ebook img

Corporate Computer Security PDF

674 Pages·2014·25.669 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Corporate Computer Security

OTHeR MiS TiTLeS OF iNTeReST Introductory MIS: SyStEMS AnAlySIS And dESIgn: Managing Information technology, 7/e Modern Systems Analysis and design, 7/e Brown, DeHayes, Hoffer, Martin & Perkins ©2012 Hoffer, George & Valacich ©2014 SharePoint for Students Systems Analysis and design, 9/e Cole, Fox & Kroenke ©2012 Kendall & Kendall ©2014 Experiencing MIS, 5/e Essentials of Systems Analysis and design, 6/e Kroenke ©2015 Valacich, George & Hoffer ©2015 using MIS, 7/e dEcISIon SuPPort SyStEMS: Kroenke ©2015 business Intelligence, 3/e MIS Essentials, 4/e Sharda, Delen & Turban ©2014 Kroenke ©2015 decision Support and business Intelligence Management Information Systems, 13/e Systems, 10/e Laudon & Laudon ©2014 Sharda, Delen & Turban ©2014 Essentials of Management Information dAtA coMMunIcAtIonS & nEtWorkIng: Systems, 11/e Applied networking labs, 2/e Laudon & Laudon ©2015 Boyle ©2014 It Strategy, 3/e digital business networks McKeen & Smith ©2015 Dooley ©2014 Processes, Systems, and Information: An business driven data communications Introduction to MIS, 2/e Gendron ©2013 McKinney & Kroenke ©2015 business data networks and Security, 10/e Essentials of Processes, Systems and Information: Panko & Panko ©2015 With SAP tutorials ElEctronIc coMMErcE: McKinney & Kroenke ©2014 E-commerce: business, technology, Society, 11/e Information Systems today, 6/e Laudon & Traver ©2015 Valacich & Schneider ©2014 E-commerce Essentials Introduction to Information Systems, 2/e Laudon & Traver ©2014 Wallace ©2015 Electronic commerce 2012 dAtAbASE: Turban, King, Lee, Liang & Turban ©2012 Hands-on database, 2/e EntErPrISE rESourcE PlAnnIng: Conger ©2014 Enterprise Systems for Management, 2/e Modern database Management, 11/e Motiwalla & Thompson ©2012 Hoffer, Ramesh & Topi ©2013 ProjEct MAnAgEMEnt: database Systems: Introduction to databases and data Warehouses Project Management: Process, technology and Jukic, Vrbsky & Nestorov ©2014 Practice Vaidyanathan ©2013 Essentials of database Management Hoffer, Topi & Ramesh ©2014 SEcurIty: database concepts, 7/e Applied Information Security, 2/e Kroenke & Auer ©2015 Boyle ©2014 database Processing, 13/e corporate computer Security, 3/e Kroenke & Auer ©2014 Boyle & Panko ©2013 Fourth Edition Corporate Computer Security Randall J. Boyle Longwood University Raymond R. Panko - University of Hawai`i at M anoa Boston Columbus Indianapolis New York San Francisco Upper Saddle River Amsterdam Cape Town Dubai London Madrid Milan Munich Paris Montréal Toronto Delhi Mexico City São Paulo Sydney Hong Kong Seoul Singapore Taipei Tokyo To Courtney Boyle, thank you for your patience, kindness, and perspective on what’s most important in life. —Randy Boyle To Julia Panko, my long-time networking and security editor and one of the best technology minds I’ve ever encountered. —Ray Panko Editor in Chief: Stephanie Wall Creative Director: Jayne Conte Executive Editor: Bob Horan Cover Designer: Bruce Kenselaar Program Manager Team Lead: Ashley Santora Digital Production Project Manager: Lisa Rinaldi Program Manager: Denise Vaughn Full-Service Project Management: Prabhu Chinnasamy, Integra Director of Marketing: Maggie Moylan Software Services Pvt. Ltd. Executive Marketing Manager: Anne Fahlgren Printer/Binder: Courier/Westford Project Manager Team Lead: Judy Leale Cover Printer: Lehigh-Phoenix Project Manager: Tom Benfatti Text Font: Times, 10/12 Operations Specialist: Michelle Klein Credits and acknowledgments borrowed from other sources and reproduced, with permission, in this textbook appear on the appropriate page within text. Microsoft and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published as part of the services for any purpose. All such documents and related graphics are provided “as is” without warranty of any kind. Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all warranties and conditions of merchantability, whether express, implied or statutory, fitness for a particular purpose, title and non-infringement. In no event shall Microsoft and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from the services. The documents and related graphics contained herein could include technical inaccuracies or typographical errors. Changes are p eriodically added to the information herein. Microsoft and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time. Partial screen shots may be viewed in full within the software version specified. Microsoft® Windows®, and Microsoft Office® are registered trademarks of the Microsoft Corporation in the U.S.A. and other countries. This book is not sponsored or endorsed by or affiliated with the Microsoft Corporation. Copyright © 2015, 2013, 2010, 2004 by Pearson Education, Inc., One Lake Street, Upper Saddle River, New Jersey 07458. All rights reserved. Manufactured in the United States of America. This publication is protected by Copyright, and permission should be ob- tained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. To obtain permission(s) to use material from this work, please submit a written request to Pearson Education, Inc., Permissions Department, One Lake Street, Upper Saddle River, New Jersey 07458, or you may fax your request to 201-236-3290. Many of the designations by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed in initial caps or all caps. Library of Congress Cataloging-in-Publication Data on File 10 9 8 7 6 5 4 3 2 1 ISBN 10: 0-13-354519-9 ISBN 13: 978-0-13-354519-7 ContentS Preface xix About the Authors xxv Chapter 1 The Threat Environment 1 Social Engineering in Malware 23 1.1 Introduction 2 Spam 24 phiShinG 24 Basic Security Terminology 2 The ThreaT environmenT 2 Spear phiShinG 26 SecuriTy GoalS 3 hoaxeS 27 compromiSeS 3 1.4 Hackers And Attacks 27 counTermeaSureS 3 Traditional Motives 27 1.2 Employee And Ex-Employee Anatomy of a Hack 28 Threats 9 TarGeT SelecTion 28 Why Employees Are Dangerous 9 reconnaiSSance probeS 29 Employee Sabotage 11 The exploiT 30 Employee Hacking 12 SpoofinG 30 Employee Financial Theft and Theft of Social Engineering in an Attack 31 Intellectual Property 12 Denial-of-Service Attacks 33 Employee Extortion 13 Skill Levels 35 Employee Sexual or Racial 1.5 The Criminal Era 36 Harassment 14 Dominance by Career Criminals 36 Employee Computer and Internet cybercrime 36 Abuse 14 inTernaTional GanGS 37 inTerneT abuSe 14 black markeTS anD markeT non-inTerneT compuTer abuSe 15 SpecializaTion 38 Data Loss 15 Fraud, Theft, and Extortion 41 Other “Internal” Attackers 16 frauD 41 1.3 Malware 16 financial anD inTellecTual properTy Malware Writers 16 ThefT 41 Viruses 16 exTorTion aGainST corporaTionS 42 Stealing Sensitive Data about Worms 18 Customers and Employees 43 Blended Threats 20 carDinG 43 Payloads 20 bank accounT ThefT 43 Trojan Horses and Rootkits 20 online STock accounT ThefT 43 nonmobile malware 20 iDenTiTy ThefT 43 Trojan horSeS 21 The corporaTe connecTion 44 remoTe acceSS TrojanS 21 corporaTe iDenTiTy ThefT 44 DownloaDerS 22 1.6 Competitor Threats 45 Spyware 22 rooTkiTS 23 Commercial Espionage 45 Mobile Code 23 Denial-of-Service Attacks 46 iii iv Contents 1.7 Cyberwar And Cyberterror 47 2.3 Organization 72 Cyberwar 47 Chief Security Officers 72 Cyberterror 48 Should You Place Security 1.8 Conclusion 49 within IT? 72 Thought Questions 50  •  Hands- locaTinG SecuriTy wiThin iT 72 on Projects 51  •  Project placinG SecuriTy ouTSiDe iT 74 Thought Questions 52  •  Case a hybriD SoluTion 74 Study 52  •  Case Discussion Top Management Support 74 Questions 53  •  Perspective Relationships with Other Questions 53 Departments 75 Special relaTionShipS 75 Chapter 2 Planning and Policy 54 all corporaTe DeparTmenTS 75 buSineSS parTnerS 76 2.1 Introduction 55 Outsourcing IT Security 76 Defense 55 e-mail ouTSourcinG 76 Management Processes 56 manaGeD SecuriTy Service manaGemenT iS The harD parT 56 proviDer 79 comprehenSive SecuriTy 56 2.4 Risk Analysis 81 weakeST-linkS failureS 56 Reasonable Risk 81 The neeD To proTecT many reSourceS 57 Classic Risk Analysis Calculations 82 The Need for a Disciplined Security Management Process 58 aSSeT value 82 expoSure facTor 82 The Plan–Protect–Respond SinGle loSS expecTancy 82 Cycle 59 annualizeD probabiliTy (or raTe) of planninG 59 occurrence 82 proTecTion 59 annualizeD loSS expecTancy 83 reSponSe 60 counTermeaSure impacT 83 Vision in Planning 61 annualizeD counTermeaSure coST anD viewinG SecuriTy aS an enabler 61 neT value 83 DevelopinG poSiTive viSionS of Problems with Classic Risk Analysis uSerS 63 Calculations 85 Strategic IT Security Planning 63 uneven mulTiyear caSh flowS 85 2.2 Compliance Laws and ToTal coST of inciDenT 85 Regulations 64 many-To-many relaTionShipS Driving Forces 64 beTween counTermeaSureS anD reSourceS 86 Sarbanes–Oxley 65 The impoSSibiliTy of compuTinG Privacy Protection Laws 67 annualizeD raTeS of Data Breach Notification occurrence 87 Laws 70 The problem wiTh “harD-heaDeD ThinkinG” 87 The Federal Trade Commission 70 perSpecTive 88 Industry Accreditation 71 Responding to Risk 88 PCI-DSS 71 riSk reDucTion 88 FISMA 71 riSk accepTance 88 Contents v riSk TranSference (inSurance) 88 accounTabiliTy 101 riSk avoiDance 88 eThicS 102 2.5 Technical Security Architecture 89 Exception Handling 103 Technical Security Architectures 89 Oversight 104 archiTecTural DeciSionS 90 policieS anD overSiGhT 104 DealinG wiTh leGacy SecuriTy promulGaTion 105 TechnoloGy 90 elecTronic moniTorinG 105 Principles 90 SecuriTy meTricS 105 auDiTinG 106 DefenSe in DepTh 90 anonymouS proTecTeD hoTline 106 DefenSe in DepTh verSuS weakeST linkS 90 behavioral awareneSS 108 frauD 108 SinGle poinTS of vulnerabiliTy 91 SancTionS 109 minimizinG SecuriTy burDenS 92 2.7 Governance Frameworks 110 realiSTic GoalS 92 COSO 111 Elements of a Technical Security Architecture 92 The coSo framework 111 borDer manaGemenT 93 objecTiveS 112 reaSonable aSSurance 112 inTernal SiTe SecuriTy manaGemenT 93 coso framework componenTS 112 manaGemenT of remoTe CobiT 113 connecTionS 93 The cobit framework 114 inTerorGanizaTional SySTemS 93 Dominance in The uniTeD STaTeS 114 cenTralizeD SecuriTy manaGemenT 93 The ISO/IEC 27000 Family 115 2.6 Policy-Driven Implementation 93 Iso/IEc 27002 115 Iso/IEc 27001 116 Policies 94 oTher 27000 STanDarDS 116 whaT are policieS? 94 2.8 Conclusion 117 whaT, noT how 94 clariTy 94 Thought Questions 117  •   Categories of Security Policies 95 Hands-on Projects 117  •   Project Thought Questions 118 corporaTe SecuriTy policy 95 •  Case Study 119  •  Case Discus- major policieS 95 sion Questions 120  •  Perspective accepTable uSe policy 96 Questions 120 policieS for Specific counTermeaSureS or reSourceS 96 Chapter 3 Cryptography 121 Policy-Writing Teams 98 3.1 What is Cryptography? 122 Implementation Guidance 98 Encryption for Confidentiality 123 no GuiDance 98 STanDarDS anD GuiDelineS 98 Terminology 123 Types of Implementation plainTexT 123 Guidance 100 encrypTion anD cipherTexT 123 cipher 124 proceDureS 100 key 124 proceSSeS 100 keepinG The key SecreT 124 baSelineS 101 The Simple Cipher 124 beST pracTiceS anD recommenDeD pracTiceS 101 Cryptanalysis 125 vi Contents Substitution and Transposition 3.6 The Keying Stage 146 Ciphers 126 Session Keys 146 Substitution Ciphers 126 Public Key Encryption for Transposition Ciphers 126 Confidentiality 146 Real-world Encryption 127 Two keyS 146 Ciphers and Codes 127 proceSS 146 Symmetric Key Encryption 129 paDlock anD key analoGy 146 hiGh coST anD ShorT meSSaGe key lenGTh 129 lenGThS 147 Human Issues in Cryptography 131 rSa anD ecc 147 3.2 Symmetric Key Encryption key lenGTh 148 Ciphers 133 Symmetric Key Keying Using Public RC4 133 Key Encryption 148 The Data Encryption Standard Symmetric Key Keying Using (DES) 134 Diffie–Hellman Key Agreement 149 56-biT key Size 134 3.7 Message-By-Message block encrypTion 134 Authentication 150 Triple DES (3DES) 135 Electronic Signatures 150 168-biT 3DeS operaTion 135 Public Key Encryption for 112-biT 3DeS 135 Authentication 150 perSpecTive on 3DeS 136 Message-by-Message Authentication Advanced Encryption Standard with Digital Signatures 151 (AES) 136 DiGiTal SiGnaTureS 151 Other Symmetric Key Encryption haShinG To proDuce The meSSaGe Ciphers 136 DiGeST 151 3.3 Cryptographic System SiGninG The meSSaGe DiGeST To proDuce Standards 139 The DiGiTal SiGnaTure 151 Cryptographic Systems 139 SenDinG The meSSaGe wiTh confiDenTialiTy 152 Initial Handshaking Stages 139 verifyinG The SupplicanT 153 neGoTiaTion 139 meSSaGe inTeGriTy 153 iniTial auThenTicaTion 140 public key encrypTion keyinG 140 for confiDenTialiTy anD Ongoing Communication 140 auThenTicaTion 153 3.4 The Negotiation Stage 141 Digital Certificates 154 Cipher Suite Options 141 cerTificaTe auThoriTieS 154 DiGiTal cerTificaTe 155 Cipher Suite Policies 142 verifyinG The DiGiTal cerTificaTe 155 3.5 Initial Authentication Stage 142 The roleS of The DiGiTal cerTificaTe Authentication Terminology 142 anD DiGiTal SiGnaTure 157 Hashing 143 Key-Hashed Message Authentication Initial Authentication with Codes 158 MS-CHAP 144 The problem wiTh DiGiTal on The SupplicanT’S machine: SiGnaTureS 158 haShinG 144 Creating and Testing the HMAC 158 on The verifier Server 145 Nonrepudiation 160 Contents vii 3.8 Quantum Security 162 3.12 Conclusion 176 3.9 Cryptographic Systems 163 Thought Questions 178  •   Virtual Private Networks (VPNs) 164 Hands-on Projects 179  •   Project Thought Questions 180 Why VPNs? 164 •  Case Study 181  •  Case Discus- Host-to-Host VPNs 164 sion Questions 182  •  Perspective Remote Access VPNs 165 Questions 182 Site-to-Site VPNs 165 3.10 SSL/TLS 166 Chapter 4 Secure Networks 183 Nontransparent Protection 166 4.1 Introduction 184 Inexpensive Operation 167 Creating Secure Networks 184 SSL/TLS Gateways and Remote availabiliTy 184 Access VPNs 167 confiDenTialiTy 184 vpn GaTeway STanDarDS 168 funcTionaliTy 185 auThenTicaTion 168 acceSS conTrol 185 connecTinG The clienT pc To Future of Secure Networks 185 auThorizeD reSourceS 168 DeaTh of The perimeTer 185 SecuriTy for ServiceS 168 riSe of The ciTy 186 browSer on The clienT 168 4.2 DoS Attacks 187 aDvanceD ServiceS require aDminiSTraTor privileGeS on pcS 170 Denial of Service … But Not an perSpecTive 171 Attack 187 3.11 IPsec 171 FaulTy coDinG 187 Attractions of IPsec 171 referralS from larGe SiTeS 188 SSl/TlS GiveS nonTranSparenT Goal of DoS Attacks 188 TranSporT layer SecuriTy 172 STop criTical ServiceS 188 ipSec: TranSparenT inTerneT layer DeGraDe ServiceS 188 SecuriTy 172 Methods of DoS Attacks 188 ipSec in boTh ipv4 anD ipv6 172 DirecT anD inDirecT aTTackS 190 IPsec Transport Mode 173 inTermeDiary 192 hoST-To-hoST SecuriTy 173 reflecTeD aTTack 194 enD-To-enD proTecTion 173 SenDinG malformeD packeTS 195 coST of SeTup 173 Defending Against Denial-of-Service ipSec in TranSporT moDe anD Attacks 196 firewallS 173 black holinG 197 IPsec Tunnel Mode 174 valiDaTinG The hanDShake 198 proTecTion iS proviDeD by ipSec GaTewayS 174 raTe limiTinG 198 leSS expenSive Than TranSporT 4.3 ARP Poisoning 199 moDe 174 Normal ARP Operation 199 firewall-frienDly proTecTion 175 The problem 201 no proTecTion wiThin The Two ARP Poisoning 201 SiTeS 175 ARP DoS Attack 203 IPsec Security Associations (SAs) 175 SeparaTe SaS in The Two Preventing ARP Poisoning 203 DirecTionS 175 STaTic TableS 203 policy-baSeD Sa 176 limiT local acceSS 204 viii Contents 4.4 Access Control for Networks 206 TurninG off SSiD broaDcaSTinG 229 LAN Connections 206 mac acceSS conTrol liSTS 229 Access Control Threats 206 Implementing 802.11i or WPA Is Easier 229 Eavesdropping Threats 207 4.7 Conclusion 230 4.5 Ethernet Security 207 Thought Questions 232  •   Ethernet and 802.1X 207 Hands-on Projects 232  •   coST SavinGS 208 Project Thought Questions 233 conSiSTency 208 •  Case Study 233  •  Case Discus- immeDiaTe chanGeS 208 sion Questions 235  •  Perspective The Extensible Authentication Protocol Questions 235 (EAP) 209 eap operaTion 209 Chapter 5 Access Control 236 exTenSibiliTy 210 5.1 Introduction 237 RADIUS Servers 210 Access Control 237 RadIus anD eap 211 Authentication, Authorizations, and 4.6 Wireless Security 211 Auditing 237 Wireless Attacks 212 Authentication 238 Unauthorized Network Access 212 Beyond Passwords 238 prevenTinG unauThorizeD acceSS 213 Two-Factor Authentication 238 Evil Twin Access Points 215 Individual and Role-Based Access Wireless Denial of Service 216 Control 238 flooD The frequency 216 Organizational and Human flooD The acceSS poinT 218 Controls 240 SenD aTTack commanDS 218 Wireless LAN Security with Military and National Security 802.11i 218 Organization Access Controls 240 eap’S neeD for SecuriTy 219 Multilevel Security 241 aDDinG SecuriTy To eap 219 5.2 Physical Access and Security 242 eap-TlS anD peap 220 Risk Analysis 242 Core Wireless Security Protocols 221 ISO/IEC 9.1: Secure Areas 242 Wired Equivalent Privacy (WEP) 221 phySical SecuriTy perimeTer 242 Cracking WEP 221 phySical enTry conTrolS 242 ShareD keyS anD operaTional public acceSS, Delivery, anD loaDinG SecuriTy 221 areaS 243 exploiTinG wep’S weakneSS 222 SecurinG officeS, roomS, anD Perspective 223 faciliTieS 243 proTecTinG aGainST exTernal anD Wi-Fi Protected Access (WPA™) 223 environmenTal ThreaTS 244 Pre-Shared Key (PSK) Mode 226 ruleS for workinG in Secure Wireless Intrusion Detection areaS 247 Systems 228 ISO/IEC 9.2 Equipment Security 247 False 802.11 Security Measures 229 equipmenT SiTinG anD proTecTion 247 SpreaD SpecTrum operaTion anD SupporTinG uTiliTieS 248 SecuriTy 229 cablinG SecuriTy 248

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.