© 1998, Evelyn Zayas
The proliferation of personal computer (PC) networks and the booming use of the Internet for business have created a huge demand for information security experts who can protect company, government and university computer systems and data. Reports of computer attacks and break-in attempts have grown at an alarming rate over the past decade, prompting organizations to establish and enforce computer security guidelines seriously and proactively. Threats to computer and network security can come from either outside or inside an organization: an attacker somewhere in cyberspace, or a disgruntled employee. The information security expert's job is to detect suspicious activity and find the weak links in a computer network, the same way a security guard jiggles a door or window to make sure it is locked. On a PC network, anyone who gains control of a single machine may have easy access to the entire network: unauthorized access to personal, proprietary and perhaps highly secret information, as well as to the executable programs that generate or maintain that information.
Security threats are commonly broken down into three general categories: disclosure, integrity and denial-of-service threats. The methods by which threats become attacks are varied. New kinds of attacks appear frequently, and recurrences of past attack types are attempted constantly. In many cases, attacks are carried out by direct, uncomplicated means, such as an unauthorized user reading sensitive information that was never protected against that kind of compromise. Other attacks take advantage of computer or network vulnerabilities that are well known within the technically inclined user community.
Probably the most common type of security attack is through what's known as a "Trojan horse", a computer program that appears to have some desirable function but actually performs some unexpected and undesirable one. An example is a password spoof program: a Trojan horse that imitates the normal login sequence a user expects, so that the user believes a computer terminal is legitimately prompting for a login name and password and types both in for the attacker to collect. Computer viruses are often grouped with Trojan horses but differ in one important respect: they are designed to self-reproduce and propagate through computer networks or on floppy diskettes exchanged between computers. Just last year, the National Computer Security Association (NCSA) annual computer virus survey of 300 medium to large American companies found that computers were three times more likely to be hit by a virus than they were the previous year; for every ten PCs, a company could expect 4.6 virus infections per year. The popularity of electronic mail for business and personal communications over the last few years has dramatically increased the onslaught of computer viruses: an attachment to a message may carry a virus that executes when an unsuspecting reader opens the attached file. Computer viruses have been likened to "electronic graffiti", their effects usually more annoying than harmful. However, they represent only one type of security threat to electronic information.
The need for network security policies and procedures first came into the spotlight in November 1988, when a malicious program, later known as the Morris Worm, attacked thousands of computers on the Internet. The earliest defenses against network attacks were Internet "firewalls" deployed between the internal computer network and its Internet connection. The security policy enforced by these access control mechanisms was basically to allow anyone within the internal network to reach the Internet, but to refuse connections initiated from the Internet into the internal network. Firewall technology has become more sophisticated and is now a must-have for organizations with multiple internal networks or Internet connectivity. However, a firewall provides only one layer of preventive protection within a security policy that must employ multi-layered, multi-dimensional techniques to ensure a comprehensive security system. In the event of a firewall breach, analogous to an intruder breaking through a locked window, everything "inside" is then vulnerable. Layers of firewalls with different filtering techniques are now being deployed to further insulate against unauthorized access. Other techniques that add dimensions to a comprehensive security policy include audit trails, intrusion detection, data encryption, anti-virus software, and public/private key protocols.
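The perimeter policy just described (inside may open connections to the Internet, the Internet may not open connections to the inside) is easy to state but harder to enforce correctly. The following is an added example written for this page, not code from the article or from any firewall product: a toy filter that implements the policy two ways. The first is the crude early packet-filter rule "let an inbound packet through if its ACK bit is set", which trusts the packet's own flags; the second keeps a table of flows that inside hosts opened and admits only replies to those. The internal address range, addresses and traffic are assumptions for illustration.

```python
"""Added example (not from the article): a toy stateful packet filter that
implements the early perimeter policy the article describes. Internal prefix,
addresses and traffic are made up for illustration."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # SYN without ACK marks a new TCP connection attempt
    ack: bool = False


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL_NET


def stateless_established_only(pkt: Packet) -> str:
    """The crude early rule: inbound is allowed only when the ACK bit is set.
    It assumes an ACK means 'reply to a connection inside opened', which an
    attacker can fake simply by setting the bit on a probe (an ACK scan)."""
    src_in, dst_in = is_internal(pkt.src), is_internal(pkt.dst)
    if src_in and not dst_in:
        return "ACCEPT"
    if not src_in and dst_in:
        return "ACCEPT" if pkt.ack else "DROP"
    return "ACCEPT"  # traffic that does not cross the perimeter is not filtered here


class StatefulFilter:
    """Remembers flows that inside hosts opened; only replies to those get in."""

    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt: Packet) -> str:
        src_in, dst_in = is_internal(pkt.src), is_internal(pkt.dst)
        if src_in and not dst_in:
            # Outbound: permitted by policy; record the flow so replies can return.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if not src_in and dst_in:
            # Inbound: accepted only if it answers a flow an inside host opened,
            # regardless of what flags the packet claims to carry.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "ACCEPT"
            return "DROP"  # default deny
        return "ACCEPT"


def demo():
    """Run constructed traffic through both filters; returns (stateless, stateful) verdicts."""
    fw = StatefulFilter()
    traffic = [
        Packet("10.1.2.3", 40000, "192.0.2.10", 80, syn=True),            # inside opens a web connection
        Packet("192.0.2.10", 80, "10.1.2.3", 40000, syn=True, ack=True),  # the server's legitimate reply
        Packet("198.51.100.7", 4444, "10.1.2.3", 23, syn=True),           # unsolicited telnet probe
        Packet("198.51.100.7", 4444, "10.1.2.3", 23, ack=True),           # same probe with ACK set
    ]
    return [(stateless_established_only(p), fw.decide(p)) for p in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last line of `demo()` is the point: the flag-based rule lets the ACK-flagged probe through, while the flow table drops it because no inside host ever opened a connection to that source and port.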
Organizations that use computer networks, even if they are not connected to the Internet, must put safeguards and countermeasures against computer attacks in place through preventive, detective and responsive defense measures. According to the FBI, employees who are already "inside" the firewall are often the perpetrators of computer and network crimes, so the perimeter alone is not enough. The first step in security management is the analysis of business needs (i.e. who requires access to which information) and risks (i.e. "what am I trying to protect, and what is it worth?"). After these analyses, an organization can design a security policy that stipulates what is and is not allowed, and the methods and mechanisms that will be used to enforce those stipulations. The policy should address measures and procedures for prevention, detection and response to computer and network vulnerabilities, threats and attacks. The never-ending final step in security management is the ongoing research and analysis needed to stay abreast of changes in business needs, technology and attack methods.
The information security expert must diligently monitor and assess computer and network activity to identify weaknesses in the security policy, and to check that the organization's computer and network users adhere to it. At times the expert must play the role of the "professional hacker", poking and probing the system's defense mechanisms, and must comb through system event logs to uncover suspicious or abnormal activity. As the Chicago Tribune reported in April 1998, computer hackers, some of them reformed computer criminals, are turning their sought-after expertise into entrepreneurial ventures or corporate careers as information security experts. Computer and network security is a booming business.
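Combing through event logs for abnormal activity is a concrete skill, so here is an added example (written for this page, not code from the article or any product) of the kind of review an expert performs. It parses constructed sshd-style authentication log lines and flags three patterns: a burst of failed logins from one address (password guessing), a successful login from that same address right after the burst, and any root login from outside the internal network. The log lines, host names, addresses, internal prefix and thresholds are all assumptions for illustration.

```python
"""Added example (not from the article): reviewing constructed sshd-style
authentication log lines for abnormal activity. Log lines, addresses, the
internal prefix and the thresholds are assumptions, not a standard."""
import ipaddress
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed sample log: five root password failures from an outside address
# in the middle of the night, then a success, then ordinary daytime logins.
SAMPLE_LOG = """\
Apr 14 02:11:05 gw sshd[812]: Failed password for root from 198.51.100.7 port 4411 ssh2
Apr 14 02:11:09 gw sshd[812]: Failed password for root from 198.51.100.7 port 4412 ssh2
Apr 14 02:11:13 gw sshd[813]: Failed password for root from 198.51.100.7 port 4413 ssh2
Apr 14 02:11:17 gw sshd[814]: Failed password for root from 198.51.100.7 port 4414 ssh2
Apr 14 02:11:21 gw sshd[815]: Failed password for root from 198.51.100.7 port 4415 ssh2
Apr 14 02:11:40 gw sshd[818]: Accepted password for root from 198.51.100.7 port 4419 ssh2
Apr 14 09:03:12 gw sshd[901]: Accepted publickey for alice from 10.0.5.20 port 51022 ssh2
Apr 14 09:15:44 gw sshd[905]: Failed password for bob from 10.0.5.21 port 51100 ssh2
Apr 14 09:15:50 gw sshd[905]: Accepted password for bob from 10.0.5.21 port 51100 ssh2
"""

Event = namedtuple("Event", "ts result user src")

LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse(log_text, year=1998):
    """Turn syslog-style sshd lines into Events; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not login outcomes are skipped
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m.group(2), m.group(3), m.group(4)))
    return events


def review(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (rule, source, detail) findings in log order."""
    findings = []
    failures = defaultdict(list)  # source address -> timestamps of recent failures
    already_flagged = set()
    for ev in parse(log_text):
        # Keep only failures from this source that fall within the sliding window.
        recent = [t for t in failures[ev.src] if ev.ts - t <= window]
        if ev.result == "Failed":
            recent.append(ev.ts)
            if len(recent) >= threshold and ev.src not in already_flagged:
                already_flagged.add(ev.src)
                findings.append(("password-guessing", ev.src,
                                 f"{len(recent)} failed logins within {window}"))
        else:
            if len(recent) >= threshold:
                findings.append(("success-after-guessing", ev.src,
                                 f"accepted login as {ev.user} after {len(recent)} failures"))
            if ev.user == "root" and ipaddress.ip_address(ev.src) not in INTERNAL_NET:
                findings.append(("external-root-login", ev.src,
                                 f"root logged in from outside the internal network at {ev.ts:%H:%M}"))
        failures[ev.src] = recent
    return findings


if __name__ == "__main__":
    for rule, src, detail in review(SAMPLE_LOG):
        print(f"{rule:24} {src:16} {detail}")
```

Bob's single typo followed by a success is correctly ignored; the outside address trips all three rules. In practice the thresholds and window are tuned to the site, and the "success after guessing" finding is the one that should page someone, because it means the guessing worked.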
Additional information on network security can be obtained from the following organizations:
Computer Security Institute, 600 Harrison Street, San Francisco, CA 94107
(415) 905-2626; http://www.gocsi.com/
Established in 1974, the Computer Security Institute is the oldest international membership organization offering training specifically targeted to information security professionals.
CERT (Computer Emergency Response Team), Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3839.
(412) 268-7090 (24-hour hotline); http://www.cert.org/
The CERT Coordination Center studies Internet security vulnerabilities, provides incident response services to sites that have been the victims of attacks, and publishes a variety of security alerts and information to improve security.
NIST Computer Security Resource Clearinghouse
The CSRC collects and disseminates computer security information and resources to help users, systems administrators, managers, and security professionals better protect their data and systems.
About the Author
Ms. Evelyn Zayas has a Masters degree in Software Engineering and is working towards a Ph.D. in Computing Technology in Education. She is a member of the Association for the Advancement of Computing in Education, and the Society for Information Technology and Teacher Education. She is also a volunteer with the US Tech Corps (http://techcorps.org).