This chapter covers organizational planning for security, which you might want to think of as planning for what we will do if everything goes right. The next chapter covers contingency planning, which is more about what we will do when something goes wrong.
The text tells us, in a roundabout fashion, that we need to include
all of our stakeholders in our plans. What is a stakeholder?
A stakeholder is anyone affected by our plans, such as
management, employees, and stockholders of our company (if it has any).
A stakeholder, with regard to anything, is anyone who is affected by that
thing's success or failure.
When making our security plans we should consider five environments that our company operates in:
The text tells us that strategic planning is typically
preceded by creating a values statement, a vision
statement, a mission statement, a strategy,
and plans for "sub-units" of the company. In some organizations
this is called a vision, mission, and values approach. It is created at
the highest levels of the company first, and lower levels create their
more specific versions based on the higher level work, making this a top-down
Whether you believe in the value of such elements or not, you must deal
with this as an operational reality if the people in charge of your organization
have made it a part of your environment. For example, all plans made by
departments in the state of Michigan (my day employer) must fit with and
refer to higher level plans made for the state in general. The concept
is meant to lead to consistency and to keep the organization focused on
the big picture. An organization will suffer if the high level or lower
level statements fail to apply to lower level activities.
A mission statement can be concise and meaningful, defining what a company is about, like the one sentence example (page 40) in the text. This is a company that designs and produces quality products and associated equipment for use in business environments. That statement says what they do, what they make, and what their market is without being so specific that it could be unusable next year. It is not full of grandiose adjectives that praise the company instead of describing it.
The example of a mission statement for an IT security department that follows is much longer, and reads more like a position description for a jack-of-all-trades job in the department. The example fails to relate to the first example, which it should if the two mission statements are documents in the same company.
The text moves on to discuss strategic planning, which relates to tactical planning, and operational planning, as discussed in the first chapter. The text points out that objectives in a strategic plan should be SMART objectives. The meaning of that acronym varies from source to source. Some alternative versions are listed and explained on the Wikipedia page for SMART.
When planning your objectives for your strategic plan, you should make sure that these characteristics apply to each objective.
A tactical plan should cover a shorter time span than a strategic plan, address objectives for a smaller part of your organization, and should break down appropriate strategic objectives into a series of objectives.
An operational plan is on an even shorter time scale, is for even smaller parts of the organization, and seeks to meet more immediate objectives. A strategic plan should translate to a series of tactical plans. Each tactical plan should translate to a series of operational plans.
Moving ahead to page 55, the text uses the rest of the chapter
to discuss a Security Systems
Development Life Cycle, which it abbreviates as SecSDLC. This is a variation of the
standard SDLC that is used in
software development. The text reminds us that an SDLC can be triggered
by plans or events, events being external causes for changes in a
system. The text warns us that projects are often triggered by security
The model shown in figure 2-10 has six steps that loop back to the beginning, indicating that any system must be reevaluated from time to time.
The text spends many pages on the analysis phase above. Risk analysis
is a large portion of it. The following material is from my notes for
CSS 211, chapters 1 and 2, as well as this chapter.
Goals of information security that could also be considered as benefits of it:
Categories used to classify attackers:
Twelve categories of threats, from our text (the list is not exhaustive). This list appears on page 57 of the 4th edition of our text:
Five defenses against attacks, from the CSS 211 text:
The term malware means any software that does something harmful to a system. The CSS 211 text breaks malware into three types, based on which of three objectives the malware follows: infecting a system, concealing its actions, or bringing profit from its actions.
Infecting software is divided into viruses and worms. A virus typically requires a carrier to infect a system, like an email, an instant message, or a program that the user runs. A virus typically has two tasks: replicate and damage. Some viruses have historically been rather benign, just displaying a message to the user. The ones that cause damage to a system are categorized by the method they use or the damage they cause:
Virus protection programs typically recognize viruses by signatures, the way they look. This recognition method is complicated by metamorphic viruses that change the way they look over time, and polymorphic viruses that change their signature and their encryption methods.
Worms are described on page 44. The text tells us a major difference between worms and viruses: once it is started, a worm can replicate itself across connected computer systems by itself. It does not need a carrier. A worm can attack any running computer that is connected to a network that an infected computer is on: it does not require cooperation from the user. Worms are more dangerous due to their self-driven nature. Once a worm is detected in a system, each device on the network must be scanned for it, cleaned if necessary, and prevented from accessing the network until this is done.
The text lists four types of malware that are first concerned with remaining hidden from the user and from security personnel: Trojan horses, rootkits, logic bombs (not a terribly accurate name), and privilege escalators.
Trojan horse programs are named for the myth of a wooden horse that was used to smuggle Greek soldiers inside the walls of Troy. A program of this sort has two aspects: what we are told it does, and what it actually does. In some cases, Trojans may do what they say, but they also have a hidden malicious purpose which is what puts them in this category. A classic ploy used by Trojans is to pretend not to be a program at all. The text gives an example of a file that has a .exe extension, but the characters .docx occur in the name immediately before it. If a Windows computer is using the default (idiotic!) configuration, the actual .exe extension will be hidden from the user, and the user may think it is only a Word document.
Students should become familiar with the methods to turn off "Hide extensions for known file types" in common versions of Windows.
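As an added example (not from the text or these notes), here is a small Python check for the double-extension ploy described above. The extension sets and the simplified model of what the user sees when extensions are hidden are assumptions, and the sample file names are constructed.

```python
from pathlib import PureWindowsPath

# Assumed, illustrative extension sets (not exhaustive, not from the text).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".txt", ".jpg", ".png"}


def displayed_name(filename: str) -> str:
    """Name a user sees when the final extension is hidden (simplified model)."""
    p = PureWindowsPath(filename)
    return p.stem if p.suffix else p.name


def check_name(filename: str):
    """Return (suspicious, real_extension, displayed_name) for one file name."""
    real_ext = PureWindowsPath(filename).suffix.lower()
    shown = displayed_name(filename)
    decoy_ext = PureWindowsPath(shown).suffix.lower()
    # Suspicious: the file really is executable, but the visible name
    # still appears to end in a harmless document or image extension.
    suspicious = real_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS
    return suspicious, real_ext, shown


def scan(names):
    """Return only the names that match the double-extension pattern."""
    return [n for n in names if check_name(n)[0]]


# Constructed sample names, for illustration only.
SAMPLE_NAMES = [
    r"C:\Users\student\Downloads\report.docx.exe",
    "Invoice.PDF.Scr",
    "setup.exe",
    "notes.v2.docx",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name in scan(SAMPLE_NAMES):
        _, ext, shown = check_name(name)
        print(f"{name}: shown as '{shown}', real extension '{ext}'")
```

An ordinary installer such as setup.exe and a document with extra dots in its name are not flagged; only a name whose visible part still ends in a document-style extension is.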
The text continues with a discussion of rootkits. At first, the rootkit sounds like a resident virus that replaces operating system files with its own. There are similarities, but one difference is that a rootkit is much more extensive, and another is that the rootkit obtains elevated privileges to carry out its stealth actions. The resident virus may replace one program on the computer, which will then do some harm to the system. The rootkit opens a door for lots of malware. How?
Have you ever seen a movie about a robbery in which the robbers send false information to security staff (like a video loop) that shows all is well, while the robbers proceed to steal whatever they want? That's kind of what a rootkit does. The rootkit assumes the role of a trustworthy part of the operating system. It will stand between the user and security software on one side, and other malware doing whatever it wants on the other.
The intention of the rootkit programmer may not be malicious. The text discusses the example of Sony, who in 2005 installed a rootkit installer on their audio CDs which had the goal of preventing computer users from copying those CDs. Their intent was not malicious, but it changed a PC without the user's consent, and it made the PC vulnerable to security exploits. The first is just wrong, and the second is worse. As the saying goes, the road to hell is paved with good intentions.
Detection and removal of a rootkit can be difficult, but it is worth trying before following the text's scenario of formatting the hard drive and starting over. The Sophos company, for example, has a free download that is supposed to be good at finding and removing these problems. Here is another one from Kaspersky. Students should do an Internet search for tools from the vendor of their choice.
A logic bomb is not a bomb. It is malware that waits for a logical condition to occur before it executes its mission. A classic case was the Michelangelo virus that only executed on the birthday of Michelangelo Buonarroti (which, as everyone knows, is March 6th). Other examples are given in the text. Some act like "dead man switches", where the malware engages if it is not regularly reset, or if a person's ID is removed from a network. A logic bomb can be hidden in a much larger program, making it difficult to find.
Privilege escalation is a technique, not a type. The technique is commonly used by system administrators. They log in to networks with an ID that has normal privileges on the system, but they execute administrative tasks with an ID that has elevated privileges. Of course, these are authorized users who are supposed to do such things. When malware does this, it may do it in one of two ways. It may use an exploit to escalate its own privileges, or it may access the privileges of another account which are greater than its own.
Malware for Profit
The first type in this category is spam. Spam that is sent for profit is sent to as many addresses as possible to maximize the potential of getting a sale. The cost to the spammer is minimal (until they are arrested) and the returns are very large.
Some techniques to make a spam email that will get by spam filters in many security products:
Spyware is defined as software that violates a user's security. More informatively, spyware typically has one of three missions: advertising, collection of personal information, or changing configuration settings. If other software did what spyware does with the user's permission, that software would not be spyware. So the issue is not what it does, as much as the fact that it is done in secret.
Another type of malware is adware.
As its name suggests, adware is concerned with presenting
advertisements to the computer user.
Another subcategory of spyware: Keyloggers can be implemented through hardware or software. The idea is that the program (or device) captures every key press the user makes, which can be analyzed later by someone who reads the key log. Obviously, capturing IDs and passwords would be one use of such a product. Keeping a log of all activity on a computer would be another. Some viruses contain a key logging function which sends its log to the virus originator.
A newer wrinkle in malware is the botnet. This has been around for a while, but it is a refinement and a step back from the others at the same time. A botnet is a network of computers that have been infected, turned into robots (aka zombies), that can be used for any of several kinds of attacks. The refinement is the creation of a network of infected machines on one mission. The step back is the brute force aspect of the attacks. The attacker (the bot herder) does not depend on finesse or subtlety; he uses more points of attack to meet his goal.
All PCs have BIOS chips or chip sets. They control the computer hardware at a very basic level and are still important to computer systems. As the text explains, once upon a time (let's say the 1970s), BIOS chips were read-only and had to be replaced if you were going to update them. The text reviews the history of BIOS chips becoming flashable (rewritable). A virus that overwrites the BIOS and the Master Boot Record of a computer has the potential to make the computer unusable until the BIOS is physically replaced. Other viruses will attack the BIOS and coopt it with malware or a rootkit. For these reasons, the text recommends setting the BIOS chip to be write protected.
The phrase USB device can mean any device that attaches through a USB port, but the text is concerned with those that contain memory chips or hard drives that could contain viruses. This is not to say that other devices can't be modified to become exploit devices. At the 2011 DEFCON conference, a pair of hackers demonstrated that they could rig a mouse to hold a USB stick that contained malware that could compromise a network. In a sense, this is just another instance of a hack involving a memory stick, but it is more in that most people can be made aware of the dangers of flash memory, and few would generalize that awareness to other devices that they would normally consider safe. The text lists three methods to disable USB devices:
Of the three, only the third is practical. How many of you connect a mouse or a printer by any means other than a USB port? Wireless, maybe, but you still insert a transceiver in a USB port in most cases. A good security program can be configured to scan devices as they are attached or used to minimize this risk.