Chapter 1. Security Overview
Because of the increased reliance on powerful, networked computers to help run businesses and keep track of our personal information, industries have been formed around the practice of network and computer security. Enterprises have solicited the knowledge and skills of security experts to properly audit systems and tailor solutions to fit the operating requirements of the organization. Because most organizations are dynamic in nature, with workers accessing company IT resources locally and remotely, the need for secure computing environments has become more pronounced.
Unfortunately, most organizations (as well as individual users) treat security as an afterthought, a process that is overlooked in favor of increased power, productivity, and budgetary concerns. Proper security implementation is often enacted postmortem, after an unauthorized intrusion has already occurred. Security experts agree that the right measures, taken before a site is connected to an untrusted network such as the Internet, are an effective means of thwarting most attempts at intrusion.
1.1. What is Computer Security?
Computer security is a general term that covers a wide area of computing and information processing. Industries that depend on computer systems and networks to conduct daily business transactions and access crucial information regard their data as an important part of their overall assets. Several terms and metrics have entered our daily business vocabulary, such as total cost of ownership (TCO) and quality of service (QoS). In these metrics, industries calculate aspects such as data integrity and high availability as part of their planning and process management costs. In some industries, such as electronic commerce, the availability and trustworthiness of data can be the difference between success and failure.
1.1.1. How did Computer Security Come about?
Many readers may recall the movie "WarGames," starring Matthew Broderick as a high school student who breaks into a United States Department of Defense (DoD) supercomputer and inadvertently brings the country to the brink of nuclear war. In this movie, Broderick's character uses his modem to dial into the DoD computer (called WOPR) and plays games with the artificially intelligent software controlling all of the nuclear missile silos. The movie was released in 1983, during the "cold war" between the former Soviet Union and the United States, and was a success in its theatrical release. The popularity of the movie inspired many individuals and groups to begin implementing some of the methods that the young protagonist used to crack restricted systems, including what is known as war dialing: dialing every phone number in a given area code and prefix combination in search of analog modems that answer.
More than 10 years later, after a four-year, multi-jurisdictional pursuit involving the Federal Bureau of Investigation (FBI) and the aid of computer professionals across the country, infamous computer cracker Kevin Mitnick was arrested and charged with 25 counts of computer and access device fraud that resulted in an estimated US$80 Million in losses of intellectual property and source code from Nokia, NEC, Sun Microsystems, Novell, Fujitsu, and Motorola. At the time, the FBI considered it to be the largest computer-related criminal offense in U.S. history. He was convicted and sentenced to a combined 68 months in prison for his crimes, of which he served 60 months before his parole on January 21, 2000. Mitnick was further barred from using computers or doing any computer-related consulting until 2003. Investigators say that Mitnick was an expert in social engineering: manipulating people into revealing passwords or granting access, typically by posing as a trusted colleague, vendor, or authority.
Information security has evolved over the years due to the increasing reliance on public networks to disclose personal, financial, and other restricted information. There are numerous instances such as the Mitnick and the Vladimir Levin cases (refer to Section 1.1.2, “Computer Security Timeline” for more information) that prompted organizations across all industries to rethink the way they handle information transmission and disclosure. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security.
An ever-growing number of people are using their personal computers to gain access to the resources that the Internet has to offer. From research and information retrieval to electronic mail and commerce transactions, the Internet has been regarded as one of the most important developments of the 20th century.
The Internet and its earlier protocols, however, were developed as a trust-based system. That is, the Internet Protocol was not designed to be secure in itself. The base TCP/IP stack provides no authentication, confidentiality, or tamper protection: a host accepts a packet from any source and has no way to verify that the source address in the header belongs to whoever actually sent it, leaving it open to potentially malicious users and processes across the network. Modern developments have made Internet communication more secure, but there are still several incidents that gain national attention and alert us to the fact that nothing is completely safe.
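The following Python example is added here to make that point concrete; it is not part of the original guide. An IPv4 header carries a checksum (RFC 791) but no key or signature, so anyone who rewrites the source address can simply recompute the checksum, and the forged header passes every check a receiver or router can perform. The header and addresses (from the RFC 5737 documentation ranges) are constructed for this example.

```python
"""Added example: the IPv4 header checksum (RFC 791) is not a security control.

Build a minimal IPv4 header, verify it the way a router does, then rewrite the
source address and recompute the checksum. The forged header is indistinguishable
from the genuine one. Addresses are from the RFC 5737 documentation ranges; the
header is constructed for this example.
"""
import ipaddress
import struct

IPV4_HEADER_LEN = 20  # fixed header, no options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, with the checksum field taken as zero."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", bytes(hdr)))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_checksum(header: bytes) -> bytes:
    """Return the header with a freshly computed checksum in bytes 10-11."""
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 1, ttl: int = 64) -> bytes:
    """Minimal header: version 4, IHL 5, no fragmentation; proto 1 is ICMP."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, IPV4_HEADER_LEN + payload_len,
        0, 0,                       # identification, flags/fragment offset
        ttl, proto, 0,              # checksum placeholder, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return set_checksum(header)


def verify_checksum(header: bytes) -> bool:
    """What a receiver or router checks: stored checksum matches the recomputed one."""
    (stored,) = struct.unpack("!H", header[10:12])
    return stored == ipv4_checksum(header)


def source_address(header: bytes) -> str:
    return str(ipaddress.IPv4Address(header[12:16]))


def spoof_source(header: bytes, new_src: str) -> bytes:
    """Forge the source address. No key, no signature: recomputing the checksum is all it takes."""
    forged = header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]
    return set_checksum(forged)


def corrupt_ttl(header: bytes) -> bytes:
    """Flip one TTL bit without fixing the checksum: the kind of error it does catch."""
    return header[:8] + bytes([header[8] ^ 0x01]) + header[9:]


if __name__ == "__main__":
    genuine = build_ipv4_header("192.0.2.10", "198.51.100.7", payload_len=64)
    forged = spoof_source(genuine, "203.0.113.99")
    damaged = corrupt_ttl(genuine)
    for name, hdr in (("genuine", genuine), ("forged", forged), ("damaged", damaged)):
        print(f"{name:<7} src={source_address(hdr):<14} checksum_ok={verify_checksum(hdr)}")
```

The checksum catches the accidental bit flip but not the deliberate rewrite, which is exactly the distinction between an error-detection code and a security mechanism; source-address filtering at network borders and authentication at higher layers (IPsec, TLS) exist because the header itself offers neither.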
1.1.2. Computer Security Timeline
Several key events contributed to the birth and rise of computer security. The following timeline lists some of the more important events that brought attention to computer and information security and its importance today.
1.1.2.1. The 1960s
- Students in the Massachusetts Institute of Technology (MIT) Tech Model Railroad Club (TMRC) begin exploring and programming the school's PDP-1 computer. The group eventually coins the term "hacker" in the context it is known today.
- The DoD creates the Advanced Research Projects Agency Network (ARPANet), which gains popularity in research and academic circles as a conduit for the electronic exchange of data and information. This paves the way for the network known today as the Internet.
- Ken Thompson develops the UNIX operating system, widely hailed as the most "hacker-friendly" OS because of its accessible developer tools and compilers, and its supportive user community. Around the same time, Dennis Ritchie develops the C programming language, arguably the most popular hacking language in computer history.
1.1.2.2. The 1970s
- Bolt, Beranek, and Newman, a computing research and development contractor for government and industry, launches Telenet, a commercial public packet-switched network that grew out of its ARPANet work. This opens data networks, once restricted to government contractors and academic researchers, to public use. The Telnet remote-login protocol that ran over such networks sends everything, passwords included, in cleartext, which is why security researchers regard it as unsuitable for untrusted networks.
- Steve Jobs and Steve Wozniak found Apple Computer and begin marketing personal computers. The personal computer is the springboard for several malicious users to learn the craft of cracking systems remotely using common PC communication hardware such as analog modems and war dialers.
- Jim Ellis and Tom Truscott create USENET, a bulletin-board-style system for electronic communication between disparate users. USENET quickly becomes one of the most popular forums for the exchange of ideas in computing, networking, and, of course, cracking.
1.1.2.3. The 1980s
- IBM develops and markets PCs based on the Intel 8088 microprocessor, a relatively inexpensive architecture that brings computing from the office to the home. This serves to commodify the PC as a common and accessible tool that is fairly powerful and easy to use, aiding in the proliferation of such hardware in the homes and offices of malicious users.
- The Transmission Control Protocol, developed by Vint Cerf, is split into two separate parts. The Internet Protocol is born from this split, and the combined TCP/IP protocol becomes the standard for all Internet communication today.
- Based on developments in the area of phreaking, or exploring and hacking the telephone system, the magazine 2600: The Hacker Quarterly is created and begins discussion on topics such as cracking computers and computer networks to a broad audience.
- The 414 gang (named after the area code where they live and hack from) is raided by authorities after a nine-day cracking spree in which they break into systems at such sensitive sites as the Los Alamos National Laboratory, a nuclear weapons research facility.
- The Legion of Doom and the Chaos Computer Club are two pioneering cracker groups that begin exploiting vulnerabilities in computers and electronic data networks.
- The Computer Fraud and Abuse Act of 1986 is voted into law by Congress based on the exploits of Ian Murphy, also known as Captain Zap, who broke into military computers, stole information from company merchandise order databases, and used restricted government telephone switchboards to make phone calls.
- Based on the Computer Fraud and Abuse Act, the courts convict Robert Morris, a graduate student, for unleashing the Morris Worm onto over 6,000 vulnerable computers connected to the Internet. The next most prominent case ruled under this act is that of Herbert Zinn, a high-school dropout who cracked and misused systems belonging to AT&T and the DoD.
- Based on concerns that the Morris Worm ordeal could be replicated, the Computer Emergency Response Team (CERT) is created to alert computer users of network security issues.
- Clifford Stoll writes The Cuckoo's Egg, Stoll's account of investigating crackers who exploit his system.
1.1.2.4. The 1990s
- ARPANet is decommissioned. Traffic from that network is transferred to the Internet.
- Linus Torvalds develops the Linux kernel for use with the GNU operating system; the widespread development and adoption of Linux is largely due to the collaboration of users and developers communicating via the Internet. Because of its UNIX heritage and openly available source code, Linux becomes popular among hackers and administrators, who find it useful for building auditable alternatives to legacy servers running proprietary (closed-source) operating systems.
- The graphical Web browser is created and sparks an exponentially higher demand for public Internet access.
- Vladimir Levin and accomplices illegally transfer US$10 Million in funds to several accounts by cracking into the Citibank central database. Levin is arrested by Interpol and almost all of the money is recovered.
- Possibly the most heralded of all crackers is Kevin Mitnick, who hacked into several corporate systems, stealing everything from personal information of celebrities to over 20,000 credit card numbers and source code for proprietary software. He is arrested and convicted of wire fraud charges and serves 5 years in prison.
- Kevin Poulsen and an unknown accomplice rig radio station phone systems to win cars and cash prizes. He is convicted of computer and wire fraud and is sentenced to 51 months in prison.
- The stories of cracking and phreaking become legend, and several prospective crackers convene at the annual DefCon convention to celebrate cracking and exchange ideas between peers.
- A 19-year-old Israeli student is arrested and convicted for coordinating numerous break-ins to US government systems during the Persian Gulf conflict. Military officials call it "the most organized and systematic attack" on government systems in US history.
- US Attorney General Janet Reno, in response to escalated security breaches in government systems, establishes the National Infrastructure Protection Center.
- Press reports claim that British military communications satellites have been taken over and held for ransom by unknown offenders; the British government denies that control of the satellites was ever lost.
1.1.3. Security Today
In February of 2000, a Distributed Denial of Service (DDoS) attack was unleashed on several of the most heavily-trafficked sites on the Internet. The attack rendered yahoo.com, cnn.com, amazon.com, fbi.gov, and several other sites completely unreachable to normal users, as it tied up routers for several hours with floods of large ICMP packets, also called a ping flood. The attack was carried out by unknown assailants using specially created, widely available programs that scanned for vulnerable network servers, installed attack agents (often described as trojans) on them, and then triggered every compromised server to flood the victim sites at the same moment, rendering them unavailable. Many blame the attack on a fundamental property of the Internet's design: routers forward, and hosts accept, packets from any source regardless of where they come from or why they were sent, so nothing in the network itself stops thousands of compromised machines from converging on one target.
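As an added illustration, not part of the original guide, the Python below runs a simple ping-flood detector over constructed flow records. The record layout (epoch second, source, destination, protocol, bytes) is made up for this example and is not a tcpdump or NetFlow format, and the thresholds are sized for the tiny sample rather than a real network. It aggregates ICMP bytes per destination per one-second window and counts distinct sources, which is what separates one noisy host from the coordinated flood described above.

```python
"""Added example: spotting a ping flood, single-source or distributed, in flow records.

The record layout (epoch second, src, dst, protocol, bytes) is made up for this
example; it is not tcpdump or NetFlow output, and the thresholds are sized for
the tiny sample below, not for a real network.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

ICMP_BYTES_PER_SEC = 50_000   # alert when ICMP bytes to one destination in one second reach this
DISTRIBUTED_SOURCES = 5       # this many distinct sources or more: call the flood distributed

# Constructed sample: second 1000 is eight hosts each sending 7000 B of ICMP to one
# victim; second 1001 is a single host sending 60000 B; the rest is background noise.
SAMPLE_RECORDS = """\
1000 203.0.113.1  198.51.100.10 icmp 7000
1000 203.0.113.2  198.51.100.10 icmp 7000
1000 203.0.113.3  198.51.100.10 icmp 7000
1000 203.0.113.4  198.51.100.10 icmp 7000
1000 203.0.113.5  198.51.100.10 icmp 7000
1000 203.0.113.6  198.51.100.10 icmp 7000
1000 203.0.113.7  198.51.100.10 icmp 7000
1000 203.0.113.8  198.51.100.10 icmp 7000
1000 192.0.2.50   198.51.100.10 tcp  48000
1000 192.0.2.51   198.51.100.20 icmp 128
1001 203.0.113.99 198.51.100.10 icmp 60000
1001 192.0.2.51   198.51.100.20 icmp 128
1002 203.0.113.1  198.51.100.10 icmp 7000
"""


@dataclass(frozen=True)
class Alert:
    window: int      # the one-second bucket (epoch second)
    dst: str         # victim address
    icmp_bytes: int  # ICMP bytes received in that second
    sources: int     # distinct source addresses seen

    @property
    def kind(self) -> str:
        return "distributed" if self.sources >= DISTRIBUTED_SOURCES else "single-source"


def parse_records(text: str):
    """Yield (second, src, dst, proto, bytes); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        second, src, dst, proto, nbytes = parts
        yield int(second), src, dst, proto.lower(), int(nbytes)


def detect_icmp_floods(text: str, byte_threshold: int = ICMP_BYTES_PER_SEC) -> list[Alert]:
    """Sum ICMP bytes and count distinct sources per (second, destination); alert at threshold."""
    icmp_bytes: dict[tuple[int, str], int] = defaultdict(int)
    sources: dict[tuple[int, str], set[str]] = defaultdict(set)
    for second, src, dst, proto, nbytes in parse_records(text):
        if proto != "icmp":
            continue  # TCP/UDP volume is irrelevant to a ping flood
        icmp_bytes[(second, dst)] += nbytes
        sources[(second, dst)].add(src)
    alerts = [
        Alert(second, dst, total, len(sources[(second, dst)]))
        for (second, dst), total in icmp_bytes.items()
        if total >= byte_threshold
    ]
    return sorted(alerts, key=lambda a: (a.window, a.dst))


if __name__ == "__main__":
    for alert in detect_icmp_floods(SAMPLE_RECORDS):
        print(f"t={alert.window} dst={alert.dst} icmp_bytes={alert.icmp_bytes} "
              f"sources={alert.sources} -> {alert.kind} flood")
```

On the sample this reports a distributed flood at second 1000 (eight sources, 56,000 bytes) and a single-source flood at second 1001 (one source, 60,000 bytes); the 48,000 bytes of TCP and the lone 128-byte ping are ignored. In practice the byte threshold comes from a baseline of the network's normal ICMP volume, and the source count is only indicative: flood agents routinely forge source addresses, so many distinct sources can be one host lying, and a genuine eight-host flood can hide behind addresses that belong to nobody.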
This brings us to the new millennium, a time where an estimated 945 Million people use or have used the Internet worldwide (Computer Industry Almanac, 2004). At the same time:
- On any given day, approximately 225 major security incidents are reported to the CERT Coordination Center at Carnegie Mellon University.[1]
- In 2003, the number of incidents reported to CERT rose to 137,529, from 82,094 in 2002 and 52,658 in 2001.[2]
- The worldwide economic impact of the three most dangerous Internet viruses of the last three years was estimated at US$13.2 Billion.[3]
Computer security has become a quantifiable and justifiable expense for all IT budgets. Organizations that require data integrity and high availability enlist the skills of system administrators, developers, and engineers to ensure 24x7 reliability of their systems, services, and information. Falling victim to malicious users, processes, or coordinated attacks is a direct threat to the success of the organization.
Unfortunately, system and network security can be a difficult proposition, requiring an intricate knowledge of how an organization regards, uses, manipulates, and transmits its information. Understanding the way an organization (and the people that make up the organization) conducts business is paramount to implementing a proper security plan.
1.1.4. Standardizing Security
Enterprises in every industry rely on regulations and rules that are set by standards-making bodies such as the American Medical Association (AMA) or the Institute of Electrical and Electronics Engineers (IEEE). The same ideals hold true for information security. Many security consultants and vendors agree upon the standard security model known as CIA, or Confidentiality, Integrity, and Availability. This three-part model is a generally accepted component of assessing risks to sensitive information and establishing security policy. The following describes the CIA model in further detail:
- Confidentiality — Sensitive information must be available only to a set of pre-defined individuals. Unauthorized transmission and usage of information should be restricted. For example, confidentiality of information ensures that a customer's personal or financial information is not obtained by an unauthorized individual for malicious purposes such as identity theft or credit fraud.
- Integrity — Information should not be altered in ways that render it incomplete or incorrect. Unauthorized users must not be able to modify or destroy sensitive information, and any unauthorized change should be detectable by those who rely on the data.
- Availability — Information should be accessible to authorized users any time that it is needed. Availability is a guarantee that information can be obtained with an agreed-upon frequency and timeliness. This is often measured as a percentage of uptime and agreed to formally in Service Level Agreements (SLAs) between network service providers and their enterprise clients.