CYBERSECURITY VULNERABILITIES FACING IT MANAGERS TODAY
Cybersecurity Vulnerabilities Facing IT Managers Today
Darin Swan
University of Maryland University College
Two factors increase the stakes of the cyber struggle. Tactically and operationally, the increasing dependence of modern technologically advanced forces (especially U.S. forces) on networks and information systems create new kinds of exploitable vulnerabilities. Second, as
modern societies including the militaries that mirror them have continued to evolve, they have become ever more dependent on a series of interconnected, increasingly vulnerable “critical
infrastructures” for their effective functioning. These infrastructures not only have significantly increased the day-to-day efficiency of almost every part of our society, but they have also
introduced new kinds of vulnerabilities. - Robert A. Miller and Daniel T. Kuehl
Connectivity in the Modern World
Today, computers connect us to our finances through online banking, mutual fund
management, stock trading services, and a variety of other online applications that provide
access to accounts twenty-four hours a day. Beyond financial services, we have the ability to
connect to a wide variety of information, including social media content such as Facebook,
YouTube, and Twitter, as well as magazines, video games, and other Web 2.0 content. The
interconnectivity of such systems has not only provided individuals with access to a wide variety
of data, but now businesses have the ability to leverage the Internet as a part of their day-to-day
operations. Whether it be human resources management, email and coordinated calendar
systems, or sales tracking systems, the cloud offers opportunity to businesses for quicker,
streamlined processes and potential cost savings. Furthermore, the government uses
interconnected computer systems to manage public services such as energy systems, coordinate
public transportation logistics, synchronize emergency services, run water treatment facilities,
and leverage technology for a variety of services benefitting the public. However, personal,
business, and government use of computer systems, because of their inter-connectedness, opens
these systems up to a variety of activities that they were never intended for. Instead of a person
gaining access to his financial data, a third party could be intercepting such communication and
using it to bilk someone of their entire savings. Similarly, businesses could be storing their trade
secrets on their internal file servers and a hacker could be downloading their information with
the intent of selling it to one of their foreign competitors. And with respect to government
services, a state-sponsored attack could occur from a foreign country to either deny certain
services, steal information, or to take control and exploit command and control systems
unbeknownst to leadership. Martin C. Libicki, a noted authority on information warfare at the
RAND policy institute, has written Cyberdeterrence and Cyberwar (2009), a notable work
covering the current and future challenges associated with the connected world. Among the
concepts within his book, Libicki discusses security vulnerabilities associated with cyberspace.
...In theory, all computer mischief is ultimately the fault of the system’s owner—if not because of misuse or misconfiguration, then because of using a system with security bugs in the first place. In practice, all computer systems are susceptible to errors. The divergence between design and code is a consequence of the complexity of software systems and the potential for human error. The more complex the system—and they do get continually more complex—the more places there are in which errors can hide. (p. 18)
Connectedness and Vulnerability
What Libicki is referring to is a vulnerability within a system, which a hacker could use to
“gain access to a system or to get it to accept rogue instructions [which] is called an exploit” (p.
18). A variety of vulnerabilities occur within cyberspace because of humans, hardware,
software, and connection points that provide access to such systems. The United States
Computer Emergency Readiness Team (US-CERT) has provided a “high level overview” of
cyber vulnerabilities for control systems. Within this overview, US-CERT includes the
following vulnerabilities: wireless access points, network access points, unsecured SQL
databases, poorly configured firewalls, interconnected peer networks with weak security, and
several others. Similarly, the National Institute of Standards and Technology (NIST) has
published the “Risk Management Guide for Information Technology Systems” (2002). This
guide establishes a multi-step system analysis which IT managers can use to assess their network
vulnerabilities, measure the potential of each vulnerability occurring with respect to the threat’s
source, motivation, and actions, whilst developing recommendations and documentation to
counteract the vulnerabilities found within the assessment. The NIST guide views vulnerabilities
from the perspective of the potential consequence(s) of an exploited vulnerability. Following the
US-CERT overview and NIST guide can be helpful from an IT management perspective, as both
provide enterprise-level guidance on structuring network systems with respect to vulnerabilities
and both apply a system-level view of analyzing vulnerability. However, both lack
specificity about how an external threat can tactically exploit a system.
Cybersecurity and Exploitation: Examples
Prabhaker Mateti, in the chapter “TCP/IP Suite” from the Handbook of Information
Security (2006), provides over fifteen types of security exploits related to the TCP/IP suite that
hackers use to attack systems, including: sniffing, fingerprinting, Internet Protocol (IP) address
spoofing, and buffer overflows (pp. 25-29). Stuart McClure, Joel Scambray and George Kurtz
have provided both strategy and tactics for implementing Mateti’s notable exploitations, amongst
many others, in their seminal work Hacking Exposed, now in its sixth edition. It is where
hardware, software, and the human element meet within a system that hackers try to take control
and security specialists patch vulnerabilities to deny unauthorized access, and the cycle appears to
be never-ending.
Sniffing, Fingerprinting & Footprinting
From the tactical viewpoint, within the pages of Hacking Exposed the authors provide
recipes for exploiting vulnerabilities, as well as instructions on countering exploitations. With
regard to sniffing, the text covers a variety of security weaknesses and recommends several
software applications that can be used to find a network’s Achilles heel. Cain and KerbSniff are
two tools in particular that can be used for eavesdropping on a network password exchange in the
Windows environment (McClure et al., 2009, pp. 169-170). Furthermore, network sniffing can
be accomplished by using applications such as tcpdump, Snort, and Wireshark, which allow
anyone with the means to view traffic across a network. This can be helpful for trying to debug
network problems, but in the wrong hands it can prove to be invaluable in footprinting a system
(pp. 273-274). With regard to terminology, Mateti uses the term fingerprinting in his text,
whereas McClure et al. refer to this technique as footprinting. Though similarities exist and some
confuse the two terms, Michael Gregg provides clarity in his text Certified Ethical Hacker Exam
Prep: Understanding Footprinting and Scanning (2006). He defines footprinting as, “The
process of accumulating data regarding a specific network environment, usually for the purpose
of finding ways to intrude into the environment” (p. 89). Fingerprinting, by contrast, can be either
active or passive in nature. “Passive fingerprinting is the act of identifying systems without
injecting traffic or packets into the network” and active fingerprinting is the act of using tools to
“inject strangely crafted packets into the network to measure how systems respond” (Gregg, 2006,
p. 89). [Note: McClure et al. use the general term of scanning versus fingerprinting (pp. 44-77).]
Essentially, both fingerprinting and footprinting are used to map accessible hardware and
software services within a network. The information gleaned from such endeavors provides
actionable intelligence on what hardware or services are susceptible to common hacking
attempts. By determining the easiest way to gain access and exploit a system while minimizing
risk of detection, the hacker can ascertain which vector of attack is worthy of his time by using a
simple cost-benefit analysis (Kshetri, 2006, pp. 36-38). Microsoft provides general guidance on
countering this threat through their online education documentation within their development
network. Microsoft’s guidance includes “filter[ing] incoming packets that appear to come from
an internal IP address” and “filter[ing] outgoing packets that appear to originate from an invalid
local IP address” (Meier, Mackman, Dunner, Vasireddy, Escamilla, & Murukan, 2003).
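The two filtering rules quoted above are the standard anti-spoofing checks at a network perimeter. The following is an added example, not code from Microsoft or from the works cited here, that applies both rules to a handful of constructed packet records; the site address blocks, the interface names and the `Packet` type are assumptions made for the illustration, and only IPv4 is handled.

```python
import ipaddress
from dataclasses import dataclass

# Assumed site addressing, constructed for this example: one private block
# and one publicly routed block (a documentation range stands in for it).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]

# Sources that should never arrive from the Internet at any site: private,
# loopback, link-local, "this network", multicast and reserved space.
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.1/8".replace("0.1/8", "0.0/8"),
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    iface: str  # "outside": arrived from the Internet; "inside": from the LAN
    src: str
    dst: str


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def verdict(pkt):
    """Return (action, reason) for one IPv4 packet crossing the perimeter."""
    try:
        src = ipaddress.IPv4Address(pkt.src)
    except ValueError:
        return ("drop", "malformed source address")

    if pkt.iface == "outside":
        # Rule 1: an incoming packet must not claim to come from inside.
        if _in_any(src, INTERNAL_NETS):
            return ("drop", "ingress: source claims an internal address")
        if _in_any(src, RESERVED_NETS):
            return ("drop", "ingress: source is reserved or unroutable")
        return ("accept", "ingress: plausible external source")

    if pkt.iface == "inside":
        # Rule 2: an outgoing packet must carry a valid local source.
        if not _in_any(src, INTERNAL_NETS):
            return ("drop", "egress: source is not a valid local address")
        return ("accept", "egress: valid local source")

    return ("drop", "unknown interface")


# Constructed sample traffic (documentation and private ranges only).
SAMPLE_TRAFFIC = [
    Packet("outside", "198.51.100.7", "10.20.1.5"),   # ordinary inbound
    Packet("outside", "10.20.1.9", "10.20.1.5"),      # pretends to be a LAN host
    Packet("outside", "192.0.2.44", "10.20.1.5"),     # pretends to be our public block
    Packet("outside", "127.0.0.1", "10.20.1.5"),      # loopback from the Internet
    Packet("inside", "10.20.3.3", "203.0.113.9"),     # ordinary outbound
    Packet("inside", "203.0.113.50", "198.51.100.7"), # LAN host forging an outside source
    Packet("inside", "10.99.0.1", "198.51.100.7"),    # private, but not one of our blocks
]


def audit(packets):
    """Return (src, iface, reason) for every packet the two rules drop."""
    dropped = []
    for pkt in packets:
        action, reason = verdict(pkt)
        if action == "drop":
            dropped.append((pkt.src, pkt.iface, reason))
    return dropped


if __name__ == "__main__":
    for src, iface, reason in audit(SAMPLE_TRAFFIC):
        print(f"{iface:8} {src:15} {reason}")
```

The egress rule is the one that keeps a compromised internal host from sending traffic under someone else's address, which is why it matters even to a site that is not itself the target.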
IP Spoofing
With regard to the other Mateti-referenced security exploits, he points out that “IP
spoofing is an integral part of many attacks” (p. 26). Matthew Tanase provides a primer on IP
spoofing at Symantec’s website where he goes into the history of the technique and how the
structure of the TCP/IP protocol suite and packet exchanges permit this particular exploitation to
occur (2003). Tanase notes that there are several variations of IP spoofing; however, they all
have a common denominator – “an attacker gains unauthorized access to a computer or a
network by making it appear that a malicious message has come from a trusted machine by
‘spoofing’ the IP address of that machine.” Computer World’s Jonathan Hassell has provided an
authoritative view on what common attacks are used through IP spoofing and what can be done
to patch them in his article “The top five ways to prevent IP spoofing” (2006). The common
attacks provided by Hassell include blind spoofing, nonblind spoofing, the denial-of-service (DoS)
attack, and the man-in-the-middle attack. Blind spoofing consists of a hacker outside of the
network perimeter who is “blind to how transmissions take place on this network”, so he must
receive sequence numbers from the target device and then falsify who he is by “injecting data
into the stream of packets without having to authenticate himself when the connection was first
established” (Hassell, 2006). Nonblind spoofing occurs when the hacker is inside of the subnet
and can sniff out existing transmissions and hijack sessions without being blind to the sequence
numbers. A denial-of-service attack is when “multiple hosts are sending constant streams of
packet [sic] to the DoS target” (Hassell). This is essentially a flood of data that overwhelms a
system to the point that it is unavailable or inoperable. Finally, the man-in-the-middle attack is
an interception of packets between machines where the packets are read by an unauthorized user
and sent onward unbeknownst to either party communicating. Particularly troubling is the fact
that neither the originating sender nor the intended receiver is aware that information was intercepted
during transit and therefore if secure information was gathered, no one, except the eavesdropper,
knows that data was compromised (Hassell).
Buffer Overflows
“Historically, buffer overflows have been the most common type of vulnerability. They
have been popular because buffer overflow exploits can often be carried out remotely and lead to
complete compromise of a target” (Chen & Walsh, 2009, pp. 54-55). Since many system
services susceptible to buffer overflow are running at the highest level of administrative
privileges, the buffer overflow is appropriately described as the “coup de grace of hacking” (McClure et al., 2009,
pp. 550-551). Essentially the hacker sends packets to the target service knowing that more data
is being transmitted than is expected by the target during communication. This extra information
is dealt with differently by different services and can either be ignored, crash the service or
system, or, if the target is susceptible to this type of vulnerability, the service may use the extra
packet data, if constructed correctly by the hacker, to run administrator-level code and allow the
hacker to control some or all of the target system (Mateti, 2006, p. 558). Even though the buffer
overflow vulnerability was documented as a theoretical exploit in 1995 and fully substantiated in
1996, unpatched servers continue to populate the Internet that are still susceptible to this
weakness (McClure et al., 2009, pp. 550-551).
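The three outcomes described above (extra data ignored, service crashed, control taken) follow from where the extra bytes land. The following is an added example, not code from any of the cited works: a Python model of one call frame, not native code, in which a fixed buffer sits next to a guard value (a stack canary, a mitigation the essay does not discuss) and a saved return address. The layout, sizes and `SAFE_RETURN` value are assumptions constructed for the illustration.

```python
import secrets

BUF_SIZE, CANARY_SIZE, RET_SIZE = 16, 8, 8
FRAME_SIZE = BUF_SIZE + CANARY_SIZE + RET_SIZE
SAFE_RETURN = 0x401136  # constructed "legitimate" return address
POLICIES = ("unchecked", "truncate", "reject")


class Frame:
    """Model of one call frame: [ buffer | canary | saved return address ]."""

    def __init__(self):
        self.canary = secrets.token_bytes(CANARY_SIZE)  # fresh random guard
        self.mem = (bytearray(BUF_SIZE) + self.canary
                    + SAFE_RETURN.to_bytes(RET_SIZE, "little"))

    def canary_intact(self):
        return bytes(self.mem[BUF_SIZE:BUF_SIZE + CANARY_SIZE]) == self.canary

    def return_address(self):
        return int.from_bytes(self.mem[BUF_SIZE + CANARY_SIZE:], "little")


def serve(data, policy, canary_check=False):
    """Copy one request into the frame and report what happens on return.

    policy: "unchecked" trusts the sender's length, "truncate" ignores the
    extra bytes, "reject" refuses oversized input before copying anything.
    Returns (outcome, return address the service would jump to).
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    frame = Frame()

    if policy == "reject" and len(data) > BUF_SIZE:
        return ("rejected", frame.return_address())

    # The unchecked copy runs past the buffer into the neighbouring fields.
    # The model stops at the end of the frame; real memory does not.
    limit = FRAME_SIZE if policy == "unchecked" else BUF_SIZE
    chunk = data[:limit]
    frame.mem[:len(chunk)] = chunk

    # With the guard enabled, a damaged canary stops the service before the
    # overwritten return address is ever used: a crash instead of a takeover.
    if canary_check and not frame.canary_intact():
        return ("aborted", frame.return_address())
    if frame.return_address() != SAFE_RETURN:
        return ("hijacked", frame.return_address())
    return ("ok", frame.return_address())


if __name__ == "__main__":
    oversized = b"A" * FRAME_SIZE  # constructed input, twice the buffer size
    for policy, guard in (("unchecked", False), ("unchecked", True),
                          ("truncate", True), ("reject", True)):
        outcome, ret = serve(oversized, policy, guard)
        print(f"{policy:9} canary={guard!s:5} -> {outcome:8} return={ret:#x}")
```

Only the length check in the "reject" and "truncate" policies removes the defect; the canary turns a silent takeover into a visible crash, which is detection rather than a fix.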
The Human Element
Overlooked as a security concern by Mateti in his essay on “TCP/IP Suite” vulnerabilities
is the human element. It is, after all, the human that manages cyberspace and provides physical
access to the terminals and systems that are interconnected. It is the human that sets up the
Internet protocols used during web communications, sets the security procedures to be adhered
to, codes the back-end server integration, creates the temporary passwords to access sensitive
information, holds resentment against employers, forgets to patch a known weakness in
sendmail, and desires to find confidential, financial information to sell to the highest bidder. It is
the human element that matters, perhaps more so than any hardware, software, or network
connection when it comes to securing a system. To many, the hacker who has taken over a
system and stolen a database of financial information for monetary gain is normally
conceptualized as a social pariah, living in his mother’s basement, staring at a monitor all day
and night, sipping caffeinated beverages, maintaining poor hygiene and exhibiting antisocial
behavior. However, “A modern-day computer criminal could be a disgruntled, middle-aged,
white-collar worker sitting at a nice desk on the fourteenth floor of the headquarters building of a
billion-dollar software manufacturer” (Valacich & Schneider, 2012, p. 403). In Congressional
testimony to the United States House of Representatives Committee on Financial Services
(2003), Joseph Ansanelli, a cybersecurity expert, cited a Harris Interactive survey given
to workers and managers who handle sensitive customer information at work. In this report,
surprisingly, “66% say their co-workers, not hackers, pose the greatest risk to consumer privacy
[and] only 10% said hackers were the greatest threat” (p. 5). According to Valacich and
Schneider (2012), commonalities in computer criminals have been revealed through studies and
these tend to be people that are current or former employees, people with technical knowledge
who use their skills illegally for personal gain, career criminals, and crackers who commit
intrusions with no particular purpose, but are merely snooping through a system (p. 405).
Ultimately, humans are susceptible to deception and can provide access to systems by disclosing
sensitive information to hackers without realizing their actions bring about terrible consequences.
Widely Publicized Vulnerabilities
Widely publicized hacking within the last decade has included aggressive attacks against
military members during the 2011 Christmas holiday (Montalbano, 2011), hackers using stolen
RSA information to breach Lockheed-Martin’s networks (Mick, 2011), secret U.S. Department
of State cables exposed through WikiLeaks that were provided by a disgruntled Army private
(Knickerbocker, 2012), the cyber attack against Iran’s nuclear processing facilities through a
unique piece of malware called STUXNET (Milevski, 2011), the 2008 compromise of the
military’s classified and unclassified network which occurred due to malicious code from a flash
drive (Lynn, 2010), and China’s hacking of Google Mail that targeted the personal accounts of
high ranking U.S. government officials (Efrati & Gorman, 2011). The referenced attacks were
known to the public not long after each compromise occurred and have become case studies for
many within the information technology sector. The reality is that more security breach
information in the public domain is good for the security professional, as it allows him to update
systems or prevent future threats based on understanding emerging attack vectors. However,
many businesses and government entities shy away from reporting intrusions for fear of
exposure to public scrutiny and because revealed exploitations may cause clients to flee, impact
potential new sales and damage their stock price. Both perspectives are valid, but the truth is
that organizations simply aren’t reporting security breaches. In the aptly titled article, “Security
trumps secrecy in cyber fight-prosecutor”, published by Reuters in January of 2012, it was
reported that “cyber security experts say that corporations rarely acknowledge breaches, and
often keep them secret from law enforcement…”. However, there is now a fear of prosecution
among those companies that refuse to publicly disclose security compromises impacting sensitive
personal and financial data. The system of disclosure is challenging for businesses, as there is
no incentive within the market to offer full disclosure; there is only a disincentive to come clean
about breaches. However, with more disclosure prosecutions, the culture of revealing
compromises may change over time. One company’s disclosure could prevent hundreds of
future attacks. Shared information becomes a part of open source collective intelligence,
providing IT administrators with the information necessary to close holes within their systems
that they may never have been privy to without full disclosure.
Common Countermeasures
With reference to common attacks through the TCP/IP suite and through effective social
engineering, security professionals need to constantly maintain vigilance. Common
countermeasures are put in place and then are constantly evolving as new threats are revealed.
Some common countermeasures include, but are not limited to, using strong authentication,
avoiding storing sensitive data or passwords as plaintext, using tamper-resistant protocols,
creating secure audit trails, using strong authorization, validating and filtering network inputs,
using the principle of least privilege, updating software and firmware as patches become
available, using strong physical security for sensitive devices and system access points, using
secure protocols during sessions, educating users on appropriate security protocols, disabling
unnecessary services, and properly installing and configuring network access points, hardware,
and software (Meier, Mackman, Dunner, Vasireddy, Escamilla, and Murukan, 2003). [Note: See
Appendices A and B, which are tables provided by Microsoft, that illustrate threats and
countermeasures for a variety of known exploitations.] Ultimately, the security professional
must determine, based on time, budget, and other variables, where efforts should be placed in
implementing countermeasures in protecting computer systems. As mentioned prior, NIST has
provided a framework for the computer professional to consider when securing systems based on
vulnerability, threat-source, threat action, threat likelihood, and risk level (Stoneburner, Goguen,
and Feringa, 2002). The IT professional faces a cost-benefit conundrum similar to the one
that faces the hacker, although the variables and incentives differ.
Most Important Security Vulnerability Today
The debate over what is the single greatest threat to cyberspace is an oft-discussed topic
online and offline. Perspectives differ by person, business and government security expert. One
must take into consideration the vulnerability, threat source, and possible outcome. For a person
with a home business, his perspective of a DoS attack on his home computer network differs
greatly from a company focusing solely on ecommerce. Additionally, the Pentagon’s concerns
differ from that of the ecommerce company. However, from an enterprise level perspective, the
biggest threat facing IT security experts today is ensuring that hardware devices and software are
properly updated and patched. Security protocols should include routine research to ensure
systems are up-to-date with the most recent service packs. This perspective was echoed during a
recent interview with Commander Cliff Neve, the Chief of Staff of the United States Coast
Guard Cyber Command. “The answer [to ‘What is the biggest IT security challenge today?’]
is… unpatched systems. I very, very highly recommend checking” out the Australian Defence
Signals Directorate’s article “Strategies to Mitigate Targeted Cyber Intrusions” (Cdr. C. Neve,
USCG Cyber Command, personal communication, January 31, 2012). Many known vectors of
attack are well documented. If an IT manager has thousands of computers to monitor and
patch because they are not up to date, his systems are at risk from the first time a new
vulnerability makes it to the public. However, most common attack vectors have been known
for years (e.g., buffer overflow, IP spoofing, sniffing, fingerprinting, and footprinting). It is the
old software and hardware that has been deprecated, and no longer supported, that puts a
network at risk. However, there are some solutions to part of this issue. There is an entire
industry of security professionals that provide software services to ensure that newly discovered
viruses are public knowledge as soon as possible – McAfee, Kaspersky, and Symantec are well
known software providers in this industry. New libraries and patches are provided on a routine
basis through service level agreements, and for particularly well-publicized outbreaks or security
exploitations, instant updates are sometimes available. If a hacker becomes aware of a new
attack vector, after educating himself, in a few hours he can be fingerprinting and footprinting
systems to find this newly disclosed vulnerability, and perhaps be inside of a system causing
harm within a matter of 24 hours. If someone has installed a virus protection system, but does
not continue to update the library of potential threats, they will become vulnerable to any new
virus that is not already in their library. Additionally, service packs (SP) are routinely released
for operating systems, enterprise-level software, servers, and standard home software. These SPs
are normally released as an update fixing program issues that might cause it to crash.
Additionally, they can fix complaints about the user experience, user interface or possibly add
new feature sets as a benefit to the owner before an entirely new version of the software is
released to the public. However, many service packs are distributed to patch a known
vulnerability within the software. If an IT professional delays or never installs a service pack,
the software will continue to hold the vulnerabilities built into it. And as each day passes and
more hackers are aware of the vulnerability affecting unpatched systems (i.e., software without
the service pack installed), the more likely that software is to be exploited.
Beyond software, many older hardware devices have firmware on them that provides
configuration settings and software features built into them. For example, if a router made in
2004 is still on a network in 2012, the device is now 8 years old and may be susceptible to an
exploit because it hasn’t been patched since the initial firmware was placed on the device.
Sometimes network device configuration settings contribute to a hacker’s attempt at
fingerprinting and footprinting, responding to external requests and providing information that is
no longer a part of network best practice due to security risk. Firmware updates normally patch
known vulnerabilities in a device and sometimes allow the device to perform more efficiently.
Although the single largest vulnerability to IT professionals may be keeping hardware
and software up-to-date to ensure emerging vulnerabilities are removed, simply patching
everything on a daily basis may be too much for an enterprise level network to take on.
However, through a cost-benefit analysis, taking into consideration a variety of variables, an IT
professional can create security protocols to handle the required updates that patch vulnerabilities
that hackers may exploit. By not patching known vulnerabilities, a network is open to common
attacks that may cause grave damage to a person, business or government institution.
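The cost-benefit analysis described here, and the NIST framework cited under Common Countermeasures, can be turned into a patch queue. The following is an added example, not code from NIST or from this paper: it scores each asset with the likelihood and impact values of the risk-level matrix in the NIST guide (Stoneburner et al., 2002) and orders the backlog by risk. The inventory, the as-of date and the rules that turn patch age and exposure into a likelihood rating are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Values of the NIST SP 800-30 (2002) risk-level matrix.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class Asset:
    name: str
    impact: str                           # consequence if exploited
    internet_facing: bool
    vendor_supported: bool                # False: deprecated, no patches will come
    oldest_missing_patch: Optional[date]  # release date; None if fully patched


def days_exposed(asset, today):
    """Days since the oldest uninstalled security patch was released."""
    if asset.oldest_missing_patch is None:
        return 0
    return max((today - asset.oldest_missing_patch).days, 0)


def likelihood(asset, today):
    """Assumed rating rules for this example (the thresholds are not NIST's)."""
    if not asset.vendor_supported:
        return "high"                     # known flaws can never be closed
    if asset.oldest_missing_patch is None:
        return "low"
    days = days_exposed(asset, today)
    if asset.internet_facing:
        return "high" if days >= 1 else "medium"
    return "medium" if days >= 30 else "low"


def risk_level(score):
    """NIST risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def prioritize(assets, today):
    """Return (name, score, level, days exposed), highest risk first."""
    rows = []
    for a in assets:
        score = round(LIKELIHOOD[likelihood(a, today)] * IMPACT[a.impact], 1)
        rows.append((a.name, score, risk_level(score), days_exposed(a, today)))
    # Ties on score go to the asset that has been exposed longest.
    rows.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return rows


# Constructed inventory and as-of date.
AS_OF = date(2012, 1, 31)
INVENTORY = [
    Asset("dev-ws-17", "medium", False, True, None),
    Asset("edge-router-2004", "high", True, False, None),
    Asset("hr-db", "high", False, True, date(2011, 11, 1)),
    Asset("mail-gw", "medium", True, True, date(2012, 1, 31)),
    Asset("print-srv", "low", False, True, date(2011, 6, 1)),
    Asset("web-01", "high", True, True, date(2012, 1, 10)),
]

if __name__ == "__main__":
    for name, score, level, days in prioritize(INVENTORY, AS_OF):
        print(f"{name:18} score={score:5} {level:6} exposed={days}d")
```

An unsupported device such as the constructed `edge-router-2004` stays at the top of the list no matter how often the queue is worked, because no patch will ever lower its likelihood; the only action that changes its score is replacement.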
Appendix A: Table 1 – Microsoft’s STRIDE Threats and Countermeasures
Source: Microsoft Developer Network, Improving Web Application Security, Chapter 2: Threats and Countermeasures, http://msdn.microsoft.com/en-us/library/ff648641.aspx
Note: STRIDE is an acronym used by Microsoft for the following vulnerabilities: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
Appendix B: Table 2 – Microsoft’s Threats by Application Vulnerability Category
Source: Microsoft Developer Network, Improving Web Application Security, Chapter 2: Threats and Countermeasures, http://msdn.microsoft.com/en-us/library/ff648641.aspx
References
2011 state of security survey. (2011, August 31). Symantec. Retrieved from
http://www.symantec.com/connect/blogs/2011-state-security-survey
Ashford, W. (2012, January 13). Public sector sees cybercrime as rising threat. Computer
Weekly. http://www.computerweekly.com/news/2240113782/Public-sector-sees-
cybercrime-as-rising-threat
Ansanelli, J. (2003, June 24). Testimony of Joseph Ansanelli, chairman and CEO of Vontu, Inc.
The Committee on Financial Services, United States House of Representatives. Retrieved
from http://financialservices.house.gov/media/pdf/062403ja.pdf
Carr, J., & Shepherd, L. (2010). Inside cyber warfare. Sebastopol, Calif: O'Reilly Media, Inc.
Chen, T. & Walsh, P. J. (2009). Guarding Against Network Intrusions. In J. R. Vacca Computer
and Information Security Handbook. Amsterdam: Elsevier.
Cliff, A. (2001, July 3). Intrusion detection systems terminology, part one: A – H. Symantec.
Retrieved from http://www.symantec.com/connect/articles/intrusion-detection-systems-
terminology-part-one-h
Coleman, K. (2011, July 7). Digital Conflict. Defense Systems. Retrieved from
http://defensesystems.com/blogs/cyber-report/2011/07/human-vulnerability-computer-
systems.aspx
The Comprehensive National Cybersecurity Initiative. (n.d.) The White House, President Barack
Obama. Retrieved from http://www.whitehouse.gov/cybersecurity/comprehensive-
national-cybersecurity-initiative
Dhamankar, R., et al. (2009, September). The top cyber security risks. SANS. Retrieved from
http://www.sans.org/top-cyber-security-risks
Efrati, A. and Gorman, S. (2011, June 2). Google mail hack blamed on China. Wall Street
Journal. Retrieved from
http://online.wsj.com/article/SB10001424052702303657404576359770243517568.html
FBI says hackers hit key services in three US cities. (2011, December 2011). BBC. Retrieved
from http://www.bbc.co.uk/news/technology-16157883
Gottlieb, P. J. B., CDR. (2010). Cyberspace vs. cyber strategy. American Intelligence Journal,
28 (2), 18-25.
Granger, S. (2001, December 18). Social engineering fundamentals, part 1: Hacker tactics.
Symantec. Retrieved from http://www.symantec.com/connect/articles/social-engineering-
fundamentals-part-i-hacker-tactics
Gregg, M. (2006, June 9). Certified Ethical Hacker Exam Prep: Understanding Footprinting and
Scanning. Pearson IT Certification.
Hadnagy, C. (2010). Social Engineering: The Art of Human Hacking. Indianapolis, Indiana: John
Wiley and Sons.
Hassell, J. (2006, June 8). The top five ways to prevent IP spoofing. Computer World. Retrieved
from http://www.computerworld.com/s/article/9001021/The_top_five_ways_to_prevent_IP_spoofing
Hess, M. (2011, December 19). Security tips from a legendary hacker. CBS News. Retrieved
from http://www.cbsnews.com/8301-505143_162-57344282/security-tips-from-a-
legendary-hacker/
Ispitzner. (2011, February 7). Book review – Social engineering. SANS (Securing the Human).
Retrieved from http://www.securingthehuman.org/blog/2011/02/07/book-review-social-
engineering-2
Jackson, D. (2011, May 12). Obama team unveils cybersecurity plan. USA Today. Retrieved
from http://content.usatoday.com/communities/theoval/post/2011/05/obama-team-
unveils-new-cybersecurity-plan/1
Kim, J. (2012, January 19). Many security breaches go unreported. Fierce Compliance IT.
Retrieved from http://www.fiercecomplianceit.com/story/many-security-breaches-go-
unreported/2012-01-19
Knickerbocker, B. (2012, January 13). Bradley Manning: How alleged intelligence leaker will
defend himself. Christian Science Monitor. Retrieved from
http://www.csmonitor.com/USA/Justice/2012/0113/Bradley-Manning-How-alleged-
intelligence-leaker-will-defend-himself
Kshetri, N. (2006). The simple economics of cybercrimes. IEEE Security and Privacy,
January/February, 33-39. Retrieved from
http://see.xidian.edu.cn/hujianwei/papers/098-The%20Simple%20Economics%20of%20Cybercrimes.pdf
Kroll announces top ten cyber security trends for 2012. (2011, December 14). Kroll | Cyber
Security and Information Assurance. Retrieved from
http://www.krollfraudsolutions.com/about-us/press-releases/kroll-announces-top-ten-
cyber-security-trends-for-2012.aspx
Lohrmann, D. (2012, January 4). 2012 Cybersecurity trends to watch in government.
Government Technology. Retrieved from http://www.govtech.com/blogs/lohrmann-on-
cybersecurity/2012-Cybersecurity-Trends-to-010412.html
Libicki, M. C. (2009). Cyberdeterrence and cyberwar. Retrieved from
http://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG877.pdf
Libicki, M. C. (2009). The information environment. In America’s Security Role in a Changing
World: Global Strategic Assessment 2009, 53-55.
Lynn, III, W. J. (2010, September/October). Defending a new domain: The Pentagon's
cyberstrategy. Foreign Affairs. Retrieved from
http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain
Mallery, J. (2009). Building a secure organization. In Vacca, J.R. (Ed.), Computer and
Information Security Handbook (pp 3-22). Burlington, MA: Elsevier.
Mateti, P. (2006). TCP/IP Suite. In Bidgoli, H. (Ed.), Handbook of Information Security.
Bakersfield, California: John Wiley & Sons, Inc.
Meier, J.D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R. and Anandha Murukan.
(2003, June). Improving Web Application Security, Chapter 2: Threats and
Countermeasures. Microsoft Developer Network. Retrieved from
http://msdn.microsoft.com/en-us/library/ff648641.aspx
Mick, J. (2011, June 19). Reports: Hackers use stolen RSA information to hack Lockheed
Martin. Daily Tech. Retrieved from
http://www.dailytech.com/Reports+Hackers+Use+Stolen+RSA+Information+to+Hack+Lockheed+Martin/article21757.htm
Milevski, L. (2011, October). Stuxnet and strategy: A space operation in cyberspace. Joint Force
Quarterly (63). Retrieved from http://www.ndu.edu/press/stuxnet-and-strategy.html
Miller, R. A. and Kuehl, D.T. (2009, September). Cyberspace and the “First Battle” in 21st-
century war. Defense Horizons (68). Center for Technology and National Security Policy.
Retrieved from http://www.ndu.edu/press/lib/pdf/defense-horizons/DH-68.pdf
Mills, E. (2008, July 21). Kevin Mitnick: Social engineering 101. ZDNet.
http://www.zdnet.com.au/kevin-mitnick-social-engineering-101-339290739.htm
McClure, S., Scambray, J., & Kurtz, G. (2009). Hacking exposed 6: Network security secrets &
solutions. New York: McGraw-Hill.
Meier, J.D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R. & Murukan, A. (2003,
June). Threats and countermeasures. Microsoft. Retrieved from
http://msdn.microsoft.com/en-us/library/ff648641.aspx
Montalbano, E. (2011, December 28). Aggressive phishing attack targets military personnel.
Information Week. Retrieved from
http://www.informationweek.com/news/government/security/232301104
Moore, R. (2005). Cybercrime: Investigating High Technology Computer Crime. Matthew
Bender & Company.
Overview of cyber vulnerabilities. (n.d.). US-CERT (United States Computer Emergency
Readiness Team). Retrieved from http://www.us-cert.gov/control_systems/csvuls.html
Perera, D. (2011, May 9). Application vulnerabilities chief among federal cybersecurity
concerns. Fierce Government IT. Retrieved from
http://www.fiercegovernmentit.com/story/application-vulnerabilities-chief-among-
federal-cybersecurity-concerns/2011-05-09
Security trumps secrecy in cyber fight-prosecutor. (2012, January 12). Reuters. Retrieved from
http://newsandinsight.thomsonreuters.com/Legal/News/2012/01_-_January/Security_trumps_secrecy_in_cyber_fight-prosecutor/
Sternstein, A. (2012, January 23). Hackers manipulated railway computers, TSA memo says.
NextGov. Retrieved from http://www.nextgov.com/nextgov/ng_20120123_3491.php?oref=topstory
Stoneburner, G., Goguen, A. and Alexis Feringa. (2002, July). Risk management guide for
information technology systems. National Institute of Standards and Technology (NIST).
Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Strategies to mitigate targeted cyber intrusions. (n.d.) Australian Government, Department of
Defence, Intelligence and Security. Retrieved from http://www.dsd.gov.au/infosec/top-
mitigations/top35mitigationstrategies-list.htm
Tanase, M. (2003, March 11). IP spoofing: An introduction. Symantec. Retrieved from
http://www.symantec.com/connect/articles/ip-spoofing-introduction
Vacca, J. R. (Ed.). (2009). Computer and Information Security Handbook. Amsterdam: Elsevier.
Valacich, J. & Schneider, C. (2012). Information Systems Today: Managing in the Digital World.
Boston: Prentice Hall.
Velasco, V. (2000, November 21). Introduction to IP spoofing. SANS (SysAdmin, Audit,
Network, Security) Institute. Retrieved from
http://www.sans.org/reading_room/whitepapers/threats/introduction-ip-spoofing_959