ITS 4210 - Access Control, Authentication, and PKI
Chapter 5, Security Breaches and the Law
This lesson concerns chapter 5.
Objectives important to this lesson:
US laws and regulations concerning information theft
Costs of inadequate access controls
Access control failure
The text begins with the idea that spying on a business has
changed since the data when a file had to be stolen or copied
physically to gain unauthorized access to it. Laws have actually been
catching up to technology for several decades, and most that are place
are adequate if people would take reasonable precautions. The laws
discussed in the previous chapter were more about business
responsibilities. These are more about the theft of information,
Computer Fraud and
Abuse Act (CFAA, 1984,
1994, 1996) - Makes it illegal to steal information from government
computer system, financial computer systems, and any computer systems
having to do with interstate or foreign commerce that involves
an entity buying or selling in the United States. This law was revised
by the Identity Theft and Restitution Act (ITERA, 2008).
Revisions over time have added more powers to this law:
Added sections about spyware and cyberextortion
Sections making unauthorized access a crime
Sections making trafficking (selling)
computer passwords a crime
Sections making intentional damage to a
system a crime
Sections making identity theft a crime
Copyright Act (DMCA, 1998) - an amendment to US copyright
law that includes elements of two treaties from the World Intellectual
It says that an Internet Service Provider is not
liable for any crimes that a subscriber might commit on the Internet,
but that they must receive and respond to reports of
It also makes it a crime to bypass encryption
or other means of preserving copyright
Normally, I would present an illustrative video here. The nice folks at
YouTube have updated their copyright information, and provided a page
of resources, which is much better than just a video. Please take a
trip to their page, watch the video, and learn more about
copyright and fair use.
California Identity Theft Statute (1998, 1999) - Established
that businesses are required to notify their customers when identity
information has been stolen from them. Customers may sue to
recover financial loss from the data breach, or from failure to
disclose it to them. It also establishes penalties for the person or
persons who steal such information.
This law is an example of a well constructed state law. Other states
have similar laws in place.
Costs of Poor Access Controls
As noted above, there are penalties for theft of data and
for failure to protect data in our possession. There are also costs to
replacing and upgrading systems that have been compromised, which must
often be done in a hurry, as opposed to budgeting it reasonably over
time. Loss of business due to the notoriety of being breached is
difficult to measure, but it is reasonable to expect. The text offers
some suggestions about good policies about physical security. We should
examine them and propose some about logical security:
Physical security must comply with applicable
regulations, such as building and fire codes. (How will we know we have
Access to secure facilities will be granted only to those
with legitimate needs. (What are those needs? Who says a need is
legitimate, or that someone has one?)
Visitors to secure facilities must be logged. (What proof
of identity is required? Who determines what they will do in the
Visitors must be escorted at all times. (All
times? And how will that keep them from breaching our data?)
The text explains that the recommendations for government
installations are not really different, just stricter because
of federal, state, and municipal laws requiring adherence
to best practices. The text continues on the same theme for several
pages, quoting more standards that mean the same thing: identify,
protect, and preserve. Do the right thing. There is no IT category that
requires no security at all.
Access Control Failures
On page 96, the text turns to two areas of access control
failure. Causes may be related to people or to technology.
The authors begin with a story about people being
let in to a dinner at the White House. The story shows a failure, but
we do not know what caused it or what to do about it. A little more
analysis of the story would be more illustrative of how the system is
supposed to work, and what the people in charge of it should be doing
about it. A better analysis is available on the Wikipedia
article about the event. According to that source, there were
several failures that we should address in class.
Was there failure on the part of the security
people? Where did it or they occur?
Was there an element of social engineering by the
Was the situation complicated by it being a dinner
for a diplomat? Should security have been heavier or lighter
because of it?
Was the social situation of the dinner gathering
itself part of the problem?
A second story in this section is more enlightening. Two
agents on a penetration test team were able to gain access to
restrooms, one in a secure area. The one in the secure area was able to
insert a wireless access point into the target network by using a
network cable in the ceiling.
Why was there a network cable in the ceiling of the restroom? Can you
think of a reason it might be there? Can you think of a control that
would prevent the insertion of the rogue access point?
Having accessed the target network, the team intercepted unencrypted
transmissions, including customers' account numbers and
identifiers. The text tells us that this breach was due to a human
element, the people being allowed into the restrooms. However, couldn't
it have been avoided by a better routing design for their network
drops, or by an IT solution of not allowing new switches, routers, or
other equipment to simply be attached to their network?
The text moves on to discuss the actions of rogue or
unhappy employees. The advice given in the text is not very useful.
Assign the fewest privileges to each employee? We should be doing that
already. What about the employees who must have elevated access rights?
Don't they pose a risk as well? We might do better to audit the actions
of high level users regularly, to make sure they know they would be
noticed conducting improper actions.
The people section ends with a discussion of four other
Phishing scams - Phishing
is the solicitation of personal or company information, typically
through an official looking email. Some variations on phishing:
- sending the email to specific
people, customizing it to look
like a message sent to them by an entity with some of their personal
This is spear phishing but it focuses on big (wealthy or data rich)
sending an email that takes the person directly to a web site (the
phisher's site) instead of asking the reader to follow a link
- the phisher sets up a fake search engiine that will send people to the
phishing web site on specific searches (presumably it returns real
search results on searches that would not lead to a page the phisher
Poor security - Theft of devices that are not
locked down is common. The text does not mention it, but a proper
standard is to encrypt data at rest, as well as in transit.
Physically stored passwords - How many people
still leave their password on a note on the monitor or under the
keyboard? Any number other than zero is too many. Teach people to make
good passwords that they can remember.
File sharing and social networking - Social
engineering attacks often start with social networking sites. People
think they can post anything on such sites, and often do so. File
sharing is meant to be for only the invited, but sometimes they are
The text moves on to technology based problems. It
begins with a discussion of hashing, which is a good thing, but there
are complications. Hashing is defined as creating a unique
encrypted result from a data set. The encrypted result is
called a hash, a signature, or a digest,
all of which mean the same thing. The hash should not resemble the
plaintext in appearance or in length.
Hashing can be referred to as using a one-way hash,
which means that the hash resulting from the algorithm is not
meant to be unencrypted. This is the purpose of any hash: there should
never be a hash that is reversible.
Local or domain passwords entered on a computer running Windows
are converted by a hash program and compared to a stored hashed version
of the user's current password. The text discusses the two hash
versions used in different versions of Windows: LM
hash and NTLM hash. LM hash is not considered
a "real" hash because its result is cryptographic
(character substitution) instead of numeric
(hexadecimal digits). It was used in versions of Windows before
Windows NT. NTLM is used in later versions, but passwords
shorter than 14 characters are stored both ways, which does not solve
the problem. Password hashes are now stored in files that are
unavailable to users, as the text states, but that does not keep a
determined hacker from accessing them.
RFID chips are often added to credit cards and ID
cards, which is supposed to make the cards more secure. The problem
with any RFID chip is that there are devices that can capture their ID
signals from the distance of a personal network. Watch the video below
for a demonstration. And contnue watching for more information about how it works.
As the text recommends, requiring more authentication
factors would be a better choice.
The text spends a few pages talking about a Privacy
Impact Assessment (PIA), a an analysis of a system or an
organization that looks for gaps in security protection. It should
include the following steps, and should be done by an entity that is
independent from the entity being analyzed:
Determine how Personally Identifying Information (PII)
is gathered and secured.
Analyze the processes and products used.
It should make its findings known to appropriate stakeholders.
(The text says "public exposure", but this is not appropriate in highly
The outputs of the assessment should be delivered to
decision makers who should base appropriate plans on it.
To introduce the topic, the text gives us list of important
security breach types:
System exploits - typically viruses and worms
Eavesdropping - packet capture and other signal
Social engineering - This one is an entire subject
in itself. They may be the nicest or meanest thieves you will ever
meet. These are some techniques used by talented social engineers:
authority - pretend to be someone who has the right
to make the request
intimidation - in an oppressive environment, it may
be easy to use fear of what would happen if the request is not granted
consensus/social proof - tell a believable lie that
others have granted this request in the past
scarcity - tell the victim that you are short
on time, or you have to get this before it can't be done
urgency - tell the victim that you need this
right now, and that you will complete the red tape later
familiarity/liking - act like one of the family,
especially one who appreciate the work the victim does for the company
trust - use details about the organization to make it
seem like you are a part of it
Denial of Service (DoS) attacks -
typically a huge number of requests are sent to a system to keep it
from answering any legitimate requests
Indirect attacks - an attack may start through a
related entity, like the vendor, a contractor, or a supplier to the
Physical attacks - unauthorized entry, theft,
damage, and key logging are in this category
The text attempts to explain the motivation behind attacks
of any kind, but it is a little short. There are many motives that are
possible. These are just examples:
money from sale or ransom
competitive business advantage
theft of service, such as a spammer using someone else's
fun or challenge
Assignments for Chapter 5
Continue the reading assignments for the course.
Complete the assignments and class discussion made
in this module.