<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Global Knowledge Training Blog &#187; Malware</title>
	<atom:link href="http://globalknowledgeblog.com/category/technology/security/malware-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://globalknowledgeblog.com</link>
	<description>Your Source for Technical, Professional, &#38; Leadership Training</description>
	<lastBuildDate>Thu, 17 May 2012 17:34:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Are You Interested in IT Security?</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/are-you-interested-in-it-security/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/are-you-interested-in-it-security/#comments</comments>
		<pubDate>Wed, 25 Apr 2012 12:13:41 +0000</pubDate>
		<dc:creator>Michael Gregg</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[IT security]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5636</guid>
		<description><![CDATA[If you are interested in IT security, now is a good time to consider a career move.  According to the 2011 Information Security and Data Privacy Staffing Survey, which polled 190 organizations in 34 countries, IT security staffing budgets are expected to rise 14% next year. That is good news for those involved in IT security and individuals in the InfoSec field. This increase in funding could not come at a better time. ]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2011/08/badgesecurity86056.jpg"><img class="alignright size-thumbnail wp-image-4278" title="badgesecurity86056" src="http://globalknowledgeblog.com/wp-content/uploads/2011/08/badgesecurity86056-150x150.jpg" alt="" width="150" height="150" /></a>If you are interested in IT security, now is a good time to consider a career move.  According to the <a href="http://www.prweb.com/releases/security-policy/2012/prweb9347575.htm" target="_blank">2011 Information Security and Data Privacy Staffing Survey</a>, which polled 190 organizations in 34 countries, IT security staffing budgets are expected to rise 14% next year. That is good news for those involved in IT security and individuals in the InfoSec field. This increase in funding could not come at a better time. </p>
<p>Earlier this year at the RSA conference, RSA chief Arthur Coviello stated that, “never have the attacks been as targeted, with the aim of breaching one organization as a stepping stone to breaching others.” The last few years have seen a real increase in the rate and magnitude of cyber attacks. While there are several bills in congress slated to address cyber security, there is still much more work to be done. Most of this work will be done by employees and contractors.</p>
<p>If you are interested in making the move to IT security, the best way to start is to increase your security skill set. This can include classroom training, college classes, and reading online security sites and blogs. Some of the areas that I would expect to see growth in include hands-on technical skills, security management practices, risk management, applications development, and cloud security.</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/are-you-interested-in-it-security/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Security Competencies: What They Are and Why We Need Them</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/security-competencies-what-they-are-why-we-need-them/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/security-competencies-what-they-are-why-we-need-them/#comments</comments>
		<pubDate>Mon, 23 Apr 2012 12:18:32 +0000</pubDate>
		<dc:creator>James Michael Stewart</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[asset protection]]></category>
		<category><![CDATA[security competencies]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5624</guid>
		<description><![CDATA[Technology is changing rapidly. New tools for managing information, providing remote access, and calculating data analytics are being deployed at a feverish pace. Meanwhile, skillful exploits and attacks are being perfected and launched by hacktivists and criminals from across the globe. The ability for an organization to reach out to a world-wide market base has never been so effortless, but at the same time the risks from doing so have never been greater.]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2011/08/handcuffssecuritySS37041.jpg"><img class="alignright size-full wp-image-4309" title="handcuffssecuritySS37041" src="http://globalknowledgeblog.com/wp-content/uploads/2011/08/handcuffssecuritySS37041.jpg" alt="" width="300" height="300" /></a>Technology is rapidly changing. New tools for managing information, providing remote access, and calculating data analytics are being deployed at a feverish pace. Meanwhile, skillful exploits and attacks are being perfected and launched by hacktivists and criminals from across the globe. The ability for an organization to reach out to a world-wide market base has never been so effortless, but at the same time the risks from doing so have never been greater.</p>
<p>Increasingly, the Internet interconnects individuals and businesses, which also grants unfettered access to criminals and those who wish to abuse these systems. “Cyber threats” define the attacks that compromise computers, networks, data sets, and/or their communications. “Cyber attacks” can reach a target from local sources (i.e., already on your network) or from across a wide area network link (i.e., the Internet). A compromise of IT infrastructure, communications, or data stores can result in serious economic and financial losses. Additionally, security breaches can lead to privacy violations, negative publicity, a depletion of public trust, a reduction of consumer confidence, and loss of market share. Security compromises can cause a violation of regulations, place the organization at risk of losing its license to operate, cause bankruptcy, and potentially trigger criminal or civil penalties for the organization and its officers.</p>
<p>Organizations must take the threat and risk of computer hacking seriously. A well-trained and prepared cyber workforce is imperative. All personnel in the organization, from the C-level executives to new interns, require cyber-awareness. All organizations benefit from having some personnel trained as cyber warriors. A well-prepared organization is able to build sufficient defenses to ward off most attacks, tune detection systems to discover attempted attacks, and respond to compromises promptly in order to contain and eradicate the violation. The best defense starts with information, knowledge, and education. You need the right people with the right skills and expertise to counter the ever-present onslaught of cyber threats and attacks. Six main security disciplines and their corresponding competencies include:</p>
<ul>
<li>Asset Protection</li>
<li>Threat Management</li>
<li>Access Control</li>
<li>Incident Management</li>
<li>Configuration Management</li>
<li>Contingency Planning</li>
</ul>
<p>Continuing next week, this seven-part series will teach you to use and understand each of these disciplines to better protect you and your company.</p>
<p><strong>Related Courses</strong><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=13526&amp;catid=191&amp;country=United+States" target="_blank">Cybersecurity Foundations</a><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16261&amp;catid=191&amp;country=United+States" target="_blank">Security+ Prep Course</a><br /> <a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=15870&amp;catid=191&amp;country=United+States" target="_blank">Certified Ethical Hacker v7</a></p>
 <div class="series_links"> </div><div class="series_toc"><h3>Security Competencies Series</h3><ul><li>Security Competencies: What They Are and Why We Need Them</li><li><a href="http://globalknowledgeblog.com/technology/security/hacking-cybercrime/asset-protection-what-do-you-have/" title="Asset Protection: What Do You Have?">Asset Protection: What Do You Have?</a></li><li><a href="http://globalknowledgeblog.com/technology/security/hacking-cybercrime/threat-management-whats-coming-at-you/" title="Threat Management: What’s Coming at You?">Threat Management: What’s Coming at You?</a></li><li><a href="http://globalknowledgeblog.com/technology/security/hacking-cybercrime/access-control-who-gets-in/" title="Access Control: Who Gets In?">Access Control: Who Gets In?</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/security-competencies-what-they-are-why-we-need-them/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BeEF: The Browser Exploit Framework</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/beef-the-browser-exploit-framework/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/beef-the-browser-exploit-framework/#comments</comments>
		<pubDate>Thu, 12 Apr 2012 12:14:52 +0000</pubDate>
		<dc:creator>Michael Gregg</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[BeEF]]></category>
		<category><![CDATA[browser exploit framework]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5594</guid>
		<description><![CDATA[While many security professionals have used the Metasploit Framework, there is another exploit framework that you should review. It is known as BeEF. BeEF is a powerful exploit framework that is focused on leveraging browser vulnerabilities to assess the security posture of a target. Just as many penetration testers use proxies such as Burp and Paros, BeEF takes this a step further by directly targeting the browser.]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2012/04/troubleshooting23437213.jpg"><img class="alignright size-full wp-image-5569" title="troubleshooting23437213" src="http://globalknowledgeblog.com/wp-content/uploads/2012/04/troubleshooting23437213.jpg" alt="" width="300" height="300" /></a>While many security professionals have used the Metasploit Framework, there is another exploit framework that you should review. It is known as BeEF. BeEF is a powerful exploit framework that is focused on leveraging browser vulnerabilities to assess the security posture of a target. Just as many penetration testers use proxies such as Burp and Paros, BeEF takes this a step further by directly targeting the browser.</p>
<p>You can think of browser exploitation as a method of taking advantage of vulnerabilities in the browser software to modify specific settings without the knowledge of the end user. The BeEF exploit framework allows penetration testers to select specific modules to target each browser in a one-two-three approach. First, a target is selected. After selecting a target, the user can load a specific module used for attack. The ‘Load Modules’ area shows what modules are available for use and, once selected, allows the code to be sent to the targeted browser. Once the module is loaded, the vulnerability can be exploited.</p>
<p>As an example, one module is used to target the way Apple computers insecurely handle URL schemes when initiating a Skype outbound call. If successful, BeEF will initiate a Skype call without the end user’s permission. While this is just one example of BeEF, it demonstrates the power of the tool and how it can be used by security professionals and penetration testers to test for client side vulnerabilities. Other modules include browser overflows, cross site scripting, keylogging, and clipboard theft.</p>
<p>I hope you will consider checking out this great piece of software. You can learn more by <a href="http://beefproject.com/">visiting the project page</a> or by <a href="https://github.com/beefproject/beef/wiki">reviewing the wiki</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/beef-the-browser-exploit-framework/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Topics on Security+ 2011 (SY0-301) from Domains 4.0–6.0</title>
		<link>http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-4-0-6-0/</link>
		<comments>http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-4-0-6-0/#comments</comments>
		<pubDate>Wed, 04 Apr 2012 16:56:11 +0000</pubDate>
		<dc:creator>James Michael Stewart</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[CompTIA]]></category>
		<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Security +]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5547</guid>
		<description><![CDATA[Fuzzing is a testing method that uses a brute force technique to send data to software or hardware inputs and then notice the response or reaction. The purpose is to discover programming or design flaws that need fixing or which can be exploited. Both security professionals and hackers use fuzzing tools. These tools can operate autonomously to craft random or sequential input data sets in order to stress test a target.]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2012/04/5651886014.jpg"><img src="http://globalknowledgeblog.com/wp-content/uploads/2012/04/5651886014.jpg" alt="" title="5651886014" width="300" height="300" class="alignright size-full wp-image-5574" /></a>Reprinted from <a href="http://www.globalknowledge.com/training/whitepaperdetail.asp?pageid=502&amp;wpid=954&amp;country=United+States" target="_blank">Global Knowledge: New Topics on Security+ 2011 (SY0-301) from Domains 2.0–6.0</a></p>
<h3>Domain 4.0 Application, Data and Host Security</h3>
<h4>1. Fuzzing (4.1)</h4>
<p>Fuzzing is a testing method that uses a brute force technique to send data to software or hardware inputs and then notice the response or reaction. The purpose is to discover programming or design flaws that need fixing or which can be exploited. Both security professionals and hackers use fuzzing tools. These tools can operate autonomously to craft random or sequential input data sets in order to stress test a target.</p>
<h4>2. Cross-site Request Forgery (XSRF) prevention (4.1)</h4>
<p>Cross-site Request Forgery (XSRF) is an attack that takes advantage of a Web server’s trust in an authenticated client. Usually attacks of this type wait until a valid client authenticates to a server before launching and making command requests to the server as if it were the client. The flaw is the server assuming that an authenticated client will only make valid and reasonable requests. This is a bad assumption. Prevention of XSRF must take place at both the client and server. Clients should avoid risky behavior to prevent malware infection and run current anti-malware scanners. Servers should limit the abilities or functions clients can access and re-request authentication when a sensitive action is requested.</p>
<h4>3. Cable locks (4.2)</h4>
<p>Cable locks are an important part of portable device physical security. A cable lock is used to secure a notebook or other device to a less mobile object (preferably an immovable one) using a looping cable along with a lock that connects into a K-slot on the device. Cable locks are not insurmountable; a good set of wire cutters or an adept lock-pick may be able to bypass the protection. However, the presence of a cable lock mandates additional effort in a theft attack, thus reducing the attack’s success rate.</p>
<h4>4. Mobile Devices (4.2)</h4>
<p>There are several mobile device specifics on the objectives list, including screen lock, strong password, device encryption, remote wipe/sanitation, voice encryption, and GPS tracking. Most of these are standard security issues on desktops and notebooks. Smartphones are somewhat more vulnerable to remote wiping and GPS tracking. Often, these services must be installed and configured prior to a loss or theft event.</p>
<h4>5. Data Loss Prevention (DLP) (4.3)</h4>
<p>Data Loss Prevention (DLP) is the set of plans and policies focused on preventing data from being disclosed to unauthorized entities, especially outsiders and hackers. Most of the efforts related to data access, encryption, tracking, and confidentiality protection are part of the DLP solution. Showing sufficient DLP is also an important part of regulation compliance.</p>
<h3>Domain 5.0 Access Control and Identity Management</h3>
<h4>1. Common Access Card (5.2)</h4>
<p>The Common Access Card (CAC) has been commonly used by the government and military of the USA since the early 2000s; however, CACs are found in many private companies as well. The CAC is a smart card commonly used to control physical and logical access into a secured environment. It often consists of a photo ID, smart card technologies, and proximity mechanisms (such as RFID).</p>
<h4>2. Personal identification verification card (5.2)</h4>
<p>A personal identification verification (PIV) card is a more generic form of a CAC. It is any form of ID card that can be used to confirm or check someone’s identity. A PIV could refer to a driver’s license, an access badge, a photo ID, a visitor’s badge, etc.</p>
<h3>Domain 6.0 Cryptography</h3>
<h4>1. Miscellaneous Cryptography Items (6.0)</h4>
<p>This domain contains several new topics not included on the previous exam. The topics are not new to the IT security realm, as they are standard elements of most cryptography discussions. They include: block vs. stream, transport encryption, WEP vs. WPA/WPA2 and pre-shared key, RIPEMD, HMAC, RC4, Blowfish, whole disk encryption, Twofish, SSL, TLS, IPSec, SSH, HTTPS, and PKI.</p>
<h3>Conclusion</h3>
<p>The descriptions and definitions of some of the new Security+ topics listed here are designed to pique your interest. This is not an exhaustive coverage of these issues, but they point to a larger discussion of security topics that require greater context.</p>
<p><strong>Related Courses</strong></p>
<p><a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16261&amp;country=United+States">Security+ Prep Course (SYO-301)</a><br />
<a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16259&amp;country=United+States">Security+ Certification Boot Camp (SYO-301)</a></p>
 <div class="series_links"> </div><div class="series_toc"><h3>New Topics on Security+ Series</h3><ul><li><a href="http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-2-0-3-0/" title="New Topics on Security+ 2011 (SY0-301) from Domains 2.0–3.0">New Topics on Security+ 2011 (SY0-301) from Domains 2.0–3.0</a></li><li>New Topics on Security+ 2011 (SY0-301) from Domains 4.0–6.0</li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-4-0-6-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Topics on Security+ 2011 (SY0-301) from Domains 2.0–3.0</title>
		<link>http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-2-0-3-0/</link>
		<comments>http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-2-0-3-0/#comments</comments>
		<pubDate>Wed, 28 Mar 2012 17:49:37 +0000</pubDate>
		<dc:creator>James Michael Stewart</dc:creator>
				<category><![CDATA[Certification]]></category>
		<category><![CDATA[CompTIA]]></category>
		<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Security+]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5545</guid>
		<description><![CDATA[In early summer of 2011, the latest version SY0-301 was released. This revamped exam focuses more on risk, operational security, and mobile device security. It also clearly emphasizes security in three main areas: application, data, and host. In your efforts to prepare for SY0-301, it would be a good idea to pay special attention to the new topics and issues added for this latest revision.]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2011/10/ladybooksstudy31130SBSRGB75.jpg"><img class="alignright size-full wp-image-4783" title="ladybooksstudy31130SBSRGB75" src="http://globalknowledgeblog.com/wp-content/uploads/2011/10/ladybooksstudy31130SBSRGB75.jpg" alt="" width="300" height="300" /></a>Reprinted from <a href="http://www.globalknowledge.com/training/whitepaperdetail.asp?pageid=502&amp;wpid=954&amp;country=United+States" target="_blank">Global Knowledge: New Topics on Security+ 2011 (SY0-301) from Domains 2.0–6.0</a></p>
<p>In early summer of 2011, the latest version SY0-301 was released. This revamped exam focuses more on risk, operational security, and mobile device security. It also clearly emphasizes security in three main areas: application, data, and host. In your efforts to prepare for SY0-301, it would be a good idea to pay special attention to the new topics and issues added for this latest revision.</p>
<p>This series of posts focuses on some of the new topics, terms, and issues added to the SY0-301 Security+ 2011 exam in domains 2.0–6.0. These domains include:</p>
<ul>
<li>2.0 Compliance and Operational Security</li>
<li>3.0 Threats and Vulnerabilities</li>
<li>4.0 Application, Data and Host Security</li>
<li>5.0 Access Control and Identity Management</li>
<li>6.0 Cryptography</li>
</ul>
<p>For the discussion of the new topics in Domain 1.0, please review the white paper <a href="http://www.globalknowledge.com/training/whitepaperdetail.asp?pageid=502&amp;wpid=907&amp;country=United+States">Ten New Topics on Security+ 2011 (SY0-301) from Domain 1.0</a>. (Note: The number in parentheses after each topic is the official objective sub-domain reference as defined by CompTIA for SY0-301. Please visit <a href="http://www.comptia.org/home.aspx" target="_blank">www.comptia.org</a> for a complete accounting of the objectives.)</p>
<h3>Domain 2.0 – Compliance and Operational Security</h3>
<h4>1. Annualized Loss Expectancy (2.1)</h4>
<p>Annualized Loss Expectancy (ALE) is one of the many calculated values crafted as part of a risk assessment process. ALEs have long been a staple concept for those pursuing CISSP, but their new addition to the Security+ content reveals a new focus on risk management rather than just a cursory nod. The ALE is calculated using three values: asset value (AV), exposure factor (EF), and annualized rate of occurrence (ARO). The AV is an assigned dollar number representing the importance or value of an asset to an organization. The EF is the percentage of loss that may be experienced if a specific threat is realized. The ARO is a prediction of how many times the threat is likely to be realized in the next year. AV x EF x ARO = ALE. Once an ALE has been calculated for each pairing of asset and threat, the largest ALE points to the most significant risk to the organization and should be addressed first in the security response.</p>
<h4>2. Quantitative vs. Qualitative (2.1)</h4>
<p>Risk assessment is performed using a hybrid approach, a combination of a quantitative and a qualitative assessment of risk. A quantitative approach uses mathematical calculations to prioritize security response. A qualitative approach processes the subjective perspectives of various personnel on the state or status of security and risk. It is important to use a hybrid approach for risk assessment because performing only quantitative or qualitative assessments will produce a skewed view of the true state of risk.</p>
<h4>3. Risks associated to Cloud Computing and Virtualization (2.1)</h4>
<p>Virtualization was a topic in the previous exam, but cloud computing is a new addition. This objective focuses on the risks related to these technologies. Virtualization is the concept of hosting multiple operating systems (and/or their various applications) on a single set of computer hardware. Cloud computing expands on this by taking advantage of Internet (public) or private online services, which can include software, platform, or infrastructure as a service. The risks associated with cloud computing and virtualization include:</p>
<ul>
<li>Reduced control due to data being located outside the physical premise</li>
<li>Difficulty of maintaining regulation compliance</li>
<li>Lack of security training and implementation at the cloud service organization</li>
<li>Potential geographic storage location issue (within your country or spread across multiple countries)</li>
<li>Legal implications in the event of disclosure or breach in terms of jurisdiction</li>
<li>Method/type of encryption and who possesses the encryption keys</li>
<li>In the event of a search warrant, can the cloud service organization turn over your data in plaintext?</li>
<li>Speed of recovery/restoration</li>
</ul>
<h4>4. Basic forensic procedures (2.3)</h4>
<p>Basic forensic procedures were included in the previous list of exam objectives, but the new objectives list nine new specific sub-objectives: order of volatility, capture system image, network traffic and logs, capture video, record time offset, take hashes, screenshots, witnesses, and track man hours and expense. Each of these new sub-objectives is fairly straightforward and self-explanatory, especially if you have a basic understanding of computer forensics (i.e., digital evidence collection and processing). For the exam, focus on understanding each of these topics on a more in-depth level since they were named specifically on the new objectives list.</p>
<h4>5. Personally Identifiable Information (2.4)</h4>
<p>Personally identifiable information (PII) is any information that can be linked back to an individual person. This could be because a reference or identification is included with the information or because the information alone points to an individual. For example, the fact that someone has a favorite flavor of ice cream, such as mint chocolate chip, is not PII, unless it is on a document indicating who that person is (such as Michael). However, if the information is a phone number, e-mail, mailing address, social security number, employee ID, driver’s license number, license plate, etc., this information is PII in itself, as it directly points back to an individual (or nearly so). PII protection is of utmost importance as information is being gathered at an alarming rate, and often we are giving away this information without even realizing it. It may be years before we fully understand the ramifications of being so open about ourselves on social networks and smart phone apps. Will your PII be harvested and used against you one day?</p>
<h4>6. Clean desk policies (2.4)</h4>
<p>A clean desk policy indicates that workers need to secure all materials on their computers and physical workspaces before they end their work shift. A worker should save their work, transfer files to proper locations, potentially make backups, then log out of their computer terminal. A worker should also collect and file away all paperwork from their work surface. All paperwork of any sensitive value must be secured in a locked drawer or office safe. The purpose of a clean desk policy is to reduce the risk of information theft, loss, or disclosure.</p>
<h4>7. Zero day exploits (2.5)</h4>
<p>Zero day exploits are new malicious attacks that have been recently released by malicious attackers. Generally, the term refers to any attack or exploit for which there is no specific or direct countermeasure or safeguard. It is called a “zero day exploit” because a victim has zero notice of the attack being imminent. Since it is a new and, therefore, unknown attack, there are no countermeasures; security solutions are unable to detect or respond to the new threat. Thus, this term can be used to describe attacks that may be days, weeks, or even months old if there is no specific defense against it. Once discovered and a protection or countermeasure exists, such a threat ceases to be a zero day exploit.</p>
<h4>8. Succession planning (2.5)</h4>
<p>Succession planning is the pre-determination of the next-in-line for key leadership positions within an organization. People in an organization’s top C-level hierarchy can make or break an organization. Failing to have responsible leadership can be the downfall of any organization. Since life can be chaotic, it is important to plan for the worst with a line-up of successors to any key positions. Those selected as leadership alternatives can be trained and groomed so as to be ready to take over in the event of a top position becoming vacant.</p>
<h4>9. Hot and cold aisles (2.6)</h4>
<p>Hot and cold aisles is a data center or computer vault air management concept. If a data center is designed so the banks of computers, servers, etc., are lined up like parallel walls or aisles, then, by alternating cold air input and hot air extraction, an otherwise difficult-to-manage situation becomes quite easy. Keeping high-end computing equipment cool is key to high-performance and long-term reliability. Allowing overheating will result in expensive downtime. This air management concept is both simple in design and effective in execution.</p>
<h3>Domain 3.0 Threats and Vulnerabilities</h3>
<h4>1. Smurf attack (3.2)</h4>
<p>The Smurf attack has been a staple example of DDoS (Distributed Denial of Service) for well over a decade. It is a predecessor to the modern botnet concept. Smurf uses ICMP Type 0 echo request packets to initiate a flood of responses to a victim. This is accomplished by spoofing the source address of the ICMP echo request as the victim’s address and then setting the destination address to several different directed broadcast addresses of vulnerable networks (a.k.a. amplification networks). The amplification networks effectively multiply the inbound requests by the number of members of their network. Then, each of the network members sends back an ICMP Type 8 echo reply to the victim. This can cause so much traffic to the victim that they are cut off from the network. Generally, the Smurf attack is ineffective today, since ICMP and inbound directed broadcasts are often blocked on network borders.</p>
<h4>2. Spam over Instant Messaging (3.2)</h4>
<p>Spam over Instant Messaging (SPIM) is another cute term to refer to unwanted and/or unsolicited messages appearing in any form of instant messaging or chatting service, which can include mobile device texting (i.e., SMS). SPIM is yet another way of wasting your time and money (if you are not on an unlimited data plan) just so advertising and malicious content can reach you. Similarly, SPAM over Internet Telephony (SPIT), which is SPAM over VoIP services such as Vonage, Skype, or Google Video Chat, is also a time and money waster for the consumer.</p>
<h4>3. Vishing (3.2, 3.3)</h4>
<p>Vishing, or VoIP Phishing, is using VoIP services to support phishing attacks. A VoIP service can often falsify its caller ID, fooling you into believing that an inbound call is from someone you might know or trust, even though it is actually a call from an attacker. It is important to be extra cautious when giving up personal information over the phone. Mainly, if you are asked to give up information instead of confirming it (for example, they tell you the personal data, like your account number, and you confirm that they are correct), then you need to hang up and call the claimed organization/person on a known trusted line.</p>
<h4>4. Xmas attack (3.2)</h4>
<p>The Xmas attack is not actually an attack; instead, it is one of the many variants of port scanning. Its name is derived from one of the earliest forms of this port scan where every other flag in the TCP header flag byte was alternated as a 0 or 1. This is said to represent the alternating flashing lights of a Christmas (or Xmas) tree. A basic firewall is usually sufficient to render Xmas scans/attacks, as well as most other port scanning variations, worthless. However, it is important to remember that port scans using the TCP Full Connect or Half Connect methods are always successful at determining open ports. Otherwise, legitimate connections would be refused as well.</p>
<h4>5. Pharming (3.2)</h4>
<p>Pharming is maliciously stealing someone’s traffic. Commonly this is done against Web sites through an attack on DNS. The attack can be local or global. A local attack would only affect visitors from a specific subnet, company network, or maybe a small ISP. A global attack would affect anyone on the Internet attempting to resolve the correct domain name by returning a false IP address. In any case, the pharming attack results in victims being sent to an alternative location, often presenting a false or spoofed version of the original Web site in order to steal sales, perform phishing, or attempt identity theft.</p>
<h4>6. Tailgating (3.3)</h4>
<p>Tailgating is the act of gaining access to a secured location by taking advantage of someone else’s valid credentials in such a way that the owner of the valid credentials is unaware that an attack just took place. This is often easiest to understand with a scenario: a worker approaches a secure door and uses his smart card to unlock the door. After the worker enters, an attacker sneaks up and grabs the door just before it closes, slips in unnoticed, and allows the door to close. Tailgating can be reduced by having workers ensure a door closes and re-locks before they leave it, positioning security guards at each entrance, and installing man-traps.</p>
<h4>7. Whaling (3.3)</h4>
<p>Whaling is a form of phishing aimed at a specific individual or a small class or group of individuals. Typical phishing attacks are distributed to everyone and anyone indiscriminately. Whaling focuses on a specific individual or a group of high-value targets. Common whaling targets are company executives or persons with high net worth, who may have significant monetary funds in a bank or brokerage account.</p>
<h4>8. Evil Twin (3.4)</h4>
<p>Evil Twin is a wireless attack tool that will automatically duplicate the identity of a trusted wireless network. The attack tool can perform this feat because wireless devices typically retain a profile history of wireless networks that they have successfully connected to. Each time the interface is turned back on, it will seek out these known networks and attempt to re-connect. The reconnect request includes the original SSID and base station MAC address. The Evil Twin attack tool captures these reconnect requests and replies with a spoofed identity of the known network.</p>
<h4>9. SQL Injection (3.5)</h4>
<p>SQL injection is a form of command injection attack that takes advantage of poor programming and Web backend architecture that allows the arbitrary execution of database query expressions or even command line code provided by the hacker. Generally, using input filtering and reducing access privileges can greatly reduce the threat this attack represents. Similar to SQL injection are LDAP injection and XML injection. Both are newly listed topics, but both are similar in overall concept. LDAP injection focuses on an LDAP-based directory service. XML injection focuses on any XML-based application, processing, or results rendering.</p>
<h4>10. MAC limiting and filtering (3.6)</h4>
<p>MAC limiting and filtering is an important defense on switches to protect against MAC flooding and ARP spoofing attacks. Basically, MAC limiting or MAC filtering allows a switch to detect the first source MAC address seen on each physical port, then locks that address as the only device identity it will recognize on that specific port. MAC filtering is also found on wireless access points to potentially limit wireless connectivity to known physical devices.</p>
<h4>11. Black box, White box, Gray box (3.8)</h4>
<p>Black box, white box, and gray box are labels given to various forms of testing, including application testing and penetration testing. Black box implies that the testers have no knowledge of the internal structure or logic of the item/network/system being tested and must learn everything on their own. This is also known as a zero-knowledge test. A white box test is when everything is known about the test target. This is also known as a full knowledge test. A gray box test is when some information about the target is known. This is also called a partial knowledge test.</p>
<p>Next week we’ll finish with Domains 4.0–6.0.</p>
<p><strong>Related Courses</strong></p>
<p><a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16261&amp;country=United+States">Security+ Prep Course (SYO-301)</a></p>
<p><a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=16259&amp;country=United+States">Security+ Certification Boot Camp (SYO-301)</a></p>
<div class='series_links'> </div><div class='series_toc'><h3>New Topics on Security+ Series</h3><ul><li>New Topics on Security+ 2011 (SY0-301) from Domains 2.0–3.0</li><li><a href='http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-4-0-6-0/' title='New Topics on Security+ 2011 (SY0-301) from Domains 4.0–6.0'>New Topics on Security+ 2011 (SY0-301) from Domains 4.0–6.0</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/certification/new-topics-on-security-2011-sy0-301-from-domains-2-0-3-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing Cyberspace: Are You Ready?</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/securing-cyberspace-are-you-ready/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/securing-cyberspace-are-you-ready/#comments</comments>
		<pubDate>Wed, 21 Mar 2012 12:28:59 +0000</pubDate>
		<dc:creator>Guest Authors</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Training Trends]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5490</guid>
		<description><![CDATA[Cyber threats are a serious economic and financial challenge facing the US today. Technology is rapidly changing and becoming more sophisticated, yet every day brings new reports of high-profile organizations suffering significant data breaches. These breaches result in access to and loss of vital information causing negative publicity, a lack of trust, a drop in consumer confidence, and lost market share.]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2012/01/securityCC000902.jpg"><img class="alignright size-full wp-image-5244" title="securityCC000902" src="http://globalknowledgeblog.com/wp-content/uploads/2012/01/securityCC000902.jpg" alt="" width="300" height="300" /></a>Cyber threats are a serious economic and financial challenge facing the US today. Technology is rapidly changing and becoming more sophisticated, yet every day brings new reports of high-profile organizations suffering significant data breaches. These breaches result in access to and loss of vital information causing negative publicity, a lack of trust, a drop in consumer confidence, and lost market share.</p>
<p>The bridge from technology to a secure cyberspace is a skilled and well-equipped cyber workforce. Educating and training your workforce to become cyber warriors means giving them the expertise they need to hunt for and continuously monitor networks for intrusions, think like cyber criminals, and reverse-engineer an attack. According to Jim Gosler, NSA Visiting Scientist and founding director of CIA’s Clandestine Information Technology Office, only about 1,000 security specialists in the United States have the specialized skills needed to operate effectively in cyberspace; however, the United States needs about 10,000 to 30,000 such individuals.</p>
<h4>Building Skills and Knowledge for a Secure Cyberspace</h4>
<p>The best investment you can make to protect your critical data and information systems is to build a skilled and knowledgeable cyber workforce. Having the right people with the right skills to tackle the ever-changing threat landscape is paramount. Keeping your workforce exceptionally skilled is crucial to safeguarding your information and information systems, and it requires continual training.</p>
<h4>A Flexible and Scalable Training Approach</h4>
<p>A good cybersecurity learning framework is a component-based, phased training system. It enables you to effectively identify, classify, and assess the needs of your organization and the competencies of your cyber workforce and develop a plan for skills building, maintenance, and evolution.</p>
<p><strong>Identify: </strong>Identify the roles, functions, and competencies your cyber workforce must possess to effectively carry out your organization’s mission of complete and ongoing protection, while ensuring the confidentiality, integrity, and availability of your critical data.</p>
<p><strong>Classify: </strong>Classify the associated roles, functions, and competencies based on level of responsibility or authority as it relates to information systems or the computing environment in which an individual operates. These position levels are also called bands.</p>
<p><strong>Assess: </strong>After identifying and classifying your cyber workforce, assess each member’s expertise. Doing so provides an organizational view of your workforce that helps you determine overarching gaps in education or knowledge and to identify potential areas of security risk within the organization based on the current workforce skills and job functions.</p>
<p><strong>Plan: </strong>Develop a training plan that begins by closing the gaps and evolves into a continuous training program in which your cyber workforce will follow learning tracks against specific competencies or roles.</p>
<p><strong>Train: </strong>With your plan in place, move on to the critical training phase: building and maintaining the knowledge and skills of your cyber workforce.</p>
<p><strong>Evolve: </strong>As job roles, technologies, and training requirements change, continuously evolve your training program to ensure a world-class security team into the future.</p>
<h4>How Mastering These Disciplines Will Help You Protect and Defend</h4>
<p>Whether you need general cyber security awareness, secure network design and implementation, continuous monitoring, network forensics and analysis, or smart and effective incident response training, you need to be prepared to battle the latest cyber threats and attacks.</p>
<p><strong>Asset Protection – What do you have?</strong></p>
<p>In order to protect your assets, you must first know where they are and understand how they are tracked and managed: How are they secured? Who has access to them? Are they tracked and managed? Do you have processes and procedures in place to respond and recover from a security breach quickly?</p>
<p><strong>Threat Management – What’s coming at you?</strong></p>
<p>Assess your vulnerabilities, threats, and risks. Work to mitigate this risk, and use auditing and analysis to confirm your efforts. Humans can be your weakest link. Ensure they have received adequate training to stay one step ahead of the attack.</p>
<p><strong>Access Control – Who gets in?</strong></p>
<p>Control who has access by locking down your systems, including hosts, networks, applications, and data flows.</p>
<p><strong>Incident Management – How do you handle failures?</strong></p>
<p>Perform continuous monitoring with event management tools and maximize your ability to provide an immediate response. Use strong policies that are well communicated for a consistent and uniform reaction.</p>
<p><strong>Configuration Management – How do you manage the lifecycle?</strong></p>
<p>Continuously managing changes to the IT landscape of your organization requires due diligence to ensure your systems are optimally organized and interconnected.</p>
<p><strong>Contingency Planning – How do you plan for failures?</strong></p>
<p>Ensure your organization has planned for continuity after an attack. Failures happen; how best do you respond?</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/securing-cyberspace-are-you-ready/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The First DDoS Attacks Against IPv6</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/the-first-ddos-attacks-against-ipv6/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/the-first-ddos-attacks-against-ipv6/#comments</comments>
		<pubDate>Tue, 13 Mar 2012 12:39:21 +0000</pubDate>
		<dc:creator>Michael Gregg</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[IPv6]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5472</guid>
		<description><![CDATA[For the Internet to make use of the advantages of IPv6 over IPv4, most hosts will eventually need to deploy this protocol. While many individuals are looking forward to the full deployment of IPv6, the transition to IPv6 doesn't mean the networking world will somehow be totally secure. This was made clear by the recent report that Arbor Networks has reported the first IPv6 DDoS attacks against their networks. This is a clear paradigm shift since just a few years ago there were hardly more than a few thousand IPv6 systems connected to the Internet. That has changed, and as more and more users transition to IPv6, so will the threat of new network attacks. ]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2011/10/security102086.jpg"><img class="alignright size-full wp-image-4657" title="security102086" src="http://globalknowledgeblog.com/wp-content/uploads/2011/10/security102086.jpg" alt="" width="300" height="300" /></a>For the Internet to make use of the advantages of IPv6 over IPv4, most hosts will eventually need to deploy this protocol. While many individuals look forward to the full deployment of IPv6, the transition to IPv6 doesn’t mean the networking world will somehow be totally secure. This was made clear by the recent report that Arbor Networks has reported the first IPv6 DDoS attacks against their networks. This is a clear paradigm shift since just a few years ago there were hardly more than a few thousand IPv6 systems connected to the Internet. That has changed, and as more and more users transition to IPv6, so will the threat of new network attacks. </p>
<p>IPv6 offers many improvements over IPv4 and has built-in support for IPSec. However, that does not mean that attackers cannot find new and interesting ways to target the protocol. Just consider how last year a vulnerability was discovered in the IPv6 network discovery protocol that allows a nearby attacker to intercept traffic or cause congested links to become overloaded.</p>
<p>It’s important to keep in mind that much of the work on IPv6 was done in the 1990s, before security had become the driving concern it is today. While moving to IPv6 does offer many advantages, it will not ease the burden of the security professional. IPv6 faces a number of very different kinds of attack strategies than IPv4. Proactive organizations will continue to need IT security specialists who understand the protocols and how they may be misused in new and emerging threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/the-first-ddos-attacks-against-ipv6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Five Tips to Help Secure Your Web Browser</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/five-tips-to-help-secure-your-web-browser/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/five-tips-to-help-secure-your-web-browser/#comments</comments>
		<pubDate>Thu, 16 Feb 2012 13:30:36 +0000</pubDate>
		<dc:creator>Michael Gregg</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[browser security]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5189</guid>
		<description><![CDATA[While a recent study found that Chrome tops the list of most secure browsers, IE still has the most market share. Regardless of what browser you use there are some basic tips you can use to help make your web browsing more secure.]]></description>
<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2012/01/secure123208401.jpg"><img class="alignright size-full wp-image-5245" title="secure123208401" src="http://globalknowledgeblog.com/wp-content/uploads/2012/01/secure123208401.jpg" alt="" width="300" height="300" /></a>While a recent study found that Chrome tops the list of most secure browsers, IE still has the most market share. Regardless of what browser you use, there are some basic tips you can use to help make your web browsing more secure.</p>
<ol>
<li><strong>Be leery of links</strong> — Never click on a suspicious link, image, or even video that is sent to you on a social networking site or through email. While it may appear to be from a friend, these links can install viruses or key loggers on your computer that can be used to target your bank account and credit card numbers.</li>
<li><strong>Watch for Tiny URLs</strong> — Tiny URLs are used to shorten web addresses but can hide a malicious link. Use a URL expander first, such as <a href="http://longurl.org" target="_blank">http://longurl.org/</a>.</li>
<li><strong>Use HTTPS when possible</strong> — While many sites may offer HTTPS, not all always use it. Tools such as HTTPS Everywhere (https://www.eff.org/https-everywhere) force sites to use encryption all the time. This raises your level of protection from eavesdroppers and cyber criminals.</li>
<li><strong>Beware offers that seem too good to be true</strong> — Hackers use this technique to lure you to a malicious site or get you to click on a link.</li>
<li><strong>Clear out the cookies</strong> — Many sites use cookies to track where you visit on the web. While cookies have a legitimate use, they can also be used to track your activity on the Internet. BetterPrivacy and NoScript are two examples of cookie cleaners. Running these tools periodically helps protect you while browsing the Internet.</li>
</ol>
<p>While there is no totally secure browser, there are some things you can do to help surf the web safely. Hopefully these five tips improve your browsing experience.</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/five-tips-to-help-secure-your-web-browser/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Insider vs. Outsider Threats</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/insider-vs-outsider-threats/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/insider-vs-outsider-threats/#comments</comments>
		<pubDate>Mon, 23 Jan 2012 13:45:19 +0000</pubDate>
		<dc:creator>Michael Gregg</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[insider attacks]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5044</guid>
		<description><![CDATA[One of the debates that often comes up is who is the bigger threat to IT security: insiders or outsiders. While both can cause real damage to a company's assets, insiders have a key advantage. Here is one way to consider that advantage. To launch an attack what's needed is means, motive, and opportunity. While outsiders may have a motive, insiders have the means and opportunity to launch an attack. This places them in a much better location to carry out malicious activities. ]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2012/01/security72736540.jpg"><img class="alignright size-full wp-image-5150" title="security72736540" src="http://globalknowledgeblog.com/wp-content/uploads/2012/01/security72736540.jpg" alt="" width="300" height="300" /></a>One of the debates that often comes up is who is the bigger threat to IT security: insiders or outsiders. While both can cause real damage to a company’s assets, insiders have a key advantage. Here is one way to consider that advantage. To launch an attack what’s needed is means, motive, and opportunity. While outsiders may have a motive, insiders have the means and opportunity to launch an attack. This places them in a much better location to carry out malicious activities.  Here are a few items that can be used to reduce the threat of insider attack:</p>
<ul>
<li>Management must enforce key personnel controls that deal with hiring, managing, and terminating personnel. These controls reduce information leaks or theft from careless employees whose online habits open the door to hackers or rogue employees who try to sabotage the company when they’re terminated.</li>
<li>The need for controls: Controls can be preventive, detective, and corrective. Layering controls helps a company build defense in depth through an increase in cybersecurity and information protection.</li>
<li>Get your employees involved. Keeping employees involved in security can help strengthen and reinforce best practices. Employees should also complete periodic security training and awareness so that they know the latest scams and risks and how to avoid them, such as phishing schemes in emails or malware links in social media.</li>
<li>Have a third party assess your security controls. It’s a good idea to have someone review your network from the outside-in and start to consider how a hacker would see your network.</li>
</ul>
<p><a href="https://www.infosecisland.com/blogview/17770-What-To-Do-About-Insider-Threats.html" target="_blank">Check out this article for more tips on the protection against insider attackers</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/insider-vs-outsider-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacking Back In Self-Defense: Is It Legal; Should It Be?</title>
		<link>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/hacking-back-in-self-defense-is-it-legal-should-it-be/</link>
		<comments>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/hacking-back-in-self-defense-is-it-legal-should-it-be/#comments</comments>
		<pubDate>Fri, 06 Jan 2012 13:37:51 +0000</pubDate>
		<dc:creator>Guest Authors</dc:creator>
				<category><![CDATA[Hacking & Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://globalknowledgeblog.com/?p=5018</guid>
		<description><![CDATA[Your business was hacked, leaving you with a persistent bot; now what? Okay, here it is: when plagued with a persistent bot you can legally use automated code outside of your network, in specific circumstances and via specific means, to eliminate the threat in an act of self-defense or defense of property.

Most cyber security experts agree that getting hacked is no longer a matter of if, but when. One hundred percent security is a myth. So what can you do? Standard responses are slow and, in many cases, not very effective. Nations can legally defend themselves but what about businesses?]]></description>
			<content:encoded><![CDATA[<p><a href="http://globalknowledgeblog.com/wp-content/uploads/2011/12/hackback05995.jpg"><img class="alignright size-full wp-image-5103" title="hackback05995" src="http://globalknowledgeblog.com/wp-content/uploads/2011/12/hackback05995.jpg" alt="" width="300" height="300" /></a>Legal disclaimer: the following theory is just that, a theory, and in no manner constitutes legal advice, nor advocates or provides justification for hacking back.</p>
<p>Your business was hacked, leaving you with a persistent bot; now what? Okay, here it is: when plagued with a persistent bot you can legally use automated code outside of your network, in specific circumstances and via specific means, to eliminate the threat in an act of self-defense or defense of property.</p>
<p>Most cyber security experts agree that getting hacked is no longer a matter of if, but when. One hundred percent security is a myth. So what can you do? Standard responses are slow and, in many cases, not very effective. Nations can legally defend themselves but what about businesses?</p>
<h3>A Losing Battle – Defending Against the Botnet</h3>
<p>The presumption is that a business cannot reach outside its network in self-defense to block an attacker. I am not advocating vigilantism, but we are losing the war in cyberspace and must rethink our strategy and laws. Too much money and too many secrets are walking out of the door unchecked.</p>
<p>My focus is the botnet since it currently appears to pose the largest threat with millions of infected machines around the world being used to attack networks. Computers and networks are being infected through a variety of methods: phishing attacks, malware on legitimate and fake websites, employees visiting social media sites, and other methods. In 2010 and the first half of 2011, the top four botnets were:</p>
<table>
<thead>
<tr><th>2010</th><th>2011 (First half)</th></tr>
</thead>
<tbody>
<tr><td>RudeWarlockMob (TDL-3) now TDL-4</td><td>SpyEye Operator (OneStreetTroop)</td></tr>
<tr><td>FreakySpiderCartel</td><td>RudeWarlockMob</td></tr>
<tr><td>ZeusBotnetB</td><td>FreakySpiderCartel</td></tr>
<tr><td>Monkif</td><td>Neosploit Operator</td></tr>
</tbody>
</table>
<p>So, let’s assume you found a virus/bot in your network and believed you cleaned it up but, lo and behold, it is back. For whatever reason, law enforcement was not able to assist or, for business reasons, you decide calling law enforcement is not advisable. You have not been able to determine the location of the command and control (CnC) server, which likely belongs to an innocent bystander whose network was infected and is now controlling hundreds or thousands of bots without the owner’s knowledge.</p>
<h3>Hacking Back In Self-Defense</h3>
<p>Although difficult, it is clearly feasible: what if you implanted code on the communication function of the bot so that when it communicates with the CnC server for instructions, the communication path is blocked or cut off by the code at the CnC server? Is this hacking?</p>
<h3>Computer Fraud and Abuse Act</h3>
<p>The Computer Fraud and Abuse Act (CFAA) was enacted in 1986 and revised in 2001 and again in 2008. A violation of the Act is defined as anyone who “knowingly causes the transmission of a program, information code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; … or intentionally accesses a protected computer without authorization, and as a result of such conduct, … causes damage and/or loss.”</p>
<p>This definition should raise the following questions: is placing code on the phone-home function of a bot, knowing it will eventually gain access to the CnC server, considered “gaining unauthorized access”, and is blocking the communication path causing “harm, loss or damage”? You could argue there was no intent to cause the transmission, or you could split hairs and claim you did not technically cause the transmission: it was the bot owner via the bot, and you only intended to put the code on the bot, but both arguments may be a little thin.</p>
<p>Your intent was to emplace the code and block the communication path but not to gain unauthorized access to the CnC server. If done correctly, you merely blocked the bot from communicating with the CnC server and did not disrupt or impede the normal function of the server. To be clear, you have not gained unauthorized access to the network or computer if you block the communication path from outside of the CnC server owner’s network (e.g., outside the network perimeter).</p>
<h3>Hacking: Is It Legal? Should It Be?</h3>
<p>So, what changed to make this legal? In the 1980s and later, when the CFAA was enacted and revised, hacking mostly consisted of a person breaking into and trolling through computers and networks. Today most hacking is automated, especially with the increased use of botnets.</p>
<p>Hackers have taken advantage of automated services and protocols that make the Internet, especially advertising, more personal, such as adware, cookies, etc. If you use automated tools outside of your own network to defend against attacks by innocent but compromised machines, is this gaining unauthorized access or a computer trespass? If it is, how is it different from the adware, spam, cookies, or others that load on your machine without your knowledge, or at least with passive consent?</p>
<h3>Cyber Self-Defense/Defense of Property</h3>
<p>Now, consider the law of self-defense or defense of property, which provides that you may defend property, similar to the right of self-defense, against an attacker. So why wouldn’t someone have a right to defend their computer or network from a botnet attack, other than the potential impact on innocent bystanders?</p>
<p>Imagine one morning you notice your car has a big dent in the rear. You happen to notice that your neighbor’s car has a similar dent in the front. You are completely dumbfounded since your neighbor is out of the country for a month. The next day you notice another dent in your car and your neighbor’s. You set up a camera to see what happens while you sleep. The video reveals that your neighbor’s car starts automatically, drives across the street, rams your car, and returns. You notify the police, but they determine that your neighbor left the door to the car unlocked, and the keys were in the ignition.</p>
<p>Unfortunately, there is nothing the police can do. The next night you decide you are going to employ your right of self-defense or defense of property and do something. You enter your neighbor’s property, obviously trespassing, enter the car, again trespassing, and begin to investigate further. You determine that someone wired the car with a remote control device and is operating it from some unknown location. You disable the remote control device, thereby preventing the hacker from controlling the car. The car is still in its normal working condition.</p>
<p>In this scenario you trespassed and gained unauthorized access to your neighbor’s property and vehicle. But were you justified? Did a privilege of defense of property apply? It should be pretty clear that it would. You didn’t damage the normal function of your neighbor’s car. Now, answer the same questions with regard to the botnet scenario wherein you blocked or eliminated the communication path between the bot and its CnC server. But, unlike the vehicle scenario where it is clear you trespassed, is trespass clear in our botnet scenario? Not really!</p>
<h3>Conclusion</h3>
<p>The bottom line is we are losing the war. Businesses must be able to defend themselves to prevent the loss of money, technology, and secrets. Technology has advanced in leaps and bounds beyond our current laws. As new laws are explored, old ones amended, and solutions sought, let’s think outside the box and give the good guys the advantage, or at least a fighting chance. Until then, let’s stop automatically assuming we are not allowed to defend ourselves. We can, and the law allows it. We just need to be very careful and methodical about it and not harm our neighbor or trample on his privacy rights. Not vigilantism, but clear, forward, out-of-the-box thinking and analysis to put us back in the game.</p>
<p><em>Excerpted from <a href="http://www.globalknowledge.com/training/whitepaperdetail.asp?pageid=502&amp;wpid=919&amp;country=United+States?utm_source=blog&amp;utm_medium=referral&amp;utm_campaign=socialmedia" target="_blank">Hacking Back in Self-Defense: Is It Legal? Should It Be?</a> by David Willson</em></p>
<p><strong>Additional Resources</strong><br />
<a href="http://www.globalknowledge.com/training/coursewebsem.asp?pageid=9&amp;courseid=16848&amp;catid=248&amp;country=United+States?utm_source=blog&amp;utm_medium=referral&amp;utm_campaign=socialmedia" target="_blank">Free Webinar: Hacking Back In Self-Defense: Is It Legal? Should It Be?</a></p>
<p><strong>Related Courses</strong><br />
<a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=15870&amp;catid=191&amp;country=United+States?utm_source=blog&amp;utm_medium=referral&amp;utm_campaign=socialmedia" target="_blank">Certified Ethical Hacker v7</a><br />
<a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=13526&amp;catid=191&amp;country=United+States?utm_source=blog&amp;utm_medium=referral&amp;utm_campaign=socialmedia" target="_blank">Cyber Security Foundations</a><br />
<a href="http://www.globalknowledge.com/training/course.asp?pageid=9&amp;courseid=978&amp;catid=191&amp;country=United+States?utm_source=blog&amp;utm_medium=referral&amp;utm_campaign=socialmedia" target="_blank">Foundstone Ultimate Hacking</a></p>
]]></content:encoded>
			<wfw:commentRss>http://globalknowledgeblog.com/technology/security/hacking-cybercrime/hacking-back-in-self-defense-is-it-legal-should-it-be/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>