PHYSICAL MEANS OF MISAPPROPRIATING RESOURCES 69
are with a vendor from whom equipment has been bought or leased or with a contractor to whom services have been outsourced. A different kind of discontinuity in human expertise can come with a change of vendors or contractors. Even the temporary absence or decreased productivity of individuals soon adds up to a major business expense.
Employers may be held responsible for a wide range of occupational safety issues. Those specific to the computing environment include
- carpal tunnel syndrome (from repetitive actions, notably typing),
- back and neck pain (from extended use of improper seating), and
- eye strain and headaches (from staring at a computer screen for long periods).
PHYSICAL MEANS OF MISAPPROPRIATING RESOURCES
I now turn to the misappropriation of assets that can be possessed in some sense—physical objects, information, and computing power. (Some acts, such as physical theft, also impinge on availability.) Misuse may entail use by the wrong people or by the right people in the wrong way. The transgressions may be without malice. A pilferer of “excess” computing power may view his or her actions as a “victimless crime.” In other cases, insiders create new points of presence (and, therefore, new weak points) in an attempt to possess improved, legitimate access. See Skoudis (2002) for discussions of many of these issues.
Unauthorized Movement of Resources
For computing resources, theft comes in several forms. Outsiders may break or sneak into a facility. Insiders may aid a break-in, may break into an area or safe where (or when) they are not entitled to access, or they may abuse access privileges that are a normal part of their job. Physical objects may be removed. Information, whether digital or printed, may be duplicated or merely memorized; this is classified as theft by copying.
A different situation is when items containing recoverable data have been intentionally discarded or designated for recycling. The term dumpster diving conjures up images of an unauthorized person recovering items from trash bins outside a building (although perhaps still on an organization’s property). In fact, discarded items can also be recovered from sites inside the facility by a malicious insider. At the other extreme, recovery could, in theory, take place thousands of miles from the point at which an object was initially discarded. A large fraction of the “recycled” components from industrialized countries actually end up in trash heaps in Third World countries. The legality of dumpster diving depends on local laws and on the circumstances under which an item was discarded and recovered.
Perhaps the most obvious candidate for theft is removable storage media. As the data density of removable storage media increases, so does the volume of information that can be stored on one item and, therefore, the ease with which a vast amount of information can be stolen. Likewise, downloading from fixed media to removable media can also be done on a larger scale, facilitating theft by copying.
By comparison, stealing hardware usually involves removing bigger, more obvious objects, such as computers and peripherals, with the outcome being more apparent to the victim. Garfinkel (2002) reports thefts of random access memory (RAM); if not all the RAM is removed from a machine, the loss in performance might not be noticed immediately.
Social Engineering and Information Mining
Human knowledge is an asset less tangible than data on a disk but worth possessing, especially if one is mounting a cyberattack. An attacker can employ a variety of creative ways to obtain information. Social engineering involves duping someone else to achieve one’s own illegitimate end. The perpetrator—who may or may not be an outsider—typically impersonates an insider having some privileges (“I forgot my password...”). The request may be for privileged information (“Please remind me of my password...”) or for an action requiring greater privileges (“Please reset my password...”). Larger organizations are easier targets for outsiders because no one knows everyone in the firm. Less famous than social engineering are methods of mining public information. Some information must necessarily remain public, some should not be revealed, and some should be obfuscated.
Domain name service information related to an organization—domain names, IP (Internet protocol) addresses, and contact information for key information technology (IT) personnel—must be stored in an online “whois” database. If the name of a server is imprudently chosen, it may reveal the machine’s maker, software, or role. Such information makes the IP addresses more useful for cyberattacks. Knowing the key IT personnel may make it easier to pose as an insider for social engineering purposes.
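The hostname check implied by the paragraph above, written here as an added illustration rather than code from the chapter: it audits an organization's own list of hostnames for labels that reveal a machine's maker, software, or role, the three kinds of disclosure the text names, so that such names can be replaced with opaque ones before they reach public DNS. The keyword lists, the `audit_hostname` and `audit_zone` function names, and the sample hostnames are constructed for this example and are not an authoritative set.

```python
import re
from typing import Dict, List

# Keyword classes mirror the three kinds of disclosure the chapter names:
# a hostname that reveals the machine's maker, its software, or its role.
# These word lists are constructed for the example, not an authoritative set.
DISCLOSURE_KEYWORDS: Dict[str, List[str]] = {
    "maker": ["cisco", "dell", "hp", "ibm", "juniper", "sun"],
    "software": ["apache", "exchange", "oracle", "win2k", "winnt", "solaris", "iis"],
    "role": ["mail", "db", "sql", "backup", "payroll", "fw", "firewall", "vpn", "dc"],
}


def _tokens(hostname: str) -> List[str]:
    """Split the leftmost DNS label on separators and digit runs.

    "hp-mail01.example.com" -> ["hp", "mail"]
    """
    label = hostname.lower().split(".")[0]
    return [t for t in re.split(r"[-_]+|\d+", label) if t]


def audit_hostname(hostname: str) -> Dict[str, List[str]]:
    """Return {category: [matching tokens]} for each kind of disclosure found.

    An empty dict means the name is opaque with respect to the keyword lists.
    """
    found: Dict[str, List[str]] = {}
    for tok in _tokens(hostname):
        for category, words in DISCLOSURE_KEYWORDS.items():
            if tok in words:
                found.setdefault(category, []).append(tok)
    return found


def audit_zone(hostnames: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Audit a list of hostnames; only names that disclose something are returned."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for host in hostnames:
        hits = audit_hostname(host)
        if hits:
            report[host] = hits
    return report


# Constructed sample inventory, as might be exported from a zone file or asset list.
SAMPLE_HOSTNAMES = [
    "hp-mail01.example.com",       # maker + role disclosed
    "exchange2.example.com",       # software disclosed
    "oracle-payroll.example.com",  # software + role disclosed
    "ws-1042.example.com",         # opaque: nothing disclosed
    "aurora.example.com",          # opaque: nothing disclosed
]

if __name__ == "__main__":
    for host, hits in audit_zone(SAMPLE_HOSTNAMES).items():
        print(f"{host}: {hits}")
```

Matching is on whole tokens rather than substrings so that an opaque name such as "sunset" is not flagged for "sun"; the keyword lists are the part a practitioner would tune to the vendors and systems actually in use.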
Currently, the most obvious place to look for public information is an organization’s own Web site. Unless access is controlled so that only specific users can view specific pages, anyone might learn about corporate hardware, software, vendors, and clients. The organizational chart and other, subtler clues about corporate culture may also aid a social engineering attack. Of course, this information and more may be available in print.
Another dimension of the Internet in which one can snoop is newsgroup bulletin boards. By passively searching these public discussions (“lurking”), an attacker might infer which company is running which software on which hardware. He or she may instead fish actively for information. An even more active approach is to provide disinformation, leading someone to incorrectly configure a system.
Unauthorized Connections and Use
Wiretapping involves making physical contact with guided transmission media for the purposes of intercepting information. Wired media are relatively easy to tap, and