

Securing the Information Infrastructure
Joseph M. Kizza
University of Tennessee at Chattanooga, USA
Florence M. Kizza
Freelance Writer, USA
Hershey • New York
Cybertech Publishing
Acquisition Editor: Kristin Klinger
Senior Managing Editor: Jennifer Neidig
Managing Editor: Sara Reed
Development Editor: Kristin Roth
Copy Editor: Heidi Hormel
Typesetter: Michael Brehm
Cover Design: Lisa Tosheff
Printed at: Yurchak Printing Inc.
Published in the United States of America by
CyberTech Publishing (an imprint of IGI Global)
701 E. Chocolate Avenue
Hershey PA 17033
Tel: 717-533-8845
Fax: 717-533-8661
E-mail:
Web site:
and in the United Kingdom by
CyberTech Publishing (an imprint of IGI Global)
3 Henrietta Street


Covent Garden
London WC2E 8LU
Tel: 44 20 7240 0856
Fax: 44 20 7379 0609
Web site:
Copyright © 2008 by IGI Global. All rights reserved. No part of this book may be reproduced in any form or
by any means, electronic or mechanical, including photocopying, without written permission from the publisher.
Product or company names used in this book are for identification purposes only. Inclusion of the names of
the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered
trademark.
Library of Congress Cataloging-in-Publication Data
Kizza, Joseph Migga.
Securing the information infrastructure / Joseph Kizza and Florence Migga Kizza, authors.
p. cm.
Summary: “This book examines how internet technology has become an integral part of our daily lives and as
it does, the security of these systems is essential. With the ease of accessibility, the dependence to a computer
has sky-rocketed, which makes security crucial”--Provided by publisher.
Includes bibliographical references and index.
ISBN 978-1-59904-379-1 (hardcover) -- ISBN 978-1-59904-381-4 (ebook)
1. Cyberterrorism. 2. Internet--Security measures. 3. Computer networks--Security measures. 4. Information
superhighway--Security measures. I. Kizza, Florence Migga. II. Title.
HV6773.K59 2008
005.8--dc22
2007007405
British Cataloguing in Publication Data
A Cataloguing in Publication record for this book is available from the British Library.
All work contributed to this book is new, previously-unpublished material. The views expressed in this book are
those of the authors, but not necessarily of the publisher.
To Immaculate, a wonderful mother and wife

Securing the Information Infrastructure
Table of Contents
Preface ... ix
Acknowledgment ... xiv

Section I: Security Through Moral and Ethical Education

Chapter I
Building Trust in the Information Infrastructure ... 1
    Introduction ... 1
    Problems with Building Trust ... 2
    Steps to Building Trust ... 7
    Conclusion ... 8
    References ... 9

Chapter II
Need for Morality and Ethics ... 10
    Introduction ... 10
    Morality ... 11
    Ethics ... 11
    Codes of Professional Responsibility ... 18
    The Relevancy of Ethics in Modern Life ... 20
    Conclusion ... 21
    References ... 21

Chapter III
Building an Ethical Framework for Decision Making ... 22
    Introduction ... 22
    Principle of Duty of Care ... 23
    Work and Decision Making ... 23
    Pillars of a Working Life ... 25
    Need for an Ethical Education ... 28
    Decision Making and the Ethical Framework ... 35
    Conclusion ... 39
    References ... 40

Chapter IV
Security, Anonymity, and Privacy ... 41
    Introduction ... 41
    Security ... 42
    The Importance of Information Security ... 49
    Government and International Security Standards ... 50
    Information Security Evaluation Criteria ... 53
    Privacy ... 56
    Privacy and Security in Cyberspace ... 59
    Conclusion ... 63
    References ... 64

Section II: Security Through Innovative Hardware and Software Systems

Chapter V
Software Standards, Reliability, Safety, and Risk ... 66
    Introduction ... 66
    The Role of Software in the Security of Computing Systems ... 67
    Software Standards ... 70
    Reliability ... 76
    Software Security ... 79
    Causes of Software Failures ... 82
    Conclusion ... 86
    References ... 87

Chapter VI
Network Basics and Securing the Network Infrastructure ... 88
    Introduction ... 88
    Computer Network Basics ... 89
    Network Protocols and Layering ... 97
    Network Services ... 104
    Network Connecting Devices ... 108
    Securing the Network Infrastructure: Best Practices ... 114
    Conclusion ... 118
    References ... 118

Chapter VII
Security Threats and Vulnerabilities ... 119
    Introduction ... 119
    Types of Threats and Vulnerabilities ... 120
    Sources of Information Security Threats ... 122
    Best Practices of Online Security ... 133
    Conclusion ... 134
    References ... 134
    Appendix: Additional Reading ... 135

Chapter VIII
Security Policies and Risk Analysis ... 137
    Introduction ... 137
    Information Security Policy ... 138
    Aspects of Security Policies ... 139
    Building a Security Policy ... 142
    Types of Security Policies ... 157
    Conclusion ... 160
    References ... 160

Chapter IX
Security Analysis, Assessment, and Assurance ... 161
    Introduction ... 161
    Threat Identification ... 162
    Security by Analysis ... 168
    Security Assessment and Assurance ... 171
    Conclusion ... 179
    References ... 179

Chapter X
Access Control, Authentication, and Authorization ... 180
    Introduction ... 180
    Definitions ... 181
    Access Control ... 181
    Authentication ... 191
    Authorization ... 203
    Conclusion ... 207
    References ... 207

Chapter XI
Perimeter Defense: The Firewall ... 209
    Introduction ... 209
    Types of Firewalls ... 212
    Other Firewalls ... 227
    Virtual Private Network ... 230
    Firewall Issues Before Installation ... 231
    Configuration and Implementation of a Firewall ... 232
    Advantages of Firewalls ... 234
    Disadvantages of Firewalls ... 235
    Securing a Network by a Firewall ... 236
    Conclusion ... 237
    References ... 238

Chapter XII
Intrusion Detection and Prevention Systems ... 239
    Introduction ... 239
    Definitions ... 240
    Background of Intrusion Detection ... 242
    Basic Modules of an Intrusion Detection System ... 243
    Intrusion Detection Models ... 244
    Responses to Intrusion Detection Reports ... 247
    Types of Intrusion Detection Systems ... 248
    Challenges for Intrusion Detection ... 254
    Intrusion Prevention Systems (IPSs) ... 255
    Conclusion ... 258
    References ... 258

Chapter XIII
Security in Wireless Systems ... 259
    Introduction ... 259
    Types of Wireless Technology ... 260
    The Wireless Communication Infrastructure ... 260
    Wireless Local Area Network (WLAN): Wireless Fidelity (Wi-Fi) ... 265
    Security Issues in Wireless Systems ... 270
    Best Practices for Wi-Fi Security ... 276
    Conclusion ... 278
    References ... 278

Chapter XIV
Biometrics for Access Control ... 280
    Introduction ... 280
    History of Biometrics ... 281
    Biometric Authentication System ... 282
    Biometric Identifiers ... 284
    Advantages of Biometrics ... 292
    Disadvantages of Biometrics ... 293
    Why Biometrics Are Not Truly Accepted ... 294
    The Future of Biometrics ... 295
    Conclusion ... 296
    References ... 296

Section III: Security Through the Legal System

Chapter XV
Digital Evidence and Computer Crime ... 298
    Introduction ... 298
    Definitions ... 299
    Nature of Digital Evidence ... 299
    Importance of Digital Evidence ... 300
    Reliability of Digital Evidence ... 301
    The Need for Standardization ... 302
    Proposed Standards for the Exchange of Digital Evidence ... 303
    The Process of Digital Evidence Acquisition ... 305
    Investigative Procedures ... 306
    Conclusion ... 316
    References ... 316

Chapter XVI
Digital Crime Investigation and Forensics ... 318
    Definition ... 318
    Computer Forensics ... 319
    History of Computer Forensics ... 319
    Network Forensics ... 320
    Forensics Analysis ... 321
    Forensics Tools ... 324
    Conclusion ... 334
    References ... 334

Section IV: What Next?

Chapter XVII
Trends in Information Assurance ... 336
    Introduction ... 336
    Global Information Assurance Initiatives and Trends ... 337
    National and International Information Security Initiatives ... 342
    Certification Programs ... 350
    Conclusion ... 352
    References ... 353
    Appendix: Additional Reading ... 354

Glossary of Terms ... 355
About the Authors ... 362
Index ... 363
Preface
The frequent headlines involving incidents of stolen or hacked user records from company and government institutions, like the recent Veterans Affairs episode, have brought probably unwanted attention to the constant problem of securing vital, essential, and confidential personal, business, and national records from the hands of hackers and thieves. However, to many in the security community, such news has refocused the attention of the nation, if not the whole world, and re-ignited the debate about how far we need to go and what we need to do in order to secure the information infrastructure upon which all vital information happens to reside and is transported.

Two fundamental developments have brought us to where we are today. First, Internet technology has become an integral part of our daily lives, and as it has, comprehensive security for the systems upon which we have come to depend has become essential. The tremendous increase in connectivity, now driven more by new Wi-Fi technologies than by fixed networks, has led to an increase in remote access and consequently to increased system vulnerability. These forces, together with the plummeting prices of information processing and indexing devices and the development of sprawling global networks, have made the generation, collection, processing, indexing, and storage of and access to information easy. Second, as the popularity of computer use has grown, our dependence on computers and computer technology has skyrocketed to new heights and is hovering toward total dependence. There are serious consequences to total dependence on the information infrastructure and its associated technologies. As we have all witnessed in the last several years, Internet technologies have been like a large cruise ship in the middle of the ocean with all its amenities but without a captain. The 21st century has, thus far, the most machine-dependent generation. This dependence, though for convenience, is turning out to be one of the main sources of our security problems and a potential privacy concern. It is leading to the loss of our privacy, security, and autonomy.
These two developments, taken together, have created an even more tempting environment for online digital crimes than ever before. The annual Computer Crime Survey by the Computer Security Institute/Federal Bureau of Investigation (CSI/FBI) typically is a barometer of computer crime within the United States and every year presents alarming statistics about rising digital crime rates over our public networks. The survey results always paint a picture of cyber crimes bleeding the nation. The CSI/FBI Computer Crime and Security surveys are always targeted at computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities. Recent data from these surveys show some disturbing developments, including:
• There has been a shift from both virus attacks and denial of service, which previously outpaced all others, to theft of proprietary information.
• The percentage of organizations reporting computer intrusions to law enforcement in recent years has declined. The key reason cited for not reporting intrusions to law enforcement is the concern about negative publicity.
• Although the vast majority of the organizations view security awareness training as important, respondents from all sectors do not believe that their organizations invest enough in this area.
• Security budgets in organizations are still very low, indicating the low priority given to security.
Data like these point to perhaps the core reason why there is mounting uneasiness about and fear of the developing information infrastructure. The main question arising out of this new fear is whether we should trust our new information infrastructure medium. We are at a crossroads, unable to proceed without deciding whether or not we should trust the path we are taking. If we are to trust it, how much trust must we give? Ironically, if we decide to trust, we are trusting a system we know very little about and understand even less.

Through the pages of this book, we try to give the reader reasons for trusting the information infrastructure in spite of limited user knowledge and familiarity, poor infrastructure protocols, lack of fundamental system blueprints, and its open-architecture, open-source nature. Yes, we believe that users with a strong ethical framework from a good ethics education can make sound decisions that are good for the security of the information infrastructure. Along with a strong ethical framework for decision making, we also need a tool kit of sound hardware and software security protocols and best practices that will enhance the information infrastructure's security. Finally, we believe that a strong and adaptive legal system, supported by good forensics technologies and the effective apprehension of offenders, can create a secure environment in which we can trust the information infrastructure.
The book is, therefore, a survey of these issues in four parts. In the four chapters of Section I: Security through Moral and Ethical Education, we focus on moral and ethics education and also discuss related issues of security, privacy, and anonymity as they affect the creation of a strong ethical framework for decision making:
• In Chapter I: Building Trust in the Information Infrastructure, we outline the problems we as members of cyberspace are facing, problems that are challenging our individual selves and society in general. We also outline a summary of what we think is the best approach to bringing trust to an infrastructure with a runaway security problem.
• In Chapter II: Need for Morality and Ethics, we discuss the rising rate of computer-related crime and, in particular, information-related crimes. We point out that the information infrastructure is made up of two components: the man-made component, consisting of hardware and software, and the humanware component, consisting of users. A good solution to the information infrastructure problem must address problems in both of these components.
• In Chapter III: Building an Ethical Framework for Decision Making, we build on the discussion in Chapter II about building a good ethical framework and its central role in securing the information infrastructure. We show that a good ethical framework is essential for good decision making.
• In Chapter IV: Security, Anonymity, and Privacy, we discuss the centrality of security and privacy in the information infrastructure and also the role anonymity plays. The threat to privacy and security is at the core of the problem of securing the information infrastructure. We cannot talk about a secure information infrastructure if we cannot guarantee the security and privacy of individuals and of the information on the infrastructure.
Within the 10 chapters of Section II: Security through Innovative Hardware and Software Systems, we cover all practical techniques, protocols, and best practices in use today for a secure information infrastructure. These include issues related to software reliability and risk; security threats and vulnerabilities; information security policies and risk analysis and management; access control and authentication; firewalls, intrusion detection, and prevention; and biometrics:
• In Chapter V: Software Standards, Reliability, Safety, and Risk, we focus on software's role in the security of systems and how we can keep software safe, dependable, and secure as we struggle to make the information communication infrastructure secure. Software, more than anything else, is at the heart of the information communication infrastructure. It is, in fact, one of the three main components of the infrastructure, together with hardware and humanware.
• In Chapter VI: Network Basics and Securing the Network Infrastructure, we give a very elementary treatment of the theory of networks and then outline the best network security solutions. This is intended to address one of the security concerns we discuss in Chapter I: users have little knowledge of the workings of the communication infrastructure.
• In.Chapter.VII:.Security.Threats.and.Vulnerabilities, we dene and discuss threats
and vulnerabilities for the ICT infrastructure. We do this by rst identifying threats
and vulnerabilities that are exploited by people like hackers.
• In.Chapter.VIII:.Security.Policies.and.Risk.Analysis, we study the central role of a
security policy in securing an enterprise network as has been pointed out by many se-
curity specialists, scholars, and security organizations. We further discuss several other
issues about the security policy. This includes issues like what constitutes a good policy
and how to formulate, develop, write, implement, and maintain a security policy.
• In.Chapter.IX:.Security.Analysis,.Assessment,.and.Assurance,
we look at the issues
of the implantation of a security policy we discussed in Chapter VIII, starting with se-
curity assessment and analysis. The risks and potential for security breaches involving
sabotage, vandalism, and resource theft are high. For security assurance of networked
systems, there must be a comprehensive security evaluation to determine the status of
security and ways to improve it through mitigation of security threats. So an examina-
tion and evaluation of the various factors affecting security status must be carried out
and assessed to determine the adequacy of existing security measures and safeguards,
and also to determine if improvements in the existing measures are needed.
• In.Chapter.X:.Access.Control,.Authentication,.and.Authorization; we focus on
three major security mechanisms from our security tool kit. We cover access control,
authentication, and authorization.
• In.Chapter.XI:.Perimeter.Defense:.The.Firewall, we continue with our discussion
of technical controls and techniques, which we started in Chapter X, by focusing on
securing the perimeter of the enterprise network. This discussion consists of two parts:
access control and rewalls.
• In.Chapter.XII:.Intrusion.Detection.and.Prevention.Systems, we look at intru-
sion detection, one of the principles that denes security. Since computer networks

have come to be pots of honey, attracting many, the stampede for information from
computer networks is great and must be met with strong mechanisms. First there is
detecting those trying to penetrate the system; second is preventing them from trying;
and third is responding to the attempt, successfully or not. Although these three are the
fundamental ingredients of security, most resources have been devoted to detection
and prevention, because if we are able to detect all security threats and prevent them,
then there is no need for a response.
• In Chapter XIII: Security in Wireless Systems, we follow the prediction by so many that the next dominant generation of computing technology is going to be wireless. We are already witnessing the beginning of this with the tremendous growth of wireless technology in the last few years. Along with the marvels of a new technology, and more so with wireless technology, there comes an avalanche of security concerns and problems. This is also the case with wired technology. So we carefully look at the current security protocols and best practices.
• In Chapter XIV: Biometrics for Access Control, we look at other emerging security technologies. New technologies and new techniques must be found to create a more reliable and more secure environment. In the quest for a superior solution, biometric verification techniques are fast emerging as the most reliable and practical method of individual identity verification. Biometrics refers to technologies and techniques that rely on measurable physiological and personal characteristics and attributes that can uniquely identify and authenticate an individual.
In the two chapters of Section III: Security through the Legal System, we discuss digital evidence and computer crime, digital crime investigations and forensics, and writing investigative reports.
• In Chapter XV: Digital Evidence and Computer Crime, we shift the discussion from moral and ethical education that forms an ethical framework in decision making and from implementation of security technologies, tools, and best practices, to focus on the legal and law enforcement approaches. We believe, despite the fact that the technology has outpaced the legal system and the technology the criminals use is sometimes years ahead of that of law enforcement, that the legal system can play a very positive and effective role in the security of networks and the communication infrastructure.
• In Chapter XVI: Digital Crime Investigations and Forensics, we focus on the investigative process. We divide the discussion into two parts. First we look at a process known as computer forensics in which we investigate crime scenes that involve data on computers. We look at the different parts of the computer and how digital evidence can be either hidden or extracted from the computer. In the second process, we consider the crime scene as not one computer but a network of computers. Our investigation then goes beyond one computer to include the infrastructure of the network and all points in the network where evidence can be either hidden or extracted. We refer to this second process as network forensics.
Finally, in Section IV: What Next?, we conclude with an interesting discourse:
• In Chapter XVII: Trends in Information Assurance, we discuss all of the security best practices, the possible trends in security protocols and best practices, their viability, and their growth in light of rapidly developing technology. We conclude the chapter and the book with a discussion of the possibilities of new technologies and what they should cover.
We believe this kind of approach to the information infrastructure will result in a secure
information infrastructure that can be trusted by all of its users and, hence, will be secured
for all of us and our children to come.
Joseph Migga Kizza
Chattanooga, TN
Florence Migga Kizza
Boca Raton, FL
Acknowledgment
This is a very comprehensive book covering a wide spectrum of interests in information security. It is, therefore, a challenge to the authors to present materials that will interest and challenge the majority of the intended readers. We made every effort in collecting and presenting materials that we think will go a long way to accomplish this. Along the way as we did this, we encountered many helpful and sometimes unforgettable people who went out of their way just to help by either answering one question or 10, providing a reference, questioning a statement, correcting grammar, or just pointing out a direction. We are grateful to hundreds of these unnamed heroes of this book.
Since early in its inception, this book has taken many turns and forms to get to its present form. This evolution has been a result of both content and syntax reviews, sometimes casual but many times serious. In particular, we want to thank the nameless IGI Global reviewers who made many invaluable suggestions. To all reviewers, we thank you from the bottom of our hearts for the small and large part you played. Whatever your part, you have contributed tremendously to the final product.
Finally, in a great way, we want to thank Immaculate Kizza, a mother, wife, and a gifted
reviewer, for the many contributions she has made to the book. As usual you made it happen
for us.
Section I
Security Through Moral and Ethical Education
Building Trust in the Information Infrastructure 1
Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission
of IGI Global is prohibited.
Chapter I
Building Trust in the Information Infrastructure
Introduction
The rapid advances in computer technology, the plummeting prices of information processing and indexing devices, and the development of sprawling global networks have all made the generation, collection, processing, indexing, and storage of and access to information easy and have made the information infrastructure an enjoyable environment. The information infrastructure consists of computer or computer-related hardware, software to run on the hardware, and humanware to run both. The human component in the information infrastructure is essential because humans create the life and dynamism in the infrastructure that has made it what it is. However, humans also create all the problems facing the infrastructure, as we will see throughout the book. Note that the infrastructure we have just defined is actually cyberspace. So throughout the book, we will use cyberspace and
information infrastructure interchangeably. Cyberspace technology has brought more excitement to humanity than ever before. Communication has become almost instantaneous. The speed of data access is chasing the speed of light. Humanity could not have gotten a better technology. However, with the excitement and “bewilderness,” there has come a realization, after rough experiences, that the new technology has a serious downside. Based on individual experiences, the fear of the new technology on which we have come to depend is on the rise. But because there are more benefits of the new technology to humanity, trust of the technology must be cultivated among the users of the technology. Webster’s Dictionary (1989) defines trust, as a noun, as confidence or faith in a person or a thing and, as a verb, as having confidence or faith in someone or something. For us, we want users of the information infrastructure to have confidence in it.
Numerous studies have indicated that the bad experiences encountered by users of cyberspace technology form a small fraction of all the wonderful experiences offered to users by cyberspace. There are many wonderful and beneficial services that are overshadowed by sometimes sensational reporting of new, but undeniably widespread, bad incidents in cyberspace. These few, sometimes overblown, incidents have created fear and an image of an insecure and out-of-control cyberspace. This, in turn, has resulted in many users and would-be users starting to distrust cyberspace. In fact, the opposite is closer to the truth. There is a lot to gain from cyberspace, both as an individual and as a community. We need to pass the message along that cyberspace is safe, offers lots of benefits, and should be trusted. We have built the protocols and we have identified the best practices to safeguard the information infrastructure for every genuine user. We believe that with rising user trust of cyberspace, the security of cyberspace will be enhanced. However, the road to getting this message across is not easy.
Problems with Building Trust
Probably, many of you who have been around in the last 10 years have experienced two scary and turbulent periods in computing. The first period probably started around 1990 and lasted through 2000. This period saw an unprecedented growth in computer networks around the globe. It was characterized by frightening, often very devastating, and widespread virus attacks on
global computer networks. These interconnected and interdependent networks
provided a very good conduit for these virus attacks. As the world became a
mesh of thousands of interdependent computers, more individuals, businesses,
organizations, and nations were becoming more dependent on them.
This period experienced monstrous and increasingly diverse, sophisticated, and coordinated virus and distributed denial of service attacks that included attacks like Melissa, The Goodtimes, the distributed denial of services (DDoS), The Love Bug, Code Red, and the Bagle, to name but a few. The inputs fuelling the rise and the destructive power of these attacks were the large volume of free hacker tools on the Internet that made it easier than ever for amateurs to create and launch a virus; the easy availability of such tools; the widespread use of computers in homes, organizations, and businesses; the large numbers of young people growing up with computers in their bedrooms; the growing “over interest” in computers; the anonymity of users of the Internet; and the ever-growing dependence on computers and computer networks. All these put together contributed to the wild, wild cyberspace of the 1990s.
Since 2000, we have been in a new period, and we are experiencing new attack techniques. This period is, so far, characterized by small, less powerful but selective and targeted attacks. The targets are preselected to maximize personal gains. The targets are carefully chosen for personal identity, which leads to financial gains. Attacks so far in this period are overwhelmingly targeting financial institutions and institutions and businesses that store personal information. The list of victims is long and growing. For example, in this period:
• Bank of America Corp. reported computer tapes containing credit card records of U.S. senators and more than a million U.S. government employees went missing, putting the customers at increased risk of identity theft.
• ChoicePoint Inc., a Georgia-based credit reporting company, had a breach of their computer databases, which rendered nearly 145,000 people vulnerable to identity theft.
• Data wholesaler LexisNexis, a division of Reed Elsevier, admitted having personal information of about 310,000 of its U.S. customers stolen.
• ChoicePoint, another credit reporting company, had lost the account records of up to 100,000 people.
This rapid stream of attack publicity is not new. It has always been like this, but because of strict reporting laws being enacted in a number of state legislatures like California, more and more companies and institutions are reporting the loss of personal accounts. Among the latest companies and institutions are: PayMaxx, health care heavyweight San Jose Medical Group, California State University at Chico, Boston College, and the University of California at Berkeley (Sullivan, 2006). These made the headlines, but many more do not.
Personal information has become so valuable that hackers, thieves, and some businesses are trading over legal lines to collect personal information. The recent disappearance of a small disk containing personal information on almost 4.5 million veterans and army personnel, including their social security numbers and even home addresses, has probably brought some needed awareness to the huge problem, which had not made it to a spot on the evening news previously. The rate at which new ways of information gathering, like pretexting, which is a remake of the old social engineering, are being developed is indicative of the value of personal information. Armed with this information, hackers and information thieves, or information brokers as they want to call themselves, use information like social security numbers to access bank accounts, illegally acquire houses, and use them to get mortgage credit lines. The possibilities for using personal information are endless.
Another threat that is characteristic of this period, again with a flavor of searching for personal information, is the growing problem of spyware. Spyware is not only threatening enterprise networks and small home-built networks, it is turning computers on these networks into spam-generating machines, which wreak havoc on home personal computers (PCs). Spyware is software for which no purchase or license is necessary. It is normally installed on a computer without knowledge or consent of the user. It has no set time to install or specified source from which to download. It installs on the user computer, without authorization, with the main mission of monitoring some of the information on the computer and making that information available to outside sources as needed. It may send the information once, periodically, or continuously for a long time.
Spyware is usually distributed through user Web site visits and file downloads. Following these Web site visits and casual downloads, malware, a more destructive form of spyware, is downloaded onto the user’s computer or server. Also, downloading free software, such as peer-to-peer file sharing
programs, screen savers, backgrounds, and media files, increases the chances of acquiring malware. Once deposited on a corporate computer, spyware starts to track keystrokes, scan hard drives, and change system and registry settings. Actions like these can lead to identity theft, data corruption, and even theft of a company’s trade secrets.
Based on the latest study, two-thirds of consumer computers are infected with spyware (Plante, 2006). Because they are widespread, they have become a huge security problem to system administrators and chief security officers (CSOs). They are a management problem and a security nightmare because they (Plante, 2006):
• Are a loss to network bandwidth due to unsolicited advertising traffic
• Overload the security and help-desk staff with the job of cleaning adware from all corporate computers
• Are keystroke logger/screen capture software that hides on a user computer and then records the user keystrokes and screenshots that later can be used to reconstruct a user session, which may lead to theft of personal confidential information, like passwords, social security numbers, and banking and other financial information
• May be hacking software, like password crackers and Trojan horses, that can unscrupulously be used to remotely enter the system
Spam is yet another menacing security problem to systems. Spam is unsolicited bulk e-mail. Unlike a penetration or a DDoS attack, which affect system security in a variety of ways, spam does not penetrate a system without authorization or deny system services to users. According to The Yankee Group, a Boston-based research and consulting firm, spam costs U.S. businesses $4 billion annually in lost productivity (Plante, 2006). Spam comes in the form of e-mails, hundreds or thousands of them, sent to a mail server. So many e-mails can become a problem in many ways, including clogging of networks and servers, so that other security threats can exploit the clogged server.
The fourth major problem that straddled the two periods is our dependence on information technology (IT). This dependence is unfortunately ever increasing, and our trust in the technology that seems to do wonders is total. We buy stocks online; we bank online; we keep all our personal records online. We routinely get our news online. Very few of us take a minute to question the
reliability and integrity of the online information we access and give. For the current dynamism of the digital information and electronic commerce (e-commerce) to survive, we need to have and maintain this trust. We must trust online information as we trust brick-and-mortar printed and broadcast information.
There are other problems, including those listed below, that have made the information age and cyberspace a replay of the old wild, wild West, and I discuss them more fully in Network Security and Cyber Ethics (2002).
• Network operating systems and software vulnerabilities
• Limited knowledge of users and system administrators: The limited knowledge computer users and system administrators have about computer network infrastructure and the working of its protocols does not help advance network security. Rather, it increases the dangers.
• Lack of planning: There is no clear plan, direction, or blueprint to guide the national efforts in finding a solution to information infrastructure problems.
• Complacent society: The public has yet to come to terms with the fact that cyberspace is dangerous and one ought to be cautious.
• Inadequate security mechanisms and solutions: The existing solutions are best practices and are not comprehensive enough; they are still technology or application specific. Also, they are so far not really solutions but patches.
• Poor reporting of computer crimes: The number of reported cyber crimes tracked by CERT, the FBI, and local enforcement authorities is low.
• Solution overload: There are just too many “solutions” and “best practices” to be fully trusted. It takes more time looking for a more effective solution.
Internationally, the picture is no better; in fact, it is worse in some aspects than it is in the United States, according to The Global State of Information Security 2005, a worldwide study by CIO, CSO, and PricewaterhouseCoopers (PwC) in the CSO Online Magazine (Berinato, 2005). In the report, the author compares the global information security picture to an escaped wildfire, where the firefighters are desperately trying to outflank the fire line and prevent flare-ups and firestorms. Just holding your ground is a victory. In the
third annual report, in which they surveyed more than 8,200 IT and security executives from 63 countries on six continents, the data shows disturbing patterns. It shows:
• A notable lack of focus on actions and strategies that could prevent these incidents in the first place
• A remarkable ambivalence among respondents about compliance with government regulations
• A clear lack of risk management discipline
• A continuing inability to create actionable security intelligence out of mountains of security data
For example, the survey reveals that just 37 percent of respondents reported that they had an information security strategy, and only 24 percent of the rest say that creating one is in the plans for next year.
The report also revealed that while the numbers on incidents, down time, and damages have remained steady, there is an increase in other numbers that are cause for alarm:
• The sharply rising number of respondents who report damages as “unknown”—up to 47 percent
• During the past year, could also contribute to the rising “unknown” group
• Increased sophistication and complexity of attacks, hitting more complex targets
Steps to Building Trust
Against this background, efforts need to be and are being taken to protect online data and information and enhance user trust of the information infrastructure. Such trust will create confidence in the information infrastructure, leading to enhanced privacy, security, reliability, and integrity of information, which forms the core of a secure information infrastructure. One way to accomplish this is by building a strong ethical framework for all users of the information infrastructure, developing tools and best practices to protect hardware and software products that make up the information infrastructure, and creating and enforcing a strong legal framework. Such approaches would involve measures, such as:
• Developing a culture-neutral and nonreligious value-based moral framework
• Developing effective security protocols, including security policies and models of security governance, assessment of the security threats, intrusion detection and prevention, and authentication and access control regimens
• Enacting legislation
• Providing self-regulation
• Developing an effective and enforceable legal framework that involves computer forensics
Without rm security controls and best practices like these, we will never
be able to secure the ever growing information infrastructure upon which all
societies and individuals have come to depend.
Conclusion
This is an introductory chapter in which we have defined both the information infrastructure and trust, and outlined the problems that cause users to fail to trust the information infrastructure. We also have discussed the need for users to trust the information infrastructure. Without this trust, the infrastructure cannot be secure. Finally, we have outlined the steps needed to build trust in the information infrastructure. In the remainder of the chapters, we are going to open a dialogue with the reader as we survey the landscape of possible solutions and best practices as we all strive to build an environment we can all trust.