CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition. Mark Ciampa. (PDF, 724 pages)
CompTIA Security+ SY0-401 Examination Objectives

Objective | Chapters

1.0: Network Security
1.1 Implement security configuration parameters on network devices and other technologies | 7
1.2 Given a scenario, use secure network administration principles | 7, 8, 11, 15
1.3 Explain network design elements and components | 7, 8
1.4 Given a scenario, implement common protocols and services | 6, 7, 8, 15
1.5 Given a scenario, troubleshoot security issues related to wireless networking | 9

2.0: Compliance and Operational Security
2.1 Explain the importance of risk related concepts | 1, 8, 11, 13, 14
2.2 Summarize the security implications of integrating systems and data with third parties | 15
2.3 Given a scenario, implement appropriate risk mitigation strategies | 4, 14
2.4 Given a scenario, implement basic forensic procedures | 13
2.5 Summarize common incident response procedures | 13
2.6 Explain the importance of security related awareness and training | 14
2.7 Compare and contrast physical security and environmental controls | 4, 12, 13
2.8 Summarize risk management best practices | 13
2.9 Given a scenario, select the appropriate control to meet the goals of security | 4, 15

3.0: Threats and Vulnerabilities
3.1 Explain types of malware | 2
3.2 Summarize various types of attacks | 1, 2, 3, 12, 15
3.3 Summarize social engineering attacks and the associated effectiveness with each attack | 2
3.4 Explain types of wireless attacks | 9
3.5 Explain types of application attacks | 3, 11
3.6 Analyze a scenario and select the appropriate type of mitigation and deterrent techniques | 4, 7, 8, 15
3.7 Given a scenario, use appropriate tools and techniques to discover security threats and vulnerabilities | 15
3.8 Explain the proper use of penetration testing versus vulnerability scanning | 15

4.0: Application, Data and Host Security
4.1 Explain the importance of application security controls and techniques | 4
4.2 Summarize mobile security concepts and technologies | 10, 12, 13, 14
4.3 Given a scenario, select the appropriate solution to establish host security | 4, 7, 8
4.4 Implement the appropriate controls to ensure data security | 4, 5, 8, 11, 14
4.5 Compare and contrast alternative methods to mitigate security risks in static environments | 4

5.0: Access Control and Identity Management
5.1 Compare and contrast the function and purpose of authentication services | 11
5.2 Given a scenario, select the appropriate authentication, authorization or access control | 9, 11, 12
5.3 Install and configure security controls when performing account management, based on best practices | 11, 12

6.0: Cryptography
6.1 Given a scenario, utilize general cryptography concepts | 5, 6
6.2 Given a scenario, use appropriate cryptographic methods | 5, 6, 9
6.3 Given a scenario, use appropriate PKI, certificate management and associated components | 6
Copyright 2015 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
This book is intended to be sold with access codes. If this book does not contain access codes, you are not getting the full value of your purchase.

If the access codes in this book are missing or if the package containing them has been opened, this book is not returnable.

By opening and breaking the seal of this package, you are agreeing to be bound by the following agreement:

The software included with this product may be copyrighted, in which case all rights are reserved by the respective copyright holder. You are licensed to use software copyrighted by the Publisher and its licenser on a single computer. You may copy and/or modify the software as needed to facilitate your use of it in a single computer. Making copies of the software for any other purpose is a violation of the United States copyright laws.

This software is sold as is without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. Neither the publisher nor its dealers or distributors assume any liability for any alleged or actual damages arising from the use of this program. (Some states do not allow for the excusing of implied warranties, so the exclusion may not apply to you.)
CompTIA® Security+
Guide to Network
Security Fundamentals
Fifth Edition
Mark Ciampa, Ph.D.
Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States
This is an electronic version of the print textbook. Due to electronic rights restrictions, some third party content may be suppressed. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. The publisher reserves the right to remove content from this title at any time if subsequent rights restrictions require it. For valuable information on pricing, previous editions, changes to current editions, and alternate formats, please visit www.cengage.com/highered to search by ISBN#, author, title, or keyword for materials in your areas of interest.
CompTIA® Security+ Guide to Network
Security Fundamentals, Fifth Edition
Mark Ciampa, Ph.D.
Senior Vice President, GM Skills & Global Product Management: Dawn Gerrain
Product Director: Kathleen McMahon
Product Manager: Nick Lombardi
Senior Director, Development: Marah Bellegarde
Product Development Manager: Leigh Hefferon
Managing Content Developer: Emma Newsom
© 2015, 2012, Cengage Learning
WCN: 02-200-203
ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

The CompTIA Marks are the proprietary trademarks and/or service marks of CompTIA Properties, LLC used under license from CompTIA Certifications, LLC through participation in the CompTIA Authorized Partner Program. More information about the program can be found at: http://www.comptia.org/certifications/capp/login.aspx
Senior Content Developer: Michelle Ruelos Cannistraci
Developmental Editor: Deb Kaufmann
Product Assistant: Scott Finger
Marketing Manager: Eric LaScola
Senior Director, Production: Wendy A. Troeger
Production Director: Patty Stephan
Senior Content Project Manager: Kara A. DiCaterino
Art Director: GEX
Cover and Interior Design Images: ©Sergey Nivens/Shutterstock.com

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706

For permission to use material from this text or product, submit all requests online at cengage.com/permissions

Further permissions questions can be emailed to permissionrequest@cengage.com
Library of Congress Control Number: 2014940611
Book Only ISBN: 978-1-305-09394-2
Package ISBN: 978-1-305-09391-1
Cengage Learning
20 Channel Center Street
Boston, MA 02210
USA
Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: www.cengage.com/global

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

To learn more about Cengage Learning, visit www.cengage.com

Purchase any of our products at your local college store or at our preferred online store www.cengagebrain.com
Notice to the Reader
Publisher does not warrant or guarantee any of the products described herein or perform any independent analysis in connection with any of the product information contained herein. Publisher does not assume, and expressly disclaims, any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all potential hazards. By following the instructions contained herein, the reader willingly assumes all risks in connection with such instructions. The publisher makes no representations or warranties of any kind, including but not limited to, the warranties of fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth herein, and the publisher takes no responsibility with respect to such material. The publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or part, from the readers’ use of, or reliance upon, this material.
Printed in the United States of America
Print Number: 01 Print Year: 2014
Brief Contents (page numbers in parentheses)

INTRODUCTION (xiii)
CHAPTER 1  Introduction to Security (1)

PART I  Threats (47)
CHAPTER 2  Malware and Social Engineering Attacks (49)
CHAPTER 3  Application and Networking-Based Attacks (91)

PART II  Application, Data, and Host Security (135)
CHAPTER 4  Host, Application, and Data Security (137)

PART III  Cryptography (181)
CHAPTER 5  Basic Cryptography (183)
CHAPTER 6  Advanced Cryptography (227)

PART IV  Network Security (267)
CHAPTER 7  Network Security Fundamentals (269)
CHAPTER 8  Administering a Secure Network (311)

PART V  Mobile Security (357)
CHAPTER 9  Wireless Network Security (359)
CHAPTER 10  Mobile Device Security (403)
PART VI  Access Control and Identity Management (439)
CHAPTER 11  Access Control Fundamentals (441)
CHAPTER 12  Authentication and Account Management (477)

PART VII  Compliance and Operational Security (521)
CHAPTER 13  Business Continuity (523)
CHAPTER 14  Risk Mitigation (565)
CHAPTER 15  Vulnerability Assessment (605)

APPENDIX A  CompTIA SY0-401 Certification Exam Objectives (645)
APPENDIX B  Downloads and Tools for Hands-On Projects (663)
APPENDIX C  Security Websites (665)
APPENDIX D  Selected TCP/IP Ports and Their Threats (669)
APPENDIX E  Information Security Community Site (673)
GLOSSARY (675)
INDEX (685)
Table of Contents (page numbers in parentheses)

INTRODUCTION (xiii)

CHAPTER 1  Introduction to Security (1)
    Challenges of Securing Information (5)
        Today’s Security Attacks (5)
        Difficulties in Defending Against Attacks (8)
    What Is Information Security? (11)
        Understanding Security (11)
        Defining Information Security (13)
        Information Security Terminology (14)
        Understanding the Importance of Information Security (17)
    Who Are the Attackers? (21)
        Cybercriminals (21)
        Script Kiddies (22)
        Brokers (23)
        Insiders (23)
        Cyberterrorists (24)
        Hactivists (24)
        State-Sponsored Attackers (24)
    Attacks and Defenses (25)
        Steps of an Attack (26)
        Defenses Against Attacks (27)
    Chapter Summary (30)
    Key Terms (30)
    Review Questions (32)
    Hands-On Projects (35)
    Case Projects (41)
    References (43)

PART I  Threats (47)

CHAPTER 2  Malware and Social Engineering Attacks (49)
    Attacks Using Malware (51)
        Circulation/Infection (53)
        Concealment (58)
        Payload Capabilities (59)
    Social Engineering Attacks (66)
        Psychological Approaches (67)
        Physical Procedures (73)
    Chapter Summary (74)
    Key Terms (76)
    Review Questions (78)
    Hands-On Projects (81)
    Case Projects (86)
    References (90)

CHAPTER 3  Application and Networking-Based Attacks (91)
    Application Attacks (93)
        Server-Side Web Application Attacks (94)
        Client-Side Application Attacks (101)
        Impartial Overflow Attacks (107)
    Networking-Based Attacks (109)
        Denial of Service (DoS) (109)
        Interception (111)
        Poisoning (113)
        Attacks on Access Rights (117)
    Chapter Summary (118)
    Key Terms (120)
    Review Questions (122)
    Hands-On Projects (125)
    Case Projects (132)

PART II  Application, Data, and Host Security (135)

CHAPTER 4  Host, Application, and Data Security (137)
    Securing the Host (139)
        Securing Devices (139)
        Securing the Operating System Software (148)
        Securing with Antimalware (153)
    Securing Static Environments (155)
    Application Security (157)
        Application Development Security (157)
        Application Hardening and Patch Management (160)
    Securing Data (161)
    Chapter Summary (164)
    Key Terms (166)
    Review Questions (168)
    Hands-On Projects (172)
    Case Projects (177)
    References (179)
PART III  Cryptography (181)
CHAPTER 5  Basic Cryptography (183)
    Defining Cryptography (185)
        What Is Cryptography? (186)
        Cryptography and Security (187)
    Cryptographic Algorithms (189)
        Hash Algorithms (190)
        Symmetric Cryptographic Algorithms (194)
        Asymmetric Cryptographic Algorithms (199)
    Using Cryptography (206)
        Encryption Through Software (206)
        Hardware Encryption (208)
    Chapter Summary (209)
    Key Terms (211)
    Review Questions (213)
    Hands-On Projects (216)
    Case Projects (224)
    References (226)

CHAPTER 6  Advanced Cryptography (227)
    Digital Certificates (229)
        Defining Digital Certificates (230)
        Managing Digital Certificates (231)
        Types of Digital Certificates (235)
    Public Key Infrastructure (PKI) (240)
        What Is Public Key Infrastructure (PKI)? (240)
        Public Key Cryptography Standards (PKCS) (240)
        Trust Models (240)
        Managing PKI (244)
    Key Management (246)
        Key Storage (246)
        Key Usage (247)
        Key Handling Procedures (247)
    Cryptographic Transport Protocols (249)
        Secure Sockets Layer (SSL) (249)
        Transport Layer Security (TLS) (249)
        Secure Shell (SSH) (250)
        Hypertext Transport Protocol Secure (HTTPS) (251)
        IP Security (IPsec) (251)
    Chapter Summary (253)
    Key Terms (254)
    Review Questions (255)
    Hands-On Projects (258)
    Case Projects (264)
    References (265)
Copyright 2015 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
viii
Table of Contents
PART IV
Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
CHAPTER 7
Network Security Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Security Through Network Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Standard Network Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Network Security Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Security Through Network Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Network Access Control (NAC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Security Through Network Design Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Demilitarized Zone (DMZ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Subnetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Virtual LANs (VLANs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
CHAPTER 8
Administering a Secure Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Common Network Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Internet Control Message Protocol (ICMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Simple Network Management Protocol (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Domain Name System (DNS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
File Transfer Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Storage Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
NetBIOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Network Administration Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Device Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Monitoring and Analyzing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Network Design Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Securing Network Applications and Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
IP Telephony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Cloud Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
PART V
Mobile Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
CHAPTER 9
Wireless Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Wireless Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Bluetooth Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Near Field Communication (NFC) Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Wireless Local Area Network (WLAN) Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Vulnerabilities of IEEE Wireless Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Wired Equivalent Privacy (WEP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Wi-Fi Protected Setup (WPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
MAC Address Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Disabling SSID Broadcasts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Wireless Security Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Wi-Fi Protected Access (WPA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Wi-Fi Protected Access 2 (WPA2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Additional Wireless Security Protections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
CHAPTER 10
Mobile Device Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Types of Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Portable Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Tablets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Smartphones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Wearable Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Legacy Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Mobile Device Removable Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Mobile Device Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Limited Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Connecting to Public Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Location Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Installing Unsecured Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Accessing Untrusted Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Bring Your Own Device (BYOD) Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Securing Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Device Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Device and App Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Device Loss or Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Mobile Device App Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
BYOD Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
PART VI
Access Control and Identity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
CHAPTER 11
Access Control Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
What Is Access Control? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Access Control Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Best Practices for Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Implementing Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Group Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Account Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Terminal Access Controller Access Control System (TACACS) . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Lightweight Directory Access Protocol (LDAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Security Assertion Markup Language (SAML) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
CHAPTER 12
Authentication and Account Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Authentication Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
What You Know: Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
What You Have: Tokens, Cards, and Cell Phones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
What You Are: Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
What You Do: Behavioral Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Where You Are: Geolocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Microsoft Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
OpenID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Open Authorization (OAuth) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Account Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
PART VII
Compliance and Operational Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
CHAPTER 13
Business Continuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
What Is Business Continuity? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Disaster Recovery Plan (DRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Redundancy and Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Data Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Environmental Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Fire Suppression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Electromagnetic Interference (EMI) Shielding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
HVAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Incident Response Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
CHAPTER 14
Risk Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Controlling Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Privilege Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Change Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Incident Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Risk Calculation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Reducing Risk Through Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
What Is a Security Policy? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Balancing Trust and Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Designing a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Types of Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Awareness and Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
User Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Threat Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Training Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
CHAPTER 15
Vulnerability Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Assessing Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
What Is Vulnerability Assessment? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Assessment Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Assessment Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Vulnerability Scanning vs. Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Vulnerability Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Third-Party Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Mitigating and Deterring Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Creating a Security Posture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Selecting Appropriate Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Configuring Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
APPENDIX A
CompTIA SY0-401 Certification Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
APPENDIX B
Downloads and Tools for Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
APPENDIX C
Security Websites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
APPENDIX D
Selected TCP/IP Ports and Their Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
APPENDIX E
Information Security Community Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
Introduction
The number one concern of computer professionals today continues to be information security, and with good reason. Consider the evidence: a computer cluster for cracking passwords can generate 350 billion password guesses per second against fast, unsalted password hashes and could exhaust every eight-character password in a maximum of 5.5 hours. Internet web servers must resist thousands of attacks every day, and an unprotected computer connected to the Internet can be infected in fewer than 60 seconds. From 2005 through early 2014, more than 666 million electronic data records in the U.S. had been breached, exposing to attackers a range of personal electronic data, such as addresses, Social Security numbers, health records, and credit card numbers.[i] Attackers who penetrated the network of a credit card processing company that handles prepaid debit cards manipulated the balances and limits on just five prepaid cards. These cards were then used to withdraw almost $5 million in cash from automated teller machines (ATMs) in one month.
As attacks continue to escalate, the need for trained security personnel also increases. According to the U.S. Bureau of Labor Statistics (BLS) "Occupational Outlook Handbook," the job outlook for information security analysts through the end of the decade is expected to grow by 22 percent, faster than the average growth rate. The increase in employment will add 65,700 positions to the more than 300,000 already in this field.[ii] And unlike some information technology (IT) positions, security is rarely offshored or outsourced: because security is such a critical element in an organization, security positions generally remain within the organization. In addition, security jobs typically do not involve "on-the-job training" where employees can learn as they go; the risk is simply too great. IT employers want and pay a premium for certified security personnel.
To verify security competency, a vast majority of organizations use the Computing Technology Industry Association (CompTIA) Security+ certification, a vendor-neutral credential. Security+ is one of the most widely recognized security certifications and has become the security foundation for today’s IT professionals. It is internationally recognized as validating a foundation level of security skills and knowledge. A successful Security+ candidate has the knowledge and skills required to identify risks and participate in risk mitigation activities; provide infrastructure, application, operational, and information security; apply security controls to maintain confidentiality, integrity, and availability; identify appropriate technologies and products; troubleshoot security events and incidents; and operate with an awareness of applicable policies, laws, and regulations.
CompTIA® Security+ Guide to Network Security Fundamentals, Fifth Edition is designed to equip learners with the knowledge and skills needed to be secure IT professionals. Yet it is more than merely an “exam prep” book. While teaching the fundamentals of information security by using the CompTIA Security+ exam objectives as its framework, it takes an in-depth and comprehensive view of security by examining the attacks that are launched against networks and computer systems, the necessary defense mechanisms, and even offers end-user practical tools, tips, and techniques to counter attackers.
CompTIA® Security+ Guide to Network Security Fundamentals, Fifth Edition is a valuable tool for those who want to learn about security and who desire to enter the field of information security by providing the foundation that will help prepare for the CompTIA Security+ certification exam.
Intended Audience
This book is designed to meet the needs of students and professionals who want to master basic information security. A fundamental knowledge of computers and networks is all that is required to use this book. Those seeking to pass the CompTIA Security+ certification exam will find the text’s approach and content especially helpful; all Security+ SY0-401 exam objectives are covered in the text (see Appendix A). CompTIA® Security+ Guide to Network Security Fundamentals, Fifth Edition covers all aspects of network and computer security while satisfying the Security+ objectives.
The book’s pedagogical features are designed to provide a truly interactive learning experience to help prepare you for the challenges of network and computer security. In addition to the information presented in the text, each chapter includes Hands-On Projects that guide you through implementing practical hardware, software, network, and Internet security configurations step by step. Each chapter also contains case studies that place you in the role of problem solver, requiring you to apply concepts presented in the chapter to achieve successful solutions.
Chapter Descriptions
Here is a summary of the topics covered in each chapter of this book:
Chapter 1, “Introduction to Security,” introduces the network security fundamentals that form the basis of the Security+ certification. It begins by examining the current challenges in computer security and why security is so difficult to achieve. It then defines information security in detail and explores why it is important. Finally, the chapter looks at the fundamental attacks, including who is responsible for them, and defenses.
Chapter 2, “Malware and Social Engineering Attacks,” examines attacks that use different types of malware, such as viruses, worms, Trojans, and botnets. It also looks at the different types of social engineering attacks.
Chapter 3, “Application and Networking-Based Attacks,” continues the discussion of threats and vulnerabilities from the previous chapter’s coverage of malware and social engineering. First the chapter looks at attacks that target server-side and client-side web applications; then it explores some of the common attacks that are launched against networks today.
Chapter 4, “Host, Application, and Data Security,” looks at security for host systems achieved through both physical means and technology. It also examines devices beyond common general-purpose computers, followed by an exploration of application security. Finally, it looks at how securing the data itself can provide necessary protections.
Chapter 5, “Basic Cryptography,” explores how encryption can be used to protect data. It covers what cryptography is and how it can be used for protection, and then examines how to protect data using three common types of encryption algorithms: hashing, symmetric encryption, and asymmetric encryption. It also covers how to use cryptography on files and disks to keep data secure.
Chapter 6, “Advanced Cryptography,” examines digital certificates and how they can be used. It also looks at public key infrastructure and key management. This chapter covers different transport cryptographic algorithms to see how cryptography is used on data that is being transported.
Chapter 7, “Network Security Fundamentals,” explores how to secure a network through standard network devices, through network technologies, and by network design elements.
Chapter 8, “Administering a Secure Network,” looks at the techniques for administering a network. This includes understanding common network protocols and employing network design principles. It also looks at securing three popular types of network applications: IP telephony, virtualization, and cloud computing.
Chapter 9, “Wireless Network Security,” investigates the attacks on wireless devices that are common today and explores different wireless security mechanisms that have proven to be vulnerable. It also covers several secure wireless protections.
Chapter 10, “Mobile Device Security,” looks at the different types of mobile devices and the risks associated with these devices. It also explores how to secure these devices and the applications running on them. Finally, it examines how users can bring their own personal mobile devices to work and connect them to the secure corporate network without compromising that network.
Chapter 11, “Access Control Fundamentals,” introduces the principles and practices of access control by examining access control terminology, the standard control models, and their best practices. It also covers authentication services, which are used to verify approved users.
Chapter 12, “Authentication and Account Management,” looks at authentication and the secure management of user accounts that enforces authentication. It covers the different types of authentication credentials that can be used to verify a user’s identity and how a single sign-on might be used. It also examines the techniques and technology used to manage user accounts in a secure fashion.
Chapter 13, “Business Continuity,” covers the importance of keeping business processes and communications operating normally in the face of threats and disruptions. It explores disaster recovery, environmental controls, incident response procedures, and forensics.
Chapter 14, “Risk Mitigation,” looks at how organizations can establish and maintain security in the face of risk. It defines risk and the steps to control it. This chapter also covers security policies and the different types of policies that are used to reduce risk. Finally, it explores how training and awareness can help provide the user with the tools to maintain a secure environment within the organization.
Chapter 15, “Vulnerability Assessment,” explains what vulnerability assessment is and examines the tools and techniques associated with it. It also explores the differences between vulnerability scanning and penetration testing. The risks associated with third-party integration into a system are examined as well, as are controls to mitigate and deter attacks.
Appendix A, “CompTIA SY0-401 Certification Examination Objectives,” provides a complete listing of the latest CompTIA Security+ certification exam objectives and shows the chapters and headings in the book that cover material associated with each objective.
Appendix B, “Downloads and Tools for Hands-On Projects,” lists the websites used in the chapter Hands-On Projects.
Appendix C, “Security Websites,” offers a listing of several important websites that contain security-related information.
Appendix D, “Selected TCP/IP Ports and Their Threats,” lists common TCP/IP ports and their security vulnerabilities.
Appendix E, “Information Security Community Site,” lists the features of the companion website for this textbook.
Features
To aid you in fully understanding computer and network security, this book includes many features designed to enhance your learning experience.
Maps to CompTIA Objectives. The material in this text covers all of the CompTIA Security+ SY0-401 exam objectives.
Chapter Objectives. Each chapter begins with a detailed list of the concepts to be mastered in that chapter. This list provides you with both a quick reference to the chapter’s contents and a useful study aid.
Today’s Attacks and Defenses. Each chapter opens with a vignette of an actual security attack or defense mechanism that helps to introduce the material covered in that chapter.
Illustrations and Tables. Numerous illustrations of security vulnerabilities, attacks, and defenses help you visualize security elements, theories, and concepts. In addition, the many tables provide details and comparisons of practical and theoretical information.
Chapter Summaries. Each chapter’s text is followed by a summary of the concepts introduced in that chapter. These summaries provide a helpful way to review the ideas covered in each chapter.
Key Terms. All of the terms in each chapter that were introduced with bold text are gathered in a Key Terms list with definitions at the end of the chapter, providing additional review and highlighting key concepts.
Review Questions. The end-of-chapter assessment begins with a set of review questions that reinforce the ideas introduced in each chapter. These questions help you evaluate and apply the material you have learned. Answering these questions will ensure that you have mastered the important concepts and provide valuable practice for taking CompTIA’s Security+ exam.
Hands-On Projects. Although it is important to understand the theory behind network security, nothing can improve on real-world experience. To this end, each chapter provides several Hands-On Projects aimed at providing you with practical security software and hardware implementation experience. These projects use the Windows 8.1 or 7 operating system, as well as software downloaded from the Internet.
Case Projects. Located at the end of each chapter are several Case Projects. In these extensive exercises, you implement the skills and knowledge gained in the chapter through real design and implementation scenarios.
New to This Edition
• Fully maps to the latest CompTIA Security+ exam SY0-401
• All new chapter on mobile device security
• Chapters grouped by major domains: Threats, Basic Security, Cryptography, Network Security, Mobile Security, Access Control and Identity Management, and Compliance and Operational Security
• Earlier coverage of cryptography and advanced cryptography
• All new “Today’s Attacks and Defenses” opener in each chapter
• Completely revised and updated with expanded coverage on attacks and defenses
• Additional Hands-On Projects in each chapter covering some of the latest security software
• More Case Projects in each chapter
• Information Security Community Site activity in each chapter allows learners to interact with other learners and security professionals from around the world
Text and Graphic Conventions
Wherever appropriate, additional information and exercises have been added to this book to help you better understand the topic at hand. Icons throughout the text alert you to additional materials. The icons used in this textbook are described below.
The Note icon draws your attention to additional helpful material related to the subject being described.
Tips based on the author’s experience provide extra information about how to attack a problem or what to do in real-world situations.
The Caution icons warn you about potential mistakes or problems, and explain how to avoid them.
Each Hands-On Project in this book is preceded by the Hands-On icon and a description of the exercise that follows.
Case Project icons mark Case Projects, which are scenario-based assignments. In these extensive case examples, you are asked to implement independently what you have learned.
CertBlaster Test Prep Resources
CompTIA® Security+ Guide to Network Security Fundamentals includes CertBlaster test preparation questions that mirror the look and feel of the CompTIA Security+ certification exam.
To log in and access the CertBlaster test preparation questions for CompTIA® Security+ Guide to Network Security Fundamentals, Fifth Edition, go to www.certblaster.com/login/.
Activate your CertBlaster license by entering your name, email address, and access code (found on the card bound in this book) in their fields, and then click Submit.
The CertBlaster user’s online manual describes features and gives navigation instructions. CertBlaster offers three practice modes and all the types of questions required to simulate the exams:
• Assessment mode—Used to determine the student’s baseline level. In this mode, the timer is on, answers are not available, and the student gets a list of questions answered incorrectly, along with a Personal Training Plan.
• Study mode—Helps the student understand questions and the logic behind answers by giving immediate feedback both during and after the test. Answers and explanations are available. The timer is optional, and the student gets a list of questions answered incorrectly, along with a Personal Training Plan.
• Certification mode—A simulation of the actual exam environment. The timer as well as the number and format of questions from the exam objectives are set according to the exam’s format.
For more information about dti test prep products, visit the website at www.dtipublishing.com.
Instructor’s Materials
Everything you need for your course in one place! This collection of book-specific lecture and class tools is available online. Please visit login.cengage.com and log in to access instructor-specific resources on the Instructor Companion Site, which includes the Instructor’s Manual, Solutions Manual, test creation tools, PowerPoint Presentations, Syllabus, and figure files.
Electronic Instructor’s Manual. The Instructor’s Manual that accompanies this textbook includes the following items: additional instructional material to assist in class preparation, including suggestions for lecture topics.
Solutions Manual. The instructor’s resources include solutions to all end-of-chapter material, including review questions and case projects.
Cengage Learning Testing Powered by Cognero. This flexible, online system allows you to do the following:
• Author, edit, and manage test bank content from multiple Cengage Learning solutions.
• Create multiple test versions in an instant.
• Deliver tests from your LMS, your classroom, or wherever you want.
PowerPoint Presentations. This book comes with a set of Microsoft PowerPoint slides for each chapter. These slides are meant to be used as a teaching aid for classroom presentations, to be made available to students on the network for chapter review, or to be printed for classroom distribution. Instructors are also at liberty to add their own slides for other topics introduced.
Figure Files. All of the figures and tables in the book are reproduced. Similar to PowerPoint presentations, these are included as a teaching aid for classroom presentation, to make available to students for review, or to be printed for classroom distribution.
Total Solutions for Security
To access additional course materials, please visit www.cengagebrain.com. At the CengageBrain.com home page, search for the ISBN of your title (from the back cover of your book) using the search box at the top of the page. This will take you to the product page where these resources can be found. Additional resources include a Lab Manual, CourseMate, CourseNotes, assessment, and digital labs.
Information Security Community Site
Stay secure with the Information Security Community Site! Connect with students, professors, and professionals from around the world, and stay on top of this ever-changing field.
Visit www.community.cengage.com/infosec to:
• Download resources such as instructional videos and labs.
• Ask authors, professors, and students the questions that are on your mind in our Discussion Forums.
• See up-to-date news, videos, and articles.
• Read weekly blogs from author Mark Ciampa.
• Listen to podcasts on the latest Information Security topics.
Each chapter’s Case Projects include information on a current security topic and ask the learner to post reactions and comments to the Information Security Community Site. This allows users from around the world to interact and learn from other users as well as security professionals and researchers.
Additional information can be found in Appendix E, Information Security Community Site.
What’s New with CompTIA Security+ Certification
The CompTIA Security+ SY0-401 exam was updated in May 2014. Several significant changes have been made to the exam objectives. The exam objectives have been significantly expanded to more accurately reflect current security issues and knowledge requirements. These exam objectives place more importance on knowing “how to” rather than just knowing or recognizing security concepts. Here are the domains covered on the new Security+ exam:
Domain                                        Percentage of examination
1.0 Network Security                          20%
2.0 Compliance and Operational Security       18%
3.0 Threats and Vulnerabilities               20%
4.0 Application, Data, and Host Security      15%
5.0 Access Control and Identity Management    15%
6.0 Cryptography                              12%
CompTIA is a nonprofit information technology (IT) trade association.
The Computing Technology Industry Association (CompTIA) is the voice of the world’s information technology (IT) industry. Its members are the companies at the forefront of innovation and the professionals responsible for maximizing the benefits organizations receive from their investments in technology.
CompTIA is dedicated to advancing industry growth through its educational programs, market research, networking events, professional certifications, and public policy advocacy.
CompTIA is a not-for-profit information technology (IT) trade association. CompTIA’s certifications are designed by subject matter experts from across the IT industry. Each CompTIA certification is vendor-neutral, covers multiple technologies, and requires demonstration of skills and knowledge widely sought after by the IT industry.
The CompTIA Marks are the proprietary trademarks and/or service marks of CompTIA Properties, LLC used under license from CompTIA Certifications, LLC through participation in the CompTIA Authorized Partner Program. More information about the program can be found at: http://www.comptia.org/certifications/capp/login.aspx.
About the Author
Mark Ciampa, Ph.D., Security+, is Associate Professor of Information Systems at Western Kentucky University in Bowling Green, Kentucky. Previously, he served as Associate Professor and Director of Academic Computing for 20 years at Volunteer State Community College in Gallatin, Tennessee. Dr. Ciampa has worked in the IT industry as a computer consultant for the U.S. Postal Service, the Tennessee Municipal Technical Advisory Service, and the University of Tennessee. He is also the author of many Cengage Learning textbooks, including CWNA Guide to Wireless LANs, Third Edition; Guide to Wireless Communications; Security Awareness: Applying Practical Security in Your World, Fourth Edition; and Networking BASICS. He holds a Ph.D. in technology management with a specialization in digital communication systems from Indiana State University.
Acknowledgments
A large team of dedicated professionals all contributed to the creation of this book. I am honored to be part of such an outstanding group of professionals, and to everyone on the team I extend my sincere thanks. A special thanks goes to Product Manager Nick Lombardi for giving me the opportunity to work on this project and for providing his continual support. Also thanks to Senior Content Developer Michelle Ruelos Cannistraci who was very supportive and helped keep this fast-moving project on track, and to Serge Palladino and Danielle Shaw, Technical Editors, as well as the excellent production and permissions teams at Cengage Learning, including Kara DiCaterino, Ashley Maynard, and Kathy Kucharek. And a big Thank-You to the team of peer reviewers who evaluated each chapter and provided very helpful suggestions and contributions: Angela Herring, Wilson Community College; Dan Hutcherson, Forsyth Technical Community College; Ahmad Nasraty, Heald College; and Deanne Wesley, Forsyth Technical Community College.
Special recognition again goes to the best developmental editor any author could wish for, Deb Kaufmann. First and foremost, Deb is a true professional in every sense of the word. She made many helpful suggestions, found all of my errors, watched every small detail, and even took on additional responsibilities so that this project could meet its deadlines. But even more, Deb is a joy to work with. Without question, Deb is simply the very best there is.
And finally, I want to thank my wonderful wife, Susan. Once again her patience, support, and love helped me through this project. I could not have written this book without her.
Dedication
To Braden, Mia, Abby, Gabe, and Cora.
To the User
This book should be read in sequence, from beginning to end. Each chapter builds on those that precede it to provide a solid understanding of networking security fundamentals. The book may also be used to prepare for CompTIA’s Security+ certification exam. Appendix A pinpoints the chapters and sections in which specific Security+ exam objectives are located.
Hardware and Software Requirements
Following are the hardware and software requirements needed to perform the end-of-chapter Hands-On Projects.
• Microsoft Windows 8.1 or 7
• An Internet connection and web browser
• Microsoft Office
• Microsoft Office Outlook 2013
Free Downloadable Software Requirements
Free, downloadable software is required for the Hands-On Projects in the following chapters. Appendix B lists the websites where these can be downloaded.
Chapter 1:
• Oracle VirtualBox
Chapter 2:
• Irongeek Thumbscrew
• Kaspersky TDSSKiller
• GMER
• Spyrix Keylogger
Chapter 3:
• GRC Securable
Chapter 4:
• EICAR AntiVirus Test File
Chapter 5:
• OpenPuff Steganography
• MD5DEEP
• HASHDEEP
• HashTab
• TrueCrypt
Chapter 6:
• Comodo Digital Certificate
Chapter 7:
• ThreatFire
• K9 Web Protection
Chapter 8:
• Sandboxie
• VMware vCenter
• VMware Player
Chapter 9:
• Vistumbler
• SMAC
Chapter 10:
• Prey
• Bluestacks
Chapter 12:
• GreyC Keystroke
• KeePass
Chapter 13:
• Macrium Reflect
• Briggs Software Directory Snoop
Chapter 15:
• Secunia Personal Software Inspector
• Nmap
References
i. “Chronology of data breaches: Security breaches 2005–present,” Privacy Rights Clearinghouse, updated Dec. 4, 2013, accessed Dec. 4, 2013, www.privacyrights.org/data-breach.
ii. “Network and computer systems administrators: Occupational outlook handbook,” Bureau of Labor Statistics, Mar. 29, 2012, accessed Mar. 30, 2013, www.bls.gov/ooh/Computer-and-Information-Technology/Network-and-computer-systems-administrators.htm.
Chapter 1 Introduction to Security
After completing this chapter, you should be able to do the following:
• Describe the challenges of securing information
• Define information security and explain why it is important
• Identify the types of attackers that are common today
• List the basic steps of an attack
• Describe the five basic principles of defense
Today’s Attacks and Defenses
What is the deadliest security attack that you can imagine? A virus that erases all the contents of a hard disk drive? A malicious program that locks up files until the user pays a “ransom” to have them released? The theft of millions of user passwords? Although each of these attacks can be extremely harmful, the deadliest attacks could result in the actual death of the victim. These deadly attacks are directed against medical devices that sick patients rely upon to live.
An insulin pump is a small medical device worn by diabetics that administers insulin as an alternative to multiple daily injections with an insulin syringe or pen. One security researcher, himself a diabetic, demonstrated at a security conference a wireless attack on an insulin pump that could secretly change the delivery dosage of insulin to the patient.[1] By scanning for wireless devices in a public space up to 300 feet (91 meters), this researcher could locate vulnerable insulin pumps made by a specific medical device manufacturer, and then force these devices to dispense fatal insulin doses—just as an attacker could.[2] Another security researcher “hacked” into a defibrillator used to stabilize heartbeats and reprogrammed it, and also disabled its power-save mode so the battery ran down in hours instead of years. It is estimated that there are more than 3 million pacemakers and 1.7 million Implantable Cardioverter Defibrillators (ICDs) in use today that are vulnerable to these types of wireless attacks.[3] This threat was so real that a former vice president of the U.S. had his defibrillator removed and replaced with one that lacked capabilities that an attacker might exploit.
Other serious concerns regarding medical devices have also surfaced. A vendor that manufactures medical ventilators maintains a website from which software updates to the ventilators can be downloaded and installed. A security researcher discovered that the website was infected with 48 viruses that could be installed on a user’s computer, and 20 of the 347 pages of this website contained infections.[4] And spreading medical device malware is not limited to infecting websites. Today devices that perform medical imaging like computerized tomography (CT) scans automatically send scan results as PDF file attachments to email accounts. This email capability can be highly vulnerable and make an ideal entry point for an attacker to install medical device malware.
The U.S. Department of Homeland Security (DHS) has issued a report entitled “Attack Surface: Healthcare and Public Health Sector.” This report says these attacks are “now becoming a major concern…. In a world in which communication networks and medical devices can dictate life or death, these systems, if compromised, pose a significant threat to the public and private sector.”[5] The national Information Security and Privacy Advisory Board (ISPAB) said that the United States Computer Emergency Readiness Team (US-CERT) should create “defined reporting categories for medical device cybersecurity incidents.”[6]
Until recently the Food and Drug Administration (FDA), which regulates the design
and manufacture of medical devices, did not have any regulations regarding how
these devices should be configured and connected to a network. Now the FDA is taking notice. It has issued an “FDA Safety Communication” document recommending
that medical device manufacturers and health care facilities should “take steps to
assure that appropriate safeguards are in place to reduce the risk of failure due to
cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices
and hospital networks.” And to make sure that these recommendations are followed,
the FDA has stated that for any medical devices that do not “appropriately address”
security risks, the FDA “might consider” withholding its approval of the device.7
Our world today is one in which all citizens have been forced to continually protect themselves, their
families, and their property from attacks by invisible foes. Random shootings, suicide car bombings, airplane hijackings, and other types of physical violence occur around the world with increasing frequency. To counteract this violence, new types of security defenses have been implemented.
Passengers using public transportation are routinely searched. Fences are erected across borders.
Telephone calls are monitored. These attacks and the security defenses against them have impacted
almost every element of our daily lives and significantly affect how all of us work, play, and live.
Yet these attacks are not just physical. One area that has also been an especially frequent target of attacks is information technology (IT). A seemingly endless array of attacks is directed
at individuals, schools, businesses, and governments through desktop computers, laptops,
smartphones, and tablet computers. Internet web servers must resist thousands of attacks
every day. Identity theft using stolen electronic data has skyrocketed. An unprotected computer connected to the Internet can be infected in fewer than 60 seconds. Phishing, rootkits,
worms, zombies, and botnets—virtually unheard of just a few years ago—are now part of
our everyday security technology vocabulary.
The need to defend against these attacks directed toward our technology devices has created
an element of IT that is now at the very core of the industry. Known as information security,
it is focused on protecting the electronic information of organizations and users.
Two broad categories of information security personnel are responsible for this protection.
Information security managerial personnel administer and manage plans, policies, and people.
Information security technical personnel are concerned with designing, configuring, installing,
and maintaining technical security equipment. Within these two broad categories are four generally recognized security positions:
Chief information security officer (CISO). This person reports directly to the chief
information officer (CIO) (large organizations may have more layers of management
between this person and the CIO). This person is responsible for assessing, managing,
and implementing security.
Security manager. The security manager reports to the CISO and supervises
technicians, administrators, and security staff. Typically, a security manager works
on tasks identified by the CISO and resolves issues identified by technicians.
This position requires an understanding of configuration and operation but not
necessarily technical mastery.
Security administrator. The security administrator has both technical knowledge and
managerial skills. A security administrator manages daily operations of security
technology, and may analyze and design security solutions within a specific entity as
well as identify users’ needs.
Security technician. This position is generally an entry-level position for a person who has
the necessary technical skills. Technicians provide technical support to configure security
hardware, implement security software, and diagnose and troubleshoot problems.
Individuals in these positions are not the only ones responsible for
security. It is the job of every employee—both IT and non-IT—to
know and practice basic security defenses.
Employment trends indicate that employees with certifications in security are in high demand.
As attacks continue to escalate, the need for trained and certified security personnel also
increases. Unlike some IT positions, security is rarely offshored or outsourced: because security is such a critical element in an organization, security positions generally remain within
the organization. In addition, security jobs typically do not involve “on-the-job training”
where employees can learn as they go; the risk is simply too great. IT employers want and
pay a premium for certified security personnel.
The job outlook for security professionals is exceptionally strong.
According to the U.S. Bureau of Labor Statistics (BLS) “Occupational
Outlook Handbook,” the job outlook for information security analysts
through the end of the decade is expected to grow by 22 percent,
faster than the average growth rate. The increase in employment will
add 65,700 positions to the more than 300,000 already in this field.8
To verify security competency, a vast majority of organizations use the Computing
Technology Industry Association (CompTIA) Security+ certification. Of the more than
250 security certifications currently available, Security+ is one of the most widely recognized security certifications and has become the security foundation for today’s IT professionals. It is internationally recognized as validating a foundation level of security skills
and knowledge.
The CompTIA Security+ certification is a vendor-neutral credential that requires passing the
current certification exam SY0-401. A successful candidate has the knowledge and skills
required to identify risks and participate in risk mitigation activities; provide infrastructure,
application, operational and information security; apply security controls to maintain confidentiality, integrity, and availability; identify appropriate technologies and products; troubleshoot security events and incidents; and operate with an awareness of applicable policies,
laws, and regulations.
The CompTIA Security+ certification is aimed at an IT security professional who has a recommended background of a minimum of two years’ experience in IT administration with a focus
on security, has technical information security experience on a daily basis, and possesses a
broad knowledge of security concerns and implementation.
This chapter introduces the network security fundamentals that form the basis of the Security+
certification. It begins by examining the current challenges in computer security and why it is
so difficult to achieve. It then defines information security in detail and explores why it
is important. Finally, the chapter looks at who is responsible for these attacks and what are
the fundamental attacks and defenses.
Challenges of Securing Information
A silver bullet is a specific and fail-safe solution that very quickly and easily solves a serious
problem. To a casual observer it may seem that there should be such a silver bullet for
securing computers, such as installing a better hardware device or using a more secure software application. But in reality, no single and simple solution to securing devices in order to
protect the information contained on them is available. This can be illustrated by looking at the different types of attacks that users face today as well as the difficulties in defending against these attacks.
Today’s Security Attacks
Despite the fact that information security continues to rank as the number one concern of IT
managers and tens of billions of dollars are spent annually on computer security, the number
of successful attacks continues to increase. Recent attacks include the following:
Attackers penetrated the network of a credit card processing company that handles
prepaid debit cards. They then manipulated the balances and limits on just five
prepaid cards. These cards were then distributed to “cell managers” in different
countries who were responsible for using the cards to withdraw cash from automated
teller machines (ATMs). In one month almost $5 million was fraudulently withdrawn
from ATM machines around the world in 5700 transactions. A cell in New York City
was responsible for withdrawing $400,000 in 750 fraudulent transactions at 140
ATM locations in the city in only 2.5 hours. A similar attack manipulated account
balances and withdrawal limits on 12 more cards that were distributed to cell
members to withdraw an additional $40 million from ATM machines around the
world. The New York City cell withdrew $2.4 million in 3000 ATM transactions in
just 10 hours.
Marc G. was in the kitchen when he began to hear strange sounds coming from the
nursery of his two-year-old daughter Allyson. Marc and his wife entered the nursery
and heard a stranger’s voice calling out Allyson’s name, cursing at her and calling her
vile names. The parents discovered that the voice was coming from the electronic
baby monitor in Allyson’s room that contained a camera, microphone, and speaker
connected to their home Wi-Fi network. Because they did not have any security set on
their wireless network, the attacker had been able to take control of the baby monitor
from an unknown remote location. When Marc and his wife stepped in front of the
camera, the attacker turned his verbal attack toward them. They quickly unplugged
the device. The parents surmised that the attacker knew their daughter’s name
because he saw “Allyson” spelled out on the wall in her room. This situation is not
unique: it is estimated that there are more than 100,000 wireless cameras that can
easily be exploited because they have virtually no security.
The Twitter account of the Associated Press (AP) was broken into and a fictitious
tweet was posted claiming there were “two explosions in the White House and
[the U.S. President] is injured.” Even though the tweet was only visible for a matter
of minutes before it was removed, because of this fictitious tweet the Dow Jones
industrial average dropped immediately (it recovered later in the day). AP now
joins the ranks of many large corporate brands—including CBS television websites
60 Minutes and 48 Hours, the New York Times, the Wall Street Journal, the
Washington Post, Burger King, and Jeep—who have been victims of recent Twitter
break-ins. And these attacks will likely only escalate as social media sites become
more frequently used for distributing information. The U.S. Securities and Exchange
Commission (SEC) recently said that it would allow public companies to disclose
corporate information on social media sites like Twitter.
Malware called Ploutus that infects a bank’s ATM demonstrates how vulnerable these
cash-dispensing machines can be. The infection begins with the attacker inserting a
CD-ROM disc that contains malware into the ATM computer’s disc drive (on some
ATMs the disc drive is actually accessible from the outside). The malware then installs
a “backdoor” so that the attackers can manipulate the machine via the ATM’s
keypad. After entering the code 123456789ABCDEFG to access the malware,
instructions can be given through entering a series of numbers on the keypad. The
latest version of Ploutus malware can be instructed to print the entire ATM
configuration (if a USB printer is connected to an exposed USB port), display
information about the money currently available in the ATM, and instruct the
machine to dispense money.9
A serial server is a device that connects to a remote system through the Internet
(technically it provides remote access to serial ports over TCP/IP) so that
administrators can access the remote system as if it were connected to the local
network. The remote systems that use serial servers include not only traffic stoplight
systems but also a wide variety of industrial control applications, point of sale (POS)
terminals in retail stores, energy management devices, fueling stations, hospital
medical device monitors, and oil and gas monitoring stations. Serial servers are highly
vulnerable and can thus expose the remote systems that are connected to them. It is
estimated that there are 114,000 serial servers accessible from the Internet that expose
more than 13,000 serial ports and their connected remote systems.10
Indonesia has now overtaken China as the number one source of attack traffic. About
38 percent of all attacks now come from Indonesia. China has fallen to second place
with about 33 percent of all attacks coming from there, while the U.S. is at a distant
third place (6.9 percent but down from 8.3 percent). These three countries, combined
with seven others, now account for 89 percent of all attack traffic. The rapid ascent of
Indonesia to the top of the list is even more significant given that previously this
country accounted for only 1 percent of all attack traffic. The surge is evidently
related to the increase in the average Internet connection speed in Indonesia:
broadband access has increased 125 percent in one year.11
A security researcher demonstrated how easy it would be to manipulate any aircraft in
the sky. This is because the computers that control today’s airplanes are not protected
from attacks. The researcher, who both works in IT and is a trained commercial pilot,
demonstrated how an attacker can easily upload bogus flight plans and give detailed
commands to these systems. In one demonstration he showed how to manipulate the
steering of a Boeing jet while the aircraft was in autopilot mode. He could also take
control of most of the airplane’s systems so that, for example, he could send panic
throughout the aircraft cabin by making the oxygen masks drop down. And he could
even make the plane crash by setting it on a collision course with another airplane in
the vicinity.12
Researchers have found similar weaknesses in the systems used by ocean vessels. Ships
share information about their current position and course with other ships in the area
as well as with offshore installations like harbors, and this information can be tracked
via the Internet. Because this software is not protected, an attacker could easily
modify every detail of the vessel, such as its position, course, speed, name, and status
number. Attackers could also send fake alerts that a person has fallen overboard, that
a storm is approaching, or that a collision is imminent with another ship. They could
also create a fictitious “ghost” ship that does not even exist or change information
about the type of ship or cargo it is carrying (in their test the researchers took a ship
that was physically located on the Mississippi River in Missouri but made it appear as
if the ship were on a lake in Dallas). An attacker could also alter a system that
identifies buoys and lighthouses, causing ships to wreck.13
Web browsers typically send User Agent Strings to a web server that identify such
items as the browser type and the underlying operating system so that the web server
can respond appropriately (for example, the web server can send different formats of
the requested webpage based on what the browser can display). Attackers can use a
web browser to send the User Agent String “xmlset_roodkcableoj28840ybtide” to
specific wireless routers in order to access the router’s settings through a “backdoor”
and bypass all security. As an interesting note, it appears that this backdoor was
actually implanted by the manufacturer: if the second half of the User Agent String is
reversed and the number in the middle is removed, it reads edit by joel backdoor.14
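As an added example (not code from the textbook), the following Python check scans web server access-log lines for the backdoor User Agent String quoted above and reproduces the reverse-and-strip-digits decoding the text describes. The log lines, the combined-log regular expression and all function names are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# The User Agent String quoted in the text. Sending it to the affected routers
# opened a management "backdoor" that bypassed authentication, so any request
# carrying it is worth an alert.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Constructed regex for the common "combined" access-log format:
# client IP, two ident/user fields, [timestamp], "request", status, size, "referrer", "user agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def decode_backdoor_string(ua: str) -> str:
    """Reproduce the decoding the text describes: take the part after the
    underscore, reverse it, and drop the digits that sit in the middle."""
    _, _, tail = ua.partition("_")
    reversed_tail = tail[::-1]               # "editby04882joelbackdoor"
    return re.sub(r"\d+", "", reversed_tail)  # "editbyjoelbackdoor"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_backdoor_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries whose User Agent is exactly the backdoor string.

    The comparison is exact and case-sensitive: the string is a fixed token,
    not a browser family, so looser matching would only add false positives.
    Malformed lines are skipped so one bad line cannot abort the whole pass."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["ua"] == BACKDOOR_UA:
            hits.append(entry)
    return hits


# Constructed sample log: two ordinary browser requests, one request carrying
# the backdoor string, and one unparseable line. IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"',
    '198.51.100.7 - - [10/Jan/2014:10:01:05 +0000] "GET /admin HTTP/1.1" 401 0 '
    '"-" "Mozilla/5.0 (Macintosh) Safari/537.36"',
    '203.0.113.42 - - [10/Jan/2014:10:01:09 +0000] "GET /admin HTTP/1.1" 200 2048 '
    '"-" "xmlset_roodkcableoj28840ybtide"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print(f"ALERT backdoor User Agent from {hit['ip']} at {hit['ts']}: "
              f"{hit['req']} -> HTTP {hit['status']}")
    print("decoded string:", decode_backdoor_string(BACKDOOR_UA))
```

Note that the third sample line shows the pattern a defender should care about: the same /admin path that returned 401 to a normal browser returns 200 to the backdoor string.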
Online sites like Craigslist and eBay are very popular for buyers and sellers of items
from electronics to automobiles. However, the Federal Bureau of Investigation (FBI) is
warning buyers to beware. Attackers masquerading as legitimate sellers frequently
advertise items at “too-good-to-be-true” prices to entice a large number of victims;
however, the attackers do not post photos of the item for sale but instead offer to send
a photo as an email attachment or as a link upon request. Increasingly these
attachments contain malware: when the recipients open the attachment their computers
become infected. Potential buyers are encouraged to not ask to be sent a photo but
instead request that the original posting be modified so that it includes a photo.
A computer cluster for cracking passwords was configured that comprised five servers
and 25 graphics cards that can generate 350 billion password guesses (candidates)
per second. This cluster could break any eight-character password in a maximum of
5.5 hours.
Apple has admitted that Mac computers on its own campus became infected. Apple
employees visited an infected website for software developers and their computers
then became infected. The infection was successful because Apple’s own computers
were not updated with the latest security patches. Once the attack was identified by
Apple it released a tool that patched 30 vulnerabilities and defects and disinfected
malware on Apple Mac computers.
The number of security breaches that have exposed users’ digital data to attackers continues
to rise. From 2005 through early 2014 over 666 million electronic data records in the U.S.
had been breached, exposing to attackers a range of personal electronic data, such as
address, Social Security numbers, health records, and credit card numbers.15 Table 1-1 lists
some of the major security breaches that occurred during a one-month period, according to
the Privacy Rights Clearinghouse.
Organization | Description of security breach | Number of identities exposed
University of Washington Medicine, WA | An employee opened an email attachment containing malicious software that infected the employee’s computer and compromised the information on it. Patient names, Social Security numbers, phone numbers, addresses, and medical record numbers dating back five years may have been affected. | 90,000
Maricopa County Community College District, AZ | An unspecified data breach may have exposed the information of current and former students, employees, and vendors. Names, Social Security numbers, bank account information, and dates of birth, as well as student academic information, may have been viewed by unauthorized parties. | 2.49 million
University of California, San Francisco, CA | The theft of a physician’s laptop from a car may have resulted in the exposure of patient information, including patient names, Social Security numbers, dates of birth, and medical record numbers. | 8294
Redwood Memorial Hospital, CA | A USB flash drive was discovered missing that contained patient names, report ID numbers, test indications, ages, heights, weights, and clinical summaries of test findings for patients who were seen over a period of 12 years. | 1039
Anthem Blue Cross, CA | The Social Security numbers and tax identification numbers of California doctors were posted in the online provider directory. | 24,500
New York City Police Department, NY | A former police detective pleaded guilty to paying attackers to steal passwords associated with the email accounts of other officers. At least 43 email accounts and one cellular phone account were hacked. | 30
Adobe Systems, San Jose, CA | The email addresses, encrypted passwords and password hints from Adobe Systems customers were stolen from a backup system about to be decommissioned. | 152 million
Target Corporation, Minneapolis, MN | The credit and debit card numbers, expiration dates, and 3-digit CVV (“Card Verification Value”) numbers of customers who made purchases during a 3-week period were stolen. | 110 million
Table 1-1 Selected security breaches involving personal information in a one-month period
Difficulties in Defending Against Attacks
The challenge of keeping computers secure has never been greater, not only because of the
number of attacks but also because of the difficulties faced in defending against these attacks.
These difficulties include the following:
Universally connected devices. It is unthinkable today for any technology device—
desktop computer, tablet, laptop, or smartphone—not to be connected to the Internet.
Although this provides enormous benefits, it also makes it easy for an attacker
halfway around world to silently launch an attack against a connected device.
Increased speed of attacks. With modern tools at their disposal, attackers can quickly
scan millions of devices to find weaknesses and launch attacks with unprecedented
speed. Most attack tools initiate new attacks without any human participation, thus
increasing the speed at which systems are attacked.
Greater sophistication of attacks. Attacks are becoming more complex, making it
more difficult to detect and defend against them. Attackers today use common
Internet protocols and applications to perform attacks, making it more difficult to
distinguish an attack from legitimate traffic. Other attack tools vary their behavior so
the same attack appears differently each time, further complicating detection.
Availability and simplicity of attack tools. Whereas in the past an attacker needed to
have an extensive technical knowledge of networks and computers as well as the
ability to write a program to generate the attack, that is no longer the case. Today’s
software attack tools do not require any sophisticated knowledge on the part of the
attacker. In fact, many of the tools, such as the Kali Linux interface shown in
Figure 1-1, have a graphical user interface (GUI) that allows the user to easily
select options from a menu. These tools are freely available or can be purchased
from other attackers at a surprisingly low cost.
Figure 1-1 Menu of attack tools
Source: Kali Linux
Faster detection of vulnerabilities. Weakness in hardware and software can be more
quickly uncovered and exploited with new software tools and techniques.
Delays in security updating. Hardware and software vendors are overwhelmed trying
to keep pace with updating their products against attacks. One antivirus software
security institute receives more than 200,000 submissions of potential malware each
day.16 At this rate the antivirus vendors would have to create and distribute updates
every few seconds to keep users fully protected. This delay in distributing security
updates adds to the difficulties in defending against attacks.
Weak security update distribution. While vendors of mainstream products, such as
Microsoft, Apple, and Adobe, have a system for notifying users of security updates for
many of their products and distributing them on a regular basis, few other software
vendors have invested in these costly distribution systems. Users are generally
unaware that a security update even exists for a product because there is no reliable
means for the vendor to alert the user. Also, these vendors often do not create small
security updates that “patch” the existing software, but instead they fix the problem
in an entirely new version of the software—and then require the user to pay for the
updated version that contains the patch. Attackers today are focusing more on
uncovering and exploiting vulnerabilities in these products.
Vendors of smartphone operating systems are particularly well-known for not providing security updates on a timely basis, if at all.
Most vendors and wireless carriers do not attempt to provide users
with significant updates (such as from version 5.6 to 5.7), instead
hoping that users will purchase an entirely new smartphone—and
service contract—to have the latest and most secure device.
Distributed attacks. Attackers can use hundreds of thousands of computers under
their control in an attack against a single server or network. This “many against one”
approach makes it virtually impossible to stop an attack by identifying and blocking a
single source.
Introduction of BYOD. Until recently IT departments were “autocratic”: they
established technology standards for users by specifying which devices could be
purchased by a department for its employees and would refuse to allow unauthorized
personal devices to be connected to the corporate networks. However, coinciding with
the introduction of modern tablet computers in 2010 and the widespread usage of
smartphones, users began to pressure IT departments to allow them to use and
connect their personal devices to the company’s network (called BYOD or bring your
own device). This trend of allowing employees to use their own personal devices to
connect to the corporate network has made it difficult for IT departments to provide
adequate security for an almost endless array of devices that they do not own.
User confusion. Increasingly, users are called upon to make difficult security decisions
regarding their computer systems, sometimes with little or no information to guide them.
It is not uncommon for a user to be asked security questions such as “Do you want to
view only the content that was delivered securely?” or “Is it safe to quarantine this
attachment?” or “Do you want to install this add-on?” With little or no direction, users are
inclined to provide answers to questions without understanding the security risks.
Table 1-2 summarizes the reasons why it is difficult to defend against today’s attacks.
Reason | Description
Universally connected devices | Attackers from anywhere in the world can send attacks.
Increased speed of attacks | Attackers can launch attacks against millions of computers within minutes.
Greater sophistication of attacks | Attack tools vary their behavior so the same attack appears differently each time.
Availability and simplicity of attack tools | Attacks are no longer limited to highly skilled attackers.
Faster detection of vulnerabilities | Attackers can discover security holes in hardware or software more quickly.
Delays in security updating | Vendors are overwhelmed trying to keep pace updating their products against the latest attacks.
Weak security update distribution | Many software products lack a means to distribute security updates in a timely fashion.
Distributed attacks | Attackers use thousands of computers in an attack against a single computer or network.
Introduction of BYOD | Organizations are having difficulty providing security for a wide array of personal devices.
User confusion | Users are required to make difficult security decisions with little or no instruction.
Table 1-2 Difficulties in defending against attacks
What Is Information Security?
2.1 Explain the importance of risk related concepts.
3.2 Summarize various types of attacks.
Before it is possible to defend against attacks, it is necessary to understand exactly what security is and how it relates to information security. Also knowing the terminology used can be
helpful when creating defenses for computers. Understanding the importance of information
security is also critical.
Understanding Security
A search of the Internet to define the word security will result in a variety of definitions.
Sometimes security is defined as the state of being free from danger, while at other times
security is said to be the protection of property. And another interpretation of security is the
degree of resistance from harm. The difference in these definitions actually hinges upon
whether the focus is on the process (how to achieve security) or the goal (what it means to
have security). In reality security is both: it is the goal to be free from danger as well as the
process that achieves that freedom.
Yet because complete security can never be fully achieved, most often security is viewed as a
process. In this light security may be defined as the necessary steps to protect a person or property from harm. This harm may come from one of two sources: either from a direct action that
is intended to inflict damage or from an indirect and unintentional action. Consider a typical
house: it is necessary to provide security for the house and its inhabitants from these two different sources. For example, the house and its occupants must be secure from the direct attack of a
criminal who wants to inflict bodily harm to someone inside or a burglar who wants to steal a
television. This security may be provided by locked doors, a fence, or a strong police presence.
In addition, the house must also be protected from indirect acts that are not exclusively directed
against it. That is, the house needs to be protected from a hurricane (by being built with strong
materials and installing hurricane shutters) or a storm surge (by being built off the ground).
Security usually includes both preventive measures and rapid
response. An individual who wants to be secure would take the preventive measures of keeping the doors to the house locked and leaving outside lights turned on at night. An example of a rapid
response could include the homeowner programming 911 into his
phone so that if anything suspicious begins to occur around the
house an emergency call can be made quickly to the police.
It is also important to understand the relationship between security and convenience. As security is increased, convenience is often decreased. That is, the more secure something is, the
less convenient it may become to use (security is said to be “inversely proportional” to convenience). This is illustrated in Figure 1-2. Consider again a typical house. A homeowner might
install an automated alarm system that requires a code to be entered on a keypad within
30 seconds of entering the house. Although the alarm system makes the house more secure,
it is less convenient than just walking into the house. Thus, security may be understood as
sacrificing convenience for safety. Another way to think of security is giving up short-term
comfort for long-term protection. In any case, security usually requires forgoing convenience
to achieve a greater level of safety or protection.
Figure 1-2 Relationship of security to convenience (axes: security from low to high, convenience from high to low; as one rises the other falls)
Defining Information Security
The term information security is frequently used to describe the tasks of securing information
that is in a digital format. This digital information is manipulated by a microprocessor (such
as on a personal computer), stored on a storage device (like a hard drive or USB flash drive),
and transmitted over a network (such as a local area network or the Internet).
Just as security can be viewed as both a goal and a process, the same is true with information
security. Information security can be best understood by examining its goals and the process
of how it is accomplished. Together these can help create a solid definition of information
security.
Information security cannot completely prevent successful attacks or guarantee that a system
is totally secure, just as the security measures taken for a house can never guarantee complete
safety from a burglar or a hurricane. The goal of information security is to ensure that protective measures are properly implemented to ward off attacks and prevent the total collapse
of the system when a successful attack does occur. Thus, information security is first
protection.
Information security should not be viewed as a war to be won or
lost. Just as crime such as burglary can never be completely eradicated, neither can attacks against technology devices. The goal is
not a complete victory but instead maintaining equilibrium: as
attackers take advantage of a weakness in a defense, defenders
must respond with an improved defense. Information security is an
endless cycle between attacker and defender.
Second, information security is intended to protect information that provides value to people
and organizations. There are three protections that must be extended over information: confidentiality, integrity, and availability—or CIA:
1. Confidentiality. It is important that only approved individuals are able to access
important information. For example, the credit card number used to make an online
purchase must be kept secure and not made available to other parties. Confidentiality
ensures that only authorized parties can view the information. Providing confidentiality
can involve several different security tools, ranging from software to “scramble” the credit
card number stored on the web server to door locks to prevent access to those servers.
2. Integrity. Integrity ensures that the information is correct and no unauthorized person
or malicious software has altered the data. In the example of the online purchase, an
attacker who could change the amount of a purchase from $10,000.00 to $1.00 would
violate the integrity of the information.
3. Availability. Information has value if the authorized parties who are assured of its
integrity can access the information. Availability ensures that data is accessible to
authorized users. This means that the information cannot be “locked up” so tight that
no one can access it. It also means that attackers have not performed an attack so that
the data cannot be reached. In this example the total number of items ordered as the
result of an online purchase must be made available to an employee in a warehouse so
that the correct items can be shipped to the customer.
In addition to CIA, another set of protections must be implemented to secure information.
These are authentication, authorization, and accounting—or AAA:
1. Authentication. Authentication ensures that the individual is who she claims to be (the
authentic or genuine person) and not an imposter. A person accessing the web server
that contains a user’s credit card number must prove that she is indeed who she claims
to be and not a fraudulent attacker. One way in which authentication can be performed
is by the person providing a password that only she knows.
2. Authorization. Authorization is providing permission or approval to specific technology
resources. After a person has provided authentication she may have the authority to
access the credit card number or enter a room that contains the web server, provided
she has been given prior authorization.
3. Accounting. Accounting provides tracking of events. This may include a record of who
accessed the web server, from what location, and at what specific time.
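The online-purchase scenario used for the CIA and AAA lists above, worked through in code. This is an added example, not code from the textbook: it shows integrity (an HMAC tag that exposes the $10,000.00 to $1.00 change), authentication (a salted PBKDF2 password hash compared in constant time), authorization (role-to-permission mapping) and accounting (an audit record of who did what, from where, and when). The user names, passwords, roles, IP address and the server-side key are constructed for illustration; confidentiality (encrypting the stored card number) is left out to keep the example to the standard library.

```python
"""Added example: integrity (CIA) plus authentication, authorization and
accounting (AAA) for the online-purchase scenario. Standard library only."""
import hashlib
import hmac
import json
import os
import time

# Constructed server-side secret used to seal order records (hypothetical value).
INTEGRITY_KEY = b"constructed-server-secret-do-not-reuse"
PBKDF2_ROUNDS = 200_000


def make_user(password, roles):
    """Store a salted PBKDF2-SHA256 hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "roles": set(roles)}


# Constructed user store: a customer and a warehouse employee (hypothetical accounts).
USERS = {
    "ellie": make_user("correct horse battery staple", {"customer"}),
    "warehouse": make_user("ship-it-2015", {"warehouse"}),
}

# Constructed permission table: which roles may perform which action.
PERMISSIONS = {
    "view_card_number": {"customer"},
    "view_order_contents": {"warehouse", "customer"},
}

AUDIT_LOG = []


def record(event, user, **details):
    """Accounting: append who did what, from where, and at what time."""
    AUDIT_LOG.append({"ts": time.time(), "event": event, "user": user, **details})


def authenticate(user, password, source_ip):
    """Authentication: prove the caller knows the password for this account."""
    entry = USERS.get(user)
    if entry is None:
        record("auth_fail", user, ip=source_ip, reason="unknown user")
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), entry["salt"], PBKDF2_ROUNDS)
    ok = hmac.compare_digest(candidate, entry["hash"])  # constant-time compare
    record("auth_ok" if ok else "auth_fail", user, ip=source_ip)
    return ok


def authorize(user, action):
    """Authorization: an authenticated user may only do what a role permits."""
    entry = USERS.get(user)
    roles = entry["roles"] if entry else set()
    allowed = bool(roles & PERMISSIONS.get(action, set()))
    record("authz", user, action=action, allowed=allowed)
    return allowed


def seal_order(order):
    """Integrity: attach an HMAC-SHA256 tag so any change to the order is detectable."""
    payload = json.dumps(order, sort_keys=True).encode()
    tag = hmac.new(INTEGRITY_KEY, payload, "sha256").hexdigest()
    return {"order": order, "tag": tag}


def verify_order(sealed):
    """Recompute the tag over the current record and compare in constant time."""
    payload = json.dumps(sealed["order"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, payload, "sha256").hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo():
    """Run the scenario end to end and return the observable outcomes."""
    results = {}
    results["auth_ok"] = authenticate("ellie", "correct horse battery staple", "203.0.113.5")
    results["auth_bad"] = authenticate("ellie", "wrong password", "203.0.113.5")
    results["warehouse_sees_card"] = authorize("warehouse", "view_card_number")
    results["warehouse_sees_order"] = authorize("warehouse", "view_order_contents")
    sealed = seal_order({"customer": "ellie", "amount": "10000.00", "items": 3})
    results["intact"] = verify_order(sealed)
    sealed["order"]["amount"] = "1.00"  # an attacker alters the purchase amount
    results["tampered_detected"] = not verify_order(sealed)
    results["audit_events"] = len(AUDIT_LOG)
    return results


if __name__ == "__main__":
    print(demo())
    for event in AUDIT_LOG:
        print(event)
```

The warehouse account can read the order contents (availability to the authorized party) but not the card number (confidentiality), every decision lands in the audit log, and the altered amount fails verification because the tag was computed over the original record with a key the attacker does not hold.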
Yet information security involves more than protecting the information itself. Because this
information is stored on computer hardware, manipulated by software, and transmitted by
communications, each of these areas must also be protected. The third objective of information security is to protect the integrity, confidentiality, and availability of information on the
devices that store, manipulate, and transmit the information.
Information security is achieved through a process that is a combination of three entities. As
shown in Figure 1-3 and Table 1-3, information and the hardware, software, and communications are protected in three layers: products, people, and policies and procedures. These
three layers interact with each other: procedures enable people to understand how to use products to protect information.
A comprehensive definition of information security involves both the goals and process.
Information security may be defined as that which protects the integrity, confidentiality, and
availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures.
Information Security Terminology
As with many advanced subjects, information security has its own set of terminology. The
following scenario helps to illustrate information security terms and how they are used.
Suppose that Ellie wants to purchase a new motorized Italian scooter to ride from her apartment to school and work. However, because several scooters have been stolen near her
apartment she is concerned about its protection. Although she parks the scooter in the gated
parking lot in front of her apartment, a hole in the fence surrounding the apartment complex
makes it possible for someone to access the parking lot without restriction. Ellie’s scooter and
the threat to it are illustrated in Figure 1-4.
Ellie’s new scooter is an asset, which is defined as an item that has value. In an organization,
assets have the following qualities: they provide value to the organization; they cannot easily
be replaced without a significant investment in expense, time, worker skill, and/or resources;
and they can form part of the organization’s corporate identity. Based on these qualities not
all elements of an organization’s information technology infrastructure may be classified as
an asset. For example, a faulty desktop computer that can easily be replaced would generally
not be considered an asset, yet the information contained on that computer can be an asset.
Table 1-4 lists a description of the elements of an organization’s information technology
infrastructure and whether or not they would normally be considered as an asset.
Figure 1-3 Information security layers (outer to inner: policies and procedures, labeled organizational security; people, labeled personnel security; products, labeled physical security; at the center, information with its confidentiality, integrity, and availability, supported by hardware, software, and communications)
Layer | Description
Products | Form the security around the data. May be as basic as door locks or as complicated as network security equipment.
People | Those who implement and properly use security products to protect data.
Policies and procedures | Plans and policies established by an organization to ensure that people correctly use the products.
Table 1-3 Information security layers
What Ellie is trying to protect her scooter from is a threat, which is a type of action that has
the potential to cause harm. Information security threats are events or actions that represent
a danger to information assets. A threat by itself does not mean that security has been compromised; rather, it simply means that the potential for creating a loss is real. For Ellie the
Figure 1-4 Information security components analogy (labels: scooter = asset; thief = threat agent; fence hole = vulnerability; going through the fence hole = exploit; loss of scooter = threat; stolen scooter = risk)
Element name | Description | Example | Critical asset?
Information | Data that has been collected, classified, organized, and stored in various forms | Customer, personnel, production, sales, marketing, and finance databases | Yes: extremely difficult to replace
Customized business software | Software that supports the business processes of the organization | Customized order transaction application | Yes: unique and customized for the organization
System software | Software that provides the foundation for application software | Operating system | No: can be easily replaced
Physical items | Computer equipment, communications equipment, storage media, furniture, and fixtures | Servers, routers, DVDs, and power supplies | No: can be easily replaced
Services | Outsourced computing services | Voice and data communications | No: can be easily replaced
Table 1-4 Information technology assets
threat could result in the theft of her scooter; in information security a threat can result in the
corruption or theft of information, a delay in information being transmitted, or even the loss
of good will or reputation.
A threat agent is a person or element that has the power to carry out a threat. For Ellie the
threat agent is a thief. In information security, a threat agent could be a person attempting to
break into a secure computer network. It could also be a force of nature such as a hurricane
that could damage computer equipment and thus destroy information, or it could be malicious software that attacks the computer network.
Ellie wants to protect her scooter and is concerned about a hole in the fencing around her
apartment. The hole in the fencing is a vulnerability, which is a flaw or weakness that allows
a threat agent to bypass security. An example of a vulnerability that information security
must deal with is a software defect in an operating system that allows an unauthorized user
to gain control of a computer without the user’s knowledge or permission.
If a thief can get to Ellie’s scooter because of the hole in the fence, then that thief is taking
advantage of the vulnerability. This is known as exploiting the vulnerability, and the path by
which the attack is carried out is the threat vector, the means by which an attack can occur. An
attacker who knows that a flaw in a web server’s operating system has not been patched, and
who uses that flaw to steal user passwords, is exploiting the vulnerability through that threat vector.
Ellie must make a decision: what is the probability (threat likelihood) that the threat will
come to fruition and her scooter stolen? This can be understood in terms of risk. A risk is a
situation that involves exposure to some type of danger.
Sometimes risk is illustrated by the calculation:
Risk = Consequence × Vulnerability × Threat Likelihood.
There are different options available when dealing with risks:
Risk avoidance. Risk avoidance involves identifying the risk but making the decision
to not engage in the activity. Ellie could decide based on the risk of the scooter being
stolen that she will not purchase the new scooter.
Acceptance. Acceptance simply means that the risk is acknowledged but no steps are
taken to address it. In Ellie’s case, she could accept the risk and buy the new scooter,
knowing there is the chance of it being stolen by a thief entering through a hole in the
fence.
Mitigation. Risk mitigation is the attempt to address the risks by making risk less
serious. Ellie could complain to the apartment manager about the hole in the fence in
order to have it repaired.
Deterrence. If the apartment manager posted signs in the area that said “Trespassers
will be punished to the full extent of the law” this would be an example of risk deterrence. Risk deterrence involves understanding something about the attacker and then
informing him of the harm that may come his way if he attacks an asset.
Transference. Ellie could transfer the risk to a third party. She can do this by
purchasing insurance so that the insurance company absorbs the loss and pays if the
scooter is stolen. This is known as risk transference.
Table 1-5 summarizes these information security terms.
Understanding the Importance of Information Security
Information security is important to organizations as well as to individuals. That is because
information security can be helpful in preventing data theft, thwarting identity theft, avoiding
the legal consequences of not securing information, maintaining productivity, and foiling
cyberterrorism.
Term | Example in Ellie’s scenario | Example in information security
Asset | Scooter | Employee database
Threat | Steal scooter | Steal data
Threat agent | Thief | Attacker, hurricane
Vulnerability | Hole in fence | Software defect
Threat vector | Climb through hole in fence | Access web server passwords through flaw in operating system
Threat likelihood | Probability of scooter stolen | Likelihood of virus infection
Risk | Exposure to losing the scooter (one response: do not purchase it) | Exposure to losing the data (one response: do not install a wireless network)
Table 1-5 Information security terminology
Preventing Data Theft Security is often associated with theft prevention: Ellie could
park her scooter in a locked garage in order to prevent it from being stolen. The same is
true with information security: preventing data from being stolen is often cited by organizations as a primary objective of their information security. Business data theft involves stealing proprietary business information, such as research for a new drug or a list of customers
that competitors would be eager to acquire.
Yet data theft is not limited to businesses. Individuals are often victims of data thievery. One
type of personal data that is a prime target of attackers is credit card numbers. These can be
used to purchase thousands of dollars of merchandise online—without having the actual
card—before the victim is even aware the number has been stolen.
The extent to which stolen credit card numbers are available can be
seen in the price that online thieves charge each other for stolen
card numbers. Because credit card numbers are so readily available,
1000 stolen card numbers can be purchased for as little as $6.[17]
Thwarting Identity Theft Identity theft involves stealing another person’s personal
information, such as a Social Security number, and then using the information to impersonate the victim, generally for financial gain. The thieves often create new bank or credit card
accounts under the victim’s name and then large purchases are charged to these accounts,
leaving the victim responsible for the debts and ruining her credit rating.
In some instances, thieves have bought cars and even houses by
taking out loans in someone else’s name.
One rapidly growing area of identity theft involves identity thieves filing fictitious income
tax returns with the U.S. Internal Revenue Service (IRS). According to the IRS, in one year
it delivered more than $5 billion in refund checks to identity thieves who filed fraudulent
tax returns. Although the IRS detected and stopped about 940,000 fraudulent returns for
that year, claiming $6.5 billion in refunds, 1.5 million undetected false returns were
processed. These were filed by thieves seeking refunds after assuming the identity of a dead
person, child, or someone else who normally would not file a tax return. It is estimated that
identity theft based on tax returns could increase by another $21 billion through 2017.
IRS investigators found that a single address in Lansing, Michigan,
was used to file 2137 separate tax returns, and the IRS issued more
than $3.3 million in refunds to that address. In another instance the
IRS deposited 590 refunds totaling more than $900,000 into a single
bank account.[18]
Avoiding Legal Consequences Several federal and state laws have been enacted to
protect the privacy of electronic data. Businesses that fail to protect data they possess may
face serious financial penalties. Some of these laws include the following:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under the
Health Insurance Portability and Accountability Act (HIPAA), health care enterprises
must guard protected health care information and implement policies and procedures
to safeguard it, whether it be in paper or electronic format. Those who wrongfully
disclose individually identifiable health information can be fined up to $50,000 for
each violation up to a maximum of $1.5 million per calendar year and sentenced up
to 10 years in prison.
In 2013 the HIPAA regulations were expanded to include all third-party “business associate” organizations that handle protected health
care information. Business associates are defined as any subcontractor
that creates, receives, maintains, or transmits protected health information on behalf of a covered HIPAA entity. These associates must
now comply with the same HIPAA security and privacy procedures.
The Sarbanes-Oxley Act of 2002 (Sarbox). As a reaction to a rash of corporate fraud,
the Sarbanes-Oxley Act (Sarbox) is an attempt to fight corporate corruption. Sarbox
covers the corporate officers, auditors, and attorneys of publicly traded companies.
Stringent reporting requirements and internal controls on electronic financial
reporting systems are required. Corporate officers who willfully and knowingly certify
a false financial report can be fined up to $5 million and serve 20 years in prison.
The Gramm-Leach-Bliley Act (GLBA). Like HIPAA, the Gramm-Leach-Bliley Act
(GLBA) passed in 1999 protects private data. GLBA requires banks and financial
institutions to alert customers of their policies and practices in disclosing customer
information. All electronic and paper data containing personally identifiable financial
information must be protected. The penalty for noncompliance for a class of
individuals is up to $500,000.
Payment Card Industry Data Security Standard (PCI DSS). The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that all companies
that process, store, or transmit credit card information must follow. PCI applies to
any organization or merchant, regardless of its size or number of card transactions,
that processes transactions either online or in person. The maximum penalty for not
complying is $100,000 per month.
California’s Database Security Breach Notification Act (2003). California’s Database
Security Breach Notification Act was the first state electronic privacy law that covers
any state agency, person, or company that does business in California. It requires
businesses to notify affected California residents, in the most expedient time possible
and without unreasonable delay, if a breach of personal information has occurred or is
reasonably believed to have occurred. Personal information is defined as a
name with a Social Security number, driver’s license number, state ID card, account
number, credit card number, or debit card number and required security access codes.
Since this act was passed by California in 2003, all other states now have similar laws
with the exception of Alabama, Kentucky, New Mexico, and South Dakota.
The penalties for violating these laws can be sizeable. Businesses must make every effort to
keep electronic data secure from hostile outside forces to ensure compliance with these laws
and avoid serious legal consequences.
Maintaining Productivity Cleaning up after an attack diverts time, money, and other
resources away from normal activities. Employees cannot be productive and complete
important tasks during or after an attack because computers and networks cannot function
properly. Table 1-6 provides a sample estimate of the lost wages and productivity during an
attack and the subsequent cleanup.
Number of total employees | Average hourly salary | Number of employees to combat attack | Hours required to stop attack and clean up | Total lost salaries | Total lost hours of productivity
100 | $25 | 1 | 48 | $4066 | 81
250 | $25 | 3 | 72 | $17,050 | 300
500 | $30 | 5 | 80 | $28,333 | 483
1000 | $30 | 10 | 96 | $220,000 | 1293
Table 1-6 Cost of attacks (sample estimate)
The single most expensive malicious attack was the Love Bug in
2000, which cost an estimated $8.7 billion.[19]
Foiling Cyberterrorism The FBI defines cyberterrorism as any “premeditated, politically motivated attack against information, computer systems, computer programs, and data
which results in violence against noncombatant targets by subnational groups or clandestine
agents.”[20] Unlike an attack that is designed to steal information or erase a user’s hard disk
drive, cyberterrorism attacks are intended to cause panic or provoke violence among citizens.
Attacks are directed at targets such as the banking industry, power plants, air traffic control
centers, and water systems. These are desirable targets because they can significantly disrupt
the normal activities of a large population. For example, disabling an electrical power plant
could cripple businesses, homes, transportation services, and communications over a wide
area. Yet one of the challenges in combatting cyberterrorism is that many of the prime targets
are not owned and managed by the federal government. Because these are not centrally controlled, it is difficult to coordinate and maintain security.
The Department of Homeland Security has identified 7200 key industrial control systems that are part of the critical infrastructure and are
directly connected to the Internet, making them vulnerable to cyberterrorism attacks. In one year a 52 percent increase in attacks
resulted in 198 directed attacks against these systems, resulting in
several successful break-ins.[21]
Who Are the Attackers?
In the past the term hacker referred to a person who used advanced computer skills to
attack computers. Yet because that title often carried with it a negative connotation, it was
qualified in an attempt to distinguish between different types of attackers. Black hat
hackers were those attackers who violated computer security for personal gain (such as to
steal credit card numbers) or to inflict malicious damage (corrupt a hard drive). White hat
hackers were described as “ethical attackers”: with an organization’s permission they
would attempt to probe a system for any weaknesses and then privately provide information
back to that organization about any uncovered vulnerabilities. In between were gray hat
hackers who would attempt to break into a computer system without the organization’s permission (an illegal activity) but not for their own advantage; instead, they would publicly
disclose the vulnerability in order to shame the organization into taking action.
However, these “hat” titles did not always accurately reflect the different motives and goals of
the attackers and are not widely used in the security community. Instead, more descriptive categories of attackers are used, including cybercriminals, script kiddies, brokers, insiders, cyberterrorists, hacktivists, and state-sponsored attackers.
Cybercriminals
The generic term cybercriminals is often used to describe individuals who launch attacks against other users and their computers (another generic word is simply attackers). However, strictly speaking, cybercriminals are a loose network of attackers, identity thieves, and financial fraudsters who are highly motivated, less risk-averse, well-funded, and tenacious. Some security experts believe that many cybercriminals belong to organized gangs of young attackers, often clustered in Eastern European, Asian, and Third World regions.
Cybercriminals often meet in online “underground” forums to trade
information and coordinate attacks.
Instead of attacking a computer to show off their technology skills (fame), cybercriminals have
a more focused goal of financial gain (fortune): cybercriminals exploit vulnerabilities to steal
information or launch attacks that can generate income. This difference makes the new attackers more dangerous and their attacks more threatening. These targeted attacks against financial networks and the theft of personal information are sometimes known as cybercrime.
Financial cybercrime is often divided into two categories. The first category focuses on individuals and businesses. Cybercriminals steal data such as credit card numbers, online financial account information, or Social Security numbers and use it to profit from their victims or to send
millions of spam emails to peddle counterfeit drugs, pirated software, fake watches, and
pornography.
The second category focuses on businesses and governments. Cybercriminals attempt to steal
research on a new product from a business so that they can sell it to an unscrupulous foreign
supplier who will then build an imitation model of the product to sell worldwide. This
deprives the legitimate business of profits after investing hundreds of millions of dollars in
product development, and because these foreign suppliers are in a different country they are
beyond the reach of domestic enforcement agencies and courts. Governments are also the targets of cybercriminals: if the latest information on a new missile defense system can be stolen
it can be sold—at a high price—to that government’s enemies.
Some security experts maintain that East European cybercriminals are
mostly focused on activities to steal money from individuals and businesses, whereas cybercriminals from East Asia are more interested in
stealing data from governments or businesses. This results in different approaches to their attacks. East European cybercriminals tend
to use custom-built, highly complex malware while East Asian attackers use off-the-shelf malware and simpler techniques. Also East European attackers work in small, tightly knit teams that directly profit
from their attacks. East Asian cybercriminals usually are part of a
larger group of attackers who work at the direction of large institutions from which they receive instructions and financial backing.
The attacks by these well-resourced and trained cybercriminals often result in multiyear intrusion campaigns targeting highly sensitive economic, proprietary, or national security information. This has created a new class of attacks called Advanced Persistent Threat (APT).
Cybercriminals are successful with APTs because they use advanced tools and techniques
that can defeat many conventional computer defenses.
Script Kiddies
Script kiddies are individuals who want to attack computers yet they lack the knowledge of
computers and networks needed to do so. Script kiddies instead do their work by downloading automated attack software (scripts) from websites and using it to perform malicious acts.
Figure 1-5 illustrates the skills needed for creating attacks. Over 40 percent of attacks require
low or no skills and are frequently conducted by script kiddies.
Figure 1-5 Skills needed for creating attacks: No skills (13%), Low skills (28%), Moderate skills (44%), High skills (15%)
Today script kiddies can acquire entire exploit kits from other attackers to easily craft an
attack. Script kiddies can either rent or purchase the kit from its authors and then specify
various options to customize their attacks.
It is estimated that three out of every four Internet-based attacks
originate from exploit kits.22
Brokers
In recent years several software vendors have started financially rewarding individuals who uncover vulnerabilities in their software and then privately report them back to the vendors so that the weaknesses can be addressed. Some vendors even sponsor annual competitive contests and handsomely pay those who can successfully attack their software.
One security researcher earned over $31,000 in a “bug bounty”
program for uncovering three vulnerabilities.23
However, other individuals who uncover vulnerabilities do not report them to the software vendor but instead sell them to the highest bidder. Known as brokers, these attackers sell their knowledge of a vulnerability to other attackers or even governments. These buyers are generally willing to pay a high price because the vulnerability is unknown to the software vendor and thus is unlikely to be “patched” until after new attacks based on it are already widespread.
Insiders
Another serious threat to an organization actually comes from an unlikely source: its employees, contractors, and business partners, often called insiders. For example, a health care
worker disgruntled over an upcoming job termination might illegally gather health records
on celebrities and sell them to the media, or a securities trader who loses billions of dollars
on bad stock bets could use her knowledge of the bank’s computer security system to conceal
the losses through fake transactions. In one study of 900 cases of business “data leakage,”
over 48 percent of the breaches were attributed to insiders who abused their right to access
corporate information.24 These attacks are harder to recognize because they come from
within the organization yet may be more costly than attacks from the outside.
Most malicious insider attacks consist of the sabotage or theft of intellectual property. One
study revealed that most cases of sabotage come from employees who have announced their
resignation or have been formally reprimanded, demoted, or fired. When theft is involved,
the offenders are usually salespeople, engineers, computer programmers, or scientists who
actually believe that the accumulated data is owned by them and not the organization (most
of these thefts occur within 30 days of the employee resigning). In some instances the employees are moving to a new job and want to take “their work” with them, while in other cases
the employees have been bribed or coerced into stealing the data. In about 8 percent of the incidents of theft, employees have been pressured into stealing from their employer through blackmail or the threat of violence.25
In recent years insiders who worked either directly or indirectly for a
government have stolen large volumes of sensitive information and
then published it. The purpose is to alert its citizens of clandestine
governmental actions and to pressure the government to change its
policies.
Cyberterrorists
Many security experts fear that terrorists will turn their attacks to a nation’s network and
computer infrastructure to cause disruption and panic among citizens. Known as cyberterrorists, their motivation is ideological, attacking for the sake of their principles or beliefs. Cyberterrorists may be the attackers that are most feared, for it is almost impossible to predict
when or where an attack may occur. Unlike cybercriminals who continuously probe systems
or create attacks, cyberterrorists can be inactive for several years and then suddenly strike in
a new way. Their targets may include a small group of computers or networks that can affect
the largest number of users, such as the computers that control the electrical power grid of a
state or region.
One cyberterrorist attack directed at three broadcast networks and
four major banks in South Korea resulted in disruptions that were
designated as “moderate to severe.” The source behind the attacks
may have been from North Korea as retaliation for a significant and
prolonged Internet outage that North Korea suffered, which was
blamed on South Korea.
Hactivists
Another group motivated by ideology is hactivists. Unlike cyberterrorists who launch attacks
against foreign nations to incite panic, hactivists (a combination of the words hack and activism) are generally not as well-defined. Attacks by hactivists can involve breaking into a website and changing the contents on the site as a means of making a political statement against
those who oppose their beliefs. In addition to attacks as a means of protest or to promote a
political agenda, other attacks can be retaliatory. For example, hactivists may disable the
website belonging to a bank because that bank stopped accepting online payments that were
deposited into accounts belonging to the hactivists.
State-Sponsored Attackers
Instead of using an army to march across the battlefield to strike an adversary, governments are using state-sponsored attackers for launching computer attacks against their
foes. In recent years the work of some attackers appears to have been sponsored by different governments. These attackers target foreign governments or even citizens of the government who are considered hostile or threatening. The following are several examples of
these attacks:
The malware known as Flame appears to target computers in Middle Eastern
countries. One of Flame’s most ingenious tricks, which had many security researchers
in awe, created a fake Microsoft electronic document so that Flame appeared to be an
update from Microsoft and was easily distributed to any Windows computer.
Perhaps the most infamous government-backed malware to date was called Stuxnet.
This malware actively targeted Windows computers that managed large-scale
industrial-control systems used at military installations, oil pipeline control systems,
manufacturing environments, and nuclear power plants. At first it was thought that
Stuxnet took advantage of a single previously unknown software vulnerability. Upon
closer inspection, it was found that Stuxnet exploited four unknown vulnerabilities,
something never seen before.
It is estimated that more than 300,000 Iranian citizens were having their email
messages read without their knowledge by the Iranian government seeking to locate
and crack down on dissidents. It appears that the government used stolen electronic
documents to permit its spies to log in directly to the email mailboxes of the victims
and read any stored emails. In addition, another program could pinpoint the exact
location of the victim.
Table 1-7 lists several characteristics of these different attackers.
Attacker category         | Objective                                    | Typical target                 | Sample attack
Cybercriminals            | Fortune over fame                            | Users, businesses, governments | Steal credit card information
Script kiddies            | Thrills, notoriety                           | Businesses, users              | Erase data
Brokers                   | Sell vulnerability to highest bidder         | Any                            | Find vulnerability in operating system
Insiders                  | Retaliate against employer, shame government | Governments, businesses        | Steal documents to publish sensitive information
Cyberterrorists           | Cause disruption and panic                   | Businesses                     | Cripple computers that control water treatment
Hactivists                | To right a perceived wrong against them      | Governments, businesses        | Disrupt financial website
State-sponsored attackers | Spy on citizens, disrupt foreign government  | Users, governments             | Read user’s email messages
Table 1-7 Characteristics of attackers
Attacks and Defenses
Although a wide variety of attacks can be launched against a computer or network, the
same basic steps are used in most attacks. Protecting computers against these steps in an
attack calls for following five fundamental security principles.
Steps of an Attack
A kill chain is a military term used to describe the systematic process to target and engage an enemy. An attacker who attempts to break into a web server or computer network actually follows these same steps. Known as the Cyber Kill Chain®, it outlines these steps of an attack:
The Cyber Kill Chain was first introduced by researchers at Lockheed
Martin in 2011. The company later trademarked the term “Cyber Kill
Chain.”
1. Reconnaissance. The first step in an attack is to probe for any information about the
system: the type of hardware used, version of operating system software, and even
personal information about the users. This can reveal if the system is a viable target for
an attack and how it could be attacked.
2. Weaponization. The attacker creates an exploit (like a virus) and packages it into a
deliverable payload (like a Microsoft Excel spreadsheet) that can be used against the
target.
3. Delivery. At this step the weapon is transmitted to the target, such as by an email
attachment or through an infected web server.
4. Exploitation. After the weapon is delivered to the victim, the exploitation stage triggers
the intruders’ exploit. Generally the exploitation targets an application or operating
system vulnerability, but it also could involve tricking the user into taking a specific
action.
5. Installation. At this step the weapon is installed to either attack the computer or install
a remote “backdoor” so the attacker can access the system.
6. Command and Control. Many times the compromised system connects back to the
attacker so that the system can be remotely controlled by the attacker and receive future
instructions.
7. Actions on Objectives. Now the attackers can start to take actions to achieve their
original objectives, such as stealing user passwords or launching attacks against other
computers.
These steps of an attack are illustrated in Figure 1-6.
The underlying purpose of the Cyber Kill Chain is to illustrate that
attacks are an integrated and end-to-end process like a “chain.” Disrupting any one of the steps will interrupt the entire attack process,
but the ability to disrupt the early steps of the chain is the most
effective and least costly.
Figure 1-6 Cyber Kill Chain®: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objectives
Cyber Kill Chain is a registered trademark of Lockheed Martin Corporation.
Defenses Against Attacks
Although multiple defenses may be necessary to withstand an attack, these defenses should
be based on five fundamental security principles: layering, limiting, diversity, obscurity, and
simplicity. These principles provide a foundation for building a secure system.
Layering The Crown Jewels of England, which are worn during coronations and important state functions, have a dollar value of over $32 million yet are virtually priceless as
symbols of English culture. How are precious stones like the Crown Jewels protected from
theft? They are not openly displayed on a table for anyone to pick up. Instead, they are
enclosed in protective cases with 2-inch thick glass that is bullet-proof, smash-proof, and
resistant to almost any outside force. The cases are located in a special room with massive
walls and sensors that can detect slight movements or vibrations. The doors to the room
are monitored around the clock by remote security cameras, and the video images from
each camera are recorded. The room itself is in the Tower of London, surrounded by roaming guards and fences. In short, these precious stones are protected by layers of security. If
one layer is penetrated—such as the thief getting into the building—several more layers
must still be breached, and each layer is often more difficult or complicated than the
previous. A layered approach has the advantage of creating a barrier of multiple defenses
that can be coordinated to thwart a variety of attacks.
The Jewel House, which holds the Crown Jewels in the Tower of
London, is actually located inside an Army barracks that is staffed
with soldiers.
Likewise, information security must be created in layers. If only one defense mechanism
is in place, an attacker only has to circumvent that single defense. Instead, a security
system must have layers, making it unlikely that an attacker has the tools and skills
to break through all the layers of defenses. A layered approach also can be useful in
resisting a variety of attacks. Layered security provides the most comprehensive
protection.
Limiting Consider again protecting the Crown Jewels of England. Although the jewels
may be on display for the general public to view, permitting anyone to touch them increases
the chances that they will be stolen. Only approved personnel should be authorized to handle the jewels. Limiting who can access the jewels reduces the threat against them.
The same is true with information security. Limiting access to information reduces the threat
against it. This means that only those personnel who must use the data should have access
to it. In addition, the type of access they have should be limited to what those people need
to perform their jobs. For example, access to the human resource database for an organization should be limited to only employees who have a genuine need to access it, such as
human resource personnel or vice presidents. And, the type of access also should be
restricted: human resource employees may be able to view employee salaries but not change
them.
What level of access should users have? The correct answer is the
least amount necessary to do their jobs, and no more.
Some ways to limit access are technology-based (such as assigning file permissions so that a
user can only read but not modify a file), while others are procedural (prohibiting an
employee from removing a sensitive document from the premises). The key is that access
must be restricted to the bare minimum.
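As an added example (not from the textbook), the following Python models the limiting principle for the human resource database scenario above: access is denied by default, each role is granted only the operations it needs, and viewing a salary is restricted separately from changing it, with every decision recorded for accounting. The roles, fields, employee record and the payroll_manager role are assumptions made for this example.

```python
# Added example (not from the textbook): the "limiting" principle applied to
# the chapter's human-resources database scenario. Access is denied by
# default, each role gets only the operations it needs, and the type of
# access (view versus change) is restricted separately from who may access
# the data at all. Roles, fields and the employee record are constructed for
# illustration; "payroll_manager" is an assumed role so that some role can
# legitimately change a salary.
from dataclasses import dataclass, field
from typing import Dict, List, Set

VIEW = "view"
CHANGE = "change"

# Permission matrix: role -> field -> operations that role may perform.
# Anything absent from this table is denied (deny by default).
PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "hr_staff":        {"name": {VIEW}, "salary": {VIEW}, "address": {VIEW, CHANGE}},
    "vice_president":  {"name": {VIEW}, "salary": {VIEW}},
    "payroll_manager": {"name": {VIEW}, "salary": {VIEW, CHANGE}},  # assumed role
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(role: str, operation: str, field_name: str) -> Decision:
    """Deny-by-default check: a role gets exactly the operations listed for it."""
    role_perms = PERMISSIONS.get(role)
    if role_perms is None:
        return Decision(False, f"role '{role}' has no access to HR data")
    if operation not in role_perms.get(field_name, set()):
        return Decision(False, f"role '{role}' may not {operation} '{field_name}'")
    return Decision(True, "granted")


@dataclass
class HRDatabase:
    records: Dict[str, Dict[str, object]]
    # Accounting: every access decision, allowed or denied, is written here.
    audit_log: List[str] = field(default_factory=list)

    def _guard(self, role: str, operation: str, employee: str, field_name: str) -> None:
        decision = authorize(role, operation, field_name)
        verdict = "ALLOW" if decision.allowed else "DENY"
        self.audit_log.append(
            f"{verdict} role={role} op={operation} employee={employee} "
            f"field={field_name} ({decision.reason})"
        )
        if not decision.allowed:
            raise PermissionError(decision.reason)

    def view(self, role: str, employee: str, field_name: str) -> object:
        self._guard(role, VIEW, employee, field_name)
        return self.records[employee][field_name]

    def change(self, role: str, employee: str, field_name: str, value: object) -> object:
        self._guard(role, CHANGE, employee, field_name)
        self.records[employee][field_name] = value
        return value


def demo() -> Dict[str, object]:
    """Walk through the textbook scenario and return the outcome of each request."""
    db = HRDatabase(records={
        "e1001": {"name": "A. Example", "salary": 72000, "address": "1 Sample St"},
    })
    outcomes: Dict[str, object] = {}

    # HR personnel have a genuine need to see salaries ...
    outcomes["hr_views_salary"] = db.view("hr_staff", "e1001", "salary")
    # ... but their type of access is limited: viewing, not changing.
    try:
        db.change("hr_staff", "e1001", "salary", 99000)
        outcomes["hr_changes_salary"] = True
    except PermissionError:
        outcomes["hr_changes_salary"] = False
    # A vice president may view a salary.
    outcomes["vp_views_salary"] = db.view("vice_president", "e1001", "salary")
    # A role with no listed need (here, an engineer) is denied even a name lookup.
    try:
        db.view("engineer", "e1001", "name")
        outcomes["engineer_views_name"] = True
    except PermissionError:
        outcomes["engineer_views_name"] = False
    # Only the (assumed) payroll role may actually change the salary.
    outcomes["payroll_changes_salary"] = db.change("payroll_manager", "e1001", "salary", 99000)
    outcomes["salary_after"] = db.records["e1001"]["salary"]
    outcomes["audit_entries"] = len(db.audit_log)  # one entry per request, allowed or denied
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```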
Diversity Diversity is closely related to layering. Just as it is important to protect data
with layers of security, the layers also must be different (diverse). This means that if attackers penetrate one layer, they cannot use the same techniques to break through all other
layers. A jewel thief, for instance, might be able to foil the security camera by dressing in
black clothing but should not be able to use the same technique to trick the motion detection system. Using diverse layers of defense means that breaching one security layer does
not compromise the whole system.
Information security diversity may be achieved in several ways. For example, some organizations use security products provided by different manufacturers. An attacker who can circumvent a security device from Manufacturer A could then use those same skills and knowledge to defeat all of the same devices used by the organization. However, if devices from
Manufacturer A and similar devices from Manufacturer B were both used by the same organization, the attacker would have more difficulty trying to break through both types of
devices because they would be different.
Obscurity Suppose a thief plans to steal the Crown Jewels during a shift change of
the security guards. When the thief observes the guards, however, she finds that the
guards do not change shifts at the same time each night. On a given Monday they rotate
shifts at 2:13 AM, while on Tuesday they rotate at 1:51 AM, and the following Monday
at 2:24 AM. Because the shift changes cannot be known for certain in advance, the
planned attack cannot be carried out. This technique is sometimes called security by
obscurity: obscuring to the outside world what is on the inside makes attacks that
much more difficult.
An example of obscurity in information security would be not revealing the type of computer, version of operating system, or brand of software that is used. An attacker who
knows that information could use it to determine the vulnerabilities of the system to attack
it. However, if this information is concealed it is more difficult to attack the system, since
nothing is known about it and it is hidden from the outside. Obscuring information can be
an important means of protection.
Although obscurity is an important element of defense, it is not
the only element. Sometimes the design or implementation of a
device is kept secret with the thinking that if attackers do not
know how it works, then it is secure. This attempt at “security
through obscurity” is flawed because it depends solely on secrecy
as a defense.
Simplicity Because attacks can come from a variety of sources and in many ways,
information security is by its very nature complex. Yet the more complex it becomes,
the more difficult it is to understand. A security guard who does not understand how
motion detectors interact with infrared trip lights may not know what to do when one
system alarm shows an intruder but the other does not. In addition, complex systems
allow many opportunities for something to go wrong. In short, complex systems can be
a thief’s ally.
The same is true with information security. Complex security systems can be hard to
understand, troubleshoot, and even feel secure about. As much as possible, a secure system should be simple for those on the inside to understand and use. Complex security
schemes are often compromised to make them easier for trusted users to work with, yet
this can also make it easier for the attackers. In short, keeping a system simple from
the inside, but complex on the outside, can sometimes be difficult but reaps a major
benefit.
Chapter Summary
Attacks against information security have grown exponentially in recent years, despite
the fact that billions of dollars are spent annually on security. No computer system is
immune from attacks or can be considered completely secure.
It is difficult to defend against today’s attacks for several reasons. These reasons
include the fact that virtually all devices are connected to the Internet, the speed of the
attacks, greater sophistication of attacks, the availability and simplicity of attack
tools, faster detection of vulnerabilities by attackers, delays in security updating, weak
security update distribution, distributed attacks coming from multiple sources, and
user confusion.
Information security may be defined as that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit
the information through products, people, and procedures. As with many advanced
subjects, information security has its own set of terminology. A threat is an event or
action that represents a danger to information assets, which is something that has
value. A threat agent is a person or element that has the power to carry out a threat,
usually by exploiting a vulnerability, which is a flaw or weakness, through a threat
vector. A risk is the likelihood that a threat agent will exploit the vulnerability.
The main goals of information security are to prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain productivity, and foil cyberterrorism.
The types of people behind computer attacks fall into several categories. The generic
term cybercriminals describes individuals who launch attacks against other users
and their computers. Script kiddies do their work by downloading automated attack
software from websites and then using it to break into computers. A broker
uncovers a vulnerability and then sells this knowledge to other attackers or governments. One of the largest information security threats to a business actually comes
from its employees, contractors, and business partners, known as insiders. Cyberterrorists are motivated by their principles and beliefs, and turn their attacks to the
network and computer infrastructure to cause panic among citizens. Another group
motivated by ideology is hactivists, although they are generally not as well-defined.
Governments are using state-sponsored attackers for launching computer attacks
against their foes.
There are a variety of types of attacks. Seven general steps make up an attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control,
and actions on objectives. Although multiple defenses may be necessary to withstand
the steps of an attack, these defenses should be based on five fundamental security
principles: layering, limiting, diversity, obscurity, and simplicity.
Key Terms
acceptance Acknowledging a risk but taking no action to address it.
accounting The ability that provides tracking of events.
Multiyear intrusion campaign that targets highly
sensitive economic, proprietary, or national security information.
Advanced Persistent Threat (APT)
asset
An item that has value.
authentication
authorization
availability
broker
The steps that ensure that the individual is who he or she claims to be.
The act of providing permission or approval to technology resources.
Security actions that ensure that data is accessible to authorized users.
Attacker who sells knowledge of a vulnerability to other attackers or governments.
BYOD (bring your own device) The practice of allowing users to use their own personal
devices to connect to an organizational network.
California’s Database Security Breach Notification Act The first state electronic privacy
law, which covers any state agency, person, or company that does business in California.
confidentiality
Security actions that ensure that only authorized parties can view the
information.
A systematic outline of the steps of a cyberattack, introduced at
Lockheed Martin in 2011.
Cyber Kill Chain®
cybercrime Targeted attacks against financial networks, unauthorized access to
information, and the theft of personal information.
cybercriminals
A network of attackers, identity thieves, spammers, and financial
fraudsters.
cyberterrorism A premeditated, politically motivated attack against information, computer
systems, computer programs, and data, which often results in violence.
Attacker whose motivation may be defined as ideological, or attacking for
the sake of principles or beliefs.
cyberterrorist
deterrence
Understanding the attacker and then informing him of the consequences of the
action.
exploit kit
Automated attack package that can be used without an advanced knowledge of
computers.
A U.S. law that requires banks and financial institutions
to alert customers of their policies and practices in disclosing customer information.
Gramm-Leach-Bliley Act (GLBA)
hactivist Attacker who attacks for ideological reasons that are generally not as welldefined as a cyberterrorist’s motivation.
Health Insurance Portability and Accountability Act (HIPAA) A U.S. law designed to guard
protected health information and implement policies and procedures to safeguard it.
identity theft Stealing another person’s personal information, such as a Social Security
number, and then using the information to impersonate the victim, generally for financial
gain.
information security The tasks of protecting the integrity, confidentiality, and availability
of information on the devices that store, manipulate, and transmit the information through
products, people, and procedures.
insiders Employees, contractors, and business partners who can be responsible for an attack.
Copyright 2015 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
1
32
Chapter 1 Introduction to Security
integrity Security actions that ensure that the information is correct and no unauthorized person or malicious software has altered the data.
mitigation Addressing a risk by making it less serious.
Payment Card Industry Data Security Standard (PCI DSS) A set of security standards that all U.S. companies processing, storing, or transmitting credit card information must follow.
risk A situation that involves exposure to danger.
risk avoidance Identifying the risk but making the decision to not engage in the activity.
Sarbanes-Oxley Act (Sarbox) A U.S. law designed to fight corporate corruption.
script kiddie Individual who lacks advanced knowledge of computers and networks and so uses downloaded automated attack software to attack information systems.
state-sponsored attacker Attacker commissioned by governments to attack enemies’ information systems.
threat A type of action that has the potential to cause harm.
threat agent A person or element that has the power to carry out a threat.
threat likelihood The probability that a threat will actually occur.
threat vector The means by which an attack could occur.
transference Transferring the risk to a third party.
vulnerability A flaw or weakness that allows a threat agent to bypass security.
Review Questions
1. Which of the following is NOT a characteristic of Advanced Persistent Threat (APT)?
a. can span several years
b. targets sensitive proprietary information
c. uses advanced tools and techniques
d. is only used by hactivists against foreign enemies
2. Which of the following was used to describe attackers who would break into a computer system without the owner’s permission and publicly disclose the vulnerability?
a. white hat hackers
b. black hat hackers
c. blue hat hackers
d. gray hat hackers
3. Which of the following is NOT a reason why it is difficult to defend against today’s attackers?
a. increased speed of attacks
b. simplicity of attack tools
c. greater sophistication of defense tools
d. delays in security updating
4. Why can brokers command such a high price for what they sell?
a. Brokers are licensed professionals.
b. The attack targets are always wealthy corporations.
c. The vulnerability was previously unknown and is unlikely to be patched quickly.
d. Brokers work in teams and all the members must be compensated.
5. Which phrase describes the term “security” in a general sense?
a. protection from only direct actions
b. using reverse attack vectors (RAV) for protection
c. only available on hardened computers and systems
d. the necessary steps to protect a person or property from harm
6. ________ ensures that only authorized parties can view the information.
a. Confidentiality
b. Availability
c. Authorization
d. Integrity
7. Each of the following is a successive layer in which information security is achieved EXCEPT ________.
a. products
b. purposes
c. procedures
d. people
8. What is a person or element that has the power to carry out a threat?
a. threat agent
b. exploiter
c. risk agent
d. vulnerability
9. ________ ensures that individuals are who they claim to be.
a. Demonstration
b. Accounting
c. Authentication
d. Certification
10. What is the difference between a hactivist and a cyberterrorist?
a. A hactivist is motivated by ideology while a cyberterrorist is not.
b. Cyberterrorists always work in groups while hactivists work alone.
c. The aim of a hactivist is not to incite panic like cyberterrorists.
d. Cyberterrorists are better funded than hactivists.
11. Each of the following is a goal of information security EXCEPT ________.
a. avoid legal consequences
b. foil cyberterrorism
c. prevent data theft
d. limit access control
12. Which act requires enterprises to guard protected health information and implement policies and procedures to safeguard it?
a. Hospital Protection and Insurance Association Agreement (HPIAA)
b. Sarbanes-Oxley Act (Sarbox)
c. Gramm-Leach-Bliley Act (GLBA)
d. Health Insurance Portability and Accountability Act (HIPAA)
13. Why do cyberterrorists target power plants, air traffic control centers, and water systems?
a. These targets have notoriously weak security and are easy to penetrate.
b. They can cause significant disruption by destroying only a few targets.
c. These targets are government-regulated and any successful attack would be considered a major victory.
d. The targets are privately owned and cannot afford high levels of security.
14. What is the first step in the Cyber Kill Chain®?
a. weaponization
b. exploitation
c. actions on objectives
d. reconnaissance
15. An organization that purchased security products from different vendors is demonstrating which security principle?
a. obscurity
b. diversity
c. limiting
d. layering
16. Each of the following can be classified as an “insider” EXCEPT ________.
a. business partners
b. contractors
c. stockholders
d. employees
17. What are attackers called who belong to a network of identity thieves and financial fraudsters?
a. cybercriminals
b. script kiddies
c. hackers
d. brokers
18. What is an objective of state-sponsored attackers?
a. to right a perceived wrong
b. to spy on citizens
c. to sell vulnerabilities to the highest bidder
d. fortune instead of fame
19. An example of ________ is not revealing the type of computer, operating system, software, and network connection a computer uses.
a. layering
b. diversity
c. obscurity
d. limiting
20. The ________ is primarily responsible for assessing, managing, and implementing security.
a. security administrator
b. security manager
c. security technician
d. chief information security officer (CISO)
Hands-On Projects
Project 1-1: Examine Data Breaches
The Privacy Rights Clearinghouse (PRC) is a nonprofit organization whose
goals are to raise consumers’ awareness of how technology affects personal
privacy and empower consumers to take action to control their own personal
information. The PRC maintains a searchable database of security breaches
that impact consumer’s privacy. In this project you will gather information
from the PRC website.
1. Open a web browser and enter the URL www.privacyrights.org/
data-breach.
The location of content on the Internet may change without
warning. If you are no longer able to access the site through the
above web address, use a search engine to search for “Privacy Rights
Clearinghouse data breach”.
2. First spend time reading about the PRC. Click About Us in the toolbar.
3. Scroll down to the content under Mission and Goals and also under
Services. Spend a few minutes reading about the PRC.
4. Click your browser’s Back button to return to the previous page.
5. On the Chronology of Data Breaches page scroll down and observe the
different breaches listed in chronological order.
6. Now create a customized list of the data that will only list data breaches
of educational institutions. Scroll back to the top of the page.
7. Under Select organization type(s), uncheck all organizations except EDU – Educational Institutions.
8. Click GO!.
9. Scroll down to Breach Subtotal if necessary. How many breaches that
were made public pertain to educational institutions?
10. Scroll down and observe the breaches for educational institutions.
11. Scroll back to the top of the page. Click New Search, located beneath the
GO! button.
12. Now search for breaches that were a result of lost, discarded, or stolen
equipment that belonged to the government and military. Under Choose
the type of breaches to display, uncheck all types except Portable device
(PORT) - Lost, discarded or stolen laptop, PDA, smartphone, portable
memory device, CD, hard drive, data tape, etc.
13. Under Select organization type(s), uncheck all organizations except
GOV – Government and Military.
14. Click GO!.
15. Scroll down to Breach Subtotal, if necessary. How many breaches that
were made public pertain to this type?
16. Scroll down and observe the breaches for governmental institutions.
17. Scroll back to the top of the page.
18. Now create a search based on criteria that you are interested in, such as
the Payment Card Fraud against Retail/Merchants during the current year.
19. When finished, close all windows.
Project 1-2: Scan for Malware Using the Microsoft
Safety Scanner
In this project you will download and run the Microsoft Safety Scanner to
determine if there is any malware on the computer.
1. Determine which system type of Windows you are running. Click Start,
Control Panel, System and Security, and then System. Look under
System type for the description.
2. Open your web browser and enter the URL www.microsoft.com/
security/scanner/en-us/default.asp.
The location of content on the Internet may change without warning. If you are no longer able to access the site through the above
web address, use a search engine to search for “Microsoft Safety
Scanner”.
3. Click Download Now.
4. Select either 32-bit or 64-bit, depending upon which system type of
Windows you are running.
5. When the program finishes downloading, right-click Start and click
Open Windows Explorer.
6. Click the Downloads icon in the left pane.
7. Double-click the msert.exe file.
8. Click Run. If the User Account Control dialog box appears, click Yes.
9. Click the check box to accept the license terms for this software. Click
Next.
10. Click Next.
11. Select Quick scan if necessary.
12. Click Next.
13. Depending on your computer this scan may take several minutes. Analyze the results of the scan to determine if there is any malicious software
found in your computer.
14. If you have problems you can click View detailed results of the scan.
After reviewing the results, click OK. If you do not find any problems,
click Finish.
15. If any malicious software was found on your computer run the scan
again and select Full scan. After the scan is complete, click Finish to close
the dialog box.
16. Close all windows.
Project 1-3: Create a Virtual Machine of Windows 8.1
for Security Testing—Part 1
Many users are reluctant to use their normal “production” computer for
installing and testing new security applications. As an alternative, a virtual
machine can be created on the “host” computer that runs a “guest” operating
system. Security programs and testing can be conducted within this guest operating system without any impact on the regular host operating system. In this
project you will create a virtual machine using Oracle VirtualBox.
The operating system of the host computer is not required to be different from that of the new guest operating system. That is, a computer
that already has installed Windows 8.1 as its host operating system can
still create a virtual machine of Windows 8.1 that is used for testing.
1. Open a web browser and enter the URL www.virtualbox.org.
The location of content on the Internet may change without
warning. If you are no longer able to access the site through the
above web address, then use a search engine to search for “Oracle
VirtualBox download”.
2. Click Downloads.
3. Under VirtualBox platform packages select the latest version of VirtualBox for your host operating system to download that program. For
example, if you are running Windows 7, select the version for “VirtualBox x.x.x for Windows hosts.”
4. Under VirtualBox x.x.x Oracle VM VirtualBox Extension Pack click All
supported platforms to download the extension package.
5. Navigate to the folder that contains the downloads and launch the
VirtualBox installation program VirtualBox-xxx-nnnnn-hhh.exe.
6. Accept the default configurations from the installation Wizard to install
the program.
7. If you are asked “Would you like to install this device software?” on one
or more occasions, click Install.
8. When completed click Finish to launch VirtualBox, as seen in Figure 1-7.
Figure 1-7 VirtualBox
Source: VirtualBox software developed by Oracle Corporation
9. Now install the VirtualBox extensions. Click File and Preferences.
10. Click Extensions.
11. Click the Add a package icon on the right side of the screen.
12. Navigate to the folder that contains the extension pack downloaded earlier to select that file. Click Open.
13. Click Install. Follow the necessary steps to complete the default
installation.
14. Click File and Close to close VirtualBox. Complete the next project to
configure VirtualBox and install the guest operating system.
Project 1-4: Create a Virtual Machine of Windows 8.1
for Security Testing—Part 2
After installing VirtualBox the next step is to create the guest operating system. For this project Windows 8.1 will be installed. Different options are
available for obtaining a copy of Windows 8.1:
A retail version of the software can be purchased.
If your school is a member of the Microsoft DreamSpark program
the operating system software and a license can be downloaded
(www.dreamspark.com). See your instructor or lab supervisor for
more information.
A 90-day evaluation copy can be downloaded and installed from the
Microsoft TechNet Evaluation Center (technet.microsoft.com/en-us/
evalcenter/hh699156.aspx).
1. Obtain the ISO image of Windows 8.1 using one of the options above
and save it on the hard drive of the computer.
2. Launch VirtualBox.
3. Click New.
4. In Name: enter Windows 8.1 as the name of the virtual machine.
5. Be sure that Type: changes to Microsoft Windows and Version: changes
to Windows 8.1. Click Next.
6. Under Memory size accept the recommended size or increase the allocation if you have sufficient RAM on your computer. Click Next.
7. Under Hard drive accept Create a virtual hard drive now. Click Create.
8. Under Hard drive file type accept the default VDI (VirtualBox Disk
Image). Click Next.
9. Under Storage on physical hard drive accept the default Dynamically
allocated. Click Next.
10. Under File location and size accept Windows 8.1. Click Create.
11. Now the configuration settings for the virtual machine are set, as seen in
Figure 1-8.
Figure 1-8 VirtualBox virtual machine settings
Source: VirtualBox software developed by Oracle Corporation
12. Next you will load the Windows 8.1 ISO image. Click Settings.
13. In the left pane click Storage.
14. Under Controller: IDE click Empty.
15. In the right page under Attributes click the icon of the optical disc.
16. Click Choose a virtual CD/DVD disc file…
17. Navigate to the location of the Windows 8.1 ISO file and click Open.
18. Click OK.
19. Click Start to launch the Windows 8.1 ISO.
20. Follow the Windows 8.1 installation wizard to complete the installation.
21. To close the Windows 8.1 guest operating system in VirtualBox click File
and then Exit.
22. Close all windows.
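The same guest can be built from the command line with VirtualBox's own VBoxManage tool, which is useful when a lab needs many identical test machines. The script below is an added example and is not part of the textbook's projects or of Oracle's documentation; it mirrors Project 1-3 steps 9-13 (extension pack) and Project 1-4 steps 3-19 (create the VM, its VDI disk, attach the ISO, start it). Downloading and installing VirtualBox itself (Project 1-3 steps 1-8) and clicking through the Windows installer stay manual. The VM name, memory and disk sizes, the ISO path, and the extension pack filename are assumptions that can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the textbook): VBoxManage equivalent of the GUI steps
# in Projects 1-3 and 1-4. Every value below is an assumption; override it by
# setting the variable in the environment. Set DRY_RUN=1 to print the commands
# instead of executing them.

VM_NAME="${VM_NAME:-Windows 8.1}"
OS_TYPE="${OS_TYPE:-Windows81_64}"       # "VBoxManage list ostypes" shows the valid IDs
MEMORY_MB="${MEMORY_MB:-2048}"           # assumed guest RAM (Project 1-4, step 6)
DISK_MB="${DISK_MB:-25600}"              # assumed 25 GB dynamically allocated disk (steps 7-10)
ISO_PATH="${ISO_PATH:-$HOME/Downloads/Windows8.1.iso}"                                   # assumed
EXTPACK="${EXTPACK:-$HOME/Downloads/Oracle_VM_VirtualBox_Extension_Pack.vbox-extpack}"  # assumed
DISK_PATH="${DISK_PATH:-$HOME/VirtualBox VMs/$VM_NAME/$VM_NAME.vdi}"

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Project 1-3, steps 9-13: File > Preferences > Extensions > Add a package.
install_extension_pack() {
    run VBoxManage extpack install --replace "$EXTPACK"
}

# Project 1-4, steps 3-10: New, name/type/version, memory size, VDI disk
# (dynamically allocated). Newer releases also accept "createmedium disk".
create_vm() {
    run VBoxManage createvm --name "$VM_NAME" --ostype "$OS_TYPE" --register
    run VBoxManage modifyvm "$VM_NAME" --memory "$MEMORY_MB"
    run VBoxManage createhd --filename "$DISK_PATH" --size "$DISK_MB" --format VDI --variant Standard
}

# Project 1-4, steps 12-18: Settings > Storage. The wizard attaches the disk to
# a SATA controller for you; the CLI does it explicitly. The ISO goes in the
# empty IDE optical drive.
attach_storage() {
    run VBoxManage storagectl "$VM_NAME" --name "SATA" --add sata --controller IntelAhci
    run VBoxManage storageattach "$VM_NAME" --storagectl "SATA" --port 0 --device 0 --type hdd --medium "$DISK_PATH"
    run VBoxManage storagectl "$VM_NAME" --name "IDE" --add ide
    run VBoxManage storageattach "$VM_NAME" --storagectl "IDE" --port 0 --device 0 --type dvddrive --medium "$ISO_PATH"
}

# Project 1-4, step 19: Start; the guest boots the ISO and the Windows
# installation wizard runs interactively.
start_vm() {
    run VBoxManage startvm "$VM_NAME" --type gui
}

# Not among the textbook steps: once Windows is installed and the guest is
# powered off, disconnect its network adapter so test software cannot reach
# the host network, and snapshot the clean install so the guest can be rolled
# back after every test.
isolate_vm() {
    run VBoxManage modifyvm "$VM_NAME" --nic1 none
    run VBoxManage snapshot "$VM_NAME" take clean-install
}

# Run the whole procedure only when invoked as:  sh create_test_vm.sh all
if [ "${1:-}" = "all" ]; then
    install_extension_pack
    create_vm
    attach_storage
    start_vm
fi
```

`DRY_RUN=1 sh create_test_vm.sh all` lists the commands without touching VirtualBox, which is a convenient way to review the values before running them for real. `isolate_vm` is deliberately left out of the `all` sequence because `modifyvm` and `snapshot` should be run only after the Windows installation has finished and the guest is powered off.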
Case Projects
Case Project 1-1 Research Cyber Kill Chain®
The Cyber Kill Chain approach to security is increasing in popularity.
Research the background of the Cyber Kill Chain and how it is being used
today. Begin by reading the original article “Intelligence-Driven Computer
Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” by Eric M. Hutchins, Michael J. Cloppert, and Rohan M.
Amin at www.lockheedmartin.com/content/dam/lockheed/data/corporate/
documents/LM-White-Paper-Intel-Driven-Defense.pdf. Next, search the Internet
for additional information and how this approach can help improve security.
Write a one-page paper of your research.
Case Project 1-2 Attack Experiences
Based on your own personal experiences or those of someone you know (you
may have to interview other students or a friend), write a paragraph regarding
a computer attack that occurred. When did it happen? What was the attack?
What type of damage did it inflict? Using the information in Table 1-2, list
the reason or reasons you think that the attack was successful. How was the
computer fixed after the attack? What could have prevented it? Write a one-page paper about these experiences.
Case Project 1-3 Security Podcasts
Many security vendors and security researchers now post regular online podcasts on security. Using a search engine, locate three different podcasts about
computer security. Download them to your media player or computer and listen to them. Then, write a summary of what was discussed and a critique of
the podcasts. Were they beneficial to you? Would you recommend them to
someone else? Write a one-page paper on your research.
Case Project 1-4 What Are Your Layers?
Security defenses should be based on five fundamental security principles:
layering, limiting, diversity, obscurity, and simplicity. Analyze these principles for the computers that you use. Create a table that lists the five fundamental security principles across the top, and then list down the side at least
three computers that you commonly use at school, your place of employment, home, a friend’s house, etc. Then enter the security element of each
principle for each of the computers (such as, for Limiting you may indicate
the number of people who have keys to the door of the office or apartment
that contains the computer). Leave blank any box for which that security
layer does not exist. Based on your analysis, what can you say regarding
the security of these computers? Finally, for each of the elements that you
think is inadequate or missing, add what you believe would improve security. Write an analysis of your findings that is at least two paragraphs in
length.
Case Project 1-5 Information Security Terminology
in Your World
The scenario of Ellie protecting her scooter was used in this chapter to introduce the six key terms used in information security: asset, threat, threat
agent, vulnerability, exploit, and risk. Create your own one-paragraph scenario with those six key terms using something that requires protection with
which you are familiar, such as protecting a television in a home from being
stolen. Also, create a table similar to Table 1-5 that lists these terms and how
they are used in your scenario.
Case Project 1-6 Security+ Certification Jobs
What types of jobs require a Security+ certification? Using online career sites
such as monster.com, careerbuilder.com, jobfactory.com, and others, research
the types of security positions that require a Security+ certification. Create a
table that lists the employer, the job title, a description of the job, and the
starting salary (if these items are provided).
Case Project 1-7 Bay Pointe Security Consulting
Bay Pointe Security Consulting (BPSC) provides security consulting services to
a wide range of businesses, individuals, schools, and organizations. Because of
its reputation and increasing demand for its services, BPSC has partnered with
a local college to hire technology students close to graduation to assist them
on specific projects. This not only helps BPSC with their projects but also provides real-world experience to students who are interested in the security field.
As part of National Cybersecurity Awareness Month a local business organization is conducting a series of “Lunch-and-Learn” meetings during the
month for citizens and small business owners to learn more about security.
BPSC has been asked to present an introductory session on the fundamentals
of security: what it is, why it is important today, who are the attackers, what
types of attacks do they launch, etc. Because you are completing your degree,
BPSC has asked you to make the presentation to the class.
1. Create a PowerPoint presentation that explains what IT security is and
why it is important today. Also include who is responsible for attacks
and their attack techniques. Your presentation should be 7 to 10 slides
in length.
2. As a follow-up to your presentation, create a Frequently Asked Questions (FAQ) sheet that outlines general principles that can be used to
protect valuable assets. Write a one-page FAQ about security
protections.
Case Project 1-8 Community Site Activity
The Information Security Community Site is an online companion to this textbook. It contains a wide variety of tools, information, discussion boards, and
other features to assist learners. In order to gain the most benefit from the
site you will need to set up a free account.
Go to community.cengage.com/infosec. Click JOIN THE COMMUNITY. On
the Join the Community page, enter the requested information. For your signin name, use the first letter of your first name followed by an underscore (_)
and then your last name. For example, John Smith would create the sign-in
name as J_Smith.
Your instructor may have a different naming convention that you
should use, such as the name of your course followed by your initials. Check with your instructor before creating your sign-in name.
Explore the various features of the Information Security Community Site and
become familiar with it. Visit the blog section and read the blog postings to
learn about some of the latest events in IT security.
References
1. Radcliffe, Jerome, “Hacking medical devices for fun and insulin: Breaking the Human
SCADA System,” Blackhat Briefings & Training USA + 2011, accessed Nov. 16,
2013, www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html.
2. Finkle, Jim, “Exclusive: Medtronic probes insulin pump risks,” Reuters, Oct. 26,
2011, accessed Nov. 16, 2013, www.reuters.com/article/2011/10/26/us-medtronic
-idUSTRE79P52620111026.
3. Shchetko, Nick, “Pacemakers, cars, energy grids: The tech that should not be hackable,
is,” Minyanvlle, Jul. 31, 2013, accessed Nov. 16, 2013, www.minyanville.com/sectors/
technology/articles/The-2527Hackable2527-Devices-We-Wish-Weren2527t253A/7/31/
2013/id/51050.
4. Fu, Kevin, “Click here to download your AVEA ventilator software update. Trust
me,” Ann Arbor Research Center for Medical Device Security (blog), Jun. 8, 2012,
accessed Nov. 16, 2013, http://blog.secure-medicine.org/2012/06/click-here-to
-download-your-avea.html.
5. “DHS wireless medical devices/healthcare cyberattacks report,” Public Intelligence,
May 15, 2012, accessed Nov. 16, 2013, http://publicintelligence.net/nccic-medical
-device-cyberattacks/.
6. Chenok, Daniel, “Information Security Resource Center,” National Institute of Standards and Technology, Mar. 30, 2012, accessed Nov. 16, 2013, http://csrc.nist.gov/
groups/SMA/ispab/documents/correspondence/ispab-ltr-to-omb_med_device.pdf.
7. “FDA safety communication: Cybersecurity for medical devices and hospital networks,” U.S. Food and Drug Administration, Jun. 13, 2013, accessed Nov. 16, 2013,
www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm.
8. “Network and computer systems administrators: Occupational outlook handbook,”
Bureau of Labor Statistics, Mar. 29, 2012, accessed Mar. 30, 2013, www.bls.gov/ooh/
Computer-and-Information-Technology/Network-and-computer-systems-administrators
.htm.
Copyright 2015 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
1
44
Chapter 1 Introduction to Security
9. Regalado, Daniel, “Backdoor.Ploutus reloaded—Ploutus leaves Mexico,” Symantec
(blog), Oct. 25, 2013, accessed Nov. 16, 2013, www.symantec.com/connect/blogs/
backdoorploutus-reloaded-ploutus-leaves-mexico.
10. Moore, H., “Serial offenders: Widespread flaws in serial port servers,” Security
Street Rapid, Apr. 23, 2013, accessed Nov. 16, 2013, https://community.rapid7.com/
community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port
-servers.
11. “Akamai releases second quarter 2013 ‘State of the Internet’ report,” Akamai, Oct. 16,
2013, accessed Nov. 16, 2013, www.akamai.com/html/about/press/releases/2013/
press_101613.html.
12. Teso, Hug, “Aircraft hacking: Practical aero series,” Fourth Annual HITB Security
Conference in Europe, Apr. 10, 2013, accessed Nov. 16, 2013, http://conference.hitb
.org/hitbsecconf2013ams/.
13. Balduzzi, Marco, et al., “Hey captain, where’s your ship? Attacking vessel tracking
systems for fun and profit,” Eleventh Annual HITB Security Conference in Asia,
accessed Nov. 16, 2013, http://conference.hitb.org/hitbsecconf2013kul/materials/
D1T1%20-%20Marco%20Balduzzi,%20Kyle%20Wilhoit%20Alessandro%20Pasta
%20-%20Attacking%20Vessel%20Tracking%20Systems%20for%20Fun%20and%
20Profit.pdf.
14. “Reverse engineering a D-Link backdoor,” Embedded Device Hacking, Oct. 12, 2013,
accessed Nov. 16, 2013, www.devttys0.com/2013/10/reverse-engineering-a-d-link
-backdoor/.
15. “Chronology of data breaches: Security breaches 2005–present,” Privacy Rights
Clearinghouse, updated Dec. 4, 2013, accessed Dec. 4, 2013, www.privacyrights.org/
data-breach.
16. “Malware,” AVTest, Dec. 1, 2013, accessed Dec. 5, 2013, www.av-test.org/en/statistics/
malware/.
17. Finkle, Jim, “Hackers are creating and selling fake ‘likes’ on Facebook, Instagram,”
Reuters, Aug. 16, 2013, accessed Dec. 6, 2013, www.huffingtonpost.com/2013/08/16/
fake-instagram-likes_n_3769247.html?utm_hp_ref=technology.
18. “IRS missing billions in ID theft,” Chron.com, accessed Aug. 4, 2012, www.chron
.com/business/article/IRS-missing-billions-in-ID-theft-3757389.php.
19. “The cost of ‘Code Red’: $1.2 billion,” USA Today, Aug. 1, 2001, accessed Feb. 28,
2011, www.usatoday.com/tech/news/2001-08-01-code-red-costs.htm.
20. Reed, John, “Cyber terrorism now at the top of the list of security concerns,” Defensetech, accessed Jan. 27, 2013, http://defensetech.org/2011/09/12/cyber-terrorism-now
-at-the-top-of-the-list-of-security-concerns/.
21. Goldman, David, “Hacker hits on U.S. power and nuclear targets spiked in 2012,”
CNN Money, Jan. 9, 2013, accessed Jan. 27, 2014, http://money.cnn.com/2013/01/
09/technology/security/infrastructure-cyberattacks/.
22. Sweeney, Patrick, “Defending against exploit kits,” Network World, Jun. 3, 2013,
accessed Dec. 7, 2013, www.networkworld.com/news/tech/2013/060313-exploit-kits
-270404.html.
Copyright 2015 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Part I  Threats
The security of the data and information contained on computers and
digital devices today is threatened by more different types of attacks
than ever before, and the threats and attacks are escalating on a daily
basis. The chapters in this part outline these threats. The chapters in
later parts will give you the network security concepts and tools you
need to prevent or defend against these types of attacks.
Chapter 2 Malware and Social Engineering Attacks
Chapter 3 Application and Networking-Based Attacks
Chapter 2  Malware and Social Engineering Attacks

After completing this chapter, you should be able to do the following:
• Define malware
• List the different types of malware
• Identify payloads of malware
• Describe the types of social engineering psychological attacks
• Explain physical social engineering attacks
Today’s Attacks and Defenses
A security test was recently conducted at a U.S. federal government agency that specializes in “offensive cybersecurity” and is charged with protecting national secrets.
Previous security tests indicated that this agency was resistant to technology-based
attacks. However, this time the testers used a completely different approach: they
created a fake online profile of an attractive and intelligent young female in the
security industry, and used it to trick several males in the organization into
compromising security in order to help her.
The testers started by creating a fake online profile of “Emily Williams,” an attractive
28-year-old who graduated from MIT and had several years of security experience. The
profile of “Emily” was posted on the social networking sites Facebook and LinkedIn,
along with a photo (in a touch of irony, the photo was actually that of a server from a
local restaurant frequented by many of the employees of this same government agency,
used with her permission). To make sure her story was complete, the testers also posted
on several of MIT’s university forums using the name Emily Williams. After only 15 hours,
Emily had 60 Facebook and 55 LinkedIn connections with employees from the targeted
government agency and its contractors (and after 24 hours she already had three job
offers from other companies). Emily then started receiving LinkedIn endorsements for
her skills, and males who worked at the government agency offered to help her get a
jump-start on a new job within the agency. These men said they would assist her in
bypassing the normal procedures for receiving a laptop computer and network access,
giving her higher levels of security access than a new hire would normally have.
The next step was to leverage the attention directed toward Emily to actually break
into the agency’s computers. During the Christmas holidays the testers created a website
with a Christmas card and posted a link to it on Emily’s social media profiles. Anyone
who visited Emily’s site was prompted to execute a program to display the card, which
actually also contained code that exploited a vulnerability on the victim’s computer.
The end result was that the testers were able to gain administrative rights over these
agency computers and capture user passwords, install applications, and steal sensitive
documents, which, in more irony, contained information about state-sponsored attacks
on foreign governments.
One of the contractors for this agency who fell for this ploy worked as a developer
for an antivirus vendor and had access to the antivirus source code, which the testers
were able to see. Later the testing team observed that two of the agency’s employees had exchanged information on Facebook about the upcoming birthday of the
agency’s head of information security. Because the head did not have a Facebook
or LinkedIn account (perhaps for security reasons), the testers sent him an email
with a birthday card that pretended to come from one of the agency’s employees.
The head of security fell victim by opening the card and infecting his computer, thus
exposing the “crown jewels” of the entire system.
The testers accomplished in just one week all of their goals using “Emily Williams,”
although they extended it for three more months just to see how far they could go.
This test validated what is widely known: because attractive females often receive
special treatment in the male-dominated IT industry, attacks using this type of trickery can be very successful. The testing team also tried a similar test by planting a
fake male social media profile to see if any of the females at the agency would likewise provide assistance and circumvent security. None of them did.
Successful attacks on computers today generally consist of two elements. One element is malicious software programs that are created by attackers to silently infiltrate computers with the
intent to do harm. This software may intercept data, steal information, launch other attacks,
or damage a computer’s hard drive so that it no longer properly functions. According to a
major security vendor, one of these malicious software “events” occurs at an organization on
average once every three minutes.1
The other element of a successful attack is often overlooked but is equally deadly: tricking
users into performing a compromising action or providing sensitive information. Defeating
security through a person instead of technology is actually the most cost-effective approach
and can also generate some of the highest success rates. These attacks take advantage of user
apathy or confusion about good security practices and deceive users into opening the door for
the malicious software programs to enter.
This chapter examines attacks using these two elements, malicious software programs and
tricking users. It begins by looking at attacks that utilize malicious software. Then it explores
how attacks through users are being conducted today.
This chapter explores the background of various malware and social
engineering attacks and how attackers use them. Later chapters
cover defenses against specific attacks.
Attacks Using Malware
3.1 Explain types of malware.
Malware is software that enters a computer system without the user’s knowledge or consent
and then performs an unwanted and usually harmful action. Strictly speaking, malware uses
a threat vector to deliver a malicious “payload” that performs a harmful function once it is
invoked. However, malware is most often used as a general term that refers to a wide variety
of damaging software programs.
To detect malware on a computer, a scanning tool searches for code that matches a known pattern, or signature, of that malware. To circumvent this detection, attackers can mask the presence of their malware by having it “mutate” so that its bytes change from one copy to the next. Three types of mutating malware are:
• Oligomorphic malware. Oligomorphic malware changes its internal code to one of a set number of predefined mutations whenever it is executed. Because it has only a limited number of mutations, it will eventually change back into a previous version, and a scanner that holds one signature per mutation can detect every form it can take.
• Polymorphic malware. Malware code that completely changes from its original form whenever it is executed is known as polymorphic malware. This is usually accomplished by carrying the malware body in “scrambled” (encrypted) form together with a small routine that “unscrambles” (decrypts) it when the malware is activated; each new copy uses a different key and a rewritten unscrambling routine, so no fixed byte sequence is shared between copies.
• Metamorphic malware. Metamorphic malware can actually rewrite its own code and thus appears different each time it is executed. It does this by creating a logical equivalent of its code whenever it is run, so there is no encrypted body to recover: the instructions themselves differ from copy to copy.
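The difference between these mutation strategies is easiest to see by running a scanner against them. The following is an added example (not from the textbook or any real antivirus product): a byte signature catches a static body, a small fixed set of oligomorphic mutations is covered by deriving one signature per mutation, and a polymorphic copy scrambled with a fresh key each generation escapes signature matching until the scanner emulates the unscrambling step. The “malware body”, the signature, the stub layout (`STUB_MAGIC`, one key byte, scrambled body) and the key set `OLIGO_KEYS` are all constructed for the toy; nothing here touches a real file.

```python
"""Added example, not from the textbook or any real scanner: signature
matching versus oligomorphic and polymorphic mutation, using a toy XOR
'scrambler' in place of real encryption. All data is constructed."""
import os

# Constructed "malware body" and a distinctive substring a vendor would sign.
PLAIN_BODY = b"INFECT:copy-self-to-next-file;PAYLOAD:erase-files"
SIGNATURE = b"copy-self-to-next-file"

# Toy decryptor stub layout: magic marker, one key byte, then the scrambled body.
STUB_MAGIC = b"\x7fXOR"
OLIGO_KEYS = (0x11, 0x22, 0x33)   # oligomorphic: a fixed, small set of mutations


def scramble(data: bytes, key: int) -> bytes:
    """XOR every byte with `key` (the toy stand-in for encrypting the body)."""
    return bytes(b ^ key for b in data)


def make_mutated_copy(body: bytes = PLAIN_BODY, key: int = 0) -> bytes:
    """One generation of the sample: stub + key byte + scrambled body.
    key=0 means 'polymorphic': pick a fresh random non-zero key per copy."""
    if key == 0:
        key = os.urandom(1)[0] or 1
    return STUB_MAGIC + bytes([key]) + scramble(body, key)


def scan_static(sample: bytes, sigs=(SIGNATURE,)) -> bool:
    """Plain signature scan: literal match against the bytes as stored."""
    return any(s in sample for s in sigs)


def oligomorphic_signatures(keys=OLIGO_KEYS) -> tuple:
    """Oligomorphic malware has finitely many forms, so the scanner can
    simply carry one derived signature for each known mutation."""
    return tuple(scramble(SIGNATURE, k) for k in keys)


def scan_with_emulation(sample: bytes) -> bool:
    """If the sample carries the stub, run its unscrambling step (the
    analogue of emulating the decryptor in a sandbox) and scan the result."""
    if scan_static(sample):
        return True
    if sample.startswith(STUB_MAGIC) and len(sample) > len(STUB_MAGIC):
        key = sample[len(STUB_MAGIC)]
        return scan_static(scramble(sample[len(STUB_MAGIC) + 1:], key))
    return False


def detection_rates(n: int = 20) -> tuple:
    """(static hits, emulation hits) over n polymorphic generations,
    each scrambled with a distinct key."""
    samples = [make_mutated_copy(key=k) for k in range(1, n + 1)]
    return (sum(scan_static(s) for s in samples),
            sum(scan_with_emulation(s) for s in samples))


if __name__ == "__main__":
    print("plain body, static scan:", scan_static(PLAIN_BODY))
    print("oligomorphic copy, per-mutation signatures:",
          scan_static(make_mutated_copy(key=0x22), oligomorphic_signatures()))
    print("20 polymorphic copies (static hits, emulation hits):", detection_rates())
```

The oligomorphic case is caught only because `OLIGO_KEYS` is small and known; the polymorphic case is caught only because the scanner is willing to execute the stub's logic, which is exactly why modern scanners pair signatures with emulation or behavioural monitoring.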
Different types of malware have emerged over time as a result of security defenses becoming
more sophisticated and the corresponding attacks becoming progressively more complex.
However, there has been no standard established for the classification of the different types
of malware. As a result the definitions of the different types of malware are often confusing
and may overlap. One method of classifying the various types of malware is by using the primary trait that the malware possesses. These traits are circulation, infection, concealment, and
payload capabilities.
• Circulation. Some malware has as its primary trait spreading rapidly to other systems in order to impact a large number of users. Malware can circulate through a variety of means: over the network to which the devices are connected, on USB flash drives shared among users, or as an email attachment. Circulation can be automatic or can require an action by the user.
• Infection. Once the malware reaches a system through circulation, it must “infect” or embed itself into that system. The malware might run only once and reside in the computer’s memory until the next reboot, or it might persist on disk and be relaunched every time the system starts through an auto-run feature. Some malware attaches itself to a benign program while other malware runs as a stand-alone process.
• Concealment. Some malware has as its primary trait avoiding detection by concealing its presence from scanners. Polymorphic malware attempts to avoid detection by changing itself, while other malware embeds itself within existing processes or modifies the underlying host operating system.
• Payload capabilities. When payload capabilities are the primary focus of malware, the focus is on what nefarious action(s) the malware performs. Does it steal passwords and other valuable data from the user’s system? Does it delete programs so the computer can no longer function properly? Does it modify the system’s security settings? In some cases the purpose of the malware is to use the infected system to launch attacks against other computers.
The sections that follow give more details and examples of malware classified by circulation/
infection, concealment, and payload capabilities.
Many types of malware have more than one of these traits: that is,
the malware both circulates and carries a payload. However, in
terms of classification the primary trait of the malware is used here.
Circulation/Infection
Three types of malware have the primary traits of circulation and/or infection. These are
viruses, worms, and Trojans.
Viruses A biological virus is an agent that reproduces inside a cell. When a cell is infected by
a virus, the virus takes over the operation of that cell, converting it into a virtual factory to make
more copies of it. The cell is forced to produce thousands or hundreds of thousands of identical
copies of the original virus very rapidly (the polio virus can make more than one million copies
of itself inside one single infected human cell). Biologists often say that viruses exist only to
make more viruses. A computer virus (virus) is malicious computer code that, like its biological
counterpart, reproduces itself on the same computer. Strictly speaking a computer virus replicates
itself (or an evolved copy of itself) without any human intervention.
Sometimes virus and malware are used synonymously, especially by
the general news media when reporting on a security incident. However, this is incorrect: a virus is only one type of malware.
Almost all viruses “infect” by inserting themselves into a computer file. A virus that infects an executable program file is simply called a program virus. When the program is launched the virus is activated. A virus can also infect a data file. One of the most common data file viruses is a macro virus that is written in a script known as a macro. A macro is a series of instructions that can be grouped together as a single command. Often macros are used to automate a complex set of tasks or a repeated series of tasks. Macros can be written by using a macro language, such as Visual Basic for Applications (VBA), and are stored within the user document. Note that the default Office formats (.DOCX, .XLSX) cannot store VBA code; macros live in the macro-enabled variants (.DOCM, .XLSM) and in the older binary formats (.DOC, .XLS). Once such a document is opened and macros are permitted to run, the macro instructions execute, whether those instructions are benign or a macro virus.
A very large number of different file types can contain a virus. Table 2-1 lists some of the 70 different Microsoft Windows file types that can be infected with a virus.
One of the first viruses found on a microcomputer was written for the
Apple II in 1982. Rich Skrenta, a ninth-grade student in Pittsburgh,
wrote “Elk Cloner,” which displayed his poem on the screen after
every 50th use of the infected floppy disk. Unfortunately, the virus
leaked out and found its way onto the computer used by Skrenta’s
math teacher.2 In 1984, the mathematician Dr. Frederick Cohen introduced the term virus based on a recommendation from his advisor,
who came up with the name from reading science fiction novels.
Early viruses were relatively straightforward in how they infected files. One basic type of infection is the appender infection. The virus first attaches or appends itself to the end of the infected
file. It then inserts at the beginning of the file a “jump” instruction that points to the end of the
file, which is the beginning of the virus code. When the program is launched, the jump instruction redirects control to the virus. Figure 2-1 shows how an appender infection works.
Table 2-1 Windows file types that can be infected

File extension   Description
.DOCX, .XLSX     Microsoft Office user documents (VBA macros are stored only in the macro-enabled variants .DOCM and .XLSM)
.EXE             Executable program file
.MSI             Microsoft installer file
.MSP             Windows installer patch file
.SCR             Windows screen saver
.CPL             Windows Control Panel file
.MSC             Microsoft Management Console file
.WSF             Windows script file
.REG             Windows registry file
.PS1             Windows PowerShell script
Figure 2-1 Appender infection: a jump instruction inserted at the start of the program code (before code line 1, code line 2, and so on) points to the virus code appended after the end of the program’s own code.
However, these types of viruses could easily be detected by virus scanners, because the virus body is stored in one piece and in the clear. Most viruses today go to great lengths to avoid detection; this type of virus is called an armored virus. Some of the armored virus infection techniques include:
• Swiss cheese infection. Instead of having a single “jump” instruction to the “plain” virus code, some armored viruses perform two actions to make detection more difficult. First they “scramble” (encrypt) the virus code to make it more difficult to detect. Then they divide the engine that “unscrambles” (decrypts) the virus code into pieces and inject these pieces throughout the infected program code. When the program is launched the pieces are tied together and unscramble the virus code. A Swiss cheese infection is shown in Figure 2-2.
• Split infection. Instead of inserting pieces of the decryption engine throughout the program code, some viruses split the malicious code itself into several parts (along with one main body of code), and these parts are placed at random positions throughout the program code. To make detection even more difficult the parts may contain unnecessary “garbage” code to mask their true purpose. A split infection virus is shown in Figure 2-3.
Figure 2-2 Swiss cheese infection: a jump at the start of the program leads to decryptor parts 1 through 5 scattered through the program code; together they decrypt the encrypted virus code.
Figure 2-3 Split infection: a jump at the start of the program leads to virus code parts A through D and the virus code main body, placed at random positions among the program code.
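The appender infection of Figure 2-1 and the split infection of Figure 2-3 can both be reproduced on a toy “executable”. The following is an added example (not from the textbook and not real virus code): a program is a list of instructions for a tiny interpreter, the instruction forms (`SAY`, `JMP`, `NOP`, `HALT`), the host program `HOST` and the virus body `VIRUS` are all constructed, and the virus “payload” only records a string. The example shows that a scanner matching a contiguous signature catches the appender variant but not the split variant with its junk padding, while a scanner that follows control flow from the entry point catches both.

```python
"""Added example, not from the textbook or any real virus: appender and
split infection of a toy instruction-list 'executable', plus a static
signature scanner and a control-flow-following scanner. Everything is
constructed; nothing touches the real system."""

# Constructed instruction forms:
#   ("SAY", text)  record text in the program's output
#   ("JMP", n)     continue at absolute index n
#   ("NOP",)       do nothing (used as junk padding)
#   ("HALT",)      stop


def run(program, max_steps=1000):
    """Interpret `program`; return the list of executed instructions."""
    pc, executed = 0, []
    while 0 <= pc < len(program) and len(executed) < max_steps:
        op = program[pc]
        executed.append(op)
        if op[0] == "HALT":
            break
        pc = op[1] if op[0] == "JMP" else pc + 1
    return executed


def output(program):
    """What the program visibly does: the SAY texts in execution order."""
    return [op[1] for op in run(program) if op[0] == "SAY"]


HOST = [("SAY", "host:start"), ("SAY", "host:work"), ("HALT",)]        # constructed host
VIRUS = [("SAY", "virus:replicate"), ("SAY", "virus:payload")]          # constructed body


def infect_appender(host, virus):
    """Save the entry instruction, overwrite it with a JMP to the virus
    appended after the host, then execute the saved instruction and JMP
    back to index 1 so the host still behaves normally (Figure 2-1)."""
    return [("JMP", len(host))] + host[1:] + list(virus) + [host[0], ("JMP", 1)]


def infect_split(host, virus, positions, junk=1):
    """Insert one virus instruction at each host index in `positions`
    (each >= 1). Every inserted block is [JMP over the block, junk NOPs,
    piece, JMP to the next piece]; the leading JMP keeps the host's own
    straight-line flow intact and the host's JMP targets are relocated
    for the shift (Figure 2-3)."""
    positions = sorted(positions)
    if len(positions) != len(virus) or not all(1 <= p < len(host) for p in positions):
        raise ValueError("one position per virus piece, each inside the host after index 0")
    blen = junk + 3
    start = [p + blen * j for j, p in enumerate(positions)]   # block start indices
    tail = len(host) + blen * len(virus)                        # saved-entry stub

    def relocated(i):      # host index i -> its index in the infected layout
        return i + blen * sum(1 for p in positions if p <= i)

    out = []
    for i, op in enumerate(host):
        for j, p in enumerate(positions):
            if p == i:
                nxt = start[j + 1] + 1 if j + 1 < len(virus) else tail
                out += [("JMP", start[j] + blen)] + [("NOP",)] * junk + [virus[j], ("JMP", nxt)]
        if i == 0:
            out.append(("JMP", start[0] + 1))                    # entry -> first piece
        elif op[0] == "JMP":
            out.append(("JMP", relocated(op[1])))
        else:
            out.append(op)
    return out + [host[0], ("JMP", relocated(1))]


def static_scan(program, sig=VIRUS):
    """Signature scanner: the virus instructions must appear contiguously."""
    n = len(sig)
    return any(program[i:i + n] == list(sig) for i in range(len(program) - n + 1))


def flow_scan(program, sig=VIRUS):
    """Emulating scanner: follow control flow from the entry point, drop
    junk and chaining instructions, then look for the signature."""
    stream = [op for op in run(program) if op[0] not in ("NOP", "JMP")]
    return static_scan(stream, sig)


if __name__ == "__main__":
    for name, prog in [("appender", infect_appender(HOST, VIRUS)),
                       ("split", infect_split(HOST, VIRUS, positions=[1, 2]))]:
        print(name, output(prog), "static:", static_scan(prog), "flow:", flow_scan(prog))
```

Both infected programs produce the same visible behaviour as the clean host plus the virus’s two actions, which is the point of an infection that preserves the host: the user sees nothing wrong. Only the static layout differs, and that is exactly what a byte-signature scanner looks at.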
Some armored viruses scan for the presence of files that security
researchers typically use. If those files are present, then it is assumed
that the virus is being examined for weaknesses and the virus will
then automatically self-destruct by deleting itself.
Each time the infected program is launched or the file is opened, either by the user or by the computer’s operating system, the virus performs two actions. First, it delivers a payload that performs a malicious action. Although early viruses often did nothing more than display an annoying message, viruses today are much more harmful. Viruses have performed the following actions:
• Caused a computer to crash repeatedly
• Erased files from a hard drive
• Turned off the computer’s security settings
• Reformatted the hard disk drive
Sometimes a virus will remain dormant for a period of time before
unleashing its payload.
The second action a virus takes when executed is to reproduce itself by inserting its code
into another file on the same computer. A virus can only replicate itself on the host computer on which it is located; it cannot automatically spread to another computer by itself.
Instead, it must rely on the actions of users to spread to other computers. Because viruses
are generally attached to files, viruses are spread by a user transferring those files to other
devices. For example, a user may send an infected file as an email attachment or copy an
infected file to a USB flash drive and give the drive to another user. Once the virus reaches
a new computer it begins to infect it. This means that a virus must have two “carriers”: a
file to which it attaches and a human to transport it to other computers.
Several similarities between biological and computer viruses exist:
both must enter their host passively (by relying on the action of an
outside agent), both must be on the correct host (a horse virus cannot make a human sick, just as an Apple Mac virus cannot infect a
Windows computer), both can only replicate when inside the host,
both may remain dormant for a period of time, and both types of
viruses replicate at the expense of the host.
Worms A second type of malware whose primary purpose is to spread is a worm. A worm is a malicious program that uses a computer network to replicate (worms are sometimes called network viruses). A worm is designed to enter a computer through the network and then take advantage of a vulnerability in an application or an operating system on the host computer. Once the worm has exploited the vulnerability on one system, it immediately searches for another computer on the network that has the same vulnerability.
One of the first wide-scale worms occurred in 1988. Among other flaws, this worm exploited a debug option in the sendmail mail program that allowed commands mailed to a remote system to be executed on that system, and a buffer overflow in the finger daemon; it also carried a payload that attempted to guess user passwords. Almost 6000 computers, or about 10 percent of the devices connected to the Internet at that time, were affected. The worm was attributed to Robert T. Morris, Jr., who was later convicted of federal crimes in connection with this incident.
Early worms were relatively benign and designed simply to spread quickly and not corrupt
the systems they infected. These worms slowed down the network through which they were
transmitted by replicating so quickly that they consumed all network resources. Today’s
worms can leave behind a payload on the systems they infect and cause harm, much like a
virus. Actions that worms have performed include deleting files on the computer or allowing
the computer to be remotely controlled by an attacker.
Although viruses and worms are said to be automatically self-replicating, where they replicate is different. A virus will self-replicate on the host computer but not to other computers. A worm will self-replicate between computers (from one computer to another).
Trojans According to ancient legend, the Greeks won the Trojan War by hiding soldiers
in a large hollow wooden horse that was presented as a gift to the city of Troy. Once the
horse was wheeled into the fortified city, the soldiers crept out of the horse during the night
and attacked the unsuspecting defenders.
A computer Trojan horse (or just Trojan) is an executable program that masquerades as
performing a benign activity but also does something malicious. For example, a user may
download what is advertised as a calendar program, yet when it is installed, in addition to
installing the calendar it also installs malware that scans the system for credit card numbers
and passwords, connects through the network to a remote system, and then transmits that
information to the attacker.
Unlike a virus that infects a system without the user’s knowledge or
consent, a Trojan program is installed on the computer system with
the user’s knowledge. What the Trojan conceals is its malicious
payload.
Table 2-2 lists the differences between viruses, worms, and Trojans.
Table 2-2 Differences between viruses, worms, and Trojans

What does it do?
  Virus: inserts malicious code into a program or data file
  Worm: exploits a vulnerability in an application or operating system
  Trojan: masquerades as performing a benign action but also does something malicious
How does it spread to other computers?
  Virus: user transfers infected files to other devices
  Worm: uses a network to travel from one computer to another
  Trojan: user transfers the Trojan file to other computers
Does it infect a file?
  Virus: yes
  Worm: no
  Trojan: it can
Does there need to be user action for it to spread?
  Virus: yes
  Worm: no
  Trojan: yes
Concealment
Some types of malware have avoiding detection as a primary trait. The most common type of
concealment malware first captured the public’s attention through music CDs.
In late 2005, Sony BMG Music Entertainment shocked the computer world by secretly installing hidden software on any computer that played one of 50 Sony music CDs. The software
that Sony installed was intended to prevent the music CDs from being copied. These CDs
created a hidden directory, installed their own device driver software on the computer, and
then rerouted normal functions away from Microsoft Windows to Sony’s own routines.
Finally, the Sony software disguised its presence from both users and the operating system.
Once this nefarious behavior was exposed Sony was forced to backpedal and withdraw the
CDs from the market.
What Sony did was install a rootkit on computers on which the CD was played. A rootkit is
a set of software tools used to hide the actions or presence of other types of software. This
software can be benign, like playing music CDs, or it can be malicious, such as Trojans,
viruses, or worms. Rootkits do this by changing the operating system to force it to ignore
their malicious files or activity. Rootkits also hide or remove all traces of evidence that may
reveal the malware, such as log entries.
Originally the term rootkit referred to a set of modified and recompiled tools for the UNIX operating system. Root is the highest level
of privileges available in UNIX, so a rootkit described programs that
an attacker used to gain root privileges and to hide the malicious
software. Today rootkits are not limited to UNIX computers; similar
tools are available for other operating systems.
One approach used by rootkits is to alter or replace operating system files with modified
versions that are specifically designed to ignore malicious evidence. For example, scanning
software may be instructed to scan all files in a specific directory. In order to do this, the
scanning software will receive a list of those files from the operating system. A rootkit will
replace the operating system’s accurate list of files with the rootkit’s own routine that will
not display malicious files. This is illustrated in Figure 2-4. The scanning software assumes
that the operating system will willingly carry out those instructions and retrieve all files; it
does not know that the computer is only providing files that the rootkit has approved. In
essence, users can no longer trust their computer that contains a rootkit: the rootkit is in
charge and hides what is occurring on the computer.
Figure 2-4 Computer infected with rootkit. Actual list of files (all file folders): Archive (1/6/2014 11:27 AM), Figures (11/3/2015 6:52 AM), Research (8/12/2014 8:32 AM), Rootbit Files (6/16/2016 4:59 AM). Files displayed to user: Archive, Figures, Research; the rootkit’s own folder is omitted from the listing.
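The file-hiding behaviour of Figure 2-4, and the cross-view check used to catch it, as an added example (not from the textbook and not code from any real rootkit or scanner). The “rootkit” here is a user-mode analogue: it replaces the directory-listing routine that a trusting scanner calls with a version that drops every entry whose name starts with the constructed prefix `HIDDEN_PREFIX`, and the detector compares that view with an independent enumeration of the same directory. The directory contents are constructed in a temporary folder, and the hook is removed again before the example returns.

```python
"""Added example, not from the textbook or any real rootkit: a user-mode
analogue of a file-hiding rootkit (a hooked directory listing) and the
cross-view check that detects it. All file names are constructed."""
import os
import tempfile

HIDDEN_PREFIX = "rk_"          # constructed: entries the "rootkit" hides
_real_listdir = os.listdir     # the genuine routine, kept before hooking


def rootkit_listdir(path):
    """Hooked listing: behaves like os.listdir minus the hidden entries."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def install_hook():
    """Replace the routine naive callers use (analogue of hooking the OS)."""
    os.listdir = rootkit_listdir


def remove_hook():
    os.listdir = _real_listdir


def hook_installed():
    return os.listdir is rootkit_listdir


def naive_scan(path):
    """A scanner that trusts whatever the (possibly hooked) OS routine reports."""
    return sorted(os.listdir(path))


def cross_view_scan(path):
    """Cross-view detection: compare the hooked view with an independent
    enumeration (here os.scandir, which the toy hook does not touch).
    Entries present in one view and absent from the other are evidence
    that something is being hidden."""
    hooked = set(naive_scan(path))
    independent = {entry.name for entry in os.scandir(path)}
    return sorted(independent - hooked)


def demo():
    """Build a constructed directory, install the hook, and return
    (what the naive scanner sees, what the cross-view check flags)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("Archive", "Figures", "Research", "rk_driver.sys", "rk_log"):
            open(os.path.join(d, name), "w").close()
        install_hook()
        try:
            return naive_scan(d), cross_view_scan(d)
        finally:
            remove_hook()


if __name__ == "__main__":
    seen, hidden = demo()
    print("naive scanner sees:", seen)
    print("cross-view check flags as hidden:", hidden)
```

A real kernel-mode rootkit hooks the system call or filter driver that every user-mode API ultimately reaches, so both views in this toy would be lied to; in practice the independent view has to come from somewhere the rootkit does not control, such as parsing the file system structures directly or booting the disk from clean media.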
Because a rootkit often substitutes its own files and routines for those of the operating system, it can be very difficult to detect the presence of a rootkit: the operating system itself cannot be trusted to provide accurate information, so detection must rely on a view the rootkit does not control, such as examining the disk after booting from clean media or comparing what the running system reports against an independent enumeration. In addition, these files and routines typically operate at a very low level in the operating system and cannot easily be repaired. Ultimately, the only safe and foolproof way to handle a rootkit infection is to reformat the hard drive and reinstall the operating system, and even that is insufficient for a rootkit that has installed itself in the boot sector or in firmware, which must be rewritten as well.
Payload Capabilities
The destructive power of malware is to be found in its payload capabilities. The primary payload capabilities are to collect data, delete data, modify system security settings, and launch
attacks.
Copyright 2015 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Chapter 2 Malware and Social Engineering Attacks
Collect Data Different types of malware are designed to collect important data from the
user's computer and make it available to the attacker. This malware includes spyware,
adware, and ransomware.
Spyware Spyware is a general term used to describe software that secretly spies on users by
collecting information without their consent. The Anti-Spyware Coalition defines spyware as
tracking software that is deployed without adequate notice, consent, or control by the user.3
This software uses the computer’s resources, including programs already installed on the
computer, for the purpose of collecting and distributing personal or sensitive information.
Table 2-3 lists different technologies used by spyware.
Technology | Description | Impact
Automatic download software | Used to download and install software without the user's interaction | May be used to install unauthorized applications
Passive tracking technologies | Used to gather information about user activities without installing any software | May collect private information such as websites a user has visited
System modifying software | Modifies or changes user configurations, such as the web browser home page or search page, default media player, or lower-level system functions | Changes configurations to settings that the user did not approve
Tracking software | Used to monitor user behavior or gather information about the user, sometimes including personally identifiable or other sensitive information | May collect personal information that can be shared widely or stolen, resulting in fraud or identity theft
Table 2-3 Technologies used by spyware
Not all spyware is necessarily malicious. For example, spyware monitoring tools can help parents keep track of the online activities of
their children while the children are surfing the Web.
One type of nefarious spyware is a keylogger that silently captures and stores each
keystroke that a user types on the computer’s keyboard. The attacker then searches the
captured text for any useful information such as passwords, credit card numbers, or personal information.
A keylogger can be a small hardware device or a software program. As a hardware device,
the keylogger is inserted between the computer keyboard connection and USB port, as
shown in Figure 2-5. Because the device resembles an ordinary keyboard plug and the computer keyboard USB port is often on the back of the computer, a hardware keylogger can
easily go undetected. In addition, the device is beyond the reach of the computer’s antimalware scanning software and thus raises no alarms. The attacker who installed the hardware
keylogger returns at a later time and physically removes the device in order to access the
information it has gathered.
Part I Threats
Figure 2-5 Hardware keylogger
Hardware keyloggers are often installed on public access computers,
such as those in a school's open computer lab or a public library. If a
sensitive password must be entered on one of these computers,
almost all operating systems offer an on-screen "virtual" keyboard
through which the keys are clicked with a mouse or touch screen;
because no keystrokes travel through the physical keyboard cable, this
defeats a hardware keylogger (it does not defeat a software keylogger
that also captures the screen). On Windows computers it is found by
clicking Accessories and then Ease of Access.
Software keyloggers are programs installed on the computer that silently capture sensitive
information. Software keylogger programs act like rootkits and conceal themselves so that
they cannot be detected by the user. An advantage of software keyloggers is that they do
not require physical access to the user’s computer as with a hardware keylogger. The software, often installed as a Trojan or by a virus, can routinely send captured information
back to the attacker through the computer’s Internet connection.
Today software keyloggers go far beyond just capturing a user’s keystrokes. These programs can also make screen captures of everything
that is on the user’s screen and silently turn on the computer’s web
camera to record images of the user.
Adware Adware delivers advertising content in a manner that is unexpected and unwanted
by the user. Once adware is installed, it typically displays advertising
banners, popup ads, or opens new web browser windows at random intervals. Users generally reject adware because:
Adware may display objectionable content, such as gambling sites or
pornography.
Frequent popup ads can interfere with a user’s productivity.
Popup ads can slow a computer or even cause crashes and the loss of data.
Unwanted advertisements can be a nuisance.
Some adware goes beyond affecting the user’s computer experience. This is because adware
programs can also perform a tracking function, which monitors and tracks a user’s online
activities and then sends a log of these activities to third parties without the user’s authorization or knowledge. For example, a user who visits online automobile sites to view specific
types of cars can be tracked by adware and classified as someone interested in buying a new
car. Based on the sequence and type of websites visited, the adware can also determine
whether the surfers’ behavior suggests they are close to making a purchase or are also looking at competitors’ cars. This information is gathered by adware and then sold to automobile
advertisers, who send the users regular mail advertisements about their cars or even call the
user on the telephone.
Ransomware One of the newest and fastest-growing types of malware is ransomware.
Ransomware prevents a user’s device from properly operating until a fee is paid. One type
of ransomware locks up a user’s computer and then displays a message that purports to
come from a law enforcement agency. This message, using official-looking imagery, states
that the user has performed an illegal action such as downloading pornography and must
immediately pay a fine online by entering a credit card number. The computer remains
“held hostage” and locked (except for the numeric keys on the keyboard) until the ransom
payment is made. Figure 2-6 shows a ransomware message from the Symantec website in its
Security Response Center.
Figure 2-6 Ransomware message
Source: Symantec Security Response
Widespread ransomware first started appearing
around 2010.
Ransomware malware is highly profitable. By one estimate nearly 3 percent of those users
who have been infected pay the ransom without question, generating almost $5 million annually from extorted victims.4 Due to its high success rate attackers have started expanding the
capabilities of this malware. Instead of just showing a message on the screen, one new
variant of ransomware plays a recorded message through the computer’s speakers using a
regionalized and semipersonalized voice message.
Another variation displays a fictitious warning that there is a problem with the computer
such as (in a touch of irony) a malware infection or imminent hard drive failure. No matter
what the condition of the computer, the ransomware always reports that there is a problem.
This ransomware variation tells users that they must immediately purchase additional
software online to fix the problem that in fact does not exist. The warning appears to be
legitimate because it mimics the appearance of genuine software and—unlawfully—uses legitimate trademarks or icons. The ransomware example in Figure 2-7 uses color schemes and
icons similar to those found on legitimate Windows software. Users who provide their credit
card number to make the purchase find that the attackers simply capture that information
and then use the card number for their own purposes.
Figure 2-7 Ransomware computer infection
Source: Microsoft Security Intelligence Report
In most instances, the ransomware embeds itself into the computer
so that the message cannot be closed and rebooting the computer
has no effect.
Delete Data The payload of other types of malware deletes data on the computer. This
may involve deleting important user data files, such as documents or photos, or erasing vital
operating system files so that the computer will no longer properly function.
One type of malware that is frequently used to delete data is a logic bomb. A logic bomb is
computer code that is typically added to a legitimate program but lies dormant until it is
triggered by a specific logical event. Once it is triggered, the program then deletes data or
performs other malicious activities. In one example, a Maryland government employee tried
to destroy the contents of more than 4000 servers by planting a logic bomb script that was
scheduled to activate 90 days after he was terminated.5 Other recent high-profile logic
bombs are listed in Table 2-4.
Description | Reason for attack | Results
A logic bomb was planted in a financial services computer network that caused 1000 computers to delete critical data. | A disgruntled employee had counted on this to cause the company's stock price to drop; he planned to use that event to earn money. | The logic bomb detonated but the employee was caught and sentenced to 8 years in prison and ordered to pay $3.1 million in restitution.6
A logic bomb at a defense contractor was designed to delete important rocket project data. | The employee's plan was to be hired as a highly paid consultant to fix the problem. | The logic bomb was discovered and disabled before it triggered. The employee was charged with computer tampering and attempted fraud and was fined $5000.7
A logic bomb at a health services firm was set to go off on the employee's birthday. | The employee was angered that he might be laid off (although he was not). | The employee was sentenced to 30 months in a federal prison and paid $81,200 in restitution to the company.8
Table 2-4 Famous logic bombs
Logic bombs have sometimes been used by legitimate software companies to ensure payment for their software. If a payment is not
made by the due date, the logic bomb activates and prevents the
software from being used again. In some instances, logic bombs
even erase the software and the accompanying payroll or customer
files from the computer.
Logic bombs are difficult to detect before they are triggered. This is because logic bombs are
often embedded in very large computer programs, some containing tens of thousands of
lines of code, and a trusted employee can easily insert a few lines of computer code into a
long program without anyone detecting it. In addition, these programs are not routinely
scanned for containing malicious actions.
Logic bombs should not be confused with an Easter egg, which
refers to an undocumented, yet benign hidden feature that launches
by entering a set of special commands, key combinations, or mouse
clicks. Usually programmers insert Easter eggs for their own recreation or notoriety during the software’s development. For example, in
Microsoft Excel 95 there was actually an entire game called “The
Hall of Tortured Souls” that was embedded as an Easter egg. Microsoft ended the practice of including Easter eggs in 2002 as part of its
Trustworthy Computing initiative.
Modify System Security The payload of some types of malware attempts to modify
the system’s security settings so that more insidious attacks can be made. One type of malware in this category is called a backdoor. A backdoor gives access to a computer, program,
or service that circumvents any normal security protections. Backdoors that are installed on
a computer allow the attacker to return at a later time and bypass security settings.
Creating a legitimate backdoor is a common practice by developers,
who may need to access a program or device on a regular basis, yet
do not want to be hindered by continual requests for passwords or
other security approvals. The intent is for the backdoor to be
removed once the application is finalized. However, in some
instances backdoors have been left installed, and attackers have
used them to bypass security.
Launch Attacks One of the most popular payloads of malware today carried by Trojans, worms, and viruses is software that will allow the infected computer to be placed
under the remote control of an attacker. This infected robot (bot) computer is known as a
zombie. When hundreds, thousands, or even hundreds of thousands of zombie computers
are gathered into a logical computer network, they create a botnet under the control of the
attacker (bot herder).
Due to the multitasking capabilities of modern computers, a computer can act as a zombie while at the same time carrying out the
tasks of its regular user. The user is completely unaware that his or
her computer is being used for malicious activities.
Infected zombie computers wait for instructions through a command and control (C&C
or C2) structure from the bot herders regarding which computers to attack and how. A
common botnet C&C mechanism used today is the Hypertext Transfer Protocol
(HTTP), the protocol that carries ordinary web traffic. For example, a zombie can
receive its instructions by automatically signing in to a website that the bot herder operates, or to a third-party website on which information has been placed that the zombie
knows how to interpret as commands (this latter technique has the advantage that
the bot herder needs no affiliation with that website). Because HTTP is permitted
through almost every firewall and blends in with legitimate browsing, botnet traffic
carried over it is harder to detect and block. Some botnets even use blogs
or send specially coded attack commands through posts on the Twitter social networking service or notes posted in Facebook.
Some bot herders use a "dead drop" C&C mechanism. First a
bogus Google Gmail account is set up and its username and password
are coded into the zombie malware. The bot herder then creates a
draft email message in that account but never sends it. At set times
the zombie logs in to Gmail and reads the draft to receive its
instructions. The benefits of this dead drop are that the message is
never sent, so it never crosses a mail server and leaves no sent or
received message to trace, and that Gmail sessions are encrypted in
transit, so network monitoring sees only ordinary traffic to Google
rather than the commands themselves.
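Whether the channel is a bot herder's own web server or a Gmail draft polled "at set times", a zombie has to check in on a schedule, and that regularity is what a defender can look for in proxy logs: a source/destination pair whose request intervals barely vary. The following is an added example written for this page, not code from the textbook. The log lines, their field layout (epoch seconds, source IP, method, host, path, bytes), the hostnames and the jitter threshold are all constructed assumptions.

```python
"""Beacon detection over web-proxy logs. Added example written for this
page, not textbook code. The log lines, their field layout (epoch src
method host path bytes), the hostnames and the thresholds are
constructed assumptions."""

import statistics
from collections import defaultdict

# Constructed sample: one workstation polls a C&C host about every 60 s
# while also browsing normally at irregular times.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET intranet.example.local /home 5120
1700000003 10.0.0.5 GET c2-drop.example.net /tasks 312
1700000021 10.0.0.5 GET news.example.org /index 48213
1700000063 10.0.0.5 GET c2-drop.example.net /tasks 310
1700000095 10.0.0.5 GET news.example.org /sports 39010
1700000122 10.0.0.5 GET c2-drop.example.net /tasks 311
1700000140 10.0.0.5 GET intranet.example.local /mail 2200
1700000183 10.0.0.5 GET c2-drop.example.net /tasks 309
1700000242 10.0.0.5 GET c2-drop.example.net /tasks 312
1700000290 10.0.0.5 GET news.example.org /weather 12000
1700000303 10.0.0.5 GET c2-drop.example.net /tasks 310
"""


def parse(log_text):
    """Yield (timestamp, src, host, size); silently skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, _method, host, _path, size = parts
        try:
            yield int(ts), src, host, int(size)
        except ValueError:
            continue


def find_beacons(log_text, min_hits=5, max_jitter=0.10):
    """Return {(src, host): period_seconds} for pairs whose inter-request
    gaps are nearly constant. jitter = stdev(gaps)/mean(gaps): a person
    browsing produces large jitter, a scheduled check-in very little."""
    times = defaultdict(list)
    for ts, src, host, _size in parse(log_text):
        times[(src, host)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean)
    return beacons


if __name__ == "__main__":
    for (src, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: check-in every ~{period}s")
```

On the constructed log the only pair that survives the jitter test is the 60-second poll of c2-drop.example.net; the news and intranet visits are too few and too irregular. Real bots randomize their interval and hide inside popular services (a Gmail dead drop looks like everyone else's mail.google.com traffic to this test), so treat a low-jitter pair as one signal to investigate alongside others, such as the near-identical response sizes (309 to 312 bytes) in the sample.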
Table 2-5 lists some of the attacks that can be generated through botnets.
Type of attack | Description
Spamming | Botnets are widely recognized as the primary source of spam email. A botnet consisting of thousands of zombies enables an attacker to send massive amounts of spam.
Spreading malware | Botnets can be used to spread malware and create new zombies and botnets. Zombies have the ability to download and execute a file sent by the attacker.
Manipulating online polls | Because each zombie has a unique Internet Protocol (IP) address, each "vote" by a zombie will have the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way.
Denying services | Botnets can flood a web server with thousands of requests and overwhelm it to the point that it cannot respond to legitimate requests.
Table 2-5 Uses of botnets
In many ways a botnet is the ideal base of operations for attackers. Zombies are designed to
operate in the background, often without any visible evidence of their existence. By keeping
a low profile, botnets are sometimes able to remain active and operational for years. The
ubiquitous always-on Internet service provided by residential broadband ensures that a
large percentage of zombies in a botnet are accessible at any given time. This has resulted
in a staggering number of botnets. One botnet contained more than 1.9 million zombies,
and botnets of 100,000 zombies are not uncommon.9 Some security experts estimate that
between 7 and 25 percent of all computers on the Internet belong to a botnet.10
Social Engineering Attacks
3.2 Summarize various types of attacks.
3.3 Summarize social engineering attacks and the associated effectiveness of each
attack.
One morning a small group of strangers walked into the corporate offices of a large shipping
firm and soon walked out with access to the firm’s entire computer network, which contained
valuable and highly sensitive information. They were able to accomplish this feat with no
technical tools or skills:
1. Before entering the building, one person of the group called the company’s Human
Resource (HR) office and asked for the names of key employees. The office willingly
gave out the information without asking any questions.
2. As the group walked up to the building, one of them pretended to have lost the key
code to the door, so a friendly employee let them in. When they entered a secured area
on the third floor, they claimed to have misplaced their identity badges, so another
smiling employee opened the door for them.
3. Because the chief financial officer's (CFO's) voicemail greeting revealed that he was
out of town, the strangers walked unchallenged into his office
and gathered information from his unprotected computer. They also dug through
trash receptacles and retrieved useful documents. A custodian was even stopped and
asked for a box in which to place these documents so they could be carried out of
the building.
4. One of the group’s members then called the company’s help desk from the CFO’s office
and pretended to be the CFO (they had listened to his voice from his voicemail greeting
message and knew how he spoke). The imposter CFO claimed that he desperately
needed his password because he had forgotten it and was on his way to an important
meeting. The help desk gave out the password, and the group left the building with
complete access to the network.
This true story illustrates that technology is not always needed for attacks on IT.11 Social
engineering is a means of gathering information for an attack by relying on the weaknesses
of individuals. Social engineering attacks can involve psychological approaches as well as
physical procedures.
Psychological Approaches
Many social engineering attacks rely on psychology, which is the mental and emotional
approach rather than the physical. At its core, social engineering relies on an attacker’s
clever manipulation of human nature in order to persuade the victim to provide information or take actions. Several basic “principles” or reasons make psychological social
engineering effective. These are listed in Table 2-6 with the example of an attacker pretending to be the chief executive officer (CEO) calling the organization’s help desk to
have a password reset.
Principle | Description | Example
Authority | Directed by someone impersonating an authority figure or falsely citing their authority | "I'm the CEO calling."
Intimidation | To frighten and coerce by threat | "If you don't reset my password, I will call your supervisor."
Consensus/social proof | Influenced by what others do | "I called last week and your colleague reset my password."
Scarcity | Something is in short supply | "I can't waste time here."
Urgency | Immediate action is needed | "My meeting with the board starts in 5 minutes."
Familiarity/liking | Victim is well-known and well-received | "I remember reading a good evaluation on you."
Trust | Confidence | "You know who I am."
Table 2-6 Social engineering effectiveness
Social media sites such as Facebook are popular with attackers to
create a trust relationship with a user and then gather information.
Because many of the psychological approaches involve person-to-person contact, attackers
use a variety of techniques to gain trust without moving so quickly that they arouse suspicion.
For example:
An attacker will not ask for too much information at one time, but instead will
gather small amounts—even from several different victims—in order to maintain the
appearance of credibility.
The request from the attacker needs to be believable. Asking a victim to go into the
CFO’s office to retrieve a document may raise suspicion, yet asking if the CFO is on
vacation would not.
Slight flattery or flirtation can be helpful to “soften up” the victim to cooperate.
An attacker works to “push the envelope” just far enough when probing for
information before the victim suspects anything unusual.
A smile and a simple question such as “I’m confused, can you please help me?” or a
“Thanks” can usually “clinch the deal.”
Social engineering psychological approaches often involve impersonation, phishing, spam,
hoaxes, typo squatting, and watering hole attacks.
Impersonation Social engineering impersonation means to masquerade as a real or fictitious character and then play out the role of that person on a victim. For example, an
attacker could impersonate a help desk support technician who calls the victim, pretends
that there is a problem with the network, and asks her for her user name and password to
reset the account.
Common roles that are often impersonated include a repairperson, IT support, a manager, a
trusted third party, or a fellow employee. Often attackers will impersonate individuals
whose roles are authoritative because victims generally resist saying “no” to anyone in
power.
Phishing One of the most common forms of social engineering is phishing. Phishing is
sending an email or displaying a web announcement that falsely claims to be from a
legitimate enterprise in an attempt to trick the user into surrendering private information. Users are asked to respond to an email or are directed to a website where they
are requested to update personal information, such as passwords, credit card numbers,
Social Security numbers, bank account numbers, or other information. However, the
email or website is actually an imposter and is set up to steal what information the user
enters.
The word phishing is a variation on the word “fishing,” with the
idea being that bait is thrown out knowing that while most will
ignore it, some will “bite.”
One of the reasons that phishing succeeds is that the emails and the fake websites appear to
be legitimate. Figure 2-8 illustrates an actual phishing email message that claims the victim
has recently made a large payment to an individual. The message contains the logos, color
schemes, and wording used by the legitimate site so that it appears to be genuine. The victim
would naturally be puzzled by this message and click the links, which would then ask for a
username and password to log in, but instead of accessing a legitimate site, this information
is captured by the attacker.
Figure 2-8 Phishing email message
Source: Email sent to Dr. Mark Revels
The average phishing site only exists for 3.8 days to prevent law
enforcement agencies from tracking the attackers. In that short
period, a phishing attack can net more than $50,000.12
Many phishing attacks have these common features:
Deceptive web links. Phishers like to use variations of a legitimate address, such as
www.ebay_secure.com, www.e—bay.com, or www.e-baynet.com.
Logos. Phishers often include the logo of the vendor and try to make the email look
like the vendor’s website as a way to convince the recipient that it is genuine.
Urgent request. Many phishing emails include an instruction for the recipient to act
immediately or else their account will be unavailable or a large amount of money
will be deducted from their account.
Phishing is also used to validate email addresses. A phishing email
can display an image retrieved from a web server when the user
opens the message. The image's URL carries a unique code tied to
the recipient's email address, so the request for that image tells
the phisher that the address is active and that the message was
read. This is why most email clients today do not automatically
display remotely hosted images.
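Both of the mechanisms just described, lookalike links and per-recipient tracking images, can be checked mechanically before a user ever clicks. The following is an added example written for this page, not code from the textbook. The trusted domain and the three deceptive hosts are the ones quoted above (the second is read as e-bay.com, with an ordinary hyphen); the sample email body, the sample HTML, the two-label "registrable domain" rule and the 16-character opaque-token heuristic are assumptions of this example, not a published method.

```python
"""Lookalike-link and tracking-pixel checks for a suspected phishing email.
Added example written for this page, not textbook code. TRUSTED,
BRAND_TOKENS, the sample body/HTML and the heuristics are assumptions."""

import re
from urllib.parse import urlparse

TRUSTED = {"ebay.com"}        # assumption: domains the recipient legitimately uses
BRAND_TOKENS = {"ebay"}       # brand strings to look for inside foreign hosts

# Constructed sample message (not a real phishing email).
SAMPLE_BODY = """Your account will be suspended in 24 hours.
Verify now at www.ebay_secure.com/verify or http://www.e-bay.com/login
Genuine sign-in page: https://signin.ebay.com/ws
"""
# Constructed sample HTML part with one inline logo, one tracking pixel
# and one ordinary remote banner.
SAMPLE_HTML = """<p>Logo:</p><img src="cid:logo.png">
<img src="https://mail-track.example.net/o.gif?u=7f3a9c2e1b" width="1" height="1">
<img src="https://www.example.org/banner.png">
"""

URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?", re.I)
IMG_RE = re.compile(r"<img[^>]+src=[\"']([^\"']+)[\"']", re.I)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.net/.org; a deployment
    should use the Public Suffix List so suffixes like co.uk work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """'ok' only when the registrable domain is trusted; 'suspicious' when a
    trusted brand name appears in a host that is not that brand's domain
    (ebay_secure, e-bay, e-baynet); otherwise 'unknown'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return "ok", f"{host} is under trusted domain {domain}"
    folded = re.sub(r"[^a-z0-9]", "", host.lower())   # drop -, _, . before comparing
    for brand in BRAND_TOKENS:
        if brand in folded:
            return "suspicious", f"brand '{brand}' used in untrusted host {host}"
    return "unknown", f"{host} is not a trusted domain"


def scan_links(text):
    """Every URL or bare host in the body, with its verdict and reason."""
    return [(m, *classify_link(m)) for m in URL_RE.findall(text)]


def find_tracking_images(html):
    """Remote images whose URL carries a query string or a long opaque path
    token are per-recipient beacons: fetching one proves the address is live."""
    hits = []
    for src in IMG_RE.findall(html):
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue                     # cid:/data: images do not phone home
        if parsed.query or re.search(r"[A-Za-z0-9]{16,}", parsed.path):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for url, verdict, reason in scan_links(SAMPLE_BODY):
        print(f"{verdict:10} {url:35} {reason}")
    print("tracking images:", find_tracking_images(SAMPLE_HTML))
```

The brand-in-host rule catches the three textbook variants because all of them keep the string "ebay" somewhere in the host after separators are stripped. It does not catch homoglyph or internationalized lookalikes (a Cyrillic letter standing in for a Latin one), and the two-label domain rule mis-handles country-code suffixes, so in production both checks should sit behind a Public Suffix List lookup and a confusable-character normalizer rather than replace them.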
Several variations on phishing attacks are:
Pharming. Instead of asking the user to visit a fraudulent website, pharming
automatically redirects the user to the fake site. This is accomplished by attackers
compromising the DNS servers that translate names to addresses, or by altering the
local hosts file on the victim's computer, so that the legitimate name resolves to
the attacker's server.
Spear phishing. Whereas phishing involves sending millions of generic email messages
to users, spear phishing targets only specific users. The emails used in spear phishing
are customized to the recipients, including their names and personal information, in
order to make the message appear legitimate.
Whaling. One type of spear phishing is whaling. Instead of going after the “smaller
fish,” whaling targets the “big fish,” namely, wealthy individuals or senior executives
within a business who typically would have larger sums of money in a bank account
that an attacker could access if the attack is successful. By focusing upon this smaller
group, the attacker can invest more time in the attack and finely tune the message to
achieve the highest likelihood of success.
Vishing. Instead of using email to contact the potential victim, a telephone call can
be used instead. Known as vishing (voice phishing), an attacker calls a victim who,
upon answering, hears a recorded message that pretends to be from the user’s
bank stating that her credit card has experienced fraudulent activity or that her
bank account has had unusual activity. The victim is instructed to call a specific
phone number immediately (which has been set up by the attacker). When the
victim calls, it is answered by automated instructions telling her to enter her credit
card number, bank account number, Social Security number, or other information
on the telephone’s key pad.
Phishing attacks are increasing almost 60 percent annually with
global annual losses about $1.5 billion.13
Spam The amount of spam, or unsolicited email, that goes through the Internet continues to
escalate. Google estimates that 9 out of every 10 email messages are spam.14 Users receive so
many spam messages advertising drugs, cheap mortgage rates, and items for sale because
sending spam is a lucrative business: it costs spammers very little to send millions
of spam email messages. In the past, spammers would purchase a list of valid email addresses
($100 for 10 million addresses) and rent a motel room with a high-speed Internet connection
($85 per day) as a base for launching attacks. Today, however, almost all spam is sent from botnets: a spammer who does not own a botnet can lease time from other attackers ($40 per
hour) to use a botnet of up to 100,000 infected computers to launch a spam run. Even if spammers receive only a very small percentage of responses, they still make a large profit. For example,
if a spammer sent spam to 6 million users for a product with a sale price of $50 that cost only $5
to make, and if only 0.1 percent of the recipients (6,000 people) responded and bought the product,
the spammer would still make $270,000 in profit.
A Russian-owned network was widely believed to be the hosting
C&C center for five major botnets. When this network was disconnected from the Internet, all of their botnets stopped functioning
and spam volumes worldwide immediately fell by 75 percent.
Text-based spam messages that include words such as Viagra or investments can easily be
trapped by filters that look for these words and block the email. Because of the increased use
of these filters, spammers have turned to image spam, which uses graphical images of text in
order to circumvent text-based filters. Image spam cannot be filtered based on the textual content of the message because it appears as an image instead of text. These spam messages often
include nonsense text so that it appears the email message is legitimate (an email with no text
can prompt the spam filter to block it). Figure 2-9 shows an example of an image spam.
Figure 2-9 Image spam
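The filter-evasion trade-off described above is easy to show in code. The following Python is an added example written for this page, not code from the textbook: it runs a naive keyword filter and an image-to-text ratio heuristic over four constructed sample messages (the `Message` class, the block-word list and the thresholds are assumptions chosen for the demonstration). The keyword filter catches text spam but passes image spam; the ratio heuristic flags both the no-text variant the text mentions and the filler-text variant, while a genuine newsletter with a chart stays below the threshold.

```python
"""Added example (not from the textbook): a naive keyword filter beside an
image-to-text ratio heuristic, run over constructed sample messages."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Words a naive text-based filter blocks on.  A tiny constructed list; real
# filters use far larger word lists and scoring rather than a single hit.
BLOCK_WORDS = {"viagra", "investment", "investments", "mortgage"}


@dataclass
class Message:
    """Minimal stand-in for a parsed email message (an assumption for the example)."""
    subject: str
    text: str                                              # decoded visible text
    image_bytes: List[int] = field(default_factory=list)   # size of each inline image


def keyword_filter(msg: Message) -> bool:
    """Text-based filter: True when the subject or body contains a blocked word."""
    tokens = set(re.findall(r"[a-z]+", f"{msg.subject} {msg.text}".lower()))
    return bool(tokens & BLOCK_WORDS)


def image_to_text_ratio(msg: Message) -> float:
    """Bytes of inline image per character of visible text; 0.0 when there is no image."""
    total_image = sum(msg.image_bytes)
    if total_image == 0:
        return 0.0
    return total_image / max(len(msg.text.strip()), 1)


def image_spam_filter(msg: Message, min_image_bytes: int = 10_000,
                      ratio_threshold: float = 100.0) -> bool:
    """Heuristic for image spam: the message's content is carried by a sizeable
    image with little or no accompanying text.

    A message with no text at all scores the whole image against one character,
    which is why spammers add filler text; but a few dozen characters of filler
    still leaves the ratio far above that of a newsletter with a real body and
    a chart.  Thresholds are assumptions chosen for the constructed samples.
    """
    if sum(msg.image_bytes) < min_image_bytes:
        return False
    return image_to_text_ratio(msg) >= ratio_threshold


def classify(msg: Message) -> str:
    """Apply the text filter first, then the image heuristic."""
    if keyword_filter(msg):
        return "spam:keyword"
    if image_spam_filter(msg):
        return "spam:image"
    return "ham"


# Constructed sample messages.
TEXT_SPAM = Message("Cheap Viagra today", "Order now, lowest mortgage rates too.")
IMAGE_SPAM = Message("Re: hello", "quartz elbow seventeen bramble", [48_000])
NO_TEXT_SPAM = Message("", "", [48_000])
NEWSLETTER = Message(
    "Q3 results",
    "Hello team, attached is the chart of third-quarter results we reviewed on "
    "Monday. Revenue grew in the enterprise segment while support costs stayed "
    "flat. Please review the figures before Thursday's all-hands meeting and "
    "send corrections to the finance mailbox by end of day Wednesday so the "
    "deck can be finalized.",
    [20_000],
)
SAMPLES = {"text_spam": TEXT_SPAM, "image_spam": IMAGE_SPAM,
           "no_text_spam": NO_TEXT_SPAM, "newsletter": NEWSLETTER}


def run_samples() -> Dict[str, str]:
    """Classify every sample; returns name -> verdict."""
    return {name: classify(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} {verdict}")
```

The ratio heuristic is deliberately simple: production filters combine it with OCR of the image, sender reputation and Bayesian scoring, but even this single signal shows why an email with nothing but an image is easy to block and why spammers pad the message with filler text.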
2
72
Chapter 2 Malware and Social Engineering Attacks
Beyond just being annoying, spam significantly reduces work productivity as users spend
time reading and deleting spam messages. One report estimates that spam email, on average,
costs U.S. organizations $874 per person annually in lost productivity.15 Spam is also costly
to organizations that must install and monitor technology to block spam. However, one of
the greatest risks of spam is that it is used to widely distribute malware. A variation of
spam is spim, which targets instant messaging users instead of email users.
Hoaxes Attackers can use hoaxes as a first step in an attack. A hoax is a false warning,
often contained in an email message claiming to come from the IT department. The hoax
purports that there is a “deadly virus” circulating through the Internet and that the recipient
should erase specific files or change security configurations, and then forward the message
to other users. However, changing configurations allows an attacker to compromise the
system. Or, erasing files may make the computer unstable, prompting the victim to call the
telephone number in the hoax email message for help, which is actually the phone number
of the attacker.
Typo Squatting What happens when a user makes a typing error when entering a uniform
resource locator (URL) address in a web browser, such as typing goggle.com (a misspelling) or google.net (incorrect domain) instead of the correct google.com? Most often
today the user will be directed to a fake look-alike site. This site may contain a visitor
survey that promises a chance to win prizes (but the attacker actually captures the entered
email addresses to sell to spammers) or be filled with ads (for which the attacker receives
money for traffic generated to the site). These fake sites exist because attackers purchase
the domain names of sites that are spelled similarly to actual sites. This is called typo
squatting or URL hijacking. A well-known site like google.com may have to deal with
more than 1000 typo squatting domains. Over 62 percent of the active domain names
based on common misspellings of facebook.com are typo squatting sites.
In one month the typo squatting site goggle.com received almost
825,000 unique visitors. It is estimated that typo squatting costs the
250 top websites $285 million annually in lost sales and other
expenses.16
While a typing error when entering a URL to visit a webpage can be a problem, an even
larger problem is the fact that attackers also receive all private email messages that had similar typing errors (such as an email sent to finances@goggle.com). Security researchers set up
fake domains based on the names of the 500 largest U.S. companies that only omitted the
period between the domain name and subdomain. In six months they received more than
120,000 private emails (or 20 gigabytes worth of email) based on this one typing error,
many containing confidential information and even lists of passwords.17
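The lost-email problem described above is one a mail gateway can check for before a message leaves. The Python below is an added example, not the textbook's material or any vendor's product: given a list of trusted domains (constructed here as `example.com` and `finance.example.com`), it classifies each outbound recipient as an exact match, a missing-dot doppelganger like the one the researchers registered, a one-edit look-alike such as goggle.com, the same name under the wrong top-level domain such as google.net, or an ordinary external domain. It generalizes the page's two cases to any trusted domain list; the verdict names, the edit-distance limit and the sample addresses are assumptions.

```python
"""Added example (not from the textbook): screen outbound recipients for
look-alikes of trusted domains before a misaddressed message leaves."""
from typing import Dict, Iterable, Optional, Tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def missing_dot_variants(domain: str) -> set:
    """Doppelganger names made by dropping the dot between a subdomain and its
    parent: 'finance.example.com' -> {'financeexample.com'}.  The dot before the
    top-level domain is left alone because 'examplecom' is not a registrable TLD."""
    labels = domain.split(".")
    variants = set()
    for i in range(len(labels) - 2):
        joined = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(joined))
    return variants


def check_recipient(address: str, trusted: Iterable[str],
                    max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Classify one recipient address against the trusted domain list.

    Returns (verdict, matched_trusted_domain).  Verdict names are assumptions
    for this example: ok, missing-dot, lookalike, wrong-tld, external.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    trusted_set = sorted({t.strip().lower() for t in trusted})
    if domain in trusted_set:
        return "ok", domain
    for t in trusted_set:                       # most specific pattern first
        if domain in missing_dot_variants(t):
            return "missing-dot", t
    for t in trusted_set:
        if levenshtein(domain, t) <= max_distance:
            return "lookalike", t
    name, _, tld = domain.rpartition(".")
    for t in trusted_set:
        t_name, _, t_tld = t.rpartition(".")
        if name and name == t_name and tld != t_tld:
            return "wrong-tld", t
    return "external", None


def screen_outbound(recipients: Iterable[str], trusted: Iterable[str]) -> Dict[str, str]:
    """Map each recipient to its verdict; anything but ok/external deserves a hold and review."""
    return {r: check_recipient(r, trusted)[0] for r in recipients}


# Constructed trusted domains and a constructed batch of outbound recipients.
TRUSTED_DOMAINS = ["example.com", "finance.example.com"]
SAMPLE_RECIPIENTS = [
    "alice@example.com",          # exact match
    "bob@exampl.com",             # one character dropped (like goggle.com)
    "carol@financeexample.com",   # subdomain dot omitted (the researchers' case)
    "dave@example.net",           # right name, wrong top-level domain
    "erin@partner.org",           # unrelated external domain
]

if __name__ == "__main__":
    for addr, verdict in screen_outbound(SAMPLE_RECIPIENTS, TRUSTED_DOMAINS).items():
        print(f"{addr:28} {verdict}")
```

A gateway rule that holds anything classified missing-dot, lookalike or wrong-tld for sender confirmation turns the silent loss the researchers measured into a visible prompt; registering the obvious variants of your own domains, as the text implies, closes the gap from the other side.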
Watering Hole Attack In many regions similar types of animals are known to congregate
around a pool of water for refreshment. In a similar manner a watering hole attack is
directed toward a smaller group of specific individuals, such as the major executives working
for a manufacturing company. These executives all tend to visit a common website, such as
that of a parts supplier to the manufacturer. An attacker who wants to target this group of
executives will attempt to determine the common website that they frequent and then infect it
with malware that will make its way onto the group’s computers.
A recent watering hole attack resulted in Mac computers located on
Apple’s main campus becoming infected. Several Apple employees
visited the same website for Apple software developers that was
infected.
Physical Procedures
Just as some social engineering attacks rely on psychological manipulation, other attacks rely
on physical acts. These attacks take advantage of user actions that can result in compromised
security. Two of the most common physical procedures are dumpster diving and tailgating.
Dumpster Diving Dumpster diving involves digging through trash receptacles to find
information that can be useful in an attack. Table 2-7 lists the different items that can be
retrieved—many of which appear to be useless—and how they can be used.
Item retrieved | Why useful
Calendars | A calendar can reveal which employees are out of town at a particular time.
Inexpensive computer hardware, such as USB flash drives or portable hard drives | These devices are often improperly disposed of and may contain valuable information.
Memos | Seemingly unimportant memos can often provide small bits of useful information for an attacker who is building an impersonation.
Organizational charts | These identify individuals within the organization who are in positions of authority.
Phone directories | A phone directory can provide the names and telephone numbers of individuals in the organization to target or impersonate.
Policy manuals | These may reveal the true level of security within the organization.
System manuals | A system manual can tell an attacker the type of computer system that is being used so that other research can be conducted to pinpoint vulnerabilities.
Table 2-7 Dumpster diving items and their usefulness
Tailgating Organizations can invest tens of thousands of dollars to install specialized doors
that only permit access to authorized users who possess a special card or who can enter a specific code. These automated access control systems are designed to restrict entry into an area.
However, a weakness of these systems is that they cannot always control how many people
enter the building when access is allowed; once an authorized person opens the door, virtually
any number of individuals can follow behind and also enter. This is known as tailgating.
Several ways in which tailgating may occur are:
A tailgater waits at the end of the sidewalk until an authorized user opens the door.
She then calls out to him to “Please hold the door!” as she hurries up to the door.
In most cases, good etiquette wins out over good security practices, and the door is
held open for the tailgater.
A tailgater waits near the outside of the door and then quickly enters once the
authorized employee leaves the area. This technique is used most commonly during
weekends and at night, when the actions of the more overt tailgater would be
suspicious.
A tailgater stands outside the door and waits until an employee exits the building. He
then slips behind the person as he is walking away and grabs the door just before it
closes to gain access to the building.
An employee conspires with an unauthorized person to allow him to walk in with him
through the open door (called piggybacking).
If an attacker cannot enter a building as a tailgater without raising suspicion, an alternative
is to watch an individual entering the security code on a keypad. Known as shoulder surfing, it can be used in any setting in which a user “casually observes” someone entering an
authorized code on a keypad.
A new defense against shoulder surfing is an application that uses
the computer’s web cam to watch if anyone nearby is looking at the
computer screen. If someone is detected, the user can be alerted
with a popup window message or the screen will automatically blur
so that it cannot be read.
Chapter Summary
Malware is malicious software that enters a computer system without the owner’s
knowledge or consent and includes a wide variety of damaging actions. In order to
avoid detection by scanning software, attackers mask the presence of their malware
by having it “mutate” or change. One method of classifying the various types of
malware is by using the primary trait that the malware possesses. These traits are
circulation, infection, concealment, and payload capabilities.
One of the types of malware that has the primary trait of circulation is a computer
virus. A virus is malicious computer code that reproduces itself on the same computer.
A virus inserts itself into a computer file (a data file or program) and then looks to
reproduce itself on the same computer as well as unload its malicious payload.
Another type of such malware is a worm, which travels through a network and is
designed to take advantage of a vulnerability in an application or an operating system
in order to enter a user’s computer. Once the worm has exploited the vulnerability on
one system, it immediately searches for another computer that has the same vulnerability. A Trojan is a program advertised as performing one activity but in addition
does something malicious. Some malware has as its primary trait avoiding detection.
A rootkit is a set of software tools used to hide the actions or presence of other types
of software.
The destructive power of malware is to be found in its payload capabilities. Different types of malware are designed to collect important data from the user’s
computer and make it available to the attacker. Spyware is a general term used to
describe software that secretly spies on users by collecting information without
their consent. One type of spyware is a keylogger, which silently captures and
stores each keystroke that a user types on the computer’s keyboard. A keylogger
can be a small hardware device or a software program. Adware is a software
program that delivers advertising content in a manner that is unexpected and
unwanted by the user. Ransomware locks up a user’s computer and then
displays a message that purports to come from a law enforcement agency or
security software company and demands payment of a fine online before the
computer is released.
The payload of other types of malware deletes data on the computer. A logic bomb is
computer code that is typically added to a legitimate program but lies dormant until it
is triggered by a specific logical event. Once it is triggered, the program then deletes
data or performs other malicious activities. The payload of some types of malware
attempts to modify the system’s security settings so that more insidious attacks can be
made. One type of malware in this category is called a backdoor. A backdoor gives
access to a computer, program, or service that circumvents any normal security
protections.
One of the most popular payloads of malware today carried by Trojans, worms, and
viruses is software that will allow the infected computer to be placed under the remote
control of an attacker. This infected computer is known as a zombie. When zombie
computers are gathered into a logical computer network, they create a botnet.
Social engineering is a means of gathering information for an attack by relying on the
weaknesses of individuals. Many social engineering attacks rely on psychology, which
is the mental and emotional approach rather than the physical. At its core, social
engineering relies on an attacker’s clever manipulation of human nature in order to
persuade the victim to provide information or take actions. Several basic “principles”
or reasons make psychological social engineering effective. Social engineering impersonation means to masquerade as a real or fictitious character and then play out the
role of that person on a victim. Phishing is sending an email or displaying a web
announcement that falsely claims to be from a legitimate enterprise in an attempt to
trick the user into surrendering private information. Several variations on phishing
attacks exist. Beyond just being annoying, spam significantly reduces work productivity as users spend time reading and deleting spam messages, which are a means for
distributing malware as well.
Attackers can use hoaxes as a first step in an attack, which is a false warning, often
contained in an email message claiming to come from the IT department. Recipients
are told that they should erase specific files or change security configurations, and
then forward the message to other users. Typo squatting (URL hijacking) takes
advantage of user misspellings to direct them to fake websites. A watering hole attack
is directed toward a smaller group of specific individuals, such as the major executives
working for a manufacturing company.
Social engineering is a means of gathering information for an attack by relying
on the weaknesses of individuals. Social engineering attacks can involve psychological approaches as well as physical procedures. One of the most common
forms of social engineering is phishing. Phishing is sending an email, displaying a
web announcement, or recording a phone call that falsely claims to be from a
legitimate enterprise in an attempt to trick the user into surrendering private
information. Phishing is most often accomplished by sending spam, which is
unsolicited email that is annoying, disruptive, and can also pose a serious
security risk.
Some social engineering attacks rely on physical acts. Dumpster diving involves
digging through trash receptacles to find information that can be useful in an
attack. Organizations invest large sums of money to install specialized doors that
only permit access to authorized users who possess a special card or who can
enter a specific code, yet they do not always control how many people enter the
building when access is allowed. Following an authorized person through an open
door is known as tailgating. If an attacker cannot enter a building as a tailgater
without raising suspicion, an alternative is to watch an individual entering the
security code on a keypad. This is known as shoulder surfing, and it can be used
in any setting in which a user spies on a person entering an authorized code on a
keypad.
Key Terms
adware A software program that delivers advertising content in a manner that is
unexpected and unwanted by the user.
armored virus A virus that goes to great lengths in order to avoid detection.
backdoor Software code that gives access to a program or a service that circumvents
normal security protections.
bot herder An attacker who controls a botnet.
botnet A logical computer network of zombies under the control of an attacker.
command and control (C&C or C2) The structure by which a bot herder gives instructions
to zombies in a botnet.
computer virus (virus) Malicious computer code that, like its biological counterpart,
reproduces itself on the same computer.
dumpster diving The act of digging through trash receptacles to find information that can
be useful in an attack.
hoax A false warning designed to trick users into changing security settings on their
computer.
impersonation A social engineering attack that involves masquerading as a real or
fictitious character and then playing out the role of that person on a victim.
keylogger Software or a hardware device that captures and stores each keystroke that a
user types on the computer’s keyboard.
logic bomb Computer code that lies dormant until it is triggered by a specific logical event.
macro A series of instructions that can be grouped together as a single command, often
used to automate a complex set of tasks or a repeated series of tasks.
macro virus A computer virus that is written in a script known as a macro.
malware Software that enters a computer system without the user’s knowledge or consent
and then performs an unwanted and usually harmful action.
metamorphic malware Malware that rewrites its own code and thus appears different
each time it is executed.
oligomorphic malware Malware that changes its internal code to one of a set number of
predefined mutations whenever it is executed.
pharming A phishing attack that automatically redirects the user to a fake site.
phishing Sending an email or displaying a web announcement that falsely claims to be
from a legitimate enterprise in an attempt to trick the user into surrendering private
information.
polymorphic malware Malware code that completely changes from its original form
whenever it is executed.
program virus A computer virus that infects executable program files.
ransomware Malware that prevents a user’s device from properly operating until a fee
is paid.
rootkit A set of software tools used by an attacker to hide the actions or presence of other
types of malicious software.
shoulder surfing Watching an authorized user enter a security code on a keypad.
social engineering A means of gathering information for an attack by relying on the
weaknesses of individuals.
spam Unsolicited email.
spear phishing A phishing attack that targets only specific users.
spim A variation of spam, which targets instant messaging users instead of email users.
spyware A general term used to describe software that spies on users by gathering
information without consent.
tailgating When an unauthorized individual enters a restricted-access building by
following an authorized user.
Trojan horse (Trojan) An executable program that is advertised as performing one activity
but which actually performs a malicious activity.
typo squatting Redirecting a user to a fictitious website based on a misspelling of the
URL. Also called URL hijacking.
URL hijacking Redirecting a user to a fictitious website based on a misspelling of the URL.
Also called typo squatting.
vishing A phishing attack that uses telephone calls instead of email.
watering hole attack A malicious attack that is directed toward a small group of specific
individuals who visit the same website.
whaling A phishing attack that targets only wealthy individuals.
worm A malicious program designed to enter a computer via a network to take advantage
of a vulnerability in an application or an operating system.
zombie An infected computer that is under the remote control of an attacker.
Review Questions
1. A(n) ____ requires a user to transport it from one computer to another.
a. worm
b. rootkit
c. virus
d. adware
2. Which of these is NOT an action that a virus can take?
a. transport itself through the network to another device
b. cause a computer to crash
c. erase files from a hard drive
d. reformat the hard disk drive
3. Which malware locks up a user’s computer and then displays a message that purports
to come from a law enforcement agency?
a. virus
b. ransomware
c. worm
d. Trojan
4. Which of the following is an attempt to influence a user by coercion?
a. authority
b. social proof
c. intimidation
d. familiarity
5. A user who installs a program that prints out coupons but in the background silently
collects her passwords has installed a ____.
a. virus
b. worm
c. Trojan
d. logic bomb
6. What should you do to completely remove a rootkit from a computer?
a. Flash the ROM BIOS.
b. Erase and reinstall all files in the WINDOWS folder.
c. Expand the Master Boot Record.
d. Reformat the hard drive and reinstall the operating system.
7. Which of these could NOT be defined as a logic bomb?
a. Erase all data if John Smith’s name is removed from the list of employees.
b. Reformat the hard drive three months after Susan Jones left the company.
c. Send spam email to all users in the company on Tuesday.
d. If the company’s stock price drops below $10, then credit Jeff Brown with 10
additional years of retirement credit.
8. What is it called when a user makes a typing error when entering a URL that takes
him to an imposter website?
a. URL variance
b. typo squatting
c. spell scraping
d. work hijacking
9. Which of these is a general term used for describing software that gathers information
without the user’s consent?
a. adware
b. spyware
c. scrapeware
d. pullware
10. Which statement regarding a keylogger is NOT true?
a. Hardware keyloggers are installed between the keyboard connector and computer
keyboard USB port.
b. Software keyloggers are easy to detect.
c. Keyloggers can be used to capture passwords, credit card numbers, or personal
information.
d. Software keyloggers can be designed to send captured information automatically
back to the attacker through the Internet.
11. The preferred method today of bot herders for command and control of zombies
is ____.
a. Internet Relay Chat (IRC)
b. botnets
c. Hypertext Transport Protocol (HTTP)
d. spam
12. A watering hole attack is directed against ____.
a. wealthy individuals
b. attackers who send spam
c. all users of a large corporation
d. users who access a common website
13. ____ sends phishing messages only to wealthy individuals.
a. Spear phishing
b. Target phishing
c. Microing
d. Whaling
14. What is unsolicited instant messaging called?
a. spim
b. spam
c. vishing
d. SMS phishing
15. Michelle pretends to be the help desk manager and calls Steve to trick him into giving
her his password. What social engineering attack has Michelle performed?
a. aliasing
b. impersonation
c. luring
d. duplicity
16. How can an attacker use a hoax?
a. By sending out a hoax, an attacker can convince a user to read his email more
often.
b. A hoax could convince a user that a bad Trojan is circulating and that he should
change his security settings.
c. A user who receives multiple hoaxes could contact his supervisor for help.
d. Hoaxes are not used by attackers today.
17. Which of these items retrieved through dumpster diving would NOT provide useful
information?
a. calendars
b. memos
c. organizational charts
d. books
18. ____ is following an authorized person through a secure door.
a. Tagging
b. Backpacking
c. Tailgating
d. Caboosing
19. Each of these is a reason why adware is scorned EXCEPT ____.
a. it displays the attacker’s programming skills
b. it can interfere with a user’s productivity
c. it displays objectionable content
d. it can cause a computer to crash or slow down
20. What is the term used for an attacker who controls multiple zombies in a botnet?
a. zombie shepherd
b. rogue IRC
c. bot herder
d. cyber-robot
Hands-On Projects
If you are concerned about installing any of the software in these
projects on your regular computer, you can instead install the software in the Windows virtual machine created in the Chapter 1
Hands-On Projects 1-3 and 1-4. Software installed within the virtual
machine will not impact the host computer.
Project 2-1: Write-Protecting and Disabling a USB
Flash Drive
Viruses and other malware are often spread from one computer to another by
infected USB flash drives. This can be controlled by either disabling the USB
port or by write-protecting the drive so that no malware can be copied to it.
Disabling the port can be accomplished by changing a Windows registry
setting, while write-protecting the drive can be done through third-party software that can control USB device permissions. In this project, you will download and install a software-based USB write blocker to prevent data from
being written to a USB device and also disable the USB port. You will need a
USB flash drive for this project.
1. Open your web browser and enter the URL www.irongeek.com/i.php?page=security/thumbscrew-software-usb-write-blocker
The location of content on the Internet may change without warning.
If you are no longer able to access the program through the above
URL, use a search engine to search for “Irongeek Thumbscrew”.
2. Click Download Thumbscrew.
3. If the File Download dialog box appears, click Save and follow the
instructions to save this file in a location such as your desktop or a
folder designated by your instructor.
4. When the file finishes downloading, extract the files in a location such as
your desktop or a folder designated by your instructor. Navigate to that
location and double-click thumbscrew.exe and follow the default installation procedures.
5. After installation, notice that a new icon appears in the system tray in
the lower right corner of the screen.
6. Insert a USB flash drive into the computer.
7. Navigate to a document on the computer.
8. Right-click the document and then select Send to.
9. Click the appropriate Removable Disk icon of the USB flash drive to
copy the file to the flash drive.
10. Now make the USB flash drive write protected so it cannot be written to.
Click the icon in the system tray.
11. Click Make USB Read Only. Notice that a red circle now appears over
the icon to indicate that the flash drive is write protected.
12. Navigate to a document on the computer.
13. Right-click the document and then select Send to.
14. Click the appropriate Removable Disk icon of the USB flash drive to
copy the file to the flash drive. What happens?
15. Click the icon in the system tray to change the permissions so that the
USB drive is no longer read only.
16. Now disable the USB port entirely. First remove the flash drive from the
USB port.
17. In the Windows Run dialog box enter regedit.
18. In the left pane double-click HKEY_LOCAL_MACHINE to expand it.
19. Double-click SYSTEM.
20. Double-click ControlSet001.
21. Double-click USBSTOR as shown in Figure 2-10.
Figure 2-10 Windows Registry Editor
Source: Microsoft Windows
22. In the right pane double-click Start.
23. In Value data: change the number of 3 to 4. Be sure that Hexadecimal
under Base is selected.
24. Click OK.
25. Now insert a USB flash drive into the USB port. What happens?
26. To reactivate the port, change the Value data: back to 3 and click OK.
27. Close all windows.
Project 2-2: Scan for Rootkits Using a Basic Tool
Scanning for rootkits can help identify malware on a system. In this project,
you will download the basic rootkit scanner Kaspersky TDSSKiller.
1. Open your web browser and enter the URL
support.kaspersky.com/viruses/disinfection/5350
The location of content on the Internet may change without
warning. If you are no longer able to access the program through
the above URL, use a search engine to search for “Kaspersky
TDSSKiller”.
2. Click each plus sign to expand the information How to disinfect a
compromised system, Operating systems supported by the utility,
and List of malicious programs the utility fights. Read through this
material.
3. Under the section How to disinfect a compromised system click
TDSSKiller.exe and download it.
4. After the download is complete launch TDSSKiller.
5. Click Accept on the End User License Agreement.
6. Click Accept on the KSN Statement.
7. Click Change parameters to see the elements that will be scanned.
8. Click Loaded modules. The system will need to reboot. Click Reboot
now.
9. Click OK.
10. After the system reboots, it will automatically load the necessary features
for TDSSKiller to run.
11. Click Start scan.
12. After the scan is completed, click details. If nothing malicious is identified this will be empty. Click Close.
13. Click Report and maximize the screen. This provides a detailed analysis
of the scan. After looking through this report, click Close.
14. Close Kaspersky TDSSKiller.
Chapter 2 Malware and Social Engineering Attacks
Project 2-3: Scan for Rootkits Using an Advanced Tool
In this project, you will download and use the advanced rootkit scanner
GMER.
1. Open your web browser and enter the URL www.gmer.net
The location of content on the Internet may change without warning. If you are no longer able to access the program through the
above URL, use a search engine to search for “GMER”.
2. Click Download EXE.
Because GMER reaches deep into the operating system, some antimalware software is triggered, treating the scanner as if it were about to do something malicious, while some rootkits check for the presence of GMER and prevent it from running. Clicking the Download EXE link downloads the program under a different filename instead of GMER.EXE in order to reduce the risk of the software being flagged.
3. Launch GMER.
4. GMER will by default run a quick scan on the system. Any hidden items
on the system that may indicate the presence of a rootkit will be displayed,
although hidden items do not necessarily mean that a rootkit is present.
GMER will display a warning about a potential rootkit. To compare a listing
of hidden items against known rootkits, go to www2.gmer.net/rootkits.php.
5. Click >>> to display the main menu.
6. Click Processes to scan all of the running processes on the computer.
If any hidden processes are detected they are listed in red.
7. Click Modules to list all of the device drivers loaded.
8. Click Services to see all of the Windows services that are present. Any
hidden services will be listed in red.
9. Now do a full scan of the system. Click Rootkit/Malware.
10. In the right pane click C:\.
11. Click Scan.
12. Note that this scan may take up to 30 minutes depending upon the system. Any hidden resources will be displayed after the scan is completed.
13. Close all windows.
Project 2-4: Use a Software Keylogger
A keylogger program captures everything that a user enters on a computer
keyboard. In this project, you will download and use a software keylogger.
The purpose of this activity is to provide information regarding how
these programs function in order that adequate defenses can be
designed and implemented. These programs should never be used
in a malicious fashion against another user.
1. Open your web browser and enter the URL: www.spyrix.com
The location of content on the Internet may change without warning. If you are no longer able to access the program through the
above URL, use a search engine to search for “Spyrix Personal
Monitor”.
2. Click products and compare the features of the different Spyrix products.
3. Click download.
4. Under Spyrix Free Keylogger click Free Download.
5. When the file finishes downloading, install Spyrix and follow the default
installation procedures.
6. Click Finish to launch Spyrix.
7. Click Next to use the wizard to set the program settings.
8. The Hide everywhere option is not available in the Free Keylogger version, but in the other versions it allows Spyrix to act like a rootkit, leaving no traces. Click Next.
9. Create a strong password and enter it under Password to protect access
to the program. Click Next.
10. Change Screenshot Quality to Medium Quality – Medium Size. Click
Next.
11. Check Online Monitoring (via any web-browser) to set up the ability to
view activity online. Click OK.
12. Enter your email address and create another strong password. Click
Create NEW Online Monitoring Account. When the account is set up a
message will appear. Click OK.
13. Click Test secure connection.
14. Click Try to send log.
15. Click Enter your online monitoring account.
16. Enter your username and password.
17. Click Remote computer settings.
18. Under Delivery Interval change the time to 2 minutes. Click Apply.
19. Close the web browser to return to Spyrix.
20. Under Delivery Interval change the time to 2 minutes. Click Next.
21. If prompted enter your Spyrix password.
22. Click the Spyrix icon in your system tray and enter the password.
23. Click Start.
24. Click Minimize.
25. Now use your computer for several minutes as you normally would.
26. Open your web browser and go to spyrix.net and enter your username
and password.
27. Under Events click ALL EVENTS to view everything that has been done
on the computer.
28. Click Screenshots. In the Value column click a screenshot.
29. Click Program Activity to view the programs that you were using.
30. Select several other options to view the keylogging and spy features of
this program.
31. Close the web browser.
32. Click the Spyrix icon in your system tray and enter the password.
33. Click Stop and then Exit.
34. Enter your password and click OK.
35. Close all windows.
Case Projects
Case Project 2-1: Researching Trojan Attacks
Trojans continue to be a highly favored means of attack today and pose a serious threat to users. Use the Internet to search for the latest information
regarding current Trojans. You may want to visit security vendor sites, like
Symantec or McAfee, or security research sites such as sans.org to find the latest information. What are the latest attacks? What type of damage can they
do? What platforms are the most vulnerable? Write a one-page paper on your
research.
Case Project 2-2: Social Engineering Psychological
Approaches
Several basic “principles” or reasons make psychological social engineering
effective. These include authority, intimidation, consensus/social proof, scarcity, urgency, familiarity/liking, and trust. Table 2-6 uses these principles in a
scenario of an attacker pretending to be the chief executive officer (CEO) calling the organization’s help desk to have a password reset. Create two additional scenarios, such as an attacker impersonating a help desk employee who
wants access to an employee’s protected information, and create a dialog
example for each of the seven principles.
Case Project 2-3: Social Engineering Attack
The opening Today’s Attacks and Defenses illustrated how attackers used a
fictitious attractive and intelligent young female to trick males into
compromising security. If you were to create your own social engineering
attack, what would it be? Using your place of employment or school, first
determine exactly what your goal would be in the attack, and then craft a
detailed description of how you would carry out the attack using only social
engineering to achieve your goal. You may want to search the Internet for
examples of previously successful attacks that used social engineering. Why do
you think your attack would be successful? Who would be involved? What
would be the problems in achieving your goal? Why? Write a one-page paper
on your research.
Case Project 2-4: Comparing Keyloggers
Use the Internet to research different keyloggers. Create a table that lists five
different hardware keyloggers, their available memory, specific features, and
their cost. Then create another table of five different software keyloggers with
their features. Are you surprised at the functionality of these devices? Write a
summary of your findings.
Case Project 2-5: Ransomware Attacks
Use the Internet to research some of the different ransomware attacks that
have occurred recently. Identify at least three attacks that are current. What
do they do? Why are they so successful? How are they being spread? What
can users do to protect themselves? How can ransomware be removed from a
computer? Write a one-page summary of your research.
Case Project 2-6: Phishing Test
Detecting phishing emails can often be difficult. Point your web browser to
survey.mailfrontier.com/survey/quiztest.cgi, and then click The MailFrontier
Phishing IQ Test v 2.0. Click each hyperlink to display an email message or
website, and then decide whether or not it is phishing. When you are finished
your score will be displayed along with an explanation regarding why the
example is or is not phishing. Then, click The MailFrontier Phishing IQ Test
and take another phishing test. Did what you learn on the first test help? Did
your score on this test improve? Write a one-paragraph summary on what you
learned about phishing in this test.
Case Project 2-7: Combating Typo Squatting
What can organizations do to fight back against typo squatting? Research the
Internet to find out how companies are combating this growing problem.
How can these typo squatting sites be taken down? What must a company
do in order to stop these sites? And why has it been so difficult to do this?
What proactive steps can a company take? Write a one-page report on your
research.
Case Project 2-8: Bay Pointe Security Consulting
Bay Pointe Security Consulting (BPSC) provides security consulting services
to a wide range of businesses, individuals, schools, and organizations. BPSC
has hired you as a technology student to help them with a new project and
provide real-world experience to students who are interested in the security
field.
P&T Heating and Cooling installs and services residential and commercial
air conditioning and heating units in a large metropolitan area. Recently
P&T has been the victim of several different successful attacks that have
caused significant problems. P&T has contacted BPSC for assistance.
Because you are close to completing your degree, BPSC has asked for your
help.
1. Create a PowerPoint presentation that lists 15 different types of malware
and defines each type in detail regarding what the malware can do, how
it spreads, its dangers, etc. Your presentation should contain at least 10
slides.
2. After the presentation and more investigation, it appears that some of
the attacks were the result of social engineering. P&T has asked you to
create a one-page paper that describes social engineering attacks and
how they may be performed, including a list of practical tips for their
employees to resist these attacks. Create the paper for P&T.
Case Project 2-9: Community Site Activity 1
The Information Security Community Site is an online companion to this textbook. It contains a wide variety of tools, information, discussion boards, and
other features to assist learners. Go to community.cengage.com/infosec and
click JOIN THE COMMUNITY, using the login name and password that
you created in Chapter 1. Visit the Discussions section, and then read the following case study.
An auditor was hired to determine if he could gain access to the network servers of a printing company that contained important proprietary information.
The chief executive officer (CEO) of the printing company boldly proclaimed
that breaking into the servers by the auditor would be “next to impossible”
because the CEO “guarded his secrets with his life.” The auditor was able to
gather information about the servers, such as the locations of the servers in
different printing plants and their IP addresses, along with employee names
and titles, their email addresses, phone numbers, physical addresses, and other
information.
The auditor also learned that the CEO had a family member who had battled
through cancer and lived. As a result the CEO became involved in cancer
fundraising. By viewing the CEO’s entry on Facebook, he was also able to
determine his favorite restaurant and sports team.
The auditor then called the CEO and impersonated a fundraiser from a cancer
charity that the CEO had been involved with before. The auditor said that
those individuals who made donations to this year’s charity event would be
entered into a drawing for prizes, which included tickets to a game played by
the CEO’s favorite sports team and gift certificates to area restaurants, one of
which was the CEO’s favorite.
After stoking the interest of the CEO in the fake charity event, the auditor said
that he would email him a PDF document that contained more information.
When the CEO received the attachment he opened it, and a backdoor was
installed on his computer without his knowledge. The auditor was then able
to retrieve the company’s sensitive material. (When the CEO was later
informed of what happened, he called it “unfair”; the auditor responded by
saying, “A malicious hacker would not think twice about using that information against you.”)
Now pretend that you are an employee of that company and that it is your
job to speak with the CEO about the security breach. What would you say to
him? Why? What recommendations would you make for training and awareness for the company? Enter your answers on the InfoSec Community Server
discussion board.
Case Project 2-10: Community Site Activity 2
The Information Security Community Site is an online companion to this textbook. It contains a wide variety of tools, information, discussion boards, and
other features to assist learners. Go to community.cengage.com/infosec and
click JOIN THE COMMUNITY, using the login name and password that
you created in Chapter 1. Visit the Discussions section, and then read the following case study.
A recent attack used both social engineering and basic “detective work” to
erase journalist Mat Honan’s online Google account along with his personal
iPhone, iPad, and MacBook computer data. It all started with the attackers
following a link on Mat’s Twitter account to his personal website, which listed
his Gmail address. The attackers entered his Gmail address on Google’s password recovery page and were able to see his partially obscured alternate email
address. They correctly guessed that m****n@me.com was actually
mhonan@me.com. The site me.com was an Apple service (now called iCloud)
so the attackers now knew Mat’s Apple ID. Using a basic web search of his
website’s domain name they uncovered his billing address.
With this information they contacted Amazon.com by telephone and were
able to convince the customer service representative that it was Mat who was
calling; they tricked the representative into asking if the last four digits of his
credit card number on file were 1954 (of course, the attackers said it was). With
Mat’s Apple ID, billing address, and last four digits of his credit card number,
the attackers called AppleCare by phone and convinced the representative to
issue a temporary password for Mat’s Apple account. They then reset the
password, locking Mat out, and with the mhonan@me.com name and new
password, they reset the password on his Gmail account—and then promptly
erased more than 6 GB of Google email messages. They also used iCloud’s
remote wipe service to completely erase all the data on his iPhone, iPad, and
MacBook.
What went wrong? What policies should Google, Amazon.com, and AppleCare have had in place to prevent this? What recommendations would you
make for the employees who were tricked into giving out information over
the phone? Enter your answers on the InfoSec Community Server discussion
board.
Chapter 3 Application and Networking-Based Attacks
After completing this chapter, you should be able to do the following:
• List and explain the different types of server-side web application attacks
• Define client-side attacks
• Explain how overflow attacks work
• List different types of networking-based attacks
Chapter 3 Application and Networking-Based Attacks
Today’s Attacks and Defenses
Many attacks today are developed by script kiddies, individuals who want to attack
computers yet lack the knowledge of computers and networks needed to do so.
Script kiddies do their work by downloading automated attack software (scripts)
from websites and using it to perform malicious acts. It is estimated that three out
of every four Internet-based attacks originate from these exploit kits.
But what about the other 25 percent of attacks? Where do they come from?
Skilled attackers are now creating training courses to instruct novice attackers on
how to create and launch sophisticated web application and networking attacks.
And what is interesting is that these “cybercrime professors” are modeling their
training after that typically found in today’s colleges.
It has long been common for seasoned criminals to offer advice to newcomers,
whether the crime is stealing cars or attacking a web server. Whereas that advice
was at one time free, today’s cybercriminals are likely to charge a fee to pass on
their knowledge. These attacker instructors are not just providing tips and tricks that
they have learned; they are delivering a comprehensive education on attacking.
Entire cybercrime courses, tutoring lessons, and counseling are being offered and
paid for by students’ tuition. Most of these courses, advertised in various attacker
underground sites, are taught using videoconferencing sessions to help encourage
interactivity between teacher and students.
One such course for novice attackers could be called “The Business of Fraud.” Students
learn how debit and credit cards work and the merchant infrastructure behind them,
how to avoid being caught by authorities, and what can be used against the attackers in
a court of law if they are caught. The course also covers how to find victims and even
how to avoid being scammed by other attackers. The basic cost per lecture is about $75.
Another course, which could be entitled “Anonymity 101,” covers how attackers
can remain anonymous by avoiding detection and erasing any trace of evidence.
Students learn about configuring and using anonymity tools by turning off browser
logging features on victims’ computers, eliminating traces of an attack, setting up
disposable email accounts, and remotely “liquidating” a victim’s hard drive. This
course also covers what evidence law enforcement personnel will search for and
what can be used against attackers who are caught. The cost is about $100.
Taking a page from college courses, these cybercrime professors often post strict
policies for online attendance. One course requires students to give a two-hour
notice if they cannot attend the session. Students who fail to do this forfeit half of
the course fees before being permitted to reschedule a makeup class. In addition,
some of these schools even advertise “job placement” for their graduates: instructors
will vouch for star pupils in order to help them join advanced underground attacker
communities that otherwise would be difficult to access.
It is virtually unimaginable to think of the world today without the Internet. Perhaps no technology
over the last 50 years has impacted our lives more than this “international network of networks.”
Internet users can surf the Web for an untold wealth of information, send text messages and check
email, download electronic books, and watch online videos from virtually anywhere. Free wireless
Internet connections are available for customers in coffee shops and restaurants across the country.
Students use Internet services on their school’s campus in order to access instructional material as
well as remain connected to friends. Travelers can have wireless Internet access while waiting in
airports, traveling on airplanes and trains, and working in their hotel rooms. At work, employees
can access remote data during meetings and in conference rooms, thus significantly increasing their
productivity. The Internet has also spurred the growth of many other new technologies, such as
tablets and smartphones. Our world today is truly shaped by the Internet.
Yet the Internet also has opened the door for attackers to invisibly and instantaneously reach
around the world to launch attacks on devices connected to it. And just as users can surf the
Web without openly identifying themselves, attackers can use anonymity to cloak their identity and prevent authorities from finding and prosecuting them.
This chapter continues the discussion of threats and vulnerabilities from the previous chapter’s
coverage of malware and social engineering. First the chapter looks at attacks that target
server-side web applications and client-side applications; then it explores some of the common
attacks that are launched against networks today.
Application Attacks
3.2 Summarize various types of attacks.
3.5 Explain types of application attacks.
Figure 3-1 illustrates the conceptual view of a networked computer system. A network is used
to connect different clients and servers together. These clients and servers run an operating
system that controls applications that in turn manipulate data. Each of these represents an
attack vector for attackers to exploit. Attacks on the applications in a networked computer
system can be directed toward the server, the client, or both.
[Figure 3-1 Conceptual networked computer system: a network connects a client and a server; each runs an operating system that hosts applications, which in turn manipulate data]
Server-Side Web Application Attacks
As its name implies, a server provides services to clients. On the Internet, a web server
provides services that are implemented as web applications. That is, the content provided for
users who are “surfing the Web” is generated by a software application running on a server.
In providing web services to clients, web servers also expose those
same services to attackers.
An important characteristic of server-side web applications is that they create dynamic content based on inputs from the user. For example, a webpage might ask a user to enter her
zip code in order to receive the latest weather forecast for that area. Thus the dynamic operations of a web application depend heavily upon inputs provided by users.
A typical dynamic web application infrastructure is shown in Figure 3-2. The client’s web
browser makes a request using the Hypertext Transfer Protocol (HTTP) to a web server,
which may be connected to one or more web application servers. These application servers
run the specific “web apps,” which in turn are directly connected to databases on the internal
network. Information from these databases is retrieved and returned to the web server so that
the dynamic information can be sent back to the user’s web browser.
[Figure 3-2 Server-side web application infrastructure: HTTP traffic from the client reaches the web server, which is connected to several app servers, each backed by its own database]
Securing server-side web applications is often considered more difficult than protecting
other systems. First, although traditional network security devices can block traditional
network attacks, they cannot always block web application attacks. This is because many
traditional network security devices ignore the content of HTTP traffic, which is the vehicle of web application attacks. Second, many web application attacks (as well as other
application attacks) exploit previously unknown vulnerabilities. Known as zero-day
attacks, these attacks give victims no time—zero days—to defend against the attacks.
Finally, by design the dynamic server-side web applications accept user input, such as the
zip code of the region for which a weather forecast is needed. Most other systems would
categorically reject any user input as potentially dangerous, not knowing if the user is a
friend or foe.
Many server-side web application attacks target the input that the applications accept from
users. Such common web application attacks are cross-site scripting, SQL injection, XML
injection, and command injection/directory traversal.
Cross-Site Scripting (XSS) Not all attacks on websites are designed to steal content or
deface it. Instead, some attacks use the web server as a platform to launch attacks on other
computers that access it. One such attack is a cross-site scripting (XSS) attack. XSS injects
scripts into a web application server to direct attacks at unsuspecting clients.
Many web applications are designed to customize content for the user by taking what the
user enters and then displaying that input back to the user. Typical customized responses
are listed in Table 3-1.
Table 3-1 Customized responses
User input      | Variable that contains input | Web application response                    | Coding example
Search term     | search_term                  | Search term provided in output              | "Search results for search_term"
Incorrect input | user_input                   | Error message that contains incorrect input | "user_input is not valid"
User's name     | name                         | Personalized response                       | "Welcome back name"
Figure 3-3 illustrates a fictitious web application that allows friends to share their favorite
bookmarks with each other online. Users can enter their name, a description, and the URL
of the bookmark, and then receive a personalized “Thank You” screen. In Figure 3-4 the
code that generates the “Thank You” screen is illustrated.
XSS attacks occur when an attacker takes advantage of web applications that accept user
input without validating it and then present it back to the user. In the previous example,
the input that the user enters for Name is not verified but instead is automatically added to
a code segment that becomes part of an automated response. An attacker can use this vulnerability in an XSS attack by tricking a valid website into feeding a malicious script to
another user’s web browser, which will then execute it.
Figure 3-3 Bookmark page that accepts user input
Source: Microsoft Inc.
(Screenshot: the Contoso Bookmark Page at http://localhost:1416/Contoso%20Bookmark..., with the text "Welcome to the Contoso Bookmark Page where friends can share their favorite bookmarks. Bookmarks are located in the application root App_Data folder in bookmarks.txt", input fields Your Name, Description, and Bookmark, buttons Add New Bookmark and Delete Bookmark File, and the resulting "Thank You for Your Submission!" page reading "Thank you ABBY for your submission!" with the link "Click here to return to the bookmark page".)
Figure 3-4 Input used in response
Source: Microsoft Inc.
(Screenshot: the "Thank You for Your Submission!" page beside ThankYou.aspx.cs open in Visual Studio. The visible Page_Load(object sender, EventArgs e) handler checks that the Name field is non-empty (name.Length != 0) and then builds the page text by concatenating the field directly into the output: ...ou.Text = "Thank you" + Name + "for your submission!"; followed by ...ou.Text += "Click here to return to ...".)
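The defect the text describes in Figure 3-4 is that the Name value is concatenated into the page with no encoding. The following Python is an added illustration, not the book's Contoso code: thank_you_unsafe() reproduces the concatenation, thank_you_safe() applies HTML output encoding with the standard library's html.escape(), and unencoded_tags() is a check a test suite can run on the rendered page to see whether any user-supplied markup survived as live HTML. The function names and the sample input are constructed for this example.

```python
import html
import re

# Constructed stand-in for the Figure 3-4 handler: the Name field is pasted
# straight into the "Thank You" page, so browser markup in it stays live.
def thank_you_unsafe(name: str) -> str:
    return "<p>Thank you " + name + " for your submission!</p>"

# Hardened form: HTML-encode the value before it reaches the page, so the
# browser treats whatever the user typed as text, never as markup or script.
def thank_you_safe(name: str) -> str:
    return "<p>Thank you " + html.escape(name, quote=True) + " for your submission!</p>"

# The only tags the template itself emits; anything else came from user input.
TEMPLATE_TAGS = {"<p>", "</p>"}

def unencoded_tags(rendered: str) -> list:
    """Output-encoding check: return every tag in the page that is not the template's own."""
    return [t for t in re.findall(r"<[^>]+>", rendered) if t not in TEMPLATE_TAGS]

if __name__ == "__main__":
    # Constructed input carrying markup; in a real XSS attack the same path carries a script.
    submitted = "Abby <b>Thomas</b>"
    print(thank_you_unsafe(submitted))  # the <b> element survives as live HTML
    print(thank_you_safe(submitted))    # rendered as the literal text "<b>Thomas</b>"
    print(unencoded_tags(thank_you_unsafe(submitted)))  # ['<b>', '</b>']
    print(unencoded_tags(thank_you_safe(submitted)))    # []
```

Encoding at the point of output is the fix the text implies: the input is still accepted and still echoed, but it can no longer change the structure of the page. The same encoding must be applied wherever the value is placed; an attribute or a script context needs its own encoding rules, which html.escape alone does not cover.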
Although the term cross-site scripting can be confusing, it refers to
an attack using scripting that originates on one site (the web server)
to impact another site (the user’s computer).
A typical XSS attack may take advantage of a blogger’s website that asks for user
comments. The attack begins by the attacker posting a comment. However, within the
comment the attacker crafts a script that performs a malicious action or even redirects
the user to the attacker’s website. When an unsuspecting victim visits the blogger’s site
and clicks on the attacker’s comment, the malicious script is downloaded to the victim’s
web browser where it is executed. Besides redirecting the victim to a malicious site, other
XSS attacks are designed to steal sensitive information that was retained by the browser
when visiting specific sites, such as an online site to purchase merchandise. The XSS
attack can steal this information and allow it to be used by an attacker to impersonate
the legitimate user.
Some security experts note that XSS is like a phishing attack but
without needing to trick the user into visiting a malicious website.
Instead, the user starts at a legitimate website and XSS automatically
directs her to the malicious site.
An XSS attack requires a website that meets two criteria: it accepts user input without validating it, and it uses that input in a response. Despite the fact that XSS is a widely known
type of attack, the number of websites that are vulnerable remains very large. Users can
turn off active scripting in their browsers to reduce the risk of XSS, but this limits their ability to use dynamic websites.
The malicious content of an XSS URL is not confined to material
posted on a website; it can be embedded into virtually any hyperlink, such as one in an email or instant message. That is why users
should not blindly click on a URL that they receive.
SQL Injection Another server-side web application attack that manipulates user responses
is SQL injection. SQL stands for Structured Query Language, a language used to view and
manipulate data that is stored in a relational database. SQL injection targets SQL servers by
introducing malicious commands into them.
Most webpages that require users to log in by entering a user name and password typically
offer a solution for the user who has forgotten his password by providing an online form, as
shown in Figure 3-5. The user enters a valid email address that is already on file. The submitted email address is compared to the stored email address, and if they match, a reset
URL is emailed to that address.
If the email address entered by the user into the form is stored in the variable $EMAIL, then
the underlying SQL statement to retrieve the stored email address from the database would
be similar to:
SELECT fieldlist FROM table WHERE field = '$EMAIL'
Figure 3-5 Request form for forgotten password
(Form: "Forgot your password?" with the fields "Enter your username:" and "Enter your email address on file:" and a Submit button.)
The WHERE clause is meant to limit the database query to only display information when
the condition is considered true (that is, when the email address in $EMAIL matches an
address in the database).
An attacker using an SQL attack would begin by first entering a fictitious email address on
this webpage that included a single quotation mark as part of the data, such as
braden.thomas@fakemail.com’. If the message E-mail Address Unknown is displayed, it
indicates that user input is being properly filtered and an SQL attack cannot be rendered
on the site. However, if the error message Server Failure is displayed, it means that the
user input is not being filtered and all user input is sent directly to the database. This
is because the Server Failure message is due to a syntax error created by the additional
single quotation mark: the fictitious email address entered would be processed as
braden.thomas@fakemail.com’ ’ (with two single quotation marks) and generate the Server
Failure error message.
Armed with the knowledge that input is sent unfiltered to the database, the attacker knows
that anything he enters into the Enter your username: field on the Forgot your password?
form would be sent to and then processed by the SQL database. Now, instead of entering a
user name, the attacker would enter this command, which would let him view all the email
addresses in the database: whatever' or 'a'='a. This command is stored in the variable
$EMAIL. The expanded SQL statement would read:
SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
These values are:
'whatever'. This can be anything meaningless.
or. The SQL or means that as long as either of the conditions is true, the entire
statement is true and will be executed.
'a'='a'. This is a statement that will always be true.
Because 'a'='a' is always true, the WHERE clause is true for every row; it no longer
restricts the query to the single row whose email address matches, as it did before. The
result can be that all user email addresses will then be displayed.
Whereas this example shows how an attacker may retrieve all email
addresses, a more catastrophic attack would be if user passwords
were stored as plaintext and the attacker were able to use SQL injection to extract all of these values. This type of attack has been often
used to steal millions of user passwords. Plaintext passwords should
never be stored in a database.
By entering crafted SQL statements as user input, information from the database can be
extracted or the existing data can be manipulated. SQL injection statements that can be entered
and stored in $EMAIL and their pending results are shown in Table 3-2.
Table 3-2 SQL injection statements
SQL injection statement | Result
whatever' AND email IS NULL; -- | Determine the names of different fields in the database
whatever' AND 1=(SELECT COUNT(*) FROM tabname); -- | Discover the name of the table
whatever' OR full_name LIKE '%Mia%' | Find specific users
whatever'; DROP TABLE members; -- | Erase the database table
whatever'; UPDATE members SET email = 'attacker-email@evil.net' WHERE email = 'Mia@good.com'; | Mail password to attacker's email account
XML Injection A markup language is a method for adding annotations to the text so
that the additions can be distinguished from the text itself. Hypertext Markup Language
(HTML) is such a markup language that uses specific words (tags) embedded in brackets
(< >) that a web browser then uses to display text in a specific format.
Another markup language is XML (Extensible Markup Language). Several significant differences between XML and HTML exist. First, XML is designed to carry data instead of indicating how to display it. Also, XML does not have a predefined set of tags; instead, users
define their own tags. An example of a partial XML file is:
James
Crockett
James_Crockett
19mv85sb
Administrator
Richard
Tubbs
Richard_TubbsPPan
cbn8919
Staff
HTML is designed to display data, with the primary focus on how the
data looks. XML is for the transport and storage of data, with the
focus on what the data is.
An XML injection attack is similar to an SQL injection attack; an attacker who discovers a
website that does not filter input user data can inject XML tags and data into the database.
A specific type of XML injection attack is an XPath injection, which attempts to exploit the
XML Path Language (XPath) queries that are built from user input.
Directory Traversal/Command Injection The root directory is a specific directory
on a web server’s file system. Users who access the server are usually restricted to the root
directory or directories beneath the root directory; however, they cannot access other directories. For example, the default root directory of Microsoft’s Internet Information Services
(IIS) web server is C:\Inetpub\wwwroot. Users have access to this directory and subdirectories beneath this root (C:\Inetpub\wwwroot\news) if given permission, but do not have
access to other directories in the file system, such as C:\Windows\System32.
Do not confuse root directory with the root user account, root
password, rootkits, or root user’s home directory.
A directory traversal uses malformed input or takes advantage of a vulnerability to move
from the root directory to restricted directories. Once the attacker has accessed a restricted
directory, she can enter (inject) commands to execute on a server (called command injection) or view confidential files. A directory traversal attack is illustrated in Figure 3-6.
A directory traversal attack can be launched through a vulnerability in the web application
program that accepts user input, a vulnerability in the web server operating system software,
or a security misconfiguration on the server itself. When using input from the user as the
attack vector, a long string of characters may be entered, such as http://../../../../../../../../,
where ../ traverses up one directory level. For example, a browser requesting a
compiled dynamic webpage (dynamic.asp) from a web server (www.server.net) to retrieve a
file (display.html) in order to display it would generate the request using the URL
http://www.server.net/dynamic.asp?view=display.html
Figure 3-6 Directory traversal attack
(Diagram: a directory tree rooted at C:\ containing Windows\System32 and Inetpub\wwwroot\news; the attacker's path leads from wwwroot up and across to the restricted System32 directory.)
However, if user input were permitted and not properly validated, the attacker could create
the input http://www.server.net/dynamic.asp?view=../../../../../TopSecret.docx which could
display the contents of a document.
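The server-side control for the view= parameter is to resolve the requested name under the web root and refuse anything that lands outside it. The following Python function is an added example, not code from the book or from any web server product; resolve_view() is a hypothetical helper, and the web root path and the sample requests are constructed. It decodes the value once (so %2e%2e is judged the same as ..), collapses every ../ with os.path.realpath, and compares with os.path.commonpath rather than a string prefix so that a sibling directory whose name merely starts with the root's name cannot slip through. It uses POSIX path rules; on Windows the same check would also have to treat the backslash as a separator.

```python
import os
from urllib.parse import unquote

def resolve_view(web_root: str, requested: str):
    """Map a ?view= value to a file under web_root, or return None if it escapes the root.

    Constructed example: web_root stands in for a directory such as
    C:\\Inetpub\\wwwroot and the function is not part of any real server.
    """
    root = os.path.realpath(web_root)
    # Decode once so an encoded "../" (%2e%2e%2f) is judged like a plain one.
    decoded = unquote(requested)
    # Join and then collapse every "../" with realpath.  If `decoded` is an
    # absolute path, os.path.join discards root and the check below rejects it.
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath, not startswith: "/srv/www2" must not pass as being under "/srv/www".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def is_under_root(web_root: str, requested: str) -> bool:
    """Convenience wrapper for access-control decisions and tests."""
    return resolve_view(web_root, requested) is not None

if __name__ == "__main__":
    root = "/var/www/site"   # constructed web root
    for req in ("display.html",
                "news/today.html",
                "../../../../../TopSecret.docx",        # the page's traversal input
                "%2e%2e/%2e%2e/%2e%2e/%2e%2e/TopSecret.docx",
                "/etc/passwd"):
        print(f"{req!r:50} -> {resolve_view(root, req)}")
```

Only the first two requests resolve to a path; the traversal, its URL-encoded form, and the absolute path all return None, which the application should turn into a 404 or 403 rather than a file read.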
Client-Side Application Attacks
Whereas server-side web application attacks target web applications on servers, client-side
attacks target vulnerabilities in client applications that interact with a compromised server
or process malicious data. Generally the client initiates the connection with the server that
results in an attack.
Client-side attacks are not limited to the Web; they can occur on any
client/server pair, such as email, File Transfer Protocol (FTP), instant
messaging (IM), or multimedia streaming.
One example of a client-side attack results in a user’s computer becoming compromised
just by viewing a webpage and not even clicking on any content. This type of attack,
known as a drive-by download, is a serious threat. Attackers first identify a vulnerable
web server and inject content by exploiting the server through vulnerable scripting applications. These vulnerabilities permit the attacker to gain direct access to the server’s
underlying operating system and then inject new content into the compromised website.
To avoid visual detection, the attackers often craft a zero-pixel IFrame. IFrame (short for
inline frame) is an HTML element that allows for embedding another HTML document
inside the main document. A zero-pixel IFrame is virtually invisible to the naked eye;
when unsuspecting users visit an infected website, their browsers download the initial
exploit script that targets a vulnerability in the browser through an IFrame. If the script
can run successfully on the user’s computer, it will instruct the browser to connect to the
attacker’s web server to download malware, which is then automatically installed and
executed on the client.
Many successful drive-by download sites target older web browsers;
these attacks often are not as effective against newer browsers.
Client-side attacks are a favorite with attackers. Much like web application defenses, traditional network security tools cannot always effectively block client-side attacks. Common
client-side attacks include header manipulation, cookies, attachments, session hijacking, and
malicious add-ons.
Header Manipulation The HTTP header consists of fields that contain information
about the characteristics of the data being transmitted. The header fields are comprised of a
field name, a colon, and the field value, such as Content-length: 49. Although HTTP header
field names and values may be any application-specific strings, a core set of fields has been
standardized by the Internet Engineering Task Force (IETF). Table 3-3 lists some common
HTTP header fields.
Table 3-3 HTTP header fields
HTTP field name     | Source      | Explanation                                                                                  | Example
Server              | Web server  | Type of web server                                                                           | Server: Apache
Referer or Referrer | Web browser | The address of the previous webpage from which a link to the currently requested page was followed | Referer: http://www.askapache.com/show-error-502/
Accept-Language     | Web browser | List of acceptable languages for content                                                     | Accept-Language: en-us,en;q=0.5
Set-Cookie          | Web server  | Parameters for setting a cookie on the local computer                                        | Set-Cookie: UserID=ThomasTrain; Max-Age=3600; Version=1
HTTP headers are the result of an HTTP request by a web browser to
a web server or the response back to the browser by the web server.
Usually HTTP headers are used only by the web browser and the
web server software because many web applications choose to
ignore them.
An attacker can modify the HTTP headers to create an attack using HTTP header manipulation. Strictly speaking, HTTP header manipulation is not an actual attack, but rather the
vehicle through which other attacks, such as XSS, can be launched. HTTP header manipulation allows an attacker to pass malicious instructions from her own malicious website or
through an infected site to the web browser via HTTP headers. Examples of HTTP header
attacks include:
Referer. Because some websites check the Referer field to ensure that the request came
from a page generated by that site, an attacker can bypass this security by modifying
the Referer field to hide the fact that it came from another site.
Accept-Language. Some web applications pass the contents of this field directly to the
database. An attacker can inject an SQL command by modifying this header. In
addition, if the web application used the Accept-Language field contents to build a
filename from which to look up the correct language text, an attacker could generate
a directory traversal attack.
Response splitting. One of the most common HTTP header manipulation attacks is
response splitting. First, the application on the client computer must allow input that
contains carriage return (CR using %0d or \r) and line feed (LF using %0a or \n)
characters in the header. By inserting a CRLF in an HTTP header (%0d%0a), these
characters can not only give attackers control of the remaining HTTP headers and
body of the response but also allow them to create additional responses via HTTP
headers that are entirely under their control.
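Response splitting depends on the precondition the text states: a CR or LF from user input, raw or as %0d%0a, reaching a header line. The control is therefore to refuse such a value before it is serialized. The Python below is an added example and not from the book; HeaderInjection, contains_crlf(), safe_header_value() and build_redirect() are hypothetical names, and build_redirect() models a redirect whose Location is taken from a request parameter, the typical place this flaw appears. The sample values are constructed.

```python
from urllib.parse import unquote

class HeaderInjection(ValueError):
    """Raised when a header value would split the HTTP response."""

def contains_crlf(value: str) -> bool:
    """True if the value carries CR or LF, either raw or URL-encoded (%0d, %0a)."""
    # Check a decoded copy: a framework may decode the value later, so %0d%0a
    # must be treated exactly like a literal \r\n.
    decoded = unquote(value)
    return "\r" in decoded or "\n" in decoded

def safe_header_value(value: str) -> str:
    """Return the value unchanged if it is safe to place in a header, else raise."""
    if contains_crlf(value):
        raise HeaderInjection("CR/LF in header value")
    return value

def build_redirect(location: str) -> bytes:
    """Serialize a 302 response whose Location comes from user input (hypothetical helper)."""
    return (
        "HTTP/1.1 302 Found\r\n"
        "Location: " + safe_header_value(location) + "\r\n"
        "\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    print(build_redirect("/home?lang=en-us"))         # normal redirect
    for bad in ("/home%0d%0aX-Injected: yes", "/home\r\nX-Injected: yes"):
        try:
            build_redirect(bad)
        except HeaderInjection as exc:
            print(f"rejected {bad!r}: {exc}")
```

The same contains_crlf() check applies to any header built from request data, Set-Cookie and Location being the usual cases; a value that passes is written verbatim (the percent-encoding is kept, since only the check uses the decoded copy).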
Cookies HTTP does not have a mechanism for a website to track whether a user has
previously visited that site. Any information that was entered on a previous visit, such as
site preferences or the contents of an electronic shopping cart, is not retained in order for
the web server to identify repeat customers. Instead of the web server asking the user for
the same information each time the site is visited, the server can store user-specific information in a file on the user’s local computer and then retrieve it later. This file is called a
cookie.
A cookie can contain a variety of information based on the user’s preferences when visiting a website. For example, if a user inquired about a rental car at a car agency’s website,
that site might create a cookie that contained the user’s travel itinerary. In addition, it
might record the pages visited on a site to help the site customize the view for any future
visits. Cookies also can store any personally identifiable information (name, email address,
work address, telephone number, and so on) that was provided when visiting the site;
however, a website cannot gain access to private information stored on the local
computer.
Once a cookie is created on a client computer, only the website that
created that cookie can read it.
Several different types of cookies exist:
First-party cookie. A first-party cookie is created from the website that a user is
currently viewing. For example, when viewing the website www.cengage.com, the
cookie CENGAGE could be created and saved on the user’s hard drive. Whenever the
user returns to this site, that cookie would be used by the site to view the user’s
preferences and better customize the browsing experience.
Third-party cookie. Some websites attempt to place additional cookies on the local
hard drive. These cookies often come from third parties that advertise on the site and
want to record the user’s preferences. This is intended to tailor advertising to that
user. These cookies are called third-party cookies because they are created by a third
party (such as DoubleClick) that is different from the primary site.
Session cookie. A session cookie is stored in random access memory (RAM), instead
of on the hard drive, and lasts only for the duration of the visit to the website. A
session cookie expires when the user closes the browser or has not interacted with the
site after a set period of time.
Persistent cookie. The opposite of a session cookie is a persistent cookie, also called a
tracking cookie. A persistent cookie is recorded on the hard drive of the computer and
does not expire when the browser closes.
Locally shared objects. A locally shared object (LSO) is also called a Flash cookie,
named after the Adobe Flash player. These cookies are significantly different from
regular cookies in that they can store data more complex than the simple text that is
typically found in a regular cookie. By default, LSOs can store up to 100 KB of data
from a website, about 25 times as much as a regular cookie.
LSOs cannot be deleted through the browser’s normal configuration
settings as regular cookies can. Typically they are saved in multiple locations on the hard drive and also can be used to reinstate
regular cookies that a user has deleted or blocked. In mid-2011,
Adobe, after much criticism, released an online tool to delete
LSOs.
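The session-versus-persistent distinction above is decided by the attributes in the Set-Cookie header from Table 3-3: a cookie with no Max-Age or Expires lives only in the browser's memory for the visit, while one with either attribute is written to disk until it expires. The parser below is an added example, not from the book, that splits a Set-Cookie line into its name, value, and attributes and classifies it on that basis; parse_set_cookie() is a hypothetical name and the second header is constructed.

```python
def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into name, value, attributes and kind.

    kind is "persistent" when Max-Age or Expires is present, otherwise "session".
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to "".
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]          # drop the field name
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")      # first pair is the cookie itself
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    persistent = "max-age" in attrs or "expires" in attrs
    return {
        "name": name.strip(),
        "value": value.strip(),
        "attributes": attrs,
        "kind": "persistent" if persistent else "session",
    }

if __name__ == "__main__":
    # The Table 3-3 example and a constructed session cookie.
    for h in ("Set-Cookie: UserID=ThomasTrain; Max-Age=3600; Version=1",
              "Set-Cookie: sid=64da9DACOqgoipxqQDdywg; HttpOnly; Secure"):
        print(parse_set_cookie(h))
```

The first header yields a persistent cookie that expires 3600 seconds after it is set; the second, with no lifetime attribute, is a session cookie that is discarded when the browser closes.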
Cookies can pose both security and privacy risks. First-party cookies can be stolen and used
to impersonate the user, while third-party cookies can be used to track the browsing or buying habits of a user. When multiple websites are serviced by a single marketing organization,
cookies can be used to track browsing habits on all the client’s sites. These organizations
can track browsing habits from page to page within all their client sites and know which
pages are being viewed, how often they are viewed, and the Internet Protocol (IP) address
of the viewing computer. This information can be used to infer what items the user may be
interested in, and to target advertising to the user.
Many websites use advertising and tracking features to watch what
sites are visited in order to create a profile of user interests. When
you visit a site, it may create a unique identification number (like
BTC081208) that is associated with your browser (your true identity
is not known). Such features allow, for example, different ads to be
displayed to baseball fans who are visiting spring training sites as
opposed to those who are checking out tomorrow night’s symphony
performance. Not only does this tracking result in tailored ads being
displayed as you surf, but it also ensures that the same ads do not
keep appearing over and over.
Attachments Although cookies are normally used for good purposes, they, as well as
attachments, can be exploited by attackers. Attachments are files that are coupled to email
messages. Malicious attachments are commonly used to spread viruses, Trojans, and other
malware when they are opened. Most users are unaware of the danger of attachments and
routinely open any email attachment that they receive, even if it is from an unknown sender.
Attackers often include information in the subject line that entices even reluctant users to
open the attachment, such as a current event (“Check out this info about yesterday’s hurricane”) or information about the recipient (“Is this really you in this picture?”).
Email-distributed malware frequently takes advantage of personal information contained on the user’s computer. For example, some malware
can replicate by sending itself as an email attachment to all of the contacts
in a user’s email address book. The unsuspecting recipients, seeing that
an email and attachment arrived from a known person, typically with a
provocative subject line, open the attachment and infect their computers.
Session Hijacking It is important that a user who is accessing a secure web application,
such as an online bookstore, can be verified so as to prevent an imposter from “jumping in” to
the interaction and ordering books that are charged to the victim but are sent to another
address. This verification is accomplished through a session token, which is a random string
assigned to that interaction between the user and the web application currently being accessed
(a session). When the user logs in to the online bookstore’s web server with her account user
name and password, the web application server assigns a unique session token, such as
64da9DACOqgoipxqQDdywg. Each subsequent request from the user’s web browser to the
web application contains the session token verifying the identity of the user until she logs out.
A session token is usually a string of letters and numbers of variable
length. It can be transmitted in different ways: in the URL, in the header
of the HTTP request, or in the body of the HTTP request.
Session hijacking is an attack in which an attacker attempts to impersonate the user by using
her session token. A session hijacking attack is shown in Figure 3-7.
Figure 3-7 Session hijacking attack
(Diagram: the victim's session token 64da9DACOqgoipxqQDdywg is intercepted by the attacker, who then presents the stolen session token to the web server.)
An attacker can attempt to obtain the session token in several different ways. One of the
most common methods is to use XSS or other attacks to steal the session token cookie
from the victim’s computer and then use it to impersonate the victim. Other means include
eavesdropping on the transmission or guessing the session token. Guessing is successful if
the generation of the session tokens is not truly random. In such a case, an attacker can
accumulate multiple session tokens and then make a guess at the next session token
number.
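The guessing attack described above works only when tokens are not truly random, and the defence is to draw them from the operating system's cryptographic random source. The Python below is an added example, not from the book: new_session_token() and new_hex_token() use the standard-library secrets module, counter_token() is a constructed weak scheme (a zero-padded counter) of the kind that can be extrapolated, and looks_sequential() is a simple audit check that, given a handful of tokens collected from a server, reports whether they advance by a constant step. All function names are hypothetical.

```python
import secrets

def new_session_token(nbytes: int = 16) -> str:
    """Unguessable token from the OS CSPRNG; 16 bytes gives 22 URL-safe characters."""
    return secrets.token_urlsafe(nbytes)

def new_hex_token(nbytes: int = 16) -> str:
    """Same strength, hexadecimal form (32 characters for 16 bytes)."""
    return secrets.token_hex(nbytes)

def counter_token(n: int) -> str:
    """Constructed weak scheme: a zero-padded hex counter, so the next value is obvious."""
    return f"{n:032x}"

def looks_sequential(tokens: list) -> bool:
    """Audit check: True if hex tokens advance by one constant non-zero step.

    Non-hex tokens cannot be ordered this way and return False; so do fewer
    than three samples, since two values always have exactly one difference.
    """
    try:
        nums = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    if len(nums) < 3:
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1 and steps.pop() != 0

if __name__ == "__main__":
    weak = [counter_token(i) for i in range(1000, 1005)]
    strong = [new_hex_token() for _ in range(5)]
    print(weak[0], looks_sequential(weak))       # ...3e8 True
    print(strong[0], looks_sequential(strong))   # random hex False
    print(new_session_token())                   # e.g. a 22-character URL-safe string
```

A constant step is the crudest form of predictability; tokens derived from timestamps or a non-cryptographic generator fail in subtler ways, which is why the fix is to use secrets (or the platform equivalent) rather than to refine the test.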
Although a session hijacking attack may seem to be a network-based attack instead of a client-side application attack, because
most session hijacking attacks are performed using techniques
like XSS, the CompTIA exam objectives classify this attack as an
application attack.
Malicious Add-ons There are two categories of tools that can be added to enhance a
user’s interaction with a website through his web browser. A plug-in is a third-party library
that attaches to a web browser and can be embedded inside a webpage. A plug-in adds new
functionality to the page being viewed so that users can play music and other multimedia
content within the browser or view special graphical images that normally a browser could
not play or display. The most widely used plug-ins for web browsers are Java, Adobe Flash
player, Apple QuickTime, and Adobe Acrobat Reader. A plug-in, however, affects only the
specific page in which it is placed.
Plug-ins can be added to a webpage using the HTML