SECTION 2 ©

Prevention, Detection, Reaction
Internal Threats
Logic bombs
Risks with Business Partners
Business Partners may pass on viruses
Types of attacks
- Criminal Attacks
- Privacy Violations
    - Traffic Analysis
- Publicity Attacks
- Legal Attacks
Virus Protection
Viruses and web browsers
Denial of Service
White House DNS attack
Intranet risks

changes last made to this page 2003 Feb 18th

In Section Two we will use material from the following texts:

1st Edition
Chpt 5
2nd Edition
Chpt 7
Chpt 2
Chpt 3
Chpt 4
Chpt 1
Chpt 2
Chpt 2

course author: Tim Richardson
 
 
Learning Objectives for Section 2

Section 2 is organized such that after completing this section participants will be able to

  • understand that good security involves more than just prevention
  • identify what a company can do beyond prevention
    • detection
    • reaction
  • identify the risks of insecure systems faced by business partners
  • appreciate that business partners can pass on vulnerabilities to your clients
  • differentiate between the relative risk benefits of intranets, extranets and the Internet
  • understand the risk management paradigm and methodology
  • differentiate between control weakness and control risk
Secrets & Lies: Digital Security in a Networked World
Schneier talking about the "relationship between prevention, detection and reaction."

"Good security encompasses all three"
  • prevention - facilities and systems to prevent people getting in and taking information
  • detection - to find out if anybody has gotten in, and compromised important information or processes
  • reaction - to allow the "bad guys" to be identified and their activity stopped
Schneier points out that "digital security tends to rely wholly on prevention: cryptography, firewalls and so forth. There's generally no detection, and there's almost never any response or auditing"
 
Schneier's statement about the relationship between prevention, detection and reaction is very important. The reason it is important is that most companies are focusing on e-commerce security by spending money to develop firewalls, filtering etc. - but if someone is successful in getting past that, very few organizations will know about it.

This is like putting steel bars on your patio sliding doors hoping your house will not be broken into - but not knowing whether or not someone has snuck in through a basement window.

Security doesn't work - if you cannot determine if it is working !!!
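A small worked example of what "detection" and "reaction" look like next to prevention. This is an added illustration, not code from Schneier's book or from this course page: the password check that produced the log lines is the prevention layer and is assumed to exist; the script parses a constructed login log, flags any source with a burst of failed logins (detection) and produces a block list plus an audit record (reaction). The log format, addresses, user names and thresholds are all made up for the demonstration.

```python
"""Prevention, detection, reaction on a tiny scale (added example).

Prevention is assumed: the password check that produced these log lines.
Detection: parse the log and find sources with a burst of failed logins.
Reaction: emit a block list and an audit record naming what was seen.
The log format, addresses, user names and thresholds are all constructed
for this illustration; they are not from the course page or from Schneier.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified sshd-like format (not real data).
SAMPLE_LOG = """\
2003-02-18 09:00:01 sshd: Accepted password for alice from 10.0.0.5
2003-02-18 09:00:10 sshd: Failed password for root from 203.0.113.9
2003-02-18 09:00:11 sshd: Failed password for root from 203.0.113.9
2003-02-18 09:00:12 sshd: Failed password for admin from 203.0.113.9
2003-02-18 09:00:13 sshd: Failed password for admin from 203.0.113.9
2003-02-18 09:00:14 sshd: Failed password for test from 203.0.113.9
2003-02-18 09:05:00 sshd: Failed password for bob from 10.0.0.7
2003-02-18 09:05:40 sshd: Accepted password for bob from 10.0.0.7
2003-02-18 09:30:00 sshd: Failed password for bob from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Return (timestamp, result, user, source) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bursts(events, threshold=4, window=timedelta(seconds=60)):
    """Detection: sources with at least `threshold` failures inside one sliding window.

    Returns {source: number of failures in the first window that tripped the rule}.
    Bob's two failures 25 minutes apart never share a window, so he is not flagged.
    """
    failures = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "Failed":
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged


def react(flagged, window=timedelta(seconds=60)):
    """Reaction: a block list for the firewall plus one audit line per source."""
    block_list = sorted(flagged)
    audit = [
        f"BLOCK {src}: {n} failed logins within {int(window.total_seconds())}s"
        for src, n in sorted(flagged.items())
    ]
    return block_list, audit


if __name__ == "__main__":
    block_list, audit = react(detect_bursts(parse_log(SAMPLE_LOG)))
    print("\n".join(audit))
```

Without the detection step the five failed attempts at 09:00 would simply sit in the log: prevention held, but nobody would know the attempt happened, which is exactly the situation the text describes. The thresholds are deliberately tunable, because a rule that also blocks Bob for mistyping his password twice is a rule people will switch off.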

"Electronic Commerce": 
Greenstein & Feinman, (1st Edition) Chpt 5 The Risks of Insecure Systems
Greenstein & Vasarhelyi, (2nd Edition) Chpt 7 The Risks of Insecure Systems

the powerpoints for Chpt 5 (1st Ed) can be obtained from
http://homepages.cambrianc.on.ca/timrichardson/ecommerce/ECP1220/greensteinchap5.ppt
 
 

Before you begin reading Chapter 5 (7) in the Greenstein book, it would be a good idea to go to the website for the book and scan through the online list of "Key Terms"

The online glossary is at http://www.mhhe.com/business/accounting/greenstein/keyterms.mhtml#five
Page 133 Greenstein Text - 1st Edition
Page 215 Greenstein Text - 2nd Edition

"Until recently, most information security breaches were initiated by insiders. However a study by the CSI (Computer Security Institute) and FBI indicates that this trend is rapidly changing. The findings indicate that the number of external attacks is growing because of the increased use of the Internet"

Overview of Risks Associated with Internet Transactions

  • Internet Associated Risks
    • Risks to Customers
      • False or Malicious Websites (p. 218 2nd Edition)
        • Stealing Visitor's ID's and Passwords
        • Stealing Visitor's Credit Card information
        • "man-in-the-middle" attacks to monitor a Visitor's activity
        • Spying on a Visitor's hard drive
        • Uploading from the Visitor's hard drive
      • Theft of Customer Data
        • from Selling Agents
        • from ISPs
      • Cookies (see special section) p. 220-222   2nd ed.
      • Web Bugs
        • embedded within the HTML code on a page
        • used to track visitor's online movements
        • unlike cookies, cannot be turned off
    • Risks to Selling Agents and Vendors, p. 223   2nd ed.
      • customer impersonation
        • used to obtain product and service without paying
        • used also to create negative publicity situations
      • Denial of service (DNS) Attacks,  p. 224   2nd ed
        • explanation of PINGING a DNS
        • SYN flooding
  • Intranet Associated Risks
    • Sabotage by Employees
      • former employees
      • threats from current employees
      • social engineering
  • B2B Risks
    • risks associated with transactions between business partners
      • Data Interception
  • Archives
    • risks associated with confidentially-maintained archival, master file and reference data
  • Viruses
    • risks associated with viruses, malicious code and buffer overflows
      (in addition to the information in the Greenstein text, scroll down to viruses)
      • trojan horses
      • hoaxes
      • buffer overflows
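Web bugs, as the list above says, cannot be turned off the way cookies can, but they can be found. The following is an added example, not from the Greenstein text or this page, that scans a page's HTML with Python's standard html.parser and flags images that are both third-party and either 1x1 or hidden, the two tell-tale marks of a tracking pixel. The sample HTML, the page host www.example.com and the tracker hostnames are all constructed for the demonstration.

```python
"""Flag likely web bugs (tracking pixels) in an HTML page.

Added example, not from the Greenstein text or the course page. A web bug is
typically an <img> that is 1x1 (or hidden) and loads from a host other than
the page's own, so a third party learns who viewed the page and when. The
HTML below is constructed; the hostnames are documentation examples.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a normal logo, a 1x1 third-party pixel, a normal
# third-party banner, and a hidden third-party image.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="200" height="60" alt="logo">
<img src="http://tracker.example.net/pixel.gif?id=4711" width="1" height="1">
<img src="http://cdn.example.com/banner.jpg" width="468" height="60">
<img src="http://stats.example.org/i.gif" style="display: none">
</body></html>
"""


class WebBugScanner(HTMLParser):
    """Collect <img> sources that look like tracking pixels."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()   # host the page itself was served from
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname            # None for relative (first-party) URLs
        third_party = host is not None and host != self.page_host
        tiny = a.get("width") == "1" and a.get("height") == "1"
        hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        if third_party and (tiny or hidden):
            self.suspects.append(src)


def find_web_bugs(html, page_host):
    """Return the src of every image that is third-party and tiny or hidden."""
    scanner = WebBugScanner(page_host)
    scanner.feed(html)
    return scanner.suspects


if __name__ == "__main__":
    for src in find_web_bugs(SAMPLE_HTML, "www.example.com"):
        print("possible web bug:", src)
```

The banner from cdn.example.com is third-party but visible, so it is reported as nothing: the point of the check is the combination of an outside host with an image the visitor was never meant to see. The same test can be applied to HTML e-mail, where web bugs are used to confirm that an address is live.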

Special sections on witiger.com:
http://www.witiger.com/ecommerce/DNSattacks.htm - DNS Attacks
http://www.witiger.com/ecommerce/cookies.htm - cookies


Chpt 3 Types of Attacks

Secrets & Lies: Digital Security in a Networked  World
by Bruce Schneier

Chpt 3 Attacks
 
Schneier's third chapter in the book is an excellent overview of the different classes of attacks. You are strongly encouraged to read the entire chapter. The main themes, summarized in point form, are arranged below.

The reason for knowing many of the terms on this list is so that you may understand the depth and range of the types of risks that can affect your organization.

WTGR

  • Criminal Attacks
    • fraud
    • scams
    • destructive attacks
    • intellectual property attacks 
      • piracy
      • unauthorized copy of text and images from one site to another
    • identity theft
    • brand theft
    • prosecution
  • Privacy Violations
    • data harvesting
    • surveillance
    • databases
    • traffic analysis
    • massive electronic surveillance
  • Publicity Attacks
    • denial of service attacks
    • defacing web pages
  • Legal Attacks
Principles of Information Security
by Michael Whitman and Herbert Mattord
Chpt 2 The Need for Security
 
This chapter provides an excellent list of all the types of things that can go wrong with IT security.

WTGR.


A summary of the Threats described in Chpt 2 is listed below

Five groups of "real and present" danger

  • Inadvertent acts (malicious intent is absent)
    • Human error or failure of the product/system to operate
    • Deviations in quality of service by service providers
  • Deliberate acts
    • Competitive Intelligence
    • Industrial Espionage
    • Trespass
      • hacking
    • Information extortion
    • Sabotage and vandalism
    • Theft
    • Software attacks
      • DNS attacks
      • Virus attacks
        • Trojan Horse
        • Worms
    • Compromises to Intellectual Property
  • Acts of God
    • Forces of Nature
      • Fire
      • Flood
      • Earthquake
      • Lightning
      • Tornado / Hurricane
  • Technical failures
    • Hardware Failures
    • Software Failures
  • Management failures
    • Technological Obsolescence

We have a CD with the powerpoints for this book and the powerpoint for Chpt 2 is available at the link below
 www.witiger.com/powerpoints/IT~security/
WTGR

Chpt 3 Types of Attacks - Frauds


In addition to the resources of the National Consumers League, you can also access the web page of the National Fraud Information Center (http://www.fraud.org/). The NFIC also has a special section on their web site dealing with Internet Fraud.
In their own words "Internet Fraud Watch was launched in March of 1996 enabling the NFIC to expand its services to help consumers distinguish between legitimate and fraudulent promotions in cyberspace and route reports of suspected fraud to the appropriate law enforcement agencies."
 
The NFIC web site is very extensive and you should spend some time looking at the various links and reading about some of the types of scams and frauds.

They also have an "Internet Tips" page which is simply worded, but useful.

You could earn some class contribution points by thoroughly reviewing this site and picking out some additional information which could be added in to this page.


Chpt 3 Types of Attacks - Scams

Schneier quotes the National Consumers League (Chpt 3, page 24)
"the five most common online scams are
  • sale of internet services
  • sale of general merchandise
  • auctions
  • pyramid and multi-level marketing schemes
  • business opportunities"

The National Consumers League (Chpt 3, page 24)
http://www.natlconsumersleague.org/essentials/index.html
It would be very worthwhile for ECP participants to spend some time on this site since it has some links and tips that are helpful.

Privacy Violations

In many countries, people do not own the information which is collected about them, that is to say, their personal data.

This information is considered the property of whatever credit card company, insurance firm or educational institution collected the information.

As a consequence of some outrageous violations in collecting and disseminating personal information, Canada, New Zealand and other countries have enacted tough laws which are binding on the companies that collect and pass on personal profile information (which we noted in Section 1 of this course when we presented the federal and provincial legislation dealing with this).

Privacy violations are not, strictly speaking, criminal activity, but, depending on what is done with the information, it can be used for criminal purposes - such as assuming an identity for the purpose of obtaining credit, which could then be used to fraudulently buy products and services.

As a person studying IT security, it would be your responsibility to understand that protecting the private personal information of people whose data is held within your firm's IT systems is critical to operating effectively and without risk.

    .

    Chpt 3

    Types of
    Attacks

    - Privacy Violations

    Privacy Violations

    Schneier, page 29
    "There are two types of privacy violations 

    • Targeted Attacks, and
    • Data Harvesting"
    Targeted Attacks
    If the attacker wants to know everything about 
    • a person, it is called stalking
    • a company, it is called industrial espionage and corporate intelligence
    • a country, it is called  national intelligence gathering, or spying
    Data Harvesting
    As Schneier says, "this attack harnesses the power of correlation"

    Data harvesting is only worthwhile doing if it can be automated, and computers allow the automation process to be done very effectively. Using good cryptography will thwart harvesters since they will not be easily able to identify if what they are looking for is in the target they are attacking.
     

Chpt 3 Types of Attacks - Traffic Analysis

Secrets & Lies: Digital Security in a Networked World
by Bruce Schneier
Chpt 3 Attacks
• Privacy Violations
  • traffic analysis
"Traffic analysis is the study of communication patterns. Not the content of the messages themselves, but characteristics about them"
     
Explanation:

If Joe sends a long message to Bill, then Bill sends a short reply back to Joe, and additionally a long message to Sue, Kevin, Greg and Alice, then we can assume there is some degree of hierarchy in this structure and, regardless of the content, there must be some directions coming from Big Joe which need to be passed on. If you wanted to spend time hacking these messages, the most effective thing to do is hack the single message from Joe to Bill since the information in that would probably tell you what Sue, Kevin, Greg and Alice received from Bill.

The purpose of this explanation is to show that sometimes the patterns of communication are just as important to understanding as the actual text of the message sent.

Schneier gives an amusing example noting that in the hours leading up to the 1991 bombing of Iraq, pizza deliveries to the Pentagon increased one hundredfold - even if you did not know what the generals and admirals were talking about, it had to be something important on which some serious decision-making time would be spent.

Although we have cautioned in ECP 1220 that it is wise to encrypt your communications, we also have to mention that sometimes people can figure out what you are doing anyway because even if the message is encrypted, people could know the volume of traffic and this might be an indicator of something important - depending on the context.

Therefore: not only should you prevent people from knowing the content of your messages, you should endeavour not to let people know the messages even exist !!!
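The Joe and Bill story worked through as an added example, not code from Schneier or from this course page. Each "message" carries only sender, recipient and ciphertext length, as an eavesdropper on an encrypted link would see; the code recovers the hierarchy from those fields alone, points at the one link a defender should protect most strongly, and then shows what padding every message to a fixed size does and does not hide. The names and byte counts are constructed to match the text.

```python
"""Traffic analysis from metadata alone (added example, not from Schneier
or the course page). Each "message" carries only sender, recipient and
ciphertext length; the content is treated as encrypted and unreadable.
Names and lengths are constructed to match the Joe/Bill story in the text.
"""
from collections import defaultdict

# Constructed metadata: (sender, recipient, ciphertext length in bytes)
MESSAGES = [
    ("Joe", "Bill", 4200),    # one long message in
    ("Bill", "Joe", 120),     # short reply
    ("Bill", "Sue", 4100),    # four long messages out
    ("Bill", "Kevin", 4100),
    ("Bill", "Greg", 4100),
    ("Bill", "Alice", 4100),
]


def fan_out(messages):
    """Number of distinct recipients each sender writes to."""
    out = defaultdict(set)
    for sender, recipient, _ in messages:
        out[sender].add(recipient)
    return {sender: len(rcpts) for sender, rcpts in out.items()}


def infer_structure(messages):
    """Guess the hierarchy from who-talks-to-whom and message sizes.

    The party with the largest fan-out is the probable relay; whoever sent
    the relay its longest message is the probable origin; the relay's other
    recipients are the leaves. No message content is consulted.
    """
    fo = fan_out(messages)
    relay = max(fo, key=fo.get)
    inbound = [(length, sender) for sender, rcpt, length in messages if rcpt == relay]
    _, origin = max(inbound)
    leaves = sorted(rcpt for sender, rcpt, _ in messages if sender == relay and rcpt != origin)
    return {"origin": origin, "relay": relay, "leaves": leaves}


def single_point_of_exposure(messages):
    """The one link whose compromise would reveal the most: origin -> relay.
    This is the link a defender would protect most strongly."""
    s = infer_structure(messages)
    return (s["origin"], s["relay"])


def length_reveals_direction(messages):
    """True if the origin's message to the relay is strictly longer than the
    relay's reply, i.e. size alone shows who is giving directions to whom."""
    s = infer_structure(messages)
    to_relay = max(n for a, b, n in messages if a == s["origin"] and b == s["relay"])
    from_relay = max(n for a, b, n in messages if a == s["relay"] and b == s["origin"])
    return to_relay > from_relay


def pad_lengths(messages, block=8192):
    """Countermeasure: pad every ciphertext up to a multiple of `block` bytes,
    so message size no longer distinguishes a directive from an acknowledgement."""
    return [(a, b, ((n + block - 1) // block) * block) for a, b, n in messages]


if __name__ == "__main__":
    print(infer_structure(MESSAGES))
    print("length leaks direction:", length_reveals_direction(MESSAGES))
    print("after padding:", length_reveals_direction(pad_lengths(MESSAGES)))
```

Padding removes the length signal (after pad_lengths the reply and the directive are the same size), but infer_structure gives the same answer on the padded list: the fan-out pattern survives. Hiding that needs dummy (cover) traffic or routing through an intermediary, which is what the text's last line is getting at: the existence and shape of the conversation leaks even when the words do not.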

Internal Threats

"The threat that is most often overlooked, yet is most likely to occur, is the inside threat. Providing internal access to an organization's digital assets can be the Achilles' heel of many security plans through either malicious intention or carelessness... Few modern systems can withstand attacks from users who are logged on to internal machines"
page 9, Chpt 1

     
Dr. Ghosh's book, E-Commerce Security, and other books and several on-line resources emphasize that good security requires a blend of computer security tools with policies that are judiciously applied - meaning if situation "x" requires that the person only has a password to section "1", then do not give them a password for all sections just because it is too time consuming to block them off from those they should not have access to.

Ghosh says "The principles of need-to-know and compartmented information can be useful in determining to whom privileged accounts and passwords should be given".
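The need-to-know principle above turned into something that can be checked, as an added example (not Ghosh's code and not from this course page). Grants are explicit (user, section, action) entries and anything not granted is denied; a helper shows the exposure difference between giving a person section "1" only and the shortcut the text warns against. The user names and section names are invented.

```python
"""Need-to-know access as a checkable policy (added example; not Ghosh's
code and not from the course page). Grants are explicit
(user, section, action) tuples; anything not granted is denied. Users and
section names are invented.
"""
from dataclasses import dataclass, field


@dataclass
class AccessPolicy:
    grants: set = field(default_factory=set)   # {(user, section, action)}
    audit: list = field(default_factory=list)  # every decision, for later review

    def grant(self, user, section, action="read"):
        self.grants.add((user, section, action))

    def revoke_all(self, user):
        """Offboarding: drop every grant for a user in one step."""
        self.grants = {g for g in self.grants if g[0] != user}

    def sections_reachable(self, user):
        """How much a single compromised account could expose."""
        return {section for u, section, _ in self.grants if u == user}

    def check(self, user, section, action="read"):
        """Default deny; every decision is recorded so misuse can be detected."""
        allowed = (user, section, action) in self.grants
        self.audit.append((user, section, action, "ALLOW" if allowed else "DENY"))
        return allowed


def build_example_policy():
    """Compartmented: each person gets only the sections their job needs."""
    p = AccessPolicy()
    p.grant("pat", "1", "read")
    p.grant("pat", "1", "write")
    p.grant("sam", "1", "read")
    p.grant("sam", "2", "read")
    return p


def blanket_grant(policy, user, sections, actions=("read", "write")):
    """The shortcut the text warns against: one password for every section
    because carving out the right ones is 'too time consuming'."""
    for section in sections:
        for action in actions:
            policy.grant(user, section, action)


if __name__ == "__main__":
    p = build_example_policy()
    print("pat -> section 2:", p.check("pat", "2"))        # False
    print("pat can reach:", p.sections_reachable("pat"))   # {'1'}
```

sections_reachable is the number to watch: under the compartmented policy a stolen password for "pat" exposes one section, under blanket_grant it exposes all of them. The audit list is the detection side of the same policy, since a run of DENY entries for one account is worth looking at.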


Internal Threats

Communications & Networking, January 2003, Vol. 6 No. 1
"Guarding against threats from within"
by Grant Buckler
"A careless employee is just as much of a threat as a hacker"

The reason why we selected this article is because it contains many of the things we discuss in this course, particularly the point about policies and procedures being just as important as spending money on firewalls and hardware. This article also explains well that sometimes internal threats are not from "bad employees", just simply employees that make mistakes, or employees who do not follow proper procedures, which allows vulnerable situations to arise.

WTGR

" A firewall is not enough. Proper network security requires at least one (if not several) firewalls, anti-virus software and intrusion detection. That's just the technology, which is not even the most important part. Security also depends on policies and procedures, and without those, all the gadgets in the world will not be enough... external threats are just a small part of the security picture.... threats from outside have increased in the last couple of years, but insiders still pose a more serious risk than outsiders"

Threats come from

• Former Employees who were fired or laid off
• Angry, frustrated current employees who want to damage the company
• Employees who have nothing against the company, but make a critical mistake

"... guarding against security breaches from inside starts with the hiring process. When hiring new employees, employers should check references and conduct background checks. Then, the organization needs clear policies telling employees what they should and should not do. This may do little good against malicious attacks, but it can help guard against the many security breaches that occur through simple thoughtlessness."

Internal Threats - Greenstein, Chpt 7, 2nd Edition p. 227

Sabotage by Former Employees
"former employees who leave under bad circumstances are very troubling because of their knowledge... in many cases, the employee becomes suspicious and begins collecting internal information in advance"

Threats from Current Employees
The 2000 CSI/FBI report found that 38% of the firms studied experienced internal attacks


Handling Internal Threats

Communications & Networking, January 2003, Vol. 6 No. 1
"Guarding against threats from within"
by Grant Buckler
"A careless employee is just as much of a threat as a hacker"

Handling Internal Threats: by initiating policies and procedures to cut down on risk situations developing.

"Deloitte Consulting LLC prohibits employees from storing documents from work on their home computers, says Karim Zerhouni, head of the consulting firm's Canadian internetworking practice. That policy makes it less likely confidential information will fall into the wrong hands. Yet policies and procedures are not the complete answer either. Hardware and software can help enforce the rules and make it easier for employees to comply with them. Access controls and passwords can be used to limit employees' access to the applications and data they need to do their jobs and keep them away from privileged material. Authentication technology can ensure that e-mails come from whom they appear to come from and that documents have not been tampered with."


Access controls and passwords have to be handled carefully. If they are implemented without monitoring their effect on job performance, you may find that following the procedures is very frustrating for employees and they invent ways of circumventing the controls, e.g. if the organization required employees to change their password every tenth time they logged in, this frequency may make it too difficult for employees to remember the password, so they end up writing it on 3M stickies and sticking the password on the monitor in plain sight.

WTGR

Internal Threats, Logic Bombs

Examples of how internal threats are carried out by disgruntled employees.
A true story.

"Lloyd built the Novell NetWare computer network at Omega South and then blew it up with a software time bomb after he fell from corporate grace and was ultimately fired for performance and behavioral problems.... Ralph Michel, Omega's chief financial officer, testified that the software bomb destroyed all the programs and code generators that allowed the company to manufacture 25,000 different products"
CNN
www.cnn.com/2000/TECH/computing/06/27/omega.files.idg/

"On May 9, the U.S. District Court jury in Newark, N.J., found Tim Lloyd, 37, of Wilmington, Del., guilty of setting a software time bomb that crippled his former employer's manufacturing capabilities and cost the company more than U.S.$12 million."
www.rsasecurity.com/newsletter/v1n1/securitywatch.html

"Omega Engineering learned firsthand the dangers of the disgruntled employee after a timed virus, known as a logic bomb, wiped out all of its research, development, and production programs in one fell swoop. The tape backup also was destroyed."
www.computingsa.co.za/1998/04/27/ANALYSIS/NAN01.htm
     


     
The story of Tim Lloyd is well known and appears on several online news sites. Find some additional information about how companies are dealing with this risk once the sensationalism of the story has passed.

The disgruntled employee poses but one of many insider threats to information systems and the valuable data stored therein. Unauthorised access from insiders, rather than outside hackers, accounted for 44% of network security breaches last year, according to the March 2000 survey by the Computer Security Institute (CSI) and the FBI.

"The greatest exposure to any organisation is what I call the knowledgeable insider - anybody from a janitor to a vendor or an active or ex-employee," says Steve Dougherty, director of information security at the Folsom, California-based California Independent System Operator, which is taking over management of power grid transmissions for 27m Californians with the state's recent industry deregulation.

According to the American Society for Industrial Security (ASIS), 89% of respondents to the ASIS 1997/1998 Intellectual Property Loss Special Report indicated that their biggest concern regarding system security is retaliation from disgruntled employees.


University and college computers - a weak link

Several columnists and experts have spoken and written about one of the more distasteful sources of IT risk, namely hackers from within colleges and universities.

The very nature of academic institutions fosters freedom and access together with learning. It is also at universities and colleges that people have access to massive computing power with very few human security measures.

Since some of the more spectacular security breaches require lots of computing power, it has happened in the past, and will happen again, that people use interconnected computers in campus labs to launch attacks, either for the thrill of the process or to accomplish a criminal act.

You can earn some class participation / contribution points by finding an online news story about any recent attacks that originated from a college or university. It would be particularly useful if the story also included the "what happened later" information so that the consequences of the event being made public are known.


Risks with Business Partners - they may pass on infections to your clients


A SANS Institute email alert about a "fix" which itself contains a virus

Medium and large size companies make themselves vulnerable to risk when they outsource various services to intermediary parties.

Microsoft - which one would presume is very, very careful about who they partner with - is often vulnerable when the partner makes a bad mistake.

Some of these mistakes happen when the intermediary is responsible for dispensing some service, such as making downloads available. Prof. Richardson received an email from SANS detailing how Microsoft Hotfixes downloaded from the Premier Support and Gold Certified Partner web sites were infected with the Fun Love virus.

The original email has been uploaded to the ECP site and you can read the full text, including other warnings and info, at
http://homepages.cambrianc.on.ca/timrichardson/ecommerce/SANalert1.htm

So the irony of the situation is almost funny if it weren't so dangerous - here is the world's most powerful software company providing "fixes", through an intermediary, and the "fixes" themselves contain a virus !!

One of the ways you protect yourself from these situations is by being very diligent and reading all the email from organizations like SANS, which provide news and info on these vulnerabilities.
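Reading the alerts is one defence; the other is to check what the intermediary hands you before it is installed. The following is an added example, not from SANS, Microsoft or this course page: a downloaded "fix" is compared against a checksum list published by the vendor, and the install is refused on a mismatch or when no published value exists. The file bytes, the file name hotfix-q123.exe and the checksum list are all constructed for the demonstration.

```python
"""Verify a vendor "fix" against a published checksum before installing it
(added example; not from SANS, Microsoft or the course page). File bytes,
file name and the checksum list are constructed for the demonstration.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins: the genuine download and a copy altered in transit.
GENUINE_FIX = b"MZ\x90\x00constructed-hotfix-bytes-for-demo"
TAMPERED = GENUINE_FIX + b"\x00extra-bytes-added-in-transit"

# Stand-in for a checksum list obtained from the vendor over a *separate*
# trusted channel. A hash served by the same intermediary that served the
# file proves nothing, because both could have been altered together.
PUBLISHED_SUMS = f"{sha256_hex(GENUINE_FIX)}  hotfix-q123.exe\n"   # file name is invented


def parse_checksum_file(text):
    """Parse 'hex  filename' lines (sha256sum style) into {filename: hex}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1]] = parts[0].lower()
    return sums


def verify_download(data: bytes, expected_hex: str) -> bool:
    """Compare in constant time so the check itself leaks nothing useful."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def install_if_verified(filename, data, sums):
    """Gate the install on a matching published hash; unknown files are refused."""
    expected = sums.get(filename)
    if expected is None:
        return f"REJECTED: no published checksum for {filename}"
    if not verify_download(data, expected):
        return f"REJECTED: checksum mismatch for {filename}, do not install"
    return f"OK: {filename} matches the published checksum"


if __name__ == "__main__":
    sums = parse_checksum_file(PUBLISHED_SUMS)
    print(install_if_verified("hotfix-q123.exe", GENUINE_FIX, sums))
    print(install_if_verified("hotfix-q123.exe", TAMPERED, sums))
```

The check is only as good as where the expected value came from: it has to arrive by a path the intermediary cannot touch, for instance the vendor's own site or a digitally signed announcement, or the infected copy and its matching hash would be served together. A vendor signature over the file does the same job without needing the separate channel, and is the better choice where the vendor offers one.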


Risks with Business Partners - Hacking - example of vulnerability to 3rd parties


Your vulnerability to hackers is not just direct between you and the threat; it can also involve third parties who process business information for you. Many companies trying to run "lean and mean" to cut costs outsource specialty services to call centers. There have been some examples where these third party players get hacked, which in turn means the hacker comes into possession of confidential information of the clients.

WTGR

A perfect example of "a chain is as strong as its weakest link".

     
http://www.witiger.com/ecommerce/viruses.htm - special section on witiger.com about Viruses


Printers vulnerable? - sure.
NATIONAL INFRASTRUCTURE PROTECTION CENTER (United States)
- noted page 214 in Greenstein Text - 2nd Ed.
"Intrusion Techniques: Networked printers are prime targets for denial of service attacks and root access intrusion attempts.
Networks are only as strong as their weakest link, and printers are often overlooked when assessing and implementing network security measures.

Vulnerabilities associated with widely used name-brand networked printers (NPs) may allow intruders to perform denial-of-service (DoS) attacks, and possibly gain root access to network administrative services if left undetected."
www.nipc.gov/publications/highlights/2001/highlight-01-01.htm

We have our own example of hacked and original pages which you can view at http://www.witiger.com/ecommerce/hackingexample.htm

In the on-line version of Chpt 6 of his book, The Business of the Internet, Neil Hannon notes a link to an article about a Netscape Communications Corp. white paper that deals with the issue of intranet security and some of its many challenges.
"Cryptography Is The Key To Intranet Security Needs"
Copyright (c) 1997 CMP Media Inc.

You can read the original article on CRN's site at
http://www.techweb.com/se/directlink.cgi?CRN19970630S0089
The following is a summary of some of the main points in case the article is no longer available online.

"There are many challenges in building a full-service intranet that provides safe communications and collaboration. As the exponential growth of the public Internet demonstrates, TCP/IP solves many problems in a remarkably scalable way. However, TCP/IP was not designed to offer secure communication services. Because TCP/IP was not designed with security in mind, we must bring additional technology and policies to bear to solve typical security problems..."

If you go to the web site you can read further about the problems and the cryptographic solutions


This quiz was created for another course - students of FCA 240 could try it too since much of the material is covered herein.

Online Quiz for the preceding material
www.witiger.com/senecacollege/IEC818/quiz~IEC818~2.htm

1. Could you explain to someone what the Trojan Horse virus is (as explained in Greenstein text, Chpt 5, page 162)?
2. Why do most companies not report IT security situations to authorities?
3. Why are macro viruses so troubling, and how can they be prevented? (as explained in Greenstein text, Chpt 5)