Chapter 5. Unauthorized Access and Security Breaches

ACCESS CONTROLS EXIST because of the risk of unauthorized access to valuable information and resources. The consequences of unauthorized access can be serious—loss of reputation, financial losses, and even the loss of life if military or infrastructure resources are compromised. In this chapter, you will discover what happens when access controls fail.

Deterring Information Theft

Espionage between organizations used to be a physical act, such as stealing paper documents and making physical copies. Identity theft was only a factor if someone lost their wallet or it was stolen. Although information technologies such as networked file servers, PDAs, and web-based Internet applications have made data easier to manage, they have also made that information far more vulnerable.

Federal and state laws have been created to act as deterrents to information theft. These laws require organizations to take steps to protect the sensitive data stored in their IT infrastructure. There are penalties for both stealing information and failing to follow the regulations in safeguarding it.

These laws add other considerations that organizations must comply with. Organizations must protect data from breaches; they must also be able to tell if an information breach has occurred. An organization may have a legal obligation to inform all stakeholders if a breach occurred and what information was compromised.

U.S. Federal Laws

The technology breakthroughs of the information age have allowed organizations to be more productive and automate many interactions with consumers and stakeholders through the Internet. This has had unfortunate drawbacks; individuals can now utilize the Internet to gain unauthorized access to an organization, putting sensitive data at risk. An IT professional must be aware of these risks, as well as the numerous laws and regulations that his or her organization must be in compliance with.

In a previous chapter, you learned about various regulations that define an organization's obligation to secure information. This section explores a few laws that cover unauthorized access of that information: the federal Computer Fraud and Abuse Act and the Digital Millennium Copyright Act.

Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act (CFAA) is a federal criminal statute designed to protect electronic data from theft. The CFAA was enacted in 1984 and was designed to protect classified information maintained on governmental computer systems as well as financial and credit information maintained at financial institutions.

In 1994 and again in 1996, Congress expanded the CFAA to cover any computer used in interstate commerce. The law was also amended to allow private civil actions to help individuals injured by criminal activity that the CFAA prohibits. In 2002, the law was further expanded to cover a system located outside of the United States that is used in a manner that affects interstate or foreign commerce activities within the United States.

The expansion of the CFAA has made it an effective tool for protecting data stored on computers, and it has allowed civil actions to be brought against a range of activities. Here are some examples:

  • Obtaining information from a computer through unauthorized access

  • Trafficking in a computer password that can be used for unauthorized access

  • Intentionally damaging computer data

The CFAA allows an organization or individual impacted by theft or destruction of data to seek relief and restitution from the courts and to force the return of stolen information. The CFAA also allows organizations to prevent the use of stolen information by their competitors in the marketplace. In this manner, the CFAA protects the rights of organizations and individuals that need to safeguard their sensitive information and processes from their competitors.

The CFAA is based on unauthorized access to computers and information. "Unauthorized access" can be defined as using a computer to obtain or alter information in a system that the individual does not have a legitimate right to obtain or alter. For example, an employee accesses and sends valuable company information through the Internet to a competitor right before his termination, in hopes of obtaining a position with the competitor.

The employee in this scenario could argue that the CFAA does not apply because he had legitimate access to the computer and data at that time. Under the CFAA, however, the courts would probably not agree with this assertion. A court could hold that the employee's legitimate access ended when he no longer held the best interest of the company in mind. When the employee accessed and sent the proprietary information to the competitor, he lost authorization to the data.

Digital Millennium Copyright Act

The Digital Millennium Copyright Act (DMCA) was signed into law in 1998. The purpose of the DMCA is to implement the World Intellectual Property Organization (WIPO) Copyright Treaty and the Performances and Phonograms Treaty, as well as amend Title 17 of the United States copyright code. This federal statute updates copyright laws to more effectively deal with the ever-changing technological landscape.

At its heart, the DMCA prohibits unauthorized disclosure of data by circumventing an established technological measure of the organization. Technological measures include things like product keys for software, CD and DVD copy protection, system passwords, and so on. The DMCA also prohibits the manufacture or sale of programs or devices designed to break access control measures of an organization.

The idea behind the DMCA is that unless it is illegal to break implemented technology, malicious users could manipulate access control solutions and violate copyright laws without consequence. The DMCA provides for legal liabilities and attempts to ward off malicious users while providing incentives for organizations to implement access controls.

For example, let's take a look at the case of Universal City Studios v. Reimerdes, in which eight motion picture studios employed the DMCA against a defendant who posted DVD decrypting software on his Web site.

Upon the advent of DVDs, movie studios were concerned with the piracy aspect of the new technology. Unlike analog video, digital video can be replicated without any degradation in video quality. In the mid-1990s, the Content Scramble System (CSS) was created in partnership with the consumer electronics industry to help defend against piracy.

CSS provides encryption to a DVD's sound and graphics files according to predefined algorithms, making it supposedly impossible to replicate a legitimate studio-sanctioned DVD. This technology was then licensed to consumer electronics manufacturers for use in creating DVD players for retail sale.

In the fall of 1999, a teenager cracked the encryption by reverse engineering an officially licensed DVD player. This allowed the creation of a computer program capable of decrypting the DVDs, which let them be viewed on non-compliant computers and let the decrypted files be copied. The software was then posted on the Internet, where it could be downloaded from hundreds of sites.

The movie studios, using the DMCA, sought a legal solution to the problem. Under the anti-circumvention provisions of the DMCA, the court found that the software written to break the encryption of the DVD players constituted a technology designed to circumvent the measure implemented by the studios to protect the copyright on their proprietary DVDs. As a result, the court ruled in favor of the studios under the DMCA.

State Laws

Most states have laws that apply to unauthorized access to confidential information. Because they have many parts in common, this section covers one law in depth. The California Identity Theft Statute will give you a basic understanding of state laws designed to protect data.

The California Identity Theft Statute requires businesses operating in California to notify customers when the business has reason to believe that personal information has been disclosed through unauthorized access. Personal information is defined as a Social Security number (SSN), driver's license number, or physical address that is maintained in digital form. This statute applies to all businesses operating in California.

As soon as an organization realizes that there has been an unauthorized disclosure, the organization must notify the owner of the information that a breach has occurred. The law further provides for any individual damaged by the breach to bring a lawsuit to recover any loss incurred due to the information disclosure and failure of the organization to issue a timely notification.

The purpose of the California Identity Theft Statute is to provide sufficient notice to individuals whose personal information was stolen, so that they can take appropriate actions in a timely manner to prevent further damage by the data thieves.

Note

Identity theft is one of the fastest growing crimes being committed on the Internet. Data thieves sell personal information to criminals who then open credit card accounts, purchase products, or commit to other financial obligations using the stolen identities. Early notice that identity theft has occurred and action by individuals to protect themselves following a security breach will help reduce the impact of this type of criminal activity.

The following are some of the elements of the California Identity Theft Statute that apply to data access and handling:

  • Any person who, with the intent to defraud, acquires, transfers, or retains possession of personally identifying information of another person, is guilty of a crime punishable by a fine of up to $1,000 and one year in jail.

  • Businesses are required to take reasonable steps to destroy all records containing personal information by shredding, erasing, or modifying the information to make it unreadable.

  • Businesses and governmental agencies must notify individuals when any of the following unencrypted personal information has been accessed in a computer security breach: SSN, driver's license number, account number, credit card number, or debit card number.

Furthermore, individuals, commercial entities, and certain governmental entities including public universities and colleges may not:

  • Publicly display or post SSNs.

  • Print SSNs on ID cards or badges.

  • Require people to transmit SSNs over the Internet unless the connection is secure or the number is encrypted.

  • Require people to use their SSN to log on to the Internet without a password.

  • Print SSNs on mailed documents unless required by state or federal law.

  • Embed or encode an SSN on a card or document where it could not otherwise be printed. This includes chips, radio frequency identification (RFID), magnetic stripes, and barcodes.

  • Mail SSNs where the number is visible without opening the envelope.

Tip

The California Identity Theft Statute, used as an example in this section, is representative of many states' identity theft laws. If you are in a position to safeguard personally identifiable information, research the specific laws that apply in your state. You can begin by visiting your state's Office of Attorney General Web site.

Financial institutions are prohibited from sharing or selling non-directory personally identifiable information without obtaining the consumer's consent.

Cost of Inadequate Front-Door and First-Layer Access Controls

Computer systems and data are essential to our modern lives. The safeguards securing these assets are both logical and physical. Many times the need for physical security in a computing environment is overlooked. Unauthorized access to sensitive data and physical assets can create a significant risk for an organization.

The direct and indirect cost to an organization can be substantial. Direct costs come in the form of the cost to replace hardware, upgrade hardware and software, time and resources needed to reinstall and reconfigure the systems, as well as possible legal liabilities of having inadequate access controls. Indirect costs can come in the form of lost orders, lost customers, lost production, loss of competitive advantage, and possible legal liabilities.

Here are some examples of security policies that would be effective in limiting physical access to protect the data and assets of an organization:

  • All physical security must comply with all applicable regulations such as building and fire codes.

  • Access to secure computing facilities will be granted only to individuals with a legitimate business need for access.

  • All secure computing facilities that allow visitors must have an access log.

  • Visitors must be escorted at all times.

Access Control Failures

Every organization has sensitive areas and information that should be protected. If this information is left unsecured, it is hard to claim that access is unauthorized. Most responsible organizations implement some type of access control. Unfortunately, even the most thorough and vigilant system can fail. There are two primary causes of access control failures: people and technology.

People

Even the strictest and most thorough access control policies are prone to human error. This was vividly demonstrated in 2010 when a Virginia couple slipped past security and into a state dinner at the White House. The couple was subjected to all of the normal security screening procedures and was never a threat, but they were not on the guest list. They got in due to human error—the guard at the entry gate did not follow proper procedure and verify that the couple was on the guest list.

Although the couple was not a threat and the situation was humorous, this type of failure could pose a grave risk. They could have been spying for a foreign government, or planning an attack on the dignitaries attending the event. This is a perfect example of failure in the human element of access control. An organization can have sound access control procedures, but without proper training and buy-in from all employees, the system can be easily defeated.

In the White House example, there were multiple layers of defense in place, including metal detectors and bomb-sniffing dogs. This ensured that even if someone got through they would not be armed. This does not mean that they could not be a threat. This is also true in computer security. Network antivirus may keep malware from infecting other systems, but a connection from an unauthorized laptop could still be a threat.

The party crashers are also a good example of social engineering. They dressed properly and acted with confidence that they belonged. These types of attacks along an organization's human vector are all too common.

In another example, a penetration testing team, called a tiger team, was testing the security and integrity of a major financial institution's customer data. The corporation had an IT office in a major metropolitan skyscraper. The bottom floor had a publicly accessible restaurant, automated teller machines (ATMs), and washrooms. Dressed as a maintenance man, one of the tiger team members hung an out-of-service sign on the public washroom.

Another tiger team member, dressed as a businessman with a briefcase, talked his way past the security at the door into the secure area of the office complex under the pretext of needing to use the washroom. This was a clear violation of security protocol. This access control failure was compounded by allowing the man to go to the washroom unescorted. Once in the washroom, the intruder accessed network cables in the drop ceiling and inserted a wireless access point into the network. From there, another member of the team sitting in the restaurant used his laptop to access the wireless network.

While inside the network, the team did not yet have access to any system, but it was able to read unencrypted data, such as customer debit card numbers and Windows password hashes, on the supposedly secure internal network. Although intrusion detection systems and network-based antivirus systems were running, passively sniffing network data did not trip any alarms. The team was able to compromise hundreds of customer card accounts in a few minutes and leave undetected, all because of a failure in the human element of physical access control procedures. Luckily, in this example, it was a tiger team working for the financial institution and not malicious data thieves. If this had been a real incident, it would have been a major problem for the institution. Needless to say, this caused the team in charge of securing this information to re-evaluate their security assumptions.

Note

Penetration testing, especially utilizing an independent third party, is an invaluable tool in assessing the robustness of an organization's access controls. It allows an organization to take an honest look at its access control policies without excessive risk.

Rogue Internal Operatives

Another aspect of the human vector of access controls is rogue internal operatives. Disgruntled employees can pose a major threat to information security in the forms of theft, sabotage, vandalism, and more. The best way to handle these threats is by embracing a least-privilege access control policy. By limiting users to the minimum access they need to accomplish their tasks, the damage they can do is limited.

Other People-Related Threats

There are other internal threats besides disgruntled users; here are some other common threats:

  • Phishing and spear phishing attacks—These are e-mails and Web sites crafted to trick a user into installing malicious code. They look like legitimate e-mails and Web sites, but redirect the user's information to the attacker. Spear phishing attacks are targeted at a specific individual or organization.

  • Poor physical security on systems—A hard drive, flash thumb drive, and even an entire laptop can vanish quickly if left unattended.

  • Physically stored passwords—A password stored on a slip of paper can easily allow for unauthorized access to an organization's systems.

  • File-sharing and social networking sites—As more and more people use these online services, they are becoming a major vector for social engineering attacks.

The best way to handle the human element in access control is through training and organizational buy-in. Every employee—at all levels of an organization—needs to adhere to security procedures or the access control system is useless.

Technology

Sometimes the best access control systems can be bypassed due to a failure in technology. No computer system is bug-free. Anything from an organization's operating system to its choice in Web browser or instant messaging client could be an access point for unauthorized access to its systems. Let's look at some technological failures that could lead to unauthorized access.

Microsoft Windows operating systems prior to Windows Vista could store passwords with very weak password encryption. Passwords in Windows NT, 2000, and XP that were less than 15 characters long, as well as any password on a Windows 95, 98, or ME system, were stored as a LAN Manager (LM) hash. The LM hash employed Data Encryption Standard (DES) encryption; unfortunately, it did so in a predictable manner. This allowed quick-and-easy brute-force attacks on the password files; some systems could be accessed by brute force in a matter of seconds. Starting with Windows 2000, administrators have the ability to turn off LM passwords and use the more secure NTLM hash to handle user access.
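As an added defender's check (not code from the original text), the following Python audits a pwdump-style export of account hashes for accounts whose LM hash is still being stored, which is the condition an administrator wants to confirm is gone after turning LM passwords off. The export lines are constructed; the only real values are the well-known LM and NT hashes of an empty password, and the check relies on LM hashing each 7-character half of the password independently, so an empty second half reveals a password of at most 7 characters.

```python
"""Audit account hash records for lingering LAN Manager (LM) hashes.

Added example; assumes a pwdump-style export (constructed below) of the
form  user:rid:LMHASH:NTHASH:::  which is what tools that read the SAM
commonly emit.  Only the empty-password constants below are real values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# LM hashes each 7-byte half of the uppercased, null-padded 14-byte password
# separately as a DES key over the constant "KGS!@#$%".  An all-null half
# therefore always yields this value, and a system with LM storage disabled
# records the empty-password hash (both halves null) in place of a real one.
LM_EMPTY_HALF = "aad3b435b51404ee"
LM_EMPTY = LM_EMPTY_HALF * 2
# NT hash of the empty string (MD4 over UTF-16LE), used to spot blank passwords.
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

RECORD_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")


@dataclass
class LmFinding:
    user: str
    lm_stored: bool       # a real LM hash is present: LM storage is not disabled
    short_password: bool  # second half is the null-half value: password is 1..7 chars
    empty_password: bool  # both LM and NT hashes are the empty-string values


def audit_record(line: str) -> Optional[LmFinding]:
    """Classify one export line; return None for comments or malformed lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    user, lm, nt = m.group(1), m.group(3).lower(), m.group(4).lower()
    lm_stored = lm != LM_EMPTY
    short_password = lm_stored and lm[16:] == LM_EMPTY_HALF
    empty_password = lm == LM_EMPTY and nt == NT_EMPTY
    return LmFinding(user, lm_stored, short_password, empty_password)


def audit(lines) -> List[LmFinding]:
    return [f for f in (audit_record(line) for line in lines) if f is not None]


def summarize(findings: List[LmFinding]) -> dict:
    """Group findings by what the administrator needs to act on."""
    return {
        "lm_still_stored": sorted(f.user for f in findings if f.lm_stored),
        "password_7_chars_or_less": sorted(f.user for f in findings if f.short_password),
        "blank_password": sorted(f.user for f in findings if f.empty_password),
    }


# Constructed sample export.  Apart from the empty-password constants, the
# hash values are made-up hex and do not correspond to any real password.
SAMPLE_EXPORT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3d8f1e2b7c9a4d6e5f0b1a2c3d4e5f60:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1001:1f6a4d52c3e7b8a9aad3b435b51404ee:7e1a9c3b5d2f4e6a8b0c1d2e3f4a5b6c:::
svc_backup:1002:9c4b3a2d1e0f5a6b7c8d9e0f1a2b3c4d:0a1b2c3d4e5f60718293a4b5c6d7e8f9:::
# comment lines and blank lines are ignored
"""

if __name__ == "__main__":
    for category, users in summarize(audit(SAMPLE_EXPORT.splitlines())).items():
        print(f"{category}: {users}")
```

Accounts listed under lm_still_stored will keep a crackable LM hash until their passwords are changed after the LM setting is turned off, since the stored hash is only rewritten at the next password change.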

UNIX/Linux systems had a similar issue in the late 1980s and early 1990s. Password hashes and their salts were stored together in an unencrypted file, and using that file a malicious user could brute-force a password offline very quickly. The common acceptance of a more secure shadow password file in 1990 provided a secure alternative.
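The following Python is an added example, not from the original text, showing the check an administrator would run to confirm that hashes have in fact moved out of the password file into the shadow file and that the hash scheme used there is not a legacy one. The passwd and shadow lines are constructed, with made-up hash bodies; the field layouts and the "$id$" scheme prefixes are the standard crypt(3) conventions.

```python
"""Check whether UNIX password hashes really live only in the shadow file,
and whether the hash scheme used there is still adequate.

Added example; the /etc/passwd and /etc/shadow lines are constructed, and
the field layouts and "$id$" scheme prefixes are the standard crypt(3)
conventions.  The hash bodies are made up and are not real hashes.
"""
from typing import Iterable, Iterator, List, Tuple

# crypt(3) scheme prefixes.  Traditional DES crypt has no prefix: 13 characters,
# 2 of salt and 11 of hash, and it silently truncates the password to 8 characters.
SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
WEAK_SCHEMES = {"descrypt", "md5crypt", "unknown"}


def classify_field(field: str) -> str:
    """Name the scheme of a password field, or describe its special state."""
    if field == "":
        return "no-password"   # login without any password at all
    if field == "x":
        return "shadowed"      # passwd entry: the real hash lives in /etc/shadow
    if field.startswith(("!", "*")):
        return "locked"        # account locked or login disabled
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"
    return "unknown"


def _records(lines: Iterable[str], nfields: int) -> Iterator[Tuple[str, str]]:
    """Yield (user, password_field) for well-formed, non-comment lines."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split(":")
        if len(fields) == nfields:
            yield fields[0], fields[1]


def audit_passwd(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag passwd entries that still carry a hash in the world-readable file."""
    findings = []
    for user, pw in _records(lines, 7):
        scheme = classify_field(pw)
        if scheme not in ("shadowed", "locked"):
            findings.append((user, scheme))
    return findings


def audit_shadow(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag shadow entries with no password or with a weak hash scheme."""
    findings = []
    for user, pw in _records(lines, 9):
        scheme = classify_field(pw)
        if scheme == "no-password" or scheme in WEAK_SCHEMES:
            findings.append((user, scheme))
    return findings


# Constructed sample files (7 fields per passwd line, 9 per shadow line).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:Xy1aBcDeFgHiJ:1001:1001:Pre-shadow account:/home/legacy:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
legacy:$1$abcdefgh$FAKEMD5FAKEMD5FAKEMD5:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

if __name__ == "__main__":
    print("hashes still in passwd:", audit_passwd(SAMPLE_PASSWD.splitlines()))
    print("weak or missing in shadow:", audit_shadow(SAMPLE_SHADOW.splitlines()))
```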

Web browsers are a major vector for unauthorized access. Every major browser including Firefox and Internet Explorer has had bugs that allow for the arbitrary execution of code. These bugs have been exploited to allow malicious users access and elevated rights on compromised systems. A system could get compromised just by viewing a contaminated Web site.

Servers, especially Web servers and other public-facing systems, are another common entry point for unauthorized access. Not only are Web servers a risk due to the possibility of insecure code being hosted, some of the languages used on the Web servers have had security flaws. Both PHP and .NET have had arbitrary code execution bugs that allow malicious users to access the Web server.

Note

Even in the realm of physical access control, technology can be the failure point. Recently, security researchers discovered that biometrics is not as secure as previously thought. The researchers demonstrated that most fingerprint scanners could be defeated with nothing more than a gummy bear.

Besides system bugs, there are other ways that technology can allow unauthorized access. Some file storage formats allow sensitive information to be censored or blocked out. Unfortunately, if the redaction is done incorrectly, the masking used to block out words can be removed.

Radio Frequency Identification (RFID) badges can also be a vector for unauthorized access. A malicious user could use an inexpensive reader to pull information off an ID badge and then flash a new chip with the cloned information. Security researchers have already demonstrated this technique by cloning the new RFID-enabled U.S. passports.

You have seen how both technology and humans can be the cause of unauthorized access. It is important to take steps to mitigate these possibilities, never relying on just one method to secure sensitive information.

Access Control and Privacy Assessments

A privacy impact assessment (PIA) is a comprehensive process for determining the privacy, confidentiality, and security risks associated with the collection, use, and disclosure of personal information. It also describes the measures used to mitigate, and if possible, eliminate identified risks. The PIA process makes sure measures intended to protect privacy and security of personal information are considered at the beginning of a new program or initiative. A PIA also communicates to the public how their privacy is protected and information kept secure.

A PIA is required in the public sector for any new system that handles personally identifiable information (PII). To be successful, it is important that the PIA looks at the system in a systematic manner. It should:

  • Identify the key factors involved in securing PII

  • Emphasize the process used to secure PII as well as the product

  • Have a sufficient degree of independence from the project implementing the new system

  • Have a degree of public exposure

  • Be integrated into the decision-making process

Note

In the public sector, it is mandatory for all PIAs to be published.

An important aspect of a PIA is looking at the access controls that will be utilized to secure the data. The assessment needs to look not only at the physical and logical access controls that will be put into place, but also at how the access control policies are implemented. Questions like "who has rights to the information" and "how will access be granted and removed" need to be asked. In a thorough PIA, the administrative, physical, and technological access control policies must be described. This is required in all PIAs generated by governmental organizations.

Not only are access control systems vital to securing privacy, new access control systems should go through the PIA process as well. This is especially true in the case of physical access control.

Let's look at the example of an ID badge system. What information is stored on the ID—just name, or name and ID number? Is the information electronically readable and by what means? What does the employee ID number consist of? Because some organizations use part or all of an employee's SSN as the employee number—despite being a poor business practice—an RFID system for ID badges must be carefully examined. Starting an RFID badge project with a valid PIA ensures that the security of this information is addressed throughout the project.

Structure of a PIA

A typical PIA includes the following sections:

  • Summary of the system under analysis—This section should include a physical or logical description of the particular system being analyzed, such as an RFID badge system, and its intended purpose. This section should also include the owner or stakeholders of the system, where the project is in its life cycle (planned, implemented, and so on), and how it will interact with the rest of the infrastructure.

  • List of information to be collected—Include specific examples of all information that will be collected or affected by the system.

  • Description of how the information will be collected—Include specific plans for collecting personal information. This section may contain copies of questionnaire forms, telephone scripts, or other tools.

  • Explanation of why personally identifiable information is necessary—Use this section to justify the collection and use of personally identifiable information. If the organization's goals could be achieved without the use of personally identifiable information, it should not be collected or used.

  • Explanation of how the information will be used—Include a specific description of how each piece of information will be used. Information should not be used except in ways described in the privacy impact assessment.

  • List any new information the system will create through aggregation—For example, if biometric data such as fingerprints or photographs are stored in database A and names, phone numbers, and addresses are stored in database B, and the proposed system will link the two databases, this needs to be explained in this section of the PIA.

  • List of groups, organizations, and individuals with whom the information will be shared—Include both those within the organization and external entities.

  • Opt-out opportunities—Explanation of all chances individuals will have to opt out or object to the collection of information about themselves.

  • Description of any information that will be provided to the individual—This section will generally include the privacy statement and specifics on how that information will be provided, such as a hard copy or in electronic format.

  • Description of the access controls that will be adopted to secure the information—This section should include administrative policies, physical security, and logical access controls.

  • Description of any potential privacy risks involved in collecting, using, and sharing information—This section should also include analysis of any risk involved in providing individuals the chance to opt out and in notifying individuals of the collection of information. Finally, this section should include an evaluation of the risks posed by the proposed security measures.

By carefully and thoughtfully completing each of these sections, you should have a thorough PIA that accurately assesses the privacy impact of a proposed access control solution.

Security Breaches

Information security breaches take many forms. These include lost or misplaced data media, stolen laptops and cell phones, "hacked" systems, data lost or stolen in transit, information taken by rogue employees, and more. Damage done by a security breach can be measured in both tangible and intangible damage.

Tangible damage is calculated based on estimates of lost business, lost productivity, labor and materials cost to repair the breach, labor and legal costs associated with the collection of forensic evidence, and the public relations costs to prepare statements. Increases in insurance premiums and legal costs related to defending the organization in liability suits can also be tangible damages.

The intangible damages refer to costs that are difficult to measure or calculate. Much of this cost is due to a loss of competitive advantage due to the breach. This can stem from a loss of customer confidence, bad press, and the possibility of proprietary information falling into the hands of competitors.

Kinds of Security Breaches

There are a number of different types of security breaches. This is also a moving target as technology evolves. Here are some of the types of security breaches an organization may have to face:

  • System exploits—These include Trojan horse programs, computer viruses, and other malicious code.

  • Eavesdropping—This is the act of passively gathering information. Eavesdropping can take the form of sniffing network and wireless traffic, intercepting Bluetooth traffic, and even using equipment to remotely pull information from CRT monitors due to electromagnetic fields (EMF).

  • Social engineering—This is an exploitation of human nature and human error as discussed previously.

  • Denial of service (DoS) attacks—These are purely damaging attacks, meant to render a system unusable.

  • Indirect attacks—Utilizing a third party's system to launch an attack. Distributed denial of service (DDoS) attacks are an example of this. Rather than directly attacking the target, hackers first break into other systems and use those to launch their primary attack.

  • Direct access attacks—These range from the technological aspects of unauthorized access discussed earlier to the utilization of devices like key loggers, to outright theft of equipment.

This isn't a comprehensive list, and new vectors of attack are always being developed, but it does give you an idea of what the IT security field is facing.

Why Security Breaches Occur

The why of a security breach is almost as diverse as the how, but it can be generalized into two categories: monetary gain and vandalism of systems.

Monetary gain takes numerous forms. Intruders in a system could look for valuable data to sell, personally identifiable information to steal and use, or physical equipment to resell. Insider information that gives an advantage in stock trading is also often targeted. Accounting and human resources are also tempting targets; there have been cases of direct deposit information being tampered with, causing paychecks to be deposited into the wrong account. DoS and DDoS attacks have even been used in extortion.

Note

A spam "re-mailer" is a hidden mail server that is used to relay spam so its origins are obscured.

Monetary gain motives may not even involve the organization attacked, just their servers. Spam re-mailers commonly get installed during Web server security breaches. Malicious code can also be injected into a company's Web site to try and infect customer computers for identity theft purposes.

Note

Monetary gain and vandalism can overlap. During the early stages of the U.S. war in Iraq, a group of Middle Eastern hackers were defacing Web sites of U.S. companies with anti-American messages. While they were in the systems, they also installed spam re-mailers to help fund their group.

Vandalism is the other major category for security breaches. This can be as harmless as kids having "fun" or trying to make a name for themselves amongst their peers, to groups making a political statement, and even individuals and groups protesting an organization.

Implications of Security Breaches

Computer security is a critical issue for any organization. A breach in system security that damages an organization's computer systems can result in financial costs, loss of customer trust, and legal penalties.

There is also the possibility of ongoing system security issues. Did the intruder build additional backdoors for later access?

What disclosure must happen after the breach? Depending on the industry an organization is in and what was taken, an organization may be obligated to disclose the breach to the public. This must be done in a timely manner, especially if customer data was accessed. Not only is it a good business practice—allowing customers a chance to ward off identity theft—it may also be legally mandated.

An organization will also have to take a long look at its security procedures. Was it a failure in the technology utilized? If so, what will it take to mitigate the issue, and does the organization need to upgrade or change systems?

Was it due to a human failure? If it was human error, more awareness training may be in order. If it was due to malicious users or rogue employees, access audits may be in order to make sure that no one has access to information that they do not need.

The breach may also be due to a failure in procedure; if this is the case, new procedures must be developed.

The Impact of a Security Breach Can Be Significant

A credit card processing company called Acme credit card processing received notice from two of the larger card issuers that fraudulent credit card purchases were occurring. Prior to receiving the notification, Acme did not know that there was an issue.

After some investigation the problem was discovered in Acme's system. A spyware program was loaded onto Acme's system that originated with a spear phishing attack. A well-crafted e-mail was sent to an employee who clicked a link that infected his system with malicious code. The malicious program was able to pull the credit card information off Acme's system for every card that they processed. This information was sent to a remote system where data thieves were able to use the information to clone credit cards. Any consumer that used a credit card somewhere that utilized Acme's processing could potentially be affected.

The impact to Acme was significant. There was the cost of removing every trace of the spyware, both in monetary and time resources. Acme had to pay fines due to various industry and legal regulatory groups. Acme also had to communicate the breach to all consumers affected. There was also the impact to Acme's reputation. Secure transactions are vital for a processing company. A number of merchants that used Acme's services moved to other processing companies. Acme enhanced their e-mail security, and launched a user awareness program in an attempt to prove to customers that security breaches of this nature would not happen again.

Financial Impact of Security Breaches

As discussed above, the costs of a security breach to an organization come in both direct and indirect forms. The direct costs of a breach are easy to identify: equipment replacement costs, security upgrades and enhancements, additions, and other money paid to repair the damage done.

Monster.com security breach.

In 2007, Monster.com discovered that intruders obtained personal information from 1.3 million resumes stored there. The breach affected both Monster.com and USAJobs.gov, a governmental jobs site that Monster.com runs for the United States government. Monster.com officials estimate that it cost $80 million to upgrade security on the sites. These upgrades will include better monitoring of site access, and stricter access controls and intrusion prevention systems.

Note

The indirect costs of a security breach can be difficult to identify. The costs of contacting all of the individuals affected in the security breach, defending the organization from legal action, and loss of reputation are some examples of these costs.

TJX security breach.

The TJX Companies, Inc., which operates stores such as T.J.Maxx and Marshalls, disclosed a massive security breach in 2007. The customers affected by the security breach were offered free credit monitoring at the expense of the organization. TJX also had to settle a civil suit with MasterCard for an additional $24 million. In addition, TJX is still the defendant in other litigation and claims on behalf of customers and other credit card companies who were damaged as a result of the computer intrusions. Besides the millions in legal liabilities there are also untold costs in lost reputation and customer trust. Unknown numbers of former customers will no longer shop at T.J.Maxx due to the loss in consumer confidence.

The impact to an organization's market share due to a security breach is an additional cost. There are recovery costs to regain market share, rebuild reputation, and restore customer and shareholder confidence. The continuing potential damage to an organization could be significant if their customers and stakeholders feel that they can no longer trust the access control safeguards in place to protect sensitive information.

Information assurance is critical for any organization. The data an organization owns is a key asset and must be treated as such. Access control safeguards are essential to ensure that measures are in place to prevent unauthorized access. If data is accessed, there must be mechanisms in place to identify what was accessed. TJX executives, in their initial communications, advised that they did not have enough information to estimate the extent of the data loss. Without robust auditing to determine the extent of a breach, affected customers cannot be alerted in a timely manner, which creates further legal liabilities. An organization needs both strong access controls and auditing mechanisms; a failure in these systems can lead to staggering direct and indirect financial losses.

Private Sector Case Studies

Security breaches can have serious consequences for an organization. They can result from lax physical security, inadequate logical access controls, or a combination of both. Let's look at some examples of failures in both logical access controls and physical security.

LexisNexis

LexisNexis is a major information clearing house of newspaper, magazine, and legal documents. Customers can search the system for basically any published information. In early 2005, a number of teenage hackers were able to gain access to the system. They exposed personal information of over 300,000 individuals. Names, addresses, and SSNs were exposed in the breach. This was a failure in logical access controls on a major level.

The breach started with the account of a police officer in Florida. One of the teenagers, posing as a 14-year-old girl in a chat session, convinced the officer to download and open a Trojan horse file, claiming it was a photo. This gave the hackers access to the officer's system. While browsing his files they discovered a logon into a LexisNexis subsidiary, called Accurint, a law enforcement information database. The hackers started to search the database for themselves and celebrity information.

The hackers realized that they needed more access to effectively explore the system. They called Accurint, and posing as administrators with LexisNexis, they got account logins and passwords for an account with enhanced rights.

They used their new access to create accounts for friends and to search the system. They were able to pull at least 30,000 accounts, possibly as many as 300,000, gaining names, addresses, phone numbers, and SSNs. Luckily the teens were "joyriding," and none of the information was sold or used in identity theft, but the possibility was there. There were at least 57 separate breaches connected to this incident.

LexisNexis had to offer identity theft monitoring to all of the affected customers. In addition, they claimed to have strengthened their customer account and password administration to make sure a breach could not happen again. LexisNexis went so far as to claim their new system was watertight.

Bank One

Bank One, a major Midwest bank that is now owned by Chase Manhattan, lost around 100 employee laptops due to a failure in physical access controls. The office had one access point that was controlled with an RFID badge system. The badge system was slow, taking around 30 seconds to a minute to unlock the door. This led to impatient employees at this location assisting each other by piggybacking at the door: employees would badge in and then hold the door open for the other employees behind them. This security flaw was further exacerbated by a lack of security cameras at the door. Most employees were using laptops at this location, with no security cables or locking docking stations.

In the early 2000s, during an all hands off-site meeting, thieves gained access to the office, and stole approximately 100 laptops. After the incident, measures were taken to enhance the physical access controls at the location. Cameras were added at the entry point, and the badge system was modified so that employees had to badge in and out of the building. Policy changes were also enacted. The act of piggybacking was banned, and this was added to the code of conduct.
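As an added illustration of the badge-in-and-out fix described above (example code, not Bank One's system or the text's own), the following Python replays a constructed badge event log through a simple anti-passback check: an "out" event with no matching "in" reveals someone who piggybacked into the building, and a second "in" without an "out" reveals a badge passed back or used to hold the door. The event layout and badge IDs are assumptions.

```python
"""Anti-passback reconciliation over a badge reader log (added example)."""
from dataclasses import dataclass

@dataclass
class Alert:
    time: str       # timestamp of the event that triggered the alert
    badge_id: str   # badge involved
    kind: str       # "tailgated_in" or "double_entry"

# Constructed sample log: (time, badge_id, direction). Not real data.
SAMPLE_EVENTS = [
    ("08:00", "E1", "in"),
    ("08:01", "E2", "in"),
    ("12:00", "E1", "out"),
    ("12:00", "E3", "out"),   # E3 never badged in: entered by piggybacking
    ("12:05", "E2", "in"),    # E2 is already inside: badge passed back or re-used
    ("17:00", "E2", "out"),
]

def decide(inside, badge_id, direction, strict=True):
    """Grant or deny one badge event and report the anomaly kind, if any.

    `inside` is the set of badges currently believed to be in the building.
    With strict anti-passback a second consecutive "in" is denied; with a
    lenient (log-only) policy it is granted but still flagged.
    """
    if direction == "in":
        if badge_id in inside:
            granted = not strict
            if granted:
                inside.add(badge_id)
            return granted, "double_entry"
        inside.add(badge_id)
        return True, None
    if direction == "out":
        if badge_id not in inside:
            # Always let people leave, but record how they got in.
            return True, "tailgated_in"
        inside.discard(badge_id)
        return True, None
    raise ValueError(f"unknown direction {direction!r}")

def check_antipassback(events, strict=False):
    """Replay a log and return (alerts, badges still inside at the end)."""
    inside = set()
    alerts = []
    for time, badge_id, direction in events:
        _, kind = decide(inside, badge_id, direction, strict=strict)
        if kind is not None:
            alerts.append(Alert(time, badge_id, kind))
    return alerts, inside

if __name__ == "__main__":
    for a in check_antipassback(SAMPLE_EVENTS)[0]:
        print(f"{a.time} badge {a.badge_id}: {a.kind}")
```

Badges left in `inside` after the last event of the day are a further audit signal: either the person is still in the building or they left by piggybacking out.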

Public Sector Case Study

Sometimes security breaches happen not because of external attacks but due to internal failures. Let's take a look at an example from the United Kingdom (UK).

On November 22, 2007, the UK government admitted that one of its departments, Her Majesty's Revenue & Customs (HMRC), had lost in the mail two CDs containing the unencrypted personal details of 25 million UK residents.

In response to a request by the National Audit Office (NAO), a junior member of HMRC's staff was instructed to send details of child benefit recipients to the NAO. The details were burned onto two CDs as unencrypted files, and then sent to the NAO using regular mail. At the time this was standard procedure at HMRC. To compound the security lapses, HMRC decided it was too costly to remove unneeded information from the files before they were sent. This included addresses and bank account information. NAO explicitly requested that the bank account information be removed, and HMRC ignored the request.

The UK Data Protection Act of 1998 specifies that if information is to be sent it must be subject to safeguards, and only the necessary data required for processing be sent. In this case HMRC violated both points of this law.

Once the data loss became apparent, HMRC started an investigation of the loss. They attempted to track down the CDs and contacted law enforcement for assistance. Unfortunately, the UK does not have the same reporting laws the U.S. does. Instead of immediately reporting the data loss to the public, HMRC waited ten days, plenty of time for accounts to get compromised. The UK does have an Information Commissioner, but unfortunately with no disclosure requirements. He was not informed of the issue until well after the event. The commissioner also had very limited powers to enforce the Data Protection Act. All governmental departments were exempt from prosecution, and there was no one to force HMRC to comply. The commissioner could only investigate or audit a department with HMRC's consent.

The fallout from this breach has been major: the Information Commissioner's powers have been expanded, his office can now audit departments at will, and it has enforcement powers. Due to the loss of public confidence in HMRC, other projects have been put on hold, most notably the national ID card program. There was also the cost of the search for the CDs, and affected citizens needed to close existing bank accounts.

Critical Infrastructure Case Study

Security breaches do not always come from targeted attacks. Untargeted, general attacks can also cause a security breach in an organization. Let's look at the CSX Corporation virus incident in August of 2003.

The SoBig computer virus infected CSX Corporation's computer network at its headquarters in Jacksonville, Florida. The infected systems flooded the internal network with infection attempts, producing the equivalent of an internal DDoS attack. No critical systems were infected, but the network congestion disrupted signaling, dispatching, and other mission-critical systems.

Freight trains were delayed, at least 10 Amtrak long-distance trains were canceled or delayed up to six hours, and commuter trains in Washington DC were canceled. Half-hour delays continued for the next few days. The initial damage ran into the millions in late delivery penalties and customer refunds, and millions more were spent updating and expanding the antivirus and network systems to mitigate any further issues.

CHAPTER SUMMARY

Now that you understand the impact of a security breach and how attackers often combine several attack vectors in a single breach incident, you will be able to design access controls that mitigate those attack vectors. You will also be less likely to underestimate weak access controls.

KEY CONCEPTS AND TERMS

  • Breach

  • California Identity Theft Statute

  • Computer Fraud and Abuse Act (CFAA)

  • Data Encryption Standard (DES) encryption

  • Digital Millennium Copyright Act (DMCA)

  • Hash salt

  • LAN Manager (LM) hash

  • NTLM hash

  • Privacy impact assessment (PIA)

  • Radio Frequency Identification (RFID) badges

  • Shadow password

  • World Intellectual Property Organization (WIPO)

CHAPTER 5 ASSESSMENT

  1. Information security falls strictly under the jurisdiction of federal law—state law does not restrict information security practices.

    1. True

    2. False

  2. The two primary federal laws that are concerned with information security are the Digital Millennium Copyright Act and the ________.

  3. Which federal law discussed in the chapter allows civil actions to be brought against individuals who sell passwords?

    1. CFAA

    2. DMCA

    3. DCMA

    4. CFFA

  4. Which federal law provides penalties for circumventing digital rights management?

    1. CFAA

    2. DMCA

    3. DCMA

    4. CFFA

  5. Which law discussed in the chapter is concerned with preventing identity theft?

    1. California Identity Theft Statute

    2. Federal Identity Theft Statute

    3. Idaho Identity Theft Statute

    4. Colorado Identity Theft Statute

  6. Which of the following are effective physical security policies?

    1. All physical security must comply with all applicable regulations such as building and fire codes.

    2. Access to secure computing facilities will be granted only to individuals with a legitimate business need for access.

    3. All secure computing facilities that allow visitors must have an access log.

    4. Visitors must be escorted at all times.

    5. All of the above

  7. What are the two primary causes of access control failure discussed in the chapter?

    1. People

    2. Planning

    3. Technology

    4. Implementation

    5. Follow-up analysis

  8. Which of the following are types of security breaches? (Select all that apply.)

    1. System exploits

    2. DoS attacks

    3. PII

    4. Eavesdropping

    5. Social engineering

  9. Anything from an organization's operating system to its choice of Web browser or instant messaging client could be an access point for unauthorized access to the systems.

    1. True

    2. False

  10. When should a privacy impact assessment be performed?

    1. During the planning stages of a new system

    2. After a new system is designed

    3. After a new system is implemented

    4. After a security breach

  11. The two most common motives for a security breach are monetary gain and ________.

  12. A security breach can result in criminal penalties as well as financial losses.

    1. True

    2. False
