SECURITY OF THE INTERNET

I. OVERVIEW OF INTERNET SECURITY

A. What is Internet Security?
As of 1996, the Internet connected an estimated 13 million computers in 195 countries on every continent.
The Internet is not a single network, but a worldwide collection of loosely connected networks that are accessible by individual computer hosts in a variety of ways.
Along with the convenience and easy access to information come new risks. Among them are the risks that valuable information will be lost, stolen, corrupted, or misused. If information is recorded electronically and is available on networked computers, it is more vulnerable than if the same information is printed on paper and locked in a file cabinet.

B. Basic Security Concepts
Three basic security concepts important to information on the Internet are confidentiality, integrity and availability. Concepts relating to the people who use that information are authentication, authorization and non-repudiation.

Confidentiality (Loss of)
When information is read or copied by someone not authorized to do so, the result is known as loss of confidentiality. For some types of information, confidentiality is a very important attribute. This is particularly true for banks and loan companies, hospitals, or agencies that offer services such as psychological counseling or drug treatment.

Integrity (Loss of)
Information can be corrupted when it is available on an insecure network. When information is modified in unexpected ways, the result is known as loss of integrity: unauthorized changes are made to the information, whether by human error or intentional tampering.

Availability (Loss of)
Information can be erased or become inaccessible, resulting in loss of availability. This means that people who are authorized to get information cannot get what they need.
Availability is often the most important attribute in service-oriented businesses that depend on information (e.g., airline schedules and online inventory systems).
Availability of the network itself is important to anyone whose business or education relies on a network connection. When a user cannot get access to the network or to specific services provided on the network, they experience a denial of service.

To make information available to those who need it and who can be trusted with it, organizations use authentication and authorization.
Authentication is proving that a user is who he or she claims to be. That proof may involve something the user knows (such as a password), something the user has (such as a "smartcard"), or something about the user that proves the person's identity (such as a fingerprint).
Authorization is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity. Authentication and authorization go hand in hand: users must be authenticated before carrying out the activity they are authorized to perform.

Non-repudiation
Security is strong when the means of authentication cannot later be refuted, so that the user cannot later deny having performed the activity. This is known as non-repudiation.

C. Why Care About Security?
It is easy to gain unauthorized access to information in an insecure networked environment, and it is hard to catch the intruders. Security-related information can enable unauthorized individuals to get access to important files and programs, thus compromising the security of the system.
The consequences of a break-in cover a broad range of possibilities: a minor loss of time in recovering from the problem, a decrease in productivity, a significant loss of money or staff-hours, a devastating loss of credibility or market opportunity, a business no longer able to compete, legal liability, and the loss of life.

II. HISTORY
1969: The Internet began as a project funded by the Advanced Research Projects Agency (ARPA) of the U.S. Department of Defense. As more locations with computers joined the ARPANet, the usefulness of the network grew.
1986: The first well-publicized international security incident was identified. A simple accounting error in the records of systems connected to the ARPANet led to the discovery of an international effort to connect to computers in the US and copy information. These U.S. computers were not only at universities, but at military and government sites all over the country.
1988: The ARPANet had its first automated network security incident, referred to as "the Morris worm". A student at Cornell University (Ithaca, NY), Robert T. Morris, wrote a program that would connect to another computer, find and use one of several vulnerabilities to copy itself to that second computer, and begin to run the copy of itself at the new location. The original code and the copy would then repeat these actions in an infinite loop to other computers. This "attack tool" caused a geometric explosion of copies to be started at computers all around the ARPANet. As a result, 10% of the U.S. computers connected to the ARPANet effectively stopped at about the same time.
By that time, the ARPANet had grown to more than 88,000 computers and was the primary means of communication. With the ARPANet effectively down, it was difficult to coordinate a response to the worm. Many sites removed themselves from the ARPANet altogether, further hampering communication and the transmission of the solution that would stop the worm.
The Morris worm prompted agencies to fund a computer emergency response team, now the CERT® Coordination Center, to give experts a central point for coordinating responses to network emergencies. Other teams quickly sprang up to address computer security incidents in specific organizations or geographic regions. Within a year of their formation, these incident response teams created an informal organization now known as the Forum of Incident Response and Security Teams (FIRST).
1989: The ARPANet officially became the Internet and moved from a government research project to an operational network; it had grown to more than 100,000 computers. Security problems continued.
Although the Internet was originally conceived of and designed as a research and education network, usage patterns have radically changed. The Internet has become a home for private and commercial communication, and at this writing it is still expanding. Increased reliance on the Internet is expected over the next five years, along with increased attention to its security.

III. NETWORK SECURITY INCIDENTS
A network security incident is any network-related activity with negative security implications. This means that the activity violates an explicit or implicit security policy.
Incidents come in all shapes and sizes. An intrusion may be a comparatively minor event involving a single site or a major event in which tens of thousands of sites are compromised.
A typical attack pattern consists of gaining access to a user's account, gaining privileged access, and using the victim's system as a launch platform for attacks on other sites.
It is possible to accomplish all these steps manually in as little as 45 seconds; with automation, the time decreases further.
When reading accounts of incidents, note that different groups may use different criteria for determining the bounds of an incident.

A. Sources of Incidents
It is difficult to characterize the people who cause incidents. An intruder may be an adolescent, a college student who has created a new software tool, an individual seeking personal gain, or a paid "spy" seeking information for the economic advantage of a corporation or foreign country.
An incident may also be caused by a disgruntled former employee or a consultant who gained network information while working with a company. An intruder may seek entertainment, intellectual challenge, a sense of power, political attention, or financial gain.
One characteristic of the intruder community as a whole is its communication. Intruders identify and publicize misconfigured systems; they use those systems to exchange pirated software, credit card numbers, exploitation programs and the identity of sites that have been compromised, including account names and passwords.
By sharing knowledge and easy-to-use software tools, successful intruders increase their number and their impact.

B. Types of Incidents
Incidents can be broadly classified into several kinds: the probe, scan, account compromise, root compromise, packet sniffer, denial of service, exploitation of trust, malicious code and Internet infrastructure attacks.

Probe: characterized by unusual attempts to gain access to or discover information about the system; sometimes followed by a more serious security event, but often the result of curiosity or confusion.
Scan: simply a large number of probes done using an automated tool; can sometimes be the result of a misconfiguration or other error; often a prelude to a more directed attack.
Account Compromise: unauthorized use of a computer account by someone other than its owner; might expose the victim to serious data loss, data theft, or theft of services.
Root Compromise: similar to an account compromise, except that the account that has been compromised has special privileges on the system; "root" is derived from an account on UNIX systems that typically has unlimited, or "superuser", privileges.
Packet Sniffer: a program that captures data from information packets as they travel over the network, such as user names and passwords that travel over the network in clear text.
Denial of Service: the goal is to prevent legitimate users of a service from using it; the attacker may "flood" a network with large volumes of data or deliberately consume a scarce or limited resource.
Exploitation of Trust: if attackers can forge their identity, they may be able to gain unauthorized access to other computers that trust the forged identity.
Malicious Code: a general term for a program that causes undesired results on a system; users are not aware of the program until they discover the damage. Malicious code includes Trojan horses, viruses, and worms. Trojan horses and viruses are usually hidden in legitimate programs or files that attackers have altered to do more than what is expected. Worms are self-replicating programs that spread with no human intervention after they are started. Viruses are also self-replicating programs, but usually require some action on the part of the user to spread to other programs or systems. These sorts of programs can lead to serious data loss, downtime, denial of service and other types of security incidents.
Internet Infrastructure Attacks: these rare but serious attacks involve key components of the Internet infrastructure rather than specific systems. Infrastructure attacks affect a large portion of the Internet and can seriously hinder the day-to-day operation of many sites.

C. Incidents and Internet Growth
Since the CERT® Coordination Center began operating in 1988, the number of security incidents reported to the center has grown dramatically, from less than 100 in 1988 to almost 2,500 in 1995, the last year for which complete statistics are available as of this writing. Through 1994, the increase in incident reports roughly parallels the growth in the size of the Internet during that time.
The data for 1995 and partial data for 1996 show a slowing of the rate at which incidents are reported to the CERT/CC (perhaps because of sites' increased security efforts or the significant increase in other response teams formed to handle incidents). However, the rate continues to increase for serious incidents.

D. Incident Trends
In the late '80s and early '90s, intrusion was fairly straightforward. Intruders most often exploited relatively simple weaknesses, such as poor passwords and misconfigured systems that allowed greater access to the system.
Intruders with little technical knowledge are becoming more effective as the sophisticated intruders share their knowledge and tools.

1. Intruders' Technical Knowledge
Intruders examine source code to discover weaknesses in programs. Programs written for research purposes (with little thought for security) or written by new programmers become widely used, with source code available to all. Once intruders gain access, they can examine this code to discover weaknesses.
Intruders use Trojan horses to hide their activity from network administrators. They also encrypt output from their activity, such as the information captured by packet sniffers. Even if the victim finds the sniffer logs, it is difficult or impossible to determine what information was compromised.

2. Techniques to Exploit Vulnerabilities
The most widely publicized of the newer types of intrusion is the use of packet sniffers. Other tools are used to construct packets with forged addresses. Intruders also "spoof" computer addresses, masking their real identity and successfully making connections that would not otherwise be permitted.
With sophisticated technical knowledge and understanding of the network, intruders are increasingly exploiting network interconnections. Infrastructure attacks are even more threatening because legitimate network managers and administrators typically think about protecting systems and parts of the infrastructure rather than the infrastructure as a whole.
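The packet sniffer incident type above (B. Types of Incidents) and the sniffing technique in D.2 both rest on one fact: protocols such as FTP and HTTP Basic authentication put user names and passwords on the wire in clear text, so anyone who can read the segment can read the credentials. The following is an added example, not code from the original page: it runs the same pattern matching a sniffer (or, defensively, a network monitor hunting for cleartext logins) would apply, over a small set of constructed payloads. The addresses, payloads and the HTTP Basic token are made up for the illustration; the TLS record at the end is included to show that encrypted traffic yields nothing.

```python
import base64
import binascii
import re

# Constructed sample of what a sniffer on a shared segment would see:
# (source, destination, destination port, payload bytes). Not a real capture.
SAMPLE_PAYLOADS = [
    ("10.0.0.5", "10.0.0.21", 21, b"USER alice\r\n"),
    ("10.0.0.5", "10.0.0.21", 21, b"PASS s3cret!\r\n"),
    ("10.0.0.7", "10.0.0.80", 80,
     b"GET /admin HTTP/1.0\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    ("10.0.0.9", "10.0.0.21", 21, b"LIST\r\n"),
    # Start of a TLS ClientHello: binary, carries no readable credential.
    ("10.0.0.9", "10.0.0.80", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

FTP_USER = re.compile(r"^USER\s+(\S+)\s*$", re.IGNORECASE)
FTP_PASS = re.compile(r"^PASS\s+(\S+)\s*$", re.IGNORECASE)
HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.IGNORECASE)


def extract_credentials(payloads):
    """Return [(protocol, src, dst, username, password)] for every credential
    that appears in clear text in the payloads, in order of appearance."""
    findings = []
    pending_user = {}   # (src, dst) -> user name from USER, waiting for its PASS
    for src, dst, dport, data in payloads:
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            continue   # binary or encrypted traffic: nothing to read, which is the point
        for line in text.splitlines():
            m = FTP_USER.match(line)
            if m and dport == 21:
                pending_user[(src, dst)] = m.group(1)
                continue
            m = FTP_PASS.match(line)
            if m and dport == 21:
                user = pending_user.pop((src, dst), None)
                findings.append(("ftp", src, dst, user, m.group(1)))
                continue
            m = HTTP_BASIC.match(line)
            if m:
                # HTTP Basic is only base64("user:password"): encoding, not encryption.
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
                except (binascii.Error, UnicodeDecodeError):
                    continue
                user, _, password = decoded.partition(":")
                findings.append(("http-basic", src, dst, user, password))
    return findings


if __name__ == "__main__":
    for proto, src, dst, user, pw in extract_credentials(SAMPLE_PAYLOADS):
        print(f"{proto}: {src} -> {dst} user={user!r} password={pw!r}")
```

The FTP pairing keys on the (source, destination) pair so that a USER line from one client is not matched with a PASS line from another; the TLS payload fails the ASCII decode and is skipped, which is exactly the property that encrypting passwords in transit (section V.B.2 below) buys.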
3. Intruders' Use of Software Tools
Tools available to launch an attack have become more effective, easier to use and more accessible to people without an in-depth knowledge of computer systems. People who have the desire but not the technical skill are able to break into systems.
The trend toward automation can be seen in the distribution of software packages containing a variety of tools to exploit vulnerabilities. These packages are often maintained by competent programmers and are distributed complete with version numbers and documentation.

IV. INTERNET VULNERABILITIES
A vulnerability is a weakness that a person can exploit to accomplish something not authorized or intended. Vulnerabilities may be caused by engineering or design errors, or by faulty implementation.

A. Why the Internet Is Vulnerable
Many early network protocols that now form part of the Internet infrastructure were designed without security in mind.
Because of the inherent openness of the Internet and the original design of the protocols, Internet attacks in general are quick, easy, inexpensive, and may be hard to detect or trace.
Many sites place unwarranted trust in the Internet. It is common for sites to be unaware of the risks or unconcerned about the amount of trust they place in the Internet.
Finally, the explosive growth of the Internet has expanded the need for well-trained and experienced people to engineer and manage the network in a secure manner.
Because the need for network security experts exceeds the supply, inexperienced people are called upon to secure systems, opening windows of opportunity for the intruder community.

B. Types of Technical Vulnerabilities
The following taxonomy is useful in understanding the technical causes behind successful intrusion techniques, and helps experts identify general solutions for addressing each type of problem.

1. Flaws in Software or Protocol Designs
Protocols define the rules and conventions for computers to communicate on a network. If a protocol has a fundamental design flaw, it is vulnerable to exploitation no matter how well it is implemented. When software is designed or specified, security is often left out of the initial description and is later "added on" to the system.

2. Weaknesses in How Protocols and Software Are Implemented
Even when a protocol is well designed, it can be vulnerable because of the way it is implemented. This type of vulnerability has a wide range of subclasses, which intruders often exploit using their own attack tools.

3. Weaknesses in System and Network Configurations
Vulnerabilities in the category of system and network configurations are a result of the way these components are set up and used. Products may be delivered with default settings that intruders can exploit.
An example of a faulty configuration that has been exploited is anonymous File Transfer Protocol (FTP) service. When sites misconfigure their anonymous FTP archives, unauthorized users can get authentication information and use it to compromise the system.

V. IMPROVING SECURITY
In the face of vulnerabilities and incident trends, a robust defense requires a flexible strategy that adapts to the changing environment, well-defined policies and procedures, the use of robust tools and constant vigilance.
It is helpful to begin a security improvement program by determining the current state of security at the site. Integral to a security program are documented policies and procedures, and technology that supports their implementation.

A. Security Policy, Procedures, and Practices

1. Security Policy
A policy is a documented high-level plan for organization-wide computer and information security. It provides a framework for making specific decisions, and is the basis for developing secure programming guidelines and procedures for users and system administrators to follow.
Factors that contribute to the success of a security policy include management commitment, technological support for enforcing the policy, effective dissemination of the policy, and the security awareness of all users.
Technological support for the security policy moves some responsibility for enforcement from individuals to technology. Technical options that support policy include (but are not limited to):
challenge/response systems for authentication;
auditing systems for accountability and event reconstruction;
encryption systems for the confidential storage and transmission of data;
network tools such as firewalls and proxy servers.

2. Security-Related Procedures
Procedures are specific steps to follow that are based on the computer security policy. Procedures address topics such as retrieving programs from the network, connecting to the site's system from home or while traveling, using encryption, authentication for issuing accounts, configuration, and monitoring.

3. Security Practice
System administration practices play a key role in network security. Checklists and general advice on good security practices are readily available. Below are examples of commonly recommended practices:
Ensure all accounts have a password and that it is difficult to guess.
Be vigilant in network use and configuration, making changes as vulnerabilities become known.
Regularly check with vendors for the latest available fixes and keep systems current with upgrades and patches.
Audit systems and networks, and regularly check logs. Many sites that suffer computer security incidents report that insufficient audit data is collected, so detecting and tracing an intrusion is difficult.

Safeguard your passwords!
1. Do not use passwords that refer to easily obtainable personal information, such as your name, address, phone number, or birthday.
2. Avoid using common words.
3. Passwords should be at least eight characters and combine upper and lower case letters, numbers, and symbols. Passwords are case sensitive, e.g. 2fjm0x@Ic.
4. Ideally, use a different password for each service you register with. For sensitive accounts, such as financial services, change your passwords frequently.
5. Never disclose your passwords. Don't have your computer "remember your password".

B. Security Technology
A variety of technologies have been developed to help organizations secure their systems and information against intruders. These technologies help protect systems and information against attacks.

1. Operational Technology
System administrators should maximize the availability of system services to valid users while minimizing the susceptibility of complex network infrastructures to attack.
No single technology addresses all the problems, but organizations can significantly improve their resistance to attack by carefully preparing and strategically deploying personnel and
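The next item, 2. One-Time Passwords, describes passwords that are never repeated and can be used successfully at most once, as the stronger alternative to the reusable passwords in the "Safeguard your passwords" list above. The page names no particular scheme; the following added example (not from the original page) implements one, the counter-based HOTP algorithm of RFC 4226, together with the server-side verifier logic that makes a password single-use. The look-ahead window and the test secret are assumptions made for the illustration; the secret is the one from the RFC's own test vectors, so the codes it produces are checkable against the RFC.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class OneTimePasswordVerifier:
    """Server-side state for one token. Each counter value is accepted at most
    once; a small look-ahead window (assumed size, an implementation choice)
    tolerates codes the user generated but never submitted."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.next_counter = 0        # lowest counter value still acceptable
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        window = range(self.next_counter, self.next_counter + self.look_ahead + 1)
        for counter in window:
            # compare_digest: constant-time comparison, no early exit on mismatch
            if hmac.compare_digest(hotp(self.secret, counter), code):
                # Burn this counter and every earlier one: the code can never be replayed.
                self.next_counter = counter + 1
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 appendix D test secret
    verifier = OneTimePasswordVerifier(secret)
    first = hotp(secret, 0)
    print(first, verifier.verify(first))   # 755224 True  (first use)
    print(first, verifier.verify(first))   # 755224 False (replay rejected)
```

Because the verifier advances past every counter it accepts, a password captured by a sniffer is worthless the moment its owner has used it, which is the property the section relies on; what the scheme does not protect against is an attacker who captures the code and submits it before the legitimate user does.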
2. One-Time Passwords
All passwords should at least be encrypted as they traverse networks. A better solution is to use one-time passwords.
These passwords are never repeated and are valid only for a specific user during the period that each is displayed. In addition, users are often limited to one successful use of any given password. One-time password technologies significantly reduce the risk of unauthorized entry through systems that require an initial password.

3. Firewalls
Intruders attempt to gain access to networked systems by pretending to initiate connections from trusted hosts. They silence the genuine host with a denial-of-service attack and then attempt to connect to a target system using the address of the genuine host.
A firewall is a collection of hardware and software designed to examine a stream of network traffic and service requests. Its purpose is to eliminate from the stream those packets or requests that fail to meet the security criteria established by the organization.

4. Monitoring Tools
Continuous monitoring of network activity is required if a site is to maintain confidence in the security of its network and data resources.
Sophisticated systems capable of reacting to questionable network activity may be implemented to disconnect and block suspect connections.
Tools to scan, monitor, and eradicate viruses can identify and destroy malicious programs that may have been transmitted onto host systems.
The damage potential of viruses ranges from mere annoyance to destruction of critical data resources. To ensure continued protection, the virus identification data on which such tools depend must be kept up to date.

VI. INFORMATION WARFARE
Extensive and widespread dependence on the Internet has called new attention to the importance of information to national security. The term information warfare refers to the act of war against the information resources of an adversary.
Information warfare is divided into two categories: offensive and defensive.
The purpose of offensive information warfare is to attack the information resources of an adversary to gain dominance. Defensive information warfare is the protection of your information assets against attack.
Because the Internet is global, it can be an avenue of attack for offensive information warfare by many governments. Intruder technology could be used by a government as a weapon against information resources, or used randomly by a terrorist organization against civilian targets.

VII. THE FUTURE
Research and development efforts are underway to allow critical applications to operate in the future in a more secure environment than exists today.

A. Internetworking Protocols
Most of the network protocols currently in use have changed little since the early definitions of the ARPANet. To have a secure foundation for the critical Internet applications of the future, severe weaknesses must be addressed.
New internetworking protocols are under development to authenticate the originator of a packet and to protect the integrity and confidentiality of data.

B. Intrusion Detection
Research is underway to improve the ability of networked systems to detect intrusions. There are two major areas of research in intrusion detection: anomaly detection and pattern recognition.
Research in anomaly detection is based on determining patterns of "normal" behavior for networks, hosts, and users and then detecting behavior that is significantly different (anomalous).
The second major area of intrusion detection research is pattern recognition. The goal here is to detect patterns of network, host, and user activity that match known intruder attack scenarios.
Finally, to support the needs of the future Internet, intrusion detection tools and techniques that can identify coordinated distributed attacks are critically needed, as are better protocols to support traceability.

C. Web-Related Programming and Scripting Languages
Downloading interesting, informative, or entertaining "content" is central to the activity of Web browsing. The content getting the most attention from Web users and the greatest concern from security experts is executable content, code to be executed on the local machine on download.
Web-related programming languages pose new security challenges and concerns because code is downloaded, installed and run on a user's machine without a review of source code. A user may not even be aware that code has been downloaded and executed. Some Web-related programming languages, most notably Java, have built-in security features, but security experts are concerned about the adequacy of these features.
As executable content makes Web browsing even more alluring, further research will be necessary to counter security risks. Users need to be educated about the risks so they can make informed choices about where to place their trust.

HOME NETWORK SECURITY
This document gives an overview of the security risks and countermeasures associated with Internet connectivity.

I. COMPUTER SECURITY

A. What is computer security?
Computer security is the process of preventing and detecting unauthorized use of your computer.
Prevention helps you to stop unauthorized users from accessing any part of your computer system.
Detection helps you to determine whether or not someone attempted to break into your system, if they were successful, and what they may have done.

B. Who would want to break into my computer at home?
Intruders may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems.
Gaining control of your computer gives them the ability to hide their location as they launch attacks, often against high-profile computer systems such as government or financial systems.
Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.

Hacker
A slang term for a computer enthusiast who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s).
Hackers are also described as individuals who gain unauthorized access to computer systems for the purpose of stealing and corrupting data. Hackers maintain that the proper term for such individuals is cracker.

Cracker
Cracking is to break into a computer system or copy commercial software illegally by breaking (cracking) the various copy-protection and registration techniques being used.
The term was coined in the mid-80s by hackers who wanted to differentiate themselves from individuals whose sole purpose is to sneak through security systems.

II. TECHNOLOGY
This section provides a basic introduction to the technologies that underlie the Internet and serves as a basic primer on the relevant technologies.

Broadband: refers to high-speed network connections; Internet connections via cable modem and Digital Subscriber Line (DSL) are frequently referred to as broadband Internet connections.
Cable modem access: allows a single computer (or network of computers) to connect to the Internet via the cable TV network. The cable modem usually has an Ethernet LAN (Local Area Network) connection to the computer, and is capable of speeds in excess of 5 Mbps.
DSL: Digital Subscriber Line (DSL) Internet connectivity provides the user with dedicated bandwidth. The maximum bandwidth available to DSL users is usually lower than the maximum cable modem rate because of differences in their respective network technologies.

Broadband vs. traditional dial-up services
Dial-up Internet services are referred to as "dial-on-demand" services. Your computer only connects to the Internet when it has something to send.
Broadband is referred to as an "always-on" service because there is no call setup when your computer has something to send.

                            Dial-up                           Broadband
Connection type             Dial on demand                    Always on
IP address                  Changes on each call              Static or infrequently changing
Relative connection speed   Low                               High
Remote control              Computer must be dialed in to     Computer is always connected, so
                            control remotely                  remote control can occur anytime
ISP-provided security       Little or none                    Little or none

What is a firewall?
http://www.faqs.org/faqs/firewalls-faq/
A firewall is defined as "a system or group of systems that enforces an access control policy between two networks." In the context of home networks, a firewall typically takes one of two forms:
Software firewall - specialized software running on an individual computer, or
Network firewall - a dedicated device designed to protect one or more computers.
Both types of firewall allow the user to define access policies for inbound connections to the computers they are protecting. Most firewalls intended for home use come with pre-configured security policies from which the user chooses, and some allow the user to customize these policies for their specific needs.

What does antivirus software do?
Antivirus software scans the files and memory of your computer for patterns that indicate the possible presence of a known virus.
Antivirus packages know what to look for through the use of virus profiles (sometimes called "signatures") provided by the vendor.
New viruses are discovered daily. The effectiveness of antivirus software is dependent on having the latest virus profiles installed on your computer so that it can look for recently discovered viruses. It is important to keep these profiles up to date.

III. COMPUTER SECURITY RISKS TO HOME USERS

Intentional misuse of your computer
The most common methods used by intruders to gain control of home computers are briefly described below.

1. Worms
Worms are programs or algorithms that replicate themselves. They perform malicious actions, such as using up the computer's resources and possibly shutting the system down.

2. Viruses
Viruses are programs or pieces of code that are loaded onto your computer without your knowledge and run against your wishes. Viruses can also replicate themselves. All computer viruses are man-made.

3. Logic bomb
A logic bomb, also called slag code, is programming code, inserted intentionally, that is designed to execute (or "explode") at the lapse of a certain amount of time or on the failure of a user to respond to a program command.

4. Trojan horse programs
A Trojan horse is full of as much trickery as the mythological Trojan Horse. At first glance it will appear to be useful software, but it will actually do damage once installed or run on your computer.

5. Denial of service
Another form of attack is called a denial-of-service (DoS) attack. This causes your computer to crash or to become so busy processing data that you are unable to use it.

6. Unprotected Windows shares
Unprotected Windows networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet.

7. Web programming and scripting languages
These are programming languages that let web developers write code that is executed by your web browser. Although the code is generally useful, it can be used by intruders to gather information or to run malicious code.

8. Email spoofing
Email "spoofing" is when an email message appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information.
Examples:
① email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not comply
② email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information

9. Email-borne viruses
Malicious code is often spread as attachments to email messages. Before opening any attachments, be sure you know the source. Never run a program unless you know it to be authored by a person or company that you trust.

10. Chat clients
Internet chat applications provide a mechanism for information to be transmitted bi-directionally between computers on the Internet.
Because many chat clients allow for the exchange of executable code, they present risks similar to those of email clients. You should be wary of exchanging files with unknown
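Two passages above describe the same pair of detection ideas: VII.B Intrusion Detection (pattern recognition against known attack scenarios, and anomaly detection against a learned baseline of "normal" behavior), and "What does antivirus software do?" (matching against vendor-supplied signatures). The following added example, not code from the original page, runs both approaches over a handful of constructed syslog-style lines. The log lines, the signature set and the baseline counts are all made up for the illustration; one signature targets the anonymous-FTP misconfiguration mentioned in IV.B.3, and the baseline models the failed-login rate per source address during a quiet period.

```python
import re
import statistics
from collections import Counter

# Constructed syslog-style lines (not from any real system), one minute of activity.
LOG_LINES = [
    "Mar 12 10:00:01 host1 sshd[2011]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "Mar 12 10:00:02 host1 sshd[2013]: Failed password for invalid user oracle from 203.0.113.9 port 51023 ssh2",
    "Mar 12 10:00:02 host1 sshd[2015]: Failed password for invalid user test from 203.0.113.9 port 51024 ssh2",
    "Mar 12 10:00:03 host1 sshd[2017]: Failed password for invalid user guest from 203.0.113.9 port 51025 ssh2",
    "Mar 12 10:00:03 host1 sshd[2019]: Failed password for invalid user backup from 203.0.113.9 port 51026 ssh2",
    "Mar 12 10:00:04 host1 sshd[2021]: Failed password for root from 203.0.113.9 port 51027 ssh2",
    "Mar 12 10:00:05 host1 sshd[2023]: Accepted password for alice from 192.0.2.44 port 40112 ssh2",
    "Mar 12 10:00:09 host1 ftpd[880]: ANONYMOUS FTP LOGIN FROM 198.51.100.23 [198.51.100.23], guest@",
    "Mar 12 10:00:10 host1 ftpd[880]: RETR /etc/passwd",
    "Mar 12 10:00:12 host1 sshd[2030]: Failed password for alice from 192.0.2.44 port 40113 ssh2",
    "Mar 12 10:00:15 host1 sshd[2031]: Accepted password for root from 203.0.113.9 port 51030 ssh2",
]

# Pattern recognition: each signature describes one known attack scenario.
SIGNATURES = {
    "anon-ftp-passwd-fetch": re.compile(r"ftpd\[\d+\]: RETR \S*passwd"),
    "remote-root-login": re.compile(r"Accepted \w+ for root from"),
}

FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")

# Anomaly detection baseline: failed logins per source per minute observed
# during a quiet training period (constructed values).
BASELINE_FAILURES_PER_MINUTE = [0, 1, 0, 2, 1, 0, 1, 1, 0, 0]


def match_signatures(lines):
    """Return [(signature name, 1-based line number)] for every signature hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def failed_logins_per_source(lines):
    """Count failed logins by source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def anomaly_threshold(baseline, sigmas=3.0):
    """Mean plus `sigmas` standard deviations of the learned 'normal' rate."""
    return statistics.mean(baseline) + sigmas * statistics.pstdev(baseline)


def anomalous_sources(counts, baseline=BASELINE_FAILURES_PER_MINUTE):
    """Sources whose failed-login count is significantly above the baseline."""
    threshold = anomaly_threshold(baseline)
    return {src: n for src, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for name, lineno in match_signatures(LOG_LINES):
        print(f"signature {name} matched line {lineno}")
    for src, n in anomalous_sources(failed_logins_per_source(LOG_LINES)).items():
        print(f"anomaly: {src} produced {n} failed logins in one minute")
```

The two detectors find different things: the signatures catch the root login and the password-file retrieval regardless of volume, while the anomaly threshold flags 203.0.113.9 for its burst of failures without knowing which user names it tried. Note that the anomaly detector says nothing about the single failed login from 192.0.2.44, which is within normal variation; and that the signature list, like antivirus profiles, is only as current as its last update.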
Accidents and other risks
Risks that apply even if the computer has no network
connections at all.
1. Disk failure
All stored data can become unavailable -- if the media it’s
stored on is physically damaged, destroyed, or lost. Hard disk
crashes are a common cause of data loss on personal
computers. Regular system backups are the only effective
2. Power failure and surges
Power problems (surges, blackouts, and brown-outs) can
cause physical damage to a computer, inducing a hard disk
crash or otherwise harming the electronic components of the
computer. Common mitigation methods include using surge
suppressors and uninterruptible power supplies (UPS).
IV. ACTIONS HOME USERS CAN TAKE TO PROTECT THEIR
The CERT/CC recommends the following practices to home
Consult your system support personnel if you work from home
Use virus protection software
Use a firewall
Don’t open unknown email attachments
Don’t run programs of unknown origin
Keep all applications (including your operating system) patched
Turn off your computer or disconnect from the network when not
Disable scripting features in email programs
Make regular backups of critical data
Make a boot disk in case your computer is damaged or
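"Use a firewall" in the list above, and "What is a firewall?" earlier in this document, describe a device that applies an access policy to inbound connections and drops whatever the policy does not permit. The following is an added example, not code from the original page or from any firewall product: a small stateful packet filter that implements the home-network policy those passages describe, including the check against forged source addresses discussed under Techniques to Exploit Vulnerabilities in the first document. The network 192.168.1.0/24, the interface names, the rule set and the packets are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home network


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "lan" or "wan"
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """An inbound allow rule: this service, reachable only from this network."""
    name: str
    proto: str
    dport: int
    src_net: str

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto and pkt.dport == self.dport
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net))


class HomeFirewall:
    def __init__(self, inbound_rules):
        self.inbound_rules = list(inbound_rules)   # evaluated in order, first match wins
        self.established = set()                    # connections opened from the inside

    def filter(self, pkt: Packet, direction: str):
        """Return ("allow" | "deny", reason) for one packet."""
        if direction == "out":
            # Policy assumption: anything from inside may go out; remember it so
            # the reply can come back in.
            self.established.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return ("allow", "outbound")
        # 1. Anti-spoofing: an internal source address cannot legitimately arrive
        #    from the WAN side, whatever port it asks for.
        if pkt.iface == "wan" and ipaddress.ip_address(pkt.src) in LAN:
            return ("deny", "spoofed-source")
        # 2. Replies to connections the inside opened (reversed 5-tuple).
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.established:
            return ("allow", "established")
        # 3. Explicit inbound policy chosen by the user.
        for rule in self.inbound_rules:
            if rule.matches(pkt):
                return ("allow", rule.name)
        # 4. Default deny: everything not explicitly permitted is dropped.
        return ("deny", "default")


if __name__ == "__main__":
    fw = HomeFirewall([Rule("lan-ssh", "tcp", 22, "192.168.1.0/24")])
    print(fw.filter(Packet("lan", "tcp", "192.168.1.10", 50000, "203.0.113.5", 80), "out"))
    print(fw.filter(Packet("wan", "tcp", "203.0.113.5", 80, "192.168.1.10", 50000), "in"))
    print(fw.filter(Packet("wan", "tcp", "198.51.100.7", 4444, "192.168.1.10", 139), "in"))
    print(fw.filter(Packet("wan", "tcp", "192.168.1.99", 40000, "192.168.1.10", 22), "in"))
```

The order of the checks matters: the anti-spoofing test runs before the rule table, so a packet from the Internet that forges a LAN source address cannot borrow the "lan-ssh" permission, and the default at the end means an unprotected Windows share (port 139 in the demo) is unreachable from outside without anyone having to write a rule for it.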