The InfoSec Handbook
[book]
Umesh Hodeghatta Rao, Umesha Nayak
2014
... information about some of the applicable standards and certifications such as ISO27001:2013, PCI DSS by the PCI Security Standards Council, and COBIT from ISACA. Chapter 2 focuses on the history of computer security, including the purpose as to why computer security evolved, the role of the world wars in its evolution, the initial forms of security of communication, including initial cipher usage like the Caesar cipher and initial cipher machines like Enigma, and the greatest
... rs and crackers in the field of computer security. Chapter 3 focuses on the key concepts behind information security, such as confidentiality, integrity, availability, possession or control, authenticity, and utility, as well as the principles of information security to be applied at the organization level, including key responsibilities and accountability. We also discuss the role of processes, people, and technology in meeting information security needs. Chapter 4 focuses on the important aspects of access controls, the need for those controls, the importance of control, and various access control models. Chapter 5 focuses on aspects of information systems management such as risk management, incident response, disaster recovery, and business continuity. Chapter 6 focuses on software application security and web security. We also discuss the information security issues related to web browsers, web servers, and web applications, and provide best practices to protect individuals and organizations from such issues. Chapter 7 focuses on an in-depth discussion of malicious software: the different types of malicious software, how they propagate, and the history of malware. We also discuss what anti-virus software is, what its benefits are, how to manage it most effectively, and the common anti-virus platforms used in the industry. Chapter 8 focuses on cryptography, one of the important ways of preserving the confidentiality of a message or communication and also its authenticity. In this chapter, we also explain what is meant by cryptography, encryption, a cryptographic algorithm, and encryption/decryption keys. We also discuss symmetric cryptography and asymmetric cryptography, and in this context public key infrastructure.
We also discuss how these cryptographic techniques are used, the value of digital certificates and digital signatures in the field of cryptography, various hashing algorithms, and the disk/drive encryption tools that are in use. Chapter 9 focuses on an introduction to the basics of networking and communication concepts, networking models like the OSI and TCP/IP models, a comparison between them, and the protocols used by the different layers. We also discuss the information security issues related to networking. Chapter 10 focuses on firewalls, which are essential in today's world to protect organizations. This chapter covers the basics of firewalls and their functionality, the importance of firewalls, the types and different generations of firewalls, and how firewalls are used. We also discuss best practices. Chapter 11 focuses on an introduction to intrusion detection and prevention systems (IDS/IPS), their purpose and uses, the various detection methodologies employed by these systems, the types of IDS/IPS that are available and popular, and the typical responses these systems take. Chapter 12 focuses on an introduction to Virtual Private Networks (VPNs), their uses, the types of VPNs, and the protocols used to make VPNs effective. Chapter 13 focuses on the importance of data backups, the benefits of having a backup, the dangers of not having backups, and the various types of backups. This chapter also covers the current hot topic of cloud computing and its related models, and the issues of privacy and compliance that come with them. Chapter 14 focuses on physical security in general, including fire safety, and on one of the important aspects of physical security: biometrics. This chapter introduces biometrics, why it is gaining popularity, its functionality, multi-modal biometric systems, and the issues and controversies pertaining to biometric systems. Chapter 15 focuses on another important topic in the current world: social engineering.
This chapter covers an introduction to social engineering, how social engineering attacks are made possible, and typical social engineering scenarios. We also discuss various techniques used in social engineering, such as pretexting, phishing, baiting, and tailgating, and the steps to be taken to avoid falling prey to social engineering. Chapter 16 focuses on two of the current and important trends in information security: wireless security and mobile security. We also cover Bluetooth security.

... functional components [4]; ISO/IEC 15408-3 - Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance components [4]; ISO/IEC 18405:2008 - Information technology - Security techniques - Methodology for IT security evaluation [4]. The International Organization for Standardization has also published many more guidelines for security professionals [4]. Furthermore, organizations like the Information Systems Audit and Control Association in the U.S. have published many useful models and papers on information security. We will elaborate on the above as they become relevant in subsequent chapters of this book.

The Role of a Security Program

Typically, a lack of awareness is one of the prime reasons for not adhering to the requisite security guidelines, and for the security breaches that follow. For instance, when a person ignores an advisory about how laptops left visible in cars can be stolen, or a travel advisory warning against travelling by taxi or other unknown vehicle, the risk of an information security breach increases. Similarly, failure to create a strong password on your work computer can result in information security breaches at many levels, endangering you and your organization's reputation. Awareness is the number one step in ensuring security, both physical security and information security. Awareness considerably reduces the risk posed by vulnerabilities and threats to security.
Toward this end, it is essential to provide organization-wide security awareness programs to all employees (permanent or temporary), contractors, suppliers/vendors, customers, and all other relevant stakeholders who have access to the organization or its information. To achieve this, organizations need to run regular security awareness programs spanning the various aspects of these stakeholders' life in the organization, clearly explaining what can go wrong. Ensuring that all these stakeholders understand why security is important is essential to the success of any security program. Still, as the saying goes, "Knowing but not doing is equivalent to not knowing at all", and it is up to the individual participants of these programs to take their message and content seriously and to implement them in letter and in spirit. It is not enough that such a security program is in place and is conducted only once for the entire organization. It has to be an ongoing process, so that any new stakeholders, including new employees, are trained without exception. In addition, the organizational structure and environment (internal and/or external) may undergo changes that lead to different vulnerabilities and threats. Hence, these programs must be regularly reviewed and updated, and all the relevant stakeholders must be trained on the changed scenarios and made aware of the new risks. All programs should take into account the risks the organization is currently facing and the controls it has painstakingly put in place, since any security violation defeats the very purpose of such controls. Involving each and every person is important for the success of any security program. Any person who is not aware of the security requirements, such as a new security guard, employee, system administrator, or manager, can endanger the entire organization.
Moreover, in addition to the regular security programs mentioned above, strong audits, assessments, and compliance checks must be carried out without fail to ensure compliance with the company's security policies, processes, and instructions. Good execution is required to ensure the success of any well-intended program. However, execution is possibly the weakest link in most entities, as well as in most countries. Hence, regular checks are essential, carried out by competent and independent personnel of the organization or by external agencies who do not check merely for the sake of checking, but with the true intention and goal of bringing any compliance weaknesses to the fore. Many times, reports of such compliance checks are beautifully made and wonderfully presented to management, but more often than not they are totally forgotten, and these documents can eventually become liabilities when the suggested resolutions are not acted upon. A compliance check whose findings are not taken seriously is as good as a compliance check that was never carried out in the first place! The more focused the compliance check carried out by competent personnel, and the more focused the actions to be taken (and actually taken), the better off the entity will be!

In the 1980s, the TCP/IP network protocols, Transmission Control Protocol (TCP) and Internet Protocol (IP), together with Personal Computers (PCs), brought computing into homes, and more and more people connected to the Internet. The 1983 fictional movie "War Games" was watched by millions of people and popularized hacking, making it glamorous. In 1981, Ian Murphy broke into AT&T's computers and changed the billing rates of meters. He was later convicted [1]. Kevin Mitnick stole computer manuals from Pacific Bell's switching center in Los Angeles, California, and was prosecuted for this crime [1]. Bill Landreth was convicted of breaking into NASA's Department of Defense computers through GTE's e-mail network. In 1988, Kevin Mitnick was held for stealing software worth $1 million, and also caused damages of around $4 million. With increasing threats to security, the government agencies in charge of ARPANET set up the Computer Emergency Response Team (CERT), the first network security organization, in 1988 [2]. The purpose of CERT is to spread security awareness among users and to find ways to mitigate security breaches. As the Internet became popular and more and more users became active, it became an appealing target for "hackers" around the world. The 1990s saw more hacking activity, such as the "Michelangelo" virus, the arrest of the notorious hacker Kevin Mitnick for stealing credit card data, and the 1998 Solar Sunrise attack on Pentagon computers by Ehud Tenenbaum [3]. Today we are living in the Internet and World Wide Web (WWW) era, where everyone is connected. The Internet has changed the way we communicate with each other. The Web allows information to be accessed instantly from anywhere in the world. The first-generation Web 1.0 was just a static web. Web 2.0, called the interactive web, allowed users to communicate by emphasizing online collaboration. Web 3.0 technology, called "the intelligent Web", emphasizes machine-facilitated understanding of information to provide a more intuitive user experience. The Web has become a social medium through which we interact with one another, which has unfortunately resulted in many threats and vulnerabilities and an increasing number of security breaches. Some of the well-known attacks include "Melissa", the "Love Bug", the "Killer Resume", and "Code Red".

Communication

Communication is about conveying messages to another party or to a group. These messages carry certain information. The medium through which information is communicated can be words or signs.
The basic need to communicate gave rise to languages, and language is used as a medium to share information, ideas, and feelings. There are three main types of communication: oral communication, written or verbal communication, and non-verbal communication. During oral communication, the parties communicate using voice as the medium. The parties involved in oral communication are expected to be able to convey a message that clearly expresses their feelings, needs, wants, values, beliefs, and thoughts. Both the sender and the receiver use the same language so that both can understand. The sender speaks and the receiver listens, and vice versa, in order to exchange information. The tone of voice or a gap of silence makes a huge difference in oral communication. During non-verbal communication, the communication is through the use of body language, gestures, facial expressions, and signs. These expressions may be well structured or unstructured. The semaphores used by the military, the sign language used by deaf persons, and the gestures, postures, facial expressions, and eye contact used by humans are a few examples. Semaphore flags are a telegraphy system that conveys information at a distance by means of visual signals with handheld flags, rods, disks, paddles, or occasionally bare or gloved hands. Information is encoded by the position of the flags and is read when the flags are held in a fixed position. Semaphore was adopted and widely used (with hand-held flags replacing the mechanical arms of shutter semaphores) in the maritime world in the nineteenth century. It is still used during underway replenishment at sea and is acceptable for emergency communication in daylight, or at night using lighted wands instead of flags. Even verbal communication may carry underlying non-verbal signals like stress, rhythm, and intonation, which may convey a different meaning to a person tuned to such signals or to the intended recipients of such signals.
Non-verbal communication can be considered coded and may have different meanings for different recipients. Many times, non-verbal communication or gestures complement or negate the words spoken, and may emphasize the words spoken or give them a different meaning than the words themselves. Strong observation and hearing are required to understand non-verbal communication, particularly if it is embedded with secret signals.

Draper popularized this device and became infamous for hacking into telephone systems. He was arrested in May 1972 on toll fraud charges and was sentenced to five years' probation. In 1976, he was arrested again on wire fraud charges and spent four months in prison.

Kevin Mitnick

By the 1980s, advances in computer technology shifted the attention of hackers from phones to computers. With mini-computers, PCs gained popularity, and the Internet became a key invention for sharing information. Bulletin Board Systems (BBS) made their appearance, where people could post messages on any topic. The BBS became a platform for hackers' hacking activity. Hackers got into the BBS as normal users, collected information from users' discussions, such as credit card numbers, telephone numbers, and e-mail IDs, and passed it on to the hacking community. The BBS was also used by hackers to discuss how to use stolen credit cards, guess computer passwords, and share other users' passwords. In 1986, the government realized the threats to information security and passed the Computer Fraud and Abuse Act, making computer-related abuse a crime across the United States of America. During the days of ARPANET (before the Internet), users shared jokes and annoying messages with each other, which was not considered a major security issue. Also, the network was small, and users knew and trusted each other.
Even connecting to a remote system was not considered a major security risk until 1986, when Cliff Stoll published his experience in a book called The Cuckoo's Egg, which described how he connected to a remote computer and copied data from the remote machine without having authorized access. This was the first security incident ever to be formally reported. In 1988, Robert T. Morris wrote a computer program that could connect to a remote machine, copy itself to another computer, and repeat this action across the network. This self-replicating tool, now popularly known as the Morris Worm, exploded across the ARPANET. The worm used up the CPU and system resources of the victim's computer, which could not function properly after the attack. As a result of this widespread worm, nearly 10% of the computers on the network stopped functioning at the same time. The damage done by this worm led the Defense Advanced Research Projects Agency (DARPA) to form a team to handle computer emergencies, called CERT (Computer Emergency Response Team), in 1988. Morris was reprimanded by the U.S. government, fined $10,000 for damages, put on probation, and sentenced to community service. In the 1990s, the Internet gained momentum. The Department of Defense and DARPA made the ARPANET public. A version of the ARPANET protocol, called TCP/IP, evolved, and the ARPANET became the Internet, connecting thousands of users. After the Internet became public, millions of users and many organizations, universities, and commercial entities became connected to it as well. As the number of Internet users grew, it became difficult for users to trust the network. Resources were shared with other users across the network, which made the Internet vulnerable to attacks. Kevin Mitnick wrote his first hacking program when he was in high school.
When a teacher asked the class to write a program to print the Fibonacci numbers, Kevin wrote a program that could obtain the passwords of students. His teacher gave him an A for writing this program. His passion for writing programs to crack computers continued. He cracked the computer systems of many companies, such as Digital Equipment Corporation, Motorola, and SUN, mostly for fun. However, when companies found out that he had hacked into their computer systems without authorization, he became a wanted man by the U.S. government. In 1988, he was convicted of copying software from Digital Equipment Corporation (DEC) and was sentenced to twelve months' imprisonment and three years of supervised parole. While on parole, he hacked into several computer systems, including the voicemail server of Pacific Bell (the largest telephone network), stole computer passwords, and broke into e-mail servers. After a warrant was issued for his arrest, he fled and remained a fugitive for 2½ years. He was finally arrested in 1995. In 1999, Mitnick confessed to computer fraud and to illegally intercepting communications on the network, and was sentenced to almost four years in prison [17]. Though Mitnick claimed he did not hack the computer systems for monetary gain, it was still considered illegal by the U.S. government. Despite his run-ins with the law, Mitnick has influenced modern-day hackers, including WikiLeaks. Today, he spends his time advising companies about the security vulnerabilities in their networks.
doi:10.1007/978-1-4302-6383-8
fatcat:4wzukqlztzgbbof6ppfjwtd3ku