|
Security Domains
Computer Security is also frequently defined in terms of several interdependent domains that roughly map to specific departments and job titles:
Physical security -- Controlling the comings and goings of people and materials; protection against the elements and natural disasters
Operational/procedural security -- Covering everything from managerial policy decisions to reporting hierarchies
Personnel security -- Hiring employees, background screening, training, security briefings, monitoring, and handling departures
System security -- User access and authentication controls, assignment of privilege, maintaining file and file system integrity, backups, monitoring processes, log-keeping, and auditing
Network security -- Protecting network and telecommunications equipment, protecting network servers and transmissions, combating eavesdropping, controlling access from untrusted networks, firewalls, and detecting intrusions
This text is solely concerned with the latter two. System and network security are difficult, if not impossible, to separate in a system. Nearly every distribution in the past fifteen years has included a TCP/IP protocol implementation as well as numerous network services such as FTP, Telnet, DNS, and, more recently, HTTP.
A Practical Definition
In the spirit of practicality, I like the straightforward definition: "A computer is secure if you can depend on it and its software to behave as you expect." In essence, a computer is secure if you can trust it. Data entered today will still be there tomorrow in unaltered form. If you made services x, y, and z available yesterday, they're still available today.
These practical definitions circumvent an obvious element: a secure system should be hard for unauthorized persons to break into -- i.e., the value of the work necessary for an unauthorized person to break in should exceed the value of the protected data. Increasing attacker workload and the risks of detection are critical elements of computer security.
For the purposes of this article, I define "system security" as:
The ongoing and redundant implementation of protections for the confidentiality and integrity of information and system resources so that an unauthorized user has to spend an unacceptable amount of time or money or absorb too much risk in order to defeat it, with the ultimate goal that the system can be trusted with sensitive information.
Defining "Computer Security" is not trivial. The difficulty lies in developing a definition that is broad enough to be valid regardless of the system being described, yet specific enough to describe what security really is. In a generic sense, security is "freedom from risk or danger." In the context of computer science, security is the prevention of, or protection against, access to information by unauthorized recipients, and intentional but unauthorized destruction or alteration of that information.
This can be re-stated: "Security is the ability of a system to protect information and system resources with respect to confidentiality and integrity." Note that the scope of this second definition includes system resources, which include CPUs, disks, and programs, in addition to information.
Taxonomy of Computer Security
Computer security is frequently associated with three core areas, which can be conveniently summarized by the acronym "CIA":
Confidentiality -- Ensuring that information is not accessed by unauthorized persons
Integrity -- Ensuring that information is not altered by unauthorized persons in a way that is not detectable by authorized users
Authentication -- Ensuring that users are the persons they claim to be
A strong security protocol addresses all three of these areas. It has enabled an explosion in ecommerce which is really about trust (or more precisely, about the lack of trust). SSL overcomes the lack of trust between transacting parties by ensuring confidentiality through encryption, integrity through checksums, and authentication via server certificates.
Computer security is not restricted to these three broad concepts. Additional ideas that are often considered part of the taxonomy of computer security include:
Access control -- Ensuring that users access only those resources and services that they are entitled to access and that qualified users are not denied access to services that they legitimately expect to receive
Nonrepudiation -- Ensuring that the originators of messages cannot deny that they in fact sent the messages.
Availability -- Ensuring that a system is operational and functional at a given moment, usually provided through redundancy; loss of availability is often referred to as "denial-of-service"
Privacy -- Ensuring that individuals maintain the right to control what information is collected about them, how it is used, who has used it, who maintains it, and what purpose it is used for
These additional elements don't neatly integrate into a singular definition. From one perspective, the concepts of privacy, confidentiality, and security are quite distinct and possess different attributes. Privacy is a property of individuals; confidentiality is a property of data; and security is a property assigned to computer hardware and software systems. From a practical perspective, the concepts are interwoven. A system that does not maintain data confidentiality or individual privacy could be theoretically or even mathematically "secure," but it wouldn't be wise to deploy anywhere in the real world.
A Functional View
Computer security can also be analyzed by function. It can be broken into five distinct functional areas
Risk avoidance -- A security fundamental that starts with questions like: Does my organization or business engage in activities that are too risky? Do we really need an unrestricted Internet connection? Do we really need to computerize that secure business process? Should we really standardize on a desktop operating system with no access control intrinsic?
Deterrence -- Reduces the threat to information assets through fear. Can consist of communication strategies designed to impress potential attackers of the likelihood of getting caught.
Prevention -- The traditional core of computer security. Consists of implementing safeguards like the tools covered Absolute prevention is theoretical, since there's a vanishing point where additional preventative measures are no longer cost-effective.
Detection -- Works best in conjunction with preventative measures. When prevention fails, detection should kick in, preferably while there's still time to prevent damage. Includes log-keeping and auditing activities
Recovery -- When all else fails, be prepared to pull out backup media and restore from scratch, or cut to backup servers and net connections, or fall back on a disaster recovery facility. Arguably, this function should be attended to before the others
Analyzing security by function can be a valuable part of the security planning process; a strong security policy will address all five areas, starting with recovery.
Computer Security is required because most organizations can be damaged by hostile software or intruders. There may be several forms of damage which are obviously interrelated. These include:
??? Damage or destruction of computer systems.
??? Damage or destruction of internal data.
??? Loss of sensitive information to hostile parties.
??? Use of sensitive information to steal items of monitory value.
??? Use of sensitive information against the organization's customers which may result in legal action by customers against the organization and loss of customers.
??? Damage to the reputation of an organization.
??? Monitory damage due to loss of sensitive information, destruction of data, hostile use of sensitized data, or damage to the organization's reputation.
The methods used to accomplish these unscrupulous objectives are many and varied depending on the circumstances. This guide will help administrators understand some of these methods and explain some countermeasures
Security Issues
Computer security can be very complex and may be very confusing to many people. It can even be a controversial subject. Network administrators like to believe that their network is secure and those who break into networks may like to believe that they can break into any network. I believe that overconfidence plays an important role in allowing networks to be intruded upon. There are many fallacies that network administrators may fall victim to. These fallacies may allow administrators to wrongfully believe that their network is more secure than it really is.
Your organization should be aware how physically secure every aspect of its network is because if an intruder gets physical access, they can get your data. Be sure your organization properly secures locations and consider the following:
Servers - Contain your data and information about how to access that data.
Workstations - Man contain some sensitive data and can be used to attack other computers.
Routers, switches, bridges, hubs and any other network equipment may be used as an access point to your network.
Network wiring and media and where they pass through may be used to access your network or place a wireless access point to your network.
External media which may be used between organizational sites or to other sites the organization does business with.
Locations of staff that may have information that a hostile party can use.
Some employees may take data home or may take laptops home or use laptops on the internet from home then bring them to work. Any information on these laptops should be considered to be at risk and these laptops should be secure according to proper policy when connected externally on the network.
The term Computer Security is used frequently, but the content of a computer is vulnerable to few risks unless the computer is connected to other computers on a network. As the use of computer networks, especially the Internet, has become pervasive, the concept of computer security has expanded to denote issues pertaining to the networked use of computers and their resources.
The major technical areas of computer security are usually represented by the initials CIA: confidentiality, integrity, and authentication or availability. Confidentiality means that information cannot be access by unauthorized parties. Confidentiality is also known as secrecy or privacy; breaches of confidentiality range from the embarrassing to the disastrous. Integrity means that information is protected against unauthorized changes that are not detectable to authorized users; many incidents of hacking compromise the integrity of databases and other resources. Authentication means that users are who they claim to be. Availability means that resources are accessible by authorized parties; "denial of service" attacks, which are sometimes the topic of national news, are attacks against availability. Other important concerns of computer security professionals are access control and nonrepudiation. Maintaining access control means not only that users can access only those resources and services to which they are entitled, but also that they are not denied resources that they legitimately can expect to access. Nonrepudiation implies that a person who sends a message cannot deny that he sent it and, conversely, that a person who has received a message cannot deny that he received it. In addition to these technical aspects, the conceptual reach of computer security is broad and multifaceted. Computer security touches draws from disciplines as ethics and risk analysis, and is concerned with topics such as computer crime; the prevention, and remediation of attacks; and identity and anonymity in cyberspace.
While confidentiality, integrity, and authenticity are the most important concerns of a computer security manager, privacy is perhaps the most important aspect of computer security for everyday Internet users. Although users may feel that they have nothing to hide when they are registering with an Internet site or service, privacy on the Internet is about protecting one's personal information, even if the information does not seem sensitive. Because of the ease with which information in electronic format can be shared among companies, and because small pieces of related information from different sources can be easily linked together to form a composite of, for example, a person's information seeking habits, it is now very important that individuals are able to maintain control over what information is collected about them, how it is used, who may use it, and what purpose it is used for.
Your living space has doors and windows, and perhaps most of the time they???re locked. For each lock that uses a key, chances are that each key is different. You know to lock up and not to share the keys with strangers, and probably not with most of your friends. You should not hide keys under the mat or in a flowerpot on your front porch.
Passwords for computers are much the same. For each Computer Security and service you use (online purchasing, for example), you should have a password. Each password should be unique and unrelated to any of your other passwords. You shouldn???t write them down nor should you share them with anyone, even your best friends.
Take a look at your front door key. It???s pretty complicated. There are lots of notches and grooves. If there weren???t so many possible variations, a thief could easily make a key for every possible combination and then try each on your front door. This trial-and-error method, (for computers, called brute force) is likely to be effective even if it takes a long time. Nonetheless, no matter how complicated, if the thief gets hold of your key, he or she can copy it and use that copy to open your door.
A password can also be complicated. Most schemes let you use any combination of letters, both upper and lower case, and numbers; and some also let you use punctuation marks. Lengths can vary. You can create a password to be as complicated as you want. The key (no pun intended) is to be able to remember this password whenever you need it without having to write it down to jog your memory.
Like the thief at your door, computer intruders also use trial-and-error, or brute-force techniques, to discover passwords. By bombarding a login scheme with all the words in a dictionary, they may ???discover??? the password that unlocks it. If they know something about you, such as your spouse???s name, the kind of car you drive, or your interests, clever intruders can narrow the range of possible passwords and try those first. They are often successful. Even slight variations, such as adding a digit onto the end of a word or replacing the letter o (oh) with the digit 0 (zero), don???t protect passwords. Intruders know we use tricks like this to make our passwords more difficult to guess.
Just like the front door key, even a complicated password can be copied and the copy reused. Remember the earlier discussion about information on the Internet being in the clear? Suppose that really strong password you took a long time to create ??? the one that???s 14 characters long and contains 6 letters, 4 numbers, and 4 punctuation marks, all in random order ??? goes across the Internet in the clear. An intruder may be able to see it, save it, and use it. This is called sniffing and it is a common intruder practice.
The point is that you need to follow the practice of using a unique password with every account you have. Below is a set of steps that you can use to help you create passwords for your accounts:
The Strong test: Is the password as strong (meaning length and content) as the rules allow?
The Unique test: Is the password unique and unrelated to any of your other passwords?
The Practical test: Can you remember it without having to write it down?
The Recent test: Have you changed it recently?
In spite of the SUPR tests, you need to be aware that sniffing happens, and even the best of passwords can be captured and used by an intruder.
You should use passwords not only on your home computer but also for services you use elsewhere on the Internet. All should have the strongest passwords you can use and remember, and each password should be unique and unrelated to all other passwords. A strong password is a password that is longer than it is short, that uses combinations of uppercase and lowercase letters, numbers, and punctuation, and that is usually not a word found in a dictionary. Also remember that no matter how strong a password is, it can still be captured if an intruder can see it ???in the clear??? somewhere on the Internet.
One starting point for solving home Computer Security problems is being aware of how the Internet and some of its technologies work. If you know how they work, you can evaluate solutions to the problems that come up. You can also use the Internet more safely and responsibly. In this section, we???ll talk about two topics: trust and information in the clear as it crosses the Internet.
Human beings are trusting by nature. We trust much of what we hear on the radio, see on television, and read in the newspaper. We trust the labels on packages. We trust the mail we receive. We trust our parents, our partner or spouse, and our children. We trust our co-workers. In fact, those who don???t trust much are thought to be cynical. Their opinions may be all too quickly ignored or dismissed.
The Internet was built on trust. Back in the mid 1960s, computers were very expensive and slow by today???s standards, but still quite useful. To share the expensive and scarce computers installed around the country, the U.S. government funded a research project to connect these computers together so that other researchers could use them remotely.
Key to the ARPAnet was the level of trust placed in its users; there was little thought given to malicious activity. Computers communicated using a straightforward scheme that relied on everybody playing by the rules. The idea was to make sharing ideas and resources easy and as efficient as the technology of the day provided. This philosophy of trust colors many of the practices, procedures, and technologies that are still in place today.
Only within the last few years, when Internet commerce began to spread, it has become inadequate to rely principally on trust. Since the days of the ARPAnet, we???ve changed the way we use computer networks while others have changed the underlying technologies, all in an attempt to improve the security of the Internet and the trust we place on it.
Let???s dig deeper into two examples of what we trust in our daily lives. When you receive mail through the post office, many envelopes and the letters in them contain the sender???s address. Have you ever wondered if those addresses were valid; that is, do they match the address of the person or persons who really sent them? While you could check to see that those addresses are valid and refer to the person they name, it???s not an easy task.
How would you go about it? Would you call the phone number provided with the letter? That number could also be invalid, and the person that answers the phone could be as misleading as the original address. Perhaps you could call directory assistance or the police department that has jurisdiction over the town where the letter was supposedly from. They might be helpful, but that is likely to take lots of time. Most people wouldn???t bother.
And it???s not just return addresses either. How about advertisements, news stories, or the information printed on groceries? Suppose you were on a low-fat diet. You???d want to buy foods low in fat. To select the right foods, you???d read the product label at the grocery store. How do you know that the label information is valid? What???s to say it???s not forged? And how would you know?
The Internet has many of the same issues, and email is one of the best examples. In an email message, an intruder can easily fabricate where the came from. But this information forging ??? called spoofing by intruders and security professionals ??? is not limited to just email. In fact, the basic unit of information transferred on the Internet ??? called a packet ??? can also be easily forged or spoofed.
What does this mean and why should you care? It means that any information you receive from some other computer on the Internet should not be trusted automatically and unconditionally. When you trust an email message that turns out to have a harmful virus attached to it, your computer can be infected, your files destroyed, and your work lost. And that???s why you should care.
This is how the Internet works. It was built on trust. Over time, there have been technological changes that are worthy of a higher level of our trust than before. Nonetheless, a true sense of insecurity is better than a false sense of security. So, think about the information you trust. Be critical and cautious.
To keep your home Computer Security is not a trivial task. There are many topics to consider and many steps to follow. They take time to learn and do. If you can, read this entire document before you begin to secure your computer. You???ll have a better understanding of the effort and all its facets. This ought to help you when you begin to tackle the tasks described here.
In the next part of this document, we describe two types of activities. Some you can do using the programs that came with your computer: working with passwords and email attachments, running programs, and backing up your work. For other activities, you might need to obtain some specialized programs: applying patches, and running anti-virus, firewall, and file encryption programs. Though some vendors??? products provide these features, we???ll assume your computer doesn???t have any of them so you???ll need to add all of them.
Here then is the list of tasks you need to do to secure your home computer. Their order is based on how intruders attack computers, beginning with the most-often used attack methods. By starting with the lower numbered tasks, you address the biggest problems you face in securing your home computer. Remember that most sections end with a reference to a web site that you can use to find an example of how to do the task on a computer.
Install and use anti-virus programs
Keep your system patched
Use care when reading emails with attachments
Install and use a firewall program
Make backups of important files and folders
Use strong passwords
Use care when downloading and installing programs
Install and use a hardware firewall
Install and use a file encryption program and access controls
Your home Computer Security is a popular target for intruders. Why? Because intruders want what you???ve stored there. They look for credit card numbers, bank account information, and anything else they can find. By stealing that information, intruders can use your money to buy themselves goods and services.
But it???s not just money-related information they???re after. Intruders also want your computer???s resources, meaning your hard disk space, your fast processor, and your Internet connection. They use these resources to attack other computers on the Internet. In fact, the more computers an intruder uses, the harder it is for law enforcement to figure out where the attack is really coming from. If intruders can???t be found, they can???t be stopped, and they can???t be prosecuted.
Why are intruders paying attention to home computers? Home computers are typically not very secure and are easy to break into. When combined with high-speed Internet connections that are always turned on, intruders can quickly find and then attack home computers. While intruders also attack home computers connected to the Internet through dial-in connections, high-speed connections (cable modems and DSL modems) are a favorite target.
No matter how a home computer is connected to the Internet, intruders??? attacks are often successful. Many home computer owners don???t realize that they need to pay attention to computer security. In the same way that you are responsible for having insurance when you drive a car, you need to also be responsible for your home computer???s security. This document explains how some parts of the Internet work and then describes tasks you can do to improve the security of your home computer system. The goal is to keep intruders and their programs off your computer.
How do intruders break into your computer? In some cases, they send you email with a virus. Reading that email activates the virus, creating an opening that intruders use to enter or access your computer. In other cases, they take advantage of a flaw or weakness in one of your computer???s programs vulnerability ??? to gain access.
Once they???re on your computer, they often install new programs that let them continue to use your computer ??? even after you plug the holes they used to get onto your computer in the first place. These backdoors are usually cleverly disguised so that they blend in with the other programs running on your computer.
The next section discusses concepts you need to know, especially trust. The main part of this document explains the specific issues that need your attention. There are examples of how to do some of these tasks to secure a Microsoft Windows 2000-based computer. We also provide checklists you can use to record information about the steps you have taken to secure your computer.
Whether your computer runs which kind of system, the issues are the same and will remain so as new versions of your system are released. The key is to understand the security-related problems that you need to think about and solve.
Information Computer Security is concerned with three main areas:
Confidentiality - information should be available only to those who rightfully have access to it
Integrity -- information should be modified only by those who are authorized to do so
Availability -- information should be accessible to those who need it when they need it
These concepts apply to home Internet users just as much as they would to any corporate or government network. You probably wouldn't let a stranger look through your important documents. In the same way, you may want to keep the tasks you perform on your computer confidential, whether it's tracking your investments or sending email messages to family and friends. Also, you should have some assurance that the information you enter into your computer remains intact and is available when you need it.
Some security risks arise from the possibility of intentional misuse of your computer by intruders via the Internet. Others are risks that you would face even if you weren't connected to the Internet (e.g. hard disk failures, theft, power outages). The bad news is that you probably cannot plan for every possible risk. The good news is that you can take some simple steps to reduce the chance that you'll be affected by the most common threats -- and some of those steps help with both the intentional and accidental risks you're likely to face.
Before we get to what you can do to protect your computer or home network, let???s take a closer look at some of these risks.
Intentional misuse of your computer
The most common methods used by intruders to gain control of home computers are briefly described below. More detailed information is available by reviewing the URLs listed in the References section below.
Trojan horse programs
Back door and remote administration programs
Denial of service
Being an intermediary for another attack
Unprotected Windows shares
Mobile code (Java, JavaScript, and ActiveX)
Cross-site scripting
Email spoofing
Email-borne viruses
Hidden file extensions
Chat clients
Packet sniffing
Computer Security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you to stop unauthorized users (also known as "intruders") from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system, if they were successful, and what they may have done.
Why should I care about computer security?
We use computers for everything from banking and investing to shopping and communicating with others through email or chat programs. Although you may not consider your communications "top secret," you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email from your computer, or examining personal information stored on your computer (such as financial statements).
Who would want to break into my computer at home?
Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems.
Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if you have a computer connected to the Internet only to play the latest games or to send email to friends and family, your computer may be a target.
Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.
How easy is it to break into my computer?
Unfortunately, intruders are always discovering new vulnerabilities (informally called "holes") to exploit in computer software. The complexity of software makes it increasingly difficult to thoroughly test the security of computer systems.
When holes are discovered, computer vendors will usually develop patches to address the problem(s). However, it is up to you, the user, to obtain and install the patches, or correctly configure the software to operate more securely. Most of the incident reports of computer break-ins received at the CERT/CC could have been prevented if system administrators and users kept their computers up-to-date with patches and security fixes.
Also, some software applications have default settings that allow other users to access your computer unless you change the settings to be more secure. Examples include chat programs that let outsiders execute commands on your computer or web browsers that could allow someone to place harmful programs on your computer that run when you click on them.
Internet Security - Firewall - Security Software - Computer Security - Network Security - Intrusion Detection
|
Search This Site
Syndicate this blog site
Powered by BlogEasy
Free Blog Hosting
|