Security in Computing, 5_e - Charles P. Pfleeger.pdf



Security in Computing
FIFTH EDITION

Charles P. Pfleeger
Shari Lawrence Pfleeger
Jonathan Margulies

Upper Saddle River, NJ; Boston; Indianapolis; San Francisco; New York; Toronto; Montreal; London; Munich; Paris; Madrid; Capetown; Sydney; Tokyo; Singapore; Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.


Visit us on the Web: informit.com/ph

Library of Congress Cataloging-in-Publication Data
Pfleeger, Charles P., 1948-
Security in computing / Charles P. Pfleeger, Shari Lawrence Pfleeger, Jonathan Margulies. Fifth edition.
pages cm
Includes bibliographical references and index.
ISBN 978-0-13-408504-3 (hardcover : alk. paper)
ISBN 0-13-408504-3 (hardcover : alk. paper)
1. Computer security. 2. Data protection. 3. Privacy, Right of. I. Pfleeger, Shari Lawrence. II. Margulies, Jonathan. III. Title.
QA76.9.A25 P45 2015
005.8 dc23
2014038579

Copyright 2015 Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. To obtain permission to use material from this work, please submit a written request to Pearson Education, Inc., Permissions Department, One Lake Street, Upper Saddle River, New Jersey 07458, or you may fax your request to (201) 236-3290.

ISBN-13: 978-0-13-408504-3
ISBN-10: 0-13-408504-3
Text printed in the United States on recycled paper at Courier in Westford, Massachusetts.
First printing, January 2015

Executive Editor: Bernard Goodwin
Editorial Assistant: Michelle Housley
Managing Editor: John Fuller
Project Editor: Elizabeth Ryan
Copy Editor: Mary Lou Nohr
Proofreader: Linda Begley
Cover Designer: Alan Clements
Compositor: Shepherd, Inc.

To Willis Ware, a hero of computer security and privacy.

Contents

Foreword
Preface
Acknowledgments
About the Authors

Chapter 1 Introduction
  1.1 What Is Computer Security?
    Values of Assets
    The Vulnerability-Threat-Control Paradigm
  1.2 Threats
    Confidentiality
    Integrity
    Availability
    Types of Threats
    Types of Attackers
  1.3 Harm
    Risk and Common Sense
    Method-Opportunity-Motive
  1.4 Vulnerabilities
  1.5 Controls
  1.6 Conclusion
  1.7 What's Next?
  1.8 Exercises

Chapter 2 Toolbox: Authentication, Access Control, and Cryptography
  2.1 Authentication
    Identification Versus Authentication
    Authentication Based on Phrases and Facts: Something You Know
    Authentication Based on Biometrics: Something You Are
    Authentication Based on Tokens: Something You Have
    Federated Identity Management
    Multifactor Authentication
    Secure Authentication
  2.2 Access Control
    Access Policies
    Implementing Access Control
    Procedure-Oriented Access Control
    Role-Based Access Control
  2.3 Cryptography
    Problems Addressed by Encryption
    Terminology
    DES: The Data Encryption Standard
    AES: Advanced Encryption Standard
    Public Key Cryptography
    Public Key Cryptography to Exchange Secret Keys
    Error Detecting Codes
    Trust
    Certificates: Trustable Identities and Public Keys
    Digital Signatures
    All the Pieces
  2.4 Exercises

Chapter 3 Programs and Programming
  3.1 Unintentional (Nonmalicious) Programming Oversights
    Buffer Overflow
    Incomplete Mediation
    Time-of-Check to Time-of-Use
    Undocumented Access Point
    Off-by-One Error
    Integer Overflow
    Unterminated Null-Terminated String
    Parameter Length, Type, and Number
    Unsafe Utility Program
    Race Condition
  3.2 Malicious Code: Malware
    Malware: Viruses, Trojan Horses, and Worms
    Technical Details: Malicious Code
  3.3 Countermeasures
    Countermeasures for Users
    Countermeasures for Developers
    Countermeasure Specifically for Security
    Countermeasures that Don't Work
    Conclusion
    Exercises

Chapter 4 The Web-User Side
  4.1 Browser Attacks
    Browser Attack Types
    How Browser Attacks Succeed: Failed Identification and Authentication
  4.2 Web Attacks Targeting Users
    False or Misleading Content
    Malicious Web Content
    Protecting Against Malicious Web Pages
  4.3 Obtaining User or Website Data
    Code Within Data
    Website Data: A User's Problem, Too
    Foiling Data Attacks
  4.4 Email Attacks
    Fake Email
    Fake Email Messages as Spam
    Fake (Inaccurate) Email Header Data
    Phishing
    Protecting Against Email Attacks
  4.5 Conclusion
  4.6 Exercises

Chapter 5 Operating Systems
  5.1 Security in Operating Systems
    Background: Operating System Structure
    Security Features of Ordinary Operating Systems
    A Bit of History
    Protected Objects
    Operating System Tools to Implement Security Functions
  5.2 Security in the Design of Operating Systems
    Simplicity of Design
    Layered Design
    Kernelized Design
    Reference Monitor
    Correctness and Completeness
    Secure Design Principles
    Trusted Systems
    Trusted System Functions
    The Results of Trusted Systems Research
  5.3 Rootkit
    Phone Rootkit
    Rootkit Evades Detection
    Rootkit Operates Unchecked
    Sony XCP Rootkit
    TDSS Rootkits
    Other Rootkits
  5.4 Conclusion
  5.5 Exercises

Chapter 6 Networks
  6.1 Network Concepts
    Background: Network Transmission Media
    Background: Protocol Layers
    Background: Addressing and Routing
  Part I War on Networks: Network Security Attacks
  6.2 Threats to Network Communications
    Interception: Eavesdropping and Wiretapping
    Modification, Fabrication: Data Corruption
    Interruption: Loss of Service
    Port Scanning
    Vulnerability Summary
  6.3 Wireless Network Security
    WiFi Background
    Vulnerabilities in Wireless Networks
    Failed Countermeasure: WEP (Wired Equivalent Privacy)
    Stronger Protocol Suite: WPA (WiFi Protected Access)
  6.4 Denial of Service
    Example: Massive Estonian Web Failure
    How Service Is Denied
    Flooding Attacks in Detail
    Network Flooding Caused by Malicious Code
    Network Flooding by Resource Exhaustion
    Denial of Service by Addressing Failures
    Traffic Redirection
    DNS Attacks
    Exploiting Known Vulnerabilities
    Physical Disconnection
  6.5 Distributed Denial-of-Service
    Scripted Denial-of-Service Attacks
    Bots
    Botnets
    Malicious Autonomous Mobile Agents
    Autonomous Mobile Protective Agents
  Part II Strategic Defenses: Security Countermeasures
  6.6 Cryptography in Network Security
    Network Encryption
    Browser Encryption
    Onion Routing
    IP Security Protocol Suite (IPsec)
    Virtual Private Networks
    System Architecture
  6.7 Firewalls
    What Is a Firewall?
    Design of Firewalls
    Types of Firewalls
    Personal Firewalls
    Comparison of Firewall Types
    Example Firewall Configurations
    Network Address Translation (NAT)
    Data Loss Prevention
  6.8 Intrusion Detection and Prevention Systems
    Types of IDSs
    Other Intrusion Detection Technology
    Intrusion Prevention Systems
    Intrusion Response
    Goals for Intrusion Detection Systems
    IDS Strengths and Limitations
  6.9 Network Management
    Management to Ensure Service
    Security Information and Event Management (SIEM)
  6.10 Conclusion
  6.11 Exercises

Chapter 7 Databases
  7.1 Introduction to Databases
    Concept of a Database
    Components of Databases
    Advantages of Using Databases
  7.2 Security Requirements of Databases
    Integrity of the Database
    Element Integrity
    Auditability
    Access Control
    User Authentication
    Availability
    Integrity/Confidentiality/Availability
  7.3 Reliability and Integrity
    Protection Features from the Operating System
    Two-Phase Update
    Redundancy/Internal Consistency
    Recovery
    Concurrency/Consistency
  7.4 Database Disclosure
    Sensitive Data
    Types of Disclosures
    Preventing Disclosure: Data Suppression and Modification
    Security Versus Precision
  7.5 Data Mining and Big Data
    Data Mining
    Big Data
  7.6 Conclusion
  Exercises

Chapter 8 Cloud Computing
  8.1 Cloud Computing Concepts
    Service Models
    Deployment Models
  8.2 Moving to the Cloud
    Risk Analysis
    Cloud Provider Assessment
    Switching Cloud Providers
    Cloud as a Security Control
  8.3 Cloud Security Tools and Techniques
    Data Protection in the Cloud
    Cloud Application Security
    Logging and Incident Response
  8.4 Cloud Identity Management
    Security Assertion Markup Language
    OAuth
    OAuth for Authentication
  8.5 Securing IaaS
    Public IaaS Versus Private Network Security
  8.6 Conclusion
    Where the Field Is Headed
    To Learn More
  8.7 Exercises

Chapter 9 Privacy
  9.1 Privacy Concepts
    Aspects of Information Privacy
    Computer-Related Privacy Problems
  9.2 Privacy Principles and Policies
    Fair Information Practices
    U.S. Privacy Laws
    Controls on U.S. Government Websites
    Controls on Commercial Websites
    Non-U.S. Privacy Principles
    Individual Actions to Protect Privacy
    Governments and Privacy
    Identity Theft
  9.3 Authentication and Privacy
    What Authentication Means
    Conclusions
  9.4 Data Mining
    Government Data Mining
    Privacy-Preserving Data Mining
  9.5 Privacy on the Web
    Understanding the Online Environment
    Payments on the Web
    Site and Portal Registrations
    Whose Page Is This?
    Precautions for Web Surfing
    Spyware
    Shopping on the Internet
  9.6 Email Security
    Where Does Email Go, and Who Can Access It?
    Interception of Email
    Monitoring Email
    Anonymous, Pseudonymous, and Disappearing Email
    Spoofing and Spamming
    Summary
  9.7 Privacy Impacts of Emerging Technologies
    Radio Frequency Identification
    Electronic Voting
    VoIP and Skype
    Privacy in the Cloud
    Conclusions on Emerging Technologies
  9.8 Where the Field Is Headed
  9.9 Conclusion
  9.10 Exercises

Chapter 10 Management and Incidents
  10.1 Security Planning
    Organizations and Security Plans
    Contents of a Security Plan
    Security Planning Team Members
    Assuring Commitment to a Security Plan
  10.2 Business Continuity Planning
    Assess Business Impact
    Develop Strategy
    Develop the Plan
  10.3 Handling Incidents
    Incident Response Plans
    Incident Response Teams
  10.4 Risk Analysis
    The Nature of Risk
    Steps of a Risk Analysis
    Arguments For and Against Risk Analysis
  10.5 Dealing with Disaster
    Natural Disasters
    Power Loss
    Human Vandals
    Interception of Sensitive Information
    Contingency Planning
    Physical Security Recap
  10.6 Conclusion
  10.7 Exercises

Chapter 11 Legal Issues and Ethics
  11.1 Protecting Programs and Data
    Copyrights
    Patents
    Trade Secrets
    Special Cases
  11.2 Information and the Law
    Information as an Object
    Legal Issues Relating to Information
    The Legal System
    Summary of Protection for Computer Artifacts
  11.3 Rights of Employees and Employers
    Ownership of Products
    Employment Contracts
  11.4 Redress for Software Failures
    Selling Correct Software
    Reporting Software Flaws
  11.5 Computer Crime
    Why a Separate Category for Computer Crime Is Needed
    Why Computer Crime Is Hard to Define
    Why Computer Crime Is Hard to Prosecute
    Examples of Statutes
    International Dimensions
    Why Computer Criminals Are Hard to Catch
    What Computer Crime Does Not Address
    Summary of Legal Issues in Computer Security
  11.6 Ethical Issues in Computer Security
    Differences Between the Law and Ethics
    Studying Ethics
    Ethical Reasoning
  11.7 Incident Analysis with Ethics
    Situation I: Use of Computer Services
    Situation II: Privacy Rights
    Situation III: Denial of Service
    Situation IV: Ownership of Programs
    Situation V: Proprietary Resources
    Situation VI: Fraud
    Situation VII: Accuracy of Information
    Situation VIII: Ethics of Hacking or Cracking
    Situation IX: True Representation
    Conclusion of Computer Ethics
  Conclusion
  Exercises

Chapter 12 Details of Cryptography
  12.1 Cryptology
    Cryptanalysis
    Cryptographic Primitives
    One-Time Pads
    Statistical Analysis
    What Makes a Secure Encryption Algorithm?
  12.2 Symmetric Encryption Algorithms
    DES
    AES
    RC2, RC4, RC5, and RC6
  12.3 Asymmetric Encryption with RSA
    The RSA Algorithm
    Strength of the RSA Algorithm
  12.4 Message Digests
    Hash Functions
    One-Way Hash Functions
    Message Digests
  12.5 Digital Signatures
    Elliptic Curve Cryptosystems
    El Gamal and Digital Signature Algorithms
    The NSA-Cryptography Controversy of 2012
  12.6 Quantum Cryptography
    Quantum Physics
    Photon Reception
    Cryptography with Photons
    Implementation
  12.7 Conclusion

Chapter 13 Emerging Topics
  13.1 The Internet of Things
    Medical Devices
    Mobile Phones
    Security in the Internet of Things
  13.2 Economics
    Making a Business Case
    Quantifying Security
    Current Research and Future Directions
  13.3 Electronic Voting
    What Is Electronic Voting?
    What Is a Fair Election?
    What Are the Critical Issues?
  13.4 Cyber Warfare
    What Is Cyber Warfare?
    Possible Examples of Cyber Warfare
    Critical Issues
  13.5 Conclusion

Bibliography

Index

Foreword

From the authors: Willis Ware kindly wrote the foreword that we published in both the third and fourth editions of Security in Computing. In his foreword he covers some of the early days of computer security, describing concerns that are as valid today as they were in those earlier days. Willis chose to sublimate his name and efforts to the greater good of the projects he worked on. In fact, his thoughtful analysis and persuasive leadership contributed much to the final outcome of these activities. Few people recognize Willis's name today; more people are familiar with the European Union Data Protection Directive that is a direct descendant of the report [WAR73a] from his committee for the U.S. Department of Human Services. Willis would have wanted it that way: the emphasis on the ideas and not on his name. Unfortunately, Willis died in November 2013 at age 93. We think the lessons he wrote about in his Foreword are still important to our readers. Thus, with both respect and gratitude, we republish his words here.

In the 1950s and 1960s, the prominent conference gathering places for practitioners and users of computer technology were the twice yearly Joint Computer Conferences (JCCs), initially called the Eastern and Western JCCs, but later renamed the Spring and Fall JCCs and even later, the annual National (AFIPS) Computer Conference. From this milieu, the topic of computer security, later to be called information system security and currently also referred to as "protection of the national information infrastructure," moved from the world of classified defense interests into public view.

A few people, Robert L. Patrick, John P. Haverty, and myself among others, all then at The RAND Corporation (as its name was then known), had been talking about the growing dependence of the country and its institutions on computer technology. It concerned us that the installed systems might not be able to protect themselves and their data against intrusive and destructive attacks. We decided that it was time to bring the security aspect of computer systems to the attention of the technology and user communities.

The enabling event was the development within the National Security Agency (NSA) of a remote-access time-sharing system with a full set of security access controls, running on a Univac 494 machine, and serving terminals and users not only within the headquarters building at Fort George G. Meade, Maryland, but also worldwide. Fortuitously, I knew details of the system.

Persuading two others from RAND to help, Dr. Harold Peterson and Dr. Rein Turn, plus Bernard Peters of NSA, I organized a group of papers and presented it to the SJCC conference management as a ready-made additional paper session to be chaired by me. [1] The conference accepted the offer, and the session was presented at the Atlantic City (NJ) Convention Hall in 1967.

Soon thereafter and driven by a request from a defense contractor to include both defense classified and business applications concurrently in a single mainframe machine functioning in a remote-access mode, the Department of Defense, acting through the Advanced Research Projects Agency (ARPA) and later the Defense Science Board (DSB), organized a committee, which I chaired, to study the issue of security controls for computer systems. The intent was to produce a document that could be the basis for formulating a DoD policy position on the matter.

The report of the committee was initially published as a classified document and was formally presented to the sponsor (the DSB) in January 1970. It was later declassified and republished (by The RAND Corporation) in October 1979. [2] It was widely circulated and became nicknamed "the Ware report." The report and a historical introduction are available on the RAND website. [3]

Subsequently, the United States Air Force (USAF) sponsored another committee chaired by James P. Anderson. [4] Its report, published in 1972, recommended a 6-year R&D security program totaling some $8M. [5] The USAF responded and funded several projects, three of which were to design and implement an operating system with security controls for a specific computer.

Eventually these activities led to the "Criteria and Evaluation" program sponsored by the NSA. It culminated in the "Orange Book" [6] in 1983 and subsequently its supporting array of documents, which were nicknamed "the rainbow series." [7] Later, in the 1980s and on into the 1990s, the subject became an international one, leading to the ISO standard known as the Common Criteria. [8]

It is important to understand the context in which system security was studied in the early decades. The defense establishment had a long history of protecting classified information in document form. It had evolved a very elaborate scheme for compartmenting material into groups, sub-groups and super-groups, each requiring a specific personnel clearance and need-to-know as the basis for access. [9] It also had a centuries-long legacy of encryption technology and experience for protecting classified information in transit. Finally, it understood the personnel problem and the need to establish the trustworthiness of its people. And it certainly understood the physical security matter.

Thus, the computer security issue, as it was understood in the 1960s and even later, was how to create in a computer system a group of access controls that would implement or emulate the processes of the prior paper world, plus the associated issues of protecting such software against unauthorized change, subversion and illicit use, and of embedding the entire system in a secure physical environment with appropriate management oversights and operational doctrine and procedures. The poorly understood aspect of security was primarily the software issue with, however, a collateral hardware aspect; namely, the risk that it might malfunction, or be penetrated, and subvert the proper behavior of software. For the related aspects of communications, personnel, and physical security, there was a plethora of rules, regulations, doctrine and experience to cover them. It was largely a matter of merging all of it with the hardware/software aspects to yield an overall secure system and operating environment.

However, the world has now changed and in essential ways. The desk-top computer and workstation have appeared and proliferated widely. The Internet is flourishing and the reality of a World Wide Web is in place. Networking has exploded and communication among computer systems is the rule, not the exception. Many commercial transactions are now web-based; many commercial communities, the financial one in particular, have moved into a web posture. The user of any computer system can literally be anyone in the world. Networking among computer systems is ubiquitous; information-system outreach is the goal.

The net effect of all of this has been to expose the computer-based information system, its hardware, its software, its software processes, its databases, its communications, to an environment over which no one, not end-user, not network administrator or system owner, not even government, has control. What must be done is to provide appropriate technical, procedural, operational and environmental safeguards against threats as they might appear or be imagined, embedded in a societally acceptable legal framework.

And appear threats did, from individuals and organizations, national and international. The motivations to penetrate systems for evil purpose or to create malicious software, generally with an offensive or damaging consequence, vary from personal intellectual satisfaction to espionage, to financial reward, to revenge, to civil disobedience, and to other reasons. Information-system security has moved from a largely self-contained bounded environment interacting with a generally known and disciplined user community to one of worldwide scope with a body of users that may not be known and are not necessarily trusted. Importantly, security controls now must deal with circumstances over which there is largely no control or expectation of avoiding their impact. Computer security, as it has evolved, shares a similarity with liability insurance; they each face a threat environment that is known in a very general way and can generate attacks over a broad spectrum of possibilities; but the exact details or even time or certainty of an attack is unknown until an event has occurred.

On the other hand, the modern world thrives on information and its flows; the contemporary world, society and institutions cannot function without their computer-communication-based information systems. Hence, these systems must be protected in all dimensions: technical, procedural, operational, environmental. The system owner and its staff have become responsible for protecting the organization's information assets.

Progress has been slow, in large part because the threat has not been perceived as real or as damaging enough; but also in part because the perceived cost of comprehensive information system security is seen as too high compared to the risks, especially the financial consequences, of not doing it. Managements, whose support with appropriate funding is essential, have been slow to be convinced.

This book addresses the broad sweep of issues above: the nature of the threat and system vulnerabilities (Chapter 1); cryptography (Chapters 2 and 12); software vulnerabilities (Chapter 3); the Common Criteria (Chapter 5); the World Wide Web and Internet (Chapters 4 and 6); managing risk (Chapter 10); and legal, ethical and privacy issues (Chapter 11). The book also describes security controls that are currently available such as encryption protocols, software development practices, firewalls, and intrusion-detection systems. Overall, this book provides a broad and sound foundation for the information-system specialist who is charged with planning and/or organizing and/or managing and/or implementing a comprehensive information-system security program.

Yet to be solved are many technical aspects of information security: R&D for hardware, software, systems, and architecture; and the corresponding products. Notwithstanding, technology per se is not the long pole in the tent of progress. Organizational and management motivation and commitment to get the security job done is. Today, the collective information infrastructure of the country and of the world is slowly moving up the learning curve; every mischievous or malicious event helps to push it along. The terrorism-based events of recent times are helping to drive it. Is it far enough up the curve to have reached an appropriate balance between system safety and threat? Almost certainly, the answer is no, not yet; there is a long way to go. [10]

Willis H. Ware
RAND
Santa Monica, California

Citations

1. "Security and Privacy in Computer Systems," Willis H. Ware; RAND, Santa Monica, CA; P-3544, April 1967. Also published in Proceedings of the 1967 Spring Joint Computer Conference (later renamed to AFIPS Conference Proceedings), pp 279 seq, Vol. 30, 1967.
   "Security Considerations in a Multi-Programmed Computer System," Bernard Peters; Proceedings of the 1967 Spring Joint Computer Conference (later renamed to AFIPS Conference Proceedings), pp 283 seq, Vol. 30, 1967.
   "Practical Solutions to the Privacy Problem," Willis H. Ware; RAND, Santa Monica, CA; P-3544, April 1967. Also published in Proceedings of the 1967 Spring Joint Computer Conference (later renamed to AFIPS Conference Proceedings), pp 301 seq, Vol. 30, 1967.
   "System Implications of Information Privacy," Harold E. Peterson and Rein Turn; RAND, Santa Monica, CA; P-3504, April 1967. Also published in Proceedings of the 1967 Spring Joint Computer Conference (later renamed to AFIPS Conference Proceedings), pp 305 seq, Vol. 30, 1967.
2. "Security Controls for Computer Systems" (Report of the Defense Science Board Task Force on Computer Security), RAND, R-609-1-PR. Initially published in January 1970 as a classified document. Subsequently declassified and republished October 1979.
3. http://rand.org/publications/R/R609.1/R609.1.html, "Security Controls for Computer Systems"; R-609.1, RAND, 1979. http://rand.org/publications/R/R609.1/intro.html, Historical setting for R-609.1.
4. "Computer Security Technology Planning Study," James P. Anderson; ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA; October 1972.
5. All of these documents are cited in the bibliography of this book. For images of these historical papers on a CD-ROM, see the "History of Computer Security Project, Early Papers Part 1," Professor Matt Bishop; Department of Computer Science, University of California at Davis. http://seclab.cs.ucdavis.edu/projects/history
6. "DoD Trusted Computer System Evaluation Criteria," DoD Computer Security Center, National Security Agency, Ft George G. Meade, Maryland; CSC-STD-001-83; Aug 15, 1983.
7. So named because the cover of each document in the series had a unique and distinctively colored cover page. For example, the "Red Book" is "Trusted Network Interpretation," National Computer Security Center, National Security Agency, Ft. George G. Meade, Maryland; NCSC-TG-005, July 31, 1987. USGPO Stock number 008-000-00486-2.
8. "A Retrospective on the Criteria Movement," Willis H. Ware; RAND, Santa Monica, CA; P-7949, 1995. http://rand.org/pubs/papers/P7949/
9. This scheme is nowhere, to my knowledge, documented explicitly. However, its complexity can be inferred by a study of Appendices A and B of R-609.1 (item [2] above).
10. "The Cyberposture of the National Information Infrastructure," Willis H. Ware; RAND, Santa Monica, CA; MR-976-OSTP, 1998. Available online at: http://www.rand.org/publications/MR/MR976/mr976.html
Preface

Tablets, smartphones, TV set-top boxes, GPS navigation devices, exercise monitors, home security stations, even washers and dryers come with Internet connections by which data from and about you go to places over which you have little visibility or control. At the same time, the list of retailers suffering massive losses of customer data continues to grow: Home Depot, Target, T.J. Maxx, P.F. Chang's, Sally Beauty. On the one hand people want the convenience and benefits that added connectivity brings, while on the other hand, people are worried, and some are seriously harmed by the impact of such incidents. Computer security brings these two threads together as technology races forward with smart products whose designers omit the basic controls that can prevent or limit catastrophes.

To some extent, people sigh and expect security failures in basic products and complex systems. But these failures do not have to be. Every computer professional can learn how such problems occur and how to counter them. Computer security has been around as a field since the 1960s, and it has developed excellent research, leading to a good understanding of the threat and how to manage it.

One factor that turns off many people is the language: Complicated terms such as polymorphic virus, advanced persistent threat, distributed denial-of-service attack, inference and aggregation, multifactor authentication, key exchange protocol, and intrusion detection system do not exactly roll off the tongue. Other terms sound intriguing but opaque, such as worm, botnet, rootkit, man in the browser, honeynet, sandbox, and script kiddie. The language of advanced mathematics or microbiology is no less confounding, and the Latin terminology of medicine and law separates those who know it from those who do not. But the terms and concepts of computer security really have straightforward, easy-to-learn meaning and uses.

Vulnerability: weakness
Threat: condition that exercises a vulnerability
Incident: vulnerability + threat
Control: reduction of threat or vulnerability

The premise of computer security is quite simple: Vulnerabilities are weaknesses in products, systems, protocols, algorithms, programs, interfaces, and designs. A threat is a condition that could exercise a vulnerability. An incident occurs when a threat does exploit a vulnerability, causing harm. Finally, people add controls or countermeasures to prevent, deflect, diminish, detect, diagnose, and respond to threats. All of computer security is built from that simple framework. This book is about bad things that can happen with computers and ways to protect our computing.

Why Read This Book?

Admit it. You know computing entails serious risks to the privacy of your personal data, the integrity of your data, or the operation of your computer. Risk is a fact of life: Crossing the street is risky, perhaps more so in some places than others, but you still cross the street. As a child you learned to stop and look both ways before crossing. As you became older you learned to gauge the speed of oncoming traffic and determine whether you had the time to cross. At some point you developed a sense of whether an oncoming car would slow down or yield. We hope you never had to practice this, but sometimes you have to decide whether darting into the street without looking is the best means of escaping danger. The point is all these matters depend on knowledge and experience. We want to help you develop comparable knowledge and experience with respect to the risks of secure computing.

The same thing can be said about computer security in everything from personal devices to complex commercial systems: You start with a few basic terms, principles, and concepts. Then you learn the discipline by seeing those basics reappear in numerous situations, including programs, operating systems, networks, and cloud computing. You pick up a few fundamental tools, such as authentication, access control, and encryption, and you understand how they apply in defense strategies. You start to think like an attacker, predicting the weaknesses that could be exploited, and then you shift to selecting defenses to counter those attacks. This last stage of playing both offense and defense makes computer security a creative and challenging activity.

Uses for and Users of This Book

This book is intended for people who want to learn about computer security; if you have read this far you may well be such a person. This book is intended for three groups of people: college and university students, computing professionals and managers, and users of all kinds of computer-based systems. All want to know the same thing: how to control the risk of computer security. But you may differ in how much information you need about particular topics: Some readers want a broad survey, while others want to focus on particular topics, such as networks or program development.

This book should provide the breadth and depth that most readers want. The book is organized by general area of computing, so that readers with particular interests can find information easily.

Organization of This Book

The chapters of this book progress in an orderly manner, from general security concerns to the particular needs of specialized applications, and then to overarching management and legal issues. Thus, this book progresses through six key areas of interest:

1. Introduction: threats, vulnerabilities, and controls
2. The security practitioner's toolbox: identification and authentication, access control, and encryption
3. Application areas of computer security practice: programs, user-Internet interaction, operating systems, networks, data and databases, and cloud computing
4. Cross-cutting disciplines: privacy, management, law and ethics
5. Details of cryptography
6. Emerging application domains

    Thefirstchapterbeginslikemanyotherexpositions:bylayinggroundwork.InChapter

  • 1weintroducetermsanddefinitions,andgivesomeexamplestojustifyhowthesetermsareused.InChapter2webegintherealdepthofthefieldbyintroducingthreeconceptsthat form the basis of many defenses in computer security: identification andauthentication, access control, and encryption. We describe different ways ofimplementing each of these, explore strengths andweaknesses, and tell of some recentadvancesinthesetechnologies.

Then we advance through computing domains, from the individual user outward. In Chapter 3 we begin with individual programs, ones you might write and those you only use. Both kinds are subject to potential attacks, and we examine the nature of some of those attacks and how they could have been prevented. In Chapter 4 we move on to a type of program with which most users today are quite familiar: the browser, as a gateway to the Internet. The majority of attacks today are remote, carried from a distant attacker across a network, usually the Internet. Thus, it makes sense to study Internet-borne malicious code. But this chapter's focus is on the harm launched remotely, not on the network infrastructure by which it travels; we defer the network concepts to Chapter 6. In Chapter 5 we consider operating systems, a strong line of defense between a user and attackers. We also consider ways to undermine the strength of the operating system itself. Chapter 6 returns to networks, but this time we do look at architecture and technology, including denial-of-service attacks that can happen only in a network. Data, their collection and protection, form the topic of Chapter 7, in which we look at database management systems and big data applications. Finally, in Chapter 8 we explore cloud computing, a relatively recent addition to the computing landscape, but one that brings its own vulnerabilities and protections.

In Chapters 9 through 11 we address what we have termed the intersecting disciplines: First, in Chapter 9 we explore privacy, a familiar topic that relates to most of the six domains from programs to clouds. Then Chapter 10 takes us to the management side of computer security: how management plans for and addresses computer security problems. Finally, Chapter 11 explores how laws and ethics help us control computer behavior.

We introduced cryptography in Chapter 2. But the field of cryptography involves entire books, courses, conferences, journals, and postgraduate programs of study. And this book needs to cover many important topics in addition to cryptography. Thus, we made two critical decisions: First, we treat cryptography as a tool, not as a field of study. An automobile mechanic does not study the design of cars, weighing such factors as aerodynamics, fuel consumption, interior appointment, and crash resistance; a mechanic accepts a car as a given and learns how to find and fix faults with the engine and other mechanical parts. Similarly, we want our readers to be able to use cryptography to quickly address security problems; hence we briefly visit popular uses of cryptography in Chapter 2. Our second critical decision was to explore the breadth of cryptography slightly more in a later chapter, Chapter 12. But as we point out, entire books have been written on cryptography, so our later chapter gives an overview of more detailed work that interested readers can find elsewhere.

Our final chapter detours to four areas having significant computer security hazards. These are rapidly advancing topics for which the computer security issues are much in progress right now. The so-called Internet of Things, the concept of connecting many devices to the Internet, raises potential security threats waiting to be explored. Economics govern many security decisions, so security professionals need to understand how economics and security relate. Convenience is raising interest in using computers to implement elections; the easy steps of collecting vote totals have been done by many jurisdictions, but the hard part of organizing fair online registration and ballot-casting has been done in only a small number of demonstration elections. And the use of computers in warfare is a growing threat. Again, a small number of modest-sized attacks on computing devices have shown the feasibility of this type of campaign, but security professionals and ordinary citizens need to understand the potential, both good and bad, of this type of attack.

How to Read This Book

What background should you have to appreciate this book? The only assumption is an understanding of programming and computer systems. Someone who is an advanced undergraduate or graduate student in computing certainly has that background, as does a professional designer or developer of computer systems. A user who wants to understand more about how programs work can learn from this book, too; we provide the necessary background on concepts of operating systems or networks, for example, before we address the related security concerns.

This book can be used as a textbook in a one- or two-semester course in computer security. The book functions equally well as a reference for a computer professional or as a supplement to an intensive training course. And the index and extensive bibliography make it useful as a handbook to explain significant topics and point to key articles in the literature. The book has been used in classes throughout the world; instructors often design one-semester courses that focus on topics of particular interest to the students or that relate well to the rest of a curriculum.

What Is New in This Book

This is the fifth edition of Security in Computing, first published in 1989. Since then, the specific threats, vulnerabilities, and controls have changed, as have many of the underlying technologies to which computer security applies. However, many basic concepts have remained the same.

Most obvious to readers familiar with earlier editions will be some new chapters, specifically, on user web interaction and cloud computing, as well as the topics we raise in the emerging topics chapter. Furthermore, pulling together the three fundamental controls in Chapter 2 is a new structure. Those are the big changes, but every chapter has had many smaller changes, as we describe new attacks or expand on points that have become more important.

One other feature some may notice is the addition of a third coauthor. Jonathan Margulies joins us as an essential member of the team that produced this revision. He is currently director of the security practice at Qmulos, a newly launched security consulting practice. He brings many years of experience with Sandia National Labs and the National Institute for Standards and Technology. His focus meshes nicely with our existing skills to extend the breadth of this book.

Acknowledgments

It is increasingly difficult to acknowledge all the people who have influenced this book. Colleagues and friends have contributed their knowledge and insight, often without knowing their impact. By arguing a point or sharing explanations of concepts, our associates have forced us to question or rethink what we know.

We thank our associates in at least two ways. First, we have tried to include references to their written works. References in the text cite specific papers relating to particular thoughts or concepts, but the bibliography also includes broader works that have played a more subtle role in shaping our approach to security. So, to all the cited authors, many of whom are friends and colleagues, we happily acknowledge your positive influence on this book.

Rather than name individuals, we thank the organizations in which we have interacted with creative, stimulating, and challenging people from whom we learned a lot. These places include Trusted Information Systems, the Contel Technology Center, the Centre for Software Reliability of the City University of London, Arca Systems, Exodus Communications, The RAND Corporation, Sandia National Lab, Cable & Wireless, the National Institute of Standards and Technology, the Institute for Information Infrastructure Protection, Qmulos, and the Editorial Board of IEEE Security & Privacy. If you worked with us at any of these locations, chances are high that your imprint can be found in this book. And for all the side conversations, debates, arguments, and light moments, we are grateful.

About the Authors

Charles P. Pfleeger is an internationally known expert on computer and communications security. He was originally a professor at the University of Tennessee, leaving there to join computer security research and consulting companies Trusted Information Systems and Arca Systems (later Exodus Communications and Cable and Wireless). With Trusted Information Systems he was Director of European Operations and Senior Consultant. With Cable and Wireless he was Director of Research and a member of the staff of the Chief Security Officer. He was chair of the IEEE Computer Society Technical Committee on Security and Privacy.

Shari Lawrence Pfleeger is widely known as a software engineering and computer security researcher, most recently as a Senior Computer Scientist with the Rand Corporation and as Research Director of the Institute for Information Infrastructure Protection. She is currently Editor-in-Chief of IEEE Security & Privacy magazine.

Jonathan Margulies is the CTO of Qmulos, a cybersecurity consulting firm. After receiving his master's degree in Computer Science from Cornell University, Mr. Margulies spent nine years at Sandia National Labs, researching and developing solutions to protect national security and critical infrastructure systems from advanced persistent threats. He then went on to NIST's National Cybersecurity Center of Excellence, where he worked with a variety of critical infrastructure companies to create industry-standard security architectures. In his free time, Mr. Margulies edits the Building Security In section of IEEE Security & Privacy magazine.

1. Introduction

In this chapter:
Threats, vulnerabilities, and controls
Confidentiality, integrity, and availability
Attackers and attack types; method, opportunity, and motive
Valuing assets

On 11 February 2013, residents of Great Falls, Montana received the following warning on their televisions [INF13]. The transmission displayed a message banner on the bottom of the screen (as depicted in Figure 1-1).

FIGURE 1-1 Emergency Broadcast Warning

And the following alert was broadcast:

[Beep Beep Beep: the sound pattern of the U.S. government Emergency Alert System. The following text then scrolled across the screen:]

Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages on screen that will be updated as information becomes available.

Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous. This warning applies to all areas receiving this broadcast.

[Beep Beep Beep]

The warning signal sounded authentic; it had the distinctive tone people recognize for warnings of serious emergencies such as hazardous weather or a natural disaster. And the text was displayed across a live broadcast television program. On the other hand, bodies rising from their graves sounds suspicious.

What would you have done?

Only four people contacted police for assurance that the warning was indeed a hoax. As you can well imagine, however, a different message could have caused thousands of people to jam the highways trying to escape. (On 30 October 1938 Orson Welles performed a radio broadcast of the H. G. Wells play War of the Worlds that did cause a minor panic of people believing that Martians had landed and were wreaking havoc in New Jersey.)

The perpetrator of this hoax was never caught, nor has it become clear exactly how it was done. Likely someone was able to access the system that feeds emergency broadcasts to local radio and television stations. In other words, a hacker probably broke into a computer system.

You encounter computers daily in countless situations, often in cases in which you are scarcely aware a computer is involved, like the emergency alert system for broadcast media. These computers move money, control airplanes, monitor health, lock doors, play music, heat buildings, regulate hearts, deploy airbags, tally votes, direct communications, regulate traffic, and do hundreds of other things that affect lives, health, finances, and well-being. Most of the time these computers work just as they should. But occasionally they do something horribly wrong, because of either a benign failure or a malicious attack.

This book is about the security of computers, their data, and the devices and objects to which they relate. In this book you will learn some of the ways computers can fail, or be made to fail, and how to protect against those failures. We begin that study in the way any good report does: by answering the basic questions of what, who, why, and how.

1.1 What Is Computer Security?

Computer security is the protection of the items you value, called the assets of a computer or computer system. There are many types of assets, involving hardware, software, data, people, processes, or combinations of these. To determine what to protect, we must first identify what has value and to whom.

A computer device (including hardware, added components, and accessories) is certainly an asset. Because most computer hardware is pretty useless without programs, the software is also an asset. Software includes the operating system, utilities and device handlers; applications such as word processing, media players or email handlers; and even programs that you may have written yourself. Much hardware and software is off-the-shelf, meaning that it is commercially available (not custom-made for your purpose) and that you can easily get a replacement. The thing that makes your computer unique and important to you is its content: photos, tunes, papers, email messages, projects, calendar information, ebooks (with your annotations), contact information, code you created, and the like. Thus, data items on a computer are assets, too. Unlike most hardware and software, data can be hard, if not impossible, to recreate or replace. These assets are all shown in Figure 1-2.

FIGURE 1-2 Computer Objects of Value

These three things, hardware, software, and data, contain or express things like the design for your next new product, the photos from your recent vacation, the chapters of your new book, or the genome sequence resulting from your recent research. All of these things represent intellectual endeavor or property, and they have value that differs from one person or organization to another. It is that value that makes them assets worthy of protection, and they are the elements we want to protect. Other assets, such as access to data, quality of service, processes, human users, and network connectivity, deserve protection, too; they are affected or enabled by the hardware, software, and data. So in most cases, protecting hardware, software, and data covers these other assets as well.

Computer systems, that is, hardware, software, and data, have value and deserve security protection.

In this book, unless we specifically distinguish between hardware, software, and data, we refer to all these assets as the computer system, or sometimes as the computer. And because processors are embedded in so many devices, we also need to think about such variations as mobile phones, implanted pacemakers, heating controllers, and automobiles. Even if the primary purpose of the device is not computing, the device's embedded computer can be involved in security incidents and represents an asset worthy of protection.

Values of Assets

After identifying the assets to protect, we next determine their value. We make value-based decisions frequently, even when we are not aware of them. For example, when you go for a swim you can leave a bottle of water and a towel on the beach, but not your wallet or cell phone. The difference relates to the value of the assets.

The value of an asset depends on the asset owner's or user's perspective, and it may be independent of monetary cost, as shown in Figure 1-3. Your photo of your sister, worth only a few cents in terms of paper and ink, may have high value to you and no value to your roommate. Other items' value depends on replacement cost; some computer data are difficult or impossible to replace. For example, that photo of you and your friends at a party may have cost you nothing, but it is invaluable because there is no other copy. On the other hand, the DVD of your favorite film may have cost a significant portion of your take-home pay, but you can buy another one if the DVD is stolen or corrupted. Similarly, timing has bearing on asset value. For example, the value of the plans for a company's new product line is very high, especially to competitors. But once the new product is released, the plans' value drops dramatically.

FIGURE 1-3 Values of Assets

Assets' values are personal, time dependent, and often imprecise.

The Vulnerability-Threat-Control Paradigm

The goal of computer security is protecting valuable assets. To study different ways of protection, we use a framework that describes how assets may be harmed and how to counter or mitigate that harm.

A vulnerability is a weakness in the system, for example, in procedures, design, or implementation, that might be exploited to cause loss or harm. For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user's identity before allowing data access.

A vulnerability is a weakness that could be exploited to cause harm.

A threat to a computing system is a set of circumstances that has the potential to cause loss or harm. To see the difference between a threat and a vulnerability, consider the illustration in Figure 1-4. Here, a wall is holding water back. The water to the left of the wall is a threat to the man on the right of the wall: The water could rise, overflowing onto the man, or it could stay beneath the height of the wall, causing the wall to collapse. So the threat of harm is the potential for the man to get wet, get hurt, or be drowned. For now, the wall is intact, so the threat to the man is unrealized.

FIGURE 1-4 Threat and Vulnerability

A threat is a set of circumstances that could cause harm.

However, we can see a small crack in the wall, a vulnerability that threatens the man's security. If the water rises to or beyond the level of the crack, it will exploit the vulnerability and harm the man.

There are many threats to a computer system, including human-initiated and computer-initiated ones. We have all experienced the results of inadvertent human errors, hardware design flaws, and software failures. But natural disasters are threats, too; they can bring a system down when the computer room is flooded or the data center collapses from an earthquake, for example.

A human who exploits a vulnerability perpetrates an attack on the system. An attack can also be launched by another system, as when one system sends an overwhelming flood of messages to another, virtually shutting down the second system's ability to function. Unfortunately, we have seen this type of attack frequently, as denial-of-service attacks deluge servers with more messages than they can handle. (We take a closer look at denial of service in Chapter 6.)

How do we address these problems? We use a control or countermeasure as protection. That is, a control is an action, device, procedure, or technique that removes or reduces a vulnerability. In Figure 1-4, the man is placing his finger in the hole, controlling the threat of water leaks until he finds a more permanent solution to the problem. In general, we can describe the relationship between threats, controls, and vulnerabilities in this way:

Controls prevent threats from exercising vulnerabilities.

A threat is blocked by control of a vulnerability.

Before we can protect assets, we need to know the kinds of harm we have to protect them against, so now we explore threats to valuable assets.

1.2 Threats

We can consider potential harm to assets in two ways: First, we can look at what bad things can happen to assets, and second, we can look at who or what can cause or allow those bad things to happen. These two perspectives enable us to determine how to protect assets.

Think for a moment about what makes your computer valuable to you. First, you use it as a tool for sending and receiving email, searching the web, writing papers, and performing many other tasks, and you expect it to be available for use when you want it. Without your computer these tasks would be harder, if not impossible. Second, you rely heavily on your computer's integrity. When you write a paper and save it, you trust that the paper will reload exactly as you saved it. Similarly, you expect that the photo a friend passes you on a flash drive will appear the same when you load it into your computer as when you saw it on your friend's computer. Finally, you expect the "personal" aspect of a personal computer to stay personal, meaning you want it to protect your confidentiality. For example, you want your email messages to be just between you and your listed recipients; you don't want them broadcast to other people. And when you write an essay, you expect that no one can copy it without your permission.

These three aspects, confidentiality, integrity, and availability, make your computer valuable to you. But viewed from another perspective, they are three possible ways to make it less valuable, that is, to cause you harm. If someone steals your computer, scrambles data on your disk, or looks at your private data files, the value of your computer has been diminished or your computer use has been harmed. These characteristics are both basic security properties and the objects of security threats.

We can define these three properties as follows.

availability: the ability of a system to ensure that an asset can be used by any authorized parties
integrity: the ability of a system to ensure that an asset is modified only by authorized parties
confidentiality: the ability of a system to ensure that an asset is viewed only by authorized parties

These three properties, hallmarks of solid security, appear in the literature as early as James P. Anderson's essay on computer security [AND73] and reappear frequently in more recent computer security papers and discussions. Taken together (and rearranged), the properties are called the C-I-A triad or the security triad. ISO 7498-2 [ISO89] adds to them two more properties that are desirable, particularly in communication networks:

authentication: the ability of a system to confirm the identity of a sender
nonrepudiation or accountability: the ability of a system to confirm that a sender cannot convincingly deny having sent something

The U.S. Department of Defense [DOD85] adds auditability: the ability of a system to trace all actions related to a given asset. The C-I-A triad forms a foundation for thinking about security. Authenticity and nonrepudiation extend security notions to network communications, and auditability is important in establishing individual accountability for computer activity. In this book we generally use the C-I-A triad as our security taxonomy so that we can frame threats, vulnerabilities, and controls in terms of the C-I-A properties affected. We highlight one of these other properties when it is relevant to a particular threat we are describing. For now, we focus on just the three elements of the triad.

C-I-A triad: confidentiality, integrity, availability

What can happen to harm the confidentiality, integrity, or availability of computer assets? If a thief steals your computer, you no longer have access, so you have lost availability; furthermore, if the thief looks at the pictures or documents you have stored, your confidentiality is compromised. And if the thief changes the content of your music files but then gives them back with your computer, the integrity of your data has been harmed. You can envision many scenarios based around these three properties.

The C-I-A triad can be viewed from a different perspective: the nature of the harm caused to assets. Harm can also be characterized by four acts: interception, interruption, modification, and fabrication. These four acts are depicted in Figure 1-5. From this point of view, confidentiality can suffer if someone intercepts data, availability is lost if someone or something interrupts a flow of data or access to a computer, and integrity can fail if someone or something modifies data or fabricates false data. Thinking of these four kinds of acts can help you determine what threats might exist against the computers you are trying to protect.

FIGURE 1-5 Four Acts to Cause Security Harm

To analyze harm, we next refine the C-I-A triad, looking more closely at each of its elements.

Confidentiality

Some things obviously need confidentiality protection. For example, students' grades, financial transactions, medical records, and tax returns are sensitive. A proud student may run out of a classroom screaming "I got an A!" but the student should be the one to choose whether to reveal that grade to others. Other things, such as diplomatic and military secrets, companies' marketing and product development plans, and educators' tests, also must be carefully controlled. Sometimes, however, it is not so obvious that something is sensitive. For example, a military food order may seem like innocuous information, but a sudden increase in the order could be a sign of incipient engagement in conflict. Purchases of food, hourly changes in location, and access to books are not things you would ordinarily consider confidential, but they can reveal something that someone wants to be kept confidential.

The definition of confidentiality is straightforward: Only authorized people or systems can access protected data. However, as we see in later chapters, ensuring confidentiality can be difficult. For example, who determines which people or systems are authorized to access the current system? By "accessing" data, do we mean that an authorized party can access a single bit? the whole collection? pieces of data out of context? Can someone who is authorized disclose data to other parties? Sometimes there is even a question of who owns the data: If you visit a web page, do you own the fact that you clicked on a link, or does the web page owner, the Internet provider, someone else, or all of you?

In spite of these complicating examples, confidentiality is the security property we understand best because its meaning is narrower than that of the other two. We also understand confidentiality well because we can relate computing examples to those of preserving confidentiality in the real world.

Confidentiality relates most obviously to data, although we can think of the confidentiality of a piece of hardware (a novel invention) or a person (the whereabouts of a wanted criminal). Here are some properties that could mean a failure of data confidentiality:

An unauthorized person accesses a data item.
An unauthorized process or program accesses a data item.
A person authorized to access certain data accesses other data not authorized (which is a specialized version of "an unauthorized person accesses a data item").
An unauthorized person accesses an approximate data value (for example, not knowing someone's exact salary but knowing that the salary falls in a particular range or exceeds a particular amount).
An unauthorized person learns the existence of a piece of data (for example, knowing that a company is developing a certain new product or that talks are underway about the merger of two companies).

Notice the general pattern of these statements: A person, process, or program is (or is not) authorized to access a data item in a particular way. We call the person, process, or program a subject, the data item an object, the kind of access (such as read, write, or execute) an access mode, and the authorization a policy, as shown in Figure 1-6. These four terms reappear throughout this book because they are fundamental aspects of computer security.
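The subject/object/mode/policy pattern just described is easiest to see as code. The following is an added example written for this edit, not code from the book: a minimal reference monitor that checks every (subject, object, mode) triple against an explicit policy table and logs each decision. It also exercises three of the confidentiality failures listed above (an unauthenticated subject, which is the vulnerability mentioned in Section 1.1; an authorized subject reaching data it is not authorized for; and an "approximate value" leak through an unmediated yes/no range oracle), plus one integrity check (read permitted, write denied). The subject names, object names, salaries, passwords and policy rules are constructed for illustration.

```python
"""Added example (not from the book): a minimal reference monitor.

Every access is a triple (subject, object, mode) decided against a policy.
Subjects, objects, values, credentials and policy rules are constructed.
"""
import hashlib
import hmac
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

MODES = frozenset({"read", "write", "execute"})

# Policy: (subject, object) -> permitted access modes. Anything absent is denied.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("alice", "salary.alice"): frozenset({"read"}),
    ("alice", "memo.draft"): frozenset({"read", "write"}),
    ("bob", "salary.bob"): frozenset({"read"}),
    ("bob", "memo.draft"): frozenset({"read"}),
    ("payroll", "salary.alice"): frozenset({"read", "write"}),
    ("payroll", "salary.bob"): frozenset({"read", "write"}),
}

# Constructed credentials. A plain SHA-256 stands in for a real salted
# password hash purely to keep the example short.
CREDENTIALS = {name: hashlib.sha256(pw).digest()
               for name, pw in (("alice", b"alice-pw"), ("bob", b"bob-pw"),
                                ("payroll", b"payroll-pw"))}


class ReferenceMonitor:
    def __init__(self, objects: Dict[str, object]):
        self.objects = dict(objects)
        self.authenticated: Set[str] = set()
        # Auditability: every decision, allowed or denied, is recorded.
        self.audit: List[Tuple[str, str, str, str]] = []

    def login(self, subject: str, secret: bytes) -> bool:
        expected = CREDENTIALS.get(subject)
        ok = expected is not None and hmac.compare_digest(
            hashlib.sha256(secret).digest(), expected)
        if ok:
            self.authenticated.add(subject)
        return ok

    def _decide(self, subject: str, obj: str, mode: str) -> str:
        if mode not in MODES:
            return "deny-bad-mode"
        if subject not in self.authenticated:     # identity first, then policy
            return "deny-unauthenticated"
        if obj not in self.objects:
            return "deny-no-such-object"
        if mode not in POLICY.get((subject, obj), frozenset()):
            return "deny-policy"
        return "allow"

    def access(self, subject: str, obj: str, mode: str, value=None):
        decision = self._decide(subject, obj, mode)
        self.audit.append((subject, obj, mode, decision))
        if decision != "allow":
            raise PermissionError(f"{subject} {mode} {obj}: {decision}")
        if mode == "read":
            return self.objects[obj]
        if mode == "write":
            self.objects[obj] = value
            return value
        raise NotImplementedError("execute applies to program objects, not data")

    def exceeds(self, subject: str, obj: str, threshold: int) -> bool:
        # A range answer discloses an approximate value, so it is mediated as a read.
        return self.access(subject, obj, "read") > threshold


def probe(oracle: Callable[[int], bool], lo: int = 0, hi: int = 1_000_000) -> Tuple[int, int]:
    """Recover an integer in [lo, hi] from a yes/no 'exceeds t' oracle by binary
    search. Returns (value, queries): an unmediated oracle leaks the whole value."""
    queries = 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        if oracle(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo, queries


def demo() -> Dict[str, object]:
    rm = ReferenceMonitor({"salary.alice": 84_500, "salary.bob": 61_000, "memo.draft": "v1"})
    out: Dict[str, object] = {}
    try:                                   # not yet logged in: refused before policy
        rm.access("alice", "salary.alice", "read")
    except PermissionError:
        out["unauthenticated"] = rm.audit[-1][3]
    out["logins"] = rm.login("alice", b"alice-pw") and rm.login("bob", b"bob-pw")
    out["bad_password"] = rm.login("payroll", b"guess")
    out["alice_reads_own"] = rm.access("alice", "salary.alice", "read")
    try:                                   # authorized for some data, not for this data
        rm.access("bob", "salary.alice", "read")
    except PermissionError:
        out["bob_cross_read"] = rm.audit[-1][3]
    try:                                   # integrity: bob may read the memo, not write it
        rm.access("bob", "memo.draft", "write", "v2")
    except PermissionError:
        out["bob_write_memo"] = rm.audit[-1][3]
    out["memo_after"] = rm.access("bob", "memo.draft", "read")
    # An oracle that bypasses the monitor (direct dictionary access) leaks the exact salary.
    out["leaked"] = probe(lambda t: rm.objects["salary.alice"] > t)
    try:                                   # the same question, mediated, is denied
        rm.exceeds("bob", "salary.alice", 80_000)
    except PermissionError:
        out["mediated_range"] = rm.audit[-1][3]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `probe` function is the fourth item in the list above: a service that answers only "is the salary above t?" still discloses the salary to anyone who can ask about twenty times, so the monitor must treat such a query as a read of the object rather than as a separate, unprotected operation.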

FIGURE 1-6 Access Control

One word that captures most aspects of confidentiality is "view," although you should not take that term literally. A failure of confidentiality does not necessarily mean that someone sees an object and, in fact, it is virtually impossible to look at bits in any meaningful way (although you may look at their representation as characters or pictures). The word "view" does connote another aspect of confidentiality in computer security, through the association with viewing a movie or a painting in a museum: look but do not touch. In computer security, confidentiality usually means obtaining but not modifying. Modification is the subject of integrity, which we consider in the next section.

Integrity

Examples of integrity failures are easy to find. A number of years ago a malicious macro in a Word document inserted the word "not" after some random instances of the word "is"; you can imagine the havoc that ensued. Because the document was generally syntactically correct, people did not immediately detect the change. In another case, a model of the Pentium computer chip produced an incorrect result in certain circumstances of floating-point arithmetic. Although the circumstances of failure were rare, Intel decided to manufacture and replace the chips. Many of us receive mail that is misaddressed because someone typed something wrong when transcribing from a written list. A worse situation occurs when that inaccuracy is propagated to other mailing lists such that we can never seem to correct the root of the problem. Other times we find that a spreadsheet seems to be wrong, only to find that someone typed "space 123" in a cell, changing it from a numeric value to text, so the spreadsheet program misused that cell in computation. Suppose someone converted numeric data to roman numerals: One could argue that IV is the same as 4, but IV would not be useful in most applications, nor would it be obviously meaningful to someone expecting 4 as an answer. These cases show some of the breadth of examples of integrity failures.

Integrity is harder to pin down than confidentiality. As Stephen Welke and Terry Mayfield [WEL90, MAY91, NCS91a] point out, integrity means different things in different contexts. When we survey the way some people use the term, we find several different meanings. For example, if we say that we have preserved the integrity of an item, we may mean that the item is

precise
accurate
unmodified
modified only in acceptable ways
modified only by authorized people
modified only by authorized processes
consistent
internally consistent
meaningful and usable

Integrity can also mean two or more of these properties. Welke and Mayfield recognize three particular aspects of integrity: authorized actions, separation and protection of resources, and error detection and correction. Integrity can be enforced in much the same way as can confidentiality: by rigorous control of who or what can access which resources in what ways.
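The "error detection" aspect of integrity deserves a concrete illustration, because the macro attack at the start of this section shows why a human reader is a poor detector. The block below is an added example written for this edit, not code from the book: it reproduces the "insert not after is" modification on a constructed document and compares two detection mechanisms. An unkeyed checksum catches accidental corruption but not a malicious modifier, who simply recomputes the checksum over the altered text; a keyed message authentication code (here HMAC-SHA256, a choice made for this example) catches both, because producing a valid tag requires the key, which is exactly what makes its holder the "authorized party" of the integrity definition. The document text and the keys are constructed for illustration.

```python
"""Added example (not from the book): detecting unauthorized modification.

Compares an unkeyed checksum with a keyed tag (HMAC-SHA256) against two
modifiers: accidental corruption and a deliberate, checksum-aware attacker.
Document text and keys are constructed for illustration.
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Tuple

DOCUMENT = "The server is reachable. The backup is complete. The audit is finished."

Stored = Tuple[str, str]   # (text, checksum-or-tag) as kept on disk or in transit


def tamper(text: str) -> str:
    """The macro attack described in the text: insert 'not' after 'is'."""
    return re.sub(r"\bis\b", "is not", text, count=2)


def checksum(text: str) -> str:
    """Unkeyed: anyone, including the modifier, can recompute it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def tag(key: bytes, text: str) -> str:
    """Keyed: only a holder of `key` can produce a matching tag."""
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_plain(stored: Stored) -> bool:
    text, expected = stored
    return checksum(text) == expected


def verify_keyed(key: bytes, stored: Stored) -> bool:
    text, expected = stored
    # constant-time comparison so the verifier does not leak the tag byte by byte
    return hmac.compare_digest(tag(key, text), expected)


def scenario() -> Dict[str, object]:
    key = secrets.token_bytes(32)            # held by the authorized modifier/verifier
    plain_store: Stored = (DOCUMENT, checksum(DOCUMENT))
    keyed_store: Stored = (DOCUMENT, tag(key, DOCUMENT))

    # 1. Accidental corruption (a flipped character); the checksum field is untouched.
    corrupted = DOCUMENT[:4] + "x" + DOCUMENT[5:]
    accidental_plain = verify_plain((corrupted, plain_store[1]))
    accidental_keyed = verify_keyed(key, (corrupted, keyed_store[1]))

    # 2. Malicious modification: the attacker rewrites the text AND the stored
    #    checksum, but does not hold the key and so must guess one for the tag.
    modified = tamper(DOCUMENT)
    attacker_key = secrets.token_bytes(32)
    malicious_plain = verify_plain((modified, checksum(modified)))
    malicious_keyed = verify_keyed(key, (modified, tag(attacker_key, modified)))

    return {
        "tampered_text": modified,
        "accidental_plain_caught": not accidental_plain,
        "accidental_keyed_caught": not accidental_keyed,
        "malicious_plain_caught": not malicious_plain,   # False: checksum was recomputed
        "malicious_keyed_caught": not malicious_keyed,   # True: no key, no valid tag
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner would add: the tag only detects that a modification occurred, it does not say which words changed or restore them (detection, not correction), and it does not stop an attacker who replays an older (text, tag) pair that was valid at the time; guarding against that needs a version or timestamp inside the tagged data.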

Availability

A computer user's worst nightmare: You turn on the switch and the computer does nothing. Your data and programs are presumably still there, but you cannot get at them. Fortunately, few of us experience that failure. Many of us do experience overload, however: access gets slower and slower; the computer responds but not in a way we consider normal or acceptable.

Availability applies both to data and to services (that is, to information and to information processing), and it is similarly complex. As with the notion of confidentiality, different people expect availability to mean different things. For example, an object or service is thought to be available if the following are true:

It is present in a usable form.
It has enough capacity to meet the service's needs.
It is making clear progress, and, if in wait mode, it has a bounded waiting time.
The service is completed in an acceptable period of time.

We can construct an overall description of availability by combining these goals. Following are some criteria to define availability.

There is a timely response to our request.
Resources are allocated fairly so that some requesters are not favored over others.
Concurrency is controlled; that is, simultaneous access, deadlock management, and exclusive access are supported as required.
The service or system involved follows a philosophy of fault tolerance, whereby hardware or software faults lead to graceful cessation of service or to work-arounds rather than to crashes and abrupt loss of information. (Cessation does mean end; whether it is graceful or not, ultimately the system is unavailable. However, with fair warning of the system's stopping, the user may be able to move to another system and continue work.)
The service or system can be used easily and in the way it was intended to be used. (This is a characteristic of usability, but an unusable system may also cause an availability failure.)

As you can see, expectations of availability are far-reaching. In Figure 1-7 we depict some of the properties with which availability overlaps. Indeed, the security community is just beginning to understand what availability implies and how to ensure it.
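Two of the criteria above, fair allocation and a bounded waiting time, can be made concrete with a small scheduling simulation. The following is an added example written for this edit, not code from the book. It compares a first-come-first-served queue with per-requester round-robin service when one requester floods the service with many requests while another submits a single one. The requester names, request counts and the unit service time are constructed, and all requests are assumed to be already queued when service starts.

```python
"""Added example (not from the book): fair allocation and bounded waiting.

Simulates a service under a flood from one requester and compares FIFO
service with per-requester round-robin. Requesters, counts and service
time are constructed; all requests are assumed queued at time 0.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

Request = Tuple[str, int]   # (requester, arrival_time)


def serve_fifo(requests: List[Request], service_time: int = 1) -> Dict[str, int]:
    """Serve strictly in arrival order. Returns the worst wait seen per requester.
    A single requester's burst pushes everyone behind it to the back of the line."""
    worst: Dict[str, int] = defaultdict(int)
    clock = 0
    for who, arrived in sorted(requests, key=lambda r: r[1]):
        start = max(clock, arrived)
        worst[who] = max(worst[who], start - arrived)
        clock = start + service_time
    return dict(worst)


def serve_round_robin(requests: List[Request], service_time: int = 1) -> Dict[str, int]:
    """One queue per requester, served in rotation. With k active requesters a
    requester waits at most (k - 1) * service_time before its next turn, however
    many requests any other requester has queued: a bounded wait."""
    queues: Dict[str, deque] = defaultdict(deque)
    for who, arrived in sorted(requests, key=lambda r: r[1]):
        queues[who].append(arrived)
    rotation = deque(queues)            # requesters with pending work
    worst: Dict[str, int] = defaultdict(int)
    clock = 0
    while rotation:
        who = rotation.popleft()
        arrived = queues[who].popleft()
        start = max(clock, arrived)
        worst[who] = max(worst[who], start - arrived)
        clock = start + service_time
        if queues[who]:                  # re-join the rotation only if work remains
            rotation.append(who)
    return dict(worst)


def flood_scenario(flood_size: int = 50) -> Dict[str, Dict[str, int]]:
    """Constructed load: 'mallory' submits flood_size requests, 'alice' submits one,
    all at time 0 with mallory's ahead in arrival order."""
    requests = [("mallory", 0)] * flood_size + [("alice", 0)]
    return {"fifo": serve_fifo(requests), "round_robin": serve_round_robin(requests)}


if __name__ == "__main__":
    for policy, waits in flood_scenario().items():
        print(policy, waits)
```

Under FIFO the flooder's fifty requests delay the single legitimate request by fifty service units; under round-robin it is served second, and the flooder's own last request is what waits longest. Round-robin does not add capacity, so the flood still costs something, but it changes who pays: the source of the load rather than everyone else. That is the reasoning behind per-client rate limits and fair queueing in front of servers exposed to denial-of-service traffic.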

FIGURE 1-7 Availability and Related Aspects

A person or system can do three basic things with a data item: view it, modify it, or use it. Thus, viewing (confidentiality), modifying (integrity), and using (availability) are the basic modes of access that computer security seeks to preserve.

Computer security seeks to prevent unauthorized viewing (confidentiality) or modification (integrity) of data while preserving access (availability).

A paradigm of computer security is access control: To implement a policy, computer security controls all accesses by all subjects to all protected objects in all modes of access. A small, centralized control of access is fundamental to preserving confidentiality and integrity, but it is not clear that a single access control point can enforce availability. Indeed, experts on dependability will note that single points of control can become single points of failure, making it easy for an attacker to destroy availability by disabling the single control point. Much of computer security's past success has focused on confidentiality and integrity; there are models of confidentiality and integrity, for example, see David Bell and Leonard La Padula [BEL73, BEL76] and Kenneth Biba [BIB77]. Availability is security's next great challenge.

We have just described the C-I-A triad and the three fundamental security properties it represents. Our description of these properties was in the context of things that need protection. To motivate your understanding we gave some examples of harm and threats to cause harm. Our next step is to think about the nature of threats themselves.

Types of Threats

For some ideas of harm, look at Figure 1-8, taken from Willis Ware's report [WAR70]. Although it was written when computers were so big, so expensive, and so difficult to operate that only large organizations like universities, major corporations, or government departments would have one, Ware's discussion is still instructive today. Ware was concerned primarily with the protection of classified data, that is, preserving confidentiality. In the figure, he depicts humans such as programmers and maintenance staff gaining access to data, as well as radiation by which data can escape as signals. From the figure you can see some of the many kinds of threats to a computer system.

FIGURE 1-8 Computer [Network] Vulnerabilities (from [WAR70])

    Onewaytoanalyzeharmistoconsiderthecauseorsource.Wecallapotentialcauseofharmathreat.Harmcanbecausedbyeithernonhumaneventsorhumans.Examplesofnonhumanthreatsincludenaturaldisasterslikefiresorfloods;lossofelectricalpower;failureofacomponentsuchasacommunicationscable,processorchip,ordiskdrive;orattackbyawildboar.

    Threatsarecausedbothbyhumanandothersources.

    Humanthreatscanbeeitherbenign(nonmalicious)ormalicious.Nonmaliciouskindsofharmincludesomeonesaccidentallyspillingasoftdrinkona laptop,unintentionallydeletingtext,inadvertentlysendinganemailmessagetothewrongperson,andcarelesslytyping12 insteadof21whenenteringaphonenumberorclickingyes insteadofnotooverwriteafile.Theseinadvertent,humanerrorshappentomostpeople;wejusthope that theseriousnessofharmisnot toogreat,or if it is, thatwewillnot repeat themistake.

    Threatscanbemaliciousornot.

    Most computer security activity relates to malicious, human-caused harm: A

  • maliciouspersonactuallywantstocauseharm,andsoweoftenusethetermattackforamalicious computer security event. Malicious attacks can be random or directed. In arandom attack the attacker wants to harm any computer or user; such an attack isanalogous toaccosting thenextpedestrianwhowalksdownthestreet.Anexampleofarandomattackismaliciouscodepostedonawebsitethatcouldbevisitedbyanybody.

    Inadirectedattack, the attacker intendsharm to specific computers, perhaps at oneorganization (thinkofattacksagainst apoliticalorganization)orbelonging toa specificindividual (think of trying to drain a specific persons bank account, for example, byimpersonation).Another class of directed attack is against a particular product, such asanycomputerrunningaparticularbrowser.(Wedonotwanttosplithairsaboutwhethersuchanattackisdirectedatthatonesoftwareproductorrandom,againstanyuserofthatproduct; thepoint isnotsemanticperfectionbutprotectingagainst theattacks.)Therangeof possible directed attacks is practically unlimited.Different kindsof threats areshowninFigure1-9.

    FIGURE1-9KindsofThreats

    Threatscanbetargetedorrandom.

    AlthoughthedistinctionsshowninFigure1-9seemclear-cut,sometimesthenatureofan attack is not obvious until the attack is well underway, or perhaps even ended. Anormal hardware failure can seem like a directed,malicious attack to deny access, andhackers often try to conceal their activity to look like ordinary, authorized users. Ascomputersecurityexpertsweneedtoanticipatewhatbadthingsmighthappen,insteadofwaitingfortheattacktohappenordebatingwhethertheattackisintentionaloraccidental.

  • Neitherthisbooknoranychecklistormethodcanshowyouallthekindsofharmthatcan happen to computer assets. There are toomanyways to interferewith your use oftheseassets.Tworetrospectivelistsofknownvulnerabilitiesareofinterest,however.TheCommon Vulnerabilities and Exposures (CVE) list (see http://cve.mitre.org/) is adictionary of publicly known security vulnerabilities and exposures. CVEs commonidentifiersenabledataexchangebetweensecurityproductsandprovideabaseline indexpoint for evaluating coverage of security tools and services. To measure the extent ofharm, the Common Vulnerability Scoring System (CVSS) (seehttp://nvd.nist.gov/cvss.cfm)providesastandardmeasurementsystemthatallowsaccurateandconsistentscoringofvulnerabilityimpact.

Advanced Persistent Threat

Security experts are becoming increasingly concerned about a type of threat called advanced persistent threat. A lone attacker might create a random attack that snares a few, or a few million, individuals, but the resulting impact is limited to what that single attacker can organize and manage. A collection of attackers (think, for example, of the cyber equivalent of a street gang or an organized crime squad) might work together to purloin credit card numbers or similar financial assets to fund other illegal activity. Such attackers tend to be opportunistic, picking unlucky victims' pockets and moving on to other activities.

Advanced persistent threat attacks come from organized, well financed, patient assailants. Often affiliated with governments or quasi-governmental groups, these attackers engage in long term campaigns. They carefully select their targets, crafting attacks that appeal specifically to those targets; email messages called spear phishing (described in Chapter 4) are intended to seduce their recipients. Typically the attacks are silent, avoiding any obvious impact that would alert a victim, thereby allowing the attacker to exploit the victim's access rights over a long time.

The motive of such attacks is sometimes unclear. One popular objective is economic espionage. A series of attacks, apparently organized and supported by the Chinese government, was used in 2012 and 2013 to obtain product designs from aerospace companies in the United States. There is evidence the stub of the attack code was loaded into victim machines long in advance of the attack; then, the attackers installed the more complex code and extracted the desired data. In May 2014 the Justice Department indicted five Chinese hackers in absentia for these attacks.

In the summer of 2014 a series of attacks against J.P. Morgan Chase bank and up to a dozen similar financial institutions allowed the assailants access to 76 million names, phone numbers, and email addresses. The attackers (and even their country of origin) remain unknown, as does the motive. Perhaps the attackers wanted more sensitive financial data, such as account numbers or passwords, but were only able to get the less valuable contact information. It is also not known if this attack was related to an attack a year earlier that disrupted service to that bank and several others.

To imagine the full landscape of possible attacks, you may find it useful to consider the kinds of people who attack computer systems. Although potentially anyone is an attacker, certain classes of people stand out because of their backgrounds or objectives. Thus, in the following sections we look at profiles of some classes of attackers.

Types of Attackers

Who are attackers? As we have seen, their motivations range from chance to a specific target. Putting aside attacks from natural and benign causes, we can explore who the attackers are and what motivates them.

Most studies of attackers actually analyze computer criminals, that is, people who have actually been convicted of a crime, primarily because that group is easy to identify and study. The ones who got away or who carried off an attack without being detected may have characteristics different from those of the criminals who have been caught. Worse, by studying only the criminals we have caught, we may not learn how to catch attackers who know how to abuse the system without being apprehended.

What does a cyber criminal look like? In television and films the villains wore shabby clothes, looked mean and sinister, and lived in gangs somewhere out of town. By contrast, the sheriff dressed well, stood proud and tall, was known and respected by everyone in town, and struck fear in the hearts of most criminals.

To be sure, some computer criminals are mean and sinister types. But many more wear business suits, have university degrees, and appear to be pillars of their communities. Some are high school or university students. Others are middle-aged business executives. Some are mentally deranged, overtly hostile, or extremely committed to a cause, and they attack computers as a symbol. Others are ordinary people tempted by personal profit, revenge, challenge, advancement, or job security, like perpetrators of any crime, using a computer or not. Researchers have tried to find the psychological traits that distinguish attackers, as described in Sidebar 1-1. These studies are far from conclusive, however, and the traits they identify may show correlation but not necessarily causality. To appreciate this point, suppose a study found that a disproportionate number of people convicted of computer crime were left-handed. Does that result imply that all left-handed people are computer criminals or that only left-handed people are? Certainly not. No single profile captures the characteristics of a typical computer attacker, and the characteristics of some notorious attackers also match many people who are not attackers. As shown in Figure 1-10, attackers look just like anybody in a crowd.

FIGURE 1-10 Attackers

No one pattern matches all attackers.

Sidebar 1-1 An Attacker's Psychological Profile?

Temple Grandin, a professor of animal science at Colorado State University and a sufferer from a mental disorder called Asperger syndrome (AS), thinks that Kevin Mitnick and several other widely described hackers show classic symptoms of Asperger syndrome. Although quick to point out that no research has established a link between AS and hacking, Grandin notes similar behavior traits among Mitnick, herself, and other AS sufferers. An article in USA Today (29 March 2001) lists the following AS traits:

• poor social skills, often associated with being loners during childhood; the classic "computer nerd"
• fidgeting, restlessness, inability to make eye contact, lack of response to cues in social interaction, such as facial expressions or body language
• exceptional ability to remember long strings of numbers
• ability to focus on a technical problem intensely and for a long time, although easily distracted on other problems and unable to manage several tasks at once
• deep honesty and respect for laws

Donn Parker [PAR98] has studied hacking and computer crime for many years. He states "hackers are characterized by an immature, excessively idealistic attitude ... They delight in presenting themselves to the media as idealistic do-gooders, champions of the underdog."

Consider the following excerpt from an interview [SHA00] with Mixter, the German programmer who admitted he was the author of a widespread piece of attack software called Tribe Flood Network (TFN) and its sequel TFN2K:

Q: Why did you write the software?

A: I first heard about Trin00 [another piece of attack software] in July '99 and I considered it as interesting from a technical perspective, but also potentially powerful in a negative way. I knew some facts of how Trin00 worked, and since I didn't manage to get Trin00 sources or binaries at that time, I wrote my own server-client network that was capable of performing denial of service.

Q: Were you involved in any of the recent high-profile attacks?

A: No. The fact that I authored these tools does in no way mean that I condone their active use. I must admit I was quite shocked to hear about the latest attacks. It seems that the attackers are pretty clueless people who misuse powerful resources and tools for generally harmful and senseless activities just because they can.

Notice that from some information about denial-of-service attacks, he wrote his own server-client network and then a sophisticated attack. But he was "quite shocked" to hear they were used for harm.

More research is needed before we can define the profile of a hacker. And even more work will be needed to extend that profile to the profile of a (malicious) attacker. Not all hackers become attackers; some hackers become extremely dedicated and conscientious system administrators, developers, or security experts. But some psychologists see in AS the rudiments of a hacker's profile.

Individuals

Originally, computer attackers were individuals, acting with motives of fun, challenge, or revenge. Early attackers acted alone. Two of the most well known among them are Robert Morris Jr., the Cornell University graduate student whose worm brought down much of the Internet in 1988 [SPA89], and Kevin Mitnick, the man who broke into and stole data from dozens of computers, including the San Diego Supercomputer Center [MAR95].

Organized, Worldwide Groups

More recent attacks have involved groups of people. An attack against the government of the country of Estonia (described in more detail in Chapter 13) is believed to have been an uncoordinated outburst from a loose federation of attackers from around the world. Kevin Poulsen [POU05] quotes Tim Rosenberg, a research professor at George Washington University, warning of "multinational groups of hackers backed by organized crime" and showing the sophistication of prohibition-era mobsters. He also reports that Christopher Painter, deputy director of the U.S. Department of Justice's computer crime section, argues that cyber criminals and serious fraud artists are increasingly working in concert or are one and the same. According to Painter, loosely connected groups of criminals all over the world work together to break into systems and steal and sell information, such as credit card numbers. For instance, in October 2004, U.S. and Canadian authorities arrested 28 people from 6 countries involved in an international, organized cybercrime ring to buy and sell credit card information and identities.

Whereas early motives for computer attackers such as Morris and Mitnick were personal, such as prestige or accomplishment, recent attacks have been heavily influenced by financial gain. Security firm McAfee reports "Criminals have realized the huge financial gains to be made from the Internet with little risk. They bring the skills, knowledge, and connections needed for large scale, high-value criminal enterprise that, when combined with computer skills, expand the scope and risk of cybercrime." [MCA05]

Organized Crime

Attackers' goals include fraud, extortion, money laundering, and drug trafficking, areas in which organized crime has a well-established presence. Evidence is growing that organized crime groups are engaging in computer crime. In fact, traditional criminals are recruiting hackers to join the lucrative world of cybercrime. For example, Albert Gonzalez was sentenced in March 2010 to 20 years in prison for working with a crime ring to steal 40 million credit card numbers from retailer TJ Maxx and others, costing over $200 million (Reuters, 26 March 2010).

Organized crime may use computer crime (such as stealing credit card numbers or bank account details) to finance other aspects of crime. Recent attacks suggest that professional criminals have discovered just how lucrative computer crime can be. Mike Danseglio, a security project manager with Microsoft, said, "In 2006, the attackers want to pay the rent. They don't want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money." [NAR06a] Mikko Hyppönen, Chief Research Officer with Finnish security company F-Secure, agrees that today's attacks often come from Russia, Asia, and Brazil; the motive is now profit, not fame [BRA06]. Ken Dunham, Director of the Rapid Response Team for VeriSign, says he is "convinced that groups of well-organized mobsters have taken control of a global billion-dollar crime network powered by skillful hackers." [NAR06b]

Organized crime groups are discovering that computer crime can be lucrative.

McAfee also describes the case of a hacker-for-hire: a businessman who hired a 16-year-old New Jersey hacker to attack the websites of his competitors. The hacker barraged the sites for a five-month period and damaged not only the target companies but also their Internet service providers (ISPs) and other unrelated companies that used the same ISPs. By FBI estimates, the attacks cost all the companies over $2 million; the FBI arrested both hacker and businessman in March 2005 [MCA05].

Brian Snow [SNO05] observes that hackers want a score or some kind of evidence to give them bragging rights. Organized crime wants a resource; such criminals want to stay under the radar to be able to extract profit from the system over time. These different objectives lead to different approaches to computer crime: The novice hacker can use a crude attack, whereas the professional attacker wants a neat, robust, and undetectable method that can deliver rewards for a long time.

Terrorists

The link between computer security and terrorism is quite evident. We see terrorists using computers in four ways:

• Computer as target of attack: Denial-of-service attacks and website defacements are popular activities for any political organization because they attract attention to the cause and bring undesired negative attention to the object of the attack. An example is the massive denial-of-service attack launched against the country of Estonia, detailed in Chapter 13.
• Computer as method of attack: Launching offensive attacks requires the use of computers. Stuxnet, an example of malicious computer code called a worm, is known to attack automated control systems, specifically a model of control system manufactured by Siemens. Experts say the code was designed to sabotage machinery in Iran's nuclear program [MAR10]. The persons behind the attack are unknown, but the infection is believed to have spread through USB flash drives brought in by engineers maintaining the computer controllers. (We examine the Stuxnet worm in more detail in Chapters 6 and 13.)
• Computer as enabler of attack: Websites, web logs, and email lists are effective, fast, and inexpensive ways to allow many people to coordinate. According to the Council on Foreign Relations, the terrorists responsible for the November 2008 attack that killed over 200 people in Mumbai used GPS systems to guide their boats, BlackBerry devices for their communication, and Google Earth to plot their routes.
• Computer as enhancer of attack: The Internet has proved to be an invaluable means for terrorists to spread propaganda and recruit agents. In October 2009 the FBI arrested Colleen LaRose, also known as Jihad Jane, after she had spent months using email, YouTube, MySpace, and electronic message boards to recruit radicals in Europe and South Asia to wage violent jihad, according to a federal indictment.

We cannot accurately measure the degree to which terrorists use computers, because terrorists keep secret the nature of their activities and because our definitions and measurement tools are rather weak. Still, incidents like the one described in Sidebar 1-2 provide evidence that all four of these activities are increasing.

Sidebar 1-2 The Terrorists, Inc., IT Department

In 2001, a reporter for the Wall Street Journal bought a used computer in Afghanistan. Much to his surprise, he found that the hard drive contained what appeared to be files from a senior al Qaeda operative. The reporter, Alan Cullison [CUL04], reports that he turned the computer over to the FBI. In his story published in 2004 in The Atlantic, he carefully avoids revealing anything he thinks might be sensitive.

The disk contained over 1,000 documents, many of them encrypted with relatively weak encryption. Cullison found draft mission plans and white papers setting forth ideological and philosophical arguments for the attacks of 11 September 2001. Also found were copies of news stories on terrorist activities. Some of the found documents indicated that al Qaeda was not originally interested in chemical, biological, or nuclear weapons, but became interested after reading public news articles accusing al Qaeda of having those capabilities.

Perhaps most unexpected were email messages of the kind one would find in a typical office: recommendations for promotions, justifications for petty cash expenditures, and arguments concerning budgets.

The computer appears to have been used by al Qaeda from 1999 to 2001. Cullison notes that Afghanistan in late 2001 was a scene of chaos, and it is likely the laptop's owner fled quickly, leaving the computer behind, where it fell into the hands of a secondhand goods merchant who did not know its contents.

But this computer's contents illustrate an important aspect of computer security and confidentiality: We can never predict the time at which a security disaster will strike, and thus we must always be prepared to act immediately if it suddenly happens.

If someone on television sneezes, you do not worry about the possibility of catching a cold. But if someone standing next to you sneezes, you may become concerned. In the next section we examine the harm that can come from the presence of a computer security threat on your own computer systems.

1.3 Harm

The negative consequence of an actualized threat is harm; we protect ourselves against threats in order to reduce or eliminate harm. We have already described many examples of computer harm: a stolen computer, modified or lost file, revealed private letter, or denied access to data. These events cause harm that we want to avoid.

In our earlier discussion of assets, we noted that value depends on owner or outsider perception and need. Some aspects of value are immeasurable, such as the value of the paper you need to submit to your professor tomorrow; if you lose the paper (that is, if its availability is lost), no amount of money will compensate you for it. Items on which you place little or no value might be more valuable to someone else; for example, the group photograph taken at last night's party can reveal that your friend was not where he told his wife he would be. Even though it may be difficult to assign a specific number as the value of an asset, you can usually assign a value on a generic scale, such as moderate or minuscule or incredibly high, depending on the degree of harm that loss or damage to the object would cause. Or you can assign a value relative to other assets, based on comparable loss: This version of the file is more valuable to you than that version.

In their 2010 global Internet threat report, security firm Symantec surveyed the kinds of goods and services offered for sale on underground web pages. The item most frequently offered in both 2009 and 2008 was credit card numbers, at prices ranging from $0.85 to $30.00 each. (Compare those prices to an individual's effort to deal with the effect of a stolen credit card or the potential amount lost by the issuing bank.) Second most frequent was bank account credentials, at $15 to $850; these were offered for sale at 19% of websites in both years. Email accounts were next at $1 to $20, and lists of email addresses went for $1.70 to $15.00 per thousand. At position 10 in 2009 were website administration credentials, costing only $2 to $30. These black market websites demonstrate that the market price of computer assets can be dramatically different from their value to rightful owners.

The value of many assets can change over time, so the degree of harm (and therefore the severity of a threat) can change, too. With unlimited time, money, and capability, we might try to protect against all kinds of harm. But because our resources are limited, we must prioritize our protection, safeguarding only against serious threats and the ones we can control. Choosing the threats we try to mitigate involves a process called risk management, and it includes weighing the seriousness of a threat against our ability to protect.

Risk management involves choosing which threats to control and what resources to devote to protection.

Risk and Common Sense

The number and kinds of threats are practically unlimited because devising an attack requires an active imagination, determination, persistence, and time (as well as access and resources). The nature and number of threats in the computer world reflect life in general: The causes of harm are limitless and largely unpredictable. Natural disasters like volcanoes and earthquakes happen with little or no warning, as do auto accidents, heart attacks, influenza, and random acts of violence. To protect against accidents or the flu, you might decide to stay indoors, never venturing outside. But by doing so, you trade one set of risks for another; while you are inside, you are vulnerable to building collapse. There are too many possible causes of harm for us to protect ourselves (or our computers) completely against all of them.

In real life we make decisions every day about the best way to provide our security. For example, although we may choose to live in an area that is not prone to earthquakes, we cannot entirely eliminate earthquake risk. Some choices are conscious, such as deciding not to walk down a dark alley in an unsafe neighborhood; other times our subconscious guides us, from experience or expertise, to take some precaution. We evaluate the likelihood and severity of harm, and then consider ways (called countermeasures or controls) to address threats and determine the controls' effectiveness.

Computer security is similar. Because we cannot protect against everything, we prioritize: Only so much time, energy, or money is available for protection, so we address some risks and let others slide. Or we consider alternative courses of action, such as transferring risk by purchasing insurance or even doing nothing if the side effects of the countermeasure could be worse than the possible harm. The risk that remains uncovered by controls is called residual risk.

A basic model of risk management involves a user's calculating the value of all assets, determining the amount of harm from all possible threats, computing the costs of protection, selecting safeguards (that is, controls or countermeasures) based on the degree of risk and on limited resources, and applying the safeguards to optimize harm averted. This approach to risk management is a logical and sensible approach to protection, but it has significant drawbacks. In reality, it is difficult to assess the value of each asset; as we have seen, value can change depending on context, timing, and a host of other characteristics. Even harder is determining the impact of all possible threats. The range of possible threats is effectively limitless, and it is difficult (if not impossible in some situations) to know the short- and long-term impacts of an action. For instance, Sidebar 1-3 describes a study of the impact of security breaches over time on corporate finances, showing that a threat must be evaluated over time, not just at a single instance.
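The risk-management model just described, carried through as an added example that is not part of the book. Harm is expressed as annualized loss expectancy (asset value, times the fraction lost per event, times expected events per year); each safeguard averts a stated fraction of a threat's loss at an annual cost; and the selection step chooses the subset of safeguards that maximizes harm averted net of cost within a budget. Every figure in it is constructed for the illustration.

```python
"""The basic risk-management model of the paragraph above, carried through in code.

Added example, not code from the book.  Asset values, threat likelihoods and
safeguard costs are constructed for the illustration; supplying real ones is
exactly the hard part the text warns about.  Loss is measured as annualized
loss expectancy (asset value x fraction lost per event x events per year);
the selection step maximizes harm averted minus safeguard cost within a budget.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Mapping, Sequence, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    events_per_year: float   # expected occurrences (annual rate of occurrence)
    fraction_lost: float     # share of the asset's value lost per occurrence


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    averts: Mapping[str, float]   # threat name -> fraction of that loss it prevents


def annual_loss(t: Threat, assets: Mapping[str, float]) -> float:
    return assets[t.asset] * t.fraction_lost * t.events_per_year


def residual_loss(threats, assets, chosen: Sequence[Safeguard] = ()) -> float:
    """Expected annual loss that remains after the chosen safeguards are applied.

    Overlapping safeguards compose multiplicatively: two that each avert half of a
    loss leave a quarter of it, not none of it.  What is left is the residual risk.
    """
    total = 0.0
    for t in threats:
        remaining = 1.0
        for s in chosen:
            remaining *= 1.0 - s.averts.get(t.name, 0.0)
        total += annual_loss(t, assets) * remaining
    return total


def select_safeguards(threats, assets, candidates, budget) -> Tuple[Tuple[Safeguard, ...], float]:
    """Exhaustive search over subsets (fine for a handful of candidates).

    Returns the subset with the best net benefit (harm averted minus cost) that
    fits the budget, and that benefit.  Doing nothing is the starting point, so a
    safeguard that costs more than it saves is never selected.
    """
    baseline = residual_loss(threats, assets)
    best, best_net = (), 0.0
    for k in range(1, len(candidates) + 1):
        for subset in combinations(candidates, k):
            cost = sum(s.annual_cost for s in subset)
            if cost > budget:
                continue
            net = baseline - residual_loss(threats, assets, subset) - cost
            if net > best_net:
                best, best_net = subset, net
    return best, best_net


# Constructed inputs for the example (not real figures).
ASSETS = {"customer_db": 500_000.0, "web_server": 120_000.0, "laptop": 3_000.0}
THREATS = (
    Threat("db_breach", "customer_db", events_per_year=0.1, fraction_lost=0.8),
    Threat("web_dos", "web_server", events_per_year=2.0, fraction_lost=0.05),
    Threat("laptop_theft", "laptop", events_per_year=0.5, fraction_lost=1.0),
)
CANDIDATES = (
    Safeguard("db_encryption", 9_000.0, {"db_breach": 0.7}),
    Safeguard("ddos_filtering", 20_000.0, {"web_dos": 0.9}),
    Safeguard("laptop_disk_encryption", 200.0, {"laptop_theft": 0.9}),
    Safeguard("monitoring", 8_000.0, {"db_breach": 0.5, "web_dos": 0.5}),
)

if __name__ == "__main__":
    chosen, net = select_safeguards(THREATS, ASSETS, CANDIDATES, budget=30_000.0)
    print("baseline annual loss:", round(residual_loss(THREATS, ASSETS)))
    print("selected:", [s.name for s in chosen], "net benefit:", round(net))
    print("residual risk:", round(residual_loss(THREATS, ASSETS, chosen)))
```

With a 30,000 budget the search picks database encryption, monitoring and laptop disk encryption, leaving a residual risk of about 12,150 per year; DDoS filtering is never chosen because it costs more than the harm it averts, which is the text's "doing nothing" option for that threat. Lower the budget to 12,000 and monitoring drops out. The model also exposes the drawback the paragraph names: change one likelihood estimate and the chosen set can flip, and those estimates are the inputs we are least able to measure.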

Sidebar 1-3 Short- and Long-term Risks of Security Breaches

It was long assumed that security breaches would be bad for business: that customers, fearful of losing their data, would veer away from insecure businesses and toward more secure ones. But empirical studies suggest that the picture is more complicated. Early studies of the effects of security breaches, such as that of Campbell [CAM03], examined the effects of breaches on stock price. They found that a breach's impact could depend on the nature of the breach itself; the effects were higher when the breach involved unauthorized access to confidential data. Cavusoglu et al. [CAV04] discovered that a breach affects the value not only of the company experiencing the breach but also of security enterprises: On average, the breached firms lost 2.1 percent of market value within two days of the breach's disclosure, but security developers' market value actually increased 1.36 percent.

Myung Ko and Carlos Dorantes [KO06] looked at the longer-term financial effects of publicly announced breaches. Based on the Campbell et al. study, they examined data for four quarters following the announcement of unauthorized access to confidential data. Ko and Dorantes note many types of possible breach-related costs:

Examples of short-term costs inclu