Chapter 5


Pharming

An attack that attempts to redirect web traffic to a counterfeit page, usually by corrupting the way the computer resolves the website name used in the web address to the IP address of a particular server.

Malware

A catch-all term to describe malicious software threats and tools designed to vandalize or compromise computer systems.

Impersonation

A common attack where a person attempts to figure out a password or other credentials to gain access to a host. The attacker can then hijack the authorizations allocated to the account and generally masquerade as that user.

Hardware Token

A device held by a user that displays a number or a password that changes frequently, such as every 60 seconds. The number is synchronized with a server and used as a one-time password.

Password Reset

A mechanism that allows a user to reset a forgotten password to a new one. This mechanism must be protected well and is usually tied to a personal email address or cell number. If these access points are compromised, then the attacker could reset the password through them as well. Keep passwords strong and do not reuse them, especially on password recovery mechanisms.

Administrator User Account

A member of the Administrators group, this account has complete control over the local computer. This account should be protected by a strong password. The account is disabled by default.

Spyware

A program that monitors user activity and sends the information to someone else. It may be installed with or without the user's knowledge. Aggressive spyware or Trojans known as "key loggers" actively attempt to steal confidential information, for example capturing a credit card number by recording keystrokes entered into a web form. Another spyware technique is to spawn browser pop-up windows to try to direct the user to other websites, often of dubious provenance.

Trojan Horse

A program that pretends to be something else to gain access to the user's system. For example, you might download what you think is a new game, but when you run it, it deletes files on your hard drive; or when you install what you think is a screensaver, the program includes a hidden process that sends your saved passwords to another person.

Device Hardening

A set of policies that make mobile and workstation computers and network appliances more secure.

Hash

A short representation of data; a hash function takes a variable amount of information and converts it to a fixed-length string.

Encryption

A technique for hiding information. Someone obtaining an encrypted document, or cipher text, cannot understand that information unless they possess a key. The use of encryption allows sensitive data to travel across a public network, such as the Internet, and remain private. Even if an eavesdropper could intercept and examine the data packets, the content would be unreadable. The following terminology is used to discuss cryptography:
■ Plain text (or clear text)—this is an unencrypted message.
■ Cipher text—an encrypted message.
■ Cipher—this is the process (or algorithm) used to encrypt and decrypt a message.

Phishing

A technique for tricking a user into revealing confidential information by requesting it in an official-looking email. The email will contain a link to a counterfeit site or to a valid site that the attacker has been able to compromise. The user is prompted to input confidential data, such as online bank account numbers and passwords, which are then stolen. Even if you are expecting an email, always hover the mouse pointer over the link; this reveals the website it will take you to, which is usually different from the one "officially sending" you the email.

Rule-Based

A term that can refer to any sort of access control model where access control policies are determined by system-enforced rules rather than system users.

Objects

Resources; these could be networks, servers, databases, files, and so on.

ACL

Access Control List. The basis of computer security for access control. Has four main categories: Identification, Authentication, Authorization, and Accounting.

ACS

Access Control System. A set of technical controls that govern how subjects may interact with objects.

Snooping

Any attempt to get access to information on a host or storage device (data at rest) that you are not authorized to view. An attacker might steal a password or find an unlocked workstation with a logged-on user account, or they might install some sort of spyware on the host.

Disabling Unused Features

Any features, services, or network protocols that are not used should be disabled. This reduces the attack surface of a network device or OS. Attack surface means the range of things that an attacker could possibly exploit in order to compromise the device. It is particularly important to disable unused administration interfaces (and to secure those that are used).

Service Outage

Any of the situations above can lead to service unavailability. Many organizations use online, cloud-based apps and services these days. You need to consider how third-party service failures may affect your data processing systems. When you decide which cloud provider to use, consider the options they provide for service availability and fault tolerance.

SSO

Single Sign-On. A user has to authenticate once to gain access to the entire system. It is useful to reduce the number of passwords they have to manage. However, the big downside is that if the one password is breached, the attacker gains access to the entire system.

Security Threats

Attempts to circumvent your security that come from within and without your network. These attacks could be malicious or simply implemented by the curious. They could be very technically sophisticated, or laughably simple, exploiting an oversight on your part for instance.

Access Controls

Authorization, Authentication, and Auditing.

CIA

Confidentiality, Integrity, Availability. The three main properties of security.

Load Balancing

Connections can be spread between cards.

Security Updates

Software vendors release security updates or patches when vulnerabilities and exploits are identified.

VPN

Virtual Private Network. Connects the components and resources of two private networks over another public network or connects a remote host with an Internet connection to a private local network. A VPN is a "tunnel" through the Internet or any other network. It uses special connection protocols and encryption technology to ensure that the tunnel is secure and the user is properly authenticated.

Email Attached Viruses

Viruses sent through email files and links. They usually replicate through a person's email address book. Once a single person is infected, the virus can send automated emails to the others in the address book and continue to spread through each individual who opens it.

VoIP

Voice Over IP. A technology that allows individuals to use the Internet to make calls using local area codes. The attacker may be in a different country but make a call as if they are in the neighboring city or town to have the victim lower their guard towards the individual. Used in social engineering attacks.

On-Access Scan

When a user or system process accesses a file, the anti-virus software scans the file and blocks access if it detects anything suspicious. This reduces performance somewhat but is essential to maintaining effective protection against malware.

Identification

Creating an account or ID that identifies the user or process on the computer system.

Authorization

Creating one or more barriers around the resource such that only authenticated users can gain access. Each resource has a permissions list specifying what users can do. Resources often have different access levels, for example, being able to read a file or being able to read and edit it.

DoS

Denial of Service. This is any situation where an attacker targets the availability of a service. A DoS attack might tamper with a system or try to overload it in some way. On the web, a Distributed Denial of Service (DDoS) uses hosts compromised with bot malware to launch a coordinated attack against a web service. The size of the botnet determines how easily the attacker can overwhelm the service.

Power Redundancy

Deploying systems to ensure that equipment is protected against power events (blackouts and brownouts) and that network operations can either continue uninterrupted or be recovered quickly.

Cryptographic Hash

Designed to make it impossible to recover the original data from the hash and ensure that no two pieces of information produce the same hash.

Authorization

Determining what rights or permissions subjects should have on each resource and enforcing those rights.

DAC

Discretionary Access Control. Stresses the importance of the owner. The owner is originally the creator of the resource, though ownership can be assigned to another user. The owner is granted full control over the resource, meaning that he or she can modify its ACL to grant rights to others.

User Account

Ensures that the identity of someone using a computer is validated by the operating system at log on. This validation is typically achieved by entering a user account name and a secret password but could use a different type of credentials. Requiring the user to log on before accessing the computer or network is called mandatory logon.

Fault Tolerance

Fault tolerant systems are those that contain additional components to help avoid single points of failure. Business continuity plans will start with analysis of business processes and assets to identify critical workflows and resources plus vulnerabilities in those systems.

Software Token

Generated by an application and stored on the user's computer or smartphone, as a web cookie for instance. It is important that such tokens use encryption so that they cannot be misused.

Social Engineering/Dumpster Diving

Getting users to reveal information or finding printed information (most commonly in the trash).

MitM

Man-in-the-Middle. A host sits between two communicating nodes, and transparently monitors, captures, and relays all communications between them. A MitM may be able to change the messages exchanged between a sender and receiver without them realizing. To protect against this, senders and receivers must authenticate themselves and use encryption to validate messages.

Hardware Failure

If a component in a server fails, then the server often fails. A hard disk contains moving parts and will eventually fail. If a disk fails, you will likely lose access to the data on the failed disk and quite possibly lose the data. You can compensate against hardware failure by provisioning redundant components and servers. The service is then configured to failover to a working component or server without interruption.

Quarantine

If the anti-virus software detects a virus within a program while scanning for viruses, it will quarantine the program, file, or software. While quarantined it is not possible to open the item, and usually removing the virus by erasing it is the recommended solution.

Power Outage

If you lose power, then clearly your computers cannot run. Using standby power can help mitigate this issue. It's also common for data corruption to occur when a computer is turned off rather than being shut down. Using an Uninterruptible Power Supply (UPS) can provide a means to safely close down a server if building power is interrupted.

Asymmetric Encryption

In asymmetric encryption, or Public Key Cryptography, a secret private key is used to decrypt data. A mathematically related public key is used to encrypt data. This public key can be widely and safely distributed to anyone with whom the host wants to communicate, because the private key cannot be derived from the public key. Also, the public key cannot be used to decrypt a message that it has just encrypted.

Symmetric Encryption

In symmetric encryption, a single secret key is used to both encrypt and decrypt data. The secret key is so-called because it must be kept secret. If the key is lost or stolen, the security is breached.

Patching/Updates

OS files, driver software, and firmware may be exploitable by malware in the same way as applications software. It is important to keep computers and other devices configured with up-to-date patches and firmware.

Authentication

One or more methods of proving that a user is who they say they are and associates that person with a unique computer or network user account.

Availability

Keeping a service running so that authorized users can access and process data whenever necessary.

RAID 1

Known also as disk mirroring. RAID 1 uses two disks. Each write operation is performed on both disks so that one is a mirror of the other. Read operations can use either disk. If one of the disks fails, the array will continue to work.

RAID 5

Known as striping with parity. At least three disks are combined into a single logical drive. Data is written in stripes across all disks in the set. A calculation is performed to determine what is known as parity information. The parity data is written to a different disk with each write operation. In the event of a single disk failure, the parity information in each stripe of data is used to determine the missing data. If a second disk fails however, then the whole array will fail.

Strong Authentication

Making a person's authentication credentials more specific to that one user to reduce the chance for a malicious individual to gain access to that account.

Anti-Virus/Anti-Malware

Malware is software that aims to damage a computer or steal information from it. Anti-malware software can detect the presence of malware and prevent it from running.

Accounting

Recording when and by whom a resource was accessed.

MAC

Mandatory Access Control. Based on the idea of security clearance levels. Rather than defining access control lists on resources, each object and each subject is granted a clearance level, referred to as a label. If the model used is a hierarchical one (that is, high clearance users are trusted to access low clearance objects), subjects are only permitted to access objects at their own clearance level or below.

Worms

Memory-resident viruses that replicate over network resources, such as email, by exploiting faults in software programs.

Enabling Passwords

Most operating systems allow the use of an account without a password, PIN, or screen lock, but this does not mean it is a good idea to do so. It makes the device highly exploitable in the event of theft. It could also allow other users to impersonate the user. All computing devices should be protected by requiring the user to input credentials to gain access.

Network Redundancy

Network cabling should be designed to allow for multiple paths between the various servers, so that during a failure of one part of the network, the rest remains operational (redundant connections).

Default/Weak Passwords

Network devices such as wireless access points, switches, and routers ship with a default management password, such as "password," "admin," or the device vendor's name. These should be changed on installation. Also, the password used should be a strong one—most devices do not enforce complexity rules so the onus is on the user to choose something secure.

Removing Unwanted/Unnecessary Software

New computers ship with a large amount of pre-installed software, often referred to as bloatware. These applications should be removed if they are not going to be used. Similarly, if an application has been installed in the past but is no longer necessary, it should be removed too.

RAID

Redundant Array of Independent Disks. Combining hard disks into an array of disks can help to avoid service unavailability due to one or more disks failing.

PII

Personally Identifiable Information. Often used as security questions for password reset mechanisms and to confirm identity over the telephone. For example, PII may be defined as responses to challenge questions, such as "What is your favorite color/pet/movie?"

Contingency Plans

Plans that allow the system to be resilient to failures and unexpected outages.

Viruses

Programs designed to replicate and spread amongst computers. Viruses are classified by different ways they can infect the computer. Examples: Program Viruses, Macro Viruses, Worms.

Authentication

Proving that a subject is who or what it claims to be when it attempts to access the resource.

PKI

Public Key Infrastructure. PKI is a solution to the problem of authenticating subjects on public networks. Under PKI, users or server computers are validated by a Certificate Authority (CA), which issues the subject a digital certificate. The digital certificate contains a public key associated with the subject embedded in it. The certificate has also been signed by the CA, guaranteeing its validity. Therefore, if a client trusts the signing CA, they can also trust the user or server presenting the certificate.

Challenge Questions

Personal questions that only the user would know the answers to through life experience.

Cleartext Credentials

Readable data transmitted or stored "in the clear" (unencrypted).

RBAC

Role-Based Access Control. Adds an extra degree of administrative control to the DAC model. Under RBAC, a set of organizational roles are defined and users allocated to those roles. You can see a simple version of RBAC working in the division of Windows user account types into Administrators and Standard Users.

Shoulder Surfing

Stealing a password or PIN, or other secure information, by watching the user type it. Despite the name, the attacker may not have to be in close proximity to the target. They could use high-power binoculars or CCTV to directly observe the target remotely.

Biometric

Storing an individual's unique biometric signature to identify who they are. Main types are fingerprint, retinal (eye), or facial scans. False positives and false negatives are a possibility with the system and can cause either a breach in security or lockout of the actual individual.

Payload

The different actions viruses perform on the computer system.

Availability

The information is accessible to those authorized to view or modify it.

Integrity

The information is stored and transferred as intended and that any modification is authorized.

Confidentiality

The information should only be known to authorized users.

Destruction

The loss of a service or data through destruction can occur for a number of reasons. At one extreme, you might lose a data center through a fire or even an act of terrorism. At the other end of the spectrum, you might lose access to a server when a person accidentally spills coffee on a server or a malicious person deliberately smashes a computer. Either way, putting your servers in a physically secure room and controlling access to that room can help protect against these issues.

Least Privilege

The more privileges and permissions that you allocate to more users, the more you increase the risk that a privilege will be misused. Authorization policies help to reduce risk by limiting the allocation of privileges as far as possible. This means that a user should be granted rights necessary to perform their job and no more.

Security

The practice of controlling access to something (a resource).

Anti-Virus Software Detection

The primary means of detection is to use a database of known virus patterns, called definitions, signatures, or patterns.

Vector

The route by which malware infects a computer.
■ Visiting "unsavory" websites with an unpatched browser, low security settings, and no anti-virus software.
■ Opening links in unsolicited email.
■ Infection from another compromised machine on the same network.
■ Executing a file of unknown provenance—email attachments are still the most popular vector, but others include file sharing sites, websites generally, attachments sent via chat/Instant Messaging, autorun USB sticks and CDs, and so on.
■ Becoming victim to a "zero day" exploit. A zero day is some infection mechanism that was unknown to software and anti-virus vendors. This means that there may be a substantial delay before the vendors can develop a software patch or anti-virus detection signatures that can mitigate the exploit mechanism.

Non-Repudiation

The security principle of providing proof that a transaction occurred between identified parties. Repudiation occurs when one party in a transaction denies that the transaction took place. Logging events in the system is a simple way to ensure accurate information on who did what.
■ Video—surveillance cameras can record who goes in or out of a particular area.
■ Biometrics—strong authentication can prove that a person was genuinely operating their user account and that an intruder had not hijacked the account.
■ Signature—similarly, a physical or digital signature can prove that the user was an author of a document (they cannot deny writing it).
■ Receipt—issuing a token or receipt with respect to some product or service is proof that a user requested that product and that it was delivered in a timely manner.

Subjects

The users or software processes or anything else that can request and be granted access to a resource.

Program Viruses

These are sequences of code that insert themselves into another executable program or script. When the application is executed, the virus code becomes active.

Macro Viruses

These viruses affect Microsoft Office documents exploiting the macro programming language Visual Basic for Applications (VBA) used to automate tasks.

Guest User Account

This account is also disabled by default. It can be enabled on "professional" versions of Windows but should not generally be used. If the guest account is enabled, anyone can use the computer without needing to enter a password.

Location-Based Authentication

Using GPS or IPS (Indoor Positioning System) to validate one's location. Useful in preventing an attacker in a distant location from gaining access.

Botnet

Using an infected computer to run a DDoS attack without the computer user's knowledge.

Eavesdropping/Wiretapping

This is snooping on data or telephone conversations as they pass over the network. Snooping on traffic passing over a network is also often called sniffing. It can be relatively easy for an attacker to "tap" a wired network or intercept unencrypted wireless transmissions. Networks can use segmentation and encryption to protect data in-transit.

Data In Transit

This is the state when data is transmitted over a network, such as communicating with a web page via HTTPS or sending an email. In this state, data can be protected by a transport encryption protocol, such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS).

Data At Rest

This state means that the data is in some sort of persistent storage media. In this state, it is usually possible to encrypt the data using techniques such as whole disk encryption, mobile device encryption, database encryption, and file- or folder-level encryption.

Accounting

Tracking authorized and unauthorized usage of a resource or use of rights by a subject.

Backdoor

Trojans usually create a backdoor for the malicious individual to utilize the victim's computer. Once a backdoor is connected, the attacker can upload files or install malicious software that can copy passwords.

Ransomware

Type of malware that tries to extort money from the victim. One class of ransomware will display threatening messages, such as suggesting that Windows must be reactivated or suggesting that the computer has been locked by the police because it was used to view child pornography or for terrorism. This may block access to the computer by installing a different shell program, but this sort of attack is usually relatively simple to fix. Another class of ransomware attempts to encrypt data files on any fixed, removable, and network drives. If the attack is successful, the user will be unable to access the files without obtaining the private encryption key, which is held by the attacker. If successful, this sort of attack is extremely difficult to mitigate unless the user has up-to-date backups of the encrypted files.

Implicit Deny

Unless there is a rule specifying that access should be granted (explicit authorization), any request for access is denied.

Spam

Unsolicited email messages, the content of which is usually advertising a great opportunity that can only be accessed if you click on that email (the email should be deleted and never opened). Spam is also used to launch phishing attacks and spread viruses, Trojans, and worms, either through a file attachment or using a link to a malicious website.

Multifactor and Two-Factor Authentication

Using more than one authentication type. Example: combining something like a smart card or biometric mechanism with "something you know," such as a password or PIN. Three-factor authentication combines all three technologies. An example of this would be a smart card with integrated thumb or fingerprint reader. This means that to authenticate, the user must possess the card, the user's fingerprint must match the template stored on the card, and the user must input a PIN.

Replay

Where a host captures another host's response to some server and replays that response in an effort to gain unauthorized access. Replay attacks often involve exploiting an access token generated by an application. The application needs to use encryption and time-stamping to ensure that the tokens cannot be misused.

Password Crackers

■ Dictionary—the software matches the hash to those produced by ordinary words found in a dictionary. This could also include information such as user and company names, pet names, or any other words or simple phrases that people might naively use as passwords.
■ Brute force—the software tries to match the hash against one of every possible combination it could be. If the password is short (under seven characters) and non-complex (using only letters for instance), a password might be cracked in minutes. Longer and more complex passwords increase the amount of time the attack takes to run—to years if the password is long and complex enough.

Password Best Practices

■ Length—a longer password is more secure. Around 9-12 characters is suitable for an ordinary user account. Administrative accounts should have longer passwords (14 or more characters).
■ Complexity can improve the security of a password:
● No single words—better to use word and number/punctuation combinations.
● No obvious phrases in a simple form—birthday, user name, job title, and so on.
● Mix upper and lowercase (assuming the software uses case-sensitive passwords).
■ Memorability—artificial complexity makes a password hard to remember, meaning users write them down or have to reset them often. Using a long phrase, perhaps with one or two symbols and numerals mixed into it, can offer a good balance between complexity and memorability.
■ Maintain confidentiality—do not write down a password or share it with other users.
■ History/expiration—change the password periodically. Many systems can automatically enforce password expiration, meaning users have to choose a new password. Such a system may also keep a history of previously used passwords and prevent the user from choosing the same one again.
■ Reuse across sites—a typical user might be faced with having to remember tens of logons for different services at work and on the Internet and resort to reusing the same password for each. This is insecure, as your security becomes dependent on the security of these other (unknown) organizations. Users must be trained to practice good password management, or at the very least not to re-use work passwords for web accounts.

Workplace Surveillance

■ Security assurance—monitoring data communications and employees' behavior to ensure they do not divulge confidential information or compromise the security of the organization. Employers may also use security systems such as CCTV to prevent theft.
■ Monitoring data—analyzing data communications to measure an employee's productivity. For example, a contact management system may record the frequency and duration of telephone contacts.
■ Physical monitoring—recording employees' movement, location, and behavior within the workplace, often using CCTV and drugs/alcohol testing.
