CORPORATE COMPUTER AND
NETWORK SECURITY
Raymond R. Panko
University of Hawaii
Boston Columbus Indianapolis New York San Francisco
Upper Saddle River Amsterdam Cape Town Dubai
London Madrid Milan Munich Paris Montreal Toronto
Delhi Mexico City Sao Paulo Sydney Hong Kong
Seoul Singapore Taipei Tokyo
CONTENTS
Preface xxiii
Chapter 1 The Threat Environment: Attackers and Their Attacks 1
Introduction 1
Basic Security Terminology 1
The TJX Data Breach 4
Employee and Ex-Employee Threats 9
Why Employees Are Dangerous 9
Employee Sabotage 9
Employee Hacking 11
Employee Financial Theft and Theft of Intellectual Property (IP) 12
Employee Extortion 13
Employee Sexual or Racial Harassment 14
Employee Computer and Internet Abuse 14
Data Loss 15
Other "Internal" Attackers 15
Traditional External Attackers I: Malware Writers 16
Malware Writers 16
Viruses 17
Worms 18
Blended Threats 19
Payloads 19
Trojan Horses and Rootkits 20
Mobile Code 23
Social Engineering in Malware 23
Traditional External Attackers II: Hackers and Denial-of-Service Attacks 25
Traditional Motives 25
Anatomy of a Hack 27
Social Engineering 30
Denial-of-Service (DoS) Attacks 31
Skill Levels 33
The Criminal Era 34
Dominance by Career Criminals 34
Fraud, Theft, and Extortion 39
Stealing Sensitive Data about Customers and Employees 41
Competitor Threats 43
Commercial Espionage 43
Denial-of-Service Attacks 44
Cyberwar and Cyberterror 44
Cyberwar 45
Cyberterror 46
A Constantly Changing Threat Environment 46
Synopsis 47
Thought Questions 48 • Internet Exercise 49 • Project 49 • Perspective Questions 49
Chapter 2 Planning 51
Introduction 51
Defense 51
Management Processes 52
The Need for a Disciplined Security Management Process 54
The Plan-Protect-Respond Cycle 55
Vision in Planning 57
Strategic IT Security Planning 59
• BOX: Compliance Laws and Regulations 61
Organization 65
Chief Security Officers (CSOs) 65
Should You Place Security within IT? 65
Top Management Support 67
Relationships with Other Departments 68
Outsourcing IT Security 69
Risk Analysis 72
Reasonable Risk 72
Classic Risk Analysis Calculations 73
Problems with Classic Risk Analysis Calculations 74
Responding to Risk 77
The Technical Security Architecture 78
Technical Security Architectures 79
Principles 79
Elements of a Technical Security Architecture 82
Policy-Driven Implementation 83
Policies 83
Categories of Security Policies 85
Policy-Writing Teams 86
Implementation Guidance 86
Types of Implementation Guidance 88
Exception Handling 92
Oversight 93
Governance Frameworks 99
COSO 100
CobiT 102
The ISO/IEC 27000 Family 104
Conclusion 105
Synopsis 105
Thought Questions 106 • Perspective Questions 106
Chapter 3 The Elements of Cryptography 107
What Is Cryptography? 108
Encryption for Confidentiality 108
Terminology 108
The Simple Cipher 110
Cryptanalysis 111
• BOX: Substitution and Transposition Ciphers 111
• BOX: Ciphers and Codes 113
Symmetric Key Encryption 114
Human Issues in Cryptography 116
Symmetric Key Encryption Ciphers 117
RC4 117
The Data Encryption Standard (DES) 118
Triple DES (3DES) 119
Advanced Encryption Standard (AES) 120
Other Symmetric Key Encryption Ciphers 120
Cryptographic Systems 121
Cryptographic System Standards 121
Initial Handshaking Stages 121
Ongoing Communication 123
The Negotiation Stage 124
Cipher Suite Options 124
Cipher Suite Policies 124
Initial Authentication Stage 125
Authentication Terminology 125
Hashing 125
Initial Authentication with MS-CHAP 127
The Keying Stage 129
Session Keys 129
Public Key Encryption for Confidentiality 129
Symmetric Key Keying Using Public Key Encryption 131
Symmetric Key Keying Using Diffie-Hellman Key Agreement 132
Message-by-Message Authentication 133
Electronic Signatures 133
Public Key Encryption for Authentication 133
Message-by-Message Authentication with Digital Signatures 134
Digital Certificates 137
Key-Hashed Message Authentication Codes (HMACs) 141
• BOX: Nonrepudiation 142
• BOX: Replay Attacks and Defenses 143
Quantum Security 144
Conclusion 145
Synopsis 145
Thought Questions 147 • Harder Thought Questions 148 • Perspective Questions 148
Chapter 4 Cryptographic System Standards 149
Introduction 149
Virtual Private Networks (VPNs) 151
Why VPNs? 151
Host-to-Host VPNs 151
Remote Access VPNs 152
Site-to-Site VPNs 152
SSL/TLS 153
Introduction 153
Non-Transparent Protection 154
Inexpensive Operation 154
SSL/TLS Gateways and Remote Access VPNs 154
• BOX: SSL/TLS Operation 155
IPsec 160
Attractions of IPsec 160
IPsec Transport Mode 162
IPsec Tunnel Mode 163
IPsec Security Associations (SAs) 164
Commercial WAN Carrier Security 165
• BOX: IPsec Details 166
Traditional Security in Commercial WAN Carriers 1
Multiprotocol Label Switching (MPLS) VPN Services 169
Routed VPNs versus Cryptographic VPNs 170
Access Control for Wired and Wireless LANs 171
LAN Connections 171
Access Threats 171
Eavesdropping Threats 172
Ethernet Security 172
Ethernet and 802.1X 172
The Extensible Authentication Protocol (EAP) 174
RADIUS Servers 176
Wireless Security 177
Wireless LAN Security with 802.11i 177
Core Security Protocols 179
Pre-Shared Key (PSK) Mode 181
Evil Twin Access Points 182
Wireless Intrusion Detection Systems 184
• BOX: Wired Equivalent Privacy (WEP) 185
• BOX: False 802.11 Security 187
Conclusion 189
Synopsis 189
Thought Questions 191 • Project 191 • Perspective Questions 191
Chapter 5 Access Control 193
Introduction 193
Access Control 193
Authentication, Authorizations, and Auditing 194
Authentication 195
Beyond Passwords 195
Two-Factor Authentication 195
Individual and Role-Based Access Control 196
Organizational and Human Controls 196
• BOX: Military and National Security Organization Access Controls 197
Physical Access and Security 198
Risk Analysis 198
ISO/IEC 9.1: Secure Areas 198
9.2 Equipment Security 201
Other Physical Security Issues 202
Reusable Passwords 204
Password-Cracking Programs 205
Password Cracking Techniques 206
Password Policies 208
Other Password Policies 210
The End of Passwords? 213
Access Cards and Tokens 213
Access Cards 214
Tokens 215
Proximity Access Tokens 215
Addressing Loss and Theft 216
Biometric Authentication 217
Biometrics 217
Biometric Systems 218
Biometric Errors 219
Verification, Identification, and Watch Lists 221
Biometric Deception 223
Biometric Methods 225
Cryptographic Authentication 227
Key Points from Chapter 3 227
Public Key Infrastructures (PKIs) 227
Authorization 230
The Principle of Least Permissions 230
Auditing 232
Logging 232
Log Reading 233
Central Authentication Servers 233
The Need for Centralized Authentication 233
Kerberos 234
Directory Servers 236
What Are Directory Servers? 236
Hierarchical Data Organization 236
Lightweight Directory Access Protocol (LDAP) 237
Use by Authentication Servers 238
Active Directory 238
Trust 240
Toward Full Identity Management 241
Other Directory Servers and Metadirectories 241
Federated Identity Management 242
Identity Management 244
Trust and Risk 246
Conclusion 247
Synopsis 247
Thought Questions 249 • Troubleshooting Question 250
Chapter 6 Firewalls 251
Introduction 251
Basic Firewall Operation 251
The Danger of Traffic Overload 253
Firewall Filtering Mechanisms 254
Static Packet Filtering 255
Looking at Packets One at a Time 255
Looking Only at Some Fields in the Internet and Transport Headers 255
Usefulness of Static Packet Filtering 255
Perspective 257
Stateful Packet Inspection (SPI) 258
Basic Operation 258
Packets that Do Not Attempt to Open Connections 260
Packets that Do Attempt to Open a Connection 262
Access Control Lists (ACLs) for Connection-Opening Attempts 262
Perspective on SPI Firewalls 266
Network Address Translation (NAT) 267
Sniffers 267
NAT Operation 267
Perspective on NAT 268
Application Proxy Firewalls and Application Content Filtering 269
Application Proxy Firewall Operation 269
Application Content Filtering in Stateful Packet Inspection Firewalls 271
• BOX: Application Proxy Firewall Protections 272
Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) 274
Intrusion Detection Systems (IDSs) 274
Intrusion Prevention Systems (IPSs) 277
IPS Actions 278
Antivirus Filtering and Unified Threat Management (UTM) 278
• BOX: Denial-of-Service (DoS) Protection 280
Firewall Architectures 281
Types of Firewalls 281
The Demilitarized Zone (DMZ) 282
Firewall Management 284
Defining Firewall Policies 284
Implementation 286
• BOX: Reading Firewall Logs 290
Difficult Problems for Firewall Filtering 293
The Death of the Perimeter 293
Attack Signatures versus Anomaly Detection 295
Conclusion 296
Synopsis 296
Thought Questions 298 • Design Question 299 • Troubleshooting Question 299 • Perspective Questions 299
Chapter 7 Host and Data Security 301
Introduction 301
What Is a Host? 301
Security Baselines and Image 303
Systems Administrators 304
Important Server Operating Systems 304
Windows Server Operating Systems 305
UNIX (Including LINUX) Servers 307
Vulnerabilities and Patches 310
Vulnerabilities and Exploits 310
Fixes 311
The Mechanics of Patch Installation 312
Problems with Patching 313
Managing Users and Groups 314
The Importance of Groups in Security Management 314
Creating and Managing Users and Groups in Windows 315
Managing Permissions 318
Permissions 318
Assigning Permissions in Windows 319
Assigning Groups and Permissions in UNIX 321
Testing for Vulnerabilities 322
Windows Client PC Security 323
Client PC Security Baselines 323
The Windows Security Center 324
Automatic Updates 324
Antivirus and Spyware Protection 325
Windows Firewall 326
Protecting Notebook Computers 326
Centralized PC Security Management 328
Data Protection: Backup 331
The Importance of Backup 331
Threats 331
Scope of Backup 332
Full versus Incremental Backups 333
Backup Technologies 335
Backup Media 337
Backup Management Policies 339
Other Data Protections 341
Encryption 341
Data Destruction 343
Document Restrictions 344
Conclusion 346
Thought Questions 348 • Research Project 348 • Applying Your Knowledge 348 • Perspective Questions 348
Chapter 8 Application Security 349
General Application Security Issues 349
Executing Commands with the Privileges of a Compromised Application 349
Buffer Overflow Attacks 350
Few Operating Systems, Many Applications 352
Hardening Applications 352
Securing Custom Applications 355
WWW and E-Commerce Security 358
The Importance of WWW and E-Commerce Security 358
WWW Service versus E-Commerce Service 358
Some Webserver Attacks 360
Patching the Webserver and E-Commerce Software and Its Components 362
Other Website Protections 363
Controlling Deployment 363
Browser Attacks 364
Enhancing Browser Security 367
E-Mail Security 369
E-Mail Content Filtering 369
Where to Do E-Mail Malware and Spam Filtering 371
E-Mail Retention 372
User Training 375
E-Mail Encryption 376
• BOX: Voice over IP (VoIP) Security 377
• BOX: The Skype VoIP Service 384
Other User Applications 385
Database 385
Instant Messaging (IM) 386
Spreadsheets 386
TCP/IP Supervisory Applications 388
Conclusion 390
Thought Questions 390 • Troubleshooting Questions 391 • Perspective Questions 391
Chapter 9 Incident and Disaster Response 393
Introduction 393
Wal-Mart and Hurricane Katrina 393
Incidents Happen 395
Incident Severity 395
Speed and Accuracy 398
The Intrusion Response Process for Major Incidents 400
Detection, Analysis, and Escalation 401
Containment 402
Recovery 403
Apology 404
Punishment 404
Postmortem Evaluation 407
Organization of the CSIRT 407
• BOX: Legal Considerations 408
Intrusion Detection Systems (IDSs) 415
Functions of an IDS 416
Distributed IDSs 418
Network IDSs (NIDSs) 419
Host IDSs 421
Log Files 422
Managing IDSs 424
Honeypots 426
Business Continuity Planning 426
Principles of Business Continuity Management 428
Business Process Analysis 430
Testing and Updating the Plan 430
IT Disaster Recovery 431
Types of Backup Facilities 432
Office PCs 434
Restoration of Data and Programs 434
Testing the IT Disaster Recovery Plan 435
Conclusion 435
Synopsis 435
Thought Questions 436 • Troubleshooting Question 436 • Perspective Questions 436
MODULE A Networking Concepts 437
Introduction 437
A Sampling of Networks 438
A Simple Home Network 438
A Building LAN 440
A Firm's Wide Area Networks (WANs) 442
The Internet 443
Applications 446
Network Protocols and Vulnerabilities 446
Inherent Security 446
Security Explicitly Designed into the Standard 447
Security in Older Versions of the Standard 447
Defective Implementation 447
Core Layers in Layered Standards Architecture 447
Standards Architectures 448
The TCP/IP Standards Architecture 448
The OSI Standards Architecture 449
The Hybrid TCP/IP-OSI Architecture 449
Single-Network Standards 450
The Data Link Layer 450
The Physical Layer 451
Internetworking Standards 452
The Internet Protocol (IP) 453
The IP Version 4 Packet 453
The First Row 454
The Second Row 454
The Third Row 455
Options 455
The Source and Destination IP Addresses 456
Masks 456
IP Version 6 457
IPsec 458
The Transmission Control Protocol (TCP) 458
TCP: A Connection-Oriented and Reliable Protocol 459
Flag Fields 462
Sequence Number Field 462
Window Field 463
Options 464
Port Numbers 464
TCP Security 466
The User Datagram Protocol 467
TCP/IP Supervisory Standards 468
Internet Control Message Protocol (ICMP) 468
The Domain Name System (DNS) 469
Dynamic Host Configuration Protocol (DHCP) 471
Dynamic Routing Protocols 471
Simple Network Management Protocol (SNMP) 473
Application Standards 473
Conclusion 475
Glossary 477
Index 491