Security+ Guide to Network Security Fundamentals, Fourth Edition, Mark Ciampa (2012, Course Technology)

This is an electronic version of the print textbook. Due to electronic rights restrictions,
some third party content may be suppressed. Editorial review has deemed that any suppressed
content does not materially affect the overall learning experience. The publisher reserves the right
to remove content from this title at any time if subsequent rights restrictions require it. For
valuable information on pricing, previous editions, changes to current editions, and alternate
formats, please visit www.cengage.com/highered to search by ISBN#, author, title, or keyword for
materials in your areas of interest.
Mark Ciampa, Ph.D.
Security+ Guide
to Network Security
Fundamentals
Fourth Edition
Security+ Guide to Network Security
Fundamentals, Fourth Edition
Mark Ciampa
Vice President, Editorial: Dave Garza
Executive Editor: Stephen Helba
Managing Editor: Marah Bellegarde
Senior Product Manager: Michelle Ruelos Cannistraci
Developmental Editor: Deb Kaufmann
Editorial Assistant: Jennifer Wheaton
Vice President, Marketing: Jennifer Ann Baker
Marketing Director: Deborah S. Yarnell
Associate Marketing Manager: Erica Ropitzky
Production Director: Wendy Troeger
Production Manager: Andrew Crouth
Senior Content Project Manager: Andrea Majot
Senior Art Director: Jack Pendleton
© 2012, 2009, 2005, 2003 Course Technology, Cengage Learning
ALL RIGHTS RESERVED. No part of this work covered by the copyright
herein may be reproduced, transmitted, stored or used in any form or by
any means graphic, electronic, or mechanical, including but not limited to
photocopying, recording, scanning, digitizing, taping, Web distribution,
information networks, or information storage and retrieval systems, except
as permitted under Section 107 or 108 of the 1976 United States Copyright
Act, without the prior written permission of the publisher.
For product information and technology assistance, contact us at
Cengage Learning Customer & Sales Support, 1-800-354-9706
For permission to use material from this text or product,
submit all requests online at cengage.com/permissions
Further permissions questions can be emailed to
permissionrequest@cengage.com
Library of Congress Control Number: 2011931202
ISBN-13: 978-1-111-64012-5
ISBN-10: 1-111-64012-2
Course Technology
20 Channel Center Street
Boston, MA 02210
USA
Cengage Learning is a leading provider of customized learning solutions
with office locations around the globe, including Singapore, the United
Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at:
international.cengage.com/region
Cengage Learning products are represented in Canada by
Nelson Education, Ltd.
For your lifelong learning solutions, visit
www.cengage.com/coursetechnology
Purchase any of our products at your local college store or at our
preferred online store www.cengagebrain.com
Visit our corporate website at www.cengage.com
Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered
trademarks of their respective manufacturers and sellers.
Any fictional data related to persons, companies or URLs used throughout this book is intended for instructional purposes only. At the time this book was
printed, any such data was fictional and not belonging to any real persons or companies.
Course Technology and the Course Technology logo are registered trademarks used under license.
Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time in its content
without notice.
The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational
purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.
Printed in the United States of America
Brief Contents
INTRODUCTION ............................................................xiii
CHAPTER 1
Introduction to Security ............................................................ 1
CHAPTER 2
Malware and Social Engineering Attacks .............................................. 41
CHAPTER 3
Application and Network Attacks ................................................... 81
CHAPTER 4
Vulnerability Assessment and Mitigating Attacks ...................................... 123
CHAPTER 5
Host, Application, and Data Security ................................................ 161
CHAPTER 6
Network Security ............................................................... 205
CHAPTER 7
Administering a Secure Network ................................................... 249
CHAPTER 8
Wireless Network Security ........................................................ 291
CHAPTER 9
Access Control Fundamentals ...................................................... 331
CHAPTER 10
Authentication and Account Management............................................ 365
CHAPTER 11
Basic Cryptography ............................................................. 405
CHAPTER 12
Advanced Cryptography.......................................................... 449
CHAPTER 13
Business Continuity ............................................................. 487
CHAPTER 14
Risk Mitigation ................................................................. 533
APPENDIX A
CompTIA SY0-301 Certification Exam Objectives ....................................... 567
APPENDIX B
Downloads and Tools for Hands-On Projects .......................................... 579
APPENDIX C
Security Web Sites .............................................................. 581
APPENDIX D
Selected TCP/IP Ports and Their Threats .............................................. 585
APPENDIX E
Sample Internet and E-Mail Acceptable Use Policies..................................... 589
APPENDIX F
Information Security Community Site ............................................... 595
GLOSSARY.................................................................... 597
INDEX........................................................................ 609
Table of Contents
INTRODUCTION ................................................................ xiii
CHAPTER 1
Introduction to Security ............................................................ 1
Challenges of Securing Information ................................................. 5
Today's Security Attacks...................................................... 5
Difficulties in Defending Against Attacks ........................................... 8
What Is Information Security? .................................................... 11
Defining Information Security ................................................. 11
Information Security Terminology ............................................... 13
Understanding the Importance of Information Security.................................. 16
Who Are the Attackers? ........................................................20
Hackers ............................................................... 20
Script Kiddies............................................................ 20
Spies ................................................................. 20
Insiders................................................................ 20
Cybercriminals ........................................................... 22
Cyberterrorists ........................................................... 23
Attacks and Defenses .......................................................... 23
Steps of an Attack ......................................................... 23
Defenses Against Attacks .......................................................25
Layering ............................................................... 25
Limiting ............................................................... 26
Diversity ............................................................... 26
Obscurity .............................................................. 26
Simplicity .............................................................. 27
Chapter Summary ............................................................27
Key Terms ................................................................28
Review Questions ............................................................29
Hands-On Projects ...........................................................32
Case Projects ............................................................... 36
References ................................................................. 39
CHAPTER 2
Malware and Social Engineering Attacks .............................................. 41
Attacks Using Malware ........................................................ 43
Malware That Spreads ...................................................... 43
Malware That Conceals ..................................................... 49
Malware That Profits....................................................... 52
Social Engineering Attacks ...................................................... 57
Psychological Approaches .................................................... 58
Physical Procedures ........................................................ 64
Chapter Summary ............................................................66
Key Terms ................................................................67
Review Questions ............................................................68
Hands-On Projects ...........................................................72
Case Projects ...............................................................76
References .................................................................78
CHAPTER 3
Application and Network Attacks ................................................... 81
Application Attacks ...........................................................83
Web Application Attacks .................................................... 83
Client-Side Attacks ........................................................ 91
Buffer Overflow Attacks ..................................................... 96
Network Attacks.............................................................97
Denial of Service (DoS)...................................................... 97
Interception ............................................................. 98
Poisoning ..............................................................100
Attacks on Access Rights ....................................................104
Chapter Summary ........................................................... 105
Key Terms ............................................................... 107
Review Questions ........................................................... 108
Hands-On Projects .......................................................... 112
Case Projects .............................................................. 118
References ................................................................ 121
CHAPTER 4
Vulnerability Assessment and Mitigating Attacks ...................................... 123
Vulnerability Assessment....................................................... 125
What Is Vulnerability Assessment? ..............................................125
Assessment Techniques ......................................................131
Assessment Tools .........................................................133
Vulnerability Scanning vs. Penetration Testing ......................................... 140
What Is Vulnerability Scanning? ................................................140
Penetration Testing ........................................................141
Mitigating and Deterring Attacks ................................................. 143
Creating a Security Posture ...................................................143
Configuring Controls .......................................................143
Hardening ..............................................................144
Reporting ..............................................................144
Chapter Summary ........................................................... 144
Key Terms ............................................................... 146
Review Questions ........................................................... 147
Hands-On Projects .......................................................... 150
Case Projects .............................................................. 156
References ................................................................ 159
CHAPTER 5
Host, Application, and Data Security ................................................ 161
Securing the Host ........................................................... 163
Securing Devices ..........................................................163
Securing the Operating System Software ...........................................171
Securing with Anti-Malware Software ............................................175
Monitoring System Logs .....................................................178
Application Security.......................................................... 181
Application Development Security ...............................................182
Securing Data.............................................................. 184
Chapter Summary ........................................................... 186
Key Terms ............................................................... 189
Review Questions ........................................................... 190
Hands-On Projects .......................................................... 193
Case Projects .............................................................. 200
References ................................................................ 203
CHAPTER 6
Network Security ............................................................... 205
Security Through Network Devices ................................................ 207
Standard Network Devices ...................................................207
Network Security Hardware ..................................................212
Security Through Network Technologies ............................................ 224
Network Address Translation (NAT) .............................................224
Network Access Control (NAC) ................................................226
Security Through Network Design Elements .......................................... 228
Demilitarized Zone (DMZ) ...................................................228
Subnetting ..............................................................228
Virtual LANs (VLAN) ......................................................231
Remote Access ...........................................................232
Chapter Summary ........................................................... 232
Key Terms ............................................................... 234
Review Questions ........................................................... 235
Hands-On Projects .......................................................... 238
Case Projects .............................................................. 246
References ................................................................ 248
CHAPTER 7
Administering a Secure Network ................................................... 249
Common Network Protocols .................................................... 251
Internet Control Message Protocol (ICMP) .........................................252
Simple Network Management Protocol (SNMP) ......................................254
Domain Name System (DNS)..................................................254
File Transfer Protocols ......................................................256
IPv6..................................................................259
Network Administration Principles ................................................ 260
Device Security ...........................................................261
Network Design Management .................................................265
Port Security ............................................................267
Securing Network Applications .................................................. 269
Virtualization ............................................................269
IP Telephony ............................................................272
Cloud Computing .........................................................273
Chapter Summary ........................................................... 275
Key Terms ............................................................... 277
Review Questions ........................................................... 278
Hands-On Projects .......................................................... 281
Case Projects .............................................................. 288
References ................................................................ 290
CHAPTER 8
Wireless Network Security ........................................................ 291
Wireless Attacks ............................................................ 293
Attacks on Bluetooth Devices..................................................293
Wireless LAN Attacks ......................................................296
Vulnerabilities of IEEE 802.11 Security ............................................. 302
MAC Address Filtering......................................................302
SSID Broadcast...........................................................303
Wired Equivalent Privacy (WEP)................................................305
Wireless Security Solutions ..................................................... 308
Wi-Fi Protected Access (WPA) .................................................308
Wi-Fi Protected Access 2 (WPA2) ...............................................310
Other Wireless Security Steps ..................................................311
Chapter Summary ........................................................... 314
Key Terms ............................................................... 316
Review Questions ........................................................... 317
Hands-On Projects .......................................................... 320
Case Projects .............................................................. 328
References ................................................................ 330
CHAPTER 9
Access Control Fundamentals ...................................................... 331
What Is Access Control? ....................................................... 334
Access Control Terminology ..................................................334
Access Control Models ......................................................336
Best Practices for Access Control ...............................................341
Implementing Access Control .................................................... 344
Access Control Lists (ACLs) ..................................................344
Group Policies ...........................................................345
Account Restrictions .......................................................346
Authentication Services........................................................ 348
RADIUS ...............................................................348
Kerberos ...............................................................350
Terminal Access Control Access Control System (TACACS) ..............................351
Lightweight Directory Access Protocol (LDAP).......................................352
Chapter Summary ........................................................... 353
Key Terms ............................................................... 354
Review Questions ........................................................... 355
Hands-On Projects .......................................................... 359
Case Projects .............................................................. 362
References ................................................................ 364
CHAPTER 10
Authentication and Account Management............................................ 365
Authentication Credentials ..................................................... 367
What You Know: Passwords ..................................................368
What You Have: Tokens and Cards .............................................375
What You Are: Biometrics....................................................378
Single Sign-On ............................................................. 382
Windows Live ID .........................................................383
OpenID ...............................................................384
Open Authorization (OAuth) ..................................................384
Account Management ........................................................ 385
Trusted Operating Systems ..................................................... 387
Chapter Summary ........................................................... 388
Key Terms ............................................................... 390
Review Questions ........................................................... 391
Hands-On Projects .......................................................... 394
Case Projects .............................................................. 400
References ................................................................ 402
CHAPTER 11
Basic Cryptography ............................................................. 405
Defining Cryptography........................................................ 407
What Is Cryptography? .....................................................407
Cryptography and Security ...................................................409
Cryptographic Algorithms ...................................................... 411
Hash Algorithms..........................................................411
Symmetric Cryptographic Algorithms.............................................417
Asymmetric Cryptographic Algorithms ............................................423
Using Cryptography ......................................................... 429
Encryption Through Software .................................................430
Hardware Encryption.......................................................431
Chapter Summary ........................................................... 433
Key Terms ............................................................... 434
Review Questions ........................................................... 436
Hands-On Projects .......................................................... 439
Case Projects .............................................................. 445
References ................................................................ 448
CHAPTER 12
Advanced Cryptography.......................................................... 449
Digital Certificates........................................................... 451
Defining Digital Certificates...................................................451
Managing Digital Certificates..................................................453
Types of Digital Certificates...................................................457
Public Key Infrastructure (PKI) ................................................... 462
What Is Public Key Infrastructure (PKI)?...........................................462
Public-Key Cryptographic Standards (PKCS) ........................................463
Trust Models ............................................................465
Managing PKI ...........................................................468
Key Management ........................................................... 469
Key Storage .............................................................469
Key Usage ..............................................................470
Key-Handling Procedures ....................................................470
Transport Encryption Algorithms ................................................. 472
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) ...............................472
Secure Shell (SSH) .........................................................472
Hypertext Transport Protocol over Secure Sockets Layer (HTTPS) ..........................473
IP Security (IPsec) .........................................................473
Chapter Summary ........................................................... 475
Key Terms ............................................................... 476
Review Questions ........................................................... 477
Hands-On Projects .......................................................... 480
Case Projects .............................................................. 484
References ................................................................ 486
CHAPTER 13
Business Continuity ............................................................. 487
What Is Business Continuity?.................................................... 489
Disaster Recovery ........................................................... 490
Disaster Recovery Plan ......................................................491
Redundancy and Fault Tolerance ...............................................494
Data Backups............................................................501
Environmental Controls ....................................................... 504
Fire Suppression ..........................................................505
Electromagnetic Interference (EMI) Shielding ........................................508
HVAC ................................................................509
Incident Response Procedures.................................................... 510
What Is Forensics? ........................................................510
Basic Forensics Procedures ...................................................510
Chapter Summary ........................................................... 515
Key Terms ............................................................... 517
Review Questions ........................................................... 519
Hands-On Projects .......................................................... 522
Case Projects .............................................................. 529
References ................................................................ 531
CHAPTER 14
Risk Mitigation ................................................................. 533
Controlling Risk ............................................................ 535
Reducing Risk Through Policies .................................................. 539
What Is a Security Policy? ....................................................539
Balancing Trust and Control ..................................................540
Designing a Security Policy ...................................................540
Types of Security Policies ....................................................544
Awareness and Training ....................................................... 550
Compliance .............................................................550
User Practices............................................................551
Threat Awareness .........................................................552
Training Techniques .......................................................554
Chapter Summary ........................................................... 556
Key Terms ............................................................... 557
Review Questions ........................................................... 558
Hands-On Projects .......................................................... 561
Case Projects .............................................................. 564
References ................................................................ 565
APPENDIX A
CompTIA SY0-301 Certification Exam Objectives ....................................... 567
APPENDIX B
Downloads and Tools for Hands-On Projects .......................................... 579
APPENDIX C
Security Web Sites .............................................................. 581
APPENDIX D
Selected TCP/IP Ports and Their Threats .............................................. 585
APPENDIX E
Sample Internet and E-Mail Acceptable Use Policies..................................... 589
APPENDIX F
Information Security Community Site ............................................... 595
GLOSSARY.................................................................... 597
INDEX........................................................................ 609
Introduction
Security continues to be a primary concern of computer professionals today, and with good reason. Consider the evidence: the number of malware attacks against online banking is increasing annually by 60,000, and 85 percent of banks reported that they have sustained losses based on these attacks.[i] Over $41 billion have been lost by victims to the Nigerian General scam, which is the number one type of Internet fraud and is growing at a rate of 5 percent.[ii] Over 20 million new specimens of malware, including new malware as well as variants of existing families, were created in one eight-month period, and the average number of new threats created and distributed each day has increased from 55,000 to 63,000.[iii] Due to the increased power of desktop computers to crack passwords, researchers now claim that any password of seven or fewer characters is hopelessly inadequate.[iv] And a computer connected to the Internet is probed by an attacker on average once every 39 seconds.[v]
As these types of attacks continue to escalate, the need for trained security personnel also increases. Unlike some information technology (IT) functions, security is neither being offshored nor outsourced. Because security is such a critical element in an organization, security functions generally remain within the organization. In addition, security positions do not involve on-the-job training where untrained employees can learn as they go; the risk is simply too great.
It is important that individuals who want to be employed in the ever-growing field of information security be certified. IT employers demand and pay a premium for security personnel who have earned a security certification. Recent employment trends indicate that employees with security certifications are in high demand, with one study showing that security certifications will earn employees 10 to 14 percent more pay than their uncertified counterparts.[vi] The Computing Technology Industry Association (CompTIA) Security+ certification is a vendor-neutral credential internationally recognized as validating a foundation level of security skills and knowledge.
Security+ Guide to Network Security Fundamentals, Fourth Edition is designed to equip learners with the knowledge and skills needed to be secure IT professionals. Yet it is more than merely an exam prep book. This text teaches the fundamentals of information security by using the CompTIA Security+ exam objectives as its framework. It takes an in-depth and comprehensive view of security by examining the attacks that are launched against networks and computer systems and the necessary defense mechanisms, and it even offers end-user practical tools, tips, and techniques to counter attackers. Security+ Guide to Network Security Fundamentals, Fourth Edition is a valuable tool for those who want to learn about security and who desire to enter the field of information security, providing the foundation that will help prepare for the CompTIA Security+ certification exam.
Intended Audience
This book is designed to meet the needs of students and professionals who want to master practical
network and computer security. A basic knowledge of computers and networks is all that is required
to use this book. Those seeking to pass the CompTIA Security+ certification exam will find the text's approach and content especially helpful, because all Security+ SY0-301 exam objectives are covered (see Appendix A). (For more information on Security+ certification, visit CompTIA's Web
site at www.comptia.org.) However, Security+ Guide to Network Security Fundamentals, Fourth
Edition is much more than an examination prep book; it also covers all aspects of network and
computer security while satisfying the Security+ objectives.
The book's pedagogical features are designed to provide a truly interactive learning experience to help prepare you for the challenges of network and computer security. In addition to the information presented in the text, each chapter includes Hands-On Projects that guide you through implementing practical hardware, software, network, and Internet security configurations step by step. Each chapter also contains case studies that place you in the role of problem solver, requiring you to apply concepts presented in the chapter to achieve successful solutions.
Chapter Descriptions
Here is a summary of the topics covered in each chapter of this book:
Chapter 1, "Introduction to Security," begins by explaining the challenge of information security and why it is important. This chapter also introduces information security terminology, defines who the attackers are, and gives an overview of attacks and defenses. In addition, it explains the CompTIA Security+ exam and explores career options for those interested in mastering security skills.
Chapter 2, "Malware and Social Engineering Attacks," examines attacks that use different types of malware, such as viruses, worms, Trojans, and botnets. It also looks at the different types of social engineering attacks.
Chapter 3, "Application and Network Attacks," explores Web application attacks (cross-site scripting, SQL, XML, and command injection attacks) along with client-side application attacks. It also looks at the attacks directed at networks.
Chapter 4, "Vulnerability Assessment and Mitigating Attacks," gives an overview of vulnerability assessment techniques and tools. It also compares vulnerability scanning with penetration testing. The chapter closes by exploring steps for mitigating and deterring attacks.
Chapter 5, "Host, Application, and Data Security," examines steps for securing host computer systems along with securing applications. It also explores how data can be secured.
Chapter 6, "Network Security," explores how to secure a network through standard network devices, through network technologies, and by network design elements.
Chapter 7, "Administering a Secure Network," looks at the techniques for administering a network. This includes understanding common network protocols, employing network design principles, and securing network applications.
Chapter 8, "Wireless Network Security," explores security in wireless local area network and personal area network environments. It investigates wireless attacks, the vulnerabilities of wireless networks, and enhanced security protections for personal users as well as for enterprises.
Chapter 9, "Access Control Fundamentals," introduces the principles and practices of access control by examining access control terminology, the three standard control models, and best practices. It also covers implementing access control methods and explores authentication services.
Chapter 10, "Authentication and Account Management," examines the definition of authentication and explores authentication credentials. It also looks at single sign-on, account management, and trusted operating systems.
Chapter 11, "Basic Cryptography," explores how encryption can be used to protect data. It covers what cryptography is and how it can be used for protection, how to protect data using three common types of encryption algorithms, and how to use cryptography on file systems and disks to keep data secure.
Chapter 12, "Advanced Cryptography," looks at practical methods for applying cryptography to protect data. The chapter explores digital certificates and how they can be used, public key infrastructure and key management, and how to use cryptography on data that is being transported.
Chapter 13, "Business Continuity," covers the importance of keeping business processes and communications operating normally in the face of threats and disruptions. It explores disaster recovery, environmental controls, and incident response procedures.
Chapter 14, "Risk Mitigation," looks at how organizations can control and reduce risk. It also explores how education and training can help provide the tools to users to maintain a secure environment within the organization.
Appendix A, "CompTIA SY0-301 Certification Examination Objectives," provides a complete listing of the latest CompTIA Security+ certification exam objectives and shows the chapters and headings in the book that cover material associated with each objective.
Appendix B, "Downloads and Tools for Hands-On Projects," lists the Web sites used in the chapter Hands-On Projects.
Appendix C, "Security Web Sites," offers a listing of several important Web sites that contain security-related information.
Appendix D, "Selected TCP/IP Ports and Their Threats," lists common TCP ports and their security vulnerabilities.
Appendix E, "Sample Internet and E-Mail Acceptable Use Policies," gives a comprehensive example of two acceptable use policies.
Appendix F, "Information Security Community Site," lists the features of the companion Web site for the textbook.
Features
To aid you in fully understanding computer and network security, this book includes many features
designed to enhance your learning experience.
Maps to CompTIA Objectives. The material in this text covers all of the CompTIA Security+
SY0-301 exam objectives.
Chapter Objectives. Each chapter begins with a detailed list of the concepts to be mastered within that chapter. This list provides you with both a quick reference to the chapter's contents and a useful study aid.
Today's Attacks and Defenses. Each chapter opens with a vignette of an actual security attack or defense mechanism that helps to introduce the material covered in that chapter.
Illustrations and Tables. Numerous illustrations of security vulnerabilities, attacks, and
defenses help you visualize security elements, theories, and concepts. In addition, the many
tables provide details and comparisons of practical and theoretical information.
Chapter Summaries. Each chapter's text is followed by a summary of the concepts introduced in that chapter. These summaries provide a helpful way to review the ideas covered in each chapter.
Key Terms. All of the terms in each chapter that were introduced with bold text are gathered
in a Key Terms list with definitions at the end of the chapter, providing additional review and
highlighting key concepts.
Review Questions. The end-of-chapter assessment begins with a set of review questions that reinforce the ideas introduced in each chapter. These questions help you evaluate and apply the material you have learned. Answering these questions will ensure that you have mastered the important concepts and provide valuable practice for taking CompTIA's Security+ exam.
Hands-On Projects. Although it is important to understand the theory behind network
security, nothing can improve on real-world experience. To this end, each chapter provides
several Hands-On Projects aimed at providing you with practical security software and
hardware implementation experience. These projects use the Windows 7 and Windows Server
2008 operating systems, as well as software downloaded from the Internet.
Case Projects. Located at the end of each chapter are several Case Projects. In these extensive
exercises, you implement the skills and knowledge gained in the chapter through real design
and implementation scenarios.
New to this Edition
Fully maps to the latest CompTIA Security+ exam SY0-301
Updated information on the latest security attacks and defenses
Expanded in-depth coverage of topics such as virus infections, social engineering attacks,
SQL injection, and others
New material on Web application attacks, client-side attacks, mobile device security, fuzz
testing, data loss prevention, cloud computing, and other topics
Additional Hands-On Projects in each chapter covering some of the latest security software
More Case Projects in each chapter
Information Security Community Site activity in each chapter allows learners to interact with
other learners and security professionals from around the world
Text and Graphic Conventions
Wherever appropriate, additional information and exercises have been added to this book to help
you better understand the topic at hand. Icons throughout the text alert you to additional materials.
The following icons are used in this textbook:
The Note icon draws your attention to additional helpful material related
to the subject being described.
Tips based on the author's experience provide extra information about how to attack a problem or what to do in real-world situations.
The Caution icons warn you about potential mistakes or problems, and
explain how to avoid them.
Each Hands-On activity in this book is preceded by the Hands-On icon
and a description of the exercise that follows.
Case Project icons mark Case Projects, which are scenario-based assign-
ments. In these extensive case examples, you are asked to implement inde-
pendently what you have learned.
Security+ icons list relevant CompTIA Security+ SY0-301 exam objectives
for each major chapter heading.
CertBlaster Test Prep Resources
Security+ Guide to Network Security Fundamentals includes CertBlaster test preparation ques-
tions that mirror the look and feel of the CompTIA Security+ certification exam. For additional
information on the CertBlaster test preparation questions, go to http://www.dtipublishing.com.
To log in and access the CertBlaster test preparation questions for CompTIA's Security+ Certification exam, please go to http://www.certblaster.com/cengage.htm.
To install CertBlaster:
1. Click the title of the CertBlaster test prep application you want to download.
2. Save the program (.EXE) file to a folder on your C: drive. (Warning: If you skip this step,
your CertBlaster will not install correctly.)
3. Click Start and choose Run.
4. Click Browse and then navigate to the folder that contains the .EXE file. Select the .EXE file
and click Open.
5. Click OK and then follow the on-screen instructions.
6. When the installation is complete, click Finish.
7. Click Start, choose All programs, and click CertBlaster.
To register CertBlaster:
1. Open the CertBlaster test you want by double-clicking it.
2. In the menu bar, click File > Register Exam and enter the access code when prompted. Use the access code provided inside the card placed in the back of this book.
What's New with CompTIA Security+ Certification
The CompTIA Security+ SY0-301 exam was updated in May 2011. There are several significant changes to the exam objectives. The exam objectives have been reorganized into six domains: Network Security; Compliance and Operational Security; Threats and Vulnerabilities; Application, Data, and Host Security; Access Control and Identity Management; and Cryptography. Each domain has been reorganized and expanded to more accurately reflect current security issues and knowledge requirements. Finally, the exam objectives now place more importance on knowing "how to" rather than just knowing or recognizing security concepts.
Here are the domains covered on the new Security+ exam:
Domain % of examination
1.0 Network Security 21%
2.0 Compliance and Operational Security 18%
3.0 Threats and Vulnerabilities 21%
4.0 Application, Data, and Host Security 16%
5.0 Access Control and Identity Management 13%
6.0 Cryptography 11%
How To Become CompTIA Certified
In order to become CompTIA certified, you must:
1. Select a testing center and a certification exam provider. For more information, visit the follow-
ing Web site: http://certification.comptia.org/getCertified/steps_to_certification.aspx.
2. Register for and schedule a time to take the CompTIA certification exam at a convenient location.
3. Take and pass the CompTIA certification exam.
For more information about CompTIA's certifications, please visit http://certification.comptia.org/getCertified.aspx.
CompTIA is a nonprofit information technology (IT) trade association.
To contact CompTIA with any questions or comments, call 866-835-8020 or visit http://certification.comptia.org/contact.aspx. The Computing Technology Industry Association (CompTIA) is the voice of the world's information technology (IT) industry. Its members are the companies at the forefront of innovation and the professionals responsible for maximizing the benefits organizations receive from their investments in technology.
CompTIA is dedicated to advancing industry growth through its educational programs, market research, networking events, professional certifications, and public policy advocacy.
CompTIA is a not-for-profit information technology (IT) trade association. CompTIA's certifications are designed by subject matter experts from across the IT industry. Each CompTIA certification is vendor-neutral, covers multiple technologies, and requires demonstration of skills and knowledge widely sought after by the IT industry.
Information Security Community Site
Stay Secure with the Information Security Community Site! Connect with students, professors, and professionals from around the world, and stay on top of this ever-changing field.
Visit www.cengage.com/community/infosec to do the following:
Download resources such as instructional videos and labs.
Ask authors, professors, and students the questions that are on your mind in our Discussion Forums.
See up-to-date news, videos, and articles.
Read weekly blogs from author Mark Ciampa.
Listen to podcasts on the latest information security topics.
Each chapter includes information on a current security topic and asks the learner to post their reac-
tions and comments to the Information Security Community Site. This allows users from around the
world to interact and learn from other users as well as with security professionals and researchers.
Additional information can be found in Appendix F, Information Security Community Site.
Instructor's Materials
A wide array of instructor's materials is provided with this book. The following supplemental materials are available for use in a classroom setting. All the supplements available with this book are provided to the instructor on a single CD-ROM and online at the textbook's Web site.
Electronic Instructor's Manual. The Instructor's Manual that accompanies this textbook includes the following items: additional instructional material to assist in class preparation, including suggestions for lecture topics, tips on setting up a lab for the Hands-On Projects, and solutions to all end-of-chapter materials.
ExamView Test Bank. This Windows-based testing software helps instructors design and admin-
ister tests and pre-tests. In addition to generating tests that can be printed and administered, this
full-featured program has an online testing component that allows students to take tests at the com-
puter and have their exams automatically graded.
PowerPoint Presentations. This book comes with a set of Microsoft PowerPoint slides for each
chapter. These slides are meant to be used as a teaching aid for classroom presentations, to be
made available to students on the network for chapter review, or to be printed for classroom distri-
bution. Instructors are also at liberty to add their own slides for other topics introduced.
Figure Files. All of the figures and tables in the book are reproduced on the Instructor Resources
CD. Similar to PowerPoint presentations, these are included as a teaching aid for classroom presen-
tation, to make available to students for review, or to be printed for classroom distribution.
Instructor Resources CD (ISBN: 9781111640156)
Please visit login.cengage.com and log in to access instructor-specific resources.
To access additional course materials, please visit www.cengagebrain.com. At the CengageBrain.com home page, search for the ISBN of your title (from the back cover of your book) using the search box at the top of the page. This will take you to the product page where these resources can be found.
Additional materials designed especially for you might be available for your course online. Go to
www.cengage.com/coursetechnology and search for this book title periodically for more details.
Total Solutions for Security
To access additional materials (including CourseMate, described in the next section), please visit
www.cengagebrain.com. At the CengageBrain.com home page, search for the ISBN of your title
(from the back cover of your book) using the search box at the top of the page. This will take you
to the product page for your book, where you will be able to access these resources.
CourseMate
Security+ Guide to Network Security Fundamentals, Fourth Edition offers CourseMate, a comple-
ment to your textbook. CourseMate includes the following:
An interactive eBook, with highlighting, note-taking, and search capabilities.
Interactive learning tools, including Quizzes, Flash Cards, PowerPoint slides, Glossary, and more!
Engagement Tracker, a first-of-its-kind tool that monitors student engagement in the course.
Go to login.cengage.com to access the following resources:
CourseMate Printed Access Code (ISBN: 9781111640231)
CourseMate Instant Access Code (ISBN: 9781111640248)
Lab Manual for Security+ Guide to Network Security Fundamentals, Fourth Edition
Companion to Security+ Guide to Network Security Fundamentals, Fourth Edition. This Lab
Manual contains over 60 labs to provide students with additional hands-on experience and to help
prepare for the Security+ exam. The Lab Manual includes lab activities, objectives, materials lists,
step-by-step procedures, illustrations, and review questions.
Lab Manual (ISBN: 9781111640132)
CourseNotes
This laminated quick reference card reinforces critical knowledge for CompTIA's Security+ exam in
a visual and user-friendly format. CourseNotes will serve as a useful study aid, supplement to the
textbook, or as a quick reference tool during the course and afterward.
CourseNotes (ISBN: 9781111640347)
Web-Based Labs
Using a real lab environment over the Internet, students can log on anywhere, anytime via a Web
browser to gain essential hands-on experience in security using labs from Security+ Guide to
Network Security Fundamentals, Fourth Edition.
Web-Based Labs (ISBN: 9781111640163)
dtiMetrics
dtiMetrics is an online testing system that automatically grades students and keeps class and student
records. dtiMetrics tests against Cengage's textbook as well as against the CompTIA Security+ certification exam, including a quiz for each chapter in the book along with a mid-term and final exam.
dtiMetrics is managed by the classroom instructor, who has 100 percent of the control, 100 percent
of the time. It is hosted and maintained by dtiPublishing.
dtiMetrics (ISBN: 9781111640330)
LabConnection
LabConnection provides powerful computer-based exercises, simulations, and demonstrations for
hands-on skills courses such as this. It can be used as both a virtual lab and as a homework assign-
ment tool, and provides automatic grading and student record maintenance. LabConnection maps
directly to the textbook and provides remediation to the text and to the CompTIA Security+ certifi-
cation exam. It includes the following features:
Enhanced comprehension: Through the LabConnection labs and guidance, while in the virtual lab environment, the student develops skills that are accurate and consistently effective.
Exercises: LabConnection includes dozens of exercises that assess and prepare the learner for the virtual labs, establishing and solidifying the skills and knowledge required to complete the lab.
Virtual labs: Labs consist of end-to-end procedures performed in a simulated environment where the student can practice the skills required of professionals.
Guided learning: LabConnection allows learners to make mistakes but alerts them to errors made before they can move on to the next step, sometimes offering demonstrations as well.
Video demonstrations: Video demonstrations guide the learners step by step through the labs while providing additional insights to solidify the concepts.
SCORM-compliant grading and record keeping: LabConnection will grade the exercises and record the completion status of the lab portion, easily porting to, and compatible with, distance learning platforms.
LabConnection Online (ISBN: 9781111640316)
LabConnection on DVD (ISBN: 9781111640293)
Web Tutor for Blackboard
WebTutor for Blackboard is a content-rich, Web-based teaching and learning aid that reinforces and
clarifies complex concepts while integrating into your Blackboard course. The WebTutor platform
also provides rich communication tools for instructors and students, making it much more than an
online study guide. Features include PowerPoint presentations, practice quizzes, and more, organized
by chapter and topic.
WebTutor for Blackboard (ISBN: 9781111640354)
About the Author
Mark Ciampa, Ph.D., Security+, is Assistant Professor of Computer Information Systems at Western
Kentucky University in Bowling Green, Kentucky. Previously, he served as Associate Professor
and Director of Academic Computing for 20 years at Volunteer State Community College in Gallatin,
Tennessee. Dr. Ciampa has worked in the IT industry as a computer consultant for the U.S. Postal
Service, the Tennessee Municipal Technical Advisory Service, and the University of Tennessee. He is
also the author of many Cengage/Course Technology textbooks, including: CWNA Guide to
Wireless LANs, Second Edition; Guide to Wireless Communications; Security+Guide to Network
Security Fundamentals, Third Edition; Security Awareness: Applying Practical Security in Your
World; and Networking BASICS. He holds a Ph.D. in digital communications systems from Indiana
State University.
Acknowledgments
A large team of dedicated professionals all contributed to the creation of this book. I am honored
to be part of such an outstanding group of professionals, and to everyone on the team I extend my
sincere thanks. A special thanks goes to Executive Editor Stephen Helba for giving me the opportu-
nity to work on this project and for providing his continual support. Also thanks to Senior Product
Manager Michelle Cannistraci who was very supportive and helped keep this fast-moving project
on track, and to GreenPen QA for carefully reviewing the book and identifying many corrections.
And a big Thank You to the team of peer reviewers who evaluated each chapter and provided very
helpful suggestions and contributions: Angela Herring (Wilson Community College), Ahmad
Nasraty (Heald University), Jerry Sherrod (Pellissippi State Community College), Richard Smolenski
(Westwood College), and Bruce Waugh (Craven Community College).
Special recognition again goes to Developmental Editor Deb Kaufmann. She is everything, and more, that an author could ask for. Deb made many helpful suggestions, found all of my errors, watched every small detail, and somehow turned my words into a book. On top of it all, Deb is a joy to work with. Without question, Deb is simply the very best there is.
And finally, I want to thank my wonderful wife, Susan. Once again, she was patient and support-
ive of me throughout this project. I could not have written this book without her by my side.
Dedication
To Braden, Mia, and Abby.
To the User
This book should be read in sequence, from beginning to end. Each chapter builds upon those that
precede it to provide a solid understanding of networking security fundamentals. The book may also
be used to prepare for CompTIA's Security+ certification exam. Appendix A pinpoints the chapters and sections in which specific Security+ exam objectives are located.
Hardware and Software Requirements
Following are the hardware and software requirements needed to perform the end-of-chapter Hands-
On Projects:
Microsoft Windows 7
Windows Server 2008
An Internet connection and Web browser
Microsoft Office 2007 or Office 2003
Microsoft Office Outlook
Specialized Requirements
Whenever possible, the need for specialized requirements was kept to a minimum. The following chapter requires a specialized environment:
Chapter 6: An Active Directory environment and WSUS installed on a Windows Server 2008 server
Free Downloadable Software Requirements
Free, downloadable software is required for the Hands-On Projects in the following chapters. Appen-
dix B lists the Web sites where these can be downloaded.
Chapter 1:
Secunia Personal Software Inspector
Microsoft Windows Malicious Software Removal Tool
Chapter 2:
Irongeek Thumbscrew
Microsoft RootkitRevealer
Wolfeye Keylogger
Chapter 3:
GRC Securable
Chapter 4:
GFI LANguard Vulnerability Scanner
Unetbootin
BackTrack
Chapter 6:
ThreatFire
K9 Web Protection
Chapter 7:
Glub Secure FTP Client
Google Namebench
Gladinet
VMware vCenter
VMware Player
Chapter 8:
Xirrus Wi-Fi Monitor
Vistumbler
KLC Consulting SMAC
Virtual Router
Chapter 10:
KeePass Password Safe
LastPass
Chapter 11:
MD5DEEP
Hash Tab
TrueCrypt
Chapter 12:
Comodo Digital Certificate
Chapter 13:
Macrium Reflect
Briggs Software Directory Snoop
References
i. Lohrmann, Dan. "Should Governments Join Banks in Seeking Customers' Help Online?" Government Technology Blogs, July 30, 2010, accessed Feb. 28, 2011, http://www.govtechblogs.com/lohrmann_on_infrastructure/2010/07/should-governments-join-banks.php.
ii. "419 Advance Fee Fraud Statistics 2009," Jan. 2010, accessed Feb. 28, 2011, http://www.ultrascan-agi.com/public_html/html/public_research_reports.html.
iii. Santana, Juan. "European commission suspends CO2 credit trading due to cyber-attack," Panda Security Insight Blog, Jan. 25, 2011, accessed Feb. 28, 2011, http://www.pandainsight.com/en/.
iv. "Case Study: Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World's Password Security System," Georgia Tech Research Institute, accessed Feb. 28, 2011, http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System.
v. Popa, Bogdan. "2,244 Hacker Attacks Per Day," Softpedia, Feb. 9, 2007, accessed Feb. 28, 2011, http://news.softpedia.com/news/2-244-Hacker-Attacks-Per-Day-46688.shtml.
vi. "2011 IT Salary and Skills Pay Benchmark Survey Research," accessed Feb. 28, 2011, http://www.footepartners.com/.
Today's Security Imperative and Security Certification
Contributed by Carol Balkcom,
Director of Product Management, CompTIA
Cyber security has become a U.S. national, and now international, concern as serious cyber attacks are being launched on banks and multi-national corporations across country boundaries. There has been a significant rise in security training and certification worldwide. In fact, Security+ is the fastest growing certification in CompTIA's certification portfolio. Organizations of every kind have realized that they can no longer afford to have IT staff who are not proven in the latest information security technologies and practices.
Today we see the impact of U.S. military requirements on certification; both military information assurance personnel and IT employees of government contractor companies who have contracts with the military are required to be certified, under the terms of their contracts. Included are many types of companies, from software companies to systems integrators to manufacturing and service companies. Government agencies such as the U.S. State Department have special employee incentive programs in place, and governments and militaries from Canada to the Middle East have begun regular security training and certification in Security+.
Research
Surveys show that criminal theft of information can be traced, in many cases, to human error within companies, or to failure to have adequate security policies and training. CompTIA security research published in late 2010 shows that IT professionals attribute slightly more of the blame for security breaches to human error or shortcomings than to technology shortcomings.[1] Additionally, the data suggests the human error factor is on the rise as a cause of security breaches.
"Vendor-Neutral" vs. "Vendor-Specific" Certification
When an IT professional decides to complement his or her experience with certification, a vendor-
neutral certification is often the first type of exam taken. A vendor-neutral exam is one that tests for knowledge of a subject across platforms and products, without being tied to any specific product, while validating baseline skills and knowledge in that subject area. CompTIA exams are vendor-neutral exams and serve that portion of the IT population who have a good foundation in their
chosen field and want to become certified. Individuals who take CompTIA Security+ are serious
about their role in information security. They typically have at least two years of hands-on technical
security experience. They may have also taken an exam like CompTIA Network+ as a first entry into
certification.
Who Is Becoming Certified
There is a long list of employers where significant numbers of staff in IT roles are becoming Comp-
TIA Security+ certified. Here are just a few of the significant ones:
Booz Allen Hamilton, HP, IBM, Motorola, Verisign, Telstra, Hitachi, Ricoh, Sharp, Lockheed
Martin, Unisys, Hilton Hotels Corp., General Mills, U.S. Navy, Army, Air Force, and Marines.
[1] Eighth Annual Global Information Security Trends, November 2010.
While the majority of CompTIA Security+ certified professionals are in North America, there are
growing numbers in over 100 countries, with a solid and growing base especially in Japan, the UK,
Germany, Canada, and Southeast Asia. The need for information security training and certification
has never been greater, and has become a worldwide issue.
chapter 1
Introduction to Security
After completing this chapter, you will be able to do
the following:
Describe the challenges of securing information
Define information security and explain why it is important
Identify the types of attackers that are common today
List the basic steps of an attack
Describe the five basic principles of defense
"Groundbreaking," "amazing," "never seen before," "extremely impressive," "clever," "something out of a movie," "scary," "the most sophisticated malware ever," "other attacks are child's play compared to it." These are just a few of the descriptions security researchers used for the Stuxnet malware.
The Stuxnet worm was first widely reported in mid-2010, although it's now thought that it first appeared almost a year earlier. Shortly after it became widely recognized, Microsoft confirmed the worm was actively targeting Windows computers that managed large-scale industrial-control systems, which are often referred to as SCADA (Supervisory Control and Data Acquisition). SCADA can be found in military installations, oil pipeline control systems, manufacturing environments, and nuclear power plants. At first, it was thought that Stuxnet took advantage of a single, previously unknown, software vulnerability. Upon closer inspection, it was found that Stuxnet exploited four unknown vulnerabilities, something never seen before. (One of these vulnerabilities was "patched" in 2008 by Microsoft, but the fix was flawed and could still be exploited.)
Stuxnet, written in multiple languages, including C, C++, and other object-oriented languages, was introduced to industrial networks through infected Universal Serial Bus (USB) flash drives. It also used several tricks to avoid detection. Stuxnet had an internal counter that allowed it to spread from each infected flash drive to a maximum of three computers. This design ensured that it stayed only within the industrial facility and didn't attract outside attention. Also, because SCADA systems often have limited logging capabilities to record events and are rarely patched, the worm could live for a long period of time before being detected.
Stuxnet exploited Windows vulnerabilities to gain administrative access to computers on the local network of an industrial plant and then looked for computers running SCADA software. Next, it infected these SCADA computers, through two other vulnerabilities, and tried to break into the SCADA software by using its default passwords. Stuxnet was designed to alter the programmable logic controller (PLC) software instructions of the SCADA systems, which would then give it power over the industrial machinery attached to the SCADA computers. This would put the entire facility under the control of the attacker, who could make the equipment operate in an unsafe manner, resulting in a massive explosion or, even worse, a nuclear catastrophe.
It is speculated that Stuxnet's primary target was the Iranian Bushehr nuclear power plant (almost six out of ten Stuxnet-infected computers have been traced back to Iran).
This reactor, located in southwestern Iran near the Persian Gulf, has been a source of
tension between Iran and the West (including the United States) because of fear that
(continued)
Todays Attacks and
Defenses
2Chapter 1 Introduction to Security
When historians reflect back on the early part of the twenty-first century, it is likely that one
word will figure prominently: security. At no other time in the worlds history have we been
forced to protect ourselves and our property from continual attacks by invisible foes. Suicide
car bombings, subway massacres, airplane hijackings, random shootings, and guerrilla com-
mando raids occur regularly around the world. To counteract this violence, governments and
other organizations have implemented new types of security defenses. Passengers using public
transportation are routinely searched. Fences are erected across borders. Telephone calls are
monitored. The result is that these attacks and the security defenses have impacted almost
every element of our daily lives and significantly affect how all of us work, play, and live.
One area that has also been an especially frequent target of attacks is information technology
(IT). Seemingly endless arrays of attacks are directed at corporations, banks, schools, and indivi-
duals through their computers, laptops, smartphones, pad computers, and similar technology
devices. Internet Web servers must resist thousands of attacks daily. Identity theft has sky-
rocketed. An unprotected computer connected to the Internet can be infected in less than one
minute. One study found that over 48 percent of 22.7 million computers analyzed were infected
with malware.
1
Phishing, rootkits, back doors, social engineering, zombies, and botnets
virtually unheard of just a few years agoare now part of our everyday information secu-
rity vocabulary.
The need to defend against these attacks on our technology devices has created a new element
of IT that is now at the very core of the entire industry. Known as information security, it is
focused on protecting the electronic information of organizations and users.
The demand for IT professionals who know how to secure networks and computers is at an
all-time high. Today, many businesses and organizations require employees as well as job
applicants to demonstrate that they are familiar with computer security practices. To verify
security competency, a vast majority of organizations use the CompTIA Security+ certifica-
tion. As the most widely recognized vendor-neutral security certification, Security+ has become
the security foundation for todays IT professionals.
There are two broad categories of information security positions. Information security
managerial positions include the administration and management of plans, policies, and peo-
ple. Information security technical positions are concerned with the design, configuration,
spent fuel from the reactor could be reprocessed elsewhere in the country to produce
weapons-grade plutonium for use in nuclear warheads. Some have even speculated
that an unnamed government-sponsored team of programmersor even teams from
multiple opposition governmentscreated Stuxnet to cripple the Bushehr facility.
Based on the complexity of the software, it is estimated that the cost for developing
Stuxnet could have exceeded $4 million.
As far as can be determined, Stuxnet never did gain control of any SCADA systems
or cause damage to industrial sites. No person or organization has yet stepped for-
ward as the author of Stuxnet, so it remains cloaked in secrecy. Although we may
not know who was behind it and why, Stuxnet is just one example of how extremely
dangerous malicious software can be.
Introduction to Security 3
installation, and maintenance of technical security equipment. Within these two broad catego-
ries, there are four generally recognized security positions:
Chief Information Security Officer (CISO). This person reports directly to the CIO
(large organizations may have more layers of management for reporting). Other titles
used are Manager for Security and Security Administrator. They are responsible for the
assessment, management, and implementation of security.
Security manager. The security manager reports to the CISO and supervises
technicians, administrators, and security staff. Typically, a security manager works on
tasks identified by the CISO and resolves issues identified by technicians. This position
requires an understanding of configuration and operation but not necessarily technical
mastery.
Security administrator. The security administrator has both technical knowledge and
managerial skills. A security administrator manages daily operations of security
technology, and may analyze and design security solutions within a specific entity as
well as identify users' needs.
Security technician. This is generally an entry-level position for a person who has the
necessary technical skills. Technicians provide technical support to configure security
hardware, implement security software, and diagnose and troubleshoot problems.
Recent employment trends indicate that employees with security certifications are in high
demand. As attacks continue to escalate, the need for trained security personnel also increases.
Unlike many IT positions, security roles are rarely offshored or outsourced. Because security is
such a critical element in an organization, security positions generally remain within the organi-
zation. In addition, security positions do not lend themselves to on-the-job training, where a
person can learn as they go; the risk is simply too great. IT employers want and pay a premium
for certified security personnel.
A study by Foote Partners showed that security certifications will earn employees 10 to 14
percent more pay than their uncertified counterparts.[2]
The CompTIA Security+ Certification is a vendor-neutral credential that requires passing
the current certification exam SY0-301. This exam is internationally recognized as validat-
ing a foundation-level of security skills and knowledge. A successful candidate has the
knowledge and skills required to identify risks and participate in risk mitigation activities;
provide infrastructure, application, operational and information security; apply security
controls to maintain confidentiality, integrity, and availability; identify appropriate tech-
nologies and products; and operate with an awareness of applicable policies, laws, and
regulations.
The CompTIA Security+ Certification is aimed at an IT security pro-
fessional with the recommended background of a minimum of two
years experience in IT administration with a focus on security. Such
a professional is involved with daily technical information security
experience, and has a broad knowledge of security concerns and
implementation.
This chapter introduces network security fundamentals that form the basis of the Security+
certification. It begins by examining the current challenges in computer security and why it is
so difficult to achieve. It then describes information security in more detail and explores why
it is important. Finally, the chapter looks at who is responsible for these attacks and at the
fundamental defenses against attackers.
Challenges of Securing Information
Although to a casual observer it may seem that there should be a straightforward solution to
securing computers, such as using a better software product or creating a stronger password,
in reality there is no simple solution to securing information. This can be seen through the
different types of attacks that users face today as well as the difficulties in defending against
these attacks.
Today's Security Attacks
Despite the fact that information security continues to rank as the number one concern of IT
managers and tens of billions of dollars are spent annually on computer security, the number
of successful attacks continues to increase. Information regarding recent attacks includes the
following:
Fake anti-virus attacks are responsible for half of all malware delivered by Web
advertising, which increased 500 percent in one 12-month period. Over 11,000
domains are involved with fake anti-virus distribution, and that number is increasing.[3]
In one example, a user who clicks an advertisement on a Web page offering a
free online vulnerability scan suddenly sees a window that informs the user that the
computer is infected. The pop-up window directs the user to click a button to
purchase anti-virus software to disinfect their computer. However, this window
cannot be closed, and even rebooting the system does not clear the message. In
desperation, many users finally enter their credit card number to purchase the
anti-virus software. Their credit card number is then transmitted to an attacker, who
uses it to make online purchases. At the same time, other malware software is
installed on the computer while the pop-up window remains open on the computer
and never goes away.
Approximately 80 percent of households in the United States use the Internet for
managing their finances, up from only 4 percent just 15 years ago. And the trend is
toward even more online banking. There are now Internet-only banks, with no
physical branches to visit. One new bank is planning to limit its membership to
smartphone users (although these users can access their account information from
their computers as well). Yet the number of malware attacks against online banking
is increasing annually by almost 60,000. About 85 percent of banks reported that
they have sustained losses based on these attacks. The American Bankers Association
says that consumers should monitor their online accounts for unauthorized
transactions on a continuous, almost daily, basis.[4]
A graphics processing unit (GPU), which is separate from the computer's central
processing unit (CPU), is used in graphics cards to render screen displays on
computers. Today, some of the work of a CPU can be offloaded to a GPU to
accelerate specific applications, most notably floating-point operations. A $500
GPU today can process about 2 trillion floating-point operations per second
(2 teraflops), whereas just 10 years ago the fastest supercomputer in the world only
ran at 7 teraflops and cost $110 million. Attackers are now using GPUs to
break passwords, computing enormous numbers of candidate password hashes in
parallel and comparing them against stolen hashes. Researchers at the Georgia Tech
Research Institute (GTRI) claim that an attacker with a computer that has a GPU
could easily break a relatively weak password. They state, "Right now we can
confidently say that a 7-character password is hopelessly inadequate." They go on to
say that any password with fewer than 12 characters could be vulnerable very soon,
if it is not already.[5]
According to a security report by IBM's X-Force, on average, 55 percent of software
vulnerabilities that were disclosed by vendors were not patched, which is an increase
from the previous year's 52 percent. The top ten vendors with the most disclosed yet
unpatched vulnerabilities were Sun Microsystems (24%), Microsoft (23.2%), Mozilla
(21.3%), Apple (12.9%), IBM (10.3%), Google (8.6%), Linux (8.2%), Oracle
(6.8%), Cisco (6%), and Adobe (2.9%).[6]
Over 135 employees at 17 of the Fortune 500 companies (including Google,
Walmart, Symantec, Cisco, Microsoft, Pepsi, Coca-Cola, and Ford) were called
on the phone by individuals participating in a DEF CON hacking conference
contest. The callers tried to get information from these employees that could be
used in an attack. Callers could not ask for passwords or Social Security numbers,
but they tried to find out information that could be useful to attackers, such as
what operating system, anti-virus software, and browser their victims used. In
addition, they also tried to persuade these employees to visit unauthorized Web
pages. Of the 135 employees who were called, only five refused to provide any
corporate information or visit the unauthorized Web sites (and all five were
women).[7]
An immigrant pretending to be "Prince Nana Kamokai of Sierra Leone" (or an
airport director from Ghana) sent thousands of e-mails asking for help in moving
money from Nigeria to the United States. By using fake documentation to convince his
victims that he was legitimate, he persuaded them to wire him fees to cover "courier
services" or as "PIN code fees." After five years, he had made more than $1.3
million from 67 known victims. Yet this was only a drop in the bucket for this scam,
known as the Nigerian 419 Advance Fee Fraud (419 is the section of the Nigerian
criminal code that addresses fraud). To date, it is estimated that over $41 billion has
been lost by victims of this scam, with $9.3 billion lost in 2009 alone. According to
the U.S. Federal Bureau of Investigation (FBI), this scam is the number-one type of
Internet fraud and is growing at a rate of 5 percent annually.[8]
Firesheep is a free, open-source Firefox browser extension introduced in late 2010.
An attacker can install this add-on and then connect to an unencrypted wireless
network at a coffee shop, hotel, or library. Once the attacker clicks Start Capturing,
Firesheep watches the network traffic for the session cookies that Web sites it knows
about (such as Facebook, Twitter, Amazon, Foursquare, Dropbox, Windows Live,
WordPress, or Flickr) send in cleartext over HTTP once a user has logged in. Anyone
using the wireless network who visits one of these sites has their name and even their
photo displayed in the attacker's browser. The attacker can then double-click the name
and, by replaying the captured cookie, be logged in as that person to that account,
without ever learning the victim's password.
According to Panda Security, over 20 million new specimens of malware, including
new malware as well as variants of existing families, were created between January
and October of 2010. This means that the average number of new threats created and
distributed every day increased from 55,000 in 2009 to 63,000 in 2010. In one
month, over 2 million files were identified as malware.[9]
An analysis of 700,000 recorded attacks on computers in one week revealed that
about one out of every eight attacks came by way of USB flash drives.[10] A user's USB
device may become infected at home, where there is less security. When the user brings
the infected device into the office and inserts it into a work computer, that computer is
then infected. In addition, attackers leave infected USB flash drives in parking lots and
other common areas outside an office, tempting users to pick them up on the way to
their office and insert them into their computers.
Two former students at a college in Missouri were indicted on a series of charges
for breaking into the school's computers. These students (1) stole personal data
on 90,000 students, faculty, staff, and alumni and tried to sell it for $35,000;
(2) obtained the username and password of a residence hall director to access a
university computer and then on 30 different occasions transferred university
funds (from $50 to $4,300) to their own student accounts; (3) used their
Facebook accounts to threaten potential witnesses; and (4) created a virus and
infected other university computers that allowed them to monitor activity, record
keystrokes, steal data, and even remotely turn on the computers' webcams to
watch users.[11]
In late 2010, Apple released patches to address 134 security flaws (in March 2010,
it released patches to fix 90 flaws) in its Leopard and Snow Leopard versions of Mac OS X.
An additional 25 nonsecurity fixes addressed stability issues. The patch was between
240 MB and 645 MB, depending on the version of Mac OS X.[12]
Researchers at the University of Maryland attached four computers equipped with
weak passwords to the Internet for 24 days to see what would happen. These
computers were hit by an intrusion attempt on average once every 39 seconds, or
2,244 attacks each day, for a total of 270,000 attacks. Over 825 of the attacks were
successful, enabling the attackers to access the computers.[13]
In 2010, smartphones outsold computers for the first time (421 million smartphones
to 365 million personal computers). With the proliferation of smartphones, which are
essentially mobile computing devices, attackers are turning their attention to them.
The mobile-security company Lookout reported that it detected malware on 9 percent
of the smartphones that it had scanned.[14]
The number of security breaches that have exposed users' digital data to
attackers continues to rise. Table 1-1 lists some of the major security breaches that
occurred during a one-month period, according to the Privacy Rights Clearinghouse.
From January 2005 through February 2011, over 514 million electronic data records
in the United States had been breached, exposing to attackers a range of personal
electronic data, such as addresses, Social Security numbers, health records, and credit
card numbers.[15]
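The GPU password-cracking item in the list above comes down to arithmetic that is worth seeing run. The following Python is an added example written for this edition's commentary, not code from the textbook or from the GTRI researchers. It exhausts the keyspace for a short password protected by an unsalted fast hash (MD5), extrapolates the time needed for longer passwords at an assumed rate of one billion guesses per second (the rate is an illustrative assumption, not a figure from the text), and contrasts the fast hash with PBKDF2, a deliberately slow key-derivation function that multiplies the attacker's cost per guess. The password "cat" and the salts are constructed for the example.

```python
"""Offline password guessing: keyspace arithmetic, a brute-force run against a fast
hash, and the slow-KDF defense.  Added example, not code from the textbook; the
GPU guess rate below is an assumption chosen for illustration."""
import hashlib
import itertools
import string
import time

LOWER = string.ascii_lowercase                                               # 26 symbols
ALNUM = string.ascii_letters + string.digits                                 # 62 symbols
PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "  # 95 symbols

# Assumed rate of one GPU against an unsalted fast hash such as MD5 (illustrative only).
ASSUMED_GPU_GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 31_557_600


def md5_hex(data: bytes) -> str:
    """The fast, unsalted hash an attacker hopes to find in a stolen password file."""
    return hashlib.md5(data).hexdigest()


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def brute_force(target_hex: str, alphabet: str, max_len: int, hash_fn=md5_hex):
    """Try every candidate of 1..max_len symbols; return (password, attempts) or (None, attempts)."""
    attempts = 0
    for n in range(1, max_len + 1):
        for symbols in itertools.product(alphabet, repeat=n):
            attempts += 1
            candidate = "".join(symbols)
            if hash_fn(candidate.encode()) == target_hex:
                return candidate, attempts
    return None, attempts


def pbkdf2_guess(candidate: bytes, salt: bytes, iterations: int) -> str:
    """One guess against a PBKDF2-protected hash costs `iterations` HMAC computations
    instead of one, and the salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", candidate, salt, iterations).hex()


def measure_rate(hash_fn, seconds: float = 0.2) -> float:
    """Guesses per second of hash_fn on this CPU (timing only; not deterministic)."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(b"candidate")
        n += 1
    return n / seconds


if __name__ == "__main__":
    target = md5_hex(b"cat")   # constructed: a 3-letter password stored as unsalted MD5
    print("recovered:", brute_force(target, LOWER, 3))   # ('cat', 2074)
    for name, size in (("lowercase", 26), ("alphanumeric", 62), ("printable", 95)):
        for length in (7, 12):
            secs = seconds_to_exhaust(size, length, ASSUMED_GPU_GUESSES_PER_SECOND)
            print(f"{name:13} {length:2} chars: {secs / SECONDS_PER_YEAR:.3g} years at 1e9 guesses/s")
    md5_rate = measure_rate(md5_hex)
    kdf_rate = measure_rate(lambda b: pbkdf2_guess(b, b"salt", 100_000))
    print(f"this CPU: MD5 {md5_rate:.3g}/s vs PBKDF2(100k) {kdf_rate:.3g}/s, "
          f"slowdown x{md5_rate / kdf_rate:.3g}")
```

At the assumed rate every 7-character lowercase password falls in about eight seconds, while 12 printable characters take on the order of 10^14 seconds; the same arithmetic explains the GTRI quote. The PBKDF2 timing shows the defender's lever: the iteration count raises the cost of each guess by the same factor on the attacker's GPU as on the server.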
Security attacks continue to be a major concern of all IT users, especially those personnel
responsible for protecting an organization's information.
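The Firesheep item in the list above describes session sidejacking: a site that keeps serving pages over unencrypted HTTP after login sends the user's session cookie in the clear, and anyone on the same network can capture and replay it. The following Python is an added example, not code from the textbook or from Firesheep itself. The hostnames, session-cookie names and captured requests are constructed for illustration; the audit function shows the Set-Cookie attributes a site owner checks to close the hole.

```python
"""Session sidejacking as Firesheep performed it, plus the cookie-attribute check a
site owner uses to close the hole.  Added example, not code from the textbook or from
Firesheep; the site list, cookie names and captured traffic below are constructed."""

# Firesheep shipped one "handler" per supported site naming the cookie(s) that carry a
# login session.  These hostnames and cookie names are assumptions for this example.
SESSION_COOKIES = {
    "social.example": {"sid"},
    "shop.example": {"session_id"},
}

# Constructed cleartext HTTP requests, as a sniffer on an open Wi-Fi network would see them.
CAPTURE = [
    b"GET /home HTTP/1.1\r\nHost: social.example\r\nCookie: theme=dark; sid=7f3a9c1e22\r\n\r\n",
    b"GET /cart HTTP/1.1\r\nHost: shop.example\r\nCookie: session_id=abc123\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: news.example\r\nCookie: lang=en\r\n\r\n",
    b"GET /logo.png HTTP/1.1\r\nHost: social.example\r\n\r\n",
]


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request into (method, path, {lower-case header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(cookie_header: str) -> dict:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def harvest_sessions(capture):
    """Attacker's view: (host, {session cookie: value}) for every request that leaks a known
    session cookie in the clear.  Replaying that cookie logs the attacker in as the victim,
    with no need for the password."""
    stolen = []
    for raw in capture:
        _method, _path, headers = parse_request(raw)
        host = headers.get("host", "").split(":")[0]
        wanted = SESSION_COOKIES.get(host)
        if not wanted or "cookie" not in headers:
            continue
        session = {k: v for k, v in parse_cookies(headers["cookie"]).items() if k in wanted}
        if session:
            stolen.append((host, session))
    return stolen


def audit_set_cookie(set_cookie_header: str):
    """Defender's check on a Set-Cookie response header.  Without the Secure attribute the
    browser also sends the cookie over plain http://, which is exactly what Firesheep
    captured; without HttpOnly it is additionally readable by injected script."""
    name_value, *attributes = [p.strip() for p in set_cookie_header.split(";")]
    name = name_value.partition("=")[0]
    flags = {a.partition("=")[0].lower() for a in attributes}
    findings = []
    if "secure" not in flags:
        findings.append("missing Secure: sent in cleartext over HTTP")
    if "httponly" not in flags:
        findings.append("missing HttpOnly: readable by injected script")
    return name, findings


if __name__ == "__main__":
    for host, session in harvest_sessions(CAPTURE):
        print(f"sidejackable session on {host}: {session}")
    for hdr in ("sid=7f3a9c1e22; Path=/; HttpOnly",
                "sid=7f3a9c1e22; Path=/; Secure; HttpOnly"):
        print(audit_set_cookie(hdr))
```

The harvest loop shows why the "known sites" list mattered: the tool only needed to know which cookie name carried the session for each site. The audit function is the corresponding server-side check; marking the session cookie Secure (and serving the whole site over HTTPS) is what removed these sites from Firesheep's reach.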
Organization | Description of security breach | Number of identities exposed
Grays Harbor Pediatrics, WA | A backup tape, stolen from an employee's car, was used for storing copies of paper records; patients may have had their names, Social Security numbers, insurance details, driver's license information, immunization records, medical history forms, previous doctor records, and patient medical records stolen | 12,000
Tulane University, LA | A university-issued laptop was stolen from an employee's car. It was used to process 2010 tax records for employees, students, and others; the information included names, Social Security numbers, salary information, and addresses | 10,000
Seacoast Radiology, NH | Patient names, Social Security numbers, addresses, phone numbers, and other personal information were exposed by a security breach | 231,400
Centra, GA | A laptop was stolen from the trunk of an employee's rental car that contained patient names and billing information | 11,982
Stony Brook University, NY | Student and faculty network and student IDs were posted online after a file with all registered student and faculty ID numbers was exposed | 61,001
deviantART, Silverpop Systems Inc., CA | Attackers exposed the e-mail addresses, usernames, and birth dates of the entire user database | 13,000,000
Twin America LLC, CitySights, NY | An attacker inserted a malicious script on a Web server and stole the customer database that contained customer names, credit card numbers, credit card expiration dates, CVV2 data, addresses, and e-mail addresses | 110,000
Ohio State University, OH | Unauthorized individuals logged into an Ohio State server and accessed the names, Social Security numbers, dates of birth, and addresses of current and former students, faculty, staff, University consultants, and University contractors | 750,000
Gawker, NY | Attackers gained access to the database and accessed staff and user e-mails and passwords | 1,300,000
Table 1-1 Selected security breaches involving personal information in a one-month period
Difficulties in Defending Against Attacks
The challenge of keeping computers secure has never been greater, not only because of the
number of attacks, but also because of the difficulties faced in defending against these attacks.
These difficulties include the following:
Universally connected devices. It is virtually unheard of today for a computer to not
be connected to the Internet. Although this greatly expands the functionality of that
device, it also makes it easy for an attacker halfway around the world to silently
launch an attack on any connected device.
Increased speed of attacks. With modern tools at their disposal, attackers can quickly
scan thousands of systems to find weaknesses and launch attacks with unprecedented
speed. Many tools can even initiate new attacks without any human participation,
thus increasing the speed at which systems are attacked.
Greater sophistication of attacks. Attacks are becoming more complex, making it
more difficult to detect and defend against them. Attackers today use common
Internet tools and protocols to send malicious data or commands to strike computers,
making it difficult to distinguish an attack from legitimate traffic. Other attack tools
vary their behavior so the same attack appears differently each time, further
complicating detection.
Availability and simplicity of attack tools. Whereas in the past an attacker needed to
have an extensive technical knowledge of networks and computers as well as the
ability to write a program to generate the attack, that is no longer the case. Today's
attack tools do not require any sophisticated knowledge. In fact, many of the tools
have a graphical user interface (GUI) that allows the user to select options easily from
a menu, as seen in Figure 1-1. These tools are freely available or can be purchased
from other attackers at a low cost. This is illustrated in Figure 1-2.
Faster detection of vulnerabilities. Weakness in software can be more quickly
uncovered and exploited with new software tools and techniques.
Delays in patching. Hardware and software vendors are overwhelmed trying to keep
pace with updating their products against attacks. One anti-virus software vendor
receives over 200,000 submissions of potential malware each month.[16] At this rate,
the anti-virus vendors would have to update and distribute their updates every 10
minutes to keep users protected. The delay in vendors patching their own products
adds to the difficulties in defending against attacks.
Figure 1-1 Menu of attack tools
© Cengage Learning 2012
Weak patch distribution. While mainstream products such as Microsoft Windows
and Apple Mac OS have created a system for notifying users of patches and
distributing those patches on a regular basis, other software vendors have not
invested in distribution systems. Users are unaware that a security update even
exists for a product, and usually it requires downloading and installing the latest
version of the product instead of only installing a smaller patch. For these reasons,
attackers today are focusing more on uncovering and exploiting vulnerabilities on
these products.
Distributed attacks. Attackers can use tens of thousands of computers under their
control in an attack against a single server or network. This many against one
approach makes it virtually impossible to stop an attack by identifying and blocking a
single source.
User confusion. Increasingly, users are called upon to make difficult security
decisions regarding their computer systems, sometimes with little or no information
to guide them. It is not uncommon for a user to be asked security questions such as
"Do you want to view only the content that was delivered securely?", "Is it safe to
quarantine this attachment?", or "Do you want to install this add-on?" With little or no
direction, users are inclined to provide answers to questions without understanding
the security risks.
Table 1-2 summarizes the reasons it is difficult to defend against today's attacks.
Reason | Description
Universally connected devices | Attackers from anywhere in the world can send attacks
Increased speed of attacks | Attackers can launch attacks against millions of computers within minutes
Greater sophistication of attacks | Attack tools vary their behavior so the same attack appears differently each time
Availability and simplicity of attack tools | Attacks are no longer limited to highly skilled attackers
Faster detection of vulnerabilities | Attackers can discover security holes in hardware or software more quickly
Delays in patching | Vendors are overwhelmed trying to keep pace by updating their products against attacks
Weak patch distribution | Many software products lack a means to distribute security patches in a timely fashion
Distributed attacks | Attackers use thousands of computers in an attack against a single computer or network
User confusion | Users are required to make difficult security decisions with little or no instruction
Table 1-2 Difficulties in defending against attacks
Figure 1-2 As the sophistication of attack tools increases, the knowledge required by attackers decreases
[Chart spanning 1990, 2000 and 2012: "Required knowledge of attackers" falls from high to low while "Sophistication of attacker tools" rises from low to high. Tools plotted along the timeline include password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, stealth diagnostics, packet spoofing, and tools with GUI.]
© Cengage Learning 2012
What Is Information Security?
2.8 Exemplify the concepts of confidentiality, integrity and availability (CIA)
3.2 Analyze and differentiate among types of attacks
5.2 Explain the fundamental concepts and best practices related to authentication,
authorization and access control
Before it is possible to defend computers against attacks, it is necessary to understand what
information security is. In addition, knowing why information security is important today and
who the attackers are is beneficial.
Defining Information Security
In a general sense, security may be defined as the necessary steps to protect a person or
property from harm. That harm may come primarily from two different sources:
A direct action that is intended to inflict damage or suffering.
An indirect and unintentional action.
Consider a typical house. It is necessary to provide security for the house and its inhabitants from
these two different sources. For example, the house and its occupants must be secure from the
direct attack of a criminal who wants to inflict bodily harm to someone inside or who wants to
burn down the house. This security may be provided by locked doors, a fence, or a strong police
presence. In addition, the house must be protected from indirect acts that are not exclusively
directed against it. That is, the house needs to be protected from a hurricane (by being built with
strong materials such as concrete blocks) or a flash flood (by being built off the ground).
Security usually includes preventive measures, rapid response, and in some instances, pre-
emptive attacks. An individual who wants to be secure would take the preventive measures
of not walking alone in a risky neighborhood at night and keeping car doors locked. An
example of a rapid response could include holding a cell phone in one hand when making a
withdrawal at an ATM, so that if anything suspicious begins to occur, an emergency call can
quickly be made to the police. Preemptive attacks are sometimes carried out by one nation
against another nation that has started to amass troops and equipment along a border. This
approach of "strike them before they can strike us" can be used to deter an attack.
The term information security is frequently used to describe the tasks of securing information
that is in a digital format. This digital information is typically manipulated by a microproces-
sor (such as on a personal computer), stored on a magnetic, optical, or solid-state storage
device (like a hard drive, DVD, or flash drive), and transmitted over a network (such as a
local area network or the Internet).
Security may be viewed as sacrificing convenience for safety. Although
it may be inconvenient to lock all the doors of the house or use long
and complex passwords, the trade-off is that these steps result in a
higher level of safety. Another way to think of security is giving up
short-term ease for long-term protection. In any case, security usually
requires making sacrifices to achieve a greater good.
Information security can be understood by examining its goals and how it is accomplished.
First, information security ensures that protective measures are properly implemented. Just
as the security measures taken for a house can never guarantee complete safety, information
security cannot completely prevent attacks or guarantee that a system is totally secure.
Rather, information security creates a defense that attempts to ward off attacks and pre-
vents the collapse of the system when a successful attack occurs. Thus, information security
is protection.
Second, information security is intended to protect information that provides value to people
and organizations. Three protections must be extended over information. These three protec-
tions are confidentiality, integrity, and availability or CIA:
1. Confidentiality. It is important that only approved individuals are able to access
important information. For example, the credit card number used to make an online
purchase must be kept secure and not made available to other parties. Confidentiality
ensures that only authorized parties can view the information. Providing confidentiality
can involve several different tools, ranging from software to "scramble" (encrypt) the
credit card number stored on the Web server to door locks that prevent physical access
to those servers.
2. Integrity. Integrity ensures that the information is correct and no unauthorized person
or malicious software has altered the data. In the example of the online purchase, an
attacker who could change the amount of a purchase from $1,000.00 to $1.00 would
violate the integrity of the information.
3. Availability. Information cannot be "locked up" so tight that no one can access it;
otherwise, the information would not be useful. Availability ensures that data is
accessible to authorized users. The total number of items ordered as the result of an
online purchase must be made available to an employee in a warehouse so that the
correct items can be shipped to the customer.
In addition to CIA, another set of protections must be implemented to secure information.
These are authentication, authorization, and accounting (AAA):
1. Authentication. Authentication ensures that the individual is who they claim to be (the
authentic or genuine person) and not an imposter. A person accessing the Web server
that contains a users credit card number must prove that they are indeed who they
claim to be and not a fraudulent attacker. One way authentication can be performed is
by the person providing a password that only she knows.
2. Authorization. After a person has provided authentication, they are given authorization, or
the ability to access the credit card number or enter a room that contains the Web server.
3. Accounting. Accounting provides tracking of events. This may include a record of who
accessed the Web server, from what location, and at what specific time.
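The credit card scenario used for CIA and AAA above, carried through in code as an added example that is not from the textbook: an order record carries an HMAC tag so that changing the amount is detected (integrity), a salted PBKDF2 password check proves identity (authentication), a role check decides who may see the full card number and masks it for everyone else (authorization and confidentiality), and every decision is appended to an audit list with user, source address and time (accounting). The users, roles, key and card number are constructed for the example; the use of HMAC and PBKDF2 is my choice, since the book only says that the person supplies a password only she knows.

```python
import hashlib
import hmac
import os
import time

# Server-side secret for integrity tags over stored order records.
# Constructed for this example; a real deployment keeps it in a key store.
ORDER_MAC_KEY = os.urandom(32)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: the stored value is useless to a thief without the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed user store: only "billing" staff may see a full card number.
USERS = {
    "alice": make_user("correct horse battery", "billing"),
    "bob": make_user("open sesame", "warehouse"),
}

AUDIT_LOG = []  # accounting: who did what, from where, when, and whether it succeeded


def record(event: str, user: str, source: str, ok: bool) -> None:
    AUDIT_LOG.append({"time": time.time(), "event": event, "user": user,
                      "source": source, "ok": ok})


def authenticate(user: str, password: str, source: str) -> bool:
    """Authentication: the caller proves identity with a secret only they know."""
    entry = USERS.get(user)
    # Hash even for unknown names so response time does not reveal valid users.
    salt = entry["salt"] if entry else b"\x00" * 16
    candidate = _hash_password(password, salt)
    ok = entry is not None and hmac.compare_digest(candidate, entry["hash"])
    record("login", user, source, ok)
    return ok


def seal_order(order: dict) -> dict:
    """Integrity: attach a keyed tag over the fields so tampering is detectable."""
    msg = f"{order['id']}|{order['card']}|{order['amount']}".encode()
    tag = hmac.new(ORDER_MAC_KEY, msg, "sha256").hexdigest()
    return {**order, "tag": tag}


def verify_order(sealed: dict) -> bool:
    msg = f"{sealed['id']}|{sealed['card']}|{sealed['amount']}".encode()
    expected = hmac.new(ORDER_MAC_KEY, msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def view_card(user: str, sealed: dict, source: str) -> str:
    """Authorization and confidentiality: only billing sees the full number."""
    if not verify_order(sealed):
        record("view_card", user, source, False)
        raise ValueError("order record failed integrity check")
    entry = USERS.get(user)
    allowed = entry is not None and entry["role"] == "billing"
    record("view_card", user, source, allowed)
    card = sealed["card"]
    return card if allowed else "*" * (len(card) - 4) + card[-4:]


if __name__ == "__main__":
    # Constructed order; 4111111111111111 is a well-known test card number.
    order = seal_order({"id": 1, "card": "4111111111111111", "amount": "1000.00"})
    print("alice login:", authenticate("alice", "correct horse battery", "10.0.0.5"))
    print("billing view:", view_card("alice", order, "10.0.0.5"))
    print("warehouse view:", view_card("bob", order, "10.0.0.6"))
    print("tampered record verifies:", verify_order({**order, "amount": "1.00"}))
    print("audit entries:", len(AUDIT_LOG))
```

The $1,000.00 to $1.00 change from the integrity discussion is the tampering case: the record still looks valid, but its tag no longer matches, so the warehouse never ships against the altered amount.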
There is not universal agreement regarding the three elements of
AAA. Some consider it assurance, authenticity, and anonymity, while
others see it as authentication, authorization, and access control.
Yet information security involves more than protecting the information itself. Because this
information is stored on computer hardware, manipulated by software, and transmitted by
communications, each of these areas must also be protected. The third objective of information security is to protect the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information.
Information security is achieved through a combination of three entities. As shown in Figure 1-3
and Table 1-3, information, hardware, software, and communications are protected in three
layers: products, people, and procedures. These three layers interact with each other. For exam-
ple, procedures enable people to understand how to use products to protect information. Thus, a
more comprehensive definition of information security is that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures.
Information Security Terminology
As with many advanced subjects, information security has its own set of terminology. The
following scenario helps to illustrate information security terms and how they are used.
Suppose that Aiden wants to purchase a new set of rims for his car. However, because several cars have had their rims stolen near his condo, he is concerned about someone stealing his rims. Although he parks the car in the gated parking lot in front of his condo, a hole in the fence surrounding his condo makes it possible for someone to access the parking lot without restriction. Aiden's car and the threats to the rims are illustrated in Figure 1-4.
Aiden's new rims are an asset, which is defined as an item that has value. In an organization, assets have the following qualities: they provide value to the organization, they cannot easily be replaced without a significant investment in expense, time, worker skill, and/or resources, and they can form part of the organization's corporate identity. Based on these qualities, not all elements of an organization's information technology infrastructure may be classified as an asset. For example, a faulty desktop computer that can easily be replaced would generally not be considered an asset, yet the information contained on that computer can be an asset. Table 1-4 lists a description of the elements of an organization's information technology infrastructure and whether or not they would normally be considered as an asset.
[Figure 1-3 diagram: information (confidentiality, integrity, availability) sits at the center, surrounded by hardware, software, and communications, which are enclosed by three layers: products (physical security), people (personnel security), and procedures (organizational security).]
Figure 1-3 Information security components
© Cengage Learning 2012
Layer | Description
Products | Form the physical security around the data; may be as basic as door locks or as complicated as network security equipment
People | Those who implement and properly use security products to protect data
Procedures | Plans and policies established by an organization to ensure that people correctly use the products
Table 1-3 Information security layers
The general question to ask when determining if an IT element is an asset is simply, "If this item were destroyed right now, how difficult would it be to replace?"
What Aiden is trying to protect his rims from is a threat, which is a type of action that has the potential to cause harm. Information security threats are events or actions that represent a danger to information assets. A threat by itself does not mean that security has been compromised; rather, it simply means that the potential for creating a loss is real. Although for Aiden the loss would be the theft of his rims, in information security, a loss can be the theft of information, a delay in information being transmitted, or even the loss of good will or reputation.
Element name | Description | Example | Critical asset?
Information | Data that has been collected, classified, organized, and stored in various forms | Customer, personnel, production, sales, marketing, and finance databases | Yes: Extremely difficult to replace
Application software | Software that supports the business processes of the organization | Customized order transaction application, generic word processor | Yes: Unique and customized for the organization; No: Generic off-the-shelf software
System software | Software that provides the foundation for application software | Operating system | No: Can be easily replaced
Physical items | Computer equipment, communications equipment, storage media, furniture, and fixtures | Servers, routers, DVDs, power supplies | No: Can be easily replaced
Services | Outsourced computing services | Voice and data communications | No: Can be easily replaced
Table 1-4 Information technology assets
[Figure 1-4 diagram: Rims (asset); Loss of rims (threat); Thief (threat agent); Fence hole (vulnerability); Exploit (go through fence hole); Stolen rims (risk).]
Figure 1-4 Information security components analogy
© Cengage Learning 2012
A threat agent is a person or element that has the power to carry out a threat. For Aiden, the threat agent is a thief. In information security, a threat agent could be a person attempting to break into a secure computer network. It could also be a force of nature such as a tornado or flood that could destroy computer equipment and thus destroy information, or it could be malicious software that attacks the computer network.
Aiden wants to protect his rims and is concerned about a hole in the fencing around his
condo. The hole in the fencing is a vulnerability, which is a flaw or weakness that allows a
threat agent to bypass security. An example of a vulnerability that information security must
deal with is a software defect in an operating system that allows an unauthorized user to gain
control of a computer without the user's knowledge or permission.
If a thief can get to Aiden's car because of the hole in the fence, then that thief is taking advantage
of the vulnerability. This is known as exploiting the security weakness. An attacker, knowing that
an e-mail system does not scan attachments for a virus, is exploiting the vulnerability by sending
infected e-mail messages to its users.
Aiden must decide if the risk of theft is too high for him to purchase the new rims. A risk is
the likelihood that the threat agent will exploit the vulnerability; that is, that the rims will be
stolen. Realistically, risk cannot ever be entirely eliminated as it would cost too much and
take too long. Rather, some degree of risk must always be assumed. An organization generally asks, "How much risk can we tolerate?"
Sometimes risk is illustrated as the calculation:
Risk = Threat x Vulnerability x Cost.
There are three options when dealing with risks: accept the risk, diminish the risk, or transfer
the risk. In Aiden's case, he could accept the risk and buy the new rims, knowing there is the
chance of them being stolen. Or he could diminish the risk by parking the car in a rented
locked garage. A third option is for Aiden to transfer the risk to someone else. He can do
this by purchasing additional car insurance; the insurance company then absorbs the loss
and pays if the rims are stolen. In information security, most risks should be diminished if
possible. Table 1-5 summarizes information security terms.
Understanding the Importance of Information Security
Information security is important to organizations as well as to individuals. The goals of information security are many and include preventing data theft, thwarting identity theft, avoiding
the legal consequences of not securing information, maintaining productivity, and foiling
cyberterrorism.
Preventing Data Theft Security is often associated with theft prevention: Aiden parks
his car in a locked garage to prevent the rims from being stolen. The same is true with
information security: preventing data from being stolen is often cited by organizations as a primary goal of information security. Business data theft involves stealing proprietary business information, such as research for a new drug or a list of customers that competitors
would be eager to acquire.
According to a recent survey of 800 chief information officers, the companies they represented estimated they lost a combined $4.6 billion worth of intellectual property in one year alone and spent approximately $600 million repairing damage from data breaches.
17
Data theft is not limited to businesses. Individuals are often victims of data thievery. One type of personal data that is a prime target of attackers is credit card numbers. These can be used to purchase thousands of dollars of merchandise online (without having the actual card) before the victim is even aware the number has been stolen. Reported losses from the fraudulent use of stolen credit card information continue to soar, exceeding $5 billion annually.
18
The extent to which stolen credit card numbers are available can be
seen in the price that online thieves charge each other for stolen card
numbers. Because credit card numbers are so readily available, a stolen number can be purchased for as little as $2 per card, although for
a card that has a guaranteed limit of over $82,000, the cost of the
stolen number is $700. If a buyer wants to use a stolen card number
to purchase products online, yet is afraid of being traced through the
delivery address, a third-party online thief will make the purchase and
forward the goods for a fee starting at only $30.
19
Thwarting Identity Theft Identity theft involves stealing another person's personal information, such as a Social Security number, and then using the information to impersonate the victim, generally for financial gain. The thieves create new bank or credit card accounts under the victim's name. Large purchases are then charged to these accounts, which are then left unpaid, leaving the victim responsible for the debts and ruining their credit rating.
In some instances, thieves have bought cars and even houses by taking out loans in someone else's name.
Term | Example in Aiden's scenario | Example in information security
Asset | Rims | Employee database
Threat | Steal rims from car | Steal data
Threat agent | Thief | Attacker, virus, flood
Vulnerability | Hole in fence | Software defect
Exploit | Climb through hole in fence | Send virus to unprotected e-mail server
Risk | Transfer to insurance company | Educate users
Table 1-5 Information security terminology
The costs to individuals who have been victims of identity theft as a result of data breaches
are significant. A study by Utica College's Center for Identity Management and Information
Protection (CIMIP) revealed that the median actual dollar loss for identity theft victims was
$31,356.
20
Avoiding Legal Consequences Several federal and state laws have been enacted to
protect the privacy of electronic data. Businesses that fail to protect data they possess may
face serious financial penalties. Some of these laws include the following:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under the Health Insurance Portability and Accountability Act (HIPAA), health care enterprises must guard protected health information and implement policies and procedures to safeguard it, whether it be in paper or electronic format. Those who wrongfully disclose individually identifiable health information with the intent to sell it can be fined up to $250,000 and spend 10 years in prison.
- The Sarbanes-Oxley Act of 2002 (Sarbox). As a reaction to a rash of corporate fraud, the Sarbanes-Oxley Act (Sarbox) is an attempt to fight corporate corruption. Sarbox covers the corporate officers, auditors, and attorneys of publicly traded companies. Stringent reporting requirements and internal controls on electronic financial reporting systems are required. Corporate officers who willfully and knowingly certify a false financial report can be fined up to $5 million and serve 20 years in prison.
- The Gramm-Leach-Bliley Act (GLBA). Like HIPAA, the Gramm-Leach-Bliley Act (GLBA) passed in 1999 protects private data. GLBA requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. All electronic and paper data containing personally identifiable financial information must be protected. The penalty for noncompliance for a class of individuals is up to $500,000.
- California's Database Security Breach Notification Act (2003). California's Database Security Breach Notification Act was the first state law that covers any state agency, person, or company that does business in California. It requires businesses to inform California residents within 48 hours if a breach of personal information has or is believed to have occurred. It defines personal information as a name with a Social Security number, driver's license number, state ID card, account number, credit card number, or debit card number and required security access codes. Since this act was passed by California in 2003, all other states now have similar laws with the exception of Alabama, Kentucky, New Mexico, and South Dakota.
Although these laws pertain to the United States, other nations are
enacting their own legislation to protect electronic data.
The penalties for violating these laws can be sizable. Businesses must make every effort to
keep electronic data secure from hostile outside forces to ensure compliance with these laws
and avoid serious legal consequences.
Maintaining Productivity Cleaning up after an attack diverts resources such as time
and money away from normal activities. Employees cannot be productive and complete
important tasks during an attack and its aftermath because computers and networks cannot
function properly. Table 1-6 provides a sample estimate of the lost wages and productivity
during an attack and the subsequent cleanup.
The single most expensive malicious attack was the Love Bug in
2000, which cost an estimated $8.7 billion.
21
Foiling Cyberterrorism The FBI defines cyberterrorism as "any premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents." Unlike an attack that is designed to steal information or erase a user's hard disk drive, cyberterrorism attacks are intended to cause panic, provoke violence, or result in a financial catastrophe.
The U.S. Commission of Critical Infrastructure Protection identifies possible cyberterrorist targets as the banking industry, military installations, power plants, air traffic control centers,
and water systems. These are likely targets because they can significantly disrupt business and
personal activities by destroying relatively few targets. For example, disabling an electrical
power plant could cripple businesses, homes, transportation services, and communications
over a wide area.
One of the challenges in combating cyberterrorism is that many of the prime targets are not owned and managed by the federal government. For example, almost 85 percent of the nation's most critical computer networks and infrastructures are owned by private companies.
22
Because these networks are not centrally controlled, it is difficult to coordinate and maintain security.
Number of total employees | Average hourly salary | Number of employees to combat attack | Hours required to stop attack and clean up | Total lost salaries | Total lost hours of productivity
100 | $25 | 1 | 48 | $4,066 | 81
250 | $25 | 3 | 72 | $17,050 | 300
500 | $30 | 5 | 80 | $28,333 | 483
1,000 | $30 | 10 | 96 | $220,000 | 1,293
Table 1-6 Cost of attacks
Who Are the Attackers?
The types of individuals behind computer attacks are generally divided into several categories.
These include hackers, script kiddies, spies, insiders, cybercriminals, and cyberterrorists.
Hackers
In the past, the term hacker was commonly used to refer to a person who uses advanced computer skills to attack computers. White hat hackers said that their goal was only to expose security flaws and not steal or corrupt data. Although breaking into another computer system is illegal, they considered it acceptable as long as they did not commit theft, vandalism, or breach any confidentiality while trying to improve security by seeking out vulnerabilities. In contrast, the term black hat hackers was used to refer to attackers whose motive was malicious and destructive.
However, today the term hacker has been replaced with the more generic term attacker,
without any attempt to distinguish between the motives. Although "hacker" is often used by
the mainstream media to refer to an attacker, this term is no longer commonly used by the
security community.
Script Kiddies
Script kiddies are individuals who want to break into computers to create damage yet lack
the advanced knowledge of computers and networks needed to do so. Instead, script kiddies
do their work by downloading automated attack software (scripts) from Web sites and using
it to perform malicious acts.
Today, these scripts have been replaced by attack software with menu systems. This makes
creating attacks even easier for these unskilled users. Figure 1-5 shows that over 40 percent
of attacks are conducted by script kiddies with low or no skills.
Spies
A computer spy is a person who has been hired to break into a computer and steal information. Spies do not randomly search for unsecured computers to attack as script kiddies and
other attackers do; rather, spies are hired to attack a specific computer or system that contains
sensitive information. Their goal is to break into that computer and take the information
without drawing any attention to their actions. Spies generally possess excellent computer
skills to attack and then cover their tracks.
Insiders
Another serious threat to an organization actually comes from an unlikely source: its employees, contractors, and business partners, often called insiders. In one study of 900 cases of business data leakage, over 48 percent of the breaches were attributed to insiders who abused their right to access corporate information.
23
In most instances, insider attacks are more costly than an attack from
the outside.
Examples of several recent high-profile insider attacks include the following:
A California health care worker, disgruntled over an upcoming job termination,
illegally gathered health records on celebrities and distributed them to the media.
A Maryland government employee tried to destroy the contents of over 4,000 servers
by planting a malicious coding script that was scheduled to activate 90 days after he
was terminated.
A French securities trader lost over $7 billion on bad stock bets and then used his knowledge
of the bank's computer security system to conceal the losses through fake transactions.
A U.S. Army private in Iraq accessed secret U.S. diplomatic cables and other sensitive
documents, which were then given to an international whistleblower who posted them
on the Internet.
[Figure 1-5 pie chart of the skill level needed to create attacks. Legend: HIGH, advanced methods, extensive resources, elite skills; MODERATE, skilled methods with some customization or significant resources; LOW, basic methods used, no customization or additional resources required; NONE, conducted by an average computer user with no expertise or skill set. Chart values as extracted: 15%, 44%, 28%, 13%.]
Figure 1-5 Skills needed for creating attacks
© Cengage Learning 2012
Most insider attacks are either the sabotage or theft of intellectual property. One study revealed that most cases of sabotage come from employees who have announced their resignation or who have been formally reprimanded, demoted, or fired. When theft is involved, the offenders are usually salespeople, engineers, computer programmers, or scientists who actually believe that the accumulated data is owned by them and not the organization (most of these thefts occur within 30 days of the employee resigning). In some instances, the employees are moving to a new job and want to take their work with them, while in other cases the employees have been bribed or pressured into stealing the data. In about 8 percent of the incidents of theft, employees have been pressured into stealing from their employer through blackmail or threat of violence.
24
Although it generally is not intentional, in many instances, carelessness by employees has resulted in serious security breaches. For example, almost 10,000 laptop computers each week are lost in airports, and over half contain confidential or sensitive information. Only one out of every three lost laptops is returned to their owner. The two U.S. airports reporting the highest number of missing laptops are Los Angeles International and Miami International airports.
25
Cybercriminals
There is a new breed of computer attackers known as cybercriminals. Cybercriminals are a network of attackers, identity thieves, spammers, and financial fraudsters. These cybercriminals are described as being more highly motivated, less risk-averse, better funded, and more tenacious than ordinary attackers.
Some security experts believe that many cybercriminals belong to organized gangs of young attackers, often clustered in Eastern European, Asian, and third-world regions. Reasons these areas may harbor large numbers of cybercriminals are summarized in Table 1-7.
Cybercriminals often meet in online underground "forums" that
have names like DarkMarket.org and theftservices.com. The purpose
of these meetings is to trade information and coordinate attacks
around the world.
Instead of attacking a computer to show off their technology skills (fame), cybercriminals
have a more focused goal of financial gain (fortune). Cybercriminals use vulnerabilities to
steal information or launch attacks that can generate income. This difference makes the new
attackers more dangerous and their attacks more threatening. These targeted attacks against
financial networks, unauthorized access to information, and the theft of personal information
are sometimes known as cybercrime.
Characteristic | Explanation
Strong technical universities | Since the demise of the Soviet Union in the early 1990s, a number of large universities have stopped teaching communist ideology and turned to teaching technology
Low incomes | With the transition from communism to a free market system, individuals in several nations have suffered from the loss of an economy supported by the state, and incomes remain relatively low
Unstable legal systems | Many nations continue to struggle with making and enforcing new laws that combat computer crime
Tense political relations | Some new nations do not yet have strong ties to other foreign countries, and this sometimes complicates efforts to obtain cooperation with local law enforcement
Table 1-7 Characteristics of cybercriminals
Financial cybercrime is often divided into two categories. The first uses stolen data, credit
card numbers, online financial account information, or Social Security numbers to steal from
its victims. The second category involves sending millions of spam e-mails to peddle counterfeit drugs, pirated software, fake watches, and pornography. Federal law enforcement officials estimate that these spam operations gross hundreds of millions of dollars annually. One
security professional estimates that the cybercrime industry netted $1 trillion in 2010.
26
Some security experts maintain that European cybercriminals are
mostly focused on activities to steal money from their victims, while
cybercriminals from Asia are more interested in stealing data from
governments or corporations.
Cyberterrorists
Many security experts fear that terrorists will turn their attacks to a nation's network and computer infrastructure to cause panic among citizens. Known as cyberterrorists, their motivation may be defined as ideology, or attacking for the sake of their principles or beliefs. A report distributed by the Institute for Security Technology Studies at Dartmouth College lists three goals of a cyberattack:
- To deface electronic information (such as Web sites) and spread misinformation and propaganda
- To deny service to legitimate computer users
- To commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data
Cyberterrorists are sometimes considered the attackers that should be feared the most, for it is
almost impossible to predict when or where an attack may occur. Unlike cybercriminals who
continuously probe systems or create attacks, cyberterrorists can be inactive for several years
and then suddenly strike in a new way. Their targets may include a small group of computers
or networks that can affect the largest number of users, such as the computers that control the
electrical power grid of a state or region.
Attacks and Defenses
Although a wide variety of attacks can be launched against a computer or network, the same
basic steps are used in most attacks. Protecting computers against these steps in an attack calls
for following five fundamental security principles.
Steps of an Attack
There are a variety of types of attacks. One way to categorize these attacks is by the five
steps that make up an attack, as seen in Figure 1-6. The steps are:
1. Probe for information. The first step in an attack is to probe the system for any information that can be used to attack it. This type of "reconnaissance" is essential to provide information, such as the type of hardware used, version of software or firmware, and even personal information about the users, that can then be used in the next step. Actions that take place in probing for information include "ping sweeps" of the network to determine if a system responds, port scanning for determining which ports may be accessible, and queries that respond with failure messages yet provide valuable information about the system.
2. Penetrate any defenses. Once a potential system has been identified and information about it has been gathered, the next step is to launch the attack to penetrate the defenses. These attacks come in a variety of forms.
[Figure 1-6 diagram: a network perimeter (router and firewall) enclosing a server and Computers A, B, and C, with the five steps marked: 1. Probe for information; 2. Penetrate any defenses; 3. Modify security settings; 4. Circulate to other systems; 5. Paralyze networks and devices.]
Figure 1-6 Steps of an attack
© Cengage Learning 2012
3. Modify security settings. Modifying the security settings is the next step after the system
has been penetrated. This allows the attacker to reenter the compromised system more
easily.
4. Circulate to other systems. Once the network or system has been compromised, the
attacker then uses it as a base of attack toward other networks and computers. The
same tools that are used to probe for information are then directed toward other
systems.
5. Paralyze networks and devices. If the attacker chooses, she may also work to
maliciously damage the infected computer or network. This may include deleting or
modifying critical operating system files or injecting software that will prevent the
computer from properly functioning.
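The probing in step 1 (ping sweeps and port scans) is also the step a defender can most easily see in firewall logs, because one source touches many ports or many hosts in a short time. The following detector is an added example, not code from the textbook: it reads constructed firewall log lines (the format, addresses and thresholds are my assumptions) and raises one alert per source when a sliding time window shows enough distinct destination ports on one host (port scan) or enough distinct hosts probed with ICMP (ping sweep). Real log formats differ, so the regular expression is the part a practitioner would adapt.

```python
import re
from collections import defaultdict, deque

# Constructed firewall log lines (not from the book). Fields: epoch seconds,
# source, destination, protocol, destination port (0 for ICMP), action.
# 198.51.100.7 walks eight ports on one host; 203.0.113.5 pings five hosts;
# 192.0.2.50 makes two ordinary connections far apart in time.
SAMPLE_LOG = """\
1330000000 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=22 action=deny
1330000001 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=23 action=deny
1330000002 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=25 action=deny
1330000003 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=80 action=allow
1330000004 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=110 action=deny
1330000005 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=143 action=deny
1330000006 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443 action=allow
1330000007 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=3389 action=deny
1330000010 src=203.0.113.5 dst=192.0.2.1 proto=icmp dport=0 action=allow
1330000010 src=203.0.113.5 dst=192.0.2.2 proto=icmp dport=0 action=allow
1330000011 src=203.0.113.5 dst=192.0.2.3 proto=icmp dport=0 action=allow
1330000011 src=203.0.113.5 dst=192.0.2.4 proto=icmp dport=0 action=allow
1330000012 src=203.0.113.5 dst=192.0.2.5 proto=icmp dport=0 action=allow
1330000020 src=192.0.2.50 dst=192.0.2.10 proto=tcp dport=443 action=allow
1330000500 src=192.0.2.50 dst=192.0.2.10 proto=tcp dport=80 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = int(ev["ts"])
            ev["dport"] = int(ev["dport"])
            yield ev


def detect_probes(log_text, window=60, port_threshold=5, host_threshold=4):
    """Return [(source, kind), ...] in the order the alerts fire.

    kind is "portscan" when one source reaches >= port_threshold distinct
    ports on one destination within `window` seconds, or "pingsweep" when
    one source sends ICMP to >= host_threshold distinct hosts in the window.
    """
    port_hist = defaultdict(deque)  # (src, dst) -> deque of (ts, dport)
    icmp_hist = defaultdict(deque)  # src -> deque of (ts, dst)
    alerts, seen = [], set()
    for ev in parse(log_text):
        if ev["proto"] == "icmp":
            hist, key, value = icmp_hist, ev["src"], ev["dst"]
            threshold, kind = host_threshold, "pingsweep"
        else:
            hist, key, value = port_hist, (ev["src"], ev["dst"]), ev["dport"]
            threshold, kind = port_threshold, "portscan"
        q = hist[key]
        q.append((ev["ts"], value))
        while q and ev["ts"] - q[0][0] > window:  # expire events outside the window
            q.popleft()
        distinct = {v for _, v in q}
        alert = (ev["src"], kind)
        if len(distinct) >= threshold and alert not in seen:
            seen.add(alert)
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for src, kind in detect_probes(SAMPLE_LOG):
        print(f"{kind}: {src}")
```

Thresholds are the tuning knob: too low and a busy administrator's host looks like a scanner, too high and a slow scan spread over many windows is missed, which is why production detectors often keep longer histories per source than the 60 seconds used here.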
Defenses Against Attacks
Although multiple defenses may be necessary to withstand an attack, these defenses should
be based on five fundamental security principles: layering, limiting, diversity, obscurity, and
simplicity. These principles provide a foundation for building a secure system.
Layering
The Crown Jewels of England, which are worn during coronations and important state functions, have a dollar value of over $32 million, yet are virtually priceless as symbols of English culture. How are precious stones like the Crown Jewels protected from theft? They are not openly displayed on a table for anyone to pick up. Instead, they are enclosed in protective cases with two-inch-thick glass that is bulletproof, smashproof, and resistant to almost any outside force. The cases are located in a special room with massive walls and sensors that can detect slight movements or vibrations. The doors to the room are monitored around the clock by remote security cameras, and the video images from each camera are recorded. The room itself is in the Tower of London, surrounded by roaming guards and fences. In short, these precious stones are protected by layers of security. If one layer is penetrated, such as the thief getting into the building, several more layers must still be breached, and each layer is often more difficult or complicated than the previous. A layered approach has the advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks.
The Jewel House, which holds the Crown Jewels in the Tower of London, is actually located inside an Army barracks that is staffed with
soldiers.
Likewise, information security must be created in layers. If only one defense mechanism is in
place, an attacker only has to circumvent that single defense. Instead, a security system must
have layers, making it unlikely that an attacker has the tools and skills to break through all
the layers of defenses. A layered approach can also be useful in resisting a variety of attacks.
Layered security provides the most comprehensive protection.
Limiting
Consider again protecting the Crown Jewels of England. Although the jewels may be on display for the general public to view, permitting anyone to touch them increases the chances
that they will be stolen. Only approved personnel should be authorized to handle the jewels.
Limiting who can access the jewels reduces the threat against them.
The same is true with information security. Limiting access to information reduces the threat
against it. This means that only those personnel who must use the data should have access to
it. In addition, the type of access they have should also be limited to what that person needs
to perform their job. For example, access to the human resource database for an organization
should be limited to only employees who have a genuine need to access it, such as human
resource personnel or vice presidents. And, the type of access should also be restricted:
human resource employees may be able to view employee salaries but not change them.
What level of access should users have? The best answer is the least
amount necessary to do their jobs, and no more.
Some ways to limit access are technology-based (such as assigning file permissions so that a user
can only read but not modify a file), while others are procedural (prohibiting an employee from
removing a sensitive document from the premises). The key is that access must be restricted to
the bare minimum.
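The human resource example above (HR staff may view salaries but not change them, and everyone else gets nothing) expressed as a small permission model. This is an added example, not from the textbook: each grant is a (resource, action) pair, a role holds only the grants its job needs, and anything not explicitly granted is refused, including requests from roles the system does not know. The roles, resources and records are constructed; the `excess_grants` helper is my addition for auditing whether a role holds more than its job requires.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    resource: str  # e.g. "hr_db.salary"
    action: str    # "read" or "write"


@dataclass
class Role:
    name: str
    grants: frozenset = field(default_factory=frozenset)


# Constructed role table. HR may view salaries but not change them; payroll
# may change them; warehouse staff have no HR database access at all.
ROLES = {
    "hr": Role("hr", frozenset({
        Permission("hr_db.salary", "read"),
        Permission("hr_db.contact", "read"),
        Permission("hr_db.contact", "write"),
    })),
    "payroll": Role("payroll", frozenset({
        Permission("hr_db.salary", "read"),
        Permission("hr_db.salary", "write"),
    })),
    "warehouse": Role("warehouse", frozenset()),
}


class AccessDenied(PermissionError):
    pass


def is_allowed(role_name, resource, action):
    """Default deny: unknown roles and ungranted (resource, action) pairs are refused."""
    role = ROLES.get(role_name)
    return role is not None and Permission(resource, action) in role.grants


def read_salary(role_name, employee_record):
    if not is_allowed(role_name, "hr_db.salary", "read"):
        raise AccessDenied(f"{role_name} may not read hr_db.salary")
    return employee_record["salary"]


def update_salary(role_name, employee_record, new_salary):
    # The same role that can read the field is not automatically able to write it.
    if not is_allowed(role_name, "hr_db.salary", "write"):
        raise AccessDenied(f"{role_name} may not write hr_db.salary")
    employee_record["salary"] = new_salary
    return employee_record


def excess_grants(role_name, required):
    """Grants a role holds beyond the set its job needs; non-empty means trim it."""
    return ROLES[role_name].grants - frozenset(required)


if __name__ == "__main__":
    record = {"name": "example employee", "salary": 52000}  # constructed record
    print("hr reads salary:", read_salary("hr", record))
    try:
        update_salary("hr", record, 99000)
    except AccessDenied as e:
        print("denied:", e)
    print("payroll updates salary:", update_salary("payroll", record, 53000)["salary"])
```

The procedural controls the text mentions (not removing a sensitive document from the premises) sit outside any such model; the point of encoding the technical side this way is that a new role, a new resource or a forgotten entry fails closed rather than open.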
Diversity
Diversity is closely related to layering. Just as it is important to protect data with layers of
security, the layers must also be different (diverse). This means that if attackers penetrate one
layer, they cannot use the same techniques to break through all other layers. A jewel thief, for
instance, might be able to foil the security camera by dressing in black clothing, but should not
be able to use the same technique to trick the motion detection system. Using diverse layers of
defense means that breaching one security layer does not compromise the whole system.
Information security diversity may be achieved in several ways. For example, some organizations
use security products provided by different manufacturers. An attacker who can circumvent a
security device from Manufacturer A could then use those same skills and knowledge to defeat all
of the same devices used by the organization. However, if devices from Manufacturer A and similar
devices from Manufacturer B were both used by the same organization, the attacker would
have more difficulty trying to break through both types of devices because they are different.
Obscurity
Suppose a thief plans to steal the Crown Jewels during a shift change of the security guards.
When the thief observes the guards, however, she finds that the guards do not change shifts
at the same time each night. On a given Monday, they rotate shifts at 2:13 AM, while on
Tuesday they rotate at 1:51 AM, and the following Monday at 2:24 AM. Because the shift
changes cannot be known for certain in advance, the planned attack cannot be carried out.
This technique is sometimes called security by obscurity: obscuring to the outside world
what is on the inside makes attacks that much more difficult.
An example of obscurity in information security would be not revealing the type of computer,
version of operating system, or brand of software that is used. An attacker who knows that information
could use it to determine the vulnerabilities of the system to attack it. However, if this
information is concealed, attacking the system is more difficult because nothing about it is
known or visible from the outside. Obscuring information can be an important means of protection.
Simplicity
Because attacks can come from a variety of sources and in many ways, information security
is by its very nature complex. Yet the more complex it becomes, the more difficult it is to
understand. A security guard who does not understand how motion detectors interact with
infrared trip lights may not know what to do when one system alarm shows an intruder but
the other does not. In addition, complex systems allow many opportunities for something to
go wrong. In short, complex systems can be a thief's ally.
The same is true with information security. Complex security systems can be hard to understand,
troubleshoot, and even feel secure about. As much as possible, a secure system should
be simple for those on the inside to understand and use. Complex security schemes are often
compromised to make them easier for trusted users to work with, yet this can also make it
easier for the attackers. In short, keeping a system simple from the inside, but complex on
the outside, can sometimes be difficult but reaps a major benefit.
Chapter Summary
Attacks against information security have grown exponentially in recent years,
despite the fact that billions of dollars are spent annually on security. No computer
system is immune from attacks or can be considered entirely secure.
There are several reasons it is difficult to defend against today's attacks. These reasons
include the fact that virtually all devices are connected to the Internet, the speed of the
attacks, greater sophistication of attacks, the availability and simplicity of attack
tools, faster detection of vulnerabilities by attackers, delays in patching, weak patch
distribution, distributed attacks coming from multiple sources, and user confusion.
Information security may be defined as that which protects the integrity, confidentiality,
and availability of information on the devices that store, manipulate, and transmit the
information through products, people, and procedures. As with many advanced
subjects, information security has its own set of terminology. A threat is an event or
action that represents a danger to information assets, which is something that has value.
A threat agent is a person or element that has the power to carry out a threat, usually
by exploiting a vulnerability, which is a flaw or weakness. A risk is the likelihood that
a threat agent will exploit the vulnerability.
The main goals of information security are to prevent data theft, thwart identity theft,
avoid the legal consequences of not securing information, maintain productivity, and
foil cyberterrorism.
The types of people behind computer attacks fall into several categories. The term
hacker generally refers to someone who attacks computers. Script kiddies do their
work by downloading automated attack software from Web sites and then using it to
break into computers. A computer spy is a person who has been hired to break into a
computer and steal information. One of the largest information security threats to a
business actually comes from its employees. A new breed of computer attackers is
known as cybercriminals, who are a loose-knit network of attackers, identity thieves,
and financial fraudsters. Cyberterrorists are motivated by their principles and beliefs,
and turn their attacks to the network and computer infrastructure to cause panic
among citizens.
There are a variety of types of attacks. Five general steps make up an attack: probe
for information, penetrate any defenses, modify security settings, circulate to other
systems, and paralyze networks and devices. Although multiple defenses may be
necessary to withstand the steps of an attack, these defenses should be based on five
fundamental security principles: layering, limiting, diversity, obscurity, and simplicity.
Key Terms
accounting The ability that provides tracking of events.
asset An item that has value.
authorization The act of ensuring that an individual or element is genuine.
authentication The steps that ensure that the individual is who they claim to be.
availability Security actions that ensure that data is accessible to authorized users.
California's Database Security Breach Notification Act The first state law that covers any
state agency, person, or company that does business in California.
confidentiality Security actions that ensure only authorized parties can view the
information.
cybercrime Targeted attacks against financial networks, unauthorized access to
information, and the theft of personal information.
cybercriminals A network of attackers, identity thieves, spammers, and financial fraudsters.
cyberterrorism A premeditated, politically motivated attack against information, computer
systems, computer programs, and data that results in violence.
cyberterrorists Attackers whose motivation may be defined as ideology, or attacking for
the sake of their principles or beliefs.
exploiting The act of taking advantage of a vulnerability.
Gramm-Leach-Bliley Act (GLBA) A law that requires banks and financial institutions to
alert customers of their policies and practices in disclosing customer information.
hacker A term used to refer to a person who uses advanced computer skills to attack
computers.
Health Insurance Portability and Accountability Act (HIPAA) A law designed to guard
protected health information and implement policies and procedures to safeguard it.
identity theft Stealing another person's personal information, such as a Social Security
number, and then using the information to impersonate the victim, generally for
financial gain.
information security The tasks of securing information that is in a digital format.
integrity Security actions that ensure that the information is correct and no unauthorized
person or malicious software has altered the data.
risk The likelihood that a threat agent will exploit the vulnerability.
Sarbanes-Oxley Act (Sarbox) A law designed to fight corporate corruption.
script kiddies Individuals who want to break into computers to create damage, yet lack the
advanced knowledge of computers and networks needed to do so.
spy A person who has been hired to break into a computer and steal information.
threat A type of action that has the potential to cause harm.
threat agent A person or element that has the power to carry out a threat.
vulnerability A flaw or weakness that allows a threat agent to bypass security.
Review Questions
1. Each of the following is a reason it is difficult to defend against today's attackers
except ______.
a. complexity of attack tools
b. weak patch distribution
c. greater sophistication of attacks
d. delays in patching software products
2. In a general sense, security is ______.
a. protection from only direct actions
b. using reverse attack vectors (RAV) for protection
c. only available on hardened computers and systems
d. the necessary steps to protect a person or property from harm
3. ______ ensures that only authorized parties can view the information.
a. Confidentiality
b. Availability
c. Integrity
d. Authorization
4. Each of the following is a successive layer in which information security is achieved
except ______.
a. products
b. purposes
c. procedures
d. people
5. By definition, a(n) ______ is a person or thing that has the power to carry out
a threat.
a. vulnerability
b. exploit
c. threat agent
d. risk
6. ______ ensures that the individual is who they claim to be.
a. Authentication
b. Accounting
c. Access control
d. Certification
7. Each of the following is a goal of information security except ______.
a. foil cyberterrorism
b. avoid legal consequences
c. decrease user productivity
d. prevent data theft
8. The ______ requires that enterprises must guard protected health information
and implement policies and procedures to safeguard it.
a. Hospital Protection and Insurance Association Agreement (HPIAA)
b. Sarbanes-Oxley Act (Sarbox)
c. Gramm-Leach-Bliley Act (GLBA)
d. Health Insurance Portability and Accountability Act (HIPAA)
9. Utility companies, telecommunications, and financial services are considered prime targets
of ______ because attackers can significantly disrupt business and personal
activities by destroying a few targets.
a. white hat hackers
b. script kiddies
c. computer spies
d. cyberterrorists
10. After an attacker has probed a network for information, the next step is
to ______.
a. penetrate any defenses
b. paralyze networks and devices
c. circulate to other systems
d. modify security settings
11. An organization that purchased security products from different vendors is demonstrating
which security principle?
a. obscurity
b. diversity
c. limiting
d. layering
12. Each of the following can be classified as an insider except ______.
a. business partners
b. contractors
c. cybercriminals
d. employees
13. ______ are a network of attackers, identity thieves, and financial fraudsters.
a. Script kiddies
b. Hackers
c. Cybercriminals
d. Spies
14. Each of the following is a characteristic of cybercriminals except ______.
a. better funded
b. less risk-averse
c. low motivation
d. more tenacious
15. Each of the following is a characteristic of cybercrime except ______.
a. targeted attacks against financial networks
b. exclusive use of worms and viruses
c. unauthorized access to information
d. theft of personal information
16. An example of a(n) ______ is a software defect in an operating system that
allows an unauthorized user to gain access to a computer without a password.
a. threat agent
b. threat
c. vulnerability
d. asset exploit (AE)
17. ______ requires banks and financial institutions to alert customers of their policies
and practices in disclosing customer information and to protect all electronic and
paper documents containing personally identifiable financial information.
a. California Savings and Loan Security Act (CS&LSA)
b. Gramm-Leach-Bliley Act (GLBA)
c. USA Patriot Act
d. Sarbanes-Oxley Act (Sarbox)
18. The term ______ is sometimes used to identify anyone who illegally breaks into a
computer system.
a. hacker
b. cyberterrorist
c. Internet Exploiter
d. cyberrogue
19. An example of ______ is not revealing the type of computer, operating system,
software, and network connection a computer uses.
a. obscurity
b. limiting
c. diversity
d. layering
20. The ______ is primarily responsible for assessment, management, and implementation
of security.
a. security manager
b. security administrator
c. Chief Information Security Officer (CISO)
d. security technician
Hands-On Projects
Project 1-1: Automatically Receive the Latest Security
Information
With the daily changing face of security, it is important to keep current with the
latest security threats and defenses. One way to keep current is to use RSS (Really
Simple Syndication), which automatically distributes Web content from a variety
of different formats (blogs, news headlines, audio, video, etc.) in a standardized
format and aggregates the content. A user subscribes to a Web site and then the
content is pushed to their computer to be viewed using an RSS reader or Web
browser. This alleviates the need for visiting multiple sites. In this project, you
will use the Google Reader aggregator.
1. Open a Web browser and enter the Web address www.google.com/reader.
The location of content on the Internet may change without warning. If
you are no longer able to access the site through the preceding Web
address, then use a search engine to search for Google Reader.
2. If you already have a Google account, log in. If you do not have an
account, click Create an account and create a Google account.
3. Open a new window in your Web browser (for example, in Internet
Explorer, press CTRL+T).
4. Enter the URL googleonlinesecurity.blogspot.com, which is a blog about
security information from Google.
The location of content on the Internet may change without warning.
If you are no longer able to access the site through the preceding
Web address, then use a search engine to search for Google Online
Security Blog.
5. Click the +Google icon.
6. Click Subscribe to this feed.
7. Click Add to Google Reader.
8. You are now subscribed to this RSS feed.
9. Click Sign out and exit Google.
10. Log back in to Google. You will see your security blog RSS feeds that
you can read.
11. Log out of Google.
12. Close all windows.
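An RSS feed is just an XML document with a channel and a list of items, which is why an aggregator can merge many sites into one view. The Python example below is added here to show what the reader does with a feed; it is not part of the project and the sample feed, site name and URLs are constructed for illustration. It parses the feed, sorts entries newest first, and reports which entries have not been seen before, which is the "only fetch what is new" behaviour that makes a subscription useful.

```python
"""Minimal RSS 2.0 reader (constructed example, not from the textbook project).

Parses a feed, orders items newest first, and filters out entries that were
already read. The feed text below is constructed; no network access is needed.
"""
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample feed; site, titles and links are placeholders.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Example Security Blog</title>
    <link>https://security.example/</link>
    <item>
      <title>Patch released for example bug</title>
      <link>https://security.example/post/1</link>
      <pubDate>Mon, 03 Jan 2011 10:00:00 GMT</pubDate>
    </item>
    <item>
      <title>New phishing campaign observed</title>
      <link>https://security.example/post/2</link>
      <pubDate>Tue, 04 Jan 2011 09:30:00 GMT</pubDate>
    </item>
  </channel>
</rss>
"""


def parse_rss(xml_text: str) -> dict:
    """Return {'title': channel title, 'items': [...]} with items newest first."""
    root = ET.fromstring(xml_text)
    channel = root.find("channel")
    items = []
    for item in channel.findall("item"):
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            # RFC 822 date as used by RSS; parsedate_to_datetime handles the "GMT" zone
            "published": parsedate_to_datetime(item.findtext("pubDate").strip()),
        })
    items.sort(key=lambda i: i["published"], reverse=True)
    return {"title": (channel.findtext("title") or "").strip(), "items": items}


def new_items(feed: dict, seen_links: set) -> list:
    """Entries whose link has not been seen yet; the link acts as the item's identity."""
    return [i for i in feed["items"] if i["link"] not in seen_links]


if __name__ == "__main__":
    feed = parse_rss(SAMPLE_FEED)
    already_read = {"https://security.example/post/1"}
    for entry in new_items(feed, already_read):
        print(entry["published"].date(), entry["title"], entry["link"])
```

Using the item link as the identity is what a reader stores between runs; keeping that set is what lets it show only unread entries after you log back in.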
Project 1-2: Detect and Install Software Updates Using
Secunia Personal Software Inspector (PSI)
Although large vendors such as Microsoft and Apple have an established infrastructure
in place to alert users about patches and to install them, few other vendors
have such a mechanism. This makes it necessary to regularly visit all the
Web sites of all the installed software on a system to stay current on all software
updates. To make the process more manageable, online software scanners were
created that can compare all applications on a computer with a list of known
patches from the different software vendors and then alert the user to any applications
that are not properly patched, even providing links to the vendors' Web
site to download and install the patches. Now online software scanners can even
automatically install the patches when a missing patch is detected. The Secunia
Personal Software Inspector (PSI) can take an inventory of the applications and
version numbers running on a computer and then compare them with the Secunia
site several times a day to see if a new patch has been released; if it has, the
patch is silently downloaded and installed. In this project, you will use Secunia's
PSI to identify and patch any applications that have not been updated.
1. Open your Web browser and enter the URL secunia.com/vulnerability_scanning/personal/.
The location of content on the Internet such as this program may
change without warning. If you are no longer able to access the program
through the preceding URL, then use a search engine and search
for Secunia Personal Software Inspector.
2. Click Watch: How to install and use the Secunia PSI 2.0, which is a five-
minute YouTube video.
3. Click Download.
4. Click Save and save the program to the desired location on your local
computer.
5. When the download completes, click Run to install the application.
6. Click Next on the Welcome screen, and then click I accept the terms of
the License Agreement. Click Next.
7. Leave unchecked the box Require user interaction before each Auto-Update.
Click Next.
8. Click Show full change information in tray icon notifications.
Click Next.
9. Read the Readme Information. Click Next.
10. Click Install.
11. Click Finish.
12. When asked Would you like to launch Secunia PSI now?, click Yes.
13. When the Welcome to Secunia PSI information box appears, click Close.
14. Note that the scan has already started. Depending upon the computer, it
may take several minutes to complete.
15. When the scan is finished, click the View scan results button.
16. Next to any application that needs updating, click Install solution and
follow the instructions to update the computer.
17. Close all windows.
The Secunia PSI application will continually run in the background
checking for updates. If you do not want this functionality on the
computer, you can uninstall the application.
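The core of a software inspector like the one used above is simple: take an inventory of installed applications and their version numbers, compare each against the latest version the vendor has published, and flag anything older. The Python example below is added to show that comparison; it is not Secunia's code, and the installed inventory and "latest version" table are constructed placeholders (a real scanner fetches the latter from the vendor or advisory feed). The one subtlety it handles is that versions must be compared numerically, component by component, not as strings: "1.10" is newer than "1.9", and "2.1" and "2.1.0" are the same release.

```python
"""Version inventory check (constructed example, not Secunia's code).

Compares installed application versions against the latest known release and
reports what is outdated. Both tables below are constructed for illustration.
"""


def parse_version(version: str) -> tuple:
    """Turn '9.3.2' into (9, 3, 2). Components with no digits compare as 0 (assumption)."""
    parts = []
    for component in version.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed: str, latest: str) -> bool:
    """True if installed < latest, comparing numerically and treating 2.1 == 2.1.0."""
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad shorter version with zeros
    b += (0,) * (width - len(b))
    return a < b


# Constructed inventory of what is installed (application name -> version).
INSTALLED = {
    "Example Reader":   "9.3.2",
    "Example Archiver": "3.80",
    "Example Player":   "2.1.0",
    "Example Browser":  "10.0",
}

# Constructed stand-in for the vendor/advisory data a real scanner downloads.
LATEST = {
    "Example Reader":   "9.4.0",
    "Example Archiver": "3.80",
    "Example Player":   "2.1",
}


def find_unpatched(installed: dict, latest: dict) -> dict:
    """Classify each installed application as 'current', 'outdated' or 'unknown'."""
    report = {}
    for app, version in installed.items():
        if app not in latest:
            report[app] = "unknown"      # no reference data: needs a manual check, not silence
        elif is_outdated(version, latest[app]):
            report[app] = "outdated"
        else:
            report[app] = "current"
    return report


if __name__ == "__main__":
    for app, status in find_unpatched(INSTALLED, LATEST).items():
        print(f"{app:18} {INSTALLED[app]:8} {status}")
```

Reporting applications with no reference data as "unknown" rather than silently skipping them matters: a scanner that only knows some vendors can otherwise give a false sense that everything is patched.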
Project 1-3: Use an EULA Analyzer
Although malicious attackers are often considered the only enemies that
view users' data without their permission, several examples of commercial
software can also invade a user's privacy by tracking or monitoring. Software
companies often bury the approval of these actions in their end-user license
agreements, or EULAs. In this project, you will use tools to analyze EULA
agreements.
1. Open your Web browser and enter the URL www.microsoft.com/About/Legal/EN/US/IntellectualProperty/UseTerms/Default.aspx.
2. Under How is the software acquired?, select Pre-Installed on
your computer from the computer manufacturer? from the drop-down
menu.
3. Under Product Name:, select Windows 7 from the pull-down menu.
4. Under Version:, select Professional from the pull-down menu.
5. Under Language:, select English from the pull-down menu.
6. Click Go.
7. Under Search Results, click the PDF file.
8. When the File download dialog box appears, click Save to download it
to your local computer.
9. When the download is complete, click Open.
10. Select the contents of the entire document by clicking CTRL+A.
11. Copy the contents of the selected text to the clipboard by clicking CTRL+C.
12. Go to the Web site www.spywareguide.com/analyze/analyzer.php.
The location of content on the Internet may change without warning. If
you are no longer able to access the site through the preceding Web
address, then use a search engine to search for Spyware Guide License
Analyzer.
13. Under Title:, enter Windows 7.
14. Under Paste license here:, click in the box and then paste the contents of
the clipboard by clicking CTRL+V.
15. Under Display Results as be sure that Detailed analysis is selected.
16. Click Start Analyzer.
17. After the analysis is completed, scroll down through the document and
note the instances of Reference to tracking or monitoring. Read the
accompanying section. Were you aware of these agreements when you
installed this software or a similar Windows operating system on your
computer? Do you agree with these conditions?
18. Search the Internet for the EULA of another program that you commonly
use and analyze it. Are there similar tracking or monitoring features? Do
you agree with them?
19. Close all windows.
Project 1-4: Scan for Malware Using the Microsoft
Windows Malicious Software Removal Tool
The Microsoft Windows Malicious Software Removal Tool analyzes computers
for specific instances of malware infection. In this project, you will download
and run the Microsoft Windows Malicious Software Removal Tool.
1. Open your Web browser and enter the URL www.microsoft.com/security/malwareremove/default.mspx.
The location of content on the Internet such as this program may
change without warning. If you are no longer able to access the program
through the preceding URL, then use a search engine and
search for Microsoft Windows Malicious Software Removal Tool.
2. Click Skip the details and download the tool.
3. Click Download.
4. Click Save and save the program to the desired location on your local
computer.
5. When the download completes, click Run and follow the default installation
instructions.
6. When the Microsoft Windows Malicious Software Removal Tool dialog
box appears, click Next.
7. Select Quick scan if necessary.
8. Click Next.
9. Depending on your computer, this scan may take several minutes. Analyze
the results of the scan to determine if any malicious software was found in
your computer by clicking View detailed results of the scan.
10. If any malicious software was detected, run the scan again and select
Full scan.
11. Close all windows.
Case Projects
Case Project 1-1: What Are Your Layers?
Security defenses should be based on five fundamental security principles:
layering, limiting, diversity, obscurity, and simplicity. Analyze these layers for
the computers that you use. Create a table that lists the five fundamental security
principles across the top, and then list down the side at least three computers
that you commonly use at school, your place of employment, home, a
friend's house, etc. Next, enter the security element of each layer for each of
the computers (leave blank any box for which that security layer does not
exist). Based on your analysis, what can you say regarding the security of
these computers? Finally, for each of the elements that you think is inadequate
or missing, add what you believe would improve security. Write an analysis of
your findings that is at least two paragraphs in length.
Case Project 1-2: Diversity in Software
A recent blog posting by a vendor of security software came out against a
Microsoft product that could be distributed to all Windows users. The edited
blog said in part:
Monocultures are a hacker's paradise. If pushing [Microsoft's product to all
users] is very successful it will end up creating a monoculture of hundreds of millions
of users having the same anti-virus product. Right now hackers have to
worry about bypassing multiple anti-virus products and protection layers every
time they release a new piece of malware. By having to bypass only one product
makes the attacker's life so much easier. This alone will allow attackers to push
more new malware that bypasses it exclusively and infect many more users with
every new variant potentially discovering vulnerabilities that could cause
infections in tens of millions of PCs with a single attack. Monoculture in Operating
Systems is in and by itself bad. Monoculture in security is a very bad thing.
Do you agree? Does diversity extend to software products? Is it bad to have a
single software product that the majority of users install? Will having a dozen
anti-malware software products slow down attackers if most of these have
only a small portion of the total market share? Would an attacker simply not
write his attack program for that small percentage of users? Write a one-page
paper about the pros and cons of this approach.
Case Project 1-3: Today's Tectonic Forces
A recent security report has identified three "tectonic forces" of change: the
technologic shift (the proliferation of mobile and connected devices), the economic
shift (the virtualization of operations), and the demographic shift (the
role of collaboration and social networks). Each of these forces can have a significant
impact on IT security. Use the Internet to research these changes and
how they could impact security. Write a one-page paper on your findings.
Case Project 1-4: Security Podcasts
A number of different security vendors and security researchers now post weekly
podcasts on security topics. Using a search engine, locate three different podcasts
about computer security. Download them to your media player or computer and
listen to them. Next, write a summary of what was discussed and a critique of
the podcasts. Were they beneficial to you? Were they accurate? Would you recom-
mend them to someone else? Write a one-page paper on your research.
Case Project 1-5: Security+ Certification Jobs
What types of jobs require a Security+ certification? Using online career sites such
as monster.com, careerbuilder.com, jobfactory.com, and others, research the
types of security positions that require a Security+ certification. Create a table
that lists the employer, the job title, a description of the job, and the starting salary
(if these items are provided).
Case Project 1-6: CompTIA Security+ Exam
The CompTIA Security+ exam is the fastest-growing certification from CompTIA.
Detailed information regarding the CompTIA Security+ exam is available
on the CompTIA Web site. Information includes how to study, where to purchase
exam vouchers, and where the exam is given. You can read more about it at
www.comptia.org/certifications/listed/security.aspx. Write a one-page summary
of the information that you find.
Case Project 1-7: Community Site Activity
The Information Security Community Site is an online community and information
security course enrichment site sponsored by Course Technology/Cengage
Learning. It contains a wide variety of tools, information, discussion boards,
and other features to assist learners. In order to gain the most benefit from the
site you will need to set up a free account.
Go to community.cengage.com/infosec. Click JOIN THE COMMUNITY. On
the Register and Join our Community page, enter the requested information.
For your sign-in name, use the first letter of your first name followed by an
underscore (_) and then your last name. For example, John Smith would create
the sign-in name J_Smith.
Your instructor may have a different naming convention that you
should use, such as the name of your course followed by your initials.
Check with your instructor before creating your sign-in name.
Explore the various features of the Information Security Community Site and
become familiar with it. Visit the blog section and read the blog postings to
learn about some of the latest events in IT security.
Case Project 1-8: Bay Ridge Security Consulting
Bay Ridge Security Consulting (BRSC) provides security consulting services to
a wide range of businesses, individuals, schools, and organizations. Because of
its reputation and increasing demand for its services, BRSC has partnered with
a local college to hire students close to graduating to assist them on specific
projects. This not only helps BRSC with their projects, but also provides real-world
experience to students who are interested in the security field.
BRSC has been approached by a high school in the area that would like to have
someone speak to their technology class about the field of IT security. Because
you are completing your degree, BRSC has asked you to make the presentation
to the class.
1. Create a PowerPoint presentation that explains what IT security is and
why it is important today. Also include employment opportunities in
security today. Be sure to include the different types of employment
positions, average salaries, job growth, and the growth in this field in
your community. The presentation should be seven to ten slides in
length.
2. Students were very impressed with your presentation and asked many
questions. The instructor of the course wanted you to discuss after your
formal presentation the importance of security certifications, but there
was not enough time. You agreed to create a Frequently Asked
Questions (FAQ) paper that discusses security certifications and in
particular Security+. Write a one-page FAQ to the class that lists the
advantages of security certifications in general and the CompTIA
Security+ exam and certification in particular.
Chapter 2
Malware and Social Engineering Attacks

After completing this chapter, you will be able to do the following:
• Describe the differences between a virus and a worm
• List the types of malware that conceal their appearance
• Identify different kinds of malware that are designed for profit
• Describe the types of social engineering psychological attacks
• Explain physical social engineering attacks
Most computer users today think attacks on their computers come from malicious software programs, or malware. These programs are created by attackers to silently infiltrate computers with the intent to do harm. Malware can intercept data, steal information, launch attacks, or damage a computer's software so that it no longer properly functions. An estimated 60 million instances of malware exist and the number continues to grow. According to a major security vendor, in 2010 alone, attackers created 34 percent of all existing malware.²

Today's Attacks and Defenses

Successful software companies use a variety of strategies to outsell their competition and gain market share. These strategies may include selling their software at or below a competitor's price, offering better technical support to customers, or providing customized software for clients. And if all else fails, a final strategy can be to buy out the competition through a merger or acquisition.

These strategies are also being widely used by attackers who sell their attack software to others. Approximately two out of three malicious Web attacks have been developed using one of three popular attack toolkits. The toolkits are MPack (the most popular attack toolkit, which has almost half of the attacker toolkit market), NeoSploit, and ZeuS. These toolkits, which are bought and sold online through the underground attacker community, are used to create customized malware that can steal personal information, execute fraudulent financial transactions, and infect computers without the user's knowledge. The toolkits range in price from only $40 to as much as $8,000.

The developers behind these attack toolkits compete fiercely with each other. Some of their tactics include updating the toolkits to keep ahead of the latest security defenses, advertising their attack toolkits as cheaper than the competition, and providing technical support to purchasers. Some attack toolkits even have features to prevent piracy, or the unauthorized copying of the toolkit. And just as in the legitimate business world, mergers and acquisitions are not uncommon. For example, the developer of the attack toolkit SpyEye announced that he had "officially acquired" the ZeuS source code from the original ZeuS developer, who was no longer involved with the "development, sale or support of ZeuS." The SpyEye developer also said that he would be providing existing ZeuS customers with "support services," and that the technologies from SpyEye and ZeuS source code would be merged to create a more capable kit for future releases.¹

Yet attackers resort to other competitive measures that a legitimate software company would never consider. One toolkit can create malware that, when it infects a user's computer, will seek out any other existing malware on that computer and destroy it. Other attack toolkits install backdoors in their code so that the developers can monitor how their customers are using the toolkits. And in some instances, these backdoors can even steal the data from the attacker's malware that it has just stolen from its victim.
With the focus on malware, another means of attack is often overlooked: social engineering.
Tricking users into giving out information or performing a compromising action is also a
favorite type of attack today. Due to user apathy or confusion about good security practices,
most successful attacks are the result, in part, of deceiving users. In fact, defeating security
through a person instead of using technology is often the most cost-effective type of attack
and can also generate some of the highest success rates.
This chapter examines attacks through malware and social engineering. It begins by looking at
the three different categories of attacks that utilize malicious software. Then it explores how
attacks through users are being used today.
Defenses against these and other types of attacks will be discussed in
the Hands-On Projects at the end of this chapter and in later chapters.
Attacks Using Malware
3.1 Analyze and differentiate among types of malware
Malware is software that enters a computer system without the user's knowledge or consent and then performs an unwanted, and usually harmful, action. Malware is a general term that refers to a wide variety of damaging or annoying software programs. One way to classify malware is by its primary objective. Some malware has the primary goal of rapidly spreading its infection, while other malware has the goal of concealing its purpose. Another category of malware has the goal of making a profit for its creators.
Much debate has focused on how to classify the different types of malware. One proposal is to classify it by propagation, infection, self-defense, capabilities, exfiltration, command/control, and post operation. Another proposal is to classify malware by vector, payload, and invocation. It should be noted that the three categories used here (spreading, concealing, and profiting) are not exclusive. That is, spreading malware also tries to conceal itself, yet in comparison to other types of malware its main goal is to replicate itself.
Malware That Spreads
The two types of malware that have the primary objective of spreading are viruses and worms.
These are also some of the earliest types of malware to impact personal computer systems.
Viruses
A biological virus is an agent that reproduces inside a cell. When a cell is infected by a virus, the virus takes over the operation of that cell, converting it into a virtual factory to make more copies of the virus. The cell is forced to produce thousands of identical copies of the original virus very rapidly. Biologists often say that viruses exist only to make more viruses.

The polio virus can make over one million copies of itself inside a single infected human cell.
A computer virus (virus) is malicious computer code that, like its biological counterpart, reproduces itself on the same computer. A virus first inserts itself into a computer file (which can be either a data file or a program). This can be done in several different ways:

• Appender infection. The virus first appends itself to the end of a file. It then moves the first three bytes of the original file to the virus code and replaces them with a jump instruction pointing to the virus code. When the program is launched, the jump instruction redirects control to the virus. An appender infection is shown in Figure 2-1.
• Swiss cheese infection. Some viruses inject themselves into the program's executable code instead of at the end of the file. Any overwritten original code is transferred and stored inside the virus code for proper execution of the host program after the infection. Figure 2-2 illustrates a Swiss cheese infection.
• Split infection. In this technique the virus is split into several parts. The parts are placed at random positions throughout the host program, overwriting the original contents of the host. The overwritten parts are stored at the end of the file, and a table is used to reference their locations. The head of the virus code starts in the beginning of the file and then gives control to the next piece of the virus code, and so on, as shown in Figure 2-3.

There are over 20 different known methods that viruses use to infect a file. These vary in the level of sophistication and all are designed to avoid detection.
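The appender layout just described leaves a signature a scanner can look for: the first instruction of the host is a jump that lands in the tail of the file, where the appended code sits. The following is an added example, not from the textbook, of that detection heuristic. It works on a raw byte image rather than a parsed executable (real scanners apply the same idea to the entry point and sections of a PE file), assumes an x86 near JMP with a 32-bit displacement as the redirecting instruction, and builds its own constructed sample images for the check; none of the byte strings are real programs.

```python
import struct
from typing import Optional, Tuple

# x86 near JMP with a signed 32-bit displacement: opcode E9 followed by rel32.
JMP_REL32 = 0xE9
JMP_LEN = 5


def jump_target(code: bytes) -> Optional[int]:
    """If the image begins with a JMP rel32, return the absolute offset it
    lands on (displacement is relative to the end of the 5-byte instruction);
    otherwise return None."""
    if len(code) < JMP_LEN or code[0] != JMP_REL32:
        return None
    (rel,) = struct.unpack_from("<i", code, 1)
    return JMP_LEN + rel


def appender_suspect(code: bytes, tail_fraction: float = 0.25) -> bool:
    """Heuristic for appender infections: the entry instruction jumps into the
    final `tail_fraction` of the file, which is where appended virus code
    lives. A short jump over a data block near the start is normal and is
    not flagged, which keeps false positives down."""
    target = jump_target(code)
    if target is None or not 0 <= target < len(code):
        return False
    tail_start = int(len(code) * (1.0 - tail_fraction))
    return target >= tail_start


def make_samples() -> Tuple[bytes, bytes, bytes]:
    """Constructed byte strings standing in for program images (not real
    executables): a clean program, the same program after an appender
    infection, and a benign program that starts with a short forward jump."""
    # 200-byte "program": a prologue, filler instructions, and an epilogue.
    clean = bytes([0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10]) + b"\x90" * 192 + b"\xC9\xC3"

    # Appender layout from the text: the virus body is appended at the end, the
    # overwritten entry bytes are stashed inside it, and the entry point is
    # replaced by a jump whose target is the start of the appended body.
    virus_body = b"\xCC" * 35 + clean[:JMP_LEN]
    rel = len(clean) - JMP_LEN
    infected = bytes([JMP_REL32]) + struct.pack("<i", rel) + clean[JMP_LEN:] + virus_body

    # Benign: the entry jumps over an 11-byte data block placed right after it.
    data_block = b"DATA-BLOCK\x00"
    benign = bytes([JMP_REL32]) + struct.pack("<i", len(data_block)) + data_block + b"\x90" * 184
    return clean, infected, benign


if __name__ == "__main__":
    for label, image in zip(("clean", "infected", "benign-jmp"), make_samples()):
        print(f"{label:11s} size={len(image)} target={jump_target(image)} suspect={appender_suspect(image)}")
```

The clean image has no leading jump and is ignored; the infected image jumps to offset 200 of a 240-byte file, inside the last quarter, and is flagged; the benign image jumps to offset 16 of 200 and is not. The tail fraction is a tuning knob: a lower value catches smaller appended bodies at the cost of more false positives on programs with large trailing data.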
[Figure 2-1 Appender infection (labels: PROGRAM CODE, JMP, VIRUS CODE). © Cengage Learning 2012]
Each time the infected program is launched or the file is opened, either by the user or the computer's operating system, the virus performs two actions. First, it tries to reproduce itself by inserting its code into another file on the same computer. Second, it unloads a malicious payload and performs some action. Although a virus can do something as simple as display an annoying message (often political in nature and with poor spelling, as shown in Figure 2-4), most viruses are much more harmful. Viruses have performed the following actions:

• Caused a computer to crash repeatedly
• Erased files from a hard drive
• Made multiple copies of itself and consumed all of the free space in a hard drive
• Turned off the computer's security settings
• Reformatted the hard disk drive
[Figure 2-2 Swiss cheese infection (labels: PROGRAM CODE, JMP, VIRUS CODE). © Cengage Learning 2012]

[Figure 2-3 Split infection (labels: PROGRAM CODE, VIRUS CODE (Head), VIRUS CODE (Body), VIRUS PART 2 through VIRUS PART 7). © Cengage Learning 2012]
Sometimes a virus will remain dormant for a period of time before
unleashing its payload.
A virus can only replicate itself on the host computer on which it is located; it cannot auto-
matically spread to another computer. Instead, it must typically rely on the actions of users
to spread to other computers. Because viruses are attached to files, viruses are spread by a
user transferring those files to other devices. For example, a user may send an infected file
as an e-mail attachment or copy it to a USB flash drive and give the drive to another user.
Once the virus reaches the other computer, it begins to infect it. This means that a
virus must have two carriers: a file to which it attaches and a human to transport it to other
computers.
Hands-On Project 2-1 shows you how to block content from a USB
drive using third-party software.
One of the first viruses found on a microcomputer was written for the Apple-II in 1982. Rich Skrenta, a ninth-grade student in Pittsburgh, wrote "Elk Cloner," which displayed his poem on the screen after every 50th use of the infected floppy disk. (Unfortunately, the program found its way onto the computer used by Skrenta's math teacher.)³ In 1984, the mathematician Dr. Frederick Cohen introduced the term virus based on a recommendation from his advisor, who came up with the name from reading science fiction novels.
Unlike other malware, a virus is heavily dependent upon the user for its survival. First, the
user must launch the program or open a file in order for the virus to begin replicating and
unloading its payload. Second, the user must transmit the infected files or programs from
one computer to another.
[Figure 2-4 Annoying virus message. © Cengage Learning 2012]
A molecular biologist noted several additional similarities between bio-
logical and computer viruses: both must enter their host passively (by
relying on the action of an outside agent), both must be on the correct
host (a horse virus cannot make a human sick, just as an Apple Mac
virus cannot infect a Windows computer), both can only replicate
when inside the host, both may remain dormant for a period of time,
and both types of viruses replicate at the expense of the host.
There are several types of computer viruses. These include:

• A program virus infects program executable files (files with an .EXE or .COM file extension). When the program is launched the virus is activated.

There are almost 70 different Microsoft Windows file extensions that could contain a virus.

• A macro virus is written in a script known as a macro. A macro is a series of instructions that can be grouped together as a single command and are often used to automate a complex set of tasks or a repeated series of tasks. Macros can be written by using a macro language, such as Visual Basic for Applications (VBA), and are stored within the user document (such as in an Excel .XLSX worksheet). A macro virus takes advantage of the "trust" relationship between the application (Excel) and the operating system (Microsoft Windows). Once the user document is opened, the macro virus instructions execute and infect the computer.

Because of the risk of macro viruses, users should be cautious of opening any e-mail attachment because doing so could automatically launch a macro virus. If an unexpected attachment is received it is best not to open the attachment until it can be verified.

• Instead of searching for a file on the hard drive to infect, a resident virus is loaded into random access memory (RAM) each time the computer is turned on and infects files that are opened by the user or the operating system.
• A boot virus infects the Master Boot Record (MBR) of a hard disk drive. The MBR contains the program necessary for the computer to start up and a description of how the hard drive is organized (the partition table). Instead of damaging individual files, a boot virus is intended to harm the hard disk drive itself. Boot viruses are rarely found today.
• A companion virus adds a program to the operating system that is a malicious copycat version of a legitimate program. For example, a companion virus might add the malicious program Notepad.com as a companion to the authentic Microsoft program Notepad.EXE. If the user were to attempt to launch the program from the command prompt by typing NOTEPAD (without the three-character file extension), Windows would execute the malicious Notepad.COM instead of the authentic Notepad.EXE because of how Windows handles programs. Because Windows programs today are commonly run from clicking an icon instead of typing the name of the program, companion viruses are also rare.
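The advice above, to verify an unexpected attachment before opening it, can be partly automated at the mail gateway or on the desktop. The following is an added example, not from the textbook, of a triage check for Office attachments: Office Open XML documents are ZIP containers, and a document that carries VBA macros stores them in a vbaProject.bin part, so a file can be inspected for a macro project before anyone opens it. Legacy binary Office files (.doc, .xls) are OLE2 compound files and need a dedicated parser, so the check only labels them for further inspection. The sample files are constructed in memory by the block itself and the verdict strings are this example's own naming.

```python
import io
import os
import zipfile
from typing import Dict, Union

# Legacy binary Office formats (.doc, .xls, .ppt) are OLE2 compound files.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Office Open XML extensions that are allowed to carry a VBA project.
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def has_vba_project(data: bytes) -> bool:
    """Office Open XML documents are ZIP containers; a VBA project is stored as
    a vbaProject.bin part (xl/vbaProject.bin, word/vbaProject.bin, ...)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment by its content, not just its name."""
    ext = os.path.splitext(filename)[1].lower()
    if data.startswith(OLE2_MAGIC):
        # May hold VBA streams; inspect with an OLE-aware tool before opening.
        return "legacy-binary-office"
    if not data.startswith(b"PK"):
        return "not-office-container"
    if not has_vba_project(data):
        return "no-macros"
    if ext in MACRO_ENABLED_EXT:
        return "macro-enabled"
    # A VBA project inside a file whose name claims to be macro-free.
    return "disguised-macros"


def build_ooxml(parts: Dict[str, Union[str, bytes]]) -> bytes:
    """Constructed test fixture: a minimal OOXML-style ZIP with the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (names and contents are made up for the demo).
SAMPLES = {
    "quarterly.xlsx": build_ooxml({"xl/workbook.xml": "<workbook/>"}),
    "budget.xlsm": build_ooxml({"xl/workbook.xml": "<workbook/>", "xl/vbaProject.bin": b"\x00" * 32}),
    "invoice.docx": build_ooxml({"word/document.xml": "<document/>", "word/vbaProject.bin": b"\x00" * 32}),
    "memo.doc": OLE2_MAGIC + b"\x00" * 504,
    "photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16s} {triage_attachment(name, data)}")
```

The check is deliberately conservative: it does not decide whether a macro is malicious, only whether one is present and whether the file name was chosen to hide that, which is exactly the point at which the verification the text recommends should happen.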
Worms
The second type of malware that spreads is a worm. A worm is a malicious program designed to take advantage of a vulnerability in an application or an operating system in order to enter a computer. Once the worm has exploited the vulnerability on one system, it immediately searches for another computer that has the same vulnerability. A worm uses a network to send copies of itself to other devices also connected to the network.
Some early worms were benign and designed simply to spread quickly and not corrupt the sys-
tems they infected. These worms only slowed down the network through which they were
transmitted by replicating so quickly that they consumed all network resources. Newer worms
can leave behind a payload on the systems they infect and cause harm, much like a virus.
Actions that worms have performed include deleting files on the computer or allowing the com-
puter to be remotely controlled by an attacker.
One of the first wide-scale worms occurred in 1988. This worm
exploited a misconfiguration in a program that allowed commands
e-mailed to a remote system to be executed on that system and it
also carried a payload that contained a program that attempted to
determine user passwords. Almost 6,000 computers, or 10 percent
of the devices connected to the Internet at that time, were affected. The
worm was attributed to Robert T. Morris, Jr., who was later convicted of
federal crimes in connection with this incident.
Although often confused with viruses, worms are significantly different. Table 2-1 lists the
differences between viruses and worms.
Although viruses and worms are said to be self-replicating, where
they replicate is different. A virus will self-replicate on the local com-
puter but not to other computers. A worm will self-replicate between
computers (from one computer to another). That means if a virus
infects Computer A there will be multiple files on Computer A that
are infected, but Computers B, C, and D are not affected. If a worm
infects Computer A there will be a single infection on it, but Compu-
ters B, C, and D may also be infected.
| Action | Virus | Worm |
|---|---|---|
| How does it spread to other computers? | Because viruses are attached to files, it is spread by a user transferring those files to other devices | Worms use a network to travel from one computer to another |
| How does it infect? | Viruses insert their code into a file | Worms exploit vulnerabilities in an application or operating system |
| Does there need to be user action? | Yes | No |
| Can it be remote controlled? | No | Yes |

Table 2-1 Difference between viruses and worms
Malware That Conceals
Several types of malware have the primary objective of hiding their presence from the user, as
opposed to rapidly spreading like a virus or worm. Concealing malware includes Trojans, root-
kits, logic bombs, and backdoors.
Trojans
According to ancient legend, the Greeks won the Trojan War by hiding soldiers in a large hollow wooden horse that was presented as a gift to the city of Troy. Once the horse was wheeled into the fortified city, the soldiers crept out of the horse during the night and attacked the unsuspecting defenders.
A computer Trojan horse (or just Trojan) is an executable program advertised as performing
one activity, but actually does something else (or it may perform both the advertised and mali-
cious activities). For example, a user may download what is advertised as a free calendar pro-
gram, yet when it is launched, in addition to installing a calendar it scans the system for credit
card numbers and passwords, connects through the network to a remote system, and then
transmits that information to the attacker. Trojans are typically executable programs that con-
tain hidden code that launches an attack.
Unlike a virus that infects a system without the user's knowledge or consent, a Trojan program is installed on the computer system with the user's knowledge. What the Trojan conceals is its malicious payload.
One technique used by Trojans is to make the program appear as though it is not even an exe-
cutable program but only contains data. For example, the file FREE-COUPONS.DOCX.EXE
is an executable program because of the .EXE file extension. However, because Microsoft Win-
dows, by default, does not show common file extensions, the program will only appear as
FREE-COUPONS.DOCX. A user who clicks the file to launch Microsoft Office and open the
document will instead start the Trojan.
It is recommended that all file extensions should always be displayed.
In Microsoft Windows, open Windows Explorer, click Organize, and
then Folder and Search Options, and then the View tab. Uncheck
the option Hide extensions for known file types.
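Both the FREE-COUPONS.DOCX.EXE trick described above and the companion-virus trick from the virus section (Notepad.COM shadowing Notepad.EXE) rely on how Windows resolves and displays file names rather than on anything inside the file. The following is an added example, not from the textbook, of a directory audit that catches both: a name whose real extension is executable while the part shown when extensions are hidden looks like a document, and groups of executables sharing a base name, reported in the order the command interpreter tries extensions for a bare name (the default PATHEXT order). The directory listing is constructed inline; the `audit` function is this example's own.

```python
import os
from collections import defaultdict
from typing import Dict, Iterable, List

# Default PATHEXT order on Windows: when only a base name is typed, the command
# interpreter tries these extensions in order and runs the first match.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE", ".JS", ".JSE", ".WSF", ".WSH", ".MSC"]
EXECUTABLE_EXT = {e.lower() for e in PATHEXT} | {".scr", ".pif"}
# Extensions a user expects to open in a viewer, not to run.
DOCUMENT_EXT = {".docx", ".doc", ".xlsx", ".xls", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".zip"}


def disguised_executable(filename: str) -> bool:
    """True for names such as FREE-COUPONS.DOCX.EXE: the real extension runs,
    but with 'hide extensions' on Explorer shows only the document-like part."""
    stem, real_ext = os.path.splitext(filename)
    _, shown_ext = os.path.splitext(stem)
    return real_ext.lower() in EXECUTABLE_EXT and shown_ext.lower() in DOCUMENT_EXT


def companion_candidates(filenames: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Group executables that share a base name and report which one a bare
    name would launch plus the files it shadows."""
    groups: Dict[str, Dict[str, str]] = defaultdict(dict)
    for name in filenames:
        stem, ext = os.path.splitext(name)
        if ext.upper() in PATHEXT:
            groups[stem.lower()][ext.upper()] = name
    findings: Dict[str, Dict[str, object]] = {}
    for stem, by_ext in groups.items():
        if len(by_ext) < 2:
            continue
        order = sorted(by_ext, key=PATHEXT.index)
        findings[stem] = {"runs": by_ext[order[0]], "shadowed": [by_ext[e] for e in order[1:]]}
    return findings


def audit(filenames: Iterable[str]) -> Dict[str, object]:
    names: List[str] = list(filenames)
    return {
        "disguised": [n for n in names if disguised_executable(n)],
        "companions": companion_candidates(names),
    }


# Constructed directory listing for the demo (os.listdir(path) would supply a real one).
LISTING = [
    "Notepad.EXE", "Notepad.COM", "calc.exe", "FREE-COUPONS.DOCX.EXE",
    "report.docx", "backup.bat", "backup.exe", "photo.jpg",
]


if __name__ == "__main__":
    result = audit(LISTING)
    print("disguised executables:", result["disguised"])
    for stem, info in result["companions"].items():
        print(f"{stem}: a bare name runs {info['runs']}, shadowing {info['shadowed']}")
```

The companion report is informational rather than a verdict: a legitimate pair such as a .bat wrapper beside its .exe will also appear, but an unexplained .COM next to a well-known .EXE in a directory on the search path is exactly what the companion virus in the text looks like.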
Rootkits
In late 2005, Sony BMG Music Entertainment shocked the computer world by secretly installing hidden software on any computer that played one of 50 Sony music CDs. The software that Sony installed was intended to prevent the music CDs from being copied. These CDs created a hidden directory and installed their own device driver software on the computer. Other Sony software then rerouted normal functions away from Microsoft Windows to Sony's own routines. Finally, the Sony software disguised its presence. In essence, this software took control of the computer away from the operating system and hid the software's presence. Attackers quickly determined how to exploit this feature. It was not until this nefarious behavior was exposed that Sony was forced to backpedal and withdraw the CDs from the market.

What Sony did was install a rootkit on computers into which the CD was inserted. A rootkit is a set of software tools used by an attacker to hide the actions or presence of other types of malicious software, such as Trojans, viruses, or worms. Rootkits do this by hiding or removing traces of log-in records, log entries, and related processes. They also change the operating system to force it to ignore any malicious activity.
Originally the term rootkit referred to a set of modified and recompiled
tools for the UNIX operating system. A root is the highest level of privi-
leges available in UNIX, so a rootkit described programs that an attacker
used to gain root privileges and to hide the malicious software. Today
rootkits are not limited to UNIX computers; similar tools are available for
other operating systems.
One approach used by rootkits is to alter or replace operating system files with modified versions that are specifically designed to ignore malicious activity. For example, on a computer the anti-malware software may be instructed to scan all files in a specific directory, and in order to do this, the software will receive a list of those files from the operating system. A rootkit will replace the operating system's ability to retrieve a list of files with its own modified version that ignores specific malicious files. The anti-malware software assumes that the computer will willingly carry out those instructions and retrieve all files; it does not know that the computer is only displaying files that the rootkit has approved. Rootkits are illustrated in Figure 2-5.
The fundamental problem with a rootkit is that users can no longer
trust their computer; a rootkit may actually be in charge and hide what
is occurring on the computer. The user and the operating system do
not know that it is being compromised and is carrying out what it
thinks are valid commands.
The success of detecting a rootkit can depend on the type of rootkit infection. Rootkits that alter or replace operating system files with modified versions can generally be detected by programs that compare the contents of files on the computer with the original files. This may require that the detection program be run from clean media, such as a CD or a dedicated USB flash drive instead of the hard drive. Other types of rootkits that operate at "lower levels" of the operating system can be more difficult to detect. Likewise, removing a rootkit from an infected computer may be difficult. This is because removing rootkits involves two steps. First, the rootkit itself must be erased or it will keep reinfecting the computer. Second, the portions of the operating system programs and files that were altered must be replaced with the original files. Because rootkits change the operating system, it is not always possible to remove corrupted operating system programs without causing the computer to become unstable or quit working.

[Figure 2-5 Rootkit infection: on a clean computer, "Display list of files" returns Apple.docx, Banana.xlsx, Malicious_Infection.rar, and Carrot.pptx; on a computer infected by a rootkit, the same request returns only Apple.docx, Banana.xlsx, and Carrot.pptx. © Cengage Learning 2012]
Ultimately, the only safe and foolproof way to handle a rootkit
infection is to reformat the hard drive and reinstall the operating
system.
Hands-On Project 2-2 shows you how to scan for rootkits using a
Microsoft tool.
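The two detection ideas above, comparing what the running operating system reports against what is actually on disk (Figure 2-5) and comparing system files against known-good originals from clean media, are small enough to show directly. The following is an added example, not from the textbook or any particular tool, of both checks: a cross-view difference between an "API" listing and a "raw" listing, and a digest-based integrity comparison against a baseline. The listings, file names and file contents are constructed for the demo; in practice the raw view comes from reading the file system structures directly (or from clean boot media) and the baseline digests are kept off the machine.

```python
import hashlib
from typing import Dict, Iterable, List


def cross_view_hidden(api_view: Iterable[str], raw_view: Iterable[str]) -> List[str]:
    """Cross-view detection: entries present in a listing taken from the raw
    on-disk structures but missing from the listing the running operating
    system returned are being hidden from the OS, i.e. rootkit candidates."""
    return sorted(set(raw_view) - set(api_view))


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 digest of each file, to be kept off-box as a known-good baseline."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in files.items()}


def integrity_changes(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare digests computed from clean media against the baseline: replaced
    system programs show up as modified, a dropped hiding module as added."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "missing": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
    }


# Constructed listings mirroring Figure 2-5: the OS-supplied view omits one file.
API_VIEW = ["Apple.docx", "Banana.xlsx", "Carrot.pptx"]
RAW_VIEW = ["Apple.docx", "Banana.xlsx", "Malicious_Infection.rar", "Carrot.pptx"]

# Constructed contents of a few system programs at baseline time and at scan time
# (placeholder bytes, not real binaries; "libhide.so" is an invented file name).
BASELINE_FILES = {
    "ls": b"original ls binary",
    "ps": b"original ps binary",
    "netstat": b"original netstat binary",
}
CURRENT_FILES = {
    "ls": b"modified ls binary that skips the rootkit's files",
    "ps": b"original ps binary",
    "netstat": b"original netstat binary",
    "libhide.so": b"new shared object",
}


def run_checks() -> Dict[str, object]:
    return {
        "hidden": cross_view_hidden(API_VIEW, RAW_VIEW),
        "integrity": integrity_changes(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES)),
    }


if __name__ == "__main__":
    print(run_checks())
```

Both checks depend on the reference being trustworthy: a cross-view diff is only meaningful if the raw view bypasses the code a rootkit could have hooked, and a digest comparison is only meaningful if the baseline was taken from a clean system and stored where the rootkit cannot edit it.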
Logic Bombs
A logic bomb is computer code that lies dormant until it is triggered by a specific logical event. Once it is triggered, the program can then perform any number of malicious activities. For example, a Maryland government employee tried to destroy the contents of over 4,000 servers by planting a logic bomb script that was scheduled to activate 90 days after he was terminated.⁴
Some recent high-profile logic bombs are listed in Table 2-2.

| Description | Reason for attack | Results |
|---|---|---|
| A logic bomb was planted in a financial services computer network that caused 1,000 computers to delete critical data | A disgruntled employee had counted on this to cause the company's stock price to drop; the employee would earn money from the price drop | The logic bomb detonated, yet the employee was caught and sentenced to 8 years in prison and ordered to pay $3.1 million in restitution⁵ |
| A logic bomb at a defense contractor was designed to delete important rocket project data | The employee's plan was to be hired as a highly paid consultant to fix the problem | The logic bomb was discovered and disabled before it triggered; the employee was charged with computer tampering and attempted fraud and was fined $5,000⁶ |
| A logic bomb at a health services firm was set to go off on the employee's birthday | The employee was angered that he might be laid off (although he was not) | The employee was sentenced to 30 months in a federal prison and paid $81,200 in restitution to the company⁷ |

Table 2-2 Famous logic bombs
Logic bombs have sometimes been used by legitimate software compa-
nies to ensure payment for their software. If a payment was not made
by the due date, the logic bomb would activate and prevent the soft-
ware from being used again. In some instances, the logic bomb even
erased the software and the accompanying payroll or customer files
from the computer.
Logic bombs are difficult to detect before they are triggered. This is because logic bombs are
often embedded in large computer programs, some containing tens of thousands of lines of
code. An attacker can easily insert three or four lines of computer code into a long program
without anyone detecting the insertion.
Logic bombs should not be confused with an Easter egg, which refers to an undocumented, yet benign, hidden feature that launches by entering a set of special commands, key combinations, or mouse clicks. Usually programmers insert Easter eggs for their own recreation or notoriety during the software's development. For example, in Microsoft Excel 95 there was actually an entire game called "The Hall of Tortured Souls" that was embedded as an Easter egg. Microsoft ended the practice of including Easter eggs in 2002 as part of its Trustworthy Computing initiative.
Backdoors
A backdoor is software code that gives access to a program or service that circumvents any normal security protections. Creating a legitimate backdoor is a common practice by a developer, who may need to access a program or device on a regular basis, yet does not want to be hindered by continual requests for passwords or other security approvals. The intent is for the backdoor to be removed once the application is finalized. However, in some instances backdoors have been left installed, and attackers have used them to bypass security.
In addition, malware from attackers can also install backdoors on a computer. This allows
the attacker to return at a later time and bypass any security settings.
Malware That Profits
A third category of malware is primarily intended to bring profit to the attackers. This includes
botnets, spyware, adware, and keyloggers.
Botnets
One of the most popular payloads of malware today carried by Trojans, worms, and viruses is a program that will allow the infected computer to be placed under the remote control of an attacker. This infected robot (bot) computer is known as a zombie. When hundreds, thousands, or even hundreds of thousands of zombie computers are gathered into a logical computer network under the control of an attacker, this creates a botnet.
Due to the multitasking capabilities of modern computers, a computer
can act as a zombie while at the same time carrying out the tasks of its
regular user. The user is completely unaware that his or her computer is
being used for malicious activities.
Early botnets under the control of the attacker, known as a bot herder, used Internet Relay Chat (IRC) to remotely control the zombies. IRC is an open communication protocol that is used for real-time "chatting" with other IRC users over the Internet. It is mainly designed for group or one-to-many communication in discussion forums. Users access IRC networks by connecting a local IRC client to a remote IRC server, and multiple IRC servers can connect to other IRC servers to create large IRC networks. After infecting a computer to turn it into a zombie, bot herders would secretly connect it to a remote IRC server using its built-in client program and instruct it to wait for instructions, known as command and control (C&C). The bot herder could then remotely direct the zombies to steal information from the victims' computers and to launch attacks against other computers. Table 2-3 lists some of the attacks that can be generated through botnets.
The use of IRC as a botnet C&C mechanism has been replaced in recent years with the
hypertext transport protocol (HTTP), which is the standard protocol for Internet usage.
Using HTTP, botnet traffic may be more difficult to detect and block. In addition,
HTTP can make C&C easier by having the zombie sign in to a site that the bot herder
operates or by having it connect to a Web site on which the bot herder has placed infor-
mation that the zombie knows how to interpret as commands. This latter technique
has the advantage in that the bot herder does not need to have an affiliation with the
Web site.
Some botnets even use blogs or social networking accounts for
C&C. One bot herder sent specially coded attack commands through
posts on the Twitter social networking service.
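HTTP-based C&C, as described above, has a zombie check in with a site the bot herder controls or reads. Because that check-in is automated, it tends to recur at a fixed interval, which is the "beaconing" pattern network defenders look for in proxy logs. The following is an added example, not from the textbook, that scores each (client, host) pair by how regular its request timing is; a low coefficient of variation over enough requests is reported as a beacon candidate. The log format, the client addresses and the host names are all constructed for the demo, and the thresholds are illustrative starting points rather than values from any product.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, Iterable, Iterator, Tuple
from urllib.parse import urlsplit

# Constructed proxy log: "<ISO timestamp> <client> <method> <url> <status>".
# 10.0.0.5 polls one host about every five minutes; 10.0.0.7 browses normally.
LOG = """\
2011-02-28T10:00:00 10.0.0.5 GET http://updates.example.test/check.php 200
2011-02-28T10:00:12 10.0.0.7 GET http://www.example.test/ 200
2011-02-28T10:00:15 10.0.0.7 GET http://www.example.test/news 200
2011-02-28T10:03:40 10.0.0.7 GET http://www.example.test/news/2 200
2011-02-28T10:05:01 10.0.0.5 GET http://updates.example.test/check.php 200
2011-02-28T10:09:59 10.0.0.5 GET http://updates.example.test/check.php 200
2011-02-28T10:12:30 10.0.0.5 GET http://search.example.test/?q=weather 200
2011-02-28T10:15:00 10.0.0.5 GET http://updates.example.test/check.php 200
2011-02-28T10:20:02 10.0.0.5 GET http://updates.example.test/check.php 200
2011-02-28T10:21:05 10.0.0.7 GET http://www.example.test/about 200
2011-02-28T10:22:30 10.0.0.7 GET http://www.example.test/contact 200
"""

Key = Tuple[str, str]


def parse(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, client, host) for each well-formed log line."""
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, client, _method, url, _status = fields
        host = urlsplit(url).hostname
        if host:
            yield datetime.fromisoformat(ts), client, host


def beacons(lines: Iterable[str], min_requests: int = 4, max_cv: float = 0.1) -> Dict[Key, Dict[str, float]]:
    """Flag (client, host) pairs whose inter-request gaps are nearly constant.
    cv = population std dev of the gaps / mean gap; 0 means perfectly periodic."""
    stamps: Dict[Key, list] = defaultdict(list)
    for ts, client, host in parse(lines):
        stamps[(client, host)].append(ts)

    findings: Dict[Key, Dict[str, float]] = {}
    for key, times in stamps.items():
        if len(times) < min_requests:
            continue                      # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue                      # duplicate timestamps, nothing to measure
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings[key] = {"requests": len(times), "period_s": round(period, 1), "cv": round(cv, 3)}
    return findings


if __name__ == "__main__":
    for (client, host), info in beacons(LOG.splitlines()).items():
        print(f"{client} -> {host}: {info['requests']} requests, period {info['period_s']}s, cv {info['cv']}")
```

Human browsing to www.example.test produces gaps of a few seconds to many minutes and is not flagged; the polling client is flagged with a period near 300 seconds. Real deployments add jitter tolerance (some bots randomize the interval) and an allow-list for legitimate pollers such as software update services, which beacon just as regularly.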
In many ways a botnet is the ideal base of operations for attackers:

• Zombies are designed to operate in the background, often without any visible evidence of their existence.
• Botnets provide a means for covering the tracks of the botnet herder. If any action is traced back, it ends at the hijacked computer of an innocent user.
• By keeping a low profile, botnets are sometimes able to remain active and operational for years.
• The growth of always-on Internet services such as residential broadband ensures that a large percentage of zombies in a botnet are accessible at any given time.

| Type of attack | Description |
|---|---|
| Spamming | A botnet consisting of thousands of zombies enables an attacker to send massive amounts of spam; some botnets can also harvest e-mail addresses |
| Spreading malware | Botnets can be used to spread malware and create new zombies and botnets; zombies have the ability to download and execute a file sent by the attacker |
| Attacking IRC networks | Botnets are often used for attacks against IRC networks; the bot herder orders each botnet to connect a large number of zombies to the IRC network, which is flooded by service requests and then cannot function |
| Manipulating online polls | Because each zombie has a unique Internet Protocol (IP) address, each "vote" by a zombie will have the same credibility as a vote cast by a real person; online games can be manipulated in a similar way |
| Denying services | Botnets can flood a Web server with thousands of requests and overwhelm it to the point that it cannot respond to legitimate requests |

Table 2-3 Uses of botnets
The number of botnets is staggering. One botnet controlled by a European bot herder contained 1.5 million zombies, and botnets of 100,000 zombies are not uncommon.⁸ Some security experts estimate that between 7 and 25 percent of all computers on the Internet belong to a botnet.⁹

Botnets are widely recognized as the primary source of sending spam e-mail. The 10 largest botnets are responsible for generating 80 percent of all spam, or 135 billion spam messages each day.¹⁰
Spyware
Spyware is a general term used to describe software that spies on users by gathering information without consent, thus violating their privacy. The Anti-Spyware Coalition defines spyware as tracking software that is deployed without adequate notice, consent, or control by the user.[11] This software is implemented in ways that impair a user's control over:
• The use of system resources, including what programs are installed on their computers
• The collection, use, and distribution of personal or otherwise sensitive information
• Material changes that affect the user experience, privacy, or system security
Spyware usually performs one of the following functions on a user's computer: advertising, collecting personal information, or changing computer configurations. Table 2-4 lists different technologies used by spyware.
Technology: Description. Impact
Automatic download software: Used to download and install software without the user's interaction. Impact: may be used to install unauthorized applications
Passive tracking technologies: Used to gather information about user activities without installing any software. Impact: may collect private information such as Web sites a user has visited
System-modifying software: Modifies or changes user configurations, such as the Web browser home page or search page, default media player, or lower-level system functions. Impact: changes configurations to settings that the user did not approve
Tracking software: Used to monitor user behavior or gather information about the user, sometimes including personally identifiable or other sensitive information. Impact: may collect personal information that can be shared widely or stolen, resulting in fraud or identity theft
Table 2-4 Technologies used by spyware
54 Chapter 2 Malware and Social Engineering Attacks
In addition to violating a user's privacy, spyware can also have negative effects on the computer itself:
• Slow computer performance. Spyware can increase the time to boot a computer or surf the Internet.
• System instability. Spyware can cause a computer to freeze frequently or even reboot.
• New browser toolbars or menus. Spyware may install new Web browser menus or toolbars.
• New shortcuts. New shortcuts on the desktop or in the system tray may indicate the presence of spyware.
• Hijacked home page. An unauthorized change in the default home page on a Web browser can be caused by spyware.
• Increased pop-ups. Pop-up advertisements that suddenly appear are usually the result of spyware.
Harmful spyware is not always easy to identify. This is because not all software that performs one of the functions listed is necessarily spyware. With the proper notice, consent, and control, some of these same technologies can provide valuable benefits. For example, monitoring tools can help parents keep track of the online activities of their children while the parents are surfing the Web, and remote-control features allow support technicians to remotely diagnose computer problems.
Adware
Adware is a software program that delivers advertising content in a manner that is unexpected and unwanted by the user. The adware program may infect a computer as the result of a virus, worm, or Trojan. Once the adware is installed, it typically displays advertising banners, pop-up ads, or opens new Web browser windows at random intervals.
Users generally resist adware because:
• Adware may display objectionable content, such as gambling sites or pornography.
• Frequent pop-up ads can interfere with a user's productivity.
• Pop-up ads can slow a computer or even cause crashes and the loss of data.
• Unwanted advertisements can be a nuisance.
Some adware goes beyond affecting the user's computer. This is because adware programs can also perform a tracking function, which monitors and tracks a user's online activities and then sends a log of these activities to third parties without the user's authorization or knowledge. For example, a user who visits online automobile sites to view specific types of cars can be tracked by adware and classified as someone interested in buying a new car. Based on the order and type of Web sites visited, the adware can also determine whether the surfers' behavior suggests they are close to making a purchase or are also looking at competitors' cars. This information is gathered by adware and then sold to automobile advertisers, who send the users regular mail advertisements about their cars or even call the user on the telephone.
Keyloggers
A keylogger captures and stores each keystroke that a user types on the computer's keyboard. This information can be later retrieved by the attacker or secretly transmitted to a remote location. The attacker then searches for any useful information in the captured text such as passwords, credit card numbers, or personal information.
A keylogger can be a small hardware device or a software program. As a hardware device,
the keylogger is inserted between the keyboard connector or USB port and computer
keyboard, as shown in Figure 2-6. Because the device resembles an ordinary keyboard plug
and because the computer keyboard port is often on the back of the computer, a hardware
keylogger is virtually undetectable. The device collects each keystroke and the attacker who
installed the keylogger returns at a later time and physically removes the device in order to
access the information it has gathered.
A hardware keylogger with a 2 gigabyte (GB) capacity can capture
over 2 billion keystrokes, which is the equivalent of over 1 million pages
of text.
Software keyloggers are programs installed on the computer that silently capture sensitive information, as shown in Figure 2-7. Software keyloggers do not require physical access to the user's computer as with a hardware keylogger, but can be downloaded and installed as a Trojan or by a virus. These keyloggers can routinely send captured information back to the attacker through the Internet. Software keylogger programs hide themselves so that they cannot be easily detected even if a user is searching for them.
Hands-On Project 2-4 shows how to use a software keylogger.
Figure 2-6 Hardware keylogger
© Cengage Learning 2012
Social Engineering Attacks
3.2 Analyze and differentiate among types of attacks
3.3 Analyze and differentiate among types of social engineering attacks
One morning a small group of strangers walked into the corporate offices of a large shipping firm and soon walked out with access to the firm's entire computer network, which contained valuable and highly sensitive information. They were able to accomplish this feat with no technical tools or skills:
1. Before entering the building, one person of the group called the company's Human Resource (HR) office and asked for the names of key employees. The office willingly gave out the information without asking any questions.
2. As the group walked up to the building, one of them pretended to have lost their key code to the door, so a friendly employee let them in. When they entered a secured area on the third floor they claimed to have misplaced their identity badges, so another smiling employee opened the door for them.
3. Because these strangers knew from his voicemail greeting message that the chief financial officer (CFO) was out of town, they walked unchallenged into his office and gathered information from his unprotected computer. They also dug through trash receptacles and retrieved useful documents. A janitor was stopped and asked for a garbage pail in which to place these documents so they could be carried out of the building.
4. One of the group's members then called the company's Help Desk from the CFO's office and pretended to be the CFO (they had listened to his voice from his voicemail greeting message and knew how he spoke). The imposter CFO claimed that he desperately needed his password because he had forgotten it and was on his way to an important meeting. The Help Desk gave out the password, and the group left the building with complete access to the network.
Figure 2-7 Information captured by a software keylogger
© Cengage Learning 2012
This true story illustrates that technology is not always needed for attacks on IT.[12] Social engineering is a means of gathering information for an attack by relying on the weaknesses of individuals. Social engineering attacks can involve psychological approaches as well as physical procedures.
Psychological Approaches
Many social engineering attacks rely on psychology, which is the mental and emotional approach rather than the physical. At its core, social engineering relies on an attacker's clever manipulation of human nature in order to persuade the victim to provide information or take actions. These basic methods of persuasion include ingratiation (flattery or insincerity), conformity (everyone else is doing it), and friendliness. The attacker attempts to convince the victim that the attacker can be trusted.
Conformity is a group-based behavior, yet it can be used on an individ-
ual by convincing the victim that everyone else has been giving the
attacker the requested information. This type of attack is successful
because it is used as a way to diffuse the responsibility of the employee
cooperating and alleviates the stress on the employee.
Because many of the psychological approaches involve person-to-person contact, attackers use a variety of techniques to gain trust without moving so quickly that they arouse suspicion. For example:
• An attacker will not ask for too much information at one time, but instead will gather small amounts, even from several different victims, in order to maintain the appearance of credibility.
• The request from the attacker needs to be believable. Asking a victim to go into the CFO's office to retrieve a document may raise suspicion, yet asking if the CFO is on vacation would not.
• Slight flattery or flirtation can be helpful to "soften up" the victim to cooperate.
• An attacker works to "push the envelope" just far enough when probing for information before the victim suspects anything unusual.
• A smile and a simple question such as "I'm confused, can you please help me?" or a "Thanks" can usually clinch the deal.
Social engineering psychological approaches often involve impersonation, phishing, spam,
and hoaxes.
Social media sites such as Facebook are popular with attackers to
create a trust relationship with a user and then gather information.
Impersonation
Social engineering impersonation means to create a fictitious character and then play out the role of that person on a victim. For example, an attacker could impersonate a Help Desk support technician who calls the victim, pretends that there is a problem with the network, and asks her for her username and password to reset the account.
Common roles that are often impersonated include a repairperson, IT support, a manager, a trusted third party, or a fellow employee. Often attackers will impersonate individuals whose roles are authoritative because victims generally resist saying "no" to anyone in power.
A twist on impersonation is when an attacker impersonates someone in authority so that the victim asks him for information instead of the other way around. This is an excellent way by which an attacker can gain information because a deep level of trust has already been established. However, it requires a large amount of advance preparation and research by the attacker.
Phishing
One of the most common forms of social engineering is phishing. Phishing is sending an e-mail or displaying a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information. Users are asked to respond to an e-mail or are directed to a Web site where they are requested to update personal information, such as passwords, credit card numbers, Social Security numbers, bank account numbers, or other information. However, the Web site is actually an imposter site and is set up to steal what information the user enters.
The word phishing is a variation on the word "fishing," with the idea being that bait is thrown out knowing that while most will ignore it, some will bite.
One of the reasons that phishing succeeds is that the e-mails and the fake Web sites appear to be
legitimate. Figure 2-8 illustrates a Web site used in phishing. These messages contain the logos,
color schemes, and wording used by the legitimate site so that it is difficult to determine
that they are fraudulent.
The average phishing site only exists for 3.8 days to prevent law enforcement agencies from tracking the attackers. In that short period, a phishing attack can net over $50,000.[13]
Following are several variations on phishing attacks:
• Pharming. Instead of asking the user to visit a fraudulent Web site, pharming automatically redirects the user to the fake site. This can be accomplished by attackers penetrating the servers on the Internet that direct traffic.
• Spear phishing. Whereas phishing involves sending millions of generic e-mail messages to users, spear phishing targets only specific users. The e-mails used in spear phishing are customized to the recipients, including their names and personal information, in order to make the message appear legitimate. Because the volume of the e-mail in a spear phishing attack is much lower than in a regular phishing attack, spear phishing scams may be more difficult to detect.
• Whaling. One type of spear phishing is whaling. Instead of going after the "smaller fish," whaling targets the "big fish"; namely, wealthy individuals who typically would have larger sums of money in a bank account that an attacker could access. By focusing upon this smaller group, the attacker can invest more time in the attack and finely tune the message to achieve the highest likelihood of success.
• Vishing. Instead of using e-mail to contact the potential victim, a telephone call can be used instead. Known as vishing (voice phishing), an attacker calls a victim who, upon answering, hears a recorded message that pretends to be from the user's bank stating that their credit card has experienced fraudulent activity or that their bank account has had unusual activity. The victim is instructed to call a specific phone number immediately (which has been set up by the attacker). When the victim calls, the call is answered by automated instructions telling them to enter their credit card number, bank account number, Social Security number, or other information on the telephone's key pad.
It is estimated that between 15,000 and 20,000 new phishing attacks are launched each month.[14]
Figure 2-8 Phishing message
© Cengage Learning 2012
Because phishing involves social engineering to trick users into responding to an e-mail message or a recorded phone call, or into visiting a fake Web site, one of the first lines of defense is to train users to recognize these phishing attacks. Some of the ways to recognize these messages include:
• Deceptive Web links. A link to a Web site embedded in an e-mail should not have an @ sign in the middle of the address. Also, phishers like to use variations of a legitimate address, such as www.ebay_secure.com, www.ebay.com, or www.e-baynet.com. Users should never log on to a Web site from a link in an e-mail; instead, they should open a new browser window and type the legitimate address.
• Logos. Phishers often include the logo of the vendor and try to make the e-mail look like the vendor's Web site as a way to convince the recipient that the message is genuine. The presence of logos does not mean that the e-mail is legitimate.
• Fake sender's address. Because sender addresses can be forged easily, an e-mail message should not be trusted simply because the sender's e-mail address appears to be valid (such as tech_support@ebay.com). Also, an @ in the sender's address is a technique used to hide the real address.
• Urgent request. Many phishing e-mails try to encourage the recipient to act immediately or else their account will be deactivated.
Because phishing attacks can be deceptive to unsuspecting users, many organizations create regular reminders to users regarding phishing attacks. These reminders are in a "conversational" tone that makes the information easier to understand and remember. An example of a phishing reminder message is shown in Figure 2-9.
Figure 2-9 Legitimate phishing reminder message
© Cengage Learning 2012
Phishing is often used to validate e-mail addresses to ensure that the account exists. A phishing e-mail can display an image that has been retrieved from a Web site. When that image is requested, a unique code is used to link the image to the recipient's e-mail address, and the phisher then knows that the e-mail address is valid. That is the reason most e-mail clients today do not automatically display images that are received in e-mails.
Hands-On Project 2-4 shows how to use the Internet Explorer
SmartScreen phishing filter.
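The following added example (not from the textbook) turns the recognition points above into checks that a mail gateway or a user-training tool could run over a message: an @ sign inside a link address, a look-alike variation of a legitimate domain, an @ hidden in the sender's display name, and a remotely loaded image carrying a unique code that confirms the recipient's address. The domain allow-list, the indicator names, and the sample message are constructed for illustration; the look-alike test is a simple heuristic, not a complete one.

```python
"""Phishing-indicator checks for an e-mail message (added example, not from
the textbook). Flags an "@" inside a link address, look-alike variations of
a legitimate domain, an "@" in the sender's display name, and remotely loaded
images carrying a per-recipient code. Domains and the sample are constructed."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list: domains the organization treats as legitimate.
LEGITIMATE_DOMAINS = {"ebay.com"}


def registrable_domain(host):
    """Last two labels of a host name ("signin.ebay.com" -> "ebay.com").
    Enough for this example; production code would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host):
    """True when host borrows a legitimate brand name but is not that domain.
    Dots, hyphens and underscores are removed first, which catches the
    variations the chapter lists (www.ebay_secure.com, www.e-baynet.com)."""
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return False
    squashed = "".join(ch for ch in host.lower() if ch.isalnum())
    return any(d.split(".")[0] in squashed for d in LEGITIMATE_DOMAINS)


def check_link(url):
    """Return the indicator names that apply to one link target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return []
    findings = []
    # In "http://www.ebay.com@evil.example/" the browser connects to the host
    # after the "@"; the trusted-looking name before it is only user info.
    if "@" in parts.netloc:
        findings.append("userinfo-in-url")
    if is_lookalike(parts.hostname):
        findings.append("lookalike-domain")
    return findings


def check_image(attrs):
    """Flag a remotely loaded image that can confirm the address is live."""
    parts = urlsplit(attrs.get("src", ""))
    if parts.scheme not in ("http", "https"):
        return []
    # A query string or a 1x1 image is the usual carrier of the unique code.
    tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
    return ["tracking-image"] if parts.query or tiny else []


def check_sender(from_header):
    """An "@" inside the display name is used to hide the real address."""
    name, _addr = parseaddr(from_header)
    return ["at-sign-in-display-name"] if "@" in name else []


class _TagCollector(HTMLParser):
    """Collects <a href> targets and <img> attributes from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a)


def analyze(raw_message):
    """Map each indicator found to the evidence (header or URL) behind it."""
    msg = email.message_from_string(raw_message)
    report = {}

    def add(findings, evidence):
        for name in findings:
            report.setdefault(name, []).append(evidence)

    sender = msg.get("From", "")
    add(check_sender(sender), sender)
    collector = _TagCollector()
    collector.feed(msg.get_payload())  # single-part text/html body
    for url in collector.links:
        add(check_link(url), url)
    for img in collector.images:
        add(check_image(img), img["src"])
    return report


# Constructed sample message combining the indicators from the chapter.
SAMPLE_MESSAGE = """\
From: "tech_support@ebay.com" <mailer@bulk-send.example>
Subject: Urgent: your account will be deactivated
Content-Type: text/html

<html><body>
<a href="http://www.ebay.com@login.ebay_secure.com/verify">Sign in</a>
<a href="https://www.e-baynet.com/update">Update your details</a>
<a href="https://www.ebay.com/help">Help center</a>
<img src="http://img.bulk-send.example/o.gif?rcpt=7f3a9c" width="1" height="1">
</body></html>
"""
```

Running analyze(SAMPLE_MESSAGE) reports every indicator except for the genuine www.ebay.com link, which passes because its registrable domain is on the allow-list.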
Spam
The amount of spam, or unsolicited e-mail, continues to escalate. Not only does spam significantly reduce work productivity (one report estimates that spam e-mail, on average, costs U.S. organizations $874 per person annually in lost productivity),[15] it is also one of the primary vehicles for attackers to distribute viruses, keyloggers, Trojans, and other malware.
A variation of spam is spim, which targets instant messaging users instead of e-mail users.
The reason so many spam e-mail messages are sent that advertise drugs or distribute malware attachments is because sending spam is a lucrative business. It costs spammers next to nothing to send millions of spam e-mail messages daily. And even if they receive only a very small percentage of responses for those products, the spammers make a tremendous profit.
Consider the following costs involved for spamming:
• E-mail addresses. Spammers often build their own lists of e-mail addresses using special software that rapidly generates millions of random e-mail addresses from well-known Internet Service Providers (ISPs) and then sends messages to these addresses. Because an invalid e-mail account returns the message to the sender, the software can automatically delete the invalid accounts, leaving a list of valid e-mail addresses to send the actual spam. If a spammer wants to save time by purchasing a list of valid e-mail addresses, the cost is relatively inexpensive ($100 for 10 million addresses).
• Equipment and Internet connection. Spammers typically purchase an inexpensive laptop computer ($500) and rent a motel room with a high-speed Internet connection ($85 per day) as a base for launching attacks. Sometimes spammers actually lease time from other attackers ($40 per hour) to use a network of 10,000 to 100,000 infected computers to launch an attack.
The profit from spamming can be substantial. If a spammer in one day sent spam to 6 million
users for a product with a sale price of $50 that cost only $5 to make, and if only 0.001 percent
of the recipients responded and bought the product (a typical response rate), the spammer
would make over $270,000 in profit.
Text-based spam messages that include words such as "Viagra" or "investments" can easily be trapped by special filters that look for these words. Because of the increased use of these filters, spammers have turned to another approach for sending out their spam. Known as image spam, it uses graphical images of text in order to circumvent text-based filters. These spam messages often include nonsense text so that it appears the e-mail message is legitimate (an e-mail with no text can prompt the spam filter to block it). Figure 2-10 shows an example of an image spam.
In addition to sending a single graphical image, spammers also use other techniques. These include:
• GIF layering is an image spam divided into multiple images, much like a biology textbook that has transparent plastic overlays of the different parts of the human body. Each piece of the message is divided and then layered to create a complete and legible message, so that one spam e-mail could be made up of a dozen layered GIF images, as illustrated in Figure 2-11.
• Word splitting involves horizontally separating words so that they can still be read by the human eye. Word splitting is illustrated in Figure 2-12.
• Geometric variance uses "speckling" and different colors so that no two spam e-mails appear to be the same. Geometric variance is shown in Figure 2-13.
Hoaxes
Attackers can use hoaxes as a first step in an attack. A hoax is a false warning, often contained in an e-mail message claiming to come from the IT department. The hoax purports that there is a "really bad virus" circulating through the Internet and that the recipient should erase specific files or change security configurations (as well as forward the message to others). However, changing configurations could allow an attacker to compromise the system. Or, erasing files may make the computer unstable and the victim would then call the telephone number in the hoax e-mail message for help, which is actually the phone of the attacker.
[Figure 2-10 callouts: unsuspecting subject line ("Subject: U know what i think"), image, nonsense text]
Figure 2-10 Image spam
© Cengage Learning 2012
Physical Procedures
Just as some social engineering attacks rely on psychological manipulation, other attacks rely on physical acts. These attacks take advantage of user actions that can result in weak security. Two of the most common are dumpster diving and tailgating.
Dumpster Diving
Dumpster diving involves digging through trash receptacles to find information that can be useful in an attack. Table 2-5 lists the different items that can be retrieved, many of which appear to be useless, and how they can be used.
Tailgating
Organizations can invest tens of thousands of dollars to install specialized doors that only permit access to authorized users who possess a special card or who can enter a specific code. These automated access control systems are designed to restrict entry into an area. However, a weakness of these systems is that they cannot control how many people enter the building when access is allowed; once an authorized person opens the door, then virtually any number of individuals can follow behind and also enter the building or area. This is known as tailgating.
[Figure 2-11 callouts: the Figure 2-10 message split across six layers, labelled Image 1 through Image 6]
Figure 2-11 GIF layering
© Cengage Learning 2012
Figure 2-12 Word splitting
© Cengage Learning 2012
Figure 2-13 Geometric variance
© Cengage Learning 2012
Item retrieved: Why useful
Calendars: A calendar can reveal which employees are out of town at a particular time
Inexpensive computer hardware, such as USB flash drives or portable hard drives: These devices are often improperly disposed of and may contain valuable information
Memos: Seemingly unimportant memos can often provide small bits of useful information for an attacker who is building an impersonation
Organizational charts: These identify individuals within the organization who are in positions of authority
Phone directories: A phone directory can provide the names and telephone numbers of individuals in the organization to target or impersonate
Policy manuals: These may reveal the true level of security within the organization
System manuals: A system manual can tell an attacker the type of computer system that is being used so that other research can be conducted to pinpoint vulnerabilities
Table 2-5 Dumpster diving items and their usefulness
There are several ways in which tailgating may occur:
• A tailgater waits at the end of the sidewalk until an authorized user opens the door. She then calls out to him to "Please hold the door!" as she hurries up to the door. In most cases, good etiquette usually wins out over good security practices, and the door is held open for the tailgater.
• A tailgater waits near the outside of the door and then quickly enters once the authorized employee leaves the area. This technique is used most commonly during weekends and at night, when the actions of the more overt tailgater would be suspicious.
• A tailgater stands outside the door and waits until an employee exits the building. He then slips behind the person as he is walking away and grabs the door just before it closes to gain access to the building.
• An employee conspires with an unauthorized person to allow him to walk in with him through the open door (called piggybacking).
If an attacker cannot enter a building as a tailgater without raising suspicion, an alternative is to watch an individual entering the security code on a keypad. Known as shoulder surfing, it can be used in any setting in which a user "casually observes" someone entering an authorized code on a keypad, such as at a bank's automated teller machine (ATM).
Chapter Summary
• Malicious software (malware) is software that enters a computer system without the owner's knowledge or consent and includes a wide variety of damaging or annoying software. One way to classify malware is by its primary objective: spreading, concealing, or profiting. Spreading malware includes viruses and worms. A computer virus is malicious computer code that reproduces itself on the same computer. A virus first inserts itself into a computer file (a data file or program) and then looks to reproduce itself on the same computer as well as unload its malicious payload. A worm is a program that is designed to take advantage of a vulnerability in an application or an operating system in order to enter a system. Once the worm has exploited the vulnerability on one system, it immediately searches for another computer that has the same vulnerability.
• Concealing malware includes Trojans, rootkits, logic bombs, and backdoors. A Trojan is a program advertised as performing one activity, but actually does something else, either in addition to the advertised activity or as a substitute to it. A rootkit is a set of software tools used by an intruder to hide all traces of the malware. A logic bomb is computer code that lies dormant until it is triggered by a specific logical event, such as a certain date reached on the system calendar. A backdoor is access to a program or a service that circumvents normal security protections.
• Malware with a profit motive includes botnets, spyware, adware, and keyloggers. A computer under the remote control of an attacker is known as a zombie, and when many zombie computers are gathered into a logical computer network under the control of an attacker, this creates a botnet. Spyware is a general term used for software that gathers information without consent, thus violating the user's privacy and personal security. Adware is a software program that delivers advertising content in a manner that is unexpected and unwanted by the user. A keylogger, which can be either hardware-based or software-based, captures and stores each keystroke that a user types on the computer's keyboard. This information can be later retrieved by the attacker or secretly transmitted to a remote location.
• Social engineering is a means of gathering information for an attack by relying on the weaknesses of individuals. Social engineering attacks can involve psychological approaches as well as physical procedures. One of the most common forms of social engineering is phishing. Phishing is sending an e-mail, displaying a Web announcement, or recording a phone call that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information. Phishing is most often accomplished by sending spam, which is unsolicited e-mail that is annoying, disruptive, and can also pose a serious security risk. Social engineering impersonation means to create a fictitious character and then play out the role of that person on a victim.
• A hoax is a false warning. These often are contained in an e-mail message claiming to come from the IT department, which tricks a user into performing an action that can be exploited by an attacker.
• Another social engineering trick used by attackers is dumpster diving, which involves digging through trash receptacles to find information that can be useful in an attack. Organizations invest large sums of money to install specialized doors that only permit access to authorized users who possess a special card or who can enter a specific code, yet they do not always control how many people enter the building when access is allowed. Following an authorized person through an open door is known as tailgating. If an attacker cannot enter a building as a tailgater without raising suspicion, an alternative is to watch an individual entering the security code on a keypad. This is known as shoulder surfing, and it can be used in any setting in which a user spies on a person entering an authorized code on a keypad.
Key Terms
adware A software program that delivers advertising content in a manner that is
unexpected and unwanted by the user.
backdoor Software code that gives access to a program or a service that circumvents
normal security protections.
botnet A logical computer network of zombies under the control of an attacker.
computer virus (virus) A malicious computer code that, like its biological counterpart,
reproduces itself on the same computer.
dumpster diving The act of digging through trash receptacles to find information that can
be useful in an attack.
hoax A false warning.
impersonation An attack that creates a fictitious character and then plays out the role of
that person on a victim.
keylogger Captures and stores each keystroke that a user types on the computer's keyboard.
logic bomb Computer code that lies dormant until it is triggered by a specific logical event.
malware Software that enters a computer system without the user's knowledge or consent and then performs an unwanted, and usually harmful, action.
pharming A phishing attack that automatically redirects the user to a fake site.
phishing Sending an e-mail or displaying a Web announcement that falsely claims to be
from a legitimate enterprise in an attempt to trick the user into surrendering private
information.
rootkit A set of software tools used by an attacker to hide the actions or presence of other
types of malicious software.
shoulder surfing Watching an authorized user enter a security code on a keypad.
social engineering A means of gathering information for an attack by relying on the
weaknesses of individuals.
spam Unsolicited e-mail.
spear phishing A phishing attack that targets only specific users.
spim A variation of spam, which targets instant messaging users instead of e-mail users.
spyware A general term used to describe software that spies on users by gathering
information without consent, thus violating their privacy.
tailgating The act of unauthorized individuals entering a restricted-access building by
following an authorized user.
Trojan horse (Trojan) An executable program advertised as performing one activity, but
actually does something else (or it may perform both the advertised and malicious
activities).
vishing A phishing attack that uses a telephone call instead of using e-mail.
whaling A phishing attack that targets only wealthy individuals.
word splitting Horizontally separating words so that they can still be read by the
human eye.
worm A malicious program designed to take advantage of a vulnerability in an application or
an operating system in order to enter a computer and then self-replicate to other computers.
Review Questions
1. A _____ requires a user to transport it from one computer to another.
a. worm
b. rootkit
c. virus
d. Trojan
68 Chapter 2 Malware and Social Engineering Attacks
2. Each of the following is an action that a virus can take except _____.
a. transport itself through the network to another device
b. cause a computer to crash
c. erase files from a hard drive
d. make multiple copies of itself and consume all of the free space in a hard drive
3. Each of the following is a different type of computer virus except _____.
a. program virus
b. macro virus
c. remote virus
d. boot virus
4. Li downloads a program that prints coupons, but in the background it silently collects
her passwords. Li has actually downloaded a _____.
a. virus
b. worm
c. Trojan
d. logic bomb
5. To completely remove a rootkit from a computer, you should _____.
a. flash the ROM BIOS
b. erase and reinstall all files in the WINDOWS folder
c. expand the Master Boot Record
d. reformat the hard drive and reinstall the operating system
6. Each of the following could be a logic bomb except _____.
a. erase all data if John Smith's name is removed from the list of employees
b. reformat the hard drive three months after Susan Jones left the company
c. send spam e-mail to all users
d. if the company's stock price drops below $10, then credit Jeff Brown with 10
additional years of retirement credit.
7. _____ is an image spam that is divided into multiple images, and each piece of
the message is divided and then layered to create a complete and legible message.
a. Word splitting
b. Geometric variance
c. GIF layering
d. Split painting
8. _____ is a general term used for describing software that gathers information
without the user's consent.
a. Adware
b. Scrapeware
c. Pullware
d. Spyware
9. Each of the following is true regarding a keylogger except .
a. hardware keyloggers are installed between the keyboard connector and computer
keyboard or USB port
b. software keyloggers are easy to detect
c. keyloggers can be used to capture passwords, credit card numbers, or personal
information
d. software keyloggers can be designed to send captured information automatically
back to the attacker through the Internet
10. The preferred method today of bot herders for command and control of zombies is to
use _____.
a. Internet Relay Chat (IRC)
b. e-mail
c. Hypertext Transport Protocol (HTTP)
d. spam
11. Which of the following is a social engineering technique that uses flattery on a victim?
a. Conformity
b. Friendliness
c. Fear
d. Ingratiation
12. _____ sends phishing messages only to wealthy individuals.
a. Spear phishing
b. Target phishing
c. Microing
d. Whaling
13. _____ is unsolicited instant messaging.
a. Spam
b. Vishing
c. SMS Phishing (SMS-P)
d. Spim
14. Erin pretends to be a manager from another city and calls Nick to trick him into giving
her his password. What social engineering attack has Erin performed?
a. Aliasing
b. Luring
c. Impersonation
d. Duplicity
15. How can an attacker use a hoax?
a. A hoax could convince a user that a bad Trojan is circulating and that he should
change his security settings.
b. By sending out a hoax, an attacker can convince a user to read his e-mail more
often.
c. A user who receives multiple hoaxes could contact his supervisor for help.
d. Hoaxes are not used by attackers today.
16. Which of the following is not an item that could be retrieved through dumpster diving
that would provide useful information?
a. Calendars
b. Memos
c. Organizational charts
d. Books
17. _____ is following an authorized person through a secure door.
a. Tagging
b. Tailgating
c. Social Engineering Following (SEF)
d. Backpacking
18. Each of the following is a reason adware is scorned except _____.
a. it displays the attacker's programming skills
b. it displays objectionable content
c. it can cause a computer to crash or slow down
d. it can interfere with a user's productivity
19. An attacker who controls multiple zombies in a botnet is known as a _____.
a. zombie shepherd
b. rogue IRC
c. bot herder
d. cyberrobot
20. Observing someone entering a keypad code from a distance is known as _____.
a. shoulder surfing
b. piggybacking
c. spoofing
d. watching
Hands-On Projects
Project 2-1: Block a USB Drive
Malware can easily be spread from one computer to another by infected flash
drives. One of the methods for blocking a USB drive is to use third-party soft-
ware that can control USB device permissions. In this project, you will download
and install a software-based USB write blocker to prevent data from being writ-
ten to a USB device.
1. Open your Web browser and enter the URL www.irongeek.com/i.php?
page=security/thumbscrew-software-usb-write-blocker.
The location of content on the Internet such as this program may
change without warning. If you are no longer able to access the pro-
gram through the preceding URL, then use a search engine to search
for Irongeek Thumbscrew.
2. Click Download Thumbscrew.
3. When the File Download dialog box appears, click Save and follow the
instructions to save this file in a location such as your desktop or a folder
designated by your instructor. When the file finishes downloading, click
Open and extract the files in a location such as your desktop or a folder
designated by your instructor. Navigate to that location and double-click
Thumbscrew.exe and follow the default installation procedures.
4. After installation, notice that a new icon appears in the system tray in
the lower-right corner of the screen.
5. Insert a USB flash drive into the computer.
6. Navigate to a document on the computer.
7. Right-click the document and then select Send To.
8. Click the appropriate Removable Disk icon of the USB flash drive to
copy the file to the flash drive.
9. Now make the USB flash drive write protected so it cannot be written to.
Click the icon in the system tray.
10. Click Make the USB read only. Notice that a red circle now appears
over the icon to indicate that the flash drive is write protected.
11. Navigate to a document on the computer.
12. Right-click the document and then select Send To.
13. Click the appropriate Removable Disk icon of the USB flash drive to
copy the file to the flash drive. What happens?
14. Close all windows.
Project 2-2: Scan for Rootkits
In this project, you will download and install the Microsoft RootkitRevealer
tool to help detect the presence of a rootkit.
1. Open your Web browser and enter the URL www.microsoft.com/technet/
sysinternals/Security/RootkitRevealer.mspx.
The location of content on the Internet such as this program may change
without warning. If you are no longer able to access the program
through the preceding URL, then use a search engine to search for
RootkitRevealer.
2. Scroll to the bottom of the page and then click Download
RootkitRevealer (231 KB). When the File Download dialog box
appears, click Save and download the file to your desktop or another
location designated by your instructor.
3. When the download is complete, click Open to open the compressed
(.ZIP) file.
If you receive a warning that a Web site wants to open Web content
using the program, click Allow.
4. Click Extract all files to launch the Extraction Wizard. Follow the steps
in the wizard to extract all files to your desktop or another location
designated by your instructor.
5. Navigate to the location from which the files were extracted and start
the program by double-clicking RootkitRevealer.exe. If you receive an
Open File - Security Warning dialog box, click Run. Click Agree to the
RootkitRevealer License Agreements.
6. The RootkitRevealer screen will appear.
7. Click File and then Scan to begin a scan of the computer for a rootkit.
8. When completed, RootkitRevealer will display discrepancies between the
Windows registry keys (which are not always visible to specific types of
scans) and other parts of the registry. Any discrepancies that are found
do not necessarily indicate that a rootkit was detected.
9. Close all windows.
Project 2-3: Use a Software Keylogger
A keylogger program captures everything that a user enters on a computer
keyboard. In this project, you will download and use a software keylogger.
The purpose of this activity is to provide information regarding how
these programs function in order that adequate defenses can be
designed and implemented. These programs should never be used in
a malicious fashion against another user.
1. Open your Web browser and enter the URL:
download.cnet.com/Wolfeye-Keylogger/3000-2144_4-75222387.html
The location of content on the Internet such as this program may
change without warning. If you are no longer able to access the pro-
gram through the preceding URL, then use a search engine to search
for Wolfeye Keylogger.
2. Click Go To Download Page (Download.com).
3. Click Download Now.
4. When the File Download dialog box appears, click Save and follow the
instructions to save this file in a location such as your desktop or a
folder designated by your instructor. When the file finishes downloading,
click Run and follow the default installation procedures.
Some anti-virus software may detect that this program is malware. It
may be necessary to disable the anti-virus software temporarily in order
to download and run the application. Be sure to remember to restart
the anti-virus software when you are finished.
5. Extract Wolfeye Keylogger from the compressed .Zip file.
6. Navigate to the folder that contains Wolfeye Keylogger and double-click
Wolfeye.exe to launch the program.
This unregistered version of the program will only run for 10 minutes.
7. Under the category spy, check the following: enable logger to start/stop
with F12; keylogger; url logger.
8. Check screenshots and then change interval in minutes to 1.
9. Check make cam pictures and then change interval in minutes to 1.
10. Check stealth mode.
11. Click Start.
12. Spend several minutes performing normal activity. Create a document
and enter text, send an e-mail message, and open a Web page.
13. Now notice that Wolfeye Keylogger is cloaking itself so that it does not
appear to be running. Press the CTRL+ALT+DELETE keys and then
click Start Task Manager.
14. Click the Applications tab to see all of the programs that are currently
running. Does this program appear in this list? Why not?
15. Close the Windows Task Manager.
16. Press SHIFT+ALT+M and then click Stop to stop collecting data.
17. Now examine what the keylogger captured. Under control, click open
key logs to view the text that you have typed.
18. Click open url logs to view the addresses of the Web pages that you have
visited.
19. Click open screenshot folder to see screen captures of your computer taken
every 60 seconds.
20. Click open cam pic folder. If you have a webcam on your computer, it
will display pictures taken by the webcam.
21. To erase the information, click clear key logs, clear url logs, clear
screenshot folder, and clear cam pic folder.
22. Close Wolfeye Keylogger.
23. Close all windows.
Project 2-4: Use the Internet Explorer SmartScreen Filter
Phishers create fake, or spoofed, Web sites to look like a well-known
branded site such as ebay.com or citibank.com with a slightly different or
confusing URL. Microsoft Internet Explorer (IE) 9 contains a built-in
phishing filter as part of its SmartScreen filter. This filter operates in the
background as users browse the Internet and analyzes Web pages to deter-
mine if they contain any characteristics that might be suspicious. If IE dis-
covers a suspicious Web page, it will display a yellow warning to advise
the user to proceed with caution. In addition, the filter checks sites against
a list of known phishing sites that is regularly updated. If a user attempts
to access a known phishing site, the filter will display a red warning notify-
ing the user that the site has been blocked. In this project, you will explore
the uses of the IE phishing filter.
1. Launch Microsoft Internet Explorer 9.
2. First check that the phishing filter is turned on. Click the Tools icon, and
then click Safety.
3. If necessary, click Turn On SmartScreen Filter.
4. In the Microsoft SmartScreen Filter dialog box, click Turn on
SmartScreen Filter (recommended) and then click OK.
5. Go to the Web site www.course.com.
6. Click the Tools icon, click Safety, click SmartScreen Filter, and then
click Check This Website. What information appears?
7. Close all windows.
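The two verdicts the project describes, a red block for a host on the known-phishing list and a yellow caution for a page with suspicious characteristics, can be reproduced in a small checker. The Python program below is an added example for this project; it is not Internet Explorer's code and is not from the textbook. Its brand list, its blocklist and the URLs it checks are constructed for illustration, and it simplifies domain parsing to the last two labels where a real filter would use the Public Suffix List and a regularly updated blocklist feed. The heuristics go slightly beyond the text: besides the brand name appearing in the wrong part of a URL, it flags one-character lookalike domains, raw IP hosts and credentials placed before an "@".

```python
"""Phishing URL check modelled on the SmartScreen Filter behaviour in this
project: red when the host is on the known-phishing list, yellow when the
URL shows characteristics of a spoofed brand site, green otherwise.

Added example for this project; it is not Internet Explorer's code and not
from the textbook. The brand list, the blocklist and the checked URLs are
constructed for illustration.
"""

import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed: brands the checker protects, as registrable domains.
PROTECTED_BRANDS = ("citibank.com", "ebay.com", "paypal.com")

# Constructed stand-in for the regularly updated known-phishing list.
KNOWN_PHISHING_HOSTS = {"secure-login-ebay.example.net"}


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    # Simplification: the last two labels. The Public Suffix List is needed
    # to handle multi-label suffixes such as co.uk correctly.
    labels = host.split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return (verdict, reasons) with verdict in {"red", "yellow", "green"}."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host in KNOWN_PHISHING_HOSTS:
        return "red", ["host is on the known-phishing list"]

    reasons = []
    if is_ip(host):
        reasons.append("host is a raw IP address rather than a domain name")
        domain = host
    else:
        domain = registrable_domain(host)
    if parts.username is not None:
        reasons.append("URL contains '@': the text before it is a username, not the host")

    if domain not in PROTECTED_BRANDS:
        # Places a phisher puts the brand name to mislead the eye while the
        # real destination is decided by the registrable domain alone.
        decoy_text = " ".join([host, parts.username or "", unquote(parts.path).lower()])
        label = domain.split(".")[0]
        for brand in PROTECTED_BRANDS:
            name = brand.split(".")[0]
            if name in decoy_text:
                reasons.append(f"'{name}' appears in the URL but the site is '{domain}'")
            elif edit_distance(label, name) == 1:
                reasons.append(f"'{label}' is one character away from '{name}'")
    return ("yellow", reasons) if reasons else ("green", [])


if __name__ == "__main__":
    # Constructed sample URLs covering each verdict.
    for u in ("https://www.course.com/",
              "https://www.ebay.com/itm/1",
              "https://secure-login-ebay.example.net/signin",
              "http://www.ebay.com@evil.example.net/",
              "http://signin.ebay.com.account-verify.example/",
              "http://c1tibank.com/login",
              "http://192.0.2.10/paypal/login"):
        verdict, why = check_url(u)
        print(verdict.upper(), u, *why, sep="\n  ")
```

A genuine brand page such as www.ebay.com skips the lookalike checks entirely, since the registrable domain is the brand itself; every other host is compared against the brand list, which is how "ebay.com" buried in a subdomain or before an "@" is caught even though it looks right at a glance.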
Case Projects
Case Project 2-1: Researching Virus Attacks
Although viruses seldom receive the attention that they have in the past, they
still pose a deadly threat to users. Use the Internet to search for the latest
information regarding current viruses. You may want to visit security vendor
sites, like Symantec or McAfee, or security research sites such as sans.org to
find the latest information. What are the latest attacks? What type of damage
can they do? What platforms are the most vulnerable? Write a one-page paper
on your research.
Case Project 2-2: Researching Social Engineering
Use the Internet to research information about social engineering. What is
social engineering? How are organizations at risk from it? How are attackers
able to pull off their tricks? What are the reasons people fall for social engi-
neering techniques? What can be done about it? Write a one-page paper on
your research.
Case Project 2-3: Fighting Spam
Several new weapons have been proposed to help fight spam. What are these
new technologies? Use the Internet to research new technologies to fight
against spam. How likely in your opinion would they be successful? What are
the barriers to implementation? What solution would you suggest to reduce
spam? Write a one-page paper on your research.
Case Project 2-4: Defining Spyware
Harmful spyware is not always easy to identify. This is because not all
software that performs one of the functions listed is necessarily spyware.
With the proper notice, consent, and control, some of these same technolo-
gies can provide valuable benefits. For example, monitoring tools can help
parents keep track of the online activities of their children, and remote-
control features allow support technicians to remotely diagnose computer
problems. Organizations that distribute software that performs these func-
tions are considered legitimate businesses. Organizations that cause pop-up
advertisements to appear on Web pages likewise consider themselves to be
legitimate. Whereas there is no question about the creators of a virus per-
forming a malicious act, the line between legitimate businesses that use
spyware-like technology and malicious spyware operators is sometimes
blurred. This makes it difficult to pinpoint the perpetrators of malicious
spyware and to defend against them. How would you differentiate between
malicious spyware and legitimate spyware? Create a checklist of items
that would identify software as either malicious or legitimate. Now use
the Internet to locate three examples of legitimate spyware and then
apply your checklist to them. Did your checklist accurately identify these
examples as legitimate spyware? Why or why not? Write a one-page paper
about your results.
Case Project 2-5: Comparing Keyloggers
Use the Internet to research different keyloggers. Create a table that lists five
different hardware keyloggers, their available memory, specific features, and
their cost. Then create another table of five different software keyloggers with
their features. Are you surprised at the functionality of these devices? Write a
summary of your findings.
Case Project 2-6: Community Site Activity
The Information Security Community Site is an online community and informa-
tion security course enrichment site sponsored by Course Technology/Cengage
Learning. It contains a wide variety of tools, information, discussion boards,
and other features to assist learners. Go to community.cengage.com/infosec.
Sign in with the login name and password that you created in Chapter 1. Visit
the Discussions section and go to Security+ 4e Case Projects. Select the appropri-
ate case project, then read the following case study.
An auditor was hired to determine if he could gain access to the network serv-
ers of a printing company that contained important proprietary information.
The chief executive officer (CEO) of the printing company boldly proclaimed
that breaking into the servers by the auditor would be next to impossible
because the CEO "guarded his secrets with his life." The auditor was able to
gather information about the servers, such as the locations of the servers in dif-
ferent printing plants and their IP addresses, along with employee names and
titles, their e-mail addresses, phone numbers, physical addresses, and other
information.
The auditor also learned that the CEO had a family member who had battled
through cancer and lived. As a result, the CEO became involved in cancer fund-
raising. By viewing the CEO's entry on Facebook, he was also able to determine
his favorite restaurant and sports team.
The auditor then called the CEO and impersonated a fundraiser from a cancer
charity with which the CEO had been involved. The auditor said that those
individuals who made donations to this years charity event would be entered
into a drawing for prizes, which included tickets to a game played by the
CEO's favorite sports team and gift certificates to area restaurants, one of
which was the CEO's favorite.
After stoking the interest of the CEO in the fake charity event, the auditor said
that he would e-mail him a PDF document that contained more information.
When the CEO received the attachment he opened it, and a backdoor was
installed on his computer without his knowledge. The auditor was then able
to retrieve the company's sensitive material. (When the CEO was later informed
of what happened, he called it "unfair"; the auditor responded by saying,
"A malicious hacker would not think twice about using that information
against you.")
Now pretend that you are an employee of that company and that it is your
job to speak with the CEO about the security breach. What would you say to
him? Why? What recommendations would you make for training and aware-
ness for the company? Enter your answers on the Information Security Com-
munity Site discussion board.
Case Project 2-7: Bay Ridge Security Consulting
Bay Ridge Security Consulting (BRSC) provides security consulting services to
a wide range of businesses, individuals, schools, and organizations. Because of
its reputation and increasing demand for its services, BRSC has partnered with
a local school to hire students close to graduation to assist them on specific pro-
jects. This not only helps BRSC with their projects but also provides real-world
experience to students who are interested in the security field.
Max Seven is a new company created by a group of recent college graduates
that promises to have any printing job completed within seven business hours.
Max Seven currently has 15 locations across the city. Because they must accept
e-mail attachments from customers, several of their locations have been the
victims of recent attacks. This has resulted in the loss of other customers'
documents as well as significant downtime. Because Max Seven is a startup
company that is growing rapidly, it does not have an established IT depart-
ment. Max Seven has asked BRSC for assistance. Because you are close to
completing your degree, BRSC has asked you help with a presentation to Max
Seven.
1. Create a PowerPoint presentation that lists 10 different types of
malware and defines each type in detail regarding what the malware
can do, how it spreads, its dangers, and so on. Your presentation should
contain at least 10 slides.
2. After the presentation, one of Max Seven's marketing employees
responded that Max Seven has a contract with a third party to display
pop-up advertisements on users' computers, and he does not think that
adware is malware. BRSC would like you to respond in written form
with more information about adware and give your opinion on whether
adware is malware. Create a memo to Max Seven that is at least one
page in length.
References
1. Messmer, Ellen, "MPack, NeoSploit and Zeus top most notorious Web attack toolkit
list," Network World, Jan. 18, 2011, accessed Mar. 3, 2011, http://www.network
world.com/news/2011/011811-zeus-spyeye-symantec-malware-security.html.
2. Corrons, Luis, "PandaLabs Annual Report 2010," PandaLabs Blog, Jan. 5, 2011,
accessed Mar. 3, 2011, http://pandalabs.pandasecurity.com/.
3. "The First Computer Virus," accessed Mar. 3, 2011, http://www.worldhistorysite.com/
virus.html.
4. Cluley, Graham, "Fannie Mae worker accused of planting malware timebomb,"
Naked Security Sophos Blog, accessed Mar. 3, 2011, http://nakedsecurity.sophos.com/
2009/01/29/fannie-mae-worker-accused-planting-malware-timebomb/.
5. "History and Milestones," About RSA Conference, accessed Mar. 3, 2011, http://
www.rsaconference.com/about-rsa-conference/history-and-milestones.htm.
6. "Logic Bombs," Computer Knowledge, accessed Mar. 3, 2011, http://www.cknow
.com/cms/vtutor/logic-bombs.html.
7. Vijayan, Jaikumar, "Unix Admin Pleads Guilty to Planting Logic Bomb," Computer-
world, Sep. 21, 2007, accessed Mar. 3, 2011, http://www.pcworld.com/article/137479/
unix_admin_pleads_guilty_to_planting_logic_bomb.html.
8. Sanders, Tom, "Botnet operation controlled 1.5m PCs," V3.CO.UK, Oct. 21, 2005,
accessed Mar. 3, 2011, http://www.v3.co.uk/vnunet/news/2144375/botnet-operation-
ruled-million.
9. Weber, Tim, "Criminals may overwhelm the Web," BBC News, Jan. 25, 2007,
accessed Mar. 3, 2011, http://news.bbc.co.uk/2/hi/business/6298641.stm.
10. Kassner, Michael, "The top 10 spam botnets: New and improved," Tech Republic,
Feb. 25, 2010, accessed Mar. 3, 2011, http://www.techrepublic.com/blog/10things/the-
top-10-spam-botnets-new-and-improved/1373.
11. "Anti-Spyware Coalition Definitions Document," Anti-Spyware Coalition, Nov.
12, 2007, accessed Mar. 3, 2011, http://www.antispywarecoalition.org/documents/
definitions.htm.
12. Granger, Sarah, "Social Engineering Fundamentals, Part 1: Hacker Tactics," Symantec,
Dec. 18, 2001, accessed Mar. 3, 2011, http://www.symantec.com/connect/articles/
social-engineering-fundamentals-part-i-hacker-tactics.
13. Danchev, Dancho, "Average Online Time for Phishing Sites," Dancho Danchev's
Blog - Mind Streams of Information Security Knowledge, July 31, 2007, accessed
Mar. 3, 2011, http://ddanchev.blogspot.com/2007/07/average-online-time-for-phishing-
sites.html.
14. "RSA Online Fraud Report," July 2010, accessed Mar. 3, 2011, http://www.rsa.com/
solutions/consumer_authentication/intelreport/11047_Online_Fraud_report_0710.pdf.
15. "Spam costs US employers an average of $874 per employee per year," OUT-LAW
News, Feb. 7, 2003, accessed Mar. 3, 2011, http://www.out-law.com/page-3688.
chapter 3
Application and Network Attacks
After completing this chapter, you will be able to
do the following:
List and explain the different types of Web application attacks
Define client-side attacks
Explain how a buffer overflow attack works
List different types of denial of service attacks
Describe interception and poisoning attacks