Information Security Planning A Practical Approach 2nd Edition Susan Lincke
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Paper in this product is recyclable.
Preface: How to Use This Book
This book is useful in organizational security planning. This text was written for people who are not computer experts, including business managers or owners with no previous IT background, or overworked IT staff and students, who are looking for a shortcut in understanding and designing security. The text has examples to help you understand each required step within the workbook. The best design will eventually involve both business and IT/security people.
This second edition of the book is an international edition, covering the worldwide standard: Payment Card Industry Data Security Standard (PCI DSS), the European GDPR, and American security laws with a special chapter on HIPAA/HITECH. This edition also has chapters on data privacy, forensic analysis, advanced networks (cloud and zero trust), ethics, and an expanded section on secure software.
The associated Security Workbook has been designed to guide security neophytes through the security planning process. You may edit this Microsoft Word version of the Security Workbook for your own organization’s use. This tool is available from your text download site or the book’s web site at https://sn.pub/lecturer-material.
This book can be used out of order, although it is recommended that you read Part I to understand security threats, before proceeding to later parts. Reading the applicable chapters in Part V on regulation (European GDPR and diverse US laws) is also a good way to understand the security challenges and prioritize your required planning. Following an understanding of the threats, PCI DSS requirements and applicable regulation, Chap. 5 on Business Continuity and Chap. 7 on Information Security are very important before proceeding to Chap. 8 on Network Security and later. While you may execute the chapters out of order, each applicable chapter is important in making your organization attack-resistant.
Optional topics may be applicable to your organization. Part VI—Developing Secure Software—is only applicable for software engineers. Since this is an international edition, laws for nations outside your home country may or may not be applicable, depending on where you do business. The forensic analysis, information privacy, cloud/zero trust, and governance topics may be applicable depending on your organizational role and technical abilities, and your company’s regulation and network configuration.
Advanced sections within some chapters are optional reading and not absolutely necessary to develop initial security plans. They offer a broader knowledge base to understand the security environment and address relevant background topics that every security professional should know.
It is important to recognize that even large well-funded organizations with full-time professional security staff cannot fully secure their networks and computers. The best they can do is to make the organization a very difficult target. The problem with security is that the attacker needs to find one hole, while the defender needs to close all holes—an impossibility. However, with this text you are well on your way to making your organization attack-resistant.
This book guides security planning for a simple-to-medium level security installation. After your design is done, you must implement your plan! While you can do much security planning without IT/security expertise, eventually IT experts are needed to implement the technical aspects of any plan. It will be useful at that time to discuss your security design with your IT specialists, be they in-house or external. Alternatively, if you are technical, you will need cooperation from business management to understand where sensitive data lies and regulatory concerns, in order to plan organizational security well.
For organizations requiring a high level of security, such as banks and military, this text is a start but is insufficient by itself. This book is a stepping stone also for organizations that must adhere to a high level of security regulation and standards. The best implementation can start with this book, but must also address each item of each regulation or standard your organization must adhere to.
For the Educator
This book has aspects for course differentiation, to be useful to the professional, technical, business, and potentially medical educational communities; and also from lower level to introductory graduate courses.
For the security professional or service-learning educator, some chapters can be read and performed out of order (or in order of reader priority). The prerequisite understanding is always described at the beginning of each section and the beginning of each chapter.
Each chapter ends with a small set of questions and one or more case study exercises. The questions are meant for simpler levels of sophistication, such as a review of vocabulary, web research into more resources, and application of the workbook for varying industries and security regulations.
The more sophisticated course can delve into a longitudinal case study, either in an industry of the student groups’ choosing or on the Health First Doctor’s Office, which must adhere to HIPAA or GDPR. These case studies use the Security Workbook for organizational security planning. The case study can be used as group homework or active learning exercise in class. Alternatively, students can use the Security Workbook for service learning purposes, working with real organizational partners in the community.
For technically minded instructors and students, there is a section on Secure Software, covering threats, secure development processes, and secure designs using agile (evil user stories) or traditional (UML) styles. A special set of case studies are available just for software developers to use in combination with a Security Requirements Document for secure software planning.
Addressing Educational Criteria
For American universities wishing to achieve a National Security Agency (NSA) designation, this book attempts to address the Center of Academic Excellence Cyber Defense (CAE-CD) plan for 2020, including some Mandatory and Optional Knowledge Units (KU). While the book has not been submitted or approved by the NSA, the author has attempted to address each item in their list, to simplify the accreditation process. The book attempts to cover the entirety of the CAE-CD Nontechnical Core requirements. Often ‘Advanced’ sections cover more sophisticated topics beyond security planning. Very technical subjects (e.g., programming, networks, operating systems) are meant to be covered in other courses. CAE-CD Knowledge Units addressed include:
• Foundational: Cybersecurity Principles
• Technical Core: Network Defense
• Nontechnical Core: Cyber Threats, Cybersecurity Planning and Management, Policy, Legal, Ethics, and Compliance, Security Program Management, Security Risk Analysis
• Optional KUs: Basic Cyber Operations, Cyber Crime, Cybersecurity Ethics, Fraud Prevention and Management, IA Compliance, Life-Cycle Security, Privacy
• Optional KUs at Introductory Level: Cloud Computing, Digital Forensics, Software Assurance, Secure Programming Practices
The last category, Optional KUs at Introductory Level, introduces the vast majority of topics in the KU but generally lacks one or more deeply technical exercises that are required as outcomes.
The text also meets most 2013 ACM Information Assurance and Security “Core” requirements for Computer Science, including Foundational Concepts, Principles of Secure Design, Defensive Programming, Threats and Attacks, and some of Network Security. Addressed electives include Security Policy, Secure S/W Engineering, and most of Web Security. The mapping of requirements to chapters is outlined on the companion web site.
Finally, the base of this text is derived from ISACA’s Certified Information Systems Auditor® (CISA) and Certified Information Security Manager® (CISM) study guides related to security. Other parts of these guides are generally covered by other courses, such as project management, networking, and software engineering. Students may pass these exams with additional study, particularly using ISACA’s CISA or CISM question disks.
Teaching Aides for the Security Instructor
Many materials are available with this text for your teaching use. Instructor/student materials are included on the companion web site, at https://sn.pub/lecturer-material. Extra materials include the following:
1. Lecture PowerPoints: PowerPoint lectures include end-of-lecture questions for discussion in class. These questions are patterned after ISACA’s CISA and CISM questions.
2. Security Workbook: The security workbook guides student teams through a design. There are two ways for student teams to develop a security plan. Option 1: designs a hypothetical organization of student teams’ choosing, e.g., in retail, hospitality, government, healthcare, financial, or software services. This has the advantage that students can contrast security plans for different types of businesses in the same course, through student presentations. Option 2: The Health First Case Study is a detailed case study. This has the advantage that details are available for the business.
3. Health First Case Study, Security Workbook, and Solution: A case study involving security planning for a hypothetical Health First doctor’s office is available for classroom use. Each chapter on security design in this text has at least one associated case study to choose from, within the Health First Case Study. This case study includes discussion by the Health First employees, discussing the business scenario. The Security Workbook guides students through the security process. A solution is available on the companion web site for instructors. If you choose to do the case study, it is helpful to understand/present the applicable American Health Insurance Portability and Accountability Act (HIPAA) regulation or European GDPR before starting the case study.
4. Health First Requirements Document Case Study: The Secure Software chapter enthuses students who intend to be software or web developers. The Health First Case Study includes cases where students add security to a professional Requirements Document. A security-poor Requirements Document is available for download.
5. Instructor Guide: There is a guide on how to use this case study in your classroom. You may also use the Security Workbook as a service learning exercise with small businesses, who often welcome the free help, if you choose.
Disclaimer
The author and publisher do not warrant or guarantee that the techniques contained in these works will meet your requirements. The author is not liable for any inaccuracy, error, or omission, regardless of cause, in the work or for any damages resulting therefrom. Under no circumstances shall the author be liable for any direct, indirect, incidental, special, punitive, consequential, or similar damages that result from the use of, or inability to use, these works.
Kenosha, WI, USA
Susan Lincke
Acknowledgments
Many thanks go to people who used or reviewed the materials, or assisted in the development of the case study for the first and/or second edition. They include Matt McPherson, Viji Ramasamy, Tony Aiello, Danny Hetzel, Stephen Hawk, David Green, Heather Miles, Joseph Baum, Mary Comstock, Craig Baker, Todd Burri, Tim Dorr, Tim Knautz, Brian Genz, LeRoy Foster, Misty Lowery, and Natasha Ravnikar, as well as the University of Wisconsin-Parkside for funding my sabbatical for the first edition. Thanks also to the National Science Foundation, who funded the development of the workbook and case study (though this work does not necessarily represent their views). Finally, thanks to the organizations and people who worked with my students in service learning projects and who must remain anonymous.
The case of Einstein University represented in this text is purely fictional and does not represent the security plan of any actual university.
Kenosha, WI, USA
Susan Lincke
5.6 Questions
5.6.1 Health First Case Study Problems
6.1 Documenting Security: Policies, Standards, Procedures and Guidelines
6.2 Maturing the Organization via Capability Maturity Models and COBIT
6.3 Strategic, Tactical and Operational
6.4 Allocating
6.5 Questions
7.1 Important Concepts and Roles
7.2 Step 1: Classify Data for CIA
7.3 Step 2: Selecting Controls
7.3.1 Selecting AAA Controls
7.3.2 Authentication: Login or Identification
7.3.3 Authorization: Access Control
7.3.4 Accountability: Logs
Audit
8.3.2 Authenticity & Non-Repudiation
8.3.3 Integrity Controls
8.3.4 Anti-Hacker Controls
8.4 Defining the Network Architecture
Step 5: Draw the Network Diagram
8.5 Advanced: How it Works
8.6 Questions
8.6.1 Health First Case Study
15 Performing an Audit or Security Test
15.1 Testing Internally and Simple Audits
15.1.1 Step 1: Gathering Information, Planning the
15.1.2 Step 2: Reviewing Internal Controls
Step 4: Preparing and Presenting the Report
15.2 Example: PCI DSS Audits and Report on Compliance
15.3 Professional and External Auditing
Variations
Part V Complying with National Regulations and Ethics
17.4.7 Right to Not Be Subject to a Decision Based Solely on Automated Processing (Article 22)
17.4.8 Rights of Remedies, Liabilities and Penalties (Articles 77–79)
17.4.9 Privilege of Notification (Article 13, 14)
of Communicated Response (Article 12)
Privilege of Protection of Special Groups (Article 9, 10)
17.5 Restrictions to Rights (Article 23)
Part I The Problem of Security
This section explains why security is an issue that must be addressed. It delves into current problem areas that certain industries may specifically need to address, related to hackers and malware (Chap. 1), social engineering and fraud (Chap. 2), and payment card standards, which organizations need to adhere to if they accept credit cards (Chap. 3). Regulation relating to security is also an area that needs to be addressed, but is in Part V, outlining United States and European Union regulation. Understanding inherent threats and security requirements well will help in later sections to define your organization’s specific security needs. Therefore, as you read through this section, consider which attacks might affect your industry and organization, and as part of the planning process, note them down.
Chapter 1 Security Awareness: Brave New World
When Leon Panetta, former U.S. Secretary of Defense, drives his internet-connected Lexus, he has careful (likely semi-serious) instructions for his passenger: “I tell my wife, ‘Now be careful what you say.’” – Nicole Perlroth, author, They Tell Me This Is How the World Ends, and NY Times cybersecurity writer [1]
Computer security is a challenge. An attacker only needs to find one hole…but a defender needs to close all holes. Since it is impossible to close all holes, you can only hope to close most holes, layer defenses (like you layer clothes when going out in the freezing cold), and hope that the intruder will find an easier target elsewhere. How do you close most holes? The first step is to educate yourself about security and ways crackers attack. The next step is to ensure that all employees understand their roles in guarding security. This chapter is about educating yourself about malware, hacking and the motives of computer attackers, and how to start to defend the simplest of devices: your mobile and home computers.
1.1 With Security, Every Person Counts
Imagine you open 20+ emails daily. Today you receive one with a promising video. You click to download it. Most emails are innocuous, but this one contains hidden malware. While you enjoy your video, the video is also secretly executing a worm and turning your computer into a zombie or copying password files. You are now, unknowingly, infected (but the video was cool!). Alternatively, an infected email, called a phish, may claim to be from someone in your organization sending you an infected Word or Excel document, but appearing to be a routine business email. Installing malware within a network is only the first step that an attacker would take in order to get a foothold in the network. But their end goal is likely to be:
• exfiltrating (or downloading) confidential or proprietary business or government information for espionage, competitive and/or financial cybercrime reasons;
• financial extortion through damaging your files, overwhelming your servers, and/or promising to publish confidential data if their fee is not paid;
• disruption of business, by damaging equipment or overwhelming webpages, e.g., for information warfare purposes;
• financial theft through impersonating a vendor, increasing advertising clicks, or other fraudulent activities (covered in Chap. 2).
1.2 Attackers and Motives
Business managers, computer programmers, or others employed in an IT/security field should be aware of how an organization can be attacked, beyond user security awareness. Threats may arise from disgruntled employees or contractors, political enemies, financially-motivated criminals and spies or spying governments. This chapter reviews each of these in turn. Consider which of these might be prioritized as risks for your organization.
1.2.1 Cybercrime
In most attacks, the attacker has criminal intent. The attacker’s goal may be extortion: encrypting crucial disks and demanding payment to decrypt them. Ransomware (e.g., CryptoLocker) can corrupt backups before demanding payment [39]. Often there is an explicit threat that the organization’s confidential information will be released. Thus, even if there is a good backup to recover the database, extortioners may demand you pay to prevent public disclosure. In May of 2021, Colonial Pipeline’s network was ransomed; the company took down their entire gas line system, affecting sales of 45% of gasoline, diesel, and jet fuel to the U.S. east coast for nearly 1 week, affecting business all along the coast [31]. Colonial Pipeline paid $5 million to the ransomers.
Extortion may also be demanded for a Distributed Denial of Service (DDOS) attack, where an organization’s network or prime web server is overwhelmed with fake transactions, and the ransomers demand payment to stop [39]. Verizon’s 2022 Data Breach Investigation Report indicates that DDOS attacks generate a median of 1.3 Gbps of packets for 4 hours. The vast majority of organizations experience attacks fewer than 10 times per year, unless they are a heavy target [2].
Data breaches, whether used with ransomware or simply to obtain information for sale or use, are also primarily committed for cybercrime purposes. Verizon’s 2022 Data Breach Investigation Report also indicates that stolen information includes personal (77%), medical (43%), other (15%) and bank (9%) [2]. Personal, medical and financial information can be sold or used for information theft purposes.
It is important to understand the cost of ignoring security. Company websites are also prone to breaches for cybercrime reasons. In July, 2013, five foreign hackers stole and sold 160 million credit card numbers from a number of companies, including J.C. Penney, 7-Eleven, JetBlue, Heartland Payment Systems (a credit/debit processing company), Citibank, PNC Bank, Nasdaq, supermarket Hannaford, and the French retailer Carrefour. The technique used by these criminals was an SQL Injection Attack, where a criminal alters database commands by manipulating forms at websites, in order to extract or change information in the database. Heartland disclosed that it lost $200 million with the credit card losses [3].
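The SQL injection weakness described above, seen from the defender's side in an added example (not code from the book): a form lookup that builds its SQL command by string concatenation, beside the parameterized form that corrects it. The table, function names and sample rows are constructed for illustration and use Python's standard sqlite3 module.

```python
import sqlite3

# Constructed sample data for illustration; not taken from any real system.
SAMPLE_ROWS = [
    ("alice", "1111"),
    ("bob", "2222"),
    ("o'brien", "3333"),
]


def make_db():
    """Build an in-memory database holding the constructed customer rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return db


def lookup_vulnerable(db, form_name):
    """Weak form handler: the form text becomes part of the SQL command."""
    query = (
        "SELECT name, card_last4 FROM customers WHERE name = '"
        + form_name + "'"
    )
    return db.execute(query).fetchall()


def lookup_parameterized(db, form_name):
    """Corrected handler: the form text is bound as a value, never parsed as SQL."""
    query = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return db.execute(query, (form_name,)).fetchall()


def compare(form_name):
    """Run both handlers on the same form input and report what each returns."""
    db = make_db()
    try:
        weak = lookup_vulnerable(db, form_name)
    except sqlite3.Error as exc:
        # A quote in the input can also simply break the concatenated command.
        weak = "error: " + type(exc).__name__
    safe = lookup_parameterized(db, form_name)
    db.close()
    return weak, safe


if __name__ == "__main__":
    # Constructed form inputs: a normal name, a manipulated value, and a
    # legitimate name that happens to contain a quote character.
    for text in ["alice", "x' OR '1'='1", "o'brien"]:
        weak, safe = compare(text)
        print(repr(text))
        print("  concatenated :", weak)
        print("  parameterized:", safe)
```

With the manipulated input the concatenated handler returns every row in the table, while the parameterized handler returns none; the legitimate name containing a quote works only in the parameterized handler.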
A final way for cybercriminals to make money is through the sale of malware (malicious software or attack software). Web cracking is lucrative, attracting organized crime who often live outside the countries they are attacking. Crime rings tend to have specialized skills, where each person has a specific role: the skilled person who breaks into sites, the person who extracts credit card information, and the person who sells the data [3]. When caught internationally, they can be extradited to the country where the crime was committed. One well-known crime ring is the Russian Business Network, which specializes in malware, identity theft, and child pornography [6].
An antidote to web cracking is skilled penetration testing (or pen testing). Criminals do this with your website, so you too must find all security holes before they do. If an organization develops any software or firmware, it is important to have programmers who are skilled in software security develop or review all code.
1.2.2 Espionage
Spying and disruption are the goals of some governments and hacker groups. Theft of intellectual property is a case where a company puts money into designing a product, but soon finds it must compete with a foreign company that stole its design. Chinese tactics to obtain information include purchasing high-tech companies, sharing trade secrets in exchange for access to the Chinese market, and theft through secret installations of Trojan horses and exfiltration. Another technique is to invite Chinese nationals from the U.S. or Europe to present their expertise in technologies at Chinese conferences, wine and dine them, take them on sightseeing tours with all expenses paid, pay a speaker fee, and then ask for more information in a continuing relationship [33]. Defenses include prohibiting presentations on corporate technologies, with companies minimally firing employees for violations. Jail sentences have ranged from 27 months to 20–24 years for spy recruiters.
Spying also occurs for internal government information and control. It is believed that China used infected, command-and-control email against embassies, foreign ministries, Chinese dissidents and Tibetan exile centers in 2009. The Canadian government was infected with a spyware virus in 2011 that was traced back to China [23].
The New York Times has published its experience with a Chinese intrusion, which is an example of a lengthy targeted attack, called an Advanced Persistent Threat (APT). It is described here because of the depth of information provided by their story [21]. Hackers most likely gained initial entrance through spear phishing, set up backdoors into users’ machines, and then installed 45 pieces of custom malware, the majority of which was not recognized by antivirus software. Hackers also stole passwords for every Times employee and proceeded to hack into the personal computers of 53 employees. Security experts indicate that the Chinese were interested in learning about informants for reports relating to China’s prime minister, Wen Jiabao. Fortunately, they left customer data alone. Hacker teams started their attacks at 8 AM Beijing time, and hacked continuously, sometimes until midnight. Attacks were launched through American universities, which have labs filled with computers. After 4 months of attacks, the New York Times finally managed to eliminate the Chinese threat, through the assistance of the Mandiant Security Company. The Wall Street Journal and Washington Post have also reported being hacked [44]. Cybercrime organizations also use APT on other industries, but those stories are rarely published for privacy purposes.
One advanced persistent threat technique that emerged in 2020 was the Supply Chain attack, where a criminal organization implanted malware into a software product of a victim organization (SolarWinds), which was then unknowingly uploaded as updates into 18,000 organizations that used that software product [32, 34]. This particular attack was believed to be instigated by the Russian government corrupting a tool within the JetBrains IDE tools. This demonstrates a vulnerability in the use of third party software. However, it is still recommended that patches be applied to your software, since most patches fix security issues and defects, while supply chain attacks are still rare.
The Surveillance State is where a government monitors Internet traffic and data. In the suspicious years following the 9/11 attacks, the U.S. National Security Agency (NSA) and/or Federal Bureau of Investigation (FBI) intimidated a number of organizations, including Verizon, Google, Yahoo, Microsoft and Facebook, and gag orders prevented companies from speaking out [15]. Edward Snowden’s releases uncovered that nearly 200 million records were sent to NSA from Yahoo and Google for December, 2012, including email metadata (headers) and content [16]. The NSA has requested or manipulated companies to water down encryption algorithms; install backdoors in software products; as well as provide communication data [17].
One story that has emerged is the story of Lavabit, a company which provided secure email services [40]. Lavabit had been asked to place taps on a few accounts and had complied. However, in the spring of 2013, the FBI asked Ladar Levison, Lavabit’s founder, for a tap for Snowden. They asked for passwords for all his clients, the organization’s private key (which decrypts all encryptions sent by the company), and computer code. Levison attempted to negotiate to provide Snowden’s information daily, but the FBI wanted the information in real time (minute by minute). Levison was fined $5000 per day by a court until he provided it electronically. After 2 days, Levison provided the key electronically and closed his company down. That day, he wrote on his website: “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.” [19] Unfortunately, this government spying and intrusion is likely to make buyers wary of products from any countries involved in information warfare or surveillance state actions, due to disintegrated trust [41]. In response to Snowden leaks, American President Obama promised to name a new senior official to implement new privacy measures, to protect the American people, ordinary foreign people, and foreign leaders when a “compelling national security purpose” is not evident [20].
The surveillance state is aided by the surveillance industry. Today, the standard industry practice of selling customer information has in some cases become illegal, as privacy regulation requirements have been instituted in many nations and states. In 2022, Instagram’s violation of children’s privacy, which included publishing children’s email addresses and phone numbers, resulted in a European Union GDPR violation that totaled €405 million [38].
1.2.3 Information Warfare
Governments fear that the next wars will involve computer attacks to infrastructure, such as power, water, financial systems, military systems, etc., as part of Information Warfare. A goal would be to disrupt society, and certainly the loss of electricity, gas and water would do so [35]. Cyberweapons are extremely cheap compared to the military variety, and can cause as much or more damage with less military personnel exposure and with more anonymity (and thus deniability). Thus, protecting utilities and other critical infrastructure is of crucial priority.
The first publicized use of cyberweapons was the 2010 Stuxnet worm, reputedly developed by the U.S. and Israel. Stuxnet took out nearly 1000 Iranian centrifuges, or nearly one fifth of those in service within Iranian nuclear power plants [22]. Iran replied by attacking American banks and foreign oil companies [21].
Stuxnet was only the first attack on electric grids. Russia attacked Ukraine’s electric utility two cold Decembers in a row, 2015 and 2016, taking the entire grid down the second year and exposing many homes to no heat [29]. An earlier Russian method of cyber-warfare is DDOS, which was used against Estonian government, financial institutions and newspapers in 2007, and Georgian government websites and Internet infrastructure in 2008 [23].
Some ransomware is really meant to destroy or be a decoy for espionage operations – criminals will be happy to receive your ransom payment, with no intent to recover your data. With Petya/NotPetya, ransomers inflicted damage, while demanding payment. The Phonywall version served as a decoy: perpetrators stole information then wrote over disks to hide their tracks [30].
Crackers can threaten anything computerized, including personal cars and homes. Security researchers have shown that car brakes and steering could be remotely controlled [24]. Seven hundred home security cameras were hacked, and peoples’ private lives were put on display on webpages [25]. If a company does not protect its software products, by taking security very seriously, it can find its products hacked and its problems publicized in the news. In the U.S., the organization can then expect a very expensive visit from the Federal Trade Commission (FTC). The FTC may specify a 20-year-security compliance audit program (as it did for TRENDnet [25]) and may launch megafines when laws are violated. You will read more about this in chapters on regulation.
Hacktivism involves non-government groups attacking to achieve specific political causes (e.g., Mexican miner rights, WikiLeaks support) in illegal ways (e.g., DDOS attacks, defacing or taking down websites). For example, Anonymous is an example of an unorganized hacktivist organization, and Operation Payback involved a massive DDOS attack on Visa, MasterCard, Motion Pictures of America, and the Recording Industry of America for 5 months starting September 2010 [13]. Credit card companies were attacked after they suspended payment to WikiLeaks. In addition, some Anonymous members have been arrested for common credit card theft [14]. Hacktivism is a small portion of criminal cases, summing to about 1% of all forensically analyzed attacks [36].
If an organization has vital proprietary information or trade secrets, accepts credit cards, manages money, owns computers, creates products with software in them, and/or plays a vital role in a community, security is an issue. Criminals know small businesses are easier to break into. Small businesses make an attractive target because they tend to lack strong security [2], and attacks can and have put small companies out of business. Table 1.1 reveals that different exploits can be classified as part of cybersecurity history. Unfortunately, older threat types do not disappear as new threats emerge.
Hopefully this chapter has been informative and made you think of potential threats to your organization. The Security Workbook, available with this book, enables you to document these threats as part of the Workbook’s Chap. 2. Writing them there will help with future chapters. Questions to consider include:
(a) Select the threats which are a concern in your industry: experimentation/vandalism, hacktivism, cyber-crime, information warfare, intellectual property theft, surveillance state. List your threats in priority order and describe a scenario and the potential damage for each threat.
(b) List the exploits (or attacks) that are most serious and likely to occur in your workplace. For each exploit, describe what the impact might be for your workplace.
Table 1.1 History and categories of internet crime

| Threat type | Year: example threats |
|---|---|
| Experimentation | 1984: Fred Cohen publishes “Computer Viruses: Theory and Experiments” [26] |
| Vandalism | 1988: Jerusalem Virus deletes all executable files on the system, on Friday the 13th [5] |
| | 1991: Michelangelo Virus reformats hard drives on March 6, Michelangelo’s birthday |
| Hacktivism | 2010: Anonymous’ Operation Payback hits credit card and communication companies with DDOS after payment cards refuse to accept payment for WikiLeaks |
| Cybercrime | 2008, 2009: Gonzalez re-arrested for sniffing WLANs and implanting spyware, affecting 171 million credit cards [27] |
| | 2013: In July 160 million credit card numbers are stolen via SQL Injection Attack. Later in Dec. 70 million credit card numbers are stolen through Target stores [3] |
| | 2016–2022: Uber pays $100,000 in ransom to criminals, but pretends instead to purchase bug information. For covering up a breach, Uber later pays $148 million to settle claims and the chief security officer is tried and convicted [37] |
| Information warfare | 2007, 2008: Russia launches DDOS attack against Estonia, then Georgia news, gov’t, banks [23] |
| | 2016: Russia takes down Ukraine’s entire electric grid a December evening – 2 years in a row [29] |
| Surveillance state/espionage | 2012: State affiliated actors mainly tied to China quietly attack U.S./foreign businesses to steal intellectual property secrets, summing to 19% of all forensically analyzed breaches [39] |
| | 2013: Lavabit closes secure email service rather than divulge corporate private key to NSA without customers’ knowledge |
| | 2021: SolarWinds supply chain attacks install malware into 18,000 organizations through unknowingly infected third-party software [34] |
| | 2022: Instagram is charged €405 million for publishing children’s emails and phone numbers, as part of GDPR [38] |
1.3 Criminal Techniques to Enter, Investigate, and Persist in a Network
Between obtaining their first foothold into a network and achieving their final goal, criminals will take a series of steps to search the network, expand their capabilities and hide their tracks. This chapter outlines some of the steps and techniques they use to enter and peruse a network.
The first step a sophisticated attacker usually takes will be to learn a lot about an organization and network. They want to understand who works there (names, titles, rank) and the lingo used, so that they may deploy phishing and spear phishing successfully. They want to learn the deployed software, to launch effective attacks against potential vulnerabilities. They may want to learn the organization’s financial situation, e.g., to set a high but financially reasonable ransom price. They will learn this through web and news searches and investigating garbage (often through literal dumpster diving).
Verizon’s 2022 Data Breach Investigation Report indicates that common initial ways attackers enter a targeted network and implant their initial malicious software (or malware) include web application attacks, email, carelessness (or errors) and desktop sharing software (or logging into machines remotely) [2]. Web attacks often use vulnerabilities, or software or configuration defects, that enable attackers to gain entry. Patching all software in a timely manner – network, operating system, and applications – is important to closing such vulnerabilities.
Criminals or crackers often launch attacks using email and web scams. Phishing is an email scam, where the email serves as a hook and people in your organization are the intended fish! An email from ‘your’ bank can request immediate action, or ask you to help in transferring money from a foreign country. The email can be well-written to fool even the most suspicious – or poorly written to attract only the most gullible. Spear phishing is when a particular person is targeted for a special scam email, using knowledge of their interests, friends, and lifestyle. Pharming is a web scam, where a scam webpage can resemble a real webpage. Often a phishing email may include a link to a pharmed webpage. Clicking on that link causes infection – or by logging in, you may unknowingly give them account information or access. However, it is not only pharming sites that are infected with malware. Google has reported that it flags some 10,000 sites daily for infections and warns webmasters and users during Google searches [6]. A risk is that eventually someone in your department is likely to take the bait through opening an email attachment, following a link to an infected web site, or inserting an infected memory into a computer.
One specifc type of email attachment or web download could be a Trojan horse. Similar to the Greek story during the Trojan war, when the Achaean army hid inside a large wooden Trojan horse given as a gift to the city of Troy, a computer Trojan horse is a real program that is advertised to do one thing (e.g., display a video clip), while it secretly also does something malicious. For example, the Zeus Trojan turned millions of computers into Zeus bots [5], often via Facebook [6]. Zeus stays dormant on a compromised computer until the victim logs into a bank site. Then, it steals the victim’s passwords and is used to empty the victim’s accounts [6]. It also can impersonate a bank’s website in order to collect private information, such as social security numbers and/or bank account numbers, to sell on the dark web.
Once an attacker has entered a network, they often want to expand their capabilities by learning password credentials. One option is to install a keystroke logger, which records the keys entered. As you enter a password or credit card information, these keystrokes are secretly sent over an internet connection to the criminal. Soon you could see unusual emails coming from your account, strange charges on your credit card statement, or learn that an account has been opened in your name. In bulk, credit card numbers have been sold for as low as $1 a piece [4]. Prices are low due to successful criminal rings, such as Gonzalez’s, who cracked and exposed over 170 million credit card numbers [42].
Another random document with no related content on Scribd:
“I have thought that possible, but even then, he could easily write to me in confidence, and tell me where he is,” said the girl.
“Where does Ruthen live?” I enquired.
“In Whitehall Court,” and she gave me the number.
“You have no idea what his profession may be?”
“Like Stanley—he is independent.”
“Audley is a rich man, isn’t he?” I asked.
“No doubt. When we first met he gave me some very expensive presents merely because I happened to look after a girl he knew who was suffering from pneumonia. He’s an awfully generous boy, you know.”
“The fact is, Miss Day, I am doing all I can to discover Stanley Audley. Can you tell me any other facts—anything concerning his other friends?”
“He had another friend named Graydon, living at the same chambers in Half Moon Street, a rather stout, round-faced man. But he has also left London, I understand.”
“Graydon!” I ejaculated. So it seemed that the pair exchanged names when occasion required. At Half Moon Street Audley was Graydon, but outside, he took the name of the man who lived on the floor below!
What could have been the motive?
I afterwards took my pretty companion to the theatre, and, later, she took me to Ham-Bone Club, where we danced till nearly two.
From members there, I gleaned several facts concerning Stanley Audley. He was apparently a rich young “man-about-town,” but surrounded, as all wealthy young men are, by parasites who sponged upon his generosity. Of these Harold Ruthen was undoubtedly one.
Days passed, and although I went hither and thither, making inquiries in all likely quarters, I could obtain no further knowledge.
Stanley Audley had disappeared. I felt more convinced than ever that Thelma possessed knowledge she feared to disclose.
In my perplexity, I thought, at last, of old Dr Feng. Perhaps he would be able to help me. I wrote to him in care of his solicitor and received a prompt reply asking me to go and see him at an address in Castlenau, Barnes.
The house was just across Hammersmith Bridge. The anonymous letter I had received had been posted, I remembered, at Hammersmith. It was a queer coincidence.
Doctor Feng’s house, I found, was a large, old-fashioned detached residence which, a century ago, had probably been the dwelling-place of some rich City Merchant who drove each morning into London in his high dog-cart, his “tiger” with folded arms seated behind him.
A maid conducted me to the front sitting-room, a large, well-furnished apartment, where a big fire blazed.
“Well, Yelverton!” exclaimed the old doctor, rising, and putting out his hand. “And how are you? I went to see my sister down at Mentone, but the weather on the Riviera was simply abominable—a mistral all the time. So I came back and took up my quarters here. Comfortable—aren’t they? Sit down. It’s real good to see you again!”
I stretched myself in a deep comfortable chair beside the fire, and we chatted for a time about Mürren.
“I wonder where Humphreys is?” he remarked. “He wasn’t a bad sort, was he? And how about your temporary bride—the ‘Little Lady,’ as you called her!”
“Well, doctor,” I said, “that is really what I came to see you about. The whole affair is a tangle and I wondered if you could help me. I have found out a lot of things about Stanley Audley that are certainly most disconcerting and mysterious.”
He passed a box of cigars. “Have a smoke over it,” he said, “if I can help you I will. But first tell me what happened after I left Mürren.”
“A lot,” I replied. “You know Thelma’s husband left for London. Well, he never came back.”
“The young cad,” said the doctor. “But, after all, I more than half expected it.”
“Why?” I asked.
“Well,” he said, hesitatingly, “shall we say his sudden departure was rather suspicious? To put it plainly the excuse was a bit thin. Would any firm let an employee start on a honeymoon and three days later find he was the man for an important appointment such as Audley spoke of? Of course, such a thing might happen, but a more probable excuse would have carried more conviction. To me it suggested a story made up suddenly, in default of anything better, to explain a departure forced upon him by some much less welcome reason. However, I had no reason for saying this at the time and, after all, I might have been wrong. But as things have turned out it seems I was right and I am very sorry for his wife. After all, whatever her husband may be, she is a charming girl—much too good for him, anyhow. But go on, tell me what you have found out.”
I frankly told him, and as he smoked he sat back listening thoughtfully without a word of comment.
At last, when I had concluded, he asked—
“Have you seen Harold Ruthen?”
“Not yet. He is an enemy of Thelma’s.”
“What makes you think that?” he asked, whereupon I told him of the curious conversation I had overheard.
He bit his lip and smiled mysteriously, but said nothing. It was, however, plain that what I had described greatly interested him.
“And little Mrs. Audley will tell you nothing—eh? She refuses. She is evidently hiding some secret of her husband’s. Don’t you think so?”
“To me, she seems in deadly fear lest I should discover her husband.”
“Oh! I quite agree, Yelverton,” the old man said. “There’s more behind this curious affair than we’ve hitherto suspected. A man doesn’t leave his young wife in the hands of a stranger without some strong and very doubtful motive. Depend upon it that you were marked down as the victim.”
“Not by Thelma!” I protested.
“No, she has been your fellow victim.”
“But the motive of it all?” I asked in dismay. “What is your opinion, doctor?”
“The same that I formed when you first told me of your offer of help—that you’ve been a silly idiot, Yelverton. Didn’t I point out at the time the risks you were running?”
“Yes, you did,” I replied, “but I still intend—at all hazards—to get to the bottom of the affair.”
Feng hesitated, and then, looking me straight in the face, said very seriously—
“If you take my advice you will drop the whole affair.”
“Why?” I asked, in surprise.
“Because those men who lived at Half Moon Street and their friends are evidently a very queer lot. In any case you ought to cease visiting Mrs. Audley.”
I paused, recollecting that strange warning I had received, of which I had not told him.
“But, after all,” I protested, “we are very good friends. Surely I ought to help her by finding her husband?”
“When she probably knows where he is all the time!” scoffed Feng. “I don’t see what good you will do that way.”
“Anyhow,” I said shortly, “I’m not going to see her left in the lurch like this if I can help it.”
“Really, Yelverton, I don’t see what good you think you can do. We both believe she knows where he is. If that is so why should you interfere? Of course, what you tell me about the girl Day is very interesting and may throw a good deal of light on Stanley Audley’s character. But, after all, men change their minds and if Audley preferred Thelma to Marigold, there was no reason why he should not have asked her to marry him.”
“None the less, take my advice, drop the whole thing. You haven’t the shadow of a legal right to interfere. The men who lived in Half Moon Street, quite obviously a shady lot, have fled, evidently frightened of something and apparently your temporary bride is as frightened as they are. I don’t see why you should run any risk in the matter.”
“But what earthly risk do I run?” I asked. “Surely I am capable of looking after myself.”
“Considerably more risk than you imagine, unless I am very much mistaken,” he replied gravely.
I wondered for a moment whether my mysterious warning had come from the doctor himself. But what could he know about the affair? I could not read anything in his inscrutable face, but his manner certainly suggested that he was in deadly earnest, and, to my intense surprise, he suddenly let fall a remark, quite unintentionally, I believed, that, I realized with a curious suspicion, showed that he knew Thelma and her mother were living at Bexhill. Here was indeed a new complication. I made no sign that I had noticed his slip, but sat as if thinking deeply, as indeed I was.
How, and for what purpose, had he obtained that information? He had professed not to know what had happened after he had left Mürren.
The idea flashed through my mind that he and Thelma were acting in collusion to “call me off,” but this seemed so absurd that I dismissed it at once.
“Now, look here, Yelverton,” he said presently. “You’ve not told me everything.”
“Yes I have,” I protested.
“You haven’t told me that you’ve fallen deeply in love with little Mrs. Audley. That is why I warned you—and still warn you—of rocks ahead.”
“I did not think that necessary,” I said with some heat. “That is surely my own affair!”
“Certainly,” he said, dryly, in the paternal tone he sometimes assumed. “But remember my first view of the situation was the correct one. I thought you extremely indiscreet to accept the trust you did. It was a highly dangerous one—for you.”
“But you agreed afterwards that I did the right thing,” I argued.
“You acted generously in the Little Lady’s interests, but you have certainly fallen into some extraordinary trap. That’s my point of view,” he answered. “In any case, you are in love with a wife whose husband is absent. That is quite enough to constitute a very grave danger to both of you. So, if I were you I’d keep away from her. Take my advice as an old man.”
His repeated warning angered me, and I fear that I did not attempt to conceal my impatience. At any rate I took my leave rather abruptly, and as I walked in the direction of Hammersmith Bridge I felt more than ever puzzled at his attitude, and more than ever determined not to deviate from the course upon which I had embarked.
CHAPTER IX CROOKED PATHS
One cold evening I returned from the office after a heavy day which had been devoted to the successful settlement of a very complicated and serious action for libel against a provincial newspaper which we represented.
As I entered my room, Mrs. Chapman, in her spotless black dress—just as she always wore when my father was alive—followed me in, saying—
“Oh! Mr. Rex. A gentleman called about three o’clock. He wouldn’t leave a card. He gave his name as Audley—Mr. Stanley Audley. He repeated it three times, and told me to be sure to recollect the name. He said he was extremely sorry you were not at home, but you were not to worry about him in the least.”
I started, staring blankly at her.
“Wouldn’t leave a card? Wouldn’t he call again?”
“He seemed to be in a very great hurry, sir. He said he had come from abroad to see you, but couldn’t wait and said he was very sorry. Only I was to give you his urgent message.”
“What was he like?”
“Well, sir, he was a round, rather red-faced gentleman. He was evidently greatly disappointed at not meeting you, but he impressed upon me the message that he was all right, and that you were not to worry about him.”
This was indeed a surprise.
It was evident that my caller was the man who had lived on the first floor in Half Moon Street, and was the friend of the Stanley Audley who had married Thelma!
What did that amazing visit portend? It worried me. Why should a reassuring message be given to me by a man who was not the person in whom I was interested, and whom I had never met? The whole affair was becoming more and more obscure and mysterious. As a solicitor I had been brought into contact with more than one queer affair, but the Audley mystery was beyond anything in my experience.
“Couldn’t he call again, Mrs. Chapman?” I asked.
“No, sir. He said he had come to see you just for a moment, and that he was sorry that he couldn’t wait. He had a taxi outside.”
“Thanks, Mrs. Chapman. I’m sorry I was not at home to see him. Did you give him my office address?”
“I did, sir. But he said he had no time to go round to Bedford Row, and that you would no doubt understand.”
Understand! What could I understand? I was more bewildered than ever.
Next day I called again upon Belton, in Half Moon Street, and questioned him more closely about his recent “Box and Cox” tenants. But he could tell me nothing more than he had already. Mr. Graydon and Mr. Audley were close friends. That was all.
“Tell me something about their visitors,” I asked. “Did Mr. Graydon, the gentleman who lived above, have many?”
“No, sir. Very few. Several of them I knew quite well when I was in service—gentlemen from the clubs. One a Canadian millionaire, came often, but Mr. Graydon never had any lady visitors except that young lady we spoke about a short time ago—the lady whose photograph you showed me, Miss Shaylor.”
“And Mr. Audley, who lived below?”
“Oh, he had quite a lot of callers—both ladies and gentlemen. He was older than Mr. Graydon, and seemed to have quite a big circle of acquaintances. They used to play bridge a lot.”
“Now, tell me, Mr. Belton. What is your private opinion about your tenants?”
“Well, sir, as you are a solicitor”—he had gained that knowledge from my card,—“I can speak quite frankly. Now that they are gone I don’t mind saying I held them both in suspicion. They had plenty of money and paid well, but I don’t think they were on the straight. That’s my firm opinion and my wife thinks the same.”
“What first aroused your suspicion?”
“Their card parties. They weren’t always square. I’m sure of it. Mr. Audley had an invalid friend, an old man named Davies, who came about three times, and when he came woe betide those who played. I kept my eyes and ears open when I served their drinks, and I’m sure I am not mistaken.”
“An invalid!” I exclaimed. “What kind of man was he?”
“Oh! he was very lame, was Mr. Davies, sir. An old man, but as keen as mustard on poker.”
“Did Mr. Graydon play?” I asked.
“Very little, sir.”
“Did he ever meet this Mr. Davies?”
“I think not, sir. Because on the first occasion Mr. Davies came I recollect that Mr. Graydon was away in Norway. The next time he came, Mr. Graydon was away in Paris. No,” he went on, “as far as I can recollect Mr. Graydon never met Mr. Davies.”
“Then this Mr. Davies was a person to be avoided?” I suggested.
“Distinctly so, sir. He was a shrewd and clever gambler, and I feel certain that he was in league with Mr. Audley. Indeed, I know that on the morning after one of their sittings they divided up a thousand pounds between them. It had been won from a man named Raikes, a manufacturer from Sheffield.”
“So they shared the spoils?” I said. “But tell me more about this interesting invalid.”
“Well, sir. He was a grey-bearded man of about sixty I should think, and he walked with difficulty with two sticks. He seemed to lisp when he spoke.”
It struck me at once that the ex-butler’s description would have fitted old Mr. Humphreys very closely, except that Humphreys did not lisp. I had no reason for thinking that Humphreys could have known Graydon, but he might have done so and he certainly was a very keen poker player.
“Had he a rather scraggy, pointed beard and did he wear in his tie a blue scarab pin?” I asked.
“No,” was Belton’s prompt reply, “he had a round beard and I never saw him wearing a scarab pin.”
Now old Mr. Humphreys always wore an antique pin of that description; I never saw him without it. He was immensely proud of it and used to declare it was a mascot that brought him good luck. He had a wonderful story of how he obtained it from some old Egyptian tomb. So the chance of Mr. Davies and old Humphreys being identical seemed a coincidence almost too peculiar to be true. Yet I could not get rid of a suspicion that they were one and the same person.
“You are quite certain that he never met the young gentleman you knew as Mr. Graydon?” I asked Belton.
“I’m quite certain of that, sir. One day Mr. Audley asked me not to say that Mr. Davies had been there, and asked that I would keep his visits a secret from young Graydon as he did not wish them to meet. There was, I remember, a lady named Temperley, who sometimes came with Mr. Davies. She was a stout, dark-eyed, over-dressed woman whom I put down as a retired actress. She had a young, thin rather ugly daughter, a girl with a long face, and protruding teeth. Both mother and daughter seemed to be on terms of close friendship with Mr. Davies.”
“Davies was an invalid. How did he get up these stairs?”
“With difficulty, sir. I used to help him up, and sometimes Mr. Audley helped me,” was the ex-butler’s reply. “At poker he was marvelous. I’ve seen poker played in several families in whose service I’ve been, but I never saw a finer player. He was more like a professional than an ordinary player for amusement.”
“And your tenant, Mr. Audley?”
“He was a fine player, of course. He used to have friends in at night and sometimes they would play till dawn.”
“And did Mr. Graydon never play?” I asked.
“Very seldom; the parties usually took place when he was away.”
It was quite evident that Stanley Audley, alias Graydon, was a person of mystery and his friends were as mysterious as himself. After a moment’s reflection I decided to take Belton fully into my confidence and tell him the whole story.
“Now, look here, Belton,” I said, “you may be able to help me considerably. I will tell you the whole story so far as I know it, and perhaps you will be able to remember further facts that may help.”
So I related to him everything that had happened since I first met Stanley Audley and his bride at Mürren.
Belton listened in silence. When I had finished he asked me one or two questions.
“Well, sir,” he said at last, “I think you had better see my wife. She may know something more.”
He fetched Mrs. Belton and briefly outlined to her the facts I had given him.
“You see, Ada,” he said, “the gentleman who called himself Audley here, was not the Mr. Audley who married the daughter of Commander Shaylor. Mr. Graydon is her husband. Isn’t it a puzzle?”
“It is,” replied his wife. Then, after I had made my explanation I begged her to tell me any further fact which might be of service in my inquiry. She hesitated for a moment and at last said:
“Don’t you recollect, Jack, that Mr. Graydon, before he came to us, lived at Seton’s, in Lancaster Gate. He was very friendly with Mr. Seton, who you remember was butler to old Lord Kenhythe at Kenhythe, in Kirkcudbrightshire. You went there one shooting season from Shawcross Castle, to oblige his lordship.”
“Oh! yes, of course!” exclaimed her husband. “Really, Ada, you’ve a long memory!”
“Well, I was head-housemaid once at Shawcross Castle. You forget that! But, don’t you recollect that young Mr. Graydon was very friendly with Mr. Seton. I don’t know why he left there and came to us, but I fancy it was because there was such a row at a party he had there, and he wouldn’t apologize, or something like that.”
“Ah! I remember it all now, of course, Ada,” exclaimed the woman’s husband. “Yes, you’re right—perfectly right! If there’s one man in London who knows about Mr. Graydon it’s Mr. Seton.”
He gave me the address of Lord Kenhythe’s ex-butler, and an hour later I called at a large private hotel facing Hyde Park, near Lancaster Gate, with a scribbled card from Belton.
The man who received me was a tall, very urbane person with small side-whiskers. He took me into his private parlor in the basement, where I told him the object of my visit.
“Yes, sir. I know Mr. Philip Graydon. A very estimable young gentleman.”
“Who is he?”
“Well, his father was the great Clyde shipbuilder, whose works are at Port Glasgow—the firm of Graydon and Hambling. When his father died, about two years ago, he left him a quarter of a million.”
“You know him well?”
“I did, sir. His father used to shoot with his lordship regularly, and Mr. Philip often came with him.”
I briefly told him that I was making inquiries into certain very curious circumstances, and said—
“I want your private opinion, Mr. Seton. Is there anything peculiar concerning Mr. Graydon? I ask this because on his marriage he took the name of Audley.”
“His marriage! I didn’t know he’d married, sir.”
“Yes. And he is missing. It is on behalf of his wife, who is a friend of mine, that I’m making these inquiries.”
“Mr. Graydon married!” he repeated. “Pardon me, sir, but whom did he marry?”
“A young lady named Shaylor.”
“Ah!” he ejaculated. “Yes, I know. He was very fond of her—very fond! Her mother is a widow in very straitened circumstances, I’ve heard. But do you say he’s missing?”
“Yes. He disappeared while they were on their honeymoon in Switzerland.”
“And where is his wife now?”
“With her mother in Bexhill. But tell me, Mr. Seton, Mr. Graydon as you call him, was with you for some months, wasn’t he?”
“For nearly a year and a half, sir.”
“And during that time did a man named Audley ever visit him?”
“Yes, a round-faced man who lived at Belton’s. He visited Mr. Graydon first about six weeks before he left me to go and live at Belton’s.”
“Why did he leave you?”
“Well, he had a bachelor party one night—they were very noisy and I remonstrated with him, and—well, he’s only young, sir—and the fact is he insulted me. So I gave him notice. But we’re still the best of friends,” said the ex-butler.
And then Seton sprang on me perhaps the greatest surprise of my life.
“Now I know your reason for wanting to see Mr. Graydon,” he said. “I may as well tell you he is here now.”
“Here!” I gasped excitedly, “do you mean he is staying here?”
“Yes, sir,” was the reply, “he’s in number eighteen. He came here yesterday quite unexpectedly.”
At last I had run Thelma’s mysterious husband to earth!
“He came in half-an-hour ago,” Seton went on, “and I gave him a letter which came for him by express messenger. I know he’s upstairs. If you would like to see him, I will send up.”
“No, thanks,” I said. “Under the circumstances I think I would prefer to go up unannounced if you have no objection.”
“Not in the least,” replied Seton. “Number Eighteen is on the second floor.”
So I eagerly ascended the wide, thickly-carpeted stairs. I had no very clear idea as to how I should approach the man I had known as Stanley Audley, but I was determined to demand an adequate explanation of why he had married Thelma under an assumed name and so cruelly deserted her, and, if necessary, to back my demand by a threat of legal proceedings.
CHAPTER X
IN ROOM NUMBER EIGHTEEN
On the second landing I rapped at the door of room Number 18, feeling considerable pleasure at the thought of giving my whilom friend an unwelcome surprise.
There was no reply, but I fancied I heard a movement inside. I listened eagerly.
I knocked again. Yes. I felt sure someone was within, but my knock met with no response.
A third time I knocked and more loudly, but to no avail. I tried the door—it was locked.
Five times I hammered with my fist, but there being no answer I descended the stairs and found Mr. Seton.
“But he must be up there if his door is locked,” he said. “He never takes his key but always leaves it on the peg here,” and he indicated a board on the wall in a little box-like room off the hall where visitors left their keys. To each key was attached a bulky ball of wood, in order that the key should not be carried away accidentally in the pocket.
With the landlord I reascended the stairs and Seton knocked at the door, calling his guest by name. But there was still no response.
“Do you know, I believe I heard somebody inside when I first knocked,” I remarked.
Seton bent and peered through the keyhole.
“At any rate the door is locked on the inside,” he said. Then he thundered at the door, after which we both listened. There was no sound, but I thought I detected the smell of burning paper.
All the other guests were apparently out at the time, for the noise we made attracted only the servants.
“Baker!” Seton cried to a man who was in his shirtsleeves and wore an apron of green baize, “we must force this door. There’s a crowbar down in the cellar. Go and get it.”
As the man addressed ran downstairs, the ex-butler turned to me with a scared expression upon his face, saying—
“This is very peculiar, sir. Why has he locked himself in like this? Did you really hear a noise?”
“Yes. I am sure I did, yet with the roar of the traffic out in the road, I really couldn’t quite swear to it,” was my reply.
“What I heard was like a man bustling about hurriedly, and yet trying to make no noise.”
“Surely he can’t have fainted—or—or committed suicide!” Seton remarked.
For a few minutes we stood outside the door utterly mystified, until the porter brought us a rusty bar of iron about three feet long, curved and flattened at the end—a very serviceable crow-bar.
This, Seton inserted between the door and the jamb, close to the lock, and then drew it back slowly. The woodwork groaned, creaked and cracked and with a sudden jerk the wood round the mortice lock tore away and the door flew open.
We stood amazed. The room was empty.
In a few seconds we had searched the big old-fashioned wardrobe and had looked beneath the bed and behind the curtains. But nobody was there. And, moreover, while the key was still in the door on the inside the window was closed and latched!
The fireplace was a small one with a flue through which not even a small boy could pass. In the grate were smoldering ashes of something, apparently a coat that had been hastily burned. There was an odor of consumed petrol, and it occurred to me at once that some clothing had been hurriedly saturated from a bottle of motor-spirit and set fire to—for the room was still heavy with smoke.
Seton crossed to the window and saw at once that it had not been opened. I glanced out and down. From the narrow window-sill there was a sheer drop to the paved basement forty or fifty feet below with not even a stackpipe by which an active man might have escaped.
“Well, this is extraordinary,” cried Seton. “How could Mr. Graydon possibly get out of the room and leave it still locked on the inside?”
Seton bent suddenly over the fireplace. “Well, we may as well see what he was burning,” he said as he picked up a half-charred piece of paper that had apparently been crumpled up hastily and thrown into the grate. He smoothed it out and looked at it in amazement.
It was a portion of a fifty-pound Bank of England note! It was partly burned but quite enough was left to identify it without any possibility of a mistake.
“Well,” I exclaimed, “burning fifty-pound notes is certainly a new kind of pastime. What on earth can it mean?”
“I can’t imagine,” replied Seton. “And how can Mr. Graydon have gone? Certainly not through the door or the window.”
“And before he went,” I added, “he burnt a coat or something of the kind and a fifty-pound note!”
In front of the window was a small early Victorian escritoire. Upon it were several loose sheets of paper from a new writing-pad, an ink-stained envelope, and a couple of bills from a local chemist.
Seton opened two or three of the drawers and from one of them drew a folded wad of papers. “More notes!” he ejaculated, as he felt with his fingers the crisp familiar crackle.
There were three notes for fifty pounds each, obviously quite new. Clearly Graydon, in his hurry, had forgotten that they were there.
“It seems to me,” I said to Seton, “that Graydon must have been frightened by something and had to get away quickly.”
“Frightened, but of what?” Seton asked. “I saw him only half-an-hour before you came, and he seemed all right then.”
“Do you think my visit might have frightened him?” I asked.
“Well, sir, I don’t know. But why did he burn a fifty-pound note and how did he get out? That’s what puzzles me. I could have understood it if he had locked his door on the outside.”
“It beats me, anyhow,” I said, looking round the room. I noticed Graydon’s two suitcases stood open and some of his clothes were hanging in the wardrobe. Why, and above all how had he vanished so suddenly? But for the fact that he had actually called to see me—showing that he certainly was not afraid of meeting me—I might well have thought that he would be alarmed on recognizing my voice. But he had evidently not done so and must have thought I was someone else whom he urgently desired to avoid.
Those fifty-pound notes puzzled Lord Kenhythe’s ex-butler as completely as they did myself. Men do not usually go about burning fifty-pound notes. We knew that the young fellow who, in Switzerland, had posed as a hard-working electrical engineer welcoming the prospect of a “rise,” was on the contrary, a rich young man. But that he should burn bank-notes of such value or leave them discarded as he had done, was simply inexplicable on any hypothesis we could frame.
I was deeply chagrined. I had come within an ace of capturing the truant bridegroom and yet he had eluded me. Could it really, I asked myself, have been the same man? Again I carefully described to Seton the man I had known as Stanley Audley. He was emphatic in his assertion that it was Philip Graydon, the man who had been in that very room barely half-an-hour before. And as if to make assurance doubly sure, I found on one of his suitcases a label of the Kürhaus Hotel at Mürren and another put on at Mürren station, registering this case through to Victoria.
There could not be the slightest doubt as to the mystery man’s identity as Thelma’s husband.
“Look here!” said Seton, suddenly, as he held up a towel he had taken from the rail. It was stained with blood. The hand basin was half full of water deeply tinged with blood.
“Evidently he had cut himself badly,” was Seton’s comment.
“Perhaps,” I said, “but is this his own blood or someone else’s?”
“Surely, sir, you don’t suspect he has been guilty of a crime?” gasped Seton.
I pointed to the charred fragments of the coat. “It might be so,” I rejoined.
A few moments later, however, on making a closer search of the room we found in the waste-paper basket a broken medicine bottle and on the edge of a piece of glass was a blood stain. It told its own tale—he had cut his hand upon the glass. Further, close beside the dressing-table were three or four dark spots. I touched one, and found it to be blood.
“I wonder why he destroyed his coat?” Seton remarked. “He’s gone away leaving everything behind.”
“But how did he get out?” I persisted. “The door and window were both fastened and there is no fanlight.”
We again carefully examined the lock. It was intact, it had been locked from the inside and the key was still there.
Together we went carefully through the fugitive’s belongings, but found nothing of interest. They were merely clothes of good quality or the wardrobe of a fashionable young man. From the pocket of the suitcase that bore the label “B. O. B.”—or Bernese Oberland Bahn—I took out three one-pound Treasury notes. But we found not a scrap of writing of any sort. There was some burnt paper in the fireplace, suggesting that with the coat he had destroyed all documents that might give a clue to his identity. The broken bottle smelt of petrol and apparently he had kept the spirit ready for use if he wanted quickly to destroy anything.
Our search concluded, Seton had all the things removed to an unoccupied room and locked the door.
“The Bank will pay the half-note,” said Seton. “I shall pay the lot in and hold the money until Mr. Graydon turns up again. He has plenty of money, of course, and may not have missed it. There is no doubt some explanation. I cannot believe, knowing Mr. Graydon as I did, that there can be anything very seriously wrong.”
“But why should the note be burned?” I queried.
“It might have been accidentally among the other papers he destroyed, sir. Don’t you think so?”
This, of course, was possible. For a long time we sat in Seton’s room discussing the strange affair. At first Seton thought he ought to tell the police, but I urged him not to do so. It would get into the papers, I argued, and that was the last thing desirable for a high-class private hotel such as his. I did not want a public scandal that must involve Thelma in most unpleasant publicity.
“I wonder whether he had an inkling that you’d called, sir?” suggested Seton. “Perhaps he saw you from one of the front windows and then rushed up and prepared to bolt.”
“But why should he? I have acted towards him only as a friend and I see no reason why he should take such extreme steps to avoid me. Besides, he actually called at my flat.”
“Yes, I had forgotten that,” Seton admitted. “But still, I think something must have frightened him—and frightened him badly, too. He wouldn’t have cut his hand in opening the bottle of petrol, burned his clothes and papers, and got away so swiftly if there wasn’t some very strong motive for doing so. What’s your opinion?”
“The same as yours, Seton,” I answered. “But the affair is full of remarkable circumstances. How did he get out of that locked room? He was certainly in there when I first knocked.”
“My own belief,” said Seton, “is that he must have started to destroy his things as soon as you knocked. He was certainly in a great hurry for he smashed the neck of the petrol bottle when he found he could not get the cork out—it’s still in the neck of the broken bottle—and cut his hand in doing so.”