Академический Документы
Профессиональный Документы
Культура Документы
measurable improvements in software quality. Yet software "horror stories" still abound,
and the basic principles and problems analyzed in the report remain the same. While
there have been great improvements in program quality, as reflected in decreasing errors
per 1000 lines of code, the concurrent growth in program size often seriously diminishes
the beneficial effects of these program quality enhancements.
Installation and maintenance errors are another source of security problems. For example,
an audit by the President's Council for Integrity and Efficiency (PCIE) in 1988 found that
every one of the ten mainframe computer sites studied had installation and maintenance
errors that introduced significant security vulnerabilities.24
Computer fraud and theft can be committed by insiders or outsiders. Insiders (i.e.,
authorized users of a system) are responsible for the majority of fraud. A 1993
InformationWeek/Ernst and Young study found that 90 percent of Chief Information
Officers viewed employees "who do not need to know" information as threats.25 The U.S.
Department of Justice's Computer Crime Unit contends that "insiders constitute the
greatest threat to computer systems."26 Since insiders have both access to and familiarity
with the victim computer system (including what resources it controls and its flaws),
authorized system users are in a better position to commit crimes. Insiders can be both
general users (such as clerks) or technical staff members. An organization's former
employees, with their knowledge of an organization's operations, may also pose a threat,
particularly if their access is not terminated promptly.
In addition to the use of technology to commit fraud and theft, computer hardware and
software may be vulnerable to theft. For example, one study conducted by Safeware
Insurance found that $882 million worth of personal computers was lost due to theft in
1992.27
Employee Sabotage
Employees are most familiar with their employer's computers and applications, including
knowing what actions might causethe most damage, mischief, or sabotage. The
downsizing of organizations in both the public and private sectors has created a group of
individuals with organizational knowledge, who may retain potential system access (e.g.,
if system accounts are not deleted in a timely manner).28 The number of incidents of
employee sabotage is believed to be much smaller than the instances of theft, but the cost
of such incidents can be quite high.
Martin Sprouse, author of Sabotage in the American Workplace, reported that the
motivation for sabotage can range from altruism to revenge:
Malicious Hackers
The term malicious hackers, sometimes called crackers, refers to those who break into
computers without authorization. They can include both outsiders and insiders. Much of
the rise of hacker activity is often attributed to increases in connectivity in both
government and industry. One 1992 study of a particular Internet site (i.e., one computer
system) found that hackers attempted to break in at least once every other day.30
The hacker threat should be considered in terms of past and potential future damage.
Although current losses due to hacker attacks are significantly smaller than losses due to
insider theft and sabotage, the hacker problem is widespread and serious. One example of
malicious hacker activity is that directed against the public telephone system.
Studies by the National Research Council and the National Security Telecommunications
Advisory Committee show that hacker activity is not limited to toll fraud. It also includes
the ability to break into telecommunications systems (such as switches), resulting in the
degradation or disruption of system availability. While unable to reach a conclusion
about the degree of threat or risk, these studies underscore the ability of hackers to cause
serious damage.
The hacker threat often receives more attention than more common and dangerous
threats. The U.S. Department of Justice's Computer Crime Unit suggests three reasons for
this.
• First, the hacker threat is a more recently encountered threat. Organizations have
always had to worry about the actions of their own employees and could use
disciplinary measures to reduce that threat. However, these measures are
ineffective against outsiders who are not subject to the rules and regulations of the
employer.
• Third, hacker attacks make people feel vulnerable, particularly because their
identity is unknown. For example, suppose a painter is hired to paint a house and,
once inside, steals a piece of jewelry. Other homeowners in the neighborhood
may not feel threatened by this crime and will protect themselves by not doing
business with that painter. But if a burglar breaks into the same house and steals
the same piece of jewelry, the entire neighborhood may feel victimized and
vulnerable
Industrial Espionage
Industrial espionage is the act of gathering proprietary data from private companies or the
government34 for the purpose of aiding another company(ies). Industrial espionage can be
perpetrated either by companies seeking to improve their competitive advantage or by
governments seeking to aid their domestic industries. Foreign industrial espionage carried
out by a government is often referred to as economic espionage. Since information is
processed and on computer systems, computer security can help protect against such
threats; it can do little, however, to reduce the threat of authorized employees selling that
information.
Industrial espionage is on the rise. A 1992 study sponsored by the American Society for
Industrial Security (ASIS) found that proprietary business information theft had increased
260 percent since 1985. The data indicated 30 percent of the reported losses in 1991 and
1992 had foreign involvement. The study also found that 58 percent of thefts were
perpetrated by current or former employees.35 The three most damaging types of stolen
information were pricing information, manufacturing process information, and product
development and specification information. Other types of information stolen included
customer lists, basic research, sales data, personnel data, compensation data, cost data,
proposals, and strategic plans.
Within the area of economic espionage, the Central Intelligence Agency has stated that
the main objective is obtaining information related to technology, but that information on
U.S. Government policy deliberations concerning foreign affairs and information on
commodities, interest rates, and other economic factors is also a target.37 The Federal
Bureau of Investigation concurs that technology-related information is the main target,
but also lists corporate proprietary information, such as negotiating positions and other
contracting data, as a target.
Malicious Code
Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other
"uninvited" software. Sometimes mistakenly associated only with personal computers,
malicious code can attack other platforms. A 1993 study of viruses found that while the
number of known viruses is increasing exponentially, the number of virus incidents is
not.39 The study concluded that viruses are becoming more prevalent, but only
gradually."
The rate of PC-DOS virus incidents in medium to large North American businesses
appears to be approximately 1 per 1000 PCs per quarter; the number of infected machines
is perhaps 3 or 4 times this figure if we assume that most such businesses are at least
weakly protected against viruses. Actual costs attributed to the presence of malicious
code have resulted primarily from system outages and staff time involved in repairing the
systems.Nonetheless, these costs can be significant.
Trojan Horse: A program that performs a desired task, but that also includes unexpected (and undesirable)
functions. Consider as an example an editing program for a multiuser system. This program could be
modified to randomly delete one of the users' files each time they perform a useful function (editing), but
the deletions are unexpected and definitely undesired!
Worm: A self-replicating program that is self-contained and does not require a host program. The program
creates a copy of itself and causes it to execute; no user intervention is required. Worms commonly use
network services to propagate to other host systems.
The threat to personal privacy arises from many sources. In several cases federal and
state employees have sold personal information to private investigators or other
"information brokers." One such case was uncovered in 1992 when the Justice
Department announced the arrest of over two dozen individuals engaged in buying and
selling information from Social Security Administration (SSA) computer files.42 During
the investigation, auditors learned that SSA employees had unrestricted access to over
130 million employment records. Another investigation found that 5 percent of the
employees in one region of the IRS had browsed through tax records of friends, relatives,
and celebrities.43 Some of the employees used the information to create fraudulent tax
refunds, but many were acting simply out of curiosity.
As more of these cases come to light, many individuals are becoming increasingly
concerned about threats to their personal privacy. A July 1993 special report in
MacWorld cited polling data taken by Louis Harris and Associates showing that in 1970
only 33 percent of respondents were concerned about personal privacy. By 1990, that
number had jumped to 79 percent.44
While the magnitude and cost to society of the personal privacy threat are difficult to
gauge, it is apparent that information technology is becoming powerful enough to warrant
fears of both government and corporate "Big Brothers." Increased awareness of the
problem is needed.
Computer security risks and Hazards
Hacking
Port scanning scans a range of TCP (Transport Control Protocol) port numbers, UDP
(User Datagram Protocol) port numbers, or both for a single host IP (Internet Provider)
address in order to identify services running on the host computers. Sniffing programs
can be installed on computer systems to observe traffic, storing information
(ID/Passwords) that can be used to access other systems. Sniffer software tracks data
travelling over the Internet or a corporate network. Unauthorised sniffers can compromise
a network's security because they are difficult to detect and can be inserted almost
anywhere.
Viruses
A computer virus is a program that can infect other programs by modifying them to
include a copy of itself. A virus can be transmitted through an attachment to an e-mail,
and by downloading infected programs and files either from web sites, floppy disks or
CDs. Depending on the code in the virus program, some will activate as soon as the file is
opened, while others will lie dormant in the computer system until activated by a trigger
such as a specific date, execution of a particular key on the keyboard or activation by a
particular function such as forwarding an e-mail to another user in the organization.
Similar to human viruses, computer viruses can grow, replicate, travel, adapt and learn
and consume resources.
Other virus-related attacks include worms. Worms install themselves on a machine, and
actively seek to send themselves to other machines to infest those machines. Without any
human action worms can spread more quickly than viruses. On January 25, 2003 a worm
called Slammer spread with an astonishing speed on the Internet. Within ten minutes the
Slammer had infested about 90% of vulnerable hosts on the Internet. Although it was
controlled within hours, it had achieved its aim of infesting all vulnerable servers before
the world even realised what was happening. The best protection against computer
viruses is to use anti-virus software installed on all computers, and updated regularly.
If systems obtained from vendors are not aligned to the organization's security system it
can lead to easy break-in to networks. When software and systems are first installed they
come in a number of default settings, sample programs, and templates that are vulnerable
to attack. Ignorance of implementation details by system administrators, sometimes due
to a lack of time, a lack of expertise, or improper management also sacrifices security
(www.softheap.com). Protocols define the rules and conventions for computers to
communicate on a network. If a protocol has a design flaw it is vulnerable to exploitation
no matter how well it is implemented. With software implementations, if security is
added on later, it sometimes does not respond to security checks as planned, leading to
unexpected vulnerabilities.
S-HTTP is exactly what its name suggests: a security-enhanced extension of the
Hypertext Transfer Protocol. S-HTTP works at the application level, encrypting the
contents of messages relayed between a browser and a server, allowing client and server
to negotiate the strength and type of encryption to be used. S-HTTP supports end-to-end
secure transactions by incorporating cryptographic enhancements to be used for data
transfer at the application level.
For an intruder to achieve access to a system, he or she would have to have a good
understanding of network topology, operations, protocols, databases and information
management structures. Intruders can examine source code to discover weaknesses in
certain programs, such as those used for electronic mail. Source code sometimes is easy
to obtain from programmers who make their work freely available on the Internet.
Programs written for research purposes (with little thought for security) or written by
naive programmers become widely used, with source code available to all.
It is difficult to characterise people who cause security incidents. An intruder may be an
adolescent who is curious about what he or she can do on the Internet, a college student
who has created a new software tool, an individual seeking personal gain, or a 'paid spy'
seeking information for the economic advantage of a corporation or foreign country. A
disgruntled former employee or a consultant who gained network information while
working with a company may also cause a security incident. An intruder may also seek
entertainment, intellectual challenge, and a sense of power, political attention, or
financial gain.
Shared passwords
Sniffers
Password carelessness
Educate our community. Publicize good techniques (@=A, $=S, etc.) and
avoidance of common/guess-able passwords.
Institute password rules (force change at initial logon, force change every N days,
disallow password reuse)
Unattended workstations
Insecure workstations
Use RACF- Resource Access Control Facility and extended file protection
features of AFS- Andrew File System. Keep definitions/ACLs as simple as
possible.
Identification is the means by which a user provides a claimed identity to the system.
Uses of Authorization
Authorization is a security measure used in network design to prevent users from gaining
information, files or resources that are beyond their security clearance. It also prevents
outsiders from gaining access to the network. All users on a network are assigned an IP
address designated for their workstation. If a computer tries to access the network from
an address not linked to authorized users, access is denied.
Uses of Authentication
Authentication technologies are commonly used to ensure that you are a human being
and not a computer program, such as a script or virus. Websites often do this with a
"captcha" -- an image of distorted letters or numbers that can be deciphered by the human
eye but not by a computer. A captcha requires you to re-enter the generated code to gain
access or submit a form.
The goal of computer authentication is to identify the user and to verify that he
has access to a computer system. Computer authentication methods have been
widespread since the personal computer was developed in the 1970s. Many
authentication methods model physical methods that have been in use for
centuries, such as identity cards, visual authentication and passwords. Breaches in
computer authentication methods or in physical access controls comprise some of
the most devastating attacks against information technology systems.
- There are three means of authenticating a user's identity which can be used alone or in
combination:
• something the individual possesses (a token e.g., an ATM card or a smart card);
Passwords
Knowledge-Based Authentication
3. Banks and other financial institutions often use KBA (Knowledge Based
Authentication) to verify a user based on something he knows. Secret
questions/answers, pin numbers, and challenge words are common forms of KBA,
requiring the user to provide an easily remember-able but unique answer to the
challenge question. Impostors with intimate knowledge of the victim can usually
beat KBA, as answers to security questions are usually easy to guess.
Biometrics
4. Biometrics are authentication tools to verify a user's identity using some physical
aspect. Fingerprint scanners, facial recognition, voice print recognition, retinal
and iris scans are all widespread forms of biometric authentication. Biometric
authentication is used by the U.S. military during enlistment to verify the identity
of new recruits and to check their fingerprints against a database of criminals.
Users can occasionally bypass or spoof biometric authentication by exploiting a
weakness in the underlying technologies, for example, using a picture of the
victim to bypass facial recognition.