CHAPTER

5 Security Breaches and the Law

ACCESS CONTROLS EXIST to reduce the risk of unauthorized access to valuable

information and resources. The consequences of unauthorized access can be seri-
ous—loss of reputation, financial losses, and even the loss of life if military or in-
frastructure resources are compromised. In this chapter, you will discover the
ways that compromised access controls can result in security breaches. You will
also discover the legal implications of security incidents.

Chapter 5 Topics

This chapter covers the following topics and concepts:

What some U.S. federal and state laws that deter information theft are

What the costs of inadequate access controls are

How access controls fail

What a security breach is

Chapter 5 Goals

When you complete this chapter, you will be able to:

Discuss the U.S. federal and state laws passed to deter information theft

Understand the costs associated with inadequate access controls

Explain how access controls can fail

 Discuss security breaches and their implications

Laws to Deter Information Theft

Espionage between organizations used to require a physical act, such as stealing

paper documents and making physical copies. Identity theft was a factor only if
someone lost a wallet or it was stolen. Although information technologies such as
networked file servers, tablets, and Web-based applications have made data eas-
ier to manage, IT has also made that information far more vulnerable.

Federal and state laws have been created to act as deterrents to information theft.
These laws require organizations to take steps to protect the sensitive data stored,
processed, or transmitted by their IT infrastructure. There are penalties for both
stealing information and failing to follow the regulations in safeguarding it.

These laws add other considerations that organizations must comply with.
Organizations must protect data from breaches; they must also be able to tell if
an information breach has occurred. An organization may have a legal obligation
to inform all stakeholders about breaches that have occurred and any informa-
tion that may have been compromised.

U.S. Federal Laws

The technology breakthroughs of the information age have allowed organizations

to be more productive and automate many interactions with consumers and
stakeholders through the Internet. This has had unfortunate drawbacks; individu-
als can now utilize the Internet to gain unauthorized access to an organization,
putting sensitive data at risk. An IT professional must be aware of these risks, as
well as the numerous laws and regulations affecting the organization.

Various regulations define an organization’s obligation to secure information.

This section explores a few laws that cover unauthorized access of that informa-
tion: the Computer Fraud and Abuse Act and the Digital Millennium Copyright
Act.

Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act (CFAA) is a federal criminal statute de-
signed to protect electronic data from theft. The CFAA was enacted in 1984 and
was designed to protect classified information maintained on governmental com-
puter systems as well as financial and credit information maintained at financial
institutions.

In 1994 and again in 1996, Congress expanded CFAA to cover any computer used
in interstate commerce. The law was also amended to allow for private civil ac-
tions to help individuals injured in criminal activity that the CFAA prohibits. In
2002, the law was further expanded to cover a system located outside of the
United States that is used in a manner that affects interstate or foreign commerce
activities within the United States. The most recent amendment to the CFAA oc-
curred in 2008 with the passage of the Identity Theft Enforcement and Restitution
Act. This act revised CFAA to include provisions regulating spyware and cyberex-
tortion. It also now requires identity thieves to pay restitution to their victims and
forfeit any computer equipment used in identity theft.

The expansion of the CFAA has been an effective tool in protecting data stored on
computers. This has allowed different types of civil actions to be brought against
various activities. Here are some examples:

Obtaining information from a computer through unauthorized access

Trafficking in a computer password that can be used for unauthorized access

Intentionally damaging computer data

Stealing the identity of an individual

The CFAA allows an organization or individual affected by theft or destruction of

data to seek relief and restitution from the courts as well as forces the return of
stolen information. The CFAA also allows organizations to prevent the use of
stolen information by their competitors in the marketplace. In this manner the
CFAA protects the rights of organizations and individuals that need to safeguard
their sensitive information and processes from their competitors.

CFAA is based on unauthorized access to computers and information.

“Unauthorized access” can be defined as using a computer to obtain or alter infor-
mation in a system that the individual does not have a legitimate right to obtain
or alter. For example, suppose an employee accesses and sends valuable company
information through the Internet to a competitor right before his termination in
hopes of obtaining a position with the competitor. The employee in this scenario
could argue that the CFAA does not apply because he had legitimate access to the
computer and data at that time. Under the CFAA, however, the courts would prob-
ably not agree with this assertion. A court could hold that the employee’s legiti-
mate access ended when he no longer held the best interest of the company in
mind. When the employee accessed and sent the proprietary information to the
competitor, he lost authorization to the data.

Digital Millennium Copyright Act

The Digital Millennium Copyright Act (DMCA), passed in 1998, is the imple-
menting legislation that facilitates the United States’ participation in World
Intellectual Property Organization (WIPO) treaties. DMCA has two major provi-
sions of interest to IT professionals. First, it makes it a crime to bypass technologi-
cal mechanisms used to enforce copyright provisions or sell equipment designed
to bypass those mechanisms. Second, it introduces requirements for Internet ser-
vice providers to receive and respond to copyright infringement complaints.

FYI

There are exceptions to the DMCA. It allows for legitimate research of reverse en-
gineering for interoperability requirements. For example, a research team could
legally attempt to figure out how access control measures were coded for the
purposes of allowing third-party applications to interface with the access con-
trols. There is also an exception if prior approval from a legitimate authority has
been granted to try to break through an access control measure. Another excep-
tion is the manufacturing and sale of parental control systems to allow parents to
restrict what their children view on the Internet. There are also exceptions for
some government activities and legitimate law enforcement actions.

Copyright Technology Protection

The DMCA prohibits unauthorized disclosure of data by circumventing an estab-

lished technological measure of the organization. Technological measures include
things like product keys for software, CD and DVD copy protection, system pass-
words, and so on. The DMCA also prohibits the manufacture or sale of programs
or devices designed to break access control measures of an organization.
The idea behind the DMCA is that unless it is illegal to break implanted technol-
ogy, malicious users could manipulate access control solutions and violate copy-
right laws without consequence. DMCA provides for legal liabilities and attempts
to ward off malicious users while providing incentives for organizations to imple-
ment access controls.

For example, let’s take a look at the case of Universal City Studios v. Reimerdes, in
which eight motion picture studios employed the DMCA against a defendant who
posted DVD decrypting software on his Web site.

Upon the advent of DVDs, movie studios were concerned with the piracy aspect of
the new technology. Unlike analog video, digital video can be replicated without
any degradation in video quality. In the mid-1990s, the Content Scramble System
(CSS) was created in partnership with the consumer electronics industry to help
defend against piracy.

CSS provides encryption to a DVD’s sound and graphics files according to prede-
fined algorithms, making it supposedly impossible to replicate a legitimate studio-
sanctioned DVD. This technology was then licensed to consumer electronics man-
ufacturers for use in creating DVD players for retail sale.

In the fall of 1999, a teenager was able to crack the encryption. He reverse engi-
neered an officially licensed DVD player. This allowed for the creation of a com-
puter program capable of decrypting the DVDs. This program allowed the DVDs to
be viewed on non-compliant computers. It also allowed the decrypted files to be
copied. The software was then posted on the Internet, where it could be down-
loaded from hundreds of sites.

The movie studios, using the DMCA, sought a legal solution to the problem. Using
the anti-circumvention provisions of the DMCA, the courts found that the soft-
ware generated to break the encryption on the DVD players constituted technol-
ogy and was designed to circumvent the technology implemented by the studios
for the copyright protection of their proprietary DVDs. As a result, the court ruled
in favor of the studios using the DMCA.

ISP Requirements

DMCA also requires that Internet service providers (ISPs) receive and respond to
copyright complaints in a timely manner. ISPs who meet the requirements of
DMCA qualify for safe harbor status, which protects them from prosecution for
the activities of their customers. The DMCA requires ISPs to:

Block access to any potentially infringing material when they receive proper no-
tice from a copyright owner

Notify users of the their policy regarding copyright infringement and the conse-
quences that may occur if users engage in unlawful activity

Implement measures to terminate the access of repeat infringers

The specific provisions of DMCA vary depending upon the services provided by
the ISP.

State Laws

Most states have laws that apply to unauthorized access to confidential informa-
tion. Because they have many parts in common, this section covers one law in
depth. The California Identity Theft Statute will give you a basic understanding
of state laws designed to protect data.

The California Identity Theft Statute requires businesses operating in California to

notify customers when the business has reason to believe that personal informa-
tion has been disclosed through unauthorized access. Personal information is de-
fined as a Social Security number (SSN), driver’s license number, or physical ad-
dress maintained in digital form.

As soon as an organization realizes that there has been an unauthorized disclo-

sure, the organization must notify the owner of the information that a breach has
occurred. The law further provides for any individual damaged by the breach to
bring a lawsuit to recover any loss incurred due to the information disclosure and
failure of the organization to issue a timely notification.

The purpose of the California Identity Theft Statute is to provide sufficient notice
to individuals whose personal information has been stolen so they can take ap-
propriate actions in a timely manner to prevent further damage by the data
thieves.

The following are some of the elements of the California Identity Theft Statute
that apply to data access and handling:
 Any person who, with the intent to defraud, acquires, transfers, or retains pos-
session of personally identifying information of another person, is guilty of a
crime punishable by up to $1,000 and one year in jail.

Businesses are required to take reasonable steps to destroy all records contain-
ing personal information by shredding, erasing, or modifying the information to
make it unreadable.

Businesses and governmental agencies must notify individuals when any of the
following unencrypted personal information has been accessed in a computer se-
curity breach: SSN, driver’s license number, account number, credit card number,
or debit card number.

NOTE

Identity theft is one of the fastest growing crimes being committed on the
Internet. Data thieves sell personal information to criminals, who then open
credit card accounts, purchase products, or commit to other financial obligations
using the stolen identities. Early notice that identity theft has occurred and ac-
tion by individuals to protect themselves following a security breach will help re-
duce the impact of this type of criminal activity.

Furthermore individuals, commercial entities, and certain governmental entities

including public universities and colleges may not:

Publicly display or post SSNs.

Print SSNs on ID cards or badges.

Require people to transmit SSNs over the Internet unless the connection is se-
cure or the number is encrypted.

Require people to use their SSN to log on to the Internet without a password.

Print SSNs on mailed documents unless required by state or federal law.

Embed or encode SSNs on a card or document where it cannot otherwise be

printed. This includes chips, radio frequency identification (RFID), magnetic
strips, and barcodes.
 Mail SSNs where the number is visible without opening the envelope.

TIP

The California Identity Theft Statute, used as an example in this section, is repre-
sentative of many states’ identity theft laws. If you are in a position to safeguard
personally identifiable information, research the specific laws that apply in your
state. You can begin by visiting your state’s Office of the Attorney General Web
site.

Financial institutions are prohibited from sharing or selling non-directory per-

sonally identifiable information without obtaining the consumer’s consent.

Cost of Inadequate Front-Door and First-Layer Access Controls

Computer systems and data are essential to our modern lives. The safeguards se-
curing these assets are both logical and physical. Many times, the need for physi-
cal security in a computing environment is overlooked. Unauthorized access to
sensitive data and physical assets can create a significant risk for an organization.

The direct and indirect cost to an organization can be substantial. Direct costs
come in the form of the cost to replace hardware, upgrade hardware and soft-
ware, time and resources needed to reinstall and reconfigure the systems, as well
as possible legal liabilities of having inadequate access controls. Indirect costs can
come in the form of lost orders, lost customers, lost production, loss of competi-
tive advantage, and possible legal liabilities.

Here are some examples of security policies that would be effective in limiting
physical access to protect the data and assets of an organization:

All physical security must comply with all applicable regulations such as build-
ing and fire codes.

Access to secure computing facilities will be granted only to individuals with a

legitimate business need for access.

All secure computing facilities that allow visitors must have an access log.

Visitors must be escorted at all times.

Access Control Failures

Every organization has sensitive areas and information that should be protected.
If this information is left unsecured, it is hard to claim that access is unautho-
rized. Most responsible organizations implement some type of access control.
Unfortunately, even the most thorough and vigilant system can fail. There are two
primary causes of access control failures: people and technological factors.

People

Even the most strict and thorough access control policies are prone to human er-
ror. This was vividly demonstrated in 2010 when a Virginia couple slipped past
security and into a state dinner at the White House. The couple was subjected to
all of the normal security screening procedures and was never a threat, but they
were not on the guest list. They got in due to human error—the guard at the entry
gate did not follow proper procedure and verify the couple was on the guest list.

Although the couple was not a threat and the situation was humorous, this type of
failure could pose a grave risk. They could have been spying for a foreign govern-
ment, or planning an attack on the dignitaries attending the event. This is a per-
fect example of failure in the human element of access control. An organization
can have sound access control procedures, but without proper training and buy-
in from all employees, the system can be easily defeated.

In the White House example, there were multiple layers of defense in place, in-
cluding metal detectors and bomb-sniffing dogs. This ensured that even if some-
one got through, that person would not be armed. This does not mean that they
could not be a threat. This is also true in computer security. Network antivirus
may keep malware from infecting other systems, but a connection from an unau-
thorized laptop could still be a threat.

The party crashers are also a good example of social engineering. They dressed
properly and acted with confidence that they belonged. These types of attacks
along an organization’s human vector are all too common.

In another example, a penetration testing team, called a tiger team, was testing
the security and integrity of a major financial institution’s customer data. The cor-
poration had an IT office in a major metropolitan skyscraper. The bottom floor
had a publicly accessible restaurant, automated teller machines (ATMs), and
washrooms. Dressed as a maintenance man, one of the tiger team members hung
an out-of-service sign on the public washroom.

Another tiger team member, dressed as a businessman with a briefcase, talked his
way past the security at the door into the secure area of the office complex under
the pretext of needing to use the washroom. This was a clear violation of security
protocol. This access control failure was compounded by allowing the man to go
to the washroom unescorted. Once in the washroom, the intruder accessed net-
work cables in the drop ceiling and inserted a wireless access point into the net-
work. From there, another member of the team sitting in the restaurant used his
laptop to access the wireless network.

While inside the network, the team didn’t have access to the system yet—but were
able to access unencrypted data, like customer debit card numbers and Windows
password hashes in the supposedly secure internal network. Although there were
intrusion detection systems and network-based antivirus systems running, pas-
sively sniffing network data did not trip any alarms. They were able to compro-
mise hundreds of customer card accounts in a few minutes and leave undetected,
all because of a failure in the human element of physical access control proce-
dures. Luckily, in this example, it was a tiger team working for the financial insti-
tution and not malicious data thieves. If this had been a real incident, it would
have been a major problem for the institution. Needless to say, this caused the
team in charge of securing this information to reevaluate its security
assumptions.

NOTE

Penetration testing, especially utilizing an independent third party, is an invalu-

able tool in assessing the robustness of an organization’s access controls. It al-
lows an organization to take an honest look at its access control polices without
excessive risk.

Rogue Internal Operatives

Another aspect in the human vector of access controls is rogue internal opera-
tives. Disgruntled employees can pose a major threat to information security in
the forms of theft, sabotage, vandalism, and more. The best way to handle these
threats is by embracing a least-privileged access control policy. If you limit users
to the least amount of access they need to accomplish their tasks, the damage they
can do is limited.

Other People-Related Threats

There are other internal threats besides disgruntled users; here are some other
common threats:

Phishing and spear phishing attacks—These are e-mails and Web sites crafted
to trick a user into installing malicious code. They look like legitimate e-mails and
Web sites, but redirect the user’s information to the attacker. Spear phishing at-
tacks are targeted at a specific individual or organization.

Poor physical security on systems—A hard drive, flash thumb drive, and even
an entire laptop can vanish quickly if left unattended.

Physically stored passwords—A password stored on a slip of paper can easily

allow for unauthorized access to an organization’s systems.

File-sharing and social networking sites—As more and more people use these
online services, they are becoming a major vector for social engineering attacks.

The best way to handle the human element in access control is through training
and organizational buy-in. Every employee—at all levels of an organization—
needs to adhere to security procedures or the access control system is useless.

Technology

Sometimes the best access control systems can be bypassed due to a failure in
technology. No computer system is bug-free. Anything from an organization’s op-
erating system to its choice in Web browser or instant messaging client could be
an access point for unauthorized access to its systems. Let’s look at some techno-
logical failures that could lead to unauthorized access.

Microsoft Windows operating systems prior to Windows Vista had the possibility
of running very weak password encryption. Passwords in Windows NT, 2000, and
XP that were fewer than 15 characters long were stored in a file called a LAN
Manager (LM) hash. This file employed Data Encryption Standard (DES) en-
cryption; unfortunately, it did so in a predictable manner. This allowed for quick-
and-easy brute-force attacks on the password files. Some systems could be ac-
cessed by brute force in a matter of seconds. Starting with Windows 2000, admin-
istrators have the ability to turn off LM passwords and use a more secure NTLM
hash to handle user access.

UNIX/Linux systems had a similar issue in the late 1990s. Password hash files and
the hash salt were stored together in an unencrypted file. Using that file, a mali-
cious user could brute-force a password offline very quickly. The common accep-
tance of a more secure shadow password file, which provided an alternative by
storing password hashes in a location unavailable to end users, solved the prob-
lem and is a very common element found in UNIX/Linux implementations today.

Web browsers are a major vector for unauthorized access. Every major browser
including Firefox and Internet Explorer has had bugs that allow for the arbitrary
execution of code. These bugs have been exploited to allow malicious users access
and elevated rights on compromised systems. A system could be compromised
just by being used to view a contaminated Web site.

NOTE

Even in the realm of physical access control, technology can be the failure point.
Recently, security researchers discovered that biometrics are not as secure as
previously thought. The researchers demonstrated that most fingerprint scan-
ners could be defeated with nothing more than a gummy bear.

Servers, especially Web servers and other public-facing systems, are another com-
mon entry point for unauthorized access. Not only are Web servers a risk due to
the possibility of unsecure code being hosted, some of the languages used on the
Web servers have had security flaws. Both PHP and .NET have had arbitrary code
execution bugs that allow malicious users to access the Web server.

Radio Frequency Identification (RFID) badges can also be a vector for unautho-
rized access. A malicious user could use an inexpensive reader to pull informa-
tion off an ID badge and then flash a new chip with the cloned information.
Security researchers have already demonstrated this technique by cloning the
new RFID-enabled U.S. passports.

You have seen how both technology and humans can be the cause of unautho-
rized access. It is important to take steps to mitigate these possibilities, never rely-
ing on just one method to secure sensitive information.
Access Control and Privacy Assessments

A privacy impact assessment (PIA) is a comprehensive process for determining

the privacy, confidentiality, and security risks associated with the collection, use,
and disclosure of personal information. It also describes the measures used to
mitigate and, if possible, eliminate identified risks. The PIA process makes sure
measures intended to protect privacy and security of personal information are
considered at the beginning of a new program or initiative. A PIA also communi-
cates to the public how their privacy is protected and information kept secure.

A PIA is required in the public sector for any new system that handles personally
identifiable information (PII). To be successful, it is important that the PIA looks at
the system in a systematic manner. It should:

Identify the key factors involved in securing PII

Emphasize the process used to secure PII as well as product

Have a sufficient degree of independence from the project implementing the

new system

Have a degree of public exposure

Be integrated into the decision-making process

NOTE

In the public sector, it is mandatory for all PIAs to be published.

An important aspect of a PIA is looking at the access controls that will be utilized
to secure the data. The assessment needs to not only look at the physical and logi-
cal access controls that will be put into place, it also needs to look at how the ac-
cess control policies are implemented. Questions like “Who has rights to the infor-
mation?” and “How will access be granted and removed?” need to be asked. In a
thorough PIA, the administrative, physical, and technological access control poli-
cies must be described. This is required in all PIA generated by governmental
organizations.

Not only are access control systems vital to securing privacy, new access control
systems should go through the PIA process as well. This is especially true in the
case of physical access control.

Let’s look at the example of an ID badge system. What information is stored on

the ID—just name, or name and ID number? Is the information electronically
readable and if so by what means? What does the employee ID number consist
of? Organizations should follow best practices for privacy protection. For exam-
ple, they should never use PII, such as a Social Security number, as an employee
identification number. Instead, best practice dictates using a random or sequen-
tial number as the employee ID. Starting an RFID badge project with a valid PIA
ensures that the security of this information is addressed throughout the project.

Structure of a PIA. A typical PIA includes the following sections:

Summary of the system under analysis—This section should include a physi-

cal or logical description of the particular system being analyzed, such as an RFID
badge system, and its intended purpose. This section should also include the
owner or stakeholders of the system, where the project is in its life cycle (planned,
implemented, and so on), and how it will interact with the rest of the
infrastructure.

List of information to be collected—Include specific examples of all informa-

tion that will be collected or affected by the system.

Description of how the information will be collected—Include specific plans

for collecting personal information. This section may contain copies of question-
naire forms, telephone scripts, or other tools.

Explanation of why personally identifiable information is necessary—Use

this section to justify the collection and use of personally identifiable information.
If the organization’s goals could be achieved without the use of personally identi-
fiable information, it should not be collected or used.

Explanation of how the information will be used—Include a specific descrip-

tion of how each piece of information will be used. Information should not be
used except in ways described in the privacy impact assessment.

List any new information the system will create through aggregation—For
example, if biometric data such as fingerprints or photographs is stored in data-
base A and names, phone numbers, and addresses are stored in database B, and
the proposed system will link the two databases, this needs to be explained in this
section of the PIA.

List of groups, organizations, and individuals with whom the information

will be shared—Include both those within the organization and external entities.

Opt-out opportunities—This should feature an explanation of all chances indi-

viduals will have to opt out or object to the collection of information about
themselves.

Description of any information that will be provided to the individual—

This section will generally include the privacy statement and specifics on how
that information will be provided, such as a hard copy or in electronic format.

Description of the access controls that will be adopted to secure the infor-
mation—This section should include administrative policies, physical security,
and logical access controls.

Description of any potential privacy risks involved in collecting, using, and

sharing information—This section should also include analysis of any risk in-
volved in providing individuals the chance to opt out, notifying individuals of the
collection of information. Finally, this section should include an evaluation of the
risks posed by the proposed security measures.

By carefully and thoughtfully completing each of these sections, you should have
a thorough PIA that accurately assesses the privacy impact of a proposed access
control solution.

Security Breaches

Information security breaches take many forms. These include lost or misplaced
data media, stolen laptops and cell phones, hacked systems, data lost or stolen in
transit, information taken by rogue employees, and more. Damage done by a se-
curity breach can be measured in both tangible and intangible terms.

Tangible damage is calculated based on estimates of lost business, lost productiv-

ity, labor and materials costs to repair the breach, labor and legal costs associated
with the collection of forensic evidence, and the public relations costs to prepare
statements. Increases in insurance premiums and legal costs related to defending
the organization in liability suits can also be tangible damages.
The intangible damages refer to costs that are difficult to measure or calculate.
Much of this cost is due to a loss of competitive advantage due to the breach. This
can stem from a loss of customer confidence, bad press, or the possibility of pro-
prietary information falling into the hands of competitors.

Kinds of Security Breaches

There are a number of different types of security breaches. This is also a moving
target as technology evolves. Here are some of the types of security breaches an
organization may have to face:

System exploits—These include Trojan horse programs, computer viruses, and

other malicious code.

Eavesdropping—This is the act of passively gathering information.

Eavesdropping can take the form of sniffing network and wireless traffic, inter-
cepting Bluetooth traffic, and even using equipment to remotely pull information
from monitors due to electromagnetic fields (EMFs).

Social engineering—This is an exploitation of human nature and human error

as discussed previously.

Denial of service (DoS) attacks—These are purely damaging attacks, meant to

render a system unusable.

Indirect attacks—This involves using a third party’s system to launch an at-

tack. Distributed denial of service (DDoS) attacks are an example of this. Rather
than directly attacking the target, hackers first compromise other systems and use
those to launch their primary attack.

Physical attacks—These range from the technological aspects of unauthorized

access, to the utilization of devices like keystroke loggers, to outright theft of
equipment.

This isn’t a comprehensive list, and new vectors of attack are always being devel-
oped, but it does give you an idea of what the IT security field is facing.

Why Security Breaches Occur

The why of a security breach is almost as diverse as the how, but can be general-
ized into two categories, monetary gain and vandalism of systems.

Hackers and Crackers

Hackers have historically been known as white-hat hackers or ethical hackers—

the good guys. They hack into systems to learn how it can be done, but not for
personal gain. Crackers have been known as black-hat hackers or malicious
hackers—the bad guys. They hack into systems to damage, steal, or commit
fraud. Many black-hat hackers present themselves as white-hat hackers, claiming
that their actions are innocent. However, most mainstream media put all hackers
in the same black-hat category. The general perception is that all hackers are bad
guys.

Be aware though that Linux users and the open source communities think of
themselves in a positive way as hackers—people who just want to create better
software. The Linux world defines people who are threats to information secu-
rity as crackers.

Monetary gain takes numerous forms. Intruders in a system could look for valu-
able data to sell, personally identifiable information to steal and use, or physical
equipment can be resold. Insider information to gain an advantage in stock trad-
ing is also often targeted. Accounting and human resources are also tempting tar-
gets. There have been cases of direct deposit information being tampered with,
causing paychecks to get deposited into the incorrect account. DoS and DDoS at-
tacks have even been used in extortion.

NOTE

A spam remailer is a hidden mail server that is used to relay spam so its origins
are obscured.

Monetary gain motives may not even involve the organization attacked, just their
servers. Spam remailers commonly get installed during Web server security
breaches. Malicious code can also be injected into a company’s Web site to try to
infect customer computers for identity theft purposes.

Vandalism is the other major category for security breaches. This can be as harm-
less as kids having “fun” or trying to make a name for themselves among their
peers, to groups making a political statement, and even individuals and groups
protesting an organization.

NOTE

Monetary gain and vandalism can overlap. During the early stages of the U.S.
war in Iraq, a group of Middle Eastern hackers were defacing Web sites of U.S.
companies with anti-American messages. While they were in the systems, they
also installed spam remailers to help fund their group.

Implications of Security Breaches

Computer security is a critical issue for any organization. A breach in system se-
curity that damages an organization’s computer systems can result in financial
costs, loss of customer trust, and legal penalties.

There is also the possibility of ongoing system security issues. Did the intruders
build themselves some additional backdoors for later access?

What disclosure must happen after the breach? Depending on the industry and
what was taken, an organization may be obligated to disclose the breach to the
public. This must be done in a timely manner, especially if customer data was ac-
cessed. Not only is it a good business practice—allowing customers a chance to
ward off identity theft—it may also be legally mandated.

An organization will also have to take a long look at its security procedures. Was
it a failure in the technology utilized? If so, what will it take to mitigate the issue,
and does the organization need to upgrade or change systems?

Was it due to a human failure? If it was human error, more awareness training
may be in order. If it was due to malicious users or rogue employees, access au-
dits may be in order to make sure that no one has access to information that they
do not need.

The breach may also be due to a failure in procedure. If this is the case, new pro-
cedures must be developed.

The Impact of a Security Breach Can Be Significant

A credit card processing company called Acme Credit Card Processing received
notice from two of the larger card issuers that fraudulent credit card purchases
were occurring. Prior to receiving the notification, Acme did not know that there
was an issue.

After some investigation, the problem was discovered in Acme’s system. A spy-
ware program was loaded onto Acme’s system that originated with a spear phish-
ing attack. A well-crafted e-mail was sent to an employee who clicked a link that
infected his system with malicious code. The malicious program was able to pull
the credit card information off Acme’s system for every card that they processed.
This information was sent to a remote system, where data thieves were able to
use the information to clone credit cards. Any consumer who used a credit card
somewhere that utilized Acme’s processing could potentially be affected.

The impact to Acme was significant. There was the cost of removing every trace of
the spyware, both in monetary and time resources. Acme had to pay fines due to
various industry and legal regulatory groups. Acme also had to communicate the
breach to all consumers affected. There was also the impact to Acme’s reputation.
Secure transactions are vital for a processing company. A number of merchants
that used Acme’s services moved to other processing companies. Acme enhanced
its e-mail security and launched a user awareness program in an attempt to prove
to customers that security breaches of this nature would not happen again.

Financial Impact of Security Breaches

As discussed above, the costs of a security breach to an organization can come in

both direct and indirect forms. The direct costs to a financial breach can be easily
identified. They come in the form of equipment replacement costs, security up-
grades and enhancements, additions, and other monetary costs paid to repair the
damage done.

Monster.com security breach. In 2007, Monster.com discovered that intruders

had obtained personal information from 1.3 million résumés stored there. The
breach affected both Monster.com and USAJobs.gov, a governmental jobs site
that Monster.com runs for the United States government. Monster.com officials
estimate that it cost $80 million to upgrade security on the sites. These upgrades
will include better monitoring of site access and stricter access controls and intru-
sion prevention systems.
 NOTE

The indirect costs of a security breach can be difficult to identify. The costs of
contacting all of the individuals affected in the security breach, defending the or-
ganization from legal action, and loss of reputation are some examples of these
costs.

TJX security breach. The TJX Companies, Inc., which operates stores such as
T.J.Maxx and Marshalls, disclosed a massive security breach in 2007. The cus-
tomers affected by the security breach were offered free credit monitoring at the
expense of the organization. TJX also had to settle a civil suit with MasterCard for
an additional $24 million. In addition, TJX is still the defendant in other litigation
and claims on behalf of customers and other credit card companies who were
damaged as a result of the computer intrusions. Besides the millions in legal lia-
bilities, there are also untold costs in lost reputation and customer trust.
Unknown numbers of former customers will no longer shop at T.J.Maxx due to
the loss in consumer confidence.

New York Times security breach. In 2013, The New York Times and other major
media outlets announced that Chinese hackers had infiltrated their internal sys-
tems, seeking information on confidential sources within the Chinese govern-
ment. While the direct financial impact of this type of attack is hard to quantify, it
is likely that it had a chilling effect on potential future sources who may question
the newspaper’s ability to maintain confidentiality.

The impact to an organization’s market share due to a security breach is an addi-

tional cost. There are recovery costs to regain market share, rebuild reputation,
and restore customer and shareholder confidence. The continuing potential dam-
age to an organization could be significant if its customers and stakeholders feel
that they can no longer trust the access control safeguards in place to protect sen-
sitive information.

Information assurance is critical for any organization. The data an organization

owns is a key asset and must be treated as such. Access control safeguards are es-
sential to ensure that measures are in place to prevent unauthorized access. If
data is accessed, there must be mechanisms in place to identify what was ac-
cessed. TJX executives, in their initial communications, advised that they did not
have enough information to estimate the extent of the data loss. Without robust
auditing to determine the extent of a breach, affected customers cannot be alerted
in a timely manner, which causes more legal liabilities. An organization needs
both strong access controls and auditing mechanisms; a failure in these systems
can lead to staggering direct and indirect financial losses.

Private Sector Case Studies

Security breaches can have serious consequences for an organization. They can
rely on lax physical security, inadequate logical access controls, or a combination
of both. Let’s look at some examples of failures in both logical access controls and
physical security.

LexisNexis

LexisNexis is a major information clearinghouse of newspaper, magazine, and le-

gal documents. Customers can search the system for basically any published in-
formation. In early 2005, a number of teenage hackers were able to gain access to
the system. They exposed personal information of over 300,000 individuals.
Names, addresses, and SSNs were exposed in the breach. This was a failure in log-
ical access controls on a major level.

The breach started with the account of a police officer in Florida. One of the
teenagers, posing as a 14-year-old girl in a chat session, convinced the officer to
download and open a Trojan horse file, claiming it was a photo. This gave the
hackers access to the officer’s system. While browsing his files, they discovered a
logon into a LexisNexis subsidiary, called Accurint, a law enforcement informa-
tion database. The hackers started to search the database for themselves and
celebrity information.

The hackers realized that they needed more access to effectively explore the sys-
tem. They called Accurint and, posing as administrators with LexisNexis, they got
account logins and passwords for an account with enhanced rights.

They used their new access to create accounts for friends and search the system.
They were able to pull at least 30,000 accounts, possibly as many as 300,000, gain-
ing names, addresses, phone numbers, and SSNs. Luckily the teens were “joyrid-
ing,” and none of the information was sold or utilized in identity theft, but the
possibility was there. There were at least 57 separate breaches connected to this
incident.
LexisNexis had to offer identity theft monitoring to all of the affected customers.
In addition, they claimed to strengthen their customer account and password ad-
ministration to make sure a breach could not happen again. LexisNexis went so
far as to claim their new system was watertight.

Bank One

Bank One, a major Midwest bank that is now owned by JPMorgan Chase, lost
around 100 employee laptops due to a failure in physical access controls. The of-
fice had one access point that was controlled with an RFID badge system. The
badge system was slow, taking around 30 seconds to a minute to unlock the door.
This led to impatient employees at this location assisting each other by piggyback-
ing at the door. Employees would badge in and then hold the door open for other
the employees behind them. This security flaw was further exacerbated by a lack
of security cameras at the door. Most employees were using laptops at this loca-
tion, with no security cables or locking docking stations.

In the early 2000s, during an all-hands off-site meeting, thieves gained access to
the office and stole approximately 100 laptops. After the incident, measures were
taken to enhance the physical access controls at the location. Cameras were added
at the entry point, and the badge system was modified so that employees had to
badge in and out of the building. Policy changes were also enacted. The act of pig-
gybacking was banned, and this was added to the code of conduct.

Public Sector Case Study

Sometimes, security breaches happen not because of external attacks, but due to
internal failures. Let’s take a look at an example from the United Kingdom (U.K.).

On November 22, 2007, the U.K. government admitted that one of its departments,
Her Majesty’s Revenue & Customs (HMRC), had lost in the mail two CDs contain-
ing the unencrypted personal details of 25 million U.K. residents.

In response to a request by the National Audit Office (NAO), a junior member of

HMRC’s staff was instructed to send details of child benefit recipients to the NAO.
The details were burned onto two CDs as unencrypted files and then sent to the
NAO using regular mail. At the time, this was standard procedure at HMRC. To
compound the security lapses, HMRC decided it was too costly to remove un-
needed information from the files before they were sent. This included addresses
and bank account information. NAO explicitly requested that the bank account in-
formation be removed, and HMRC ignored the request.

The U.K. Data Protection Act of 1998 specifies that if information is to be sent, it
must be subject to safeguards, and only the necessary data required for process-
ing may be sent. In this case, HMRC violated both points of this law.

Once the data loss became apparent, HMRC started an investigation of the loss.
They attempted to track down the CDs and contacted law enforcement for assist-
ance. Instead of immediately reporting the data loss to the public, HMRC waited
10 days, plenty of time for accounts to get compromised.

The fallout from this breach has been major: The Information Commissioner’s
powers have been expanded, his office can now audit departments at will, and
they have enforcement powers. Due to the loss of public confidence in the HMRC,
other projects have been put on hold, most notably the national ID card program.
There was also the cost of the search for the disk and affected citizens needing to
close existing bank accounts.

Critical Infrastructure Case Study

Security breaches do not always come from targeted attacks. Untargeted, general
attacks can also cause a security breach in an organization. Let’s look at the CSX
Corporation virus incident of August of 2003.

The SoBig computer virus infected CSX Corporation’s computer network at its
headquarters in Jacksonville, Florida. These infected systems flooded the internal
network with infection attempts and spammed the equivalent of an internal
DDoS attack. No critical systems got infected, but the network congestion dis-
rupted signaling dispatching and other mission critical systems.

Freight trains were delayed. At least 10 Amtrak long-distance trains were can-
celed or delayed up to six hours, and commuter trains in Washington D.C. were
canceled. Half-hour delays continued for the next few days. The initial damage
ran into the millions in late delivery penalties and customer refunds, and millions
more were spent updating and expanding the antivirus and network systems to
mitigate any further issues.

CHAPTER SUMMARY
Now that you understand the impact of a security breach and how attackers of-
ten combine several attack vectors in a single breach incident, you will be able to
design access controls that mitigate those attack vectors. You will also be less
likely to underestimate weak access controls.

KEY CONCEPTS AND TERMS

Breach

California Identity Theft Statute

Computer Fraud and Abuse Act (CFAA)

Data Encryption Standard (DES) encryption

Digital Millennium Copyright Act (DMCA)

Hash salt

LAN Manager (LM) hash

NTLM hash

Privacy impact assessment (PIA)

Radio Frequency Identification (RFID) badges

Shadow password

World Intellectual Property Organization (WIPO)

CHAPTER 5 ASSESSMENT

1. Information security falls strictly under the jurisdiction of federal law—state

law does not restrict information security practices.

A. True

B. False
2. The two primary federal laws that are concerned with information security are
the Digital Millennium Copyright Act and the ________.

3. Which federal law discussed in this chapter allows civil actions to be brought
against individuals who sell equipment designed to illegally duplicate Blu-ray
discs?

A. CFAA

B. DMCA

C. DCMA

D. CFFA

4. Under DMCA, Internet service providers must immediately block access to con-
tent that infringes the copyright of another individual or group upon receiving
proper notice from the copyright owner.

A. True

B. False

5. Which law discussed in the chapter is concerned with preventing identity

theft?

A. California Identity Theft Statute

B. Federal Identity Theft Statute

C. Idaho Identity Theft Statute

D. Colorado Identity Theft Statute

6. Which of the following are effective physical security policies?

A. All physical security must comply with all applicable regulations such as build-
ing and fire codes.

B. Access to secure computing facilities will be granted only to individuals with a

legitimate business need for access.
C. All secure computing facilities that allow visitors must have an access log.

D. Visitors must be escorted at all times.

E. All of the above.

7. What are the two primary causes of access control failure discussed in the
chapter?

A. People

B. Planning

C. Technology

D. Implementation

E. Follow-up analysis

8. Which of the following are types of security breaches? (Select all that apply.)

A. System exploits

B. DoS attacks

C. PII

D. Eavesdropping

E. Social engineering

9. Anything from an organization’s operating system to its choice of Web browser

or instant messaging client could be an access point for unauthorized access to
the systems.

A. True

B. False

10. When should a privacy impact assessment be performed?

A. During the planning stages of a new system

B. After a new system is designed

C. After a new system is implemented

D. After a security breach

11. The two most common motives for a security breach are monetary gain and
________.

12. A security breach can result in criminal penalties as well as financial losses.

A. True

B. False