Home > Articles > Security > General Security and Privacy

  • Print
  • + Share This
Like this article? We recommend

Four Horsemen of the Info-Apocalypse

Unfortunately, many businesses, organizations, and institutions are unaware of the dangers of cyberterrorism and the vulnerability of their computer systems. They therefore fail to take the necessary precautions that may help prevent or at least mitigate damages caused by cyberterrorist attacks. In effect, lax security in the private sector provides an open door to anyone knowledgeable enough to wreak havoc on our information infrastructure. Computer intrusions unfortunately don't announce their presence the way a bomb does.

And what are those dangers? There are four. Let's call them the four horsemen of the info-apocalypse:

  • Intelligence gathering
  • Systems damage
  • System hijacking
  • Disinformation

Cyberterroists use 12 different security lapses to achieve their objective of mass disruption. And this "dirty dozen" can force your business, organization, or institution, if unaware of the risks to your security, to become an unwitting collaborator with the enemy in this new form of 21st century warfare.

September 11 was a wake-up call to companies, organizations, and institutions everywhere. Top government officials, including U.S. Vice President Dick Cheney and Attorney General John Ashcroft, have expressed grave concerns about the security of our nation's government and corporate networks. There is no doubt in their minds that terrorists are going to do something in response to U.S. military actions in Afghanistan.

So the question is asked: As CEO, CIO, or other top executive of your organization, are you certain that your departments understand the threat and are prepared to rein in these four horsemen? If you're in doubt, read on, and bring this checklist of actionable items (based on the following sections) to your next senior management meeting. Find out whether your IT, security, and human resource personnel have put in place the necessary security precautions to protect you from becoming an unwitting collaborator with cyberterrorists.

Intelligence Gathering

This area includes three possible security lapses that allow for penetration of systems with the goal of stealing information or sensitive data. Just recently an MSNBC article reported that teenagers used a number of ruses to obtain information about Nvidia software products, including impersonating employees of Microsoft and other companies that are entitled to technical information about the company's products.

The key here is to get your organization, company, or institution on a wartime footing and control access to your building, personnel, and information systems.

1: Identity Impersonation and/or Identity Theft

You may think this is an obvious problem, but you'd be surprised how many organizations—businesses especially—fall down on this simple yet effective threat prevention.

Area of Concern

Person(s) or Group(s)

Question(s) to Ask

Notes/Rationale

Access controls

Physical Plant Security Manager

Are badges, ID cards and/or other verification methods required by security and other personnel before allowing building entry?

Personnel who are not carrying proper ID should be challenged internally.

Document controls

Human Resources

Are organizational phone books and contact/vendor lists restricted to the premises?

These documents should be treated as though they contain organizational secrets. Whenever possible, shred out-of-date paper documents that reveal information about company internal activity.

Information procedures

Human Resources

Are all inquiries via phone, email, or other correspondence method checked for authenticity?

No one should ever assume that someone is who they say they are. Inquiries should always be forwarded to appropriate personnel for handling. A paper audit trail should be kept and required for any information requested.


2: Spyware

Spyware is software that sits on your system and tries to be invisible while collecting as much information as possible to be sent offsite.

Area of Concern

Person(s) or Group(s)

Question(s) to Ask

Notes/Rationale

Scanning programs

IT Dept.

Are systems regularly scanned for viruses, Trojan horses, etc.?

Viruses and Trojan horses have become more sophisticated, so more aggressive checking is needed.

Firewall and intrusion-detection system

IT Dept.

Is the internal network protected by a firewall coupled with intrusion detection?

Watch all inbound and outbound traffic. Look for odd or new traffic patterns.

Third-party software audits

IT Dept.

Do you regularly audit third-party software to detect unauthorized programs?

Spy-Software.org offers a system for auditing software.


3: Internal Threats

This area is often overlooked by organizations, but employees can be a great source of information-gathering for unauthorized use.

Area of Concern

Person(s) or Group(s)

Question(s) to Ask

Notes/Rationale

Background checks

Human Resources

Are background checks performed on job applicants before they are hired? Are references checked carefully?

Current events show that false information on résumés is nothing new. If projects are of great importance, terrorists may be interested in getting jobs that will provide access to information via computer systems or grant access to unauthorized users' malicious programs.

Corporate intelligence organizations

Human Resources, executive staff

How do you address potential threats from corporate intelligence organizations?

Organizations like SCIP (Society of Competitive Intelligence Professionals) use a systematic program for gathering, analyzing, and managing information that can affect your company's plans, decisions, and operations - otherwise known as corporate espionage.

Disgruntled employees

IT Dept.

How are you preventing the possibility of damage done by employees?

Employees can modify or destroy data. Keep good long-term backups and have a disaster recovery plan in place.

Backdoor threats

IT Dept.

How are you addressing the possibility of malicious code or products created inside the organization?

Have an audit/review process in place for data, source code, security access and procedures, and so on.

Testing backups

IT Dept.

Is our backup data recoverable? Is recovery regularly tested to make sure that the backup data and the restoration system actually work (and work correctly)?

A malicious computer user can cause small corruptions in data that, if not regularly checked by restoring backups, will not be discovered until vital information is needed. Furthermore, it's important to know that in the event of a recovery, critical data will be available - and to know what special steps may be needed to restore that data.


Systems Damage

This area includes four possible security lapses that allow for the disruption or damage of data and your information infrastructure.

4: Breakdowns in the Human Firewall

People are the weakest link in a security plan. Proper training can prevent a majority of security lapses.

Area of Concern

Person(s) or Group(s)

Question(s) to Ask

Notes/Rationale

Inquiries

All personnel

Are all inquiries referred to a designated point of contact?

Don't voluntarily disclose any information.

Point of contact

Human Resources

Who is designated as the single point of contact for organizational questions?

Don't allow just anyone to talk about company business. The best intelligence gatherers know how to take what looks like uninteresting pieces of information and use them to get more, or tie them together to make a bigger picture.

Awareness

All personnel, especially Security

Are you always aware of who is working around you and whether he or she belongs in that area?

For example, the soda machine being refilled is no excuse for the person doing it to be wandering around different offices unescorted.


5: System/Browser Vulnerabilities

Bugs or other code flaws can allow an unauthorized user to execute arbitrary code.

Area of Concern

Person(s) or Group(s)

Question(s) to Ask

Notes/Rationale

Bounds checking and code reviews

IT Dept.

Are you vigilant in checking bounds and reviewing code?

Don't let speed override good programming practices. Take the time to do periodic case reviews for security and to make sure that nothing was "slipped in."

System patches

IT Dept.

Do you keep system patches to current levels?

Every reputable vendor publishes patches to keep applications and other programs current. Keep track of vendor alerts and apply patches in a reasonable period of time and in a consistent fashion.

Alternative heterogeneous applications or platforms

IT Dept.

How can we use alternative applications (Eudora, Opera) or platforms (Mac, Linux, BSD) to prevent system infection?

Using non-mainstream applications and platforms makes system infection more difficult.

Filtering executable attachments

IT Dept.

Are executable attachments filtered from incoming and outgoing email?

If it's vital that programs be sent via email, nothing that can be executed as a program should be sent through email without being examined on a "sandbox" system that can contain an outbreak.

Educating users

IT Dept.

How are you educating users to keep them from opening unexpected or unverified attachments?

Show users what can happen. Do demonstrations and hold regular updates. To prevent hoaxes from spreading, don't let users propagate this information on their own.


6: Wireless Insecurity

Wireless networks are bring installed by organizations at a rapid rate, opening their networks to "drive-by hacking."

Area of Concern

Person(s) or Group(s)

Question(s) to Ask

Notes/Rationale

Media access control (MAC) addresses

IT Dept.

Does our system use MAC addresses?

It's very easy to change a MAC address on a system to gain entry.

Wired Equivalent Privacy (WEP)

IT Dept.

Does our system use WEP to protect data?

Don't rely on WEP to protect data; it's open to compromise.

Default configs

IT Dept.

Does our system use default configuration files?

Change the default SSID to something that's difficult to guess.

Strong user authentication

IT Dept.

Does our system employ strong user authentication?

Implement an authentication system that mandates that computers and users be authenticated before they can use wireless resources.

Virtual private network (VPN) technology

IT Dept.

Can we use VPN technology to secure data sent over wireless links?

Encrypted data is very difficult to get to and enhances overall security in a wireless environment.

Wireless LANs

IT Dept.

How are you monitoring wireless LANs for hijackers?

Use tools to make sure that only authenticated users and authorized systems are on your wireless network. Audit as needed.

Wireless deployment in a DMZ (demilitarized zone)

IT Dept.

Are our wireless setups deployed in a DMZ or behind a proxy/filtering firewall?

Keep wireless traffic where it can be controlled safely, away from sensitive systems or the wired LAN.


7: Denial-of-Service (DoS) Attacks

These attacks are becoming more and more sophisticated, and in some cases initiated as a side effect of some other attack.

Area of Concern

Person(s) or Group(s)

Question(s) to Ask

Notes/Rationale

Filtering RFC 1918 addresses

IT Dept.

Are RFC 1918 addresses filtered both inbound and outbound?

These addresses are known non-routable addresses on the Net, meaning that if used in an attack they're untraceable.

Spoofed addresses

IT Dept.

Are spoofed addresses prevented from leaving our network?

Use documented best practices to keep RFC 1918 and smurf attacks from being able to leave through the edge routers of your LAN or WAN.

Monitor bandwidth

IT Dept.

Are you watching for spikes or high loads?

Unauthorized transfers usually show up as unexplained high bandwidth use during off-peak hours.

Scan internal hosts and devices

IT Dept.

Are you scanning regularly for any compromises or security breaches?

Use available tools and check to make sure that systems on your LAN belong there and have not been compromised by known exploits.


System Hijacking

In this area, three possible security lapses allow the use of established communications vehicles for clandestine operatives to secretly communicate with others.

8: Steganography

Steganography is the art and science of hiding the fact that communication is happening. It involves hiding messages inside text, images, sounds, or other binary files for clandestine communications.

Area of Concern

Person(s) or Group(s)

Question(s) to Ask

Notes/Rationale

Unauthorized software

IT Dept.

Do you regularly check for unauthorized software on organizational computers?

Use tools to control user level access and prevent software from being installed without administrator permission.

Newsgroups and web sites

IT Dept.

Do you regularly check newsgroups and web sites for comments made about us - both good and bad?

Many mailing lists and Internet information sites can raise awareness by matching activities of crackers directly and learning what they are doing in real-time.

Inbound and outbound email

IT Dept.

Are both inbound and outbound email scanned for unusual contents such as MP3 files, PIC files, and so on?

Email is the one tool that can easily pass through firewalls. All data coming in and leaving should be checked to make sure it's safe before being passed on to the user.


9: Tunneling

Tunneling allows communication in an environment where communication may not be possible due to firewalls or proxies that limit traffic. Many networks assume that having a firewall or proxy server prevents internal users from going to unauthorized sites or passing internal data to the outside world. That's a bad assumption. For example, an application called HTTP-Tunnel allows people behind a firewall (which allows only web surfing) to use any Internet application. HTTP-Tunnel runs as a SOCKS server or via port mapping and can tunnel both TCP and UDP.

Area of Concern

Person(s) or Group(s)

Question(s) to Ask

Notes/Rationale

Corporate espionage

IT Dept.

Do you regularly review logs and traffic passing through proxies or firewalls that are not work-related?

Theft of company secrets will continue to grow with international competition and tighter R&D budgets.

Bypassing corporate security policies

IT Dept.

Have you set limits and policies on which ports are acceptable to access?

Keep honest people honest; allow access only to the ports inside and outside your system that people really need to do their work. Publish these regularly and make it policy to regularly update employees on what they are allowed or not allowed to do.

Productivity and espionage

IT Dept.

How are you checking for unauthorized VPN traffic originating from inside our LAN?

If someone is stealing information or making unauthorized entries, a virtual private network (VPN) is one way to mask this activity. All VPN technologies use well-known ports, so look for activity that doesn't belong.


10: Worms, Trojan Horses, and Viruses

These attacks are becoming more prevalent and much more sophisticated. Next-generation worms, Trojan horses, and viruses will be more intelligent and attack through multiple methods of distribution.

Area of Concern

Person(s) or Group(s)

Question(s) to Ask

Notes/Rationale

Unauthorized software

IT Dept.

Do you regularly check for unauthorized software on organizational computers?

Use tools to control user level access and prevent software from being installed without administrator permission.

Anti-virus software updates

IT Dept.

Are anti-virus software updates installed in a timely manner?

Make it a point to keep updates as automatic as possible or on a daily schedule to get the latest protection available.

Alternative heterogeneous applications or platforms

IT Dept.

How can we use alternative applications (Eudora, Opera) or platforms (Mac, Linux, BSD) to prevent system infection?

Using non-mainstream applications and platforms makes system infection more difficult.

Educating users

IT Dept.

How are you educating users about how malicious programs propagate and how to prevent infection?

Publish all policies and procedures and make users acknowledge them. Keep a FAQ and encourage questions by letting question authors be anonymous.

Proxy/firewall filters

IT Dept.

Are you using filters to find malicious programs and their signatures coming into or leaving the LAN?

Check inside the firewall as aggressively as when checking at the firewall.


Disinformation

This area includes two possible security lapses that allow for the dissemination of propaganda such as the following:

  • Spreading false rumors electronically that are picked up by the media as true

  • Cracking into news servers to plant false or misleading stories

  • Entering false or misleading information in databases, thus undermining the effectiveness of organizations relying on that information

11: DNS Poisoning and Domain Hijacking

DNS poisoning is convincing a name server that a domain has a different IP address. Domain hijacking involves stealing a domain at the registrar level.

Area of Concern

Person(s) or Group(s)

Question(s) to Ask

Notes/Rationale

DNS servers

IT Dept.

Are our DNS servers secure? Do we require our DNS peers to secure their servers?

Use the latest security features of DNS and use best practices for safe deployments both inside and outside the firewall.

Passwords

IT Dept.

Do we require passwords for domain registration and changes?

Password-protect domain name information at registrars to prevent the domain from being redirected to another site or stolen.

Domain changes

IT Dept.

Can domain changes be made via email?

Email can be forged. Require an SSL-encrypted web page or PGP signed and encrypted email for all changes to domain information.

Authorized DNS zone transfers

IT Dept.

Are authorized DNS zone transfers required to prevent revealing names and IP addresses of our systems?

Viewing DNS is the first step to locating the weakest link on a LAN. Only allow DNS information to be visible to those who need to see it. Don't allow zone transfers to reveal what may be private areas of your LAN.


12: Changing Web Site Contents

Web site defacement is widespread and has evolved to being used as a method of distributing propaganda, rumors, and misinformation (as opposed to just plain vandalism).

Area of Concern

Person(s) or Group(s)

Question(s) to Ask

Notes/Rationale

Staging servers

IT Dept.

Are staging servers used to update site content?

Production servers should be read-only. This provides two security benefits:

a) There is a live copy of production data on staging servers for fast recovery.

b) Having production servers that are read-only makes them very difficult to crack or modify.

User authentication

IT Dept.

Is user authentication mandated for access to sensitive data?

Single sign-on simplifies tracking users and makes it easier for them to remember one username and password for all their access.

Software patches and security policies

IT Dept.

Do you maintain software patches and security policies on web servers?

Verify that web servers are secured by best practices and regularly review them to make sure that they match the security policy as it evolves (or as best practices evolve) to keep systems secure.

Hardened DMZ

IT Dept.

Are web servers kept in a hardened demilitarized zone with intrusion detection outside the firewall?

With this setup, if your web servers are compromised, that's as far as the intruder can get.

Code reviews

IT Dept.

Do you conduct regular code reviews to prevent common exploits such as buffer overflows from exposing the servers?

Buffer overflows or "stack smashing" has been around for a very long time. Good programming practices need to be passed on to junior programmers and practiced by all.

Separate database and application servers from web servers

IT Dept.

Are database or application servers and web servers kept separate unless on a machine that's designed for this purpose?

For example, AS400s or mainframes.


It's our government's job to concentrate on our nation's critical infrastructure and not overstep its bounds by trying to impose rules on the private sector. But the necessary protections need to have buy-in from your company, organization, or institution to succeed.

The immediate threat may be low, but the long-term threat is high. To quote Charles Neal, Vice-President of Cyberterrorism Detection and Response at Exodus Communications (and a former FBI agent), "It's coming."

  • + Share This
  • 🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020