Since the terrorist attacks on September 11, 2001, computer security has taken on some new meanings. The first is positive. As part of a global tightening of belts and rolling up of sleeves, there emerged several outreaches designed to provide security training and certification to folks in all walks of life, from the consumer being alerted about identity theft, to the soldier and sailor and weapons scientists taking greater precautions with items of national security, to the common person on the street gaining a heightened awareness of hackers and crackers and cyber attackers. Gradually this new emphasis on computer and network safety has percolated down to the ordinary user’s computer in the den or living room. And because it really is a small Internet, and what affects one usually affects all, the safer individual users are, the safer the Net is for everybody.
Unfortunately, in return for a perception of security, both physical and on the Internet, some computer users have begun to accept unprecedented compromises in privacy as being part of the price to be paid to counter an envisioned terrorist threat associated with computer usage. In return for a feeling of “protection” with vague ties to national defense, more and more of what used to be private data and folks’ own business is now available for inspection by corporate and legal observers. Giving up the proven checks and balances that are the underpinnings of a free society may do more harm than good. Recent reports, such as a summer 2003 incident in which one or more airlines turned over to a contract firm working for the Department of Defense the transaction records of a half million passengers for use in an experiment on database profiling, have demonstrated that relaxed restraints against law enforcement agencies can lead to egregious actions. Numerous press reports have indicated that the expanded powers granted to law enforcement agencies in the name of homeland defense have resulted in those powers being used increasingly to investigate and prosecute crimes under laws not related to homeland defense at all. This, in turn, has resulted in a mini-backlash designed to rein in the security promoters, heightening the debate.
Possibly in response to a perceived decrease in privacy, a large number of new laws have come into play that attempt to protect individuals against widespread dissemination of personal information and regulate the creation and exchange of financial information regarding corporations. These new laws have long names, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Family Educational Rights and Privacy Act (FERPA). These laws make it a crime to reveal personal information gathered in the course of doing business, and often require the reporting of computer crimes that were formerly swept under the carpet to avoid embarrassing the agency or company allowing such a lapse.
The ordinary user, such as the salesperson or secretary who logs on in the morning and shuts down at night, would rather not think twice about security. In fact, she might not think of it at all until a worm or some other attack affects the machine on which she has to work.
Some of the most invasive computer attacks against individuals may not involve infecting a computer, but merely listening to one. With machine patience, sniffers and database programs can accumulate data about people—lots of people—over as long a time as is needed to gather enough information to make an attack. Usually, the attack takes the form of making credit card purchases, or applying for credit in the name of the victims whose details have been pieced together. Such crimes, often called identity theft, can be devastating. It is not that the victim is always left liable for the fraudulent purchases; consumer protection laws and the rapid closing of accounts help a great deal to prevent that. It is that the victim may be left unable to exercise his own credit, or establish more because vendors can’t easily be sure if any new transactions after the ID theft is reported are being made by the customer or by the thief. And it is highly likely that the victim will be unaware of any of these activities until the damage has been done.
Now that it increasingly impacts the average user, public awareness of computer security has risen dramatically. Computer security has hit the newsstands, with more and more articles warning the public about viruses and other perils. The media also describes an increasing array of preventatives, ranging from changing network habits to adding firewalls and intrusion protection systems. Mix in the specter of terrorism, and the stakes get even higher.
A new generation of security consultants —what Business Week once termed “hackerbusters” —have hung out their shingles. A number of organizations stand ready to provide expert assistance in case a computer virus outbreak threatens the Internet:
Funded by the Defense Advanced Research Projects Agency (DARPA), the Computer Emergency Response Team (CERT) at the Software Engineering Institute at Carnegie Mellon University was created to provide information and support against any Internet crises, cyber attacks, accidents, or failures. Now officially named the CERT Coordination Center, this clearinghouse is the mother-of-all-CERTs, and regional and corporate incident response centers are springing up to handle crises locally.
The Federal Computer Incident Response Center (FedCIRC) is the federal government’s trusted focal point for computer security incident reporting, providing assistance with incident prevention and response. In 2003, the FedCIRC officially became part of the Department of Homeland Security’s Information Analysis and Infrastructure Protection (IAIP) Directorate. IAIP will continue to provide the FedCIRC services.
The Department of Energy has also established a Computer Incident Advisory Capability (CIAC) oriented to its own agency needs, including a “hoaxbusters” page dedicated to helping users recognize which attacks are real and which are based on hysteria. The gentle gags clog up networks as users frantically alert their friends and neighbors of the supposed hazard. The vicious gags encourage users to take “protective measures” that might actually damage their own computers in an attempt to avoid worse calamity.
Other national incident response teams have been formed in many countries:
In the United Kingdom, there is the National Infrastructure Security Co-ordination Centre (NISCC), pronounced “nicey”, which is charged with protecting essential system and services known collectively as the Critical National Infrastructure (CNI).
In addition to government response organizations, many commercial providers of security services and virus protection systems have also set up organizations that are prepared to come to the aid of any customers who find security holes or face attacks.
Akin to CERTs, Information Sharing and Analysis Centers (ISACs) help develop and promulgate “best practices” for protecting critical infrastructures and minimizing vulnerabilities. Many industries have established ISACs to allow these critical sectors to share information and work together to help better protect the economy.
In the United States, Presidential Directive Number 63 and the Patriot Act establish that the ISACs will receive governmental sponsorship. The Department of Homeland Security lists links to various industry ISACs on its web site. ISACs are established for the food industry, water industry, emergency services (police and fire), state governments, and the telecommunications and information technology industries. There are also ISACs in place for the energy, transportation, banking and finance, chemical, and real estate industries.
Just as corporate and government users are bonding together to provide mutual protection, however, a huge emerging class of users is expanding rapidly, and for the most part they are unprotected. As broadband Internet access becomes increasingly popular, more users set up home computers and leave them running 24/7. The result is they become targets for attackers.
One study estimated that the time between when a new computer is turned on and the first attack is underway is usually less than 10 minutes. This is because attackers often use automated scanning tools that probe constantly, looking for opportunity. An exploit can often be placed in seconds, often before countermeasures can be installed to complete an installation. Other studies claim the situation is worse still, figuring the time before attack is equal to 2 minutes. I’ve seen instances in which newly updated computers became infected by a virus within a few minutes, even though the computers were protected by a secure network. This happened because the infecting computers were inside the network, likely becoming infested by pathogens carried in on media workers brought from home.
As the pool of computer users has increased, ways are emerging to illicitly profit off of them. The computer of a naive user may be forced into participating in a distributed denial of service (DDoS) attack aimed toward a designated target and timed to fire off with hundreds of thousands of others so as to overwhelm the victim. Alternatively, users’ broadband computers can be turned into unwilling web sites for pornography or other products, or made into relays for unsolicited email (spam).
Fortunately, help is on the way:
Microsoft, for instance, offers easy software security updates over the Internet.
Help sites are available for every kind of Linux and Unix.
Many antivirus software publishers offer not only antivirus programs but also some kind of information service documenting viruses and what to do to prevent or handle specific attacks.
Most companies today are adding their own internal security forces. Increasingly, corporate want ads request a computer security certificate or two as a prerequisite for hiring.
While once it was easy to ignore most warnings and scares as mere nuisances because most sites were isolated and unconnected, in today’s world, few computers stand alone. Viruses occur and spread with amazing speed, sometimes spanning the globe in hours or days (usually by stealing information, such as an email address book from one victim, and using it to infect others).
Even corporations that have secure perimeters can find themselves with significant internal virus problems. Often this is due to users who bring in infected laptops, use removable data drives, or burn information onto recordable CDs or DVDs that are infected and then brought into the office network.
The story of network attacks, bugs, viruses, and criminal actions stretches as far as the computer industry itself. One of the first bugs to develop in a computer system was precisely that: a moth was found squished inside some relay contacts at a government installation. Lieutenant Grace Hopper collected that moth and duly pasted it into the facility logbook She eventually became a rear admiral, and went on to invent the computer compiler and was the driving force behind the COBOL computer language.
With each advance of technology came new threats and attacks. Rogue self-replicating programs nearly overwhelmed a research facility in Palo Alto, California; they were the first computer worms. Unchecked, worms can multiply until they fill up a hard disk. Viruses, similar to worms but requiring a host program of some kind to live in and take over, came soon after. Attacks and countermeasures followed one after another until the present. Vulnerabilities continue to be sniffed out by attackers who create viruses and worms to exploit them. Manufacturers then create patches intended to counter the attacks.
While early malware exploited single systems or multiuser systems, it took the Internet to really give malware life. The Internet forms a massive distributed environment. Malicious software can steal control of computers on the Internet, direct DDoS attacks at given hosts or servers, or pose as someone they are not in order to intercept data. The latter action is known as a masquerade attack or spoofing.
The most elaborate malware can scan a victim machine for links to other machines, then replicate itself to those other machines while working its attack on the victim machine. The infamous Code Red worm worked over the Internet in this way. After replicating itself for the first 20 days of each month, it replaced web pages on the victim machines with a page that declared “Hacked by Chinese,” then launched an attack on the White House web server.
Computer crime has also become a major threat to business. According to the Federal Bureau of Investigation, computer crime is the most expensive form of commercial crime. In 2003, theft of information cost over $70 million, with an average cost of $2.6 million per theft. Also in 2003, denial of service attacks, which deprived companies of revenue and idled IT investments, cost over $66 million, with an average loss of $1.4 million. Estimates of the dollar figure for theft by computer intrusion and attack total $201 million.
Although almost 75 percent of organizations reported some kind of attack in 2003, only about 40 percent of those attacked could quantify the loss. It is estimated that roughly 50 percent of intrusions were not reported at all, either because their scope was unknown or the publicity was undesired.
Even though there has been substantial publicity in recent years about computer system risks and attacks, it turns out that many organizations are unwilling to report system intrusions. Doing so can result in adverse publicity, the loss of public confidence, and the possible charge of managerial incompetence. Many organizations fear lawsuits based on the emerging “standard of due care.”
In fact, there are reports that in the days before regulations such as Sarbanes-Oxley, which requires increased justification of the figures used in business accounting, some businesses paid hush money to intruders. In London, a number of firms have reportedly signed agreements with computer criminals offering them amnesty for returning part of the money stolen and, more importantly, for keeping quiet about their thefts. In one case, an assistant programmer at a merchant bank diverted eight million pounds to a Swiss account. In an agreement that protected him from prosecution, the programmer promised not to disclose the system penetration—and he got to keep one million pounds!
Recent statistics indicate that payment of hush money is decreasing, often due to increasingly automated nature of the attacks. Most attacks today are run by unsophisticated youth who learn a few tricks and gather a few scripts from true gurus, and then do what amounts to vandalism for the thrill of it. However, the thrill of penetration and creating havoc is increasingly offset by the penalities. The legal fate of some big time virus writers has been widely reported on TV and in the newspapers. Some murderers and rapists have gotten away with lighter sentences.
More recently, skillful intruders are attacking computers with criminal or military goals in mind. These attackers may outwit even sophisticated security systems, and can leave dormant sleeper programs that will lay low to avoid detection until their owners summon them to action.
The term computer security has different interpretations based on what era the term describes. Early on, computer security specialized in keeping the glass houses in which the computer core was positioned safe from vandalism, along with providing constant cooling and electricity. As computers became more dispersed, security became more of an issue of preserving data and protecting its validity, as well as keeping the secrets secret. As computers moved onto the desktop and into the home, computer security took the form of protection against data thieves and network attackers. Modern computer security includes considerations of business continuity. This ability mitigates interruption or loss regardless of the threat, and more importantly, develops rational systems that estimate and offset risk. These values are incorporated into procedures and policies that make computer security a priority from the top down. Today, industrial security, in terms of loss control due to theft, vandalism, and espionage, involves the same personnel controls and physical security provisions that protect the enterprise as a whole.
You can get a good thumbnail sketch of computer and network security by examining the principles on which it is founded. Computer and network security are built on three pillars, commonly referred to by the C-I-A acronym:
Data is confidential if it stays obscure to all but those authorized to use it. Data has integrity as long as it remains identical to its state when the last authorized user finished with it. Data is available when it is accessible by authorized users in a convenient format and within a reasonable time. (Note: the C-I-A acronym will be repeated like a mantra throughout the course of this book.)
Following shortly on the heels of C-I-A are a host of other terms and acronyms. Each of these has its own shade of meaning, but all of them are part of the C-I-A model:
Who do you say you are?
How do I know it’s really you?
Now that you are here, what are you allowed to do?
Who did what, and, perhaps, who pays the bill?
Different groups emphasize different combinations. To “simple is best” administrators, a favored authentication would likely be the username (who you say you are) and password (prove it to me!) combination. Devotees of biometric security identification, on the other hand, who use some physical attribute as a means of identification, point with pride to the fact that a retina scan can identify and authenticate simply by taking a picture of the blood vessels in the back of someone’s eye. (The crack to this system was demonstrated by actor Tom Cruise in the film Minority Report. It lent a whole new meaning to the phrase “He’s got his father’s eyes.”) Other groups promote acronyms within acronyms. For example, “authentication, authorization, and accounting” (AAA) is Cisco shorthand meaning that user verification and rights determination can be accomplished in the same process as transaction record keeping, or audit logging.
Computer security and network security are part of a larger undertaking that protects your computer and everything associated with it—your building, your terminals and printers, your cabling, and your disks and tapes. Most importantly, computer security protects the information you’ve stored in your system. That’s why computer security is often called information security.
The International Information Systems Security Certification Consortium, or (ISC)2, encompasses the following 10 domains in its common body of knowledge:
Information security management
Access control systems and methodology
Enterprise security architecture
Telecommunications, network, and internet security
Law, investigation, and ethics
Business continuity planning
Each domain includes five functional areas:
Information protection requirements
Information protections environment
Security technology and tools
Assurance, trust, and confidence mechanisms
Information protection and management services
The popular conception of computer security is that its only goal is secrecy, such as keeping the names of secret agents from falling into the hands of the enemy, or keeping a nationwide fast food chain’s new advertising strategy from being revealed to a competitor. Secrecy is a very important aspect of computer security, but it’s not the whole story.
In some systems or application environments, one aspect of security may be more important than others. Your own assessment of what type of security your organization requires will influence your choice of the particular security techniques and products needed to meet those requirements.
A secure computer system must not allow information to be disclosed to anyone who is not authorized to access it. For example, in highly secure government systems, secrecy ensures that users access only information that they are allowed, by the nature of their security clearances, to access. Similarly, in business environments, confidentiality ensures the protection of private information (such as payroll data) as well as sensitive corporate data (such as internal memos and competitive strategy documents).
Of course, secrecy is of paramount importance in protecting national defense information and highly proprietary business information. In such environments, other aspects of security (e.g., integrity and availability), while important, may be less critical. Chapter 3 discusses several major methods of enforcing secrecy or confidentiality in your system, including controlling who gets access and specifying what individual users are able to do. Chapter 7 discusses encryption, another excellent way to keep information a secret.
A secure computer system must maintain the continuing integrity of the information stored in it. Accuracy or integrity means that the system must not corrupt the information or allow any unauthorized malicious or accidental changes to it. It wasn’t deliberate, but when a simple software error changed entries in Bank of New York transactions many years ago, the bank had to borrow $24 billion to cover its accounts until things got straightened out—and the mistake cost $5 million in extra interest.
In network communications, a related variant of accuracy known as authenticity provides a way to verify the origin of data by determining who entered or sent it, and by recording when it was sent and received.
In financial environments, accuracy is usually the most important aspect of security. In banking, for example, the confidentiality of funds transfers and other financial transactions is usually less important than the verifiable accuracy of these transactions. Chapter 7 discusses message authentication, a method that ensures the accuracy of a transmission. With this method, a code is calculated and appended to a message when that message is sent across a network. At the receiving end, the code is calculated again. If the two codes are identical, the message sent is the same as the message received—proof that it wasn’t forged or modified during transmission.
A secure computer system must keep information available to its users. Availability means that the computer system’s hardware and software keeps working efficiently and that the system is able to recover quickly and completely if a disaster occurs.
The opposite of availability is denial of service, or DoS. Denial of service means system users are unable to get the resources they need. The computer may have crashed. There may not be enough memory or processes to run a program. Needed disks, tapes, or printers may not be available. DoS attacks can be every bit as disruptive as actual information theft, attacking system availability by spreading through networks, creating new processes, and effectively blocking all other work on the infected computers.
In some ways, availability is a baseline security need for everyone. If you can’t use your computer, you won’t be able to tell whether your secrecy and accuracy goals are being met. Even users who abhor “security” agree that their computer systems have to keep working. Many of them don’t realize that keeping systems running is also a type of security.
There are three key words that come up in discussions of computer security issues: vulnerabilities, threats and countermeasures. A vulnerability is a point where a system is susceptible to attack. A threat is a possible danger to the system. The danger might be a person (a system cracker or a spy), a thing (a faulty piece of equipment), or an event (a fire or a flood) that might exploit a vulnerability of the system. The more vulnerability you see in your system, and the more threats you believe are out there, the more carefully you’ll need to consider how to protect your system and its information. Techniques for protecting your system are called countermeasures.
Computer security is concerned with identifying vulnerabilities in systems and protecting against threats to those systems.
Every computer and network is vulnerable to attack. Security policies and products may reduce the likelihood that an attack will actually be able to penetrate your system’s defenses, or they may require an intruder to invest so much time and so many resources that it’s just not worth it—but there’s no such thing as a completely secure system.
The following sections demonstrate the typical points of vulnerability in a computer system.
Your buildings and equipment rooms are vulnerable. Intruders can break into your server room, just as they can break into your home. Once in, they can sabotage and vandalize your network equipment, and they can steal backup media and printouts, or obtain information that will allow them to more easily hack their way in at a later time.
Locks, guards, and biometric devices (devices that test a physical or behavioral trait—for example, a fingerprint, a voiceprint, or a signature—and compare it with the traits on file to determine whether you are who you claim to be) provide an important first defense against break-ins. Burglar alarms and other ordinary types of protection are also effective deterrents.
Computers are very vulnerable to natural disasters and to environmental threats. Disasters such as fire, flood, earthquakes, lightning, and power loss can wreck your computer and destroy your data. Dust, humidity, and uneven temperature conditions can also do damage.
In areas where obtaining stable power is a problem, facilities employ back-up generators. These can also help during times of extreme weather. Localized protection can be obtained through installing an uninterruptible power supply (UPS). A properly sized UPS will keep a computer energized long enough to shut down properly and without data loss, and provide power conditioning as well. Dust and other hazards are usually controlled by proper filters on the air conditioning and heating systems. If the environment itself tends to be dusty, a simple cloth cover can protect the computer when not in use. Do not cover a computer while it is operating, however, to avoid blocking the internal cooling fans and let the case radiate excess heat. Even temperature will help eliminate some problems, as well. The components and cards in a computer may expand and contract at different rates; they can become loose in their sockets. Avoid dampness in areas where removable media, such as floppy disks, CDs, DVDs, and backup tapes, are stored; mold and fungus are lethal to some media.
Certain kinds of hardware failures can compromise the security of an entire computer system. If protection features fail, they wreak havoc with your system, and they open security holes. It is also possible to open some “locked” systems by introducing extra hardware, or to use external devices to make a copy of the contents of disks or memory.
Software failures of any kind may cause your system to fail, open your system to penetration, or simply make the system so unreliable that it can’t be trusted to work properly and efficiently. Thriving exploration into vulnerabilities by the hacking community means that exploits will be published in online forums, paving the way for those who wish to write and publish viruses or other malicious software to do so. In particular, bugs in security features can open the floodgates to intrusion.
Even if individual hardware and software components are secure, an entire system can be compromised if the hardware components are connected improperly or if the software isn’t installed correctly.
Backup media, such as disk packs, tape reels, cartridges, and printouts, can be stolen, or can be damaged by such mundane perils as dust and stray magnetic and electromagnetic fields. Most hard-drive erase operations involve rewriting header files, not actually erasing the entire disk, so sensitive data may be left on magnetic media, easily decoded after a computer is retired or discarded. Even the memory chips in some electronic devices can be scanned for remnants of data or files.
All electronic equipment emits electrical and electromagnetic radiation. Electronic eavesdroppers can intercept the signals emanating from computers, networks, and wireless systems, and decipher them. The information stored and transmitted by the systems and networks then becomes vulnerable.
If your computer is attached to a network or if it can be accessed by a dial-in modem or over the Internet, you greatly increase the risk that someone will penetrate your system. Messages can be intercepted, misrouted, and forged. Communications lines connecting computers to each other, or connecting terminals to a central computer, can be tapped or physically damaged. Radio transmissions, the basis of wireless interconnections such as IEEE 802.11 (Wi-Fi) or IEEE 802.15 (Bluetooth), are particularly susceptible to surreptitious interception.
The people who administer and use your computer system represent the greatest vulnerability of all. If your administrator is poorly trained, or decides to take to a life of crime, your network is in grave peril. Ordinary computer users, operators, and other people on your staff can also be bribed or coerced into giving away passwords, opening doors, or otherwise jeopardizing security in your system.
There’s a lot of variation in how easy it is to exploit different types of vulnerabilities. For example, tapping a wireless network can require nothing more than special software installed on a laptop. Logging into a system that has no password protection, minimal controls, or inadequate password policies (e.g., allowing users to leave passwords on sticky notes at their workstations) is almost as easy. Tapping an encrypted fiber-optic communications link, on the other hand, or intercepting emanations from TEMPEST-shielded equipment is much more difficult, even for a dedicated intelligence operation. (See Appendix B for more information on TEMPEST.)
These threats imperil every physical plant and piece of equipment: fires, floods, power failures, and other disasters. You can’t always prevent such disasters, but you can find out quickly when one occurs (with fire alarms, temperature gauges, and surge protectors). You can minimize the chance that the damage will be severe (e.g., with certain types of sprinkler systems). You can institute policies that guard against hazards posing special dangers to computers (such as smoking or soda spills). You can also plan for a disaster by backing up critical data off-site and by arranging for the use of a backup system that can be used if an emergency does occur.
Ignorance creates dangers: for example, a user or a system administrator who hasn’t been trained properly, who hasn’t read the documentation, and who doesn’t understand the importance of following proper security procedures. A user might inadvertently delete a file, or a system administrator might change the protection on the password file or on critical system software, locking out programs and applications that need to access that data. Generally, more information is compromised, corrupted, or lost through ignorance than through malice.
These villains come in two varieties: outsiders and insiders. Some types of attacks are feasible only for certain types of attackers. For example, a casual “browser” isn’t likely to intercept and decipher electromagnetic emanations, or to perform a determined cryptographic analysis. Attacks of those kinds can typically be mounted only by sophisticated attackers who have substantial skill and resources (in computing power, money, time, and personnel) behind them.
Outsiders include a number of different categories:
They’re not lurking behind every bush, but they really do exist! Products using sophisticated encryption devices are most appropriate at installations where attacks on classified information are a realistic threat.
Luckily, we haven’t seen too much computer terrorism yet, though there have been attacks on university computers, various DoD networks and web sites, court buildings, and the like. The government worries about computer terrorism. So do airlines, oil companies, and other businesses that protect information that’s vital to the national interest. While some experts repeatedly predict that an “electronic Pearl Harbor” is imminent, others feel that computer terrorism, if it ever occurs, will just be a diversion, augmenting any terrorist attack by slowing down the communications needed to respond to the attack.
That said, there is evidence that some nations increasingly engage in routine interruption of communications within other nations, apparently with the intention of advancing political agendas. Mirroring offline diplomatic clashes, Internet users in Japan, China, and Korea have reportedly launched cyber attacks against each other. Information can be beamed into countries that suppress it. Denial of service attacks can be launched against government and company web sites. Often these attacks coincide with national holidays or protests.
Computer crime is lucrative, and, unlike many other types of crimes, can be carried out in a tidy, anonymous electronic fashion. The goal may be outright theft or embezzlement, or it may be extortion of some kind; for example, “I have just encrypted an important hard drive that is part of your important database. If you don’t pay me, I will throw away the key and tell the world that you could not keep your corporate data secure.”
Corporations rely on computers, network connections, and electronic mail. Corporate records, memos, and informal messages have become more vulnerable than ever to attacks by competitors intent on ferreting out weaknesses and plans.
This category consists of “computer joy riders.” When people talk about crackers, or hackers, they usually mean intruders who are more interested in the challenge of breaking in than in the spoils of victory. These intruders may browse through systems, peeking at interesting data and programs, but they usually don’t do it for monetary or political gain. More typically, they break into systems for the challenge of defeating each new security feature they encounter. They may share their knowledge with other crackers via electronic bulletin boards, newsgroups, IRC channels, and web logs (blogs). They may also document their successes in hardcopy or electronic publications such as 2600 Magazine, Phrack, and the Computer Underground Digest.
Outsiders may penetrate systems in a variety of ways: simple break-ins of buildings and computer rooms; disguised entry as maintenance personnel; anonymous, electronic entry through modems and network connections; and bribery or coercion of inside personnel.
Although most security mechanisms protect best against outside intruders, survey after survey indicates that most attacks are by insiders. Estimates are that as many as 80 percent of system penetrations are by fully authorized users who abuse their access privileges to perform unauthorized functions. As Robert H. Courtney Jr. put it, “The enemy is already in—we hired them.”
There are a number of different types of insiders. The fired or disgruntled employee might be trying to steal; more likely, he’s just trying to wreak revenge by disrupting office operations. The coerced employee might have been blackmailed or bribed by foreign or corporate enemy agents. The greedy employee might use her inside knowledge to divert corporate or customer funds for personal benefit. The insider might be an operator, a systems programmer, or even a casual user who is willing to share a password.
Don’t forget, one of the most dangerous insiders may simply be lazy or untrained. He doesn’t bother changing passwords, doesn’t learn how to encrypt email messages and other files, leaves sensitive printouts in piles on desks and floors, and ignores the paper shredder when disposing of documents. More energetic types may take advantage of this laziness and do serious damage.
Often, the most effective system attacks are those that combine a strong outside strategy (for example, breaking into competitors’ files to steal their marketing plans) with access by an insider (for example, a marketing assistant who’s been bribed to give away a password or steal reports).
There are many different types of countermeasures—methods of protecting computers and information. This book provides a survey of these methods in several basic categories.
Earlier in this chapter, the term “computer security” was used in a broad sense to cover the protection of computers and everything associated with them. It’s more precise to say that computer security is the protection of the information stored in a computer system, as opposed to protecting information that’s being transmitted (which is network security), or protecting the equipment and the facility itself (physical security). Computer security focuses on operating system features that control who can access a system and the data stored in it.
Part II of this book discusses computer security controls—including passwords, auditing of security actions, and administrative procedures such as backups that protect stored data. That part also draws distinctions between the various types of security policies available in multiuser computer systems: discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). Part II also briefly discusses how the government sets standards for computer security and certifies products that meet those standards. Additional coverage is included in Appendix C.
Communications security is the protection of information while it’s being transmitted by telephone, cabling, microwave, satellite, or any other means. This branch of security focuses on network access to computer systems, and the technologies that increase the security of systems allowing such connections to the outside world.
Part III of this book describes encryption, a highly effective method of protecting data either in storage or during transmission. Encryption takes many forms and is applied in several different ways. Part III also discusses a number of other ways to increase network security.
Physical security is the protection of physical computer equipment from damage by natural disasters and intruders. Physical security methods include old-fashioned locks and keys, as well as more advanced technologies such as smart cards and biometric devices. Part IV of this book discusses physical security and wireless security (steps that can be taken to protect information during wireless transmission).
Computer security has historically been viewed as being an unnecessary impediment to getting work done. With pressure from the government, the courts, and the press, security now seems to have graduated to a necessary evil. In the latest versions of the Linux and the Windows operating systems, security is automated and is becoming a full-fledged system feature.
Estimates of the size of the computer security market vary. The Freedonia group estimates that computer security now represents roughly a $9 billion a year market opportunity for the United States, and this number is expected to increase dramatically over the next decade. As you’d expect, the U.S. government drives much of the security market. Because of its special concern for classified information relating to national defense and intelligence, the U.S. government has historically been the major force behind security research and technology. The government has a great many secrets (millions of new pieces of information are classified each year!), and computer security products thrive on secrecy.
It’s difficult to get hard numbers on government security spending because military and other classified programs account for a large piece of the security market, and dollar figures for those classified programs aren’t publicly available. Best estimates are that as much as half the total computer security purchases are government-related, but this ratio ebbs and flows as security concerns enter and leave the public mind.
The Department of Defense, the intelligence agencies, and government contractors are particularly heavy users of security products—especially cryptographic products, highly secure computer systems, and systems that use TEMPEST technology. (The TEMPEST market is almost exclusively a government one, although the private sector is likely to wake up to it as decoding systems decrease in complexity and increase in availability.) Virtually every government department and agency buys security products. Most of them have little choice; they’re required by government regulations to protect the information they process. (Not to say that the security of every government entity is exemplary; numerous “report cards” frequently implicate government watchdogs as being somewhat behind the security curve.)
Businesses and government agencies have different goals and different cost/risk tradeoffs. Because financial considerations are the focus of business, security has to be cost-effective, or business won’t buy or build it. A big market question is who will be willing to pay for security over time—both in dollars and in potential loss of convenience and user friendliness.
Why buy security? There are two especially good reasons, described next.
If you sell to the government, you almost certainly need to use many of the security technologies described in this book. If you’re a computer vendor who’s trying to sell a lot of computer workstations, for example, you may be forced to build security into your products or to buy the technology from others.
Most government requisitions specify security requirements along with operational requirements. Most operating systems must conform to a specified level of the Common Criteria for security. Common Criteria has replaced the security levels specified in the former “Orange Book” (see Appendix C for more information) standard for trusted systems, but the language of the Orange Book still permeates the security business.
You may need to use a particular form of encryption to protect stored and transmitted data; for high-security applications, consider using TEMPEST shielding.
In addition to being the major purchaser of computer security, the government has historically been the driving force behind the development of security products and the standardization of what makes a system “secure.” Chapter 2 describes what these security standards are and how they developed.
Government agencies are required by law to protect both classified information and also what’s called “sensitive unclassified” information. Examples include such information as productivity statistics (from the Department of Commerce), currency production and transfer information (Department of the Treasury), and embassy personnel information (Department of State). What makes this information sensitive is the fact that its theft or modification could potentially disrupt the nation’s economy or compromise its employees. Similarly, the breach of individual health and financial records maintained by such agencies as the Social Security Administration, the FBI, the IRS, and others could have severe legal and personal repercussions.
If your business uses sensitive corporate information, you need security too. In some cases, you need to keep information secret. Obvious examples of such information include banking funds transfers, oil resource data, stock futures strategies, medical research data, personal medical data, and airline reservation information.
In other cases, you need to ensure the integrity of the information. A primary example is electronic funds transfer (EFT). The Society for Worldwide Interbank Financial Telecommunications (SWIFT), for example, provides EFT services for over 7,500 financial institutions in 200 countries, securely completing millions of transactions a day, and billions of transactions each year (2 billion in 2003 alone). SWIFT and other financial institutions require absolute accuracy in their transactions. As described earlier, message authentication and related techniques play an important part in ensuring the accuracy of such financial information.
Even if your business doesn’t involve national defense secrets or international funds transfers, the information you process is critical to your own business. Information may well be your most important business asset. Any theft or compromise of information is as much an attack on your business as is the theft of any other company asset. And the loss of information is more likely to damage your business than would a more tangible loss. Even if you’re not convinced that you need security, your insurance company and your shareholders may be. The concept of “reasonable safeguards” is having an impact on users of computer systems now. You may find that if you do not provide adequate security for your information, your insurance may not cover a loss, and you may lose a court battle over “computer malpractice,” “preventable loss,” or the “standard of due care.”
If you use a computer of any kind, anywhere, computer security not only affects you, it is your responsibility. If your device is compromised, you could be an unwitting partner in crime, or at least a source of inconvenience. And before you can even worry about computer abuse, you need to worry about power failures, natural disasters, making backups in case of a disk failure or virus attack, and making sure no one walks off with your equipment or backup media. If you work on a network, you have to observe network access and security regulations. You’ll find that as quickly as manufacturers release cures for network or computer exploits, you will need to adopt them and incorporate them into your daily routine.
If your organization has installed a highly secure system, you may have to accept substantial restrictions on the administrative tasks you might have performed in the past—sheer torture for power users used to configuring their systems or at least their desktops to be just the way they want them. If your system supports mandatory access controls, you’ll find that even if another user wants to let you read or print one of her files, the system may not let you.
Conversely, some organizations that really should know better sometimes display a stunning lack of security. In this case, you’re on your own recognizance: sure, you could reprogram the boss’s spreadsheet and plot yourself a big raise, but you would not want to be you the day you are caught.
Computer security is a multibillion dollar industry that addresses a threat that now impacts everyone. Major software companies warn users to install personal firewall software on their PCs in addition to performing frequent software updates to avoid the latest hazards. These days, only a fool or one uninformed would go too long without periodically updating his virus definition tables.
Hopefully, you are now convinced that security is good for you and your data—that it’s worth it for you to spend a small amount of extra time worrying about viruses, protecting your login account, and otherwise practicing safe computing to the best of your ability. Remember that security means more than keeping the bad guys out. It also means doing what you can to protect, or at least to avoid endangering, the network and computers used by yourself and others.
 The word “hacker” has a long and honorable history. It originally meant anyone with a strong interest in computers and an eagerness to experiment with them and test their limits. More recently, the word has been used to refer to those who break into systems in an unlawful way. Because many law-abiding “hackers” object to this pejorative meaning of the word, I’ve chosen to call those who deliberately break into systems “attackers” or “intruders,” rather than “hackers.”