Information Security and IT Risk Management

Manish Agrawal, Ph.D.
Associate Professor, Information Systems and Decision Sciences, University of South Florida

Alex Campoe, CISSP
Director, Information Security, University of South Florida

Eric Pierce
Associate Director, Information Security, University of South Florida
Vice President and Executive Publisher: Don Fowley
Executive Editor: Beth Lang Golub
Editorial Assistant: Jayne Ziemba
Photo Editor: Ericka Millbrand
Associate Production Manager: Joyce Poh
Cover Designer: Kenji Ngieng
This book was set by MPS Limited.
Founded in 1807, John Wiley & Sons, Inc. has been a valued source of knowledge and understanding for more than 200 years, helping people around the world meet their needs and fulfill their aspirations. Our company is built on a foundation of principles that include responsibility to the communities we serve and where we live and work. In 2008, we launched a Corporate Citizenship Initiative, a global effort to address the environmental, social, economic, and ethical challenges we face in our business. Among the issues we are addressing are carbon impact, paper specifications and procurement, ethical conduct within our business and among our vendors, and community and charitable support. For more information, please visit our website: www.wiley.com/go/citizenship.
Copyright © 2014 John Wiley & Sons, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc. 222 Rosewood Drive, Danvers, MA 01923, website www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, (201)748-6011, fax (201)748-6008, website http://www.wiley.com/go/permissions.
Evaluation copies are provided to qualified academics and professionals for review purposes only, for use in their courses during the next academic year. These copies are licensed and may not be sold or transferred to a third party. Upon completion of the review period, please return the evaluation copy to Wiley. Return instructions and a free of charge return mailing label are available at www.wiley.com/go/returnlabel. If you have chosen to adopt this textbook for use in your course, please accept this book as your complimentary desk copy. Outside of the United States, please contact your local sales representative.
ISBN 978-1-118-33589-5 (paperback)
Printed in the United States of America 10 9 8 7 6 5 4 3 2 1
Table of Contents
List of Figures xi
Preface xvii
Chapter 1 — Introduction 1
Overview ................................................................................................................ 1
Professional utility of information security knowledge ......................................... 1
Brief history ............................................................................................................ 5
Definition of information security ........................................................................ 11
Summary .............................................................................................................. 14
Example case – Wikileaks, Cablegate, and free reign over classified networks ........................................................................................... 14
Chapter review questions...................................................................................... 15
Example case questions ........................................................................................ 16
Hands-on activity – Software Inspector, Steganography...................................... 16
Critical thinking exercise: identifying CIA area(s) affected by sample real-life hacking incidents.................................................................... 21
Design case ........................................................................................................... 21
Chapter 2 — System Administration (Part 1) 26
Overview .............................................................................................................. 26
Introduction .......................................................................................................... 26
What is system administration? ............................................................................ 27
System administration and information security .................................................. 28
Common system administration tasks .................................................................. 29
System administration utilities ............................................................................. 33
Summary .............................................................................................................. 37
Example case – T. J. Maxx ................................................................................... 37
Chapter review questions...................................................................................... 39
Example case questions ........................................................................................ 40
Hands-on Activity – Linux system installation .................................................... 40
Critical thinking exercise – Google executives sentenced to prison over video ............................................................................................. 48
Design case ........................................................................................................... 49
Chapter 3 — System Administration (Part 2) 51
Overview .............................................................................................................. 51
Operating system structure ................................................................................... 51
The command-line interface ................................................................................. 53
Files and directories .............................................................................................. 53
Moving around the filesystem – pwd, cd ............................................................. 54
Listing files and directories .................................................................................. 55
Shell expansions ................................................................................................... 56
File management .................................................................................................. 57
Viewing files ......................................................................................................... 59
Searching for files ................................................................................................. 60
Access control and user management .................................................................. 61
Access control lists ............................................................................................... 64
File ownership ...................................................................................................... 65
Editing files ........................................................................................................... 66
Software installation and updates ......................................................................... 67
Account management ........................................................................................... 72
Command-line user administration ...................................................................... 75
Example case – Northwest Florida State College ................................................ 77
Summary .............................................................................................................. 78
Chapter review questions...................................................................................... 78
Example case questions ........................................................................................ 79
Hands-on activity – basic Linux system administration ....................................... 79
Critical thinking exercise – offensive cyber effects operations (OCEO) .......................................................................................... 80
Design Case .......................................................................................................... 80
Chapter 4 — The Basic Information Security Model 82
Overview .............................................................................................................. 82
Introduction .......................................................................................................... 82
Components of the basic information security model .......................................... 82
Common vulnerabilities, threats, and controls ..................................................... 90
Example case – ILOVEYOU virus ....................................................................... 99
Summary ............................................................................................................ 100
Chapter review questions.................................................................................... 100
Example case questions ...................................................................................... 101
Hands-on activity – web server security ............................................................ 101
Critical thinking exercise – the internet, “American values,” and security ........ 102
Design case ......................................................................................................... 103
Chapter 5 — Asset Identification and Characterization 104
Overview ............................................................................................................ 104
Assets overview .................................................................................................. 104
Determining assets that are important to the organization ................................. 105
Asset types .......................................................................................................... 109
Asset characterization ......................................................................................... 114
IT asset life cycle and asset identification .......................................................... 119
System profiling ................................................................................................. 124
Asset ownership and operational responsibilities ............................................... 127
Example case – Stuxnet ...................................................................................... 130
Summary ............................................................................................................ 130
Chapter review questions.................................................................................... 131
Example case questions ...................................................................................... 131
Hands-on activity – course asset identification .................................................. 132
Critical thinking exercise – uses of a hacked PC ............................................... 132
Design case ......................................................................................................... 133
Chapter 6 — Threats and Vulnerabilities 135
Overview ............................................................................................................ 135
Introduction ........................................................................................................ 135
Threat models ..................................................................................................... 136
Threat agent ........................................................................................................ 137
Threat action ....................................................................................................... 149
Vulnerabilities..................................................................................................... 162
Example case – Gozi .......................................................................................... 167
Summary ............................................................................................................ 168
Chapter review questions.................................................................................... 168
Example case questions ...................................................................................... 168
Hands-on activity – Vulnerability scanning ....................................................... 169
Critical thinking exercise – Iraq cyberwar plans in 2003 ................................... 174
Design case ......................................................................................................... 174
Chapter 7 — Encryption Controls 176
Overview ............................................................................................................ 176
Introduction ........................................................................................................ 176
Encryption basics ............................................................................................... 177
Encryption types overview ................................................................................. 181
Encryption types details ..................................................................................... 187
Encryption in use ................................................................................................ 194
Example case – Nation technologies .................................................................. 197
Summary ............................................................................................................ 198
Chapter review questions.................................................................................... 198
Example case questions ...................................................................................... 199
Hands-on activity – encryption .......................................................................... 199
Critical thinking exercise – encryption keys embed business models ............................................................................................. 205
Design case ......................................................................................................... 206
Chapter 8 — Identity and Access Management 207
Overview ............................................................................................................ 207
Identity management .......................................................................................... 207
Access management ........................................................................................... 212
Authentication .................................................................................................... 213
Single sign-on ..................................................................................................... 221
Federation ........................................................................................................... 228
Example case – Markus Hess ............................................................................. 237
Summary ............................................................................................................ 239
Chapter review questions.................................................................................... 239
Example case questions ...................................................................................... 240
Hands-on activity – identity match and merge ................................................... 240
Critical thinking exercise – feudalism the security solution for the internet? ............................................................................................. 244
Design case ......................................................................................................... 245
Chapter 9 — Hardware and Software Controls 247
Overview ............................................................................................................ 247
Password management ....................................................................................... 247
Access control .................................................................................................... 251
Firewalls ............................................................................................................. 252
Intrusion detection/prevention systems .............................................................. 256
Patch management for operating systems and applications ............................... 261
End-point protection ........................................................................................... 264
Example case – AirTight networks ..................................................................... 266
Chapter review questions.................................................................................... 270
Example case questions ...................................................................................... 270
Hands-on activity – host-based IDS (OSSEC) ................................................... 271
Critical thinking exercise – extra-human security controls ................................ 275
Design case ......................................................................................................... 275
Chapter 10 — Shell Scripting 277
Overview ............................................................................................................ 277
Introduction ........................................................................................................ 277
Output redirection ............................................................................................... 279
Text manipulation ............................................................................................... 280
Variables ............................................................................................................. 283
Conditionals ........................................................................................................ 287
User input ........................................................................................................... 290
Loops .................................................................................................................. 292
Putting it all together .......................................................................................... 299
Example case – Max Butler ................................................................................ 301
Summary ............................................................................................................ 302
Chapter review questions.................................................................................... 303
Example case questions ...................................................................................... 303
Hands-on activity – basic scripting .................................................................... 303
Critical thinking exercise – script security ......................................................... 304
Design case ......................................................................................................... 305
Chapter 11 — Incident Handling 306
Introduction ........................................................................................................ 306
Incidents overview .............................................................................................. 306
Incident handling ................................................................................................ 307
The disaster ......................................................................................................... 327
Example case – on-campus piracy ..................................................................... 328
Summary ............................................................................................................ 330
Chapter review questions.................................................................................... 330
Example case questions ...................................................................................... 331
Hands-on activity – incident timeline using OSSEC ......................................... 331
Critical thinking exercise – destruction at the EDA ........................................... 331
Design case ......................................................................................................... 332
Chapter 12 — Incident Analysis 333
Introduction ........................................................................................................ 333
Log analysis ........................................................................................................ 333
Event criticality .................................................................................................. 337
General log configuration and maintenance ....................................................... 345
Live incident response ........................................................................................ 347
Timelines ............................................................................................................ 350
Other forensics topics ......................................................................................... 352
Example case – backup server compromise ....................................................... 353
Chapter review questions.................................................................................... 355
Example case questions ...................................................................................... 356
Hands-on activity – server log analysis .............................................................. 356
Critical thinking exercise – destruction at the EDA ........................................... 358
Design case ......................................................................................................... 358
Chapter 13 — Policies, Standards, and Guidelines 360
Introduction ........................................................................................................ 360
Guiding principles .............................................................................................. 360
Writing a policy .................................................................................................. 367
Impact assessment and vetting ........................................................................... 371
Policy review ...................................................................................................... 373
Compliance ......................................................................................................... 374
Key policy issues ................................................................................................ 377
Example case – HB Gary ................................................................................... 378
Summary ............................................................................................................ 379
Reference ............................................................................................................ 379
Chapter review questions.................................................................................... 379
Example case questions ...................................................................................... 380
Hands-on activity – create an AUP ..................................................................... 380
Critical thinking exercise – Aaron Swartz .......................................................... 380
Design case ......................................................................................................... 381
Chapter 14 — IT Risk Analysis and Risk Management 382
Overview ............................................................................................................ 382
Introduction ........................................................................................................ 382
Risk management as a component of organizational management .................................................................................................. 383
Risk-management framework ............................................................................ 384
The NIST 800-39 framework ............................................................................. 385
Risk assessment .................................................................................................. 387
Other risk-management frameworks .................................................................. 389
IT general controls for Sarbanes–Oxley compliance ......................................... 391
Compliance versus risk management ................................................................. 398
Selling security ................................................................................................... 399
Example case – online marketplace purchases ................................................... 399
Summary ............................................................................................................ 400
Chapter review questions.................................................................................... 400
Hands-on activity – risk assessment using lsof ................................................. 401
Critical thinking exercise – risk estimation biases ............................................. 403
Design case ......................................................................................................... 403
Appendix A — Password List for the Linux Virtual Machine 404
Glossary 405
Index 413
List of Figures
Figure 1.1: Classification of information security analysts 2
Figure 1.2: Time-consuming activities for information security professionals 4
Figure 1.3: Training needs identified by information security professionals 4
Figure 1.4: ILOVEYOU virus 7
Figure 1.5: T.J. Maxx 8
Figure 1.6: Defaced Georgian foreign ministry website 9
Figure 1.7: Google-China offices 10
Figure 1.8: Online Software Inspector 17
Figure 1.9: PC audit report 18
Figure 1.10: Contents of Downloads folder for Steganography exercise 19
Figure 1.11: Commands to hide text files at the end of image files 19
Figure 1.12: Manipulated images among original images 20
Figure 1.13: Opening image files in Notepad 20
Figure 1.14: Secret message hidden at the end of the image file 21
Figure 1.15: Sunshine State University funding sources 23
Figure 1.16: Extract from the organization structure of Sunshine State University 24
Figure 2.1: Paul Ceglia 32
Figure 2.2: Windows desktop usage—April 2013 33
Figure 2.3: System Center Operation Manager 34
Figure 2.4: Unix family tree 36
Figure 2.5: Albert Gonzalez, at the time of his indictment in August 2009 38
Figure 2.6: T J Maxx sales (2005–2010) 39
Figure 2.7: Virtual machine structure 41
Figure 2.8: VirtualBox download page 41
Figure 2.9: VirtualBox installer welcome screen 42
Figure 2.10: Default install Location 42
Figure 2.11: VirtualBox install confirmation 43
Figure 2.12: VirtualBox manager 43
Figure 2.13: Default setting for OS import 44
Figure 2.14: Virtual machine in Virtual machine manager 45
Figure 2.15: CPU error 45
Figure 2.16: Enabling PAE 46
Figure 2.17: Attach the VM to NAT 46
Figure 2.18: CentOS VM login screen 47
Figure 2.19: CentOS Linux desktop 47
Figure 2.20: Sunshine State University email infrastructure 50
Figure 3.1: Operating system structure 51
Figure 3.2: Reaching the command prompt window 53
Figure 3.3: Unix file hierarchy 54
Figure 3.4: vimtutor interface 67
Figure 3.5: Reaching users and groups manager 73
Figure 3.6: Adding users 74
Figure 3.7: Group manager 74
Figure 4.1: The basic information security model 83
Figure 4.2: Example CVE listing at the time of reporting 85
Figure 4.3: NVD entry for the CVE listing 86
Figure 4.4: ATLAS web interface 88
Figure 4.5: Phishing example 95
Figure 4.6: …