Security Trends
This chapter presents the following:
• Evolution of computing and how it relates to security
• Different areas that fall under the security umbrella
• The definition of information warfare
• Examples of security exploits
• A layered approach to security
• Politics that affect security
Security is a fascinating topic because it covers so many different areas (physical, network, platform, application, and so on), each with its own risks, threats, and solutions. When information security is discussed, the theme is usually hackers and software vulnerabilities. Although these are big security concerns, they are only two components within the larger field of security issues. Hacking is foremost in people’s minds with regard to security because that is what usually fascinates the media and thus makes the headlines. Hacking is considered flashy and newsworthy, whereas not much coverage is given to what is going on behind the scenes with corporations’ global security issues and the Internet as a whole.
How Security Became an Issue
It is interesting to pick up various computer books and see there is usually a history section that sets the stage for where society is today pertaining to computing and data processing. Unlike histories that tell of times long past, the history of computing typically begins in the 1960s. A lot has happened in a short period of time, and computer security is just starting to reach its time in the limelight.

Roughly 25 years ago, the only computers were mainframes. They were few and far between and used for specialized tasks, usually running large batch jobs, one at a time, and carrying out complex computations. If users were connected to the mainframes, it was through “dumb” terminals that had limited functionality and were totally dependent on the mainframe for their operations and processing environment. This was a closed environment with little threat of security breaches or vulnerabilities being exploited. This does not mean things were perfect, that security vulnerabilities did not exist, and that people were in a computing utopia. Instead, it meant there were a handful of people working in a “glass house” who knew how to operate the mainframe. They decided who could access the mainframe and when. This provided a much more secure environment, because of its simplicity, than what we see in today’s distributed and interconnected world.

In the days of mainframes, web sites describing the steps of how to break into a specific application or operating system did not exist. The network stacks and protocols used were understood by very few people relative to the vast number of individuals that understand stacks and protocols today. Point-and-click utilities that can overwhelm buffers or interrogate ports did not exist. This was a truly closed environment that only a select few understood.
If networks were connected, it was done in a crude fashion for specific tasks, and corporations did not totally depend on data processing as they do today. The operating systems of that time had problems, software bugs, and vulnerabilities, but not many people were interested in taking advantage of them. Mainframe operators were at the command line and if they encountered a software problem, they usually just went in and manually changed the programming code. All this was not that long ago, considering where we are today.
As companies became more dependent on the computing power of mainframes, the functionality of the systems grew and various applications were developed. It was clear that giving employees only small time slices of access to the mainframes was not as productive as it could be. Processing and computing power was brought closer to the employees, enabling them to run small jobs on their desktop computers while the big jobs still took place within the “glass house.” This trend continued and individual computers became more independent and autonomous, only needing to access the mainframe for specific functionality.
As individual personal computers became more efficient, they continually took on more tasks and responsibilities. It was shown that several users accessing a mainframe was an inefficient model; some major components needed to be more readily available so users could perform their tasks in an efficient and effective way. This thinking led to the birth of the client/server model. Although many individual personal computers had the processing power to compute their own calculations and perform their own logic operations, it did not make sense that each computer held information needed by all other computers. Thus, programs and data were centralized on servers, with individual computers accessing them when necessary and accessing the mainframes less frequently, as shown in Figure 2-1.
With the increasing exposure to computing and processing, individuals who used computers learned more about using the technology and getting the most out of it. However, the good things in life often have a darker side. Taking technology down from the pedestal of the mainframe and putting it into so many individuals’ hands led to many issues never before dealt with in the mainframe days. Now there were thousands of inexperienced users who had much more access to important data and processes. Barriers and protection mechanisms were not in place to protect employees and systems from mistakes, so important data got corrupted accidentally, and individual mistakes affected many other systems instead of just one.
Because so many more people were using systems, the software had to be made more “idiot-proof” so that a larger audience could use the same platform. Computer operators in the mainframe days understood what the systems expected, how to format input, and how to properly read output. When this power was put into individuals’ desktops, every imaginable (and unimaginable) input was used, which corrupted information and mangled operating systems.
Companies soon realized that employees had to be protected from themselves and that data had to be protected from mishaps and mistakes. The employees needed layers of software between them and the operating system components and data they could potentially destroy. Implementing these layers not only enhanced security—by separating users from the core of the operating systems and files—but also increased productivity as functionality continued to be inserted to make computers more useful to businesses and individuals.
As the computing world evolved, symbiotic relationships grew among the technological advances of hardware, circuitry, processing power, and software. Once a breakthrough was made that enabled a computer to contain more memory and hard drive space, new software was right on its heels to use it and demand more. When software hit a wall because it was not supplied with the necessary registers and control units, the hardware industry was Johnny-on-the-spot to develop and engineer the missing pieces to the equations. As the hardware end grew to provide a stable and rich platform for software, programmers developed software that provided functionality and possibilities not even conceived of a few years earlier. It has been a wonderful game of leapfrog that does not seem to have any end in sight.
Lovely story, but what does it mean to security?
Figure 2-1 The relationship between a mainframe, servers, and workstations
In the beginning, the issues associated with bringing computing closer to individuals brought along many mistakes, technological hurdles, and operational issues not encountered in the workforce before. Computers are tools. Just as a knife can be a useful tool to cut meat and vegetables, it can also be a dangerous tool if it is in the hands of someone with malicious intent. The vast capabilities and functionality that computers have brought to society have also brought complex and troubling methods of destruction, fraud, abuse, and insecurity.

Because computers are built on layers (hardware platform, chips, operating systems, kernels, network stacks, services, and applications), these complex issues have been interwoven throughout the strata of computing environments. Plugging the holes, writing better software, and providing better perimeter security are often easier said than done because of the density of functionality within an infrastructure, interoperability issues, and the availability requirements of the necessary functionality.

Over a short period of time, people and businesses have come to depend greatly upon computer technology and automation in many different aspects of their lives. Computers run public utilities, military defense systems, financial institutions, and medical equipment, and are heavily used in every possible business sector. Almost every company relies on data processing for one reason or another. This level of dependence and the extent of integration that technology has attained in our lives have made security a much more necessary and essential discipline.
Computer security is a marathon to be run at a consistent and continual pace. It is not a short sprint, and it is not for those who lack dedication or discipline.
Areas of Security
Security has a wide base that touches on several different areas. The developers of the CISSP exam had the vision to understand this and demand that an individual who claims to be a security expert and wants to achieve this certification must also show that his expertise does not just lie in one area of security. Many areas of security affect each other. Physical security is interrelated with information security, database security lies on top of operating system security, operations security affects how computer systems are used, disaster recovery deals with systems in emergency situations, and almost every instance has some type of legal or liability issue tied to it. Technology, hardware, people, and procedures are woven together as a security fabric, as illustrated in Figure 2-2. When it is time to identify and resolve a specific problem, several strands of the security fabric may need to be unraveled and scrutinized so the best and most effective solution can be provided.
This chapter addresses some specific security issues regarding computers, information, and organizations. This is not an attempt to cover all relevant subjects, but rather to show specific instances to give you an idea of the vast area that security encompasses. The information in these sections is provided to set the stage for the deeper levels of coverage that will be addressed in the following chapters.
Benign to Scary
Computers and networks touch every facet of modern life. We are increasingly dependent on computer/network technology for communication, funds transfers, utility management, government services, military action, and maintaining confidential information. We use technology to provide energy, water supplies, emergency services, defense systems, electronic banking, and public health services. At the same time, this technology is being abused to perform illegal or malicious activities, such as to steal credit card numbers, use telephone systems fraudulently, illegally transmit trade secrets and intellectual property, deface web sites for political reasons, disrupt communications, reveal critical national secrets and strategies, and even commit extortion.
The term “information warfare” covers many different activities that pertain to individuals, organizations, and nations. Information warfare can be defined as any action to deny, exploit, corrupt, or destroy the enemy’s information and its function, while at the same time protecting oneself against those same actions. Governments have used information warfare techniques to gather tactical information for years. Organizations have stolen competitors’ trade secrets and plans for new products before they were released. Individuals have also used computers to steal money, access personal financial information, steal individual identification information, deface web sites, and cause destruction to draw attention to a particular cause.
There once was a time when hacking activities, viruses, and malware incidents were relatively benign. Many hackers carried out such activities to impress their peers and show they were clever enough to disrupt some businesses here and there, but overall their intent was not to inflict massive damages to an entity.
Figure 2-2 Technology, hardware, people, and procedures are woven together as a security fabric.
But where once the developer of a worm or virus received only the self-satisfaction of overcoming a challenge, things today have changed dramatically. The trend of hacking for “fun” is disappearing, to be quickly replaced by hacking with profit-driven motives. There is an old saying that goes, “Why did the thief rob the bank?” Answer: “Because that was where the money was kept.” If we apply that to today’s world, it may go more like this: “Why are the thieves hacking computers?” Answer: “Because today that is where the financial information and critical data are kept.”
Today, security breaches, malware, and hacking often target specific victims and have specific goals. Viruses used to spread via users opening attachments, followed by the virus sending copies of itself to the victim’s contact list. Thus, it simply replicated itself—big deal. Now, hackers work together to steal data used for identity theft, they raid funds from online accounts, and carry out extortion when holes are discovered in a company’s security program. Some individuals are even being hired by organized crime rings for just such objectives.
In short, hacking is constantly evolving. In an industry driven by continual technological innovation, hackers remain abreast of these changes and often are a step ahead of the good guys who are trying to protect company assets. The level of sophistication has increased as well because the stakes are now that much higher. It is not unheard of for organizations to secretly employ hackers to perpetrate all kinds of maliciousness against their competitors. Everything from business contracts, customer lists, industrial secrets, product blueprints, and financial data can be culled from an organization’s computer systems by those with the necessary technological skills if aided by security weaknesses at the target organization. Routinely, news stories arise about international crime rings targeting banks and credit card companies through cyberattacks, the results of which are the loss of millions of dollars, through identity fraud and outright theft of funds. In many cases, the greatest damage done to these companies is to their reputations and the confidence consumers have in the organizations.
Evidence of the Evolution of Hacking
Several incidents indicate that not only is hacking activity on the rise, but the sophistication of the attacks is advancing rapidly. Alarmingly, a majority of attacks use methods that have been understood for quite some time and for which fixes have been readily available. This indicates that not enough network maintainers have kept up-to-date on security changes and installed the necessary patches or configurations.

It is an unfortunate, but common, occurrence to see hackers exploiting the various computer vulnerabilities in order to steal millions of credit card and account numbers from systems associated with e-commerce, online banking, or the retail sector. Some hackers will extort the organization with the threat of releasing the sensitive data to others. The hackers will offer a “security service” to fix the systems they have attacked for a fee, and if the institutions do not agree to pay, the attackers will threaten to do even more damage by posting the customers’ credit card numbers on web sites available to the public. Some organizations call the hacker’s bluff and refuse to pay, while some organizations pay the “hush money” and get the FBI involved.
The public is often very much in the dark about the kinds of damages worms, viruses, and hacks have done to companies. Unless these events make the news, the attacked organization usually only notifies their customers when absolutely necessary, or just sends them new cards and account numbers without any real explanation as to why they are being issued. It is usually only when more and more people are affected by attacks that they make the news and the general public becomes aware of them. Because of this common secrecy of security breaches, a majority of the states in America have privacy laws that require customers to be told of these issues that could directly affect them.
Organizations have their own motivation behind keeping the news about these kinds of attacks as quiet as possible. First, they don’t want to lose their customers due to a lack of confidence and thereby lose their revenue. Secondly, they don’t want to announce to the world that they have holes in their enterprises that lead right to the company jewels. Public knowledge of these vulnerabilities can bring about a storm of new attackers. It is similar to being attacked by a shark in the ocean only to have more sharks appear for their afternoon snack. It is not pretty.
Most of us know about Paris Hilton’s stint in jail; yet we are not aware of the continuous computer crimes that are taking place around us. The following sections show just some examples of activities that take place. Visit www.cybercrime.gov to see other convictions that have taken place.
There have been many reported and unreported financially motivated attacks. It was reported on February 2, 2007 that a former state contractor allegedly accessed a workers’ compensation data file at the Massachusetts Department of Industrial Accidents and stole personal information, including Social Security numbers. The thief is known to have used that information to commit identity theft on at least three of the individuals whose information was stolen. It is believed that as many as 1200 people have been affected by this theft.
On February 28, 2006, Kenneth J. Flury, a 41-year-old man from Cleveland, Ohio, was sentenced to 32 months in prison and three years of supervised release as a result of his convictions for bank fraud and conspiracy. Flury was ordered to pay CitiBank $300,748.64 in restitution after having been found guilty of trying to defraud CitiBank between April 15, 2004 and May 4, 2004. He had obtained stolen CitiBank debit card numbers and PINs and then used them to encode blank ATM cards. He then used the counterfeit ATM cards to obtain cash advances totaling over $384,000 from ATM machines located in the Cleveland area during a three-week period. To pay off his accomplices, $167,000 of the stolen funds was transferred by Flury to the criminals who provided him with the stolen CitiBank account information. These individuals were later located in Europe and Asia. An additional $32,345 was seized by law enforcement officials before it could be transferred to accomplices in Russia.
Though company-to-company espionage usually flies under the public’s radar, there is nonetheless a great deal of activity in this area also. On August 25, 2006, a man in Michigan was sentenced to 30 months in prison for conducting computer attacks upon a competitor of his online sportswear business. Jason Salah Arabo, 19, of Southfield, Michigan, was ordered to make restitution of $504,495 to his victim. Arabo and an accomplice remotely controlled some 2000 personal computers they had infected with malware to conduct distributed Denial-of-Service attacks upon their competitor’s servers and web sites, thus completely disrupting the victim’s business.
Early in 2004, the MyDoom worm infected hundreds of thousands of computers, which were then used to launch an attack on the SCO Group. The attack was successful and kept the Utah-based Unix vendor from conducting business for several days. Although no official reason for the attack was ever uncovered, it is believed to have something to do with the fact that IBM was being sued by SCO for $5 billion.

One of the most frustrating aspects of these kinds of extortion attacks is that they aren’t limited to what are considered traditional borders. On Valentine’s Day of 2006, a group of animal activists organized an event where they encouraged people to log in to their chat room. Every word typed during this “chat” then triggered an e-mail to a list of predetermined organizations in the fur industry, and other companies that conducted animal vivisection. Such examples demonstrate that cyber-extortion isn’t solely motivated by money, and can arise for any number of reasons.

In June of 2006, the Department of Justice (“DOJ”) (in an operation appropriately named “Operation French Fry”) arrested eight persons (a ninth was indicted and declared a fugitive) in an identity theft ring where waiters had “skimmed” debit card information from more than 150 customers at restaurants in the Los Angeles area. The thieves had used access device-making equipment to re-stripe their own cards with the stolen account information, thus creating counterfeit debit cards. After requesting new PINs for the compromised accounts, they would proceed to withdraw money from the accounts and use the funds to purchase postal money orders. Through this scheme, the group was allegedly able to steal over $1 million in cash and money orders.
A recent attack in Louisiana shows how worms can cause damage to users, but not in the typical e-mail attachment delivery system we’re used to. The case, United States v. Jeansonne, involved users who subscribed to WebTV services, which allow Internet capabilities to be executed over normal television connections.

The hacker sent an e-mail to these subscribers that contained a malicious worm. When users opened the e-mail, the worm reset their Internet dial-in number to 911, the emergency services number. As a result, several areas, from New York to Los Angeles, experienced false 911 calls whenever a user attempted to connect to their web services. The trick the hacker used was an executable worm. When launched, the users thought a simple display change was being made to their monitor, such as a color setting. In reality, however, the dial-in configuration setting was altered.
In some cases, the loss of information that can have a detrimental effect upon an organization and its customers is done accidentally. On January 26, 2007, a woman in Bossier purchased a used desk from a furniture store. Once the desk was delivered, she discovered a 165-page spreadsheet in one of the drawers, containing the names and Social Security numbers of current and former employees of Chase Bank in Shreveport, Louisiana. Although the document was returned immediately, the information on these 4100 individuals could have been used for illegal, and perhaps devastating, undertakings had the finder of the list been less honest.
In early 2005, Choicepoint, a data gathering company, allowed individuals, who they thought were representing legitimate companies, access to 145,000 records within their database. The records held extensive private information on American citizens that could easily be used for identity theft. These individuals created several phony companies and used Choicepoint’s information service to gather personal data. Each phony company collected the data over a period of time, thus keeping the whole operation under Choicepoint’s radar. The individuals pieced together the information and compiled essentially full financial information on the victims, from credit reports to Social Security numbers. Only one person was arrested and received 16 months in jail.
In March 2005, hackers obtained 1.4 million credit card numbers by carrying out an attack on DSW Shoe Warehouse’s database. In addition to obtaining credit card information, the attackers gained driver’s license numbers and checking account numbers from 96,000 accounts.
In 2005, LexisNexis notified around 280,000 people that their passwords and IDs may have been accessed and stolen, and Bank of America lost their data backup tapes, which contained credit card account information for at least 1.2 million federal employees, many of whom worked at the Pentagon.
Examples of attempts to gain personal information are rampant. After discovering that fraudulent e-mail messages purporting to be from the Internal Revenue Service were being sent in an attempt to gain personal information, the IRS issued a notice that it does not use e-mail to contact taxpayers about issues related to their accounts. Yahoo.com issued warnings to its members to be careful about which web page they attempt to sign in on. Yahoo cautioned that the http://mail.yahoo.com/ address must include the trailing slash after the yahoo.com designation; otherwise the address that appears in the browser page could be bogus, an attempt to impersonate the official web site’s sign-in page. Yahoo cited the following as an example: http://www.yahoo.com:login&mode=secure&i=b35870c196e2fd4a&q=1@16909060. In that address, everything before the @ is treated by the browser as a username and password, not as the destination, so the connection actually goes to the host 16909060, which is the IP address 1.2.3.4 written as a single decimal number.
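The address above can be checked mechanically. The following is an added example written for this page (it is not from the book and not Yahoo’s code): it splits a URL the way a browser does, reports the host that is actually contacted rather than the one that appears first, and decodes a host written as a single decimal or hexadecimal integer, a form browsers of that period accepted. The entries in SAMPLES are constructed for the demonstration; the first is the address quoted by Yahoo, the rest are made up.

```python
"""Added example (not from the book): expose the userinfo host-spoofing trick.

Per RFC 3986 the authority part of a URL is  [userinfo@]host[:port], so a
browser given  http://www.yahoo.com:login&...@16909060  sends the request to
16909060, not to www.yahoo.com.  A host that is one bare integer is the 32-bit
value of an IPv4 address; 16909060 == 0x01020304 == 1.2.3.4.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample URLs for the demonstration.  The first is the address the
# chapter quotes from Yahoo's warning; the others are made up for this example.
SAMPLES = [
    "http://www.yahoo.com:login&mode=secure&i=b35870c196e2fd4a&q=1@16909060",
    "http://mail.yahoo.com/",
    "http://www.paypal.com@0x0a000001/login",
    "https://login.example.net/verify",
]


def decode_numeric_host(host):
    """Return the dotted-quad form of a host written as one integer, else None.

    Handles the decimal (16909060) and hexadecimal (0x01020304) spellings that
    browsers of the period accepted; anything else is left to normal DNS.
    """
    try:
        if host.lower().startswith("0x"):
            value = int(host[2:], 16)
        elif host.isdigit():
            value = int(host, 10)
        else:
            return None
        return str(ipaddress.IPv4Address(value))   # raises on values >= 2**32
    except ValueError:
        return None


def analyze(url):
    """Split the URL like a browser and report where the request really goes."""
    parts = urlsplit(url)
    actual_host = parts.hostname or ""
    # rpartition: the LAST '@' in the authority is the userinfo/host boundary.
    userinfo, at, _ = parts.netloc.rpartition("@")
    # What a casual reader sees first: the "user" part before ':' when there is
    # userinfo, otherwise the genuine host.
    looks_like = userinfo.split(":", 1)[0] if at else actual_host
    decoded_ip = decode_numeric_host(actual_host)
    return {
        "url": url,
        "looks_like": looks_like,
        "actual_host": actual_host,
        "decoded_ip": decoded_ip,
        # Userinfo in a web URL, or an integer host, is enough to flag it.
        "suspicious": bool(at) or decoded_ip is not None,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        r = analyze(sample)
        where = r["actual_host"] + (f" ({r['decoded_ip']})" if r["decoded_ip"] else "")
        verdict = "SPOOFED" if r["suspicious"] else "ok"
        print(f"{verdict:8} looks like {r['looks_like']:<18} goes to {where}")
```

Run the check against the href a link actually points to, not the text shown to the user; the two are independent in HTML and in e-mail clients. Modern browsers warn about or strip userinfo in http URLs, but the integer-host decoding still applies and the same split is what any server-side link filter should perform.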
The nonprofit organization Identity Theft Resource Center (www.idtheftcenter.org) issues notices about the latest scams and consumer alerts and states that identity theft is the fastest growing crime in America today. Many of the compromises come from fraudulent e-mails (scams) and carelessly developed online shopping and online banking software. A variation of the scams includes the account verification schemes in which the thief attempts to obtain information from unsuspecting e-mail recipients by sending a mass e-mail message, purporting to be from eBay, PayPal, a bank, or some other legitimate organization, with an “Urgent” request for account verification and a warning that their account is about to expire. A link is provided that, when clicked, leads the victim to a web page that looks legitimate and asks for account information. These are known as phishing scams.
These examples sadly represent only a small percentage of the hacking activity going on. These attacks were identified and reported. Most are not. Many organizations do not report hacking activity because they are afraid of damaging their reputation, losing the faith of their customer base, and adversely affecting their shareholders and stock prices. Other attacks go unnoticed or unidentified, and thus are not reported, while international attacks against military and government systems typically go unreported to the public. So, even though computers and networks remain great tools and have brought society much advancement, like many other tools, they are often used for sinister purposes.
How Are Nations Affected?
The art of war requires soldiers to outmaneuver the enemy and strike them down if necessary. In traditional warfare, the enemy was usually easily detectable. They were driving a tank, bombing from an airplane, attacking from a submarine, or shooting missiles. Today, the enemy may be harder to find, some attacks are harder to track, and the objectives of the attacker are at times more nebulous. Many governments’ military intelligence agencies have had to develop new methods of collecting information on potential foreign enemy movement, conducting surveillance, and proving guilt in criminal activities.
Although militaries still train most soldiers how to shoot, fight in combat, and practice evasive maneuvers, a new type of training is being incorporated. Because a majority of the military vehicles, weapons systems, and communication systems are controlled by technology, new soldiers must know how to use these technological tools to achieve the same goal of the soldier of the past—to win in war. Today’s soldiers not only need to know how to operate the new technology-driven weapons systems, but how to defend these systems from attacks and possibly use them to attack the enemy’s defense systems.
Disrupting communication has always been an important tactic in war because it impedes proper planning and warnings of imminent attacks. Knocking out communication lines is one of the first steps in the recipe of a successful attack. Today, most military communication is handled through computer-based systems, and the tools to disrupt communication of the enemy have changed. For example, the CIA reported to a U.S. congressional committee that foreign nations include information warfare in their military arsenal and provide defensive and offensive attack methods. These nations are devising documentation, strategic plans, and tools to carry out information warfare on other nations.
During the Persian Gulf War in 1991, it was reported that hackers from the Netherlands penetrated 34 American military sites that supported Operation Desert Storm activities. They extracted information about the exact location of military troops, weapon details, and movement of American warships. It could have been a different war if Saddam Hussein had actually bought this information when it was offered to him, but he did not—he thought it was a trick.
In another example, it was reported that the Irish Republican Army stole telephone bills to determine the addresses of potential targets in their political attacks. Authorities seized a batch of computer disks in Belfast and were able to decrypt the information after months of effort. This information was most likely gained by successfully hacking into the telephone company’s database.
A report declassified in May 1995 stated that prior to the August 1991 coup attempt in the Soviet Union, the KGB had been writing and developing viruses to disrupt computer systems during times of war. Another report, by the U.S. Defense Intelligence Agency, indicated that Cuba had developed viruses to infect and damage U.S. civilian computers. There is no proof these viruses were released and actually caused damage, but there is no proof they weren’t released either. It has also been reported that during the 1999 Kosovo Air Campaign, fake messages were injected into Yugoslavia’s computer-integrated air defense systems to point the weapons at false targets. Examples like these make it clear that military use of computer-based tools and attacks is growing in sophistication and utilization.

Critical to the function of the Internet are the 13 root DNS servers, which answer the first step of every uncached name lookup by pointing resolvers at the top-level domain servers. If some of these go down, some web sites may become unreachable and some e-mail may not be delivered. If they all came down, the Internet would basically stop functioning once resolvers’ cached answers expired. On February 6, 2007, another cyberattack occurred that targeted the 13 root DNS servers. Three computers used in this capacity were overwhelmed, but to the great relief of many, the attack went largely unnoticed by most computer users around the globe. Computer scientists involved claim this is due to the increased resiliency of the Internet and the sharing of duties that has taken place since the last major attack upon these computers in 2002. That sharing of duties is anycast: each of the 13 root server addresses is now answered by many physically separate machines in different locations, so overwhelming a few of them no longer takes a root server off the Internet.
Today, reports indicate that many terrorist groups are now using propaganda on the Internet to find prospective recruits. Luckily, these tactics have also spawned their cyber opposites, such as the cyber-antiterrorist group Internet Haganah, founded by Aaron Weisburd. Weisburd, and others like him, now track down terrorist-related web sites and pose as individuals sympathetic to the web sites’ creators. They then gather as much information as they can and pass it along to various law enforcement agencies in order to shut down the web sites and, when possible, prosecute those responsible.
In another aspect of cyberterrorism, the U.S. Department of Defense believes at least 20-some countries have now established Cyber War organizations in an effort to create and develop the tools and techniques needed to attack other national militaries and civilian targets via the Internet. Possible Cyber Wars like this are already a reality. The number of attacks and intrusion attempts on the Department of Defense (DoD) has continued to rise in recent years. In some cases, the DoD has endured more than 500 cyberattacks a day. Fortunately, the number of successful attempts has declined due to a strategic effort to train personnel and implement the best security measures available.
Almost every task in an individual’s day interrelates with a technology that is controlled or monitored by a computer-based system. Turning on the lights, paying a gas bill, flying on a plane, talking on the telephone, and receiving medical treatment are all events that depend on large computer systems monitoring and providing a flow of service. Even sophisticated military defense systems rely on commercial power, communication, transportation, and monitoring capabilities that are computer-based. A country’s strength depends on its privately owned critical infrastructures and industries. These private-sector infrastructures have already been victimized by computer attacks, and a concerted attack on any of these key economic sectors or governmental services could have widespread ramifications. Most governments have recognized this vulnerability and have started taking the necessary defense steps because it is very likely that in future wars a country’s entire infrastructure could be targeted via these new methods—computer-generated attacks.
NOTE The examples here are U.S.-centric, but the CISSP exam is not. It has evolved over the years to have a greater international focus.
How Are Companies Affected?
Many companies fail to understand how security implementations help their bottom line. After all, businesses are created to turn a profit, and if there is no direct correlation for an item—tying it in neatly to the linear concept of cost and profit—that item is often given low priority. Thankfully, more companies today are discovering how security affects their bottom line in ways they never expected.

If a company suffers a security breach, it must deal with a wide range of issues it likely wasn’t prepared for. Several companies recently had their databases attacked and their customers’ information compromised. Once customers find out that a company is not protecting their confidential and financial information properly, they will often take their business elsewhere. If the number of customers affected is in the range witnessed over the last year (10,000 to 1.4 million credit cards stolen at a time), and if the company loses a similar number of customers at one time, the company could go out of business. Of course, these events also affect the reputation of the company, its shareholders, and its stock price. In addition, the customers can sue the company, which could result in punitive damages and court fees. This would definitely impact the bottom line.

NOTE Companies have added detailed security questions to requests from business partners. Many requests for proposals (RFPs) now include questions regarding security practices, infrastructure, and how data will be protected.

Organizations have had trade secrets and intellectual property stolen by employees who left to work for a competitor. In such instances, unless the original company has taken the proper steps to protect this data and inform its employees that this action is wrong, the company has no legal recourse. The company must practice due care both inside and outside its walls to protect its intellectual property from competitors. (For more information on legal issues, see Chapter 10.)
The industry is seeing more and more cases of employees being fired for improper use of computer systems. Many large companies have instituted policies of zero tolerance with respect to unauthorized or improper computer and Internet usage. However, if companies do not take the proper steps by having a comprehensive security policy in place and providing security awareness to the employees, they are often successfully sued for unfairly ending employment.
Companies and organizations are increasingly finding themselves responsible for compliance with more and more regulations pertaining to how they handle their data and personal information. The following is a short list of different privacy and confidentiality regulations:
• Electronic Communications Policy (ECP)
• Health Insurance Portability and Accountability Act (HIPAA)
• Public Records Act (PRA)
• Information Practices Act (IPA)
• Family Educational Rights and Privacy Act (FERPA)
• Children’s Online Privacy Protection Act (COPPA)
• Fair Credit Reporting Act (FCRA)
• Gramm-Leach-Bliley Act
• Sarbanes-Oxley Act of 2002
Many other regulations are imposed at the state and federal levels, which companies need to comply with in how they conduct their business. It is important to know that many of these regulations go much further than to just dictate the levels of protection a company must provide for the data they are responsible for. It is becoming more common to see these newer regulations requiring that CEOs and CFOs of organizations be held personally responsible, and perhaps criminally negligent, if anything untoward occurred in regards to the data they have been entrusted with. Long gone are the days where upper management can claim they didn’t realize what was going on at lower levels of their organization. These regulations and laws can hold them directly accountable, and require them to sign off on regular reports and audits pertaining to the financial health and security of their organizations.
Another way a company can lose money and time is by being ill-prepared to react to a situation. If a network does not have properly configured security mechanisms, the company’s IT staff usually spends unnecessary time and resources putting out fires. In addition, when they are racing in a chaotic manner to find a solution, they may be creating more open doors into the network without realizing it. Without proper security planning, a lot of money, staff productivity, and time are wasted that could be used for other tasks. As discussed in subsequent chapters in this book, companies that have a solid incident response plan or disaster recovery plan in place will know what to do in the event of a physical intrusion or cyberattack.
Many companies are covered by insurance in case of a natural disaster or a major security breach. However, to get a good insurance rate, companies must prove they have a solid security program and that they are doing all they can to protect their own investments. In some cases, insurance providers refused to pay for a company’s loss because the company failed to have the correct security measures in place. A recent legal case involved a company that did not have a security policy, proper security mechanisms, and an updated disaster recovery plan in place. When disaster struck, the insurance company refused to pay. The case went to court and the insurance company won; however, the greater loss to the company was not the court case.
Every business market is full of competition. If a company endures a security compromise that makes the press—which has been happening almost every month over the last year—it will have an even harder time attracting new business. A company wants to be in a position where all the customers come to it when another company suffers a security compromise, not the other way around.
The U.S. Government’s Actions
One of the U.S. government’s responsibilities is to protect American resources, people, and their way of life. One complex task the government has been faced with recently is protecting several critical infrastructures from computer-based attacks. Because computer technology is relatively young and changing rapidly, and because security has only come into real focus over the last few years, all these core infrastructures contain their own vulnerabilities. If attackers disrupt these infrastructures, the ramifications may be far reaching. For example, if attackers were able to take down electrical grids, thus forcing the government to concentrate on that crisis, they could then launch military strikes on other fronts. This might sound like a John Grisham novel, but the U.S. government must consider such scenarios and devise defensive plans to respond. One of the biggest threats the United States faces is that terrorists or a hostile nation will attempt to inflict economic damage, disrupt business or productivity, and degrade our defense response by attacking the critical infrastructures.

On July 15, 1996, President Clinton approved the establishment of the President’s Commission on Critical Infrastructure Protection (PCCIP). The responsibility of this commission was to investigate the types of attacks that were happening, extrapolate how attacks could evolve in the future, determine how they could affect the nation’s computer infrastructures, and assess how vulnerable these structures were to such attacks at that time.

The PCCIP published its sobering report, “Critical Foundations: Protecting America’s Infrastructures,” in 1997. The report outlined the current vulnerability level of critical U.S. infrastructures pertaining to criminal activity, natural disasters, international terrorists, hackers, foreign national intelligence, and information warfare. Longstanding security weaknesses, placing federal operations at serious risk, were identified and reported. In response to this report, President Clinton signed two orders, Presidential Decision Directives (PDDs) 62 and 63, to improve the nation’s defenses against terrorism, other computer-based attacks, and information warfare activities. The focus of these directives was to address cyberattacks at a national level.

The report recognized that many of the nation’s critical infrastructures were privately owned and operated. It was obvious the government and the private sector had to work together to properly and successfully defend against cyberattacks. In fact, it was recognized that these government departments could not provide this level of protection without the help and sharing of information with the public sector. The position of National Coordinator was created within the Executive Office of the President to facilitate a partnership between the government and the private sector. The goal was for the government and the private sector to work together to strengthen the nation’s defenses against cyberterrorism, theft, fraud, and other criminal activity. Out of this came the Critical Infrastructure Assurance Office (CIAO) under the Department of Commerce, Information Sharing and Analysis Centers (ISACs), and the National Infrastructure Protection Center (NIPC) under the sponsorship of the FBI. Recently, the NIPC was fully integrated into the Information Analysis and Infrastructure Protection Directorate of the Department of Homeland Security (DHS). Thus, the former NIPC’s responsibilities of physical and cyber-critical infrastructure assessment are now being addressed by two new divisions.
ISACs provide a mechanism that enables information sharing among members of a particular industry sector. The information comes from public-sector organizations and government agencies, and is shared by both. Sources of information can be authenticated or anonymous, and the information can pertain to vulnerabilities, incidents, threats, and solutions. Submitted information is directed to the appropriate team members, who then investigate each submittal, quantify the seriousness of the vulnerability, and perform a trend analysis to identify steps that might thwart this type of attack. The intent is to enhance the security of individual organizations, as well as the entire nation, one industry sector at a time.
In 2002, President Bush created the Office of Homeland Security in response to the attack on the United States on September 11, 2001. Departments of information technology and cybersecurity were included, and specific committees and roles were developed to protect against attacks that could negatively affect the nation’s infrastructure. The bill was signed November 25, 2002, and allocated $2.12 billion for technology and cybersecurity.
Much like the position of Drug Czar in the War on Drugs, in many countries in recent years there has also been a call for the appointment of a Cyber Czar—that is, a government official responsible for keeping the critical infrastructure of a country’s cyberworld secure and protected. In the U.S., it has proved to be a revolving-door post at the White House, with no real worth. The position is part of the Department of Homeland Security and actually oversees two other divisions: the National Communications System division and the National Cyber Security division. Many experts in the security industry feel that ever since President Bush issued his national strategy to secure cyberspace in February of 2003, nothing has really been done, and that those policies that have been created have been non-starters. Since 2001, more than four people have held the position of Cyber Czar, and in one instance (Howard Schmidt), for only two months. Many of the Cyber Czars have quit due to a lack of support or a feeling that the position and its division weren’t being taken seriously by other government agencies. Late into 2006, the position still remained open (and had remained open for more than a year), with the Bush Administration claiming they were whittling down the list of possible candidates. The position was eventually filled, but why should there be such difficulty in filling what, in reality, is such an important and essential job?
Critics and industry insiders claim it is tough to fill this position for several reasons. The first is the strong perception that the job holds no real power or influence in government circles. Critics cite that the Bush Administration talks a big game, but in reality does very little—if nothing at all—in regards to fighting cyberterrorism. The second reason is the need to find people who are properly qualified to hold the position. This is difficult due to the specific requirements of the job, such as having a strong understanding, not only of the nature of current threats and the technology involved, but also in having the foresight to implement strategies that will protect the nation’s computer infrastructure in the future as well. Such undertakings require both active and proactive planning, and a forceful implementation of policies. The third reason for the difficulties in hiring is that the private sector at this time pays more, and offers more, to those individuals best suited for the position.
Government leadership also often claims that the private sector is doing enough to secure the nation’s infrastructure. To this, though, the private sector usually responds that the government still must do more, and take their own initiatives, and claims that the government is doing little, if anything at all, in these areas. Many criticisms of this type focus on the lack of leadership and cohesive policies coming from the Department of Homeland Security. Audits of both the DHS and the Department of Defense’s security procedures have given failing scores in recent evaluations, leaving the private sector questioning the government’s leadership abilities. The government, in turn, criticizes the evaluation process they’ve undergone. At the end of the day, however, both the public and government sectors must work together and grow stronger in these areas because the threats to the nation’s cyber-infrastructure are becoming more dangerous all the time.
So What Does This Mean to Us?
Evidence and trend analyses show that people, businesses, and countries are becoming increasingly dependent on computer/network technology for communication, funds transfers, utility management, government services, and military action. If any of these experienced a major disruption, millions of people could be affected. As our dependence grows, so should our protective measures.

The reality of the world today is that the majority of computer attacks, hacks, and cracks are no longer done for kicks and thrills. It’s no longer about the measure of skills. Greed and financial gain are the greatest motivators for most attacks these days. The perpetrators are no longer just individuals trying to make a name for themselves; instead, there is more organized crime and financial motivation behind these attacks. The gamut runs from botnets to spammers to identity theft. The lure of fast money through anonymous means brings all kinds of malicious elements out of the woodwork to take a crack at hacking and cybercrime. The fact that many organizations don’t want to report these kinds of crimes and have the public know about these attacks occurring against them only sweetens the lure for criminals to steal and extort every possible dime out of their victims.

Militaries are quietly growing their information warfare units. This growth is a response to the computer-related military actions that have already occurred and reflects an awareness of the need to plan for the future. Computer networks, communication systems, and other resources not only are prime targets to reconfigure or destroy in the time of war or crisis, they are also good tools to use to watch other nations’ movements and estimate their intentions during peacetime.

The antes are being raised, security issues are becoming more serious, and the effects are more detrimental. Take the necessary steps to protect yourself, your company, and your country.

Hacking and Attacking
There has been a definite and distinct evolution of hacking, cracking, and attacking. At one time, it was a compliment to be called a hacker because it meant you took the time to learn things about computers that others did not know and had the discipline and desire to find out what makes a computer tick. These people did not perform malicious acts, but rather were the ones called upon when really tough problems left everyone else scratching their heads.

As computers became more widespread as tools, this definition started to change. The new hackers took on a profile of geeky young men who would rather spend their time pinging computers all over the Internet than looking for dates. Even this profile has evolved. Girls and women have joined this once all-male club and are just as knowledgeable and dangerous as the guys. Hacking is on the rise, and the profile of an attacker is changing. However, the real change in the profile is that the serious attackers indulge themselves for specific reasons and have certain types of damage or fraud in mind.

The dangerous attacker is the one who is willing to do his homework. He will build a profile about the victim, find all the necessary information, and uncover many possible ways of getting into an environment before actually attempting it. The more an attacker knows about the environment, the more access points he has at his disposal. These are usually groups of determined and knowledgeable individuals that are hard to stop.
Another dangerous evolutionary pattern is that the tools available to hackers these days are easy to use. It used to take a certain skill set to be able to enter a computer through a port, reconfigure system files, find the hidden data, and get out without being noticed. Today, there are many tools with graphical user interface (GUI) front-ends that only require a person to enter an IP address or range, and then click the Start button. Some of these tools provide a quiet mode, which means the interrogations and exploit attempts will use methods and protocols that may not show up on intrusion detection systems (IDSs) or cause the user of that computer to recognize something is going on. These tools enable people to carry out sophisticated attacks even if they do not understand the tool or the attack itself.
The proliferation of tools on the Internet, the ease of use of these tools, and the availability of web sites and books describing exactly how to exploit vulnerabilities have greatly increased the hacker population. So, some attack tools whose creation may have required in-depth knowledge of protocol behaviors or expert programming skills are now available to a wide range of people who have not necessarily ever heard of Transmission Control Protocol/Internet Protocol (TCP/IP).
As more vulnerabilities are uncovered every week, many more people are interested in trying out the exploits. Some just want to satisfy their curiosity, some want bragging rights over other hackers, and some have distinct destructive goals to accomplish.
There is another aspect to hacking and attacking, though. It is natural to focus on the evil aspects, but hacking can also be looked at as a continuous challenge to the computing society to come up with better products, practices, and procedures. If hackers were not continually trying to break products, the products would not necessarily continue to evolve in the way they have. Sure, products would continue to grow in functionality, but not necessarily in security.
So maybe instead of looking at hackers as selfish individuals out to cause harm and destruction, they can be looked at as the thorn in the side of the computing society that keeps it on its toes and ensures that the next product will provide greater functionality, but in a secure manner.
Management
Security is a complex matter for many companies. Management usually feels the IT department is responsible for choosing the correct technologies, installing and maintaining them, and keeping the environment secure. In general, management has never really been pulled inside the realm of computers and the issues that surround them. This distance and mentality hurts many companies when it comes to dealing with security effectively.
Historically, management has been responsible only for hitting its numbers—whether it be profit margins, sales goals, or productivity marks—and for managing people and projects. It has not had to think much about firewalls, hackers, and security breaches. However, this mindset is fading, and the new trend demands that management be much more involved in security and aware of how it affects the company as a whole.