CYBERSECURITY VULNERABILITIES FACING IT MANAGERS TODAY

Cybersecurity Vulnerabilities Facing IT Managers Today

Darin Swan

University of Maryland University College

Two factors increase the stakes of the cyber struggle. Tactically and operationally, the increasing dependence of modern technologically advanced forces (especially U.S. forces) on networks and information systems create new kinds of exploitable vulnerabilities. Second, as

modern societies including the militaries that mirror them have continued to evolve, they have become ever more dependent on a series of interconnected, increasingly vulnerable “critical

infrastructures” for their effective functioning. These infrastructures not only have significantly increased the day-to-day efficiency of almost every part of our society, but they have also

introduced new kinds of vulnerabilities.

- Robert A. Miller and Daniel T. Kuehl

Connectivity in the Modern World

Today, computers connect us to our finances through online banking, mutual fund

management, stock trading services, and a variety of other online applications that provide

access to accounts twenty-four hours a day. Beyond financial services, we have the ability to

connect to a wide variety of information, including social media content such as Facebook,

YouTube, and Twitter, as well as magazines, video games, and other Web 2.0 content. The

interconnectivity of such systems has not only provided individuals with access to a wide variety

of data, but now businesses have the ability to leverage the Internet as a part of their day-to-day

operations. Whether it be human resources management, email and coordinated calendar

systems, or sales tracking systems, the cloud offers opportunity to businesses for quicker,

streamlined processes and potential cost savings. Furthermore, the government uses

interconnected computer systems to manage public services such as energy systems, coordinate

public transportation logistics, synchronize emergency services, run water treatment facilities,

and leverage technology for a variety of services benefitting the public. However, personal,

business, and government use of computer systems, because of their inter-connectedness, opens

these systems up to a variety of activities that they were never intended for. Instead of a person

gaining access to his financial data, a third party could be intercepting such communication and

using it to bilk someone of their entire savings. Similarly, businesses could be storing their trade

secrets on their internal file servers and a hacker could be downloading their information with

the intent of selling it to one of their foreign competitors. And with respect to government

services, a state-sponsored attack could occur from a foreign country to either deny certain

services, steal information, or to take control and exploit command and control systems

unbeknownst to leadership. Martin C. Libicki, a noted authority on information warfare at the

RAND policy institute, has written Cyberdeterrence and Cyberwar (2009), a notable work

covering the current and future challenges associated with the connected world. Among the

concepts within his book, Libicki discusses security vulnerabilities associated with cyberspace.

...In theory, all computer mischief is ultimately the fault of the system’s owner—if not because of misuse or misconfiguration, then because of using a system with security bugs in the first place. In practice, all computer systems are susceptible to errors. The divergence between design and code is a consequence of the complexity of software systems and the potential for human error. The more complex the system—and they do get continually more complex—the more places there are in which errors can hide. (p. 18)

Connectedness and Vulnerability

What Libicki is referring to is a vulnerability within a system which a hacker could use to

“gain access to a system or to get it to accept rogue instructions [which] is called an exploit” (p.

18). A variety of vulnerabilities occur within cyberspace because of humans, hardware,

software, and connection points that provide access to such systems. The United States

Computer Emergency Readiness Team (US-CERT) has provided a “high level overview” of

cyber vulnerabilities for control systems. Within this overview, US-CERT includes the

following vulnerabilities: wireless access points, network access points, unsecured SQL

databases, poorly configured firewalls, interconnected peer networks with weak security, and

several others. Similarly, the National Institute of Standards and Technology (NIST) has

published the “Risk Management Guide for Information Technology Systems” (2002). This

guide establishes a multi-step system analysis which IT managers can use to assess their network

vulnerabilities, measure the potential of each vulnerability occurring with respect to the threat’s

source, motivation, and actions, whilst developing recommendations and documentation to

counteract the vulnerabilities found within the assessment. The NIST guide views vulnerabilities

from the perspective of the potential consequence(s) of an exploited vulnerability. Following the

US-CERT overview and NIST guide can be helpful from an IT management perspective, as both

provide enterprise-level guidance on structuring network systems with respect to vulnerabilities

and both apply a system-level view of analyzing vulnerability. However, both lack

specificity about how an external threat can tactically exploit a system.

Cybersecurity and Exploitation: Examples

Prabhaker Mateti, in the chapter “TCP/IP Suite” from the Handbook of Information

Security (2006), provides over fifteen types of security exploits related to the TCP/IP suite that

hackers use to attack systems, including: sniffing, fingerprinting, Internet Protocol (IP) address

spoofing, and buffer overflows (pp. 25-29). Stuart McClure, Joel Scambray and George Kurtz

have provided both strategy and tactics for implementing Mateti’s notable exploitations, amongst

many others, in their seminal work Hacking Exposed, now in its sixth edition. It is where

hardware, software, and the human element meet within a system that hackers try to take control

and security specialists patch vulnerabilities to deny unauthorized access, and the cycle appears to

be never-ending.

Sniffing, Fingerprinting & Footprinting

From the tactical viewpoint, within the pages of Hacking Exposed the authors provide

recipes for exploiting vulnerabilities, as well as instructions on countering exploitations. With

regard to sniffing, the text covers a variety of security weaknesses and recommends several

software applications that can be used to find a network’s Achilles heel. Cain and KerbSniff are

two tools in particular that can be used for eavesdropping on a network password exchange in the

Windows environment (McClure et al., 2009, pp. 169-170). Furthermore, network sniffing can

be accomplished by using applications such as tcpdump, Snort, and Wireshark, which allow

anyone with the means to view traffic across a network. This can be helpful for trying to debug

network problems, but in the wrong hands it can prove to be invaluable in footprinting a system

(pp. 273-274). With regard to terminology, Mateti uses the term fingerprinting in his text,

whereas McClure et al. refer to this technique as footprinting. Though similarities exist and some

confuse the two terms, Michael Gregg provides clarity in his text Certified Ethical Hacker Exam

Prep: Understanding Footprinting and Scanning (2006). He defines footprinting as, “The

process of accumulating data regarding a specific network environment, usually for the purpose

of finding ways to intrude into the environment” (p. 89). Fingerprinting, by contrast, can be either

active or passive in nature. “Passive fingerprinting is the act of identifying systems without

injecting traffic or packets into the network” and active fingerprinting is the act of using tools to

“inject strangely crafted packets into the network to measure how systems respond” (Gregg, 2006,

p. 89). [Note: McClure et al. use the general term of scanning versus fingerprinting (pp. 44-77).]

Essentially, both fingerprinting and footprinting are used to map accessible hardware and

software services within a network. The information gleaned from such endeavors provides

actionable intelligence on what hardware or services are susceptible to common hacking

attempts. By determining the easiest way to gain access and exploit a system while minimizing

risk of detection, the hacker can ascertain which vector of attack is worthy of his time by using a

simple cost-benefit analysis (Kshetri, 2006, pp. 36-38). Microsoft provides general guidance on

countering this threat through their online education documentation within their development

network. Microsoft’s guidance includes “filter[ing] incoming packets that appear to come from

an internal IP address” and “filter[ing] outgoing packets that appear to originate from an invalid

local IP address” (Meier, Mackman, Dunner, Vasireddy, Escamilla, & Murukan, 2003).
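
The two Microsoft filtering rules quoted above, sketched as an added example in C (not code from the paper or from Microsoft). The internal prefixes, the sample addresses, and every function name are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum direction { INBOUND, OUTBOUND };   /* relative to the perimeter device */
enum verdict { ACCEPT, DROP };

/* One IPv4 prefix, held in host byte order. */
struct prefix { uint32_t net; uint32_t mask; };

/* Build a prefix from dotted-quad text and a length; returns -1 on bad input. */
static int make_prefix(const char *addr, int len, struct prefix *out)
{
    struct in_addr a;
    if (len < 0 || len > 32 || inet_pton(AF_INET, addr, &a) != 1)
        return -1;
    out->mask = (len == 0) ? 0u : (0xFFFFFFFFu << (32 - len));
    out->net = ntohl(a.s_addr) & out->mask;
    return 0;
}

/* 1 if ip falls inside any of the n prefixes, else 0. */
static int in_any(uint32_t ip, const struct prefix *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((ip & p[i].mask) == p[i].net)
            return 1;
    return 0;
}

/* Rule 1: an inbound packet claiming an internal source is spoofed, drop it.
 * Rule 2: an outbound packet whose source is not a local address is invalid,
 *         drop it so the network cannot be used to launch spoofed traffic. */
enum verdict filter_packet(enum direction dir, const char *src,
                           const struct prefix *internal, size_t n)
{
    struct in_addr a;
    if (inet_pton(AF_INET, src, &a) != 1)
        return DROP;                        /* unparseable source: fail closed */
    int is_internal = in_any(ntohl(a.s_addr), internal, n);
    if (dir == INBOUND)
        return is_internal ? DROP : ACCEPT;
    return is_internal ? ACCEPT : DROP;
}

/* Run one packet against a constructed internal address plan. */
enum verdict check_sample(enum direction dir, const char *src)
{
    struct prefix internal[2];
    if (make_prefix("10.0.0.0", 8, &internal[0]) != 0 ||
        make_prefix("192.168.10.0", 24, &internal[1]) != 0)
        return DROP;
    return filter_packet(dir, src, internal, 2);
}

int main(void)
{
    /* Constructed sample traffic, not captured data. */
    static const struct { enum direction dir; const char *src; } pkts[] = {
        { INBOUND,  "203.0.113.7"   },   /* genuine external source */
        { INBOUND,  "10.1.2.3"      },   /* external packet claiming internal source */
        { OUTBOUND, "192.168.10.44" },   /* legitimate local source */
        { OUTBOUND, "198.51.100.20" },   /* local host forging a foreign source */
    };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        printf("%-8s src=%-15s %s\n",
               pkts[i].dir == INBOUND ? "inbound" : "outbound", pkts[i].src,
               check_sample(pkts[i].dir, pkts[i].src) == DROP ? "DROP" : "ACCEPT");
    return 0;
}
```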

IP Spoofing

With regard to the other security exploits Mateti references, he points out that “IP

spoofing is an integral part of many attacks” (p. 26). Matthew Tanase provides a primer on IP

spoofing at Symantec’s website where he goes into the history of the technique and how the

structure of the TCP/IP protocol suite and packet exchanges permit this particular exploitation to

occur (2003). Tanase notes that there are several variations of IP spoofing; however, they all

have a common denominator – “an attacker gains unauthorized access to a computer or a

network by making it appear that a malicious message has come from a trusted machine by

‘spoofing’ the IP address of that machine.” Computer World’s Jonathan Hassell has provided an

authoritative view on what common attacks are used through IP spoofing and what can be done

to patch them in his article “The top five ways to prevent IP spoofing” (2006). The common

attacks provided by Hassell include blind spoofing, nonblind spoofing, the denial-of-service (DoS)

attack, and the man-in-the-middle attack. Blind spoofing consists of a hacker outside of the

network perimeter who is “blind to how transmissions take place on this network”, so he must

receive sequence numbers from the target device and then falsify who he is by “injecting data

into the stream of packets without having to authenticate himself when the connection was first

established” (Hassell, 2006). Nonblind spoofing occurs when the hacker is inside of the subnet

and can sniff out existing transmissions and hijack sessions without being blind to the sequence

numbers. A denial-of-service attack is when “multiple hosts are sending constant streams of

packet [sic] to the DoS target” (Hassell). This is essentially a flood of data that overwhelms a

system to the point that it is unavailable or inoperable. Finally, the man-in-the-middle attack is

an interception of packets between machines where the packets are read by an unauthorized user

and sent onward unbeknownst to either party communicating. Particularly troubling is the fact

that neither the originating sender nor the intended receiver is aware that information was intercepted

during transit and therefore if secure information was gathered, no one, except the eavesdropper,

knows that data was compromised (Hassell).

Buffer Overflows

“Historically, buffer overflows have been the most common type of vulnerability. They

have been popular because buffer overflow exploits can often be carried out remotely and lead to

complete compromise of a target” (Chen & Walsh, 2009, pp. 54-55). Since many system

services susceptible to buffer overflow are running at the highest level of administration

privileges, it is appropriately described as the “coup de grace of hacking” (McClure et al., 2009,

pp. 550-551). Essentially the hacker sends packets to the target service knowing that more data

is being transmitted than is expected by the target during communication. This extra information

is dealt with differently by different services and can either be ignored, crash the service or

system, or, if the target is susceptible to this type of vulnerability, the service may use the extra

packet data, if constructed correctly by the hacker, to run administrator-level code and allow the

hacker to control some or all of the target system (Mateti, 2006, p. 558). Even though the buffer

overflow vulnerability was documented as a theoretical exploit in 1995 and fully substantiated in

1996, unpatched servers that are still susceptible to this weakness continue to populate the

Internet (McClure et al., 2009, pp. 550-551).
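
The overflow condition described above, shown as an added example that is not from the paper or its sources: a length-prefixed message copied without a bound, beside a checked version. The message layout, FIELD_CAP, and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_CAP 64   /* bytes the service expects; constructed for the example */

/* Assumed wire format: byte 0 is the sender's claimed payload length,
 * followed by the payload itself. */
struct request { char field[FIELD_CAP]; size_t used; };

/* BEFORE: trusts the sender's length byte. Any claimed length above
 * FIELD_CAP makes memcpy write past field[] into adjacent memory, which is
 * the "more data than expected" condition the text describes. */
int parse_unchecked(const uint8_t *msg, size_t msg_len, struct request *out)
{
    (void)msg_len;                           /* never consulted: the defect */
    size_t claimed = msg[0];
    memcpy(out->field, msg + 1, claimed);    /* no bound on claimed */
    out->used = claimed;
    return 0;
}

/* AFTER: the claimed length is checked against the bytes actually received
 * and against the destination size before anything is copied. */
int parse_checked(const uint8_t *msg, size_t msg_len, struct request *out)
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;
    size_t claimed = msg[0];
    if (claimed > msg_len - 1)   /* claims more than was sent: would over-read */
        return -1;
    if (claimed > FIELD_CAP)     /* more than the buffer holds: would overflow */
        return -1;
    memcpy(out->field, msg + 1, claimed);
    out->used = claimed;
    return 0;
}

/* Build a constructed message with the given length byte and payload size,
 * pass it through parse_checked, and return bytes accepted or -1 if rejected. */
int run_checked(uint8_t claimed, size_t payload_len)
{
    uint8_t msg[1 + 255];
    struct request req;
    if (payload_len > 255)
        return -1;
    msg[0] = claimed;
    memset(msg + 1, 'A', payload_len);
    if (parse_checked(msg, 1 + payload_len, &req) != 0)
        return -1;
    return (int)req.used;
}

int main(void)
{
    /* parse_unchecked is deliberately never called: with the oversized
     * inputs below its behaviour is undefined. */
    printf("16 of 16 bytes   -> %d\n", run_checked(16, 16));
    printf("64 of 64 bytes   -> %d\n", run_checked(64, 64));
    printf("65 of 65 bytes   -> %d\n", run_checked(65, 65));
    printf("200 of 200 bytes -> %d\n", run_checked(200, 200));
    printf("claims 32, has 8 -> %d\n", run_checked(32, 8));
    return 0;
}
```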

The Human Element

Overlooked as a security concern by Mateti in his essay on “TCP/IP Suite” vulnerabilities

is the human element. It is, after all, the human that manages cyberspace and provides physical

access to the terminals and systems that are interconnected. It is the human that sets up the

Internet protocols used during web communications, sets the security procedures to be adhered

to, codes the back-end server integration, creates the temporary passwords to access sensitive

information, holds resentment against employers, forgets to patch a known weakness in

sendmail, and desires to find confidential, financial information to sell to the highest bidder. It is

the human element that matters, perhaps more so than any hardware, software, or network

connection when it comes to securing a system. To many, the hacker who has taken over a

system and stolen a database of financial information for monetary gain is normally

conceptualized as a social pariah, living in his mother’s basement, staring at a monitor all day

and night, sipping caffeinated beverages, maintaining poor hygiene and exhibiting antisocial

behavior. However, “A modern-day computer criminal could be a disgruntled, middle-aged,

white-collar worker sitting at a nice desk on the fourteenth floor of the headquarters building of a

billion-dollar software manufacturer” (Valacich & Schneider, 2012, p. 403). In Congressional

testimony to the United States House of Representatives Committee on Financial Services (2003),

Joseph Ansanelli, a cybersecurity expert, cited a Harris Interactive survey given

to workers and managers that handle sensitive customer information at work. In this report,

surprisingly, “66% say their co-workers, not hackers, pose the greatest risk to consumer privacy

[and] only 10% said hackers were the greatest threat” (p. 5). According to Valacich and

Schneider (2012), commonalities in computer criminals have been revealed through studies and

these tend to be people that are current or former employees, people with technical knowledge

who use their skills illegally for personal gain, career criminals, and crackers who commit

intrusions with no particular purpose, but are merely snooping through a system (p. 405).

Ultimately, humans are susceptible to deception and can provide access to systems by disclosing

sensitive information to hackers without realizing their actions bring about terrible consequences.

Widely Publicized Vulnerabilities

Widely publicized hacking within the last decade has included aggressive attacks against

military members during the 2011 Christmas holiday (Montalbano, 2011), hackers using stolen

RSA information to breach Lockheed-Martin’s networks (Mick, 2011), secret U.S. Department

of State cables exposed through WikiLeaks that were provided by a disgruntled Army private

(Knickerbocker, 2012), the cyber attack against Iran’s nuclear processing facilities through a

unique piece of malware called STUXNET (Milevski, 2011), the 2008 compromise of the

military’s classified and unclassified network which occurred due to malicious code from a flash

drive (Lynn, 2010), and China’s hacking of Google Mail that targeted the personal accounts of

high ranking U.S. government officials (Efrati & Gorman, 2011). The referenced attacks were

known to the public not long after each compromise occurred and have become case studies for

many within the information technology sector. The reality is that more security breach

information in the public domain is good for the security professional as it allows him to update

systems or prevent future threats based on understanding emerging attack vectors. However,

many businesses and government entities shy away from reporting intrusions for fear of

exposure to public scrutiny and because revealed exploitations may cause clients to flee, impact

potential new sales and damage their stock price. Both perspectives are valid, but the truth is

that organizations simply aren’t reporting security breaches. In the aptly titled article, “Security

trumps secrecy in cyber fight-prosecutor”, published by Reuters in January of 2012, it was

reported that “cyber security experts say that corporations rarely acknowledge breaches, and

often keep them secret from law enforcement…”. However, there is now a fear of prosecution

by those companies that refuse to publicly disclose security compromises impacting sensitive

personal and financial data. The system of disclosure is challenging for businesses, as there is

no incentive within the market to offer full disclosure; there is only a disincentive to come clean

about breaches. However, with more disclosure prosecutions, the culture of revealing

compromises may change over time. One company’s disclosure could prevent hundreds of

future attacks. Shared information becomes a part of open source collective intelligence,

providing IT administrators with the information necessary to close holes within their systems

that they may never have been privy to without full disclosure.

Common Countermeasures

With reference to common attacks through the TCP/IP suite and through effective social

engineering, security professionals need to constantly maintain vigilance. Common

countermeasures are put in place and then are constantly evolving as new threats are revealed.

Some common countermeasures include, but are not limited to, using strong authentication,

avoiding storing sensitive data or passwords as plaintext, using tamper-resistant protocols,

creating secure audit trails, using strong authorization, validating and filtering network inputs,

using the principle of least privilege, updating software and firmware as patches become

available, using strong physical security for sensitive devices and system access points, using

secure protocols during sessions, educating users on appropriate security protocols, disabling

unnecessary services, and properly installing and configuring network access points, hardware,

and software (Meier, Mackman, Dunner, Vasireddy, Escamilla, and Murukan, 2003). [Note: See

Appendices A and B, which are tables provided by Microsoft, that illustrate threats and

countermeasures for a variety of known exploitations.] Ultimately, the security professional

must determine, based on time, budget, and other variables, where efforts should be placed in

implementing countermeasures in protecting computer systems. As mentioned earlier, NIST has

provided a framework for the computer professional to consider when securing systems based on

vulnerability, threat-source, threat action, threat likelihood, and risk level (Stoneburner, Goguen,

and Alexis, 2002). The IT professional faces a cost-benefit conundrum similar to the one that

faces the hacker, although the variables and incentives differ.

Most Important Security Vulnerability Today

The debate over what is the single greatest threat to cyberspace is an oft-discussed topic

online and offline. Perspectives differ by person, business and government security expert. One

must take into consideration the vulnerability, threat source, and possible outcome. For a person

with a home business, his perspective of a DoS attack on his home computer network differs

greatly from that of a company focusing solely on ecommerce. Additionally, the Pentagon’s concerns

differ from those of the ecommerce company. However, from an enterprise-level perspective, the

biggest threat facing IT security experts today is ensuring that hardware devices and software are

properly updated and patched. Security protocols should include routine research to ensure

systems are up-to-date with the most recent service packs. This perspective was echoed during a

recent interview with Commander Cliff Neve, the Chief of Staff of the United States Coast

Guard Cyber Command. “The answer [to ‘What is the biggest IT security challenge today?’]

is… unpatched systems. I very, very highly recommend checking” out the Australian Defence

Signals Directorate’s article “Strategies to Mitigate Targeted Cyber Intrusions” (Cdr. C. Neve,

USCG Cyber Command, personal communication, January 31, 2012). Many known vectors of

attack are well documented. If an IT manager has thousands of computers to monitor and

patch because they are not up-to-date, his systems are at risk from the first time a new

vulnerability makes it to the public. However, most common attack vectors have been known

for years (e.g., buffer overflow, IP spoofing, sniffing, fingerprinting, and footprinting). It is the

old software and hardware that has been deprecated, and no longer supported, that puts a

network at risk. However, there are some solutions to part of this issue. There is an entire

industry of security professionals that provide software services to ensure that newly discovered

viruses are public knowledge as soon as possible – McAfee, Kaspersky, and Symantec are

well-known software providers in this industry. New libraries and patches are provided on a routine

basis through service level agreements, and for particularly well-publicized outbreaks or security

exploitations, instant updates are sometimes available. If a hacker becomes aware of a new

attack vector, after educating himself, in a few hours he can be fingerprinting and footprinting

systems to find this newly disclosed vulnerability, and perhaps be inside of a system causing

harm within a matter of 24 hours. If someone has installed a virus protection system, but does

not continue to update the library of potential threats, they will become vulnerable to any new

virus that is not already in their library. Additionally, service packs (SP) are routinely released

for operating systems, enterprise-level software, servers, and standard home software. These SPs

are normally released as updates fixing issues that might cause the program to crash.

Additionally, they can fix complaints about the user experience, user interface or possibly add

new feature sets as a benefit to the owner before an entirely new version of the software is

released to the public. However, many service packs are distributed to patch a known

vulnerability within the software. If an IT professional delays or never installs a service pack,

the software will continue to hold the vulnerabilities built into it. And as each day passes and

more hackers are aware of the vulnerability affecting unpatched systems (e.g. software without

the service pack installed), the more likely that software is to be exploited.

Beyond software, many older hardware devices have firmware on them that provides

configuration settings and software features built into them. For example, if a router made in

2004 is still on a network in 2012, the device is now 8 years old and may be susceptible to an

exploit because it hasn’t been patched since the initial firmware was placed on the device.

Sometimes network device configuration settings contribute to a hacker’s attempt at

fingerprinting and footprinting, responding to external requests and providing information that is

no longer a part of network best practice due to security risk. Firmware updates normally patch

known vulnerabilities in a device and sometimes allow the device to perform more efficiently.

Although the single largest vulnerability to IT professionals may be keeping hardware

and software up-to-date to ensure emerging vulnerabilities are removed, simply patching

everything on a daily basis may be too much for an enterprise level network to take on.

However, through a cost-benefit analysis, taking into consideration a variety of variables, an IT

professional can create security protocols to handle the required updates that patch vulnerabilities

that hackers may exploit. By not patching known vulnerabilities, a network is open to common

attacks that may cause grave damage to a person, business or government institution.

Appendix A: Table 1 – Microsoft’s STRIDE Threats and Countermeasures

Source: Microsoft Developer Network, Improving Web Application Security, Chapter 2: Threats and Countermeasures, http://msdn.microsoft.com/en-us/library/ff648641.aspx

Note: STRIDE is an acronym used by Microsoft for the following vulnerabilities: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.

Appendix B: Table 2 – Microsoft’s Threats by Application Vulnerability Category

Source: Microsoft Developer Network, Improving Web Application Security, Chapter 2: Threats and Countermeasures, http://msdn.microsoft.com/en-us/library/ff648641.aspx

References

2011 state of security survey. (2011, August 31). Symantec. Retrieved from

http://www.symantec.com/connect/blogs/2011-state-security-survey

Ashford, W. (2012, January 13). Public sector sees cybercrime as rising threat. Computer

Weekly. http://www.computerweekly.com/news/2240113782/Public-sector-sees-cybercrime-as-rising-threat

Ansanelli, J. (2003, June 24). Testimony of Joseph Ansanelli, chairman and CEO of Vontu, Inc.

The Committee on Financial Services, United States House of Representatives. Retrieved

from http://financialservices.house.gov/media/pdf/062403ja.pdf

Carr, J., & Shepherd, L. (2010). Inside cyber warfare. Sebastopol, Calif: O'Reilly Media, Inc.

Chen, T. & Walsh, P. J. (2009). Guarding Against Network Intrusions. In J. R. Vacca Computer

and Information Security Handbook. Amsterdam: Elsevier.

Cliff, A. (2001, July 3). Intrusion detection systems terminology, part one: A – H. Symantec.

Retrieved from http://www.symantec.com/connect/articles/intrusion-detection-systems-terminology-part-one-h

Coleman, K. (2011, July 7). Digital Conflict. Defense Systems. Retrieved from

http://defensesystems.com/blogs/cyber-report/2011/07/human-vulnerability-computer-systems.aspx

The Comprehensive National Cybersecurity Initiative. (n.d.) The White House, President Barack

Obama. Retrieved from http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative

Dhamankar, R., et al. (2009, September). The top cyber security risks. SANS. Retrieved from

http://www.sans.org/top-cyber-security-risks

Efrati, A. and Gorman, S. (2011, June 2). Google mail hack blamed on China. Wall Street

Journal. Retrieved from

http://online.wsj.com/article/SB10001424052702303657404576359770243517568.html

FBI says hackers hit key services in three US cities. (2011, December 2011). BBC. Retrieved

from http://www.bbc.co.uk/news/technology-16157883

Gottlieb, P. J. B., CDR. (2010). Cyberspace vs. cyber strategy. American Intelligence Journal,

28 (2), 18-25.

Granger, S. (2001, December 18). Social engineering fundamentals, part 1: Hacker tactics.

Symantec. Retrieved from http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

Gregg, M. (2006, June 9). Certified Ethical Hacker Exam Prep: Understanding Footprinting and

Scanning. Pearson IT Certification.

Hadnagy, C. (2010). Social Engineering: The Art of Human Hacking. Indianapolis, Indiana: John

Wiley and Sons.

Hassell, J. (2006, June 8). The top five ways to prevent IP spoofing. Computer World. Retrieved

from

http://www.computerworld.com/s/article/9001021/The_top_five_ways_to_prevent_IP_spoofing

Hess, M. (2011, December 19). Security tips from a legendary hacker. CBS News. Retrieved

from http://www.cbsnews.com/8301-505143_162-57344282/security-tips-from-a-legendary-hacker/

Ispitzner. (2011, February 7). Book review – Social engineering. SANS (Securing the Human).

Retrieved from http://www.securingthehuman.org/blog/2011/02/07/book-review-social-engineering-2

Jackson, D. (2011, May 12). Obama team unveils cybersecurity plan. USA Today. Retrieved

from http://content.usatoday.com/communities/theoval/post/2011/05/obama-team-unveils-new-cybersecurity-plan/1

Kim, J. (2012, January 19). Many security breaches go unreported. Fierce Compliance IT.

Retrieved from http://www.fiercecomplianceit.com/story/many-security-breaches-go-unreported/2012-01-19

Knickerbocker, B. (2012, January 13). Bradley Manning: How alleged intelligence leaker will

defend himself. Christian Science Monitor. Retrieved from

http://www.csmonitor.com/USA/Justice/2012/0113/Bradley-Manning-How-alleged-intelligence-leaker-will-defend-himself

Kshetri, N. (2006). The simple economics of cybercrimes. IEEE Security and Privacy,

January/February, 33-39. Retrieved from http://see.xidian.edu.cn/hujianwei/papers/098-The%20Simple%20Economics%20of%20Cybercrimes.pdf

Kroll announces top ten cyber security trends for 2012. (2011, December 14). Kroll | Cyber

Security and Information Assurance. Retrieved from

http://www.krollfraudsolutions.com/about-us/press-releases/kroll-announces-top-ten-cyber-security-trends-for-2012.aspx

Lohrmann, D. (2012, January 4). 2012 Cybersecurity trends to watch in government.

Government Technology. Retrieved from http://www.govtech.com/blogs/lohrmann-on-cybersecurity/2012-Cybersecurity-Trends-to-010412.html

Libicki, M. C. (2009). Cyberdeterrence and cyberwar. Retrieved from

http://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG877.pdf

Libicki, M. C. (2009). The information environment. In America’s Security Role in a Changing

World: Global Strategic Assessment 2009, 53-55.

Lynn, III, W. J. (2010, September/October). Defending a new domain: The Pentagon's

cyberstrategy. Foreign Affairs. Retrieved from

http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain

Mallery, J. (2009). Building a secure organization. In Vacca, J.R. (Ed.), Computer and

Information Security Handbook (pp 3-22). Burlington, MA: Elsevier.

Mateti, P. (2006). TCP/IP Suite. In Bidgoli, H. (Ed.), Handbook of Information Security.

Bakersfield, California: John Wiley & Sons, Inc.

Meier, J.D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R. and Anandha Murukan.

(2003, June). Improving Web Application Security, Chapter 2: Threats and

Countermeasures. Microsoft Developer Network. Retrieved from

http://msdn.microsoft.com/en-us/library/ff648641.aspx

Mick, J. (2011, June 19). Reports: Hackers use stolen RSA information to hack Lockheed

Martin. Daily Tech. Retrieved from

http://www.dailytech.com/Reports+Hackers+Use+Stolen+RSA+Information+to+Hack+Lockheed+Martin/article21757.htm

Milevski, L. (2011, October). Stuxnet and strategy: A space operation in cyberspace. Joint Force

Quarterly (63). Retrieved from http://www.ndu.edu/press/stuxnet-and-strategy.html

Miller, R. A. and Kuehl, D.T. (2009, September). Cyberspace and the “First Battle” in 21st-

century war. Defense Horizons (68). Center for Technology and National Security Policy.

Retrieved from http://www.ndu.edu/press/lib/pdf/defense-horizons/DH-68.pdf

Mills, E. (2008, July 21). Kevin Mitnick: Social engineering 101. ZDNet.

http://www.zdnet.com.au/kevin-mitnick-social-engineering-101-339290739.htm

McClure, S., Scambray, J., & Kurtz, G. (2009). Hacking exposed 6: Network security secrets &

solutions. New York: McGraw-Hill.

Meier, J.D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R. & Murukan, A. (2003,

June). Threats and countermeasures. Microsoft. Retrieved from

http://msdn.microsoft.com/en-us/library/ff648641.aspx

Montalbano, E. (2011, December 28). Aggressive phishing attack targets military personnel.

Information Week. Retrieved from

http://www.informationweek.com/news/government/security/232301104

Moore, R. (2005). Cybercrime: Investigating High Technology Computer Crime. Matthew

Bender & Company.

Overview of cyber vulnerabilities. (n.d.). US-CERT (United States Computer Emergency

Readiness Team). Retrieved from http://www.us-cert.gov/control_systems/csvuls.html

Perera, D. (2011, May 9). Application vulnerabilities chief among federal cybersecurity

concerns. Fierce Government IT. Retrieved from

http://www.fiercegovernmentit.com/story/application-vulnerabilities-chief-among-federal-cybersecurity-concerns/2011-05-09

Security trumps secrecy in cyber fight-prosecutor (2012, January 12). Reuters. Retrieved from

http://newsandinsight.thomsonreuters.com/Legal/News/2012/01_-_January/Security_trumps_secrecy_in_cyber_fight-prosecutor/

Sternstein, A. (2012, January 23). Hackers manipulated railway computers, TSA memo says.

NextGov. Retrieved from http://www.nextgov.com/nextgov/ng_20120123_3491.php?oref=topstory

Stoneburner, G., Goguen, A. and Alexis Feringa. (2002, July). Risk management guide for

information technology systems. National Institute of Standards and Technology (NIST).

Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Strategies to mitigate targeted cyber intrusions. (n.d.) Australian Government, Department of

Defence, Intelligence and Security. Retrieved from http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm

Tanase, M. (2003, March 11). IP spoofing: An introduction. Symantec. Retrieved from

http://www.symantec.com/connect/articles/ip-spoofing-introduction

Vacca, J. R. (Ed.). (2009). Computer and Information Security Handbook. Amsterdam: Elsevier.

Valacich, J. & Schneider, C. (2012). Information Systems Today: Managing in the Digital World.

Boston: Prentice Hall.

Velasco, V. (2000, November 21). Introduction to IP spoofing. SANS (SysAdmin, Audit,

Network, Security) Institute. Retrieved from

http://www.sans.org/reading_room/whitepapers/threats/introduction-ip-spoofing_959
