Logic Bomb

Domain 3: Security Engineering (Engineering and Management of Security)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Logic Bombs

A logic bomb is a malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed, or on a specific date (also called a time bomb). Malware such as worms often contain logic bombs, behaving in one manner, and then changing tactics on a specific date and time.

Roger Duronio of UBS PaineWebber successfully deployed a logic bomb against his employer after becoming disgruntled due to a dispute over his annual bonus. He installed a logic bomb on 2000 UBS PaineWebber systems, triggered by the date and time of March 4, 2002 at 9:30 AM: "This was the day when 2000 of the company's servers went down, leaving about 17,000 brokers across the country unable to make trades. Nearly 400 branch offices were affected. Files were deleted. Backups went down within minutes of being run."[14]

Duronio's code ran the command "/usr/sbin/mrm -r / &" (a UNIX shell command that recursively deletes the root partition, including all files and subdirectories). He was convicted, and sentenced to 8 years and 1 month in federal prison.

URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000047

Domain 6

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Second Edition), 2012

Logic bombs

A logic bomb is a malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed or on a specific date (also called a time bomb). Malware such as worms often contain logic bombs, which behave in one manner and then change tactics on a specific date and time.

Roger Duronio of UBS PaineWebber successfully deployed a logic bomb against his employer after becoming disgruntled due to a dispute over his annual bonus. He installed a logic bomb on 2000 UBS PaineWebber systems, triggered by the date and time of March 4, 2002, at 9:30 AM: "This was the day when 2000 of the company's servers went down, leaving about 17,000 brokers across the country unable to make trades. Nearly 400 branch offices were affected. Files were deleted. Backups went down within minutes of being run." [5]

Duronio's code ran the command "/usr/sbin/mrm -r / &" (a UNIX shell command that recursively deletes the root partition, including all files and subdirectories). He was convicted of computer sabotage and securities fraud and is serving 8 years and 1 month in federal prison.

URL: https://www.sciencedirect.com/science/article/pii/B9781597499613000078

Malware Incident Response

Cameron H. Malin, ... James M. Aquilina, in Malware Forensics Field Guide for Windows Systems, 2012

Determining Scheduled Tasks

Some malicious code variants are "event-driven," meaning that until a certain date or event triggers execution, the malware remains dormant.

► Event-driven malware is typically referred to as a logic bomb. Most logic bomb specimens are planted and secreted by a malicious insider, particularly by users with administrative access to systems.[42] However, some external malicious code threats have displayed logic bomb features.[43] Thus, examine a subject system for scheduled tasks to ensure that a malicious program is not hidden away waiting to execute.

Reveal scheduled tasks on a subject machine using a trusted version of the native Windows utility at.[44]

Confirm your findings by querying with schtasks,[45] which is also native to Windows XP and subsequent versions.

URL: https://www.sciencedirect.com/science/article/pii/B9781597494724000019

Malware Incident Response

James M. Aquilina, in Malware Forensics, 2008

Determining Scheduled Tasks

Some malicious code variants are "event-driven," meaning that until a certain date or event triggers execution, the malware will remain dormant. This is typically referred to as a logic bomb feature. Most logic bomb malware specimens are planted and secreted by a malicious insider, particularly users who have administrative access to systems. For example, in early 2008, a system administrator was sentenced to 30 months in prison for embedding malicious code designed to wipe out critical data stored on more than 70 servers.[52]

However, there have been instances of external malicious code threats that have had logic bomb features. An example of such a specimen is WORM_SOHANAD.FM, which, once downloaded by an unsuspecting user from a malicious Web site, installs three additional malicious code files and uses the Windows Task Scheduler to create a scheduled task to execute the files at a later time.[53] Thus, we'll want to examine our subject system for scheduled tasks to ensure that a malicious program is not hidden away waiting to execute.

We can discover scheduled tasks on a subject machine by using a few different utilities. The first we can use is a trusted version of the native Windows utility, at. To query our system with at, we need only run the utility with no switches. We learn that "There are no scheduled tasks present in the system."

We can confirm our findings by querying with schtasks,[54] which is also native to Windows XP, 2003, and Vista systems. To simply display all scheduled tasks, we can invoke schtasks with the /Query switch.

Figure 1.46. ScheduledTasks with schtasks

Our findings with schtasks confirm that there are no tasks on our subject system, but for the purpose of showing what a scheduled task looks like and how to gather additional information about the task, we set a malicious program to execute on one of our test systems. In this scenario, a Yahoo! Messenger Worm (Worm/Hakaglan.B-Worm, also known as Win32.Worm.Sohanat.AB, among other names) has embedded itself as a scheduled task that runs at predefined times.[55] We can discover the task by using schtasks.

Figure 1.47.

Now that we've identified a strange scheduled task, we can obtain "advanced properties" about the task by adding the /FO LIST (this switch formats the display for a "list" output) and /V ("verbose") switches.

Figure 1.48. Examining a Scheduled Task
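The two Malware Forensics excerpts above walk through listing scheduled tasks with at and schtasks /Query /FO LIST /V and then eyeballing the result for a dormant task. The following is an added example (not code from either book) that automates the eyeballing step: it parses the CSV form of the same verbose output (schtasks /Query /FO CSV /V) and flags tasks that look like a planted, time-triggered program. It assumes US-locale timestamps and the verbose column names shown in the constructed sample; the sample rows, the host and user names, and the trusted-path and dormancy thresholds are all assumptions.

```python
"""Triage an export of Windows scheduled tasks for logic-bomb-style dormancy.

Assumptions (this is an added example, not from the Malware Forensics books):
- input is the CSV produced by `schtasks /Query /FO CSV /V` on a US-locale
  system, so dates look like "3/4/2012 9:30:00 AM";
- only a subset of the real verbose columns appears in the constructed sample
  below; the parser keys on header names, so extra columns are ignored.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample output (not captured from a real system). The third row
# imitates a task created with at.exe, which names its tasks At1, At2, ...
SAMPLE_CSV = (
    '"HostName","TaskName","Next Run Time","Status","Author","Task To Run",'
    '"Run As User","Schedule Type","Start Date"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","3/10/2012 1:00:00 AM",'
    '"Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c","SYSTEM",'
    '"Weekly","1/1/2012"\n'
    '"WS01","\\GoogleUpdateTaskMachineUA","3/3/2012 10:00:00 AM","Ready",'
    '"WS01\\Administrator","C:\\Program Files\\Google\\Update\\GoogleUpdate.exe /ua",'
    '"SYSTEM","Daily","2/1/2012"\n'
    '"WS01","\\At1","3/4/2012 9:30:00 AM","Ready","WS01\\jdoe",'
    '"C:\\Users\\Public\\update.exe","SYSTEM","One Time Only","3/4/2012"\n'
)

# Paths from which legitimately installed task binaries are normally run (assumed baseline).
TRUSTED_PREFIXES = ("%windir%", "%systemroot%", "c:\\windows\\", "c:\\program files")
# Recurring schedule types; anything else is a single-shot or event trigger.
RECURRING = {"daily", "weekly", "monthly", "at logon", "at system start up", "on idle"}
# A one-shot task whose next run is further away than this is treated as "dormant".
DORMANT_AFTER = timedelta(days=1)
# Fixed analysis clock for the demo, so the result is reproducible.
DEMO_NOW = datetime(2012, 3, 2, 8, 0)


def parse_schtasks_csv(text):
    """Return one dict per task. Some Windows versions repeat the header line
    before each task; those pseudo-rows are dropped."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r.get("TaskName") != "TaskName"]


def parse_run_time(value):
    """Parse a verbose-output timestamp; 'N/A', 'Disabled' etc. yield None."""
    try:
        return datetime.strptime(value.strip(), "%m/%d/%Y %I:%M:%S %p")
    except ValueError:
        return None


def triage(tasks, now):
    """Return [(task_name, [reason, ...])] for tasks worth a closer look."""
    findings = []
    for t in tasks:
        reasons = []
        name = t["TaskName"].lstrip("\\")
        cmd = t["Task To Run"].strip().lower()
        sched = t["Schedule Type"].strip().lower()
        author = t["Author"].strip()

        if not cmd.startswith(TRUSTED_PREFIXES):
            reasons.append(f"runs from an untrusted path: {t['Task To Run']}")
        if sched not in RECURRING:
            reasons.append(f"non-recurring trigger ({t['Schedule Type']})")
            nrt = parse_run_time(t["Next Run Time"])
            if nrt is not None and nrt - now > DORMANT_AFTER:
                reasons.append(f"dormant until {nrt:%Y-%m-%d %H:%M}")
        if (t["Run As User"].strip().upper() == "SYSTEM"
                and "administrator" not in author.lower()
                and not author.startswith("Microsoft")):
            reasons.append(f"runs as SYSTEM but authored by {author}")
        if name[:2] == "At" and name[2:].isdigit():
            reasons.append("numbered AtN task, i.e. created with at.exe")

        if reasons:
            findings.append((t["TaskName"], reasons))
    return findings


def run_demo():
    """Triage the constructed sample at the fixed demo clock."""
    return triage(parse_schtasks_csv(SAMPLE_CSV), DEMO_NOW)


if __name__ == "__main__":
    for task_name, reasons in run_demo():
        print(task_name)
        for r in reasons:
            print("   -", r)
```

On a live system, pipe the real export into parse_schtasks_csv instead of SAMPLE_CSV and pass the current time to triage; the thresholds are starting points, not a verdict.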

URL: https://www.sciencedirect.com/science/article/pii/B9781597492683000013

Crime, Use of Computers in

M.E. Kabay, in Encyclopedia of Information Systems, 2003

E Logic Bombs

A logic bomb is a program which has deliberately been written or modified to produce results when certain conditions are met that are unexpected and unauthorized by legitimate users or owners of the software. Logic bombs may be within stand-alone programs or they may be part of worms or viruses. An example of a logic bomb is any program which mysteriously stops working 3 months after, say, its programmer's name has disappeared from the corporate salary database.

In 1985, a disgruntled computer security officer at an insurance brokerage firm in Texas set up a complex series of Job Control Language (JCL) and RPG programs described later as "trip wires and time bombs." For example, a routine data retrieval function was modified to cause the IBM System/38 midrange computer to power down. Another routine was programmed to erase random sections of main memory, change its own name, and reset itself to execute a month later.

In 1988, a software firm contracted with an Oklahoma trucking firm to write an application system. The two parties disagreed over the quality of the work and the client withheld payment, demanding that certain bugs be fixed. The vendor threatened to detonate a logic bomb which had been implanted in the programs some time before the dispute unless the client paid its invoices. The client petitioned the court for an injunction to prevent the detonation and won its case on the following grounds:

The bomb was a surprise—there was no prior agreement by the client to such a device.

The potential damage to the client was far greater than the damage to the vendor.

The client would probably win its case denying that it owed the vendor any additional payments.

In public discussions among computer programmers and consultants, some have openly admitted installing such logic bombs in their customers' systems as a tool for extorting payment.

In 1998, a network administrator for Omega Engineering was convicted of activating a digital time bomb that destroyed the company's most critical manufacturing software programs. The company claimed more than $10 million in damages and lost productivity.

URL: https://www.sciencedirect.com/science/article/pii/B012227240400023X

Messaging Attacks and Defense

Sean-Philip Oriyano, Robert Shimonski, in Client-Side Attacks and Defense, 2012

Malicious Code

As we just mentioned, disabling scripting on your system is a good way to prevent malicious code from being delivered via JavaScript (as an example). In addition to worms, other types of malicious code are known to be circulated via email, including viruses, logic bombs, and others. Each of these types has at one time or another been distributed via email and caused widespread disruption. Again, much like worms, client-side defenses such as anti-virus applications and features built into the email client itself have had a large impact on these attack vectors. To prevent these types of attacks, you can use the same method of protection we learned about when protecting web browsers and email clients: disable scripting completely, or add extensions that allow scripts to be scrutinized. With Microsoft Outlook and Microsoft Live Mail, this is not always easy to achieve because the focus is on usability, not security. Security must be configured carefully.

By comparison, Mozilla Thunderbird is much more secure in this respect. By default, Thunderbird does not allow scripts to run within the email you receive. For example, JavaScript, Flash, and VBScript are disabled by default. Thunderbird also blocks remote images from being displayed by default. Blocking of remote content can be toggled by adjusting a setting in the Thunderbird configuration editor. To enter the editor to change this and other settings, click on the Tools menu and then select Options, Advanced, the General tab, and then click the config editor button.

Search for mailnews.message_display.disable_remote_image; changing its value between true and false disables or enables the display of remote content in your emails, as seen in Figure 7.10.

Figure 7.10. Disabling Remote Content in Thunderbird

Either way you slice it, make sure that your email editor of choice does not allow for malcode to poison your system by disabling scripting or by ensuring that you use an email client that does not cause you headaches from scripts such as Thunderbird.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495905000079

Control and Auditing

Mary S. Doucet, Thomas A. Doucet, in Encyclopedia of Information Systems, 2003

II.B.1.c Access Controls

Access controls need to be pervasive and apply to end users, programmers, computer operators, security administrators, network administrators, management, and any others authorized to use the organization's computing capacity, including trading partners and other outsiders. Other outsiders include interconnections to affiliates' networks, and through them links to the external networks those affiliates connect to. Once the local area network of an affiliate has access to an organization's network, it becomes a trusted network by default and has direct access to the network and its resources.

Logical access exposures result from unauthorized access which can lead to disclosure, manipulation, or destruction of programs and data. These exposures include changing data before or as it is entered into the computer, hiding malicious code in an authorized computer program, manipulating a program for personal gain, viruses, worms, logic bombs, trap doors, asynchronous attacks, data leakage, wire tapping, and denial of service attacks.

The most widely used logical access controls, which can also be classified as preventive controls, are the use of log-on IDs and passwords. Log-on IDs provide individual identification of the user and passwords provide authentication. The computer then contains a list of log-on IDs and access rules that allow access to files and data on a "need to know, need to do" basis. If these access rules are specified at the operating system level, they are more pervasive and provide better security than if specified only at the application level. Passwords should be easy for the user to remember, but hard for a perpetrator to guess. Some critical control features for passwords are that they: (1) should be internally one-way encrypted; (2) should be changed on a regular basis; (3) should be five to eight characters long; (4) should include alpha and numeric characters; (5) should not be easy to guess, such as a spouse's name, child's name, etc.; (6) should be masked (not appear on the screen when typed); and (7) inactive user IDs should be deactivated and eventually deleted from the system. Additionally, log-on IDs should be deactivated after several unsuccessful attempts (generally three) to enter the correct password, and the system should automatically disconnect a log-on session if there is no activity for a specified length of time.
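The paragraph above lists the password and log-on controls as policy. The following is an added example (not from the encyclopedia entry) that puts most of them into one small log-on ID store: one-way hashed storage, forced change after a maximum age, alpha plus numeric characters, a deny-list for easily guessed values, deactivation after three failed attempts, an idle time-out that disconnects the session, and deactivation of IDs that have not logged on for a long time. The numeric policy values (password age, idle time-out, inactivity period) and the user names and passwords in the demo are assumptions; the character-length rule and on-screen masking are left to the caller and the user interface.

```python
"""A small log-on ID store implementing the password controls listed in the
text: one-way (hashed) storage, regular password change, alpha and numeric
characters, a deny-list of easily guessed values, lockout after three failed
attempts, inactivity time-out of sessions, and deactivation of inactive IDs.

Added example, not from the encyclopedia entry; the numeric policy values
(password age, idle time-out, inactivity period) are assumptions.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3                    # "generally three" per the text
PASSWORD_MAX_AGE = timedelta(days=90)      # assumed policy value
IDLE_TIMEOUT = timedelta(minutes=15)       # assumed policy value
INACTIVE_ID_PERIOD = timedelta(days=180)   # assumed policy value


def password_acceptable(password, denylist=()):
    """Must mix letters and digits and must not be an easily guessed value
    (e.g. a spouse's or child's name supplied by the organisation)."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    guessable = password.lower() in {d.lower() for d in denylist}
    return has_alpha and has_digit and not guessable


def _one_way(password, salt):
    """Slow salted hash: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class LogonStore:
    def __init__(self):
        self._users = {}

    def add_user(self, logon_id, password, now, denylist=()):
        if not password_acceptable(password, denylist):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._users[logon_id] = {
            "salt": salt, "hash": _one_way(password, salt), "set_at": now,
            "failed": 0, "active": True, "last_logon": now, "session": None,
        }

    def logon(self, logon_id, password, now):
        """Return 'ok', 'change_required', 'locked' or 'denied'. The same
        'denied' is returned for unknown and deactivated IDs so the response
        does not reveal which log-on IDs exist."""
        u = self._users.get(logon_id)
        if u is None or not u["active"]:
            return "denied"
        if now - u["last_logon"] > INACTIVE_ID_PERIOD:
            u["active"] = False              # control (7): deactivate inactive IDs
            return "denied"
        if not hmac.compare_digest(_one_way(password, u["salt"]), u["hash"]):
            u["failed"] += 1
            if u["failed"] >= MAX_FAILED_ATTEMPTS:
                u["active"] = False          # lockout after three bad passwords
                return "locked"
            return "denied"
        u["failed"] = 0
        u["last_logon"] = now
        u["session"] = now
        if now - u["set_at"] > PASSWORD_MAX_AGE:
            return "change_required"         # control (2): regular change
        return "ok"

    def activity(self, logon_id, now):
        """Called on each request; drops the session when idle too long."""
        u = self._users.get(logon_id)
        if u is None or u["session"] is None:
            return False
        if now - u["session"] > IDLE_TIMEOUT:
            u["session"] = None              # automatic disconnect
            return False
        u["session"] = now
        return True


def demo():
    """Walk through lockout, password ageing and idle time-out on fixed clocks
    (constructed users and passwords)."""
    t0 = datetime(2003, 1, 6, 9, 0)
    store = LogonStore()
    store.add_user("jdoe", "Kx7pq2", t0, denylist=["sarah", "maxwell"])
    store.add_user("asmith", "Ra4v9m", t0 - timedelta(days=120))
    return [
        store.logon("jdoe", "wrong1", t0),                         # denied
        store.logon("jdoe", "wrong2", t0),                         # denied
        store.logon("jdoe", "wrong3", t0),                         # locked
        store.logon("jdoe", "Kx7pq2", t0),                         # denied: ID deactivated
        store.logon("asmith", "Ra4v9m", t0),                       # change_required: older than 90 days
        store.activity("asmith", t0 + timedelta(minutes=5)),       # True: within idle limit
        store.activity("asmith", t0 + timedelta(minutes=30)),      # False: idle more than 15 min
        password_acceptable("sarah1", ["sarah1"]),                 # False: on the deny-list
    ]
```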

Increasing telecommuting has made remote access security critical. Dial-back procedures for personnel who are telecommuting from a set location do not work for personnel who are dialing in from various remote locations such as airports and hotel rooms. Remote access security requires the use of surround security measures such as firewalls, as well as the encryption of messages and sensitive files stored on the computer. Firewalls should filter dial-in access in such a manner as to deny access except where explicitly permitted.

Logical access controls are strengthened via the use of organization-wide classification schemes and naming conventions. These enable better control over computer files and aid in the verification and monitoring of security. Classification of data should be based on its relative sensitivity and should use a simple scheme such as high sensitivity, medium sensitivity, and low sensitivity. For example, the Department of Defense has the simple classification scheme: sensitive, but unclassified; confidential; secret; and top secret. Access should be denied to any user who does not have the appropriate level of authorization. However, even personnel who might be allowed access to highly sensitive data in their area should be denied access to highly sensitive data in another area. For example, someone might be cleared for access to highly sensitive data in production, but should be denied access to highly sensitive data in personnel or payroll. Naming conventions can be used to provide this type of filter.

Physical access exposures include unauthorized entry, damage, vandalism, or theft of equipment, copying, viewing, and abuse of data processing resources. Physical access controls should include, at a minimum, using bolting door locks to facilities that house computer equipment and hardware. More advanced physical access controls might include biometric controls, cipher locks, and electronic door locks.

Manual or electronic logging of visitors, along with escorted or controlled visitor access, also reduces physical access risks. Photo identification badges, video cameras, and security guards provide an even greater level of security. If photo identification badges are used, visitors should be required to wear a different color badge. Deadman doors, which consist of two doors and require that the first door close before the second door opens, provide a higher level of security to computer rooms and document stations. Maintenance personnel should be bonded. The location of sensitive facilities, such as the computer room, should not be advertised, nor should they be identifiable or visible from the outside.

Some access problems must be addressed by the use of both logical and physical access controls. For example, many organizations operate in client/server environments. In this environment sensitive corporate data may be stored on or accessed from PCs that are not centrally located. To adequately protect PC data, both logical and physical access controls are required. The most widely used logical access controls over PC data are passwords and the use of encryption. The use of encryption will protect against any unauthorized use of the data stored on a PC even if the password protection is penetrated. Physical access controls over PC data include removing and locking up the storage medium when the PC is not in use, using lockable enclosures to protect against someone just taking the PC, and using an alarm system that will alert security if the PC is moved.

Both logical and physical access controls may also be needed to protect an organization against viruses, worms, and logic bombs. Client/server environments, local and wide area networks (LANs, WANs), and ready access to the Internet require sound control policies and procedures, as well as technical controls such as virus scanners and active monitors (active monitors look for virus-like activities and prompt the user to confirm that they want to perform the requested activity). Sound internal control policies and procedures that help protect against viruses, worms, and logic bombs include, but are not limited to: write-protecting all disks holding files with .EXE or .COM extensions; allowing no disk (including commercial software) to be used until it has been scanned (preferably on a stand-alone machine); booting only from disks that have been continuously write-protected; ensuring that antivirus software is installed on all workstations and the server; ensuring that antivirus software is updated frequently; ensuring that a sound backup policy is in place and operating effectively; educating users so they comply with these internal control policies and procedures; using hardware-based passwords; and using workstations without floppy drives.

URL: https://www.sciencedirect.com/science/article/pii/B0122272404000198

Global Information Systems

Magid Igbaria, ... Charlie Chien-Hung Chen, in Encyclopedia of Information Systems, 2003

V.F. Security

The ubiquitous connectivity of the Internet is made possible by innumerable access points or computers. This poses a serious threat to the resources connected to the Internet communication network if there is a rapid increase in users. On the Internet, every point of access can be intruded upon or damaged in many ways by people, intentionally or unintentionally. Such security threats may include human errors, computer abuse or crimes, natural and political disasters, and failures of hardware and software. Of these threats, general and application-based controls can prevent human errors and hardware and software failures from happening. Yet the most serious threats to today's global connection are computer crimes or abuses. There are many forms of computer crime. Vladimir Zwass identified the ten most common computer crimes or abuses: impersonation, the Trojan horse method, logic bombs, computer viruses, data diddling, the salami technique, superzapping, scavenging, data leakage, and wiretapping.

Of these malicious computer crimes, Kalakota and Whinston report that computer viruses, the Trojan horse method, and the worm can have a devastating effect on the Internet. What makes today's networks so vulnerable are the asymmetric security technologies of different countries. For instance, the RSA security system is designed with various numbers of bits for different purposes—384 bits for noncommercial use, 512 bits for commercial use, and 1024 bits for military purposes. Since the United States government considers 1024-bit RSA a national security technology, it is not authorized under the International Tariff in Arms Regulation (ITAR) for release to international communities outside the borders of the United States. Thus, the export control of security technologies has prevented e-commerce from becoming a universal phenomenon.

Many other security technologies, such as PGP (Pretty Good Privacy), IDEA (International Data Encryption Algorithm), DSA (Digital Signature Algorithm), PH HPGs (handheld password generators), and Kerberos have been developed. However, like the RSA security technologies, they are not accessible to other countries. Israel, for instance, is extremely advanced in Internet security technologies relative to other countries (e.g., France and China) where security is not a priority. The operational issue, security, has to be solved before citizens of the world can trust the Internet and universally accept the Internet as a true GIS. That is why organizations that are interested in securing the Internet formed the Internet Fraud Council (IFC) (http://www.internetfraudcouncil.org/). Only through the cooperation of the private, public, and international sectors, Gates believes, can we cope with today's challenges and lessen the impact of computer crimes on the global economy and on public confidence. As explained in CyberGuard Magazine: "In the foreseeable future, a secure Internet will be the enabler for a truly global economy. Without the inforsecurity, you will see this Internet vision of global prosperity quickly reduced to that of total anarchy."

URL: https://www.sciencedirect.com/science/article/pii/B0122272404000794

Domain 3

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP® (Third Edition), 2017

System Vulnerabilities, Threats, and Countermeasures

System threats, vulnerabilities, and countermeasures describe security architecture and design vulnerabilities, as well as the corresponding exploits that may compromise system security. We will also discuss countermeasures, or mitigating actions that reduce the associated risk.

Covert Channels

A covert channel is any communication that violates security policy. The communication channel used by malware installed on a system that locates personally identifiable information (PII) such as credit card information and sends it to a malicious server is an example of a covert channel. Two specific types of covert channels are storage channels and timing channels.

Backdoors

A backdoor is a shortcut in a system that allows a user to bypass security checks, such as username/password authentication, to log in. Attackers will often install a backdoor after compromising a system.

Maintenance hooks are a type of backdoor; they are shortcuts installed by system designers and programmers to allow developers to bypass normal system checks during development, such as requiring users to authenticate.

Malicious Code (Malware)

Malicious code or malware is the generic term for any type of software that attacks an application or system. There are many types of malicious code; viruses, worms, Trojans, and logic bombs can all cause damage to targeted systems. Zero-day exploits are malicious code (i.e., a threat) for which there is no vendor-supplied patch, meaning there is an unpatched vulnerability.

Computer viruses

Computer viruses are malware that do not spread automatically; they require a host (such as a file) and a carrier to spread the virus from system to system (usually a human).

Fast Facts

Types of viruses include:

Macro virus: virus written in macro language (such as Microsoft Office or Microsoft Excel macros).

Boot sector virus: virus that infects the boot sector of a PC, which ensures that the virus loads upon system startup.

Stealth virus: a virus that hides itself from the OS and other protective software, such as antivirus software.

Polymorphic virus: a virus that changes its signature upon infection of a new system, attempting to evade signature-based antivirus software.

Multipartite virus: a virus that spreads via multiple vectors. Also called multipart virus.

Worms

Worms are malware that self-propagate (spread independently). Worms typically cause damage in two ways: first by the malicious code they carry, and then by the loss of network availability due to aggressive self-propagation.

Trojans

A Trojan (also called a Trojan horse) is malware that performs two functions: one benign, such as a game, and one malicious. The term derives from the Trojan horse described in Virgil's poem The Aeneid.

Rootkits

A rootkit is malware that replaces portions of the kernel and/or operating system. A user-mode rootkit operates in ring 3 on most systems, replacing operating system components in "userland." A kernel-mode rootkit replaces the kernel, or loads malicious loadable kernel modules. Kernel-mode rootkits operate in ring 0 on most operating systems.

Packers

Packers provide runtime compression of executables. The original executable is compressed, and a small decompressor is prepended to the executable. Upon execution, the decompressor unpacks the compressed executable machine code and runs it. Packers are a neutral technology that is used to shrink the size of executables. Many types of malware use packers, which can be used to evade signature-based malware detection.

Logic bombs

A logic bomb is a malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed, or on a specific date (also called a time bomb). Malware such as worms often contain logic bombs, behaving in one manner, then changing tactics on a specific date and time.

Antivirus software

Antivirus software is designed to prevent and detect malware infections. Signature-based antivirus software uses static signatures of known malware. Heuristic-based antivirus uses anomaly-based detection to attempt to identify behavioral characteristics of malware, such as altering the boot sector.

Server-Side Attacks

Server-side attacks (also called service-side attacks) are launched directly from an attacker (the client) to a listening service. Patching, system hardening, firewalls, and other forms of defense-in-depth mitigate server-side attacks. Organizations should not allow direct access to server ports from untrusted networks such as the Internet, unless the systems are hardened and placed on DMZ networks.

Client-Side Attacks

Client-side attacks occur when a user downloads malicious content. The flow of data is reversed compared to server-side attacks: client-side attacks initiate from the victim who downloads content from the attacker.

Client-side attacks are difficult to mitigate for organizations that allow Internet access. Clients include word processing software, spreadsheets, media players, Web browsers, etc. Most firewalls are far more restrictive inbound compared to outbound; they were designed to "keep the bad guys out," and mitigate server-side attacks originating from untrusted networks. They often fail to prevent client-side attacks.

Web Architecture and Attacks

The World Wide Web of 10 or more years ago was simpler. Most web pages were static, rendered in Hypertext Markup Language, or HTML. The advent of "Web 2.0," with dynamic content, multimedia, and user-created data has increased the attack surface of the Web, creating more attack vectors.

Applets

Applets are small pieces of mobile code that are embedded in other software such as web browsers. Unlike HTML, which provides a way to display content, applets are executables. The primary security concern is that applets are downloaded from servers, then run locally. Malicious applets may be able to compromise the security of the client.

Applets can be written in a variety of programming languages; two prominent applet languages are Java (by Oracle/Sun Microsystems) and ActiveX (by Microsoft). The term "applet" is used for Java and "control" for ActiveX, although they are functionally similar.

Java

Java is an object-oriented language used not only as a way to write applets, but also as a general-purpose programming language. Java platform-independent bytecode is interpreted by the Java Virtual Machine (JVM). The JVM is available for a variety of operating systems, including Linux, FreeBSD, and Microsoft Windows.

Java applets run in a sandbox, which segregates the code from the operating system. The sandbox is designed to prevent an attacker who is able to compromise a Java applet from accessing system files, such as the password file.

ActiveX

ActiveX controls are the functional equivalent of Java applets. They use digital certificates instead of a sandbox to provide security. Unlike Java, ActiveX is a Microsoft technology that works on Microsoft Windows operating systems only.

Open web application security project

The Open Web Application Security Project (OWASP, see: http://www.owasp.org) represents one of the best application security resources. OWASP provides a tremendous number of free resources dedicated to improving organizations' application security posture. One of their best-known projects is the OWASP Top 10 project, which provides consensus guidance on what are considered to be the 10 most significant application security risks. The OWASP Top 10 is available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.

In addition to the wealth of information about application security threats, vulnerabilities, and defenses, OWASP also maintains a number of security tools available for free download including a leading interception proxy called the Zed Attack Proxy (ZAP).

Extensible markup language

Extensible markup language, or XML, is a markup language designed as a standard way to encode documents and data. XML is similar to HTML, but it is more universal. XML is used on the web, but is not tied to it; XML can be used to store application configuration and output from auditing tools, among other things. Extensible means users may use XML to define their own data formats.

Service-oriented architecture

Service-oriented architecture (SOA) attempts to reduce application architecture down to a functional unit of a service. SOA is intended to allow multiple heterogeneous applications to be consumers of services. The service can be used and reused throughout an organization rather than built within each individual application that needs the functionality offered by the service.

Services are expected to be platform independent and able to be called in a generic way that is also independent of a particular programming language. The intent is that any application may leverage the service simply by using standard means available within its programming language of choice. Services are typically published in some form of directory that provides details about how the service can be used and what the service provides.

Though web services are not the only example, they are the most common example provided for the SOA model. XML or JavaScript Object Notation (JSON) is commonly used for the underlying data structures of web services. SOAP, originally an acronym for Simple Object Access Protocol, but now simply SOAP, or REST (Representational State Transfer) provides the connectivity, and the WSDL (Web Services Description Language) provides details about how the web services are to be invoked.

Database Security

Databases present unique security challenges. The sheer amount of data that may be housed in a database requires special security consideration. As we will see shortly in the "Inference and Aggregation" section, the logical connections database users may make by creating, viewing, and comparing records may lead to inference and aggregation attacks, requiring database security precautions such as inference controls and polyinstantiation.

Polyinstantiation

Polyinstantiation allows two different objects to have the same name. The word polyinstantiation is based on the Latin roots for multiple (poly) and instances (instantiation). Database polyinstantiation means two rows may have the same primary key, but different data.

Inference and aggregation

Inference and aggregation occur when a user is able to use lower-level access to learn restricted information. These issues occur in multiple realms, including database security.

Inference requires deduction. There is a mystery to be solved, and lower level details provide the clues. Aggregation is a mathematical process; a user asks every question, receives every answer, and derives restricted information.
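The following added example (not from the book) shows why polyinstantiation is an inference control: without it, an unclassified user who tries to insert a row whose primary key already exists at a higher level gets a rejection, and that rejection alone tells them a classified record exists. The table, levels and cargo records are constructed sample data using Python's built-in sqlite3 module.

```python
import sqlite3

# Constructed clearance ladder: higher rank sees everything at or below it.
LEVELS = {"unclassified": 0, "secret": 1}


def open_db(polyinstantiated):
    """In-memory cargo table (constructed data). With polyinstantiation the
    classification level is part of the primary key, so a low-level insert of an
    existing ship name coexists with the secret row instead of colliding."""
    db = sqlite3.connect(":memory:")
    key = "(ship, level)" if polyinstantiated else "(ship)"
    db.execute(f"CREATE TABLE cargo (ship TEXT, cargo TEXT, level TEXT, PRIMARY KEY {key})")
    db.execute("INSERT INTO cargo VALUES ('Vigilant', 'missiles', 'secret')")
    return db


def visible_rows(db, clearance):
    """Rows a user at this clearance may see: only levels at or below it."""
    allowed = [lv for lv, rank in LEVELS.items() if rank <= LEVELS[clearance]]
    marks = ",".join("?" * len(allowed))
    q = f"SELECT ship, cargo, level FROM cargo WHERE level IN ({marks}) ORDER BY level"
    return db.execute(q, allowed).fetchall()


def low_user_insert(db, ship, cargo):
    """An unclassified user inserts a row; returns 'ok' or 'rejected'.
    A rejection on a key the user cannot see is the inference channel: it
    reveals that a higher-classified row with that key exists."""
    try:
        db.execute("INSERT INTO cargo VALUES (?, ?, 'unclassified')", (ship, cargo))
        return "ok"
    except sqlite3.IntegrityError:
        return "rejected"


def demo(polyinstantiated):
    """Return (insert result, what unclassified sees, what secret sees)."""
    db = open_db(polyinstantiated)
    result = low_user_insert(db, "Vigilant", "grain")
    return result, visible_rows(db, "unclassified"), visible_rows(db, "secret")


if __name__ == "__main__":
    for mode in (False, True):
        print("polyinstantiation" if mode else "single key", demo(mode))
```

Without polyinstantiation the unclassified user sees no rows yet is told the key is taken; with it, both rows exist and each clearance sees only its own view.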

Data mining

Data mining searches large amounts of data to determine patterns that would otherwise get "lost in the noise." Credit card issuers have become experts in data mining, searching millions of credit card transactions stored in their databases to discover signs of fraud. Simple data mining rules, such as "X or more purchases, in Y time, in Z places" are useful in discovering stolen credit cards.
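As an added illustration of the "X or more purchases, in Y time, in Z places" rule (example code, not the book's), this sliding-window check runs over a constructed list of one card's transactions and reports any window that meets all three thresholds.

```python
from datetime import datetime, timedelta

# Constructed sample transactions for a single card: (timestamp, city, amount).
TRANSACTIONS = [
    ("2023-05-01 09:10", "Boston", 12.50),
    ("2023-05-01 09:42", "Boston", 40.00),
    ("2023-05-01 10:05", "Chicago", 310.00),
    ("2023-05-01 10:30", "Denver", 95.00),
    ("2023-05-02 14:00", "Boston", 8.00),
]


def parse(rows):
    """Parse timestamps and sort chronologically so a window can slide over them."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), city, amt) for t, city, amt in rows)


def flag_velocity(rows, x=3, y=timedelta(hours=2), z=3):
    """Return windows of at least x purchases within y spanning at least z distinct places.
    Each hit is (window_start, window_end, sorted places). Thresholds x, y, z are the
    rule parameters from the text; the defaults here are constructed values."""
    txns = parse(rows)
    hits = []
    start = 0
    for end in range(len(txns)):
        # Shrink the window from the left until it fits inside y.
        while txns[end][0] - txns[start][0] > y:
            start += 1
        window = txns[start:end + 1]
        places = {city for _, city, _ in window}
        if len(window) >= x and len(places) >= z:
            hits.append((window[0][0], window[-1][0], sorted(places)))
    return hits


if __name__ == "__main__":
    for first, last, places in flag_velocity(TRANSACTIONS):
        print(f"suspicious: {first:%H:%M}-{last:%H:%M} in {', '.join(places)}")
```

Four purchases across three cities inside 80 minutes trip the rule; the next day's single local purchase does not.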

Mobile Device Attacks

A recent information security challenge is the number of mobile devices ranging from USB flash drives to laptops that are infected with malware outside of a security perimeter, then carried into an organization. Traditional network-based protection, such as firewalls and intrusion detection systems, are powerless to prevent the initial attack.

Mobile device defenses

Defenses include administrative controls such as restricting the use of mobile devices via policy. Technical controls to mitigate infected mobile computers include requiring authentication at OSI model Layer 2 via 802.1X. 802.1X authentication may be bundled with additional security functionality, such as verification of current patches and antivirus signatures.

Another mobile device security concern is the loss or theft of a mobile device, which threatens the confidentiality, integrity, and availability of the device and the data that resides on it. Backups can assure the availability and integrity of mobile data.

Full disk encryption (also known as whole disk encryption) ensures the confidentiality of mobile device data.

Remote wipe capability is another critical control, which describes the ability to erase and sometimes disable a mobile device that is lost or stolen.

URL:

https://www.sciencedirect.com/science/article/pii/B9780128112489000036

Cyber Security Countermeasures to Combat Cyber Terrorism

Lachlan MacKinnon, ... Dimitrios Frangiskatos, in Strategic Intelligence Management, 2013

Research on Insider Threat

The research done by Moore et al. (2008) was based on 49 insider sabotage cases. They attempted to identify common patterns within these cases. Seven general observations to help identify insiders were proposed as a result of this work. The main conclusion was that disgruntled employees were the most likely candidates, for whatever reason, but they were also facilitated by a general lack of access controls (Moore et al., 2008).

Detecting the insider is a challenging problem as these attacks are often very sophisticated. The insider's familiarity with the networks and systems of the company that they work for makes it easy for them to cover their tracks and very difficult to catch them. It is estimated that approximately one-third of all data theft is due to insiders (Pfleeger, 2008).

One of the leading authorities on insider threats is CERT, the Software Engineering Institute of Carnegie Mellon University. They have accumulated data on hundreds of cases of insider attacks over the years for analysis. As of 2011 (Cappelli, 2011), their database contained 123 cases of sabotage, 196 cases of fraud, 86 cases of intellectual property theft, and 43 miscellaneous cases. What follows is a discussion of the key findings from some of their recent work on financial fraud (Cummings et al., 2012) and intellectual property theft (Moore et al., 2012).

Motives for an attack vary. Cappelli et al. (2009) analyzed 196 cases of insider attacks that occurred in the United States and observed their cases falling into the following categories (noting that some cases fell into more than one category):

1. IT sabotage: These attacks are committed by individuals who are motivated to harm the organization, its data, or an individual. They misuse their access to systems, data, or networks and account for 45% of cases. Attacks were primarily committed by former employees and by males; however, the fact that males were the majority is unsurprising as 74% of employees in this field are male. Motives identified for this group were disgruntlement and revenge for some negative event such as termination, disputes, new supervisors, transfers or demotions, and dissatisfaction with salary. The majority who committed this type of attack did not have authorized access at the time of the attack. Thirty percent used their own username and password; others used a compromised account, an unauthorized backdoor they had created, system or database administrator accounts, and so forth. Attacks included logic bombs and sabotaging backups. Most attacks were carried out through remote access, out of normal working hours, and in most cases system logs were used to identify the insiders.

2. Theft or modification for financial gain: These occur where insiders intentionally exceed their authorized levels of access with the intention of stealing confidential or proprietary information for financial gain, and occurred in 44% of cases. Targets were concentrated in the banking and financial sectors, followed by the government sector and then the IT and telecoms sector. The vast majority of these crimes were committed by current, not former, employees working in lower-level, nontechnical positions, split evenly between males and females. Collusion with other insiders and outsiders was high; a recurring pattern was an outsider recruiting an insider. Ninety-five percent stole or modified information during normal working hours and 75% used authorized access, with 85% using their own username and password. The majority of the cases were detected through nontechnical means such as data irregularities or customer alerts and were typically proven through system, database, and file access logs. Within the financial sector (Cummings et al., 2012), it was noted that:

   - Criminals who executed a "low and slow" approach accomplished more damage and escaped detection for longer: on average, fraud started over 5 years after hiring and took an average of 32 months to be detected.
   - Insiders' means were not very sophisticated; very few held a technical role or used technical means, and in more than half the cases authorized access was used in some form.
   - Fraud by managers differed substantially from fraud by non-managers in damage and duration. Fraud by managers caused nearly twice the financial damage of fraud by non-managers and lasted almost twice as long—33 months compared to 18 months.
   - Most cases did not involve collusion: 16% involved collusion, and of those 69% involved outsiders.
   - Most incidents were detected through an audit, customer complaint, or coworker suspicion; routine or impromptu auditing was the most common route for detection.

3. Theft or modification for business advantage: This is where insiders intentionally exceed their authorized levels of access with the intent to steal confidential or proprietary information for business advantage, and occurred in 14% of cases. The vast majority of these crimes were concentrated in the IT and telecoms sector; however, the banking and financial sectors, the chemical and hazardous materials sector, and the defense industrial base sector were also affected. All of the attacks analyzed were carried out by males: 71% in technical positions, 29% in sales, 25% former employees, and 75% current employees. Nearly 80% had accepted positions with another company or had already set up a competing company. In 25% of cases information was passed on to a foreign company or government, and 88% had authorized access to the information. The majority of the cases occurred within a one-month period, and in approximately half the cases the insider colluded with at least one other insider. Cases were detected through the emergence of competing products, informants, and so forth, and were typically proven through system, database, and file logs.

4. Miscellaneous: This is where insiders intentionally exceed their authorized levels of access with the intention of stealing confidential or proprietary information for purposes other than financial or business advantage, and occurred in approximately 9% of cases.

As identified earlier, many people relate insider attacks to a disgruntled employee; however, the CERT team has noticed the following recent trends and issues related to insider threats:

1. Collusion with outsiders: Half of the insiders who stole or modified information for financial gain colluded with outsiders.

2. Business partners: The number of insider attacks from trusted business partners who have been given authorized access is increasing.

3. Mergers and acquisitions: There is an increased risk from employees who are working in an uncertain climate, from both the acquiring and acquired organizations.

4. Cultural issues: It is important to recognize that cultural issues can influence employee behavior.

Clearly, the range and scope of the events described in this section demand equivalent levels of countermeasure; otherwise our existing systems might fail in the face of such pressure. The next section sets out a range of countermeasures that are currently in use to address these issues.

URL:

https://www.sciencedirect.com/science/article/pii/B978012407191900020X