Untitled

Dictionary
●
Rainbow tables
●
Social engineering
Brute Force The application of computing and network resources to try every possible
password combination is called a brute force password attack. If attackers can narrow the
field of target accounts, they can devote more time and resources to these accounts. This is one
reason to always change the password of the manufacturer’s default administrator account.
Brute force password attacks are rarely successful against systems that have adopted the
manufacturer’s recommended security practices. Controls that limit the number of unsuc-
cessful access attempts within a certain time are very effective against brute force attacks.
As shown in Table 2-3, the strength of a password determines its ability to withstand a
brute force attack. Using best practice policies like the 10.3 password rule and systems that
allow case-sensitive passwords can greatly enhance their strength.
66 Chapter 2
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
2
Dictionary Attacks The dictionary password attack, or simply dictionary attack, is a
variation of the brute force attack that narrows the field by using a dictionary of com-
mon passwords and includes information related to the target user, such as names of
relatives or pets, and familiar numbers such as phone numbers, addresses, and even
Social Security numbers. Organizations can use similar dictionaries to disallow pass-
words during the reset process and thus guard against passwords that are easy to guess.
In addition, rules requiring numbers and special characters in passwords make the dic-
tionary attack less effective.
Espionage or Trespass 67
Case-Insensitive Passwords Using a Standard Alphabet Set (No Numbers or Special Characters)
Password length Odds of cracking: 1 in (based on number of
characters ^ password length):
Estimated time to crack*
8 208,827,064,576 1.9 seconds
9 5,429,503,678,976 50.8 seconds
10 141,167,095,653,376 22.0 minutes
11 3,670,344,486,987,780 11.1 hours
12 95,428,956,661,682,200 10.3 days
13 2,481,152,873,203,740,000 268.6 days
14 64,509,974,703,297,200,000 19.1 years
15 1,677,259,342,285,730,000,000 497.4 years
16 43,608,742,899,428,900,000,000 12,932.8 years
Case-Sensitive Passwords Using a Standard Alphabet Set with Numbers and 20 Special Characters
Password length Odds of cracking: 1 in (based on number of
characters ^ password length):
Estimated time to crack*
8 2,044,140,858,654,980 5.2 hours
9 167,619,550,409,708,000 18.14 days
10 13,744,803,133,596,100,000 4.1 years
11 1,127,073,856,954,880,000,000 334.3 years
12 92,420,056,270,299,900,000,000 27,408.5 years
13 7,578,444,614,164,590,000,000,000 2,247,492.6 years
14 621,432,458,361,496,000,000,000,000 184,294,395.9 years
15 50,957,461,585,642,700,000,000,000,000 15,112,140,463.3 years
16 4,178,511,850,022,700,000,000,000,000,000 1,239,195,517,993.3 years
Table 2-3 Password Power
*Estimated Time to Crack is based on an average 2013-era Intel i7 PC (3770K) chip performing 109,924 Dhrystone MIPS (million
instructions per second) at 3.9 GHz.
© Cengage Learning 2015
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Rainbow Tables A far more sophisticated and potentially much faster password attack
is possible if the attacker can gain access to an encrypted password file, such as the Security
Account Manager (SAM) data file. While these password files contain hashed represen-
tations of users’ passwords—not the actual passwords, and thus cannot be used by
themselves—the hash values for a wide variety of passwords can be looked up in a database
known as a rainbow table. These plain text files can be quickly searched, and a hash value
and its corresponding plaintext value can be easily located. Chapter 8, “Cryptography,”
describes plaintext, ciphertext, and hash values in greater detail.
Did you know that a space can change how a word is used? For example, plaintext is
a special term from the field of cryptography that refers to textual information a
cryptosystem will transmit securely. It is plaintext when it starts and plaintext when
delivered, but it is ciphertext in between. However, the phrase plain text is a term from the
field of information systems that differentiates the text characters you type from the
formatted text you see in a document. For more information about cryptosystems and
cryptography, see Chapter 8.
Social Engineering Password Attacks While social engineering is discussed in
detail later in the section called “Human Error or Failure,” it is worth mentioning here as a
mechanism to gain password information. Attackers posing as an organization’s IT profes-
sionals may attempt to gain access to systems information by contacting low-level employees
and offering to help with their computer issues. After all, what employee doesn’t have issues
with computers? By posing as a friendly helpdesk or repair technician, the attacker asks
employees for their usernames and passwords, then uses the information to gain access to
organizational systems. Some even go so far as to actually resolve the user’s issues. Social
engineering is much easier than hacking servers for password files.
Forces of Nature
Forces of nature, sometimes called acts of God, can present some of the most dangerous
threats because they usually occur with little warning and are beyond the control of
people. These threats, which include events such as fires, floods, earthquakes, and light-
ning as well as volcanic eruptions and insect infestations, can disrupt not only people’s
lives but the storage, transmission, and use of information. Severe weather was suspected
in three 2008 outages in the Mediterranean that affected Internet access to the Middle
East and India. Knowing a region’s susceptibility to certain natural disasters is a critical
planning component when selecting new facilities for an organization or considering the
location of off-site data backup.
Because it is not possible to avoid threats from forces of nature, organizations must implement
controls to limit damage and prepare contingency plans for continued operations, such as
disaster recovery plans, business continuity plans, and incident response plans. These threats
and plans are discussed in detail in Chapter 5, “Planning for Security.” Protection mechanisms
are discussed in additional detail in Chapter 9, “Physical Security.”
Another term you may encounter, force majeure, can be translated as “superior force,” which
includes forces of nature as well as civil disorder and acts of war.
68 Chapter 2
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
2
 Fire
A structural fire can damage a building with computing equipment that comprises all or part
of an information system. Damage can also be caused by smoke or by water from sprinkler
systems or firefighters. This threat can usually be mitigated with fire casualty insurance or
business interruption insurance.
 Floods
Water can overflow into an area that is normally dry, causing direct damage to all or part of
the information system or the building that houses it. A flood might also disrupt operations
by interrupting access to the buildings that house the information system. This threat can
sometimes be mitigated with flood insurance or business interruption insurance.
 Earthquakes
An earthquake is a sudden movement of the earth’s crust caused by volcanic activity or the
release of stress accumulated along geologic faults. Earthquakes can cause direct damage to
the information system or, more often, to the building that houses it. They can also disrupt
operations by interrupting access to the buildings that house the information system. In
2006, a large earthquake just off the coast of Taiwan severed several underwater communi-
cations cables, shutting down Internet access for more than a month in China, Hong Kong,
Taiwan, Singapore, and other countries throughout the Pacific Rim. Losses due to earth-
quakes can sometimes be mitigated with casualty insurance or business interruption insur-
ance, but earthquakes usually are covered by a separate policy.
 Lightning
Lightning is an abrupt, discontinuous natural electric discharge in the atmosphere. Lightning
usually damages all or part of the information system and its power distribution components.
It can also cause fires or other damage to the building that houses the information system,
and it can disrupt operations by interfering with access to those buildings. Damage from
lightning can usually be prevented with specialized lightning rods placed strategically on and
around the organization’s facilities and by installing special circuit protectors in the organiza-
tion’s electrical service. Losses from lightning may be mitigated with multipurpose casualty
insurance or business interruption insurance.
 Landslides or Mudslides
The downward slide of a mass of earth and rock can directly damage the information system
or, more likely, the building that houses it. Landslides or mudslides also disrupt operations
by interfering with access to the buildings that house the information system. This threat
can sometimes be mitigated with casualty insurance or business interruption insurance.
 Tornados or Severe Windstorms
A tornado is a rotating column of air that can be more than a mile wide and whirl at
destructively high speeds. Usually accompanied by a funnel-shaped downward extension of
a cumulonimbus cloud, tornados can directly damage all or part of the information system
or, more likely, the building that houses it. Tornadoes can also interrupt access to the build-
ings that house the information system. Wind shear is a much smaller and linear wind effect,
Forces of Nature 69
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
but it can have similar devastating consequences. These threats can sometimes be mitigated
with casualty insurance or business interruption insurance.
 Hurricanes, Typhoons, and Tropical Depressions
A severe tropical cyclone that originates in equatorial regions of the Atlantic Ocean or
Caribbean Sea is referred to as a hurricane, and one that originates in eastern regions of the
Pacific Ocean is called a typhoon. Many hurricanes and typhoons originate as tropical
depressions—collections of multiple thunderstorms under specific atmospheric conditions.
Excessive rainfall and high winds from these storms can directly damage all or part of the
information system or, more likely, the building that houses it. Organizations in coastal or
low-lying areas may suffer flooding as well. These storms may also disrupt operations by
interrupting access to the buildings that house the information system. This threat can some-
times be mitigated with casualty insurance or business interruption insurance.
 Tsunamis
A tsunami is a very large ocean wave caused by an underwater earthquake or volcanic eruption.
These events can directly damage the information system or the building that houses it. Organiza-
tions in coastal areas may experience tsunamis. They may also disrupt operations through inter-
ruptions in access or electrical power to the buildings that house the information system. This
threat can sometimes be mitigated with casualty insurance or business interruption insurance.
To read about technology used to save lives after tsunamis, visit the Web site of NOAA’s National
Weather Service Pacific Tsunami Warning Center. From there you can find out how state-
of-the-art satellite, computer, and network systems are used to notify people in the Pacific Rim
about emergency tsunami events. You can see the Web page at ptwc.weather.gov/.
 Electrostatic Discharge
Electrostatic discharge (ESD), also known as static electricity, is usually little more than a
nuisance. However, the mild static shock we receive when walking across a carpet can be
costly or dangerous when it ignites flammable mixtures and damages costly electronic com-
ponents. An employee walking across a carpet on a cool, dry day can generate up to 12,000
volts of electricity. Humans cannot detect static electricity until it reaches around 1,500 volts.
When it comes into contact with technology, especially computer hard drives, ESD can be
catastrophic; damage can be caused by as little as 10 volts. 18
Static electricity can draw dust into clean-room environments or cause products to stick
together. The cost of ESD-damaged electronic devices and interruptions to service can be mil-
lions of dollars for critical systems. ESD can also cause significant loss of production time in
information processing. Although ESD can disrupt information systems, it is not usually an
insurable loss unless covered by business interruption insurance.
 Dust Contamination
Some environments are not friendly to the hardware components of information systems.
Accumulation of dust and debris inside systems can dramatically reduce the effectiveness
of cooling mechanisms and potentially cause components to overheat. Some specialized
technology, such as CD or DVD optical drives, can suffer failures due to excessive dust
contamination. Because it can shorten the life of information systems or cause unplanned
downtime, this threat can disrupt normal operations.
70 Chapter 2
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
2
Human Error or Failure
This category includes acts performed without intent or malicious purpose or in ignorance by
an authorized user. When people use information systems, mistakes happen. Similar errors
happen when people fail to follow established policy. Inexperience, improper training, and
incorrect assumptions are just a few things that can cause human error or failure. Regardless
of the cause, even innocuous mistakes can produce extensive damage. For example, a simple
keyboarding error can cause worldwide Internet outages:
In April 1997, the core of the Internet suffered a disaster. Internet service provi-
ders lost connectivity with other ISPs due to an error in a routine Internet router-
table update process. The resulting outage effectively shut down a major portion
of the Internet for at least twenty minutes. It has been estimated that about
45 percent of Internet users were affected. In July 1997, the Internet went
through yet another more critical global shutdown for millions of users. An acci-
dental upload of a corrupt database to the Internet’s root domain servers
occurred. Since this provides the ability to address hosts on the net by name
(i.e., eds.com), it was impossible to send e-mail or access Web sites within the
.com and .net domains for several hours. The .com domain comprises a majority
of the commercial enterprise users of the Internet. 19
One of the greatest threats to an organization’s information security is its own employees,
as they are the threat agents closest to the information. Because employees use data and
information in everyday activities to conduct the organization’s business, their mistakes
represent a serious threat to the confidentiality, integrity, and availability of data—even,
as Figure 2-9 suggests, relative to threats from outsiders. Employee mistakes can easily
Human Error or Failure 71
Elite Skillz,
wannabe hacker
Harriett Allthumbs,
confused the copier with the shredder
when preparing the annual sales report
Tommy Twostory,
convicted burglar
Figure 2-9 The biggest threat—acts of human error or failure
Source: © iStockphoto/BartCo, © iStockphoto/sdominick, © iStockphoto/mikkelwilliam.
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
lead to revelation of classified data, entry of erroneous data, accidental deletion or modifi-
cation of data, storage of data in unprotected areas, and failure to protect information.
Leaving classified information in unprotected areas, such as on a desktop, on a Web site,
or even in the trash can, is as much a threat as a person who seeks to exploit the informa-
tion, because the carelessness can create a vulnerability and thus an opportunity for an
attacker. However, if someone damages or destroys data on purpose, the act belongs to a
different threat category.
In 2014, New York’s Metro-North railroad lost power when one of the two power supply
units was taken offline for repairs. Repair technicians apparently failed to note the intercon-
nection between the systems, resulting in a two-hour power loss.
Human error or failure often can be prevented with training, ongoing awareness activities,
and controls. These controls range from simple activities, such as requiring the user to type a
critical command twice, to more complex procedures, such as verifying commands by a sec-
ond party. An example of the latter is the performance of key recovery actions in PKI systems.
Many military applications have robust, dual-approval controls built in. Some systems that
have a high potential for data loss or system outages use expert systems to monitor human
actions and request confirmation of critical inputs.
Humorous acronyms are commonly used when attributing problems to human error. They
include PEBKAC (problem exists between keyboard and chair), PICNIC (problem in chair,
not in computer), and ID-10-T error (idiot).
 Social Engineering
Key Terms
advance-fee fraud (AFF) A form of social engineering, typically conducted via e-mail, in which an
organization or some third party indicates that the recipient is due an exorbitant amount of money
and needs only a small advance fee or personal banking information to facilitate the transfer.
phishing A form of social engineering in which the attacker provides what appears to be a
legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects
the reply to a third-party site in an effort to extract personal or confidential information.
pretexting A form of social engineering in which the attacker pretends to be an authority figure
who needs information to confirm the target’s identity, but the real object is to trick the target
into revealing confidential information. Pretexting is commonly performed by telephone.
social engineering The process of using social skills to convince people to reveal access credentials
or other valuable information to an attacker.
spear phishing Any highly targeted phishing attack.
In the context of information security, social engineering is used by attackers to gain system
access or information that may lead to system access. There are several social engineering
techniques, which usually involve a perpetrator posing as a person who is higher in the orga-
nizational hierarchy than the victim. To prepare for this false representation, the perpetrator
already may have used social engineering tactics against others in the organization to collect
seemingly unrelated information that, when used together, makes the false representation
more credible. For instance, anyone can check a company’s Web site or even call the main
switchboard to get the name of the CIO; an attacker may then obtain even more information
by calling others in the company and falsely asserting his or her authority by mentioning the
72 Chapter 2
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
2
CIO’s name. Social engineering attacks may involve people posing as new employees or as
current employees requesting assistance to prevent getting fired. Sometimes attackers
threaten, cajole, or beg to sway the target. The infamous hacker Kevin Mitnick, whose
exploits are detailed earlier in this chapter, once stated:
People are the weakest link. You can have the best technology; firewalls, intrusion-
detection systems, biometric devices … and somebody can call an unsuspecting
employee. That’s all she wrote, baby. They got everything. 20
Advance-fee Fraud Another social engineering attack called the advance-fee fraud
(AFF), internationally known as the 4-1-9 fraud, is named after a section of the Nigerian
penal code. The perpetrators of 4-1-9 schemes often use the names of fictitious companies,
such as the Nigerian National Petroleum Company. Alternatively, they may invent other
entities, such as a bank, government agency, long-lost relative, lottery, or other nongovern-
mental organization. See Figure 2-10 for a sample letter used for this type of scheme.
Human Error or Failure 73
Figure 2-10 Example of a Nigerian 4-1-9 fraud letter
© Cengage Learning 2015
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
The scam is notorious for stealing funds from credulous people, first by requiring them to par-
ticipate in a proposed money-making venture by sending money up front, and then by soliciting
an endless series of fees. These 4-1-9 schemes are even suspected to involve kidnapping, extor-
tion, and murder. According to the Secret Service, the schemes have bilked over $100 million
from unsuspecting Americans lured into disclosing personal banking information.
For more information on AFF, go to the Advance Fee Fraud Coalition’s Web site at
http://affcoalition.org.
Phishing Many other attacks involve social engineering. One such attack is described by
the Computer Emergency Response Team/Coordination Center (CERT/CC):
CERT/CC has received several incident reports concerning users receiving requests
to take an action that results in the capturing of their password. The request could
come in the form of an e-mail message, a broadcast, or a telephone call. The latest
ploy instructs the user to run a “test” program, previously installed by the
intruder, which will prompt the user for his or her password. When the user exe-
cutes the program, the user’s name and password are e-mailed to a remote site.
These messages can appear to be from a site administrator or root. In reality,
they may have been sent by an individual at a remote site, who is trying to gain
access or additional access to the local machine via the user’s account. 21
While this attack may seem crude to experienced users, the fact is that many e-mail users
have fallen for it (refer to CERT Advisory CA-91.03). These tricks and similar variants are
called phishing attacks. They gained national recognition with the AOL phishing attacks
that were widely reported in the late 1990s, in which attackers posing as AOL technicians
attempted to get logon credentials from AOL subscribers. The practice became so wide-
spread that AOL added a warning to all official correspondence that no AOL employee
would ever ask for password or billing information. Variants of phishing attacks can lever-
age their purely social engineering aspects with a technical angle, such as that used in
pharming, spoofing, and redirection attacks, as discussed later in this chapter.
Another variant is spear phishing. While normal phishing attacks target as many recipients
as possible, a spear phisher sends a message to a small group or even one person. The mes-
sage appears to be from an employer, a colleague, or other legitimate correspondent. This
attack sometimes targets users of a certain product or Web site.
Phishing attacks use two primary techniques, often in combination with one another: URL
manipulation and Web site forgery. In Uniform Resource Locator (URL) manipulation,
attackers send an HTML embedded e-mail message or a hyperlink whose HTML code opens
a forged Web site. For example, Figure 2-11 shows an e-mail that appears to have come from
Regions Bank. Phishers typically use the names of large banks or retailers because potential
targets are more likely to have accounts with them. In Figure 2-12, the link appears to be to
RegionsNetOnline, but the HTML code actually links the user to a Web site in Poland. This
is a very simple example; many phishing attackers use sophisticated simulated Web sites in
their e-mails, usually copied from actual Web sites. Companies that are commonly used in
phishing attacks include AOL, Bank of America, Microsoft, and Wachovia.
In the forged Web site shown in Figure 2-12, the page looks legitimate; when users click
either of the bottom two buttons—Personal Banking Demo or Enroll in RegionsNet—they
74 Chapter 2
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
2
Human Error or Failure 75
Figure 2-11 Phishing example: lure
Figure 2-12 Phishing example: fake Web site
© Cengage Learning 2015
© Cengage Learning 2015
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
are directed to the authentic bank Web page. The Access Accounts button, however, links to
another simulated page that looks just like the real bank login Web page. When victims type
their banking ID and password, the attacker records that information and displays a
message that the Web site is now offline. The attackers can use the recorded credentials to
perform transactions, including fund transfers, bill payments, or loan requests.
People can use their Web browsers to report suspicious Web sites that might have been used
in phishing attacks. Figure 2-13 shows the method to report these suspicious sites using
Microsoft’s Internet Explorer.
Pretexting, sometimes referred to as phone phishing, is pure social engineering. The attacker
calls a potential victim on the telephone and pretends to be an authority figure in order to
gain access to private or confidential information, such as health, employment, or financial
records. The attacker may impersonate someone who is known to the potential victim only
by reputation. Pretexting is generally considered pretending to be a person you are not,
whereas phishing is pretending to represent an organization via a Web site or HTML
e-mail. This can be a blurry distinction.
Information Extortion
Key Term
information extortion The act of an attacker or trusted insider who steals information from a
computer system and demands compensation for its return or for an agreement not to disclose
the information. Also known as cyberextortion.
76 Chapter 2
Figure 2-13 Microsoft’s unsafe Web site reporting feature in Internet Explorer
Source: Microsoft. Used with permission.
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
2
Information extortion, also known as cyberextortion, is common in the theft of credit card
numbers. For example, Web-based retailer CD Universe was victimized by a theft of data
files that contained customer credit card information. The culprit was a Russian hacker
named Maxus who hacked the online vendor and stole several hundred thousand credit card
numbers. When the company refused to pay the $100,000 blackmail, he posted the card num-
bers to a Web site, offering them to the criminal community. His Web site became so popular
he had to restrict access. 22
Another incident of extortion occurred in 2008 when pharmacy benefits manager Express
Scripts, Inc. fell victim to a hacker who demonstrated that he had access to 75 customer
records and claimed to have access to millions more. The perpetrator demanded an undis-
closed amount of money. The company notified the FBI and offered a $1 million reward
for the arrest of the perpetrator. Express Scripts notified the affected customers, as
required by various state laws. The company was obliged to pay undisclosed expenses for
the notifications, and was required to buy credit monitoring services for its customers in
some states. 23
In 2010, Anthony Digati allegedly threatened to conduct a spam attack on the insurance com-
pany New York Life. He reportedly sent dozens of e-mails to company executives threatening
to conduct a negative image campaign by sending over 6 million e-mails to people throughout
the country. He then demanded approximately $200,000 to stop the attack, and next threat-
ened to increase the demand to more than $3 million if the company ignored him. His arrest
thwarted the spam attack.
In 2012, a programmer from Walachi Innovation Technologies allegedly broke into the orga-
nization’s systems and changed the access passwords and codes, locking legitimate users out
of the system. He then reportedly demanded $300,000 in exchange for the new codes.
A court order eventually forced him to surrender the information to the organization. In
Russia, a talented hacker created malware that installed inappropriate materials on an un-
suspecting user’s system, along with a banner threatening to notify the authorities if a bribe
was not paid. At 500 rubles (about $17), victims in Russia and other countries were more
willing to pay the bribe than risk prosecution by less considerate law enforcement. 24
Sabotage or Vandalism
This category of threat involves the deliberate sabotage of a computer system or business, or
acts of vandalism to destroy an asset or damage the image of an organization. These acts can
range from petty vandalism by employees to organized sabotage against an organization.
Although they might not be financially devastating, attacks on the image of an organization
are serious. Vandalism to a Web site can erode consumer confidence, diminishing an organiza-
tion’s sales, net worth, and reputation. For example, in the early hours of July 13, 2001, a
group known as Fluffi Bunni left its mark on the front page of the SysAdmin, Audit, Net-
work, Security (SANS) Institute, a cooperative research and education organization. This
event was particularly embarrassing to SANS Institute management because the organization
provides security instruction and certification. The defacement read, “Would you really trust
these guys to teach you security?” 25 At least one member of the group was subsequently
arrested by British authorities.
Sabotage or Vandalism 77
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
 Online Activism
Key Terms
cyberactivist See Hacktivist.
cyberterrorist A hacker who attacks systems to conduct terrorist activities via networks or
Internet pathways.
cyberwarfare Formally sanctioned offensive operations conducted by a government or state
against information or systems of another government or state.
hacktivist A hacker who seeks to interfere with or disrupt systems to protest the operations,
policies, or actions of an organization or government agency.
There are innumerable reports of hackers accessing systems and damaging or destroying crit-
ical data. Hacked Web sites once made front-page news, as the perpetrators intended. The
impact of these acts has lessened as the volume has increased. The Web site that acts as the
clearinghouse for many hacking reports, Attrition.org, has stopped cataloging all Web site
defacements because the frequency of such acts has outstripped the ability of the volunteers
to keep the site up to date. 26
Compared to Web site defacement, vandalism within a network is more malicious in intent
and less public. Today, security experts are noticing a rise in another form of online vandal-
ism, hacktivist or cyberactivist operations. For example, in November 2009, a group calling
itself “anti-fascist hackers” defaced the Web site of Holocaust denier and Nazi sympathizer
David Irving. They also released his private e-mail correspondence, secret locations of events
on his speaking tour, and detailed information about people attending those events, among
them members of various white supremacist organizations. This information was posted on
the Web site WikiLeaks, an organization that publishes sensitive and classified information
provided by anonymous sources. 27
Figure 2-14 illustrates how Greenpeace, a well-known environmental activist organization,
once used its Web presence to recruit cyberactivists.
Cyberterrorism and Cyberwarfare A much more sinister form of hacking is
cyberterrorism. The United States and other governments are developing security measures
intended to protect critical computing and communications networks as well as physical
and power utility infrastructures.
In the 1980s, Barry Collin, a senior research fellow at the Institute for Security
and Intelligence in California, coined the term “cyberterrorism” to refer to the
convergence of cyberspace and terrorism. Mark Pollitt, special agent for the FBI,
offers a working definition: “Cyberterrorism is the premeditated, politically moti-
vated attacks against information, computer systems, computer programs, and
data which result in violence against noncombatant targets by subnational
groups or clandestine agents.” 28
Cyberterrorism has thus far been largely limited to acts such as the defacement of NATO
Web pages during the war in Kosovo. Some industry observers have taken the position that
cyberterrorism is not a real threat, but instead is merely hype that distracts from more con-
crete and pressing information security issues that do need attention.
78 Chapter 2
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
2
However, further instances of cyberterrorism have begun to surface. According to
Dr. Mudawi Mukhtar Elmusharaf at the Computer Crime Research Center, “on Oct. 21,
2002, a distributed denial-of-service (DDoS) attack struck the 13 root servers that provide
the primary road map for all Internet communications. Nine servers out of these thirteen
were jammed. The problem was taken care of in a short period of time.” 29 While this attack
was significant, the results were not noticeable to most users of the Internet. A news report
shortly after the event noted that “the attack, at its peak, only caused 6 percent of domain
name service requests to go unanswered [… and the global] DNS system normally responds
almost 100 percent of the time.” 30
Internet servers were again attacked on February 6, 2007, with four Domain Name System
(DNS) servers targeted. However, the servers managed to contain the attack. It was reported
that the U.S. Department of Defense was on standby to conduct a military counterattack if
the cyberattack had succeeded. 31
Government officials are concerned that certain foreign countries are “pursuing cyberwea-
pons the same way they are pursuing nuclear weapons.” 32 Some of these cyberterrorist
Sabotage or Vandalism 79
Figure 2-14 Cyberactivists wanted
© Cengage Learning 2015
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
attacks are aimed at disrupting government agencies, while others seem designed to create
mass havoc with civilian and commercial industry targets. However, the U.S. government
conducts its own cyberwarfare actions, having reportedly targeted overseas efforts to
develop nuclear enrichment plants by hacking into and destroying critical equipment. 33
For more information about the evolving threat of cyberwarfare, visit a leading think tank,
the Rand Corporation, to read research reports and commentary from leaders in the field
(www.rand.org/topics/cyber-warfare.html.)
Positive Online Activism Not all online activism is negative. Social media outlets,
such as Facebook, MySpace, Twitter, and YouTube, are commonly used to perform fund-
raising, raise awareness of social issues, gather support for legitimate causes, and promote
involvement. Modern business organizations try to leverage social media and online activism
to improve their public image and increase awareness of socially responsible actions.
Software Attacks
Deliberate software attacks occur when an individual or group designs and deploys software
to attack a system. This attack can consist of specially crafted software that attackers trick
users into installing on their systems. This software can be used to overwhelm the processing
capabilities of online systems or to gain access to protected systems by hidden means.
 Malware
Key Terms
adware Malware intended to provide undesired marketing and advertising, including popups
and banners on a user’s screens.
boot virus Also known as a boot sector virus, a type of virus that targets the boot sector or
Master Boot Record (MBR) of a computer system’s hard drive or removable storage media.
macro virus A type of virus written in a specific macro language to target applications that use
the language. The virus is activated when the application’s product is opened. A macro virus
typically affects documents, slideshows, e-mails, or spreadsheets created by office suite
applications.
malicious code See Malware.
malicious software See Malware.
malware Computer software specifically designed to perform malicious or unwanted actions.
memory-resident virus A virus that is capable of installing itself in a computer’s operating system,
starting when the computer is activated, and residing in the system’s memory even after the host
application is terminated. Also known as a resident virus.
non-memory-resident virus A virus that terminates after it has been activated, infected its host
system, and replicated itself. NMR viruses do not reside in an operating system or memory after
executing. Also known as a non-resident virus.
polymorphic threat Malware (a virus or worm) that over time changes the way it appears to
antivirus software programs, making it undetectable by techniques that look for preconfigured
signatures.
spyware Any technology that aids in gathering information about people or organizations
without their knowledge.
80 Chapter 2
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
2
Trojan horse A malware program that hides its true nature and reveals its designed behavior
only when activated.
virus A type of malware that is attached to other executable programs. When activated, it
replicates and propagates itself to multiple systems, spreading by multiple communications
vectors. For example, a virus might send copies of itself to all users in the infected system’s e-mail
program.
virus hoax A message that reports the presence of a nonexistent virus or worm and wastes
valuable time as employees share the message.
worm A type of malware that is capable of activation and replication without being attached to
an existing program.
Malware is referred to as malicious code or malicious software. Other attacks that use software,
like redirect attacks and denial-of-service attacks, also fall under this threat. These software com-
ponents or programs are designed to damage, destroy, or deny service to targeted systems.
Malicious code attacks include the execution of viruses, worms, Trojan horses, and active
Web scripts with the intent to destroy or steal information. The most state-of-the-art mali-
cious code attack is the polymorphic worm, or multivector worm. These attack programs
use up to six known attack vectors to exploit a variety of vulnerabilities in common informa-
tion system devices.
Other forms of malware include covert software applications—bots, spyware, and adware—
that are designed to work out of users’ sight or be triggered by an apparently innocuous user
action. Bots are often the technology used to implement Trojan horses, logic bombs, back
doors, and spyware. 34 Spyware is placed on a computer to secretly gather information about
the user and report it. One type of spyware is a Web bug, a tiny graphic that is referenced
within the Hypertext Markup Language (HTML) content of a Web page or e-mail to collect
information about the user viewing the content. Another form of spyware is a tracking cookie,
which is placed on users’ computers to track their activity on different Web sites and create a
detailed profile of their behavior. 35 Each of these hidden code components can be used to col-
lect user information that could then be used in a social engineering or identity theft attack.
For more information about current events in malware, visit the U.S. Computer Emergency
Readiness Team (US-CERT) Web site and go to its Current Activity page, www.us-cert.gov/ncas/
current-activity. US-CERT is part of the Department of Homeland Security.
Table 2-4 draws on two recent studies to list some of the malware that has had the biggest
impact on computer users to date.
Virus A computer virus consists of code segments (programming instructions) that perform
malicious actions. This code behaves much like a virus pathogen that attacks animals and
plants, using the cell’s own replication machinery to propagate the attack beyond the initial
target. The code attaches itself to an existing program and takes control of the program’s
access to the targeted computer. The virus-controlled target program then carries out the
virus plan by replicating itself into additional targeted systems. Often, users unwittingly help
viruses get into a system. Opening infected e-mail or some other seemingly trivial action can
cause anything from random messages appearing on a user’s screen to the destruction of
entire hard drives. Just as their namesakes are passed among living bodies, computer viruses
Software Attacks 81
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
are passed from machine to machine via physical media, e-mail, or other forms of computer
data transmission. When these viruses infect a machine, they may immediately scan it for
e-mail applications or even send themselves to every user in the e-mail address book.
One of the most common methods of virus transmission is via e-mail attachment files. Most
organizations block e-mail attachments of certain types and filter all e-mail for known
viruses. Years ago, viruses were slow-moving creatures that transferred viral payloads
through the cumbersome movement of diskettes from system to system. Now computers
are networked, and e-mail programs prove to be fertile ground for computer viruses unless
suitable controls are in place. The current software marketplace has several established
vendors, such as Symantec Norton AntiVirus, Kaspersky Antivirus, AVG AntiVirus, and
McAfee VirusScan, which provide applications to help control computer viruses. Microsoft’s
Malicious Software Removal Tools is freely available to help users of Windows operating
systems remove viruses and other types of malware. Many vendors are moving to software
suites that include antivirus applications and provide other malware and nonmalware
protection, such as firewall protection programs.
Viruses can be classified by how they spread themselves. Among the most common types of
information system viruses are the macro virus, which is embedded in automatically execut-
ing macro code used by word processors, spreadsheets, and database applications, and the
boot virus, which infects the key operating system files in a computer’s boot sector. Viruses
can also be described by how their programming is stored and moved. Some are found as
82 Chapter 2
Malware Type Year
Estimated number of
systems infected
Estimated
financial damage
MyDoom Worm 2004 2 million $38 billion
Klez (and variants) Virus 2001 7.2% of Internet $19.8 billion
ILOVEYOU Virus 2000 10% of Internet $5.5 billion
Sobig F Worm 2003 1 million $3 billion
Code Red (and CR II) Worm 2001 400,000 servers $2.6 billion
SQL Slammer, a.k.a.
Sapphire
Worm 2003 75,000 $950 million to $1.2 billion
Melissa Macro virus 1999 Unknown $300 million to $600 million
CIH, a.k.a. Chernobyl Memory-resident
virus
1998 Unknown $250 million
Storm Worm Trojan horse virus 2006 10 million Unknown
Conficker Worm 2009 15 million Unknown
Nimda Multivector worm 2001 Unknown Unknown
Sasser Worm 2004 500,000 to 700,000 Unknown
Nesky Virus 2004 Under 100,000 Unknown
Leap-A/Oompa-A Virus 2006 Unknown (Apple) Unknown
Table 2-4 The Most Dangerous Malware Attacks to Date 36,37
© Cengage Learning 2015
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
2
binary executables, including .exe or .com files; or as interpretable data files, such as com-
mand scripts or a specific application’s document files; or both.
Alternatively, viruses may be classified as memory-resident viruses or non-memory-resident
viruses, depending on whether they persist in a computer system’s memory after they have
been executed. Resident viruses are capable of reactivating when the computer is booted
and continuing their actions until the system is shut down, only to restart the next time the
system is booted.
In 2002, the author of the Melissa virus, David L. Smith of New Jersey, was convicted in
U.S. federal court and sentenced to 20 months in prison, a $5,000 fine, and 100 hours of
community service upon release. 38
For more information on computer criminals and their crimes and confections, visit http://en.
wikipedia.org and search on “List of Computer Criminals.”
Viruses and worms can use several attack vectors to spread copies of themselves to net-
worked peer computers, as illustrated in Table 2-5.
Worms Named for the tapeworm in John Brunner’s novel The Shockwave Rider, worms
can continue replicating themselves until they completely fill available resources, such as
memory, hard drive space, and network bandwidth. Read the nearby Offline feature about
Robert Morris to learn how much damage a worm can cause. Code Red, Sircam, Nimda
(“admin” spelled backwards), and Klez are examples of a class of worms that combine mul-
tiple modes of attack into a single package. Figure 2-15 shows sample e-mails that contain
the Nimda and Sircam worms. These newer worm variants contain multiple exploits that
Software Attacks 83
Vector Description
IP scan and attack The infected system scans a random or local range of IP addresses and targets several
vulnerabilities known to hackers or left over from previous exploits, such as Code Red,
Back Orifice, or PoizonBox.
Web browsing If the infected system has write access to any Web pages, it makes all Web content files
infectious, including .html, .asp, .cgi, and other files. Users who browse to those pages
infect their machines.
Virus Each affected machine infects common executable or script files on all computers to
which it can write, which spreads the virus code to cause further infection.
Unprotected shares Using vulnerabilities in file systems and in the way many organizations configure them,
the infected machine copies the viral component to all locations it can reach.
Mass mail By sending e-mail infections to addresses found in the address book, the affected
machine infects many other users, whose mail-reading programs automatically run the
virus program and infect even more systems.
Simple Network
Management Protocol
(SNMP)
SNMP is used for remote management of network and computer devices. By using the
widely known and common passwords that were employed in early versions of this
protocol, the attacking program can gain control of the device. Most vendors have
closed these vulnerabilities with software upgrades.
Table 2-5 Attack Replication Vectors
© Cengage Learning 2015
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
can use any predefined distribution vector to programmatically distribute the worm. (See the
section on polymorphic threats later in this chapter for more details.)
The outbreak of Nimda in September 2001 used five of the six vectors shown in Table 2-5
to spread itself with startling speed. TruSecure Corporation, an industry source for informa-
tion security statistics and solutions, reports that Nimda spread to span the Internet address
space of 14 countries in less than 25 minutes. 39
The Klez worm, shown in Figure 2-16, delivers a double-barreled payload: It has an attach-
ment that contains the worm, and if the e-mail is viewed on an HTML-enabled browser, it
attempts to deliver a macro virus. News-making attacks, such as MyDoom and Netsky, are
variants of the multifaceted attack worms and viruses that exploit weaknesses in leading
operating systems and applications.
The complex behavior of worms can be initiated with or without the user downloading or
executing the file. Once the worm has infected a computer, it can redistribute itself to all
e-mail addresses found on the infected system. Furthermore, a worm can deposit copies of
itself onto all Web servers that the infected system can reach; users who subsequently visit
those sites become infected. Worms also take advantage of open shares found on the net-
work in which an infected system is located. The worms place working copies of their code
onto the server so that users of the open shares are likely to become infected.
In 2003, Jeffrey Lee Parson, an 18-year-old high school student from Minnesota, was
arrested for creating and distributing a variant of the Blaster worm called W32.Blaster-B.
He was sentenced to 18 months in prison, 3 years of supervised release, and 100 hours of
community service. 40 The original Blaster worm was reportedly created by a Chinese
hacker group.
Trojan Horses Trojan horses are frequently disguised as helpful, interesting, or neces-
sary pieces of software, such as the readme.exe files often included with shareware or free-
ware packages. Like their namesake in Greek legend, once Trojan horses are brought into a
84 Chapter 2
Nimda—note
garbage in the
subject
Sircam—note
stilted text
Figure 2-15 Nimda and Sircam worms