
Since the study's publication, the software industry has changed considerably, with
measurable improvements in software quality. Yet software "horror stories" still abound,
and the basic principles and problems analyzed in the report remain the same. While
there have been great improvements in program quality, as reflected in decreasing errors
per 1000 lines of code, the concurrent growth in program size often seriously diminishes
the beneficial effects of these program quality enhancements.

Installation and maintenance errors are another source of security problems. For example,
an audit by the President's Council for Integrity and Efficiency (PCIE) in 1988 found that
every one of the ten mainframe computer sites studied had installation and maintenance
errors that introduced significant security vulnerabilities.24

Fraud and Theft

Computer systems can be exploited for fraud and theft, both by "automating"
traditional methods of fraud and by using new methods. For example, individuals may
use a computer to skim small amounts of money from a large number of financial
accounts, assuming that small discrepancies may not be investigated. Financial systems
are not the only ones at risk. Systems that control access to any resource are targets (e.g.,
time and attendance systems, inventory systems, school grading systems, and long-
distance telephone systems).

Computer fraud and theft can be committed by insiders or outsiders. Insiders (i.e.,
authorized users of a system) are responsible for the majority of fraud. A 1993
InformationWeek/Ernst and Young study found that 90 percent of Chief Information
Officers viewed employees "who do not need to know" information as threats.25 The U.S.
Department of Justice's Computer Crime Unit contends that "insiders constitute the
greatest threat to computer systems."26 Since insiders have both access to and familiarity
with the victim computer system (including what resources it controls and its flaws),
authorized system users are in a better position to commit crimes. Insiders can be either
general users (such as clerks) or technical staff members. An organization's former
employees, with their knowledge of an organization's operations, may also pose a threat,
particularly if their access is not terminated promptly.

In addition to the use of technology to commit fraud and theft, computer hardware and
software may be vulnerable to theft. For example, one study conducted by Safeware
Insurance found that $882 million worth of personal computers was lost due to theft in
1992.27

Employee Sabotage

Employees are most familiar with their employer's computers and applications, including
knowing what actions might cause the most damage, mischief, or sabotage. The
downsizing of organizations in both the public and private sectors has created a group of
individuals with organizational knowledge, who may retain potential system access (e.g.,
if system accounts are not deleted in a timely manner).28 The number of incidents of
employee sabotage is believed to be much smaller than the instances of theft, but the cost
of such incidents can be quite high.

Martin Sprouse, author of Sabotage in the American Workplace, reported that the
motivation for sabotage can range from altruism to revenge:

As long as people feel cheated, bored, harassed, endangered, or betrayed
at work, sabotage will be used as a direct method of achieving job
satisfaction, the kind that never has to get the bosses' approval.29

Common examples of computer-related employee sabotage include:

• destroying hardware or facilities,
• planting logic bombs that destroy programs or data,
• entering data incorrectly,
• "crashing" systems,
• deleting data,
• holding data hostage, and
• changing data.

Loss of Physical and Infrastructure Support

The loss of supporting infrastructure includes power failures (outages, spikes, and
brownouts), loss of communications, water outages and leaks, sewer problems, lack of
transportation services, fire, flood, civil unrest, and strikes. These losses include such
dramatic events as the explosion at the World Trade Center and the Chicago tunnel flood,
as well as more common events, such as broken water pipes. Many of these issues are
covered in Chapter 15. A loss of infrastructure often results in system downtime,
sometimes in unexpected ways. For example, employees may not be able to get to work
during a winter storm, although the computer system may be functional.

Malicious Hackers
The term malicious hackers, sometimes called crackers, refers to those who break into
computers without authorization. They can include both outsiders and insiders. Much of
the rise of hacker activity is often attributed to increases in connectivity in both
government and industry. One 1992 study of a particular Internet site (i.e., one computer
system) found that hackers attempted to break in at least once every other day.30

The hacker threat should be considered in terms of past and potential future damage.
Although current losses due to hacker attacks are significantly smaller than losses due to
insider theft and sabotage, the hacker problem is widespread and serious. One example of
malicious hacker activity is that directed against the public telephone system.

Studies by the National Research Council and the National Security Telecommunications
Advisory Committee show that hacker activity is not limited to toll fraud. It also includes
the ability to break into telecommunications systems (such as switches), resulting in the
degradation or disruption of system availability. While unable to reach a conclusion
about the degree of threat or risk, these studies underscore the ability of hackers to cause
serious damage.
The hacker threat often receives more attention than more common and dangerous
threats. The U.S. Department of Justice's Computer Crime Unit suggests three reasons for
this.

• First, the hacker threat is a more recently encountered threat. Organizations have
always had to worry about the actions of their own employees and could use
disciplinary measures to reduce that threat. However, these measures are
ineffective against outsiders who are not subject to the rules and regulations of the
employer.

• Second, organizations do not know the purposes of a hacker: some hackers
browse, some steal, some damage. This inability to identify purposes can suggest
that hacker attacks have no limitations.

• Third, hacker attacks make people feel vulnerable, particularly because their
identity is unknown. For example, suppose a painter is hired to paint a house and,
once inside, steals a piece of jewelry. Other homeowners in the neighborhood
may not feel threatened by this crime and will protect themselves by not doing
business with that painter. But if a burglar breaks into the same house and steals
the same piece of jewelry, the entire neighborhood may feel victimized and
vulnerable.

Industrial Espionage
Industrial espionage is the act of gathering proprietary data from private companies or the
government34 for the purpose of aiding another company(ies). Industrial espionage can be
perpetrated either by companies seeking to improve their competitive advantage or by
governments seeking to aid their domestic industries. Foreign industrial espionage carried
out by a government is often referred to as economic espionage. Since information is
processed and stored on computer systems, computer security can help protect against such
threats; it can do little, however, to reduce the threat of authorized employees selling that
information.

Industrial espionage is on the rise. A 1992 study sponsored by the American Society for
Industrial Security (ASIS) found that proprietary business information theft had increased
260 percent since 1985. The data indicated 30 percent of the reported losses in 1991 and
1992 had foreign involvement. The study also found that 58 percent of thefts were
perpetrated by current or former employees.35 The three most damaging types of stolen
information were pricing information, manufacturing process information, and product
development and specification information. Other types of information stolen included
customer lists, basic research, sales data, personnel data, compensation data, cost data,
proposals, and strategic plans.

Within the area of economic espionage, the Central Intelligence Agency has stated that
the main objective is obtaining information related to technology, but that information on
U.S. Government policy deliberations concerning foreign affairs and information on
commodities, interest rates, and other economic factors is also a target.37 The Federal
Bureau of Investigation concurs that technology-related information is the main target,
but also lists corporate proprietary information, such as negotiating positions and other
contracting data, as a target.

Malicious Code
Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other
"uninvited" software. Sometimes mistakenly associated only with personal computers,
malicious code can attack other platforms. A 1993 study of viruses found that while the
number of known viruses is increasing exponentially, the number of virus incidents is
not.39 The study concluded that viruses are becoming more prevalent, but only
"gradually."

The rate of PC-DOS virus incidents in medium to large North American businesses
appears to be approximately 1 per 1000 PCs per quarter; the number of infected machines
is perhaps 3 or 4 times this figure if we assume that most such businesses are at least
weakly protected against viruses. Actual costs attributed to the presence of malicious
code have resulted primarily from system outages and staff time involved in repairing the
systems. Nonetheless, these costs can be significant.

Malicious Software: A Few Key Terms

Virus: A code segment that replicates by attaching copies of itself to existing executables. The new copy of
the virus is executed when a user executes the new host program. The virus may include an additional
"payload" that triggers when specific conditions are met. For example, some viruses display a text string on
a particular date. There are many types of viruses, including variants, overwriting, resident, stealth, and
polymorphic.

Trojan Horse: A program that performs a desired task, but that also includes unexpected (and undesirable)
functions. Consider as an example an editing program for a multiuser system. This program could be
modified to randomly delete one of the users' files each time they perform a useful function (editing), but
the deletions are unexpected and definitely undesired!

Worm: A self-replicating program that is self-contained and does not require a host program. The program
creates a copy of itself and causes it to execute; no user intervention is required. Worms commonly use
network services to propagate to other host systems.

Foreign Government Espionage

In some instances, threats posed by foreign government intelligence services may be
present. In addition to possible economic espionage, foreign intelligence services may
target unclassified systems to further their intelligence missions. Some unclassified
information that may be of interest includes travel plans of senior officials, civil defense
and emergency preparedness, manufacturing technologies, satellite data, personnel and
payroll data, and law enforcement, investigative, and security files. Guidance should be
sought from the cognizant security office regarding such threats.

4.9 Threats to Personal Privacy

The accumulation of vast amounts of electronic information about individuals by
governments, credit bureaus, and private companies, combined with the ability of
computers to monitor, process, and aggregate large amounts of information about
individuals, has created a threat to individual privacy. The possibility that all of this
information and technology may be able to be linked together has arisen as a specter of
the modern information age. This is often referred to as "Big Brother." To guard against
such intrusion, Congress has enacted legislation, over the years, such as the Privacy Act
of 1974 and the Computer Matching and Privacy Protection Act of 1988, which defines
the boundaries of the legitimate uses of personal information collected by the
government.

The threat to personal privacy arises from many sources. In several cases federal and
state employees have sold personal information to private investigators or other
"information brokers." One such case was uncovered in 1992 when the Justice
Department announced the arrest of over two dozen individuals engaged in buying and
selling information from Social Security Administration (SSA) computer files.42 During
the investigation, auditors learned that SSA employees had unrestricted access to over
130 million employment records. Another investigation found that 5 percent of the
employees in one region of the IRS had browsed through tax records of friends, relatives,
and celebrities.43 Some of the employees used the information to create fraudulent tax
refunds, but many were acting simply out of curiosity.

As more of these cases come to light, many individuals are becoming increasingly
concerned about threats to their personal privacy. A July 1993 special report in
MacWorld cited polling data taken by Louis Harris and Associates showing that in 1970
only 33 percent of respondents were concerned about personal privacy. By 1990, that
number had jumped to 79 percent.44

While the magnitude and cost to society of the personal privacy threat are difficult to
gauge, it is apparent that information technology is becoming powerful enough to warrant
fears of both government and corporate "Big Brothers." Increased awareness of the
problem is needed.

Computer Security Risks and Hazards

A network security incident is any network-related activity with negative security
implications. Security incidents on the Internet can come in all shapes and sizes, launched
from specific systems or networks. An intrusion may be a comparatively minor event
involving a single site or a major event in which tens of thousands of sites are
compromised. A typical attack pattern consists of gaining access to a user's account and
using the victim's system as a launch platform for attacks on other sites. The following
are other examples of security risks in the network environment.

Hacking

Hacking is any attempt by an intruder to gain unauthorised access to a computer system.
Activities carried out by hackers can include denial of service (DoS), dumping, port
scanning and sniffing. Denial of service (DoS) prevents or inhibits the normal use or
management of communication facilities. The attacker can redirect or suppress all
messages to a particular destination. DoS attacks are initiated with software and can be
launched by rival businesses or individuals with little or no computer skills (NOIE,
2002). Internet 'dumping', more applicable to small businesses, is when someone utilises
the company's modem to place calls to high-cost premium rate or international numbers.
This can be achieved by inducing users (often by promising adult content) to download
new Internet dialer software, replacing their ISP connection. Proving that dumping was
conducted without the user's knowledge can often be difficult. To prevent dumping,
telecommunications companies can place a bar on all premium calls starting with 190
(e.g., 1900, 1901, 1902, etc.) and on international phone services. If business computers
are not equipped with modems, dumping should not be a problem (NOIE, 2002).

Port Scanning and Sniffing

Port scanning scans a range of TCP (Transmission Control Protocol) port numbers, UDP
(User Datagram Protocol) port numbers, or both for a single host IP (Internet Protocol)
address in order to identify services running on the host computer. Sniffing programs
can be installed on computer systems to observe traffic, storing information (user IDs and
passwords) that can be used to access other systems. Sniffer software tracks data
travelling over the Internet or a corporate network. Unauthorised sniffers can compromise
a network's security because they are difficult to detect and can be inserted almost
anywhere.
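The defender's view of the port scanning described above, as an added example that is not code from the original text: the Go program below parses a small constructed connection log and flags any source that touches many distinct services on one host within a short window. The log layout, the addresses and the 10-second/five-service thresholds are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// ConnEvent is one connection attempt as a firewall or flow log records it.
type ConnEvent struct {
	When     time.Time
	Src, Dst string
	Service  string // normalised "proto/port", e.g. "tcp/22"
}

// ParseLine reads the constructed layout "<RFC3339 time> <src> -> <dst> <proto>/<port>"
// (assumed for this example, not a real product's format); malformed lines are rejected.
func ParseLine(line string) (ConnEvent, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[2] != "->" {
		return ConnEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return ConnEvent{}, err
	}
	pp := strings.SplitN(f[4], "/", 2)
	port, err := strconv.Atoi(pp[len(pp)-1])
	if len(pp) != 2 || (pp[0] != "tcp" && pp[0] != "udp") || err != nil || port < 1 || port > 65535 {
		return ConnEvent{}, fmt.Errorf("bad proto/port: %q", f[4])
	}
	return ConnEvent{When: when, Src: f[1], Dst: f[3], Service: pp[0] + "/" + strconv.Itoa(port)}, nil
}

// DetectPortScans returns, for each (src, dst) pair that contacted at least minServices
// distinct services inside some window of the given length, the largest such count.
func DetectPortScans(events []ConnEvent, window time.Duration, minServices int) map[[2]string]int {
	byPair := map[[2]string][]ConnEvent{}
	for _, e := range events {
		k := [2]string{e.Src, e.Dst}
		byPair[k] = append(byPair[k], e)
	}
	alerts := map[[2]string]int{}
	for k, evs := range byPair {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		for i := range evs { // slide a window anchored at each event in turn
			seen := map[string]bool{}
			for j := i; j < len(evs) && evs[j].When.Sub(evs[i].When) <= window; j++ {
				seen[evs[j].Service] = true
			}
			if len(seen) >= minServices && len(seen) > alerts[k] {
				alerts[k] = len(seen)
			}
		}
	}
	return alerts
}

// SampleLog is constructed: 10.0.0.5 sweeps six services on one host within
// seconds; 10.0.0.9 only makes ordinary connections to two services.
const SampleLog = `
2003-01-25T05:30:00Z 10.0.0.5 -> 192.0.2.10 tcp/21
2003-01-25T05:30:01Z 10.0.0.5 -> 192.0.2.10 tcp/22
2003-01-25T05:30:01Z 10.0.0.5 -> 192.0.2.10 tcp/23
2003-01-25T05:30:02Z 10.0.0.5 -> 192.0.2.10 tcp/25
2003-01-25T05:30:03Z 10.0.0.5 -> 192.0.2.10 tcp/80
2003-01-25T05:30:04Z 10.0.0.5 -> 192.0.2.10 udp/53
2003-01-25T05:30:00Z 10.0.0.9 -> 192.0.2.10 tcp/80
2003-01-25T05:30:09Z 10.0.0.9 -> 192.0.2.10 tcp/443`

// AnalyzeSample parses SampleLog and runs the detector with a 10 s window and a five-service threshold.
func AnalyzeSample() (map[[2]string]int, error) {
	var evs []ConnEvent
	for _, line := range strings.Split(strings.TrimSpace(SampleLog), "\n") {
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		evs = append(evs, e)
	}
	return DetectPortScans(evs, 10*time.Second, 5), nil
}
```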

Viruses

A computer virus is a program that can infect other programs by modifying them to
include a copy of itself. A virus can be transmitted through an attachment to an e-mail,
and by downloading infected programs and files either from web sites, floppy disks or
CDs. Depending on the code in the virus program, some will activate as soon as the file is
opened, while others will lie dormant in the computer system until activated by a trigger
such as a specific date, execution of a particular key on the keyboard or activation by a
particular function such as forwarding an e-mail to another user in the organization.
Similar to human viruses, computer viruses can grow, replicate, travel, adapt, learn, and
consume resources.

Other virus-related attacks include worms. Worms install themselves on a machine, and
actively seek to send themselves to other machines to infest those machines. Without any
human action worms can spread more quickly than viruses. On January 25, 2003 a worm
called Slammer spread with an astonishing speed on the Internet. Within ten minutes the
Slammer had infested about 90% of vulnerable hosts on the Internet. Although it was
controlled within hours, it had achieved its aim of infesting all vulnerable servers before
the world even realised what was happening. The best protection against computer
viruses is to use anti-virus software installed on all computers, and updated regularly.

Flaws in Technology and Software or Protocol Designs

If systems obtained from vendors are not aligned with the organization's security system,
networks become easy to break into. When software and systems are first installed they
come in a number of default settings, sample programs, and templates that are vulnerable
to attack. Ignorance of implementation details by system administrators, sometimes due
to a lack of time, a lack of expertise, or improper management also sacrifices security
(www.softheap.com). Protocols define the rules and conventions for computers to
communicate on a network. If a protocol has a design flaw it is vulnerable to exploitation
no matter how well it is implemented. With software implementations, if security is
added on later, it sometimes does not respond to security checks as planned, leading to
unexpected vulnerabilities.

S-HTTP is exactly what its name suggests: a security-enhanced extension of the
Hypertext Transfer Protocol. S-HTTP works at the application level, encrypting the
contents of messages relayed between a browser and a server, allowing client and server
to negotiate the strength and type of encryption to be used. S-HTTP supports end-to-end
secure transactions by incorporating cryptographic enhancements to be used for data
transfer at the application level.

Intruders' Technical Knowledge

For an intruder to achieve access to a system, he or she would have to have a good
understanding of network topology, operations, protocols, databases and information
management structures. Intruders can examine source code to discover weaknesses in
certain programs, such as those used for electronic mail. Source code sometimes is easy
to obtain from programmers who make their work freely available on the Internet.
Programs written for research purposes (with little thought for security) or written by
naive programmers become widely used, with source code available to all.

It is difficult to characterise people who cause security incidents. An intruder may be an
adolescent who is curious about what he or she can do on the Internet, a college student
who has created a new software tool, an individual seeking personal gain, or a 'paid spy'
seeking information for the economic advantage of a corporation or foreign country. A
disgruntled former employee or a consultant who gained network information while
working with a company may also cause a security incident. An intruder may also seek
entertainment, intellectual challenge, and a sense of power, political attention, or
financial gain.

Case Study on Computer Security Hazards on Campuses

Focus: Duke University

Shared passwords
• Educate our community that sharing is inappropriate and potentially dangerous.
• One person per account.
• As an alternative to shared accounts for e-mail, encourage the use of mail
  distribution lists and/or departmental (shared) mailboxes.
• Use RACF or AFS ACLs to allow multiple user access to files.
• Use "groupware" (such as Lotus Notes or calendar software) for other
  collaboration or workflow.

Sniffers
• Use hardware encryption.
• Use software encryption.
• Install switched port hubs.
• Distribute secure tools (ssh, etc.) and encourage their use.

Password carelessness
• Educate our community. Publicize good techniques (@=A, $=S, etc.) and
  avoidance of common/guess-able passwords.
• Institute password rules (force change at initial logon, force change every N days,
  disallow password reuse).
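The password rules just listed, carried into working code as an added example (not Duke's own tooling): a Go policy checker that forces a change at initial logon, enforces a maximum age, rejects reuse against a salted-hash history, and screens out short, blocklisted or user-name-containing passwords. The policy values, the user names and the blocklist entries are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"strings"
	"time"
)

// Policy encodes the rules listed above; MinLength and Blocklist cover "guess-able" passwords.
type Policy struct {
	MaxAge                time.Duration   // force change every N days
	HistoryLen, MinLength int             // reuse window; minimum characters
	Blocklist             map[string]bool // constructed sample of common passwords
}

// DefaultPolicy values are assumed for this example, not Duke's actual settings.
var DefaultPolicy = Policy{MaxAge: 90 * 24 * time.Hour, HistoryLen: 5, MinLength: 12,
	Blocklist: map[string]bool{"password": true, "123456": true, "changeme": true, "passwordpassword": true}}

// Account keeps salted hashes of recent passwords (newest first), never the passwords.
type Account struct {
	User       string
	Salt       []byte
	History    [][]byte
	LastChange time.Time
	MustChange bool // set for an initial or administrator-reset password
}

// hash uses SHA-256 to stay dependency-free; production code would use a slow KDF.
func hash(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

// NewAccount creates an account whose initial password must be changed at logon.
func NewAccount(user, initialPw string, now time.Time) *Account {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err) // no usable entropy source; nothing sensible can be done
	}
	return &Account{User: user, Salt: salt, History: [][]byte{hash(salt, initialPw)}, LastChange: now, MustChange: true}
}

// NeedsChange is true at initial logon and once the password is older than MaxAge.
func (a *Account) NeedsChange(p Policy, now time.Time) bool {
	return a.MustChange || now.Sub(a.LastChange) > p.MaxAge
}

// Validate rejects a proposal that is too short, blocklisted, contains the user name, or was used recently.
func (a *Account) Validate(p Policy, pw string) error {
	lower := strings.ToLower(pw)
	if len(pw) < p.MinLength {
		return errors.New("password too short")
	}
	if a.User != "" && strings.Contains(lower, strings.ToLower(a.User)) {
		return errors.New("password contains the user name")
	}
	if p.Blocklist[lower] {
		return errors.New("password is on the common-password list")
	}
	h := hash(a.Salt, pw)
	for i, old := range a.History { // History[0] is the current password
		if i < p.HistoryLen && subtle.ConstantTimeCompare(old, h) == 1 {
			return errors.New("password was used recently")
		}
	}
	return nil
}

// Change applies Validate and, on success, rotates the history and clears MustChange.
func (a *Account) Change(p Policy, pw string, now time.Time) error {
	if err := a.Validate(p, pw); err != nil {
		return err
	}
	a.History = append([][]byte{hash(a.Salt, pw)}, a.History...)
	if p.HistoryLen > 0 && len(a.History) > p.HistoryLen {
		a.History = a.History[:p.HistoryLen]
	}
	a.LastChange, a.MustChange = now, false
	return nil
}
```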
Unattended workstations
• Educate our community.
• Use logoff timeouts and locking screen savers.

Insecure workstations
• Educate our community.
• Use Kerberos authentication on public PCs and Macs.

Too many IDs/passwords
• Educate our community. Encourage routine system-wide password changes.
• Implement a single sign-on system.

Impersonation and forgery
• Educate our community.
• Require authentication at the workstation.
• Accept SMTP connections only from authenticated stations.

Passwords stored in files
• Educate our community about proper configuration of applications (e.g., Eudora)
  and login scripts.

Laptop computers (theft and improper use)
• Educate our community.

The World Wide Web
• Use secure servers (SSL).

File insecurity
• Educate our community.
• Use RACF (Resource Access Control Facility) and the extended file protection
  features of AFS (Andrew File System). Keep definitions/ACLs as simple as
  possible.
• Use suitable backup strategies.

Viruses and hoaxes
• Educate our community.
• Use anti-virus software.

Commonly overlooked security hazards

1. Lax policy definition and enforcement
2. Overly permissive access policies
3. Single line of defense
4. Default installations of software
5. Default and vulnerable configurations
6. Weak authentication methods
7. Inadequate auditing, logging, analysis
8. Flawed security processes, unsecured workflows
9. Weak security testing and auditing methodologies
10. Weak incident response and business continuity plans

Identification, Authentication & Authorization

Identification is the means by which a user provides a claimed identity to the system.

Definition of Authorization. In security engineering and computer security, authorization
is the concept of allowing access to resources only to those permitted to use them. More
formally, authorization is a process that protects computer resources by only allowing
those resources to be used by resource consumers that have been granted authority to use
them. Resources include individual files' or items' data, computer programs, computer
devices and functionality provided by computer applications. Examples of consumers are
computer users, computer programs and other devices on the computer. Authorization
(deciding whether to grant access) is a separate concept from authentication (verifying
identity), and usually depends on it.

Uses of Authorization
Authorization is a security measure used in network design to prevent users from gaining
information, files or resources that are beyond their security clearance. It also prevents
outsiders from gaining access to the network. All users on a network are assigned an IP
address designated for their workstation. If a computer tries to access the network from
an address not linked to authorized users, access is denied.

Definition of Authentication. Authentication is the act of establishing or confirming
something (or someone) as authentic, that is, that claims made by or about the thing are
true. This might
involve confirming the identity of a person, the origins of an artifact, or assuring that a
computer program is a trusted one.

Uses of Authentication
Authentication technologies are commonly used to ensure that you are a human being
and not a computer program, such as a script or virus. Websites often do this with a
"captcha" -- an image of distorted letters or numbers that can be deciphered by the human
eye but not by a computer. A captcha requires you to re-enter the generated code to gain
access or submit a form.

Computer Authentication Methods

Computer authentication methods identify users at various levels of confidence.

The goal of computer authentication is to identify the user and to verify that he
has access to a computer system. Computer authentication methods have been
widespread since the personal computer was developed in the 1970s. Many
authentication methods model physical methods that have been in use for
centuries, such as identity cards, visual authentication and passwords. Breaches in
computer authentication methods or in physical access controls comprise some of
the most devastating attacks against information technology systems.

There are three means of authenticating a user's identity, which can be used alone or in
combination:

• something the individual knows (a secret, e.g., a password, Personal Identification
  Number (PIN), or cryptographic key);

• something the individual possesses (a token, e.g., an ATM card or a smart card);

• something the individual is (a biometric, e.g., such characteristics as a voice
  pattern, handwriting dynamics, or a fingerprint).

Passwords

1. Passwords are the most common form of computer-based authentication. Users
are prompted for a user identifier, email address or user name and a password
object that are authenticated against a database or ACL (access control list). Once
the user is identified, she is given access to certain areas of a system, as stored in
an authorization manifest. Websites, wireless networks, single-user machines and
email technologies frequently use user names and passwords to authenticate users.
Passwords are vulnerable to guessing, brute-force (trying every possible password
combination) and theft attacks.

PKI and Smart Cards

2. PKI (Public Key Infrastructure) provides a cryptographically secure method of
authenticating computer users. Users are given two cryptographic keys: a public
key and a private key, which are used in the authentication process. When a user
tries to authenticate to a system, he presents his public key, which is validated by
the server, then an encrypted challenge is presented by the server, which only the
user can decrypt with the private key. Since the user's private key is not shared
with anyone else, the computer is mathematically certain of the user's identity.
Smart cards are the most common method of storing secret keys for
authentication.
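The challenge exchange described in item 2 above, as an added example rather than code from the original text: a Go implementation in which the server checks the presented public key against the enrolled one, sends a fresh random nonce encrypted to that key with RSA-OAEP, and accepts the logon only if the exact nonce comes back. The user name, the key size and the map that stands in for certificate validation are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// label ties the OAEP ciphertext to this purpose so it cannot be confused with
// other data encrypted to the same key.
var label = []byte("logon-challenge")

// Server holds one enrolled public key and at most one outstanding challenge
// per user; the map stands in for certificate validation (assumption).
type Server struct {
	keys      map[string]*rsa.PublicKey
	challenge map[string][]byte
}

func NewServer() *Server {
	return &Server{keys: map[string]*rsa.PublicKey{}, challenge: map[string][]byte{}}
}

// Enroll registers a user's public key out of band (e.g. at account creation).
func (s *Server) Enroll(user string, pub *rsa.PublicKey) { s.keys[user] = pub }

// Challenge validates the presented key against the enrolled one, then returns
// a fresh 32-byte nonce encrypted to it; only the private-key holder can recover it.
func (s *Server) Challenge(user string, presented *rsa.PublicKey) ([]byte, error) {
	pub, ok := s.keys[user]
	if !ok || !pub.Equal(presented) {
		return nil, errors.New("presented key is not enrolled for this user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenge[user] = nonce
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, label)
}

// Verify compares the response with the outstanding nonce in constant time. The
// nonce is discarded on every attempt, so it can be neither replayed nor retried.
func (s *Server) Verify(user string, response []byte) bool {
	nonce, ok := s.challenge[user]
	delete(s.challenge, user)
	return ok && subtle.ConstantTimeCompare(nonce, response) == 1
}

// Respond is the client side: recover the nonce with the private key.
func Respond(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, challenge, label)
}

// Demo enrolls "alice" and reports whether she is accepted and whether an
// impostor who knows her public key but holds another private key is rejected.
func Demo() (genuine, impostorRejected bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048)
	s := NewServer()
	s.Enroll("alice", &alice.PublicKey)
	// Genuine user: presents her public key, decrypts the nonce, returns it.
	ch, err := s.Challenge("alice", &alice.PublicKey)
	if err != nil {
		return false, false, err
	}
	resp, err := Respond(alice, ch)
	if err != nil {
		return false, false, err
	}
	genuine = s.Verify("alice", resp)
	// Impostor: presents alice's public key but cannot decrypt with mallory's key.
	ch, _ = s.Challenge("alice", &alice.PublicKey)
	resp, derr := Respond(mallory, ch) // OAEP decryption fails with the wrong key
	impostorRejected = derr != nil && !s.Verify("alice", resp)
	return genuine, impostorRejected, nil
}
```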

Knowledge-Based Authentication

3. Banks and other financial institutions often use KBA (Knowledge-Based
Authentication) to verify a user based on something he knows. Secret
questions/answers, PINs, and challenge words are common forms of KBA,
requiring the user to provide an easily remembered but unique answer to the
challenge question. Impostors with intimate knowledge of the victim can usually
beat KBA, as answers to security questions are usually easy to guess.

Biometrics

4. Biometrics are authentication tools to verify a user's identity using some physical
aspect. Fingerprint scanners, facial recognition, voice print recognition, retinal
and iris scans are all widespread forms of biometric authentication. Biometric
authentication is used by the U.S. military during enlistment to verify the identity
of new recruits and to check their fingerprints against a database of criminals.
Users can occasionally bypass or spoof biometric authentication by exploiting a
weakness in the underlying technologies, for example, using a picture of the
victim to bypass facial recognition.
