132 What Every Engineer Should Know About Cyber Security
7.2.1.3 What to Do Differently Next Time
These can also be called the after action items:
1. Make sure the intrusion detection system has current signature files.
Signature files will help the system recognize known malicious
threats. This is similar to the way in which antivirus applications
detect malware.
2. Migrate into an enterprise server format where the technical controls
would be more rigorous. In other words, the company needs a
centralized server resource as opposed to having each department
run its own servers. This will help the company analyze and secure
the servers in a consistent manner. In addition, a company should
hire people to manage that effort.
3. Implement incident response training for all of the IT administrators.
This will help them recognize incidents as well as understand
the importance of ensuring that the incident response process is
followed.
4. Review and update the change management request process to
ensure that proper access control is implemented.
5. Conduct regular vulnerability scans.
The 2012 LinkedIn database breach, in which hackers obtained millions upon
millions of access credentials, was a wake-up call to companies that have not
kept a close enough eye on their organization's security plan. Here are nine
techniques that a CISO can employ to improve the effectiveness of an
organization's security posture (Schwartz 2012):
1. Deploy CISOs in advance: This is part of being prepared. Would
you move to a town that did not have a fire department, police
department, or hospital? Hire the CISO before the security breach
happens—not after.
2. Acknowledge how CISOs reduce security costs: According to the
Ponemon Institute (2012), the cost of data breach attacks has declined
from $7.2 million to $5.5 million. In addition, they reported that the
organizations that employed CISOs had an $80 cost savings per
compromised record. Companies that outsourced this function only
saved $41 per compromised record. The reason a CISO reduces costs
is that he or she can help facilitate security best practices that have
been proven successful.
3. Allow CISOs to help guide new technology decisions: The evolution
of technology is ongoing. The CISO needs to be accepting of
new technologies in order to factor them into the organization's
overall security profile.
4. Make CEOs demand security posture details: Effective communication
between the CEO and CISO is a must. In other words, the
CEO needs to have an appreciation and understanding of the
organization's security posture just as he or she has an appreciation and
understanding of the organization's current sales.
5. Treat information security as a risk: Something as simple as a
phishing attack on a company can compromise the security of
critical information. The CISO needs to be well informed of all
vulnerabilities in the organization as well as vulnerabilities at
organizations that share any of his or her organization's computing
resources.
6. Consider a placeholder CISO: If your company does not have a
CISO, consider outsourcing the position to a reputable security company
until the needs of the organization are determined.
7. Identify crown jewels: In part of the risk analysis, determine the
value of the critical assets. In addition, risk should be reassessed
periodically. For example, if a password file has doubled the number
of users, increasing its protection should be a priority.
8. Beware of a false sense of security: Use a third party, who may see
things that you do not, to assess the risk and security posture of the
organization.
9. Treat advanced threats as common: Consider advanced persistent
threats (APTs, discussed earlier) as more prevalent than ever. The
standard information security defense should never be standard; it
needs to evolve as the threats evolve.
7.3 Case Study 2: How Is This Working for You?
Let us fast-forward two years at the same organization and see how well the
CISO’s security plan has worked out. Over the two years, a few people have
been hired for the computer incident response team (CIRT), so we have a
new cast of characters in our story. We have Jenny leading the CIRT team and
Alex and Justin working with her. We also still have David, who continues in
his IT administrator role but has since been trained in incident response per
one of the after action items in our last case study.
Another one of the changes the CISO instated was to write and enforce
an acceptable use policy (AUP). We discussed AUPs in Chapter 4. One of
the restrictions at this organization, according to the AUP, was that instant
messaging (IM) is not allowed. It was felt that IM was a distraction to the
employee and, more important, it was deemed a security risk to the network.
IM tools are security risks because they can circumvent the security measures
of the organization (e.g., an employee can casually send out confidential
information) as well as become a conduit for worms* and viruses.
The exact AUP excerpt read as follows:
INSTANT MESSAGING and CHAT Services:
Use of instant messaging or chat applications on the company network
is not acceptable.
To monitor the IM restriction, the intrusion detection system was
congured to generate an alert if IM was being utilized. Well, one afternoon,
Alex informed Jenny that the IM alarm had been triggered. Upon analysis,
the identity of the employee was discovered, but the CIRT needed to analyze
the hard drive to determine the nature of the messages. If the messages
were inappropriate, this would be grounds for the employee’s dismissal.
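The alert described above, as an added example that is not from the book: a small detector that reads connection-log lines and raises one AUP-violation alert per user and host that contacted an instant-messaging service. The signature table and the log lines are constructed for the example; matching on well-known ports stands in for the IDS's payload signature files.

```python
# Added example: flag instant-messaging use in connection logs, which is the
# control the AUP rule and the IDS alert in the case study implement.

# Hypothetical signature table: well-known IM/chat service ports. A real IDS
# matches protocol signatures in the payload; ports stand in for that here.
IM_SIGNATURES = {
    5222: "XMPP/Jabber",
    5223: "XMPP over TLS",
    6667: "IRC",
    1863: "MSNP",
}

# Constructed connection-log lines: timestamp,user,src_ip,dst_ip,dst_port,proto
SAMPLE_LOG = """\
2024-05-06T14:02:11,jdoe,10.1.4.23,203.0.113.10,443,tcp
2024-05-06T14:05:40,jdoe,10.1.4.23,198.51.100.7,5222,tcp
2024-05-06T14:05:41,jdoe,10.1.4.23,198.51.100.7,5222,tcp
2024-05-06T14:09:02,asmith,10.1.4.31,203.0.113.22,80,tcp
2024-05-06T14:15:17,asmith,10.1.4.31,198.51.100.9,6667,tcp
2024-05-06T14:20:00,bkim,10.1.4.40,203.0.113.30,22,tcp
"""

def parse_line(line):
    ts, user, src, dst, port, proto = line.strip().split(",")
    return {"ts": ts, "user": user, "src": src, "dst": dst,
            "port": int(port), "proto": proto}

def detect_im_use(log_text):
    """Return one alert per (user, host) that contacted an IM service.
    Repeat connections raise the count rather than a second alert, so the
    CIRT gets a single case to work instead of one ticket per packet."""
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        service = IM_SIGNATURES.get(rec["port"])
        if service is None:
            continue
        key = (rec["user"], rec["src"])
        if key not in alerts:
            alerts[key] = {"user": rec["user"], "host": rec["src"],
                           "first_seen": rec["ts"], "service": service,
                           "policy": "AUP: Instant Messaging and Chat Services",
                           "count": 0}
        alerts[key]["count"] += 1
    return list(alerts.values())
```

The alert carries the user and host so the CIRT can go straight to the identity step the case study describes.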
Alex informed Jenny of the situation and they made a plan. They needed
to inform the director of Human Resources (HR) of the violation and plan
a time to approach the employee to confiscate the employee's hard drive. The
team decided to approach the employee within the hour.
The CIRT team and director of HR gathered and approached the employee.
Jenny said, “It has come to our attention that you are in violation of this
organization's acceptable use policy. We will need to confiscate your hard
drive.” The employee obviously was stunned, but was cooperative.
The CIRT team brought the hard drive back to their lab, made a
forensically sound† copy of the hard drive, and began their analysis. They
knew which instant messenger client had been used, so they needed to analyze
the application to determine the messages that were received and sent. They
discovered that the messages were of an inappropriate nature, which is grounds
for dismissal. They needed to follow appropriate procedures to store the
evidence in the event that the employee decided to contest the dismissal.
For now, the situation was handed over to Human Resources to dismiss
the employee.
7.3.1 After Action Report
7.3.1.1 What Worked Well?
The CISO has done an excellent job implementing industry best practices
into this organization's security profile. An AUP was written,
implemented, and followed. The organization had a dedicated team to
respond to the incident, and they followed forensically sound procedures to
analyze the situation.
* The terms worms and viruses are often used interchangeably but are in fact different. A virus
is distributed by making copies of itself. A worm uses a computer network to replicate itself.
It searches for servers with security holes and makes copies of itself there.
† “Forensically sound” refers to the manner in which the electronic information was acquired.
The process ensures that the acquired information is as it was originally discovered and thus
reliable enough to be evidence in a court proceeding.
7.3.1.2 Lessons Learned
The importance of implementing industry best practices both to secure the
company assets and to be able to respond to incidents is priceless.
7.3.1.3 What to Do Differently Next Time
Nothing! Well done!
To Outsource or Not
Some companies choose to outsource the security function to a third party
because they can save money or the third party can do a better job for the
same money. Examples of outsourced functions could be hiring consultants
to help deal with a data breach or hiring them to store your data.
Outsourcing needs to be thought about carefully because your company
is ultimately responsible in the case of a security breach. Conducting
a risk assessment to help with that decision is necessary (Condon 2007):
determine the potential impact on the organization if a data breach occurs
and determine if the outsourcing company will make your data vulnerable.
According to the Ponemon Institute (2012), 41 percent of organizations had a
data breach caused by a third party (outsourcers having access to protected
data, cloud providers, and/or business partners). Most likely, the quality
of service you will get from the security firm will be confirmed
by references from other customers and a site visit (Burson 2010).
7.4 Case Study 3: The Weakest Link*
7.4.1 Background
Roger Duronio was dissatisfied with his yearly bonus from his employer, the
financial services company UBS-PaineWebber (UBS-PW). Like many companies,
after the events of 9/11, profits were down at UBS-PW, which
affected the employee bonus program. On February 22, 2002, the bonuses
were distributed. Duronio's bonus was $15,000 less (his compensation for
the year would be $160,000 instead of $175,000) than what he expected, even
though the employees were informed previously that this bonus reduction
would be happening. Duronio had a history of being dissatisfied with his pay.
The prior year he had approached his boss for a raise. His boss was able to
approve a $10,000 salary raise; however, the boss felt Duronio was still
unsatisfied with his compensation. This was apparent when Duronio received his
bonus on February 22, 2002. After receiving his bonus, he went straight to his
boss and demanded the remainder be awarded. Otherwise, he would quit
that very day. The boss made an attempt to have the full bonus awarded, but
was not successful. When he went back to give Duronio the bad news, his
boxes were already packed. His vengeful plan was already in the works.
* The information from this case was provided by Keith J. Jones: the court indictment and
articles written by Sharon Gaudin (all are referenced at the end of the chapter). Mr. Jones is
owner and senior partner with Jones Dykstra & Associates, Inc. (http://www.jonesdykstra.com/).
JDA is a company specializing in computer forensics, e-discovery, litigation support,
and training services. He is on the board of directors of the Consortium of Digital Forensics
Specialists (CDFS; developing standards for the digital forensics profession). He is also
the author of Real Digital Forensics: Computer Security and Incident Response (2005) and The
Anti-Hacker Toolkit (2002).
Duronio's revenge on UBS-PW caused him to be charged with securities
fraud (count 1), mail fraud (counts 2 and 3), and fraud and related activity in
connection with computers (count 4). In the high-profile case, the US Department
of Justice hired computer forensics expert Keith Jones to testify on behalf of
the prosecution. The defense hired Kevin Faulkner as their forensics expert.
7.4.2 The Crime
On Monday, March 4, 2002, Duronio, a former systems administrator for
UBS-PW, executed a logic bomb within its network that disabled nearly 2,000
of the company's servers. He planted the logic bomb prior to his exit from the
company. A logic bomb is malicious code inserted into an application that
will execute when the specified condition is met. His logic bomb was set to
execute when the stock market opened at 9:30 a.m. EST on March 4, 2002. The
code had four components:
1. Destruction: The server would delete all files.
2. Distribution: The bomb would be pushed from the central server to
370 branch offices.
3. Persistence: The bomb would continue to run regardless of a reboot
or power down.
4. Backup trigger: If the logic bomb code was discovered, another code
bomb would execute the destruction.
The logic bomb was only the first part of the plan. The second part of his
plan was to profit from this attack. Duronio purchased 330 PUT* options
($25,000 worth) of UBS-PW shares. He was essentially betting on the fact
* A “PUT” option is purchased when someone thinks a stock will decrease in value by a certain
date. In other words, it is essentially a contract between two parties to exchange an
asset at a specified price by a certain date. For example, party A can purchase the stock at
the decreased rate (specified in the contract) and sell it at the strike price (specified in the
contract). The profit = (strike price) – (decreased rate) – (the cost of the PUT option). If the
stock does not decrease in value, party A loses the cost of the PUT option.