Publications catalogue - books
Open Access Title
The InfoSec Handbook: An Introduction to Information Security
Abstract/Description – provided by the publisher
Not available.
Keywords – provided by the publisher
Computer science
Availability
Detected institution | Year of publication | Browse | Download | Request |
---|---|---|---|---|
Not required | 2014 | Directory of Open access Books | | |
Not required | 2014 | SpringerLink | | |
Information
Resource type:
books
Print ISBN
978-1-4302-6382-1
Electronic ISBN
978-1-4302-6383-8
Publisher
Springer Nature
Country of publication
United Kingdom
Publication date
2014
Subject coverage
Table of contents
Introduction to Security
Umesh Hodeghatta Rao; Umesha Nayak
Scenario 1: A post on Threatpost, the Kaspersky Lab Security News Service, dated August 5, 2013 with the title “BREACH Compression Attack Steals HTTPS Secrets in Under 30 Seconds” by Michael Mimoso, states:
Part I - Introduction | Pp. 3-12
History of Computer Security
Umesh Hodeghatta Rao; Umesha Nayak
The first events in the history of exploiting security date back to the days of telephony. Telephone signals were sent via copper cables. Telephone lines could be tapped and conversations could be heard. In the early days of telephone systems, telephone operators intentionally misdirected calls and eavesdropped on conversations. In the 1970s, a set of people known as phreakers exploited the weakness of digital switching telephone systems for fun. Phreakers discovered the signal frequency at which the numbers are dialed and tried to match the frequency by blowing a whistle and fooling the electronic switching system to make calls for free. Among these phreakers, John Draper found that he could make long-distance calls for free by building an electronic box that could whistle different frequencies
Part I - Introduction | Pp. 13-25
Key Concepts and Principles
Umesh Hodeghatta Rao; Umesha Nayak
Every organization or enterprise exists to achieve its objectives, both business objectives and social objectives. Its existence or continued existence is of no use unless it is able to achieve its objectives. For the continued existence of any organization, information security has become a non-negotiable necessity. However, the acceptability for information security is very low in an organization because of its arbitrary implementation. Information security will be appreciated by everybody if the same structure is implemented, keeping in mind an organization’s business objectives and business requirements. Furthermore, information technology has to enable information security which, in turn, will protect its business, customers, partners, and systems, such as its people, infrastructure (including its networks), and applications. This in turn means that all the strategies of the organization – business strategies, IT strategies, and information security strategies – have to complement each other and are to be balanced.
Part II - Key Principles and Practices | Pp. 29-61
Access Controls
Umesh Hodeghatta Rao; Umesha Nayak
In general terms, providing security means “freedom from risk and danger”. In the context of information security, it is securing information against:
Part II - Key Principles and Practices | Pp. 63-76
Information Systems Management
Umesh Hodeghatta Rao; Umesha Nayak
Today’s world is complex. Organizational environment is becoming increasingly complicated with the integration of various technologies to provide better business delivery. While one’s need of effective and efficient delivery is fulfilled through the means of new technologies, such as internet, video, audio, business presentations, and business meetings, interplaying with each other, the other need requires more focus and strengthening, that is, information security. Businesses have to protect the confidentiality, and the integrity of business information while making their systems available for continued business. A few minutes of down time of an e-commerce business site can lead to a significant amount of missed business or switching over of the business to a competitive supplier. A breach of confidentiality or integrity can lead to reputation loss, huge penalties, or significant revenue loss. To ensure information security, we need to act proactively.
Part II - Key Principles and Practices | Pp. 77-111
Application and Web Security
Umesh Hodeghatta Rao; Umesha Nayak
As we have explored in earlier chapters, security applies to all the components of the systems including physical infrastructure like building, electricity, cables, and so on; hardware; network; software; tools / utilities; human beings including resources internal to the organization and contractors / suppliers who may be working from within the organization or outside the organization. Any part of the entire chain of components can be ignored from security perspective only at the peril of an organization.
Part III - Application Security | Pp. 115-139
Malicious Software and Anti-Virus Software
Umesh Hodeghatta Rao; Umesha Nayak
The intent of “Malicious Software,” as the name suggests, is to create harm or damage to systems or to people or to both. As science can be used for both good and bad purposes, software can also be used for both good and bad purposes. Some persons or groups use software or exploit software loopholes inappropriately, for fun or to highlight their technical skills. Many others do it for financial gains, for taking revenge, or to create fear in others. Of late, these are misused for political or religious gains or for terrorism. Even many of the countries are spying on each other. Militaries of many countries have a Cyber Warfare division.
Part III - Application Security | Pp. 141-161
Cryptography
Umesh Hodeghatta Rao; Umesha Nayak
It is easy for someone to read data if it is in a plain text, but confidential and sensitive messages in plain text can be easily compromised. Spies use secret codes to communicate with their secret agents. Julius Caesar never trusted his messengers carrying message to his generals. He used to code his message by replacing every A with a D, every B with E, and so on, so only those who knew how to decode this “shift 3” rule could decode the message.
Part III - Application Security | Pp. 163-181
Understanding Networks and Network Security
Umesh Hodeghatta Rao; Umesha Nayak
Before we discuss network vulnerabilities and threats, we should understand why such threats exist. In order to understand this, we need to know the basics of computer communication and networking. In this chapter, we will be discussing the basics of computer networking, Open System Interconnection (OSI), and Transport Control Protocol/Internet Protocol (TCP/IP) models, and types of networking vulnerabilities that exist and then will explore on the relevant vulnerabilities and threats.
Part IV - Network Security | Pp. 187-204
Firewalls
Umesh Hodeghatta Rao; Umesha Nayak
The Internet plays an important role in our daily life. Today, everyone is “connected” to everyone else almost at any given instant as we are connected to the Internet most of the time and interacting with others through e-mails or instant messengers like Skype or are using some applications on the web. With the innovation of high-speed computing devices, large-scale deployment of wireless networks, Web 3.0, Cloud computing, and social networks, “always connected” is a reality. The Internet continues to grow exponentially. Most of the businesses are connected on and through the Internet. E-commerce, e-business, and other Internet-related businesses are growing at a faster rate than ever before. According to an estimate by one of the leaders in network systems and services, the number of globally connected devices, which was around 8 billion in 2013, is expected to reach 25 billion by 2015, outnumbering the people by twice as much. And the number of devices that are going to be connected to the Internet is estimated to go as high as 50 billion by the year 2020. According to the latest statistics, more than 75% of the world’s population will be connected to the Internet by 2020. The Internet is bringing together people, processes, and data to make network connections more relevant to today’s world. Demand for network-based applications and services is exponentially growing.
Part IV - Network Security | Pp. 205-223