What Are Common Information Security Concerns?

Information security practitioners have their hands full. This section describes some of the concerns that practitioners deal with daily.

Shoulder Surfing

As mentioned previously in this chapter, shoulder surfing occurs when an attacker looks over the shoulder of another person at a computer to discover sensitive information that the attacker has no right to see. This is not a technical exploit. The attacker could be attempting to learn usernames and passwords or discover sensitive information by viewing keystrokes on a monitor or keyboard. Shoulder surfing is a concern at public places such as automated teller machines (ATMs) or self-service credit card terminals at grocery stores.

Shoulder surfing can also be a concern at airports, coffee shops, and other places with wireless access. Computer users may attempt to access email accounts, bank accounts, and other sensitive information while in these public places. Usually the computer user is focusing on their computing device and not paying attention to the people around them. While the user’s guard is down, they may not notice that the coffee drinker at the next table is shoulder surfing and recording the computer user’s sensitive information.

Social Engineering

Social engineering describes an attack that relies heavily on human interaction. It is not a technical attack. This type of attack involves tricking other people and taking advantage of their human nature to break normal security procedures and gain sensitive information.

These attacks are sometimes simple to carry out. For instance, an attacker telephones a large organization and identifies himself as a member of that same organization’s technology group. He has a conversation with the person who answered the phone.

The attacker might ask about that person’s internet connectivity or computing equipment. The person answering the call, who is inclined to be helpful and participate in the conversation, trusts the attacker because he said that they both work for the same organization.

The attacker may ask for the person’s username, identification number, or logon name at the end of the call, claiming that this is for verification purposes. The person answering the call might provide that information because it seems to be a reasonable request. Without much effort, the attacker has gained information that could be used to access organizational resources. This is a social engineering attack.

Phishing and Targeted Phishing Scams

Phishing is a form of internet fraud that takes place in electronic communications where attackers attempt to steal valuable information from their victims. These attacks can take place via email, instant messages, or internet chat rooms. These attackers are phishing for confidential information, including:

  • Credit card numbers
  • Social Security numbers (SSNs)
  • User logon credentials
  • Passwords

A phishing attack may look similar to a legitimate message from a known organization that is familiar to the intended victim. It may also attempt to look similar to a message from well-known organizations such as banks or large corporations, or even the company that the intended victim works for.

Phishing messages usually request that the recipients click on a uniform resource locator (URL) to verify their account details. When the victim clicks on the URL, a website opens that looks similar to a legitimate site and prompts the victim to enter personal information to verify his or her identity. In reality, the site that the victim navigated to is a fake website, often a copy of a trusted site, designed only to capture the victim’s personal information.
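The lure described above rests on a link whose visible text and destination disagree, or whose destination merely resembles a trusted site. The following is an added example, not code from the original text, of the kind of link check a mail filter or a security-awareness tool can run over an HTML message body. The trusted-domain list, the three heuristics, the sample message and the host names (example-bank.com, verify-login.net, 203.0.113.7) are all constructed for illustration.

```python
"""Flag suspicious links in an HTML email body the way a mail filter might.

Added example for the phishing discussion; not from the original text.
Constructed heuristics:
  1. the visible link text names a host that differs from the href host;
  2. the href host is a raw IP address rather than a domain name;
  3. the href host embeds a trusted brand name but is not that brand's domain.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this filter treats as legitimate.
TRUSTED_DOMAINS = ["example-bank.com"]

# A host name at the start of the visible link text, with or without a scheme.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def host_of(url: str) -> str:
    """Lowercase host of a URL; a missing scheme is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (assumption: no public
    suffix list, which is sufficient for the constructed sample)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href: str, text: str) -> list:
    """Reasons a single <a href=...>text</a> pair looks like a phishing lure."""
    reasons = []
    href_host = host_of(href)
    if is_ip(href_host):
        reasons.append("href points at a raw IP address")
    shown = HOST_RE.match(text.strip())
    if shown and registrable(shown.group(1).lower()) != registrable(href_host):
        reasons.append(f"link text shows {shown.group(1)} but href goes to {href_host}")
    for brand in TRUSTED_DOMAINS:
        if brand.split(".")[0] in href_host and registrable(href_host) != brand:
            reasons.append(f"host {href_host} imitates trusted domain {brand}")
    return reasons


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def scan_email(html: str) -> dict:
    """Map each flagged href to its reasons; clean links are omitted."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed sample resembling the "verify your account" lure.
SAMPLE = """
<p>Dear customer, please <a href="http://example-bank.com.verify-login.net/acct">
https://example-bank.com/verify</a> your account details within 24 hours.</p>
<p>Questions? Visit <a href="https://example-bank.com/help">our help center</a>.</p>
<p>Or <a href="http://203.0.113.7/login">log in here</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Running the block on the sample flags the first and third links and leaves the genuine help-center link alone. A production filter would replace the two-label registrable-domain shortcut with a public suffix list and add checks the passage does not cover, such as punycode and lookalike characters.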

Spear phishing is a targeted phishing scam in which attackers may target a particular organization. This is a more sophisticated form of attack where a message might look as if it is from a highly trusted and authentic source. Attackers often research the targeted organization to make their messages look authentic. This background research is easy because of the wealth of information on the internet. Spear phishing messages may use an organization’s logo or terms specific to it in their attempt to obtain information about the targeted organization, such as logons and passwords to the organization’s information systems.

Whaling is a type of targeted phishing scam in which attackers target corporate executives. The federal judiciary circulated an alert in 2008 that warned that some corporate executives had received a scam email that claimed to be a grand jury subpoena. However, the email was not a real subpoena. Executives unintentionally downloaded malware onto their computer systems when they clicked on a link in the “subpoena” email.

Business email compromise (BEC) attacks are sophisticated phishing scams that target recipients who are responsible for processing payments at organizations. The goal of these types of attacks is to conduct unauthorized money transfers. The U.S. Federal Bureau of Investigation reported that BEC attacks led to the loss of over $12.5 billion across the world from October 2013 to May 2018.[3]

FYI

The Morris worm was one of the first internet computer worms. Robert Morris Jr., a student at Cornell University in 1988, created the worm. His experimental piece of code spread very quickly and infected some computers multiple times. Ultimately, over 6,000 computers were infected. It also overwhelmed government and university networked systems. Morris was charged with violating the 1986 Computer Fraud and Abuse Act. He was convicted and sentenced to a $10,000 fine, 400 hours of community service, and 3 years’ probation.

Malware

Malware is a general term that refers to any type of software that performs some sort of harmful, unauthorized, or unknown activity. The term malware is a combination of the words malicious and software. Malware is usually a computer virus or worm, or a combination of one or more viruses or worms.

Computer viruses are programs that spread by infecting applications on a computer. These types of programs are called viruses because they resemble biological viruses. They copy themselves in order to infect a computer. Viruses can spread over a computer network or the internet. They also can spread from computer to computer on infected disks, CDs, DVDs, or universal serial bus (USB) thumb drives. When infected code is executed, the virus tries to copy itself into uninfected software.

A computer worm is similar to a virus. Unlike a virus, however, a computer worm is a self-contained program that does not require external assistance to propagate. Some well-known internet worms include the Morris worm, SQL Slammer, and Blackworm.

A Trojan horse is a subset of malware that pretends to be a legitimate and desirable software file that a user wants. In reality, it is malicious. A Trojan horse spreads when a user downloads the seemingly legitimate file. While the user believes a legitimate file is downloading, the Trojan horse is actually loading. This type of malware is especially prevalent on social networking sites. Accepting virtual “gifts” on these sites can often expose users to nasty surprises.

Ransomware is a subset of malware that prevents organizations and users from accessing data or information systems until they pay a ransom. The ransomware may encrypt data to make it inaccessible, or it may lock information systems, until an organization pays the attacker to decrypt the data or unlock the system. Ransomware is not new, but its use across all industries has been growing.

Spyware and Keystroke Loggers

Spyware and keystroke loggers are also forms of malware. Spyware is any technology that secretly gathers information about a person or organization. Many users inadvertently download spyware with other programs from the internet. Spyware hides on a system, where it collects information about individuals and their internet browsing habits. Cookies set by websites can allow spyware to track the sites that a person visits. This is especially dangerous because some cookies can contain website logon and password information. Spyware can slow computer systems, hog resources, and use network bandwidth. Some spyware programs install other programs on a computer system, which can make a computer system open to other attacks.

A keystroke logger is a device or program that records keystrokes made on a keyboard or mouse. Attackers secretly install keystroke loggers and then are able to recover computer keyboard entries and sometimes even mouse clicks from them. They can review the data retrieved from a keystroke logger to find sensitive information such as usernames, passwords, and other confidential user information. The student hackers in the Florida A&M example discussed earlier in this chapter used a keystroke logger, which allowed them to obtain computer access credentials from data the logger collected. Keystroke loggers can be software-based or they can be a physical device that plugs into a computer or is hidden in a keyboard.

Logic Bombs

A logic bomb is harmful code intentionally left on a computer system that lies dormant for a certain period. When specific conditions are met, it “explodes” and carries out its malicious function. Programmers can create logic bombs that explode on a certain day or when a specific event occurs. Attackers also program logic bombs to explode in response to the absence of an expected action; for example, a logic bomb may explode when its creator does not log onto the target computer system for a predetermined number of days.

Upset employees sometimes use logic bombs. In October 2008, for example, Fannie Mae fired an employee from his Unix engineer position but failed to disable his computer access to Fannie Mae systems until nearly 4 hours after his firing. The engineer allegedly tried to hide a logic bomb in the computer system during that time. This logic bomb was set to activate the morning of January 31, 2009, and designed to delete 4,000 Fannie Mae servers when activated.

Fannie Mae IT professionals accidentally found the logic bomb 5 days after the former employee planted the “explosive.” The employee was indicted in January 2009 for unauthorized computer access. In October 2010 he was convicted in U.S. federal court of computer sabotage and sentenced to 3 years in prison.

Backdoors

A backdoor, also called a trapdoor, is a way to access a computer program or system that bypasses normal mechanisms. Programmers sometimes install a backdoor to access a program quickly during the development process to troubleshoot problems. This is especially helpful when developing large and complex programs. Programmers usually remove backdoors when the programming process is over. However, they can easily forget about the backdoors if they do not follow good development practices.

NOTE

The computer worm MyDoom, first discovered in January 2004, installed backdoors on infected Microsoft Windows computers. Attackers could then send spam email from the infected machines, which helped to spread the worm. Some versions of the MyDoom worm also blocked access to popular antivirus software vendor websites. This made it very hard to remove the worm.

A backdoor is a security vulnerability regardless of its initial purpose. Attackers search for system backdoors to exploit them. Sometimes attackers install backdoors on systems they want to visit again. Attackers can have virtually unhindered access to a system through a backdoor.
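The most common way a development backdoor survives into production is a fixed bypass in an authentication routine that nobody removed. The following added example, which is not code from the original text, shows such a routine beside its hardened form, together with the kind of source check a code review or CI lint can run to catch the pattern. The user store, the password, the bypass string "letmein-debug" and the regular expression are constructed for illustration.

```python
"""A forgotten development backdoor in a login routine, its hardened form,
and a review check that looks for the pattern in source code.

Added example for the backdoor discussion; not from the original text.
The user store, password and bypass string are constructed.
"""
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2 hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}
# Used for unknown usernames so that the failure costs the same time.
_DUMMY = (_SALT, b"\x00" * 32)


def login_with_backdoor(username: str, password: str) -> bool:
    """'Before': a developer added a fixed bypass to skip the slow hash while
    testing and never removed it. Anyone who learns the string is in."""
    if password == "letmein-debug":          # the forgotten trapdoor
        return True
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


def login(username: str, password: str) -> bool:
    """'After': one code path for everyone, constant-time comparison, and a
    dummy record so an unknown user looks the same as a wrong password."""
    salt, stored = USERS.get(username, _DUMMY)
    return hmac.compare_digest(_hash(password, salt), stored)


# Review heuristic (constructed): a credential-looking variable compared
# directly against a string literal.
CREDENTIAL_LITERAL = re.compile(
    r"\b(pass(word|wd)?|pwd|pw|secret|token|api_?key)\b\s*==\s*['\"]", re.I
)


def find_credential_bypasses(source: str) -> list:
    """Return (line number, stripped line) for each suspicious comparison."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        if CREDENTIAL_LITERAL.search(line):
            hits.append((number, line.strip()))
    return hits


if __name__ == "__main__":
    import inspect

    print("backdoor, unknown user + magic string:",
          login_with_backdoor("nobody", "letmein-debug"))
    print("hardened, unknown user + magic string:",
          login("nobody", "letmein-debug"))
    for number, line in find_credential_bypasses(inspect.getsource(login_with_backdoor)):
        print(f"review: line {number}: {line}")
```

The regular expression is deliberately crude; it will miss a bypass keyed on a username or an environment variable, and it will raise false positives on test fixtures. Its value is as a cheap gate in the review process the passage recommends, not as a substitute for it.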

Denial of Service Attacks

You learned about DoS attacks that disrupt information systems earlier in the chapter. Attackers do this so that the systems are not available for legitimate users. These attacks can disable an organization’s web page or internet-based services.

A distributed denial of service (DDoS) attack is another form of DoS attack that occurs when attackers use multiple systems to attack a targeted system. These attacks really challenge the targeted system, because it often cannot ward off an attack coming from hundreds or thousands of different computers. A DDoS attack sends so many requests for services to a targeted system that the system or website is overwhelmed and cannot respond.

NOTE

In 2013, Google Ideas and Arbor Networks created a live data visualization of DDoS attacks around the world. In January 2020 the United States was one of the most popular destination countries for these types of attacks. To see the map, visit www.digitalattackmap.com.

In a DDoS attack, the attacker takes control of multiple systems to coordinate the attack. This type of attack is called “distributed” because it involves multiple systems to launch the attack. Usually the attacker exploits security vulnerabilities in many machines. The attacker then directs the compromised machines to attack the target. Another term for these compromised machines is zombies. Major websites are often DDoS attack victims. These systems handle a lot of traffic by design and pose an attractive target for DDoS attackers seeking to compromise a system’s availability.
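From the defender's side, the difference between a DoS and a DDoS attack shows up in the logs as the same request flood coming from one address or from many. The following added example, which is not code from the original text, runs a sliding-window counter over web server access log lines and reports whether an overflow comes from a single source or is distributed. The log format is the common combined format; the window size, thresholds, sample addresses and generated log lines are constructed for illustration.

```python
"""Spot a request flood in web server access logs and tell a single-source
DoS apart from a distributed one.

Added example for the DoS/DDoS discussion; not from the original text.
Window, thresholds and log lines are constructed.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (timestamp, source ip) for a log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")


class FloodDetector:
    """Sliding-window request counter over all sources."""

    def __init__(self, window_seconds=10, max_requests=50, distributed_from=20):
        self.window = timedelta(seconds=window_seconds)
        self.max_requests = max_requests            # requests tolerated per window
        self.distributed_from = distributed_from    # distinct sources => "distributed"
        self.events = deque()                       # (ts, ip) pairs inside the window
        self.per_ip = Counter()

    def observe(self, ts, ip):
        """Record one request; return an alert dict when the window overflows."""
        self.events.append((ts, ip))
        self.per_ip[ip] += 1
        # Drop requests that have fallen out of the window.
        while self.events and ts - self.events[0][0] > self.window:
            _, old_ip = self.events.popleft()
            self.per_ip[old_ip] -= 1
            if self.per_ip[old_ip] == 0:
                del self.per_ip[old_ip]
        if len(self.events) <= self.max_requests:
            return None
        sources = len(self.per_ip)
        return {
            "at": ts,
            "requests": len(self.events),
            "sources": sources,
            "kind": "distributed" if sources >= self.distributed_from else "single-source",
        }


def analyze(lines, **kwargs) -> list:
    """Run the detector over log lines in order and collect every alert."""
    detector = FloodDetector(**kwargs)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        alert = detector.observe(*parsed)
        if alert:
            alerts.append(alert)
    return alerts


def stamp(t: datetime) -> str:
    return t.strftime(TS_FMT)


def make_log(flood_requests: int, flood_sources: int) -> list:
    """Constructed log: light normal traffic, then `flood_requests` requests
    spread over `flood_sources` addresses within about three seconds."""
    t0 = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [
        f'192.0.2.{10 + i % 2} - - [{stamp(t0 + timedelta(seconds=15 * i))}] "GET / HTTP/1.1" 200 512'
        for i in range(6)
    ]
    for i in range(flood_requests):
        ts = t0 + timedelta(seconds=100 + i * 3 / flood_requests)
        ip = f"203.0.113.{1 + i % flood_sources}"
        lines.append(f'{ip} - - [{stamp(ts)}] "GET /login HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    for label, sources in (("distributed", 30), ("single-source", 1)):
        first = analyze(make_log(60, sources))[0]
        print(f"{label}: first alert at {first['at']:%H:%M:%S}, "
              f"{first['requests']} requests from {first['sources']} sources -> {first['kind']}")
```

The distinction matters for the response: a single-source flood can be blocked at the firewall, while a distributed one needs rate limiting, upstream filtering or a scrubbing service, since blocking thousands of zombie addresses one by one does not keep up.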

Information security deals with these types of issues every day. Organizations can implement safeguards to help decrease the impact of such attacks.
