12
Industry Trends

CERTIFICATION OBJECTIVES

12.01 Ongoing Security Research

12.02 Situational Awareness

12.03 Security Implications of New Business Tools

12.04 Global Information Assurance Industry/Community

12.05 Security Requirements for Contracts

Two-Minute Drill

Q&A Self Test

---

One of the more challenging aspects of computer security and information assurance is the fast-paced, ever-changing environment that security professionals have to deal with. Not only do you have to stay abreast of the latest advancements in technology, but you also have to ensure that you know about any newly discovered vulnerabilities in your applications and operating systems. Looking back at security 40 years ago, you would find that the major emphasis was on physical security because most computing environments consisted of large mainframes with devices such as card readers being used to remotely enter programs or terminal rooms with a collection of keyboards and monitors directly connected to the mainframe in a timesharing mode. A major part of protecting the system and its data was to simply restrict access to these devices to individuals who were authorized to access the system. Move forward a decade and the introduction of the personal computer, and the proliferation of bulletin board systems introduced computing to individuals’ homes through the use of telephone modems. Modems continued to be a method to gain access to computers well into the 90s and the early part of the new millennium, even as the use of the Internet was increasing at a rapid pace. Modem security—that is, making sure that nobody installed rogue modems that could lead to unauthorized access to corporate networks—was important. If you purchased a desktop or laptop computer during this period, it most likely came with a telephone modem installed. Today, finding a computer with a telephone connection would be difficult. Instead, computers generally come with a Cat-5 cable network connection to allow machines to be connected to networks directly. Machines, especially laptops, also often come with wireless cards, which allow them to directly connect to networks via wireless access points. This introduces additional security concerns that security professionals must be aware of. Looking at these examples provides an idea of why it is necessary to stay on top of current technology trends as well as current, known vulnerabilities. This chapter discusses a number of the issues that security professionals need to stay on top of. In some cases, specific examples will be utilized to discuss points; however, as has been discussed, the environment is constantly changing, so the major thrust will be on the issues that security professionals should be aware of, and not as much on specific vulnerabilities or technologies.

CERTIFICATION OBJECTIVE 12.01
Ongoing Security Research

As a security professional, it will be a constant struggle for you to stay on top of all the new trends and technologies constantly being developed. You will find a significant portion of your time is spent conducting research—either formal as part of your job to improve the security posture of your organization’s computer systems and networks, or informal to simply maintain your own level of currency and proficiency. Your research will include obtaining knowledge on the newest technologies in computer science and the potential impact they may have on your organization, both in productivity and in regard to the potential impact on security (the technology evolution from telephone modem connections to wireless network connections is an example of this). You will also need to know what security services are offered that might be useful for your organization in protecting its computer systems and networks, and what the current best practices are for both the technology and industry as a whole—especially for your given sector. For example, if you are in the banking and financial services sector, what are considered the standard best practices for banks and financial institutions specifically?

Best Practices

People are interested in lists of best practices for various aspects of security because they want to determine what others, in a similar situation, are doing. With a limited amount of time, security administrators want to address the most important issues first. Having a list of tasks that others do in a similar situation provides an idea for where they need to get started. This is also important in case of litigation that might arise because of a security breach in an organization’s computer systems or network. If the organization hasn’t at least done what others in a similar situation have done, a court might decide the organization has been negligent in its security precautions. If, on the other hand, the organization can show that it took the same steps others have taken, that it has done what might be described as the “industry standards,” then the organization is much more likely to convince a court that it took all reasonable precautions and the incident was not its fault. There are lists of best practices for many different aspects of security. The lists themselves can range from very detailed and proscriptive, describing very specific tasks that need to be done, to high-level discussions about the type of actions that should be taken but without any precise details on how to accomplish them.

One list, for example, might be aimed at security programs in general—that is, what would you need to do in order to establish a viable and sustainable security program? It might include items such as the following:

Do you have an established corporate security policy?

Do you have a designated information security officer?

Does your organization have an acceptable use policy for its computers and network?

Do you have data retention and destruction policies?

Do you have policies governing password creation and change?

Do you have computer security awareness training for all employees?

Do you have an identified incident response plan and individuals identified?

As can be seen, these are high-level items that are neither machine nor program specific. Another list might address at securing an operating system, such as Microsoft’s Windows 7. Microsoft has produced security checklists for the operating system (which can be found at http://windows.microsoft.com, where you can do a search for security checklists and obtain a number of documents) that include some system-specific but still not descriptive items, such as the following:

Enable User Account Control.

Configure the Windows Update application to search for and install updates at your desired day and time.

Enable Windows Defender.

Enable Windows Firewall.

Utilize the Windows Backup and Restore features.

Protect your files using BitLocker Drive Encryption.

This list does not contain “how-to” details on any one of the topics it presents, but rather mentions the features present in the operating system that the user should be aware of and utilizing. More detailed information can be found on these topics. For example, instructions can be found on Windows Firewall, discussing each of the options and the recommended settings for them. Microsoft recommends that the firewall be turned on (a rather obvious choice) and allows you (“for maximum protection”) to choose to block all incoming connections. You also have the choice to have the firewall contact you whenever it blocks a connection. In the case of Windows, Microsoft has done its best to provide the security applications that users will need in order to maintain the security of the system and has tried to provide them in a manner that gives user control using the easiest of interfaces. For users who don’t understand the specifics of what the system is doing, they can agree with the Microsoft recommended settings and can then expect to have a reasonable level of security. For the tech-savvy users, more granular options are provided to allow for more detailed security settings.

Linux has a number of best practices and security checklists as well, although they have a tendency to be a bit more involved and descriptive. A typical Linux security checklist might contain the following:

Ensure the latest patches and updates have been installed.

Regularly check logs for signs of suspicious activity.

Make regular backups.

Install Secure Shell (SSH).

Disable the ability to log on remotely as root.

Remove the hosts.equiv and .rhosts files.

Limit network access using iptables.

Restrict access to the X server.

Because security is constantly changing—with new operating systems, applications, and versions of existing software being released continually—the best practices, especially those that are topic specific, will change constantly. Therefore, the wise security administrator will regularly check to see what has changed in established checklists and what new items might have been added. Although there is no set period of time to accomplish this, any time new operating systems are installed or new applications loaded, it would be wise to check to see if best-practice checklists for these new packages are available. You can check a number of locations for best-practice and guideline documents, such as the Information Assurance Support Environment (IASE), hosted by the Defense Information Systems Agency (DISA), as shown in Figure 12-1; the security special publications from the National Institute of Standards and Technology (NIST); and the security benchmarks maintained by the Center for Internet Security (CIS).

FIGURE 12-1 The DISA-hosted IASE site provides information on a variety of security guidelines, along with other documents.

New Technologies

As the security threats change, so do the technologies developed to address them. Just as it is important to stay on top of the latest best practices, so too is it important to understand the new technologies that have been created that might impact the security of our computer systems and networks. For example, the introduction of wireless networks to the work environment has greatly enhanced the flexibility of the network, allowing computer systems to be connected to the network anywhere in the facility where the signal can be received. This eliminates much of the “messy” part of wired networks in that it eliminates the running of wires around, through, over, or under rooms in order to connect systems to the network. Access to other devices, such as wireless printers, is also enhanced. At the same time, when this technology is introduced into a corporate network, it also can introduce tremendous vulnerabilities. Because anybody can connect to the network as long as the signal can be received, attackers can attempt to connect to the network or to accomplish other nefarious tasks such as eavesdropping on the transmissions of authorized users of the network. The introduction of any new technology to an organization must be accomplished with an examination of the possibility for exploitation of the technology by others. Organizations that fall into the category of “early adopters” of technology will be the most vulnerable to new exploitations because the full potential for security vulnerabilities might not immediately be understood. By the time that majority of organizations adopt a new technology, most of the basic security concerns will have been examined and addressed at some level.

New Security Systems and Services

Not only do administrators need to know the potential security impact of any new technology, they also need to know something about the new security technologies that exist to both attack and defend computer systems and networks. New security devices and software are constantly being developed both to address new threats that have arisen as well as new approaches to old threats or issues. All of the security technologies that we know today, such as firewalls, intrusion detection and prevention systems, and biometric access controls, were at some point new technologies that were just being introduced. Fortunately, in order to stay in touch with what new technologies are being introduced to help address cyber security, you can subscribe to one or more of a number of technology blogs or publications that frequently not only discuss technologies in general but often will provide reviews of new products when they are released. An example of this would be the trend over the last few years that has increased the computing power found in mobile devices. These devices can no longer be considered just phones because they provide quite a bit of processing power and an ever-increasing number of applications are useable on them. This has led to their being targeted by individuals interested in gaining access to an individual’s personal information, which in turn has led to a number of new products designed to better secure the devices from attack.

In a similar manner, new security services are created and older ones improved, so security professionals need to also stay abreast of these as well. Services run the gamut from those offered as systems are being developed, before they become operational, and after they have been deployed. Service offerings might include the following:

Code testing and review

Threat modeling

Security training (at multiple levels)

Vulnerability assessment

Risk analysis and assessment

Penetration testing

Social-engineering testing

Security system monitoring and alert notification

A growing security business area is that of managed security services. Companies providing these services may be utilized to monitor security devices in your organization, providing security experts to look for signs of intrusive activity and to respond to it if found. It may also include device management in which the company will configure, update, and maintain your systems in a manner that ensures the maximum level of security within your operating environment.

One area popular among security service providers is the concept of penetration testing, or “ethical hacking,” in which security professionals take the role of an attacker attempting to gain access to an organization’s computer systems and networks. This will generally include attempting to utilize various means to gain access to the systems and networks (for example, via the Internet, wireless connections, or telephone modems). It may also, depending on the arrangement with the company hired to conduct the test, include social engineering attacks, where they try to trick employees into providing access or information useful in gaining access to the network. It may even include other nontechnical techniques employed by attackers such as “dumpster diving,” in which an organization’s trash is examined to look for clues and information that might provide access to computers and the network.

Technology Evolution

Computers, networks, and the Internet are constantly evolving as technology advances. Frequently the advancements are minor and do not require large-scale changes to the Internet operating environment and the protocols on which it relies. Occasionally, however, advances are made that can have a much broader impact. When these occur, the community has to determine how to proceed (because there is no single entity that “owns” the Internet). The way this is done is often through Requests for Comments (RFCs), which are created by organizations such as the Internet Engineering Task Force (IETF). The IETF is a large, international community of network administrators, designers, vendors, and researchers who are concerned with the evolution of the Internet and its continued operation. An example of the type of technology evolution that has a drastic impact on the Internet and that resulted in a number of RFCs being created is the change from IPv4 to IPv6. RFCs related to this topic include the following:

RFC 3177: IPv6 Address Assignment to End Sites

RFC 5855: Nameservers for IPv4 and IPv6 Reverse Zones

RFC 5739: IPv6 Configuration in Internet Key Exchange Protocol Version 2

RFC 5572: IPv6 Tunnel Broker with the Tunnel Setup Protocol (TSP)

RFC 5514: IPv6 over Social Networks

This is just a short list, but it illustrates the type of topics addressed in RFCs. It also serves to illustrate how the Internet is cooperatively designed and controlled by an open community of professionals. From a security standpoint, changes to technology and protocols can have a definite security implication, and discussions on subjects such as the preceding ones often have a security component.

After an appropriate amount of time is allowed for comments to be received on a subject, the IETF’s working group on the subject will evaluate the comments and the RFC may result in the publication of a new Internet Standard. Not all RFCs end up as standards. Some RFCs are designed as informational only. Others are intended to discuss best current practices. Even among RFCs that were intended for the “Standards” track, there are categories such as Proposed Standard, Draft Standard, and Internet Standard.

The IETF is not the only international organization impacting the Internet and security communities. The International Organization for Standardization (ISO) is another international body that establishes standards. The ISO is composed of individual representatives from a variety of national standards organizations. It produces and disseminates proprietary, industrial, and commercial standards. A significant difference between the IETF and its RFCs and standards and the ISO is that the ISO obtains funding through the sale of its standards. The standard of concern to security administrators is ISO 17799, “Information Technology – Code of Practice for Information Security Management.” This standard had its origins in BS7799, a standard first published as best practices for Information Security Management in the United Kingdom. The adoption of BS7799 as an ISO standard shows how such documents can evolve and transform.

Wireless computing is a technology that is easily added to the workplace, by either administrators installing authorized access points or individuals installing their own. It is a good security practice to periodically test to see what wireless access points are available in your organization to ensure that unsecured access points have not been added by employees.

CERTIFICATION OBJECTIVE 12.02
Situational Awareness

Usually heard of in areas such as military command and control or even air traffic control, situational awareness is a term receiving increased use over the last few years in the arena of cyber security. Situational awareness is the perception of the environment in which some system operates at the current point in time. It encompasses all elements necessary for decision makers to choose the best course of action in a given complex environment based on all known factors at the time. Situational awareness involves understanding what is happening in the environment that can impact the organization or system about which decisions are being made. For military commanders, this means understanding elements such as potential enemy location, strengths, movements, and troop morale as well as knowing the same about their own forces as well as environmental factors such as terrain and weather. For air traffic controllers, it means knowing the current location, speed heading, and fuel status of all aircraft within the zone, knowing about pending flights waiting to take off, knowing the limitations and current disposition of the airfield and its personnel, and knowing the current and pending weather forecast.

Taking a step back, we can see that situational awareness encompasses information about a system’s current status, an understanding of how its status could be impacted (its threats, vulnerabilities, and weaknesses), and factors that could adversely impact the system. Cyber security certainly is another system involving a highly dynamic and complex environment requiring the same sort of knowledge for decisions makers to be able to correctly decide on courses of action. Cyber security situational awareness includes knowledge of the system’s (the organization’s) critical information and assets, knowledge about the organization as well, an understanding of the Internet and the dependency on it, a thorough understanding of the threats and vulnerabilities pertinent to the organization and its systems, and a knowledge of the current cyber security threat environment. It is only with these elements that decision makers can effectively determine the best course of action in a given situation. Normally, in reference to cyber security situational awareness, the decisions are not as much concerned with the day-to-day operations of the organization but rather are concerned with the ability for the organization to determine when it is under attack or when there are factors that could threaten the operational status of the computer systems and networks on which the organization relies. Situational awareness of an organization’s cyber space will allow decision makers to know when their organization’s cyber infrastructure—or those on which it relies—is being threatened or is being attacked and will understand the impact of the situation and the various courses of actions available to the organization. As can be imagined from this discussion, to have an accurate situational awareness of your organization’s cyber space requires a lot of effort and information. In the fast-paced and ever-changing environment of security and the Internet, it is a constant challenge to maintain a true picture of your current environment.

Latest Client-Side Attacks

The traditional client/server architectural model has been around for years. In this architecture, there is a separation between those owning and providing resources (servers) and those requesting use of those resources (clients). Communication between the two generally takes place via a computer network, and both sides exist on separate pieces of hardware. Clients request information and services from servers, which wait for requests from clients. E-mail, web, and database access are three common examples of client/server relationships.

From a security standpoint, attacks can be targeted at either side of this relationship. At first glance it might seem that the majority of attacks should be against the server side because it is where all the information is stored. Although this is certainly true, increasingly we are seeing a number of attacks aimed at the client side for a couple reasons. First of all, there are many more clients than there are servers and thus a much larger target set to work with. Second, and related to this, is the fact that the client side is often not nearly as protected as the server side. The chances of finding a client inadequately protected is generally much greater than finding a server not protected. Servers present a single machine that administrators can concentrate on in their attempts to secure a network, whereas the clients generally run on laptops and desktops, either within the organization or at home, and present a much larger set of machines to attempt to secure—especially because in many situations the organization may not own the client hardware (such as in the example of online banking).

Generally, cyber attacks are thought of in terms of electronic incursions into systems not owned by the attacker, but in the case of client-side attacks the possibilities extend beyond this. Although stretching the definition a bit, laptop theft in many respects can be thought of as a client-side attack. The idea is to gain access to the information that may reside on a laptop, as well as the tools that may be used to access a specific server. Laptop thefts have risen over the last few years, not only because they are easily sold to make some quick money but also because of the information they may contain. A more common client-side attack method is the use of phishing attempts to lure users to websites where they will be encouraged to download software or allow programs to run on their system that are malicious in nature and can turn the user’s system into a “zombie” or “bot” as part of a larger botnet. The use of social-engineering methods and cleverly worded e-mails is common among client-side attacks today. They attempt to have the user either download or run an infected program, or run a legitimate program (such as Adobe Acrobat Reader) that may have a known security flaw in it. If the user has not loaded the most recent version of the legitimate software, a patch may not have been applied and the program may be susceptible to an exploit. Another reason that client-side attacks have been on the increase is because for the last few years the trend has been a larger number of application vulnerabilities than operating system vulnerabilities.

In terms of cyber security situational awareness, client-side attacks are a good example of the type of security “intelligence” that a security administrator needs in order to effectively protect an organization’s cyber assets. With the large number of users at a typical organization, the range of software that might have a vulnerability that could allow an attacker unauthorized access is potentially very large. Knowing the current trends, especially in terms of exploits and vulnerabilities, as well as online “fads” is critical in maintaining a current view of potential attacks and exploits.

Current methods used to address client-side attacks include, as expected, ensuring that applications and operating systems have the most current patches applied, ensuring that firewalls have rules to watch connections to websites using nontraditional or unusual ports, educating users on phishing and other attacks and things they should watch for and be aware of—especially current attack trends and methods—and ensuring that employees know what to do if they suspect they have been the target of an attack or may have inadvertently responded to an attack.

Because one of the ways client systems are attacked is through the careless actions of users, it is important that policies for things such as non-business-related Internet and e-mail usage are in place. Education of the users is another important defensive measure to help them understand to not do things such as click links to websites without knowing what they are doing or where they are going.

Threats

As has been discussed, you need to have an understanding of your own networks and what constitutes normal activity so that you can better determine when abnormal activity is occurring. This is one aspect of situational awareness; another is to know what threats exist that can impact your organization’s critical cyber systems. The term threat has different meanings and is used to mean different things in the media and security industry. Threats are actors or agents that can impact your systems. They can be natural (for example, lightning, tornados, or hurricanes) or human (for example, hackers or organized crime). You need to have an understanding of who currently may want to cause harm to your organization or may be interested in the information that the computer systems and networks your organization utilizes process and contain. The actors may change as world events change or the information that you process changes. Knowing who may want to attack your systems will help you to know what types of attacks you can expect and thus be better prepared for.

Another use of the term threat is to describe the actual vulnerabilities that exist in the systems you operate or the exploits that have been written to take advantage of specific vulnerabilities. Thus, for example, a specific vulnerability in a popular browser or operating system might be said to “threaten” your system or network. The term is also often used to describe the avenues of attack that can be used to potentially exploit specific vulnerabilities. In this case, threats would consist of things such as malware (viruses, Trojan horses, worms, logic bombs, spyware), botnets, social engineering, client-side attack techniques, man-in-the-middle attacks, or simply things such as brute-force password guessing. If the term threat is used to mean any of these other things, it is still important from a situational awareness perspective to be on top of what is currently being seen.

An example of a trend that is having an increasing impact is the use of mobile devices for both work and personal use. The increasing power of these devices has led to an increased demand for applications that allow them to be used for activities that had previously been conducted either in person or remotely using desktop or laptop computers. The problem is that these devices are often treated as phones and not computing devices, and the security of phones has not been the issue that the security of computers has been. Vulnerabilities in mobile systems software and the malware targeting these devices is on the rise and is a trend that security personnel must be aware of. How an organization addresses the use of these devices by its employees and its customers is an example of what security personnel need to be aware of. The environment is changing and, like the commander on a battlefield, security administrators need to know what technology exists, what weapons potential adversaries have at their disposal, and the potential weak spots an adversary might be able to exploit. Knowing these sorts of things will allow the administrators, like a battlefield commander, to better deploy countermeasures to address the risks and threats that are faced.

Advanced Persistent Threats

A term that has seen an increased level of use in the security community over the last few years is the advanced persistent threat (APT). The first thing to understand about an APT is that it is not a specific technology or exploit but rather a specific individual or organization. An advanced persistent threat is an individual or organization that is targeting the computer systems and networks of some high-value target such as a government or large corporation. APTs are characterized by a high level of sophistication and determination on the part of the attacker. The STUXNET attack that targeted specific control systems used in a particular industry primarily found in a very specific country is an example of the type of attack that would exemplify an advanced persistent threat. APTs present a particularly challenging problem because the attacker is very motivated and will continue to use a variety of methods over a long period of time until a flaw or weakness is eventually detected that can be exploited. Generally, the attacks are conducted in such a way as to not be obvious and are often hard to detect among the other traffic seen on a daily basis. Having situational awareness of your cyber infrastructure will allow you to better determine that an inordinate interest is being paid to your systems, which may be an indication of an advanced persistent threat.

Counter Zero Day

A zero-day vulnerability, also known as a 0-day or day zero vulnerability, occurs when a software error or hole impacting security is discovered and exploited before a patch is developed to address the vulnerability. The term comes from the fact that up until the point of it being used in an attack, the vendor and public in general knew nothing about the vulnerability. The “clock” starts when the vulnerability is made public, and how long it takes the vendor to develop a patch, and how long it takes companies to develop a signature to detect it or methods to mitigate its impact, will have a direct bearing on the amount of damage it can cause. Another factor in how much damage may be caused by the vulnerability is how much publicity is generated. If generally announced or released, the damage can be considerable because numerous individuals may attempt to exploit the vulnerability while the software vendor scrambles to develop a patch for the vulnerability and various security vendors rush to develop a signature that might be useable to detect and prevent attacks utilizing the exploit. Of course, it is also possible for a zero-day attack to go unnoticed if the result is subtle and the attacker does not do anything that causes the attack to be noticed. If everything is kept quiet, the attacker can continue to exploit the vulnerability until it is eventually noticed, until the vendor discovers the error leading to the vulnerability through their own efforts, or until another attacker discovers and exploits it in a more noticeable fashion. There have been cases where a vulnerability has gone unnoticed for several years until a vendor discovers it. It is impossible to know in a case such as this whether somebody else had previously noticed it and had been exploiting it for their own benefit. The amount of time between the point a vulnerability is detected (exploited) and the point when the vendor has a patch for the vulnerability, or vendors have a mechanism to counter it, is generally known as the vulnerability window.

Zero-day attacks are, by definition, often hard to discover and prevent. Because it is a new vulnerability, firewall and intrusion detection/prevention vendors won’t know about it and will therefore not have a signature in their database of vulnerabilities that will match it. Firewalls and signature-based IDS/IPS will therefore most likely not be able to block, detect, or prevent an attack utilizing the vulnerability. Because of the level of damage a zero-day attack can cause, the topic of how to counter zero-day exploits occupies considerable time in the security research community.

On the nontechnical side, ways to address zero-day attacks center around the speed at which information about them can be disseminated once a zero-day exploit is discovered. Discovering the exploits can occur in a number of ways. An easy one occurs when the individual who discovered the exploit and developed an exploit makes it available to the “hacking” community. Another way in which they may be discovered is if an attack utilizing the exploit is discovered and an analysis to determine how the attack occurs reveals the new vulnerability. A tool that has sometimes proven to be useful in the discovery of new exploits is the honeypot or honeynet. The concept behind both of these terms is to construct a system or network that appears to be official but in fact is not. The honeypot or honeynet can then be monitored, looking for individuals who are attempting to attack systems. Because honeypots or honeynets are not official, there shouldn’t be anybody who is trying to connect to them, so any attempted connection is likely to be somebody looking for systems and networks to attack. By monitoring the activities of the attackers, tool and methods can be observed. Therefore, should a zero-day attack be attempted, its existence may be revealed. Once a new exploit is discovered, receiving word about it becomes important in order for individuals to be prepared to address it. Some in the security community argue against the posting of information regarding the discovery of new vulnerabilities. The argument is that posting this information makes it easier for individuals in the “hacking community” to find out about them and to then use them in attacks. The counter-argument is that the owners of systems need to know about these attacks so they can be prepared. Keeping information on a new exploit secret until it is announced along with a patch from a vendor simply provides a window of opportunity for attackers during which they can utilize the vulnerability without too much fear of being discovered. Even if a patch has not been issued to fix a vulnerability, the knowledge that it exists and details on what to look for will at least let security administrators know whether their own systems have been compromised.

Although we said that signature-based security systems will generally not be able to detect a zero-day attack because it will most likely exhibit a different signature, other methods are being used to spot potential new vulnerabilities. Often, this takes the form of attempts to identify unusual traffic patterns for the system or network. Unusual patterns may very well indicate attempts to attack the system. Knowing what is unusual means that the normal activity for the system or network needs to be known. Activity outside of the normal activity can then be identified. The unusual patterns may be part of a known attack and, in fact, some activities (such as “general probing of a network”) are so common that although they are not part of the activities for which the system or network was intended, they can nonetheless be identified easily. Occasionally, however, a pattern may be discovered that is not part of the normal activity for the system or network and is also not indicative of any known attack pattern. In this case, it could be a strong indicator of a new exploit.

Of course, the best way to counter zero-day attacks is to prevent them in the first place, which means doing a better job of building bug-free software. This requires better design, coding, and testing practices. Operating systems have also taken steps to limit the damage events such as buffer overflows can have on a system. This makes it less likely that a vulnerability can have a disastrous impact on a system. Data Execution Prevention (DEP), for example, is an attempt to prevent programs from executing in memory locations that should contain data and not code. Address Space Layout Randomization (ASLR) moves pieces of programs around randomly in portions of memory in an attempt to make it harder for nefarious code segments to jump to some place in memory that they shouldn’t. Structured Exception Handler Overwrite Protection (SEHOP) attempts to make stack overflows harder to accomplish by checking to make sure that chains of exception handlers (interruptions) aren’t hijacked. These three techniques make it more difficult for any piece of code to take over a system, without knowing a precise attack signature. In newer Windows-based operating systems, DEP and ASLR can be turned on or off by the software vendor. Microsoft has released the Enhanced Mitigation Experience Toolkit (EMET), which allows administrators to override the choice set by software vendors so that all of these tools can be employed.

Whitelisting is also seen as an approach to address at some level the issue of zero-day exploitation. This is the term used to refer to the process of providing a list of approved entities that are allowed to accomplish a certain task. A common example of this is found in browser security, where lists of approved URLs or IP addresses can be used to limit the sites a user is allowed to go to. The same technique can be used to limit who may access a system as well. The concept can also be extended to systems where lists of approved applications can be provided to limit what is allowed to be run on the system.

Another approach some have taken to avoid the exploitation of zero-day vulnerabilities is to offer rewards for previously unknown vulnerabilities. Approaching the problem in this way provides a financial incentive for individuals to try and exploit systems, thus increasing the likelihood that vulnerabilities are found. This method is looked upon differently by various vendors and security companies, and it cannot be said that it is a universally accepted approach to the problem.

Emergent Issues

Information technology exists in a rapidly changing world. As a result, staying current on security issues affecting IT is a constant and ever-changing challenge. As new technologies emerge and are introduced into the environment, they often introduce new security problems that had not been planned for. It is critical for organizations to be aware of how these emerging technologies, which often hold great promise for government and industry, can impact the security of their computer systems and networks. The social networking phenomenon has introduced new avenues by which attackers can gain access to systems and information. Two other examples of emerging trends that are impacting security are the introduction of mobile computing and cloud computing into the workplace.

Mobile computing refers to the increasing use of devices such as laptops, personal digital assistants, and smartphones to connect individuals to their office and to the Internet. Not only do these devices provide additional platforms for attackers to target, the environment that they are used in—often connecting to the Internet at public locations with little to no security—adds to the complexity of securing them. Add to this the lax attitude that most individuals have for their phones, and the problem becomes even more acute. Most people still view their smartphones as phones first, and computing devices second. As such, they are used to only the most basic of security mechanisms for them, such as a password or PIN to access the device. Often, even this level of security is ignored. Individuals will also generally download and install numerous “apps” (application programs) for their devices and will often not worry about where the app originated from. Malicious software has been found targeting these devices that download personal information about the owner, replicates itself on other devices, and even destroys data. With an increasing number of exploits appearing on the security scene that target smartphones, the potential for data compromise is increasing. If these devices are used to also access data from an organization, the possibility that data will be lost is high.

Cloud computing is one of the hottest topics today. It is seen by many to be the answer to computing and electronic storage needs in today’s corporate environments. It places the responsibility of providing applications and services on a third-party vendor, eliminating the need for organizations to maintain a large number of application servers, along with the systems and personnel to support them. An end user accesses the needed applications and data by using a browser without any need of understanding the actual location of the servers or details of the supporting infrastructure. Security and privacy concerns have surrounded the movement toward cloud computing since its inception. Foremost among these is the fact that your corporation’s important business data is not being stored on systems it owns, but rather on the systems of another organization. The level of protection of this data, both at rest and in transit, is critical for the users of cloud computing. The vendors offering cloud computing services understand the importance of privacy and security to their business and take steps to ensure both. Having said that, however, there are very few examples of a large system that has never been compromised. Another interesting issue surrounding cloud computing is that of jurisdiction, especially when the provider may not reside in the same country as that of the corporation utilizing the services.

In addition to the issues introduced by emerging technologies, the movement toward increased regulations governing various sectors is also an emergent issue that organizations need to be concerned with. In the United States and elsewhere, regulations have been created addressing the protection of sensitive information in sectors such as banking and finance as well as health care and medicine. It hasn’t stopped there, however, and an ever-increasing number of laws are being proposed and passed designed to force better protection of consumer and corporate data. It has become not just a local issue but an international one as well, with the emergence of trends such as cloud computing previously discussed. Staying on top of trends in the laws and regulations in any given sector is just one more challenge that must be addressed.

CERTIFICATION OBJECTIVE 12.03
Research Security Implications of New Business Tools

There is a constant demand in organizations to find new ways to conduct business in faster, more efficient ways. As a result, organizations are continuously looking for new technology that can help them do more with less in a shorter amount of time. Plenty of vendors are developing new tools or improving on existing tools that will appeal to this demand. When an organization finds a new tool they believe will help, the possible security implications should be considered, but all too frequently they are not. As previously discussed, technology such as mobile computing provides tremendous advantages in terms of allowing employees to continue to work no matter where they may be. They can stay in touch with their office so that important e-mail and messages are not missed, and they can conduct many routine office tasks almost no matter where they are. This freedom doesn’t come without a price, however, as a new avenue for attacks on the organizations is introduced.

When an organization is considering adoption of a new product or type of technology, where can they go in order to determine the security implications of the decision? The vendor may provide information on this, but if it is not favorable to their product, this is not likely to happen. Another possibility is to hire or employ security testers who can search for security holes before the product or technology is fully deployed within the organization. Any number of security companies can provide penetration testing services both before and after deployment. Periodic outside penetration testing is considered a good security practice because it provides an additional fresh look at an organization’s security posture from individuals who have no preconceived notion of the organization’s security status. A simple search of the Internet may also provide information on security issues related to a product or new technology, and several Federal programs (such as the national Information Assurance Partnership validated products list as well as the Approved Products List kept by DISA, shown Figure 12-2) can provide information on certain products that have been evaluated.

FIGURE 12-2 The DISA Approved Products List provides a list of products that have completed interoperability and information-assurance certifications for the Department of Defense.

Social Media/Networking

Social networks at first may seem harmless because they appear to simply be a way for individuals to “stay connected” to friends and families. Unfortunately, there are a couple issues that security administrators need to be aware of associated with these networks. First is the fact that these networks are increasingly being used by attackers to attempt social-engineering attacks. These are surprisingly successful due to the nature of social networks, which encourage the sharing of information with an assumed level of trust—often misplaced. Attackers also will attempt to trick users into going to potentially malicious sites where personal information—or corporate data, if the machine accessing the site is a work system—may be extracted. The common use of shortened URLs on social networks only adds to the problem. Another issue with social networks is the possibility for employees to post sensitive information about the company. For decades, details of mergers or other important business transactions have been discussed by individuals when they weren’t supposed to. The issue today is that if done on a social networking site, the ability for it to be seen by large numbers of individuals and to quickly spread beyond an individual’s closest friends is tremendous. Interestingly enough, the first step toward getting a handle on this problem is not a technical one; it is to create a corporate social media policy to let users know what they can and can’t do from work, and to remind them of the security issues associated with social networks.

Integration within the Business

At first, organizations looked for ways to limit, or prohibit outright, the use of social networks in the workplace. As their use increased, however, and as the next generation of employees, raised on social networks, entered the workforce, most organizations have realized that social networks are now part of life, and instead of trying to prohibit their use, they need to help employees recognize the appropriate way to use them. Quite a number of scams have been designed to trick users into clicking links or running programs that might lead to an infection of their system. This sort of behavior is what needs to be controlled, and organizations should have a policy on the use of social networks in the workplace. In addition, another way that social networks can become a threat is when employees post information on a social network that might contain information that is proprietary or sensitive to a company. Employees need to understand that this type of activity can lead to great harm to a company, and they need to therefore watch what they say. Announcements about products or plans should not be made by employees on their own pages, but should be limited to official announcements by the organization itself.

CERTIFICATION OBJECTIVE 12.04
Global Information Assurance Industry/Community

The information assurance community is large—and growing. Numerous training companies, conferences, seminars, workshops, and webinars exist that can help security professionals stay on top of current security issues and developing trends. Overall, the community has a tendency to be very friendly, and any number of individuals are more than willing to help struggling security administrators having specific problems with their systems. Blogs and tips can be found discussing a variety of common security problems, which can be very useful for both those new to the community and those who are faced with a new problem they haven’t seen before. In addition, organizations such as the SANS Institute (a private U.S. company, with SANS derived from Sysadmin, Audit, Networking, and Security) provide a number of free resources in addition to their paid training that newcomers will find useful. In particular, their Reading Room (which can be found from their home page www.sans.org) includes numerous papers on dozens of topics written by security professionals going through one of their many courses. SANS also publishes a list of the top 25 programming errors and the top 20 critical controls, which can also be extremely helpful to individuals in the community. The SANS site is one that both novice and experienced security professionals will want to keep track of. Other helpful hints can also be often found in one of the hundreds of security vendor sites. Many companies have produced white papers on a variety of security topics. In addition to white papers, quite a few open source security tools can be found on numerous sites. Obviously, a word to the wise concerning downloading and running software from unknown sites—what better way to convince individuals to run your exploit malware than to disguise it as a security tool designed to help secure the very system that the exploit is designed to take advantage of. Always be careful of what sites you visit, and be especially careful of any software you might download from them.

Conventions

One of the best ways to stay on top of what is happening in the security community is to attend one of the numerous computer-security-related conferences that exist. Not all conferences aim to reach the same audience, so choosing which to attend will depend on individual goals. For security-related conferences, they can be roughly broken into three categories: industry, academic, and “hacker.” The best-known industry conference is RSA. This extremely large conference also includes one of the largest and best vendor exhibitions. The conference draws individuals from across government, academia, and industry as well as features national-level keynote speakers. Often with over a dozen simultaneous tracks, choosing the talk to attend during any given session is often challenging. Having over a dozen tracks ensures that the chance of finding a talk of interest to you will be very high. The only downside to the conference is the cost, which is fairly high in comparison to some of the other security conferences that exist. Another extremely large conference is Blackhat. The original Blackhat conference was in Las Vegas, held immediately before the annual DEFCON “hacker” conference. Las Vegas continues to be the largest Blackhat conference, but other versions exist in Europe, Asia, and the Middle East. The intent of Blackhat was to bring individuals from the different “sides” of the hacking community together. Thus, it appealed to those in the government (law enforcement) as well as the “hacking” community. Today, it probably has somewhat of an even split between the government, industry, and “hacking” sectors, with a few from academia thrown in as well. The vendor area is not as large as RSA, but it is growing. Like RSA, it also has multiple simultaneous tracks, which again sometimes makes it challenging to decide on which talk to attend.

USENIX is a computer systems professional organization that, among other things, sponsors a number of different conferences. One of these is the USENIX Security Symposium, which they’ve conducted for over 20 years. It is a large security conference and serves as a bridge between conferences more focused on industry and conferences designed for researchers and the academic community. There are a number of academic workshops, symposiums, and conferences. No matter what the security research topic is, chance are good that there is a meeting, conference, workshop, or symposium on it somewhere. Some of the better known and larger conferences include the IEEE Symposium on Security and Privacy, the Annual Computer Security Applications Conference, and the ACM Conference on Computer and Communications Security. All of these address a broad range of security topics. An example of a more focused security conference is the European Cryptology Conference (EuroCrypt) or the International Symposium on Recent Advances in Intrusion Detection (RAID).

Another type of conference focuses more on the “hacking” side of security and was originally designed more as “underground” events that appealed to those in the community. DEFCON is the best known of these conferences—although it no longer is anywhere close to being an underground conference, nor is it attended only by those in the hacking community. Today, it probably has an even balance between professional security personnel from government, academia, and industry and individuals who might fall more into a “hobbyist” category. These conferences pride themselves as being not only more technical than some of the others, but also more practical and “hands on.” An additional attribute of conferences in this category is their more relaxed nature. Another example of a conference in this category is HOPE (Hackers On Planet Earth), sponsored by the 2600 magazine. Living up to its more relaxed nature, this is not an annual event but has been held on a periodic basis. Since 2000, it has occurred every two years. Another well-known conference seeking for a more relaxed atmosphere is CanSecWest.

Attackers

A question administrators sometimes ask is, “Who would want to attack us?” The implication being that the company doesn’t do anything that the administrator would view as being worthy of interest to a cyber attacker. From the attacker’s standpoint, there are two general types of targets: targets of opportunity and explicit targets. If an organization is being targeted because of who they are or what sector they are in, they are an explicit target. If, on the other hand, the target was not specifically chosen for who they are but instead because they are running a specific piece of software or using a specific piece of hardware, then they are a target of opportunity. Targets of opportunity generally occur when an attacker is looking for somebody, anybody, who might have a system that is vulnerable to a specific exploit. The attacker is not concerned with who they are; they just want to gain access to somebody. If the attack is attempted and fails because the organization has protected itself against the exploit being used, the attacker moves on to the next organization and tries the attack against it. On the other hand, if a specific exploit fails against the chosen target in an explicit attack, the attacker doesn’t move on to another potential target but instead moves on to another exploit to try. The goal for an explicit attack is to gain access to a very specific target. The goal of an attack on targets of opportunity is to find somebody who is vulnerable to an exploit. Returning to the original question asked—who would want to attack a specific organization?—it should now be obvious that for some attackers, the organization simply doesn’t matter. It is a matter of the technology being used. What this basically means is that an organization may have nothing of any worth (which actually isn’t very likely) at all and have no competitors or enemies, but it could still be a target of a cyber attack and thus must prepare for it.

Determining who the attackers might be depends on the type of target. The vast majority of attacks are unstructured attacks against targets of opportunity. The definition of what an attack is in this case is very broad and can range from somebody simply testing to see if they can guess a password for an account, to an individual who just learned about an exploit and wants to find somebody who is vulnerable to it. A term that is often used in the community to describe the majority of individuals in this category is script kiddies—individuals who may have simply downloaded an exploitation script and are running it. They probably know very little about the vulnerability being exploited and might not have ever been able to actually create the exploit themselves; they simply have downloaded the script to run the exploit and are trying it. Unstructured attacks are generally not targeted against a single infrastructure (unless the new exploit is targeting systems only used in a specific sector) and are conducted by individuals with little to no financial backing. Two additional groups that are often placed in the unstructured threat category are hacktivists, who are individuals who attack computer systems and networks in order to promote a cause or ideology (“hacking activists”), and hacking groups. Hacking groups are simply groups of individuals interested in computer systems and security that band together to help each other learn more about the systems they attack. An example of hacktivism might be a group of individuals supporting animal rights who deface the website of a company that sells fur coats. Individuals in these categories may be loosely organized with no real financial backing, or they may, as is sometimes seen in the case of ideological hacktivists, have a bit more support and organization. Hacking groups also vary in the level of support and expertise they have. In both cases, the groups may no longer be considered to be in the unstructured threat category as they become more organized with a specific purpose in mind and if they begin to receive financial backing. A structured attack is one in which a specific organization (or sector) is being targeted and is conducted by individuals with some financial backing and who have more time in which to obtain their goal. An example might be individuals with backing from organized crime attempting to gain access to computer systems owned by a financial institution. A highly structured attack is one in which the attacker has considerable time and financial backing in order to be able to conduct the attack. Multiple vectors (including attempts to usurp insiders) may be tried, and spotting this type of attack will be extremely challenging. The idea of the advanced persistent threat will often fall into this category, and attacks in this category will generally be supported by organizations with time and money, such as nation states or organized crime going after extremely high-value targets.

Another way that attackers are sometimes categorized is in terms of what “hat” they wear. In this case, white hats are individuals in the community that perform what is often referred to as ethical hacking in order to help organizations secure their computer systems and networks. They do not break any laws in conducting their activities and work with the permission of the organization they are attacking when conducting their penetration attempts. On the other end of the spectrum are the black hats, who do violate laws with their activities and attack computer systems without permission for a variety of purposes, including theft, revenge, ideological purposes, or simply the intellectual challenge and the reputation they may obtain within the black hat community. In between these two groups are the gray hats, who may attack systems without permission from the organization (and thus are committing a crime) but are not driven by personal economic gain or other purposes, as are the black hats. Instead, they will often inform vendors of the problems or vulnerabilities they discover in software so that the vendor can fix them. Technically, they have acted illegally, though not for nefarious purposes. In all three categories, the techniques and tools are often the same (although each may have developed their own individual tools), and it is simply whether the hacker has the permission of the organization and the intent that differentiates between which hat the person is wearing.

Emerging Threat Sources

One of the factors that makes cyber security such a challenging endeavor is the fact that the cost of entry for attackers is so very low. During the Cold War era, a nation wishing to become a superpower would have to spend considerable money on weapon systems and research. To become a cyber superpower, on the other hand, requires considerably less investment. The only entities that had the type of funding that would have allowed them to become superpowers during the Cold War were nations. The same is not true of cyber superpowers. The organizations that would have been targeted by the different sides in the Cold War were confined to the military, the defense industrial base, and the national infrastructures. The same is not true during the cyber era, where many different organizations may find themselves the target of an attack. The threats are different as well. Script kiddies, who will generally have no or only loose affiliation with any entity, have already been mentioned, but other potential threats exist as well. Organizations within one of the key national infrastructure sectors may find themselves the target of attacks from nation states, such as have been seen in the power sector the last few years. Any organization that collects payment via credit cards could find itself a target of criminal organizations or individuals wishing to gain access to the credit card information. Organizations that are part of an industry that is considered controversial may find themselves the target of hacktivists who may try to deface their websites in order to obtain publicity for their cause. Another interesting and more recent threat that has impacted individuals in different sectors is the rise of organizations such as Anonymous, which claims to be a group of hackers interested in various causes. In one example, this group announced an attack on the city of Orlando, Florida because of certain activities that were going on within the city. This is an example of an emerging threat that was not heard of just a few years ago. Cities have generally not been the target of attacks, but now they may find themselves the focus of one because of any number of reasons—a specific industry in the city, a government organization with offices in the city, or policies or politics of interest to the city. What can be said of organizations and threats to them today is that no matter who you are, there is somebody who will attack you.

It should probably be mentioned that two of the issues driving the emerging threat sources are the level of dependence that society now has on computer systems and networks and the growing level of technical understanding of individuals and employees. As a result of this, individuals such as hacktivists see the opportunity to make their cause known through a new medium that arguably will have a much better chance of being seen by more individuals than traditional techniques such as protests outside of specific facilities. Disgruntled employees, instead of having no recourse or opportunity for revenge, now have a variety of easy ways they can address perceived grievances or actions taken by their heavily cyber-dependent companies. The disgruntled employee, in fact, has become one of the most dangerous threats to organizations because they will know what best to target in an organization in order to have the greatest impact on it. Nation states and terrorist organizations now no longer need to rely solely on physical attacks in order to affect adversaries. With the heavy reliance on the Internet and computer systems, they can target the cyber infrastructures of a nation’s critical infrastructures (for example, power, telecommunications, water, transportation, and so on) in order to disrupt the targeted nation. We have already seen this in attacks on both the nations of Estonia and Georgia in separate conflicts where cyber attacks were used to disrupt critical infrastructures or were used in conjunction with physical attacks. Finally, it has become painfully obvious how the dependence organizations place on the Internet in order to conduct financial transactions has led to a rise in attacks on computer systems and networks by individual criminals as well as organized crime organizations.

Never assume your computers will not be targeted because they contain no sensitive or personal information. Just because your computer systems exist makes them a potential target of opportunity should a new exploit be discovered. In addition, your geographic location, partnerships, or the product your company produces may make you a target of individuals such as hacktivists. An example of this was the attack on the city of Orlando by the group Anonymous, in which several sites were targeted, including one with information on local tourism. The attackers were not after “sensitive tourism information”; they were simply attacking a possible target within the community.

CERTIFICATION OBJECTIVE 12.05
Security Requirements for Contracts

In 1985, the Department of Defense published DoD 5200.28-STD, the “Trusted Computer System Evaluation Criteria (TCSEC).” Commonly referred to as the “Orange Book,” this well-known document was produced for a number of reasons. The two that it is probably known best for were 1) “to provide users with a yardstick with which to assess the degree of trust that can be placed in computer systems” and 2) “to provide guidance to manufacturers as to what to build into their new, widely available trusted commercial products in order to satisfy trust requirements for sensitive applications.” As a result of these two goals, a number of products were built and evaluated against the standard, ultimately receiving a rating attesting to the degree of trust that could be placed in them. A third goal, less well known to many, was “to provide a basis for specifying security requirements in acquisition specifications.” Although the Orange Book is not used by the DoD anymore (having been replaced by the international Common Criteria), the need for being able to specify security requirements in acquisition documents, and more broadly in contracts in general, is as needed today as it was when the Orange Book was in use.

RFP, RFQ, and RFI

Three basic contract documents can be used in the procurement process that we are concerned with in terms of specifying security requirements. The first is the Request for Information (RFI), which is issued by organizations that are seeking information regarding specific products or services in the marketplace that could be used to fill a specific need. They are often short documents and are sometimes used as a “pre-qualifier” to determine who to send follow-up requests to. The second document is the Request for Quotation (RFQ), which may be used to further restrict the list of companies that will receive the full request by asking for price ranges for services or products. The RFQ may also be rolled into the full Request for Proposal (RFP), which is the third document to be discussed. The RFP can be a lengthy document that takes considerable time to complete. The RFP accomplishes several goals, including informing potential vendors of a product or service that is being sought, providing specific details on what it is that the organization wishes to purchase, and providing a basis from which to evaluate interested vendors. For IT products and services, the requirements should also include specifications for expected security features that may include the following (items may not be applicable in all situations):

The need for personnel to have a background investigation or security clearance

Specific training or certification requirements for personnel

Regulations or standards that must be adhered to

Security tests or assessments that must be completed on products or networks

Specific firewall, router, or intrusion detection settings or reviews

Physical security checks

Software security checks

Threat modeling requirements

Security policy reviews

Expected best practices

Agreements

Not all contractual arrangements come in the form of an RFI, RFQ, or RFP. Many contracts and agreements are signed on a daily basis throughout the corporate world. Any of these that include an IT component should also include a section on security. Many of the possible requirement specifications that were mentioned for RFI, RFQ, or RFP documents can also be included in contracts and agreements. This also extends to any arrangements where partnerships or similar arrangements are established.

CERTIFICATION SUMMARY

In this chapter we covered nontechnical elements of security that have an impact on daily operations. With the fast pace of change inherent in the computer security field, it is a challenge for security professionals and organizations to stay up to date on the most current trends and threats. Fortunately, conferences, workshops, professional organizations such as SANS, and industry best practices can help individuals stay on top of the latest in the security field.

TWO-MINUTE DRILL

Ongoing Research

Security administrators have a limited amount of time, so best practice documents allow them to address the most important issues first.

When new technologies are introduced into a corporate network, they can also introduce tremendous new vulnerabilities that must be addressed. An example would be the introduction of wireless networks.

Requests for Comment (RFCs) can be used to seek input for security issues due to changes in technology that may have a large impact on the Internet. An example of this is the switch from IPv4 to IPv6.

Situational Awareness

Situational awareness is the perception of the environment in which some system operates at the current point in time, encompassing all elements necessary for decision makers to choose the best course of action in a given complex environment based on all known factors.

Client-side attacks are increasing because there are many more of them than there are servers and the clients are often much less protected.

A zero-day vulnerability occurs when a software error or hole impacting security is discovered and exploited before a patch is developed to address the vulnerability.

Advanced persistent threats (APTs) are characterized by a high level of sophistication and determination on the part of the attacker.

Security Implications of New Business Tools

When an organization is considering adoption of a new product or type of technology, the security implications of the decision must be considered.

Social networks are increasingly being used by attackers to attempt social-engineering attacks.

Global Information Assurance Industry/Community

One of the best ways to stay on top of what is happening in the security community is to attend one of the numerous computer-security-related conferences.

Blogs and tips can be found discussing a variety of common security problems, which can be very useful for both those new to the security community as well as more experienced professionals who are faced with a new problem they haven’t seen before.

From the attacker’s standpoint, there are two general types of targets: targets of opportunity and explicit targets.

The three different levels of threats are unstructured threats, structured threats, and highly structured threats.

Security Requirements for Contracts

Three basic contract documents can be used in the procurement process that we are concerned with in terms of specifying security requirements—the RFI, RFQ, and RFP.

The RFP accomplishes several goals, including informing potential vendors of a product or service that is being sought, providing specific details on what it is that the organization wishes to purchase, and providing a basis from which to evaluate interested vendors.

SELF TEST

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question.

1. Best practice documents are useful for security personnel for which of the following reasons? (Choose all that apply.)

A. Following them will ensure that the organization will be free from security problems (breaches).

B. They allow security personnel to see what others may do in similar situations to the one they find themselves in.

C. With a limited amount of time, security personnel need to know what things to do first or to concentrate on what will yield the largest payback.

D. In case of a breach, the organization can show that they at least did what others are doing to secure their own systems, thus they have shown a reasonable level due diligence.

2. Which of the following is true about the introduction of new technologies into an organization?

A. Because the security issue has been known for a while, new technologies are produced with security in mind, and introducing them will have no adverse impact on the security of an organization.

B. The introduction of new technology to an organization will usually result in a more secure network environment.

C. New technologies can have a negative impact on the security of an organization, potentially introducing new vulnerabilities.

D. New technology is more secure than older technology but can still have security implications if not installed correctly.

3. Your network administrator has informed you that your organization will be switching from IPv4 to IPv6. You’ve been asked to determine what impact that this might have on the security of the corporate network. You know that others have also made this same move in their organizations, so you are sure that there must be some documents on what the security implications might be. Besides documents from vendors that often are obviously also trying to sell you a product or service, which of the following might you also check to learn as much about this new technology and its security implications from an objective standpoint?

A. There is no real way of determining the security implications of new technology before you implement it on your own network.

B. The National Institute of Standards and Technology (NIST) produces best practice documents for all new technology that is introduced to the Internet.

C. RFCs that are used to seek input from the community on issues and changes in technology that have an impact on the larger Internet community.

D. The International Internet Standards Organization must approve all new technology changes that will have an impact on the Internet before they are implemented. They produce standards for the implementation and use of new technologies, which you can download and follow.

4. Situational awareness is the perception of the environment in which some system operates based on __________________________, encompassing all elements necessary for decision makers to choose the best course of action in a given complex environment based on _________________________.

A. past events/knowledge of current vulnerabilities

B. the current point in time/all known factors

C. the best estimate of future events/the organization’s current security posture

D. knowledge of current threats/existing security safeguards

5. Client-side attacks are increasing because:

A. There are many more clients than there are servers.

B. There is no way to effectively protect them.

C. Clients are often much less protected.

D. Servers have all been replaced in the average corporate environment of today.

6. Which of the following are aspects of situational awareness? (Choose all that apply.)

A. It encompasses information about a system’s current status.

B. It includes an understanding of how a system or network’s status could be impacted (their threats, vulnerabilities, and weaknesses).

C. Data from the intelligence community related to pending threats.

D. It includes other factors that could adversely impact the system.

7. Your CEO just came back from a luncheon where the speaker discussed zero-day threats. Your CEO has expressed a concern that your organization could be hit by one of these and wants to know what can be done to protect the organization from such a threat. The CEO wants you to do whatever is necessary to guarantee that such an event won’t impact your organization. What is your reply?

A. You tell your CEO that you can guarantee that you will never be susceptible to a zero-day exploit, but it will require a dramatic increase in the security budget so you can employ all possible countermeasures.

B. You try to allay some of the CEO’s fears by discussing how as long as you employ what are considered the standard best practices for your industry, you should be pretty much guaranteed that you will not be hit by a zero-day exploit.

C. You use STUXNET as an example and explain that zero-day exploits are only the concern of specific sectors (such as the critical infrastructures such as power and water) and that because your company is not part of one of them, it is not going to be hit with an event such as STUXNET.

D. You explain that by their very nature, zero-day exploits are extremely difficult to detect and that there is no way you can guarantee the company will never be impacted by one. You explain that there are steps that can be taken to minimize the potential impact and to increase the likelihood that you catch one quickly, but you can’t eliminate the possibility totally.

8. Advanced persistent threats are characterized by which of the following?

A. A high level of sophistication and determination on the part of the attacker

B. A large number of obvious and disruptive attacks that are conducted over a long period of time

C. Distributed and disruptive attacks from multiple sources lasting over a considerable period of time

D. A series of low-level, but annoying, attacks by individuals who continue the attacks over a long period of time

9. Which of the following are considered threats in computer security? (Choose all that apply.)

A. Hackers

B. Organized crime

C. Insiders

D. Lightning

10. Which of the following is true of social media/networking? (Choose all that apply.)

A. Social networks are harmless and present no security concern to an organization.

B. Social networks can be used as an avenue for attackers to have users inadvertently install malware on corporate systems and networks.

C. Employees may post sensitive information on a social networking site that could harm an organization.

11. Which of the following are ways that an organization can determine the security implications of a new technology? (Choose all that apply.)

A. Check with the Better Business Bureau, which keeps a list of security vulnerabilities for products.

B. The vendor may supply information, as long as it benefits the product.

C. The organization can have a vulnerability or penetration test accomplished on the new product or technology.

D. Check to see what has been said about it on the Internet.

12. Which of the following is true about the information assurance community?

A. It is large and continually growing.

B. It has remained static for the last decade, neither growing nor shrinking.

C. With the downturn in the global economy, the security community has also been affected and has shrunk from its peak, which occurred around 2001.

13. Which of the following conferences was created to draw its audience from “both sides” of the hacking community—that is, from industry, government (including law enforcement), academia, and the hacking community?

A. DEFCON

B. RSA

C. Blackhat

D. USENIX

14. You have recently been hired as the new system administrator by a small company that produces and sells athletic shoes. They design and market the shoes, selling them nationally and internationally. They have a few hundred employees, with the manufacturing of the shoes taking place in a foreign country. In your first check of the corporate network, you find that security has been limited to access control devices. The company has no firewall, intrusion detection/prevention system, VPN for communication with foreign offices, or any other piece of security hardware or software. You bring this up to your supervisor, who tells you not to worry because they have never had an intrusion and there really is no threat because they aren’t producing products used by the military. Is your supervisor correct?

A. Your supervisor is correct. If there has been no history of intrusion, and you aren’t producing a product that would be of interest to terrorists or foreign governments, the chance that the organization’s computer systems and network would be targeted are very remote—probably not worth the cost of the security products mentioned.

B. Although the company many not have been hit by an intrusion before, there are other shoe companies out there that might target your company. This would justify a minimal amount of additional security precautions.

C. Whether the company is selling shoes or military aircraft, it at the very least could be a target of opportunity for individuals who are looking for specific systems to exploit with no concern for the actual organization they are attacking. In addition, there are competitors, both foreign and domestic, and the research that your company is involved in could be valuable to a competitor. In addition, simple protection against viruses and other types of malware should be employed to ensure accidental infection does not occur.

15. Which of the following is a characteristic of a highly structured threat? (Choose all that apply.)

A. Conducted by script kiddies.

B. Attackers will take weeks or even months to accomplish their goal.

C. The attackers have considerable time and financial backing.

D. Concentrates on only one attack vector until successful.

16. One type of attack occurs when an attacker is looking for somebody who has a system that is vulnerable to a specific exploit. The attacker is not concerned with the type of organization that is using the system but only wants to find organizations that are utilizing the specific system or software. This is known as a(n):

A. Explicit target

B. Target of opportunity

C. Non-sector-based attack

D. Sector-specific attack

17. What is a “hacktivist”?

A. An attacker who targets only controversial organizations.

B. A term used to refer to “hackers” who are not as talented and are not part of any organized group.

C. A term used to refer to individuals who are part of an organized hacking group targeting controversial organizations.

D. An attacker who “hacks” in order to obtain publicity for some cause.

18. Your supervisor has asked you to install a new technology that the CEO has recently learned something about. You know nothing about this technology, but are somewhat concerned that there might be some security implications with its use on the corporate network. What should you do?

A. Proceed with the installation. If the CEO wants it, then the decision has been made.

B. Voice your objections, but proceed with the implementation.

C. Put out an RFI regarding the technology and its installation and specifically request information about its security implications. Then, depending on the information obtained, you can make a case for not implementing it or can release an RFP that would also include specific security requirements that you may have learned about through the use of the RFI. You may also conduct your own search for more information, along with the RFI, to verify or validate the information you received.

19. What is the “Orange Book”?

A. An early DoD standard that included information that could be used for specifying security requirements in acquisition specifications.

B. A DoD standard that is still in use today to describe how to build secure computer systems and networks.

C. A DoD standard that has been generally adopted by the Federal government for specifying security requirements in contracts and agreements.

D. A standard produced and agreed upon by cooperating industry organizations that provides guidance on security specifications to include in contracts and agreements.

20. Which document(s) is (are) used to prequalify or restrict the list of vendors that will receive a full request when seeking proposals for a product or service?

A. RFI

B. RFQ

C. RFP

D. None of the above

LAB QUESTION

Your company has decided on procuring a new customer relationship management system. It will be used not just by employees who are within the physical boundaries of the company but by sales personnel who will be traveling around the world. The purchase and installation of this software is considered critical to the ongoing health of the organization, and you have been asked to be part of the team selecting the best product for your environment.

What sort of things might you want to ensure are included in the RFP and would you recommend an RFI be released in advance of the RFP?

SELF TEST ANSWERS

1. B, C, and D. All of these are reasons that following security best practices will be useful for security professionals.

A is incorrect. Even the finest of best practices documents can’t guarantee that, if followed, an organization will be free from any security problem. They can, however, help make it much less likely that a security breach will occur.

2. C. The introduction of some new technology can absolutely have an impact on the security of the system and should therefore be closely examined to see what new vulnerabilities might have been introduced. An example of this is the introduction of wireless networks to an organization.

A, B, and D are incorrect because they all ignore the very real possibility that new technology may by its very nature introduce new vulnerabilities.

3. C. RFCs are often used to seek input for security issues due to changes in technology that may have a large impact on the Internet. Although the possibility was not provided, you can also often find fairly objective white papers produced by various vendors discussing security issues related to new technology.

A, B, and D are incorrect because there is a place to go to see whether documents discussing new technology exist, but it is not a guarantee that the NIST (a real organization) has produced them. The IISO, by the way, is a fictitious organization.

4. B. This the definition of situational awareness. Basically it means all that we know about our systems and their status in the current environment at this point in time.

A, C, and D are incorrect, even though each may be partially true. They are not the definition of situational awareness.

5. A and C. These are the two main reasons client-side attacks are increasing.

B and D are incorrect because it is not impossible to protect the client systems and servers have definitely not been eliminated from the corporate computing environment.

6. A, B, and D. All three are aspects of situational awareness.

C is incorrect. Although intelligence information could be extremely useful, it is not a requirement to have in order to have situational awareness of your current security situation.

7. D. Zero-day exploits can hit any software, so there is no way to guarantee that a piece of software your organization uses won’t be impacted by one. There are certainly steps you can take to make it less likely you will suffer a catastrophic impact from them, but you simply can’t guarantee you will never be impacted by one.

A, B, and C are incorrect because (A) no amount of money will be sufficient because you simply can’t guarantee that you will not be hit by one, (B) standard best practices are always good to follow, but none of these will guarantee prevention of a zero-day exploit, and (C) zero-day exploits could hit any type of software and are not limited to a single or just a few sectors. A specific exploit, such as STUXNET, may only impact a specific sector, but zero-day exploits in general are not confined to only the critical infrastructures.

8. A. These are the characteristics of advanced persistent threats.

B, C, and D are incorrect for several reasons, but one that is common to all of them is that they all imply that the APT is obvious, which they generally are not.

9. A, B, C, and D. These are all correct and all can be considered threats to your computer systems and network.

10. B and C. Social networks can be a problem from several perspectives, including providing a new avenue for the insertion of malware and also the possibility of employees posting sensitive information.

A is incorrect. Social networks can indeed prove to be a security problem for organizations.

11. B, C, and D. The vendor may supply information on the security implications, but you can’t count on this always. If they have considered the implications, and addressed them, then they will probably be mentioned. If not, they will be avoided and you will need to check elsewhere. If you have already purchased the product, you can conduct a vulnerability or penetration test, either using your own security personnel to conduct it or by hiring a third party. Finally, don’t forget the Internet. Chances are good that somebody has written something about the technology and its security implications already.

A is incorrect. The BBB does not maintain such a list.

12. A. The community has been growing and doesn’t show any signs of a downturn.

B and C are incorrect. As mentioned, it is still growing.

13. C. Blackhat was originally created to bring together individuals from both sides to discuss security issues. It has grown to become a very large conference with attendees from all over the world and from every sector.

A, B, and D are incorrect. Although all three of these conferences certainly draw individuals from the different sectors and both sides of the hacking community, none of these were originally designed for that purpose. DEFCON was originally a conference specifically for hackers. RSA is an industry security conference. USENIX was designed as a more technical conference attracting security researchers from the UNIX community.

14. C. Everybody is a target at some level. Some organizations (such as those that are part of the military industrial sector) may be more of a target, but simply being connected to the Internet makes you a target at some level.

A and B are incorrect if for no other reason than because they don’t take into account the fact that attackers exist who are looking for targets of opportunity.

15. C. Highly structured threats are characterized by attackers who have considerable time and financial backing in order to accomplish their goal.

A, B, and D are incorrect. Script kiddies are generally considered part of the unstructured threat category. Highly structured attackers will not be limited to a few weeks or months and will use as many attack vectors as they can in order to accomplish their goal.

16. B. This is a description of a target of opportunity.

A, C, and D are incorrect because they do not have the same characteristics as described in the question.

17. D. A hacktivist has a cause to promote and will attack sites associated with that issue or cause but may also attack less protected sites in order to gain publicity.

A, B, and C are incorrect. Although a hactivist may indeed target controversial sites associated with the cause or issue of concern, other sites that may be easier targets may also be pursued in order to gain publicity for the cause.

18. C. Seeking as much information as you can obtain before releasing an RFP so that you can include specific security issues in the RFP is a good idea. This will also provide you with data that you can use to discuss with your supervisor should the technology simply not be the best idea for your organization.

A and B are incorrect. Although both of these certainly are ways to proceed, it is probably better to have information on the potential security issues so that you can do your job better.

19. A. The Orange Book was a DoD standard that has been replaced by the Common Criteria. Although it is no longer in use, it does provide an interesting perspective on building trusted computer systems and specifications that can be used in requirement documents.

B, C, and D are incorrect. The Orange book is no longer in use and was a DoD standard not adopted by industry.

20. A and B. Both the RFI (Request for Information) and RFQ (Request for Quotation) can be used to trim the list of possible vendors to send the full proposal request (the RFP, Request for Proposal) to.

C and D are incorrect.

LAB ANSWER

Obviously, there are many details that will vary, depending on a number of factors in your company, but the use of an RFI in order to obtain more information about the security aspects of various CRM systems is probably not a bad idea: Some vendors may already include information on the security aspects of their products, but others may not. The RFI will ensure that you have a good feel for the type of security issues that should be covered in the RFP when it is released.

The specifics will vary, but a number of items should be considered for inclusion in the RFP, including the following:

The need for personnel involved in the installation of the product to have a background investigation

Specific training or certification requirements for the personnel involved in the installation

Regulations or standards relating to the protection of private information that must be adhered to

Security tests or assessments that should be completed on the product

A list of specific firewall, router, or intrusion detection settings needed to use the software

Details on communication security for remote users accessing the system

Detailed description of security settings for the new system

In addition to these requirements aimed at the vendor, your company may need to consider the following when implementing the new system:

Security policy updates that may need to be considered based on the new product

Expected best practices for using the system

Training requirements