275 35 3MB
English Pages 249 Year 2005
Managerial Guide for Handling Cyber-Terrorism and Information Warfare Lech J. Janczewski University of Auckland, New Zealand Andrew M. Colarik AndrewColarik.com, USA
IDEA GROUP PUBLISHING Hershey • London • Melbourne • Singapore
Acquisitions Editor: Senior Managing Editor: Managing Editor: Development Editor: Copy Editor: Typesetter: Cover Design: Printed at:
Mehdi Khosrow-Pour Jan Travers Amanda Appicello Michele Rossi Sue VanderHook Kristin Roth Lisa Tosheff Yurchak Printing Inc.
Published in the United States of America by Idea Group Publishing (an imprint of Idea Group Inc.) 701 E. Chocolate Avenue, Suite 200 Hershey PA 17033 Tel: 717-533-8845 Fax: 717-533-8661 E-mail: [email protected] Web site: http://www.idea-group.com and in the United Kingdom by Idea Group Publishing (an imprint of Idea Group Inc.) 3 Henrietta Street Covent Garden London WC2E 8LU Tel: 44 20 7240 0856 Fax: 44 20 7379 3313 Web site: http://www.eurospan.co.uk Copyright © 2005 by Idea Group Inc. All rights reserved. No part of this book may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher. Library of Congress Cataloging-in-Publication Data
eISBN
British Cataloguing in Publication Data A Cataloguing in Publication record for this book is available from the British Library. All work contributed to this book is new, previously-unpublished material. The views expressed in this book are those of the authors, but not necessarily of the publisher.
Dedication
To the memory of all those who were lost in the September 11, 2001 attacks, the Bali and Madrid attacks, and many other attacks as a result of the senseless determination by a small minority of people.
To the memory of my father who taught me understanding of the complexity and beauty of the world. Lech J. Janczewski
To everyone who gave me encouragement and support throughout this and many other of life’s projects, may God’s blessings be upon you. Andrew M. Colarik
Managerial Guide for Handling Cyber-Terrorism and Information Warfare Table of Contents Preface ............................................................................................. viii PART 1: FROM INFORMATION SECURITY TO CYBER-TERRORISM Chapter 1: Information and Computer Security ............................. 1 Definitions ........................................................................................ 2 Historical Security Brief .................................................................. 4 Implementing Information Security ............................................. 10 Issues Requiring Attention ............................................................ 20 Conclusion ..................................................................................... 21 Bibliography ................................................................................... 21 Chapter 2: The Nature of Terrorism .............................................. 24 Definition of Terrorism .................................................................. 25 Primary Terrorism Drivers ........................................................... 27 Overview of Terrorist Acts ............................................................ 33 The Link between Terrorism and Information Technology ........ 34 Prognosis on Terrorist Activities .................................................. 35 Bibliography ................................................................................... 37 Chapter 3: Cyber-Terrorism ............................................................ 40 Possible Terrorist Activities Against IT ....................................... 41 Definition of Cyber-Terrorism and Information Warfare ........... 43
Why Do Cyber-Terrorists Strike? ................................................. 44 Correlations between Cyber and Corporeal Conflicts ............... 47 Planning Security Systems: Overall Principles ........................... 48 Conclusion ..................................................................................... 57 Bibliography ................................................................................... 57 PART 2: ATTACKS AGAINST INFORMATION TECHNOLOGY Chapter 4: Physical Security ........................................................... 61 Issues in Physical Security ............................................................ 64 Advertising the Location ............................................................... 65 Securing the Perimeter ................................................................. 67 Protection of Equipment from External Disturbances ............... 75 Theft of Equipment ........................................................................ 78 Protection Against Eavesdropping ............................................... 79 New Form of Attack ...................................................................... 81 Retrieval of Information from Magnetic Media .......................... 83 Conclusion ..................................................................................... 83 Bibliography ................................................................................... 84 Chapter 5: Denial of Service Threat .............................................. 85 The Nature of DOS and DDOS Attacks ....................................... 86 Mechanics of the DOS/DDOS Attacks ......................................... 88 Conclusion ..................................................................................... 94 Bibliography ................................................................................... 95 Chapter 6: Web Defacements and Semantic Attacks .................. 97 Political Orientation ...................................................................... 99 Protections .................................................................................. 102 Conclusion .................................................................................. 103 Bibliography ................................................................................ 104
Chapter 7: DNS Attacks ............................................................... Launching an Attack .................................................................. Handling DNS Attacks ............................................................... Bibliography ................................................................................
106 107 108 109
Chapter 8: Routing Vulnerabilities .............................................. 110 How to Eliminate Router Threats ............................................... 114 Importance of Routing Vulnerabilities for Prevention .............. 115 Bibliography ................................................................................. 117 Chapter 9: Identity Stealing Attacks ............................................ 119 Examples of Identity Theft Attacks ........................................... 119 Conclusion .................................................................................. 123 Bibliography ................................................................................ 125 PART 3: HANDLING INFORMATION SECURITY ISSUES Chapter 10: Identification, Authentication, and Access Control ............................................................................................ 129 A Question of Proper Identification .......................................... 129 Key Definitions ........................................................................... 131 Security of the Authentication Methods ................................... 132 Access Control ............................................................................ 143 Monitoring System Access and Usage ...................................... 155 Mobile Computing ...................................................................... 157 Conclusion .................................................................................. 160 Bibliography ................................................................................ 160 Chapter 11: Personnel Security ................................................... Hiring New Staff ......................................................................... Security Duty During Employment ........................................... Terminating Employment ...........................................................
163 164 169 170
Conclusion .................................................................................. 172 Bibliography ................................................................................ 173 Chapter 12: Operations Management ........................................ Operational Procedures and Responsibilities ........................... System Planning and Acceptance .............................................. Protection Against Malicious Software .................................... Housekeeping .............................................................................. Network Management ................................................................ Media Handling and Security .................................................... Exchange of Information and Software .................................... System Development and Maintenance .................................... Compliance ................................................................................. Conclusion .................................................................................. Bibliography ................................................................................
175 175 177 179 181 182 183 186 187 193 198 198
Chapter 13: Information Security Policy .................................... 199 How to Generate an ISP ............................................................ 202 Example of Information Security Policy .................................. 205 Implementation of ISP ............................................................... 209 Conclusion .................................................................................. 210 Bibliography ................................................................................. 211 Chapter 14: Business Continuity Management ......................... 213 Business Continuity Management Process ............................... 214 Commentary ............................................................................... 220 Bibliography ................................................................................ 220 Epilogue: Thoughts for the Future .............................................. 222 About the Authors ......................................................................... 226 Index ............................................................................................... 227
viii
Preface
Introduction In 1988, Cliff Stoll published a remarkable book entitled the Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. The book was a report on the project in which he was involved in the course of the previous couple of years. Starting with the discovery of a fraction of a dollar imbalance in some computer accounts and through hundreds of computers in many countries, Stoll traced a spy operating from West Germany. The objectives of the spy, which were partially accomplished, were to penetrate the most secret details of the American defense system. From the reading of this book, we gained two very powerful impressions. •
•
At that time, the United States and its Western Allies were completely unaware and, surprisingly, not willing to entertain the possibility that their enemies might penetrate their computer installations in search of confidential information. Only persistency of such people as Stoll raised their awareness of this fact. Take note that this lack of awareness is related to the year 1988 and before. Stoll was employed at the University of Berkley, California, as an astronomer. He was a good example of a very specific type of person, who could be described as a scientist/hippy. It was remarkable to notice how the search for an invisible hacker changed his mentality and his attitude towards life.
ix
The awareness of the viability of the American military system to be attacked started to germinate. In the mid 1990s, the term information warfare became quite popular. Many studies were conducted and published. Most of them drummed for alarm, concluding that the United States was not ready for this new type of warfare. Perhaps the best summarization was in a report prepared in 1998 by the Center for Strategic and International Studies entitled “Cybercrime, Cyberterrorism, Cyberwarfare, Averting an Electronic Waterloo.” Similar voices were on the rise in Western Europe. Following the tragedies of the September 11, 2001 attacks on the World Trade Center and the Pentagon, the realm of security received considerable attention, and there was increased awareness among wider groups of contemporary society. Shortly thereafter, the U.S. Patriot Act was enacted. This legislation brought about wide sweeping changes to a host of existing laws resulting in the enhancement of domestic security against terrorism and additional powers of surveillance, investigation, and international money laundering. It also emphasized the need for information sharing in order to protect the critical infrastructures of telecommunications, energy, financial services, water, and transportation. But it was not only the U.S. that responded; most westernized countries passed similar legislations to address this growing threat. These acts have been met with quite a mixed reaction from contemporary society. The reaction of a significant portion of the population indicates deep confusion. On the one hand, they are worried about decreased security of living conditions, but on the other, they are against national governments introducing limitations on widely understood personal freedoms. The fact that terrorists can strike us at work without warning and with decisive focus has had an enormous impact on how we plan our activities. The use of everyday technologies turned against us is a horrific image, especially when we are unwilling participants. In 1991, Dr. Stephen Sloan put terrorism and technology into a broader context in his article entitled “Technology & Terrorism: Privatizing Public Violence.” He stated that the erosion of state-centric politics and the emergence of non-state actors, which includes regional intergovernmental, transnational guerrilla, and terrorist groups, has changed the interaction landscape. He goes on to suggest that the line between terrorism and states is becoming increasingly blurred as sympathy by portions of a populace for political subgroups increases. This will further develop the union between state-organized terrorism and non-state terrorists, forming alliances of conveniences. Ten years later, we have witnessed this expectation in action. Within this context, technology will facilitate the communication and collaboration of these relationships. In 2002, in a statement to the Joint Inquiry of the Senate Select Committee on Intelligence and the House Permanent Select
x
Committee on Intelligence, Lieutenant General Hayden, Director of the National Security Agency, stated, “The volume, variety, and velocity of human communication make our mission more difficult each day.” He went on to say, “We had to keep pace with a global telecommunications revolution, probably the most dramatic revolution in human communications since Gutenberg’s invention of movable type.” He also stated that al Qaeda need only harvest the products of the U.S. $3 trillion per year telecommunications industry to facilitate its activities in a globally instantaneous and encrypted manner. Remember, it is not just terrorists that use technology to enact political agendas. It has been estimated that over 30 nations have developed the capacity to actively participate in cyberwarfare, including the United Kingdom, China, Russia, France, Israel, India, Brazil, and Iran. Countries are developing cyber strategies to effect early warning systems and other information flows. These capacities, when combined with independent terrorist organizations, pose a considerable threat to all nations and their citizens. Information technology has become a critical component in defending against terrorism by accessing the intelligence of potential actors and their activities. However, as a result, it has also become a key point of attack. A key component in homeland security (anyone’s homeland) is the protection of the critical information infrastructure. The inclusion of remote communication properties in electronics (i.e., alarm and environmental control systems, location identification of Global Positioning Systems [GPS] that can be used to route a vehicle in an emergency, and global Internet banking access) has implications for security and stability. Information technology increasingly is being integrated into military, civil, and business systems. As a result, cyberspace will become the next major battleground. Cyber intruders continue to steal proprietary technical and commercial information. They have shown an ability to establish “back doors” into systems they have penetrated for later use in data retrieval and coordinated cyberattacks on bigger systems. The capacity to engage in such acts is relatively inexpensive and readily available to large numbers of individuals and groups. In the public domain, there are many proofs of these capabilities. There are groups of people whose life mission is to inform society about this (e.g., the group from California that calls itself The Cult of a Death Cow). The use of the Internet by terrorist groups is a growing concern by many experts. Is this hype, or are we seeing the emergence of a new terrorist attack form? It has been reported that al Qaeda uses the Internet for planning and coordination through the use of restricted accesses and encryption, recruitment of proIslamic hackers, and the measurement of potential infrastructure targets. In
xi
addition, Shieikh Omar Bakri Muhammad, a London-based Islamic cleric, spoke publicly about al Qaeda’s plans to use the Internet for cyberattacks. Remember, several of the September 11th terrorists had master’s degrees granted by western countries. Terrorist groups are able and willing to acquire whatever skills that are required to accomplish their goals, and can do so within the borders of democratic, open countries. Later, these educated terrorists may then launch a series of coordinated attacks from within and without jurisdictional control of the intended targets as a pre-emptive or coordinated assault. Geographic isolation is no longer a reality with global networks. In 1996, Bruce Schneier released his highly acclaimed book, Applied Cryptography, detailing the need and approach to utilizing cryptography to secure all digital transmissions. Some four years later, he wrote Secrets & Lies, in which he recants many of his original assertions that technology will solve our security needs. Technology alone cannot prevent attacks. He goes on to say that “what is required is detection and response,” and that “there are no technical solutions for social problems.” Therefore, all we can do is to make it as hard as possible for intruders and continuously improve our situation. This requires a pro-active approach that involves people, processes, and response procedures. In the coming years, organizations will discover that protecting systems through redundancy alone is only effective if the foundational systems are secured. Otherwise, cascading events can cripple an organization’s capacity to perform its functions. The required security changes in business practices and policies are needed today to prepare for the future. Those that become a part of these changes will gain knowledge and experience, and ultimately will assist in guiding the direction that such measures will offer. It is in our own best interest in such changing times to direct our future operating environment through active participation. Communication networks only can be protected against attacks if all stakeholders participate. The multiplier effect can be effective for an economic infrastructure’s defense. We must protect ourselves and not rely solely on government. Securing our systems must come from a bottom-up process and not be delayed while we wait for a top-down initiative. The National Strategy to Secure Cyberspace, issued by the President’s Critical Infrastructure Protection Board in 2002, states that “government alone cannot secure cyberspace.” It requires individuals, businesses, governments, and educational institutions to jointly work towards this common goal. Plans must be established and enacted to respond to this global threat, not only at a governmental level, but throughout the private sector. Until new technologies are developed to combat cyberattacks, businesses must establish procedures and policies that harness their existing infrastructure. It is a business decision
xii
that simply requires persistence. We as a community of individuals and business leaders must take aggressive action now. In light of the synthesis of the world situation presented above, and in relation to the security of information systems, let us formulate the following observations. • There is a growing interest in security issues and, in particular, information security issues. • A rising wave of terrorist attacks against civilian targets and information systems has added a new dimension to information security issues. • There is a considerable richness of publications about various aspects of information security, detailing this or that vulnerability and suggesting possible remedies. • There are few publications, however, that explain to what extent information technology (IT) managers should include in their agenda issues related to the rising wave of the terrorists and cyber-terrorist attacks. This book provides Information Technology (IT) managers with an understanding of cyber-terrorism and information warfare and how to handle the problems associated with them. We would like to emphasize that this book examines security issues and recommends solutions from the point of view of typical Information Technology (IT) managers. It does not address security issues from the national or governmental point of view. There are, of course, frequent references to national policies or laws, but they are made within the context of an IT manager’s needs. To provide this information, we divided the content of this book into three parts. The first part is a short introduction to information security. We believe that understanding the processes that laid the foundation of this discipline and led us through the years will help others assess current and future security issues. For the same reasons, we explain the roots of terrorism and how this planted the seeds of cyber-terrorism. Cyber-terrorism and cyberwarfare have many faces. In the second part, we present the most probable forms of cyber-terrorism and cyberwarfare attacks. We define these attacks, describe how they work, and explain the most effective ways to combat them from the IT management point of view.
xiii
Many tools of the trade of cyberwarriors and cyber-terrorists are common. Therefore, limiting the book to the discussion of these attacks would be significantly incomplete for IT managers. For these reasons, we wrote part three of the book, which defines other security measures that may not be directly related to fighting cyber-terrorism, but can generally decrease an organization’s information vulnerabilities to any type of attack, including cyber-terrorists’ attacks. In the epilogue of the book, we present our thoughts about the future of terrorism and cyber-terrorism. This book is designed for IT professionals and IT managers, in particular. Hence, we took considerable effort to enhance our thoughts with the presentation of case studies, which explain in practical terms the points we are making. All the cases are real; either we have witnessed the stories ourselves, they were told to us by our friends, or we found them in literature. As many of these cases could be embarrassing to some people or organizations, we have hidden the relevant names or changed the stories somewhat without changing their merits. Some parts of the text are framed. This is an indication of an especially important message we would like to pass on to our readers. From time to time, when quoting some important statement or fact, we have inserted the reference directly into the text, but to smooth the reading process, we have decided not to reference every item we quote. Of course, we can provide detailed references if there would be a need. We understand, however, that some topics discussed in the book may raise the special interests of a reader. Therefore, after each chapter, we have provided a commented list of publications covering the issues raised in a given chapter.
xiv
Acknowledgments
The authors would like to thank the University of Auckland, the head of the Department of Information Systems and Operations Management, the dean and faculty of the School of Business, and all those too many to mention here for their contributions and/or support in producing this book. We would also like to personally thank Smokecloak Limited, Esphion Limited, and Professor H. Wolfe for their gracious contributions towards this book. Special thanks are directed to our families who were deprived of our mental presence during the time of writing this book. LJ & AC
xiv
Part 1 From Information Security to Cyber-Terrorism
Information and Computer Security 1
Chapter 1
Information and Computer Security
The current state of the information security domain in the United States and much of the rest of the industrialized world can best be characterized as overly optimistic. The protection of computing systems and telecommunication infrastructures from unauthorized usage, manipulation, and sabotage faces serious challenges to ensure ongoing serviceability. This is especially true when we consider our growing dependence on these infrastructures. The state of affairs regarding the security aspects of these systems is even worse. Peter G. Neumann of the Computer Science Laboratory at SRI International in Menlo Park, California states: There is a seemingly never-ending stream of old and new security flaws, as well as markedly increased security threats and risks, such as viruses, Trojan horses, penetrations, insider misuse, identity theft, and fraud. Today’s systems, applications, and networking tend to largely ignore security concerns—including such issues as integrity, confidentiality, availability, authentication, authorization, accountability, and the spread of malicious code and e-mail spam—and would-be attackers and misusers have significantly wider knowledge and experience. Moreover, there is a general naiveté whereby many people seem to believe that
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
2 Janczewski & Colarik
technology is the answer to all security questions, irrespective of what the questions are. In addition to security concerns, there are serious problems relating to system dependability in the face of a wide range of adversities. Such adversities include not only misuse but also hardware malfunctions, software flaws, power disruptions, environmental hazards, so-called “acts of God,” and human errors. The nation seems to have evolved into having a rather blind faith in technologies that often are misunderstood or misapplied, and into placing trust in systems and the people involved with them, even though they have not proven entirely trust “worthy”. (http://www.nap.edu/ issues/19.4/neumann.html) This perspective regarding the state of security seems quite negative on the surface but serves as a point of reference for focusing efforts on resolving some of the more predominant security issues that face us today. Before proceeding further on the discussion of security, we need to have a shared understanding of the core fundamentals, distinctions, and definitions that comprise information security. Therefore, we start this chapter with the essential security definitions followed by an historical brief in order to begin further discussions from the same reference points. An outline of implementing information security principles in an efficient manner is also presented, and we conclude this chapter with our assessment of the current state of affairs in the field of information security.
Definitions For the purpose of defining the core information security concepts, we shall draw on those suggested by D. Gollmann and based on the ITSEC Evaluation Criteria. Gollmann states that information security covers the following: •
Confidentiality. The prevention of unauthorized disclosure of information. Traditionally, confidentiality meant controlled access to information. This term means that the access to data is a function of the person seeking access and the type of access. For one person, access could be read only, and for others it could be read and write. Other access rights can be formulated as well.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information and Computer Security 3
•
•
Integrity. The prevention of unauthorized modification of information. This means that only the nominated operator of a system is able to introduce changes. Neither by accident nor by an unauthorized party are such changes possible. The notion of integrity relates directly to the reliability of the information system. Availability. The prevention of unauthorized withholding of information or resources. Information must be available anytime it is required, and the underlying technology should prevent the creation of situations when an operator of a system is unable to access the data or system resources.
The current development in the theory and practice of information security discipline needs to be expanded to include these parameters: • • •
Authenticity. The proper identification of parties participating in the data exchange. Accountability. The defining and enforcement of the responsibilities of the parties. Non-Repudiation. The proof that information was indeed sent to the recipient and that the sender was indeed who sent the information.
In other words, the objective of information security is that during any data processing, transmission, or storage, the information is available when it is required, only to those authorized users, and may not be changed without their authority. This also means that the user is assured that the data they are using is an accurate representation. To eliminate any confusion about the difference between the terms information security and computer security, we need to make this explicit. Computer security deals with issues involved in attaining the objectives that are listed above, but limited to the electronic data processing environment. Information security deals with these same issues, but encompasses the whole organization. For instance, computer security would not be concerned with the way paper documents are dispatched or stored, while information security would. In fact, it is sometimes this distinction between the two that creates weaknesses in the overall security policies of an organization. Also, we would like to point out that the term information technology security is being frequently used. This term is practically synonymous with computer security and will be used interchangeably throughout the text. Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
4 Janczewski & Colarik
Historical Security Brief The domain of information security has changed significantly throughout the electronic computer era. At the dawn of computing, security issues were basically limited to the following: • •
The physical security of the place and location where a computer was installed and preformed its function. The verification of the trustworthiness of the staff operating the facilities.
Perhaps the best example of an early security system was the Colossus project. The objective of project Colossus was to build and run the first truly electronic computer (see Figure 1.1). The project was implemented at Blechley Park near London during the second half of World War II. Blechley Park was built to facilitate the decryption of messages that were exchanged among various units of the Axis Alliance (Germany, Italy, and Japan). During World War II, Germany used various models of an electric encryption/decryption machine called Enigma (see Figure 1.2). To speed up the decryption process of the
Figure 1.1: The colossus control panel
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information and Computer Security 5
Figure 1.2: Enigma machine
intercepted messages, Blechley Park used electromagnetic calculators called Bombs. These Bombs were based on blueprints that were prepared by a team of Polish mathematicians led by Dr. M. Rejewski from Warsaw University. In Poland, these blueprints were used to build the Bomb’s prototype just before the outbreak of World War II and later were carried away to Great Britain by Dr. Alan Turing. At Blechley Park, several thousand men and women worked on this project for many years. Throughout the war, the Germans never learned about the facility. The project was so well wrapped in secrecy that the first information about the project emerged in the 1970s. One can only be impressed when reading about the security procedures implemented and the shear determination of the people involved. Several participants (i.e., Catherine Caughey) recently published their diaries. Caughey’s book has the approval of the British Ministry of Defence with an included Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
6 Janczewski & Colarik
statement that the content of the book does not disclose confidential information about the project. Caughey’s husband, who died in the 1970s, never learned about his wife’s involvement in this project. One consequence of this level of secrecy resulted in a historical fiction that has been shared by a majority of people who believe that the computer known as ENIAC, built in 1946 at the Pennsylvania University, was the world’s first electronic computer. This type of devotion to secrecy is certainly hard to capture in today’s workforce. Secrecy surrounding computer installations was greatly reduced in post-war times. Computing facilities became symbols of the modern approach to managing organizational resources. Many companies took great pride in showing the world their computer divisions at work. Those of us old enough to remember the mainframes and mini-computers of the 1970s may also remember that such systems were showcased in glass-enclosed structures for employees and visitors alike to watch as technicians operated rows of tape and cylinder-shaped disk equipped systems. One such Danish computer manufacturer named Regnecentrallen had its information centre installed at ground level with a glass wall that separated it from the street. Even today, there are computing facilities, such as the ZETO building in Warsaw, Poland, that purposely have their facilities designed in this way. Looking back, it seems almost comical to see behind these glass structures the preachers (system operators) of this new religion (electronic data processing) dressed in appropriate frocks (white overalls), performing their rituals (controlling the computer) at purposely-built altars (system consoles). More currently, a pragmatic approach to limiting access to these facilities has emerged that places computer installations deep in the interior of the companies’ facilities, thus hiding them away again as an aspect of physical protection. In the 1970s, the attention of computer facility administrators was focused predominately on the physical security of the building and suitable motivation of the operations staff. The security issues on their agendas were limited to the following: • •
Protection against such calamities as fire, flood, power fluctuations, etc. (for obvious reasons). Protection against information disclosures. During this time period, telecommunication systems were typically not utilized for the entry and transfer of data between facilities. Hence, the data was brought to the computing facilities in the form of paper documents that had to be entered at the computing facility site. Disclosures of information were generally
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information and Computer Security 7
•
limited to preventing illegal copies of information stored on magnetic media or hard documents. To eliminate these types of fraud, the staff’s motivations were very high on the administrator’s agenda. Protection against errors resulting from the malfunction of hardware. During this time period, technology was much more unstable than it is today, in the same way that software is unstable today. Computer components could fail almost every day, and mean time between failures was measured in hours rather than days.
Manufacturers of these systems profited heavily from the initial sale, as well as the maintenance and support of these systems. Fundamentally being a manufacturer of mainframes and provider of supporting services, IBM was the first to recognize the importance of information security problems and set up a special interest group dealing with these issues during the early 1970s. As we moved through the 1980s and 1990s, several developments laid the foundation for a new perspective on information security issues. Among these developments were the following: • • •
•
The rapid expansion of telecommunication systems. Security breaches could now originate from nearly anywhere on the planet. The introduction of the personal computer and, in particular, the distributed computing environment through telecommunication infrastructures. Following Moore’s Law, we observed a rapid increase in the computing power of computer systems. This infers a growing complexity in these systems’ functional capabilities. As a result, the formation of security holes in the defence mechanisms became relatively easier. During the last decade, we saw dramatic increases in the number of installed computers, doubling almost every eight months and numbering in the hundreds of millions. Information technology entered almost every aspect of our lives. Our civilization became dependent on this technology, and its proper functioning became essential to ongoing growth (i.e., reliability).
Reliability has two aspects: physical reliability and resistance against unauthorized interference. Electronic Engineering and Computer Science has done a lot to increase the reliability of computer equipment. The most visible progress we
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
8 Janczewski & Colarik
observe has been in the production of reliable hardware. However, it is the state of software today that worries us the most. Bruce Schneier, one of the world’s well-known security gurus, estimates that there is, on the average, 10 to 15 programming errors in 1,000 lines of code. This leads to software manufacturers issuing patches and updates to correct flawed operating systems and application programs. What is much more important regarding security is the impact that these faults, bugs, and holes have on ensuring the information security objective. During the development of software in the current paradigm, designers cannot practically predict which fault properties can be exploited to cause damage to system functions. In our opinion, a classic example of this is the handshake principle of the majority of telecommunication protocols. This handshake determines that each message sent to a recipient should be acknowledged. This principle is based on the mutual trust of both parties (the transmitter and the receiver) participating in the data exchange. It assumes that the main objective of a telecommunication protocol is to provide error-free transmission between systems. However, this principle can be an effective way of disabling the receiver through a series of false requests that flood the receiver with an avalanche of messages that exceeds its data processing capabilities. The intension of sending these false messages is to create a processing overflow by providing inaccurate and unexpected answers to each message request. This handshake principle is the foundation for many of the Denial of Service attacks (DOS), and are discussed in detail in Chapter 5. In addition to the technical and organizational issues that we bring forth, there are aspects of people and their specific uses of technology that should be brought to light. A predictable consequence of the mass usage and dependence of information technology is the fact that there are a lot of people who feel that it is their right to freely access and utilize other organizations’ or other people’s systems for their own use. The reported number of unauthorized computer usage is rising, and many in the field feel that we as an industry are losing the battle in preventing the resultant losses. A report produced by the CERT Coordination Centre (Carnegie-Mellon University) shows that between 1988 and 2003, the number of reported vulnerabilities or incidents rose from six to more than 137,000. Every year the Computer Security Institute, in conjunction with the FBI in the United States, conducts one of the dominant surveys on the status of information security (see http://www.gocsi.com). The Institute publishes its results after an analysis of the results of responses from hundreds of computer security practitioners employed by US corporations, government
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information and Computer Security 9
agencies, financial institutions, medical institutions, and universities. The 2003 Computer Crime and Security Survey (CCSS) confirms that the threat from computer crime and other information security breaches continues to be a major factor in mitigating the financial consequences. Below are several key extracts from the report. Take note that this report is based on 500+ responses, covering a small fraction of US businesses. For the whole country, the level of losses could be several magnitudes higher. •
• •
•
•
•
The total annual losses reported in the 2003 survey were $201,797,340.00, a figure that is down 56% from the high-water mark of $455 million reported last year. It should be noted, though, that this figure is in line with figures reported prior to 2001. The overall number of significant incidents remained roughly the same as last year, despite a drop in financial losses. As in prior years, theft of proprietary information caused the greatest financial loss ($70,195,900 was lost, with the average reported loss being approximately $2.7 million). In a shift from previous years, the second most expensive computer crime among survey respondents was denial of service, with a cost of $65,643,300.00. Losses reported for financial fraud were drastically lower, at $10,186,400.00. This compares to nearly $116 million reported last year. As in previous years, virus incidents (82%) and insider abuse of network access (80%) were the most cited forms of attack or abuse.
Similar results were obtained in Australia. Deloitte Touche Tohmatsu, AusCERT, and New South Wales conducted a survey in 2002 of 300 of Australia’s biggest companies. In several of the survey categories, the level of incidents surpassed those reported by the CCSS in the United States. Sixty-seven percent of organizations surveyed reported that they had been attacked in 2002, which doubled the 1999 level, and 35% of these organizations experienced six or more incidents. This survey concluded, “Although organizations find it difficult to estimate the broader financial losses associated with computer security incidents it is clear computer crime is no longer just a nuisance value, but a serious threat to customer relationships and ultimately bottom line profitability.”
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
10 Janczewski & Colarik
We spoke with a security expert for the New Zealand company DataBank (now defunct) specializing in clearing banking transactions on behalf of several major New Zealand banks. He estimated that cleaning his firm’s computers after a virus infection occurred in the early 1990s cost his company around $20,000 U.S. In the current context, such a cost could easily reach $500,000. These surveys are well known among security specialists, but the general public tends to be bombarded by the media only when some spectacular security breach or usage of information technology occurs for some clandestine purpose (i.e., drama). There are two such examples that illustrate our point. Case 1.1 demonstrates that vulnerabilities in one infrastructure can easily become the vulnerability of another infrastructure when the underlying technologies are the same. Case 1.2 demonstrates that proactive prevention and responsive corrective action can minimize even the worst of attacks, despite the fact that the original attack infected over 430,000 computers around the world. During the time that this text was written, denial of service attacks appeared to be the most popular news by mass media and, by some accounts, reached over 43% of all the attacks reported by news agencies. Regardless of news outlets, these and other attacks need to be addressed because the underlying infrastructures and technologies are essentially uniform around the world. Worldwide access to computer networks allows us to assume that many of the attacks, issues, and problems are relatively the same around the world.
Implementing Information Security The domain of information security was defined at the beginning of this chapter, followed by a brief presentation of some historical developments. Now let us discuss some of the major issues in implementing information security (IS). There are several ways to examine and categorize the information systems domain. We choose to approach IS classification based on the nature of the security mechanisms used to fulfil the security objective. These categories are as follows: •
Organizational. These security mechanisms include setting proper procedures for handling security issues, such as the development of an Information Security Policy or the principles of imbedding systems with security mechanisms.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information and Computer Security 11
Case 1.1: Spectacular breach On May 1, an anonymous hacker posted a message on an online security mailing list stating that he had discovered holes in the wireless LANs operated by Best Buy. Later that day, Jonas Luster, co-founder of the security consultancy Dfensive Networks Inc. in Campbell, California, told Computerworld that he had conducted a test of networks operated by a San Jose outlet of Home Depot and found similar vulnerabilities. Best Buy said it shut down its wireless LANs shortly after the initial report surfaced. The San Jose Home Depot network, which Luster said exposed what appeared to be SQL database queries, shut down on May 2, he said. http://www.cnn.com/2002/TECH/internet/05/08/retail.security.idg/ index.html
Case 1.2: Spectacular breach with follow-up drama August 16, 2003 marked the second wave of an Internet attack by the “blaster” worm, but it barely caused a ripple. Microsoft Corporation said it had no major problems from the worm’s attempt to turn thousands of infected computers into instruments targeting the software company’s Web site and network. The Redmond-based company had not noticed any extraordinary network congestion, spokesman Sean Sundwall said. There were also no reports of customers having major problems accessing the targeted Web site, which houses a software patch that fixes the flaw exploited by the worm. “So far we have seen no impact on our Web sites or any other Web sites due to the ‘blaster’ worm,” Sundwall said. Still, he urged people to take precautions to protect their computers. The virus-like infection, also dubbed “LovSan” or “MSBlast,” exploits a flaw in the most current versions of Microsoft’s Windows operating system for personal computers, laptops, and server computers. Although Microsoft posted a software patch to fix the flaw on July 16, many users failed to download it, leaving them vulnerable. http://www.cnn.com/2003/TECH/internet/08/16/microsoft.blaster.ap/ index.html
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
12 Janczewski & Colarik
•
• •
Hardware. This includes all equipment that could enhance the security of the information processing process, such as firewalls and smart cards, but also includes items such as mechanical locks, surveillance cameras, and so forth. Software. The prime examples of this category are virus scanners and intrusion detection systems. People. This includes any arrangements dealing with human issues related to security, such as methods of hiring, managing, and discharging employees.
The above categories, which are more appropriately viewed at a detailed level when the assignment of functional duties is required to ensure the overall protection of the business, cover the following topics: •
•
•
•
•
•
Security Organization. This is directly equivalent to the Organizational category above, except it does not include the content of one of the most important security documents—an Information Security Policy. Security Policy. This is a method of developing and implementing the Information Security Policy, which is the organizational document listing the basic security-related duties of the personnel. Assets Classification and Control. This is a method of conducting the inventory of all company assets, including all the hardware and software assets, and having a system for keeping these records updated. Personnel Security. This is a collection of all the personnel matters having an impact on the security of information within a company. This item mostly corresponds to the People category above. Physical and Environmental Security. This a security arrangement dealing with the physical security of the premises, such as procedures and methods of allowing visitors to enter the company grounds, designing and maintaining fire protection systems, providing the continuous supply of power to the company facility, and so forth. Communication and Operating Management. This function includes all security measurements that assure that the exchange of information through electronic media with the outside world is done in a way that does not violate the security of the internal systems. This also includes any protection against malicious software and exploitation of possible soft-
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information and Computer Security 13
•
•
•
ware-originating security holes. In our opinion, this is an essential part of the information security domain. Access Control. This function is composed of the facilities allowing access to resources for only authorized personnel, and then only within their security privileges. This is where all logon, password, and similar procedures are managed. Business Continuity Management. This governs any contingency planning and enactment if a disaster were to strike. The staff must be prepared and trained in emergency situation handling procedures and be able to follow them swiftly. The creation of business continuity planning procedures is the essence of this function. Compliance. This function governs a growing number of regulations— international, national, local, bylaws—related to security issues. Company management must be familiar with, follow, and enforce theses rules and regulations or the consequence can be quite severe. Examples of the laws directly related to information security are national privacy acts.
When implementing information security, understanding the relationship between terrorist attacks and IT becomes even more important in today’s uncertain environment. This relationship can best be thought of as follows: • •
Direct, when damaging an IT installation could result in significant losses; or Collateral, when terrorist attacks against some target could result in distortions of the regular IT working conditions.
Terrorists choose their targets very carefully. Their objective is to create widespread confusion and fear. IT facilities are potential targets.
The rising wave of terrorist attacks culminating in the 2001 destruction of the World Trade Center in New York caught the world by surprise. But the phenomenon of terror is not new. For many decades, there have been many executed terrorist attacks throughout the world, but they were, for the most part, ignored by the majority of the population. The rising wave of terrorist attacks has also caught the information security domain by surprise. While there Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
14 Janczewski & Colarik
were voices from the mid-1990s that IT-supported terrorist activities were possible, again the majority never took such warnings seriously. As a result, IT managers were faced with responding to post 9/11 damages, reestablishing operations, and planning future responses. These are not imaginary threats and must be incorporated into the information security implementation. We would like to stress the importance of the system approach to problem solving and contrast it with very the popular piecemeal approach. The piecemeal approach means that when a problem occurs, a solution to this problem is evaluated, designed, and implemented. In the case of the system approach, the search for the solution also examines possible interactions with other processes. The piecemeal approach generates some solutions, but these solutions can be contradictory with the functioning of other components in a system, and can make the whole system not function in an optimal manner. The system approach avoids this pitfall. Now that we have an understanding of the basic components of the information security domain, the next logical question is, How do we design and implement an effective and efficient information security system? In the following sections, we present some of the fundamental issues and procedures for securing systems. Further information about this will be presented in Part 3, especially Chapter 12 on operational control.
Awareness Perhaps the most important factor in building a good information security system is a supporting attitude from top management. At present, all of the known surveys indicate that the issue of security has been elevated on the managerial priority list. This is a byproduct of the September 11th tragedies and a result of higher social alertness by the general public triggered by terrorist activities, despite the recent wave of the DOS attack occurrences. In the past, interest in security issues was relatively low compared to current trends and reprioritizations. Companies were reluctant to spend the funds needed to ensure a secure information system unless they absolutely were required to do so for daily operations. In one Australian survey, we found that a company was spending more money on coffee than on information security. The typical reluctance in the past to funding security activities can be summarized in a popular managerial statement: Why should we invest in information security, as we have never registered any security breaches? The best response
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information and Computer Security 15
could be perhaps, How do you know that an intrusion occurred if an intrusion detection system has not been installed? We had a chance to observe in action a detector of DOS attacks (see Chapter 5) installed for a major Internet Service Provider (ISP). The detector reported an almost continuous string of such attacks. Fortunately for the ISP, its technical capabilities were able to absorb these attacks. To overcome such attitudes, a good awareness program aimed at top management must be established and executed. It is best to start such a program with what we call a mild “burning fingers” experiment. One of our security friends approached this experiment in an interesting manner. He used to start his campaign on security awareness by arranging an appointment with the company’s CEO. He would arrive a little early, and, before entering the CEO’s office and in the vicinity of the office, he would use his wireless-enabled laptop to intercept the company’s communication messages. Once with the CEO, he would demonstrate just how much this company needed him. Another approach to security awareness is demonstrating to managers the interception of messages sent to pagers or displaying live transactions passing through the corporate firewall. Such demonstrations are usually eye openers for most people, regardless of whether they have disclosed corporate or personal information through these channels. A survey performed recently in Auckland, New Zealand indicated that within the Central Business District, over 60% of the wireless networks were functioning without any protection; that is, accesses to the companies’ Local Area Networks was possible for anyone having mobile computing facilities.
Readers must be warned that in many countries, such demonstrations of intercepted messages from paging and wireless systems may be a violation of law. Check before attempting them.
Responsibility for Information Security Understanding the importance of information security and its relevant issues is very important. However, of equal value is the appointment of a person or persons responsible for the development and implementation of the company’s information security system. Despite popular slogans like “Safety is our top priority” or “All of us are responsible for security,” there must be somebody Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
16 Janczewski & Colarik
placed in charge of managing and overseeing company security issues. The size of a company does not lessen the necessity of the appointment of a full-time security officer. If a small company’s activities depend strongly on information technology, then the organization puts itself at risk by not having such an individual. If the organization is a middle-to-large sized company, then a team of specialists should be appointed to support the work of the security manager. A comparable measure of the staffing requirements for a commercial bank with a staff of approximately 2,000 people, for example, would be a team of about eight people responsible for handling the information security issues. This obviously will vary, depending on the specific security needs of an organization.
Risk Management Analysis Before designing an information security system, company management must find out what information resources are at its disposal, how critical those resources are, how difficult (or easy) it would be to damage those resources, and, finally, what the probabilities of such unwanted events are. This procedure is called a risk management analysis. In other words, risk management is the term applied to a logical and systematic method of establishing the context of identifying, analyzing, evaluating, treating, monitoring, and communicating risks associated with any activity, function, or process in a way that will enable organizations to minimize losses. In order to have a successful risk management approach in relation to information resources, we need to: • • • • • •
Identify assets. Determine vulnerabilities. Estimate the likelihood of asset and system exploitation. Estimate expected losses. Survey applicable controls and their costs. Project annual savings of controls.
These steps are functions of risk management analysis and include the finances, time, and staff restrictions that must be considered throughout the process.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information and Computer Security 17
There are many methods of performing risk management, which are discussed in Chapter 3.
Increasing Understanding All of the above sections and their respective fine points contain a considerable amount of information, which, in order to be thoroughly understood in detail, may require additional reading. Even the best security books cannot encompass every detail regarding concepts and implementations. While we appreciate that you are reading this book to expand your knowledge base, we realistically must admit that there are other sources available and encourage all security practitioners, regardless of skill level, to increase their understanding of security. We recommend that further examination of information security be pursued through the use of publications such as books, journals, conference proceedings, and Internet sites (with caution). In this section, we provide a review of the available resources in the field of information and computer security. Books Books are generally divided into three categories: •
•
Publications that are clearly an introduction to the security issues or a subclass of the security issues such as Network Security for Dummies, Primer in Information Security, and so forth. These publications are usually very good as a first step to understanding the main issues of the domain. Despite often being labelled by security specialists as trivial, their role is very important to raising awareness. We recommend these types of books for all beginners. Publications dealing with some definitive area of information technology and having part of the text relating security issues to the main topic. The best examples of this category are books on database management systems and operating systems that add a few chapters on security. These books (or rather the chapters on security) are a reading must for designers of similar systems.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
18 Janczewski & Colarik
•
Books on specific aspects of information security, presenting in-depth information on the topic. Books on cryptography and telecommunication security are good examples of such publications. These publications are mainly for security specialists or people who would like to gain intimate knowledge of the security issues in a specific domain of information technology.
Journal-type publications vary in type and shape, and it is sometimes very difficult to direct readers toward a specific title. The best overall primary selection criterion is determined by the publisher. We recommend journals edited and printed by the following publishers: • • • •
IEEE Transaction on Computers, Telecommunications, and so forth (USA) Elsevier (UK) MCB University Press (UK) Computer Security Institute (USA)
There are also many high quality conferences sponsored by prominent security industry leaders that are devoted entirely to information security. These conferences vary in frequency and content from year to year, which therefore makes them difficult to recommend. The first criterion of assessing conferences is the name of the organizer. We believe that all conferences organized by any of the organizations listed below and their respective proceedings elicit a closer look: • • • • • •
IEEE IFIP (especially conferences organized by their Technical Committee No 11) Computer Security Institute (USA) British Computer Society (UK) Association for Computing Machinery (USA) Computer Security Institute (USA)
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information and Computer Security 19
Training in Information Security There are established training courses that provide foundational, intermediate, and advanced training. These programs, which often lead to certifications and advanced degrees, can be broken down into two basic groupings: •
•
Short Courses. The most popular are courses on specific hardware or software security systems offered by manufacturers of these products (e.g., Symantec, Cisco, Novell, or Microsoft). In addition, educational institutions offer short courses and seminars, which are usually an introduction to a specific field of the information security domain. Longer Lasting Training. This type of training is usually offered by educational institutions such as universities and polytechnics. The highest level of training available in this group resides within masters programs in Information Security. There are numerous attempts (especially in Europe) to standardize the curricula of such trainings. The growth of this area is tied to the availability of qualified security professionals who are willing to teach.
Other Sources of Information Another important source for training in the field of information security is research and information dissemination centres that collect, evaluate, and publish information on discovered computer viruses, threats, and vulnerabilities. There are hundreds of organizations throughout the world whose sole purpose is to deal with information security issues and disseminate their findings. There are general organizations and ones dedicated to specific problems such as cryptography, public key infrastructure, industry standards setting, and so forth. These organizations can be independent or form a special interest group of information technology organizations. Perhaps the most well known is the CERT centre of the Carnegie Mellon University in Pittsburgh, Pennsylvania. Finally, there are Internet-based discussion groups and forums dealing with information security issues for both the general public and specialized user bases.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
20 Janczewski & Colarik
Issues Requiring Attention We started this chapter with a very negative picture of the information security domain. The losses quoted by the FBI/CSI survey are substantial. Of the 251 organizations reported in 2003, losses in excess of $200 million U.S. occurred. As was stated before, we need to remember that 251 organizations comprise a fraction of all business organizations operating in the United States, and that fraction is even less than that when considering the rest of the world. The nationwide losses (not including non-U.S. countries) would be much higher by an order of several magnitudes. This is further exasperated by the pressures of the competitive software market on manufacturers to release products that may be predisposed to future faults. The real issue here is who is responsible for conducting tests on IT products? The answer is that the manufacturer is responsible but has the advantage of ignoring or minimizing its own results. However, the reality is that the user (i.e., the organization) bares the responsibility for the consequences of licensed software because of the licensure agreement. If the user is the responsible party, then it is even more important to institute information security in order to mitigate future risks. We believe that software licences must be revised by external pressures such as legal channels so that a balanced approach to responsibility may be struck. This, in turn, would facilitate the declaration of what a product proposes to perform and under what conditions it will perform to a certain standard. As a result, manufacturers of IT products, in order to reduce their liabilities, would encourage more rigorous testing of their products before releasing them to the market. The possibility of creating relatively fault-free software products already has an existing approach by which to model a comparable system. In the U.S., there is an established partnership known as the National Information Assurance Partnership, which determines the rules for contractors supplying IT products to the Department of Defence (DOD). The underlying principle of the Partnership is that products must get a positive opinion issued by an authorized laboratory before being delivered to the DOD. These laboratories verify the product according to the common criteria standard. Common criteria is an internationally accepted standard of assessing security capabilities of an IT product and will be elaborated on in later chapters.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information and Computer Security 21
Conclusion The objective of this chapter was to present a short introduction to information security, its brief history, and its major mode of operation. The fact is that the rapid growth of terrorist activities during the last 15 years and its impact on the IT infrastructure have taken the security domain mostly by surprise. All of us are bombarded every day by news about new security alerts or attacks caused by terrorist activities. Our reactions to that flood of information is predictable— How will these activities affect us? In particular, how will IT managers manage such issues as cyber-terrorism and information warfare? Hence, the information security domain needs to quickly find answers as to how to react to this and the next wave of terrorist attacks, regardless of their form. We assert that several major changes and corrections of existing IT security procedures and policies need to be considered in order to prepare for the contingencies required in an uncertain world. The rest of this book is a guide to accomplishing these changes.
Bibliography Please note that the listing below represents individual preferences of the authors. Books are listed by groups. General – For Beginners Anderson, R. (2001). Security engineering. Wiley. A similar profile to Proctor’s book, but much more detailed. Cobb, C. (2003). Network security for dummies. Wiley. Highly recommended text for all beginners in network security. Gollmann, D. (1999). Computer security. Wiley. Academic textbook concentrating on computer security. Proctor, P., & Byrnes, C. (2002). The secured enterprise. Prentice Hall. One of the best introductory texts on information security management. Schneier, B. (2000). Secrets & lies. Wiley. Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
22 Janczewski & Colarik
In his previous books, Schneier said that cryptography is the solution to computer security issues. In this book, he denounces his previous statement and indicates that the issue is far more complex and that the human factor is more important. Not a technical book, but highly recommended to any IT manager. Singh, S. (1999). The code book. Fourth Estate. This is an absolutely fascinating book about the secret history of codes and code breaking throughout the centuries. It contains a bit of mathematics, but overall, it is almost a bedtime book, bringing a lot of stories behind the scenes of code development and breaking activities. Stallings, W. (2000). Network security essentials. Prentice Hall. A very good book describing in reasonable detail the most popular ciphers, hash functions, and security protocols. Whitman, M., & Mattord, H. (2002). Principles of information security. Thomson Technology. A very good academic textbook with a strong emphasis on the systems approach to security technology implementations. For Specialists Cox, P. (2001). Windows 2000 security handbook. McGraw-Hill. Same as Weber, but related to Windows 2000. Doss, G. (2001). Learn red hat, LINUX security. Wordware Publishing. Same as Cox, but related to Linux. Kruse, W. (2002). Computer forensics. Addison Wesley. Crime committed with the help of information technology requires handling IT in a different way, following procedures typical for conducting traditional evaluation of physical evidence. Hence, this book is an introduction to “computer forensics”. Nash (2001). PKI implementation and managing. McGraw-Hill. At present, the Public Key Infrastructure is one of the hottest topics discussed among security specialists. Nash’s book presents a very well written overview of the problem.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information and Computer Security 23
Weber. Windows XP professional security. McGraw-Hill. Highly technical book about the security issues related to using the Windows XP operating system. A must for a system administrator. Other Useful Readings Bhimani. (1996, June). Securing the commercial Internet, Communications of the ACM. Gwin, P. (2001, October). Is the Internet the next front in the terror war? Europe. Information security breaches survey 2002 technical report. (2002). PriceWaterhouseCoopers. Kabay, M. Understanding studies and surveys of computer crime. Retrieved from http://www2.norwich.edu/mkabay/methodology/crime_ stats_methods.htm Landwehr, C. et al. (1994, September). A taxonomy of computer program security flaws. ACM Computing Surveys. Trembly. (2001, October). The next terrorist attack: Coming soon to a computer near you? National Underwriter.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
24 Janczewski & Colarik
Chapter 2
The Nature of Terrorism
The events surrounding the attacks against the World Trade Center (February 26, 1993 and September 11, 2001) and the Pentagon (September 11, 2001) generated enormous interest in terrorist activities. The global society and, in particular, North America realized how vulnerable they are to the subversive activities of small groups of determined people. President George W. Bush’s announcement of launching the “War on Terror” was an answer to these fears. The steady rebroadcasting of these events terrified most of us to the degree that we now want to find answers to the following questions: Why did this happen? What can we do to keep ourselves safe? What is the future impact of terrorism on our lives? In this chapter we will present our point of view on this phenomenon. We believe that in understanding the motifs that drive modern-day terrorists, we can help our civilization deal with these types of threats. This knowledge is also important for IT managers. They are managing not only the technical facilities and IT staff of their respective organizations, but they are also facilitating the links between organizations. They need to be vigilant and detect any symptoms of discontent or other activities that may indicate the possibility of potential terrorist acts. What is even more important is that they understand that terrorist groups use IT to support their activities. Global communications facilitate the coordination of distributed independent groups, as well as other activities. Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
The Nature of Terrorism 25
Every normal human being is against terrorism. But it is impossible to find at present an example of a terrorist attack that would not be supported by a significant group of people. There are substantial parts of the population in several countries for whom Osama bin Laden is a very positive hero, while in other parts of the world, he is considered an outcast. The authors of this text are not free to have our own preferences. Despite this, in the following analysis of terrorist activities, we have made a substantial effort to put aside our own associations (religious, ethnic, and ethical) and concentrate on formulating an answer to the most important question: What are the roots of terrorist activities at the beginning of the 21st century? Very few can deny that this unprecedented wave of terrorist activities spanning the whole globe is targeting mainly products and people of what can be described as the Western Civilization.
Definition of Terrorism Throughout this book, we present key definitions at the beginning of each chapter to facilitate a shared understanding of perspective. As usual, we start this chapter with the definition of terrorism, followed by our analysis and opinions on its root causes. One of the best definitions of terrorism is the one contained in Title 22 of the United States Code, Section 2656f(d): The term “terrorism” means premeditated, politically motivated violence perpetrated against non-combatant targets by sub-national groups or clandestine agents, usually intended to influence an audience. Even this definition has some deficiency. It assumes that terrorist activities are the products of some organizations and their representatives. This may not be necessarily true. There are known cases of individuals acting alone who were engaged in terrorist-influencing activities. The best example of this is Theodore Kaczynski, the infamous Unabomber. He acted alone in the design, manufacture, and delivery via U.S. mail of explosive packages to organizations and individuals he decided to attack. Such an approach to creating terror must be included in this legal definition. What we believe is that the core of terrorism is the creation of terror. Terror can be thought of as: Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
26 Janczewski & Colarik
• • • •
An intense, overpowering fear. An object that instills intense fear (e.g., a rabid dog that is the terror of the neighborhood—a terrorist). The ability to instill intense fear (e.g., the terror of military jackboots pounding down the street). The violence committed or threatened by a group to intimidate or coerce a population for military or political purposes. (This definition is similar to the one in Title 22.)
There is a substantial but not widely understood difference between terrorism and warfare. Warfare is defined as: • • • •
The waging of war against an enemy (e.g., armed conflict). Military operations marked by a specific characteristic (e.g., guerrilla, chemical, or electronic warfare). A state of disharmony or conflict; strife (e.g., constant warfare in the household). Acts undertaken to destroy or undermine the strength of another (e.g., political warfare).
The difference between terrorism and warfare is in the motives of the attackers rather than in the technology or tactics used. The major objective of terrorist activities is to demonstrate the strength of the terrorist(s) by creating fear among its opposition. Terrorist activities can be associated with a particular government (e.g., the downing of the Pan American plane over Lockerbie by Libya on December 21, 1988). Ability to create fear must not be necessarily the end product of terrorist activities. Many military operations are devised and conducted specifically to raise fear among enemy troops. As stated above, warfare and terrorism may use similar methods, materials, and means, but their objectives are different. It is worth comparing the attacks against the World Trade Center in New York with kamikaze attacks in the final stage of World War II. In later chapters, we will apply these concepts to information system security. Analyzing the kamikaze attacks from a purely technical point of view brings quite negative results.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
The Nature of Terrorism 27
Taking into account how many resources were used to conduct these attacks versus their efficiency (i.e., U.S. Navy tonnage drowned), the outcome was not impressive; other techniques used by the Japanese were more efficient (e.g., artillery barrage or torpedoes). Kamikaze pilots’ sacrifices of life did not influence the course of the war on the Pacific front. But it was widely known that nothing scared U.S. sailors more than these attacks. Kamikaze technique was developed by the Japanese military and used against Allied forces; because of that, it cannot be labeled as a terrorist activity, despite the creation of fear. Hence, from a technical point of view, the activities of the kamikazes (i.e., flying against the U.S. Navy) and of the al Qaeda pilots (flying against the World Trade Center) were the same, but their motives were dramatically different.
Primary Terrorism Drivers What triggers some people to be involved in terrorist activities? Let us make and examine four observations. 1.
2.
Claims of aggression against some countries. Very often, we witness spontaneous accusations of American or European aggression against numerous countries in Africa, the Far East, or the Middle East. But in the military sense, these countries were not being invaded in recent history. Of course, this does not include the military activities in Afghanistan and Iraq. Many people from various parts of the world breathe hatred toward the United States and its Western allies. The authors had a chance to speak with a highly educated person from Tunisia and were surprised by an outburst of hatred that the man was harboring against the United States. During the conversation, which took place before the Afghanistan campaign, he frequently used the term aggression to define the United State’s policies. Such deep-seeded hatred spawns a variety of extremist activities. Reactions to terrorist outcomes. Pictures of smouldering mountains of rubble where the World Trade Center stood in New York City, a gaping hole in the pristine walls of the Pentagon, and badly injured patrons of the restaurants wrecked in Bali deeply disturbed onlookers and television viewers alike. There is no doubt that these events were the result of
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
28 Janczewski & Colarik
3.
4.
activities by groups of radical Muslims and that the mass media coverage of these scenes was hailed with great joy by the terrorist groups and their sympathizers. Despite all of the collected and presented evidence, there are groups of people convinced that the evidence related to these attacks was fabricated by foreign powers. The demonstrations in Pakistan condemning the U.S. for launching its hunt for the terrorist Osama binLaden gathered huge crowds. CNN reported that on some occasions 100,000 people took part in them. The societies of the Western World were now faced with a choice: accept such behavior or respond to it. A significant part of the effort is directed against these radical groups located in various countries of the world. Immigration trends. The immigration authorities of the United States, Canada, Western Europe, Australia, and New Zealand are besieged with applications of people wanting to emigrate from lesser-developed countries. There are proportionally high numbers of illegal emigrants for whom the legal immigration channels are not available. Many of these people spend their life savings risking their lives to be smuggled across borders and high seas to enter the lands of promise. It is not uncommon for Westerners traveling to developing countries like Africa to be asked how easy it is to immigrate to their respective home country. There is also a distinct hierarchy of immigration choice among Western countries. Despite being condemned by many individuals and organizations as a source of any possible evil, the U.S. and Great Britain appear to be the first choices of many potential immigrants. Technology’s social and technical environment. Every technology product is a bearer of its creator’s ideas; that is, in order to operate a technology optimally, each product must be surrounded not only by a proper technical environment, but also by adequate societal support. For instance, a typical computer requires a consistent quality supply of power and a relatively dust-free, low-humidity environment in order to function properly. To fully utilize its capabilities, a telecommunications network is simply plugged in, and the world suddenly becomes a smaller place. Added to this are the technical support mechanisms that are available to assist in troubleshooting and educating the user. However, in developing countries, power supplies fluctuate, environmental controls are sometimes non-existent, telecommunication infrastructures are not plug-andplay, and finding a technical support specialist for free is difficult in the middle of the desert. This sounds like a commercial for several serviceoriented companies, but it is true.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
The Nature of Terrorism 29
Technology Culture These observations indicate that there is a cultural orientation to westernized countries that allows for the deployment and support of information technology developed there. Through this technology, a competitive advantage emerges that lesser developed countries just cannot overcome. The truth of the matter is that democratic-type societies provide the organizational, technical, and cultural support for IT in order to receive the realized economic benefits. Ask yourself this question: How can the Internet be exploited effectively and efficiently by a society that is founded on poverty-induced slavery and where an opinion is grounds for jail or worse? While the number of World Wide Web connected computers continues to grow, we must remember that the majority of the world’s population does not have access to this network, and any access may be highly restricted due to political rather than economic constraints. To utilize IT technology in an effective way, many societies have three choices: • • •
To create a societal/technical oasis for deployment of that technology. To upgrade their general technological capabilities, which is extremely costly. To change their culture, which is incredibly hard to do and would take many generations.
Hence, countries based on non-democratic social processes may not enjoy all the benefits of IT. Countries that have embraced true democratic processes and civil liberties for its citizens have been able to exploit IT in all kinds of capacities. As a result, these countries have seen considerable economic growth and have become the production supply centres for the big eight economic countries (the U.S., Japan, Germany, the United Kingdom, France, Canada, Holland, and Italy). However, the incorporation of these technologies to produce these products forces many nations to introduce Western customs and culture. This cultural change produces resentment towards the technology and, to some extent, towards the originating country of the product (i.e., a Westernized country).
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
30 Janczewski & Colarik
This book has concentrated on IT, but the following example illustrates perhaps in the best way the sociological and technological impact imposed by a Western technology on other societies. In a Westernized country, freedom of movement is often personified by the ownership of a passenger car. Traditionally, there are societies in which freedom of movement for some members is restricted (i.e., women in some Middle Eastern countries). It sounds odd to us, but public statements such as, “Cars destroy the fabric of our society” occur when women from these societies seek the freedom of car ownership. As such, exposure to these Western thoughts of liberty is treated like societal diseases that require directed focus on the source of these ideas. Another factor in how Westernized countries are viewed is the mass production approach to commercialization of even the simplest industries. American fastfood chains with their profit-oriented operations have opened outlets all over the world. It can be viewed that this approach represents an economic invasion by the Western world without the use of militaries at their deposal. This socalled economic imperialism creates a localized economic and physical aggression against the company’s source country. In the extreme, it may contribute to international terrorism by being a constant reminder of economic superiority. It is an established fact that wealth is used to create power. The efficient implementation of modern technology by the Western world speeds up the development processes, thereby making the catching up process for other countries more difficult. Wealth and power that is created by the Western world has a magnetic power to many citizens of lesser-developed countries (i.e., if you can’t beat them, join them). It is the loss of talent to more developed countries that provides a lack of forward thinking leadership and gives rise to great resentment by those who are left behind. This is mostly because these societies will not embrace the cultural changes required by technology.
Religious Culture Another aspect of the current wave of terrorist attacks has a religious background. At present, the majority of terrorist attacks are planned and carried out by various groups that have strong affiliations with something commonly referred to as radical Muslims. The three major religions—Christianity, Judaism, and Islam—all have common root beliefs. Their messages are all quite similar. However, the nature of people being that they adopt concepts to their own means has created a multitude of factions that compose these
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
The Nature of Terrorism 31
religions. The basic differences are based on different interpretations of the same Holy Scriptures. These interpretations lead to emphasizing key aspects of the written texts that alter the enactment process of practicing the religion. As a result, we have Muslims groups wanting to introduce a strict implementation of Sharia (the Koran rules) to the whole of society; Orthodox Jews following the literary adherence to Torah rules; and Amish communities living by a narrow interpretation of the Bible. These types of religious groups are engaged in intensive training of their youth, but their efforts to spread their message outside their groups vary. These efforts come in the form of visits to private homes (e.g., Jehovah’s Witnesses), the organization of youth festivals by various Christian groups, or demands directed to the rest of society to follow the group’s decrees (e.g., Orthodox Jews in Israel). In most cases, these efforts only contribute to the whole of societal organization rather than have a significant effect on the nation. In current history, the exception to this impact lies within some Islamic groups. In August 2003, a story was released in the media informing the general public that there were thousands of boarding schools in Indonesia and Malaysia (socalled Madrases) teaching its youth the orthodox form of Islam. Many of these schools are anti-Western and, as such, are breeding grounds for terrorists. Strong links between these schools and leading terrorist organizations were also reported. For many, these schools represent the only opportunity to receive an education that will better their lives. Acceptance to these schools is based on the embracement of the core Islamic teachings offered. These teachings are based on a particular sub-denomination’s social and political orientation.
Religious Conflict in Action In the last 14 years, we have witnessed several major military conflicts involving Western powers: Kuwait, former Yugoslavia, Somalia, Afghanistan, and Iraq. The reasons behind each of these conflicts were all different; starting a discussion about the roots and issues of these conflicts (i.e., justifications) is too far removed from the main topic of this book. However, we would like to point out one very important common denominator of all these conflicts. All of the military activities were carried out by nations with Christianity as their major religion, against nations predominately Muslim. When viewed in this context, it becomes obvious that these wars boost anti-Western attitudes among Muslims.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
32 Janczewski & Colarik
For many, the destruction of the United Nations headquarters in Baghdad in August 2003 by a truck loaded with explosives was astonishing. However, throughout Islamic nations, the UN is not an international organization, but an agency for Western powers to enforce its collective will. It is a fact that no single Muslim-dominated country is a permanent member of the UN’s Security Council. We are not suggesting a solution here, but simply an observation of fact. It is also a fact that the majority of UN funds comes from North America and Europe. Again, wealth creates power, and this perception is one contributing factor in extremist reactions.
Additional Aspects An important aspect in the spread of terrorism is the advancements in telecommunication and mass media industries. The telecommunication networks that span the globe are constantly improving their accessibility, transmission quality, bandwidth, and consumer costs. In the early 1920s, a three-minute call across the Atlantic cost approximately $500 U.S. by current measures. By 1970, the cost was reduced to around $15 U.S. These days, calls across the Atlantic can be arranged for a couple of cents. The quality of these connections is comparably better than previous generations. Bandwidth increases permit the transmission of photos, music, and movies easily across national borders. In addition, travel itineraries can be placed relatively cheaply and efficiently. This progress means that it is easier for terrorist organizations or individuals to coordinate, plan, and execute their malevolent objectives. This point is best illustrated by looking at the preparations of the terrorist group al Qaeda, which executed the September 11th attacks. This particular cell traveled and communicated almost without restriction using individual phones and Internet cafés. They were mainly funded by one person transferring funds through other individuals and banking institutions located throughout the world. These individuals were recruited from, transported to, and trained in various countries. It is because of these activities that significant changes have occurred in monitoring and regulating these technologies. It is also through the legitimate use of these technologies that terrorist activities are publicized. The scope and nature of modern terrorism would not be possible without one critical factor: the mass media presentations through a global telecommunication network. All of the attacks against the World Trade Center, the Pentagon, and various clubs, hotels, and embassies have one
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
The Nature of Terrorism 33
central outcome—horrifying pictures of demolished structures and bloodied bodies brought into our safe homes via television, only minutes after the tragic event occurs. The objective of terror is fully facilitated by the media. The mass media are carriers and amplifiers of the main terrorist message, which is to inflict fear on those witnessing these events.
Overview of Terrorist Acts Let us now collect all this information into a summary characteristic of terrorist activities in order to answer several questions. What are the primary reasons for people being engaged in these types of acts? What purpose do these acts serve? What are the forms of terrorist acts? What are the expected results? In our opinion, the primary roots of terrorist activities at the present time lay in three phenomena: • • •
Export of technology. Through the creation of social tensions in the developing countries using technology not tailored to their social customs. Haves and have not societies. Classic conflict between rich and poor. Military surplus. Not many people realize that military activities bring lots of military hardware to the region of conflict. Not all equipment is used during the conflict, and the entire surplus can be used very effectively later for terrorist activities.
In addition, there are so-called collateral or secondary drivers for terrorist activities that support and re-enforce terrorism as follows: • • •
Cultural/religious differences, as discussed previously. Orthodox training of the youth in religious schools. Media reporting about terrorist activities and the results of these activities.
As a result of these drivers, terrorist acts are carried out with specific expected results, among which is a rise of fear as the dominant effect. This overview is summarized in Figure 2.1.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
34 Janczewski & Colarik
The Link between Terrorism and Information Technology Currently, terrorist attacks directly against IT facilities are very rare. Instead, there is a greater potential for much more collateral damage that will impact the IT infrastructure, including the following events: • •
The interruption of the power supply and communication services as a result of a terrorist attack in the general neighborhood of a facility. The destruction of a building that houses the organization, including the IT facilities.
Figure 2.1: Model of terrorist war
Export of technology
Cultural / religious differences
Bombing of an object (any trigger)
Rise of fear (in general)
Haves and have not societies
Orthodox religious schools
Chemical attack (release of poisonous gases)
Disabling of a facility
The last decade of wars
Mass media reporting
Biological attack (release of germs or viruses)
Mass panic
Cyber attack (activity against IT resources)
Creation of cascading effect of disabilities
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
The Nature of Terrorism 35
• •
The use of company facilities, including the IT infrastructure, to carry out or facilitate terrorist activities. The impact of threats (real and perceived) against an organization’s staff.
The first two items belong to the category of physical protection and require adequate emergency handling procedures. These are discussed in detail in Chapters 4 and 14. Another broader area of concern is supervisory control and data acquisition (SCADA) systems. SCADA defines an industrial measurement and control system consisting of a centralized computerized system used for monitoring and controlling remotely located field components of industrial processes. These systems usually cover the vast territory of a country and control some very sensitive processes. These processes might include a power grid or its components, traffic flow control in a city, automated air traffic control, and the like. The characteristics of SCADA systems make them a potential target for terrorists, as well as cyber-terrorists. Disabling the main controller could be done by physical means (i.e., bombing), soft measures (i.e., planting a computer virus), or both. Hence, the protection of SCADA systems is important for the entire society. Most of the elements of protecting SCADA systems, such as physical protection or protection against unauthorized software, will be discussed further in the text. As we wrote in the Introduction, this book is designed for IT managers of typical business or production facilities, and we believe that the overall philosophy of SCADA systems is a bit different from the main thrust of this book.
Prognosis on Terrorist Activities After the September 11th events, President Bush proclaimed a “War on Terror” campaign. He declared that the war would be long and painful. At the time of the writing of this text, two years have already passed. The questions we hear about the war on terror are: How long will it last? Can we really win? What price will be paid in order to win? By comparison, the last two World Wars lasted
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
36 Janczewski & Colarik
six years each. In this light, there is the potential for another four years of conflict to bring this conflict to an end, if all participants and supporters are treated as rational, not including the rebuilding process. We believe this conflict is not what Westerners call rational and, therefore, will last much longer. History shows that, in the past, conflicts end up generally in the following ways: • • •
Victory for the party that utilizes better technological resources. One side of the conflict loses interest in the continuation of the conflict. The root cause of the conflict becomes irrelevant.
The utilization and integration of technology is a two-edged sword. By making technology a critical component to Westernized societies, we grant terrorists access to those same technologies. The thought that these Islamic extremists will lose interest in continuing the conflict is yet to be seen. As soon as one is eliminated, a new generation replaces those lost, such as in the deaths of the Hamas leaders in the Palestinian conflict with Israel. What we feel will ultimately resolve the conflicts are solutions to the root causes. We defer our opinion on the solutions in order not to dilute the main focus of this book. What we do state is that the ramifications of terrorism must be addressed by the IT manager, as these solutions will take time, resources, and the will to implement. In the meantime, the IT manager should consider an example from history in dealing with fear and potential disasters. During World War II, the level of casualties sustained by Londoners at that time was very high. However, the British government launched an extremely successful campaign to keep the spirit of its population high. The main motif of the campaign was to preserve a “normal” life as much as possible and not to allow the effects of the bombardments to disturb everyday activities. We believe that a similar approach to daily operations would be one of many contributing factors towards managing the manifestations of terror. Remember, it is fear that must be managed first in order to execute any future responses that may occur.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
The Nature of Terrorism 37
Bibliography The following are supplemental reading sources on terrorism and are intended for readers seeking additional information. The positions stated by these sources are not placed in any particular order and reflect the individual preferences of the authors. http://jurist.law.pitt.edu/terrorism.htm Terrorism law and policy guide from JURIST: Information on antiterrorism law, counterterrorism policy, and legal issues relating to bioterrorism, run by the University of Pittsburgh, School of Law. http://www.emergency.com/cntrterr.htm ERRI Counterterrorism Archive, Summary of Worldwide Terrorism Events, Groups, and Terrorist Strategies and Tactics. http://www.fbi.gov/terrorinfo/terrorism.htm FBI portal on fighting terrorism (including partnerships with other agencies, intelligence and analysis, and achievements in the war on terrorism). http://www.homeoffice.gov.uk/terrorism/ Information about terrorism, including the nature of the threat, what you can do to protect yourself, what government is doing behind the scenes, and frequently asked questions; run by the British government. http://www.ict.org.il/ International Policy Institute for Counter-Terrorism. Information on terrorist activities. http://www.lib.umich.edu/govdocs/usterror.html Similar to the above site, run by the University of Michigan. http://www.nato.int/terrorism/ North Atlantic Territorial Organization (NATO) on terrorism. http://www.nssg.gov/Reports/NWC.pdf The Phase I Report on the Emerging Global Security Environment, for the First Quarter of the 21st Century, The United States Commission on National Security/21st Century, September 15, 1999, pre 9/11 document, but still actual.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
38 Janczewski & Colarik
http://www.terrorism.com/ Terrorism Research Center, Inc. / Information on terrorist activities. http://www.un.org/terrorism/ Web pages of the United Nations related to terrorist activities. Other Interesting Readings Alexander, Dean, & Alexander, Y. Terrorism and Business: The impact of September 11, 2001. Transnational Publishers. Elshtain, J. (2001, October). Just war tradition and the new war on terrorism. The Pew Forum on Religion & Public Life. Jones, W., & Geppert, L. (2002, September). Taking on terrorism: U.S. response to terrorism puts technology center stage. IEEE Spectrum. Kun, L. (2002, September/October). Homeland security: The possible, probable, and perils of information technology. IEEE Engineering in Medicine and Biology. Laing, J. (2001, October). The shadow CIA. Barron’s. Mann, T. The war on terror (for the common man). Xlibris Corporation. Mulligan, G. 1997 Congressional hearings intelligence and security: Security through containment—A white paper. Retrieved from http://www.fas.org/ irp/congress/1997_hr/h970211gm.htm The national security strategy of the United States of America (2002, September). Office of the President. Patterns of global terrorism (2000, April). United States Department of State. Post 9-11 attitudes: Religion more prominent, Muslim-Americans more accepted (2001, December). The Pew Research Center. Pye, L. (1990, Fall). China: Erratic state, frustrated society. Foreign Affairs. Rothkopf, D. (2002, May/June). Business versus terror. Foreign Policy. What the world thinks in 2002. The Pew Research Center for the People & the Press.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
The Nature of Terrorism 39
Zorpette, G. (2001, October). A new world of terror: Experts ponder technology’s place in a changed counterterrorism landscape. IEEE Spectrum.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
40 Janczewski & Colarik
Chapter 3
Cyber-Terrorism
In this time of increased threats of terrorist attacks, are IT professionals really facing a new type of danger resulting from these activities? In our opinion, the answer is both yes and no. Let us explain. Major information system users, such as government agencies, military installations, major banks, and so forth, were and are prepared for handling such attacks. The destruction of part of the Pentagon in Washington, D.C. did not stop the U.S. Department of Defense from functioning, nor did the collapse of the Twin Towers create a permanent crisis on Wall Street. The fact is, however, that trading on the New York Stock Exchange was suspended for some time, and many small companies with offices in the Twin Towers did not survive the disaster. But no long-term nationwide disruption was triggered, in an economical sense. Similar attacks have happened to other large corporations, and their consequences have been minimized through redundancy implementations and considerable resources. On the other hand, most businesses are small to medium sized and, as such, may not be prepared to handle terrorist threats due to the lack of resources (i.e., specialized skill sets, facilities, etc.). The word terrorism brings to mind a picture of bearded men throwing a pouch filled with explosives. But in the context of IT security, terrorists can come in many forms, such as politically motivated anti-government, anti-world trade, and pro-environmental extremists. If given the opportunity, such activists would gladly disrupt trade and legislative meetings by attacking a facility’s communications server, especially if the media were standing by to report what happened. Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Cyber-Terrorism 41
In previous chapters, we outlined the domains of information security and terrorism, and also demonstrated why they are important for IT managers. In this chapter, we will discuss how terrorism may influence the functioning of IT in a typical business organization. We also will present the most important activities that need to be undertaken by an IT manager to handle this new type of threat.
Possible Terrorist Activities Against IT Terrorist activities can have an impact on IT in three primary ways. 1.
2.
Direct attack on IT facilities. The probability of launching a direct attack on IT facilities depends on the nature of those facilities; that is, the more important they are, the higher the chance that they could be targeted. The most probable result of a terrorist attack on IT facilities would be at least a temporary suspension of the regular workload of those facilities. Depending on the direct goal of the attackers, the consequences could range from amusing to deadly. The amusing sort (i.e., annoyance) consists of changes to Web pages, such as changing a corporate motto from “The Most Experienced Company” to “The Most Unexperienced Company.” While this attack creates some image difficulties, it is relatively non-life threatening. On the other end of the scale, changes to information systems that control human lives could be dire. Discussions about cyberattacks on critical infrastructures such as air traffic control systems and the electrical power grids throughout the world (e.g., the SCADA systems) are important. But there is also a host of smaller attacks that have focused consequences. Imagine the situation where an important or wealthy person is undergoing open-heart surgery at a hospital or specialized clinic, and a terrorist manages to crash the computerized equipment being used or supporting the operating theatre. Therefore, installation and operations secrecy becomes an important defence against such attacks. Collateral IT damages resulting from terrorist attacks against other targets. Terrorist attacks may take a physical form in the use of explosives to blow up a structure (i.e., a building, a motor vehicle, etc.). Such an attack creates collateral damage to the IT infrastructure and installations. In the aftermath of the destruction of the Twin Towers in New York, many
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
42 Janczewski & Colarik
companies exhibited substantial losses due to the destruction of their electronic records and backups housed in the Towers. This means that two aspects of IT installations are becoming much more important: • •
Physical security of the systems. Planning for business continuity and handling emergency situations.
We will elaborate and discuss preventative methods for these issues in future chapters. 3.
Using IT facilities for organizational purposes of terrorist organizations. After September 11th, law enforcement authorities reported that the al Qaeda organization was using the Internet to plan and carry out the attacks. A lot of data processing equipment was confiscated from the suspects, and, as a result, considerable evidence was uncovered. It is not a surprise that even the most deadly of organizations require organizing and may utilize computer resources to accomplish their objectives.
Because of the use and exploitation by terrorist organizations of IT in their activities, law enforcement is eager to have access to any possible usage in order to prevent and combat future attacks. As a result, many of the world’s governments have passed special legislation that demands organizations to cooperate in the pursuit of these groups. The level of cooperation ranges from permitting law enforcement agencies to conduct surveillance and operations within an organization, to forcing configuration changes to a system in such a way that would allow easier access to specific information processes performed by a system (i.e., IP and user history logs). We have noticed that government tends to impose the costs of such changes on the required companies. This can mean substantial costs to those who are unprepared. In most cases, the requirements will be contained in a court order and left to the ordered company to comply.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Cyber-Terrorism 43
Consult your attorney to ensure legality and the specific level of compliance outlined in the court order before acting to minimize your corporate and personal liabilities.
Definition of Cyber-Terrorism and Information Warfare The term cyber-terrorism was coined in 1996 by combining the terms cyberspace and terrorism. The term has become widely accepted after being embraced by the United States Armed Forces. In a report generated in 1998 by the Center for Strategic and International Studies entitled “Cybercrime, Cyberterrorism, Cyberwarfare, Averting an Electronic Waterloo,” the probabilities of such activities affecting a nation (the U.S., in particular) were discussed, followed by a discussion of the outcomes of such attacks and methods to limit the occurrences of such events. In this text, cyber-terrorism will be defined as: Premeditated, politically motivated attacks by subnational groups, clandestine agents, or individuals against information and computer systems, computer programs, and data that result in violence against noncombatant targets. Parallel to the term cyber-terrorism is an older term known as information warfare. We define information warfare in the following way: Information warfare is defined as a planned attack by nations or their agents against information and computer systems, computer programs, and data that result in enemy losses. The practical difference between these two terms is that cyber-terrorism is about causing fear and harm to anyone in the vicinity (i.e., bystanders), while information warfare has a defined target in a war (ideological or declared). Along with these terms, there is a phenomenon of cybercrime, a term used frequently by law enforcement agencies. Cybercrime is a crime committed through the use of IT.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
44 Janczewski & Colarik
We must point out that the physical form of cyber-terrorism and information warfare very often look alike. Imagine that an individual gains access to a hospital’s medical database and changes the medication of a pro-business, anti-environmental business executive of a Fortune 500 company to one that the executive is dangerously allergic to, and then removes the allergy from the record. The nurse administers the drug, and the patient dies. In this case, which definition applies? In our opinion, the answer lies not in the mechanics of the event, but rather in the intent that drove the person who changed the patient’s information. •
•
• •
If it were done intentionally, for instance, as a result of bad relations between these two persons, then it would be murder in addition to a cybercrime. If the executor later would announce that he or she is ready to commit more such acts if specific demands are not met, then it could be labeled cyber-terrorism. If the activities were carried out by an agent of a foreign power, then it could be labeled information warfare. What about an irresponsible teenager introducing such changes into the medical system? We would hardly call the teenager a cyber-terrorist.
We think that what is much more important is to find out if the culprit was acting alone or what type of publicity was associated with the event, rather than to determine the motive. The above considerations lead us to the conclusion that the mechanics of an attack are not strongly connected with motive for conducting a security breach by a benevolent or destructive hacker (i.e., a cyber-warrior or cyber-terrorist).
Why Do Cyber-Terrorists Strike? When building protections against cyber-terrorist attacks, we must understand why cyber-terrorists launch their attacks and what they are counting on. Understanding is the first step in reducing or eliminating attacks. The following are the most probable reasons for cyber-terrorist attacks.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Cyber-Terrorism 45
•
•
•
Fear Factor. The most common denominator of the majority of terrorist attacks is that a terrorist wishes to create fear in individuals, groups, or societies. Perhaps the best example of this drive was the bombing of a Bali nightclub in 2002. This nightclub was nothing more than a watering hole for foreign tourists (Australians, in particular), and inflicting casualties and fear among them was the main objective of the attackers. The same applies to attacks against IT installations. Spectacular Factor. Whatever the actual damage of an attack, it should have a spectacular nature. By spectacular, we mean attacks aimed either at creating huge direct losses and/or resulting in a lot of negative publicity. In 1999, the Amazon.com Web site was closed for some time due to a Denial of Service (DOS) attack. Amazon.com incurred losses due to suspended trading, but the publicity the attack created was widespread. More about DOS attacks will be presented in Chapter 5. Vulnerability Factor. Cyber-Terrorist activities do not necessarily result in huge financial losses. Some of the most effective ways to demonstrate an organization’s vulnerability is to cause a denial of service to the commercial server (discussed in Chapter 5) or something as simple as the defacement of an organization’s Web page, very often referred to as computer graffiti.
Computer graffiti can have the following serious, confusing, or even comical effects: •
•
•
It can force someone to believe that they are dealing with a genuine Web page and extract logon and password information, which could have serious future consequences. It could create confusion; for instance, a Web page could include a client survey, and someone could have changed the address of where to send the completed questionnaire. It could create a smile when the defacement changes the name and logo of the respective agency into something absolutely outrageous, such as what was done many years ago when the Central Intelligence Agency logo was converted to read Central Stupidity Agency. We believe that the CIA has a sense of humor, and if you don’t, please accept our apologies.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
46 Janczewski & Colarik
Possible Cyber-Terrorist Attacks The previous section presented the possible reasons why cyber-terrorists may launch their attacks. These attacks against IT may be carried out in many ways. The most probable are the following. •
•
•
•
•
Physical intrusion. A common component of these attacks is unauthorized physical access to a premises or a part of a premise to carry out activities not authorized by the owner of the premises. These activities may be of many types, from the creation of physical damages to stealing equipment or accessing information through direct access to that information, such as photocopying files or observing screen contents. The physical protection issues will be discussed in detail in Chapter 4. Launching denial of service and distributed denial of service attacks (DOS/DDOS) and worms. These attacks are not intended to penetrate resources of the victims, but to force them to performed transactions above their processing capabilities limits. The attackers expect neither positive nor negative results of the processing; they simply want to block the facilities with needless work. The DOS/DDOS attacks will be discussed in detail in Chapter 5. WEB defacements and semantic attacks. Web defacements were mentioned previously. The most dangerous attack is forcing the user to believe that the site he or she is dealing with is a genuine one. This attack is generally used to extract confidential information from the user such as credit card, banking, or medical information. These attacks will be covered in Chapter 6. DNS attacks. Domain Name System (DNS) is a mechanism of recognizing Internet addresses. One can imagine the consequences of messages being forwarded to the wrong addresses. The existing procedures have limited authentication capabilities, and a well designed DNS attack can create havoc in the world network. Discussion on DNS attacks is the subject of Chapter 7. Routing vulnerabilities. These are attacks against routing mechanisms (i.e., the means of transferring message packets and data streams across the Internet). Exploitation of known vulnerabilities can have worldwide consequences. Chapter 8 will present these issues in detail.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Cyber-Terrorism 47
•
Identity theft attacks. With the identity of an individual comes a set of information that represents the history of a given person. Theft of key aspects of this history permits an attacker to penetrate system defenses through social means. In Chapter 9, this type of attack will be discussed.
Correlations between Cyber and Corporeal Conflicts There are several important correlations between cyberattacks and current national and international corporeal situations. Any IT manager should be aware of the following existing consistencies. •
•
•
Physical attacks are usually followed by cyberattacks. Immediately after the downing of an American plane near the coast of China, individuals from both countries began cyberattacks against facilities of the other side. Similarly, an increased wave of cyberattacks was observed during the Pakistan/India conflict, throughout the Israeli/Palestinian conflict, and in the Balkans War (i.e., the collapse of Yugoslavia). Cyberattacks are aimed at targets representing high publicity value. Cyberattacks are carried out in such a way that they either inflict serious losses or generate high publicity. All installations attached to top administrative and military units are primary targets. Apart from government organizations, cyberattacks are launched against the most visible and dominant multinational corporations. Favorite targets by attackers are top IT and transportation industry companies such as Microsoft, Boeing, and Ford. Increases in cyberattacks having clear political and terrorist foundations. Available statistics indicate that any of the previously mentioned conflicts resulted in a steady increase in cyberattacks. For instance, attacks by Chinese hackers and the Israeli/Palestinian conflict show a pattern of phased escalation.
As an IT manager, you cannot prevent world events unless you have connections, and most mortals do not. However, an awareness of possible threats can lead to the preparation of a program of activities aimed at setting up effective Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
48 Janczewski & Colarik
defences against potential threats. These fortifications generally fall into the following four categories: • • • •
Physical defences that control physical access to facilities; System defences that limit the capabilities of unauthorized changes to data stored and transmitted over a network; Personal defences that limit the chances of inappropriate staff behavior; and Organizational defences that create and implement an information security plan.
Planning Security Systems: Overall Principles To protect installations against possible attacks, including terrorist attacks, the IT manager needs to define the possible threats, estimate the potential losses resulting from materialization of these threats, design a line of defence, and implement it. Cyber-Terrorism and information warfare are becoming new and important threats against IT resources, and must be a part of the overall planning, design, and implementation process aimed at providing overall protection. The most significant part of building an overall protection plan for a business is founded on risk management analysis. It is feasible to secure all assets from all parties given highly restrictive access and unlimited resources. However, the real world must embrace a set of priorities that has a rational foundation for deciding priorities and any subsequent decisions based on that rationale. The process is derived from a basic understanding that is easiest to explain by asking some of the following simple questions: • • • • •
How important is it that our operations not be disrupted? How much is company information worth to us and to others? What will it cost to replace our systems and information? What are the consequences of not protecting our systems? How much are we willing to spend to protect our assets?
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Cyber-Terrorism 49
The reality is that it is nearly impossible to fully assess the business loss in value resulting from information being destroyed or made public. This is due to two reasons: 1.
2.
It is hard to associate value to an event that may not happen and has never happened before. Imagine a case in which a company’s marketing plan is stolen. This is a first occurrence, and, as such, who can predict the financial consequences of such a theft? The intent of the act can greatly impact the loss in value factor. At the beginning of the 1990 Gulf War, a laptop containing detailed information on the Allied Forces’ plans for the liberation of Kuwait was stolen. Fortunately, the information on the machine did not reach the Iraqis. One can imagine the possible costs of changing such battle plans or human losses resulting from the Iraqi military acquiring these plans.
Another important parameter for the IT manager is what funds a company is ready to spend on the physical protection of its premises. A fingertip scanner installed at the door would definitely decrease the chances of unauthorized access to the premises, but the company simply may not be able to afford it. All of this leads us to a conclusion that prior to launching the development of any security program, a thorough IT risk analysis must be performed by every organization. It should be performed to: • • • •
Justify the implementation of controls. Provide assurance against unacceptable risk. Access compliance with regulations, laws, and corporate policy. Balance the controls with the risks.
There are many methods of conducting risk assessment, such as the Delphi Approach or using dedicated software (e.g., @RISK4 packaged by Palisade Corp). Risk assessment is discussed in books, by standards, or at forums, and we have provided a list at the end of this chapter for your use. Some assessment methods require a significant amount of work and are not suitable for small business organizations. The basic components of the risk management process are illustrated in Figure 3.1.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
50 Janczewski & Colarik
Figure 3.1: Components of the risk management process
The first part of the risk management process is the identification of risks comprising asset valuation, threat analysis, and vulnerability analysis. The assets usually are grouped into three domains: 1.
2.
3.
Book values: referring to the actual expenses the company incurred in the process of buying, licensing, developing, servicing, and supporting given assets. Organizational values: a cobweb of both tangible and intangible costs of obtaining, creating, and maintaining information within the company. It also includes the values related to maintaining and protecting information about the company personnel and their well being. External values: almost always intangible benefits related to maintaining proper public image, business reputation, and keeping company secrets secret.
This part is relatively easy to perform. The small business’s identification of assets is not a big issue. Company management usually knows what information is important both internally and for the outside world. But if an organization
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Cyber-Terrorism 51
starts expanding, especially by creating new branch offices or establishing close contacts with other bodies, that simple task becomes quite complex. Also, the book values may be not as important as the loss of external values. For a trading bank, a fraudulent VISA transaction (with a well-defined tangible loss) may not be as important as the publication of the bank’s fraudulent operations statistics. Threats identification depends strongly on the company type and its history. Some threats are closely associated with a type of business. Also, if a company faced a cyberattack of a given type in the past, it would remember this and record it. Some threats are not well known to general managers, but a security specialist would consider them especially dangerous. This is especially true in the case of Domain Name Server vulnerabilities. Hence, the identification of threats should be done not on the basis of company experience, but rather on the cumulative experience of the given domain of which the organization is a member. Vulnerabilities are the weak parts of the defence system that would form an attack entry point. The comments about threats identification apply here as well. The next phase is the analysis of risks. The organizational resource threats and vulnerabilities collected in the previous stage form the foundation of this process. The outcome of the analysis is generating answers to a number of questions: • • • •
What are the most probable dangers the IT domain is facing? What are the most probable methods of attacking the organizational IT resources? What is the expected amount of damages to the organization, both in quantitative and qualitative values? What remedies exist to limit these damages?
As a result of this analysis, the organization is able to make rational decisions about its line of defence against possible cyberattacks. These decisions will include such issues as to how much they will spend on an information security system, what security measures will be introduced, and how these investments would change the operational foundation of the organization. It may even establish a new, improved, and quantifiable level of security protection.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
52 Janczewski & Colarik
Difficulties in Performing Risk Management Analysis The second part of the identification phase—the threat analysis—is the most difficult. The threat analysis includes four basic steps: 1. 2. 3. 4.
Identification of the threat. Estimation of possible influence (i.e., losses) of the threat if the threat would occur. Estimation of the probable frequency of a threat. Estimation of the probability that a threat will actually materialize.
All the threats are either natural, such as earthquakes, fires, or floods, or they are man-made, such as terrorist acts, hackers, and viruses. Managing the process of threat analysis is difficult for two reasons: 1.
2.
Many events leading to serious disasters may never happen or are so rare that it is difficult to estimate the probability of them occurring and the possible level of damages. Consider earthquakes, for example. The European continent is generally earthquake-free except for some regions of Italy. Almost no one in the rest of Europe is erecting structures based on the possibility of an earthquake. But during the mid-1970s, a mass tremor leveled the centre of Bucharest, the Rumanian capital, killing thousands of people. On the other hand are the Japanese isles, which are known as earthquake zones. In spite of that, 20% of businesses in the city of Kyoto did not survive the last major tremor due to the lack of proper backups. People performing the risk analysis may not be well trained in this field. In our opinion, the best approach for small- and medium-sized organizations is to use a methodology based on canvasing opinions of experts in the field. This method is also known as the Delphi approach, which will be commented on further in this chapter.
The rise of terrorist attacks has made the threat analysis even more complex. Before starting an inventory, management must find an answer to a new and very difficult question: Are we a possible target of terrorist and cyber-terrorist activities? Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Cyber-Terrorism 53
A software house in an off-USA country that develops medical information systems seems to be quite safe. But a public announcement that this company has become a supplier of software for use by the U.S. Department of Defense for implementation by U.S. forces in the Middle East and Asia could destroy that safety position. We think that the most important factor in this equation is the psychological distance of that company from other organizations that are the primary targets for terrorist organizations. The most dangerous seems to be those known that have close cooperation with major world military powers, then those unpopular governments, and then those with mass media. Decisions on implementing particular safeguards are based on the vulnerability assessment. During that stage, the company must evaluate if its assets are already properly protected. If during the threat analysis it was estimated that the probability of a computer virus attack is high and the effects could have disastrous effects, then obviously good and updated virus scanners need to be implemented. But if the company has already installed such a system, then no additional safeguards may be necessary. As it was said in the previous section, the risk analysis is split into two parts: the quantitative analysis (tangible costs) and the qualitative risk analysis (related to intangible losses and costs). The risk management assessment methods must address both. An example of such a procedure is shown later in this chapter. The final part of the risk management process is establishing risk controls, components, or methods that would decrease the potential risk for the business organization. It is not a simple task, either. Whatever controls that would be put in place to achieve 100% security are impossible. The cost of safety raises measures exponentially by approaching a 100% value. Hence, management must decide quite early in the process how many resources it is ready to invest in the process of risk management in relation to its overall budget and percentage of the achieved assurance. For instance, management may evaluate a graph shown in the Figure 3.2 and decide to stay on the 80% security level. This means practical implementation of the Pareto principle (80% of results for 20% of efforts). The general rule is that the cost of introducing a safeguard should be equal or lower than the value of the assets. It is often summarized by the statement that a padlock should not be more expensive than the bicycle it protects. But if the bicycle is used as the only means of transportation available for its owner, then it may be worthwhile to buy and install a quite expensive padlock. Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
54 Janczewski & Colarik
Figure 3.2: Relative position of the security budget
Security
Half a year turnover
Optimum: around 80%
$ Costs
Implementation of Risk Management Controls Implementation of risk management controls is the last phase of the risk analysis process. Before implementing risk management controls, policies on the controls need to be formulated. An example of a component of such a policy (i.e., one on budget limitations) was just mentioned. The implementation of risk controls may achieve one or more of three possible outcomes: 1.
2.
3.
Risk reduction. Through the introduction of a safeguard, the probability of losses can be reduced by a significant amount. The most obvious example is the installation of a latest version of a virus scanner. Risk transfer. The introduction of a safeguard does not reduce the probability of the occurrence of an undesirable event, but the consequences are no longer negatively influencing the organization. A typical risk transfer activity is the procurement of an insurance policy against a risk. Risk acceptance. The acceptance of a loss associated with a particular risk is acknowledged. Earthquakes can happen anywhere, but most regions are relatively quake-free. Therefore, it may not be sensible to
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Cyber-Terrorism 55
introduce safeguards against earthquakes in the non-seismic regions. However, the company is taking a calculated risk by not having protection against this type of calamity. The successful performance of the risk management process is the key to the establishment of an efficient information security system.
Example of a Risk Assessment Method References to the most popular risk assessment methodologies were presented earlier in the chapter. These methodologies follow the framework described earlier in this chapter. The differences concentrate mostly on two aspects of the process: • •
The taxonomy used for defining the area of the risk assessment analysis. The algorithm used for arriving at numerical values associated with the possible losses.
The most important issue in defining the taxonomy of the risk assessment analysis is to use taxonomy, which would encompass all the possible aspects of IT operations and would not have overlapping categories. Almost every researcher has developed such a taxonomy, and we, the authors, are also guilty of this. To avoid bias in this book, we have decided to define the possible vulnerabilities as well as the known international standard ISO 17799. In this standard, the assessment of security arrangements is performed by examining issues such as: • • • • • •
Security policy. Security organization. Assets classification and control. Personnel security. Physical and environmental security. Communications and operations management.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
56 Janczewski & Colarik
• • • •
Access control. Systems development and maintenance. Business continuity management. Compliance.
How does one calculate the amount of the possible losses? The following formula for determining the Annualized Loss Expectancy (ALE) is being used widely: SLE * ARO = ALE Where: •
• •
SLE (Single Loss Expectancy) is a measure of the loss incurred from a single realized threat or event expressed in dollars; it is calculated as Asset Value * Exposure Factor (EF). EF is a measure of negative effect or impact that a realized threat or event would have on a specific asset; it is expressed as a percentage. ARO (Annualized Rate of Occurrence) is the estimated annual frequency of occurrence for a threat or event.
Mathematically, the above method is sound, but assessment of the values of SLE, EF, and ARO factors could be quite difficult. If it were impossible to set up these factors, then the best way would be to use the Delphi approach, which is based on collecting and equalizing opinions of a number of experts in the given domain. The bigger the group is, the better its knowledge of the subject; then the setup values are more probable. The calculation of numerical values of risk parameters, as stated above, makes sense for big business organizations. However, for small- to medium-sized businesses, it could be a waste of time. A big transportation company may carefully evaluate the advantages of using specific seatbelts in the vehicles they own. But for a family car or a business having a fleet of three cars, the policy should simply be to check if the seatbelts are of the approved type and to belt yourself in. We are following a similar approach.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Cyber-Terrorism 57
Conclusion The end of the 20th century and the beginning years of the next century brought a rising wave of terrorist attacks. These attacks are influencing the IT domain. The most probable now are the collateral effects, such as the destruction of a building housing an organization’s headquarters and its IT centre. Up until now, we have not witnessed any spectacular worldwide cyber-terrorist attacks, but the probability of such attacks is on the rise. This real threat is forcing IT managers to find answers to obvious questions: • •
To what extent is my installation vulnerable to cyber-terrorist attacks? What do I need to do to protect my systems?
These are unknown territories for IT managers. Finding answers to these questions could be done by following probable lines of thought of terrorists and cyber-terrorists and examining the connections between traditional terrorist attacks and cyber-based attacks. In the text, we have outlined the possible behavioral drivers of the attackers. We think that the predominant wish of a terrorist of any type is to create fear in the widest group of society possible. We also suggested that the most important activities that should be undertaken by IT managers are those that will reduce the possibility of terrorist attacks and their results. Finally, we identified the most probable types of cyber-terrorist attacks, which we will cover in detail in the following chapters.
Bibliography The following are supplemental reading sources on terrorism and are intended for readers seeking additional information. The positions stated by these sources are not placed in any particular order and reflect the individual preferences of the authors.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
58 Janczewski & Colarik
British Standards Institute, BS7799 (1993). Code of practice for information security management. PD0003. Center for Strategic and International Studies (1998). Cybercrime, cyberterrorism, cyberwarfare, averting electronic Waterloo. Colin, B. (1996). The future of cyberterrorism. Proceedings of the 11th Annual International Symposium on Criminal Justice Issues, University of Illinois, Chicago. Convention on cybercrime, council of Europe (2001). Proceedings of Convention. Denning, D. (1999). Information warfare and security. Addison Wesley. Journal of Information Warfare (since 2001). Australia. Molander, R., Riddle, A., & Wilson, P. (1996). Strategic information warfare, a new face of war. Rand National Defence Institute. National security telecommunications and information systems security policy no. 11. Retrieved from http://niap.nist.gov and http://nistissc.gov The national strategy to secure cyberspace (2002). The President’s Critical Infrastructure Protection Board. Other Interesting Readings Alvey, J. (2002, March). Digital terrorism: Hole in the firewall? Public Utilities Fortnightly. Critical infrastructure protection: Efforts of the financial services sector to address cyberthreats (2003, January). United States General Accounting Office. Cyber security research and development agenda (2003, January). Institute for Information Infrastructure Protection. Draft interim report: Technology and terrorism. NATO Parliamentary Assembly, Science and Technology Sub-Committee on the Proliferation of Military Technology. Retrieved from http://www.nato-pa.int/publications/comrep/2001/au-121-e.html#3 Draft report: Technology and terrorism – A post-September 11 assessment. NATO Parliamentary Assembly, Science and Technology Sub-Committee on the Proliferation of Military Technology. Retrieved from http:// www.nato-pa.int/publications/comrep/2002/av-118-e.html#3
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Cyber-Terrorism 59
Harper, D. (2002, January). Cyberterror: A fact of life. Industrial Distribution. Haugh, R. (2003, June). Cyber terror. Hospitals & Health Networks. Langnau, L. (2003, May). Cyberterrorism: Threat or hype? Material Handling Management. Levack, K. (2003, March). The e-government act of 2002: A stab at cyber security. EContent. McCollum, T. (2003, February). Report targets U.S. cyber-security. The Internal Auditor. Mearian, L. (2002, March). Wall Street seeks cyberterror defenses. Computerworld. Misra, S. (2003, June). High-tech terror. The American City & Country. The national strategy to secure cyberspace (2002, September). The President’s Critical Infrastructure Protection Board. New world coming: American security in the 21st century: Major themes and implications (1999, September). The United States Commission on National Security. Shimeall, T., Williams, P., & Dunlevy, C. (2001/2002, Winter). Countering cyberwar, NATO Review. Solomon, H. (2003, January). War in Iraq could cripple Internet. IDC, Computing Canada. Spencer, V. (2002, February). Cyber terrorism: Mass destruction or mass disruption? Canadian Underwriter. Statement for the record by Lieutenant General Michael V. Hayden, USAF, Director (2002, October). Joint Inquiry of the Senate Select Committee on Intelligence and the House Permanent Select Committee, National Security Agency. Thibodeau, P. (2001, September). War against terrorism raises IT security stakes. Computerworld. Vatis, M. (2001, September 22). Cyber attacks during the war on terrorism: A predictive analysis. Institute for Security Technology Studies at Dartmouth College. Verton, D. (2002, July). Experts predict major cyberattack coming. Computerworld. Wheatman, V., Leskela, L., & To, C. (2001, August). The myths and realities of “cybersecurity” in China. Gartner. Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
60 Janczewski & Colarik
Part 2 Attacks Against Information Technology
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Physical Security 61
Chapter 4
Physical Security
The final stage in the execution of the majority of the current waves of terrorist attacks is in the form of an intruder positioning a bomb in the proximity of the target. While terrorists may not directly target IT systems, attacks against computer facilities do happen. These attacks are in addition to telecommunication-based attacks and fall into the realm of physical security.
Case 4.1: Wanganui Computer Centre
In 1976, the Parliament of New Zealand passed a law entitled the Wanganui Computer Centre Act. The Act laid the foundation to build a powerful computing facility in the city of Wanganui (hence the name of the Act) for supporting the activities of the New Zealand Police. The main idea behind the project was to create a databank on criminals and their particular offenses in order to help the police with enforcement and prevention activities. The designers of the facility understood the importance of the data that would be stored and processed at the facility and, as such, made provisions for physical security measures. In 1982, Neil Roberts, a 22 year old anarchist punk rocker, detonated a bomb he was carrying at the doors of the facilities. The damages were restricted to the reception area. The operation centre was undamaged and uninterrupted as a direct result of the designers’ security measures.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
62 Janczewski & Colarik
Before we can establish physical security measures, let us first understand the areas of concern and identify what we consider to be the most important aspects of the physical security domain. Our explanation of physical security, as it applies to information security, considers the activities undertaken and the equipment installed to accomplish the following objectives: 1.
2.
3.
4.
Protection against unauthorized persons to penetrate the designated offlimit areas of the company premises. This definition implies that there may be several classes of unauthorized persons, and the company premises may have security zones with different access rights. Some areas, such as the reception area, could be open to virtually anyone, while other areas might be accessible only to a limited number of company employees. Protection against the theft of company IT equipment, especially that containing sensitive information. This protection extends to company equipment that may be physically outside of the company’s premises. Protection against the physical destruction of company IT equipment. This can include the protection against such acts as the planting of explosives within the company premises. This also covers the protection measures against such events as fire, floods, and earthquakes. Protection against the unauthorized reading of information, regardless of its form (i.e., visual, acoustic, or analogue signals). Security measures must prevent unauthorized persons from reading sensitive data from a computer screen from intercepting spoken messages, from tapping telephone lines, or similar acts.
The security measures discussed here do not include security breaches such as the unauthorized system access to data through a broken password subsystem or the breaking of a cryptographic message. It also does not cover breaches resulting from wrongly deployed mobile telecommunications systems, such as a mobile Local Area Network. We will discuss this area in further detail later in the book. In our presentation of physical security, we shall follow the OECD recommendations that relate to Proportional Control measure. The OECD measures are based on common sense and human psychology. This particular principle means that our defenses should be appropriate to resources that they are
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Physical Security 63
supposed to protect. No one would be surprised to raise concerns about the implementation of defenses not providing proper control. Equally, we would be surprised to see protection mechanisms exceeding many times (in their value) the values of the resources they are protecting. This concept of Proportional Control is expanded further in the following example: Imagine a typical accounting clerk who accesses sensitive financial information on the computer approximately 100 times per day. Now imagine that each time this information is accessed, the use of a thumb scanner must be employed. After just one day in such an office environment, it is obvious that even the most scrupulous of employees would start thinking about disabling or circumventing the thumb scanner in order to remain sane. Thus, to prevent noncompliance and destructive behavior, most security measures need to be as nonintrusive as possible, which will help honest personnel perform their duties without jeopardizing security measures. The best measures of nonintrusiveness are verifications that do not take much effort and are not actively repetitive; that is, the employee has to do very little. Sensor-based ID cards that permit access to equipment while residing in a slot and must be carried in order to access doors and corridors of a building is one such example of nonintrusiveness. In other words, a measure of nonintrusiveness is an amount of time required to comply with the security measures. The shorter the time, the better level of nonintrusiveness accomplished. The concept of Proportional Control needs even further extension. The controls need not be only proportional and nonintrusive, but must also be in line with the overall company business policy. We illustrate this in the following example: Once we visited a local company specializing in information security. At the reception desk, we needed to sign the guest log, surrender our mobile phones, and wear an appropriate name tag. The procedure seemed quite adequate and reasonable. But the entire company occupied a small bungalow consisting of the reception area, a conference room, three offices, and a small laboratory. On questioning the company director about a sense of Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
64 Janczewski & Colarik
introducing such overkill security measures, we received an answer that this was to demonstrate a proper physical security arrangement. We agreed.
Any physical protection mechanisms introduced by a company must be a derivative of the overall security policy of the business organization.
Issues in Physical Security At the beginning of this chapter, we outlined four major areas of interest in physical security: protection against unauthorized access, theft, destruction of equipment, and unauthorized reading of information. However, this taxonomy is too general and must be divided further to accommodate a number of specific issues requiring special attention. But, as we have already indicated, all the security measures must service the overall company business policy. These specific security issues include the following: • •
•
•
•
Knowledge of location of specific facilities. To what extent should a business inform the public about its presence in a particular location? Physical security perimeter. These are issues related to the nature of a physical barrier (or several physical barriers) that would prevent unauthorized people from entering areas in which their presence (and possibly activities) could create unwanted or damaging effects to the company and/ or its employees. Physical entry controls. These are facilities that would allow authorized personnel to enter restricted areas, including procedures for granting these authorizations. Working in secure areas. Specific facilities, rooms, or systems may require more intensive protection (i.e., server rooms). Personnel working in such places must follow the designated security procedures. Isolated delivery and loading areas. This issue is closely related to setting up the perimeter security. It deals with controlling the flow of incoming and
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Physical Security 65
•
•
•
outgoing goods from the company premises and introducing measures that limit any possible use of such channels for unauthorized entry of outsiders. Protection of equipment from external disturbances. Under this heading, such issues as fire, flood, earthquake, fluctuation in the power supply, and so forth are addressed. Protection against eavesdropping. Eavesdropping is a process of reading information, either directly or by means of some equipment. We make the assertion that the owner or sender of the data does not undertake any specific efforts to hide the content of the data, such as using any form of encryption. Other issues related to physical security. This includes proper equipment maintenance, the security of equipment off-premises, secure disposal, clear desk, and clear screen policies.
In the following sections, these issues will be discussed at length.
Advertising the Location The usual practice for any business is to advertise its presence in a particular building or set of buildings with a big sign outside the premises that says something like ABC World Headquarters. The potential for terrorist attacks has raised an important issue. To what extent should the public be made aware of who occupies a given building or suite? This issue is a two-edged sword. On the one hand, we want to help visitors easily find the company’s location. On the other hand, we might not want to advertise some facilities whose existence may, in fact, become the target of an attack by extremists. Case 4.2: Local FBI headquarters During a recent visit to a U.S. state capital, it was noticed that a set of buildings was surrounded by high fences topped with razor wires, flood lights, and video cameras. It was obvious to any observer that something very important was inside. Indeed, on closer inspection, it was discovered that it was the FBI state headquarters; the FBI logo was attached to the main entrance.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
66 Janczewski & Colarik
Case 4.3: Center handling emergency calls Emergency phone calls in New Zealand are processed by three centers spread evenly around the country. The Auckland centre is located in a plain looking, nondescript building. From the outside, there is no indication of what kind of business is performed and no indication of what company owns or leases the building. There are no special floodlights, TV cameras, or barbed wire visible from the outside. It is just a plain looking building with an entry door and reception area. Nowhere was any company logo or name displayed.
The simplest conclusion is that if the operations are of a sensitive nature or are a mission critical to a company’s infrastructure, then the company name should not be included on the building or lobby nameplate, nor should the address be accessible in telephone directories. Cases 4.2 and 4.3 are illustrations of implementing this solution. On the other hand, in many places there are big signs pointing to the location of sensitive facilities such as a computer center (this is especially the case at teaching institutions). The question derived from this is, which approach is better? There are a number of components that may influence the decision about the type of advertising information that should be considered. These are as follows: •
•
Is there any need to advertise the presence of specific facilities? The display of the company logo costs both for preparation and maintenance. Is there any need to bear these expenses? If all users of the facilities are well known and the traffic is limited, then there is no need to do any advertising. But if a company may have a random set of clients, it must advertise its location. The higher level of randomness, the more visible displays need to be. Of course, it may work against the security of the organization, but an alternative is simple: no clients = no business. Visible security measures could work as a deterrent. Many security measures are exactly this: to discourage a potential perpetrator. But overplaying such security measures can be deceiving and ultimately ineffective.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Physical Security 67
In our opinion, a reasonable solution might be to minimize the exterior company labeling, utilize common perimeter fences with hidden security measures such as sensors (if needed), and place hidden surveillance. Unless you need to show off your defenses, do not, but have them just the same. If there is a considerable flow of random visitors to your office, you may split your facilities into two parts: one open for visitors and widely advertised, and the second physically separated where sensitive equipment and operations are carried out. The site bears no company markings.
Securing the Perimeter There is no doubt that every company must evaluate the protection of its perimeter. This may include several things: • •
The definition of the company boundaries. This is not always so simple, especially when a company is sharing a building with other occupants. What is the bottom line of the entry policy (i.e., who should be allowed to enter and who should not)? There must be some guidelines given by top management. This guidance then needs to be empowered.
The policy of securing the perimeter and its implementation is extremely important from the security point of view. Visible components of the policy are usually the first contacts of the clients with the organization and may formulate a positive or, unfortunately, a negative impression of the whole organization. Case 4.4 illustrates this. To design and implement a rational policy related to securing the perimeter of an organization, a number of rules need to be followed. •
Double Challenge Protection. This means that access to the premises must be controlled by at least two physically independent access mechanisms. For instance, all visitors need to be scrutinized by the security guards, and the doors should be unlocked by the receptionist. Failure of one mechanism would not automatically provide free access to the premises.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
68 Janczewski & Colarik
Case 4.4: Poor security measures I hear you’re looking for examples of pointless and intrusive security. Post-9/ 11 San Francisco General Hospital (the primary and, for many homeless or poor San Franciscans, the only emergency and critical care facility in San Francisco), instituted a new security regime. Basic behaviour included putting armed security guards at the front doors of the hospital, who for several months would not let anyone without photo ID enter the building. San Francisco has a large homeless population (more than 15,000), most of whom either (a) do not have photo ID, (b) are wanted for probation or parole violations, or (c) are in fear of arrest for some other reason. The end result: hundreds of homeless people in search of urgent medical care were turned away either directly by security guards or indirectly when they chose not to “run the gauntlet” out of fear of possible arrest. The cost of health care to the city went up as people later needed ambulance and emergency room care for conditions that could have been dealt with earlier, more humanely, and more cheaply. It is also possible, but unproven, that specific individuals died. Now, for the funny part. While the security goons were harassing those seeking medical care at the main entrance in the name of “terrorism prevention,” all side entrances were left completely unguarded. Hospital staff, rather than having to constantly fish for ID, started using the side entrances in increasing numbers, as did those seeking medical care. So, instead of people fronting the triage desk to be most appropriately directed to whatever service they need, the corridors of minor side departments started to fill with people stumbling around lost, looking for anyone who might be able to help them. The must-have-photo-ID phase only lasted a couple of months; however, the armed guards remain at the front entrance to this day, continuing to deter those in need of medical care from getting it. And side entrances remain open to any who care to wander in. http://pi.greennet.org.uk/activities/stupidsecurity
•
•
Total Solutions. The security mechanisms must cover all possible entry points and all possible types of visitors, and they must be operational 24 hours a day, seven days a week. What sense is there in having a very scrupulous receptionist if parties can simply bypass this mechanism by other paths? Solution Update. Whatever solutions are deployed, they need to be perpetually revised in view of possible changes to the organization, personnel, or physical structure of a company.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Physical Security 69
Office Security Configuration To illustrate all of these principles, we will examine security arrangements in two of the most typical office arrangements that may be found anywhere in the world. • •
An organization occupying a floor or several floors in a multi-story building. An organization housed in a freestanding building.
In either case, internal physical security precautions must be enacted. First, we will evaluate office security of a typical layout in a multi-story building. This is illustrated in Figure 4.1.
Figure 4.1: Typical security arrangements in an office building
Stairs Toilet
Kitchen
Elevators
Conference Room
Reception
Server, telecommunications
Security camera
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
70 Janczewski & Colarik
Basic Security Arrangements The core of the building is occupied by several elevators, a set of stairs, toilets, and various service rooms. The reception desk usually faces the elevator bank. The core is surrounded by a circular hall with access to adjoining offices. Around the reception area is a sort of free access space accommodating conference rooms or similar facilities. This solution is recommended for companies having an intensive flow of visitors. Further access inside the premises should be controlled by separate means, such as a lockable door that is activated by another person other than the receptionist’s mechanism. This is the practical realization of the before-mentioned double challenge protection principle. Permitting the receptionist to open the door would violate that principle. In the most security-conscious institutions, a caged solution is utilized. After leaving the elevator, the visitor must enter a glass cage with two doors that cannot be opened simultaneously. The first door closes, and then the second door may be opened by various means. While this approach is quite secure, it does have queuing problems in high traffic areas. Securing the Stairwell The stairwell is usually located on the opposite side of the reception area and requires special protection. Each floor of the building must have lockable doors that may be opened from the inside but require a key to open from the stairwell. In addition, an alarm can be added to alert the facility to any unauthorized exits. Toilets Access to the toilets can be a compromising issue. The situation is simple enough if the facilities are accessible from the reception area. But, again, in many buildings, access to the toilet facilities is via the stairwell. All permanent staff would use their own keys to open the stairwell doors. Visitors may be provided with a key in addition to being observed for entry and exit via a surveillance camera installed near the door to the stairwell.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Physical Security 71
Infrastructure Housing Special care is necessary for rooms housing sensitive equipment such as telephone exchanges, power boards, and servers. Management must identify, design, and introduce procedures to limit access to this infrastructure. It is recommended that in addition to locks, motion detectors should be placed inside these rooms. The procedures must also address the issue of noncompany employees entering these rooms (i.e., contract personnel for servicing purposes). Cameras Another important component is the use of internal video cameras. Apart from the reception area and any special rooms (e.g., server room), cameras in the hallways should be installed in a manner that forms a chain of vision. In other words, each camera must be able to be seen by another camera. This permits the recording of any tampering with the cameras. No one should object to the installation of surveillance cameras in all public spaces, such as the reception area or hallways. These are excellent crime deterrents. The other issue is installation of cameras in offices or places like dressing rooms or toilets. There may be social pressures not to install such devices there, or even local laws forbidding it. Recently, there was a case in a local school where the theft of student items left in lockers was prolific. To curb the theft, the school management installed hidden cameras to trace the culprits. They were traced, but the school was reprimanded by the authorities that such installation violated the students’ privacy. Personally, we believe that it is political correctness at the extreme, but the law is the law and should be actively reviewed. Check with the local authorities on regulations related to the installation of surveillance cameras. Not all locations are possible!
Security at the Main Entrance to the Building. In office buildings occupied by many different organizations, there is no access control at the ground floor to scrutinize incoming and outgoing traffic. This means that all visitors could enter (or leave) without record or obstruction. The
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
72 Janczewski & Colarik
recent waves of terrorist attacks have introduced some changes to this policy in many high-rise buildings. Security checks are being installed to verify if people are carrying objectionable items inside. A summary of the major security measures in a multi-floor building follows. •
The reception area faces the elevator bank.
•
The conference rooms are accessible from the reception area without further checks. Access to other rooms is through locked doors. The server room and telecommunication equipment is placed far away from common access rooms.
• •
Figure 4.2: Free-standing building
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Physical Security 73
• •
•
Video cameras cover all hall spaces and each other. All visitors who need use of the toilets are to be given a key by the receptionist and asked to return it as soon as possible after use. When possible, toilets that are accessible from the reception area are preferred. The staircase doors are one-way locked, with no key required to enter the staircase from the hallway. An alarm should be in place for unauthorized exits.
Now we will examine the layout of a freestanding building as it might be represented in Figure 4.2. The points of access are the main entrance, the parking facility, the loading ramp, and potentially any ground floor window access. These points must be protected against exploitation as a part of the physical security procedures. The following must be considered. •
• •
• • •
The door to the loading ramp must be kept closed and locked when not in use. The key must be with a person authorized to accept or dispatch shipments. In the event that outside couriers are given such keys, great care must be given in the enforcement of courier security protocol (i.e., audits). Loading ramps form huge openings to the building and on hot days are frequently left open to improve ventilation inside. But this constitutes a substantial security breach. A person (or a designate) must be physically present during ramp usage. All staff may have a pass key for the parking doors, but may not use it if accompanied by a visitor. In such cases, they must enter via the main entrance with their guest(s). All windows on the ground floor must be inspected for the possibility of unauthorized entry into the building. The building exterior must be examined to check if it does not provide a convenient way for a Spiderman-type of intruder to climb it. All the garbage dumps must be accessible only by authorized personnel (for cleaning purposes).
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
74 Janczewski & Colarik
Secure Movement of Staff and Visitors The most important overall rule is that regardless of the size of a company, the importance of its IT resources, or the topology of its site, management must not allow unauthorized people to wander around the company premises. This task can be accomplished through the use of any of the following procedures. •
• • • •
All visitors (with rare exceptions) must be permitted only in visitordesignated areas such as the reception area, conference rooms, and so forth. Every visitor not authorized to enter an area must get permission to do so. Usually, granting this permission is in the form of signing a log. Every visitor must be accompanied by a staff member at all times. Every visitor must wear an identity badge. Exit procedures must be defined, such as what kind of checks are required when a person is leaving the premises.
A separate policy needs to be set up for permanent staff. The policy needs to cover problems such as the following:
Figure 4.3: Personalized badge
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Physical Security 75
• • •
The granting of authority to access a premise. This is a separate issue and will be discussed at length in Chapter 11. Method of identification at the entry to the premises. Method of identification when inside.
There are many ways to address all these problems, and some of them are quite sophisticated. The most practical for bigger organizations is to ask the staff to wear badges that include their names and photos. An example of such a badge is in Figure 4.3. There is a tendency to place on such badges a lot of written details, such as personnel ID, function, division, and the like. This should be avoided, as it is difficult to read from a distance. A much better way is to introduce color coding for the important information. Color fields on the badge inform security from a distance of specific access rights of the bearer or his or her status. The barcode could be used for machine verification of the bearer’s credentials. We opt for the badge to be carried on a string from the neck rather than as a pin or clip, since these methods of attachment may be difficult on some types of clothing. The internal badge may also be used as a way of limiting access of staff to particular areas. For instance, all badges with a red strip renders unconditional access to all parts of the premises, while a green one grants access to the production areas and blue to the administration areas. The colors also may be used for determining the validity period of a badge. The use of all these conventions would improve the security of a premise and may reduce the chances of unwanted visitors launching undesirable activities. However, any of these measures may not stop a very determined and desperate terrorist or similar person from forcing entry into the premises. The probability of such an attack against an IT oriented installation is very low; nevertheless, some preparation for such an unlikely event should be taken.
Protection of Equipment from External Disturbances When planning the arrangement of IT equipment, it is important to remember that there are several risks that can render the equipment destroyed or cause some very expensive repairs. Among the risks are fire, water, dust, vibration, chemical effects, explosives, electromagnetic radiation, and earthquakes. As Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
76 Janczewski & Colarik
Case 4.5: Power failure 1 In 1999, the central business district of Auckland, New Zealand was deprived of power resulting from a major transmission fault that cascaded. Most businesses were closed for two weeks. During this time, all major banks utilized backup power generators and operated with minimal disruption.
Case4.6: Power failure 2 A similar case that occurred on a much wider scale happened in the summer of 2003 in the northeastern part of the United States. Perhaps the best illustration of the area of impact can be seen in the following satellite photo (Figure 4.4).
we have discussed, the probability of a direct terrorist attack against an IT facility is very low, but collateral damage resulting from terrorist attacks against the other more general targets is significantly higher. The outages presented in Cases 4.5 and 4.6 give a clear illustration of the importance of having a reliable power source for IT equipment. There is an interesting common aspect of both occurrences. Companies that had in-house emergency power generators survived a crisis without special problems. They had only two worries: if the backup generators would continue to function during the power shortage, and if there was enough of an accessible fuel supply. Those without backup power sources had significant problems acquiring auxiliary power generators once the event occurred. Providing power is one issue; the other is its quality. Significant fluctuations of voltage can easily damage the delicate electronic circuits of modern computers. Therefore, management must evaluate the power supply and put in place measures that handle such fluctuations. Uninterruptible power supply units can provide power for several hours if not days, and industrial-grade surge protectors help to minimize damages from low power and surge conditions. In addition, it is essential that the company have at least two feeds of power and redundant switching equipment for backup. Also, emergency lighting systems should be installed and maintained. Even dual sources of power may not be enough. We know of a case at an IT installation where the switch controlling the power source was blown up by an Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Physical Security 77
Figure 4.4: Size of the August 14, 2003, blackout (National Oceanic & Atmospheric Administration)
electrical arc when a mouse shorted the power rails inside. The switch was of unique design, and the facility waited several days for a replacement. Similar care should be extended to power and telecommunication cables. It is surprising how some businesses organizations are reckless in laying cables without any care for protecting them from accidental or deliberate damage. Steel or aluminium conduit works well, and redundancy, while rarely considered, should be considered. The conduit must be inaccessible in order to prevent the disabling of an entire system with a mere set of wire cutters or a common shovel. The protection of the premises against such calamities as power supply interruptions, chemical effects, and so forth, is quite important. The event could be triggered by a natural disaster such as an earthquake or fire, but also by an arsonist or a terrorist. The consequences could be the same. Therefore, we have devoted a substantial part of the text to discuss these issues.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
78 Janczewski & Colarik
Theft of Equipment Recently, we bought several new laptops. They came with the standard set of cables, plugs, and attachments. An interesting point is that, for the first time, the anchoring cable for physically securing it was added to the accessories. This indicates a rising need by consumers to have such equipment. Indeed, the probability of computer equipment being stolen from a company’s premises is very high. Theft is performed by opportunists that remove unguarded items and by professionals that have a predetermined objective. The CSI/FBI reports laptop theft as one of the primary cybercrimes. Many of these acts are aimed at achieving financial gains from the selling of stolen goods, but in the opinion of the majority of security specialists, the main objective is to get access to data from the equipment. Some of the anti-theft solutions are basic (e.g., the previously mentioned anchor cables); some are quite sophisticated (e.g., miniature radio transmitters indicating the location of the equipment); and some are quite exotic (e.g., smoke screens). There are many methods to limit equipment theft; a full discussion of this topic would take away from the main stream of the book. However, we were recently introduced to an ingenious system falling into the category of smoke screens, and we were quite fascinated with the demonstration of its capabilities. It is based on several simple yet effective principles. A good security system may trigger an alarm, but the time between the activation of an alarm and the arrival of security officers may be long enough to allow thieves to grab some goods and run away. Stores selling computer equipment
Figure 4.5: Smokeclock (by permission of Smokecloak Ltd)
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Physical Security 79
are very aware of this problem. The solution is in a box that is installed at the premises, as shown in Figure 4.5. The smokeclock is essentially the source of a thick, non-toxic white smoke that can completely fill a room in a few seconds to the extent that a person is unable to see the end of his or her hand. The smoke is triggered when the alarm is raised. Along with the smoke, an extremely powerful strobe light is switched on, which is reflected by the smoke and practically blinds anyone inside. Very few thieves could resist such an assault against their senses.
Protection Against Eavesdropping Eavesdropping is essentially an attempt to extract unauthorized information through the monitoring of transmitted information. This monitored data may contain intelligence that can be used against the company in a number of ways: meeting and work schedules, shift changes, VIP visitors, and so forth, that in turn can be acted upon by those doing the monitoring. As previously stated, eavesdropping is a process of reading information, either directly or by means of some equipment. Any system that broadcasts or displays data can be subjected to possible eavesdropping. The essence of Figure 4.6: Placements of eavesdropping devices Phone Instrument
Phone Point (BT/RJ11)
Places where eavesdropping devices may be attached to intercept phone conversations
Main distribution Frame PABX
Street Connector
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
80 Janczewski & Colarik
eavesdropping is the interception of all spoken or transmitted information by electronic media (i.e., wires and radio transmission) such as mobile phones, pagers, and similar devices. The most popular forms of eavesdropping are interceptions of telephone conversations, spoken words, and electromagnetic waves generated by electronic devices. Specialists in telephone networks agree that telephone conversations can be intercepted at every stage in the process of transmitting signals between two parties. Places where eavesdropping devices may be attached to intercept phone conversations and digital transmissions are shown in Figure 4.6. The planting of listening devices is a relatively simple process, and such devices are easily concealed. They tend to be small, and the process of detecting them can be difficult and expensive. For quite some time, there has been great interest in laser-based listening systems. These systems conceptually utilize a laser beam that is focused on a window of the intended target. The conversation is modulated by the vibration of the glass and is read via the laser. The usefulness of such a system is fairly limited, as the window also vibrates at the sounds of outside noise, and reading such vibrations is more difficult than at first glance. Also, it is not easy to find the reflected beam if the window pane is perfectly across the beam path. Hence, despite being technologically advanced, such a method of eavesdropping has not gained popularity. Electromagnetic signals generated by electronics can be intercepted quite easily, but the range of the signals is relatively short. Knowledge of the message exchanges within an organization could raise the interest of many external parties such as thieves and terrorists and therefore needs to be eliminated. If a company wishes to reduce its risks, the following actions are recommended: • •
•
Visitors to the company should be restricted to conference rooms for meetings, and said rooms should be without windows. All company premises and internal conference rooms especially should be swept periodically for the existence of audio-bugs, especially before strictly confidential meetings. A director of a company specializing in such swaps told us that in about 4% of their hunts, they end up finding some unauthorized equipment that was planted. The threat is quite real. All visitors should be asked to leave their mobile phones at the reception area.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Physical Security 81
Case 4.7: Eavesdropping approach In the 1950s, personnel of the U.S. Embassy in Moscow had suspicions that the premises was bugged by Russia’s KGB. They could not locate any such listening devices. One day, a big wooden carving depicting the Great Seal of the United States fell off of a wall and broke. The seal was a Russian gift to the Ambassador and had been hanging in the office of the U.S. Ambassador for a long period of time. The seal is presented in Figure 4.7. The staff found something inside that looked suspicious, but no one was able to identify what it was. This something was sent to U.S. laboratories for inspection. The something was in the form of a hollow tube having a membrane on one side and a wire on the other. There were no batteries and no electronics. Eventually, the lab technicians found that the something was an ingenious listening bug. It worked on the principle that if the tube were placed in the stream of a specific, very powerful electromagnetic beam, it would start to vibrate. The vibrations could be modulated by the membrane, which in turn was activated by conversation in the room. In this way, the Russians were able to listen for years to the conversations carried on in the Ambassador’s office. The staff of the Embassy previously noticed that the building was frequently exposed to high-energy electromagnetic beams, but they were unable to find any reasons for this.
•
All staff should be warned not to discuss any confidential matters over the phone, which applies both to internal and external calls.
In Chapter 12, we will return to the issue of the interception of mobile digital transmissions and Internet communications.
New Form of Attack The technical part of eavesdropping is closely associated with an entirely opposite application that uses high-power microwaves in electronic sabotage. Eavesdropping has been around for quite some time in all kinds of forms. Case 4.7 illustrates this point. The high-powered microwave source was used for eavesdropping in the case above. However, the same high-powered signal can be used for damaging computer circuits or magnetic media. High-powered beams can be also used to inflict many other damages such as the following:
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
82 Janczewski & Colarik
Figure 4.7: Great seal of the USA (courtesy of Prof H. Wolfe): Front of the carving and the bug (much bigger scale than the seal photo)
• • • • •
The destruction of automotive electronics (cars rely more and more on electronics circuits). The halting of safety systems such as elevator controls. The creation of fires. These beams can be so powerful that they could ignite combustible materials. The detonation of explosive materials. The ionizing radiation exposure of people.
Case 4.8: Computer forensic retrieval A husband presented to his wife a life-threatening letter that he wrote on his PC. The wife was shocked, but before she could do anything, the husband took the letter from her. She felt threatened and reported the event to the police. The police investigation found nothing. They examined the husband’s computer and found no traces of the letter in question. The case was dropped. A year later, the brother of the husband was accused of a violent crime. The police dug up the dropped case, as they suspected that both brothers might have the same type of violent personalities. At this stage, the original PC was found in the hands of a third person with an entirely different operating system installed. Forensic examination of the hard drive rendered not only one copy of the discriminating letter, but several copies in various stages of completion. On the basis of this evidence, the husband was charged and convicted.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Physical Security 83
The protective measures against these attack forms are similar to those used for screening electromagnetic radiation such as filters and protective shields. Even an entire room can be shielded against such effects.
Retrieval of Information from Magnetic Media The development of computer forensics shows that it is possible to retrieve information from magnetic media, even when that media is overwritten several times. Hence, care must be taken in the removal of data from disposed computer media, especially hard disk drives. Case 4.8 illustrates the capabilities of computer forensics. The case is not related to cyber-terrorism, but instead reveals a simpler application of computer forensics. The content of the retrieved message is not of importance, but it illustrates that law enforcement agencies are able to read a lot of information from any intercepted electronic data processing equipment. The simple deletion of files removes only the internal reference to the drive data and leaves the file intact. It usually requires approximately eight times of overwriting the storage space to destroy all traces of the original data. There are numerous special programs available for such retrievals and for disk cleansing. Therefore, when a company disposes of its equipment, either due to replacement or upgrading, these systems should be cleansed, even when the equipment is given to employees for use at home. A few years ago, a number of confidential documents written by a high ranking New Zealand government official were leaked to the press. The investigation revealed that the data on government-owned computer equipment before disposal were not properly erased. Only a simple “delete” operation was performed, which only destroyed the directories, and not the files.
Conclusion In this chapter, we have discussed the problems related to the physical protection of information within company premises. Currently, the wave of terrorist attacks has triggered a wave of interest in physical security, as physical attacks are perhaps the most common and visible aspect of terrorism.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
84 Janczewski & Colarik
We need to be realistic when it comes to protection against physical terrorist and cyber-terrorist attacks in that they are fairly limited. Physical terrorist attacks are carried out these days by armed, extreme people. Resistance to them is very limited. Even very well equipped and well trained military units are unable to contain all such attacks. However, many terrorist attacks may use the physical attack as the first step towards their final objectives. Therefore, building resistance against these types of attacks is very important. Physical attacks are of many different types, and we have discussed only those that appear to be the most frequent. But, as elsewhere in this book, we once again must underline the importance of the system approach. The business objectives of an organization should be the foundation of the risk analysis, including the possibility of physical attacks. Only on this basis can the handling of these types of attacks be decided in order to assure proper security.
Bibliography Bomb threats and physical security planning (1998). U.S. Department of the Treasury, Bureau of Alcohol, Tobacco and Firearms (SuDoc T 70). Conrath E. et al. (Eds.) (1999). Structural design for physical security: State of the practice. American Society of Civil Engineers. Fennelly, L. (2003). Effective physical security. Butterworth-Heinemann. Garcia, M. (2001). The design and evaluation of physical protection systems. Guide for electric power substation physical and electronic security (2000). IEEE Standards Publications. Keuren, E., Wilkenfeld, J., & Knighten, J. (1991). Utilization of high-power microwave sources in electronic sabotage and terrorism. IEEE. Murray, N. (1995). Evaluation of automatic explosive detection systems. IEEE. Pastore, M. (2003). Security+ study guide, Sybex. Physical security standard. Retrieved from http://www.tbs-sct.gc.ca/ pubs_pol/gospubs/TBM_12A/CHAPT2_2_e.asp Tyska, L., & Fennelly, L. (2000). Physical security: 150 things you should know. BH Security.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Denial of Service Threat 85
Chapter 5
Denial of Service Threat
In the early 1960s, programmers used to play memory games on a computer. The objective of the game was to disable as much of the operating system memory as possible in order to make their opponents unable to run their applications. In those days it was not anticipated that the whole idea would reemerge some 35 years later to become one of the most treacherous concepts in disabling vast computer networks. Denial of Service (DOS) attacks are here to stay for the foreseeable future. In the previous chapter, we discussed the issue of physical protection as perhaps the most direct threat to IT from terrorist groups or individuals. The attacks could be either direct against the IT resources, which is less probable, or collateral, resulting from attacks against the other targets physically located nearby. On the other hand, DOS attacks are purely IT-based and may be classified as a typical information warfare tool. They can also be used by cyberterrorists. So what classification of DOS attacks is justified? To be employed as a suitable cyber-terrorist tool, we believe that a number of conditions must apply. Among them are the following: • •
An attack should not involve lengthy preparations and should not require a considerable amount of funds. The essence of a terrorist attack is to inflict as much damage as possible.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
86 Janczewski & Colarik
•
The damage should be spectacular, noticeable, and understandable by a wide audience. Unauthorized electronic transfer of funds may cause a lot of damage to the bank, but may not be noticed. As a matter of fact, banks usually try to keep the publicity about such attacks at a minimum.
DOS attacks and their offspring, Distributed Denial of Service (DDOS) attacks fulfill these conditions in the IT domain, they are relatively easy to launch, and the destruction they inflict can be spectacular.
The Nature of DOS and DDOS Attacks The idea behind DOS and DDOS attacks is very simple: to force a target system to become overloaded with activities that reduce its capacity to process legitimate tasks. These activities are arranged in such a way that starting one triggers an avalanche of other activities. An example of a DOS attack is the socalled Christmas Tree worm. When it was first launched through the IBM network in Europe in the early 1970s, it was not intended as a DOS attack. The initial idea was to spread the picture of a Christmas tree on the screens of computers connected to the network. To accomplish this task, the Christmas Tree software extracted the addresses of the correspondents from the target machine and forwarded to them the tree picture. As a result, the whole network was saturated with pictures of a Christmas tree on every screen, and there was no room in memory for any other jobs to be processed. A typical DOS attack may be successful against a small Web site, but a powerful site like Amazon.com or eBay.com can easily handle such a flood of messages. As a result, the idea of the DDOS attack was conceived. The DDOS concept is as follows: •
•
The attacker first decides which type of DDOS attack to use, against which site to use it, and when it will be implemented. There are many different DDOS attacks (e.g., UDP flood, ICMP flood, SYN flood, SMURF), which will be presented later in the text. The attacker then must find a number of hosts that are used later as launching pads against the victim site. Security of these sites must be questionable and allow the implantation of the attacking software (usually
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Denial of Service Threat 87
•
by external or viral means). These machines are called zombies. Finding zombies and planting the software on them is done automatically through scanning the entire Web space. It is important to note that the attacking software basically is not hostile to the zombie machine, and the user of the zombie machine may not be aware that the computer is infected with DDOS attacking software. Besides, the software is inactive and waits for a specific trigger or a pre-specified time. Even during the subsequent attacks, the operator of the zombie machine may not notice that his or her machine is in an attacking state. The owner of the zombie machine may learn about such unwanted guests in a dramatic way. Without any warning, the owner may receive a considerable bill from his or her Internet Service Provider (ISP). We have seen many such cases. When the infection phase of the zombie machine is concluded, the attacker sends a triggering signal to all the zombies to start the attack, or the attack is launched at the predefined time. The structure of the DDOS attack is shown in Figure 5.1.
The first real DOS attacks that we know of were launched in August 1999 against the University of Minnesota, flooding its relay chat server, lasting two days, and involving 214 connected systems. The next major set of attacks was in February 2000 where Yahoo!, eBay, and other sites were attacked. These
Figure 5.1: Structure of the DDOS attack
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
88 Janczewski & Colarik
attacks continue to date on a whole host of public targets, including the White House.
Mechanics of the DOS/DDOS Attacks The DOS/DDOS attacks are designed to limit system resources for legitimate jobs by performing unnecessary operations that consume such resources as memory on servers, router packet forwarding capacity, name servers, and network bandwidth. There are plenty of available techniques, but the majority of them are based on the handshake principle of telecommunication protocols. This principle demands that every message sent must be acknowledged with a corresponding response to the message source. Thus, the essence of a DOS/ DDOS attack is to send a flood of messages to the victim machine that demands the processing of these messages without concluding the entirety of the handshake. All transmitted messages have unique IP addresses that represent the originating location or machine. To prevent the discovery of the location of the machine that is sending a set of messages, the sending machine may change the IP address of the outgoing messages. Below are examples of the most commonly known DOS/DDOS attacks. •
SYN Flood Attack. This is the most well known type of DOS attack, which is launched from a single machine against a single site. When a connection is established between two machines, the Transmission Control Protocol (TCP) requests the exchange of three messages of the Synchronization (SYN) type. The first is a SYN message to the called machine (#1), which is used to confirm receiving a message. Then the called machine issues a confirmation of the message (#2), and the sending machine returns an acknowledgment (#3). The SYN attack occurs when the calling machine never returns the acknowledgment (#3), which causes the called machine to wait for the acknowledgment or to resend its original acknowledgment (#2). The sequence of these events is presented in Figure 5.2. Upon receiving the first SYN message, the target system reserves the space for handling the incoming transactions. Mass floods of SYN messages may easily overflow the buffer reserved for handling the
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Denial of Service Threat 89
Figure 5.2: SYN flood DOS attack Normal mode during connection
SYN flood DOS attack
attempt
•
incoming transactions. A tool to disable the SYN flood attacks addresses that problem. In response to this attack, the new communication sequence reduces the chances of a buffer overflow by keeping only a short note that the initial SYN message was received from a specific address and is promptly answered. Only if the third SYN message is received is memory space for handling the transaction reserved. Otherwise, after a short period of time, the note is deleted. The above example clearly illustrates the underlying problems with many cyberattacks. It is not the issue that the initial design was wrong; it is that the designers did not predict that somebody could exploit characteristics of operation on the target system to launch an attack. The remedy for handling the SYN flood attacks has been developed, but there are no guarantees that a new generation of these attacks will not emerge. Ping of Death Attack. This type of DOS attack is similar to a SYN flood attack. It is based on processing an unusually large message block of the PING command. The PING command is an Internet Control Message Protocol (ICMP) Echo-Request packet that is sent to detect the existence of a remote machine. It usually contains two to four frames of irrelevant data. The Ping of Death package contains a huge amount of data that causes the target system to crash due to the system’s input buffer
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
90 Janczewski & Colarik
•
overflow. Patches were developed to protect systems against this type of DOS attack, and successful Pings of Death attacks are quite rare at present. Smurf Attack. A Smurf attack is the DDOS version of the SYN attacks. The difference is that the attacking system broadcasts ICMP EchoRequests to many zombie stations on the network and changes the source IP address from its own to that of the target system. As a result, the target system is flooded with an enormous number of Echo-Request frames, as illustrated in Figure 5.3.
The above methods of attacks are very simple and were presented here to illustrate the DOS/DDOS principle of operations. The problem is that since 1999, we have observed a steady stream of new and improved tools to launch these attacks. The improvements include the possibility of launching an attack simultaneously using several different types of attacks, while hiding their internal programming structure to fool anti-virus scanners. This is usually done via encryption. The most well known attacking tools are the following: • •
Various versions of Trinity (UDP flood). Various versions of Tribe Flood Network (UDP flood, ICMP flood, SYN flood, SMURF).
Figure 5.3: The principle of a smurf attack
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Denial of Service Threat 91
• •
Various versions of Stacheldraht (Barbed-wire in German) (UDP flood, ICMP flood, SYN flood, SMURF). Shaft (UDP flood, ICMP flood, SYN flood).
The danger is that these tools are becoming more and more efficient, while any beginner may download them from the Internet and launch attacks at will. These tools are easily included in self-propagating systems (i.e., viruses), and their effect can be quite significant. So how do we detect that a system is under a DOS or DDOS attack, and how do we minimize the resulting damages? What types of warnings are there? When an attack is in full swing, can we perform any actions that will counter the attack? Is it ever too late to do any preventive actions such as patching, IP address switching, and the like? These issues are becoming more and more difficult to resolve as these attack tools become more and more sophisticated, especially when the attack tools are designed to hide an attacker’s identity and the presence of the software. What are the symptoms of a system under attack? Changes in the volume of traffic is an indicator, but this alone cannot be relied on, as these volume Figure 5.4: Typical changes in volume of messages (by permission of Esphion Ltd, www.eshpion.com)
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
92 Janczewski & Colarik
changes may fluctuate due to quite legitimate traffic reasons. An example of such a flow is presented in Figure 5.4. Specialists consider that instead of monitoring the gross volume of transactions, a much more sophisticated analysis needs to be done based on discovering any suspicious anomalies of a traffic pattern. For instance, referring to the previously described SYN flood, discovery of such an attack is relatively simple when we compare the ratio of inbound to outbound traffic. Figure 5.5 gives an example of such an anomaly and triggers a warning that the system is under a SYN attack. Specialists say that monitoring networks for DOS or DDOS attacks should be done on a high level of the telecommunication network (i.e., the level of major nodes rather than at individual sites). This is sensible in that an individual site may not have the ability to react quickly enough to incoming DOS or DDOS attacks before becoming saturated with messages. But the capabilities of highlevel nodes are much bigger and better able to handle such a flood. Handling DOS and DDOS attacks is not easy. There are number of parameters of these attacks that make them so dangerous.
Figure 5.5: Example of an SYN attack (by permission of Esphion Ltd, www.eshpion.com)
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Denial of Service Threat 93
•
•
•
The escalation of the value of traffic under the DOS or DDOS attack is so rapid that it may easily reach the saturation level of the incoming channel. This, in turn, would prevent an application of any reasonable measure to avoid the outcomes of the attack. The rapid increase in the volume of transactions may not necessarily indicate an attack. It could be an outcome of legitimate processes such as the beginning of business hours in a country. Any analysis must be extremely rapid, as the monitors must be connected to the high-speed transmission channels. This usually requires specialized hardware and software monitors. Very few companies around the world have the capacity to design and build such devices.
DOS and DDOS specialists have many different opinions on how to handle these attacks, but they usually agree on the following principles: •
• •
•
The essence of the problem is to monitor incoming traffic for signs of a DOS or DDOS attack. This applies to all Internet users—end users, ISP operators, and operators of huge networks. The bigger the volume handled, the more difficult it is to monitor. As of 2003, several thousand different attacking signatures were discovered. The general rule is that if suspicious traffic is discovered, it should be negated or removed from the network. The end users have limited options to remove such traffic from the network, since by definition they are on the receiving end. Thus, one possible option is for the end user to negate such traffic and inform the ISP about being attacked. This would allow the ISP to remove the offending traffic from the transmission channel, giving the end user breathing space. Some other actions are also possible, such as temporarily changing the IP address or changing the configuration of the system. To accomplish such objectives, the end user needs to install a tool that monitors the traffic for incoming attacks, raises an alarm, and provides recommendations of what to do. Such tools have already been designed. Both the ISP and the main node operation’s jobs are a bit different—their processing capacities are usually so high that they are able to sustain substantial DDOS attacks. But in the interest of their clients and their own needs, they need to monitor incoming traffic for any signs of DOS or DDOS attacks. Then, if such attacks are detected, they need to remove
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
94 Janczewski & Colarik
the suspicious traffic from the network. The good news is that more and more Internet operations are aware of this and have begun installing such detectors. Just after the first appearance of these attacks in 1999, the interest in DOS and DDOS attacks was growing steadily. New methods of attacks were announced, as well as methods of handling them. After about two years, the situation was stabilized. More recently, it has been observed that there is a strong correlation between world events and the number of these attacks.
Conclusion The DOS and DDOS attacks may be launched against any site, but the capability of crashing dominant sites makes it very attractive, as successful attacks against such sites would be widely reported. The nature of the attack makes it the most convenient network weapon. Therefore, DOS or DDOS attacks are a preferred tool of information warfare specialists and cyberterrorists. Launching such attacks does not require much knowledge. The attacking software is available for downloading from the Internet. Some of these sites are very well known and accessed around the world. Since the first wave of DOS and DDOS attacks were launched in 1999, hackers have prepared a number of attacking tools with growing effectiveness. The security industry has responded by building and testing a number of tools that are able to detect such attacks and issue warnings, suggest changes to the network configuration, or even introduce such changes. DOS and DDOS monitors are effective, but quite expensive. They require a highly trained staff that can set them up and run them. Therefore, their main domains of implementation are ISP and node sites. An end user may install such a system, but we need to be realistic. The probability of being targeted by a DOS or DDOS attack is quite remote if you are not an attractive target. Several attack tools can be detected by virus scanners, and strict control of IT resources is the main action that an average end user can take. We need to remember that we may not be directly hit by a DOS or DDOS attack, but we may harbor the software that has been put on our system without our knowledge in preparation of an attack against other Internet users. Therefore,
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Denial of Service Threat 95
we have serious social responsibilities to provide such a control, not to mention the following investigations by legal authorities. Also, it literally may cost you a lot if your system is used as a zombie machine against some other site.
Bibliography Web Sites http://securityresponse.symantec.com/avcenter/venc/data/dos.attack.html Symantec on DOS attacks. http://staff.washington.edu/dittrich/misc/ddos/ Highly recommended source of information on DDOS. http://www.cert.org/tech_tips/denial_of_service.html Basic CERT info on DOS attacks. http://www.cisco.com/warp/public/707/newsflash.html Cisco on DDOS attacks. http://www.denialinfo.com/ Collection of information on DOS attacks. http://www.pcworld.com/news/article/0,aid,15199,00.asp Basic information about DDOS attacks. http://www.webopedia.com/TERM/D/DoS_attack.html Basic information on DOS attacks. Other Publications Abouzakhar N., & Manson, G. (2002, October). An intelligent approach to prevent distributed system attacks. Information Management & Computer Security. Karig, D., & Lee, R. (2001, October). Remote denial of service attacks and countermeasures. Princeton University Department of Electrical Engineering Technical Report CE-L2001-002.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
96 Janczewski & Colarik
Rose, M. (1993, November). Challenges in network management. IEEE Network. Xiong, Y., Liu, S., & Sun, P. (2001, July). On the defense of the distributed denial of service attacks: An on-off feedback control approach: Transactions on systems, man, and cybernetics – Part A: Systems and humans. IEEE.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Web Defacements and Semantic Attacks 97
Chapter 6
Web Defacements and Semantic Attacks
The mass use of the Internet as a trade and distribution tool has become the source of a new type of attack—the defacement of Web page content. Due to the nature of this activity, it is frequently referred to as Web graffiti. Indeed, there is a lot of commonality between real graffiti sprayed on walls and fences and its computer-based Web counterpart. Graffiti can be considered a form of news publishing, and not just in its traditional form that causes irritation to the onlooker and some costs to clean it up. When graffiti is viewed from the perspective of disseminating information, some serious consequences can occur. In the city of Auckland, New Zealand, there are special garbage collection days (twice per year) on which residents may place items such as furniture and washers for pickup and disposal. One day, a flyer was distributed to residents stating that there would be a special additional pickup for such items. The residents happily loaded up their sidewalks with the understanding that the city would come and remove those items. The problem was that the flyer was a clever hoax. It rains quite a bit in Auckland, and, as a result, these items became wet and were not welcome back into people’s homes. The city’s sanitation engineers were effectively forced to remove the trash, as it would remain on the curbs indefinitely if they didn’t. You can imagine the additional costs and impact to the city’s budget. Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
98 Janczewski & Colarik
The same applies to Web graffiti. The threat of Web graffiti is very real. According to mi2g, a British company, the number of vandalized sites reached approximately more than 185,000 in 2003, which is more than double the number in 2002. It is estimated that the direct cost of each incident to an institution is around $14,000 (USD). This cost is made up of the known wage costs of the staff involved in setting up the temporary server and restoring the original one, plus an estimate of the business lost as a result of the main Web server being made unavailable. Examples of Web graffiti are shown in Figure 6.1 (before) and Figure 6.2 (after).
Figure 6.1: Original Web page before defacement
Figure 6.2: Web page after defacement
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Web Defacements and Semantic Attacks 99
There are special exploit tools to perform such defacements. The tools search for certain types of vulnerabilities in Web servers and generate a list from which to choose. All a person needs to do is to nominate the Web page he or she wants to change, select the changes desired, and the program does the rest. It can literally be done in seconds. Why it is so simple to do? It is based on two facts: 1.
2.
For obvious reasons, Web pages have been made easily accessible. They are usually located outside an organization’s protected zone because access is encouraged. Therefore, penetration of the Web server’s internal structure is not as well protected as internal networks. In the past, the design of Web pages required considerable programming skills. Today, Microsoft includes a simple Web page design tool with every copy of Internet Explorer, which dramatically reduces the need for these advanced skills. The design and maintenance of Web pages are done often by people who have limited IT skills, especially in security. Therefore, they use only the most popular and simple design techniques rather than focusing on producing unbreakable systems.
Web graffiti can be abstractly entertaining, as mentioned in the discussion in Chapter 3 about defacing the CIA Web pages. However, it can also be a source of considerable damage. Web defacement presented in Case 6.1 illustrates this point.
Political Orientation So why are people doing this type of damaging behavior? As in the case of traditional graffiti, they might do it just for fun; they might do it to introduce an interesting correlation between the original message and their own; they may be driven by a grudge or hatred against the owner of the Web page; or there may be a host of other reasons. We found an interesting answer to this question on the Internet, published by independent group who call themselves “a.f.r.i.k.a. gruppe” from Germany. Here’s what they promote, as presented in Case 6.2. The reality of this case is that there are groups of people who would like to use existing communications channels as a way to piggyback their own political and other agendas. Why piggyback? There are multiples of millions of different
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
100 Janczewski & Colarik
Case 6.1: Web defacement One weekend, the server providing the public Web site of an educational institution was broken into and the home page replaced by a message accusing the system administrators of incompetence. Visitors to the page were not only greeted by a derogatory message about the institution, but were unable to reach other pages by following links on the home page. When IT staff discovered the problem, they took the machine out of service and built a small temporary server to replace it. This contained only part of the information and functionality provided by the main server, but at least it allowed the links to other servers to be restored. An investigation of the compromised system revealed that it had been broken into using a known vulnerability for which patches had been announced some time before the attack. The vulnerability had been used to create new accounts on the machine that had super-user privileges permitting unlimited modification of any files on the system. To ensure that the attack could not be repeated and that any other modifications were removed, the server was reinstalled from the distribution CD, and up-todate patches were installed from the vendor’s Web site. All unnecessary services were removed from the machine before it was reconnected to the network. Files on the server were restored from a backup taken before the date of the break-in. The full Web service was reestablished four days after the incident. http://www.ja.net/CERT/JANET-CERT/prevention/case-studies/ web_deface.html
Case 6.2: Manifest of a political group Communication guerrillas attack the power-relations that are inscribed into the social organization of space and time, into rules and manners, into the order of public conduct and discourse. Everywhere in this “Cultural Grammar” of a society there are legitimations and naturalizations of economic, political, and cultural power and inequality. Communication guerrillas use the knowledge of “Cultural Grammar,” which is accessible to everyone, in order to cause irritations by distorting the rules of normality. It is precisely this kind of irritation that puts into question seemingly natural aspects of social life by making the hidden power relations visible and offering the possibility to deconstruct them. Using a term coined by Pierre Bourdieu, one might say that guerrilla communication aims at a temporary expropriation of Cultural Capital, at a disturbance of the symbolic economy of social relations. http://subsol.c3.hu/subsol_2/contributors/afrikatext.html
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Web Defacements and Semantic Attacks 101
Web pages. While you may generally publish whatever you like, the chances that your message will be spread around the world is very slim. On the other hand, if some large company is hosting a very popular Web page, the visibility of an implanted message within those popular pages is greatly enhanced. Thus, the popularity of the defacement attacks has and will continue to be a target by politically oriented groups and individuals. Another, more dangerous defacement is the introduction of changes to a Web page in a way that pretends to be a part of someone else’s system, and encourages an innocent user of the system to act (usually against the user’s interests). Recently, there has been a wave of such attacks aimed at financial institutions. The essence of the attack is that using the original Web page of a reputable organization like a bank or trust, the attacker, through the use of a popup browser window, asks the client to submit sensitive information (i.e., login name and password). This type of attack is also called phishing. A similar example of this is presented in Chapter 10. As we will present later, the most fundamental protection against this type of attack is to supply users with irrevocable instructions on what to do in case such messages appear on the screen. Very closely related to Web graffiti or phishing are semantic attacks. The essence of the attack is that someone issues authentic-looking information through the Internet (i.e., e-mail, newsgroups, false Web sites, etc.), claiming something like “CNN announced today that ABC Corp sustained massive losses for the last quarter.” Instantly, ABC Corp’s stock price plummets, maybe even triggering a complete market selloff. As soon as the word gets out that the CNN release was a hoax, the market recovers, and the stock gains almost all of its value back. Yet timed strategically, combined with a volley of similar hoaxes, could spawn chaos, panic, and profits with far-reaching effects. This is due to the fact that many individuals without verification are happily broadcasting such messages. Many of us may have received a message of this type: “Yesterday, Microsoft announced the discovery of a substantial hole in their Internet Explorer. This security hole may cause your system to crash.…” A quick scan of the relevant Microsoft pages would reveal the non-existence of such a message. Last year the popularity of these hoaxes was so high that people developed a disregard for such messages. These kind of semantic attacks cause little more than temporary inconvenience. Other attacks against Web servers can be quite substantial. Case 6.3 illustrates this point.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
102 Janczewski & Colarik
Case 6.3: Web hosting Thousands of clients of Alphamega, the Dutch hosting service provider, found themselves without Web sites after hackers attacked the hosting companies’ Web servers last weekend, destroying software required to run the sites and stealing data. Although Alphamega’s clients were informed that access to their Web site was temporarily disrupted and would be restored shortly, they were not given the real facts surrounding the incident. Alphamega claims that it backs up all relevant information on its Web servers’ computer discs to magnetic tape every 24 hours. Contrary to this claim, Alphamega’s last backup was apparently made sometime in January (comments from the authors indicate that the message was posted in August). http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/ csNews.cgi?command=viewnews&database=JanZ%2edb
A similar misfortune happened in 2002 in New Zealand when around 4,000 Web pages were wiped out from an ISP server. Financial loses were substantial, because the ISP did not run the backup service, and many of their clients did not keep backups either. This shows that to limit losses resulting from attacks on Web pages, a close cooperation between the users, Web managers, and the ISP is required.
Protections The simplicity of a Web page design makes preventions against these types of attacks quite difficult. However, it is possible to introduce measures that will reduce to a minimum the consequences of these defacement attacks. These are as follows: 1.
Watch your own resources. The elimination of defacement is practically impossible. It may happen anytime, and the owners must be ready to act immediately when it does happen. The administrator of a Web page must install a system that can detect unauthorized modifications very quickly and make the corrupted content unavailable until restoration can occur.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Web Defacements and Semantic Attacks 103
2.
3.
Develop a contingency plan. Following the removal of the defaced Web pages, there must be an action plan for how to handle the restoration process. At the time of a predicament, the procedures must be in place for how to handle the emergency and get the site up and running quickly. Be proactive. Consider reexamining the security requirements for your Web site server system based on the attacks that are dominant for gaining access. Periodic Web server and page updates may simply overwrite any annoying changes.
Remedies for the average organization to handle Web server attacks are limited mainly to actions mentioned previously. However, there is a significant amount of research being done by organizations specializing in IT security to discover potential vulnerabilities of Web design and to develop ways to eliminate them. One of the techniques that is becoming more and more popular is building a socalled honeypot. A real honeypot attracts insects; the concept here is exactly the same—to develop a site full of goodies that will attract possible hackers. Monitoring tools are set up around such a Web site and allow hacker behavior and the tools they are using to penetrate the site to be observed and recorded. There are two general types of these traps: production and research. Production honeypots are easy to use; they capture only limited information and are used primarily by companies or corporations. Research honeypots are complex to deploy and maintain, they capture extensive information, and they are used primarily by research, military, or government organizations. One example of a honeypot is a system used to simulate one or more network services that a person designates on the computer’s ports. An attacker assumes the user is running vulnerable services that can be used to break into the machine. This kind of honeypot can be used to log access attempts to those ports, including the attacker’s keystrokes. This could give a person advanced warning of a more concerted attack (see http://www.honeypots.net). ISS X-Force is an example of a research facility specializing in such research (see http:// xforce.iss.net).
Conclusion Web defacements and semantic attacks are a fact of life. They may create confusion, but if the reaction to them is swift, then the negative consequences Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
104 Janczewski & Colarik
can be minimal. This type of attack is attractive to many individuals and organizations in order to spread information about their philosophies, objectives, and intentions. Mentally, we associate terrorist activities with acts of violence and substantial damages. However, an integral part of terrorists’ activities is to inform society about their existence and their objectives. Throwing bombs is senseless if it is not accompanied by an information campaign explaining the reasons behind it. Spreading printed leaflets is typically a traditional way to accomplish such objectives, and Web defacement is becoming the modern-day equivalent. Hence, we must consider this method of attacking IT resources as a significant tool in the hands of cyber-terrorists. On the other hand, the phishing attacks on Web pages, when additional information is inserted to benefit the perpetrator, are not very attractive for cyber-terrorists. Such attacks do not cause widespread damages and panic. They target individuals, and their contexts are not having an “advertisement effect” on the public. Phishing attacks should not have any indication that changes were made by non-legitimate authors to be successful. Therefore, we should be aware of these attacks, but we may not consider them a typical cyber-terrorist method of carrying out objectives.
Bibliography http://www.axial.co.uk/mcafee/wp_2000hollanderdefacement.pdf Research on protection of Web defacement. http://www.ccpartnersltd.com/Web/wa-system1.html Example of a tool limiting Web defacement. http://www.etest-associates.com/pressroom/pr _website_defacement_artcl.htm Basic information about the mechanics of Web defacement. http://www.google.com/newsalerts?q=phishing&hl=en Google page devoted to phishing. http://www.healthhacker.org/research/archives/000226.html Report on Web defacement in relation to the war in Iraq.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Web Defacements and Semantic Attacks 105
http://www.honeypots.net http://www.iwar.org.uk/pipermail/infocon/2004-March/001154.html Bruce Schneier on semantic attacks. http://www.ja.net/CERT/JANET-CERT/prevention/case-studies/ web_deface.html Case study of a Web defacement. http://www.net-security.org/article.php?id=672 Nature of phishing. http://www.securitystats.com/webdeface.html Web defacement statistic. http://xforce.iss.net ISS X-Force is an example of a research facility specializing in such research. Other Publications Howard, M., & LeBlanc, D. (2002). Writing secure code. Microsoft Press. Papazoglou, M., & Yang, J. (2002). Design methodology for Web services and business processes. Proceedings of the Third International Workshop on Technologies for E-Services. London: Springer-Verlag. Rogers, M. Psychology of hackers: Steps towards a new taxonomy. Retrieved from http://www.infowar.com/hacker/99/HackerTaxonomy.doc Schiffman, M. et al (2002). Hacker’s challenge 2: Test your network security & forensic skills. McGraw-Hill Osborne Media. Shumway, R. Common-sense: An alternative approach to Web security. Retrieved from www.globalintegrity.com Wang, W. (2003). Steal this computer book 3: What they won’t tell you about the Internet. No Starch Press.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
106 Janczewski & Colarik
Chapter 7
DNS Attacks
The Domain Name Service (DNS) is a mechanism for recognizing and translating domain name addresses. These operations are carried out by devices called Domain Name Servers. Thus, DNS attacks are attacks against the Domain Name Servers. As human beings, we prefer to operate with addresses such as www.auckland.ac.nz rather than 130.216.96.3. The numeric representation is harder for us to remember than a meaningful representation. However, the underlying protocols of the Internet prefer 1s and 0s. To help us, a DNS is used to map the domain name to the numeric equivalent address (i.e., www, ftp, email, etc.) where a given server awaits our request. When a request is made to a given domain, the request is translated by the DNS, and the equivalent IP address of the host server is returned. Internet DNS servers are arranged in a distributed manner so that if one server does not have the mapping, it may request the mapping from other DNS servers. If the mapping is requested from another server, then the requesting server stores a cached copy of the mapping for a limited period of time to be used for providing subsequent queries. Figure 7.1 shows the logic of the DNS operation.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
DNS Attacks 107
Figure 7.1: Logic of DNS operations
Launching an Attack How can a DNS attack be launched? The DNS protocol has virtually no authentication method that provides a means to ensure the identity of both sides of a given transaction (i.e., the requesting client and the DNS server). In the headers of the DNS query and response, there is a 16-bit field that is used for the identification of a query. However, there is no way of determining if the returned message contains a real IP address or if the entire message was sent by a real DNS server. So the whole game is about convincing the DNS client that the received message is genuine. The query IP is generated (in this 16-bit field) sequentially, and predicting future values is trivial through monitoring the communications. When the next query is sent, an attacker can send an
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
108 Janczewski & Colarik
impersonated response using the predicted sequence number; the response contains false information about the requested IP address. Additionally, an attacker may spoof (i.e., provide a false IP address for) the address of the DNS. This will make it appear as though the response actually came from the real DNS. Later versions of the protocol (called BIND) randomize the identification number in an attempt to disable this attack, but if the attacker is able to read the content of the message containing the request for the IP address, the attacker must only generate and send its own message before the response from the real server. Without going into more technical details, it becomes obvious that the lack of authentication of the queries allows for the redirection of messages to places other than the source of the query or the substitution of a legitimate IP address, which could open the door for many different types of attacks.
Handling DNS Attacks The conclusion is obvious. To stop or at least to eliminate the primary sources of DNS attacks, authentication of parties participating in the DNS process is essential. Existing technology allows this through the introduction of the IPSec protocol between the client and DNS server. The Authentication Header mode of IPSec provides this, and the Encapsulated Payload mode may even make the message unreadable for monitoring parties. But to implement this solution, all users and the DNS servers need to use the IPSec protocol. The other solution is to equip the DNS protocol with some sort of authentication. Such a version is called DNSSEC and was already announced and incorporated into the BIND version 9 software. But unfortunately, not every Internet user has implemented it. Until then, we will continue to see DNS server attacks. Combining the nature of DNS attacks with the DDOS concept makes a very dangerous tool in the hands of determined hackers, cybercriminals, information warriors, and cyber-terrorists. Luckily, we know the remedies, but unfortunately, not all users have implemented them.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
DNS Attacks 109
Bibliography http://news.zdnet.co.uk/internet/0,39020369,2111375,00.htm Case of a DNS attack. http://www.cert.org/security-improvement/implementations/i025.04.html CERT on DNS attacks. http://www.crime-research.org/eng/news/2002/10/Mess2301.htm Case of a DNS attack. http://www.nominum.com/content/documents/DRV_whitepaper2.pdf How to handle DNS attacks. Other Interesting Readings Bagnall, B. & Stanger, J. (2000). E-mail virus protection handbook: Protect your e-mail from viruses, trojan horses, and mobile code attacks. Rockland, MA: Syngress Publishing. Chirillo, J. (2002). Hack attacks revealed: A complete reference for UNIX, Windows, and Linux with custom security toolkit. John Wiley & Sons. Chirillo, J. (2002). Hack attacks testing: How to conduct your own security audit. John Wiley & Sons. Kabir, M. (2001). Red hat Linux security and optimization. John Wiley & Sons. Smith, B., & Komar, B. (2003). Microsoft Windows security resource kit. Microsoft Press.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
110 Janczewski & Colarik
Chapter 8
Routing Vulnerabilities
The graphic visualization of the Internet is usually presented as a mesh of connections among millions of nodes engaged in the transmission of billions of messages. These connections can be local (administered by the owner of the systems connected to the node) or general (the owner is responsible for a node or several nodes). The primary difference is the extent of control over the connected systems to the node(s). The major nodes’ job is to transmit messages, but, depending on the node type, they could be labeled a bridge, repeater, hub, or router. The most important of these are the routers. Routers are not only intermediaries for transmitting messages, but they may be used as separators between various networks. This means that some messages circulating in one network may be prevented from penetrating another. In handling the messages, routers know which destination addresses lie on which networks it is connected to, and it does not let traffic spread into irrelevant parts of the system. A visual representation of such a network is presented in Figure 8.1. To a large extent, this structure resembles traditional mail activities. Similar to traditional postal services, Internet messages are accepted without much verification as to the authenticity of a sender or detailed verification of the message content prior to accepting a message delivery. The underlying nature of the Internet infrastructure can be summarized by stating that the nodes are to be considered trustworthy and cooperative. There are, however, the following significant differences.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Routing Vulnerabilities
•
•
111
In the traditional mail system, within one country there is usually only one agency transporting the mail (excluding courier and similar agencies), while on the Internet, there are many. The traditional mail system usually transports the mail via the same routes. In the Internet, the messages may travel various routes that are chosen according to traffic conditions and other operational parameters. In addition, the total package (file) can be fragmented and each fragment dispatched through different routes.
Anyone interested in telecommunication protocols may notice that the major concern of the designers is to deliver messages from the source to a destination in the quickest way without changes in content. These honest assumptions were discovered by people who intended to use the telecommunication facilities for
Figure 8.1: Visual representation of a network (retrieved from http:// starlight.pnl.gov)
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
112 Janczewski & Colarik
their own activities, and not necessarily legal activities. As a result, a number of unauthorized actions can be performed on telecommunication networks such as the following: 1.
2.
Eavesdropping. A user of the Internet may listen to the exchange of messages between neighboring systems (in the logical neighborhood sense, not necessary physically located nearby), and then use that information for their own purposes. One of the most well known cases of such eavesdropping resulted in an attack called MIG-in-the-middle, described in Case 8.1. This case illustrates that sometimes the simple replaying of a message can be used against another party. Session hijacking. A hitchhiker user may block a session between another two users and replace the legitimate information with its own. A good illustration of this is in the case of TCP/IP session hijacking, in which a hacker takes over a TCP session between two machines. The hijacking is possible because authentication of the parties only occurs at the start of a TCP session, allowing the hacker to gain access to a machine. If source-routed IP packets are used, this allows a hacker to participate in a conversation between two other network users by encouraging the IP packets to pass through its machine. If source routing is turned off, the
Case 8.1: MIG-in-the-middle attack
This case refers to the conflict between Namibia and Angola during the late 1980s. South African planes were supporting the Namibians in their fight against the Cubans, who flew sorties on Angola’s behalf. At one point in the war, the South Africans incurred heavy losses due to effective bombardment of the South African camps in northern Namibia. The attack was successful because the Cubans forced the South African ground defenses to believe that the approaching planes were South African and not Namibian. The whole idea was based on intercepting the exchange of signals between South African planes and their ground defenses that were used to determine if the approaching plane is a friend or a foe. The Cubans then commenced their attack run on the camps, and were challenged by the South African defense system to identify themselves. They simply replayed the recorded transmissions, and the defenses stood down. As result of these successful attacks, South Africa withdrew their support to Namibia.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Routing Vulnerabilities
113
hacker can use “blind” hijacking, whereby it guesses the responses of the two machines. Thus, the hacker can send a command but can never see the response. An example of another possible attack follows. It is based on intercepting messages that precede two parties’ exchanging a symmetric key used for encryption for further communication. The interception of such a key would allow a hacker to read all the subsequent correspondence, until it would change that symmetric key. 1. User A wants to communicate with B. 2. A sends a message to B, informing him that he would like to set up a secure transmission channel. To accomplish this, he includes in his message his public key, which then may be used by B to encrypt a message sent to A. There is no need to encrypt the message, since the public key is, as the name implies, public. 3. This message is hijacked by C, who may read the message and find out what A wants from B. 4. C then may replace A’s public key with his own public key, and A’s address with his own. Such a modified message is then sent to B. 5. B replies with a message that includes the symmetric key for the further correspondence, and encrypts that message with C’s public key without the knowledge that this is, in fact, C’s key rather than A’s. In this way, C now owns the symmetric key intended for use between A and B. 6. C then may resend B’s message (modified as needed) to A, using A’s original public key. 7. A may start using the received symmetric key without the knowledge that C knows it. This means that C can act as a man-in-the-middle for further correspondence between A and B. This process is illustrated in Figure 8.2. In Chapter 5, we discussed the DOS and DDOS attacks. It is important to note that router vulnerabilities can be used as launching pads for such attacks (e.g., the Smurf attack). The attacking system broadcasts ICMP Echo-Requests to many zombie stations on the network and changes the source IP address from its own to that of the target system. As a result, the target system is flooded with Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
114 Janczewski & Colarik
Figure 8.2: Session hijacking for intercepting the symmetric key A: User
C: Hijacker
B: User
A B: R, PA
Replaced by: A B: R, Pc
B A: {R, K}C Replaced by: B A: {R, K}A At this point, A and B will start using the K symmetric key C reading their correspondence
R: request for key exchange PA: A’s public key {A}C: message encrypted with C’s public key K: symmetric key
an enormous number of Echo-Request frames. This is possible because the router, during handling the Echo-Requests packages, is not verifying if the source IP address corresponds to the place from which the packet was sent. In other words, the router is not doing the authentication of the incoming messages and stopping those that are fraudulent. All of these unauthorized actions can happen at the nodes or at the routers controlling the flow of information across the network. Hence, these types of threats are commonly referred to as router vulnerabilities and vulnerabilities of the routing protocols.
How to Eliminate Router Threats Eliminating router threats is easier said than done. The Internet infrastructure is founded on an open access infrastructure, and its resulting protocols represent this approach. A strong authentication mechanism needs to be introduced so that each router can detect any changes in the following: • •
The content of each message or packet. The address of its sender.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Routing Vulnerabilities
• •
115
Unreasonable changes in the routing algorithms that govern path and usage. Unreasonable delays in the transmission of a message or packet.
The introduction of these restrictions is advocated by many security specialists, and many current initiatives are following these recommendations. The IPSec protocol addresses these issues. However, the implementation of this protocol for handling all data by network router transactions would dramatically increase the messages overhead and slow down the whole operation. It could be compared to the situation that all distribution centers of traditional mail systems would treat every letter they process as registered. This would not be very sensible. In our opinion, it is the role of end users’ systems to take care of any potential elimination of message interceptions or modifications. As a matter of fact, Public Key Infrastructure (PKI) systems have been developed and introduced to eliminate these threats. But it is a relatively new technology and is still not in widespread use. Router vulnerabilities not only can be exploited, but also can be introduced through illegitimate products or patches into a system or server node. This indicates the need to establish methods of secure notification, downloading, and installation of patches to existing systems. Substantial research on a worldwide scale is being conducted presently in this field. In view of the growing importance of telecommunication systems, perhaps it is time now to go back to the drawing board and redevelop the complete infrastructure for forwarding packets.
Importance of Routing Vulnerabilities for Prevention The vulnerabilities of routing protocols can be exploited by hackers, including cyber-terrorists and cyber-warriors. This could lead, for instance, to DOS and DDOS attacks. We must understand that mass attacks to disable well-known targets are not the only method attackers may use to accomplish their objectives. An attack could be much more sophisticated. Imagine an attack against the IT facilities of air traffic controllers at a major international airport, an attack that could increase by a factor of 30% the readings of the planes’
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
116 Janczewski & Colarik
altitude along the landing path. How many deaths would result from such an attack? As a matter of fact, such an attack was described in one of the Bruce Willis’ films. Router vulnerabilities may not necessarily be used for carrying out direct attacks. They can also be used as a tool to collect the necessary information for the preparation of an attack. It could be as simple as the analysis of the volume of traffic around a router to find out which paths are the most frequently used, and then to try to disable these connections in order to increase disturbances of regular network activities. Routers’ vulnerabilities are usually the stepping-stone to launching a significant part of cyberattacks. The elimination of the source of these attacks is very difficult for a number of reasons. • • •
•
Existing telecommunication protocols are poorly designed for the elimination/prevention of these attacks. The hardware of the nodes is not standardized. There are many manufacturers, and usually they use different design principles. The nodes are installed all over the world, and national governments are enforcing different laws. For instance, in several countries, there are laws that ISPs must provide access to their facilities for law enforcement agencies to install eavesdropping equipment (e.g., so-called RIP Act in United Kingdom). The introduction of stricter authentication rules could lead to a significant increase in traffic overhead.
From the perspective of the IT manager, the way to reduce the danger of router vulnerabilities is to introduce stricter restriction on traffic leaving and entering the organization. Use of stronger mutual authentication with corresponding parties, wider use of encryption, and/or a system approach via the introduction of PKI would be a way to reach this objective.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Routing Vulnerabilities
117
Bibliography http://iepg.isc.org/advs.html IEPG Operational Advisory Notes on network vulnerabilities. http://iepg.isc.org/docs/IEPG-March94.html Position of Internet Engineering and Planning Group (IEPG) on network vulnerabilities. http://staff.washington.edu/dittrich/talks/qsm-sec/hijack.html Demonstration of session hijacking. http://www.bankersonline.com/technology/mbg_possibleattacks.html Article on protection of your cyber-borders. http://www.iss.net/security_center/advice/Exploits/TCP/ session_hijacking/default.htm Brief on session hijacking methods. http://www.nta-monitor.com/services/regular%20monitor.htm Tools for checking your network vulnerabilities. http://www.wabot.com/productservices/security/services/pene trationtesting.html Tools for checking your network vulnerabilities. http://www.webkreator.com/cms/view.php?id=1686 How to use the features of the HTTP protocol to stop or at least detect session hijacking attempts. http://www.xchangemag.com/articles/1B1front4.html Interesting overview of the U.S. Government and industry’s move to protect the Internet from cyberattacks. Other Interesting Readings Martin, R. (2001, November). Managing vulnerabilities in networked systems. Computer. McCarty, B. (2002). Red hat Linux firewalls. John Wiley & Sons. Rajesh, K.S. (2002). Cisco(r) security bible. John Wiley & Sons.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
118 Janczewski & Colarik
Security complete. (2002). Sybex Inc. Shepard, S. (2001). Telecom crash course. McGraw-Hill Professional. Shimonski, R. (2002). Security+ study guide and DVD training system. Syngress. Written testimony of Timothy R. Graham, Executive Vice President & General Counsel, Winstar Communications, Inc. (2001, December). United States Senate Committee on Commerce, Science and Transportation.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identity Stealing Attacks 119
Chapter 9
Identity Stealing Attacks
In recent years, several feature films have been produced based on the concept of stealing an identity. As a result of deliberate or accidental changes to personal records, a person can cease to exist on paper, or someone else can acquire a person’s identity. These film directors’ concepts are not products of their rich imaginations, but are a reflection of reality. Quite often, we read about such accidents happening. Stealing an identity is a favorite step in the preparation of terrorist and cyber-terrorist attacks, and all of us, IT managers in particular, should be vigilant about such possibilities.
Examples of Identity Theft Attacks Stealing an identity can vary from simple impersonations to elaborate electronic scams. An example of a traditional impersonation occurred during the first half of 2003 when a person of Middle Eastern origin was attending a private airplane pilot program in New Zealand. Towards the end of the training, this person left the country, but someone else arrived at the examination site and pretended to be that person. Fortunately, the fraud was discovered before the examination for the license was over. The impersonator claimed that all he wanted to do was help the stranger get the licence. The case is under considerable investigation at the time of writing this text. Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
120 Janczewski & Colarik
Cases of stealing people’s identity via e-mail are quite popular. There is a recent surge in the sending of spam messages that look as though the message comes from a reputable company. It is quite easy to fake the sender’s IP address (spoof) in such correspondence, as mentioned in a previous chapter. Typically, these e-mails tell you the following: • • • •
Your account has had some issues. New policies and procedures need your authorization. You need to participate in some customer satisfaction survey (for a reward). We are offering great deals, if you register now.
If you register, you will need to supply some of your personal data, which then can be used to the advantage of the person behind such a scheme. An example of such a scam is presented in Case 9.1. The term phishing is used to describes identity theft activities.
Case 9.1: Example of phishing: Westpac Bank In November 2003, many Westpac Bank customers in New Zealand received an e-mail with the following content: --------------------------------------------------------------------------------------------------------Dear Westpac Bank Member, This e-mail was sent by the Westpac server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your Westpac Banking Customer ID and Password. This is done for your protection – because some of our members no longer have access to their e-mail addresses, and we must verify it. To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link, copy and paste the link into the address bar of your Web browser. http://www.westpac.com.nz:[email protected]. rU/?on9Pji4ztg0qAw1 --------------------------------------------- ----Thank you for using Westpac Bank! -------------------------------------------------This automatic e-mail sent to: (hubby’s email address) Do not reply to this e-mail. Oxie (Lyn)
(case continued on the following page)
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identity Stealing Attacks 121
Case 9.1: Example of phishing: Westpac Bank (continued) The trusting Westpack Bank customer would then click on the link and the following screen would appear:
The background screen was indeed that of Westpac Bank. But the pop-up window that had appeared on the lower right corner (“Welcome to Westpac Internet Banking”) is a part of the scam. Unsuspecting customers gladly entered their customer number and password to receive a polite thank you from the scammers.
This case represents several issues that all e-commerce providers must acknowledge. The first is that despite the bank’s usage agreement stating that customers should never give out their passwords, people will defer to what appears to be a legitimate authority without additional conditioning or training. The second is that an educated e-mail user may notice that the letter is a scam. The link indicated in the initial e-mail is pointing not to a New Zealand domain (letters .nz), but rather a Russian domain (.ru). The next warning is that after the initial click by the user, a blank screen appears briefly with the address http://rk3bcj0tu.da.ru/?on9Pji%204ztg0qAw1, indicating again that this is a redirected Web page.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
122 Janczewski & Colarik
The proliferation of stolen identities is growing. Angel Verdejo from the Shorthorn (USA) summarized this in the following way: Federal government reports estimate that between 500,000 and 700,000 incidents of identity theft occur nationwide each year. The Federal Bureau of Investigation calls it the “fastest growing white-collar crime.” People are using students’ identification cards and Social Security numbers to steal identities and wreak havoc on credit reports and accounts. Though some students say they are not aware of the problem, James Ferguson, a university assistant police chief, said the smartest thing anyone can do is to use common sense and think twice before handing over personal information. “Students need to know that there are people out there who will take your wallet if they can get it,” he said. When purses and wallets are stolen, Ferguson said that the first call everyone makes is to their credit card company. What they don’t realize is that Social Security cards and other personal identification are just as important as the credit cards. Universities and colleges nationwide use Social Security numbers as student identification numbers. This can leave some students open to identity theft. Police reported an incident this semester in which a person acting as a telephone representative was able to obtain a student’s Social Security number, birth date, and credit card number. The student later received a bill for a loan taken out in her name to purchase a computer. Ferguson said this incident could have easily been avoided. “The bank doesn’t need to call you for your information,” he said. “They can get it other ways. This problem isn’t new. It’s been going on for years.” (http://www.theshorthorn.com/archive/ 2002/spring/02-jan-23/n012302-02.html) So how is such an attack prevented? Here are the common lines of defence suggested in the same Internet correspondence. •
If you maintain an account online (i.e., bank, merchant, etc.), bookmark a link to the login page that you trust. Whenever someone asks you for your personal information, verify that the location in the top bar of the browser displays the site you trust.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identity Stealing Attacks 123
•
If your account is with Paypal.com, Figure 9.1: Warning about make sure the URL in the location bar identity theft has paypal.com as the ending part before the first /, after the http://. The following are examples of scams: • http://whatever.paypal.us/ • http://paypal.customer service.com/ • http://security.paypal.info/ The same applies for other institutions such as banks, Amazon.com, and so forth.
•
It is best to be very cautious when you fill out a form online. The majority of these scams seem to come from African countries, Eastern Europe, and China. Exploring legal options overseas might be a tough problem.
Many law enforcement agencies and voluntary organizations are preparing information warnings about the danger of stealing identities. Figure 9.1 is an example of such a message prepared by the Asia-Pacific Economic Cooperation organization.
Conclusion Indeed, incidents of identity theft occur nationwide, and it is the fastest growing white-collar crime. All of us, IT mangers in particular, need to be especially vigilant about this issue. Identity theft has many forms, from the very traditional (forging signatures) to the very sophisticated (electronic frauds).
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
124 Janczewski & Colarik
The motifs of the attackers may differ from efforts to get access to someone’s account (Case 9.1) to highly sophisticated approaches. Stealing an identity may allow a cybercriminal to cause a lot of damage to innocent persons or organizations. Unfortunately, it may also become a very important weapon in the hand of a cyber-terrorist. The possibilities are endless and real. For instance, the electronic identity of a field commander could be stolen and used to mobilize troops to undertake an action suggested by the attacker. The allied forces use electronic communication for coordination activities. Obviously, we are oversimplifying the exhaustive security procedures in place by military forces, but one can never know how information will be used in times of conflict or ignorance. Again, the objective of cyber-terrorist attacks is either to destroy (physically) the IT facilities or to render them unfit to carry out their designated goals. The second objective of the attacker is to get electronic access to the facilities. There are many methods of accomplishing such objectives; the methods broadly fall into two groups: technical and social. The most well known world hacker, Kevin Mitnik, stated that he found social engineering the easiest way to get unauthorized access to IT resources. Identity theft attacks are one of the social engineering methods. It is the simplest way to launch an attack against IT resources. It can be used by any hacker, including a cyber-terrorist. In conclusion, we must state that there is a very high probability that an identity theft attack may be just a first step for many cyber-terrorist attacks. Defences against identity theft attacks should be based on two correlated domains: • •
Technical security measures, including all encryption, identification, and authentication procedures. Social engineering considerations, including informing all systems users of the possible tricks an attacker may use, and implementing strict rules of behavior under such situations.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identity Stealing Attacks 125
Bibliography http://grc.com/optout.htm Home page of an organization dealing with spyware issues. http://vsbabu.org/mt/archives/2003/05/01/identity _stealing_scams_via_email.html Anatomy of identity theft attacks. http://www.consumer.gov/idtheft/law_investigate.html ID Theft Investigations. http://www.fbi.gov/congress/congress02/idtheft.htm FBI Congressional Testimony on Identity Theft and Terrorism. http://www.keyisit.com/newsletter/2003/september.html Biometrics as a tool for reducing identity theft. http://www.theregister.co.uk/2001/03/05/stomp_the_identity_thieves/ Overview of identity theft problems. http://www.tipz.net/identity.htm Tips on avoiding identity theft. http://waysandmeans.house.gov/media/pdf/ss/factsheet.pdf U.S. House Ways and Means Committee Social Security Identity Theft Fact Sheet. Other Interesting Readings Hammond, R. (2003). Identity theft: How to protect your most valuable asset. Career Press. Lake, S. (2004). Identity theft: How to protect your name, your credit and your vital information, and what to do when someone hijacks any of these. Silver Lake. May, J. (2001). The guide to identity theft prevention. 1stBooks Library. Vacca, J. (2003). Identity theft. Momentum Media.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
126 Janczewski & Colarik
Part 3 Handling Information Security Issues
In Chapter 1, we reviewed the security problems faced by IT managers. In Chapters 4 through 9, we presented the most probable cyberterrorist attacks against computer installations and discussed what steps need to be taken to reduce an organization’s vulnerabilities against these attacks. In doing so, we have shown and will continue to demonstrate that we are stringent followers of the systems approach to problem solving. This approach implies that if one is facing an issue requiring a solution, the search for it must accommodate not only the main problem, but also any potential impacts with other parts of the environment. Focusing on a direct solution to a problem is the essence of what is known as the piecemeal approach, which is known for its lack of optimization of efforts and effects. The lack of collective unity in the piecemeal approach often leads to a number of individual solutions that contradict and interfere with each other. There are many possible cyberattacks. Not discussing additional approaches to securing the organization from these types of attacks will only expose an organization to additional unnecessary risks from other forms of attacks that may be carried out by information warriors and cyberterrorists alike. We would like to emphasize that this book is not an all-encompassing text on managing
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Part III: Handling Information Security Issues 127
information security issues. We are not discussing all the issues related to the subject. However, what we are addressing in this section of the text are several security-related issues related to handling terrorism and cyberterrorism attacks against IT that, through their resolution, would not only significantly increase the security of information technology, but increase resistance to cyberterrorist attacks. Among these issues are the following: •
•
•
•
Identification, authentication, and access control. A significant part of a cyberterrorism attack requires access to part of the information system that is restricted by the owner of the system. An unauthorized operator can be an innocent operator, a hacker, or a cyberterrorist. All of these operators have the potential to cause a lot of damage. Thus, there is a need to establish stringent rules on how to identify persons and systems wanting to get access to the system, as well as how to determine which system resources should be made available to a given person or system. Personnel security. There is a saying that the best protection mechanisms within an organization are its employees. Creation of a security-conscious atmosphere will greatly increase resistance of an organization against any possible security breaches, including cyberterrorist attacks. This requires careful vetting of all applicants and employees, as well as establishing and enforcing rules of employee termination. Operations security management. To minimize the risk of system failures as a result of security incidents, a set of rules should be introduced that govern daily preventative measures that an organization must perform as a matter of consistency. More importantly, these rules significantly improve an organized response by the firm as a result of security incidents. These rules cover such activities as operational procedures and responsibilities, systems planning and acceptance, protection against unauthorized software, and similar housekeeping issues. Information security policy and business continuity planning. Each company needs to develop its overall strategy for dealing with information security issues. This can be done through developing or enhancing its information security policy to include and manage information security against possible cyberattacks. These are capstone issues of information security development and implementation. Because this is a capstone issue, we have placed it at the end of the text to permit a robust understanding of its implementation.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
128 Janczewski & Colarik
In this section, we will discuss these issues in detail. In Parts I & II of the book, we have been addressing cyberterrorism and information warfare. In Chapter 3 we defined cyberterrorism and cyberwarfare. We concluded that the differences between these two phenomena are mainly the motifs of the attackers rather than the way they carry out their activities. Therefore, in the following chapters, we will focus on an overall approach to prevention, irrespective of which intention is enacted.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 129
Chapter 10
Identification, Authentication, and Access Control
It is a known fact that terrorists are developing a keen set of technology skills to further their agendas. As previously stated, they use IT for their operational purposes as well as for launching attacks. In the IT domain, identification/ authentication of a user is the first step in gaining access to system resources. Identity theft attacks are the simplest way to accomplish this objective, as was discussed in the preceding chapter. In these times of increased security awareness, IT managers must examine very carefully their identification and authentication subsystems to prevent the disabling or bypassing of the system by an unauthorized party. In this section, we will discuss identification, authentication methods, access control, and how to strengthen these methods for added resistance against possible attacks.
A Question of Proper Identification We will start this chapter with two cases that identify the need for authenticating a party’s identification in a terrorism environment.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
130 Janczewski & Colarik
Case 10.1: Al Qaeda announcement On August 12, 2003, CNN made the following announcement: JAKARTA, Indonesia (CNN) – The al Qaeda terrorist network has claimed responsibility for last week’s bombing of the Marriott Hotel in the Indonesian capital of Jakarta, terror experts have confirmed for CNN. The claim comes amid reports the Marriott bomber may have been a member of a new 15-strong suicide strike brigade, which is preparing more attacks. Bomber Asmar Latin San was a member of Laskar Khos, a group whose members were prepared to die in their attacks, Indonesian police told the Sydney Morning Herald newspaper. Laskar Khos is an Arabic phrase which means “special force,” they said. The new group is reported to have formed inside the al Qaeda-linked Jemaah Islamiyah group which is believed responsible for the Marriott blast and the Bali attacks of October 12th which killed more than 200 people. The al Qaeda claim of responsibility was released to Arab media sites over the weekend in an unsigned statement.
It is worth examining this announcement from the information security specialist’s point of view. Objectively, a non-disputable fact that we can draw from this story is that the world’s mass media network received a message about the activities in the above case. No more, no less. The identification and authentication of the message from al Qaeda was weak, based on the content of the original message. The attack was carried out using methods implemented previously by al Qaeda units, and, more importantly, the public was waiting for such an announcement. It is obvious that anyone could have generated such a
Case 10.2: IRA communication channel It is not a widely known fact that during the period of the highest IRA attacks in Northern Ireland, the British government established a sort of communication channel with the IRA command. At that time, the typical IRA policy was to plant a bomb and inform the authorities shortly before the timed explosion about the bomb’s location. Both sides of the conflict wanted to be sure that the warning message was genuine. Because blind terror was not the IRA’s primary objective, and the British government was unable to respond to every bomb alert, both sides accepted a specific delivery method of a warning to assure its authenticity.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 131
claim. There may be situations in which such messages would be announced by publicity-seeking groups or individuals, while the real actors remain silent. These two cases illustrate the point that it is not enough to examine the correctness of a message. The handling of a message must also be verified prior to its acceptance and release by the source from which it is claiming to come. Otherwise, we may have situations such as those frequently reported from the Israeli-Palestinian front that occur after a suicide bombing where several groups claim responsibility simultaneously.
Key Definitions As in the previous chapters, we need a common reference point for discussions related to identification and authentication procedures. They are as follows: • • •
Identification: Procedures and mechanisms that allow agents external to a system to notify the system about their identity. Authentication: Procedures and mechanisms that allow a system to ensure that the stated identity of an external agent is correct. Access Control: Rights to access-given resources with regard to computer systems, the specific rights to read, write, or process.
In a typical and integrated identification and authentication approach, it is common to use a user login and password like the following example: login: password:
lech chrzaszcz (used under protest by the other author)
The login usually is set up by the system administrator, and the user normally has few opportunities to change it, although the password may be periodically changed. However, this approach is not the only method to deliver proof of a user’s authenticity. These proofs fall into three categories:
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
132 Janczewski & Colarik
•
• •
Personal knowledge. This can be simply a password or an association. An association is something the user knows, but very few other people know. This is usually accomplished by providing prior knowledge of some specific topic, such as your birth date, name of your partner, name of your pet, and so forth. Something possessed. This usually means a magnetic card or smart card with specific information on it, or some other type of token. Biometric verification. The authentication subsystem compares recorded physical parameters of the person with the stored data. The most popular of these methods at the moment are scans of fingerprints, facial features, and retinal comparators.
Once the identity of an entity has been authenticated or verified, access control governs the granting of access to system resources assigned to a given entity.
Security of the Authentication Methods Design of the authentication subsystem must provide adequate protection of the system against possible break-in. Case 10.3 illustrates the perils of such a design. An important question is how easy or difficult is it to break any of these authentication methods? Also, what methods should be implemented to reduce such a probability? In the following section, we will present the most important limitations and the ways of handling them.
Personal Knowledge and Passwords Regardless of the type of key used to unlock and access information, it is always a string of characters and/or numbers. On average, humans have limited memorization abilities. As a result, we tend to be able to remember up to a 10digit code. Because most password systems are designed with this in mind, and many people prefer not to memorize complicated passwords, people tend to use words and values that have already been memorized earlier in life or are an established sequence of characters.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 133
Case 10.3: Passwords that are easy to find Some time ago, one of the authors was approached by a worried Internet user. He presented three slips of paper on which there were notes of password information sent by a local ISP to three different Internet users. The ISP had a practice that after receiving a registration form (sent via traditional mail), the user’s ID and password had to be generated and sent to the client through courier post. An important point is that both the user ID and the password were printed on one document about the size and format of a regular payslip. Reading the three slips of paper allowed us to draw three conclusions: 1.
The ISP client’s ID was abbreviations of the client’s name.
2.
The password was generated by a simple substitution of the ID with the other letters.
3.
On the slip there was no information that you should or could change the password during the first login.
This constitutes a typical security hole, and we informed the ISP about our findings. The ISP ignored the call. In order to protect the customers, we went public. The mass media loved the story and gave it significant publicity. We were counterattacked by the ISP that we were not sensible about creating a scare, but we stood firm in our findings. As a result, the ISP was forced to put Internet services on hold and courier away several thousands slips with new passwords. The ISP sustained significant losses, both in finances and in trust.
The problem with this approach is that an attacker can launch a “brute force” attack (trying all possible character combinations), a “dictionary” attack (using common words and phrases), or a “QWERTY” attack (using keyboard patterns). These password attacks have been automated and are usually free for downloading from the Internet. Using such tools, a five-character password is usually broken in a few minutes, and longer passwords are broken with more time. The first set of rules in generating a good quality password is as follows: • •
Make them as long as possible, and no larger than 10 characters. Do not pick a word in any popular language, as that would make a dictionary attack successful. By the way, we violated this rule in the
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
134 Janczewski & Colarik
•
example given earlier in the text: chrzaszcz means cockchafer in the Polish language. Generate a good quality password by using one of the two procedures below: 1. Take a dictionary word and add characters (numbers or letters) somewhere in the word (e.g., pictu34re or 9hercules8). Make a mental note of what type of characters you are adding and where they would be inserted in the word (i.e., I was dressed as Hercules at the 1998 Halloween party). 2. Use a sentence to generate a password (e.g., Little cow jumped over the moon during the weekend) and take the third letter of each word (i.e., twmeeoree).
Using personal associations is a two-edged sword. It is estimated that the average U.S. citizen is recorded in over 200 databases. Dates and places of birth, family and friends, and even pet names have been recorded for future use. With some investigation, personal associations can be deduced and loaded into an attack tool for an intended target. If such associations are unavailable electronically, they may be acquired from friends, family, or individuals by asking questions in what is commonly referred to as social engineering. Some systems permit the usage or incorporation of a question that can be used to prompt a user for a lost or forgotten password. These may also be used to guide a user in the selection of a password. Questions such as, “What is the location of your optometrist who prescribed your first glasses?” are stronger than “What is your date of birth?” After using such a question to create a new password, the system administrator should ask the owner to generate a new question and answer.
Password Mechanisms and Processes All passwords are stored in a password file, and it is obvious that anyone who wants to have unauthorized access to the system would try to read the information stored in these files. There are many methods that make such a
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 135
reading difficult. Among them is the most common approach, which is to encrypt the contents of the file. In standard encryption, a cryptographic key is used to encrypt and decrypt. In password encryption, the file is protected through the use of a one-way encryption algorithm known as a hash product. This encryption approach takes the password and encrypts it in such a way that the result cannot be decrypted to deduce the original password (i.e., it is computationally infeasible to find the original password from the hash product). Thus, with this approach, the password file stores the hash product of the password rather than the password itself. The password is not protected by the content of the file, but by the power of the hashing algorithm. The following is an example of another simple technique that can make a successful direct attack on the password file difficult. How does such a system work? • • • •
• • •
The accessed system generates the hash of the password and stores it in a password file. The password itself is not stored anywhere. If a user wants to get access to the system, a login request must be made to the system. The system replies with a randomly generated number sequence. The user’s terminal produces a hash of the password given by the user and then encrypts that hash using the received random number as a symmetric key. This message is sent to the system and compared with the password hash stored and encrypted with that random number. If these two data strings match, access is provided. It is assumed that both sides of the communication know the password.
The process is presented graphically in Figure 10.1. Such a system eliminates sending any password information in the open and discovering any regularity in the messages containing password data. Also, this means that the system administrators do not know the password used by their system users. The practicality of such solutions indicates that the only feasible methods of obtaining someone’s password are restricted to one of the following scenarios:
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
136 Janczewski & Colarik
1. 2.
Intercepting the password at the source, during the password entry. Intercepting the password through social engineering.
The first scenario could result in adding Trojan software to the system and making it the first point of contact with the system. During the login procedure, the user is asked by the Trojan to provide the login and the password. Then the Trojan informs the user that the password is invalid and asks for it to be done again. Only after this step (and after verifying the login and password) is control passed to the original identification or authentication facilities. This is why Microsoft Windows allows password entry only after pressing Ctrl+Alt+Del keys, as this procedure would eliminate such a Trojan. The interception of a password through social engineering is illustrated by an incident involving a clever thief and an overly cooperative person (Case 10.4).
Figure 10.1: Authentication using random numbers
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 137
Case 10.4: Simple and effective social engineering A university staff member stepped out of her office for a few minutes to go to the bathroom and then returned to her office. In those few minutes, her wallet was stolen from her bag. Not realizing that this occurred, the rest of the afternoon was uneventful, and she returned home. Once home, she discovered that the wallet was missing and returned to the office. The phone rang as she searched the office for the wallet. It was a pleasant gentleman who claimed to be from the bank. This gentleman told the woman that her debit card had been found, and that the procedure to cancel her card required her pin number. Having been taken completely off guard, she gave him the pin number. This well-spoken gentleman then stated that a new card would be issued promptly. It was at this point that she had second doubts about revealing her pin number and pressured the gentleman for some answers. In return, she received a bank contact phone number. She called this number, which appeared to be the number of an expensive hotel in town. So she decided quickly to call the bank, only to discover that there was no such gentleman working for the bank, that there was no such procedure for cancellation, and that the clever thief withdrew $500 using her pin number before the bank was able to cancel the card.
Because a password system is only as strong as its weakest human link, it is nearly impossible to develop a secure password system, regardless of the mechanisms used. Thus, all users must be warned that under no circumstances are they to release their password to anyone. If a password is lost or needs to be reset, the system administrator must invalidate the user password and establish the introduction of a replacement password, followed by a mandatory change of that password by the user. Social engineering is a very strong tool in the hands of any cyber-warrior. Many security specialists and hackers indicate that the easiest way to get unauthorized entry to a system is to convince an individual to release some specific information.
Password System Policy The use of weak passwords is notorious. Passwords like password, guest, or host are quite common, especially in newly installed servers and devices. To combat this, Microsoft Windows and many other operating systems have
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
138 Janczewski & Colarik
powerful facilities to enforce a sensible password policy approach. It is possible to accept only passwords of specific minimal length, specific content so that dictionary entries are prohibited, and password re-use prevention. An example is presented in Figure 10.2 for establishing the settings of a password policy format in Windows XP. To eliminate the use of brute force attacks, the system may limit the number of attempts to access to the system. Again, Windows XP is used as an example of setting such parameters. It is shown in Figure 10.3. These settings prevent recirculation of old passwords, establish the minimum and maximum password age, password length, complexity of the format, and the method of storage.
Something Possessed In its simplest form, an entry token can take the form of a magnetic strip on the back of a card (i.e., a credit card). The strip contains the user ID and a password. Smart cards are similar but are able to do some computation on received and stored data. At present, authentication tokens are becoming quite
Figure 10.2: Windows XP password settings
Figure 10.3: Windows XP account policy settings
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 139
Figure 10.4: Authentication token
popular (see Figure 10.4). Once the identification data stored on the token has been accessed, the authentication process is the same as previously discussed. The advantage of the token is that it does not require the person to remember the password or any associations. The disadvantage is that the token can be lost or stolen and then used by a hacker or cyber-terrorist. Another security approach for the use of passwords is accomplished by using so-called crypto cards (see Figure 10.5). Crypto cards are essentially a generator of one-time passwords. It works in the following way:
Figure 10.5: Crypto card
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
140 Janczewski & Colarik
1.
2.
3. 4. 5.
6. 7. 8.
Both the card and the system to be accessed contain synchronized generators of random numbers. Synchronized means that when using a given input, both generators generate the same number. When a user wants to access a system, the user switches on the cryptocard and enters a pin number. The cryptocard checks for the last time the card was used and, as the result, generates the challenge number. This is displayed on the card. Then the user enters the user’s logon to the system. The system performs exactly the same computations as the cryptocard and ends up displaying a number on the monitor. If the number on the cryptocard display matches the number on the monitor, then it means that no one has activated the cryptocard, or no one has gained access to the system. The user then presses the Enter key on the cryptocard, which produces a response number on the card display. The user reads the response number and enters it into the system. The system performs the same calculations, and the same response number should be calculated by the system. If both numbers match, then the user is allowed access to the system.
This system offers a very high level of security for the following reasons: •
•
•
No passwords are stored on the system. If someone tries three times to enter an incorrect password on the cryptocard, the card becomes locked, and unlocking it requires the intervention of the system administrator. Lack of synchronization of the card and the accessible system is an indicator of unsuccessful attempts to enter the system or to use the cryptocard. It is computationally infeasible to find the challenge and the response numbers.
The basic disadvantage of the solution is a lengthy and elaborate procedure leading to successful access to a system. There are also some problems with the issuing of crypto cards (i.e., cost, handling lost or locked cards, batteries
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 141
for cards, etc.). Recently there was a successful attempt to replace a dedicated crypto card with a mobile phone or PDA (Optimation Ltd., New Zealand).
Biometric Verification Progress in the design of sensors or scanners using biometric parameters as the method of verifying the authenticity of a person is making the utilization of these methods more feasible. Quality of the biometric verification is based on two important parameters: • •
Ratio of acceptance of invalid ID to the total number of attempted logons. Ratio of false alarms to the total number of attempted logons.
It is obvious that both parameters should be as low as possible. Indeed, current improvements in biometric technology are reducing both of these ratios. Depending on the type of biometric verification, the ratio could be as little as a percent difference (e.g., voice recognition) to a fraction of a percent difference (e.g., fingertips scan). Many governments plan to introduce the encoding of facial features to passports to increase the quality of identity verification as a means to discover unwanted individuals at national borders. This would be one more layer in the arsenal of identifying people on national alert lists entering at border checkpoints. From the perspective of immigration and security authorities, such steps are quite warranted. First, it allows for identification of the bearer of a passport, and secondly, it is (at least theoretically) possible to identify unwanted individuals regardless of what document they may have in their possession. Osama bin Laden’s facial characteristics are well known and could be entered into such a database. Then, at a border, he would be identified despite any passport he would present. Many businessoriented organizations are evaluating the capabilities of biometric verification and considering its application for internal uses. Despite all of this, the applicability of biometric-based authentication for typical information systems is, in our opinion, questionable. The following is why we think our opinion is justified. All authentication methods are based on a threephase process.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
142 Janczewski & Colarik
1. 2. 3.
Generation of the template for verification (i.e., password, PIN, record of fingerprints, etc.). Storage of the template. Comparing the supplied template with the one stored in the database.
To compromise the system (i.e., to get acceptance of an unauthorized party), the security of one of these processes must be violated. The biometric template is usually much longer than a standard password. This means that a brute force attack against the template file is much more difficult. Also, breaching the security of the template is not strongly related to the length of its record (template). On the other hand, replication of the template through social engineering is relatively easy (e.g., “Oh, we need to take your eye scan for security purposes.”). No one can claim that the current technology is 100% secure, especially with regard to someone’s biometric template. It is possible that a personal template can be compromised and therefore, the biometric identity of a person duplicated, leading to the need to invalidate the authentication process. As a result, a victim of this kind of theft would forever lose the chance to gain access to a given system based on the person’s biometric fingerprint template. Imagine this new form of denial of service that prevents a professional from ever having access to biometrically secured systems. For this reason, we recommend that biometrics not be utilized in regular business information systems.
Possible Leaks of a Password or Authentication Template At the present level of technology regarding non-encrypted passwords, the authentication token or template exists only between the input device and the nearest terminal. These issues were discussed earlier in this chapter. Successful attacks on the password during transmission (in the encrypted format) are practically non-existent as a result. The attention of the staff must therefore concentrate on eliminating the possibility of leaks during the early stages of the password life cycle, that is, between its generation and the first encryption or hashing. Therefore, we should lessen the exchanges between the password collection and its encryption or hashing. If a password must be entered via a terminal, then there is always the possibility that some Trojan software may
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 143
Figure 10.6: Portable cryptographic device
intercept it. The current trend of using cordless keyboards is contrary to security needs, since remote interception of the transmission between the keyboard and the terminal is easier than going through a hard-wired connection. One of the most secure methods to eliminate such a leak is to use a cryptographic tool switched in series between the keyboard (or other input device) and the terminal. The tool takes all the signals generated by the operator on the keyboard and converts them to a ciphertext before it is delivery to the terminal. An example of such a device is a portable cryptographic tool presented in Figure 10.6. The cryptographic process is performed on a smart card plugged into the device, and, as such, the process is very safe.
Access Control The next step after determining the identification of an entity and authenticating its credentials is associating the entity with some form of access rights to files
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
144 Janczewski & Colarik
or system resources and then providing that access. These associations come in the form of read-only, read/write, or execute (or combinations of them). Access rights may be permanently or periodically granted, depending on the security requirements of a system. Access rights must be governed by a set of strict rules based on business requirements. These requirements usually fall somewhere between two extremes: •
•
A “Need-to-Know” policy, which states that management supplies only the information that is necessary to perform a given task. This is often called the military-style approach. The business approach, which is based on the principle that everything is to be made available in the course of performing a task unless it is explicitly restricted.
All access rights are accumulated as part of a system called a reference monitor. Positively authenticated users of a system are directed to the reference monitor to have their access rights defined. These access rights can be determined in two ways: through the resources or through the users. In the first case, each file or procedure has a list of all users with their corresponding access rights. In the second, each user has an associated list of files and resources that the user can access. Both solutions lead to enormous matrixes that are nearly impossible to administer effectively. Thus, the process of allocating resources to specific persons is done through a staging process, first by setting privileges, then by collecting them into roles, which in turn are assigned to individuals. The best way to explain this is by examining the process of a medical care facility. In such a facility, there is a huge number of files that are associated with patients, containing information such as the following: • • • •
Personal details (name, date of birth, address, etc.). Family status (married, number of dependents, etc.). Results of tests. Medical condition and treatment, and so forth.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 145
These files are grouped into privileges, such as reading all files but having rights to write only the results of tests, reading or writing personal details only, and reading medical conditions only. Note that privileges can overlap the access to a particular resource. These privileges can then be put together into specific roles (i.e., the doctor could have read or write access to all files but is not allowed to delete a file; the administrative staff could have read or write access to personal data and nothing else. As a result, each user of the system must be granted a role (or set of roles) that permits the individual to fulfill the user’s duties. Once this is done, a simple assignment to a given role or set of roles is performed by the system administrator to grant access to the required resources. This allows for the monitoring and ease of change to these roles in a centralized manner. The rest of this chapter describes in detail how to set up such a role-based access system and how to efficiently and effectively control it. We will discuss the following essential processes: • • • • •
How to register the user and control the user’s privileges. Network access control (the rules and monitoring of access to both internal and external networks). Operating system access control. Applications access control. Mobile computing.
Registration of Users and Controlling Privileges Management must establish strict rules for registering and deregistering access privileges to all available resources, whether information or services. The rules must include conventions related to the following activities: •
Each class of users must have predetermined roles that may be assigned to them. These roles should be determined using the Rule of the Least Privileges. This means that the role or roles assigned to a user should cover as few privileges as possible to fulfill that person’s duty properly. An example of determining such role sets is illustrated in Figure 10.7. The existing roles are indicated by the dotted line. Assume that a job needs to
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
146 Janczewski & Colarik
•
•
•
have privileges A, C, and E. Many sets of roles are possible. According to Figure 10.7, it is obvious that to fulfill the least privileged rule, roles 2 and 4 should be picked up. Rule of the Least Privilege is more or less equivalent to the Need to Know Policy in which management restricts information only to those who need to know any given information to fulfill their duties. In the military environment, this principle is applied in a strict manner, but in the business environment, the volume of knowledge may be much bigger. Anyone applying for registration as a user of the system is required to provide positive identification by an authorized person. Identification in this case means the verification of identity using non-electronic means. A new employee should register in person before someone like the managing director or staff officer, and provide positive proof of who they claim to be. Remote registration can lead to false identity claims and, as such, should be limited to extreme cases or not at all. Upon registration, each user is assigned a system ID. Formats can range from all numeric, abbreviated names like jsmi02 (i.e., John Smith who is the 2nd John Smith within the organization), or a full name ID like JohnSmith2. ID requirements vary, depending on the quantity of similar user names, and should be explored before determining such an approach. There must be a procedure for the periodic revision of all authorized users and their access rights. It is especially important to eliminate the use of all
Figure 10.7: Least privilege rule
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 147
•
temporary accounts, and delete user accounts promptly upon employment separation. All new users are to be given a written statement of their rights and obligations, and it is recommended that this be confirmed with a signature acknowledgment. A more detailed discussion of these issues will be presented in the next three chapters.
Access Control Tools and Regulations The design of a reference monitor is a daunting task. Some overall concepts like the very popular Role-Based Access Rights model were just described. However, there are still tools needed to convert to IT standards and the organizational requirements. Many tools were developed in this field to ease up these objectives. Among them is the popular XRML, the eXtensible rights Markup Language™ (XrML™, a general-purpose XML-based specification grammar for expressing the rights and conditions associated with digital content, services, or any digital resource. The goal of XrML is to expand the usefulness of digital content, resources, and Web services to rights holders, technology developers, service providers, and users by providing a flexible, extensible, and interoperable industry standard language that is platform, media, and format independent. According to the developers, XrML does the following: • • • • • • •
Leverages other standards to specify digital signatures, digital identifiers, content metadata, etc. Supports digital products and Web services. Defines entities to allow interoperability across multiple systems and applications. Is independent of media type, format, and platform and delivery architecture. Is secure—all XrML labels and licenses are digitally signed. Has tools available now to assist with development. Provides a comprehensive framework for specifying rights (i.e., tools, documentation, examples, tutorials, use cases, etc.) from http:// www.xrml.org.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
148 Janczewski & Colarik
Apart from these tools allowing easier design of the reference monitor, IT managers must be aware that access to IT resources is regulated by many laws and bylaws, which are usually very specific to a given environment. Generally, we will discuss the issue of compliance in Chapter 12. Here, we would like to underline the importance of providing proper access rights in terms of the limits imposed by the following two groups of the law that are in existence in practically every country of the world and often contradict each other: • •
Protection of privacy regulated by privacy acts (or similar acts). Protection against terrorists activities (e.g., the U.S. Patriot Act).
The first group of laws sets up regulations on how information about individuals should be protected. It is especially strong in the medical sector. A good example of this is the U.S. Health Insurance Portability & Accountability Act of 1996 (HIPAA), which includes a section (Title II) entitled Administrative Simplification. This results in the following: • •
Improved efficiency in healthcare delivery by standardizing electronic data interchange. Protection of confidentiality and security of health data by setting and enforcing standards.
Similar laws such as New Zealand’s Health Information Privacy Code exist in many other countries. In contrast, the anti-terrorist laws introduced in many countries after September 11th tend to allow easier access for law enforcement agencies to private information about individuals. As we have emphasized already in this book, it is not our role to comment if such privileges should or should not be granted to these agencies. But one obvious warning must be formulated. If a legal channel of communication has been created, then there is an increased chance that some individuals of an organization may be tempted to use such a channel in an unauthorized way.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 149
Operating System Access Control The statement that the identification and authentication of the end user should be performed is not good enough. It must be supported by a secondary level of authentication procedures. The first part of these procedures is covered in the text below. These controls are mainly related to secure authentication of the system users. Among these controls are the following: •
•
•
•
Automatic terminal identification. The idea behind this security measure is that before attempting any end-user identification, a special procedure is launched to verify that a particular terminal is permitted to initiate or receive specific transactions. For instance, a payroll administrator should not have any reason to seek access to a particular application outside the payroll office. Terminal logon procedures. It is very important how the terminal logon process is performed. For instance, one of the common mistakes is to design the authentication system as a stream verifier. This means that the system is examining the input string of characters and, immediately after discovering an error, declines the connection. The most complicated stream verifier can be broken easily. What someone has to do is enter the password characters very slowly. Then the error message will indicate that the last character is wrong. All a person has to do then is to start again, entering the password and changing the last character. Hence, in the case of a literal eight-character password, someone needs to do no more than 25 * eight trials. This means that the decoder must have the block format. Information about an error must not be the function of the error with time and limits on number and timing of the password entry imposed. A message like Wrong Password should not be used; instead, a noncommittal message like The system cannot log you in should be used. All the logins and failed login attempts should be recorded in the audit trail. The majority of all these basic requirements can be set up by popular operating systems such as Windows or Linux. Limitations of using system resources. Simply identify what resources need to be limited and at what times. All information systems have at least two modes of operations: regular user and system administrator. Regular users are allowed to run their typical applications, while system administrators can do practically everything with the system (i.e., configuration,
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
150 Janczewski & Colarik
installations, usage settings, etc.). Regular users require some minimal rights to invoke some basic system administrator capabilities, such as invoking a procedure for changing their passwords, and are, therefore, generally restricted. Thus, efforts by attackers are aimed at attaining system administrator rights, either by elevating a regular user’s rights or by gaining access to an administrator equivalent account. If overall limitation is imposed, that may prevent a hacker or cyber-terrorist from gaining access to a specific part of the system during the execution of some innocent looking procedures. Apart from these detailed requirements, the security of the operating system environment would be increased if the following recommendations were enforced: • •
•
Install only legal copies of your system software. Register your software promptly with the original software producer to validate its originality. Be sure that your system software is installed properly, tailored to your needs, and done with consideration to the organization’s security requirements. If you are not familiar with a particular software, call for help first from a reputable professional. Monitor sites like CERT (www.cert.com) and Microsoft (www.microsoft.com/security) that publish information about discovered vulnerabilities. If a given vulnerability relates to the software you have installed, check the corresponding software manufacturer for patches handling this vulnerability. If such patches have been developed, consider their installation. Not all patches are appropriate, and some may cause newly created conflicts with other aspects of your system. Always do a backup before their installation.
Managing the process of upgrading system software with announced patches is not as simple as it may seem. There are many myths surrounding this. One of them is that the upgrades are always compatible with an older version of the software. Theoretically, it should always be the case, but in reality, some conflicts occur. Also, finding the real update may be a problem. Imagine that someone announces an upgrade of the Windows XP operating system that is especially designed to close a security hole earlier discovered and announced. A message could include:
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 151
• • •
This is a patch to eliminate a vulnerability announced by CERT at (date) and announced in (reference to a real CERT Web page). The patch is also recognized by Microsoft as a viable solution (reference to a real Microsoft Web page). You may download the patch from Microsoft (link to a place, which looks like the original Microsoft location but was set up by the culprits). The patch would contain (perhaps) the software to close the hole, but it also may include a Trojan to allow the culprits easy access into the system on which that patch is installed.
Do not acquire patches or software that were recommended as part of an alert message. Go to the manufacturer’s site directly for such downloads. If possible, install the patches on a development machine first, test it out thoroughly, and then install it on production systems.
Application Access Control Application access controls are aimed at preventing unauthorized access to application programs. What we are referring to here is a specific problem that privileges and roles (discussed in the previous chapter) should not collide with each other during execution, and that they provide enough information to users to do their job properly. In a typical health information system (application), many privileges can be defined. For instance, a privilege to read or write into a patient’s personal details can be assigned. In the following example, let’s assume that we have generated two privileges in relation to patients’ records. One privilege allows an operator to read/write, while another allows an operator to read only, while both privileges may have some other set of access rights for accessing other parts of a patient’s record. This is illustrated in Figure 10.8. What would happen if the privileges for 1 and 2 were combined as one role? The question would then need to be asked, Is the holder of this role entitled to write into file A? According to privilege set 1, the answer is no; and according to set 2, the answer is yes. The conclusion that can be drawn here is that there must be an additional rule governing cases of conflicting privileges. Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
152 Janczewski & Colarik
Figure 10.8: Example of privileges
(R): read only access, (W): read/write access, (R/W): read/write access
Handling Sensitive Outputs The system administrator must ensure that sensitive and/or confidential information outputs of a system (e.g., printouts and electronic correspondence) are directed only to other systems, devices, or persons authorized to handle them. One of our colleagues had an embarrassing accident. After writing an exam script for the course he was teaching, he posted the file for printing to a printer located in a laboratory that was accessible to all students. He noticed the error after an hour and was terrified of the possible consequences. To his relief, he found out that the lab was closed at that particular time. Such errors could be used to the advantage of a hacker by supplying the hacker with confidential information.
Handling Sensitive Applications Some applications have a confidentiality level that requires them to be handled by a dedicated (isolated) environment. When this is required, a number of the following issues need to be resolved: •
Applications need to be denoted and set up in such a way that their processing cannot be performed in any other environment.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 153
•
All necessary steps must be taken to eliminate the sending of results to an unauthorized location.
Some organizations, especially of military or security origin, are solving these problems by physically separating their networks. One network is used for contacting the outside world, while another is used for internal communications. Also, confidential information is not allowed to reside or to be processed on the network connected to the outside world.
Network Access Control The interface between computers and networks includes a number of message handlers called ports. These ports are software designed to handle a specific type of transaction (i.e., a port is designed to handle file transfers, electronic mail, Web pages, etc.). Inadequate handling of these ports may lead to the successful mounting of attacks against a particular system. Let us look at a description of one of these attacks in Case 10.5. This particular type of attack could have been prevented if there had been site block specific unused ports. This is one of the most important issues for securing networks and controlling access. On a more general note, secure networks must force users to access specific paths in order to utilize system resources. In particularly, ISO 17799 recommends the following:
Case 10.5: Properties of W32/Blaster worm CERT/CC continues to receive reports of systems being compromised by a new worm referred to as “W32/Blaster” or “W32/Lovsan.” This activity is related to a recently discovered vulnerability in the Microsoft Remote Procedure Call (RPC) service. Microsoft has produced a patch for this vulnerability that can be found at MS03-026. CERT/CC has produced an advisory addressing this issue. Please refer to CERT Advisory CA-2003-20, “W32/Blaster worm.” Sites are strongly encouraged to apply the patch and block access to systems with open Microsoft RPC ports (135, 139, 445). http://www.cert.org/advisories/CA-2003-20.html
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
154 Janczewski & Colarik
• • • • • • •
Strict rules on allocating dedicated lines or telephone numbers. Automatically connecting ports to specified application systems or security gateways. Limiting menu and submenu options for individual users. Preventing unlimited network roaming. Enforcing the use of specified application systems and/or security gateways for external network users. Actively controlling allowed source to destination communications via security gateways (e.g., firewalls, switches, etc.). Restricting network access by setting up separate logical domains, such as virtual private networks for user groups within the organization.
Expanding and applying the above, a company must establish a policy for its network services. This, in turn, allows and establishes guidance for the following: • • •
•
•
Firewall settings. Deactivation of all of unused ports and services. Authentication of the remote users. Strong methods should be used (i.e., in the distribution of cryptographic keys). Dial-up connection protection. Dial-up connections that bypass or have unrestricted access through firewalls must not be allowed. Sometimes there is a need to have a remote dial-up diagnostic port available. Maintaining security of this access point is paramount and needs to be considered carefully. At the very least, a dial-back procedure (i.e., the device calls back to a specified location after contact has been requested) should be implemented. Authentication at both ends. All of us are convinced of the necessity of remote users to authenticate themselves to the server. However, the opposite is equally important. The user should be sure that it is dealing with the intended site and not a faked or spoofed one. Segregation in networks. Boundaries between organizations are softening. It is customary that the main supplier of raw materials is granted direct access to the information system. This is done to simplify and speed up the ordering and delivery of goods between organizations. Careful consideration is required to divide this connectivity into logical parts with clear-cut
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 155
•
boundaries that allow better control of the information exchange between the networks (i.e., through authentication and/or filtering). Security of network services. Many business organizations are using network services provided by others, such as Internet Service Providers (ISPs). Embarking on such services requires an analysis in order to validate that such a service is secure.
The processes listed above have a crucial impact on the proper functioning of a telecommunication network. These processes are very complicated, unstable, and regulated by a multitude of standards that sometimes conflict. These processes constitute what may be called a virtual window to the world of every computer installation. For these reasons, they are also the first barrier to potential attackers. Hence, careful management of these processes is essential to the well being of any organization.
Monitoring System Access and Usage Security cameras do not stop burglars from breaking into a building, but sometimes they can be used to identify the culprit(s) or to act as a deterrent. This is the main role of access monitoring systems. Essentially, they record all transactions and permit conclusions to be drawn. We believe that monitoring becomes beneficial to an organization only when there is both event logging and analysis of these logs. Unfortunately, in many organizations, there is a considerable effort to recode the events, but no one is doing an analysis of these recordings. An organization must determine what parameters of events are to be recorded. In the majority of cases, there is no need to record every transaction or event. The transactions worth monitoring are the follows: •
•
Unauthorized access attempts. Failed attempts, access policy violations, other network notifications (i.e., network gateways and firewalls), and alerts from intrusion detection systems. System alerts or failures. Console alerts and messages, system log exceptions, and network management alarms.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
156 Janczewski & Colarik
• •
All privileged operations. Use of a supervisor account, system start-ups and stops, and I/0 device attachments/detachments. Authorized access. The user ID, the date and time of key events, the types of events, the files accessed, and the programs/utilities used.
An example of such a record is shown in Figure 10.9. In this particular example, the file shows a record of the transactions allowed to pass through a firewall, including sources and destination addresses and rules which were invoked to provide the transmission. All audit reports need to be analyzed on a periodic basis. The analysis can involve quite a large amount of data. Hence, we recommend the use of tools that summarize the results. An example of such a summary is presented in Figure 10.10. Such a summary allows the noticing of anomalies in the traffic and leads to the detection of potential attacks. Increased traffic could mean nothing, but may also indicate that a hacker is downloading some confidential files or depositing Trojan software. It is a common fact that an attacker can be located within the organization and that any increased traffic from the attacker’s location is an indicator of a transfer of company files.
Figure 10.9: Example of an audit report
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 157
Figure 10.10: Example of an audit trail summary: The most active terminals
Mobile Computing Using mobile computing significantly enhances the capabilities of information systems, but brings with it the danger of exposing an organization’s data. Virus detectors, intrusion detectors, firewalls, and the like are being installed throughout a company’s infrastructure, but portable devices are not so well protected. First, they simply may be stolen; second, they may be a source of infecting the main system with some unauthorized software; and third, the existence of such communication channels may allow attackers to spoof being a legitimate remote user. Even if mobile communications are sent in their secure mode, the fact is that a new communication channel has been created. It becomes another possible entry avenue to the organization’s IT facilities. While a total ban on
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
158 Janczewski & Colarik
mobile communication is not practical for many businesses, every organization should carefully examine the real need for such communication channels. More information about the security of mobile computing is in Chapter 12, especially Case 12.2, and also in the section below on the interception of communication.
Theft of Mobile Equipment By its nature, portable equipment rarely contains and stores all available company data, but the equipment contains data that are most important to an individual’s related work function. Any managerial-looking person sporting mobile equipment is subject to theft. Indeed, the 2003 CSI/FBI survey indicates that the theft of laptops has become one of the most serious computer crimes.
Interception of Communication Most mobile communication systems broadcast data in either the open or in an encrypted mode (i.e., transmissions via electromagnetic waves). Many organizations appear to be quite happy with the concept of a mobile network, but they have not bothered to use it in the encrypted mode. This means that anyone having a typical laptop with mobile capabilities can easily intercept a company’s messages. Many experiments in various locations around the world support that statement. In the city of Auckland, a security researcher did some wardriving, which is driving a car around a town and collecting information about functioning mobile LANs. The results indicated that over 60% of LANs had no WEP encryption enabled, and thereby were exposed to the public and possible external attacks. The trial also revealed that about 54% of organizations used identifiable wireless network names (SSID) and 13% left the SSID in their default setting. This is the equivalent of a street advertisement designating access to all information circulating throughout a company network, with obvious consequences.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 159
Mobile Setup Issues Before launching any mobile network, a number of organizational and technical questions need to be answered. Apart from the obvious technical questions related to the technology, management should discuss these business issues: • • • • •
Who should have overall responsibility on mobile computing? Which systems or data may be used in mobile computing? Who should be authorized to use mobile computing? What restrictions should be imposed on such modes of work? What is the responsibility of each party (e.g., end user, technical staff, etc.) involved in mobile computing?
You may notice that we are advocating that prior to establishing mobile computing, the organization must evaluate its business needs to launch such a service. The organization must also establish an organizational and technical framework for such a system. This is an example of the system approach to planning information security. It should start from the analysis of the business objectives of the organization and answer the question of how mobile computing may help in accomplishing such objectives. After answering the questions listed above, mobile computing can be implemented. Only after this step are the technical aspects of mobile computing worth being examined.
Mobile Computing Before you start to use mobile computing, examine if you really need it, and then set up these rules: Who is entitled to that service? What information should be available on the mobile network? What technical rigours must be followed?
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
160 Janczewski & Colarik
Conclusion The issues presented in this chapter on authentication and access control can be summarized through a number of basic requirements: •
• • • •
All the needs for specific access rights must have foundations in the business requirements of the organization. These business requirements should be analyzed and decided upon prior to searching for any technical and organizational solutions. Access rights should be done through creation of privileges and roles. Individuals can be differentiated only at the roles level and not below. Access rights should be subject to frequent review and any changes reflecting an organization’s environment. Organizations should adopt the principle of limiting knowledge to a level necessary for proper performance of the individual employee’s duties. Organizations must introduce a method of monitoring access to each resource and do periodic analyses of these listings to ensure system security.
In this chapter, we have discussed the managerial aspects of managing authentication and access control. However, there are numerous questions regarding the technical aspect of providing that access. In the chapter on operation management, we will cover those problems.
Bibliography http://archive.ncsa.uiuc.edu/General/GridForum/SWG/taxonomy.html Security Services and Products Taxonomy. http://csrc.nist.gov/rbac/ NIST on Role Based Access Control. http://mtechit.com/concepts/access_control.html Definition of access control.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Identification, Authentication, and Access Control 161
http://securitysolutions.com/ Set of articles on access control. http://www.access-control-software.com/ Example of access control products. http://www.microsoft.com/windowsxp/pro/using/howto/security/ accesscontrol.asp http://www.rsbac.org/ Home page for Rule Set Based Access Control (RSBAC) for Linux. Microsoft’s Windows XP access control defined. http://www-1.ibm.com/servers/eserver/zseries/zos/racf/ IBM on Resource Access Control Facility. Other Interesting Readings Burrows, et al. (1990). A logic of authentication. ACM Transactions of the Computer. Carroll, B. (2004). Cisco access control security: AAA administration services. Pearson Higher Education. Carver, C. & Pooch, U. (2000, June). An intrusion response taxonomy and its role in automatic intrusion response. Proceedings of the 2000 IEEE Workshop on Information Assurance and Security. Common criteria for information technology security evaluation, part I: Introduction and general model, version 2.1 (1999, August). Common Criteria Management Committee. Ferraiolo, D., & Kuhn, R. (1992). Role-based access control. Proceedings of the 15th National Computer Security Conference. Ferraiolo, D. et al. (2003). Role-based access control. Artech House. Halme, L., & Bauer, R. AINT misbehaving: A taxonomy of anti-intrusion techniques. Retrieved from http://www.sans.org/newlook/resources/ IDFAQ/aint.htm Honey, G. (2001). Electronic access control. Newnes. Konicek, J., & Little, K. (1997). Security, ID systems and locks : The book on electronic access control. Butterworth-Heinemann.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
162 Janczewski & Colarik
Needham, R., & Schroeder, M. (1978). Using encryption for authentication in large networks of computers. Communications of the ACM. Sedayao, J. (2001). Cisco IOS access lists. O’Reilly. Smith, B., & Komar, B. (2003). Microsoft Windows security resource kit I. Microsoft Press. Strassberg, K. (2002). Firewalls: The complete reference. McGraw-Hill Osborne Media.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Personnel Security 163
Chapter 11
Personnel Security
The importance of security issues relating to personnel policies has and continues to be a factor in the overall protection of organizational systems. Apart from the general managerial issues related to information security discussed earlier in the book, this chapter will concentrate on discussing the security issues related to contractual agreements between companies and their employees, and what the implications are. These issues include the following: • • • •
Personnel screening prior to employment. Application of a security policy and establishing confidentiality agreements. Establishment and execution of a user training program in security. Establishing and execution of a policy dealing with handling security incidents and malfunctions.
In our opinion, the importance of the above issues has significantly risen as a result of the current wave of terrorist attacks. Terrorists are not living in an isolated vacuum. Many are highly educated. They may seek regular employment for the following reasons: •
To carry out their sinister objectives by having access to their employer’s facilities.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
164 Janczewski & Colarik
•
•
To build their cover story. A person without any legitimate employment or source of money is first on the suspect list. Hence, any person wishing to carry out non-legal activities usually tries to be as average as possible. Regular employment by a reputable organization opens doors to future opportunities, both good and evil; To finance their illegal operations. Terrorism can be quite an expensive activity, and financing by external sources is being identified, tracked, and terminated by governments worldwide.
The discussion of personnel security issues is divided into three parts: procedures related to hiring a new staff member; procedures to be followed during employment; and procedures to be followed when terminating an employment contract. This discussion should be considered an emphasis or addition to wellestablished hiring practices and procedures in the human resource domain.
Hiring New Staff The first step in hiring new staff is the formation of the qualification requirements. This aspect of the problem is well known and beyond the boundaries of this book as it deals with the security issues. In the real world, many organizations establish an ideal profile (consciously or unconsciously) of the most suitable candidate, apart from determining the candidate’s qualifications. This profile may also be composed of such parameters as age range, sex, ethnicity, prohibited disabilities, and so forth. Setting up a desirable profile of a candidate becomes a complex issue for a company, as many countries have regulations prohibiting doing just that. Differentiations on the basis of ethnicity, religion, disabilities, or sex are strictly forbidden in the U.S. and many other countries. However, these are only deterrents and do not prevent selective profiling and discrimination. We do not believe that it is appropriate for this book to go further into other justifications for profiling, but instead we wish to make a point. When people are afraid of a group, they become suspect of others that appear to belong to the same or similar group. Legal or not, the aftermath of the September 11th attacks reactivated profiling in the sense that candidates for employment are
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Personnel Security 165
now being subjected to much more intensive scrutiny when their national or ethnic origin is the same as the hijackers. Thus, profiling has two clearly visible sides. The first is the protection of a company profile in the terms of the image a company would like to create or maintain. The second is based on the fears of any troubles resulting from employing people belonging to a group who could cause trouble, whatever the nature of the trouble. We think that the best way to reduce troublemakers is to conduct a detailed background check of each candidate, including character references, verification of the completeness and accuracy of the candidate’s résumé, verification of all academic and professional qualifications, a credit and police records check, and a confirmation of identity by multiple sources. The range and depth of the process depend on the position that the candidate is going to hold and the candidate’s security exposure during the normal course of duties. Reliance on employment and placement firms is not an error-free solution and should be avoided. A real problem that is not easily resolved is any criminal record that may exist overseas with well-travelled citizens and recent immigrants. Knowing travel patterns and legal history requires access to global customs and police records. For some applicants, they may have quite a stained record due to the fact that they were in opposition to another government’s regime. Others may simply hide from their past by relocating to a new country for a time, gaining citizenship, and then moving on to new countries with clean records. Perhaps another layer of privacy will need to be stripped away in order to ascertain the background history of global travellers and immigrants. We leave this judgement to the populace of free nations. But whatever search we do, there is always a chance that something could escape our attention. Case 11.1 is a good illustration of this point.
Hiring Requirements Upon accepting employment, each new hire must accept, apart from the employment contract, two other important documents: the Information Security Policy and the Confidentiality Disclosure Agreement. The basic conditions of employment are usually consistent during the term of the contract. If a job were to change significantly, a new contract would need to be negotiated and issued. On the other hand, the two documents mentioned are (and should be)
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
166 Janczewski & Colarik
Case 11.1: Verification of credentials
This is the case of Mr. John Davy. He is a Canadian citizen who, in 2002, was nominated to the position of Director for a government-sponsored TV channel in New Zealand. The inspection of his credentials was performed by a Wellingtonbased employment agency. In his CV he claimed to be a holder of an MBA degree from a Colorado State university and a consultant to some highly respected business organizations in the U.S. After a few months on the job, the New Zealand Herald discovered that Mr. Davy’s university was a “money-fordegree” institution, and significant parts of his business experiences were faked. He was removed from the post, charged with fraud, and, after a brief stay in jail, expelled from the country. The employment agency that examined his credentials no longer exists, and the taxpayers of New Zealand footed the hundred-thousand-dollar bill resulting from the incident.
living documents, reflecting the operational mode of a company and resulting in frequent changes. Such documents should not be a part of the employment contract. The Information Security Policy is a very important document to which Chapter 13 is dedicated. We will concentrate on the Confidentiality Disclosure Agreement here. The Confidentiality Disclosure Agreement formalizes the employee’s duties relating to the protection against unauthorized disclosure and publication of all information that a company considers of limited circulation. Such a document ranges in length from a few lines to as many as 20 pages, depending on company policy and a country’s contractual legal limitations. In our opinion, a person should consult a good lawyer and consider the limitations of overly long agreements. Figure 11.1 is an example of a confidentiality agreement. Every country and organization have different rules about confidentiality agreements. Also, there are different procedures for what a new employee should sign (i.e., the document itself or a statement that he or she has read the policy and agrees to follow it). We present this document as an indicator of the issues that need to be covered in the security clause, and it is up to an organization to change and tailor it to its own specific requirements. The following are examples of clauses that were not covered in the above document, but are worth considering.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Personnel Security 167
Figure 11.1: Confidentiality agreement example
This CONFIDENTIAL DISCLOSURE AGREEMENT (the “Agreement”) is made this __day of ______, 20__, between ___________________(“Receiver”), having a place of business at_________________, and (company name) _____, a company having a place of business at (company address)_____. (company name) _____and Receiver hereby agree that the following terms and conditions shall govern the disclosure of information by each party to the other for the following purposes: (e.g., permanent employment, dated employment, specific project, etc.) 1) Receiver acknowledges and agrees that it will receive or have access to certain information that is proprietary or confidential (“Proprietary Information”) to (company name) _____, or both, or their licensors, including, but not limited to, trade secrets, processes, techniques, inventions, improvements, software programs, computer programs, copyrightable material, data, and knowhow. 2) Receiver acknowledges and agrees that no intellectual property rights to any disclosed material will pass to the Receiver by virtue of disclosure. 3) Receiver acknowledges and agrees that: a) The right to all Proprietary Information shall remain with (company name) _____and/or its licensors, and all physical property shall be returned to (company name) _____promptly upon request with all copies made thereof; b) It shall keep in confidence and trust all Proprietary Information; c) It shall not use, publish, or disclose to any third party any Proprietary Information or anything related to it without express prior written approval of (company name) _____; and d) It shall take all reasonable precautions to hold the Proprietary Information in confidence and trust. 4) Material is specifically excluded from this Agreement if it is: a) In the public domain; b) Published by a third party without violation of property rights; c) Freely and legally available from a third parry; d) Required to be disclosed by law. 5) Receiver agrees that it will return, destroy, or cease to use all disclosed material at the request of (company name) _____. 6) Receiver acknowledges and agrees that (company name) _____ is providing the Proprietary Information solely for the foregoing said purpose and shall not use any Proprietary Information for any other purpose. (figure continued on the following page)
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
168 Janczewski & Colarik
Figure 11.1: Confidentiality agreement example (continued)
7) Receiver acknowledges, agrees, and accepts that the Agreement is for the benefit of (company name) _____ and any licensor having ownership of or beneficial interest in any Proprietary Information and their respective successors and assigns, AND, further, Receiver acknowledges and agrees that the Agreement shall be binding on (company name) _____, Receiver, and their respective management, employees, contractors, successors, or assigns for a period of three (3) years from the above Effective Date hereof. 8) In the event litigation arises in connection with this Agreement, the prevailing party shall be entitled to recover its attorney’s fees and court costs, in addition to any other relief or judgement such party is entitled to receive. 9) This Agreement shall be governed by and construed under the laws of (country/state name) and the (country/state name) courts shall have exclusive jurisdiction over not only the Agreement, but also the parties hereto. Accepted by: (company name) _____ , By (name and authorised signature) Receiver: By __________(name and authorised signature)
• • •
Security clearance level of the employee. The assignment of a security clearance and any requirement for maintaining it must be defined. Referral to the security policy. A clause or acknowledgment that the employee will follow the policy must exist. Work outside company premises and normal work hours. The whole issue of work outside of the company’s premises and the hours worked should be examined.
A knowledgeable lawyer should be consulted about the content of the initial document.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Personnel Security 169
Security Duty During Employment The acceptance of the above regulations by a new employee is not good enough to ensure security compliance. It must be supported by adequate training in all security matters mentioned in any company documentation. For instance, an employee should know how to logon to the system, protect his or her password, and perform relevant backup of files. Many procedures can be quite complicated in their execution, and performing them incorrectly could cause serious problems. The classic example of this is the deletion of files. Many employees think that pressing the Delete key deletes the file in question, while in most cases the file is sitting in the recycle bin awaiting permanent deletion. Even this action does not delete the file from the hard drive, but marks the space it resides in as available for additional storage. The potential consequences could be quite serious if the file contains data that is of a confidential nature. It could then be possible to retrieve that information without proper authorization if, perhaps, the computer is transferred to another user or permitted to be taken home for personal use. These possibilities were presented in Case 4.8. In every organization, there are security incidents (i.e., occurrences when breaches in security occur). These incidents range from minor to substantial. The impacts also range from having an insignificant bearing on the well being of a company to resulting in dramatic consequences. A company must be ready to handle these incidents when they occur in a manner that requires little discussion of what course of action is needed. Usually, these incidents have progressive properties that grow and encompass more and more of a company’s activities. As a result, a decisive, fast response that is well planned needs to be in place to minimize such occurrences. These procedures are usually divided into two domains: those of a personal nature and those that are operational. The operational procedures are established by the Business Continuity Planning process, which is presented in Chapter 14. Here, we would like to mention the importance of planning procedures in dealing with security incidents related to personnel. For instance, what should happen if a person were to leave a confidential file in a public place? Business Continuity Planning usually deals with the handling of security issues, but it should not cover what specific action should be taken against the employee. Rush decisions made at such moments are rarely optimal. Most of the information systems are equipped with auditing facilities that collect information about the processes they are controlling or performing, and the Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
170 Janczewski & Colarik
usage of resources they provide. Unfortunately, we have observed that most people are just unaware of or uninterested in utilizing such monitoring. For example, firewalls are equipment with quite an extensive set of reporting capabilities, which we mentioned in Chapter 10. The collection itself of such reporting information is insufficient, and every business organization must have a procedure to learn from all reported incidents and malfunctions, namely the following: • •
•
Reporting security incidents. Who should report what incident to whom, in what format, what is the escalation procedure, etc.? Reporting security weaknesses. Again, the same questions: Who should report what weakness to whom, in what format, what is the escalation procedure, etc.? Reporting hardware and software errors. Instructions should be prepared on how to classify an error and how to handle it. The individuals required should also be included.
BE FAIR! Whatever policy you plan to enforce, it must be communicated well in advance to the staff.
Terminating Employment What task managers hate most is the termination of employees. In such cases, the well being of the organization takes precedence over the well being of the fired person. It is this simple fact that is the main source of security problems. Facing such a task, the manager needs to be well prepared and maintain a very rational mindset. The major security issues arising from the termination of employment must be examined well before the act, and an optimal course of action determined. An example of the problems related to this is presented in Case 11.2. How often does a person who was discharged still have his or her accounts active and accessible within an organization? One of the authors was working
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Personnel Security 171
Case 11.2: Forceful discharge of a staff member
During a security audit of a business organization (a design office), we asked the CEO if he had a policy relating to the handling of hiring and firing staff. The answer was an affirmative yes. So we continued, “Okay, let us assume that you have the very unpleasant task of firing an employee on the spot. How would you handle this?” The answer was, “Well, I would like to convey the message as softly as possible.” We were persistent and asked, “Okay, but would you allow the person to leave the room at the end of the conversation?” The answer came back, “Yes, of course, why not?” So we said, “The fired person is presumably under significant stress. Would you guarantee that this person would not rush to his or her PC and wipe out the hard drive in an act of anger?” The answer was, “Thank you. Now I know why I ordered a security audit.”
at a European university for a short period of time. About a year after leaving the post, it was noticed that the account was still active. These unfrozen or undeleted accounts constitute a known and substantial security hole in a system. Many hackers rely on these accounts to gain access to a system. Considering all of the above, there must be a strict policy formulated for what must be done with the accounts of personnel who have left the organization. Strict does not necessarily mean the immediate suspension of an account. In many organizations, it is a rule that the departure is sometimes a friendly type, and, as such, the account is kept alive for a specific period of time. But, on the other hand, if the departure is hostile, the immediate suspension of the account must be performed. During such a hostile departure, tempers tend to be high, and there is not much room for rational planning. Therefore, all departure procedures need to be well established in advance. A tricky problem related to personnel security is the protection of privacy of individuals. All major countries have introduced and passed laws protecting this privacy. However, the open question is to what extent that privacy may and could be protected in a workplace. For instance, what data on a company’s workstation belongs to the employee, and does the employer have the right to access it? During a time of rising public awareness of possible cyber-terrorist activities, such a question is not trivial. To our knowledge, only in Germany is there a law that allows the maintaining of a sort of private zone on company computers. In all other countries, all data stored and processed on company computers belongs to the company. Many Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
172 Janczewski & Colarik
workers seem to forget this simple truth, and it is worth it to remind them about it, starting by placing a clause in individual contracts or in the security policy, which will be discussed at length in Chapter 13.
Conclusion The role of personnel security issues is growing rapidly these days. In the past, the major concern of the potential employer was the evaluation of a candidate’s qualifications and character. Currently, the initial evaluation must also include assessing any possible security threats. These evaluations are very difficult to conduct due to the formal restrictions imposed by law and by international records. These laws were set up to protect the interests of individuals. Unfortunately, these limitations permit the exploitation of the lack of knowledge by potential troublemakers. However, most of them are still present, which makes activities of the hiring officer a very tight-roped job. Both authors of this book have extensive managerial experience. Drawing from this experience, we must say that the most powerful factor in building and maintaining high quality secure information systems is to create high motivation in all of the company’s employees. Motivated staff is the best guardian of the company’s well being, including security issues. Building such an atmosphere is not an easy task, and it is impossible to accomplish this in a short period of time. It requires a lot of managerial and psychological skills. There is a lot of literature about this topic, and we strongly recommend our readers to do some additional reading. However, these simple rules need to be followed: • • •
Personnel must be convinced that the organization’s mission, goals, and the means to accomplish them are correct. Personnel must be given a level of independence of operation. Of course, adequate controlling procedures must be also implemented. Salaries of the staff must be above the median level (for each given position) and working conditions must be adequate.
We would like to stress that all these rules must be followed and not just some of them. It may be summarized by a slogan: Make them content!
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Personnel Security 173
Information technology is practically the same all over the world. System analysts, programmers, IT managers, and the like may talk different languages, follow different religions, or belong to different cultures, but their duties are quite the same. This makes the transfer of IT specialists between countries and continents very easy. We may find ourselves sharing facilities with dramatically different people, at least in terms of their appearance or behavior. This could be a positive or negative factor, and it makes the job of hiring officers even more difficult. We leave our readers with the concluding commentary: All aspects of the staff policy, including hiring, continuation of employment, and discharge, must be enhanced with information security components. These components should be planned well before any of the above activities take place.
Bibliography There is a significant number of U.S. Department of Defense publications relating to personnel security issues and covering all aspects of the problem. However, these publications are often restricted in circulation. http://www.ag.gov.au/www/psccTrainingHome.nsf/Alldocs/RWP11F2 2E2F5891CC4BCA256BB4000C9CFD?OpenDocument An example of training in personnel security (Australia). http://www.ciisd.gc.ca/text/ps/pss-e.asp Canadian government guidance for personnel screening. http://www.dss.mil/psi/ Military guidance for personnel checks. http://www.dtic.mil/jstc/disciplines/personnel.html Joint Security Training Consortium’s guidance for personnel security.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
174 Janczewski & Colarik
http://www.e-government.govt.nz/docs/see-pki-cert-policy-v2/chapter5 .html New Zealand government for Certification Authority physical, procedural, and personnel security checks (Certification Authority is a part of the Public Key Infrastructure). http://www.vascan.org/categories/personnel.html Security tools and the best practice in relation to personnel security. Other Interesting Readings Cobb, C. (2003). Network security for dummies. For Dummies. Fay, J. (2001). Contemporary Security Management. ButterworthHeinemann. Newman, E. (1998). Security Clearance Law and Procedure. Dewey Publishing. Shumway, R. (2003). Wireless security end to end. McGraw-Hill Professional. Smith, J. (1990). Secure people: A report on corporate personnel security. Hyperion Books.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Operations Management
175
Chapter 12
Operations Management
A major focus of this book is guiding IT managers on how to secure the operations of their facilities due to increased threats from terrorist oriented attacks. As it was presented in the earlier part of the text, there are many procedures that would decrease such threats. However, the best protection is just to run the facilities, keeping in mind the systems approach to information security. In this way, we are able to optimize the protection of the workplace from any form of attack, including those from cyber-warriors and cyberterrorists. In this chapter, we will present the essence of managing IT facilities from the security point of view.
Operational Procedures and Responsibilities The rational management of IT facilities is based on carefully prepared and implemented documentation of all operating procedures. Among those tasks are instructions about information processing, as well as the scheduling of jobs, advice on how to handle emergencies, location of help desks in case of errors, handling results, and so forth. It is important that these instructions be kept current and regularly updated. Especially important are the solution sets for handling emergencies.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
176 Janczewski & Colarik
In setting up the operational procedures, it is very important to arrange the segregation of duties. The essence of this is that the operator should not be the one benefiting from the operation. An example of this is that the designer of a payroll system should not be on an access list that distributes checks to employees. This is well illustrated by a case that happened many years ago at a university in the United Kingdom (Case 12.1). While this example is not earth threatening, it illustrates what may become a tremendous issue when an individual seeks to be harmful. Subversive coding can sometimes be extremely difficult to discover. One such example of this approach to system disruption is called a salami attack. The programmer introduces into the system design a counter or collector of changes. If these changes reach a setup limit, this routine launches a series of unauthorized activities. The trick to these types of attacks is that a series of events must occur over time before anything happens. The classic example of a salami attack is preserving the remainder of financial transactions such as pay calculations. These remainders are accumulated and forwarded to an account for later disbursement. While the amounts appear to be fractions of a cent, their accumulation can become sizeable over time. The only way to discover such an attack is to monitor deposit transactions. It is precisely why segregation of duties is critical to auditing actions and transactions that such attacks can be prevented.
Case 12.1: Disgruntled programmer A British University had a computer that was used for administration purposes. With more and more advanced equipment available, fewer jobs were being processed on this machine. Finally, only one faithful man remained to run the machine. The computer was processing only a small part of the financial transactions of the University. But as time passed, the man was eventually discharged. Obviously, he was not very happy about it and promised revenge. During the next run after his departure, the machine stopped and displayed a message to the surprised operator: “The Phantom Strikes Again.” Upon restarting the process, the program ran without a problem. This harmless bug reoccurred at random until the machine was finally retired. It just was not economically feasible to hunt for the coding of the bug.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Operations Management
177
System Planning and Acceptance If you copy files or save them to a floppy disk, you may have opened the Properties task bar in Windows to find out if there is enough space on the disk. This is the most elementary example of System Planning. It is this mindset that must be applied to everyday processes to ensure capacity (in any form) and future planning. Otherwise, system users may pay dearly for not foreseeing the consequences of poor planning. Capacity planning is about avoiding a system crash due to excessive demands for resources for a given operation and the optimization of utilizing these resources. Perhaps the most devastating effect of poor system capacity planning is the results from an activity known as a buffer overflow. During various stages of processing, a given portion of data or program code may be too big to be placed in a memory allocation space. When this happens, the system must decide what to do in order to continue the process. In most cases, an adjacent memory space is overwritten with the overflow. This results in some part of the data or program code potentially being stored at a memory location that is not directly controlled by the system process and, as such, provides an opening to unrestricted or controlled program execution. Buffer overflows are a favorite starting point to hack applications. In the past, elaborate testing would discover most of these. Currently, it occurs mainly for two reasons: • •
Applications are rarely tested under full system load before being released for normal operations. If a buffer overflow does happen and a system was not designed to issue a warning or preventative response, the user would not know if it actually happened. This, in turn, may result in some data being written into unprotected space. Analyzing a system for this result is no simple matter.
The consequences of a buffer overflow may lead to a system crash or to the writing of sensitive data in unprotected locations. If an organization plans to run an application containing sensitive data, detailed process checks need to be conducted to eliminate the probability of a buffer overflow occurrence. In the case where an organization is designing its applications, this can be controlled relatively easily by introducing buffer overflow control into the process. The
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
178 Janczewski & Colarik
overall approach is to check the functioning of the system under loads similar to the maximum available and then to search for any possible faults in the system. If the organization is using a product developed by someone else, such verifications are very difficult to perform, as the product and underlying operating system are outside a user’s range of control. In these cases, installation of a new patch to correct this flaw should be done promptly upon release. Buffer overflows may also result in DOS and DDOS attacks, as described in Chapter 5. There is, however, a significant difference between these attacks and a “classic buffer overflow” attack. In the case of DOS/DDOS attacks, the objective is simply to crash the system due to the buffer overflow. Here, on the other hand, the attacker does not want the system even to notice the attack. Rather, the objective is to force the system to write some sensitive data in an unprotected space, outside the buffer, and to use that data later. Apart from the buffer overflow and available memory space, capacity planning examines many other parameters such as the following: •
•
The number of transactions processed or transmitted versus any recommended levels. This should include both the typical level, as well as the maximum load. Very few systems function properly when approaching their maximum capacities, and such situations should be predicted and avoided. In some systems, there may be limits related to the static number of files, transactions, and the like. This is due to a system limitation on the size of transaction identifiers. Databases are perhaps the best example of these static limitations. Reaching such limits should be predicted in advance and a solution found.
The above may be summarized by a statement that strict rules need to be introduced that govern the installation and running of all new applications. Especially important is that a thorough test emulating the full load of the application should be conducted before putting an application into production. If you want to avoid serious problems when running an application, before launching it into operation, test it under the full load.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Operations Management
179
Protection Against Malicious Software Protection against viruses and other subversive software is essential for every organization. It is worth presenting taxonomy (see Figure 12.1) of all these unwanted additions to regular applications. For the average IT user, the title of this section is strongly associated with antivirus scanning software. This is not surprising, as viruses constitute the largest percentage of all attacks against IT. Here, we will look at the problem from the managerial perspective. Management must formulate rules for dealing with this issue, communicate them to the staff, and incorporate them into the Information Security Policy. The basic rules for minimizing the possibility of being infected by unauthorized software, apart from installing a good quality virus scanner and keeping it updated, are the following:
Figure 12.1: Taxonomy of unauthorized software
Unauthorized Software: Software not needed for running an application, loaded without the operator’s consent. Possible Carriers of Unauthorized Software: Software that carries legitimate activities, aimed at customizing the application performance, but also performs other functions that could violate security of the customer application. Java Applets, ActiveX, PostScript, and RealAudio are the best examples of such packages. Hostile Software: Software exclusively built for running illegal operations on the target machine. Traps: Program switch activated by an event (e.g., date or PC status). Bomb: Action associated with a trap. Worms: Software, which, when activated, saturates the system with specific activities. Virus: Combination of a trap with a bomb (sometime called a “payload”) and capabilities of multiplication into non-infected systems. Bootstrap, Polymorphic, Stealth, and Macro are the most popular virus types.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
180 Janczewski & Colarik
•
•
•
• •
•
The introduction of an automatic download of the latest virus scanner definition files and operating system software updates to all machines on the network. Many employees do not have the time, knowledge, or desire to be bothered with manual updates. In mid-2003, many organizations around the world were infected with the Blaster virus. The updates to detect this virus were prepared for some time before the infection was unleashed, but a significant percentage of organizations did not download and install it, even after being urged to do so. There should be a strict policy on the use of the Internet, especially in relation to attachments (in general), SPAM, and the installation of “free” software. It is a known fact that many such packages, apart from the functions defined officially by the developer or distributor, may contain nasty Trojans or create covert channels that are used to violate the security of a network. There must be detailed instruction on handling specific files and their types that may be downloaded by users, such as rules relating to handling any ftp file types. Use of file quarantine facilities to check and clean files before use is also a part of these procedures. In some organizations with very strict security rules (e.g., banks), a standard practice is to disable input and output devices that are not absolutely required. This discourages computer use for anything except job functions. There must be specific procedures and instructions on what must be done when unauthorized software is discovered. Such actions can limit the possible range of damages resulting from the infection.
Computer viruses demonstrate properties closely associated with biological viruses. They can do damage to the system that they are in at the moment, and they also can be transmitted to the other systems or users, like a real virus infection. Thus, all the procedures relating to the handling of viruses must include both aspects of virus prevention activities: system restoration and the prevention of spreading. Fixing a problem on an individual computer or workstation may be very short lived if the viral code is not disabled on all other connected systems belonging to the network.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Operations Management
181
Housekeeping Housekeeping relates to the availability and integrity of information. It includes activities like producing regular backups, logs, and fault recording. The issue of backups will be discussed later in Chapter 14. Here, we will focus on the two most important logs: operational and fault. Logs are reports with information collected about given activities. An operational log contains information collected about such activities as what application was launched, by whom and where, while fault logs are events related to occurrences of faults and their handling. In the past, these logs were manually updated and were the source of extensive wars between management and individual operators to keep them updated and relevant. The required reporting and non-incentive additional workload in keeping these logs were the center of these disputes, but that should not inhibit or detract from the usefulness of these logs. In our opinion, there are three basic reasons to maintain these logs: 1. 2.
3.
In the case of any faults, these logs can be a good source of information as to what has happened, and may be useful in further decision-making. Periodic analyses of the logs can help identify the weakest links in the operations or potential points of attack. For instance, frequent reports of transmission faults would indicate that there is a need to check the quality of the links between the organization and its ISP provider. In some rare cases, the logs may be used as evidence if the organization’s infrastructure has been unintentionally used by an attacker.
Keeping up-to-date logs and analyzing their content allow management to understand the quality of operations in the facility. These logs provide a lot of useful information. It is a known fact that locating trouble spots sooner rather than later can reduce the exploits of hackers or cyber-warriors.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
182 Janczewski & Colarik
Network Management Network management may be examined from two perspectives: the technical and the managerial. Here, we present the issues from the managerial perspective; a thorough discussion of the technical aspects of network management would require a separate study. However, managing the technical is an important aspect in securing networks. To properly administer networks, the following decisions need to be made: 1.
2.
3.
4.
5.
All managerial decisions related to the network’s management must be based on the overall company objectives. This is a result of accepting the system approach to managing security. There needs to be a clear boundary between the responsibilities related to managing computer operations and networking operations. Computer operations are about transforming data; network operations are about transporting data. Both operations require different attitudes and a different set of skills. The responsibility for managing all remote equipment such as remote LANs and dialup facilities should be established. In many organizations, remote facilities have not gained enough attention with respect to security. Part of network management is the issue of confidentiality. Encryption of the facilities, storage, and communications must be incorporated to reduce breaches in confidentiality. The implementation of any security protocols and packages such as IPSec, PGP, and the like must be evaluated and implemented using the overall business perspective of the organization. The interfaces between the network and any mobile computing need to be secured. What we have in mind is the encryption of the communications within a wireless LAN on a company’s premises. The danger is quite real. Around the world there is a new foolishness called wardriving (described in Chapter 10) and warchalking illustrated by Case 12.2.
In previous parts of the text, we indicated various ways that hackers and cyberwarriors could gain unauthorized access to the computing resources of organizations. The use of non-encrypted mobile LANs is perhaps the best example
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Operations Management
183
of offering such opportunities. The concept of wireless LAN warchalking was a hot topic during 2003. As a consequence of such activities, one fact is irrefutable. Too many organizations are not properly protecting their mobile LANs. There is no excuse for not doing this, as all reputable mobile LANs are equipped with the facilities to provide at least a reasonable level of confidentiality. Unfortunately, these features are simply switched off.
Media Handling and Security At present, organizations consume a considerable amount of computer media such as tapes, disks, cassettes, zip drives, and so forth. Some of these devices are able to store information measured in Terabits. When these devices are replaced or upgraded, it is customary to permit older computer equipment to be released to employees for home use, donated to charity, or simply disposed of in the trash. Equally important are paper documents. Most people usually throw away old printouts, intermediate or work-in-progress documents, and the like into rubbish bins without much thought as to what happens to them. These
Case 12.2: Wireless LAN warchalking
An iconic sign in a storefront window along downtown San Francisco’s busy Folsom Street is there to alert any passersby to the presence of an available 802.11b wireless network. London information architect Matt Jones proposed and named the concept last month. Wireless wanderers who stumble across open networks, Jones suggested, should mark their location with a recognizable symbol on nearby walls. That way, others following in their footsteps could find them even with laptops closed. The idea, he said, was to “put something in the right place to add some visibility to this invisible nervous system that’s growing around us. You don’t have to have four walls and a roof around you to tap into it.” Jones said he envisioned the marks as a modern version of the hobo sign language used by low-tech kings of the road to alert each other to shelter, food, and potential trouble. http://www.wired.com/news/wireless/0,1382,53638,00.html
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
184 Janczewski & Colarik
documents can be retrieved and their content analyzed by various people inside and outside the company grounds. There are people called dumpster divers who specialize in doing exactly this. Their efforts have resulted and continue to result in the release of confidential and embarrassing management documents found in rubbish bins. Therefore, the management of any organization must set up and implement a strict policy for handling the use, storage, and disposal of all information media, both physical and electronic. At a minimum, it is recommended that management set up two types of bins for the collection and disposal of used magnetic media and for any documents that can be considered confidential. These bins are then emptied by a service that specializes in the secure disposal of whatever is contained inside. These bins should be anchored to prevent them from being removed, and bins must reside inside the company premises. Otherwise, these bins become an easy target for theft by dumpster divers. Ordering the installation and emptying of these secure bins is not as simple of a task as it may seem. We noted a number of cases when a company or the employees in charge of these cleaning procedures were approached by third parties offering financial rewards for providing access to these bins before the destruction of their content. Hence, to avoid any temptation, destruction of some especially sensitive documents should be arranged on site through the installation and use of document shredders. The authors may look like prophets of doom, but even the use of shredding devices may not be sufficient. This is illustrated in Case 12.3. Case 12.3 simply illustrates that shredders should be a subject of critical evaluation, as well.
Backing Things Up The importance of having backup facilities was the first recognition of information security issues. The majority of businesses have learned to embrace daily backups of system-wide systems and information storehouses. However, even in the most technically advanced organizations, backup facilities often overlook some very fundamental issues. Among the issues worth examining are the following:
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Operations Management
185
Case12.3: Poor shredding of documents in the Teheran US Embassy Some of you may recall when the staff of the U.S. embassy in Iran was taken hostage in the 1980s. Before the staff was taken prisoner, they managed to shred many secret embassy documents. Unfortunately, the Iranian police were able to recover a significant number of these documents, since the shredders cut the documents in strips of around 4mm wide, therefore making it possible to reconstruct the original documents.
•
•
•
•
The physical distance between the main site and the backup site. The shorter the distance, the quicker the response time in case of a disaster. However, close proximity can also result in both sites being affected by the same calamity. Backup procedures need to be active and consistent. This means that if the organization decides to update its backup records once a day, then this must be performed every day and not at someone’s discretion. Backup procedures must be thoroughly tested, especially for their capabilities of restoring the original systems or files. In our practice, we have witnessed a number of cases when backup disks and tapes appeared to be working, but they would not permit the restoration to occur. Backups need to be bidirectional. The most frequent problem is that the backup files are recorded in a non-original system state. When a system restore is required due to equipment failure, the restore may not work on the replacement equipment. This is overcome by redundancy systems such as RAID arrays and off-site mirror servers that continuously replicate the original system’s information.
Most of the surveys that we are aware of report that organizations are engaged in recording their backup files. On the other hand, we also found that the backup systems very often are not of adequate quality (i.e., the organizations are not following the rules outlined above). To be any real help in the case of a disaster, management must evaluate the procedures and test the operations of the backup facilities. From time to time (at least once per year), run your installations from the backup files and evaluate the functionality of the whole procedure.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
186 Janczewski & Colarik
Physical File Storage Another matter is the storage of important files, both in hard and soft copy forms. Among these files are such documents as contracts, copies and originals of installed software, essential databases (i.e., customers, vendors, and subcontractors), and the like. Preventing the destruction of these documents or their alternative is essential. These documents must be stored in proper facilities. The best way to physically solve this problem is to install specially designed data safes. These safes are built to sustain substantial environmental disasters such as fires and the collapse of the building, as long as they are fully closed and sealed. These safes must withstand heat testing for several hours (oven temperature) and then survive a drop against a concrete floor from a height of 10 meters. There are international standards relating to such safes, and they should not be purchased without such certification.
Exchange of Information and Software In today’s interconnected world, organizations maintain close contacts with other organizations and individuals. Through these contacts, various information and software exchanges are taking place. These exchanges should be controlled and procedures established from the security point of view. Several decisions need to be made regarding arrangements of these contacts. •
•
Message dispatches. Methods of notifying a recipient about messages being dispatched and ways of handling any expected confirmations of the dispatches must be established. A person may deliver a legitimate looking package that appears to have been sent by an organization’s client, while, in fact, it may contain explosives or other destructive contents. If the arrival of a courier is anticipated, the probabilities of such an attack are substantially reduced. Message format. This includes both traditional and electronic messages. In the case of a traditional message or package, the organization must insist on a particular format of packaging and display of the company’s
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Operations Management
•
187
logos, sensitivity of the contents, and so forth, for the same reasons as in the previous point. In the case of electronic messages, the company may require the inclusion of specific disclaimer notices relating to protection of privacy and confidentiality. Division of transport responsibilities. The organization must set up and implement a policy defining the borders of its responsibilities in the case of any received or dispatched mail or cargo. It is especially important from an insurance perspective.
An analysis should include all forms of information exchange and all possible contacts and transportation media, as well as compliance with any relevant legislation. Once a comprehensive list has been assembled, then a set of procedures can be formulated.
System Development and Maintenance We strongly advocate the system approach to information security. Perhaps in no other area is the system approach of such importance. This stems from this observation of the IT industry: more and more managers are convinced that information security is, indeed, an issue. Their reaction is predictable: they are announcing this new approach to the staff and demanding analysis and inclusion in the system of adequate security measures. It is predictable that such action would increase resistance of IT against possible security attacks, but it may not necessarily offer an optimal solution. Let us illustrate that phenomenon in the example of the design of a database. If a designer were to face a task to develop a database system from scratch, then the simplest way to do so would be as follows: 1. 2. 3.
Determine what information would be stored in the database. Determine what mechanisms for data entry, editing, and retrieval would be needed. In the case of multiple users, which is almost always the case, extensive analysis needs to be done to reduce the possibility of errors resulting from simultaneous use of the database by many users (deadlocks).
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
188 Janczewski & Colarik
4.
5.
If the database contained confidential information, then the design must decide what level of protection is required to extract information through direct or intelligent queries. Finally, all the remaining security issues need to be solved.
That approach eventually may lead to a database working quite well, but not necessarily in the most optimal way. All these issues are added one by one, while almost at any stage the security issues need to be examined. In other words, analysis of the security requirements should be done prior to starting the design and required solutions added at every stage of the development process. In particular, the analysis and specification of security requirements should encompass the following parts of the design process: •
•
Input data validation. This is one of the most well known domains of security—the assurance that the entered information indeed represents the real data. The controls may include any obviously out-of-the-range values, as well as verification that all the characters were entered correctly. In the past, that problem was solved by repeating the data entry, but that method proved to be too labor intensive. Much more effective is grouping entered data on clusters and using a set of sum characters. Apart from direct control of the data entry processes, some care needs to be taken to inspect the original hard-copy documents for any obvious errors or unauthorized changes. It is important to introduce the responsibilities of all personnel involved in the data input process, as well as the procedures on how to deal with any discovered errors. Over 10 years ago, a few cents error in the data entry at the University of Berkley, California was left undetected for some time until Dr. Clifford Stoll started searching for the source of that error and ended up discovering a multi-national conspiracy (described in the book Cuckoo’s Egg). We mentioned this book at the beginning of the Introduction. Control of internal processing. Data that have been correctly entered can be corrupted by processing errors or through deliberate acts. Validation checks should be incorporated into systems to detect such corruption. The design of applications should ensure that restrictions are implemented to minimize the risk of processing failures leading to a loss of integrity. Specific areas to consider include:
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Operations Management
189
1. The use and location in programs of add and delete functions to implement changes to data. 2. The procedures to prevent programs running in the wrong order or running after failure of prior processing. 3. The use of correct programs to recover from failures to ensure the correct processing of data. •
• •
Message authentication. While sending a message between applications, it is important to assure that it is not changed during the transport phase. The issue is not to keep that message encrypted; the issue is that any interference with the content should be detected. This message authentication issue is becoming more and more important in these days of dispersed processing facilities. The most effective protective security measure here is the electronic signing of messages. Output data validation. All that was written about input data validation applies to the control of the results. Cryptographic controls. Cryptographic technology allows protecting not only the confidentiality of data, but also its authenticity and integrity. The cryptographic technology is neutral to the user and provides specific benefits, but it also demands some requirements and adds some costs. Hence, any technical decision related to the cryptographic processes needs to be preceded. Following the ISO 17799 standards, that policy may include: 1. Setting up the management approach for the use of cryptographic controls across the organization, including the general principles under which business information should be protected. 2. An approach to key management that includes methods to deal with the recovery of encrypted information in the case of lost, compromised, or damaged keys. 3. Roles and responsibilities; for example, who is responsible for: a. The implementation of the policy? b. The key management? 4. How the appropriate level of cryptographic protection is to be determined.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
190 Janczewski & Colarik
5. The standards to be adopted for effective implementation throughout the organization (which solution is used for which business processes). Closely associated with cryptographic controls is the issue of digital signatures. The technical part of it is based on encryption technologies, but there are many managerial problems relating directly to the digital signature issue. Especially important is the issue of standards used for generation of the signature. In turn, the cryptographic and digital signature technologies allow implementation of the non-repudiation techniques. Non-repudiation is a procedure that allows resolving possible disputes about occurrence or nonoccurrence of an event or action (i.e., if given messages reach or do not reach the destination). There is a trend to combine all of the above controls into one logical unit, commonly referred to as the Public Key Infrastructure (PKI), as the public’s key encryption technology forms the backbone of the whole technology. The interest of the specialists of PKI is very high at the moment; there are many international conferences, publications, journals, and so forth that are devoted entirely to this topic. There is also a lot of negative opinion about it, basically stating that the technology supporting PKI is not stable. We think that the technology is sufficient to handle the cryptographic processes, but there is not enough business practice behind it. In other words, most of the negative experience with PKI was based on the inadequate analysis of the requirement before launching the PKI implementation projects. In designing all of the cryptographic controls mentioned before, the management should take note about existing legislation, especially legislation that relates to: • • •
Limits of use of strong cryptography. Legality of digital signature. Various laws relating to cooperation with law enforcement authorities (i.e., installation of the equipment monitoring content and destination of messages, releasing of crypto-graphic keys, etc.). Recently, many countries have been in the process of introducing very stringent legal requirements in this field.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Operations Management
•
191
Security of system files. System files are the essential part of any IT system and need to be very well protected. Most of the software-based attacks are, in the end, executed on the operating system level. Hence, protection of these files is very important. It should include (after the ISO 17799) among other controls, that the updating of operational program libraries should be performed only by the nominated librarian upon appropriate authorization. That includes: 1. If possible, operational systems should hold only executable code. 2. Executable code should not be implemented on an operational system until evidence of successful testing and user acceptance is obtained, and the corresponding program source libraries have been updated. 3. An audit log should be maintained of all updates to operational libraries. 4. Previous versions of software should be retained as contingency measures.
•
Overall security in development and support processes. A previous part of this text promoted a system approach to system development of security controls. The process should include not only the effective security controls of the product, but also the creation of a secure environment during that activity. Among other tasks, the following seems to be the most important: 1. Security of the change controls. All changes should be carefully analyzed prior to their introduction for the possibility of conflicts, followed by a detailed documentation of the changes. In the past, such changes were recorded manually, but today they could be completely automated. 2. Technical review of operating system changes. From time to time, a software manufacturer announces a new version of its operating system or patches to it. Such information must be examined carefully, since the introduction of changes could have positive as well as adverse effects on the functioning of the system. Theoretically, all the upgrades should work properly with the older version of application software, but the practice dictates that this is not always the case. It
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
192 Janczewski & Colarik
is recommended that the changes first be implemented on the development machine and only after a clean bill of health is granted, allowing the changes to be introduced to the production system. One of the major New Zealand banks demonstrated to us exactly how this procedure works. They are using two independent systems to process their transactions. One is the main production machine, and the other is used for testing and development. However, in the case of main machine failure, the development system is able, within a few minutes, to take over the entire control of the bank’s transactions processing. 3. Limiting changes to software packages. Any organization should limit the trend of modifying the vendor-supplier software packages. It is not only a question of having enough knowledge to do the sensible changes; it is also the possibility of having substantial problems with the introduction of upgrades prepared by the vendor. Such changes must be done after consultation with the vendor, who should approve the changes under the existing licence agreement and confirm that these changes will not create difficulties with the installation of the next version of the application prepared by the original vendor. 4. Analysis for the existence of covert channels and Trojan procedures. Analysis of a system for existence of Trojan procedures is extremely difficult. (Trojan procedure or software is a part of the system, which existence was not communicated to the user, and which execution could bring adverse effects to the proper functioning of the system). In the case of using software developed by a reputable vendor, doing such an analysis is, in our opinion, a waste of time. Many software packages contain some hidden options, but probabilities of these options having intentionally adverse effects on the system are very remote. Besides, if such Trojan would be found, the creation of bad publicity for the vendor would be extreme. Much more important is performing an analysis for the existence of a covert channel. A covert channel is a way of communicating with the system outside the regular access methods introduced by the designer of the system. The simplest way to examine the existence of covert channels is to install the application in question in a test environment, populate it with the test data, and conduct a series of trials to trace any symptoms of the existence of such channels. We would like to stress that even the most rigorous experiment may not reveal the existence of some quite unusual covert communication channels. During our visit to
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Operations Management
193
England, one person told us that the British Telecom had once discovered that anyone may get a toll signal after dialing a specific number and then pressing the cradle 24 times. It would be very difficult to find out about such a covert channel through the regular tests. 5. Security of outsourced software development. Many organizations are outsourcing software development. This is fine, but the contractual arrangement with the third party, verification of its development procedures, and the final product should undergo the same security scrutiny as in-house products go through.
Compliance Every organization must adhere to regulations imposed by local, national, and international organizations. Some parts of this were covered in Chapter 11 on personnel security. The regulations are governed by two types of requirements: • •
Those resulting from contractual agreements between a given organization and its clients, contractors, partners, and so forth. Those resulting from being a part of an organized society (law and custom law).
Each company should identify all of the regulations that may affect its operations in terms of the security of information processing. Among the most important regulations are: •
Intellectual property rights. Intellectual property rights generally relate to traditional documents, but become a bit vague in relation to software copyrights. Many users of shrink-wrapped packages assume that by the simple act of registering the legal purchase of a software package, they may use it in any way they want. However, in most cases, a client is not really buying a working copy, but rather a permission to use that software in a specified environment. Hence, there should be a careful examination of all the software used by an organization, and care should be taken not
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
194 Janczewski & Colarik
to break the limitations imposed by the software licence. Three aspects always need to be verified. • • •
•
How many copies of the software can be used legally? On how many installations can the software be installed? What is the purpose of the installed system?
Recently, software manufacturers have joined forces to trace violations of software licence agreements, and users must be much more vigilant than in the past. Educational institutions are especially vulnerable to this new enforcement, as unauthorized copies are rampant there. The best way to handle the copyright issue is to maintain a central registry of all copyright materials with a listing of the major restrictions. This registry should also contain all information relating to the licensed product. What is especially important is to keep the registration keys of all the software in one secure location. Safeguarding organizational records. We advocate that all documents be classified in terms of their level of confidentiality, and soft forms of documents should be safeguarded. Keeping these documents under tight control is not only beneficial to the company’s operations, but allows organized access to the content. This is also important from a legal point of view (i.e., when files contain trade secrets or personal information). The most classic example of this is the countless attacks on companies that keep the details of credit card accounts. The perpetrator may eventually be traced and charged, but losses that the victim and the organization sustain can be staggering, both in lost funds and in trust. It is impossible to build a totally safe environment for the safe storage of organizational data. Legislators are aware of this, which is the reason that all regulations relating to safekeeping includes a phrase, with due care. Case 12.4 illustrates the meaning of this phrase. As a result, collected evidence may or may not be accepted by a court of law. The safeguard used must conform to the regular business practice in a given circumstance. This is based on the basic objective of proportionality control introduced by the Organization for Economic Cooperation and Development (OECD). Information Security Principles Proportionality control means that the arrangements for providing the means of controlling
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Operations Management
•
•
195
resources should be more or less proportional to the value of the information. Misuse of IT facilities. Organizations must make it clear that IT facilities are to be used only for the business purposes relating to the objectives of the organization. This should be done by placing an appropriate clause in the employment contract and also by reminding all employees about their obligations. One of our friends, an IT specialist, suggests that an appropriate warning about user obligations should be installed on every terminal and activated anytime the operator logs in. Such a warning can be designed and utilized to require the user to click “I Agree” in order to gain access to the system and continue. Personally, we think that frequently repeated warnings tend to be totally ignored. However, such a warning could be broadcast from a central location from time to time. Control of cryptography. Management must impose strict control on cryptographic tools used within the organization. This requirement is based on three reasons: • •
•
Keeping company secrets secret is obvious, and was covered earlier in this chapter. In several countries like the United Kingdom and New Zealand, there are laws that demand the release of the cryptographic key in the case of a search warrant being issued by appropriate authorities. Even if an organization is not located in such a country, but it maintains business contacts with them, this could result in the opening of very confidential files. Most of the developed countries, including Northern America, Western Europe, Australia, and New Zealand, signed an agreement about limiting distribution of strong cryptographic tools (at the time of this writing, 124-bit key length). Usage of such packages without government authority could be a source of serious trouble.
Control of cryptography can be done in many ways. One of the best but costly ways is to install a reputable Public Key Infrastructure (PKI) System.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
196 Janczewski & Colarik
Case 12.4: Need for maintaining duecare A criminal offense was committed with the use of a computer, or, more precisely, a desktop machine. The constable in charge of the investigation arrived in the office and secured the computer. Upon leaving the premises, the machine was transferred to the trunk of the police cruiser. It remained there for the rest of the day while the constable was performing some other duties that required him to leave the car unattended. In the evening, the machine was transferred to the police station storage room. Later, during the court proceedings, the evidence collected from the machine was dismissed, since the court ruled that the chain of due care was broken by the fact that the constable left the machine in the trunk of his car while performing other duties.
•
Collection of evidence. For the majority of IT people, the collection of evidence means an audit trail, which is the recoding of all the particulars of each transaction done by data processing equipment in a safe place. Setting up an audit trail is a complicated task and includes the following decisions: •
•
What information should be recorded? Storage of all data about transactions can be very costly in terms of required space and any related difficulties with a huge database. On the other hand, small, noncomprehensive records may be useless. Some sort of compromise is needed. Where should the audit trail records be stored? The storage place must be safe in terms of technical quality (i.e., eliminating the possibility of changing or erasing audit trail records).
These decisions are extremely important. A good example of the possible problems related to this is a new phenomenon of e-mail/telephone snatching. This results in an innocent victim receiving huge telephone bills for a conversation that he or she did not make. The mechanics of the fraud are simple. The attacker plants on the victim’s computer a set of instructions that may be executed remotely, on demand, and without the knowledge of the victim. The instructions constitute a system requesting a telecom operator to set up a connection with a remote location and send
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Operations Management
197
the charges to the victim’s account. Then the attacker may activate the code whenever it wishes, enjoying any long distance conversation and paying nothing for it. Establishing a good audit trail on the victim’s machine would help to trace back such a Trojan. One important aspect of establishing the audit trail is testing it for complicity of the work (i.e., if all the transactions are being properly recorded and if the audit trail records are readable by the authorized staff). Once, doing a security audit for a prestigious company, we discovered that they never read the audit trail record. When we insisted on doing so, they discovered an incompatibility between their systems that prevented them from reading the files. You may hear or read many complaints about the MS Windows operating system. Many of these complaints are, unfortunately, true. However, the truth is also that many attacks on Windows-based systems have their origin in the fact that many existing features, which would dramatically improve the security of their installations, are not used at all. The users may not even be aware of, nor care about it. Many users simply are using their Windows system straight out of the box, without bothering to change the default values. The most classic example is the audit trail. Windows has a very powerful audit trail capability. However, all of them are switched off during installation. The final and very important issue within the subject of evidence collection is the preservation of evidence in criminal activities. In other words, the staff should be trained in what to do if it is discovered that someone is tampering with their systems. The power of computer forensics was illustrated in Case 4.8, in which it was possible to read information that was deleted and overwritten several times. Despite the fact that computer forensics has its own limitations, all users should be instructed in what to do in case they discover any criminal activities. These rules can be reduced to two major points: •
Do nothing. This means that if traces of criminal activities are discovered, the staff should leave the machine as it is without trying to do anything, as an act of preserving the evidence. Not many people are aware that the simple switching on and off of a computer changes the content of over 20 registers. Any additional activities would make the job of a computer forensic specialist much more difficult.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
198 Janczewski & Colarik
•
Maintain the chain of due care. Case 12.4 illustrates this basic requirement for preserving the due care of the equipment.
Conclusion This chapter covered security procedures relating to the organization of information processing from the development phase to everyday activities. It clearly indicated that the best way to protect an installation against any type of attack is to anticipate all possible threats, design adequate protective measures, and deploy them. To be effective, these measures need to be set up in a systematic way, first taking into consideration the main objectives of an organization. There are enough documents, guides, and standards to help IT managers design and run these security mechanisms. In our opinion, one of the best is the ISO standard 17799 on Information Security Management. In the next chapter we will illustrate the use of this standard for the development of the most important security-related document—the Information Security Policy.
Bibliography This chapter is a digest of the major issues related to managing information security resources. We believe that it would be non-productive to list all the possible publications related to the content of this chapter. As the primary source of information about the issues tackled within this chapter, we recommend the list of publications mentioned at the end of Chapter 1 on Information Security. If the information found there is insufficient, then we suggest using any search engines, such as Google.com or Yahoo.com as a supplement.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information Security Policy 199
Chapter 13
Information Security Policy
In Chapter 12, we discussed most of the information security issues that are important to IT managers, especially in the current situation of increased attacks. Perhaps the most visible and important document that relates to the attitude of management towards security issues is the Information Security Policy (ISP). (Please note that the most common understanding of the abbreviation ISP is Internet Services Provider. For clarity within this chapter only, ISP means Information Security Policy.) This document reflects all the decisions and activities required to set up a clear set of rules and procedures for company employees in terms of protecting information assets. The ISP is also used to: • • • •
Place security on an equal footing with all of the other company’s business issues. Demonstrate top management support for the protection of company information. Create a security-conscious atmosphere within the company. Provide proactive preparation against possible lawsuits based on breaches of laws, such as privacy acts or contractual obligations like confidentiality agreements.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
200 Janczewski & Colarik
To function properly, the ISP document must be based on the company’s general business policy. The ISP document should exist in three different formats. •
•
•
General ISP Policy. A general ISP policy may be a very short document (i.e., less than one page) stating that the security of information is important to the company, and that all staff members are responsible for assuring that data will be accessible only to those authorized, and not changed without authorization. More or less, it is an ISP mission statement. Practical ISP Rules. Practical ISP rules is a collection of basic rules on how to handle company documents and resources in order to maintain a high level of security. These rules are top-level concepts of security dos and don’ts. For instance, it could contain a statement that all company files need to have backups performed at the end of each working day, or that no staff member is allowed to disclose his or her password to anyone, and so forth. Practical ISP rules usually are a few pages in length. It is a good custom to present this document to all employees and to ask them to sign an acknowledgment. Detailed ISP Procedures. A detailed ISP procedures document is an extension of the practical rules and contains details of all the procedures mentioned in the practical ISP rules document. It is also a detailed instructional breakdown of those rules (i.e., how to do a proper backup). Obviously, the development of such a document can have an initial cost, but once created, it can provide a basis for employee training and consistency.
The practical ISP rules are perhaps the most important part of the ISP, and the rest of the chapter will concentrate on this. Because of the variations in hardware, software, and network infrastructures, we must defer the detailed procedures for internal development on a company-by-company basis. Just keep in mind that such procedures will come from a thorough rules document. An ISP should address a number of issues, and the following seem to be the most important (not necessarily in any order of importance). •
Secure communications. Any issues related to the importing and/or exporting of data from the company is a process to which access should be given only to authorized persons and systems.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information Security Policy 201
•
• •
•
• •
•
Isolation infrastructure. A clear delineation of the internal and external borders of a company for the purposes of assigning access rights for changes of data; assigning storage responsibilities; and designating employee, vendor, and supplier boundaries. Identity infrastructure. The methods used in the authentication of users and systems seeking access to the company system. Permission infrastructure. A system that establishes the rights of individual systems or operators to read, write, or execute specific system resources and information. Isolation infrastructure determines who is able to gain access rights to IT resources, while permission infrastructure determines those rights. Configuration management. A collection of all the rules and procedures related to introducing changes to the topology of the system (i.e., all installations, upgrades, patches of software, changes to hardware and network, etc.). User management. All activities related to providing the end users with all the resources they would need in their regular work. Threat management. The procedures for handling information about all identified threats, including the fixing of discovered vulnerabilities, reviews, system audit analyses, and so forth. Conformance monitoring. Many installations should not only follow the internal rules of operating in a secure mode, but must also follow the rules imposed by contractual agreements and national or international laws. The most widespread example is the illegal use of software by corporations, which is in direct violation of international copyright laws. Lack of enforcement creates a host of litigation and public relation issues for the company and its officers.
A good ISP must be driven by the company’s mission statement. Management may decide which issues are more or less important, and which issues should be given an adequate amount of attention in the document. But we would like to emphasize again that all of these issues should be evaluated.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
202 Janczewski & Colarik
How to Generate an ISP As it was explained earlier, any ISP needs to be based on the company’s business policy, and the development of such a document requires wide cooperation of all the staff and division or departmental managers. ISP must be considered with regard to the inventory of a company’s systems and connected components, associated risks resulting from the usage of these systems, and the security budget. It is these three areas that help a development team to create a comprehensive, workable ISP. The question of risk analysis was presented in Chapter 3. In the following section, we make an assumption that the risk analysis results have been completed and are known to the ISP development team. This permits the development team to suggest a number of variable solutions, utilizing any optimal business practices and available resources that a company already established. On this basis, the following steps are recommended: •
•
•
•
A set of requirements that reflect the business response to company threats, generated on the basis of risk assessment. The business manager may create this. Collect the central, common policies into a base policy document. Evolution is always much more efficient than revolution in terms of economic and human responses. Taking from previously created rule sets has great efficiency implications. If the company has several business divisions, and these divisions have already developed a local ISP, it is recommended that they be collected and used as a basis for the new ISP. Produce an outline of the policies that will be needed in each security domain. Each department or division (i.e., domain) should have an ISP tailored to its own needs. This document is in addition to the core rules of the company as a whole. For instance, different ISPs can be generated for staff servicing clients and for staff servicing the administrative staff, while all employees will follow the same core set of rules. Present the threats, costs, and impact of various mitigation approaches. During negotiation with a branch management, such a presentation is a must. On one side of the coin are the gut feelings of the management; on the other side is a solid research of the problem. This may require the assistance of a knowledgeable security officer. In other words, the overall policy and branch policy need to be set up not only in cooperation with the
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information Security Policy 203
branch management, but with the support of any direct research of the problem. The process of creating such a policy is relatively straightforward when following the ISO standard 17799 on Information Security Management. ISO 17799 was developed by information security specialists and accepted as a national standard by such countries as the United Kingdom, Canada, Australia, and New Zealand before becoming an international standard. This standard deals not with computer security, but with information security, and therefore reinforces the business perspective. The areas requiring resolution are covered in the standard and are presented here. 1.
2. 3.
4.
5.
6.
Terms and definitions. a. Information security. b. Risk assessment. c. Risk management. d. Security policy. Information security policy. Security organization. a. Information security infrastructure. b. Security of third party access. c. Outsourcing. Asset classification and control. a. Accountability for assets. b. Information classification. Personnel security. a. Security in job definition and resourcing. b. User training. c. Responding to security incidents and malfunctions. Physical and environmental security. a. Secure areas. b. Equipment security. c. General controls.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
204 Janczewski & Colarik
7.
Communications and operations management. a. Operational procedures and responsibilities b. System planning and acceptance. c. Protection against malicious software. d. Housekeeping. e. Network management. f. Media handling and security. g. Exchanges of information and software. 8. Access control. a. Business requirement for access control. b. User access management. c. User responsibilities. d. Network access control. e. Operating system access control. f. Application access control. g. Monitoring system access and use. h. Mobile computing and teleworking. 9. Systems development and maintenance. a. Security requirements of systems. b. Security in application systems. c. Cryptographic controls. d. Security of system files. e. Security in development and support processes. f. Business continuity management. g. Aspects of business continuity management. 10. Compliance. a. Compliance with legal requirements. b. Reviews of security policy and technical compliance. c. System audit considerations.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information Security Policy 205
To assist in the development of a typical ISP, we are presenting an example of a real policy. Due to confidentiality reasons, we have deleted the company name and changed the names of the departments.
Example of Information Security Policy •
•
•
•
Access to information/systems. Staff accessing (Company Name) information systems must, where the facility is provided by the system, use a unique user ID and password. Access to (Company Name) systems is restricted to users who must be formally authorized by (Company Name) management. Remote access to (Company Name) systems must use (Company Name) approved access software. Staff must not access systems or use access privileges they have not been formally authorized to use or access. Password controls. Passwords must be selected in accordance with Section XX of the IS Security Handbook, they must not be written down and must be changed if disclosed. Sharing of passwords between staff is not permitted. Passwords must never be disclosed to any other individual(s). For example, Help Desk and Systems Administrators will never request disclosure of passwords. Internet access. Internet access is provided to authorized staff as a (Company Name) business tool. Staff must respect copyright, censorship, decency, privacy, and licensing laws with respect to both software and information obtained. E-mail usage. Information classified as “highly protected” or “confidential” must not be communicated unprotected over the Internet. Where email is sent to external parties, staff must ensure that they maintain a professional standard of communication and do not bring (Company Name) into disrepute –this includes, but is not limited to, the forwarding of jokes, chain mail, and/or inappropriate pictures and movies. Care should be taken when forwarding mail messages from other staff to external parties to ensure that the content is appropriate and that it does not contain comments not intended for external use. Note: (Company Name) reserves the right to review staff usage of Internet e-mail and access to Internet Web sites, as well as any other use of (Company Name) systems.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
206 Janczewski & Colarik
•
• • • • •
•
•
•
•
General computer usage policies. Workstations should be protected with (Company Name) standard password enabled screen savers when not in use. At the end of the day, all staff should terminate all applications and log off from the network, leaving PCs at the login prompt. Note: It is not necessary to completely power down the machine. Staff must use only (Company Name) owned and licensed software. Staff-owned computer devices are not permitted to be connected to the (Company Name) network, unless exemption is obtained from CIO. Unauthorized executable files such as games are not permitted to be installed or run on any (Company Name) PCs. Pornography and offensive material is not permitted on any (Company Name) hardware. No software, including shareware, freeware, and demonstration software should be downloaded from the Internet (or other sources) and installed by staff on (Company Name) PCs without express written authorization from the CIO. Staff must not change the configuration settings of their PCs or any applications (e.g., virus detection software) except where directed by IT Help Desk. Viruses. All diskettes and other data media received by staff members must be scanned for viruses using the (Company Name) standard virus protection software. If a virus is suspected or detected, staff should call IT Help Desk immediately. Viruses can also be received via e-mail; therefore, staff should use all due care to ensure that they do not open harmful e-mail attachments. Mobile device security. Mobile devices such as laptops, cell phones, and PDAs must be physically secured when at home or in transit. Information stored on these devices must also be secured to prevent theft and unauthorized use of data. Printed and magnetic information. “Highly protected” and “confidential” information stored on electronic (i.e., tape, diskette, and CD) and printed (i.e., paper, microfiche) media must be securely stored and/or destroyed to protect against unauthorized disclosure. If (Company Name) information must be taken home, staff must ensure that it is appropriately secured. Under no circumstances should “live” or production data be stored on a home PC.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information Security Policy 207
•
•
•
•
• • •
Remote access to (Company Name) systems. PINs and physical tokens associated with the (Company Name) Remote Access Systems must be secured to prevent unauthorized access. Copyright and control. Staff is only permitted to make copies of any (Company Name) software for backup purposes. Copies made for any other reason must have express written approval from the CIO. Secure destruction. All hard copies of “highly protected” information must be shredded when no longer required. “Confidential” information no longer required must be either shredded or placed in one of the secure destruction bins in your department/branch. Backup. All company information must be backed up. Network backups are performed automatically. Critical information stored locally on a workstation’s hard disk must be backed up manually by staff or local systems administration staff. Lost or stolen computer and telephony hardware. IT Help Desk must be informed if any hardware is lost or stolen. Software evaluation. Unless an exemption has been obtained, all software for valuation or purchase must be approved by the CIO. Breaches of policy. Serious breaches of policy can result in action up to and including dismissal. • Common breaches of policy. • Opening unsolicited e-mail. Staff should not open or run unknown files from external sources unless they are expecting an attached file, as it is possible that e-mails of this nature could contain a virus. If you have any concerns about the nature of the e-mail, then please delete it. • Chain mail. Electronic chain mails are designed to clog mail systems by reporting nonexistent viruses or nonexistent competitions. They are characterized by asking the recipient to send a copy to all their friends and coworkers and, in some instances, proposing bad luck if these instructions are not followed. These types of e-mails have crashed mail servers and, in some cases, resulted in staff dismissals where a staff member has been offended by the implications of the e-mail. Never forward these types of chain mail under any circumstances. • Unauthorized downloading of software. Downloading and installing of unauthorized software from the Internet can cause
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
208 Janczewski & Colarik
•
•
•
•
•
a staff member’s machine to crash. This activity opens (Company Name) up to the risk of viruses and Trojans, and also carries a significant cost implication when the machines are required to be rebuilt. Staff should not download any software from the Internet. Inappropriate Web site access. Accessing and downloading images from pornographic or other inappropriate sites is not permitted. Staff members have been dismissed for this activity. All of this activity is logged and reviewed. Staff should ensure Internet use is in line with policy. Access to Hotmail or other free Internet e-mail services. These present a significant security risk, as they bypass mechanisms to detect viruses and unauthorized attachments (e.g., a user retrieved an attachment in this way and infected the user’s own machine plus three others). Accessing Internet e-mail services is prohibited. E-mails to external parties. “Highly protected” and “confidential” information should not be e-mailed to external parties, as this channel of communication offers no security over who can view and use this information. For example, sensitive documents have been e-mailed to copy centres who have no confidentiality agreements, or to friends at other companies to print out (e.g., branch sales figures). “Highly protected” and “confidential” information should not be sent via e-mail. Inappropriate use of (Company Name) resources. Staff should not use (Company Name) resources for reasons other than (Company Name) related work (e.g., a staff member was working on a contract for another company and running a separate business using (Company Name) hardware and software). Staff should use (Company Name) resources for (Company Name) work purposes. Sharing of passwords. Passwords provide the first level of control in preventing unauthorized access to (Company Name) owned systems. The sharing of a password leads to unauthorized events or transactions taking place on the system. Each individual is accountable for every event or transaction that takes place under the individual’s account. Sharing of passwords is prohibited.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information Security Policy 209
•
Inappropriate e-mail use. The forwarding of pornographic and other inappropriate material such as chain mail, movies, jokes, or sound files is not permitted, as is excessive personal use. All of this activity is logged and reviewed, and abuse of e-mail policy has resulted in staff dismissals. Staff should ensure that e-mail use is in line with policy.
Implementation of ISP The generation of the ISP at the procedural level is not simple, but its importance is obvious. However, the generation of any ISP makes sense only if it is followed by effective implementation. The implementation process includes three important activities: •
•
•
Communicating the ISP to the staff. In Chapter 11, we suggested that all employees must sign the policy upon starting employment. This solution is perhaps the most popular. There are voices in the IT community that say that the ISP should be signed every year, but we believe that this is an exaggeration. Issuing reminders of the importance of the security issues and policy changes within the company’s ISP seems to be more proper. Enforcing clauses of the ISP. Management must demonstrate a clear understanding of the ISP content and consistently demonstrate their willingness to follow and enforce it. Nothing would be more discouraging and counterproductive for the staff than to see the managers not following ISP regulations. One of the most typical examples of such policy breaches is the exchange of illegally copied computer games and videos. Keeping the ISP updated. We expressed ISP update requirements a number of times in the previous text. If some clauses of the ISP have not been changed as a result of the environmental changes, then there is a tendency to neglect the whole document and all the concepts behind it. Every year, the IT manager should examine the ISP and introduce any necessary changes. Communicating these changes usually has a very positive reception among the employees; they see that management does care about the security issues.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
210 Janczewski & Colarik
Managers: Remember that your staff is watching you! Give them a good example and follow the Information Security Policy. Otherwise, your information security will go down the drain.
The generation of an ISP in terms of time and effort, especially for smaller organizations, could be prohibitive. On the other hand, an ISP is the most important document related to organizational information security issues. We have already suggested this, but we are repeating it again that the ISP should be generated as a result of the following: • • •
Performing company-wide information risk assessment analysis. Cooperation and support of all the company’s management team. Using ISO 17799 standard as a backbone of the ISP structure.
Conclusion The typical ISP may not necessarily address the core issues of cyber-terrorist and information warfare attacks against IT directly. However, its role is very important, as it guides the company in the practical implementation of the company information security system and lays the foundation for a responsive system in combating a host of potential attacks. A well designed and implemented ISP will, without any doubt, increase a company’s overall resistance to the disruption of its IT resources. Therefore, the development, implementation, and update of the company ISP are essential for every organization. In Chapters 4-9, we defined the most probable cyber-terrorist and information warfare attacks against information systems. However, the nature of these attacks might not necessarily have a terrorist background. Personal grievances may lead to many of these attacks. Hence, there is no need to directly address such types of attacks in the ISP document.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Information Security Policy 211
Bibliography http://secinf.net/info/policy/hk_polic.html Introduction to Computer Security Policy. http://www.computerworld.com/securitytopics/security/story/0,1080 1,84767,00.html Practical voice about the design and implementation of information security policy. http://www.information-security-policies-and-standards.com/ Directory of information security policies, computer security standards, and information security policy template. http://www.open.ac.uk/university-documents/information_security _policy.html Example of a university security policy. http://www.pacificis.com/p4/index.html Information Security Policy Manual. http://www.techdirectory.ws/Computer_Security/Intrusion_Detection _Systems/default.aspx A directory of Web sites offering information on security policies. http://www.windowsecurity.com/whitepapers/Building_Implementing_ Security_Policy1228.html Building and implementing a successful information security policy. Other Interesting Readings Barman, S. (2001). Writing information security policies. Que. Flynn, N., & Kahn, R. (2003). E-mail rules: A business guide to managing policies, security, and legal issues for e-mail and digital communication. AMACOM. Fugini, M., & Bellettini, C. (2004). Information security policies and actions in modern integrated. Hershey, PA: Idea Group Publishing. Jones, E. (2001). Information security policy manual. Rothstein Associates.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
212 Janczewski & Colarik
Peltier, T. (2001). Information security policies, procedures, and standards: Guidelines for effective information security management. CRC Press. Wood, C. (2002). Information security policies made easy. Baseline Software.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Business Continuity Management
213
Chapter 14
Business Continuity Management
Business continuity management is a process aimed at reducing disruptions caused by disasters and security failures that could be the results of natural phenomena, accidents, failure of equipment, or deliberate human acts. Among the last of the results are cyber-terrorist attacks or acts of information warfare. A long time ago, it was proven that the present level of technology allows for the elimination of pilots from the cockpits of large commercial jets. A huge jumbo jet is able to take off, fly to the opposite side of the globe, and land safely without human intervention. With this knowledge, we must wonder why airline pilots spend so much time on flight simulators, and why pilots are still needed in the front of the plane. The answer is really quite simple: they are rigorously trained to handle emergency situations. The same approach to emergency preparation applies to IT. In these times of terrorism, we need to design and implement plans on how to react in such crises, and what to do to minimize the possible results of attacks against the information resources of an organization. In Chapter 3, we discussed the possibilities of being hit by a terrorist or cyberterrorist attack. Let us summarize here again the main points of this discussion. •
The most probable form of any attack is being infected by a computer virus. According to every available survey, only a small number of systems have never faced such a threat.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
214 Janczewski & Colarik
•
•
•
•
The next most popular threat is the theft of laptops, which may result in providing an access point into a company, furnishing critical security data, or losing confidential information. The probability of disasters like floods and fire is next on the list of possible threats. Depending on the location of your organization, other natural disasters must be considered (i.e., earthquakes or tsunamis). The probability of a cyber-terrorist attack depends largely on the public profile that your organization maintains. It is obvious, as it was mentioned before, that government or military agencies are primary targets, but any well known organization could be such a target (well known international corporations, in particular). If your IT facilities are servicing or located near a government, military, or other highly sensitive operation, then there is a high chance of collateral damage resulting from conventional terrorist attacks against the organization. This also depends on where the operation is located. Currently, the Middle East is perhaps the most dangerous zone.
A decade ago, a large earthquake shook Kyoto, Japan. Significant parts of the downtown were totally destroyed. It is estimated at that time that about 20% of businesses did not survive the quake due to the destruction of their computer-located records. On the other hand, we read a report on actions taken by management of a major U.S. West Coast bank whose headquarters were destroyed in a fire. Within a day they were able to resume basic operations, and within a week resume all regular activities. This was made possible because management had prepared a solid business continuity management program.
Business Continuity Management Process Preparation of a quality business continuity plan requires a systems approach consisting of three phases:
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Business Continuity Management
• • •
215
Risk analysis. Preparation of the business continuity plan. Implementation of the plan.
Again, we stress the importance of the system approach to dealing with information security issues. Planning for business continuity is one of the best examples. It must be based on the overall business objective of an organization and woven into the security system. We will illustrate this through the discussion of these three phases of the process.
Risk Analysis Phase In this phase, management must identify the events that can cause disruptions of the regular business processes. Management must assess the probability of all these events and the possible range of damages resulting from their occurrence. Risk analysis should include providing answers to four connected questions: 1. 2. 3. 4.
What type of disaster can strike, and what is the probability of it? In what way can the disaster be detected? In what ways can the disaster spread and cause additional damages? What overall damages are possible in the physical, financial, and marketing aspects?
In Chapter 3, we outlined the risk analysis framework. A thorough risk analysis performed at the beginning for the preparation of the information security system can be used for the preparation of the business continuity plan. It needs to be enhanced only by providing answers to the above questions. In this way, there will be no need to perform a highly detailed analysis. Such a solution is one of the best examples of optimization offered by the system approach to information security.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
216 Janczewski & Colarik
Designing the Business Continuity Plan The reaction of an organization depends on the nature of the disaster. The first point in the development of a business continuity plan is determining how a particular disaster is recognized and who is responsible for the overall action plan to handle it. This must be followed by precise yet flexible instructions on what to do next. These instructions cover a number of activities with assigned priorities, starting from the safety of the personnel, then the safety of the resources, and finally, the safety of the business objectives of the organization. A business continuity plan can include such components as standby staff, secondary facilities, and procedures. Many components of the business continuity plan must be considered for public services such as fire departments, ambulance services, police, and so forth. The designers of the plan must be aware that, in the case of a general disaster, receiving help from the outside may be limited, and the plan must be based first on all internal resources at the disposal of the organization. All business continuity plans need to be built with the escalation principle in mind. This means that the type of defending activities strongly depends not only on the nature of the disaster, but also the way it is spreading and how successful (or, unfortunately, not successful) the efforts are to stop its spread. Not every possible risk can be properly assessed, nor all correction mechanisms implemented. Thus, each organization must evaluate arranging a suitable insurance as a part of the business continuity plan. A good business continuity plan should address the following issues: •
•
• •
Procedures for the activation of emergency procedures must include who is involved, what sort of authority is required, and who is going to assess the situation. A description of the basic emergency procedures relating to a particular accident type. The plans should include arrangements for cooperation with appropriate public authorities (e.g., fire, police, local government, etc.) and tasks for public relations officers. Escalation procedures including the possibility of moving the essential services to a backup location and launching operations from there. After a direct danger ceases to exist, there must be plans for activities leading to the return to normal business operations.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Business Continuity Management
• • •
217
Training of staff for handling the emergency procedures. A plan for implementing the business continuity plans and the methods of verification and introduction of updates. Listing of the people responsible for a particular part of the plan.
There may not need to be a reason to ask everyone to read every section of the business continuity plan, as many aspects of the plan may be irrelevant to a substantial portion of company employees. However, if a disaster strikes, everyone should know what to do first, and especially those responsible for managing the business continuity plans. One of the most important components of a good business continuity plan is training the staff to handle the emergency procedures. This must include many quite different aspects of handling information processing. Of course, the most important is a fire drill, but other training should also be included. Two examples of such training are presented in Cases 14.1 and 14.2. When designing a plan for handling emergency procedures, there is a tendency to rely on existing public services like the power supply, telephone network, fire brigade, and the like. We recently saw such a set of procedures, which governed the functioning of a mobile telephone service. When we challenged the author, the response was: “The U.S. mobile system is built with such redundancy that it may handle any foreseeable emergency. The mobile system around the Twin Towers was restored within 40 min. of the attack.” This may be true, but we must realize that despite the amount of damage caused by the 9/11 events, this was very limited in comparison to the enormity of the size of the city involved. The same may not be true in the case of a major earthquake such as in Los Angeles, or in the case of a less developed country setting. Hence, a real business continuity plan must accommodate the possibility of losing basic public services.
Implementation of the Plan Implementation of the business continuity plan contains two very important components: • •
Testing of the plan. Maintenance and verification of the plan.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
218 Janczewski & Colarik
Case 14.1: Adequate fire drill training In an unnamed particular computer centre, the threat of fire was substantial. The facility is located on the ground floor of a multi-story office building housing some very important institutions. The manager of the facility noticed the lack of proper fire drill training. Understanding the damage that may result from a fire, he ordered a real fire-fighting exercise for his whole crew. Group after group of employees was led to a courtyard where a bucket full of petrol was ignited. One by one, everyone had to put out the fire. At the time, many in the office felt that the manager was wasting time and money. But less than a year later, there was a fire ignited by faulty equipment in the computer room. One of the trainees remembered what to do, picked up a fire extinguisher, and doused the fire before it had a chance to spread.
Case 14.2: Training in upgrades of system software In a software development house, the importance of having a backup facility is clearly recognized. The backup facility usually must have the same type of equipment and operating system in order to maintain parity between the two locations. In one such organization, the facility manager initiated a series of tests to ensure that a total recovery was indeed capable of happening. The initial results were a total disaster. While both organizational units were using the same equipment and operating software, one system was several upgrades behind. This, in turn, generated incompatibilities that were severe enough to stop the transfer of processing. After this experience, rigorous arrangements were set up to train the staff of both facilities in simultaneous upgrades of both installations with new software patches.
Testing of the plan is aimed at finding incorrect assumptions, oversights, and changes in the conditions of organizational functions and personnel. Testing includes the whole plan or its component parts. Testing rigor can occur at various levels, such as office discussion of the plans or including various levels of simulations (i.e., fire drills) (see Case 14.1). Periodic testing is very important, but should disturb the regular functioning of the organization as little as possible. Testing must include not only testing the technical operation of the organization, but also testing the supplier, services, and contact with clients of the organization (similar to the situation described in Case 14.2). In our opinion,
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Business Continuity Management
219
such testing should be done at least once a year and cover all the aspects of the activities of the organization. In more detail, testing of the plans may include the following elements: • • • • •
Holding discussions of the plans among people responsible for directing the business continuity plan’s execution. Performing simulations of specific emergencies, which may include only some parts of the plan or complete rehearsals. Testing of the technical aspects of the plan, as mentioned in the chapter on the testing of backup procedures. Testing of suppliers and externally provided services (i.e., how efficiently the replacement of damaged equipment is delivered to the premises). Testing of the backup location facilities.
Business continuity plans work if they reflect the reality of the organization. Any changes to this may render the plan completely useless. Case 14.3 illustrates this. Management must review its plans frequently and introduce all changes (e.g., changes in names, contact people, organizations that are part of the plan, legislation that could influence the plan, operational procedures, and risks).
Case 14.3: Repair shop for faulty equipment During the auditing of a local branch of an international bank, we queried about the way they were handling faulty equipment. They showed us instructions prepared for such an event, where the procedure for handling the broken equipment was outlined. The procedure contained all the steps, including the telephone and the address of the authorized shop in charge of the repairs. We were impressed. Later, we were discussing some other matters with an employee of that bank, and we referred to that particular procedure. We learned then that since about a year ago, the bank changed the designated repair shop with an entirely different one, but did not reflect this change in the instructions.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
220 Janczewski & Colarik
Commentary Throughout this text, we have outlined procedures, policies, and implementations that would increase the security of information processing. The general concept of business continuity is well known. However, it is surprising that only the largest organizations such as banks are seriously dealing with this issue. Smaller organizations are doing almost nothing and are taking unnecessary risks. We believe that business continuity planning is an issue that should be taken seriously by organizations of every type and size. The foundation of business continuity planning is the risk analysis performed during the initial stage of building the security system of an organization. Findings of the risk analysis can then be used to build a comprehensive plan following the rules outlined earlier in this chapter. Unpredictable methods used by cyber-terrorists increase the important role of business continuity planning, which at present should be an indispensable component of the security system for every organization.
Bibliography http://www.disasterrecoveryworld.com/ Directory of software for business continuity planning and disaster recovery planning. http://www.enera.com/rr_aw_rapidreach_link.htm An example of business continuity tools. http://www.yourwindow.to/business-continuity Disaster Recovery Planning, an online guide. http://info-center.ccit.arizona.edu/~bcis/BusCon.html CCIT disaster recovery plan. http://www.contingencyplanning.com/ Newsletter devoted to business continuity planning. http://www.business-continuity-and-disaster-recovery-world.co.uk/ British business continuity planning and disaster recovery planning practitioner’s directory.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Business Continuity Management
221
http://www.umassp.edu/policy/data/busines.html University of Massachusetts business continuity planning guidelines. Other Interesting Readings Barnes, J. (2002). A guide to business continuity planning. John Wiley & Sons. Best practices–Business continuity planning: Giga Research Digest (2000). Giga Information Group Inc. Doughty, K. et al. (2000). Business continuity planning: Protecting your organization’s life. CRC Press. Elliott, D. et al. (2001). Business continuity management. Routledge. Fulmer, K., & Fulmer, K. (2000). Business continuity planning, a step-bystep guide with planning forms. Rothstein Associates. Laye, J. (2002). Avoiding disaster: How to keep your business going when catastrophe strikes. John Wiley & Sons. Myers, K. (1999). Manager’s guide to contingency planning for disasters: Protecting vital facilities and critical operations. John Wiley & Sons. Syed, A, & Syed, A. (2003). Business continuity planning methodology. Sentryx.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
222 Janczewski & Colarik
Epilogue: Thoughts for the Future
The current state of affairs in the realm of information security and, in particular, the focus of this text in the area of cyber-terrorism and information warfare, make us aware that there is a growing attentiveness to security issues. There is a lot of information on combating various forms of electronic warfare and sabotage derived from the existing vulnerabilities of connected, open systems. Security is an ongoing endeavor that must continually improve against a dynamic environment of threats. As a result, there will be new innovations as we continually evolve and reexamine our responses to an ever-increasing series of attacks on our systems. We have discussed here many of the consequences of the physical aspects of terrorist attacks, and have proposed solutions for permitting an organization to survive such devastation by protecting its information resources. Information resources are a key objective to an organization’s surviving an attack. They are also a fundamental target. Following the September 11th attacks, new laws have been introduced to curtail the rise of terrorism throughout the world, and this will ultimately alter how we manage organizational relationships. One aspect of this changing landscape is an emerging threat of cyber-terrorism. While there are those that feel this new threat is simply a bunch of hype due to the infrequency of such attacks, we believe that in coming years, global information networks will become the next battleground as they function in a similar manner as political
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Epilogue: Thoughts for the Future 223
democracies. They are a target because they are the fruit of political democracies and represent the means of sustaining our ideology. Here is why. Historically, Western democracy has been the bringing together of diverse ideas and approaches with the principles of equality and respect through power sharing for the individual within a community. Fundamentalists claim that they respect individuals, as well, but on the point of power sharing, there can be no contention. In democracies, individuals are empowered to act, question, and decide. They create an environment where individual discretion makes a considerable impact on such acts and encourages individuals to work together to assert greater control over various power-oriented aspects of their lives. All this is brought to bear for the general well being of its participating citizens. To support the general well being in Western democracies, the people who make the decisions, raise the questions, perform the actions needed, and access the information satisfy themselves that their well being is being well looked after. To stop an ideology, its actions must be shown to be weak, its decisions poor, and its questions outdated. The flow of information in a democracy is a key source of nourishment for the Westernized way of life. Less developed countries sometimes take on the title of a democracy by lessening their authoritarian approaches to governing by granting greater levels of expression. However, the failed test of a democracy occurs the moment that the majority of people want to take charge of their own lives by installing representatives into the government structure, and despotism and authoritarian rule reassert themselves and revoke what was granted. The truest test of a democracy is the complete restraint of the government to revoke the unalienable rights of its citizens. In this way, the legislative branches and information flows are kept open to those who choose to question, decide, and act upon the individual ideas about a country’s future. Technology in a democracy brings relevant information to individuals so that they may make informed actions; it assists in implementing these actions and facilitates the monitoring of actions. It also assists its citizens by the free exchange of ideas and thoughts, the dissemination of unlawful or destructive governmental actions, and other human rights of free association. Technology is creating a convergence of cultures, approaches, and governmental processes on a global basis. Technology and culture convergence is driving each of them forward. Through changing hierarchies into networks and centralized control into distributed participation, communication technologies are changing how we make decisions at all levels of an open society.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
224 Janczewski & Colarik
With regard to nations and how they govern themselves and protect their citizens, the emergence of trans-governmental relationships is founded on technology. In fact, the war on terror has only served to strengthen these lines of communication and cooperation with friendly Westernized countries. The sharing of intelligence, individual histories, and governmental initiatives on a global scale simply reinforce the need for the underlying communications technologies. An effort to reduce, minimize, and eliminate any form of terrorism also creates civil liberty issues that make a populace nervous about eroding rights. The reality is that some changes in how we approach the prevention of terrorism must be considered for an open society to ensure an appropriate level of security to its citizens. Whether these changes come from active participation from its individuals, directives from the governing bodies, or a combination of the two, change is still a fact of continued existence. These changes in themselves create further resistance. From an historical perspective, true democratic and open systems do not attack other open systems. While there are always areas of dispute, such conflicts are generally resolved agreeably and with little harm to its citizens. Attacks of aggression are initiated by authoritarian or dictatorial systems against other dictatorial or democratic systems. Both democracies and communication technologies (e.g., the Internet) are fundamentally open systems that are designed to operate in an open environment (i.e., transparency). In both systems, there will always be individuals or groups ready to challenge the system. We cannot stop them from launching challenges, but we must be ready to handle their challenges. This book describes the interactions between technology and society in relation to information security and cyber-terrorism in particular. The role of technology was summarized and discussed in other parts of the text. On this note, we would like to point out to our readers the issue that may arise from the growing complexity of information systems (or more precisely, computer networks). Information systems are performing their primary function—processing, storage, and transmission of data. In order to accommodate an ever-expanding set of functions, the designers are incorporating into the design of the systems additional abilities that allow networks to modify their operations without human intervention. We may infer from this that information systems continue to have more and more self-correcting and self-associating capabilities. This allows us to make another long-range prediction: The continued evolution of networks may additionally produce inadvertent malware-like code that Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Epilogue: Thoughts for the Future 225
could spread to other connecting networks in a similar manner as computer viruses. Computer viruses that are developed by humans are labeled viruses because their nature and behavior approximates that of biological viruses. Using this same analogy, we believe that very soon we shall see the beginnings of self-generating or self-destructing software, or what we call software cancers. These cancers, like those found in the human body, will be aided by poor life style (i.e., system maintenance), reckless behavior (i.e., lack of protective systems), and added stresses on weaknesses in a system (i.e., information warriors and cyber-terrorists). Another very important aspect of human activities is the perception of danger. We are not afraid to use our cars, despite the fact that a large number of road causalities happen. Only the most spectacular road accidents are reported in the mass media. The same applies to terrorism. First, there has been widespread coverage of terrorism activities in Northern Ireland as a result of IRA attacks; then there was an increase in terrorist activities reported in the Middle East; then there was September 11th, followed by Bali and a train attack in Madrid. Such reports are increasing the level of fear within society and work for the benefit of terrorist organizations. The reduction of public attention to terrorist activities would lessen the effectiveness of the attacks from the terrorists’ and cyber-terrorists’ points of view due to reduced visibility. Unfortunately, the mass media are thriving on the reporting of terrorist activities, and there is no foreseeable way of limiting such coverage in democratic societies. All the above leads us to the final prognosis that cyber-terrorism will continue to grow in frequency and will be with us for a long time to come.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
226 About the Authors
About the Authors
Lech J. Janczewski has more than 35 years of experience in information technology. He is an associate professor of the Department of Information Systems and Operations Management at the University of Auckland, New Zealand. His area of research includes management of IS resources with a special emphasis on data security. Janczewski has written more than 100 publications that have been presented in scientific journals, conference proceedings, and books. He is the chairperson of the New Zealand Information Security Forum and a fellow of the New Zealand Computer Society. Andrew M. Colarik has accumulated more than 20 years experience of knowledge utilizing computer information systems. He continues to provide systems design, network administration, equipment review and selection, troubleshooting, and hands-on training of installed systems for businesses in the financial, manufacturing, and government industries. As a researcher, author, and inventor, he has been published in top-tier security conferences, and is an inventor of both utility and design patents. He is the holder of a PhD in information systems from the University of Auckland, New Zealand, an MBA from Kent State University, USA, and a BA from Hiram College, USA.
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Index 227
Index
A
C
access control 13, 131, 143 accountability 3 annualized loss expectancy (ALE) 56 ARO (Annualized Rate of Occurrence) 56 assets classification and control 12 audit trail 196 authentication 131 authentication method 132 authenticity 3 availability 3 awareness 14
cameras 71 Christmas Tree worm 86 Colossus project 4 common criteria standard 21 communication and operating management 12 compliance 13 Computer Crime and Security Survey (CCSS) 9 computer graffiti 45 computer security 1 computing facilities 6 conferences 18 confidentiality 2 Confidentiality Disclosure Agreement 166 configuration management 201 conformance monitoring 201 corporeal conflicts 47 crypto card 139 cultural differences 33 cybercrime 43 cyber-terrorism 40, 43 cyber-terrorist attack 214 cyber-terrorists 115 cyber-warriors 115
B backup procedure 185 BIND 108 biometric verification 132, 141 book values 50 books 17 bridge 110 buffer overflow 177 business approach 144 business continuity management 13, 213 business continuity plan 216
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
228 Index
D DDOS 108, 113 defacement 97 denial of service (DOS) 46, 85, 113 detailed ISP procedures 200 digital signature 190 distributed denial of service attacks (DDOS) 46, 86 DNS 46 DNSSEC 108 Domain Name Servers 106 Domain Name Service (DNS) 106 double challenge protection 67
E Eavesdropping 65, 79, 112 EF 56 encapsulated payload mode 108 export of technology 33 external disturbances 64, 75 external values 50
F fear 26 fear factor 45 file storage 186
H hardware 12 haves and have not societies 33 hiring requirements 165 honeypot 103 housekeeping 181 hub 110
I ICMP Echo-Request 89, 113 identification 129, 131 Identity infrastructure 201 identity theft 47, 119 information security 1 Information Security Policy (ISP) 199, 205 information technology security 3
information warfare 43 integrity 3 Internet control message protocol (ICMP) 89 Internet service provider (ISP) 15 IP 112 IPSec protocol 108 isolation infrastructure 201
J journals 18
M magnetic media 82 media reporting 33 MIG-in-the-middle 112 military surplus 33 mobile computing 157
N Need-to-Know policy 144 network 110 network management 182 node 110 non-repudiation 3
O office security 68 operations management 175 organizational 10 organizational values 50 orthodox training 33
P password 132 people 12 perimeter 67 permission infrastructure 201 personal knowledge 132 personnel security 12, 163 phishing 101 physical and environmental security 12 physical destruction 62 physical intrusion 46 physical security 61
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Index 229
piecemeal approach 14 ping of death attack 89 practical ISP rules 200 primary terrorism drivers 27 proportional control 62, 63 protection 6 Public Key Infrastructure (PKI) 190
R reference monitor 144 reliability 7 religious conflict 31 religious culture 30 repeater 110 responsibility 16 risk assessment method 55 risk management analysis 16 risk management controls 54 risk management process 50 role-based access rights 147 router 110 router threats 114 routing 46 routing vulnerabilities 110 Rule of the Least Privileges 145
system approach 14, 187 system planning 177
T TCP 112 technology culture 29 terrorism 24 terrorist 13, 61 terrorist acts 33 terrorist attacks 40, 61 Terrorists 163 theft 62, 77 threat management 201 total solutions 67 training 19 transmission control protocol (TCP) 88 Tribe Flood Network 90 Trinity 90
U user management 201
V vulnerability factor 45
S
W
salami attack 176 secure communications 200 security organization 12 security policy 12 security systems 48 semantic 46 session hijacking 112 shaft 91 SLE (single loss expectancy) 56 smurf attack 90 Social Security numbers 122 software 8, 12 solution update 68 something possessed 132, 138 spectacular factor 45 Stacheldraht 91 supervisory control and data acquisition (SCADA) 35 SYN flood attack 88
war 26 warchalking 182 warfare 26 WEB defacements 46 Web graffiti 97
X XRML, the eXtensible rights Markup Language™ 147
Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Instant access to the latest offerings of Idea Group, Inc. in the fields of INFORMATION SCIENCE , T ECHNOLOGY AND MANAGEMENT!
InfoSci-Online Database BOOK CHAPTERS JOURNAL AR TICLES C ONFERENCE PROCEEDINGS C ASE STUDIES
“
The Bottom Line: With easy to use access to solid, current and in-demand information, InfoSci-Online, reasonably priced, is recommended for academic libraries.
The InfoSci-Online database is the most comprehensive collection of full-text literature published by Idea Group, Inc. in:
”
- Excerpted with permission from Library Journal, July 2003 Issue, Page 140
n n n n n n n n n
Distance Learning Knowledge Management Global Information Technology Data Mining & Warehousing E-Commerce & E-Government IT Engineering & Modeling Human Side of IT Multimedia Networking IT Virtual Organizations
BENEFITS n Instant Access n Full-Text n Affordable n Continuously Updated n Advanced Searching Capabilities
Start exploring at www.infosci-online.com
Recommend to your Library Today! Complimentary 30-Day Trial Access Available! A product of:
Information Science Publishing* Enhancing knowledge through information science
*A company of Idea Group, Inc. www.idea-group.com
BROADEN YOUR IT COLLECTION WITH IGP JOURNALS
Idea Group Publishing
is an innovative international publishing company, founded in 1987, specializing in information science, technology and management books, journals and teaching cases. As a leading academic/scholarly publisher, IGP is pleased to announce the introduction of 14 new technology-based research journals, in addition to its existing 11 journals published since 1987, which began with its renowned Information Resources Management Journal. Free Sample Journal Copy Should you be interested in receiving a free sample copy of any of IGP's existing or upcoming journals please mark the list below and provide your mailing information in the space provided, attach a business card, or email IGP at [email protected].
Upcoming IGP Journals January 2005 Int. Journal of Data Warehousing & Mining
Int. Journal of Enterprise Information Systems
Int. Journal of Business Data Comm. & Networking
Int. Journal of Intelligent Information Technologies
International Journal of Cases on E-Commerce
Int. Journal of Knowledge Management
International Journal of E-Business Research
Int. Journal of Info. & Comm. Technology Education
International Journal of E-Collaboration
Int. Journal of Technology & Human Interaction
Int. Journal of Electronic Government Research
Int. J. of Web-Based Learning & Teaching Tech.'s
Established IGP Journals Annals of Cases on Information Technology
International Journal of Web Services Research
Information Management
Journal of Database Management
Information Resources Management Journal
Journal of Electronic Commerce in Organizations
Information Technology Newsletter
Journal of Global Information Management
Int. Journal of Distance Education Technologies
Journal of Organizational and End User Computing
Int. Journal of IT Standards and Standardization Research
Name:____________________________________ Affiliation: __________________________ Address: ______________________________________________________________________ _____________________________________________________________________________ E-mail:______________________________________ Fax: _____________________________
Visit the IGI website for more information on these journals at www.idea-group.com/journals/ IDEA GROUP PUBLISHING A company of Idea Group Inc. 701 East Chocolate Avenue, Hershey, PA 17033-1240, USA Tel: 717-533-8845; 866-342-6657 • 717-533-8661 (fax)
[email protected]
www.idea-group.com
IT Solutions Series – New Releases! Humanizing Information Technology: Advice from Experts Authored by: Shannon Schelin, PhD, North Carolina State University, USA G. David Garson, PhD, North Carolina State University, USA With the alarming rate of information technology changes over the past two decades, it is not unexpected that there is an evolution of the human side of IT that has forced many organizations to rethink their strategies in dealing with the human side of IT. People, just like computers, are main components of any information systems. And just as successful organizations must be willing to upgrade their equipment and facilities, they must also be alert to changing their viewpoints on various aspects of human behavior. New and emerging technologies result in human behavior responses, which must be addressed with a view toward developing better theories about people and IT. This book brings out a variety of views expressed by practitioners from corporate and public settings offer their experiences in dealing with the human byproduct of IT.
ISBN 1-59140-245-X (s/c) • US$29.95 • eISBN 1-59140-246-8 • 186 pages • Copyright © 2004
Information Technology Security: Advice from Experts Edited by: Lawrence Oliva, PhD, Intelligent Decisions LLC, USA As the value of the information portfolio has increased, IT security has changed from a product focus to a business management process. Today, IT security is not just about controlling internal access to data and systems but managing a portfolio of services including wireless networks, cyberterrorism protection and business continuity planning in case of disaster. With this new perspective, the role of IT executives has changed from protecting against external threats to building trusted security infrastructures linked to business processes driving financial returns. As technology continues to expand in complexity, databases increase in value, and as information privacy liability broadens exponentially, security processes developed during the last century will not work. IT leaders must prepare their organizations for previously unimagined situations. IT security has become both a necessary service and a business revenue opportunity. Balancing both perspectives requires a business portfolio approach to managing investment with income, user access with control, and trust with authentication. This book is a collection of interviews of corporate IT security practitioners offering various viewpoint on successes and failures in managing IT security in organizations.
ISBN 1-59140-247-6 (s/c) • US$29.95 • eISBN 1-59140-248-4 • 182 pages • Copyright © 2004
Managing Data Mining: Advice from Experts Edited by: Stephan Kudyba, PhD, New Jersey Institute of Technology, USA Foreword by Dr. Jim Goodnight, SAS Inc, USA Managing Data Mining: Advice from Experts is a collection of leading business applications in the data mining and multivariate modeling spectrum provided by experts in the field at leading US corporations. Each contributor provides valued insights as to the importance quantitative modeling provides in helping their corresponding organizations manage risk, increase productivity and drive profits in the market in which they operate. Additionally, the expert contributors address other important areas which are involved in the utilization of data mining and multivariate modeling that include various aspects in the data management spectrum (e.g. data collection, cleansing and general organization).
ISBN 1-59140-243-3 (s/c) • US$29.95 • eISBN 1-59140-244-1 • 278 pages • Copyright © 2004
E-Commerce Security: Advice from Experts Edited by: Mehdi Khosrow-Pour, D.B.A., Information Resources Management Association, USA The e-commerce revolution has allowed many organizations around the world to become more effective and efficient in managing their resources. Through the use of e-commerce many businesses can now cut the cost of doing business with their customers in a speed that could only be imagined a decade ago. However, doing business on the Internet has opened up business to additional vulnerabilities and misuse. It has been estimated that the cost of misuse and criminal activities related to e-commerce now exceeds 10 billion dollars per year, and many experts predict that this number will increase in the future. This book provides insight and practical knowledge obtained from industry leaders regarding the overall successful management of e-commerce practices and solutions.
ISBN 1-59140-241-7 (s/c) • US$29.95 • eISBN 1-59140-242-5 • 194 pages • Copyright © 2004
Its Easy to Order! Order online at www.cybertech-pub.com, www.idea-group.com or call 717/533-8845 x10 Mon-Fri 8:30 am-5:00 pm (est) or fax 24 hours a day 717/533-8661
CyberTech Publishing Hershey • London • Melbourne • Singapore
Excellent additions to your library!