This running case is part of the book “Readings and Cases in Information Security: Law and Ethics” by Michael Whitman and Herbert Mattord. ©Cengage

1. An Introduction to Information Security

Matthias Paul looked up from his monitor to glance at the clock hanging on the wall. It was 4:15 AM and he had almost four hours to go before his shift was over. From the start of his shift Matthias had been processing new account setup requests for one of the companies serviced by his employer, Advanced Topologies, Inc. Every hour he took a short break to check the logs from the client’s network. Matthias was not exactly sure he knew what he was looking for, but he thought it was a good idea to stay aware of what was happening on the client’s network. Matthias had only been on the job at ATI for a few weeks and did not consider himself a critical member of the watch team for this client. Mostly he did semiclerical tasks, like setting up new users and verifying the deactivation of the client’s former employees.

“Matt.”

Matthias looked up to see his supervisor, Alfonso Agostino. “Yes, Al, what’s up?”

Al looked at Matthias over his glasses and said, “I just got the word that your training plan was approved by Human Resources. You start your classes next week. Your first class will be three days on the basics of information security at the corporate training center.”

“Great!” said Matthias. “But why do I need information security training? Wasn’t I hired to be a network administrator?”

Al responded, “Sure, but how can you do your job as a netadmin if you don’t know the company security policies and practices? The class spends two days covering basic concepts of security, and one day reviewing our company policies. Everyone in an IT-related position takes this class.
You’ll get more advanced networking training over the next few months—eventually we plan to send you out for some advanced network security training, to fill in any gaps in your college classes on these subjects.”

Matthias nodded. “OK. I’ll be there.”

Matthias was back on the job Friday night at midnight. He had been out of the data center during his three days at the training center. He was a little sleepy, since he had attended the training during the day shift and now he was back for third shift.

Al walked up and said, “Hi Matt, how was the class?”

Matthias replied, “Pretty good, I guess. I really liked the stuff about the ways that systems get attacked, but I thought the threat stuff was kind of boring.”

Al said, “I suppose it can seem that way, but you have to try to figure out how the information about threats can affect our work and how we do our jobs.”

Questions

1. Which threat would be most likely to impact Matthias and Al in their jobs as network administrators at ATI?
2. List at least two threats you did not mention that might be encountered by a network administrator.
3. For each of the three threats you listed, list and describe two attacks that could come from these threats.

2. An Introduction to Networking

Eliana was visiting her alma mater, recruiting network administrators for her company, Advanced Topologies, Inc. The career services group at the school had contacted the Human Resources group at ATI about a month ago and invited them to participate in this information technology job fair. Now Eliana stood in front of the ATI company information board, ready to screen applicants.

She greeted the first student. “Hello, I’m Eliana. I’m the supervisor of network operations at ATI. Are you interested in our company?”

The student said, “Yes, what kinds of jobs do you have?”

Eliana replied, “We’re looking for graduates who are interested in network operations and, eventually, network design.”

“Oh, too bad,” said the young woman.
“Database management and design is my area of interest.”

Eliana agreed to take her résumé to the HR department, though she didn’t think ATI was hiring in that area.

The next student who approached held out his hand for a business card. “Are you interested?” she asked.

“Sure,” he replied. “What are you willing to pay?”

Eliana hid her surprise. Maybe things were different in college recruiting than they used to be. She said, “That depends; how much experience do you have with computer networks?” Eliana waited for the student’s reply.

He said, “Well, I’ve had some coursework in networking, and I’ve used networks a lot in several classes, including one on network defense. I wouldn’t call myself a network expert, but I’m well-grounded in the theory and am willing to learn.”

Eliana smiled back at the student’s infectious grin and said, “Well, if you have the basic skills we need, we would make a competitive offer, and we are willing to train. It sounds like you might fit, so let me have a copy of your résumé.”

Questions

1. Do you think this student is a good choice for ATI in today’s employment market?
2. How else could the student have explained his networking background to Eliana?
3. Did the student come across too strongly, bringing up salary from the beginning?

3. Security Policies, Standards, and Planning

Matthias was ready to apply the firewall scripts to protect the servers belonging to ATI’s clients. The Linen Planet had hired ATI to design, configure, and operate the network and defenses used to implement the electronic commerce startup’s business plan. Matthias had a text file with more than 300 scripted instructions that had to be added to the firewall. Since this change would affect the client’s entire network, it was being tested in tonight’s third-shift change window, a time slot during which network technicians could interrupt the normal operation of the network for a short time.
Even though Matthias had only recently become involved in this project, it had been under development for several weeks, and the activities planned for tonight had been approved by the change control committees at Linen Planet and at ATI. The plan was for Matthias to update the firewall command interface and be ready to commit the new rules at 2:30 AM. He had already made the connection and edited the file, and he was waiting to commit the new rules, so the quality assurance testing team could spend an hour furiously testing the new configuration. At the first sign of a test failure, they would tell Matthias to back out the changes and reset the firewall to its original configuration. He had a few minutes to wait, and Al sat down next to him to monitor the event.

Matthias said, “Hi, Al. I have a question.”

Al looked over his arm at the monitor to review Matthias’s work. Seeing it was all in order and that the commit time was still a few minutes away, he said, “OK. Shoot.”

Matthias pointed at the work order with the attached script of complex firewall rules and said, “Who writes these rules, and how do they know what the rules should do?”

Al looked at him and said, “One word—policy.”

“Huh,” said Matthias. “What does that mean?”

“Well,” said Al, “every company has a set of policies that lets everyone know what they can and can’t do with the company network. Linen Planet has an enterprise policy and a network usage policy that specify how they manage their network. Also, they have certain technical control systems in place, like intrusion detection systems that need to operate on their network. Our engineers take all of these factors into account and write rules that they hope will make it all work.”

“Oh,” said Matthias. “Well, it’s time to commit these rules.” He pressed the Enter button on his keyboard.

Matthias and Al watched the monitor for a few more minutes. The firewall at Linen Planet seemed to be running just fine.
Al stood up and went on to his next task, and Matthias also moved on to his next task. After an hour, he picked up the phone and called the number for the QA team.

“Hello, QA Test Team, Debbie speaking.”

“Hi, Debbie,” said Matthias. “What’s the word on the Linen Planet firewall project?”

“Oh, we just finished,” said Debbie. “We’re good to go. The new rules can stay in place.”

Matthias said, “OK. We won’t roll back. Thanks for the info.”

Debbie replied, “OK. I’ll put a note on the test log. Thanks for your help.” They both hung up the phone.

As Al walked across the room, Matthias called out to him, “Is it always this easy?”

Al shook his head. “Not hardly, you must be having beginner’s luck.”

Questions

1. What are some of the things that might have gone wrong in the test?
2. If the test had failed, what do you think the rollback plan would have entailed?

4. Finding Network Vulnerabilities

The elevator chimed as it opened and Virginia Burnett, who worked at the ATI reception area on the 14th floor, straightened a little in her chair. A tall dark-haired man dressed in coveralls and carrying a large toolbox walked off the elevator and then around Virginia’s desk with a confident stride.

“Can I help you?” asked Virginia, smiling.

He walked a few more steps until he was almost past her desk. Virginia raised her voice a little. “Stop! What do you want?”

He stopped. “Yes. Hi. My name is Greg Reiner; I’m a contractor working for building maintenance. Someone reported a water leak in the break room.”

“Can I see your photo ID and maintenance work order, please?” asked Virginia.

The man turned toward her and sank his hand into his front pocket. It came out empty. Then he looked at the clipboard he was carrying. “Well, it looks like I left them in the van.” He smiled and said, “Surely you can see that I’m no thief, though.”

Virginia said tightly, “I don’t know anything about a leak, and in any case, ATI has very strict policies about who can come and go in our offices.
I really need your credentials before I can allow you through. I’ll be right here when you get back.”

The man looked exasperated. “Well, I would hate for your attitude about my badge to cause property damage—that leak isn’t going to stop itself, so I’m sure you can make an exception.” He started to walk toward the office area.

Virginia got the man’s attention by shouting, “Stop!” When he turned around, she said, “Sir, unless you leave this floor immediately, I will call security. Please get your badge and work order, and then you can do your job. I’m just doing mine.”

He said, “Obviously, this is getting us nowhere.” He turned on his heel and left.

Questions

1. Without knowing the ATI policy on visitors, do you think Virginia handled this situation correctly?
2. What do you think she should do now?

5. Firewall Planning and Design

Matthias was grinning when he entered the conference room. Earlier in the week he had been given his first design assignment. A new client had hired ATI to build a network for them, and as part of his training, Matthias was going to work with the design team to plan the new client’s network. This meeting was the kickoff for the project. Matthias was eager to meet with the experienced network engineers from ATI. He had already begun to consider the options for this new client. Would they need to use a proxy server? Would they have to provide a reverse proxy? Would the firewall need to use a state table?

Austin Tuck, a network engineer and the project manager, came into the meeting room next. He didn’t greet Matthias, and sat at the head of the table and started collating handouts for the meeting. The rest of the attendees came as a group and all of them sat down. It was obvious they all knew each other quite well.

Austin called them to order and began, “Hi everyone. Let me introduce our trainee. This is Matthias Paul. He is a third-shift network admin who is training for network security design.
He’ll be joining us for the project, which is why we’ll always meet at 8:30 in the morning—he meets with us after his regular shift.”

Austin continued, “Let’s handle the rest of the introductions first.”

The woman to Austin’s left said, “Hi Matthias, my name is Keesha Williams. I’m the security engineer for this project. I work for Andy Ying, the manager of the security consulting group.”

The man to her left said, “Hello. I’m Jeff Noak, security architect.”

The next person to the left said, “My name is Kaz, and I’m the senior network architect.”

Andy said, “OK. That’s it for introductions. Here’s the initial design packet and the customer specs. I think this is a ‘number 3’ with a volume rating of 4. Please check out my specs and let me know what you think. I have it set for first reading at change control this Thursday.” Andy stood up and said, “Thanks everyone.”

Everyone but Andy and Matthias left the room. Matthias asked, “Andy, what happened? We spent more time on introductions than on the project work. Did I miss something?”

Andy said, “Nope. That’s just the way it works. In fact, the project kick-off didn’t require a face-to-face meeting; we probably could have done this one by email. There are only so many ways you can set up a network, and when you have set up and secured a hundred or so like we have in the past two years, it goes pretty quick.”

Matthias nodded. Then he said, “But I was hoping to learn something from this, and that meeting didn’t really give me anything except a few new names and faces and a packet of papers.”

Andy said, “That should be a start. Every one of the people you met today really knows their stuff and will be ready to help you understand the proposed design.”

Questions

1. Make a list of the meeting attendees and describe what role you think each would play in a more elaborate network design project.
2. For each of the meeting attendees, list one or two questions that Matthias could ask about the proposed system design.
6. Packet Filtering

Kiara Spring was bored. She was a smart seventh grader who made excellent grades and enjoyed a variety of after-school activities. Since her parents worked late quite often and her older brothers were usually out, she spent a lot of time on her own, in front of her computer.

Kiara had made a discovery at school that day. When she was in the guidance office to pick up her course-planning packet for next year’s classes, she saw a Post-it note on the secretary’s desk. She had a pretty good memory, and after she left the office, she made a note of the Web address, the username, and the password that were written on the sticky note.

Kiara just wanted to see if she could connect to the school system and see her own records—she had no desire to change anything, since she had good grades, but getting into the system seemed like a fun and challenging thing to do. She had watched the guidance office secretary use this program on several occasions. The same screen opened up for her now. She typed in the username and password she had written down. Instead of a screen allowing her to pick out a student record to view, a window opened that said “OFF NETWORK ACCESS ATTEMPTED—PLEASE USE DISTRICT APPROVED VPN FOR CONNECTION.” About five seconds later, the browser program on her computer was automatically redirected to the school district’s home page. Kiara’s attempt to hack the school district was over before it had really started.

A few days after her attempt to connect to the school system, Kiara was back in the guidance office. She noticed the secretary was not her usual happy self. The sticky note with all the connection information was gone. Trying to be her normal, friendly self, Kiara asked the secretary, “Why so glum, Ms. Simpson?”

Ms. Simpson answered, “It seems somebody tried to access the school district mainframe from the Internet and they used my username.
I got in trouble for failure to properly secure my log-in credentials and had to go take a special security awareness class yesterday. My manager is really upset with me, and I’m worried about keeping my job.”

Kiara said, “I’m sorry, Ms. Simpson. Do they know who did it?”

Ms. Simpson said, “They didn’t really tell me, except they said something about firewalls and audit logs and some kind of investigation.”

Kiara left the office quickly.

Questions

1. What kind of packet filtering rule might have been set up to detect Kiara’s hacking attempt?
2. Is it possible Kiara will be found out from this hacking attempt? Is it likely?

7. Working with Proxy Servers and Application-Level Firewalls

Ron Hall was dreaming of his next vacation. He had been working for Andy Ying, the manager of the security consulting group, on a very demanding project for nearly six months. Today he finally finished the work and had a few minutes to surf the Web to plan his upcoming trip to New Zealand. Ron knew that ATI did not allow indiscriminate Web surfing and that they used a proxy server to ensure compliance with this policy, but he felt he had earned this treat and believed that Andy would have no problems with a little recreational Web surfing. Besides, it was almost 5:00 and nearly time to go home.

Google was allowed by the proxy server, so Ron went there to start his search. He typed in “new zealand vacation spots.” Faster than he could blink, the giant search engine Google came back with a list of relevant links. The first entry looked promising: “New Zealand Tourism Online: New Zealand Travel Guide.” But the second one looked even better: “New Zealand Pictures.” He clicked that URL.

No pictures opened up. No green valleys. No coral reefs. No gorgeous mountains. Just a plain white screen with black letters that read: ACCESS PROHIBITED—CONTACT PROXY SERVER ADMINISTRATOR FOR INSTRUCTIONS ON HOW TO ACCESS THE REQUESTED CONTENT. Ron was not surprised, but he had hoped.
He clicked the “Back” button and tried the next link. He got the same message. He tried three or four more times and then realized he was not getting any pictures today.

Ron got to his desk a little early the next morning. He turned on his PC and went to get a cup of coffee while it booted up. When he got back he opened his email program. In the list of new email was a note from the network security group. He opened the message and saw it had been addressed to him and to Andy Ying, his boss. It also had a CC to the HR department. The message said:

Recently, your account was used to access Web content that has not been approved for use inside ATI. We are asking you to explain your actions to your supervisor. You are encouraged to enroll in a class on appropriate use of the Internet at ATI at your earliest convenience. Until you complete the class or your supervisor contacts this office, your network privileges have been suspended. If this access attempt was for legitimate business purposes, please have your supervisor notify us at once so that this Web location can be added to the ATI approved Web locations list.

What a hassle. Ron did not look forward to his conversation with Andy.

Questions

1. Does the ATI policy on Web usage seem harsh to you? Why or why not?
2. Do you think Ron was justified in his actions?
3. How should Andy react to this situation if Ron is known to be a reliable and a diligent employee?

8. Firewall Configuration and Administration

It was a nondescript building, in an area full of nondescript buildings. It was featureless on the outside and even though it was larger than 20,000 square feet, it seldom had more than 15 people in it. Its hard-working air-conditioning system blew a plume of heat exhaust that could be detected by thermal imaging cameras in orbit. Inside this structure was a room, a big room, which was filled with rack upon rack of quietly humming equipment. Some of the machines processed electricity to make it more reliable.
Some of the machines were hooked to the exterior air-conditioning compressors to maintain a stable temperature of 21.5 degrees Celsius. In one rack was a computer. This computer was configured to run as a firewall. It was as much like its neighboring firewalls as its designers could make it. The company that owned this equipment, ATI, tried to keep all of the systems that performed a given function as much alike as possible. Standardized hardware and standardized software was the mantra at ATI. This specific computer had been running without pause for 116 days, since it was last rebooted as part of a scheduled maintenance routine.

A few weeks ago, the firewall rule set was updated during a routine change window. The testing of that update seemed to show the revised rules were correct, but somehow, something went wrong. One of the rules was meant to allow customers of Linen Planet, a Web-based business, to make secure connections to the commerce server, and then, a reverse proxy connection would connect to the Web server behind the firewall, in the protected network leased by Linen Planet from ATI. This was what the firewall engineer had written. This is what was typed into the script file that was applied by Matthias Paul. These were the rules tested by Debbie Masters. This was exactly what everyone wanted to result from the change control process so carefully set up by ATI to keep Linen Planet in business. Too bad it didn’t work.

The rule that “allowed” the reverse-proxy connection was written to forward both secured and nonsecured (ports 80 and 443) packets to the application server inside Linen Planet’s network. Unfortunately one of the network administrators made a last-minute bug fix that caused the secure Web server to have a different address than the firewall rule set expected. The port 80 rule still worked, but when a customer linked to the HTTPS service, the rule that handled port 443 pointed to the wrong server.
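The failure just described is a drift between two records that were never reconciled: the forwarding rules in the firewall and the inventory of which internal host actually serves each public port. The following is an added example, not code from the book, from ATI or from any firewall product. It assumes a simplified rule format (public port, internal target address and port), a server inventory keyed by public port, and constructed RFC 1918 addresses; the check is meant to run before the rules are committed, and the TCP probe afterwards, so a rule that forwards port 443 to a server that no longer listens there is caught by the change process rather than by customers.

```python
"""Pre-commit consistency check and post-commit probe for forwarding rules.

Added example, not ATI's or the book's own code. Rule format, inventory
format and all addresses are constructed for the example.
"""
from dataclasses import dataclass
import socket


@dataclass(frozen=True)
class ForwardRule:
    public_port: int   # port customers connect to on the firewall
    target_ip: str     # internal host the firewall forwards to
    target_port: int   # port on that internal host


# Server inventory after the "last-minute bug fix" (constructed addresses):
# the HTTPS server was moved to a new address, the HTTP server was not.
INVENTORY = {
    80: "10.0.0.10",    # plain HTTP web server
    443: "10.0.0.11",   # HTTPS server, moved by the last-minute fix
}

# Rule set as applied in the change window (constructed): port 443 still
# forwards to the address the HTTPS server had before it was moved.
APPLIED_RULES = [
    ForwardRule(80, "10.0.0.10", 80),
    ForwardRule(443, "10.0.0.10", 443),
]

# The same rule set after reconciling it with the inventory.
CORRECTED_RULES = [
    ForwardRule(80, "10.0.0.10", 80),
    ForwardRule(443, "10.0.0.11", 443),
]


def check_rules(rules, inventory):
    """Compare rules against the inventory; return findings (empty = consistent)."""
    findings = []
    seen = set()
    for r in rules:
        expected = inventory.get(r.public_port)
        if expected is None:
            findings.append(f"port {r.public_port}: no server in inventory for this public port")
        elif expected != r.target_ip:
            findings.append(
                f"port {r.public_port}: rule forwards to {r.target_ip} "
                f"but inventory says {expected}")
        if r.public_port in seen:
            findings.append(f"port {r.public_port}: duplicate rule")
        seen.add(r.public_port)
    # A server with no rule is the mirror-image mistake: traffic never arrives.
    for port in inventory:
        if port not in seen:
            findings.append(f"port {port}: inventory lists a server but no rule forwards to it")
    return findings


def tcp_reachable(host, port, timeout=2.0):
    """Post-commit smoke test: does a TCP handshake to host:port complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def smoke_test(public_host, inventory, timeout=2.0):
    """Probe every public port the rule set is supposed to expose; the QA team
    would run this through the firewall right after the commit."""
    return {port: tcp_reachable(public_host, port, timeout) for port in inventory}


def open_local_listener():
    """Offline stand-in for a reachable server: a listening socket on
    127.0.0.1 with an ephemeral port, so the probe can be demonstrated."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    print("applied rules:  ", check_rules(APPLIED_RULES, INVENTORY) or "consistent")
    print("corrected rules:", check_rules(CORRECTED_RULES, INVENTORY) or "consistent")
    listener, port = open_local_listener()
    print("probe while listening:", tcp_reachable("127.0.0.1", port))
    listener.close()
    print("probe after shutdown: ", tcp_reachable("127.0.0.1", port))
```

The pre-commit check is deliberately two-directional: a rule pointing at a stale address and a server with no rule at all both surface as findings, and the probe confirms what the rule set claims rather than trusting the commit to have succeeded.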
The folks at Linen Planet were only now starting to hear from customers that could not connect. Even worse, some of those customers abandoned their online shopping carts and moved on to one of their competitors.

Questions

1. How could ATI make sure glitches like this do not catch them unawares in the future?
2. How should the owners of the business Linen Planet protect themselves from losing business in cases like this?

9. Encryption and Firewalls

Padma Santhanam, the CTO of Linen Planet, was commuting to work her usual way—riding the train from the suburban station near her home to her office in a commercial business area across town. As she turned the page of the morning paper, her cell phone rang. She looked at the caller ID and saw it was her assistant, David Kalb.

“Hello, David. What’s up?”

“Hi, Padma. Crisis here as usual. Our customer service rep at ATI is on the other line. He says you have to log in to the work order system and approve the change request ASAP or they’ll miss the next change window for the new version of our online credit application.”

Padma said, “OK. I’ll be in the office in 25 minutes or so. The train just left Broadmore station.”

“He says they can’t wait that long. You were supposed to do this day before yesterday, and somehow it got overlooked. They say they need it now or we’ll lose a week waiting for the next change window.”

Padma sighed. Then she said, “OK. I want you to browse the work order Web site, you know the one we use at linenplanet.biz/wo, and log in for me. You can approve the change order and we won’t miss the window. I’ll change my password when I get there. My username is papa, sierra, alpha, november, tango, alpha. Got that?”

David said “Got it. Password?”

Looking both ways first, Padma lowered her voice some and said, “Romeo, lima, eight, four, bang, zulu, india, victor, dollar sign.”

David repeated it back. He said, “OK, I am logged on now and just approved the work order.
I’ll tell our rep we’re good to go.”

“Thanks, David.”

In the row behind Padma, Maris Heath closed her pocket notepad and clicked her ballpoint pen closed. Smiling, she hefted her laptop bag and stood up to exit the train at the next station, which she knew sat right next to an Internet cafe.

Maris opened her laptop and connected her browser to the Linen Planet Web server. The firewall asked for her username and password. She flipped open her notepad and punched in the data she had written down while eavesdropping on Padma’s cell phone call. Her browser connected in no time. She noticed that the security icon was showing at the bottom of her browser window. The encryption between her browser and the server was now in place. At least no other hackers could watch her while she put a back door into Linen Planet’s Web servers. She would spend several hours over the next few days scouting out the network and planning her raid. It looked like she would be able to buy that new game system sooner than she had planned.

Questions

1. Were the firewall and Web server used by Linen Planet providing encryption services? If so, what kind of protection was in place?
2. How could the access to Linen Planet’s Web server have been better secured?

10. Intrusion Detection and Prevention Systems

Matthias Paul, at the end of his graveyard shift, was reviewing and finalizing the automated intrusion event recognition report for one of ATI’s many customers, the Springdale Independent School District (SISD), for whom ATI provided hosting services and limited intrusion prevention services. SISD had its own in-house information security group, but the work of screening the automated intrusion detection and prevention system had been outsourced to ATI.

Matthias opened up the intrusion event resolution application. The system correlated all of the various system logs and event recordings from the many services that ATI provided to SISD.
As he worked his way through the false alarms, he came across a log entry from a Web server indicating that an external network location had tried to connect to the intranet-based student records application. The system had refused entry. Since Matthias knew that SISD allowed only remote access to student records using a VPN connection with two-factor authorization, he thought he would look at the log files from the VPN concentrator, and also at the log from the VPN authentication server. The logs showed that the user who had tried to connect to the student records system had not attempted to set up a VPN connection. Either someone was trying to hack the system, or an authorized user had forgotten all of their training about security policy and remote access.

Matthias looked at the connection attempt and found the TCP/IP address of the person who had tried to access the student records system. It was registered to a pool of addresses used by the biggest Internet service provider (ISP) in the city where SISD was located. It would take a court order to get access to the detailed ISP records to find out who had tried to access the system. On the other hand, it was easy to identify the user account that had been used to attempt access.

Matthias mumbled, “Hmmm … looks like a user just forgot to follow the rules.” He pulled up the screen in the intrusion event resolution system to escalate the event from a candidate incident to an actual incident. He provided all of the facts he had discovered and then moved on to the next item. He knew someone would be getting an unpleasant contact from the SISD security group in the near future.

Review the earlier scenario titled “Packet Filtering,” which describes the events that led to the IDPS alert that Matthias deals with in the opening scenario of this chapter. Review also the earlier scenario “Authenticating Users,” which describes the consequences of Niki Simpson’s habit of posting her password on sticky notes.

Questions

1. What type of IDPS system is ATI using for this contract?
2. Was this event the result of a honeypot or honeynet? Why or why not?
3. How realistic do you think this case is? Can and do events like this happen in real networked applications?
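Two of the scenarios above describe the same control from opposite ends: “Packet Filtering” asks what rule could have turned Kiara’s off-network login into the denial she saw, and this chapter shows Matthias correlating the Web server’s denial with the VPN concentrator and VPN authentication logs to decide whether the source was an outsider or a user who skipped the VPN. The following is an added example, not code from the book, from ATI or from SISD, that models both halves. It assumes a packet-filter rule expressed as a source-network allow list (district LAN plus the VPN address pool) that logs what it drops, three constructed log formats, constructed user names derived from the story, RFC 5737 documentation addresses for the outside world, and an assumed eight-hour ceiling on how long a VPN session is treated as live.

```python
"""Packet-filter decision plus log correlation for an intranet application.

Added example, not ATI's, SISD's or the book's own code. Log formats,
addresses, user names, time stamps and the session-lifetime assumption are
all constructed for the example.
"""
from datetime import datetime, timedelta
import ipaddress
import re

INTRANET = ipaddress.ip_network("10.0.0.0/8")      # constructed: district LAN
VPN_POOL = ipaddress.ip_network("10.50.0.0/24")    # constructed: VPN concentrator pool
ALLOWED_SOURCES = [INTRANET, VPN_POOL]
SESSION_GRACE = timedelta(hours=8)                  # assumption: max VPN session life


def filter_decision(src_ip, dst_app="student-records"):
    """Packet-filter rule for the intranet app: permit LAN and VPN-pool
    sources, drop and log everything else (the message Kiara's browser saw
    would be generated by the application, this is the filter's own log)."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in ALLOWED_SOURCES):
        return "ACCEPT", None
    return "DROP", f"{dst_app}: denied off-network source {src_ip}"


# Constructed log lines from the three sources Matthias consults.
WEB_LOG = """\
2024-03-12T21:14:03Z web student-records user=nsimpson src=203.0.113.45 result=DENIED reason=off-network
2024-03-12T21:20:41Z web student-records user=jdoe src=10.50.0.21 result=OK
2024-03-12T21:25:09Z web student-records user=akim src=10.3.7.15 result=OK
"""
VPN_LOG = """\
2024-03-12T20:58:10Z vpn session-start user=jdoe client=198.51.100.7 assigned=10.50.0.21
"""
AUTH_LOG = """\
2024-03-12T20:58:08Z auth user=jdoe method=password+totp result=OK
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<rest>.*)$")


def parse(log_text):
    """Turn one log into dicts: ts (datetime), source, and key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        fields["source"] = m["source"]
        events.append(fields)
    return events


def vpn_backed(user, src_ip, at, vpn_events, auth_events):
    """True if a VPN session for `user` handed out `src_ip` before `at`, is
    still within its assumed lifetime, and two-factor auth succeeded for it."""
    sessions = [e for e in vpn_events
                if e.get("user") == user and e.get("assigned") == src_ip
                and e["ts"] <= at <= e["ts"] + SESSION_GRACE]
    if not sessions:
        return False
    started = sessions[-1]["ts"]
    return any(e.get("user") == user and e.get("result") == "OK"
               and "totp" in e.get("method", "")
               and started - timedelta(minutes=5) <= e["ts"] <= started
               for e in auth_events)


def triage(web_log, vpn_log, auth_log):
    """Classify each student-records access as 'intranet', 'vpn' or
    'candidate-incident' (external source with no matching VPN session)."""
    vpn_events = parse(vpn_log)
    auth_events = parse(auth_log)
    verdicts = []
    for e in parse(web_log):
        ip = ipaddress.ip_address(e["src"])
        if ip in INTRANET and ip not in VPN_POOL:
            kind = "intranet"
        elif ip in VPN_POOL and vpn_backed(e["user"], e["src"], e["ts"], vpn_events, auth_events):
            kind = "vpn"
        else:
            kind = "candidate-incident"
        verdicts.append((e["user"], e["src"], kind))
    return verdicts


if __name__ == "__main__":
    print(filter_decision("203.0.113.45"))
    for user, src, kind in triage(WEB_LOG, VPN_LOG, AUTH_LOG):
        print(f"{user:10} {src:15} {kind}")
```

The verdict for the first Web log line is exactly the state Matthias escalates: the account is known, the source is outside both permitted networks, and no concentrator or authentication record explains it. The VPN pool is carved out of the LAN range on purpose, so a pool address is only trusted when a session and a successful two-factor authentication vouch for it.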