CSS 111 - Introduction to Information System Security

Chapter 1, An Introduction to Information Security; Chapter 2, The Need for Security

Objectives:

This lesson introduces the student to concepts about information systems and information system security. Objectives important to this lesson:

  1. Understand that information security affects everyone
  2. Understand the Information Security Systems Development Life Cycle
  3. Define business needs for information security
  4. Differentiate threats from attacks

Concepts:

Chapter 1

Our authors like to begin chapters with stories that illustrate major points. This chapter begins with a few minutes in the life of a help desk employee whose company is at the start of a bad day. Read through this short section and ask yourself a few questions.

Assignment 1: Welcome to the help desk

  1. Assume that the data on phone calls in the second paragraph is for the whole help desk. How many calls a day does the Sequential Label and Supply Company help desk usually get? Knowing the usual number of calls enables you to judge when something unusual is happening.
  2. The state of Michigan often gets around a thousand calls a day from over 50,000 employees. Given that ratio, how many employees may we estimate Sequential Label and Supply has? Knowing how many users you have might give you an idea of the upper limit to the number of problem reports to expect in a crisis/disaster.
  3. Amy asked the first caller what the problem was, and whether he had tried rebooting. That apparently exhausted her script of things to try before passing the trouble ticket along. What else could she have asked that might have helped document/diagnose the situation?
  4. Amy proceeds to infect herself with an email attachment. Other employees probably did the same. Any thoughts on an IT security policy that might have minimized this?
  5. What should the IT security people have looked for if they suddenly got a lot of emails at the same time?
  6. By the way, what does it mean that Amy's phone quit working?

If you don't have good answers for some of those questions yet, you are in the right place. We will build up some knowledge that will help you form good answers to them. We will come back to Amy later.

Having deployed a teaser to get your interest (like the first minute or so of a TV show), the text makes the classic mistake of abruptly switching topics and begins a history lesson. Actually, the authors do not go back far enough. They state that information security begins with computer security. Have you ever heard of the Caesar cipher? It had nothing to do with Your Show of Shows, and everything to do with information security in the first century BC. There was information long before there were computers. Let's indulge the authors, and grant that electronic computers were invented during World War II. We are treated to a photo of a German Enigma machine (page 4), but that was mostly a mechanical cipher device, not an electronic one. The authors' point may be that we did not need information system security until we began using information systems. Okay. Information systems typically evolved in safe environments, but became less safe as they grew and as their number of users grew.

  • 1950s and 60s - Computer systems began as standalone computers, which were then connected to networks.
  • 1970s - Personal computers became affordable, then they were connected to networks, and networks were connected to networks.
  • 1990s - The Internet became accessible to average people and began to include commerce.

The text continues with a series of attempts to define security. Let's look at some of their key words:

  • there are several specialized areas of security listed (Some of these overlap.):
    • physical
    • personal
    • operations
    • communications
    • network
    • information
  • information security has three classic characteristics/elements, commonly referred to as CIA
    • confidentiality - information should only be accessible to users who have been granted access to it for valid reasons. Only authorized users can access data if it is protected properly, and if authorized users do not violate security policy.
    • integrity - data/information may not be changed except by authorized users or processes. This means that data must be protected from alteration, deletion, or other changes to its intended form.
    • availability - authorized users can access data when they need to do so. Some people misunderstand this concept. Availability means that proper access methods are provided only to authorized users, not to everyone.

  • the authors throw in a few more characteristics, some of which overlap CIA:
    • accuracy - related to integrity, but also meaning that the information is correct
    • authenticity - meaning that the source is proven and trusted, which is related to confidentiality
    • utility - information must be good for something, or it is only data, raw and not useful
    • possession - a characteristic that relates to more than just information; unauthorized possession is theft

The classic CIA concept defines security from the point of view of the IT Security staff. The text explains that an expansion of this concept is called by several names, one being the McCumber Cube. It provides three different perspectives on security, which should be considered together to make better security decisions. This does not mean this tool covers all situations, but we should consider the ones it does cover:

  • IT Security perspective: Confidentiality, Integrity, Availability
    This is the perspective of the IT security staff. How do we protect the information, make sure it is not tampered with, and provide access to those who need it?
  • IT Operations perspective: Storage, Processing, Transmission
    This is the perspective of any IT staff who do not work for the security division. How do we perform the basic IT functions of storing, processing, and transmitting data? Under storage, we should include data collection and data entry.
  • Business perspective: Policy, Education, Technology
    This is the perspective of managers over the core operations of the business. How do we make the rules for employees about protecting information, educate our staff about protecting it, and safely use the technology we have to do our business?

It feels a bit off that the first two bullets above seem to relate to the primary activities of the respective entities, but the third does not. All three perspectives relate to IT security, from the point of view of that entity. Each is different from the others, and each should be considered a necessary aspect of the security process.

The text lists six components of an information system. We should remind ourselves again that people used information before computers were invented, and some people do not need a computer to do their primary job, but the focus of this text is about computer information systems, so that's what the authors spend the most time on. The six elements of computer information systems:

  • software
  • hardware
  • data
  • people
  • procedures
  • networks

All of these elements need protection, partly because each can be the focus of an attack. In some cases, we need protection from these elements. The text discusses the fact that attackers often begin their attack by gathering information from unsuspecting staff. This method is called social engineering. It takes many forms, but usually the attacker begins by asking politely for some information which is then freely given.

Some other terms may be helpful. Some are defined in the text, some are not.

  • asset - something that we care about, typically information related
  • threat - a potential form of loss or damage; many threats are only potential threats
  • threat agent - a vector for the threat, a way for the threat to occur; could be a person, an event, or a program running an attack
  • attack - an act that uses a vulnerability to do damage of some sort to a system
  • incident - an event that damages a system in some way; note that an incident may or may not be an attack; an incident does not require an attacker
  • object of an attack - an asset that is being attacked
  • subject of an attack - a threat agent that is actually attacking us
  • risk - the probability of a loss
  • vulnerability - a weak spot where an attack is more likely to succeed
  • exposure - when a vulnerability is known, such as when Microsoft announces a patch for a vulnerability
  • exploit - a method of attack
  • control, safeguard, countermeasure - could be software, hardware, or a policy that serves to reduce the probability of a successful attack

The text begins a discussion of a Systems Development Life Cycle (SDLC). This is one of many methods of developing an information system. It is a classic method that you should know about. Like most such methods, it is a cycle because any system should be reviewed periodically to see what needs to be changed or updated. In the diagram on page 22, the phases are shown as a series of descending steps (like a staircase) to emphasize that this version is also a waterfall model: the output of each step serves as an input for the next step. The steps/phases listed in the text:

  1. Investigation - What is the problem? What is the customer asking for? Can we do it?
  2. Analysis - Can we design a system to solve the problem?
  3. Logical design - What must the system do? What will be the necessary parts of it?
  4. Physical design - How will the system be built, and how will it work?
  5. Implementation - Write the programs, buy and install the hardware, load the programs, make it work, train the users
  6. Maintenance and change - What needs to be changed, fixed, or updated?

One aspect that the diagram on page 22 does not show is that it is always possible to detect a problem in any phase that requires backing up to an earlier phase for correction. When this is done, the flow continues from the phase where the correction was made.

This general plan also works for developing a security system. The text discusses the Security Systems Development Life Cycle, which can be abbreviated as SecSDLC. This is a variation of the standard SDLC. An SDLC can be triggered by a project or by changes in plans or events, events being external causes for changes in a system. Projects are often triggered by security breaches. The authors observe that it is much better if security measures are designed into a system when it is created. Adding security afterward is often messy, time consuming, and unpopular with the users. In fact, any security measure will meet with some displeasure from users. The text tells us that we must try to strike a balance between a system that any user can ruin, and a system that is so secure no one can use it.

When security is made part of a system, it should comply with the organization's security policies, the general and specific rules about security in that workplace. In some cases, the system will cause the organization to create security policies to cover it. Security policies should be created by a cooperative effort from committees that are formed by three parts of the organization:

  • IT managers and professionals
  • IT security managers and professionals
  • Business managers and professionals

The first two groups look like the same people, but they are not.

  • IT staff are responsible for meeting the IT needs of the business. It might be better to call these people the IT Operations staff, although that phrase may have a different specific definition in some organizations.
  • IT Security staff are responsible for protecting information.
  • Business staff are responsible for the core interests of the business.

Chapter 2

The second chapter begins with a less illustrative story. It tells us that the example company survived their problem from the first chapter, but it does not tell us how they did it. The purpose of the introductory story seems to be to remind us that information systems need protection for all six of their elements, named in chapter 1.

This is said in a slightly different way on page 41, in the four statements about what value an organization gets from information system security:

  • Protecting an organization's ability to function. The business needs to operate to stay in business.
  • Enabling safe operation of an organization's software. Email, messaging applications, office applications, data and reporting applications all need to work. Ask me about sending files that don't display correctly.
  • Protecting the organization's data. Protection from theft, corruption, errors, and more. Note that the text differentiates between protection of data in motion and data at rest. These functions are likely to be done by different parts of the organization.
  • Protecting the organization's technology assets. Most businesses rely on some kind of technology, especially their Internet presences. Compromised technology leads to loss of trust and loss of revenue.

The text begins a general discussion about threats on page 42. It goes on to quote Sun Tzu (the third quote on the linked page), and to use his observation that you must know yourself and your enemy. The quote is from the end of chapter 3 of The Art of War. The observation is valid. We must know something about ourselves, our assets, and our potential attackers to prepare for and to survive their attacks.

The text presents a list of fourteen kinds of threats on page 44. The world changes daily, so I will not tell you that these fourteen categories are all you will ever encounter. They are, however, a good place to start. They seem to cover most of the stories you find on security news web sites.

  • compromised intellectual property
  • software attack
  • reduced quality of service
  • espionage and trespass
  • force of nature
  • human error
  • extortion
  • missing, inadequate, or incomplete data
  • missing, inadequate, or incomplete controls
  • sabotage or vandalism
  • theft
  • hardware failure or error
  • software failure or error
  • obsolescence

The text says that losses are down and security is better. Tell that to Target, or any other store whose data was compromised in 2013. Average statistics about losses being down are not comforting to someone who has suffered a loss.

The text proceeds to discuss each of the bullet points above for several pages. We will discuss some of the more interesting ones in class. If you are not familiar with the material in this section, go over it before our discussion. Some of the material may be arguable.

Violation of intellectual property does not sound like something you get up in the morning with a plan to do. If we call it bootlegging software, it may sound more familiar. As 2014 began, there was an ongoing story in the news about retail stores being hacked by people who stole customers' names and credit card information. One of the interesting things about this story relates to this topic: a company that contracted with one of the retailers was using a free version of an anti-virus program. That particular program is available for free to individuals, but not to commercial entities, which means that whoever installed the program on their computers violated the intellectual property rights of that software publisher. The text describes a case in which a community college was found in violation of software licensing rules, and had to pay fines for doing so. In a corporate environment, it is not uncommon to have the ability to install software on as many machines as you have, but care must be taken to have the correct number of licenses to avoid this situation.

Software attacks take many forms. The text discusses viruses and worms, which are similar in that they both cause harm. A virus typically requires a carrier to infect a system, like an email, an instant message, or a program that the user runs. A major difference between worms and viruses: once it is started, a worm can replicate itself across connected computer systems by itself. It does not need a carrier. If a worm-infected computer is on a network, the worm can attack any running computer connected to that network: it does not require cooperation from the user. Worms are more dangerous due to their self driven nature. Once a worm is detected in a system, each device on the network must be scanned for it, cleaned if necessary, and prevented from accessing the network until this is done.

Trojan horse programs are named for the myth of a wooden horse that was used to smuggle Greek soldiers inside the walls of Troy. A program of this sort has two aspects: what we are told it does, and what it actually does. In some cases, Trojans may do what they say, but they also have a hidden malicious purpose which is what puts them in this category. A classic ploy used by Trojans is to pretend not to be a program at all. A file may have a .exe extension, but the characters .docx may occur in the name immediately before it. If a Windows computer is using the default (idiotic!) configuration, the actual .exe extension will be hidden from the user, and the user may think it is only a Word document. I always tell my computers to show me the entire file name. It's lazy and dangerous to do otherwise.
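The hidden-extension trick described above can be checked for mechanically, which is how a mail gateway or a download-folder scan would catch it. The Python below is an added example, not code from the textbook or from these notes: it approximates what Explorer shows under the default "hide extensions for known file types" setting and flags names whose real extension is executable but which carry a document-style extension right before it, including the padded form where spaces push the real extension out of view. The extension lists, function names and sample file names are all constructed for this example.

```python
import os

# Constructed lists for this example; neither is exhaustive. Windows launches
# files with these extensions as programs or scripts...
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".msi"}
# ...while a user expects these to be harmless documents or pictures.
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt", ".jpg", ".png"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Approximate what Explorer shows. With the default 'hide extensions for
    known file types' setting the last known extension is dropped, so
    'resume.docx.exe' appears as 'resume.docx'."""
    if not hide_known_extensions:
        return filename
    base, ext = os.path.splitext(filename)
    return base if ext.lower() in KNOWN_EXTS else filename


def is_deceptive_name(filename: str) -> bool:
    """True when the real (last) extension is executable and the name carries a
    document-style extension just before it, e.g. 'invoice.pdf.exe' or the
    padded form 'invoice.pdf            .exe'."""
    base, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    inner_base = base.rstrip()           # drop padding used to push .exe off-screen
    _, inner_ext = os.path.splitext(inner_base)
    return inner_ext.lower() in DOCUMENT_EXTS


def scan_names(filenames):
    """Return the deceptive names in the order given, as an attachment filter
    or a folder scan would report them."""
    return [name for name in filenames if is_deceptive_name(name)]


# Constructed sample: two innocent names, two Trojan-style names.
SAMPLE_NAMES = [
    "resume.docx",
    "setup.exe",
    "resume.docx.exe",
    "photo.jpg            .scr",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:32} shown as {displayed_name(name)!r:24} "
              f"deceptive={is_deceptive_name(name)}")
```

Turning the hiding setting off, as the notes recommend, is exactly `hide_known_extensions=False`: the user then sees `resume.docx.exe` in full, and the deception has nothing to hide behind.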

Degradation of service can happen if a system is attacked and not taken down but kept from running well. If an attacker keeps the target system's web servers too busy to conduct business as usual, customers will tire of the wait and shop elsewhere. That, by the way, is if the attacker is being nice. If the attacker is more serious, the attack becomes a Denial of Service (DoS) attack, whose goal is to keep the system so busy that no real customers can use it.
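Deciding that a web server is "too busy to conduct business as usual" needs a baseline and a count, which is the kind of check an operations team scripts against its access logs. The Python below is an added example, not code from the textbook or from these notes: it reads constructed log lines in an assumed `timestamp ip method path` format, keeps a sliding ten-second window of requests per source address, and reports any source that crosses a request threshold. The window size, the threshold, the log format and the addresses (documentation ranges) are all assumptions chosen for the example; a real threshold comes from your own normal traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example: "<ISO timestamp> <source IP> <method> <path>".
# Window and threshold are assumptions; a real baseline comes from your own traffic.
WINDOW = timedelta(seconds=10)
THRESHOLD = 20


def parse_line(line):
    """Split one constructed log line into (datetime, ip, method, path)."""
    ts, ip, method, path = line.split()
    return datetime.fromisoformat(ts), ip, method, path


def find_flooding_sources(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of requests per source address.
    Returns {ip: first timestamp at which that source reached the threshold}.
    Lines must already be in time order."""
    recent = defaultdict(deque)     # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        ts, ip, _method, _path = parse_line(line)
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:    # expire requests older than the window
            hits.popleft()
        if len(hits) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def build_sample_log():
    """Constructed traffic: five ordinary shoppers making a request every five
    seconds, plus one source sending 40 requests to /checkout in four seconds."""
    base = datetime(2014, 1, 15, 10, 0, 0)
    lines = []
    for i in range(30):
        ip = f"198.51.100.{i % 5 + 1}"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} {ip} GET /catalog")
    for i in range(40):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 GET /checkout")
    return sorted(lines)    # ISO timestamps sort chronologically as text


if __name__ == "__main__":
    for ip, when in find_flooding_sources(build_sample_log()).items():
        print(f"{ip} reached {THRESHOLD} requests within {WINDOW.seconds}s at {when.isoformat()}")
```

The same count is what separates the two cases in the paragraph above: a source that keeps the server merely slow sits just under whatever threshold you set, while a Denial of Service source blows through it, so the threshold should be tuned to the point where legitimate customers start to notice.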

The text discusses some categories used to classify attackers:

  • phreaker - an "ancient" category, it refers to hackers who used tone or line frequency devices to hack telephone systems in the 1970s and earlier
  • hackers, expert hackers, elite hackers - one of the buzzwords of computer system geeks, hacker can mean anything; it is generally accepted to mean someone with more skill than an average user, who may be a white hat (good guy) or a black hat (bad guy). A hacker may break into a system for a thrill, to show off, or to cause some kind of damage.
  • script kiddies, novice hackers - attackers who use hacking tools that they don't really understand
  • spies - computer attackers who are looking for specific data from specific systems
  • employees - Computer security includes the concept of protecting data from people who aren't authorized to access it. What about protecting it from authorized users who want to give or sell it to someone else? What about authorized users who give out their password because someone asks for it? What about users who are no good at protecting their secrets?
  • cybercriminals - The text does not discuss this category in this chapter. The bottom line is that they are after some financial gain. This could be data they can sell, actual fund transfers, or theft of financial instruments.
  • cyberterrorists - A cyberterrorist is defined as a system attacker whose motivations are ideological.

The authors spend a couple of pages discussing forces of nature, most of which are self explanatory. A couple of them seem out of place.

  • fire - If your business is located in the hills of California, wildfires seem to be a yearly event, but for most of the world a fire is not an expected natural occurrence. Keeping your computer system cool, so that a fire will not ignite, is your most effective form of firefighting: don't let it start.
  • electrostatic discharge (ESD), static electricity - This one is more natural, but still requires some human action to happen. Some numbers from a previous text may help you understand the situation:
    • A human can't feel a static discharge until it is 3,000 volts or more.
    • Normal motion, like moving a chair or a foot can generate 1,000 volts.
    • Simply walking across a carpeted area can generate 1,500 to 35,000 volts.
    • Handling a plastic envelope can generate 600 to 7,000 volts.
    • Picking up a plastic bag can generate 1,200 to 20,000 volts.
    • Damage can be done to computer parts with 20 to 30 volts. The damage from low voltage may not cause immediate failure so you may never know the cause of the failure that eventually happens.

Human error is discussed as being a major cause of problems that we can often prevent. Many times, errors are caused by carelessness, but they can also be caused by lack of training, lack of experience, and invalid assumptions. Another way of saying this is the user does not know how the system works, the user has no experience with the (new) system, or the user is wrong about how the system works. Training and practice can overcome these problems. Errors can also be caused by users being too busy or too kind or trusting to follow proper secure procedures.

Moving ahead, the text discusses several types of attacks that occur often enough that an informed IT person should be aware of them:

  • malicious code, malware - we have already discussed viruses, worms, and Trojan horses
  • hoaxes - this topic actually has two variants: one is a time waster and the other is more evil
    First, sometimes an email goes around that asks the reader to forward the message to everyone they know. The message may be a political rant, a plea for support, or a warning about some threat. The thing those email messages have in common is that they are all false. They only serve to cause fear, uncertainty, and doubt (FUD) which lowers productivity and clogs mail servers.
    The second type is far less common: the sender warns the reader about a virus or a vulnerability that must be fixed by clicking the attachment that came with the email, or by following a link in the email. In either case, if the user follows the instruction, that will be the trigger to infect the computer. I received three instances of a more recent variation, the funeral announcement virus, last month. Follow the link to an explanation on the Snopes web site, and don't open it if you get one.
  • The text talks about three variations on guessing a user's password.
    If the attacker can access the Security Account Manager data file on a workstation or server (Windows), that's helpful because it contains the encrypted passwords for known users. Those encrypted passwords can be compared to tables of known words and their encrypted versions. If there is a match, that password is now known. For obvious reasons, we restrict access to this file.
    The Brute Force method is simple, but tedious. The attacker tries to log in to a system with every possible combination of characters. This can take a long time, especially if the system restricts the number of times a user can try to log in unsuccessfully.
    The Dictionary attack is shorter than the brute force method. It only uses words from a file (the dictionary) as possible passwords, working on the assumption that a user will probably use a real word as a password. Complexity rules, such as requiring a password to have upper and lower case letters, numerals, and symbols, will make this kind of attack take more time to find a result.
  • denial of service - in a Denial of Service (DoS) attack, multiple computers are typically used to tie up all available connections to a system, preventing real users from making a connection or receiving a service. When a botnet is used, the attack can be called a Distributed Denial of Service (DDoS) attack. A botnet is a network of computers that have been infected, turned into robots (aka zombies), that can be used for any of several kinds of attacks.
  • A back door is often a separate account that is used in case of emergency to get access to a system, usually as a user with administrator privileges. The text says that this is an account that is set up without the administrator's knowledge or permission. Yes, an attacker would do that, but the administrator might set up his own back door so that he could get into the system in case it is hacked.
  • spoofing attacks involve pretending to be someone else. Email spoofing involves sending email that looks like it is from a known or legitimate source. IP spoofing makes it look like traffic is coming from a unit on a local network, or from a unit on a list of trusted sources.
  • man-in-the-middle attack - Students should be able to find information about this kind of attack on voting machines. A passive attack intercepts messages, saves and transmits them to an attacker, and passes the messages on to the intended receiver right away. An active attack would intercept a message, change it, and then send the changed version along. You can see how this kind of attack on election data would have effective results.
  • phishing is the solicitation of personal or company information, typically through an official looking email. Your text includes phone call probes in this category, but most people would consider that to be social engineering. Some variations on phishing:
    • spear phishing - sending the email to specific people, customizing it to look like a message sent to them by an entity with some of their personal information already
    • pharming - sending an email that takes the person directly to a web site (the phisher's site) instead of asking the reader to follow a link
    • Google phishing - the phisher sets up a fake search engine that will send people to the phishing web site on specific searches (presumably it returns real search results on searches that would not lead to a page the phisher has prepared)
  • social engineering is simply working the users of a system like a con artist. Think of Leonardo DiCaprio in Catch Me If You Can, interviewing an airline official to get the information he needed to impersonate a pilot. In the same way, a hacker can ask people for account information and get it because they often put no effort into keeping the information secret. It is probably true that people are the weakest link in any security chain. The text mentions shoulder surfing, watching a user type to learn ID, password, and other useful information. This is also social engineering, and so is paying attention to what people do. A classic example is tailgating, following an authorized user through a door that requires you to scan an ID to pass through it. The hacker in question has his hands full of briefcase, coffee cup, keys, and a box of doughnuts. He smiles and asks for help getting through the door. People usually oblige that request. Around holidays, presents are also a good ruse, as well as anything else allowed in the office, like a potted plant, or a bouquet of flowers. Anything to make you look like a nice person whose hands are too full to use your own ID to open the door.
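The three password attacks in the list above are all slowed or defeated by two controls the text touches on: restricting the number of failed logins, and storing passwords so that a table of known words and their hashed versions cannot be matched against the stored values. The Python below is an added example, not code from the textbook or from these notes, of a small password store that uses a random per-user salt with PBKDF2-SHA256 (an assumed choice; the text names no algorithm) and locks an account after a fixed number of consecutive failures. The class and function names, the iteration count, the lockout threshold and the sample users are all constructed for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000     # assumed work factor; tune upward as hardware allows
MAX_FAILURES = 5         # assumed lockout threshold


class PasswordStore:
    """Keeps a random per-user salt plus PBKDF2-SHA256 of the password, and
    counts consecutive failed logins so an account locks after MAX_FAILURES."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.records = {}     # username -> (salt, derived key)
        self.failures = {}    # username -> consecutive failed logins
        self.max_failures = max_failures

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)            # fresh random salt per account
        self.records[username] = (salt, self._derive(password, salt))
        self.failures[username] = 0

    def is_locked(self, username):
        return self.failures.get(username, 0) >= self.max_failures

    def login(self, username, password):
        """Return 'ok', 'bad' or 'locked'. Unknown users get 'bad', so the
        answer does not reveal which usernames exist."""
        if username not in self.records:
            return "bad"
        if self.is_locked(username):
            return "locked"
        salt, stored = self.records[username]
        if hmac.compare_digest(stored, self._derive(password, salt)):
            self.failures[username] = 0           # a success resets the counter
            return "ok"
        self.failures[username] += 1
        return "bad"


def unsalted_table(words):
    """The kind of word/hash table the text describes, built over a bare SHA-256
    to show what an unsalted, fast hash would give away."""
    return {hashlib.sha256(w.encode("utf-8")).digest(): w for w in words}


def stored_hash_in_table(store, username, table):
    """Would a precomputed table match this user's stored value? With a random
    per-user salt and a slow derivation the answer is always no."""
    _salt, stored = store.records[username]
    return stored in table


def guesses_until_locked(store, username, wordlist):
    """Exercise the lockout: feed a constructed word list to login() and return
    (number of guesses actually evaluated, final result)."""
    evaluated = 0
    for word in wordlist:
        result = store.login(username, word)
        if result == "locked":
            return evaluated, "locked"
        evaluated += 1
        if result == "ok":
            return evaluated, "ok"
    return evaluated, "exhausted"


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same weak password.
    store = PasswordStore()
    store.add_user("amy", "letmein")
    store.add_user("bob", "letmein")
    print("same password, same stored value?",
          store.records["amy"][1] == store.records["bob"][1])
    table = unsalted_table(["password", "letmein", "123456"])
    print("bob's stored value found in word table?", stored_hash_in_table(store, "bob", table))
    print("guesses evaluated before lockout:",
          guesses_until_locked(store, "amy", ["password", "123456", "qwerty", "abc123", "monkey", "dragon"]))
```

Note the balance the text asks for: the lockout stops a guessing loop after a handful of tries, but it also means that someone who merely knows a username can keep the real user out, so production systems pair it with a timed unlock, an administrator reset path, and an alert when the counter trips.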

The chapter concludes with a discussion about developing software with security in mind. The student learning objectives do not address this section of the chapter.

Assignment 2: Review questions for chapter 2

  1. This chapter covered a lot of ground. Turn in answers to the even numbered review questions found on pages 83 and 84.