IEC 818 SECTION 3 ©
RSA and Cyber Crimes growing
Internet Security  Standards 
Security Policies  and   Countermeasures
Threat  Modeling &  Risk  Assessment 
Tiger Teams
Disaster Recovery Plans
weak points
Security  Processes 
  • compartmentalize
  • secure weak link 
  • use choke points 
  • defense in depth 
  • enlist users 
  • detect attacks
Threats - "Who"
-Hackers
-Crackers
The Human Factor
Social Engineering
After the attack
Incident Handling and Hacker Exploits

changes last made to this page 2001, May 3rd
 

In Section Three we will use material from the following texts
 
Chpt 6
Chpt 7
Chpt 4 
Chpt 17 
Chpt 19 
Chpt 20 
Chpt 24

course author:Tim Richardson
 
Learning Objectives for Section 3

After completing this section participants will be able to

  • Substantiate, through media coverage and other resources, that cyber threats are real and growing, and therefore need to be dealt with
  • understand the meaning of, and apply the concept that "Security is a process, not a product"
  • identify the weak points of security procedures
  • describe the methodology of Risk Management
  • understand the fundamentals of social controls and culture management
  • identify the five different categories of adversaries and describe how they can be further sub-divided
  • explain to a non-IT person the difference between hackers and crackers
  • appreciate the importance of electronic "evidence" and the special requirements of leaving it untouched 
In addition to the textbooks selected for this course, we would also point to an excellent on-line resource.
In the screen capture below you can see the splash page for the SANS Institute. This should be a prominent "bookmark" for you; in addition to the specific information from SANS that we refer to, you should, on your own, spend time on this site.
http://www.sans.org
 
 

Before we begin this section, it is perhaps wise to pause and reflect on whether the precautions we are about to discuss are necessary - that is to say, "why deal with the trouble of security procedures if the threat, in actuality, is not very big?"

The answer is a resounding YES, they are necessary - the threat is real and it is growing.

We searched for an authoritative voice on threat trends and found the article below. It discusses a survey conducted by the Computer Security Institute (a legitimate and credible organization) and the FBI's Computer Intrusion squad based in San Francisco. The survey concludes that cyber crimes are rising substantially - therefore the threat is real and it needs to be dealt with.

 
"The results of the sixth annual [2001]"Computer Crime and Security Survey," conducted by the Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigations (FBI)  Computer Intrusion squad, were released mid-March [2001] with some startling findings.  "Based on responses from 538 computer security practitioners in U.S. corporations, government  agencies, financial institutions, medical institutions and universities, the findings of the 2001 Computer Crime and Security Survey confirm that the threat from computer crime and other information security  breaches continues unabated and that the financial toll is mounting," the report states."
http://www.rsasecurity.com/newsletter/v2n2/cybercrime.html
After reading the story on the RSA page about the survey concluding that cyber crime is growing, you should pause and reflect on whether

1. cyber crime is growing,

or whether it is also partly that

2. companies are simply getting better at detecting cyber crime.
Security 
Considerations
 

Proper
Procedures

In addition to the SANS web site, Bruce Schneier's company, Counterpane, has a very extensive web site with a lot of material, especially related to the topic of security procedures, which is an important theme in IEC 818.
http://www.counterpane.com/ "Security is a process, not a product"

Bruce Schneier, CTO of Counterpane and
Author of the book Applied Cryptography

Countermeasures

Responding to a security risk, or a threat of a security risk

One of the things you can do is to subscribe to mailing lists from different security related organizations
  • government security organizations
  • national industry associations
  • large security IT companies
that provide information on current threats, and remedies to deal with the threat.
The remedies often involve obtaining the latest patches for software that has known vulnerabilities.
Being on the SANS mailing list can be very useful. As this course was being prepared, the author received an email from SANS about East-European hackers extorting North American businesses. To read about this real-life example, click on the link below.

http://www.witiger.com/ecommerce/SANwarning.htm
The email is quite lengthy; a simple summary is that SANS advised companies at risk to pay attention to a patch that Microsoft had made available earlier, and to apply it, since failing to make this update leaves the system vulnerable.
 

http://www.esafe.com/company.html Aladdin Knowledge Systems
Internet Security Unit
is based in Seattle

From their main web site
 http://www.eAladdin.com
you can also see a link to "Glossary of terms" on their main page

Shimon Gruper is the Chief Technology Officer of  Aladdin's Internet Security Unit
Gruper has had a list of Top 10 Security Tips on Aladdin's web site for quite some time and the list is quite valuable to refer to. 

The point form list of the 10 tips is to the right.

Was at 
http://www.esafe.com/shimonsays/index.html#top10
but this link was not active November 2000

1. The Safe Use of Email Attachments
2. Vandals in Word Documents?
3. Setting Browser Security Options
4. Buying Products over the Web
5. Protecting Your Personal Information
6. What about Cookies?
7. Are Java and ActiveX Safe?
8. Are Plug-ins and Push Clients Safe?
9. What about Viruses?
10. How to Handle Spam Mail


Security Procedures: Weak Points
 
http://www.plesman.com/eb/home.html Matthew Friedman, writing in the Plesman publication e-Business, authored an article in April 2000 about hackers in which he said that "Security Managers are confident in the security postures of their organizations. But a recent report suggests they might not be getting the whole picture"
http://www.plesman.com/eb/news.html?CONTENT=news/eb020425a
Friedman explains that in February 2000 the publicized stories of hackers overloading some well known sites like Yahoo raised awareness of security issues, but he goes on to cite experts who say not enough is being done and, more importantly, that key people don't understand the implications of security vulnerabilities. Friedman quotes Steven Ross, Deloitte & Touche's director of e-business technologies and security: "there's a feeling among the security people themselves that management doesn't understand the issues like they do."

Friedman's article is a very good report on the key issues and you are strongly encouraged to read it thoroughly.

Chpt 6
Risk
Management
"Electronic Commerce": Greenstein & Feinman, Chpt 6 Risk Management
 
 
Before you begin reading Chapter 6 in the Greenstein book, it would be a good idea to go to the website for the book and scan through the online list of "Key Terms"

clicking on the screen capture to the right will take you directly to this "glossary"

http://www.mhhe.com/business/accounting/greenstein/keyterms.mhtml#six

Greenstein page 171

"Risk Management is a methodology for

  • assessing the potential of future events that can cause adverse effects; and
  • implementing cost-efficient strategies that can deal with these risks"
The definition above is loaded with meaning:
1. potential refers to the degree to which a future event could cause a problem; the concern is with magnitude, and if the impact would be small enough it is not worth treating as a problem
2. future refers to the fact that Risk Management can't undo the present screw-ups in the company; it can only prevent things from happening in the future if people start to follow certain policies and procedures
3. adverse refers to the distinction between things that happen but cause no damage, and things that happen and cause damage
4. cost-efficient is important because you have to relate the cost of security to the cost of the damage risked. You should not spend more protecting information than that information is worth; otherwise it is better to accept the risk that the information will be harmed and not protect it, or to protect it with something less expensive
5. deal with the risks implies that it is not good enough to just know when bad things happen; you have to have the ability to respond to and deter the existing threat, which might include intervention by police and other authorities

Chpt 6

Culture
Management

"Electronic Commerce": Greenstein & Feinman, Chpt 6 Risk Management page 174

Culture Management
 

A key point of this whole course is that security is human based, not silicon based, and in this next part of Section 3 we will discuss an important aspect of the human factor in IT security.
"Controls over the human factor are called social controls and managing these controls is called culture management. The human element of managing risk is the most troublesome aspect to many information technology professionals. The major risks of the human factor are
  • bad judgment
  • honest errors
  • fraud
  • virus damage"
 

Chpt 6

Risk
Management
Paradigm

"Electronic Commerce": Greenstein & Feinman, Chpt 6 Risk Management page 176

Risk Management Paradigm
 

Many management oriented books and texts like to use the word paradigm at some point in the course of their chapters. In Greenstein's book the use is appropriate, since the word describes a situation in which there are several interlinked processes, and dealing with these situations is an ongoing problem.
You should carefully review the pages from 176-178.

The key point is that
"risk management is an ongoing process ... the key is to be proactive, rather than reactive... one objective of the paradigm is to minimize reactive solutions and seek out proactive designs"

Risk Assessment
"How the Pros Help You Probe the Strength of Your Ramparts"
article written by Dario Forte, August 1, 2000
 www.internetworld.com/080100/8.01.00internettech1.jsp
"Most assessments today focus on the Web user interface, Web server setup, links to company databases, and server scripts. The checks  should include planning of countermeasures regarding DDoS, defacement, and "hijacking" - the intrusion of a non-authorized third party into a two-party transaction, as recently occurred at nike.com,  bali.com, and web.net, which were deprived of their virtual identities. Evaluate the ability of the security analyst to assess Web server setup  vulnerabilities, in terms of administration privileges and software modules such as CGI, ASP, etc. This analysis is usually performed by a "tiger team," which may be made up of ex-crackers or reformed  wayward university students. Or it may consist of properly trained  security engineers."
 

Tiger
Teams
In the computer industry, a tiger team is a group of programmers or "reformed" hackers who volunteer, or are hired, to expose errors or security holes in a web site or network. They don't simply try to hack their way in; they document the different methods and attempts they make, and then provide a report to the client so that it knows how to fix its vulnerabilities.

"In every case, a security assessment service must provide an analysis of the effectiveness of a company's security controls. Global Integrity,  for example, recommends a periodic assessment based on a review of  current documentation, policies, and practices; interviews with key personnel; and comparisons against industry "best practices" and other  benchmarks.  A thorough review should not stop with the infrastructure. You also need  to test your defenses against social engineering - the set of techniques  used to subvert systems by exploiting human nature. One bank I studied paid no attention to managing the e-mail relationship with the system administrators. By spoofing an internal e-mail address, an intruder could contact bank employees with a request to "check the correct password," and 90 percent of the time they responded with the correct information without taking any steps to verify the sender's identity."

Chpt 19

Threat Modeling
and
Risk Assessment

Secrets & Lies: Digital Security in a Networked  World      by Bruce Schneier

Chpt 19 Threat Modeling and Risk Assessment
 

People reading Chpt 19 may find, to their amusement, that although Schneier is a brilliant security thinker he also has a sense of humour, and is not afraid to use humorous methods to get his point across in his books. You should not be put off by this; he seems to be an example of a person who takes his work very seriously but doesn't take himself seriously.

"Threat modeling is the first step in any security solution. It's a way to make sense of the vulnerability landscape... It involves thinking about a system and imagining ... how you can attack this system".

Risk Assessment
 

The point is that it does not matter if you are able to identify, categorize and describe various threats if you have no idea of the magnitude of the damage they can cause. Risk assessment is an important part of threat modeling because it is at this point that you are able to say "we know about threat A, but it is OK because the damage will be small; we know about threat B and the damage potential is large, so we had better deal with it".

Chpt 19, page 301
"It's not enough to simply list a bunch of threats, you need to know how much to worry about each one of them. This is where risk assessment comes in. The basic idea is to take all the threats, estimate the expected loss per incident and the expected number of incidents per year, and then calculate the annual loss expectancy (ALE)"

Risk Assessment and Estimating Security Costs

"Some risks have a very low probability of incidence. If the risk is a network intrusion by an industrial competitor out to steal the new design plans, the expected loss per incident might be $10 million but the number of incidents per year might be 0.001 - there's a 0.1% chance of this happening per year. This means that the annual loss expectancy (ALE) is $10,000, and a countermeasure costing $25,000 isn't such a bargain".
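As an added worked example (not code from Schneier's book or from the course materials), here is a small risk register in Python that computes the ALE for each threat, ranks the threats by how much to worry about them, and asks whether a countermeasure is worth its annual cost. The industrial-espionage threat uses the figures from the quoted passage: $10 million per incident at 0.1% per year, which is 0.001 incidents per year, giving an ALE of $10,000 against a $25,000 countermeasure. The second threat, the countermeasure names, and the assumption that a countermeasure removes a stated fraction of the ALE are constructed for illustration; the text only gives a countermeasure's cost, not its effectiveness.

```python
"""Annual loss expectancy (ALE) worked through as a small risk register.

Added example for this course page; it is not code from Schneier's book
or from the course author.  The phishing threat, the countermeasure names
and the "fraction of ALE removed" model are constructed assumptions.  The
espionage figures ($10M per incident, 0.001 incidents per year) are the
ones the quoted passage describes (0.1% per year, ALE $10,000).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    loss_per_incident: float   # expected loss in dollars for one incident
    incidents_per_year: float  # expected number of incidents per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy: loss per incident x incidents per year."""
        return self.loss_per_incident * self.incidents_per_year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    # Fraction of the threat's ALE removed when deployed (1.0 = threat
    # eliminated, 0.0 = no effect).  Assumption: the quoted text gives a
    # cost for the countermeasure but says nothing about its effectiveness.
    ale_reduction: float


def rank_by_ale(threats):
    """Threats ordered from largest to smallest ALE, i.e. the "how much to
    worry about each one" ordering Schneier describes."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)


def net_benefit(threat, cm):
    """Dollars of expected annual loss removed by cm, minus what cm costs
    per year.  Positive: the countermeasure pays for itself.  Negative: it
    is, in Schneier's words, "not such a bargain"."""
    return threat.ale * cm.ale_reduction - cm.annual_cost


def worth_buying(threat, cm):
    return net_benefit(threat, cm) > 0


# The example from Chapter 19: a competitor stealing design plans.
ESPIONAGE = Threat("competitor steals design plans", 10_000_000, 0.001)
# Constructed contrast case: a cheap event that happens often.
PHISHED_CREDENTIALS = Threat("staff credential phished", 5_000, 12)
# The $25,000 countermeasure from the text; total elimination is assumed.
NETWORK_HARDENING = Countermeasure("intrusion countermeasure", 25_000, 1.0)

if __name__ == "__main__":
    for t in rank_by_ale([ESPIONAGE, PHISHED_CREDENTIALS]):
        print(f"{t.name:40s} ALE=${t.ale:,.0f}")
    print("hardening worth buying against espionage:",
          worth_buying(ESPIONAGE, NETWORK_HARDENING))
```

The ranking is the part that matters in practice: a $5,000 loss that happens monthly outranks a $10 million loss that happens once a millennium, which is why the frequent, boring threats usually deserve the budget first.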

 

Chpt 6

Disaster
Recovery
Plans

"Electronic Commerce": Greenstein & Feinman, Chpt 6 Risk Management page 178

Disaster Recovery Plans

You should carefully review the pages from 178 - 181.

Good Planning involves considering the following objectives

  • assessment of vulnerabilities
  • prevention and reduction of risk
  • creation of cost-effective solutions
  • minimization of business interruption and assurance of business continuity
  • securing alternative Internet access modes
Chpt 4

"Who"
- from where comes the threat

Secrets & Lies: Digital Security in a Networked  World
by Bruce Schneier

Chpt 4 Adversaries
 

Schneier's fourth chapter is a very good presentation of the whole panoply of "bad guys" in internet security. You are strongly encouraged to read the entire chapter, since dealing with threats successfully depends on a decent understanding of what and who the threat is.

Schneier's premise for this chapter, and one we agree with, is that threats in the online world are similar to those in the offline world; the difference is that in the online world the tools are faster and the magnitude of the damage is proportionately higher.

Schneier begins the chapter by categorizing adversaries in several ways. Adversaries can be differentiated according to their

  • Objectives
  • Access
  • Resources
  • Expertise
  • Risk
1. Objectives can vary; adversaries may be trying to
  • inflict raw damage
  • obtain financial gain
  • access information
  • act out of patriotism
  • pursue political purposes


2. Access. People trying to obtain access can be further subdivided into the following categories (according to Tim Richardson)

  • insiders
  • associated and affiliated persons
  • complete outsiders and strangers
Schneier cautions "insiders are not necessarily employees. They can be consultants and contractors...". During the Y2K scare, many people with suspect expertise were given wide access to IT networks in hopes that they could fix the bugs in time.
3. Resources. Adversaries can be categorized according to whether they have money, or know-how, or (from the attacker's point of view, ideally) both
  • financial
    • large amount of money
    • restricted amount of money tied to returns
  • technical
    • sophisticated with appropriate equipment
    • amateur (script kiddies)
4. Expertise.  Adversaries can be categorized according to whether they know a lot, or a little about how to infiltrate your networks and damage your company
  • comprehensive
    • advanced
    • beginner
  • specialist
    • advanced
    • beginner
5. Risk. Adversaries are also distinguished by the degree of risk they will accept, which is roughly a function of the reward they seek less the cost to them of being stopped or caught.
  • terrorists - accept a high degree of personal risk
  • criminals - accept the risk of jail time
  • wealthy adversaries - accept the risk of losing a lot of money (hiring criminals and terrorists)
. It was author Bruce Schneier who wrote the preceding 5 categories in his book in Chapter 4, it was Prof. Tim Richardson who wrote the further subdivisions and annotations describing the breakdown.

A summary of the "participants" in the IT threat community

  • hackers and crackers
  • lone criminals
  • malicious insiders and disgruntled employees
  • industrial espionage
  • press (offline and online)
  • organized crime
  • police, regional and national
  • terrorists
  • national intelligence agencies
  • information warriors
    • a relatively new word to describe a military person who works at undermining the target's ability to wage war by attacking their information or network infrastructure
    • Schneier notes that in 1999 NATO targeted Belgrade's electric plants - in retaliation, Serbian hackers attacked hundreds of U.S. military and NATO computer sites
 

Chpt 4

"Hackers"
"Crackers"

a subtle
distinction

Secrets & Lies: Digital Security in a Networked  World
by Bruce Schneier

Chpt 4 Adversaries

"The word Hacker has several definitions, ranging from a corporate system administrator adept enough to figure out how computers really work to an ethically inept teenage criminal... The word has been co-opted by the media and stripped of its meaning. It used to be a compliment, then it became an insult. Lately people use "cracker" for the bad guys and "hacker" for the good guys."

Schneier page 43

"I define a hacker as an individual who experiments with the limitations of systems for intellectual curiosity or sheer pleasure; the word describes a person with a particular set of skills and not a particular set of morals"

 

Chpt 17

The
Human
Factor

Secrets & Lies: Digital Security in a Networked  World
by Bruce Schneier

Chpt 17 The Human Factors
 

If we say "read Chapter 17 thoroughly because it is really important", we are not implying that the other chapters aren't important; rather, the human factor is a key theme in understanding the whole ECP 1220 course.

In Chpt 17, Schneier goes to great length to explain the weaknesses in the human side of IT security, and this should be absorbed fully by you.

Schneier
page 256

"Information never stays in computers; it moves onto paper all the time. Information is information and, for an attacker, information in paper files is just as good as information in computer files. Many times paper in trash is more valuable than the same data in a computer: It's easier to steal and less likely to be missed. A company that encrypts all of its data on computers, but doesn't lock its file cabinets or shred its trash, is leaving itself open to attack."

Human Weaknesses

page 258
"One danger of computerized systems is that they make mistakes so rarely that people don't know how to deal with them. It's the "This computer never makes mistakes, so you must be lying," mentality. The fact is that computers make all sorts of mistakes all the time"

Social Engineering

page 266-268

"Social Engineering is the hacker term for a con game: persuade the other person to do what you want". Schneier discusses various examples of social engineering over a few pages. It is a term that can be found throughout the web related to IT security situations. You could earn some class participation / contribution marks by finding some specific examples of social engineering used in some hacking situations, which have been reported on by the media, and make a summary of what happened, and email this to the professor running the course.

 

Chpt 20

Security
Policies and
Countermeasures

Secrets & Lies: Digital Security in a Networked  World
by Bruce Schneier
Chpt 20 Security Policies and Countermeasures

Schneier
page 308

".. every organization needs a security policy for its computer network. The policy should outline

  • who is responsible for what
    • implementation
    • enforcement
    • audit
    • review
  • what the basic network security policies are
  • and why they are the way they are."
"The security policy is how you determine what countermeasures to use"
Chpt 24

Security
Policies and
Countermeasures
Secrets & Lies: Digital Security in a Networked  World      by Bruce Schneier

Chpt 24 Security Processes

Following his axiom that security is a process, not a product, Schneier opens Chapter 24 saying that

page 367
"Technology alone cannot save us. Products have problems, and they are getting worse. The only thing reasonable to do is to create processes that accept this reality, and allow us to go about our lives the best we can. It's no different from any other aspect of our society".

The principles of the security process, as presented by Schneier on pages 367-374, are:
 
  • compartmentalize
  • secure weakest link
  • use choke points
  • defense in depth 
  • fail securely
  • leverage unpredictability
  • embrace simplicity
  • enlist users 
  • assurance
  • question
  • detect attacks

  • compartmentalize
    • don't put all the vulnerable assets in one location, divide things up so attackers have to make more of an effort to "capture" the critical information
  • secure weakest link
    • the weakest link is where the attack is most likely to take place so make sure countermeasures are applied here, and not just at the strong points
  • use choke points
    • limiting the places people "can go", and forcing users into a narrow channel makes it easier for monitoring traffic, etc. to spot unusual activity that could be the beginnings of an attack
  • defense in depth 
    • a universal security principle is to make security strong from the initial point of contact, all the way back to the vulnerable target
    • "example: a network protected by two firewalls, one each at two different network ingresses, is not defense in depth ... a network protected by two firewalls, one behind the other, is defense in depth: an attacker has to penetrate one firewall and then the other in order to attack the network
  • fail securely
    • Schneier's point is that if a system fails, it should do so in a way that does not release information, money, etc. in the process of failing; it should simply shut down
  • Leverage unpredictability
    • don't give people information they do not need to know; an attack is more difficult when the attacker has nothing to go on
  • embrace simplicity
    • if a system is as secure as its weakest link, then the fewer number of links, the better!
  • enlist users 
    • users have to be incorporated as assets. "Security measures that aren't understood and agreed to by everyone, don't work"
  • assurance
  • question
    • Schneier advises to constantly question security, assumptions and decisions
  • detect attacks
    • "It's not enough to put up a firewall... you need to detect attacks"
    • you have to detect attacks in order to know if your security is working, and how it might need to be strengthened according to the type of attacks you are receiving
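The "fail securely" principle is the one most often violated in code, so here is an added example (not from Schneier's book or the course) of what it means in practice: an authorization check whose backing store can go down, written once so that it fails open and once so that it fails closed. The permission table, the user names and the simulated outage are constructed for illustration.

```python
"""Fail securely: an authorization check that fails open, beside one that
fails closed.  Added example for this course page; it is not code from
Schneier's book or from the course.  PERMISSIONS, the user names and the
simulated "store unavailable" condition are constructed for illustration.
"""

# Constructed permission table: which users may read which resources.
PERMISSIONS = {
    "alice": {"payroll", "ledger"},
    "bob": {"ledger"},
}


class DirectoryUnavailable(Exception):
    """Stands in for a permission store that cannot be reached (network
    outage, crashed service, exhausted connection pool)."""


def lookup_permissions(user, directory=PERMISSIONS, available=True):
    """Return the set of resources a user may read.  available=False
    simulates the store being down, which is the case a fail-open check
    mishandles."""
    if not available:
        raise DirectoryUnavailable("permission store unreachable")
    return directory.get(user, set())


def is_authorized_fail_open(user, resource, available=True):
    """The broken pattern: an error in the check is treated as 'allow' so
    the application keeps working.  Anyone who can cause the outage, or
    simply wait for one, is granted everything."""
    try:
        return resource in lookup_permissions(user, available=available)
    except DirectoryUnavailable:
        return True   # "the store is probably fine, let them through"


def is_authorized_fail_closed(user, resource, available=True):
    """What the principle calls for: any failure of the check is a denial.
    Nothing is released in the process of failing; what is lost is
    availability, which is the cheaper loss."""
    try:
        return resource in lookup_permissions(user, available=available)
    except DirectoryUnavailable:
        return False


def audit(user, resource, available):
    """Run both checks for one request; returns (fail_open, fail_closed)."""
    return (is_authorized_fail_open(user, resource, available),
            is_authorized_fail_closed(user, resource, available))


if __name__ == "__main__":
    # Normal operation: both checks agree.
    print("bob -> payroll, store up:  ", audit("bob", "payroll", True))
    # Store down: fail-open grants bob payroll, fail-closed does not.
    print("bob -> payroll, store down:", audit("bob", "payroll", False))
```

The two functions differ by a single return value, which is the point: the fail-open version is the one that gets written by default when the developer is thinking about uptime rather than about who benefits from an outage.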
You should also read the section in Chpt 24 on Counterattacks
 
Schneier makes the point that a good deterrent to criminal behaviour is the threat of getting caught and punished. One of the things hackers count on is their belief, rightly or wrongly, that they cannot be caught easily, or that they are outside the legal jurisdiction of the entity they are attacking. Schneier recommends that effective counterattacks, through legal means, be taken up as a disincentive to future hacking.
Chpt 7

"Electronic Commerce": Greenstein & Feinman, Chpt 7
 
 
Before you begin reading Chapter 7 in the Greenstein book, it would be a good idea to go to the website for the book and scan through the online list of "Key Terms"

clicking on the screen capture to the right will take you directly to this "glossary"


 
Chapter 7 is an optional read. If you have already taken an IEC course with Prof. Kanitz, or have an equivalent understanding, then you may already be familiar with the content of Chapter 7. One way to determine this quickly is to run through the glossary online (noted in the screen capture above).

The reason you should cover Chpt 7, if you are not familiar with the content, is so that you know something about TCP/IP, IP addresses, FTP and the basics of messaging protocols on page 214.
 

After
the 
Attack
"Cracking cybercrime 
Don't touch electronic evidence until you call in the cops or a cyberforensics expert."

is the title of an October 1998 article in Network World written by Deborah Radcliff 
 http://www.infowar.com/LAW/law_110298a_j.shtml

"Thou shalt not bungle computer evidence intended for a court of law"
 

This is a rather old article by internet timeline standards, but the message is just as relevant, and you are encouraged to read the original online version. We have made some summary points below.
"Crimes committed via computer leave distinct evidence trails. If you so much as access, download or open suspect files, you could taint the evidence and render it inadmissible. That type of activity alters backup files and system logs and overwrites date and time stamps... Draft a contingency plan for when cybercrime strikes and take the proactive measures ... regularly print and save log files from critical servers. Establish a tamper-proof backup system to capture activity and audit trails."
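The article's advice to keep a "tamper-proof" copy of audit trails can be made concrete. Below is an added example (not from the Network World article or the course) of one common way to do it: each saved log line is hashed together with the hash of the line before it, so the final "head" hash commits to the whole file. Print or sign that head hash at collection time; later, anyone holding it can detect an edited, deleted or appended line. The log lines are constructed for illustration, and the design is an assumption about how one would implement the article's recommendation, not something the article specifies.

```python
"""Preserving log evidence so that later tampering is detectable.

Added example for this course page; not from the Network World article or
the course.  The log lines are constructed, and the hash-chain design is
one common way to build the "tamper-proof" audit trail the article asks
for, not a method the article itself describes.
"""
import hashlib
import json

# Constructed server log lines of the kind an investigator would want kept.
SAMPLE_LOG = [
    "2001-05-03T02:14:07Z sshd[412]: Failed password for root from 10.0.0.7",
    "2001-05-03T02:14:09Z sshd[412]: Failed password for root from 10.0.0.7",
    "2001-05-03T02:15:31Z sshd[418]: Accepted password for root from 10.0.0.7",
    "2001-05-03T02:16:02Z su: root to oracle on /dev/pts/2",
]

GENESIS = "0" * 64   # chain anchor; a real deployment would publish this


def _entry_hash(prev_hash, seq, line):
    """Hash that binds a line to its position and to everything before it."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "line": line},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def seal_log(lines, genesis=GENESIS):
    """Turn raw lines into chained records.  Returns (records, head_hash).
    The head hash is what you print, sign or write to write-once media at
    collection time: anyone holding it can re-verify the whole chain."""
    records, prev = [], genesis
    for seq, line in enumerate(lines):
        h = _entry_hash(prev, seq, line)
        records.append({"seq": seq, "line": line, "hash": h})
        prev = h
    return records, prev


def verify_log(records, head_hash, genesis=GENESIS):
    """Recompute the chain.  Returns the sequence number of the first
    record that does not check out, or None if the evidence is intact
    (which includes the final hash matching the recorded head)."""
    prev = genesis
    for seq, rec in enumerate(records):
        if rec["seq"] != seq or _entry_hash(prev, seq, rec["line"]) != rec["hash"]:
            return seq
        prev = rec["hash"]
    # All records verify; a truncated file fails here because the last
    # hash no longer equals the head that was recorded at collection time.
    return None if prev == head_hash else len(records)


def tamper(records, seq, new_line):
    """Simulate an attacker (or a careless admin) editing one line in place."""
    edited = [dict(r) for r in records]
    edited[seq]["line"] = new_line
    return edited


if __name__ == "__main__":
    recs, head = seal_log(SAMPLE_LOG)
    print("head hash:", head)
    print("intact:", verify_log(recs, head))
    print("edited line 2, first bad record:",
          verify_log(tamper(recs, 2, "2001-05-03T02:15:31Z sshd[418]: Failed password for root from 10.0.0.7"), head))
```

The head hash on its own is only as trustworthy as the place you keep it; the article's advice to print log files covers exactly this, since a printout in a locked drawer is outside the reach of whoever has root on the compromised server.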
 
 


FYI, the SANS Institute offers training and courses on 
" Incident Handling and Hacker Exploits"

Some of the courses are given at conferences, others are online.

http://www.sans.org/giactc/IHHE_info.htm
Online Quiz # 3
for the preceding material

www.witiger.com/senecacollege/IEC818/quiz~IEC818~3.htm

1. If asked to describe "from where threats come", could you answer with a list categorizing adversaries in five ways?
2. If you were challenged to give a specific example of how a hacker penetrated a system, could you provide one? Sometimes people know threats are a problem but they have an easier time believing it if you can provide a real example.
3. Could you explain to a non-IT person what a tiger team is and why you might need to use one?
4. Would you be able to speak about at least 5 of the principles of the security process presented by Schneier?