Chapter 1
Review Questions
7. Describe the critical characteristics of information. How are they used in the study
of computer security?
The critical characteristics of information define the value of information. Changing any
one of its characteristics changes the value of the information itself. There are seven
characteristics of information:
Availability enables authorized users - either persons or computer systems - to
access information without interference or obstruction, and to receive it in the
required format.
Accuracy occurs when information is free from mistakes or errors and it has the
value that the end user expects.
Authenticity of information is the quality or state of being genuine or original,
rather than a reproduction or fabrication. Information is authentic when it is in the
same state in which it was created, placed, stored, or transferred.
Confidentiality is achieved when disclosure or exposure of information to
unauthorized individuals or systems is prevented. Confidentiality ensures that
only those with the rights and privileges to access information are able to do so.
Integrity of information is maintained when it is whole, complete, and
uncorrupted.
Utility of information is the quality or state of that information having value for
some purpose or end. Information has value when it serves a particular purpose.
Possession of information is the quality or state of ownership or control of some
object or item. Information is said to be in one’s possession if one obtains it,
independent of format or other characteristics.
8. Identify the six components of an information system. Which are most directly
affected by the study of computer security? Which are most commonly associated
with its study?
The six components are software, hardware, data, people, procedures, and networks.
People would be impacted most by the study of computer security. People can be the
weakest link in an organization’s information security program. And unless policy,
education and training, awareness, and technology are properly employed to prevent
people from accidentally or intentionally damaging or losing information, they will
remain the weakest link. Social engineering can prey on the tendency to cut corners and
the commonplace nature of human error. It can be used to manipulate the actions of
people in order to obtain access to information about a system.
Procedures, written instructions for accomplishing a specific task, are another
component that is affected. The information system will be effectively secured
by teaching employees to both follow and safeguard the procedures. Following procedure
reduces the likelihood of employees erroneously creating information insecurities. Proper
education about the protection of procedures can avoid unauthorized access gained using
social engineering. Hardware and software are the components that are historically
associated with the study of computer security. However, the IS component that created
much of the need for increased computer and information security is networking.
9. What system is the father of almost all modern multiuser systems?
MULTICS
10. Which paper is the foundation of all subsequent studies of computer security?
Rand Report R-609, sponsored by the Department of Defense.
11. Why is the top-down approach to information security superior to the bottom-up
approach?
The top-down approach, in which the project is initiated by upper-level managers who
issue policy, procedures and processes, dictate the goals and expected outcomes, and
determine accountability for each required action, has a higher probability of success.
This approach has strong upper-management support, a dedicated champion, usually
dedicated funding, a clear planning and implementation process, and the means of
influencing organizational culture. The most successful kind of top-down approach also
involves a formal development strategy referred to as a systems development life cycle.
12. Why is a methodology important in the implementation of information security?
How does a methodology improve the process?
A methodology is a formal technique that has a structured sequence of procedures that is
used to solve a problem. Methodology is important in the implementation of information
security because it ensures that development is structured in an orderly, comprehensive
fashion. The methodology unifies the process of identifying specific threats and the
creation of specific controls to counter those threats into a coherent program. Thus, a
methodology is important in the implementation of information security for two main
reasons.
First, it entails all the rigorous steps for the organizations’ employees to follow,
therefore avoiding any unnecessary mistakes that may compromise the end goal
(i.e., to have a comprehensive security posture). An example of this is that a
methodology guides an organization to solve the root cause of the information
security problem, not just its symptoms.
Second, methodology increases the probability of success. Once a methodology
is adopted, the personnel selected will be responsible for establishing key
milestones and made accountable for achieving the project goals.
The methodology can greatly improve the process. For example, following the six steps
of the SDLC (Systems Development Life Cycle) (investigation, analysis, logical design,
physical design, implementation, and maintenance and change) allows developments to
proceed in an orderly, comprehensive fashion. Individuals or groups assigned to do the
analysis step do not have to initiate their work until the investigation step is completely
finished. Moreover, each step of the methodology may determine whether the project
should be continued, discontinued, outsourced, or postponed. For example, the physical
design step may need to be postponed or outsourced if the organization does not possess
the technology needed.
13. Which members of an organization are involved in the security system development
life cycle? Who leads the process?
Initiation and control of the SecSDLC is the responsibility of upper management.
Responsible managers, contractors and employees are then utilized to execute the
SecSDLC. The process is usually led by a senior executive, sometimes called the
champion, who promotes the project and secures financial, administrative, and
company-wide backing of the project; then a project manager is assigned the task of
managing the project.
14. How can the practice of information security be described as both an art and a
science? How does security as a social science influence its practice?
The practice of information security is a never-ending process. An effective information
security practice must be considered as a tripod that relates to three important aspects
(science, art, and social science):
First, information security is a science because it requires various kinds of tools
and technologies used for technical purposes. It can also include sound
information security plans and policies that may dictate the needs of particular
technologies.
Second, information security is also an art because there are no clear-cut rules on
how to install various security mechanisms. Different factors such as budgets,
time, threats, risks, vulnerabilities, and asset values can significantly affect the
numbers and types of passive and active controls an organization needs. The
overall goal is for the organization to have a sound information security posture
that can reduce the risks of being attacked as much as possible.
Third, and most importantly, information security must be looked at as a social
science mainly because social science deals with people, and information security
is primarily a people issue, not a technology issue. Through the eye of a social
scientist, an organization can greatly benefit from the Security Education,
Training, and Awareness program (SETA), which can help employees (1)
understand how to perform their jobs more securely, (2) be fully aware of the
security issues within the organization, and (3) be accountable for their actions.
Therefore, information security must be viewed as having all three natures, with the most
emphasis on the social science perspective. After all, people are the ones who make the
other five components of information assets (software, hardware, data, procedures and
networks) possible.
15. Who is ultimately responsible for the security of information in the organization?
The Chief Information Security Officer (CISO) is primarily responsible for the
assessment, management, and implementation of information security in the organization.
The CISO usually reports directly to the CIO, although in larger organizations it is not
uncommon for one or more layers of management to exist between the two. However, the
recommendations of the CISO to the CIO must be given equal, if not greater, priority
than other technology and information-related proposals.
16. What is the relationship between the MULTICS project and early development of
computer security?
MULTICS, Multiplexed Information and Computing Service, was the first operating
system created with security as its primary goal. It was a mainframe, time-sharing
operating system developed through a partnership between GE, Bell Labs and MIT.
Much of the early focus for research on computer security was centered on this system.
17. How has computer security evolved into modern information security?
Before the creation and use of networking technologies computer security consisted of
securing the physical location of the system by the use of badges, keys and facial
recognition. With the creation of ARPANET and the increasing popularity of networked
systems, it was no longer adequate to merely physically secure a system. In order to
ensure total security, the information itself, as well as the hardware used to transmit and
store that information, needed to be addressed. Information security developed from this
need. Eventually, computer security became just another component of information
security.
18. What was important about Rand Report R-609?
The movement toward security that went beyond protecting physical locations began
with the Rand Report R-609, a paper sponsored by the Department of Defense. This
report attempted to address the multiple controls and mechanisms necessary for the
protection of a multilevel computer system. In addition, the Rand Report was the first to
identify the role of management and policy issues in the expanding arena of computer
security. It noted that the wide utilization of networking components in information
systems in the military introduced security risks that could not be mitigated by the routine
practices then used to secure these systems. This paper signaled a pivotal moment in
computer security history—when the scope of computer security expanded significantly
from the safety of physical locations and hardware to include securing the data, limiting
random and unauthorized access to that data, and involving personnel from multiple
levels of the organization in matters pertaining to information security.
19. Who decides how and when data in an organization will be used and or controlled?
Who is responsible for seeing these wishes are carried out?
The three types of data ownership and their respective responsibilities are:
Data owners: Those responsible for the security and use of a particular set of information.
They are usually members of senior management and could be CIOs. The data owners
usually determine the level of data classification (discussed later) associated with the
data, as well as the changes to that classification required by organizational change. The
data owners work with subordinate managers to oversee the day-to-day administration of
the data.
Data custodians: Working directly with data owners, data custodians are responsible for
the storage, maintenance, and protection of the information. Depending on the size of the
organization, this may be a dedicated position, such as the CISO, or it may be an
additional responsibility of a systems administrator or other technology manager. The
duties of a data custodian often include overseeing data storage and backups,
implementing the specific procedures and policies laid out in the security policies and
plans, and reporting to the data owner.
Data users: End users who work with the information to perform their daily jobs
supporting the mission of the organization. Everyone in the organization is responsible
for the security of data, so data users are included here as individuals with an information
security role.
20. Who should lead a security team? Should the approach to security be more
managerial or technical?
A project manager, who may be a departmental line manager or staff unit manager, would
lead a security team. Typically, that person would understand project management,
personnel management, and information security technical requirements. The approach to
security should be more managerial than technical, although the technical ability of the
resources actually performing the day-to-day activities is critical. The top-down approach
to security implementation is by far the best. It has strong upper management support, a
dedicated champion, dedicated funding, clear planning and the opportunity to influence
organizational culture.
Exercises
1. Look up “the paper that started the study of computer security.” Prepare a
summary of the key points. What in this paper specifically addresses security in
areas previously unexamined?
Rand Report R-609 noted that security for computers had moved beyond the physical
security of locking the computers behind closed doors. With the rise in computer
networking, multiple users using resource-sharing systems could gain access to
confidential information. New forms of security had to be implemented that could protect
the safety of data, limit access, and handle different levels of personnel accessing the
system. In order to accomplish this, R-609 pointed out that a task force was being
implemented by ARPA in order to focus on the potential security risks of multi-access
computer systems. The paper points out that security is no longer as simple as moving the
system to a secure location, and new measures must be implemented to provide
acceptable security.
The key points are: security control in resource-sharing systems; increase in the number
of resource-sharing systems; protection of information in multi-access, resource-sharing
computer systems; and necessity for the application of security rules and regulations.
The growing need to have resources available to a larger number of users led in the
1960s to the implementation of resource-sharing computer systems. Sharing data among
a larger number of users highlighted the need for an appropriate security system because
data, in a multi-access computer environment, was no longer considered secure. Above
all, the lack of control demonstrated by random and unauthorized access to shared data
started being seen as one of the biggest threats to the data itself. Another important issue
that specifically addressed security was the lack of security rules and regulations. Rand
Report R-609 was the first report to identify the important role of management and policy
issues in computer security.
The Rand Report R-609 attempted to cover the broader aspect of protecting a computer
system. It was the first to identify the role of management and policy issues in computer
security. R-609 focused on the protection of information in a multi-access, resource
sharing computer system, more specifically: safety of data, limiting random and
unauthorized access, as well as the involvement of personnel from multiple levels of the
organization in matters pertaining to information security.
2. Assume that a security model is needed for protection of information in your class.
Using the NSTISSC model, examine each of the cells and write a brief statement on
how you would address the three components represented in that cell.
Confidentiality – Policy – Storage: An example of protecting the confidentiality of class
information in storage by means of policy could be simply issuing rules to keep
unauthorized viewers access restricted, such as a rule to lock file cabinets that contain the
information.
Confidentiality – Policy – Processing: An example of protecting the confidentiality of
class information in processing by means of policy could be simply issuing rules to keep
unauthorized viewers access restricted while information is being processed, such as only
allowing registered students in the class to attend and listen to lecture.
by the teacher providing the PowerPoint files available to the student on the Internet to
study.
Availability – Technology – Transmission: An example of protecting the availability of
class information that is being transmitted by means of technology could be
accomplished by the teacher using a microphone so the lecture is loud enough for all
students to hear.
3. Consider the information stored on your personal computer. For each of the terms
listed, find an example and document it: threat, threat agent, vulnerability,
exposure, risk, attack, and exploit.
Note: Due to a compositional error this question is based on information from Chapter 2,
and as such the answers are drawn from there.
Answers will vary greatly depending on the information stored on the individual’s
systems; an example is provided. (Note that you can also answer this question from the
reverse, as illustrated.)
Answer method one (data based)
Data: Electronic Checkbook (and associated banking information): Threats would
include: Acts of Human Failure – Threat agent would be my wife/husband, vulnerability
would be data is susceptible to deletion. Exposure would be I let my wife/husband use
my computer, on which the files reside. Risk would be loss of financial and banking
information. Attack would include my wife/husband realizing I am in class, and using
my computer to surf the Web or play computer games on my computer, and then
accidentally deleting the file to make more room on the hard drive for their game or
download. The exploit would be simplistic – my wife/husband opens Windows Explorer,
sees the files marked “Stuff”, right-clicks on the folder and selects DELETE.
Alternate answer method:
Threat – Acts of Human Error or Failure (user mistakes), Acts of Espionage or Trespass
(Hackers), Deliberate Software Attacks (Email viruses and worms), Technological
Obsolescence (my computer is OLD!)
Threat Agent – Wife/Husband/Kids, neighbor’s kids, hackers, Microsoft
Vulnerability – lack of password protection on system, insufficient protection on Internet
connection, OS vulnerabilities (Microsoft!),
Exposure – no password set on firewall, new patch on OS deletes system password, etc.
Risk – loss of personal and confidential info, compromise of systems as zombie, etc.
Attack – significant other deletes files, hacker hacks network router and system, kids
copy files to friends’ computers.
Exploit – downloaded scripts from hacker sites, detailed descriptions of how to set up a
DDOS tested by kids.
4. Using the Web, identify the CIO, CISO and SA of an organization of your choice.
Who represents the data owner, data custodian?
Each organization will have its own specific answer set depending on the policies that
organization has in place.
5. Using the web, find out who Kevin Mitnick was. What did he do? Who caught him?
Write a short summary of his activities and why he is famous.
Kevin Mitnick was one of the most notorious computer hackers in computer history. He
began his "hacking" career by using a personal computer and a modem to gain access to a
digital central office switch of a local telephone company. He, as well as several other
members of a phone phreak gang, would make prank calls, answer operator assisted calls
and eavesdrop on conversations. This, however, didn't satisfy them for long. In 1981,
over Memorial Day weekend, Kevin and his gang talked their way past a security guard
at Pacific Bell's COSMOS center. Once inside, they stole passwords, operating manuals
and combinations to doors at other Pacific Bell offices. They also did a little "social
engineering" while inside and left fake names and phone numbers for later use. The gang
was eventually caught when a girlfriend of one of the gang members went to the police.
The gang was charged with stealing and destroying data. Kevin Mitnick was only 17 at
the time and was sentenced to three months in juvenile detention and one year probation.
In 1983, Kevin was arrested again, but this time by the campus police at the University of
Southern California. This time he used one of the school's computers to break into the
Pentagon using ARPAnet. His sentence was six months in a juvenile prison. In 1987, he
received three years probation for stealing software from the Santa Cruz Operation. He
was caught by the use of illegal telephone credit card numbers.
In 1989, he was again arrested and charged with one count of possession of illegal long
distance access codes and one count of computer fraud. He and a friend tried to gain
access to Digital Equipment's Palo Alto research laboratory with the hope of acquiring a
copy of the VMS minicomputer operating system. He was later caught when his
accomplice became frustrated with him and turned him in to the FBI and DEC. Kevin
received jail time and was required to undergo counseling at a halfway house. In 1992, an
arrest warrant was issued on him for violating the terms of his probation. He violated
probation by associating with members of his original phone phreak gang and illegally
accessing a computer. Kevin was arrested in 1995.
Alternate Answer
Kevin Mitnick, aka Condor, is one of the most famous computer hackers in the history of
computers. This famous hacker was so prolific that it earned him a place on the FBI’s
Most Wanted List. Mitnick started out as a phone phreaker, someone who breaks into
phone switches, but later turned his attention to computer systems. Mitnick was brought
up on charges numerous times, but it was not until he went on a computer hacking spree
in 1995 that he made national attention. Mitnick was finally tracked down after two years
on the run as a fugitive. Tsutomu Shimomura played a major role in the capture of
Mitnick, after Mitnick hacked into Shimomura’s computer system. Mitnick was jailed for
5 years without a trial or bond, and is said to be the longest held prisoner without a trial.
Mitnick was later released in Sept. of 2000 but was not allowed to use any type of
electronic device as part of the terms of his probation.
When an attacker is able to control access to an asset, it can be held hostage to the
attacker’s demands. For example, if an attacker is able to gain access to a set of data in a
database and then encrypt that data, they may extort money or other value from the owner
in order to share the encryption key so that the data can be used by the owner.
6. Why do employees constitute one of the greatest threats to information security?
Employees are the greatest threats since they are the closest to the organizational data and
will have access by nature of their assignments. They are the ones who use it in everyday
activities, and employee mistakes represent a very serious threat to the confidentiality,
integrity, and availability of data. Employee mistakes can easily lead to the revelation of
classified data, entry of erroneous data, accidental deletion or modification of data,
storage of data in unprotected areas, and failure to protect information.
7. What measures can individuals take to protect against shoulder surfing?
The best way for an individual to avoid shoulder surfing is to avoid, as far as possible, the
accessing of confidential information when another person is present. The individual
should limit the number of times he/she accesses confidential data, and do it only when
he/she is sure that nobody can observe them. One should be constantly aware of who is
around when accessing sensitive information.
8. How has the perception of the hacker changed over recent years? What is the profile
of a hacker today?
The classic perception of the hacker is frequently glamorized in fictional accounts as
someone who stealthily manipulates their way through a maze of computer networks,
systems, and data to find the information that resolves the dilemma posed in the plot and
saves the day. However, in reality, a hacker frequently spends long hours examining the
types and structures of the targeted systems because he or she has to use skill, guile, or
fraud to attempt to bypass the controls placed around information that is the property of
someone else.
The perception of a hacker has evolved over the years. The traditional hacker profile was
male, age 13-18, with limited parental supervision who spent all his free time at the
computer. The current profile of a hacker is a male or female, age 12 – 60, with varying
technical skill levels, and can be internal or external to the organization. Today there are
both expert hackers and unskilled hackers. The expert hackers create the software and
schemes to attack computer systems while the novice hackers are the ones who merely
utilize the software created by the expert hacker.
9. What is the difference between a skilled hacker and an unskilled hacker (other than
the lack of skill)? How does protection against each differ?
An expert hacker is one who develops software scripts and codes to exploit relatively
unknown vulnerabilities. The expert hacker is usually a master of several programming
languages, networking protocols, and operating systems.
An unskilled hacker is one who uses scripts and code developed by skilled hackers. They
rarely create or write their own hacks, and are often relatively unskilled in programming
languages, networking protocols, and operating systems.
Protecting against an expert hacker is much more difficult, due in part to the fact that
most of the time the expert hacker is using new, undocumented attack code. This makes it
almost impossible to guard against these attacks at first. Conversely, an unskilled hacker
generally uses hacking tools that have been made publicly available. Therefore,
protection against these hacks can be maintained by staying up-to-date on the latest
patches and being aware of hacking tools that have been published by expert hackers.
10. What are the various types of Malware? How do worms differ from viruses? Do
Trojan horses carry viruses or worms?
Common types of malware are viruses, worms, Trojan horses, logic bombs, and back
doors.
Computer viruses are segments of code that induce other programs to perform actions.
Worms are malicious programs that replicate themselves constantly without requiring
another program to provide a safe environment for replication.
Once a trusting user executes a Trojan horse program it will unleash viruses or worms to
the local workstation and the network as a whole.
11. Why does polymorphism cause greater concern than traditional malware? How
does it affect detection?
Polymorphism causes greater concern because it makes malicious code more difficult to
detect.
The code changes over time, which means commonly used anti-virus software, which
uses preconfigured signatures for detection, will be unable to detect the newly changed
attack. This makes polymorphic threats harder to protect against.
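The point about preconfigured signatures can be made concrete. The following is an added example written for this page, not code from the textbook or its authors. The byte strings are constructed toy data standing in for two copies of one malware family (the header is fixed, the key byte and encoded body change from copy to copy), and the family names are invented labels. It shows that an exact hash signature built from the first copy misses the second, while a pattern pinned to the invariant part of the file still matches both.

```python
"""Added illustration of signature-based detection versus a polymorphic
variant. Not from the textbook; all samples are constructed toy byte strings,
not real malware."""
import hashlib
import re
from typing import Optional

# Constructed samples. VARIANT_B stands in for a polymorphic copy of VARIANT_A:
# the fixed loader header and version marker are identical, but the per-copy
# key byte and the encoded body that follows it differ, so the raw bytes and
# therefore the file hash are different.
HEADER = b"TOYSTUB\x01"
VARIANT_A = HEADER + b"\x5a" + b"\x13\x37\x2b\x9c" * 8
VARIANT_B = HEADER + b"\xa7" + b"\x44\x81\x0f\xe2" * 8
BENIGN = b"MZ" + b"\x00" * 30 + b"ordinary program text"

# Signature database as an exact-match product would hold it: one hash per
# sample the vendor has seen. Only VARIANT_A has been seen.
HASH_SIGNATURES = {hashlib.sha256(VARIANT_A).hexdigest(): "Toy.Loader.A"}

# Pattern signature in the style of YARA: it pins the invariant header and
# version marker and uses a single-byte wildcard for the changing key byte.
PATTERN_SIGNATURES = {
    "Toy.Loader.gen": re.compile(re.escape(HEADER) + rb".", re.DOTALL),
}


def scan_by_hash(sample: bytes) -> Optional[str]:
    """Exact-match detection: returns the family name or None."""
    return HASH_SIGNATURES.get(hashlib.sha256(sample).hexdigest())


def scan_by_pattern(sample: bytes) -> Optional[str]:
    """Invariant-pattern detection: returns the family name or None."""
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(sample):
            return name
    return None


def scan(sample: bytes) -> dict:
    """Run both detectors so the difference is visible side by side."""
    return {"hash": scan_by_hash(sample), "pattern": scan_by_pattern(sample)}


if __name__ == "__main__":
    for label, sample in (("variant A", VARIANT_A),
                          ("variant B", VARIANT_B),
                          ("benign", BENIGN)):
        print(f"{label:10s} {scan(sample)}")
```

Running the block prints a hit on both detectors for variant A, a hit on the pattern detector only for variant B, and no hit for the benign sample. The trade-off for the defender is that a pattern loose enough to cover every variant is also more likely to match unrelated files, which is why signature scanning is supplemented with heuristic and behavioural detection rather than replaced by ever-looser patterns.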
12. What is the most common form of violation of intellectual property? How does an
organization protect against it? What agencies fight it?
The most common violations involve the unlawful use or duplication of software-based
intellectual property known as software piracy.
Some organizations have used such security measures as digital watermarks and
embedded code, copyright codes, and even the intentional placement of bad sectors on
software media. Also, most companies file patents, trademarks or copyrights which can
allow a company to legally pursue a violator. Another effort to combat piracy is the
online registration process. During installation, software users are asked or even required
to register their software to obtain technical support, or the use of all features.
There are two major organizations that investigate allegations of software abuse:
Software and Information Industry Association (SIIA) and the Business Software
Alliance (BSA).
13. What are the various types of force majeure? Which type is of greatest concern to an
organization in Las Vegas? Oklahoma City? Miami? Los Angeles?
Force majeure refers to forces of nature or acts of God that pose a risk, not only to the
lives of individuals, but also to information security. Force majeure includes fire, flood,
earthquake, lightning, landslide or mudslide, tornado or severe windstorm, hurricane or
typhoon, tsunami, electrostatic discharge (ESD), and/or dust contamination.
Deliberate acts are the main threat category for this type of attack because the
hacker is deliberately trying to cause harm. Different sub-categories that this
attack could fall under are deliberate acts of espionage or trespass, deliberate acts
of sabotage or vandalism, and deliberate acts of theft.
Compromises to intellectual property – copying of files, defacing the web page,
and stealing credit card numbers.
2. Using the web, determine the extent of Mafiaboy's exploits. How many sites did he
compromise and how? How was he caught?
Mafiaboy's exploits consisted of a series of DDoS (Distributed Denial of Service) attacks
on 11 corporate networks. The attacks caused, according to investigators, approximately
1.7 billion dollars in loss for these companies but there is dispute regarding the accuracy
of that figure. The attacks caused some of these companies' websites and networks to be
difficult to reach. In some cases, they crashed completely, remaining offline from mere
hours to as long as several days. Because the attacks were so large, they prompted the
authorities to investigate. Authorities found that someone using the name Mafiaboy was
bragging about the attacks on websites, message boards and even on his own site. In
addition, the authorities were able to associate an IP address with the attacks, which in
turn led to the ISP; with the ISP's help, they linked the IP address to an account whose
phone numbers matched Mafiaboy's father's number.
Alternate Answer
One example of a novice using pre-coded exploits was that of Mafiaboy, a teen who
launched distributed denial-of-service attacks against several high-profile websites.
MafiaBoy’s denial-of-service attacks brought down many of the Internet's largest sites.
The tools used for these attacks are widely available on the Internet and require little
computer knowledge to use, being simple enough for use by script kiddies. Mafiaboy
simply ran a computer script that clogged networks full of garbage data. He was deemed
an unskilled attacker because of a number of indicators, primarily that he failed to take
basic steps to cover his tracks, such as erasing logs. A series of computer taps led to
Mafiaboy’s arrest.
Nonetheless, his skill deficit did not stop him from successfully shutting down a number
of prominent websites. MafiaBoy gained illegal access to 75 computers in 52 different
networks and planted a DoS tool on them which he then activated and used to attack 11
Internet sites by sending up to 10,700 phony information requests in 10 seconds.
Amazon.com, Yahoo!, Buy.com, CNN.com as well as more than 1,200 other sites CNN
hosts worldwide, Dell.com and eBay are among the sites Mafiaboy was able to cripple.
The cost to these companies is estimated to be in the millions, perhaps even billions, of
dollars. For example, for a company whose only storefront is web-based, this type of
attack can be a disaster, as it is estimated that thousands of dollars of revenue is lost per
hour of non-operation. Because Amazon.com’s website was inaccessible for more than a
day, it is estimated they lost several million dollars. Buy.com and Yahoo! offered more
concrete numbers; each company lost a million dollars every four hours that their
networks were inaccessible.
References:
1. "DoS Attacks Cripple Yahoo, CNN, Amazon and Buy.com." Irish News, February 9, 2001.
http://www.iol.ie/~kooltek/dosattacks.html
2. "One year after DoS attacks, vulnerabilities remain." February 8, 2001.
http://www.cnn.com/2001/TECH/internet/02/08/ddos.anniversary.idg/index.html#2
3. Search the Web for "The Official Phreaker's Manual". What information contained
in this manual can help a security administrator to protect a communications
system?
Phone phreaking is the act of using mischievous and mostly illegal methods in order to
avoid having to pay for some sort of telecommunications invoice, order, transfer, or other
service. It often involves usage of highly illegal boxes and machines in order to defeat the
security that is set up to avoid this sort of tactic. This security includes “blocking
networks.” A blocking network is a network that, under certain conditions, may be unable
to form a transmission path from one end of the network to the other. In general, all
networks used within the Bell System are of the blocking type.
A security administrator could benefit from studying "The Official Phreaker's Manual"
because it could allow them to better protect their communications system. From the
system administrator's point of view, this information is useful because it documents
many common ways of finding loopholes and alternate routes around different
communications system security measures. Equipped with this information, a system
administrator would be aware of these approaches and could account for them when
implementing a more extensive security program.
4. The chapter discussed many threats and vulnerabilities to information security.
Using the Web, find at least two other sources of information on threat and
vulnerabilities. Begin with www.securityfocus.com. Using a keyword search on
“threats.”
http://csrc.ncsl.nist.gov/ - This site has details about new security standards that
should be adopted by organizations and the reasons for the security standards, ranging
from cryptology to network security.
http://icat.nist.gov/icat.cfm - This site is a searchable index of information on
computer vulnerabilities.
http://security1.gartner.com/section.php.id.19.s.1.jsp - This site has a number of
articles from industry experts on information security concerns covering a wide variety
of issues, especially in the corporate world.
http://www.cerias.purdue.edu/
http://www.cert.org/stats
http://www.fedcirc.gov/ - Information on reported threats.
http://www.gocsi.com
http://www.idc.com
http://www.infomaticsonline.co.uk
http://www.iss.net/security_center/
http://www.microsoft.com/security/ - Microsoft's listing of important announcements for
security and privacy.
http://www.riptech.com
http://www.securityfocus.com/ - Securityfocus.com lists threats, vulnerabilities, and
advisories.
http://www.siliconvalley.com
http://www.symantec.com/avcenter/ - This site has information on the latest viruses and
security advisories.
http://www.theregister.co.uk/content/55/index.html - The Register's listing of the
latest threats.
http://www.theregus.com - This site carries news about the technology industry,
including breaches of security in various companies' information systems.
http://www.washtimes.com
http://zdreviews.search.com
https://www.security-survey.gov.uk
5. Using the categories of threats mentioned here, as well as the various attacks
described, review several newspapers and locate examples of each.
Potential acts of human error or failure -
http://www.nwfusion.com/columnists/2001/00379820.html
Compromises to intellectual property -
http://www.wired.com/news/politics/0,1283,54681,00.html
Worm Attack:
W32.Efno.Worm is a worm that attempts to spread using the popular KaZaA file-sharing
program. The worm is written in Visual Basic, and therefore it requires the Visual Basic
runtime library (Msvbvm60.dll) to run. When this worm runs, it changes several KaZaA
registry keys. This causes the worm to be accessible to other users on the KaZaA
network. The worm spreads using the file name "Win XP SP1 cracker.exe." However, it
is possible to change the file name to other names that may appeal to people.
http://securityresponse.symantec.com/avcenter/venc/data/w32.efno.worm.html
Trojan Horse:
Trojan.IrcBounce is the detection for a collection of programs that a hacker can use to
conceal intrusion and obtain administrator-level access to Microsoft Windows
environments. These programs can be used to attack Windows environments that:
- have the default installation, in which the Administrator account has no password;
- use user names and passwords that are very common.
After it is installed on the victim's system, it gives a remote attacker unobstructed
access to the compromised computer.
Back Door:
Backdoor.FunFactory allows unauthorized access to an infected computer.
It also allows voice communication from the intruder to the user of the
compromised computer.
The Security and Freedom Through Encryption Act of 1999 clarifies use of encryption
for people in the US, and permits all persons in the U.S. to buy or sell any encryption
product.
6. What is privacy in an information security context?
Privacy is not absolute freedom from observation, but rather it is a more precise “state of
being free from unsanctioned intrusion.”
7. What is another name for the Kennedy-Kassebaum Act (1996) and why is it
important to organizations that are not in the health-care industry?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the
confidentiality and security of health-care data by establishing and enforcing standards
and by standardizing electronic data interchange. It impacts all health-care organizations,
including doctors' practices, health clinics, life insurers, and universities, as well as some
organizations which have self-insured employee health programs or manage data related
to health-care.
Beyond the basic privacy guidelines, the act requires organizations that retain health-care
information to use information security mechanisms to protect this information, as well
as policies and procedures to maintain this security. It also requires a comprehensive
assessment of the organization’s information security systems, policies, and procedures.
HIPAA provides guidelines for the use of electronic signatures based on security
standards that ensure message integrity, user authentication, and nonrepudiation. There is
no specification of particular security technologies for each of the security requirements,
only that security must be implemented to ensure the privacy of health-care information.
The privacy standards of HIPAA severely restrict the dissemination and distribution of
private health information without documented consent. The standards provide patients
with the right to know who has access to their information and who has accessed it. The
standards also restrict the use of health information to the minimum necessary for the
health-care services required.
8. If you work for a financial service organization such as a bank or credit union,
which law from 1999 affects your use of customer data? What impact does it have?
The law from 1999 that affects the use of customer data by financial institutions is the
Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999. Specifically,
this act requires all financial institutions to disclose their privacy policies on the sharing
of nonpublic personal information. It also requires due notice to customers, so that they
can request that their information not be shared with third parties. In addition, the act
ensures that the privacy policies in effect in an organization are both fully disclosed when
a customer initiates a business relationship, and distributed at least annually for the
duration of the professional association.
9. What is the primary purpose of the USA PATRIOT Act?
The USA PATRIOT Act of 2001 modified a wide range of existing laws to provide law
enforcement agencies with broader latitude in order to combat terrorism-related activities.
The laws modified by the PATRIOT Act include some of the earliest laws created to deal
with electronic technology.
An organization increases its liability if it refuses to take measures known as due care.
Due care has been taken when an organization makes sure that every employee knows
what is acceptable or unacceptable behavior, and knows the consequences of illegal or
unethical actions. The more active a role an organization takes in observing the due care
concept, the less likely it will be liable for its employees' illegal and/or unethical actions.
14. How does due diligence differ from due care? Why are both important?
Due diligence requires that an organization make a valid effort to protect others and
continually maintain this level of effort. Due care has been taken when an organization
makes sure that every employee knows what is acceptable or unacceptable behavior, and
knows the consequences of illegal or unethical actions. They are both important because
an organization not practicing both due diligence and due care increases its chance of
being found liable should an incident occur.
15. What is a policy? How does it differ from a law?
A policy is a formalized body of expectations that describe acceptable and unacceptable
employee behaviors in the workplace. The difference between a policy and a law is that
ignorance of a policy is an acceptable defense.
16. What are the three general categories of unethical and illegal behavior?
Software license infringement, illicit use, and misuse of corporate resources.
17. What is the best method for preventing an illegal or unethical activity?
Deterrence is the best method for preventing an illegal or unethical activity. In order for
deterrence to be effective, those affected by the deterrence must a) fear the penalty, b)
have an expectation of detection/apprehension and c) expect that if apprehended, the
penalty will be applied.
18. Of the information security organizations listed that have codes of ethics, which has
been established for the longest time? When was it founded?
Exercises
1. What does CISSP stand for? Use the Internet to identify the ethical rules CISSP holders
have agreed to follow.
CISSP is an acronym for Certified Information Systems Security Professional.
The code can be found at https://www.isc2.org/ethics/ (as of October 2010).
2. For what kind of information security jobs does the NSA recruit? Use the Internet
to visit their Web page and find out.
Computer Science / Electrical Engineering:
  Information Assurance Research, with these skills:
    - Secure Network Technology
        - Biometrics
        - Intrusion Detection
        - Wireless Security
        - High Speed Networking Security
    - Secure Systems Research
    - Cryptology Research
  Information Assurance Directorate, with these skills:
    - Network Security
    - Vulnerability Analysis
    - Public Key Infrastructure (PKI)
    - Security Testing/Red Teaming
    - Firewalls/Router Security
    - Security Software Design/Development (object-oriented programming: C++/Java)
    - Security Hardware Design/Development
    - Customer Support
    - Defense Information Operations (DIO)
    - Special Processing Laboratory (SPL) {now part of IAD}
    - Microelectronics Research Laboratory (MRL) {now part of IAD}
  Networking, with these skills:
    - Packet Based
    - Internet/Intranets
    - Protocol Development
    - Optical Network Management
    - Advanced Research
Alternate Answer
The NSA’s ongoing mission involves monitoring, gathering, and decoding foreign
communication signals from around the world, as well as information assurance.
To meet this goal, they actively recruit individuals with computer and engineering
backgrounds as well as those with foreign language capabilities. From their
website, some of the current job titles include: Inspector General Auditor/IT
Specialist; Mathematician; Computer Scientist; Cryptanalyst; Electronic and
Computer Engineer; Signals Analyst; Signals Intelligence (SIGINT) Systems
Engineering Architect; and Linguist.
3. Using the resources available in your library, find out what laws your state has
passed to prosecute computer crime.
(Note that each state will have different answers. Answers from the State of
Georgia are given as a representative.)
The Georgia Computer Systems Protection Act was enacted by the 1991 Georgia
General Assembly and signed into law by the Governor effective July 1, 1991. It
repealed and replaced an act having the same name enacted by the 1981 Georgia
General Assembly and signed into law by the Governor effective July 1, 1981.
This act establishes certain acts involving computer fraud or abuse as crimes
punishable by defined fines or imprisonment or both. A modification to this Act
was passed by the 1996 session of the Georgia General Assembly.
The following specific computer crimes are defined by state law (Georgia Code
16-9-90 et seq.).
Computer theft -- including theft of computer services, intellectual property such
as copyrighted material, and any other property.
Computer trespass -- unauthorized use of computers to delete or alter data or
interfere with others' usage.
Computer invasion of privacy -- unauthorized access to financial or personal data
or the like.
Computer forgery -- forgery as defined by other laws, but committed on a
computer rather than on paper.
Computer password disclosure -- unauthorized disclosure of a password resulting
in damages exceeding $500. In practice, this includes any disclosure that requires
a system security audit afterward.
Maximum penalties are a $5,000 fine and 1 year of imprisonment for password
disclosure, and a $50,000 fine and 15 years of imprisonment for the other computer
crimes, plus civil liability. This code is contained in the House senate bill number 822.
Code section 16-9-91 contains the Georgia General Assembly's findings that previous
laws made it difficult to prosecute computer crimes. Section 16-9-92 defines computer,
computer network, computer operation, computer program, data, financial instruments,
property, services, use, victim expenditure, and without authority. Section 16-9-93 goes
into detail about computer theft, computer trespass, computer invasion of privacy,
computer forgery, computer password disclosure, article of exclusion, civil relief and
damages, and criminal penalties. Section 16-9-94 sums up code sections 16-9-90 through
16-9-93.
4. Using a Web browser go to www.eff.org. What are the current top concerns of this
organization?
Expanded Surveillance with Reduced Checks and Balances.
Be careful what you put in that Google search.
Nationwide roving wiretaps.
ISPs hand over more user information.
New definitions of terrorism expand scope of surveillance.
Overbreadth with a lack of focus on terrorism.
Government spying on suspected computer trespassers with no need for court
order. Sec. 217.
Adding samples to DNA database for those convicted of "any crime of
violence."
Wiretaps now allowed for suspected violations of the Computer Fraud and
Abuse Act.
Dramatic increases to the scope and penalties of the Computer Fraud and
Abuse Act.
Allows Americans to be More Easily Spied Upon by US Foreign Intelligence
Agencies.
General Expansion of FISA Authority.
Increased information sharing between domestic law enforcement and
intelligence.
FISA detour around federal domestic surveillance limitations; domestic detour
around FISA limitations.
Alternate Answer
1. What is risk management? Why is identification of risks, by listing assets and their
vulnerabilities, so important to the risk management process?
Risk management is the process of identifying vulnerabilities in an organization’s
information systems and taking carefully reasoned steps to ensure the confidentiality,
integrity, and availability of all the components in the organization’s information system.
To protect assets, which are defined here as information and the systems that use, store,
and transmit information, you must understand what they are, how they add value to the
organization, and to which vulnerabilities they are susceptible. Once you know what you
have, you can identify what you are already doing to protect it. Just because you have a
control in place to protect an asset does not necessarily mean that the asset is protected.
Frequently, organizations implement control mechanisms, but then neglect the necessary
periodic review, revision, and maintenance. The policies, education and training
programs, and technologies that protect information must be carefully maintained and
administered to ensure that they are still effective.
2. According to Sun Tzu, what two key understandings must you achieve to be
successful?
An observation made by the Chinese General Sun Tzu Wu stated, "If you know the enemy
and know yourself, you need not fear the result of a hundred battles. If you know yourself
but not the enemy, for every victory gained you will also suffer a defeat. If you know
neither the enemy nor yourself, you will succumb in every battle." In short, know yourself
and know the enemy.
3. Who is responsible for risk management in an organization? Which community of
interest usually takes the lead in information security risk management?
In an organization, it is the responsibility of each community of interest to manage the
risks that organization encounters. Each community of interest has a role to play. Since
the members of the information security community best understand the threats and
attacks that introduce risk into the organization, they often take a leadership role in
addressing risk.
4. In risk management strategies, why must periodic review be a part of the process?
Frequently, organizations implement control mechanisms, but then neglect the necessary
periodic review, revision, and maintenance. The policies, education and training
programs, and technologies that protect information must be carefully maintained and
administered to ensure that they are still effective.
5. Why do networking components need more examination from an information
security perspective than from a systems development perspective?
Since networking subsystems are often the focal point of attacks against the system, they
should be considered as special cases rather than combined with general hardware and
software components.
Additionally, some networking components require examination from an information
security perspective due to the fact that they must be reconfigured from their default
settings to both serve their required purpose and maintain security requirements. From
the systems development perspective, the networking component may function perfectly,
as is, right out of the box. However, without information security oversight, potential
vulnerabilities could go unnoticed.
6. What value does an automated asset inventory system have for the risk
identification process?
Automated tools can sometimes identify the system elements that make up hardware,
software, and network components. The inventory listing is usually available in a
database, or can be exported to a database for custom information on security assets.
Once stored, the inventory listing must be kept current, often by means of a tool that
periodically refreshes the data.
When you move to the later steps of risk management, which involve calculations of loss
and projections of costs, the case for the use of automated risk management tools for
tracking information assets becomes stronger.
7. What information attribute is often of great value for networking equipment when
DHCP is not used?
The IP address is a useful attribute for networking equipment. Note that many
organizations use the dynamic host control protocol (DHCP) within TCP/IP that reassigns
IP numbers to devices as needed, making the use of IP numbers as part of the asset
identification process problematic. As a result, IP address use in inventory is usually
limited to those devices that use static IP addresses.
8. Which is more important to the systems components classification scheme, that the
list be comprehensive or mutually exclusive?
It is more important that the list be comprehensive than mutually exclusive. It would be
far better to have a component assessed in an incorrect category rather than to have it go
completely unrecognized during a risk assessment.
9. What’s the difference between an asset’s ability to generate revenue and its ability to
generate profit?
Revenue is the recognition of income from an activity supported by the system. Profit is
the amount of revenue that exceeds operating costs. Some systems may cost more to
operate than they contribute to revenue.
10. What are vulnerabilities and how do you identify them?
Vulnerabilities are specific avenues that threat agents can exploit to attack an information
asset. They are chinks in the armor of the information asset—a flaw or weakness in an
information asset, security procedure, design, or control that could be exploited
accidentally or on purpose to breach security.
Analyzing all components of an Information System and evaluating the risk to each
component should identify any vulnerabilities.
11. What is competitive disadvantage? Why has it emerged as a factor?
A competitive disadvantage occurs when a company falls behind the competition in its
ability to maintain the highly responsive services required in today’s marketplaces.
This is a factor because almost all organizations have an IT system in this day and time.
Therefore, organizations need to obtain or improve their IT systems to avoid falling
behind all others.
12. What are the strategies for controlling risk as described in this chapter?
Defend - The defend control strategy attempts to prevent the exploitation of the
vulnerability.
Transfer - The transfer control strategy attempts to shift risk to other assets, other
processes, or other organizations.
Mitigate - The mitigate control strategy attempts to reduce the impact caused by the
exploitation of a vulnerability through planning and preparation.
Accept - The accept control strategy is the choice to do nothing to protect a
vulnerability and to accept the outcome of its exploitation.
Terminate - The terminate control strategy directs the organization to avoid those
business activities that introduce uncontrollable risks.
13. Describe the “defend” strategy. List and describe the three common methods.
The defend control strategy attempts to prevent the exploitation of the vulnerability. This
is the preferred approach, and is accomplished by means of countering threats, removing
vulnerabilities from assets, limiting access to assets, and adding protective safeguards.
There are three common methods used to defend:
Application of policy
Education and training
Application of technology
14. Describe the “transfer” strategy. Describe how outsourcing can be used for this
purpose.
The transfer strategy is the control approach that attempts to shift risk to other assets,
other processes, or other organizations. This may be accomplished by rethinking how
services are offered, revising deployment models, outsourcing to other organizations,
purchasing insurance, or implementing service contracts with providers.
Outsourcing allows an organization to transfer the risk associated with the management
of complex systems to another organization that has experience in dealing with those
risks. One of the benefits of outsourcing is that the service provider is responsible for
disaster recovery when recovery efforts are needed.
15. Describe the “mitigate” strategy. What three planning approaches are discussed in
the text as opportunities to mitigate risk?
The mitigate strategy is the control approach that attempts to reduce the impact caused by
the exploitation of a vulnerability through planning and preparation. Mitigation begins
with the early detection that an attack is in progress and the ability of the organization to
respond quickly, efficiently, and effectively.
This approach requires the creation of three types of plans: the incident response plan, the
disaster recovery plan, and the business continuity plan. Each of these plans depends on
the ability to detect and respond to an attack as quickly as possible and relies on the
existence and quality of the other plans.
Incident Response Plan (IRP) - Defines the actions an organization can and perhaps
should take while an incident is in progress. The IR plan focuses on intelligence
gathering, information analysis, coordinated decision making, and urgent, concrete
actions.
Disaster Recovery Plan (DRP) - Includes the entire spectrum of activities used to prepare
for and recover from an incident. The DR plan focuses more on preparations completed
before and actions taken after the incident.
Business Continuity Plan (BCP) - Encompasses the continuation of business activities
if a catastrophic event occurs. The BC plan includes planning the steps necessary to
ensure the continuation of the organization when the scope or scale of a disaster exceeds
the ability of the DR plan to restore operations.
16. How is an incident response plan different from a disaster recovery plan?
The DR plan focuses more on preparations completed before, and actions taken after,
disasters (often escalated incidents) in order to reestablish operations at the primary site.
The IR plan focuses on incident response: intelligence gathering, information analysis,
coordinated decision making, and urgent, concrete actions taken while an incident is
occurring.
17. What is risk appetite? Explain why risk appetite varies from organization to
organization?
Risk appetite defines the quantity and nature of risk that organizations are willing to
accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
Risk appetite varies from organization to organization because different organizations
maintain different balances between the expense of controlling vulnerabilities and the
losses possible if these vulnerabilities were exploited. The key for each organization is to
find the balance in its decision-making processes and in its feasibility analyses, therefore
assuring that an organization’s risk appetite is based on experience and facts and not on
ignorance or wishful thinking.
18. What is a Cost Benefit Analysis?
Cost benefit analysis is the formal decision-making process used by an organization to
evaluate whether or not the benefit gained from a given project is worth the expense its
undertaking incurs.
19. What is the definition of single loss expectancy? What is annual loss expectancy?
A single loss expectancy is the value associated with the most likely loss from an attack.
It is a calculation based on the value of the asset and the expected percentage of loss that
would occur from a single occurrence of a particular attack.
Annual loss expectancy is the expected loss from exploitation of a vulnerability for a
specific information asset over the course of a year. It is calculated by multiplying the
single loss expectancy for a particular information asset by the annualized rate of
occurrence.
20. What is residual risk?
Even when vulnerabilities have been controlled as much as possible, there is often still
some risk that has not been completely removed, shifted, or planned for. This remainder
is called residual risk.
Exercises
1. If an organization has three information assets to evaluate for risk management as
shown in the accompanying data, which vulnerability should be evaluated for
additional controls first? Which one should be evaluated last?
An evaluation of the provided asset vulnerabilities results in:
Asset A:
This is a switch that has two vulnerabilities. The first involves a hardware failure
likelihood of 0.2 and the second involves a buffer attack likelihood of 0.1. The
switch has an impact rating of 90. Assumptions made on this asset have a 75%
certainty.
Asset B:
This is a web server that deals with e-commerce transactions. It has one
vulnerability with a likelihood of 0.1. However it has an impact rating of 100.
Assumptions made on this asset have an 80% certainty.
Asset C:
This is a control console with no password protection with a likelihood of attack
of 0.1. It has no controls and an impact rating of 5. Assumptions made on this
asset have a 90% certainty.
Based on the above information, the vulnerability that should be evaluated first is the web
server risk of attack of Asset B. This device has an impact rating of 100 and 80%
certainty of the stated assumptions. The device obviously plays an important part in the
business, and any downtime would result in a loss of customers, which translates directly
into a financial loss. Additionally, compared to the other two assets, this is the
only one that has direct contact with customers and a high-visibility profile.
The last risk that should be investigated for additional controls would be the attack of the
control console of Asset C. Even though there are no controls currently in place on this
asset, it only has an impact rating of 5 and is mostly operated by what should be trusted
employees.
2. Using the data classification scheme presented in this chapter, identify and classify the
information contained in your personal computer or personal digital assistant. Based on
your potential for misuse or embarrassment, what information would be Confidential,
Sensitive but Unclassified, Public Release? (the answer here is representative)
Confidential Sensitive but Unclassified Public Release
Microsoft Money Favorites
Outlook PST Files My Documents
Word Documents Digital Photos
Application Files
Alternate Answer
Personal Identification X
Calendar X
IP/MAC Address X
Personal Documents X
School Papers X
Personal Schedule X
Email Messages X
Contacts X
Web Favorites X
Income Tax Worksheets X
Music Files X
Picture Files X
Alternate Answer
Confidential - Client bank and credit card statements, tax information
Sensitive but Unclassified - Client contact information (addresses, phone numbers, etc.)
Public - General company documents
3. Suppose XYZ Software Company has a new application development project, with
projected revenues of $1,200,000. Using the following table, calculate ARO and ALE
for each threat category that XYZ Software Company faces for this project.
[Table: XYZ Software Company, major threat categories for new applications development.
Columns: Cost per Incident, Frequency of Occurrence, SLE, ARO, ALE. Only the column
headings survive on this page.]
4. How might XYZ Software Company arrive at the values in the above table? For
each entry, describe the process of determining the cost per incident and frequency
of occurrence.
It is most likely that the XYZ Software Company employed an economic feasibility
study or cost-benefit analysis to arrive at the values in their cost/incident table.
For each of the entries in the chart, the cost per incident and the frequency of
occurrence could have been reached through several, varied methods. Businesses
often use benchmarking, best practices, and baselining to determine the values of cost
per incident and frequency of occurrence. These techniques take into account internal
investigation and asset valuation, along with information that has been gathered by
other sources in the industry, such as the frequency of virus, worm, or Trojan attacks. All
of these methods combined could provide the numbers for the costs and frequencies in
the chart listed.
5. Assume a year has passed and XYZ has improved security by applying a number of
controls. Using the information from Exercise 3 and the following table, calculate
the post-control ARO and ALE for each threat category listed.
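A small worksheet helper, added here as an example (it is not part of the solutions manual), that annualizes a "Frequency of Occurrence" entry into an ARO, computes SLE and ALE as Q19 defines them, and compares the pre- and post-control tables of Exercises 3 and 5. The cost-benefit formula CBA = ALE(prior) - ALE(post) - ACS is assumed here, since the page defines cost-benefit analysis only in words, and every threat row, frequency string and dollar amount below is constructed sample data, not the book's table.

```python
"""Quantitative risk worksheet helper (added example, not from the solutions
manual). Turns a 'frequency of occurrence' string into an annualized rate of
occurrence (ARO), computes SLE and ALE, and applies the cost-benefit formula
CBA = ALE(prior) - ALE(post) - ACS, which is assumed here: the page describes
cost-benefit analysis only in words. All rows and dollar figures are constructed."""
import re
from dataclasses import dataclass

# Length of each period in days; a year is taken as 365 days, so
# "1 per week" annualizes to 365/7, roughly 52.14 occurrences per year.
_DAYS = {"day": 1, "week": 7, "month": 365 / 12, "quarter": 365 / 4, "year": 365}

def aro_from_frequency(text: str) -> float:
    """Parse '1 per week', '2 per month' or '1 per 10 years' into an
    annualized rate of occurrence (expected events per year)."""
    m = re.fullmatch(
        r"\s*(\d+(?:\.\d+)?)\s+per\s+(\d+(?:\.\d+)?)?\s*(day|week|month|quarter|year)s?\s*",
        text.lower())
    if not m:
        raise ValueError(f"unrecognized frequency: {text!r}")
    count = float(m.group(1))
    period_days = float(m.group(2) or 1) * _DAYS[m.group(3)]
    return count * 365 / period_days

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the value lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro

def cost_benefit(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS (assumed formula); positive means the
    controls save more per year than they cost."""
    return ale_prior - ale_post - annual_cost_of_safeguard

@dataclass
class ThreatRow:
    category: str
    cost_per_incident: float   # used directly as the SLE, as in the XYZ worksheet
    frequency: str             # e.g. "1 per week"

    @property
    def aro(self) -> float:
        return aro_from_frequency(self.frequency)

    @property
    def ale(self) -> float:
        return annual_loss_expectancy(self.cost_per_incident, self.aro)

# Constructed rows in the shape of Exercise 3's table (not the book's values).
PRIOR = [
    ThreatRow("Programmer mistakes", 5_000, "1 per week"),
    ThreatRow("Loss of intellectual property", 75_000, "1 per year"),
    ThreatRow("Theft of information (hacker)", 2_500, "1 per quarter"),
    ThreatRow("Fire", 500_000, "1 per 10 years"),
]
# Constructed post-control rows for Exercise 5: same categories, lower frequencies.
POST = [
    ThreatRow("Programmer mistakes", 5_000, "1 per month"),
    ThreatRow("Loss of intellectual property", 75_000, "1 per 2 years"),
    ThreatRow("Theft of information (hacker)", 2_500, "1 per 6 months"),
    ThreatRow("Fire", 500_000, "1 per 10 years"),
]
ANNUAL_COST_OF_SAFEGUARDS = 40_000.0   # constructed ACS for all new controls combined

def worksheet(rows):
    """Return {category: (SLE, ARO, ALE)} for a table of threat rows."""
    return {r.category: (r.cost_per_incident, r.aro, r.ale) for r in rows}

def total_ale(rows) -> float:
    return sum(r.ale for r in rows)

def residual_summary(prior, post, acs):
    """Total ALE before and after controls, the net CBA, and the ALE that
    remains after the controls (Q20's residual risk, expressed in dollars)."""
    before, after = total_ale(prior), total_ale(post)
    return {"ale_prior": before, "ale_post": after,
            "cba": cost_benefit(before, after, acs), "residual_ale": after}

if __name__ == "__main__":
    for name, rows in (("prior", PRIOR), ("post-control", POST)):
        print(f"--- {name} ---")
        for cat, (sle, aro, ale) in worksheet(rows).items():
            print(f"{cat:32s} SLE={sle:>10,.0f}  ARO={aro:6.2f}  ALE={ale:>12,.0f}")
    print(residual_summary(PRIOR, POST, ANNUAL_COST_OF_SAFEGUARDS))
```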
1. How can a security framework assist in the design and implementation of a security
infrastructure? What is information security governance? Who in the organization should
plan for it?
Designing a working plan for securing the organization’s information assets begins by
creating or validating an existing security blueprint for the implementation of the
security controls needed to protect the information assets. A framework is the outline from
which a more detailed blueprint evolves. The blueprint is the basis for the design,
selection, and implementation of all subsequent security policies, education and training
programs, and technologies. The blueprint provides scalable, upgradeable, and
comprehensive security for the coming years. The blueprint is used to plan the tasks to
be accomplished and the order in which to proceed.
ISO/IEC 27000 Series Standards
Standard   Status    Title
27000      Planned   Series Overview and Terminology
27001      2005      Information Security Management System Specification
27002      2007      Code of Practice for Information Security Management
27003      Planned   Information Security Management Systems Implementation Guidelines
27004      Planned   Information Security Measurements and Metrics
27005      Planned   ISMS Risk Management
27006      2007      Requirements for Bodies Providing Audit and Certification of an ISMS
4. What are the inherent problems with ISO 17799, and why hasn’t the U.S. adopted
it? What are the recommended alternatives?
The problems include:
The global information security community has not defined any justification for a
code of practice as identified in ISO/IEC 17799.
ISO/IEC 17799 lacks “the necessary measurement precision of a technical
standard.”
There is no reason to believe that ISO/IEC 17799 is more useful than any other
approach currently available.
ISO/IEC 17799 is not as complete as other frameworks available.
ISO/IEC 17799 is perceived to have been hurriedly prepared given the
tremendous impact its adoption could have on industry information security
controls.
The recommended alternative is to use the many documents available from the Computer
Security Resource Center of the National Institute of Standards and Technology. These
documents are publicly available at no charge, have been available for some time, and
therefore have been broadly reviewed by government and industry professionals.
5. What documents are available from the NIST Computer Resource Center, and how
can they support the development of a security framework?
The documents available from the NIST Computer Resource Center that can assist in the
design of a security framework are:
SP 800-12: An Introduction to Computer Security: The NIST Handbook
SP 800-14: Generally Accepted Security Principles and Practices for Securing
Information Technology Systems
SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information
Systems
SP 800-26: Security Self-Assessment Guide for Information Technology Systems
SP 800-30: Risk Management Guide for Information Technology Systems
These documents can support the development of a security framework because they
provide organizations with a basic skeleton for planning a blueprint.
6. What benefit can a private, for-profit agency derive from best practices designed for
federal agencies?
Private organizations can take advantage of best practices designed for federal agencies by
adapting many of the same methodologies and practices to their own organization. These
best practices help an organization piece together the desired outcome of the security
process and therefore work backwards to an effective design.
7. What web resources can aid an organization in developing best practices as part of a
security framework?
The web offers a variety of information sources for a security framework. Of course,
many of the security framework documents are available via the web, but in addition the
government offers a web site (fasp.nist.gov) that offers security frameworks and best
practices.
Other sources include:
the Internet Security Task Force (www.ca.com/ISTF), offering a collection of
parties interested in Internet security,
the Computer Emergency Response Team (www.cert.org), offering a series of
modules with links and practices of security methodologies,
the Technology Manager’s Forum (www.techforum.com)
the Information Security Forum (www.isfsecuritystandard.com)
the Information Systems Audit and Control Association (www.isaca.com)
the Professional Security Consultants (www.iapsc.org)
the Global Grid Forum (www.gridforum.org)
8. Briefly describe a management, an operational, and a technical control, and explain
when each would be applied as part of a security framework.
Management controls cover security processes that are designed by strategic planners and
implemented by the security administration of the organization. These include setting the
direction and scope of the security processes and providing detailed instruction for their
conduct.
Operational controls deal with the operational functionality of security in the organization
including disaster recovery and incident response planning.
Technical controls address the tactical and technical issues related to designing and
implementing security in the organization, as well as issues related to examining and
selecting the technologies appropriate to protecting information.
9. What are the differences between a policy, a standard, and a practice? What are the
three types of security policies? Where would each be used? What type of policy would be
needed to guide use of the Web? E-mail? Office equipment for personal use?
A policy is a plan or course of action intended to influence and determine decisions,
actions, and other matters. Policies are organizational laws because they dictate
acceptable and unacceptable behavior within the context of the organization’s culture. A
standard, like a policy, has the same requirement for compliance, but it provides more
detail as to what must be done to comply with policy. The level of acceptance of
standards may be informal (as in de facto standards) or formal (as in de jure standards).
Finally, practices, procedures, and guidelines effectively explain how to comply with
policy.
Policies provide instructions on what technologies can and cannot be used for. Three
criteria for shaping sound policies are:
Never conflict with law
Stand up in court, if challenged
Be properly administered through dissemination and documented acceptance
For these reasons, it is important for policy to be adequately detailed to ensure proper
implementation.
Policy that is not well defined can cause significant liability for the company if it finds
itself defending policy in a court of law. Unless a particular use is clearly prohibited, the
organization cannot penalize an employee for its misuse.
Policy has the ultimate responsibility for managing technology. System administrators
and users are responsible for enforcing policy.
Based on The National Institute of Standards and Technology’s (NIST) Special
Publication 800-14, there are three types of information security policies. First are
general or security program policies (SPP), which are usually drafted by the chief
information officer of the organization. The SPP are used to directly support the mission,
vision, and direction of the organization and set the strategic direction, scope, and tone
for all security efforts within the organization. Second are issue-specific security policies
(ISSP), which are formally written to instruct employees in the proper use of the
organization’s technologies, such as the Internet, electronic mail, and photocopy
equipment. The ISSP requires frequent updates and must contain a statement of the
organization’s position on a specific issue. Third are system-specific security policies
(SysSP). The SysSP are not formal documents but are usually codified as standards and
procedures used when configuring or maintaining systems. The SysSP fall into two
groups: access control lists and configuration rules.
Use of the Web, e-mail, and office equipment for personal use: an issue-specific security
policy (ISSP) would be needed to guide each of these.
10. Who is ultimately responsible for managing a technology? Who is responsible for
enforcing policy that affects the use of a technology?
Senior Management. Everyone in a supervisory position.
11. What is contingency planning? How is it different from routine management
planning? What are components of contingency planning?
Contingency planning encompasses all planning conducted by the organization to prepare
for, react to, and recover from events that threaten the security of information and
information assets in the organization, and the subsequent restoration to normal modes of
business operations.
Each part of contingency planning is different in scope, applicability, and design
compared to routine management planning.
Contingency planning is composed of three plans: the Incident Response Plan, the Disaster
Recovery Plan, and the Business Continuity Plan.
12. When is the IR Plan used?
Incident response planning (IRP) covers the identification, classification, response
to, and recovery from an incident. It should be used when an incident in progress is first
detected by an organization. IRP is more reactive than proactive, with the exception of
the planning that must occur to prepare the IR teams to be ready to react to an incident.
13. When is the DR Plan used?
A disaster recovery plan addresses the preparation for and recovery from a disaster,
whether natural or man-made. It is used before a disaster, in preparation for the
occurrence, and after a disaster to rebuild and recover organizational functionality.
14. When is the BC Plan used? How do you determine when to use IRP, DRP, or BCP
plans?
Business Continuity Planning (BCP) will be needed if a disaster has rendered the current
location of the business unusable for continued operation. BCP outlines the
reestablishment of critical business operations during a disaster that impacts operations at
the primary site.
An Incident Response Plan is used as soon as an incident in progress has been identified.
An attack is identified as an incident if:
1. It is directed against information assets.
2. It has a realistic chance of success.
3. It could threaten the confidentiality, integrity, or availability of information
resources.
A Disaster Recovery Plan is used if an incident escalates or is disastrous. It typically
focuses on restoring systems at the original site after disasters occur.
A Business Continuity Plan is used concurrently with the Disaster Recovery Plan when
the damage is major or long term, requiring more than simple restoration of information
and information resources.
15. What are the five elements of a business impact analysis?
The five elements of a business impact analysis are:
a. Threat attack identification
b. Business unit analysis
c. Attack success scenario development
d. Potential damage assessment
e. Subordinate plan classification
16. What are Pipkin’s three categories of incident indicators?
Possible
Probable
Definite
17. What is containment and why is it part of the planning process?
Containment is the process of determining what systems have been attacked and
removing their ability to attack non-compromised systems.
Containment is part of the planning process because the containment of an attack could
prevent the attack from escalating into a disaster. It is focused on stopping the incident
and recovering control of the systems.
18. What is computer forensics? When are the results of computer forensics used?
Computer forensics is the process of collecting, analyzing, and preserving
computer-related evidence.
This evidence is used in informal internal administrative proceedings and in formal
criminal or civil legal proceedings if the perpetrator is brought to justice.
19. What is an after-action review? When is it performed? Why is it done?
Part of the incident recovery process, the after-action review is performed by the IR team.
It is a detailed examination of the events that occurred from the first detection to final
recovery. All key players review their notes, and verify that the IR documentation is
accurate and precise. This document serves as a training case for future actions.
20. List and describe the six continuity strategies identified in the text.
Hot sites - A hot site is a fully configured computer facility, with all services,
communications links, and physical plant operations including heating and air
conditioning. Hot sites duplicate computing resources, peripherals, phone systems,
applications, and workstations. A hot site is the pinnacle of contingency planning, a
duplicate facility that needs only the latest data backups and personnel to become a fully
operational twin of the original. A hot site can be operational in a matter of minutes, and
in some cases may be built to perform a fail-over seamlessly by picking up the processing
load from a failing site. The hot site is therefore the most expensive alternative available.
Warm sites - A warm site provides many of the same services and options of the hot site.
However, it typically does not include the actual applications the company needs, or the
applications may not yet be installed and configured. A warm site frequently includes
computing equipment and peripherals with servers but not client workstations. A warm
site has many of the advantages of a hot site, but at a lower cost. The downside is that it
requires hours, if not days, to make a warm site fully functional.
Cold sites - A cold site provides only rudimentary services and facilities. No computer
hardware or peripherals are provided. All communications services must be installed after
the site is occupied. Basically a cold site is an empty room with heating, air conditioning,
and electricity. Everything else is an option. Although the obvious disadvantages may
preclude its selection, a cold site is better than nothing. The main advantage of cold sites
over hot and warm sites is the cost.
Time-shares - A time-share is a hot, warm, or cold site that is leased in conjunction with a
business partner or sister organization. The time-share allows the organization to maintain
a disaster recovery and business continuity option, but at a reduced overall cost. The
advantages are identical to the type of site selected (hot, warm, or cold). The primary
disadvantage is the possibility that more than one organization involved in the time-share
may need the facility simultaneously. Other disadvantages include the need to stock the
facility with the equipment and data from all organizations involved, the negotiations for
arranging the time-share, and associated agreements, should one or more parties decide to
cancel the agreement or to sublease its options.
Service bureaus - A service bureau is an agency that provides a service for a fee. In the
case of disaster recovery and continuity planning, the service is the agreement to provide
physical facilities in the event of a disaster. These types of agencies also frequently
provide off-site data storage for a fee. With service bureaus, contracts can be carefully
created, specifying exactly what the organization needs, without the need to reserve
dedicated facilities. A service agreement usually guarantees space when needed, even if
the service bureau has to acquire additional space in the event of a widespread disaster.
Mutual agreements - A mutual agreement is a contract between two or more organizations
that specifies how each will assist the other in the event of a disaster. It stipulates that
each organization is obligated to provide the necessary facilities, resources, and services
until the receiving organization is able to recover from the disaster. While this may seem
like a viable solution, many organizations balk at the idea of having to fund (even in the
short term) duplicate services and resources should the other agreeing parties need them.
Still, mutual agreements between divisions of the same parent company, between
subordinate and superior organizations, or between business partners may be a cost-
effective solution.
Exercises
1. Using a graphics program, design several security awareness posters on the
following themes: updating anti-virus signatures, protecting sensitive information,
watching out for e-mail viruses, prohibiting use of company equipment for personal
matters, changing and protecting passwords, avoiding social engineering, and protecting
software copyrights. What other areas can you come up with?
Additions: upcoming security classes, the addition of new security personnel, and
reducing employee accidents and failures.
Keep Protected
E-Mail Awareness
Do you know the person sending you that attachment? You can't be too careful these
days. There are new breeds of software viruses that disguise themselves in e-mail
documents. Better safe than sorry.
Social Engineering
Be on your guard for calls trying to get sensitive information. The callers may not be who
they appear to be; this is social engineering, a way to break into systems. If anyone
attempts to solicit user ID or password information, say NO!
Passwords
Please regard passwords as sensitive information. Follow the standard of
changing them every 3 months. Be careful where you store password information.
2. Search the Web for security education and training programs in your area. Keep a
list and see which category has the most examples. See if you can determine the costs
associated with each example. Which do you feel would be more cost effective in terms of
both time and money?
Examples will vary over time.
For a security professional the education would be the most effective because the
education would give a person the background to learn security principles and then be
able to apply those in situations. Training on the other hand would be specific to the
product or topic in information security and would have a limited scope of material. This
would be beneficial to someone that administered a specific type of system but would not
give them the background needed to make plans for the information security of the
organization as a whole.
While there are courses and training programs offered in all areas, there does seem to be a
larger focus on incident response. They seem to be more expensive on average than the
security awareness training programs. The security awareness training would be the most
cost-effective measure in terms of time and money.
3. Search the Web for examples of issue-specific security policies. What types of
policies can you find? Draft a simple issue-specific policy using the format provided in the
text that outlines “Fair and Responsible Use of College Computers” and is based on the
rules and regulations you have been provided in your institution. Does your school have a
similar policy? Does it contain all the elements listed in the text?
Policy Statement
This policy has been adopted to outline the acceptable use of all campus computers.
Strong adherence to this policy is a must and any student not doing so will be considered
to be in violation of campus policy. Violators are subject to disciplinary actions
established by administration and the IT department.
User Responsibility
The following guidelines are to be followed by all authorized users accessing university
owned computers.
General Computer Usage
As a registered student, you are responsible for the protection of all information and data
that you have access to, whether directly or indirectly. It is also the responsibility of the
student to recognize what, if any, of that data or information is sensitive and take the
necessary measures to keep it that way.
To help in the protection of all data, sensitive or otherwise, choose a user name and
password that are easy to remember but hard for others to guess.
Never under any circumstance share or disclose your username and/or password.
At no time is gaming permitted on campus computers. No exceptions.
Respect all legal protections such as copyright and licenses. Never copy software or use
shareware without written permission from the author or an IT administrator.
Log off all workstations or computers when you have completed your task.
In the classroom environment, properly shut down all computers at the end of the period
prior to leaving.
Only registered students and faculty are permitted to use campus machines.
Inform an IT administrator if you observe or learn of any suspicious activity.
Internet Use
Access to the Internet is only permitted through the campus firewall, router and content
scanning software. Access through any other means is not permitted.
Only authorized personnel are permitted to install modems, software, or any other types
of hardware.
Internet users should never visit web sites that are offensive to others, contain sexual
content, or are in violation of the law. Remember that you are responsible for anything
that you do on the system. The school reserves the right to keep and maintain logs on all
Internet usage, as well as to block any web sites that are deemed offensive or in violation of
the law.
If you have any doubt about Internet use or content, consult an IT administrator before
proceeding.
Electronic Mail
It is the responsibility of the student to maintain his or her own mailboxes; if an email is
no longer needed delete it in order to reduce memory usage and storage space.
Do not send excessively large attachments.
Scan all transmissions for viruses.
Refrain from offensive, racist, or lewd language when constructing emails.
Emails should never contain information of an extreme political nature, or relating to
violence, hatred, or illegal activity.
All electronic transmissions are monitored and scanned for viruses, and offensive content.
The school reserves the right to keep and maintain logs on all electronic mail usage.
* Note: All data, information, hardware, and software belong solely to the school; treat
them with respect and keep security in mind at all times.
* Your computer, workstation and all logins to the network are monitored regularly.
* Logs are audited and maintained regularly.
Kennesaw State does have a similar policy, and it contains the elements described above.
Alternate Answer
POLICY FOR “FAIR AND RESPONSIBLE USE OF COLLEGE COMPUTERS”
October 20, 2002
ACWORTH STATE UNIVERSITY
_____________________________________________________________________________________________
Page: 49
______________________________________________________________________________
Statement of policy
This document describes policies for use of Acworth State University computer resources
by faculty, staff, and students.
Computer resources are defined as all publicly available networks, processors,
peripherals and supplies under the administration of the Office of Computing Services
and various academic departments and colleges.
Authorized access and usage of equipment
Unauthorized access to computer resources is prohibited. No one should use the ID or
password of another; nor should anyone provide his/her ID or password to another,
except where necessary to facilitate computer maintenance and repairs.
University computer resources are to be used predominantly for university-related
activities. However, personal use is permitted as long as it conforms to this policy and
does not interfere with university operations.
Programs and files stored in users' private directories are considered private unless their
owners have explicitly made them available. However, in the case of system problems or
clear policy violations, system managers may examine user files and system logs in order
to gather sufficient information to diagnose and correct system problems and investigate
policy violations.
Prohibited usage of equipment
No one should deliberately attempt to degrade the performance of a computer system or
to deprive authorized personnel of resources or access to any university computer
systems.
Electronic communications facilities (such as e-mail) are for college related activities
only. Fraudulent, harassing or obscene messages and/or materials are not to be sent or
stored.
The use of Acworth State University’s computer resources for the conduct of a business
or any other commercial purposes is prohibited.
Computer software protected by copyright is not to be copied from, into, or by using
campus-computing facilities, except as permitted by law or by the contract with the
owner of the copyright. This means that such computer and microcomputer software may
only be copied in order to make back-up copies, if permitted by the copyright owner.
Systems management
Personal user files -- whether stored on disk or backup tape -- are considered private and
will not be scanned or read by computer center staff except as specifically authorized
below:
If System Managers discover private information as an incidental result of performing
their duties, they are obligated to keep this information confidential. However, such
information, if it is evidence of policy violations, may be used in disciplinary
proceedings.
System Managers are authorized to examine user files or processes only as far as
necessary to ensure reliable and secure system operation. If reliable system operation is in
jeopardy, system operators are also authorized to kill or suspend user processes, move
user files to alternate storage media or delete files that can be easily recovered (for
instance, from off the Internet). The users affected will be promptly notified of the actions
taken and the reasons why. System Managers will make every reasonable attempt to
assist users in recovering work files that were destroyed in the process of attempting to
keep the system running properly.
System Managers are authorized to examine user files to collect evidence of specific
college policy violations, provided that probable cause exists for such a search. Any
examination of this sort must be reported promptly to the Director of Computing.
Violations of policy
Depending on the nature and severity of the policy violation, the university may take one
or more of the following disciplinary actions:
Send a verbal, written, or electronic mail warning.
Allow only restricted computer privileges.
Temporarily suspend the computer account.
Revoke all computer privileges.
Policy review and modification
All policies and procedures outlined are intended to serve for the current academic year;
however, Acworth State University reserves the right to make such modifications as are
deemed necessary. If and when changes are made, appropriate effort such as faxing
updates to all campus departments and posting changes on the university's web page will
be made to notify the university community.
Limitations of liability
Acworth State University provides computer accounts and access to technology resources
for all faculty, students, and staff for educationally related purposes. The university
assumes full responsibility for the accuracy and appropriateness of official university
WWW pages.
Individuals' personal pages (as denoted by "~username" in the URL) are provided as
professional and educational work areas. These individual pages are reviewed for
adherence to technical standards only. Individual page content is determined by the page
owner, is not reviewed by the university, and is subject to review upon formal complaint
by a responsible party.
Acworth State University assumes no responsibility for, nor does it endorse, the contents
of any personal/individual's World Wide Web page. However, if you believe the content
of an individual's page is offensive, obscene, or inconsistent with the generally accepted
norms for WWW page content, please register a formal complaint by contacting
webmaster@acworth.edu
Acworth State University adopted this policy on October 20, 2002. Send all comments
and questions to: jtweed@acworth.edu
4. Use your library or the Web to find a reported natural disaster that occurred at
least 180 days ago. From the news accounts, determine if local or national officials had
prepared disaster plans and if they were used. See if you can determine how the plans
helped the officials improve the response to the disaster. How do the plans help the
recovery?
On February 14, 2000, tornadoes blasted rural southern Georgia early in the morning,
killing at least 19 people and injuring more than 100 others. The violent weather that hit
southwestern Georgia with at least five tornadoes was part of a storm system that also hit
Arkansas, Tennessee, Mississippi, Alabama and northeastern Florida before moving into
the Carolinas. Thousands of people in the region lost power and Georgia Gov. Roy
Barnes declared a state of emergency.
Emergency shelters were set up in Camilla and Moultrie, the main town in neighboring
Colquitt County. The Red Cross was also sent to the area to provide aid to the victims
and their families, and federal aid was also being dispersed. The area involved did have
an emergency disaster plan to implement upon being notified by the National Weather
Service in case of approaching storms. However, the tornadoes came without warning and
the towns were unable to prepare. All efforts were turned towards recovery and
rebuilding.
Alternate Answer
Earlier this year the Vltava and Elbe rivers flooded many European towns and cities. Due
to the path of these rivers and current economic conditions, these floods occurred in
many countries that greatly differed in economic status. The deaths and damage that
occurred appear to be greatest in countries with weak economies that were ill-prepared
for such an event, such as Romania or the Czech Republic. In comparison, countries with
better-funded and organized response teams such as Germany and Austria had a lower
death and damage toll.
a. A hacker gets into the network and deletes files from a server. - Incident. No
business continuity plan is called into play.
b. A fire breaks out in the storeroom and sets off sprinklers on that floor. Some
computers are damaged, but the fire is contained before it moves out of the area. -
Disaster. No business continuity plan is called into play.
c. A tornado hits a local power company, and the company will be without power for
three to five days. - Disaster. The business continuity plan is called into play.
d. Employees go on strike, and the company could be without critical workers for
weeks. - Disaster. The business continuity plan is called into play.
e. A disgruntled employee takes a critical server home, sneaking it out after hours.
- Incident. No business continuity plan is called into play.
Alternate Answer
a. A hacker gets into the network and deletes files from a server. - This would be
considered an incident unless the deleted files were crucial to the continuation of
the business and the business was unprepared (i.e., without backups), at which
point it would be considered a disaster.
b. A fire breaks out in the storeroom and sets off sprinklers on that floor. Some
computers are damaged, but the fire is contained before it moves out of the area. -
This would be considered an incident.
c. A tornado hits a local power company, and the company will be without power for
three to five days. - This would be considered a disaster where the business
continuity plans would be called into play.
d. Employees go on strike, and the company could be without critical workers for a
week. - This would be considered a disaster where the business continuity plans
would be called into play.
e. A disgruntled employee takes a critical server home, sneaking it out after hours. -
If the server could not be replaced in an acceptable amount of time, this would be
considered a disaster. Depending on the nature of the business, this could call into
play the business continuity plans.
Chapter 6
Review Questions
1. What is the typical relationship among the un-trusted network, the firewall, and the
trusted network?
The un-trusted network is usually the Internet or another segment of public access
network while the trusted network is typically a privately owned network. The firewall
serves as a mechanism to filter traffic from the untrusted network that comes into the
trusted network to gain some assurance that that traffic is legitimate.
2. What is the relationship between a TCP and UDP packet? Will any specific
transaction usually involve both types of packets?
UDP packets are, by design, connectionless. TCP packets usually involve the creation of
a connection from one host computer to another. It would be unusual for a single
transaction to involve both TCP and UDP ports.
3. How is an application layer firewall different from a packet filtering firewall? Why
is an application layer firewall sometimes called a proxy server?
The application layer firewall takes into consideration the nature of the applications that
are being run (the type and timing of the network connection requests, the type and nature
of the traffic that is generated) whereas the packet filtering firewall simply looks at the
packets as they are transferred. The application firewall is also known as a proxy server,
since it runs special software that acts as a proxy for a service request.
receives an incoming packet that it cannot match in its state table, it defaults to its ACL to
determine whether to allow the packet to pass. The primary disadvantage of this type of
firewall is the additional processing required to manage and verify packets against the
state table, which can leave the system vulnerable to a DoS or DDoS attack.
State information is preserved using a state table that looks similar to a firewall rule set
but has additional information. The state table contains the familiar source IP and port,
and destination IP and port, but adds information on the protocol used (i.e., UDP or TCP),
total time in seconds, and time remaining in seconds.
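The following Python program is an added illustration of the lookup order described above; it is not code from the textbook or its answer key. A packet is first matched against the state table (in either direction of the connection); only on a miss does the firewall fall back to its static ACL, which is the same first-match rule evaluation a plain packet filtering firewall performs. Each state entry carries the total time granted and the time remaining, entries are purged when they expire, and a cap on table size is included to show the mitigation for the DoS exposure the answer mentions. The addresses, ports and ACL rows are constructed sample values.

```python
"""Stateful inspection with ACL fallback (added example, not textbook code).
Addresses, ports and the ACL are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """Key for the return direction of the same connection."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class StateEntry:
    total_time: int        # lifetime granted to the connection, in seconds
    time_remaining: int    # seconds left before the entry is purged


class StatefulFirewall:
    def __init__(self, acl, timeout=60, max_entries=1000):
        # ACL rows: (proto, src_ip, dst_ip, dst_port, action); "*" matches anything.
        self.acl = acl
        self.timeout = timeout
        self.max_entries = max_entries   # cap so a flood cannot grow the table without bound
        self.state = {}                  # Packet (5-tuple) -> StateEntry

    def _acl_action(self, pkt):
        """Static first-match rule lookup; implicit deny when nothing matches."""
        for proto, src_ip, dst_ip, dst_port, action in self.acl:
            if (proto in ("*", pkt.proto) and src_ip in ("*", pkt.src_ip)
                    and dst_ip in ("*", pkt.dst_ip) and dst_port in ("*", pkt.dst_port)):
                return action
        return "deny"

    def handle(self, pkt):
        """Return (decision, reason): state-table hit first, ACL only on a miss."""
        for key in (pkt, pkt.reverse()):
            entry = self.state.get(key)
            if entry is not None:
                entry.time_remaining = entry.total_time   # traffic keeps the entry alive
                return "allow", "state"
        action = self._acl_action(pkt)
        if action == "allow":
            if len(self.state) >= self.max_entries:
                return "deny", "state-table-full"
            self.state[pkt] = StateEntry(self.timeout, self.timeout)
        return action, "acl"

    def tick(self, seconds):
        """Advance the clock and purge expired entries; returns how many were removed."""
        for entry in self.state.values():
            entry.time_remaining -= seconds
        expired = [k for k, e in self.state.items() if e.time_remaining <= 0]
        for k in expired:
            del self.state[k]
        return len(expired)


def demo():
    acl = [("tcp", "10.0.0.5", "*", 443, "allow")]   # outbound HTTPS from one host only
    fw = StatefulFirewall(acl, timeout=60)
    out = Packet("tcp", "10.0.0.5", 50000, "203.0.113.10", 443)
    unsolicited = Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 22)
    results = [fw.handle(out), fw.handle(out.reverse()), fw.handle(unsolicited)]
    fw.tick(61)                       # idle longer than the timeout: entry purged
    results.append(fw.handle(out.reverse()))
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The reply packet is allowed by the state table even though no ACL row permits traffic from 203.0.113.10; once the entry has timed out the same reply is denied, which is the behaviour the answer describes.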
6. What is a circuit gateway, and how does it differ from the other forms of firewalls?
The circuit gateway firewall operates at the transport layer. Again, connections are
authorized based on addresses. Like filtering firewalls, circuit gateway firewalls do not
usually look at data traffic flowing between one network and another, but they do prevent
direct connections between one network and another. They accomplish this by creating
tunnels connecting specific processes or systems on each side of the firewall, and then
allow only authorized traffic, such as a specific type of TCP connection for only
authorized users, in these tunnels. A circuit gateway is a firewall component often
included in the category of application gateway, but it is in fact a separate type of
firewall.
7. What special function does a cache server perform? Why is this useful for larger
organizations?
These types of servers can store the most recently accessed pages in their internal cache
memory, and thus can provide content for heavily accessed pages without the level of
traffic required when pages are not cached. Larger organizations often find that just a few
web sites account for a large quantity of traffic and can lower total network traffic
measurably by using a cache server.
8. Describe how the various types of firewalls interact with the network traffic at
various levels of the OSI model.
Packet filtering firewalls scan network data packets looking for compliance with or
violation of the rules of the firewall’s database. Filtering firewalls inspect packets at the
network layer, or Layer 3, of the OSI model. MAC layer firewalls are designed to operate
at the media access control layer (layer 2) of the OSI network model. Application level
firewalls will operate at OSI layers above layer 3, using specific knowledge of various
protocols and applications to make more informed decisions about packet forwarding.
At the present time, there are five generally recognized generations of firewalls, and these
generations can be implemented in a wide variety of architectures.
First Generation. First generation firewalls are static packet filtering firewalls—that is,
simple networking devices that filter packets according to their headers as the packets
travel to and from the organization’s networks.
Third Generation. Third generation firewalls are stateful inspection firewalls, which, as
you may recall, monitor network connections between internal and external systems
using state tables.
Fourth Generation. While static filtering firewalls, such as first and third generation
firewalls, allow entire sets of one type of packet to enter in response to authorized
requests, the fourth generation firewalls, which are also known as dynamic packet
filtering firewalls, allow only a particular packet with a particular source, destination, and
port address to enter.
Fifth Generation. The fifth generation firewall is the kernel proxy, a specialized form that
works under the Windows NT Executive, which is the kernel of Windows NT.
Most modern firewalls combine features from more than one generation.
12. Explain the basic technology that makes residential/SOHO firewall appliances
effective in protecting a local network. Why is this usually adequate for protection?
Network Address Translation (NAT) assigns non-routable local addresses to the computer
systems in the local area network and uses the single ISP-assigned address to
communicate with the Internet. Since the internal computers are not visible to the public
network, they are much less likely to be scanned or compromised.
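As an added illustration (not part of the textbook or its answer key), the Python class below simulates the port address translation a SOHO appliance performs: each outbound flow from a private address is mapped to a distinct port on the single public address, replies are translated back only when they come from the peer the internal host contacted, and any packet for which no mapping exists has nowhere to go and is dropped. That last case is why an external scan of the public address does not reach the internal systems. The private and public addresses are constructed sample values.

```python
"""Port address translation (added example, not textbook code).
Private and public addresses are constructed sample values."""


class NatGateway:
    """Many private hosts share one public IP; flows are told apart by public port."""

    def __init__(self, public_ip, first_port=40000, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.by_flow = {}      # (int_ip, int_port, ext_ip, ext_port) -> public port
        self.by_port = {}      # public port -> (int_ip, int_port, ext_ip, ext_port)

    def outbound(self, int_ip, int_port, ext_ip, ext_port):
        """Rewrite the source of an outgoing packet; allocate a mapping on first use."""
        flow = (int_ip, int_port, ext_ip, ext_port)
        pub_port = self.by_flow.get(flow)
        if pub_port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("translation table exhausted")
            pub_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = pub_port
            self.by_port[pub_port] = flow
        return (self.public_ip, pub_port, ext_ip, ext_port)

    def inbound(self, ext_ip, ext_port, pub_port):
        """Return the internal (ip, port) for a packet arriving at the public address,
        or None when it must be dropped: no mapping, or the sender is not the peer
        the internal host actually contacted."""
        flow = self.by_port.get(pub_port)
        if flow is None:
            return None
        int_ip, int_port, mapped_ip, mapped_port = flow
        if (ext_ip, ext_port) != (mapped_ip, mapped_port):
            return None
        return (int_ip, int_port)


def demo():
    nat = NatGateway("203.0.113.5")
    a = nat.outbound("192.168.1.10", 51000, "198.51.100.80", 80)   # first mapping: port 40000
    b = nat.outbound("192.168.1.11", 51000, "198.51.100.80", 80)   # same private port, new public port
    reply = nat.inbound("198.51.100.80", 80, 40001)                 # routed back to 192.168.1.11
    probe = nat.inbound("203.0.113.200", 4444, 22)                  # no mapping: dropped
    spoof = nat.inbound("203.0.113.200", 80, 40000)                 # wrong peer: dropped
    return a, b, reply, probe, spoof


if __name__ == "__main__":
    for item in demo():
        print(item)
```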
13. What key features point to the superiority of residential/SOHO firewall appliances
over personal computer-based firewall software?
When the protective control fails, the appliance will most often fail in a safe mode, while
the software is likely to stop working, leaving the protected system vulnerable.
14. How do screened host architectures for firewalls differ from screened subnet
firewall architectures? Which of these offers more security for the information
assets that remain on the trusted network?
In fact, they operate in much the same way. The specialized design of the screened subnet
is perceived to offer more security for the trusted network.
16. What is a DMZ? Is this really an appropriate name for the technology, considering
the function this type of subnet performs?
It is named for the security buffer often found after an armed conflict. In fact it is a poor
name, since the network segment so named is often home to the most heavily armored
systems the organization can prepare.
17. What are the questions that must be addressed when selecting a firewall for a
specific organization?
1. What type of firewall technology offers the right balance between protection and cost for
the needs of the organization?
2. What features are included in the base price? What features are available at extra cost?
Are all cost factors known?
3. How easy is it to set up and configure the firewall? How accessible are the staff
technicians who can competently configure the firewall?
4. Can the candidate firewall adapt to the growing network in the target organization?
19. What is a content filter? Where is it placed in the network to gain the best result for
the organization?
A content filter is a software filter—technically not a firewall—that allows administrators
to restrict access to content from within a network. It is essentially a set of scripts or
programs that restricts user access to certain networking protocols and Internet locations,
or restricts users from receiving general types or specific examples of Internet content.
Some refer to content filters as reverse firewalls, as their primary focus is to restrict
internal access to external material.
To gain the best result, it should be placed on the primary connection used to gain access
to the Internet.
20. What is a VPN? What are some reasons why it is widely popular in many
organizations?
A Virtual Private Network (VPN) is a private and secure network connection between
systems that uses the data communication capability of an unsecured and public network.
VPNs are popular since they are simple to set up and maintain and usually require only
that the tunneling points be dual-homed—that is, connecting a private network to the
Internet or to another outside connection point. There is VPN support built into most
Microsoft server software, including NT and 2000, as well as client support for VPN
services built into XP. While true private network services connections can cost hundreds
of thousands of dollars to lease, configure, and maintain, a VPN can cost next to nothing.
Exercises
1. Using the Web, search for “software firewalls.” Examine the various alternatives
available and compare their functionality, cost, features, and type of protection.
Create a weighted ranking according to your own evaluation of the features and
specifications of each software package.
Will vary by class.
2. Using Figure 6-14, create rule(s) necessary for both the internal and external
firewalls to allow a remote user to access an internal machine from the Internet
using the software Timbuktu. This requires researching the ports used by this
software packet.
Exact rules will vary, but the following information is necessary: Timbuktu uses UDP
407 and 1419 for connection setup and handshaking, TCP 1417 for send commands,
TCP 1418 for view screen, TCP 1419 for send file, and TCP 1420 for receive file.
3. Using Figure 6-15, suppose management wants to create a “server farm” that is
configured to allow a proxy firewall in the DMZ to access an internal Web server
(rather than a Web server in the DMZ). Do you foresee any technical difficulties in
deploying this architecture? What advantages and disadvantages are there to this
implementation?
Placing the Web servers containing critical data inside the network and using proxy
services from a DMZ (screened network segment) is a good solution. This protects
the Web servers themselves from compromise, and places proxies in the DMZ to carry
requests. This also accomplishes two things: it allows HTTP traffic to reach the Web server,
and it prevents non-HTTP traffic from reaching the Web server.
Advantages: Screens Web server from external attacks and non-Web traffic
Disadvantages: Slows Web response time, and increases traffic through the internal firewall.
In Internet Explorer, click Internet Options on the Tools menu. Click the Content tab.
Under Content Advisor, click Enable to open the Content Advisor dialog box.
(source: http://support.microsoft.com/kb/310401)
b) You can configure your privacy settings in Internet Explorer 6 by clicking Internet
Options on the Tools menu, and then clicking the Privacy tab.
NOTE: An administrator can customize your privacy settings and remove the Privacy tab
from the interface in the Internet Options dialog box. If the Privacy tab is not available,
contact your administrator, or see the "Information for Advanced Users and IT
Professionals" section.
The Privacy settings slider has six settings: Block All Cookies, High, Medium High,
Medium (default level), Low, and Accept All Cookies.
(source: http://support.microsoft.com/kb/283185)
1. What common security system is an IDPS most like? In what ways are these systems
similar?
IDPSs are much like burglar alarms. They both will monitor an area for actions that may
represent a threat and sound an alarm when those actions are detected.
2. How does a false positive alarm differ from a false negative one? From a security
perspective, which is least desirable?
A false positive seems like an alert but is in fact routine activity. A false negative seems
like normal activity and is in fact an alert-level action. From a security viewpoint, false
positives are just a nuisance but false negatives are a failure in the mission of the system.
6. List and describe the three control strategies proposed for IDPS control.
The three commonly utilized control strategies are centralized, partially distributed, and
fully distributed. With a centralized IDPS control strategy all IDPS control functions are
implemented and managed in a central location. Using a fully distributed IDPS control
strategy is the opposite of the centralized strategy. Each monitoring site uses its own
paired sensors to perform its own control functions to achieve the necessary detection,
reaction, and response functions. Thus, each sensor/agent is best configured to deal with
its own environment. In a partially distributed IDPS control strategy the better parts of
the other two strategies are combined. While the individual agents can still analyze and
respond to local threats, their reporting to a hierarchical central facility enables the
organization to detect widespread attacks. This blended approach to reporting is one of
the more effective methods of detecting intelligent attackers, especially those who probe
an organization through multiple points of entry, trying to scope out the systems’
configurations and weaknesses, before they launch a concerted attack.
10. Why do many organizations ban port scanning activities on their internal networks?
Why would ISPs ban outbound port scanning by their customers?
There are few legitimate business reasons that require port scanning, and it is a
high-impact and highly intensive use of network resources. It is most often used by
attackers as a prelude to a concerted attack. ISPs do not want to be liable for the actions
of attackers who may use their network resources.
11. What is an open port? Why is it important to limit the number of open ports a
system has to only those that are absolutely essential?
An open port is a TCP or UDP service port that accepts traffic and responds with services
at that port address. Ports that are not required are often poorly configured and subject to
misuse. Only essential services should be offered on secure networks.
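The following Python program is an added example, not code from the textbook or its answer key, of how an IDPS on the internal network can recognise the scanning activity discussed in questions 10 and 11: it parses connection-log lines and flags any source that touches many distinct ports on one host within a short window, which is what distinguishes a sweep from ordinary use of a few open ports. The log format and the sample lines are constructed for the example.

```python
"""Port-scan detection over connection-log lines (added example, not textbook code).
The log format and the sample lines are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"-> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: 10.0.0.5 uses a couple of services normally;
# 10.0.0.99 walks through eight ports on the same host in three seconds.
SAMPLE_LOG = """\
2004-12-07T10:00:00 tcp 10.0.0.5:50001 -> 10.0.0.20:443
2004-12-07T10:00:02 tcp 10.0.0.5:50002 -> 10.0.0.20:443
2004-12-07T10:00:05 tcp 10.0.0.5:50003 -> 10.0.0.20:80
2004-12-07T10:01:00 tcp 10.0.0.99:40001 -> 10.0.0.20:21
2004-12-07T10:01:00 tcp 10.0.0.99:40002 -> 10.0.0.20:22
2004-12-07T10:01:01 tcp 10.0.0.99:40003 -> 10.0.0.20:23
2004-12-07T10:01:01 tcp 10.0.0.99:40004 -> 10.0.0.20:25
2004-12-07T10:01:02 tcp 10.0.0.99:40005 -> 10.0.0.20:80
2004-12-07T10:01:02 tcp 10.0.0.99:40006 -> 10.0.0.20:110
2004-12-07T10:01:03 tcp 10.0.0.99:40007 -> 10.0.0.20:135
2004-12-07T10:01:03 tcp 10.0.0.99:40008 -> 10.0.0.20:139
2004-12-07T10:30:00 tcp 10.0.0.5:50004 -> 10.0.0.20:22
"""


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def detect_scans(events, window=10, threshold=5):
    """Flag (src, dst) pairs that touch >= threshold distinct destination ports
    inside any `window`-second interval. Returns sorted (src, dst, ports) tuples."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window` seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            distinct = {e["dport"] for e in evs[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            alerts.append((src, dst, peak))
    return sorted(alerts)


if __name__ == "__main__":
    for src, dst, ports in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"possible port scan: {src} -> {dst}, {ports} distinct ports")
```

The threshold and window are tuning knobs: a host that legitimately talks to several services over a day never accumulates many distinct ports within ten seconds, so the normal traffic in the sample produces no alert.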
service being offered and evaluates the security of that service, perhaps by compromising
the service. When an improperly configured or weak service port is found, it can be
removed or repaired to reduce risk.
13. What is the difference between active and passive vulnerability scanners?
An active scanner will initiate network traffic to find and evaluate service ports. A passive
scanner uses traffic from the target network segment to evaluate the service ports
available from hosts on the network segment.
14. What kind of data and information can be found using a packet sniffer?
All network traffic that is visible on the network connection of the packet sniffer is
visible. If the data in such packets is not encrypted, all contents are also viewable.
16. What is biometric authentication? What does the term biometric mean?
Biometric authentication encompasses a set of technical means that measure one or
more physical characteristics in order to verify a person’s identity. Biometric literally
means “life measurement,” that is, measuring the characteristics of the person requesting
access.
17. Are any biometric recognition characteristics considered more reliable than others?
Which are the most reliable?
Yes, each characteristic has a known degree of reliability. Among the most reliable are
retina, fingerprint and iris recognition.
18. What is a false reject rate? What is a false accept rate? What is their relationship to
the crossover error rate?
The false reject rate is the percentage or rate at which supplicants who are authentic
users are denied or prevented access to authorized areas as a result of a failure in the
biometric device. This error rate is also known as a Type I error. The false accept rate is
the percentage or rate at which supplicants who are not legitimate users are allowed
access to systems or areas as a result of a failure in the biometric device. This error rate
is also known as a Type II error. This
type of error is unacceptable to security professionals, as it represents a clear breach of
access. The crossover error rate (CER) is the level at which the number of false rejections
equals the false acceptances, also known as the equal error rate. This is possibly the most
common and important overall measure of the accuracy of a biometric system.
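The Python program below is an added worked example (not from the textbook or its answer key) that computes the three rates from a set of matcher scores. A device accepts a supplicant when the match score reaches a threshold; raising the threshold lowers the false accept rate (Type II) at the cost of a higher false reject rate (Type I), and the crossover error rate is found by sweeping the threshold until the two rates meet. The genuine and impostor score lists are constructed sample data.

```python
"""FRR, FAR and crossover error rate from biometric match scores.
Added example, not textbook code; the score lists are constructed sample data."""

# Constructed matcher scores in [0, 1]: genuine attempts should score high,
# impostor attempts low. The device accepts when score >= threshold.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.84, 0.93, 0.72, 0.89, 0.97, 0.81]
IMPOSTOR_SCORES = [0.31, 0.45, 0.52, 0.38, 0.61, 0.27, 0.74, 0.49, 0.33, 0.56]


def false_reject_rate(genuine, threshold):
    """Type I error: share of legitimate users turned away at this threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def false_accept_rate(impostor, threshold):
    """Type II error: share of impostors let in at this threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover_error_rate(genuine, impostor, steps=100):
    """Sweep thresholds 0..1 and return the point where FRR and FAR are closest
    (the crossover / equal error rate), together with the rates there."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr = false_reject_rate(genuine, t)
        far = false_accept_rate(impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best["gap"]:
            best = {"threshold": t, "frr": frr, "far": far, "gap": gap}
    best["cer"] = (best["frr"] + best["far"]) / 2
    return best


def error_table(genuine, impostor, thresholds=(0.5, 0.7, 0.9)):
    """(threshold, FRR, FAR) rows showing the trade-off as the threshold is raised."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds]


if __name__ == "__main__":
    for t, frr, far in error_table(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}: FRR {frr:.2f}  FAR {far:.2f}")
    cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer['cer']:.2f} at threshold {cer['threshold']:.2f}")
```

With the sample data, a strict threshold of 0.9 admits no impostor but rejects six of ten genuine users, while the crossover falls near 0.73 where both rates are 10%; a security-focused deployment would sit above the crossover, accepting more false rejects to keep the Type II error down.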
19. What is the most widely accepted biometric authorization technology noted in the
text? Why do you think this technology is so acceptable to users?
Keystroke pattern recognition. It is the least invasive.
20. What is the most effective biometric authorization technology noted in the text?
Why do you think this technology is deemed to be most effective by security
professionals?
Retina pattern recognition. It is the most reliable and the most secure.
Exercises
1. A key feature of hybrid IDPS systems is event correlation. After researching event
correlation online, define the following terms as they are used in this process:
compression, suppression, and generalization.
Compression is the degree to which redundant or inconsequential data can be removed to
compress the resulting dataset. Suppression is the ability of a correlation engine to
suppress false positive triggers from raising an unwarranted alarm. Generalization is the
ability to extrapolate a known exploit signature into a general purpose alert.
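The Python program below is an added illustration of the three terms defined above, not code from the textbook or its answer key. It runs a batch of raw sensor alerts through suppression (known benign triggers are dropped), compression (identical alerts collapse into one record with a count) and generalization (specific signatures roll up into a general-purpose alert per source), so the analyst sees two correlated events instead of seven raw ones. The alerts, the suppression rule and the signature-to-class table are constructed sample data; 10.0.0.2 is assumed to be a monitoring host whose sweeps are expected.

```python
"""Event correlation stages: suppression, compression, generalization.
Added example, not textbook code; alerts and tables are constructed sample data."""
from collections import Counter, OrderedDict

# Constructed raw sensor alerts (signature, source, destination), in arrival order.
RAW_ALERTS = [
    ("SSH brute force", "198.51.100.7", "10.0.0.20"),
    ("ICMP echo sweep", "10.0.0.2", "10.0.0.20"),
    ("SSH brute force", "198.51.100.7", "10.0.0.20"),
    ("Nmap SYN scan", "203.0.113.9", "10.0.0.20"),
    ("ICMP echo sweep", "10.0.0.2", "10.0.0.20"),
    ("SSH brute force", "198.51.100.7", "10.0.0.20"),
    ("SMB probe", "203.0.113.9", "10.0.0.21"),
]

# Suppression rules: (signature, source) pairs known to be benign
# (10.0.0.2 is the assumed monitoring host that legitimately sweeps the subnet).
SUPPRESS_RULES = [("ICMP echo sweep", "10.0.0.2")]

# Generalization table: specific signature -> general-purpose alert class.
GENERAL_CLASS = {
    "SSH brute force": "credential-attack",
    "Nmap SYN scan": "reconnaissance",
    "SMB probe": "reconnaissance",
}


def suppress(alerts, rules):
    """Drop alerts whose (signature, source) pair is a known false-positive trigger."""
    blocked = set(rules)
    return [a for a in alerts if (a[0], a[1]) not in blocked]


def compress(alerts):
    """Collapse repeated identical alerts into one record carrying a count."""
    counts = Counter(alerts)   # dict order is first-seen order (Python 3.7+)
    return [(sig, src, dst, n) for (sig, src, dst), n in counts.items()]


def generalize(compressed, table):
    """Roll compressed alerts up into one general alert per (class, source),
    so several specific probes from one source become a single recon event."""
    rolled = OrderedDict()
    for sig, src, dst, n in compressed:
        key = (table.get(sig, "unclassified"), src)
        rolled[key] = rolled.get(key, 0) + n
    return [(cls, src, n) for (cls, src), n in rolled.items()]


def correlate(alerts):
    """Full pipeline: suppression, then compression, then generalization."""
    return generalize(compress(suppress(alerts, SUPPRESS_RULES)), GENERAL_CLASS)


if __name__ == "__main__":
    for cls, src, n in correlate(RAW_ALERTS):
        print(f"{cls:<18} from {src:<14} ({n} raw alerts)")
```

The order matters: suppressing before compressing keeps the monitoring host's sweeps from inflating counts, and generalizing last is what lets the two different probe signatures from 203.0.113.9 be reported together.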
2. ZoneAlarm is a PC-based firewall and IDPS tool. Visit the product manufacturer at
www.zonelabs.com, and find the product specification for the IDPS features of
ZoneAlarm. Which of the ZoneAlarm products offer these features?
ZoneAlarm Pro and ZoneAlarm Security Suite include IDPS features (as of 12/07/2004).
3. Using the Internet, search for commercial IDPS systems. What classification systems
and descriptions are used, and how can these be used to compare the features and
components of each IDPS? Create a comparison spreadsheet identifying the
classification systems you find.
Answer will vary for each student.
4. Use the Internet to find vendors of thumbprint and iris scanning tools. Which of
these tools is more economical? Which of these is least intrusive?
Answer will vary for each student.
5. There are several online passphrase generators available. Locate at least two of
them on the Internet, and try them out. What did you observe?
Answer will vary for each student.
Due to the number of keys involved in asymmetric encryption, it is not as efficient to use
as symmetric encryption in terms of CPU computations and key management.
8. How does Public Key Infrastructure protect information assets?
By making the use of cryptographic systems more convenient.
9. What are the components of PKI?
A certificate authority (CA), which issues, manages, authenticates, signs, and revokes
users’ digital certificates, which typically contain the user’s name, public key, and other
identifying information.
A registration authority (RA), which operates under the trusted collaboration of the
certificate authority and can be delegated day-to-day certification functions, such as
verifying registration information about new registrants, generating end-user keys,
revoking certificates, and validating that users possess a valid certificate.
Certificate directories, which are central locations for certificate storage that provide
a single access point for administration and distribution.
Management protocols, which organize and manage the communications between CAs,
RAs, and end users. This includes the functions and procedures for setting up new users,
issuing keys, recovering keys, updating keys, revoking keys, and enabling the transfer of
certificates and status information among the parties involved in the PKI’s area of
authority.
Policies and procedures that assist an organization in the application and management of
certificates, the formalization of legal liabilities and limitations, and actual business
practice use.
10. What is the difference between digital signatures and digital certificates?
A digital certificate binds a public key to an identity (name, organization, validity period, and other identifying information) and is itself signed by a certificate authority; it answers the question "whose key is this?" A digital signature is a message digest encrypted with the signer's private key and attached to the message; anyone holding the signer's public key can verify that the message is unchanged and came from that signer, which provides integrity, authentication, and non-repudiation. A certificate is therefore typically used to validate the public key that verifies a signature.
11. What drawbacks to symmetric and asymmetric encryption are resolved by using a
hybrid method like Diffie-Hellman?
Symmetric encryption is fast but requires both parties to share a secret key, which otherwise has to be delivered out of band; asymmetric encryption removes that problem but is too slow for bulk data. A hybrid scheme such as Diffie-Hellman key exchange lets the parties agree on a fresh symmetric session key over an insecure channel and then use fast symmetric encryption for the data, so no out-of-band key exchange is needed. Basic Diffie-Hellman is unauthenticated, however; it must be combined with digital signatures or certificates, or an attacker who can intercept traffic can mount a man-in-the-middle attack.
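The following Python program, added here as a worked example (it is not code from the textbook or from this manual), carries out the Diffie-Hellman exchange described in the answer above using only the standard library: each side sends one public value in the clear, both derive the same HKDF session key, and a second function shows the man-in-the-middle problem that digital signatures and certificates (questions 8 through 10) exist to solve. The 1024-bit modulus is the RFC 2409 Oakley Group 2 prime, transcribed from memory for a self-contained demo; verify it against the RFC before reusing it, and in production use a 2048-bit or larger group or X25519. The party names and the HKDF `info` string are arbitrary choices for the demo.

```python
"""Diffie-Hellman key agreement with only the Python standard library.

Added example, not from the textbook or the solutions manual.  It shows
(1) why no out-of-band key exchange is needed: Alice and Bob derive the
same symmetric session key from values sent in the clear, and (2) the
caveat from the answer above: without signatures or certificates the
exchange is unauthenticated, so a man-in-the-middle ends up sharing a key
with each side."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley Group 2), generator 2.
# ASSUMPTION: transcribed from memory for a self-contained demo; verify
# against the RFC before reuse, and use >= 2048-bit groups or X25519 in
# real systems.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEY_LEN = 32


class Party:
    """One endpoint: a private exponent and the public value g^x mod p."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1   # x in [1, p-2]
        self.pub = pow(G, self.priv, P)            # safe to send in the clear

    def shared_secret(self, peer_pub: int) -> int:
        # Reject 0, 1 and p-1: they force the shared secret into a tiny subgroup.
        if not 2 <= peer_pub <= P - 2:
            raise ValueError("invalid peer public value")
        return pow(peer_pub, self.priv, P)


def hkdf_sha256(ikm: bytes, info: bytes, length: int = KEY_LEN, salt: bytes = b"") -> bytes:
    """HKDF extract-then-expand (RFC 5869) built from hmac/hashlib."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_key(shared: int) -> bytes:
    """Never use the raw DH result as a key; run it through a KDF first."""
    raw = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hkdf_sha256(raw, b"demo session key v1")


def honest_exchange():
    """Alice and Bob each send only their public value and derive the same key."""
    alice, bob = Party("alice"), Party("bob")
    return session_key(alice.shared_secret(bob.pub)), session_key(bob.shared_secret(alice.pub))


def mitm_exchange():
    """Mallory swaps her own public value into both directions of the exchange."""
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    k_alice = session_key(alice.shared_secret(mallory.pub))   # Alice thinks this is Bob's
    k_bob = session_key(bob.shared_secret(mallory.pub))       # Bob thinks this is Alice's
    k_mallory_a = session_key(mallory.shared_secret(alice.pub))
    k_mallory_b = session_key(mallory.shared_secret(bob.pub))
    return k_alice, k_bob, k_mallory_a, k_mallory_b


if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest exchange, keys match:", ka == kb)
    ka, kb, ma, mb = mitm_exchange()
    print("MITM: Mallory shares a key with Alice:", ka == ma, "and with Bob:", kb == mb)
    print("but Alice and Bob do not share one:", ka != kb)
```

The public-value check in `shared_secret` is the minimum a real implementation needs; TLS and SSH additionally authenticate the public values (with a certificate or a signed transcript), which is exactly what turns the `mitm_exchange` outcome back into the `honest_exchange` one.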
12. What is steganography, and what may it be used for?
Steganography is the practice of hiding a message inside another, innocuous-looking carrier, most commonly in the digital encoding of pictures and graphics (for example in the least-significant bits of pixel values), but also in audio, video, and other files. Unlike encryption, which hides the content of a message, steganography hides the fact that a message exists. This is a concern for the security professional because hidden messages are not easily detected and can carry sensitive information out of the organization, or malicious content into it, past controls that inspect only the visible data.
13. What security protocols are predominantly used in Web-based electronic
commerce?
S-HTTP, SET, SSL, SSH-2, and IPSec. (Of these, SSL has since been superseded by TLS, and S-HTTP and SET are no longer in practical use; TLS is now the protocol that protects almost all Web commerce.)
14. What security protocols are used to protect e-mail?
S/MIME, PEM, and PGP. (PEM is largely historical; S/MIME and PGP/OpenPGP remain in use.)
Exercises
1. Go to a popular online electronic commerce site like Amazon.com. Select several
items for your shopping cart. Go to check out. When you get to the screen that asks for
your credit card number, right-click on the Web browser and select "Properties." What can
you find out about the cryptosystems and protocols in use to protect this transaction?
Each student will prepare a different answer.
Note: current browsers no longer expose this through a right-click "Properties" dialog. Clicking the padlock icon in the address bar shows the site's certificate, and the browser's developer tools (the Security panel) show the TLS version and cipher suite negotiated for the connection.
2. Repeat Exercise 1 on a different Web site. Does this site use similar or different
protocols? Describe them.
Each student will prepare a different answer.
3. Go to the Web site for PGP,
http://www.pgp.com/downloads/desktoptrial/index.html. Download and install the trial
version of PGP. Using PGP and your favorite e-mail program, send a PGP-signed e-mail to
your instructor. What looks different in this e-mail compared to your previous e-mails?
Note: Since publication PGP has changed this Web site. The above URL still redirects to the
download page, but the student should now download the "Desktop Trial Software" instead of the
"freeware version".
5. Search the Web for steganography tools. What do you find? Download and install a
trial version of one of the tools. Embed a text file within an image. In a side-by-side
comparison of the two images, can you tell the difference between the original image and
the image with the embedded file?
Each student will prepare a different answer.
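As an added worked example for question 12 and Exercise 5 (this is not code from the textbook, from this manual, or from any particular steganography tool), the Python program below hides a text payload in the least-significant bits of a grayscale sample buffer and recovers it. No image library is needed: the cover is a constructed 64-by-64 gradient held as raw bytes, so the program runs offline. Every altered sample changes by exactly one, which is why the side-by-side comparison in Exercise 5 reveals nothing, and the `lsb_ones_ratio` helper shows the statistical trace that simple steganalysis looks for. The payload text and the cover pattern are constructed for the demo.

```python
"""Least-significant-bit (LSB) steganography on raw 8-bit samples.

Added example, not from the textbook, this manual, or any vendor tool.
A 4-byte big-endian length header precedes the payload so the extractor
knows where to stop.  Each carrier sample changes by at most 1, so the
stego copy looks identical to the original."""

HEADER_BYTES = 4


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Return a copy of cover whose LSBs carry length || payload."""
    framed = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError(
            f"payload needs {len(framed) * 8} samples, cover has {len(cover)}"
        )
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it to the payload bit
    return bytes(stego)


def _read_bytes(stego: bytes, first_sample: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at first_sample."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[first_sample + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload; refuse buffers whose header cannot be right."""
    if len(stego) < HEADER_BYTES * 8:
        raise ValueError("buffer too small to hold a length header")
    length = int.from_bytes(_read_bytes(stego, 0, HEADER_BYTES), "big")
    if (HEADER_BYTES + length) * 8 > len(stego):
        raise ValueError("length header exceeds buffer; no valid payload")
    return _read_bytes(stego, HEADER_BYTES * 8, length)


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample difference between two equal-length buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_ones_ratio(samples: bytes, count: int) -> float:
    """Fraction of 1s in the first count LSBs.  Natural covers are often
    biased; an embedded ASCII payload pushes this toward roughly 0.5, which
    is the kind of statistical trace simple steganalysis looks for."""
    return sum(s & 1 for s in samples[:count]) / count


# Constructed cover: a 64-by-64 grayscale gradient whose LSB plane is all zero,
# so any 1 bit seen afterwards must have come from the payload.
COVER = bytes(((x + y) // 2) & 0xFE for y in range(64) for x in range(64))
SECRET = b"meet at the loading dock, 02:00"   # constructed payload


if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print("recovered:", extract_lsb(stego))
    print("largest change to any sample:", max_sample_delta(COVER, stego))
    used = (HEADER_BYTES + len(SECRET)) * 8
    print("LSB ones ratio, cover vs stego: %.2f vs %.2f"
          % (lsb_ones_ratio(COVER, used), lsb_ones_ratio(stego, used)))
```

Real tools spread the payload bits across the carrier with a key-derived permutation and often encrypt the payload first, precisely so that the LSB-plane statistics do not give the embedding away as plainly as this straight sequential version does.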
1. What is physical security? What are the primary threats to physical security? How
are they manifested in attacks against the organization?
Physical security addresses the design, implementation, and maintenance of
countermeasures that protect the physical resources of an organization. This means the
physical protection of the people, hardware, and the supporting system elements and
resources associated with the management of information in all its states: transmission,
storage, and processing.
The primary threats to physical security include the following: inadvertent acts - potential
acts of human error or failure, potential deviations in quality of service by service
providers, and power irregularities; deliberate acts – acts of espionage or trespass, acts of
information extortion, acts of sabotage or vandalism, acts of theft, software attacks, and
compromises to intellectual property; acts of God – forces of nature; technical failures –
technical hardware failures or errors and technical software failures or errors; and
management failures – technical obsolescence.
In the physical environment a potential act of human error or failure can be represented
by an employee accidentally spilling coffee on his or her laptop computer. A compromise
to intellectual property can include an employee without an appropriate security
clearance copying a classified marketing plan. A deliberate act of espionage or trespass
could be exemplified by a competitor sneaking into a facility with a camera. Deliberate
acts of sabotage or vandalism can be physical attacks on individuals or property with the
intent to sabotage or deface; deliberate acts of theft are perhaps the most common of
these threats. Examples include employees stealing computer equipment, credentials,
passwords, and laptops. Acts of God include lightning hitting a building and causing a
fire. Quality of service deviations from service providers, especially power and water,
also represent physical security threats. Technical hardware failures or errors and
technological obsolescence both have common examples in physical security.
2. What are the roles of IT, security, and general management with regard to physical
security?
Physical security is designed and implemented in several layers. Each community of
interest in the organization is responsible for components within these layers.
General management: Responsible for the security of the facility in which the
organization is housed and the policies and standards for secure operation. This
includes exterior security, building access, as well as other controls.
IT management and professionals: Responsible for environmental and access
security in technology equipment locations and for the policies and standards of
secure equipment operation. This includes access to server rooms, server room
temperature and humidity controls.
a. Thermal detection systems contain a sophisticated heat sensor that operates in one of
two ways. The first is fixed temperature, where the sensor detects when the ambient
temperature in an area reaches a predetermined level (135-165 degrees Fahrenheit, or
57-74 degrees Celsius). The second is rate of rise, where the sensor detects an unusually
rapid increase in the area temperature within a short period of time.
b. Smoke detection systems are the most common means of detecting a potentially
dangerous fire, and they are required by building codes in most residential dwellings and
commercial buildings. There are three types: photoelectric sensors, which project an
infrared beam across an area and detect when smoke obscures it; ionization sensors,
which contain a small amount of a harmless radioactive material within a detection
chamber and detect the change in current that smoke particles cause; and air-aspirating
detectors, which draw air in through sampling pipes and are used in high-sensitivity areas.
c. A flame detector is a sensor that detects the infrared or ultraviolet light produced by
an open flame.
The most commonly used today is the smoke detector.
14. List and describe the four classes of fire described in the text. Does the class of the
fire dictate how to control the fire?
Class A – Fires that involve ordinary combustible fuels such as wood, paper, textiles,
rubber, cloth, and trash. Class A fires are extinguished by agents that interrupt the ability
of the fuel to be ignited. Water and multipurpose dry chemical fire extinguishers are ideal
for these types of fires.
Class B- fires fueled by combustible liquids or gases, such as solvents, gasoline, paint,
lacquer, and oil. Class B fires are extinguished by agents that remove oxygen from the
fire. Carbon dioxide, multipurpose dry chemical fire extinguishers, and halon fire
extinguishers are ideal for these types of fires.
Class C- Fires with energized electrical equipment or appliances. Class C fires are
extinguished with agents that must be non-conducting. Carbon dioxide, multipurpose dry
chemical fire extinguishers, and halon fire extinguishers are ideal for these types of fires.
Class D - Fires fueled by combustible metals, such as magnesium, lithium, and sodium.
Fires of this type require special extinguishing agents and techniques; water and ordinary
extinguishers can make them worse.
Note: students may research and report a new “Class K” designation for cooking oil fires.
15. What is Halon and why is its use restricted?
Halon is an effective gaseous fire suppression agent, introduced in the 1960s.
The problem with Halon is that it is an ozone-depleting substance. Under the Clean Air
Act (CAA), the United States banned the production and import of Halons 1211, 1301,
and 2402 beginning January 1, 1994, in compliance with the Montreal Protocol on
Substances that Deplete the Ozone Layer.
16. What is the relationship between HVAC and physical security? What four physical
characteristics of the indoor environment are controlled by a properly designed HVAC
system? What are the optimal temperature and humidity ranges for computing systems?
HVAC is a concern for physical security for several reasons. The first is temperature:
it must be controlled because electronic equipment is subject to damage from extreme
temperatures or from rapid changes in temperature. Humidity and static electricity can
also damage electronic equipment. A less obvious reason is that ventilation shafts should
be properly built and maintained (and, where large enough, fitted with barriers) so that a
person cannot climb through them to gain access to secure rooms that contain computers
or data.
The four physical characteristics of the indoor environment that are controlled by a
properly designed HVAC are temperature, humidity, static and filtration.
The optimal temperature range for computing systems is between 70 and 74 degrees
Fahrenheit and the optimal level of humidity level is between 40 and 60 percent.
17. List and describe the four primary types of UPS systems. Which is the most effective
and the most expensive and why?
A UPS (uninterruptible power supply) is a backup power source for major computer
systems. The four basic configurations of UPS are: (1) the standby or offline UPS, an
offline battery backup that detects the interruption of utility power and switches the load
to the battery; (2) the ferroresonant standby UPS, also an offline design, in which a
ferroresonant transformer conditions the utility power and buffers the transition to the
battery, reducing the impact of switch time; (3) the line-interactive UPS, in which the
inverter/converter is always in the circuit, conditioning utility power and charging the
battery, so the switch to battery is much faster; and (4) the true online UPS, which works
in the opposite fashion from a standby UPS: the battery, charged continuously from utility
power, is the primary power source and the inverter always feeds the load. The true online
UPS is the most expensive and the most effective, because it gives the system a constant,
conditioned feed that eliminates power problems such as surges, sags, and brownouts, and
a power failure does not affect the computer system at all for as long as the batteries hold
out.
18. What two critical factors are impacted when water is not available in a facility?
Why are these factors important to the operation of the organization’s information assets?
Fire-safety and air conditioning. If fire safety systems are not in place, no humans can
occupy the building (under most fire codes). A/C is needed for continued operation of
most computer equipment.
19. List and describe the three fundamental ways that data can be intercepted. How
does a physical security program protect against each of these data interception methods?
Three methods of data interception are (1) direct observation, in which an individual is
close enough to the information (a screen, a printout, a whiteboard) to read it and breach
confidentiality; (2) interception of data transmission, which can be done in several ways,
such as with sniffer software or by tapping into a LAN cable; and (3) electromagnetic
interception, in which an individual eavesdrops on the electromagnetic signals that cables
and equipment emit. Data interception is part of physical security because the
countermeasures are physical. Direct observation is countered by controlling who can enter
areas where information is displayed, positioning screens away from windows and doorways,
using privacy filters, and clean-desk practices. Transmission interception is countered by
physically securing wiring closets, patch panels, and cable runs (locked closets, conduit,
and fiber where feasible) so that taps cannot be placed. Electromagnetic interception is
countered by shielding cables and rooms, controlling how close an eavesdropper can
approach, and, where warranted, TEMPEST-rated equipment.
Exercises
1. Assume that your organization is planning to have a server room that functions
without human beings—in other words, the functions are automated (such a room is often
called a lights-out server room). Describe the fire control system(s) you would install in that
room.
An automatic fire detection system would certainly be the best choice for a lights-out
server room in the data center, where no human beings are physically present to notice a
fire.
As for the type of fire detection system, I would opt for a very sensitive system such as
an air-aspirating detector, since the server room is a high-sensitivity area where critical
devices are housed. This system works by drawing in air, filtering it, and moving it through
a chamber containing a laser beam; if the beam is scattered or refracted by smoke particles,
the system is activated. Because it samples the air continuously it gives much earlier
warning than a spot smoke detector.
Another key element is the type of fire suppressant to adopt. Here it is very important to
consider the class of fire that must be fought. Class C covers fires involving energized
electrical equipment, which must be extinguished with non-conducting agents. Since this is
the class of fire a server room is exposed to, attention should focus on a gaseous
suppression system using a clean agent (as Halon was before its production was banned).
Clean agents leave no residue and do not interfere with the operation of electrical or
electronic equipment, so the servers can be restarted after a discharge. Alternative clean
agents (even if reported to be less effective than Halon) are FM-200, Inergen, carbon
dioxide, and FE-13 (one of the newest and safest variations of the commonly used clean
agents). Note that carbon dioxide at extinguishing concentrations is lethal to people, so
even a lights-out room needs a pre-discharge alarm and a delay or abort switch for the
maintenance staff who may occasionally be inside.
2. Assume you have converted part of a former area of general office space into a
server room. Describe the factors you would consider for each of the following topics:
Walls and doors
Access control
Fire detection
Fire suppression
Heating, ventilating, and air conditioning
Power quality and distribution
ANSWER:
a. Walls and doors
The construction of a facility's walls and doors can itself compromise the security of
information assets. In a high-security area such as a server room, the walls should be
fire-rated and run slab to slab (a wall that stops at the drop ceiling can be climbed over),
and the doors should be solid, fire-rated, and fitted with mechanical or electromechanical
locks.
b. Access control
For physical security, a secure facility is a location that has been engineered with a
number of controls designed to minimize the risk of attack from physical threats. An
organization should layer as many of these controls as is practical to secure a server
room. Typical physical security controls include:
Walls, fencing, and gates: Deter unauthorized access to the facility
Guards: Evaluate each situation as it arises and make reasoned responses
Dogs: Detect intrusions that human guards might miss
ID cards and badges: Authenticate an individual as authorized to access the facility
Locks and keys: Prevent an intruder from gaining access to the secured location
Mantraps: Deny unauthorized entry and trap an intruder in a small enclosure
Electronic monitoring: Record events within a specific area that guards and dogs might miss, or record events in areas where other types of physical controls are not practical
Alarms and alarm systems: Notify the appropriate individual when a predetermined event or activity occurs
Computer rooms and wiring closets: Keep unauthorized individuals away from equipment and cabling
Interior walls and doors: Provide physical security not only from potential intruders but also from fire
c. Fire detection
Either manual or automatic fire detection systems need to be installed. Manual fire
detection relies on human responses, such as calling the fire department or activating a
pull station; sprinklers and gaseous systems are suppression, not detection. Automatic
detection systems include thermal detection systems, smoke detection systems, and flame
detectors. An organization should select among these according to its budget and the
sensitivity of the room; for a server room an early-warning smoke detector such as an
air-aspirating system is the usual choice.
d. Fire suppression
There are a variety of fire suppression systems commonly used in organizations, including
portable extinguishers, manually activated systems, and automatic systems (sprinklers or
gaseous clean-agent systems). For a server room a gaseous system with a non-conducting
clean agent is preferred so that suppression does not destroy the equipment, and at least
one system should be in place in case of emergency.
e. Heating, ventilating, and air conditioning
Since the operation of the heating, ventilation, and air conditioning (HVAC) system can
have a dramatic impact on information systems operations and protection, four areas within
the HVAC system (temperature, filtration, humidity, and static electricity) should be
properly managed.
f. Power quality and distribution
The most critical factor for power systems used by information-processing equipment is
that the power infrastructure be properly installed and correctly grounded. Grounding
ensures that returning current is properly discharged to the ground. In case of a power
outage, an uninterruptible power supply (UPS) provides backup power for major computer
systems.
Another important aspect of power management is the ability to stop power immediately. A
server room should be equipped with an emergency power shutoff, usually a large red
button, prominently placed so that it can be reached quickly, with an accident-proof cover
to prevent unintentional use.
3. Assume you have been asked to review the power needs for a standalone computer
system which processes important but noncritical data and does not have to be online at all
times, and which stores valuable data that could be corrupted if the power system were
suddenly interrupted. Which UPS features are most important to such a system? Which
type of UPS do you recommend for this system?
There are four basic configurations of UPS: standby, ferroresonant standby,
line-interactive, and true online. The factors that distinguish them include switch time,
the amount of power the UPS can supply, and cost. Switch time is the time the UPS takes to
activate its transfer switch when utility power fails. The wattage needed to keep the
equipment running for the required period should be calculated precisely so that a UPS
matching the organization's needs can be selected. Finally, the more sophisticated the
UPS, the more costly it becomes, so the best practice is to select the smallest UPS that
provides the needed support. In this scenario the system does not have to be online at
all times, so the features that matter most are a switch time short enough that the system
rides through the transfer without a crash, and enough capacity to allow an orderly
shutdown that protects the stored data; a ferroresonant standby UPS would be the best
selection among the available configurations.
4. Using a floor plan from a building you are familiar with, design an electronic
monitoring plan that includes closed-circuit television, burglar alarms with appropriate
sensors, fire detectors, and suppression and access controls for key entrances.
Solution will be location and situation dependent.
5. Define the required wattage for a UPS for the following systems:
a. Monitor: 2 amps; CPU: 3 amps; printer: 3 amps
b. Monitor: 3 amps; CPU: 4 amps; printer: 3 amps
c. Monitor: 3 amps; CPU: 4 amps; printer: 4 amps
Assuming operation in USA at standard voltage of 120volts at 60 Hz:
a. (2 * 120) + (3 * 120) + (3 * 120) = 960 Watts
b. (3 * 120) + (4 * 120) + (3 * 120) = 1,200 Watts
c. (3 * 120) + (4 * 120) + (4 * 120) = 1,320 Watts
Search the Web for a UPS that provides the wattage necessary to run the systems
above for at least 15 minutes during a power outage.
Vendors generally rate a UPS in volt-amperes (VA, apparent power) and quote runtime at a
given load rather than in VA-hours, but VA-hours (VA multiplied by hours) are a convenient
way to compare the products students find: a unit that can deliver 200 VA-hours will
support 800 VA for 15 minutes (1/4 hour). The calculations above assume a power factor of
1.0, so that 1 W equals 1 VA; real PC power supplies have a lower power factor, so the VA
figure should be divided by the equipment's power factor and sized with some headroom.
Under the 1.0 assumption, the minimum VA-hour ratings for UPS units that meet the
requirement are:
a. 240 VA hours
b. 300 VA hours
c. 330 VA hours
expenses for the task, subtask, or action item (a recovery charge for staff time for
some organizations, for example, or contract or consulting time for others).
7. Identification of task interdependencies. Planners should note wherever possible
the dependencies of other tasks or action steps on the task or action step at hand.
The tasks or action steps that come before the specific task at hand are called
predecessors. Those tasks or action steps that come after the task at hand are
called successors.
8. How does a planner know when a task has been subdivided to an adequate degree
and can be classified as an action step?
When the task can be completed by one individual or skill set and when it includes a
single deliverable.
9. What is a deliverable? Name two uses for deliverables.
A deliverable is a completed document or program module that can serve either as the
beginning point for a later task or become an element in the finished project.
It is always good practice to ask the individuals who are most familiar with the work or
familiar with similar types of work to make the estimates. Then, all individuals assigned
to action steps should review the estimated effort hours, understand the tasks, and agree
with the estimates.
15. Within project management, what is a dependency? What is a predecessor? What is
a successor?
A dependency is a relationship between a task or action step where one is dependent on
the completion of the other for the task to begin.
A predecessor is a task or action step that precedes the one at hand.
A successor is a task or action step that comes after the one at hand.
16. What is a negative feedback loop? How is it used to keep a project in control?
It is a process to manage a project to completion. The measured results are compared to
the expected results. When a significant deviation occurs, corrective action is taken to
bring the task that is deviating from plan back into compliance with the projection, or else
the estimate is revised in light of the new information.
17. When a task is not meeting the plan, what two circumstances are likely to be
involved?
The two likely circumstances when a task is not meeting the plan are that the estimate for
the task was flawed or that performance of the task has lagged. Corrective action needs to
be taken in either case.
18. List and describe the four basic conversion strategies (as described in the chapter)
that are used when converting to a new system. Under which circumstances is each of these
the best approach?
Direct changeover: Also known as going “cold turkey,” a direct changeover involves
stopping the old method and beginning the new. This could be as simple as having
employees follow the existing procedure one week, and then use a new procedure the
next. Some cases of direct changeover are simple, such as a change that involves
requiring employees to use a new password (which uses a stronger degree of
authentication) beginning on an announced date; some may be more complex, such as
requiring the entire company to change procedures when the network team disables an
old firewall and activates a new one. The primary drawback to the direct changeover
approach is that if the new system fails or needs modification, users may be without
services while the system’s bugs are worked out. Complete testing of the new system in
advance of the direct changeover helps to reduce the probability of these problems.
Phased implementation: A phased implementation is the most common conversion
strategy and involves rolling out a piece of the system across the entire organization. This
could mean that the security group implements only a small portion of the new security
profile, giving users a chance to get used to it and resolving small issues as they arise.
This is usually the best approach to security project implementation. For example, if a
new VPN solution that employees can use to connect to the organization’s network while
they’re traveling is to be introduced, then each week one department might be added to
the group allowed to use the new VPN, and this process would continue until all
Exercises
1. Create a first draft of a WBS from the scenario below. Make assumptions as needed
based on the section about project planning considerations and constraints in the chapter.
In your WBS, describe the skill sets required for the tasks you have planned.
Scenario
Sequential Label and Supply is having a problem with employees surfing the Web to access
material the company has deemed inappropriate for use in a professional environment. The
technology exists to insert a filtering device in the company Internet connection that blocks
certain Web locations and certain Web content. The vendor has provided you with some
initial information about the filter. The hardware is an appliance that costs $18,000 and
requires a total of 150 effort-hours to install and configure. Technical support on the
appliance costs 18 percent of the purchase price and includes a training allowance for the
year. A software component is needed for administering the appliance that runs on the
administrator’s desktop computer and it costs $550. A monthly subscription provides the
list of sites to be blocked and costs $250 per month. The administrator must spend an
estimated four hours per week for ongoing administrative functions.
Items you should consider:
Your plan requires two sections, one for deployment and another for ongoing operation
after implementation.
The vendor offers a contracting service for installation at $140 per hour.
Your change control process requires a 17-day lead time for change requests.
The manufacturer has a 14-day order time and a 7-day delivery time for this device.
Implementation WBS

| Item | Task | Resources | Start & End Dates | Effort Hours | Capital Expense | Non-Capital Exp. | Dep. |
|---|---|---|---|---|---|---|---|
| 1 | Contact network team to ensure hardware device will work with network infrastructure | Network Engineers | S: 11/25 E: 11/27 | 2 | $0 | $100 | |
| 2 | Purchase Web filter | Network Engineer & Purchasing Group | S: 11/28 E: 12/19 | 1 | $18,000 | $0 | 1 |
| 3 | Purchase technical support contract | Purchasing Group | S: 11/28 E: 12/19 | 1 | $3,240 | $0 | 1 |
| 4 | Purchase additional software components | Purchasing Group | S: 11/28 E: 12/19 | 1 | $800 | $0 | 1 |
| 5 | Submit change request to implement hardware | Change control board | S: 12/19 E: 01/06 | 1 | $0 | $0 | 2 |
| 6 | Send administrator to training on device | Training center and Administrator | S: 01/06 E: 01/10 | 40 | $0 | $0 | 3 |
| 7 | Install hardware and software components | Outside vendors | S: 01/06 E: 01/20 | 150 | $0 | $21,000 | 2, 4 |

Ongoing Support

| Item | Task | Resources | Start & End Dates | Effort Hours | Capital Expense | Non-Capital Exp. | Dep. |
|---|---|---|---|---|---|---|---|
| 1 | Ongoing administration of device | Administrator | Ongoing | 4/week | $0 | $0 | |
| 2 | Monthly subscription | Administrator/Purchasing Group | Ongoing | | $0 | $250/month | |
3. Write a job description for Kelvin Urich, the project manager described in the
opening vignette of this chapter. Be sure to identify key characteristics of the ideal
candidate as well as work experience and educational background. Also, justify why your
job description is suitable for potential candidates of this position.
This job description is suitable for potential candidates of this position because it
describes all aspects that should be thought of when soliciting a new employee for a
position in your organization. For example, this candidate should be able to
communicate with others in the organization before drafting a project together.
Review Questions
Security Technician
The technical qualifications and position requirements for a security technician vary.
Organizations prefer the expert, certified, proficient technician. Regardless of the area,
the particular job description covers some level of experience with a particular hardware
and software package. Sometimes familiarity with a technology secures an applicant an
interview; however, actual experience in using the technology is usually required.
4. What are some of the factors that influence an organization’s information security
hiring decisions?
When hiring information security professionals, organizations frequently look for
individuals who understand:
How an organization operates at all levels
Information security is usually a management problem and is seldom an
exclusively technical problem
How to work with people, and have strong communication and writing skills
The roles of policy and education and training
The threats and attacks facing an organization
How to protect the organization from attacks
How business solutions can be applied to solve specific information security
problems
Many of the most common mainstream IT technologies as generalists
The terminology of IT and information security
Each candidate for the position must have a wide range of knowledge to bring to the
organization’s security sector.
1. Definers – develop the product and technical architectures and do consulting and
risk assessment.
2. Builders – create and install security solutions.
3. Administrators – operate and administer the security tools and the security
monitoring, and try to continuously improve processes.
5. What general attributes do organizations seek in a candidate when hiring
information security professionals across all positions? Prioritize the list and justify your
ranking.
Many organizations look for a technically qualified information security generalist, with
a solid understanding of how an organization operates. When hiring information security
professionals, organizations will look for the following attributes in the order of
importance.
Organizations will seek an individual who understands:
How to protect the organization from information security attacks
The terminology of IT and information security; this is the basis for subsequent
knowledge and skill needed for the specific positions.
The threats facing an organization and how these threats can become attacks
Most mainstream IT technologies (not necessarily as experts, but as generalists)
How an organization operates at all levels
That information security is usually a management problem and is seldom an
exclusively technical problem
How to work with people and collaborate with end-users, and have strong
communication and writing skills
The role of policy in guiding security efforts, and the role of education and
training in making the user part of the solution, rather than part of the problem
How business solutions (including technology-based solutions) can be applied to
solve specific information security problems
6. What are the critical considerations when dismissing an employee? Do these change
based on whether the departure is friendly or hostile or according to which position the
employee is departing from?
When an employee prepares to leave an organization, the following tasks must be
performed:
Access to the organization’s systems must be disabled
Removable media must be returned
Hard drives must be secured
File cabinet locks must be changed
Office door lock must be changed
Keycard access must be revoked
Personal effects must be removed from the organization’s premises
In reality, most employees are allowed to clean out their own offices and collect their
personal belongings, and simply asked to return their keys. From a security standpoint,
these procedures would be considered risky and lax, for they expose the
organization’s information to disclosure and theft. To minimize such risks, an
organization should ideally have security-minded termination procedures that are
followed consistently—in other words, they are followed regardless of what level of trust
the organization had placed in the employee and what the level of cordiality is generally
maintained in the office environment. But this kind of universally consistent approach is
a difficult and awkward practice to implement (which is why it’s not often applied).
Given the realities of workplaces, the simplest and best method for handling the out-
processing of an employee may be to select, based on the employee’s reasons for leaving,
one of the scenarios that follows.
The key qualifications of the security manager include the ability to draft middle- and
lower-level policies, standards, and guidelines. The security manager often holds a
CISSP, but it is not required. The security manager is required to have experience in
traditional business matters and must be able to manage technicians in the assigning of
tasks and monitoring activities.
12. What functions does the security technician perform, and what are the key
qualifications and requirements for the position?
Functions:
Configure security hardware and software and coordinate with administrators to ensure
security is properly implemented. In particular, configure firewalls, implement security
software, diagnose and troubleshoot problems, and coordinate with systems and network
administrators to ensure security technology is properly implemented.
Qualifications and requirements:
The technical qualifications and position requirements for a security technician are
varied. Organizations prefer the expert, certified, proficient technician. Regardless of
the area, the particular job description covers some level of experience with a particular
hardware and software package. Sometimes familiarity with a technology secures an
applicant an interview; however, experience in using the technology is usually required.
13. What rationale should an aspiring information security professional use in
acquiring professional credentials?
Most companies desire to have a measurable means of judging how well suited a person
is for a particular job before making a decision on whether or not to extend a job offer.
Professional certifications allow decision makers to gauge how well versed an individual
is on a particular subject matter during the recruiting phase. Although professional
certifications do not guarantee a job, they do help an individual gain a measure of respect
from the decision makers and a chance for at least an interview.
14. List and describe the credentials of the various information security certifications
listed in this chapter.
The certification credentials available to the information security professional are CISSP
(Certified Information Systems Security Professional), SSCP (Systems Security Certified
Practitioner), GIAC (Global Information Assurance Certification), Security Certified
Professional, T.I.C.S.A. (TruSecure ICSA Certified Security Associate), T.I.C.S.E.
(TruSecure ICSA Certified Security Expert), Security+, CISA (Certified Information
Systems Auditor), and Certified Information Systems Forensics Investigator.
15. Who should pay for the expenses of certification? Why?
It depends. Individuals not currently working in the field of the certification being
pursued should have to pay for the certification themselves. If management is mandating
the certification for an individual already performing the job functions, then the company
should have to bear the responsibilities of the certification.
16. List and describe the standard personnel practices that are part of the information
security function. What happens to these practices when they are integrated with
information security concepts?
Review and update all job descriptions to verify that access privileges are not
revealed to prospective employees when advertising positions.
Educate HR to limit the information provided to the candidate during an interview
about the responsibilities and access rights the new hire would have.
Discuss with the HR manager what (if any) background checks should be performed
on prospective new hires.
Have new employees sign the fair and responsible use policies regarding
information and information resources.
Explain all major policies and procedures during new-hire orientation.
Provide on-the-job security training.
Verify that all access to the organization’s systems is disabled, hard drives are
secured, file cabinet locks are changed, office door locks are changed, keycard access is
revoked, and personal effects are removed after the termination of an employee.
17. Why shouldn’t an organization give an employee candidate a tour of secure areas
during the candidate’s interview?
Candidates who are shown around can retain enough information about the operations or
information security functions to represent a potential threat.
18. List and describe the typical relationships that organizations have with
nonemployees. What are the special security precautions that an organization must
consider for workers involved in these associations, and why are they significant?
Temporary Employees – access to information should be limited to that necessary to
perform their duties.
Contract Employees – Most contracted employees should not have access to information
or information resources (unless they are contracted to service computing resources).
Also contracted employees should be escorted in secured facilities.
Consultants – consultants should be handled the same as contract employees, with special
requirements for information or facility access requirements integrated into the contract
before these individuals are allowed outside the conference room.
Business Partners – there must be a meticulous, deliberate process of determining what
information is to be exchanged, in what format, and to whom.
All of these considerations must be taken into account to prevent accidental or intentional
breaches of confidentiality, integrity, or availability that could negatively affect the
organization.
19. What is separation of duties? How can it be used to improve an organization’s
information security practices?
Separation of duties is a control used to reduce the chance of an individual violating
information security and breaching the confidentiality, integrity, or availability of the
information.
It is used to improve an organization’s information security practices by requiring two
people to complete a significant task that involves sensitive information. If one person
has the authorization to access a particular set of information, there may be nothing to
prevent this individual from copying it and removing it from the premises.
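Separation of duties expressed as a two-person (dual-control) authorization check, added here as an illustration rather than code from the textbook; the user directory, the "dba" role and the customer-database export task are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class SeparationOfDutiesError(Exception):
    """Raised when one person tries to fill both halves of a two-person control."""


@dataclass
class SensitiveTask:
    """A task that must be requested by one person and approved by a different one."""
    name: str
    required_role: str                       # role each participant must hold
    requested_by: Optional[str] = None
    approved_by: Optional[str] = None
    audit_log: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def is_authorized(self) -> bool:
        """True only once two distinct people have signed off."""
        return self.requested_by is not None and self.approved_by is not None


class DualControl:
    """Enforces that two distinct, authorized people sign off before a task runs."""

    def __init__(self, user_roles: Dict[str, Set[str]]):
        # user -> roles held; a constructed directory standing in for a real one
        self.user_roles = user_roles

    def _require_role(self, user: str, role: str) -> None:
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} does not hold role {role!r}")

    def request(self, task: SensitiveTask, user: str) -> SensitiveTask:
        """First half of the control: an authorized person asks for the task."""
        self._require_role(user, task.required_role)
        if task.requested_by is not None:
            raise ValueError(f"{task.name} was already requested by {task.requested_by}")
        task.requested_by = user
        task.audit_log.append(("request", user))
        return task

    def approve(self, task: SensitiveTask, user: str) -> SensitiveTask:
        """Second half: a different authorized person approves it."""
        self._require_role(user, task.required_role)
        if task.requested_by is None:
            raise ValueError(f"{task.name} has not been requested yet")
        if user == task.requested_by:
            # The heart of separation of duties: the requester can never be the
            # approver, so no single individual can authorize their own access.
            raise SeparationOfDutiesError(
                f"{user} requested {task.name} and may not approve it")
        task.approved_by = user
        task.audit_log.append(("approve", user))
        return task

    def execute(self, task: SensitiveTask, user: str) -> Dict[str, str]:
        """Run the task only after both sign-offs exist; returns an audit record."""
        if not task.is_authorized:
            raise SeparationOfDutiesError(
                f"{task.name} lacks a second, independent sign-off")
        task.audit_log.append(("execute", user))
        return {
            "task": task.name,
            "requested_by": task.requested_by,
            "approved_by": task.approved_by,
            "executed_by": user,
        }


def run_demo() -> Dict[str, str]:
    """Walks a constructed scenario through the control and returns the audit record."""
    # Constructed directory: two database administrators and one helpdesk user.
    control = DualControl({"alice": {"dba"}, "bob": {"dba"}, "carol": {"helpdesk"}})
    task = SensitiveTask(name="export-customer-database", required_role="dba")

    control.request(task, "alice")
    try:                                   # same person on both halves is refused
        control.approve(task, "alice")
    except SeparationOfDutiesError:
        pass
    try:                                   # a person without the role is refused
        control.approve(task, "carol")
    except PermissionError:
        pass
    try:                                   # running before the second sign-off is refused
        control.execute(task, "alice")
    except SeparationOfDutiesError:
        pass

    control.approve(task, "bob")           # an independent, authorized second person
    return control.execute(task, "alice")


if __name__ == "__main__":
    print(run_demo())
```

The audit log kept on each task is what a second employee (or a rotated-in colleague) would review to detect misuse, which is the detection benefit the next answer describes.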
20. What is job rotation, and what benefits does it offer an organization?
Job rotation or task rotation is the requirement that every employee be able to perform the
work of another employee. If it is not feasible that one employee learn the entire job of
another, then the organization should at least try to ensure that for each critical task it has
multiple individuals on staff who are capable of performing it. Job or task rotations such
as these can greatly increase the chance that an employee’s misuse of the system or abuse
of the information will be detected by another. They also ensure that no one employee is
performing actions that cannot be physically audited by another employee. In general,
this method makes good business sense.
Exercises
1. Search your library’s database and the Web for an article related to individuals
violating their organization’s policy and being terminated. Did you find many? Why or
why not?
Answer will be unique for each student.
Students will not locate many articles, if any, since these are frequently considered
“internal actions” and not externally reported. They also reveal weakness in the
organization and possible poor judgment in the hiring and or retention of the terminated
employees.
2. Go to the (ISC)2 Web site at www.isc2.org. Research the knowledge areas included
in the tests for both the CISSP and the SSCP. What areas must you study that are not
included in this text?
CISSP Certification candidates must meet the following requirements prior to taking the
CISSP examination.
Subscribe to the (ISC)2 Code of Ethics.
Have a minimum 3 years of direct full-time security professional work experience in one
or more of the ten test domains of the information systems security Common Body of
Knowledge (CBK). Valid experience includes information systems security-related work
performed as a practitioner, auditor, consultant, vendor, investigator or instructor, or that
which requires IS security knowledge and involves direct application of that knowledge.
CISSP – Information not covered in this text:
Applications & Systems Development
Law, Investigation & Ethics
Cryptography
SSCP Certification candidates must meet the following requirements prior to taking the
SSCP examination.
Subscribe to the (ISC)2 Code of Ethics.
Have at least 1 year of cumulative work experience in one or more of the seven test
domains in information systems [IS] security. Valid experience includes information
systems security-related work performed as a practitioner or that which requires IS
security knowledge and involves direct application of that knowledge.
SSCP – Information not covered in this text:
Audit and Monitoring
Cryptography
Malicious Code/Malware
3. Using the Web, identify some certifications with an information security component
that were not discussed in this chapter.
Answer will be unique for each student.
4. Search the Web for at least five job postings for a security administrator. What
qualifications do the listings have in common?
Application Security Architect
Security consultant to handle the following:
* Application Security
* LDAP to third party synch (RDBMS, RACF etc.)
* Directory services
* Single Sign on
Required Skills:
LDAP-Active Directory, Netscape Directory, or Open LDAP
UNIX Security Architect
Responsibilities include:
Assessing the existing environment, planning a comprehensive security approach, and
executing the plan to completion. The candidate's tasks will include the following...
Dynamic Technology firm is seeking a "Top Notch" Security Engineer to implement the
latest in security technologies into production environments. This candidate must have a
strong customer focus! This candidate MUST have solid experience working in large
enterprise environment ... More
Required Skills:
MUST have exp. w/ real world implementations w/ the Radware Product line, to include
installing the product in many environs. Must have solid knowledge of Radware product
line, to include: Linkproof, fireproof, web server director, network proximity & SSL
accelerator. 3+ yrs exp: Implementing security systems, networking infrastructure, strong
hands on firewall exp. in one or more of the following: Symantec Rapture, Cyberguard,
Checkpoint, & Sonic wall. Exp. w/ Intrusion Detection Tools (ISS, NFR etc)
WAN / Cyber Security Engineer
Required Skills:
PLEASE DO NOT APPLY IF YOU DO NOT HAVE A MINIMUM OF A CCNP
CERTIFICATION OR EQUIVALENT EXPERIENCE EQUAL TO A CCIE!!!! BS
Engineering or equivalent 4-6 years WAN & CYBER SECURITY experience CCNP &
Lucent/Avaya Certifications
All job postings had the following qualifications in common:
Bachelor’s degree in IS or related field
4+ years of experience in IT or Information Security
Others that were not common between all five included:
Professional certifications and technical writing skills.
5. Search the Web for three different employee hiring and termination policies. Review
each and look carefully for inconsistencies. Does each of the policies have sections addressing
information security requirements? What clauses should a termination policy contain to
prevent disclosure of an organization’s information? Create your own version of either a
hiring or termination policy.
Of the three hiring/termination policies reviewed, none of them contained any
information regarding information security requirements. All of them included
information about benefits, payment information, and other corporate policy information.
At most, the policies included information about an exit interview.
A termination policy should include clauses about taking and revealing corporate
information that the employee has learned or been given privileged access to while employed. It
should also include clauses concerning deleting or altering company information for
malicious purposes. All the clauses should clearly define the consequences and the lengths
to which the company is willing to go to ensure that the company is protected.
Review Questions
1. List and define the factors that are likely to shift in an organization’s information
security environment.
Factors that are likely to shift the information security environment include:
New assets acquired – additional hardware added to the environment.
New vulnerabilities associated with the new or existing assets emerge – constantly
learning of new exploits.
Business priorities shift – a change in the organizational focus.
New partnerships are formed – new relationships that need to be evaluated.
Old partnerships dissolve – removing access from old partnerships.
Organizational divestiture and acquisitions occur – changes in company structure.
Employees who are trained, educated, and made aware of the new policies,
procedures, and technologies leave – ensuring corporate data is safe.
New personnel are hired, thus possibly creating new vulnerabilities – background
checks of new hires along with training on company procedures.
2. Who decides if the information security program can adapt to change adequately?
The CISO determines whether the information security group can adapt adequately and
maintain the information security profile of the organization or whether the macroscopic
process of the SecSDLC must start anew to redevelop a fundamentally new information
security profile.
3. List and briefly describe the five domains of the maintenance model.
External Monitoring – provide early awareness of new and emerging threats, threat
agents, vulnerabilities, and attacks that is needed to mount an effective and timely
defense.
Internal Monitoring – maintain an informed awareness of the state of all of the
organization’s networks.
Planning and risk assessment – keep a weather eye on the entire information security
program.
4. What are the three primary aspects of information security risk management? Why
is each important?
These aspects include threats, assets, and vulnerabilities. This triple is used to carefully
evaluate the security posture of the organization via security maintenance and readiness.
By carefully monitoring these three aspects of the organization’s security, the organization
will be more prepared for possible problems. By creating an aggressive monitoring
policy, the organization can stay abreast of changes in the environment.
7. What are the ongoing responsibilities security managers have in securing the
SDLC?
The ongoing responsibilities of security management involve the maintenance of the
contingency plan. The contingency plan must always be in a ready state for use
immediately upon notification. Periodic reviews of the plan must be conducted for
currency of key personnel and vendor information, system components and
dependencies, the recovery strategy, vital records, and operational requirements.
12. What is the difference between vulnerability assessment and penetration testing?
The primary goal of the vulnerability assessment is to identify specific, documented
vulnerabilities. Using the inventory of environment characteristics stored in the risk,
threat, and attack database, the vulnerability assessment processes identify and document
vulnerabilities. These vulnerabilities are stored, tracked, and reported within the
vulnerability database until they are remediated. Penetration testing, a level beyond
vulnerability testing, is a set of security tests and evaluations that simulate attacks by a
malicious external source (hacker). A penetration test, or pen test, is usually performed
periodically as part of a full security audit. While in most security tests, such as
vulnerability assessments, great care is taken not to disrupt normal business operations, in
pen testing the analyst tries to get as far as possible, simulating the actions of an attacker.
13. What are the objectives of the external monitoring domain of the maintenance
model?
The objective of the external monitoring domain within the maintenance model is to
provide the early awareness of new and emerging threats, threat agents, vulnerabilities,
and attacks that the organization needs in order to mount an effective and timely defense.
Figure 12-2 shows the primary components of the external monitoring process.
14. List and describe four vulnerability intelligence sources. Of those that you listed,
which seems the most effective? Why?
Bugtraq – a mailing list for detailed, full-disclosure discussions and announcements of
computer security vulnerabilities.
CERT – a website and a mailing list. The website is considered definitive when
emerging threats become demonstrated vulnerabilities; the mailing list just sends
advisories.
ISS – a commercial website with a focus on the vendor’s commercial IDS and other
security products.
NESSUS-DEVEL – a mailing list dedicated to the Nessus vulnerability test
product. It contains information about emerging threats and how to test for them.
Packet Storm – a commercial site with a focus on current security tool resources.
The most effective of these seems to be Bugtraq because it gives you information such as
identifying the vulnerabilities, documenting how they are exploited, and reports on how
to remediate them.
CERT is also effective because it provides vulnerability information and has no
commercial affiliation. However it is a slow source of information due to the approval
process that takes place to declare a vulnerability to be true.
15. What does CERT stand for? Is there more than one CERT?
CERT stands for Computer Emergency Response Team, and there are several varying
forms of CERT, including US-CERT.
16. What are the primary objectives of the internal monitoring domain?
The primary objective of the internal monitoring domain is to maintain an informed
awareness of the state of all of the organization’s networks, information systems, and
information system defenses.
17. What is the objective of the planning and risk assessment domain of the
maintenance model? Why is this important?
The objective of the planning and risk assessment domain is to keep a lookout over the
entire information security program. It is important because it allows the organization to
identify any risks from projects going on or that may already be in the environment and then take
steps to reduce those risks.
18. What is the primary goal of the vulnerability assessment and remediation domain of
the maintenance model? Is this important to an organization with an Internet presence?
Why?
The primary goal of the vulnerability assessment and remediation domain of the
maintenance model is the identification of specific, documented vulnerabilities and their
timely remediation. It is important to an organization with an Internet presence because
attackers can take advantage of any loophole or flaw that may be present in the public
facing network.
19. List and describe the five vulnerability assessment processes described in the text.
Can you think of some other assessment processes that might exist?
Internet Vulnerability Assessment is a process designed to find and document the
vulnerabilities that may be present in the public-facing network of the organization.
Intranet Vulnerability Assessment is a process designed to find and document selected
vulnerabilities that are likely to be present on the internal network of the organization.
Platform Security Validation is a process designed to find and document the
vulnerabilities that may be present because of misconfigured systems in use within the
organization.
Wireless Vulnerability Assessment is the process designed to find and document the
vulnerabilities that may be present in the wireless local area networks of the organization.
Modem Vulnerability Assessment is the process designed to find and document any
vulnerability that is present on dial-up modems connected to the organization’s networks.
Exercises
1. Search the World Wide Web for the Forum of Incident Response and Security
Teams (FIRST). In your own words, what is the forum’s mission?
The Forum of Incident Response and Security Teams (FIRST) is an international
consortium of computer incident response and security teams who work together to
handle computer security incidents and to promote preventive activities.
The mission of FIRST (http://www.first.org) is to provide its members with technical
information and tools, methods, assistance, and guidance. It also coordinates proactive
liaison activities and analytical support.
FIRST encourages the development of quality products and services and works to
improve national and international information security for government, private industry,
academia and the individual.
The forum also enhances the image and status of the incident response and security teams
(IRST) community in the outside world.
2. Search the World Wide Web for two or more sites that discuss the ISO management
model. What other components of network management, as outlined by this model, can be
adapted for use in the security management model?
The following sites discuss the ISO management model:
Solstice Enterprise Manager Application Development Guide
http://www.dkrz.de/~k202046/em/products/sem/Manuals/dev_guide/network.doc.html#470
HP Open View Performance Insight Courses: Student Pre-course Study Guide
http://www.hp.com/education/briefs/u1614s_prestudy.pdf
The ISO network management model addresses management and operation through five
topics:
· Fault management
· Configuration and name management
· Accounting management
· Performance management
· Security management
A major component of network management that can be adapted to the security
management model is a firewall, which serves a dual role in keeping external intrusions from
reaching an organization’s internal data, preserving the confidentiality, integrity, and availability
of the system. Fault management is a component of network management that can be adapted to
the security model: it detects, logs, notifies users of, and automatically fixes network problems
to keep the network running effectively. Because faults can cause downtime or
unacceptable network degradation, fault management is perhaps the most widely
implemented of the ISO network management elements. The security management model
identifies sensitive network resources (including systems, files, and other entities) and
determines mappings between sensitive network resources and user sets. It also
monitors access points to sensitive network resources and logs inappropriate access to
sensitive network resources.
3. This chapter lists five tools that can be used by security administrators, network
administrators, and hackers alike. Search the World Wide Web for three to five other tools
that fit this same description. Who do the sites promoting these tools claim to support?
Answer will vary over time.
4. Using the names of the tools you found in Exercise 3, and a browser on the World
Wide Web, find a site that claims to be dedicated to supporting hackers. Do you find any
references to any other hacker tools? If you do, create a list of the tools with their names
and a short description of what they do and how they work.
In looking at the hacker sites the funny occurrence was that many of the sites are no
longer functional (broken links). The only similar tool I noticed several times on both
types of sites was Nmap ("Network Mapper"). I did notice similar topics on the sites.
For example, where the hacker site would tell how to compromise a system such as NT
Web Server, the sites geared toward security administrators would bring up security
issues for NT Web Server and how to protect against known vulnerabilities.
Case Studies
Case Study #1
The next day at SLS found everyone in technical support busy restoring computer systems to
their former state and installing new virus and worm control software. Amy found herself
learning how to install desktop computer operating systems and applications as SLS made a
heroic effort to recover from the attack of the previous day.
Q1. Do you think this event was caused by an insider or outsider? Why do you think this?
A. I would say either or. An insider could have been involved, unfortunately, but
unintentionally, by attaching a personal USB flash removable drive to the office computer
that, unbeknownst to the owner, was infected elsewhere with a virus or worm. But, more
than likely the culprit was an outsider because it was stated in the narrative that the problems
started when the users clicked their e-mail attachments. And most e-mails normally come
from the outside.
Q2. Other than installing virus and worm control software, what can SLS do to prepare for
the next incident?
A. They should install an industry-standard firewall into their systems. Actually they should
have had one already, otherwise this problem would not have happened. But I guess they do
not have a robust security policy in place. Also, the fact that they were installing NEW virus
software tells me that they either had a cheap one installed before or that they never had one
in the first place.
Q3. Do you think this attack was the result of a virus or a worm? Why do you think this?
A. It would have to be both. A virus can destroy your computer system and a worm is used to
spread it. The fact that Amy received a bunch of infected e-mails simultaneously tells me
that this is a devastating worm that propagates a virus and spreads it rapidly through the
e-mails via their attachments.
Case Study #2
Soon after the board of directors meeting, Charlie was promoted to Chief Information Security
Officer, a new position that reports to the CIO, Gladys Williams, and that was created to provide
leadership for SLS’s efforts to improve its security profile.
Q1. How do Fred, Gladys, and Charlie perceive the scope and scale of the new information
security effort?
A. Charlie’s proposed Information Security plan aims at securing business software, data, the
networks and computers which store information. The scope of the Information Security effort is
quite vast, aiming at securing each vulnerability. In addition to the aforementioned, the new
Information Security system plan also focuses on the company’s staff. Since extra effort will be
required to implement the new managerial plan and install new software security and tools, the
scale of this operation is quite large.
Q2. How will Fred measure success when he evaluates Gladys’ performance for this
project? How will he evaluate Charlie’s performance?
A. Gladys is appointed as CIO of the team, which is gathered to improve the security of the
company due to the virus attack that caused a loss in the company; I believe Fred will measure
Gladys' success by her ability to lead, keep the plan on track (i.e. time management) and
successfully stick to the proposed budget. Charlie was promoted to CISO, a new position that
reports to the CIO; I believe Fred will measure Charlie's success by his ability to implement the new plan,
report his/their progress and the overall success of the new system.
Q3. Which of the threats discussed in this chapter should receive Charlie’s attention early
in his planning process?
A. Portable Media Management (Ex. USB, DVD-R/W) should receive Charlie’s attention early
in his planning process.
Case Study #3
Iris called the company security hotline. The hotline was an anonymous way to report any
suspicious activity or abuse of company policy, although Iris chose to identify herself. The next
morning, she was called to a meeting with an investigator from corporate security, which led to
more meetings with others in corporate security, and then finally a meeting with the director of
human resources and Gladys Williams, the CIO of SLS.
Q1. Why was Iris justified in determining who the owner of the CD was?
A. Iris is justified in determining who the owner of the CD was because she followed the norms
of ethical behavior and followed the protocol installed by her organization.
Q2. Should Iris have approached Henry directly, or was the hotline the most effective way
to take action? Why do you think so?
A. If Iris had approached Henry, it might have become a personal matter rather than a professional one.
Following the proper protocol is the best way to report in any organization.
Q3. Should Iris have placed the CD back at the coffee station and forgotten the whole
thing? Explain why that action would have been ethical or unethical.
A. In my opinion this would not have been a good professional practice. In any organization,
every employee is expected to adopt ethical behavior. In the current circumstances, Iris
made the correct ethical decision.
Case Study #4
As Charlie wrapped up the meeting, he ticked off a few key reminders for everyone involved in
the asset identification project. “Okay, everyone, before we finish, please remember that you
should try to make your asset lists complete, but be sure to focus your attention on the more
valuable assets first. Also, remember that we evaluate our assets based on business impact to
profitability first, and then economic cost of replacement. Make sure you check with me about
any questions that come up. We will schedule our next meeting in two weeks, so please have
your draft inventories ready.”
Q1. Did Charlie effectively organize the work before the meeting? Why or why not? Make
a list of the important issues you think should be covered by the work plan. For each issue,
provide a short explanation.
A. Yes, Charlie did effectively organize the work before the meeting because he went through
each important item that the team should focus on and was clearly specific in what everybody
should do and not do until the next meeting arrives. Charlie clearly states that everyone should
try and make their asset lists complete and, more importantly, focus on the valuable assets, and that
should be the main objective until the next meeting.
Q2. Will the company get useful information from the team it has assembled? Why or why
not?
A. If the assembled team follows instructions, does its assigned tasks efficiently and produces
positive outcomes, then there is a lot of useful information the company can acquire from this
group of individuals.
Q3. Why might some attendees resist the goals of the meeting? Does it seem that each
person invited was briefed on the importance of the event and the issues behind it?
A. Some attendees could resist the goals of the meeting due to an ongoing quarrel or
disagreement with the team manager, they might have some better and more innovative ideas, or
because they weren’t fully debriefed regarding the objectives of the meeting.
Case Study #5
Charlie sat at his desk the morning after his nightmare. He had answered the most pressing e-
mail in his Inbox and had a piping hot cup of coffee at his elbow. He looked down at a blank
legal pad ready to make notes about what to do in case his nightmare became reality.
Q1. What would be the first note you would write down if you were Charlie?
A. If I were Charlie, the very first note I would write is what caused the problem Charlie is so
worried about and how to avoid it. I would then make a list of ideas on how to avoid the
impending disaster.
Case Study #6
The next morning at 8 o’clock, Kelvin called the meeting to order. The first person to address the
group was the network design consultant, Susan Hamir. She reviewed the critical points from her
earlier design report, going over the options it had presented and outlining the tradeoffs in those
design choices. When she finished, she sat down and Kelvin addressed the group again: “We
need to break the logjam on this design issue. We have all the right people in this room to make
the right choice for the company. Now here are the questions I want us to consider over the next
three hours.” Kelvin pressed the key on his PC to show a slide with a list of discussion questions
on the projector screen.
Q1. What questions do you think Kelvin should have included on his slide to start the
discussion?
A. The questions that should have been in his presentation are: What is the cause of the issue?
What should be the solution? How are we going to find the solution? Does anyone have any
suggestions?
Q2. If the questions to be answered were broken down into two categories, they would be
cost versus maintaining high security while keeping flexibility. Which is most important for
SLS?
A. I think the most important thing for SLS is to maintain a high level of security because of how
sensitive and important the information is to the company’s assets. Such information should
always be classified and never be shared with anyone and hence it is important for SLS to
maintain a relatively high level of security regarding its information.
Case Study #7
Miller Harrison was still working his way down his attack protocol. Nmap started out as it
usually did: giving the program identification and version number. Then it started reporting back
on the first host in the SLS network. It reported all of the open ports on this server. Then the
program moved on to a second host and began reporting back the open ports on that system, too.
Once it reached the third host, however, it suddenly stopped. Miller restarted Nmap, using the
last host IP as the starting point for the next scan. No response. He opened up another command
window and tried to ping the first host he had just port-scanned. No luck. He tried to ping the
SLS firewall. Nothing. He happened to know the IP address for the SLS edge router. He pinged
that and got the same result. He had been black holed—meaning his IP address had been put on a
list of addresses from which the SLS edge router would no longer accept packets. This was,
ironically, his own doing. The IDPS he had been helping SLS configure seemed to be working
just fine at the moment. His attempt to hack the SLS network was shut down cold.
Q1. Do you think Miller is out of options as he pursues his vendetta? If you think there are
additional actions he could take in his effort to damage the SLS network, what are they?
A. I think Miller had one more attempt left to damage the SLS network, and that would be to
give the system a complete reboot and start over.
Q2. Suppose a system administrator at SLS happened to read the details of this case. What
steps should he or she take to improve the company’s information security program?
A. One important step that should be undertaken when developing an attack protocol in the
future is to make sure not to try and give too much security to the system, as it will create the risk
of the administrator being locked out himself.
Case Study #8
Charlie was just getting ready to head home when the phone rang. Caller ID showed it was Peter.
“Hi, Peter,” he said into the receiver. “Want me to start the file cracker on your spreadsheet?”
“No, thanks,” Peter answered, taking the joke well. “I remembered my passphrase. But I want to
get your advice on what we need to do to make the use of encryption more effective and to get it
properly licensed for the whole company. I see the value in using it for certain kinds of
information, but I’m worried about forgetting a passphrase again or even worse, that someone
else forgets a passphrase or leaves the company. How would we get their files back?” “We need
to use a feature called key recovery, which is usually part of PKI software,” said Charlie.
“Actually, if we invest in PKI software, we could solve that problem as well as several others.”
“OK,” said Peter. “Can you see me tomorrow at 10 o’clock to talk about this PKI solution and
how we can make better use of encryption?”
Q1. Was Charlie exaggerating when he gave Peter an estimate for the time that would be
required to crack the encryption key using a brute force attack?
A. Yes, Charlie was exaggerating, because a brute force attack generally takes much longer to be
executed than what Charlie suggested to Peter.
Q2. Are there any tools that someone like Peter can use safely, other than key recovery, to
avoid losing his or her passphrase?
A. The best tool or method to avoid losing one's passphrase, other than key recovery, is to safely
store all important PIN numbers, passcodes and passwords in one designated place, so should
someone ever forget his or her passphrase, he or she can just look it up in that location
where he or she stored a backup.
Case Study #9
Amy walked into her office cubicle and sat down. The entire episode with the blond man had
taken well over two hours of her day. Plus, the police officers had told her the district attorney
would also be calling to make an appointment to speak to her, which meant she would have to
spend even more time dealing with this incident. She hoped her manager would understand.
Q1. Based on this case study, what security awareness and training documents and posters
had an impact in this event?
A. I think that the threat of some kind of security breach is what had a major impact on this event
and is what led to all these meetings with the blond man as well as the district attorney for Amy.
Q2. Do you think Amy should have done anything differently? What would you have done
in the situation in which Amy found herself?
A. Yes, Amy should have taken a different approach. If I were in her shoes, I would have
consulted my manager beforehand, and if we came to an agreement then I would have arranged any
meetings with outside individuals just so my manager was satisfied and would be able to
understand once the meetings were over.