Glossary of Security Terms

Get answers and get informed with our Glossary of Information Security Industry Terms.

The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security goals: integrity, availability, and confidentiality. The following list provides a brief description of each security goal and the consequence (or impact) of its not being met.

System and data integrity refers to the requirement that information be protected from improper modification. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental acts. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. Also, violation of integrity may be the first step in a successful attack against system availability or confidentiality. For all these reasons, loss of integrity reduces the assurance of an IT system.

If a mission-critical IT system is unavailable to its end users, the organization’s mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users’ performance of their functions in supporting the organization’s mission.

System and data confidentiality refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from the jeopardizing of national security to the disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization.

Malware – short for malicious software – refers to any malicious or unexpected program or code such as viruses, Trojans, and droppers. Not all malicious programs or code are viruses. Viruses, however, make up the majority of all known malware to date (counting worms among them). The other major types of malware are Trojans, droppers, and kits.

Due to the many facets of malicious code or a malicious program, referring to it as malware helps to avoid confusion. For example, a virus that also has Trojan-like capabilities can be called malware.

Spyware refers to programs that gather information about a person or organization and relay the information to advertisers or other interested parties. Installation, tracking, and relaying typically are done without user consent or knowledge. Spyware can be legitimate or malicious in intent, and it includes keyloggers, screen capturers, event loggers, and data miners.

Grayware is an industry term used to describe a broad range of spyware and other unwanted applications, such as adware, dialers, joke programs, remote access programs, hacking tools, browser hijackers, password crackers, and so forth.

A Trojan is malware that performs unexpected or unauthorized, often malicious, actions. The main difference between a Trojan and a virus is that a Trojan cannot replicate. Trojans cause damage, unexpected system behavior, and compromise the security of systems, but they do not replicate. If a program replicates, it should be classified as a virus.

A Trojan, coined from Greek mythology’s Trojan horse, typically comes in good packaging but has some hidden malicious intent within its code. When a Trojan is executed, users will likely experience unwanted system problems in operation, and sometimes a loss of valuable data.

Programs that log “system events” for future viewing or relay to third parties.

Keyloggers can record every keystroke on a PC and steal passwords and other confidential information.

Cookies are text files, created on computers when visiting Web sites, that contain information on user browsing habits and allow Web sites to more precisely target advertisements or display customized information. Cookies are typically among the programs of least concern, especially those that have expiration dates, are tied to only one domain, track less sensitive information, and store information in encrypted form.

A computer virus is a program – a piece of executable code – that has the unique ability to replicate. Like biological viruses, computer viruses can spread quickly and are often difficult to eradicate. They can attach themselves to just about any type of file and are spread as files that are copied and sent from individual to individual.

In addition to replication, some computer viruses share another commonality: a damage routine that delivers the virus payload. While payloads may only display messages or images, they can also destroy files, reformat your hard drive, or cause other damage. If the virus does not contain a damage routine, it can cause trouble by consuming storage space and memory, and degrading the overall performance of your computer.

Several years ago most viruses spread primarily via floppy disk, but the Internet has introduced new virus distribution mechanisms. With email now used as an essential business communication tool, viruses are spreading faster than ever. Viruses attached to email messages can infect an entire enterprise in a matter of minutes, costing companies millions of dollars annually in lost productivity and clean-up expenses.

Viruses won’t go away anytime soon: more than 2,000,000 have been identified, and 400 new ones are created every month, according to the International Computer Security Association (ICSA). With numbers like these, it’s safe to say that most organizations will regularly encounter virus outbreaks. No one who uses computers is immune to viruses.

Life Cycle of a Virus: The life cycle of a virus begins when it is created and ends when it is completely eradicated. The following outline describes each stage:

  • Creation: Until recently, creating a virus required knowledge of a computer programming language. Today anyone with basic programming knowledge can create a virus. Typically, individuals who wish to cause widespread, random damage to computers create viruses.
  • Replication: Viruses typically replicate for a long period of time before they activate, allowing plenty of time to spread.
  • Activation: Viruses with damage routines will activate when certain conditions are met, for example, on a certain date or when the infected user performs a particular action. Viruses without damage routines do not activate, instead causing damage by stealing storage space.
  • Discovery: This phase does not always follow activation, but typically does. When a virus is detected and isolated, it is sent to the ICSA in Washington, D.C., to be documented and distributed to antivirus software developers. Discovery normally takes place at least one year before the virus might have become a threat to the computing community.
  • Assimilation – Antivirus in Action: At this point, antivirus software developers modify their software so that it can detect the new virus. This can take anywhere from one day to six months, depending on the developer and the virus type.
  • Eradication: If enough users install up-to-date virus protection software, any virus can be wiped out. So far, no viruses have disappeared completely, but some have long ceased to be a major threat.

There are many things you can do to protect against malware. At the top of the list is using a powerful anti-malware product to scan all HTTP and HTTPS traffic in and out of your network. To learn more about offerings, and find out which solution is right for you, please view the interactive secure computing diagram. You may also visit the ICSA Web site for further suggestions.

An access control list represents the rule set for controlling access to devices, resources or networks.

The log of system events and activities generated by the operating system, for a security audit.

The Border Gateway Protocol (BGP) is an inter-Autonomous System routing protocol. The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems.

The border router is usually the first defense on the network perimeter of an enterprise. It frequently occupies the network connection just before the initial firewall, and provides filtering service for sanity checks on incoming (and outgoing) network packets.

Action(s) which prevent any part of an AIS from functioning in accordance with its intended purpose. Denial of service is a type of attack that consumes network or host resources and succeeds in denying those resources to legitimate users. Denial of service attacks usually do not represent a breach in security, but can inhibit the use of hosts or networks under attack. A distributed denial of service (DDoS) attack is a variation of the DoS attack. A DDoS uses a large number of distributed hosts in the attack to consume the resources of a host or network.

The DMZ is an area of a network between the border router and the perimeter defense device (firewall). The DMZ is often used for public servers and provides only limited protection to its hosts.

The domain name system translates host names into numerical IP (Internet Protocol) addresses which computers on the Internet use to communicate with each other. Resource records in the DNS directory are split into files called zones. Zones are kept on authoritative servers distributed all over the Internet, which answer queries according to DNS network protocol.

An email/network worm transmits itself via email or by exploiting network services. Unlike a virus, a worm usually does not damage the host computer but will co-opt its services to spread itself.

An email virus is a virus that is transmitted via email. It often requires the recipient to execute code on the target machine for infection to begin. The virus may co-opt the host’s mail system to spread itself. Unlike a worm, a virus will cause damage to the infected system.

A filter is a device such as a filtering router. A filter allows for the creation of ACLs to control access to devices, resources or networks. It is usually used to screen open ports, so that only valid data is allowed into, or out of, those ports.

Firewalk is a network auditing tool that attempts to determine what transport protocols a given gateway will pass. It is often used to determine if there are viable host machines on the other side of the firewall or router.

FTP is the user interface to the ARPANET standard File Transfer Protocol. The program allows a user to transfer files to and from a remote network site. It passes usernames and passwords as plaintext, and has a very poor security stance.

High risk implies that the problem identified will likely result in a compromise in the near future, that the problem identified may be taken advantage of by an adversary with a low skill level, or that the compromise will provide significant entry into the enterprise itself.

An informed test is a penetration test or vulnerability assessment in which the auditors have a good understanding of the system under test. Information about the system under test is provided by the customer. During a penetration test, an informed test simulates a knowledgeable attacker.

The technology concerned with monitoring computer systems in order to recognize signs of intrusions or policy violations. Pertaining to techniques that attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available on the network.

IP is the protocol on which the Internet is based. Devices using IP are addressed with an IP number.

A lame server is a (DNS) server which has been delegated a DNS zone but is not authoritative for that zone. A lame server can also be a server that claims to be authoritative for a DNS zone when it is not.

Low risk implies that it is unlikely that the problem identified will result in a compromise, or that the compromise will lead to a significant escalation of privileges.

Medium risk implies that the problem identified might result in a compromise, if the adversary has a good skill level and is determined, or if the compromise would easily lead into a higher level of intrusion.

A network device is a device that provides network services. These services could include network switching, routing and filtering. Network devices can also include dedicated HTTP, FTP, printing and file servers. Network devices do not usually support users in the same sense that a host would.

A network topology represents the configuration and connections of a network. It is often represented graphically as a network map.

Nslookup sends queries to Internet domain name servers. It has two modes: interactive and non-interactive. Interactive mode allows the user to contact servers for information about various hosts and domains or to display a list of hosts in a domain. Non-interactive mode is used to display just the name and requested information for a host or domain.

The portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users. A penetration test is similar in scope to a vulnerability assessment but is usually more aggressive in its efforts to simulate an attack.

The technique of securing a network by controlling access to all entry and exit points of the network. It is usually associated with firewalls and/or filters.

A perimeter defense is a network’s first line of defense in its connection to an untrusted network (such as the Internet). This often consists of a firewall or filtering router.

The entity from the external environment that is taken to be the cause of a risk. It is an entity in the external environment that performs an attack, e.g. a hacker.

The POP protocol is used to transfer mail saved for a user to the user’s computer. Versions 3 and 2 of this protocol are most commonly used.

An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the network layer. A router is a device that directs network traffic whose destination is beyond the local network. Through the use of various routing protocols like BGP, OSPF and RIP, a router can determine the most advantageous route for the data.

The technology concerned with scanning computer systems and networks in order to find security vulnerabilities. Nessus, nmap and strobe are all well known scanners.

A search through a computer system for security problems and vulnerabilities. A security audit is a process that evaluates and assesses the security of a network, host or enterprise.

SMTP is a protocol used to transfer email from one host to another. Commands are in a human readable form. For example the VRFY command (if enabled) will verify the existence of a user mailbox on a host. The EXPN command will expand a mailbox alias to reveal the true recipient of an email.

Simple Network Management Protocol (SNMP) is a protocol for managing, monitoring, and configuring network devices such as routers, switches, printers and some hosts. Data is accessed by providing “community strings” which are similar in use to passwords.

Social Engineering: A computer criminal or vandal will use the easiest method to gain access to the desired data or machines. These methods may include pretending to be an employee who has forgotten a password, casually viewing passwords entered carelessly by authorized users, or other means where the natural trust of people is taken advantage of. These methods work just as well inside or outside the enterprise. A disgruntled employee using the account of his office mate to gain inappropriate access to data after hours can be just as dangerous as the corporate spy or computer vandal.

Spoof refers to fake or forged information or communications. For example, spoofed IPs or packets are network packets that are generated by one host but are forged with the IP address of another host.

Secure shell provides secure (encrypted) authentication and remote sessions. SSH is preferred above Telnet or RSH due to its security features. It uses either a host key, or a long pass phrase, or both, in its authentication mechanism.

Secure Sockets Layer is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that’s transferred over the SSL connection. It provides authentication and confidentiality to applications.

The telnet command is used to communicate with another host using the TELNET protocol. It is a part of the TCP/IP protocol, and operates entirely in clear text. This means that it is especially vulnerable to attackers, and can easily be subverted to an attacker’s purpose.

An apparently useful and innocent program containing additional hidden code, which allows the unauthorized collection, exploitation, falsification, or destruction of data. It is an executable program that is disguised as something innocuous such as a game, amusement, or common system command. Once executed it can install services or modify the system to allow an attacker access to the host. Examples of Trojans are Back Orifice, NetBus, and SubSeven.

A trust model represents the trust relationships between an organization or a network with other organizations or networks.

An upstream provider is an Internet Service Provider (ISP) that provides network connectivity and routing to the Internet through dedicated high-speed connections. An upstream provider usually provides access to one of the major Internet backbones, or is a major backbone provider.

Usenet is an online, public and distributed forum. Usenet consists of a large hierarchy of newsgroups. Archives of these newsgroups provide a wealth of information for the social engineer.

A virtual private network is a secure network in which data may traverse insecure or untrusted networks. The security of this network data is protected by encryption and authentication protocols. A VPN is often used to connect two private networks via an Internet connection.

Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

Whois searches for an Internet directory entry for an identifier which is either a name (such as “Smith”) or a handle (such as “SRI-NIC”). The default action, unless directed otherwise with a special name, is to do a very broad search, looking for matches to name in all types of records and most fields (name, nicknames, hostname, net address, etc.) in the database.