Table Of ContentOTHeR MiS TiTLeS OF iNTeReST
Introductory MIS: SyStEMS AnAlySIS And dESIgn:
Managing Information technology, 7/e Modern Systems Analysis and design, 7/e
Brown, DeHayes, Hoffer, Martin & Perkins ©2012 Hoffer, George & Valacich ©2014
SharePoint for Students Systems Analysis and design, 9/e
Cole, Fox & Kroenke ©2012 Kendall & Kendall ©2014
Experiencing MIS, 5/e Essentials of Systems Analysis and design, 6/e
Kroenke ©2015 Valacich, George & Hoffer ©2015
using MIS, 7/e dEcISIon SuPPort SyStEMS:
Kroenke ©2015
business Intelligence, 3/e
MIS Essentials, 4/e Sharda, Delen & Turban ©2014
Kroenke ©2015
decision Support and business Intelligence
Management Information Systems, 13/e Systems, 10/e
Laudon & Laudon ©2014 Sharda, Delen & Turban ©2014
Essentials of Management Information dAtA coMMunIcAtIonS & nEtWorkIng:
Systems, 11/e Applied networking labs, 2/e
Laudon & Laudon ©2015 Boyle ©2014
It Strategy, 3/e digital business networks
McKeen & Smith ©2015 Dooley ©2014
Processes, Systems, and Information: An business driven data communications
Introduction to MIS, 2/e Gendron ©2013
McKinney & Kroenke ©2015 business data networks and Security, 10/e
Essentials of Processes, Systems and Information: Panko & Panko ©2015
With SAP tutorials
ElEctronIc coMMErcE:
McKinney & Kroenke ©2014
E-commerce: business, technology, Society, 11/e
Information Systems today, 6/e
Laudon & Traver ©2015
Valacich & Schneider ©2014
E-commerce Essentials
Introduction to Information Systems, 2/e
Laudon & Traver ©2014
Wallace ©2015
Electronic commerce 2012
dAtAbASE: Turban, King, Lee, Liang & Turban ©2012
Hands-on database, 2/e EntErPrISE rESourcE PlAnnIng:
Conger ©2014
Enterprise Systems for Management, 2/e
Modern database Management, 11/e Motiwalla & Thompson ©2012
Hoffer, Ramesh & Topi ©2013
ProjEct MAnAgEMEnt:
database Systems: Introduction to databases and
data Warehouses Project Management: Process, technology and
Jukic, Vrbsky & Nestorov ©2014 Practice
Vaidyanathan ©2013
Essentials of database Management
Hoffer, Topi & Ramesh ©2014 SEcurIty:
database concepts, 7/e Applied Information Security, 2/e
Kroenke & Auer ©2015 Boyle ©2014
database Processing, 13/e corporate computer Security, 3/e
Kroenke & Auer ©2014 Boyle & Panko ©2013
Fourth Edition
Corporate Computer
Security
Randall J. Boyle
Longwood University
Raymond R. Panko
-
University of Hawai`i at M anoa
Boston Columbus Indianapolis New York San Francisco Upper Saddle River
Amsterdam Cape Town Dubai London Madrid Milan Munich Paris Montréal Toronto
Delhi Mexico City São Paulo Sydney Hong Kong Seoul Singapore Taipei Tokyo
To Courtney Boyle, thank you for your patience, kindness,
and perspective on what’s most important in life.
—Randy Boyle
To Julia Panko, my long-time networking and security editor
and one of the best technology minds I’ve ever encountered.
—Ray Panko
Editor in Chief: Stephanie Wall Creative Director: Jayne Conte
Executive Editor: Bob Horan Cover Designer: Bruce Kenselaar
Program Manager Team Lead: Ashley Santora Digital Production Project Manager: Lisa Rinaldi
Program Manager: Denise Vaughn Full-Service Project Management: Prabhu Chinnasamy, Integra
Director of Marketing: Maggie Moylan Software Services Pvt. Ltd.
Executive Marketing Manager: Anne Fahlgren Printer/Binder: Courier/Westford
Project Manager Team Lead: Judy Leale Cover Printer: Lehigh-Phoenix
Project Manager: Tom Benfatti Text Font: Times, 10/12
Operations Specialist: Michelle Klein
Credits and acknowledgments borrowed from other sources and reproduced, with permission, in this textbook appear on the appropriate
page within text.
Microsoft and/or its respective suppliers make no representations about the suitability of the information contained in the documents
and related graphics published as part of the services for any purpose. All such documents and related graphics are provided “as is”
without warranty of any kind. Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this
information, including all warranties and conditions of merchantability, whether express, implied or statutory, fitness for a particular
purpose, title and non-infringement. In no event shall Microsoft and/or its respective suppliers be liable for any special, indirect or
consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence
or other tortious action, arising out of or in connection with the use or performance of information available from the services.
The documents and related graphics contained herein could include technical inaccuracies or typographical errors. Changes are p eriodically
added to the information herein. Microsoft and/or its respective suppliers may make improvements and/or changes in the product(s) and/or
the program(s) described herein at any time. Partial screen shots may be viewed in full within the software version specified.
Microsoft® Windows®, and Microsoft Office® are registered trademarks of the Microsoft Corporation in the U.S.A. and other countries.
This book is not sponsored or endorsed by or affiliated with the Microsoft Corporation.
Copyright © 2015, 2013, 2010, 2004 by Pearson Education, Inc., One Lake Street, Upper Saddle River, New Jersey 07458. All
rights reserved. Manufactured in the United States of America. This publication is protected by Copyright, and permission should be ob-
tained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means,
electronic, mechanical, photocopying, recording, or likewise. To obtain permission(s) to use material from this work, please submit a
written request to Pearson Education, Inc., Permissions Department, One Lake Street, Upper Saddle River, New Jersey 07458, or you
may fax your request to 201-236-3290.
Many of the designations by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations
appear in this book, and the publisher was aware of a trademark claim, the designations have been printed in initial caps or all caps.
Library of Congress Cataloging-in-Publication Data on File
10 9 8 7 6 5 4 3 2 1
ISBN 10: 0-13-354519-9
ISBN 13: 978-0-13-354519-7
ContentS
Preface xix
About the Authors xxv
Chapter 1 The Threat Environment 1 Social Engineering in Malware 23
1.1 Introduction 2 Spam 24
phiShinG 24
Basic Security Terminology 2
The ThreaT environmenT 2 Spear phiShinG 26
SecuriTy GoalS 3 hoaxeS 27
compromiSeS 3 1.4 Hackers And Attacks 27
counTermeaSureS 3 Traditional Motives 27
1.2 Employee And Ex-Employee Anatomy of a Hack 28
Threats 9
TarGeT SelecTion 28
Why Employees Are Dangerous 9 reconnaiSSance probeS 29
Employee Sabotage 11 The exploiT 30
Employee Hacking 12 SpoofinG 30
Employee Financial Theft and Theft of Social Engineering in an Attack 31
Intellectual Property 12 Denial-of-Service Attacks 33
Employee Extortion 13 Skill Levels 35
Employee Sexual or Racial 1.5 The Criminal Era 36
Harassment 14
Dominance by Career Criminals 36
Employee Computer and Internet
cybercrime 36
Abuse 14
inTernaTional GanGS 37
inTerneT abuSe 14
black markeTS anD markeT
non-inTerneT compuTer abuSe 15 SpecializaTion 38
Data Loss 15
Fraud, Theft, and Extortion 41
Other “Internal” Attackers 16 frauD 41
1.3 Malware 16 financial anD inTellecTual properTy
Malware Writers 16 ThefT 41
Viruses 16 exTorTion aGainST corporaTionS 42
Stealing Sensitive Data about
Worms 18
Customers and Employees 43
Blended Threats 20
carDinG 43
Payloads 20
bank accounT ThefT 43
Trojan Horses and Rootkits 20
online STock accounT ThefT 43
nonmobile malware 20 iDenTiTy ThefT 43
Trojan horSeS 21 The corporaTe connecTion 44
remoTe acceSS TrojanS 21
corporaTe iDenTiTy ThefT 44
DownloaDerS 22
1.6 Competitor Threats 45
Spyware 22
rooTkiTS 23 Commercial Espionage 45
Mobile Code 23 Denial-of-Service Attacks 46
iii
iv Contents
1.7 Cyberwar And Cyberterror 47 2.3 Organization 72
Cyberwar 47 Chief Security Officers 72
Cyberterror 48 Should You Place Security
1.8 Conclusion 49 within IT? 72
Thought Questions 50 • Hands- locaTinG SecuriTy wiThin iT 72
on Projects 51 • Project placinG SecuriTy ouTSiDe iT 74
Thought Questions 52 • Case a hybriD SoluTion 74
Study 52 • Case Discussion Top Management Support 74
Questions 53 • Perspective Relationships with Other
Questions 53 Departments 75
Special relaTionShipS 75
Chapter 2 Planning and Policy 54 all corporaTe DeparTmenTS 75
buSineSS parTnerS 76
2.1 Introduction 55
Outsourcing IT Security 76
Defense 55
e-mail ouTSourcinG 76
Management Processes 56 manaGeD SecuriTy Service
manaGemenT iS The harD parT 56 proviDer 79
comprehenSive SecuriTy 56 2.4 Risk Analysis 81
weakeST-linkS failureS 56
Reasonable Risk 81
The neeD To proTecT many
reSourceS 57 Classic Risk Analysis
Calculations 82
The Need for a Disciplined Security
Management Process 58 aSSeT value 82
expoSure facTor 82
The Plan–Protect–Respond
SinGle loSS expecTancy 82
Cycle 59
annualizeD probabiliTy (or raTe) of
planninG 59 occurrence 82
proTecTion 59 annualizeD loSS expecTancy 83
reSponSe 60 counTermeaSure impacT 83
Vision in Planning 61 annualizeD counTermeaSure coST anD
viewinG SecuriTy aS an enabler 61 neT value 83
DevelopinG poSiTive viSionS of Problems with Classic Risk Analysis
uSerS 63 Calculations 85
Strategic IT Security Planning 63 uneven mulTiyear caSh flowS 85
2.2 Compliance Laws and ToTal coST of inciDenT 85
Regulations 64 many-To-many relaTionShipS
Driving Forces 64 beTween counTermeaSureS anD
reSourceS 86
Sarbanes–Oxley 65
The impoSSibiliTy of compuTinG
Privacy Protection Laws 67 annualizeD raTeS of
Data Breach Notification occurrence 87
Laws 70 The problem wiTh “harD-heaDeD
ThinkinG” 87
The Federal Trade Commission 70
perSpecTive 88
Industry Accreditation 71
Responding to Risk 88
PCI-DSS 71 riSk reDucTion 88
FISMA 71 riSk accepTance 88
Contents v
riSk TranSference (inSurance) 88 accounTabiliTy 101
riSk avoiDance 88 eThicS 102
2.5 Technical Security Architecture 89 Exception Handling 103
Technical Security Architectures 89 Oversight 104
archiTecTural DeciSionS 90 policieS anD overSiGhT 104
DealinG wiTh leGacy SecuriTy promulGaTion 105
TechnoloGy 90 elecTronic moniTorinG 105
Principles 90 SecuriTy meTricS 105
auDiTinG 106
DefenSe in DepTh 90
anonymouS proTecTeD hoTline 106
DefenSe in DepTh verSuS weakeST
linkS 90 behavioral awareneSS 108
frauD 108
SinGle poinTS of vulnerabiliTy 91
SancTionS 109
minimizinG SecuriTy burDenS 92
2.7 Governance Frameworks 110
realiSTic GoalS 92
COSO 111
Elements of a Technical Security
Architecture 92 The coSo framework 111
borDer manaGemenT 93 objecTiveS 112
reaSonable aSSurance 112
inTernal SiTe SecuriTy
manaGemenT 93 coso framework componenTS 112
manaGemenT of remoTe CobiT 113
connecTionS 93 The cobit framework 114
inTerorGanizaTional SySTemS 93 Dominance in The uniTeD STaTeS 114
cenTralizeD SecuriTy manaGemenT 93 The ISO/IEC 27000 Family 115
2.6 Policy-Driven Implementation 93 Iso/IEc 27002 115
Iso/IEc 27001 116
Policies 94
oTher 27000 STanDarDS 116
whaT are policieS? 94
2.8 Conclusion 117
whaT, noT how 94
clariTy 94 Thought Questions 117 •
Categories of Security Policies 95 Hands-on Projects 117 •
Project Thought Questions 118
corporaTe SecuriTy policy 95
• Case Study 119 • Case Discus-
major policieS 95
sion Questions 120 • Perspective
accepTable uSe policy 96
Questions 120
policieS for Specific counTermeaSureS
or reSourceS 96
Chapter 3 Cryptography 121
Policy-Writing Teams 98
3.1 What is Cryptography? 122
Implementation Guidance 98
Encryption for Confidentiality 123
no GuiDance 98
STanDarDS anD GuiDelineS 98 Terminology 123
Types of Implementation plainTexT 123
Guidance 100 encrypTion anD cipherTexT 123
cipher 124
proceDureS 100
key 124
proceSSeS 100
keepinG The key SecreT 124
baSelineS 101
The Simple Cipher 124
beST pracTiceS anD recommenDeD
pracTiceS 101 Cryptanalysis 125
vi Contents
Substitution and Transposition 3.6 The Keying Stage 146
Ciphers 126 Session Keys 146
Substitution Ciphers 126 Public Key Encryption for
Transposition Ciphers 126 Confidentiality 146
Real-world Encryption 127 Two keyS 146
Ciphers and Codes 127 proceSS 146
Symmetric Key Encryption 129 paDlock anD key analoGy 146
hiGh coST anD ShorT meSSaGe
key lenGTh 129
lenGThS 147
Human Issues in Cryptography 131
rSa anD ecc 147
3.2 Symmetric Key Encryption key lenGTh 148
Ciphers 133 Symmetric Key Keying Using Public
RC4 133 Key Encryption 148
The Data Encryption Standard Symmetric Key Keying Using
(DES) 134 Diffie–Hellman Key Agreement 149
56-biT key Size 134 3.7 Message-By-Message
block encrypTion 134 Authentication 150
Triple DES (3DES) 135
Electronic Signatures 150
168-biT 3DeS operaTion 135
Public Key Encryption for
112-biT 3DeS 135
Authentication 150
perSpecTive on 3DeS 136
Message-by-Message Authentication
Advanced Encryption Standard
with Digital Signatures 151
(AES) 136
DiGiTal SiGnaTureS 151
Other Symmetric Key Encryption
haShinG To proDuce The meSSaGe
Ciphers 136 DiGeST 151
3.3 Cryptographic System SiGninG The meSSaGe DiGeST To proDuce
Standards 139 The DiGiTal SiGnaTure 151
Cryptographic Systems 139 SenDinG The meSSaGe wiTh
confiDenTialiTy 152
Initial Handshaking Stages 139
verifyinG The SupplicanT 153
neGoTiaTion 139 meSSaGe inTeGriTy 153
iniTial auThenTicaTion 140 public key encrypTion
keyinG 140 for confiDenTialiTy anD
Ongoing Communication 140 auThenTicaTion 153
3.4 The Negotiation Stage 141 Digital Certificates 154
Cipher Suite Options 141 cerTificaTe auThoriTieS 154
DiGiTal cerTificaTe 155
Cipher Suite Policies 142
verifyinG The DiGiTal cerTificaTe 155
3.5 Initial Authentication Stage 142
The roleS of The DiGiTal cerTificaTe
Authentication Terminology 142 anD DiGiTal SiGnaTure 157
Hashing 143 Key-Hashed Message Authentication
Initial Authentication with Codes 158
MS-CHAP 144 The problem wiTh DiGiTal
on The SupplicanT’S machine: SiGnaTureS 158
haShinG 144 Creating and Testing the HMAC 158
on The verifier Server 145 Nonrepudiation 160
Contents vii
3.8 Quantum Security 162 3.12 Conclusion 176
3.9 Cryptographic Systems 163 Thought Questions 178 •
Virtual Private Networks (VPNs) 164 Hands-on Projects 179 •
Project Thought Questions 180
Why VPNs? 164
• Case Study 181 • Case Discus-
Host-to-Host VPNs 164
sion Questions 182 • Perspective
Remote Access VPNs 165
Questions 182
Site-to-Site VPNs 165
3.10 SSL/TLS 166 Chapter 4 Secure Networks 183
Nontransparent Protection 166 4.1 Introduction 184
Inexpensive Operation 167 Creating Secure Networks 184
SSL/TLS Gateways and Remote availabiliTy 184
Access VPNs 167 confiDenTialiTy 184
vpn GaTeway STanDarDS 168 funcTionaliTy 185
auThenTicaTion 168 acceSS conTrol 185
connecTinG The clienT pc To Future of Secure Networks 185
auThorizeD reSourceS 168 DeaTh of The perimeTer 185
SecuriTy for ServiceS 168 riSe of The ciTy 186
browSer on The clienT 168
4.2 DoS Attacks 187
aDvanceD ServiceS require
aDminiSTraTor privileGeS on pcS 170 Denial of Service … But Not an
perSpecTive 171 Attack 187
3.11 IPsec 171 FaulTy coDinG 187
Attractions of IPsec 171 referralS from larGe SiTeS 188
SSl/TlS GiveS nonTranSparenT Goal of DoS Attacks 188
TranSporT layer SecuriTy 172 STop criTical ServiceS 188
ipSec: TranSparenT inTerneT layer DeGraDe ServiceS 188
SecuriTy 172 Methods of DoS Attacks 188
ipSec in boTh ipv4 anD ipv6 172 DirecT anD inDirecT aTTackS 190
IPsec Transport Mode 173
inTermeDiary 192
hoST-To-hoST SecuriTy 173 reflecTeD aTTack 194
enD-To-enD proTecTion 173 SenDinG malformeD packeTS 195
coST of SeTup 173
Defending Against Denial-of-Service
ipSec in TranSporT moDe anD
Attacks 196
firewallS 173
black holinG 197
IPsec Tunnel Mode 174
valiDaTinG The hanDShake 198
proTecTion iS proviDeD by ipSec
GaTewayS 174 raTe limiTinG 198
leSS expenSive Than TranSporT 4.3 ARP Poisoning 199
moDe 174 Normal ARP Operation 199
firewall-frienDly proTecTion 175 The problem 201
no proTecTion wiThin The Two
ARP Poisoning 201
SiTeS 175
ARP DoS Attack 203
IPsec Security Associations (SAs) 175
SeparaTe SaS in The Two Preventing ARP Poisoning 203
DirecTionS 175 STaTic TableS 203
policy-baSeD Sa 176 limiT local acceSS 204
viii Contents
4.4 Access Control for Networks 206 TurninG off SSiD broaDcaSTinG 229
LAN Connections 206 mac acceSS conTrol liSTS 229
Access Control Threats 206 Implementing 802.11i or WPA Is
Easier 229
Eavesdropping Threats 207
4.7 Conclusion 230
4.5 Ethernet Security 207
Thought Questions 232 •
Ethernet and 802.1X 207
Hands-on Projects 232 •
coST SavinGS 208
Project Thought Questions 233
conSiSTency 208
• Case Study 233 • Case Discus-
immeDiaTe chanGeS 208
sion Questions 235 • Perspective
The Extensible Authentication Protocol
Questions 235
(EAP) 209
eap operaTion 209 Chapter 5 Access Control 236
exTenSibiliTy 210
5.1 Introduction 237
RADIUS Servers 210
Access Control 237
RadIus anD eap 211
Authentication, Authorizations, and
4.6 Wireless Security 211
Auditing 237
Wireless Attacks 212
Authentication 238
Unauthorized Network Access 212
Beyond Passwords 238
prevenTinG unauThorizeD acceSS 213
Two-Factor Authentication 238
Evil Twin Access Points 215
Individual and Role-Based Access
Wireless Denial of Service 216
Control 238
flooD The frequency 216
Organizational and Human
flooD The acceSS poinT 218
Controls 240
SenD aTTack commanDS 218
Wireless LAN Security with Military and National Security
802.11i 218 Organization Access Controls 240
eap’S neeD for SecuriTy 219 Multilevel Security 241
aDDinG SecuriTy To eap 219 5.2 Physical Access and Security 242
eap-TlS anD peap 220 Risk Analysis 242
Core Wireless Security Protocols 221
ISO/IEC 9.1: Secure Areas 242
Wired Equivalent Privacy (WEP) 221 phySical SecuriTy perimeTer 242
Cracking WEP 221 phySical enTry conTrolS 242
ShareD keyS anD operaTional public acceSS, Delivery, anD loaDinG
SecuriTy 221 areaS 243
exploiTinG wep’S weakneSS 222 SecurinG officeS, roomS, anD
Perspective 223 faciliTieS 243
proTecTinG aGainST exTernal anD
Wi-Fi Protected Access (WPA™) 223
environmenTal ThreaTS 244
Pre-Shared Key (PSK) Mode 226 ruleS for workinG in Secure
Wireless Intrusion Detection areaS 247
Systems 228 ISO/IEC 9.2 Equipment Security 247
False 802.11 Security Measures 229 equipmenT SiTinG anD proTecTion 247
SpreaD SpecTrum operaTion anD SupporTinG uTiliTieS 248
SecuriTy 229 cablinG SecuriTy 248
