Computer Security Basics
David Young
Cytoclonal Pharmaceutics Inc.
The cardinal rule of security is that no one thing makes a computer secure.
Making a computer secure requires a list of different actions taken for
different reasons.
A secondary rule is that security is an ongoing process. No matter how
well a system is designed, if it is never changed, any potential infiltrator
has all the time in the world to examine its security for flaws.
The information described here is neither detailed nor comprehensive. It
should, however, serve as a good overview of the types of security measures
commonly taken. Which measures are appropriate is best determined on a
case by case basis.
Physical security
Theft is the physical threat of most concern, and rightfully so. Keeping
rooms locked is a good idea, but not always feasible. Locking computers to
a wall or table is a good deterrent against casual, shoplifting-style theft,
but it will not deter a professional with a shopping list. We have seen a
thief use a crowbar to remove a computer along with a portion of the formica
table top (they were then foolish enough to take it to a repair shop with
the table top still attached). There are also very loud alarms which sound
when the power cable is unplugged. A combination of locks and alarms is an
excellent theft prevention system for computer labs which must be publicly
accessible, particularly at late hours.
Computer hardware is protected from fire damage by smoke detectors and
sprinkler systems just like any other equipment. Computers are unique in
that the most costly damage is the loss of data, which can be prevented
by storing backup tapes in remote locations.
Surge protectors and uninterruptible power supplies are a low cost
investment that can prevent very costly equipment damage. They are
particularly important if the computer must be used continuously or if
your region is prone to severe thunderstorms or frequent power outages.
Some surge protectors can also protect the phone line going to a modem.
The modem and motherboard are more readily damaged by lightning hitting a
phone line than by lightning hitting the power line, because the computer's
power supply provides at least a minimal amount of protection on the power
side while nothing stands between the phone line and the modem.
Data integrity
Backing up data is the single most important step in preventing data loss.
Entire companies have gone out of business after losing valuable
information, and an enormous number of man hours are spent every year
reproducing information which was lost in some manner. Backups can be made
to removable disks, tapes, paper printouts or other computer systems. It is
important to periodically put copies of these backups in remote physical
locations so that a fire or similar disaster cannot destroy the original
and the backup together. Backups should also be test-restored periodically;
a backup that has never been restored may turn out to be unreadable exactly
when it is needed.
In today's world, virus protection is a necessity for any PC or Macintosh,
and viruses are starting to appear on UNIX systems also. No system is
completely safe from viruses: manufacturers have inadvertently shipped new
computers with viruses on the hard drive, and pressed CDs with viruses on
them.
For very important data, RAID systems are used. RAID stands for "Redundant
Array of Inexpensive Disks". A RAID system is a computer with several hard
drives (three or more for the parity levels described here) and hardware or
software that spreads data across those drives. In the parity RAID levels
(3, 4 and 5), each block of data is striped across all but one of the
drives, and the remaining drive in that stripe holds a parity block computed
by XORing the data blocks together. In the event that any one disk fails,
its contents can be completely reconstructed by XORing the corresponding
blocks on the surviving disks, and the array keeps running while the disk is
replaced. RAID protects against disk failure only; it does nothing about
deleted files, corrupted data or fire, so it complements backups rather than
replacing them. This is a good way to store critical data which could not
be reproduced, but the expense may not be justified otherwise.
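The parity arithmetic behind RAID reconstruction, as an added example that is not code from the original article. It lays data out as a simplified RAID 4 (one dedicated parity disk; RAID 5 rotates the parity block across disks but rebuilds the same way), then loses a disk and rebuilds it from the survivors. The payload, chunk size and disk count are constructed for the example.

```python
# Added illustration of XOR parity striping (the idea behind RAID levels 3,
# 4 and 5); not code from the original article. Simplified RAID 4 layout:
# disks 0..n-1 hold data, disk n holds the parity of each stripe.
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def split_into_stripes(data: bytes, n_data_disks: int, chunk: int) -> List[List[bytes]]:
    """Cut data into stripes of n_data_disks chunks; the last stripe is zero padded."""
    stripe_len = n_data_disks * chunk
    padded = data + b"\x00" * (-len(data) % stripe_len)
    stripes = []
    for off in range(0, len(padded), stripe_len):
        stripe = padded[off:off + stripe_len]
        stripes.append([stripe[i:i + chunk] for i in range(0, stripe_len, chunk)])
    return stripes


def write_array(data: bytes, n_data_disks: int, chunk: int) -> List[List[bytes]]:
    """Return n_data_disks + 1 disks; the last one holds the parity.

    Parity is the XOR of the data chunks in the stripe, so the XOR of all
    n_data_disks + 1 chunks of any stripe is zero.
    """
    disks: List[List[bytes]] = [[] for _ in range(n_data_disks + 1)]
    for stripe in split_into_stripes(data, n_data_disks, chunk):
        for d, piece in enumerate(stripe):
            disks[d].append(piece)
        disks[n_data_disks].append(xor_blocks(stripe))
    return disks


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct disk `failed` (data or parity) from the surviving disks.

    Because every stripe XORs to zero, the missing chunk equals the XOR of
    the chunks that survive. Losing a second disk makes this impossible.
    """
    survivors = [d for i, d in enumerate(disks) if i != failed]
    if any(d is None for d in survivors):
        raise ValueError("more than one disk lost; single parity cannot recover")
    n_stripes = len(survivors[0])
    return [xor_blocks([d[s] for d in survivors]) for s in range(n_stripes)]


def read_array(disks: List[List[bytes]], n_data_disks: int, length: int) -> bytes:
    """Reassemble the original bytes from the data disks, dropping padding."""
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(n_data_disks):
            out += disks[d][s]
    return bytes(out[:length])


if __name__ == "__main__":
    message = b"quarterly results, do not lose"  # constructed sample payload
    array = write_array(message, 3, 4)
    array[1] = None                      # simulate losing a data disk
    array[1] = rebuild_disk(array, 1)    # rebuild it from the other three
    assert read_array(array, 3, len(message)) == message
    print("rebuilt disk 1 and recovered the data")
```

The same XOR recovers the parity disk if that is the one that fails; what it cannot do is recover two disks at once, which is why rebuilding promptly matters.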
Data security
The primary threat to data security is illegal computer hackers. Studies
show that the largest percentage of hackers are young men motivated
by status with other hackers, malicious intent or the excitement of a
challenging game. There have also been even more harmful cases of
corporate spying and embezzlement of funds.
Accounts on both multiuser machines and microcomputers can be protected by
passwords. Passwords can be very effective or not effective at all.
Insecure passwords include ones that are easily guessed, never changed,
shared or written down somewhere. Some systems, particularly older UNIX
systems, keep the encrypted (hashed) passwords in a file (/etc/passwd)
which is readable by all users; newer systems move the hashes into a
"shadow" file readable only by the superuser, so that an ordinary user
cannot copy them. Hackers have developed automated programs, such as
"crack", which take a copy of such a file and try dictionary words, common
names and permutations of the account name against every hash before
falling back to raw brute force trial and error. Since it could take months
to crack a well chosen password, some systems use password aging, which
requires all users to set new passwords periodically. There are also
programs which prevent users from setting easily guessed passwords such as
words in the dictionary, common names or permutations of the account name.
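Both sides of that paragraph in working code, as an added example rather than anything from the original article or from "crack" itself: a cracker that reads a world-readable password file and tries the cheap guesses first, and the password-quality filter that would have rejected those passwords when they were set. The hash is a salted SHA-256 chosen so the example runs with the standard library (real crypt(3) output differs), and the accounts, dictionary and name list are constructed.

```python
# Added illustration, not code from the original article. Shows why a
# world-readable password file is dangerous and what a password-quality
# filter checks. Salted SHA-256 stands in for crypt(3) only so that this
# runs with the standard library; the accounts and word lists are made up.
import hashlib
from typing import Dict, List, Optional

DICTIONARY = ["password", "secret", "welcome", "dragon", "letmein", "summer"]
COMMON_NAMES = ["alice", "bob", "dave", "mary"]


def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def passwd_line(user: str, salt: str, password: str) -> str:
    """One line in the style of a classic /etc/passwd; the hash is field 2."""
    return f"{user}:{salt}${hash_password(salt, password)}:1001:1001:{user}:/home/{user}:/bin/sh"


def parse_passwd(lines: List[str]) -> Dict[str, tuple]:
    """Map user -> (salt, hash). Any user on the machine can read this file."""
    entries = {}
    for line in lines:
        user, field, *_ = line.split(":")
        salt, digest = field.split("$", 1)
        entries[user] = (salt, digest)
    return entries


def candidates(user: str, dictionary: List[str], names: List[str]) -> List[str]:
    """What a cracker tries first: the account name, words, names and cheap
    permutations of each. Exhaustive brute force comes only after these."""
    out: List[str] = []
    for word in [user] + dictionary + names:
        for variant in (word, word.capitalize(), word.upper(), word[::-1],
                        word + "1", word + "123", word + word[-1]):
            if variant not in out:
                out.append(variant)
    return out


def crack(lines: List[str], dictionary: List[str], names: List[str]) -> Dict[str, Optional[str]]:
    """Try every candidate against every account; None means not found."""
    found: Dict[str, Optional[str]] = {}
    for user, (salt, digest) in parse_passwd(lines).items():
        found[user] = None
        for guess in candidates(user, dictionary, names):
            if hash_password(salt, guess) == digest:
                found[user] = guess
                break
    return found


def password_weakness(user: str, password: str,
                      dictionary: List[str], names: List[str]) -> Optional[str]:
    """The check a password-setting program should apply; None means acceptable."""
    if len(password) < 8:
        return "shorter than 8 characters"
    if password.lower() in {c.lower() for c in candidates(user, dictionary, names)}:
        return "dictionary word, common name or permutation of the account name"
    if password.isalpha() or password.isdigit():
        return "uses a single character class"
    return None


if __name__ == "__main__":
    sample = [passwd_line("dave", "ab", "dave123"),      # constructed accounts
              passwd_line("mary", "cd", "Dragon"),
              passwd_line("root", "ef", "k7#Qz!9pL2v")]
    print(crack(sample, DICTIONARY, COMMON_NAMES))   # root stays None
```

The point of the shadow file is that crack's input is the hash; if the hash cannot be read, the guessing has to go through the login program, which is slow and leaves an audit trail.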
Systems holding data belonging to multiple users, such as UNIX or Windows
NT, set an owner for each file and permissions defining who is allowed to
read or write to it. Many hacker attacks center on flaws in the file
permission system: files or directories that anyone may write to, or
privileged (setuid) programs that can be tricked into doing the attacker's
bidding. There are ways to set default permissions for newly created files
(the umask on UNIX) and ways to control how much individual users can
change their own file permissions.
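How the default permission mask works and how a permission flaw is found, as an added example (not code from the original article). It creates files under three different masks in a temporary directory, scans for world-writable files, and repairs the one it finds; the file names and contents are constructed, and it assumes a UNIX-style permission model.

```python
# Added illustration, not code from the original article: the default
# permission mask (umask) decides what a new file is readable or writable
# by, and a scan finds and repairs world-writable files, the most common
# permission flaw. Everything happens in a temporary directory.
import os
import stat
import tempfile
from typing import List, Tuple


def create_with_umask(path: str, mask: int) -> int:
    """Create a file while `mask` is in force and return its permission bits.

    open() asks for 0666; the kernel clears every bit that is set in the
    mask, so 0o022 yields 0644 and 0o077 yields 0600.
    """
    old = os.umask(mask)
    try:
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def world_writable(root: str) -> List[str]:
    """Paths under root that any user on the system may modify."""
    bad = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                bad.append(path)
    return sorted(bad)


def remove_world_write(path: str) -> int:
    """Clear the 'others may write' bit and return the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IWOTH)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> Tuple[int, int, int, List[str], List[str]]:
    """Return the three resulting modes and the scan results before/after repair."""
    with tempfile.TemporaryDirectory() as root:
        private = create_with_umask(os.path.join(root, "private.txt"), 0o077)
        shared = create_with_umask(os.path.join(root, "shared.txt"), 0o022)
        sloppy = create_with_umask(os.path.join(root, "sloppy.txt"), 0o000)
        before = [os.path.basename(p) for p in world_writable(root)]
        for path in world_writable(root):
            remove_world_write(path)
        after = [os.path.basename(p) for p in world_writable(root)]
    return private, shared, sloppy, before, after


if __name__ == "__main__":
    p, s, w, before, after = demo()
    print(f"modes {p:o} {s:o} {w:o}; world-writable before {before}, after {after}")
```

A mask of 022 is the usual safe default for a multiuser machine; 077 is appropriate for home directories that hold private data.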
Since most security attacks are now initiated from a remote location via
the network, many organizations now separate their internal networks from
the internet with a firewall. A firewall is typically a piece of software
running on a dedicated machine with two network boards, one on each
network. The software filters which network traffic is allowed to pass
between the internal and external networks, and anything not explicitly
permitted should be dropped. This is a very effective security measure, but
there is an unfortunate tendency for organizations to make the firewall
their only security measure, so that any breach across the firewall becomes
a breach of every machine in the whole organization; the machines inside
still need their own passwords, permissions and patches. An even higher
level of security can be achieved by not having any connection between the
internal network and the internet, or by not having an internal network at
all.
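The filtering a firewall does, as an added example (not code from the original article or from any firewall product): a first-match rule list with a default of deny, applied to packets crossing between the internal network and the internet. The addresses, rule set and packets are constructed, and 10.0.0.0/8 is assumed to be the internal network.

```python
# Added illustration, not code from the original article: a first-match
# packet filter of the kind a firewall applies to traffic crossing between
# the internal network and the internet. Rules and packets are constructed;
# 10.0.0.0/8 is assumed to be the internal network.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

INTERNAL = ip_network("10.0.0.0/8")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (internet -> internal) or "out"
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in", "out" or "any"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR the source must fall in
    dst: str                     # CIDR the destination must fall in
    dport: Optional[int] = None  # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


RULES: List[Rule] = [
    # Anti-spoofing: nothing arriving from the internet may claim an internal source.
    Rule("deny", "in", "any", str(INTERNAL), str(ANY)),
    # Inbound mail only to the mail host (assumed 10.0.0.25); inbound telnet to nothing.
    Rule("allow", "in", "tcp", str(ANY), "10.0.0.25/32", 25),
    Rule("deny", "in", "tcp", str(ANY), str(INTERNAL), 23),
    # Internal users may reach web and mail servers outside.
    Rule("allow", "out", "tcp", str(INTERNAL), str(ANY), 80),
    Rule("allow", "out", "tcp", str(INTERNAL), str(ANY), 25),
]


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything no rule mentions is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for pkt in (Packet("in", "tcp", "198.51.100.9", "10.0.0.25", 25),
                Packet("in", "tcp", "198.51.100.9", "10.0.0.30", 25),
                Packet("in", "tcp", "10.0.0.5", "10.0.0.25", 25)):
        print(pkt, "->", decide(RULES, pkt))
```

Note what the rule set does not do: once a connection to the mail host is allowed, the firewall says nothing about what the mail program does with the data, which is why the mail host still needs patches and careful permissions of its own.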
Data encryption provides a second layer of security. Once someone gains
access to data, that data is useless to them if it has been scrambled by an
encryption program which requires a second password (the key) to unscramble
it. Passwords themselves should never be stored in the clear; systems keep
them in a one-way encrypted (hashed) form, so that even someone who reads
the password file does not learn the passwords. Today's commercial
encryption systems are similar to military code systems but not as
sophisticated as the systems used by the armed forces. Almost all encrypted
data can be decrypted without the password by trying every possible key,
given a very large amount of time on very powerful computers. Security is
provided by making the key large enough that no one would be likely to have
enough computer power to break, say, a message about next month's merger in
less than six months, by which time the message is no longer valuable.
There must always be someone able to fix a computer system by using a
second password protected account called "system", "administrator", "root"
or "superuser", which bypasses the file permission system. One of the most
serious security attacks is one which gains the password to this account.
As well as particularly stringent security for this account, the encryption
systems mentioned above provide a second layer of protection against this
type of attack, since the superuser can read an encrypted file but cannot
decrypt it without the key. This also provides for a segmented internal
security system, if such is necessary.
Email is particularly insecure. Mail messages are simple ASCII files that
travel across the network, and no password is needed to read them on any
machine they pass through. Email is easily forged and can be altered in
transit. Of course, no one would have any particular reason to tamper with
most personal messages, but people conducting sensitive business
transactions over email would be wise to use some sort of email encryption
system, such as PGP. These systems have several functions, including
encrypting the message itself, verifying who sent the message (a digital
signature) and verifying that it was not tampered with.
Audit trails are the means by which system administrators find out whether
security has been breached and how much damage was done. Audit trails are
records made by various pieces of software to log who logged into a system,
from where, and what files were accessed.
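What an administrator (or the break-in detection software described later in this page) actually does with such a trail, as an added example that is not code from the original article: it parses a constructed login log and raises two kinds of alert, a burst of failed logins from one source (password guessing) and a successful login from that source right after the burst (the guess may have worked). The log format, addresses and user names are made up for the example; real systems record the same facts in wtmp, syslog or the NT event log.

```python
# Added illustration, not code from the original article: the check an
# administrator or break-in detection software runs over an audit trail.
# The log lines and their format are constructed for the example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterator, List, Tuple

SAMPLE_LOG = """\
1997-03-03 02:14:07 login failed user=dave from=192.0.2.44
1997-03-03 02:14:09 login failed user=dave from=192.0.2.44
1997-03-03 02:14:12 login failed user=root from=192.0.2.44
1997-03-03 02:14:15 login failed user=mary from=192.0.2.44
1997-03-03 02:14:20 login ok user=mary from=192.0.2.44
1997-03-03 09:01:10 login ok user=alice from=10.0.0.7
1997-03-03 09:05:33 login failed user=alice from=10.0.0.7
1997-03-03 09:05:40 login ok user=alice from=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+ \S+) login (ok|failed) user=(\S+) from=(\S+)$")


def parse(text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, result, user, source) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), result, user, src


def detect(text: str, threshold: int = 3,
           window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Flag password guessing, and a success that follows a burst of failures."""
    alerts: List[str] = []
    recent_failures = defaultdict(deque)   # source -> failure timestamps in window
    minutes = int(window.total_seconds() // 60)
    for ts, result, user, src in parse(text):
        q = recent_failures[src]
        while q and ts - q[0] > window:    # forget failures older than the window
            q.popleft()
        if result == "failed":
            q.append(ts)
            if len(q) == threshold:        # alert once, when the burst starts
                alerts.append(f"{src}: {threshold} failed logins within {minutes} min; "
                              f"possible password guessing")
        elif len(q) >= threshold:          # a guess may have succeeded
            alerts.append(f"{src}: successful login as {user} after {len(q)} recent "
                          f"failures; treat the account as possibly compromised")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single failed login by alice from an internal address is the normal typo case and raises nothing; the threshold and window are the knobs to tune against the site's own noise. None of this works if the intruder can edit the log, which is why the trail should be written to a machine or medium the monitored system cannot modify.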
How Hackers get in
Here is the typical sequence of steps used to gain illegal entry into a
computer system.
- Learn about the system. Trying to connect to a system using networking
utilities like telnet and ftp will be unsuccessful without a password, but
even an unsuccessful login attempt will often display a banner giving the
machine manufacturer and the version of the operating system.
- Look for openings. Try known security flaws on that particular machine
and operating system. Unless the system administrator is very diligent
about installing security patches, many machines have openings in the
security just waiting to be found.
- Try sniffing to get a password. Sniffing is when a machine has software
to watch all of the network traffic and saves the messages corresponding
to a valid user entering their password from a remote location.
- Try spoofing. Many machines share disks with other machines that are
classified as "trusted hosts". In order to share the data on these disks,
the two machines must communicate without a password. Spoofing is when
someone configures a third machine to use the network address of one of
the trusted hosts in order to impersonate that machine. If the spoofing
machine responds faster than the true trusted host, communications will be
carried out with it unnoticed. Spoofing is easiest when the infiltrator has
access to the network at a location close to the target machine in the
network topology, which usually means being physically close to the target
machine.
- Get into the system and cover tracks. Once one of the above techniques
is successful in gaining access to the system, the first order of business
is to alter any records that would reveal the presence of an illegal entry
to the system administrators.
- Try to get superuser access. Just as there are many ways to get
into a user account, there are many ways to get into the root level
account or get equivalent access to the machine.
- Make back doors. Once entry has been gained, that access can be
used to intentionally install security breaches so that the hacker
can still get back into the system if the original method of entry is
cut off.
- Use the system. At this point, the hacker can steal data, destroy
information, alter files, use CPU time, lock everyone else out of the
system, etc.
How to combat illegal entry
Here is a list of ways to make computers more secure, with some minimal
suggestions for when they should be used. For systems that are critical
to operation, all of these and more may be warranted.
- Physical security. Keep doors locked if feasible. Install locks
on accessible but attended machines. Install locks and alarms on machines
left unattended.
- Back up files. This should be done on all computers.
- Use a surge suppressor. All computers.
- Use an uninterruptible power supply. Critical systems.
- Periodic virus checking. All PC and Macintosh computers. High volume
or critical multiuser machines.
- Continual memory resident virus checking. PCs or Macs used by many
people, such as in public labs. When data routinely comes from many sources.
- Firewalls. For organizations that can conduct business with limits
on the internet services accessible from inside the organization. Where
outside access to company data could do significant harm to the business.
- Having no internet connection or no internal network at all is done
when data is particularly sensitive or reliability is of key importance.
Bank record systems and air traffic control systems are some examples.
- Programs to enforce the use of good passwords. Systems with a moderate
to large number of users.
- Password aging. Systems which have a large number of users or are
a likely target for illegal entry.
- Remove old accounts. Old, unused accounts are just that many more
passwords for someone to find out. If it is not feasible to remove old
accounts, they can still be locked by replacing the encrypted password
field with a value, such as "*", that no possible password can ever match.
(Do not confuse this with an empty password field, which lets anyone log
in with no password at all.)
- Smart cards. There are various kinds of smart cards which act as
electronic passwords. One example is a card displaying a number that
changes every ten seconds, with an internal clock synchronized to one in
the central computer. This way, even if someone gets the password, it is
only good for ten seconds. This expense is only warranted when someone
would have a clear motive for trying to break into a system.
- Install security patches to the operating system. Available security
patches should be installed any time systems are being upgraded. On
systems with many users or that are likely targets for illegal entry, the
system administrator should install new patches frequently, or immediately
when they become available. Many break-ins occur within 24 hours of a
security flaw and its patch being announced. This happens when someone has
targeted a particular machine and hopes to take advantage of the flaw
before the system administrators upgrade the system. For this reason, many
flaws are not announced until a patch or temporary workaround can be
announced with them. Networking patches and network software upgrades are
particularly important.
- Security checking software. There are programs, like SATAN, which will
test a system for many known security flaws. These programs were created
so that administrators can test the integrity of their systems, but they
are also a favorite tool for the first step in infiltrating a system. It is
a good idea to run them periodically. The software can be set to check
many machines on a network without interrupting the people using those
machines. There are programs to check the system from the inside as well
as programs that check for network vulnerabilities.
- Break-in detection software. There are also pieces of software which
alert the system administrators when security is being tested by a known
technique. This is a good way to know of an attack before the attacker has
gained entry.
- Some level of audit trail should be kept on any multiuser system and any
system with sensitive data. Some level of auditing is built into many
multiuser operating systems. An audit trail has to be maintained before a
break-in occurs in order to do any good, and since covering tracks is an
intruder's first order of business, it should be kept somewhere the
intruder cannot edit it, such as a separate logging machine.
- Use software to prevent sniffing, such as Kerberos or secure shell.
These software packages allow remote logins to be authenticated without
sending an unencrypted password over the network. We have seen an increase
in sites using these systems, particularly where many users log in to
machines remotely. The difficulty is setting up a system which is secure
and reliable without inconveniencing the users.
- Encryption of disk files. Disk files should be kept encrypted when the
data is particularly important. Passwords, social security numbers and
credit card numbers should always be encrypted (passwords should be stored
as one-way hashes, since no one ever needs to read them back). Many
accounting systems use encryption.
- Do not send your credit card number over the web unless your browser
(not the web page itself) indicates that the connection is to a secure
server. Even then, it is advisable to do so only with reputable companies
that you are familiar with. You should never need a credit card number to
get something that is free.
- Encrypted email software should be used when someone would have a reason
to want to see, forge or alter email messages.
- Random manual monitoring. For a few businesses that deal with very
sensitive information and must use networks, the security administrators will
occasionally manually look at the information being passed over the network,
particularly through the firewall. This probably is not warranted unless
security is important enough to be paying someone solely as a security
manager.
- Hiring tiger teams. A tiger team is a group of honest expert hackers
that are hired to break into your system in order to give you an analysis of
your security. This is generally done by banks or others with extremely
sensitive data.
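The time-synchronised one-time code described under "Smart cards" above, as an added example that is not code from the original article or from any card vendor. It implements the HOTP and TOTP algorithms of RFC 4226 and RFC 6238 (HMAC-SHA1, 30-second steps, six digits) and adds the server-side replay check that makes a sniffed code worthless after its first use. The shared secret is the RFC test key, not a real one; the time values are chosen to match the RFC test vectors.

```python
# Added illustration, not code from the original article: the one-time code
# a time-synchronised token displays (RFC 4226 HOTP / RFC 6238 TOTP) and the
# verifier the central computer runs. The secret is the RFC test key.
import hashlib
import hmac
import struct
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"   # from the RFC 4226 / 6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password: dynamically truncate HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The code the card displays: HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


class TokenVerifier:
    """Server side: accept the code for the current step or one step either
    way (clock drift), and never accept the same step twice."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1) -> None:
        self.secret, self.step, self.skew = secret, step, skew
        self.last_counter: Optional[int] = None   # highest step already used

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if self.last_counter is not None and counter <= self.last_counter:
                continue   # already used: a sniffed code cannot be replayed
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    v = TokenVerifier(RFC_TEST_SECRET)
    shown = totp(RFC_TEST_SECRET, 59)          # what the card shows at t=59
    print(shown, v.verify(shown, 59), v.verify(shown, 70))   # 287082 True False
```

The second verify call fails even though the code is still inside the drift window, which is the property that defeats a sniffer: knowing the code is useless once it has been used. What the code does not protect is the session after login, so it belongs alongside encrypted remote login, not instead of it.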
References
A very comprehensive book is
D. Atkins, P. Buis, C. Hare, R. Kelly, C. Nachenberg, A. B. Nelson,
P. Phillips, T. Ritchey, W. Steen, "Internet Security Professional
Reference", New Riders (1996).
Another good book is
J. Vacca, "Internet Security Secrets", IDG (1996).
A good look at security from the system administrator's point of view is in
AE Frisch, "Essential System Administration", O'Reilly (1995).
The vendor that the computer or operating system was purchased from is also
an excellent source of security information.
- International Computer Security Association
- American Society for Industrial Security
- White papers from McAfee
- Fred Cohen and Associates
- Information Systems Security Association
- Computer Security Technology Center
- Yahoo security and encryption page
Footnote on terminology
One term which people often object to is "hacker". Some people choose
to use the term "cracker" for illegal activities and "hacker" for a
computer expert. We have chosen the more common usage and qualify
it with the adjective "illegal". Don't get all bent out of shape folks.