NET 101 - Networking Essentials I

Chapter 5, Digital Safety and Security

Objectives:

This lesson discusses security issues that relate to information systems and devices. Objectives important to this lesson:

  1. Cybercrime
  2. Network attacks
  3. Unauthorized access
  4. Types of theft: software, information, hardware
  5. Wireless security
  6. Information privacy

Concepts:

Introduction

The chapter begins with a discussion of digital security risks, which it defines as:

  • events or actions
  • which could cause loss or damage
  • to a computing device's hardware, software, data/information, or ability to function.

Note that the first phrase includes two possibilities. Actions require an actor, often a villain, but sometimes just a person being inattentive. Events do not require an actor: they only require that something happen. Risks come in both types. As I write these notes, I am conscious of not being able to post them on my website, due to a loss of access to my ISP, caused by a windstorm. This is an example of an event, one which I might overcome by using a disaster plan, which could be to use a computer at school to upload the file. That would be a good plan if it were not true that the school is presently worse off than my home: it has no power at this time. (About a day later, my access to my ISP was restored. About two days later, the school had power again.)

The chapter continues with a discussion of computer crime and cybercrime, which are more interesting than natural disasters to most students. Different texts and different web sites have different definitions, and some terms have several meanings, like most information system terms. Some items related to the list on page 204:

  • hackers - one of the buzzwords of computer system geeks, this one can mean anything; it is generally accepted to mean someone with more skill than an average user, who may be a white hat (good guy) or black hat (bad guy). A hacker may break into a system for a thrill, to show off, or to cause some kind of damage.
  • cracker - according to your text, a hacker whose intent is to damage a system or steal data.
  • script kiddies - attackers who use hacking tools that they don't really understand
  • spies - computer attackers who are looking for specific data from specific systems
  • employees - Computer security includes the concept of protecting data from people who aren't authorized to access it. What about protecting it from authorized users who want to give or sell it to someone else? What about authorized users who give out their password because someone asks for it? What about users who are no good at protecting their secrets?
  • computer criminal - someone who uses a computer in the commission of a crime
  • cybercriminals - a computer criminal whose crime also involves a network. They are often after some financial gain, which could be from data they can sell, actual fund transfers, or theft of financial instruments.
  • cyberextortionists - a cybercriminal who may attempt to hold a system or its data hostage (extorting money for its release), or may threaten a system with damage unless money is paid to prevent it
  • cyberterrorists - a cyberterrorist is defined as a system attacker whose motivations are ideological.

Network Attacks

The next several pages discuss some of the kinds of attacks that networks need to guard against. Note that some cannot be defended against except by each user.

  • Malware comes in many types, and the topic is too large to include all of them here. A short list should include:
    • viruses and worms - two kinds of infecting malware, whose purpose is to damage a system
    • trojans and rootkits - two kinds of concealing malware, whose purpose is to do things the user will not notice
    • spyware - any program that violates a user's privacy or security
  • A botnet is a network of computers that have been infected, turned into robots (aka zombies), that can be used for any of several kinds of attacks.
  • In a Denial of Service (DoS) attack, multiple computers are typically used to tie up all available connections to a system, preventing real users from making a connection or receiving a service. When a botnet is used, the attack can be called a Distributed Denial of Service (DDoS) attack.
  • A back door is often a separate account that is used in case of emergency to get access to a system, usually as a user with administrator privileges. The text says that this is an account that is set up without the administrator's knowledge or permission. Yes, an attacker would do that, but the administrator might set up his own back door so that he could get into the system in case it is hacked.
  • Spoofing attacks involve pretending to be someone else. Email spoofing involves sending email that looks like it is from a known or legitimate source. IP spoofing makes it look like traffic is coming from a unit on a local network, or from a unit on a list of trusted sources.

The text provides a short discussion about defending against network attacks. The advice in the bullets on page 208 provides some value to users as well as to network administrators.

  • antivirus software - keep it up to date and pay attention to its warnings
  • email, attachments, and links - don't believe every email you see, or follow every link you receive
  • scan removable media - we have seen many viruses brought to class on a student flash drive; reliable antivirus software should scan any file before it is used
  • firewalls - antivirus solutions are typically sold with firewall software as well, which is meant to deny unauthorized access to devices and data

Unauthorized Access

The text describes an Acceptable Use Policy, which may be general or specific, as a document or memorandum sent to staff that tells them what is or is not appropriate use of company equipment and data, in the work environment and outside it. The heading over this section (on page 210) implies that such a policy is a "safeguard against unauthorized access and use". It is not. Telling people not to do something does not mean they will not do it. Telling them not to do something, however, will keep many employees out of trouble, and allows the company to use a legal argument that the employees were told, therefore violation of such a rule is not the company's fault.

Networks typically require users to log in before they can access network resources. This process looks simple, but it has several parts. One of our security textbooks presents a story that serves as a metaphor for the process. A babysitter is instructed to allow a package service to pick up a package from the home where she is watching a child. She follows four steps to accomplish this, and she messes up one of them. If this were a horror movie, there would be a bad result.

  1. Identification - The babysitter asks for identification from the driver (e.g. FedEx, UPS). This would be like asking for a user ID and a password. The driver provides it, which is a metaphor for the user logging in.
  2. Authentication - The babysitter reads the driver's badge and decides it is real. Really? No one can drive a painted delivery van and make a fake ID? If this were a network, this would be like accepting any data as a user ID and any password that met our complexity requirements, without checking for a match on the system. A real network holds a database that can be checked for a match with the user ID and password.
  3. Authorization - The babysitter tells the driver he can access the porch, where the package is waiting. In a network, the user is granted access to network resources because those rights have been previously assigned to the user's account. Once the user has authenticated, those rights are usable.
  4. Access - The babysitter opens the door to the porch. On the network, the user is now allowed to access some resources, but not others. The user is not told which resources are available. The user must know what to do next.
  5. Exploit - The serial killer, who disposed of the real FedEx driver down the street, enters the house and the musical score rises. On the network, the hacker with stolen credentials accesses data he has no right to access. Does he sell it? Send it to CNN? Call Edward Snowden for advice?

Could the babysitter have called FedEx to check on the identity of the supposed driver? Yes, and in most circumstances she would have been thought paranoid. If you are not protecting important assets, you are not expected to take precautions. When you are protecting a network, you must take precautions, or make use of the ones the network provides. (And if you are protecting a child in a monster movie, grab a baseball bat and give the killer one chance to come back next week. Insert appropriate heroic scenario here.)
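
The login steps above, as an added example that is not from the textbook or these notes: the babysitter's version of step 2 beside a check against stored records. The account names, passwords and rights are constructed, and PBKDF2 is simply one standard way to store a password hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(password, rights):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "rights": set(rights)}

# Constructed account database; user names, passwords and rights are made up.
ACCOUNTS = {
    "alice": make_account("correct horse battery", {"read:reports"}),
    "bob": make_account("staple-gun-42", {"read:reports", "write:reports"}),
}

def babysitter_check(user_id, password):
    """Step 2 done wrong: anything that looks well formed is accepted."""
    return bool(user_id) and len(password) >= 8

def authenticate(user_id, password):
    """Step 2 done right: compare against the stored record for that ID."""
    account = ACCOUNTS.get(user_id)
    if account is None:
        hash_password(password, b"\x00" * 16)  # similar timing for unknown IDs
        return False
    candidate = hash_password(password, account["salt"])
    return hmac.compare_digest(candidate, account["hash"])

def authorize(user_id, right):
    """Step 3: rights were assigned to the account before the login."""
    account = ACCOUNTS.get(user_id)
    return account is not None and right in account["rights"]

def access(user_id, password, right, check=authenticate):
    """Steps 1-4 in order; user_id is the identification claim."""
    if not check(user_id, password):
        return "denied: authentication failed"
    if not authorize(user_id, right):
        return "denied: not authorized"
    return "granted"
```

Passing `check=babysitter_check` with a wrong password still returns "granted", which is the babysitter's mistake: the later steps cannot repair a skipped authentication.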

The text discusses some stricter methods of identifying users:

  • multipart ID - the classic formula is something you have, something you are, and something you know. I may know an ID and a password, and I may have a SecurID device that generates a new numeric code on a schedule (often once a minute), and this may be secure enough. If it is not, then a biometric ID may be required.
  • biometric - a physical scan of a fingerprint, a face, a hand, an eye, or a voice may be used to identify a user. It should be noted that unless the system performing this sort of scan is fairly sophisticated, it may not provide any real security.
  • CAPTCHA - CAPTCHA (page 212) is meant to present a distorted text image that a human can read, but a machine cannot. I find CAPTCHA is often difficult to read. The example in the text is not as bad as some I have tried to use. Look at the Wikipedia article on the subject. The third version of distorted text is more like what I commonly see: letters and numbers stretched and smashed so much that I can't tell what they are supposed to be. Mission accomplished, I suppose, but if a company makes my life hard enough, I will go elsewhere for the service I wanted. Then what have they gained?

Types of Theft

The chapter continues with several types of theft that can be associated with computers and networks.

  • Software theft may not seem like a relevant concern unless you work for a software publisher. In fact, it is not uncommon for employees of any organization to assume that they can copy the software they use at work and install it on their home computers. The belief that the employer has paid for unlimited licenses for such software is usually wrong. Even if the employer has paid for more licenses than are currently in use, the license agreement usually includes only machines owned by the employer. One way to manage this is to manage all devices. If the user is not allowed to install software on "his" work computer, it is unlikely that the user will have access to media to install it elsewhere.
  • Information theft is more understandable. All employers have some information they do not want handed out to unauthorized people. The text discusses encryption of data to make it useless without a decryption method. A drawback to this is that authorized users can and do decrypt data for use, which makes that data vulnerable to theft by such users. Some common simple schemes are listed to introduce the subject. For those with more interest, try the Khan Academy section on cryptography.
  • The text also introduces the concepts of private key encryption and public key encryption. Private key encryption is also called symmetric key encryption because the same key is used for encrypting and decrypting a message (or file, or hard drive).

    Asymmetric (not symmetric) systems use different keys. These systems use public key cryptography. This name does not describe the method well. A person must have two keys in such a system, a public key and a private key. The keys are created so that whatever is encrypted with one must be decrypted with the other. The owner of the keys gives the public key to anyone who wants it: that's the part that makes that key public. The key owner lets no one have the private key, unless they need to decrypt that data, which is what makes the system work.

    This is how SSL encryption on a web site works. I connect to a vendor's web site. My browser obtains the vendor's public key by making the secure connection. My browser encrypts my credit card data with the public key and sends the ciphertext to the vendor. If the vendor's private key is secure, the vendor is the only one who can decrypt the data encrypted with the public key. In this way, a key is made available to anyone who wants it, but using it makes the data unintelligible to everyone who does not have the private key.

  • Hardware theft is a common method of stealing information. A lost laptop that is not encrypted is not a nightmare for security people, only because it happens so often. Laptops are most often stolen at work, according to data from Kensington. The best methods of protection involve encryption of mobile devices and physical protection of them. As Mark Twain said, "Put all your eggs in one basket and then watch that basket."
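
The public key and private key relationship described in the encryption item above, as an added example that is not from the textbook: textbook RSA with a constructed toy key, showing that what one key encrypts only the other key decrypts. Real systems use far larger keys and add padding; the function names here are hypothetical.

```python
from math import gcd

def make_keypair(p, q, e):
    """Textbook RSA key generation from two primes (toy sizes only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: e * d = 1 (mod phi)
    return (n, e), (n, d)        # (public key, private key)

def apply_key(key, number):
    """Encrypting and decrypting are the same operation with different keys."""
    n, exponent = key
    if not 0 <= number < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(number, exponent, n)

def encrypt_text(public_key, text):
    # One number per byte keeps the toy readable; it is not how real RSA is used.
    return [apply_key(public_key, b) for b in text.encode()]

def decrypt_text(private_key, numbers):
    return bytes(apply_key(private_key, c) for c in numbers).decode()

# Constructed toy key pair built from the primes 61 and 53.
PUBLIC, PRIVATE = make_keypair(61, 53, 17)
```

Applying the public key a second time to a ciphertext does not recover the message, which is why the public key can be handed to anyone.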

Wireless Security

On page 221, the text turns to security concerns about wireless devices. Read the Ethics and Issues sidebar on that page to find a revelation. Most wireless users are aware that they can connect to wireless access points at many restaurants, malls, airports, and more locations. Users may even be aware that such connections usually are not encrypted connections. The point in the sidebar is less commonly known: it is not illegal to eavesdrop on wireless transmissions that pass through systems that are "readily accessible to the general public". Not wanting to take the author's word alone on this, I looked on a Federal web site for confirmation. See page 2, the item listed as item 16 in the document behind that link. The author's point is valid. One should think several times before connecting to a network by an unsecured channel.

The text offers several suggestions about actions or decisions that might enhance your mobile security. The best may be to install and use security and antivirus software. Security standards change over time, so make sure your choices are still valid on a regular schedule.

Information Privacy

The chapter ends with a section on privacy that makes it clearer to the casual technology user how many of our actions and choices display information about ourselves to others. Consider the list of recommendations on page 228. Some of them are impractical, but others may be worth considering.

It may be more useful to concentrate on the Phishing section on page 231 and the discussion of Social Engineering on page 232. Phishing is the solicitation of personal or company information, typically through an official looking email. Your text includes phone call probes in this category, but most people would consider that to be social engineering. Some variations on phishing:

  • spear phishing - sending the email to specific people, customizing it to look like a message sent to them by an entity with some of their personal information already
  • pharming - sending an email that takes the person directly to a web site (the phisher's site) instead of asking the reader to follow a link
  • Google phishing - the phisher sets up a fake search engine that will send people to the phishing web site on specific searches (presumably it returns real search results on searches that would not lead to a page the phisher has prepared)

Some suggestions are made about teaching people to avoid falling for phishing scams. Some are better than others:

  • When an email has a web link in it, hover over the link and read the URL. It should go to a real web site, and should not contain web scripting commands or @ signs. This presumes that the user will recognize script commands and knows the real address of the entity being spoofed.
  • Generic greetings can be an indicator of phishing, but real vendors might use them in a mass email.
  • A message that asks for personal information and contains a link that goes to a web site that does not use https as its protocol is suspect, but that is not actually definitive. A user might be given a web address that will redirect them to a site using the proper protocol. Click if you must, but read the screen when you get there. That's when to check for https and the padlock icon.
  • The author does not mention it, but lots of bogus emails have terrible spelling and grammar, which should never appear in an official email from a reputable organization. I wonder if this is done on purpose in the Bank Manager emails, so the reader thinks he/she might take advantage of the writer. If you could get a mark (meaning 13) to think he is the grifter, the swindle would probably be easier.
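
The link checks in the list above, as an added example that is not from the textbook: a small scanner that reads the links in an HTML email and reports the same indicators a reader looks for when hovering. The sample message and its hosts are constructed, and the results are indicators, not verdicts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in a message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_warnings(href, text):
    """Indicators only: the same checks a reader makes when hovering."""
    url = urlsplit(href.strip())
    scheme = url.scheme.lower()
    if scheme in ("javascript", "vbscript", "data"):
        return ["script or data URL instead of a web address"]
    found = []
    if "@" in url.netloc:
        found.append("@ sign in address, real host is %s" % url.hostname)
    if scheme != "https":
        found.append("not https")
    if "." in text and " " not in text:   # visible text looks like an address
        shown = urlsplit(text if "://" in text else "//" + text).hostname
        if shown and shown != url.hostname:
            found.append("text shows %s but link goes to %s" % (shown, url.hostname))
    return found

def scan_email(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return {href: link_warnings(href, text) for href, text in parser.links}

# Constructed sample message; every host below is a reserved example name.
SAMPLE = """<p>Dear customer, please confirm your account.</p>
<a href="http://login.bank.example@203.0.113.7/verify">login.bank.example</a>
<a href="https://www.bank.example/help">Help centre</a>
<a href="https://updates.example.net/reset">www.bank.example</a>"""
```

Running `scan_email(SAMPLE)` flags the first and third links and leaves the second clean; a "not https" result on its own is weak evidence, for the redirect reason given in the list.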

Social engineering is simply working the users of a system like a con artist. Think of Leonardo DiCaprio in Catch Me If You Can, interviewing an airline official to get the information he needed to impersonate a pilot. In the same way, a hacker can ask people for account information and get it because they often put no effort into keeping the information secret. It is probably true that people are the weakest link in any security chain.

Assignment 1: Discuss the questions about ethics on page 224 and the advice about personal information on page 228. Pick three from each group that seem more useful, interesting, or relevant to security. Submit your responses to those questions in an email to me.

This is a group assignment.

Assignment 2: Study for the final exam next week.