References

1.This chapter was written jointly by: Bryan Cunningham, Principal at Morgan & Cunningham LLC, a Denver-based homeland security consulting and law firm, and formerly Deputy Legal Adviser to the U.S. National Security Council and Assistant General Counsel, Central Intelligence Agency; C. Forrest Morgan, Principal at Morgan & Cunningham LLC, and Amanda Hubbard, Trial Attorney, U.S. Department of Justice with extensive experience in the U.S. Intelligence Community. The authors also gratefully acknowledge the research and analysis assistance of Nir D. Yarden. The views expressed herein are solely those of the authors and do not necessarily represent the views of the publisher or the U.S. government.
2.This section drew, in part, from portions of pages 7-11 of Security Assessment: Case Studies for Implementing the NSA IAM, used by permission of Syngress Publishing, Inc.
3.Kennedy v. Mendoza-Martinez, 372 U.S. 144, 160 (1963).
4.See, e.g., the 1993 opinion of the U.S. Department of Justice Office of Legal Counsel: “The concept of ‘enforcement’ is a broad one, and a given statute may be ‘enforced’ by means other than criminal prosecutions brought directly under it.” Admissibility of Alien Amnesty Application Information in Prosecutions of Third Parties, 17 Op. O.L.C. (1993); see also the 1898 opinion of Acting Attorney General John K. Richards:

The preservation of our territorial integrity and the protection of our foreign interests is intrusted, in the first instance, to the President. ... In the protection of these fundamental rights, which are based upon the Constitution and grow out of the jurisdiction of this nation over its own territory and its international rights and obligations as a distinct sovereignty, the President is not limited to the enforcement of specific acts of Congress. [The President] must preserve, protect, and defend those fundamental rights which flow from the Constitution itself and belong to the sovereignty it created.

Foreign Cables, 22 Op. Att’y Gen. 13, 25-26 (1898); see also Cunningham v. Neagle, 135 U.S. 1, 64 (1890).
5.As discussed in FN 13.
6.United States National Strategy to Secure Cyberspace, February 14, 2003 (hereinafter “National Strategy”) at 10. The National Strategy is available at: http://www.whitehouse.gov/pcipb/.
7.See Testimony of Keith Lourdeau, Deputy Assistant Director, Cyber Division, FBI, Before the Senate Judiciary Subcommittee on Terrorism, Technology, and Homeland Security, February 24, 2004 (“The FBI assesses the cyberterrorism threat to the U.S. to be rapidly expanding, as the number of actors with the ability to utilize computers for illegal, harmful, and possibly devastating purposes is on the rise. Terrorist groups have shown a clear interest in developing basic hacking tools and the FBI predicts that terrorist groups will either develop or hire hackers, particularly for the purpose of complementing large physical attacks with cyber attacks.”); Robert Lenzner and Nathan Vardi, Cyber-nightmare, http://protectia.co.uk/html/cybernightmare.html.
 
8.Id.
9.Frontline interview conducted March 18, 2003, at http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/clarke.html.
10.http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/clarke.html.
11.http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/clarke.html; Hildreth, CRS Report for Congress, Cyberwarfare, Updated June 19, 2001, at 18, at http://www.fas.org/irp/crs/RL30735.pdf.
12.Cyberwarfare, at 2.
13.The idea of a catastrophic cyber attack against the U.S. by terrorist groups is far from universally accepted. See, e.g., James A. Lewis, Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats, Center for Strategic and International Studies, December 2002, at http://www.csis.org/tech/021i_lewis.pdf. Indeed, as noted above, one of the three authors of this chapter believes that, while technically possible, this threat is often overstated, at least as a near-term possibility. For information security professionals and their customers, however, the prudent course—given our adversaries’ capability, intent, and opportunity and the stated U.S. Government policy of being prepared to respond to cyber attack—is to assume the possibility of such an attack. In addition, the plethora of known active threats to information security, including extortionists, identity thieves, gangs attempting to amass and sell financial and other valuable personal information, malicious hackers, and others, provides precisely the same incentive to secure information systems as do would-be cyber-terrorists.
14.See, e.g., Law of Armed Conflict and Information Warfare: How Does the Rule Regarding Reprisals Apply to an Information Warfare Attack?, Major Daniel M. Vadnais, March 1997, at 25 (“To the extent that information warfare is manifested by traditionally understood damage to sovereign integrity, the law of armed conflict should apply, and proportional reprisals may be justified. On the other hand, to the extent that damage to a sovereign’s integrity is not physical, there is a gap in the law.”), http://www.fas.org/irp/threat/cyber/97-01i6.pdf.
15.Id.
16.National Strategy at p. 59 (A/R 5-4).
17.National Strategy at p. 49 (Priority V: National Security and International Cyberspace Security Cooperation).
 
18.Nearly as dangerous for our Nation as attacks from within the U.S. directed at us would be the use of zombied servers located here to launch an attack against another nation. Imagine the reaction of China or Iran if servers inside the U.S. were being used to damage their infrastructure or harm their people. First, they likely would not believe denials by our government that these acts of war were being carried out deliberately by our government. Second, even if they did believe such denials, they still might feel compelled to respond with force to disable or destroy the systems of, and/or punish, those they perceived to be their attackers.
 
19.Particularly in the wake of the 2005 publicity surrounding security breaches at ChoicePoint, LexisNexis, MasterCard, major banks, other commercial entities, and universities, a number of pieces of legislation requiring disclosure of information security breaches and/or enhanced information security measures were working their way through the U.S. Congress, or were threatened in the near future. See Roy Mark, Data Brokers Step Into Senate Panel’s Fire, e-Security Planet.com, http://66.102.7.104/search?q=cache:REXdffBCvEYJ:www.esecurityplanet.com/trends/article.php/3497591+specter+and+information+security+and+disclosure&hl=en.
20.15 U.S.C. §§ 6801, et seq.
21.15 U.S.C. § 6801(b).
22.15 U.S.C. §§ 6804–6805.
23.Available at http://www.ffiec.gov/ffiecinfobase/resources/elect_bank/frb-12_cfr_225_appx_f_bank_holdingjnon-bank_affiliates.pdf.
24.Guidelines.
25.Id.
26.Id.
27.Id.
28.Id.
29.EPHI is defined in the law as individually identifiable health information that is transmitted by, or maintained in, electronic media, except several narrow categories of educational, employment, and other records. 45 C.F.R. § 160.103. Note, however, that the separate HIPAA Privacy Rule also requires “appropriate security” for all PHI, even if it is not in electronic form.
30.45 C.F.R. part 164.
31.Compliance with the Security Rule became mandatory for all but small health care plans in April 2005. “Small” health care plans have until April 2006 to comply.
32.45 C.F.R. part 164.
 
33.Id. One reason it is crucial for information security professionals to retain, on an ongoing basis, qualified, experienced counsel is that “reasonably anticipated” is essentially a legal standard best understood and explained by legal counsel, and because what is “reasonably anticipated” is constantly evolving as new threats are discovered and publicized; information security programs must evolve with it in order to mitigate legal liability.
 
34.Id.
35.Id.
36.It is worth remembering that a significant majority of the process and procedural requirements are not technical. This, among other considerations, counsels the use of multidisciplinary teams, of which technical experts are only one part, to conduct and document information security evaluations.
37.45 C.F.R. Part 164.308.
38.45 C.F.R. Part 164.310.
39.45 C.F.R. Part 164.312.
40.18 U.S.C. § 1350.
41.SOX § 404.
42.SOX § 302.
43.FISMA, Title III of the E-Government Act of 2002, Public Law No. 107-347.
44.20 U.S.C. § 1232g.
45.As enacted, the TEACH Act amended Section 110 of the Copyright Act. 17 U.S.C. §110.
46.18 U.S.C. § 2510, et seq.
47.18 U.S.C. § 1030, et seq.
48.Other federal laws and regulations potentially relevant to the work of information security professionals and their customers include, but are not limited to, the Children’s Online Privacy Protection Act of 1998, information security standards promulgated by the National Institute of Standards and Technology, Presidential Decision Directive 63 (May 22, 1998), and Homeland Security Presidential Directive 7 (December 17, 2003). In addition, numerous state laws, including provisions of the Uniform Commercial Code and Uniform Financial Transactions Act, as enacted in the various states, implicate information security requirements for specific economic sectors and/or types of transactions.
49.Colorado Revised Statutes § 18-5.5-102.
50.Colorado Revised Statutes § 6-1-105.
51.Colorado Revised Statutes § 6-1-105(e).
52.Colorado Revised Statutes § 6-1-105(u).
53.Between 2001 and 2005 such actions included those against: Microsoft Corporation, Victoria’s Secret, Eli Lilly, and Ziff Davis Media, Inc., among others. See, e.g., http://www.ftc.gov/os/2002/08/microsoftagree.pdf; http://www.oag.state.ny.us/press/2002/aug/aug28a_02_attach.pdf.
54.Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities of 23 November 1995 No L. 281, 31, available at http://www.cdt.org/privacy/eudirective/EU_Directive_.html.
 
55.See, e.g., Transcript of Hearing Before U.S. District Judge Royce Lamberth, in which an information security consultant is examined and cross-examined under oath, in public, for multiple days, concerning penetration test work done for the U.S. Bureau of Indian Affairs. http://66.102.7.104/search?q=cache:d30x73ieDSwJ:www.indiantrust.com/_pdfs/3am.pdf+lamberth+and+cobell+and+transcript+and+miles&hl=en.
56.For example, B. Grimes, The Right Ways to Protect Your Net, PC World Magazine, September 2001, offers tips for tightening your security and protecting your enterprise from backdoor hackers and thieves.
57.http://wsbradio.com/news/0223choicepointsuit.html.
58.Harrington v. ChoicePoint Inc., C.D. Cal., No. CV 05-1294 (SJO) (JWJx), 2/22/05.
59.Generally, a post-hoc calculation of “reasonability” will be based on balancing such factors as: (1) the probability of reasonably anticipated damage occurring; (2) the expected severity of the damage if it does occur; (3) reasonably available risk mitigation measures; and (4) the cost of implementing such measures.
60.See, e.g., Assurance of Discontinuance, In the Matter of Ziff Davis Media Inc., at 7, available at http://www.oag.state.ny.us/press/2002/aug/aug28a_02_attach.pdf; Agreement Containing Consent Order, In the Matter of Microsoft Corporation, at 5, available at http://www.ftc.gov/os/2002/08/microsoftagree.pdf
61.California Civil Code Sections 1798.29 and 1798.82 accessible at http://www.leginfo.ca.gov/calaw.html.
62.2005 Breach of Information Legislation. http://www.ncsl.org/programs/lis/CIP/priv/breach.htm.
63.P. Britt, Protecting Private Information, Information Today, Vol. 22, No. 5 (May 2005), http://www.infotoday.com/it/may05/britt.shtml.
64.This section drew, in part, from portions of pages 7–11 of Security Assessment: Case Studies for Implementing the NSA IAM, used by permission of Syngress Publishing, Inc.
65.Assuming the NSA IAM is used, of course, much of this critical work will already have been documented prior to initiation of the IEM.
 
66.The issue of securing complete authorization for all types of information and systems (internal and external) that may be impacted by evaluation and testing, is intentionally covered in multiple parts of this section. It is absolutely critical to the legal well being of both the consultant and the customer to ensure clarity of responsibility for these, which is why this section provides multiple different avenues for addressing this problem. Equally critical is a clear understanding of the “division of liability” for any damage that, notwithstanding best efforts of both sides, may result to external systems. This should be taken care of through a combination of indemnification (described below), clear statements of responsibility in the contract, written agreements with third parties, and insurance.
 
67.See, e.g., Management Recruiters, Inc. v. Miller, 762 P.2d 763, 766 (Colo.App. 1988).
68.Board of County Commissioners of Adams County v. City and County of Denver, 40 P.3d 25 (Colo.App., 2001).
69.See, e.g., Butler Manufacturing Co. v. Americold Corp., 835 F.Supp. 1274 (D.Kan. 1993).
70.See, e.g., Elsken v. Network Multi-Family Sec. Corp., 838 P.2d 1007 (Okla. 1992).
71.National Conference of State Legislatures information page accessible at http://www.ncsl.org/programs/lis/cip/hacklaw.htm.
72.Henry VI, Part 2, act iv, scene ii.
73.See, e.g., Seth Finkelstein, “The first thing we do, let’s kill all the lawyers” — It’s a Lawyer Joke, The Ethical Spectator, July 1997., available at: http://www.sethf.com/essays/major/killlawyers.php.
74.Koscove v. Bolte, 30 P.3d 784 (Colo.App. 2001).
75.See, e.g., Rule 238(c), Colorado Court Rules (2004).
76.See, e.g., Pacamor Bearings, Inc. v. Minebea Co., Ltd., 918 F.Supp. 491, 509–510 (D. N.H. 1996).
77.Id.
78.See, e.g., Diversified Indus., Inc. v. Meredith, 572 F.2d 596, 602 (8th Cir. 1978).
79.See, e.g., People v. Benney, 757 P.2d 1078 (Colo.App. 1987).
80.See, e.g., Southern Bell Telephone & Telegraph Co. v. Deason, 632 So. 2d 1377 (Fla. 1994); McCaugherty v. Sifferman, 132 F.R.D. 234 (N.D. Cal. 1990); United States v. Davis, 132 F.R.D. 12 (S.D.N.Y. 1990).
81.See, e.g., United States v. Chevron, No. C-94-1885 SBA, 1996 WL 264769 (N.D. Cal. Mar. 13, 1996).
82.See, e.g., Gerrits v. Brannen Banks of Florida 138 F.R.D. 574, 577 (D. Colo. 1991).
83.See, e.g., id.
84.See, e.g., Sneider v. Kimberly-Clark Corp., 91 F.R.D. 1, 5 (N.D. Ill. 1980).
85.See, e.g., In re Grand Jury Proceedings, 857 F.2d 710, 712 (10th Cir. 1988).
86.See, e.g., Winchester Capital Management Co. v. Manufacturers Hanover Trust Co., 144 F.R.D. 170, 174 (D. Mass. 1992).
87.U.S. Department of Justice, Federal Prosecution of Business Organizations in Criminal Resource Manual No. 162 (2003) available at http://www.usdoj.gov/usao/eousa/foia_reading_room/usam/title9/crm00162.html and amended and available at http://www.usdoj.gov/dag/cftf/corporate_guidelines.html.
88.See, e.g., Union Carbide Corp. v. Dow Chem. Co., 619 F. Supp. 1036, 1046 (D. Del. 1985).
 
89.A related protection to that of the attorney-client privilege is the so-called “work product” doctrine. This protection for materials that might tend to show the strategies or other “mental impressions” of attorneys when such materials are prepared “in anticipation of litigation” would cover the work of information security consultants assisting attorneys in preparing materials for use at a trial or to deal with regulators or law enforcement officials. Work-product protection is significantly more susceptible to being held inapplicable by the court, upon a sufficiently high showing of need by your adversary, than is the attorney-client privilege.
 
90.See, e.g., United States v. Gonzales, 58 F.3d 506, 512 (10th Cir. 1995).
91.Id.
92.Entire books could be written on this topic, and some have, at least on the broader topic of IT ethics. See, e.g., IT Ethics Handbook: Right and Wrong for IT Professionals, Syngress Publishing, Inc. A comprehensive discussion of Information Security Evaluation ethics is beyond the scope of this book. This discussion is simply to remind us all of some things we learned from our parents that translate into our business relationships.
93.Available at http://en.thinkexist.com/quotation/in_law_a_man_is_guilty_when_he_violates_the/7854.html.
94.This section drew, in part, from portions of pages 7–11 of Security Assessment: Case Studies for Implementing the NSA IAM, used by permission of Syngress Publishing, Inc.