ITS 4210 - Access Control, Authentication, and PKI

Chapter 5, Security Breaches and the Law

Objectives:

This lesson concerns chapter 5. Objectives important to this lesson:

  1. US laws and regulations concerning information theft
  2. Costs of inadequate access controls
  3. Access control failure
  4. Security breaches
Concepts:

Chapter 5

The text begins with the idea that spying on a business has changed since the days when a file had to be stolen or copied physically to gain unauthorized access to it. Laws have actually been catching up to technology for several decades, and most that are in place are adequate if people would take reasonable precautions. The laws discussed in the previous chapter were more about business responsibilities. These are more about the theft of information:

  • Computer Fraud and Abuse Act (CFAA, 1984, 1994, 1996) - Makes it illegal to steal information from government computer systems, financial computer systems, and any computer systems having to do with interstate or foreign commerce that involves an entity buying or selling in the United States. This law was revised by the Identity Theft and Restitution Act (ITERA, 2008). Revisions over time have added more powers to this law:
    • Added sections about spyware and cyberextortion
    • Sections making unauthorized access a crime
    • Sections making trafficking (selling) computer passwords a crime
    • Sections making intentional damage to a system a crime
    • Sections making identity theft a crime

  • Digital Millennium Copyright Act (DMCA, 1998) - an amendment to US copyright law that includes elements of two treaties from the World Intellectual Property Organization
    • It says that an Internet Service Provider is not liable for any crimes that a subscriber might commit on the Internet, but that they must receive and respond to reports of copyright infringement
    • It also makes it a crime to bypass encryption or other means of preserving copyright

      Normally, I would present an illustrative video here. The nice folks at YouTube have updated their copyright information, and provided a page of resources, which is much better than just a video. Please take a trip to their page, watch the video, and learn more about copyright and fair use.
  • California Identity Theft Statute (1998, 1999) - Established that businesses are required to notify their customers when identity information has been stolen from them. Customers may sue to recover financial loss from the data breach, or from failure to disclose it to them. It also establishes penalties for the person or persons who steal such information.

    This law is an example of a well-constructed state law. Other states have similar laws in place.
Costs of Poor Access Controls

As noted above, there are penalties for theft of data and for failure to protect data in our possession. There are also costs to replacing and upgrading systems that have been compromised, which must often be done in a hurry, as opposed to budgeting it reasonably over time. Loss of business due to the notoriety of being breached is difficult to measure, but it is reasonable to expect. The text offers some suggestions for good policies on physical security. We should examine them and propose some about logical security:

  • Physical security must comply with applicable regulations, such as building and fire codes. (How will we know we have done this?)
  • Access to secure facilities will be granted only to those with legitimate needs. (What are those needs? Who says a need is legitimate, or that someone has one?)
  • Visitors to secure facilities must be logged. (What proof of identity is required? Who determines what they will do in the facility?)
  • Visitors must be escorted at all times. (All times? And how will that keep them from breaching our data?)
    The text explains that the recommendations for government installations are not really different, just stricter because of federal, state, and municipal laws requiring adherence to best practices. The text continues on the same theme for several pages, quoting more standards that mean the same thing: identify, protect, and preserve. Do the right thing. There is no IT category that requires no security at all.
Access Control Failures

On page 96, the text turns to two areas of access control failure. Causes may be related to people or to technology.

The authors begin with a story about people being let into a dinner at the White House. The story shows a failure, but we do not know what caused it or what to do about it. A little more analysis of the story would be more illustrative of how the system is supposed to work, and what the people in charge of it should be doing about it. A better analysis is available on the Wikipedia article about the event. According to that source, there were several failures that we should address in class.

  • Was there failure on the part of the security people? Where did it or they occur?
  • Was there an element of social engineering by the couple?
  • Was the situation complicated by it being a dinner for a diplomat? Should security have been heavier or lighter because of it?
  • Was the social situation of the dinner gathering itself part of the problem?

A second story in this section is more enlightening. Two agents on a penetration test team were able to gain access to restrooms, one in a secure area. The one in the secure area was able to insert a wireless access point into the target network by using a network cable in the ceiling.
Why was there a network cable in the ceiling of the restroom? Can you think of a reason it might be there? Can you think of a control that would prevent the insertion of the rogue access point?

Having accessed the target network, the team intercepted unencrypted transmissions, including customers' account numbers and identifiers. The text tells us that this breach was due to a human element, the people being allowed into the restrooms. However, couldn't it have been avoided by a better routing design for their network drops, or by an IT solution of not allowing new switches, routers, or other equipment to simply be attached to their network?
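The question in the last paragraph, whether the breach could have been prevented by not letting arbitrary equipment attach to the network, is answered in practice by port authentication (IEEE 802.1X) or switch port security on the preventive side, and by reconciling what the switch has actually learned against a device inventory on the detection side. The following added example (not code from the text or its authors) does that reconciliation over a constructed MAC address table. The approved-device inventory, the restricted-port list and the sample table lines are all made up for the illustration.

```python
from dataclasses import dataclass

# Constructed inventory for this example: MAC address -> (description, ports it may appear on).
APPROVED = {
    "00:1a:2b:3c:4d:01": ("front-desk-pc", {"Gi1/0/1"}),
    "00:1a:2b:3c:4d:02": ("secure-area-printer", {"Gi1/0/7"}),
}

# Constructed: ports whose cable runs somewhere no end device belongs (e.g. a ceiling drop).
RESTRICTED_PORTS = {"Gi1/0/12"}

# Constructed sample in the style of a switch MAC address table: vlan, mac, type, port.
SAMPLE_MAC_TABLE = """\
  10    00:1a:2b:3c:4d:01    DYNAMIC     Gi1/0/1
  10    00:1a:2b:3c:4d:02    DYNAMIC     Gi1/0/7
  10    00:1a:2b:3c:4d:02    DYNAMIC     Gi1/0/12
  10    f4:f2:6d:aa:bb:cc    DYNAMIC     Gi1/0/12
  10    f4:f2:6d:aa:bb:cd    DYNAMIC     Gi1/0/12
"""


@dataclass(frozen=True)
class Finding:
    mac: str
    port: str
    reason: str


def parse_mac_table(text: str) -> list[tuple[int, str, str]]:
    """Turn table lines into (vlan, mac, port) tuples; lines that are not four fields are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        vlan, mac, _kind, port = parts
        entries.append((int(vlan), mac.lower(), port))
    return entries


def find_rogue_devices(entries, approved=APPROVED, restricted=RESTRICTED_PORTS) -> list[Finding]:
    """Reconcile learned addresses against the inventory and the restricted-port list."""
    findings = []
    macs_per_port: dict[str, set[str]] = {}
    for _vlan, mac, port in entries:
        macs_per_port.setdefault(port, set()).add(mac)
        if port in restricted:
            # Anything on a restricted port is suspect, even a MAC that is in the inventory,
            # because a MAC address is not proof of identity and can be copied.
            findings.append(Finding(mac, port, "device present on restricted port"))
        elif mac not in approved:
            findings.append(Finding(mac, port, "MAC not in approved inventory"))
        elif port not in approved[mac][1]:
            name = approved[mac][0]
            findings.append(Finding(mac, port, f"approved device {name} seen on unexpected port"))
    # One access port learning several MACs usually means a hub, switch or access point behind it.
    for port, macs in sorted(macs_per_port.items()):
        if len(macs) > 1:
            findings.append(Finding("*", port, f"{len(macs)} MACs learned on a single port"))
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(parse_mac_table(SAMPLE_MAC_TABLE)):
        print(f"{f.port:10} {f.mac:20} {f.reason}")
```

Run against the sample, every finding lands on the restricted port: the printer's address appearing there alongside two unknown addresses, plus the multiple-MACs-on-one-port signal, is exactly the picture a rogue access point on a ceiling drop would produce. The check is a complement to, not a substitute for, refusing unauthenticated devices at the port in the first place.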

The text moves on to discuss the actions of rogue or unhappy employees. The advice given in the text is not very useful. Assign the fewest privileges to each employee? We should be doing that already. What about the employees who must have elevated access rights? Don't they pose a risk as well? We might do better to audit the actions of high level users regularly, to make sure they know they would be noticed conducting improper actions.

The people section ends with a discussion of four other common threats:

  • Phishing scams - Phishing is the solicitation of personal or company information, typically through an official-looking email. Some variations on phishing:
    • spear phishing - sending the email to specific people, customizing it to look like a message sent to them by an entity with some of their personal information already
    • whaling - This is spear phishing but it focuses on big (wealthy or data rich) targets.
    • pharming - sending an email that takes the person directly to a web site (the phisher's site) instead of asking the reader to follow a link
    • Google phishing - the phisher sets up a fake search engine that will send people to the phishing web site on specific searches (presumably it returns real search results on searches that would not lead to a page the phisher has prepared)
  • Poor security - Theft of devices that are not locked down is common. The text does not mention it, but a proper standard is to encrypt data at rest, as well as in transit.
  • Physically stored passwords - How many people still leave their password on a note on the monitor or under the keyboard? Any number other than zero is too many. Teach people to make good passwords that they can remember.
  • File sharing and social networking - Social engineering attacks often start with social networking sites. People think they can post anything on such sites, and often do so. File sharing is meant to be for only the invited, but sometimes they are exploited.

The text moves on to technology based problems. It begins with a discussion of hashing, which is a good thing, but there are complications. Hashing is defined as creating a unique encrypted result from a data set. The encrypted result is called a hash, a signature, or a digest, all of which mean the same thing. The hash should not resemble the plaintext in appearance or in length. Hashing is often described as one-way hashing, which means that the hash produced by the algorithm is not meant to be reversed to recover the original data. This is the purpose of any hash: there should never be a hash that is reversible.

Local or domain passwords entered on a computer running Windows are converted by a hash program and compared to a stored hashed version of the user's current password. The text discusses the two hash versions used in different versions of Windows: LM hash and NTLM hash. LM hash is not considered a "real" hash because its result is cryptographic (character substitution) instead of numeric (hexadecimal digits). It was used in versions of Windows before Windows NT. NTLM is used in later versions, but passwords shorter than 14 characters are stored both ways, which does not solve the problem. Password hashes are now stored in files that are unavailable to users, as the text states, but that does not keep a determined hacker from accessing them.
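The two paragraphs above make three claims worth seeing in working code: a hash has a fixed length that does not resemble the input, a login is checked by hashing the typed password and comparing it to the stored hash rather than by storing the password, and keeping a weaker legacy form of the same password alongside the strong one leaves the weaker one as the effective protection. The following added example (not from the text or its authors, and not an implementation of Windows' LM or NTLM formats) shows each point with Python's standard library. The `legacy_verifier` function is a constructed stand-in for a weak format that is unsalted and case-folded; the iteration count and salts are likewise constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; a constructed choice for this example


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the input; its length depends only on the algorithm, not on the input."""
    return hashlib.new(algorithm, data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def make_verifier(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Produce what a system stores for a user: a random per-user salt and a
    PBKDF2-HMAC-SHA256 hash of the password. The plaintext is never stored."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, derived


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Login check: hash the typed password with the stored salt and compare to the stored hash.
    compare_digest keeps the comparison time independent of where the first mismatch is."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(derived, stored)


def legacy_verifier(password: str) -> str:
    """Constructed stand-in for a weak legacy format (not LM itself): no salt, and the password
    is upper-cased before hashing, so letter case is lost and equal passwords give equal hashes
    for every user who chose them."""
    return hashlib.sha256(password.upper().encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(digest_hex(b"abc"))
    print(len(digest_hex(b"x")), len(digest_hex(b"x" * 100_000)))  # same length either way
    print(differing_bits(digest_hex(b"password"), digest_hex(b"Password")), "bits differ")
    salt, stored = make_verifier("correct horse battery")
    print(verify_password("correct horse battery", salt, stored))
    print(legacy_verifier("Secret1") == legacy_verifier("SECRET1"))  # legacy form loses case
```

The last line is the point of the text's remark about passwords being stored both ways: a system that keeps `legacy_verifier` output next to the salted hash has, for every account, a second copy that is easier to match, so the strong hash adds nothing until the legacy copy is removed.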

RFID chips are often added to credit cards and ID cards, which is supposed to make the cards more secure. The problem with any RFID chip is that there are devices that can capture their ID signals from the distance of a personal network. Watch the video below for a demonstration. And continue watching for more information about how it works.

As the text recommends, requiring more authentication factors would be a better choice.

The text spends a few pages talking about a Privacy Impact Assessment (PIA), an analysis of a system or an organization that looks for gaps in security protection. It should include the following steps, and should be done by an entity that is independent from the entity being analyzed:

  • Determine how Personally Identifying Information (PII) is gathered and secured.
  • Analyze the processes and products used.
  • It should make its findings known to appropriate stakeholders. (The text says "public exposure", but this is not appropriate in highly secure environments.)
  • The outputs of the assessment should be delivered to decision makers who should base appropriate plans on it.
Security Breaches

To introduce the topic, the text gives us a list of important security breach types:

  • System exploits - typically viruses and worms
  • Eavesdropping - packet capture and other signal interception
  • Social engineering - This one is an entire subject in itself. They may be the nicest or meanest thieves you will ever meet. These are some techniques used by talented social engineers:
    • authority - pretend to be someone who has the right to make the request
    • intimidation - in an oppressive environment, it may be easy to use fear of what would happen if the request is not granted
    • consensus/social proof - tell a believable lie that others have granted this request in the past
    • scarcity - tell the victim that you are short on time, or you have to get this before it can't be done
    • urgency - tell the victim that you need this right now, and that you will complete the red tape later
    • familiarity/liking - act like one of the family, especially one who appreciates the work the victim does for the company
    • trust - use details about the organization to make it seem like you are a part of it
  • Denial of Service (DoS) attacks - typically a huge number of requests are sent to a system to keep it from answering any legitimate requests
  • Indirect attacks - an attack may start through a related entity, like the vendor, a contractor, or a supplier to the real target
  • Physical attacks - unauthorized entry, theft, damage, and key logging are in this category

The text attempts to explain the motivation behind attacks of any kind, but it is a little short. There are many motives that are possible. These are just examples:

  • money from sale or ransom
  • competitive business advantage
  • political agenda
  • theft of service, such as a spammer using someone else's computers
  • fun or challenge

Assignments for Chapter 5

  1. Continue the reading assignments for the course.
  2. Complete the assignments and class discussion made in this module.