This lesson reviews relevant laws, access controls, and some security
breaches. Objectives important to this lesson:
US laws and regulations concerning information theft
Costs of inadequate access controls
Access control failure
Security breaches
Concepts:
Chapter 5
Laws
The text begins with the idea that spying on a business has changed since
the days when a file had to be stolen or copied physically to gain unauthorized
access to it. Laws have actually been catching up to technology for several
decades, and most that are in place are adequate if people would take reasonable
precautions. The laws discussed in the previous chapter were more about
business responsibilities. These are more about the theft of information:
Computer Fraud and Abuse Act
(CFAA, 1984, 1994, 1996) - Makes
it illegal to steal information from government computer systems, financial
computer systems, and any computer systems having to do with interstate
or foreign commerce that involves an entity buying or selling
in the United States. This law was revised by the Identity Theft
and Restitution Act (ITERA, 2008). Revisions over time have added
more powers to this law:
Added sections about spyware and cyberextortion
Sections making unauthorized access a crime
Sections making trafficking (selling) computer passwords
a crime
Sections making intentional damage to a system a crime
Sections making identity theft a crime
Digital Millennium Copyright Act
(DMCA, 1998) - an amendment to US copyright law that includes
elements of two treaties from the World Intellectual Property Organization.
It says that an Internet Service Provider is not liable
for any crimes that a subscriber might commit on the Internet, but
that they must receive and respond to reports of copyright
infringement.
It also makes it a crime to bypass encryption or other
means of preserving copyright.
Normally, I would present an illustrative video here. The nice folks
at YouTube have updated their copyright information, and provided
a page of resources, which is much better than just a video.
Please take
a trip to their page, watch the video, and learn more about
copyright and fair use.
California Identity Theft Statute (1998, 1999) - Established
that businesses are required to notify their customers when identity
information has been stolen from them. Customers may sue to recover
financial loss from the data breach, or from failure to disclose it
to them. It also establishes penalties for the person or persons who
steal such information.
This law is an example of a well-constructed state law. Other states
have similar laws in place.
Costs of Poor Access Controls
As noted above, there are penalties for theft of data and for failure
to protect data in our possession. There are also costs to replacing and
upgrading systems that have been compromised, which must often be done
in a hurry, as opposed to budgeting it reasonably over time. Loss of business
due to the notoriety of being breached is difficult to measure, but it
is reasonable to expect. The text offers some suggestions about good
physical security policies. We should examine them and propose some for
logical security:
Physical security must comply with applicable regulations, such as
building and fire codes. (How will we know we have done this?)
Access to secure facilities will be granted only to those with legitimate
needs. (What are those needs? Who says a need is legitimate, or that
someone has one?)
Visitors to secure facilities must be logged. (What proof of identity
is required? Who determines what they will do in the facility?)
Visitors must be escorted at all times. (All times? And how
will that keep them from breaching our data?)
The text explains that the recommendations for government installations
are not really different, just stricter because of federal, state,
and municipal laws requiring adherence to best practices.
The text continues on the same theme for several pages, quoting more
standards that mean the same thing: identify, protect, and preserve.
Do the right thing. There is no IT category that requires no security
at all.
Access Control Failures
On page 96, the text turns to two areas of access control failure. Causes
may be related to people or to technology.
The authors begin with a story about people being let into a
dinner at the White House. The story shows a failure, but we do not know
what caused it or what to do about it. A little more analysis of the story
would be more illustrative of how the system is supposed to work, and
what the people in charge of it should be doing about it. A better analysis
is available on the Wikipedia article about the event. According to that
source, there were several failures that we should address in class.
Was there failure on the part of the security people? Where
did it or they occur?
Was there an element of social engineering by the couple?
Was the situation complicated by it being a dinner for a diplomat?
Should security have been heavier or lighter because of it?
Was the social situation of the dinner gathering itself part
of the problem?
A second story in this section is more enlightening. Two agents on a
penetration test team were able to gain access to restrooms, one
in a secure area. The one in the secure area was able to insert a wireless
access point into the target network by using a network cable in the ceiling.
Why was there a network cable in the ceiling of the restroom? Can you
think of a reason it might be there? Can you think of a control that would
prevent the insertion of the rogue access point?
Having accessed the target network, the team intercepted unencrypted
transmissions, including customers' account numbers and identifiers.
The text tells us that this breach was due to a human element, the people
being allowed into the restrooms. However, couldn't it have been avoided
by a better routing design for their network drops, or by an IT solution
of not allowing new switches, routers, or other equipment to simply be
attached to their network?
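One answer to the last question is to watch the switch itself: a wall drop that suddenly shows several MAC addresses, or addresses that are not in the asset inventory, is the signature of an unauthorized switch or access point plugged into it. The following is an added example, not from the text; the MAC table, the inventory and the port names are constructed for it.

```python
from collections import defaultdict

# Constructed sample of a switch MAC-address table ("vlan mac port" per line),
# invented for this example; not output from any real switch.
MAC_TABLE = """\
10 00:11:22:33:44:01 Gi1/0/1
10 00:11:22:33:44:02 Gi1/0/2
10 00:11:22:33:44:03 Gi1/0/7
10 de:ad:be:ef:00:01 Gi1/0/7
10 de:ad:be:ef:00:02 Gi1/0/7
20 00:11:22:33:44:05 Gi1/0/24
"""
# Hypothetical asset inventory: MACs the organisation issued, and the ports
# that legitimately carry many MACs (uplinks to other switches).
KNOWN_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02",
              "00:11:22:33:44:03", "00:11:22:33:44:05"}
UPLINK_PORTS = {"Gi1/0/24"}
MAX_MACS_PER_ACCESS_PORT = 1  # one workstation per wall drop

def parse_mac_table(text):
    """Group the learned MAC addresses by switch port."""
    by_port = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _vlan, mac, port = parts
        by_port[port].add(mac.lower())
    return by_port

def find_rogue_ports(by_port, known_macs, uplink_ports, max_per_port):
    """Return (port, reason) findings for access ports that look like they
    have an unauthorised device (switch, access point) hanging off them."""
    findings = []
    for port in sorted(by_port):
        if port in uplink_ports:
            continue  # uplinks are expected to see many MACs
        macs = by_port[port]
        unknown = sorted(m for m in macs if m not in known_macs)
        if len(macs) > max_per_port:
            findings.append((port, f"{len(macs)} MACs on an access port"))
        if unknown:
            findings.append((port, "unknown MACs: " + ", ".join(unknown)))
    return findings

if __name__ == "__main__":
    table = parse_mac_table(MAC_TABLE)
    for port, reason in find_rogue_ports(table, KNOWN_MACS, UPLINK_PORTS,
                                         MAX_MACS_PER_ACCESS_PORT):
        print(f"ALERT {port}: {reason}")
```

The same two checks are what switch port-security limits and 802.1X port authentication enforce in hardware; the script only shows what a periodic audit of the MAC table would catch.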
The text moves on to discuss the actions of rogue or unhappy employees.
The advice given in the text is not very useful. Assign the fewest privileges
to each employee? We should be doing that already. What about the employees
who must have elevated access rights? Don't they pose a risk as well?
We might do better to audit the actions of high-level users regularly,
so that they know improper actions would be noticed.
The people section ends with a discussion of four other common threats:
Phishing scams - Phishing
is the solicitation of personal or company information, typically through
an official looking email. Some variations on phishing:
spear phishing - sending the email to specific people, customizing it
to look like a message sent to them by an entity that already has some
of their personal information
whaling - This is spear
phishing but it focuses on big (wealthy or data rich) targets.
pharming - sending an
email that takes the person directly to a web site (the phisher's
site) instead of asking the reader to follow a link
Google phishing - the
phisher sets up a fake search engine that will send people to the
phishing web site on specific searches (presumably it returns real
search results on searches that would not lead to a page the phisher
has prepared)
Poor security - Theft of devices that are not locked down is
common. The text does not mention it, but a proper standard is to encrypt
data at rest, as well as in transit.
Physically stored passwords - How many people still leave their
password on a note on the monitor or under the keyboard? Any number other
than zero is too many. Teach people to make good passwords that they
can remember.
File sharing and social networking - Social engineering attacks
often start with social networking sites. People think they can post
anything on such sites, and often do so. File sharing is meant to be
only for the invited, but such shares are sometimes exploited.
The text moves on to technology based problems. It begins with
a discussion of hashing, which is a good thing, but there are complications.
Hashing is defined as creating a unique encrypted
result from a data set. The encrypted result is called a hash,
a signature, or a digest, all of which
mean the same thing. The hash should not resemble the plaintext in appearance
or in length. Hashing can be referred to as using a one-way
hash, which means that the hash resulting from the algorithm
is not meant to be decrypted. This is the purpose of
any hash: there should never be a hash that is reversible.
Local or domain passwords entered on a computer running Windows
are converted by a hash program and compared to a stored hashed version
of the user's current password. The text discusses the two hash versions
used in different versions of Windows: LM hash and NTLM
hash. LM hash is not considered a "real" hash because
its result is cryptographic (character substitution)
instead of numeric (hexadecimal digits). It was used
in versions of Windows before Windows NT. NTLM
is used in later versions, but passwords shorter than 14 characters are
stored both ways, which does not solve the problem. Password hashes are
now stored in files that are unavailable to users, as the text states,
but that does not keep a determined hacker from accessing them.
RFID chips are often added to credit cards and ID cards, which
is supposed to make the cards more secure. The problem with any RFID chip
is that there are devices that can capture their ID signals from the distance
of a personal network. Watch the video below for a demonstration.
As the text recommends, requiring more authentication factors would be
a better choice.
The text spends a few pages talking about a Privacy Impact Assessment
(PIA), an analysis of a system or an organization that looks
for gaps in security protection. It should include the following steps,
and should be done by an entity that is independent from the entity being
analyzed:
Determine how Personally Identifying Information (PII)
is gathered and secured.
Analyze the processes and products used.
It should make its findings known to appropriate stakeholders.
(The text says "public exposure", but this is not appropriate
in highly secure environments.)
The outputs of the assessment should be delivered to decision makers
who should base appropriate plans on it.
Security Breaches
To introduce the topic, the text gives us a list of important security
breach types:
System exploits - typically viruses and worms
Eavesdropping - packet capture and other signal interception
Social engineering - This one is an entire subject in itself.
They may be the nicest or meanest thieves you will ever meet. These
are some techniques used by talented social engineers:
authority - pretend to be someone who has the right to make the
request
intimidation - in an oppressive environment, it may be easy to
use fear of what would happen if the request is not granted
consensus/social proof - tell a believable lie that others have
granted this request in the past
scarcity - tell the victim that you are short on time, or
you have to get this before it can't be done
urgency - tell the victim that you need this right now,
and that you will complete the red tape later
familiarity/liking - act like one of the family, especially one
who appreciates the work the victim does for the company
trust - use details about the organization to make it seem like
you are a part of it
Denial of Service (DoS) attacks - typically
a huge number of requests are sent to a system to keep it from answering
any legitimate requests
Indirect attacks - an attack may start through a related entity,
like the vendor, a contractor, or a supplier to the real target
Physical attacks - unauthorized entry, theft, damage, and key logging
are in this category
The text attempts to explain the motivation behind attacks of any kind,
but it is a little short. There are many motives that are possible. These
are just examples:
money from sale or ransom
competitive business advantage
political agenda
theft of service, such as a spammer using someone else's computers
fun or challenge
Assignments for Chapter 5
Review Questions from Chapter 5, 1 - 12
Do some thinking about the physical access controls and the
questions I asked about them. What modifications would you make
to each of those control policies to make them more workable and
effective?
Research a newer security breach, tell me what the problem seems
to have been, and what should be done to prevent one like it.