IAS - Module.pdf
Uploaded by FrugalOrphism
2021
INTE 30063: Information Assurance and Security 1
Compiled by: JOHN DUSTIN D. SANTOS

Revision Table
Revision No. | Date | Revised by
Version 1 | January 13, 2021 | John Dustin D. Santos
Version 2 | March 26, 2022 | John Dustin D. Santos

Table of Contents

Chapter 1: Introduction to Information Security (p. 1)
Overview
Learning Objectives
The History of Information Security (p. 1)
What is Information Security? (p. 2)
Key Information Security Concepts (p. 3)
Critical Characteristics of Information (p. 4)
Components of an Information System (p. 5)
o Software (p. 5)
o Hardware (p. 5)
o Data (p. 5)
o People (p. 5)
o Procedures (p. 6)
o Networks (p. 6)
Approaches to Information Security Implementation (p. 6)
o Bottom-up Approach (p. 6)
o Top-down Approach (p. 6)
The Systems Development Life Cycle (p. 7)
o Methodology and Phases (p. 7)
o Investigation (p. 7)
o Analysis (p. 8)
o Logical Design (p. 8)
o Physical Design (p. 8)
o Implementation (p. 8)
o Maintenance and Change (p. 8)
The Security Systems Development Life Cycle (p. 8)
o Investigation (p. 9)
o Analysis (p. 9)
o Logical Design (p. 9)
o Physical Design (p. 9)
o Implementation (p. 9)
o Maintenance and Change (p. 9)
Security Professionals and the Organization (p. 10)
o Senior Management (p. 11)
o Information Security Project Team (p. 11)
o Data Responsibilities (p. 11)
Communities of Interest (p. 12)
o Information Security Management and Professionals (p. 12)
o Information Technology Management and Professionals (p. 12)
o Organization Management and Professionals (p. 12)
Information Security: Is it an Art or a Science? (p. 12)
o Security as Art (p. 12)
o Security as Science (p. 12)
o Security as Social Science (p. 12)
Assessment
References

Chapter 2: The Need for Security (p. 14)
Overview
Learning Objectives
Business Needs First (p. 14)
o Protecting the Functionality of an Organization (p. 14)
o Enabling the Safe Operation of Applications (p. 14)
o Protecting Data that Organizations Collect and Use (p. 15)
o Safeguarding Technology Assets in Organizations (p. 15)
Threats (p. 15)
14 Categories of Threat (p. 15)
1. Compromises to Intellectual Property (p. 15)
2. Deliberate Software Attacks (p. 16)
3. Deviations in Quality of Service (p. 17)
4. Espionage or Trespass (p. 18)
5. Forces of Nature (p. 18)
6. Human Error or Failure (p. 20)
7. Information Extortion (p. 20)
8. Missing, Inadequate, or Incomplete Organizational Policy or Planning (p. 20)
9. Missing, Inadequate, or Incomplete Controls (p. 20)
10. Sabotage or Vandalism (p. 20)
11. Theft (p. 21)
12. Technical Hardware Failures or Errors (p. 21)
13. Technical Software Failures or Errors (p. 21)
14. Technological Obsolescence (p. 21)
Attacks (p. 22)
1. Malicious Code (p. 22)
2. Hoaxes (p. 22)
3. Back Doors (p. 23)
4. Password Crack (p. 23)
5. Brute Force (p. 23)
6. Dictionary Attack (p. 23)
7. DoS and DDoS (p. 23)
8. Spoofing (p. 23)
9. Man-in-the-Middle (p. 24)
10. Spam (p. 24)
11. Mail Bombing (p. 24)
12. Sniffers (p. 24)
13. Social Engineering (p. 24)
14. Phishing (p. 24)
15. Pharming (p. 25)
16. Timing Attack (p. 25)
Secure Software Development (p. 25)
o Software Assurance and the SA Common Body of Knowledge (p. 25)
o Software Design Principles (p. 26)
o Software Development Security Problems (p. 26)
Assessment
References

Chapter 3: Legal, Ethical, and Professional Issues in Information Security (p. 31)
Overview
Learning Objectives
Law and Ethics in Information Security (p. 31)
o Organizational Liability and the Need for Counsel (p. 31)
o Policy versus Law (p. 31)
o Types of Law (p. 32)
International Laws and Legal Bodies (p. 32)
o Council of Europe Convention on Cybercrime (p. 33)
o Agreement on Trade-Related Aspects of Intellectual Property Rights (p. 33)
o Digital Millennium Copyright Act (p. 33)
Ethics and Information Security (p. 33)
o Ten Commandments of Computer Ethics (p. 33)
o Ethical Differences across Cultures (p. 34)
o Ethics and Education (p. 35)
o Deterring Unethical and Illegal Behavior (p. 35)
Assessment
Exercise
References

Chapter 4: Risk Management (p. 38)
Overview
Learning Objectives
An Overview of Risk Management (p. 38)
o Know Yourself (p. 39)
o Know the Enemy (p. 39)
o The Roles of the Communities of Interest (p. 40)
Risk Identification (p. 40)
o Plan and Organize the Process (p. 40)
o Asset Identification and Inventory (p. 41)
o Classifying and Prioritizing Information Assets (p. 45)
o Information Asset Valuation (p. 46)
o Information Asset Prioritization (p. 47)
o Identifying and Prioritizing Threats (p. 48)
o Vulnerability Identification (p. 50)
Risk Assessment (p. 50)
o Likelihood (p. 51)
o Risk Determination (p. 51)
o Identify Possible Controls (p. 52)
Risk Control Strategies (p. 52)
o Defend (p. 52)
o Implementing the Defend Strategy (p. 53)
o Transfer (p. 53)
o Mitigate (p. 53)
o Accept (p. 54)
o Terminate (p. 54)
Selecting a Risk Control Strategy (p. 54)
o Feasibility Studies (p. 55)
o Cost Benefit Analysis (p. 56)
o Evaluation, Assessment, and Maintenance of Risk Controls (p. 56)
Risk Management Discussion Points (p. 57)
o Risk Appetite (p. 57)
o Residual Risk (p. 57)
o Documenting Results (p. 58)
Assessment
References

Chapter 5: Planning for Security (p. 60)
Overview
Learning Objectives
Information Security Planning and Governance (p. 60)
o Planning Levels (p. 60)
o Planning and the CISO (p. 61)
o Information Security Governance (p. 61)
o Information Security Governance Outcomes (p. 62)
Information Security Policy, Standards, and Practices (p. 62)
o Definitions (p. 63)
o Enterprise Information Security Policy (p. 64)
o Issue-Specific Security Policy (p. 65)
o Violations of Policy (p. 66)
o Policy Review and Modification (p. 66)
o Limitations of Liability (p. 66)
o Systems-Specific Policy (p. 67)
o Policy Management (p. 68)
The Information Security Blueprint (p. 69)
o The ISO 27000 Series (p. 69)
o NIST Security Models (p. 70)
o IETF Security Architecture (p. 70)
o Baselining and Best Business Practices (p. 70)
Security Education, Training, and Awareness Program (p. 70)
o Security Education (p. 71)
o Security Training (p. 71)
o Security Awareness (p. 71)
Continuity Strategies (p. 72)
o Business Impact Analysis (p. 73)
o Incident Response Planning (p. 74)
o Disaster Recovery Planning (p. 74)
o Business Continuity Planning (p. 75)
o Crisis Management (p. 75)
Assessment
Exercise
References

Chapter 1: Introduction to Information Security

Overview
This chapter establishes the foundation for understanding the broader field of information security. It does so by defining key terms, explaining essential concepts, and reviewing the origins of the field and how those origins shape our understanding of information security today.
Learning Objectives
Upon completion of this material, you should be able to:
o Define information security.
o Recount the history of computer security, and explain how it evolved into information security.
o Define key terms and critical concepts of information security.
o Enumerate the phases of the security systems development life cycle.
o Describe the information security roles of professionals within an organization.

The History of Information Security
The history of information security begins with computer security. The need for computer security – that is, the need to secure physical locations, hardware, and software from threats – arose during World War II, when the first mainframes, developed to aid the computations needed for communications code-breaking, were put to use. Multiple levels of security were implemented to protect these mainframes and maintain the integrity of their data. Access to sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards. The growing need to maintain national security eventually led to more complex and more technologically sophisticated computer security safeguards. Let us look at the main events that contributed to the development of information security.

The 1960s
The Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system designed to support the military's need to exchange information. Larry Roberts, known as the founder of the Internet, developed the project, called ARPANET, from its inception.

The 1970s and 80s
During the next decade, the ARPANET grew in popularity, as did its potential for misuse. In December 1973, Robert M. Metcalfe indicated that there were fundamental problems with ARPANET security:
o Individual remote users' sites did not have sufficient controls and safeguards to protect data against unauthorized remote users.
o There were no safety procedures for dial-up connections to the ARPANET.
o User identification and authorization to the system were non-existent.
o Phone numbers were widely distributed and openly publicized on the walls of rest rooms and phone booths, giving hackers easy access to the ARPANET.

In the late 1970s, the microprocessor brought a new age of computing capabilities, and new security threats as these microprocessors were networked. Information security began with Rand Report R-609, sponsored by the Department of Defense, which attempted to define the multiple controls and mechanisms necessary for the protection of a multi-level computer system.
o The scope of computer security grew from physical security to include:
- Safety of the data itself
- Limiting of random and unauthorized access to that data
- Involvement of personnel from multiple levels of the organization
o At this stage, the concept of computer security evolved into the more sophisticated system we call information security.

The 1990s
At the close of the 20th century, as networks of computers became more common, so too did the need to connect the networks to each other. This gave rise to the Internet, the first manifestation of a global network of networks. There has been a price for the phenomenal growth of the Internet, however. When security was considered at all, early Internet deployment treated it as a low priority. As networked computing became the dominant style of computing, the ability to physically secure the computer was lost, and the stored information became more exposed to security threats.

2000 to Present
Today, the Internet has brought millions of unsecured computer networks into communication with each other. Our ability to secure each computer's stored information is now influenced by the security of every computer to which it is connected.

What is Information Security?
In general, security is "the quality or state of being secure – to be free from danger." It means being protected from adversaries, from those who would do harm, intentionally or otherwise. A successful organization should have the following multiple layers of security in place to protect its operations:
o Physical security – protects the physical items, objects, or areas of an organization from unauthorized access and misuse.
o Personnel security – protects the individual or group of individuals who are authorized to access the organization and its operations.
o Operations security – protects the details of a particular operation or series of activities.
o Communications security – protects an organization's communications media, technology, and content.
o Network security – protects networking components, connections, and contents.

Information security, therefore, is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. To protect the information and its related systems from danger, tools such as policy, awareness, training, education, and technology are necessary.

The C.I.A. triangle has been considered the industry standard for computer security since the development of the mainframe. It was based solely on three characteristics that described the utility of information: confidentiality, integrity, and availability. The C.I.A. triangle has since expanded into a longer list of critical characteristics of information.

Key Information Security Concepts
Here are some terms and concepts that are essential to any discussion of information security:

Access – A subject's or object's ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability.

Asset – The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or it can be physical, such as a person, computer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.

Attack – An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. An attack is an information security threat that involves an attempt to obtain, alter, destroy, remove, implant, or reveal information without authorized access or permission. It happens to both individuals and organizations. There are many different kinds of attacks, including but not limited to passive, active, targeted, clickjacking, brandjacking, botnet, phishing, spamming, inside, and outside.

Control, safeguard, or countermeasure – Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization. The various levels and types of controls are discussed more fully in the following chapters.

Exploit – A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker. Exploits make use of existing software tools or custom-made software components.

Exposure – A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.

Loss – A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organization's information is stolen, it has suffered a loss.

Protection profile or security posture – The entire set of controls and standards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset. These terms are sometimes used interchangeably with the term security program, although the security program often comprises the managerial aspects of security, including planning, personnel, and subordinate programs.

Risk – The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite – the quantity and nature of risk the organization is willing to accept.

Subjects and objects – A computer can be either the subject of an attack – an agent entity used to conduct the attack – or the object of an attack – the target entity. A computer can be both the subject and object of an attack, when, for example, it is compromised by an attack (object) and then used to attack other systems (subject).

Threat – A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected. For example, hackers purposely threaten unprotected information systems, while severe storms incidentally threaten buildings and their contents.

Threat agent – The specific instance or a component of a threat. For example, all hackers in the world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms.

Vulnerability – A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door.
Critical Characteristics of Information
The value of information comes from the characteristics it possesses.

Availability – enables users who need to access information to do so without interference or obstruction and in the required format. Information is said to be available when an authorized user can reach it when and where needed and in the correct format.

Accuracy – free from mistake or error and having the value that the end user expects. If information contains a value different from the user's expectations because of the intentional or unintentional modification of its content, it is no longer accurate.

Authenticity – the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Confidentiality – the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

Integrity – the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.

Utility – the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.

Possession – the quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
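The list above separates integrity (the data is whole and uncorrupted) from authenticity (the data is what its legitimate source produced). The distinction matters in practice because the most common "integrity check", a stored hash, only catches accidental corruption: anyone who can rewrite a record can also rewrite its hash. Authenticity needs a secret the attacker does not hold. The following Python example is added here to make that concrete; it is not part of the module, and the payroll record, the custodian's key, and the tampering scenario are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the module): one stored payroll line.
RECORD = b"employee=1042;salary=52000;approved_by=HR"


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256 digest of the data. No secret is involved."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, stored_digest: str) -> bool:
    """Integrity check as many systems do it: recompute the hash and compare it
    with the digest stored next to the data. Detects bit rot and truncation,
    but a writer who can change the data can change the digest too."""
    return hmac.compare_digest(sha256_hex(data), stored_digest)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Authenticity tag: HMAC-SHA256 over the data, computable only with the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authentic_ok(key: bytes, data: bytes, tag: str) -> bool:
    """Verify an HMAC tag with a constant-time comparison."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def scenario() -> dict:
    """Run the original, an accidentally corrupted copy, and a deliberately
    forged copy through both checks and report each outcome."""
    key = secrets.token_bytes(32)  # hypothetical key held by the data custodian only
    digest = sha256_hex(RECORD)
    tag = hmac_tag(key, RECORD)

    # Accidental corruption: a single flipped bit in storage.
    corrupted = bytearray(RECORD)
    corrupted[0] ^= 0x01
    corrupted = bytes(corrupted)

    # Deliberate modification by someone with write access to the store:
    # they change the salary and recompute the stored digest, but hold no key.
    forged = RECORD.replace(b"52000", b"92000")
    forged_digest = sha256_hex(forged)

    return {
        "original_integrity": integrity_ok(RECORD, digest),        # True
        "original_authentic": authentic_ok(key, RECORD, tag),      # True
        "corrupted_integrity": integrity_ok(corrupted, digest),    # False: hash catches bit flip
        "corrupted_authentic": authentic_ok(key, corrupted, tag),  # False
        "forged_integrity": integrity_ok(forged, forged_digest),   # True: hash alone is fooled
        "forged_authentic": authentic_ok(key, forged, tag),        # False: tag needs the key
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:>20}: {result}")
```

The forged row is the point: the SHA-256 check passes on the attacker's rewritten record because the digest was recomputed alongside it, so a hash stored beside the data gives integrity against accidents only. The HMAC check fails because the tag cannot be regenerated without the custodian's key, which is what establishes authenticity. The same reasoning is why backups, logs, and software downloads are signed rather than merely hashed when the hash lives in the same place as the data.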
Components of an Information System
An Information System (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization. To fully understand the importance of information security, it is necessary to briefly review the elements of an information system.

Software
The software component of the IS comprises applications, operating systems, and assorted command utilities. Software is perhaps the most difficult IS component to secure. The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The information technology industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. In fact, many facets of daily life are affected by buggy software, from smartphones that crash to flawed automotive control computers that lead to recalls. Software carries the lifeblood of information through an organization. Unfortunately, software programs are often created under the constraints of project management, which limit time, cost, and manpower. Information security is all too often implemented as an afterthought, rather than developed as an integral component from the beginning. In this way, software programs become an easy target of accidental or intentional attacks.

Hardware
Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible.

Data
Data stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset an organization possesses and is the main target of intentional attacks. Systems developed in recent years are likely to make use of database management systems. When done properly, this should improve the security of the data and the application. Unfortunately, many system development projects do not make full use of the database management system's security capabilities, and in some cases the database is implemented in ways that are less secure than traditional file systems.

People
Though often overlooked in computer security considerations, people have always been a threat to information security. People can be the weakest link in an organization's information security program, and unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. Social engineering preys on the tendency to cut corners and on the commonplace nature of human error. It can be used to manipulate the actions of people in order to obtain access to, or information about, a system.

Procedures
Another frequently overlooked component of an IS is procedures. Procedures are written instructions for accomplishing a specific task. When an unauthorized user obtains an organization's procedures, this poses a threat to the integrity of the information. Most organizations distribute procedures to their legitimate employees so they can access the information system, but many of these companies fail to provide proper education on protecting the procedures themselves. Educating employees about safeguarding procedures is as important as physically securing the information system. After all, procedures are information in their own right. Therefore, knowledge of procedures, as with all critical information, should be disseminated among members of the organization only on a need-to-know basis.

Networks
The IS component that created much of the need for increased computer and information security is networking. When information systems are connected to each other to form local area networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. The physical technology that enables network functions is becoming more and more accessible to organizations of every size. Applying the traditional tools of physical security, such as locks and keys, to restrict access to and interaction with the hardware components of an information system is still important; but when computer systems are networked, this approach is no longer enough. Steps to provide network security are essential, as is the implementation of alarm and intrusion detection systems to make system owners aware of ongoing compromises.

Approaches to Information Security Implementation

Bottom-up Approach
Security can begin as a grass-roots effort when systems administrators attempt to improve the security of their systems. This is referred to as the bottom-up approach. The key advantage of the bottom-up approach is the technical expertise of the individual administrators. Unfortunately, this approach seldom works, as it lacks a number of critical features, such as participant support and organizational staying power.
Top-down Approach
An alternative approach, which has a higher probability of success, is called the top-down approach. The project is initiated by upper management, who issue policy, procedures, and processes; dictate the goals and expected outcomes of the project; and determine who is accountable for each of the required actions. The top-down approach has strong upper management support, a dedicated champion, dedicated funding, clear planning, and the opportunity to influence organizational culture. The most successful top-down approach also involves a formal development strategy referred to as a systems development life cycle.

The Systems Development Life Cycle
Information security must be managed in a manner similar to any other major system implemented in the organization. The best approach for implementing an information security system in an organization with little or no formal security in place is to use a variation of the Systems Development Life Cycle (SDLC): the Security Systems Development Life Cycle (SecSDLC).

Methodology and Phases
The SDLC is a methodology for the design and implementation of an information system in an organization. A methodology is a formal approach to solving a problem based on a structured sequence of procedures. Using a methodology ensures a rigorous process and avoids missing steps that can compromise the end goal. The goal here is creating a comprehensive security posture. The traditional SDLC consists of six general phases. SDLC models range from three to twelve phases, all of which can be mapped onto the six presented here. The waterfall model, shown in the figure below, illustrates that each phase begins with the results and information gained from the previous phase.

Investigation
The first phase, investigation, is the most important. What problem is the system being developed to solve? The investigation phase begins with an examination of the event or plan that initiates the process. During the investigation phase, the objectives, constraints, and scope of the project are specified. A preliminary cost-benefit analysis evaluates the perceived benefits and the appropriate levels of cost for those benefits. At the conclusion of this phase, and at every phase following, a feasibility analysis assesses the economic, technical, and behavioral feasibility of the process and ensures that implementation is worth the organization's time and effort.

Analysis
The analysis phase begins with the information gained during the investigation phase. This phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems. Analysts begin by determining what the new system is expected to do and how it will interact with existing systems. This phase ends with the documentation of the findings and an update of the feasibility analysis.

Logical Design
In the logical design phase, the information gained from the analysis phase is used to begin creating a solution system for a business problem. Based on the business need, applications capable of providing the needed services are selected. Based on the applications needed, data support and structures capable of providing the needed inputs are selected. Finally, based on all of the above, specific technologies to implement the physical solution are chosen. At the end, another feasibility analysis is performed.

Physical Design
During the physical design phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design. The selected components are evaluated based on a make-or-buy decision (develop in-house or purchase from a vendor). Final designs integrate the various components and technologies. After yet another feasibility analysis, the entire solution is presented to the end-user representatives for approval.

Implementation
In the implementation phase, any needed software is created or purchased. Components are ordered, received, and tested. Afterwards, users are trained and supporting documentation is created. Again a feasibility analysis is prepared, and the users are then presented with the system for a performance review and acceptance test.

Maintenance and Change
The maintenance and change phase is the longest and most expensive phase of the process. This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until it is determined that the process should begin again from the investigation phase. When the current system can no longer support the changed mission of the organization, the project is terminated and a new project is initiated.

The Security Systems Development Life Cycle
The same phases used in the traditional SDLC can be adapted to support the specialized implementation of a security project. The fundamental process is the identification of specific threats and the creation of specific controls to counter those threats. The SecSDLC unifies the process and makes it a coherent program rather than a series of random, seemingly unconnected actions.

Investigation
The investigation phase of the SecSDLC begins with a directive from upper management, dictating the process, outcomes, and goals of the project, as well as the constraints placed on the activity. Frequently, this phase begins with a statement of program security policy that outlines the implementation of security.
Teams of responsible managers, employees, and contractors are organized, problems are analyzed, and the scope is defined, including goals, objectives, and constraints not covered in the program policy. Finally, an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design.

Analysis
In the analysis phase, the documents from the investigation phase are studied. The development team conducts a preliminary analysis of existing security policies or programs, along with documented current threats and associated controls. This phase also includes an analysis of relevant legal issues that could impact the design of the security solution. Risk management, the process of identifying, assessing, and evaluating the levels of risk facing the organization, also begins in this stage.

Logical Design
The logical design phase creates and develops the blueprints for security, and examines and implements key policies that influence later decisions. Also at this stage, critical planning is developed for the incident response actions to be taken in the event of partial or catastrophic loss. The planning answers the following questions:
o Continuity planning: How will business continue in the event of a loss?
o Incident response: What steps are taken when an attack occurs?
o Disaster recovery: What must be done to recover information and vital systems immediately after a disastrous event?
Next, a feasibility analysis determines whether the project should continue in-house or be outsourced.

Physical Design
In the physical design phase, the security technology needed to support the blueprint outlined in the logical design is evaluated, alternative solutions are generated, and a final design is agreed upon. The security blueprint may be revisited to keep it synchronized with the changes needed when the physical design is completed. The criteria for judging a solution successful are also prepared during this phase. Included at this time are the designs for physical security measures to support the proposed technological solutions. At the end of this phase, a feasibility study should determine the readiness of the organization for the proposed project, and then the champion and users are presented with the design. At this time, all parties involved have a chance to approve the project before implementation begins.

Implementation
The implementation phase is similar to that of the traditional SDLC. The security solutions are acquired (made or bought), tested, implemented, and tested again. Personnel issues are evaluated and specific training and education programs are conducted. Finally, the entire tested package is presented to upper management for final approval.

Maintenance and Change
The maintenance and change phase, though last, is perhaps the most important, given the high level of ingenuity in today's threats. The repair and restoration of information is a constant duel with an often-unseen adversary. As new threats emerge and old threats evolve, the information security profile of an organization requires constant adaptation to prevent threats from successfully reaching sensitive data.

Below is a table summarizing the SDLC and SecSDLC phases.

Security Professionals and the Organization
It takes a wide range of professionals to support a diverse information security program. To develop and execute specific security policies and procedures, additional administrative support and technical expertise are required. The following describes the typical information security responsibilities of various professional roles in an organization.
Senior Management

The senior technology officer is typically the Chief Information Officer (CIO), although other titles such as Vice President of Information, VP for Information Technology, and VP for Systems may be used. The CIO is primarily responsible for advising the Chief Executive Officer, President, or company owner on the strategic planning that affects the management of information in the organization.

The Chief Information Security Officer (CISO) is primarily responsible for the assessment, management, and implementation of securing the information in the organization. The CISO may also be referred to as the Manager for Security, the Security Administrator, or a similar title.

Information Security Project Team

The information security project team should consist of a number of individuals who are experienced in one or multiple facets of the required technical and nontechnical areas. Many of the same skills needed to manage and implement security are also needed to design it. Members of the security project team fill the following roles:

Champion: a senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.

Team leader: a project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.

Security policy developers: individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.

Risk assessment specialists: individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.

Security professionals: dedicated, trained, and well-educated specialists in all aspects of information security from both technical and non-technical standpoints.
Systems administrators: individuals with the primary responsibility for administering the systems that house the information used by the organization.

End users: those the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.

Data Responsibilities

Now that you understand the responsibilities of both senior management and the security project team, we can define the roles of those who own and safeguard the data.

Data Owner - responsible for the security and use of a particular set of information. Data owners usually determine the level of data classification associated with the data, as well as changes to that classification required by organizational change.

Data Custodian - responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

Data Users - the end-system users who work with the information to perform their daily jobs supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

Communities of Interest

Each organization develops and maintains its own unique culture and values. Within each organizational culture, communities of interest develop and evolve. A community of interest is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
These communities of interest include:

Information Security Management and Professionals

Their roles are aligned with the goals and mission of the information security community of interest. These job functions and organizational roles focus on protecting the organization's information systems and stored information from attacks.

Information Technology Management and Professionals

The community of interest made up of IT managers and skilled professionals in systems design, programming, networks, and other related disciplines has many of the same objectives as the information security community. However, its members focus more on the costs of system creation and operation, ease of use for system users, and timeliness of system creation, as well as transaction response time. The goals of the IT community and the information security community are not always in complete alignment, and depending on the organizational structure, this may cause conflict.

Organizational Management and Professionals

The organization's general management team and the rest of the resources in the organization make up the other major community of interest. This larger group is almost always made up of subsets of other interests as well, including executive management, production management, human resources, accounting, and legal, to name just a few.

Information Security: Is it an Art or a Science?

Security as Art

The administrators and technicians who implement security can be compared to a painter applying oils to canvas. There are no hard and fast rules regulating the installation of various security mechanisms, nor are there many universally accepted complete solutions.

Security as Science

Technology developed by computer scientists and engineers – which is designed for rigorous performance levels – makes information security a science as well as an art. Almost every fault, security hole, and system malfunction is a result of the interaction of specific hardware and software.
Security as Social Science

Social science examines the behavior of individuals as they interact with systems, whether these are societal systems or information systems. Information security begins and ends with the people inside the organization and the people who interact with the system, intentionally or otherwise. By understanding some of the behavioral aspects of organizational science and change management, security administrators can greatly reduce the levels of risk caused by end users and create more acceptable and supportable security profiles. These measures, coupled with appropriate policy and training, can substantially improve the performance of end users and result in a more secure information system.

Assessment

1. What is the difference between a threat agent and a threat?
2. What is the difference between vulnerability and exposure?
3. What type of security was dominant in the early years of computing?
4. What are the three components of the CIA triangle? What are they used for?
5. Describe the critical characteristics of information. How are they used in the study of computer security?
6. Identify the six components of an information system. Which are the most directly affected by the study of computer security? Which are the most commonly associated with its study?
7. Why is the top-down approach to information security superior to the bottom-up approach?
8. Why is a methodology important in the implementation of information security? How does a methodology improve the process?
9. How can the practice of information security be described as both an art and a science? How does security as a social science influence its practice?
10. How has computer security evolved into modern information security?

References

1. Whitman, M. (2018). Principles of Information Security (6th ed.).
2. Lynett, M. (2015). A History of Information Security From Past to Present. Mesltd.Ca.
https://blog.mesltd.ca/a-history-of-information-security-from-past-to-present
3. What is an Attack? - Definition from Techopedia. (2012). Techopedia.com. https://www.techopedia.com/definition/6060/attack
4. The History of Cybersecurity: CompTIA's Future of Tech. (2012). CompTIA's Future of Tech. https://www.futureoftech.org/cybersecurity/2-history-of-cybersecurity/

Chapter 2: The Need for Security

Overview

This chapter examines the business drivers behind the information security analysis and design process. It examines current organizational and technological security needs, and emphasizes and builds on the concepts presented in the previous chapter. This chapter also examines the various threats facing organizations and presents methods for ranking these threats that organizations can use when they begin their security planning process.

Learning Objectives

Upon completion of this material, you should be able to:

Demonstrate that organizations have a business need for information security
Explain why a successful information security program is the responsibility of both an organization's general management and IT management
Identify the threats posed to information security and the more common attacks associated with those threats, and differentiate threats to the information within systems from attacks against the information within systems
Describe the issues facing software developers, as well as the common errors made by developers, and explain how software development programs can create software that is more secure and reliable.

Business Needs First

Information security performs four (4) important functions for an organization:

1. Protecting the organization's ability to function
2. Enabling the safe operation of applications running on the organization's IT systems
3. Protecting the data the organization collects and uses
4. Safeguarding the organization's technology assets

Protecting the Functionality of an Organization

Shared responsibility between general management and IT management.
o Set security policy in compliance with legal requirements.
o Not really a technology issue.
Address information security in terms of
o Business impact
o Cost of business interruption

Enabling Safe Operation of Applications

Operation requires integrated, efficient, and capable applications. A modern organization needs to create an environment that protects critical applications such as
o Operating system platforms
o Electronic mail
o Instant messaging
These can be acquired by outsourcing to a service provider or can be developed internally. Protection of the infrastructure must be overseen by management.

Protecting Data that Organizations Collect and Use

Data provides
o A record of transactions (e.g., banking)
o The ability to deliver value to customers
o The means to enable the creation and movement of goods and services
Information systems and the data they process enable the creation and movement of goods and services. Therefore, protecting data in motion (online transactions) and data at rest (offline transactions) are both critical aspects of information security. An effective information security program implemented by management protects the integrity and value of the organization's data.

Safeguarding Technology Assets in Organizations

Organizations must have secure infrastructure services based on the size and scope of the enterprise.
o Smaller businesses may require fewer protections, such as email service provided by an ISP and augmented with a personal encryption tool.
o Additional services are required for larger businesses, such as a Public Key Infrastructure (PKI), an integrated system of software, encryption methodologies, and legal agreements that can be used to support the entire information infrastructure.
In general, as an organization's network grows to accommodate changing needs, more robust technology solutions should replace security programs the organization has outgrown.

Threats

500 B.C. – Chinese general Sun Tzu Wu wrote The Art of War, a military treatise that emphasizes the importance of knowing yourself as well as the threats you face. To protect your organization's information, you must:
1. Know yourself; that is, be familiar with the information to be protected and the systems that store, transport, and process it; and
2. Know the threats you face.

Threat – an object, person, or entity that represents a constant danger to an asset.

14 Categories of Threat

There are 14 categories of threat, which are discussed below.

1. Compromises to Intellectual Property

Intellectual Property – defined as "the ownership of ideas and control over the tangible or virtual representation of those ideas. Use of another person's intellectual property may or may not involve royalty payments or permission, but should always include proper credit to the source." These can be trade secrets, copyrights, trademarks, and patents.

Software piracy – the unlawful use or duplication of software-based intellectual property. It is also the most common IP breach.

A number of technical mechanisms have been used to enforce copyright law. These include:
Digital watermarks and embedded code
Copyright codes
Intentional placement of bad sectors on software media

License agreement – a window that usually pops up during the installation of new software. This is the most common tool used to establish that the user has read and agrees to the license agreement.

Online registration process – another effort to combat piracy. Individuals who install software are often asked or even required to register their software to obtain technical support or the use of all features.
2. Deliberate Software Attacks

Deliberate software attacks occur when an individual or group designs and deploys software to attack a system. Malicious code (sometimes known as malicious software or malware) – software components or programs designed to damage, destroy, or deny service to the target systems. The following are some common instances of malicious code.

1. Virus – A computer virus is designed to spread from host to host and has the ability to replicate itself. In the same way that flu viruses cannot reproduce without a host cell, computer viruses cannot reproduce and spread without a host such as a file or document. A virus operates by inserting or attaching itself to a legitimate program or document that supports macros in order to execute its code. In the process, a virus has the potential to cause unexpected or damaging effects, such as harming the system software by corrupting or destroying data. (What Is A Computer Virus?, 2020)

2. Worm – A computer worm is a type of malware that spreads copies of itself from computer to computer. A worm can replicate itself without any human interaction, and it does not need to attach itself to a software program in order to cause damage. Worms can modify and delete files, and they can even inject additional malicious software onto a computer. Sometimes a computer worm's purpose is only to make copies of itself over and over — depleting system resources, such as hard drive space or bandwidth, by overloading a shared network. In addition to wreaking havoc on a computer's resources, worms can also steal data, install a backdoor, and allow a hacker to gain control over a computer and its system settings. (What is a computer worm and how does it work?, 2019)

3. Trojan Horses – A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems.
Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include deleting data, blocking data, modifying data, copying data, and disrupting the performance of computers or computer networks. (Kaspersky, 2019)

4. Back Door or Trap Door – A virus or worm can have a payload that installs a back door or trap door component in a system, which allows the attacker to access the system at will with special privileges. Examples of these kinds of payloads include SubSeven and Back Orifice.

5. Polymorphic Threats – A polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures. These viruses and worms actually evolve, changing their size and other external file characteristics to elude detection by antivirus software programs.

6. Virus and Worm Hoaxes – These are messages with false warnings about a computer virus or worm. Typically, the warning arrives in an e-mail note or is distributed through a note in a company's internal network. These notes are usually forwarded using distribution lists, and they will typically suggest that the recipient forward the note to other distribution lists. (TechTarget Contributors, 2017)

3. Deviations in Quality of Service

Companies rely on a number of service providers: power, water, sewage, internet, and phone, just to name a few. If one of these providers has irregular service, it could disrupt business operations and threaten the security of information. We refer to this condition as an availability disruption: an interruption in service, usually from a service provider, which can cause an adverse event within the organization.

1. Power – One of the most important services to the organization's IT equipment is electrical power.
Too much or not enough power can cause major issues with computer equipment. Some common conditions include:
a. Blackout – a long-term interruption or outage in electrical power availability.
b. Brownout – a long-term decrease in the quality of electrical power availability.
c. Fault – a short-term interruption in electrical power availability.
d. Noise – the presence of additional and disruptive signals in network communications or electrical power delivery.
e. Sag – a short-term decrease in electrical power availability.
f. Spike – a short-term increase in electrical power availability.
g. Surge – a long-term increase in electrical power availability.

2. Internet – Many organizations today rely heavily on their Internet and web services both to communicate with suppliers and clients, and to acquire and deliver products and services. A failure of this connection would negatively impact the organization. Specific threats or attacks to this connection involve both physical disruptions, like a contractor digging up a cable or a tree falling on a line, as well as electronic disruptions. Many electrical disruptions, intentional or accidental, cover multiple threat categories. In order to minimize the impact and probability of availability disruptions, organizations expect a documented commitment from their service providers that they will provide quality service or provide some form of restitution should they fail. The document that specifies the expected level of service from a service provider is known as a Service Level Agreement, or SLA. An SLA usually contains provisions for a minimum acceptable availability and penalties and remediation procedures for downtime.

3. Communications and Other Service Provider Issues – Other utility services can affect organizations as well. Among these are telephone, water, wastewater, trash pickup, cable television, natural or propane gas, and custodial services. The loss of these services can impair the ability of an organization to function.
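The SLA provisions described under item 2 above can be checked mechanically against a provider's outage log. The following Python is an added example written for this module, not part of the original text or of any real provider's SLA: it assumes hypothetical SLA terms (a 99.9% minimum monthly availability with tiered service credits) and uses constructed outage records for January 2021, merging overlapping outages so that downtime is not double-counted.

```python
from datetime import datetime

# Hypothetical SLA terms (assumed for this example, not from the module):
# the minimum monthly availability and the service credit owed below each floor.
SLA_MIN_AVAILABILITY = 99.9
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]  # (floor %, credit %)

# Constructed outage records from a provider's status log: (start, end) in ISO 8601.
# The third window overlaps the second; the fourth falls outside January.
OUTAGES = [
    ("2021-01-04T02:10:00", "2021-01-04T02:55:00"),
    ("2021-01-17T23:30:00", "2021-01-18T01:00:00"),
    ("2021-01-18T00:40:00", "2021-01-18T00:50:00"),
    ("2021-02-01T00:00:00", "2021-02-01T03:00:00"),
]

# Reporting period: 1 January 2021 up to (but not including) 1 February 2021.
JAN_2021 = (datetime(2021, 1, 1), datetime(2021, 2, 1))


def merged_downtime_minutes(outages, period_start, period_end):
    """Sum outage minutes inside the period, counting overlapping windows once."""
    windows = []
    for start, end in outages:
        s = max(datetime.fromisoformat(start), period_start)  # clip to the period
        e = min(datetime.fromisoformat(end), period_end)
        if e > s:
            windows.append((s, e))
    windows.sort()
    total = 0.0
    cur_start = cur_end = None
    for s, e in windows:
        if cur_end is not None and s <= cur_end:
            cur_end = max(cur_end, e)  # extend the current merged window
            continue
        if cur_end is not None:
            total += (cur_end - cur_start).total_seconds() / 60
        cur_start, cur_end = s, e
    if cur_end is not None:
        total += (cur_end - cur_start).total_seconds() / 60
    return total


def service_credit_percent(availability):
    """Return the credit owed under CREDIT_TIERS for an availability percentage."""
    for floor, credit in CREDIT_TIERS:
        if availability >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def evaluate_sla(outages, period_start, period_end, min_availability=SLA_MIN_AVAILABILITY):
    """Compute availability for the period and compare it with the SLA commitment."""
    period_minutes = (period_end - period_start).total_seconds() / 60
    downtime = merged_downtime_minutes(outages, period_start, period_end)
    availability = (period_minutes - downtime) / period_minutes * 100
    return {
        "downtime_minutes": downtime,
        "availability_percent": round(availability, 3),
        "meets_sla": availability >= min_availability,
        "credit_percent": service_credit_percent(availability),
    }


def january_report():
    """Evaluate the constructed outage log against the assumed SLA for January 2021."""
    return evaluate_sla(OUTAGES, *JAN_2021)


if __name__ == "__main__":
    for key, value in january_report().items():
        print(f"{key}: {value}")
```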
For instance, most facilities require water service to operate an air-conditioning system. If a wastewater system fails, an organization might be prevented from allowing employees into the building.

4. Espionage or Trespass

Espionage or trespass is a well-known and broad category of electronic and human activities that can breach the confidentiality of information. When an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as espionage or trespass. Attackers can use many different methods to access the information stored in an information system.

Some information gathering techniques are quite legal, for example, using a web browser to perform market research. These legal techniques are called, collectively, competitive intelligence. When information gatherers employ techniques that cross the threshold of what is legal or ethical, they are conducting industrial espionage.

Acts of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. Controls sometimes mark the boundaries of an organization's virtual territory. These boundaries give notice to trespassers that they are encroaching on the organization's cyberspace. Sound principles of authentication and authorization can help organizations protect valuable information and systems. These control methods and methodologies employ multiple layers or factors to protect against unauthorized access.

Forms of espionage include:

1. Shoulder surfing – This technique is used in public or semipublic settings when individuals gather information that they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance.
Instances of shoulder surfing occur at computer terminals, desks, ATM machines, on the bus or subway where people use smartphones and tablet PCs, or other places where a person is accessing confidential information.

2. Hackers – These are "people who use and create computer software to gain access to information illegally." Hackers are frequently glamorized in fictional accounts as people who stealthily manipulate a maze of computer networks, systems, and data to find the information that solves the mystery or saves the day.

3. Phreaker – A phreaker hacks the public telephone network to make free calls or disrupt services. Phreakers grew in fame in the 1970s when they developed devices called blue boxes that enabled free calls from pay phones. Later, red boxes were developed to simulate the tones of coins falling in a pay phone, and finally black boxes emulated the line voltage. With the advent of digital communications, these boxes became practically obsolete. Even with the loss of the colored box technologies, phreakers continue to cause problems for all telephone systems.

5. Forces of Nature

Forces of nature, force majeure, or acts of God can present some of the most dangerous threats, because they usually occur with very little warning and are beyond the control of people. These threats, which include events such as fires, floods, earthquakes, and lightning as well as volcanic eruptions and insect infestations, can disrupt not only the lives of individuals but also the storage, transmission, and use of information. Some of the more common threats in this group are listed here.

1. Fire – In this context, usually a structural fire that damages a building housing computing equipment that comprises all or part of an information system, as well as smoke damage and/or water damage from sprinkler systems or firefighters. This threat can usually be mitigated with fire casualty insurance and/or business interruption insurance.
2. Flood – An overflowing of water onto an area that is normally dry, causing direct damage to all or part of the information system or to the building that houses all or part of the information system. A flood might also disrupt operations through interruptions in access to the buildings that house all or part of the information system. This threat can sometimes be mitigated with flood insurance and/or business interruption insurance.

3. Earthquake – A sudden movement of the earth's crust caused by the release of stress accumulated along geologic faults or by volcanic activity. Earthquakes can cause direct damage to all or part of the information system or, more often, to the building that houses it, and can also disrupt operations through interruptions in access to the buildings that house all or part of the information system. This threat can sometimes be mitigated with specific casualty insurance and/or business interruption insurance, but is usually a separate policy.

4. Lightning – An abrupt, discontinuous natural electric discharge in the atmosphere. Lightning usually directly damages all or part of the information system and/or its power distribution components. It can also cause fires or other damage to the building that houses all or part of the information system, and disrupt operations by interfering with access to the buildings that house all or part of the information system. This threat can usually be mitigated with multipurpose casualty insurance and/or business interruption insurance.

5. Landslide or mudslide – The downward sliding of a mass of earth and rock directly damaging all or part of the information system or, more likely, the building that houses it. Land- or mudslides also disrupt operations by interfering with access to the buildings that house all or part of the information system. This threat can sometimes be mitigated with casualty insurance and/or business interruption insurance.
6. Tornado or severe windstorm – A rotating column of air ranging in width from a few yards to more than a mile and whirling at destructively high speeds, usually accompanied by a funnel-shaped downward extension of a cumulonimbus cloud. Storms can directly damage all or part of the information system or, more likely, the building that houses it, and can also interrupt access to the buildings that house all or part of the information system. This threat can sometimes be mitigated with casualty insurance and/or business interruption insurance.

7. Hurricane or typhoon – These storms may disrupt operations by interrupting access to the buildings that house all or part of the information system. This threat can sometimes be mitigated with casualty insurance and/or business interruption insurance.

8. Tsunami – A very large ocean wave caused by an underwater earthquake or volcanic eruption. These events can directly damage all or part of the information system or, more likely, the building that houses it. Organizations located in coastal areas may experience tsunamis. Tsunamis may also cause disruption to operations through interruptions in access or electrical power to the buildings that house all or part of the information system. This threat can sometimes be mitigated with casualty insurance and/or business interruption insurance.

9. Electrostatic discharge (ESD) – Usually, static electricity and ESD are little more than a nuisance. Unfortunately, however, the mild static shock we receive when walking across a carpet can be costly or dangerous when it ignites flammable mixtures and damages costly electronic components. Static electricity can draw dust into clean-room environments or cause products to stick together. The cost of ESD-damaged electronic devices and interruptions to service can range from only a few cents to several million dollars for critical systems. Loss of production time in information processing due to ESD impact is significant.
While not usually viewed as a threat, ESD can disrupt information systems, but it is not usually an insurable loss unless covered by business interruption insurance.

10. Dust contamination – Some environments are not friendly to the hardware components of information systems. Because dust contamination can shorten the life of information systems or cause unplanned downtime, this threat can disrupt normal operations.

Since it is not possible to avoid threats from forces of nature, organizations must implement controls to limit damage, and they must also prepare contingency plans for continued operations, such as disaster recovery plans, business continuity plans, and incident response plans.

6. Human Error or Failure

This category includes acts performed without intent or malicious purpose by an authorized user. When people use information systems, mistakes happen. Inexperience, improper training, and incorrect assumptions are just a few things that can cause these misadventures. Regardless of the cause, even innocuous mistakes can produce extensive damage.

One of the greatest threats to an organization's information security is the organization's own employees. Employees are the threat agents closest to the organizational data. Because employees use data in everyday activities to conduct the organization's business, their mistakes represent a serious threat to the confidentiality, integrity, and availability of data, relative to threats from outsiders.

Much human error or failure can be prevented with training and ongoing awareness activities, but also with controls, ranging from simple procedures, such as requiring the user to type a critical command twice, to more complex procedures, such as the verification of commands by a second party.
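The two controls named above, retyping a critical command and having a second party verify it, can be combined into one gate placed in front of the command. The following Python is an added example written for this module, not code from the original text; the command names, user names, and the simulated executor are hypothetical, and the gate also records an audit trail so that mistakes and rejected approvals stay visible.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class CriticalRequest:
    """A critical command waiting for both safeguards to be satisfied."""
    request_id: int
    requester: str
    command: str
    confirmed: bool = False


class CriticalCommandGate:
    """Releases a critical command only after (1) the requester re-types it
    exactly and (2) a second, different person approves it."""

    def __init__(self, executor: Callable[[str], str]):
        self._executor = executor                    # what actually runs the command
        self._pending: Dict[int, CriticalRequest] = {}
        self._next_id = 1
        self.audit: List[str] = []                   # append-only audit trail

    def request(self, requester: str, command: str) -> int:
        req = CriticalRequest(self._next_id, requester, command)
        self._pending[req.request_id] = req
        self._next_id += 1
        self.audit.append(f"REQUEST #{req.request_id} by {requester}: {command}")
        return req.request_id

    def confirm(self, request_id: int, requester: str, retyped: str) -> bool:
        """Control 1: the same user must type the command a second time.
        Any difference (a typo, a changed argument) is treated as a mistake."""
        req = self._pending.get(request_id)
        if req is None or req.requester != requester:
            self.audit.append(f"CONFIRM #{request_id} rejected: unknown request or wrong user")
            return False
        if retyped != req.command:
            self.audit.append(f"CONFIRM #{request_id} mismatch: {retyped!r} != {req.command!r}")
            return False
        req.confirmed = True
        self.audit.append(f"CONFIRM #{request_id} ok")
        return True

    def approve(self, request_id: int, approver: str) -> str:
        """Control 2: a second party verifies the command before it executes."""
        req = self._pending.get(request_id)
        if req is None:
            raise KeyError(f"no pending request #{request_id}")
        if not req.confirmed:
            raise PermissionError("command has not been confirmed by the requester")
        if approver == req.requester:
            self.audit.append(f"APPROVE #{request_id} rejected: self-approval by {approver}")
            raise PermissionError("requester cannot approve their own command")
        del self._pending[request_id]
        self.audit.append(f"APPROVE #{request_id} by {approver}; executing")
        return self._executor(req.command)

    def pending_count(self) -> int:
        return len(self._pending)


def simulated_executor(command: str) -> str:
    """Stand-in for the real system (hypothetical); it only reports what would run."""
    return f"executed: {command}"


def demo() -> dict:
    """Walk one constructed command through both controls and return the outcomes."""
    gate = CriticalCommandGate(simulated_executor)
    cmd = "purge-backups --older-than 30d"
    rid = gate.request("alice", cmd)
    typo_accepted = gate.confirm(rid, "alice", "purge-backups --older-than 3d")  # typo
    retyped_ok = gate.confirm(rid, "alice", cmd)                                  # exact
    try:
        gate.approve(rid, "alice")          # requester tries to approve her own command
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    result = gate.approve(rid, "bob")       # a different person verifies it
    return {
        "typo_accepted": typo_accepted,
        "retyped_ok": retyped_ok,
        "self_approval_blocked": self_approval_blocked,
        "result": result,
        "pending_after": gate.pending_count(),
        "audit_entries": len(gate.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```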
7. Information Extortion

Information extortion occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it. Extortion is common in credit card number theft.

8. Missing, Inadequate, or Incomplete Organizational Policy or Planning

Missing, inadequate, or incomplete organizational policy or planning makes an organization vulnerable to loss, damage, or disclosure of information assets when other threats lead to attacks. Information security is, at its core, a management function. The organization's executive leadership is responsible for strategic planning for security as well as for IT and business functions—a task known as governance.

9. Missing, Inadequate, or Incomplete Controls

Missing, inadequate, or incomplete controls—that is, security safeguards and information asset protection controls that are missing, misconfigured, antiquated, or poorly designed or managed—make an organization more likely to suffer losses when other threats lead to attacks. For example, if a small organization installs its first network using small office/home office (SOHO) equipment (which is similar to the equipment you might have on your home network) and fails to upgrade its network equipment as it becomes larger, the increased traffic can affect performance and cause information loss. Routine security audits to assess the current levels of protection help to ensure the continuous protection of the organization's assets.

10. Sabotage or Vandalism

This category of threat involves the deliberate sabotage of a computer system or business, or acts of vandalism to either destroy an asset or damage the image of an organization. These acts can range from petty vandalism by employees to organized sabotage against an organization. Although not necessarily financially devastating, attacks on the image of an organization are serious.
Vandalism to a Web site can erode consumer confidence, thus diminishing an organization's sales and net worth, as well as its reputation. There are innumerable reports of hackers accessing systems and damaging or destroying critical data. Hacked Web sites once made front-page news, as the perpetrators intended. The impact of these acts has lessened as the volume has increased. Compared to Web site defacement, vandalism within a network is more malicious in intent and less public.

Today, security experts are noticing a rise in another form of online vandalism, hacktivist or cyberactivist operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. A much more sinister form of hacking is cyberterrorism. Cyberterrorists hack systems to conduct terrorist activities via network or Internet pathways. The United States and other governments are developing security measures intended to protect the critical computing and communications networks as well as the physical and power utility infrastructures.

11. Theft

The threat of theft—the illegal taking of another's property, which can be physical, electronic, or intellectual—is a constant. The value of information is diminished when it is copied without the owner's knowledge. Physical theft can be controlled quite easily by means of a wide variety of measures, from locked doors to trained security personnel and the installation of alarm systems. Electronic theft, however, is a more complex problem to manage and control. When someone steals a physical object, the loss is easily detected; if it has any importance at all, its absence is noted. When electronic information is stolen, the crime is not always readily apparent. If thieves are clever and cover their tracks carefully, no one may ever know of the crime until it is far too late.
Technical Hardware Failures or Errors Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. Some errors are terminal—that is, they result in the unrecoverable loss of the equipment. Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily repeated, and thus, equipment can sometimes stop working, or work in unexpected ways. 13. Technical Software Failures or Errors Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved. Sometimes, combinations of certain software and hardware reveal new bugs. These failures range from bugs to untested failure conditions. Sometimes these bugs are not errors, but rather purposeful shortcuts left by programmers for benign or malign reasons. Collectively, shortcut access routes into programs that bypass security checks are called trap doors and can cause serious security breaches. 14. Technological Obsolescence Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems. Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity from attacks. INFORMATION ASSURANCE AND SECURITY 1 22 Management’s strategic planning should always include an analysis of the technology currently in use. Ideally, proper planning by management should prevent technology from becoming obsolete, but when obsolescence is manifest, management must take immediate action. IT professionals play a large role in the identification of probable obsolescence. Attacks An attack is an act that takes advantage of a vulnerability to compromise a controlled system. It is accomplished by a threat agent that damages or steals an organization’s information or physical asset. 
A vulnerability is an identified weakness in a controlled system, where controls are not present or are no longer effective. Unlike threats, which are always present, attacks only exist when a specific act may cause a loss. The following are the major types of attacks used against controlled systems: 1. Malicious Code The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. The state-of-the-art malicious code attack is the polymorphic, or multivector, worm. These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in commonly found information system devices. Other forms of malware include covert software applications—bots, spyware, and adware— that are designed to work out of sight of users or via an apparently innocuous user action. A bot (an abbreviation of robot) is an automated software program that executes certain commands when it receives a specific input. Bots are often the technology used to implement Trojan horses, logic bombs, back doors, and spyware. Spyware is “any technology that aids in gathering information about a person or organization without their knowledge. Spyware is placed on a computer to secretly gather information about the user and report it. The various types of spyware include: o a Web bug, a tiny graphic on a Web site that is referenced within the Hypertext Markup Language (HTML) content of a Web page or e-mail to collect information about the user viewing the HTML content; o a tracking cookie, which is placed on the user’s computer to track the user’s activity on different Web sites and create a detailed profile of the user’s behavior. Adware is any software program intended for marketing purposes such as that used to deliver and display advertising banners or popups to the user’s screen or tracking the user’s online usage or purchasing activity. 2. 
Hoaxes A more devious attack on computer systems is the transmission of a virus hoax with a real virus attached. When the attack is masked in a seemingly legitimate message, unsuspecting users more readily distribute it. Even though these users are trying to do the right thing to avoid infection, they end up sending the attack on to their coworkers and friends and infecting many users along the way. INFORMATION ASSURANCE AND SECURITY 1 23 3. Back Doors Using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door. Sometimes these entries are left behind by system designers or maintenance staff, and thus are called trap doors. A trap door is hard to detect, because very often the programmer who puts it in place also makes the access exempt from the usual audit logging features of the system. 4. Password Crack Attempting to reverse-calculate a password is often called cracking. A cracking attack is a component of many dictionary attacks. It is used when a copy of the Security Account Manager (SAM) data file, which contains hashed representation of the user’s password, can be obtained. A password can be hashed using the same algorithm and compared to the hashed results. If they are the same, the password has been cracked. 5. Brute Force The application of computing and network resources to try every possible password combination is called a brute force attack. Since the brute force attack is often used to obtain passwords to commonly used accounts, it is sometimes called a password attack. If attackers can narrow the field of target accounts, they can devote more time and resources to these accounts. That is one reason to always change the manufacturer’s default administrator account names and passwords. 6. 
Dictionary Attack The dictionary attack is a variation of the brute force attack which narrows the field by selecting specific target accounts and using a list of commonly used passwords (the dictionary) instead of random combinations. Organizations can use similar dictionaries to disallow passwords during the reset process and thus guard against easy-to-guess passwords. In addition, rules requiring numbers and/or special characters in passwords make the dictionary attack less effective. 7. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) In a denial-of-service (DoS) attack, the attacker sends a large number of connection or information requests to a target. So many requests are made that the target system becomes overloaded and cannot respond to legitimate requests for service. The system may crash or simply become unable to perform ordinary functions. A distributed denial-of- service (DDoS) is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. Most DDoS attacks are preceded by a preparation phase in which many systems, perhaps thousands, are compromised. The compromised machines are turned into zombies, machines that are directed remotely (usually by a transmitted command) by the attacker to participate in the attack. 8. Spoofing Spoofing is a technique used to gain unauthorized access to computers, wherein the intruder sends messages with a source IP address that has been forged to indicate that the messages are coming from a trusted host. To engage in IP spoofing, hackers use a variety of techniques to obtain trusted IP addresses, and then modify the packet headers to insert these forged addresses. Newer routers and firewall arrangements can offer protection against IP spoofing. INFORMATION ASSURANCE AND SECURITY 1 24 9. 
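The password-crack, brute-force and dictionary-attack items above all turn on the same two defences the text names: refusing easy-to-guess passwords at reset time and storing only a hashed representation. The following is an added example, not code from the module, showing a constructed reset-time policy check (dictionary match including leetspeak and trailing-year variants, user-name check, digit and special-character rules) and a salted, slow hash so that each guess against a stolen hash file costs a full key-derivation run; the wordlist, rule thresholds and sample requests are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of commonly used passwords; a real reset service would load a
# large wordlist (the same kind of list a dictionary attack uses).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

# Map the usual character substitutions back to letters so "P@ssw0rd" still matches "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})
_TRAILING_JUNK = re.compile(r"[\d\W_]+$")   # strips a trailing "2024!"-style suffix


def _normalise(text):
    return text.lower().translate(_LEET)


def check_password_policy(candidate, username="", dictionary=COMMON_PASSWORDS, min_length=12):
    """Return the list of policy violations; an empty list means the password is acceptable.

    Constructed example policy: minimum length, no dictionary word (even with leetspeak
    or a trailing year), no user name, and at least one digit and one special character.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Compare the raw and de-leeted forms, with and without a trailing suffix.
    forms = {candidate.lower(), _normalise(candidate)}
    core = _TRAILING_JUNK.sub("", candidate)
    if core:
        forms.update({core.lower(), _normalise(core)})
    if any(form in dictionary for form in forms):
        problems.append("matches a dictionary entry")
    if username and any(username.lower() in form for form in forms):
        problems.append("contains the user name")
    if not re.search(r"\d", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    return problems


def hash_password(password, salt=None, iterations=600_000):
    """Store a salted, deliberately slow hash instead of the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=600_000):
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed reset requests: (user name, proposed password)
    for user, pw in [("jsantos", "password"), ("jsantos", "P@ssw0rd2024!"),
                     ("jsantos", "jsantos2024!x"), ("jsantos", "mauve-Tractor-9-orbit")]:
        print(f"{pw!r}: {check_password_policy(pw, user) or 'accepted'}")
    salt, digest = hash_password("mauve-Tractor-9-orbit")
    print("verify correct:", verify_password("mauve-Tractor-9-orbit", salt, digest))
    print("verify wrong:  ", verify_password("password", salt, digest))
```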
9. Man-in-the-Middle
In the well-known man-in-the-middle or TCP hijacking attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. This type of attack uses IP spoofing to enable an attacker to impersonate another entity on the network. It allows the attacker to eavesdrop as well as to change, delete, reroute, add, forge, or divert data. A variant of TCP hijacking involves the interception of an encryption key exchange, which enables the hacker to act as an invisible man-in-the-middle—that is, an eavesdropper—on encrypted communications.

10. Spam
Spam is unsolicited commercial e-mail. While many consider spam a trivial nuisance rather than an attack, it has been used as a means of enhancing malicious code attacks. The most significant consequence of spam, however, is the waste of computer and human resources. Many organizations attempt to cope with the flood of spam by using e-mail filtering technologies. Other organizations simply tell the users of the mail system to delete unwanted messages.

11. Mail Bombing
Another form of e-mail attack that is also a DoS is called a mail bomb, in which an attacker routes large quantities of e-mail to the target. This can be accomplished by means of social engineering or by exploiting various technical flaws in the Simple Mail Transfer Protocol (SMTP). The target of the attack receives an unmanageably large volume of unsolicited e-mail. By sending large e-mails with forged header information, attackers can take advantage of poorly configured e-mail systems on the Internet and trick them into sending many e-mails to an address chosen by the attacker. If many such systems are tricked into participating in the event, the target e-mail address is buried under thousands or even millions of unwanted e-mails.

12. Sniffers
A sniffer is a program or device that can monitor data traveling over a network.
Sniffers can be used both for legitimate network management functions and for stealing information. Unauthorized sniffers can be extremely dangerous to a network’s security, because they are virtually impossible to detect and can be inserted almost anywhere. This makes them a favorite weapon in the hacker’s arsenal. Sniffers often work on TCP/IP networks, where they’re sometimes called packet sniffers. Sniffers add risk to the network, because many systems and users send information on local networks in clear text. A sniffer program shows all the data going by, including passwords, the data inside files—such as word-processing documents—and screens full of sensitive data from applications.

13. Social Engineering
Social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker. There are several social engineering techniques, which usually involve a perpetrator posing as a person higher in the organizational hierarchy than the victim. To prepare for this false representation, the perpetrator may have used social engineering tactics against others in the organization to collect seemingly unrelated information that, when used together, makes the false representation more credible.

14. Phishing
Phishing is an attempt to gain personal or financial information from an individual, usually by posing as a legitimate entity. Phishing attacks use three primary techniques, often in combination with one another: URL manipulation, Web site forgery, and phone phishing. In URL manipulation, attackers send an HTML-embedded e-mail message, or a hyperlink whose HTML code opens a forged Web site. In Web site forgery, phishers publish a Web site that copies the design, content, and user interface of a legitimate Web site. Phone phishing is pure social engineering.
The attacker calls a victim on the telephone and pretends to be someone they are not (a practice sometimes called pretexting) in order to gain access to private or confidential information such as health or employment records or financial information. They may impersonate someone who is known to the potential victim only by reputation.

15. Pharming
Pharming is the redirection of legitimate Web traffic (e.g., browser requests) to an illegitimate site for the purpose of obtaining private information. Pharming often uses Trojans, worms, or other virus technologies to attack the Internet browser’s address bar so that the valid URL typed by the user is modified to that of the illegitimate Web site. Pharming may also exploit the Domain Name System (DNS) by causing it to transform the legitimate host name into the invalid site’s IP address; this form of pharming is also known as DNS cache poisoning.

16. Timing Attack
A timing attack explores the contents of a Web browser’s cache and stores a malicious cookie on the client’s system. The cookie (which is a small quantity of data stored by the Web browser on the local system, at the direction of the Web server) can allow the designer to collect information on how to access password-protected sites. Another attack by the same name involves the interception of cryptographic elements to determine keys and encryption algorithms.

Secure Software Development
Systems consist of hardware, software, networks, data, procedures, and people using the system. Many of the information security issues described in this chapter have their root cause in the software elements of the system. Secure systems require secure, or at least securable, software. The development of systems and the software they use is often accomplished using a methodology, such as the systems development life cycle (SDLC).
Many organizations recognize the need to include planning for security objectives in the SDLC they use to create systems, and have put in place procedures to create software that is more able to be deployed in a secure fashion. This approach to software development is known as software assurance, or SA.

Software Assurance and the SA Common Body of Knowledge
The U.S. Department of Defense (DoD) launched a Software Assurance Initiative in 2003. This initial process was led by Joe Jarzombek and was endorsed and supported by the Department of Homeland Security (DHS), which joined the program in 2004. This program initiative resulted in the publication of the Secure Software Assurance (SwA) Common Body of Knowledge (CBK). A working group drawn from industry, government, and academia was formed to examine two key questions:
1. What are the engineering activities or aspects of activities that are relevant to achieving secure software?
2. What knowledge is needed to perform these activities or aspects?
Based on the findings of this working group, and a host of existing external documents and standards, the SwA CBK was developed and published to serve as a guideline. While this work has not yet been adopted as a standard or even a policy requirement of government agencies, it serves as a strongly recommended guide to developing more secure applications. The SwA CBK, which is a work in progress, contains the following sections:
o Nature of Dangers
o Fundamental Concepts and Principles
o Ethics, Law, and Governance
o Secure Software Requirements
o Secure Software Design
o Secure Software Construction
o Secure Software Verification, Validation, and Evaluation
o Secure Software Tools and Methods
o Secure Software Processes
o Secure Software Project Management
o Acquisition of Secure Software
o Secure Software Sustainment
The following sections provide insight into the stages that should be incorporated into the software SDLC.
Software Design Principles
Economy of mechanism: Keep the design as simple and small as possible.
Fail-safe defaults: Base access decisions on permission rather than exclusion.
Complete mediation: Every access to every object must be checked for authority.
Open design: The design should not be secret, but rather depend on the possession of keys or passwords.
Separation of privilege: Where feasible, a protection mechanism should require two keys to unlock, rather than one.
Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
Least common mechanism: Minimize mechanisms (or shared variables) common to more than one user and depended on by all users.
Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.

Software Development Security Problems
Some software development problems that result in software that is difficult or impossible to deploy in a secure fashion have been identified as “deadly sins in software security.” These twenty problem areas in software development (which is also called software engineering) were originally categorized by John Viega, upon request of Amit Yoran, who at the time was the Director of the Department of Homeland Security’s National Cyber Security Division. These problem areas are the following:

1. Buffer Overruns - Buffers are used to manage mismatches in the processing rates between two entities involved in a communication process. A buffer overrun (or buffer overflow) is an application error that occurs when more data is sent to a program buffer than it is designed to handle. During a buffer overrun, an attacker can make the target system execute instructions, or the attacker can take advantage of some other unintended consequence of the failure. Sometimes this is limited to a denial-of-service attack.
In any case, data on the attacked system loses integrity.

2. Command Injection - Command injection problems occur when user input is passed directly to a compiler or interpreter. The underlying issue is the developer’s failure to ensure that command input is validated before it is used in the program.

3. Cross-site Scripting - Cross-site scripting (or XSS) occurs when an application running on a Web server gathers data from a user in order to steal it. An attacker can use weaknesses in the Web server environment to insert commands into a user’s browser session, so that users ostensibly connected to a friendly Web server are, in fact, sending information to a hostile server. This allows the attacker to acquire valuable information, such as account credentials, account numbers, or other critical data. Often an attacker encodes a malicious link and places it in the target server, making it look less suspicious. After the data is collected by the hostile application, it sends what appears to be a valid response from the intended server.

4. Failure to Handle Errors - What happens when a system or application encounters a scenario that it is not prepared to handle? Does it attempt to complete the operation (reading or writing data or performing calculations)? Does it issue a cryptic message that only a programmer could understand? Or does it simply stop functioning? Failure to handle errors can cause a variety of unexpected system behaviors. Programmers are expected to anticipate problems and prepare their application code to handle them.

5. Failure to Protect Network Traffic - Traffic on a wired network is also vulnerable to interception in some situations. On networks using hubs instead of switches, any user can install a packet sniffer and collect communications to and from users on that network.
Periodic scans for unauthorized packet sniffers, unauthorized connections to the network, and general awareness of the threat can mitigate this problem.

6. Failure to Store and Protect Data Securely - Storing and protecting data securely is a large enough issue to be the core subject of this entire text. Programmers are responsible for integrating access controls into, and keeping secret information out of, programs. Access controls, the subject of later chapters, regulate who, what, when, where, and how individuals and systems interact with data. Failure to properly implement sufficiently strong access controls makes the data vulnerable. Overly strict access controls hinder business users in the performance of their duties, and as a result the controls may be administratively removed or bypassed.

7. Failure to Use Cryptographically Strong Random Numbers - Most modern cryptosystems, like many other computer systems, use random number generators. Howev