The Security Problem

Shaun M. Johnson Web Design

A. Fifty years ago, few people had access to a computer system or a network, and securing them was relatively easy. With the rise of personal computers and the advent of the Internet, it is difficult to monitor or regulate access to information.
B. Fifty years ago, companies did not conduct business across the Internet. Today, companies rely on the Internet to operate and conduct business.
C. Money is transferred via networks, either in the form of bank transactions or simple credit card purchases.
1. With vast amounts of money, there are those who try to take advantage of the environment to conduct fraud or theft.
2. Online shopping, banking, investment, and leisure pursuits are now just a matter of dragging and clicking. However, this has also made attacking computers and networks easier for some people.
3. Identity theft is another common criminal activity conducted through the Internet.
II. Security Incidents
A. Crimes committed in the last dozen or so years can be analyzed to understand the threats and security issues that computer systems and networks face.
B. Electronic crime can take a number of different forms including the following two categories:
1. Crimes where the computer is the target of the attack.
2. Incidents where the computer is a means of perpetrating a criminal act.
C. The Morris Worm (November, 1988)
1. Robert Morris, then a graduate student at Cornell University, released what is known as The Internet Worm (or the Morris Worm).
2. The worm infected roughly 10 percent of the machines connected to the Internet at that time (approximately 6000 machines). It caused an estimated $100 million in damage, though this figure has been the subject of wide debate.
3. The worm did not carry a malicious payload, but it caused havoc by continually re-infecting computer systems until they could no longer run any programs.
D. Citibank and Vladimir Levin (June – October 1994)
1. Vladimir Levin, of St. Petersburg, Russia, made a number of bank transfers starting about June of 1994 and continuing until at least October of the same year.
2. By the time he and his accomplices were caught, they had transferred an estimated $10 million. Eventually, all but about $400,000 was recovered.
3. Levin reportedly accomplished the break-ins by dialing into Citibank’s cash management system, which allowed clients to initiate their own fund transfers to other banks.
E. Kevin Mitnick (February, 1995)
1. Kevin Mitnick’s computer activities occurred over a number of years during the 1980s and 1990s.
2. Mitnick admitted to having gained unauthorized access to a number of different computer systems belonging to companies such as Motorola, Novell, Fujitsu, and Sun Microsystems.
3. He used different tools and techniques including social engineering, sniffers, and cloned cellular telephones.
F. Omega Engineering and Timothy Lloyd (July, 1996)
1. On July 30, 1996, a software “time bomb” executed at Omega Engineering deleted all of the design and production programs of the company. It caused severe damage to the company and forced the layoff of 80 employees.
2. The program was eventually traced back to Timothy Lloyd who had left it in retaliation for his dismissal.
G. Jester and the Worcester Airport (March, 1997)
1. In March 1997, airport services to the FAA control tower as well as the emergency services at the Worcester Airport and the community of Rutland, Massachusetts, were cut off for six hours.
2. This disruption occurred as a result of a series of commands sent by a teenage computer “hacker” who went by the name of “jester”.
3. The individual had gained unauthorized access to the “loop carrier system” operated by NYNEX.
H. Solar Sunrise (February, 1998)
1. During the period of increased tensions between the United States and Iraq and subsequent military preparations, a series of computer intrusions occurred at a number of military installations in the United States.
2. Over 500 domain name servers were compromised during the course of the attacks.
3. Tracing the actual origin of the attacks was made harder by the attackers “hopping” through a number of intermediate systems, an average of eight, before reaching the target.
4. The attackers eventually turned out to be two teenagers from California and their mentor in Israel.
I. The Melissa Virus (March, 1999)
1. Melissa is the best known of the early macro viruses, which attach themselves to documents created by programs that offer a limited macro programming capability.
2. The virus, written and released by David Smith, infected about a million computers and caused an estimated $80 million in damages.
3. The virus, which clogged networks with the traffic it generated and caused problems for e-mail servers worldwide, was attached to Microsoft Word 97 and Word 2000 documents. Whenever the infected file was opened, the macro ran, infecting the current host and sending itself to the first 50 addresses in the user’s address book.
4. It was simple to avoid the Melissa virus. Users had to avoid opening the attached file to prevent the system from being infected.
J. The Love Letter Worm (May, 2000)
1. The worm spread via e-mail with the subject line of “ILOVEYOU”.
2. Estimates of the number of infected machines worldwide have been as high as 45 million with an estimated $10 billion in damages (it should be noted that figures like these are extremely hard to verify or calculate).
3. Like the Melissa virus, the Love Letter Worm spread via an e-mail attachment, but in this case, instead of utilizing macros, the attachments were VBScript programs.
K. The Code-Red Worm (2001)
1. On July 19, 2001, over 350,000 computers connected to the Internet were infected by the Code-Red worm.
2. This infection took only 14 hours to spread.
3. The estimated damage caused by the worm (including variations of the worm released on later dates) exceeded $2.5 billion.
L. Adil Yahya Zakaria Shakour (August, 2001 – May 2002)
1. Shakour admitted to having accessed several computers without authorization, including a server at Eglin Air Force Base (where he defaced the Web site), computers at Accenture (a Chicago-based management consulting and technology services company), a computer system at Sandia National Laboratories (a Department of Energy facility), and a computer at Cheaptaxforms.com.
2. During the break-in of Cheaptaxforms.com, Shakour admitted to having obtained credit card and personal information which he used to purchase items worth over $7,000 for his own use.
M. The Slammer Worm (2003)
1. The Slammer worm was released on January 25, 2003.
2. It exploited a buffer-overflow vulnerability in computers running Microsoft’s SQL Server or Microsoft SQL Server Desktop Engine. Like the vulnerability exploited by Code-Red, this vulnerability was not new; it had been discovered in July 2002, and Microsoft had released a patch for it even before it was publicly announced.
3. Within 24 hours of its release, the worm had infected at least 120,000 hosts and caused network outages and disruption of airline flights, elections, and ATMs.
4. At its peak, Slammer-infected hosts generated a reported 1TB of worm-related traffic every second.
a) The worm doubled in the number of infected hosts every eight seconds.
b) It is estimated that it took less than ten minutes to reach global proportions and infect 90 percent of the possible hosts it could infect.
III. Threats to Security
A. In today’s highly networked world, new threats have developed, which can be categorized based on the following factors:
1. Whether the threats come from outside the organization or from within.
2. The various levels of sophistication of the attacks, from “script kiddies” to “elite hackers”.
3. The level of organization of the various threats: from unstructured threats to highly structured threats.
B. Viruses and worms.
1. An organization may be exposed to viruses and worms because its employees do not follow certain security practices or procedures. This does not mean the employees themselves were involved in writing or releasing the viruses and worms.
2. By far, viruses and worms will be the most common problem that an organization will face as literally thousands of such programs have been created.
3. Viruses and worms are also generally non-discriminating threats that are released on the Internet in general and are not targeted at a specific organization.
C. Intruders.
1. The act of deliberately accessing computer systems and networks without authorization is referred to as “hacking”. The term may also be used to refer to the act of exceeding an individual’s authority in a system.
2. Intruders are extremely patient as the process to gain access to a system takes persistence and dogged determination.
3. Attacks by individuals or even by small groups of attackers fall into the unstructured threat category. Attacks at this level are generally conducted over short periods of time (lasting at most a few months), do not involve a large number of individuals, have little financial backing, and are accomplished by insiders, or outsiders who do not seek collusion with insiders.
4. Different kinds of intruders may attack with varying degrees of sophistication.
a) At the low end technically are script kiddies. They do not have the technical expertise to develop scripts or discover new vulnerabilities in software but have just enough understanding of computer systems to be able to download and run scripts that others have developed.
(1) These individuals are generally not as interested in attacking specific targets but simply want to find any organization that may not have patched a newly discovered vulnerability for which the script kiddie has located a script to exploit.
(2) These individuals are responsible for at least 85 to 90% of the “unfriendly” activity on the Internet.
b) At the next level is the group of individuals who are capable of writing scripts to exploit known vulnerabilities.
(1) These individuals are much more technically competent than script kiddies.
(2) This group accounts for an estimated 8 to 12% of malicious Internet activity.
c) At the top end of this spectrum are elite hackers.
(1) Elite hackers are highly technical individuals capable of writing scripts to exploit vulnerabilities and discovering new vulnerabilities.
(2) This group accounts for only about 1 to 2% of the intrusive activity.
D. Insiders.
1. Insiders are more dangerous than outside intruders as they have the access and knowledge necessary to cause immediate damage to an organization.
2. Employees are not the only insiders that organizations need to be concerned with. There are often a number of other individuals who have physical access to facilities.
E. Criminal organizations.
1. Criminal activity on the Internet is similar to criminal activity in the physical world.
2. One difference between criminal groups and the “average” hacker is the level of organization that criminal elements may employ in their attack.
3. Attacks by criminal organizations can fall into the structured threat category. They are characterized by a greater amount of planning, a longer period of time to conduct the activity, more financial backing to accomplish, and may include corruption of, or collusion with, insiders.
F. Terrorists and information warfare.
1. As nations become increasingly dependent on computer systems and networks, the greater the possibility that these systems will become a target for rival organizations or nations.
2. Many nations today have developed the capability to conduct information warfare.
a) Information warfare is warfare conducted against the information and information-processing equipment used by an adversary.
b) It falls into the highly structured threat category. It may not only include attempts to subvert insiders but may in fact include attempts to plant individuals inside of a potential target in advance of a planned attack.
c) In information warfare, the key target includes the military forces and the various infrastructures that a nation relies on for its daily existence.
d) Water, electricity, oil and gas refineries and distribution, banking and finance, and telecommunications fall into the category of critical infrastructures. Loss of critical infrastructures would have a severe detrimental impact on the nation.
e) Another aspect to consider is the potential list of attackers, which includes not only nations but also terrorist organizations.
IV. Security Trends
A. The biggest change that has occurred in security over the last 30 years has been the change in the computing environment, from large mainframes to a highly interconnected network of much smaller systems. In security, the transition is from an environment where everything was fairly contained and people operated in a closed environment to one where a computer can be accessed from anywhere.
B. The type of individual who attacks a computer system or network has also evolved over the last 30 years.
1. The rise in the number of non-affiliated intruders, such as “script-kiddies”, has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit.
2. As the level of sophistication of attacks has increased, the level of knowledge necessary to exploit vulnerabilities has decreased. This is because an increase in the number of automated tools allows even novices to exploit highly technical and complex vulnerabilities.
C. Security studies.
1. One of the best known security surveys is the joint survey conducted annually by the Computer Security Institute (CSI) and the FBI (this survey can be obtained from www.gocsi.com).
a) The number of organizations that have reported unauthorized use of their computer systems has been declining (from 70 percent in 2000 to 56 percent in 2003).
b) The number of organizations that have reported attacks from Internet connections has increased (from 59 percent in 2000 to 78 percent in 2003).
c) Organizations citing independent hackers as a likely source of attacks have also increased (from 77 percent in 2000 to 82 percent in 2003).
d) The two most frequent types of attacks have remained constant – viruses and insider abuse.
e) With the exception of Denial-of-Service attacks and telecommunication fraud, all categories had recorded a steady increase from 2000 through 2002 but then showed a sharp decline in 2003.
f) The average loss as a result of theft of proprietary information, for example, hit a high of $6.57 million in 2002 but was only $2.70 million in 2003.
g) Financial fraud plunged from $4.63 million in 2002 to $328,000 in 2003.
IV. Avenues of Attack
A. A computer system can be targeted by the attacker, or it can be an opportunistic target.
1. An attacker can target a computer system for political reasons. An example of this type of attack would be an individual in one country attacking a government system in another.
2. An attack against a target of opportunity is conducted against a site that has hardware or software vulnerable to a specific exploit. The attackers, in this case, do not target a particular organization, but are looking for any organization with a vulnerability that they can exploit.
3. Targeted attacks are more difficult and take more time than attacks on a target of opportunity.
V. The Steps in an Attack
A. The steps an attacker takes in attempting to penetrate a targeted network are similar to the ones that a security consultant performing a penetration test would take.
1. The attacker will need to gather as much information about the organization as possible.
2. The first step in the technical part of an attack is often to determine what target systems are available and active.
a) This is often done with a ping sweep, which simply sends a “ping” (an ICMP echo request) to each address in the target range. If a machine responds, it is reachable.
b) The next step is often to perform a port scan. This will help identify ports that are open, which gives an indication of which services may be running on the target machine.
c) The attacker needs to determine the operating system running on the target machine, the specific application programs, and the services that are available.
d) The attacker would then have a list of possible target machines, the operating systems running on them, and some specific applications or services to target.
3. An attacker can search for known vulnerabilities and tools that exploit them, download the information and tools, and then use them against a site.
a) There are numerous Web sites that provide information on vulnerabilities of specific application programs and operating systems.
b) If the administrator for the targeted system has not installed the correct patch, the attack may be successful. If the patch has been installed, the attacker will move on to the next possible vulnerability.
4. There are many different ways a system can be attacked. However, the general process involves the following:
a) Gathering as much information about the target as possible (using both electronic and non-electronic means).
b) Gathering information about the possible exploits based on the information about the system, and then systematically attempting to use each exploit.
c) If the exploits do not work, other less system-specific attacks may be attempted.
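The reconnaissance steps above (ping sweep, then port scan) leave a recognisable footprint in perimeter logs. The following detector is an added example, not part of the original outline: it reads constructed iptables-style log lines (SRC/DST/PROTO/TYPE/DPT fields are assumed) and flags one source pinging many hosts or probing many ports on one host.

```python
"""Flag ping sweeps and port scans in iptables-style firewall log lines.

Added example (not from the original outline). The field names below
(SRC, DST, PROTO, TYPE, DPT) follow the iptables LOG target; the sample
lines are constructed, not captured traffic.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: 203.0.113.5 echo-requests six hosts (a ping sweep),
# 203.0.113.9 probes six ports on one host (a port scan), and
# 198.51.100.7 is ordinary traffic to a web server.
SAMPLE_LOG = "\n".join(
    [f"SRC=203.0.113.5 DST=192.0.2.{i} PROTO=ICMP TYPE=8" for i in range(1, 7)]
    + [f"SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT={p}"
       for p in (21, 22, 23, 25, 80, 443)]
    + ["SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443",
       "SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80"]
)


def parse_line(line):
    """Return the KEY=VALUE fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def detect_recon(log_text, sweep_threshold=5, scan_threshold=5):
    """Return {"ping_sweep": [(src, host_count)],
               "port_scan": [(src, dst, sorted_ports)]}.

    A ping sweep is one source sending ICMP echo requests (TYPE=8) to at
    least sweep_threshold distinct hosts; a port scan is one source hitting
    at least scan_threshold distinct TCP/UDP ports on a single host.
    """
    echo_targets = defaultdict(set)   # src -> hosts that received an echo request
    ports_probed = defaultdict(set)   # (src, dst) -> destination ports seen
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if not f:
            continue
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            echo_targets[f["SRC"]].add(f["DST"])
        elif f.get("PROTO") in ("TCP", "UDP") and "DPT" in f:
            ports_probed[(f["SRC"], f["DST"])].add(int(f["DPT"]))
    findings = {"ping_sweep": [], "port_scan": []}
    for src, hosts in echo_targets.items():
        if len(hosts) >= sweep_threshold:
            findings["ping_sweep"].append((src, len(hosts)))
    for (src, dst), ports in ports_probed.items():
        if len(ports) >= scan_threshold:
            findings["port_scan"].append((src, dst, sorted(ports)))
    return findings


if __name__ == "__main__":
    print(detect_recon(SAMPLE_LOG))
```

In production the thresholds would be applied per time window, since a slow scan spread over days stays under any per-burst count.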
VI. Minimizing the Possible Avenues of Attack
A. To limit the exposure of an organization’s system and to minimize the possible avenues an attacker can exploit, it is important to understand the steps an attacker will take.
1. The administrator should ensure that all patches for the operating system and the applications are installed to minimize possible attacks.
2. The administrator must limit the services running on the system.
3. The administrator must provide as little information about the organization and its computing resources as possible to minimize the possible avenues of attack.
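Limiting the services running on a system starts with knowing what is actually listening. The audit below is an added example, not part of the original outline: it compares the listeners reported by `ss -Hlntu` (output layout assumed; the sample is constructed) against an approved baseline and reports anything outside it.

```python
"""Report listening sockets that are not in an approved-services baseline.

Added example (not from the original outline). Parses the column layout of
`ss -Hlntu` (Netid State Recv-Q Send-Q Local:Port Peer:Port), which is an
assumption about that tool's output; the sample text is constructed.
"""
import subprocess

# Constructed sample of `ss -Hlntu` output for an illustrative host.
SAMPLE_SS = """\
tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp   LISTEN 0 511 *:80          *:*
udp   UNCONN 0 0   0.0.0.0:111   0.0.0.0:*
tcp   LISTEN 0 128 [::]:22       [::]:*
"""

# Baseline: the (proto, port) pairs this host is supposed to expose.
APPROVED = {("tcp", 22), ("tcp", 80)}


def parse_ss(text):
    """Yield (proto, bind_address, port) for each ss output line."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        proto, local = cols[0], cols[4]
        addr, _, port = local.rpartition(":")   # handles "[::]:22" and "*:80"
        yield proto, addr, int(port)


def unexpected_listeners(text, approved=APPROVED):
    """Return sorted (proto, addr, port) triples outside the baseline.

    Loopback-only listeners are reported as well: they are still an avenue
    for a local user or an already-compromised process.
    """
    return sorted({(p, a, port) for p, a, port in parse_ss(text)
                   if (p, port) not in approved})


def audit_live_host(approved=APPROVED):
    """Run ss on the current (Linux) host and audit its listeners."""
    out = subprocess.run(["ss", "-Hlntu"], capture_output=True,
                         text=True, check=True).stdout
    return unexpected_listeners(out, approved)


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_SS):
        print(f"unexpected listener: {proto} {addr}:{port}")
```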
VII. Types of Attacks
A. There are a number of ways that a computer system or a network can be attacked. As a result of an attack:
1. There can be a loss of confidentiality where information is disclosed to unauthorized individuals.
2. A loss of integrity where information is modified by unauthorized individuals.
3. A loss of availability where information, or the systems processing it, are not available to authorized users when they need them.