Cyber Security and Global Information Assurance
Latest Publications



Published By IGI Global

ISBN 9781605663265, 9781605663272

Author(s):  
Miguel Jose Hernandez y Lopez ◽  
Carlos Francisco Lerma Resendez

This chapter discusses the basic aspects of Honeypots, how they are implemented in modern computer networks, as well as their practical uses and implementation in educational environments, providing the reader with the most important points regarding the main characteristics of Honeypots and Honeynets. Honeypots are defined as “closely monitored network decoys” that can be set up by network administrators to deal with a wide variety of attacks and interact with users at different levels (Provos, 2004). The implementation of Honeypots provides an answer to a common question posed by the field of information security and forensics: how to dissect the elements that make up an attack against a computer system. The chapter summarizes the different features and capabilities of Honeypots once they are set up in a production environment, to clarify the elements that need to be configured in order for a Honeypot to accomplish its main tasks and be considered an effective tool. The end of the chapter shifts towards the analysis of virtualization as an important tool that maximizes the practical use of Honeypots in controlled environments focused on the study of attacks, responses and analysis methods.
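The “closely monitored network decoy” idea in its smallest form, as an added example (not code from the chapter or its authors): a low-interaction TCP honeypot that answers every connection with a fake service banner, records whatever the client sends, and never interprets that data. The banner string, the port choice and the `probe` client that plays the attacker's scanner are constructed for this example.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Interaction:
    """One recorded contact with the decoy."""
    when: float
    peer: tuple
    received: bytes


class LowInteractionHoneypot:
    """A closely monitored TCP decoy. It answers every connection with a fixed
    fake banner, captures whatever the client sends next, and records it.
    Client data is stored, never parsed or executed: that is what keeps the
    interaction level (and the risk of the decoy being turned against us) low.
    """

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"SSH-2.0-OpenSSH_7.4\r\n", read_timeout=1.0):
        self.banner = banner            # assumed banner; pick one matching your real fleet
        self.read_timeout = read_timeout
        self.records = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port 0: let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)      # so the accept loop can notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    @property
    def address(self):
        return self._sock.getsockname()

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def interactions(self):
        with self._lock:
            return list(self.records)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(self.read_timeout)
                try:
                    conn.sendall(self.banner)
                    data = conn.recv(4096)
                except OSError:         # includes socket.timeout: client sent nothing
                    data = b""
            with self._lock:
                self.records.append(Interaction(time.time(), peer, data))


def probe(host, port, payload, timeout=2.0):
    """Constructed client standing in for an attacker's scanner: read the
    banner, send one payload, disconnect. Returns the banner it saw."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = LowInteractionHoneypot()
    hp.start()
    host, port = hp.address
    print("decoy listening on %s:%d" % (host, port))
    print("scanner saw banner:", probe(host, port, b"SSH-2.0-libssh_0.8.1\r\n"))
    hp.stop()
    for rec in hp.interactions():
        print(time.strftime("%H:%M:%S", time.localtime(rec.when)), rec.peer, rec.received)
```

Because no legitimate client has any reason to connect to the decoy, every record is signal; in a real deployment the records would be shipped off the honeypot host, since a decoy that keeps its own evidence is the first thing an intruder will try to clean.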


Author(s):  
Alanah Davis ◽  
Gert-Jan de Vreede ◽  
Leah R. Pietron

This chapter presents a repeatable collaboration process as an approach for developing a comprehensive Incident Response Plan for an organization or team. Despite incident response planning being an essential ingredient in organizations' security planning procedures, extensive literature reviews have not yielded any collaborative processes for such a crucial activity. As such, this chapter discusses the background of incident response planning as well as Collaboration Engineering, an approach to designing repeatable collaborative work practices. We then present a collaboration process for incident response planning that was designed using Collaboration Engineering principles, followed by a discussion of its application in three cases. The presented process is applicable across organizations in various sectors and domains, and consists of codified “best facilitation practices” that can be easily transferred to and adopted by security managers. The chapter describes the process in detail and highlights research results obtained during initial applications of the process.


Author(s):  
Indira R. Guzman ◽  
Kathryn Stam ◽  
Shaveta Hans ◽  
Carole Angolano

The goal of our study is to contribute to a better understanding of role conflict, skill expectations, and the value of information technology (IT) security professionals in organizations. Previous literature has focused primarily on the role of information professionals in general but has not evaluated the specific role expectations and skills required by IT security professionals in today’s organizations. In this chapter, we take into consideration the internal and external factors that affect the security infrastructure of an organization and therefore influence the role expectations and skills required by those who are in charge of the security of network infrastructures in organizations. First, we describe the factors discussed in the literature and support them with quotes gathered from interviews conducted with information security professionals in small organizations in Central New York. Then, we present a set of common themes that expand the understanding of this role and finally we provide practical recommendations that would facilitate the management of these professionals within organizations.


Author(s):  
Peter R. Marksteiner

Information overload is an increasingly familiar phenomenon, but evolving United States military doctrine provides a new analytical approach and a unifying taxonomy organizational leaders and academicians may find useful in conducting further study of this subject. The overabundance of information, relentless stream of interruptions, and potent distractive quality of the internet draw knowledge workers away from productive cognitive engagement like an addictive drug, hobbling the quality and timeliness of decisions and causing considerable economic waste. Evolving U.S. military doctrine addressing “Information Operations” applies time tested principles regarding the defense of physical resources to an information age center of gravity—the decision making capacity of people and organizations, or the “cognitive dimension.” Using military doctrine and thinking to underscore the potential seriousness of this evolving threat should inspire organizational leaders to recognize the criticality of its impact and motivate them to help clear the data smog, reduce information overload, and communicate for effect.


Author(s):  
Robert F. Mills ◽  
Gilbert L. Peterson ◽  
Michael R. Grimaila

The purpose of this chapter is to introduce the insider threat and discuss methods for preventing, detecting, and responding to the threat. Trusted insiders present one of the most significant risks to an organization. They possess elevated privileges when compared to external users, have knowledge about technical and non-technical control measures, and potentially can bypass security measures designed to prevent, detect, or react to unauthorized access. In this chapter, we define the insider threat and summarize various case studies of insider attacks in order to highlight the severity of the problem. We then discuss best practices for preventing, detecting, and mitigating insider attacks, to include application of risk management principles specific to the insider threat. Finally, we provide a survey of ongoing research into detecting irregular activities that are potentially harmful to an organization.


Author(s):  
Somak Bhattacharya ◽  
Samresh Malhotra ◽  
S. K. Ghosh

As networks continue to grow in size and complexity, automatic assessment of security vulnerabilities becomes increasingly important. The typical means by which an attacker breaks into a network is through a series of exploits, where each exploit in the series satisfies the pre-condition for subsequent exploits, creating a causal relationship among them. Such a series of exploits constitutes an attack path, and the set of all possible attack paths forms an attack graph. Attack graphs reveal the threat by enumerating all possible sequences of exploits that can be followed to compromise a given critical resource. The contribution of this chapter is to identify the most probable attack path based on the attack surface measures of the individual hosts for a given network, and also to identify the minimum possible network securing options for a given attack graph in an automated fashion. The identified network securing options are exhaustive, and the proposed approach also detects cycles in forward reachable attack graphs. As a whole, the chapter deals with identification of probable attack paths and risk mitigation, which may help improve the overall security of an enterprise network.
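The three computations the abstract names (most probable attack path, cycles in the forward reachable graph, minimum securing options), worked on a constructed network as an added example that is not the chapter's own algorithm or code. Hosts are nodes and each exploit is an edge from the host the attacker already holds to the host it compromises; the per-edge probability stands in for the per-host attack surface measure and is an assumed number, not a real metric.

```python
import math
from heapq import heappush, heappop
from itertools import combinations

# Constructed example network. Each exploit lets an attacker holding the
# source host run one exploit against the target host. The probability is a
# stand-in for a per-host attack-surface measure (assumed, not a real metric).
EXPLOITS = {
    "e1": ("attacker", "web",   0.9),
    "e2": ("web",      "app",   0.6),
    "e3": ("web",      "db",    0.2),
    "e4": ("app",      "db",    0.8),
    "e5": ("db",       "web",   0.5),   # back edge: web -> app -> db -> web is a cycle
    "e6": ("app",      "files", 0.4),
    "e7": ("attacker", "vpn",   0.3),
    "e8": ("vpn",      "app",   0.7),
}


def build_graph(exploits):
    """Adjacency list: host -> [(next_host, exploit_name, probability)]."""
    graph = {}
    for name, (src, dst, p) in exploits.items():
        graph.setdefault(src, []).append((dst, name, p))
        graph.setdefault(dst, [])
    return graph


def forward_reachable(graph, start):
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(dst for dst, _, _ in graph.get(node, []))
    return seen


def most_probable_path(graph, start, goal):
    """Dijkstra over cost = -log(p); minimising the summed cost maximises the
    product of exploit probabilities along the path. Returns (prob, exploits)."""
    best, via, heap = {start: 0.0}, {}, [(0.0, start)]
    while heap:
        cost, node = heappop(heap)
        if cost > best.get(node, math.inf):
            continue
        if node == goal:
            break
        for dst, name, p in graph.get(node, []):
            new = cost - math.log(p)
            if new < best.get(dst, math.inf):
                best[dst] = new
                via[dst] = (node, name, p)
                heappush(heap, (new, dst))
    if goal not in best:
        return 0.0, []
    path, prob, node = [], 1.0, goal
    while node != start:
        node, name, p = via[node]
        path.append(name)
        prob *= p
    return prob, path[::-1]


def back_edges(graph, start):
    """Exploits that close a cycle in the part of the graph reachable from
    start (DFS: an edge into a node that is still on the recursion stack)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour, found = {}, []

    def visit(node):
        colour[node] = GREY
        for dst, name, _ in graph.get(node, []):
            state = colour.get(dst, WHITE)
            if state == GREY:
                found.append(name)
            elif state == WHITE:
                visit(dst)
        colour[node] = BLACK

    visit(start)
    return found


def minimum_securing_options(exploits, start, goal):
    """Smallest sets of exploits whose removal leaves goal unreachable. The
    search is exhaustive by set size, so every minimum-size option is listed."""
    names = sorted(exploits)
    for k in range(1, len(names) + 1):
        options = []
        for cut in combinations(names, k):
            remaining = {n: e for n, e in exploits.items() if n not in cut}
            if goal not in forward_reachable(build_graph(remaining), start):
                options.append(cut)
        if options:
            return options
    return []


if __name__ == "__main__":
    g = build_graph(EXPLOITS)
    print("reachable from attacker:", sorted(forward_reachable(g, "attacker")))
    print("most probable path to db:", most_probable_path(g, "attacker", "db"))
    print("cycle-closing exploits:", back_edges(g, "attacker"))
    print("minimum securing options:", minimum_securing_options(EXPLOITS, "attacker", "db"))
```

Removing the cycle-closing edge (`e5`) is what lets a cost-based path search terminate cleanly on larger graphs; the exhaustive cut search is exponential in the number of exploits, which is why the chapter's interest in minimal options matters once graphs grow past a few dozen edges.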


Author(s):  
Jeff Teo

Computer attacks of all sorts are commonplace in today’s interconnected, globalized society. A computer worm, written and released in one part of the world, can now traverse cyberspace in mere minutes creating havoc and untold financial hardship and loss. To effectively combat such threats and other novel and sophisticated assaults, our network defenses must be equipped to thwart such attacks. Yet, our software-dominated defenses are woefully inadequate (Bellovin, 2001). The Trusted Computing Group (TCG) has embarked on a mission to use an open standards-based interoperability framework utilizing both hardware and software implementations to defend against computer attacks. Specifically, the TCG relies on a hardware component called the trusted platform module (TPM) in conjunction with TPM-enhanced software to provide better protection against such attacks. While millions of TPMs have been shipped with more expected annually, adoption of the trusted computing technology enabled by these devices has been slow, despite escalating security infractions. This chapter will detail a brief history of trusted computing (TC), the goals of the TCG, and the workings of trusted platforms. The chapter will also look into how the TPM enables roots of trust to afford improved trust and security.
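How a TPM turns a boot sequence into a root of trust, as an added example that is not the chapter's own material: each stage hashes the next stage into a Platform Configuration Register with the one-way, order-sensitive extend operation, and a verifier replays the event log to check the quoted PCR values. The SHA-256 bank, the PCR assignments and the "boot components" are constructed for this example; a real platform measures firmware and bootloader images and the quote is signed by the TPM.

```python
import hashlib

PCR_SIZE = 32                       # SHA-256 bank of a TPM 2.0 (assumed)
INITIAL_PCR = b"\x00" * PCR_SIZE    # reset value of PCRs 0-15 at power-on


def sha256(data):
    return hashlib.sha256(data).digest()


def extend(pcr, digest):
    """The TPM's only write operation on a PCR: new = H(old || digest).
    It is one-way and order-sensitive, so a PCR value commits to the whole
    sequence of measurements that produced it, and nothing can reset it short
    of a platform reset."""
    return sha256(pcr + digest)


def measured_boot(components):
    """Simulates the chain of trust: each stage measures the next into its PCR
    before handing over control and appends an entry to the event log.
    components: list of (pcr_index, description, code_bytes)."""
    pcrs, log = {}, []
    for index, description, code in components:
        digest = sha256(code)
        pcrs[index] = extend(pcrs.get(index, INITIAL_PCR), digest)
        log.append((index, description, digest))
    return pcrs, log


def replay(log):
    """What a remote verifier does with an attested event log."""
    pcrs = {}
    for index, _, digest in log:
        pcrs[index] = extend(pcrs.get(index, INITIAL_PCR), digest)
    return pcrs


def verify(quoted_pcrs, log, expected_digests):
    """Two checks: the log replays to the quoted PCR values (log integrity),
    and every logged digest is on the allow-list (platform integrity).
    Returns a list of problems; empty means the platform is in a known state."""
    problems = []
    if replay(log) != quoted_pcrs:
        problems.append("event log does not replay to quoted PCRs")
    for index, description, digest in log:
        if expected_digests.get(description) != digest:
            problems.append("unexpected measurement for %s in PCR%d" % (description, index))
    return problems


# Constructed boot sequence; real code would be firmware and bootloader images.
GOOD_BOOT = [
    (0, "firmware",   b"firmware v1.2"),
    (0, "option-rom", b"nic rom 4.0"),
    (4, "bootloader", b"grub 2.06"),
    (4, "kernel",     b"vmlinuz-5.15"),
]
ALLOWED = {desc: sha256(code) for _, desc, code in GOOD_BOOT}
TAMPERED_BOOT = [(i, d, b"bootkit" if d == "bootloader" else c) for i, d, c in GOOD_BOOT]


def example_tampered_boot():
    """Swapped bootloader, honest log: PCR4 differs and the digest is not allowed."""
    pcrs, log = measured_boot(TAMPERED_BOOT)
    return verify(pcrs, log, ALLOWED)


def example_forged_log():
    """Swapped bootloader, log edited to look clean: the attacker can rewrite
    the log (it is just a file) but not the PCR, so the replay no longer
    matches the quote. This is the property software-only defenses lack."""
    pcrs, log = measured_boot(TAMPERED_BOOT)
    forged = [(i, d, ALLOWED[d]) for i, d, _ in log]
    return verify(pcrs, forged, ALLOWED)


if __name__ == "__main__":
    pcrs, log = measured_boot(GOOD_BOOT)
    for i in sorted(pcrs):
        print("PCR%d = %s" % (i, pcrs[i].hex()))
    print("good boot:", verify(pcrs, log, ALLOWED))
    print("tampered boot:", example_tampered_boot())
    print("forged log:", example_forged_log())
```

The allow-list is the hard part in practice: every legitimate firmware or kernel update changes a digest, so the verifier needs a maintained set of golden values, which is one reason adoption has lagged behind shipment of the chips.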


Author(s):  
Yves Barlette ◽  
Vladislav V. Fomin

This chapter introduces major information security management methods and standards, and particularly ISO/IEC 27001 and 27002 standards. A literature review was conducted in order to understand the reasons for the low level of adoption of information security standards by companies, and to identify the drivers and the success factors in implementation of these standards. Based on the findings of the literature review, we provide recommendations on how to successfully implement and stimulate diffusion of information security standards in the dynamic business market environment, where companies vary in their size and organizational culture. The chapter concludes with an identification of future trends and areas for further research.


Author(s):  
Doug White ◽  
Alan Rea

In this chapter the authors present essential server security components and develop a set of logical steps to build hardened servers. The authors outline techniques to examine servers in both Linux/UNIX and Windows environments for security flaws from both the internal and external perspectives. Ultimately, the chapter builds a complete model which includes advice on tools, tactics, and techniques that system administrators can use to harden a server against compromise and attack.
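One concrete form of the internal examination the chapter describes, as an added example that is not the chapter's own tooling: an audit of the global section of an OpenSSH `sshd_config`, with a weak configuration beside a hardened one. The rule table and the defaults it assumes for absent directives are this example's assumptions (they match OpenSSH 7.x/8.x behaviour, but confirm against the installed version); the two configuration texts are constructed.

```python
# Directives audited, the value a hardened server should carry, and the
# OpenSSH default that applies when the directive is absent. Assumed values
# for OpenSSH 7.x/8.x; check `sshd -T` on the version you actually run.
RULES = {
    "permitrootlogin":        {"want": {"no"},  "default": "prohibit-password"},
    "passwordauthentication": {"want": {"no"},  "default": "yes"},
    "permitemptypasswords":   {"want": {"no"},  "default": "no"},
    "x11forwarding":          {"want": {"no"},  "default": "no"},
    "pubkeyauthentication":   {"want": {"yes"}, "default": "yes"},
}


def parse_sshd_config(text):
    """Global section of an sshd_config as {lowercased keyword: value}.
    Two sshd rules matter for an audit: keywords are case-insensitive, and the
    FIRST value seen wins, so a later 'PermitRootLogin no' does not override an
    earlier 'yes'. Parsing stops at the first Match block, whose settings apply
    only conditionally and need separate review."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)                     # first value wins
    return settings


def audit_sshd_config(text):
    """Returns (keyword, effective value, wanted value) for every failing rule.
    Absent directives are judged by their default, not skipped: a missing
    PasswordAuthentication line means password logins are enabled."""
    settings = parse_sshd_config(text)
    findings = []
    for key, rule in RULES.items():
        actual = settings.get(key, rule["default"])
        if actual not in rule["want"]:
            findings.append((key, actual, "/".join(sorted(rule["want"]))))
    return findings


# Constructed: looks like an administrator tried to fix root login but did so
# below the original line, and left password authentication at its default.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed example)
Port 22
PermitRootLogin yes
X11Forwarding yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

# Constructed hardened counterpart.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label + ":")
        for key, actual, wanted in audit_sshd_config(cfg) or [("(no findings)", "", "")]:
            print("  %-24s is %-20s want %s" % (key, actual, wanted))
```

On a live host, `sshd -T` prints the effective configuration after sshd has applied its own precedence rules, and is the better input for this audit than the file itself; the parser above exists to show why reading the file naively (last value wins, inline settings under `Match` counted as global) gives a false sense of safety.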


Author(s):  
Gregory B. White ◽  
Mark L. Huson

The protection of cyberspace is essential to ensure that the critical infrastructures a nation relies on are not corrupted or disrupted. Government efforts generally focus on securing cyberspace at the national level. In the United States, states and communities have not seen the same concentrated effort and are now the weak link in the security chain. Until recently there has been no program for states and communities to follow in order to establish a viable security program. Now, however, the Community Cyber Security Maturity Model has been developed to provide a framework for states and communities to follow to prepare for, prevent, detect, respond to, and recover from potential cyber attacks. This model has a broad applicability and can be adapted to be used in other nations as well.

