Financial Daily from THE HINDU group of publications
Monday, Dec 19, 2005




Human factor - the weakest link

D. Murali

A security survey found that `Three-quarters of office workers surveyed were willing to reveal their network-access password in exchange for a chocolate bar.'

COMPANIES are no longer falling victim to the `Titanic' syndrome, write Andrew Whitaker and Daniel Newman in Penetration Testing and Network Defense, from Cisco Systems (www.ciscopress.com).

"When the Titanic was built, its engineers never thought the ship would sink," but their confidence was proved wrong. So, companies, instead of getting lulled by the stamps of staff approval that the enterprise network is secure, resort to `penetration testing'.

The phrase refers to "the practice of a trusted third-party company attempting to compromise the computer network of an organisation for the purpose of assessing its security." The tester is an `ethical hacker', not a `cracker' who hacks for offensive purposes. "A team of ethical hackers working to break into a network is called a tiger team."

Tests can be `black-box' (without prior knowledge of company network), `white-box' (with complete knowledge of the internal network), and `gray-box' (or crystal-box, where the tester simulates an inside employee). Do you know that threats can be related to CIA, short for confidentiality, integrity, or availability? Or, that attacks against CIA are called DAD, for disclosure, alteration, and destruction?

A chapter on `social engineering' informs about the result of InfoSecurity's 2004 survey in London: "Three-quarters of the office workers surveyed were willing to reveal their network-access password in exchange for a chocolate bar." The weakest link is the human factor, the authors point out.

"It does not matter how many firewalls, virtual private networks (VPNs), or encryption devices you have if your employees are willing to give out access to the systems to anyone who asks for it," warns the book. Thus, one of the jobs of penetration testers is to masquerade as a social engineer, and use "deception, persuasion, and influence to get information that would otherwise be unavailable."

Success in war involves secrecy and reconnaissance; ditto in hacking. The goal of reconnaissance is to discover "IP addresses of hosts on a target network, accessible user datagram protocol (UDP) and TCP ports on target systems, and operating systems." Passive reconnaissance relies on tapping user groups, Web sites, regulatory filings, dumpster diving and so on; the active variety makes use of "DNS zone transfers and lookups, ping sweeps, traceroutes, port scans, or OS fingerprinting."

While fingerprinting is the process of determining the OS on a device, "footprinting is the combination of active and passive reconnaissance techniques for the purposes of establishing a strategy of attack."

Session hijacking is similar to pirates taking over a cargo ship, explain the authors. It is "the attempt to overtake an already active session between two hosts." The attraction of this method is that the host is `already authenticated to the target'. Though session hijacking and session replay are both MITM or man-in-the-middle attacks, the latter involves capturing packets and modifying the data before sending the same to the target.

Juggernaut, Hunt, TTY Watcher and T-Sight. What're these? Tools used in session hijacking! Heard of ACK storms? ACK packets can flood your network, warns the book. Catch up with `Kevin Mitnick's session hijack attack', a 10-step exploit against "the computers of Tsutomu Shimomura at the San Diego Supercomputer Center on Christmas day, 1994" that took 42 minutes.

The authors discuss topics such as Web server attacks, password cracking, penetration of wireless networks, Trojans and backdoor applications, and denial-of-service or DoS attacks, and also provide useful case studies. "A security policy is vital to any organisation and provides a framework inside of which people can work safely," remind Whitaker and Newman. "Establishing a security policy lessens the risk of potential security breach," they add.

Vital literature.

Data warehouse maturity

"IN the early days of data warehousing, 50 GB to 100 GB of data was considered a large warehouse. Today, some data warehouses are in the petabyte range." Thus recounts William H. Inmon, `the father of the data warehouse concept', in the fourth edition of Building the Data Warehouse, from Wiley Dreamtech (www.wileydreamtech.com).

He informs that corporate spending on data warehouse and business intelligence has surpassed spending on transactional processing and OLTP. "The day of data warehouse maturity has arrived," declares Inmon.

The new topics that he discusses in the latest edition include compliance with SOX (Sarbanes-Oxley), HIPAA, Basel II and so on; near-line storage; multi-dimensional database design; unstructured data; end users; and ODS. The impact of SOX is that all organisations have to take the same care with their information as banks, "whether the business of the organisation warrants it or not, whether or not the organisation has honestly and successfully done business for a hundred years."

Inmon explains that the probability of access for data in a standard data warehouse is reasonably high, unlike for what is stored for compliance. Another difference is `the sensitivity to loss'. Losing data in a data warehouse can lead to problems, not catastrophes. But "if financial data is lost, the corporation is open to the charges of wrongdoing." Therefore, back up the data stored for compliance, advises the author.

For `auditing corporate communications', Inmon suggests the use of a filter that looks for `words and phrases' in unstructured data and classifies the results into a simple index, a context index, and a copy of the message. While the simple index holds a reference to a word such as `account', the context index captures "the text before and after the phrase" such as `contingent sale'. The third category, that is, copying the entire message, becomes relevant if a `very important' phrase or word has been spotted, as for instance, "We have plans to embezzle the company."
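The three-level filter Inmon describes, worked through in code as an added example (not from the book): the watch lists, the message ids and the sample messages are constructed for illustration, and the 30-character context window is an assumption.

```python
"""Three-level filter for auditing corporate communications, as Inmon
describes it: a simple index of watch words, a context index holding the
text around a watch phrase, and a full copy of any message containing a
very important phrase.  Added example; watch lists and messages are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed watch lists (assumptions for this example, not from the book).
SIMPLE_WORDS = {"account", "embezzle"}          # -> simple index
CONTEXT_PHRASES = {"contingent sale"}           # -> context index
VERY_IMPORTANT_PHRASES = {"plans to embezzle"}  # -> copy of the whole message

# Constructed sample messages keyed by a made-up message id.
SAMPLE_MESSAGES = {
    "msg-001": "Please move the funds to the new account before Friday.",
    "msg-002": "The Q3 numbers include a contingent sale to Acme that may not close.",
    "msg-003": "We have plans to embezzle the company.",
    "msg-004": "Lunch at noon?",
}


@dataclass
class FilterResult:
    simple_index: dict[str, list[str]] = field(default_factory=dict)
    context_index: dict[str, list[tuple[str, str]]] = field(default_factory=dict)
    copies: dict[str, str] = field(default_factory=dict)


def filter_messages(messages: dict[str, str], width: int = 30) -> FilterResult:
    """Classify each message into the three levels; one message may hit several."""
    result = FilterResult()
    for msg_id, text in messages.items():
        lower = text.lower()
        # Level 1: record only that the word occurred (whole word, case-insensitive).
        for word in SIMPLE_WORDS:
            if re.search(rf"\b{re.escape(word)}\b", lower):
                result.simple_index.setdefault(word, []).append(msg_id)
        # Level 2: keep `width` characters before and after every phrase hit.
        for phrase in CONTEXT_PHRASES:
            for m in re.finditer(re.escape(phrase), lower):
                lo, hi = max(0, m.start() - width), min(len(text), m.end() + width)
                result.context_index.setdefault(phrase, []).append((msg_id, text[lo:hi]))
        # Level 3: a very important phrase warrants retaining the entire message.
        if any(p in lower for p in VERY_IMPORTANT_PHRASES):
            result.copies[msg_id] = text
    return result
```

Because the simple index stores only message ids, it stays small even over a large message store; the context index and the copies grow with the number of hits, which is why Inmon reserves the full copy for the `very important' phrases.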

CIF or corporate information factory emerged from the data warehouse, informs a chapter on `advanced topics'. After 9/11 GIF or government information factory was created, explains Inmon. GIF demanded "wide integration of data in government systems", owing to data sharing requirements. Another difference between CIF and GIF is that "data lives longer in government systems than in corporate systems".

Though there is no `end user' per se for the data warehouse environment, you can identify "an entire community of end users", writes Inmon. Four types of end users, viz. farmers, explorers, miners and tourists, constitute the community, he says. The farmer is the most predominant type of user found in the data warehouse environment, explains the author. "The type of queries the farmer submits varies only by the type of data."

The explorer is one who does not know what he or she wants, says Inmon, about the second type of user. The explorer operates in what is termed as a `heuristic mode,' that is, he doesn't know "what the next step of analysis is going to be until the results of the current step are complete."

What does a miner do? He takes an assertion and goes about determining the validity and strength of the same. And the tourist knows where to find things! He has "a breadth of knowledge, as opposed to a depth of knowledge." Collectively, all the four types of users make up the end-user community making requests of the data warehouse. Remember that an end-user may change types `on the fly'.

There's ample benefit in the contents, while the style is friendly.

Tailpiece

"Does the tablet PC come in strips or bottles?"

"I guess so; there are many models!"

Books2Byte@TheHindu.co.in
