CIS2750 - Securing Information Systems


Chapter 11, Network Scanning and Vulnerability Scanning; Chapter 12, Cyber Terrorism and Information Warfare

Objectives:

Chapter 11 focuses on system security. Objectives important to this lesson:

  1. Securing a system
  2. Testing for vulnerabilities
  3. Scanning for vulnerabilities
  4. Security consultants
Concepts:
Chapter 11

The chapter begins with some good advice about looking for potential system problems. The author tells us to look at six areas each of which is labelled with a word that starts with the letter P:

  • Patch - Check every part of your software for available patches, security or otherwise. Norton now has a software scanning feature to alert you about drivers, applications, and operating system patches you should apply. This does not remove the necessity of checking patches for their possible negative effects on necessary enterprise software. A test environment for such testing is recommended.
  • Ports - The text has put an FYI box about ports on routers in the Patch section. Don't ignore it. The general advice is to close all ports you do not use on every computer. You may need to open a port for a specific, temporary reason. If so, watch what you are doing, and close the port again afterward.
    In this discussion, the text advises you to shut down services (associated with ports) that you do not intend to use on a computer. It walks you through shutting down and disabling services on a device running Windows, where this can more often be a problem. Shutting down/disabling a service that you do not want to make available to an attacker is analogous to shutting down the port it is associated with. Shutting down the port alone may not be enough.
  • Protect - This category covers running firewalls and Intrusion Detection Software (IDS). The text offers advice about finding a firewall and using it.
  • Policies - The policies section of this list seems very familiar since it was covered in the previous chapter. The author seems to be working from the idea that he does not know the order in which his chapters will be covered. In any case, the author reviews password policies, access rights policies, acceptable use policies, and on-boarding/off-boarding policies as the most important in this context.
  • Probe - This is not so much a category as it is a procedure to be followed. Check your network by attempting your own penetration testing, or by hiring experts to do it.
  • Physical - This section is often overlooked by IT staff, but it should not be. Doors exist for two reasons: to allow passage, and to deny it. Shut the doors to your secure buildings and rooms, and lock them. Don't let people "social engineer" their way into secure locations. Use locks, fences, guards, and other physical security means to protect your assets.

The text moves on to securing (hardening) a system. Standard hardening in a particular enterprise may include items from several of the bullet points above.

  • No unnecessary rights to the hardware for users. This is an extension of the least privilege principle. If the user does not have the rights to install software, it is less likely that they will install something containing viruses. Such rights should be used by qualified staff or by tested and trusted install packages.
  • If vulnerable ports and services are shut off by default, devices are less likely to fall prey to attacks that use those ports and services.
  • Device-level firewalls should be used, whether they are part of the operating system or an additional application.
  • Servers get the same care, but they must have some ports open and some services running, so they take more care, more watchfulness, and more monitoring.
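The Ports advice above and the hardening list here both come down to the same check: which services actually own the listening ports on a host, and is the host firewall on. The PowerShell below is an added example, not from the textbook or these notes; it assumes a Windows host (Windows 8 / Server 2012 or later for Get-NetTCPConnection) and an elevated prompt, and the service name in the commented usage line is a hypothetical placeholder.

```powershell
# Added example (not from the textbook or the course notes): audit which
# services own listening TCP ports on a Windows host, and check that the
# host firewall is enabled, before deciding what to disable.
# Assumes Windows 8 / Server 2012 or later and an elevated prompt.

# Map each listening TCP port to its owning process and, where one exists,
# the Windows service hosted in that process.
function Get-ListeningServiceMap {
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 }

    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $svc  = $services | Where-Object { $_.ProcessId -eq $conn.OwningProcess }
            [pscustomobject]@{
                LocalAddress = $conn.LocalAddress
                LocalPort    = $conn.LocalPort
                ProcessId    = $conn.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Services     = ($svc | ForEach-Object Name) -join ','
                StartMode    = ($svc | ForEach-Object StartMode | Select-Object -Unique) -join ','
            }
        }
}

# Stop a service and keep it from restarting at boot. Stopping alone is not
# enough: a service whose StartMode is Auto reopens its port after a reboot,
# which is the point the text makes about closing the port not being enough.
function Disable-UnneededService {
    param([Parameter(Mandatory)][string]$Name)
    Stop-Service -Name $Name -Force -ErrorAction Stop
    Set-Service  -Name $Name -StartupType Disabled
    Get-Service  -Name $Name | Select-Object Name, Status, StartType
}

# Report: listening ports with their services, then the state of each
# firewall profile (the text's "Protect" item).
Get-ListeningServiceMap | Format-Table -AutoSize
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Usage (hypothetical placeholder name; choose a service from the table
# above that this host genuinely does not need before running it):
# Disable-UnneededService -Name 'SomeUnneededService'
```

Run the report first and compare it with the list of services the machine is supposed to offer; anything listening that is not on that list is a candidate for the second function.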

The text discusses hardware that is going to be retired. Its example is old backup media that is no longer going to be re-used. This applies just as well to computers, hard drives, and any other medium used for data storage. The text cautions us to break optical discs, to burn or melt tapes, and to randomly magnetize magnetic storage. I knew a man who ran a warehouse that received, deployed, and disposed of computer equipment. His policy for hard drives was more strict. For hard drives that were being trashed, he had his staff drill holes through the hard drive cases and disks, put the damaged equipment in buckets of salt water overnight, then run over the drives with a large truck the next day. Dumpster diving for hard drives was a waste of time on his watch.

The text finishes this topic with a list of ideas for protecting a network. Read through it. If it is news to you, learn some of it. If it is not news, good for you.

The text moves on to discussing scanning a network for trouble. The text is pretty good, but I know you prefer hands on. The following video is essentially a lab from Josh Madakor about using Nessus to scan a network. He is a good speaker and I hope you liked the last video I showed you from him.


The text also has a walk-through about Nessus, so you can download the material with Josh and follow him, follow the text, or do both.

In this section, the text walks through other products but you have the most to learn from Josh Madakor.

The chapter ends with a section on relevant certifications, whether you are looking for a professional who already has them, or you are looking to get particular certifications yourself to become more knowledgeable or more marketable. Look through this section, whichever goal you may be following.

Chapter 12, Cyber Terrorism and Information Warfare

Objectives:

Chapter 12 discusses encounters with nation states and what you may have to do to counter them. Objectives important to this lesson:

  1. What is cyber terrorism
  2. What is information warfare
  3. How might you encounter cyber terrorism
  4. What may cyber terrorism bring to you
Concepts:

This chapter begins with a discussion of the nature of cyber terrorism. It can resemble cyber espionage in terms of hacking skills needed, but it goes past that in terms of damage done to the target system, and in terms of publicity. A terrorist often has a national or political agenda, which means that an additional goal is to make successful attacks known to others who are likely to fear attacks as well. Terror, as an objective, is more effective on a larger scale.

The text presents some examples of cyber terrorism conducted by elements of several nation states. It also makes a distinction between terrorism and warfare. The use of the Stuxnet virus by the United States was not an act of terrorism, it was an act of cyber warfare. It was not designed to create fear. It was designed to disable a capability to create weapons. The distinction between the two concepts is blurred when the effects of the attack affect more than military assets.

The video below is one version of the story of Stuxnet.


The chapter also discusses two related concepts: Supervisory Control and Data Acquisition (SCADA) and Process Control Systems (PCS). A Process Control System can be like the feedback loop between a thermostat and a furnace. In this example, it is meant to control the process of maintaining the temperature in a room. It measures the output of the system, and runs it as needed to reach and stay in a range of desired output. This kind of control system takes a setting from an operator, but runs automatically once it is set. A SCADA system is a large PCS. An example is a system that monitors and controls the flow of power and water to utility customers. Systems that adjust traffic lights to accommodate changing traffic flow into and out of a city are also examples. You may see that this kind of system is used to make social infrastructure work, making it a target for politically motivated hackers. For another explanation, take a trip to this article from TechNewsWorld. It should be clear that the access controls for these systems must be very secure, and that access must be limited to only the people meant to have it.

The author goes down a rabbit hole in his discussion of information warfare. He is correct that propaganda is information, or misinformation, that is often meant to advance a political agenda. This discussion is a bit off target, however, for the objectives of this chapter. Our focus is not the same as that of a course at a military academy. His discussions of propaganda, misinformation, and news sites with a political or other influence agenda are valid and useful, just off topic.

The text returns to its point on page 361, talking about defense against cyber terrorism. The author makes four recommendations which all have some merit. I am interested in the idea of a common reporting site about attacks, although the major vendors of protection software already have their own such sites, which makes them unlikely to stop having them. I think it would be best to pursue both ideas, which would make it more likely that there would be reports somewhere about relevant details.

The chapter ends with a discussion of the Internet being used as the main component of much of the world's information sharing. The problem with that is that no one owns the Internet, as such, and no one is accountable for anything but their own contributions to it. The Internet was invented as a private line of communication between five research universities. It has become much more, but it is like any source of information and news: it can be wrong. You need to verify that what you have been told is true. Most people trust too readily; some do not trust at all. As information professionals, we must learn to trust provisionally. Do not trust blindly. Prove what you can, and reserve trust on what you cannot prove. This is one of the tenets of the scientific method.

I will trust Sal Khan to talk to you about it.