Guide to Firewalls & VPN's 3rd Edition pdf pdf

(1)

(2)

Michael E. Whitman

Herbert J. Mattord

Andrew Green

Guide to Firewalls and VPNs

(3)

(4)

Guide to Firewalls and VPNs, Third Edition

Michael E. Whitman, Herbert J. Mattord, Andrew Green

Vice President, Editorial: Dave Garza

Executive Editor: Stephen Helba

Acquisitions Editor: Stephen Helba

Managing Editor: Marah Bellegarde

Senior Product Manager: Michelle Ruelos Cannistraci

Developmental Editor: Kent Williams

Editorial Assistant: Jennifer Wheaton

Vice President, Marketing: Jennifer Ann Baker

Marketing Director: Deborah S. Yarnell

Marketing Manager: Erin Coffin

Marketing Coordinator: Erica Ropitzky

Production Manager: Andrew Crouth

Senior Content Project Manager: Andrea Majot

Senior Art Director: Jack Pendleton

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at

Cengage Learning Customer & Sales Support, 1-800-354-9706

For permission to use material from this text or product, submit all requests online atcengage.com/permissions

Further permissions questions can be emailed to

permissionrequest@cengage.com

Library of Congress Control Number: 2011927669

ISBN-13: 978-1-111-13539-3

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at:

international.cengage.com/region

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

For your lifelong learning solutions, visit

www.cengage.com/coursetechnology

Purchase any of our products at your local college store or at our preferred online storewww.cengagebrain.com

Visit our corporate website atwww.cengage.com

Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.

Microsoft and the Office logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Course Technology, a part of Cengage Learning, is an independent entity from the Microsoft Corporation, and not affiliated with Microsoft in any manner. Any fictional data related to persons or companies or URLs used throughout this book is intended for instructional purposes only. At the time this book was printed, any such data was fictional and not belonging to any real persons or companies.

Course Technology and the Course Technology logo are registered trademarks used under license.

Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time in its content without notice.

The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.

(5)

“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers—

organizing your lives, staying in touch with people, being creative—

if we don’t solve these security problems, then people will hold back._”

—Bill Gates

chapter

1

Introduction to

Information Security

After reading this chapter and completing

the exercises, you will be able to:

● Explain the component parts of information security in general and network security in particular ● Define the key terms and critical concepts of information and network security

● Describe the organizational roles of information and network security professionals ● Discuss the business need for information and network security

● Identify the threats posed to information and network security, as well as the common attacks

associated with those threats

● Differentiate threats to information within systems from attacks against information within

systems

(6)

Running Case: You Must Be Joking

Meghan Sanders couldn_’t believe her eyes. She blinked twice, and then looked back at Alex to be sure it wasn’t a joke.

“Well, do you think you can help me?_”Alex Truman asked, with a hint of desperation in his voice.

“This is your current perimeter defense?”Meghan asked, hesitantly. “Have you reconfigured the device in any way?_”

“Yes, that’s it, and no, it was installed out of the box,”Alex replied.“I bought the best one they had on the shelf at the time! We know we need to consider an upgrade, but it_’s been working pretty well so far._”

That’s the understatement of the year, Meghan thought. She took a deep breath. “Okay, I think I know what we need to do, but it_’s going to take some time and effort. Let me check in with my team and I’ll send over an estimate.”

As she walked back to her car, Meghan mulled over the issues at hand. Her company, Onsite Security Services, was doing well so far. She_’d built a small but solid base of customers, including several small businesses, work-at-home professionals, and even a few local retail chain vendors. But this was going to be the most challenging job yet. Most of her work involved helping clients update and secure computers, servers, printers, and the occasional network configuration. She’d worked with small firewalls for the home users, but had never really gotten involved in commercial-grade security appliances. _“I guess it_’s time I upgraded my service offerings,_”she told herself.

What Meghan couldn’t believe was that a local data center, with over 50 servers providing data collection and data mining services for local businesses, was protected at the perimeter with a residential-grade firewall, the same inexpensive device most people used at home. All that data, residing behind a piece of technology bought on sale for $49.99, she thought to herself.

Meghan called her office manager. _“Rachel?_” she said, _“I just left Data Mart. I need you to see if Mike can schedule an appointment with Alex Truman to start educating him on effec-tive security profiles. This job is going to take some real work, and I think we need to start with the basics._”

Introduction

(7)

security has matured rapidly in the past 20 years. Those who don’t understand the concep-tual basis of information security risk being unable to make the best business decisions regarding network security. This chapter offers an overview of the entire field of information security and of how that broader field influences current trends in network security.

What Is Information Security?

Information security (InfoSec) is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.1To protect information and its related systems, each organization must implement controls such as policy, awareness training, security education, and technical controls. These security controls are organized into topical areas, and any successful organization will be able to integrate them into a unified process that encompasses the following:

● Network security—The protection of networking components, connections, and con-tents (the broader topic within which this textbook falls)

● Physical security—The protection of the physical items, objects, or areas of an organi-zation from unauthorized access and misuse

● Personnel security—The protection of the people who are authorized to access the organization and its operations

● Operations security—The protection of the details of a particular operation or series of activities

● Communications security—The protection of an organization’s communications media, technology, and content

Modern information security has evolved from a concept known as the C.I.A. triangle. The

C.I.A. triangle, an industry standard for computer security since the development of the main-frame, is based on the three characteristics of information that make it valuable to organiza-tions: confidentiality, integrity, and availability. These three characteristics of information are as important today as they have always been, but the model of the C.I.A. triangle no longer adequately addresses the constantly changing environment of the information technology (IT) industry. The current environment has many emerging and constantly evolving threats. These threats may be accidental or intentional. The resulting losses may be from damage or destruc-tion to IT systems or data, or they may involve theft, unintended or unauthorized modifica-tion, or any one of the many other ways that IT systems can experience loss. This has prompted the expansion of the C.I.A. triangle into a more robust model that addresses the complexities of the current information security environment. This expanded list of critical characteristics of information is described in the next section.

Critical Characteristics of Information

The value of information comes from the characteristics it possesses. A change to one of the characteristics of information changes the value of that information. The value either increases or, more commonly, decreases. Although information security professionals and end users

Critical Characteristics of Information 3

(8)

have the same understanding of the characteristics of information, tensions can arise when the need to secure the confidentiality or integrity of information conflicts with the end users’need for unhindered access to the information (availability). The following are some of the impor-tant characteristics of information you should know when discussing the security and integrity of information2:

● Availability—The information is accessible by authorized users (persons or computer systems) without interference or obstruction, and they receive it in the required format.

● Accuracy—Information is free from mistakes or errors, and it has the value that the end user expects.

● Authenticity—The information is genuine or original rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

● Confidentiality—The information is protected from disclosure or exposure to unauthorized individuals or systems. This means that only those with the rights and privileges to access information are able to do so. To protect against a breach in the confidentiality of information, a number of measures can be used:

● Information classification

● Secure document storage

● Application of general security policies

● Education of information custodians and end users

● Integrity—The information remains whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.

● Utility—The information has value for some purpose or end. To have utility, informa-tion must be in a format meaningful to the end user. For example, U.S. Census data can be overwhelming and difficult to understand; however, when properly interpreted, it reveals valuable information about the voters in a district, what political parties they belong to, their race, gender, age, and so on.

● Possession—The information object or item is owned or controlled by somebody. Information is said to be in one’s possession if one obtains it, independent of format or other characteristics.

CNSS Security Model

(9)

various areas that must be addressed to secure today’s information systems. For example, the cell that represents the intersection of technology, integrity, and storage calls for a control or safeguard that addresses the need to use technology to protect the integrity of information while it is in storage. One such control is a system for detecting host intrusion that protects the integrity of information by alerting the security administrators to the potential modifica-tion of a critical file. What is commonly left out of a model like the McCumber Cube is the need for guidelines and policies that provide direction for the practices and implementations of technologies. The need for policy is a critical element for all organizations, and you will find that it is mentioned frequently throughout this textbook.

Balancing Information Security and Access

Even with the best efforts of planning and implementation, it is not possible to achieve per-fect information security. Information security is a process, not an end state. Information security must balance protection of information and information assets with the availability of that information to its authorized users. It is possible to permit access to a system so that it is available to anyone, anywhere, anytime, through any means—that is, maximum avail-ability. However, this poses a danger to both the confidentiality and the integrity of the information. On the other hand, to achieve the maximum confidentiality and integrity found in a completely secure information system would require that the system not allow access to anyone.

To achieve balance—that is, to operate an information system that meets the high level of availability sought by system users as well as the confidentiality and integrity needs of system owners and security professionals—the level of security must allow reasonable access, yet protect against threats. An imbalance between access and security often occurs when the accessibility needs of the end user fall short due to requirements for protecting the informa-tion or when security has been neglected to improve accessibility. Both sides in this trade-off must exercise patience and cooperation when interacting with the other, as both should rec-ognize that they have the same overall goal—to ensure that the data is available when, where, and how it is needed, with minimal delays or obstacles. Using the principles of infor-mation security, it is possible to address that level of availability, even with consideration of the concerns for loss, damage, interception, or destruction.

Policy Education Technology

Confidentiality

Integrity

Availability

Policy Education Technology

Storage Processing Transmission Confidentiality

Integrity

Availability

Storage Processing Transmission

Figure 1-1 The McCumber Cube

Critical Characteristics of Information 5

(10)

Business Needs First

Information security performs these four important organizational functions:

1. Protects the organization’s ability to function

2. Enables the safe operation of applications implemented on the organization’s IT systems 3. Protects the data the organization collects and uses

4. Safeguards the technology assets in use at the organization

Protecting the Functionality of an Organization

Both general management

and IT management are responsible for implementing information security to protect the organization’s ability to function. Although many managers shy away from addressing information security because they perceive it to be a technically complex task, information security has more to do with management than with technology. Just as managing payroll has more to do with management than with mathematical wage computations, managing information security has more to do with policy and enforcement of policy than with the technology of its implementation.

Enabling the Safe Operation of Applications

Organizations are under immense

pressure to acquire and operate integrated, efficient, and capable information systems. They need to safeguard applications, particularly those that serve as important elements of the infra-structure of the organization, such as operating system platforms, electronic mail (e-mail), instant messaging (IM), and all the other applications that make up the current IT environment.

Protecting Data That Organizations Collect and Use

Almost all organizations

rely on information systems to support their essential functions. Even if a transaction is not online, information systems and the data they process enable the creation and movement of goods and services. Therefore, protecting data in motion, data at rest, and data while it is being processed is a critical aspect of information security. The value of data motivates attack-ers to steal, sabotage, or corrupt it. An effective information security program directed by man-agement is essential to the protection of the integrity and value of the organization_’s data.

Safeguarding Technology Assets in Organizations

To perform effectively,

orga-nizations must provide secure infrastructure services to meet the needs of the enterprise. In general, as the organization’s network grows to accommodate changing needs, it may need more robust technology solutions. An example of a robust solution is a firewall, a device that keeps certain kinds of network traffic out of the internal network. Another example is caching network appliances, which are devices that store local copies of Internet content, such as Web pages that employees frequently refer to. The appliance displays the cached pages to users rather than accessing the pages on the remote server each time.

Security Professionals and the Organization

(11)

also needed to develop and execute specific security policies and procedures, and technical expertise is needed to implement the details of the information security program.

We will now describe the various professional positions that are involved in a typical organi-zation’s information security.

Thechief information officer (CIO)is often the senior technology officer. Other titles, such as vice president (VP) of information, VP of information technology, or VP of systems, may be used. The CIO is primarily responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization.

The chief information security officer (CISO) is the individual primarily responsible for the assessment, management, and implementation of information security in the organization. The CISO may also be referred to as the manager for IT security, the security administrator, information security officer (ISO), chief security officer (CSO), or by a similar title. The CISO usually reports directly to the CIO, although in larger organizations it is not uncommon for one or more layers of management to exist between the two.

The information securityproject team consists of a number of individuals experienced in one or more facets of the vast array of required technical and nontechnical areas. Many of the same skills needed to manage and implement security are also needed to design it. Members of the security project team assume the following roles:

● Champion—A senior executive who promotes the project and ensures that it is sup-ported, both financially and administratively, at the highest levels of the organization.

● Team leader—An individual, perhaps a departmental line manager or a staff unit manager, who understands project management, personnel management, and infor-mation security technical requirements.

● Security policy developers—Individuals who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.

● Risk assessment specialists—Individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.

● Security professionals—Specialists in all aspects of information security, both technical and nontechnical.

● Systems, network, and storage administrators—Individuals with the primary responsi-bility for administering the systems, storage, and networks that house and provide access to the organization’s information.

● End users—Those who will be most directly affected by new implementations and changes to existing systems. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge will help the team focus on realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.

Data Management

Every information asset and piece of data used by the organization was developed by someone for a particular purpose. The use of that data involves three categories of data managers, whose very specific responsibilities with regard to the protection and use of that data are as follows:

Security Professionals and the Organization 7

(12)

● Data owners—Data owners own the data and are responsible for the security and use of a particular set of information. They are usually members of senior management and are usually business division managers. Data owners are responsible for determin-ing who can access the data, and under what circumstances. Data owners work with data custodians to oversee the day-to-day administration of the data.

● Data custodians—Data custodians work directly with data owners and are responsible for the storage, maintenance, and protection of the information. Depending on the size of the organization, the custodian may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific practices and procedures specified in the security policies and plans, and reporting to the data owner.

● Data users—Data users are those in the organization who are allowed by the data owner to access and use the information to perform their daily jobs supporting the mission of the organization. Data users therefore share the responsibility for data security.

Key Information Security Terminology

In order to effectively support any information security effort, including the design, implemen-tation, and administration of an effective perimeter defense, the security professional must be familiar with certain common terms.

Threats and Attacks

In general, athreatis a category of object, person, or other entity that poses a potential risk of loss to an asset—that is, the organizational resource that is being protected. Examples of threats are presented later in this chapter.

Anasset is anything that has value for the organization. It can be physical, such as a person, computer system, or other tangible object. Alternatively, an asset can be logical, such as a computer program, a Web site, or a set of information. Anattack is an intentional or unin-tentional action that could represent the unauthorized modification, damage, or loss of an information asset. Some common attacks are presented later in this chapter.

(13)

Vulnerabilities and Exploits

A threat agent is a specific instance of a general threat. As an example, an act of electronic trespass could be considered a general threat, whereas the threat agent would be a particular hacker. The threat agent exploits vulnerabilities in the controls that protect an asset. A vul-nerability is a weakness or fault in the mechanisms that are intended to protect information and information assets from attack or damage. Vulnerabilities that have been examined, documented, and published are referred to as well-known vulnerabilities. Some vulnerabil-ities are latent, however, and thus are not revealed until they are later discovered.

There are two common uses of the term _“exploit” in security. One use is for when threat agents attempt to exploit a system or information asset. For example, we may say a hacker exploits a known flaw in a program to complete a successful attack. The other use is for the specific recipe that an attacker creates to formulate an attack. For example, we might say that an elite hacker has posted an exploit for a new vulnerability on a Web site, thus allowing some script kiddies to make attacks otherwise beyond their skill level. Defenders try to prevent attacks by applying controls, safeguards, or countermeasures. These terms, all synonymous, refer to security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and generally improve the security within an organization.

Risk

Risk is the state of being unsecure, either partially or totally, and thus susceptible to attack, as in _“at risk._” Risk is usually described in terms of likelihood, which is the possibility or probability of unwanted action on an information asset. This is usually a concern for the loss, damage, unwanted modification, or disclosure of information assets. Dealing with risk is the task ofrisk management, which involves risk identification, risk assessment or analysis, and risk control. All organizations must live with some level of risk. The amount of risk an organization chooses to live with is called its risk appetite or risk tolerance. The amount of risk that remains after an organization takes precautions, implements controls and safe-guards, and performs other security activities is termedresidual risk.

Organizations control risk by implementing options from among the following four major strategies:

● Self-protection

—Applying safeguards that eliminate or reduce the remaining uncontrolled risks. This is the main task of the information security professional: implementing effec-tive controls to reduce risk. These steps are most often preveneffec-tive in nature.

● Risk transfer

—Shifting the risk to other areas or to outside entities, such as insurance companies or security management firms.

Hacker using a computer as the subject of an attack

Hacker request Stolen information

Remote system that is the object of an attack Internet

Figure 1-2 Computer as the Subject and Object of an Attack

Key Information Security Terminology 9

(14)

● Self-insurance or acceptance—Understanding the consequences and acknowledging the risk without attempting to control or mitigate it. Acceptance is a viable solution only if the organization has evaluated the risk and determined that the implementation of additional controls or strategies is not justified, due to cost or other organizational issues. Another aspect of this strategy involves reducing the impact should an attacker successfully exploit the vulnerability. This reduction in impact is done through the implementation of Incident Response, Disaster Recovery, and Business Continuity plans.

● Avoidance—Not engaging in certain types of activities to avoid the risk that those activities might bring with them. For example, a company that sells products using a catalog and mail-order model may choose not to engage in e-commerce because it wants to avoid the risks from operating an online business-to-consumer Web presence. If a company wanted to avoid the risks of handling credit card transactions, it might avoid that part of an e-commerce application by outsourcing it to another business entity, perhaps a bank or an online payment service.

Security Perimeter and Defense in Depth

An organization will often create a network security perimeter, which defines the boundary between the outer limit of an organization’s security and the beginning of the outside network. A security perimeter attempts to protect internal systems from outside threats, as pictured in Figure 1-3. Unfortunately, the perimeter does not protect against internal attacks from employee threats or on-site physical threats. There can be both an electronic security perimeter, usually at the organization’s exterior network or Internet connection, and a physical security perimeter, usually at the gate to the organization’s offices. Both require forms of perimeter security.

Security perimeters may be implemented in multiple layers, with graduations in the level of secu-rity; they may also be implemented using multiple technologies (see the discussion of defense in depth that follows). These efforts seek to separate the protected information from potential

Buffer or DMZ

External filtering router

Trusted network

Security perimeter Untrusted

network

Figure 1-3 Security Perimeter

(15)

attackers. Within the established security perimeters, the organization may choose to set up security domains—that is, areas of trust within which users can freely communicate. In this approach, users with access to one system within a security domain have access to all systems within that particular domain. The security perimeter is an essential element of the overall secu-rity framework, and its implementation details are the core of the secusecu-rity blueprint. The key components of the perimeter include firewalls, DMZs, proxy servers, and intrusion detection systems. It should be noted that network endpoints are proliferating outside the usually defined perimeter. This includes mobile devices and remote computing solutions used by employees and business partners to gain increased availability to critical business data. This is a challenge to the traditional definition of an organization’s perimeter.4Enterprises must carefully consider how these new technologies can redefine the location of the perimeter.

One of the basic tenets of security architecture is the layered implementation of security. This layered approach is called defense in depth. To achievedefense in depth, an organization must establish multiple layers of security controls and safeguards, which can be organized into pol-icy, training and education, and technology, as per the CNSS model discussed earlier. While policy itself may not prevent attacks, it certainly prepares the organization to handle them; and coupled with other layers, it can deter attacks. This is true of training and education, which can also provide some defense against nontechnical attacks such as employee ignorance and social engineering. Social engineering occurs when attackers try to use social interaction with members of the organization to acquire information that can be used to make further exploits against information assets possible. It will be further discussed later in this chapter.

Technology is also implemented in layers, with detection equipment working in tandem with reaction technology, all operating behind access control mechanisms. Implementing multiple types of technology, thereby preventing one system’s failure from compromising the security of information, is referred to as redundancy. Redundancy can be implemented at a number of points throughout the security architecture, such as firewalls, proxy servers, and access controls. Figure 1-4 illustrates the concept of building controls in multiple, sometimes redundant layers. The figure shows the use of firewalls and intrusion detection systems (IDS) that use both packet-level rules (shown as the header in the diagram) and data content analysis (shown as 0100101011).

Header

0100101011

Network intrusion detection system External

filtering router

Internal filtering router Dual-homed host

Firewall

Trusted network Host IDS

Untrusted network

Figure 1-4 Defense in Depth

Key Information Security Terminology 11

(16)

Threats to Information Security

Around 500 B.C., the Chinese general Sun Tzu wrote a treatise on warfare, Art of War. It contains military strategies still studied by military leaders and students today. In one

of his most famous passages, Sun Tzu writes, “If you know the enemy and know

your-self, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”5 In the battle to protect informa-tion, you must know yourself_—that is, be familiar with the information to be protected, and the systems that store, transport, and process it. You must also know the enemy. To make sound decisions about information security, management must be informed about the various threats facing the organization, its people, applications, data, and informa-tion systems_—that is, the enemy.

As defined earlier, a threat poses a potential risk of loss to an asset_—that is, the organizational resource that is being protected. Threats use attacks on information to cause damage to or otherwise compromise the information and/or the systems that support it. To understand the wide range of threats that pervade the interconnected world, researchers have interviewed practicing information security personnel and examined information security literature on threats. While the categorizations may vary, threats are relatively well researched and, conse-quently, fairly well understood.

The Computer Security Institute (CSI) Computer Crime and Security Survey, the results of which are shown in Table 1-1, is a representative study that reveals how many organiza-tions have experienced the listed types of attack or misuse. As you can see, the line between threats and attacks is sometimes blurred, such as when a systems penetration also results in a loss of customer data. However, you can also see that a number of threats have been dominant for some time.

Type of Attack or Misuse

2009 2008 2007 2006 2005 2004 2003 2002 2001 2000 1999

Malware infection (renamed 2009)

64% 50% 52% 65% 74% 78% 82% 85% 94% 85% 90% Laptop or mobile

hardware theft or loss

42% 42% 50% 47% 48% 49% 59% 55% 64% 60% 69% Being fraudulently

represented as sender of phishing message (new category in 2007)

34% 31% 26%

Insider abuse of Net access or e-mail

30% 44% 59% 42% 48% 59% 80% 78% 91% 79% 97% Denial of service 29% 21% 25% 25% 32% 39% 42% 40% 36% 27% 31% Botswithin the organization

(new category in 2007)

23% 20% 21%

(17)

Financial fraud 20% 12% 12% 9% 7% 8% 15% 12% 12% 11% 14% access to PII or PHI due to all other causes access to IP due to all other causes (new Exploit of user’s social

network profile (new access to IP due to mobile device theft or

2009 2008 2007 2006 2005 2004 2003 2002 2001 2000 1999

Table 1-1 CSI/FBI Computer Crime and Security Survey (continues)

Threats to Information Security 13

(18)

Another approach to defining threat categories is the scheme shown in Table 1-2. This table

illustrates 12 categories that represent a clear and present danger to an organization_’s people, information, and systems.6Each organization must prioritize the dangers it faces, based on the particular security situation in which it operates, its organizational strategy regarding risk, and the exposure levels in which its assets operate. Keep in mind, while looking at Table 1-2, that many threats could be listed in more than one category. For example, an act of theft per-formed by a hacker would fall into the theft category, but because theft is often accompanied by defacement actions to delay discovery, it might also fall into the sabotage-or-vandalism category.

The TVA Triple

As part of risk management, mentioned earlier, the need to“know yourself” involves identi-fying and prioritizing your information assets, which is a complex process. The next step is identifying and prioritizing the threats to those assets. Finally, you need to identify the

vari-Type of Attack or Misuse

2009 2008 2007 2006 2005 2004 2003 2002 2001 2000 1999

Theft of or unauthorized access to PII or PHI due to mobile device theft or loss (new category in 2008)

6% 8%

Extortion or blackmail associated with threat of attack or release of stolen data (new category in 2009)

3%

The following categories were replaced or dropped in subsequent years.

Unauthorized access to information

29% 25% 32% 32% 37% 45% 38% 49% 71% 55% Theft/loss of customer/

employee data (new category in 2007)

17% 17%

System penetration 13% 13% 15% 14% 17% 36% 40% 40% 25% 30% Misuse of public Web

applications (new category in 2004)

11% 9% 6% 5% 10%

Theft/Loss of proprietary information

9% 8% 9% 9% 10% 21% 20% 26% 20% 25% Telecommunications fraud 5% 5% 8% 10% 10% 10% 9% 10% 11% 17% Sabotage 2% 4% 3% 2% 5% 21% 8% 18% 17% 13% Telecomm eavesdropping 6% 6% 10% 7% 14% Active wiretap 1% 1% 2% 1% 2%

Table 1-1 CSI/FBI Computer Crime and Security Survey (continued)

(19)

ous vulnerabilities that each threat poses to each asset. This gives you a _“TVA Triple_” of Threat-Vulnerability-Asset that you can use to prioritize your work, each vulnerability being expressed as the intersection of a particular threat and a particular asset. Here are the first three examples, which could be continued indefinitely:

T1-V1-A1_—Vulnerability 1 that exists between Threat 1 and Asset 1 T1-V2-A1_—Vulnerability 2 that exists between Threat 1 and Asset 1 T1-V1-A2_—Vulnerability 1 that exists between Threat 1 and Asset 2

These triples can be organized in a TVA worksheet, in preparation for adding the vulnerabil-ity and control information during risk assessment. Table 1-3, an example of such a work-sheet, shows the placement of assets along the horizontal axis, with the most important asset at the left. The prioritized list of threats is placed along the vertical axis, with the most important or most dangerous threat listed at the top. The resulting grid provides a convenient method for examining the_“exposure_”of the various assets, allowing for a simple vulnerabil-ity assessment. We now have a starting point for our efforts_—that is, addressing the highest prioritized TVA triple.

The next step in the risk management process is to examine whether or not the organization has sufficient controls to protect the assets in the triples from their corresponding threats, or at least mitigate the losses that may occur. Cataloging and categorizing these controls is the next step in the TVA worksheet. The final document becomes a valuable tool in planning the work effort in the security department.

Category of Threat Examples

1. Human error or failure Accidents, employee mistakes, or failure to follow established policies or procedures

2. Compromises to intellectual property Theft or unauthorized use of written documents, trade secrets, copyrights, trademarks, and patents, including software piracy 3. Espionage or trespass Unauthorized access and/or data collection, hacking

4. Information extortion Blackmail or information disclosure 5. Sabotage or vandalism Destruction of systems or information

6. Theft Illegal confiscation of equipment or information

7. Software attacks Malicious code or malware attacks, including viruses, worms, macros, denial-of-service, and Trojan horses

8. Forces of nature Fire, flood, earthquake, lightning, and electrostatic discharge 9. Deviations in quality of service ISP, power, or WAN service issues from service providers 10. Hardware failures or errors Equipment failure

11. Software failures or errors Bugs, code problems, unknown loopholes 12. Obsolescence Antiquated or outdated technologies

Table 1-2 Threats to Information Security7

Threats to Information Security 15

(20)

Other Ways to View Threats

In addition to viewing threats from the perspective of the assets being attached, we can view them from the following perspectives:

● Intellectual property—The control of ideas and innovation, known as intellectual property, or IP, is an important part of the value of assets that organizations control. When organizations use the intellectual property of others under licensing or other arrangements, they should be mindful of the rights of the owner of that intellectual property. Whether or not we pay for the right to use the ideas of others, we“should always include proper credit to the source.”8

● Software piracy—The most common IP breach; the unlawful use or duplication of software-based intellectual property

● Shoulder surfing—Observing another’s password by watching system login activities

● Hackers—Individuals who gain access to information or systems without explicit authorization, often illegally. Hackers are often described by the skill levels they possess, with so-called elite hackers being the most skilled

● Script kiddies—Hackers of limited skill who use expertly written software to attack a system ● Packet monkeys—Script kiddies who use automated exploits to engage in distributed

denial-of-service attacks

Asset 1 Asset 2 ... ... ... ... ... ... ... ... ... Asset n

Threat 1

Threat 2

...

Threat n

Priority of Controls

1 2 3 4 5 6

These bands of controls should be continued through all asset–threat pairs.

(21)

● Cracker—An individual who “cracks” (i.e., removes) software protection that is designed to prevent unauthorized duplication or use

● Phreaker—An individual who hacks the public telephone network to make free calls or disrupt services

● Hacktivist or cyberactivist—An individual who, sometimes working with others, interferes with or disrupts systems to protest the operations, policies, or actions of an organization or government agency

● Cyberterrorist—An individual who, sometimes working with others, hacks systems to conduct terrorist activities through a network or Internet pathway

● Malicious code,malicious software, ormalware

—Software components or programs

designed to damage, destroy, or deny service to the target systems; examples include:

● Computer viruses—Segments of code that perform malicious actions; examples include:

● macro virus

—A virus that is embedded in the automatically executing macro code common in word processors, spreadsheets, and database applications

● boot virus

—A virus that infects the key operating system files located in a computer’s boot sector

● worms—Malicious programs that replicate themselves constantly, without requiring another program to provide a safe environment for replication

● Trojan horses—Software programs that reveal their designed behavior only when activated

● back door,trap door, ormaintenance hook—A component in a system that allows the attacker to access the system at will, bypassing standard login controls

● Rootkit—A collection of software tools and a recipe used to gain control of a system by bypassing its legitimate security controls

● Power irregularities—Variations in the 120–volt, 60–cycle power provided to most businesses through a 15 or 20 amp circuit. Variations include:

● Spike—A momentary increase in power ● Surge—A prolonged increase in power ● Sag—A momentary drop in voltage level

● Brownout—A more prolonged drop in voltage level ● Fault—A complete loss of power for a moment ● Blackout—A lengthy loss of power

Attacks on Information Assets

As defined earlier, an attack is an act that takes advantage of a vulnerability to compromise a controlled system. A threat is brought closer to realization by a threat agent that attempts to damage or steal an organization_’s information or physical asset. Unlike threats, which are ever

Attacks on Information Assets 17

(22)

present, attacks occur through a specific act that may cause a potential loss. For example, the threat of damage from a thunderstorm is present during most of the summer in many places, but an attack and its associated risk of loss only exist for the duration of an actual thunderstorm. The following sections discuss each of the major types of attack used against controlled systems.

Malicious Code

Malicious codeincludes viruses, worms, Trojan horses, and active Web scripts that are executed with the intent to destroy or steal information. The state-of-the-art malicious code attack is the polymorphic (having many shapes), multivector (attacks in many ways) worm, which constantly changes the way it looks and then uses multiple attack vectors to exploit a variety of vulnerabil-ities in commonly used software. When malware is polymorphic, it is more difficult to detect and intercept. Likewise, when malware uses multiple attack vectors, it becomes more complicated and expensive to defend against. Table 1-4 outlines the six categories of attack vectors.

Compromising Passwords

There are a number of attacks that attempt to bypass access controls by guessing passwords. Their methods range from attempting to make educated guesses based on the background of the individual to guessing every possible combination of letters, numbers, and special characters. The most common password attacks are cracking, the brute force attack, and the dictionary attack.

Cracking

Attempting to guess a password is often calledcracking. A cracking attack is a

component of many dictionary attacks, which are discussed shortly. It is used when a copy of a system password file is obtained. The attacker then uses cracking techniques to search that file for a match. When a match is found, the password has been cracked.

Vector Description

IP scan and attack The infected system scans a random or local range of IP addresses and targets any of several vulnerabilities known to hackers or left over from previous exploits such as Code Red, Back Orifice, or PoizonBox.

Web browsing If the infected system has write access to any Web pages, it makes all Web content files (.html, .asp, .cgi, and others) infectious, so that users who browse to those pages become infected.

Virus Each infected machine infects certain common executable or script files on all the computers to which it has write access with virus code that can cause infection.

Unprotected shares Using vulnerabilities in file systems and the way many organizations configure them, the infected machine copies the viral component to all locations it can reach.

Mass mail By sending e-mail infections to recipients in the address book, the infected machine infects many users, whose mail-reading programs also automatically run the program and infect other systems.

Simple Network Management Protocol (SNMP)

By using the common passwords that were employed in early versions of this protocol, which was widely used for remote management of network and computer devices, the attacker program can gain control of a device.

(23)

Brute Force

The application of computing and network resources to try every possible combination of options for a password is called a brute force attack. Since this often involves repeatedly guessing passwords for commonly used accounts, it is sometimes called a password attack. If attackers can narrow the field of target accounts, they can devote more time and resources to attacking fewer accounts. That is one reason to change account names for common accounts from the manufacturer’s default.

While often effective against low-security systems, brute force attacks are often not useful against systems that have adopted the usual security practices recommended by manufac-turers. Controls that limit the number of attempts allowed per unit of elapsed time are very effective at combating brute force attacks. Defenses against brute force attacks are usually adopted early on in any security effort and are thoroughly covered in the SANS/FBI list of the 20 most critical Internet security vulnerabilities.9

Dictionary

Thedictionary attack, which is a variation on the brute force attack, narrows

the field by selecting specific target accounts and using a list of commonly used passwords (the dictionary) instead of random combinations. Organizations can use such dictionaries themselves to disallow passwords during the reset process and thus guard against easy-to-guess passwords. In addition, rules requiring additional numbers and/or special characters make the dictionary attack less effective. Another variant, called a rainbow attack, makes use of a precomputed hash using a time-memory tradeoff technique that uses a database of precomputed hashes from sequentially calculated passwords to look up the hashed password and read out the text version, with no brute force required.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)

In a denial-of-service (DoS) attack, the attacker sends a large number of connection or information requests to a target (see Figure 1-5). So many requests are made that the tar-get system cannot handle them along with other, legitimate requests for service. The system may crash, or it may simply be unable to perform ordinary functions. Adistributed denial-of-service

In a denial-of-service attack, a hacker compromises a system and uses that system to attack the target computer, flooding it with more requests for services than the target can handle.

In a distributed denial-of-service attack, dozens or even hundreds of computers (known as zombies) are compromised, loaded with DoS attack software, and then remotely activated by the hacker to conduct a coordinated attack.

Figure 1-5 Denial-of-Service Attacks

(24)

(DDoS) launches a coordinated stream of requests against a target from many locations at the same time. Most DDoS attacks are preceded by a preparation phase in which many systems, per-haps thousands, are compromised. The compromised machines are turned into zombies (or

bots), machines that are directed remotely (usually by a transmitted command) by the attacker to participate in the attack. DDoS attacks are the most difficult to defend against, and there are presently no controls that any single organization can apply. There are, however, some coopera-tive efforts to enable DDoS defenses among groups of service providers. (Among them is the

“Consensus Roadmap for Defeating Distributed Denial of Service Attacks”.10) To use a popular metaphor, DDoS is considered a weapon of mass destruction on the Internet.11

Any system connected to the Internet that provides TCP-based network services (such as a Web server, an FTP server, or mail server) is a potential target for denial-of-service attacks. Note that in addition to attacks launched at specific hosts, these attacks can be launched against routers or other network server systems if these hosts enable (or turn on) other TCP services (e.g., echo). Even though such attacks make use of a fundamental element of the TCP protocol used by all systems, the consequences of the attacks may vary, depending on the system.12

Spoofing

Spoofing is a technique used to gain unauthorized access to computers, wherein the intruder sends messages to IP addresses that indicate to the recipient that the messages are coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers (see Figure 1-6) to make it appear that the packets are coming from that host.13 Newer routers and firewall arrangements offer protection against IP spoofing.

Man-in-the-Middle

In the well-knownman-in-the-middleattack, the attacker monitors (or sniffs) packets from the network, modifies them using IP spoofing techniques, and then inserts them back into the net-work, which allows the attacker to eavesdrop as well as change, delete, reroute, add, forge, or divert data.14 _{In a variant attack, the spoofing involves the interception of an encryption key} exchange, which enables the hacker to act as an invisible man-in-the-middle_—that is, an

(25)

dropper—in encrypted exchanges. Figure 1-7 illustrates these attacks by showing how a hacker uses public and private encryption keys to intercept messages.

E-Mail Attacks

A number of attacks focus on the use of e-mail to deny service to the user (a form of denial of service), to exploit the inexperience of the user, or to trick the user into installing back doors or viruses. In general, e-mail is the vehicle for attacks rather than the attack itself. However, there are also specific e-mail attacks, which are described next.

Spam

Spam, or unsolicited commercial e-mail, has been used as a means to make mali-cious code attacks more effective. In some cases, malimali-cious code is embedded in MP3 files that are included as attachments to spam.15 _{The most significant impact of spam, however,} is the waste of both computer and human resources. Many organizations attempt to cope with the flood of spam by using filtering technologies to stem the flow. Other organizations simply tell users of their mail systems to delete unwanted messages.

Mail Bombing

Amail bombis an e-mail attack in which the attacker routes large

quanti-ties of e-mail to the target system. This can be accomplished through social engineering (to be discussed shortly) or by exploiting various technical flaws in the Simple Mail Transport Pro-tocol. The target of the attack receives unmanageably large volumes of unsolicited e-mail. By sending large e-mails with forged header information, attackers can take advantage of poorly configured e-mail systems and trick them into sending many e-mails to an address chosen by the attacker. If many such systems are tricked into participating in the event, the target e-mail address is buried under thousands or even millions of unwanted e-mails.

Sniffers

Asnifferis a program or device that can monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information from a network. Unauthorized sniffers can be extremely dangerous to a network’s security,

(1) Company A attempts to establish an encrypted session with Company B.

(2) Hacker intercepts transmission, and poses as Company B. Hacker exchanges his own keys with Company A. Hacker then establishes a session with Company B, posing as Company A.

(3) Company B sends all messages to the hacker who receives, decrypts, copies, and forwards copies (possibly modified) to Company A.

Figure 1-7 Man-in-the-Middle Attack

(26)

because they are impossible to detect and can be inserted almost anywhere. This makes them a favorite weapon in the hacker’s arsenal. Sniffers often work on TCP/IP networks, where they are sometimes referred to as packet sniffers.16Sniffers add risk to the network, because many systems and users send information on local networks in clear text. A sniffer program shows all the data going by, including passwords, the data inside files (such as word-processing documents), and screens full of sensitive data.

Social Engineering

Within the context of information security, social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker. This can be done in several ways and usually involves the perpetrator posing as a person higher in the organizational hierarchy than the victim. To prepare for this false repre-sentation, the perpetrator may have used social engineering against others in the organization by collecting seemingly unrelated information that, when used together, makes the false representation more credible. For instance, anyone can call the main switchboard of a com-pany and get the name of the CIO, but an attacker may find it just as easy to get even more information by calling others in the company and asserting his or her (false) authority by mentioning the CIO_’s name. Social engineering attacks may involve individuals posing as new employees or as current employees desperately requesting assistance to avoid getting fired. Sometimes, attackers threaten, cajole, or beg in order to sway the target.

An example of a social engineering attack is the so-called Advance Fee Fraud (AFF), which is known internationally as the “4-1-9” fraud (named after a section of the Niger-ian penal code). The perpetrators of 4-1-9 schemes often use fictitious companies, such as the Nigerian National Petroleum Company. Alternatively, they may invent other entities, such as a bank, a government agency, or a nongovernmental organization such as a lot-tery corporation. This scam is notorious for stealing funds from gullible individuals, first by requiring them to send money up-front in order to participate in a proposed money-making venture, and then by charging an endless series of fees. These 4-1-9 schemes have even been linked to kidnapping, extortion, and murder; and they have, according to the United States Secret Service, bilked over $100 million from unsuspecting Ameri-cans lured into disclosing personal banking information.

The infamous hacker Kevin Mitnick once stated:_“People are the weakest link. You can have the best technology, [then] somebody call[s] an unsuspecting employee. That’s all she wrote, baby. They got everything.”17

Buffer Overflow

Abuffer overflowis an application error that occurs when more data is sent to a buffer than it can handle. During a buffer overflow, the attacker can make the target system execute instructions, or the attacker can take advantage of some other unintended consequence of the failure. Sometimes, this is limited to a denial-of-service attack, when the attacked system crashes and is (until it’s restarted) unavailable to users. In either case, data on the attacked system loses integrity.18 In 1998, Microsoft revealed that it had been vulnerable to a buffer overflow problem, as described here:

(27)

can be executed on the computer. This maneuver, known as a buffer overrun, is just about the oldest hacker trick in the book. Tack some malicious code (say, an executable version of the Pentium-crashing FooF code) onto the end of the URL, and you have the makings of a disaster.19

Running Case: Connecting the Dots

Mike Edwards, Jr. looked across the table at Alex Truman, IT manager for Data Mart.

“And that’s how you build a comprehensive security program, including an effective perime-ter defense,”he told Alex after several hours of explaining.

“Wow,”Alex said, leaning back in his chair. “I thought I understood the terminology, but I never realized it was so complicated. You’ve laid everything out so well, I think I now under-stand why we’re in such trouble.”

Mike smiled.“That’s what you pay us for, to help connect the dots.”

“So where do we start?”Alex laughed.

“We’ll start with risk management—identifying your information assets, and then looking at the threats to those assets. Then we’ll look for vulnerabilities in those assets that could be attacked by those threats.”

“Ah!”Alex nodded.“That I understand.”

Chapter Summary

■ Firewalls and network security have become essential components for securing the

sys-tems that businesses use to run their day-to-day operations. Before learning how to plan, design, and implement firewalls and network security, it is important to under-stand the larger issue of information security.

■ Information security is the protection of information and its critical elements, including

the systems and hardware that use, store, and transmit that information. The C.I.A. triangle is based on the confidentiality, integrity, and availability of information and the systems that process it.

■ The value of information comes from the characteristics it possesses. When a

charac-teristic of information changes, the value of that information either increases or, more commonly, decreases.

■ The CNSS security model is known as the McCumber Cube and was created by John

McCumber in 1991. It provides a graphical description of the architectural approach widely used in computer and information security.

■ Securing information and its systems entails securing all components and protecting them from potential misuse and abuse by unauthorized users. When considering the security of information systems components, it is important to understand that a com-puter can be the subject of an attack or the object of an attack. There are also two types of attacks: direct attacks and indirect attacks.

Chapter Summary 23

(28)

■ Information security cannot be an absolute: it is a process, not a goal. Information secu-rity should balance protection and availability. To achieve balance—that is, to operate an information system to the satisfaction of the user and the security professional—the level of security must allow reasonable access, yet protect against threats.

■ Information security performs four important organizational functions: protecting

the organization’s ability to function, enabling the safe operation of applications implemented on the organization’s IT systems, protecting the data the organization collects and uses, and safeguarding the technology assets in use at the organization.

■ It takes a wide range of professionals to support the information security program:

senior managers, system administrator support, and technical experts.

■ A threat is an object, person, or other entity that represents a constant danger to an

asset. Threats to information security fall into 12 categories: (1) human error or fail-ure, (2) compromises to intellectual property, (3) espionage or trespass, (4) information extortion, (5) sabotage or vandalism, (6) theft, (7) software attacks, (8) forces of nature, (9) deviations in quality of service, (10) hardware failures or errors, (11) soft-ware failures or errors, and (12) obsolescence.

■ An attack is an act that takes advantage of a vulnerability to compromise a controlled system. A vulnerability is an identified weakness in a controlled system. Attacks occur as a specific act that may cause a potential loss. There are major types of attacks, including: malicious code, back doors, password cracking, denial-of-service (DoS) and distributed denial-of-service (DDoS), spoofing, man-in-the-middle, spam, mail bomb-ing, sniffers, social engineerbomb-ing, buffer overflow, and timing attacks.

■ In order to most effectively secure its networks, an organization must establish

a functional and well-designed information security program in the context of a well-planned and fully defined information policy and planning environment. The creation of an information security program requires information security policies, standards and practices, an information security architecture, and a detailed infor-mation security blueprint.

Review Questions

1. What is the difference between a threat agent and a threat?

2. What is the difference between vulnerability and exposure?

3. What is a hacker? What is a phreaker?

4. What are the three components of the C.I.A. triangle? What are they used for?

5. If the C.I.A. triangle no longer adequately addresses the constantly changing environ-ment of the information technology industry, why is it still commonly used in security?

6. Who is ultimately responsible for the security of information in an organization?

7. What does it mean to discover an exploit? How does an exploit differ from a vulnerability?

(29)

9. It is important to protect data in motion (transmission) and data at rest (storage). In what other state must data be protected? In which of the three states is data most dif-ficult to protect?

10. How does a threat to information security differ from an attack? How can the two overlap?

11. List the vectors that malicious code uses to infect or compromise other systems. Which of these do you think is the one most commonly encountered in a typical organization?

12. Why do employees constitute one of the greatest threats to information security?

13. What measures can individuals take to protect against shoulder surfing?

14. What is the difference between a skilled hacker and an unskilled hacker (other than the lack of skill)? How might the defenses you create against each differ?

15. What is malware? How do worms differ from viruses? Do Trojan horses carry viruses or worms?

16. Why does polymorphism cause greater concern than traditional malware? How does it affect detection?

17. What is the most common way that intellectual property is violated? How does an organization protect against it?

18. What are the various forces of nature? Which type would be of greatest concern to an organization based in Las Vegas? Oklahoma City? Miami? Los Angeles?

19. How does obsolescence constitute a threat to information security? How can an organi-zation protect against it?

20. What are the most common types of password attacks? What can a systems administra-tor do to protect against them?

21. What is the difference between a of-service (DoS) attack and a distributed denial-of-service (DDoS) attack? Which is potentially more dangerous and devastating? Why?

22. For a sniffer attack to succeed, what must the attacker do? How can an attacker gain access to a network to use the sniffer system?

23. What is a buffer overflow, and how is it used against a Web server?

Real World Exercises

1. Assume that a security model is needed for the protection of information in your class. Using the CNSS model (McCumber Cube), write a brief statement on how you would address the three components represented in each cell.

2. Consider the most important item among all the categories of information stored on your personal computer. As it applies to that item of information (your information asset), identify an example of a corresponding threat, threat agent, vulnerability, exposure, risk, attack, and exploit.

Real World Exercises 25

(30)

3. Using the Web, identify the chief information officer, chief information security officer, and one systems administrator for your school. Which of these individuals represents the data owner? Data custodian?

4. Using the Web, find out who Kevin Mitnick is. What did he do? Who caught him? Write a short summary of his activities and why he is infamous.

5. If a hacker hacks into a network, copies a few files, defaces the Web page, and steals credit card numbers, identify the different threat categories encompassed by this attack.

6. The chapter discussed many threats to information security. Using the Web, find at least two other sources of information on threats.

Hands-On Projects

Project 1-1 Getting to Know Your Web Browser:

Internet Explorer

Throughout this text, if not your entire academic and professional career, you will be using a Web browser with some expectation of protection. But how well configured is your Web browser? This project shows you how to look at your browser_’s security configurations.

Internet Explorer (IE) uses a number of settings to manage your security profile. One of the areas of configuration setting inside IE are Security Zones, which enable users to define sites they know to be safe as well as sites they know to be unsafe. It is possible to define lists of approved and/or disapproved sites, ones that are unique to a user_’s local network or intranet, as well as more general Internet (or external) sites. Other settings that can be configured include the acceptable encryption level, how cookies are used and/or stored, and a content rating system called Content Advisor. How you set them is up to you.

System Configuration: For this exercise, you need a computer with a version of Microsoft Internet Explorer installed. (Note: Versions will vary slightly since updates are released frequently.) This example uses I.E. 8.0.

1. Open an Internet Explorer window. ClickTools,Internet Options, and then click the

Securitytab. You see four distinct security zones listed. The Internet zone is the default for all sites not found in other zones. The Local intranet zone is for local network sites and files. The Trusted sites zone is for sites that the user explicitly defines, normally vis-ited frequently and needing ActiveX controls or Flash animation, and so on. Finally, the Restricted sites zone is for sites that are known to have pop-up animations and win-dows, may contain malicious or corrupt content, and so on. These are also defined by the individual user. For each zone, there is a default level and a custom level. Browse through the various icons and options.

(31)

3. Click theAdvancedbutton. Click theOverride automatic cookie handlingcheck box. You see the following three options: Accept, Block, or Prompt for each of the two classes of cookies (first-party and third-party).“First-party cookies”are cookies from the actual target domain, and“third-party cookies”are from any other domain. You may also choose an option to always allow“session cookies.”Session cookies are not stored on your hard drive, whereas persistent cookies are. Now, clickOK, and then clickOKagain. 4. In the open Internet Explorer window, clickTools, Internet Options, and then click the

Contenttab. The first area is labeled Content Advisor. Click theEnablebutton. You see a screen describing various categories and ratings. ClickCanceltwice to exit Content Advisor and restore the computer to its original settings.

5. If needed, close all windows. (Note: You may want to turn off the Content Advisor or the next person who uses this computer may not be able to access the Microsoft site!)

Project 1-2 Getting to Know Your Web Browser: Firefox

Now that you’ve examined IE, it’s time to look at another popular Web browser: Firefox. Firefox has a number of features that can be customized to increase the security of the browser. By default it is a very secure application. However, misconfiguration can reduce the application’s security. There are a number of options in Firefox. Here, we will focus on those with a security impact.

System Configuration: For this exercise, you need a computer with a version of Mozilla’s Firefox installed. (Note: Versions may vary slightly since updates are released frequently.) This example uses Firefox 3.6.13.

1. Open Firefox by clicking Start,All Programs,Mozilla Firefox, and thenMozilla Firefox

again. Then open the Options menu by selectingTools,Options.

2. Open the Content tab by clicking theContenticon at the top of the Options window. To prevent pop-up windows, check theBlock pop-up windowsbox. (Note: I may be checked by default.) Other important boxes to have checked are:

● Load images automatically

● Enable JavaScript—If you are concerned about a problem similar to Active

X malware, Firefox works differently with JavaScript and is inherently more secure.

● Enable Java

3. Click the Exceptionsbutton next to the Load images automatically option. Review the options contained here, and then clickClose. Click theAdvancedbutton to the right of Enable JavaScript. This reveals additional configuration options.

4. Uncheck theDisable or replace context menusoption to prevent Web pages from disabling or changing the Firefox context menu. Click OKto continue.

5. Open the Privacy tab by clicking thePrivacyicon at the top of the Options window. For shared computers, it is important to uncheck these options under the History section:

● Remember download history ● Remember search and form history ● Accept cookies from sites

Note: You can also set this option to:

● Keep until:SelectI close Firefox

Hands-On Projects 27