Several groups of Internet users attack information systems. The three traditional groups are hackers, crackers and phreaks. Although common usage lumps all three together as "hackers", there are differences between them. Another way of classifying hackers is by intent: white hat (ethical hacker), black hat (criminal hacker) and grey hat (somewhere in between). Then there are the script kiddies. Taken together, they can be grouped into four general types.
1. First, the hackers proper are the white hat hackers. The etiquette of this group is that, after penetrating a system, they notify the system administrator so that the vulnerability can be fixed. It is often said that a hacker simply wants security to be improved on all Internet systems. Note, however, that under legislation such as the Malaysian Computer Crimes Act discussed below, access without authorization is an offence regardless of the intruder's good intentions; the ethical hacker obtains permission first.
2. The next group, the crackers (the black hat hackers), are the group to really fear. Crackers observe no etiquette when breaking into a system and will damage or destroy data once inside. Their goal is to cause as much damage as possible, or to profit from what they take.
3. Then there are the script kiddies, who generally rely on previously written scripts and pre-packaged hacking tools downloaded from the Internet. Script kiddies are usually individuals intrigued by the notion of gaining unauthorized access, and are willing to run untested pieces of code while others (the target networks and users) bear the risk. They can cause big problems for networks without truly understanding what the scripts do or what the consequences may be. This combination of irresponsible experimentation and incomplete knowledge often leads to disaster, such as the unintended loss of information.
4. The last group, the phreaks, try to break into an organization's phone system. Phreaks can then use the free phone access to disguise the number they are calling from, and leave the organization with the bill for long-distance charges.
The typical profile of a hacker ranges from the lone-wolf cracker seeking peer recognition to the disgruntled former employee out for revenge. A cracker's specialty, or in some cases his mission in life, is seeking out and exploiting vulnerabilities in an individual computer or network for his own purposes. Crackers' intentions are normally malicious or criminal in nature.
They usually start from the most basic of skills: software programming. The ability to write code that controls the computer is a powerful attraction. As they gain knowledge of operating systems, they discover the weaknesses of the OS. They also learn HTML, the markup that lets them create phony web pages which lure unsuspecting users into revealing financial or personal data. They may be part of a large syndicate with technical and financial support from other crackers. They network among themselves and exchange ever more sophisticated techniques.
In Malaysia, Act 563, the Computer Crimes Act 1997, is the main piece of legislation on computer crime. It received Royal Assent on 18 June 1997 and was gazetted on 30 June 1997, so it has been in force for well over a decade.
Among the key provisions of the Act are the following.
Section 3 in Part II of the Act makes unauthorized access to computer material an offence. A person is guilty of an offence if:
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorized; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
On conviction, the penalty is a fine not exceeding fifty thousand ringgit or imprisonment for a term not exceeding five years, or both.
The Act also provides, in Section 4, that unauthorized access with intent to commit or facilitate the commission of a further offence is a separate and more serious offence; the further offence is defined by reference to the Penal Code.
Hackers rarely act without a reason, unless they are teenagers trying to gain attention. Most of the time the purpose is further gain from the information obtained without authorization, whether by selling it or by using it for further action.
Hence it is important for the law to address this further benefit of unauthorized access.
Section 4 covers access that is intended to facilitate a further offence by the intruder himself or by another person, whether the further offence is committed at the time of the access or at a future time. The penalty is much more severe: a fine not exceeding RM150,000 or imprisonment not exceeding 10 years, or both.
Section 4 of the Computer Crimes Act specifies that a person is guilty of an offence under this section if he commits an offence referred to in Section 3 with intent:
(a) to commit an offence involving fraud or dishonesty or which causes injury as defined in the Penal Code [Act 574]; or
(b) to facilitate the commission of such an offence, whether by himself or by any other person.
Subsection (2) makes it immaterial whether the further offence is to be committed at the same time as the unauthorized access is secured or on any future occasion. The penalty is severe in order to deter the person or syndicate behind the actual hacker: under subsection (3), a fine not exceeding RM150,000 or imprisonment for a term not exceeding 10 years, or both.
The Act also deals separately with unauthorized modification of the contents of a computer, under Section 5; this is the offence most attacks on data integrity fall under. It is punishable by a fine not exceeding RM100,000 or imprisonment for a term not exceeding seven years, or both.
Under Section 5 it is immaterial whether the unauthorized modification is directed at any particular program or data, at a program or data of any kind, or at a program or data held in any particular computer, and whether the modification is permanent or merely temporary.
As cyber crime crosses borders, the Act also gives its offences extraterritorial scope, which is unusual for Malaysian legislation. Under Section 9, the provisions of the Act have effect, in relation to any person of whatever nationality or citizenship, outside as well as within Malaysia, and where an offence under the Act is committed by any person in any place outside Malaysia, he may be dealt with as if the offence had been committed within Malaysia.
This borderless jurisdiction applies where the computer, program or data was in Malaysia, or was capable of being connected to, sent to, or used by or with a computer in Malaysia, at the material time.
REF:
i. Thomas R. Peltier, Justin Peltier and John Blackley, Information Security Fundamentals, Chapter 2: Threats to Information Security.
ii. Michael West, "Preventing System Intrusions", Chapter 3, pp. 39-42, in John Vacca (ed.), Computer and Information Security Handbook.
iii. Laws of Malaysia, Act 563, Computer Crimes Act 1997 (incorporating all amendments up to 1 January 2006).
iv. http://neworder.box.sk/news/4181
Chapter 8
Rivalry among PDA/smartphones
PDAs/smartphones are becoming the new craze in the world of cellular technology. After comparing the phones, write a brief paragraph stating which PDA/smartphone would best suit your needs and whether you would be willing to purchase it.
My choice of smartphone would be the Nokia N97. It has a neat sliding, hidden keyboard, long talk time and large storage. Its price is also lower than that of the iPhone or the Samsung i8910 HD. It is not as big as the iPhone, and is thick enough to have some feel to it. It is Java-enabled for web applets and can run applications such as Word, Excel, PowerPoint and PDF viewers, as well as video and photo editors.
Nokia is a good brand of mobile phone. My work requires frequent browsing and saving information from the Internet, so large storage is essential. Long battery life is also important, as I need the phone when travelling, and charging is sometimes inconvenient at airports or train stations.
I would purchase it once the price comes down, unless Sony Ericsson brings out a similarly featured smartphone. I have been a Sony Ericsson user for some time and I trust that it will offer a similar phone at a lower price.
I used Internet Explorer (IE) for more than ten years before moving to Mozilla Firefox and Google Chrome. These are the three browsers compared here; the parameters for the comparison are speed, cost, graphical interface, tab features, additional software such as add-ons, and recovery modes.
Of all three, Mozilla Firefox is my favourite. My reasons for choosing Firefox are cost, a familiar graphical interface, security, add-ons and session restore, as it is the best in each class. Firefox descends from Netscape Navigator, whose code was released as the open-source Mozilla project after Netscape's famous browser war with IE; having started in the open-source camp, it embraced the philosophy of software free of charge under a free licence. Chrome, released in 2008, is the newcomer. It is a cousin of Apple's Safari browser (used mostly on Mac OS): both use the fast WebKit rendering engine, which itself descends from the KHTML engine of Konqueror. Chrome on Windows is my second choice.
I have been using Firefox on Windows and now on Ubuntu. Its features have improved over those of IE while it retains a familiar interface; for example, 'Favourites' in IE is 'Bookmarks' in Firefox. It is also much faster than IE no matter how many tabs are open. Firefox did much to popularise tabbed browsing. Tabs make it quicker to open pages and image files without leaving the current window, and are less disruptive because they avoid filling the desktop with new, loading and unorganised windows. Page loading is also much faster, and there is none of the background click noise that is annoying in IE.
My recent experience using the broadband service of TIME Telecommunication Sdn Bhd differentiated the two browsers greatly. IE often shows a "The page cannot be displayed" notice when opening a new window. It is frustrating to encounter this repeatedly, as it prompts a restart of the browser again and again. We encountered roughly one successful connection for every three wasted attempts at a new web page. Conversely, there is no such issue at all with Firefox running on Ubuntu.
Hence, I suspect that Internet Explorer, being a Windows-based browser, is more suited to home users. As most servers run on Linux-based OSs, Firefox on Ubuntu is superior in compatibility on corporate computers. In fact, TIME Telecommunication Sdn Bhd specialises in leased-line Internet cabling for major corporate buildings in Malaysia.
Firefox 3.5, the most recent release, claims to load in 1.5 s. Browsing frequently used sites such as search engines is almost instant, and such speed is justified by the recent upgrade of Streamyx broadband connections from 1.0 Mbps (megabits per second) to 2.0 Mbps. A plain Google Search page at www.google.com.my is only about 3 kilobytes, or roughly 24 kilobits, so at 1 Mbps the transfer itself takes around 0.02 s and the page appears almost instantly; at that point a lean browser that starts quickly has the edge over a heavyweight one like IE.
Another key feature of Firefox on Ubuntu is Mozilla's open-source security strategy, which it says finds and fixes security issues in record time, making Firefox (in Mozilla's words) the safest way to surf. Because Firefox originated in open-source development, its security fixes are visible and continuous. Note, though, that open source by itself is no guarantee; what matters in practice is how quickly patches are released and, just as importantly, installed.
The last feature that is nice in Firefox is session restore. On reopening the browser, the tabs return to the sites that were open before the previous shutdown if 'Save and Quit' was chosen. In the event of a crash this is useful, as restarting the browser restores the same windows and tabs. On Firefox for Ubuntu these features are set by default. The danger is that the next user of the computer must be aware of this automatic restore, since it may compromise the previous user's privacy by reopening their pages, including any sessions still logged in.
2. Discuss the difference between software you must purchase, freeware software, and shareware software. Why would you pay for software when you can get software free?
Examples of each type of software:
Proprietary software - Microsoft Office Suite (Small Business) for Windows
Freeware software - antivirus software: AVIRA
Shareware software - PDF reader/creator: PrimoPDF
Proprietary software is a licensed copy of software developed by programmers, usually employed by a corporation, protected by copyright (and sometimes patents) and sold for profit. A team of programming engineers is deployed for the full research and development of the software until it is ready for use, first as a beta release and then debugged to yield the stable programme. The software is updated and refined over time, with the team of programmers dedicated to the entire development life cycle.
This type of software is usually sold at a high cost, supported by a team of sales and marketing personnel. It usually comes with 24/7 after-sales service and a product warranty. Proprietary software has a legal owner and its distribution is therefore restricted: legal action can be taken over its duplication, or over installation on other machines without the specific 'product key' individually assigned to the purchaser.
Freeware, like most free antivirus programmes, is distributed free of charge. It is commonly downloaded directly from the developer or through a mirror site such as Softpedia or CNET. Freeware comes at various stages of development, some stable and some still in beta. Some of it is debugged and functional to near the standard of proprietary software, but much of it still has remnant issues, especially incompatibility with certain operating systems or with later versions of an OS.
Freeware is developed by individuals or by corporations on a not-for-profit basis. At an early stage it may be developed for one or more purposes that have no relation to its eventual use. More recently, more and more corporations have been releasing downloadable freeware with the intention of boosting their presence in the IT world. As the software matures, these developers later earn fees for consultation or by selling variants of the freeware that are more stable and have more features.
The term shareware, popularised by Bob Wallace, refers to proprietary software that is provided to users without payment on a trial basis and is often limited by some combination of functionality, availability or convenience. Shareware is usually offered as a trial version with certain features available only after the licence is purchased, or as a full version for a limited trial period. I have been using PrimoPDF for half a year, and I keep receiving pop-up reminders to purchase, and emails about their promotions.
There are a few reasons for purchasing certain software despite the availability of similar software for free. A good example is Microsoft Office versus OpenOffice.org. Although OpenOffice.org can now run on the Windows platform, many are reluctant to change because of the learning curve and the inconvenience of the differing file formats of the two suites.
Alignment and fonts change when the same file is viewed in the two different word processors. The user interfaces are fairly similar, and arguably better in OpenOffice.org; for example, OpenOffice.org Writer has PDF export and highlighter buttons built in. Even so, the change from Microsoft Word to Writer still requires time and effort. Bear in mind that the cost saving may not directly yield increased productivity, as administrative staff are not as computer-savvy as IT geeks. One real cost saving of OpenOffice.org is the ability to open, for example, DOCX files without upgrading to Office 2007, if the organisation chooses to keep using Microsoft Office 2003.
Another major issue is the support that comes with proprietary software, hence the 'peace of mind' when troubleshooting and resolving incompatibility with existing software. New security updates and signatures are downloaded automatically when connected to the Internet, so the programme causes minimal disruption to daily activities. Upgrades to later versions are usually supported, as the developer of proprietary software depends on further sales for business continuity and sustainability. More proprietary software is developed for the Windows platform, and although it comes at a cost, using it has become the norm as most computers run Windows.
Some software is so well entrenched in a specialised profession that it is developed for that niche and runs on certain platforms only. For instance, AutoCAD at the time of writing runs only on Windows. Architects and engineers who have been familiar with AutoCAD since their apprentice days would refuse a change that jeopardises their productivity.
Other examples are Google Earth and Skype. They too are already mature on Windows, yet in their infancy on Linux or Mac OS. Although there are versions of Google Earth and Skype for Linux, the inconvenience of changing settings and hunting for driver support is the major obstacle to their common use. I have been trying to run Google Earth for Ubuntu on the same PC on which I run Google Earth on Windows, and the graphics and performance are greatly compromised.
3. Commercial Products versus Open-source Products
Commercial product - Microsoft Office Word (Windows)
Comparison products in open source:
1. Writer (word processor) from OpenOffice.org
2. KWord from KOffice.org
OpenOffice.org Writer and KWord are the programmes I used to create this answer script. Clicking the PDF button prints the document to PDF format without having to install a PDF writer such as PrimoPDF. The highlighter adds your choice of colours over the text. These are the two features I like most in OpenOffice.org Writer.
Comparison shows that OpenOffice.org's features go beyond those of Microsoft Word in places; for instance, it has extra buttons for PDF export and highlighting on the toolbar. Open-source software tends to include all of the major features of the commercial product and often adds further features, free of charge and free of licensing entanglements. In the above example, Word 2007 shipped without built-in PDF export and the feature had to be downloaded separately as an add-in, the likely reason being that building another developer's PDF technology into Word carries licensing entanglements that Microsoft preferred to avoid unless the feature was native to its own development.
KWord from KOffice.org is also an open-source word processor, and is really 'cool'. Its approach is more graphically driven: the document is laid out from the beginning with its final print format, colours and columns, the text is then typed into the frames blocked out for it, and pictures and charts are inserted into frames later.
KWord has a unique way of managing text and other content using frames. Clip-art and pictures are wrapped in a frame, which makes it easy to move, scale, rotate and even skew them consistently. Frames need not be rectangular; you can insert a 'smiley' and make the text flow around the actual shape of the content. Any frame can also be anchored to the text flow, so the image moves with the text while editing.
Support for proprietary software is available both in writing and from the 'Help' pull-down menu, with live help over the Internet, e.g. Microsoft Help and Support. Many books are written about proprietary software such as Microsoft Word, Excel and PowerPoint. It is harder to find books on KWord or OpenOffice.org Writer, though.
For OpenOffice.org, technical support is available at its support site, www.support.openoffice.org, and the community forum is a great place to find answers to technical issues. Web-based tutorials are also useful, and all of these are available over the Internet.
Support for KWord is not as friendly as for OpenOffice.org Writer. The site at http://userbase.kde.org is technical and probably not suited to beginners. KWord is developed by the KDE community rather than by the OpenOffice.org project, so the two come from separate schools.
Open-source software offers a viable alternative to the commercial product. As better open-source software for Windows has been developed over the years, the Windows-Linux-Mac divide is coming down. Firefox is a good example of a browser that originated in open source and is now available and stable on Windows, and OpenOffice.org is available for Windows XP and Vista.
Another significant development is that more people are accustomed to dual-boot computers nowadays. Apple computers offer a choice of booting Mac OS or Windows. A Windows PC can be live-booted with Ubuntu, Fedora and others, and the distribution installed 'as you feel like it'. Recent Linux-based OSs have clean graphical interfaces aimed at home users, and there is a trend towards Ubuntu on laptops, with Dell offering notebooks pre-loaded with Ubuntu. Under the pressure of the economic downturn, everyone is cutting cost and adding features to open-source applications to boost sales.
The choice is on users to familiarise themselves with the new applications. Free software, however, may come with strings attached, as 'free' carries various implications in IT. 'Free' may actually mean paying more later in the learning curve, or learning 'a lesson' the hard way through incompatibility or crashes that eventually destroy the stored data on an enterprise computer. 'Free' may also mean software that was obtained illegally, bypassing the licence fee. That is unethical, yet common, as 'pirated copies' circulate freely on the Internet. Such 'free' software may also be infected with malware, and the consequences can be severe, up to the total destruction of a corporation's information infrastructure. A practical check is to obtain software only from the developer or a reputable mirror and to compare the download against the checksum or signature the developer publishes before installing it.
This assignment constitutes 30% of the total marks.
Due date: 7th August 2009
You may submit your assignment via email. Each answer should not be more than 5 pages long, using Arial font, size 12, single spaced. Choose 1 question from each chapter.
Chapter 6: Understanding and Assessing Hardware: Evaluating Your System
1. Optical Storage
Some methods of optical storage, such as CDs, have become fairly commonplace for most users, whereas others, such as DVDs and the new Blu-ray technology, are not as familiar. To add to the confusion over which type of optical storage to use, optical drives are available in a variety of speeds, and the technology is available in different formats (e.g., DVD-RW vs. DVD+RW).
Use the Internet to research the various types and formats of optical storage available today. Create a table that includes the following for each type of storage (CD, DVD, etc.):
Available formats
Storage capacity
Types of data it typically stores
Key features or benefits
Then, visit the Web sites of two computer manufacturers, and determine the types of optical storage they offer for low-end systems and high-end systems. List this information in a second table, including the computer manufacturer and model, the drive speed, and if available, the cost of the drive. Finally, write a brief summary of your findings, including any mention of competing technologies, and indicate which optical drive would be your ideal choice.
Suggested search terms: Blu-ray, Optical Media, Optical Media Standards, Optical Formats
2. Online Storage
You no longer have to rely on hard drives, CDs, DVDs, and so on to store or back up your data. Numerous online providers store or back up your data over the Internet. With online storage, a company provides you with space on its servers, which you use to store your backup data, photos and movies, large files, whatever you need.
Using an Internet search engine, find four different companies that provide online storage. Create a chart, and for each company, answer the following questions:
What is the name of the company?
Is there a free trial period? If so, how long is it?
What is the cost?
How much storage space is available?
What security measures are in place to protect your data?
Suggested search terms: Online Storage, Internet Storage, Web Storage, Online Data Storage, Online Backup
Chapter 7: Networking and Security: Connecting computers and keeping them safe from hackers and viruses
1. Identity Theft
Identity theft—it is such a scary term. You have no doubt heard of someone who has had his or her name, address, social security number, bank account, and/or credit card information stolen. This can ruin a person’s credit and leave him or her holding the bag and being harassed by creditors attempting to collect on the fraudulent debts. It sounds horrible, and it is.
Using the Internet, research identity theft and write a brief paper answering the following questions:
What is identity theft?
How can you prevent identity theft?
What steps should you take if your identity is stolen?
2. Hackers We know from this chapter that a hacker is anyone who unlawfully breaks into a computer system—whether an individual computer or a network. However, there is a great deal of dissension (especially among hackers themselves) as to what a hacker actually is. Using the Internet, research four different types of hackers, and define each one. As part of your research, seek information about the typical profile of a hacker. Why do hackers do what they do? What are the laws against hacking in your state?
Chapter 8: Mobile Computing: Keeping Your Data on Hand
1. Rivalry among PDA/Smartphones
PDAs/smartphones are becoming the new craze in the world of cellular technology. Cell phone users want the latest technology and no longer want a phone just to talk on and send text messages from. Using the Internet, locate and research four PDA/smartphones. Create a chart comparing and contrasting the four phones based on the following characteristics:
name of the phone
manufacturer
retail price
operating system
talk time
weight
memory
input device(s)
capabilities
After comparing the phones, write a brief paragraph stating which PDA/smartphone would best suit your needs and whether you would be willing to purchase it.
2. Global Positioning Systems (GPSs)
Another new craze in the world of technology is global positioning systems (GPSs). As we learned in the chapter, GPS devices use an antenna to pick up signals from satellites and special software to transform those signals into latitude and longitude. Using the information obtained from the satellites, GPS devices can determine your geographical location anywhere on the planet to within 10 feet. How neat is it that a small device can tell you exactly where you are on Earth, anytime and anywhere? We all know that you can buy a handheld device that is just a GPS, but what else can you buy that contains a GPS? In addition to tracking where we are standing, what are other uses of GPSs? Besides consumers, who else uses GPSs? How accurate are GPSs? Do you have to subscribe to use a GPS? Write a brief report of your findings.
This assignment constitutes 30% of the total marks.
You may submit your assignment via email. Each answer should not be more than 5 pages long, using Arial font, size 12, single spaced.
1. Comparing Web Browsers
Once you are connected to the Internet, in order to locate, navigate to, and view Web pages, you need a special software—a Web browser—installed on your system. If you purchase a computer from a retail store, the computer typically has a browser installed on it. However, there are other Web browsers available as well. You can use the browser already installed on your computer, replace it with another, or have several installed on your machine.
Using the Internet, locate and research three Web browsers. Compare and contrast these browsers. With which operating systems are they compatible? What are the features of the software? What are the advantages and disadvantages? After making your comparison, decide which browser you would most likely use.
2. Discuss the difference between software you must purchase, freeware software, and shareware software. Why would you pay for software when you can get software free?
3. There are many reasons that people purchase commercial software. It may be due to brand awareness and popularity or because a particular program is commonly used in the workplace. Whatever the reason, many people are unaware of the options that open-source software presents. Open-source software is not necessarily free, but it may be less expensive than more well-known products. On the other hand, open-source software may not come with all the “bells and whistles” or as much technical support as traditional titles do.
Select a popular software title (such as Microsoft Excel or Adobe Dreamweaver), and use the Internet to locate at least two open-source alternatives. Locate knowledgeable reviews for each product. Write a brief paper that compares and contrasts the open-source products with the commercial product, being sure to document your sources. For each product, answer the following questions:
For which platforms is the software available (e.g., Windows, Linux, Mac)?
Is there a fee for the software?
What sort of technical support is available (e.g., user manuals, phone support, live help, online documentation)?
Does the open-source software include all of the major features of the commercial product?
Do you think the open-source software is a viable alternative to the commercial product? Why or why not?
1. The software environment includes the stages of design, development and operation. Identify and elaborate on the threats to the software environment at each stage.
Answer:
Stage: Design
Threat 1: Error in assumptions. The engineer makes incorrect assumptions about the capabilities, outputs and behavioural states of the software's execution environment, or about the inputs expected from external entities (users, other software processes). Such assumptions often arise from the need to give end users flexibility in realistic day-to-day operation, for example an option to 'bypass' a control at a critical time. The assumption remains useful, but it poses a threat to the integrity of the system. Similarly, engineers sometimes design authorized system overrides, a kind of exception handling, without realising that they are giving end users a way around the rules.
Threat 2: Flawed design. Mistakes at the software's interfaces with external entities, typically inadequate (or non-existent) input validation, error handling and exception handling. Software today is designed to work alongside other software, often across several operating systems; allowing other software to modify or extend its code or behaviour (plug-ins, extensions, shared components) gives others a way to launch an attack through it.
Threat 3: Insider threat. The engineers who design the software may intentionally leave a 'hole' for shortcuts and future exploitation. A threat like this usually comes from an insider who inserts a 'backdoor' into the source code that he can use later. Once past the design phase, the vulnerability stays in the product unless someone else uncovers it. After the software is on the market, the insider, or anyone with a grievance against a firm that uses the software, can use the backdoor to get into that organisation's network, then send malicious email to the organisation's customers, alter files and applications, or launch a denial-of-service attack, leaving the organisation with a massive problem.
Stage: Development
Threat 1: Insider Threat – A software engineer can sabotage the software at any point in its development life cycle through intentional exclusions from, inclusions in, or modifications of the requirements specification, the threat models, the design documents, the source code, the assembly and integration framework, the test cases and test results, or the installation and configuration instructions and tools.
Threat 2: Flawed Source Code – Flaws in the software's interfaces with external entities. Development mistakes of this type include inadequate (or nonexistent) input validation, error handling, and exception handling. Unintended interactions between software components, including those provided by a third party, can pose a threat to the software when it is deployed in actual use.
Stage: Operation
Threat 1: Insider and External Threats – Any software system that runs on a network-connected platform is likely to have its vulnerabilities exposed to attackers during its operation. Attacks may take advantage of publicly known but unpatched vulnerabilities, leading to memory corruption, execution of arbitrary exploit scripts, remote code execution, and buffer overflows. For example, one insider was able to deliberately plant a virus on all of the organization's customers' systems because he was responsible for deploying new releases to those customer systems.
Threat 2: Flawed Software and Implementation – Software flaws, whether left by software engineers during the development phase or discovered by users, can be exploited to install spyware, adware, and other malware on users' systems, on site or remotely through the Internet. These software flaws or 'holes' could be made into a 'time bomb' that lies dormant until it is triggered to execute. As in the case of Threat 1 under Design (errors in assumptions), a flaw may be discovered by accident when the software is used by the end customer. Such an 'override' is then exploited for the personal benefit of the system user, and if there is no two-person rule or audit involved, he can do whatever he wants when he accesses the system. In fact, he could manipulate and execute any application or data without anyone knowing.
Threat 3: Proper Backup – It is as if an article has been written and modified over time and is suddenly infected by a deadly virus and cannot be retrieved. This kind of threat occurs when there is no proper backup of the software before it is deployed to the operational phase. The separation of software development and deployment, although it mitigates the risk of the software being corrupted at a later stage, needs proper access control in place. Software engineers in the operational phase should be restricted to accessing only certain parts of the source code, and monitored for any modifications to the source code. In the same context, the developers should no longer be involved with the deployment of the software during this phase. Next, proper backup procedures should be stringently enforced so that the insider risk of corrupting the software can be mitigated.
REF:
Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw and Nancy R. Mead, Software Security Engineering: A Guide for Project Managers. Addison-Wesley Professional.
How to Start a Secure Software Development Program, CERT's Podcast Series: Security for Business Leaders. Carnegie Mellon University, in Pittsburgh, Pennsylvania. Interview with Gary McGraw.
Insider Threat and the Software Development Life Cycle, CERT's Podcast Series: Security for Business Leaders. Carnegie Mellon University, in Pittsburgh, Pennsylvania. Interview with Dawn Cappelli.
2. In an organization there should be operation security policies that control the hardware, media, and the operators and administrators with access privileges to the resources. Patricia AP Fisher has defined three (3) critical requirements for operation controls. Find and explain the three (3) critical requirements.
Answer:
The three critical requirements of operation control are resource protection, privileged-entity control, and hardware control.
1. Resource Protection
This is control over how the resources of an organisation, mainly the hardware and peripherals, are used by users within the organisation. Its aim is to safeguard all of the organisation's computing resources from loss or compromise due to malicious attacks. In a networked environment this is usually done with access-control switches, specific domain or IP allocations, and firewalls, so that only those with such access (by authenticated entry) are allowed to use the resources. By enforcing such access control of resources, access to data is monitored, which ensures accountability for data retrieved by any authorized person. Hence, resource protection reduces the possibility of damage due to unauthorized access, which could put Confidentiality and Integrity at risk. Of course, certain data must be guarded because of legal requirements, for example MEDICAL RECORDS PRIVACY and the PRIVACY DATA PROTECTION ACT, and by having resource protection in place such data leakage and litigation risk can be mitigated or prevented.
2. Privileged-entity control
Privileged individuals are those who deal with systems programming, operations, and systems monitoring, and who have access to systems that general users are restricted from. Such privilege can cover the entire system or be centred on certain functions. When a privileged individual makes an alteration, or an insider makes use of a backdoor, the total system is compromised. This means all resources are exposed regardless of any lower-level controls that may have been in place. For example, if the system administrator switches on the wireless router that connects the broadband cable to allow personal use of laptop mobile browsing, despite normal access being solely by network cable, everyone within range of the wireless signal may then access the network irrespective of authentication, unless an authentication process is put in place.
Extended access can be divided into various segments, called classes, with each succeeding class more powerful than those preceding it. The class into which general system users are grouped is the lowest, most restrictive class; a class that permits someone to change the computer operating system is the least restrictive, or most powerful. All other system support functions fall somewhere between these two. Users must be specifically assigned to a class; users within one class should not be able to perform functions assigned to users in other classes. This can be accomplished by defining class designations according to job function, and not permitting access to any lower class except where specifically needed (e.g., all users need general user access to log on to the system).
3. Hardware Control
Hardware itself can have security vulnerabilities and exposures that need to be controlled. The hardware access-control mechanism is supported by operating system software. However, hardware capabilities can be used to obtain access to system resources. Software-based control mechanisms, including audit trail maintenance, are ineffective against hardware-related access. Manual control procedures should be implemented to ensure that any hardware vulnerability is adequately protected. Such a scenario is illustrated below.
In the WINDOWS operating system, all storage hard disks are accessible as long as they are connected to the main processor. In the Linux system Ubuntu, however, access to any hard disk within the same machine still requires authentication. Thus, when an Ubuntu-operated computer falls into the hands of a data thief, by changing the OS to WINDOWS all the hard disks become accessible with a few simple clicks. The safeguard would be to manually implement a locking system, or to store the hardware in a secure place to prevent theft.
Some equipment provides hardware maintenance functions that allow main storage to be displayed and modified, in addition to the ability to trace all program instructions while the system is running. Although it is possible to access business information directly from main storage, the information may be encrypted. It is simpler to obtain privileges and run programs that can turn encrypted data into understandable information. Another hardware-related exposure is the unauthorized connection of a device or communications line to a processor, which can access information without passing through the required controls. The example of switching on the wireless function of a multi-purpose router, as illustrated in the 'Privileged-entity Control' section, is a common pitfall.
REF:
Patricia AP Fisher, Information Security Management Handbook, 6th Ed., Chapter 199, pages 2629-2639.
3. Give five (5) types of operational environment controls with a short description of each.
Answer:
These are ways to achieve operation control, and they include methods to achieve resource protection, privileged-entity control, and hardware control.
I. Preventive and Administrative Control – Policies and procedures that describe what actions privileged entities may take, and audit logs and monitoring processes (detective/technical) to check their actions. Segregation of duties also serves as a preventive control to deter privileged entities from having absolute control of the operational environment.
II. Preventive and Physical Control – Hardware security controls keep unauthorized hardware out of the environment and control access and modification to authorized hardware. Examples are server rack locks (preventive/physical), configuration management (preventive/administrative), and rogue wireless access point monitoring (detective/technical).
III. Software Security Controls – Software includes the operating system, application programs, database management system, and network software. Software security controls are implemented to keep unauthorized software out and to control the installation and modification of authorized software. Antivirus systems are an example of a preventive technical control that prevents the installation of malicious code onto a system. A policy requiring a software change control process is a preventive administrative control. File integrity checking systems are detective technical controls that detect unauthorized changes to system files. Backup and restore software and processes are recovery controls (the backup process is administrative; the backup system hardware and software is technical).
IV. Input, Processing, and Output Controls – All information systems take some input and process it to produce output. Security controls are put in place to ensure that, as data moves through the system, it is processed correctly according to the rules of the system. An example of an input security control is a policy that allows only authorized users to input data. Another input security control is to have the system validate all input: for example, if a name is entered into the system, it should not contain special characters, and if a month number is entered, it should be between 1 and 12 (bounds checking). Processing controls ensure that transactions are completed correctly; if processing is interrupted, they ensure the system recovers and transactions are not left hanging. Output security controls govern who has access to the output and also guard the integrity of the output. An example of an output control is to allow printing only to certain printers in secure locations. Marking and numbering output copies is another control used to track and control the distribution of sensitive output.
V. Media Controls – Media controls are concerned with protecting sensitive information while it is stored outside the information system. Media is generally considered to be tape; other types of media are floppy disks, CDs, DVDs, USB devices, or any other removable media. Examples of media security controls are to log (or catalogue) all media, to control access to media by locking it up and logging its use, and to control the reuse and destruction of media. Media protection is the job of the Media Librarian (or Tape Librarian).
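The input validation called for under IV above (a name without special characters, a month number bounds-checked to 1 to 12) is the same control whose absence is listed as Flawed Design and Flawed Source Code in the software life-cycle threats earlier on this page. The example below is added here and is not from the page's references; it uses an allowlist pattern for names (the exact character set is an assumption for the demonstration), rejects rather than silently repairs bad input, and reports every failing field of a record at once so that a caller never acts on partially checked data. The sample records are constructed.

```python
import re

# Allowlist for a person's name: letters, spaces, hyphens and apostrophes only.
# Anything outside the list is rejected outright rather than stripped out.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


class ValidationError(ValueError):
    """Raised when input violates the system's rules."""


def validate_name(value):
    """Accept a name only if the whole string matches the allowlist."""
    if not isinstance(value, str):
        raise ValidationError("name must be a string")
    if not NAME_PATTERN.fullmatch(value):
        raise ValidationError("name contains disallowed characters or is empty")
    return value.strip()


def validate_month(value):
    """Bounds check: month must be an integer between 1 and 12 inclusive."""
    try:
        month = int(str(value).strip())
    except ValueError:
        raise ValidationError("month must be a number")
    if not 1 <= month <= 12:
        raise ValidationError("month out of range")
    return month


def validate_record(raw):
    """Validate one input record as a whole. Returns the clean record, or
    raises ValidationError naming every field that failed."""
    clean, errors = {}, []
    for field, validator in (("name", validate_name), ("month", validate_month)):
        try:
            clean[field] = validator(raw.get(field))
        except ValidationError as exc:
            errors.append(f"{field}: {exc}")
    if errors:
        raise ValidationError("; ".join(errors))
    return clean


def process_batch(records):
    """Separate accepted records from rejected ones (with the reason),
    instead of dropping or 'fixing' bad input unnoticed."""
    accepted, rejected = [], []
    for raw in records:
        try:
            accepted.append(validate_record(raw))
        except ValidationError as exc:
            rejected.append((raw, str(exc)))
    return accepted, rejected


SAMPLE_INPUT = [  # constructed sample input, not from any real system
    {"name": "Ann Lee", "month": "7"},
    {"name": "Bob$", "month": "3"},
    {"name": "Carol", "month": "13"},
    {"name": "", "month": "abc"},
]

if __name__ == "__main__":
    ok, bad = process_batch(SAMPLE_INPUT)
    print("accepted:", ok)
    print("rejected:", bad)
```

Validating at the boundary, before any processing, is what keeps the Processing and Output controls simple: everything downstream can assume the rules already hold.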
REF:
James E. Purcell, Security Control Types and Operational Security
4. Define the meaning of Cryptology and its relation to Confidentiality, Integrity and Availability.
Answer:
Cryptology refers to the mathematical science and field of study that comprises both cryptography and cryptanalysis.
Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.
Cryptanalysis is the study of mathematical techniques for attempting to defeat cryptographic techniques, and, more generally, information security services.
Hence, cryptology is both the coding and decoding of information, enabling such information to be hidden from third parties. Its relation to Confidentiality, Integrity and Availability is explained below.
Confidentiality – the focus of cryptology has been on the use of symmetric encryption to provide confidentiality. In fact, this is the core reason cryptography existed in ancient days: so that only a few were able to know the real information, for maneuvering for power.
Integrity – the recipient of a message must be able to verify its authenticity and origin. In this case, one can add an authentication tag such as a digital signature to a message and have the recipient verify the tag before he or she accepts the message as genuine.
Availability – information is available to users as required, at any time and with relative ease. In this case, cryptography allows secured information to be transmitted over the Internet or other electronic means, across a wide geographical area and almost instantly, provided that the receiver has the key to open the message.
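The authentication tag described under Integrity, as an added example that is not from the page's references: the sender attaches an HMAC-SHA256 tag to the message and the recipient recomputes it, in constant time, before accepting the message. The packet layout (tag followed by message), the shared 32-byte key and the message text are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # SHA-256 output length


def make_tag(key, message):
    """Compute an HMAC-SHA256 authentication tag over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key, message):
    """Sender side: attach the tag to the message (tag || message)."""
    return make_tag(key, message) + message


def receive(key, packet):
    """Recipient side: recompute the tag and compare it in constant time
    before accepting the message. Returns the message, or None if rejected."""
    tag, message = packet[:TAG_LEN], packet[TAG_LEN:]
    if not hmac.compare_digest(tag, make_tag(key, message)):
        return None
    return message


def demo():
    """Constructed exchange: a genuine packet is accepted, a packet whose
    body was altered in transit is rejected. Returns both outcomes."""
    key = secrets.token_bytes(32)  # shared secret, generated for the demo
    packet = send(key, b"transfer 100 to account 42")
    genuine = receive(key, packet)
    # an in-transit modification of the body while the old tag is kept
    tampered = packet[:TAG_LEN] + packet[TAG_LEN:].replace(b"100", b"900")
    forged = receive(key, tampered)
    return genuine, forged


if __name__ == "__main__":
    print(demo())
```

An HMAC uses a key shared by both parties, so it proves integrity and origin to the recipient but not to anyone else: either party could have produced the tag. Non-repudiation, which the page's PKI discussion later relies on, needs a digital signature made with a private key that only the signer holds.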
REF:
Cryptography and Network Security Principles and Practices, Fourth Edition by William Stallings.
Contemporary cryptography by Rolf Oppliger.
Menezes, Van Oorschot and Vanstone, Handbook of Applied Cryptography, pages 1-15.
5. What is the difference between a block cipher and a stream cipher?
Answer:
A block cipher is an encryption scheme that breaks up the plaintext messages to be transmitted into strings (called blocks) of a fixed length t over an alphabet A, and encrypts one block at a time.
A stream cipher applies simple encryption transformations according to the keystream being used. The keystream may be generated at random, by an algorithm that generates the keystream from a small initial keystream (called a seed), or from a seed and previous ciphertext symbols. It processes the message bit by bit (as a stream) and simply adds the message bits to random key bits. The drawback is that it requires as many key bits as there are message bits, hence doubling the amount of information to be transmitted. It is difficult in practice but more secure than a block cipher, provided that the key is truly random.
Generally speaking, a stream cipher is more secure and faster than a block cipher. However, a block cipher is more practical and more commonly used.
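To make the difference concrete, the following added example (written for this page; the ciphers in it are toys, not standard algorithms, and must not be used for real data) builds both kinds of scheme from SHA-256. The block cipher is a four-round Feistel network on 16-byte blocks with padding, encrypting each block independently; the stream cipher expands a short seed into a keystream that is XORed byte by byte; a one-time-pad function shows the "key as long as the message" case from the text. The keys, seed and messages are constructed for the demonstration.

```python
import hashlib
import os

BLOCK = 16        # block length t, in bytes
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    """Toy Feistel round function: a keyed hash truncated to one half-block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt_one(key, block):
    """Encrypt exactly one block with a ROUNDS-round Feistel network."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left


def block_decrypt_one(key, block):
    """Same structure with the round keys applied in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left


def pad(data):
    """Pad to a whole number of blocks (each pad byte holds the pad length)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def block_encrypt(key, message):
    """Split the padded message into fixed-length blocks and encrypt each
    one independently. Equal plaintext blocks give equal ciphertext blocks."""
    data = pad(message)
    return b"".join(block_encrypt_one(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def block_decrypt(key, ciphertext):
    data = b"".join(block_decrypt_one(key, ciphertext[i:i + BLOCK])
                    for i in range(0, len(ciphertext), BLOCK))
    return unpad(data)


def keystream(seed, length):
    """Expand a short seed into a keystream by hashing seed || counter."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def stream_encrypt(seed, message):
    """Stream cipher: XOR each message byte with the matching keystream byte.
    Decryption is the same operation with the same seed."""
    return _xor(message, keystream(seed, len(message)))


def one_time_pad(key, message):
    """The 'truly random key' case: the key must be exactly as long as the message."""
    if len(key) != len(message):
        raise ValueError("one-time pad key must be as long as the message")
    return _xor(key, message)


def compare(message):
    """Ciphertext length under each scheme for one constructed message."""
    key = b"0123456789abcdef"  # constructed demo key
    return {"block": len(block_encrypt(key, message)),
            "stream": len(stream_encrypt(b"seed", message)),
            "otp": len(one_time_pad(os.urandom(len(message)), message))}
```

Two things the paragraph above states become visible when this runs: the block cipher output is always a multiple of the block length because of padding, while the stream cipher output is exactly as long as the message; and because the toy block cipher encrypts each block on its own, two identical plaintext blocks produce identical ciphertext blocks, which is why real block ciphers are used with a chaining mode rather than block by block.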
REF:
Menezes, Van Oorschot and Vanstone, Handbook of Applied Cryptography, page 15.
6. List the types of cryptanalytic attacks.
Answer:
Types of cryptanalytic attacks are listed below.
Reverse Engineering
Guessing
Frequency Analysis
Brute Force
Ciphertext-Only Attack
Known Plaintext Attack
Attacks on Random Number Generators
Chosen Plaintext Attack
Birthday Attack
Factoring Attack
Replay Attack
Man-in-the-middle Attack
Dictionary Attacks
Inference
REF:
Information Security Management Handbook, 6th Ed., pages 1260-1265.
Part B: Case Study [10 Marks]
Read and understand the attached article. From your understanding, write an essay describing how the story illustrates the benefits of using PKI in that organization for managing information and security requirements.
Attachment Title: Deploying and Using Public Key Technology: Lessons Learned in Real Life
Answer:
The Johnson & Johnson (J&J) deployment of a Public Key Infrastructure (PKI) in its IT security system is in fact state of the art in its implementation. J&J benefited greatly from the advantages of PKI in its IT communication within its internal management, with its immediate business partners and the government authorities, and with the greater community of the public, who rely on its information for decision making. The effect of such communication can be confined to the internal organization, be inter-organisational, or even be global, for example in a pandemic of H1N1 flu or a bio-terrorism event.
A PKI is especially important for a diversified company like J&J. People from different divisions and regions, or in sister companies, do not usually know each other, yet they may share the same information source from top management. This is especially the case when they share scientific discoveries from a few research centres around the world on the same platform to speed up the process of drug discovery. It is already a daunting task to communicate high-level scientific findings and ensure flawless information transfer, even before the concern of a secured telephone line or of who is really who at the other end of the Internet. Furthermore, certain decisions from top management are to be executed at the regional or even local level, where cooperation and coordination from the ground level are crucial to their ultimate success. Such activities entail communication at a personal level and may require verification of who's who, to give assurance that disclosure of information will not have a detrimental economic effect on an entire division of the organisation, or on the whole of J&J in the eyes of the public.
This is the core area in which PKI could benefit the organization. PKI, in a nutshell, is an identity reference point that lets users confirm who's who, ensuring that an email or communication is directed at the rightful person. The reference point is the Certificate Authority (CA), which issues a Digital Certificate to everyone in the community and keeps a record of who's who. Therefore, anyone in the J&J community, or any outsider who needs to ascertain who's who in the J&J organisation, refers to this authority for identity verification. If MrNazri is really the MrNazri of J&J Malaysia, as verified by the J&J CA, it is taken as non-repudiable that MrNazri is who he says he is.
The process of such verification is the job of the CA, and much of its work is certifying who's who by reference to a third party, by both electronic and non-electronic means, for example viewing original copies of certificates or identity cards, passports or driving licences, or membership qualifications issued by government authorities or academic organisations. Such activity is called establishing the Root CA, and in this case it is carried out independently by a department inside J&J. This segregation of duty between the CA and the Root CA benefits the CA in ensuring the authenticity of the identity.
Hereinafter, the identity certificate (Digital Certificate) issued by the CA authenticates the origin of all users of the PKI, making sure that whoever receives the information is the correct identity rather than a hacker or a passer-by. This benefit of PKI takes away the worry of mistakenly sending classified information to the wrong person, or of visiting a J&J webpage that is in fact a bogus website set up to cheat ignorant employees or the public out of their LoginIDs and passwords as part of a social engineering tactic.
The mechanism of PKI, in closer detail, is that staff can encrypt and/or digitally sign documents. Much of the job is done by the server and the desktop that the employee uses in the organisation. In this manner it keeps documents safe, limits who can change them, and gives non-repudiation to its users. Non-repudiation is a way to guarantee that the creator of a document cannot later deny having created it. It also means that a user can prove who sent and received messages.
For communication via the Internet, by using a PKI system users can encrypt and/or digitally sign e-mails. PKI can also be used for access control and authentication. The Digital Certificates are linked to specific individuals (or computers), and users can ask the CA to configure Digital Certificates so that the individual can only use them for certain tasks. All in all, PKI is quite a sophisticated system.
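The chain of trust just described (the CA vouches for a name and a public key by signing a certificate; a relying party checks the CA's signature on the certificate and then the user's signature on the message) can be shown end to end in a few lines. The example below is added here, not taken from the J&J case study or from the page's references. It uses a toy RSA with small fixed Mersenne primes and a JSON canonical form for the certificate body; real PKIs use X.509 certificates and keys of 2048 bits or more, so none of this is usable in practice. The CA name, subject names and message are constructed.

```python
import hashlib
import json


def toy_keypair(p, q, e=65537):
    """Toy RSA key pair from two fixed primes (for illustration only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


def _digest_int(data, n):
    """Hash the data and reduce to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def _canonical(obj):
    """Deterministic byte form of the certificate body so signer and verifier agree."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(priv, data):
    return pow(_digest_int(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest_int(data, pub["n"])


class CertificateAuthority:
    """Issues certificates binding a subject name to a public key."""

    def __init__(self, name, p, q):
        self.name = name
        self.public_key, self._private_key = toy_keypair(p, q)
        self.issued = {}  # the CA's record of who's who

    def issue(self, subject, subject_pub):
        tbs = {"subject": subject, "issuer": self.name, "public_key": subject_pub}
        cert = dict(tbs, signature=sign(self._private_key, _canonical(tbs)))
        self.issued[subject] = cert
        return cert


def verify_certificate(cert, ca_public_key):
    """Is this certificate genuinely signed by the CA we trust?"""
    tbs = {k: cert[k] for k in ("subject", "issuer", "public_key")}
    return verify(ca_public_key, _canonical(tbs), cert["signature"])


def verify_signed_message(message, sig, cert, ca_public_key):
    """Relying party: trust only the CA key, check the certificate, then the message."""
    if not verify_certificate(cert, ca_public_key):
        return False
    return verify(cert["public_key"], message, sig)


def demo():
    """Constructed scenario. Returns (genuine accepted, edited cert rejected,
    self-issued cert rejected)."""
    ca = CertificateAuthority("J&J CA (constructed)", (1 << 61) - 1, (1 << 89) - 1)
    nazri_pub, nazri_priv = toy_keypair((1 << 31) - 1, (1 << 107) - 1)
    cert = ca.issue("MrNazri, J&J Malaysia", nazri_pub)
    msg = b"Approve shipment 42 (constructed message)"
    sig = sign(nazri_priv, msg)
    genuine = verify_signed_message(msg, sig, cert, ca.public_key)

    # A certificate whose subject was edited after issue no longer matches the CA signature.
    edited = dict(cert, subject="MrSomeoneElse")
    edited_ok = verify_signed_message(msg, sig, edited, ca.public_key)

    # A certificate for the same name that its holder signed himself is not from the CA.
    imp_pub, imp_priv = toy_keypair((1 << 19) - 1, (1 << 127) - 1)
    tbs = {"subject": "MrNazri, J&J Malaysia", "issuer": ca.name, "public_key": imp_pub}
    self_made = dict(tbs, signature=sign(imp_priv, _canonical(tbs)))
    self_ok = verify_signed_message(msg, sign(imp_priv, msg), self_made, ca.public_key)
    return genuine, edited_ok, self_ok


if __name__ == "__main__":
    print(demo())
```

The relying party never needs to know MrNazri's key in advance; it only needs the CA's public key, which is what makes the scheme scale to people who do not know each other. The part the code cannot show is the vetting the essay describes: whether the CA actually checked the person before issuing the certificate is a procedural control, and it is what the FDA concern later in the essay is about.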
PKI is an infrastructure, and therefore not an easy system to maintain and operate. For small businesses operating in a limited geographical area, it is advisable to outsource PKI to a professional third party, because an in-house PKI does not serve the purpose and its cost is high. For the scale of Johnson & Johnson, this is definitely not the case. Conversely, it is in fact a masterpiece of PKI execution to its fullest potential, given such a scale of geographical presence and the magnitude of J&J's business. Being a major player in the medical industry, it has one of the most highly technical businesses in the world, and its research and development findings are vulnerable to sabotage. All this poses tremendous financial risk, not just to the company in terms of share prices, but also to the general public who are customers for its medical equipment and drugs.
The deployment of PKI in Johnson & Johnson went with a fully internal Certificate Authority (CA), rather than a third-party professional CA outside. The case study explained this with three reasons, one of them being the failure of an outside vendor. For an organization as gigantic as Johnson & Johnson, a fully internal CA may be more acceptable than it would be for a smaller one. This may be compromised if the CA is given too much autonomy, which in this case it was not. The separation of the CA from the Enterprise Directory, the involvement of the separate departments of HR and IT (the Microsoft Exchange Directory for email), and the procedures of the WWID and supervisor inspection of applications for Digital Certificates, may provide a watchdog role over the architectural integrity of the CA.
From the integrity point of view, at first glance the segregation of identity verification mentioned above puts the CA in an almost irrefutable position. However, a regulatory body that holds public trust, like the FDA, needs to put its whole trust in Johnson & Johnson's internal CA management. Inevitably, the FDA is taking everything fed to it by Johnson & Johnson to be the truth of all truths. The FDA, being an independent third party, may need to audit Johnson & Johnson for such an infrastructure; otherwise, how can a thief call the police and expect them to trust his judgment? If an outside CA were engaged in this situation, such a concern might be reduced.
The biggest challenge in such a huge-scale deployment of PKI is no doubt human inadequacy of knowledge and unwillingness to change. As machines operate at a higher level of efficiency than humans, there is difficulty in matching the two together. Therefore, the challenges illustrated, such as failed keys and certificate-revocation lists, immense stress on the help desks, language issues and others, make such a deployment not really meaningful for a small business, or where information is not such a critical matter in sustaining the business.
It is, however, interesting to mention that although Johnson & Johnson is such a diversified organization, the deployment of PKI in this organization was surprisingly straightforward, both politically and financially. Imagine the polarised views of top management and the rivalry among IT managers from different countries and regions, the different stages of IT infrastructure across continents, and the different operating systems that may have been running for years. It is hard to imagine that a PKI of such magnitude could be implemented at all.
Think of the cost of replacing old computers, changing hardware and upgrades, the incompatibility of operating systems, the different languages used, and the different IT stages of the different geographical areas and peoples. It is indeed a nightmare!
REF:
Chey Cobb, Cryptography for Dummies, Part II: Public Key Infrastructure, Chapters 5-7.