Introduction To Computer Security TOPIC 1

The document discusses the importance of information security and outlines some common challenges and threats. It defines information security and explains why confidentiality, integrity and availability of information must be protected. It then describes different types of attackers including hackers, script kiddies, spies, employees and cybercriminals.

Uploaded by zambogo7

Introduction to Computer Security

After completing this topic you should be able to do the following:

• Define information security and explain why it is important

• Describe the challenges of securing information

• Identify the types of attackers that are common today

• List the basic steps of an attack

• Describe the five steps in a defense


Information security is frequently used to describe the tasks of guarding information that is in a digital format. This
digital information is typically manipulated by a microprocessor (such as on a personal computer), stored on a
magnetic or optical storage device (like a hard drive or a DVD), and transmitted over a network (such as a local area
network or the Internet). Information security can be understood by examining its goals and how it is accomplished.
First, information security ensures that protective measures are properly implemented. Just as with national security,
information security cannot completely prevent attacks or guarantee that a system is totally secure. Rather,
information security creates a defense that attempts to ward off attacks and prevents the collapse of the system when
an attack does occur. Thus, information security is protection.
Second, information security is intended to protect information that has value to people and organizations, and that
value comes from the characteristics of the information. Three of the characteristics of information that must be
protected by information security are:
1. Confidentiality—Confidentiality ensures that only authorized parties can view the information.
2. Integrity—Integrity ensures that the information is correct and no unauthorized person
or malicious software has altered that data.
3. Availability—Availability ensures that data is accessible to authorized users.
Information security attempts to safeguard these three characteristics of information.

However, information security involves more than protecting the information itself. Because this information is
stored on computer hardware, manipulated by software, and transmitted by communications, each of these areas
must also be protected. The third objective of information security is to protect the confidentiality, integrity, and
availability of information on the devices that store, manipulate, and transmit the information.

Challenges of securing information

Difficulties in Defending against Attacks

The challenge of keeping computers secure has never been greater, not only because of the number of attacks but
also because of the difficulties faced in defending against these attacks.
These difficulties include:
• Speed of attacks—With modern tools at their disposal, attackers can quickly scan systems to find weaknesses and
launch attacks with unprecedented speed. For example, the Slammer worm infected 75,000 computers in the first
11 minutes after it was released, and the number of infections doubled every 8.5 seconds. At its peak, Slammer was
scanning 55 million computers per second looking for another computer to infect. The Blaster worm infected
138,000 computers in the first four hours and ended up infecting over 1.4 million computers. Many attack tools can
now initiate new attacks without any human initiative, further increasing the speed at which systems are attacked.
• Greater sophistication of attacks—Attacks are becoming more complex, making them more difficult to detect and
defend against. Attackers today use common Internet tools and protocols to send malicious data or commands to
attack computers, making it difficult to distinguish an attack from legitimate traffic. Other attack tools vary their
behavior so that the same attack appears differently each time, further complicating detection.
• Simplicity of attack tools—In the past, an attacker needed technical knowledge of attack tools before they could be
used. Today, however, many attack tools are freely available and do not require any technical knowledge, as seen in
Figure 1-1. Any attacker can easily obtain these tools through the Internet, and they increasingly have simple menu
structures from which the attacker can simply pick the desired attack.

• Attackers can detect vulnerabilities more quickly and more readily exploit them—The number of newly discovered
system vulnerabilities doubles annually. This has resulted in an increasing number of zero day attacks. While most
attacks take advantage of vulnerabilities that someone has already uncovered, a zero day attack occurs when an
attacker discovers and exploits a previously unknown flaw. Providing “zero days” of warning, a zero day attack can
be especially crippling to networks and computers because the attack runs rampant while precious time is spent
trying to identify the vulnerability.
• Delays in patching hardware and software products—Software vendors are often overwhelmed trying to keep pace
with updating their products against attacks. For example, the flood of potential malware each month has increased
to the point that the traditional signature-based defense method of detecting viruses and other malware is
increasingly seen as an insufficient defense. (A signature-based defense identifies malware on a computer by
matching it to an antivirus signature file that must be updated regularly.) One antivirus software vendor receives
over 200,000 submissions of potential malware each month. At this rate, the antivirus vendors would have to update
and distribute their signature files every 10 minutes to keep users protected. The delay in vendors patching their
own products adds to the difficulties in defending against attacks.
• Most attacks are now distributed attacks, instead of coming from only one source—Attackers can now use
thousands of computers in an attack against a single computer or network. This “many against one” approach makes
it impossible to stop an attack by identifying and blocking a single source.
• User confusion—Increasingly, users are called upon to make difficult security decisions regarding their computer
systems, sometimes with little or no information to direct them. It is not uncommon for a user to be asked security
questions such as “Is it okay to open this port?”, “Is it safe to quarantine this attachment?”, or “Do you want to
permit your bank to install this add-in?” With little or no direction, users are inclined to answer “Yes” to these
questions without understanding the implications.
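The signature-based defense described in the patching bullet above, worked as a small scanner. This is an added illustration written for these notes, not code from the original document; the sample bytes, signature names and the signature file format are all constructed for it. It shows why a one-byte variant slips past an exact-hash entry until the vendor ships an updated signature file.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Signature:
    """One entry in a (constructed) antivirus signature file."""
    name: str
    sha256: Optional[str] = None     # exact-file signature: hash of a known sample
    pattern: Optional[bytes] = None  # byte-sequence signature shared by a family

    def matches(self, data: bytes) -> bool:
        if self.sha256 is not None and hashlib.sha256(data).hexdigest() == self.sha256:
            return True
        if self.pattern is not None and self.pattern in data:
            return True
        return False


def scan(data: bytes, signature_file: List[Signature]) -> List[str]:
    """Return the names of every signature that matches. An empty list means
    'nothing known was found', which is not the same as 'clean'."""
    return [sig.name for sig in signature_file if sig.matches(data)]


def add_signature(signature_file: List[Signature], sig: Signature) -> List[Signature]:
    """Model the vendor distributing an updated signature file (returns a new list)."""
    return signature_file + [sig]


# Constructed samples, not real malware: one the vendor has already analysed,
# a variant differing by a single byte, and a benign shell script.
KNOWN_SAMPLE = b"MZ\x90\x00 demo-payload:v1 \x00\x01\x02"
VARIANT_SAMPLE = b"MZ\x90\x00 demo-payload:v2 \x00\x01\x02"
BENIGN_SAMPLE = b"#!/bin/sh\necho 'hello'\n"

# The signature file as first distributed: a single exact-hash entry.
INITIAL_SIGNATURES = [
    Signature("constructed.sample.v1", sha256=hashlib.sha256(KNOWN_SAMPLE).hexdigest()),
]


def demo():
    """Return (before_update, after_update) scan results for the variant."""
    before = scan(VARIANT_SAMPLE, INITIAL_SIGNATURES)  # [] : the variant is missed
    # After receiving the variant as a submission, the vendor adds a pattern
    # signature covering the whole family and redistributes the file.
    updated = add_signature(
        INITIAL_SIGNATURES,
        Signature("constructed.sample.family", pattern=b"demo-payload:v"),
    )
    after = scan(VARIANT_SAMPLE, updated)  # now caught by the family entry
    return before, after


if __name__ == "__main__":
    print("known  :", scan(KNOWN_SAMPLE, INITIAL_SIGNATURES))
    print("benign :", scan(BENIGN_SAMPLE, INITIAL_SIGNATURES))
    print("variant:", demo())
```

The gap between `before` and `after` is the window the text describes: every variant that reaches users before the updated file does is undetected by this method.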

Understanding the Importance of Information Security
Information security is important to businesses and individuals. The main goals of information security are to
prevent data theft, thwart identity theft, avoid the legal consequences of not securing information, maintain
productivity, and foil cyberterrorism.

Who Are the Attackers?


The types of people behind computer attacks are generally divided into several categories.
These include hackers, script kiddies, spies, employees, cybercriminals, and cyberterrorists.
Hackers
Although the term hacker is commonly used, computer experts and others debate its definition. Some use “hacker”
in a generic sense to identify anyone who illegally breaks into or attempts to break into a computer system. Used in
this way “hacker” is synonymous with “attacker.” Others use the term more narrowly to mean a person who uses
advanced computer skills to attack computers only to expose security flaws. Although breaking into another
person’s computer system is illegal, some hackers believe it is ethical as long as they do not commit theft,
vandalism, or breach any confidentiality. These hackers (who like to call themselves “White Hats”) claim that their
motive is to improve security by seeking out security holes so that they can be fixed.
Security vulnerabilities, however, can be exposed in ways other than attacking another computer without the
owner’s consent, and most security professionals would not refer to themselves as hackers. The general use of the
term hacker to refer to someone who attacks computers is the more widely accepted usage of this word.
Script Kiddies
Script kiddies want to break into computers to create damage. However, whereas hackers have an advanced
knowledge of computers and networks, script kiddies are unskilled users. Script kiddies do their work by
downloading automated hacking software (scripts) from Web sites and using it to break into computers.
While script kiddies lack the technical skills of hackers, they are sometimes considered more dangerous. Script
kiddies tend to be computer users who have almost unlimited amounts of leisure time, which they can use to attack
systems. Their success in using automated software scripts tends to fuel their desire to break into more computers
and cause even more harm. Because script kiddies do not understand the technology behind what they are
doing, they often indiscriminately target a wide range of computers, causing problems for a large audience.
Spies
A computer spy is a person who has been hired to break into a computer and steal information. Spies do not
randomly search for unsecured computers to attack as script kiddies and hackers do. Rather, spies are hired to attack
a specific computer or system that contains sensitive information. Their goal is to break into that computer or system
and take the information without drawing any attention to their actions. Spies, like hackers, possess excellent
computer skills.
Employees
One of the largest information security threats to a business actually comes from an unlikely source: its employees.
Why would employees break into their company’s computer? Sometimes an employee might want to show the
company a weakness in their security. On other occasions, disgruntled employees may be intent on retaliating
against the company. Some employees may be motivated by money. A competitor might approach an employee and
offer money in exchange for stealing information. In some instances, employees have even been blackmailed into
stealing from their employer. In addition, carelessness by employees, who have left laptop computers in airports or
who have failed to password protect sensitive data, has also resulted in information being stolen.
Cybercriminals
There is a new breed of computer attackers known as cybercriminals. Cybercriminals are a loose-knit network of
attackers, identity thieves, and financial fraudsters. These cybercriminals are described as being more highly
motivated, less risk-averse, better funded, and more tenacious than hackers. Many security experts believe that
cybercriminals belong to organized gangs of young and mostly Eastern European attackers.

Cyberterrorists
Many security experts fear that terrorists will turn their attacks to the network and computer infrastructure to cause
panic among citizens. Known as cyberterrorists, their motivation may be defined as ideology, or attacking for the
sake of their principles or beliefs. A report distributed by the Institute for Security Technology Studies at Dartmouth
College lists three goals of a cyberattack:
• To deface electronic information (such as Web sites) and spread misinformation and propaganda
• To deny service to legitimate computer users
• To commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and
corruption of vital data
Cyberterrorists are sometimes considered the attackers that should be feared the most, for it is almost impossible to
predict when or where an attack may occur. Unlike hackers who continuously probe systems or create attacks,
cyberterrorists can be inactive for several years and then suddenly strike a network in a new way. Their targets may
include a small group of computers or networks that can affect the largest number of users, such as the computers
that control the electrical power grid of a state or region. An isolated attack could cause a power
blackout that could affect tens of millions of people.

Attacks and Defenses

Although there are a wide variety of attacks that can be launched against a computer or network, the same basic
steps are used in most attacks. Protecting computers against these steps in an attack calls for five fundamental
security principles.
Steps of an Attack
There are a variety of types of attacks. One way to categorize these attacks is by the five steps that make up an
attack. The steps are:
1. Probe for information—The first step in an attack is to probe the system for any information that can be used to
attack it. This type of “reconnaissance” is essential to provide information, such as the type of hardware used,
version of software or firmware, and even personal information about the users, that can then be used in the next
step. Actions that take place in probing for information include ping sweeps of the network to determine if a system
responds, port scanning for seeing what ports may be open, queries that send failure messages back to a system
when a delivery problem has been detected, and password guessing.
2. Penetrate any defenses. Once a potential system has been identified and information about it has been gathered,
the next step is to launch the attack to penetrate the defenses.
These attacks come in a variety of forms, such as manipulating or breaking a password.
3. Modify security settings. Modifying the security settings is the next step after the system has been penetrated. This
allows the attacker to re-enter the compromised system more easily. There are many programs, known as privilege
escalation tools, that help accomplish this task.
4. Circulate to other systems. Once the network or system has been compromised, the attacker then uses it as a base
to attack other networks and computers. The same tools that are used to probe for information are then directed
toward other systems.
5. Paralyze networks and devices—If the attacker chooses, he or she may also work to maliciously damage the
infected computer or network. This may include deleting or modifying files, stealing valuable data, crashing the
computer, or performing denial of service attacks.

Defenses against Attacks

Although multiple defenses may be necessary to withstand an attack, these defenses should be based on five
fundamental security principles: protecting systems by layering, limiting, diversity, obscurity, and simplicity. This
section examines each of these principles, which provide a foundation for building a secure system.
Layering
The Hope diamond is a massive (45 carat) stone that by some estimates is worth one-quarter of a billion dollars.
How are precious stones like the Hope diamond protected from theft? They are not openly displayed in public with a
single security guard standing at the door. Instead, they are enclosed in protective cases that are bullet-proof, smash-
proof, and resistant to almost any outside force. The cases are located in special rooms with massive walls and
sensors that can detect slight movements or vibrations. The doors to the rooms are monitored around the
clock by remote security cameras, and the video images from each camera are recorded on tape. The rooms are in
buildings surrounded by roaming guards and fences. In short, precious stones are protected by layers of security. If
one layer is penetrated—such as the thief getting into the building—several more layers must still be breached, with
each layer being more difficult or complicated than the previous layer. A layered approach has the advantage of
creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks.
The Hope diamond has not always had multiple layers of security. In 1958, this priceless diamond was placed in a plain brown
paper wrapper and sent by registered first-class U.S. mail to the Smithsonian Institution! The envelope in which it was sent is on
display at the Smithsonian along with the diamond itself.
Information security must likewise be created in layers. One defense mechanism may be relatively easy for an
attacker to circumvent. Instead, a security system must have layers, making it unlikely that an attacker has the tools
and skills to break through all the layers of defenses. A layered approach can also be useful in resisting a variety of
attacks. Layered security provides the most comprehensive protection.
Limiting
Consider again protecting a precious diamond. Although a diamond may be on display for the general public to
view, permitting anyone to touch the stone increases the chances that it will be stolen. Only approved personnel
should be authorized to handle the diamond. Limiting who can access the diamond reduces the threat against it.
The same is true with information security. Limiting access to information reduces the threat against it. Only those
who must use data should have access to it. In addition, the amount of access granted to someone should be limited
to what that person needs to know. For example, access to the human resource database for an organization should
be limited to approved employees, including department managers and vice presidents. An entry-level computer
technician might back up the database every day, but he should not be able to view the data such as the salaries of
the vice presidents, because he has no job-related need to do so. What level of access should users have? The best answer
is the least amount necessary to do their jobs, and no more.
Some ways to limit access are technology-based (such as assigning file permissions so that a user can only read but
not modify a file), while others are procedural (prohibiting an employee from removing a sensitive document from
the premises). The key is that access must be restricted to the bare minimum.
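The human resources database scenario above, worked as an access check. This is an added illustration written for these notes, not code from the original document; the roles, permission names and employee records are invented for it. Each role is granted only the operations its job requires, everything else is denied by default and recorded, and the backup technician can copy the store without being able to view salaries.

```python
import json
from typing import Dict, List, Set

# Constructed HR records; names and figures are invented for this example.
HR_RECORDS: Dict[str, dict] = {
    "E001": {"name": "Example VP", "title": "Vice President", "salary": 250000},
    "E002": {"name": "Example Tech", "title": "Technician", "salary": 48000},
}

# Each role lists only the operations its job requires; anything not listed
# is denied. The backup technician may copy the store for the nightly backup
# but holds no read permission on its contents.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "vice_president":     {"read:record", "read:salary"},
    "department_manager": {"read:record"},
    "backup_technician":  {"backup:store"},
}

AUDIT_LOG: List[str] = []   # every denial is recorded for later review


class AccessDenied(PermissionError):
    pass


def authorize(role: str, permission: str) -> None:
    """Deny by default: an unknown role and an unlisted permission both fail."""
    if permission not in ROLE_PERMISSIONS.get(role, set()):
        AUDIT_LOG.append(f"DENY role={role} permission={permission}")
        raise AccessDenied(f"{role} is not allowed to {permission}")


def read_record(role: str, emp_id: str) -> dict:
    """Record-level limit first, then a field-level limit on the salary."""
    authorize(role, "read:record")
    record = dict(HR_RECORDS[emp_id])
    if "read:salary" not in ROLE_PERMISSIONS[role]:
        del record["salary"]      # manager sees the record but not the salary
    return record


def backup_store(role: str) -> bytes:
    """The backup job receives the serialised store as one opaque blob.
    Assumption: in a real deployment the store is encrypted at rest, so the
    copied bytes reveal nothing to the technician; not implemented here."""
    authorize(role, "backup:store")
    return json.dumps(HR_RECORDS, sort_keys=True).encode()


def attempt_read(role: str, emp_id: str) -> bool:
    """True if the role may read the record at all, False if it was refused."""
    try:
        read_record(role, emp_id)
    except AccessDenied:
        return False
    return True


if __name__ == "__main__":
    print(read_record("vice_president", "E001"))
    print(read_record("department_manager", "E001"))
    print(attempt_read("backup_technician", "E001"), len(backup_store("backup_technician")))
    print(AUDIT_LOG)
```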
Diversity
Diversity is closely related to layering. Just as it is important to protect data with layers of security, so too must the
layers be different (diverse) so that if attackers penetrate one layer, they cannot use the same techniques to break
through all other layers. A jewel thief, for instance, might be able to foil the security camera by dressing in black
clothes but should not be able to use the same technique to trick the motion detection system.
Using diverse layers of defense means that breaching one security layer does not compromise the whole system.
Diversity may be achieved in several ways. For example, some organizations use security products provided by
different vendors. An attacker who can circumvent a Brand A device would have more difficulty trying to break
through both Brand A and Brand B devices because they are different.
Obscurity
Suppose a thief plans to steal a precious diamond during a shift change of the security guards. When the thief
observes the guards, however, she finds that the guards do not change shifts at the same time each night. On Monday
they rotate shifts at 7:15 PM, while on Tuesday they rotate at 6:50 PM, and the following Monday at 6:25 PM. The
thief cannot find out the times of these changes because they are kept secret. The thief, not knowing when a change
takes place, cannot detect a clear pattern of times. Because the shift changes are confusing and not well known, an
attack becomes more difficult. This technique is sometimes called “security by obscurity.” Obscuring what goes on
inside a system or organization and avoiding clear patterns of behavior make attacks from the outside much more
difficult.
An example of obscurity would be not revealing the type of computer, operating system, software, and network
connection a computer uses. An attacker who knows that information can more easily determine the weaknesses of
the system to attack it. However, if this information is hidden, it takes much more effort to acquire the information
and, in many instances, an attacker will then move on to another computer in which the information is
easily available. Obscuring information can be an important way to protect information.
Simplicity
Because attacks can come from a variety of sources and in many ways, information security is by its very nature
complex. The more complex something becomes, the more difficult it is to understand. A security guard who does
not understand how motion detectors interact with infrared trip lights may not know what to do when one system
alarm shows an intruder but the other does not. In addition, complex systems allow many opportunities for
something to go wrong. In short, complex systems can be a thief’s ally.
The same is true with information security. Complex security systems can be hard to understand, troubleshoot, and
feel secure about. As much as possible, a secure system should be simple for those on the inside to understand and
use. Complex security schemes are often compromised to make them easier for trusted users to work with—yet this
can also make it easier for the attackers. In short, keeping a system simple from the inside but complex on the
outside can sometimes be difficult but reaps a major benefit.

Chapter Summary

■ Attacks against information security have grown exponentially in recent years, despite the fact that
billions of dollars are spent annually on security defenses. Computer systems based on Microsoft
Windows and Apple Macintosh operating systems, as well as other types of operating systems, are all
vulnerable to attacks.

■ There are several reasons why it is difficult to defend against today’s attacks. These include the speed
of the attacks, greater sophistication of attacks, increased simplicity of attack tools, faster detection of
vulnerabilities by attackers, delays in patching hardware and software products, distributed attacks
coming from multiple sources, and user confusion.

■ Information security may be defined as that which protects the integrity, confidentiality, and
availability of information on the devices that store, manipulate, and transmit the information through
products, people, and procedures. As with many advanced subjects, information security has its own set
of terminology.

■ The main goals of information security are to prevent data theft, thwart identity theft, avoid the legal
consequences of not securing information, maintain productivity, and foil cyberterrorism.

■ The types of people behind computer attacks are generally divided into several categories. The term
hacker generally refers to someone who attacks computers. Script kiddies do their work by downloading
automated hacking software (scripts) from Web sites and then using it to break into computers. A
computer spy is a person who has been hired to break into a computer and steal information. One of
the largest information security threats to a business actually comes from its employees. A new breed of
computer attackers is known as cybercriminals, who are a loose-knit network of attackers, identity
thieves, and financial fraudsters. Cyberterrorists turn their attacks to the network and computer
infrastructure to cause panic among citizens for the sake of their principles or beliefs.

■ There are a variety of types of attacks. There are five general steps that make up an attack: probe for
information, penetrate any defenses, modify security settings, circulate to other systems, and paralyze
networks and devices. Although multiple defenses may be necessary to withstand the steps of an attack,
these defenses should be based on five fundamental security principles: layering, limiting, diversity,
obscurity, and simplicity.

Key Terms

Asset. An entity that has value.

Availability. Ensures that data is accessible to authorized users.

Confidentiality. Ensures that only authorized parties can view the information.

Cybercrime. Targeted attacks against financial networks, unauthorized access to information, and the
theft of personal information.
Cybercriminals. A loose-knit network of attackers, identity thieves, and financial fraudsters that are
more highly motivated, less risk-averse, better funded, and more tenacious than hackers.

Cyberterrorism. Attacks launched by cyberterrorists that could cripple a nation’s electronic and
commercial infrastructure.

Cyberterrorist. An attacker motivated by ideology to attack computers or infrastructure networks.

Exploit. To take advantage of a vulnerability.

Hacker. (1) Anyone who illegally breaks into or attempts to break into a computer system; (2) a person
who uses advanced computer skills to attack computers but not with malicious intent.

Integrity. Ensures that the information is correct and no unauthorized person or malicious software has
altered that data.

Risk. The likelihood that a threat agent will exploit a vulnerability.

Script kiddie. An unskilled user who downloads automated attack software to attack computers.

Signature-based defense. A method that identifies malware on a computer by matching it to an antivirus
signature file.

Spy. A person who has been hired to break into a computer and steal information.

Threat. An event or action that may defeat the security measures in place and result in a loss.

Threat agent. A person or thing that has the power to carry out a threat.

Vulnerability. A weakness that allows a threat agent to bypass security.

Zero day attack. An attack that occurs when an attacker discovers and exploits a previously unknown
flaw, providing “zero days” of warning.
