
Computer Security Basics, 2nd Edition
By Rick Lehtinen

Publisher: O'Reilly
Pub Date: June 2006
Print ISBN-10: 0-596-00669-1
Print ISBN-13: 978-0-596-00669-3
Pages: 310

Table of Contents | Index

This is the must-have book for a must-know field. Today, general security knowledge is mandatory, and, if you need to understand the fundamentals, Computer Security Basics, 2nd Edition is the book to consult.

The new edition builds on the well-established principles developed in the original edition and thoroughly updates that core knowledge. For anyone involved with computer security, including security administrators, system administrators, developers, and IT managers, Computer Security Basics, 2nd Edition offers a clear overview of the security concepts you need to know, including access controls, malicious software, security policy, cryptography, and biometrics, as well as government regulations and standards.

This handbook describes complicated concepts such as trusted systems, encryption, and mandatory access control in simple terms. It tells you what you need to know to understand the basics of computer security, and it will help you persuade your employees to practice safe computing.

Topics include:
Computer security concepts
Security breaches, such as viruses and other malicious programs
Access controls
Security policy
Web attacks
Communications and network security
Encryption
Physical security and biometrics
Wireless network security
Computer security and requirements of the Orange Book
OSI Model and TEMPEST


Copyright
Preface
Part I: Security for Today
Chapter 1. Introduction
Section 1.1. The New Insecurity
Section 1.2. What Is Computer Security?
Section 1.3. Threats to Security
Section 1.4. Why Buy Security?
Section 1.5. What's a User to Do?
Section 1.6. Summary
Chapter 2. Some Security History
Section 2.1. Information and Its Controls
Section 2.2. Computer Security: Then and Now
Section 2.3. Early Computer Security Efforts
Section 2.4. Building Toward Standardization
Section 2.5. Computer Security Mandates and Legislation
Section 2.6. Summary
Part II: Computer Security
Chapter 3. Computer System Security and Access Controls
Section 3.1. What Makes a System Secure?
Section 3.2. System Access: Logging into Your System
Section 3.3. Summary
Chapter 4. Viruses and Other Wildlife
Section 4.1. Financial Effects of Malicious Programs
Section 4.2. Viruses and Public Health
Section 4.3. Viruses, Worms, and Trojans (Oh, My!)
Section 4.4. Who Writes Viruses?
Section 4.5. Remedies
Section 4.6. The Virus Hype
Section 4.7. An Ounce of Prevention
Section 4.8. Summary
Chapter 5. Establishing and Maintaining a Security Policy
Section 5.1. Administrative Security
Section 5.2. Overall Planning and Administration
Section 5.3. Day-to-Day Administration
Section 5.4. Separation of Duties
Section 5.5. Summary
Chapter 6. Web Attacks and Internet Vulnerabilities
Section 6.1. About the Internet
Section 6.2. What Are the Network Protocols?
Section 6.3. The Fragile Web
Section 6.4. Summary
Part III: Communications Security
Chapter 7. Encryption
Section 7.1. Some History
Section 7.2. What Is Encryption?
Section 7.3. The Data Encryption Standard
Section 7.4. Other Cryptographic Algorithms
Section 7.5. Message Authentication
Section 7.6. Government Cryptographic Programs
Section 7.7. Cryptographic Export Restrictions
Section 7.8. Summary
Chapter 8. Communications and Network Security
Section 8.1. What Makes Communication Secure?
Section 8.2. Modems
Section 8.3. Networks
Section 8.4. Network Security
Section 8.5. Summary
Part IV: Other Types of Security
Chapter 9. Physical Security and Biometrics
Section 9.1. Physical Security
Section 9.2. Locks and Keys: Old and New
Section 9.3. Biometrics
Section 9.4. Gentle Reminder
Section 9.5. Summary
Chapter 10. Wireless Network Security
Section 10.1. How We Got Here
Section 10.2. Today's Wireless Infrastructure
Section 10.3. How Wireless Works
Section 10.4. Playing the Fields
Section 10.5. What Is This dB Stuff?
Section 10.6. Why Does All This Matter?
Section 10.7. Encouraging Diversity
Section 10.8. Physical Layer Wireless Attacks
Section 10.9. Summary
Part V: Appendixes
Appendix A. OSI Model
Appendix B. TEMPEST
Section B.1. The Problem of Emanations
Section B.2. The TEMPEST Program
Section B.3. TEMPEST Standards
Section B.4. Hard As You Try
Appendix C. The Orange Book, FIPS PUBS, and the Common Criteria
Section C.1. About the Orange Book
Section C.2. Rating by the Book
Section C.3. Summary of Orange Book Classes
Section C.4. FIPS by the Numbers
Section C.5. I Don't Want You Smelling My Fish
About the Author
Colophon
Index


Computer Security Basics, Second Edition
by Rick Lehtinen, Deborah Russell, and G.T. Gangemi Sr.

Copyright © 2006, 1991 O'Reilly Media, Inc. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or

Editor: Tatiana Apandi
Developmental Editor: Mary Dageforde
Production Editor: Darren Kelly
Copyeditor: Mary Anne Weeks Mayo
Proofreader: Darren Kelly
Indexer: Julie Hawks
Cover Designer: Edie Freedman
Interior Designer: David Futato
Illustrators: Robert Romano and Jessamyn Read

Printing History:
July 1991: First Edition.
June 2006: Second Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Computer Security Basics, the image of a key, and related trade dress are trademarks of O'Reilly Media, Inc.
Figure 7-1 is reproduced by permission of the Smithsonian Institution. Figure 10-14 used by permission of Berkeley Varitronics Systems, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
ISBN: 0-596-00669-1
[M]




Preface
About This Book
This book is about computer security: what it is, where it came from, where it's going, and why we should care about it. It introduces the many different areas of security in clear and simple terms: access controls, worms and viruses, cryptography, firewalls, network and web security, biometric devices, and more. If you're at all interested in computer security, or if computer security is a part of your job (whether you want it to be or not!), you should find this book useful. I've tried to give you the big picture and quite a few helpful details.
This book is not a technical reference. I've tried to pull together the basics about many different areas of computer security and put that information together comprehensively. If you need particularly technical information about a specific area of computer security (for example, making your specific system or operating system more secure, securing your web site, or configuring a router or firewall), you should refer to other, more specialized books.

Summary of Contents
This book is divided into 10 chapters and 3 appendixes.

Part I, Security for Today
This section presents a brief overview of what computer security is, where it came from, and where it's going.

Chapter 1, Introduction
This chapter introduces computer security: what it is and why it's important. It summarizes the threats to computers and the information stored on them, and it introduces the different types of computer security.

Chapter 2, Some Security History
This chapter briefly describes the history of computer security: where it came from, and what government mandates, laws, and standards address it.

Part II, Computer Security
This section discusses computer security: methods of protecting information stored in a computer system, primarily by controlling access to that information.

Chapter 3, Computer System Security and Access Controls
This chapter introduces computer system security and describes how that security controls access to systems and data.

Chapter 4, Viruses and Other Wildlife
This chapter explores viruses, worms, Trojans, and other types of malicious code.

Chapter 5, Establishing and Maintaining a Security Policy
This chapter describes the administrative procedures that improve security within an organization. It also introduces business continuity and disaster recovery as part of security.

Chapter 6, Web Attacks and Internet Vulnerabilities
This chapter introduces the perils that can attack your system or network while it is connected to the Internet.

Part III, Communications Security
This section discusses communications security: methods of protecting information while it's being transmitted over communications lines and network backbones.

Chapter 7, Encryption
This chapter explains what encryption is and how it protects data.

Chapter 8, Communications and Network Security
This chapter introduces network concepts and discusses some basic communications security issues.

Part IV, Other Types of Security
This section describes several additional types of security.

Chapter 9, Physical Security and Biometrics
This chapter introduces physical security and describes different types of biometric devices.

Chapter 10, Wireless Network Security
This chapter describes the workings of wireless networks and the security ramifications of this access medium.

Part V, Appendixes
This section provides a number of quick references to computer security requirements and programs.

Appendix A, OSI Model
This appendix describes the seven layers of OSI and how each relates to security.

Appendix B, TEMPEST
This appendix describes what TEMPEST is and why it's important.

Appendix C, The Orange Book, FIPS PUBS, and the Common Criteria
This appendix provides a summary of legacy Orange Book requirements, the Federal Information Processing Standards Publications (FIPS PUBS), and the Common Criteria, which is the international successor to the Orange Book.

Using Code Examples
This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact O'Reilly for permission unless you're reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O'Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product's documentation does require permission.
We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: Computer Security Basics, Second Edition, by Rick Lehtinen, Deborah Russell, and G.T. Gangemi Sr. Copyright 2006 O'Reilly Media, Inc., 0-596-00669-1.

Comments and Questions
Please address comments and questions concerning this book to the publisher:

O'Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

We have a web page for this book that lists errata, examples, and any additional information. You can access this page at:

To comment or ask technical questions about this book, send email to:

For more information about our books, conferences, Resource Centers, and the O'Reilly Network, see our web site at:

Safari® Enabled

When you see a Safari® Enabled icon on the cover of your favorite technology book, that means the book is available online through the O'Reilly Network Safari Bookshelf.
Safari offers a solution that's better than e-books. It's a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information.

Try it for free at.


Acknowledgments
Any author of a second edition is incredibly indebted to the authors of the first. Deborah Russell, you were great to work with from start to finish. The text authored by you and G.T. Gangemi Sr. gave me an excellent starting point. Let's do it again someday. And to my buds at Cisco's Network Academy and to Gwen, my CISSP coach, who put me up to this: warm thanks, I owe you.
Thanks to Kathy, Jana, Jon, Kyle, and a few cats who did not see enough of me during this book's production, and Louise, who said I shouldn't undertake it but was kind of proud once it got done.
Many people from O'Reilly helped to produce this second edition: Deborah Russell for seeing the value in the project and Tatiana Apandi for keeping me at it and cheering me on when it conflicted with my day job. Thanks to my technical reviewers: Mark Lucking, Simon Biles, and especially Mary Dageforde for all her help. Many thanks!
Some of the chapters in the first edition were based on an internal document that Deborah Russell prepared for Wang Laboratories. Thanks to a lot of other people who contributed to the first edition of this book: Dennis K. Branstad, James Burrows, Daniel Faigin, Perry Flinn, Simson Garfinkel, Irene Gilbert, Nick Hammond, Stuart W. Katzke, F. Lynn McNulty, Paul Mei, Andrew Odlyzko, Victor Oppenheimer, Tim O'Reilly, Robert Rosenthal, Bradley Ross, Len Schneider, Miles Smid, Gene Spafford, Bob Tinkelman, Gene Troy, and Mitch Wright.


Part I: Security for Today

Chapter 1: Introduction
Chapter 2: Some Security History

Chapter 1. Introduction
Section 1.1. The New Insecurity
Section 1.2. What Is Computer Security?
Section 1.3. Threats to Security
Section 1.4. Why Buy Security?
Section 1.5. What's a User to Do?
Section 1.6. Summary


1.1. The New Insecurity
Since the terrorist attacks on September 11, 2001, computer security has taken on some new meanings. The first is positive. As part of a global tightening of belts and rolling up of sleeves, there emerged several outreaches designed to provide security training and certification to folks in all walks of life, from the consumer being alerted about identity theft, to the soldier and sailor and weapons scientist taking greater precautions with items of national security, to the common person on the street gaining a heightened awareness of hackers and crackers and cyberattackers. Gradually this new emphasis on computer and network safety has percolated down to the ordinary user's computer in the den or living room. And because it really is a small Internet, and what affects one usually affects all, the safer individual users are, the safer the Net is for everybody.

Unfortunately, in return for a perception of security, both physical and on the Internet, some computer users have begun to accept unprecedented compromises in privacy as part of the price to be paid to counter an envisioned terrorist threat associated with computer usage. In return for a feeling of "protection" with vague ties to national defense, more and more of what used to be private data and folks' own business is now available for inspection by corporate and legal observers. Giving up the proven checks and balances that are the underpinnings of a free society may do more harm than good. Recent reports, such as a summer 2003 incident in which one or more airlines turned over to a contract firm working for the Department of Defense the transaction records of a half million passengers for use in an experiment on database profiling, have demonstrated that relaxed restraints on law enforcement agencies can lead to egregious actions. Numerous press reports have indicated that the expanded powers granted to law enforcement agencies in the name of homeland defense have resulted in those powers being used increasingly to investigate and prosecute crimes under laws not related to homeland defense at all. This, in turn, has resulted in a mini-backlash designed to rein in the security promoters, heightening the debate.

Possibly in response to a perceived decrease in privacy, a large number of new laws have come into play that attempt to protect individuals against widespread dissemination of personal information and regulate the creation and exchange of financial information regarding corporations. These new laws have long names, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Family Educational Rights and Privacy Act (FERPA). These laws penalize the improper disclosure of personal information gathered in the course of doing business, and often require the reporting of computer crimes that were formerly swept under the carpet to avoid embarrassing the agency or company that allowed such a lapse.

The ordinary user, such as the salesperson or secretary who logs on in the morning and shuts down at night, would rather not think twice about security. In fact, she might not think of it at all until a worm or some other attack affects the machine on which she has to work.

Some of the most invasive computer attacks against individuals may not involve infecting a computer, but merely listening to one. With machine patience, sniffers and database programs can accumulate data about people, lots of people, over as long a time as is needed to gather enough information to make an attack. Usually, the attack takes the form of making credit card purchases, or applying for credit in the name of the victims whose details have been pieced together. Such crimes, often called identity theft, can be devastating. It is not that the victim is always left liable for the fraudulent purchases; consumer protection laws and the rapid closing of accounts help a great deal to prevent that. It is that the victim may be left unable to exercise his own credit, or establish more, because vendors can't easily be sure whether any new transactions made after the ID theft is reported are being made by the customer or by the thief. And it is highly likely that the victim will be unaware of any of these activities until the damage has been done.

Now that it increasingly impacts the average user, public awareness of computer security has risen dramatically. Computer security has hit the newsstands, with more and more articles warning the public about viruses and other perils. The media also describe an increasing array of preventatives, ranging from changing network habits to adding firewalls and intrusion protection systems. Mix in the specter of terrorism, and the stakes get even higher.

1.1.1. Who You Gonna Call?
A new generation of security consultants, what BusinessWeek once termed "hacker busters," have hung out their shingles. A number of organizations stand ready to provide expert assistance in case a computer virus outbreak threatens the Internet:

Funded by the Defense Advanced Research Projects Agency (DARPA), the Computer Emergency Response Team (CERT) at the Software Engineering Institute at Carnegie Mellon University was created to provide information and support against any Internet crises, cyberattacks, accidents, or failures. Now officially named the CERT Coordination Center, this clearinghouse is the mother of all CERTs, and regional and corporate incident response centers are springing up to handle crises locally.

The Federal Computer Incident Response Center (FedCIRC) is the federal government's trusted focal point for computer security incident reporting, providing assistance with incident prevention and response. In 2003, FedCIRC officially became part of the Department of Homeland Security's Information Analysis and Infrastructure Protection (IAIP) Directorate. IAIP will continue to provide the FedCIRC services.

The Department of Energy has also established a Computer Incident Advisory Capability (CIAC) oriented to its own agency needs, including a "hoaxbusters" page dedicated to helping users recognize which attacks are real and which are based on hysteria. The gentler hoaxes clog up networks as users frantically alert their friends and neighbors of the supposed hazard. The vicious ones encourage users to take "protective measures" that might actually damage their own computers in an attempt to avoid worse calamity.

US-CERT is a partnership between CERT and the U.S. Department of Homeland Security.

Other national incident response teams have been formed in many countries:

In the United Kingdom, there is the National Infrastructure Security Co-ordination Centre (NISCC), pronounced "nicey," which is charged with protecting essential systems and services known collectively as the Critical National Infrastructure (CNI).

AusCERT (Australian CERT) monitors and evaluates global computer network threats and vulnerabilities.

CanCERT is Canada's first national Computer Emergency Response Team.

CERT Polska deals with security-related incidents related to Polish networks.

SingCERT (Singapore CERT) serves Singapore and parts of Southeast Asia.

SI-CERT is the Slovenian Computer Emergency Response Team, a service offered by ARNES (Academic and Research Network of Slovenia).

OXCERT provides CERT services for Oxford University in the United Kingdom.

In addition to government response organizations, many commercial providers of security services and virus protection systems have also set up organizations that are prepared to come to the aid of any customers who find security holes or face attacks. Linux and Unix users have plenty of organizations that report new exploits and post cures for easy update.

1.1.1.1. Information Sharing and Analysis Centers
Akin to CERTs, Information Sharing and Analysis Centers (ISACs) help develop and promulgate "best practices" for protecting critical infrastructures and minimizing vulnerabilities. Many industries have established ISACs to allow these critical sectors to share information and work together to help better protect the economy.
In the United States, Presidential Directive Number 63 and the Patriot Act establish that the ISACs will receive governmental sponsorship. The Department of Homeland Security lists links to various industry ISACs on its web site. ISACs are established for the food industry, water industry, emergency services (police and fire), state governments, and the telecommunications and information technology industries. There are also ISACs in place for the energy, transportation, banking and finance, chemical, and real estate industries.

1.1.1.2. Vulnerable broadband
Just as corporate and government users are banding together to provide mutual protection, however, a huge emerging class of users is expanding rapidly, and for the most part they are unprotected. As broadband Internet access becomes increasingly popular, more users set up home computers and leave them running 24/7. The result is that they become targets for attackers.
One study estimated that the time between when a new computer is turned on and the first attack is under way is usually less than 10 minutes. This is because attackers often use automated scanning tools that probe constantly, looking for opportunity. An exploit can often be placed in seconds, often before the patches and other countermeasures needed to complete a secure installation can be applied. Other studies claim the situation is worse still, putting the time before attack at as little as 2 minutes. I've seen instances in which newly updated computers became infected by a virus within a few minutes, even though the computers were protected by a secure network. This happened because the infecting computers were inside the network, likely having become infested by pathogens carried in on media that workers brought from home.
As the pool of computer users has increased, ways are emerging to illicitly profit off of them. The computer of a naive user may be forced into participating in a distributed denial of service (DDoS) attack aimed toward a designated target and timed to fire off with hundreds of thousands of others so as to overwhelm the victim. Alternatively, users' broadband computers can be turned into unwilling web sites for pornography or other products, or made into relays for unsolicited email (spam).
Fortunately, help is on the way:
Microsoft, for instance, offers easy software security updates over the Internet.
Help sites are available for every kind of Linux and Unix.
Many antivirus software publishers offer not only antivirus programs but also some kind of information service documenting viruses and what to do to prevent or handle specific attacks.
Most companies today are adding their own internal security forces. Increasingly, corporate want ads request a computer security certificate or two as a prerequisite for hiring.

1.1.1.3. No computer is an island
While once it was easy to ignore most warnings and scares as mere nuisances because most sites were isolated and unconnected, in today's world few computers stand alone. Viruses appear and spread with amazing speed, sometimes spanning the globe in hours or days (usually by stealing information, such as an email address book, from one victim and using it to infect others).
Even corporations that have secure perimeters can find themselves with significant internal virus problems. Often this is due to users who bring in infected laptops, use removable data drives, or burn information onto recordable CDs or DVDs that are infected and then brought into the office network.


1.1.2. The Sorry Trail
The story of network attacks, bugs, viruses, and criminal actions stretches as far back as the computer industry itself. One of the first bugs to develop in a computer system was precisely that: a moth was found squished inside some relay contacts at a government installation. Lieutenant Grace Hopper collected that moth and duly pasted it into the facility log book. She eventually became a rear admiral, went on to invent the computer compiler, and was the driving force behind the COBOL computer language.
With each advance of technology came new threats and attacks. Rogue self-replicating programs nearly overwhelmed a research facility in Palo Alto, California; they were the first computer worms. Unchecked, worms can multiply until they fill up a hard disk. Viruses, similar to worms but requiring a host program of some kind to live in and take over, came soon after.
Attacks and countermeasures followed one after another until the present. Vulnerabilities continue to be sniffed out by attackers who create viruses and worms to exploit them. Manufacturers then create patches intended to counter the attacks.
The whole adventure of viruses and worms can be summed up in the term malicious software, or malware. Malware will be covered in some detail in later chapters.
While early malware exploited single systems or multiuser systems, it took the Internet to really give malware life. The Internet forms a massive distributed environment. Malicious software can steal control of computers on the Internet, direct DDoS attacks at given hosts or servers, or pose as someone it is not in order to intercept data. The latter action is known as a masquerade attack, or spoofing.
The most elaborate malware can scan a victim machine for links to other machines, then replicate itself to those other machines while working its attack on the victim machine. The infamous Code Red worm worked over the Internet in this way. During the first 20 days of each month it replicated itself and replaced web pages on the victim machines with a page that declared "Hacked by Chinese"; it then launched a denial of service attack on the White House web server.

1.1.2.1. Computer crime
Computer crime has also become a major threat to business. According to the Federal Bureau of Investigation, computer crime is the most expensive form of commercial crime. In 2003, theft of information cost over $70 million, with an average cost of $2.6 million per theft. Also in 2003, denial of service attacks, which deprived companies of revenue and idled IT investments, cost over $66 million, with an average loss of $1.4 million. Estimates of the dollar figure for theft by computer intrusion and attack total $201 million.

Although almost 75 percent of organizations reported some kind of attack in 2003, only about 40 percent of those attacked could quantify the loss. It is estimated that roughly 50 percent of intrusions were not reported at all, either because their scope was unknown or the publicity was undesired.

Even though there has been substantial publicity in recent years about computer system risks and attacks, it turns out that many organizations are unwilling to report system intrusions. Doing so can result in adverse publicity, the loss of public confidence, and the possible charge of managerial incompetence. Many organizations fear lawsuits based on the emerging "standard of due care."

