ISDS705: Chapter 13: Information Security: Barbarians at the Gateway (and Just About Everywhere Else)

(T/F): While dangerous, a number of tools and techniques can be used to identify phishing scams, limiting their likelihood of success.

True

(T/F): • Cybercriminals operate in an increasingly sophisticated ecosystem where data harvesters and tool peddlers leverage sophisticated online markets to sell to cash-out fraudsters and other crooks.

True

Lock down systems

. Audit for SQL injection and other application exploits. The security team must constantly scan exploits and then probe its systems to see if it's susceptible, advising and enforcing action if problems are uncovered. This kind of auditing should occur with all of a firm's partners.

What factors were responsible for the TJX breach? Who was responsible for the breach? How do you think the firm should have responded?

A number of factors led to and amplified the severity of the TJX breach. There was a personnel betrayal: the mastermind was an alleged FBI informant who previously helped bring down a massive credit card theft scheme but then double-crossed the Feds and used insider information to help his gang outsmart the law and carry out subsequent hacks (Goldman, 2009). There was a technology lapse: TJX made itself an easy mark by using WEP, a wireless security technology less secure than the stuff many consumers use in their homes—one known for years to be trivially compromised by the kind of "drive-by" hacking initiated by the perpetrators. And there was a procedural gaffe: retailers were in the process of rolling out a security rubric known as the Payment Card Industry Data Security Standard. Despite an industry deadline, however, TJX had requested and received an extension, delaying the rollout of mechanisms that might have discovered and plugged the hole before the hackers got in

What is dumpster diving?

Anything valuable that reaches the trash in a recoverable state is also a potential security breach. Hackers and spies sometimes practice dumpster diving, sifting through trash in an effort to uncover valuable data or insights that can be stolen or used to launch a security attack

What are honeypots?

Attractive, unprotected computer whose sole purpose is to trap potential attackers

What is a botnet? What sorts of exploits would use a botnet? Why would a botnet be useful to cybercriminals?

Botnets of zombie computers (networks of infiltrated and compromised machines controlled by a central command) are used for all sorts of nefarious activity. This includes sending spam from thousands of difficult-to-shut-down accounts, launching tough-to-track click fraud efforts or staging what's known as distributed denial of service (DDoS) attacks (effectively shutting down Web sites by overwhelming them with a crushing load of seemingly legitimate requests sent simultaneously by thousands of machines). Botnets have been discovered that are capable of sending out 100 billion spam messages a day (Higgins, 2008), and botnets as large as 10 million zombies have been identified. Such systems theoretically control more computing power than the world's fastest supercomputers. Extortionists might leverage botnets or hacked data to demand payment to avoid retribution.

What is social engineering?

Con games that trick employees into revealing information or performing other tasks that compromise a firm

What has become a legitimate threat?

Cyberwarfare has become a legitimate threat, with several attacks demonstrating how devastating technology disruptions by terrorists or a foreign power might be.

(T/F): Frameworks such as ISO27k can provide a road map to help organizations plan and implement an effective security regime.

True

Why might someone leverage botnets?

Extortionists might leverage botnets or hacked data to demand payment to avoid retribution.

What does spoofed mean?

Faked

(T/F): Information security is everyone's business and needs to be made a top organizational priority.

True

What is a firewall?

Firms employ firewalls to examine traffic as it enters and leaves the network, potentially blocking certain types of access, while permitting approved communication

Patch

Firms must be especially vigilant to pay attention to security bulletins and install software updates that plug existing holes, (often referred to as patches). Firms that don't plug known problems will be vulnerable to trivial and automated attacks. Unfortunately, many firms aren't updating all components of their systems with consistent attention. With operating systems automating security update installations, hackers have moved on to application targets. But a major study recently found that organizations took at least twice as long to patch application vulnerabilities as they take to patch operating system holes (Wildstrom, 2009). And remember, software isn't limited to conventional PCs and servers. Embedded systems abound, and connected, yet unpatched devices are vulnerable. Malware has infected everything from unprotected ATM machines (Lilly, 2009) to restaurant pointof-sale systems (McMillan, 2009) to fighter plane navigation systems (Matyszczyk, 2009).

Lock down hardware

Firms range widely in the security regimes used to govern purchase through disposal system use. While some large firms such as Kraft are allowing employees to select their own hardware (Mac or PC, desktop or notebook, iPhone or BlackBerry) (Wingfield, 2009), others issue standard systems that prevent all unapproved software installation and force file saving to hardened, backed-up, scanned, and monitored servers. Firms in especially sensitive industries such as financial services may regularly reimage the hard drive of end-user PCs, completely replacing all the bits on a user's hard drive with a pristine, current version—effectively wiping out malware that might have previously sneaked onto a user's PC. Other lock-down methods might disable the boot capability of removable media (a common method for spreading viruses via inserted discs or USBs), prevent Wi-Fi use or require VPN encryption before allowing any network transmissions, and more. The cloud helps here, too. Employers can also require workers to run all of their corporate applications inside a remote desktop where the actual executing hardware and software is elsewhere (likely hosted as a virtual machine session on the organization's servers), and the user is simply served an image of what is executing remotely. This seals the virtual PC off in a way that can be thoroughly monitored, updated, backed up, and locked down by the firm.

(T/F): Information security is not simply a technical fix. Education, audit, and enforcement regarding firm policies are critical. The security team is broadly skilled and constantly working to identify and incorporate new technologies and methods into their organizations. Involvement and commitment is essential from the boardroom to frontline workers, and out to customers and partners.

True

Lock down partners

Insist partner firms are compliant, and audit them to ensure this is the case. This includes technology providers and contract firms, as well as value chain participants such as suppliers and distributors. Anyone who touches your network is a potential point of weakness. Many firms will build security expectations and commitments into performance guarantees known as service level agreements (SLAs).

Can someone be 100% secure?

Let's be clear from the start: no text can provide an approach that 375 will guarantee that you'll be 100 percent secure

(T/F): Information security isn't just a technology problem; a host of personnel and procedural factors can create and amplify a firm's vulnerability.

True

Lockdown the network

Network monitoring is a critical part of security, and a host of technical tools can help. Firms employ firewalls to examine traffic as it enters and leaves the network, potentially blocking certain types of access, while permitting approved communication. Intrusion detection systems specifically look for unauthorized behavior, sounding the alarm and potentially taking action if something seems amiss. Some firms deploy honeypots—bogus offerings meant to distract attackers. If attackers take honeypot bait, firms may gain an opportunity to recognize the hacker's exploits, identify the IP address of intrusion, and take action to block further attacks and alert authorities

What are Botnets?

Networks of compromised computers controlled remotely; use techniques similar to legitimate businesses, including the involvement of personnel with various specialties, feature-based pricing structures, modularization, and software copy protection.

What should you never do?

Never click on a link or download a suspicious, unexpected enclosure without verifying the authenticity of the sender. If something looks suspicious, don't implicitly trust the "from" link in an e-mail. It's possible that the e-mail address has been spoofed (faked) or that it was sent via a colleague's compromised account. If unsure, contact the sender or your security staff.

What is another attempt at phishing?

Other phishing attempts might dupe a user into unwittingly downloading dangerous software (malware) that can do things like record passwords and keystrokes, provide hackers with deeper access to your corporate network, or enlist your PC as part of a botnet

(T/F): Many law enforcement agencies are underfunded, underresourced, and underskilled to deal with the growing hacker threat.

True

What should be a top organizational priority?

Security

(T/F): Many organizations are bound by security compliance commitments and will face fines and retribution if they fail to meet these commitments.

True

Why are threats to the power grid potentially so concerning? What are the implications of power-grid failure and of property damage? Who might execute these kinds of attacks? What are the implications for firms and governments planning for the possibility of cyberwarfare and cyberterror?

Taking out key components of the vulnerable U.S. power grid may be particularly devastating, as the equipment is expensive, much of it is no longer made in the United States, and some components may take three to four months to replace. Other threats come from malicious pranksters, like the group that posted seizure-inducing images on Web sites frequented by epilepsy sufferers (Schwartz, 2008). Others are hacktivists, targeting firms, Web sites, or even users as a protest measure. In 2009, Twitter was brought down and Facebook and LiveJournal were hobbled as Russiansympathizing hacktivists targeted the social networking and blog accounts of the Georgian blogger known as Cyxymu. The silencing of millions of accounts was simply collateral damage in a massive DDoS attack meant to mute this single critic of the Russian government

(T/F): Most users employ inefficient and insecure password systems; however, techniques were offered to improve Information Systems one's individual password regime.

True

(T/F): SQL injection and related techniques show the perils of poor programming. Software developers must design for security from the start—considering potential security weaknesses, and methods that improve end-user security (e.g., in areas such as installation and configuration).

True

(T/F): Security is about trade-offs—economic and intangible. Firms need to understand their assets and risks in order to best allocate resources and address needs.

True

What is a hacker/hack?

The terms hacker and hack are widely used, but their meaning is often based on context. When referring to security issues, the media widely refers to hackers as bad guys who try to break into (hack) computer systems. Some geezer geeks object to this use, as the term hack in computer circles originally referred to a clever (often technical) solution and Information Systems the term hacker referred to a particularly skilled programmer. Expect to see the terms used both positively and negatively.

What is the difference between a white hat hacker and a black hat hacker?

The white hats are the good guys who probe for weaknesses, but don't exploit them. Instead, they share their knowledge in hopes that the holes they've found will be plugged and security will be improved. Many firms hire consultants to conduct "white hat" hacking expeditions on their own assets as part of their auditing and security process. "Black hats" are the bad guys. Some call them "crackers." There's even a well-known series of hacker conventions known as the Black Hat conference.

(T/F): Social engineering attempts to trick or con individuals into providing information, while phishing techniques are cons conducted through technology.

True

(T/F): Social media sites may assist hackers in crafting phishing or social engineering threats, provide information to password crackers, and act as conduits for unwanted dissemination of proprietary information.

True

(T/F): Technical and legal complexity make pursuit and prosecution difficult.

True

(T/F): The use of frameworks and being compliant is not equal to security. Security is a continued process that must be constantly addressed and deeply ingrained in an organization's culture.

True

(T/F): Threats can come from both within the firm as well as from the outside.

True

(T/F): Viruses, worms, and Trojans are types of infecting malware. Other types of malware might spy on users, enlist the use of computing assets for committing crimes, steal assets, destroy property, serve unwanted ads, and more.

True

(T/F): An organization's information assets are vulnerable to attack from several points of weakness, including users and administrators, its hardware and software, its networking systems, and various physical threats.

True

(T/F): Computer security threats have moved beyond the curious teen with a PC and are now sourced from a number of motivations, including theft, leveraging compromised computing assets, extortion, espionage, warfare, terrorism, pranks, protest, and revenge.

True

(T/F): Encryption can render a firm's data assets unreadable, even if copied or stolen. While potentially complex to administer and resource intensive, encryption is a critical tool for securing an organization's electronic assets.

True

(T/F): End users can engage in several steps to improve the information security of themselves and their organizations. These include surfing smart, staying vigilant, updating software and products, using a comprehensive security suite, managing settings and passwords responsibly, backing up, properly disposing of sensitive assets, and seeking education.

True

(T/F): Examples of attacks and scams launched through advertising on legitimate Web pages highlight the need for end-user caution, as well as for firms to ensure the integrity of their participating online partners.

True

(T/F): Firms suffering a security breach can experience direct financial loss, exposed proprietary information, fines, legal payouts, court costs, damaged reputations, plummeting stock prices, and more.

True

What other names does Malware go by?

Virus, worms, or trojans.

Have failure and recovery plans

While firms work to prevent infiltration attempts, they should also have provisions in place that plan for the worst. If a compromise has taken place, what needs to be done? Do stolen assets need to be devalued (e.g., accounts terminated, new accounts issued)? What should be done to notify customers and partners, educate them, and advise them through any necessary responses? Who should work with law enforcement and with the media? Do off-site backups or redundant systems need to be activated? Can systems be reliably restored without risking further damage?

Are security attacks on the rise?

Yes, Attacks are on the rise. In 2008, more electronic records were breached than in the previous four years combined (King, 2009). While the examples and scenarios presented here are shocking, the good news is that the vast majority of security breaches can be prevented.

What are whitelists?

are even more restrictive—permitting communication only with approved entities or in an approved manner.

What are Biometrics?

are often thought of as a solution, but technologies that replace conventionally typed passwords with things like fingerprint readers, facial recognition, or iris scans are still rarely used, and PCs that include such technologies are widely viewed as novelties.

What is distributed denial of service (DDoS)?

attacks (effectively shutting down Web sites by overwhelming them with a crushing load of seemingly legitimate requests sent simultaneously by thousands of machines)

What is a Cash-out fraudster?

criminals who might purchase data from the harvesters in order to buy (then resell) goods using stolen credit cards or create false accounts via identity theft. These collection and resale operations are efficient and sophisticated. Law enforcement has taken down sites like DarkMarket and ShadowCrew, in which card thieves and hacking tool peddlers received eBay-style seller ratings vouching for the "quality" of their wares

What is data harvesting?

is a process where a small script, also known as a malicious bot, is used to automatically extract large amount of data from websites and use it for other purposes.

What should an organization consider?

make you aware of vulnerabilities; improve your critical thinking regarding current and future security issues; and help you consider whether a firm has technologies, training, policies, and procedures in place to assess risks, lessen the likelihood of damage, and respond in the event of a breach.

What is malware?

software that is intended to damage or disable computers and computer systems. Malicious Software

What is Intrusion detection systems?

specifically look for unauthorized behavior, sounding the alarm and potentially taking action if something seems amiss.

What are brute-force attacks?

demonstration hacks launched by grids of simultaneous codecracking computers working in unison, haven't come close to breaking the type of encryption used to scramble transmissions that most browsers use when communicating with banks and shopping sites. The problem occurs when data is nabbed before encryption or after decrypting, or in rare cases, if the encrypting key itself is compromised.

What are blacklists?

denying the entry or exit of specific IP addresses, products, Internet domains, and other communication restrictions.

What is public key encryption?

he system works with two keys—a public key and a private key. The public key can "lock" or encrypt data, but it can't unlock it: that can only be performed by the private key. So a Web site that wants you to transmit secure information will send you a public key—you use this to lock the data, and no one that intercepts that transmission can break in unless they've got the private key. If the Web site does its job, it will keep the private key out of reach of all potentially prying eyes.

What is Phishing?

refers to cons executed through technology. The goal of phishing is to leverage the reputation of a trusted firm or friend to trick the victim into performing an action or revealing information. The cons are crafty. Many have masqueraded as a security alert from a bank or e-commerce site ("Our Web site has been compromised, click to log in and reset your password."), a message from an employer, or even a notice from the government ("Click here to update needed information to receive your tax refund transfer."). Sophisticated con artists will lift logos, mimic standard layouts, and copy official language from legitimate Web sites or prior e-mails. Gartner estimates that these sorts phishing attacks cost consumers $3.2 billion in 2007

What is encryption?

scrambles data, making it essentially unreadable to any program that doesn't have the descrambling password, known as a key. Simply put, the larger the key, the more difficult it is for a brute-force attack to exhaust all available combinations and crack the code. When well implemented, encryption can be the equivalent of a rock solid vault.

What is shoulder surfing?

simply looking over someone's shoulder to glean a password or see other proprietary information that might be displayed on a worker's screen.

What are Spear Phishing Attacks?

specifically target a given organization or group of users. In one incident, employees of a medical center received e-mails purportedly from the center itself, indicating that the recipient was being laid off and offering a link to job counseling resources. The link really offered a software payload that recorded and forwarded any keystrokes on the victim's PC (Garretson, 2006). And with this type of phishing, the more you know about a user, the more convincing it is to con them

What is certificate authority?

verified by a trusted third party firm

What are the motivations of those trying to compromise an organization's security?

• Account theft and illegal funds transfer • Stealing personal or financial data • Compromising computing assets for use in other crimes • Extortion • Espionage • Cyberwarfare • Terrorism • Pranksters • Protest hacking (hacktivism) • Revenge (disgruntled employees)

What are the goals of malware?

• Botnets or zombie networks. Hordes of surreptitiously infected computers linked and controlled remotely by a central command. Botnets are used in crimes where controlling many difficult-toidentify PCs is useful, such as when perpetrating click fraud, sending spam, registering accounts that use CAPTCHAs (those scrambled character images meant to thwart things like automated account Information Systems setup or ticket buying), executing "dictionary" password cracking attempts, or launching denial-ofservice attacks. • Malicious adware. Programs installed without full user consent or knowledge that later serve unwanted advertisements. • Spyware. Software that surreptitiously monitors user actions, network traffic, or scans for files. • Keylogger. Type of spyware that records user keystrokes. Keyloggers can be either software-based or hardware, such as a recording "dongle" that is plugged in between a keyboard and a PC. • Screen capture. Variant of the keylogger approach. This category of software records the pixels that appear on a user's screen for later playback in hopes of identifying proprietary information. • Blended threats. Attacks combining multiple malware or hacking exploits.

What are examples of someone using social engineering?

• Impersonating senior management, a current or new end user needing help with access to systems, investigators, or staff (fake uniforms, badges) • Identifying a key individual by name or title as a supposed friend or acquaintance • Making claims with confidence and authority ("Of course I belong at this White House dinner.") • Baiting someone to add, deny, or clarify information that can help an attacker • Using harassment, guilt, or intimidation • Using an attractive individual to charm others into gaining information, favors, or access • Setting off a series of false alarms that cause the victim to disable alarm systems • Answering bogus surveys (e.g., "Win a free trip to Hawaii—just answer three questions about your network.")

Security considerations then become more common sense than high tech. Here's a brief list of major issues to consider:

• Surf smart. Think before you click—question links, enclosures, download request, and the integrity of Web sites that you visit. Avoid suspicious e-mail attachments and Internet downloads. Be on guard for phishing, and other attempts to con you into letting in malware. Verify anything that looks suspicious before acting. Avoid using public machines (libraries, coffee shops) when accessing sites that contain your financial data or other confidential information. • Stay vigilant. Social engineering con artists and rogue insiders are out there. An appropriate level of questioning applies not only to computer use, but also to personal interactions, be it in person, on the phone, or electronically. • Stay updated. Turn on software update features for your operating system and any application you use (browsers, applications, plug-ins, and applets), and manually check for updates when needed. Malware toolkits specifically scan for older, vulnerable systems, so working with updated programs that address prior concerns lowers your vulnerable attack surface. • Stay armed. Install a full suite of security software. Many vendors offer a combination of products that provide antivirus software that blocks infection, personal firewalls that repel unwanted intrusion, malware scanners that seek out bad code that might already be nesting on your PC, antiphishing software that identifies if you're visiting questionable Web sites, and more. Such tools are increasingly being built into operating systems, browsers, and are deployed at the ISP or service provider (e-mail firm, social network) level. But every consumer should make it a priority to understand the state of the art for personal protection. In the way that you regularly balance your investment portfolio to accountfor economic shifts, or take your car in for an oil change to keep it in top running condition, make it a priority to periodically scan the major trade press or end-user computing sites for reviews and commentary on the latest tools and techniques for protecting yourself (and your firm). • Be settings smart. Don't turn on risky settings like unrestricted folder sharing that may act as an invitation for hackers to drop off malware payloads. Secure home networks with password protection and a firewall. Encrypt hard drives—especially on laptops or other devices that might be lost or stolen. Register mobile devices for location identification or remote wiping. Don't click the "Remember me" or "Save password" settings on public machines, or any device that might be shared or accessed by others. Similarly, if your machine might be used by others, turn off browser settings that auto-fill fields with prior entries—otherwise you make it easy for someone to use that machine to track your entries and impersonate you. And when using public hotspots, be sure to turn on your VPN software to encrypt transmission and hide from network eavesdroppers. • Be password savvy. Change the default password on any new products that you install. Update your passwords regularly. Using guidelines outlined earlier, choose passwords that are tough to guess, but easy for you (and only you) to remember. Federate your passwords so that you're not using the same access codes for your most secure sites. Never save passwords in nonsecured files, e-mail, or written down in easily accessed locations. • Be disposal smart. Shred personal documents. Wipe hard drives with an industrial strength software tool before recycling, donating, or throwing away—remember in many cases "deleted" files can still be recovered. Destroy media such as CDs and DVDs that may contain sensitive information. Erase USB drives when they are no longer needed. • Back up. The most likely threat to your data doesn't come from hackers; it comes from hardware failure (Taylor, 2009). Yet most users still don't regularly back up their systems. This is another do-itnow priority. Cheap, plug-in hard drives work with most modern operating systems to provide continual backups, allowing for quick rollback to earlier versions if you've accidentally ruined some vital work. And services like EMC's Mozy provide monthly, unlimited backup over the Internet for less than what you probably spent on your last lunch (a fire, theft, or similar event could also result in the loss of any backups stored on-site, but Internet backup services can provide off-site storage and access if disaster strikes). • Check with your administrator. All organizations that help you connect to the Internet—your ISP, firm, or school—should have security pages. Many provide free security software tools. Use them as resources. Remember—it's in their interest to keep you safe, too!

Describe Viruses, Worms, and Trojans.

• Viruses. Programs that infect other software or files. They require an executable (a running program) to spread, attaching to other executables. Viruses can spread via operating systems, programs, or the boot sector or auto-run feature of media such as DVDs or USB drives. Some applications have executable languages (macros) that can also host viruses that run and spread when a file is open. • Worms. Programs that take advantage of security vulnerability to automatically spread, but unlike viruses, worms do not require an executable. Some worms scan for and install themselves on vulnerable systems with stunning speed (in an extreme example, the SQL Slammer worm infected 90 percent of vulnerable software worldwide within just ten minutes) (Broersma, 2003). • Trojans. Exploits that, like the mythical Trojan horse, try to sneak in by masquerading as something they're not. The payload is released when the user is duped into downloading and installing the malware cargo, oftentimes via phishing exploits.