Computer Security Basics
Computer Security Basics, Second Edition By Rick Lehtinen, G.T. Gangemi, Sr.
June 2006
Pages: 310



Table of Contents

Chapter 1: Introduction
The New Insecurity
Since the terrorist attacks on September 11, 2001, computer security has taken on some new meanings. The first is positive. As part of a global tightening of belts and rolling up of sleeves, there emerged several outreaches designed to provide security training and certification to folks in all walks of life, from the consumer being alerted about identity theft, to the soldier and sailor and weapons scientists taking greater precautions with items of national security, to the common person on the street gaining a heightened awareness of hackers and crackers and cyber attackers. Gradually this new emphasis on computer and network safety has percolated down to the ordinary user's computer in the den or living room. And because it really is a small Internet, and what affects one usually affects all, the safer individual users are, the safer the Net is for everybody.
Unfortunately, in return for a perception of security, both physical and on the Internet, some computer users have begun to accept unprecedented compromises in privacy as being part of the price to be paid to counter an envisioned terrorist threat associated with computer usage. In return for a feeling of "protection" with vague ties to national defense, more and more of what used to be private data and folks' own business is now available for inspection by corporate and legal observers. Giving up the proven checks and balances that are the underpinnings of a free society may do more harm than good. Recent reports, such as a summer 2003 incident in which one or more airlines turned over to a contract firm working for the Department of Defense the transaction records of a half million passengers for use in an experiment on database profiling, have demonstrated that relaxed restraints against law enforcement agencies can lead to egregious actions. Numerous press reports have indicated that the expanded powers granted to law enforcement agencies in the name of homeland defense have resulted in those powers being used increasingly to investigate and prosecute crimes under laws not related to homeland defense at all. This, in turn, has resulted in a mini-backlash designed to rein in the security promoters, heightening the debate.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
What Is Computer Security?
The term computer security has different interpretations based on what era the term describes. Early on, computer security specialized in keeping the glass houses in which the computer core was positioned safe from vandalism, along with providing constant cooling and electricity. As computers became more dispersed, security became more of an issue of preserving data and protecting its validity, as well as keeping the secrets secret. As computers moved onto the desktop and into the home, computer security took the form of protection against data thieves and network attackers. Modern computer security includes considerations of business continuity. This ability mitigates interruption or loss regardless of the threat, and more importantly, develops rational systems that estimate and offset risk. These values are incorporated into procedures and policies that make computer security a priority from the top down. Today, industrial security, in terms of loss control due to theft, vandalism, and espionage, involves the same personnel controls and physical security provisions that protect the enterprise as a whole.
You can get a good thumbnail sketch of computer and network security by examining the principles on which it is founded. Computer and network security are built on three pillars, commonly referred to by the C-I-A acronym:
  • Confidentiality
  • Integrity
  • Availability
Data is confidential if it stays obscure to all but those authorized to use it. Data has integrity as long as it remains identical to its state when the last authorized user finished with it. Data is available when it is accessible by authorized users in a convenient format and within a reasonable time. (Note: the C-I-A acronym will be repeated like a mantra throughout the course of this book.)
Following shortly on the heels of C-I-A are a host of other terms and acronyms. Each of these has its own shade of meaning, but all of them are part of the C-I-A model:
Identification
Threats to Security
There are three key words that come up in discussions of computer security issues: vulnerabilities, threats and countermeasures. A vulnerability is a point where a system is susceptible to attack. A threat is a possible danger to the system. The danger might be a person (a system cracker or a spy), a thing (a faulty piece of equipment), or an event (a fire or a flood) that might exploit a vulnerability of the system. The more vulnerability you see in your system, and the more threats you believe are out there, the more carefully you'll need to consider how to protect your system and its information. Techniques for protecting your system are called countermeasures.
Computer security is concerned with identifying vulnerabilities in systems and protecting against threats to those systems.
Every computer and network is vulnerable to attack. Security policies and products may reduce the likelihood that an attack will actually be able to penetrate your system's defenses, or they may require an intruder to invest so much time and so many resources that it's just not worth it—but there's no such thing as a completely secure system.
The following sections demonstrate the typical points of vulnerability in a computer system.

Section 1.3.1.1: Physical vulnerabilities

Your buildings and equipment rooms are vulnerable. Intruders can break into your server room, just as they can break into your home. Once in, they can sabotage and vandalize your network equipment, and they can steal backup media and printouts, or obtain information that will allow them to more easily hack their way in at a later time.
Locks, guards, and biometric devices (devices that test a physical or behavioral trait—for example, a fingerprint, a voiceprint, or a signature—and compare it with the traits on file to determine whether you are who you claim to be) provide an important first defense against break-ins. Burglar alarms and other ordinary types of protection are also effective deterrents.

Section 1.3.1.2: Natural vulnerabilities

Computers are very vulnerable to natural disasters and to environmental threats. Disasters such as fire, flood, earthquakes, lightning, and power loss can wreck your computer and destroy your data. Dust, humidity, and uneven temperature conditions can also do damage.
Why Buy Security?
Computer security has historically been viewed as being an unnecessary impediment to getting work done. With pressure from the government, the courts, and the press, security now seems to have graduated to a necessary evil. In the latest versions of the Linux and the Windows operating systems, security is automated and is becoming a full-fledged system feature.
Estimates of the size of the computer security market vary. The Freedonia group estimates that computer security now represents roughly a $9 billion a year market opportunity for the United States, and this number is expected to increase dramatically over the next decade. As you'd expect, the U.S. government drives much of the security market. Because of its special concern for classified information relating to national defense and intelligence, the U.S. government has historically been the major force behind security research and technology. The government has a great many secrets (millions of new pieces of information are classified each year!), and computer security products thrive on secrecy.
It's difficult to get hard numbers on government security spending because military and other classified programs account for a large piece of the security market, and dollar figures for those classified programs aren't publicly available. Best estimates are that as much as half the total computer security purchases are government-related, but this ratio ebbs and flows as security concerns enter and leave the public mind.
The Department of Defense, the intelligence agencies, and government contractors are particularly heavy users of security products—especially cryptographic products, highly secure computer systems, and systems that use TEMPEST technology. (The TEMPEST market is almost exclusively a government one, although the private sector is likely to wake up to it as decoding systems decrease in complexity and increase in availability.) Virtually every government department and agency buys security products. Most of them have little choice; they're required by government regulations to protect the information they process. (Not to say that the security of every government entity is exemplary; numerous "report cards" frequently implicate government watchdogs as being somewhat behind the security curve.)
What's a User to Do?
If you use a computer of any kind, anywhere, computer security not only affects you, it is your responsibility. If your device is compromised, you could be an unwitting partner in crime, or at least a source of inconvenience. And before you can even worry about computer abuse, you need to worry about power failures, natural disasters, making backups in case of a disk failure or virus attack, and making sure no one walks off with your equipment or backup media. If you work on a network, you have to observe network access and security regulations. You'll find that as quickly as manufacturers release cures for network or computer exploits, you will need to adopt them and incorporate them into your daily routine.
If your organization has installed a highly secure system, you may have to accept substantial restrictions on the administrative tasks you might have performed in the past—sheer torture for power users used to configuring their systems or at least their desktops to be just the way they want them. If your system supports mandatory access controls, you'll find that even if another user wants to let you read or print one of her files, the system may not let you.
Conversely, some organizations that really should know better sometimes display a stunning lack of security. In this case, you're on your own recognizance: sure, you could reprogram the boss's spreadsheet and plot yourself a big raise, but you would not want to be you the day you are caught.
Computer security is a multibillion dollar industry that addresses a threat that now impacts everyone. Major software companies warn users to install personal firewall software on their PCs in addition to performing frequent software updates to avoid the latest hazards. These days, only a fool or one uninformed would go too long without periodically updating his virus definition tables.
Summary
Hopefully, you are now convinced that security is good for you and your data—that it's worth it for you to spend a small amount of extra time worrying about viruses, protecting your login account, and otherwise practicing safe computing to the best of your ability. Remember that security means more than keeping the bad guys out. It also means doing what you can to protect, or at least to avoid endangering, the network and computers used by yourself and others.
Chapter 2: Some Security History
Computer security is a hot issue today, but it's an issue that's been simmering for many years. The development of government security regulations and standards, research into security mechanisms, and debates over the threats to information and the costs of protecting against these threats—all of these activities are well into their fourth decade. Computer security itself isn't new. What's new is security's broader focus (security means more than just keeping outsiders out) and its wider appeal (security is important to business and folks at home as well as government).
This chapter describes how we got to where we are today. It summarizes key events in the history of computer security, discusses some of the government standards and programs involved with computer security, and introduces the concept of computer databases and the preservation of privacy.
Information and Its Controls
Information security is almost as old as information itself. Whenever people develop new methods of recording, storing, or transmitting information, these innovations are almost inevitably followed by methods of harnessing the new technologies and protecting the information they process. They're also followed by government investigations and controls. For example:
  • In 1793, the first commercial semaphore system (use of mechanized flags) was established between two locations near Paris. Semaphore signaling came to be used throughout France, Italy, Germany, and Russia. Thousands were employed manning the stations, which operated at a speed of about 15 characters per minute. Code books were used so that whole sentences could be represented by a few characters. Semaphores weren't very successful in England because of fog and smoke, but in the United States, systems of this kind are the reason so many communities have geographic names such as Signal Hill, Beacon Rock, Signal Butte, and Semaphore Pointe.
  • With Samuel F.B. Morse's introduction of the telegraph came concerns for protecting the confidentiality of transmitted messages. In 1845, just a year after the invention, a commercial encryption code was developed to keep the transmitted messages secret.
  • Within five years of the introduction of the telephone in 1881, a patent application was filed for a voice scrambler.
  • In the 1920s, the use of telephone wiretaps by both government and criminal forces resulted in a public outcry, Congressional hearings, and, ultimately, legislation prohibiting most wiretapping.
  • In the 1930s, Title VI of the Communications Act of 1934 prohibited unauthorized interception and publication of communications by wire or radio, while giving the President certain powers to deal with communication matters in the event of war or other national emergency.
  • In the 1940s, concerns about controlling the proliferation of information about atomic energy led to the Atomic Energy Act of 1946. This act created a Restricted Data category of information requiring special protection and penalties for dissemination. Similar controls have been imposed on new advances in other scientific fields.
Computer Security: Then and Now
In the early days of computing, computer systems were large, rare, and very expensive. Naturally enough, those organizations lucky enough to have a computer tried their best to protect it. Computer security was simply one aspect of general plant security. Computer buildings, floors, and rooms were guarded and alarmed to prevent outsiders from intruding and disrupting computer operations. Security concerns focused on physical break-ins, the theft of computer equipment, and the physical theft or destruction of disk packs, tape reels, punched cards, and other media. (This was in the day when you could destroy a program by grabbing its card deck and scattering it to the wind. Incorrect reassembly of the card deck could cause some memorable computer errors. It was important to choose carefully one's victim in such a prank, lest they be faster or stronger than they appeared.)
Insiders were also kept at bay. Few people knew how to use computers, and only those who knew the secrets of the machine were privileged to stand in its presence. Most users never saw the computers that crunched their numbers. Batch processing meant that users submitted carefully screened jobs—often through protected slots in the doors of computer rooms—to operators who actually put the machine through its paces.
Times changed. During the late 1960s and 1970s, computer technology was transformed, and with it the ways in which users related to computers and data. Multi-programming, time-sharing, and networking dramatically changed the rules of the game. Users could now interact directly with a computer system via a terminal, giving them more power and flexibility but also opening up new possibilities for abuse. Acoustic couplers—modems with foam pads into which a telephone handset was inserted—allowed connectivity not just in the computer room or building, but from cities far away.
Telecommunications—the ability to access computers from remote locations and to share programs and data—radically changed computer usage. Large businesses began to automate and store online information about their customers, vendors, and commercial transactions. Networks linked minicomputers together and allowed them to communicate with each other and with mainframes containing large online databases. It became much easier to make wholesale changes to data—and much easier for errors to wreak widespread damage. Banking and the transfer of assets became an electronic business.
Early Computer Security Efforts
The earliest computer-related security activities began in the 1950s, with the development of the first TEMPEST security standard, the consideration of security issues in some of the earliest computer system designs, and the establishment of the first government security organization, the U.S. Communications Security (COMSEC) Board. The board, which consisted of representatives from many different branches of the government, oversaw the protection of classified information.
Although these events set the scene for later computer security advances, the 1960s marked the true beginning of the age of computer security, with initiatives by the Department of Defense, the National Security Agency, and the National Bureau of Standards (now the National Institute of Standards and Technology or NIST), coupled with the first public awareness of security. The Spring Joint Computer Conference of 1967 is generally recognized as being the locale for the first comprehensive computer security presentation for a technical audience. Willis H. Ware of the RAND Corporation chaired a session that addressed the wide variety of vulnerabilities present in resource-sharing, remote-access computer systems. The session addressed threats ranging from electromagnetic radiation to bugs on communications lines to unauthorized programmer and user access to systems and data.
The Department of Defense, because of its strong interest in protecting military computers and classified information, was an early partisan of computer security efforts. In 1967, DoD began to study the potential threats to DoD computer systems and information. In October of that year, DoD assembled a task force under the auspices of the Defense Science Board within the Advanced Research Projects Agency (ARPA), now known as the Defense Advanced Research Projects Agency, or DARPA. The task force worked for the next two years examining systems and networks, identifying vulnerabilities and threats, and introducing methods of safeguarding and controlling access to defense computers, systems, networks, and information. Published as a classified document in 1970, the task force report,
Building Toward Standardization
Late in the 1970s, two important government initiatives significantly affected the development of computer security standards and methods. In 1977, the Department of Defense announced the DoD Computer Security Initiative under the auspices of the Under Secretary of Defense for Research and Engineering. The goal was to focus national attention and resources on computer security issues. The initiative was launched in 1978 when DoD called together government and industry participants in a series of seminars. The goal of the seminars was to answer these questions:
  • Are secure computer systems useful and feasible?
  • What mechanisms should be developed to evaluate and approve secure computer systems?
  • How can computer vendors be encouraged to develop secure computer systems?
The second important initiative came from the National Bureau of Standards (NBS), now known as the National Institute of Standards and Technology. NIST has historically been responsible for the development of standards of all kinds. As a consequence of the Brooks Act of 1965 (described in "Computer Security Act" later in this chapter), NIST (as NBS) became the agency responsible for researching and developing standards for federal computer purchase and use, and for assisting other agencies in implementing these standards. The bureau has published many federal standards known as Federal Information Processing Standards publications (FIPS PUBs) in all areas of computer technology, including computer security. Over the course of the next decade or so after the Brooks Act, NBS focused on two distinct security standardization efforts: development of standards for building and evaluating secure computer systems, and development of a national standard for cryptography.
NBS's first charge was to evaluate the federal government's overall computer security needs and to begin to find ways to meet them. Early efforts, based on NBS's Brooks Act mandate, included the following:
1968
NBS performed an initial study to evaluate the government's computer security needs.
Computer Security Mandates and Legislation
Throughout history, new advances in the availability, processing, and transmission of information have inevitably been followed by new security methods, federal laws, and procedural controls. These are typically aimed at protecting information that's considered to be essential to national security or other national interests.
In the 1970s and into the 1980s, national concerns about the Soviet interception of domestic communications intensified. Since the 1990s, that threat has diminished, but other nations, primarily those in the Middle East, but certainly Communist China and North Korea as well, have become threats. All this has led to a large number of security-related pieces of legislation, Presidential directives, and national policy statements. These fall into several categories:
Protection of classified or sensitive information
Legislation mandating computer security practices by federal agencies and contractors. The idea of this legislation is that organizations that process classified or sensitive unclassified government information must be careful to protect that information from unauthorized access.
Computer crime
Legislation defining computer crime as an offense and extending other regulations to cover thefts and other abuses carried out by computers and other new techniques. In addition to federal policies, virtually all U.S. states have enacted their own legislation prohibiting computer crime and abuse.
Privacy
Legislation protecting the privacy of information maintained about individuals (e.g., health and financial records). Another consideration for computer privacy is the practice of merging records from multiple, seemingly benign databases into profiles that may reveal devastating amounts of information about an individual.
Although it may be a mischaracterization, much of the concern about computer security centers on the government. Data needs to be classified to avoid exposing sensitive information and the means used to collect it, or protected to avoid allowing unfriendly investigators to compile data and expose national weaknesses. In addition, the communications of terrorists and criminals can be a rich source of information to prevent or solve crime, but access to that information by law enforcement or military agencies can constitute an infringement of personal liberty (which is one of the principles upon which this country was founded). Thus government is both the protector and the cause of concern, and untying the hands of enforcement agencies that protect us while keeping their agents from scrounging secrets out of our trash is one of the enduring concerns of national computer policy.
Summary
Computer security, originally envisioned to protect the denizens and equipment contained in the "glass houses" of computer centers, has grown into a network of laws, standards, and best practices designed to promote the protection of the computer and its network from internal and external attack, as well as the misuse of its contents by owners and protectors alike.
Chapter 3: Computer System Security and Access Controls
Computer security covers a lot of territory: locking your server and telecommunications rooms, locking your machine, protecting your login accounts with strong passwords, using file protection and adhering to a regular backup schedule to keep your data from being destroyed, encrypting network communications lines, and using special shields to keep electromagnetic emanations from leaking out of your computer (TEMPEST). But when people talk about computer security, they usually mean what is called computer system security, which is a fancy way of saying data protection.
What Makes a System Secure?
In the most basic sense, computer system security ensures that your computer does what it's supposed to do—even if its users don't do what they're supposed to do. It protects the information stored in it from being lost, changed either maliciously or accidentally, or read or modified by those not authorized to access it.
How does computer system security provide protection? There are four primary methods:
System access controls
These methods ensure that unauthorized users don't get into the system and encourage (sometimes force) authorized users to be security-conscious—for example, by changing their passwords on a regular basis. The system also protects password data and keeps track of who's doing what in the system, especially if what they're doing is security-related (e.g., logging in, trying to open a file, using special privileges). System access controls are the soul of authentication.
The next section introduces the basics of system access controls. Appendix C describes the Orange Book accountability requirements, which specify the system access controls defined for different levels of secure systems. The Orange Book is still an important reference for computer security, although technically it has been replaced by the Common Criteria.
Data access controls
These methods monitor who can access what data, and for what purpose. Another word for this is authorization, that is, what you can do once you are authenticated. Your system might support discretionary access controls; with these, you determine whether other people can read or change your data. Your system might support mandatory access controls; with these, the system determines access rules based on the security levels of the people, the files, and the other objects in your system. Role-based access controls are a hybrid system; these methods extend individual authorization to group memberships.
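The three data access control models described above, evaluated side by side for the same request. This is an added example, not code from the book; the level names, the role table, the user and file names, and the write rule in the mandatory model are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed ordering of security levels, lowest to highest.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

# Constructed role table: role -> set of (file name, permission).
ROLE_PERMS = {
    "payroll-clerk": {("payroll.db", "read")},
    "payroll-admin": {("payroll.db", "read"), ("payroll.db", "write")},
}

@dataclass
class User:
    name: str
    clearance: str = "public"
    roles: set = field(default_factory=set)

@dataclass
class File:
    name: str
    owner: str
    label: str = "public"
    acl: dict = field(default_factory=dict)  # user name -> set of permissions

def dac_grant(f, granter, grantee, perms):
    """Discretionary: the owner, and only the owner, decides who gets access."""
    if granter.name != f.owner:
        raise PermissionError(f"{granter.name} does not own {f.name}")
    f.acl.setdefault(grantee.name, set()).update(perms)

def dac_allows(user, f, perm):
    return user.name == f.owner or perm in f.acl.get(user.name, set())

def mac_allows(user, f, perm):
    """Mandatory: the system compares levels; no owner can override the result."""
    subject, obj = LEVELS[user.clearance], LEVELS[f.label]
    if perm == "read":
        return subject >= obj   # cannot read above your clearance
    if perm == "write":
        return subject <= obj   # assumed rule: cannot write down to a lower level
    return False

def rbac_allows(user, f, perm):
    """Role-based: access follows from role membership, not from the individual."""
    return any((f.name, perm) in ROLE_PERMS.get(r, set()) for r in user.roles)

def decide(user, f, perm):
    """Return each model's verdict for the same request."""
    return {"dac": dac_allows(user, f, perm),
            "mac": mac_allows(user, f, perm),
            "rbac": rbac_allows(user, f, perm)}

# Constructed sample data.
alice = User("alice", clearance="secret", roles={"payroll-admin"})
bob = User("bob", clearance="confidential", roles={"payroll-clerk"})
payroll = File("payroll.db", owner="alice", label="secret")
dac_grant(payroll, alice, bob, {"read"})  # the owner shares read access with bob

if __name__ == "__main__":
    for who in (alice, bob):
        for perm in ("read", "write"):
            print(who.name, perm, decide(who, payroll, perm))
```

Bob's read request shows the difference: the owner's grant satisfies the discretionary check, but the mandatory check still refuses because his clearance is below the file's label.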
System and Security Administration
System Access: Logging into Your System
The first way a system provides computer security is by controlling access to that system. Who's allowed to log in? How does the system decide whether a user is legitimate? How does the system keep track of who's doing what in the system?
Trying to log into a system is a kind of challenge/response scenario. You tell the system who you are, and the system requests that you prove it by providing information that matches what the computer has stored about you. In security terms, this two-step process is called identification and authentication.
Identification is the way you tell the system who you are. Authentication is the way you prove to the system that you are who you say you are. In just about any multi-user system that involves local area networks, and in most desktop and laptop PCs, you must identify yourself, and the system must authenticate your identity, before you can use the system. There are three classic ways to do so:
What you know
The most familiar example is a password. The theory is that if you know the secret password for an account, you must be the owner of that account. There is a problem with this theory: you might give your password away or have it stolen from you. If you write it down, someone might read it. If you tell someone, that person might tell someone else. If you have a simple, easy-to-guess password, someone might guess it or systematically crack it.
What you have
Examples are keys, tokens, badges, and smart cards you must use to unlock your terminal or your account. The theory is that if you have the key or equivalent, you must be the owner of it. The problem with this theory is that you might lose the key, it might be stolen from you, or someone might borrow it and duplicate it. Electronic keys, badges, and smart cards can be used as authentication devices and as access devices for buildings and computer rooms. Some of the most sophisticated new security tokens are physical devices that continually calculate new passwords based on time-of-day or according to secure algorithms. The system for which entrance is sought performs the same calculation, and the password from the petitioning party must match the password calculated locally.
Summary
This chapter began with an introduction of simple username/password authentication systems, and continued into various authentication and authorization systems, including RADIUS, TACACS, DIAMETER, and Kerberos. The development of authentication, authorization, and accounting systems continued on to the directory-based systems, X.500 and LDAP. Finally, we discussed the wave of the future, identity management.
Proper passwords are an effective first layer in the organization's security policy. It is not difficult to develop strong passwords and change them frequently, but users tend to resist the practice, or else subvert it by writing the passwords down and leaving them where they can be seen. Multifactor authentication schemes, including biometrics, promise to greatly increase the security of networks and facilities.
If increased security is needed, tokens can be added to the login process. This multifactor authentication method adds yet another layer to the defense in depth concept. Other factors discussed included using one-time passwords, Kerberos, and biometrics as a secure means to be authenticated.
Current directory-based login systems offer authentication, authorization, and accounting. As multiple authentication databases merge into federated identity management systems providing single-point login, increasing amounts of private information about users can be incorporated into the login process.
Chapter 4: Viruses and Other Wildlife
The word virus has become a generic term describing a number of different types of attacks on computers using malicious code. Just about everybody has heard of computer viruses, worms, Trojan horses, and other malicious software. Many have been infected at least once, either by one of the famous attacks such as Melissa, ExploreZip, MiniZip, Code Red, NIMDA, BubbleBoy, I LoveYou, NewLove, KillerResume, Kournikova, NakedWife, or Klez; or perhaps by a lowly pest picked up in an email or through visiting some web site. A virus or worm could even be active in your machine right now, lying dormant until some trigger activates it. And in today's world, the line is blurred between viruses and marketing tools, such as pop-ups, adware, or spyware, each of which uses a certain amount of the computer's resources to display or gather data about the user.
Financial Effects of Malicious Programs
Although estimates vary widely, it is a safe bet that billions of dollars worth of damage have been done over the two decades since malicious code hit the big time. While some of this harm has been due to destruction of data and even damage to hardware, the bulk of the loss is likely lost time.
Spending time recovering from a virus steals opportunity in a few ways:
  • The time and effort it takes to root out the virus and repair the damage.
  • The diversion of time and effort from what may have been revenue production.
  • The out and out loss of computer hardware (rare these days) or documents, files, and applications that either cannot be recovered, or for which the time and expense of recovery can't be justified.
Putting an actual dollar value on the loss due to viruses requires a lot of guesswork. This is because one affected machine may be used mainly for trivial pursuits and can be easily repaired by simply reloading the machine with fresh copies of applications and any available data, while another may contain the details of an elaborate business deal, your contact book, your master's thesis, or digital pictures of your loved ones, which must be carefully located, scanned for infections, and copied onto the machine after replacing or repairing any infected files.
Thus the hard number of actual dollar losses due to malware activity is obscured by emotional losses. Just because the actual amount of damage is fuzzy, however, does not degrade the importance of malicious software.
Viruses and Public Health
A primary reason today to care about malicious code, such as viruses and worms, is the same reason it is important to keep one's vaccination records up to date while traveling. You would not want to become a carrier of some awful disease. Most malicious code today is concerned not only with trashing your machine, but also with using your machine to infect others.
A classic example is the software used to create a DDoS attack. After hiding itself in your computer, modern malware typically seeks information from you to use to infect others, and it usually finds it in your address book or by prowling your local area network. The malware then stalks its new victims, often by sending an email in your name, and infects them as well. This is akin to the way a virus may propagate itself in a living organism, and it may be a separate operation from executing the payload—performing the dirty work of the virus—which follows.
Upon command, your machine and all of those you have inadvertently helped infect may then zero in on some target (such as the White House, or a critical server that helps make the Internet function) with tens of thousands of commands and requests coming from all directions. This brings the target to its knees, accomplishing the attacker's goal. To avoid this, every machine must be a healthy one, so that it does not unwittingly infect its neighbor, which may be you.
Viruses, Worms, and Trojans (Oh, My!)
While historically important, the classification of malicious code into categories such as "virus" or "worm" is today somewhat quaint. Attackers who want to harm your system will get there any way they can, and whipping up a software half-breed that blurs definitions would be the least of their worries.
For this reason, modern attack tools tend to be labeled by their function more than their genealogy. Hence there are rootkits, Trojan horses, exploits, password sniffers, and zombies, more than there are viruses and worms. Although we will briefly explore the historic roots and definitions of such malicious programming in a moment, in this book we shall call all such programs malicious code, or for short, malware. And to keep in sync with the general public, we will use the term virus as its synonym.
Who Writes Viruses?
In the early days, most virus-like programs were written by geniuses, mainly computer scientists at major corporations and labs, who were still exploring the theoretical limits of computing. The question "What do computers do?" had not been answered. Attempts at producing independent, self-replicating program elements were a valid inquiry into the question of how computers should be used and organized. Nothing was easy about programming in these pioneering days. Assembly language, often considered today the most arcane of the programming arts, was still a bit of a dream. So, by and large, the early experimenters with viral technology, operating before the metaphor was even coined, were the giants.
In today's world, you buy a computer; you plug it in, or have the kid who sold it to you come out and do so; you connect it to the Internet via a broadband connection; and you are flying. For many, it is an entertainment and communications tool, on which to write the occasional letter, using self-correcting, autoformatting, and grammar-checking office software. The computer has become as far removed from its early users as has the automobile from most of its drivers. True, most mechanics and automotive engineers drive to work, and some shade tree mechanics tinker in the innards, and a few actually make improvements. Most, however, decide on their choice of colors, and whether or not they want chrome rims or white sidewalls for their wheels. Customization has replaced engineering, and in many cases, disposal has replaced repair.
It is in this environment that the new breed of virus writer has emerged. The computer is no longer an awe-inspiring oracle in a glass enclosed tabernacle, into which only the chosen may enter. Today the computer, in the United States at least, is ubiquitous. Almost as many homes have computers as subscribe to newspapers and magazines. And as the entertainment value of the Internet increases, that number may begin to approach the market penetration of the telephone and television, which in the early 1990s was already present in slightly more homes than the number having indoor plumbing. There are so many computers in use today that states such as California have adopted laws concerning their disposal, so that old PCs don't clog landfills.
Remedies
There are many programs that can help you keep viruses and other wildlife away from your system—and can wipe out the critters if they gain access. Known as virus protection programs, these programs are available from both commercial and public domain sources. These products, and the system administration procedures that go along with them, have two overlapping goals: they don't let you run a program that's infected, and they keep infected programs from damaging your system.
A firewall protects your computer by examining each information packet that travels over the network. Clues to a packet's purpose can be read from its destination address. Firewalls contain a list of allowed and disallowed destinations and functions. If a packet is heading for a forbidden address or comes from one, the firewall stops it. If a packet is heading for a valid address, but its port identifier (the clue to packet function) is unknown or disallowed, the firewall stops that packet as well. Advanced firewalls even keep track of outgoing packets, and open up only if a packet is expected and returning.
A firewall helps prevent active threats such as worms and viruses because these pests often attempt to enter a computer using forbidden paths, such as port numbers that are unmonitored or unusual. The firewall examines each packet, and it quashes those that are unexpected or disallowed.
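The firewall decisions described above (forbidden addresses, disallowed ports, and replies admitted only when an outgoing packet is expecting them), as an added example that is not from the book. The `Firewall` class, its rule lists and the sample packets are constructed for illustration, and the addresses come from the ranges reserved for documentation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected machine
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    def __init__(self, forbidden_nets, allowed_in_ports, allowed_out_ports):
        self.forbidden = [ip_network(n) for n in forbidden_nets]
        self.allowed_in = set(allowed_in_ports)
        self.allowed_out = set(allowed_out_ports)
        self.expected = set()  # replies the machine is waiting for

    def _is_forbidden(self, addr):
        return any(ip_address(addr) in net for net in self.forbidden)

    def check(self, p):
        # A packet heading for, or coming from, a forbidden address is stopped.
        if self._is_forbidden(p.src) or self._is_forbidden(p.dst):
            return "drop: forbidden address"
        if p.direction == "out":
            if p.dport not in self.allowed_out:
                return "drop: port not allowed"
            # Remember the flow so that only its reply is let back in.
            self.expected.add((p.dst, p.dport, p.src, p.sport))
            return "allow"
        # Inbound packet that answers a remembered outgoing packet.
        if (p.src, p.sport, p.dst, p.dport) in self.expected:
            return "allow: expected reply"
        # Valid address, but the port must be known and allowed.
        if p.dport in self.allowed_in:
            return "allow"
        return "drop: port not allowed"

def demo():
    """Run constructed sample packets through the filter, in order."""
    fw = Firewall(forbidden_nets=["203.0.113.0/24"],
                  allowed_in_ports=[22], allowed_out_ports=[53, 443])
    me = "192.0.2.10"
    packets = [
        Packet("in", "198.51.100.7", 40000, me, 22),     # allowed service
        Packet("in", "198.51.100.7", 40001, me, 4444),   # unusual port
        Packet("in", "203.0.113.5", 40002, me, 22),      # forbidden source
        Packet("in", "198.51.100.9", 443, me, 51000),    # unsolicited "reply"
        Packet("out", me, 51000, "198.51.100.9", 443),   # machine opens a flow
        Packet("in", "198.51.100.9", 443, me, 51000),    # now it is expected
        Packet("out", me, 51001, "198.51.100.9", 6667),  # disallowed outbound
    ]
    return [fw.check(p) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth and sixth packets are identical; only the outgoing packet between them changes the verdict.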
Virus protection software uses two main techniques. The first uses signatures, which are snapshots of the code patterns of the virus. The antivirus program lurks in the background watching files come and go until it detects a pattern that aligns with one of its stored signatures, and then it sounds the alarm and maybe isolates or quarantines the code. Alternatively, the virus protection program can go looking for trouble. It can periodically scan the various disks and memories of the computer, detecting and reporting suspicious code segments, and placing them in quarantine.
One problem with signature-based virus protection programs is that they require a constant flow of new signatures in response to evolving attacks. Their publishers stay alert for new viruses, determine the signatures, and then make them available as updated virus definition tables to their users. To access the new tables, users typically download them from the World Wide Web.
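Signature scanning with quarantine, and the dependence on updated definition tables described above, as an added example that is not from the book. The `Scanner` class, the definition-table layout, the file names and the two byte patterns are constructed, harmless markers, not real virus signatures.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed, harmless byte patterns standing in for virus signatures.
SIG_A = b"CONSTRUCTED-SAMPLE-PATTERN-A"
SIG_B = b"CONSTRUCTED-SAMPLE-PATTERN-B"
DEFS_V1 = {"version": 1, "signatures": {"sample-a": SIG_A}}
DEFS_V2 = {"version": 2, "signatures": {"sample-a": SIG_A, "sample-b": SIG_B}}

class Scanner:
    def __init__(self, definitions, quarantine: Path):
        self.version = 0
        self.signatures = {}
        self.quarantine = quarantine
        self.update(definitions)

    def update(self, definitions):
        """Load a definition table only if it is newer than the current one."""
        if definitions["version"] > self.version:
            self.version = definitions["version"]
            self.signatures = dict(definitions["signatures"])

    def match(self, data: bytes):
        """Names of all stored signatures whose pattern occurs in the data."""
        return sorted(n for n, pat in self.signatures.items() if pat in data)

    def scan_tree(self, root: Path):
        """Scan every file under root and move matches into quarantine."""
        findings = {}
        for path in sorted(root.rglob("*")):
            if not path.is_file():
                continue
            hits = self.match(path.read_bytes())
            if hits:
                # Rename on the way in so the file cannot be run by accident.
                tag = hashlib.sha256(str(path).encode()).hexdigest()[:16]
                shutil.move(str(path), str(self.quarantine / (tag + ".quarantined")))
                findings[path.name] = hits
        return findings

def demo():
    """Scan constructed files with old definitions, update, and scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        root, quarantine = Path(tmp) / "files", Path(tmp) / "quarantine"
        root.mkdir()
        quarantine.mkdir()
        (root / "report.txt").write_bytes(b"quarterly numbers")
        (root / "old_pest.bin").write_bytes(b"\x00\x01" + SIG_A + b"\x02")
        (root / "new_pest.bin").write_bytes(b"header" + SIG_B)
        scanner = Scanner(DEFS_V1, quarantine)
        first = scanner.scan_tree(root)    # the newer pattern is not known yet
        scanner.update(DEFS_V2)
        second = scanner.scan_tree(root)   # caught only after the update
        remaining = sorted(p.name for p in root.iterdir())
        return first, second, remaining

if __name__ == "__main__":
    print(demo())
```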
The Virus Hype
Unfortunately, a backlash has recently started against virus alarmists. Like those who too many times cry "wolf" when there is no wolf and so must face danger alone when a wolf actually appears, those who trumpet the dangers of viruses often find the public to be increasingly apathetic when new attacks are discovered. The issue is not helped by an industry that is faintly tainted. Many journalists have noticed that often those who raise loudest the warning cry are owners of companies that publish virus protection software. It makes sense to scare the public into buying protection, but the practice may have questionable ethics.
Almost as troublesome are those who pass on emails that contain warnings of viruses to everybody in their address lists. Often these users are somewhat new to computers. Fearful of losing or damaging their own investments, they wish to spare their friends from calamity. The result is a big stream of well-intentioned junk email, often followed by a chagrined stream of "oops" emails, once they become aware of their apparent naiveté.
The result is that fear of viruses can often be as devastating as the viruses themselves. Not to say that viruses do not wreak havoc. Any administrator who has followed up on the results of a really wicked one, such as the Majester virus that has infected law firms, can tell stories about computers that were crippled beyond recovery. This means that failure to install at least some form of antivirus protection is simply negligent. However, it must be part of a balanced program that includes user education, regular backups, normal security precautions, and intrusion detection software or hardware.
An Ounce of Prevention
A final issue, and perhaps the most important one, is to determine why viruses spread in the first place. These days, software manufacturers are alert to the threat of security holes. Hordes of hackers regularly test network defenses or code vulnerabilities. When a hole is found, in most cases a warning is raised before an exploit is published. Manufacturers scramble to produce small updates, or patches, that improve the affected code and eliminate the vulnerability. It is a sad statement that today many attacks come days or months after a manufacturer learns of a problem and posts a cure.
In short, most people who have virus problems have them because they have not availed themselves of available protections. In most cases, all that would have been needed to prevent a disruption is to have obtained virus protection software. This can be done either by purchasing a commercial product, by downloading a free product from the Web, or by periodically logging on to a web-based scanning service. Also, make sure to keep your virus definition tables updated, and install patches and security updates on operating systems and applications as required.
Do this, and the virus problems that make headlines will for the most part pass you by. To some, the cure must seem worse than the disease. The phenomenon roughly parallels that of smoking, which even some tobacco manufacturers now acknowledge has adverse effects. To some, the risks seem acceptable—until the consequence arrives.