Cybersecurity Powerpoint
Information Security and IT Risk Management Manish Agrawal, Ph.D. Associate Professor Information Systems and Decision Sciences University of South Florida
Alex Campoe, CISSP Director, Information Security University of South Florida
Eric Pierce Associate Director, Information Security University of South Florida
Vice President and Executive Publisher Don Fowley Executive Editor Beth Lang Golub Editorial Assistant Jayne Ziemba Photo Editor Ericka Millbrand Associate Production Manager Joyce Poh Cover Designer Kenji Ngieng
This book was set by MPS Limited.
Founded in 1807, John Wiley & Sons, Inc. has been a valued source of knowledge and understanding for more than 200 years, helping people around the world meet their needs and fulfi ll their aspirations. Our company is built on a foundation of principles that include responsibility to the communities we serve and where we live and work. In 2008, we launched a Corporate Citizenship Initiative, a global effort to address the environmental, social, economic, and ethical challenges we face in our business. Among the issues we are addressing are carbon impact, paper specifi cations and procurement, ethical conduct within our business and among our vendors, and community and charitable support. For more information, please visit our website: www.wiley.com/go/citizenship.
Copyright © 2014 John Wiley & Sons, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc. 222 Rosewood Drive, Danvers, MA 01923, website www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, (201)748-6011, fax (201)748-6008, website http://www.wiley.com/go/permissions.
Evaluation copies are provided to qualifi ed academics and professionals for review purposes only, for use in their courses during the next academic year. These copies are licensed and may not be sold or transferred to a third party. Upon completion of the review period, please return the evaluation copy to Wiley. Return instructions and a free of charge return mailing label are available at www.wiley.com/ go/returnlabel. If you have chosen to adopt this textbook for use in your course, please accept this book as your complimentary desk copy. Outside of the United States, please contact your local sales representative.
ISBN 978-1-118-33589-5 (paperback)
Printed in the United States of America 10 9 8 7 6 5 4 3 2 1
http://www.wiley.com/go/citizenship
http://www.copyright.com
http://www.wiley.com/go/permissions
http://www.wiley.com/go/returnlabel
http://www.wiley.com/go/returnlabel
iii
Table of Contents
List of Figures xi Preface xvii
Chapter 1 — Introduction 1
Overview ................................................................................................................ 1
Professional utility of information security knowledge ......................................... 1
Brief history ............................................................................................................ 5
Defi nition of information security ........................................................................ 11
Summary .............................................................................................................. 14
Example case – Wikileaks, Cablegate, and free reign over classifi ed networks ........................................................................................... 14
Chapter review questions...................................................................................... 15
Example case questions ........................................................................................ 16
Hands-on activity – Software Inspector, Steganography...................................... 16
Critical thinking exercise: identifying CIA area(s) affected by sample real-life hacking incidents.................................................................... 21
Design case ........................................................................................................... 21
Chapter 2 — System Administration (Part 1) 26
Overview .............................................................................................................. 26
Introduction .......................................................................................................... 26
What is system administration? ............................................................................ 27
System administration and information security .................................................. 28
Common system administration tasks .................................................................. 29
System administration utilities ............................................................................. 33
Summary .............................................................................................................. 37
Example case – T. J. Maxx ................................................................................... 37
Chapter review questions...................................................................................... 39
iv Table of Contents
Example case questions ........................................................................................ 40
Hands-on Activity – Linux system installation .................................................... 40
Critical thinking exercise – Google executives sentenced to prison over video ............................................................................................. 48
Design case ........................................................................................................... 49
Chapter 3 — System Administration (Part 2) 51
Overview .............................................................................................................. 51
Operating system structure ................................................................................... 51
The command-line interface ................................................................................. 53
Files and directories .............................................................................................. 53
Moving around the fi lesystem – pwd, cd ............................................................. 54
Listing fi les and directories .................................................................................. 55
Shell expansions ................................................................................................... 56
File management .................................................................................................. 57
Viewing fi les ......................................................................................................... 59
Searching for fi les ................................................................................................. 60
Access control and user management .................................................................. 61
Access control lists ............................................................................................... 64
File ownership ...................................................................................................... 65
Editing fi les ........................................................................................................... 66
Software installation and updates ......................................................................... 67
Account management ........................................................................................... 72
Command-line user administration ...................................................................... 75
Example case – Northwest Florida State College ................................................ 77
Summary .............................................................................................................. 78
Chapter review questions...................................................................................... 78
Example case questions ........................................................................................ 79
Hands-on activity – basic Linux system administration ....................................... 79
Critical thinking exercise – offensive cyber effects operations (OCEO) .......................................................................................... 80
Design Case .......................................................................................................... 80
Table of Contents v
Chapter 4 — The Basic Information Security Model 82
Overview .............................................................................................................. 82
Introduction .......................................................................................................... 82
Components of the basic information security model .......................................... 82
Common vulnerabilities, threats, and controls ..................................................... 90
Example case – ILOVEYOU virus ....................................................................... 99
Summary ............................................................................................................ 100
Chapter review questions.................................................................................... 100
Example case questions ...................................................................................... 101
Hands-on activity – web server security ............................................................ 101
Critical thinking exercise – the internet, “American values,” and security ........ 102
Design case ......................................................................................................... 103
Chapter 5 — Asset Identifi cation and Characterization 104
Overview ............................................................................................................ 104
Assets overview .................................................................................................. 104
Determining assets that are important to the organization ................................. 105
Asset types .......................................................................................................... 109
Asset characterization ......................................................................................... 114
IT asset life cycle and asset identifi cation .......................................................... 119
System profi ling ................................................................................................. 124
Asset ownership and operational responsibilities ............................................... 127
Example case – Stuxnet ...................................................................................... 130
Summary ............................................................................................................ 130
Chapter review questions.................................................................................... 131
Example case questions ...................................................................................... 131
Hands-on activity – course asset identifi cation .................................................. 132
Critical thinking exercise – uses of a hacked PC ............................................... 132
Design case ......................................................................................................... 133
Chapter 6 — Threats and Vulnerabilities 135
Overview ............................................................................................................ 135
Introduction ........................................................................................................ 135
vi Table of Contents
Threat models ..................................................................................................... 136
Threat agent ........................................................................................................ 137
Threat action ....................................................................................................... 149
Vulnerabilities..................................................................................................... 162
Example case – Gozi .......................................................................................... 167
Summary ............................................................................................................ 168
Chapter review questions.................................................................................... 168
Example case questions ...................................................................................... 168
Hands-on activity – Vulnerability scanning ....................................................... 169
Critical thinking exercise – Iraq cyberwar plans in 2003 ................................... 174
Design case ......................................................................................................... 174
Chapter 7 — Encryption Controls 176
Overview ............................................................................................................ 176
Introduction ........................................................................................................ 176
Encryption basics ............................................................................................... 177
Encryption types overview ................................................................................. 181
Encryption types details ..................................................................................... 187
Encryption in use ................................................................................................ 194
Example case – Nation technologies .................................................................. 197
Summary ............................................................................................................ 198
Chapter review questions.................................................................................... 198
Example case questions ...................................................................................... 199
Hands-on activity – encryption .......................................................................... 199
Critical thinking exercise – encryption keys embed business models ............................................................................................. 205
Design case ......................................................................................................... 206
Chapter 8 — Identity and Access Management 207
Overview ............................................................................................................ 207
Identity management .......................................................................................... 207
Access management ........................................................................................... 212
Authentication .................................................................................................... 213
Table of Contents vii
Single sign-on ..................................................................................................... 221
Federation ........................................................................................................... 228
Example case – Markus Hess ............................................................................. 237
Summary ............................................................................................................ 239
Chapter review questions.................................................................................... 239
Example case questions ...................................................................................... 240
Hands-on activity – identity match and merge ................................................... 240
Critical thinking exercise – feudalism the security solution for the internet? ............................................................................................. 244
Design case ......................................................................................................... 245
Chapter 9 — Hardware and Software Controls 247
Overview ............................................................................................................ 247
Password management ....................................................................................... 247
Access control .................................................................................................... 251
Firewalls ............................................................................................................. 252
Intrusion detection/prevention systems .............................................................. 256
Patch management for operating systems and applications ............................... 261
End-point protection ........................................................................................... 264
Example case – AirTight networks ..................................................................... 266
Chapter review questions.................................................................................... 270
Example case questions ...................................................................................... 270
Hands-on activity – host-based IDS (OSSEC) ................................................... 271
Critical thinking exercise – extra-human security controls ................................ 275
Design case ......................................................................................................... 275
Chapter 10 — Shell Scripting 277
Overview ............................................................................................................ 277
Introduction ........................................................................................................ 277
Output redirection ............................................................................................... 279
Text manipulation ............................................................................................... 280
Variables ............................................................................................................. 283
Conditionals ........................................................................................................ 287
viii Table of Contents
User input ........................................................................................................... 290
Loops .................................................................................................................. 292
Putting it all together .......................................................................................... 299
Example case – Max Butler ................................................................................ 301
Summary ............................................................................................................ 302
Chapter review questions.................................................................................... 303
Example case questions ...................................................................................... 303
Hands-on activity – basic scripting .................................................................... 303
Critical thinking exercise – script security ......................................................... 304
Design case ......................................................................................................... 305
Chapter 11 — Incident Handling 306
Introduction ........................................................................................................ 306
Incidents overview .............................................................................................. 306
Incident handling ................................................................................................ 307
The disaster ......................................................................................................... 327
Example case – on-campus piracy ..................................................................... 328
Summary ............................................................................................................ 330
Chapter review questions.................................................................................... 330
Example case questions ...................................................................................... 331
Hands-on activity – incident timeline using OSSEC ......................................... 331
Critical thinking exercise – destruction at the EDA ........................................... 331
Design case ......................................................................................................... 332
Chapter 12 — Incident Analysis 333
Introduction ........................................................................................................ 333
Log analysis ........................................................................................................ 333
Event criticality .................................................................................................. 337
General log confi guration and maintenance ....................................................... 345
Live incident response ........................................................................................ 347
Timelines ............................................................................................................ 350
Other forensics topics ......................................................................................... 352
Example case – backup server compromise ....................................................... 353
Table of Contents ix
Chapter review questions.................................................................................... 355
Example case questions ...................................................................................... 356
Hands-on activity – server log analysis .............................................................. 356
Critical thinking exercise – destruction at the EDA ........................................... 358
Design case ......................................................................................................... 358
Chapter 13 — Policies, Standards, and Guidelines 360
Introduction ........................................................................................................ 360
Guiding principles .............................................................................................. 360
Writing a policy .................................................................................................. 367
Impact assessment and vetting ........................................................................... 371
Policy review ...................................................................................................... 373
Compliance ......................................................................................................... 374
Key policy issues ................................................................................................ 377
Example case – HB Gary ................................................................................... 378
Summary ............................................................................................................ 379
Reference ............................................................................................................ 379
Chapter review questions.................................................................................... 379
Example case questions ...................................................................................... 380
Hands-on activity – create an AUP ..................................................................... 380
Critical thinking exercise – Aaron Swartz .......................................................... 380
Design case ......................................................................................................... 381
Chapter 14 — IT Risk Analysis and Risk Management 382
Overview ............................................................................................................ 382
Introduction ........................................................................................................ 382
Risk management as a component of organizational management .................................................................................................. 383
Risk-management framework ............................................................................ 384
The NIST 800-39 framework ............................................................................. 385
Risk assessment .................................................................................................. 387
Other risk-management frameworks .................................................................. 389
IT general controls for Sarbanes–Oxley compliance ......................................... 391
x Table of Contents
Compliance versus risk management ................................................................. 398
Selling security ................................................................................................... 399
Example case – online marketplace purchases ................................................... 399
Summary ............................................................................................................ 400
Chapter review questions.................................................................................... 400
Hands-on activity – risk assessment using lsof ................................................. 401
Critical thinking exercise – risk estimation biases ............................................. 403
Design case ......................................................................................................... 403
Appendix A — Password List for the Linux Virtual Machine 404 Glossary 405 Index 413
xi
List of Figures
Figure 1.1: Classifi cation of information security analysts 2
Figure 1.2: Time-consuming activities for information security professionals 4
Figure 1.3: Training needs identifi ed by information security professionals 4
Figure 1.4: ILOVEYOU virus 7
Figure 1.5: T.J. Maxx 8
Figure 1.6: Defaced Georgian foreign ministry website 9
Figure 1.7: Google-China offi ces 10
Figure 1.8: Online Software Inspector 17
Figure 1.9: PC audit report 18
Figure 1.10: Contents of Downloads folder for Steganography exercise 19
Figure 1.11: Commands to hide text fi les at the end of image fi les 19
Figure 1.12: Manipulated images among original images 20
Figure 1.13: Opening image fi les in Notepad 20
Figure 1.14: Secret message hidden at the end of the image fi le 21
Figure 1.15: Sunshine State University funding sources 23
Figure 1.16: Extract from the organization structure of Sunshine State University 24
Figure 2.1: Paul Ceglia 32
Figure 2.2: Windows desktop usage—April 2013 33
Figure 2.3: System Center Operation Manager 34
Figure 2.4: Unix family tree 36
Figure 2.5: Albert Gonzalez, at the time of his indictment in August 2009 38
Figure 2.6: T J Maxx sales (2005–2010) 39
Figure 2.7: Virtual machine structure 41
Figure 2.8: VirtualBox download page 41
Figure 2.9: VirtualBox installer welcome screen 42
Figure 2.10: Default install Location 42
Figure 2.11: VirtualBox install confi rmation 43
Figure 2.12: VirtualBox manager 43
Figure 2.13: Default setting for OS import 44
Figure 2.14: Virtual machine in Virtual machine manager 45
Figure 2.15: CPU error 45
xii List of Figures
Figure 2.16: Enabling PAE 46
Figure 2.17: Attach the VM to NAT 46
Figure 2.18: CentOS VM login screen 47
Figure 2.19: CentOS Linux desktop 47
Figure 2.20: Sunshine State University email infrastructure 50
Figure 3.1: Operating system structure 51
Figure 3.2: Reaching the command prompt window 53
Figure 3.3: Unix fi le hierarchy 54
Figure 3.4: vimtutor interface 67
Figure 3.5: Reaching users and groups manager 73
Figure 3.6: Adding users 74
Figure 3.7: Group manager 74
Figure 4.1: The basic information security model 83
Figure 4.2: Example CVE listing at the time of reporting 85
Figure 4.3: NVD entry for the CVE listing 86
Figure 4.4: ATLAS web interface 88
Figure 4.5: Phishing example 95
Figure 4.6: Adobe Flash zero-day exploit launched on February 28, 2011 96
Figure 4.7: Exploit usage 98
Figure 4.8: Using a browser on the VM 102
Figure 5.1: J-20 fi ghter 108
Figure 5.2: The elements of asset characterization 118
Figure 5.3: Generic IT asset life cycle 119
Figure 5.4: Student Information System 125
Figure 5.5: Uses of a hacked PC 133
Figure 6.1: Threat model 136
Figure 6.2: Threat agents over time by percent of breaches 137
Figure 6.3: External agents 137
Figure 6.4A: Chinese J-20 jet 138
Figure 6.4B: Lockheed F-22 jet 138
Figure 6.5: Internal agents 144
Figure 6.6: Partners 146
Figure 6.7: Edward Snowden 147
Figure 6.8: Datagram ISP goes down with Hurricane Sandy 149
Figure 6.9: Melissa error message 150
Figure 6.10: High level XSS attack 155
List of Figures xiii
Figure 6.11: Bonzi buddy 158
Figure 6.12: Top vendor vulnerability breakdown 163
Figure 6.13: Firefox certifi cate exception 171
Figure 6.14: GSA main screen 171
Figure 6.15: New Task confi guration 172
Figure 6.16: Starting a new scan 172
Figure 6.17: Viewing scan details 173
Figure 6.18: Report page 173
Figure 7.1: Encryption and decryption in context 177
Figure 7.2: Reference to Caesar cipher 178
Figure 7.3: Secret key cryptography overview 182
Figure 7.4: Public-key cryptography overview for data transmission 183
Figure 7.5: Using public-key encryption for digital signatures 184
Figure 7.6: Checksums example 186
Figure 7.7: Generic form of block encryption 188
Figure 7.8: Electronic code book 189
Figure 7.9: Cipher block chaining 190
Figure 7.10: Hash functions 194
Figure 7.11: Public-key certifi cation process 195
Figure 7.12: CAs in browser 196
Figure 7.13: Untrusted certifi cate 197
Figure 7.14: GPG passphrase dialog 202
Figure 8.1: Identity and access management 208
Figure 8.2: Match/Merge fl owchart 211
Figure 8.3: Smart card in a USB card reader 215
Figure 8.4: Hardware token 216
Figure 8.5: Fingerprint with minutia highlighted 219
Figure 8.6: Iris scanning in the Dubai Airport 220
Figure 8.7: Kerberos ticket exchange 224
Figure 8.8: Token-based authentication 226
Figure 8.9: Central authentication service 227
Figure 8.10: Discovery service for the InCommon federation 229
Figure 8.11: SSO with a SAML federation 230
Figure 8.12: OpenID 233
Figure 8.13: OpenID 2.0 provider selection screen 234
Figure 8.14: http://trendsmap.com 235
Figure 8.15: OAuth token passing 236
http://trendsmap.com
xiv List of Figures
Figure 8.16: Application UserId and ProviderUserId 237
Figure 8.17: Intruder’s attack path to military establishments 238
Figure 8.18: Confi guration QR code 243
Figure 8.19: Google Authenticator (iOS) 244
Figure 9.1: Access matrix example 252
Figure 9.2: Typical fi rewall 253
Figure 9.3: Perimeter fi rewalls and demilitarized zones 255
Figure 9.4: Windows fi rewall blocking http 257
Figure 9.5: Windows fi rewall allowing http 258
Figure 9.6: Typical competitor console, circa 2003 267
Figure 9.7: AirTight console, circa 2005 268
Figure 9.8: /var/ossec/etc/ossec.conf (after change) 273
Figure 9.9: OSSEC-WebUI 274
Figure 9.10: Superb Fairy-Wrens, 40% success rate with security controls 275
Figure 11.1: IRT interactions 311
Figure 11.2: IRT communications 313
Figure 11.3: DollSays 314
Figure 11.4: Website defacement example 318
Figure 11.5: PII search 319
Figure 11.6: OSSEC, a popular fi le integrity tool 320
Figure 11.7: Typical logs consolidated 321
Figure 11.8: Log analysis 322
Figure 11.9: End point protection example 323
Figure 11.10: Containment, eradication, and recovery timeline 325
Figure 12.1: Event Viewer Screen on Windows 8 334
Figure 12.2: Summary of Administrative Events pane 335
Figure 12.3: Recently viewed nodes 335
Figure 12.4: Log Summary pane 335
Figure 12.5: - Informational event screenshot 336
Figure 12.6: Windows Administrative Events view 337
Figure 12.7: syslog fi le evidence 339
Figure 12.8: auth.log fi le 340
Figure 12.9: Sample run of last 342
Figure 12.10: Output of w command 343
Figure 12.11: Security Log snapshot 346
Figure 12.12: Log consolidation 347
Figure 12.13: Output of system info program 348
Figure 12.14: The sfc command 349
Figure 12.15: Windows MAC timestamps 351
Figure 12.16: File Explorer with timestamps 351
Figure 12.17: Sample timeline 352
Figure 12.18: Information Security and IT Risk Management is not affi liated with or otherwise sponsored by Dropbox, Inc. 353
Figure 13.1: Policy, standard, and guideline 364
Figure 13.2: Compliance 374
Figure 14.1: NIST 800-39 risk-management framework 386
Figure 14.2: Threat model 388
Figure 14.3: Risk assessment model 389
Figure 14.4: Sarbanes–Oxley auditing guidelines workfl ow for impact on IT 397
List of Figures xv
xvii
Preface
Unlike the problem facing the Superb Fairy-Wren (front cover), most information security problems we humans face are not matters of life and death (for more on the Wren’s problem, please see the critical thinking question in chapter 9). However, they are vexing, expensive and frequent enough to make information security a contemporary profession and the topic of infor- mation security a worthwhile subject to study.
This book is designed to serve as the textbook for a one-semester course devoted to infor- mation security. It is focused on helping students acquired the skills sought in the professional workforce.
We start by introducing the professional environment of information security. After the student is convinced of the merits of the subject, the book introduces the basic model of infor- mation security consisting of assets, vulnerabilities, threats and controls. The rest of the course is devoted to characterizing assets, vulnerabilities and threats and responding to them using security controls. The book ends by integrating all these topics within the general umbrella of organizational risk management. At the end of the course, students should have an awareness of how information security concerns have evolved in our society and how they can use contem- porary frameworks to respond to these concerns in a professional environment.
The book comes with a full set of end-of-chapter exercises. There are fi ve kinds of exer- cises at the end of every chapter:
1. Traditional end-of-chapter questions are designed to improve student understanding and recall of common topics in information security.
2. An example case at the end of each chapter allows students to apply the knowledge in the chapter to business contexts.
3. There is a threaded design case running through all the chapters in the book. In this case, students play the role of the Chief Information Security offi cer of a typical state univer- sity and are confronted with situations related to the topics discussed in the chapter. They are required to analyze and evaluate the situation in light of the knowledge in the chapter to create a solution that addresses the present problem.
4. A critical thinking exercise introduces students to analogous situations and relate the ideas from the chapter to these situations. The problem confronting the Superb Fairy- Wren falls in this category.
5. Finally, each chapter has a detailed hands-on activity using a customized distribution of the CentOS Linux OS to be installed as a virtual machine using VirtualBox. We take great pride in this aspect of the book. We have carefully selected exercises that will help students become familiar not only with rudimentary information security tasks, but also with Linux systems administration. Eric in particular, has spent countless hours testing,
xviii Preface
curating and maintaining the distribution. You may download the distribution from the textbook’s companion website.
While the book is self-suffi cient without the hands-on activity, this content is in direct response to employer demands and we do hope you will give your students the advantage of this aspect of the text. Chapters 2 and 3 introduce the basic setup and usage of the virtual machine. The instructions are detailed enough for students to be able to complete the exercises on their own.
When using the book, class time may be used in various ways. A traditional lecture for- mat will work very well. Instructors interested in using class-time for more interactive activities will fi nd that the end-of-chapter activities are a very useful way to use class time.
The author team integrates the different perspectives necessary to teach information secu- rity to an aspiring professional. Manish Agrawal is an MIS faculty member who designed this course and has taught it to MIS and Accounting students at the University of South Florida for over 5 years now. Alex Campoe is the Director of Information Security at the University of South Florida where he is at the frontline of the university’s information security activities including incident response, policy development and compliance. Eric Pierce is responsible for identity management at the university. Many of the topics covered in the book are informed by their knowledge of the most important day-to-day activities that fall under the information security umbrella.
The Superb Fairy-Wren, though not strictly facing an information security problem, hap- pens to use a solution that adopts many of the information security controls discussed in the text. The context also includes all the components of our basic information security model – assets in the form of the life of offspring, vulnerabilities in the form of delayed hatching, threats in the form of parasitic birds and controls including passwords. We think it succinctly describes the text.
We are eager to hear any comments you may have about the book – suggestions for improvement, errors and omissions, bugs in the virtual machine, and any other issues you may encounter. We will do our best to respond directly to you with corrections, and also address them as errata to be published on the textbook companion site. We obviously would also like to hear complementary things if the book helped improve your understanding of the subject, improved your teaching, helped you land a job, or helped you on the job. Those comments can give us indications on how to strengthen future editions of the book. Comments may be sent to the fi rst author at magrawal@usf.edu.
mailto:magrawal@usf.edu
1
CHAPTER 12
Overview This chapter motivates the topic of information security and lays out the structure for the rest of the text. At the outset, we describe why information security is a useful area of study with the hope of getting you excited in the topic. We then provide a brief history of the subject, highlight- ing important developments that have led to the current state of the industry. Finally, we outline the procedures adopted by the industry to maintain information security. These procedures will be examined in detail in the rest of the book. At the end of this chapter, you should know:
• Why information security is an important topic for everyone today • The important developments that led to the current state of the information security
industry • Key terms used in information security • Broad outlines of the procedures used in the industry to maintain information
security
Professional utility of information security knowledge If you are reading this book as part of a college course, it is probably offered by a profes- sional school – business, information, or engineering for example. These schools are expected to graduate students who can hit the ground running when they join the work force. Naturally, we expect that the question foremost on the minds of students in these college is – where are the jobs? What is the professional relevance of this subject? What is the demand for professionals in this subject? What drives organizations to hire graduates with skills in this subject? When hired, what are graduates in this subject typically expected to do? What competencies will help graduates meet or exceed these expectations of employers? Before you decide to spend any more time with this book or the subject of information security, we would like to take this topic head-on and address these issues.
Demand estimates
The standard source for employment estimates is the Bureau of Labor Statistics 1 (BLS), a government agency that gathers employment statistics from extensive surveys of employers. BLS has created a taxonomy called the “standard occupational classifi cation (SOC)” for all the major occupational categories. Information security analysts are given the SOC identifi er 15-1122 (Figure 1.1 ). They fall under the major group of “Computer and mathematical occupa- tions (15-0000).” Statistics for information security analysts is aggregated along with those for
Introduction CHAPTER 1
1 http://www.bls.gov/
http://www.bls.gov/
2 CHAPTER 1 Introduction
web developers and computer network architects and may be obtained from the BLS website. 2 The total employment for this group in May 2010 was estimated to be 243,330, with a mean annual wage of $79,370.
Other sources for obtaining estimates of the demand for information security profession- als are the professional certifi cate action organizations involved in the industry. One of the lead- ing organizations is (ISC). 2 Based on a survey of over 10,000 information security professionals around the globe, this organization estimated that there were approximately 2.28 million infor- mation security professionals worldwide in 2010, of who over 900,000 were in the Americas. This number was also estimated to be growing at over 13%. 3 The average annual compensation was estimated at over $78,000. The wide difference in estimated employment between the two surveys could be attributed to a difference in the characteristics of the organizations sampled by the two surveys. It may however be noted that both surveys are quite consistent in their esti- mates of average annual compensation.
Demand drivers
A number of factors are driving the demand for information security professionals. Primary among these is the increasing criticality of information to individuals and organizations and the resulting increase in the amounts of information gathered by organizations and stored in com- puter systems for easy retrieval. Possession of a username and password combination could be more useful to a thief today than possession of a $100 bill. A successful attack at a bank or other commercial establishment could yield hundreds of thousands of vetted username and password combinations. The most motivated attackers are therefore increasingly targeting information stores rather than physical stores.
2 http://www.bls.gov/oes/current/oes151179.htm 3 https://www.isc2.org/uploadedFiles/Landing_Pages/NO_form/2011GISWS.pdf
F IGURE 1 .1 Classifi cation of information security analysts
All occupations
11-0000 Management occupations
...
15-0000 Computer and mathematical
occupations
15-1110 Computer and information
research scientists
15-1120 Computer and information
analysts
15-1121 Computer
systems analysts
15-1122 Information
security analysts 15-1130 Software developers and programmers
...
...
55-0000 Military specific
occupations
http://www.bls.gov/oes/current/oes151179.htm
https://www.isc2.org/uploadedFiles/Landing_Pages/NO_form/2011GISWS.pdf
Professional utility of information security knowledge 3
Even as information is becoming more valuable, unwittingly, users are also making it easier for attackers to obtain this valuable information. For example, most users use a small set of usernames and passwords wherever usernames and passwords are required. They also often prefer that their devices remember these usernames and passwords to save typing effort at websites. Now consider what happens if an attacker is able to lay their hands on a laptop, tablet, or other mobile device belonging to a user in possession of sensitive information. The attacker could easily get access to hundreds of thousands of records with minimal effort. With millions of knowledge workers leaving their workplaces with billions of mobile devices every day, organizations are compelled to act proactively to ensure that they do not appear on the front pages of newspapers and TV channels for losing customer information or other sensitive data.
The value of information described above is just one of the demand drivers for informa- tion security professionals. Other factors include dealing with application vulnerabilities, the constant stream of viruses and worms reaching organizations, regulations, customer expecta- tions of privacy, and disgruntled employees.
The demand drivers for information security professionals have also been changing very rapidly. For example, until as recently as 2008, mobile devices such as smart phones and tab- lets were not common in companies. Having a company-issued phone was a matter of pride for executives. Then by 2010, most employees preferred to use their personal smart phones and tablets to do company work rather than the company-issued phones that did not have web browsers and other desirable features. Information security professionals had to scramble to deal with the far-reaching implications of this change. Whereas earlier they could issue phones such as Blackberries and impose the desired security policies on these devices, the security poli- cies on personal devices were controlled by the users, not by the companies they worked for. As a result, information security professionals reported in 2010 that dealing with mobile device security was one of their top concerns. These concerns, and hence the demand for information security professionals, are only likely to increase in the near future, securing the professional prospects for information security professionals.
Professional activities
What do information security professionals do? The BLS website describes the role of informa- tion security analysts as:
Plan, implement, upgrade, or monitor security measures for the protection of computer networks and information. May ensure appropriate security controls are in place that will safeguard digital fi les and vital electronic infrastructure. May respond to computer security breaches and viruses .
Illustrative examples: Computer Security Specialist, Network Security Analyst, Internet Security Specialist
This is a fairly technical set of activities. However, a lot of the work done by information security professionals is non-technical in nature. Figure 1.2 shows the distribution of the top four most time-consuming activities reported by respondents to the (ISC) 2 survey. 4 It is seen that regulatory issues, policy development, and managerial issues constitute the bulk of information security work.
4 https://www.isc2.org/uploadedFiles/Landing_Pages/NO_form/2011GISWS.pdf
https://www.isc2.org/uploadedFiles/Landing_Pages/NO_form/2011GISWS.pdf
4 CHAPTER 1 Introduction
Desired competencies
The primary responsibilities of information security professionals are to anticipate information- related problems and to minimize their impact. Responses to the ISC 2 survey highlighted the eight areas with the greatest need for training, as shown in Figure 1.3 . These are very good indi- cators of the competencies expected of information security professionals. It can be seen that successful information security professionals are expected to have expertise in systems analy- sis and design to identify possible vulnerabilities entering homegrown applications, system administration skills to examine systems and identify traces left behind by hackers (forensics), and risk management. In addition, the business continuity and disaster recovery expectations require that information security professionals also have a very good understanding of the busi- ness as well as the IT infrastructure to be able to identify the most mission-critical applications in the organization so that these can be quickly brought up online in the event of a natural or man-made disaster.
F IGURE 1 .2 Time-consuming activities for information security professionals
39%
45%
46%
49%
Developing internal security policies, standards and procedures
Meeting regulatory compliance
Internal/political issues
Researching new technologies
F IGURE 1 .3 Training needs identifi ed by information security professionals
Planning for business continuity and disaster recovery
Security management practices
Access control
Security architecture
End-user awareness
Forensics
Secure SDLC
Risk management
Brief history 5
The intent of this section was to satisfy you that information security is a viable profes- sion. Hopefully, it has also conveyed that information security is a very exciting profession. Further, since information security lapses attract a lot of public scrutiny, the activities of infor- mation security professionals are of great interest to top management of organizations, probably more so than those of many other parts of an organization ’s IT infrastructure. In fact, according to the ISC 2 survey, the information security group reports to executive management, i.e., the CEO, CIO, or equivalent, in almost 25% of the organizations.
Brief history From this point on, we assume that you are interested in learning about information security from a professional perspective. That is, you are interested in learning about the subject for use in your career. Almost everything we do today regarding information security is the result of famous lapses that have occurred over the years and the responses by industry to these experi- ences. Many of these incidents are now part of the professional folklore. It is useful for you to know about these incidents in order to better appreciate regulatory requirements, the concerns of managers as well as to build your vocabulary in the profession. The list below is not intended to be comprehensive; 5 it only captures the major incidents that led to regulatory or industry actions or serve as a barometer for information security concerns at the time.
1981 – Development of the core Internet technologies (TCP and IP): The core technolo- gies of the Internet were fi nalized in 1981. There was no mention of security in these technolo- gies, indicating that at that time the technology world was not concerned about information security. Since TCP and IP were available for free, they became the preferred networking tech- nology for UNIX systems, widely used at universities and various intensive organizations such as hospitals and banks.
1982–1983 – Gang of 414 ’s: Computer intrusions began soon after TCP and IP were inte- grated into industrial equipment. The most highly publicized incident of this time was the gang of 414 ’s, a group of six teenagers from Milwaukee, who got their name from the telephone area code for Milwaukee. These teenagers found it exciting to get into systems that were supposed to be out of their reach. Using home computers, phone lines, and default passwords, this group was able to break into approximately 60 high-profi le computer systems, including those at the Los Alamos Laboratories and the Memorial Sloan-Kettering Cancer Center in New York. The incident received wide coverage, including a Newsweek cover story titled “Beware: Hackers at play.” This is believed to be fi rst use of the term “hacker” in the mainstream media in the context of computer security. While the teenagers themselves did no harm, it was easy for the industry to see that the simple techniques used by the kids could easily be replicated by others. As a result, the US Congress held hearings on computer security. After more such incidents, Congress passed the Computer Fraud and Abuse Act of 1986, which made it a crime to break into federal or commercial computer systems.
1988 – Morris worm: Robert Morris, then a graduate student at Cornell, and now a Professor of Computer Science and Artifi cial Intelligence at MIT, released a 99-line self- replicating program on November 2, 1988, to measure the size of the then nascent Internet. As a result of a design feature of the program, it brought down many systems it infected, and
5 A more comprehensive source is Wikipedia: http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history
http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history
6 CHAPTER 1 Introduction
achieved several landmarks in the process. It is considered the fi rst Internet worm. In percent- age terms, it is estimated to have brought down the largest fraction of the Internet ever (10%). It also resulted in the fi rst conviction under the 1986 Computer Fraud and Abuse Act. Robert Morris was sentenced to probation, community service and a fi ne. The Morris worm prompted the US Government to establish the CERT/CC (CERT coordination center) 6 at Carnegie Mellon University as a single point to coordinate industry–government response to Internet emergen- cies. Prof. Morris was also a co-founder of Viaweb, an e-commerce fi rm bought by Yahoo!, and renamed it as Yahoo! Store.
As an interesting anecdote, Robert Morris ’ father, Bob Morris, designed the password encryption system for the UNIX operating system that is used even today. Even more interestingly, at the time of this incident, the senior Bob Morris was the chief scientist for the National Computer Security Center (NCSC) of the National Security Agency (NSA), 7 , 8 the federal agency responsible for design- ing secure computers.
1995–1998 – Windows 95/98: Microsoft released Windows 95 on August 24, 1995. The operating system had a graphical interface and was designed to run on relatively inexpensive computers ). The release was supported with a heavy marketing push, and within a very short time, it became the most successful operating system ever produced, and drove most other oper- ating systems out of the market. Windows 95 was designed primarily as a stand-alone single- user desktop operating system and therefore had almost no security precautions. Most users ran Windows 95 without passwords and most applications ran on Windows 95 with administrative privileges for convenience. However, Windows 95 supported TCP/IP, thereby bringing TCP/ IP into mainstream businesses. This combination of a security-agnostic networking technol- ogy (TCP/IP) combined with an equally security-agnostic business desktop created a fertile environment for information security compromises to fl ourish. In talks, security experts some- times refer to this environment as the source of the information security profession. 9 Even the introduction of Windows 98 on June 25, 1998, made no change to the basic security design of Windows desktops.
1996 – Health Insurance Portability and Accountability Act (HIPAA): This Act which primarily focused on protecting health insurance for US workers when they change or lose jobs also had important information security implications. Many government leaders believed at the time that electronic health records (EHR) were an important instrument to lower rising healthcare costs in America. The Act therefore also pushed for electronic health records. Since information security was getting recognized as an important concern, the law had provisions to make organizations responsible for maintaining the confi dentiality of patient records in the healthcare industry. At the current time, the healthcare industry has until 2014 to move over
6 While CERT typically stands for Computer Emergency Response Team, CMU has registered the name as a service mark with the US Patents and Trademark Offi ce 7 http://cm.bell-labs.com/cm/cs/who/dmr/crypt.html 8 For another very interesting account of Bob Morris, read the amazingly humorous book by Cliff Stoll, “The Cuckoo ’s Egg,” ISBN 0671726889 9 For example, Dan Geer (chief information security offi cer for In-Q-Tel, the venture capital arm of CIA) referred to this in his talk at the ISSA meeting in Tampa, December 2011.
http://cm.bell-labs.com/cm/cs/who/dmr/crypt.html
Brief history 7
completely to EHR. This is a major driver of demand for information security at the time of writing this edition (2012–2013).
2000 – ILOVEYOU virus: On May 5, 2000, this virus was released by a student in the Philippines (Figure 1.4 ). The virus deleted images on infected computers and automati- cally sent itself as an email attachment to the Outlook contacts list of infected computers. The virus infected millions of computers worldwide, and caused billions of dollars in damage. The creators of the virus, Reomel Ramores and Onel de Guzman, were traced within hours of the release of the virus. However, investigators realized very quickly that Philippines had no law against writing computer viruses, and had to drop all charges against the students. 10 This inci- dent led to the realization that information security was a global phenomenon and led to a push from developed countries for developing countries to revamp their information security laws. However, even today there are signifi cant differences between countries regarding information security laws. For example, while writing a virus can lead to fi nes of up to $250,000 and 10 years of imprisonment in the United States, the punishment in the Philippines can range from 100,000 Pesos (about $2,500) and up to an amount commensurate to the damage and up to 3 years in prison. 11
2002 – Sarbanes–Oxley Act: During 2000–2002, America witnessed many unpleas- ant incidents of corporate fraud involving such legendary companies as Enron, Tyco, and WorldCom. For example, Enron claimed revenues of over $100 billion in 2000 and declared bankruptcy the next year. MCI-WorldCom revealed in 2002 that it had overstated its earnings by over $72 billion in the past fi ve quarters. These frauds were enabled by fraudulent manipulation of accounting systems, believed to be at the behest of fi rm leadership. However during trials, the CEOs consistently tried to escape blame by pleading ignorance of accounting procedures, and blind trust in their highly paid and well-educated lieutenants. Since the retirements of most Americans are invested in large publicly traded fi rms, their downfall affects most American families. Compelled to act and ensure correctness in fi nancial reporting, Congress enacted the Sarbanes–Oxley Act in 2002. The Act focused on making the key executives personally
10 Arnold, W. “TECHNOLOGY: Philippines to drop charges on e-mail virus,” New York Times, August 22, 2000. 11 http://www.chanrobles.com/ecommerceimplementingrules.htm (accessed 02/28/2012)
F IGURE 1 .4 ILOVEYOU virus
http://www.chanrobles.com/ecommerceimplementingrules.htm
8 CHAPTER 1 Introduction
accountable for the correctness of fi nancial reports fi led by publicly traded companies. The Act had three major provisions. Section 302 of the Act requires the CEO and CFO of fi rms to sign a declaration of personal knowledge of all the information in annual fi lings. Section 906 of the Act imposes criminal penalties including imprisonment of up to 20 years for incorrect certifi cation. Section 404 of the Act has had a major impact on the information security profession because it requires that the certifi cation in Section 302 be based on formal internal controls. This has led to signifi cant investments in internal controls over fi nancial reporting in publicly traded fi rms.
2005–2007 – Retailer attacks: In December 2006, T.J.Maxx reported that its computer systems, which processed credit card payments, had been breached (Figure 1.5 ). On investi- gation, it was found that the breach had started a year and a half ago in July 2005 and over 45 million credit card and debit card numbers had been stolen. It turned out that the leader of the group involved in the breach was Albert Gonzalez, an informer for the US Secret Service and in fact Albert was cooperating with the Secret Service in connection with another case at the time of these attacks. Investigations also revealed that the group had also hacked into the systems at other retailers such as BJ ’s Wholesale Club, DSW, Offi ce Max, Boston Market, Barnes & Noble, and Sports Authority. The modus operandi of the group was to drive along US Route 1 in Miami and seek out an insecure store with wireless networks to enter the corporate networks. Later the group improved its methodology and used SQL injection attacks to enter the networks at Hannaford Brothers and Heartland Payment Systems, a credit card payments processing company. Over 125 million credit card numbers were estimated to have been sto- len from Heartland, and the company estimated damages at over $12 million. In March 2010, Albert Gonzalez was sentenced to 20 years in prison. He also forfeited over $1.65 million that he had earned from selling fake credit cards based on the stolen information. These incidents highlighted that even large fi rms had glaring information security weaknesses, which could lead to serious embarrassment and losses. The SQL injection attacks in particular created an awareness of the need to pay attention to information security during software development, and introduced the term “secure SDLC” to the IT lexicon.
2008 – Denial of service attacks in Georgia: Coinciding with the military war between Georgia and Russia in 2008, Georgia was the victim of massive distributed denial of service
F IGURE 1 .5 T.J.Maxx
© M
ic ha
el N
ee lo
n( m
is c)
/A la
m y
Brief history 9
attacks. The attacks defaced the websites of many media and government organizations, limit- ing their ability to communicate their viewpoints about the war to their citizens (Figure 1.6 ). The circumstances of the incident led many people to believe that the cyber-attacks 12 were caused by Russia as part of a war strategy. If so, these were the fi rst known incidents of cyber- war being used as an instrument of warfare.
June 2009 – Establishment of the US Cyber Command: In April 2009, the Wall Street Journal reported that intruders had broken into the computer networks of defense contractors developing the Joint Strike Fighter, also called the F-35 Lightning II. 13 The $300 billion pro- ject was the Defense Department ’s costliest weapons program ever, and used 7.5 million lines of computer code. Intruders had stolen terabytes of data related to the aircraft ’s design and electronics. It was believed that the theft would help enemies plan their defenses against the fi ghter. The contractors involved in the project include Lockheed Martin, Northrop Grumman, and BAE Systems. Also in April, the Wall Street Journal reported that the US electricity grid had been penetrated by spies from China, Russia, and other countries. The spies also inserted computer software in the grid, which could be used to cause damage by remote control. 14
Soon thereafter, on June 23, 2009, the US Cyber Command was created to defend US military computer networks against attacks from adversaries and also to respond in cyberspace as necessary ). At the time of creation of the new command, there were concerns that the initia- tive might impose undue restrictions on the civilian Internet under the pretext of defense.
2010 – Operation Aurora and Google-China: On January 12, 2010, a blog post by Google ’s Chief Legal Offi cer reported that the company had detected an attempt to steal its intellec- tual property originating from China (Figure 1.7 ). The attacks were also aimed at accessing emails of Chinese human-rights activists. The US Government soon escalated the incident with Congress announcing its intention to investigate the allegations and the Secretary of State labe- ling the Chinese censorship of the Internet to an information-age Berlin Wall. Further investiga- tions traced the attacks to two educational institutions in China – Shanghai Jiaotong University and the Lanxiang Vocational School. Jiaotong is home to one of China ’s elite computer science programs, and Lanxiang is involved in training computer scientists for the Chinese military. 15
12 Cyber is a prefi x that refers to anything related to computers or networking 13 Gorman, S., Cole, A. and Draezen, Y. “Computer spies breach fi ghter-jet project,” Wall Street Journal, April 21, 2009. 14 Gorman, S. “Electricity grid in US penetrated by spies,” Wall Street Journal, April 8, 2009.
F IGURE 1 .6 Defaced Georgian foreign ministry website
10 CHAPTER 1 Introduction
China has however denied formal government involvement and called the attacks simply an attempt by students to refi ne their computer skills.
April 17, 2011 – Sony PlayStation Network (PSN): Sony announced that an external intrusion had compromised its PlayStation Network and Qriocity service ), and that hackers had obtained personal information on the 70 million subscribers of the network. The company could not rule out the possibility that credit card numbers may also have been stolen. In response, the company took the network offl ine while it tried to ensure that all traces of the offending soft- ware had been removed from the network. During the time, millions of kids all over the world who had planned their summer breaks around catching up with online gaming on PSN had to fi nd alternate ways to pass their time. For this reason, while the intrusion affected a relatively innocuous network, the impact on families around the world was huge and almost every family with kids followed the daily developments around the attacks.
This brief chronology highlights how information security attacks have evolved from technical proofs-of-concept to commercially driven attacks to steal credit card information. Of late even governments are being suspected of pursuing their agendas through cybercrime. In Europe, a remote Romanian town, Râmnicu Vâlcea, has emerged as the focal point in global cyber money laundering. In the middle of nowhere, this town has car dealerships selling Mercedes-Benz and other expensive cars. 16 Social response has evolved as well, from judges merely warning intruders and laws making specifi c exceptions for juveniles in spite of their known involvement in cyber-attacks (414 ’s) to governments establishing entire military com- mands to deal with cyber security.
F IGURE 1 .7 Google-China offi ces
© L
ou -F
ot o/
A la
m y
15 Markoff, J. and Barboza, D. “2 China schools said to be tied to online attacks,” New York Times, February 18, 2010, http:// www.nytimes.com/2010/02/19/technology/19china.html (accessed January 8, 2012). 16 Bhattacharjee, Y. “How a remote town in Romania has become cybercrime central,” Wired Magazine, January 31, 2011, http://www.wired.com/magazine/2011/01/ff_hackerville_romania/all/1 (accessed January 8, 2012).
http://www.nytimes.com/2010/02/19/technology/19china.html
http://www.nytimes.com/2010/02/19/technology/19china.html
http://www.wired.com/magazine/2011/01/ff_hackerville_romania/all/1
Defi nition of information security 11
Definition of information security That is the background which has defi ned organizations ’ concerns about information security. If you were observant, you may have noted that the incidents had different impacts on information security. In the case of the 414 ’s, the primary concern was loss of privacy. In the Enron case, it was accuracy of information, and in the case of Georgia, it was the ability of citizens to access relevant information. Information security can mean different things to different people.
Information security is now defi ned as protecting information and information systems from unauthorized access, use, disclosure, disruption, modifi cation, or destruction in order to provide integrity, confi dentiality and availability .
While the above defi nition is based on the code of law of the United States (section 3542, Chapter 35, title 44), 17 the defi nition is remarkably consistent across the industry. For example, RFC 2196 18 , 19 on information security states that the basic goals of security are availability, confi dentiality, and integrity.
The CIA triad
The law writes the dimensions of information security in the sequence – integrity, confi dential- ity, and availability. However, these three dimensions are better remembered in a slightly different sequence as the CIA triad, where C stands for confi dentiality, I for integrity, and A for availability. To maintain symmetry with this popular phrase, we will henceforth discuss the information security dimensions in the sequence of this triad – confi dentiality, integrity, and availability.
Confidentiality
According to section 3542 of the US code, Confi dentiality means preserving authorized restric- tions on access and disclosure, including means for protecting personal privacy and proprietary information .
The law recognizes the right of individuals to privacy, and such right extends to informa- tion which, if made public, could cause harm or embarrassment to the person. Confi dentiality is the responsibility of custodians of information to provide that privacy to the individuals whose information they have in their possession. All the examples of credit card theft discussed in this chapter relate to the failure of organizations to maintain confi dentiality of the information in their possession.
If you ask most people to defi ne information security, they typically will respond with some variant of “information security means not losing credit card information.” Most people associate information security with confi dentiality.
17 The US code is available online from many sources, though the publishers frequently change the URLs to their sites. It is best to simply Google for “US code 3542” to fi nd a site. As of January 8, 2012, the top result was the Cornell University Law School at http://www.law.cornell.edu/uscode/usc_sec_44_00003542----000-.html 18 RFCs or requests for comments are the documents published by the Internet Engineering Task Force, the group that defi nes Internet standards including TCP and IP. 19 Fraser, B. RFC 2196 site security handbook, September 1997, http://www.ietf.org/rfc/rfc2196.txt
http://www.law.cornell.edu/uscode/usc_sec_44_00003542----000-.html
http://www.ietf.org/rfc/rfc2196.txt
12 CHAPTER 1 Introduction
Integrity
Integrity means guarding against improper information modifi cation or destruction, and includes ensuring information non-repudiation and authenticity .
When you pull information from an information system, for example, your grades from the university, or the monthly statement from your bank account, you trust that the information provided is reliable and actionable. For example, when the bank reports the balance in your checking account, you do not think it necessary to tally the totals of credits, debits, and interest income yourself to verify the amount. Rather, you trust that the bank has made the right calcu- lations. Imagine how complex life would be if the information you received from IT systems could not be trusted to be accurate. Integrity is the aspect of information security that prevents that from happening.
In the examples above, the inability of IT systems to prevent senior executives at Enron and WorldCom from manipulating company records to serve their personal interests were examples of failure of integrity.
Availability
Availability means ensuring timely and reliable access to and use of information .
When you log into your course site online, you expect it to be online. That in essence is availability. The relevance of availability to information security is self-explanatory. An infor- mation system that is unavailable is an information system that is not useful. In the example above, the response of the Sony PSN was an example of failure of availability. Most viruses also have the same impact – they typically delete important fi les, causing a loss of availability. Even if the fi les can ultimately be recovered from backup systems or other sources, the time lost in recovering those fi les represents time not spent doing useful work, i.e., lack of availability.
The right to privacy
Of the three dimensions of information security, confi dentiality is probably the most diffi cult to defi ne precisely. This is because the social expectations of privacy are very dynamic. What one person considers private, photographs for example, another may consider public. What was once considered private may now be considered public. While organizations may fi ercely protect the privacy of their employees, the same employees may willingly share much of the same information voluntarily on social networks and other websites.
In fact, the right to privacy is fairly recent in US law. The fi rst modern reference came in an 1890 article in the Harvard Law Review, where Louis Brandeis (who later became a Supreme Court Justice) and his law partner Samuel Warren wrote: 20
Recent inventions and business methods call attention to the next step which must be taken for the protec- tion of the person, and for securing to the individual what Judge Cooley calls the right “to be let alone.”
20 Brandeis, L.D. and Warren, S.S. “The right to privacy,” Harvard Law Review, December 15, 1890, 4(5): http://groups.csail. mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html (accessed 1/12/2012)
http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html
http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html
Defi nition of information security 13
In recent years, as organizational concerns over information security have intensifi ed, many experts have proposed expanding the defi nition to include aspects of information security such as non-deniability (if a company charges a service ordered by phone to your credit card and you deny ordering for the service, how do you prove that you did indeed place the order?). However, for the purposes of this text, we will focus on the traditional defi nition of information security of integrity, confi dentiality, and availability.
Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house-tops.” For years there has been a feeling that the law must afford some remedy for the unauthorized circulation of portraits of private persons; . . . The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery . . . modern enterprise and invention have, through invasions upon his privacy, sub- jected him to mental pain and distress, far greater than could be infl icted by mere bodily injury .
The article was an outburst by Samuel Warren in response to media coverage of high society events of the time, including events in the Warren family which following the social conventions of the time, greatly embarrassed the Warren family. 21 Readers may fi nd an eerie similarity between these thoughts from the 19th century and the privacy debates of the 21st century surrounding Facebook and other social media websites. 22
Personal guide to maintaining information security
If you are studying information security, perhaps it is a good idea to develop a 2-minute elevator speech on information security that answers the question, “how can I best maintain my information security.” You may get this question from friends and family members who are concerned about their own information security. Every professional will give you a different answer, based on their own experiences. Here is ours.
If you wish to maintain your information security, you will get the best returns for your efforts from the following:
Antivirus : Make sure that you are using antivirus software and that its subscription is current. Many people can get the software and subscription for free as part of their ISP subscription or from their employers or school.
Automating software updates : Wherever possible, confi gure your operating system and application software to apply updates automatically.
Passwords : If possible, use a different password at each site that requires a password. If this is diffi - cult, at the very least, use two passwords – one for the “fun” sites such as newsletters, email etc and
21 Gordon Crovitz, L. “The right to privacy from Brandeis to Flickr,” Wall Street Journal, 7/25/11. 22 Facebook has a very well-written “Guide to Facebook security,” at https://www.facebook.com/notes/facebook-security/ ownyourspace-a-guide-to-facebook-security/10150261846610766
https://www.facebook.com/notes/facebook-security/ownyourspace-a-guide-to-facebook-security/10150261846610766
https://www.facebook.com/notes/facebook-security/ownyourspace-a-guide-to-facebook-security/10150261846610766
14 CHAPTER 1 Introduction
S U M M A R Y
This chapter provided an overview of information security. We started by looking at why companies have found it nec- essary to invest in information security and what activities information security professionals spend their time on. There was a quick review of the important information security inci- dents in the last quarter century. We saw how based on these experiences, the industry has defi ned information security as the CIA triad – confi dentiality, integrity, and availability.
In the rest of this book, we will focus on developing skills to implement information security. We start with essential
system administration and scripting so that students can experi- ment with technology throughout the semester. We do this because in our opinion, system administration and scripting skills are extremely important differentiators in the workplace, particularly for entry-level positions. We then move on to more conceptual issues in Part 2. To implement information security, we present the framework composed of assets, vulnerabilities, threats, and controls and show how assets are determined, threats are identifi ed, and incidents are handled. Finally, in Part 3, we examine the managerial and regulatory context.
E X A M P L E C A S E – W I K I L E A K S , C A B L E G AT E , A N D F R E E R E I G N O V E R
C L A S S I F I E D N E T W O R K S
In February 2010, the then relatively unknown WikiLeaks began releasing classifi ed memos from the archives of the US State Department. In summer 2010, Wikileaks reached an agreement with leading newspapers around the world, including the New York Times in the United States and Der Spiegel in Germany, to publish selected cables from the archives in redacted form, i.e., after removing identifying information. The fi rst of these were published in November 2010. By September 2011, the security on the fi les at Wikileaks had been compromised and all memos were visible online in full text form to anyone. About half the leaked memos were classifi ed as “unconfi dential,” 45% were “confi dential,” and the remaining were marked “secret.” None of the leaked memos was classifi ed as “top secret.” The incident had acquired the moniker “Cablegate.”
Wikileaks is a non-profi t organization launched in 2007. The leading force behind Wikileaks is Julian Assange, an exceptionally competent computer programmer from Australia, who has a strong zeal for reform using the freedom
of the press. Accordingly, the mission of Wikileaks is to help whistleblowers reach journalists anonymously by providing a secure and anonymous electronic drop box. It is motivated by the principles of freedom of speech and media publish- ing. It is proud of its record of defending its journalists and anonymous sources against legal and political attacks aimed at obtaining the identities of these sources.
The memos leaked by Wikileaks were the result of decades of information collection effort by US diplomatic offi ces from around the world. The earliest memo dates back to 1966 and the leak was a source of considerable embar- rassment to the US State Department. The leaked memos summarized analysis by world leaders and US diplomats. Refl ecting geopolitical realities, often these analyses were at odds with the leaders ’ public positions. The leaders shared their analyses based primarily upon complete trust in the ability of the US State Department to maintain the con- fi dentiality of the information and their identities. With no
23 This recommendation comes from the fact that many compromises occur when websites store passwords without encryption. If the website is com- promised, the hacker will get access to your password and will defi nitely use it at all bank and brokerage sites. For an interesting, but lengthy account, read the article by James Fallows, “Hacked!,” The Atlantic, November 2011, http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/ (accessed 01/13/12)
another for fi nancial organizations such as banks and brokerages. Never share the fi nancial password anywhere or with anyone. 23 For an easy way to add security, pad your chosen password with charac- ters, e.g., pass – word is not very diffi cult to remember, but it is vastly more secure than password .
http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/
Defi nition of information security 15
known information leaks in the past, US diplomats around the world had a high degree of credibility in the diplomatic community. This gave them unparalleled access to sensitive and privileged information.
In fact, once the memos were leaked, leading news- papers in many countries published excerpts from memos that related to their country to satisfy their readers ’ curiosity about what the United States knew about their country.
The source – Pfc Bradley Manning
Private First Class (Pfc) Bradley Manning is a US army sol- dier, 23 years of age at the time of Cablegate. He enlisted in the Army in 2007 and trained as an Intelligence analyst. Around this time, through friends, he also came in touch with the programmer-enthusiast community at Brandeis University near Boston. In 2008, when he was deployed to Iraq, his job gave him access to two information networks – SIPRNet and the Joint Worldwide Intelligence Communication System (JWICS). More than 3 million US Government personnel and soldiers have access to these networks. The wide access to these networks was the result of the 9/11 attacks where it was believed that gaps in information-sharing within the govern- ment was responsible at least in part for the failure of the US Government to prevent the attacks.
Through these networks, Pfc Manning obtained access to the leaked memos. Sometime in 2009–2010, he decided to pass these confi dential memos on to Wikileaks. In May 2010 Adrian Lamo, a former hacker and information source about the hacker community was profi led in Wired maga- zine. Probably as a result of the article, Pfc Manning con- tacted Lamo and chatted with him on AOL Instant Messenger (IM). During the chat, Manning revealed that he had leaked the memos and suggested his motivations for doing so. Lamo decided to report this to the authorities, which led to Pfc Manning ’s arrest and the revelation of the identity of the Wikileaks source. Wired magazine published the transcripts of the chats between Pfc Manning and Adrian Lamo. 24 One of the most memorable lines in the transcript is (12:15:11 PM): hypothetical question: if you had free reign over classifi ed networks for long periods of time . . . say, 8–9 months . . . and you saw incredible things, awful things . . . things that belonged in the public domain, and not on some server stored in a dark room in Washington DC . . . what would you do?
Pfc Manning was charged before a military court on February 23, 2012, with offenses including aiding the enemy. Though aiding the enemy is a capital offense (i.e., can lead to the death penalty), prosecutors did not seek the death penalty in this case.
R E F E R E N C E S
http://en.wikipedia.org/wiki/United_States_diplomatic_cables_leak
http://en.wikipedia.org/wiki/Bradley_Manning
http://www.bbc.co.uk/news/world-11047811
http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/
http://www.cablegatesearch.net/
C H A P T E R R E V I E W Q U E S T I O N S
1. What are some of the strengths of information security as a career choice?
2. What are some of the ways in which stolen information can be used for profi t?
3. What are some of the most common ways in which the carelessness of end users can lead to a loss of sensitive information?
4. What are some of the common professional responsi- bilities of information security professionals?
5. Provide a brief description of the activities on which infor- mation security professionals spend most of their time.
6. Briefl y describe the most important skills that informa- tion security professionals are expected to possess to succeed in their job.
7. How did the development of inexpensive computer net- working technology (TCP/IP) affect information security?
8. Briefl y describe the activities of the gang of 414 ’s.
9. Briefl y describe the impact of the gang of 414 ’s on infor- mation security.
10. Briefl y describe the Morris worm. What are some of the factors that make it a landmark in the evolution of infor- mation security?
24 http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/
http://en.wikipedia.org/wiki/United_States_diplomatic_cables_leak
http://en.wikipedia.org/wiki/Bradley_Manning
http://www.bbc.co.uk/news/world-11047811
http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/
http://www.cablegatesearch.net/
http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/
16 CHAPTER 1 Introduction
11. What was the impact of Windows 95/98 on information security?
12. How does HIPAA (the Health Insurance Portability and Accountability Act) affect the profession of information security?
13. What are the provisions in the Sarbanes–Oxley act that are related to information security?
14. What were some of the immediate factors that led to the creation of the US Cyber Command?
15. Provide a brief description of the US Cyber Command and its activities.
16. What was operation Aurora?
17. Briefl y describe the outage that affected the Sony PlayStation Network in 2011.
18. What is information security?
19. What is confi dentiality?
20. What is integrity?
21. What is availability?
22. Provide an example of a violation of confi dentiality.
23. Provide an example of a violation of integrity.
24. Provide an example of a violation of availability.
25. Which in your opinion is the most important of the three components of information security? Why?
E X A M P L E C A S E Q U E S T I O N S
1. Of the three dimensions of information security, which was/were affected by Cablegate?
2. What do you think motivated Pfc Bradley Manning to release the memos to Wikileaks, and then discuss his actions with Adrian Lamo, well aware of the risks of these actions?
3. Based on publicly available information, what were some of the measures taken by the US Government to secure the memos?
4. To what extent were these measures effective?
5. If you were responsible for the information security of these memos, what would you have done to prevent an incident such as Cablegate from happening?
6. Why do you think the recommended actions above were not taken by the experts responsible for the information security of these memos?
H A N D S - O N A C T I V I T Y – S O F T W A R E I N S P E C T O R , S T E G A N O G R A P H Y
The hands-on activities in every chapter are designed to help you become familiar with the common tools used by infor- mation security professionals. These activities also help you apply the material covered in the chapter within the context of real systems.
Secunia Online Software Inspector
As the fi rst hands-on activity, you will use a simple, free resource to identify the most important security problems in the computers you use for daily work. This process is called an audit, and PC audit tools are available from many software
companies and ISPs. While this exercise uses the tool pro- vided by one such fi rm – Secunia, you are free to use similar tools from a provider of your choice.
The Secunia Online Software Inspector is available from the fi rm ’s website. 25 The product ’s webpage appears as in Figure 1.8 .
Using the software is straightforward. Clicking on the “Start Scanner” button on the page starts the scan with default options and the scan takes a few minutes to complete. When it is done, the report appears at the bottom of the page. A sample report is shown in Figure 1.9 .
25 URLs are very volatile. As of 02/12/12, the URL was http://secunia.com/vulnerability_scanning/online/ . The most reliable method of course is to use a search engine to fi nd “Secunia Online Software Inspector.”
http://secunia.com/vulnerability_scanning/online/
Defi nition of information security 17
The report shows that the scanned computer had many software applications that needed to be updated to their latest versions. We have seen in this chapter how older versions of soft- ware typically have known vulnerabilities that can be exploited by viruses and hackers. It is a good idea to periodically run an audit tool such as this and update or remove outdated software.
PC audit questions
1. Run a PC audit tool such as Secunia ’s Online Software Inspector on one of your home computers. Submit a screenshot such as the one shown in Figure 1.9 .
2. What are some actions you are considering after view- ing the results of your PC audit?
Steganography 26
This exercise gives you the opportunity to take a look at the “dark side” of information security. You will act as a revolu- tionary trying to secretly send a message to a friend. You are trying to fi x the time and place of a meeting with a group of friends. You believe that all your emails are being scanned.
While there a numerous ways of doing this, in this exercise you will use a particularly easy and interesting method – you will hide the text with the relevant information inside an image (say your university ’s logo) and send it to your friends. If your friends know where to look for, they can easily get the information.
The goal of the exercise is to demonstrate how easy it is to create information security challenges and therefore
F IGURE 1 .8 Online Software Inspector
26 Source: http://lifehacker.com/230915/geek-to-live--hide-data-in-fi les-with-easy-steganography-tools
http://lifehacker.com/230915/geek-to-live--hide-data-in-files-with-easy-steganography-tools
18 CHAPTER 1 Introduction
how challenging it can be to eliminate information security problems.
To do the exercise, you will need the following:
1. An image fi le. While almost any image will do, it is most convenient to take a small .jpg or .gif fi le. Usually your school ’s logo will work fi ne. Save the fi le on your com- puter. In this exercise, we will assume that all fi les are saved in the Downloads folder. It is a particularly conve- nient location on Windows and Mac computers. For this example, the fi le is called logo.gif (if gif image) or logo. jpg (if jpg image).
2. A text fi le containing the date, place, and time of the meeting. Save the fi le in the same folder as the image
above (an easy way to create this fi le is to open Notepad, type in the contents and save the fi le in the Downloads folder). For this example, the fi le is called msg.txt.
When you complete the above, your Downloads folder will look as in Figure 1.10 .
We are now ready to hide the text fi le inside the image fi les. You will need to open the Command prompt for this. In Windows, this is accessed from All programs → Accessories → Command Prompt. On Mac, this is accessed from Applications → Utilities → Terminal. To reach the Downloads folder, type in the command:
Cd Documents\Downloads
F IGURE 1 .9 PC audit report
Defi nition of information security 19
On Windows, the following command will append fi le2 at the end of fi le1 and save the results as fi le3:
Copy /B file1+file2 file3
To use this command to hide our text fi le in the image fi le, we can use the following commands:
Copy /B logo.jpg+msg.txt ico.jpg (for the jpg image) Copy /B logo.gif+msg.txt ico.gif (for the gif image)
The sequence of commands is shown in Figure 1.11 . After you run these commands, the contents of your
Downloads folder appear as shown in Figure 1.15 (to preview the images, you can select Views → Large icons).