Regardless of whether computer and network data are transmitted on a wired or wireless medium, the basic security concepts remain much the same. Some of the content presented here has been excerpted from the Cybersecurity Operations Handbook [1] with the permission of Digital Press, an imprint of Elsevier Science.
For those among us who are tasked with managing business, and for that ever-shrinking number of Information Technology (IT) professionals who are not directly involved in the daily struggles coping with cybersecurity issues, one might be tempted to ask,
“What is the big deal about cybersecurity, really?”
“How does it affect our company infrastructure?”
“How does it affect users in our organization?”
“Is it something our management team should worry about?”
These are all legitimate questions. More and more today, IT professionals face an ever-growing and daunting task. Attacks occur every single day [2]. The only question to be asked in today’s modern computing environment is, “Are we prepared to deal with an attack?” This book provides guidance on how to prepare for such assaults against organizational infrastructure. It will help network and systems administrators prepare to answer these types of questions and provide compelling information that can help even the most reluctant manager or administrator come to terms with the changed, threatening computing environment we face today.
Vast data stores in myriad organizations hold personal information about each of us. The accumulation of such large amounts of electronic information, combined with the increased ability of computers to monitor, process, and aggregate this information about people, creates a massive threat to our individual privacy. The reality of today is that all of this information and technology now available can be electronically linked together, allowing unknown entities to gain unabated access to even our most private information. This situation should give us reason to pause and ask ourselves if we have not created a modern information age with an unwanted byproduct some have often referred to as “Big Brother.”
Although the magnitude and cost of the threat to our personal privacy is very difficult to determine, it is readily apparent that information technology is becoming powerful enough to warrant fears of the emergence of both government and corporate “Big Brothers.” More awareness of the situation is needed at the organizational and personal level. With the increased accessibility of such information, we have created an ever-growing vulnerability that someone, such as a cyberterrorist, is likely to exploit. Another consideration of late is the recently legislated “Privacy Acts” that many different countries have enacted in order to try to protect the data assets of their citizenry. Such legislation has become an ever-growing part of this modern information age. All companies using computing resources today now need to be keenly aware of both these threats and the legal ramifications that ensue when they attempt to monitor, prevent, or provide access to their information resources.
Computer systems can be exploited for conducting fraudulent activities and for outright theft. Such criminal acts are accomplished by “automating” traditional methods of fraud and by inventing and using new methods that are constantly being created by enterprising criminal minds. For example, individuals carrying out such criminal activity may use computers to transfer a company’s proprietary customer data to computer systems that reside outside the company premises, or they may try to use or sell this valuable customer data to that company’s competitors. Their motive may be profit or inflicting damage to the victimized company to compensate for some perceived injustice, or it may just be an act of malicious behavior for entertainment or bragging rights. Computer fraud and theft can be committed by both company insiders and outsiders, but studies have shown that most corporate fraud is committed by company insiders. [3]
In addition to the use of technology to commit fraud, computer hardware and software resources may be vulnerable to theft. Actual examples include the theft of unreleased software and storage of customer data in insecure places such as anonymous FTP accounts so that it can be accessed and stolen by outsiders. Data being exposed to these threats generates a secondary threat for a company: the loss of credibility and possible liability for damages as a result of premature release of information, exposure or loss of information, and so on. Preventive measures that should be taken here are quite simple, but are often overlooked. Implementation of efficient access control methodologies, periodic auditing, and firewall usage can, in most cases, prevent fraud from occurring or at least make it more easily detected.
The meteoric rise in fraud perpetrated over the Internet has brought about the classification of nine types of fraud, developed from the data reported to the Internet Fraud Complaint Center (IFCC) [4]. Analysts at the IFCC determine a fraud type for each Internet fraud complaint received. IFCC analysts sort complaints into one of the following nine fraud categories:
The Nigerian Letter Scam [13] has been around since the early 1980s. The scam is effected when correspondence outlining an opportunity to receive nonexistent government funds from alleged dignitaries is sent to a “victim,” but there is a catch: the letter is designed to collect advance fees from the victim, most often payoff money the victim must send to the “dignitary” in order to bribe government officials. Although other countries may be mentioned, the correspondence typically names “The Government of Nigeria” as the nation of origin. This scam is also referred to as “419 Fraud,” after the relevant section of the Criminal Code of Nigeria, and as “Advance Fee Fraud.” Because of this scam, Nigeria ranks second among countries in total complaints against businesses reported to the IFCC. The IFCC has a policy of forwarding all Nigerian Letter Scam complaints to the U.S. Secret Service. The scam works as follows:
Probably the easiest form of employee sabotage known to all system administrators would be “accidental” spillage. The act of intentionally spilling coffee or soda on a keyboard to make the computer unusable for some time is a criminal offense. Proving the spillage was deliberate, however, is next to impossible without the aid of hidden cameras or other surveillance techniques. Some administrators have even experienced severe cases where servers have been turned off over a weekend, resulting in unavailability, data loss, and the needless cost of hours of troubleshooting. Employees are the people who are most familiar with their employer’s computers and applications. They know what actions can cause damage, mischief, or sabotage. The number of incidents of employee sabotage is believed to be much smaller than the instances of theft, but the cost of such incidents can be quite high. [14]
As long as people feel unjustly treated, cheated, bored, harassed, endangered, or betrayed at work, sabotage will be used as a method to achieve revenge or a twisted sense of job satisfaction. Later in this book, we show how serious sabotage acts can be prevented by implementing methods of strict access control.
Devastating results can occur from the loss of supporting infrastructure. This infrastructure loss can include power failures (outages, spikes, and brownouts), loss of communications, water outages and leaks, sewer problems, lack of transportation services, fire, flood, civil unrest, and strikes. A loss of infrastructure often results in system downtime, sometimes in the most unexpected ways. Countermeasures against loss of physical and infrastructure support include adding redundant systems and establishing recurring backup processes. Because of the damage these types of threats can cause, the Critical Infrastructure Protection Act was enacted.
The term malicious hacker refers to those who break into computers without authorization. They can include both outsiders and insiders. The hacker threat should be considered in terms of past and potential future damage. Although current losses caused by hacker attacks are significantly smaller than losses caused by insider theft and sabotage, the hacker problem is widespread and serious. One example of malicious hacker activity is attacks directed against the public telephone system; these are quite common, and the targets are usually employee voice mailboxes or special “internal-only” numbers that allow free calls to company insiders. Another common pattern is for hackers to gather information about internal systems using port scanners and sniffers, then move on to password attacks, denial-of-service attacks, and other attempts to break into publicly exposed systems such as File Transfer Protocol (FTP) and World Wide Web (WWW) servers. By implementing effective firewalls and auditing/alerting mechanisms, external hackers can usually be thwarted, or at least detected early in the reconnaissance phase. Internal hackers are extremely difficult to contend with because they have already been granted access; however, conducting internal audits on a frequent and recurring basis will help organizations detect these activities.
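The auditing/alerting mechanism mentioned above can be made concrete. The following is an added example, not code from the Cybersecurity Operations Handbook: a small detector that reads firewall drop logs and flags a source address that probes many distinct destination ports within a short window, which is the footprint a port scanner leaves. It assumes iptables-style syslog lines (the `IPT-DROP:` prefix, `SRC=`, `DPT=` fields and the sample addresses are constructed for the example), assumes the log is in chronological order, and uses an illustrative threshold of 8 distinct ports in 60 seconds.

```python
"""Port-scan detection over firewall drop logs (added example, not from the original text)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in iptables/syslog style; not a real capture.
# 203.0.113.5 sweeps ten ports in five seconds (a fast scan).
# 198.51.100.7 retries port 22 only (noisy, but not a scan).
# 198.51.100.9 probes eight ports 90 seconds apart (a slow scan that
# stays under a 60-second window).
SAMPLE_LOG = """\
Mar 12 10:15:00 fw sshd[1234]: Accepted publickey for ops from 192.0.2.44
Mar 12 10:15:01 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=21
Mar 12 10:15:01 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44322 DPT=22
Mar 12 10:15:02 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44323 DPT=23
Mar 12 10:15:02 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44324 DPT=25
Mar 12 10:15:03 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44325 DPT=80
Mar 12 10:15:03 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44326 DPT=110
Mar 12 10:15:04 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44327 DPT=143
Mar 12 10:15:04 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44328 DPT=443
Mar 12 10:15:05 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44329 DPT=445
Mar 12 10:15:05 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44330 DPT=3389
Mar 12 10:15:06 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=22
Mar 12 10:16:06 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=22
Mar 12 10:17:00 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=21
Mar 12 10:18:30 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60002 DPT=22
Mar 12 10:20:00 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60003 DPT=23
Mar 12 10:21:30 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60004 DPT=25
Mar 12 10:23:00 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60005 DPT=80
Mar 12 10:24:30 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60006 DPT=110
Mar 12 10:26:00 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60007 DPT=143
Mar 12 10:27:30 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60008 DPT=443
"""

# syslog timestamp, then the SRC= and DPT= fields of an iptables log line
PATTERN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source_ip, dest_port) for a firewall drop line, else None."""
    m = PATTERN.match(line)
    if not m:
        return None
    # syslog carries no year; strptime defaults to 1900, which is fine for deltas
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def detect_port_scans(lines, threshold=8, window_seconds=60):
    """Flag sources that hit at least `threshold` distinct destination ports
    within any `window_seconds` span. Returns {src: (distinct_ports, first_ts, last_ts)}
    for the moment each source first crossed the threshold. Lines are assumed
    to be in chronological order, as syslog normally writes them."""
    recent = defaultdict(deque)  # src -> deque of (ts, dpt), oldest first
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a firewall drop line (e.g. sshd, cron)
        ts, src, dpt = parsed
        q = recent[src]
        q.append((ts, dpt))
        # slide the window: drop events older than window_seconds
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerts:
            alerts[src] = (len(ports), q[0][0], ts)
    return alerts


if __name__ == "__main__":
    for src, (n, first, last) in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {n} distinct ports between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

With the default window only the fast scanner (203.0.113.5) is reported; the host retrying port 22 never reaches the distinct-port threshold. The slow scanner (198.51.100.9) is the caveat worth remembering: it touches eight ports, but never eight within 60 seconds, so a short window misses it and a longer window (an hour, say) is needed to catch it. Running the detector with more than one window length, or keeping per-source port counts over a day, is the usual answer to that evasion.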
Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other “uninvited” software. Sometimes mistakenly associated just with personal computers, such types of malicious code can attack other platforms. The actual costs that have been attributed to the presence of malicious code most often include the cost of system outages and the cost of staff time for those who are involved in finding the malware and repairing the systems. Frequently, these costs are quite significant.
Today, we are subject to a vast number of virus incidents. This has generated much discussion about the issues of organizational liability and must be taken into account. Viruses are the most common case of malicious code. In today’s modern computing platform, some form of antivirus software must be included in order to cope with this threat. To do otherwise can be extremely costly. In 1999, a virus named Melissa was released with devastating results. [15] The Melissa virus caused an estimated $80 million in damage and disrupted computer and network operations worldwide.
Melissa was especially damaging as viruses go because its author had deliberately created the virus to evade existing antivirus software and to exploit specific weaknesses in corporate and personal e-mail software, as well as server and desktop operating systems software. Melissa infected e-mail and propagated itself in that infected state to 50 other e-mail addresses it obtained from the existing e-mail address book it found on the victim’s machine. It immediately began sending out these infectious e-mails from every machine it touched. The Melissa infection spread across the Internet at an exponential rate. Systems were literally brought down from overload as a result of exponential propagation.
A company might be subject to industrial espionage simply because competitors share some level of sensitive customer information, which might be worth millions for interested parties ranging from governments to corporate and private entities. It is not only the press who would be willing to pay for information. This situation might be encouraging enough for many hackers to tempt fate and attempt to obtain such information. Internal staff might consider the risk minimal and give away such information. There could be active attempts to retrieve information without authorization by hacking, sniffing, and other measures. A case of espionage can have serious consequences for a company, in terms of incurring the cost of lawsuits and resulting damage awards. This situation can also devastate a company’s reputation in the marketplace.
Formally defined, industrial espionage is the act of gathering proprietary data from private companies or governments to aid others. Industrial espionage can be perpetrated either by companies seeking to improve their competitive advantage or by governments seeking to aid their domestic industries. Foreign industrial espionage carried out by a government is often referred to as economic espionage. Because information is processed and stored on computer systems, computer security can help protect against such threats; it can do little, however, to reduce the threat of authorized employees selling that information.
Cases of industrial espionage are on the rise, especially since the end of the Cold War, when many intelligence agencies reoriented toward industrial targets. A 1992 study sponsored by the American Society for Industrial Security (ASIS) found that proprietary business information theft had increased 260 percent since 1985. The data indicated that 30 percent of the reported losses in 1991 and 1992 had foreign involvement. The study also found that 58 percent of thefts were perpetrated by current or former employees. The three most damaging types of stolen information were pricing information, manufacturing process information, and product development and specification information. Other types of information stolen included customer lists, basic research, sales data, personnel data, compensation data, cost data, proposals, and strategic plans.
Within the area of economic espionage, the Central Intelligence Agency (CIA) has stated that the main objective is obtaining information related to technology, but that information on U.S. government policy deliberations concerning foreign affairs and information on commodities, interest rates, and other economic factors is also a target. The Federal Bureau of Investigation (FBI) concurs that technology-related information is the main target, but also lists corporate proprietary information, such as negotiating positions and other contracting data, as targets.
Because of the rise in economic and industrial espionage cases over the last decade, the Economic Espionage Act of 1996 was passed by the U.S. government. The trade-secret theft provision of this law, codified at 18 U.S.C. §1832, provides:
In a recent case [16] brought under 18 U.S.C. § 1832, convictions were upheld on appeal against Mr. Pin-Yen Yang and his daughter Hwei Chen Yang (Sally) for industrial espionage, among other crimes. Mr. Yang owned the Four Pillars Enterprise Company, Ltd., based in Taiwan. This company specialized in the manufacture of adhesives. Mr. Yang and his daughter conspired to illegally obtain trade secrets from their chief U.S. competitor, Avery Dennison Corporation, by hiring an ex-employee of Avery Dennison, a Dr. Lee. Lee was retained as a consultant by Yang, and the group conspired to pass confidential trade secrets from Avery to Four Pillars. When the FBI confronted Lee on the matter, he agreed to be videotaped in a meeting with Mr. Yang and his daughter. During the meeting, enough evidence was gathered to result in a conviction. [17]
Measures against industrial espionage consist of the same measures companies take to counter hackers, with the added protection obtained by using data encryption technology. Where strong encryption is not permitted because of government regulations (as was historically the case in France), proprietary compression or encoding schemes are sometimes used as a substitute; these provide obscurity rather than cryptographic protection and have a far higher chance of being broken by a determined adversary. Hashing is not a substitute at all for data that must later be read back, because a hash cannot be reversed to recover the original. Legal protections exist, of course, but were once very difficult to dissect from the vast amount of legislation in Title 18 of the U.S. Code. Congress amended the many laws dotted throughout Title 18 into a comprehensive set of laws known as the 1996 National Information Infrastructure Protection Act.
The weakest link in security will always be people, and the easiest way to break into a system is to engineer your way into it through the human interface. Almost every hacker group has engaged in some form of social engineering over the years, and in combination with other activities, they have been able to break into many corporations as a result. In this type of attack, the attacker chooses a mark he or she can scam to gain a password, user ID, or other usable information. Because most administrators and employees of companies are more concerned with providing efficiency and helping users, they may be unaware that the person they are speaking to is not a legitimate user. And because there are no formal procedures for establishing whether an end user is legitimate, the attacker often gains a tremendous amount of information in a very short time, and often with no way to trace the information leak back to the attacker.
Social engineering begins with the goal of obtaining information about a person or business, and its activities range from dumpster diving to cold calls and impersonation. As the movies acknowledge, many hackers and criminals have realized that a wealth of valuable information often lies in trash bins waiting to be emptied by a disposal company. Most corporations do not adequately dispose of information, and trash bins often contain information that may identify employees or customers. This information is not secured and is available to anyone who is willing to dive into the dumpster at night and look for it; hence the term dumpster diving.
Other information is readily available via deception. Most corporations do not have security measures that address deception adequately. What happens when the protocol is followed properly, but the person being admitted is not who he says he is? Many groups send their own members to test a corporation's admittance policy, deliberately bending its rules to learn how, and whether, they are enforced. Often, such a multiperson attack results in gaining admittance to the company and ultimately the information desired. Using the bathroom or going for a drink of water is always a great excuse for leaving a meeting, and you often will not have an escort. Most corporations do not have terminal locking policies, and an unlocked, unattended terminal is another way an attacker can gain access or load software that may pierce the company’s firewall. So long as the people entering the corporation act according to the role they have defined for their access and look the part, it is unlikely that they will be detected.
Remotely, social engineering actually becomes less challenging. There are no visual expectations to meet, and people are very willing to participate with a little coaxing. As is often the case, giving away something free can always be a method for entry. Many social engineering situations involve sending along a free piece of software or something else of value. Embedded within free software, Trojans, viruses, and worms can go undetected and can bypass system and network security. Because most security that protects the local machine has a hard time differentiating between real and fake software, it is often not risky for the attacker to deliver a keylogger or Trojan to the victim machine. Equally effective, customer support or employee support personnel can be duped into helping a “needy user” with passwords and access to information they do not necessarily know anything about.
According to NIST Publication SP800-12, [18] the purpose of computer security awareness, training, and education is to enhance security by
By making computer system users aware of their security responsibilities and teaching them correct practices, it helps users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures (and how to use them), users cannot be truly accountable for their actions. The importance of this training is emphasized in the Computer Security Act, which requires training for those involved with the management, use, and operation of federal computer systems.
Awareness stimulates and motivates those being trained to care about security and reminds them of important security practices. By understanding what happens to an organization, its mission, customers, and employees when security fails, people are often motivated to take security more seriously. Awareness can take on different forms for particular audiences. Appropriate awareness for management officials might stress management’s pivotal role in establishing organizational attitudes toward security. Appropriate awareness for other groups, such as system programmers or information analysts, should address the need for security as it relates to their jobs. In today’s systems environment, almost everyone in an organization may have access to system resources and, therefore, may have the potential to cause harm.
Both dissemination and enforcement of policy are critical issues that are implemented and strengthened through training programs. Employees cannot be expected to follow policies and procedures of which they are unaware. In addition, enforcing penalties may be difficult if users can claim ignorance when they are caught doing something wrong. Training employees may also be necessary to show that a standard of due care has been taken in protecting information. Simply issuing policy, with no follow-up to implement that policy, may not suffice. Many organizations use acknowledgment statements that employees have read and understand computer security requirements.
Awareness is used to reinforce the fact that security supports the organization’s mission by protecting valuable resources. If employees view security measures as just bothersome rules and procedures, they are more likely to ignore them. In addition, they may not make needed suggestions about improving security or recognize and report security threats and vulnerabilities. Awareness is also used to remind people of basic security practices, such as logging off a computer system or locking doors. A security awareness program can use many teaching methods, including videotapes, newsletters, posters, bulletin boards, flyers, demonstrations, briefings, short reminder notices at logon, talks, or lectures. Awareness is often incorporated into basic security training and can use any method that can change employees’ attitudes. Effective security awareness programs need to be designed with the recognition that people tend to practice a tuning-out process (also known as acclimation). For example, after a while, a security poster, no matter how well designed, will be ignored; it will, in effect, simply blend into the environment. For this reason, awareness techniques should be creative and frequently changed.
Security education is more in-depth than security training and is targeted for security professionals and those whose jobs require expertise in security. Security education is normally outside the scope of most organizational awareness and training programs. It is more appropriately a part of employee career development. Security education is obtained through college or graduate classes or through specialized training programs. Because of this, most computer security programs focus primarily on awareness. An effective Computer Security Awareness and Training (CSAT) program requires proper planning, implementation, maintenance, and periodic evaluation. The following seven steps constitute one approach for developing a CSAT program:
When you begin the process of building a corporate policy for social engineering, several important considerations need to be included in the policy. Ensure that employees are aware of the data they are making available to others and what hackers might do with the knowledge they gain from that data. Train end users in the proper handling of social engineering tactics such as the following:
Teach employees how to prevent intrusion attempts by verifying identification, using secure communications methods, reporting suspicious activity, establishing procedures, and shredding corporate documents. It is important to define a simple, concise set of established procedures for employees to report or respond to when they encounter any of these types of attacks.
It is a good idea to periodically employ external consultants to perform audits and social engineering attempts to test employees and the network security readiness of your organization. Define the regularity of audits conducted by external consultants in a manner that cannot become predictable, such as a rotation of the month in each quarter an audit would occur. For example, if your external audits are conducted semiannually, the first audit of the year may occur in month one of quarter one. The next audit may occur in month three of quarter three. Then, when the next year comes around, you have rotated to another month or even changed to quarters two and four. The point is not which months and quarters audits are conducted, but that they are done in an unpredictable fashion that only you and your trusted few will know.