
An Engineer’s Primer on Information Security

A White Paper by: Brent Scott LaReau, Consultant
www.designsbylareau.com

Revised: September 8, 2006


Copyright © 2006 by Brent Scott LaReau

This document and its content is protected by copyright, regardless of how this document or its content is printed, viewed, encoded, stored or transmitted. Permission to paraphrase, reproduce or copy any part, or all, of this document or its content is granted only if:

1. The reproduction or copy is not achieved for profit without this author’s express consent, and. . .
2. Sufficient information is included to identify this document and its author. Specifically:

• The full title of this document plus its copyright date(s), and. . .
• This author’s full name (Brent Scott LaReau) and his brief or complete contact information.

Brent Scott LaReau, Consultant
Voice/FAX (U.S.A.): 847-428-4923
E-mail: [email protected]
Web: www.DesignsByLaReau.com
Mail (U.S.A.): 2413 W. Algonquin Road, PMB #258, Algonquin, IL 60102-9776

Disclaimer

Information in this document is subject to change without notice and is distributed on an “as is” basis, without warranty. Although every precaution has been taken in the preparation of this document, its author shall not have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this document.

Trademark Information

Trademarked names may appear in this document. Rather than use a trademark symbol with every occurrence of a trademarked name, such names are used in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

About the Author

Brent Scott LaReau has been an independent consultant since 1987.

He provides design and development services in electronics, software, embedded systems and devices, web and intranet sites, knowledge base construction, technical writing and on-site training/mentoring. He is proficient in heterogeneous system design, where diverse components use different programming languages, interfaces, databases, networks and communications protocols.

Brent earned his BSEE at Marquette University, graduating first in his class. His academic awards include the International Engineering Consortium’s (IEC’s) William L. Everitt Award, Marquette University’s Top Scholars in Curriculum Award, and the College of Lake County’s Outstanding Academic Excellence in Mathematics and Outstanding Scholar Award.

He is a member of the Institute of Electrical and Electronics Engineers (IEEE), the Association of Computing Machinery (ACM), and American Mensa, Ltd.
Contents

1 Introduction and Overview 6
2 Introduction to Information Security 7
  2.1 Information? Security? 7
  2.2 Overview 7
  2.3 Definition 7
  2.4 Objectives 8
  2.5 Security Considerations 8
  2.6 Risk Management 8
  2.7 Scope 8
  2.8 Security Technology 8
  2.9 Security Policies 9
  2.10 Laws and Regulations 9
  2.11 Security Standards 9
  2.12 Implementation 9
3 Best Practices 10
4 Cybercriminals and Their Attack Vehicles 12
  4.1 Cybercrime 12
  4.2 Malware 13
    4.2.1 Worms 13
    4.2.2 Viruses 13
    4.2.3 Spyware 14
    4.2.4 Adware 14
    4.2.5 Ransomware 15
    4.2.6 Trojans 15
    4.2.7 Rootkits 15
  4.3 Zero-day Exploits 15
  4.4 Zombies and Botnets 15
  4.5 Anti-virus Software 16
  4.6 The Writing on the Wall 17
5 Internet & Network Threats 18
  5.1 Targeting 18
  5.2 Networking Concepts 18
  5.3 Diagnostic Software 18
  5.4 Vulnerabilities, Exploits & Patches 20
  5.5 Port Management 20
  5.6 Firewalls 20
  5.7 Safe Computing 22
    5.7.1 Good Habits 22
    5.7.2 Web Page Landmines 23
    5.7.3 Internet Explorer 24
    5.7.4 E-mail Landmines 24
    5.7.5 Outlook 25
    5.7.6 PDF Landmines 25
    5.7.7 Flash Landmines 25
    5.7.8 Multimedia Landmines 25
    5.7.9 Passwords and User IDs 25
    5.7.10 Social Engineering 28
  5.8 Threats to Wireless Networks 29
6 Non-technological Threats 30
  6.1 Social Engineering 30
  6.2 Facility Security 30
  6.3 Property Theft 31
7 Data Leaks, Data Loss & Privacy 32
  7.1 Data Leaks 32
    7.1.1 Meta-data 32
    7.1.2 E-mail 33
    7.1.3 Corporate Networks 33
    7.1.4 Voice-mail 33
    7.1.5 Web Servers 33
    7.1.6 Equipment Disposal & Repair 34
    7.1.7 Bluetooth Devices 35
    7.1.8 Shredding 35
    7.1.9 Encryption 35
  7.2 Data Loss 35
    7.2.1 Paper Files 36
    7.2.2 Computers, Cell Phones, PDAs 36
    7.2.3 Media and Memory Sticks 37
    7.2.4 Backup & Restoration 37
    7.2.5 Storage of Backup Media 38
    7.2.6 Uninterruptible Power Supplies 38
  7.3 Privacy 39
  7.4 Policies 39
8 Glossary 40
Part 1

Introduction and Overview

Corporations, engineers and nontechnical people alike rely on globally available digital information having a definite dollar value. This has spurred cybercriminals¹ to use computers and software to steal personal identities, hold enterprise databases for ransom, and commit other information-related crimes.

In the U.S. alone, cybercrime costs companies roughly $67 billion per year, and costs individuals an extra $40 billion. On average, each U.S. wage earner 21 to 65 years old pays cybercriminals about $1500 each year, directly or indirectly.

Today, cybercriminals use malware such as viruses, worms and spyware, as well as social engineering (psychological) techniques, to achieve their goals worldwide. Their primary vector is the Internet. Anti-virus software is becoming irrelevant, as new types of attacks occur long before anti-virus companies can issue updates.

Even without falling prey to cybercriminals, companies and individuals can accidentally allow important information to fall into the wrong hands. Consequences of such data leaks include embarrassment, termination, blackmail, lawsuits or even financial ruin. Simply e-mailing a spreadsheet to a customer, or failing to erase a discarded hard drive, or using a wireless computer at a coffee shop, can provide someone with enough confidential data to bring down you or your company.

For example, in 2004 The SCO Group submitted a Microsoft Word document as part of a lawsuit against DaimlerChrysler and AutoZone. An analysis of that document’s hidden “meta-data” revealed that SCO’s lawyers had originally planned to target Bank of America instead. This data leak seriously weakened SCO’s legal position.

Finally, engineers know that a company’s end products can contain computers, custom software and site-specific data. In a classic case of “finger-pointing”, customers will assume that vendors “lock down” their products and that data is backed up automatically, while vendors will assume that customers will somehow perform these tasks themselves. Legal trends indicate that vendors, and eventually engineers themselves, may soon be liable for security breaches or enterprise-crippling data loss at customer sites.

This White Paper introduces the field of information security—sometimes abbreviated InfoSec—which deals with the protection of critical data and the digital information systems that store such data. Also introduced are “best practices” in information security, which are tried-and-true security-related guidelines for designing, implementing and maintaining any kind of information system.

On a more detailed and practical level, this White Paper brings into focus security and privacy issues affecting individuals and corporations. It describes common attacks and their defenses; data leaks and their prevention; effective individual and corporate policies; and technological solutions and their shortcomings. A glossary and a list of references are included.

As you read this White Paper, remember—

Praemonitus, praemunitus
(Forewarned is forearmed)

¹ Most boldfaced words can be found in the Glossary located near the end of this White Paper.
Part 2

Introduction to Information Security

Billy Blanks, creator of the Tae Bo physical fitness method, said that once you have consumed calories you only have two choices: burn them off, or wear them. In the same vein, once you have stored information you only have two choices: protect it, or lose it.

2.1 Information? Security?

What types of information do you—or your company—rely on every day?

• Bids and contracts?
• Documents and specifications?
• Schematics, bills of materials and CAD drawings?
• Software and databases?
• Financial data?
• Addresses and phone numbers?
• Bank accounts?
• E-mail archives?
• Passwords?

What would happen if such information was lost, stolen, corrupted, sold, fell into your competitor’s hands, held for ransom, or put on public display?

All right, then! Let’s talk about preventing those things from happening.

2.2 Overview

In the past two decades we have increasingly used digital information systems to store all kinds of data: desktop computers, laptop computers, cell phones, PDAs, MP3 players, web servers, e-mail servers, file servers, USB memory sticks, CDROMs, DVDs, floppy disks, tape cartridges, hard drives, network storage devices and other devices.

Most people use these devices without blinking, as if all of these devices cannot corrupt or lose data, and will last forever, and cannot be lost or stolen, and can resist any stranger’s attempts to copy stored data, and can be replaced at any time with another device that will somehow store the same data automatically.

Fortunately, a few people did blink, and consequently tried to minimize those problems by inventing a new methodology.

The field of information security (InfoSec) deals with the protection of information systems and the information stored in such systems. It applies equally well to personal electronic devices, file cabinets, computer centers, web sites, and the home or automobile.

2.3 Definition

The U.S. National Information Systems Security Glossary defines information security as: “The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats” [14]¹

¹ Numbers inside square brackets denote one or more cited references, which can be found at the end of this White Paper.

2.4 Objectives

Widely accepted objectives of information security [14] include:

• Assurance - Confidence that security measures work as intended to protect an information system. Vulnerability assessments and testing must be performed to establish a confidence level.
• Availability - Information systems should not break down when attacked. This requires knowledge of how attacks are performed.
• Confidentiality - Information should be accessible only to authorized parties. Generally, this requires access controls and encryption (see section 7.1.9).
• Integrity - Confidence that data was not altered by unauthorized parties, or was not lost due to equipment malfunction. Tools such as checksum generators can be used to verify data integrity.
• Accountability - Responsibility and liability issues regarding information systems. Impetus must come from effective management and legal counsel.

2.5 Security Considerations

Five main security considerations exist [14], corresponding to the information security objectives mentioned in section 2.4:

• Vulnerability assessments and testing.
• Education on attack methodology.
• Encryption and access controls.
• Data integrity checks and alarms.
• Responsibility and liability policies.

2.6 Risk Management

It is important to realize that information security is not about establishing absolute protection for important information, which is impossible. Instead, information security is about risk management, which is the ongoing process of identifying risks and implementing mitigation plans to address them.

Risks can be managed only if they are known [15, 26]. A discovery process is necessary to identify information-related risks. Following established guidelines is better than going it alone, for two reasons. First, a lot of time can be saved by following in someone else’s footsteps. Second, litigation often focuses on whether industry “best practices” were used, as mentioned in Part 3.

2.7 Scope

Information security considerations are commonly, but incorrectly, thought to apply only to digital data stored on servers located behind corporate firewalls. In fact, information security considerations apply to every piece of information, regardless of encoding, storage media or physical form.

For example, hardcopy of your company’s internal e-mail directory should not become publicly available through theft or carelessness. Confidential information stored in a PDA should not be readable by a thief who steals that PDA.

While it is obvious that enterprise information systems must be protected from unauthorized access, it is less obvious that a company’s for-sale digital products are also information systems, which customers will rely on to securely store and process their personal or enterprise data. Legal trends show that vendors who do not employ information security “best practices” may one day be liable for security breaches suffered by their customers [11].

2.8 Security Technology

Information security certainly involves the use of hardware and software technology to establish safeguards for information:

• Encryption (see section 7.1.9).
• Integrity checkers.
• Locks and other access controls.
• Alarm systems.
• Vulnerability analyzers.
• Network firewalls.
• Intrusion detection systems.

2.9 Security Policies

Technology alone is insufficient to protect information systems. Policies for human behavior must also be established to protect critical information [28], as exemplified by the old military slogan, “Loose Lips Sink Ships”.

Security policies, which guide human behavior, will become ever more important as cybercriminals increasingly use social engineering techniques to bypass technological protection methods (see section 5.7.10).

Policies also help us to prevent accidental data leaks that could bring harm to ourselves, our companies or employers, or our customers, as discussed in Part 7.

Finally, policies can define an “incident response” strategy, which is essential for any organization that depends on an information system for day-to-day business activities. Incident response strategies should encompass preparation, identification, containment, eradication, recovery and follow-up phases.

2.10 Laws and Regulations

An increasing number of Federal and state laws and regulations affect how enterprise information security must be managed on a day-to-day basis, as well as how security breaches must be dealt with. Initially, laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) were enacted to protect consumers, and others such as the Sarbanes-Oxley Act were created to protect investors.

Currently there are no laws dictating how enterprise information security must be managed. However, information security-specific legislation is expected at any moment, with the Department of Homeland Security’s National Strategy for Securing Cyberspace acting as a springboard.

2.11 Security Standards

In the absence of laws we can rely upon numerous industry standards to guide us. Popular standards and industry “best practices” published by various organizations are shown in Part 3.

2.12 Implementation

Establishing a formal information security methodology can require a great deal of time, labor and/or expense.

At the corporate level, this requires many departments to work together. Specialists may be hired on a full-time or consulting basis, to oversee the design, implementation, management and auditing of the corporation’s top-to-bottom information security strategies. Such personnel will undoubtedly use industry “best practices” recommended by various organizations (such as those shown in Part 3). But be careful when hiring an outsider to perform security audits and vulnerability assessments, for who watches the watchmen?

In contrast to an elaborate and time-consuming formal methodology, this White Paper condenses “best practices” mentioned in Part 3 to create a simple, “hands-on” approach that both individuals and corporations can immediately employ on a day-to-day basis.

The remainder of this document will cover topics related to the information security considerations mentioned in section 2.5. Topics include:

• Best practices.
• Cybercriminals and their attack vehicles.
• Internet and network threats.
• Non-technological threats.
• Data leaks, data loss and privacy.
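The Integrity objective in section 2.4 relies on checksum generators, and section 2.8 lists integrity checkers among the available safeguards. The following is an added example, not code from this White Paper, of such a checker in Python: it records a SHA-256 baseline of a directory, seals the baseline with an HMAC under a key that is assumed to be kept off the protected machine, and reports modified, missing and new files. The directory contents and the key are constructed for the demonstration.

```python
"""Baseline-and-verify file integrity checker (added example, not from the White Paper)."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def seal_manifest(manifest: dict, key: bytes) -> dict:
    """Attach an HMAC tag so a manifest rewritten by whoever altered the files is detectable."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": manifest, "tag": tag}


def verify(root: Path, sealed: dict, key: bytes) -> dict:
    """Compare the tree under root against a sealed manifest.

    Returns a report with the lists 'modified', 'missing' and 'new', plus
    'manifest_tampered', which is True when the HMAC tag does not match
    (in that case the file lists are not trustworthy and are left empty).
    """
    body = json.dumps(sealed["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return {"manifest_tampered": True, "modified": [], "missing": [], "new": []}
    old, current = sealed["files"], build_manifest(root)
    return {
        "manifest_tampered": False,
        "modified": sorted(p for p in old if p in current and current[p] != old[p]),
        "missing": sorted(p for p in old if p not in current),
        "new": sorted(p for p in current if p not in old),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter, delete and add files."""
    key = b"constructed-demo-key"  # real deployments keep this off the protected host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config.ini").write_text("debug=false\n")
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ original build")
        sealed = seal_manifest(build_manifest(root), key)

        # Events the checker should surface (constructed for the demonstration):
        (root / "bin" / "app.exe").write_bytes(b"MZ altered build")  # unauthorized change
        (root / "config.ini").unlink()                               # file lost
        (root / "extra.dat").write_bytes(b"unexpected")              # unexpected addition
        report = verify(root, sealed, key)

        # Whoever rewrote the files may also rewrite the stored checksums.
        # A plain checksum list cannot tell; the HMAC tag over the manifest can,
        # as long as the key was not available on the same machine.
        forged = {"files": build_manifest(root), "tag": sealed["tag"]}
        report["forged_manifest_detected"] = verify(root, forged, key)["manifest_tampered"]
    return report


if __name__ == "__main__":
    for item, value in demo().items():
        print(f"{item}: {value}")
```

Note that a checksum alone detects corruption from equipment malfunction but not deliberate alteration by someone who can also rewrite the checksum list; the keyed tag over the manifest is what covers the second case.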
Part 3

Best Practices

Industry standard “best practices” are commonly used during design, development and implementation activities of all kinds. Information security activities involve the same types of tasks, and therefore benefit from the use of best practices as well. There is no reason to “reinvent the wheel”.

According to one study, organizations that employed best practices enjoyed greater success in their information security efforts than those that did not do so [35]. Specifically, organizations that employed best practices saw a decrease in:

• Exploitation of operating system vulnerabilities.
• Network security incidents.
• Customer/employee records being compromised.
• Alteration of system and application files.
• E-mail system downtime.
• Downtime due to security breaches.
• Financial loss due to security incidents.

Also, litigation often focuses on “due diligence” and whether best practices were used during product (or infrastructure) design and development activities. This is true regardless of whether a lawsuit involves a vendor, a customer, a competitor, an employee or former employee, or a “script kiddie” who launched a “denial of service” attack on your web site.

The following organizations publish industry “best practices” guidelines for dealing with information security issues:

• Information Security Forum (ISF): A leading independent and international authority on information security, with members in 50% of Fortune 100 companies. The ISF aims to deliver practical guidance and solutions to overcome today’s wide-ranging security challenges. Best practices are defined in their massive 247-page document, The Standard of Good Practice for Information Security. URL: http://www.securityforum.org

The Standard of Good Practice for Information Security covers:

1. Enterprise-wide security management.
2. Critical business applications.
3. Computer installations.
4. Networks.
5. Systems development.

• International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC): ISO is an international standard-setting body composed of representatives from national standards bodies. Similarly, IEC is an international standards organization dealing with electrical, electronic and related technologies. ISO and IEC often jointly publish standards documents. ISO/IEC 17799 contains guidelines for best practices in information security. URLs: http://www.iso.org and http://www.iec.ch

ISO/IEC 17799 deals with:

1. Security policy.
2. Organization of information security.
3. Asset management.
4. Human resources security.
5. Physical and environmental security.
6. Communications/operations management.
7. Access control.
8. Acquisition, development and maintenance.
9. Information security incident management.
10. Business continuity management.
11. Compliance.

• The Computer Security Division (CSD) is one of eight divisions within the Information Technology Laboratory of the National Institute of Standards and Technology (NIST). CSD acts to improve information systems security by raising awareness, devising techniques, and developing standards and validation programs. CSD publishes many general and specific documents relating to information security. For example, its “800 series” of Special Publications deals specifically with security guidelines. URL: http://csrc.nist.gov

Noteworthy documents published by NIST and its divisions include:

Special Publication 800-30: Risk Management Guide for Information Technology Systems. Topics include:

1. Risk management overview.
2. Risk assessment.
3. Risk mitigation.
4. Evaluation and assessment.

NIST Special Publication 800-26: Security Self-Assessment Guide for Information Technology Systems. This covers:

1. Management controls.
2. Operational controls.
3. Technical controls.

Engineering Principles for Information Technology Security (A Baseline for Achieving Security). This deals with:

1. Security foundation.
2. Risk.
3. Ease of use.
4. Resilience.
5. Vulnerabilities.
6. Networking.

• The SANS Institute was established in 1989 as a cooperative research and education organization. SANS (an acronym for Sysadmin, Audit, Network, Security) is now a widely-trusted worldwide source for information security training and certification. It maintains more than 1,200 freely available, original papers on various aspects of information security, and it operates the Internet’s early warning system: the Internet Storm Center. SANS also publishes its own news digest (NewsBites), a vulnerability digest (@RISK), and flash security alerts. URL: http://sans.org

Noteworthy documents published by SANS include:

Information Technology System Security Plan - Development Assistance Guide (http://sans.org/projects/systemsecurity.php). This covers:

1. System identification.
2. Management controls.
3. Operational controls.
4. Technical controls.

Information Security Management - SANS Audit Check List. This summarizes the same 11 subjects as the ISO/IEC 17799 specification (see previous).

• Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI): ISACA is a global organization for information governance, control, security and audit professionals. ITGI is a research think tank that exists to be the leading reference on IT-enabled business systems governance for the global business community. Jointly they publish Control Objectives for Information and Related Technology (COBIT), which is a set of best practices for information management. URLs: http://www.isaca.org and http://www.itgi.org

• The CERT Coordination Center of Carnegie Mellon University’s Software Engineering Institute studies Internet security vulnerabilities, researches long-term changes in networked systems, and develops information and training to help improve security. They created the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method for defining essential components of a security risk evaluation. Using the OCTAVE Method, executives and IT departments can work together to make information-protection decisions and address information security needs. URL: http://www.cert.org
Part 4
Cybercriminals and Their Attack Vehicles

For thousands of years, security threats consisted of physical attacks such as break-ins and hold-ups. The nearly sequential births of computer science and the Internet have forever changed the way criminals—such as thieves, con artists and corporate spies—commit their crimes.

4.1 Cybercrime

For thousands of years people have sought to obtain physical goods such as food, weapons, jewelry, or more recently, automobiles. But in recent decades there has been an explosion of globally available digital information that is increasingly seen to have a definite dollar value.

Hence today, people will pay good money for information, whether such was obtained legally or not. Worse, companies themselves are now starting to buy stolen enterprise information from corporate spies [39], and to hire script kiddies [13] to attack another company’s web site [22], to gain a competitive edge.

This new demand for information has spawned cybercriminals, who are commonly but incorrectly known as hackers. True hackers have a passion for learning a technology so that they can innovate, regardless of whether they gain financially or not. Cybercriminals have a passion only for achieving illegal financial gain by learning a technology well enough to exploit it.

While hackers may be a nuisance, cybercrime is a severe and costly problem. The US Treasury Department’s Office of Technical Assistance estimated that cybercriminals reaped $105 billion in 2004—more than illegal drug sales provided! [18]

After gaining access to a computer, cybercriminals will steal copies of saleable information, or will use a type of malware called ransomware to take enterprise information hostage [18], or will destroy or corrupt data as an act of sabotage or revenge, or will drain funds from bank accounts.

The Federal Bureau of Investigation (FBI) has reported that cybercriminals have attacked almost every Fortune 500 company at some time [12]. Recently, cybercriminals are finding it more profitable—and less risky—to sell their malware to other cybercriminals, instead of directly mounting an attack themselves.

Cybercriminals are not always shadowy outsiders who do their dirty work from afar. Indeed, roughly half of cybercriminals are (or were) employees of the very firms from which they steal [1]. Such “inside jobs” cost U.S. business $400 billion per year, according to the Association of Certified Fraud Examiners. Of that, $348 billion can be tied directly to employees who had been assigned higher-than-average computer access privileges [18].

On a more personal level, cybercriminals sell stolen information such as credit card numbers to unscrupulous individuals who intend to use this information for personal gain. According to a Federal Trade Survey, around 9.9 million Americans were victims of identity theft in 2003. In 2005 at least 55 million Americans were exposed to potential identity theft [7], and losses due to Internet fraud in the first four months of 2005 alone totalled $1.5 billion ($800 million more than for all of 2004).

A less-personal but more widespread form of criminal activity is the production of ordinary malware such as viruses, worms and spyware, which routinely cripple enterprise information systems, computer-based products, and personal computers alike, forcing victims to repeatedly perform costly mitigation activities.
4.2 Malware

Cybercriminals often use malicious software (malware) as attack vehicles to break into, or cripple, computers and other types of information systems [2, 3]. Today, malware is spread almost entirely through computer networks, both private and Internet. Therefore, network security—a subset of information security—is becoming ever more important.

How widespread is the malware problem? In June 2006, security firm Sophos identified more than 180,000 different types of malware traversing the Internet, which is 40,000 more than was found in June 2005 [10].

Microsoft’s Malicious Software Removal Tool, which is distributed by Microsoft as part of its critical updates each month, removed more than 16 million pieces of malware from 5.7 million Windows computers during the 15 months prior to June, 2006 [8]. About 3.5 million of those Windows computers also had at least one “backdoor Trojan” installed—usually of the “botnet” variety—placing such computers under cybercriminals’ direct control.

Common types of malware include worms, viruses, spyware, adware, ransomware, rootkits and Trojans.

Malware has two basic attributes: self-replication ability, and primary vector type. Self-replication is the ability of software to make copies of itself; software can either self-replicate or it can’t. A vector is the delivery medium used to carry software to its destination; software can be carried by physical media such as disks, or it can be transmitted over a network such as the Internet [4].

Typical attributes of common malware are shown in table 4.1.

Table 4.1: Malware Attributes

Self-replicating   Primary Vector   Common Malware
No                 Physical media   Spyware, adware, Trojans and rootkits
No                 Network          Rootkits, spyware, adware and Trojans
Yes                Physical media   Viruses
Yes                Network          Worms

4.2.1 Worms

A worm is self-replicating software that can automatically find and penetrate remote computers or information systems on a network, by exploiting a vulnerability known to exist in application software running on those targets. Once penetration is accomplished, a worm will permanently install itself in its victim and then immediately seek other victim computers on the network.

Additionally, modern worms contain a payload designed to allow cybercriminals to profit from the worm’s presence inside a computer. For example, a worm may turn infected computers into zombies as described in section 4.4.

Worms do not need human help to infect a vulnerable device. They simply need a network connection to that device. Hence, simply unplugging or disabling a device’s network and Internet connections (creating an air gap) would absolutely prevent worms from ever infecting that device. Obviously, that would reduce a device’s usefulness in today’s networked environment.

Worms replicate and propagate extremely quickly. In 2003, the Slammer worm infected every vulnerable computer in the world within 15 minutes of being released [33].

You should be aware that in 2005-2006 cybercriminals began to create proof-of-concept worms designed to find and infect Bluetooth-enabled cell phones that use Symbian’s embedded operating system. Bluetooth is a form of wireless network used by mobile devices such as cell phones and PDAs. Future Bluetooth worms could infect quite a few types of mobile devices, including automobiles.

4.2.2 Viruses

A virus is self-replicating software that, when activated, is able to attach copies of itself to other compatible files that are found within reach. A virus becomes
active and replicates itself only when its host file is executed (opened). Hence viruses most often replicate only with human help. A virus can replicate without human help only if someone has set up a means for a computer to automatically execute (open) an infected file, possibly by using a scheduler program.

Aside from self-replication, a virus can be manually replicated by simply making a copy of its host file. This can even happen during routine backups, where infected files are copied from one computer to another. However, copies are in fact dormant and benign unless executed (opened).

While the primary purpose of a virus is to replicate itself, some viruses carry a payload designed to cause damage by deleting or corrupting files. A large number of viruses carry a payload that is simply annoying. For example, some viruses display an egotistical or political message of some kind.

Viruses were once the most important and extensive type of malware, but worms now have that title because worms are much faster and more effective.

4.2.3 Spyware

Spyware is surveillance software that gains entry to a computer only with human help. Once entry is gained, spyware will permanently install itself in its new host, often not only hiding itself but also rigging the computer to automatically re-install itself should someone remove it. Once installed, spyware will automatically start running every day as soon as your computer is powered up.

Spyware has only one purpose: to collect specific information about you, and then transmit that information to someone who can profit from that information. For example, in 2005 researchers found evidence of a massive spyware-based identity theft ring that used keystroke loggers to obtain personal information [37].

Collected information can include anything stored on your hard drive, anything you type on your keyboard, and anything you view on web pages:

• Your contact information (name, address, phone number, etc.).
• Your demographic information (age, sex, race, sexual preference, city, state, income, etc.).
• Information about your buying habits.
• Your passwords and account numbers.
• Your bank accounts and balances.
• Your credit card numbers and expiration dates.
• Addresses of web sites you visit.
• Your search engine queries.

Common sources of spyware are spam e-mail attachments, disreputable or hacked-into web sites, disreputable application software, free games, and third-party screensavers.

Spyware can enter a computer only when someone opens infected e-mail attachments, visits infected web sites, installs infected application software, or installs infected screensavers. Otherwise spyware would never enter your computer.

The National Cyber Security Alliance reported that 91% of computers in a studied group had been infected by spyware. Webroot Software (in association with Internet service provider EarthLink) scanned more than one million Internet-connected computers and found an average of 28 spyware programs on each computer [18]. Some people actually have many hundreds of spyware programs on their computer.

4.2.4 Adware

Adware is closely related to spyware in terms of its source, technical characteristics, and operation. But whereas spyware informs someone else about you, adware is designed to inform you about products or services offered by someone else.

A computer infected by adware may:

• Display “pop-up” advertisements for products, services or pornography.
• Hijack your web browser so that you will be exposed to specific online shopping sites.
• Notify disreputable companies of your e-mail address so that they can send you unsolicited mail (spam) containing all types of offers.
• Attempt to influence your political position.
4.2.5 Ransomware

First seen in 2006, ransomware is designed to take a victim’s data hostage by encrypting one or more specific types of data files stored on a victim’s computer. After this is accomplished a ransom demand will be made known to the victim.

Money is usually demanded in exchange for a decryption key with which to restore the victim’s data. Small-time ransomware demands as little as $10.99 or as much as a few hundred dollars per computer—payable through PayPal or Western Union—which increases the likelihood that someone will pay the ransom [18]. Big-time ransomware can immobilize enterprise databases until tens (or hundreds) of thousands of dollars are paid.

An interesting aspect of ransomware is that it can’t propagate by itself. It must be carried as a payload by an attack vehicle such as a virus or worm.

4.2.6 Trojans

A Trojan is an appealing or seemingly useful software program, usually free, that actually contains some type of malware.

A Trojan cannot infect a computer unless someone deliberately obtains and installs such software. Hence, a Trojan is a clever way to entice victims to voluntarily install malware on their computer.

Trojan programs usually fall into the following categories:

• Games and related programs.
• Screensavers.
• Anti-virus or anti-spyware programs (ironically).
• Pirated software (“warez”).
• Trendy software for children and teens.

4.2.7 Rootkits

A rootkit is software that hides itself in a computer, obtains administrative privileges and then replaces some normal operating system functions with its own [32]. Rootkits are undetectable by many experts and usually cannot be removed without destroying the operating system’s capability to function normally.

Traditionally, rootkits have been used by cybercriminals to gain unrestricted “super-user” access to remote computers. But recently, some companies like Sony have begun to use rootkit technology for Digital Rights Management purposes to control access to digital data such as software, music and movies.

4.3 Zero-day Exploits

In 1995, new malware spread so slowly that software companies and anti-virus vendors had sufficient time to roll out patches and anti-virus updates before that new malware got out of control.

Ten years later it took mere hours for cybercriminals to roll out malware that took advantage of the newly discovered Windows Metafile vulnerability, but it took Microsoft nine days to release a patch to fix that vulnerability [18]. As mentioned in section 4.2.1, malware can infect every vulnerable computer in the world within minutes of being released. As a result, those cybercriminals were able to wreak havoc around the globe for the entire nine day time period.

The immediate exploitation of the Windows Metafile vulnerability was a prime example of a zero-day exploit. Unfortunately, zero-day exploits are becoming more common as time goes by.

4.4 Zombies and Botnets

A zombie is an Internet-connected computer that was successfully attacked in a manner designed to place it under the remote control of a cybercriminal. Such attacks are usually performed automatically by worms carrying a specific type of payload, although a cybercriminal may choose to accomplish that deed manually. Owners of zombies are usually unaware that their computers were compromised.

A single worm can quickly turn a large number of computers into zombies. This will form a botnet, which is a special-purpose distributed computing farm with a very high-bandwidth connection to the Internet.
Today, most cybercriminals do not personally use the botnets they create. Instead, they find it much more profitable to sell or rent their botnets to other cybercriminals who don’t possess technical skills required to create botnets themselves. Sadly, some botnet creators are even advertising “first hour free” sales to potential customers.

Botnets are usually put to two primary (and profitable) uses, although their possibilities are many:

• Spam e-mail generation. According to estimates, in 2006 between 50% and 75% of all spam worldwide originated from zombies. Disreputable businesses use zombies or botnets to produce spam that cannot usually be traced back to its source.
• Distributed Denial Of Service (DDOS) attacks. Disreputable businesses use botnets to disable a competitor’s web site or e-mail server in a manner that cannot usually be traced back to its source [18].

Everyone faces the risk of having their computer become a member of a botnet. During one investigation, the U.S. Justice Department found that hundreds of Department of Defense and U.S. Senate computers were botnet members, generating spam under outside control [18].

4.5 Anti-virus Software

Anti-virus software is hyped by its vendors as a “cost-effective” solution to the very large problem of malware. Contrary to what its name implies, most anti-virus software is designed to fight several types of malware, not just viruses.

Anti-virus software uses a malware “signature” database combined with a heuristics engine to detect other, similar types of viruses. In practice, heuristics engines are not as effective as one might think, merely because vendors would receive too many complaints about “false positives” if heuristics engines erred on the side of caution.

Advantages of anti-virus software include:

• Detection of thousands of known kinds of malware.
• Automatic deactivation of detected malware.
• Periodic updates to signature databases and heuristics engines.
• Widespread availability of free or inexpensive versions.

Disadvantages of anti-virus software include:

• Each vendor’s anti-virus software produces slightly different results. None has “100% coverage” of all known viruses.
• Generally, you cannot install more than one anti-virus software package at a time (which would have increased coverage).
• Today, detected malware can no longer be removed from infected files. Instead, infected files can only be deleted or quarantined, possibly resulting in data loss, data corruption, or the inability of application software to run.
• It doesn’t protect a computer against all known types of malware. This is usually deliberate, as vendors would rather sell you two or more types of protection software instead of just one. Also, certain types of malware such as rootkits have never been (and may never be) detected by anti-virus or other protection software.
• Updates to signature databases and heuristics engines always lag hours or days behind the arrival of new types of malware [18]. The increasing use of zero-day exploits is making anti-virus and other protection software irrelevant.
• Updates are usually not free; they often require a paid yearly subscription.
• Using anti-virus software gives people a false sense of security because of marketing hype, blind trust in technology, and ignorance of anti-virus software limitations.
• Anti-virus itself is vulnerable to attack [18]. New types of malware have been known to silently deactivate or cripple anti-virus and other protection software, so that the malware can permanently escape detection.
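To make the signature-versus-heuristics trade-off described in section 4.5 concrete, here is an added illustration in Python; it is not code from this paper or from any anti-virus vendor. The sample “files”, the signature names (BotClient.A, BotClient.gen), the heuristic rules and the threshold are all constructed for the example and contain no real malware. It shows a whole-file hash signature catching only the exact known sample, a byte-pattern signature catching a lightly modified variant, and a scoring heuristic catching a rewritten sample that shares no bytes with the original, while a benign text file scores below the threshold. That threshold is the knob a vendor turns to avoid the false-positive complaints the text mentions, and the whole approach still does nothing for a sample whose hash, pattern and traits are all unseen, which is the update lag the text describes.

```python
"""Toy signature-plus-heuristics scanner (added example; constructed data only)."""
import hashlib
import re

# --- Constructed sample "files" (byte strings standing in for files on disk) ---
KNOWN_BAD = b"MZ\x90\x00 BOTCLIENT v1 JOIN #cmd NICK zombie1 connect 203.0.113.5:6667"
# One field changed: defeats a whole-file hash signature but not a byte pattern.
VARIANT = KNOWN_BAD.replace(b"zombie1", b"zombie2")
# A rewritten sample sharing no byte pattern with the original: only heuristics help.
NEW_FAMILY = b"MZ\x90\x00 agent-x cmd-channel=#ops irc=203.0.113.9 port=6668 autostart=1"
# Benign text that mentions "connect" and a time, to show single traits do not flag.
BENIGN = b"Dear Bob, let's meet at 10am and connect later about the report."

SAMPLES = {
    "known_bad.bin": KNOWN_BAD,
    "variant.bin": VARIANT,
    "new_family.bin": NEW_FAMILY,
    "letter.txt": BENIGN,
}


def sha256_hex(data: bytes) -> str:
    """Whole-file digest used as an exact-match signature."""
    return hashlib.sha256(data).hexdigest()


# Signature database: exact hashes plus byte patterns an analyst extracted from a sample.
HASH_SIGNATURES = {sha256_hex(KNOWN_BAD): "BotClient.A"}
PATTERN_SIGNATURES = {b"BOTCLIENT v1 JOIN #cmd": "BotClient.gen"}

# Heuristic rules (constructed): each matching trait adds its weight to a score.
HEURISTIC_RULES = [
    (re.compile(rb"\bMZ\x90\x00"), 1, "executable header"),
    (re.compile(rb"(irc=|NICK |JOIN #)"), 2, "IRC command-and-control strings"),
    (re.compile(rb"\b\d{1,3}(\.\d{1,3}){3}\b"), 1, "hard-coded IP address"),
    (re.compile(rb"(autostart|autorun)"), 2, "persistence marker"),
]
# Raising this lowers false positives and lets more unknown samples through.
HEURISTIC_THRESHOLD = 4


def scan(data: bytes) -> dict:
    """Return a verdict dict: which method fired (hash, pattern, heuristic or none)."""
    digest = sha256_hex(data)
    if digest in HASH_SIGNATURES:
        return {"verdict": HASH_SIGNATURES[digest], "method": "hash", "score": 0, "traits": []}
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return {"verdict": name, "method": "pattern", "score": 0, "traits": []}
    score, traits = 0, []
    for regex, weight, label in HEURISTIC_RULES:
        if regex.search(data):
            score += weight
            traits.append(label)
    if score >= HEURISTIC_THRESHOLD:
        return {"verdict": "Suspicious.gen", "method": "heuristic", "score": score, "traits": traits}
    return {"verdict": "clean", "method": "none", "score": score, "traits": traits}


def scan_all(samples=SAMPLES) -> dict:
    """Scan every constructed sample and return {name: verdict}."""
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:16} {result['method']:10} {result['verdict']:15} score={result['score']}")
```

Running the block prints one line per sample: the original is caught by its hash, the variant only by the byte pattern, the rewritten sample only by the heuristic score (6 of a threshold of 4), and the letter is reported clean.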
4.6 The Writing on the Wall

Ponder This: What good is protection software such as anti-virus or anti-spyware software, when their detection signatures and heuristics engines can only be updated hours or days after new malware has attacked your computer? Isn’t that like slamming the barn door after the horse has bolted?

Now, consider these facts (as of July, 2006):

• Microsoft Windows has a 90% market share worldwide.
• Obviously, the remaining 10% do not run Windows.
• Almost 100% of the roughly 180,000 known types of malware can only target computers running Windows. They have no effect on non-Windows computers.
• The number of known types of malware that target non-Windows operating systems can be counted on one hand. Security firms estimate that for each of these, the number of infections found “in the wild” are in the 0-49 range.

Possible Conclusions:

• Microsoft and/or anti-virus companies will save us somehow. Or...
• We’re doomed. Or...
• It’s OK to suffer, since everyone else in the world is suffering too. Or...
• Keep using Windows computers, just don’t store anything important on them. Or...
• Don’t use the Internet at all. Or...
• Use two Windows computers instead of one, where one is used only for Internet access and the other is protected by an “air gap”. Or...
• Stop using Microsoft Windows. Duh!

News Flash: Sophos, a security software vendor that caters primarily to corporate users of Microsoft Windows, now recommends that home users replace their Windows PCs with Apple Mac computers [29]. This is the proverbial “writing on the wall”.

Side Note: For four years this author has run his business exclusively on Linux. Results: No licenses, no patches, no updates, no anti-virus, no fears, no blue screens, no “pop-up” advertisements, no spyware, no adware, no worms, no crashes, no downtime, no expenses.
Part 5
Internet & Network Threats

The rise of ubiquitous data communications networks—such as corporate networks, wireless networks, and the Internet—coincides with the rise of network-borne attack vehicles and the decline of simple viruses.

5.1 Targeting

As mentioned in Part 4, cybercriminals and worms use a network such as the Internet to find vulnerable computers. But exactly how is this accomplished, and what can be done to stop it?

A review of four basic networking concepts, plus an introduction to three common diagnostic programs, is required before we can address that question.

5.2 Networking Concepts

• Every computer on a network is assigned a unique network address, commonly called an IP address. A computer’s IP address is analogous to a building’s street address. IP addresses are commonly expressed as four decimal numbers, each between zero and 255 inclusive, separated by a period. “216.109.112.135” is an example of an IP address.
• The Domain Name System (DNS) was developed to allow human-readable computer names (such as “google.com” or “yahoo.com”) to be specified instead of IP addresses. DNS “servers” are provided as part of Internet and network infrastructures to translate such names into corresponding IP addresses. For example, “google.com” might be translated into “72.14.207.99”, from which we can deduce that the computer serving Google’s web page has an IP address of “72.14.207.99”.
• A computer can obviously execute software that communicates over the network with another computer running compatible software. That’s how you “surf the web”. But you can run an e-mail program at the same time as a web browser. A computer prevents communications conflicts between programs by assigning a unique port number to each program. A port number is expressed as a single decimal number between 1 and 65,535 inclusive, and is analogous to an apartment number within a building. Well-known port numbers are those traditionally used for a specific function. For example, web server programs normally use port 80.
• A program running on one computer can communicate with a program running on another computer only by first establishing a “connection”. It does so by transmitting a connection request to a specific port number at the other computer’s IP address or name. A connection request is received by a program only if it is actually “listening” on its assigned port number. For example, web servers listen on port 80 for connection requests from remote web browsers. When a program is listening on a port, that port is said to be “open”.

At this point we are on the verge of understanding how cybercriminals or worms locate computers on a network. However, a quick look at some common networking tools would add some clarity to our discussion.

5.3 Diagnostic Software

Networking specialists use several types of diagnostic programs to accomplish common network-related tasks, such as:
• Verifying network connectivity between two computers.
• Determining whether any computer has been assigned a particular IP address or name.
• Discovering which, if any, ports are open at a specific IP address.

Ping

One such diagnostic program is built into every computer operating system. That program is called ping and it’s quite easy to use. You can try it right now:

1. In Windows, click Start - Run and then type cmd into the “Open” textbox. Click OK. A black command-line window will appear. If this fails, use another means to bring up an MS-DOS command window.
2. Type ping google.com and then press Enter. If your computer is set up in the normal manner, you will see something like this:

    Pinging google.com [72.14.207.99] with 32 bytes of data:
    Reply from 72.14.207.99: bytes=32 time=71ms TTL=245

From this response we can infer that:

• A DNS server was able to translate “google.com” into a specific IP address, and...
• The ping program was able to send a request over the Internet to a remote computer at that IP address, and...
• A program at that IP address was listening on the appropriate port number, and...
• That program sent a response back to our ping program.

Ping programs accept either a computer name such as “google.com” or an IP address such as “72.14.207.99”. So you could have typed “ping 72.14.207.99” instead of “ping google.com”.

Netstat

Another diagnostic program called netstat is built into every computer operating system. It lets you see which ports are open on your computer, and which network connections to other computers are established [4].

Netstat is not a beginner’s tool, but once you learn how to use it you can:

• Discover certain types of malware running on your computer. For example, the so-called Nachi worm will open port 707 for malicious purposes once the worm has infected a computer.
• Identify potential security risks by identifying which standard ports are open. For example, port 21 indicates the presence of an FTP server running on that computer, and FTP servers are a known security risk.

Nmap

Another diagnostic program is called Nmap, which is a free third-party program (not provided with Windows). Nmap falls into the port scanner category even though it performs many other functions [2].

A port scanner is an automated means to determine which ports at an IP address are open. A port scanner does its job by sending thousands of connection request messages to thousands of port numbers at a target IP address, hoping to receive some replies. When finished, port scanners will display a list of open ports if any were found.

Nmap can also perform a ping sweep. A ping sweep is an automated means to find computers on a network, by blindly running the equivalent of a ping command against every IP address within a given range. When finished, a ping sweeper will display a list of IP addresses for which ping succeeded.

A ping sweep and a port scan may be combined to produce a list of open ports for every computer within a range of IP addresses. This can bring to light some rather interesting facts. For example, this author once discovered that 16 computers at a customer’s facility were infected by the Nachi worm, because port 707 was open on those computers.

If you are interested in Nmap you can visit its web site (http://www.insecure.org/nmap/).
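As an added example (not part of the paper) covering the IP address and port rules of section 5.2 together with the netstat review described above, the following Python script parses constructed output in the style of netstat -an on Windows, validates every address and port against those rules, lists the ports that are open on the local machine, and flags the ones the text singles out (port 707 as a Nachi worm indicator, port 21 as an FTP server). The sample output, the addresses in it and the watch list are constructed for the example. To apply it to a real machine, run netstat -an, save the text, and pass it to review(); the watch list would normally hold whatever ports your own baseline says should not be open.

```python
"""Review netstat-style output for open ports (added example; constructed data)."""
import re

# Constructed text in the style of "netstat -an" on Windows; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:707            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3254      72.14.207.99:80        ESTABLISHED
  TCP    192.168.1.10:3255      216.109.112.135:443    ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports the paper singles out; the reasons paraphrase its text.
WATCHLIST = {
    707: "opened by the Nachi worm on infected computers",
    21: "FTP server (a known security risk)",
}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_ipv4(text: str) -> str:
    """Accept only four decimal fields, each 0-255, separated by periods (section 5.2)."""
    parts = text.split(".")
    if len(parts) != 4 or not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted-decimal IPv4 address: {text!r}")
    if any(int(part) > 255 for part in parts):
        raise ValueError(f"field out of range in {text!r}")
    return ".".join(str(int(part)) for part in parts)


def parse_endpoint(text: str):
    """Split 'ip:port' into (ip, port). '*:*' and port 0 are netstat's 'unspecified'."""
    if text == "*:*":
        return None, None
    host, sep, port_text = text.rpartition(":")
    if not sep or not port_text.isdigit():
        raise ValueError(f"malformed endpoint: {text!r}")
    port = int(port_text)
    # Real port numbers are 1-65535; netstat prints 0 when there is no peer yet.
    if port > 65535:
        raise ValueError(f"port out of range in {text!r}")
    return parse_ipv4(host), port


def parse_netstat(output: str) -> list:
    """Turn each TCP/UDP line into a dict; header and blank lines are skipped."""
    entries = []
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, local, foreign, state = match.groups()
        local_ip, local_port = parse_endpoint(local)
        foreign_ip, foreign_port = parse_endpoint(foreign)
        entries.append({"proto": proto, "local_ip": local_ip, "local_port": local_port,
                        "foreign_ip": foreign_ip, "foreign_port": foreign_port,
                        "state": state or ""})
    return entries


def open_ports(entries: list) -> list:
    """TCP sockets in LISTENING state and any bound UDP socket count as open."""
    return sorted({(e["proto"], e["local_port"]) for e in entries
                   if e["proto"] == "UDP" or e["state"] == "LISTENING"})


def review(output: str, watchlist=WATCHLIST) -> dict:
    """Summarise open ports, watch-list hits and established peers."""
    entries = parse_netstat(output)
    opened = open_ports(entries)
    findings = [(proto, port, watchlist[port]) for proto, port in opened if port in watchlist]
    established = [(e["foreign_ip"], e["foreign_port"]) for e in entries
                   if e["state"] == "ESTABLISHED"]
    return {"open": opened, "findings": findings, "established": established}


if __name__ == "__main__":
    report = review(SAMPLE_NETSTAT)
    for proto, port in report["open"]:
        print(f"open   {proto} {port}")
    for proto, port, reason in report["findings"]:
        print(f"FLAG   {proto} {port}: {reason}")
    for ip, port in report["established"]:
        print(f"peer   {ip}:{port}")
```

On the constructed sample the script lists TCP 21, 80 and 707 and UDP 137 as open, flags 21 and 707 with the reasons from the text, and shows the two established connections to web servers; a line with an address field above 255 or a port above 65535 is rejected rather than silently accepted.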
5.4 Vulnerabilities, Exploits & Patches

Now, we can finally address how cybercriminals or worms find vulnerable computers on a network.

Cybercriminals (or worms) can simply perform a ping sweep to locate active computers. Then, for each corresponding IP address, they can run a port scan to locate open ports. Interestingly, cybercriminals can also use search engines such as Google to discover vulnerable servers [2].

If a well-known port number is open, it’s clear that a specific type of program is running on that computer. For example, if port 465 is open then one can assume that a mail server program is running.

Cybercriminals and security experts alike know that some programs are known to have certain vulnerabilities, which can be exploited in specific ways.

A cybercriminal or worm need simply transmit a specially crafted message to a vulnerable program, to cause that program to malfunction in a predictable way, resulting in a highly desired result: external control of that computer [13].

That’s why it is critically important for vendors to discover and immediately fix vulnerabilities in their software.

And, that’s why it is critically important for you to apply security updates to all of your software the very instant these become available.

5.5 Port Management

Imagine this dialog:

Patient: “It hurts for hours every time someone kicks me in the shins. What can I do about it?”
Doctor: “Stop letting people kick you in the shins!”

If open ports will expose vulnerabilities, why keep them open?

Windows used to be famous in network security circles for its wide-open port configuration “out of the box” [4]. For example, prior to Service Pack 2’s (SP2’s) arrival, Windows XP Home Edition’s default configuration opened the “messenger service” port. That service is traditionally used by corporate system administrators to send official announcements to employees. But why enable that service in XP’s home edition? Did Microsoft think that each home contains multiple PCs supervised by a system administrator?

Furthermore, most home computers have Internet access, which means that “average Joe” has all kinds of ports open on the Internet. So it was easy for disreputable companies to set up automated ping sweeps and port scans to find every open messenger service port on the Internet, so that advertisements could be sent continuously to every available home computer in America. Thanks, Microsoft!

At least Microsoft’s SP2 closed that security hole. But what about other open ports? You have several choices:

1. Learn about network security so that you can manage port-related security risks yourself. Advantages: Your port configuration will match your specific requirements. You won’t be blindly following someone else’s advice for better or worse. Disadvantages: The learning process is time-consuming. Your initial security fixes will be delayed until you know what you’re doing.
2. Have a computer geek close them for you. Advantages: You will get expert help in short order. Disadvantages: You must blindly trust that geek, for better or worse.
3. Install a firewall. Advantages: You will be protected in short order. Later, you can “tweak” your firewall to match your specific requirements. Disadvantages: At least initially, you must blindly trust your firewall vendor’s default configuration, for better or worse. Some firewalls are themselves vulnerable to attacks by cybercriminals or their worms.

5.6 Firewalls

A firewall is a software or hardware means to block certain types of network traffic while allowing other types to pass. Therefore, a firewall can place a large
obstacle in the path of cybercriminals and worms [2, 3, 4]. Interestingly, the recent increase in firewall usage has caused many cybercriminals to shift their focus to social engineering techniques (see section 5.7.10).

Two types of firewalls exist: Hardware, and software. You can use both at the same time to get the best of both worlds, which is precisely what this author recommends.

Hardware Firewalls

A hardware firewall is a piece of electronic equipment designed to block common types of network threats. Hence you must connect it in-line between a “dirty” network (such as the Internet) and your computer, so that all network (or Internet) communications must pass through the firewall.

The best hardware firewalls employ Network Address Translation (NAT) and Stateful Packet Inspection (SPI), which prevent unsolicited external network or Internet traffic—such as attack probes generated by cybercriminals or worms—from ever reaching your computer.

Firewalls using both NAT and SPI are not that expensive ($100 & up). Do yourself a favor and insist on both NAT and SPI when purchasing a hardware firewall.

Advantages of a hardware firewall include:

• One device can protect an entire private network.
• It provides a central “control panel”. All computers behind the firewall will receive the same type of protection.
• It is less vulnerable to attack than software firewalls.
• It usually has a built-in Internet sharing feature, automatically providing Internet access to all computers behind the firewall.
• It can usually be configured to block certain communications protocols, IP addresses, web site URLs, web page keywords, etc.

Disadvantages of a hardware firewall include:

• It costs $50-200.
• An extra piece of equipment must be maintained.
• It introduces an extra point of failure.
• It cannot be configured to disallow specific software programs from obtaining network (or Internet) access.
• It will not notify you when a new type of software program running on your computer attempts to obtain an outbound connection to a remote computer. Many types of malware will try to “phone home”, and you don’t want them to do that.

Software Firewalls

A software firewall is a program designed to block common types of network threats. You must install this program on every computer connected to a network (or the Internet).

The best software firewalls employ Stateful Packet Inspection (SPI), which provides additional protection against attacks mounted by cybercriminals or worms.

Advantages of a software firewall include:

• No extra equipment is required.
• No hardware failure can occur.
• Some are available free of charge (within the terms of their license).
• It can be configured to disallow specific software programs from obtaining network (or Internet) access.
• It will notify you when a new type of software program running on your computer attempts to obtain an outbound connection to a remote computer.

Disadvantages of a software firewall include:

• It is vulnerable to attack, just like any other software. As of April 2005, almost 80 vulnerabilities had been discovered in defensive (firewall and anti-virus) software products sold by Symantec, F-Secure, CheckPoint Software Technologies, and others.
PART 5. INTERNET & NETWORK THREATS

• If you have more than one computer you may have to pay additional license fees.

• You must manually ensure that every firewall is set up the same (there is no central “control panel”).

• If you use an Apple Mac and a Windows PC, you must buy and learn two entirely different types of software firewalls.

5.7 Safe Computing

So far we have been focusing on how cybercriminals or malware invisibly attempt to get into your computer, and what defenses you can mount to keep them out.

But what if you unwittingly invite them into your computer?

This is more common than you may think. First, consider this fictional story:

To keep out criminals you have fortified your property by erecting a barbed-wire fence with a locked gate. Every day you unlock that gate and cross the road to fetch your newspaper and your mail. One day, you pause to read a startling front-page story before returning home, where you discover that your wallet is no longer on the kitchen table!

Now, consider this analogous but true story:

To keep out cybercriminals you have fortified your computer by installing anti-virus software and a firewall. Every day you check your e-mail and surf the web to read top news stories. One day, you receive a startling e-mail message from your bank, stating that your account will be suspended unless you verify your account information. You click the e-mail’s web page link and fill out their form. Later, you discover that your bank account is empty!

Remember, a weak link in a chain will cause that chain to break.

Anti-virus software, firewalls and other technological protection methods are strong and important links in your chain of protection. However, your computing habits are chain links, too, and if they are weak then your chain will break.

You can tremendously strengthen your chain of protection by establishing safe computing habits [3, 31].

5.7.1 Good Habits

Safe computing habits include:

1. Use strong user ID / password combinations (see section 5.7.9).

2. Shred every printed page before throwing it out (see section 7.1.8).

3. Guard mobile electronic devices (such as PDAs and laptops) as if they were your wallet or purse. Don’t store PINs and passwords in these devices. See section 6.3.

4. Use a safe web browser such as Firefox to surf the web (see section 5.7.3).

5. Use a safe e-mail client such as Thunderbird to send and receive e-mail (see section 5.7.5).

6. Put a firewall on your Internet connection (see section 5.6).

7. Turn off your computer when you’re not using it, especially if your computer has a continuous connection to the Internet. Configure your computer to blank its screen and lock itself after a few minutes of inactivity (requiring a password to restore normal operation).

8. Encrypt confidential data stored in your computer or on external media such as disks or USB memory sticks, as described in section 7.1.9 [3, 4]. Use a strong password (see section 5.7.9).

9. Destroy old disks and tapes so that no one can read their contents (see section 7.1.6).

10. Use a Mac or a Linux PC when using the Internet (see section 4.6). Update every software program you own the instant an update is available (see section 5.4).

11. Never click on any web page link you find in any e-mail. Instead, type the web page address (URL) into your browser yourself. See section 5.7.10.
12. Avoid online accounts if you can. Otherwise, try to minimize the amount of personal information you provide to web sites. Lie if you must provide extra information that seems to have no bearing on your account. Absolutely avoid “secret questions” (a.k.a. “security questions”). See section 5.7.9.

13. Obtain a credit card with an extremely low credit limit, which you will use only for online shopping. Fraudulent charges will be much easier to spot that way. Make sure you never use a debit card for online purchases.

14. Disable all “macros” in office document-related programs (such as Microsoft Office). Configure those programs to also warn you if a macro is present in a document. Macros can be put to bad uses as well as good uses.

15. Never open e-mail attachments unless you absolutely have to. Never open any attachment directly by clicking on it (see section 5.7.4).

16. Occasionally check your computer and web browser security levels by running free online tests offered by computer security firms [3]. For example, PC Flank Ltd. (http://www.pcflank.com) offers six on-line tests: Quick Test, Advanced Port Scanner, Stealth Test, Browser Test, Trojans Test and Exploits Test.

5.7.2 Web Page Landmines

People use search engines such as Google and Yahoo! every day. Unfortunately, people mistakenly assume that search engines will find only quality web sites run by reputable individuals or companies.

In reality, search engines don’t filter search results to weed out web sites created by cybercriminals.

Even so, you may wonder what harm there could possibly be in simply viewing a web page. After all, it’s not as if viewing a web page could force malicious software down your computer’s throat, right?

ActiveX: A Nuclear Bomb

According to Microsoft, ActiveX is one of many “exciting and powerful features of Internet Explorer”, with which one can easily create “a rich browsing experience” when surfing the web.

Simply put, Microsoft’s ActiveX technology is a programming interface between Internet Explorer and your computer’s resources (disk drives, memory, files, sound cards, etc.). So, through the miracle of ActiveX, when you use Internet Explorer to view a web page containing a suitable program, that program can reach deep into your computer and do all sorts of things [2, 18]. It can even reboot your computer!

One software engineer was so aghast at the power of ActiveX that he created an informative web page titled “ActiveX: Or how to put nuclear bombs in web pages” [27]. Obviously Microsoft was unhappy about that, and threatened legal action against the engineer—for simply telling the truth.

Among other things, ActiveX can allow a disreputable web site to engage in a “drive-by download attack”, in which malware is quietly installed whenever a user visits that site.

The good news is that (as of July 2006), ActiveX only works with Internet Explorer. All other browsers—Firefox, Netscape, Opera and others—are, perhaps deliberately, incompatible with ActiveX. Therefore, no other browser permits web page programs to reach so deeply into your computer.

This author recommends against using Internet Explorer for that reason (see section 5.7.3).

Java

Java, not to be confused with JavaScript, is a general-purpose, standalone programming language invented by Sun Microsystems.

Java normally has nothing to do with web browsing. However, all modern web browsers contain a built-in interface to whatever Java run-time environment is installed on the computer. That interface allows Java programs to be embedded into web pages, introducing two additional security risks.

First, it’s possible that a flaw in Java’s run-time environment may be discovered and exploited. Fortunately, its run-time environment has suffered few known vulnerabilities, but new exploits are being seen on all fronts every year.
Second, Java can permit a disreputable web site to launch a “drive-by download attack” in an effort to install malware whenever a user visits that site.

Non-malicious Java programs are found in very few web pages, so this author recommends that you change your web browser’s configuration settings to disable Java. If you have occasional need to visit a reputable, Java-enhanced web site, simply re-enable Java long enough to view that web content. Then disable it again.

Jscript

Before discussing Jscript it is necessary to briefly mention its cousin, JavaScript. In 1995, Netscape Communications invented JavaScript to enable simple programs to be embedded in web pages. Later, JavaScript was adopted as an international standard. JavaScript was designed with the user’s security in mind from the very beginning.

Jscript is Microsoft’s version of JavaScript. That means it does not follow the actual international standard. Due to Microsoft’s “embrace and extend” philosophy, Jscript offers many more powerful capabilities than does JavaScript.

While this extra power may allow one to have “a rich browsing experience”, it also exposes one to greater risk when surfing the web, because more power generally equates to more security risks and vulnerabilities. Therefore this author believes the use of Jscript is another reason to avoid using Internet Explorer (see section 5.7.3).

5.7.3 Internet Explorer

Internet Explorer (IE) is one of two missing sections of chain-link security fence surrounding your computer, big enough for a Mack truck [4]. That’s why some people call it “Internet Exploder”.

IE is Microsoft Windows’ native web browser, and, like many Microsoft software products, it is tightly integrated with Windows itself.

So tightly integrated, in fact, that IE allows web sites to have full access to—and control of—Windows itself. That is why you can update Windows (and other Microsoft products) by using IE to visit Microsoft’s Windows Update web site. And that is why you can’t perform updates using any other browser.

Think about it: Why would you want to stumble across www.cybercrime-central.com using the same web browser that Microsoft uses to update Windows?

You can close that huge gap in your security fence quite simply:

1. Obtain and install the Firefox web browser by visiting www.mozilla.com, downloading Firefox, and installing it according to Mozilla’s instructions.

2. Set up Windows’ Internet Options as follows:

(a) Put only microsoft.com into Windows’ “Trusted Sites” zone.

(b) Disable every feature in all other zones (“Internet”, “Local Intranet”, “Restricted”, etc.). You may have to ask a computer geek for help with this [3].

3. Never use IE again, except to obtain software updates directly from Microsoft’s web site (which is why step “2a” is included in the procedure shown above).

4. Use only Firefox when you surf the web [4].

5.7.4 E-mail Landmines

E-mail messages and attachments carry a huge amount of malware right through defensive systems such as firewalls and anti-virus software (as if spam weren’t enough to deal with) [2].

Never click on any attachment to open it—save it to disk instead. Why? Because various techniques allow cybercriminals to mask part of an attachment’s name, so recipients cannot easily determine an attached file’s true name or type. For example, you might think an attached file’s name is “CoworkersNaked.bmp” when its name is actually “CoworkersNaked.bmp.exe”. You wouldn’t want to click on the latter!

After the attached file is saved, do not find that file on your hard drive and then click on it! That would be the same as clicking on the attachment, and you don’t want to do that.

Instead, simply open the application program designed to handle that type of file, and use the application’s
“File - Open” dialog to find and open that file. Image programs that will open “BMP” files will refuse to open “EXE” files, thereby saving you from inadvertently executing malware.

5.7.5 Outlook

Outlook and Outlook Express are Microsoft’s e-mail clients for enterprise and home (or small business) users, respectively. Here we will simply call them both “Outlook” since they share the same roots.

Outlook also happens to be the other missing section of chain-link fence [4]. It is tightly integrated with Windows and IE, and so it suffers from many of the same vulnerabilities as they do.

You can close that huge gap in your security fence quite simply:

1. Obtain and install the Thunderbird e-mail client by visiting www.mozilla.com, downloading Thunderbird, and installing it according to Mozilla’s instructions.

2. Never use Outlook again. Yes, really!

3. Use only Thunderbird for e-mail [4].

5.7.6 PDF Landmines

Adobe’s Portable Document Format (PDF) file format is ubiquitous on the World Wide Web. However, most people don’t realize that, for years now, JavaScript programs can be embedded into PDF files.

Adobe has occasionally reported vulnerabilities in its version of JavaScript, which cybercriminals were able to exploit to give PDF files a virus-like behavior when they are opened with Adobe’s Acrobat Reader.

Few PDF files contain any JavaScript code. Therefore, this author recommends that you change your Acrobat Reader’s configuration settings to disable JavaScript. If you have a legitimate need to view a trusted, JavaScript-enhanced PDF file, simply re-enable JavaScript long enough to view that one document. Then disable it again.

5.7.7 Flash Landmines

Macromedia’s Flash (SWF) file format allows movies to be embedded into web pages. This requires Macromedia’s Flash Player “plug-in” software to be downloaded and installed, which almost everyone has already done.

Unfortunately, Macromedia has occasionally reported some rather serious security risks due to software bugs within their Flash Player software. Cybercriminals can literally take over a computer by exploiting those vulnerabilities.

Worse, the Flash Player plug-in cannot be disabled and is difficult to remove once installed. But this author strongly recommends that you search Adobe’s web site (adobe.com) to learn how to remove the Flash Player (or just its browser plug-in component).

5.7.8 Multimedia Landmines

In 2004, RealNetworks reported a serious vulnerability in its RealPlayer software, which is used to play music and video files. If a specially crafted music or movie file is played it can cause that player software to malfunction in a predictable way, resulting in the outcome an attacker wants most: external control of that computer.

Unfortunately, flaws have been found in almost every media player software available, at one time or another. You should think twice about using your computer to listen to music or watch a movie.

More importantly, you should never play any media file you receive in an e-mail (even if it’s from someone you know), because a cybercriminal could have created it! Burying a rootkit in a funny video would be an excellent example of social engineering (see section 5.7.10).

5.7.9 Passwords and User IDs

People obviously know that their user ID and password are supposed to guard their account from unauthorized access, but most people fail to understand five critical concepts:
1. Someone may actually try to get into their account.

2. Their user ID is just as important as their password.

3. Most user IDs and passwords are weak (easy to guess or compute).

4. “Security questions” are a curse.

5. Cybercriminals have all the time in the world.

Let’s discuss these concepts one by one.

Online Break-ins

The Gartner Group has reported that $2.4 billion had been robbed from Internet-accessible bank accounts between June 2003 and May 2004 [18]. Newer statistics are probably higher because of the trend towards ubiquitous online banking.

Therefore, we can conclude that cybercriminals do, in fact, break into password-protected accounts.

User IDs

Most people think every account is protected by its password. This is false! In fact, it is the combination of user ID and password that protects an account.

To increase your account’s security you must learn to regard a user ID and a password as being the same kind of thing. They are both the same sort of combination lock.

Common sense tells us to secure a door with two locks instead of just one. We know that our security suffers when one of those locks is missing or is extremely cheap. Similarly, we should realize that every account should be secured with both user ID and password, instead of just the user ID. We should know that our security suffers when the password is missing, or when the user ID or password is weak.

Weak User IDs and Passwords

A user ID or password is weak when it can be easily guessed by someone, or easily computed by password-cracking software.

Before we learn about what makes a user ID or password strong, let’s stop to consider why most people have weak user IDs and passwords, so that we can learn what not to do.

People have weak user IDs for two main reasons:

• A user ID was assigned to them when its account was established. Very interesting, because people don’t realize that in many cases an “assigned” user ID is simply a recommended or default user ID. If so, they could have overridden that default when the account was established.

• They chose their own user ID when its account was established, but they followed the common but foolish practice of basing their user ID on their name.

In either case, people usually end up with a weak user ID such as “jsmith”, which even a six-year-old child can guess.

When a user ID is weak, the password is all that protects that account, and so the password absolutely must be strong. A better solution would be to strengthen your user ID if possible. Some accounts let you change both user ID and password at any time.

Similarly, there are seven main reasons that people choose weak passwords:

• They don’t understand how some passwords are stronger than others.

• They think their password is so clever that no one could possibly guess it, such as “GR8-ONE”, “SteveRocks”, “kennwort” (which is German for “password”), or simply “z”.

• They want a password that’s easy to remember, like “grapefruit”.

• They desire a password that represents something (or someone) meaningful to them, like “69mustang” or “angeleyes”.
• They think they don’t need a password, so they just leave it blank.

• A default password was provided to them, and they think it’s good enough.

• They don’t realize that cybercriminals use social engineering techniques and automated password-cracking software to discover user IDs and passwords.

That last reason is key, for it directly addresses all of the other reasons.

Cybercriminals commonly use three different methods to obtain illegal access to someone’s account. First, a cybercriminal will check to see if the account’s password is either blank (missing) or is set to a well-known default value (which can be discovered via some Googling).

Second, a cybercriminal may use a targeted attack based on social engineering. Here, a cybercriminal will assemble dossiers by collecting odd tidbits of personal information. When a sufficient amount is collected, the cybercriminal will have found his next “mark” (victim) [30].

For example, if someone whose online nickname is “Jeb69” posts a message on a web site complaining about the First National Bank of Briar Patch, it’s likely that “Jeb” has an account there. Some extra Googling may bring to light that this same person’s e-mail address is [email protected], that he has a German Shepherd named “Lilly”, and that he owns a ’69 Harley Sportster motorcycle. As a result, a cybercriminal would target Jeb Smith’s bank account, using passwords based on his dog or bike. Perhaps the cybercriminal would try to find and answer the account’s “secret question”, as discussed later.

In some cases, the “cybercriminal” is actually someone relatively close to the victim, such as a neighborhood teen, an estranged brother, or a coworker. In that case the cybercriminal is able to more easily collect personal information about the victim. Regardless of how they are done, targeted attacks are surprisingly effective.

Third, a cybercriminal may use easily available but sophisticated password-cracking software to generate lists of likely passwords. Some password-cracking software permits “hints” to be specified, which could be “Jeb”, “Smith”, “Lilly”, “German”, “Shepard”, “1969”, “69”, “Harley” and “Sportster” for the previous example. Other password-cracking software simply uses a dictionary attack strategy, where passwords are generated based on common words found in the dictionary [4]. Or, a “brute-force” method can be used, in which every possible combination of characters is tried, one by one.

Password-cracking software is surprisingly effective, but only because most people use weak passwords!

The Curse of the Secret Question

In recent years, online accounts have sported a new “feature” designed to help you log on should you forget your password. This is usually based on a “secret question” (a.k.a. “security question”), which you are asked to define when setting up your account.

For example, you might be asked to select one of four “secret questions” (such as “What was your first pet’s name?”). Then, you will be asked to provide an answer to that question (such as “Wolfie”).

This is a really stupid idea! Here’s why:

1. It creates a “back door” that deliberately circumvents your password.

2. It offers only a very limited set of simple questions, each of which can only have a very limited set of simple answers.

3. Cybercriminals can use a targeted attack to obtain (or guess) answers to those simple questions.

4. The answer to a secret question never changes, which means the “back door” will continue to work even if you change your password.

The solution is to deactivate the “back door” [36]. To do this, select any “secret question” at random, and then answer that question by simply hitting a bunch of keys at random to generate something like “awropuqwpegjhvkl”. If you should ever forget your password, simply contact tech support personnel and provide sufficient credentials to allow them to reset your password.
Time is on Their Side, Not Yours

When setting up an account we usually have only a few seconds in which to choose a new user ID or password. But cybercriminals face no time limit at all when trying to break into an account. They can keep trying for hours if they wish.

That is why we must be prepared to select strong user IDs and passwords ahead of time. We cannot wait to ponder such things until a new account setup screen is staring us in the face. If we do, we will likely pick weak user IDs or passwords.

When we pick a strong user ID and password, cybercriminals will likely give up after a while and move on to the next person’s account. There’s far more profit to be made by plucking many “low-hanging fruit” than by focusing on one difficult target.

Strong User IDs and Passwords

Now that we have examined weak user IDs and passwords, let’s see how to create strong ones [3, 17]. A user ID or password is strong if it:

1. Contains no common word(s) in any major language in the world, and

2. Uses both uppercase and lowercase letters, and

3. Includes numeric digits, and

4. Has punctuation characters such as “!”, and

5. Is at least eight (preferably 10) characters long, and

6. Is seemingly too difficult to remember, and

7. Is not used for any other account, and

8. Is changed frequently.

Here are some examples of strong user IDs or passwords (no kidding!):

• @^H~6Bx@9i

• f~4fj*wCrK

Since strong passwords can’t be easily remembered, you will want to write these down and store that list so that it cannot be found by untrusted persons. For example, you could store the list in an unmarked manila folder within a locked file cabinet in your locked office. A cybercriminal is unlikely to travel to your state (or even your country), break into your home and find your password list before draining your bank account.

5.7.10 Social Engineering

Social engineering is a relatively new attack method. It is designed to bypass technological security measures (such as firewalls and anti-virus software) by using human psychology to trick people into letting a cybercriminal gain access to computers or information systems [2, 4].

Social engineering techniques are most often used in connection with the Internet, but such techniques can also be used in many other ways (see section 6.1). Internet-related social engineering techniques such as phishing appeal to basic human instincts such as curiosity and fear.

Phishing

Phishing is a social engineering technique involving the use of fake but seemingly authentic e-mail or instant messages to obtain someone’s confidential information, such as credit card numbers or passwords [3].

In June 2004 The Gartner Group estimated that 1.98 million adults in America had suffered losses from phishing scams [18]. As of July 2006, more than 40 million phishing scams were being attempted every week.

Phishing usually relies on e-mail address spoofing, which is the creation of a false “From:” address for an e-mail. As a joke, this author once sent his wife a “threatening” e-mail message that was apparently from Bill Gates at Microsoft. Unfortunately, she was quite shaken because she had believed the message was genuine!

Phishing also makes extensive use of e-mail messages that are coded in HTML (HyperText Markup Language), which allows logos, web page links and other features to be incorporated into a message.
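The eight criteria listed under “Strong User IDs and Passwords” in section 5.7.9 above, the search-space argument made under “Time is on Their Side, Not Yours”, and the random secret-question answer recommended under “The Curse of the Secret Question”, as one worked example in Python. This is an added example and not code from the white paper; the word list is a constructed stand-in for a real dictionary file (it holds the paper’s own weak examples plus the “hints” from its Jeb Smith story), and the function names check_strength, search_space_bits, generate_strong and random_secret_answer are the example’s own.

```python
import math
import secrets
import string

# Constructed stand-in for "common words in any major language" (criterion 1).
# A real check would load a full dictionary file; these are the paper's own
# weak examples plus the "hints" from its Jeb Smith story.
COMMON_WORDS = {
    "password", "kennwort", "grapefruit", "mustang", "angeleyes", "steve",
    "rocks", "great", "one", "jeb", "smith", "lilly", "german", "shepherd",
    "harley", "sportster",
}
PUNCTUATION = set(string.punctuation)
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def contains_common_word(candidate: str, min_len: int = 3) -> bool:
    """True if any listed word of at least min_len letters appears inside
    the candidate, ignoring case."""
    lowered = candidate.lower()
    return any(w in lowered for w in COMMON_WORDS if len(w) >= min_len)


def check_strength(candidate: str) -> dict:
    """Apply the paper's mechanically checkable criteria (1 to 5) to a
    user ID or password.  Criteria 6 to 8 (hard to remember, unique per
    account, changed often) are policy rather than string properties."""
    return {
        "no_common_word": not contains_common_word(candidate),
        "mixed_case": any(c.islower() for c in candidate)
                      and any(c.isupper() for c in candidate),
        "has_digit": any(c.isdigit() for c in candidate),
        "has_punctuation": any(c in PUNCTUATION for c in candidate),
        "at_least_8_chars": len(candidate) >= 8,
    }


def is_strong(candidate: str) -> bool:
    return all(check_strength(candidate).values())


def search_space_bits(candidate: str) -> float:
    """Size in bits of the space a brute-force search must cover if it knows
    the length and which character classes were used.  This is the "time is
    on their side" point in numbers: ten lowercase letters give about 47
    bits, ten characters from all four classes about 65 bits."""
    classes = 0
    if any(c.islower() for c in candidate):
        classes += 26
    if any(c.isupper() for c in candidate):
        classes += 26
    if any(c.isdigit() for c in candidate):
        classes += 10
    if any(c in PUNCTUATION for c in candidate):
        classes += len(PUNCTUATION)
    return len(candidate) * math.log2(classes) if classes else 0.0


def generate_strong(length: int = 10) -> str:
    """Draw characters from the OS CSPRNG until criteria 1 to 5 all hold,
    producing values in the style of the paper's "@^H~6Bx@9i" example."""
    if length < 8:
        raise ValueError("criterion 5 requires at least eight characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


def random_secret_answer(length: int = 16) -> str:
    """The paper's way to deactivate the secret-question back door: an
    unguessable answer such as "awropuqwpegjhvkl" in place of a pet's name."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


if __name__ == "__main__":
    for sample in ("grapefruit", "GR8-ONE", "SteveRocks", "@^H~6Bx@9i", "f~4fj*wCrK"):
        verdict = check_strength(sample)
        print(f"{sample!r}: strong={all(verdict.values())} "
              f"({search_space_bits(sample):.0f} bits) {verdict}")
    print("generated:", generate_strong())
    print("secret-question answer:", random_secret_answer())
```

Run it and both of the paper’s sample passwords pass while “grapefruit”, “GR8-ONE” and “SteveRocks” each fail at least one criterion; the bit counts make the “low-hanging fruit” argument concrete, since each extra character class multiplies the work of an exhaustive search. The generator uses the secrets module rather than random because password material must come from a cryptographically secure source.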
The tricky thing about HTML-based web page links is that the link’s URL doesn’t have to match the link’s human-readable text. Therefore, it’s easy to create a link saying “http://news.google.com” or “Bank of America” that actually points to “www.nasty-spyware.com” instead. That is why you should never click on any link in any e-mail message!

A classic example of a phishing attempt is an e-mail message that is carefully constructed to mimic what a bank would normally send to its customers. This message might inform the recipient that his account would be suspended if he didn’t confirm certain critical facts (such as his Social Security Number, his bank account number, online banking password, etc.). A link to a fake “bank” website is usually provided so that gullible recipients can fill out a form to provide cybercriminals with all the information needed to drain the recipient’s bank account.

A less-obvious example of a phishing attempt would be an e-mail supposedly from CNN or another news agency, containing a copy of an actual or fictitious news story with a web site link so that you can “Read More”. People will click on that link without even questioning why they would ever receive an e-mail from CNN, and a few seconds later “www.fooled-you.com” will begin to load malware into their computer.

Other Trickery

To demonstrate the effectiveness of social engineering techniques, some bank security auditors placed 20 USB memory sticks at random locations in a bank’s parking lot, as if someone had lost them. Within hours, bank personnel had used bank computers to execute completely unfamiliar software stored in 15 of those devices.

Fortunately, the software was not dangerous, but had cybercriminals planted those devices instead, all sorts of malware would have been installed behind the bank’s firewall. This would have been a really bad thing because firewalls generally allow outbound traffic, so it is possible that the malware would have been able to “phone home” (to the bank’s severe disadvantage).

5.8 Threats to Wireless Networks

Wireless access points (WAPs) create a cable-free “bridge” between conventional wired networks and mobile devices such as laptop computers. WAPs have been deployed worldwide by corporations, libraries, stores, schools and homeowners alike.

According to a Federal Bureau of Investigation (FBI) security presentation in 2005, about 70% of the millions of WAPs in the U.S. are completely unprotected against random access by strangers [18].

If protected at all, most WAPs use an encryption method known as Wired Equivalent Privacy (WEP). Unfortunately, WEP can be cracked in minutes using software that is freely available on the Internet [2, 18]. This was demonstrated by the FBI when they penetrated a wireless network in three minutes during their presentation. It should also be mentioned that many people enable WEP but don’t change the default password provided by their WAP’s manufacturer!

In 2003, WEP was superseded by Wi-Fi Protected Access (WPA or WPA2), which is thought to offer superior security. Everyone should use WPA instead of WEP [3]. However, new attacks are being invented daily, so one cannot simply set up WPA and then forget about it [13].

You may think it unnecessary to bother with WEP or WPA, because after all, how would a cybercriminal even know where to find your WAP? Surely that would be like finding the proverbial needle in a haystack!

You can directly answer that question by clicking on the “Web Maps” link on wigle.net’s home page (http://wigle.net).

There, you can easily “zoom in” to see your city or your neighborhood. Each colored dot on the map represents a WAP; green indicates an unprotected WAP, while red represents one that uses WEP or WPA encryption. It’s possible that you may even see your own WAP.

So much for your “needle in the haystack” theory!

In case you’re curious (or even enraged) at this point, all of the WAPs in wigle.net’s database were discovered by people who engage in a hobby called wardriving [2].
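Two of the checks Part 5 describes in words, as one added Python example (not code from the white paper): section 5.7.4’s point that an attachment’s true type is its last extension, so “CoworkersNaked.bmp.exe” is an executable however it is displayed, and section 5.7.10’s point that an HTML link’s visible text need not match the URL it points to. The sample message and the host name www.nasty-spyware.example are constructed for the example, and the functions true_extension, attachment_verdict, host_of and suspicious_links are the example’s own names.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions the operating system will execute on a click (constructed list
# for this example; extend it to match your platform).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Harmless-looking "document" extensions that a masked name places before the
# real one, as in the paper's CoworkersNaked.bmp.exe example.
DOCUMENT_EXTENSIONS = {".bmp", ".jpg", ".gif", ".png", ".pdf", ".doc", ".txt"}


def true_extension(filename: str) -> str:
    """The extension the operating system actually honours: the last one."""
    return os.path.splitext(filename.strip())[1].lower()


def attachment_verdict(filename: str) -> str:
    """Classify an attachment name before anyone double-clicks it."""
    stem, ext = os.path.splitext(filename.strip())
    ext = ext.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"      # would run code if clicked
    if os.path.splitext(stem)[1].lower() in DOCUMENT_EXTENSIONS:
        return "masked"          # e.g. report.pdf.zip: a document name hiding another type
    return "ordinary"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Host name of a URL, or of link text that is written like a URL."""
    v = value.strip()
    if "://" not in v:
        v = "http://" + v
    return (urlparse(v).hostname or "").lower()


def suspicious_links(html: str) -> list:
    """Report links a reader cannot trust by eye: 'mismatch' when the visible
    text is itself a URL naming a different host than the href, 'hidden'
    when the text is a label (such as "Bank of America") showing no host."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        text_is_url = "." in text and " " not in text
        if not text_is_url:
            findings.append({"kind": "hidden", "text": text, "real_host": real_host})
        elif host_of(text) != real_host:
            findings.append({"kind": "mismatch", "text": text, "real_host": real_host})
    return findings


# Constructed phishing message in the style the paper describes (not a real one).
SAMPLE_MESSAGE = """
<p>Your account will be suspended unless you verify your information.</p>
<p><a href="http://www.nasty-spyware.example/verify">http://news.google.com</a></p>
<p><a href="http://www.nasty-spyware.example/verify">Bank of America</a></p>
<p><a href="http://news.google.com/">http://news.google.com</a></p>
"""

if __name__ == "__main__":
    for name in ("CoworkersNaked.bmp", "CoworkersNaked.bmp.exe", "report.pdf.zip"):
        print(f"{name}: {attachment_verdict(name)}")
    for finding in suspicious_links(SAMPLE_MESSAGE):
        print(finding)
```

On the sample message only the third link survives, because its text and its destination name the same host; the first is flagged as a mismatch and the second as hidden, which is exactly the situation in which the paper tells the reader to type the address by hand instead of clicking. The attachment check deliberately reads the whole file name rather than the part a mail client chooses to show.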
Part 6

Non-technological Threats

Ask any elder about what financial or business troubles he or she faced earlier in life, and you will hear nothing about losses due to online account break-ins, or contract penalties due to hard drive crashes. Instead, you will hear about property theft and con-men, which are still problems today. The more things change, the more they stay the same!

6.1 Social Engineering

As mentioned in section 5.7.10, social engineering is the use of human psychology to trick people into exposing vulnerabilities. While the term “social engineering” is new, the techniques themselves are quite ancient. Every con man throughout history has used social engineering techniques.

The problem with social engineering is that criminals such as con artists know all about this technique, but honest people do not! Fortunately, some books and web sites on social engineering are available, which may shock you but at least will educate you [5, 30, 39].

Social engineering techniques used by corporate spies and other criminals include:

• Pretending to be a woman by using a voice changer during telephone calls. Male targets will more often provide critical information to a woman than to a man, especially if she appears to be flirting with him.

• Sending a letter to obtain information. For some reason, people trust the written word and let down their guard. Some con artists mail out fake sweepstakes forms (etc.) to obtain personal information such as mothers’ maiden names and Social Security Numbers!

• Pretending to be a janitor, maintenance man, coffee machine repairman, landscaper, city code inspector, flower deliverer, or exterminator, to gain entry to a facility. Once inside, a cybercriminal can attempt to gain access to important company information.

• Wearing a fake ID badge, possibly fashioned after an actual sample that was photographed through a telephoto lens. Many employees will open a door for a “fellow employee” whose ID badge fails to scan correctly.

6.2 Facility Security

Many business facilities are wide open to intruders. For some reason, no one seems to know or care about things like:

• Rear doors propped open for ventilation, or for smokers’ convenience.

• Front doors unguarded by receptionists who are often away from their desk.

• Exterior door mechanisms that are prone to being “jimmied” because they are in such poor condition.

• Out-opening doors with no latch guards. A screwdriver or ice pick is all it takes to open such doors.

• Shipping bays that are wide open most of the time (day or night).

• Automatic door closers that take 10 seconds to cycle. It is easy to walk in after someone else has unlocked the door.

• Keys left in unlocked company vehicles, possibly with facility keys on the same keyring.
Since information is stored everywhere—on disks, in notebooks, and on paper—it is not hard for a corporate spy or common thief to grab some important information and run out the door [39].

6.3 Property Theft

Thieves and corporate spies rely on poor facility security and employees’ unfamiliarity with social engineering techniques, to steal loads of equipment, prototypes or files from businesses [38]. Examples:

• Many laptop computers, video projectors and even purses or wallets are stolen from offices and conference rooms near unsecured doors, because thieves can simply walk in and grab these during lunchtime.

• Thieves almost always dress to blend in with their victims, and sometimes even take lunch with them before stealing something.

• Some thieves enter a building and then hide inside until after employees leave.

Security experts recommend:

• Hiding purses, wallets, USB memory sticks, PDAs and other valuables every time you step away from your office.

• Using a security cable on each computer (whether desktop or laptop), and on other equipment such as video projectors.

• Informing a manager when a “stranger” is found inside or outside the building.

• Not holding the door open for someone unfamiliar to you, even if they sport a badge.

• Watching automatic doors close so that no one can sneak in.
Part 7

Data Leaks, Data Loss & Privacy

You should stop distributing Microsoft Office documents via e-mail and web sites—immediately—unless you “scrub” those documents using a reputable third-party tool.

7.1 Data Leaks

Enterprises and individuals can inadvertently allow important information to fall into the wrong hands. For example, an employee can e-mail a spreadsheet file to a customer, not knowing that the spreadsheet contains hidden information such as profit margins or even derogatory statements about that customer.

Or, company personnel can store proprietary documents and photographs in a “hidden” corner of a company’s web server, not knowing that Google and other search engines might easily find such items and make them publicly visible in search results [2].

Finally, it is a sad fact that competing companies sometimes hire cybercriminals to steal or discover information so that a competitive advantage can be gained [5, 39].

Such “data leaks” have consequences such as embarrassment, termination, blackmail, lawsuits or even financial ruin.

7.1.1 Meta-data

Microsoft Word documents (.DOC files) contain a wealth of hidden meta-data including deleted text, employee names and computer user IDs, text from other (unrelated) documents, company information, computer filename and pathname, local printer names, computer hardware information, e-mail headers and/or web server information [6, 20, 21].

In 2003 the British government published a Microsoft Word document which was supposedly their dossier on Iraq’s security and intelligence services. Dr. Glen Rangwala of Cambridge University dissected that file and discovered much of its text was plagiarized directly from a U.S. researcher on Iraq. Worse, the document’s revision history identified its last ten authors plus their edits and commentary [19].

While it is true that later versions of Microsoft Office programs can be configured to not save personal data in document files, only a fool would trust that feature to scrub documents completely clean.

Many third-party tools are available to remove meta-data [21]. These include:

• iScrub by Esquire Innovations (http://www.esqinc.com).

• ezClean by Kraft Kennedy & Lesser (http://www.kklsoftware.com).

• Metadata Assistant by Payne Group (http://www.payneconsulting.com).

• Doc Scrubber by Javacool Software LLC (http://www.docscrubber.com).

• Out-of-Sight by SoftWise (http://www.softwise.net).

• Workshare Protect by Workshare (http://www.workshare.com).

• Metadata Scrubber by BEC Legal Systems (http://www.beclegal.com).

Note: This author has evaluated none of these tools and can offer no recommendations for or against any of these.
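To make the meta-data problem of section 7.1.1 concrete, here is an added example (not from the white paper and not one of the tools listed above) that finds and strips hidden authorship fields and tracked deletions. It assumes the later .docx container rather than the binary .DOC format the paper discusses, because .docx is a zip of XML parts that can be inspected with the standard library alone; the sample document is constructed by hand.

```python
"""Find and strip the hidden meta-data an OOXML Word file (.docx) carries.

Added example, not from the white paper nor any of the tools it lists.  The
paper discusses binary .DOC files; this uses the later .docx container (a zip
of XML parts), which leaks the same kinds of facts: author and last-editor
names in docProps/core.xml, and deleted text kept as tracked changes in
word/document.xml.  The sample document below is constructed by hand.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

AUTHOR_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dc:description")
W_DEL = "{%s}del" % NS["w"]          # a tracked deletion
W_DELTEXT = "{%s}delText" % NS["w"]  # the deleted text inside it

# Constructed sample parts: a user ID and a tracked deletion about margins.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s">
  <dc:title>Proposal for Acme</dc:title>
  <dc:creator>J. Doe</dc:creator>
  <cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy>
  <dc:description>Draft, do not send to the customer</dc:description>
</cp:coreProperties>""" % NS
DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="%(w)s"><w:body><w:p>
  <w:r><w:t>Unit price: $42.</w:t></w:r>
  <w:del w:id="1" w:author="J. Doe"><w:r><w:delText>Our margin is 60%%.</w:delText></w:r></w:del>
</w:p></w:body></w:document>""" % NS


def build_sample_docx():
    """Zip the two parts into a minimal in-memory .docx (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def find_leaks(docx_bytes):
    """Return the hidden fields a recipient could read out of the file."""
    leaks = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        for field in AUTHOR_FIELDS:
            el = core.find(field, NS)
            if el is not None and el.text:
                leaks[field] = el.text
        doc = ET.fromstring(z.read("word/document.xml"))
        deleted = [t.text for t in doc.iter(W_DELTEXT) if t.text]
        if deleted:
            leaks["deleted text"] = deleted
    return leaks


def scrub(docx_bytes):
    """Return a copy with authorship fields blanked and tracked deletions removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "docProps/core.xml":
                core = ET.fromstring(data)
                for field in AUTHOR_FIELDS:
                    el = core.find(field, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(core, encoding="UTF-8", xml_declaration=True)
            elif name == "word/document.xml":
                doc = ET.fromstring(data)
                for parent in list(doc.iter()):   # snapshot: the tree is mutated below
                    for child in list(parent):
                        if child.tag == W_DEL:
                            parent.remove(child)
                data = ET.tostring(doc, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", find_leaks(sample))
    print("after: ", find_leaks(scrub(sample)))
```

A real document carries more parts (comments, custom properties, embedded thumbnails), so a production scrubber must walk every part, which is why the paper recommends a dedicated tool rather than trusting Word's own option.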

7.1.2 E-mail

In 2002, Internet security journalist Brian McWilliams decided to try “hacking into” Saddam Hussein’s e-mail account on the official Iraqi government web site. McWilliams succeeded, simply by using the word “press” for both user ID and password! [25] Once “in”, McWilliams saw many e-mail messages from businessmen and corporate executives who wanted to do business in Iraq.

From this lesson we should learn to secure every e-mail account with strong user IDs and passwords (see section 5.7.9). But e-mail-related data leaks can occur in other, more insidious ways.

For example, e-mail messages and their attachments are often forwarded and re-forwarded to third parties without much thought, which can create quite a sizable data leak. This can be mitigated two ways:

• Mandatory encryption for attached files, as described in section 7.1.9 [3, 4].

• E-mail forwarding policies set and enforced by management.

Many companies have a web-based e-mail portal set up so that employees can check their mail from home or while on the road. Such e-mail servers should be configured to require strong passwords, and to lock an account if three or more incorrect login attempts are seen.

7.1.3 Corporate Networks

Company personnel are not so stupid as to install network jacks in their parking lots. But many do install jacks in publicly-accessible conference rooms, lobbies, cafeterias and libraries. Or, they install wireless access points in or near those areas (see section 5.8). Outsiders can simply plug right into the corporate network.

Even if no network jacks or wireless access points are accessible, cybercriminals may still find a “back door” or alternate way in. For example, sometimes an old-fashioned analog modem will be installed on a server so that Information Technology (IT) staff members can establish a remote administrative connection via telephone line. Such modem connections are often left active for years, long after IT staff has upgraded to a modern Virtual Private Network (VPN) connection.

The good news is that a simple security audit can be performed to determine if any network access is available in public areas of the company.

7.1.4 Voice-mail

During Hewlett Packard’s merger with Compaq in 2002, an intruder obtained access to the HP CEO’s voice-mail account and leaked voice-mail messages to the press [24].

Voice-mail accounts are usually protected by simple user-defined numeric access codes. New accounts are usually set up with well-known default codes that any cybercriminal can find via Google. When phone system administrators reset someone’s access code, it is usually set to the same default.

Unfortunately, people generally fall into the same sort of traps when choosing a voice-mail access code as they do when choosing a computer account user ID or password (see section 5.7.9).

In short, you should not leave the default access code in place; you should not choose your birth year or another personal datum as your code; you should not choose stupid codes like “123”; and you should not choose a code based on any physical pattern of button presses on a keypad (like “159” or “258”). Believe it or not, some books and web sites list every possible pattern of telephone button presses, so a cybercriminal doesn’t even have to invent these himself!

Your phone system administrator should configure your phone system to lock an account if three or more incorrect access codes are entered.

7.1.5 Web Servers

Most businesses and many individuals have a web site, which of course is stored as individual files on a web server computer. Since a file is just a file, it is possible to store a large number of files—and many different kinds of files—on a web server. In fact, some companies use their web server as a sort of file server for their employees’ convenience.
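Returning to the voice-mail access code rules of section 7.1.4, the following added example (not from the white paper) screens a proposed code against each of them: factory defaults, birth years and other personal data, trivial runs like “123”, and straight-line keypad patterns like “159” or “258”. The default-code set and the minimum length are constructed placeholders for your own phone system’s values.

```python
"""Screen voice-mail access codes against the pitfalls named in section 7.1.4.

Added example, not from the white paper.  DEFAULT_CODES and MIN_LENGTH are
constructed placeholders; substitute your phone system's real defaults and
your own policy.
"""
import datetime

# Constructed placeholder: put your phone system's real factory defaults here.
DEFAULT_CODES = {"0000", "1234", "1111"}
MIN_LENGTH = 4  # assumed policy value

# Straight lines of keys on a standard telephone keypad (the 0 sits below the 8),
# read in both directions.
_LINES = ["123", "456", "789", "147", "2580", "369", "159", "357"]
KEYPAD_LINES = _LINES + [s[::-1] for s in _LINES]


def is_keypad_pattern(code):
    """True when every 3-digit window of the code traces a straight keypad line,
    e.g. "159", "258", "2580" or "987"."""
    if len(code) < 3:
        return False
    windows = [code[i:i + 3] for i in range(len(code) - 2)]
    return all(any(w in line for line in KEYPAD_LINES) for w in windows)


def is_sequential(code):
    """True for runs such as "1234" or "6543"."""
    if len(code) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})


def looks_like_year(code, earliest=1900):
    """True for a plausible birth year such as "1975"."""
    return len(code) == 4 and earliest <= int(code) <= datetime.date.today().year


def weak_reasons(code, personal_data=()):
    """Return the list of rules the code violates; an empty list means it passes.

    personal_data: strings the owner is known by (birth year, extension,
    phone number, ...); a code that appears inside any of them is rejected.
    """
    if not code.isdigit():
        return ["access codes must be digits only"]
    reasons = []
    if len(code) < MIN_LENGTH:
        reasons.append("shorter than %d digits" % MIN_LENGTH)
    if code in DEFAULT_CODES:
        reasons.append("still a factory default code")
    if len(set(code)) == 1:
        reasons.append("single repeated digit")
    if is_sequential(code):
        reasons.append("sequential digits like 123")
    if is_keypad_pattern(code):
        reasons.append("physical pattern on the keypad like 159 or 258")
    if looks_like_year(code):
        reasons.append("looks like a year (birth year?)")
    for datum in personal_data:
        if code in datum.replace("-", "").replace(" ", ""):
            reasons.append("found in personal data: %s" % datum)
    return reasons


if __name__ == "__main__":
    # Constructed sample owner data: a birth year and an extension.
    owner = ("1975", "555-0142")
    for candidate in ("0000", "159", "1975", "2580", "0142", "8362"):
        print(candidate, weak_reasons(candidate, personal_data=owner) or "ok")
```

The check only rejects the obvious; the lockout after three bad attempts that the section asks for is what actually limits guessing, so both belong in the phone system configuration.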
This begs the following questions:

1. What files are currently stored on your web server?

2. Which files are currently required?

3. Which files are obsolete (dead wood)?

4. Which files are not related to any web page?

5. Which files are confidential?

6. Which files are publicly visible?

Most employees (including company web design staff) don’t really know the correct answer to most, or even all, of these questions. Worse, they don’t even have the ability to find out. And even worse, they think that none of these questions is important because, after all, their web site “works the way it’s supposed to”.

As a result, from many web servers spring a great number of data leaks.

If you or your company have a web site, here’s an experiment that you can try right now:

1. Open your web browser and bring up Google’s main page (google.com).

2. Suppose your web site’s URL is “www.abc.com”. Into Google’s search text box, simply type “site:abc.com” (with no double-quotes and no spaces).

You will see every page and file that Google has found on your web server. It’s possible that you will find some stuff that shouldn’t really be there, such as:

• Confidential spreadsheet files.

• Obsolete web pages.

• Customer databases.

• Half-finished web pages still being worked on by your web designer.

• Internal PowerPoint presentations for last month’s sales meetings.

• Proprietary documentation intended for Field Service personnel.

• “Private” web pages meant for some specific use.

The moral of this story is: Never put sensitive data on a web server!

7.1.6 Equipment Disposal & Repair

Tons of electronic equipment and data storage media are sold, donated or put into the trash every day. Therefore, “tons” of stored data are also being sold, donated or put into the trash every day, causing a massive data leak.

For example, an Ohio couple had taken their computer to Best Buy to have its hard drive replaced. The company assured them that the old hard drive would be physically destroyed. Almost a year later, the couple received a phone call from a Chicago man who had bought that same “destroyed” hard drive at a flea market. The Chicago man had found the couple’s phone number (as well as Social Security numbers, bank statements and investment records) stored on the hard drive, but was conscientious enough to notify its original owners [9].

It is important to find and destroy all stored data before taking a device in for repair, or before disposing of anything. However, that is easier said than done:

• We often delegate to, or rely on, other people who may not know or care about information security. The Ohio couple fell into this category.

• It’s hard to locate where data is stored in modern devices. Do you know where your cell phone’s address book is physically stored? Have you ever removed the cover from your computer, let alone replaced a hard drive?

• Simple erasure (deleting or even reformatting) doesn’t actually destroy data [34]. Simple software tools are often all that’s needed to recover data.

• Dead hard drives do tell tales. Drives that will no longer “boot up” a computer are usually totally readable by plugging them into another computer as a “slave” drive. Even drives that are unreadable as slaves can be sent to a data recovery service.

• Destroying a data storage device—such as a CDROM disk or hard drive—is physically messy and potentially dangerous.

The bottom line is that data destruction must be a part of everyone’s information security plan.
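The Google experiment in section 7.1.5 shows what is already public; the complementary check is to inventory the server’s own document root and answer questions 4 to 6 before a search engine does. The following added example (not from the white paper) walks a docroot, follows the links from the index page, and reports files nothing links to and files whose type rarely belongs on a public server. The sample site, the index-page names and the list of sensitive suffixes are constructed assumptions.

```python
"""Inventory a web server's document root: which files are reachable by following
links from the home page, which are orphans, and which look confidential.

Added example, not from the white paper.  The sample site is constructed in a
temporary directory; the suffix list is an assumption to adapt to your site.
"""
import os
import posixpath
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that rarely belong on a public web server (assumed list).
SENSITIVE_SUFFIXES = (".xls", ".xlsx", ".mdb", ".ppt", ".pptx", ".doc", ".docx", ".bak")
START_PAGES = ("index.html", "index.htm")  # assumed home page names


class LinkCollector(HTMLParser):
    """Collect href/src attribute values from one HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def _resolve(page_rel, link):
    """Turn a link found in page_rel into a docroot-relative path, or None if external."""
    parsed = urlparse(link)
    if parsed.scheme or parsed.netloc or not parsed.path:
        return None
    path = parsed.path
    if path.endswith("/"):
        path += "index.html"
    if path.startswith("/"):
        rel = path.lstrip("/")
    else:
        rel = posixpath.join(posixpath.dirname(page_rel), path)
    return posixpath.normpath(rel)


def audit(docroot):
    """Return sets of docroot-relative paths: all files, reachable, orphans, sensitive."""
    files = set()
    for dirpath, _, names in os.walk(docroot):
        for n in names:
            rel = os.path.relpath(os.path.join(dirpath, n), docroot)
            files.add(rel.replace(os.sep, "/"))
    reachable = set()
    todo = [p for p in START_PAGES if p in files]
    while todo:
        page = todo.pop()
        if page in reachable:
            continue
        reachable.add(page)
        if not page.lower().endswith((".html", ".htm")):
            continue  # non-HTML files are leaves: nothing to follow
        with open(os.path.join(docroot, page), encoding="utf-8", errors="replace") as fh:
            collector = LinkCollector()
            collector.feed(fh.read())
        for link in collector.links:
            target = _resolve(page, link)
            if target in files:
                todo.append(target)
    return {
        "files": files,
        "reachable": reachable,
        "orphans": files - reachable,
        "sensitive": {f for f in files if f.lower().endswith(SENSITIVE_SUFFIXES)},
    }


def build_sample_site():
    """Constructed docroot: a public page, a linked brochure, an orphaned
    spreadsheet and a half-finished draft page that nothing links to."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "index.html": '<html><body><a href="about.html">About</a> <img src="img/logo.png"></body></html>',
        "about.html": '<html><body><a href="/brochure.pdf">Brochure</a></body></html>',
        "brochure.pdf": "%PDF-1.4 (constructed stub)",
        "img/logo.png": "PNG stub",
        "private/pricing.xls": "constructed: margins 60%",
        "draft-newpage.html": "<html><body>work in progress</body></html>",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = audit(build_sample_site())
    for key in ("reachable", "orphans", "sensitive"):
        print(key, sorted(report[key]))
```

An orphan is not automatically safe: if the server permits directory listings or the file name is guessable, it is still publicly visible, which is why the section’s answer is to keep sensitive data off the web server altogether.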
7.1.7 Bluetooth Devices

Did you know that malicious passers-by can plant a virus on, or obtain confidential data from, your Bluetooth-enabled phone or PDA? It takes only 15 seconds for someone to locate and copy your phone’s address book via Bluetooth.

One security auditor visited Britain’s House of Parliament, where he had the opportunity (which he didn’t take) to use Bluetooth to obtain the address books and calendars of several prominent politicians. His report resulted in a mandate that all Bluetooth devices be turned off in the House of Parliament.

As cell phones become smarter and begin to converge with PDAs, malware such as worms and spyware will begin to spread via Bluetooth and other mobile communications media. As of July 2006 there were only a few known cell phone viruses, and these were still rare. They were transmitted via Bluetooth and only infected smart phones running Symbian’s operating system.

You may want to examine your own phone. Is it a smart phone? Do you even need a smart phone? Does it have Bluetooth capability? Do you even need that feature? Can you permanently disable Bluetooth? Can you turn on Bluetooth only when you need to use an accessory such as a wireless headset? Do you need to store confidential information in your phone at all?

7.1.8 Shredding

When Iranians stormed the U.S. Embassy in 1979, embassy officers shredded everything they could, but Iranians managed to reassemble and publish 70 volumes of those documents [23].

Many people don’t bother shredding at all, causing a great data leak. Three basic types of shredders exist:

Strip-cut: These inexpensive and fast shredders offer a lot more security than not shredding at all. However, the U.S. Embassy had used strip-cut shredders, which did not stop the Iranians for long.

Cross-cut, diamond-cut or oval-cut: These offer superior security compared to the strip-cut type, but are significantly slower and more expensive.

Shredding services: This is a way to “farm out” your shredding chores to a third party. For security reasons this author does not recommend outsourcing basic security tasks such as shredding.

Note that most (if not all) shredders are able to destroy credit cards as well as paper. Some will also destroy CDROMs and DVDs.

Once you have got a shredder or a shredding service, it’s important to define a shredding policy. What gets shredded and what doesn’t? This author simply recommends shredding everything that isn’t public knowledge.

7.1.9 Encryption

Encryption is the reversible process of using a password as the basis for translating information into an undecipherable form to ensure secrecy. The reverse process is known as decryption.

Some encryption methods are inherently weak, meaning that cryptographers can eventually perform decryption without knowing the password. Other encryption methods are strong, which is desirable.

The easiest, cheapest universally available way to encrypt a data file is to simply put that file into a password-protected “zip” file. Well-known programs such as PKZIP, WinZip and others are readily available and fully compatible with the “zip” file standard.

It’s true that many “zip” file password cracking programs are widely available, but they all use techniques such as the dictionary attack and others described in section 5.7.9. Therefore, you absolutely need to use a strong password when encrypting a file.

7.2 Data Loss

We can be our own best enemy when it comes to information security, for we constantly trust that our critical paper files and data storage devices will always be there for us.

But what would happen if some (or all) of your paper files or data storage devices were lost, stolen, damaged, corrupted, burned, or flooded? Would your projects fail? Would your job be in jeopardy? Would customers tolerate the consequences? Would your business survive?

Let’s take a look at some important considerations for preserving your data.

7.2.1 Paper Files

Before the digital era, people used to “back up” all paper hardcopy on film (usually using microfilm or microfiche formats). An enormous number of pages could be stored in each roll or fiche. Duplicate copies could be stored off-site to protect intellectual property and legal evidence in case of a fire or flood.

Today, people use a lot of paper but act like it’s no longer important. They seem to forget that a legal “paper trail” may still be required to demonstrate “due diligence” in a court of law. They forget that specifications, reports and contracts are still signed, stamped and annotated.

They may back up their data but fail to “back up” their paper!

There are three fairly inexpensive and quick ways to “back up” your paper copies:

• Invest in an old-fashioned photographic copy stand, plus a suitable low- to mid-priced digital camera. Mount the camera on the copy stand and take a “snapshot” of each printed page. Back up the digital photo files as you would normally back up any other files. Snapping a photo of a document is quick and easy, plus it captures a full-color image of any document regardless of its size. This is the author’s preferred way to back up paper copies.

• Buy a scanner for your computer, and use it to scan each document to a file. Back up these files as you would normally back up any other files. Unfortunately, scanning a document can be a painfully slow process even if you use a sheet-fed scanner (which can jam), and you will be unable to scan anything much larger than a letter-sized original.

• Use a copier to create paper copies. This can be painfully slow, and it creates many pounds of paper. You may have trouble with oversized documents, although many copiers seem to work well with legal and 11x17 originals. You may have to use a color copier for some items.

Once you have “backed up” your paper copies, you will need to carefully consider how and where to store those backups. This is covered in section 7.2.5.

7.2.2 Computers, Cell Phones, PDAs

Unfortunately, it can be difficult to “back up” data stored in some cell phones or PDAs. You will need to figure out the best way to do this, based on your specific phone or PDA.

Cell phones and PDAs are often misplaced because they are so small. You should always stand ready to lose any data they contain, unless you find a way to perform backups.

In contrast, it’s fairly unlikely that you will misplace your laptop computer, but the rise in popularity of laptop computers has made them a likely target for thieves. Also, let’s face it: laptop computers aren’t built to withstand much abuse despite their mobile nature. Basically, you need to be always ready to “lose” your laptop computer, by constantly backing up its data (see section 7.2.4).

But, more importantly, you need to ensure that if a thief takes your laptop or PDA, he will not have access to your data. You absolutely need to encrypt your personal, proprietary or confidential data as discussed in section 7.1.9 [3, 4].

Thieves need to work fast to avoid getting caught, so they won’t waste much time trying to crack your encrypted files. They will more likely take a quick look around to see if any valuable unencrypted information can be copied off for future use (and possibly sold for identity theft purposes).

It is a mistake to believe that you need not encrypt files if your computer requires a log-in password to “boot up”. To the contrary, it’s quite easy to boot a computer using a separate operating system—usually DOS or Linux—stored on a floppy disk, CDROM or USB key. This completely bypasses your normal log-in and gives one complete access to your computer’s hard drive.

Once you have backed up your phone, PDA or laptop, you will need to decide how and where to store your backup media (see section 7.2.5).
7.2.3 Media and Memory Sticks

We tend to consider floppies, CDROMs, DVDs, portable hard drives and USB “memory sticks” as various sorts of backup devices, but in fact they often contain original copies of files that are not backed up anywhere else. It’s important to manage all those files on all those media and memory devices. Fortunately, files on these devices can be copied quite easily using one of the backup methods described in section 7.2.4.

Small devices and disks can be misplaced, lost or stolen, so you need to ensure that if someone finds or steals these, he will not have access to your data. You absolutely need to encrypt your personal, proprietary or confidential data as described in section 7.1.9 [3, 4].

Once you have backed up your media and memory sticks, you will need to think about how and where to store your backups. This is covered in section 7.2.5.

7.2.4 Backup & Restoration

Everyone might agree that religiously backing up data is important, but in reality this task is often overlooked in today’s fast-moving world. Establishing a solid computer backup method and a backup schedule is actually harder than it sounds [3, 16]. Difficulties include:

• Most hard disks hold more data than will fit on common backup media.

• Backing up a large amount of data can take many hours.

• Many backup methods don’t verify that data was written correctly.

• Backups require supervision so that problems can be corrected.

• Validating a backup is difficult and time-consuming.

• Reusable backup media can eventually become unreliable.

• Management of backup media is not trivial.

Three main backup methods exist:

• Bare-metal backups create a so-called “image” file, which is a perfect bit-for-bit copy of an entire hard drive. Later, the image can be written onto a new or existing hard drive, which can then be installed in a computer to restore normal operation. An image contains everything your original hard drive contained: boot sector(s), partition table(s), operating system(s), application software and user-created data files. A bare-metal backup can consume hours. Some bare-metal backup software allows individual files to be recovered from the backup, while others require a complete restoration of the entire hard drive just to gain access to a single file.

• User-file backups record only user-produced data files such as documents and pictures. Operating system and application software files won’t be backed up. If you have only a few user files then a backup could take just a few minutes. But most people accumulate tons of user files, so backups can take hours. Individual files can usually be restored from a user-file backup. However, if your hard drive fails or becomes corrupted, you will have to completely re-install the operating system and all application software from scratch, and then apply all patches and updates, before you can restore your user-file backup. This can take hours, and after it is done your computer will likely operate differently than you were accustomed to.

• Incremental backups record only those files that have changed since the last full backup, which means that this type of backup must be used in combination with a full (bare-metal or user-file) backup. Incremental backups are generally very quick.

Once you have backed up your digital data, you will need a plan for how and where you will store your backups. This is covered in section 7.2.5.

A critical but often-overlooked part of the backup and restoration process is the backup validation process. Some people back up data all the time, but have never had to actually restore it. It is quite a shock to discover that all of your backups are useless, because something was wrong with your methodology or implementation. Validating a backup process can be quite time-consuming but it absolutely must be done before it’s too late.
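The user-file and incremental methods above, together with the two difficulties the section stresses (unverified writes and backups that were never test-restored), can be shown in one small routine. This is an added example, not from the white paper or any backup product: it keeps a SHA-256 manifest beside the backup, copies only files whose digest changed, verifies each copy by re-hashing it, and validates by restoring into an empty directory and comparing digests. Directories and sample files are constructed in temporary folders.

```python
"""A user-file backup with a hash manifest, an incremental pass, and a restore
validation step (section 7.2.4).  Added example, not from the white paper or
any backup product; everything runs in temporary directories."""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"  # kept in the backup directory, never in the source


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Map each relative file path under root to its SHA-256 digest."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n == MANIFEST:
                continue
            full = os.path.join(dirpath, n)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_of(full)
    return digests


def backup(source, dest):
    """Copy only files whose digest differs from the manifest stored in dest
    (a full copy the first time, incremental afterwards).  Every copy is
    verified by re-hashing the written file.  Returns the files copied."""
    manifest_path = os.path.join(dest, MANIFEST)
    previous = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as fh:
            previous = json.load(fh)
    current = scan(source)
    copied = []
    for rel, digest in current.items():
        if previous.get(rel) == digest:
            continue  # unchanged since the last pass
        target = os.path.join(dest, *rel.split("/"))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(source, *rel.split("/")), target)
        if sha256_of(target) != digest:  # "verify that data was written correctly"
            raise IOError("verification failed for %s" % rel)
        copied.append(rel)
    for rel in set(previous) - set(current):  # dropped at the source: drop here too
        stale = os.path.join(dest, *rel.split("/"))
        if os.path.exists(stale):
            os.remove(stale)
    with open(manifest_path, "w") as fh:
        json.dump(current, fh, indent=1, sort_keys=True)
    return sorted(copied)


def validate_restore(dest, restore_dir):
    """Restore into an empty directory and compare every digest with the manifest.
    Returns the sorted list of files that did not come back identical."""
    with open(os.path.join(dest, MANIFEST)) as fh:
        expected = json.load(fh)
    for rel in expected:
        src = os.path.join(dest, *rel.split("/"))
        dst = os.path.join(restore_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
    restored = scan(restore_dir)
    return sorted(rel for rel, d in expected.items() if restored.get(rel) != d)


def demo():
    """Constructed scenario: full backup, one edit, then an incremental pass."""
    src, dst, rst = (tempfile.mkdtemp(prefix=p) for p in ("src-", "bak-", "rst-"))
    for rel, text in {"report.txt": "v1", "notes/todo.txt": "call vendor"}.items():
        full = os.path.join(src, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    first = backup(src, dst)  # both files are new
    with open(os.path.join(src, "report.txt"), "w") as fh:
        fh.write("v2")
    second = backup(src, dst)  # only the edited file
    bad = validate_restore(dst, rst)  # empty list means the restore matched
    return first, second, bad


if __name__ == "__main__":
    print(demo())
```

The validation step is the one the section says most people skip; run it against a spare directory on a schedule, not only once, since media and methods both decay.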
Finally, we should mention that the backup and restoration process plays a vital role when you buy new equipment such as computers or memory sticks, for it provides an easy and familiar way to transplant data from old devices to new ones.

Backups also play a vital role when you need to send in your computer for repair. Most people don’t know that computer warranties usually cover only hardware, not software. If software is covered, it will clearly be only software included with the original purchase. Many vendors would rather replace than repair, which means that you have only a slim chance of getting your original computer or hard drive back. At that point you would have lost a lot of data and created a massive data leak at the same time (see section 7.1.6).

7.2.5 Storage of Backup Media

An amazing number of people store their backups right next to their computer. What if upon arriving at their office one day they find a burnt-out shell instead of a cubicle?

It’s extremely important to store backup copies at a secure off-site location that is unlikely to be affected by the same disaster as might affect your home, office or business.

If no off-site storage facility is available, you should strongly consider buying fire-resistant storage units, such as those made by companies like Sentry Group (http://www.sentrysafe.com). Some are fairly inexpensive (under $100). You should place these storage units far from your office in a location that is unlikely to be flooded, so that it is less likely that your backup would be destroyed along with your computer and other devices.

You may want to purchase some of these storage units for off-site storage purposes as well.

While fire-resistant storage units are primarily designed to protect paper documents during a typical fire, disk media and small electronic devices can survive too if these are inserted into flattened, zipper-sealed, airtight heavy-duty plastic bags. This prevents damage from high humidity levels found inside fire-resistant storage units during a fire. Flattening the bags allows for considerable air expansion due to higher than normal temperatures, while still maintaining an airtight seal.

7.2.6 Uninterruptible Power Supplies

An Uninterruptible Power Supply (UPS) is a piece of electrical equipment designed to continuously supply 120VAC to a load, even during a power failure. Most, if not all, UPS units also contain transient suppressors and power filters to reduce power line noise. Some UPS units will also auto-correct for voltage sags or surges.

All UPS units contain one or more lead-acid gel cell batteries and a power inverter circuit that produces a crude approximation of a sine wave during power outages. Otherwise, normal “wall” power flows through the UPS to the load, charging the UPS’s batteries at the same time. UPS units will normally run for 20-60 minutes at full load.

UPS units are commonly connected to computers and related equipment so that computers can stay running during a power failure. Most UPS units can, via a separate cable, send battery status data to a computer connected to the UPS. This allows for an orderly but automatic shutdown of that computer should the UPS batteries become exhausted during a power failure.

To preserve your data, you should strongly consider buying one or more UPS units for your computers and related equipment.

Here are some important points to consider when buying and using UPS units:

• Each unit is designed to carry a maximum load, usually expressed in Volt-Amperes (VA). You should not buy a UPS that would operate close to its limit. It is best to have some headroom.

• Two or more UPS units may be more practical and cost-effective than one big unit.

• You should connect most, if not all, of your computer peripherals to a UPS too. This includes networking equipment, analog phone line modems, DSL and cable modems, scanners, small ink-jet printers, speakers, PDA cradles, etc.

• Never connect a laser printer to a UPS unit. A laser printer’s fuser draws way more current than any UPS can provide.

• A separate UPS unit can be used to provide power to various office equipment other than computers, such as cordless phone base stations, cell phone chargers, clocks, radios, telephone answering machines, and small FAX machines.

• Batteries in brand-new UPS units typically last two or three years, but even brand-name replacement batteries seldom last more than 18 months. Worse, UPS battery-condition indicators simply cannot be trusted. It is a good practice to run a full-load power-failure test on each UPS every six months to determine its run time. You can use one or more light bulbs as a load if you wish.

• If you are really crazy about continuous power, you can consider buying a gasoline- or natural gas-powered generator to power your UPS during an extended power failure.

7.3 Privacy

Privacy is a small but important part of information security. There is no reason to accidentally share personal, confidential or business data with those who really don’t need to know [3, 4, 5]. Doing so can increase your risk of identity theft, jealous acts, intellectual property theft, fraud, and so on.

Some simple tactics and a few accessories can help prevent accidental sharing of information:

• Password-protect all electronic devices (PDAs, computers, memory sticks, etc.).

• Don’t leave opened mail or paychecks lying around.

• Don’t face your PC’s display screen towards windows or doorways.

• Use a password-protected screensaver that kicks in within a few minutes of inactivity.

• Shred all unwanted junk mail or statements relating to financial matters, to reduce risk of identity theft.

• Install a privacy filter on your computer display to prevent passers-by from seeing your screen.

• Hide all computer backup media.

• Don’t mount whiteboards, drafting tables or prototypes so that they face doorways or windows.

• Encrypt files and e-mail attachments.

• Close office blinds, shades, curtains or drapes at night.

• Put extraneous paperwork into drawers before you leave your office to take lunch, attend a meeting or leave for home. This is called a “clean desk” policy.

• Turn off computers and other electronic devices at night.

• Lock your office, drawers and/or file cabinets when you leave the office.

• Make sure your online (web) accounts do not automatically log you in when you visit. Configure them to require you to enter a user ID and password every time.

• Don’t leave your password list under your keyboard or in an unlocked drawer.

• And no exceptions for executive management!

Side note: Privacy addicts can learn a lot by looking into the field of digital forensics (a.k.a. computer forensics), which deals with ways to learn all about someone’s computer or online activities. Practitioners in this field are often employed by prosecutors to obtain vital evidence by “digging into” someone’s hard drive. Forensics investigators know that everyone produces a continuous, invisible, detailed and accurate electronic “paper trail” while using a computer to create documents, play games, surf the web...

7.4 Policies

One can best address data leaks, data loss and privacy issues by taking the time to write—and then enforce—specific information security policies.

Before writing these you will want to review Parts 2 and 3 of this White Paper. Several organizations mentioned in Part 3 offer useful security checklists that can supplement your policies.
Part 8

Glossary

Air Gap: A term used in the network security field, referring to the absolute isolation of one or more computers from any kind of external network (whether private or Internet, wireless or wired). Worms and other network-borne malware require some sort of network connection to propagate; they cannot cross an air gap.

Anti-virus: Originally, a type of software designed to locate and deactivate computer viruses. Today, “anti-virus” software typically recognizes several types of malware, not just viruses.

Attack: An attempt to gain unauthorized access to an information system. Sometimes an attack vehicle is employed during the attempt.

Attack Vehicle: A technological or other means to gain access to an information system. Commonly, malware such as worms and spyware are used as attack vehicles.

Bluetooth: A form of wireless network used by mobile devices such as cell phones, PDAs, laptop computers and even automobiles.

Botnet: An organized collection of zombie computers, possibly including thousands or tens of thousands of zombies.

Corporate Spy: A person hired by one company to provide inside information and/or to steal intellectual property from another company.

Cybercriminal: A person who commits a crime using computers and (usually) a network such as the Internet.

Decryption: The process of using a password as the basis for translating secret information from an undecipherable form to its original, normal form. Decryption is the reverse of encryption.

Denial of Service: A type of attack on a remote computer, usually characterized by a massive flood of network traffic aimed at that computer, which causes that computer to virtually cease network operations. This can be disastrous for businesses that rely on online shopping for much of their revenue.

Dictionary Attack: One of several automated or semi-automated password-cracking methods based on the use of word dictionaries for popular languages such as English or Spanish. For example, the password “maverick1975” would fall prey to a dictionary attack.

Distributed Denial Of Service: A Denial of Service attack simultaneously mounted by many computers on the Internet (usually members of a botnet).

Data Leak: An unauthorized or accidental disclosure of important information to a third party. A data leak can occur when a confidential document is stored on a public web server (which Google might find), or when incriminating meta-data is allowed to remain hidden inside a document (which special tools can extract).

Encryption: The reversible process of using a password as the basis for translating information into an undecipherable form to ensure secrecy. The reverse process is known as decryption. Some encryption methods are inherently weak, meaning that cryptographers can eventually perform decryption without knowing the password. Other encryption methods are strong, which is desirable.

Firewall: A software or hardware means to block certain types of network traffic while allowing other types to pass.

Hacker: A person with a passionate interest in learning and modifying the technical aspects of various things, typically electronic, mechanical, computer or software devices. “White Hat” hackers are those who find, report and possibly solve flaws and security vulnerabilities in products such as software. “Black Hats” find and exploit flaws and security vulnerabilities to boost their ego, and/or to engage in criminal activities for profit or for revenge.

Identity Theft: The criminal act of obtaining a victim’s personal information so that purchases, transactions or other fraudulent actions can be accomplished in the victim’s name (and at his risk).

Information System: Any type of system designed to store and process digital information. Includes desktop and notebook computers, smart phones, network storage devices, servers, etc. It also includes various digital products sold to end users (customers).

Information Security (InfoSec): The U.S. National Information Systems Security Glossary’s definition is: “The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats”. Risk management is the foundation on which information security rests.

InfoSec: An abbreviation for Information Security.

Keystroke Logger: Malware, usually of the spyware type, that logs every pressed key and then forwards that log to a cybercriminal. Keystroke loggers help cybercriminals discover vast amounts of personal information, such as user IDs, passwords, account numbers, etc.

Malware: Malicious software such as worms, viruses, spyware, ransomware, Trojans or rootkits.

Meta-data: Data that describes other data. Examples of meta-data include a disk file’s time stamp, a JPEG file’s image resolution, and a document’s author. Verbose meta-data is often hidden inside disk files, allowing anyone with meta-data extraction tools to easily discover facts that the file’s creator might consider highly confidential. See data leak.

Network Security: A subset of Information Security that deals specifically with securing private networks and/or Internet access.

Packet Sniffer: A network security software tool that reveals many low-level details of communications transmissions in wired or wireless networks. A packet sniffer allows one to see the exact contents of messages sent over a network.

Phishing: A social engineering technique that uses spam e-mail messages to dupe unsuspecting victims into providing cybercriminals with passwords, account information, etc.

Ransomware: A form of malware designed to take a victim’s data hostage by encrypting every common type of data file stored on a victim’s computer. After this is accomplished a ransom demand will be made known to the victim. Money is usually demanded in exchange for a decryption key with which to restore the victim’s data.

Risk Management: The ongoing process of identifying risks and implementing mitigation plans to address them.

Rootkit: Malware that hides itself in a computer, obtains administrative privileges and then replaces some normal operating system functions with its own. Rootkits are undetectable by many experts and usually cannot be removed without destroying the operating system’s ability to function normally. Rootkits have been traditionally used by cybercriminals to gain remote “super-user” access to a computer, but recently some companies like Sony have begun to use rootkits for Digital Rights Management purposes to control people’s access to digital data such as software, music and movies.

Social Engineering: A new attack method designed to bypass technological security measures by using human psychology to trick people into letting a cybercriminal gain access to information systems. Phishing is an example of a social engineering technique.

Script Kiddie: A disparaging term for inexperienced hackers or budding cybercriminals who use other people’s software to break into computers or to launch “denial of service” attacks on web servers. Most script kiddies haven’t a clue about how such software works, and have no ability to write their own. Script kiddies usually launch their attacks on remote computers via the Internet.


Spyware: A form of malware that, with human assistance, gains entry to a computer through e-mail, web sites or application software. Therefore, spyware cannot infect a computer unless someone surfs the web, opens an e-mail attachment or installs application software.

Trojan: A free and appealing (or potentially useful) software program that actually contains malware. Trojan software was named after the legendary Trojan Horse of Greek mythology. A Trojan cannot infect a computer unless someone deliberately obtains and installs such software.

Virus: A form of self-replicating malware that, when activated, is able to attach copies of itself to nearby executable computer files. A virus becomes active only when its host file is executed (most often by humans). Hence viruses usually spread only with human help.

Wardriving: A hobby that involves driving around in a car with a Global Positioning System (GPS) unit and a wireless laptop, looking for wireless access points. Wardrivers usually feed their findings into massive online public databases of wireless access points (such as wigle.net). Your personal and/or corporate wireless access point locations can most likely be found in such databases. Yes, really.

Wireless Access Point: A piece of network equipment that forms a bridge between a normal, wired network (such as a private network or the Internet) and laptop computers, PDAs or other mobile devices.

Worm: A form of self-replicating malware that is able to automatically penetrate a remote computer on a network, by exploiting a vulnerability found within that computer’s network-aware software. Once penetration is accomplished a worm will permanently install itself in its victim, and then immediately attempt to find other victims on the network. Worms do not need human help to propagate. Worms move fast; in 2003 the Slammer worm infected every vulnerable Internet-connected computer in the world within 15 minutes.

Zero-day Exploit: The exploit of a newly discovered security vulnerability within hours after the discovery of that vulnerability. The term “zero-day” refers to the practical inability of software vendors to provide security updates (patches) quickly enough to prevent a vulnerability from being exploited.

Zombie: An Internet-connected computer that was successfully attacked in a manner designed to place it under the remote control of a cybercriminal. Owners of zombies are usually unaware that their computers were compromised. Zombies commonly become members of a botnet.
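The Dictionary Attack entry above notes that the password “maverick1975” would fall prey to such an attack. As an added example (not part of this White Paper), the following Python password-policy check rejects passwords that a dictionary attack would recover: a dictionary word dressed up with case changes, leading or trailing digits and symbols, or “leet” character substitutions. The word list is a constructed sample standing in for a real dictionary file.

```python
import re

# Constructed sample word list standing in for a real cracking dictionary
# (tens of thousands of words); the logic is unchanged with a full file.
SAMPLE_WORDS = {"maverick", "password", "dragon", "summer", "welcome", "monkey"}

# Common "leet" substitutions that cracking tools apply or undo automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Digits and symbols users typically bolt onto the front or back of a word.
PADDING = r"[\d!@#$%^&*._\-]+"


def candidate_bases(password: str) -> set[str]:
    """Return the dictionary words a cracker would test for this password.

    Each rule mirrors a standard mutation: case folding, stripping trailing or
    leading digits/symbols (maverick1975 -> maverick), and undoing leet-speak
    (m@v3rick -> maverick). The resulting set is tiny, so the check is cheap.
    """
    lowered = password.lower()
    no_suffix = re.sub(PADDING + r"$", "", lowered)
    no_padding = re.sub(r"^" + PADDING, "", no_suffix)
    bases = {lowered, no_suffix, no_padding}
    bases |= {b.translate(LEET) for b in list(bases)}
    return bases


def is_dictionary_weak(password: str, words: set[str] = SAMPLE_WORDS) -> bool:
    """True when any mutated form of the password is a plain dictionary word."""
    return any(base in words for base in candidate_bases(password))


def check_password(password: str, words: set[str] = SAMPLE_WORDS, min_len: int = 12) -> list[str]:
    """Policy check: returns the reasons the password is rejected (empty list = accepted)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_dictionary_weak(password, words):
        problems.append("dictionary word with a trivial mutation")
    return problems


if __name__ == "__main__":
    for pw in ("maverick1975", "M@v3rick!", "1975Summer", "xq7!Lm2#vZ9p-Tw"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```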
