
UMUC Cyberspace & Cybersecurity CSEC 610

© UMUC 2013 Page 1 of 37

Contents

Topic 1: Worm Scenario (page 2)
Topic 2: Module 3 Introduction (page 4)
    Introduction (page 4)
Topic 3: Information System Infrastructures (page 5)
    Components of an Information System Infrastructure (page 5)
Topic 4: Threats to Information System Infrastructures (page 7)
    Types of Threats (page 7)
    Activity: Identifying Threats (page 8)
    Other Software and Human Threats (page 12)
    Open-Source vs. Proprietary Software (page 14)
Topic 5: Information System Controls (page 16)
    Types of Information System Controls (page 16)
    Disaster Recovery Planning (page 18)
    Auditing (page 21)
    Activity: Identifying Information Systems (page 22)
Topic 6: Password Protection (page 31)
    Why Is Password Protection Important? (page 31)
    Password-Cracking Techniques (page 33)
    Password-Cracking Tools (page 34)
Topic 7: Summary (page 36)
Glossary (page 37)


Topic 1: Worm Scenario

Information Systems Infrastructure CSEC 610 – Module 3

Investigating the Worm

Joe Smith is a cybersecurity analyst with Cyber Hawks, a company that provides cybercrime prevention and mitigation services. Joe has been contacted by Fly High Airlines. The company's network was recently attacked by the Slammer worm, rendering its computers inoperable for customer services for more than 24 hours. The airline has asked Cyber Hawks to conduct an investigation of the incident and submit a report of its findings. As Joe prepares for the investigation, he recalls the brutal Slammer attack on the Davis-Besse Nuclear Power Station in Ohio, which caused a massive blackout in the Midwest in January 2003.

Disclaimer: The Cyber Hawks storyline and characters in this module are fictitious and were developed for the purposes of this course. No association with any real persons, places, or events is intended or should be inferred from the use of the fictitious names.

Join Joe as he recalls the events of the Slammer worm attack.

9:00 a.m. One of the contractors of the Davis-Besse Nuclear Power Station accessed the company's corporate network. The connection was made through an unsecured network, and the Slammer worm traveled from this unsecured network to the business network of the nuclear plant. The performance of the Davis-Besse business network started to slow down considerably.

9:15 a.m. From the business network, the worm spread to the power plant's network, where the worm exploited the vulnerability of an unpatched Microsoft SQL Server.

4:00 p.m. Employees noticed that the systems in the nuclear power plant were working very slowly.

4:50 p.m. The systems in the nuclear power plant continued slowing down until their screens blacked out. The safety parameter display system at the plant crashed.

5:13 p.m. The plant's process computer system crashed. Critical network indicators identified an extremely high level of congested network traffic. This was helpful to IT management, as it warned them that the process control systems needed to be shut down. However, the worm spread so rapidly, and did such a great deal of damage in such a short period of time, that these systems crashed before IT personnel were able to bring them down in a controlled manner.

5:30 p.m. All major systems crashed, and there was a total blackout as the lights went out at the power plant. The crashes created a power outage for millions of customers. Luckily, in this case, the breach did not pose a safety hazard.


How Did This Happen?

About six months prior to the incident, Microsoft released a software patch for Microsoft SQL Server and Microsoft SQL Server 2000 Desktop Engine (MSDE 2000). Microsoft requested that all its customers download the patch from its Web site. The system administrator at the Davis-Besse Nuclear Power Station neglected to install the patch on one of the servers on the network. The Slammer worm exploited the vulnerability of this unpatched server and attacked the entire network.

Reference: Poulsen, K. (2003, August). Slammer worm crashed Ohio nuke plant network. SecurityFocus. Retrieved from http://www.securityfocus.com/news/6767
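The congested-traffic indicator in the timeline is the detective control that warned the plant's IT staff. As an added example (my code, not the module's), here is that kind of check in Python: it reads constructed flow records and flags any host that has sent UDP to port 1434, the SQL Server Resolution Service port Slammer exploited, to many distinct destinations within a short window, which is how a single-packet worm's spread looks from the network. The log format, host addresses, window length and threshold are assumptions.

```python
"""Flag hosts whose UDP/1434 fan-out looks like worm propagation.

Added example, not part of the UMUC module. The flow-log format, the hosts
and the thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

# UDP port of the SQL Server Resolution Service, the service Slammer targeted.
SLAMMER_PORT = 1434

# Constructed flow log, one record per line: "timestamp src dst proto dport bytes".
# 10.1.2.15 plays the unpatched server once it is infected; 10.1.5.20 and
# 10.1.3.8 make ordinary resolution-service queries to one or two SQL Servers.
SAMPLE_FLOWS = """\
2003-01-25T09:14:58 10.1.5.20 10.1.9.4 UDP 1434 60
2003-01-25T09:14:59 10.1.2.15 10.1.9.4 UDP 1434 404
2003-01-25T09:15:00 10.1.2.15 10.1.7.77 UDP 1434 404
2003-01-25T09:15:00 10.1.3.8 10.1.9.4 TCP 1433 1500
2003-01-25T09:15:01 10.1.2.15 192.0.2.33 UDP 1434 404
2003-01-25T09:15:01 10.1.5.20 10.1.9.4 UDP 1434 60
2003-01-25T09:15:02 10.1.2.15 198.51.100.9 UDP 1434 404
2003-01-25T09:15:03 10.1.3.8 10.1.9.4 UDP 1434 60
2003-01-25T09:15:03 10.1.3.8 10.1.9.5 UDP 1434 60
2003-01-25T09:15:04 10.1.2.15 203.0.113.200 UDP 1434 404
2003-01-25T09:15:05 10.1.2.15 10.1.4.4 UDP 1434 404
2003-01-25T09:15:06 10.1.5.20 10.1.9.4 UDP 1434 60
"""


def parse_flow(line):
    """Split one flow record into a dict with typed fields."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "bytes": int(nbytes)}


def detect_worm_scanners(lines, window_seconds=60, min_distinct_dsts=5):
    """Return {src: (first_alert_time, distinct_destinations)}.

    A source is flagged the first time it has sent UDP/1434 to at least
    min_distinct_dsts different destinations within window_seconds. Repeated
    queries to the same SQL Server do not raise the count, so ordinary
    resolution-service traffic stays below the threshold.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, dst) still in the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["proto"] != "UDP" or flow["dport"] != SLAMMER_PORT:
            continue
        window = recent[flow["src"]]
        window.append((flow["ts"], flow["dst"]))
        # Age out records older than the sliding window.
        while (flow["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = len({dst for _, dst in window})
        if distinct >= min_distinct_dsts and flow["src"] not in alerts:
            alerts[flow["src"]] = (flow["ts"].isoformat(), distinct)
    return alerts


if __name__ == "__main__":
    for src, (when, fanout) in detect_worm_scanners(SAMPLE_FLOWS.splitlines()).items():
        print(f"ALERT {when}: {src} reached {fanout} hosts on UDP/{SLAMMER_PORT}")
```

In a real deployment the window and threshold would be tuned against a baseline of legitimate resolution-service traffic, and the alert would feed the controlled shutdown the module says the plant could not complete in time.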


Topic 2: Module 3 Introduction

Introduction

“Imagine driving to work one morning and finding that the bridge you use every day has collapsed…” “…or, upon reaching the office, finding that a power failure has stopped all work.”

Infrastructure components such as roads, bridges, water supply, electricity, and emergency services are critical for the functioning of a city, state, or country. The Slammer worm attack in January 2003 not only caused large-scale devastation to the U.S. electricity infrastructure, but affected airlines, banks, and other industries. Businesses today rely heavily on information system (IS) infrastructures to support their core processes, and it is vital that these IS infrastructure components be secure. In this module, you will learn about technology-based and human-based controls designed to protect an organization’s mission-critical IS from cyberintrusions.

Reference: Poulsen, K. (2003, August). Slammer worm crashed Ohio nuke plant network. SecurityFocus. Retrieved from http://www.securityfocus.com/news/6767


Topic 3: Information System Infrastructures

Components of an Information System Infrastructure

For an organization to function smoothly, the core and supporting business processes must be efficiently and effectively performed. Each business process requires the support of the organization's infrastructure components. These components include not only the IS—hardware, software, data, telecommunications networks, people, and policies—but other components, such as facilities, human resources, and services.

The same three questions are asked of each of the three components: facilities, human resources, and services.

For what is this component used?

Facilities: Facilities comprise the physical infrastructure required to house the hardware and software of the organization.

Human Resources: Although computers help to automate business processes, trained human resources are required to run and maintain the systems.

Services: Business services that the organization needs may be provided by internal personnel. However, the organization may outsource some business processes, such as IT and payroll services.

What are the critical questions regarding this component?

Facilities: As an organization expands its operations, it must answer these questions:
    What is the best location for the facility? Should it be located closer to the main office?
    What approach should we take to ensure the security of the facility?
    How much can we afford for the installation and maintenance of the facility?

Human Resources: Regarding human resources, the organization must answer the following questions:
    How many trained resources do we need to keep our IS infrastructure running?
    How much should we spend on employing trained staff?
    Should we employ trained staff or should we make use of the services of an external employment agency?
    What is the organizational structure that will best support the IT infrastructure?

Services: Regarding services, the organization must address these questions:
    Which services fall into the category of core services of the company?
    Which business processes can the company outsource?
    Is the vendor capable of ensuring security for these services?
    What are the costs and benefits of outsourcing the services?


What could be the impact of a security incident on the component?

Facilities: A security incident such as the Slammer worm attack could halt all operations in the organization.

Human Resources: A compromise in security at the human resources level could impact the organization. Employees who do not adequately protect the system will need to be trained or replaced. If a disgruntled employee initiated a security attack, the impact could be very high.

Services: Usually, noncritical business processes that are not part of the organization’s core competencies are outsourced. A compromise in security for this component would likely have only a moderate impact.


Topic 4: Threats to Information System Infrastructures

Types of Threats

Threats to an IS infrastructure vary depending on the nature of the operations of an organization. However, most threats fall into one of three categories: physical, software, and human. Physical threats range from natural disasters—such as floods and earthquakes, which could cause evacuation of the facility—to power outages, which would lead to temporary or permanent disruption of services. The reality of physical threats has been driven home by events such as the 9/11 attacks on the United States in 2001, the 7/26 Mumbai floods in 2005, and the 7/7 attacks in London in 2005. Physical attacks perpetrated by humans are not always launched with the intent of causing harm to the general population. Many of these attacks target a specific infrastructure, and organizations must consider this in evaluating the potential impact of a physical attack on the continuity of business processes.


Topic 4: Threats to Information System Infrastructures

Activity: Identifying Threats

Try this activity to explore some software and human threats in familiar, everyday situations. This activity presents four scenarios. Assess the situation in each scenario and determine whether or not the situation could pose a threat to the IS infrastructure.

Scenario 1: Richard Brown, chief technical officer at Triangle Engineering, Inc., is having a heated discussion with his junior engineer, Jason Baker.

Richard Brown: Jason, this delay in the project is inexcusable. I can give you only one day, and no more, to finish the report. If you’ll excuse me now, I have a meeting in 10 minutes.

A disgruntled Jason Baker returns to his cubicle, and fellow employees see him furiously typing at his computer.

Question 1: Do you think Jason Baker’s frustration could pose a threat to the company?

o Yes o No

Now, consider the following situation. Jason is scanning the company’s financial forecast for the next two quarters. He also has an unfinished e-mail message open on his computer screen. Does the situation now appear threatening?

o Yes o No

Feedback: Yes, Jason is clearly upset, and he could be thinking about getting even with his boss. Jason could be planning to pass on confidential information to a competitor, and although this breach is only a possibility, it is worth considering. Contrary to popular belief, disgruntled and dishonest employees pose a prominent risk to network security. To ensure a low risk level, the organization must match the IS controls for dealing with human threats with its security policy. This policy should include stringent access controls and rigorous audit mechanisms.


Scenario 2: During the holiday weekend, Linda Parker, a senior associate with Visual Park Companies, is working from home to complete a presentation for the next day. She wants to modify a flowchart done in Adobe Photoshop, and she does not have the software installed on her computer.

Question 2: Linda runs down to a local store and uses her corporate credit card to purchase a copy of the software. Does this situation pose a security threat?

o Yes o No

What if Linda does not install the software properly or, after installing, finds that the software is incompatible with her system? Will the situation then cause a security issue?

o Yes o No

Feedback: Although any software purchase requires some caution, this situation is highly unlikely to pose any serious security threat to Linda or her organization. Linda may have violated her company’s policy by buying the software with her corporate credit card, but she is purchasing a licensed copy of the software. Of course, Linda may not install the software properly, or the software may be incompatible with her system or another system when she connects to her office network, but this situation still cannot be considered serious. With proper backup controls in place, such an incident would cause only minor damage and not pose any serious security threat to Linda’s organization.

Scenario 3: Sarah Young, the receptionist at New, Inc., is about to leave for the day when she receives an e-mail with an attachment that appears to be from her colleague Sharon Evans, who has recently had a baby. The e-mail does not have a subject, and the message simply says, “Attached.” Sarah assumes that the attachment is a baby picture.

Question 3: Excited to see the picture, Sarah hurriedly clicks the attachment to download it. Do you think that what Sarah has done is appropriate?

o Yes o No

After Sarah clicks the attachment to download it, strangely enough, instead of seeing the regular Open or Save the File message, she sees a flicker on her screen, as if a program has just been executed, and then the file disappears.


Is the e-mail message infected with a virus?

o Yes o No

Feedback: E-mail attachments must always be opened with utmost caution, even when they seem to come from a known sender. Most virus writers attach their viruses to e-mail messages. For a virus to infect a computer, the user has to run it. This security measure forces virus writers to forge the FROM address in the e-mail so that the user is misled into opening and running the attachment. A message without a subject line and with only a brief message body must be treated with suspicion, as it has a high chance of containing a virus. Sarah should have checked the sender’s address before downloading the attachment. Most organizations ensure that e-mail messages are automatically scanned before they reach your inbox. Virus writers, however, have found ways to counteract the automatic scans. Additional scans on the local machine as mandated by the organization can prevent the spread of viruses.
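As an added example, not part of the course module, here is how a mail gateway or desktop tool could turn the feedback above into a check: it parses a constructed copy of the message Sarah received with Python's standard email package and scores the warning signs the feedback lists (missing subject, one-word body, an attachment that is really a program, and a From address that does not match the colleague's known address). The two messages, the contact list, the extension list and the weights are all assumptions.

```python
"""Score an inbound e-mail for the warning signs discussed in Scenario 3.

Added example, not part of the UMUC module. Both messages, the contact
list, the extension list and the weights are constructed assumptions.
"""
import email
import os
from email import policy
from email.utils import parseaddr

# File types Windows runs on double-click (assumed, illustrative list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Constructed address book: colleague display names and their real addresses.
KNOWN_CONTACTS = {"Sharon Evans": "sharon.evans@example.org"}

# Constructed forgery: known display name on a look-alike domain, no subject,
# one-word body, double-extension attachment. The base64 decodes to the ASCII
# text "not a real image"; it is not an executable.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce-8731@mail.example.net>
From: Sharon Evans <sharon.evans@example.net>
To: Sarah Young <sarah.young@example.org>
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Attached.
--XYZ
Content-Type: application/octet-stream; name="baby.jpg.exe"
Content-Disposition: attachment; filename="baby.jpg.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBpbWFnZQ==
--XYZ--
"""

# Constructed legitimate message from the real colleague, for contrast.
BENIGN_MESSAGE = """\
Return-Path: <sharon.evans@example.org>
From: Sharon Evans <sharon.evans@example.org>
To: Sarah Young <sarah.young@example.org>
Subject: Pictures from the hospital
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Hi Sarah, here are the pictures from the hospital. See you on Monday!
--XYZ
Content-Type: image/jpeg; name="baby.jpg"
Content-Disposition: attachment; filename="baby.jpg"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBpbWFnZQ==
--XYZ--
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def triage_message(raw, known_contacts):
    """Return (score, reasons); a higher score means handle the mail with more care."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []
    if not str(msg["Subject"] or "").strip():
        score += 1
        reasons.append("no subject line")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body else ""
    if len(text) < 20:
        score += 1
        reasons.append("body is only %d characters long" % len(text))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, ext = os.path.splitext(name)
        if ext in EXECUTABLE_EXTENSIONS:
            score += 3
            reasons.append("attachment %r is executable" % name)
            if os.path.splitext(stem)[1]:  # e.g. baby.jpg.exe
                score += 1
                reasons.append("double extension disguises the executable")
    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    expected = known_contacts.get(display_name)
    if expected and from_addr.lower() != expected.lower():
        score += 3
        reasons.append("From address %s is not %s's known address %s"
                       % (from_addr, display_name, expected))
    _, return_path = parseaddr(str(msg["Return-Path"] or ""))
    if return_path and _domain(return_path) != _domain(from_addr):
        score += 1
        reasons.append("Return-Path domain %s differs from From domain %s"
                       % (_domain(return_path), _domain(from_addr)))
    return score, reasons
```

The score is a triage hint for the local scan the feedback recommends, not a verdict: the forged message scores 10 with five reasons, while the genuine one from the colleague's real address scores 0.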

Scenario 4: Susan John, a curriculum developer, is absorbed in her work when a Microsoft Windows update alert message pops onto her screen. Keen on finishing her work without any interruptions, Susan selects the option to remind her about the update later.

Question 4: Is this a wise decision?

o Yes o No

Feedback: Most users tend to overlook security update or new patch release messages that pop onto their screens. Often, nothing goes significantly wrong. Should Susan have spent time on this matter right now, when she is so focused on her work? Consider what happens next. To continue with her research on a particular curriculum, Susan browses the Internet and comes across a forum of curriculum developers. She decides to join this forum, and starts visiting the Web site regularly. After a few days, Susan observes that her computer is running more slowly than usual and informs the IT helpdesk at her company. Could something have gone wrong?

o Yes o No

Feedback: Yes, Susan could have visited either a malicious Web site or a legitimate one that is infected with a virus and that, in turn, got her computer infected. The slow performance of her computer could also be the result of a genuine hardware or software malfunction. Many security breach incidents have been the result of an attacker exploiting vulnerabilities in software, as was the case in the Slammer worm incident. Software vendors release security updates and patches from time to time to remediate these vulnerabilities. Susan must not overlook any update alerts and must promptly install updates on her machine.


Topic 4: Threats to Information System Infrastructures

Other Software and Human Threats

You’ve learned about some of the innumerable threats to information systems—physical, software, and human. Often, physical threats are devastating to the organization’s livelihood. However, other types of threats must not be overlooked, and appropriate actions must be taken against these threats. Organizations owe it to their employees, customers, and investors to take security seriously and stay abreast of current trends in combating threats. Here are some other human and software threats that can be found in an organization.

Improperly Configured Applications: Network administrators who are inadequately equipped or trained can sometimes expose the network to vulnerabilities. Common lapses include making configuration errors and failing to download or install software updates or new device drivers, which can make systems unstable.

Connectivity: Registering a network host is like listing the system’s phone number in a telephone directory. This number is a tempting lure for hackers on the lookout for insecure networks. In 2003, the Slammer worm infected insecure hosts on a large scale across the world. The effects were widespread in the United States, and included the disruption of 911 services, the cancellation of airline flights, election interference, and ATM failures. The Slammer effects highlight how critical it is to secure modem lines with dial-back modems and/or encryption units.

Improper Patch Management System: An organization’s patch management system is an online system that checks a Web service for available patches. When a software vendor offers a new patch, it recommends that users download and install the patch. The patches are remedies to fix bugs and security holes, which can otherwise be exploited by malicious hackers.

Negligence: Pressing the wrong key, unplugging the wrong cord, spilling liquid on equipment, causing radio frequency interference, creating pollution, and overloading electrical outlets are only a few examples of negligence and human error. The 80-20 rule applies here—if the lock on the door represents 20 percent of security for your home, then remembering to lock the door, checking after locking it, and keeping the keys safe represent the remaining 80 percent.

Social Engineering and Corporate Espionage: Social engineering is becoming more prevalent as hackers become more subtle and sophisticated in their methods. In today’s competitive world, unscrupulous companies utilize corporate espionage to penetrate a competitor’s IS infrastructure and obtain sensitive documents. Phone “phreaks” are a potent breed of hackers who attack the network systems through the phone systems that support the network operations. Phishing attacks are another common type of social engineering attack, where the hacker sends you an enticing e-mail about your bank account, winning the lottery, or a free credit card. When you reply to this e-mail, your PC is infected with some type of computer malware.

Political Events: Power struggles between governments can lead to violence in the form of bombings, riots, and espionage wars. The Internet is often viewed as a low-cost and convenient means of waging political attacks. These attacks affect business continuity as well as the capability of an organization to operate normally.


Information and Identity Theft: Information theft is another rising security threat for organizations that store large amounts of consumer data. According to a report published by Booz | Allen | Hamilton for the Alliance for Enterprise Security Risk Management (AESRM), “One company indicated that individual identity records are worth $60 on the black market, and one backup tape full of these records can be worth more than $1 million.” Employees carrying powerful mobile communication devices—such as mobile phones, laptops, and flash drives—with sensitive information are on the rise. These devices usually lack standard security features, making them susceptible to information theft.

Reference: Booz | Allen | Hamilton. (2005, November). Convergence of enterprise security organizations. Retrieved from http://www.boozallen.com/media/file/Convergence_of_Enterprise_Security_Organizations_v2.pdf


Topic 4: Threats to Information System Infrastructures

Open-Source vs. Proprietary Software

Among the various software-related topics of discussion in an organization is one that revolves around the use of open-source software (OSS) versus proprietary software. A number of factors, such as cost, functionality, reliability, and security concerns, help decide the suitability of one type of software over the other. The key difference between the two types of software is that OSS is freely available for downloading and customizing, whereas proprietary software is purchased with the right to use it in a specific way. In most cases, the software is owned by the company that developed it. Microsoft Windows operating systems are examples of proprietary software. Some distributions of Linux are OSS.

Consider this scenario. New, Inc., an IT services organization, requires HR management software in order to manage the records of its employees. Should the company select an open-source program or buy a proprietary one? Susan Prentice, IT security manager; Larry Jordon, CIO; and Dennis Marks, director of HR, are having a discussion around this topic. They are considering three parameters: cost, requirements, and security.

Cost

Larry: In my opinion, we should definitely consider open-source software as an option. One, most open-source solutions are available for free or at low cost; two, you have the source code with you; and three, you can modify it any which way you like. To me, it’s a win-win all the way.

Dennis: Larry, I don’t want to jump the gun. I agree with you that the low cost of open-source is a plus. I don’t want to invest in anything that’s going to stretch our budget at this point in time. But if we go in for open-source, we may need to spend time on training. I have too much on my plate right now for that. I’d rather leave training to the vendor.

Larry: Yeah, with open-source software, you don’t get any vendor support. But, we could put together our own support team that can take care of training as well. That would still be inexpensive compared to buying proprietary software.

Susan: Well, if we are talking about cost, then there are several proprietary software systems available at low cost. Besides, we need to consider the security of sensitive employee data. Do we really need to take an unnecessary risk with open-source?

Dennis: That’s true. I want to keep the costs low, but I don’t want to compromise on data security.

Susan: Open-source software is not always reliable. We could set up our own support team, but fixing some of these bugs could take a lot of our energy.

Larry: Several online communities and freelance software developers are ready to help fix these bugs, sometimes at no cost.


Susan: But Larry, what if these bugs are used as security holes to steal data? I’d say security should be our primary concern here and the key deciding factor.

Requirements

Dennis: What about our functional requirements and availability, Larry? Can you come up with a list of software that meets our requirements?

Larry: Yes, I had identified some and passed them on to Susan. Have you had a chance to take a look at it, Susan?

Susan: Yes, I have shortlisted two options. I think these meet our requirements closely, though they would need some amount of customization.

Dennis: That’s great! If we decide to go with either of the two options that Susan has shortlisted, how soon do you think we can have it up and running?

Susan: Requirements in open-source software can be very difficult to analyze and determine, whereas with proprietary software, we know exactly what functional requirements are in the software that we purchased.

Security

Larry: You might not want to believe this, but open-source software can be more secure than proprietary software. Because the source code is available to all, scores of programmers are constantly tweaking it to make it more secure. Makers of proprietary software, on the other hand, have a limited number of programmers to plug the holes in their software.

Susan: Larry, I am not too convinced about the security of open-source. We cannot simply assume that open software is secure because a large number of programmers are tweaking it. There could be many others out there trying to find vulnerabilities in it.

Dennis: Hey guys, I don’t really understand the technology issues here. What I do know is that the data that I have is sensitive and cannot be compromised. I need to find a solution that is cost-effective and secure at the same time.

Larry: I have seen a number of white papers on how open-source software improves security. And, it is only a myth that closed software is more secure because the source code is not available. Attackers don’t need access to the source code to find vulnerabilities. All software, whether open or closed, will always come with its own set of problems. The unique advantage of open software is that we can modify it the way we want.

Susan: I’d just like to say that it’s critical we spend some time evaluating the software for security, whether open or closed, before we decide to use it.

Dennis: Yeah, I think we need to zero in on a solution that offers low cost and high security. It might be a good idea to employ a security expert to advise us on the suitability of open-source software.


Topic 5: Information System Controls

Types of Information System Controls

Among threats such as floods, fire, virus attacks, and data threats, some are more likely to occur than others. In any event, an organization must put certain IS controls in place. IS controls fall into one of three categories: preventive, detective, and corrective—all three types of controls are required to maintain security in an infrastructure. Not every calamity or error can be prevented, but with detective and corrective controls in place, risks can be mitigated. Given below are examples of different types of IS controls. Check the box next to the correct category for each control. Hint: There are eight preventive controls, three detective controls, and three corrective controls.

Examples | Preventive | Detective | Corrective
Background Check of Potential Employees | [ ] | [ ] | [ ]
Restricted Access to a Data Center | [ ] | [ ] | [ ]
Acceptable Use Policy | [ ] | [ ] | [ ]
Firewall | [ ] | [ ] | [ ]
Software or Hardware Patch Installation | [ ] | [ ] | [ ]
Payment Card Industry Data Security Standards | [ ] | [ ] | [ ]
Password and Security Policies | [ ] | [ ] | [ ]
Power and Air-Conditioning Control Systems | [ ] | [ ] | [ ]
Policies Related to Security Permissions | [ ] | [ ] | [ ]
System-Generated Alerts in a Data Center | [ ] | [ ] | [ ]
Intrusion Detection System | [ ] | [ ] | [ ]
Closed-Circuit Television (CCTV) System in a Data Center | [ ] | [ ] | [ ]
Computer System Event Logs | [ ] | [ ] | [ ]
Hot Site for Disaster Recovery | [ ] | [ ] | [ ]

Feedback

The answers are given below.

Preventive Controls:

Background Check of Potential Employees
Restricted Access to a Data Center
Acceptable Use Policy
Firewall
Payment Card Industry Data Security Standards
Password and Security Policies
Power and Air-Conditioning Control Systems
Policies Related to Security Permissions

Detective Controls:

Intrusion Detection System
Closed-Circuit Television System (CCTV) in a Data Center
Computer System Event Logs

Corrective Controls:

System-Generated Alerts in a Data Center
Hot Site for Disaster Recovery
Software or Hardware Patch Installation


Topic 5: Information System Controls

Disaster Recovery Planning

Consider this scenario. You are working on your laptop and have a folder named “Orion Project - Root” open in front of you. All your important documents for the Orion project are saved in this folder. You want to transfer this folder from drive C to drive D on your laptop. To transfer the files, you simply copy the folder and paste it into the desired drive. When you access the folder on that drive, you see that most of the contents are gone! The files that remain open up to show garbled text. What is the first thought that crosses your mind? Write it here.

Backup? Recovery? IT? Aren’t these words close to the thought that crossed your mind? Well, then you’ve already taken the first step toward disaster recovery. Despite all the measures taken to ensure the safety and security of IS, disasters do happen, and the systems of an organization are often affected. Organizations must have a plan for recovering from an event that has an impact on their functioning.

Steps for Planning a Disaster Recovery

Step 1

The first step in planning a recovery is to create the disaster recovery plan itself. Having a backup site appears to be the most critical step in a recovery; however, a disaster recovery plan must go beyond the backup site and include every step in the procedure of recovery. Typically, a disaster recovery plan includes all roles and responsibilities of assigned personnel, the chain of command, and all components necessary for a full recovery. Here are some questions regarding the disaster recovery plan for you to answer.

Is it important to store backup copies of the recovery plan? Yes / No

Should the recovery plan be detailed? Yes / No

Is it important to test the recovery plan? Yes / No

Do you need to update the recovery plan often? Yes / No

Answer: When a disaster hits your organization, all the records, including your disaster recovery plan and its copies, could be destroyed. Therefore, you must store a backup copy of the disaster recovery plan separately from the original. The disaster plan should include every minute detail because it could be the only document left after the disaster. As the organization can confirm the effectiveness of the recovery plan only after it has tested the plan, the organization must test all the steps and carry them out exactly as if a disaster had struck. Remember to update the disaster recovery plan whenever the information systems in the organization are updated. This update will ensure that the plan is current and will enable you to resume operations quickly.


Step 2

A backup site is a location where an organization relocates its business temporarily when disaster strikes. Organizations have the choice of having a hot backup site or a cold backup site. A hot backup site is a fully functional office that requires only the organization’s staff for work to begin. This option is more costly, but it saves time. A cold backup site, on the other hand, is an empty building with connections for communication and electricity. This option saves costs, but increases the time required to set up business operations. An organization can also select a warm site for backup, which has the hardware and telecommunications networks already installed. Given below is a list of organizations. Can you recommend which type of backup site is appropriate for each organization?

Bank Hot Cold

Online ticket booking center of an airline Hot Cold

Troubleshooting center of an IT company Hot Cold

Stock exchange Hot Cold

Department of Defense (DoD) headquarters Hot Cold

Answer: The decision on the type of backup site usually depends on the criticality of the business operations and information systems. Banks, stock exchanges, and defense organizations should ideally have a hot backup site, because their services affect not only the viability of the business, but the economy and security of the country. Organizations that do not provide highly critical services or do not affect the economy or security of individuals can choose to have a cold backup site. Businesses have no rule of thumb regarding backup sites. Organizations often choose their site by comparing the cost of lost productivity with the cost of site maintenance.

Step 3

After selecting the backup site for your organization, you need to set it up (if it is a hot backup site) or make provisions for setting it up in case of a disaster (if it is a cold backup site). What is required to ensure that the backup site is functional?

Telecommunication lines

Hardware and software

Personnel

Network connectivity

Furniture

Answer: You require telecommunication lines, hardware, software, personnel, network connectivity, and furniture to set up your backup site. If you select the hot backup site option, you will have to regularly update the data at the backup site; otherwise, the purpose of having a hot backup site is defeated. Similarly, if you select a cold backup site, you must ensure that the data has adequate backup, which may be kept at another location so that all data is not lost. In this scenario, recovered data may be a week or 15 days old, depending on the interval at which you take the data backups.


Topic 5: Information System Controls

Auditing

Organizations can suffer a loss or security breach when some IS controls are not in place. The Slammer worm virus attack on the Davis-Besse plant occurred because an engineer forgot to download the patch. IS controls are usually tested by auditors, but IT management is responsible for having these controls in place and also for managing them. As an auditor for the Davis-Besse plant, which of the following controls would you implement?

Install systems software controls to detect human error on the part of the engineer.

Set up a process by which the system administrator can verify that the patch is downloaded, installed, and configured properly.

Create a means of documentation such as a checklist to ensure that all necessary actions have been performed.

Create a backup and recovery plan to ensure that there is minimal data and/or financial loss.

Install strong firewalls and controls to protect the network from any kind of worm, virus, or Trojan.

Answer: All the options are desirable. An audit must involve evaluating the organization’s information systems, practices, and operations. This audit is done to determine the safety of assets, the integrity of data, and the achievement of organizational goals and objectives. An audit helps the organization to reduce costs and remain competitive. The U.S. government has made audits mandatory via the Sarbanes-Oxley Act of 2002. This act came into existence to regulate financial practice and governance. As per this act, auditors are required not only to look at finances, but also to assess the effectiveness of all controls (including IT controls) put in place by management. Reference: Sarbanes-Oxley Act, 15 U.S.C. § 7201 (2002).
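Two of the controls listed above, a process by which the administrator verifies that a patch is downloaded, installed, and configured properly, and a checklist documenting that each step was done, can be implemented as a small audit script. The following Python is an added example, not part of the UMUC module; the host names, patch ids, dates, and the 14-day grace period are constructed assumptions.

```python
"""Patch-verification audit (added example, not part of the UMUC module).

Implements two of the audit controls discussed above: a check that each
required patch has been downloaded, installed and configured on every host,
and a checklist that documents the state of each step. All host names,
patch ids and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# The three verification steps named in the module, in the order they must happen.
STAGES = ("downloaded", "installed", "configured")


@dataclass
class PatchState:
    """What the host inventory records for one patch on one host."""
    downloaded: bool = False
    installed: bool = False
    configured: bool = False             # post-install step done (setting applied, service restarted)
    completed_on: Optional[date] = None  # date the most recent completed step was recorded


@dataclass
class Finding:
    host: str
    patch_id: str
    issue: str
    severity: str  # "high", "medium" or "low"


def first_missing_stage(state: PatchState) -> Optional[str]:
    """Return the first checklist step not yet done, or None when all three are done."""
    for stage in STAGES:
        if not getattr(state, stage):
            return stage
    return None


def audit_host(host: str, inventory: Dict[str, PatchState], required: Dict[str, date],
               as_of: date, grace_days: int = 14) -> List[Finding]:
    """Compare one host's inventory against the required patch list.

    A patch with any step missing is a finding; it is 'high' once the vendor
    release is older than the grace period (the forgotten-patch failure mode).
    A fully applied patch is still noted when it was applied after the grace
    period, so the audit trail records how long the window of exposure was.
    """
    findings: List[Finding] = []
    for patch_id in sorted(required):
        released = required[patch_id]
        state = inventory.get(patch_id, PatchState())  # absent from inventory == nothing done
        missing = first_missing_stage(state)
        overdue = (as_of - released).days > grace_days
        if missing is not None:
            severity = "high" if overdue else "medium"
            findings.append(Finding(host, patch_id, f"not {missing}", severity))
        elif state.completed_on is not None and (state.completed_on - released).days > grace_days:
            findings.append(Finding(host, patch_id, "completed late", "low"))
    return findings


def audit_fleet(fleet, required, as_of, grace_days=14):
    """Run audit_host over every host; result is host -> list of findings."""
    return {host: audit_host(host, inv, required, as_of, grace_days) for host, inv in fleet.items()}


def checklist(host, inventory, required):
    """Documentation control: one line per required patch showing which steps are ticked."""
    lines = []
    for patch_id in sorted(required):
        state = inventory.get(patch_id, PatchState())
        boxes = " ".join(f"[{'x' if getattr(state, s) else ' '}] {s}" for s in STAGES)
        lines.append(f"{host:<10} {patch_id:<11} {boxes}")
    return lines


# Constructed sample data: two required patches, three hosts, audited on AS_OF.
REQUIRED = {"PATCH-0001": date(2024, 3, 4), "PATCH-0002": date(2024, 3, 18)}
AS_OF = date(2024, 4, 1)
FLEET = {
    "hmi-01": {
        "PATCH-0001": PatchState(True, True, True, date(2024, 3, 8)),
        "PATCH-0002": PatchState(True, True, False, date(2024, 3, 19)),  # installed, never configured
    },
    "eng-ws-07": {
        "PATCH-0002": PatchState(True, False, False, date(2024, 3, 20)),  # PATCH-0001 never downloaded
    },
    "db-02": {
        "PATCH-0001": PatchState(True, True, True, date(2024, 3, 26)),  # applied 22 days after release
        "PATCH-0002": PatchState(True, True, True, date(2024, 3, 23)),
    },
}

if __name__ == "__main__":
    for host, inv in FLEET.items():
        print("\n".join(checklist(host, inv, REQUIRED)))
    for host, findings in audit_fleet(FLEET, REQUIRED, AS_OF).items():
        for f in findings:
            print(f"{f.severity.upper():<6} {f.host} {f.patch_id}: {f.issue}")
```

A patch that is downloaded but never installed, or installed but never configured, shows up as a gap in the checklist and as a finding, which is exactly the condition the auditor's verification process is meant to catch.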


Topic 5: Information System Controls

Activity: Identifying Information Systems

The state of Louisiana has decided to invest in an additional nuclear facility. A new plant called Five Mile Island is being proposed and will be located on the outskirts of Shreveport. Skylight Construction is preparing a proposal in response to the request for proposal (RFP). One of the sections of the RFP relates to cybersecurity, and Skylight needs an expert to provide recommendations for all stages of the project, from the design of the facility to the commencement of plant operations. Your firm is short-listed, and you now need to make your recommendations for the RFP. Skylight has prepared an excerpt of the original RFP, which provides brief background information on the security environment of the facility.

Five Mile Island Nuclear Power Plant Request for Proposal

Executive Summary

The state of Louisiana has decided to invest in an additional nuclear facility. A new plant called Five Mile Island is being proposed and will be located on the outskirts of Shreveport. The bidding vendor will need to provide recommendations pertaining to the cybersecurity requirements of the nuclear facility. The U.S. power grid includes three independently operating sections: the eastern interconnection, the western interconnection, and the Electric Reliability Council of Texas (ERCOT). The Five Mile Island nuclear power plant will be part of the western interconnection. Regulations for the power grid have been reduced in recent years in order to promote competition in power generation and transmission. This has reduced costs, but it has also reduced the strength of the power grid. Two main agencies that influence and control the power grid are the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC). FERC is concerned mainly with regulation of the power industry, while NERC is a nonprofit organization that focuses on the protection and reliability of the power industry and supply. Nuclear energy makes up 20 percent of the total energy used in the United States. Coal is our main source of power, providing 50 percent of the total. The remaining sources of energy include natural gas, petroleum, and renewable resources. There are two types of nuclear power plants—pressurized water reactors and boiling water reactors. Five Mile Island will be a pressurized water reactor and will have the typical components in its substations, including circuit breakers, transformers, and switches. The Nuclear Regulatory Commission (NRC) controls the design and regulates the security and safety measures of nuclear plants in the United States. Security requirements are higher for nuclear power plants than for other types of energy plants, and include requirements for scrupulous background checks on all employees and security staff. The NRC also performs regular inspections of safety measures to ensure that the staff is capable of dealing with any dangerous scenario. The NRC's design requirements address physical threats to the safety of the nuclear plant, including possible attacks by airplanes or trucks that could result in radioactive pollution.


Five Mile Island will include a main control center that will house a monitoring system for the whole plant. The control center will be divided into different sections, each devoted to monitoring and managing a specific area of the plant, and each staffed by several operators.

Proposed Information Systems and Data Center

The data center will measure 5,000 square feet and will include bulletproof glass and comprehensive environmental and physical controls. Access will be strictly limited to only those employees who will work in this location. Furthermore, proper policies and procedures will be developed for visitors and for the third-party service providers who will service the hardware (e.g., mainframes, numerous servers, and infrastructure components) in this location. The organization will maintain a wide variety of information systems. Some of these IS will be of a general business nature, such as the enterprise resource planning (ERP) system, decision support system, and knowledge management system, and will use commercial off-the-shelf (COTS) software. Some of the IS will be custom-developed, such as the standalone customer billing system. The organization will also own and maintain a variety of other industry-centric IS. These will be COTS products that will need to be customized in order to meet specific demands for safety, efficiency, and effectiveness. Lastly, Five Mile Island will have a range of state-of-the-art supervisory control and data acquisition (SCADA) systems that will help ensure that the facility's infrastructure and computer systems are well-controlled and constantly monitored. From a financial perspective, the organization has budgeted ten million dollars for these systems. The physical facility of the data center will have an extremely strong security posture. This will include fences, reinforced walls, cipher locks, security guards, video surveillance systems, motion detectors, and alarm systems. Security elements will also include security guards in patrol vehicles and special lighting systems and protective landscaping for the plant. The budget for the construction of the data center is still under development, but a preliminary estimate by the chief financial officer is four million dollars. Personnel working in the data center will undergo background investigations similar to those undergone by employees in the U.S. intelligence community. These personnel will include not only nuclear engineers and facility staff, but all the computer operators, other IT professionals, and maintenance staff whose job requires them to have access to the data center.

Cybersecurity Requirements

At a minimum, the requirements for cybersecurity include all of the following safeguards: security awareness training, CCTV systems, disaster recovery planning, intrusion detection systems, firewalls, perimeter and facilities security, data center security at the highest level of protection possible, antivirus software, network monitoring, and audit logging of all key system and user events. The most common types of cyberattacks include viruses, system penetration, and Denial of Service. Attackers use tools such as password crackers, war dialers, ping sweep and port scan programs, packet sniffers, protocol analyzers, and Denial of Service (DoS) tools.


While system penetration allows an attacker to change data, plant malicious code, or plant viruses, it is not necessary for an attack to succeed. An attacker can simply flood a system with so much illegitimate traffic that the legitimate traffic cannot navigate through the network. Passwords need to be strong and encrypted in order to be as effective as possible as a defense tool. Strong passwords tend to be more than six letters long and to not form words or acronyms. Passwords that are reusable—that do not change for long periods of time—are not as strong as they could be. Firewalls help set up a buffer that controls the traffic coming in and out of the network. To supplement the work of a firewall, which is static, another defense tool is employed—the intrusion detection system (IDS). This system can detect unauthorized use of a network computer. An important defense is access control, both physical and electronic. In theory, the most secure system would incorporate three levels of security—a physical ID card, knowledge of a password, and biometric proof of ID, such as a fingerprint. However, research has shown that biometrics can be spoofed relatively easily. Systems that use the two other factors are the most secure—for example, the smart cards provided by RSA. In the power industry, many of these methods of defense have not been implemented, but the NERC has been working on, and continues to work on, developing standards that will provide the electronic and physical protection required.

Activity

To begin providing your recommendations, answer the questions given below. Please note: This is a branched scenario. In some cases, a question may branch out into two parts. Here, the two parts will be labeled a and b, respectively. For example, 6a and 6b.

Question 1: Which of the following entities are most likely to launch a cyberattack on the facility?

A. Foreign governments, foreign corporations, and professional hackers

B. Amateur hackers

C. Contractors

Answer: The correct answer is A. The nuclear power plant is going to be one-of-a-kind, using state-of-the-art technology. This may entice certain foreign governments and corporations to try to penetrate through to the critical components of the facility. Foreign governments and corporations may hire independent hackers who may try to sabotage the power supply by accessing the controls of the plant through the Internet. Amateur hackers are unlikely to launch an attack, as the systems will be too sophisticated for them to easily penetrate. Vendors and contractors also will not launch a cyberattack, as they will not want to lose business from the government.


Question 2: What types of attacks are foreign governments, corporations, and professional hackers most likely to perpetrate?

A. Bomb threats, bypassing of armed security, and employee impersonation

B. Laptop theft, telecommunications fraud, and financial fraud

C. System penetration, theft of proprietary information, virus attacks, and Denial of Service (DoS)

Answer: The correct answer is C. Attacks such as system penetration, theft of proprietary information, virus attacks, and DoS are the most likely attacks to be perpetrated by foreign governments, corporations, and professional hackers. In an attempt to ruin the state’s reputation, independent hackers might introduce a virus into the network. They might also try to prevent the Internet from functioning efficiently to obstruct communication between the user and the Web site. Although this is not the most likely scenario, hackers could try to access confidential information from the laptops of individuals. They could also try to disrupt communication by moving telecommunications satellites. Hackers can infect networks and access personal and financial information, which can be used to commit fraud. Foreign governments, corporations, and professional hackers would not openly send out a bomb threat or physically try to enter facility premises by bypassing armed security guards or impersonating employees.

Question 3: Now that you have identified the likeliest attackers and their most likely methods of attack, rank each method below as more likely, somewhat likely, or less likely.

Viruses

Financial fraud

Sabotage

Telecommunications fraud

Laptop theft

System penetration

Theft of proprietary information

Web site defacement

Denial of Service

Answer: Given the current situation, the attacks should be ranked as follows:

More Likely:

Viruses

Denial of Service

System penetration

Somewhat Likely:

Theft of proprietary information

Sabotage

Web site defacement

Less Likely:

Laptop theft

Financial fraud

Telecommunications fraud

Question 4: Now, which assets will your firm prioritize first in its protection efforts?

A. Web server, telecommunications link, and LAN for finance department

B. Data center, corporate enterprise network, sensitive areas of the nuclear reactors, and building with master controls

C. Front entrance to the facility, parking facilities, and loading dock

Answer: The correct answer is B. Protecting assets such as the data center, corporate enterprise network, sensitive areas of the nuclear reactors, and the building with the master controls should be your firm's first priority, as these assets are the most sensitive and the most susceptible to direct attack. The Web server, telecommunications link, and finance department LAN are susceptible to attack, and you should implement controls to protect them. However, your first priority should be to protect assets such as the data center, the corporate enterprise network, sensitive areas of the nuclear reactors, and the building with the master controls. Protecting the front entrance, parking facilities, and loading dock will provide only physical, and not cyber, security.

Question 5: What do you believe will be the most critical vulnerabilities of the facility?

A. Lack of limited user rights, lack of redundant power supplies, lack of disaster recovery plan, untrained staff members, and no log of critical network events

B. Unpatched operating systems, unpatched software applications, lack of firewall configuration, and lack of network monitoring

C. No security staff, no employee IDs, no CCTV, and no intrusion detection system (IDS)

Answer: The correct answer is B. Unpatched operating systems, unpatched software applications, a lack of firewall configuration, and lack of network monitoring will be the most critical vulnerabilities in the facility. Lack of limited user rights, lack of redundant power supplies, lack of disaster recovery plan, untrained staff members, and no log of critical network events represent vulnerabilities in the facility, but the organization will have to tackle them over a period of time. The lack of security staff, employee IDs, CCTV, and IDS does not represent critical vulnerabilities.

Question 6a: What kinds of controls will your firm recommend as a safeguard against vulnerabilities arising from unpatched operating systems, unpatched software applications, lack of firewall configuration, and lack of network monitoring?

A. Testing and prompt patching of the OS and software applications on all user computers and servers, review of firewall settings for possible improvements, and use of network management software for monitoring network traffic and activity

B. Immediate installation of patches for the OS and software applications for all user computers, installation of firewall settings according to default instructions provided by vendors, and allocation of responsibilities to the local area network (LAN) administrators

C. Installation of licensed copies of software, attainment of new firewall hardware and software, and hiring of more IT personnel to monitor network activity

Answer: The correct answer is A. Testing and promptly patching the OS and software applications on all user computers and servers, reviewing firewall settings for possible improvements, and using network management software to monitor network traffic and activity should be top priority. Installing patches is an important practice, but remember that patches should also be tested before installation. Configuring firewalls according to vendor instructions does not take into account specific organizational policies and requirements. You will need to understand the network and its requirements and fine-tune the configuration. Assigning responsibilities to LAN administrators might not be effective in itself. The LAN administrators should use network management software to generate logs that can be easily and regularly reviewed. Installing licensed copies of operating systems and application software is mandatory, and procuring new hardware or software or hiring more personnel will not safeguard against vulnerabilities arising from unpatched operating systems, unpatched software applications, lack of firewall configuration, and lack of network monitoring.

Question 6b: What kinds of controls will your firm recommend to handle the following issues?

lack of limited user rights

lack of redundant power supplies

lack of disaster recovery plan

untrained staff members

no log of critical network events

A. Review of the access control list for the top ten managers, purchasing of diesel generators, placement of security awareness posters in the company cafeteria, and overwriting of computer logs every seven days

B. Discussion of the need for hot-site planning with the CIO, organization of a meeting with facilities personnel and the local public utility for backup power generators, and posting of IT security policies on the company intranet

C. Review of the access control list for all users, generation and review of daily logs of critical network events, and development of staff security awareness program for employee orientation

Answer: The correct answer is C. Reviewing the access control list for all users, generating and reviewing daily logs of critical network events, and developing a staff security awareness program for employee orientation should be top priority. Discussing the need for hot-site planning with the CIO, conducting a meeting with facilities personnel and the local public utility for backup power generators, and posting IT security policies on the company intranet are necessary controls. Reviewing the access control list for the top ten managers, purchasing diesel generators, placing security awareness posters in the company cafeteria, and overwriting computer logs every seven days are not the appropriate controls for these issues.

Question 7a: Remember that the second level of vulnerabilities also needs to be addressed. This includes lack of limited user rights, lack of redundant power supplies, lack of a disaster recovery plan, untrained staff members, and no log of critical network events. What controls will you recommend to handle these vulnerabilities?

A. Review of the access control list for all users, generation and review of daily logs of critical network events, and development of a staff security awareness program for employee orientation

B. Discussion of the need for hot-site planning with the CIO, organization of a meeting with facilities personnel and the local public utility for backup power generators, and posting of IT security policies on the company intranet

C. Review of the access control list for the top ten managers, purchasing of diesel generators, placement of security awareness posters in the company cafeteria, and overwriting of computer logs every seven days

Answer: The correct answer is A. Reviewing the access control list for all users, generating and reviewing daily logs of critical network events, and developing a staff security awareness program for employee orientation should be top priority. Discussing the need for hot-site planning with the CIO, conducting a meeting with facilities personnel and the local public utility for backup power generators, and posting IT security policies on the company intranet are necessary controls. Reviewing the access control list for the top ten managers, purchasing diesel generators, placing security awareness posters in the company cafeteria, and overwriting computer logs every seven days are not appropriate controls for these vulnerabilities.

Question 7b: You identified the controls for limited user rights, the lack of a disaster recovery plan, and untrained staff. However, before you address these issues, you will want to address more critical issues, such as unpatched operating systems and software applications, the lack of firewall configuration, and the lack of network monitoring. What controls will you implement to address these vulnerabilities?


A. Installation of licensed copies of software, attainment of new firewall hardware and software, and hiring of more IT personnel to monitor network activity

B. Immediate installation of patches for the OS and software applications for all user computers, installation of firewall settings according to default instructions provided by vendors, and allocation of responsibilities to the local area network (LAN) administrators

C. Testing and prompt patching of the OS and software applications on all user computers and servers, review of firewall settings for possible improvements, and use of network-management software for monitoring network traffic and activity

Answer: The correct answer is C. Testing and promptly patching the OS and software applications on all user computers and servers, reviewing firewall settings for possible improvements, and using network management software to monitor network traffic and activity should be top-priority. Installing patches is an important practice, but remember that patches should be tested before installation. Configuring firewalls according to vendor instructions does not take into account specific organizational policies and requirements. You will need to understand the network and its requirements and fine-tune the configuration. Assigning responsibilities to LAN administrators might not be effective in itself. The LAN administrators should use network management software to generate logs that can be easily and regularly reviewed. Installing licensed copies of operating systems and application software is mandatory, and procuring new hardware or software or hiring more personnel will not safeguard against vulnerabilities arising from unpatched operating systems, unpatched software applications, a lack of firewall configuration, or a lack of network monitoring.

Question 8: You are reviewing the access control list for all users and need to understand the requirements of different user groups. Which of the following groups will you choose first?

A. All employees

B. IT personnel, including LAN administrators

C. Only the personnel in the finance department

Answer: The correct answer is A. Before you get down to reviewing the access control list for the organization, you should understand the specific requirements of all employees.

Question 9: Which could be critical events in the daily system logs?

A. Logon times between 12:00 midnight and 6:00 a.m.

B. Multiple unsuccessful logons by a user

C. The logon duration of key management personnel

Answer: The correct answer is B. Multiple unsuccessful logons by one user must be tracked. An unauthorized user may try to hack into one of the user machines to access confidential data.


You may track logon times between certain hours, but tracking them is not essential. Logon duration is not critical information.

Question 10: What kind of budget will you require for the implementation of cybersecurity measures?

A. Two to four million dollars

B. Less than one million dollars

C. Over four million dollars

Answer: The correct answer is A. The ballpark budget should be in the two-to-four million-dollar range. Your estimate can be analyzed later with the budget department. Less than one million dollars is quite a small budget for such a large project. Over four million dollars is a lot of money. The company will not be able to spend that amount of money on this project.

Question 11: What is the most likely duration of implementation?

A. About 12 to 18 months

B. About six months

C. Three years

Answer: The correct answer is A. If you can assemble the right team, about 12 to 18 months is realistic and you are on the right track. Six months is not enough time to complete this type of project. You cannot expect the company to wait for three years; security is high-priority.


Topic 6: Password Protection

Why Is Password Protection Important?

Passwords are the primary means of authenticating user IDs on a network and on individual computers. If your password is cracked, the attacker can gain access not only to your system, but to other systems on the local network as well as on external networks. In light of the range of password-cracking tools available today, the single most important step you can take to protect your systems is to set a strong password. Most companies adopt policies that force users to set strong passwords. Passwords that include only numbers or only alphabetical characters, that are shorter than six characters, or that do not contain any special characters are generally not accepted. Additionally, users are prompted to change their passwords at regular intervals (for example, every 30 days).

Verifying Passwords

System administrators use various applications and tools to verify that your password is strong. You will receive many requests to share your credentials in e-mail messages or on Web sites. Remember that you must never share your password with anyone, no matter how trustworthy the person or site may seem to be. Here’s a set of rules that will help you ensure that the password you set is secure.

Do not use any personal information, such as your last name, first name, nickname, birth date, spouse name, pet name, car model, favorite sports team, or hobbies.

Do not use any words contained in English or foreign-language dictionaries.

Do not use a password shorter than six characters.

Do not use a word spelled backwards.

Do not use a logical sequence of numbers or letters.

Do not reuse old passwords.

Do not write down your password. If you cannot remember the password, then ensure that the written password is stored safely.

Do not use the same password for all your accounts.

Setting Strong Passwords

Several techniques are used to create strong passwords, and you might have come up with a unique technique yourself, but a common method involves the use of acronyms. Here are the steps to creating a strong password using acronyms.

Step 1: Think of a phrase that you can remember easily. Example: I go to work daily at 8:00 a.m.

Step 2: Now, create a word using only the first letter of each word, in either all lowercase or all uppercase. Example: igtwda8 or IGTWDA8


Step 3: Replace some letters with numbers and special characters. Example: 1gtwd@8 or 1GTWD@8

Step 4: Add complexity by reversing the case of some letters. Example: 1gtWd@8 or 1GTwD@8

Now you’ve got a password that is less susceptible to attack.


Topic 6: Password Protection

Password-Cracking Techniques

Attackers use password-cracking to gain unauthorized access to systems. However, some password-cracking goals are legitimate—for example, to gain access to digital evidence in cases of fraud or to recover a forgotten administrator password. The following are common techniques used to crack passwords.

Brute Force: This technique tries every combination of numeric, alphanumeric, and special characters until the password is broken or the user is locked out.

Dictionary: This technique tries each word in a dictionary (a file of words) as the password until a match is found or the end of the dictionary is reached. Many dictionaries are available on the Internet, in languages other than English as well. A simple word or a combination of simple words is easy to crack with this method.

Hybrid: This technique adds a number or special character to the end of each word in a dictionary. The technique exploits the common habit of altering a dictionary word by simply adding an extra number or symbol at the end.
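The password rules listed under Verifying Passwords and the three cracking techniques above can be turned into a single defender-side check. The following Python is an added example and not part of the UMUC module: it reports which of the module's rules a candidate password violates (including the dictionary and hybrid patterns the techniques target) and sizes the brute-force search space by character class. The word list and the personal-information entries are constructed stand-ins, not real data.

```python
import string

# Constructed stand-ins for what a real checker loads from a word-list file and the
# user's HR record (assumption: production uses a full dictionary, not this handful).
DICTIONARY = {"password", "work", "daily", "welcome", "summer", "admin", "letmein"}
PERSONAL_INFO = ["John", "Smith", "1985", "Rex"]  # names, birth year, pet name
SPECIALS = set(string.punctuation)

def charset_size(pw: str) -> int:
    """Smallest alphabet a brute-force search must cover to reach pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    return size

def brute_force_combinations(pw: str) -> int:
    """Candidates of pw's length a brute-force search over pw's alphabet must try."""
    return charset_size(pw) ** len(pw)

def in_dictionary(word: str) -> bool:
    """Dictionary word as written or spelled backwards (two of the module's rules)."""
    w = word.lower()
    return w in DICTIONARY or w[::-1] in DICTIONARY

def is_sequence(pw: str) -> bool:
    """A logical run of consecutive characters such as 'abcdef' or '654321'."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 3 and steps in ({1}, {-1})

def check_password(pw: str, personal_info=PERSONAL_INFO, history=()) -> list:
    """Names of the module's rules that pw violates; an empty list means it passes."""
    low = pw.lower()
    rules = [
        ("too_short", len(pw) < 6),
        ("single_class", pw.isalpha() or pw.isdigit()),  # only letters or only digits
        ("no_special", not any(c in SPECIALS for c in pw)),
        ("personal_info", any(t.lower() in low for t in personal_info if len(t) >= 3)),
        ("dictionary_word", in_dictionary(pw)),
        # the hybrid attack's target: a dictionary word with one digit or symbol appended
        ("hybrid_pattern", len(pw) > 1 and (pw[-1].isdigit() or pw[-1] in SPECIALS)
         and in_dictionary(pw[:-1])),
        ("sequence", is_sequence(pw)),
        ("reused", pw in history),
    ]
    return [name for name, violated in rules if violated]
```

Run against the module's own worked example, igtwda8 fails only the special-character rule while 1gtWd@8 passes every rule and more than doubles the brute-force alphabet (36 to 94 symbols).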


Topic 6: Password Protection

Password-Cracking Tools

Various password-cracking tools are available on the market; some of these tools are free to download from the Internet. Password-cracking tools vary according to the OS, type of server, and type of device.

Password-Cracking Tools for Windows

Cain & Abel: This password-cracking tool for Windows recovers passwords by sniffing the network, cracking encrypted passwords, decoding scrambled passwords, uncovering cached passwords, and analyzing routing protocols.

PwDump: This tool extracts LAN Manager and NT LAN Manager hashes (hashed passwords) from the Security Account Manager (SAM) on Windows machines. It also displays password histories, if available.

L0phtCrack: This tool audits and recovers Windows passwords from stand-alone Windows workstations, networked servers, primary domain controllers, and Active Directory.

Brutus: This password-cracking tool for Windows uses brute-force authentication cracking that tries to retrieve passwords from remote systems using a dictionary.

Password-Cracking Tools for Macs

RainbowCrack: This tool is a precomputation-based password cracker that can be used on Windows, UNIX, and Linux, as well as on Mac operating systems. It uses precomputed tables (rainbow tables), which speed up the process. RainbowCrack uses a time-memory trade-off: the expensive computation is done once and the results are stored in the rainbow tables, so each lookup is much faster than a brute-force attack, which tries all possible plaintexts one by one and is highly time-consuming, especially for complex passwords.

Password-Cracking Tools for UNIX

John the Ripper: This is a fast, powerful, and flexible password-recovery tool that can be used on multiple platforms, including UNIX, Linux, Windows, and Mac. It is primarily used for detecting weak passwords in UNIX operating systems. Currently, it supports more than 11 UNIX versions and many different UNIX architectures.

Password-Cracking Tools for Database Servers

THC Hydra: This tool is a network authentication-cracker that can be used on multiple platforms. It can perform rapid dictionary attacks for as many as 30 protocols and many types of databases.


Password-Cracking Tools for Wireless Networks

Aircrack-ng: This tool is the fastest available Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) password-cracking tool. After gathering enough encrypted packets, it can recover a 40- to 512-bit WEP key.

AirSnort: This is another WEP tool. It is a wireless LAN (WLAN) tool that recovers encryption keys. It also monitors transmissions and is chiefly used for cracking 802.11 WEP encryption.

Password-Cracking Tools for Routers

SolarWinds: This tool monitors networks and attacks on networks. It includes network-discovery scanners and allows for router password decryption. It is one of the easiest and fastest router-configuration applications, allowing configuration uploads and downloads.


Topic 7: Summary

We have come to the end of Module 3. The key concepts covered in this module are listed below.

Securing the components of the IS infrastructure is important, as these keep critical infrastructure running.

Most threats to IS infrastructure are categorized as physical, software, or human.

The main difference between open-source software (OSS) and proprietary software is that the former has source code that is available for customization, whereas the latter has source code that is owned by the developers and that is meant to be used in a specific way.

A disaster recovery plan should include information such as the roles and responsibilities of company personnel and the chain of command.

A backup site is a physical place where an organization relocates its business temporarily when disaster strikes. The three types of backup sites are hot, cold, and warm.

Password protection is one of the controls implemented to secure an information system in an organization. The three techniques for cracking a password are brute force, dictionary, and hybrid.


Glossary

Term: Definition

Backup Site: A backup site is a place where an organization relocates its business temporarily when disaster strikes.

Brute-Force Attack: In a brute-force attack, every combination of numeric, alphanumeric, and special characters is tried until the password is broken or the user gets locked out.

Cold Backup Site: A cold backup site is an empty building containing connections for communication and electricity.

Dictionary Attack: In a dictionary attack, a file of words is run against all user accounts on a network.

Hot Backup Site: A hot backup site is a fully functional office that requires only the staff for business operations to continue as usual.

Hybrid Attack: In a hybrid attack, a number or special character is added at the end of the words appearing in a dictionary so as to uncover a hybrid password.

Open-Source Software: Open-source software (OSS) is software that is available in source-code form, for which the license permits the user to study, use, change, and improve the software.

Proprietary Software: Proprietary software is software that is licensed so as to protect the exclusive rights of its owner. The purchaser agrees to certain terms and conditions.

Warm Backup Site: A warm backup site is a location at which the hardware and connectivity equipment of a company are installed. The data backups are stored at another site and delivered to the backup site.

Worm: A worm is a type of self-replicating virus.