Information Security Management Case Question


CompTIA Security+ Guide to Network Security Fundamentals, Sixth Edition

Mark Ciampa

Copyright 2018 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203

CompTIA Security+ SY0-501 Exam Objectives

Each exam objective is mapped to the chapter(s) that cover it and to the Bloom's Taxonomy level at which that chapter treats it.

1.0: Threats, Attacks, and Vulnerabilities

1.1 Given a scenario, analyze indicators of compromise and determine the type of malware.
    Chapter 2: Analyze

1.2 Compare and contrast types of attacks.
    Chapter 2: Understand; Chapter 3: Analyze; Chapter 5: Understand; Chapter 8: Apply/Understand; Chapter 11: Create; Chapter 15: Apply

1.3 Explain threat actor types and attributes.
    Chapter 1: Analyze/Apply

1.4 Explain penetration testing concepts.
    Chapter 13: Apply

1.5 Explain vulnerability scanning concepts.
    Chapter 13: Apply

1.6 Explain the impact associated with types of vulnerabilities.
    Chapter 1: Understand; Chapter 3: Understand; Chapter 4: Understand; Chapter 5: Understand; Chapter 9: Understand; Chapter 10: Understand

2.0: Technologies and Tools

2.1 Install and configure network components, both hardware- and software-based, to support organizational security.
    Chapter 4: Apply; Chapter 6: Analyze; Chapter 7: Apply; Chapter 8: Analyze/Evaluate

2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization.
    Chapter 8: Evaluate; Chapter 13: Analyze/Evaluate; Chapter 14: Evaluate

2.3 Given a scenario, troubleshoot common security issues.
    Chapter 15: Analyze

2.4 Given a scenario, analyze and interpret output from security technologies.
    Chapter 6: Analyze; Chapter 7: Analyze; Chapter 9: Analyze

2.5 Given a scenario, deploy mobile devices securely.
    Chapter 8: Apply/Evaluate; Chapter 10: Analyze/Create; Chapter 11: Analyze

2.6 Given a scenario, implement secure protocols.
    Chapter 4: Apply; Chapter 5: Analyze

3.0: Architecture and Design

3.1 Explain use cases and purpose for frameworks, best practices and secure configuration guides.
    Chapter 1: Analyze; Chapter 15: Understand

3.2 Given a scenario, implement secure network architecture concepts.
    Chapter 6: Analyze; Chapter 7: Apply; Chapter 8: Apply/Evaluate; Chapter 13: Apply

CompTIA® Security+ Guide to Network Security Fundamentals, Sixth Edition

Mark Ciampa, Ph.D.

Australia • Brazil • Mexico • Singapore • United Kingdom • United States

© 2018, 2015 Cengage Learning. Unless otherwise noted, all content is © Cengage.

    Security+ Guide to Network Security Fundamentals, Sixth Edition

    Mark Ciampa

    SVP, GM Skills: Jonathan Lau

    Product Team Manager: Kristin McNary

    Associate Product Manager: Amy Savino

    Executive Director of Development: Marah Bellegarde

    Senior Product Development Manager: Leigh Hefferon

    Senior Content Developer: Michelle Ruelos Cannistraci

    Product Assistant: Jake Toth

    Marketing Director: Michelle McTighe

    Production Director: Patty Stephan

    Senior Content Project Manager: Brooke Greenhouse

    Art Director: Diana Graham

Cover image(s): iStockPhoto.com/supernitram

    Printed in the United States of America Print Number: 01 Print Year: 2017

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced or distributed in any form or by any means, except as permitted by U.S. copyright law, without the prior written permission of the copyright owner.

    Library of Congress Control Number: 2017950178

    ISBN: 978-1-337-28878-1 LLF ISBN: 978-1-337-68585-6

    Notice to the Reader Publisher does not warrant or guarantee any of the products described herein or perform any independent analysis in connection with any of the product information contained herein. Publisher does not assume, and expressly disclaims, any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all potential hazards. By following the instructions contained herein, the reader willingly assumes all risks in connection with such instructions. The publisher makes no representations or warranties of any kind, including but not limited to, the warranties of fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth herein, and the publisher takes no responsibility with respect to such material. The publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or part, from the readers’ use of, or reliance upon, this material.

    Cengage 20 Channel Center Street Boston, MA 02210 USA

    Cengage is a leading provider of customized learning solutions with employees residing in nearly 40 different countries and sales in more than 125 countries around the world. Find your local representative at www.cengage.com.

    Cengage products are represented in Canada by Nelson Education, Ltd.

    To learn more about Cengage platforms and services, visit www.cengage.com

    Purchase any of our products at your local college store or at our preferred online store www.cengagebrain.com

    For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706.

    For permission to use material from this text or product, submit all requests online at www.cengage.com/permissions.

    Further permissions questions can be e-mailed to permissionrequest@cengage.com.

Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers. Windows® is a registered trademark of Microsoft Corporation. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. Cengage is an independent entity from Microsoft Corporation and not affiliated with Microsoft in any manner.


Brief Contents

INTRODUCTION  xv

PART 1  SECURITY AND ITS THREATS  1
  CHAPTER 1  Introduction to Security  3
  CHAPTER 2  Malware and Social Engineering Attacks  51

PART 2  CRYPTOGRAPHY  97
  CHAPTER 3  Basic Cryptography  99
  CHAPTER 4  Advanced Cryptography and PKI  145

PART 3  NETWORK ATTACKS AND DEFENSES  189
  CHAPTER 5  Networking and Server Attacks  191
  CHAPTER 6  Network Security Devices, Design, and Technology  233
  CHAPTER 7  Administering a Secure Network  281
  CHAPTER 8  Wireless Network Security  321

PART 4  DEVICE SECURITY  371
  CHAPTER 9  Client and Application Security  373
  CHAPTER 10  Mobile and Embedded Device Security  421

PART 5  IDENTITY AND ACCESS MANAGEMENT  469
  CHAPTER 11  Authentication and Account Management  471
  CHAPTER 12  Access Management  521

PART 6  RISK MANAGEMENT  563
  CHAPTER 13  Vulnerability Assessment and Data Security  565
  CHAPTER 14  Business Continuity  607
  CHAPTER 15  Risk Mitigation  651

APPENDIX A  CompTIA SY0-501 Certification Exam Objectives  691

GLOSSARY  713

INDEX  741


Table of Contents

INTRODUCTION  xv

PART 1  SECURITY AND ITS THREATS  1

CHAPTER 1  Introduction to Security  3
  Challenges of Securing Information  8
    Today's Security Attacks  8
    Reasons for Successful Attacks  12
    Difficulties in Defending Against Attacks  14
  What Is Information Security?  17
    Understanding Security  18
    Defining Information Security  18
    Information Security Terminology  21
    Understanding the Importance of Information Security  24
  Who Are the Threat Actors?  28
    Script Kiddies  29
    Hactivists  29
    Nation State Actors  30
    Insiders  30
    Other Threat Actors  31
  Defending Against Attacks  32
    Fundamental Security Principles  32
    Frameworks and Reference Architectures  35
  Chapter Summary  35
  Key Terms  37
  Review Questions  37
  Case Projects  46

CHAPTER 2  Malware and Social Engineering Attacks  51
  Attacks Using Malware  53
    Circulation  55
    Infection  61


    Concealment  65
    Payload Capabilities  66
  Social Engineering Attacks  73
    Psychological Approaches  74
    Physical Procedures  80
  Chapter Summary  82
  Key Terms  84
  Review Questions  84
  Case Projects  92

PART 2  CRYPTOGRAPHY  97

CHAPTER 3  Basic Cryptography  99
  Defining Cryptography  101
    What Is Cryptography?  101
    Cryptography and Security  105
    Cryptography Constraints  107
  Cryptographic Algorithms  108
    Hash Algorithms  110
    Symmetric Cryptographic Algorithms  113
    Asymmetric Cryptographic Algorithms  116
  Cryptographic Attacks  123
    Algorithm Attacks  123
    Collision Attacks  125
  Using Cryptography  126
    Encryption through Software  127
    Hardware Encryption  128
  Chapter Summary  130
  Key Terms  132
  Review Questions  133
  Case Projects  142

CHAPTER 4  Advanced Cryptography and PKI  145
  Implementing Cryptography  147
    Key Strength  147
    Secret Algorithms  148


    Block Cipher Modes of Operation  149
    Crypto Service Providers  150
    Algorithm Input Values  151
  Digital Certificates  152
    Defining Digital Certificates  152
    Managing Digital Certificates  154
    Types of Digital Certificates  158
  Public Key Infrastructure (PKI)  165
    What Is Public Key Infrastructure (PKI)?  166
    Trust Models  166
    Managing PKI  168
    Key Management  171
  Cryptographic Transport Protocols  174
    Secure Sockets Layer (SSL)  174
    Transport Layer Security (TLS)  175
    Secure Shell (SSH)  176
    Hypertext Transport Protocol Secure (HTTPS)  176
    Secure/Multipurpose Internet Mail Extensions (S/MIME)  177
    Secure Real-time Transport Protocol (SRTP)  177
    IP Security (IPsec)  177
  Chapter Summary  179
  Key Terms  181
  Review Questions  181
  Case Projects  187

PART 3  NETWORK ATTACKS AND DEFENSES  189

CHAPTER 5  Networking and Server Attacks  191
  Networking-Based Attacks  193
    Interception  194
    Poisoning  196
  Server Attacks  201
    Denial of Service (DoS)  201
    Web Server Application Attacks  203
    Hijacking  209
    Overflow Attacks  213
    Advertising Attacks  215
    Browser Vulnerabilities  218
  Chapter Summary  222


  Key Terms  223
  Review Questions  223
  Case Projects  229

CHAPTER 6  Network Security Devices, Design, and Technology  233
  Security Through Network Devices  235
    Standard Network Devices  236
    Network Security Hardware  246
  Security Through Network Architecture  260
    Security Zones  260
    Network Segregation  263
  Security Through Network Technologies  265
    Network Access Control (NAC)  265
    Data Loss Prevention (DLP)  267
  Chapter Summary  269
  Key Terms  271
  Review Questions  271
  Case Projects  279

CHAPTER 7  Administering a Secure Network  281
  Secure Network Protocols  283
    Simple Network Management Protocol (SNMP)  285
    Domain Name System (DNS)  286
    File Transfer Protocol (FTP)  288
    Secure Email Protocols  290
    Using Secure Network Protocols  291
  Placement of Security Devices and Technologies  292
  Analyzing Security Data  295
    Data from Security Devices  296
    Data from Security Software  297
    Data from Security Tools  298
    Issues in Analyzing Security Data  298
  Managing and Securing Network Platforms  300
    Virtualization  300
    Cloud Computing  304
    Software Defined Network (SDN)  306
  Chapter Summary  309


  Key Terms  310
  Review Questions  311
  Case Projects  318

CHAPTER 8  Wireless Network Security  321
  Wireless Attacks  324
    Bluetooth Attacks  324
    Near Field Communication (NFC) Attacks  327
    Radio Frequency Identification (RFID) Attacks  330
    Wireless Local Area Network Attacks  332
  Vulnerabilities of IEEE Wireless Security  341
    Wired Equivalent Privacy  342
    Wi-Fi Protected Setup  343
    MAC Address Filtering  344
    SSID Broadcasting  345
  Wireless Security Solutions  346
    Wi-Fi Protected Access (WPA)  347
    Wi-Fi Protected Access 2 (WPA2)  349
    Additional Wireless Security Protections  352
  Chapter Summary  356
  Key Terms  359
  Review Questions  359
  Case Projects  368

PART 4  DEVICE SECURITY  371

CHAPTER 9  Client and Application Security  373
  Client Security  375
    Hardware System Security  375
    Securing the Operating System Software  379
    Peripheral Device Security  388
  Physical Security  392
    External Perimeter Defenses  393
    Internal Physical Access Security  395
    Computer Hardware Security  400
  Application Security  401
    Application Development Concepts  402


    Secure Coding Techniques  404
    Code Testing  405
  Chapter Summary  406
  Key Terms  409
  Review Questions  410
  Case Projects  417

CHAPTER 10  Mobile and Embedded Device Security  421
  Mobile Device Types and Deployment  423
    Types of Mobile Devices  424
  Mobile Device Risks  432
    Mobile Device Vulnerabilities  432
    Connection Vulnerabilities  436
    Accessing Untrusted Content  436
    Deployment Model Risks  438
  Securing Mobile Devices  439
    Device Configuration  439
    Mobile Management Tools  446
    Mobile Device App Security  448
  Embedded Systems and the Internet of Things  449
    Embedded Systems  449
    Internet of Things  451
    Security Implications  452
  Chapter Summary  455
  Key Terms  457
  Review Questions  457
  Case Projects  465

PART 5  IDENTITY AND ACCESS MANAGEMENT  469

CHAPTER 11  Authentication and Account Management  471
  Authentication Credentials  473
    What You Know: Passwords  475
    What You Have: Tokens, Cards, and Cell Phones  489
    What You Are: Biometrics  492
    What You Do: Behavioral Biometrics  498


    Where You Are: Geolocation  499
  Single Sign-on  500
  Account Management  502
  Chapter Summary  505
  Key Terms  506
  Review Questions  507
  Case Projects  517

CHAPTER 12  Access Management  521
  What Is Access Control?  523
    Access Control Terminology  524
    Access Control Models  527
  Managing Access Through Account Management  533
    Account Setup  533
    Account Auditing  539
  Best Practices for Access Control  540
    Separation of Duties  540
    Job Rotation  540
    Mandatory Vacations  541
    Clean Desk Policy  541
  Implementing Access Control  542
    Access Control Lists (ACLs)  542
    Group-Based Access Control  543
  Identity and Access Services  544
    RADIUS  545
    Kerberos  547
    Terminal Access Control Access Control System+ (TACACS+)  548
    Lightweight Directory Access Protocol (LDAP)  549
    Security Assertion Markup Language (SAML)  550
    Authentication Framework Protocols  551
  Chapter Summary  552
  Key Terms  554
  Review Questions  554
  Case Projects  561


PART 6  RISK MANAGEMENT  563

CHAPTER 13  Vulnerability Assessment and Data Security  565
  Assessing the Security Posture  567
    What Is Vulnerability Assessment?  567
    Vulnerability Assessment Tools  573
  Vulnerability Scanning  584
  Penetration Testing  586
  Practicing Data Privacy and Security  588
    What Is Privacy?  589
    Risks Associated with Private Data  590
    Maintaining Data Privacy and Security  592
  Chapter Summary  596
  Key Terms  598
  Review Questions  598
  Case Projects  604

CHAPTER 14  Business Continuity  607
  What Is Business Continuity?  609
    Business Continuity Planning (BCP)  609
    Business Impact Analysis (BIA)  611
    Disaster Recovery Plan (DRP)  612
  Fault Tolerance Through Redundancy  615
    Servers  616
    Storage  617
    Networks  621
    Power  622
    Recovery Sites  622
    Data  623
  Environmental Controls  628
    Fire Suppression  628
    Electromagnetic Disruption Protection  631
    HVAC  631
  Incident Response  633
    What Is Forensics?  633


    Incident Response Plan  633
    Forensics Procedures  634
  Chapter Summary  640
  Key Terms  642
  Review Questions  643
  Case Projects  649

CHAPTER 15  Risk Mitigation  651
  Managing Risk  653
    Threat Assessment  654
    Risk Assessment  656
  Strategies for Reducing Risk  664
    Using Control Types  664
    Distributing Allocation  666
    Implementing Technology  666
  Practices for Reducing Risk  668
    Security Policies  669
    Awareness and Training  675
    Agreements  677
    Personnel Management  679
  Troubleshooting Common Security Issues  679
  Chapter Summary  680
  Key Terms  682
  Review Questions  682
  Case Projects  688

APPENDIX A  CompTIA SY0-501 Certification Exam Objectives  691

GLOSSARY  713

INDEX  741


INTRODUCTION

The number one concern of computer professionals today continues to be information security, and with good reason. Consider the evidence: over 1.5 billion Yahoo user accounts were compromised in just two separate attacks.1 A ransom of $1 million was paid to unlock files that had been encrypted by ransomware.2 A global payment system used to transfer money between countries was compromised by attackers who stole $81 million from the central bank of Bangladesh.3 It is estimated that global spending on products and services to prevent these attacks will exceed $1 trillion cumulatively between 2017 and 2021. But despite the huge sum spent on protection, cybercrime will still cost businesses over $6 trillion annually by 2021.4

As attacks continue to escalate, the need for trained security personnel also increases. It is estimated that there are currently over 1.5 million unfilled security jobs worldwide, and that this number will grow by 20 percent to 1.8 million by the year 2022.5 According to the U.S. Bureau of Labor Statistics (BLS) "Occupational Outlook Handbook," employment of information security analysts is expected to grow by 18 percent through 2024, faster than the average for all occupations.6

To verify security competency, most organizations use the Computing Technology Industry Association (CompTIA) Security+ certification, a vendor-neutral credential. Security+ is one of the most widely recognized security certifications and has become the security foundation for today's IT professionals; it is recognized internationally as validating a foundation level of security skills and knowledge. A successful Security+ candidate has the knowledge and skills required to identify threats, attacks, and vulnerabilities; use security technologies and tools; understand security architecture and design; perform identity and access management; know about risk management; and use cryptography.

Security+ Guide to Network Security Fundamentals, Sixth Edition is designed to equip learners with the knowledge and skills needed to be information security professionals. Yet it is more than an "exam prep" book. While teaching the fundamentals of information security by using the CompTIA Security+ exam objectives as its framework, it takes a comprehensive view of security by examining in depth the attacks against networks and computer systems and the necessary defense mechanisms. Security+ Guide to Network Security Fundamentals, Sixth Edition is a valuable tool for those who want to learn about security and who desire to enter the field of information security. It also provides the foundation that will help prepare for the CompTIA Security+ certification exam.

    Intended Audience This book is designed to meet the needs of students and professionals who want to master basic information security. A fundamental knowledge of computers and net- works is all that is required to use this book. Those seeking to pass the CompTIA Secu- rity+ certification exam will find the text’s approach and content especially helpful; all Security+ SY0-501 exam objectives are covered in the text (see Appendix A). Security+ Guide to Network Security Fundamentals, Sixth Edition covers all aspects of network and computer security while satisfying the Security+ objectives.

    The book’s pedagogical features are designed to provide a truly interactive learning experience to help prepare you for the challenges of network and computer security. In addition to the information presented in the text, each chapter includes Hands-On Projects that guide you through implementing practical hardware, software, network, and Internet security configurations step by step. Each chapter also contains case stud- ies that place you in the role of problem solver, requiring you to apply concepts pre- sented in the chapter to achieve successful solutions.

    Chapter Descriptions

    Here is a summary of the topics covered in each chapter of this book:

    Chapter 1, “Introduction to Security,” introduces the network security fundamentals that form the basis of the Security+ certification. It begins by examining the current challenges in computer security and why security is so difficult to achieve. It then defines information security in detail and explores why it is important. Finally, the chapter looks at the fundamental attacks, including who is responsible for them, and defenses.

    Chapter 2, “Malware and Social Engineering Attacks,” examines attacks that use different types of malware, such as viruses, worms, Trojans, and botnets. It also looks at the different types of social engineering attacks.

    Chapter 3, “Basic Cryptography,” explores how encryption can be used to protect data. It covers what cryptography is and how it can be used for protection, and then examines how to protect data using three common types of encryption algorithms: hashing, symmetric encryption, and asymmetric encryption. It also covers how to use cryptography on files and disks to keep data secure.

    Chapter 4, “Advanced Cryptography and PKI,” examines how to implement cryptography and use digital certificates. It also looks at public key infrastructure and key management. This chapter covers different transport cryptographic algorithms to see how cryptography is used on data that is being transported.

    Chapter 5, “Networking and Server Attacks,” explores the different attacks that are directed at enterprises. It includes networking-based attacks as well as server attacks.


    Chapter 6, “Network Security Devices, Design, and Technology,” examines how to protect networks through standard network devices and network security hardware. It also covers implementing security through network architectures and network technologies.

    Chapter 7, “Administering a Secure Network,” looks at the techniques for administering a network. This includes understanding common network protocols and the proper placement of security devices and technologies. It also looks at analyzing security data and securing network platforms such as virtualization, cloud computing, and software defined networks.

    Chapter 8, “Wireless Network Security,” investigates the attacks on wireless devices that are common today and explores different wireless security mechanisms that have proven to be vulnerable. It also covers several secure wireless protections.

    Chapter 9, “Client and Application Security,” examines securing the client through hardware and peripherals and through the operating system. It also looks at physical security to create external perimeter defenses and internal physical access security. This chapter also covers application security vulnerabilities and the development of secure apps.

    Chapter 10, “Mobile and Embedded Device Security,” looks at the different types of mobile devices and the risks associated with these devices. It also explores how to secure these devices and the applications running on them. Finally, it examines how embedded systems and the Internet of Things devices can be secured.

    Chapter 11, “Authentication and Account Management,” looks at authentication and the secure management of user accounts to enforce authentication. It covers the different types of authentication credentials that can be used to verify a user’s identity and how a single sign-on might be used. It also examines the techniques and technology used to manage user accounts in a secure fashion.

    Chapter 12, “Access Management,” introduces the principles and practices of access control by examining access control terminology, the standard control models, and managing access through account management. It also covers best practices, implementing access control, and identity and access services.

    Chapter 13, “Vulnerability Assessment and Data Security,” explains what vulnerability assessment is and examines the tools and techniques associated with it. It also explores the differences between vulnerability scanning and penetration testing. The chapter concludes with an examination of data privacy.

    Chapter 14, “Business Continuity,” covers the importance of keeping business processes and communications operating normally in the face of threats and disruptions. It explores business continuity, fault tolerance, environmental controls, and incident response.

    Chapter 15, “Risk Mitigation,” looks at how organizations can establish and maintain security in the face of risk. It defines risk and the strategies to control it. This chapter also covers practices for reducing risk and troubleshooting common security issues.


    Appendix A, “CompTIA SY0-501 Certification Examination Objectives,” provides a complete listing of the latest CompTIA Security+ certification exam objectives and shows the chapters and headings in the book that cover material associated with each objective, as well as the Bloom’s Taxonomy level of that coverage.

    Features

    To aid you in fully understanding computer and network security, this book includes many features designed to enhance your learning experience.

    • Maps to CompTIA Objectives. The material in this text covers all the CompTIA Security+ SY0-501 exam objectives.

    • Chapter Objectives. Each chapter begins with a detailed list of the concepts to be mastered in that chapter. This list provides you with both a quick reference to the chapter’s contents and a useful study aid.

    • Today’s Attacks and Defenses. Each chapter opens with a vignette of an actual security attack or defense mechanism that helps to introduce the material covered in that chapter.

    • Illustrations and Tables. Numerous illustrations of security vulnerabilities, attacks, and defenses help you visualize security elements, theories, and concepts. In addition, the many tables provide details and comparisons of practical and theoretical information.

    • Chapter Summaries. Each chapter’s text is followed by a summary of the concepts introduced in that chapter. These summaries provide a helpful way to review the ideas covered in each chapter.

    • Key Terms. All the terms in each chapter that were introduced with bold text are gathered in a Key Terms list, providing additional review and highlighting key concepts. Key Term definitions are included in the Glossary at the end of the text.

    • Review Questions. The end-of-chapter assessment begins with a set of review questions that reinforce the ideas introduced in each chapter. These questions help you evaluate and apply the material you have learned. Answering these questions will ensure that you have mastered the important concepts and provide valuable practice for taking CompTIA’s Security+ exam.

    • Hands-On Projects. Although it is important to understand the theory behind network security, nothing can improve on real-world experience. To this end, each chapter provides several Hands-On Projects aimed at providing you with practical security software and hardware implementation experience. These projects use the Windows 10 operating system, as well as software downloaded from the Internet.

    • Case Projects. Located at the end of each chapter are several Case Projects. In these extensive exercises, you implement the skills and knowledge gained in the chapter through real design and implementation scenarios.


    New to This Edition

    • Maps fully to the latest CompTIA Security+ exam SY0-501
    • Completely revised and updated with expanded coverage on attacks and defenses
    • New chapter units: Security and Its Threats, Cryptography, Network Attacks and Defenses, Device Security, Identity and Access Management, and Risk Management
    • Earlier coverage of cryptography and advanced cryptography
    • All new “Today’s Attacks and Defenses” opener in each chapter
    • New and updated Hands-On Projects in each chapter covering some of the latest security software
    • More Case Projects in each chapter
    • Expanded Information Security Community Site activity in each chapter allows learners to interact with other learners and security professionals from around the world
    • All SY0-501 exam topics fully defined
    • Linking of each exam sub-domain to Bloom’s Taxonomy (see Appendix A)

    Text and Graphic Conventions

    Wherever appropriate, additional information and exercises have been added to this book to help you better understand the topic at hand. Icons throughout the text alert you to additional materials. The following icons are used in this textbook:

    • Note. The Note icon draws your attention to additional helpful material related to the subject being described.

    • Tip. Tips based on the author’s experience provide extra information about how to attack a problem or what to do in real-world situations.

    • Caution. The Caution icons warn you about potential mistakes or problems, and explain how to avoid them.

    • Hands-On Projects. Hands-On Projects help you understand the theory behind network security with activities using the latest security software and hardware.

    • Case Projects. The Case Projects icon marks Case Projects, which are scenario-based assignments. In these extensive case examples, you are asked to implement independently what you have learned.

    • Certification. Certification icons indicate CompTIA Security+ objectives covered under major chapter headings.


    Instructor’s Materials

    Everything you need for your course in one place. This collection of book-specific lecture and class tools is available online. Please visit login.cengage.com and log in to access instructor-specific resources on the Instructor Companion Site, which includes the Instructor’s Manual, Solutions Manual, test creation tools, PowerPoint Presentations, Syllabus, and figure files.

    • Electronic Instructor’s Manual. The Instructor’s Manual that accompanies this textbook includes the following items: additional instructional material to assist in class preparation, including suggestions for lecture topics.

    • Solutions Manual. The instructor’s resources include solutions to all end-of-chapter material, including review questions and case projects.

    • Cengage Testing Powered by Cognero. This flexible, online system allows you to do the following:
      • Author, edit, and manage test bank content from multiple Cengage solutions.
      • Create multiple test versions in an instant.
      • Deliver tests from your LMS, your classroom, or wherever you want.

    • PowerPoint Presentations. This book comes with a set of Microsoft PowerPoint slides for each chapter. These slides are meant to be used as a teaching aid for classroom presentations, to be made available to students on the network for chapter review, or to be printed for classroom distribution. Instructors are also at liberty to add their own slides for other topics introduced.

    • Figure Files. All the figures and tables in the book are reproduced. Similar to PowerPoint presentations, these are included as a teaching aid for classroom presentation, to make available to students for review, or to be printed for classroom distribution.

    Total Solutions For Security

    To access additional course materials, please visit www.cengagebrain.com. At the cengagebrain.com home page, search for the ISBN of your title (from the back cover of your book) using the search box at the top of the page. This will take you to the product page where these resources can be found.

    MindTap

    MindTap for Security+ Guide to Network Security Fundamentals, Sixth Edition is a personalized, fully online digital learning platform of content, assignments, and services that engages students and encourages them to think critically, while allowing you to easily set your course through simple customization options.

    MindTap is designed to help students master the skills they need in today’s workforce. Research shows employers need critical thinkers, troubleshooters, and creative problem solvers to stay relevant in our fast-paced, technology-driven world. MindTap helps you achieve this with assignments and activities that provide hands-on practice, real-life relevance, and certification test prep. Students are guided through assignments that help them master basic knowledge and understanding before moving on to more challenging problems.


    The live virtual machine labs provide real-life application and practice as well as more advanced learning. Students work in a live environment via the Cloud with real servers and networks that they can explore. The IQ certification test preparation engine allows students to quiz themselves on specific exam domains, and the pre- and post-course assessments measure exactly how much they have learned. Readings, lab simulations, capstone projects, and videos support the lecture, while “In the News” assignments encourage students to stay current.

    MindTap is designed around learning objectives and provides the analytics and reporting to easily see where the class stands in terms of progress, engagement, and completion rates.

    Students can access eBook content in the MindTap Reader, which offers highlighting, note-taking, search and audio, as well as mobile access. Learn more at www.cengage.com/mindtap/.

    Instant Access Code: (ISBN: 9781337289306)
    Printed Access Code: (ISBN: 9781337289313)

    Lab Manual

    Hands-on learning is necessary to master the security skills needed for both CompTIA’s Security+ Exam and for a career in network security. Security+ Guide to Network Security Fundamentals Lab Manual, 6th Edition contains hands-on exercises that use fundamental networking security concepts as they are applied in the real world. Each chapter offers review questions to reinforce your mastery of network security topics and to sharpen your critical thinking and problem-solving skills. (ISBN: 9781337288798)

    Bloom’s Taxonomy

    Bloom’s Taxonomy is an industry-standard classification system used to help identify the level of ability that learners need to demonstrate proficiency. It is often used to classify educational learning objectives into different levels of complexity. Bloom’s Taxonomy reflects the “cognitive process dimension.” This represents a continuum of increasing cognitive complexity, from remember (lowest level) to create (highest level). There are six categories in Bloom’s Taxonomy as seen in Figure A.

    In all instances, the level of coverage of the domains in Security+ Guide to Network Security Fundamentals, Sixth Edition meets or exceeds the Bloom’s Taxonomy level indicated by CompTIA for that objective. See Appendix A for more detail.

    Figure A Bloom’s taxonomy. The six levels, from highest to lowest:
    • Create: produce new or original work (design, assemble, construct, conjecture, develop, formulate, author, investigate)
    • Evaluate: justify a stand or decision (appraise, argue, defend, judge, select, support, value, critique, weigh)
    • Analyze: draw connections among ideas (differentiate, organize, relate, compare, contrast, distinguish, examine, experiment, question, test)
    • Apply: use information in new situations (execute, implement, solve, use, demonstrate, interpret, operate, schedule, sketch)
    • Understand: explain ideas or concepts (classify, describe, discuss, explain, identify, locate, recognize, report, select, translate)
    • Remember: recall facts and basic concepts (define, duplicate, list, memorize, repeat, state)

    Information Security Community Site

    Stay secure with the Information Security Community Site. Connect with students, professors, and professionals from around the world, and stay on top of this ever-changing field.

    Visit http://community.cengage.com/Infosec2/ to:
    • Download resources such as instructional videos and labs.
    • Ask authors, professors, and students the questions that are on your mind in the Discussion Forums.
    • See up-to-date news, videos, and articles.
    • Read regular blogs from author Mark Ciampa.
    • Listen to podcasts on the latest Information Security topics.
    • Review textbook updates and errata.

    Each chapter’s Case Projects include information on a current security topic and ask the learner to post reactions and comments to the Information Security Community Site. This allows users from around the world to interact and learn from other users as well as security professionals and researchers.

    What’s New With CompTIA Security+ Certification

    The CompTIA Security+ SY0-501 exam was updated in October 2017. Several significant changes have been made to the exam objectives. The exam objectives have been significantly expanded to more accurately reflect current security issues and knowledge requirements. These exam objectives place importance on knowing “how to” rather than just knowing or recognizing security concepts.

    Here are the domains covered on the new Security+ exam:

    Domain                                    % of Examination
    1.0 Threats, Attacks & Vulnerabilities    21%
    2.0 Technologies & Tools                  22%
    3.0 Architecture & Design                 15%
    4.0 Identity & Access Management          16%
    5.0 Risk Management                       14%
    6.0 Cryptography & PKI                    12%
    Total                                     100%


    About The Author

    Dr. Mark Ciampa is an Associate Professor of Information Systems in the Gordon Ford College of Business at Western Kentucky University in Bowling Green, Kentucky. Prior to this, he was an Associate Professor and served as the Director of Academic Computing at Volunteer State Community College in Gallatin, Tennessee for 20 years. Mark has worked in the IT industry as a computer consultant for businesses, government agencies, and educational institutions. He has published over 20 articles in peer-reviewed journals and is also the author of 25 technology textbooks, including Security+ Guide to Network Security Fundamentals 6e, CWNA Guide to Wireless LANs 3e, Guide to Wireless Communications, Security Awareness: Applying Practical Security in Your World 5e, and Networking BASICS. Dr. Ciampa holds a PhD in technology management with a specialization in digital communication systems from Indiana State University and has certifications in Security+ and HIT.

    Acknowledgments

    A large team of dedicated professionals all contributed to the creation of this book. I am honored to be part of such an outstanding group of professionals. First, thanks go to Product Manager Kristin McNary for giving me the opportunity to work on this project and for providing her continual support, and to Associate Product Manager Amy Savino for answering all my questions. Also thanks to Senior Content Developer Michelle Ruelos Cannistraci who was very supportive, to Senior Content Product Manager Brooke Greenhouse who helped keep this fast-moving project on track, and to Dr. Andy Hurd who performed the technical reviews. To everyone on the team I extend my sincere thanks.

    Special recognition again goes to the very best developmental editor, Deb Kaufmann, who is a true professional in every sense of the word. She made many helpful suggestions, found all my errors, watched every small detail, and even took on additional responsibilities so that this project could accelerate to be completed even before its deadlines. Without question, Deb is simply the very best there is.

    And finally, I want to thank my wonderful wife, Susan. Her love, interest, support, and patience gave me what I needed to complete this project. I could not have written this book without her.

    Dedication

    To Braden, Mia, Abby, Gabe, Cora, and Will.

    To The User

    This book should be read in sequence, from beginning to end. Each chapter builds on those that precede it to provide a solid understanding of networking security fundamentals. The book may also be used to prepare for CompTIA’s Security+ certification exam. Appendix A pinpoints the chapters and sections in which specific Security+ exam objectives are covered.

    Hardware and Software Requirements

    Following are the hardware and software requirements needed to perform the end-of-chapter Hands-On Projects.


    • Microsoft Windows 10
    • An Internet connection and web browser
    • Microsoft Office

    Free Downloadable Software Requirements

    Free, downloadable software is required for the Hands-On Projects in the following chapters.

    Chapter 1:
    • Microsoft Safety Scanner
    • Oracle VirtualBox

    Chapter 2:
    • Irongeek Thumbscrew
    • Refog Keylogger

    Chapter 3:
    • OpenPuff Steganography
    • HashCalc
    • Jetico BestCrypt

    Chapter 4:
    • Comodo Secure Email Certificate

    Chapter 5:
    • Qualys Browser Check
    • GRC Securable

    Chapter 6:
    • GlassWire
    • K9 Web Protection

    Chapter 7:
    • VMware vCenter Converter
    • VMware Workstation Player

    Chapter 8:
    • Xirrus Wi-Fi Inspector
    • Vistumbler

    Chapter 9:
    • EICAR AntiVirus Test File

    Chapter 10:
    • Prey Project
    • Bluestacks
    • Andy Android emulator
    • Lookout Security & Antivirus


    Chapter 11:
    • Hashcat
    • HashcatGUI
    • BioID Facial Recognition Authenticator
    • GreyC-Keystroke
    • KeePass

    Chapter 13:
    • Flexera Personal Software Inspector
    • Macrium Reflect
    • Nmap

    Chapter 14:
    • Directory Snoop
    • Nmap

    Chapter 15:
    • Browzar
    • UNetbootin
    • Linux Mint



    PART I

    SECURITY AND ITS THREATS

    Chapter 1 Introduction to Security
    Chapter 2 Malware and Social Engineering Attacks

    The security of the data and information contained on computers and digital devices today is threatened more than ever before, and the attacks are escalating every day. The chapters in this part introduce security and outline many of these threats. The chapters in later parts will give you the understanding and tools you need to defend against these attacks.

    88781_ch01_hr_001-050.indd 1 8/10/17 4:10 AM


    CHAPTER 1

    INTRODUCTION TO SECURITY

    After completing this chapter you should be able to do the following:

    Explain the challenges of securing information
    Define information security and explain why it is important
    Identify the types of threat actors that are common today
    Describe how to defend against attacks

    Today’s Attacks and Defenses

    Almost everyone would assume that the director of the Central Intelligence Agency (CIA) would be well-versed in security procedures and would practice these to the letter of the law. This is because of the extreme danger that would result from a compromise or theft of highly classified information about active CIA agents or sensitive activities that are underway. The exposure of this information could result in a serious international incident or even the capture and torture of secret agents. However, a former CIA director who failed to follow basic security procedures put sensitive CIA information at risk.

    Former CIA Director John Brennan had recently completed a sensitive 47-page SF-86 application to update his own top-secret government security clearance. These applications are used by the federal government for conducting a background check on individuals requesting such a security clearance. The forms contain a wealth of sensitive data about the person—criminal history, psychological records, any past drug use, information about the applicant’s interactions with foreign nationals—as well as information on their spouses, family members, and even friends. In the wrong hands this information could easily be used as blackmail material. Despite government restrictions Brennan routinely forwarded classified emails from his CIA email account to his less-secure personal AOL email account. One of the emails contained his own SF-86 application as an attachment, a serious breach of CIA security protocol.

    An attacker who claimed to be under the age of 20 along with two friends decided to see if they could uncover classified CIA documents. The attacker first did a reverse lookup of Brennan’s public phone number to reveal that the phone was served by the carrier Verizon Wireless. The attacker called Verizon’s customer service number and pretended to be a Verizon technician. He said he had a customer lined up on a scheduled callback but was unable to access Verizon’s customer database on his own because “our tools were down.” So, could Verizon customer service give him the email address that was linked to Brennan’s phone number? The friendly and helpful Verizon customer service representative said, “Sure, no problem.” The pretender then asked if the Verizon representative would also give him the last four digits of the customer’s bank card that was on file. Once again, the representative was glad to help. By the time the call was over the pretender had Brennan’s Verizon account number, his four-digit personal identification number, the backup private mobile cellphone number on the account, his AOL email address, and the last four digits on his bank card.

    The attacker now had the information that he needed. Knowing that Brennan had an AOL email account he next called AOL and said he was locked out of that account. The AOL representative asked him to verify his identity by answering two questions: the name and phone number associated with the account and the last four digits of the bank card on file— all of which had been provided by Verizon. The AOL representative then reset the password on the email account to a new password for the attacker.

    The attacker then logged into Brennan’s AOL email account, where he read several dozen emails, some of which the director had forwarded from his government work email and that contained attachments. Among the attachments was Brennan’s own SF-86 application and a spreadsheet containing names and Social Security numbers of several U.S. intelligence officials. It is speculated that the spreadsheet might have been a list of guests who were visiting the White House when Brennan was the President’s counterterrorism adviser. Another attachment was a letter from the U.S. Senate asking the CIA to halt its controversial use of torture tactics as interrogation techniques. The hacker posted screenshots of some of the documents on a Twitter account along with portions of the director’s AOL email contact list.

    When Brennan realized that this information came from his AOL email account and that it had been compromised, he reset his AOL password. However, he failed to change the cell phone number and bank card number on file that was used to reset the password. Once the attacker discovered the password had been changed, he simply reset the password again, locking out Brennan. This back-and-forth of password resets was repeated three times between the attacker and the CIA director until he finally deleted the email account.

    In one last act, the attacker called Brennan’s private mobile phone number that he had received from Verizon and told the former director of the CIA that he had been hacked. According to the attacker, the conversation was brief.1

    Today our world is one in which citizens from all nations are compelled to continually protect themselves and their property from attacks by adversaries. Random shootings, suicide bombings, assassinations, and other types of physical violence occur almost daily around the world with no end in sight. To counteract this violence, new types of security defenses have been implemented. Passengers using public transportation are routinely searched. Borders are closely watched. Telephone calls are secretly monitored. These attacks and security defenses have significantly impacted how all of us work, play, and live.

    These attacks are not just physical. One area that has also been an especially frequent target of attacks is information technology (IT). A seemingly endless array of attacks is directed at individuals, schools, businesses, and governments through desktop computers, laptops, and smartphones. Internet web servers must resist thousands of attacks every day. Identity theft using stolen electronic data has skyrocketed. An unprotected computer connected to the Internet may be infected in fewer than 60 seconds. Viruses, phishing, worms, and botnets—virtually unheard of just a few years ago—are now part of our everyday technology vocabulary.

    The need to defend against these attacks directed toward our technology devices has created an element of IT that is now at the very core of the industry. Known as information security, it is focused on protecting the electronic information of enterprises and users.

    Two broad categories of information security personnel are responsible for providing protection for an enterprise like a business or nonprofit organization. Information security managerial personnel administer and manage plans, policies, and people, while information security technical personnel are concerned with designing, configuring, installing, and maintaining technical security equipment. Within these two broad categories are four generally recognized security positions:

    • Chief Information Security Officer (CISO). This person reports directly to the CIO (large enterprises may have more layers of management between this person and the CIO). This person is responsible for assessing, managing, and implementing security.

    • Security manager. The security manager reports to the CISO and supervises technicians, administrators, and security staff. Typically, a security manager works on tasks identified by the CISO and resolves issues identified by technicians. This position requires an understanding of configuration and operation but not necessarily technical mastery.

    • Security administrator. The security administrator has both technical knowledge and managerial skills. A security administrator manages the daily operations of security technology, and may analyze and design security solutions within a specific entity as well as identify users’ needs.

    • Security technician. This position is generally an entry-level position for a person who has the necessary technical skills. Technicians provide technical support to configure security hardware, implement security software, and diagnose and troubleshoot problems.

    Note

    Individuals in these positions provide protection but are not the only employees responsible for security. It is the job of every employee—both IT and non-IT—to know and practice basic security defenses.

    Note

    The job outlook for security professionals is exceptionally strong. According to the U.S. Bureau of Labor Statistics (BLS) “Occupational Outlook Handbook,” the job outlook for information security analysts through 2024 is expected to grow by 18 percent, much faster than the average growth rate.2 One report states that by the end of the decade demand for security professionals worldwide will rise to 6 million, with a projected shortfall of 1.5 million unfilled positions.3

    As attacks continue to escalate, the need for trained security personnel also increases. Unlike some IT positions, security is rarely offshored or outsourced: because security is such a critical element, security positions generally remain within the enterprise. In addition, security jobs typically do not involve “on-the-job training” where employees can learn as they go; the risk is simply too great.

    Employment trends indicate that security personnel who also have a certification in security are in high demand. IT employers want and pay a premium for certified security personnel. An overwhelming majority of enterprises use the Computing Technology Industry Association (CompTIA) Security+ certification to verify security competency. Of the hundreds of security certifications currently available, Security+ is one of the most widely acclaimed. Because it is internationally recognized as validating a foundation level of security skills and knowledge, the Security+ certification has become the security baseline for today’s IT professionals.

    Note

    The value for an IT professional who holds a security certification is significant. The extra pay awarded to IT professionals who hold an IT certification is 3.5 percent over someone who does not hold that certification. However, those who hold a security certification earn 8.7 percent more than their counterparts who do not have a security certification.4

    The CompTIA Security+ certification is a vendor-neutral credential that requires passing the current certification exam SY0-501. A successful candidate has the knowledge and skills required to identify risks and participate in risk mitigation activities; provide infrastructure, application, operational and information security; apply security controls to maintain confidentiality, integrity, and availability; identify appropriate technologies and products; troubleshoot security events and incidents; and operate with an awareness of applicable policies, laws, and regulations. The CompTIA Security+ certification is aimed at an IT security professional who has a recommended background of a minimum of two years’ experience in IT administration with a focus on security.

    Note

    CompTIA Security+ meets the ISO 17024 standard and is approved by the U.S. Department of Defense to fulfill Directive 8570.01-M requirements. It is also compliant with government regulations under the Federal Information Security Management Act (FISMA).

    This chapter introduces the security fundamentals that form the basis of the Security+ certification. It begins by examining the current challenges in computer security. It then defines information security in detail and explores why it is important. Finally, the chapter looks at who is responsible for these attacks and the fundamental defenses against such attacks.

    Challenges of Securing Information

    Certification: 1.6 Explain the impact associated with types of vulnerabilities.

    A silver bullet refers to an action that provides an immediate solution to a problem by cutting through the complexity that surrounds it. Why shouldn’t there be such a silver bullet for securing computers? Why can’t users just install an improved hardware device or use a more secure version of software to stop attacks? Unfortunately, no single and simple solution exists for securing devices. This can be illustrated by looking at the different types of attacks that users face today as well as the reasons why these attacks are successful and the difficulties in defending against attacks.

    Today’s Security Attacks Even though information security continues to rank as the number one concern of IT managers and tens of billions of dollars are spent annually on computer security, the number of successful attacks continues to increase. Consider the following examples of recent attacks:

    • In order to demonstrate how easy it is to remotely control a car, a reporter drove a Jeep Cherokee outside St. Louis while two security researchers 10 miles away remotely connected to it and started manipulating its controls. The air conditioning on the Jeep suddenly switched to its maximum setting. Next, the car’s radio changed stations and the volume increased, even though the driver repeatedly tried to turn the volume down and change the station, to no avail. Then the windshield wipers suddenly turned on and wiper fluid squirted out. While on an Interstate highway the driver pressed the accelerator, but the Jeep instead started slowing down, so that it was almost rammed from behind by a large truck. The researchers even remotely disabled the brakes so that the Jeep finally ended up in a ditch. The security researchers had taken advantage of the car’s Internet-connection feature that controls its entertainment and navigation systems, enables phone calls, and can be used to create a Wi-Fi hot spot. Due to a vulnerability, anyone could gain remote access to the car’s control systems from virtually anywhere. This demonstration immediately prompted a recall of 1.4 million vehicles, issued by the manufacturer under National Highway Traffic Safety Administration (NHTSA) oversight, to patch this vulnerability. This was the first time a car was recalled because of a security vulnerability.5

    • A security researcher boarded a United Airlines flight from Denver to Syracuse with a stop in Chicago. On the second leg of the trip the researcher tweeted that he was probing the aircraft systems of his flight. United Airlines’ Cyber Security Intelligence Department, which monitors social media, saw the tweet and alerted the FBI. According to the FBI, a special agent later examined the first-class cabin seat where the researcher was seated and found that he had tampered with the Seat Electronic Box (SEB), which is located under some passenger seats. This allowed him to connect his laptop to the in-flight entertainment (IFE) system via the SEB. Once he accessed the IFE he could then access other systems on the plane. The researcher claimed that he could have caused the airplane to change altitude after manipulating its software. United Airlines has permanently banned him from any future flights.6

    • Yahoo announced that a then-record half a billion Yahoo accounts had been compromised by attackers who gained unauthorized access to its web servers. Information stolen included names, email addresses, phone numbers, birth dates, answers to security questions, and passwords. Yahoo believed the breach had occurred two years earlier but had only recently discovered it. Two months later Yahoo announced that, after investigating data provided by law enforcement officials and outside experts, it had determined that another previously undetected data breach had compromised over 1 billion Yahoo user accounts three years earlier. It was not known how law enforcement officials came across this evidence, but security researchers speculated that it was discovered by someone who was watching for data on underground “dark web” markets that attackers use to buy and sell stolen data. If so, this data had been for sale for several years and had likely been used by attackers in targeted attacks to gain access to other web accounts. Yahoo’s response to the attacks was, “We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.”7

    • It is not uncommon for attackers to load their malware onto a USB flash drive and then leave it in a parking lot, cafeteria, or another public place. An unsuspecting victim who finds the drive and inserts it into her computer, either to discover the rightful owner or to snoop around its contents, suddenly finds her computer infected. The results can be even worse if the drive is a device called the USB Killer. Resembling a regular flash drive, the USB Killer, when inserted into any USB port, starts drawing power from the computer using a DC-to-DC converter. It stores the electricity in its capacitors, and when those reach a certain voltage the USB Killer discharges all the stored electricity back into the computer in a single burst. The result is that the computer is destroyed, typically burning up the motherboard. And if the computer is not destroyed on the first attempt, the USB Killer keeps charging and discharging over and over until the computer is “fried.”8

    • The AVS WINVote voting machine passed state voting system standards and has been used in Virginia, Pennsylvania, and Mississippi. However, the security on the machine was alarmingly weak. Easily guessed passwords like admin, abcde, and shoup were used to lock down its administrator account and wireless network settings, as well as the voting results database. Because these passwords were hard-coded into the machines they could not be changed. The wireless network used to transmit results relied upon a configuration that could easily be broken in fewer than 10 minutes. These tabulating machines lacked even basic security like a firewall and exposed several open network ports to attackers. In addition, WINVote ran a version of an operating system that had not received a security update since 2004.9

    • The educational toy maker VTech revealed that millions of accounts containing information on children were stolen. Approximately 11.6 million accounts were compromised in an attack that included information on 6.4 million children. The data on children that was stolen included name, gender, birth date, profile photo, and progress log. As with many recent breaches, VTech did not know that it had been a victim until it was approached by a security research firm that had discovered the attack.10

    • The European Space Agency (ESA) is an intergovernmental organization of 22 member states that explores space. It participates in the International Space Station and launches unmanned space exploration missions to different planets from its spaceport in French Guiana. A group of attackers stole data from the ESA, including information on 8107 of its users, and then posted it online. Even though ESA information regarding space exploration needed to be kept secure so that it was not altered, the passwords used by ESA scientists were alarmingly weak. Of the passwords exposed, 39 percent (or 3191) were only three characters long, such as 410, 832, 808, and 281. Only 22 users had a strong password of the recommended length of 20 characters.11

    • The Internal Revenue Service (IRS) reported that through its online Get Transcript program, used by taxpayers who need a transcript to view tax account transactions or line-by-line tax return information for a specific tax year, attackers were able to steal 104,000 tax transcripts while an additional 100,000 attempts were unsuccessful. The attacks were made possible because in order to access the information online the inquirer had only to prove their identity by entering personal information (Social Security number, date of birth, tax filing status, and street address) and out-of-wallet information (such as the amount of a current car payment). Both types of information can be easily obtained online from a variety of sources. Once attackers had the information they began filing fake tax returns under the victim’s name and stealing their tax refund. The IRS later revealed that the situation was much worse than first reported: up to 390,000 individuals had their tax information stolen out of 600,000 attempts.12

    • Hyatt Hotels Corporation reported that cybercriminals successfully attacked restaurants, front desks, spas, and parking facilities at 250 of their hotels worldwide over a four-month period. The attacker’s software was installed on the Hyatt computers and could capture payment card details like cardholder names, card numbers, expiration dates, and verification codes when the cards were swiped. Other hotel chains have likewise been compromised. Security researchers speculate that attackers are keenly interested in attacking the hospitality industry. Hotels today are rarely owned by the big companies themselves, but instead the hotels are owned by separate investors with the hotel chains simply collecting management and franchise fees. This creates uneven security at the different hotels, and even within the hotels: hotel-based restaurants, spas, and gift shops are often owned and managed by third-party companies. While the hotel brands may require property owners to follow specific standards—such as using pillowcases of 100 percent Egyptian cotton with a 1500 thread count—they often do not have the same requirements for security. There is even speculation that the hotel brands are hesitant to mandate strict security guidelines, because if a hotel is attacked then the hotel brand may be legally liable. Another reason for the popularity of hacking hotels is that hotel brands cater to high-end, frequent business travelers. These customers often make charges on their trips using a corporate credit card and can be slower to spot unusual transactions compared to using their personal card. And many hotels keep multiple cards on file for their frequent guests. This makes it easy to not only check in and out, but also allows guests to use their door key card to make purchases instead of giving a specific credit card. Having multiple instances of credit card data scattered throughout the hotel makes for multiple targets for attackers.13

    • In a single month Apple recently announced a long list of security patches. One of its operating systems patched 11 security vulnerabilities, most of them rated as critical, while several were ranked as serious. Another of its operating systems fixed 18 security flaws, 13 of them related to its web browser. Apple also announced that it will pay those who uncover critical vulnerabilities in the latest version of iOS and the newest iPhones. The rewards range up to $200,000 for critical flaws discovered in its hardware and software.14

    Note

    Like many software and hardware vendors, Apple maintains a lengthy online list of security vulnerabilities that have been corrected. Apple’s list going back to 2003 and earlier is at support.apple.com/en-us/HT201222.

    The number of security breaches that have exposed users’ digital data to attackers continues to rise. From 2005 through early 2017, over 907 million electronic data records in the United States had been breached, exposing to attackers a range of personal electronic data, such as addresses, Social Security numbers, health records, and credit card numbers. Table 1-1 lists some recent major security breaches, according to the Privacy Rights Clearinghouse.15

    Table 1-1  Selected security breaches involving personal information in a one-month period

    Organization | Description of security breach | Number of identities exposed
    Michigan State University, MI | A database was compromised that contained names, Social Security numbers, MSU identification numbers, and date of birth of current and former students and employees. | Potentially 400,000
    Poway Unified School District, CA | The district inadvertently sent information to unauthorized recipients that included children’s names, nicknames, addresses, phone numbers, hearing and vision exam results, dates of birth, language fluency, academic test results, and occupation of parents. | 70,000
    University of Central Florida, FL | Unauthorized access to the university’s system exposed financial records, medical records, grades, and Social Security numbers. | 63,000
    Southern New Hampshire University, NH | Due to a third-party vendor’s configuration error a database that contained student information—student names, email addresses, and IDs, course name, course selection, assignment details and assignment score, instructor names and email addresses—was exposed. | 140,000
    Quest Diagnostics, NJ | An unknown error resulted in the exposure of the name, date of birth, lab results, and telephone numbers of customers. | 34,000
    Anchor Loans, CA | A publicly exposed database revealed customers’ name, address, email address, Social Security number, check routing number, bank account number, bank statement data, birth date, and birth place. | Unknown
    United States Navy Career Waypoints Database, DC | A re-enlistment approval database was stolen from a contractor’s laptop, which included the names and Social Security numbers of 134,386 current and former sailors. | 134,000
    Internal Revenue Service, DC | IRS employees sent unencrypted emails that contained different taxpayers’ personally identifiable information. | Potentially 28 million

    Reasons for Successful Attacks Why do attacks like these continue to be successful, despite all the efforts to stop them? There are several reasons:

    • Widespread vulnerabilities. Because vulnerabilities are so common in hardware and software, attackers can virtually choose which vulnerability to exploit for an attack. And because of the sheer number of vulnerabilities it is difficult to identify and correct all of them. This is made even worse by the fact that not all hardware and software can be corrected once a vulnerability is uncovered. Some devices, particularly consumer devices, have no support from the company that made the device (called lack of vendor support). This means that no effort is made to fix any vulnerabilities that are found. Other systems have no capabilities to receive security updates when a vulnerability is found. And some systems are so old (called end-of-life systems) that vendors have dropped all support for security updates, or else charge an exorbitant fee to provide updates.

    Note

    Microsoft provides two types of security support for its software. It offers mainstream support for a minimum of five years from the date of a product’s general availability and extended support for an additional five years. For example, Windows 10, which was released in July 2015, will have mainstream support until October 2020 and extended support until October 2025. After this time, Microsoft will no longer provide security updates, automatic fixes, updates, or online technical assistance.

    • Configuration issues. Hardware and software that does have security features is often not properly configured, allowing attacks to succeed. Almost all devices come with out-of-the-box configuration settings, or default configurations. These are generally simple settings intended to be changed by the user; however, they are often left in place. Some devices have weak configuration options that provide limited security choices. When a user configures a device incorrectly (a misconfiguration), the error can allow the device to be compromised. Misconfiguration is commonly seen in improperly configured accounts that give a user more access than is necessary, such as total access over the entire device when access should be more limited.

    • Poorly designed software. Successful attacks are often the result of software that is poorly designed and has architecture/design weaknesses. Software that accepts user data but has improper input handling does not filter or validate that input to prevent a malicious action. For example, a webpage on a web server with improper input handling that asks for the user’s email address could allow an attacker to instead enter a command that the server would then execute. Other software may not properly trap an error condition and thus provide an attacker with underlying access to the system. This is known as improper error handling. Suppose an attacker enters a string of characters that is much longer than expected. Because the software has not been designed for this event, the program could crash or suddenly halt its execution and then display an underlying operating system prompt, giving the attacker access to the computer. A race condition in software occurs when two concurrent threads of execution access a shared resource at the same time, resulting in unintended consequences. For example, in a program with two threads that have access to the same location in memory, Thread #1 stores the value A in that memory location. But since Thread #2 is also executing, it may overwrite the same memory location with the value Z. When Thread #1 retrieves the value stored, it is given Thread #2’s Z instead of its own A.

    • Hardware limitations. Hardware with limited resources (CPU, memory, file system storage, etc.) can be exploited by an attacker who intentionally tries to consume more resources than intended. This might cause the system to become slow or even unable to respond to other users, thus preventing valid users from accessing the device. This is called resource exhaustion.

    • Enterprise-based issues. Often attacks are successful not because of compromised technology but because of the manipulation of processes that an enterprise performs. Vulnerable business processes, exploited in what is also called business process compromise (BPC), allow an attacker to manipulate commonplace actions that are routinely performed. For example, late on a Friday afternoon an attacker in India could make a request to New York to have money transferred to Taiwan. Because these transactions are in different countries, time zones, and even on different days, it can be difficult for this process to be quickly verified. Another problem in the enterprise is the rapid acquisition and deployment of technology devices without proper documentation. This results in undocumented assets, or devices that are not formally identified, and in system sprawl, or the widespread proliferation of devices across the enterprise. Often servers, computers, and other devices are purchased and quickly installed without adequate forethought regarding how they can be protected.
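    The configuration issues in the list above (default settings left in place and accounts given more access than their purpose requires) can be checked mechanically rather than by eye. The following Python is an added example and is not code from this book; the “user … password … role … purpose” line format, the list of factory credentials, the role names and the purpose-to-role policy are all assumptions made for illustration, and the sample configurations are constructed.

```python
"""Audit a device configuration for default credentials and over-privileged
accounts. Added example; the config line format, the factory-credential list
and the purpose-to-role policy are assumptions, not taken from the book."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: factory credentials documented for this hypothetical device.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Assumption: roles on this device, ordered from least to most access.
ROLE_RANK = {"readonly": 0, "operator": 1, "admin": 2}

# Assumption: the most access each account purpose legitimately needs.
MAX_ROLE_FOR_PURPOSE = {
    "admin": "admin",       # day-to-day device administration
    "backup": "operator",   # pulls configuration backups only
    "monitor": "readonly",  # monitoring system polls status
    "user": "readonly",
}

USER_LINE = re.compile(
    r"^user\s+(?P<name>\S+)\s+password\s+(?P<password>\S+)"
    r"\s+role\s+(?P<role>\S+)\s+purpose\s+(?P<purpose>\S+)$"
)


@dataclass
class Finding:
    line_no: int
    account: str
    issue: str


def audit_config(config_text: str) -> list[Finding]:
    """Return one Finding per default credential or excess privilege found."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        match = USER_LINE.match(raw.strip())
        if not match:
            continue  # not an account line; other settings are out of scope here
        name, password, role, purpose = match.group("name", "password", "role", "purpose")
        if (name, password) in DEFAULT_CREDENTIALS:
            findings.append(Finding(line_no, name, "default credentials left in place"))
        # Least privilege: an unknown purpose is allowed only the lowest role.
        allowed = MAX_ROLE_FOR_PURPOSE.get(purpose, "readonly")
        unknown_role_rank = max(ROLE_RANK.values()) + 1  # unknown roles are flagged
        if ROLE_RANK.get(role, unknown_role_rank) > ROLE_RANK[allowed]:
            findings.append(Finding(
                line_no, name,
                f"role '{role}' exceeds the '{allowed}' role needed for purpose '{purpose}'",
            ))
    return findings


# Constructed sample: a firewall configuration as shipped, with two problems.
SAMPLE_CONFIG = """\
hostname branch-fw-01
user admin password admin role admin purpose admin
user backup password Tq7!vbL2 role admin purpose backup
user jsmith password Hn4#pq9z role readonly purpose user
"""

# Constructed sample: the same configuration after both findings are corrected.
FIXED_CONFIG = """\
hostname branch-fw-01
user admin password Rw8%kd2Lm!q role admin purpose admin
user backup password Tq7!vbL2 role operator purpose backup
user jsmith password Hn4#pq9z role readonly purpose user
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: account '{f.account}': {f.issue}")
    print("findings after fix:", audit_config(FIXED_CONFIG))
```

    Running the block reports the unchanged factory password on line 2 and the backup account holding the admin role on line 3; the corrected configuration produces no findings. The policy table is the part worth maintaining: each new account purpose gets an explicit maximum role, so excess privilege is detected by comparison rather than by someone remembering to look.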
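    To make the three weaknesses in the “Poorly designed software” item above concrete, the following Python shows each one in a deliberately weak form beside a hardened form. This is an added example, not code from this book; the grep lookup over a users.txt file, the “NAME:” record format and the two-thread scheduling model are assumptions made for illustration. The race-condition function reproduces the Thread #1 / Thread #2 example deterministically, so the lost update can be seen every time rather than only when the scheduler happens to interleave the threads that way.

```python
"""Three software weaknesses from the list above, each in a deliberately weak
form next to a hardened form. Added example; the grep lookup, the "NAME:"
record format and the two-thread scheduling model are assumptions."""
from __future__ import annotations

import re

# --- Improper input handling ---------------------------------------------
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def lookup_command_unsafe(email: str) -> str:
    # Weak: the untrusted field is spliced into a shell command line, so a
    # value such as "x; rm -rf / #" becomes extra commands for the shell.
    return f"grep -F {email} users.txt"


def lookup_argv_safe(email: str) -> list[str]:
    # Hardened: validate against the format the field must have, then pass it
    # as one argument with no shell involved, so it can only ever be data.
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("not a valid email address")
    return ["grep", "-F", "--", email, "users.txt"]


# --- Improper error handling ---------------------------------------------
MAX_NAME_LEN = 64
REJECTED = (False, "request rejected")  # generic result, no internal detail


def parse_name_unsafe(payload: bytes) -> str:
    # Weak: assumes every record looks like b"NAME:<ascii text>"; anything
    # else raises, and with no handler the service halts with a traceback.
    kind, value = payload.split(b":", 1)
    if kind != b"NAME":
        raise ValueError(f"unexpected record kind {kind!r}")
    return value.decode("ascii")


def parse_name_safe(payload: bytes) -> tuple[bool, str]:
    # Hardened: bound the size before doing any work, trap every failure the
    # parser can raise, and hand back one generic result for all of them.
    if len(payload) > len(b"NAME:") + MAX_NAME_LEN:
        return REJECTED
    try:
        kind, value = payload.split(b":", 1)
        if kind != b"NAME":
            return REJECTED
        return True, value.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return REJECTED


# --- Race condition --------------------------------------------------------
def simulate_shared_write(schedule: list[str], use_lock: bool) -> dict[str, str]:
    """Deterministic model of the two-thread example: T1 stores "A" and T2
    stores "Z" in the same memory location, then each loads it back.
    `schedule` is the order in which the scheduler lets the threads take one
    step each; with use_lock the store-then-load pair runs inside a lock, so
    the other thread cannot slip in between the two operations."""
    memory = {"x": None}
    seen: dict[str, str] = {}
    lock_owner: list[str | None] = [None]

    def worker(tid: str, value: str):
        if use_lock:
            while lock_owner[0] not in (None, tid):
                yield  # blocked: the other thread holds the lock
            lock_owner[0] = tid
        memory["x"] = value  # store
        yield
        seen[tid] = memory["x"]  # load back what "we" stored
        if use_lock:
            lock_owner[0] = None
        yield

    alive = {"T1": worker("T1", "A"), "T2": worker("T2", "Z")}

    def step(tid: str) -> None:
        try:
            next(alive[tid])
        except StopIteration:
            del alive[tid]

    for tid in schedule:  # run the requested interleaving first...
        if tid in alive:
            step(tid)
    while alive:  # ...then let whatever is still runnable finish
        for tid in list(alive):
            step(tid)
    return seen


if __name__ == "__main__":
    hostile = "x; rm -rf / #"
    print("shell would see:", lookup_command_unsafe(hostile))
    try:
        lookup_argv_safe(hostile)
    except ValueError as err:
        print("safe lookup rejected input:", err)
    print(parse_name_safe(b"NAME:alice"), parse_name_safe(b"garbage"))
    interleaving = ["T1", "T2", "T1", "T2"]
    print("no lock:", simulate_shared_write(interleaving, use_lock=False))
    print("lock:   ", simulate_shared_write(interleaving, use_lock=True))
```

    With the interleaving T1-store, T2-store, T1-load, T2-load and no lock, T1 reads back Z, exactly the lost update described above; with the lock, T2 is blocked until T1 has finished its store-and-load, so T1 reads back A. The same pattern applies to real threads: the fix is not to hope the scheduler is kind but to make the store-and-load pair atomic.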

    Difficulties in Defending Against Attacks The challenge of keeping computers secure has never been greater, not only because of continual attacks but also because of the difficulties faced in defending against these attacks. These difficulties include the following:

    • Universally connected devices. Today virtually every technology device—not only traditional computers but even programmable thermostats and light bulbs—is connected to the Internet. Although this provides enormous benefits, it also makes it easy for an attacker halfway around world to silently launch an attack against a connected device.

    • Increased speed of attacks. With modern tools at their disposal, attackers can quickly scan millions of devices to find weaknesses and launch attacks with unprecedented speed. Most attack tools initiate new attacks without any human participation, thus increasing the speed at which systems are attacked.

    • Greater sophistication of attacks. Attacks are becoming more complex, making it more difficult to detect and defend against them. Many attackers use common protocols to distribute their attacks, making it more difficult to distinguish an attack from legitimate traffic. Other attack tools vary their behavior so the same attack appears differently each time, further complicating detection.

    • Availability and simplicity of attack tools. At one time an attacker needed to have an extensive technical knowledge of networks and computers as well as the ability to write a program to generate an attack. Today that is no longer the case. Modern software attack tools do not require sophisticated knowledge on the part of the attacker. In fact, many of the tools, such as the Kali Linux interface shown in Figure 1-1, have a graphical user interface (GUI) that allows the user to easily select options from a menu. These tools are generally freely available.

    Figure 1-1 Menu of attack tools Source: Kali Linux

    In addition, attackers who create attack tools will often then sell these tools to other attackers.

    • Faster detection of vulnerabilities. Weaknesses in hardware and software can be more quickly uncovered and exploited with new software tools and techniques. Often an attacker may find a vulnerability and initiate an attack taking advantage of it even before users or security professionals are aware of the vulnerability. This is called a zero-day attack, since there are zero days of warning ahead of this new threat.

    • Delays in security updating. Hardware and software vendors are overwhelmed trying to keep pace with updating their products against attacks. One antivirus software security institute receives more than 390,000 submissions of potential malware each day.16 At this rate the antivirus vendors would have to create and distribute updates every few seconds to keep users fully protected. This delay in distributing security updates adds to the difficulties in defending against attacks.

    • Weak security update distribution. Vendors of mainstream products, such as Microsoft, Apple, and Adobe, have a system for notifying users of security updates for their products and distributing them on a regular basis, but few other software vendors have invested in these costly distribution systems. Users are generally unaware that a security update even exists for a product because there is no reliable means for the vendor to alert the user. Also, these vendors often do not create small security updates that patch the existing software; instead, they fix the problem in an entirely new version of the software—and then require the user to pay for the updated version that contains the patch.

    Note

    Smartphone owners, unlike owners of computers and laptops, generally cannot install operating system security updates on their own schedule. Updates must be released by the device vendor and, for many devices, approved and distributed by the wireless carrier. Many carriers do not provide security updates on a timely basis, if at all.

    • Distributed attacks. Attackers can use millions of computers or devices under their control in an attack against a single server or network. This “many against one” approach makes it virtually impossible to stop an attack by identifying and blocking a single source.

    • Use of personal devices. Many enterprises allow employees to use and connect their personal devices to the company’s network. This has made it difficult for IT departments to provide adequate security for an almost endless array of devices that they do not own.

    • User confusion. Increasingly, users are called upon to make difficult security decisions regarding their computer systems, sometimes with little or no information to guide them. It is not uncommon for a user to be asked security questions such as “Do you want to view only the content that was delivered securely?” or “Is it safe to quarantine this attachment?” or “Do you want to install this add-on?” With little or no direction, these untrained users are inclined to provide answers to questions without understanding the security risks.

    Table 1-2 summarizes the reasons why it is difficult to defend against today’s attacks.

    Table 1-2 Difficulties in defending against attacks

    Reason | Description
    Universally connected devices | Attackers from anywhere in the world can send attacks.
    Increased speed of attacks | Attackers can launch attacks against millions of computers within minutes.
    Greater sophistication of attacks | Attack tools vary their behavior so the same attack appears differently each time.
    Availability and simplicity of attack tools | Attacks are no longer limited to highly skilled attackers.
    Faster detection of vulnerabilities | Attackers can discover security holes in hardware or software more quickly.
    Delays in security updating | Vendors are overwhelmed trying to keep pace updating their products against the latest attacks.
    Weak security update distribution | Many software products lack a means to distribute security updates in a timely fashion.
    Distributed attacks | Attackers use thousands of computers in an attack against a single computer or network.
    Use of personal devices | Enterprises are having difficulty providing security for a wide array of personal devices.
    User confusion | Users are required to make difficult security decisions with little or no instruction.

    88781_ch01_hr_001-050.indd 16 8/10/17 4:10 AM

    Copyright 2018 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203

    What Is Information Security?

    Certification

    5.3 Explain risk management processes and concepts.

    Before it is possible to defend against attacks, it is necessary to understand exactly what security is and how it relates to information security. Also, knowing the terminology used can be helpful when creating defenses for computers. Understanding the importance of information security is also critical.


    Understanding Security

    What is security? The word comes from the Latin, meaning free from care. Sometimes security is defined as the state of being free from danger, which is the goal of security. It is also defined as the measures taken to ensure safety, which is the process of security. Since complete security can never be fully achieved, the focus of security is more often on the process instead of the goal. In this light, security can be defined as the necessary steps to protect from harm.

    It is important to understand the relationship between security and convenience. As security is increased, convenience is often decreased. That is, the more secure something is, the less convenient it may become to use (security is said to be inversely proportional to convenience). This is illustrated in Figure 1-2. Consider a typical house. A homeowner might install an automated alarm system that requires a code to be entered on a keypad within 30 seconds of entering the house. Although the alarm system makes the house more secure, it is less convenient than just walking into the house. Thus, security may be understood as sacrificing convenience for safety.

    Figure 1-2 Relationship of security to convenience (axes: Security, Convenience)

    Defining Information Security

    Several terms are used when describing security in an IT environment: computer security, IT security, cybersecurity, and information assurance, to name just a few. Whereas each has its share of proponents and slight variations of meanings, the term information security may be the most appropriate because it is the broadest: protecting information from harm. Information security is often used to describe the tasks of securing information that is in a digital format, whether it be manipulated by a microprocessor (such as on a personal computer), preserved on a storage device (like a hard drive or USB flash drive), or transmitted over a network (such as a local area network or the Internet).

    Information security cannot completely prevent successful attacks or guarantee that a system is totally secure, just as the security measures taken for a house can never guarantee complete safety from a burglar. The goal of information security is to ensure that protective measures are properly implemented to ward off attacks and prevent the total collapse of the system when a successful attack does occur. Thus, information security is first protection.

    Second, information security is intended to protect information that provides value to people and enterprises. There are three protections that must be extended over information: confidentiality, integrity, and availability—or CIA:

    1. Confidentiality. It is important that only approved individuals can access important information. For example, the credit card number used to make an online purchase must be kept secure and not made available to other parties. Confidentiality ensures that only authorized parties can view the information. Providing confidentiality can involve several different security tools, ranging from software to scramble the credit card number stored on the web server to door locks to prevent access to those servers.

    2. Integrity. Integrity ensures that the information is correct and no unauthorized person or malicious software has altered the data. In the example of the online purchase, an attacker who could change the amount of a purchase from $10,000.00 to $1.00 would violate the integrity of the information.

    3. Availability. Information has value if the authorized parties who are assured of its integrity can access the information. Availability ensures that data is accessible to authorized users. This means that the information cannot be “locked up” so tight that no one can access it. It also means that attackers have not performed an attack so that the data cannot be reached. In this example the total number of items ordered as the result of an online purchase must be made available to an employee in a warehouse so that the correct items can be shipped to the customer.

    Because this information is stored on computer hardware, manipulated by software, and transmitted by communications, each of these areas must be protected. The third objective of information security is to protect the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information.

    Note

    Information security should not be viewed as a war to be won or lost. Just as crimes such as burglary can never be completely eradicated, neither can attacks against technology devices. The goal is not a complete victory but instead maintaining equilibrium: as attackers take advantage of a weakness in a defense, defenders must respond with an improved defense. Information security is an endless cycle between attacker and defender.

    This protection is achieved through a process that is a combination of three entities. As shown in Figure 1-3 and Table 1-3, information and the hardware, software, and communications are protected in three layers: products, people, and policies and procedures. The procedures enable people to understand how to use products to protect information.

    Figure 1-3 Information security layers (Information, whether stored, processed, or transmitted, is protected for Confidentiality, Integrity, and Availability by three surrounding layers: Products, People, and Policies and procedures)

    Table 1-3 Information security layers

    Layer | Description
    Products | Form the security around the data. May be as basic as door locks or as complicated as network security equipment.
    People | Those who implement and properly use security products to protect data.
    Policies and procedures | Plans and policies established by an enterprise to ensure that people correctly use the products.

    Thus, information security may be defined as that which protects the integrity, confidentiality, and availability of information through products, people, and procedures on the devices that store, manipulate, and transmit the information.

    Information Security Terminology

    As with many advanced subjects, information security has its own set of terminology. The following scenario helps to illustrate information security terms and how they are used.

    Suppose that Ellie wants to purchase a new motorized Italian scooter to ride from her apartment to school and work. However, because several scooters have been stolen near her apartment she is concerned about its protection. Although she parks the scooter in the gated parking lot in front of her apartment, a hole in the fence surrounding the apartment complex makes it possible for someone to access the parking lot without restriction. The threat to Ellie’s scooter is illustrated in Figure 1-4.

    Ellie’s new scooter is an asset, which is defined as an item that has value. In an enterprise, assets have the following qualities: they provide value to the enterprise; they cannot easily be replaced without a significant investment in expense, time, worker skill, and/or resources; and they can form part of the enterprise’s corporate identity. Based on these qualities not all elements of an enterprise’s information technology infrastructure may be classified as an asset. For example, a faulty desktop computer that can easily be replaced would generally not be considered an asset, yet the information contained on that computer can be an asset. Table 1-4 lists a description of the elements of an enterprise’s information technology infrastructure and whether they would normally be considered as an asset.

    Figure 1-4 Information security components analogy: Scooter (asset); Thief (threat actor); Theft of scooter (threat); Fence hole (vulnerability); Attack vector (go through fence hole); Stolen scooter (risk)


    What Ellie is trying to protect her scooter from is a threat, which is a type of action that has the potential to cause harm. Information security threats are events or actions that represent a danger to information assets. A threat by itself does not mean that security has been compromised; rather, it simply means that the potential for creating a loss is real. For Ellie, the threat could result in the theft of her scooter; in information security, a threat can result in the corruption or theft of information, a delay in information being transmitted, or even the loss of good will or reputation.

    A threat actor is a person or element that has the power to carry out a threat. For Ellie, the threat actor is a thief. In information security, a threat actor could be a person attempting to break into a secure computer network. It could also be malicious software that attacks the computer network, or even a force of nature such as a hurricane that could destroy computer equipment and its information.

    Ellie wants to protect her scooter and is concerned about a hole in the fencing around her apartment. The hole in the fencing is a vulnerability, which is a flaw or weakness that allows a threat actor to bypass security. An example of a vulnerability that information security must deal with is a software defect in an operating system that allows an unauthorized user to gain control of a computer without the user’s knowledge or permission.

    If a thief can get to Ellie’s scooter because of the hole in the fence, then that thief is taking advantage of the vulnerability. This is known as exploiting the vulnerability through an attack vector, or the means by which an attack can occur. The attack surface is the sum of all the different attack vectors. An attacker, knowing that a flaw in a web server’s operating system has not been patched, is using the attack vector (exploiting the vulnerability) to steal user passwords.

    Table 1-4 Information technology assets

    Element name | Description | Example | Critical asset?
    Information | Data that has been collected, classified, organized, and stored in various forms | Customer, personnel, production, sales, marketing, and finance databases | Yes: Extremely difficult to replace
    Customized business software | Software that supports the business processes of the enterprise | Customized order transaction application | Yes: Unique and customized for the enterprise
    System software | Software that provides the foundation for application software | Operating system | No: Can be easily replaced
    Physical items | Computer equipment, communications equipment, storage media, furniture, and fixtures | Servers, routers, DVDs, and power supplies | No: Can be easily replaced
    Services | Outsourced computing services | Voice and data communications | No: Can be easily replaced

    Ellie must decide: what is the likelihood that the threat will come to fruition and her scooter stolen? This can be understood in terms of risk. A risk is a situation that involves exposure to some type of danger. There are different options available when dealing with risks, called risk response techniques:

    • Accept. To accept risk simply means that the risk is acknowledged but no steps are taken to address it. In Ellie’s case, she could accept the risk and buy the new scooter, knowing there is the chance of it being stolen by a thief entering through a hole in the fence.

    • Transfer. Ellie could transfer the risk to a third party. She can do this by purchasing insurance so that the insurance company absorbs the loss and pays if the scooter is stolen. This is known as risk transfer.

    • Avoid. To avoid risk involves identifying the risk but making the decision to not engage in the activity. Ellie could decide based on the risk of the scooter being stolen that she will not purchase the new scooter.

    • Mitigate. To mitigate risk is the attempt to address risk by making the risk less serious. Ellie could complain to the apartment manager about the hole in the fence to have it repaired.
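The four responses above can be compared in numbers. The following is an added example, not from the book: it treats risk as asset value times likelihood, and every dollar figure and probability in it (scooter value, theft chance, insurance premium and deductible, repair cost, bus fares) is a constructed assumption for Ellie’s scenario.

```python
"""Comparing Ellie's four risk responses in numbers (added example, not from the book).

Assumptions (all constructed for illustration): the scooter is worth $3,000, the
chance of theft through the fence hole is 20% per year, insurance costs $250 per
year with a $200 deductible, repairing the fence and adding a lock costs $60 per
year and cuts the theft chance to 5%, and not buying the scooter means $900 per
year in bus fares instead.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """A risk in the book's vocabulary: a threat realised through a vulnerability."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: float   # dollars lost if the threat is realised
    likelihood: float    # probability per year that it is realised


@dataclass(frozen=True)
class Response:
    """One risk response technique and what it changes."""
    technique: str              # accept, transfer, avoid or mitigate
    annual_cost: float          # what applying the response costs per year
    residual_likelihood: float  # likelihood that remains after the response
    residual_exposure: float    # share of the loss still borne by the owner (0..1)


def expected_loss(risk: Risk) -> float:
    """Expected annual loss with no response: asset value times likelihood."""
    return round(risk.asset_value * risk.likelihood, 2)


def residual_cost(risk: Risk, response: Response) -> float:
    """Annual cost of the response plus the loss still expected after it."""
    remaining = risk.asset_value * response.residual_likelihood * response.residual_exposure
    return round(response.annual_cost + remaining, 2)


def rank_responses(risk: Risk, responses: List[Response]) -> List[Tuple[str, float]]:
    """Order the responses from cheapest to most expensive total annual cost."""
    scored = [(r.technique, residual_cost(risk, r)) for r in responses]
    return sorted(scored, key=lambda pair: pair[1])


# Constructed sample data for the scenario in the text.
SCOOTER = Risk(
    asset="scooter", threat="theft", vulnerability="hole in fence",
    asset_value=3000.0, likelihood=0.20,
)

ELLIE_RESPONSES = [
    # Accept: acknowledge the risk, take no steps; the whole loss stays with Ellie.
    Response("accept", annual_cost=0.0, residual_likelihood=0.20, residual_exposure=1.0),
    # Transfer: pay an insurance premium; beyond the deductible the insurer absorbs the loss.
    Response("transfer", annual_cost=250.0, residual_likelihood=0.20,
             residual_exposure=200.0 / 3000.0),
    # Avoid: do not buy the scooter; no theft is possible, but bus fares are paid instead.
    Response("avoid", annual_cost=900.0, residual_likelihood=0.0, residual_exposure=0.0),
    # Mitigate: repair the fence and add a lock; theft becomes much less likely.
    Response("mitigate", annual_cost=60.0, residual_likelihood=0.05, residual_exposure=1.0),
]

if __name__ == "__main__":
    print(f"Expected loss with no response: ${expected_loss(SCOOTER):,.2f}")
    for technique, cost in rank_responses(SCOOTER, ELLIE_RESPONSES):
        print(f"{technique:>9}: ${cost:,.2f} per year")
```

Under these assumptions mitigation is the cheapest choice and avoidance the most expensive, which is why the cost of a response has to be weighed against the loss it removes rather than chosen by name.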

    Note

    If the apartment manager posted signs in the area that said “Trespassers will be punished to the full extent of the law” this would be called risk deterrence. Risk deterrence involves understanding something about attackers and then informing them of the harm that could come their way if they attack an asset.

    Table 1-5 summarizes these information security terms.

    Table 1-5 Information security terminology

    Term | Example in Ellie’s scenario | Example in information security
    Asset | Scooter | Employee database
    Threat | Steal scooter | Steal data
    Threat actor | Thief | Attacker, hurricane
    Vulnerability | Hole in fence | Software defect
    Attack vector | Climb through hole in fence | Access web server passwords through flaw in operating system
    Likelihood | Probability of scooter stolen | Likelihood of virus infection
    Risk | Stolen scooter | Virus infection or stolen data


    Understanding the Importance of Information Security

    Information security is important to enterprises as well as to individuals. That is because information security can be helpful in preventing data theft, thwarting identity theft, avoiding the legal consequences of not securing information, maintaining productivity, and foiling cyberterrorism.

    Preventing Data Theft

    Security is often associated with theft prevention: Ellie could park her scooter in a locked garage to prevent it from being stolen. The same is true with information security: preventing data from being stolen is often cited by enterprises as a primary objective of their information security. Enterprise data theft involves stealing proprietary business information, such as research for a new drug or a list of customers that competitors would be eager to acquire. Stealing user personal data such as credit card numbers is also a prime action of attackers. This data can then be used to purchase thousands of dollars of merchandise online before the victim is even aware the number has been stolen.

    Note

    There are different types of fraud associated with credit card theft. Creating counterfeit debit and credit cards is called existing-card fraud, while new-account fraud occurs when new card accounts are opened in the name of the victim without their knowledge. Card-not-present fraud occurs when a thief uses stolen card information in an online purchase and does not actually have the card in hand.

    Note

    In some instances, thieves have bought cars and even houses by taking out loans in someone else’s name.

    Thwarting Identity Theft

    Identity theft involves stealing another person’s personal information, such as a Social Security number, and then using the information to impersonate the victim, generally for financial gain. The thieves often create new bank or credit card accounts under the victim’s name and then large purchases are charged to these accounts, leaving the victim responsible for the debts and ruining his credit rating.

    One of the areas of identity theft that is growing most rapidly involves identity thieves filing fictitious income tax returns with the U.S. Internal Revenue Service (IRS). Identity thieves who steal a filer’s Social Security number will then file a fake income tax return claiming a large refund—often larger than the victim is entitled to—that is sent to the attacker. Because the IRS has been sending refunds more quickly than in the past, thieves can receive the refund and then disappear before the victim files a legitimate return and the fraud is detected. The IRS delivered over $5.8 billion in refund checks to identity thieves who filed fraudulent tax returns in one year, even though it stopped about 3 million fraudulent returns for that year.17 Tax identity thieves are also known to set up fake tax preparation service centers to steal tax information from victims. One group filed $3.4 million worth of fraudulent returns through a sham tax preparation business.18

    Note

    There have also been instances of identity thieves filing fake tax returns while using the victims’ actual mailing addresses, then bribing postal workers to intercept the refund checks before they are delivered. One postal employee was convicted of stealing over 100 refund envelopes sent to addresses along his route.19

    Avoiding Legal Consequences

    Several federal and state laws have been enacted to protect the privacy of electronic data. Businesses that fail to protect data they possess may face serious financial penalties. Some of these laws include the following:

    • The Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare enterprises must guard protected healthcare information and implement policies and procedures to safeguard it, whether it be in paper or electronic format. Those who wrongfully disclose individually identifiable health information can be fined up to $50,000 for each violation up to a maximum of $1.5 million per calendar year and sentenced up to 10 years in prison.

    Note

    HIPAA regulations have been expanded to include all third-party business associate organizations that handle protected healthcare information. Business associates are defined as any subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a covered HIPAA entity. These associates must now comply with the same HIPAA security and privacy procedures.


    • The Sarbanes-Oxley Act of 2002 (Sarbox). As a reaction to a rash of corporate fraud, the Sarbanes-Oxley Act (Sarbox) is an attempt to fight corporate corruption. Sarbox covers the corporate officers, auditors, and attorneys of publicly traded companies. Stringent reporting requirements and internal controls on electronic financial reporting systems are required. Corporate officers who willfully and knowingly certify a false financial report can be fined up to $5 million and serve 20 years in prison.

    • The Gramm-Leach-Bliley Act (GLBA). Like HIPAA, the Gramm-Leach-Bliley Act (GLBA) passed in 1999 protects private data. GLBA requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. All electronic and paper data containing personally identifiable financial information must be protected. The penalty for noncompliance for a class of individuals is up to $500,000.

    • Payment Card Industry Data Security Standard (PCI DSS). The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that all companies that process, store, or transmit credit or debit card information must follow. PCI applies to any enterprise or merchant, regardless of its size or number of card transactions, that processes transactions either online or in person. The maximum penalty for not complying is $100,000 per month.

    • State notification and security laws. Since the passage of California’s Database Security Breach Notification Act in 2003, all other states (except for Alabama, New Mexico, and South Dakota) have passed similar notification laws. These laws typically require businesses to inform residents within a specific period (typically 48 hours) if a breach of personal information has or is believed to have occurred. In addition, several states are strengthening their information security laws. For example, Connecticut requires any enterprise doing business in the state to scramble (encrypt) all sensitive personal data that is being transmitted over a public Internet connection or stored on portable devices like a USB flash drive, and companies must notify any potential victims of a data breach within 90 days of the attack and offer at least one year of identity theft prevention services. Oregon’s law includes protection of an individual’s healthcare information while New Hampshire requires the state’s education department to notify students and teachers if their personal data was possibly stolen.

    The penalties for violating these laws can be sizeable. Enterprises must make every effort to keep electronic data secure from hostile outside forces to ensure compliance with these laws and avoid serious legal consequences.

    Maintaining Productivity

    Cleaning up after an attack diverts time, money, and other resources away from normal activities. Employees cannot be productive and complete important tasks during or after an attack because computers and networks cannot function properly. Table 1-6 provides a sample estimate of the lost wages and productivity during an attack and the subsequent cleanup.

    Table 1-6 Cost of attacks

    Number of total employees | Average hourly salary | Number of employees to combat attack | Hours required to stop attack and clean up | Total lost salaries | Total lost hours of productivity
    100 | $25 | 1 | 48 | $4066 | 81
    250 | $25 | 3 | 72 | $17,050 | 300
    500 | $30 | 5 | 80 | $28,333 | 483
    1000 | $30 | 10 | 96 | $220,000 | 1293

    Note

    The single most expensive malicious attack was the Love Bug in 2000, which cost an estimated $8.7 billion.20

    Foiling Cyberterrorism

    The FBI defines cyberterrorism as any “premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against noncombatant targets by subnational groups or clandestine agents.”21 Unlike an attack that is designed to steal information or erase a user’s hard disk drive, cyberterrorism attacks are intended to cause panic or provoke violence among citizens. Attacks are directed at targets such as the banking industry, military installations, power plants, air traffic control centers, and water systems. These are desirable targets because they can significantly disrupt the normal activities of a large population. For example, disabling an electrical power plant could cripple businesses, homes, transportation services, and communications over a wide area.

    Note

    One of the challenges in combatting cyberterrorism is that many of the prime targets are not owned and managed by the federal government. Because these are not centrally controlled, it is difficult to coordinate and maintain security.


    Note

    Some security experts maintain that East European threat actors are mostly focused on activities to steal money from individuals, whereas cybercriminals from East Asia are more interested in stealing data from governments or enterprises. This results in different approaches to their attacks. East European cybercriminals tend to use custom-built, highly complex malware while East Asian attackers use off-the-shelf malware and simpler techniques. Also, East European attackers work in small, tightly knit teams that directly profit from their attacks. East Asian threat actors usually are part of a larger group of attackers who work at the direction of large institutions from which they receive instructions and financial backing.

    Who Are the Threat Actors?

    Certification

    1.3 Explain threat actor types and attributes.

    Threat actor is a generic term used to describe individuals who launch attacks against other users and their computers (another generic word is simply attackers). Many threat actors belong to organized gangs of young attackers, often clustered in Eastern European, Asian, and Third World regions, who meet in hidden online dark web forums to trade information, buy and sell stolen data and attacker tools, and even coordinate attacks.

    Whereas at one time the reason for attacking a computer was to show off the attacker’s technology skills (fame), today threat actors have a more focused goal of financial gain: to exploit vulnerabilities that can generate income (fortune). This financial cybercrime is often divided into two categories. The first category focuses on individuals as the victims. The threat actors steal and use stolen data, credit card numbers, online financial account information, or Social Security numbers to profit from their victims, or send millions of spam emails to peddle counterfeit drugs, pirated software, fake watches, and pornography. The second category focuses on enterprises and governments. Threat actors attempt to steal research on a new product from an enterprise so that they can sell it to an unscrupulous foreign supplier who will then build an imitation model of the product to sell worldwide. This deprives the legitimate business of profits after investing hundreds of millions of dollars in product development, and because these foreign suppliers are in a different country they are beyond the reach of domestic enforcement agencies and courts. Governments are also the targets of threat actors: if the latest information on a new missile defense system can be stolen it can be sold—at a high price—to that government’s enemies.

    The attributes, or characteristic features, of the different groups of threat actors can vary widely. Some groups are very sophisticated (have developed a high degree of complexity) and have created a massive network of resources, while others are simply individuals just seeing what they can do. In addition, some groups have deep funding and resources while others have none. And whereas some groups of threat actors may work within the enterprise (internal) others are strictly external. Finally, the intent and motivation—the reason “why” behind the attacks—of the threat actors vary widely.

    In the past, the term hacker referred to a person who used advanced computer skills to attack computers, and variations of that term were also introduced (black hat hackers, white hat hackers, gray hat hackers). However, that term did not accurately reflect the different motives and goals of the attackers. Today threat actors are recognized in more distinct categories, such as script kiddies, hactivists, nation state actors, insiders, and others.

    Script Kiddies Script kiddies are individuals who want to attack computers yet they lack the knowledge of computers and networks needed to do so. Script kiddies instead do their work by downloading freely available automated attack software (called open-source intelligence or scripts) from websites and using it to perform malicious acts. Figure 1-5 illustrates the skills needed for creating attacks. Over 40 percent of attacks require low or no skills and are frequently conducted by script kiddies.

    Figure 1-5 Skills needed for creating attacks: No skills (13%), Low skills (28%), Moderate skills (44%), High skills (15%)

    Hactivists Hactivists are a group that is strongly motivated by ideology (attacking for the sake of their principles or beliefs). Hactivists (a combination of the words hack and activism) are generally not considered to be a well-defined and well-organized group of threat agents. Attacks by hactivists can involve breaking into a website and changing the contents on the site as a means of making a political statement (one hactivist group changed the website of the U.S. Department of Justice to read Department of Injustice). In addition to attacks as a means of protest or to promote a political agenda, other attacks can be retaliatory. For example, hactivists may disable the website belonging to a bank because that bank stopped accepting online payments that were deposited into accounts belonging to the hactivists.


    Note

    Most hactivists do not explicitly call themselves hacktivists. The term is more commonly used by security researchers and journalists to distinguish them from other types of threat actors.

    It is estimated that there are thousands of hacktivist groups worldwide supporting a wide variety of causes. Some groups are opposing a specific government, country, or other entity, while others express no particular allegiances.

    Note

    Many security researchers believe that nation state actors might be the deadliest of any threat actors. When fortune motivates a threat actor but the target’s defenses are too strong, the attacker simply moves on to another promising target with less-effective defenses. With nation state actors, however, the target is very specific and the attackers keep working until they are successful, showing both deep resources and tenacity. This is because state-sponsored attackers are highly skilled and have enough government resources to breach almost any security defense.

    Nation State Actors Instead of using an army to march across the battlefield to strike an adversary, governments are increasingly employing their own state-sponsored attackers to launch computer attacks against their foes. These are known as nation state actors. Their foes may be foreign governments or even citizens of their own nation whom the government considers hostile or threatening. A growing number of attacks from nation state actors are directed toward businesses in foreign countries with the goal of causing financial harm or damage to the enterprise’s reputation.

    Nation state actors are known for being well-resourced and highly trained attackers. They often are involved in multiyear intrusion campaigns targeting highly sensitive economic, proprietary, or national security information. This has created a new class of attacks called Advanced Persistent Threat (APT). These attacks use innovative attack tools (advanced) and once a system is infected it silently extracts data over an extended period (persistent). APTs are most commonly associated with nation state actors.

    Insiders Another serious threat to an enterprise comes from its own employees, contractors, and business partners, called insiders. For example, a healthcare worker disgruntled about being passed over for a promotion might illegally gather health records on celebrities and sell them to the media, or a securities trader who loses billions of dollars on bad stock bets could use her knowledge of the bank’s computer security system to conceal the losses through fake transactions. In one study, it was determined that 58 percent of the breaches of an enterprise were attributed to insiders who abused their right to access corporate information.22 These attacks are harder to recognize because they come from within the enterprise yet may be costlier than attacks from the outside.

    Although some insider attacks consist of sabotage (from employees who have been formally reprimanded or demoted) or are the result of bribery or blackmail, most insider attacks involve the theft of data. Because most of these thefts occur within 30 days of an employee resigning, the offenders may actually believe that the accumulated data is owned by them and not the enterprise.

    Note

    In recent years insiders have stolen large volumes of sensitive information and then published it. The purpose is to alert citizens about clandestine governmental actions and to pressure the government to change its policies.

    Other Threat Actors In addition, there are other categories of threat actors. These are summarized in Table 1-7.

    Table 1-7 Descriptions of other attackers

    Threat actor: Competitors
    Description: Launch attacks against an opponent’s system to steal classified information.
    Explanation: Competitors may steal new product research or a list of current customers to gain a competitive advantage.

    Threat actor: Organized crime
    Description: Moving from traditional criminal activities to more rewarding and less risky online attacks.
    Explanation: Criminal networks are usually run by a small number of experienced online criminals who do not commit crimes themselves but act as entrepreneurs.

    Threat actor: Brokers
    Description: Sell their knowledge of a vulnerability to other attackers or governments.
    Explanation: Individuals who uncover vulnerabilities do not report them to the software vendor but instead sell them to the highest bidder, who is willing to pay a high price for the unknown vulnerability.

    Threat actor: Cyberterrorists
    Description: Attack a nation’s network and computer infrastructure to cause disruption and panic among citizens.
    Explanation: Targets may include a small group of computers or networks that can affect the largest number of users, such as the computers that control the electrical power grid of a state or region.


    Defending Against Attacks

    Certification: 3.1 Explain use cases and purpose for frameworks, best practices and secure configuration guides.

    How can a computer or network be defended against the many attacks from a variety of threat actors? Protection calls for following five fundamental security principles. In addition, following established frameworks and architectures is important.

    Fundamental Security Principles Although multiple defenses may be necessary to withstand an attack, these defenses should be based on five fundamental security principles: layering, limiting, diversity, obscurity, and simplicity. These principles provide a foundation for building a secure system.

    Layering The Crown Jewels of England, which are worn during coronations and important state functions, have a dollar value of over $32 million yet are virtually priceless as symbols of English culture. How are precious stones like the Crown Jewels protected from theft? They are not openly displayed on a table for anyone to pick up. Instead, they are enclosed in protective cases with 2-inch thick glass that is bullet-proof, smash-proof, and resistant to almost any outside force. The cases are in a special room with massive walls and sensors that can detect slight movements or vibrations. The doors to the room are monitored around the clock by remote security cameras, and the video images from each camera are recorded. The room itself is in the Tower of London, surrounded by roaming guards and fences. In short, these precious stones are protected by layers of security. If one layer is penetrated—such as the thief getting into the building—several more layers must still be breached, and each layer is often more difficult or complicated than the previous. A layered approach has the advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks.

    Note

    The Jewel House, which holds the Crown Jewels in the Tower of London, is actually located inside an Army barracks that is staffed with soldiers.

    Likewise, information security must be created in layers. If only one defense mechanism is in place, an attacker only has to circumvent that single defense. Instead, a security system must have layers, making it unlikely that an attacker has the tools and skills to break through all the layers of defenses. A layered security approach, also called defense-in-depth, can be useful in resisting a variety of attacks. Layered security provides the most comprehensive protection.

    Limiting Consider again protecting the Crown Jewels of England. Although the jewels may be on display for the general public to view, permitting anyone to touch them increases the chances that they will be stolen. Only approved personnel should be authorized to handle the jewels. Limiting who can access the jewels reduces the threat against them.

    The same is true with information security. Limiting access to information reduces the threat against it. This means that only those personnel who must use the data should have access to it. In addition, the type of access they have should be limited to what those people need to perform their jobs. For example, access to the human resource database for an enterprise should be limited to only employees who have a genuine need to access it, such as human resource personnel or vice presidents. And, the type of access also should be restricted: human resource employees may be able to view employee salaries but not change them.

    Note

    What level of access should users have? The correct answer is the least amount necessary to do their jobs, and no more.

    Some ways to limit access are technology-based, such as assigning file permissions so that a user can only read but not modify a file, while others are procedural, such as prohibiting an employee from removing a sensitive document from the premises. The key is that access must be restricted to the bare minimum. And although some personnel may balk at not being able to freely access any file or resource that they may choose, it is important that user training help instruct the employees as to the security reasons behind the restrictions.
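    The human resources example above ("may be able to view employee salaries but not change them") can be expressed as a deny-by-default permission check. The following is an added illustration, not code from the textbook; the role names, resource names and employees are constructed for it.

```python
"""Least-privilege ("limiting") check for the HR salary example.

Added illustration, not code from the textbook. Roles, resources and
employees below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

READ = "read"
WRITE = "write"

# Permission matrix: role -> resource -> actions explicitly granted.
# Nothing outside this table is allowed (deny by default), so a role that
# is missing, a resource that is unlisted, or an action that is not granted
# all evaluate to "denied".
ROLE_PERMISSIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
    # HR staff may view salaries but not change them.
    "hr_staff": {
        "hr_db.salaries": frozenset({READ}),
        "hr_db.contact_info": frozenset({READ, WRITE}),
    },
    # Vice presidents have a genuine need to view, nothing more.
    "vice_president": {
        "hr_db.salaries": frozenset({READ}),
    },
    # Only payroll administrators may change salary figures.
    "payroll_admin": {
        "hr_db.salaries": frozenset({READ, WRITE}),
    },
    # A role such as "engineer" has no entry at all: no HR access.
}


@dataclass(frozen=True)
class Employee:
    name: str
    roles: FrozenSet[str]


def is_authorized(employee: Employee, resource: str, action: str) -> bool:
    """True only if at least one of the employee's roles explicitly grants
    `action` on `resource`; everything else is denied."""
    for role in employee.roles:
        granted = ROLE_PERMISSIONS.get(role, {}).get(resource, frozenset())
        if action in granted:
            return True
    return False


def effective_permissions(employee: Employee) -> Dict[str, FrozenSet[str]]:
    """Union of all grants across the employee's roles, keyed by resource.
    Useful for an access review: the result should be no more than the job needs."""
    effective: Dict[str, FrozenSet[str]] = {}
    for role in employee.roles:
        for resource, actions in ROLE_PERMISSIONS.get(role, {}).items():
            effective[resource] = effective.get(resource, frozenset()) | actions
    return effective


def checked_access(employee: Employee, resource: str, action: str,
                   log: List[str]) -> bool:
    """Perform the check and record the decision, so denied attempts
    are visible to whoever reviews the log."""
    ok = is_authorized(employee, resource, action)
    log.append(f"{'ALLOW' if ok else 'DENY'} {employee.name} {action} {resource}")
    return ok


if __name__ == "__main__":
    audit: List[str] = []
    dana = Employee("Dana (HR)", frozenset({"hr_staff"}))
    lee = Employee("Lee (engineer)", frozenset({"engineer"}))
    checked_access(dana, "hr_db.salaries", READ, audit)    # ALLOW
    checked_access(dana, "hr_db.salaries", WRITE, audit)   # DENY
    checked_access(lee, "hr_db.salaries", READ, audit)     # DENY
    print("\n".join(audit))
```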

    Diversity Diversity is closely related to layering. Just as it is important to protect data with layers of security, the layers also must be different (diverse). This means that if attackers penetrate one layer, they cannot use the same techniques to break through all other layers. A jewel thief, for instance, might be able to foil the security camera by dressing in black clothing but should not be able to use the same technique to trick the motion detection system. Using diverse layers of defense means that breaching one security layer does not compromise the whole system.

    Information security diversity may be achieved in several ways. For example, some enterprises use security products provided by different manufacturers (vendor diversity). An attacker who can circumvent a security device from Manufacturer A could then use those same skills and knowledge to defeat all of the same devices used by the enterprise. However, if devices from Manufacturer A and similar devices from Manufacturer B were both used by the same enterprise, the attacker would have more difficulty trying to break through both types of devices because they would be different. Or, the groups who are responsible for regulating access to a system (control diversity) are also different, so that those who perform technical controls (using technology as a basis for controlling the access and usage of sensitive data) are different from those personnel who administer the broad administrative controls (regulating the human factors of security).

    Obscurity Suppose a thief plans to steal the Crown Jewels during a shift change of the security guards. When the thief observes the guards, however, she finds that the guards do not change shifts at the same time each night. On a given Monday they rotate shifts at 2:13 AM, while on Tuesday they rotate at 1:51 AM, and the following Monday at 2:24 AM. Because the shift changes cannot be known for certain in advance, the planned attack cannot be carried out. This technique is sometimes called security by obscurity: obscuring to the outside world what is on the inside makes attacks that much more difficult.

    An example of obscurity in information security would be not revealing the type of computer, version of operating system, or brand of software that is used. An attacker who knows that information could use it to determine the vulnerabilities of the system to attack it. However, if this information is concealed it is more difficult to attack the system, since nothing is known about it and it is hidden from the outside. Obscuring information can be an important means of protection.

    Note

    Although obscurity is an important element of defense, it is not the only element. Sometimes the design or implementation of a device is kept secret with the thinking that if attackers do not know how it works, then it is secure. This attempt at security through obscurity is flawed because it depends solely on secrecy as a defense.

    Simplicity Because attacks can come from a variety of sources and in many ways, information security is by its very nature complex. Yet the more complex it becomes, the more difficult it is to understand. A security guard who does not understand how motion detectors interact with infrared trip lights may not know what to do when one system alarm shows an intruder but the other does not. In addition, complex systems allow many opportunities for something to go wrong. In short, complex systems can be a thief’s ally.


    The same is true with information security. Complex security systems can be hard to understand, troubleshoot, and even feel secure about. As much as possible, a secure system should be simple for those on the inside to understand and use. Complex security schemes are often compromised to make them easier for trusted users to work with, yet this can also make it easier for the attackers. In short, keeping a system simple from the inside, but complex on the outside, can sometimes be difficult but reaps a major benefit.

    Frameworks and Reference Architectures The field of information security contains various supporting structures for implementing security. Known as industry-standard frameworks and reference architectures, these provide a resource on how to create a secure IT environment. Some frameworks/architectures give an overall program structure and security management guidance to implement and maintain an effective security program, while others contain in-depth technical guidelines. Various frameworks/architectures are specific to a particular sector (industry-specific frameworks), such as the financial industry, and may be required by external agencies that regulate the industry (regulatory); others are not required (non-regulatory). Finally, some frameworks/architectures are domestic while others are worldwide (national vs. international).

    Note

    Common security frameworks include ISO, NIST, COBIT, ETSI, RFC, and ISA/IEC.

    Chapter Summary

    • Attacks against information security have grown exponentially in recent years, even though billions of dollars are spent annually on security. No computer system is immune from attacks or can be considered completely secure.

    • There are many reasons for the high number of successful attacks. One reason is the number of widespread vulnerabilities that exist today. Because of the sheer number of vulnerabilities, it is difficult to identify and correct all of them. And not all hardware and software can even be corrected once a vulnerability is uncovered. Another reason is that hardware and software are not always properly configured, either because the default configurations are not strengthened or there is a misconfiguration, allowing the device to be compromised. Successful attacks are often the result of software that is poorly designed and has architecture/design weaknesses. These weaknesses include not properly handling input or handling errors. Hardware limitations can be exploited by attackers who consume more resources than intended, causing the system to become slow or even unable to respond to other users. There are also enterprise-based issues, such as vulnerable business processes that an attacker can exploit or the widespread “sprawl” of devices that have not been properly protected.

    • It is difficult to defend against today’s attacks for several reasons. These reasons include the fact that virtually all devices are connected to the Internet, the speed of the attacks, greater sophistication of attacks, the availability and simplicity of attack tools, faster detection of vulnerabilities by attackers, delays in security updating, weak security update distribution, distributed attacks coming from multiple sources, and user confusion.

    • Information security can be defined as that which protects the integrity, confidentiality, and availability of information through products, people, and procedures on the devices that store, manipulate, and transmit the information. As with many advanced subjects, information security has its own set of terminology. A threat is an event or action that represents a danger to information assets, which is something that has value. A threat actor is a person or element that has the power to carry out a threat, usually by exploiting a vulnerability, which is a flaw or weakness, through a threat vector. A risk is the likelihood that a threat agent will exploit a vulnerability.

    • The main goals of information security are to prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism.

    • The threat actors, or individuals behind computer attacks, fall into several categories and exhibit different attributes. Script kiddies do their work by downloading automated attack software from websites and then using it to break into computers. Hactivists are strongly motivated by their ideology and often attack to make a political statement. Nation state actors are employed by governments as state-sponsored attackers for launching computer attacks against foes. One serious threat to an enterprise comes from its employees, contractors, and business partners, known as insiders. Other threat actors include competitors, organized crime, brokers, and cyberterrorists.

    • Although multiple defenses may be necessary to withstand the steps of an attack, these defenses should be based on five fundamental security principles: layering, limiting, diversity, obscurity, and simplicity. In addition, there are various industry-standard frameworks and reference architectures that provide resources for how to create a secure IT environment.


    Key Terms

    accept
    administrative controls
    Advanced Persistent Threat (APT)
    architecture/design weaknesses
    asset
    attributes
    availability
    avoid
    competitors
    confidentiality
    control diversity
    default configurations
    defense-in-depth
    end-of-life system
    external
    funding and resources
    hactivists
    improper error handling
    improper input handling
    improperly configured accounts
    industry-specific frameworks
    industry-standard frameworks
    insiders
    integrity
    intent and motivation
    internal
    international
    lack of vendor support
    layered security
    misconfiguration
    mitigate
    nation state actors
    national
    new threat
    non-regulatory
    open-source intelligence
    organized crime
    race condition
    reference architectures
    regulatory
    resource exhaustion
    risk
    risk response techniques
    script kiddies
    sophisticated
    system sprawl
    technical controls
    threat
    threat actor
    transfer
    undocumented assets
    untrained users
    user training
    vendor diversity
    vulnerability
    vulnerable business processes
    weak configuration
    zero day

    Review Questions

    1. Ian recently earned his security certification and has been offered a promotion to a position that requires him to analyze and design security solutions as well as identifying users’ needs. Which of these generally recognized security positions has Ian been offered?
    a. Security administrator
    b. Security technician
    c. Security officer
    d. Security manager

    2. Alyona has been asked by her supervisor to give a presentation regarding reasons why security attacks continue to be successful. She has decided to focus on the issue of widespread vulnerabilities. Which of the following would Alyona NOT include in her presentation?
    a. Large number of vulnerabilities
    b. End-of-life systems
    c. Lack of vendor support
    d. Misconfigurations


    3. Tatyana is discussing with her supervisor potential reasons why a recent attack was successful against one of their systems. Which of the following configuration issues would NOT be covered?
    a. Default configurations
    b. Weak configurations
    c. Vulnerable business processes
    d. Misconfigurations

    4. What is a race condition?
    a. When a vulnerability is discovered and there is a race to see if it can be patched before it is exploited by attackers.
    b. When two concurrent threads of execution access a shared resource simultaneously, resulting in unintended consequences.
    c. When an attack finishes its operation before antivirus can complete its work.
    d. When a software update is distributed prior to a vulnerability being discovered.

    5. Which of the following is NOT a reason why it is difficult to defend against today’s attackers?
    a. Delays in security updating
    b. Greater sophistication of defense tools
    c. Increased speed of attacks
    d. Simplicity of attack tools

    6. Which of the following is NOT true regarding security?
    a. Security is a goal.
    b. Security includes the necessary steps to protect from harm.
    c. Security is a process.
    d. Security is a war that must be won at all costs.

    7. Adone is attempting to explain to his friend the relationship between security and convenience. Which of the following statements would he use?
    a. “Security and convenience are not related.”
    b. “Convenience always outweighs security.”
    c. “Security and convenience are inversely proportional.”
    d. “Whenever security and convenience intersect, security always wins.”

    8. Which of the following ensures that only authorized parties can view protected information?
    a. Authorization
    b. Confidentiality
    c. Availability
    d. Integrity

    9. Which of the following is NOT a successive layer in which information security is achieved?
    a. Products
    b. People
    c. Procedures
    d. Purposes

    10. Complete this definition of information security: That which protects the integrity, confidentiality, and availability of information ________.
    a. on electronic digital devices and limited analog devices that can connect via the Internet or through a local area network
    b. through a long-term process that results in ultimate security
    c. using both open-sourced as well as supplier-sourced hardware and software that interacts appropriately with limited resources
    d. through products, people, and procedures on the devices that store, manipulate, and transmit the information


    11. Which of the following is an enterprise critical asset?
    a. System software
    b. Information
    c. Outsourced computing services
    d. Servers, routers, and power supplies

    12. Gunnar is creating a document that explains risk response techniques. Which of the following would he NOT list and explain in his document?
    a. Extinguish risk
    b. Transfer risk
    c. Mitigate risk
    d. Avoid risk

    13. Which act requires banks and financial institutions to alert their customers of their policies in disclosing customer information?
    a. Sarbanes-Oxley Act (Sarbox)
    b. Financial and Personal Services Disclosure Act
    c. Health Insurance Portability and Accountability Act (HIPAA)
    d. Gramm-Leach-Bliley Act (GLBA)

    14. Why do cyberterrorists target power plants, air traffic control centers, and water systems?
    a. These targets are government-regulated and any successful attack would be considered a major victory.
    b. These targets have notoriously weak security and are easy to penetrate.
    c. They can cause significant disruption by destroying only a few targets.
    d. The targets are privately owned and cannot afford high levels of security.

    15. Which tool is most commonly associated with nation state threat actors?
    a. Closed-Source Resistant and Recurrent Malware (CSRRM)
    b. Advanced Persistent Threat (APT)
    c. Unlimited Harvest and Secure Attack (UHSA)
    d. Network Spider and Worm Threat (NSAWT)

    16. An organization that practices purchasing products from different vendors is demonstrating which security principle?
    a. Obscurity
    b. Diversity
    c. Limiting
    d. Layering

    17. What is an objective of state-sponsored attackers?
    a. To right a perceived wrong
    b. To amass fortune over fame
    c. To spy on citizens
    d. To sell vulnerabilities to the highest bidder

    18. Signe wants to improve the security of the small business where she serves as a security manager. She determines that the business needs to do a better job of not revealing the type of computer, operating system, software, and network connections they use. What security principle does Signe want to use?
    a. Obscurity
    b. Layering
    c. Diversity
    d. Limiting

    19. What are industry-standard frameworks and reference architectures that are required by external agencies known as?
    a. Compulsory
    b. Mandatory
    c. Required
    d. Regulatory

    20. What is the category of threat actors that sell their knowledge of vulnerabilities to other attackers or governments?
    a. Cyberterrorists
    b. Competitors
    c. Brokers
    d. Resource managers


    Hands-On Projects

    Project 1-1: Examining Data Breaches—Textual

    The Privacy Rights Clearinghouse (PRC) is a nonprofit organization whose goals are to raise consumers’ awareness of how technology affects personal privacy and empower consumers to take action to control their own personal information. The PRC maintains a searchable database of security breaches that impact consumers’ privacy. In this project, you gather information from the PRC website.

    1. Open a web browser and enter the URL www.privacyrights.org (if you are no longer able to access the site through the web address, use a search engine to search for “Privacy Rights Clearinghouse data breach”).
    2. First spend time reading about the PRC by clicking LEARN MORE.
    3. Click Data Breaches at the top of the page.
    4. In the search bar enter a school, organization, or business with which you are familiar to determine if it has been the victim of an attack in which your data has been compromised.
    5. Click Data Breaches to return to the main Data Breaches page.
    6. Now create a customized list of the data that will only list data breaches of educational institutions. Under Select organization type(s), check only EDU- Educational Institutions.
    7. Click Search Data Breaches.
    8. Read the Breach Subtotal information. How many breaches that were made public pertain to educational institutions? How many total records were stolen?
    9. Scroll down and observe the breaches for educational institutions.
    10. Scroll back to the top of the page. Click New Data Breach Search.
    11. Now search for breaches that were a result of lost, discarded, or stolen equipment that belonged to the government and military. Under Choose the type of breaches to display, check Portable device (PORT) – Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
    12. Under Select organization type(s), check GOV – Government & Military.
    13. Click Search Data Breaches.
    14. Read the Breach Subtotal by clicking the Download Results (CSV) file.
    15. Open the file and then scroll down the different breaches. What should the government be doing to limit these breaches?
    16. Scroll back to the top of the page. Click New Data Breach Search.
    17. Now create a search based on criteria that you are interested in, such as the Payment Card Fraud against Retail/Merchants during the current year.
    18. When finished, close all windows.


    Project 1-2: Examining Data Breaches—Visual

    In this project, you view the biggest data breaches resulting in stolen information through a visual format.

    1. Open your web browser and enter the URL http://www.informationisbeautiful.net /visualizations/worlds-biggest-data-breaches-hacks/ (if you are no longer able to access the site through this web address, use a search engine to search for “Information Is Beautiful World’s Biggest Data Breaches.”

    2. Click Hide Filter to display a visual graphic of the data breaches, as shown in Figure 1-6.

    3. Scroll down the page to view the data breaches. Note that the size of the breach is indicated by the size of the bubble.

    4. Scroll back up to the top and note the color of the bubbles that have an “Interesting Story.” Click one of the bubbles and read the story.

    5. Click Read a bit more.

    6. Click Click to see the original report.

    7. Read about the data breach. When finished, close only this tab in your browser.

    8. Click Show Filter to display the filter menu.

    9. Under Organisation, click Government.

    Figure 1-6 World’s biggest data breaches Source: Information is Beautiful


Lab Worksheet_4

Lab #4 Performing a Qualitative Risk Assessment for an IT Infrastructure

Introduction

Risk management begins with first identifying risks, threats, and vulnerabilities and then assessing them. Assessing risks means evaluating each risk in terms of two factors. First, evaluate the risk's likelihood of occurring. Second, evaluate the impact or consequences should the risk occur. Both likelihood and impact are needed to understand how each risk measures up against the others, and that comparison is what decides which risk or risks take priority. In short, assessing is a critical step toward the goal of mitigation.

Assessing risks can be done in one of two ways: quantitatively or qualitatively. Quantitatively means assigning numerical values or some objective, empirical value, for example, "Less than $1,000 to repair" or "Biweekly." Qualitatively means assigning wording or some quasi-subjective value; for example, a risk could be labeled critical, major, or minor.

In this lab, you will define the purpose of an IT risk assessment, align identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of a typical IT infrastructure, classify the risks, threats, and vulnerabilities, and prioritize them. Finally, you will write an executive summary that addresses the risk assessment findings, risk assessment impact, and recommendations to remediate areas of noncompliance.

Learning Objectives

Upon completing this lab, you will be able to:

- Define the purpose and objectives of an IT risk assessment.
- Align identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of a typical IT infrastructure.
- Classify identified risks, threats, and vulnerabilities according to a qualitative risk assessment template.
- Prioritize classified risks, threats, and vulnerabilities according to the defined qualitative risk assessment scale.
- Craft an executive summary that addresses the risk assessment findings, risk assessment impact, and recommendations to remediate areas of noncompliance.

 

 

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your

instructor:

1. Lab Report file;

2. Lab Assessments file.

 

 


 

Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.

www.jblearning.com Student Lab Manual

 

 

Hands-On Steps

Note: This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.

 

1. On your local computer, create the lab deliverable files.

2. Review the Lab Assessment Worksheet. You will find answers to these questions as you

proceed through the lab steps.

3. On your local computer, open a new Internet browser window.

4. Using your favorite search engine, search for information on the purpose of IT risk assessment.

5. In your Lab Report file, describe the purpose of IT risk assessment.

6. Review the following table for the risks, threats, and vulnerabilities found in a health care IT infrastructure servicing patients with life-threatening conditions:

Risks, Threats, and Vulnerabilities | Primary Domain Impacted | Risk Impact/Factor
------------------------------------|-------------------------|-------------------
Unauthorized access from public Internet | |
User destroys data in application and deletes all files | |
Hacker penetrates your IT infrastructure and gains access to your internal network | |
Intraoffice employee romance gone bad | |
Fire destroys primary data center | |
Service provider service level agreement (SLA) is not achieved | |
Workstation operating system (OS) has a known software vulnerability | |
Unauthorized access to organization-owned workstations | |
Loss of production data | |
Denial of service attack on organization Demilitarized Zone (DMZ) and e-mail server | |
Remote communications from home office | |
Local Area Network (LAN) server OS has a known software vulnerability | |
User downloads and clicks on an unknown e-mail attachment | |
Workstation browser has a software vulnerability | |
Mobile employee needs secure browser access to sales-order entry system | |
Service provider has a major network outage | |
Weak ingress/egress traffic-filtering degrades performance | |
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | |
Virtual Private Network (VPN) tunneling between remote computer and ingress/egress router is needed | |
Wireless Local Area Network (WLAN) access points are needed for LAN connectivity within a warehouse | |
Need to prevent eavesdropping on WLAN due to customer privacy data access | |
Denial of service (DoS)/distributed denial of service (DDoS) attack from the Wide Area Network (WAN)/Internet | |

(The Primary Domain Impacted and Risk Impact/Factor columns are left blank for you to complete in steps 8 and 9.)

7. Review the seven domains of a typical IT infrastructure (see Figure 1).

Figure 1 Seven domains of a typical IT infrastructure

8. In your Lab Report file, using the table from step 6, identify in the table's Primary Domain Impacted column which of the seven domains of a typical IT infrastructure will be most impacted by each risk, threat, or vulnerability listed.

 

 


 

Qualitative Versus Quantitative

The next step asks you to assign a score to each of the risks in the table from step 6. The scoring is done qualitatively, by assigning one of several labels on a scale. In this case, the scale is provided for you, ranging from Critical to Minor.

Using qualitative scores to assess risks is comparatively easy and quick. The alternative is to assess quantitatively, using actual, numerical scores. Using qualitative words such as "critical" or "major" introduces subjective opinion, while citing numbers such as "Damage to be more than $3 million" or "Will cause an outage of under four hours" introduces quantitative objectivity.

Quantitative scoring is more objective, but assessing risk this way can take much more time, because it requires you to dig up hard facts. For instance, you can score quantitatively by referring to your organization's history or claims records and answering questions such as "How often has this happened to us, or to others?" You can also assess risks numerically by researching the cost to recover from each loss.

It is possible to assess risks both quantitatively and qualitatively. For example, you could quantitatively score the likelihood and consequences of each risk ("under 10% chance," "X staff lives harmed or lost") but present the final score qualitatively ("critical," "needs to be addressed immediately").

 

9. In your Lab Report file, using the table from step 6, perform a qualitative risk assessment by assigning a risk impact/risk factor to each of the identified risks, threats, and vulnerabilities throughout the seven domains of a typical IT infrastructure where the risk, threat, or vulnerability resides. Assign each risk, threat, and vulnerability a priority number in the table's Risk Impact/Factor column, where:

- "1" is Critical: A risk, threat, or vulnerability that impacts compliance (that is, privacy law requirement for securing privacy data and implementing proper security controls, and so on) and places the organization in a position of increased liability
- "2" is Major: A risk, threat, or vulnerability that impacts the confidentiality, integrity, and availability (C-I-A) of an organization's intellectual property assets and IT infrastructure
- "3" is Minor: A risk, threat, or vulnerability that can impact user or employee productivity or availability of the IT infrastructure

Note: Keep the following in mind when working on the next step: When suggesting next steps to executive management, consider your recommendations from their point of view. Be prepared to explain costs, both in implementing the controls and then in maintaining the controls.

Remember that costs come in many forms, not least of which is labor. Be sure accountability is thought out in terms of roles and responsibilities. Other potential costs outside the data center include goodwill or reputation, market share, and lost opportunity. Executive management might have these costs topmost in mind.
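As an added example (not part of the lab manual), the following Python script applies the step 9 scale to a handful of rows from the step 6 table and shows the combined approach described above: every item gets a qualitative class from the Critical/Major/Minor rule, and where a likelihood and a recovery cost have been researched, the annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence) is used to order items within a class and to escalate a class that the dollar figures show is underrated. The domain assignments, the compliance/C-I-A/productivity flags, the probabilities, the dollar figures and the ALE thresholds are all assumptions chosen for illustration, not the lab's answer key; Figure 1 is not reproduced on this page, so the seven domain names are supplied from the model the lab refers to.

```python
"""Added example for Lab #4 (not part of the lab manual): score a risk
register on the step 9 Critical/Major/Minor scale and, where likelihood and
cost were researched, use annualized loss expectancy (ALE) to rank items and
escalate a class.  Every domain, flag and figure below is an assumption."""
from dataclasses import dataclass
from typing import Optional

LABELS = {1: "Critical", 2: "Major", 3: "Minor"}  # step 9 scale
# Seven domains of a typical IT infrastructure (Figure 1 is not reproduced
# on this page; these are the domain names used in that model).
DOMAINS = ("User", "Workstation", "LAN", "LAN-to-WAN", "WAN",
           "Remote Access", "System/Application")
ALE_THRESHOLDS = ((1_000_000, 1), (100_000, 2))  # assumed, dollars per year


@dataclass
class Risk:
    description: str
    domain: str
    affects_compliance: bool = False    # privacy law / liability -> "1"
    affects_cia: bool = False           # C-I-A of IP or infrastructure -> "2"
    affects_productivity: bool = False  # productivity / availability -> "3"
    annual_rate: Optional[float] = None  # ARO: expected occurrences per year
    impact_usd: Optional[float] = None   # SLE: cost of one occurrence

    def __post_init__(self):
        if self.domain not in DOMAINS:
            raise ValueError(f"unknown domain {self.domain!r}")

def qualitative_priority(r: Risk) -> int:
    """Step 9 rule: the most severe class that applies wins."""
    if r.affects_compliance:
        return 1
    if r.affects_cia:
        return 2
    if r.affects_productivity:
        return 3
    raise ValueError(f"unclassified risk: {r.description}")

def annualized_loss(r: Risk) -> Optional[float]:
    """ALE = SLE x ARO; None when either figure was not researched."""
    if r.annual_rate is None or r.impact_usd is None:
        return None
    return r.annual_rate * r.impact_usd

def quantitative_priority(ale: float) -> int:
    """Map an ALE onto the same 1/2/3 scale using the assumed thresholds."""
    for threshold, priority in ALE_THRESHOLDS:
        if ale >= threshold:
            return priority
    return 3

def final_priority(r: Risk) -> int:
    """Qualitative class, escalated (never relaxed) by the quantitative view,
    so a compliance exposure stays Critical even if its expected loss is small."""
    p = qualitative_priority(r)
    ale = annualized_loss(r)
    return p if ale is None else min(p, quantitative_priority(ale))

def prioritize(register):
    """Order for the executive summary: class first, then expected loss."""
    return sorted(register, key=lambda r: (final_priority(r),
                                           -(annualized_loss(r) or 0.0)))

def by_domain(register):
    """Findings grouped by domain (paragraph 3 of the summary)."""
    grouped = {d: [] for d in DOMAINS}
    for r in prioritize(register):
        grouped[r.domain].append((LABELS[final_priority(r)], r.description))
    return grouped

def summary(register):
    """How many items land in each class (paragraph 2 of the summary)."""
    counts = {label: 0 for label in LABELS.values()}
    for r in register:
        counts[LABELS[final_priority(r)]] += 1
    return counts

# Constructed register: five rows of the step 6 table with assumed values.
REGISTER = [
    Risk("Unauthorized access from public Internet", "LAN-to-WAN",
         affects_compliance=True, annual_rate=0.3, impact_usd=2_000_000),
    Risk("Need to prevent eavesdropping on WLAN (customer privacy data)",
         "LAN", affects_compliance=True),
    Risk("Fire destroys primary data center", "System/Application",
         affects_cia=True, annual_rate=0.02, impact_usd=60_000_000),
    Risk("Denial of service attack on organization DMZ and e-mail server",
         "LAN-to-WAN", affects_cia=True, annual_rate=0.4, impact_usd=150_000),
    Risk("Service provider has a major network outage", "WAN",
         affects_productivity=True, annual_rate=0.2, impact_usd=300_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(final_priority(r), LABELS[final_priority(r)], r.domain, r.description)
```

Two design points carry over to the real lab. First, the escalation in final_priority is one-directional: a researched dollar figure can move an item up the scale (the data-center fire, Major by the C-I-A rule, becomes Critical once its ALE crosses the assumed threshold), but it can never demote a compliance exposure whose expected loss looks small, because the liability the lab's "1" describes is not captured by a loss figure. Second, items without researched figures sort after items with them inside the same class, which makes the gaps in your quantitative research visible in the ranking rather than hiding them.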

 

 

 


 

10. In your Lab Report file, write a four-paragraph executive summary according to the following outline:

- Paragraph #1: Summary of findings (risks, threats, and vulnerabilities found throughout the seven domains of a typical IT infrastructure)
- Paragraph #2: Approach and prioritization of critical, major, and minor risk assessment elements
- Paragraph #3: Risk assessment and risk impact summary of the seven domains of a typical IT infrastructure
- Paragraph #4: Recommendations and next steps for executive management

Note: This completes the lab. Close the Web browser, if you have not already done so.

 

 

 


 

 

Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:

1. Define the purpose and objectives of an IT risk assessment. – [20%]
2. Align identified risks, threats, and vulnerabilities to an IT risk assessment that encompasses the seven domains of a typical IT infrastructure. – [20%]
3. Classify identified risks, threats, and vulnerabilities according to a qualitative risk assessment template. – [20%]
4. Prioritize classified risks, threats, and vulnerabilities according to the defined qualitative risk assessment scale. – [20%]
5. Craft an executive summary that addresses the risk assessment findings, risk assessment impact, and recommendations to remediate areas of noncompliance. – [20%]

3-2 Stepping Stone Lab Two: Data Types

As you are learning, data types can move from the simple to complex as we construct programs designed to solve problems. The second stepping stone lab presents an opportunity for you to create primitive data types then use them to construct the more complex forms of strings and arrays as you begin to develop code for a recipe manager program.

Starting with Stepping Stone Lab Two and continuing to the last stepping stone lab in Module Six, you will develop code for the program described in the Stepping Stone Overview document. You will start with a simple structure and gradually build in additional complexity and functionality. The overview also illustrates steps for completing and submitting these labs.

The stepping stone labs constitute a foundation upon which you will build the program you will submit for your final project. Most of the stepping stone labs outline the additional requirements for revising and expanding the concepts in the stepping stone labs as you work on the final project.

Go to the Start Here page and download the Stepping Stone code .zip for the starter code for this assignment.

To complete this assignment, review the following documents:

IT 511 Stepping Stone Lab Two Guidelines

Recipe Manager Data Types

 

Overview: For this stepping stone lab and others to come, you will create coding for a program designed to manage recipes. In Stepping Stone Lab Two, you will begin working with a recipe manager program by focusing on a single ingredient. You will be introduced to basic data types to store numeric values and string values.

You will build this ingredient in code that reflects variables such as its name, the number of cups of that ingredient needed in the recipe, and how many calories

it has per cup. You will also write an expression to calculate the total number of calories this ingredient would contribute to a recipe.

 

To keep track of this information, you need to store it in a program. You will need to utilize variables of various data types to store the information and prompt

the user for the various values. Once you get that information from the user, you can calculate the total number of calories per serving in your recipe.

Prompt: Use SteppingStone2_IngredientCalculator.java as your base code. Areas that require changes to the base code and/or additional code to be written are found in the commented areas that look like this:

    /**
     * This is a commented area that describes the task to be completed in this stepping stone
     */

Specifically, you will complete the following:

A. Assign the variables with the appropriate data type and value as shown in the table below:

Variable Name            Type of Value Stored
nameOfIngredient         Text
numberOfCups             Decimal numbers (e.g., ½ a cup)
numberOfCaloriesPerCup   Whole numbers
totalCalories            Decimal numbers

 

 

 

B. Write an expression that multiplies the numberOfCups by the numberOfCalories per cup and assign this value to totalCalories.

Guidelines for Submission: This assignment should be submitted as a Java file.

Extending This Lab for Your Final Project

For your final project, do the following:

1. Create a new java class named Ingredient.

2. Adapt the code from this stepping stone to include the following changes:
   A. Rename the variable numberCups to represent the more general ingredientAmount.
   B. Add a new text variable, unitMeasurement, to store the unit of measurement for the ingredient amount (cups, ounces, etc.).
   C. Prompt the user to input the measurement unit.

 

 

 

 

SteppingStone2_IngredientCalculator.java

    package SteppingStones;

    import java.util.Scanner;

    /**
     *
     * @author j.leone1
     */
    public class SteppingStone2_IngredientCalculator {

        /**
         * @param args the command line arguments
         */
        public static void main(String[] args) {

            /**
             * Assign the following variables with the appropriate data type and value:
             *
             * VARIABLE NAME          VALUE
             * nameOfIngredient       ""
             * numberCups             0
             * numberCaloriesPerCup   0
             * totalCalories          0.0
             */
            String nameOfIngredient = "";   // text
            float numberCups = 0;           // decimal number, e.g. 0.5 for half a cup
            int numberCaloriesPerCup = 0;   // whole number
            double totalCalories = 0.0;     // decimal number

            Scanner scnr = new Scanner(System.in);

            System.out.println("Please enter the name of the ingredient: ");
            nameOfIngredient = scnr.next();

            System.out.println("Please enter the number of cups of "
                    + nameOfIngredient + " we'll need: ");
            numberCups = scnr.nextFloat();

            System.out.println("Please enter the number of calories per cup: ");
            numberCaloriesPerCup = scnr.nextInt();

            /**
             * Write an expression that multiplies the number of cups
             * by the Calories per cup.
             * Assign this value to totalCalories
             */
            totalCalories = numberCups * numberCaloriesPerCup;

            System.out.println(nameOfIngredient + " uses " + numberCups
                    + " cups and has " + totalCalories + " calories.");

            scnr.close();
        }
    }

Principles of Incident Response and Disaster Recovery, Second Edition

Michael E. Whitman, Ph.D., CISM, CISSP
Herbert J. Mattord, Ph.D., CISM, CISSP
Andrew Green, MSIS
Kennesaw State University

Copyright 2013 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.

This is an electronic version of the print textbook. Due to electronic rights restrictions, some third party content may be suppressed. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. The publisher reserves the right to remove content from this title at any time if subsequent rights restrictions require it. For valuable information on pricing, previous editions, changes to current editions, and alternate formats, please visit www.cengage.com/highered to search by ISBN#, author, title, or keyword for materials in your areas of interest.

 

 

Principles of Incident Response & Disaster Recovery, Second Edition
Michael E. Whitman, Herbert J. Mattord, Andrew Green

Vice President, Careers & Computing: Dave Garza
Acquisitions Editor: Nick Lombardi
Product Development Manager: Leigh Hefferon
Senior Product Manager: Michelle Ruelos Cannistraci
Brand Manager: Kristin McNary
Marketing Development Manager: Mark Linton
Marketing Coordinator: Elizabeth Murphy
Senior Production Director: Wendy Troeger
Production Manager: Andrew Crouth
Senior Content Project Manager: Andrea Majot
Art Director: GEX
Cover image: iStock.com

© 2014 Course Technology, Cengage Learning

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at

Cengage Learning Customer & Sales Support, 1-800-354-9706

For permission to use material from this text or product,

submit all requests online at cengage.com/permissions

Further permissions questions can be emailed to

permissionrequest@cengage.com

Library of Congress Control Number: 2013932024

ISBN-13: 978-1-111-13805-9

ISBN-10: 1-111-13805-2

Course Technology 20 Channel Center Street Boston, MA 02210 USA

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

For your lifelong learning solutions, visit www.cengage.com/coursetechnology

Purchase any of our products at your local college store or at our preferred online store www.cengagebrain.com

Visit our corporate website at cengage.com.

Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.

Any fictional data related to persons or companies or URLs used throughout this book is intended for instructional purposes only. At the time this book was printed, any such data was fictional and not belonging to any real persons or companies.

Course Technology and the Course Technology logo are registered trademarks used under license.

Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time in its content without notice.

The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.

Printed in the United States of America 1 2 3 4 5 6 7 16 15 14 13

To Rhonda, Rachel, Alex, and Meghan, thank you for your loving support. —MEW

To my daughter, Becky. Always stay strong. —HJM

For my nieces, Lexidoodle and Alliecat, and my nephew Timmy. —AG

 

 

Brief Contents

PREFACE
CHAPTER 1 An Overview of Information Security and Risk Management
CHAPTER 2 Planning for Organizational Readiness
CHAPTER 3 Contingency Strategies for IR/DR/BC
CHAPTER 4 Incident Response: Planning
CHAPTER 5 Incident Response: Detection and Decision Making
CHAPTER 6 Incident Response: Organizing and Preparing the CSIRT
CHAPTER 7 Incident Response: Response Strategies
CHAPTER 8 Incident Response: Recovery and Maintenance
CHAPTER 9 Disaster Recovery: Preparation and Implementation
CHAPTER 10 Disaster Recovery: Operation and Maintenance
CHAPTER 11 Business Continuity Planning
CHAPTER 12 Crisis Management and International Standards in IR/DR/BC
APPENDIX A Sample Business Continuity Plan for ABC Co.
APPENDIX B Contingency Plan Template from the Computer Security Resource Center at the National Institute of Standards and Technology
APPENDIX C Sample Crisis Management Plan for Hierarchical Access, Ltd.
GLOSSARY
INDEX

 

 

Table of Contents

PREFACE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

CHAPTER 1 An Overview of Information Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Opening Case Scenario: Pernicious Proxy Probing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Key Information Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Overview of Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Know Yourself. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Know the Enemy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Risk Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Risk Control Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Contingency Planning and Its Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Business Impact Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Incident Response Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Business Continuity Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Contingency Planning Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Role of Information Security Policy in Developing Contingency Plans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Key Policy Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Enterprise Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Issue-Specific Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Systems-Specific Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Ethical Considerations in the Use of Information Security Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Closing Case Scenario: Pondering People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

CHAPTER 2 Planning for Organizational Readiness. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Opening Case Scenario: Proper Planning Prevents Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Beginning the Contingency Planning Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Commitment and Support of Senior Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Elements Required to Begin Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Contingency Planning Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

A Sample Generic Policy and High-Level Procedures for Contingency Plans . . . . . . . . . . . . . . . . . . . . . . . . . . 55

vii

Copyright 2013 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.

 

 

Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Determine Mission/Business Processes and Recovery Criticality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Identify Resource Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Identify System Resource Recovery Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

BIA Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Online Questionnaires . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Facilitated Data-Gathering Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Process Flows and Interdependency Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Risk Assessment Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 IT Application or System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Financial Reports and Departmental Budgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Audit Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Production Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Budgeting for Contingency Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
  Incident Response Budgeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
  Disaster Recovery Budgeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
  Business Continuity Budgeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
  Crisis Management Budgeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Closing Case Scenario: Outrageously Odd Outages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

CHAPTER 3 Contingency Strategies for IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Opening Scenario: Panicking over Powder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Data and Application Resumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
  Online Backups and the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
  Disk to Disk to Other: Delayed Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
  Redundancy-Based Backup and Recovery Using RAID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
  Database Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
  Application Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
  Backup and Recovery Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
  Real-Time Protection, Server Recovery, and Application Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Site Resumption Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
  Exclusive Site Resumption Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
  Shared-Site Resumption Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
  Service Agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
  Hands-On Project 3-1: Command-line Backup Using rdiff-backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
  Hands-On Project 3-2: Copying Virtual Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Closing Case Scenario: Disaster Denied . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129


CHAPTER 4 Incident Response: Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Opening Case Scenario: DDoS Dilemma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

The IR Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
  Forming the IR Planning Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Developing the Incident Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
  Building the Computer Security Incident Response Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Incident Response Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Information for attack success end case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
  Planning for the Response During the Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
  Planning for “After the Incident”. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Reaction!. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
  Planning for “Before the Incident” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

The CCDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Assembling and Maintaining the Final IR Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Closing Case Scenario: The Never-Ending Story . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

CHAPTER 5 Incident Response: Detection and Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Opening Case Scenario: Oodles of Open Source Opportunities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Detecting Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
  Possible Indicators of an Incident. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
  Probable Indicators of an Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Technical Details: Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
  Definite Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
  Identifying Real Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Intrusion Detection and Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Technical Details: Processes and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
  IDPS Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
  Why Use an IDPS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
  IDPS Network Placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Technical Details: Ports and Port Scanning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
  IDPS Detection Approaches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
  Automated Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Incident Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
  Collection of Data to Aid in Detecting Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
  Challenges in Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217


Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Closing Case Scenario: Jokes with JJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

CHAPTER 6 Incident Response: Organizing and Preparing the CSIRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Opening Case Scenario: Trouble in Tuscaloosa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Building the CSIRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
  Step 1: Obtaining Management Support and Buy-In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
  Step 2: Determining the CSIRT Strategic Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
  Step 3: Gathering Relevant Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
  Step 4: Designing the CSIRT Vision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

A Sample Generic Policy and High-Level Procedures for Contingency Plans . . . . . . . . . . . . . . . . . . . . . . . . . 243
  Step 5: Communicating the CSIRT’s Vision and Operational Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
  Step 6: Beginning CSIRT Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
  Step 7: Announce the Operational CSIRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
  Step 8: Evaluating CSIRT Effectiveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
  Final Thoughts on CSIRT Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Outsourcing Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
  Current and Future Quality of Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
  Division of Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
  Sensitive Information Revealed to the Contractor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
  Lack of Organization-Specific Knowledge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
  Lack of Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
  Handling Incidents at Multiple Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
  Maintaining IR Skills In-House . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Closing Case Scenario: Proud to Participate in Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

CHAPTER 7 Incident Response: Response Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Opening Case Scenario: Viral Vandal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

IR Response Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
  Response Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
  Incident Containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

The Cuckoo’s Egg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
  Incident Eradication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
  Incident Recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

Incident Containment and Eradication Strategies for Specific Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Egghead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
  Handling Denial of Service (DoS) Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278


  Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
  Unauthorized Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
  Inappropriate Use. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
  Hybrid or Multicomponent Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Automated IR Response Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

Closing Case Scenario: Worrisome Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

CHAPTER 8 Incident Response: Recovery and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

Opening Case Scenario: Wily Worms Wake Workers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
  Identify and Resolve Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
  Restore Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
  Restore Services and Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
  Restore Confidence across the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
  After-Action Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
  Plan Review and Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
  Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
  Rehearsal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
  Law Enforcement Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
  Reporting to Upper Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
  Loss Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Sample Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Incident Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
  Legal Issues in Digital Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
  Digital Forensics Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

Technical Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
  Digital Forensics Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

eDiscovery and Anti-Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Closing Case Scenario: Bureaucratic Blamestorms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

CHAPTER 9 Disaster Recovery: Preparation and Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

Opening Case Scenario: Flames Force Fan Fury . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

Disaster Classifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371


Forming the Disaster Recovery Team. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
  Organization of the DR Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
  Special Documentation and Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

Disaster Recovery Planning Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
  Develop the DR Planning Policy Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
  Review the Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
  Identify Preventive Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
  Develop Recovery Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
  Develop the DR Plan Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
  Plan Testing, Training, and Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
  Plan Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

Information Technology Contingency Planning Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
  Client/Server Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
  Data Communications Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
  Mainframe Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
  Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

Sample Disaster Recovery Plans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
  The Business Resumption Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

The DR Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Closing Case Scenario: Proactively Pondering Potential Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

CHAPTER 10 Disaster Recovery: Operation and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Opening Case Scenario: Dastardly Disaster Drives Dialing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Facing Key Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Preparation: Training the DR Team and the Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
  Plan Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
  Plan Triggers and Notification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
  Disaster Recovery Planning as Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
  DR Training and Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
  DR Plan Testing and Rehearsal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
  Rehearsal and Testing of the Alert Roster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422

Disaster Response Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423

Recovery Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424

Resumption Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424

Restoration Phase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
  Repair or Replacement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
  Restoration of the Primary Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
  Relocation from Temporary Offices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
  Resumption at the Primary Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
  Standing Down and the After-Action Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429


Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430

Closing Case Scenario: Smart Susan Starts Studying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

CHAPTER 11 Business Continuity Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437

Opening Case Scenario: Lovely Local Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Business Continuity Team. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 BC Team Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Special Documentation and Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

Business Continuity Policy and Plan Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443 Develop the BC Planning Policy Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Review the BIA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448 Identify Preventive Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448 Create BC Contingency (Relocation) Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448 Develop the BC Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449 Ensure BC Plan Testing, Training, and Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 Ensure BC Plan Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 Sample Business Continuity Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

Implementing the BC Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 Preparation for BC Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454 Returning to a Primary Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457 BC After-Action Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Continuous Improvement of the BC Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 Improving the BC Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 Improving the BC Staff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463

Maintaining the BC Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465 Periodic BC Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465 BC Plan Archivist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467

Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

Closing Case Scenario: Exciting Emergency Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

CHAPTER 12 Crisis Management and International Standards inIR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

Opening Case Scenario: Terrible Tragedy Today . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478

Crisis Management in the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 Crisis Terms and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 Crisis Misconceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

Preparing for Crisis Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 General Preparation Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 Organizing the Crisis Management Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

Table of Contents xiii

Copyright 2013 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.

 

 

Crisis Management Critical Success Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485 Developing the Crisis Management Plan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 Crisis Management Training and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490

Ongoing Case: Alert Roster Test at HAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Post-crisis Trauma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 Posttraumatic Stress Disorder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 Employee Assistance Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495 Immediately after the Crisis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

Getting People Back to Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496 Dealing with Loss. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496

Law Enforcement Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 Federal Agencies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498 Local Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502

Managing Crisis Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502 Crisis Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502

The 11 Steps Of Crisis Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503 Avoiding Unnecessary Blame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508

Succession Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Elements of Succession Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510 Succession Planning Approaches for Crisis Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512

International Standards in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513 NIST Standards and Publications in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513 ISO Standards and Publications in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513 Other Standards and Publications in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520

Closing Case Scenario: Boorish Board Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

APPENDIX A Sample Business Continuity Plan for ABC Co. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

APPENDIX B Contingency Plan Template from the Computer Security Resource Center at the National Institute of Standards and Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537

APPENDIX C Sample Crisis Management Plan for Hierarchical Access, Ltd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565

GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583


Preface

As global networks expand the interconnection of the world’s technically complex infrastructure, communication and computing systems gain added importance. Information security has gained in importance as a professional practice, and information security has emerged as an academic discipline. Recent events, such as malware attacks and successful hacking efforts, have pointed out the weaknesses inherent in unprotected systems and exposed the need for heightened security of these systems. In order to secure technologically advanced systems and networks, both education and the infrastructure to deliver that education are needed to prepare the next generation of information technology and information security professionals to develop a more secure and ethical computing environment. Therefore, improved tools and more sophisticated techniques are needed to prepare students to recognize the threats and vulnerabilities present in existing systems and to design and develop the secure systems needed in the near future. Many years have passed since the need for improved information security education has been recognized, and as Dr. Ernest McDuffie of NIST points out:

While there is no doubt that technology has changed the way we live, work, and play, there are very real threats associated with the increased use of technology and our growing dependence on cyberspace….

Education can prepare the general public to identify and avoid risks in cyberspace; education will ready the cybersecurity workforce of tomorrow; and education can keep today’s cybersecurity professionals at the leading edge of the latest technology and mitigation strategies.

Source: NIST

The need for improvements in information security education is so great that the U.S. National Security Agency (NSA) has established Centers of Academic Excellence in Information Assurance, as described in Presidential Decision Directive 63, “The Policy on Critical Infrastructure Protection,” May 1998:

The program goal is to reduce vulnerabilities in our National Information Infrastructure by promoting higher education in information assurance, and producing a growing number of professionals with IA expertise in various disciplines.

Source: National Security Agency

The technical nature of the dominant texts on the market does not meet the needs of students who have a major other than computer science, computer engineering, or electronic engineering. This is a key concern for academics who wish to focus on delivering skilled undergraduates to the commercial information technology (IT) sector. Specifically, there is a clear need for information security, information systems, criminal justice, political science, and accounting information systems students to gain a clear understanding of the foundations of information security.

Approach

This book provides an overview of contingency operations and its components as well as a thorough treatment of the administration of the planning process for incident response, disaster recovery, and business continuity. It can be used to support course delivery for information-security-driven programs targeted at information technology students, as well as IT management and technology management curricula aimed at business or technical management students.

Learning Support—Each chapter includes a Chapter Summary and a set of open-ended Review Questions. These are used to reinforce learning of the subject matter presented in the chapter.

Chapter Scenarios—Each chapter opens and closes with a case scenario that follows the same fictional company as it encounters various contingency planning or operational issues. The closing scenario also includes a few discussion questions. These questions give the student and the instructor an opportunity to discuss the issues that underlie the content.

Hands-On Learning—At the end of each chapter, Real-World Exercises and Hands-On Projects are provided. These give students the opportunity to examine the contingency planning arena outside the classroom. Using these exercises, students can pursue the learning objectives listed at the beginning of each chapter and deepen their understanding of the text material.

Boxed Examples—These supplemental sections, which feature examples not associated with the ongoing case study, are included to illustrate key learning objectives or extend the coverage of plans and policies.

New to This Edition

This edition provides a greater level of detail than the previous edition, specifically in the examination of incident response activities. It incorporates new approaches and methods that have been developed at NIST. Although the material on disaster recovery, business continuity, and crisis management has not been reduced, the text’s focus now follows that of the IT industry in shifting to the prevention, detection, reaction to, and recovery from computer-based incidents and avoidance of threats to the security of information. We are fortunate to have had the assistance of a reviewer who worked as a contributing author for NIST, ensuring alignment between this text and the methods recommended by NIST.

Author Team

Long-time college professors and information security professionals Michael Whitman and Herbert Mattord have jointly developed this text to merge knowledge from the world of academic study with practical experience from the business world. Professor Andrew Green has been added to this proven team to add a new dimension of practical experience.

Michael Whitman, Ph.D., CISM, CISSP

Michael Whitman is a professor of information security and assurance in the Information Systems Department, Michael J. Coles College of Business at Kennesaw State University, Kennesaw, Georgia, where he is the director of the KSU Center for Information Security Education (infosec.kennesaw.edu). Dr. Whitman has over 20 years of experience in higher education, with over 12 years of experience in designing and teaching information security courses. He is an active researcher in information security, fair and responsible use policies, and computer-use ethics. He currently teaches graduate and undergraduate courses in information security. He has published articles in the top journals in his field, including Information Systems Research, Communications of the ACM, Information and Management, Journal of International Business Studies, and Journal of Computer Information Systems. He is a member of the Association for Computing Machinery and the Association for Information Systems. Under Dr. Whitman’s leadership, Kennesaw State University has been recognized by the National Security Agency and the Department of Homeland Security as a National Center of Academic Excellence in Information Assurance Education three times; the university’s coursework has been reviewed by national-level information assurance subject matter experts and determined to meet the national training standard for information systems security professionals. Dr. Whitman is also the coauthor of Principles of Information Security, 4th edition; Management of Information Security, 4th edition; Readings and Cases in the Management of Information Security; Readings and Cases in Information Security: Law and Ethics; The Hands-On Information Security Lab Manual, 3rd edition; Roadmap to the Management of Information Security for IT and Information Security Professionals; Guide to Firewalls and VPNs, 3rd edition; Guide to Firewalls and Network Security, 2nd edition; and Guide to Network Security, all published by Course Technology. In 2012, Dr. Whitman was selected by the Colloquium for Information Systems Security Education as the recipient of the 2012 Information Assurance Educator of the Year award.

Herbert Mattord, Ph.D., CISM, CISSP

Herbert Mattord completed 24 years of IT industry experience as an application developer, database administrator, project manager, and information security practitioner before joining the faculty of Kennesaw State University in 2002. Dr. Mattord is an assistant professor of information security and assurance and the coordinator for the Bachelor of Business Administration in Information Security and Assurance program. He is the operations manager of the KSU Center for Information Security Education and Awareness (infosec.kennesaw.edu) as well as the coordinator for the KSU certificate in Information Security and Assurance. During his career as an IT practitioner, Dr. Mattord has been an adjunct professor at Kennesaw State University; Southern Polytechnic State University in Marietta, Georgia; Austin Community College in Austin, Texas; and Texas State University-San Marcos. He currently teaches undergraduate courses in information security, data communications, local area networks, database technology, project management, systems analysis and design, and information resources management and policy. He was formerly the manager of corporate information technology security at Georgia-Pacific Corporation, where much of the practical knowledge found in this textbook was acquired. Professor Mattord is also the coauthor of Principles of Information Security, 4th edition; Management of Information Security, 4th edition; Readings and Cases in the Management of Information Security; Readings and Cases in Information Security: Law and Ethics; The Hands-On Information Security Lab Manual, 3rd edition; Roadmap to the Management of Information Security for IT and Information Security Professionals; Guide to Firewalls and VPNs, 3rd edition; Guide to Firewalls and Network Security, 2nd edition; and Guide to Network Security, all published by Course Technology.

Andrew Green, MSIS

Andrew Green is a lecturer of information security and assurance in the Information Systems Department, Michael J. Coles College of Business at Kennesaw State University, Kennesaw, Georgia. Mr. Green has over a decade of experience in information security. Prior to entering academia full time, he worked as an information security consultant, focusing primarily on the needs of small and medium-sized businesses. Prior to that, he worked in the healthcare IT field, where he developed and supported transcription interfaces for medical facilities throughout the United States. Mr. Green is also a full-time Ph.D. student at Nova Southeastern University, where he is studying information systems with a concentration in information security. He is the coauthor of Guide to Firewalls and VPNs, 3rd edition and Guide to Network Security, both published by Course Technology.

Structure

The textbook is organized into 12 chapters and 3 appendices. Here are summaries of each chapter’s contents:

Chapter 1. An Overview of Information Security and Risk Management This chapter defines the concepts of information security and risk management and explains how they are integral to the management processes used for incident response and contingency planning.

Chapter 2. Planning for Organizational Readiness The focus of this chapter is on how an organization can plan for and develop organizational processes and staffing appointments needed for successful incident response and contingency plans.

Chapter 3. Contingency Strategies for IR/DR/BC This chapter explores the relationships between contingency planning and the subordinate elements of incident response, business resumption, disaster recovery, and business continuity planning. It also explains the techniques used for data and application backup and recovery.

Chapter 4. Incident Response: Planning This chapter expands on the incident response planning process to include processes and activities that are needed as well as the skills and techniques used to develop such plans.

Chapter 5. Incident Response: Detection and Decision Making This chapter describes how incidents are detected and how decision making regarding incident escalation and plan activation occur.

Chapter 6. Incident Response: Organizing and Preparing the CSIRT This chapter presents the details of the actions that the CSIRT performs and how they are designed and developed.

Chapter 7. Incident Response: Response Strategies This chapter describes IR reaction strategies and how they are applied to incidents.


Chapter 8. Incident Response: Recovery and Maintenance This chapter describes how an organization plans for and executes the recovery process when an incident occurs; it also expands on the steps involved in the ongoing maintenance of the IR plan.

Chapter 9. Disaster Recovery: Preparation and Implementation This chapter explores how organizations prepare for disasters and recover from disasters.

Chapter 10. Disaster Recovery: Operation and Maintenance This chapter presents the challenges an organization faces when engaged in DR operations and how such challenges are met.

Chapter 11. Business Continuity Planning This chapter covers how organizations ensure continuous operations even when the primary facilities used by the organization are not available.

Chapter 12. Crisis Management and International Standards in IR/DR/BC This chapter covers the role of crisis management and recommends the elements of a plan to prepare for crisis response. The chapter also covers the key international standards that affect IR, DR, and BC.

Appendices. The three appendices present sample BC and crisis management plans and templates.

Text and Graphic Conventions

Wherever appropriate, additional information and exercises have been added to this book to help you better understand what is being discussed in the chapter. Icons throughout the text alert you to additional materials. The icons used in this textbook are described here:

Notes present additional helpful material related to the subject being described.

Offline boxes offer material that expands on the chapter’s contents but that may not be central to the learning objectives of the chapter.

Technical Details boxes provide additional technical information on information security topics.

Real World Exercises are structured activities to allow students to enrich their understanding of selected topics presented in the chapter by exploring Web-based or other widely available resources.

Hands-On Projects offer students the chance to explore the technical aspects of the theories presented in the chapter.


Instructor’s Materials

The following supplemental materials are available for use in a classroom setting. All the supplements available with this book are provided to the instructor on a single CD-ROM (ISBN: 9781111138066) and online at the textbook’s Web site.

Please visit login.cengage.com and log in to access instructor-specific resources.

To access additional course materials, please visit www.cengagebrain.com. At the CengageBrain.com home page, search for the ISBN of your title (from the back cover of your book) using the search box at the top of the page. This will take you to the product page, where these resources can be found.

Additional materials designed especially for you might be available for your course online. Go to www.cengage.com/coursetechnology and search for this book title periodically for more details.

Electronic Instructor’s Manual—The Instructor’s Manual that accompanies this textbook includes additional instructional material to assist in class preparation, including suggestions for classroom activities, discussion topics, and additional projects.

Solution Files—The Solution Files include answers to selected end-of-chapter materials, including the Review Questions and some of the Hands-On Projects.

ExamView—This textbook is accompanied by ExamView, a powerful testing software package that allows instructors to create and administer printed, computer (LAN-based), and Internet exams. ExamView includes hundreds of questions that correspond to the topics covered in this text, enabling students to generate detailed study guides that include page references for further review. The computer-based and Internet testing components allow students to take exams at their computers, and also save the instructor time by grading each exam automatically.

PowerPoint Presentations—This book comes with Microsoft PowerPoint slides for each chapter. These are included as a teaching aid for classroom presentation. They can also be made available to students on the network for chapter review, or they can be printed for classroom distribution. Instructors, feel free to add your own slides for additional topics you introduce to the class.

Information Security Community Site—Stay Secure with the Information Security Community Site! Connect with students, professors, and professionals from around the world, and stay on top of this ever-changing field.

● Visit www.cengage.com/community/infosec.
● Download resources such as instructional videos and labs.
● Ask authors, professors, and students the questions that are on your mind in our Discussion Forums.
● See up-to-date news, videos, and articles.
● Read author blogs.
● Listen to podcasts on the latest Information Security topics.

Acknowledgments

The authors would like to thank their families for their support and understanding for the many hours dedicated to this project, hours taken in many cases from family activities. Special thanks to Karen Scarfone, coauthor of several NIST SPs. Her reviews and suggestions resulted in a more readable manuscript. Additionally, the authors would like to thank Doug Burks, primary developer of the Security Onion project used in this textbook. Doug’s insight and suggestions for the Hands-On Projects helped make them more robust and practical for students to use.

Reviewers

We are indebted to the following individuals for their respective contributions of perceptive feedback on the initial proposal, the project outline, and the individual chapters of the text:

Karen Scarfone, Scarfone Cybersecurity

Gary Kessler, Embry-Riddle Aeronautical University

Special Thanks

The authors wish to thank the editorial and production teams at Course Technology. Their diligent and professional efforts greatly enhanced the final product:

Michelle Ruelos Cannistraci, Senior Product Manager

Kent Williams, Developmental Editor

Nick Lombardi, Acquisitions Editor

Andrea Majot, Senior Content Project Manager

Nicole Ashton Spoto, Technical Editor

In addition, several professional and commercial organizations and individuals have aided the development of the textbook by providing information and inspiration, and the authors wish to acknowledge their contribution:

Bernstein Crisis Management

Continuity Central

Information Systems Security Associations

Institute for Crisis Management

National Institute of Standards and Technology

Oracle, Inc.

Purdue University

Rothstein Associates, Inc.

SunGard

Our colleagues in the Department of Information Systems and the Michael J. Coles College of Business, Kennesaw State University

Dr. Amy Woszczynski, Interim Chair of the Department of Information Systems, Michael J. Coles College of Business, Kennesaw State University

Dr. Kathy Schwaig, Dean of the Michael J. Coles College of Business, Kennesaw State University

Our Commitment

The authors are committed to serving the needs of the adopters and readers. We would be pleased and honored to receive feedback on the textbook and its supporting materials. You can contact us through Course Technology.

Preface xxi

Copyright 2013 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.


Chapter 1

An Overview of Information Security and Risk Management

An ounce of prevention is worth a pound of cure. —Benjamin Franklin

Upon completion of this material, you should be able to:

● Define and explain information security

● Identify and explain the basic concepts of risk management

● List and discuss the components of contingency planning

● Describe the role of information security policy in the development of contingency plans


Introduction

This book is about being prepared for the unexpected, being ready for such events as incidents and disasters. We call this contingency planning, and the sad fact is that most organizations don’t incorporate it into their day-to-day business activities. Such organizations are often not well prepared to offer the proper response to a disaster or security incident. By July 2012, Internet World Stats estimated that there were over 2.4 billion people online,1 representing one third of the world’s 6.9 billion population. Each one of those online users is a potential threat to any online system. The vast majority of Internet users will not intentionally probe, monitor, attack, or attempt to access an organization’s information without authorization; however, that potential does exist. If even less than 1/10 of 1 percent of online users make the effort, the result would be almost two and a half million potential attackers.

Opening Case Scenario: Pernicious Proxy Probing

Paul Alexander and his boss Amanda Wilson were sitting in Amanda’s office discussing the coming year’s budget when they heard a commotion in the hall. Hearing his name mentioned, Paul stuck his head out the door and saw Jonathon Jasper (“JJ” to his friends) walking quickly toward him.

“Paul!” JJ called again, relieved to see Paul waiting in Amanda’s office. “Hi, Amanda,” JJ said, then, looking at Paul, he added, “We have a problem.” JJ was one of the systems administrators at Hierarchical Access LTD (HAL), a Georgia-based Internet service provider that serves the northwest region of metropolitan Atlanta.

Paul stepped out into the hall, closing Amanda’s door behind him. “What’s up, JJ?”

“I think we’ve got someone sniffing around the e-mail server,” JJ replied. “I just looked at the log files, and there is an unusual number of failed login attempts on accounts that normally just don’t have that many, like yours!”

Paul paused a moment. “But the e-mail server’s proxied,” he finally said to JJ, “which means it must be an internal probe.”

“Yeah, that’s why it’s a problem,” JJ replied. “We haven’t gotten this kind of thing since we installed the proxy and moved the Web and e-mail servers inside the DMZ. It’s got to be someone in-house.”

JJ looked exasperated. “And after all that time I spent conducting awareness training!”

“Don’t worry just yet,” Paul told him. “Let’s make a few calls, and then we’ll go from there. Grab your incident response book and meet me in the conference room in 10 minutes. Grab Tina in network operations on the way.”

2 Chapter 1 An Overview of Information Security and Risk Management


In the weeks that followed the September 11, 2001 attacks in New York, Pennsylvania, and Washington D.C., the media reported on the disastrous losses that various organizations were suffering. Still, many organizations were able to continue conducting business. Why? The reason is that those organizations were prepared for unexpected events. The cataclysm in 2001 was not the first attack on the World Trade Center (WTC). On February 26, 1993, a car bomb exploded beneath one of the WTC towers, killing 6 and injuring over 1000. The attack was limited in its devastation only because the attackers weren’t able to acquire all the components for a coordinated bomb and cyanide gas attack.2

Still, this attack was a wake-up call for the hundreds of organizations that conducted business in the WTC. Many began asking the question, “What would we have done if the attack had been more successful?” As a direct result, many of the organizations occupying the WTC on September 11, 2001 had developed contingency plans. Although thousands of people lost their lives in the attack, many were able to evacuate, and many organizations were prepared to resume their businesses in the aftermath of the devastation.

A 2008 Gartner report found that two out of three organizations surveyed had to invoke their disaster recovery or business continuity plans in the two years preceding the study.3 Considering that nearly 80 percent of businesses affected by a disaster either never reopen or close within 18 months of the event, having a disaster recovery and business continuity plan is vital to sustaining operations when disasters strike.4 Considering the risks, it is imperative that management teams create, implement, and test effective plans to deal with incidents and disasters. For this reason, the field of information security has been steadily growing and is taken seriously by more and more organizations, not only in the United States but throughout the world.

Before we can discuss contingency planning in detail, we must introduce some critical concepts of which contingency planning is an integral part. The first of these, which serves as the overall disciplinary umbrella, is information security. This refers to many interlinked programs and activities that work together to ensure the confidentiality, integrity, and availability of the information used by organizations. This includes steps to ensure the protection of organizational information systems, specifically during incidents and disasters. Because information security is a complex subject, which includes risk management as well as information security policy, it is important to have an overview of that broad field and an understanding of these major components. Contingency planning is an important element of information security, but before management can plan for contingencies, it should have an overall strategic plan for information security in place, including risk management processes to guide the appropriate managerial and technical controls. This chapter serves as an overview of information security, with special consideration given to risk management and the role that contingency planning plays in (1) information security in general and (2) risk management in particular.

Information Security

The Committee on National Security Systems (CNSS) has defined information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. This definition is part of the CNSS model (see Figure 1-1), which serves as the conceptual framework for understanding information security. The model evolved from a similar model developed within the computer security industry, known as the C.I.A. triangle. An industry standard for computer security since the development of the mainframe, the C.I.A. triangle illustrates the three most critical characteristics of information used within information systems: confidentiality, integrity, and availability.

Information assets have the characteristic of confidentiality when only those persons or computer systems with the rights and privileges to access them are able to do so. Information assets have integrity when they are not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of their authentic states; in other words, the information is whole, complete, and uncorrupted. Finally, information assets have availability when authorized users—persons or computer systems—are able to access them in the specified format without interference or obstruction. In other words, the information is there when it is needed, from where it is supposed to be, and in the format expected.

In summary, information security (InfoSec) is the protection of the confidentiality, integrity, and availability of information, whether in storage, during processing, or in transmission. Such protection is achieved through the application of policy, education and training, and technology.

Key Information Security Concepts

In general, a threat is an object, person, or other entity that is a potential risk of loss to an asset, which is the organizational resource being protected. An asset can be logical, such as a Web site, information, or data, or it can be physical, such as a person, computer system, or other tangible object. A threat can become the basis for an attack—an intentional or unintentional attempt to cause damage to or otherwise compromise the information or the systems that support it. A threat-agent is a specific and identifiable instance of a general threat that exploits vulnerabilities in the controls set up to protect the asset. NIST defines a vulnerability as “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the system’s security policy.”5 Vulnerabilities that have been examined, documented, and published are referred to as well-known vulnerabilities. Some vulnerabilities are latent and thus not revealed until they are discovered and made known.

[Figure 1-1: a cube whose three axes are labeled Confidentiality, Integrity, Availability; Storage, Processing, Transmission; and Policy, Education, Technology. © Cengage Learning 2014]

Figure 1-1 The CNSS security model


There are two common uses of the term exploit in information security. First, threat-agents are said to exploit a system or information asset by using it illegally for their personal gains. Second, threat-agents can create an exploit, or means to target a specific vulnerability, usually found in software, to formulate an attack. A defender tries to prevent attacks by applying a control, a safeguard, or a countermeasure; these terms, all synonymous with control, represent security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and generally improve the security within an organization.

The results of a 2012 study that collected, categorized, and ranked the identifiable threats to information security are shown in Table 1-1. The study compared its findings with a prior study conducted by one of its researchers.

The threat categories shown in Table 1-1 are explained in detail in the following sections.

Trespass

Trespass is a broad category of electronic and human activities that can breach the confidentiality of information. When an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of trespass. In the opening scenario of this chapter, the IT staff members at HAL were more disappointed than surprised to find someone poking around their mail server, looking for a way in. Acts of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.

Threat Category                                            2010 Ranking   Prior Ranking
Espionage or trespass                                      1              4
Software attacks                                           2              1
Human error or failure                                     3              3
Theft                                                      4              7
Compromises to intellectual property                       5              9
Sabotage or vandalism                                      6              5
Technical software failures or errors                      7              2
Technical hardware failures or errors                      8              6
Forces of nature                                           9              8
Deviations in quality of service from service providers    10             10
Technological obsolescence                                 11             11
Information extortion                                      12             12

Table 1-1 Threats to information security6
Source: 2003 Study © Communications of the ACM, used with permission


The classic perpetrator of deliberate acts of espionage or trespass is the hacker. In this text, hackers are people who bypass legitimate controls placed on information systems in order to gain access to data or information against the intent of the owner. More specifically, a hacker is someone who uses skill, guile, or fraud to attempt to bypass the controls placed around information that belongs to someone else.

Software Attacks

Deliberate software attacks occur when an individual or group designs software to attack a system. This software is referred to as malicious code, malicious software, or malware. These software components or programs are designed to damage, destroy, or deny service to the target systems. Some of the more common instances of malicious code are viruses and worms, Trojan horses, logic bombs, bots, rootkits, and back doors. Equally prominent among the recent incidences of malicious code are the denial-of-service attacks conducted by attackers on popular e-commerce sites. A denial-of-service (DoS) attack seeks to deny legitimate users access to services by either tying up a server’s available resources or causing it to shut down. A variation on the DoS attack is the distributed DoS (DDoS) attack, in which an attacker compromises a number of systems, then uses these systems (called zombies or bots) to attack an unsuspecting target.

A potential source of confusion when it comes to threats posed by malicious code is the difference between the method of propagation (worm versus virus), the payload (what the malware does once it is in place, such as deny service or install a back door), and the vector of infection (how the code is transmitted from system to system, whether through social engineering or by technical means, such as an open network share). Various concepts related to the topic of malicious code are discussed in the following sections.

Viruses

Computer viruses are segments of code that perform malicious actions. The code attaches itself to an existing program and takes control of that program’s access to the targeted computer. The virus-controlled target program then carries out the virus’s plan by replicating itself and inserting itself into additional targeted systems.

Opening an infected e-mail or some other seemingly trivial action can cause anything from random messages popping up on a user’s screen to the destruction of entire hard drives of data. Viruses are passed from machine to machine via physical media, e-mail, or other forms of computer data transmission. When these viruses infect a machine, they may immediately scan the local machine for e-mail applications; they may even send themselves to every user in the e-mail address book.

There are several types of viruses. One type is the macro virus, which is embedded in automatically executing macrocode, common in word-processed documents, spreadsheets, and database applications. Another type, the boot virus, infects the key operating system files located in a computer’s boot sector.

Worms

Named for the tapeworm in John Brunner’s novel The Shockwave Rider, worms are malicious programs that replicate themselves constantly without requiring another program to provide a safe environment for replication. Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth. These complex behaviors can be invoked with or without the user downloading or executing the file. Once the worm has infected a computer, it can redistribute itself to all e-mail addresses found on the infected system. Further, a worm can deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected themselves. Worms also take advantage of open shares found on the network in which an infected system is located, placing working copies of the worm code onto the server so that users of those shares are likely to become infected.

Back Doors and Trap Doors

A virus or worm can have a payload that installs a back door or trap door component in a system, which allows the attacker to access a system, at will, with special privileges. Examples of these kinds of payloads are SubSeven, Back Orifice, and Flashfake.

Polymorphism

One of the biggest ongoing problems in fighting viruses and worms is polymorphic threats. A polymorphic threat is one that changes its apparent shape over time, making it undetectable by techniques that look for preconfigured signatures. These viruses and worms actually evolve, changing their size and appearance to elude detection by antivirus software programs. This means that an e-mail generated by the virus may not match previous examples, making detection more of a challenge.

Propagation Vectors

The way that malicious code is spread from one system to another can vary widely. One common way is through a social engineering attack—that is, getting the computer user to perform an action that enables the infection. An example of this is the Trojan horse, often simply called a Trojan. A Trojan is something that looks like a desirable program or tool but is in fact a malicious entity. Other propagation vectors do not require human interaction, leveraging open network connections, file shares, or software vulnerabilities to spread themselves.

Malware Hoaxes

As frustrating as viruses and worms are, perhaps more time and money is spent on resolving malware hoaxes. Well-meaning people can disrupt the harmony and flow of an organization when they send random e-mails warning of dangerous malware that is fictitious. While these individuals feel they are helping out by warning their coworkers of a threat, much time and energy is wasted as everyone forwards the message to everyone they know, posts the message on social media sites, and begins updating antivirus protection software. By teaching its employees how to verify whether a malware threat is real, the organization can reduce the impact of this type of threat.

Human Error or Failure

This threat category includes acts performed by an authorized user, usually without malicious intent or purpose. When people use information systems, mistakes sometimes happen as a result of inexperience, improper training, incorrect assumptions, and so forth. Unfortunately, small mistakes can produce extensive damage with catastrophic results. This is what is meant by human error. Human failure, on the other hand, is the intentional refusal or unintentional inability to comply with policies, guidelines, and procedures, with a potential loss of information. An organization may be doing its part to protect information, but if an individual employee fails to follow established protocols, information can still be put at risk.

Theft

The threat of theft—the illegal taking of another’s property—is a constant problem. Within an organization, property can be physical, electronic, or intellectual. The value of information assets suffers when they are copied and taken away without the owner’s knowledge. This threat category also includes acts of espionage, given that an attacker is often looking for information to steal. Any breach of confidentiality can be construed as an act of theft.

Attackers can use many different methods to access the information stored in an information system. Some information gathering is quite legal—for example, when doing research. Such techniques are collectively referred to as competitive intelligence. When information gathering employs techniques that cross the threshold of what is considered legal or ethical, it becomes known as industrial espionage.

Also of concern in this category is the theft or loss of mobile devices, including phones, tablets, and computers. Although the devices themselves are of value, perhaps even more valuable is the information stored within. Users who have been issued company equipment may establish (and save) VPN-connection information, passwords, access credentials, company records, customer information, and the like. This valuable information becomes a target for information thieves. In fact, it has become commonplace to find lost or stolen devices in the trash, with the hard drives or data cards (like phone SIMs) removed or the data having been copied and erased. The information is more valuable and easier to conceal than the actual device itself.

Users who travel or use their devices away from home should be extremely careful when leaving the device unattended at a restaurant table, conference room, or hotel room. Actually, most globally engaged organizations now have explicit policy directives that prohibit taking these portable devices to certain countries and direct employees required to travel to take sanitized, almost disposable, devices that are not allowed contact with internal company networks or technology.

Compromises to Intellectual Property

Many organizations create or support the development of intellectual property as part of their business operations. FOLDOC, an online dictionary of computing, defines intellectual property (IP) this way:

The ownership of ideas and control over the tangible or virtual representation of those ideas. Use of another person’s intellectual property may or may not involve royalty payments or permission but should always include proper credit to the source.7

Source: FOLDOC

IP includes trade secrets, copyrights, trademarks, and patents, all of which employees use to conduct day-to-day business. Once an organization has properly identified its IP, breaches in the controls placed to control access to it constitute a threat to the security of this information.

Often, an organization purchases or leases the IP of other organizations and must therefore abide by the purchase or licensing agreement for its fair and responsible use.


Of equal concern is the exfiltration, or unauthorized removal of information, from an organization. Most commonly associated with disgruntled employees, the protection of intellectual property from unauthorized disclosure to third parties further illustrates the severity of this issue. Theft of organizational IP, such as trade secrets or trusted information like customer personal and financial records, is a commonplace issue. Data exfiltration is also being made tougher to combat because of the increasing popularity of “bring your own device” (or BYOD) systems, which allow employees to attach their own personal devices to the corporate network. These devices are frequently not as secure as the systems owned and maintained by the organization. If compromised by attackers prior to attaching to the corporate network, BYOD systems can easily be used as conduits to allow data to be exfiltrated. Additionally, unhappy employees can use these devices to copy data, then leave the organization with that valuable asset in their hands and no one the wiser.

Among the most common IP breaches is the unlawful use or duplication of software-based intellectual property, more commonly known as software piracy. Because most software is licensed to a particular purchaser, its use is restricted to a single user or to a designated user in an organization. If the user copies the program to another computer without securing another license or transferring the license, he or she has violated the copyright. Software licenses are strictly enforced by a number of regulatory and private organizations, and software publishers use several control mechanisms to prevent copyright infringement. In addition to the laws surrounding software piracy, two watchdog organizations investigate allegations of software abuse: the Software & Information Industry Association (SIIA), the Web site for which can be found at www.siia.net, and the Business Software Alliance (BSA), which can be found at www.bsa.org.

Sabotage or Vandalism

This threat category involves the deliberate sabotage of a computer system or business or acts of vandalism to either destroy an asset or damage an organization’s image. The acts can range from petty vandalism by employees to organized sabotage by outsiders. A frequently encountered threat is the assault on an organization’s electronic profile—its Web site.

A much more sinister form of hacking is cyberterrorism. Cyberterrorists hack systems to conduct terrorist activities through network or Internet pathways. The United States and other governments are developing security measures intended to protect the critical computing and communications networks as well as the physical and power utility infrastructures.

Technical Software Failures or Errors

This threat category stems from purchasing software with unknown hidden faults. Large quantities of computer code are written, published, and sold before all the significant security-related bugs are detected and resolved. Also, combinations of particular software and hardware may reveal new bugs. While most bugs are not a security threat, some may be exploitable and may result in potential loss or damage to information used by those programs. In addition to bugs, there may be untested failure conditions or purposeful subversions of the security controls built into systems. These may be oversights or intentional shortcuts left by programmers for benign or malign reasons. Collectively, shortcut access routes into programs that bypass security checks are called trap doors; they can cause serious security breaches.


Software bugs are so commonplace that entire Web sites are dedicated to documenting them—for example, Bugtraq (www.securityfocus.com) and the National Vulnerability Database (http://nvd.nist.gov). These resources provide up-to-the-minute information on the latest security vulnerabilities and a very thorough archive of past bugs.

Technical Hardware Failures or Errors

Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. Some errors are terminal, in that they result in the unrecoverable loss of the equipment. Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily identified. For example, equipment can sometimes stop working or can work in unexpected ways. Murphy’s Law says that if something can possibly go wrong, it will. In other words, it’s not whether something will fail but when.

Forces of Nature

Forces of nature, also known as force majeure, or acts of God, pose some of the most dangerous threats imaginable because they often occur with very little warning. Fire, flood, earthquake, lightning, volcanic eruptions, even animal or insect infestation—these threats disrupt not only the lives of individuals but also the storage, transmission, and use of information.

Deviations in Quality of Service by Service Providers

This threat category covers situations in which a product or service is not delivered to the organization as expected. Utility companies, service providers, and other value-added organizations form a vast web of interconnected services. An organization’s information system depends on the successful operation of such interdependent support systems, including power grids, telecom networks, parts suppliers, service vendors, and even the janitorial staff and garbage haulers. Any one of these support systems can be interrupted by storms, employee illnesses, or other unforeseen events.

An example of this threat category occurs when a construction crew damages a fiber-optic link for an ISP. The backup provider may be online and in service but may only be able to supply a fraction of the bandwidth the organization needs for full service. This degradation of service is a form of availability disruption. Internet service, communications, and power irregularities can dramatically affect the availability of information and systems.

Technological Obsolescence

This threat category involves antiquated or outdated infrastructure that leads to unreliable and untrustworthy systems. Management must recognize that when technology becomes outdated, there is a risk of a loss of data integrity from attacks. Strategic planning should always include an analysis of the technology that is currently in use. Ideally, proper planning will prevent the risks stemming from technology obsolescence, but when obsolescence is identified, management must take immediate action. IT professionals play a large role in the identification of obsolescence.

Information Extortion

The threat of information extortion is the possibility that an attacker or trusted insider will steal information from a computer system and demand compensation for its return or for an agreement to not disclose the information. Extortion is common in credit card number theft. Unfortunately, organized crime is increasingly involved in this area.

Other Threats Listings

The Computer Security Institute conducts an annual study of computer crime, the results for which are shown in Table 1-2. Malware attacks continue to cause the most financial loss, and malware continues to be the most frequently cited attack (with a reported loss of over $42 million in 2009 alone). Nearly 70 percent of respondents noted that they had experienced one or more malware attacks in the 12-month reporting period—and that doesn’t include companies that are unwilling to report attacks. The fact is, almost every company has been attacked. Whether or not that attack was successful depends on the company’s security efforts.

Type of Attack or Misuse                                          2010/11   2008   2006   2004   2002   2000
Malware infection (revised after 2008)                            67%       50%    65%    78%    85%    85%
Being fraudulently represented as sender of phishing message      39%       31%    (new category)
Laptop/mobile hardware theft/loss                                 34%       42%    47%    49%    55%    60%
Bots/zombies in organization                                      29%       20%    (new category)
Insider abuse of Internet access or e-mail                        25%       44%    42%    59%    78%    79%
Denial of service                                                 17%       21%    25%    39%    40%    27%
Unauthorized access or privilege escalation by insider            13%       15%    (revised category)
Password sniffing                                                 11%       9%     (new category)
System penetration by outsider                                    11%       (revised category)
Exploit of client Web browser                                     10%       (new category)

Other Attacks/Misuse categories with less than 10% responses not listed above include (listed in decreasing order of occurrence/reporting):

Financial fraud

Web site defacement

Exploit of wireless network

Other exploit of public-facing Web site

Theft of or unauthorized access to PII or PHI due to all other causes

Instant Messaging misuse

Theft of or unauthorized access to IP due to all other causes

Exploit of user’s social network profile

Theft of or unauthorized access to IP due to mobile device theft/loss

Theft of or unauthorized access to PII or PHI due to mobile device theft/loss

Exploit of DNS Server

Extortion or blackmail associated with threat of attack or release of stolen data

Table 1-2 Top Ten CSI/FBI survey results for types of attack or misuse (2000-2011)8
Source: CSI/FBI surveys 2000 to 2010/11 (www.gocsi.com)


Overview of Risk Management One part of information security is risk management, which is the process of identifying and controlling the risks to an organization’s information assets. All managers are expected to play a role in the risk management process, but information security managers are expected to play the largest roles. Very often, the chief information officer (CIO) will delegate much of the responsibility for risk management to the chief information security officer (CISO).

Given that contingency planning is considered part of the risk management process, it is important to fully understand how risk management works and how contingency planning fits within that process. Risk management consists of two major undertakings: risk identification and risk control. Risk identification is the process of examining, documenting, and assessing the security posture of an organization’s information technology and the risks it faces. Risk control is the process of applying controls to reduce the risks to an organization’s data and information systems. The various components of risk management and their relationships to one another are shown in Figure 1-2.

As an aspiring information security professional, you will have a key role to play in risk management. As part of an organization’s management team, you may find yourself on the team that must structure the IT and information security functions to perform a successful defense of the organization’s information assets—the information and data, hardware, software, procedures, and people. The IT community must serve the information technology needs of the broader organization and, at the same time, leverage the special skills and insights of the information security community. The information security team must lead the way with skill, professionalism, and flexibility as it works with the other communities of interest to appropriately balance the usefulness and security of the information system.

Figure 1-2 Components of risk management (© Cengage Learning 2014). The figure divides risk management into risk identification (inventorying assets, classifying assets, identifying threats and vulnerabilities) and risk control (selecting strategy, justifying controls); risk assessment is the documented result of the risk identification process.

Looked at another way, risk management is the process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components of the organization’s information system. Each of the three elements in the C.I.A. triangle is an essential part of an organization’s ability to sustain long-term competitiveness. When the organization depends on IT-based systems to remain viable, information security and the discipline of risk management move beyond theoretical discussions and become an integral part of the economic basis for making business decisions. These decisions are based on trade-offs between the costs of applying information systems controls and the benefits realized from the operation of secured, available systems.

An observation made over 2400 years ago by Chinese General Sun Tzu is relevant to information security today:

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.9

Source: Oxford University Press

Consider for a moment the similarities between information security and warfare. Information security managers and technicians are the defenders of information. The many threats mentioned earlier are constantly attacking the defenses surrounding information assets. Defenses are built in layers, by placing safeguard upon safeguard. You attempt to detect, prevent, and recover from attack after attack after attack. Moreover, organizations are legally prevented from switching to offense, and the attackers themselves have no need to expend their resources on defense. To be victorious, you must therefore know yourself and know the enemy.

Know Yourself First, you must identify, examine, and understand the information and systems currently in place within your organization. To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must understand what they are, how they add value to the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because you have a control in place to protect an asset does not necessarily mean that the asset is protected. Frequently, organizations implement control mechanisms but then neglect to periodically perform the necessary review, revision, and maintenance of their own systems. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.


Know the Enemy Once you are informed of your organization’s assets and weaknesses, you can move on to the other part of Sun Tzu’s advice: know the enemy. This means identifying, examining, and understanding the threats facing the organization. You must determine those threat aspects that most directly affect the organization and the security of the organization’s information assets. You can then use your understanding of these aspects to create a list of threats prioritized by how important each asset is to the organization.

It is essential that all stakeholders conduct periodic management reviews. The first focus of management review is asset inventory. On a regular basis, management must verify the completeness and accuracy of the asset inventory. In addition, organizations must review and verify the threats and vulnerabilities that have been identified as dangerous to the asset inventory, as well as the current controls and mitigation strategies. The cost effectiveness of each control should be reviewed as well and the decisions on deployment of controls revisited. Furthermore, managers at all levels must regularly verify the ongoing effectiveness of every control that’s been deployed. For example, a sales manager might assess control procedures by going through the office before the workday starts and picking up all the papers from every desk in the sales department. When the workers show up, the manager could inform them that a fire drill is underway—that all their papers have been destroyed and that each worker must now follow the disaster recovery procedures. The effectiveness of the procedures can then be assessed and corrections made.

Risk Identification A risk management strategy calls on information security professionals to identify, classify, and prioritize the organization’s information assets. Once that has been done, the threat identification process begins. Each information asset is examined to identify vulnerabilities, and when vulnerabilities are found, controls are identified and assessed regarding their capability to limit possible losses should an attack occur. The components of this process are shown in Figure 1-3.

Asset Identification and Value Assessment The iterative process of identifying assets and assessing their value begins with the identification of the elements of an organization’s systems: people, procedures, data/information, software, hardware, and networks. The assets are then classified and categorized, with details added as the analysis goes deeper.

Information Asset Classification In addition to identifying the assets, it is advisable to classify them with respect to their security needs. For example, data could be classified as confidential data, internal data, and public data. Likewise, the individuals authorized to view the data could be classified using a personnel security clearance structure.

No matter how an organization chooses to classify the components of its system, the components must be specific enough to allow the creation of various priority levels. The components then can be ranked according to criteria established by the categorization. The categories themselves should be comprehensive and mutually exclusive. Comprehensive means that all the information assets should fit in the list somewhere; mutually exclusive means that each information asset should fit in only one category. For example, when using a purely technical standard to classify a certificate authority used in a PKI system, an analysis team could categorize the certificate authority in the asset list as software but within the software category as either an application or a security component. It is a matter of professional judgment. To add consistency and simplify the categorization of elements when there is ambiguity, it is essential to establish a clear and comprehensive set of categories.

Information Asset Valuation As each asset is assigned to a category, the following questions should be asked:

● Is this asset the most critical to the organization’s success?
● Does it generate the most revenue?
● Does it generate the most profit?
● Would it be the most expensive to replace?
● Will it be the most expensive to protect?
● If revealed, would it cause the most embarrassment or greatest damage?
● Does the law or other regulation require us to protect this asset?

Figure 1-3 Components of risk identification (© Cengage Learning 2014). The figure lays out the steps of risk identification and risk assessment: plan and organize the process; categorize system components; inventory and categorize assets; identify threats; specify vulnerable assets; assign value to attack on assets; assess likelihood of attack on vulnerabilities; calculate relative risk factor for assets; review possible controls; document findings.

The answers to these questions help determine the weighting criteria used for information asset valuation and information impact evaluation. Before beginning the inventory process, the organization should decide which criteria are best suited to establish the value of the information assets.

In addition to the criteria just listed, company-specific criteria should be identified, documented, and added to the process. To finalize this step of the information asset identification process, the organization should assign a weight to each asset based on the answers to the various questions.

Once the process of inventorying and assessing value is complete, you can calculate the relative importance of each asset using a straightforward process known as weighted factor analysis, which is shown in Table 1-3. In this process, each information asset is assigned a score for each critical factor. In the example shown, these scores may range from 0.1 to 1.0. In addition, each criterion is assigned a weight (ranging from 1 to 100) to show its assigned importance for the organization.

Data Classification and Management Corporate and military organizations use a variety of data classification schemes, which are procedures that require organizational data to be classified into mutually exclusive categories based on the need to protect the confidentiality of each category of data. For example, at one time Georgia-Pacific, an American pulp and paper company, used a data classification scheme in which information owners throughout the company were expected to classify the information assets for which they were responsible. At least once a year, they would review these classifications to ensure that the information was still classified correctly and the appropriate access controls were in place.

Information Asset | Criterion 1: Impact on Revenue | Criterion 2: Impact on Profitability | Criterion 3: Impact on Image | Weighted Score
Criterion Weight (1–100; must total 100) | 30 | 40 | 30 |
EDI Document Set 1—Logistics BOL to outsourcer (outbound) | 0.8 | 0.9 | 0.5 | 75
EDI Document Set 2—Supplier orders (outbound) | 0.8 | 0.9 | 0.6 | 78
EDI Document Set 2—Supplier fulfillment advice (inbound) | 0.4 | 0.5 | 0.3 | 41
Customer order via SSL (inbound) | 1.0 | 1.0 | 1.0 | 100
Customer service request via e-mail (inbound) | 0.4 | 0.4 | 0.9 | 55

Table 1-3 A weighted factor analysis worksheet © Cengage Learning 2014

The military has specialized classification ratings ranging from “Public” to “For Official Use Only” to “Confidential” to “Secret” to “Top Secret.” Most organizations do not need the detailed level of classification used by the military or federal agencies, but most organizations may find it necessary to classify their data to provide protection. A simple classification scheme would allow an organization to protect such sensitive information as its marketing or research data, its personnel data, its customer data, and its general internal communications. Alternatively, a scheme such as the following could be adopted:

● Public—Information for general public dissemination, such as an advertisement or public release

● For Official Use Only—Information that is not particularly sensitive but is not for public release, such as internal communications

● Sensitive—Information important to the business that could embarrass the company or cause loss of market share if revealed

● Classified—Information of the utmost secrecy to the organization, disclosure of which could severely affect the well-being of the organization

As mentioned earlier, personnel can also be classified with respect to information security, resulting in various levels of security clearance. In organizations that require security clearances, each user of data is assigned an authorization level that indicates the data he or she is authorized to view. This is usually accomplished by assigning each employee a named role—such as data entry clerk, development programmer, information security analyst, or even CIO—and a security clearance associated with that role. Overriding one’s security clearance, however, is the fundamental principle of need to know. Employees are not simply allowed to view any and all data that falls within their level of clearance. Before someone can access a specific set of data, the need-to-know requirement must be met. This extra level of protection ensures that the confidentiality of information is properly maintained.
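The clearance-plus-need-to-know decision described above, written out for the four-level scheme listed on this page, as an added example that is not the textbook's code; the role-to-clearance mapping, the data items and the need-to-know grants are constructed for illustration.

```python
"""Clearance plus need-to-know access decision for the four-level classification
scheme on this page. Added example, not the textbook's code: the role-to-clearance
mapping, the data items and the need-to-know grants are constructed for illustration.
"""
from dataclasses import dataclass

# Mutually exclusive, ordered levels (lowest to highest) from the page's sample scheme.
LEVELS = ("Public", "For Official Use Only", "Sensitive", "Classified")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Named roles from the page, each with an associated clearance (assumed values).
ROLE_CLEARANCE = {
    "data entry clerk": "For Official Use Only",
    "development programmer": "Sensitive",
    "information security analyst": "Classified",
    "CIO": "Classified",
}


@dataclass(frozen=True)
class DataItem:
    name: str
    classification: str
    topic: str  # the need-to-know compartment that must be explicitly granted


@dataclass(frozen=True)
class Employee:
    name: str
    role: str
    need_to_know: frozenset = frozenset()  # topics this person has a business need for

    @property
    def clearance(self):
        return ROLE_CLEARANCE[self.role]


def check_access(emp, item):
    """Return (allowed, reason). Both conditions must hold: the role's clearance is at
    least the item's classification AND the employee holds the item's need-to-know topic.
    Clearance alone never grants access to non-public data."""
    if item.classification not in RANK:
        raise ValueError(f"unknown classification {item.classification!r}")
    if RANK[emp.clearance] < RANK[item.classification]:
        return False, f"clearance {emp.clearance!r} below {item.classification!r}"
    if item.classification == "Public":
        return True, "public data"  # assumption: no need-to-know applies to public data
    if item.topic not in emp.need_to_know:
        return False, f"no need-to-know for {item.topic!r}"
    return True, "clearance and need-to-know satisfied"


def access_matrix(employees, items):
    """Map (employee name, item name) -> allowed, the kind of table a periodic
    management review of access controls would walk through."""
    return {(e.name, i.name): check_access(e, i)[0] for e in employees for i in items}


# Constructed sample data.
ITEMS = [
    DataItem("press release", "Public", "marketing"),
    DataItem("internal memo", "For Official Use Only", "operations"),
    DataItem("customer list", "Sensitive", "sales"),
    DataItem("merger plan", "Classified", "merger"),
]
STAFF = [
    Employee("Ann", "data entry clerk", frozenset({"operations"})),
    Employee("Bo", "information security analyst", frozenset({"operations", "sales"})),
    Employee("Cy", "CIO", frozenset({"merger"})),
]

if __name__ == "__main__":
    for (who, what), ok in access_matrix(STAFF, ITEMS).items():
        print(f"{who:>4} -> {what:<15} {'ALLOW' if ok else 'DENY'}")
```

Note that the CIO, despite holding the highest clearance, is denied the customer list because no need-to-know for that topic was granted.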

Threat Identification After identifying and performing a preliminary classification of an organization’s information assets, the analysis phase moves to an examination of the threats facing the organization. An organization faces a wide variety of threats; the realistic ones need to be investigated further, while the unimportant threats are set aside. Otherwise, the project’s scope can overwhelm the organization’s ability to plan.

Each of the threat categories identified in Table 1-1 must be assessed regarding its potential to endanger the organization. This is known as a threat assessment. Each threat can be assessed using a few basic questions:

● Which threats present a danger to the organization’s assets in the given environment?
● Which threats represent the most danger to the organization’s information?
● Which threats would cost the most to recover from if there was an attack?
● Which threats require the greatest expenditure to prevent?

By answering these questions, you can establish a framework for discussing threat assessment. The list may not cover everything, however. If an organization has specific guidelines or policies, these may require the posing of additional questions. The list is easily expanded to include additional requirements.

Vulnerability Identification Once you have identified the organization’s information assets and documented some criteria for assessing the threats they face, you should review each information asset and each threat it faces to create a list of vulnerabilities. You should then examine how each of the threats could be perpetrated. Finally, you should list the organization’s assets and its vulnerabilities. The list shows all the vulnerabilities of all the information assets and can be quite long. Some threats manifest themselves in multiple ways, yielding multiple vulnerabilities for that threat. The process of listing vulnerabilities is somewhat subjective and draws on the experience and knowledge of the people creating the list. Therefore, it works best when groups of people with diverse backgrounds work iteratively in a series of brainstorming sessions. For instance, the team that reviews the vulnerabilities for networking equipment should include the networking specialists, the systems management team that operates the network, the information security risk specialist, and even technically proficient users of the system.

At the end of the risk identification process, you will have a list of all the information assets and their respective vulnerabilities. This list, along with any supporting documentation, is the starting point for the next step, risk assessment.

Risk Assessment Now that you have identified the organization’s information assets and the threats and vulnerabilities of those assets, it’s time to assess the relative risk for each vulnerability. This is accomplished through a process called risk assessment. Risk assessment assigns a risk rating or score to each information asset. Although this number does not mean anything in absolute terms, it is useful in gauging the relative risk to each vulnerable information asset and facilitates the development of comparative ratings later in the risk control process. Figure 1-4 shows the factors that go into the risk-rating estimate for each of the vulnerabilities.

The goal at this point is to create a method for evaluating the relative risk of each of the listed vulnerabilities. There are many detailed methods for determining accurate and detailed costs of each of the vulnerabilities. Likewise, there are models that can be used to estimate expenses for the variety of controls that can be used to reduce the risk for each vulnerability. However, it is often more useful to use a simpler risk model (such as the one shown in Figure 1-4) to evaluate the risk for each information asset. The following sections present the factors used to calculate the relative risk for each vulnerability.

Likelihood The probability that a specific vulnerability within an organization will be successfully attacked is referred to as likelihood.10 In risk assessment, you assign a numeric value to the likelihood of a vulnerability being successfully exploited. The likelihood of a vulnerability could be assigned a number between 0.1 (for low) and 1.0 (for high), or it could be assigned a number between 1 and 100, but 0 is not used because vulnerabilities with a zero likelihood have been removed from the asset/vulnerability list. Whatever rating system is used, you should bring all your professionalism, experience, and judgment to bear, and you should use the rating model you selected consistently. Whenever possible, use external references for likelihood values that have been reviewed and adjusted for your specific circumstances.

Figure 1-4 Factors of risk (© Cengage Learning 2014): Risk is the likelihood of the occurrence of a vulnerability multiplied by the value of the information asset, minus the percentage of risk mitigated by current controls, plus the uncertainty of current knowledge of the vulnerability.

Many asset/vulnerability combinations have sources for determining their likelihoods. For example, the likelihood of a fire has been actuarially estimated for each type of structure (such as a building). Likewise, the likelihood that a given e-mail contains a virus or worm has been researched. Finally, the number of network attacks can be forecast based on how many network addresses the organization has been assigned.

Valuation of Information Assets Using the information obtained during the information asset identification phases, you can assign weighted scores for the value to the organization of each information asset. The actual numbers used can vary with the needs of the organization. Some groups use a scale of 1 to 100, with “100” reserved for those information assets that, if lost, would cause the company to stop operations within a few minutes. Other scales assign weights in broad categories, assigning all critical assets a value of 100, all low-critical assets a value of 1, and all others a value of 50. Still other groups use a scale of 1 to 10 or assigned values of 1, 3, and 5 to represent low-valued, medium-valued, and high-valued assets. You can also create weight values for your specific needs. To be effective, the values must be assigned by asking the questions described in the “Threat Identification” section.

After re-asking these questions, you should use the background information from the risk identification process to pose one additional question: Which of these questions is most important to the protection of the organization’s information? This helps you set priorities in the assessment of vulnerabilities. Additional questions may also be asked. Again, you are looking at threats the organization faces in its current state; however, this information will be valuable in later stages as you begin to design the security solution. Once these questions are answered, you move to the next step in the process: examining how current controls can reduce the risk faced by specific vulnerabilities.

If a vulnerability is fully managed by an existing control, it no longer needs to be considered for additional controls and can be set aside. If it is partially controlled, you need to estimate what percentage of the vulnerability has been controlled.

It is impossible to know everything about each vulnerability, such as how likely it is to occur or how great an impact a successful attack would have. The degree to which a current control can reduce risk is also subject to estimation error. You must apply judgment when adding factors into the equation to allow for an estimation of the uncertainty of the information.

Risk Determination For the purpose of making relative risk assessments, we can say that risk equals the likelihood of a vulnerability occurring times the value (or impact) of that asset to the organization minus the percentage of risk that is already being controlled plus an element of uncertainty. For example, consider an information asset A that has a value of 50 and one vulnerability with a likelihood of 1.0 and no current controls; furthermore, it’s estimated that the assumptions and data are 90 percent accurate (that is, there’s a 10 percent uncertainty). Therefore, asset A’s vulnerability is rated as 55, which is derived from the following calculation:

(50 [being the value] × 1.0 [being the likelihood of occurrence]) – 0 percent [being the percent of risk currently controlled] + 10 percent [being the uncertainty of our assumptions]

Or, using just numbers:

55 = (50 × 1.0) – ((50 × 1.0) × 0.0) + ((50 × 1.0) × 0.1)

55 = 50 – 0 + 5
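The weighted factor analysis of Table 1-3 carried through to the risk-rating formula just shown, as an added example that is not the textbook's own code; Table 1-3's criterion weights and scores are used as given, while the vulnerabilities and their likelihood, control and uncertainty figures are constructed for illustration.

```python
"""Weighted factor analysis (Table 1-3) feeding the relative-risk formula of Figure 1-4
and the asset A calculation. Added example, not the textbook's code: criterion weights
and asset scores are the Table 1-3 values; the vulnerabilities and their likelihoods,
control percentages and uncertainties are constructed for illustration.
"""
from dataclasses import dataclass

# Criterion weights from Table 1-3 (each 1-100; the weights must total 100).
WEIGHTS = {"impact on revenue": 30, "impact on profitability": 40, "impact on image": 30}

# Per-asset criterion scores (0.1-1.0) from Table 1-3, in the same criterion order.
ASSET_SCORES = {
    "EDI Document Set 1: Logistics BOL to outsourcer (outbound)": (0.8, 0.9, 0.5),
    "EDI Document Set 2: Supplier orders (outbound)": (0.8, 0.9, 0.6),
    "EDI Document Set 2: Supplier fulfillment advice (inbound)": (0.4, 0.5, 0.3),
    "Customer order via SSL (inbound)": (1.0, 1.0, 1.0),
    "Customer service request via e-mail (inbound)": (0.4, 0.4, 0.9),
}


def weighted_score(scores, weights=WEIGHTS):
    """Sum of score x weight over the criteria, rounded to a whole number as in Table 1-3."""
    if sum(weights.values()) != 100:
        raise ValueError("criterion weights must total 100")
    if len(scores) != len(weights) or any(not 0.1 <= s <= 1.0 for s in scores):
        raise ValueError("one score per criterion, each between 0.1 and 1.0")
    return round(sum(s * w for s, w in zip(scores, weights.values())))


def asset_values(asset_scores=ASSET_SCORES, weights=WEIGHTS):
    """Information asset valuation: asset name -> weighted score (the table's last column)."""
    return {name: weighted_score(scores, weights) for name, scores in asset_scores.items()}


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    description: str
    likelihood: float   # 0.1-1.0; zero-likelihood items are dropped from the list, never rated
    controlled: float   # fraction of the risk already mitigated by current controls (0.0-1.0)
    uncertainty: float  # fraction the assumptions may be off by (0.1 means 90 percent accurate)


def risk_rating(value, likelihood, controlled, uncertainty):
    """Figure 1-4: (value x likelihood) - (that x controlled) + (that x uncertainty)."""
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError("likelihood must be between 0.1 and 1.0")
    if not (0.0 <= controlled <= 1.0 and 0.0 <= uncertainty <= 1.0):
        raise ValueError("controlled and uncertainty are fractions between 0 and 1")
    exposure = value * likelihood
    return exposure - exposure * controlled + exposure * uncertainty


def ranked_vulnerability_worksheet(vulns, values):
    """Rate each vulnerability against its asset's weighted value and rank highest risk first.
    A vulnerability fully managed by an existing control is set aside, as the text describes."""
    rows = []
    for v in vulns:
        if v.controlled >= 1.0:
            continue
        rating = risk_rating(values[v.asset], v.likelihood, v.controlled, v.uncertainty)
        rows.append((v.asset, v.description, values[v.asset], round(rating, 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed vulnerabilities for the Table 1-3 assets.
VULNS = [
    Vulnerability("Customer order via SSL (inbound)", "unpatched web server", 0.5, 0.4, 0.1),
    Vulnerability("EDI Document Set 2: Supplier orders (outbound)", "transfer not encrypted", 0.3, 0.0, 0.2),
    Vulnerability("Customer service request via e-mail (inbound)", "malware in attachments", 0.7, 0.5, 0.1),
    Vulnerability("EDI Document Set 1: Logistics BOL to outsourcer (outbound)", "server theft", 0.2, 1.0, 0.1),
]

if __name__ == "__main__":
    print("asset A from the text:", risk_rating(50, 1.0, 0.0, 0.1))  # 55.0
    for asset, desc, value, rating in ranked_vulnerability_worksheet(VULNS, asset_values()):
        print(f"{rating:7.2f}  value={value:3d}  {asset}: {desc}")
```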

Qualitative Risk Management Now that this formula has been carefully explained, you need to keep in mind that virtually every number used in it has been estimated by someone, somewhere. Insurance companies may have reliable values for physical disasters (fire, floods, etc.), but a different approach may be preferred when considering the substantial portion of an organization’s budget that goes for information security as well as the budget for IR, DR, and BC planning and preparation. Some organizations prefer more qualitative approaches in which more general categories and ranking are used to evaluate risk. One such approach—the Factor Analysis of Information Risk (FAIR) strategy promoted by CXOWARE, a company focusing on enterprise risk management (http://riskmanagementinsight.com)—is flexible yet robust.

For each threat and its associated vulnerabilities that have residual risk, you need to create a preliminary list of control ideas. Residual risk is the risk that remains to the information asset even after the existing control has been applied.

Identify Possible Controls Controls, safeguards, and countermeasures are terms used to represent security mechanisms, policies, and procedures that reduce the risk of operating information systems. The three general categories of controls, according to the CNSS model discussed earlier, are policies, programs (education and training), and technologies.

Policies are documents that specify an organization’s approach to security. There are three types of security policies: the enterprise information security policy, issue-specific policies, and systems-specific policies. The enterprise information security policy is an executive-level document that outlines the organization’s approach and attitude toward information security and relates to the strategic value of information security within the organization. This document, typically created by the CIO in conjunction with the CEO and CISO, sets the tone for all subsequent security activities. Issue-specific policies address the specific implementations or applications of which users should be aware. These policies are typically developed to provide detailed instructions and restrictions associated with security issues. Examples include policies for Internet use, e-mail, and access to the building. Finally, systems-specific policies address the particular use of certain systems. This could include firewall configuration policies, systems access policies, and other technical configuration areas.

Programs are activities performed within the organization to improve security. These include security education, training, and awareness programs. Security technologies are implementations of the policies defined by the organization using technology-based mechanisms, such as firewalls or intrusion detection systems.

Risk Control Strategies When management has determined that the risks from information security threats are unacceptable, or when laws and regulations mandate such action, they empower the information technology and information security communities of interest to control the risks. Once the project team for information security development has created the ranked vulnerability worksheet, it must choose one of the following five approaches for controlling the risks that result from the vulnerabilities:

● Defense
● Transferal
● Mitigation
● Acceptance
● Termination

Defense The defense approach attempts to prevent the exploitation of the vulnerability. This is the preferred approach and is accomplished by means of countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards. This approach is sometimes referred to as avoidance.

There are three common methods of risk defense: defense through application of policy, defense through application of training and education programs, and defense through application of technology. The application of policy allows management to mandate that certain procedures are always followed. For example, if the organization needs to control password use more tightly, a policy requiring passwords on all IT systems can be implemented. Note that policy alone may not be enough and that effective management always couples changes in policy with training and education and/or the application of technology. Policy must be communicated to employees. In addition, new technology often requires training. Awareness, training, and education are essential if employees are to exhibit safe and controlled behavior.

In the real world of information security, technical solutions are usually required to assure that risk is reduced. To continue the earlier example, system administrators may not configure systems to use passwords unless required by policy. Without the policy to mandate the use of passwords, the system administrator may choose not to implement them.

Risks may be avoided by countering the threats facing an asset or by eliminating the exposure of a particular asset. Eliminating the risk posed by a threat is virtually impossible, but it is possible to reduce the risk to an acceptable level. Another method of risk management that falls under the defense category is the implementation of security controls and safeguards to deflect attacks on systems and therefore minimize the probability that an attack will be successful. An organization with an FTP access vulnerability, for example, may choose to implement a control or safeguard for that service, or the organization may choose to eliminate the FTP service to avoid the potential risk.

Transferal The transferal approach attempts to shift the risk to other assets, other processes, or other organizations. This may be accomplished through rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.


When an organization does not have the correct balance of information security skills, it should consider hiring or making outsourcing arrangements with individuals or firms that provide such expertise. This allows the organization to transfer the risks associated with the management of these complex systems to another organization that has experience in dealing with those risks. A side benefit of specific contract arrangements is that the provider is responsible for disaster recovery and, through service-level agreements, can be made responsible for guaranteeing server and Web site availability.

However, outsourcing is not without its own risks. It is up to the owner of the information asset, IT management, and the information security team to ensure that the disaster recovery requirements of the outsourcing contract are sufficient and have been met before they are needed for recovery efforts. If the outsourcer fails to meet the contract terms, the consequences may be far worse than expected.

Mitigation The mitigation approach attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation. This approach includes contingency planning and its four functional components: the business impact analysis, the incident response plan, the disaster recovery plan, and the business continuity plan. Each of these components of the contingency plan depends on the ability to detect and respond to an attack as quickly as possible and relies on the existence and quality of the other plans. Mitigation begins with the early detection that an attack is in progress and the ability of the organization to respond quickly, efficiently, and effectively. Each of these is described later in this chapter and explored in depth in later chapters of the book.

Acceptance Acceptance is the choice to do nothing to protect an information asset and to accept the outcome of its potential exploitation. This may or may not be a conscious business decision. The only industry-recognized valid use of this strategy occurs when the organization has done the following:

● Determined the level of risk
● Assessed the probability of attack
● Estimated the potential damage that could occur from an attack
● Performed a thorough cost-benefit analysis
● Evaluated controls using each appropriate type of feasibility
● Decided that the particular function, service, information, or asset did not justify the cost of protection

This control, or rather lack of control, is based on the conclusion that the cost of protecting an asset does not justify the security expenditure. In this case, management may be satisfied with taking its chances and saving the money that would normally be spent on protecting this asset. If every vulnerability identified in the organization is handled through acceptance, it may reflect an organization’s inability to conduct proactive security activities and an apathetic approach to security in general.

Termination Like acceptance, termination is based on the organization’s need or choice to leave an asset unprotected. Here, however, the organization does not wish the information asset to remain at risk and so removes it from the environment that represents risk. Sometimes, the cost of protecting an asset outweighs its value. In other cases, it may be too difficult or expensive to protect an asset, compared to the value or advantage that asset offers the company. In either case, termination must be a conscious business decision, not simply the abandonment of an asset, which would technically qualify as acceptance.

Contingency Planning and Its Components A key role for all managers is planning. Managers in IT in general and information security in particular usually provide strategic planning for an organization to ensure the continuous availability of information systems. Unfortunately for managers, the probability that some form of damaging event will occur, whether it be from inside or outside, intentional or accidental, human or nonhuman, annoying or catastrophic, is very high. Thus, managers from each community of interest within the organization must be ready to act when a successful attack occurs.

There are various types of plans for events of this type, and they all fall under the general definition of contingency planning. A contingency plan is used to anticipate, react to, and recover from events that threaten the security of information and information assets in the organization; it is also used to restore the organization to normal modes of business operations.

Contingency planning (CP) typically involves four subordinate functions:

● Business impact analysis (BIA)
● Incident response planning (IRP)
● Disaster recovery planning (DRP)
● Business continuity planning (BCP)

Each of these is described in the following sections and discussed in greater detail in later chapters. You will notice that contingency planning has many similarities with the risk management process. The contingency plan is a microcosm of risk management activities, and it focuses on the specific steps required to return all information assets to the level at which they were functioning before the incident or disaster. As a result, the planning process closely emulates the process of risk management.

Business Impact Analysis The entire planning process begins with an assessment of the risks associated with these contingencies. The first function in the development of the CP process is the business impact analysis (BIA). A BIA is an investigation and assessment of the impact that various attacks can have on the organization. The BIA takes up where the risk assessment process leaves off. It begins with the prioritized list of threats and vulnerabilities identified in the risk management process and adds critical information. The BIA is a crucial component of the initial planning stages, as it provides detailed scenarios of the potential impact each attack could have on the organization.

Incident Response Plan The actions an organization can, and perhaps should, take while an incident is in progress are defined in a document referred to as the incident response plan (IR plan). An incident is any clearly identified attack on the organization’s information assets that would threaten the assets’ confidentiality, integrity, or availability. The IR plan deals with identifying, classifying, responding to, and recovering from an incident. It provides answers to questions victims might pose in the midst of an incident, such as “What do I do now?” In this chapter’s opening scenario, the IT organization was ready to respond to the events that had alerted JJ to an unusual situation. There, a simple process was used, based on documented procedures that were prepared in advance. Another example would be a systems administrator who notices that someone is copying information from the server without authorization, signaling a violation of policy by a potential hacker or unauthorized employee. What should the administrator do first? Who should be contacted? What should be documented? The IR plan supplies the answers.

In the event of a serious virus or worm outbreak, the IR plan may be used to assess the likelihood of imminent damage and to inform key decision makers in the various communities of interest (IT, information security, organization management, and users). The IR plan also enables the organization to take coordinated action that is either predefined and specific or ad hoc and reactive. The intruders who, in some instances, cause these incidents, constantly look for new weaknesses in operating systems, network services, and protocols.

According to a report released by the Software Engineering Institute at Carnegie Mellon University, “[Intruders] actively develop and use sophisticated programs to rapidly penetrate systems. As a result, intrusions, and the damage they cause, are often achieved in a matter of seconds.”11

Another report released by the Software Engineering Institute states that organizations “will not know what to do in the event of an intrusion if the necessary procedures, roles, and responsibilities have not been defined and exercised in advance.” The absence of such procedures, the report adds, can lead to the following:

● Extensive damage to data, systems, and networks due to not taking timely action to contain an intrusion. This can result in increased costs, loss of productivity, and loss of business.

● The possibility of an intrusion affecting multiple systems both inside and outside your organization because staff did not know who else to notify and what additional actions to take

● Negative exposure in the news media that can damage your organization’s stature and reputation with your shareholders, your customers, and the community at large

● Possible legal liability and prosecution for failure to exercise an adequate standard of due care when your systems are inadvertently or intentionally used to attack others.12

Source: Carnegie Mellon University

Disaster Recovery Plan The most wisely implemented form of mitigation strategy is the disaster recovery plan. A disaster recovery plan (DR plan) deals with the preparation for and recovery from a disaster, whether natural or man-made. Although media backup strategies are an integral part of the disaster recovery plan, the overall program includes the entire spectrum of activities used to recover from an incident. The DR plan can include strategies to limit losses before and during the disaster. These strategies are fully deployed once the disaster has stopped. DR plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede.

The DR plan and IR plan development processes overlap to a degree. In many regards, the DR plan is an extension to the IR plan that covers disastrous events. The IR plan is also flexible enough to be useful in situations that are near disasters but still require coordinated, planned actions. Although some DR plan and IR plan decisions and actions are the same, their urgency and results can differ dramatically. The DR plan focuses more on preparations completed before the incident and actions taken after the incident, whereas the IR plan focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions.

Business Continuity Plan The third type of planning document that’s part of the mitigation strategy is the business continuity plan (BCP). A business continuity plan (BC plan) is a document that describes how, in the event of a disaster, critical business functions will continue at an alternate location while the organization recovers its ability to function at the primary site, as supported by the DR plan. The BC plan is the most strategic and long term of the three plans. It encompasses the continuation of business activities if a catastrophic event occurs, such as the loss of an entire database, building, or operations center. The BC plan development process includes planning the steps necessary to ensure the continuation of the organization when the scope or scale of a disaster exceeds the ability of the DR plan to restore operations. Many companies offer services as a contingency against disastrous events such as fires, floods, earthquakes, and most natural disasters.

A related tool that is being used more and more often in contingency planning is the business resumption plan (BR plan). The phrase itself reflects the fact that disaster recovery and business continuity are closely related functions, and it is used here to describe an approach that merges the capabilities of both subsets of contingency planning. In a growing number of organizations, all the subordinate functions of the contingency plan may be handled as a single planning process, resulting in a single document. In large, complex organizations, all these plans may represent separate but related planning functions that differ in scope, applicability, and design. In a small organization, the security administrator (or systems administrator) may have one simple plan that consists of a straightforward set of media backup and recovery strategies and a few service agreements from the company’s service providers. However, the sad reality is that many organizations have a level of planning that is woefully deficient.

Contingency Planning Timeline Here is a brief review of the steps involved in CP:

● The IR plan focuses on immediate response, but if the event escalates or is disastrous (such as a fire, flood, earthquake, or total blackout), the process moves on to disaster recovery and the BCP.

● The DR plan typically focuses on restoring systems at the original site after disasters occur and, as such, is closely associated with the BC plan.

● The BC plan occurs concurrently with the DR plan when the damage is major or long term, requiring more than simple restoration of information and information resources. The BCP establishes critical business functions at an alternate site.

Some organizations treat the DR plan and BC plan as so closely linked that they are indistinguishable. However, each has a distinct role and planning requirement. The following sections describe the tasks necessary for each of these three types of plans. You can also further distinguish among the three types of planning by examining when each comes into play during the life of an incident. Figure 1-5 shows a sample sequence of events and the overlap when the plans come into play. Disaster recovery activities typically continue even after the organization has resumed operations at the original site.

The major project work modules (described later in this book) that are performed by the contingency planning project team are shown in Figure 1-6. Although the figure does not explain these modules in full detail, it provides a useful overview of the process. Many of the sections of upcoming chapters correspond to the steps depicted in this diagram.

NIST SP 800-34, Revision 1, treats CP as involving much more than the IRP, DRP, and BCP, and defines seven steps.13 Here are the seven steps:

1. Develop the contingency planning policy statement. The CP Policy is the formal policy that will guide the efforts of the subordinate teams in developing their plans, and the overall operations of the organization during contingency operations.

2. Conduct the business impact analysis (BIA). The BIA, described later in this chapter, helps identify and prioritize organizational functions, and the information systems and components critical to supporting the organization’s mission/business processes.

3. Identify preventive controls. Assess those countermeasures and safeguards that mitigate the risk and impact of events on organizational data, operations, and personnel.

[Figure 1-5 Contingency planning timeline (© Cengage Learning 2014). Timeline: Event occurs → Post-event (hours) → Post-event (days).
IRP: Incident detection → Incident reaction (if event is classified as an incident) → Incident recovery → Incident resolved, operations restored, end IRP.
DRP: Disaster reaction (if incident classified as disaster) → Disaster recovery (restore operations at primary site) → Primary operations restored, end DRP/BCP.
BCP: Continuity reaction (if disaster requires off-site operations) → Alternate site operations.
BRP: shown spanning the DRP and BCP activities.]


4. Create contingency strategies. The CPMT, with input from the subordinate team leaders, will evaluate and invest in strategies that will support the IR, DR, and BC efforts should an event affect business operations. These include data backup and recovery plans, off-site data storage, and alternate site occupancy strategies.

5. Develop subordinate plans. For each subordinate area develop a plan to handle the corresponding actions and activities necessary to (1) respond to an incident, (2) recover from a disaster, and (3) establish operations at an alternate site following a disruptive event.

6. Ensure plan testing, training, and exercises. Ensure each subordinate plan is tested and the corresponding personnel are trained to handle any event that escalates into an incident or a disaster.

7. Ensure plan maintenance. Manage the plan, ensuring periodic review, evaluation, and updating.

Source: NIST, SP 800-34, Revision 1

These seven stages are illustrated in Figure 1-7.

Before the event, the organization should form the CPMT. That is, they should assemble the management team that will guide CP planning and execution. This includes representatives from business management, operations, and the projected subordinate teams. After the contingency plan is drafted, the subordinate teams, policies, and plans are developed.

[Figure 1-6 Major steps in contingency planning (© Cengage Learning 2014). Main sequence: Form the CP team → Develop the CP policy statement → Form subordinate planning teams (IR/DR/BC) → Develop subordinate planning policies (IR/DR/BC) → Integrate the business impact analysis (BIA) → Identify preventive controls → Organize response teams (IR/DR/BC) → Create response strategies (IR/DR/BC) → Develop subordinate plans (IR/DR/BC) → Ensure plan testing, training, and exercises → Ensure plan maintenance.
Feeding into the BIA step: Conduct the business impact analysis (BIA): determine mission/business processes and recovery criticality; identify recovery priorities for system resources; identify resource requirements.]


The NIST plans that support these processes are summarized in Table 1-4.

[Figure 1-7 Stages of contingency planning (Source: NIST, SP 800-34, Revision 1)]
Develop Contingency Planning Policy
• Identify statutory or regulatory requirements for contingency plans
• Develop IT contingency planning policy statement
• Obtain approval of policy
• Publish policy
Conduct Business Impact Analysis
• Identify critical IT resources
• Identify outage impacts and allowable outage times
• Develop recovery priorities
Identify Preventive Controls
• Implement controls
• Maintain controls
Develop Recovery Strategies
• Identify methods
• Integrate into system architecture
Develop Contingency Plan
• Document recovery strategy
Plan Testing, Training, and Exercises
• Develop test objectives
• Develop success criteria
• Document lessons learned
• Incorporate into the plan
• Train personnel
Plan Maintenance
• Review and update plan
• Coordinate with internal/external organizations
• Control distribution
• Document changes

Table 1-4 Types of NIST contingency-related plans
Source: NIST, SP 800-34, Revision 1

Business Continuity Plan (BCP)
Purpose: Provides procedures for sustaining mission/business operations while recovering from a significant disruption
Scope: Addresses mission/business processes at a lower or expanded level from COOP MEFs
Plan Relationship: Mission/business process-focused plan that may be activated in coordination with a COOP plan to sustain non-MEFs

Continuity of Operations (COOP) Plan
Purpose: Provides procedures and guidance to sustain an organization’s MEFs at an alternate site for up to 30 days; mandated by federal directives
Scope: Addresses MEFs at a facility; information systems are addressed based only on their support of the mission essential functions
Plan Relationship: MEF-focused plan that may also activate several business unit-level BCPs, ISCPs, or DRPs, as appropriate

Crisis Communications Plan
Purpose: Provides procedures for disseminating internal and external communications; means to provide critical status information and control rumors
Scope: Addresses communications with personnel and the public; not information system-focused
Plan Relationship: Incident-based plan often activated with a COOP or BCP, but may be used alone during a public exposure event

Critical Infrastructure Protection (CIP) Plan
Purpose: Provides policies and procedures for protection of national critical infrastructure components, as defined in the National Infrastructure Protection Plan
Scope: Addresses critical infrastructure components that are supported or operated by an agency or organization
Plan Relationship: Risk management plan that supports COOP plans for organizations with critical infrastructure and key resource assets

Cyber-Incident Response Plan
Purpose: Provides procedures for mitigating and correcting a cyber-attack, such as a virus, worm, or Trojan horse
Scope: Addresses mitigation and isolation of affected systems, cleanup, and minimizing loss of information
Plan Relationship: Information system-focused plan that may activate an ISCP or DRP, depending on the extent of the attack

Disaster Recovery Plan (DRP)
Purpose: Provides procedures for relocating information systems operations to an alternate location
Scope: Activated after major system disruptions with long-term effects
Plan Relationship: Information system-focused plan that activates one or more ISCPs for recovery of individual systems

Information System Contingency Plan (ISCP)
Purpose: Provides procedures and capabilities for recovering an information system
Scope: Addresses single information system recovery at the current or, if appropriate, alternate location
Plan Relationship: Information system-focused plan that may be activated independent from other plans or as part of a larger recovery effort coordinated with a DRP, COOP, and/or BCP

Occupant Emergency Plan (OEP)
Purpose: Provides coordinated procedures for minimizing loss of life or injury and protecting property from damage in response to a physical threat
Scope: Focuses on personnel and property particular to the specific facility; not mission/business process or information system-based
Plan Relationship: Incident-based plan that is initiated immediately after an event, preceding a COOP or DRP activation

Figure 1-8 shows how the various plans referenced in SP 800-34 relate to one another.

[Figure 1-8 Interrelationship of emergency preparedness plans (Source: NIST, SP 800-34, Revision 1). Plans within the ORGANIZATION: Crisis Communications Plan, OEP, DRP, ISCP**, CIRP, COOP, BCP*, CIP. Plans may be implemented in coordination with one another. * One or more BCPs could be activated. ** One or more ISCPs could be activated. Legend: business/mission process-focused plan; assets/personnel-focused plan; information system-focused plan.]

Role of Information Security Policy in Developing Contingency Plans

Much of what must be done in CP should be guided by, and reinforce, organizational information security policies. In fact, the outcome of the typical CP process is often new policy. This reinforces the need for proactive planning for the employees and the organization. It also indicates that policy is needed to enforce certain requirements for the protection of information before, during, and after any situation requiring a contingency plan. To better understand this relationship, a brief review of the key elements of the policy-making process is in order.

Quality security programs begin and end with policy.14 Because information security is primarily a management problem, not a technical one, policy obliges personnel to function in a manner that adds to the security of information assets rather than as a threat to those assets. Security policies are the least expensive control in that they involve only the time and effort of the management team to create, approve, and communicate, but they are the most difficult to implement properly. Shaping policy is difficult because it must never conflict with laws, must stand up in court if challenged, and must be properly administered through dissemination and documented acceptance.

Key Policy Definitions Before examining the various types of information security policies, it is important to understand exactly what policies and standards are and how they should be used.

A policy is a plan or course of action used by an organization to convey instructions from its senior management to those who make decisions, take actions, and perform other duties on behalf of the organization. Policies are organizational laws in that they dictate acceptable and unacceptable behavior within the context of the organization’s culture. Like laws, policies must define what is right, what is wrong, what the penalties are for violating policy, and what the appeal process is.

Standards, which have the same compliance requirements as policies, are more detailed statements of what must be done to comply with policy. Standards may be casually accepted; these are referred to as informal or de facto standards. Alternatively, they may be published, scrutinized, and ratified by a group; these are referred to as formal or de jure standards. Finally, there are practices, procedures, and guidelines, which explain how to comply with policy. Figure 1-9 shows policies as the force that drives standards, which in turn drive practices, procedures, and guidelines.

[Figure 1-9 Policies, standards, and practices (© Cengage Learning 2014). Policies (sanctioned by senior management) DRIVE Standards (built on sound policy and carrying the weight of policy), which DRIVE Practices, Procedures, and Guidelines (detailed steps required to meet the requirements of standards).]

Policies are written to support the mission, vision, and strategic planning of an organization. The mission of an organization is a written statement of an organization’s purpose. The vision of an organization is a written statement about the organization’s goals: where will it be in five years? In 10 years? Strategic planning is the process of moving the organization toward its vision.

To be effective, a policy must be disseminated by all means possible, including printed personnel manuals, organization intranets, and periodic supplements. All members of the organization must read, understand, and agree to the policies. At the same time, policies should be considered living documents, in that they require constant modification and maintenance as the needs of the organization evolve.

In general, a security policy is a set of rules that protect an organization’s assets. An information security policy provides rules for the protection of the information assets of the organization. According to NIST SP 800-14, management must define three types of security policy: the enterprise security policy, issue-specific security policies, and systems-specific security policies.

Enterprise Information Security Policy An enterprise information security policy (EISP) is also known as a general security policy, IT security policy, or information security policy. The EISP is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts. The EISP is an executive-level document, usually drafted by, or in cooperation with, the chief information officer of the organization. This policy is usually two to 10 pages long and shapes the philosophy of security in the IT environment. The EISP does not usually require continuous modification, unless there is a change in the strategic direction of the organization.

The EISP guides the development, implementation, and management of the security program. It contains the requirements to be met by the information security blueprint or framework. It defines the purpose, scope, constraints, and applicability of the security program in the organization. It also assigns responsibilities for the various areas of security, including systems administration, maintenance of the information security policies, and the practices and responsibilities of the users. Finally, it addresses legal compliance. According to NIST, the EISP typically addresses compliance by documenting the organizational structures put into place, describing the programs that have been developed, and reviewing the assignment of responsibilities and/or the use of specified penalties and disciplinary actions.15

When the EISP has been developed, the CISO (or chief information security officer) begins forming the security team and initiating the necessary changes to the information security program.

Issue-Specific Security Policy As an organization executes various technologies and processes to support routine operations, guidelines are needed to instruct employees to use these technologies and processes properly. In general, the issue-specific security policy (ISSP) addresses specific areas of technology and contains a statement on the organization’s position on a specific issue. It requires frequent updating.16

There are several approaches to creating and managing ISSPs, each with its own set of ISSP documents. Here are the three most common ones:

● Independent ISSP documents, each tailored to a specific issue
● A single comprehensive ISSP document covering all issues
● A modular ISSP document that unifies policy creation and administration while maintaining each specific issue’s requirements

Table 1-5 shows a sample ISSP, which can be used as a template to enable an organization to address all the key points of such a policy. An organization should add to this structure the specific details that dictate security procedures not covered by these general guidelines.

1. Statement of policy

a. Scope and applicability

b. Definition of technology addressed

c. Responsibilities

2. Authorized access and usage of equipment

a. User access

b. Fair and responsible use

c. Protection of privacy

3. Prohibited usage of equipment

a. Disruptive use or misuse

b. Criminal use

c. Offensive or harassing materials

d. Copyrighted, licensed, or other intellectual property

e. Other restrictions

4. Systems management

a. Management of stored materials

b. Employer monitoring

c. Virus protection

d. Physical security

e. Encryption

5. Violations of policy

a. Procedures for reporting violations

b. Penalties for violations

6. Policy review and modification

a. Scheduled review of policy and procedures for modification

7. Limitations of liability

a. Statements of liability or disclaimers

Table 1-5 Sections of an issue-specific security policy17
Source: NIST, SP 800-34, Revision 1

Each of the areas presented in Table 1-5 is discussed in the following sections. Even though the details may vary from policy to policy and some sections of a modular policy may be combined, it is essential for management to address and complete each section.

Statement of Policy The policy should begin with a clear statement of purpose that answers the following questions: What is the scope of this policy? Who is responsible and accountable for policy implementation? What technologies and issues does it address?

Authorized Access and Usage of Equipment This section of the policy statement addresses who can use the technology governed by the policy and what it can be used for. It defines “fair and responsible use” of equipment and other organizational assets, and it addresses key legal issues, such as protection of personal information and privacy.

Prohibited Usage of Equipment Whereas the previous section described what the issue or technology can be used for, this section outlines what it cannot be used for. Unless a particular use is clearly prohibited, the organization cannot penalize its employees for misuse. The following can be prohibited: personal use, disruptive use or misuse, criminal use, use of offensive or harassing materials, and infringement of copyrighted, licensed, or other intellectual property.

Systems Management This section focuses on the users’ relationship to systems management. It is important to designate all responsibilities to either the systems administrator or the users; otherwise, both parties may infer that the responsibility belongs to the other party.

Violations of Policy This section contains not only the specifics of the penalties for each category of violation but also instructions on how individuals in the organization can report observed or suspected violations without fear of recrimination or retribution.

Policy Review and Modification The policy should contain procedures and a timetable for periodic review. This section contains a specific methodology for the review and modification of the policy to ensure that users do not begin circumventing it as it grows obsolete.

Limitations of Liability This final section describes the limitations of the company’s liability. It should state that if employees violate a company policy or any law using company technologies, the company will not protect them, and that the company is not liable for their actions.

Systems-Specific Policy Whereas issue-specific policies are formalized as written documents, distributed to users, and agreed upon in writing, systems-specific security policies (SysSPs) are frequently codified as standards and procedures to be used when configuring or maintaining systems. SysSPs can be organized into two groups:

● Access control lists (ACLs)—Lists, matrices, and capability tables governing the rights and privileges of particular users to particular systems

● Configuration rules—The specific configuration codes entered into security systems to guide the execution of the system when information is passing through it

ACL Policies Most modern operating systems (OSs) translate ACLs into sets of configurations that administrators use to control access to their respective systems. ACLs allow a configuration to set restrictions for a particular user, computer, time, duration—even a particular file. In general, ACLs regulate the who, what, when, and where of access:

● Who can use the system

● What authorized users can access

● When authorized users can access the system

● Where authorized users can access the system from

In some systems, these lists of ACL rules are known as capability tables, user profiles, or user policies. They specify what the user can and cannot do with the system’s resources.

Rule Policies Rule policies are more specific to the operation of a system than ACLs and may or may not deal with users directly. Many security systems require specific configuration scripts that tell the systems what actions to perform on each set of information they process. Examples of these systems are firewalls, intrusion detection systems, and proxy servers.
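The who/what/when/where of an ACL and the ordered configuration rules a firewall or proxy consumes are the same mechanism seen from two sides, so the following added example (written for this page, not code from the textbook) demonstrates both at once: each rule carries the four ACL fields, evaluation is first match with default deny, and a small check reports rules that are shadowed by an earlier rule and can therefore never fire. The field names, the time-window and CIDR semantics, and the sample rule set and requests are all assumptions constructed for the illustration.

```python
# Added example, not from the textbook. Rule fields, the sample rule set and the
# sample requests below are constructed assumptions for illustration only.
from __future__ import annotations

from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    who: str                               # user name, or "*" for any user
    what: str                              # action such as "read"/"write", or "*"
    resource: str                          # exact path, or a prefix ending in "*"
    when: tuple[time, time] | None = None  # inclusive local-time window; None = always
    where: str | None = None               # source CIDR; None = any address
    effect: str = "allow"                  # "allow" or "deny"

# An access request: who asks, for what, on which resource, when, from where.
Request = namedtuple("Request", "user action resource at src")

def matches(rule: Rule, req: Request) -> bool:
    """Every populated field of the rule must cover the request."""
    if rule.who not in ("*", req.user) or rule.what not in ("*", req.action):
        return False
    if rule.resource.endswith("*"):
        if not req.resource.startswith(rule.resource[:-1]):
            return False
    elif rule.resource != req.resource:
        return False
    if rule.when is not None:
        start, end, t = *rule.when, req.at.time()
        # same-day window (08:00-18:00) or overnight window (22:00-06:00)
        if not (start <= t <= end if start <= end else t >= start or t <= end):
            return False
    if rule.where is not None and ip_address(req.src) not in ip_network(rule.where):
        return False
    return True

def evaluate(rules: list[Rule], req: Request) -> tuple[str, int | None]:
    """First matching rule decides; no match is a deny (the default that makes a list a policy)."""
    for i, rule in enumerate(rules):
        if matches(rule, req):
            return rule.effect, i
    return "deny", None

def _covers(a: Rule, b: Rule) -> bool:
    """True when every request matching rule b would already have matched rule a."""
    if a.who not in ("*", b.who) or a.what not in ("*", b.what):
        return False
    if a.resource.endswith("*"):
        if not b.resource.rstrip("*").startswith(a.resource[:-1]):
            return False
    elif b.resource.endswith("*") or a.resource != b.resource:
        return False
    if a.when is not None:
        if b.when is None:
            return False
        (a0, a1), (b0, b1) = a.when, b.when
        if a0 <= a1 and b0 <= b1:            # same-day windows nest by endpoints
            if not (a0 <= b0 and b1 <= a1):
                return False
        elif a.when != b.when:               # overnight windows: only identical ones count
            return False
    if a.where is not None:
        if b.where is None:
            return False
        na, nb = ip_network(a.where), ip_network(b.where)
        if na.version != nb.version or not na.supernet_of(nb):
            return False
    return True

def find_shadowed(rules: list[Rule]) -> list[tuple[int, int]]:
    """(dead rule, earlier rule that shadows it): a shadowed rule can never fire."""
    return [(j, i) for j in range(len(rules)) for i in range(j) if _covers(rules[i], rules[j])]

WORKDAY = (time(8, 0), time(18, 0))
CORP_NET, FINANCE_LAN = "10.0.0.0/8", "10.1.0.0/16"

SAMPLE_RULES = [                                                    # constructed
    Rule("contractor", "*", "/finance/*", effect="deny"),             # 0: explicit deny first
    Rule("*", "read", "/finance/*", WORKDAY, CORP_NET),               # 1: office-hours reads
    Rule("alice", "write", "/finance/ledger", WORKDAY, FINANCE_LAN),  # 2
    Rule("alice", "read", "/finance/ledger", WORKDAY, FINANCE_LAN),   # 3: dead, shadowed by 1
    Rule("bob", "read", "/hr/*"),                                     # 4: any time, anywhere
]

T10, T22 = datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 22, 0)
SAMPLE_REQUESTS = {                                                 # constructed
    "alice read ledger 10:00 10.1.2.3": Request("alice", "read", "/finance/ledger", T10, "10.1.2.3"),
    "alice write ledger 10:00 10.1.2.3": Request("alice", "write", "/finance/ledger", T10, "10.1.2.3"),
    "alice write ledger 22:00 10.1.2.3": Request("alice", "write", "/finance/ledger", T22, "10.1.2.3"),
    "contractor read report 10:00 10.5.5.5": Request("contractor", "read", "/finance/report", T10, "10.5.5.5"),
    "bob read handbook 22:00 203.0.113.7": Request("bob", "read", "/hr/handbook", T22, "203.0.113.7"),
}

def decide_all(rules=SAMPLE_RULES, requests=SAMPLE_REQUESTS) -> dict[str, tuple[str, int | None]]:
    return {label: evaluate(rules, req) for label, req in requests.items()}
```

Calling decide_all() returns the decision and the index of the deciding rule for each sample request (the 22:00 write is denied with no matching rule at all, which is the default-deny case), and find_shadowed(SAMPLE_RULES) reports rule 3 as dead because rule 1 already covers it. A rule set that has drifted from the written ACL policy in this way is exactly what the scheduled policy review described later in this section should catch.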

Policy Management Policies are living documents that must be nurtured, given that they are constantly changing and growing. They must be properly disseminated (distributed, read, understood, and agreed to) and managed. To remain viable, security policies must have the following:

● An individual (such as a policy administrator) responsible for the creation, revision, distribution, and storage of the policy; this individual should solicit input from all communities of interest in policy development.

● A schedule of reviews to ensure currency and accuracy, and to demonstrate due diligence

● A mechanism by which individuals can comfortably make recommendations for revisions, preferably anonymously

● A policy and revision date and possibly a “sunset” expiration date

● Optionally, policy management software to streamline the steps of writing the policy, tracking the workflow of policy approvals, publishing the policy once it is written and approved, and tracking when individuals have read the policy

Chapter Summary

● The Committee on National Security Systems (CNSS) has defined information security as “the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.” The industry standard for computer security since the development of the mainframe, the C.I.A. triangle, is used to illustrate the three most critical characteristics of information used within information systems: confidentiality, integrity, and availability.

● In general, a threat is an object, person, or other entity that is a potential risk of loss to an asset. A threat-agent is a specific and identifiable instance of a general threat that exploits vulnerabilities in the controls set up to protect the asset. A vulnerability is a flaw or weakness in a system that could be exploited, resulting in a security breach.

● The identifiable threats to information security are espionage or trespass, software attacks, human error or failure, theft, compromises of intellectual property, sabotage or vandalism, technical software failures or errors, technical hardware failures or errors, forces of nature, deviations in quality of service from service providers, technological obsolescence, and information extortion. Other sources for types of threats are also possible.

● Risk management is the process of identifying and controlling the risks to an organization’s information assets. All managers are expected to play a role in the risk management process, but information security managers are expected to play the largest roles. Risk management consists of two major undertakings: risk identification and risk control.

● Risk identification requires managers to identify, classify, and prioritize the organization’s information assets. The process continues with threat identification, in which each information asset is examined to identify vulnerabilities, and to identify existing and possible controls.

● Those responsible for risk control can use a ranked vulnerability worksheet to choose one of the five approaches for controlling the risks that result from the vulnerabilities: defense, transferal, mitigation, acceptance, or termination. The defense approach attempts to prevent the exploitation of the vulnerability. The transferal approach attempts to shift the risk to other assets, other processes, or other organizations. The mitigation approach attempts to reduce the impact caused by the exploitation of the vulnerability through planning and preparation. Acceptance is the choice to do nothing to protect an information asset and to accept the outcome of its potential exploitation. Termination is the choice not to leave the information asset at risk at all: the organization removes the asset from the environment that represents the risk.

● Contingency planning is a strategic process to ensure the continuous availability of information systems. A contingency plan is used to anticipate, react to, and recover from events that threaten the security of information and information assets in the organization; it is also used to restore the organization to normal modes of business operations. Contingency planning involves four subordinate functions: business impact assessment (BIA), incident response planning (IRP), disaster recovery planning (DRP), and business continuity planning (BCP). Contingency planning has many similarities to the risk management process.

● Business impact analysis (BIA) is an investigation and assessment of the impact that various attacks can have on the organization. The BIA takes up where the risk assessment process leaves off. It begins with the prioritized list of threats and vulnerabilities identified in the risk management process and appends critical information. The incident response (IR) plan deals with identifying, classifying, responding to, and recovering from an incident. The disaster recovery (DR) plan deals with the preparation for and recovery from a disaster, whether natural or man-made. A business continuity (BC) plan is a document that describes how, in the event of a disaster, critical business functions will continue at an alternate location while the organization recovers its ability to function at the primary site.

● Information security policy has a role in developing contingency plans. Much of what must be done in CP should be guided by, and reinforce, organizational information security policies. Information security is primarily a management problem, not a technical one. Policy obliges personnel to function in a manner that adds to the security of information assets rather than as a threat to those assets. Policies are written to support the mission, vision, and strategic planning of an organization. An enterprise information security policy is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.

● As an organization executes various technologies and processes to support routine operations, guidelines are needed to instruct employees in how to use these technologies and processes properly, with issue-specific policies to address specific areas of technology. Whereas issue-specific policies are formalized as written documents, distributed to users, and agreed upon in writing, systems-specific security policies are frequently codified as standards and procedures to be used when configuring or maintaining systems.

Review Questions

1. What is information security?

2. How is the CNSS model of information security organized?

3. What three principles are used to define the C.I.A. triangle? Define each in the context in which it is used in information security.

4. What is a threat in the context of information security?

5. What is an asset in the context of information security?

6. What is a vulnerability in the context of information security?

7. What is risk management?

8. What are the component parts of risk management?

9. Who is expected to be engaged in risk management activities in most organizations?

10. What are the basic strategies used to control risk? Define each.

11. What is a contingency plan?

12. List and describe the four subordinate functions of a contingency plan.

13. In general terms, what is policy?

14. What is the enterprise information security policy, and how is it used?

15. Why is shaping policy considered difficult?

16. What are standards? How are they different from policy?

17. What is an issue-specific security policy?

18. List the critical areas covered in an issue-specific security policy.

19. What is a systems-specific security policy?

20. When is a systems-specific security policy used?

Real-World Exercises

Exercise 1-1 Using a Web browser, search for any information security policies used at your academic institution. Compare them to the ones discussed in this chapter. Are there sections missing? If so, which ones?

Exercise 1-2 Using a Web browser, go to www.gocsi.com and download the latest CSI Computer Crime and Security Survey. What threats are currently the most dangerous? Which threats represent problems for your home computer? For your lab computer?

Exercise 1-3 Using a Web browser, go to http://cve.mitre.org. What type of site is this, and what information can it provide? Change the URL to http://cve.mitre.org/cve, click Search, and enter IP Validation Vulnerability in the search field. Click Search again. What information are you provided with? How would this be useful? Go to the URL noted in the CVE description for the Microsoft reference. What additional information are you provided? How would this be useful?

Exercise 1-4 Using a Web browser, go to www.securityfocus.com. What information is provided under the BugTraq tab? Under the Vulnerabilities tab? On the Vulnerabilities tab, select Microsoft as the Vendor and Windows Messenger as the title. Look for a PNG Buffer Overflow vulnerability. What information is provided under the Exploit tab? What does it mean? How could an attacker use this information? How could a security manager?