Critical Thinking: Facility Network Security: Assessment and Recommendations

Description

Critical Thinking: Facility Network Security: Assessment and Recommendations (130 points)

You are the chief information technology officer at a small outpatient health care facility in Riyadh. The medical facility employs five specialist physicians, ten certified nurses, five administrative assistants, and two technicians. There are 25 clinical rooms. Each room is equipped with a computer. In addition, five computers are used by the administrative assistants for patients’ appointments and records. All of these computers are connected using a local area network. Physicians are supplied with portable devices that they can use to write e-prescriptions. These devices are connected wirelessly to the rest of the network.

As the chief information technology officer, you are charged with the task of evaluating the security status of the facility network and developing a report to recommend the directions that should be followed in the near future.

Your report should include the following materials:

  • Existing and potential vulnerabilities and threats
  • Suggestions and discussions of methods or tools that can be used to overcome the existing and potential security threats
  • Discussion of encryption techniques that can be used for the wireless network and the selection and justification of a proper technique for this facility
  • Discussion of the prevention of cyber-attacks and the proper maintenance needed to achieve this goal.

Your well-written paper should meet the following requirements:

  • Be six to eight pages in length
  • Contain illustrative diagrams for the considered systems
  • Include at least five credible external references in addition to the textbook.
  • Include a proper introduction and conclusion.
  • Be formatted according to Saudi Electronic University and APA writing guidelines.

Attachment preview (a sample APA paper with formatting notes, followed by Chapter 8 lecture slides)

SAMPLE PAPER

Running head: IDENTIFYING THE BEST PRACTICES IN STRATEGIC

[Formatting note: The running head is required for CSU-Global APA requirements. Make sure the words “Running head:” are on the title page, but not subsequent pages. After the words “Running head:” you need the first 50 characters (this includes spaces) of your paper’s title in all caps. Do not break a word; use fewer than 50 characters if necessary. For instructions on how to set up a running head, see the “APA Guide & Resources” link on the Library’s website. Page numbers should be inserted in the top right corner.]

Identifying the Best Practices in Strategic Management
Gertrude Steinbeck
ORG 500 – Foundations of Effective Management
Colorado State University – Global Campus
Dr. Stephanie Allong
August 6, 2010

[Formatting note: Information on the title page is centered in the top half of the paper. All major words should be capitalized and not bold. Papers should be typed in a 12 pt, Times New Roman font with 1 inch margins on all 4 sides, and the entire paper is double spaced.]

Identifying the Best Practices in Strategic Management

Strategic management and corporate sustainability are two important dynamics of modern-day organizations. It is important for organizational leaders to have an understanding of the theoretical applications of strategic management as a means of addressing corporate sustainability. The purpose of this paper is to provide definitions and an understanding of strategic management and corporate sustainability. An overview of the Walgreen Company, the organization of study, is also provided in order to understand how the company has utilized strategic management to implement sustainability initiatives for long-term financial performance.

[Formatting note: Repeat the title of your paper at the beginning. This is not a header; therefore, it is not to be bold. Do not add a header at the beginning of your paper, as the first paragraph should clearly identify the objective of your paper. Each paragraph should be indented ½ inch or five spaces from the left margin.]

Strategic Management

[Formatting note: A Level 1 header should be bold, centered and all major words capitalized. All headers are to be used for CSU-Global papers, depending on the assignment. For more information on headers, see Purdue OWL http://owl.english.purdue.edu/owl/resource/560/16/]

The function of management is to plan, organize, lead, and control the operations of an organization (Robbins & Coulter, 2007) and includes strategic management. Strategic management is an approach in which organizations create a competitive advantage, enhance productivity, and establish long-term financial performance. Chandler (as cited by Whittington, 2008) defined strategy as “the determination of the basic long-term goals and objectives of an enterprise, and the adoption of courses of action and the allocation of resources necessary for carrying out these goals” (p. 268). Similarly, Wheelen and Hunger (2008) define strategic management as the managerial decisions and the actions of an organization that achieve long-run performance of the business, with benefits such as:

  • clearer sense of vision for the organization;
  • sharper focus on what is strategically important; and
  • improved understanding of a changing environment.

[Formatting note: This is an example of how to cite a quote with a narrative citation. First start the sentence with the authors’ last names (never use authors’ first names, as APA feels this could lead to a gender bias) and year (this example is of a secondary citation, where the author of the paper is using a quote within another source); then at the end of the quotation, you need to place the page (p. x) or paragraph (para. x) number of where the quote was found.]

The Strategic Management Model (SMM) provides the framework for integrating strategic planning into an organization so that the aforementioned benefits are realized.

[Formatting note: Spell out a phrase the first time in the document with the acronym in parentheses. From that point forward, the acronym can be used.]

Strategic Management Model

[Formatting note: A Level 2 header should be bold, left-justified and all major words capitalized.]

Research indicates that as the concept of strategic management evolved, many theoretical models were proposed. Ginter, Ruck, and Duncan (1985) identify eight elements of the normative strategic model: vision and mission; objective setting; external environmental scanning; internal environmental scanning; strategic alternatives; strategy selection; implementation; and control (French, 2009). Wheelen and Hunger stated that normative strategic management models are an “explicit, planned and rational approach” (as cited in Ginter et al., 1985, p. 581) to management. Similar to Ginter et al., Wheelen established the SMM (see Figure 1), which includes four main elements: environmental scanning, strategy formulation, strategy implementation, and evaluation and control.

[Formatting note: When citing 3-5 authors, list all the authors the first time and then use et al. for the following in-text citations. If you have 6 or more authors, use et al. for all the in-text citations. This is an example of authors used at the beginning of a sentence. The year must follow the author’s last name in parentheses. The authors are being used as a part of a sentence; therefore the word “and” is used and not the symbol “&.” When quoting, you must include the page number or the paragraph number of where you found the quote, and cite the source and/or page number immediately after the quotation marks even if it is in the middle of a sentence.]

Environmental scanning is the monitoring, evaluating, and extracting of information from the external and internal environments in order for the management to establish plans and make decisions. Strategy formulation includes creating long-term plans for the organization, including the mission, objectives, strategies, and policies. Strategy implementation is the process of executing policies and strategies in order to achieve the mission and objectives. Evaluation and control require monitoring the performance of the organization and adjusting the process as necessary in order to achieve desired results (Wheelen & Hunger, 2008). The SMM assumes the organizational learning theory, which states that an organization adapts to the changing environment and uses gathered knowledge to improve the fit between itself and the environment. The SMM also assumes the organization to be a learning organization in which the gathered knowledge can be used to change behavior and reflect new knowledge (Wheelen & Hunger, 2008).

[Formatting note: If you have a figure or table in your paper, it is best to cite them in the paragraph before the figure or table.]

[Figure 1: the strategic management model, four boxes left to right. Environmental Scanning (External: Opportunities, Threats, Societal Environment, Task Environment; Internal: Strengths, Weaknesses, Structure, Culture, Resources); Strategy Formulation (Mission, Objectives, Strategies, Policies); Strategy Implementation (Programs, Budgets, Procedures); Evaluation and Control (Performance).]

Figure 1. The strategic management model was adapted from Strategic management and business policy (11th ed.) by T. L. Wheelen, & J. D. Hunger, 2008, Upper Saddle River, NJ: Pearson Prentice Hall.

[Formatting note: When using a figure in your paper, make sure there is no title above the figure. Underneath the figure you must have the word “Figure” italicized and the figure number, followed by a period. Then mention where the information was adapted from, or general information about the figure. Follow the example above. Notice it does not follow the reference citation format.]

Corporate sustainability.

[Formatting note: A Level 3 header should be an indented, boldface, lowercase heading with a period.]

In addition to enhancing financial performance through strategic management, organizational leaders have the responsibility of increasing shareholder value through corporate sustainability (Epstein, 2008). Corporate sustainability is defined in a variety of ways. Hollingworth (2009) described a sustainable organization as “one that strives for and achieves 360-organizational sustainability” (p. 1). He claimed an organization is sustainable when it can endure, or maintain, over a long term without permanently damaging or depleting resources, including: the organization itself; its human resources (internal and external); the community/society/ethno-sphere; and the planet’s environment. He then claimed that if one of the four resources is not sustainable, issues with the remaining resources will eventually develop (Hollingworth, 2009). Brundtland (as cited by Epstein, 2008) described sustainability as the economic development that addresses the needs of the present generation without depleting resources needed by future generations. Epstein adds to the definition from a business perspective by including corporate social responsibility. He stated that organizations have a responsibility to stakeholders to improve management practices in order to add value by addressing corporate social, environmental, and economic impacts (Epstein, 2008). Organizational leaders are the strategic decision makers of a company and have a responsibility to stakeholders (Wheelen & Hunger, 2008). Therefore, it is important to have an understanding of why corporate sustainability is important, and how the nine principles of sustainability performance guide strategic management.

Importance of Corporate Sustainability

In addition to making a profit, organizations have a responsibility to society, which includes addressing its economic, social, and environmental impacts, otherwise known as social responsibility. Friedman and Carroll had two opposing views of corporate social responsibility. Friedman argued that the sole responsibility of business was to use resources and activities that enhanced profits (Wheelen & Hunger, 2008). Carroll (1979) argued that social responsibility included much more than that of making a profit; he proposed businesses must include the economic, legal, ethical, and discretionary categories of business performance.

  • Economic responsibilities include producing goods and services to meet the needs/wants of society in order to make a profit;
  • legal responsibilities are the laws and regulations the company is expected to abide by;
  • ethical responsibilities are included in the previous two statements, but also include the norms and beliefs held by society; and
  • discretionary responsibilities are other responsibilities taken on by the organization, including voluntary activities and philanthropic contributions (Carroll, 1979).

[Formatting note: “Friedman argued…” is another example of an author used at the beginning of a sentence, a “narrative citation.” The year must follow the author’s last name. “(Wheelen & Hunger, 2008)” is an example of the authors used at the end of a sentence. It includes the authors’ last names and the year. If there was a quotation, a page or paragraph number would also be included. Notice that the period is at the end of the parentheses. This is considered a “parenthetical citation.”]

The importance of corporate sustainability, therefore, is that an organization is responsible for financial performance, but it also has additional responsibilities to stakeholders and society in general.

The Nine Principles of Sustainability Performance

The nine principles (see Table 1), as presented by Epstein and Roy (2003), further define sustainability, are measurable, and can easily be incorporated into strategic management (Epstein, 2008). These principles include ethics, governance, transparency, business relationships, financial return, community involvement, value of products and services, employment practices and protection of the environment.

[Formatting note: A table or figure should fit all on one page even if there is a gap left in your paper. It is easier for the reader to view the table or figure when presented as a whole instead of split on two pages.]

Table 1
The Nine Principles of Sustainability Performance

  1. Ethics: The company establishes, promotes, monitors and maintains ethical standards and practices in dealing with all of the company stakeholders.
  2. Governance: The company manages all of its resources conscientiously and effectively, recognizing the fiduciary duty of corporate boards and managers to focus on the interests of all company stakeholders.
  3. Transparency: The company provides timely disclosure of information about its products, services and activities, thus permitting stakeholders to make informed decisions.
  4. Business relationships: The company engages in fair-trading practices with suppliers, distributors and partners.
  5. Financial return: The company compensates providers of capital with a competitive return on investment and the protection of company assets.
  6. Community involvement/economic development: The company fosters a mutually beneficial relationship between the corporation and community in which it is sensitive to the culture, context and needs of the community.
  7. Value of products and services: The company respects the needs, desires and rights of its customers and strives to provide the highest levels of product and service values.
  8. Employment practices: The company engages in human-resource management practices that promote personal and professional employee development, diversity and empowerment.
  9. Protection of the environment: The company strives to protect and restore the environment and promote sustainable development with products, processes, services and other activities.

Note. There should be a general note about the table here. Adapted from “Improving sustainability performance: Specifying, implementing and measuring key principles” by M. Epstein, & M. Roy, 2003, Journal of General Management, 29(1), pp. 15-31.

[Formatting note: When using a table in your paper, make sure the word “Table” with the table number is in your paper. Then insert the title of the table in italics, with all major words capitalized. Underneath the table you must have the word “Note” italicized, followed by a period. Then mention where the information was adapted from, or general information about the table. Follow the example above. Notice it does not follow the reference citation format.]

Walgreens Company

Walgreens Company is a retail drugstore that is in the primary business of prescription and non-prescription drugs, and general merchandise including beauty care, personal care, household items, photofinishing, greeting cards, and seasonal items (Reuters, 2010). More recently, the organization diversified its offerings through worksite healthcare facilities, home care facilities, specialty pharmacies, and mail service pharmacies (Walgreens Company, 2010). Walgreen Company established a strong organizational culture focusing on consumer and employee satisfaction. The mission of Walgreens is:

    We will provide the most convenient access to consumer goods and services . . . and pharmacy, health and wellness services . . . in America. We will earn the trust of our customers and build shareholder value. We will treat each other with respect and dignity and do the same for all we serve. We will offer employees of all backgrounds a place to build a career. (“Mission Statement,” 2010, para. 1)

[Formatting note: If a quotation is longer than 40 words, it must be in a block format. The block format is indented ½ inch (or 5 spaces) from the left margin. Do not use quotation marks for this quote.]

Walgreens was established in 1901 by pharmacist Charles R. Walgreen Sr. (“Our Past,” 2010). Prior to establishing the company, Mr. Walgreen struggled with the direction the pharmacy industry was headed; the lack of quality customer service care for people concerned him. Today, Walgreens is the largest drugstore chain in the United States, employing over 238,000 people. Sales in 2009 exceeded $63 billion, of which 65% of sales were from prescription drugs. The organization has expanded into all 50 states, as well as the District of Columbia and Puerto Rico, for a total of 7,496 stores and 350 Take Care clinics (Walgreens Company, 2010).

[Formatting note: If you are using information from multiple web pages from one website, it is better to use the title of the web page to replace the author. For in-text citations, put quotation marks around the first couple of words of the title of the web page. All major words are capitalized in the in-text citation.]

Conclusion

[Formatting note: The conclusion is a Level 1 header.]

Strategic management and corporate sustainability are two important practices in today’s competitive global environment. In order to implement strategic management effectively in light of corporate sustainability, leaders must have an understanding of such concepts. This paper has provided a background and understanding of strategic management and corporate sustainability. An overview and history of Walgreen Company was also presented in order to identify best practices in strategic management that enhance corporate sustainability.

References

[Formatting note: List sources in alphabetical order. The word “References” should be capitalized and centered, but not bold. When a reference citation does not fit on one line, the subsequent lines are indented ½ inch or 5 spaces to the right; this is considered a “hanging indent.” Use a doi number if available. If you are using information from multiple web pages from one website, it is better to use the title of the web page to replace the corporate author. Make sure that the links are not live (you should not be able to click on them to go to the website); if they are live, in Word right click and then click on “Remove Hyperlink.” After a URL or doi, do not insert a period. In the reference citation only the first word, the first word after a colon and proper nouns are capitalized, unlike the in-text citation.]

Carroll, A. B. (1979). A three-dimensional conceptual model of corporate performance. The Academy of Management Review, 4(4), 497.
Collins, J. (2001). Good to great. New York, NY: HarperCollins Publishers Inc.
Epstein, M. J. (2008). Making sustainability work. San Francisco, CA: Greenleaf Publishing Limited.
Epstein, M., & Roy, M. (2003). Improving sustainability performance: Specifying, implementing and measuring key principles. Journal of General Management, 29(1), 15-31.
French, S. (2009). Critiquing the language of strategic management. The Journal of Management Development, 28(1), 6-17. doi: 10.1108/02621710910923836
Ginter, P., Ruck, A., & Duncan, W. (1985). Planners’ perceptions of the strategic management process. Journal of Management Studies, 22(6), 581-596.
Hollingworth, M. (2009, November/December). Building 360 organizational sustainability. Ivey Business Journal, 73(6), 2.
Mission statement. (2010). Retrieved from http://news.walgreens.com/article_display.cfm?article_id=1042
Our past. (2010). Retrieved from http://www.walgreens.com/marketing/about/history/default.html
Reuters. (2010). Walgreen Co. Retrieved from http://www.reuters.com/finance/stocks/companyProfile?symbol=WAG.N
Robbins, S. P., & Coulter, M. (2007). Management (9th ed.). Upper Saddle River, NJ: Pearson Prentice Hall.
Walgreens Company. (2010). 2009 annual report. Retrieved from https://materials.proxyvote.com/Approved/931422/20091116/AR_48630/images/Walgreens-AR2009.pdf (example of a website citation)
Wheelen, T. L., & Hunger, J. D. (2008). Strategic management and business policy (11th ed.). Upper Saddle River, NJ: Pearson Prentice Hall. (example of a book citation)
Whittington, R. (2008). Alfred Chandler, founder of strategy: Lost tradition and renewed inspiration. Business History Review, 82(2), 267-277. (example of a journal article citation)

Chapter 8
Copyright © 2015 Pearson Education, Inc.

  • Explain why attackers increasingly focus on applications.
  • List the main steps in securing applications.
  • Know how to secure WWW services and e-commerce services.
  • Describe vulnerabilities in web browsers.
  • Explain the process of securing e-mail.
  • Explain how to secure voice over IP (VoIP).
  • Describe threats from Skype VoIP service.
  • Describe how to secure other user applications.
  • Know how to secure TCP/IP supervisory applications.

  • Some attacks inevitably get through network protections and reach individual hosts
  • In Chapter 7, we looked at host hardening
  • In Chapter 8, we look at application hardening
  • In Chapter 9, we will look at data protection
8.1 Application Security and Hardening
8.2 WWW and E-Commerce Security
8.3 Web Browser Attacks
8.4 E-Mail Security
8.5 Voice over IP (VoIP) Security
8.6 Other User Applications

8.1 Application Security and Hardening

  • Executing Commands with the Privileges of a Compromised Application
    ◦ If an attacker takes over an application, the attacker can execute commands with the privileges of that application
    ◦ Many applications run with super user (root) privileges
  • Buffer Overflow Attacks
    ◦ Vulnerabilities, exploits, fixes (e.g., patches, manual work-arounds or upgrades) (Chapter 7)
    ◦ Buffers are places where data is stored temporarily
    ◦ If an attacker sends too much data, a buffer might overflow, overwriting an adjacent section of RAM
  • Few Operating Systems but Many Applications
    ◦ Application hardening is more total work than operating system hardening
  • Understanding the Server’s Role and Threat Environment
    ◦ If it runs only one or a few services, it is easy to disallow irrelevant things
  • Basics
    ◦ Physical security
    ◦ Backup
    ◦ Harden the operating system
    ◦ Etc.
  • Minimize Applications
    ◦ Main applications
    ◦ Subsidiary applications
    ◦ Guided by security baselines
  • Create Secure Application Program Configurations
    ◦ Use baselines to go beyond default installation configurations for high-value targets
    ◦ Avoid blank passwords or well-known default passwords
  • Install Patches for All Applications
  • Minimize the Permissions of Applications
    ◦ If an attack compromises an application with low permissions, it will not own the computer
  • Add Application Layer Authentication, Authorizations, and Auditing
    ◦ More specific to the needs of the application than general operating system logins
    ◦ Can lead to different permissions for different users
  • Implement Cryptographic Systems
    ◦ For communication with users
  • Custom Applications
    ◦ Written by a firm’s programmers
    ◦ Not likely to be well-trained in secure coding
  • The Key Principle
    ◦ Never trust user input
    ◦ Filter user input for inappropriate content
  • Buffer Overflow Attacks
    ◦ In some languages, specific actions are needed
    ◦ In other languages, not a major problem
  • Login Screen Bypass Attacks
    ◦ Website user gets to a login screen
    ◦ Instead of logging in, enters a URL for a page that should only be accessible to authorized users
  • Cross-Site Scripting (XSS) Attacks
    ◦ One user’s input can go to another user’s webpage
    ◦ Usually caused if a website sends back information sent to it without checking for data type, scripts, etc.
    ◦ Example: If you type your username, it may include something like “Hello username” in the webpage it sends you
  • Example
    ◦ Attacker sends the intended victim an e-mail message with a link to a legitimate website
    ◦ However, the link includes a script that is not visible in the browser window because it is beyond the end of the window
    ◦ The intended victim clicks on the link and is taken to the legitimate webpage
    ◦ The URL’s script is sent to the webserver with the HTTP GET command to retrieve the legitimate webpage
  • Example (continued)
    ◦ The webserver sends back a webpage including the script
    ◦ The script is invisible to the user (browsers do not display scripts)
    ◦ The script executes
    ◦ The script may exploit a vulnerability in the browser or another part of the user’s software
  • SQL Injection Attacks
    ◦ For database access
    ◦ Programmer expects an input value—a text string, number, etc.
      ▪ May use it as part of an SQL query or operation against the database
      ▪ May accept a last name as input and return the person’s telephone number
  • SQL Injection Attacks
    ◦ Attacker enters an unexpected string
      ▪ Example: A last name followed by a full SQL query string
      ▪ The program may execute both the telephone number lookup command and the extra SQL query
      ▪ This may look up information that should not be available to the attacker
      ▪ It may even delete an entire table
  • Must Require Strong Secure Programming Training
    ◦ General principles
    ◦ Programming-language-specific information
    ◦ Application-specific threats and countermeasures

8.2 WWW and E-Commerce Security

  • Importance of WWW Service and E-Commerce Security
    ◦ Cost of disruptions, harm to reputation, and market capitalization
    ◦ Customer fraud
    ◦ Exposure of sensitive private information
  • Webservice versus E-Commerce Service
    ◦ WWW service provides basic user interactions
      ▪ Microsoft Internet Information Server (IIS), Apache on UNIX, other webserver programs
    ◦ E-commerce servers add functionality—order entry, shopping cart, payment, etc.
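Returning to the "never trust user input" slides in 8.1 above, the following is an added example (not code from the slide deck or the textbook) that puts the two reflection problems they describe side by side in Python: a last-name lookup that splices the input into SQL text next to its parameterised form, and a "Hello username" greeting that echoes input into HTML next to its encoded form. The phonebook table and its names and numbers are constructed sample data, not values from the page.

```python
import html
import sqlite3

# Constructed sample data for the "last name -> telephone number" lookup the
# slides describe; the names and numbers are not from the page.
SAMPLE_ROWS = [
    ("Smith", "555-0101"),
    ("Jones", "555-0102"),
]


def make_db():
    """Create an in-memory SQLite phonebook holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonebook (last_name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO phonebook VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_phone_unsafe(conn, last_name):
    """Vulnerable: the input is spliced into the SQL text, so quote characters
    and keywords inside it change the statement (the slides' unexpected string)."""
    query = f"SELECT phone FROM phonebook WHERE last_name = '{last_name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_phone_safe(conn, last_name):
    """Hardened: a parameterised query. The value travels separately from the
    statement, so it is only ever compared as data, never parsed as SQL."""
    query = "SELECT phone FROM phonebook WHERE last_name = ?"
    return [row[0] for row in conn.execute(query, (last_name,))]


def greeting_unsafe(username):
    """Vulnerable: the username is echoed into the page verbatim, so any markup
    in it is rendered by the browser (the "Hello username" reflection on the slides)."""
    return f"<p>Hello {username}</p>"


def greeting_safe(username):
    """Hardened: HTML-encode the value before it enters the document, so the
    browser displays the characters instead of interpreting them as tags."""
    return f"<p>Hello {html.escape(username, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    # Ordinary input behaves identically in both versions ...
    print(lookup_phone_unsafe(db, "Smith"), lookup_phone_safe(db, "Smith"))
    # ... but a last name carrying SQL syntax makes the unsafe version return
    # every row, while the safe version simply finds no such name.
    crafted = "x' OR '1'='1"
    print(lookup_phone_unsafe(db, crafted), lookup_phone_safe(db, crafted))
    print(greeting_unsafe("<b>bob</b>"))
    print(greeting_safe("<b>bob</b>"))
```

Python's sqlite3 driver refuses to run more than one statement per execute() call, so the "appended second query" form the slides mention is rejected by this particular driver and the example uses a boolean condition instead; other drivers and databases behave differently, and in every case the fix is the same: keep the input out of the statement text with a parameterised query, and encode it on the way back out into HTML.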
      ▪ Links to internal corporate databases and external services, such as credit card checking
      ▪ Custom programs written for special purposes
  • Website Defacement
  • Numerous IIS buffer overflow attacks
    ◦ Many of which take over the computer
  • IIS directory traversal attacks

[Figure 8-11, directory traversal: the true system root holds etc/passwd and the WWW root; the WWW root holds Reports/Quarterly.html, Public and TechReports/microslo.doc. Users should only be able to reach files below the WWW root, which is below the true system root. The URL /Reports/Quarterly.html stays inside the WWW root. In URLs, .. means move up one level; if allowed, the URL /../etc/passwd takes the user outside the WWW root box, into other directories.]

  • IIS directory traversal attacks (Figure 8-11)
    ◦ Companies filter out “..”
    ◦ Attackers respond with hexadecimal and UNICODE representations for “..”
    ◦ Typical of the constant “arms race” between attackers and defenders
  • Patching the WWW and E-Commerce Software and Their Components
    ◦ Patching the webserver software is not enough
    ◦ Must also patch e-commerce software
    ◦ E-commerce software might use third-party component software that must be patched
  • Other Website Protections
    ◦ Website vulnerability assessment tools, such as Whisker
    ◦ Reading website error logs
    ◦ Placing a webserver-specific application proxy server in front of the webserver

[Figure: webserver error log. An internal employee (10.10.10.10) may be blindly searching for confidential directories (bolded in the figure) on an internal webserver (10.0.0.1).]
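The traversal slides above describe the defender's first reflex (filter the literal string "..") and why it loses the arms race to hexadecimal and Unicode encodings. The check below is an added example, not the slide deck's or any server's own code, of the approach that does not depend on spotting "..": fully percent-decode the request path (repeating, so double encoding is unwrapped too), reject malformed UTF-8 such as overlong encodings, normalise separators, and then resolve the result against the WWW root and refuse anything that lands outside it. The root /var/www and the file names used in the demonstration are assumptions chosen to mirror Figure 8-11, not paths from the page.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the example; not a path taken from the slides.
WWW_ROOT = "/var/www"


def fully_decode(url_path, max_rounds=5):
    """Percent-decode until the text stops changing.

    One pass turns %2e%2e into '..'; a second pass is needed for the
    double-encoded %252e%252e. The round limit keeps pathological input
    from looping and reports it as an error instead of accepting it.
    """
    current = url_path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    raise ValueError("URL path is percent-encoded too many times")


def resolve_under_root(url_path, root=WWW_ROOT):
    """Map a request path onto the filesystem, or return None if it escapes root.

    The containment test runs on the fully decoded, normalised path, so the
    literal-'..' filter the slides mention is not what the decision rests on.
    """
    decoded = fully_decode(url_path)
    # Overlong or otherwise invalid UTF-8 decodes to U+FFFD; a NUL byte would
    # truncate the path in a C runtime. Reject both rather than guess.
    if "\ufffd" in decoded or "\x00" in decoded:
        return None
    # IIS accepts backslash as a separator, so normalise it before checking.
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(root)
    # Join first, then collapse '.', '..' and repeated slashes, so that a
    # leading '..' is resolved against the root rather than silently dropped.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # The result must be the root itself or lie strictly beneath it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths modelled on Figure 8-11 and the encoding slide.
    for path in (
        "/Reports/Quarterly.html",        # legitimate file under the WWW root
        "/../etc/passwd",                 # plain traversal
        "/%2e%2e/etc/passwd",             # hexadecimal encoding of '..'
        "/%252e%252e/etc/passwd",         # double encoding
        "/Reports/..%5c..%5cetc/passwd",  # encoded backslashes
        "/%c0%ae%c0%ae/etc/passwd",       # overlong UTF-8 for '.'
    ):
        print(f"{path!r:34} -> {resolve_under_root(path)}")
```

A legitimate use of ".." that stays inside the root (for example /Reports/../Public/x.doc) is still served, which is the behaviour a naive "reject any .." filter breaks; the decision is made on where the path ends up, not on what characters it contains. Logging the rejected requests is also what makes the "reading website error logs" item on the slides useful in practice.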
8.3 Web Browser Attacks

  • PCs Are Major Targets
    ◦ Have interesting information and can be attacked through the browser
  • Client-Side Scripting (Mobile Code)
    ◦ Java applets: small Java programs
      ▪ Usually run in a “sandbox” that limits their access to most of the system
    ◦ Active-X from Microsoft; highly dangerous because it can do almost everything
  • Client-Side Scripting (Mobile Code)
    ◦ Scripting languages (not full programming languages)
      ▪ A script is a series of commands in a scripting language
      ▪ JavaScript (not a scripted form of Java)
      ▪ VBScript (Visual Basic scripting from Microsoft)
      ▪ A script usually is invisible to users
  • Malicious Links (“You like beef? Click here.”)
    ◦ User usually must click on them to execute (but not always)
    ◦ Tricking users to visit attacker websites
      ▪ Social engineering to persuade the victim to click on a link
      ▪ Uses domain names that are common misspellings of popular domain names, e.g., http://www.micosoft.com
  • Other Client-Side Attacks
    ◦ File reading: turns the computer into an unintended file server
    ◦ Executing a single command
      ▪ The single command may open a command shell on the user’s computer
      ▪ The attacker can now enter many commands (C:>)
  • Other Client-Side Attacks
    ◦ Automatic redirection to an unwanted webpage
    ◦ On compromised systems, the user may be automatically directed to a specific malicious website if they later make any typing error
 Other Client-Side Attacks
◦ Cookies
 Cookies are placed on the user’s computer; can be retrieved by the website
 Can be used to track users at a website
 Can contain private information
 Accepting cookies is necessary to use many websites
 Enhancing Browser Security
◦ Patches and updates
◦ Set strong security configuration options for Microsoft Internet Explorer
◦ Set strong privacy configuration options for Microsoft Internet Explorer
8.4 E-Mail Security
 Content Filtering
◦ Malicious code in attachments and HTML bodies (scripts)
◦ Spam: unsolicited commercial e-mail
◦ Volume is growing rapidly; slowing PCs and annoying users (pornography and fraud)
◦ Filtering for spam also rejects some legitimate messages
 Inappropriate Content
◦ Companies often filter for sexually or racially harassing messages
◦ Could be sued for not doing so
 Extrusion Prevention for Intellectual Property (IP)
 Stopping the Transmission of Sensitive Personally Identifiable Information (PII)
 Employee training
◦ E-mail is not private; the company has the right to read it
◦ Your messages may be forwarded without permission
◦ Never put anything in a message the sender would not want to see in court, printed in the newspapers, or read by his or her boss
◦ Never forward messages without permission
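The content-filtering slide lists extrusion prevention and stopping the transmission of PII among the filter's jobs, and notes that filtering also rejects legitimate messages. Added example (not from the slides or the textbook): an outbound-mail check that looks for payment card numbers and uses the Luhn check digit so that other 13 to 19 digit strings, such as tracking or invoice numbers, are not blocked. The two messages are constructed; 4111 1111 1111 1111 is a widely published test number, not a real account.

```python
import re
from typing import List

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit string.
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return masked card numbers found in text (all but the last four digits hidden)."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def outbound_policy(message: str) -> str:
    """Decision an extrusion filter would log for one outbound message."""
    hits = find_card_numbers(message)
    if hits:
        return "BLOCK: card number(s) " + ", ".join(hits)
    return "ALLOW"


# Constructed sample messages (not real data)
MSG_TRACKING = "Your parcel tracking number is 1234 5678 9012 3456 (ref INV-2024-000123)."
MSG_CARD = "Please charge card 4111 1111 1111 1111 for the remaining balance."

if __name__ == "__main__":
    for msg in (MSG_TRACKING, MSG_CARD):
        print(outbound_policy(msg), "<-", msg)
```

The 16-digit tracking number fails the Luhn test and passes through, while the card number is blocked and logged in masked form so that the filter's own log does not become a second copy of the sensitive data.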
8.5 Voice over IP (VoIP) Security
Concept / Meaning
Transport: the carriage of voice between the two parties
Signaling: communication to manage the network (call setup, call teardown, accounting, etc.)
 Eavesdropping
 Denial-of-Service Attacks
◦ Even small increases in latency and jitter can be highly disruptive
 Caller Impersonation
◦ Useful in social engineering
◦ Attacker can appear to be the president based on a falsified source address
 Hacking and Malware Attacks
◦ Compromised clients can send attacks
◦ Compromised servers can send disruptive signaling
 Toll Fraud
◦ Attacker uses the corporate VoIP network to place free calls
 Spam over IP Telephony (SPIT)
◦ Especially disruptive because it interrupts the called party in real time
 Basic Corporate Security Must Be Strong
 Authentication
◦ SIP Identity (RFC 4474) provides strong authentication assurance between second-level domains
 Encryption for Confidentiality
◦ Can add to latency
 Firewalls
◦ Many short packets
◦ Firewall must prioritize VoIP traffic
◦ Must handle ports for signaling
 SIP uses Port 5060
 H.323 uses Ports 1719 and 1720
 Must create an exception for each conversation, which is assigned a specific port
 Must close the transport port immediately after the conversation ends
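Added example (not from the slides or the textbook) of the firewall behaviour the last bullets describe: signaling to UDP port 5060 is always allowed, but media ports are opened only after the firewall has read the port each side advertised in the SDP body of the INVITE and the 200 OK, and they are closed the moment the BYE for that Call-ID passes. The SIP messages are constructed and stripped down to the headers the model needs, the addresses are private test addresses, and the firewall itself is a simplified model rather than a product's implementation.

```python
import re
from typing import Dict, Set, Tuple

SIP_PORT = 5060  # SIP signaling port named on the slide


class VoipFirewall:
    """Simplified stateful firewall: per-call media pinholes keyed by SIP Call-ID."""

    def __init__(self) -> None:
        self.pinholes: Dict[str, Set[Tuple[str, int]]] = {}

    def inspect_sip(self, message: str) -> None:
        """Learn media endpoints from INVITE/200 OK bodies; drop them on BYE."""
        text = message.replace("\r\n", "\n")
        head, _, body = text.partition("\n\n")
        request_line = head.split("\n", 1)[0]
        m = re.search(r"^Call-ID:\s*(\S+)", head, re.M | re.I)
        if not m:
            return
        call_id = m.group(1)
        if request_line.startswith("BYE "):
            self.pinholes.pop(call_id, None)  # close media ports immediately
            return
        ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        port = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
        if ip and port:
            rtp = int(port.group(1))
            endpoints = self.pinholes.setdefault(call_id, set())
            endpoints.add((ip.group(1), rtp))
            endpoints.add((ip.group(1), rtp + 1))  # RTCP conventionally uses the next port

    def allows(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if proto != "udp":
            return False
        if dst_port == SIP_PORT:
            return True
        return any((dst_ip, dst_port) in eps for eps in self.pinholes.values())


# Constructed, simplified SIP messages for one call (not captured traffic)
INVITE = ("INVITE sip:bob@10.0.0.20 SIP/2.0\r\nCall-ID: call-1@10.0.0.10\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 10.0.0.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: call-1@10.0.0.10\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 10.0.0.20\r\nm=audio 36000 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@10.0.0.20 SIP/2.0\r\nCall-ID: call-1@10.0.0.10\r\n\r\n"


def call_scenario() -> Dict[str, bool]:
    """Walk one call through the firewall and record each filtering decision."""
    fw = VoipFirewall()
    out = {"media_before_call": fw.allows("udp", "10.0.0.20", 36000)}
    fw.inspect_sip(INVITE)
    fw.inspect_sip(OK_200)
    out["caller_rtp_during"] = fw.allows("udp", "10.0.0.10", 49170)
    out["callee_rtp_during"] = fw.allows("udp", "10.0.0.20", 36000)
    out["callee_rtcp_during"] = fw.allows("udp", "10.0.0.20", 36001)
    out["unrelated_port_during"] = fw.allows("udp", "10.0.0.20", 36002)
    fw.inspect_sip(BYE)
    out["media_after_bye"] = fw.allows("udp", "10.0.0.20", 36000)
    out["signaling_always"] = fw.allows("udp", "10.0.0.20", SIP_PORT)
    return out


if __name__ == "__main__":
    for name, decision in call_scenario().items():
        print(f"{name:24} {'allow' if decision else 'drop'}")
```

The point to take from the scenario is the shape of the rule set: the only standing exception is the signaling port, every media port is tied to a live Call-ID, and teardown removes the exception rather than leaving it to age out.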
 NAT Problems
◦ NAT firewall must handle VoIP NAT traversal
◦ NAT adds a small amount of latency
 Separation: Anticonvergence
◦ The convergence goal for data and voice
◦ Virtual LANs (VLANs)
 Separate voice and data traffic on different VLANs
 Separate VoIP servers from VoIP phones on different VLANs
 Widely Used, Public VoIP Service
 Uses Proprietary Protocols and Code
◦ Vulnerabilities? Backdoors? Etc.
◦ Firewalls have a difficult time even recognizing Skype traffic
 Encryption for Confidentiality
◦ Skype reportedly uses strong security
◦ However, Skype keeps the encryption keys, allowing it to eavesdrop
 Inadequate Authentication
◦ Uncontrolled user registration; can use someone else’s name and appear to be them
 Peer-to-Peer (P2P) Service
◦ Uses this architecture and its proprietary and rapidly changing protocol to get through corporate firewalls
◦ Bad for corporate security control
 Skype File Sharing
◦ Does not work with antivirus programs
8.6 Other User Applications
Presence servers merely tell the clients that others exist and what their IP addresses are.
All transmissions go through relay servers when relay servers are used.
 TCP/IP Supervisory Protocols
◦ Many supervisory protocols in TCP/IP
 ARP, ICMP, DNS, DHCP, LDAP, RIP, OSPF, BGP, SNMP, etc.
◦ The targets of many attacks
◦ The IETF has a program to improve security in all (the Danvers Doctrine)
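Of the supervisory protocols just listed, SNMP shows most plainly why they are attack targets and what the later protocol versions fix. Added example (not from the slides or the textbook), a simplified model rather than the real SNMP wire format: a v1/v2c-style message carries its community string in the clear, so anyone who reads one packet holds the credential; a v3-style message instead carries an HMAC computed with a pair-shared secret over the PDU and the agent's engine boots/time, which gives message integrity and, with the 150-second freshness window that SNMPv3's User-based Security Model uses, replay protection. The agent also refuses SET unless it has been explicitly enabled. Secrets, times and the JSON framing are constructed; the OID is the standard sysName object.

```python
import hashlib
import hmac
import json
from typing import Dict

TIME_WINDOW = 150  # seconds; SNMPv3 USM treats messages outside this window as not timely


def v2c_message(community: str, pdu: Dict) -> bytes:
    """v1/v2c style: the community string travels unencrypted beside the PDU."""
    return json.dumps({"version": "2c", "community": community, "pdu": pdu}).encode()


def community_seen_on_wire(packet: bytes) -> str:
    """What a passive listener learns from a single captured v2c packet."""
    return json.loads(packet)["community"]


def _canonical(body: Dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def v3_message(secret: bytes, engine_boots: int, engine_time: int, pdu: Dict) -> Dict:
    """v3 style: no secret on the wire, only an HMAC over the time-stamped body."""
    body = {"version": "3", "boots": engine_boots, "time": engine_time, "pdu": pdu}
    body["auth"] = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
    return body


class V3Agent:
    """Managed device that checks integrity, timeliness and the SET policy."""

    def __init__(self, secret: bytes, engine_boots: int, allow_set: bool = False) -> None:
        self.secret = secret
        self.engine_boots = engine_boots
        self.allow_set = allow_set

    def accept(self, msg: Dict, now: int) -> str:
        body = {k: v for k, v in msg.items() if k != "auth"}
        expected = hmac.new(self.secret, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("auth", ""))):
            return "rejected: authentication failed"
        if msg.get("boots") != self.engine_boots or abs(int(msg.get("time", 0)) - now) > TIME_WINDOW:
            return "rejected: outside time window (possible replay)"
        if msg["pdu"].get("op") == "SET" and not self.allow_set:
            return "rejected: SET disabled on this agent"
        return "accepted"


SYSNAME = "1.3.6.1.2.1.1.5.0"          # standard sysName OID
SECRET = b"constructed-pair-shared-secret"


def scenario() -> Dict[str, str]:
    """Contrast a captured v2c credential with v3-style checks on one agent."""
    agent = V3Agent(SECRET, engine_boots=3)
    get = v3_message(SECRET, 3, 1000, {"op": "GET", "oid": SYSNAME})
    tampered = dict(get)
    tampered["pdu"] = {"op": "SET", "oid": SYSNAME, "value": "renamed"}
    set_req = v3_message(SECRET, 3, 1000, {"op": "SET", "oid": SYSNAME, "value": "renamed"})
    return {
        "v2c_credential_on_wire": community_seen_on_wire(v2c_message("public", {"op": "GET", "oid": SYSNAME})),
        "fresh_get": agent.accept(get, 1010),
        "replayed_get": agent.accept(get, 1300),
        "tampered_get": agent.accept(tampered, 1010),
        "wrong_secret": V3Agent(b"other", 3).accept(get, 1010),
        "set_while_disabled": agent.accept(set_req, 1010),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:24} {result}")
```

A captured v2c packet hands over "public", which is all a v1/v2c agent asks for; the same capture of a v3-style message yields nothing reusable, because the HMAC is bound to the PDU and to a time the agent will not accept again once the window has passed.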
 Example
◦ Simple Network Management Protocol (SNMP)
◦ Messages
 GET messages to get information from a managed object
 SET messages to change the configuration of a managed object
 SET is often turned off because it is dangerous
 Example
◦ SNMP versions and security
 Version 1: No security
 Version 2: Weak authentication with a community string shared by the manager and managed devices
 Version 3: Pair-shared secrets, optional confidentiality, message integrity, and antireplay protection
 Still needed: public key authentication
 IT Security People Must Work with the Networking Staff
◦ Ensure that appropriate security is being applied to supervisory protocols
◦ Not a traditional area for IT security in most firms
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America. Copyright © 2015 Pearson Education, Inc.

Third Edition
Corporate Computer Security
Randall J. Boyle, University of Utah
Raymond R. Panko, University of Hawai`i at Manoa
Boston Columbus Indianapolis New York San Francisco Upper Saddle River Amsterdam Cape Town Dubai London Madrid Milan Munich Paris Montreal Toronto Delhi Mexico City Sao Paulo Sydney Hong Kong Seoul Singapore Taipei Tokyo
To Courtney Boyle, thank you for your patience, kindness, and perspective on what’s most important in life. —Randy Boyle
To Julia Panko, my long-time networking and security editor and one of the best technology minds I’ve ever encountered.
—Ray Panko
Editorial Director: Sally Yagan
Executive Editor: Bob Horan
Director of Editorial Services: Ashley Santora
Senior Project Manager: Kelly Loftus
Production Project Manager: Debbie Ryan
Director of Marketing: Maggie Moylan
Executive Marketing Manager: Anne Fahlgren
Creative Director: Jayne Conte
Cover Designer: Suzanne Behnke
Full-Service Project Management: George Jacob
Composition: Integra
Printer/Binder: Courier/Westford
Cover Printer: Lehigh
Text Font: Palatino 10/12
Credits and acknowledgments borrowed from other sources and reproduced, with permission, in this textbook appear on the appropriate page within text.
Microsoft® and Windows® are registered trademarks of the Microsoft Corporation in the U.S.A. and other countries. Screen shots and icons reprinted with permission from the Microsoft Corporation. This book is not sponsored or endorsed by or affiliated with the Microsoft Corporation.
Copyright © 2013, 2010, 2004 by Pearson Education, Inc., publishing as Prentice Hall. All rights reserved. Manufactured in the United States of America. This publication is protected by Copyright, and permission should be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. To obtain permission(s) to use material from this work, please submit a written request to Pearson Education, Inc., Permissions Department, One Lake Street, Upper Saddle River, New Jersey 07458, or you may fax your request to 201-236-3290.
Many of the designations by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed in initial caps or all caps.
Library of Congress Cataloging-in-Publication Data
Boyle, Randall J.
Corporate computer security.—3rd ed. / Randall J. Boyle, Raymond R. Panko.
p. cm.
Panko’s name appears first on the earlier edition.
ISBN-13: 978-0-13-214535-0
ISBN-10: 0-13-214535-9
1. Computer security. 2. Computer networks—Security measures. 3. Electronic data processing departments—Security measures. I. Panko, Raymond R. II. Title.
QA76.9.A25P36 2013
005.8—dc23
2011035372
10 9 8 7 6 5 4 3 2 1
ISBN 10: 0-13-214535-9
ISBN 13: 978-0-13-214535-0

CONTENTS
Preface xviii
About the Authors xxiv

Chapter 1 The Threat Environment 1
1.1 Introduction 1 Basic Security Terminology 2 THE THREAT ENVIRONMENT 2 SECURITY GOALS 3 COMPROMISES 3 COUNTERMEASURES 3 Case Study: The TJX Data Breach 4 THE TJX COMPANIES, INC. 4 DISCOVERY 4 THE BREAK-INS 6 THE PAYMENT CARD INDUSTRY–DATA SECURITY STANDARD 7 THE FALLOUT: LAWSUITS AND INVESTIGATIONS 8 PROSECUTION 8
1.2 Employee and Ex-employee Threats 9 Why Employees Are Dangerous 10 Employee Sabotage 10 Employee Hacking 12 Employee Financial Theft and Theft of Intellectual Property 13 Employee Extortion 14 Employee Sexual or Racial Harassment 15 Employee Computer and Internet Abuse 15 INTERNET ABUSE 15 NON-INTERNET COMPUTER ABUSE 16 Data Loss 16 Other “Internal” Attackers 17
1.3 Malware 17 Malware Writers 18 Viruses 18 Worms 20 Blended Threats 21 Payloads 21 Trojan Horses and Rootkits 22 NONMOBILE MALWARE 22 TROJAN HORSES 22 REMOTE ACCESS TROJANS 23 DOWNLOADERS 24 SPYWARE 24 ROOTKITS 24 Mobile Code 25 Social Engineering in Malware 25 SPAM 26 PHISHING 26 SPEAR PHISHING 29 HOAXES 29
1.4 Hackers and Attacks 30 Traditional Motives 30 Anatomy of a Hack 32 TARGET SELECTION 32 RECONNAISSANCE PROBES 32 THE EXPLOIT 33 SPOOFING 33 Social Engineering in an Attack 35 Denial-of-Service Attacks 37 Skill Levels 38
1.5 The Criminal Era 40 Dominance by Career Criminals 40 CYBERCRIME 40 INTERNATIONAL GANGS 41 BLACK MARKETS AND MARKET SPECIALIZATION 42 Fraud, Theft, and Extortion 45 FRAUD 46 FINANCIAL AND INTELLECTUAL PROPERTY THEFT 46 EXTORTION AGAINST CORPORATIONS 47 Stealing Sensitive Data about Customers and Employees 48 CARDING 48 BANK ACCOUNT THEFT 48 ONLINE STOCK ACCOUNT THEFT 48 IDENTITY THEFT 48 THE CORPORATE CONNECTION 49 CORPORATE IDENTITY THEFT 49
1.6 Competitor Threats 50 Commercial Espionage 50 Denial-of-Service Attacks 52
1.7 Cyberwar and Cyberterror 53 Cyberwar 53 Cyberterror 54
1.8 Conclusion 55 Thought Questions 56 • Hands-on Projects 57 • Project Thought Questions 58 • Perspective Questions 58

Chapter 2 Planning and Policy 59
2.1 Introduction 60 Defense 60 Management Processes 61 MANAGEMENT IS THE HARD PART 61 COMPREHENSIVE SECURITY 61 WEAKEST LINKS FAILURES 61 THE NEED TO PROTECT MANY RESOURCES 63 The Need for a Disciplined Security Management Process 63 The Plan–Protect–Respond Cycle 64 PLANNING 64 PROTECTION 64 RESPONSE 66 Vision in Planning 66 VIEWING SECURITY AS AN ENABLER 66 DEVELOPING POSITIVE VISIONS OF USERS 67 Strategic IT Security Planning 68
2.2 Compliance Laws and Regulations 69 Driving Forces 69 Sarbanes–Oxley 70 Privacy Protection Laws 72 Data Breach Notification Laws 74 The Federal Trade Commission 75 Industry Accreditation 75 PCI-DSS 75 FISMA 75
2.3 Organization 76 Chief Security Officers 76 Should You Place Security within IT? 76 LOCATING SECURITY WITHIN IT 78 PLACING SECURITY OUTSIDE IT 78 A HYBRID SOLUTION 78 Top Management Support 79 Relationships with Other Departments 79 SPECIAL RELATIONSHIPS 79 ALL CORPORATE DEPARTMENTS 80 BUSINESS PARTNERS 80 Outsourcing IT Security 81 E-MAIL OUTSOURCING 81 MANAGED SECURITY SERVICE PROVIDER 84
2.4 Risk Analysis 85 Reasonable Risk 86 Classic Risk Analysis Calculations 86 ASSET VALUE 86 EXPOSURE FACTOR 87 SINGLE LOSS EXPECTANCY 87 ANNUALIZED PROBABILITY (OR RATE) OF OCCURRENCE 87 ANNUALIZED LOSS EXPECTANCY 87 COUNTERMEASURE IMPACT 87 ANNUALIZED COUNTERMEASURE COST AND NET VALUE 88 Problems with Classic Risk Analysis Calculations 90 UNEVEN MULTIYEAR CASH FLOWS 90 TOTAL COST OF INCIDENT 90 MANY-TO-MANY RELATIONSHIPS BETWEEN COUNTERMEASURES AND RESOURCES 90 THE IMPOSSIBILITY OF COMPUTING ANNUALIZED RATES OF OCCURRENCE 90 THE PROBLEM WITH “HARD-HEADED THINKING” 92 PERSPECTIVE 92 Responding to Risk 93 RISK REDUCTION 93 RISK ACCEPTANCE 93 RISK TRANSFERENCE (INSURANCE) 94 RISK AVOIDANCE 94
2.5 Technical Security Architecture 94 Technical Security Architectures 94 ARCHITECTURAL DECISIONS 95 DEALING WITH LEGACY SECURITY TECHNOLOGY 95 Principles 95 DEFENSE IN DEPTH 95 DEFENSE IN DEPTH VERSUS WEAKEST LINKS 97 SINGLE POINTS OF VULNERABILITY 97 MINIMIZING SECURITY BURDENS 97 REALISTIC GOALS 97 Elements of a Technical Security Architecture 98 BORDER MANAGEMENT 98 INTERNAL SITE SECURITY MANAGEMENT 98 MANAGEMENT OF REMOTE CONNECTIONS 98 INTERORGANIZATIONAL SYSTEMS 99 CENTRALIZED SECURITY MANAGEMENT 99
2.6 Policy-Driven Implementation 99 Policies 99 WHAT ARE POLICIES? 99 WHAT, NOT HOW 99 CLARITY 100 Categories of Security Policies 100 CORPORATE SECURITY POLICY 100 MAJOR POLICIES 101 ACCEPTABLE USE POLICY 101 POLICIES FOR SPECIFIC COUNTERMEASURES OR RESOURCES 102 Policy-Writing Teams 103 Implementation Guidance 103 NO GUIDANCE 105 STANDARDS AND GUIDELINES 105 Types of Implementation Guidance 105 PROCEDURES 105 PROCESSES 106 BASELINES 106 BEST PRACTICES AND RECOMMENDED PRACTICES 107 ACCOUNTABILITY 107 ETHICS 107 Exception Handling 109 Oversight 110 POLICIES AND OVERSIGHT 110 PROMULGATION 110 ELECTRONIC MONITORING 111 SECURITY METRICS 111 AUDITING 113 ANONYMOUS PROTECTED HOTLINE 113 BEHAVIORAL AWARENESS 114 FRAUD 114 SANCTIONS 116
2.7 Governance Frameworks 117 COSO 118 THE COSO FRAMEWORK 118 OBJECTIVES 118 REASONABLE ASSURANCE 118 COSO FRAMEWORK COMPONENTS 118 CobiT 120 THE COBIT FRAMEWORK 121 DOMINANCE IN THE UNITED STATES 121 The ISO/IEC 27000 Family 122 ISO/IEC 27002 122 ISO/IEC 27001 122 OTHER 27000 STANDARDS 122
2.8 Conclusion 123 Thought Questions 124 • Hands-on Projects 124 • Project Thought Questions 125 • Perspective Questions 125

Chapter 3 Cryptography 127
3.1 What is Cryptography? 128 Encryption for Confidentiality 129 Terminology 129 PLAINTEXT 129 ENCRYPTION AND CIPHERTEXT 129 CIPHER 130 KEY 130 KEEPING THE KEY SECRET 130 The Simple Cipher 130 Cryptanalysis 131 Substitution and Transposition Ciphers 132 Substitution Ciphers 132 Transposition Ciphers 132 Real-world Encryption 133 Ciphers and Codes 133 Symmetric Key Encryption 134 KEY LENGTH 135 Human Issues in Cryptography 137
3.2 Symmetric Key Encryption Ciphers 139 RC4 139 The Data Encryption Standard (DES) 140 56-BIT KEY SIZE 140 BLOCK ENCRYPTION 141 Triple DES (3DES) 141 168-BIT 3DES OPERATION 141 112-BIT 3DES 141 PERSPECTIVE ON 3DES 141 Advanced Encryption Standard (AES) 142 Other Symmetric Key Encryption Ciphers 143
3.3 Cryptographic System Standards 145 Cryptographic Systems 145 Initial Handshaking Stages 145 NEGOTIATION 145 INITIAL AUTHENTICATION 146 KEYING 147 Ongoing Communication 147
3.4 The Negotiation Stage 147 Cipher Suite Options 148 Cipher Suite Policies 148
3.5 Initial Authentication Stage 149 Authentication Terminology 149 Hashing 149 Initial Authentication with MS-CHAP 151 ON THE SUPPLICANT’S MACHINE: HASHING 151 ON THE VERIFIER SERVER 151
3.6 The Keying Stage 152 Session Keys 152 Public Key Encryption for Confidentiality 153 TWO KEYS 153 PROCESS 153 PADLOCK AND KEY ANALOGY 153 HIGH COST AND SHORT MESSAGE LENGTHS 154 RSA AND ECC 154 KEY LENGTH 154 Symmetric Key Keying Using Public Key Encryption 155 Symmetric Key Keying Using Diffie–Hellman Key Agreement 156
3.7 Message-By-Message Authentication 157 Electronic Signatures 157 Public Key Encryption for Authentication 157 Message-by-Message Authentication with Digital Signatures 158 DIGITAL SIGNATURES 158 HASHING TO PRODUCE THE MESSAGE DIGEST 158 SIGNING THE MESSAGE DIGEST TO PRODUCE THE DIGITAL SIGNATURE 158 SENDING THE MESSAGE WITH CONFIDENTIALITY 159 VERIFYING THE SUPPLICANT 160 MESSAGE INTEGRITY 160 PUBLIC KEY ENCRYPTION FOR CONFIDENTIALITY AND AUTHENTICATION 160 Digital Certificates 161 CERTIFICATE AUTHORITIES 161 DIGITAL CERTIFICATE 162 VERIFYING THE DIGITAL CERTIFICATE 163 THE ROLES OF THE DIGITAL CERTIFICATE AND DIGITAL SIGNATURE 164 Key-Hashed Message Authentication Codes (HMACs) 166 Creating and Testing the HMAC 166 Nonrepudiation 166 THE PROBLEM WITH DIGITAL SIGNATURES 166
3.8 Quantum Security 169
3.9 Cryptographic Systems 170 Virtual Private Networks (VPNs) 171 Why VPNs? 172 Host-to-Host VPNs 172 Remote Access VPNs 172 Site-to-Site VPNs 173
3.10 SSL/TLS 173 Nontransparent Protection 174 Inexpensive Operation 174 SSL/TLS Gateways and Remote Access VPNs 175 VPN GATEWAY STANDARDS 175 AUTHENTICATION 175 CONNECTING THE CLIENT PC TO AUTHORIZED RESOURCES 175 SECURITY FOR SERVICES 176 BROWSER ON THE CLIENT 177 ADVANCED SERVICES REQUIRE ADMINISTRATOR PRIVILEGES ON PCS 178 PERSPECTIVE 179
3.11 IPsec 179 Attractions of IPsec 180 SSL/TLS GIVES NONTRANSPARENT TRANSPORT LAYER SECURITY 180 IPSEC: TRANSPARENT INTERNET LAYER SECURITY 180 IPSEC IN BOTH IPV4 AND IPV6 181 IPsec Transport Mode 181 HOST-TO-HOST SECURITY 181 END-TO-END PROTECTION 182 COST OF SETUP 182 IPSEC IN TRANSPORT MODE AND FIREWALLS 182 IPsec Tunnel Mode 183 PROTECTION IS PROVIDED BY IPSEC GATEWAYS 183 LESS EXPENSIVE THAN TRANSPORT MODE 183 FIREWALL-FRIENDLY PROTECTION 183 NO PROTECTION WITHIN THE TWO SITES 183 IPsec Security Associations (SAs) 184 SEPARATE SAS IN THE TWO DIRECTIONS 184 POLICY-BASED SA 184
3.12 Conclusion 185 Thought Questions 187 • Hands-on Projects 188 • Project Thought Questions 190 • Perspective Questions 190

Chapter 4 Secure Networks 191
4.1 Introduction 191 Creating Secure Networks 192 AVAILABILITY 192 CONFIDENTIALITY 192 FUNCTIONALITY 193 ACCESS CONTROL 193 Future of Secure Networks 193 DEATH OF THE PERIMETER 194 RISE OF THE CITY 194
4.2 DoS Attacks 195 Denial of Service . . . But Not an Attack 195 FAULTY CODING 195 REFERRALS FROM LARGE SITES 196 Goal of DoS Attacks 196 STOP CRITICAL SERVICES 196 DEGRADE SERVICES 196 Methods of DoS Attacks 198 DIRECT AND INDIRECT ATTACKS 198 INTERMEDIARY 200 REFLECTED ATTACK 203 SENDING MALFORMED PACKETS 204 Defending Against Denial-of-Service Attacks 205 BLACK HOLING 205 VALIDATING THE HANDSHAKE 206 RATE LIMITING 206
4.3 ARP Poisoning 207 Normal ARP Operation 209 THE PROBLEM 209 ARP Poisoning 210 ARP DoS Attack 211 Preventing ARP Poisoning 212 STATIC TABLES 212 LIMIT LOCAL ACCESS 212
4.4 Access Control for Networks 214 LAN Connections 214 Access Control Threats 215 Eavesdropping Threats 215
4.5 Ethernet Security 216 Ethernet and 802.1X 216 COST SAVINGS 217 CONSISTENCY 217 IMMEDIATE CHANGES 217 The Extensible Authentication Protocol (EAP) 217 EAP OPERATION 218 EXTENSIBILITY 219 RADIUS Servers 219 RADIUS AND EAP 219
4.6 Wireless Security 220 Wireless Attacks 221 Unauthorized Network Access 221 PREVENTING UNAUTHORIZED ACCESS 222 Evil Twin Access Points 224 Wireless Denial of Service 226 FLOOD THE FREQUENCY 226 FLOOD THE ACCESS POINT 227 SEND ATTACK COMMANDS 227 Wireless LAN Security with 802.11i 228 EAP’S NEED FOR SECURITY 228 ADDING SECURITY TO EAP 229 EAP-TLS AND PEAP 229 Core Wireless Security Protocols 230 Wired Equivalent Privacy (WEP) 230 Cracking WEP 231 SHARED KEYS AND OPERATIONAL SECURITY 231 EXPLOITING WEP’S WEAKNESS 231 Perspective 231 Wi-Fi Protected Access (WPA™) 232 Pre-Shared Key (PSK) Mode 235 Wireless Intrusion Detection Systems 237 False 802.11 Security Measures 238 SPREAD SPECTRUM OPERATION AND SECURITY 238 TURNING OFF SSID BROADCASTING 239 MAC ACCESS CONTROL LISTS 239 Implementing 802.11i or WPA Is Easier 240
4.7 Conclusion 240 Thought Questions 241 • Hands-on Projects 242 • Project Thought Questions 243 • Perspective Questions 243

Chapter 5 Access Control 245
5.1 Introduction 246 Access Control 246 Authentication, Authorizations, and Auditing 246 Authentication 246 Beyond Passwords 247 Two-Factor Authentication 248 Individual and Role-Based Access Control 248 Organizational and Human Controls 248 Military and National Security Organization Access Controls 249 Multilevel Security 249
5.2 Physical Access and Security 250 Risk Analysis 250 ISO/IEC 9.1: Secure Areas 251 PHYSICAL SECURITY PERIMETER 251 PHYSICAL ENTRY CONTROLS 252 PUBLIC ACCESS, DELIVERY, AND LOADING AREAS 252 SECURING OFFICES, ROOMS, AND FACILITIES 252 PROTECTING AGAINST EXTERNAL AND ENVIRONMENTAL THREATS 252 RULES FOR WORKING IN SECURE AREAS 256 ISO/IEC 9.2 Equipment Security 256 EQUIPMENT SITING AND PROTECTION 256 SUPPORTING UTILITIES 257 CABLING SECURITY 257 SECURITY DURING OFF-SITE EQUIPMENT MAINTENANCE 257 SECURITY OF EQUIPMENT OFF-PREMISES 257 SECURE DISPOSAL OR REUSE OF EQUIPMENT 257 REMOVAL OF PROPERTY 258 Other Physical Security Issues 258 TERRORISM 258 PIGGYBACKING 258 MONITORING EQUIPMENT 259 DUMPSTER™ DIVING 260 DESKTOP PC SECURITY 260 NOTEBOOK SECURITY 260
5.3 Passwords 260 Password-Cracking Programs 260 Password Policies 261 Password Use and Misuse 261 NOT USING THE SAME PASSWORD AT MULTIPLE SITES 261 PASSWORD DURATION POLICIES 262 POLICIES PROHIBITING SHARED ACCOUNTS 263 DISABLING PASSWORDS THAT ARE NO LONGER VALID 263 LOST PASSWORDS 263 PASSWORD STRENGTH 266 PASSWORD AUDITING 266 The End of Passwords? 267
5.4 Access Cards and Tokens 268 Access Cards 268 MAGNETIC STRIPE CARDS 269 SMART CARDS 269 CARD READER COSTS 269 Tokens 269 ONE-TIME-PASSWORD TOKENS 270 USB TOKENS 270 Proximity Access Tokens 270 Addressing Loss and Theft 270 PHYSICAL DEVICE CANCELLATION 270 TWO-FACTOR AUTHENTICATION 272
5.5 Biometric Authentication 273 Biometrics 273 Biometric Systems 274 INITIAL ENROLLMENT 274 SUBSEQUENT ACCESS ATTEMPTS 275 ACCEPTANCE OR REJECTION 276 Biometric Errors 276 FALSE ACCEPTANCE RATE 276 FALSE REJECTION RATE 277 WHICH IS WORSE? 277 VENDOR CLAIMS 277 FAILURE TO ENROLL 278 Verification, Identification, and Watch Lists 278 VERIFICATION 278 IDENTIFICATION 279 WATCH LISTS 280 Biometric Deception 280 Biometric Methods 282 FINGERPRINT RECOGNITION 282 IRIS RECOGNITION 282 FACE RECOGNITION 282 HAND GEOMETRY 283 VOICE RECOGNITION 287 OTHER FORMS OF BIOMETRIC AUTHENTICATION 287
5.6 Cryptographic Authentication 287 Key Points from Chapter 3 287 Public Key Infrastructures 288 THE FIRM AS A CERTIFICATE AUTHORITY 288 CREATING PUBLIC KEY–PRIVATE KEY PAIRS 289 DISTRIBUTING DIGITAL CERTIFICATES 289 ACCEPTING DIGITAL CERTIFICATES 289 CERTIFICATE REVOCATION STATUS 290 PROVISIONING 290 THE PRIME AUTHENTICATION PROBLEM 290
5.7 Authorization 290 The Principle of Least Permissions 291
5.8 Auditing 292 Logging 292 Log Reading 293 REGULAR LOG READING 293 PERIODIC EXTERNAL AUDITS OF LOG FILE ENTRIES 293 AUTOMATIC ALERTS 293
5.9 Central Authentication Servers 294 The Need for Centralized Authentication 294 Kerberos 295
5.10 Directory Servers 296 What Are Directory Servers? 297 Hierarchical Data Organization 297 Lightweight Data Access Protocol 298 Use by Authentication Servers 298 Active Directory 298 ACTIVE DIRECTORY DOMAINS 299 Trust 300
5.11 Full Identity Management 301 Other Directory Servers and Metadirectories 301 Federated Identity Management 302 THE SECURITY ASSERTION MARKUP LANGUAGE 304 PERSPECTIVE 304 Identity Management 304 BENEFITS OF IDENTITY MANAGEMENT 304 WHAT IS IDENTITY? 306 IDENTITY MANAGEMENT 306 Trust and Risk 307
5.12 Conclusion 307 Thought Questions 309 • Hands-on Projects 310 • Project Thought Questions 311 • Perspective Questions 311

Chapter 6 Firewalls 313
6.1 Introduction 314 Basic Firewall Operation 314 The Danger of Traffic Overload 319 Firewall Filtering Mechanisms 320
6.2 Static Packet Filtering 321 Looking at Packets One at a Time 321 Looking Only at Some Fields in the Internet and Transport Headers 321 Usefulness of Static Packet Filtering 321 Perspective 322
6.3 Stateful Packet Inspection 323 Basic Operation 323 CONNECTIONS 323 STATES 324 STATEFUL PACKET INSPECTION WITH TWO STATES 324 REPRESENTING CONNECTIONS 325 Packets That Do Not Attempt to Open Connections 326 TCP CONNECTIONS 329 UDP AND ICMP CONNECTIONS 329 ATTACK ATTEMPTS 329 PERSPECTIVE 329 Packets That Do Attempt to Open a Connection 330 Access Control Lists (ACLs) for Connection-Opening Attempts 331 WELL-KNOWN PORT NUMBERS 331 ACCESS CONTROL LISTS (ACLS) FOR INGRESS FILTERING 332 IF-THEN FORMAT 332 PORTS AND SERVER ACCESS 332 DISALLOW ALL CONNECTIONS 333 Perspective on SPI Firewalls 334 LOW COST 334 SAFETY 334 DOMINANCE 335
6.4 Network Address Translation 335 Sniffers 335 NAT OPERATION 335 PACKET CREATION 336 NETWORK AND PORT ADDRESS TRANSLATION 336 TRANSLATION TABLE 336 RESPONSE PACKET 336 RESTORATION 336 PROTECTION 337 Perspective on NAT 337 NAT/PAT 337 TRANSPARENCY 337 NAT TRAVERSAL 337
6.5 Application Proxy Firewalls and Content Filtering 337 Application Proxy Firewall Operation 338 OPERATIONAL DETAILS 338 APPLICATION PROXY PROGRAMS VERSUS APPLICATION PROXY FIREWALLS 338 PROCESSING-INTENSIVE OPERATION 338 ONLY A FEW APPLICATIONS CAN BE PROXIED 339 TWO COMMON USES 339 Application Content Filtering in Stateful Packet Inspection Firewalls 340 Application Content Filtering for HTTP 341 Client Protections 341 Server Protections 341 Other Protections 344
6.6 Intrusion Detection Systems and Intrusion Prevention Systems 345 Intrusion Detection Systems 345 FIREWALLS VERSUS IDSS 347 FALSE POSITIVES (FALSE ALARMS) 347 HEAVY PROCESSING REQUIREMENTS 347 Intrusion Prevention Systems 348 ASICS FOR FASTER PROCESSING 348 THE ATTACK IDENTIFICATION CONFIDENCE SPECTRUM 348 IPS Actions 349 DROPPING PACKETS 349 LIMITING TRAFFIC 349
6.7 Antivirus Filtering and Unified Threat Management 349
6.8 Firewall Architectures 354 Types of Firewalls 354 MAIN BORDER FIREWALLS 354 SCREENING BORDER ROUTERS 354 INTERNAL FIREWALLS 354 HOST FIREWALLS 355 DEFENSE IN DEPTH 355 The Demilitarized Zone 355 SECURITY IMPLICATIONS 356 HOSTS IN THE DMZ 356
6.9 Firewall Management 357 Defining Firewall Policies 357 WHY USE POLICIES? 357 EXAMPLES OF POLICIES 359 Implementation 359 FIREWALL HARDENING 359 CENTRAL FIREWALL MANAGEMENT SYSTEMS 359 FIREWALL POLICY DATABASE 360 VULNERABILITY TESTING AFTER CONFIGURATION 361 CHANGE AUTHORIZATION AND MANAGEMENT 361 READ­ING FIREWALL LOGS 362 Reading Firewall Logs 363 Log Files 363 Sorting the Log File by Rule 363 Echo Probes 363 External Access to All Internal FTP Servers 365 Attempted Access to Internal Webservers 365 Incoming Packet with a Private IP Source Address 365 Lack of Capacity 365 Perspective 365 Sizes of Log Files 366 Logging All Packets 366
6.10 Firewall Filtering Problems 367 The Death of the Perimeter 367 AVOIDING THE BORDER FIREWALL 367 EXTENDING THE PERIMETER 368 PERSPECTIVE 368 Attack Signatures versus Anomaly Detection 368 ZERO-DAY ATTACKS 368 ANOMALY DETECTION 369 ACCURACY 369
6.11 Conclusion 369 Thought Questions 372 • Hands-on Projects 372 • Project Thought Questions 374 • Perspective Questions 374

Chapter 7 Host Hardening 375
7.1 Introduction 375 What Is a Host? 376 The Elements of Host Hardening 376 Security Baselines and Images 377 Virtualization 377 VIRTUALIZATION ANALOGY 379 BENEFITS OF VIRTUALIZATION 380 Systems Administrators 380
7.2 Important Server Operating Systems 385 Windows Server Operating Systems 386 THE WINDOWS SERVER USER INTERFACE 386 START : ADMINISTRATIVE TOOLS 386 MICROSOFT MANAGEMENT CONSOLES (MMCS) 387 UNIX (Including Linux) Servers 388 MANY VERSIONS 389 LINUX 390 UNIX USER INTERFACES 391
7.3 Vulnerabilities and Patches 392 Vulnerabilities and Exploits 392 Fixes 392 WORK-AROUNDS 397 PATCHES 397 SERVICE PACKS 397 VERSION UPGRADES 397 The Mechanics of Patch Installation 398 MICROSOFT WINDOWS SERVER 398 LINUX RPM PROGRAM 398 Problems with Patching 399 THE NUMBER OF PATCHES 399 COST OF PATCH INSTALLATION 399 PRIORITIZING PATCHES 399 PATCH MANAGEMENT SERVERS 399 THE RISKS OF PATCH INSTALLATION 400
7.4 Managing Users and Groups 401 The Importance of Groups in Security Management 401 Creating and Managing Users and Groups in Windows 401 THE ADMINISTRATOR ACCOUNT 401 MANAGING ACCOUNTS 402 CREATING USERS 402 WINDOWS GROUPS 402
7.5 Managing Permissions 404 Permissions 404 Assigning Permissions in Windows 404 DIRECTORY PERMISSIONS 404 WINDOWS PERMISSIONS 405 ADDING USERS AND GROUPS 405 INHERITANCE 405 DIRECTORY ORGANIZATION 406 Assigning Groups and Permissions in UNIX 407 NUMBER OF PERMISSIONS 407 NUMBER OF ACCOUNTS OR GROUPS 408
7.6 Creating Strong Passwords 408 Creating and Storing Passwords 409 CREATING A PASSWORD HASH 409 STORING PASSWORDS 409 STEALING PASSWORDS 410 Password-Cracking Techniques 410 BRUTE-FORCE GUESSING 410 DICTIONARY ATTACKS ON COMMON WORD PASSWORDS 412 HYBRID DICTIONARY ATTACKS 413 RAINBOW TABLES 414 TRULY RANDOM PASSWORDS 415 TESTING AND ENFORCING THE STRENGTH OF PASSWORDS 415 OTHER PASSWORD THREATS 415
7.7 Testing for Vulnerabilities 416 Windows Client PC Security 417 Client PC Security Baselines 418 The Windows Action Center 418 Windows Firewall 420 Automatic Updates 420 Antivirus and Spyware Protection 420 Implementing Security Policy 421 PASSWORD POLICIES 421 ACCOUNT POLICIES 421 AUDIT POLICIES 422 Protecting Notebook Computers 423 THREATS 423 BACKUP 423 POLICIES FOR SENSITIVE DATA 424 TRAINING 425 COMPUTER RECOVERY SOFTWARE 425 Centralized PC Security Management 425 STANDARD CONFIGURATIONS 425 NETWORK ACCESS CONTROL 426 WINDOWS GROUP POLICY OBJECTS 426
7.8 Conclusion 429 Thought Questions 430 • Hands-on Projects 430 • Project Thought Questions 432 • Perspective Questions 432

Chapter 8 Application Security 433
8.1 Application Security And Hardening 433 Executing Commands with the Privileges of a Compromised Application 434 Buffer Overflow Attacks 434 BUFFERS AND OVERFLOWS 434 STACKS 435 RETURN ADDRESS 435 THE BUFFER AND BUFFER OVERFLOW 435 EXECUTING ATTACK CODE 435 AN EXAMPLE: THE IIS IPP BUFFER OVERFLOW ATTACK 436 Few Operating Systems, Many Applications 436 Hardening Applications 437 UNDERSTAND THE SERVER’S ROLE AND THREAT ENVIRONMENT 437 THE BASICS 438 MINIMIZE APPLICATIONS 438 SECURITY BASELINES FOR APPLICATION MINIMIZATION 439 CREATE A SECURE CONFIGURATION 439 INSTALL APPLICATION PATCHES AND UPDATES 439 MINIMIZE THE PERMISSIONS OF APPLICATIONS 440 ADD APPLICATION-LEVEL AUTHENTICATION, AUTHORIZATIONS, AND AUDITING 440 IMPLEMENT CRYPTOGRAPHIC SYSTEMS 440 Securing Custom Applications 440 NEVER TRUST USER INPUT 441 BUFFER OVERFLOW ATTACKS 441 LOGIN SCREEN BYPASS ATTACKS 442 CROSS-SITE SCRIPTING ATTACKS 442 SQL INJECTION ATTACKS 423 AJAX MANIPULATION 423 TRAINING IN SECURE COMPUTING 423
8.2 WWW and E-Commerce Security 446 The Importance of WWW and E-Commerce Security 446 WWW Service versus E-Commerce Service 446 E-COMMERCE SERVICE 447 EXTERNAL ACCESS 448 CUSTOM PROGRAMS 448 Some Webserver Attacks 449 WEBSITE DEFACEMENT 449 BUFFER OVERFLOW ATTACK TO LAUNCH A COMMAND SHELL 449 DIRECTORY TRAVERSAL ATTACK 449 THE DIRECTORY TRAVERSAL WITH HEXADECIMAL CHARACTER ESCAPES 450 UNICODE DIRECTORY TRAVERSAL 451 Patching the Webserver and E-Commerce Software and Its Components 451 E-COMMERCE SOFTWARE VULNERABILITIES 451 Other Website Protections 452 WEBSITE VULNERABILITY ASSESSMENT TOOLS 452 WEBSITE ERROR LOGS 452 WEBSERVER-SPECIFIC APPLICATION PROXY FIREWALLS 453 Controlling Deployment 453 DEVELOPMENT SERVERS 454 TESTING SERVERS 454 PRODUCTION SERVERS 454
8.3 Web Browser Attacks 454 BROWSER THREATS 454 MOBILE CODE 454 MALICIOUS LINKS 456 OTHER CLIENT-SIDE ATTACKS 456 Enhancing Browser Security 458 PATCHING AND UPGRADING 458 CONFIGURATION 458 INTERNET OPTIONS 458 SECURITY TAB 459 PRIVACY TAB 462
8.4 E-Mail Security 463 E-Mail Content Filtering 463 MALICIOUS CODE IN ATTACHMENTS AND HTML BODIES 463 SPAM 464 INAPPROPRIATE CONTENT 465 EXTRUSION PREVENTION 465 PERSONALLY IDENTIFIABLE INFORMATION (PII) 465 Where to Do E-Mail Malware and Spam Filtering 465 E-Mail Encryption 466 TRANSMISSION ENCRYPTION 466 MESSAGE ENCRYPTION 466
8.5 Voice over IP Security 468 Sending Voice between Phones 468 Transport and Signaling 469 SIP and H.323 470 Registration 470 SIP Proxy Servers 470 PSTN Gateway 470 VoIP Threats 471 Eavesdropping 471 Denial-of-Service (DoS) Attacks 471 Caller Impersonation 472 Hacking and Malware Attacks 472 Toll Fraud 472 Spam over IP Telephony (SPIT) 473 New Threats 473 Implementing VoIP Security 473 Authentication 473 Encryption for Confidentiality 473 Firewalls 474 NAT Problems 475 Separation: Anticonvergence 475 The Skype VoIP Service 475
8.6 Other User Applications 477 Instant Messaging (IM) 477 TCP/IP Supervisory Applications 479
8.7 Conclusion 480 Thought Questions 481 • Hands-on Projects 481 • Project Thought Questions 483 • Perspective Questions 483

Chapter 9 Data Protection 485
9.1 Introduction 485 Data’s Role in Business 486 SONY DATA BREACHES 486 Securing Data 486
9.2 Data Protection: Backup 487 The Importance of Backup 487 Threats 487 Scope of Backup 487 FILE/DIRECTORY DATA BACKUP 488 IMAGE BACKUP 488 SHADOWING 489 Full versus Incremental Backups 491 Backup Technologies 493 LOCAL BACKUP 493 CENTRALIZED BACKUP 493 CONTINUOUS DATA PROTECTION 494 INTERNET BACKUP SERVICE 494 MESH BACKUP 494
9.3 Backup Media and RAID 495 MAGNETIC TAPE 495 CLIENT PC BACKUP 496 Disk Arrays—RAID 497 RAID Levels 497 NO RAID 497 RAID 0 498 RAID 1 499 RAID 5 500
9.4 Data Storage Policies 503 BACKUP CREATION POLICIES 504 RESTORATION POLICIES 504 MEDIA STORAGE LOCATION POLICIES 504 ENCRYPTION POLICIES 505 ACCESS CONTROL POLICIES 505 RETENTION POLICIES 505 AUDITING BACKUP POLICY COMPLIANCE 505 E-Mail Retention 506 THE BENEFIT OF RETENTION 506 THE DANGERS OF RETENTION 506 ACCIDENTAL RETENTION 506 THIRD-PARTY E-MAIL RETENTION 508 LEGAL ARCHIVING REQUIREMENTS 508 U.S. FEDERAL RULES OF CIVIL PROCEDURE 508 MESSAGE AUTHENTICATION 509 DEVELOPING POLICIES AND PROCESSES 509 User Training 509 Spreadsheets 510 VAULT SERVER ACCESS CONTROL 510 OTHER VAULT SERVER PROTECTIONS 511
9.5 Database Security 511 Relational Databases 512 LIMITING THE VIEW OF DATA 512 Database Access Control 516 DATABASE ACCOUNTS 516 SQL INJECTION ATTACKS 516 Database Auditing 517 WHAT TO AUDIT 518 TRIGGERS 518 Database Placement and Configuration 520 CHANGE THE DEFAULT PORT 520 Data Encryption 520 KEY ESCROW 521 FILE/DIRECTORY ENCRYPTION VERSUS WHOLE-DISK ENCRYPTION 522 PROTECTING ACCESS TO THE COMPUTER 522 DIFFICULTIES IN FILE SHARING 522
9.6 Data Loss Prevention 523 Data Collection 523 PERSONALLY IDENTIFIABLE INFORMATION 23 DATA MASKING 524 Information Triangulation 526 BUY OR SELL DATA 527 Document Restrictions 528 DIGITAL RIGHTS MANAGEMENT (DRM) 528 DATA EXTRUSION MANAGEMENT 530 EXTRUSION PREVENTION 530 Data Loss Prevention Systems 530 DLP AT THE GATEWAY 530 DLP ON CLIENTS 530 DLP FOR DATA STORAGE 531 DLP MANAGER 531 WATERMARKS 531 REMOVABLE MEDIA CONTROLS 532 PERSPECTIVE 533 Employee Training 533 SOCIAL NETWORKING 533 Data Destruction 534 NOMINAL DELETION 534 BASIC FILE DELETION 535 WIPING/CLEARING 536 DESTRUCTION 536
9.7 Conclusion 537 Thought Questions 538 • Hands-on
Projects 538 • Project Thought Questions 539 • Perspective Questions 539 Chapter 10 Incident and Disaster Response 541 10.1 Introduction 541 Walmart and Hurricane Katrina 541 xv Incidents Happen 542 Incident Severity 543 FALSE ALARMS 544 MINOR INCIDENTS 544 MAJOR INCIDENTS 545 DISASTERS 546 Speed and Accuracy 546 SPEED IS OF THE ESSENCE 546 SO IS ACCURACY 546 PLANNING 546 REHEARSAL 547 10.2 The Intrusion Response Process For Major Incidents 548 Detection, Analysis, and Escalation 548 DETECTION 548 ANALYSIS 548 ESCALATION 550 Containment 550 DISCONNECTION 550 BLACK-HOLING THE ATTACKER 550 CONTINUING TO COLLECT DATA 550 Recovery 551 REPAIR DURING CONTINUING SERVER OPERATION 551 RESTORATION FROM BACKUP TAPES 551 TOTAL SOFTWARE REINSTALLATION 551 Apology 552 Punishment 553 PUNISHING EMPLOYEES 553 THE DECISION TO PURSUE PROSECUTION 553 COLLECTING AND MANAGING EVIDENCE 553 Postmortem Evaluation 556 Organization of the CSIRT 556 Legal Considerations 557 Criminal versus Civil Law 557 Jurisdictions 558 The U.S. Federal Judicial System 559 U.S. State and Local Laws 559 International Law 561 Evidence and Computer Forensics 562 U.S. Federal Cybercrime Laws 564 Computer Hacking, Malware Attacks, Denial-of-Service Attacks, and Other Attacks (18 U.S.C. 
§ 1030) 564 xvi Contents HACKING 565 DENIAL-OF-SERVICE AND MALWARE ATTACKS 565 DAMAGE THRESHOLDS 566 Confidentiality in Message Transmission 566 Other Federal Laws 566 10.3 Intrusion Detection Systems 566 Functions of an IDS 567 LOGGING (DATA COLLECTION) 567 AUTOMATED ANALYSIS BY THE IDS 568 ACTIONS 568 LOG SUMMARY REPORTS 568 SUPPORT FOR INTERACTIVE MANUAL LOG ANALYSIS 568 Distributed IDSs 569 AGENTS 569 MANAGER AND INTEGRATED LOG FILE 570 BATCH VERSUS REAL-TIME DATA TRANSFER 570 SECURE MANAGER–AGENT COMMUNICATION 570 VENDOR COMMUNICATION 570 Network IDSs 570 STAND-ALONE NIDSS 571 SWITCH AND ROUTER NIDSS 571 STRENGTHS OF NIDSS 571 WEAKNESSES OF NIDSS 571 HOST IDSS 571 ATTRACTION OF HIDSS 571 WEAKNESSES OF HOST IDSS 572 HOST IDSS: OPERATING SYSTEM MONITORS 572 Log Files 573 TIME-STAMPED EVENTS 573 INDIVIDUAL LOGS 573 INTEGRATED LOGS 573 MANUAL ANALYSIS 575 Principles of Business Continuity Management 583 PEOPLE FIRST 583 REDUCED CAPACITY IN DECISION MAKING 583 AVOIDING RIGIDITY 583 COMMUNICATION, COMMUNICATION, COMMUNICATION 584 Business Process Analysis 584 IDENTIFICATION OF BUSINESS PROCESSES AND THEIR INTERRELATIONSHIPS 584 PRIORITIZATION OF BUSINESS PROCESSES 584 SPECIFY RESOURCE NEEDS 584 SPECIFY ACTIONS AND SEQUENCES 10.5 It Disaster Recovery 585 Types of Backup Facilities 587 HOT SITES 587 COLD SITES 587 SITE SHARING WITH CONTINUOUS DATA PROTECTION (CDP) 587 LOCATION OF THE SITES 587 Office PCs 590 DATA BACKUP 590 NEW COMPUTERS 591 WORK ENVIRONMENT 591 Restoration of Data and Programs 591 Testing the IT Disaster Recovery Plan 591 10.6 Conclusion 591 Thought Questions 592 • Handson Projects 593 • Perspective Questions 594 • Project Thought Questions 594 Module A Networking Concepts 595 Managing IDSs 575 A.1 Introduction 595 TUNING FOR PRECISION 576 A.2 A Sampling of Networks 596 Honeypots 577 10.4 Business Continuity Planning 581 584 Testing and Updating the Plan 585 A Simple Home Network 596 THE ACCESS ROUTER 596 PERSONAL COMPUTERS 597 Contents UTP WIRING 
597 INTERNET ACCESS LINE 597 A Building LAN 598 A Firm’s Wide Area Networks 600 The Internet 601 Applications 604 A.3 Network Protocols and Vulnerabilities 604 Inherent Security 605 Security Explicitly Designed into the Standard 605 xvii IP Version 6 615 IPsec 616 A.9 The Transmission Control Protocol 616 TCP: A Connection-Oriented and Reliable Protocol 617 CONNECTIONLESS AND CONNECTIONORIENTED PROTOCOLS 617 RELIABILITY 619 Flag Fields 620 Sequence Number Field 620 Security in Older Versions of the Standard 605 Acknowledgment Number Field 621 Defective Implementation 605 Options 622 A.4 Core Layers in Layered Standards Architectures 605 A.5 Standards Architectures 606 The TCP/IP Standards Architecture 607 The OSI Standards Architecture 607 The Hybrid TCP/IP–OSI Architecture 608 A.6 Single-Network Standards 608 The Data Link Layer 609 The Physical Layer 609 UTP 609 OPTICAL FIBER 609 WIRELESS TRANSMISSION 609 SWITCH SUPERVISORY FRAMES 610 A.7 Internetworking Standards 610 A.8 The Internet Protocol 611 The IP Version 4 Packet 611 The First Row 612 The Second Row 613 The Third Row 613 Options 613 Window Field 622 Port Numbers 622 PORT NUMBERS ON SERVERS 622 PORT NUMBERS ON CLIENTS 623 SOCKETS 623 TCP Security 624 A.10 The User Datagram Protocol 625 A.11 TCP/IP Supervisory Standards 626 Internet Control Message Protocol 626 The Domain Name System 627 Dynamic Host Configuration Protocol 629 Dynamic Routing Protocols 629 Simple Network Management Protocol 631 A.12 Application Standards 632 HTTP AND HTML 632 E-MAIL 633 TELNET, FTP, AND SSH 633 OTHER APPLICATION STANDARDS 633 A.13 Conclusion 634 Hands-on Projects 634 • Project Thought Questions 636 • Perspective Questions 636 The Source and Destination IP Addresses 614 Glossary 637 Masks 614 index 655 PREFACE The IT security industry has seen dramatic changes in the past decades. Security breaches, data theft, cyber attacks, and information warfare are now common news stories in the mainstream media. 
IT security expertise that was traditionally the domain of a few experts in large organizations has now become a concern for almost everyone. These rapid changes in the IT security industry have necessitated more recent editions of this text. Old attacks are being used in new ways, and new attacks are becoming commonplace. We hope the changes to this new edition have captured some of these changes in the industry.

What’s New in This Edition?

If you have used prior editions of this text, you will notice that almost all of the material you are familiar with remains intact. New additions to the text have been driven by requests from reviewers. More specifically, reviewers asked for a text that is more business focused, has more hands-on projects, has more coverage of wireless and data security, and has additional case studies. In addition to these changes in content, we have tried to add supplements that make the book easier to use and more engaging for students. Below is a list of the significant changes to this edition of the text.

Business Focus—This edition has tried to have more of a business focus. Emphasis has been placed on securing corporate information systems, rather than just hosts in general. The concepts, principles, and terminology have remained the same. However, the implications of each topic are more focused on the business environment.

Hands-on Projects—Each chapter has hands-on projects that use contemporary software. Each project relates directly to the chapter material. Students take a screenshot to show they have completed the project.

Expanded Content—Material from prior chapters has been reorganized and expanded to create new chapters covering Secure Networks (Chapter 4) and Data Protection (Chapter 9). Reviewers wanted more coverage of networking and wireless security concepts, as well as more discussion of data security. These chapters contain substantial amounts of new material in each of these areas.

Comprehensive Framework—We have included a comprehensive security framework to tie all of the chapters together. It will serve as a roadmap to guide students through the book. Our hope is that it will increase retention of the material by illustrating how topic areas relate to each other.

Case Studies and Focus Articles—Each chapter includes 2–4 new applied case studies or focus articles. A wide range of topics is covered in these focus articles. These include examples of high-profile security incidents, technical security topics, profiles of industry professionals, security certifications, new types of attacks, and articles by industry leaders. The goal of these articles is to expose students to a broad range of topics that are not covered in traditional IT security texts, but are currently being discussed by industry professionals. We hope these articles are interesting, informative, and encourage active class discussion. We also included a few profiles of industry professionals to give students an idea of the type of work they might be doing after they graduate. Students are often interested in IT security, but are unsure about what an actual job in the industry would look like on a daily basis. We hope these provide some insight.

Embedded PowerPoint Videos—New to this edition are embedded PowerPoint videos. A supplemental set of 125+ PowerPoint slides contains embedded videos linked to content hosted on YouTube®. These videos include IT security–related current news stories, technical demonstrations, conference presentations, commentary by industry leaders, historical background, and demonstrations of new security products. The embedded videos relate to material in each chapter and can be copied directly into your regular lectures. These videos can be used as “hooks” to introduce new chapters, integrated directly into lectures, or assigned as out-of-class homework.

Updated News Articles—Each chapter contains expanded and updated IT security news articles. Over 90 percent of the news articles in this book reference stories that have occurred since the second edition was published.

Why Use This Book?

INTENDED AUDIENCE
This book is written for a one-term introductory course in IT security. The primary audience is upper-division BS majors in Information Systems, Computer Science, or Computer Information Systems. This book is also intended for graduate students in Master of Information Systems (MSIS), Master of Business Administration (MBA), Master of Accountancy (MAcc), or other MS programs that are seeking a broader knowledge of IT security. It is designed to provide students with IT security knowledge as it relates to corporate security. It will give students going into the IT security field a solid foundation. It can also serve as a network security text.

PREREQUISITES
The book can be used by students who have taken an introductory course in information systems. However, taking a networking course before using this book is strongly advisable. For students who have not taken a networking course, Module A is a review of networking with a special focus on security aspects of network concepts. Even if networking is a prerequisite or corequisite at your school, we recommend covering Module A. It helps refresh and reinforce networking concepts.

BALANCING TECHNICAL AND MANAGERIAL CONTENT
Our students are going to need jobs. When you ask working IT security professionals what they are looking for in a new hire, they give similar responses. They want proactive workers who can take initiative, learn on their own, have strong technical skills, and have a business focus.

A business focus does not mean a purely managerial focus. Companies want a strong understanding of security management. But they also want a really solid understanding of defensive security technology. A common complaint is that students who have taken managerial courses don’t even know how stateful packet inspection firewalls operate, or what other types of firewalls are available. “We aren’t hiring these kids as security managers” is a common comment. This is usually followed by, “They need to start as worker bees, and worker bees start with technology.”

Overall, we have attempted to provide a strong managerial focus along with a solid technical understanding of security tools. Most of this book deals with the technical aspects of protective countermeasures. But even the countermeasure chapters reflect what students need to know to manage these technologies. You can “throttle” the amount of technical content by using or not using the Hands-on Projects at the end of each chapter.

How Is This Book Organized?

The book starts by looking at the threat environment facing corporations today. This gets the students’ attention levels up, and introduces terminology that will be used throughout the rest of the book. Discussing the threat environment demonstrates the need for the defenses mentioned in later chapters. The rest of the book follows the good old plan–protect–respond cycle. Chapter 2 deals with planning, and Chapter 10 deals with incident and disaster response. All of the chapters in the middle deal with countermeasures designed to protect information systems. The countermeasures section starts with a chapter on cryptography because cryptographic protections are part of many other countermeasures. Subsequent chapters introduce secure networks, access control, firewalls, host hardening, application security, and data protection. In general, the book follows the flow of data from networks, through firewalls, and eventually to hosts to be processed and stored.
[Figure: the plan–protect–respond framework. Plan: Planning & Policy (Chapter 2). Protect: Cryptography (Chapter 3), Secure Networks (Chapter 4), Access Control (Chapter 5), Firewalls (Chapter 6), Host Hardening (Chapter 7), Application Security (Chapter 8), Data Protection (Chapter 9). Respond: Incident Response (Chapter 10). Threat Environment (Chapter 1).]

USING THE BOOK IN CLASS
Chapters in this book are designed to be covered in a semester week. This leaves a few classes for exams, presentations, guest speakers, hands-on activities, or material in the module. Starting each class with a demonstration of one of the hands-on projects is a good way to get students’ attention. It’s important for students to read each chapter before it’s covered in class. The chapters contain technical and conceptual material that needs to be closely studied. We recommend either giving a short reading quiz or requiring students to turn in Test Your Understanding questions before covering each chapter.

POWERPOINT SLIDES AND STUDY FIGURES
The PowerPoint lectures cover nearly everything, as do the study figures in the book. Study figures even summarize main points from the text. This makes the PowerPoint presentations and the figures in the book great study aids.

TEST YOUR UNDERSTANDING QUESTIONS
After each section or subsection, there are Test Your Understanding questions. This lets students check if they really understood what they just read. If not, they can go back and master that small chunk of material before going on. The test item file questions are linked to particular Test Your Understanding questions. If you cut some material out, it is easy to know which multiple-choice questions not to use.

INTEGRATIVE THOUGHT QUESTIONS
At the end of each chapter, there are integrative Thought Questions which require students to synthesize what they have learned. They are more general in nature, and require the application of the chapter material beyond rote memorization.

HANDS-ON PROJECTS
Students often comment that their favorite part of the course is the Hands-on Projects. Students like the Hands-on Projects because they get to use contemporary IT security software that relates to the chapter material. Each chapter has at least two applied projects and subsequent Project Thought Questions. Each project requires students to take a unique screenshot at the end of the project as proof they completed the project. Each student’s screenshot will include a time stamp, the student’s name, or another unique identifier.

PERSPECTIVE QUESTIONS
Finally, there are two general questions that ask students to reflect on what they have studied. These questions give students a chance to think comprehensively about the chapter material at a higher level.

HEY! WHERE’S ALL THE ATTACK SOFTWARE?
This book does not teach students how to break into computers. There is software designed specifically to exploit vulnerabilities and gain access to systems. This book does not cover this type of software. Rather, the focus of the book is how to proactively defend corporate systems from attacks. Effectively securing corporate information systems is a complicated process. Learning how to secure corporate information systems requires the entire book. Once students have a good understanding of how to secure corporate systems, they might be ready to look at penetration testing software.

With ten chapters, you do have time to introduce some offense. However, if you do teach offense, do it carefully. Attack tools are addictive, and students are rarely satisfied using them in small labs that are carefully air-gapped from the broader school network and the Internet. A few publicized attacks by your students can get IT security barred from the curriculum.

Instructor Supplements

This is a hard course to teach. We have tried to build in as much teacher support as possible.
Our goal was to reduce the total amount of preparation time instructors had to spend getting ready to teach this course. Learning new course material, monitoring current events, and managing an active research agenda are time-consuming. We hope the instructor supplements make it easier to teach a high-quality course with less prep time.

ONLINE INSTRUCTOR RESOURCES
The Pearson Prentice-Hall website (http://www.pearsonhighered.com) has all of the supplements discussed below. These include the PowerPoint lectures, PowerPoint embedded videos, answer keys, test item files, TestGen software, and the other usual suspects.

POWERPOINT LECTURES
There is a PowerPoint lecture for each chapter. They aren’t “a few selected slides.” They are full lectures with detailed figures and explanations. And they aren’t made from figures that look pretty in the book but that are invisible on slides. We have tried to create the PowerPoint slides to be pretty self-explanatory.

POWERPOINT EMBEDDED VIDEOS
An important part of a great lecture is to start each class with a “hook.” The hook captures students’ interest and acts as an introduction to the rest of the lecture. We have created a set of PowerPoint slides that contain embedded videos that can act as a hook for each chapter. There are over 125 PowerPoint slides containing embedded videos linked to content hosted on YouTube®. These videos include current news stories, technical demonstrations, conference presentations, commentary by industry leaders, historical background, and demonstrations of new security products. The embedded videos relate to material in each chapter and can be copied directly into your regular lectures.

TEST ITEM FILE
The test item file for this book makes creating, or supplementing, an exam with challenging multiple-choice questions easy. Questions in the test item file refer directly to the Test Your Understanding questions located throughout each chapter. This means exams will be tied directly to concepts discussed in the chapter.

TEACHERS MANUAL
The Teachers Manual has suggestions on how to teach the chapters. For instance, the book begins with threats. In the first class, you could have students list everybody who might attack them. Then have them come up with ways each group is likely to attack them. Along the way, the class discussion can naturally touch on chapter concepts such as the distinction between viruses and worms.

SAMPLE SYLLABUS
We have included a sample syllabus if you are teaching this course for the first time. It can serve as a guide to structuring the course and reduce your prep time.

E-MAIL US
Please feel free to e-mail us. You can reach Randy at Randy.Boyle@utah.edu, or Ray at Ray@Panko.com. Your Pearson Sales Representative can provide you with support, but if you have a question, please also feel free to contact us. We’d also love suggestions for the next edition of the book and for additional support for this edition.

Acknowledgments

We would like to thank all of the reviewers of prior editions. They have used this book for years and know it well. Their suggestions, recommendations, and criticisms helped shape this edition. This book really is a product of a much larger community of academics and researchers. We would also like to thank the industry experts who contributed to this edition. Their expertise and perspective added a real-world perspective that can only come from years of practical experience. Thank you to Matt Christensen, Dan McDonald at Utah Valley University, Amber Schroader at Paraben Corp., Chris Larsen at BlueCoat Systems, Inc., David Glod at Grant Thornton, Andrew Yenchik, Stephen Burton, and Susan Jensen at Digital Ranch, Inc., Lisa Cradit at L-1 Identity Solutions, and Bruce Wignall at Teleperformance Group.

Thanks go to our editor Bob Horan for his support and guidance. A good editor can produce good books. Bob is a great editor who produces great books. And he has done so for many years. We feel privileged to be able to work with Bob.

Special thanks go to Debbie Ryan, Kelly Loftus and the production team that actually makes the book. Thank you, George Jacob, for your detailed and exceptional copy editing. Most readers won’t fully appreciate the hard work and dedication it takes to transform the “raw” content provided by authors into the finished copy you’re holding in your hands. Debbie, Kelly, George, and the Pearson production team’s commitment and attention to detail have made this into a great book.

Lastly, and most importantly, I (Randy) would like to thank Ray. Like many of you, I have used Ray’s books for years. Ray has a writing style that students find accessible and intuitive. Ray’s books are popular and widely adopted by instructors across the country. His books have been the source of networking and security knowledge for many workers currently in the industry. I’d like to thank Ray for allowing me to contribute to this edition. I’m grateful that Ray trusted me enough to work on one of his books. I hope this edition continues in the legacy of great texts Ray has produced. It’s an honor to work with a generous person like Ray.

Randy Boyle
Ray Panko

ABOUT THE AUTHORS

Randy Boyle is a professor at the David Eccles School of Business at the University of Utah. He received his PhD in Management Information Systems (MIS) from Florida State University in 2003. He also has a master’s degree in Public Administration, and a BS in Finance. His research areas include deception detection in computer-mediated environments, information assurance policy, the effects of IT on cognitive biases, and the effects of IT on knowledge workers. He has received college teaching awards at the University of Alabama in Huntsville and the Marvin J. Ashton Teaching Excellence Award at the University of Utah. His teaching is primarily focused on information security, networking, and management information systems. He is the author of Applied Information Security: A Hands-on Guide to Information Security Software and Applied Networking Labs.

Ray Panko is a professor of IT Management at the University of Hawai`i’s Shidler College of Business. His main courses are networking and security. Before coming to the university, he was a project manager at Stanford Research Institute (now SRI International), where he worked for Doug Engelbart (the inventor of the mouse). He received his BS in Physics and his MBA from Seattle University. He received his doctorate from Stanford University, where his dissertation was conducted under contract to the Office of the President of the United States. He has been awarded the Shidler College of Business’s Dennis Ching award as the outstanding teacher among senior faculty. He is also a Shidler Fellow.

Chapter 1 THE THREAT ENVIRONMENT

Chapter Outline
1.1 Introduction
1.2 Employee and Ex-Employee Threats
1.3 Malware
1.4 Hackers and Attacks
1.5 The Criminal Era
1.6 Competitor Threats
1.7 Cyberwar and Cyberterror
1.8 Conclusion

Learning Objectives: After studying this chapter, you should be able to:
  • Define the term threat environment.
  • Use basic security terminology.
  • Describe threats from employees and ex-employees.
  • Describe threats from malware writers.
  • Describe traditional external hackers and their attacks, including break-in processes, social engineering, and denial-of-service attacks.
  • Know that criminals have become the dominant attackers today, describe the types of attacks they make, and discuss their methods of cooperation.
  • Distinguish between cyberwar and cyberterror.

1.1 INTRODUCTION

The world today is a dangerous place for corporations. The Internet has given firms access to billions of customers and other business partners, but it has also given criminals access to hundreds of millions of corporations and individuals.
Criminals are able to attack websites, databases, and critical information systems without ever entering the corporation’s host country.

Corporations have become critically dependent on information technology (IT) as part of their overall competitive advantage. In order to protect their IT infrastructure, and with it their profitability, from a variety of threats, corporations must have comprehensive IT security policies, well-established procedures, hardened applications, and secure hardware.

Basic Security Terminology

THE THREAT ENVIRONMENT
If companies are to be able to defend themselves, they need an understanding of the threat environment—that is, the types of attackers and attacks companies face. “Understanding the threat environment” is a fancy way of saying “Know your enemy.” If you do not know how you may be attacked, you cannot plan to defend yourself. This chapter will focus almost exclusively on the threat environment.

The threat environment consists of the types of attackers and attacks that companies face.

FIGURE 1-1 Basic Security Terminology (Study Figure)
  The Threat Environment
    The threat environment consists of the types of attackers and attacks that companies face
  Security Goals
    Confidentiality: people cannot read sensitive information, either while it is on a computer or while it is traveling across a network
    Integrity: attackers cannot change or destroy information, either while it is on a computer or while it is traveling across a network. Or, at least, if information is changed or destroyed, then the receiver can detect the change or restore destroyed data
    Availability: people who are authorized to use information are not prevented from doing so
  Compromises
    Successful attacks
    Also called incidents and breaches
  Countermeasures
    Tools used to thwart attacks
    Also called safeguards, protections, and controls
    Types of countermeasures: preventative, detective, corrective

SECURITY GOALS
Corporations and subgroups in corporations have security goals—conditions that the security staff wishes to achieve. Three common core goals are referred to collectively as CIA. This is not the Central Intelligence Agency. Rather, CIA stands for confidentiality, integrity, and availability.

  • Confidentiality—Confidentiality means that people cannot read sensitive information, either while it is on a computer or while it is traveling across a network.
  • Integrity—Integrity means that attackers cannot change or destroy information, either while it is on a computer or while it is traveling across a network. Or, at least, if information is changed or destroyed, then the receiver can detect the change or restore destroyed data.
  • Availability—Availability means that people who are authorized to use information are not prevented from doing so. Neither a computer attack nor a network attack will keep them away from the information they are authorized to access.

Many security specialists are unhappy with the simplistic CIA goal taxonomy because they feel that companies have many other security goals. However, the CIA goals are a good place to begin thinking about security goals.

COMPROMISES
When a threat succeeds in causing harm to a business, this is called an incident, breach, or compromise. Companies try to deter incidents, of course, but they usually have to face several breaches each year, so response to incidents is a critical skill. In terms of the business process model, threats push the business process away from meeting one or more of its goals.

When a threat succeeds in causing harm to a business, this is called an incident, breach, or compromise.

COUNTERMEASURES
Naturally, security professionals try to stop threats. The methods they use to thwart attacks are called countermeasures, safeguards, protections, or controls. The goal of countermeasures is to keep business processes on track for meeting their business goals despite the presence of threats and actual compromises.

Tools used to thwart attacks are called countermeasures, safeguards, or controls.

Countermeasures can be technical, human, or (most commonly) a mixture of the two. Typically, countermeasures are classified into three types:

  • Preventative—Preventative countermeasures keep attacks from succeeding. Most controls are preventative controls.
  • Detective—Detective countermeasures identify when a threat is attacking and especially when it is succeeding. Fast detection can minimize damage.
  • Corrective—Corrective countermeasures get the business process back on track after a compromise. The faster the business process can get back on track, the more likely the business process will be to meet its goals.

TEST YOUR UNDERSTANDING
1.  a. Why is it important for firms to understand the threat environment?
    b. Name the three common security goals.
    c. Briefly explain each.
    d. What is an incident?
    e. What are the synonyms for incidents?
    f. What are countermeasures?
    g. What are the synonyms for countermeasure?
    h. What are the goals of countermeasures?
    i. What are the three types of countermeasures?

Case Study: The TJX Data Breach

If this terminology seems abstract, it may help to look at a specific attack to put these terms into context and to show how complex security attacks can be. We will begin with one of the largest losses of private customer information. This is the TJX data breach.

THE TJX COMPANIES, INC.
The TJX Companies, Inc. (TJX) is a group of over 2,500 retail stores operating in the United States, Canada, England, Ireland, and several other countries. These companies do business under such names as TJ Maxx and Marshalls. In its literature, TJX describes itself as “the leading off-price retailer of apparel and home fashions in the U.S. and worldwide.” With this type of mission statement, there is strong pressure to minimize costs.

DISCOVERY
On December 18, 2006, TJX detected “suspicious software” on its computer systems. Three days later, TJX called in security consultants to examine the situation. On December 21, the consultants confirmed that an intrusion had actually occurred. The next day, the company informed law enforcement authorities in the United States and Canada. Five days later, the security consultants determined that customer data had been stolen.

The consultants initially determined that the intrusion software had been working for seven months when it was discovered. A few weeks later, the consultants discovered that the company had also been breached several times in 2005. All told, the consultants estimated that 45.7 million customer records had been stolen.[1] This was by far the largest number of personal customer records stolen from any company at that time.

The thieves did not steal these records for the thrill of breaking in or to enhance their reputations among other hackers. They did it so that they c...

Explanation & Answer

Attached.

Facility Network Security - Outline
Thesis statement: It creates an environment that is focused on the security of the facilities and the identification of the vulnerabilities of the organization.
I. Existing and Potential Vulnerabilities
   A. Injection
   B. Overflow of the Buffer
   C. Misconfiguration
II. Methods of Overcoming Threats
   A. Increase in the number of the security officers
   B. Evaluation of the Policy of Security
   C. Training
   D. Response Rates
   E. System Monitoring
III. Encryption Techniques
   A. Wired Equivalent Privacy
   B. Wi-Fi Protected Access
IV. Cyber-Attack Prevention
   A. Computer update.
   B. Use of passwords.

Running head: FACILITY NETWORK SECURITY

Critical Thinking: Facility Network Security: Assessment and Recommendations
Name
Institution

1

Critical Thinking: Facility Network Security: Assessment and Recommendations
Facilities face different types of risks, and their identification is necessary as it ensures
that there is the management of the risks and the threats that they face. The number of risks
seems to increase due to the growth in technology, and this means that there is the identification
of the responsibilities of the management in the protection of the data and ensuring that there is
the determination of the potential risks likely to take place in the organization. It is important
there is the determination of the number of employees in the organization as it is through this
that there is the enabling of training on the risks that the company is likely to face and the
mitigation elements that all the employees should implement. It creates an environment that is
focused on the security of the facilities and the identification of the vulnerabilities of the
organization.
Existing and Potential Vulnerabilities
There are different vulnerabilities that the systems are likely to face, and this includes
the potential of the hackers on the system. It is where there is the damaging of the computer
system that is enabled by the stealing of data, and this leads to the need to secure the systems.
With the increase in the number of hackers, there is the need to ensure that proper infrastructure
is in place, as it is through this that there is the management of the risks to which the system is
vulnerable. Some of the vulnerabilities that the system is likely to face include:
Injection
It is evident where there is the sending of data that is entrusted to the interpreter. It brings
about different flaws to the systems, and these are likely to affect the operation of the system.
The flaws of the injection are recognized through the use of codes that help in the analysis of the
exposure of the organization to the hackers. There is the testing of the systems as it is through
this that there is the identification of the environment of operation and the enhancement of the
production of the systems. The use of injection is the exposure of the sensitive data of the facility
to the hackers, and this means that there are the decreased accountability and the lack of access
to the relevant data (Dahbur, Bashabsheh & Bashabsheh, 2017). Where there is injection by the
attacker, there is the compromising of the system, and this leads to the lack of control over the
operations of the company as the hackers are in control of the situation. The impact of the attacks
is known to affect the system's legacy and the access to the data internally. There is the
observation of the different flaws of the systems and the techniques that are important for the
identification of the severe attacks that the organization is likely to face.
Overflow of the Buffer
It is a vulnerability that occurs where there is an attempt to increase the overflow of data
in the buffer. The process allows an attacker to overwrite the information that is sensitive to the
operation of the organization. It is important that there is the identification of the various ways
that the attackers are likely to corrupt the organization information, as it is through this that there
is the detection of the codes that they use maliciously. The identification of the cause of the
overwriting is important as it gives the management the security measures that they should apply
to make sure that there is the functioning of the systems. It is through this that there is the
application of there is the control of the operation of the systems in the organization and the
analysis of the applications most vulnerable to the attacks (D'Arcy, Herath & Shoss, 2014). The
considerations of the attacks that are going to help in the identification of the frequency of the
exploits as it is through this that there is the creation of the kits that help in managing the attacks
that are likely to occur.
Existing Threats
The existing threats in the organization are important, as it is through this that there is
cautioning of the employees in the operation of the systems. There is the identification of the
measures that the company should apply in the managing of the risks and that the employees are
aware of the functioning of the systems. Sensitivity in data is one of the actual threats that
happens where the unauthorized personnel accesses the data. The storing of data should be
focused on security, as this shows that there is the need to back up the relevant information and the
data that they use for browsing. It means that the authorized personnel should access the data and
the protection is through the use of passwords for the people that have access to the
information. It is important that there is the determination of the flaws of the systems as they are
the ones that give the attackers the right to the information (Skitsko & Ignatova, 2016). It is
important that there is the coordination of the employees as it is through this that there is the
rectification of the issues that the organization faces and the protection of the data through the
use of encryption.
Misconfiguration of the security is also one of the existing vulnerabilities that are
considered to be dangerous as it allows the hackers to identify the weakness of the system. Some
of the misconfigurations include the outdating of the software of the company, and this means
that the hackers quickly identify the weakness of the system and they are likely to encounter. It
gives them easy access to the system, and this necessitates for the increase in the number of the
security measures that the company should implement. It makes sure that there is the
configuration of the data and that the use of the passwords is enhanced. It is also important that
different rights are given to the employees as it ensures that they are aware of the role that they
play in the protection of the data (Gao & Zhong, 2015). Having default accounts in the
management of the system should be considered as the insecurity that is likely to occur leading
to the increase in the vulnerabilities of the system. It is important that there is the focus on the
issues that the company is likely to face as it is through this that there is the minimization of the
exposure. It also means that there is the use of the different software to help in the correction of
the flaws of the organization. It also ensures that there is the mitigation aspect of the
threats and the consideration of the impact that it is likely to have.
Methods of Overcoming Threats
The challenges that the organization faces regarding compliance are critical as they allow
for the important measure to be implemented and that there is the control of the security of the
information in the organization. In the safeguarding of the reputation of the organization and
making sure that there is the maintenance of safety in the organization, it is important that the
following measures are implemented:
Increase in the number of the security officers
The nature of the organization dictates the number of the employees to be hired in the
security department and this is where there is the allocation of the duties that they should handle.
It helps in making sure that the other employees are educated on the need to observe the security
of the organization and the use of the different incentives in increasing the responsibility of the
employees (Karlsson, Hedström & Goldkuhl, 2017). It ensures that there is the focus on the
compromise that they are likely to face as it is through this that there is an enhancement of the
success of the organization.
Evaluation of the Policy of Security
The measure is important as it ensures that there is the assessment of the needs of the
organization. It is important as there is the laying out of the update of the security of the
organization and the provision of direction to the functioning of the organization. The use of the
different policies set is necessary in the defining of the security measures to use in the reduction
of the risks of the organization. There is the determination of the breaches likely to take place
and the handling of the same given the networks of the organization. The guidelines for the users
are well i...
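The buffer overflow section above describes an attacker overwriting sensitive information that sits next to an overrun field. The following C listing is an added example, not part of the tutor's answer: a constructed patient record whose fixed-size name field is followed by an access-level field, with the unchecked copy that corrupts it shown beside a bounded copy that rejects over-long input. The struct layout, field names and inputs are all assumptions made for this illustration.

```c
#include <string.h>
#include <stdint.h>

#define NAME_LEN 16

/* Constructed record: the fixed-size name sits directly before a sensitive
 * access-level field, so a copy that overruns the name lands on it. */
struct patient_record {
    char    name[NAME_LEN];
    int32_t access_level;   /* 0 = read-only, 1 = clinician, 2 = admin */
};

/* Vulnerable: copies until the terminator with no bounds check (the strcpy()
 * pattern). It walks the raw bytes of the whole struct so the overrun into
 * access_level stays inside the object and can be observed; inputs must stay
 * shorter than sizeof(struct patient_record). */
void vulnerable_set_name(struct patient_record *rec, const char *src) {
    char *dst = (char *)rec;
    size_t i = 0;
    while (src[i] != '\0') { dst[i] = src[i]; i++; }
    dst[i] = '\0';
}

/* Hardened: measure only inside the field, reject input that leaves no room
 * for the terminator, leave the record untouched on rejection.
 * Returns 1 on success, 0 if rejected. */
int safe_set_name(struct patient_record *rec, const char *src) {
    size_t len = 0;
    while (len < NAME_LEN && src[len] != '\0') len++;
    if (len == NAME_LEN) return 0;
    memcpy(rec->name, src, len);
    rec->name[len] = '\0';
    return 1;
}

/* Access level left in a fresh record after the unchecked copy; nonzero
 * means the name overran into the adjacent field. */
int32_t level_after_vulnerable_copy(const char *input) {
    struct patient_record r = { "", 0 };
    vulnerable_set_name(&r, input);
    return r.access_level;
}

/* 1 if the bounded copy accepted the input, 0 if it rejected it. */
int safe_copy_accepts(const char *input) {
    struct patient_record r = { "", 0 };
    return safe_set_name(&r, input);
}
```

A 19-character name fills the 16-byte field and spills three bytes into access_level through the unchecked copy, while the bounded copy refuses anything of 16 characters or more.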

