Chapter Eleven

ONLINE FILE W11.1 CSI/FBI 2002 COMPUTER SECURITY SURVEY

The best known and most widely cited annual survey of computer security is conducted by the Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad. The results from the 2002 survey were based on the responses of 538 security practitioners. Of these respondents, approximately 50 percent worked for organizations that conducted e-commerce on their Web sites. Their responses reinforced patterns that have appeared over the past 5 to 6 years. More specifically (CSI and FBI 2002):

1. Organizations continue to experience cyber attacks from inside and outside of the organization. Of the organizations surveyed, about 90 percent of the respondents indicated that they had detected security breaches over the past 12 months.

2. The types of cyber attacks that organizations experienced were varied. For example, 85 percent detected computer viruses, 78 percent detected Net abuse (unauthorized uses of the Internet) by employees, and 40 percent were the victims of denial-of-service attacks.

3. The financial losses from a cyber attack can be substantial: 80 percent of the respondents acknowledged that they had experienced financial losses due to various cyber attacks. Of these respondents, 44 percent were willing to detail their losses. The combined loss for these respondents was approximately $455 million. As in previous years, the theft of proprietary information and financial fraud accounted for more than half of the losses.

4. It takes more than one type of technology to defend against cyber attacks. Virtually all of the respondents indicated that they employed physical security devices, firewalls, access control, and a number of other techniques and technologies to reduce or thwart cyber attacks from both the inside and outside the organization.
In response to the growing incidents of cyber attacks and cyber crime that occurred up to and including 2002, the FBI formed the National Infrastructure Protection Center (NIPC), which is located at FBI headquarters. This is a joint partnership between government and private industry and is designed to prevent attacks and protect the nation's infrastructure: telecommunications, energy, transportation, banking and finance, and emergency and governmental operations. The FBI also established Regional Computer Intrusion Squads, which are located at different FBI offices throughout the United States. These are charged with the task of investigating violations of the Computer Fraud and Abuse Act. This Act and the Intrusion Squads' activities are focused on intrusions into public switched networks, major computer network intrusions, privacy violations, industrial espionage, pirated computer software, and other cyber crimes.

Source: CSI and FBI. Computer Crime and Security Survey. 2002. gocsi.com (accessed December 2004). Adapted with permission.

1. What is the Computer Security Institute?

2. What units does the FBI have for combating cyber attacks?

3. Based on the 2002 CSI/FBI survey data, what were the major patterns and trends in cyber attacks?
ONLINE FILE W11.2 IT SECURITY SPENDING PATTERNS

A survey of 2,196 IT security professionals conducted in 2002 by Information Security Magazine (Briney and Prince 2002) looked specifically at the security practices of organizations of various sizes. The results were surprising:

Small organizations (10 to 100 computers). Small organizations tend to be divided into the haves and have-nots. The haves are centrally organized, devote a sizeable percentage of their IT budgets to security, spend the most money on security per employee, have well-established incident response plans, and base their security decisions on management-approved policies. Their major problem is that they are dependent on one or two people to manage their IT security; their success or failure depends on these individuals. In contrast to the haves, the have-nots are basically clueless when it comes to IT security. This makes them extremely vulnerable to cyber attacks and intrusions. Fortunately, for most small organizations, the chance of an attack is lower than it is for other organizations, and the chance of loss also is smaller. Unfortunately, if they do suffer an attack, the results can be catastrophic.

Medium organizations (100 to 1,000 computers). The systems of medium-sized organizations are more complex than those of smaller organizations. These organizations rarely rely on managerial policies in making security decisions, and they have little managerial support for their IT policies. Their budgets and staffing are smaller than those of organizations of any other size. The staff they do have is poorly educated and poorly trained. As a consequence, their overall exposure to cyber attacks and intrusion is substantially greater than that of smaller organizations (70 percent said they suffered damage or loss).

Large organizations (1,000 to 10,000 computers). Large organizations have complex infrastructures and substantial exposure on the Internet.
Although their aggregate IT security expenditures are fairly large, their security expenditures per employee are low. Where they skimp is on security head count. In general, IT security is part-time and undertrained. As a consequence, a sizeable percentage of the large organizations suffer loss or damage due to incidents. Despite these obstacles, large organizations do base their security decisions on organizational policies.

Very large organizations (more than 10,000 computers). The average IT security budget of very large organizations was $6 million, which is substantially greater than those of other organizations. However, the average IT security expenditure per employee is the lowest. Organizations of this size rely on managerial policies in making IT security decisions, although only a small percentage have a well-coordinated incident response plan. The major difficulty is that these are extremely complex environments that are difficult to manage even with a larger staff.

Based on these findings, the survey concluded that while there is increasing security awareness among organizations of all sizes, IT security is still trying to gain a foothold in the day-to-day activities that impact the organization. Even though spending has increased, it has not kept pace with security demands, especially in large, complex organizations. Although most organizations have management-approved security policies, these policies have little impact on the way in which organizations respond to specific security incidents.

Source: Briney, A., and F. Prince. 2002 ISM Survey. Information Security, September 2002. infosecuritymag.com/2002/sep/2002survey.pdf (accessed December 2004). Adapted with permission.

1. Based on the Information Security Magazine survey results, what are some of the major differences in security issues facing small, medium, large, and very large organizations?

2. Does the amount of money that an organization spends on security have an impact on the chance of an organization suffering loss or damage due to cyber attacks? Explain.
ONLINE FILE W11.3 BRUTE FORCE CREDIT CARD ATTACK

On September 12, 2002, Spitfire Novelties fell victim to what is called a brute force credit card attack. On a normal day, the Los Angeles-based company generates between 5 and 30 transactions. That Thursday, Spitfire's credit card transaction processor, Online Data Corporation, processed 140,000 fake credit card charges worth $5.07 each. Of these, 62,000 were approved. The total value of the approved charges was around $300,000. Spitfire found out about the transactions only when it was called by a credit card owner who had been checking his statement online and had noticed the $5.07 charge.

Brute force credit card attacks require minimal skill. Hackers simply run thousands of small charges through merchant accounts, picking numbers at random. Although the number of valid transactions is likely to be minuscule, when the perpetrator finds a valid credit card number, the number can then be sold on the black market. Some modern-day black markets are actually member-only Web sites where hackers trade illicit information such as stolen credit card numbers.

A brute force attack rests on the perpetrator's ability to pose as a merchant requesting authorization for a credit card purchase. This requires either a merchant ID, a password, or both. In the case of Online Data's credit card processing services, all a perpetrator needed was a merchant's password in order to request authorization. Online Data is a reseller of VeriSign Inc. credit card gateway services. Although VeriSign actually handles the transactions, Online Data issues passwords to its merchant customers. VeriSign blamed Online Data for the incident. Online Data blamed Spitfire for not changing its initial starter password. Spitfire reported that its password was OnlneAp16501, which was the one Online Data had given it originally. Most likely, many of the other merchants being serviced by Online Data also had failed to change their passwords.
At a minimum, Online Data ought to assign strong passwords at the start. In turn, its customers need to modify those passwords frequently.

Like Online Data, other credit card processors have fallen prey to similar brute force attacks. In April 2002, hackers got into the Authorize.Net card processing system, executing 13,000 credit card transactions, of which 7,000 succeeded. A number of the merchants that had been victimized indicated that entry into the Authorize.Net system required only a logon name, not a password. Once the hackers obtained the merchant ID, they could test as many credit card numbers as they wanted. Several thousand merchants use Authorize.Net, performing millions of transactions per month. It is the largest gateway payment system on the Internet. The method used to access the Authorize.Net system really depends on the processes used by the resellers issuing the merchant IDs. Regardless, good security practices dictate that authorization ought to require more than a logon ID.

Even if a merchant's logon ID and password fall into the hands of a hacker, authorization services such as VeriSign and Authorize.Net should have built-in safeguards that recognize brute force attacks. Any time a merchant issues an extraordinary number of requests, it ought to automatically trigger a more extensive authorization process. Repeated requests for small amounts emanating from the same merchant should be an automatic signal that something is amiss. Fortunately for Spitfire, VeriSign halted the transactions before they were settled, saving the merchant $316,000 in charges. The other merchants using the Authorize.Net system were not so lucky. Although the transactions were only for pennies, these merchants were charged $0.35 for each transaction. The only ones who really made out were the criminals perpetrating the assault. The transactions that were approved gave them thousands of valid credit card numbers to sell on the black market.
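As an added illustration (not code from the original text, from VeriSign, or from Authorize.Net), the following Python sketch turns the three warning signs the passage names (request volume far above the merchant's normal day, many identical small amounts from one merchant, and a high decline rate) into checks a gateway could run over its own authorization log before settlement. The log, the per-merchant baselines, and the thresholds are constructed or assumed values; only the Spitfire proportions (140,000 requests of $5.07, 62,000 approved, against a normal day of 5 to 30) come from the case.

```python
from collections import Counter, defaultdict

# Thresholds are assumed values, not from the case study; tune per processor.
VELOCITY_FACTOR = 10     # flag when a day's requests exceed 10x the baseline
SMALL_AMOUNT = 10.00     # "pennies" up to a few dollars
REPEAT_SHARE = 0.8       # share of requests carrying one identical small amount
DECLINE_SHARE = 0.5      # share of authorization requests that were declined
MIN_REQUESTS = 100       # ratio rules need a minimum sample to be meaningful

# Assumed per-merchant normal daily volume (e.g., a trailing 30-day median).
BASELINE = {"M-SPIT": 20, "M-BIG": 50_000, "M-SHOP": 300}


def build_sample_log():
    """Constructed authorization records: (merchant_id, amount, approved)."""
    log = []
    # M-SPIT: a merchant with a 5-30 sale day receiving 140,000 $5.07 charges,
    # 62,000 of them approved (the Spitfire proportions).
    log += [("M-SPIT", 5.07, i < 62_000) for i in range(140_000)]
    # M-BIG: large legitimate merchant, varied amounts, about 4 percent declines.
    log += [("M-BIG", round(12.0 + (i % 400) * 0.73, 2), i % 25 != 0)
            for i in range(48_000)]
    # M-SHOP: small shop on a busy but ordinary day, 5 percent declines.
    log += [("M-SHOP", round(8.0 + (i % 37) * 1.1, 2), i % 20 != 0)
            for i in range(420)]
    return log


def merchant_stats(log):
    """Aggregate per merchant: request count, declines, amount histogram."""
    stats = defaultdict(lambda: {"n": 0, "declined": 0, "amounts": Counter()})
    for merchant, amount, approved in log:
        s = stats[merchant]
        s["n"] += 1
        s["declined"] += 0 if approved else 1
        s["amounts"][amount] += 1
    return stats


def flag_merchants(log, baseline=BASELINE):
    """Return {merchant_id: [reasons]} for merchants whose traffic should be
    held for the more extensive authorization process the passage calls for."""
    flags = {}
    for merchant, s in merchant_stats(log).items():
        n, reasons = s["n"], []
        expected = baseline.get(merchant, MIN_REQUESTS)
        if n > VELOCITY_FACTOR * expected:
            reasons.append(f"{n} requests exceed {VELOCITY_FACTOR}x baseline {expected}")
        amount, top = s["amounts"].most_common(1)[0]
        if n >= MIN_REQUESTS and amount <= SMALL_AMOUNT and top / n >= REPEAT_SHARE:
            reasons.append(f"{top} of {n} requests are the same small amount ${amount:.2f}")
        if n >= MIN_REQUESTS and s["declined"] / n >= DECLINE_SHARE:
            reasons.append(f"decline rate {s['declined'] / n:.0%}")
        if reasons:
            flags[merchant] = reasons
    return flags


if __name__ == "__main__":
    for merchant, reasons in flag_merchants(build_sample_log()).items():
        print(merchant, "-> hold for extended authorization:", "; ".join(reasons))
```

Because the volume rule is relative to each merchant's own baseline, the large merchant's 48,000 legitimate requests are not flagged while the small merchant's flood trips all three rules.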
Any type of EC involves a number of players who use a variety of network and application services that provide access to a variety of data sources. The sheer numbers are what make EC security so difficult. A perpetrator needs only a single weakness in order to attack a system. Some attacks require sophisticated techniques and technologies. Most, however, are like the brute force method used in the attack on Spitfire: simple techniques preying on poor security practices and human weaknesses. Because most attacks are not sophisticated, standard security risk management procedures can be used to minimize their probability and impact.

Sources: Sullivan (2002a, 2002b).

1. What is a brute force credit card attack?

2. How is a brute force credit card attack perpetrated?

3. What was the primary security gap that enabled hackers to break into Spitfire Novelties' credit card transaction processor?

4. What sorts of steps could have been taken to avoid the credit card attack on Spitfire Novelties' credit card transaction processor?
ONLINE FILE W11.4 BIOMETRIC AUTHENTICATION AT THRIFTWAY

In May 2002, West Seattle Thriftway, a privately owned supermarket, deployed biometric technology at its cash registers. Instead of using credit cards or checks, customers could pay with a fingerprint scan. To participate in the Pay By Touch program, customers first registered by filling out various forms; providing a credit card, debit card, or checking account number; selecting a seven-digit passcode (known only to them); and allowing their fingerprint to be scanned. Once they signed up, every time they checked out at a cash register, they simply provided the seven-digit passcode and had their fingerprint scanned. Once the system had verified their identity, the amount of their bill was automatically deducted from their credit card, debit card, or checking account.

Indivos, an Oakland, California software company, developed the biometric system used in the Pay By Touch program. The cost to implement the system is between $150 and $200 per sensor. There is one sensor per cash register. The fingerprint scanning system not only speeds the checkout process, but also reduces the interchange fees that the company would pay if customers used their credit cards. Unlike the credit card companies that charge for every transaction, Indivos only charges a fee for every four transactions.

The Pay By Touch system is a verification system. In the system, the user makes a claim by entering a passcode number. The fingerprint template associated with that number is then checked against the actual fingerprint scan. This eliminates the need for the system to search through the database of fingerprint templates comparing the actual scan against all the scans in the database.

All biometric systems have their problems. The chance that the fingerprints of any two Thriftway customers are the same is infinitesimal.
For Thriftway, this means that the probability that one person can falsely charge his or her bill to another person's account is extremely small. However, what happens if a customer has a cut on their finger, a broken finger, or oily or dry hands? These changes can preclude the use of the fingerprint device or can lead the system to reject the customer even though the system should authorize their payment. Thriftway has a number of backups to the system. If the system does not work, the customer can pay by check, credit card, or debit card. The same is true with other biometric systems. Because there is always the possibility of a false rejection, many systems offer fallback authentication, whether to a live operator, a password, or another biometric method.

Sources: U.S. Banker (2002) and Alga (2002).

1. Explain how a fingerprint-scanning system works.

2. Why would Thriftway have chosen a verification system rather than an identification system?

3. What are some of the complications that might arise in using a fingerprint-scanning system to verify a person's identity?
ONLINE FILE W11.5 IS IT A QUESTION OF COMMON SENSE?

On September 9, 2002, the Internet Security Alliance (ISAlliance; isalliance.org) released results from a security survey conducted jointly with the National Association of Manufacturers (NAM) and RedSiren Technologies Inc. (Durkovich 2002). The survey asked 227 information security specialists from North America, Europe, the Middle East, and the Pacific Rim regions to compare their current attitudes toward information security with their attitudes prior to the 2001 terrorist attacks on the World Trade Center and the U.S. Pentagon. Overall, the results showed that information security was crucial to the survival of the organization or business. However, most were still inadequately prepared to meet their current security challenges, and just as importantly, most lacked senior management commitment to address these challenges. The following are some of the specific survey findings:

- The overwhelming majority (91 percent) recognize the importance of information security.
- Most of the organizations reported at least one attack in the past year, with approximately 30 percent reporting more than six attacks.
- Almost half (48 percent) said that the terrorist attacks made them more concerned about information security, while an equal number (48 percent) said there had been no change in their attitudes.
- Forty-seven percent said that they had increased spending on information security since the attacks.
- Forty percent said that they had improved their physical security, electronic security, network security, and security policies since the attacks.
- Thirty percent indicated that their companies are still inadequately prepared to deal with security attacks.
Based on the results of the survey, the ISAlliance and its partners concluded that it is clear that many organizations need to revise how security risks, threats, and costs are identified, measured, and managed, and that information security specialists must work together to identify and implement more effective ways to communicate these pertinent issues to senior executives and also to ensure these issues are given adequate visibility and priority in all organizations (Durkovich 2002).

Based on the results of this and similar surveys, along with their general knowledge of the security industry, the Best Practices Working Group of the Internet Security Alliance has identified 10 of the highest priority and most frequently recommended practices necessary for implementation of a successful security process. The practices encompass policy, process, people, and technology. They include (ISAlliance 2002):

1. General management. Information security is a normal part of everyone's responsibilities, managers and employees alike. Managers must ensure that there are adequate resources, that security policies are well defined, and that the policies are reviewed regularly.

2. Policy. Security policies must address key areas such as security risk management, identification of critical assets, physical security, network security, authentication and authorization, vulnerability and incident management, privacy, and the like. Policies need to be embedded in standard procedures, practices, training, and architectures.

3. Risk management. The impacts of various risks need to be identified and quantified. A management plan needs to be developed to mitigate those risks with the greatest impact. The plan needs to be reviewed on a regular basis.

4. Security architecture and design. An enterprise-wide security architecture is required to protect critical information assets. High-risk areas (e.g., power supplies) should employ diverse and redundant solutions.

5. User issues.
The user community includes general employees, IT staff, partners, suppliers, vendors, and other parties who have access to critical information systems. Users should be trained to understand and be held accountable for the consequences of their actions. Adequate in-house or outsourced expertise to manage and support all security technologies and policies also is needed.

6. System and network management. The key lines of defense include access control for all network devices and data, encrypted communications and VPNs where required, and perimeter protection (e.g., firewalls) based on security policies. Any software, files, and directories on the network should be verified on a regular basis. Procedures and mechanisms must be put in place that ensure that software patches are applied to correct existing problems; adequate levels of system logging are deployed; system changes are analyzed from a security perspective; and vulnerability assessments are performed on a periodic basis. Software and data must also be backed up on a regular schedule.

7. Authentication and authorization. Strict policies must be formulated and implemented for authenticating and authorizing network access. Special attention must be given to those employees accessing the network from home and on the road and to partners, contractors, and service providers who are accessing the network remotely.

8. Monitor and audit. Network events and conditions must be monitored, audited, and inspected on a regular basis.
Standards should be in place for responding to suspicious or unusual behavior.

9. Physical security. Physical access to key information assets, IT services, and resources should be controlled by two-factor authentication.

10. Continuity planning and disaster recovery. Business continuity and recovery plans need to be implemented and periodically tested to ensure that they are effective.

Increasingly, organizations must cope with a variety of cyber intrusions and losses. Organizations need to learn that security is not a one-time affair, but a continuous process. Information survivability is the key to an effective security process. The best practices recommended by the Internet Security Alliance indicate that there is nothing complex or highly technical about ensuring information survivability. It is more a matter of common sense that requires straightforward procedures and active involvement across the organization.

1. How do the results of the ISAlliance survey compare with the results of the CSI/FBI survey reported in Section 11.1? Explain the similarities and differences.

2. Most of the ISAlliance recommendations seem like common sense. Why do you think that commonsense advice is required? What types of businesses do you think these standards are aimed at? Based on what you know about information security, what other recommendations would you make?

3. Given the breadth of known vulnerabilities, what sort of impact will any set of security standards have on the rise in cyber attacks?

4. For any organization, why is the involvement of senior management crucial to the success of its information security practices?

Sources: Durkovich (2002) and ISAlliance (2002).