Chapter 8. Attacks and Risks

Regardless of whether computer and network data are transmitted on a wired or wireless medium, the basic security concepts remain much the same. Some of the content presented here has been excerpted from the Cybersecurity Operations Handbook [1] with the permission of Digital Press, an imprint of Elsevier Science.

For those among us who are tasked with managing a business, and for that ever-shrinking number of Information Technology (IT) professionals who are not directly involved in the daily struggle of coping with cybersecurity issues, the temptation is to ask,

“What is the big deal about cybersecurity, really?”

“How does it affect our company infrastructure?”

“How does it affect users in our organization?”

“Is it something our management team should worry about?”

These are all legitimate questions. More and more today, IT professionals face an ever-growing and daunting task. Attacks occur every single day [2]. The only question to be asked in today’s modern computing environment is, “Are we prepared to deal with an attack?” This book provides guidance on how to prepare for such assaults against organizational infrastructure. It will help network and systems administrators prepare to answer these types of questions and provide compelling information that can help even the most reluctant manager or administrator come to terms with the changed, threatening computing environment we face today.

8.1. Threats to Personal Privacy

Vast data stores in myriad organizations hold personal information about each of us. The accumulation of such large amounts of electronic information, combined with the increased ability of computers to monitor, process, and aggregate this information about people, creates a massive threat to our individual privacy. The reality of today is that all of this information and technology now available can be electronically linked together, allowing unknown entities to gain unabated access to even our most private information. This situation should give us reason to pause and ask ourselves if we have not created a modern information age with an unwanted byproduct some have often referred to as “Big Brother.”

Although the magnitude and cost of the threat to our personal privacy is very difficult to determine, it is readily apparent that information technology is becoming powerful enough to warrant fears of the emergence of both government and corporate “Big Brothers.” More awareness of the situation is needed at the organizational and personal level. With the increased accessibility of such information, we have created an ever-growing vulnerability that someone, such as a cyberterrorist, is likely to exploit. Another consideration of late is the recently legislated “Privacy Acts” that many different countries have enacted in order to try to protect the data assets of their citizenry. Such legislation has become an ever-growing part of this modern information age. All companies using computing resources today now need to be keenly aware of both these threats and the legal ramifications that ensue when they attempt to monitor, prevent, or provide access to their information resources.

8.2. Fraud and Theft

Computer systems can be exploited for conducting fraudulent activities and for outright theft. Such criminal acts are accomplished by “automating” traditional methods of fraud and by inventing and using new methods that are constantly being created by enterprising criminal minds. For example, individuals carrying out such criminal activity may use computers to transfer a company’s proprietary customer data to computer systems that reside outside the company premises, or they may try to use or sell this valuable customer data to that company’s competitors. Their motive may be profit or inflicting damage to the victimized company to compensate for some perceived injustice, or it may just be an act of malicious behavior for entertainment or bragging rights. Computer fraud and theft can be committed by both company insiders and outsiders, but studies have shown that most corporate fraud is committed by company insiders. [3]

In addition to the use of technology to commit fraud, computer hardware and software resources may be vulnerable to theft. Actual examples include the theft of unreleased software and storage of customer data in insecure places such as anonymous FTP accounts so that it can be accessed and stolen by outsiders. Data being exposed to these threats generates a secondary threat for a company: the loss of credibility and possible liability for damages as a result of premature release of information, exposure or loss of information, and so on. Preventive measures that should be taken here are quite simple, but are often overlooked. Implementation of efficient access control methodologies, periodic auditing, and firewall usage can, in most cases, prevent fraud from occurring or at least make it more easily detected.

8.3. Internet Fraud

The meteoric rise in fraud perpetrated over the Internet has brought about the classification of nine types of fraud, developed from the data reported to the Internet Fraud Complaint Center (IFCC) [4]. Analysts at the IFCC determine a fraud type for each Internet fraud complaint received. IFCC analysts sort complaints into one of the following nine fraud categories:

  1. Financial institution fraud. Knowing misrepresentation of the truth or concealment of a material fact by a person to induce a business, organization, or other entity that manages money, credit, or capital to perform a fraudulent activity. [5] Credit/debit card fraud is an example of financial institution fraud that ranks among the most commonly reported offenses to the IFCC. Identity theft also falls into this category; cases classified under this heading tend to be those where the perpetrator possesses the complainant’s true name identification (in the form of a social security card, driver’s license, or birth certificate), but there has not been a credit or debit card fraud committed.
  2. Gaming fraud. Risking something of value, especially money, for a chance to win a prize when there is a misrepresentation of the odds or events. [6] Sports tampering and claiming false bets are two examples of gaming fraud.
  3. Communications fraud. A fraudulent act or process in which information is exchanged using different forms of media. Thefts of wireless, satellite, or landline services are examples of communications fraud.
  4. Utility fraud. When an individual or company misrepresents or knowingly intends to harm by defrauding a government-regulated entity that performs an essential public service, such as the supply of water or electrical services. [7]
  5. Insurance fraud. A misrepresentation by the provider or the insured in the indemnity against loss. Insurance fraud includes “padding” or inflating actual claims, misrepresenting facts on an insurance application, submitting claims for injuries or damage that never occurred, and staging accidents. [8]
  6. Government fraud. A knowing misrepresentation of the truth, or concealment of a material fact, to induce the government to act to its own detriment. [9] Examples of government fraud include tax evasion, welfare fraud, and counterfeiting currency.
  7. Investment fraud. Deceptive practices involving the use of capital to create more money, either through income-producing vehicles or through more risk-oriented ventures designed to result in capital gains. [10] Ponzi/Pyramid schemes and market manipulation are two types of investment fraud.
  8. Business fraud. When a corporation or business knowingly misrepresents the truth or conceals a material fact. [11] Examples of business fraud include bankruptcy fraud and copyright infringement.
  9. Confidence fraud. The reliance on another’s discretion and/or a breach in a relationship of trust resulting in financial loss. A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment. [12] Auction fraud and nondelivery of payment or merchandise are both types of confidence fraud and are the most reported offenses to the IFCC. The Nigerian Letter Scam is another offense classified under confidence fraud.

The Nigerian Letter Scam [13] has been around since the early 1980s. The scam is effected when a correspondence outlining an opportunity to receive nonexistent government funds from alleged dignitaries is sent to a “victim,” but there is a catch. The scam letter is designed to collect advance fees from the victim. This most often requires payoff money to be sent from the victim to the “dignitary” in order to bribe government officials. Although other countries may be mentioned, the correspondence typically indicates “The Government of Nigeria” as the nation of origin. This scam is also referred to as “419 Fraud” after the relevant section of the Criminal Code of Nigeria, as well as “Advance Fee Fraud.” Because of this scam, the country of Nigeria ranks second for total complaints reported at the IFCC on businesses by country. The IFCC has a policy of forwarding all Nigerian Letter Scam complaints to the U.S. Secret Service. The scam works as follows:

  1. A letter, e-mail, or fax is sent from an alleged official representing a foreign government or agency.
  2. The letter presents a business proposal to transfer millions of dollars in overinvoiced contract funds into your personal bank account. You are offered a certain percentage of the funds for your help.
  3. The letter encourages you to travel overseas to complete the details.
  4. The letter also asks you to provide blank company letterhead forms, banking account information, and telephone numbers.
  5. Next, you receive various documents with official-looking stamps, seals, and logos testifying to the authenticity of the proposal.
  6. Finally, they ask for upfront or advance fees for various taxes, processing fees, license fees, registration fees, attorney fees, and so on.

8.4. Employee Sabotage

Probably the easiest form of employee sabotage known to all system administrators would be “accidental” spillage. The act of intentionally spilling coffee or soda on a keyboard to make the computer unusable for some time is a criminal offense. Proving the spillage was deliberate, however, is next to impossible without the aid of hidden cameras or other surveillance techniques. Some administrators have even experienced severe cases where servers have been turned off over a weekend, resulting in unavailability, data loss, and the needless cost of hours of troubleshooting by someone. Employees are the people who are most familiar with their employer’s computers and applications. They know what actions can cause damage, mischief, or sabotage. The number of incidents of employee sabotage is believed to be much smaller than the instances of theft, but the cost of such incidents can be quite high. [14]

As long as people feel unjustly treated, cheated, bored, harassed, endangered, or betrayed at work, sabotage will be used as a method to achieve revenge or a twisted sense of job satisfaction. Later in this book, we show how serious sabotage acts can be prevented by implementing methods of strict access control.

8.5. Infrastructure Attacks

Devastating results can occur from the loss of supporting infrastructure. This infrastructure loss can include power failures (outages, spikes, and brownouts), loss of communications, water outages and leaks, sewer problems, lack of transportation services, fire, flood, civil unrest, and strikes. A loss of infrastructure often results in system downtime, sometimes in the most unexpected ways. Countermeasures against loss of physical and infrastructure support include adding redundant systems and establishing recurring backup processes. Because of the damage these types of threats can cause, the Critical Infrastructure Protection Act was enacted.

8.6. Malicious Hackers

The term malicious hacker refers to those who break into computers without authorization. They can include both outsiders and insiders. The hacker threat should be considered in terms of past and potential future damage. Although current losses caused by hacker attacks are significantly smaller than losses caused by insider theft and sabotage, the hacker problem is widespread and serious. One example of malicious hacker activity is that directed against the public telephone system (which is, by the way, quite common, and the targets are usually employee voice mailboxes or special “internal-only” numbers allowing free calls to company insiders). Another common method is for hackers to attempt to gather information about internal systems by using port scanners and sniffers, password attacks, denial-of-service attacks, and various other attempts to break publicly exposed systems such as File Transfer Protocol (FTP) and World Wide Web (WWW) servers. By implementing efficient firewalls and auditing/alerting mechanisms, external hackers can be thwarted. Internal hackers are extremely difficult to contend with because they have already been granted access; however, conducting internal audits on a frequent and recurring basis will help organizations detect these activities.
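The paragraph above recommends auditing and alerting mechanisms as the counter to reconnaissance such as port scanning. The following is an added example, not code from the handbook, of the kind of alerting logic that can run over firewall logs: it flags any source address that touches many distinct destination ports within a short sliding window. The log format and the addresses (documentation ranges) are constructed for the example; a real deployment would parse its own firewall's format.

```python
"""Port-scan alerting over constructed firewall log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed placeholder log format: <ISO timestamp> <ALLOW|DENY> src= dst= dport=
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 203.0.113.7 probes ten ports in six seconds (a scan);
# 198.51.100.5 is a normal client hitting the web ports.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ALLOW src=198.51.100.5 dst=192.0.2.10 dport=443
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=21
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=25
2024-05-01T10:00:03 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=80
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=110
2024-05-01T10:00:04 DENY src=203.0.113.7 dst=192.0.2.10 dport=143
2024-05-01T10:00:04 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=443
2024-05-01T10:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=3306
2024-05-01T10:00:06 DENY src=203.0.113.7 dst=192.0.2.10 dport=8080
2024-05-01T10:00:07 ALLOW src=198.51.100.5 dst=192.0.2.10 dport=443
2024-05-01T10:00:30 ALLOW src=198.51.100.5 dst=192.0.2.10 dport=80
2024-05-01T10:00:31 ALLOW src=198.51.100.5 dst=192.0.2.10 dport=443
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_port_scans(lines, window_seconds=60, min_ports=8):
    """Return {src: (distinct_ports, window_start, window_end)} for every source
    that touched at least `min_ports` distinct destination ports within any
    `window_seconds` sliding window. Both ALLOW and DENY lines count: a scan
    that only hits open ports still shows the same fan-out pattern."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev["src"]].append((ev["ts"], ev["dport"]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in by_src.items():
        events.sort()               # chronological order per source
        in_window = Counter()       # dport -> number of events inside the window
        start = 0
        for ts, dport in events:
            in_window[dport] += 1
            # Slide the window start forward until it spans at most `window`.
            while ts - events[start][0] > window:
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= min_ports:
                alerts[src] = (len(in_window), events[start][0], ts)
                break               # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, (ports, first, last) in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT possible port scan from {src}: {ports} ports between {first} and {last}")
```

The window and threshold are the tuning knobs: a short window with a high threshold catches only fast scanners, while a slow scan spread over minutes needs a longer window, so the same logs evaluated with `window_seconds=1` produce no alert at all. In practice the alert would be raised to the auditing system the chapter recommends rather than printed.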

8.7. Malicious Coders

Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other “uninvited” software. Sometimes mistakenly associated just with personal computers, such types of malicious code can attack other platforms. The actual costs that have been attributed to the presence of malicious code most often include the cost of system outages and the cost of staff time for those who are involved in finding the malware and repairing the systems. Frequently, these costs are quite significant.

Today, we are subject to a vast number of virus incidents. This has generated much discussion about the issues of organizational liability and must be taken into account. Viruses are the most common case of malicious code. In today’s modern computing platform, some form of antivirus software must be included in order to cope with this threat. To do otherwise can be extremely costly. In 1999, a virus named Melissa was released with devastating results. [15] The Melissa virus caused an estimated $80 million in damage and disrupted computer and network operations worldwide.

Melissa was especially damaging as viruses go because its author had deliberately created the virus to evade existing antivirus software and to exploit specific weaknesses in corporate and personal e-mail software, as well as server and desktop operating systems software. Melissa infected e-mail and propagated itself in that infected state to 50 other e-mail addresses it obtained from the existing e-mail address book it found on the victim’s machine. It immediately began sending out these infectious e-mails from every machine it touched. The Melissa infection spread across the Internet at an exponential rate. Systems were literally brought down from overload as a result of exponential propagation.

8.8. Industrial Espionage

A company might be subject to industrial espionage simply because competitors share some level of sensitive customer information, which might be worth millions for interested parties ranging from governments to corporate and private entities. It is not only the press who would be willing to pay for information. This situation might be encouraging enough for many hackers to tempt fate and attempt to obtain such information. Internal staff might consider the risk minimal and give away such information. There could be active attempts to retrieve information without authorization by hacking, sniffing, and other measures. A case of espionage can have serious consequences for a company, in terms of incurring the cost of lawsuits and resulting damage awards. This situation can also devastate a company’s reputation in the marketplace.

Formally defined, industrial espionage is the act of gathering proprietary data from private companies or governments to aid others. Industrial espionage can be perpetrated either by companies seeking to improve their competitive advantage or by governments seeking to aid their domestic industries. Foreign industrial espionage carried out by a government is often referred to as economic espionage. Because information is processed and stored on computer systems, computer security can help protect against such threats; it can do little, however, to reduce the threat of authorized employees selling that information.

Cases of industrial espionage are on the rise, especially after the end of the Cold War, when many intelligence agencies changed their orientation toward industrial targets. A 1992 study sponsored by the American Society for Industrial Security (ASIS) found that proprietary business information theft had increased 260 percent since 1985. The data indicated that 30 percent of the reported losses in 1991 and 1992 had foreign involvement. The study also found that 58 percent of thefts were perpetrated by current or former employees. The three most damaging types of stolen information were pricing information, manufacturing process information, and product development and specification information. Other types of information stolen included customer lists, basic research, sales data, personnel data, compensation data, cost data, proposals, and strategic plans.

Within the area of economic espionage, the Central Intelligence Agency (CIA) has stated that the main objective is obtaining information related to technology, but that information on U.S. government policy deliberations concerning foreign affairs and information on commodities, interest rates, and other economic factors is also a target. The Federal Bureau of Investigation (FBI) concurs that technology-related information is the main target, but also lists corporate proprietary information, such as negotiating positions and other contracting data, as targets.

Because of the increasing rise in economic and industrial espionage cases over the last decade, the Economic Espionage Act of 1996 was passed by the U.S. government. This law, codified as 18 U.S.C. §1832, provides:

  1. Whoever, with intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will injure any owner of that trade secret, knowingly
    1. steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;
    2. without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
    3. receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;
    4. attempts to commit any offense described in paragraphs (1) through (3); or
    5. conspires with one or more other persons to commit any offense described in paragraphs (1) through (3), and one or more of such persons do any act to effect the object of the conspiracy, shall, except as provided in subsection (b), be fined under this title or imprisoned not more than 10 years, or both.
  2. Any organization that commits any offense described in subsection (a) shall be fined not more than $5,000,000.

In a recent case [16] brought under 18 U.S.C. § 1832, convictions were upheld on appeal against Mr. Pin-Yen Yang and his daughter Hwei Chen Yang (Sally) for industrial espionage, among other crimes. Mr. Yang owned the Four Pillars Enterprise Company, Ltd., based in Taiwan. This company specialized in the manufacture of adhesives. Mr. Yang and his daughter conspired to illegally obtain trade secrets from their chief U.S. competitor, Avery Dennison Corporation, by hiring an ex-employee of Avery Dennison, a Dr. Lee. Lee was retained as a consultant by Yang, and the group conspired to pass confidential trade secrets from Avery to Four Pillars. When the FBI confronted Lee on the matter, he agreed to be videotaped in a meeting with Mr. Yang and his daughter. During the meeting, enough evidence was gathered to result in a conviction. [17]

Measures against industrial espionage consist of the same measures companies take to counter hackers, with the added security obtained by using data encryption technology. Where this is not possible because of government regulations (e.g., in France), proprietary compression or hashing algorithms can be used, which result in the same effect as encryption, but with a higher chance of being broken by a determined adversary. Legal protections exist, of course, but were once very difficult to dissect from the vast amount of legislation in Title 18 of the U.S. Code. Congress amended the many laws dotted throughout Title 18 into a comprehensive set of laws known as the 1996 National Information Infrastructure Protection Act.

8.9. Social Engineering

The weakest link in security will always be people, and the easiest way to break into a system is to engineer your way into it through the human interface. Almost every hacker group has engaged in some form of social engineering over the years, and in combination with other activities, they have been able to break into many corporations as a result. In this type of attack, the attacker chooses a mark he or she can scam to gain a password, user ID, or other usable information. Because most administrators and employees of companies are more concerned with providing efficiency and helping users, they may be unaware that the person they are speaking to is not a legitimate user. And because there are no formal procedures for establishing whether an end user is legitimate, the attacker often gains a tremendous amount of information in a very short time, and often with no way to trace the information leak back to the attacker.

Social engineering begins with a goal of obtaining information about a person or business and can range in activities from dumpster diving to cold calls or impersonations. As acknowledged in the movies, many hackers and criminals have realized that a wealth of valuable information often lies in the trash bins waiting to be emptied by a disposal company. Most corporations do not adequately dispose of information, and trash bins often contain information that may identify employees or customers. This information is not secured and is available to anyone who is willing to dive into the dumpster at night and look for it—hence, the term dumpster diving.

Other information is readily available via deception. Most corporations do not have security measures that address deception adequately. What happens when the protocol is followed properly, but the person being admitted is not who he says he is? Many groups utilize members of their group in a fashion that would violate protocols to gather information about a corporate admittance policy. Often, the multiperson attack results in gaining admittance to the company and ultimately the information desired. Using the bathroom or going for a drink of water is always a great excuse for exiting from a meeting, and you often will not have an escort. Most corporations do not have terminal locking policies, and this is another way an attacker can gain access or load software that may pierce the company’s firewall. So long as the people entering the corporation can act according to the role they have defined for their access and they look the part, it is unlikely that they will be detected.

Remotely, social engineering actually becomes less challenging. There are no visual expectations to meet, and people are very willing to participate with a little coaxing. As is often the case, giving away something free can always be a method for entry. Many social engineering situations involve sending along a free piece of software or something of value for free. Embedded within free software, Trojans, viruses, and worms can go undetected and can bypass system and network security. Because most security that protects the local machine has a hard time differentiating between real and fake software, it is often not risky for the attacker to deliver a keylogger or Trojan to the victim machine. Equally effective, customer support or employee support personnel can be duped into aiding a “needy user” with passwords and access to information they do not necessarily know about.

8.9.1. Educate Staff and Security Personnel

According to NIST Publication SP800-12, [18] the purpose of computer security awareness, training, and education is to enhance security by

  • Improving awareness of the need to protect system resources
  • Developing skills and knowledge so computer users can perform their jobs more securely
  • Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems

Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures (and how to use them), users cannot be truly accountable for their actions. The importance of this training is emphasized in the Computer Security Act, which requires training for those involved with the management, use, and operation of federal computer systems.

Awareness stimulates and motivates those being trained to care about security and reminds them of important security practices. By understanding what happens to an organization, its mission, customers, and employees when security fails, people are often motivated to take security more seriously. Awareness can take on different forms for particular audiences. Appropriate awareness for management officials might stress management’s pivotal role in establishing organizational attitudes toward security. Appropriate awareness for other groups, such as system programmers or information analysts, should address the need for security as it relates to their jobs. In today’s systems environment, almost everyone in an organization may have access to system resources and, therefore, may have the potential to cause harm.

Both dissemination and enforcement of policy are critical issues that are implemented and strengthened through training programs. Employees cannot be expected to follow policies and procedures of which they are unaware. In addition, enforcing penalties may be difficult if users can claim ignorance when they are caught doing something wrong. Training employees may also be necessary to show that a standard of due care has been taken in protecting information. Simply issuing policy, with no follow-up to implement that policy, may not suffice. Many organizations use acknowledgment statements that employees have read and understand computer security requirements.

Awareness is used to reinforce the fact that security supports the organization’s mission by protecting valuable resources. If employees view security measures as just bothersome rules and procedures, they are more likely to ignore them. In addition, they may not make needed suggestions about improving security or recognize and report security threats and vulnerabilities. Awareness is also used to remind people of basic security practices, such as logging off a computer system or locking doors. A security awareness program can use many teaching methods, including videotapes, newsletters, posters, bulletin boards, flyers, demonstrations, briefings, short reminder notices at logon, talks, or lectures. Awareness is often incorporated into basic security training and can use any method that can change employees’ attitudes. Effective security awareness programs need to be designed with the recognition that people tend to practice a tuning-out process (also known as acclimation). For example, after a while, a security poster, no matter how well designed, will be ignored; it will, in effect, simply blend into the environment. For this reason, awareness techniques should be creative and frequently changed.

Security education is more in-depth than security training and is targeted for security professionals and those whose jobs require expertise in security. Security education is normally outside the scope of most organizational awareness and training programs. It is more appropriately a part of employee career development. Security education is obtained through college or graduate classes or through specialized training programs. Because of this, most computer security programs focus primarily on awareness. An effective Computer Security Awareness and Training (CSAT) program requires proper planning, implementation, maintenance, and periodic evaluation. The following seven steps constitute one approach for developing a CSAT program:

  • Step 1: Identify program scope, goals, and objectives.
  • Step 2: Identify training staff.
  • Step 3: Identify target audiences.
  • Step 4: Motivate management and employees.
  • Step 5: Administer the program.
  • Step 6: Maintain the program.
  • Step 7: Evaluate the program.

8.9.2. Crafting Corporate Social Engineering Policy

When you begin the process of building a corporate policy for social engineering, several important considerations need to be included in the policy. Ensure that employees are aware of the data they are making available to others and what hackers might do with the knowledge they gain from that data. Train end users in the proper handling of social engineering tactics such as the following:

  • Dumpster diving
  • Phone calls
  • E-mail
  • Instant messaging
  • On-site visits

8.9.2.1. Prevention

Teach employees how to prevent intrusion attempts by verifying identification, using secure communications methods, reporting suspicious activity, establishing procedures, and shredding corporate documents. It is important to define a simple, concise set of established procedures for employees to report or respond to when they encounter any of these types of attacks.

8.9.2.2. Audits

It is a good idea to periodically employ external consultants to perform audits and social engineering attempts to test employees and the network security readiness of your organization. Define the regularity of audits conducted by external consultants in a manner that cannot become predictable, such as a rotation of the month in each quarter an audit would occur. For example, if your external audits are conducted semiannually, the first audit of the year may occur in month one of quarter one. The next audit may occur in month three of quarter three. Then, when the next year comes around, you have rotated to another month or even changed to quarters two and four. The point is not which months and quarters audits are conducted, but that they are done in an unpredictable fashion that only you and your trusted few will know.
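The rotation described above is easy to get wrong by hand (two audits landing in the same quarter, or the same months as last year). The following is an added example, not from the handbook, that generates such a schedule: it draws the quarters and the month within each quarter from a cryptographically strong random source, refuses schedules that repeat the previous year's pattern, and exposes the validity rule as its own function so an existing schedule can be checked. The two-audits-per-year default and the "one audit per quarter at most" rule are assumptions of this example.

```python
"""Unpredictable external-audit schedule (added example, not the handbook's code)."""
import random
import secrets

# Months that belong to each quarter of the year.
QUARTERS = {1: (1, 2, 3), 2: (4, 5, 6), 3: (7, 8, 9), 4: (10, 11, 12)}


def quarter_of(month):
    """Map a month number (1-12) to its quarter (1-4)."""
    return (month - 1) // 3 + 1


def is_valid_schedule(months, previous=None, audits_per_year=2):
    """Check the scheduling rules assumed by this example:
    the right number of audits, each in a different quarter, all months in
    range, and (when last year's schedule is given) not the same months again."""
    if len(months) != audits_per_year or any(m < 1 or m > 12 for m in months):
        return False
    if len({quarter_of(m) for m in months}) != len(months):
        return False  # two audits in one quarter cluster instead of spreading out
    if previous is not None and sorted(months) == sorted(previous):
        return False  # repeating last year's pattern makes it predictable
    return True


def choose_audit_months(previous=None, audits_per_year=2, rng=None):
    """Return a sorted list of audit months satisfying is_valid_schedule().

    `rng` defaults to secrets.SystemRandom (OS entropy, not guessable from
    earlier draws); pass random.Random(seed) only for reproducible testing."""
    if not 1 <= audits_per_year <= 4:
        raise ValueError("at most one audit per quarter is assumed here")
    if rng is None:
        rng = secrets.SystemRandom()
    while True:
        quarters = rng.sample(sorted(QUARTERS), audits_per_year)
        months = sorted(rng.choice(QUARTERS[q]) for q in quarters)
        if is_valid_schedule(months, previous, audits_per_year):
            return months


def plan_two_years(seed):
    """Produce consecutive yearly schedules with a seeded generator (demo only)."""
    rng = random.Random(seed)
    year1 = choose_audit_months(rng=rng)
    year2 = choose_audit_months(previous=year1, rng=rng)
    return year1, year2


if __name__ == "__main__":
    this_year = choose_audit_months()
    next_year = choose_audit_months(previous=this_year)
    print("this year:", this_year, "next year:", next_year)
```

Only the people who need to know should see the output; the schedule is as confidential as the audit itself, which is the point the section makes.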
