



Securing the Information Infrastructure

Joseph M. Kizza
University of Tennessee at Chattanooga, USA

Florence M. Kizza
Freelance Writer, USA

Cybertech Publishing
Hershey • New York



Acquisition Editor: Kristin Klinger
Senior Managing Editor: Jennifer Neidig
Managing Editor: Sara Reed
Development Editor: Kristin Roth
Copy Editor: Heidi Hormel
Typesetter: Michael Brehm
Cover Design: Lisa Tosheff
Printed at: Yurchak Printing Inc.

Published in the United States of America by
CyberTech Publishing (an imprint of IGI Global)
701 E. Chocolate Avenue
Hershey PA 17033
Tel: 717-533-8845
Fax: 717-533-8661
E-mail:
Web site:
and in the United Kingdom by
CyberTech Publishing (an imprint of IGI Global)
3 Henrietta Street
Covent Garden
London WC2E 8LU
Tel: 44 20 7240 0856
Fax: 44 20 7379 0609
Web site:
Copyright © 2008 by IGI Global. All rights reserved. No part of this book may be reproduced in any form or
by any means, electronic or mechanical, including photocopying, without written permission from the publisher.
Product or company names used in this book are for identification purposes only. Inclusion of the names of
the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered
trademark.
Library of Congress Cataloging-in-Publication Data
Kizza, Joseph Migga.
Securing the information infrastructure / Joseph Kizza and Florence Migga Kizza, authors.
p. cm.

Summary: “This book examines how internet technology has become an integral part of our daily lives and as
it does, the security of these systems is essential. With the ease of accessibility, the dependence to a computer
has sky-rocketed, which makes security crucial”--Provided by publisher.
Includes bibliographical references and index.
ISBN 978-1-59904-379-1 (hardcover) -- ISBN 978-1-59904-381-4 (ebook)
1. Cyberterrorism. 2. Internet--Security measures. 3. Computer networks--Security measures. 4. Information
superhighway--Security measures. I. Kizza, Florence Migga. II. Title.
HV6773.K59 2008
005.8--dc22
2007007405
British Cataloguing in Publication Data
A Cataloguing in Publication record for this book is available from the British Library.
All work contributed to this book is new, previously-unpublished material. The views expressed in this book are
those of the authors, but not necessarily of the publisher.




To Immaculate, a wonderful mother and wife


Table of Contents

Preface
Acknowledgment

Section I: Security Through Moral and Ethical Education

Chapter I: Building Trust in the Information Infrastructure
    Introduction
    Problems with Building Trust
    Steps to Building Trust
    Conclusion
    References

Chapter II: Need for Morality and Ethics
    Introduction
    Morality
    Ethics
    Codes of Professional Responsibility
    The Relevancy of Ethics in Modern Life
    Conclusion
    References

Chapter III: Building an Ethical Framework for Decision Making
    Introduction
    Principle of Duty of Care
    Work and Decision Making
    Pillars of a Working Life
    Need for an Ethical Education
    Decision Making and the Ethical Framework
    Conclusion
    References

Chapter IV: Security, Anonymity, and Privacy
    Introduction
    Security
    The Importance of Information Security
    Government and International Security Standards
    Information Security Evaluation Criteria
    Privacy
    Privacy and Security in Cyberspace
    Conclusion
    References

Section II: Security Through Innovative Hardware and Software Systems

Chapter V: Software Standards, Reliability, Safety, and Risk
    Introduction
    The Role of Software in the Security of Computing Systems
    Software Standards
    Reliability
    Software Security
    Causes of Software Failures
    Conclusion
    References

Chapter VI: Network Basics and Securing the Network Infrastructure
    Introduction
    Computer Network Basics
    Network Protocols and Layering
    Network Services
    Network Connecting Devices
    Securing the Network Infrastructure: Best Practices
    Conclusion
    References

Chapter VII: Security Threats and Vulnerabilities
    Introduction
    Types of Threats and Vulnerabilities
    Sources of Information Security Threats
    Best Practices of Online Security
    Conclusion
    References
    Appendix: Additional Reading

Chapter VIII: Security Policies and Risk Analysis
    Introduction
    Information Security Policy
    Aspects of Security Policies
    Building a Security Policy
    Types of Security Policies
    Conclusion
    References

Chapter IX: Security Analysis, Assessment, and Assurance
    Introduction
    Threat Identification
    Security by Analysis
    Security Assessment and Assurance
    Conclusion
    References

Chapter X: Access Control, Authentication, and Authorization
    Introduction
    Definitions
    Access Control
    Authentication
    Authorization
    Conclusion
    References

Chapter XI: Perimeter Defense: The Firewall
    Introduction
    Types of Firewalls
    Other Firewalls
    Virtual Private Network
    Firewall Issues Before Installation
    Configuration and Implementation of a Firewall
    Advantages of Firewalls
    Disadvantages of Firewalls
    Securing a Network by a Firewall
    Conclusion
    References

Chapter XII: Intrusion Detection and Prevention Systems
    Introduction
    Definitions
    Background of Intrusion Detection
    Basic Modules of an Intrusion Detection System
    Intrusion Detection Models
    Responses to Intrusion Detection Reports
    Types of Intrusion Detection Systems
    Challenges for Intrusion Detection
    Intrusion Prevention Systems (IPSs)
    Conclusion
    References

Chapter XIII: Security in Wireless Systems
    Introduction
    Types of Wireless Technology
    The Wireless Communication Infrastructure
    Wireless Local Area Network (WLAN): Wireless Fidelity (Wi-Fi)
    Security Issues in Wireless Systems
    Best Practices for Wi-Fi Security
    Conclusion
    References

Chapter XIV: Biometrics for Access Control
    Introduction
    History of Biometrics
    Biometric Authentication System
    Biometric Identifiers
    Advantages of Biometrics
    Disadvantages of Biometrics
    Why Biometrics are Not Truly Accepted
    The Future of Biometrics
    Conclusion
    References

Section III: Security Through the Legal System

Chapter XV: Digital Evidence and Computer Crime
    Introduction
    Definitions
    Nature of Digital Evidence
    Importance of Digital Evidence
    Reliability of Digital Evidence
    The Need for Standardization
    Proposed Standards for the Exchange of Digital Evidence
    The Process of Digital Evidence Acquisition
    Investigative Procedures
    Conclusion
    References

Chapter XVI: Digital Crime Investigation and Forensics
    Definition
    Computer Forensics
    History of Computer Forensics
    Network Forensics
    Forensics Analysis
    Forensics Tools
    Conclusion
    References

Section IV: What Next?

Chapter XVII: Trends in Information Assurance
    Introduction
    Global Information Assurance Initiatives and Trends
    National and International Information Security Initiatives
    Certification Programs
    Conclusion
    References
    Appendix: Additional Reading

Glossary of Terms
About the Authors
Index

Preface

The frequent headlines involving incidents of stolen or hacked user records from company
and government institutions, like the recent Veteran Affairs episode, have brought probably
unwanted attention to the constant problem of securing vital, essential, and confidential
personal, business, and national records from the hands of hackers and thieves. However,
to many in the security community, such news has refocused the attention of the nation, if
not the whole world, and re-ignited the debate about how far we need to go and what we
need to do in order to secure the information infrastructure upon which all vital information
happens to reside and is transported.
Two fundamental developments have brought us to where we are today. First, Internet
technology has become an integral part of our daily lives, and as it has, comprehensive security
for systems upon which we have come to depend has become essential. The tremendous
increase in connectivity, now driven more by new Wi-Fi technologies than fixed networks,
has led to an increase in remote access and consequently increased system vulnerability.
These forces have, together with the plummeting prices of information processing and
indexing devices and the development of sprawling global networks, made the generation,
collection, processing, indexing, and storage of and access to information easy. Second,
as the popularity of computer use has grown, our dependence on computers and computer
technology has skyrocketed to new heights and is hovering toward total dependence. There
are serious consequences to total dependence on the information infrastructure and its
associated technologies. As we have all witnessed in the last several years, Internet
technologies have been like a large cruise ship in the middle of the ocean with all its amenities but
without a captain. The 21st century has, thus far, the most machine-dependent generation.
This dependence, though for convenience, is turning out to be one of the main sources of
our security problems and a potential privacy concern. It is leading to the loss of our privacy,
security, and autonomy.
These two developments, taken together, have created an even more tempting environment
for online digital crimes than ever before. The annual Computer Crime Survey by the Computer Security Institute/Federal Bureau of Investigation (CSI/FBI) typically is a barometer
of computer crime within the United States and every year presents alarming statistics about
rising digital crime rates over our public networks. The survey results always paint a picture
of cyber crimes bleeding the nation. The CSI/FBI Computer Crime and Security surveys
are always targeted to computer security practitioners in U.S. corporations, government
agencies, financial institutions, medical institutions, and universities. Recent data from these
surveys show some disturbing developments, including:



• There has been a shift from both virus attacks and denial of service, which previously
  outpaced all others, to theft of proprietary information.
• The percentage of organizations reporting computer intrusions to law enforcement
  in recent years has declined. The key reason cited for not reporting intrusions to law
  enforcement is the concern for negative publicity.
• Although the vast majority of the organizations view security awareness training as
  important, respondents from all sectors do not believe that their organizations invest
  enough in this area.
• Security budgets in organizations are still very low, indicating a low priority given to
  security.

Data like these point to perhaps the core reason why there is mounting uneasiness and fear of
the developing information infrastructure. The main question arising out of this new fear is
whether we should trust our new information infrastructure medium. We are at a crossroads,
unable to proceed without deciding whether we should trust the path we are taking or not.
If we are to trust it, how much trust must we give? Ironically, if we decide to trust, we are
trusting a system we know very little about and we understand less.
Through the pages of this book, we try to give the reader reasons for trusting the information
infrastructure in spite of limited user knowledge and familiarity, poor infrastructure protocol,
lack of fundamental system blueprints, and its open-architecture, open-source nature.
Yes, we believe that users with a strong ethical framework from a good ethics education
can make sound decisions that are good for the security of the information infrastructure.
Along with a strong ethical framework for decision making, we also need a tool kit of sound
hardware and software security protocols and best practices that will enhance the information
infrastructure’s security. Finally, we believe that a strong and adoptive legal system,
supported by good forensics technologies and an effective apprehension of the offenders,
can create the secure environment in which we can trust the information infrastructure.

The book is, therefore, a survey of these issues in four parts. In the four chapters of Section
I: Security through Moral and Ethical Education, we focus on moral and ethics education
and also discuss related issues of security, privacy, and anonymity as they affect the creation
of a strong ethical framework for decision making:


• In Chapter I: Building Trust in the Information Infrastructure, we outline the
  problems we as members of cyberspace are facing, problems that are challenging our
  individual self and society, in general. We also outline a summary of what we think
  is the best approach to bringing trust to an infrastructure with a runaway security
  problem.
• In Chapter II: Need for Morality and Ethics, we discuss the rising rate of
  computer-related crime and, in particular, information-related crimes. We point out that
  information infrastructure is made up of two components: the man-made component,
  consisting of hardware and software, and the humanware component, consisting of
  users. A good solution to the information infrastructure problem must address problems
  in both of these components.
• In Chapter III: Building an Ethical Framework for Decision Making, we build on
  the discussion in Chapter II about building a good ethical framework and its central
  role in securing the information infrastructure. We show that a good ethical framework
  is essential for good decision making.
• In Chapter IV: Security, Anonymity, and Privacy, we discuss the centrality of
  security and privacy in the information infrastructure and also the role anonymity
  plays. The threat to privacy and security is at the core of the problem of securing the
  information infrastructure. We cannot talk about a secure information infrastructure,
  if we cannot guarantee the security and privacy of individuals and the information on
  the infrastructure.

Within the 10 chapters of Section II: Security through Innovative Hardware and Software
Systems, we cover all practical techniques, protocols, and best practices in use today for a
secure information infrastructure. These include techniques like the issues related to
software reliability and risk; security threats and vulnerabilities; information security policies
and risk analysis and management; access control and authentication; firewalls, intrusion
detection, and prevention; and biometrics:


• In Chapter V: Software Standards, Reliability, Safety, and Risk, we focus on
  software’s role in the security of systems and how we can keep software safe,
  dependable, and secure, as we struggle to make the information communication
  infrastructure secure. Software, more than anything else, is at the heart of the information
  communication infrastructure. It is, in fact, one of the three main components of the
  infrastructure, together with hardware and humanware.
• In Chapter VI: Network Basics and Securing the Network Infrastructure, we
  give a very elementary treatment of the theory of networks and then outline the best
  network security solutions. This is intended to address one of the security concerns
  we discuss in Chapter I: users have little knowledge of the workings of the
  communication infrastructure.
• In Chapter VII: Security Threats and Vulnerabilities, we define and discuss threats
  and vulnerabilities for the ICT infrastructure. We do this by first identifying threats
  and vulnerabilities that are exploited by people like hackers.



• In Chapter VIII: Security Policies and Risk Analysis, we study the central role of a
  security policy in securing an enterprise network as has been pointed out by many
  security specialists, scholars, and security organizations. We further discuss several other
  issues about the security policy. This includes issues like what constitutes a good policy
  and how to formulate, develop, write, implement, and maintain a security policy.
• In Chapter IX: Security Analysis, Assessment, and Assurance, we look at the issues
  of the implementation of a security policy we discussed in Chapter VIII, starting with
  security assessment and analysis. The risks and potential for security breaches involving
  sabotage, vandalism, and resource theft are high. For security assurance of networked
  systems, there must be a comprehensive security evaluation to determine the status of
  security and ways to improve it through mitigation of security threats. So an
  examination and evaluation of the various factors affecting security status must be carried out
  and assessed to determine the adequacy of existing security measures and safeguards,
  and also to determine if improvements in the existing measures are needed.
• In Chapter X: Access Control, Authentication, and Authorization, we focus on
  three major security mechanisms from our security tool kit. We cover access control,
  authentication, and authorization.
• In Chapter XI: Perimeter Defense: The Firewall, we continue with our discussion
  of technical controls and techniques, which we started in Chapter X, by focusing on
  securing the perimeter of the enterprise network. This discussion consists of two parts:
  access control and firewalls.



In.Chapter.XII:.Intrusion.Detection.and.Prevention.Systems, we look at intrusion detection, one of the principles that defines security. Since computer networks
have come to be pots of honey, attracting many, the stampede for information from
computer networks is great and must be met with strong mechanisms. First there is
detecting those trying to penetrate the system; second is preventing them from trying;
and third is responding to the attempt, successfully or not. Although these three are the
fundamental ingredients of security, most resources have been devoted to detection
and prevention, because if we are able to detect all security threats and prevent them,
then there is no need for a response.



In Chapter XIII: Security in Wireless Systems, we follow the prediction by so many
that the next dominant generation of computing technology is going to be wireless.
We are already witnessing the beginning of this with the tremendous growth of wireless technology in the last few years. Along with the marvels of a new technology
and more so with wireless technology, there comes an avalanche of security concerns
and problems. This is also the case with wired technology. So we carefully look at the
current security protocols and best practices.



In Chapter XIV: Biometrics for Access Control, we look at other emerging security
technologies. New technologies and new techniques must be found to create a more
reliable and more secure environment. In the quest for a superior solution, biometrics
verification techniques are fast emerging as the most reliable and practical method of
individual identity verification. Biometrics refer to technologies and techniques that
rely on measurable physiological and personal characteristics and attributes that can
uniquely identify and authenticate an individual.



In the two chapters of Section III: Security through the Legal System, we discuss digital
evidence and computer crime, digital crime investigations and forensics, and writing investigative reports.


In Chapter XV: Digital Evidence and Computer Crime, we shift the discussion
from moral and ethical education that forms an ethical framework in decision making and from implementation of security technologies, tools, and best practices, to
focus on the legal and law enforcement approaches. We believe, despite the fact that
the technology has outpaced the legal system and the technology the criminals use
is sometimes years ahead of that of law enforcement, that the legal system can play
a very positive and effective role in the security of networks and the communication
infrastructure.




In Chapter XVI: Digital Crime Investigations and Forensics, we focus on the investigative process. We divide the discussion into two parts. First we look at a process
known as computer forensics in which we investigate crime scenes that involve data
on computers. We look at the different parts of the computer and how digital evidence
can be either hidden or extracted from the computer. In the second process, we consider
the crime scene as not one computer but a network of computers. Our investigation
then goes beyond one computer to include the infrastructure of the network and all
points in the network where evidence can be either hidden or extracted. We refer to
this second process as network forensics.

Finally in Section IV: What Next?, we conclude with an interesting discourse:


In Chapter XVII: Trends in Information Assurance, we discuss all of the security
best practices, the possible trends in security protocols and best practices, their viability,
and their growth in light of rapidly developing technology. We conclude the chapter
and the book by a discussion of the possibilities of new technologies and what they
should cover.

We believe this kind of approach to the information infrastructure will result in a secure
information infrastructure that can be trusted by all of its users and, hence, will be secured
for all of us and our children to come.
Joseph Migga Kizza
Chattanooga, TN
Florence Migga Kizza
Boca Raton, FL



Acknowledgment


This is a very comprehensive book covering a wide spectrum of interests in information
security. It is, therefore, a challenge to the authors to present materials that will interest
and challenge the majority of the intended readers. We made every effort in collecting and
presenting materials that we think will go a long way to accomplish this. Along the way as
we did this, we encountered many helpful and sometimes unforgettable people who went
out of their way just to help by either answering one question or 10, providing a reference,
questioning a statement, correcting grammar, or just pointing out a direction. We are grateful
to hundreds of these unnamed heroes of this book.
Since early in its inception, this book has taken many turns and forms to get to its present
form. This evolution has been a result of both content and syntax reviews, sometimes casual
but many times serious. In particular, we want to thank the nameless IGI Global reviewers
who made many invaluable suggestions. To all reviewers, we thank you from the bottom of
our hearts for the small and large part you played. Whatever your part, you have contributed
tremendously to the final product.
Finally, in a great way, we want to thank Immaculate Kizza, a mother, wife, and a gifted
reviewer, for the many contributions she has made to the book. As usual you made it happen
for us.



Section I
Security Through Moral
and Ethical Education



Chapter I

Building Trust in the
Information Infrastructure

Introduction
The rapid advances in computer technology, the plummeting prices of information processing and indexing devices, and the development of sprawling global networks have all made the generation, collection, processing,
indexing, and storage of and access to information easy and have made
the information infrastructure an enjoyable environment. The information
infrastructure consists of computer or computer-related hardware, software
to run on the hardware, and humanware to run both. The human component
in the information infrastructure is essential because humans create the life
and dynamism in the infrastructure that has made it what it is. However,
humans also create all the problems facing the infrastructure as we will see
throughout the book. Note that the infrastructure we have just defined is
actually cyberspace. So throughout the book, we will use cyberspace and
information infrastructure interchangeably. Cyberspace technology has
brought more excitement to humanity than ever before. Communication has
become almost instantaneous. The speed of data access is chasing the speed
of light. Humanity could not have gotten a better technology. However,
with the excitement and “bewilderness,” there has come a realization, after
rough experiences, that the new technology has a serious downside. Based
on individual experiences, the fear of the new technology on which we have
come to depend is on the rise. But because there are more benefits of the new
technology to humanity, trust of the technology must be cultivated among
the users of the technology. Webster’s Dictionary (1989) defines trust as a
noun as confidence or faith in a person or a thing, and as a verb as having
confidence or faith in someone or something. For us, we want users of the
information infrastructure to have confidence in it.

Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission
of IGI Global is prohibited.

Numerous studies have indicated that the bad experiences encountered by
users of cyberspace technology form a small fraction of all the wonderful
experiences offered to users by cyberspace. There are many wonderful and
beneficial services that are overshadowed by sometimes sensational reporting of new, but undeniably widespread, bad incidents in cyberspace. These
few, sometimes overblown, incidents have created fear and an image of an
insecure and out-of-control cyberspace. This, in turn, has resulted in many
users and would-be users starting to not trust cyberspace. In fact, the opposite
of this is truer. There is a lot to gain from cyberspace, both as an individual
and as a community. We need to pass the message along that cyberspace is
safe, offers lots of benefits, and should be trusted. We have built the protocols and we have identified the best practices to safeguard the information
infrastructure for every genuine user. We believe that with rising user trust
of cyberspace, the security of cyberspace will be enhanced. However, the
road to getting this message across is not easy.

Problems with Building Trust
Probably, many of you who have been around in the last 10 years have
experienced two scary and turbulent periods in computing. The first period
probably started around 1990 and lasted through 2000. This period saw an
unprecedented growth in computer networks around the globe. It was characterized by frightening, often very devastating, and widespread virus attacks on
global computer networks. These interconnected and interdependent networks
provided a very good conduit for these virus attacks. As the world became a
mesh of thousands of interdependent computers, more individuals, businesses,
organizations, and nations were becoming more dependent on them.
This period experienced monstrous and increasingly diverse, sophisticated, and
coordinated virus and distributed denial of service attacks that included attacks
like Melissa, The Goodtimes, the distributed denial of services (DDoS), The
Love Bug, Code Red, and the Bagle, to name but a few. The inputs fuelling
the rise and the destructive power of these attacks were the large volume of
free hacker tools on the Internet that made it easier than ever for amateurs to
create and launch a virus; the easy availability of such tools; the widespread
use of computers in homes, organizations, and businesses; the large numbers
of young people growing up with computers in their bedrooms; the growing
“over interest” in computers; the anonymity of users of the Internet; and the
ever-growing dependence on computers and computer networks. All these
put together contributed to the wild, wild cyberspace of the 1990s.
Since 2000, we have been in a new period; and we are experiencing new attack techniques. This period is, so far, characterized by small, less powerful
but selective and targeted attacks. The targets are preselected to maximize
personal gains. The targets are carefully chosen for personal identity, which
leads to financial gains. Attacks so far in this period are overwhelmingly
targeting financial institutions and institutions and businesses that store personal information. The list of victims is long and growing. For example in
this period:

• Bank of America Corp. reported computer tapes containing credit card records of U.S. senators and more than a million U.S. government employees
  went missing, putting the customers at increased risk of identity theft.
• ChoicePoint Inc., a Georgia-based credit reporting company, had a breach
  of their computer databases, which rendered nearly 145,000 people vulnerable to identity theft.
• Data wholesaler LexisNexis, a division of Reed Elsevier, admitted having
  personal information of about 310,000 of its U.S. customers stolen.
• ChoicePoint, another credit reporting company, had lost account of up to
  100,000 people.


This rapid stream of attack publicity is not new. It has always been like
this, but because of strict reporting laws being enacted in a number of state
legislatures like California, more and more companies and institutions are
reporting the loss of personal accounts. Among the latest companies and institutions are: PayMaxx, health care heavyweight San Jose Medical Group,
California State University at Chico, Boston College, and the University of
California at Berkeley (Sullivan, 2006). These made the headlines, but many
more do not.
Personal information has become so valuable that hackers, thieves, and
some businesses are trading over legal lines to collect personal information.
The recent disappearance of a small disk containing personal information
on almost 4.5 million veterans and army personnel, including their social
security numbers and even home addresses, has probably brought some
needed awareness to the huge problem, which had not made it to a spot on
the evening news previously. The rate at which new ways of information
gathering, like pretexting, which is a remake of the old social engineering,
are being developed is indicative of the value of personal information.
Armed with this information, hackers and information thieves, or information
brokers as they want to call themselves, use information like social
security numbers to access bank accounts, illegally acquire houses, and use
them to get mortgage credit lines. The possibilities for using personal information are endless.
Another threat that is characteristic of this period, again with a flavor of
searching for personal information, is the growing problem of spyware.
Spyware is not only threatening enterprise networks and small home-built
networks, it is turning computers on these networks into spam-generating
machines, which wreak havoc on home personal computers (PCs). Spyware is
software for which no purchase or license is necessary. It is normally installed
on a computer without knowledge or consent of the user. It has no set time
to install or specified source from which to download. It installs on the user
computer, without authorization, with the main mission of monitoring some
of the information on the computer and making that information available
to outside sources as needed. It may send the information once, periodically,
or continuously for a long time.
Spyware is usually distributed through user Web site visits and file downloads. Following these Web site visits and casual downloads, malware, a
more destructive form of spyware, is downloaded onto the user’s computer
or server. Also, downloading free software, such as peer-to-peer file sharing
programs, screen savers, backgrounds, and media files, increases the chances
of acquiring malware. Once deposited on a corporate computer, spyware
starts to track keystrokes, scan hard drives, and change system and registry
settings. Actions like these can lead to identity theft, data corruption, and
even theft of a company’s trade secrets.
Based on the latest study, two-thirds of consumer computers are infected with
spyware (Plante, 2006). Because they are widespread, they have become a
huge security problem to system administrators and chief security officers
(CSOs). They are a management problem and a security nightmare because
they (Plante, 2006):

• Are a loss to network bandwidth due to unsolicited advertising traffic
• Overload the security and help-desk staff with the job of cleaning adware
  from all corporate computers
• Are keystroke logger/screen capture software that hides on a user computer and then records the user keystrokes and screenshots that later can
  be used to reconstruct a user session, which may lead to theft of personal
  confidential information, like passwords, social security numbers, and
  banking and other financial information
• May be hacking software, like password crackers and Trojan horses,
  that can unscrupulously be used to remotely enter the system

Spam is yet another menacing security problem to systems. Spam is unsolicited bulk e-mail. Unlike a penetration and a DDoS attack, which affect
the system security through a variety of ways, spam does not penetrate a
system without authorization or deny system services to users. According
to The Yankee Group, a Boston-based research and consulting firm, spam
costs U.S. businesses $4 billion annually in lost productivity (Plante, 2006).
Spam comes in the form of e-mails, hundreds or thousands of them, sent to a
mail server. So many e-mails can become a problem in many ways, including
clogging of networks and servers, so that other security threats can exploit
the clogged server.
The fourth major problem that straddled the two periods is our dependence on
information technology (IT). This dependence is unfortunately ever increasing and our trust in the technology that seems to do wonders is total. We buy
stocks online; we bank online; we keep all our personal records online. We
routinely get our news online. Very few of us take a minute to question the
reliability and integrity of the online information we access and give. For
the current dynamism of the digital information and electronic commerce
(e-commerce) to survive, we need to have and maintain this trust. We must
trust online information as we trust the brick-and-mortar printed and broadcast information.
There are other problems, including those listed below, that have made the
information age and cyberspace a replay of the old wild, wild West, and I
discuss them more fully in Network Security and Cyber Ethics (2002).

• Network operating systems and software vulnerabilities
• Limited knowledge of users and system administrators: The limited knowledge computer users and system administrators have about
  computer network infrastructure and the working of its protocols does
  not help advance network security. Rather, it increases the dangers.
• Lack of planning: There is no clear plan, direction, or blueprint to guide
  the national efforts in finding a solution to information infrastructure
  problems.
• Complacent society: The public has yet to come to terms with the fact
  that cyberspace is dangerous and one ought to be cautious.
• Inadequate security mechanism and solutions: The existing solutions are best practices and are not comprehensive enough; they are
  still technology or application specific. Also, they are so far not really
  solutions but patches.
• Poor reporting of computer crimes: The number of reported cyber crimes
  tracked by CERT, the FBI, and local enforcement authorities is low.
• Solution overload: There are just too many “solutions” and “best practices” to be fully trusted. It takes more time looking for a more effective
  solution.

Internationally, the picture is no better; in fact, it is worse in some aspects
than it is in the United States, according to The Global State of Information
Security 2005, a worldwide study by CIO, CSO, and PricewaterhouseCoopers (PwC) in the CSO Online Magazine (Berinato, 2005). In the report, the
author compares the global information security picture to an escaped wildfire, where the firefighters are desperately trying to outflank the fire line and
prevent flare ups and firestorms. Just holding your ground is a victory. In the
third annual report in which they surveyed more than 8,200 IT and security
executives from 63 countries on six continents, the data shows disturbing
patterns. It shows:

• A notable lack of focus on actions and strategies that could prevent these
  incidents in the first place
• A remarkable ambivalence among respondents about compliance with
  government regulations
• A clear lack of risk management discipline
• A continuing inability to create actionable security intelligence out of
  mountains of security data

For example, the survey reveals that just 37 percent of respondents reported
that they had an information security strategy, and only 24 percent of the rest
say that creating one is in the plans for next year.
The report also revealed that while the numbers on incidents, down time,
and damages have remained steady, there is an increase in other numbers
that are cause for alarm:

• The sharply rising number of respondents who report damages as “unknown”—up to 47 percent
• During the past year, could also contribute to the rising “unknown”
  group
• Increased sophistication and complexity of attacks, hitting more complex
  targets


Steps to Building Trust
Against this background, efforts need to be and are being taken to protect
online data and information and enhance user trust of the information infrastructure. Such trust will create confidence in the information infrastructure
leading to enhanced privacy, security, reliability, and integrity of information, which forms the core of a secure information infrastructure. One way
to accomplish this is by building a strong ethical framework for all users of
the information infrastructure, developing tools and best practices to protect
hardware and software products that make up the information infrastructure,
and creating and enforcing a strong legal framework. Such approaches would
involve measures, such as:

• Developing a culture-neutral and nonreligious value-based moral framework
• Developing effective security protocols, including security policies and
  models of security governance, assessment of the security threats, intrusion detection and prevention, and authentication and access control
  regimens
• Enacting legislation
• Providing self-regulation
• Developing an effective and enforceable legal framework that involves
  computer forensics

Without firm security controls and best practices like these, we will never
be able to secure the ever growing information infrastructure upon which all
societies and individuals have come to depend.

Conclusion
This is an introductory chapter where we have defined both the information
infrastructure and trust, and outlined the problems that cause users to fail to
trust the information infrastructure. We also have discussed the need for users
to trust the information infrastructure. Without this trust, the infrastructure
cannot be secure. Finally we have outlined the steps needed to build the
trust in the information infrastructure. In the remainder of the chapters, we
are going to open a dialogue with the reader as we survey the landscape of
possible solutions and best practices as we all strive to build an environment
we can all trust.
