Computer Security (Encyclopedia of Management)
Computers have become such a big part of everyday life, both at work and at home, for many people around the world. These days, computers are an essential part of practically every type of business, from small, home-based businesses to large multinational corporations. In the business world, companies use computers to store information, design and manufacture products, run complex calculations, etc. On a personal level, many people rely on their home computers to store important information, watch movies, play games, communicate with others, and shop over the Internet.
Because so much valuable information is stored on computers, a new type of criminal has emerged in recent years. These criminals, sometimes called "hackers" or "scammers," use their computers to "break in" to companies' or other people's computers to steal information, such as credit card numbers. The incidence of identity theft is on the rise as computer criminals find increasingly sophisticated ways to obtain personal information and use it in malicious ways. However, not all hackers are interested in stealing information. Instead, some send viruses through websites or email to damage the receivers' computers.
Information stored in a computer system is subject to a variety of threats. It was not long ago that the biggest concern about computer data was protecting it from physical disasters such as floods and fires, technology failures, and human errors. Most organizations develop contingency plans whereby they examine the possibilities of losing computer operations, and formulate procedures for minimizing damage. A disaster recovery plan is typically adopted to outline how the organization will carry on business in the event of a catastrophic loss. Data backup is an essential element of disaster recovery and involves the regular, systematic backing up of data to media that may include floppy disks, removable hard disks, CD-ROMs, or magnetic tape. Ideally, the backup files are then stored in a safe that is fireproof, heatproof, waterproof, and preferably protected at an off-premise location.
While the threat to computer files from disasters is real, research shows that employees are frequent culprits in the destruction or alteration of company information. Customer information, new-product plans, company financial information, and legal information can be stolen and sold to other organizations. Former or disgruntled workers who want revenge on their employer or supervisor have been known to resort to computer crime. The victim of information theft rarely learns of the problem until afterward, since copying information does not alter the original in any way. For this reason, prosecution is rare and frequently results in mild treatment. In some cases, perpetrators have taken new jobs as security consultants after receiving minor punishments.
Although records protection is still of concern today, there are many more concerns about the safety of computer data, both at work and at home. Because so much business is now conducted over the Internet, computer criminals have discovered ways to steal that information. Terms such as spyware, phishing, pharming, viruses, firewalls, and spam are practically household words among computer users, especially those who use the Internet.
Spyware is a term used to describe a program that is put on a computer without the user's permission, and usually without the user's knowledge. A spyware program runs in the background and keeps track of the programs the user runs and the websites the user visits. Some spyware tracks the user's keystrokes and extracts passwords and other information as they type. It then uses the information gathered to display certain advertisements or forces the user's browser to display certain websites or search results. Most spyware is written for the Windows operating system.
Spyware can be installed on an unsuspecting user's computer in any of the following ways:
- Piggybacked software installation: Some software applications install spyware as part of the program installation. This is especially true of "free" software that users download onto their computers.
- Drive-by download: Some websites automatically try to download and install spyware on the user's machine. Sometimes when this happens, the user's browser may display a standard popup message that tells the name of the software and asks if the user wants to install it. But if the user's security setting is low enough, his browser may not display the message.
- Browser add-ons: This type of spyware adds enhancements, such as a toolbar, an animated pal, or additional search boxes, to the user's web browser. While the user may like these enhancements, some of them embed themselves deep in the user's computer and are very hard to remove from the computer. These embedded spyware programs are also known as browser hijackers.
- Masquerading as anti-spyware: Some spyware programs claim to be anti-spyware software, but in reality are spyware programs themselves. They trick users into thinking that they remove spyware, when they actually install additional spyware of their own.
Not only does spyware infringe upon users' privacy, but it can also slow down their computers. Many spyware programs use up most of the computer's random access memory (RAM) and processor power, preventing other applications from using these resources. In addition, many spyware programs generate popup advertisements that slow down the user's web browser, reset the user's homepage to display advertisements every time she opens the web browser, and redirect the user's web searches. Some spyware programs even modify the user's Internet settings for modem connections to dial out to expensive, pay telephone numbers. Some of the more malicious spyware programs modify the user's firewall settings, increasing the opportunities for more spyware and viruses to enter the user's computer.
Spyware has become such a problem that many states are taking action to explicitly ban spyware. Several federal laws deal with spyware. These include the Computer Fraud and Abuse Act, which covers any unauthorized software installations; the Federal Trade Commission Act, which deals with deceptive trade practices; and the Electronic Communications Privacy Act, which makes it illegal for companies to violate the security of customers' personal information. Unfortunately, these laws are very hard to enforce.
Phishing is a term used to describe email scams that attempt to trick consumers into disclosing personal and/or financial information. The email messages appear to be from legitimate sources, such as banks, credit card issuers, or well-known Internet sites (such as America Online, Paypal, and eBay). The content of the messages varies, but often they tell the consumer that he needs to update personal information or that there is a problem with the consumer's account. The messages usually contain links to fake websites. When the user clicks the link, they are taken to websites that look official, and may even include images from the legitimate websites. These fake websites often instruct the unsuspecting user to enter credit card numbers, social security numbers, bank personal identification numbers (PINs), and other valuable information. Once the user enters that information, the violators use it or sell it. This leads to what is known as identity theft. The scammers use this information to assume the identity of the victims to make purchases in that person's name.
It is estimated that between July and October of 2004, the number of new phishing websites grew approximately 25 percent per month. The amount of money that phishers collected from victims in a twelve-month period (April 2003 through April 2004) is estimated to be $1.2 billion.
In an effort to stop phishing, U.S. Senator Patrick Leahy introduced the Anti-Phishing Act of 2005, which allows law enforcement officials to prosecute scammers before the actual fraud takes place. The bill also addresses pharming, which occurs when scammers redirect a user's browser to a fake banking or e-commerce site that asks for personal information. According to Leahy, "Some phishers and pharmers can be prosecuted under wire fraud or identity theft statutes, but often these prosecutions take place only when someone has been defrauded. For most of these criminals, that leaves plenty of time to cover their tracks. Moreover, the mere threat of these attacks undermines everyone's confidence in the Internet. When people cannot trust that websites are what they appear to be, they will not use the Internet for their secure transactions."
In December 2004 several financial institutions, Internet service providers (ISPs), online auctions, IT vendors, and law enforcement agencies came together to form an anti-phishing consortium. This group, called the Digital PhishNet group, includes big names such as Microsoft Corp.; America Online, Inc.; VeriSign, Inc.; EarthLink, Inc.; the Federal Bureau of Investigation (FBI); the Federal Trade Commission; the U.S. Secret Service; and the U.S. Postal Inspection Service. According to the consortium's website (<http://www.digitalphishnet.org>), it is a "joint enforcement initiative between industry and law enforcement" designed to catch phishing perpetrators.
The Anti-Phishing Working Group (APWG) also formed in response to the growing number of phishing complaints. According to the APWG website (<http://www.antiphishing.org>), the group is "the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types." The APWG has more than 1,200 members, including nearly 800 companies and agencies, eight of the top ten U.S. banks, four of the top five U.S. Internet service providers, hundreds of technology vendors, and national and provincial law enforcement agencies worldwide.
Spam is a term used to describe unsolicited email messages that usually contain an advertisement for some product or service, such as mortgage loans, pornography, or prescription drugs. Spammers send the messages to email addresses on wide-scale mailing lists, which could mean that each message is sent to thousands of people. Spam has become such an annoying problem for so many people that software programmers have developed spam filters to block or delete some email messages before they reach the recipient's email account. Most ISPs offer some level of spam filtering to their customers. However, even with these filters, hundreds of spam messages get through.
Practically everyone with a public email address receives spam every day. According to BusinessWeek Online (June 10, 2003), "in a single day in May , No. 1 Internet service provider AOL Time Warner (AOL) blocked 2 billion spam messages8 per subscriberrom hitting its customers' e-mail accounts. Microsoft, which operates No. 2 Internet service provider MSN plus e-mailbox service Hotmail, says it blocks an average of 2.4 billion spams per day."
Where do spammers get email addresses? Hundreds of companies compile lists of email addresses and put them on CDs, which they sell to anyone who is willing to pay for them. Each CD can contain millions of email addresses. These companies use programs to pull out screen names and email addresses from newsgroups and chat rooms or the Internet itself. Some spammers use spambots, which are programs that go through the web and look for the @ symbol and pull the email addresses associated with each one. Another method spammers use to obtain email addresses is to create websites specifically designed to attract web surfers. These websites may ask you to enter your email address to see what the site has to offer (for example, large amounts of money).
And finally, perhaps the most common method spammers use to get email addresses is to conduct a dictionary search of the mail servers and large ISPs. Dictionary searches use a program that establishes a connection with the target mail server and then submits millions of random email addresses. Often they will vary these email addresses very slightly (such as by adding a number somewhere in the address). The program then collects the email addresses for which the message actually goes through.
There are hundreds of companies around the world that have formed specifically to cater to spammers. They offer services for sending bulk email. Some of the larger companies can send billions of messages a day. Many of these companies are set up outside the United States to avoid U.S. laws. Some claim to be "spam free." This means that the email addresses they use are taken from the list of users who requested to receive bulk email, or "opt-in" email. A user's email address can be placed on an opt-in list when ordering something online. Many online stores include a checkbox near the bottom of the order page that asks the user to clear the checkbox if they do not want to receive email offers from their partners. If a user does not see that or misinterprets the checkbox, they may be placed on an opt-in list.
As mentioned above, there are many different spam filtering software programs on the market. These filters check email as it arrives in the user's electronic mailbox. The user can set up the filter to check for specific words or specific email addresses or specific types of attachments. If the filter detects any of these, it will either delete the message or place it in a separate folder. Unfortunately, spammers often find ways around these filters. Another problem with filters is that they sometimes filter out legitimate messages.
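The kind of user-configured filter described above can be sketched as follows. This is an added example, not code from the original article or from any filtering product; the class name, rule lists, addresses and sample messages are all constructed for illustration. It checks sender, attachment type and words, files matches in a separate folder (or deletes them), and the sample run shows both weaknesses the paragraph mentions: a message that slips past the word list and a legitimate message that gets filtered out.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr


class MailFilter:
    """Rule-based filter: blocked senders, attachment types and words."""

    def __init__(self, senders=(), words=(), extensions=(), on_match="junk"):
        self.senders = {s.lower() for s in senders}
        self.extensions = tuple(e.lower() for e in extensions)
        # Whole-word, case-insensitive match on the configured words.
        self.word_re = (
            re.compile(r"\b(?:" + "|".join(map(re.escape, words)) + r")\b", re.I)
            if words else None
        )
        self.on_match = on_match          # "junk" (separate folder) or "delete"

    def classify(self, msg):
        """Return (folder, reason) for one parsed message."""
        sender = parseaddr(str(msg.get("From", "")))[1].lower()
        if sender in self.senders:
            return (self.on_match, "sender")
        for part in msg.iter_attachments():
            name = (part.get_filename() or "").lower()
            if name.endswith(self.extensions):
                return (self.on_match, "attachment")
        body = msg.get_body(preferencelist=("plain",))
        text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
        if self.word_re and self.word_re.search(text):
            return (self.on_match, "word")
        return ("inbox", "no rule matched")


def make_message(sender, subject, body, attachment=None):
    """Build a constructed sample message (not real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


# Constructed samples covering each rule, one miss and one false positive.
SAMPLES = {
    "blocked sender": make_message("Promo <offers@bulk.example>", "Hello", "Just saying hi."),
    "spam word": make_message("deals@shop.example", "Low mortgage rates", "Apply today."),
    "attachment": make_message("billing@vendor.example", "Invoice", "See attached.",
                               attachment="invoice.EXE"),
    "obfuscated": make_message("deals@shop.example", "Low m0rtgage rates", "Apply today."),
    "legitimate": make_message("broker@bank.example", "Your mortgage closing date",
                               "We close on the 14th."),
    "clean": make_message("friend@mail.example", "Lunch on Friday?", "Noon works for me."),
}


def run_samples(on_match="junk"):
    """Classify every sample with one example rule set."""
    f = MailFilter(senders=["offers@bulk.example"],
                   words=["mortgage", "prescription"],
                   extensions=[".exe", ".scr"],
                   on_match=on_match)
    return {name: f.classify(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15s} -> {verdict}")
```

The "obfuscated" sample reaches the inbox and the "legitimate" one lands in the junk folder, which is why word lists alone make a weak filter.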
In 1998, Spamhaus.org was formed to track and stop spammers around the world. Australian-based Spamhaus (<http://www.spamhaus.org>) calls itself "an international non-profit organization whose mission is to track the Internet's Spam Gangs." Spamhaus.org also says it seeks to provide "dependable realtime anti-spam protection," works with law enforcement agencies to "identify and pursue spammers worldwide," and lobbies for "effective anti-spam legislation."
Today, Spamhaus continues to fight spam. The group publishes the Register Of Known Spam Operations (ROKSO), which lists the Internet Protocol (IP) addresses of the 200 worst spam gangs worldwide. ISPs can use this list to avoid signing up known spammers, and law enforcement agencies can use the list to help target and prosecute spam gangs. Spamhaus also publishes two spam-blocking databases: the Spamhaus Block List (SBL) and the Exploits Block List (XBL).
Computer viruses are programs that spread from one computer to another, causing problems on each computer they touch. As viruses propagate, they use up so much memory that they can slow down computer systems to the point that they are unusable. Some viruses actually attack files on the computer by deleting them or modifying them in some way that renders the computer unusable.
The extent of damage caused by a virus varies. Some affect a relatively small number of computers. Others have been so devastating that they can even cripple large companies. For example, in March 1999, when the Melissa virus hit, it was so destructive that it forced Microsoft and other large companies to completely shut down their email systems until the virus could be contained.
There are four general types of computer viruses:
- Viruses. These are small programs that attach themselves to other programs. When a user runs the legitimate program, the virus program runs, too. Once on a computer, some viruses find other vulnerable programs and attach to them as well, causing even more damage. The virus spreads to other computers when the unknowing user shares or passes on an infected program via CD, for example.
- Email viruses. These are viruses that are transmitted via email. When users open an email message or an email attachment containing a virus, they release it onto their computers. Some email viruses replicate themselves by emailing themselves to people listed in a victim's email address book.
- Worms. These are small programs that usually take advantage of networks and spread to all computers on the network. Worms scan networks for computers with security holes in programs or operating systems, replicate themselves on those computers, and then start all over from there. Because worms usually spread through networks, they can affect multiple computers in a very short amount of time. The Slammer worm, released in January 2003, spread more rapidly than any other virus before it. Within 15 minutes, it had shut down cell phone and Internet service for millions of people around the world.
- Trojan horses. These are computer programs that claim to be one thing but are actually viruses that damage the computer when the user runs them. Trojan horses cannot replicate automatically.
Because viruses have the potential to wreak havoc on computer networks and individual computers, many virus-protection products have been developed to prevent this. Most virus-protection software scans the computer when it is first turned on and looks for known viruses. As new viruses are discovered, virus protection providers have to update their virus definitions.
A firewall is basically a barrier that prevents damaging files or programs from reaching the user's computer. Many operating systems now include a built-in firewall. There are also many after-market firewall products available for purchase. Firewalls filter the data that comes through an Internet connection. If the firewall detects any suspicious information, it does not allow that information through. Most companies and many individuals who have Internet access use firewalls to protect their computers and networks. Although some firewalls protect against computer viruses, many experts recommend that companies and individuals invest in a separate anti-virus software package.
Firewalls control the flow of network traffic using one or more of the following methods:
- Packet filtering: The term "packet" is used to describe a small group of data. With the packet filtering method, a firewall compares the packets of incoming and outgoing data against a set of specific rules. If the packets meet the acceptable criteria, the firewall lets the data through. Any data that does not make it through the firewall is discarded.
- Proxy service: Proxy servers are used to access web pages by other computers. When a computer requests a web page, the proxy server retrieves the information and then sends it to the user's computer. With a proxy server, the computer hosting the website does not come into direct contact with the user's computer.
- Stateful inspection: This newer method compares only certain key parts of the packet to a database of trusted information. The firewall compares outgoing data against specific criteria and then compares incoming data against the same criteria. If the two comparisons match, the firewall lets the information through.
Several criteria that firewalls use to compare incoming and outgoing data are listed below:
- Internet Protocol (IP) addresses: Each computer on the Internet has a unique IP address, which is a 32-bit number. If a firewall detects too many files being read by a certain IP address outside of the company, it may block all traffic to and from that IP address.
- Domain names: Each server on the Internet has its own domain name, which is the website address most people recognize (as opposed to the IP address). If a company knows that certain domain names are not "safe," they will set up the firewall to block access to that domain name. On the other hand, the company may set up the firewall to allow access to only certain domain names.
- Protocols: Protocol is a term used to describe the way a program communicates with a web browser. Some of the more common protocols include IP (Internet Protocol), which is the main delivery system for information over the Internet; TCP (Transmission Control Protocol), which breaks apart and rebuilds information from the Internet; HTTP (Hyper Text Transfer Protocol), which is used for web pages; FTP (File Transfer Protocol), which is used to download and upload files; and many more. A company may set up a firewall that allows only one or two machines to handle a certain protocol and prohibits that protocol on all other machines.
- Specific words or phrases: Companies can set up firewalls to search for specific words or phrases. If the firewall encountered packets containing any of those words, it would not allow the packet through.
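The methods and criteria above can be combined in a small model. This is an added example, not code from the original article or from any firewall product: the class names, rule set and addresses (documentation ranges) are constructed, and domain-name criteria and connection timeouts are left out. It applies ordered rules on IP address, protocol and port with a default of dropping anything unmatched, restricts FTP to one machine, blocks a phrase in packet contents, and keeps a table of allowed connections so that replies are matched against it, as in stateful inspection.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "out" leaves the protected network, "in" arrives
    local: str                # protected host's address
    local_port: int
    remote: str               # outside host's address
    remote_port: int
    proto: str = "tcp"
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    direction: str                    # "in" or "out"
    remote_net: str = "0.0.0.0/0"     # IP address criterion (outside host)
    local_net: str = "0.0.0.0/0"      # which protected machines the rule covers
    proto: Optional[str] = None       # protocol criterion, None = any
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            self.direction == p.direction
            and ipaddress.ip_address(p.remote) in ipaddress.ip_network(self.remote_net)
            and ipaddress.ip_address(p.local) in ipaddress.ip_network(self.local_net)
            and self.proto in (None, p.proto)
            and self.local_port in (None, p.local_port)
            and self.remote_port in (None, p.remote_port)
        )


class Firewall:
    def __init__(self, rules, blocked_words=()):
        self.rules = list(rules)                  # evaluated in order, first match wins
        self.blocked_words = [w.lower() for w in blocked_words]
        self.state = set()                        # connections already allowed (never expires here)

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.local, p.local_port, p.remote, p.remote_port)

    def check(self, p: Packet):
        """Return (verdict, reason) for one packet."""
        body = p.payload.lower()
        if any(w in body for w in self.blocked_words):
            return ("drop", "blocked word")
        if self._key(p) in self.state:            # stateful inspection: known connection
            return ("allow", "established")
        for rule in self.rules:                   # packet filtering: static rules
            if rule.matches(p):
                if rule.action == "allow":
                    self.state.add(self._key(p))
                    return ("allow", "rule")
                return ("drop", "rule")
        return ("drop", "default deny")


# Constructed policy: 203.0.113.0/24 stands in for a network the company blocks,
# 192.0.2.10 is the only machine allowed to serve FTP (port 21).
POLICY = [
    Rule("deny", "out", remote_net="203.0.113.0/24"),
    Rule("deny", "in", remote_net="203.0.113.0/24"),
    Rule("allow", "out", proto="tcp", remote_port=80),
    Rule("allow", "in", proto="tcp", local_net="192.0.2.10/32", local_port=21),
]


def demo():
    fw = Firewall(POLICY, blocked_words=[b"project-x"])
    packets = [
        Packet("out", "192.0.2.20", 50000, "198.51.100.5", 80),   # web request
        Packet("in", "192.0.2.20", 50000, "198.51.100.5", 80),    # its reply
        Packet("in", "192.0.2.20", 50000, "198.51.100.9", 80),    # unsolicited
        Packet("in", "192.0.2.10", 21, "198.51.100.9", 40000),    # FTP to the FTP server
        Packet("out", "192.0.2.10", 21, "198.51.100.9", 40000),   # server's reply
        Packet("in", "192.0.2.20", 21, "198.51.100.9", 40000),    # FTP to another machine
        Packet("out", "192.0.2.20", 50001, "203.0.113.7", 80),    # blocked network
        Packet("in", "192.0.2.20", 50000, "198.51.100.5", 80, payload=b"re: Project-X"),
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```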
As more people buy computers and connect to the Internet, the number of potential computer theft victims grows. However, as users become more well-informed about the dangers that exist, they will take precautions to avoid becoming a victim. And as governments and law enforcement agencies around the world are learning more about these crimes and how to deal with them, they are taking action to prosecute the perpetrators.
Black, Jane. "Before Spam Brings the Web to Its Knees." BusinessWeek Online, 10 June 2003. Available from <http://www.businessweek.com/technology/content/jun2003/tc20030610_1670_tc104.htm>.
Boutin, Paul. "Slammed! An Inside View of the Worm that Crashed the Internet in 15 Minutes." Wired Magazine, July 2003.
Coustan, Dave. "How Spyware Works." How Stuff Works, Inc., 2005. Available from <http://computer.howstuffworks.com/spyware.htm>.
Gross, Grant. "U.S. Senator Introduces Phishing Penalties Bill." IDG News Service, 4 March 2005. Available from <http://www.infoworld.com/article/05/03/04/HNphishingbill_1.html>.
Jaikumar, Vijayan. "Fight Against Phishing Moves to a New Level: Consortium Brings Together Companies, Law Enforcement to Target e-Mail Scams." Computerworld, 13 December 2004, 10.
"Phishing Fraud." Available from <http://securities-fraud.org/phishing-attacks.htm>.
Tyson, Jeff. "How Firewalls Work." How Stuff Works, Inc., 2005. Available from <http://computer.howstuffworks.com/firewall.htm>.
Computer Security (Encyclopedia of Business)
As the Internet has transformed business computing and communications, it has also given rise to unprecedented computer security threats. Whereas traditional computer security was concerned with limiting the physical access to corporate systems and the misappropriation or vandalism of data by internal users, the Internet has opened up diverse and complex security problems on a scale much greater than that previously known. The rapid advances in the speed of corporate networks may only exacerbate this problem, as some existing security software may not be able to keep up with the higher speeds of data transfer. Annual losses from computer security breaches, although difficult to pinpoint exactly, are believed to be worth some $10 billion in the United States alone. Specific risks include
- the spread of computer viruses
- infiltration and theft of data from external hackers
- engineered network overloads triggered by malicious mass e-mailing
- misuse of computer resources and confidential information by employees
- unauthorized financial transactions and other kinds of computer fraud conducted in the company's name
- electronic surveillance of corporate computer data by outside parties
- damage from malfunction, fire, or natural disasters
A host of software and hardware solutions have been developed to combat these threats, but the new and rapidly changing nature of the technology requires that corporate system security managers be extremely well versed on how the risks specifically affect their systems. With issues so complicated and security so critical, establishing a comprehensive computer security system often requires the expertise of consultants and professional computer security firms.
THE SCOPE OF THE THREAT
A widely cited annual study conducted by the Computer Security Institute and the FBI indicates that the majority of large businesses experience one or more computer security breaches, broadly defined, each year. In addition, a significant percentage of companies surveyed, about a fifth, aren't sure whether they've experienced a security lapse. Given standard estimates that only a fraction of computer crimes are ever detected, it is safe to assume that many of the companies that report not knowing have had their systems violated in some way. In the 1999 survey, only 17 percent of companies asserted that they had not experienced any form of unauthorized use of their computers. Among the 163 companies in the survey that could quantify their losses, the average annual loss was more than $750,000.
While the authors of computer crimes are usually never positively identified, the overwhelming majority of companies attribute at least some of their security violations to disgruntled or crooked employees. Corporate security managers believe that independent outside hackers are the second most common group of perpetrators. Surprisingly, a large number of companies also attribute their computer security threats to domestic and foreign competitors, as well as to foreign governments.
In monetary terms, the most damaging breaches of computer security involve (1) the theft of trade secrets; (2) unauthorized and fraudulent financial transactions (for instance, when an employee surreptitiously changes his rate of pay on the payroll system); (3) system break-ins by outsiders; (4) telecommunications fraud, in which an attacker gains use of a company's phone lines or other telecommunications resources and charges up large bills; and (5) computer viruses.
ORIGINS OF COMPUTER SECURITY
The computer's power to enable humans to handle mathematical and cryptological problems on an unprecedented scale has prompted governments to keep their use subject to the tightest security from the very beginning. In fact, details of the first operational digital computer, the Colossus, were not made public until 1975. Until that time, the UNIVAC I, developed at the University of Pennsylvania and operational in 1946, was thought to have been the first.
The Colossus was first put into service by the British government in 1943. It was used in cryptanalysis (the breaking of codes), specifically against the German Enigma communication codes. So sensitive was the information handled by the Colossus that mere knowledge of the machine's existence was limited to a few individuals. The computer was kept in a sealed room and was not connected to other computers or to any phone lines.
CRIMINAL THREATS AND HACKING
The postwar use of computers for business produced two important developments: timesharing and remote connections. Economies of scale required that early computers, which were rare and very costly, be kept running as much as possible. One way to do this was to allow users access at different times, facilitated by the use of either dedicated lines or public telephone lines connecting the computer to remote users. However, the security vulnerabilities these measures produced would be exploited by a new breed of bandit, the hacker.
Early use of the term "hacker" was applied to computer hobbyists who spent their spare time creating video games and other basic computer programs. However, this term acquired a pejorative connotation when some of these amateurs created a scare by violating important databanks in the 1980s through hacking. Databases at the Los Alamos National Laboratory (a center of nuclear weapons research) and the Sloan-Kettering Cancer Center in New York City were among their targets. The introduction of relatively inexpensive personal computers and modems helped make this pastime affordable; the use of regular telephone lines as accessways made it possible. Automatic dialing programs, used to call all numbers in an exchange and to determine the ones answered by computers, were among many tools hackers used to simplify their work. The designation "hacker" has also been given to programmers and disseminators of computer viruses. The military and some corporations have used "tiger teams" employing some of the same tactics as hackers to test the security of their networks.
Even more serious threats exist than the highly publicized hackers. The vital information kept in computers has made them a target of government and corporate espionage, as well as fraud and embezzlement. Computer hardware itself has been a target of vandalism by disgruntled employees and even terrorists.
Security has been defined as "the protection of assets." Assets that can be stored or transmitted by computers include electronic fund transfers between banks. Proprietary information, such as product designs and databases containing information about clients, as well as other data files and computer programs themselves, must also be protected; they can be easily destroyed by computer viruses or unauthorized hacking. It can be difficult to place a dollar value on these assets, especially when such factors as potential loss of reputation or liability issues are considered. In some cases (e.g., military and hospital applications) there is a potential for loss of life due to misplaced or destroyed data; this cannot be adequately conveyed by risk analysis formulas. The question most users face is not whether to practice computer security measures, but how much time and effort to invest. Larger firms must incorporate procedures and policies for dealing with computer security issues; however, some basic principles apply to most applications regardless of scale.
Information is vulnerable to theft or misappropriation whether it is stored in memory or transmitted over cables. It must also be guarded once it reaches peripherals such as printers; one woman was able to print 200 paychecks for herself by simply pressing the repeat button on a printer. Data has also been gleaned from printouts found in trash baskets. This was one of many ways a teenager stole information from a telephone company in southern California in the 1970s and used it in a scheme to order supplies charged to the company's account, much like using a stolen credit card. The criminal merely picked up the merchandise at the company's loading dock, taking advantage of the premises' lack of security controls.
Law enforcement agencies have developed specialized techniques for prosecuting crimes specific to computers. Since 1976, computer crime fighting techniques have been part of standard FBI training. The Computer Fraud and Abuse Act of 1986, passed 10 years after the first federally prosecuted case involving criminal use of a computer, attempted to address this type of crime; most states have adopted similar statutes. A decade later the federal Economic Espionage Act of 1996 added greater penalties for stealing trade secrets, whether electronically or otherwise. The 1996 act, backed by a few high-profile FBI corporate espionage busts under its provisions, was believed to have strengthened companies' resolve to prosecute computer breaches and other attacks on their privileged information.
Physical access to computers can be limited using automated office security devices, including power-on passwords; magnetic card readers; proximity readers; and biometrics, which verifies the user's identity through matching patterns in hand geometry, signature or keystroke dynamics, DNA fingerprinting, retinal imaging, or voice recognition. More traditional site-control methods such as sign-in logs and security badges can also be useful.
OTHER SECURITY THREATS
Not all threats to computer security are from parties with criminal intent, however. Computer supplies and hardware must also be protected from both environmental forces, such as power surges, floods, and fires, and simple operator incompetence, such as the careless handling of floppy disks.
The fundamentals of any computer security program begin with the environmental conditions the computer requires to operate properly. Adequate power must first be provided. Due to the distances electricity must travel, its nominal voltage may drop 10 percent by the time it reaches the computer. In addition, drops in voltage or blackouts can occur due to utility switching problems or to lightning strikes at the utility company. Besides the potential for loss of unsaved data, there exists the possibility of "disk crashes," or damage to the disk due to contact with the read/write heads. Also dangerous are "spikes," sharp increases in voltage that can seriously damage hardware. A variety of voltage regulators, surge protectors, grounding techniques, and filters exist to combat these problems. In the 1990s, intense activity centered on the development of uninterruptible power systems that use storage batteries to ensure a smooth transition between power sources in the event of power failure. Local area networks as well as individual computers can be protected by these devices.
Fire is another important threat to computer systems. Their susceptibility to fire damage is exacerbated by the flammability of paper supplies likely to be stored in close proximity. Plastics used in the manufacture of computers can produce explosive gases when exposed to high temperatures. A common safety measure, water sprinklers, can further damage computers, especially if the computers are turned on. Fire-resistant construction materials, fire walls, vent closure systems, etc., are standard ways to mitigate the threat of fire. Special attention should be given to fire detection, and personnel should be trained in the use of hand extinguishers. Carbon dioxide and Halon 1211 gas extinguishers are suited for use near electronic equipment because they do not leave a residue.
Other physical security concerns include protection against excessive heat, humidity, and water, which can be introduced by flooding, burst pipes, or "operator error" (spilled beverages, etc.). Electronics equipment can also be damaged by airborne particles and cigarette smoke; smoking is also a potential fire hazard. Plastic covers can protect the machines somewhat from dust particles and falling water. Organizations vitally dependent on data processing facilities should prepare contingency plans for disasters such as hurricanes, earthquakes, or blizzards. Ideally, backup facilities should be located far enough away to be spared the disaster, but not too far to be reached quickly.
The next level of security involves protecting software from viruses, "logic bombs," and "Trojan horses," all of which have the capacity to disable computer systems by infecting software. In common usage all such programs are termed viruses, and as of 1998 experts believed there were some 16,000 of them in existence. A conventional computer virus is a program that is self-replicating, attaches itself to other programs, and generally performs some sort of function. An early virus demanded a "cookie," and after the word was typed it would disappear for a time. A later virus caused all the characters on the screen to fall to the bottom. Originally a hobby of programmers (an experimental virus was demonstrated as far back as 1974), viruses eventually appeared with sinister missions.
The Pakistani Brain is one that can drastically affect a computer system. This virus was developed in 1986 by two brothers from Pakistan as an experiment in preventing use of unauthorized copies of software. The original strain changed the volume name of disks to "(c) BRAIN" once it had infected them; however, mutations have been produced that are not as forthcoming about their identity. The virus inserts its code into the boot sector of a disk, making it the first data loaded into the computer upon startup, before any anti-viral programs can be executed. The original version spread through bootable floppy disks; however, variations have been written that can affect hard drives. Its code is difficult to locate because of measures it uses to counteract standard anti-viral programs and its method of recording parts of its code in disk sectors marked "bad."
Another type of insidious program is the "Trojan horse," which performs an intended function but also a covert one. Computer users have become more savvy and cautious about sharing software; however, these types of programs continue to exist. Examples include a program ostensibly designed to increase monitor performance that instead erases the entire hard drive. True Trojan horses typically operate in the background of a valid program, such as a video game. Trojan horses have also been used for "salami" techniques: banking programs that compile the results of rounding errors in a large number of computations and add them to the perpetrator's account.
"Logic bombs" are viruses that are programmed to perform a task once a particular set of conditions is met; the most famous are "time bombs" set to go off on a significant date, e.g. the "Friday the 13th" virus and the "Michelangelo" virus. These viruses activate at a given date or time. Logic bombs have been set by programmers to cause damage if their names are ever deleted from payroll records. The Pakistani Brain contained a logic bomb that searched for the names of unauthorized duplicates of programs written by the authors of the virus.
"Worms" spread through networks and replicate themselves but do not affect programs. They were invented in 1980 by two Xerox Corporation researchers to perform useful network chores, such as searching for computer malfunctions or idle computers. Worms disseminate themselves throughout networks. Though considered relatively benign, worms can tie up memory and bring networks to a standstill.
PREVENTING AND RECOVERING FROM VIRUSES
Many steps can be taken to prevent or recover from virus infections. Having a source of clean (i.e., uninfected by viruses) backup copies for data files and programs is as important as it is elementary. Ideally, alternating sets of backup media should be used to increase the chances of having a clean original. The manufacturer's original diskettes for programs should be kept in a safe place and the write-protect tabs should be set to prevent their erasure in case they are unknowingly installed on an infected system.
Once a system is confirmed to be infected, it should not share disks or communication lines with other computers. Disks that could have perpetuated the virus should not be used unless they are certain to contain only data files and the virus is known not to attack the boot sector. All other disks should be reformatted or destroyed.
The computer itself should be shut down and rebooted with the original operating system disk, and the operating system files should be restored. If application programs have been infected, the hard disk should be reformatted. Data files may be backed up and recopied after the disk has been formatted.
The capacity of both local and wide area networks to share information can be used to unwittingly disseminate viruses. If networks are to be useable, they, like disks, must be secured against viruses, Trojan horses, and unintended information transfer. Most networks employ some means of verifying a user's identity, such as passwords. One creative way hackers have bypassed password access controls is by using spell-checking dictionaries from word processing programs to supply possible passwords. Other sources of passwords include information known about network users. Smart cards have been developed to overcome these weaknesses. With these, a variation on the "call-back" system, hardware at the remote site must confirm that the correct user is calling the system from the correct terminal location. More sophisticated smart cards contain microchips within them that transmit an algorithm recognized by the network server, making their misuse even more difficult.
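The two password sources named above, dictionary word lists and information known about the user, can be screened for when a password is chosen. The following is an added example, not part of the original article; the word list, the profile fields, and the function names are constructed for illustration.

```python
import re

# Constructed stand-in for a spell-checker word list; a real deployment
# would load a full dictionary file instead.
WORDLIST = {"dragon", "sunshine", "password", "monkey", "letmein", "welcome"}

# Constructed sample of "information known about network users".
PROFILE = {"login": "jsmith", "name": "Jane Smith",
           "birthdate": "1984-03-17", "department": "Payroll"}

# Undo common character substitutions before the dictionary lookup.
SUBSTITUTIONS = str.maketrans("01345@$", "oieasas")


def normalize(candidate):
    """Reduce a password to the bare word a dictionary search would try."""
    lowered = candidate.lower()
    # Drop digits and punctuation padded onto either end ("dragon1999!").
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return core.translate(SUBSTITUTIONS)


def user_tokens(profile):
    """Split every profile value into lowercase tokens of 3+ characters."""
    tokens = set()
    for value in profile.values():
        for part in re.split(r"[^a-z0-9]+", str(value).lower()):
            if len(part) >= 3:
                tokens.add(part)
    return tokens


def screen_password(candidate, profile, wordlist=WORDLIST):
    """Return the reasons a password is guessable; an empty list means it passed."""
    reasons = []
    core = normalize(candidate)
    if core in wordlist:
        reasons.append("dictionary word: " + core)
    lowered = candidate.lower()
    for token in sorted(user_tokens(profile)):
        if token in lowered:
            reasons.append("contains user information: " + token)
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Smith1984", "vK7#qLw2zR9t"):
        print(pw, screen_password(pw, PROFILE))
```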
Within an organization, multi-level password systems can ensure that individuals are granted access only to the information required for their jobs. When correctly implemented, they can prevent Trojan horse routines from using the operating system to help copy confidential information.
Encryption systems are a way to secure information as it travels over phone lines or network cables. However, these usually slow down the network, and the encryption keys must be distributed in a secure way, a daunting task for large networks. For each user, double-key systems provide a public key, available to anyone wanting to communicate with its owner, and a private key, known only to the owner.
The "firewall" is a software protection many corporations began to use in the mid-1990s to secure communications on large public access networks such as the Internet. As with physical fire walls, firewall software is designed to be a buffer between two spaces, in this case, the private and public areas of computers and computer networks. The software attempts to block unauthorized crossovers from public to private space. By the late 1990s most large companies had deployed some form of firewall protection, but the technology is far from foolproof and is easily misconfigured so that it doesn't provide optimal protection.
REDUCING MODEM RISKS.
Security can be particularly weak on computers with dial-up modems used to access network resources outside the corporate network. Often companies spend a great deal of time and resources securing the network itself, yet ignore the holes created by such devices that are linked to the network. Without proper security measures, an attacker can first gain control of the individual computer that has dialed out to another network, and then gain access through the backdoor to the protected corporate network. Consequently, IT security managers must take precautions for all computers that connect to outside networks in this manner.
An Internet-era liability that companies on the World Wide Web face is spoofing, the practice of replacing a company's legitimate web site with often offensive unauthorized material. This can occur in two key ways: through either a weakness in the domain name server (DNS) security or unauthorized file manipulation on the company's web server that hosts its pages. The DNS risk can be effectively minimized through proper configuration of the server, specifically to block attempts to redirect browser requests for the company's pages to another unaffiliated site. Web server protection is more complicated because vandals may gain access to it by a variety of means, but the general protections are similar to those for any computer network resource. Most companies don't initially foresee or plan for the risk of spoofing, but a few widely publicized incidents, including one involving the New York Times site, have drawn attention to this threat.
A computer isn't entirely secure even if it is not connected to any networks. Sophisticated electronic surveillance techniques have been known to recover data from the radio emissions generated by CPUs, monitors, peripheral cables, etc. The level of shielding available ranges from FCC Class A (commercial) to Class B (residential) to the federal government's Tempest standard for military contractors.
ELECTRONIC MEDIA DISPOSAL.
A strong potential for abuse also exists with improperly destroyed or recycled media. Shredders can be used to destroy various types of media, particularly paper printouts. A variety of different models are available, each a compromise between price, capacity, speed, and the thoroughness of destruction. Not all shredders can cut into diskettes. Specialized types of shredders include "pulpers," which wet the paper, and "disintegrators," which repeatedly cut the documents until their particles fall through a fine screen.
The information stored on magnetic media can be destroyed by overwriting. This is a more involved process than merely "erasing" files from a disk, which merely changes the disk's directory. Overwriting changes each bit of binary information to either 1 or 0. Precautions must be taken to ensure that all the medium is overwritten, to destroy erased information not currently listed in directories. Even this does not complete the process, however. Just as a faint whisper of previously-recorded material can be audible in audiocassettes that have been reused, so can bits of overwritten information still exist. Bits that remain the same after the overwriting may be recorded at a slightly higher level of saturation than those that do not change; hence, most overwriting methods repeat the process, alternating between 1's and 0's each time.
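The repeated, alternating overwrite described above can be sketched as follows. This is an added example, not part of the original article; the function names and sample data are constructed. It overwrites a single file in place, so it does not reach the erased information elsewhere on the medium that the paragraph warns about; that requires overwriting the whole medium.

```python
import os
import tempfile

PATTERNS = (b"\xff", b"\x00")   # all 1 bits, then all 0 bits, alternating
CHUNK = 64 * 1024


def overwrite_file(path, passes=4):
    """Overwrite every byte of `path` in place; return the last byte value written."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    pattern = PATTERNS[0]
    with open(path, "r+b") as fh:        # r+b rewrites in place without truncating
        for n in range(passes):
            pattern = PATTERNS[n % len(PATTERNS)]
            fh.seek(0)
            remaining = size
            while remaining > 0:
                step = min(CHUNK, remaining)
                fh.write(pattern * step)
                remaining -= step
            # Force this pass out to the device before the next one starts;
            # otherwise the OS cache may collapse several passes into one write.
            fh.flush()
            os.fsync(fh.fileno())
    return pattern[0]


def verify_pattern(path, value):
    """Return True if every byte of `path` equals `value`."""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            if chunk != bytes([value]) * len(chunk):
                return False
    return True


def demo(passes=4):
    """Overwrite a constructed sample file; return (final byte, verified, size kept)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"ACCOUNT=12345;PIN=0000\n" * 5000)   # constructed sample data
        size_before = os.path.getsize(path)
        final = overwrite_file(path, passes)
        return final, verify_pattern(path, final), os.path.getsize(path) == size_before
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```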
The information on magnetic media can also be destroyed more quickly by degaussing, or driving the media through a strong magnetic field until saturation is reached. Diskettes, tapes, and other formats can be erased in bulk in less time than with overwriting.
Burning is perhaps the most thorough method of destroying information recorded on paper, diskettes, punched cards, and semiconductors. Disadvantages are that the materials cannot be reused and that there is a possibility of data recovery from incomplete burning; i.e., from intact paper ash, for which techniques exist to recover printed information.
The most important aspect of computer security involves personnel. Not only are inside jobs the greatest threat of computer crime, but if personnel are lax, security measures may be improperly and ineffectively implemented. Many security breaches at prominent companies have been precipitated by unsuspecting employees, sometimes corporate officers, divulging seemingly innocent information about their computer systems to the general public or to soon-to-be hackers themselves. Other times viruses are disseminated by ostensibly harmless humorous messages and programs that are forwarded throughout a corporate e-mail system, but behind the scenes they wreak havoc on the computers. Therefore, any computer security program should include efforts to adequately screen and train new employees, and a system of accounting and administrative controls to detect and deter criminal activity should be in place.
A wise investment for any company is to insure its computer systems against various kinds of damage, physical or otherwise. One of the more recent innovations by computer security vendors has been to offer so-called hacker insurance as part of a broader security management contract. Once these firms are employed to install and manage a computer security program, they insure against unauthorized outside penetration up to a maximum amount per incident or per year. In some cases the insurance benefit may be paid on the mere basis that an incident occurred, regardless of the damage. Similar insurance policies exist for companies conducting electronic commerce over the Internet to provide protection against fraudulent transactions.
SEE ALSO: Computer Fraud; Data Security; White Collar Crime
[Frederick C. Ingram]