON-INTERNET COMPUTER ABUSE 16
  Data Loss 16
  Other “Internal” Attackers 17
1.3 Malware 17
  Malware Writers 18
  Viruses 18
  Worms 20
  Blended Threats 21
  Payloads 21
  Trojan Horses and Rootkits 22
    NONMOBILE MALWARE 22
    TROJAN HORSES 22
    REMOTE ACCESS TROJANS 23
    DOWNLOADERS 24
    SPYWARE 24
    ROOTKITS 24
  Mobile Code 25
  Social Engineering in Malware 25
    SPAM 26
    PHISHING 26
    SPEAR PHISHING 29
    HOAXES 29
1.4 Hackers and Attacks 30
  Traditional Motives 30
  Anatomy of a Hack 32
    TARGET SELECTION 32
    RECONNAISSANCE PROBES 32
    THE EXPLOIT 33
    SPOOFING 33
  Social Engineering in an Attack 35
  Denial-of-Service Attacks 37
  Skill Levels 38
1.5 The Criminal Era 40
  Dominance by Career Criminals 40
    CYBERCRIME 40
    INTERNATIONAL GANGS 41
    BLACK MARKETS AND MARKET SPECIALIZATION 42
  Fraud, Theft, and Extortion 45
    FRAUD 46
    FINANCIAL AND INTELLECTUAL PROPERTY THEFT 46
    EXTORTION AGAINST CORPORATIONS 47
  Stealing Sensitive Data about Customers and Employees 48
    CARDING 48
    BANK ACCOUNT THEFT 48
    ONLINE STOCK ACCOUNT THEFT 48
    IDENTITY THEFT 48
    THE CORPORATE CONNECTION 49
    CORPORATE IDENTITY THEFT 49
1.6 Competitor Threats 50
  Commercial Espionage 50
  Denial-of-Service Attacks 52
1.7 Cyberwar and Cyberterror 53
  Cyberwar 53
  Cyberterror 54
1.8 Conclusion 55
  Thought Questions 56 • Hands-on Projects 57 • Project Thought Questions 58 • Perspective Questions 58
Chapter 2 Planning and Policy 59
2.1 Introduction 60
  Defense 60
  Management Processes 61
    MANAGEMENT IS THE HARD PART 61
    COMPREHENSIVE SECURITY 61
    WEAKEST LINKS FAILURES 61
    THE NEED TO PROTECT MANY RESOURCES 63
  The Need for a Disciplined Security Management Process 63
  The Plan–Protect–Respond Cycle 64
    PLANNING 64
    PROTECTION 64
    RESPONSE 66
  Vision in Planning 66
    VIEWING SECURITY AS AN ENABLER 66
    DEVELOPING POSITIVE VISIONS OF USERS 67
  Strategic IT Security Planning 68
2.2 Compliance Laws and Regulations 69
  Driving Forces 69
  Sarbanes–Oxley 70
  Privacy Protection Laws 72
  Data Breach Notification Laws 74
  The Federal Trade Commission 75
  Industry Accreditation 75
  PCI-DSS 75
  FISMA 75
2.3 Organization 76
  Chief Security Officers 76
  Should You Place Security within IT? 76
    LOCATING SECURITY WITHIN IT 78
    PLACING SECURITY OUTSIDE IT 78
    A HYBRID SOLUTION 78
  Top Management Support 79
  Relationships with Other Departments 79
    SPECIAL RELATIONSHIPS 79
    ALL CORPORATE DEPARTMENTS 80
    BUSINESS PARTNERS 80
  Outsourcing IT Security 81
    E-MAIL OUTSOURCING 81
    MANAGED SECURITY SERVICE PROVIDER 84
2.4 Risk Analysis 85
  Reasonable Risk 86
  Classic Risk Analysis Calculations 86
    ASSET VALUE 86
    EXPOSURE FACTOR 87
    SINGLE LOSS EXPECTANCY 87
    ANNUALIZED PROBABILITY (OR RATE) OF OCCURRENCE 87
    ANNUALIZED LOSS EXPECTANCY 87
    COUNTERMEASURE IMPACT 87
    ANNUALIZED COUNTERMEASURE COST AND NET VALUE 88
  Problems with Classic Risk Analysis Calculations 90
    UNEVEN MULTIYEAR CASH FLOWS 90
    TOTAL COST OF INCIDENT 90
    MANY-TO-MANY RELATIONSHIPS BETWEEN COUNTERMEASURES AND RESOURCES 90
    THE IMPOSSIBILITY OF COMPUTING ANNUALIZED RATES OF OCCURRENCE 90
    THE PROBLEM WITH “HARD-HEADED THINKING” 92
    PERSPECTIVE 92
  Responding to Risk 93
    RISK REDUCTION 93
    RISK ACCEPTANCE 93
    RISK TRANSFERENCE (INSURANCE) 94
    RISK AVOIDANCE 94
2.5 Technical Security Architecture 94
  Technical Security Architectures 94
    ARCHITECTURAL DECISIONS 95
    DEALING WITH LEGACY SECURITY TECHNOLOGY 95
  Principles 95
    DEFENSE IN DEPTH 95
    DEFENSE IN DEPTH VERSUS WEAKEST LINKS 97
    SINGLE POINTS OF VULNERABILITY 97
    MINIMIZING SECURITY BURDENS 97
    REALISTIC GOALS 97
  Elements of a Technical Security Architecture 98
    BORDER MANAGEMENT 98
    INTERNAL SITE SECURITY MANAGEMENT 98
    MANAGEMENT OF REMOTE CONNECTIONS 98
    INTERORGANIZATIONAL SYSTEMS 99
    CENTRALIZED SECURITY MANAGEMENT 99
2.6 Policy-Driven Implementation 99
  Policies 99
    WHAT ARE POLICIES? 99
    WHAT, NOT HOW 99
    CLARITY 100
  Categories of Security Policies 100
    CORPORATE SECURITY POLICY 100
    MAJOR POLICIES 101
    ACCEPTABLE USE POLICY 101
    POLICIES FOR SPECIFIC COUNTERMEASURES OR RESOURCES 102
  Policy-Writing Teams 103
  Implementation Guidance 103
    NO GUIDANCE 105
    STANDARDS AND GUIDELINES 105
  Types of Implementation Guidance 105
    PROCEDURES 105
    PROCESSES 106
    BASELINES 106
    BEST PRACTICES AND RECOMMENDED PRACTICES 107
    ACCOUNTABILITY 107
    ETHICS 107
  Exception Handling 109
  Oversight 110
    POLICIES AND OVERSIGHT 110
    PROMULGATION 110
    ELECTRONIC MONITORING 111
    SECURITY METRICS 111
    AUDITING 113
    ANONYMOUS PROTECTED HOTLINE 113
    BEHAVIORAL AWARENESS 114
    FRAUD 114
    SANCTIONS 116
2.7 Governance Frameworks 117
  COSO 118
    THE COSO FRAMEWORK 118
    OBJECTIVES 118
    REASONABLE ASSURANCE 118
    COSO FRAMEWORK COMPONENTS 118
  CobiT 120
    THE COBIT FRAMEWORK 121
    DOMINANCE IN THE UNITED STATES 121
  The ISO/IEC 27000 Family 122
    ISO/IEC 27002 122
    ISO/IEC 27001 122
    OTHER 27000 STANDARDS 122
2.8 Conclusion 123
  Thought Questions 124 • Hands-on Projects 124 • Project Thought Questions 125 • Perspective Questions 125
Chapter 3 Cryptography 127
3.1 What is Cryptography? 128
  Encryption for Confidentiality 129
  Terminology 129
    PLAINTEXT 129
    ENCRYPTION AND CIPHERTEXT 129
    CIPHER 130
    KEY 130
    KEEPING THE KEY SECRET 130
  The Simple Cipher 130
  Cryptanalysis 131
  Substitution and Transposition Ciphers 132
  Substitution Ciphers 132
  Transposition Ciphers 132
  Real-world Encryption 133
  Ciphers and Codes 133
  Symmetric Key Encryption 134
    KEY LENGTH 135
  Human Issues in Cryptography 137
3.2 Symmetric Key Encryption Ciphers 139
  RC4 139
  The Data Encryption Standard (DES) 140
    56-BIT KEY SIZE 140
    BLOCK ENCRYPTION 141
  Triple DES (3DES) 141
    168-BIT 3DES OPERATION 141
    112-BIT 3DES 141
    PERSPECTIVE ON 3DES 141
  Advanced Encryption Standard (AES) 142
  Other Symmetric Key Encryption Ciphers 143
3.3 Cryptographic System Standards 145
  Cryptographic Systems 145
  Initial Handshaking Stages 145
    NEGOTIATION 145
    INITIAL AUTHENTICATION 146
    KEYING 147
  Ongoing Communication 147
3.4 The Negotiation Stage 147
  Cipher Suite Options 148
  Cipher Suite Policies 148
3.5 Initial Authentication Stage 149
  Authentication Terminology 149
  Hashing 149
  Initial Authentication with MS-CHAP 151
    ON THE SUPPLICANT’S MACHINE: HASHING 151
    ON THE VERIFIER SERVER 151
3.6 The Keying Stage 152
  Session Keys 152
  Public Key Encryption for Confidentiality 153
    TWO KEYS 153
    PROCESS 153
    PADLOCK AND KEY ANALOGY 153
    HIGH COST AND SHORT MESSAGE LENGTHS 154
    RSA AND ECC 154
    KEY LENGTH 154
  Symmetric Key Keying Using Public Key Encryption 155
  Symmetric Key Keying Using Diffie–Hellman Key Agreement 156
3.7 Message-By-Message Authentication 157
  Electronic Signatures 157
  Public Key Encryption for Authentication 157
  Message-by-Message Authentication with Digital Signatures 158
    DIGITAL SIGNATURES 158
    HASHING TO PRODUCE THE MESSAGE DIGEST 158
    SIGNING THE MESSAGE DIGEST TO PRODUCE THE DIGITAL SIGNATURE 158
    SENDING THE MESSAGE WITH CONFIDENTIALITY 159
    VERIFYING THE SUPPLICANT 160
    MESSAGE INTEGRITY 160
    PUBLIC KEY ENCRYPTION FOR CONFIDENTIALITY AND AUTHENTICATION 160
  Digital Certificates 161
    CERTIFICATE AUTHORITIES 161
    DIGITAL CERTIFICATE 162
    VERIFYING THE DIGITAL CERTIFICATE 163
    THE ROLES OF THE DIGITAL CERTIFICATE AND DIGITAL SIGNATURE 164
  Key-Hashed Message Authentication Codes (HMACs) 166
  Creating and Testing the HMAC 166
  Nonrepudiation 166
    THE PROBLEM WITH DIGITAL SIGNATURES 166
3.8 Quantum Security 169
3.9 Cryptographic Systems 170
  Virtual Private Networks (VPNs) 171
  Why VPNs? 172
  Host-to-Host VPNs 172
  Remote Access VPNs 172
  Site-to-Site VPNs 173
3.10 SSL/TLS 173
  Nontransparent Protection 174
  Inexpensive Operation 174
  SSL/TLS Gateways and Remote Access VPNs 175
    VPN GATEWAY STANDARDS 175
    AUTHENTICATION 175
    CONNECTING THE CLIENT PC TO AUTHORIZED RESOURCES 175
    SECURITY FOR SERVICES 176
    BROWSER ON THE CLIENT 177
    ADVANCED SERVICES REQUIRE ADMINISTRATOR PRIVILEGES ON PCS 178
    PERSPECTIVE 179
3.11 IPsec 179
  Attractions of IPsec 180
    SSL/TLS GIVES NONTRANSPARENT TRANSPORT LAYER SECURITY 180
    IPSEC: TRANSPARENT INTERNET LAYER SECURITY 180
    IPSEC IN BOTH IPV4 AND IPV6 181
  IPsec Transport Mode 181
    HOST-TO-HOST SECURITY 181
    END-TO-END PROTECTION 182
    COST OF SETUP 182
    IPSEC IN TRANSPORT MODE AND FIREWALLS 182
  IPsec Tunnel Mode 183
    PROTECTION IS PROVIDED BY IPSEC GATEWAYS 183
    LESS EXPENSIVE THAN TRANSPORT MODE 183
    FIREWALL-FRIENDLY PROTECTION 183
    NO PROTECTION WITHIN THE TWO SITES 183
  IPsec Security Associations (SAs) 184
    SEPARATE SAS IN THE TWO DIRECTIONS 184
    POLICY-BASED SA 184
3.12 Conclusion 185
  Thought Questions 187 • Hands-on Projects 188 • Project Thought Questions 190 • Perspective Questions 190

Chapter 4 Secure Networks 191
4.1 Introduction 191
  Creating Secure Networks 192
    AVAILABILITY 192
    CONFIDENTIALITY 192
    FUNCTIONALITY 193
    ACCESS CONTROL 193
  Future of Secure Networks 193
    DEATH OF THE PERIMETER 194
    RISE OF THE CITY 194
4.2 DoS Attacks 195
  Denial of Service . . . But Not an Attack 195
    FAULTY CODING 195
    REFERRALS FROM LARGE SITES 196
  Goal of DoS Attacks 196
    STOP CRITICAL SERVICES 196
    DEGRADE SERVICES 196
  Methods of DoS Attacks 198
    DIRECT AND INDIRECT ATTACKS 198
    INTERMEDIARY 200
    REFLECTED ATTACK 203
    SENDING MALFORMED PACKETS 204
  Defending Against Denial-of-Service Attacks 205
    BLACK HOLING 205
    VALIDATING THE HANDSHAKE 206
    RATE LIMITING 206
4.3 ARP Poisoning 207
  Normal ARP Operation 209
    THE PROBLEM 209
  ARP Poisoning 210
  ARP DoS Attack 211
  Preventing ARP Poisoning 212
    STATIC TABLES 212
    LIMIT LOCAL ACCESS 212
4.4 Access Control for Networks 214
  LAN Connections 214
  Access Control Threats 215
  Eavesdropping Threats 215
4.5 Ethernet Security 216
  Ethernet and 802.1X 216
    COST SAVINGS 217
    CONSISTENCY 217
    IMMEDIATE CHANGES 217
  The Extensible Authentication Protocol (EAP) 217
    EAP OPERATION 218
    EXTENSIBILITY 219
  RADIUS Servers 219
    RADIUS AND EAP 219
4.6 Wireless Security 220
  Wireless Attacks 221
  Unauthorized Network Access 221
    PREVENTING UNAUTHORIZED ACCESS 222
  Evil Twin Access Points 224
  Wireless Denial of Service 226
    FLOOD THE FREQUENCY 226
    FLOOD THE ACCESS POINT 227
    SEND ATTACK COMMANDS 227
  Wireless LAN Security with 802.11i 228
    EAP’S NEED FOR SECURITY 228
    ADDING SECURITY TO EAP 229
    EAP-TLS AND PEAP 229
  Core Wireless Security Protocols 230
  Wired Equivalent Privacy (WEP) 230
  Cracking WEP 231
    SHARED KEYS AND OPERATIONAL SECURITY 231
    EXPLOITING WEP’S WEAKNESS 231
  Perspective 231
  Wi-Fi Protected Access (WPA™) 232
  Pre-Shared Key (PSK) Mode 235
  Wireless Intrusion Detection Systems 237
  False 802.11 Security Measures 238
    SPREAD SPECTRUM OPERATION AND SECURITY 238
    TURNING OFF SSID BROADCASTING 239
    MAC ACCESS CONTROL LISTS 239
  Implementing 802.11i or WPA Is Easier 240
4.7 Conclusion 240
  Thought Questions 241 • Hands-on Projects 242 • Project Thought Questions 243 • Perspective Questions 243
Chapter 5 Access Control 245
5.1 Introduction 246
  Access Control 246
  Authentication, Authorizations, and Auditing 246
  Authentication 246
  Beyond Passwords 247
  Two-Factor Authentication 248
  Individual and Role-Based Access Control 248
  Organizational and Human Controls 248
  Military and National Security Organization Access Controls 249
  Multilevel Security 249
5.2 Physical Access and Security 250
  Risk Analysis 250
  ISO/IEC 9.1: Secure Areas 251
    PHYSICAL SECURITY PERIMETER 251
    PHYSICAL ENTRY CONTROLS 252
    PUBLIC ACCESS, DELIVERY, AND LOADING AREAS 252
    SECURING OFFICES, ROOMS, AND FACILITIES 252
    PROTECTING AGAINST EXTERNAL AND ENVIRONMENTAL THREATS 252
    RULES FOR WORKING IN SECURE AREAS 256
  ISO/IEC 9.2 Equipment Security 256
    EQUIPMENT SITING AND PROTECTION 256
    SUPPORTING UTILITIES 257
    CABLING SECURITY 257
    SECURITY DURING OFF-SITE EQUIPMENT MAINTENANCE 257
    SECURITY OF EQUIPMENT OFF-PREMISES 257
    SECURE DISPOSAL OR REUSE OF EQUIPMENT 257
    REMOVAL OF PROPERTY 258
  Other Physical Security Issues 258
    TERRORISM 258
    PIGGYBACKING 258
    MONITORING EQUIPMENT 259
    DUMPSTER™ DIVING 260
    DESKTOP PC SECURITY 260
    NOTEBOOK SECURITY 260
5.3 Passwords 260
  Password-Cracking Programs 260
  Password Policies 261
  Password Use and Misuse 261
    NOT USING THE SAME PASSWORD AT MULTIPLE SITES 261
    PASSWORD DURATION POLICIES 262
    POLICIES PROHIBITING SHARED ACCOUNTS 263
    DISABLING PASSWORDS THAT ARE NO LONGER VALID 263
    LOST PASSWORDS 263
    PASSWORD STRENGTH 266
    PASSWORD AUDITING 266
  The End of Passwords? 267
5.4 Access Cards and Tokens 268
  Access Cards 268
    MAGNETIC STRIPE CARDS 269
    SMART CARDS 269
    CARD READER COSTS 269
  Tokens 269
    ONE-TIME-PASSWORD TOKENS 270
    USB TOKENS 270
  Proximity Access Tokens 270
  Addressing Loss and Theft 270
    PHYSICAL DEVICE CANCELLATION 270
    TWO-FACTOR AUTHENTICATION 272
5.5 Biometric Authentication 273
  Biometrics 273
  Biometric Systems 274
    INITIAL ENROLLMENT 274
    SUBSEQUENT ACCESS ATTEMPTS 275
    ACCEPTANCE OR REJECTION 276
  Biometric Errors 276
    FALSE ACCEPTANCE RATE 276
    FALSE REJECTION RATE 277
    WHICH IS WORSE? 277
    VENDOR CLAIMS 277
    FAILURE TO ENROLL 278
  Verification, Identification, and Watch Lists 278
    VERIFICATION 278
    IDENTIFICATION 279
    WATCH LISTS 280
  Biometric Deception 280
  Biometric Methods 282
    FINGERPRINT RECOGNITION 282
    IRIS RECOGNITION 282
    FACE RECOGNITION 282
    HAND GEOMETRY 283
    VOICE RECOGNITION 287
    OTHER FORMS OF BIOMETRIC AUTHENTICATION 287
5.6 Cryptographic Authentication 287
  Key Points from Chapter 3 287
  Public Key Infrastructures 288
    THE FIRM AS A CERTIFICATE AUTHORITY 288
    CREATING PUBLIC KEY–PRIVATE KEY PAIRS 289
    DISTRIBUTING DIGITAL CERTIFICATES 289
    ACCEPTING DIGITAL CERTIFICATES 289
    CERTIFICATE REVOCATION STATUS 290
    PROVISIONING 290
    THE PRIME AUTHENTICATION PROBLEM 290
5.7 Authorization 290
  The Principle of Least Permissions 291
5.8 Auditing 292
  Logging 292
  Log Reading 293
    REGULAR LOG READING 293
    PERIODIC EXTERNAL AUDITS OF LOG FILE ENTRIES 293
    AUTOMATIC ALERTS 293
5.9 Central Authentication Servers 294
  The Need for Centralized Authentication 294
  Kerberos 295
5.10 Directory Servers 296
  What Are Directory Servers? 297
  Hierarchical Data Organization 297
  Lightweight Data Access Protocol 298
  Use by Authentication Servers 298
  Active Directory 298
    ACTIVE DIRECTORY DOMAINS 299
  Trust 300
5.11 Full Identity Management 301
  Other Directory Servers and Metadirectories 301
  Federated Identity Management 302
    THE SECURITY ASSERTION MARKUP LANGUAGE 304
    PERSPECTIVE 304
  Identity Management 304
    BENEFITS OF IDENTITY MANAGEMENT 304
    WHAT IS IDENTITY? 306
    IDENTITY MANAGEMENT 306
  Trust and Risk 307
5.12 Conclusion 307
  Thought Questions 309 • Hands-on Projects 310 • Project Thought Questions 311 • Perspective Questions 311
Chapter 6 Firewalls 313
6.1 Introduction 314
  Basic Firewall Operation 314
  The Danger of Traffic Overload 319
  Firewall Filtering Mechanisms 320
6.2 Static Packet Filtering 321
  Looking at Packets One at a Time 321
  Looking Only at Some Fields in the Internet and Transport Headers 321
  Usefulness of Static Packet Filtering 321
  Perspective 322
6.3 Stateful Packet Inspection 323
  Basic Operation 323
    CONNECTIONS 323
    STATES 324
    STATEFUL PACKET INSPECTION WITH TWO STATES 324
    REPRESENTING CONNECTIONS 325
  Packets That Do Not Attempt to Open Connections 326
    TCP CONNECTIONS 329
    UDP AND ICMP CONNECTIONS 329
    ATTACK ATTEMPTS 329
    PERSPECTIVE 329
  Packets That Do Attempt to Open a Connection 330
  Access Control Lists (ACLs) for Connection-Opening Attempts 331
    WELL-KNOWN PORT NUMBERS 331
    ACCESS CONTROL LISTS (ACLS) FOR INGRESS FILTERING 332
    IF-THEN FORMAT 332
    PORTS AND SERVER ACCESS 332
    DISALLOW ALL CONNECTIONS 333
  Perspective on SPI Firewalls 334
    LOW COST 334
    SAFETY 334
    DOMINANCE 335
6.4 Network Address Translation 335
  Sniffers 335
    NAT OPERATION 335
    PACKET CREATION 336
    NETWORK AND PORT ADDRESS TRANSLATION 336
    TRANSLATION TABLE 336
    RESPONSE PACKET 336
    RESTORATION 336
    PROTECTION 337
  Perspective on NAT 337
    NAT/PAT 337
    TRANSPARENCY 337
    NAT TRAVERSAL 337
6.5 Application Proxy Firewalls and Content Filtering 337
  Application Proxy Firewall Operation 338
    OPERATIONAL DETAILS 338
    APPLICATION PROXY PROGRAMS VERSUS APPLICATION PROXY FIREWALLS 338
    PROCESSING-INTENSIVE OPERATION 338
    ONLY A FEW APPLICATIONS CAN BE PROXIED 339
    TWO COMMON USES 339
  Application Content Filtering in Stateful Packet Inspection Firewalls 340
  Application Content Filtering for HTTP 341
  Client Protections 341
  Server Protections 341
  Other Protections 344
6.6 Intrusion Detection Systems and Intrusion Prevention Systems 345
  Intrusion Detection Systems 345
    FIREWALLS VERSUS IDSS 347
    FALSE POSITIVES (FALSE ALARMS) 347
    HEAVY PROCESSING REQUIREMENTS 347
  Intrusion Prevention Systems 348
    ASICS FOR FASTER PROCESSING 348
    THE ATTACK IDENTIFICATION CONFIDENCE SPECTRUM 348
  IPS Actions 349
    DROPPING PACKETS 349
    LIMITING TRAFFIC 349
6.7 Antivirus Filtering and Unified Threat Management 349
6.8 Firewall Architectures 354
  Types of Firewalls 354
    MAIN BORDER FIREWALLS 354
    SCREENING BORDER ROUTERS 354
    INTERNAL FIREWALLS 354
    HOST FIREWALLS 355
    DEFENSE IN DEPTH 355
  The Demilitarized Zone 355
    SECURITY IMPLICATIONS 356
    HOSTS IN THE DMZ 356
6.9 Firewall Management 357
  Defining Firewall Policies 357
    WHY USE POLICIES? 357
    EXAMPLES OF POLICIES 359
  Implementation 359
    FIREWALL HARDENING 359
    CENTRAL FIREWALL MANAGEMENT SYSTEMS 359
    FIREWALL POLICY DATABASE 360
    VULNERABILITY TESTING AFTER CONFIGURATION 361
    CHANGE AUTHORIZATION AND MANAGEMENT 361
    READING FIREWALL LOGS 362
  Reading Firewall Logs 363
  Log Files 363
  Sorting the Log File by Rule 363
  Echo Probes 363
  External Access to All Internal FTP Servers 365
  Attempted Access to Internal Webservers 365
  Incoming Packet with a Private IP Source Address 365
  Lack of Capacity 365
  Perspective 365
  Sizes of Log Files 366
  Logging All Packets 366
6.10 Firewall Filtering Problems 367
  The Death of the Perimeter 367
    AVOIDING THE BORDER FIREWALL 367
    EXTENDING THE PERIMETER 368
    PERSPECTIVE 368
  Attack Signatures versus Anomaly Detection 368
    ZERO-DAY ATTACKS 368
    ANOMALY DETECTION 369
    ACCURACY 369
6.11 Conclusion 369
  Thought Questions 372 • Hands-on Projects 372 • Project Thought Questions 374 • Perspective Questions 374
Chapter 7 Host Hardening 375
7.1 Introduction 375
  What Is a Host? 376
  The Elements of Host Hardening 376
  Security Baselines and Images 377
  Virtualization 377
    VIRTUALIZATION ANALOGY 379
    BENEFITS OF VIRTUALIZATION 380
  Systems Administrators 380
7.2 Important Server Operating Systems 385
  Windows Server Operating Systems 386
    THE WINDOWS SERVER USER INTERFACE 386
    START : ADMINISTRATIVE TOOLS 386
    MICROSOFT MANAGEMENT CONSOLES (MMCS) 387
  UNIX (Including Linux) Servers 388
    MANY VERSIONS 389
    LINUX 390
    UNIX USER INTERFACES 391
7.3 Vulnerabilities and Patches 392
  Vulnerabilities and Exploits 392
  Fixes 392
    WORK-AROUNDS 397
    PATCHES 397
    SERVICE PACKS 397
    VERSION UPGRADES 397
  The Mechanics of Patch Installation 398
    MICROSOFT WINDOWS SERVER 398
    LINUX RPM PROGRAM 398
  Problems with Patching 399
    THE NUMBER OF PATCHES 399
    COST OF PATCH INSTALLATION 399
    PRIORITIZING PATCHES 399
    PATCH MANAGEMENT SERVERS 399
    THE RISKS OF PATCH INSTALLATION 400
7.4 Managing Users and Groups 401
  The Importance of Groups in Security Management 401
  Creating and Managing Users and Groups in Windows 401
    THE ADMINISTRATOR ACCOUNT 401
    MANAGING ACCOUNTS 402
    CREATING USERS 402
    WINDOWS GROUPS 402
7.5 Managing Permissions 404
  Permissions 404
  Assigning Permissions in Windows 404
    DIRECTORY PERMISSIONS 404
    WINDOWS PERMISSIONS 405
    ADDING USERS AND GROUPS 405
    INHERITANCE 405
    DIRECTORY ORGANIZATION 406
  Assigning Groups and Permissions in UNIX 407
    NUMBER OF PERMISSIONS 407
    NUMBER OF ACCOUNTS OR GROUPS 408
7.6 Creating Strong Passwords 408
  Creating and Storing Passwords 409
    CREATING A PASSWORD HASH 409
    STORING PASSWORDS 409
    STEALING PASSWORDS 410
  Password-Cracking Techniques 410
    BRUTE-FORCE GUESSING 410
    DICTIONARY ATTACKS ON COMMON WORD PASSWORDS 412
    HYBRID DICTIONARY ATTACKS 413
    RAINBOW TABLES 414
    TRULY RANDOM PASSWORDS 415
    TESTING AND ENFORCING THE STRENGTH OF PASSWORDS 415
    OTHER PASSWORD THREATS 415
7.7 Testing for Vulnerabilities 416
  Windows Client PC Security 417
  Client PC Security Baselines 418
  The Windows Action Center 418
  Windows Firewall 420
  Automatic Updates 420
  Antivirus and Spyware Protection 420
  Implementing Security Policy 421
    PASSWORD POLICIES 421
    ACCOUNT POLICIES 421
    AUDIT POLICIES 422
  Protecting Notebook Computers 423
    THREATS 423
    BACKUP 423
    POLICIES FOR SENSITIVE DATA 424
    TRAINING 425
    COMPUTER RECOVERY SOFTWARE 425
  Centralized PC Security Management 425
    STANDARD CONFIGURATIONS 425
    NETWORK ACCESS CONTROL 426
    WINDOWS GROUP POLICY OBJECTS 426
7.8 Conclusion 429
  Thought Questions 430 • Hands-on Projects 430 • Project Thought Questions 432 • Perspective Questions 432
Chapter 8 Application Security 433
8.1 Application Security And Hardening 433
  Executing Commands with the Privileges of a Compromised Application 434
  Buffer Overflow Attacks 434
    BUFFERS AND OVERFLOWS 434
    STACKS 435
    RETURN ADDRESS 435
    THE BUFFER AND BUFFER OVERFLOW 435
    EXECUTING ATTACK CODE 435
    AN EXAMPLE: THE IIS IPP BUFFER OVERFLOW ATTACK 436
  Few Operating Systems, Many Applications 436
  Hardening Applications 437
    UNDERSTAND THE SERVER’S ROLE AND THREAT ENVIRONMENT 437
    THE BASICS 438
    MINIMIZE APPLICATIONS 438
    SECURITY BASELINES FOR APPLICATION MINIMIZATION 439
    CREATE A SECURE CONFIGURATION 439
    INSTALL APPLICATION PATCHES AND UPDATES 439
    MINIMIZE THE PERMISSIONS OF APPLICATIONS 440
    ADD APPLICATION-LEVEL AUTHENTICATION, AUTHORIZATIONS, AND AUDITING 440
    IMPLEMENT CRYPTOGRAPHIC SYSTEMS 440
  Securing Custom Applications 440
    NEVER TRUST USER INPUT 441
    BUFFER OVERFLOW ATTACKS 441
    LOGIN SCREEN BYPASS ATTACKS 442
    CROSS-SITE SCRIPTING ATTACKS 442
    SQL INJECTION ATTACKS 423
    AJAX MANIPULATION 423
    TRAINING IN SECURE COMPUTING 423
8.2 WWW and E-Commerce Security 446
  The Importance of WWW and E-Commerce Security 446
  WWW Service versus E-Commerce Service 446
    E-COMMERCE SERVICE 447
    EXTERNAL ACCESS 448
    CUSTOM PROGRAMS 448
  Some Webserver Attacks 449
    WEBSITE DEFACEMENT 449
    BUFFER OVERFLOW ATTACK TO LAUNCH A COMMAND SHELL 449
    DIRECTORY TRAVERSAL ATTACK 449
    THE DIRECTORY TRAVERSAL WITH HEXADECIMAL CHARACTER ESCAPES 450
    UNICODE DIRECTORY TRAVERSAL 451
  Patching the Webserver and E-Commerce Software and Its Components 451
    E-COMMERCE SOFTWARE VULNERABILITIES 451
  Other Website Protections 452
    WEBSITE VULNERABILITY ASSESSMENT TOOLS 452
    WEBSITE ERROR LOGS 452
    WEBSERVER-SPECIFIC APPLICATION PROXY FIREWALLS 453
  Controlling Deployment 453
    DEVELOPMENT SERVERS 454
    TESTING SERVERS 454
    PRODUCTION SERVERS 454
8.3 Web Browser Attacks 454
    BROWSER THREATS 454
    MOBILE CODE 454
    MALICIOUS LINKS 456
    OTHER CLIENT-SIDE ATTACKS 456
  Enhancing Browser Security 458
    PATCHING AND UPGRADING 458
    CONFIGURATION 458
    INTERNET OPTIONS 458
    SECURITY TAB 459
    PRIVACY TAB 462
8.4 E-Mail Security 463
  E-Mail Content Filtering 463
    MALICIOUS CODE IN ATTACHMENTS AND HTML BODIES 463
    SPAM 464
    INAPPROPRIATE CONTENT 465
    EXTRUSION PREVENTION 465
    PERSONALLY IDENTIFIABLE INFORMATION (PII) 465
  Where to Do E-Mail Malware and Spam Filtering 465
  E-Mail Encryption 466
    TRANSMISSION ENCRYPTION 466
    MESSAGE ENCRYPTION 466
8.5 Voice over IP Security 468
  Sending Voice between Phones 468
  Transport and Signaling 469
  SIP and H.323 470
  Registration 470
  SIP Proxy Servers 470
  PSTN Gateway 470
  VoIP Threats 471
  Eavesdropping 471
  Denial-of-Service (DoS) Attacks 471
  Caller Impersonation 472
  Hacking and Malware Attacks 472
  Toll Fraud 472
  Spam over IP Telephony (SPIT) 473
  New Threats 473
  Implementing VoIP Security 473
  Authentication 473
  Encryption for Confidentiality 473
  Firewalls 474
  NAT Problems 475
  Separation: Anticonvergence 475
  The Skype VoIP Service 475
8.6 Other User Applications 477
  Instant Messaging (IM) 477
  TCP/IP Supervisory Applications 479
8.7 Conclusion 480
  Thought Questions 481 • Hands-on Projects 481 • Project Thought Questions 483 • Perspective Questions 483
Chapter 9 Data Protection
485
9.1 Introduction 485
Data’s Role in Business 486
SONY DATA BREACHES 486
Securing Data 486
9.2 Data Protection: Backup 487
The Importance of Backup 487
Threats 487
Scope of Backup 487
FILE/DIRECTORY DATA BACKUP 488
IMAGE BACKUP 488
SHADOWING 489
Full versus Incremental Backups 491
Backup Technologies 493
LOCAL BACKUP 493
CENTRALIZED BACKUP 493
CONTINUOUS DATA PROTECTION 494
INTERNET BACKUP SERVICE 494
MESH BACKUP 494
9.3 Backup Media and RAID 495
MAGNETIC TAPE 495
CLIENT PC BACKUP 496
Disk Arrays—RAID 497
RAID Levels 497
NO RAID 497
RAID 0 498
RAID 1 499
RAID 5 500
9.4 Data Storage Policies 503
BACKUP CREATION POLICIES 504
RESTORATION POLICIES 504
MEDIA STORAGE LOCATION POLICIES 504
ENCRYPTION POLICIES 505
ACCESS CONTROL POLICIES 505
RETENTION POLICIES 505
AUDITING BACKUP POLICY COMPLIANCE 505
E-Mail Retention 506
THE BENEFIT OF RETENTION 506
THE DANGERS OF RETENTION 506
ACCIDENTAL RETENTION 506
THIRD-PARTY E-MAIL RETENTION 508
LEGAL ARCHIVING REQUIREMENTS 508
U.S. FEDERAL RULES OF CIVIL
PROCEDURE 508
MESSAGE AUTHENTICATION 509
DEVELOPING POLICIES AND PROCESSES 509
User Training 509
Spreadsheets 510
VAULT SERVER ACCESS CONTROL 510
OTHER VAULT SERVER PROTECTIONS 511
9.5 Database Security 511
Relational Databases 512
LIMITING THE VIEW OF DATA 512
Database Access Control 516
DATABASE ACCOUNTS 516
SQL INJECTION ATTACKS 516
Database Auditing 517
WHAT TO AUDIT 518
TRIGGERS 518
Database Placement and Configuration 520
CHANGE THE DEFAULT PORT 520
Data Encryption 520
KEY ESCROW 521
FILE/DIRECTORY ENCRYPTION VERSUS WHOLE-DISK ENCRYPTION 522
PROTECTING ACCESS TO THE COMPUTER 522
DIFFICULTIES IN FILE SHARING 522
9.6 Data Loss Prevention 523
Data Collection 523
PERSONALLY IDENTIFIABLE INFORMATION 523
DATA MASKING 524
Information Triangulation 526
BUY OR SELL DATA 527
Document Restrictions 528
DIGITAL RIGHTS MANAGEMENT (DRM) 528
DATA EXTRUSION MANAGEMENT 530
EXTRUSION PREVENTION 530
Data Loss Prevention Systems 530
DLP AT THE GATEWAY 530
DLP ON CLIENTS 530
DLP FOR DATA STORAGE 531
DLP MANAGER 531
WATERMARKS 531
REMOVABLE MEDIA CONTROLS 532
PERSPECTIVE 533
Employee Training 533
SOCIAL NETWORKING 533
Data Destruction 534
NOMINAL DELETION 534
BASIC FILE DELETION 535
WIPING/CLEARING 536
DESTRUCTION 536
9.7 Conclusion 537
Thought Questions 538 • Hands-on Projects 538 • Project Thought Questions 539 • Perspective Questions 539
Chapter 10 Incident and Disaster Response 541
10.1 Introduction 541
Walmart and Hurricane Katrina 541
Incidents Happen 542
Incident Severity 543
FALSE ALARMS 544
MINOR INCIDENTS 544
MAJOR INCIDENTS 545
DISASTERS 546
Speed and Accuracy 546
SPEED IS OF THE ESSENCE 546
SO IS ACCURACY 546
PLANNING 546
REHEARSAL 547
10.2 The Intrusion Response Process for Major Incidents 548
Detection, Analysis, and Escalation 548
DETECTION 548
ANALYSIS 548
ESCALATION 550
Containment 550
DISCONNECTION 550
BLACK-HOLING THE ATTACKER 550
CONTINUING TO COLLECT DATA 550
Recovery 551
REPAIR DURING CONTINUING SERVER OPERATION 551
RESTORATION FROM BACKUP TAPES 551
TOTAL SOFTWARE REINSTALLATION 551
Apology 552
Punishment 553
PUNISHING EMPLOYEES 553
THE DECISION TO PURSUE PROSECUTION 553
COLLECTING AND MANAGING EVIDENCE 553
Postmortem Evaluation 556
Organization of the CSIRT 556
Legal Considerations 557
Criminal versus Civil Law 557
Jurisdictions 558
The U.S. Federal Judicial System 559
U.S. State and Local Laws 559
International Law 561
Evidence and Computer Forensics 562
U.S. Federal Cybercrime Laws 564
Computer Hacking, Malware Attacks, Denial-of-Service Attacks, and Other Attacks (18 U.S.C. § 1030) 564
HACKING 565
DENIAL-OF-SERVICE AND MALWARE ATTACKS 565
DAMAGE THRESHOLDS 566
Confidentiality in Message Transmission 566
Other Federal Laws 566
10.3 Intrusion Detection Systems 566
Functions of an IDS 567
LOGGING (DATA COLLECTION) 567
AUTOMATED ANALYSIS BY THE IDS 568
ACTIONS 568
LOG SUMMARY REPORTS 568
SUPPORT FOR INTERACTIVE MANUAL LOG ANALYSIS 568
Distributed IDSs 569
AGENTS 569
MANAGER AND INTEGRATED LOG FILE 570
BATCH VERSUS REAL-TIME DATA TRANSFER 570
SECURE MANAGER–AGENT COMMUNICATION 570
VENDOR COMMUNICATION 570
Network IDSs 570
STAND-ALONE NIDSS 571
SWITCH AND ROUTER NIDSS 571
STRENGTHS OF NIDSS 571
WEAKNESSES OF NIDSS 571
HOST IDSS 571
ATTRACTION OF HIDSS 571
WEAKNESSES OF HOST IDSS 572
HOST IDSS: OPERATING SYSTEM MONITORS 572
Log Files 573
TIME-STAMPED EVENTS 573
INDIVIDUAL LOGS 573
INTEGRATED LOGS 573
MANUAL ANALYSIS 575
Managing IDSs 575
TUNING FOR PRECISION 576
Honeypots 577
10.4 Business Continuity Planning 581
Principles of Business Continuity Management 583
PEOPLE FIRST 583
REDUCED CAPACITY IN DECISION MAKING 583
AVOIDING RIGIDITY 583
COMMUNICATION, COMMUNICATION, COMMUNICATION 584
Business Process Analysis 584
IDENTIFICATION OF BUSINESS PROCESSES AND THEIR INTERRELATIONSHIPS 584
PRIORITIZATION OF BUSINESS PROCESSES 584
SPECIFY RESOURCE NEEDS 584
SPECIFY ACTIONS AND SEQUENCES 584
Testing and Updating the Plan 585
10.5 IT Disaster Recovery 585
Types of Backup Facilities 587
HOT SITES 587
COLD SITES 587
SITE SHARING WITH CONTINUOUS DATA PROTECTION (CDP) 587
LOCATION OF THE SITES 587
Office PCs 590
DATA BACKUP 590
NEW COMPUTERS 591
WORK ENVIRONMENT 591
Restoration of Data and Programs 591
Testing the IT Disaster Recovery Plan 591
10.6 Conclusion 591
Thought Questions 592 • Hands-on Projects 593 • Perspective Questions 594 • Project Thought Questions 594
Module A Networking Concepts 595
A.1 Introduction 595
A.2 A Sampling of Networks 596
A Simple Home Network 596
THE ACCESS ROUTER 596
PERSONAL COMPUTERS 597
UTP WIRING 597
INTERNET ACCESS LINE 597
A Building LAN 598
A Firm’s Wide Area Networks 600
The Internet 601
Applications 604
A.3 Network Protocols and Vulnerabilities 604
Inherent Security 605
Security Explicitly Designed into the Standard 605
Security in Older Versions of the Standard 605
Defective Implementation 605
A.4 Core Layers in Layered Standards Architectures 605
A.5 Standards Architectures 606
The TCP/IP Standards Architecture 607
The OSI Standards Architecture 607
The Hybrid TCP/IP–OSI Architecture 608
A.6 Single-Network Standards 608
The Data Link Layer 609
The Physical Layer 609
UTP 609
OPTICAL FIBER 609
WIRELESS TRANSMISSION 609
SWITCH SUPERVISORY FRAMES 610
A.7 Internetworking Standards 610
A.8 The Internet Protocol 611
The IP Version 4 Packet 611
The First Row 612
The Second Row 613
The Third Row 613
Options 613
The Source and Destination IP Addresses 614
Masks 614
IP Version 6 615
IPsec 616
A.9 The Transmission Control Protocol 616
TCP: A Connection-Oriented and Reliable Protocol 617
CONNECTIONLESS AND CONNECTION-ORIENTED PROTOCOLS 617
RELIABILITY 619
Flag Fields 620
Sequence Number Field 620
Acknowledgment Number Field 621
Options 622
Window Field 622
Port Numbers 622
PORT NUMBERS ON SERVERS 622
PORT NUMBERS ON CLIENTS 623
SOCKETS 623
TCP Security 624
A.10 The User Datagram Protocol 625
A.11 TCP/IP Supervisory Standards 626
Internet Control Message Protocol 626
The Domain Name System 627
Dynamic Host Configuration Protocol 629
Dynamic Routing Protocols 629
Simple Network Management Protocol 631
A.12 Application Standards 632
HTTP AND HTML 632
E-MAIL 633
TELNET, FTP, AND SSH 633
OTHER APPLICATION STANDARDS 633
A.13 Conclusion 634
Hands-on Projects 634 • Project Thought Questions 636 • Perspective Questions 636
Glossary 637
Index 655
PREFACE
The IT security industry has seen dramatic changes in the past decades. Security
breaches, data theft, cyber attacks, and information warfare are now common news
stories in the mainstream media. IT security expertise that was traditionally the
domain of a few experts in large organizations has now become a concern for almost
everyone.
These rapid changes in the IT security industry have necessitated more recent
editions of this text. Old attacks are being used in new ways, and new attacks are
becoming commonplace. We hope the changes to this new edition have captured some
of these changes in the industry.
What’s New in This Edition?
If you have used prior editions to this text, you will notice that almost all of the material
you are familiar with remains intact. New additions to the text have been driven by
requests from reviewers. More specifically, reviewers asked for a text that is more
business focused, has more hands-on projects, has more coverage of wireless and data
security, and has additional case studies.
In addition to these changes in content, we have tried to add supplements that
make the book easier to use and more engaging for students. Below is a list of the
significant changes to this edition of the text.
Business Focus—This edition has tried to have more of a business focus. Emphasis
has been placed on securing corporate information systems, rather than just hosts
in general. The concepts, principles, and terminology have remained the same.
However, the implications of each topic are more focused on the business
environment.
Hands-on Projects—Each chapter has hands-on projects that use contemporary
software. Each project relates directly to the chapter material. Students take a
screenshot to show they have completed the project.
Expanded Content—Material from prior chapters has been reorganized and
expanded to create new chapters covering Secure Networks (Chapter 4) and Data
Protection (Chapter 9). Reviewers wanted more coverage of networking and wireless security concepts, as well as more discussion of data security. These chapters
contain substantial amounts of new material in each of these areas.
Comprehensive Framework—We have included a comprehensive security framework to tie all of the chapters together. It will serve as a roadmap to guide students
through the book. Our hope is that it will increase retention of the material by
illustrating how topic areas relate to each other.
Case Studies and Focus Articles—Each chapter includes 2–4 new applied case
studies or focus articles. A wide range of topics are covered in these focus articles.
These include examples of high-profile security incidents, technical security
topics, profiles of industry professionals, security certifications, new types of
attacks, and articles by industry leaders.
Preface
The goal of these articles is to expose students to a broad range of topics that
are not covered in traditional IT security texts, but are currently being discussed
by industry professionals. We hope these articles are interesting, informative, and
encourage active class discussion.
We also included a few profiles of industry professionals to give students an
idea of the type of work they might be doing after they graduate. Students are
often interested in IT security, but are unsure about what an actual job in the
industry would look like on a daily basis. We hope these provide some insight.
Embedded PowerPoint Videos—New to this edition are embedded PowerPoint
videos. A supplemental set of 125+ PowerPoint slides contain embedded videos
linked to content hosted on YouTube®. These videos include IT security–related
current news stories, technical demonstrations, conference presentations, commentary by industry leaders, historical background, and demonstrations of new
security products.
The embedded videos relate to material in each chapter and can be copied
directly into your regular lectures. These videos can be used as “hooks” to introduce new chapters, integrated directly into lectures, or assigned as out-of-class
homework.
Updated News Articles—Each chapter contains expanded and updated IT
security news articles. Over 90 percent of the news articles in this book reference
stories that have occurred since the second edition was published.
Why Use This Book?
INTENDED AUDIENCE This book is written for a one-term introductory course in IT
security. The primary audience is upper-division BS majors in Information Systems,
Computer Science, or Computer Information Systems. This book is also intended for
graduate students in Masters of Information Systems (MSIS), Master of Business
Administration (MBA), Master of Accountancy (MAcc), or other MS programs that are
seeking a broader knowledge of IT security.
It is designed to provide students with IT security knowledge as it relates to corporate security. It will give students going into the IT security field a solid foundation.
It can also serve as a network security text.
PREREQUISITES The book can be used by students who have taken an introductory
course in information systems. However, taking a networking course before using this
book is strongly advisable. For students who have not taken a networking course,
Module A is a review of networking with a special focus on security aspects of network
concepts.
Even if networking is a prerequisite or corequisite at your school, we recommend
covering Module A. It helps refresh and reinforce networking concepts.
BALANCING TECHNICAL AND MANAGERIAL CONTENT Our students are going to
need jobs. When you ask working IT security professionals what they are looking for in
a new hire, they give similar responses. They want proactive workers who can take
initiative, learn on their own, have strong technical skills, and have a business focus.
A business focus does not mean a purely managerial focus. Companies want a
strong understanding of security management. But they also want a really solid understanding of defensive security technology. A common complaint is that students who
have taken managerial courses don’t even know how stateful packet inspection firewalls operate, or what other types of firewalls are available. “We aren’t hiring these kids
as security managers” is a common comment. This is usually followed by, “They need
to start as worker bees, and worker bees start with technology.”
Overall, we have attempted to provide a strong managerial focus along with a solid
technical understanding of security tools. Most of this book deals with the technical
aspects of protective countermeasures. But even the countermeasure chapters reflect what
students need to know to manage these technologies. You can “throttle” the amount of
technical content by using or not using the Hands-on Projects at the end of each chapter.
How Is This Book Organized?
The book starts by looking at the threat environment facing corporations today. This
gets the students’ attention levels up, and introduces terminology that will be used
throughout the rest of the book. Discussing the threat environment demonstrates the
need for the defenses mentioned in later chapters.
The rest of the book follows the good old plan–protect–respond cycle. Chapter 2 deals
with planning, and Chapter 10 deals with incident and disaster response. All of the chapters
in the middle deal with countermeasures designed to protect information systems.
The countermeasures section starts with a chapter on cryptography because
cryptographic protections are part of many other countermeasures. Subsequent
chapters introduce secure networks, access control, firewalls, host hardening, application security, and data protection. In general, the book follows the flow of data from
networks, through firewalls, and eventually to hosts to be processed and stored.
[Figure: the plan–protect–respond cycle. Plan: Planning & Policy (Chapter 2). Protect: Cryptography (Chapter 3), Secure Networks (Chapter 4), Access Control (Chapter 5), Firewalls (Chapter 6), Host Hardening (Chapter 7), Application Security (Chapter 8), Data Protection (Chapter 9). Respond: Incident Response (Chapter 10). Threat Environment (Chapter 1).]
USING THE BOOK IN CLASS Chapters in this book are designed to be covered in a
semester week. This leaves a few classes for exams, presentations, guest speakers,
hands-on activities, or material in the module. Starting each class with a demonstration
of one of the hands-on projects is a good way to get students’ attention.
It’s important for students to read each chapter before it’s covered in class. The
chapters contain technical and conceptual material that needs to be closely studied. We
recommend either giving a short reading quiz or requiring students to turn in Test Your
Understanding questions before covering each chapter.
POWERPOINT SLIDES AND STUDY FIGURES The PowerPoint lectures cover nearly
everything, as do the study figures in the book. Study figures even summarize main
points from the text. This makes the PowerPoint presentations and the figures in the
book great study aids.
TEST YOUR UNDERSTANDING QUESTIONS After each section or subsection, there
are Test Your Understanding questions. This lets students check if they really
understood what they just read. If not, they can go back and master that small chunk of
material before going on. The test item file questions are linked to particular Test Your
Understanding questions. If you cut some material out, it is easy to know what
multiple-choice questions not to use.
INTEGRATIVE THOUGHT QUESTIONS At the end of each chapter, there are integrative
Thought Questions which require students to synthesize what they have learned. They
are more general in nature, and require the application of the chapter material beyond
rote memorization.
HANDS-ON PROJECTS Students often comment that their favorite part of the course
is the Hands-on Projects. Students like the Hands-on Projects because they get to use
contemporary IT security software that relates to the chapter material. Each chapter has
at least two applied projects and subsequent Project Thought Questions.
Each project requires students to take a unique screenshot at the end of the project
as proof they completed the project. Each student’s screenshot will include a time
stamp, the student’s name, or another unique identifier.
PERSPECTIVE QUESTIONS Finally, there are two general questions that ask students
to reflect on what they have studied. These questions give students a chance to think
comprehensively about the chapter material at a higher level.
HEY! WHERE’S ALL THE ATTACK SOFTWARE? This book does not teach students how to
break into computers. There is software designed specifically to exploit vulnerabilities
and gain access to systems. This book does not cover this type of software. Rather, the
focus of the book is how to proactively defend corporate systems from attacks.
Effectively securing corporate information systems is a complicated process.
Learning how to secure corporate information systems requires the entire book. Once
students have a good understanding of how to secure corporate systems, they might be
ready to look at penetration testing software.
With ten chapters, you do have time to introduce some offense. However, if you
do teach offense, do it carefully. Attack tools are addictive, and students are rarely
satisfied using them in small labs that are carefully air-gapped from the broader school
network and the Internet. A few publicized attacks by your students can get IT security
barred from the curriculum.
Instructor Supplements
This is a hard course to teach. We have tried to build in as much teacher support as possible. Our goal was to reduce the total amount of preparation time instructors had to
spend getting ready to teach this course.
Learning new course material, monitoring current events, and managing an active
research agenda is time-consuming. We hope the instructor supplements make it easier
to teach a high-quality course with less prep time.
ONLINE INSTRUCTOR RESOURCES The Pearson Prentice-Hall website
(http://www.pearsonhighered.com) has all of the supplements discussed below. These include the
PowerPoint lectures, PowerPoint embedded videos, answer keys, test item files,
TestGen software, and the other usual suspects.
POWERPOINT LECTURES There is a PowerPoint lecture for each chapter. They aren’t
“a few selected slides.” They are full lectures with detailed figures and explanations.
And they aren’t made from figures that look pretty in the book but that are invisible on
slides. We have tried to create the PowerPoint slides to be pretty self-explanatory.
POWERPOINT EMBEDDED VIDEOS An important part of a great lecture is to start each
class with a “hook.” The hook captures students’ interest and acts as an introduction to
the rest of the lecture. We have created a set of PowerPoint slides that contain embedded videos that can act as a hook for each chapter.
There are over 125 PowerPoint slides containing embedded videos linked to
content hosted on YouTube®. These videos include current news stories, technical
demonstrations, conference presentations, commentary by industry leaders, historical background, and demonstrations of new security products. The embedded
videos relate to material in each chapter and can be copied directly into your regular
lectures.
TEST ITEM FILE The test item file for this book makes creating, or supplementing, an
exam with challenging multiple-choice questions easy. Questions in the test item file
refer directly to the Test Your Understanding questions located throughout each
chapter. This means exams will be tied directly to concepts discussed in the chapter.
TEACHERS MANUAL The Teachers Manual has suggestions on how to teach the
chapters. For instance, the book begins with threats. In the first class, you could
have students list everybody who might attack them. Then have them come up with
ways each group is likely to attack them. Along the way, the class discussion naturally can touch on chapter concepts such as the distinction between viruses and
worms.
SAMPLE SYLLABUS We have included a sample syllabus if you are teaching this
course for the first time. It can serve as a guide to structuring the course and reduce
your prep time.
E-MAIL US Please feel free to e-mail us. You can reach Randy at Randy.Boyle@utah.edu,
or Ray at Ray@Panko.com. Your Pearson Sales Representative can provide you with
support, but if you have a question, please also feel free to contact us. We’d also love
suggestions for the next edition of the book and for additional support for this edition.
Acknowledgments
We would like to thank all of the reviewers of prior editions. They have used this book for
years and know it well. Their suggestions, recommendations, and criticisms helped shape
this edition. This book really is a product of a much larger community of academics and
researchers.
We would also like to thank the industry experts who contributed to this edition.
Their expertise and perspective added a real-world perspective that can only come from
years of practical experience. Thank you to Matt Christensen, Dan McDonald at Utah
Valley University, Amber Schroader at Paraben Corp., Chris Larsen at BlueCoat Systems,
Inc., David Glod at Grant Thornton, Andrew Yenchik, Stephen Burton, and Susan Jensen at
Digital Ranch, Inc., Lisa Cradit at L-1 Identity Solutions, and Bruce Wignall at
Teleperformance Group.
Thanks go to our editor Bob Horan for his support and guidance. A good editor
can produce good books. Bob is a great editor who produces great books. And he has
done so for many years. We feel privileged to be able to work with Bob.
Special thanks go to Debbie Ryan, Kelly Loftus and the production team that
actually makes the book. Thank you George Jacob, for your detailed and exceptional
copy editing. Most readers won’t fully appreciate the hard work and dedication it takes
to transform the “raw” content provided by authors into the finished copy you’re
holding in your hands. Debbie, Kelly, George, and the Pearson production team’s
commitment and attention to detail have made this into a great book.
Lastly, and most importantly, I (Randy) would like to thank Ray. Like many of
you, I have used Ray’s books for years. Ray has a writing style that students find accessible and intuitive. Ray’s books are popular and widely adopted by instructors across
the country. His books have been the source of networking and security knowledge for
many workers currently in the industry.
I’d like to thank Ray for allowing me to contribute to this edition. I’m grateful that
Ray trusted me enough to work on one of his books. I hope this edition continues in the
legacy of great texts Ray has produced. It’s an honor to work with a generous person
like Ray.
Randy Boyle
Ray Panko
ABOUT THE AUTHORS
Randy Boyle is a professor at the David Eccles School of
Business at the University of Utah. He received his PhD
in Management Information Systems (MIS) from Florida
State University in 2003. He also has a master’s degree in
Public Administration, and a BS in Finance. His research
areas include deception detection in computer-mediated
environments, information assurance policy, the effects
of IT on cognitive biases, and the effects of IT on knowledge workers. He has received college teaching awards
at the University of Alabama in Huntsville and the
Marvin J. Ashton Teaching Excellence Award at the
University of Utah. His teaching is primarily focused on
information security, networking, and management
information systems. He is the author of Applied
Information Security: A Hands-on Guide to Information
Security Software and Applied Networking Labs.
Ray Panko is a professor of IT Management at the
University of Hawai`i’s Shidler College of Business.
His main courses are networking and security. Before
coming to the university, he was a project manager at
Stanford Research Institute (now SRI International),
where he worked for Doug Engelbart (the inventor
of the mouse). He received his BS in Physics and
his MBA from Seattle University. He received his
doctorate from Stanford University, where his dissertation was conducted under contract to the Office of
the President of the United States. He has been
awarded the Shidler College of Business’s Dennis Ching award as the outstanding
teacher among senior faculty. He is also a Shidler Fellow.
1 THE THREAT ENVIRONMENT
Chapter Outline
1.1 Introduction
1.2 Employee and Ex-Employee Threats
1.3 Malware
1.4 Hackers and Attacks
1.5 The Criminal Era
1.6 Competitor Threats
1.7 Cyberwar and Cyberterror
1.8 Conclusion
Learning Objectives:
After studying this chapter, you should be able to:
• Define the term threat environment.
• Use basic security terminology.
• Describe threats from employees and ex-employees.
• Describe threats from malware writers.
• Describe traditional external hackers and their attacks, including break-in processes, social engineering, and denial-of-service attacks.
• Know that criminals have become the dominant attackers today, describe the types of attacks they make, and discuss their methods of cooperation.
• Distinguish between cyberwar and cyberterror.
1.1 INTRODUCTION
The world today is a dangerous place for corporations. The Internet has
given firms access to billions of customers and other business partners, but it
has also given criminals access to hundreds of millions of corporations and
individuals. Criminals are able to attack websites, databases, and critical
information systems without ever entering the corporation’s host country.
Chapter 1 • The Threat Environment
Corporations have become critically dependent on information technology (IT) as
part of their overall competitive advantage. In order to protect their IT infrastructure, and
with it their profitability, from a variety of threats, corporations must have comprehensive
IT security policies, well-established procedures, hardened applications, and secure
hardware.
Basic Security Terminology
THE THREAT ENVIRONMENT
If companies are to be able to defend themselves, they need an understanding of the
threat environment—that is, the types of attackers and attacks companies face.
“Understanding the threat environment” is a fancy way of saying “Know your enemy.”
If you do not know how you may be attacked, you cannot plan to defend yourself.
This chapter will focus almost exclusively on the threat environment.
The threat environment consists of the types of attackers and attacks that companies face.
The Threat Environment
• The threat environment consists of the types of attackers and attacks that companies face
Security Goals
• Confidentiality—Confidentiality means that people cannot read sensitive information, either while it is on a computer or while it is traveling across a network
• Integrity—Integrity means that attackers cannot change or destroy information, either while it is on a computer or while it is traveling across a network. Or, at least, if information is changed or destroyed, then the receiver can detect the change or restore destroyed data
• Availability—Availability means that people who are authorized to use information are not prevented from doing so
Compromises
• Successful attacks
• Also called incidents and breaches
Countermeasures
• Tools used to thwart attacks
• Also called safeguards, protections, and controls
• Types of countermeasures: preventative, detective, corrective
FIGURE 1-1 Basic Security Terminology (Study Figure)
SECURITY GOALS
Corporations and subgroups in corporations have security goals—conditions that the
security staff wishes to achieve. Three common core goals are referred to collectively as
CIA. This is not the Central Intelligence Agency. Rather, CIA stands for confidentiality,
integrity, and availability.
• Confidentiality—Confidentiality means that people cannot read sensitive information, either while it is on a computer or while it is traveling across a network.
• Integrity—Integrity means that attackers cannot change or destroy information,
either while it is on a computer or while it is traveling across a network. Or, at
least, if information is changed or destroyed, then the receiver can detect the
change or restore destroyed data.
• Availability—Availability means that people who are authorized to use information
are not prevented from doing so. Neither a computer attack nor a network attack will
keep them away from the information they are authorized to access.
Many security specialists are unhappy with the simplistic CIA goal taxonomy because
they feel that companies have many other security goals. However, the CIA goals are a
good place to begin thinking about security goals.
COMPROMISES
When a threat succeeds in causing harm to a business, this is called an incident, breach,
or compromise. Companies try to deter incidents, of course, but they usually have to
face several breaches each year, so response to incidents is a critical skill. In terms of the
business process model, threats push the business process away from meeting one or
more of its goals.
COUNTERMEASURES
Naturally, security professionals try to stop threats. The methods they use to thwart
attacks are called countermeasures, safeguards, protections, or controls. The goal of
countermeasures is to keep business processes on track for meeting their business goals
despite the presence of threats and actual compromises.
Tools used to thwart attacks are called countermeasures, safeguards, or controls.
Countermeasures can be technical, human, or (most commonly) a mixture of the two.
Typically, countermeasures are classified into three types:
• Preventative—Preventative countermeasures keep attacks from succeeding.
Most controls are preventative controls.
• Detective—Detective countermeasures identify when a threat is attacking and
especially when it is succeeding. Fast detection can minimize damage.
• Corrective—Corrective countermeasures get the business process back on track
after a compromise. The faster the business process can get back on track, the
more likely the business process will be to meet its goals.
TEST YOUR UNDERSTANDING
1. a. Why is it important for firms to understand the threat environment?
b. Name the three common security goals.
c. Briefly explain each.
d. What is an incident?
e. What are the synonyms for incidents?
f. What are countermeasures?
g. What are the synonyms for countermeasure?
h. What are the goals of countermeasures?
i. What are the three types of countermeasures?
Case Study: The TJX Data Breach
If this terminology seems abstract, it may help to look at a specific attack to put these
terms into context and to show how complex security attacks can be. We will begin with
one of the largest losses of private customer information. This is the TJX data breach.
THE TJX COMPANIES, INC.
The TJX Companies, Inc. (TJX) is a group of over 2,500 retail stores operating in the United
States, Canada, England, Ireland, and several other countries. These companies do
business under such names as TJ Maxx and Marshalls. In its literature, TJX describes itself
as “the leading off-price retailer of apparel and home fashions in the U.S. and worldwide.”
With this type of mission statement, there is strong pressure to minimize costs.
DISCOVERY
On December 18, 2006, TJX detected “suspicious software” on its computer systems. Three
days later, TJX called in security consultants to examine the situation. On December 21, the
consultants confirmed that an intrusion had actually occurred. The next day, the company
informed law enforcement authorities in the United States and Canada. Five days later, the
security consultants determined that customer data had been stolen.
The consultants initially determined that the intrusion software had been
working for seven months when it was discovered. A few weeks later, the consultants
discovered that the company had also been breached several times in 2005. All told,
the consultants estimated that 45.7 million customer records had been stolen.1
This was by far the largest number of personal customer records stolen from any
company at that time.
The thieves did not steal these records for the thrill of breaking in or to enhance
their reputations among other hackers. They did it so that they c...