
Chapter 2. Understanding And Addressing Security

At a Glance

This chapter evaluates why computer and network security are necessary. It addresses the impact of security breaches and it assesses the initial measures required to counter such breaches. The chapter also includes a list of definitions of technical terms; additional terms are defined in Annex 1.

Why are Security Measures Required?

In the early days of computing on shared systems, there were usernames, but no passwords. Passwords were added once the first malicious (or curious) users began to abuse the ability to log on with a username only. Today, there are a number of reasons to think about computer and network security:

  • The value of your investment in hardware equipment and software programs. Computers and software packages are expensive. Replacing them may be costly and difficult. Even if you do not lose the actual hardware and software, security problems can require a re-installation of all software programs and then re-configuration to meet your specific needs. This can be time-consuming, if not impossible, for someone with only a moderate degree of technical knowledge.
  • The value of your business data. This data could include your customer lists, financial projections, or proprietary programs that you have written.
  • The value of your personal data. Your personal data may not have any clear monetary value, but a loss could be expensive (see later definition of identity theft), and you should consider how much time it may take to recreate the information.
  • The threat of computer criminals. As technology has advanced, a class of people who take advantage of networked computers to steal data has emerged. In some cases, they are operating for benign (or malicious) kicks or to prove to themselves or to their friends that they can do it.

In some cases, they are operating for personal gain (stealing credit card information, engaging in fraudulent transactions). In any case, these people can cause inconvenience and damage; in extreme cases they may create serious problems for individuals and businesses whose data has been compromised. Since the Internet is available to users worldwide, it can be complicated, if not impossible, to trace where the attacks are coming from and to stop the intruders permanently.

Why is security lacking?

Software programs are often developed without a focus on securing them. This happens for several reasons:

  • Ignorance – the programmer or designer did not know about the need for security;
  • Low priority – until recently, security issues did not have the visibility that they now do. As a result, even people who knew about security issues chose to ignore them;
  • Time and expense – some people think that it is more expensive and time consuming to design, code, and test for security issues during the software development process; and
  • Sloppiness – in some programming efforts, the same mistakes are made repeatedly, and some of these mistakes make security breaches possible.
  • People are innovative, and motivated individuals will find ways to circumvent security or to discover errors that create security exposures.
  • Normal users (potential victims of security breaches) are not sufficiently aware of the threats around them and do not make an effort to follow proper procedures for securing their data and their systems.
  • Some users may be aware of security issues, but simply do not take them seriously – they assume that an attack will not be launched against them.

Assessing the Threat and the Cost of Loss

In order to understand how important security is to you, you may wish to consider a number of “what if” questions. Imagine each of the security incidents listed below and try to assess the likely results of the incident.

The key questions that you must answer are:

  • Could you recover from the incident?
  • How much time would it take?
  • How much money would it cost?
  • How would it impact your business?
  • What hidden costs would there be (including loss of status or authority)?

Here are a few possible security incidents:

What if…

… someone broke into your home or office and stole your computer? For added impact, they might also take the backup disks found near the computer.

… all of the data on your machine was erased?

… all of your data was stolen? This data might include: your bank account information, a list of your usernames and passwords for web sites where you make online purchases, an important report that you are writing for work, or a school assignment that is due tomorrow and is worth 50% of the course grade.

… someone watched and memorized everything that you were doing on your computer? When you type a credit card number, they know it. When you browse a web site, they know it. When you log onto a web site or system, they are able to capture your username and password.

… your computer kept crashing when you were working on an important, time-sensitive project?

… you sent a malicious computer virus to everyone in your address book?

… your telephone bill arrived and showed that you owe the phone company more than your monthly salary for calls that you did not make?

… you received a bill for a credit card that you do not own, but the bank issuing the card is convinced that you applied for it? (And they have proof of “your” application.)

All of these situations highlight why computer security is important. Once you understand that security is important to you, the next step is to assess what a good security plan will entail:

  • Will it cost you anything to implement security measures?
  • How much time will it take?
  • How inconvenient will it be?
  • Are there things that you like to do on your computer that will become difficult or impossible?
  • Can you put the security measures in place yourself or will you need help from others?

These are important questions because you need to approach security with a solid understanding of the costs in terms of money, time, and inconvenience. Without this knowledge, you might become discouraged in the process of securing your system and perhaps you would abandon the project, leaving yourself unprotected.

Will it cost you anything to become secure?

Many of the paths to good security do not require specific products and those available commercially are fairly inexpensive. Even virus-checkers, the most common purchased security product, are available as freeware. Some organizations that offer freeware products are listed in the Annexes.

How much time will it take?

You will need to devote some time to implementing and following security measures, although this commitment should not be overwhelming. In short, you will need to install the proper software and perform some routine maintenance tasks on a regular basis.

How inconvenient will it be?

How inconvenient it will be depends on your point of view. In a security mindset, you have to think about what you are doing and you will not presume that everything is safe. For example, if someone sends you an attachment, you will decide whether you should open it or not. However, this level of caution is taken in other aspects of life. It is more convenient to cross a street whenever and wherever you wish. Nevertheless, in many places, it makes sense to check that there are no cars coming before you step into the road.

Are there things that you like to do that will be difficult or impossible?

Yes, you will have to modify your actions to some extent. Opting for increased security will prompt you to be conscious of potential problems and to avoid them whenever possible. Contemporary software packages have many attractive capabilities; however, using certain features, especially those that enhance networking and messaging, can make you vulnerable to attack. For example, you might find a web site that offers a service that you want to use. However, to access the service, you must allow it to download and run a program on your computer. If you are not sure that the people who operate the service are trustworthy, it may be better not to download the program.

Can you put the security measures in place yourself or will you need help from others?

In theory, you can be fully responsible for all aspects of security, but in practice, it may be better to share the responsibilities with others.

  • Updating software programs and patches, a necessary part of being secure, is often bandwidth intensive. For someone connected to the Internet with a link running at megabit speeds, this is not a problem. However, in developing countries, bandwidth is often severely restricted and sometimes very expensive. Dialup connectivity, while sufficient for downloads, may result in high costs for connections of a long duration. It may be better to have one person download updates for common software and then to distribute copies locally. Unfortunately, this is often not as convenient as having each user work directly online.
  • Many security alerts are aimed at the computer professional (although this is changing as the world becomes more security-conscious). A novice user may not know how to access these alerts. If a new user does receive the alerts, he or she may not be able to understand them or take appropriate actions in response to them. Occasionally, you may receive malicious spam claiming to be a security update from Microsoft that contains an “update” attachment. The mail, of course, is not from Microsoft and the attachment is typically a dangerous virus.
  • In environments where there are a large number of machines (businesses, schools, government offices), it makes sense to have a system administrator handle some aspects of security.

If you do choose to share the tasks of securing your systems with others, you should put a good communication plan in place. More information will be provided on systems administration in other parts of this Handbook. However, assigning clear responsibilities for security procedures to a designated individual or group of individuals is an important part of the security plan.

Deciding on a personal security plan

There are many programs that address a range of computer security needs. Once you understand the threats and decide on what kinds of risks you would like to minimize or eliminate, you can take steps to put a personal security plan in place. After assessing the issues of cost, time, and inconvenience, you may decide that there are some types of threats that you will live with, at least for the time being. Your security plan will rely, to a certain extent, on software programs, but it should also include procedures, rules, and self-discipline.

Good security is a result of multiple barriers or layers. Each layer will stop certain kinds of threats. If you use a variety of barriers, you will be more successful in eliminating a variety of problems. You can use the analogy of driving a car; what do you need to do to reduce the chance that you will have an accident? Some of the techniques are:

  • Keep the car in good repair;
  • Drive carefully;
  • If the manufacturer alerts you that there is a safety-related defect in the car, get it fixed quickly;
  • Pay attention when you drive, as other drivers may cause problems for you;
  • If you read in the newspaper that a bridge is broken, do not drive over it.

None of these techniques alone will keep you safe, but by employing all of them, you will be more likely to avoid an accident. In developing a good security plan, one must take a number of partially redundant steps. Consider how you might protect a valuable piece of jewelry. You keep the jewelry in a locked box, inside your locked house, and you have an insurance policy that will replace the jewelry if it is stolen. So you have several levels of protection. Any one of these in theory would protect you from loss, but it is wiser to take all precautions. That way, if one of the methods should fail (perhaps there is an untrustworthy workman in your house – so the locked door will not help), there are still safeguards in place.

The principle that needs to be understood is that virtually all security techniques can and will fail occasionally, either due to design problems, poor implementation, or human error. This applies to tools such as virus checkers, encryption and passwords. Any tool may fail at times and you should never rely on a single method to save you from disaster.

The Role of the User in Security

The primary user of a computer clearly has a large role to play in ensuring that the computer and its software are set up with a good degree of security. In addition, other users of that computer also have a role to play in ensuring that safe computing practices are followed carefully. As we will see, one of the greatest threats to safe computing is a user who does not understand or is not sufficiently diligent about security.

Security is an Art, not a Science

There is nothing guaranteed in trying to secure your computer and network. There are always new bugs, new forms of attack, and new opportunities for breaches that arise from human error. However, if you study and follow a set of best practices in security with diligence and care, you are improving your chances at operating your system securely. It also helps to stay current with the field through web site research and the mailing lists of respected computing organizations, some of which are listed in the Annexes. Such research may help guide your security practices, particularly when new or unusual circumstances are present.

 
 


Copyright © 2003 The International Bank for Reconstruction and Development / The World Bank
