Source: Cyberterrorism Prevention Checklist, pearsoncmg.com (ptgmedia.pearsoncmg.com/images/art_fiore-francois1_doz/elementLinks/...)

Cyberterrorism Prevention Checklist

by

Frank Fiore and Jean François

As CEO, CIO, or other top executive of your organization, you need to be certain that your departments understand the threat of cyberterrorism. Take this checklist of actionable items to your senior management meeting. Find out whether your IT, security, and human resource personnel have put in place the necessary security precautions to protect you from becoming an unwitting collaborator with cyberterrorists.



Intelligence Gathering

This area includes three possible security lapses that allow for penetration of systems with the goal of stealing information or sensitive data. The key here is to get your organization, company, or institution on a wartime footing and control access to your building, personnel, and information systems.


1: Identity Impersonation and/or Identity Theft

You may think this is an obvious problem, but you'd be surprised how many organizations (businesses especially) fall down on this simple yet effective threat prevention.

Area of concern: Access controls
Person(s) or group(s): Physical Plant Security Manager
Question(s) to ask: Are badges, ID cards, and/or other verification methods required by security and other personnel before allowing building entry?
Notes/Rationale: Personnel who are not carrying proper ID should be challenged internally.

Area of concern: Document controls
Person(s) or group(s): Human Resources
Question(s) to ask: Are organizational phone books and contact/vendor lists restricted to the premises?
Notes/Rationale: These documents should be treated as though they contain organizational secrets. Whenever possible, shred out-of-date paper documents that reveal information about company internal activity.

Area of concern: Information procedures
Person(s) or group(s): Human Resources
Question(s) to ask: Are all inquiries via phone, email, or other correspondence method checked for authenticity?
Notes/Rationale: No one should ever assume that someone is who they say they are. Inquiries should always be forwarded to appropriate personnel for handling. A paper audit trail should be kept and required for any information requested.


2: Spyware

Spyware is software that sits on your system and tries to be invisible while collecting as much information as possible to be sent offsite.

Area of concern: Scanning programs
Person(s) or group(s): IT Dept.
Question(s) to ask: Are systems regularly scanned for viruses, Trojan horses, etc.?
Notes/Rationale: Viruses and Trojan horses have become more sophisticated, so more aggressive checking is needed.

Area of concern: Firewall and intrusion-detection system
Person(s) or group(s): IT Dept.
Question(s) to ask: Is the internal network protected by a firewall coupled with intrusion detection?
Notes/Rationale: Watch all inbound and outbound traffic. Spyware has to send what it collects somewhere, so look for odd or new outbound traffic patterns: new destinations, regular "phone home" connections, unexplained volume.

Area of concern: Third-party software audits
Person(s) or group(s): IT Dept.
Question(s) to ask: Do you regularly audit third-party software to detect unauthorized programs?
Notes/Rationale: Spy-Software.org offers a system for auditing software. Compare what is actually installed against an approved inventory, not only against a list of known-bad names.


3: Internal Threats

This area is often overlooked by organizations, but employees can be a great source of information-gathering for unauthorized use.

Area of concern: Background checks
Person(s) or group(s): Human Resources
Question(s) to ask: Are background checks performed on job applicants before they are hired? Are references checked carefully?
Notes/Rationale: Current events show that false information on résumés is nothing new. If projects are of great importance, terrorists may be interested in getting jobs that will provide access to information via computer systems, or that let them plant malicious programs granting access to unauthorized users.

Area of concern: Corporate intelligence organizations
Person(s) or group(s): Human Resources, executive staff
Question(s) to ask: How do you address potential threats from corporate intelligence organizations?
Notes/Rationale: Organizations like SCIP (Society of Competitive Intelligence Professionals) use a systematic program for gathering, analyzing, and managing information that can affect your company's plans, decisions, and operations. Competitive intelligence of this kind is mostly built from public and volunteered information; it becomes corporate espionage when the same program is fed by unauthorized access or by employees who talk too freely. Assume that both kinds of collector are working on you.

Area of concern: Disgruntled employees
Person(s) or group(s): IT Dept.
Question(s) to ask: How are you preventing the possibility of damage done by employees?
Notes/Rationale: Employees can modify or destroy data. Keep good long-term backups and have a disaster recovery plan in place.

Area of concern: Backdoor threats
Person(s) or group(s): IT Dept.
Question(s) to ask: How are you addressing the possibility of malicious code or products created inside the organization?
Notes/Rationale: Have an audit/review process in place for data, source code, security access and procedures, and so on.

Area of concern: Testing backups
Person(s) or group(s): IT Dept.
Question(s) to ask: Is our backup data recoverable? Is recovery regularly tested to make sure that the backup data and the restoration system actually work (and work correctly)?
Notes/Rationale: A malicious computer user can cause small corruptions in data that, if not regularly checked by restoring backups, will not be discovered until vital information is needed. Furthermore, it's important to know that in the event of a recovery, critical data will be available, and to know what special steps may be needed to restore that data.


Systems Damage

This area includes four possible security lapses that allow for the disruption or damage of data and your information infrastructure.


4: Breakdowns in the Human Firewall

People are the weakest link in a security plan. Proper training can prevent a majority of security lapses.

Area of concern: Inquiries
Person(s) or group(s): All personnel
Question(s) to ask: Are all inquiries referred to a designated point of contact?
Notes/Rationale: Don't voluntarily disclose any information.

Area of concern: Point of contact
Person(s) or group(s): Human Resources
Question(s) to ask: Who is designated as the single point of contact for organizational questions?
Notes/Rationale: Don't allow just anyone to talk about company business. The best intelligence gatherers know how to take what looks like uninteresting pieces of information and use them to get more, or tie them together to make a bigger picture.

Area of concern: Awareness
Person(s) or group(s): All personnel, especially Security
Question(s) to ask: Are you always aware of who is working around you and whether he or she belongs in that area?
Notes/Rationale: For example, the soda machine being refilled is no excuse for the person doing it to be wandering around different offices unescorted.


5: System/Browser Vulnerabilities

Bugs or other code flaws can allow an unauthorized user to execute arbitrary code.

Area of concern: Bounds checking and code reviews
Person(s) or group(s): IT Dept.
Question(s) to ask: Are you vigilant in checking bounds and reviewing code?
Notes/Rationale: Don't let speed override good programming practices. Take the time to do periodic code reviews for security and to make sure that nothing was "slipped in."

Area of concern: System patches
Person(s) or group(s): IT Dept.
Question(s) to ask: Do you keep system patches to current levels?
Notes/Rationale: Every reputable vendor publishes patches to keep applications and other programs current. Keep track of vendor alerts and apply patches in a reasonable period of time and in a consistent fashion.

Area of concern: Alternative heterogeneous applications or platforms
Person(s) or group(s): IT Dept.
Question(s) to ask: How can we use alternative applications (Eudora, Opera) or platforms (Mac, Linux, BSD) to prevent system infection?
Notes/Rationale: Using non-mainstream applications and platforms makes infection by mass-market malware less likely, because most of it is written for the dominant platform. This is a reduction in exposure, not immunity: the alternative platform still has to be patched and configured securely.

Area of concern: Filtering executable attachments
Person(s) or group(s): IT Dept.
Question(s) to ask: Are executable attachments filtered from incoming and outgoing email?
Notes/Rationale: If it's vital that programs be sent via email, nothing that can be executed as a program should be sent through email without being examined on a "sandbox" system that can contain an outbreak. Filter on the content of the attachment, not only on its file extension, since an executable can simply be renamed.

Area of concern: Educating users
Person(s) or group(s): IT Dept.
Question(s) to ask: How are you educating users to keep them from opening unexpected or unverified attachments?
Notes/Rationale: Show users what can happen. Do demonstrations and hold regular updates. To prevent hoaxes from spreading, don't let users propagate this information on their own.


6: Wireless Insecurity

Wireless networks are being installed by organizations at a rapid rate, opening their networks to "drive-by hacking."

Area of concern: Media access control (MAC) addresses
Person(s) or group(s): IT Dept.
Question(s) to ask: Does our system rely on MAC addresses to decide who may connect?
Notes/Rationale: It's very easy to change a MAC address on a system to match one that is allowed and so gain entry. MAC filtering is not authentication; treat it as a convenience, not a control.

Area of concern: Wired Equivalent Privacy (WEP)
Person(s) or group(s): IT Dept.
Question(s) to ask: Does our system use WEP to protect data?
Notes/Rationale: Don't rely on WEP to protect data; its keys can be recovered from captured traffic. Treat a WEP link as an unencrypted one and protect the data with a stronger layer, such as a VPN.

Area of concern: Default configs
Person(s) or group(s): IT Dept.
Question(s) to ask: Does our system use default configuration files?
Notes/Rationale: Change the default SSID to something that's difficult to guess, and change every default administrative password on the access point.

Area of concern: Strong user authentication
Person(s) or group(s): IT Dept.
Question(s) to ask: Does our system employ strong user authentication?
Notes/Rationale: Implement an authentication system that mandates that computers and users be authenticated before they can use wireless resources.

Area of concern: Virtual private network (VPN) technology
Person(s) or group(s): IT Dept.
Question(s) to ask: Can we use VPN technology to secure data sent over wireless links?
Notes/Rationale: Encrypted data is very difficult to get to and enhances overall security in a wireless environment.

Area of concern: Wireless LANs
Person(s) or group(s): IT Dept.
Question(s) to ask: How are you monitoring wireless LANs for hijackers?
Notes/Rationale: Use tools to make sure that only authenticated users and authorized systems are on your wireless network. Audit as needed.

Area of concern: Wireless deployment in a DMZ (demilitarized zone)
Person(s) or group(s): IT Dept.
Question(s) to ask: Are our wireless setups deployed in a DMZ or behind a proxy/filtering firewall?
Notes/Rationale: Keep wireless traffic where it can be controlled safely, away from sensitive systems or the wired LAN.


7: Denial-of-Service (DoS) Attacks

These attacks are becoming more and more sophisticated, and in some cases are initiated as a side effect of some other attack.

Area of concern: Filtering RFC 1918 addresses
Person(s) or group(s): IT Dept.
Question(s) to ask: Are RFC 1918 addresses filtered both inbound and outbound?
Notes/Rationale: These are private addresses that are not routed on the public Internet. A packet arriving from outside with an RFC 1918 source is either spoofed or leaked, and its true origin cannot be traced, so drop it at the edge; likewise drop anything leaving your network with one of these addresses as source or destination.

Area of concern: Spoofed addresses
Person(s) or group(s): IT Dept.
Question(s) to ask: Are spoofed addresses prevented from leaving our network?
Notes/Rationale: Use documented best practices (the ingress/egress filtering described in BCP 38, RFC 2827) so that packets whose source address is not one of yours, and smurf-style directed-broadcast traffic, cannot leave through the edge routers of your LAN or WAN.

Area of concern: Monitor bandwidth
Person(s) or group(s): IT Dept.
Question(s) to ask: Are you watching for spikes or high loads?
Notes/Rationale: Unauthorized transfers usually show up as unexplained high bandwidth use during off-peak hours.

Area of concern: Scan internal hosts and devices
Person(s) or group(s): IT Dept.
Question(s) to ask: Are you scanning regularly for any compromises or security breaches?
Notes/Rationale: Use available tools and check to make sure that systems on your LAN belong there and have not been compromised by known exploits.
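As an added worked example (not part of the original checklist), the following Python function applies the first two items above as an edge-router policy: drop inbound packets with an RFC 1918 source, with one of our own addresses as source, or aimed at our network's broadcast address (smurf amplification), and drop outbound packets whose source is not one of ours (BCP 38) or whose destination is private. The prefix 203.0.113.0/24 and the sample packet list are constructed for the example and should be replaced with your own.

```python
import ipaddress

# Assumption (constructed for this example): the organization's own public prefix.
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# RFC 1918 private ranges: never a legitimate source on the Internet side of the edge.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def in_any(addr, nets):
    return any(addr in net for net in nets)


def edge_verdict(direction, src, dst):
    """Decide whether the edge router should drop a packet.

    direction is "in" (Internet -> LAN) or "out" (LAN -> Internet).
    Returns (drop, reason).
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if direction == "in":
        if in_any(src, RFC1918):
            return True, "inbound: RFC 1918 source (spoofed or leaked, untraceable)"
        if src in OUR_PREFIX:
            return True, "inbound: source claims to be one of our own addresses (spoofed)"
        if dst in (OUR_PREFIX.network_address, OUR_PREFIX.broadcast_address):
            return True, "inbound: directed broadcast (smurf amplification)"
        return False, "ok"
    if direction == "out":
        if src not in OUR_PREFIX:
            # Also covers RFC 1918 sources, since they lie outside our prefix.
            return True, "outbound: source not in our prefix (spoofed; BCP 38 egress filter)"
        if in_any(dst, RFC1918):
            return True, "outbound: RFC 1918 destination (private address leaking out)"
        return False, "ok"
    raise ValueError("direction must be 'in' or 'out'")


def audit(packets):
    """Run (direction, src, dst) tuples through the filter; return the ones dropped."""
    drops = []
    for direction, src, dst in packets:
        drop, reason = edge_verdict(direction, src, dst)
        if drop:
            drops.append((direction, src, dst, reason))
    return drops


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = [
    ("in", "198.51.100.9", "203.0.113.5"),    # normal inbound
    ("in", "10.1.2.3", "203.0.113.5"),        # RFC 1918 source from outside
    ("in", "203.0.113.77", "203.0.113.5"),    # our own address arriving from outside
    ("in", "198.51.100.9", "203.0.113.255"),  # directed broadcast (smurf)
    ("out", "203.0.113.5", "198.51.100.9"),   # normal outbound
    ("out", "192.168.1.7", "198.51.100.9"),   # private source trying to leave
    ("out", "203.0.113.5", "172.16.0.9"),     # private destination leaking out
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_PACKETS):
        print("DROP", *entry)
```

The same rules translate directly into access lists on the edge router; the value of writing them down as code is that the sample packets double as a regression test for the router configuration whenever the prefix or the ACLs change.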


System Hijacking

In this area, three possible security lapses allow the use of established communications vehicles for clandestine operatives to secretly communicate with others.


8: Steganography

Steganography is the art and science of hiding the fact that communication is happening. It involves hiding messages inside text, images, sounds, or other binary files for clandestine communications.

Area of concern: Unauthorized software
Person(s) or group(s): IT Dept.
Question(s) to ask: Do you regularly check for unauthorized software on organizational computers?
Notes/Rationale: Use tools to control user-level access and prevent software from being installed without administrator permission.

Area of concern: Newsgroups and web sites
Person(s) or group(s): IT Dept.
Question(s) to ask: Do you regularly check newsgroups and web sites for comments made about us, both good and bad?
Notes/Rationale: Many mailing lists and Internet information sites raise awareness by tracking the activities of crackers directly, so you learn what they are doing in real time.

Area of concern: Inbound and outbound email
Person(s) or group(s): IT Dept.
Question(s) to ask: Are both inbound and outbound email scanned for unusual contents such as MP3 files, PIC files, and so on?
Notes/Rationale: Email is the one tool that can easily pass through firewalls. All data coming in and leaving should be checked to make sure it's safe before being passed on to the user. A message carrying media files to an unexpected recipient, or a file whose contents don't match its extension, deserves a closer look.
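The attachment check asked for in item 5 ("Filtering executable attachments") and in the item above is the same mechanism, so one added example serves both. It is not part of the original checklist; it is Python using the standard library's email package. Executables are recognised by their leading bytes rather than by name, media files are held for review, and a file whose extension does not match its contents is also held. The extension lists and the sample message are constructed for the example.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run as a program (assumption: tune to your environment).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
                   ".hta", ".msi", ".dll"}
# Media types the checklist singles out for steganography review.
MEDIA_EXTENSIONS = {".mp3", ".wav", ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".pic"}

# Leading bytes ("magic") that identify content regardless of the file name.
MAGIC = [
    (b"MZ", "executable"),            # Windows PE / DOS executable
    (b"\x7fELF", "executable"),       # ELF executable
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
    (b"ID3", "mp3"),
]
EXT_FOR_KIND = {"png": {".png"}, "jpeg": {".jpg", ".jpeg"}, "gif": {".gif"}, "mp3": {".mp3"}}


def sniff(data):
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    ext = os.path.splitext(filename.lower())[1]
    kind = sniff(data)
    if kind == "executable" or ext in EXEC_EXTENSIONS:
        return "block", f"executable content (name {filename!r}, content {kind})"
    if kind in EXT_FOR_KIND and ext not in EXT_FOR_KIND[kind]:
        return "quarantine", f"extension {ext!r} does not match content ({kind})"
    if ext in MEDIA_EXTENSIONS or kind in EXT_FOR_KIND:
        return "quarantine", f"media file ({kind}) held for steganography review"
    return "allow", "no policy match"


def scan_message(raw):
    """Scan every attachment of an RFC 822 message; return [(filename, verdict, reason)]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        results.append((name,) + classify_attachment(name, data))
    return results


def build_sample_message():
    """Construct a sample message (not a real capture) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "files as discussed"
    msg.set_content("See attached.")
    # An executable renamed to look like a text file.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="report.txt")
    # A real PNG; policy holds images for review because they can carry hidden data.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, maintype="image",
                       subtype="png", filename="logo.png")
    # An ordinary text attachment.
    msg.add_attachment("quarterly numbers attached separately\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample_message()):
        print(f"{verdict:10} {name:12} {reason}")
```

The "quarantine" verdict is where the sandbox examination the checklist calls for happens; nothing in this verdict list should be delivered to a user automatically. Archive formats (zip and the like) need the same treatment applied to their contents, which this example does not attempt.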


9: Tunneling

Tunneling allows communication in an environment where communication may not be possible due to firewalls or proxies that limit traffic. Many networks assume that having a firewall or proxy server prevents internal users from going to unauthorized sites or passing internal data to the outside world. That's a bad assumption. For example, an application called HTTP-Tunnel allows people behind a firewall (which allows only web surfing) to use any Internet application. HTTP-Tunnel runs as a SOCKS server or via port mapping and can tunnel both TCP and UDP.

Area of concern: Corporate espionage
Person(s) or group(s): IT Dept.
Question(s) to ask: Do you regularly review logs and traffic passing through proxies and firewalls for activity that is not work-related?
Notes/Rationale: Theft of company secrets will continue to grow with international competition and tighter R&D budgets.

Area of concern: Bypassing corporate security policies
Person(s) or group(s): IT Dept.
Question(s) to ask: Have you set limits and policies on which ports are acceptable to access?
Notes/Rationale: Keep honest people honest; allow access only to the ports inside and outside your system that people really need to do their work. Publish these regularly and make it policy to regularly update employees on what they are allowed or not allowed to do.

Area of concern: Productivity and espionage
Person(s) or group(s): IT Dept.
Question(s) to ask: How are you checking for unauthorized VPN traffic originating from inside our LAN?
Notes/Rationale: If someone is stealing information or making unauthorized entries, a virtual private network (VPN) is one way to mask this activity. VPN protocols have well-known default ports, so look for activity on those ports that doesn't belong. Because a tunnel can also be moved onto an allowed port such as 443, look as well for long-lived, upload-heavy sessions that don't look like web browsing.
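An added example of the log review the last two items describe (not part of the original checklist): Python that reads outbound-session records from a firewall log, flags connections to the default ports of common VPN protocols, flags ports outside the published policy, and, for sessions on allowed ports, flags the long-lived and upload-heavy pattern that an HTTP tunnel produces. The key=value log format, the allowed-port list and the thresholds are assumptions made for the example; the sample log is constructed.

```python
import re

# Policy assumption (constructed for this example): outbound ports users may reach.
ALLOWED_PORTS = {80, 443, 25, 53}

# Default ports of common VPN protocols. Defaults only: a tunnel can be moved to any
# port, which is why the behavioural check further down also exists.
VPN_DEFAULT_PORTS = {
    1194: "OpenVPN",
    1723: "PPTP",
    500: "IKE (IPsec)",
    4500: "IPsec NAT-T",
    51820: "WireGuard",
}

# Thresholds for "looks like a tunnel, not browsing" on an allowed port (assumptions).
LONG_SESSION_SECS = 3600
UPLOAD_HEAVY_RATIO = 10.0  # bytes_out / bytes_in

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn a 'key=value key=value' firewall log line into a dict of typed fields."""
    fields = dict(KV.findall(line))
    for key in ("dport", "bytes_out", "bytes_in", "dur"):
        fields[key] = int(fields.get(key, 0))
    return fields


def check_session(rec):
    """Return a finding string for one outbound session, or None if it looks normal."""
    port = rec["dport"]
    if port in VPN_DEFAULT_PORTS:
        return f"vpn-port: {rec['src']} -> {rec['dst']}:{port} ({VPN_DEFAULT_PORTS[port]})"
    if port not in ALLOWED_PORTS:
        return f"port-not-in-policy: {rec['src']} -> {rec['dst']}:{port}"
    ratio = rec["bytes_out"] / rec["bytes_in"] if rec["bytes_in"] else float("inf")
    if rec["dur"] >= LONG_SESSION_SECS and ratio >= UPLOAD_HEAVY_RATIO:
        return (f"possible-tunnel: {rec['src']} -> {rec['dst']}:{port} "
                f"{rec['dur']}s, out/in ratio {ratio:.0f}")
    return None


def scan_log(lines):
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = check_session(parse_line(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log (not from any real firewall).
SAMPLE_LOG = """
ts=2020-03-24T02:14:07 src=10.1.4.22 dst=198.51.100.9 proto=udp dport=1194 bytes_out=48211000 bytes_in=2100000 dur=7200
ts=2020-03-24T09:01:12 src=10.1.4.31 dst=203.0.113.80 proto=tcp dport=443 bytes_out=2000 bytes_in=150000 dur=12
ts=2020-03-24T23:40:55 src=10.1.4.30 dst=203.0.113.80 proto=tcp dport=443 bytes_out=812000000 bytes_in=9000000 dur=14400
ts=2020-03-24T10:22:03 src=10.1.4.22 dst=198.51.100.9 proto=tcp dport=22 bytes_out=3000 bytes_in=5000 dur=40
ts=2020-03-24T10:30:41 src=10.1.4.35 dst=203.0.113.25 proto=tcp dport=25 bytes_out=18000 bytes_in=1200 dur=3
""".strip().splitlines()

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Ordinary browsing downloads far more than it uploads and sessions are short; a session that runs for hours and pushes ninety times more data out than in is either a legitimate upload job you can account for, or a tunnel. Tune the thresholds against a week of your own logs before alerting on them.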


10: Worms, Trojan Horses, and Viruses

These attacks are becoming more prevalent and much more sophisticated. Next-generation worms, Trojan horses, and viruses will be more intelligent and attack through multiple methods of distribution.

Area of concern: Unauthorized software
Person(s) or group(s): IT Dept.
Question(s) to ask: Do you regularly check for unauthorized software on organizational computers?
Notes/Rationale: Use tools to control user-level access and prevent software from being installed without administrator permission.

Area of concern: Anti-virus software updates
Person(s) or group(s): IT Dept.
Question(s) to ask: Are anti-virus software updates installed in a timely manner?
Notes/Rationale: Make it a point to keep updates as automatic as possible or on a daily schedule to get the latest protection available.

Area of concern: Alternative heterogeneous applications or platforms
Person(s) or group(s): IT Dept.
Question(s) to ask: How can we use alternative applications (Eudora, Opera) or platforms (Mac, Linux, BSD) to prevent system infection?
Notes/Rationale: Using non-mainstream applications and platforms makes infection by mass-market malware more difficult; it does not remove the need to patch them.

Area of concern: Educating users
Person(s) or group(s): IT Dept.
Question(s) to ask: How are you educating users about how malicious programs propagate and how to prevent infection?
Notes/Rationale: Publish all policies and procedures and make users acknowledge them. Keep a FAQ and encourage questions by letting question authors be anonymous.

Area of concern: Proxy/firewall filters
Person(s) or group(s): IT Dept.
Question(s) to ask: Are you using filters to find malicious programs and their signatures coming into or leaving the LAN?
Notes/Rationale: Check inside the firewall as aggressively as when checking at the firewall; a worm that arrives on a laptop or by email spreads across the LAN without ever crossing the perimeter.


Disinformation

This area includes two possible security lapses that allow for the dissemination of propaganda such as the following:

• Spreading false rumors electronically that are picked up by the media as true

• Cracking into news servers to plant false or misleading stories

• Entering false or misleading information in databases, thus undermining theeffectiveness of organizations relying on that information


11: DNS Poisoning and Domain Hijacking

DNS poisoning is convincing a name server that a domain has a different IP address. Domain hijacking involves stealing a domain at the registrar level.

Area of concern: DNS servers
Person(s) or group(s): IT Dept.
Question(s) to ask: Are our DNS servers secure? Do we require our DNS peers to secure their servers?
Notes/Rationale: Use the latest security features of DNS and use best practices for safe deployments both inside and outside the firewall. Keep the name server software patched, keep the authoritative servers separate from the recursive resolvers, and answer recursive queries only for your own clients.

Area of concern: Passwords
Person(s) or group(s): IT Dept.
Question(s) to ask: Do we require passwords for domain registration and changes?
Notes/Rationale: Password-protect domain name information at registrars to prevent the domain from being redirected to another site or stolen.

Area of concern: Domain changes
Person(s) or group(s): IT Dept.
Question(s) to ask: Can domain changes be made via email?
Notes/Rationale: Email can be forged. Require an SSL-encrypted web page or PGP-signed and encrypted email for all changes to domain information.

Area of concern: Authorized DNS zone transfers
Person(s) or group(s): IT Dept.
Question(s) to ask: Are zone transfers restricted to authorized secondary servers, so that the names and IP addresses of our systems are not revealed?
Notes/Rationale: Viewing DNS is the first step to locating the weakest link on a LAN. Only allow DNS information to be visible to those who need to see it. Don't allow zone transfers to reveal what may be private areas of your LAN.
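As an added example (not from the original checklist), here is how the zone-transfer and recursion items above look in a BIND 9 named.conf, showing the weak setting beside the corrected one. The zone name, addresses and key name are placeholders; the TSIG secret must be generated (for example with tsig-keygen) and is not shown.

```conf
// Weak: any host on the Internet can pull the whole zone and enumerate your systems.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { any; };
};

// Corrected: transfers only with a TSIG key shared with the named secondary.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-KEY";   // placeholder; generate with tsig-keygen
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key "xfer-key"; };   // address alone is spoofable; require the key
    also-notify { 192.0.2.53; };          // placeholder address of the secondary
};

options {
    // Answer recursive queries only for the internal network, not for the world.
    allow-recursion { 10.0.0.0/8; };
    // Don't advertise the server version in CHAOS-class queries.
    version "none";
};
```

Requiring the key rather than an address list matters because the source address of a transfer request can be forged, while the TSIG signature cannot be produced without the secret. Check the result from outside with a transfer request against your own server; it should be refused.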


12: Changing Web Site Contents

Web site defacement is widespread and has evolved to being used as a method of distributing propaganda, rumors, and misinformation (as opposed to just plain vandalism).

Area of concern: Staging servers
Person(s) or group(s): IT Dept.
Question(s) to ask: Are staging servers used to update site content?
Notes/Rationale: Production servers should be read-only. This provides two security benefits: a) There is a live copy of production data on staging servers for fast recovery. b) Read-only production content is much harder to modify without being noticed, and because the staging copy is the reference, any difference between it and what production is serving is a sign of tampering.

Area of concern: User authentication
Person(s) or group(s): IT Dept.
Question(s) to ask: Is user authentication mandated for access to sensitive data?
Notes/Rationale: Single sign-on simplifies tracking users and makes it easier for them to remember one username and password for all their access. It also means one stolen credential opens everything, so pair it with strong authentication and log its use.

Area of concern: Software patches and security policies
Person(s) or group(s): IT Dept.
Question(s) to ask: Do you maintain software patches and security policies on web servers?
Notes/Rationale: Verify that web servers are secured by best practices and regularly review them to make sure that they match the security policy as it evolves (or as best practices evolve) to keep systems secure.

Area of concern: Hardened DMZ
Person(s) or group(s): IT Dept.
Question(s) to ask: Are web servers kept in a hardened demilitarized zone with intrusion detection outside the firewall?
Notes/Rationale: With this setup, if your web servers are compromised, that's as far as the intruder should get, provided the DMZ's own rules restrict what the web servers may reach on the inside.

Area of concern: Code reviews
Person(s) or group(s): IT Dept.
Question(s) to ask: Do you conduct regular code reviews to prevent common exploits such as buffer overflows from exposing the servers?
Notes/Rationale: Buffer overflows, or "stack smashing," have been around for a very long time. Good programming practices need to be passed on to junior programmers and practiced by all.

Area of concern: Separate database and application servers from web servers
Person(s) or group(s): IT Dept.
Question(s) to ask: Are database or application servers and web servers kept separate unless on a machine that's designed for this purpose (for example, AS400s or mainframes)?
Notes/Rationale: A compromised web server should not hand the intruder the database along with it.
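The "Staging servers" item above and the "Testing backups" item in section 3 both come down to the same check: a reference copy exists, so compare what is actually on disk against it. The following is an added Python example, not part of the original checklist: it builds a SHA-256 manifest of a directory tree and diffs a reference manifest (taken from staging, or from the backup at the time it was made) against the tree being verified, reporting modified, added and removed files. The two sample trees are constructed in a temporary directory for the example.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest


def compare_manifests(reference, observed):
    """Diff a reference manifest against what is actually present."""
    ref, obs = set(reference), set(observed)
    return {
        "modified": sorted(p for p in ref & obs if reference[p] != observed[p]),
        "added": sorted(obs - ref),
        "removed": sorted(ref - obs),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed example: a staging tree and a tampered production tree."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = os.path.join(tmp, "staging")
        production = os.path.join(tmp, "production")
        for rel, text in [("index.html", "<h1>Welcome</h1>\n"),
                          ("about.html", "<p>About us</p>\n"),
                          ("img/logo.svg", "<svg/>\n")]:
            _write(staging, rel, text)
            _write(production, rel, text)
        # Tampering on production: defaced page, dropped file, planted script.
        _write(production, "index.html", "<h1>Owned</h1>\n")
        os.remove(os.path.join(production, "about.html"))
        _write(production, "cgi-bin/shell.cgi", "#!/bin/sh\n")
        return compare_manifests(build_manifest(staging), build_manifest(production))


if __name__ == "__main__":
    print(demo())
```

Run the manifest build on staging at publish time and store the result somewhere the web server cannot write; run the comparison against production on a schedule and after every deployment. For the backup case, build the manifest before the backup is taken and compare it against a test restore; a restore that "succeeds" but produces a different manifest is the silent corruption the checklist warns about.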


About the Authors

Frank Fiore is an e-business expert, columnist and consultant, and author of several books on e-business topics published by Pearson imprints:

• The Complete Idiot's Guide to Starting an Online Business (Que, 2000, ISBN 0-7897-2193-7)

• e-Marketing Strategies (Que, 2000, ISBN 0-7897-2475-8)

• Successful Affiliate Marketing for Merchants (Que, 2001, ISBN 0-7897-2525-8)

• TechTV's Starting an Online Business (Que, 2001, ISBN 0-7897-2564-9)

He is also the author of Dr. Livingston's Online Shopping Safari Guidebook (Maximum Press, 1996).

Frank has been involved with e-business from its inception on the Net; with his experience as both an e-business expert and a direct marketer of products, he knows e-business from both sides of the transaction. He is currently the Official Online Shopping Guide for About.com and has been interviewed for numerous TV and radio talk shows and print media on the subject of e-business and online shopping.

Jean François has more than 15 years of experience working in distributed computing environments. He has received the National Defense Medal for participation in Operation Desert Storm and held a Top Secret/SBI/SCI clearance from 10/91 to 4/96. Jean has held positions as director of managed services for Opnix, Inc. and chief technology officer for EBIZ Enterprises, Inc., and is the president, CEO, and founder of MagusNet, Inc. MagusNet was founded on the idea of using Linux to provide businesses with consulting on security systems using proxy/filtering firewalls, as well as general UNIX system administration and applications using GNU tools such as Linux and other free operating systems like FreeBSD/OpenBSD. Today MagusNet is primarily a security services company, providing Internet users with an anonymizing public proxy as a free Internet service. He has been a featured expert on radio, TV, and print, and in online forums.