Computer Security Basics, 2nd Edition
By Rick Lehtinen
Publisher: O'Reilly
Pub Date: June 2006
Print ISBN-10: 0-596-00669-1
Print ISBN-13: 978-0-59-600669-3
Pages: 310
This is the must-have book for a must-know field. Today, general security knowledge is mandatory, and, if you need to understand the fundamentals, Computer Security Basics, 2nd Edition is the book to consult.
The new edition builds on the well-established principles developed in the original edition and thoroughly updates that core knowledge. For anyone involved with computer security, including security administrators, system administrators, developers, and IT managers, Computer Security Basics, 2nd Edition offers a clear overview of the security concepts you need to know, including access controls, malicious software, security policy, cryptography, biometrics, as well as government regulations and standards.
This handbook describes complicated concepts such as trusted systems, encryption, and mandatory access control in simple terms. It tells you what you need to know to understand the basics of computer security, and it will help you persuade your employees to practice safe computing.
Topics include:
Computer security concepts
Security breaches, such as viruses and other malicious programs
Access controls
Security policy
Web attacks
Communications and network security
Encryption
Physical security and biometrics
Wireless network security
Computer security and requirements of the Orange Book
OSI Model and TEMPEST
Copyright
Preface
Part I: Security for Today
Chapter 1. Introduction
Section 1.1. The New Insecurity
Section 1.2. What Is Computer Security?
Section 1.3. Threats to Security
Section 1.4. Why Buy Security?
Section 1.5. What's a User to Do?
Section 1.6. Summary
Chapter 2. Some Security History
Section 2.1. Information and Its Controls
Section 2.2. Computer Security: Then and Now
Section 2.3. Early Computer Security Efforts
Section 2.4. Building Toward Standardization
Section 2.5. Computer Security Mandates and Legislation
Section 2.6. Summary
Part II: Computer Security
Chapter 3. Computer System Security and Access Controls
Section 3.1. What Makes a System Secure?
Section 3.2. System Access: Logging into Your System
Section 3.3. Summary
Chapter 4. Viruses and Other Wildlife
Section 4.1. Financial Effects of Malicious Programs
Section 4.2. Viruses and Public Health
Section 4.3. Viruses, Worms, and Trojans (Oh, My!)
Section 4.4. Who Writes Viruses?
Section 4.5. Remedies
Section 4.6. The Virus Hype
Section 4.7. An Ounce of Prevention
Section 4.8. Summary
Chapter 5. Establishing and Maintaining a Security Policy
Section 5.1. Administrative Security
Section 5.2. Overall Planning and Administration
Section 5.3. Day-to-Day Administration
Section 5.4. Separation of Duties
Section 5.5. Summary
Chapter 6. Web Attacks and Internet Vulnerabilities
Section 6.1. About the Internet
Section 6.2. What Are the Network Protocols?
Section 6.3. The Fragile Web
Section 6.4. Summary
Part III: Communications Security
Chapter 7. Encryption
Section 7.1. Some History
Section 7.2. What Is Encryption?
Section 7.3. The Data Encryption Standard
Section 7.4. Other Cryptographic Algorithms
Section 7.5. Message Authentication
Section 7.6. Government Cryptographic Programs
Section 7.7. Cryptographic Export Restrictions
Section 7.8. Summary
Chapter 8. Communications and Network Security
Section 8.1. What Makes Communication Secure?
Section 8.2. Modems
Section 8.3. Networks
Section 8.4. Network Security
Section 8.5. Summary
Part IV: Other Types of Security
Chapter 9. Physical Security and Biometrics
Section 9.1. Physical Security
Section 9.2. Locks and Keys: Old and New
Section 9.3. Biometrics
Section 9.4. Gentle Reminder
Section 9.5. Summary
Chapter 10. Wireless Network Security
Section 10.1. How We Got Here
Section 10.2. Today's Wireless Infrastructure
Section 10.3. How Wireless Works
Section 10.4. Playing the Fields
Section 10.5. What Is This dB Stuff?
Section 10.6. Why Does All This Matter?
Section 10.7. Encouraging Diversity
Section 10.8. Physical Layer Wireless Attacks
Section 10.9. Summary
Part V: Appendixes
Appendix A. OSI Model
Appendix B. TEMPEST
Section B.1. The Problem of Emanations
Section B.2. The TEMPEST Program
Section B.3. TEMPEST Standards
Section B.4. Hard As You Try
Appendix C. The Orange Book, FIPS PUBS, and the Common Criteria
Section C.1. About the Orange Book
Section C.2. Rating by the Book
Section C.3. Summary of Orange Book Classes
Section C.4. FIPS by the Numbers
Section C.5. I Don't Want You Smelling My Fish
About the Author
Colophon
Index
Computer Security Basics, Second Edition
by Rick Lehtinen, Deborah Russell, and G.T. Gangemi Sr.

Copyright © 2006, 1991 O'Reilly Media, Inc. All rights reserved.

Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or
Editor: Tatiana Apandi
Developmental Editor: Mary Dageforde
Production Editor: Darren Kelly
Copyeditor: Mary Anne Weeks Mayo
Proofreader: Darren Kelly
Indexer: Julie Hawks
Cover Designer: Edie Freedman
Interior Designer: David Futato
Illustrators: Robert Romano and Jessamyn Read

Printing History:
July 1991: First Edition.
June 2006: Second Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Computer Security Basics, the image of a key, and related trade dress are trademarks of O'Reilly Media, Inc.

Figure 7-1 is reproduced by permission of the Smithsonian Institution. Figure 10-14 used by permission of Berkeley Varitronics Systems, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

ISBN: 0-596-00669-1
Preface

About This Book

This book is about computer security: what it is, where it came from, where it's going, and why we should care about it. It introduces the many different areas of security in clear and simple terms: access controls, worms and viruses, cryptography, firewalls, network and web security, biometric devices, and more. If you're at all interested in computer security, or if computer security is a part of your job (whether you want it to be or not!), you should find this book useful. I've tried to give you the big picture and quite a few helpful details.

This book is not a technical reference. I've tried to pull together the basics about many different areas of computer security and put that information together comprehensively. If you need particularly technical information about a specific area of computer security (for example, making your specific system or operating system more secure, securing your web site, or configuring a router or firewall), you should refer to other, more specialized books.
Summary of Contents

This book is divided into 10 chapters and 3 appendixes.

Part I, Security for Today
This section presents a brief overview of what computer security is, where it came from, and where it's going.

Chapter 1, Introduction
This chapter introduces computer security: what it is and why it's important. It summarizes the threats to computers and the information stored on them, and it introduces the different types of computer security.

Chapter 2, Some Security History
This chapter briefly describes the history of computer security: where it came from, and what government mandates, laws, and standards address it.
Part II, Computer Security
This section discusses computer security: methods of protecting information stored in a computer system, primarily by controlling access to that information.
Chapter 3, Computer System Security and Access Controls
This chapter introduces computer system security and describes how that security controls access to systems and data.

Chapter 4, Viruses and Other Wildlife
This chapter explores viruses, worms, Trojans, and other types of malicious code.

Chapter 5, Establishing and Maintaining a Security Policy
This chapter describes the administrative procedures that improve security within an organization. It also introduces business continuity and disaster recovery as part of security.

Chapter 6, Web Attacks and Internet Vulnerabilities
This chapter introduces the perils that can attack your system or network while it is connected to the Internet.
Part III, Communications Security
This section discusses communications security: methods of protecting information while it's being transmitted over communications lines and network backbones.
Chapter 7, Encryption
This chapter explains what encryption is and how it protects data.

Chapter 8, Communications and Network Security
This chapter introduces network concepts and discusses some basic communications security issues.

Part IV, Other Types of Security
This section describes several additional types of security.

Chapter 9, Physical Security and Biometrics
This chapter introduces physical security and describes different types of biometric devices.

Chapter 10, Wireless Network Security
This chapter describes the workings of wireless networks and the security ramifications of this access medium.

Part V, Appendixes
This section provides a number of quick references to computer security requirements and programs.

Appendix A, OSI Model
This appendix describes the seven layers of OSI and how each relates to security.

Appendix B, TEMPEST
This appendix describes what TEMPEST is and why it's important.

Appendix C, The Orange Book, FIPS PUBS, and the Common Criteria
This appendix provides a summary of legacy Orange Book requirements, the Federal Information Processing Publications (FIPS PUBS), and the Common Criteria, which is the international successor to the Orange Book.
Using Code Examples

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact O'Reilly for permission unless you're reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O'Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product's documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: Computer Security Basics, Second Edition, by Rick Lehtinen, Deborah Russell, and G.T. Gangemi Sr. Copyright 2006 O'Reilly Media, Inc., 0-596-00669-1.
Comments and Questions

Please address comments and questions concerning this book to the publisher:

O'Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

We have a web page for this book that lists errata, examples, and any additional information. You can access this page at:

To comment or ask technical questions about this book, send email to:

For more information about our books, conferences, Resource Centers, and the O'Reilly Network, see our web site at:
Safari® Enabled

When you see a Safari® Enabled icon on the cover of your favorite technology book, that means the book is available online through the O'Reilly Network Safari Bookshelf.

Safari offers a solution that's better than e-books. It's a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information.

Try it for free at.
Acknowledgments

Any author of a second edition is incredibly indebted to the authors of the first. Deborah Russell, you were great to work with from start to finish. The text authored by you and G.T. Gangemi Sr. gave me an excellent starting point. Let's do it again someday. And to my buds at Cisco's Network Academy and to Gwen, my CISSP coach, who put me up to this: warm thanks, I owe you.

Thanks to Kathy, Jana, Jon, Kyle and a few cats who did not see enough of me during this book's production, and Louise who said I shouldn't undertake it, but was kind of proud once it got done.

Many people from O'Reilly helped to produce this second edition: Deborah Russell for seeing the value in the project and Tatiana Apandi for keeping me at it and cheering me on when it conflicted with my day job. Thanks to my technical reviewers: Mark Lucking, Simon Biles, and especially Mary Dageforde for all her help. Many thanks!

Some of the chapters in the first edition were based on an internal document that Deborah Russell prepared for Wang Laboratories. Thanks to a lot of other people who contributed to the first edition of this book: Dennis K. Branstad, James Burrows, Daniel Faigin, Perry Flinn, Simson Garfinkel, Irene Gilbert, Nick Hammond, Stuart W. Katzke, F. Lynn McNulty, Paul Mei, Andrew Odlyzko, Victor Oppenheimer, Tim O'Reilly, Robert Rosenthal, Bradley Ross, Len Schneider, Miles Smid, Gene Spafford, Bob Tinkelman, Gene Troy, and Mitch Wright.
Part I: Security for Today
Chapter 1. Introduction
1.1. The New Insecurity

Since the terrorist attacks on September 11, 2001, computer security has taken on some new meanings. The first is positive. As part of a global tightening of belts and rolling up of sleeves, there emerged several outreaches designed to provide security training and certification to folks in all walks of life, from the consumer being alerted about identity theft, to the soldier and sailor and weapons scientists taking greater precautions with items of national security, to the common person on the street gaining a heightened awareness of hackers and crackers and cyberattackers. Gradually this new emphasis on computer and network safety has percolated down to the ordinary user's computer in the den or living room. And because it really is a small Internet, and what affects one usually affects all, the safer individual users are, the safer the Net is for everybody.
Unfortunately, in return for a perception of security, both physical and on the Internet, some computer users have begun to accept unprecedented compromises in privacy as being part of the price to be paid to counter an envisioned terrorist threat associated with computer usage. In return for a feeling of "protection" with vague ties to national defense, more and more of what used to be private data and folks' own business is now available for inspection by corporate and legal observers. Giving up the proven checks and balances that are the underpinnings of a free society may do more harm than good. Recent reports, such as a summer 2003 incident in which one or more airlines turned over to a contract firm working for the Department of Defense the transaction records of a half million passengers for use in an experiment on database profiling, have demonstrated that relaxed restraints against law enforcement agencies can lead to egregious actions. Numerous press reports have indicated that the expanded powers granted to law enforcement agencies in the name of homeland defense have resulted in those powers being used increasingly to investigate and prosecute crimes under laws not related to homeland defense at all. This, in turn, has resulted in a mini-backlash designed to rein in the security promoters, heightening the debate.
Possibly in response to a perceived decrease in privacy, a large number of new laws have come into play that attempt to protect individuals against widespread dissemination of personal information and regulate the creation and exchange of financial information regarding corporations. These new laws have long names, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Family Educational Rights and Privacy Act (FERPA). These laws make it a crime to reveal personal information gathered in the course of doing business, and often require the reporting of computer crimes that were formerly swept under the carpet to avoid embarrassing the agency or company allowing such a lapse.
The ordinary user, such as the salesperson or secretary who logs on in the morning and shuts down at night, would rather not think twice about security. In fact, she might not think of it at all until a worm or some other attack affects the machine on which she has to work.
Some of the most invasive computer attacks against individuals may not involve infecting a computer, but merely listening to one. With machine patience, sniffers and database programs can accumulate data about people (lots of people) over as long a time as is needed to gather enough information to make an attack. Usually, the attack takes the form of making credit card purchases, or applying for credit in the name of the victims whose details have been pieced together. Such crimes, often called identity theft, can be devastating. It is not that the victim is always left liable for the fraudulent purchases; consumer protection laws and the rapid closing of accounts help a great deal to prevent that. It is that the victim may be left unable to exercise his own credit, or establish more, because vendors can't easily be sure whether any new transactions after the ID theft is reported are being made by the customer or by the thief. And it is highly likely that the victim will be unaware of any of these activities until the damage has been done.
Now that it increasingly impacts the average user, public awareness of computer security has risen dramatically. Computer security has hit the newsstands, with more and more articles warning the public about viruses and other perils. The media also describes an increasing array of preventatives, ranging from changing network habits to adding firewalls and intrusion protection systems. Mix in the specter of terrorism, and the stakes get even higher.
1.1.1. Who You Gonna Call?

A new generation of security consultants, what BusinessWeek once termed "hacker busters," have hung out their shingles. A number of organizations stand ready to provide expert assistance in case a computer virus outbreak threatens the Internet:
Funded by the Defense Advanced Research Projects Agency (DARPA), the Computer Emergency Response Team (CERT) at the Software Engineering Institute at Carnegie Mellon University was created to provide information and support against any Internet crises, cyberattacks, accidents, or failures. Now officially named the CERT Coordination Center, this clearinghouse is the mother-of-all-CERTs, and regional and corporate incident response centers are springing up to handle crises locally.

The Federal Computer Incident Response Center (FedCIRC) is the federal government's trusted focal point for computer security incident reporting, providing assistance with incident prevention and response. In 2003, the FedCIRC officially became part of the Department of Homeland Security's Information Analysis and Infrastructure Protection (IAIP) Directorate. IAIP will continue to provide the FedCIRC services.

The Department of Energy has also established a Computer Incident Advisory Capability (CIAC) oriented to its own agency needs, including a "hoaxbusters" page dedicated to helping users recognize which attacks are real and which are based on hysteria. The gentle gags clog up networks as users frantically alert their friends and neighbors of the supposed hazard. The vicious gags encourage users to take "protective measures" that might actually damage their own computers in an attempt to avoid worse calamity.

US-CERT is a partnership between CERT and the U.S. Department of Homeland Security.
Other national incident response teams have been formed in many countries:

In the United Kingdom, there is the National Infrastructure Security Co-ordination Centre (NISCC), pronounced "nicey", which is charged with protecting essential systems and services known collectively as the Critical National Infrastructure (CNI).

AusCERT (Australian CERT) monitors and evaluates global computer network threats and vulnerabilities.

CanCERT is Canada's first national Computer Emergency Response Team.

CERT Polska deals with security-related incidents related to Polish networks.

SingCERT (Singapore CERT) serves Singapore and parts of Southeast Asia.

SI-CERT is the Slovenian Computer Emergency Response Team, a service offered by ARNES (Academic and Research Network of Slovenia).

In addition to government response organizations, many commercial providers of security services and virus protection systems have also set up organizations that are prepared to come to the aid of any customers who find security holes or face attacks.

OXCERT provides CERT services for Oxford University in the United Kingdom.

Linux and Unix users have ample organizations that report new exploits and post cures for easy update.
1.1.1.1. Information Sharing and Analysis Centers

Akin to CERTs, Information Sharing and Analysis Centers (ISACs) help develop and promulgate "best practices" for protecting critical infrastructures and minimizing vulnerabilities. Many industries have established ISACs to allow these critical sectors to share information and work together to help better protect the economy.

In the United States, Presidential Directive Number 63 and the Patriot Act establish that the ISACs will receive governmental sponsorship. The Department of Homeland Security lists links to various industry ISACs on its web site. ISACs are established for the food industry, water industry, emergency services (police and fire), state governments, and the telecommunications and information technology industries. There are also ISACs in place for the energy, transportation, banking and finance, chemical, and real estate industries.
1.1.1.2. Vulnerable broadband

Just as corporate and government users are bonding together to provide mutual protection, however, a huge emerging class of users is expanding rapidly, and for the most part they are unprotected. As broadband Internet access becomes increasingly popular, more users set up home computers and leave them running 24/7. The result is they become targets for attackers.

One study estimated that the time between when a new computer is turned on and the first attack is under way is usually less than 10 minutes. This is because attackers often use automated scanning tools that probe constantly, looking for opportunity. An exploit can often be placed in seconds, often before the countermeasures that complete an installation can be put in place. Other studies claim the situation is worse still, figuring the time before attack is equal to 2 minutes. I've seen instances in which newly updated computers became infected by a virus within a few minutes, even though the computers were protected by a secure network. This happened because the infecting computers were inside the network, likely becoming infested by pathogens carried in on media workers brought from home.
As the pool of computer users has increased, ways are emerging to illicitly profit off of them. The computer of a naive user may be forced into participating in a distributed denial of service (DDoS) attack aimed toward a designated target and timed to fire off with hundreds of thousands of others so as to overwhelm the victim. Alternatively, users' broadband computers can be turned into unwilling web sites for pornography or other products, or made into relays for unsolicited email (spam).

Fortunately, help is on the way:

Microsoft, for instance, offers easy software security updates over the Internet.

Help sites are available for every kind of Linux and Unix.

Many antivirus software publishers offer not only antivirus programs but also some kind of information service documenting viruses and what to do to prevent or handle specific attacks.

Most companies today are adding their own internal security forces. Increasingly, corporate want ads request a computer security certificate or two as a prerequisite for hiring.
1.1.1.3. No computer is an island

While once it was easy to ignore most warnings and scares as mere nuisances because most sites were isolated and unconnected, in today's world, few computers stand alone. Viruses occur and spread with amazing speed, sometimes spanning the globe in hours or days (usually by stealing information, such as an email address book from one victim, and using it to infect others).

Even corporations that have secure perimeters can find themselves with significant internal virus problems. Often this is due to users who bring in infected laptops, use removable data drives, or burn information onto recordable CDs or DVDs that are infected and then brought into the office network.
1.1.2. The Sorry Trail

The story of network attacks, bugs, viruses, and criminal actions stretches as far as the computer industry itself. One of the first bugs to develop in a computer system was precisely that: a moth was found squished inside some relay contacts at a government installation. Lieutenant Grace Hopper collected that moth and duly pasted it into the facility log book. She eventually became a rear admiral, and went on to invent the computer compiler and was the driving force behind the COBOL computer language.
With each advance of technology came new threats and attacks. Rogue self-replicating programs nearly overwhelmed a research facility in Palo Alto, California; they were the first computer worms. Unchecked, worms can multiply until they fill up a hard disk. Viruses, similar to worms but requiring a host program of some kind to live in and take over, came soon after. Attacks and countermeasures followed one after another until the present. Vulnerabilities continue to be sniffed out by attackers who create viruses and worms to exploit them. Manufacturers then create patches intended to counter the attacks.

The whole adventure of viruses and worms can all be summed up in the term malicious software or malware. Malware will be covered in some detail in later chapters.

While early malware exploited single systems or multiuser systems, it took the Internet to really give malware life. The Internet forms a massive distributed environment. Malicious software can steal control of computers on the Internet, direct DDoS attacks at given hosts or servers, or pose as someone they are not in order to intercept data. The latter action is known as a masquerade attack or spoofing.

The most elaborate malware can scan a victim machine for links to other machines, then replicate itself to those other machines while working its attack on the victim machine. The infamous Code Red worm worked over the Internet in this way. After replicating itself for the first 20 days of each month, it replaced web pages on the victim machines with a page that declared "Hacked by Chinese," then launched an attack on the White House web server.
1.1.2.1. Computer crime

Computer crime has also become a major threat to business. According to the Federal Bureau of Investigation, computer crime is the most expensive form of commercial crime. In 2003, theft of information cost over $70 million, with an average cost of $2.6 million per theft. Also in 2003, denial of service attacks, which deprived companies of revenue and idled IT investments, cost over $66 million, with an average loss of $1.4 million. Estimates of the dollar figure for theft by computer intrusion and attack total $201 million.

Although almost 75 percent of organizations reported some kind of attack in 2003, only about 40 percent of those attacked could quantify the loss. It is estimated that roughly 50 percent of intrusions were not reported at all, either because their scope was unknown or the publicity was undesired.

Even though there has been substantial publicity in recent years about computer system risks and attacks, it turns out that many organizations are unwilling to report system intrusions. Doing so can result in adverse publicity, the loss of public confidence, and the possible charge of managerial incompetence. Many organizations fear lawsuits based on the emerging "standard of due care."