Overseeing Compliance of Security Operations ◾  239
© 2011 by Taylor & Francis Group, LLC
There are many security constructs that do not fit exclusively within people, process, technology, or environment, and access control is one of those. People are assigned identity credentials to gain access to physical space and technology. Technology (e.g., a computer or specific application) may also be assigned an identity credential. The identity credential is authenticated to prove that the presenter of the credential is indeed who or what the credential claims them to be. Usually, privileges are coupled with identity; a privilege is the ability to do something. The claim of privilege is authorized prior to allowing the action. For example, a claim of privilege is to enter the front door of the corporate office. Corporate policy states the need to present an identity credential and authenticate that the identity belongs to the bearer of the credential. The implementation and enforcement of this policy is the identity card reader that also requires the entry of a personal identification number (PIN) known only to the employee; this is two-factor authentication via something the employee has (the identity card) and something the employee knows (the PIN). The privilege to enter the front door is inherent in being a current employee bearing a valid identity credential.
Privileges are associated with identity either individually (i.e., to that specific identity) or via a role also assigned to that identity. To continue the example above, entry into the lobby and past the security desk usually means you can enter the elevator and exit on your office floor. Additional presentation of an identity/privilege credential may be necessary to enter your office space. Subsequent presentation of a different identity/privilege credential may be necessary to log on to your computer. The identity/privilege credential may be the same one used to enter the building; entry into your office or logon to the computer just requires an additional presentation and reentry of a PIN. The authentication/authorization process then checks your ability to perform the action requested and denies/permits according to the privileges assigned to your identity.
Perhaps a completely separate identity/privilege credential is required to log on to the computer. For example, an identity card with an embedded radio frequency identification (RFID) chip may provide access into the building, but a smart card is necessary to log on to the computer. A smart card has integrated chips in the card and metal contacts to transmit data through a reader connected to or embedded in the PC. Use of a smart card may also require the entry of a PIN or presentation of a biometric (e.g., fingerprint) for multifactor authentication.
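The authenticate-then-authorize flow described above, worked through in code as an added example (it is not code from the book and makes no claim about any particular badge or smart-card product). The credential store, card serials, PINs, roles, and resource names are all constructed; the two factors are the card serial (something you have) and a PIN checked against a salted hash (something you know), and privileges come either from the identity directly or from a role assigned to it.

```python
"""Added example: two-factor authentication followed by privilege
authorization, modelled on the badge-reader scenario in the text.
All identities, cards, PINs, roles and resource names are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hash_pin(pin: str, salt: bytes) -> bytes:
    # The directory holds only a salted hash, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Identity:
    name: str
    card_serial: str               # something the employee has
    pin_salt: bytes
    pin_hash: bytes                # derived from something the employee knows
    active: bool = True            # still a current employee?
    roles: set = field(default_factory=set)
    privileges: set = field(default_factory=set)   # individually assigned


# Role-based privileges (constructed for the example).
ROLE_PRIVILEGES = {
    "employee": {"enter:front_door", "enter:lobby", "use:elevator"},
    "engineering": {"enter:eng_floor"},
    "it_admin": {"logon:server_room_console"},
}


def enroll(name, card_serial, pin, roles=(), privileges=()):
    salt = os.urandom(16)
    return Identity(name, card_serial, salt, hash_pin(pin, salt),
                    roles=set(roles), privileges=set(privileges))


def authenticate(directory, card_serial, pin):
    """Two-factor check: the card must be enrolled and active, and the PIN
    must match its stored hash (constant-time compare)."""
    ident = directory.get(card_serial)
    if ident is None or not ident.active:
        return None
    if not hmac.compare_digest(hash_pin(pin, ident.pin_salt), ident.pin_hash):
        return None
    return ident


def effective_privileges(ident):
    """Union of the identity's own privileges and those of its roles."""
    privs = set(ident.privileges)
    for role in ident.roles:
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs


def authorize(ident, action):
    return ident is not None and action in effective_privileges(ident)


def access_request(directory, card_serial, pin, action):
    """Full flow: authenticate the credential, then authorize the claimed privilege."""
    return authorize(authenticate(directory, card_serial, pin), action)


def build_directory():
    people = [
        enroll("alice", "CARD-0001", "4821", roles={"employee", "engineering"}),
        enroll("bob", "CARD-0002", "9090", roles={"employee"},
               privileges={"logon:server_room_console"}),
        enroll("carol", "CARD-0003", "1111", roles={"employee"}),
    ]
    people[2].active = False   # carol has left the company; her card must fail
    return {p.card_serial: p for p in people}


DIRECTORY = build_directory()

if __name__ == "__main__":
    for card, pin, action in [("CARD-0001", "4821", "enter:eng_floor"),
                              ("CARD-0002", "9090", "enter:eng_floor"),
                              ("CARD-0003", "1111", "enter:front_door")]:
        print(card, action, "->", "permit" if access_request(DIRECTORY, card, pin, action) else "deny")
```

Note that a wrong PIN, an unknown card, and a deactivated identity all fail at the authentication step and never reach the privilege check, which is the order the text describes: the claim of identity is proven first, and only then is the claim of privilege evaluated.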
The use of multiple identity/privilege credentials and multifactor authentication depends entirely on the enterprise business need. If your business is a high-visibility target such as a government installation or a bank, your security practices warrant such strong safeguards. If yours is a small business of little international importance and of little attractiveness to criminal elements, then adjust the strength of safeguards accordingly. Organizations of any size must also consider the legislative mandates that govern how to protect the data they process. For example, a small medical billing company of little international import and low criminal attractiveness is still responsible for protecting PHI to at least the minimal degree required by legislation.
Anti-Malware
Malware is a contraction of the phrase malicious software. Malware is a category of software that intends to cause harm or intends to commit an unlawful act, the key word being intent, which differentiates malware from a software bug. Malware consists of viruses, worms, spam, phish, spyware, root kits, Trojan Horses, backdoors, bots, keystroke loggers, zombies, and more. What is the business purpose of anti-malware? To keep out malware, of course! Well, actually, to keep out malware is a technical purpose, not a business purpose. The main business purpose of anti-malware is to protect intellectual property and maintain regulatory compliance for the protection of data (e.g., PII and PHI).
Most malware intends to infiltrate a system and provide a communications channel to the originator. This communications channel may provide access into the enterprise network or provide a data exfiltration pathway, that is, an illicit communications channel to exfiltrate proprietary or sensitive data. The loss of proprietary data may threaten the very existence of the organization, e.g., knowledge of a pending business agreement that is then subverted, or knowledge of a new engineering design that is then copied so that a competitor undercuts the cost because it didn't have the research and development expense.
Malware includes the following:
Virus, worm
Spam, phish
Spyware
Root kit, Trojan Horse, backdoor, Easter Eggs, zombies, keystroke capture, screen capture
Bots and botnets
Outbound traffic and exfiltration
Anti-malware includes the following:
Antivirus, antispyware
Host-based intrusion detection
Firewall
Web application firewall, personal firewall, proxy firewall
Content filter
Cross-domain system (CDS)
The sections below elaborate on some malware and anti-malware safeguards to provide examples of business threats, technical threats, and technical functionality.
Anti-malware both prevents and detects malware on a system (e.g., server, PC, gateway, firewall, or workstation). An example of anti-malware is antivirus (AV). Virus software follows a signature pattern. This may include a file name or, more likely, a sequence of binary codes. The binary code sequence may represent executable code or data used by the executable code to entrench and spread. AV software contains a signature file containing binary sequences of known virus software. Managed AV software pushes updates to all instances of the AV software throughout the enterprise. These updates may include software executable updates to enhance the capability of the AV software as well as signature file updates to reflect new viruses.
AV software may filter the transmission of files (e.g., e-mail) or check existing files prior to use (e.g., Internet downloads or sneaker-net transfers). Note: Sneaker-net transfers are files copied via floppy disk, CD, DVD, USB thumb drives, Bluetooth, etc., and hand carried from one computer to another.
Defense-in-depth will use anti-malware as one type of defense. Defense-in-breadth may employ multiple anti-malware applications. One AV software package may detect a virus that another will miss. Employing one vendor's AV software on the e-mail server and another AV software on PCs, workstations, and servers may provide protection against a wider array of virus software. Be careful, though, not to install multiple AV software packages on the same system, as they may use common OS configuration parameters with different settings and hence interfere with each other's operation.
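To make the signature-file mechanism and the defense-in-breadth point concrete, here is an added example of a minimal signature-based scanner: it matches byte sequences from a signature set against file content, streams large files in chunks without losing a signature that straddles a chunk boundary, and runs two independent signature sets so that a sample one set misses can still be caught by the other. This is illustrative code written for this page, not code from the book or from any AV vendor; the vendor names, signature byte strings, and sample "files" are all constructed and contain no real malware.

```python
"""Added example: a toy signature-based scanner with a chunked file reader and
a defense-in-breadth wrapper that consults two vendors' signature sets.
All signatures and sample file contents are constructed for illustration."""
import os
import tempfile

# Constructed signature "files": vendor -> {signature name: byte sequence}.
# Real signature files hold many thousands of entries; these are toy values.
VENDOR_A_SIGS = {
    "Toy.Dropper.A": b"\x4d\x5a\x90\x00DROPPER-A",
    "Toy.Worm.B": b"SPREAD-VIA-SHARE",
}
VENDOR_B_SIGS = {
    "Toy.Worm.B.variant": b"SPREAD-VIA-SHARE",
    "Toy.Keylog.C": b"\x7fELFKEYLOG",
}
VENDORS = {"A": VENDOR_A_SIGS, "B": VENDOR_B_SIGS}


def scan_bytes(data, sigs):
    """Return the sorted names of every signature whose byte sequence occurs in data."""
    return sorted(name for name, sig in sigs.items() if sig in data)


def scan_file(path, sigs, chunk=1 << 20):
    """Stream a file through the scanner. The last (longest-1) bytes of everything
    read so far are carried over, so a signature split across a chunk boundary
    still lands inside one scanned window."""
    longest = max(len(s) for s in sigs.values())
    hits = set()
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            window = tail + block
            hits.update(scan_bytes(window, sigs))
            tail = window[-(longest - 1):] if longest > 1 else b""
    return sorted(hits)


def scan_in_breadth(data, vendors=VENDORS):
    """Defense in breadth: run every vendor's signature set and report per vendor."""
    return {vendor: scan_bytes(data, sigs) for vendor, sigs in vendors.items()}


# Constructed sample files: harmless byte strings that merely contain the toy markers.
SAMPLES = {
    "report.docx": b"PK\x03\x04 quarterly numbers, nothing unusual here",
    "update.exe": b"\x4d\x5a\x90\x00DROPPER-A padding padding padding",
    "login.bin": b"\x7fELFKEYLOG hooks keyboard input",
}


def demo_scan_file(name, sigs, chunk=4):
    """Write a constructed sample to a temporary file and scan it with a tiny
    chunk size, which exercises the boundary-overlap logic in scan_file."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLES[name])
        path = tmp.name
    try:
        return scan_file(path, sigs, chunk=chunk)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, scan_in_breadth(data))
```

Running the breadth scan over the three samples shows the point the text makes: `update.exe` is caught only by vendor A's set and `login.bin` only by vendor B's, while the clean document triggers neither. The chunked reader also shows why a signature engine cannot simply scan fixed blocks in isolation; without the carried-over tail, a signature spanning two blocks would be missed.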
e eective use and update of anti-malware software requires active participa-
tion of the user community. Be sure to add anti-malware to user regular security
awareness and training programs.
Botnet Awareness
A bot is a term for a software robot; exposure to bots is one type of vulnerability. Successful penetration of a PC by a bot makes that PC part of a botnet, or a network of software robots. Botnets are usually associated with malware or malicious activity. Malware in spam or phishing campaigns, or Trojan Horses embedded in downloads, implant a bot on an unsuspecting Internet user's PC. That bot may then transmit to other computers on the Internet according to the direction of the master program (bot controller, also known as a bot herder) directing the bots. The bot may lie dormant until invoked by the controller. Bots may forward spam, thus hiding the originator's identity. A bot controller may perform a denial of service attack by invoking thousands of bots to begin forwarding packets to a single Web server, thus bringing it down because it is unable to respond to the volume of network traffic. For example, given two major on-line retail competitors that make 50% of their profits in the two weeks before Christmas, what would happen to the competition if one were to bring the other down during this time? First, the attacker may gain market share because consumers give up on the other site and transfer their business. Second, the one being attacked may not be able to sustain itself the following fiscal year due to lack of profit during a critical revenue generation period.
Bots are in essence software tools that adhere to the RFC 1459 Internet Relay Chat (IRC) Protocol: tools that may be a means applied to any end. Bots may forward keystrokes to the controller or an intermediary collection repository; keystroke logging may result in identity theft. Bots may act in coordination with each other in a distributed denial of service attack. Bots may provide an entry point to install malware or a launching point to distribute malware. Like any other tool, the application is dependent upon the wielder.
Creating a Botnet
A botnet operator or botnet controller sends out viruses or worms. These may be in e-mail (e.g., spam, phish), embedded in downloads, or retrieved via other malware. The bot, now installed on the unsuspecting PC, then logs into a particular server. This server may be an intermediary device or the actual bot controller. A spammer may then purchase access to the bot from the bot operator. Instructions are sent from the IRC server to the bot on the infected PCs, causing the bots to send spam. Variations on this theme are known as spambot, click fraud, and spamdexing.
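The two behaviours just described, a bot logging in to an IRC server for instructions and then forwarding spam, both leave traces in outbound connection logs, and the defender's side of this section is recognizing them. The following added example (written for this page, not taken from the book) runs simple detection logic over constructed firewall log lines: it flags internal workstations that open outbound connections to the standard IRC ports and workstations that deliver mail directly to many external hosts instead of through the organization's mail relay. The log format, the 10.1.0.0/16 workstation range, the sanctioned mail host, the port lists, and the fan-out threshold are all assumptions made for the example.

```python
"""Added example: detection of two bot indicators in outbound connection logs,
outbound IRC (RFC 1459 command channel) and direct SMTP fan-out from a
workstation (spam forwarding). Log format, addresses and thresholds are constructed."""
import re
from collections import defaultdict

IRC_PORTS = {6667, 6697}           # plain and TLS IRC; assumes no sanctioned internal use
SMTP_PORTS = {25, 587}
SMTP_FANOUT_THRESHOLD = 5          # distinct external mail hosts before a workstation is flagged
ALLOWED_MAIL_HOSTS = {"198.51.100.25"}   # constructed: the hosted mail service workstations may use

# Constructed firewall log format: "<ts> src=<ip> dst=<ip> dport=<n> proto=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so callers can skip noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    # Constructed convention: the workstation LAN is 10.1.0.0/16.
    return ip.startswith("10.1.")


def analyze(lines):
    """Return {src_ip: [findings]} for internal hosts showing bot-like behaviour."""
    irc_contacts = defaultdict(set)
    smtp_targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        # Only outbound flows from workstations to external hosts are of interest.
        if rec is None or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        if rec["dport"] in IRC_PORTS:
            irc_contacts[rec["src"]].add(rec["dst"])
        elif rec["dport"] in SMTP_PORTS and rec["dst"] not in ALLOWED_MAIL_HOSTS:
            smtp_targets[rec["src"]].add(rec["dst"])

    findings = defaultdict(list)
    for src, dsts in sorted(irc_contacts.items()):
        findings[src].append(
            f"outbound IRC to {len(dsts)} host(s): {', '.join(sorted(dsts))}")
    for src, dsts in sorted(smtp_targets.items()):
        if len(dsts) >= SMTP_FANOUT_THRESHOLD:
            findings[src].append(
                f"direct SMTP to {len(dsts)} external hosts (possible spam forwarding)")
    return dict(findings)


# Constructed sample log: one infected workstation, two normal ones, one bad line.
SAMPLE_LOG = """\
2011-03-01T10:00:05 src=10.1.2.3 dst=203.0.113.7 dport=6667 proto=tcp
2011-03-01T10:00:09 src=10.1.2.3 dst=198.51.100.11 dport=25 proto=tcp
2011-03-01T10:00:10 src=10.1.2.3 dst=198.51.100.12 dport=25 proto=tcp
2011-03-01T10:00:11 src=10.1.2.3 dst=198.51.100.13 dport=25 proto=tcp
2011-03-01T10:00:12 src=10.1.2.3 dst=198.51.100.14 dport=25 proto=tcp
2011-03-01T10:00:13 src=10.1.2.3 dst=198.51.100.15 dport=25 proto=tcp
2011-03-01T10:01:00 src=10.1.2.4 dst=198.51.100.25 dport=587 proto=tcp
2011-03-01T10:01:30 src=10.1.2.4 dst=203.0.113.80 dport=443 proto=tcp
2011-03-01T10:02:00 src=10.1.2.5 dst=10.1.0.25 dport=25 proto=tcp
malformed line that the parser must skip
""".splitlines()

if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG).items():
        for reason in reasons:
            print(host, "-", reason)
```

Only 10.1.2.3 is reported, with both indicators; the workstation using the sanctioned mail host and the one sending to the internal relay are not. In practice the IRC-port rule is a coarse first cut (bots can use any port), so it belongs alongside intrusion detection signatures and egress filtering rather than replacing them, which is the layered posture the Botnet Prevention section calls for.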
A spambot collects e-mail addresses to build mailing lists. Targets for spambots include Web sites, newsgroups, special interest groups, and chat rooms. Consider the attractiveness of such a capability to the manufacturer of Techno-Wonder-Widgets (TWW). They can tap into TWWlovers.net, retrieve all e-mails of TWW lovers, and target market them with tailored advertisements. While this may seem like good marketing, the invasion of PCs with bot malware is certainly less than moral if not illegal.
Click fraud is related to pay-per-click advertising, where a legitimate user clicking on a Web ad generates a fee from the advertising company to the host of the Web ad; the more clicks, the more revenue generated by the Web ad host. Click fraud is the engagement of a person, automated script, or other software that imitates a legitimate user clicking on the Web ad and artificially inflates the fees paid to the Web ad host. Bots are one method of accomplishing click fraud.
Spamdexing manipulates the relevance and prominence of search engine results. All search engines use key words and frequencies to both find and order the presentation of search results. The increase in on-line retail competition also creates an increase in competition for customer attention, especially in search engines. Spamdexing simulates search activity with key words and site selection that artificially push certain results to the top of the list so they appear on the first page of search results rather than later pages to which most users will not scroll.
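From the ad host's or advertiser's side, click fraud of the kind described above shows up as click traffic whose volume or timing is unlike a human reader's. The following added example (written for this page, not from the book) screens a constructed ad-click log for two such signals: a per-client click rate no reader could sustain, and inter-click intervals so regular that a script is the likelier source. The CSV layout, client addresses, and thresholds are assumptions made for the example, and a real system would combine these with conversion data and device signals before withholding payment.

```python
"""Added example: a click-fraud screen over an ad-click log. Flags clients
whose click rate or timing regularity is implausible for a human reader.
Log format, addresses and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_CLICKS = 5          # fewer clicks than this is never judged
MAX_HUMAN_RATE = 10     # clicks per minute beyond which no reader is plausible
MAX_GAP_CV = 0.15       # coefficient of variation of inter-click gaps below this looks scripted


def parse_click(line):
    # Constructed CSV: timestamp,client_ip,ad_id
    ts, ip, ad = line.strip().split(",")
    return datetime.fromisoformat(ts), ip, ad


def client_stats(lines):
    """Per-client click count, clicks per minute, and gap regularity (CV)."""
    times = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, _ = parse_click(line)
        times[ip].append(ts)
    stats = {}
    for ip, ts_list in times.items():
        ts_list.sort()
        n = len(ts_list)
        span_min = max((ts_list[-1] - ts_list[0]).total_seconds() / 60, 1 / 60)
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        stats[ip] = {"clicks": n, "rate_per_min": n / span_min, "gap_cv": cv}
    return stats


def suspicious_clients(lines):
    """Return {client_ip: [reasons]} for clients that trip either rule."""
    out = {}
    for ip, s in client_stats(lines).items():
        if s["clicks"] < MIN_CLICKS:
            continue
        reasons = []
        if s["rate_per_min"] > MAX_HUMAN_RATE:
            reasons.append("click rate exceeds plausible human rate")
        if s["gap_cv"] is not None and s["gap_cv"] < MAX_GAP_CV:
            reasons.append("inter-click intervals are metronomic")
        if reasons:
            out[ip] = reasons
    return out


# Constructed sample log: two scripted clients, one too small to judge, one ordinary reader.
SAMPLE_CLICKS = [
    # 203.0.113.50: six clicks exactly 30 s apart (scripted timing, modest rate)
    "2011-03-01T12:00:00,203.0.113.50,ad-17",
    "2011-03-01T12:00:30,203.0.113.50,ad-17",
    "2011-03-01T12:01:00,203.0.113.50,ad-17",
    "2011-03-01T12:01:30,203.0.113.50,ad-17",
    "2011-03-01T12:02:00,203.0.113.50,ad-17",
    "2011-03-01T12:02:30,203.0.113.50,ad-17",
    # 198.51.100.9: twelve clicks in 30 s with jittered gaps (rate far above human)
    "2011-03-01T12:05:00,198.51.100.9,ad-17",
    "2011-03-01T12:05:02,198.51.100.9,ad-17",
    "2011-03-01T12:05:05,198.51.100.9,ad-22",
    "2011-03-01T12:05:06,198.51.100.9,ad-17",
    "2011-03-01T12:05:10,198.51.100.9,ad-22",
    "2011-03-01T12:05:11,198.51.100.9,ad-17",
    "2011-03-01T12:05:15,198.51.100.9,ad-17",
    "2011-03-01T12:05:18,198.51.100.9,ad-22",
    "2011-03-01T12:05:20,198.51.100.9,ad-17",
    "2011-03-01T12:05:24,198.51.100.9,ad-17",
    "2011-03-01T12:05:27,198.51.100.9,ad-22",
    "2011-03-01T12:05:30,198.51.100.9,ad-17",
    # 192.0.2.77: three clicks, too few to judge
    "2011-03-01T12:00:12,192.0.2.77,ad-17",
    "2011-03-01T12:04:40,192.0.2.77,ad-22",
    "2011-03-01T12:09:03,192.0.2.77,ad-17",
    # 192.0.2.78: five irregular clicks over forty minutes (ordinary reader)
    "2011-03-01T12:00:00,192.0.2.78,ad-17",
    "2011-03-01T12:07:13,192.0.2.78,ad-22",
    "2011-03-01T12:15:40,192.0.2.78,ad-17",
    "2011-03-01T12:31:02,192.0.2.78,ad-17",
    "2011-03-01T12:40:55,192.0.2.78,ad-22",
]

if __name__ == "__main__":
    for ip, reasons in suspicious_clients(SAMPLE_CLICKS).items():
        print(ip, reasons)
```

The regularity rule catches the low-rate client that a volume threshold alone would pass, while the rate rule catches the burst client whose jittered timing defeats the regularity check; a bot operator only has to evade the rule you did not write, which is why such screens are layered.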
Cyber Swarm
When bees swarm in attack, one bee sets the swarm in motion with an alarm pheromone; subsequent bees attack, sting, and set off additional alarm pheromone. The pheromone calls additional bees to the attack; likewise, for both attack and defense purposes, a bot may call other bots to action. If a system is under attack, a bot may retaliate (defend) against the source of the attack while calling other bots to swarm against the same source. Each individual bot may be more or less insignificant, but 10,000 bots may result in a denial-of-service, or 10,000 bots with variations of activity (e.g., each attempting variations on ports, protocols, services, and applications) may succeed in overwhelming cyber defenses. Such retaliation assumes accurate attribution of the attack, which is not always simply the source of the packet. Also, the legalities of such retaliation are highly questionable. Therefore, such defensive swarming is not recommended. The same principle of cyber swarming applies in offense where one bot succeeds in penetration and calls subsequent bots to swarm on the victim.
Botnet Employment
In analogy, consider that a bot may act like a virtual soldier. Like soldiers, bots may group together in units like battalions or squadrons. Each group may play a tactical role in a larger strategic picture where tactical roles may be diversionary, denial, and objective execution. Diversionary tactics draw attention away from the objective by adding noise over the signal; it can be very difficult to distinguish extraneous activity from the real threat. Denial is the removal of key functions like the ability to detect an anomaly (e.g., a denial of service attack against a firewall and intrusion detection system). With extraneous noise coupled with denial of key monitoring devices, execution of the actual objective becomes much harder to detect. The point is to draw your attention to the sophistication of malware as a tactical element in an overall strategic attack. Such offensive capability on the part of the adversary requires a heightened awareness and defensive capabilities on your part as a protector of the enterprise.
Botnet Prevention
Bots and botnets pose a threat to the enterprise in a direct attack or incidental attack, or introduce liability as a host of botnet activity, even as an unwitting host. Botnet prevention includes anti-malware, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and Honeypots.
By nature, botnets are extremely varied in source and capability; therefore, simple IP address filtering is unlikely to be successful. Passive operating system (OS)