Because of the increased reliance on powerful, networked computers to
help run businesses and keep track of our personal information, industries
have been formed around the practice of network and computer
security. Enterprises have solicited the knowledge and skills of security
experts to properly audit systems and tailor solutions to fit the
operating requirements of the organization. Because most organizations are
dynamic in nature, with workers accessing company IT resources locally and
remotely, the need for secure computing environments has become more
pronounced.
Unfortunately, most organizations (as well as individual users) regard
security as an afterthought, a process that is overlooked in favor of
increased power, productivity, and budgetary concerns. Proper security
implementation is often enacted postmortem —
after an unauthorized intrusion has already occurred. Security experts
agree that the right measures taken prior to connecting a site to an
untrusted network, such as the Internet, is an effective means of
thwarting most attempts at intrusion.
Computer security is a general term that covers a wide area of
computing and information processing. Industries that depend on computer
systems and networks to conduct daily business transactions and access
crucial information regard their data as an important part of their
overall assets. Several terms and metrics have entered our daily
business vocabulary, such as total cost of ownership (TCO) and quality
of service (QoS). In these metrics, industries calculate aspects such as
data integrity and high-availability as part of their planning and
process management costs. In some industries, such as electronic
commerce, the availability and trustworthiness of data can be the
difference between success and failure.
Many readers may recall the movie "Wargames," starring Matthew
Broderick in his portrayal of a high school student who breaks into
the United States Department of Defense (DoD) supercomputer and
inadvertently causes a nuclear war threat. In this movie, Broderick
uses his modem to dial into the DoD computer (called WOPR) and plays
games with the artificially intelligent software controlling all of
the nuclear missile silos. The movie was released during the "cold
war" between the former Soviet Union and the United States and
was considered a success in its theatrical release in 1983. The
popularity of the movie inspired many individuals and groups to begin
implementing some of the methods that the young protagonist used to
crack restricted systems, including what is known as war
dialing — a method of searching phone numbers for
analog modem connections in a defined area code and phone prefix
combination.
More than 10 years later, after a four-year, multi-jurisdictional
pursuit involving the Federal Bureau of Investigation (FBI) and the
aid of computer professionals across the country, infamous computer
cracker Kevin Mitnick was arrested and charged with 25 counts of
computer and access device fraud that resulted in an estimated US$80
Million in losses of intellectual property and source code from Nokia,
NEC, Sun Microsystems, Novell, Fujitsu, and Motorola. At the time, the
FBI considered it to be the largest computer-related criminal offense
in U.S. history. He was convicted and sentenced to a combined 68
months in prison for his crimes, of which he served 60 months before
his parole on January 21, 2000. Mitnick was further barred from using
computers or doing any computer-related consulting until
2003. Investigators say that Mitnick was an expert in
social engineering — using human beings
to gain access to passwords and systems using falsified credentials.
Information security has evolved over the years due to the
increasing reliance on public networks to disclose personal,
financial, and other restricted information. There are numerous
instances such as the Mitnick and the Vladimir Levin cases (refer to
Section 1.1.2 Computer Security Timeline for more information) that
prompted organizations across all industries to rethink the way they
handle information transmission and disclosure. The popularity of the
Internet was one of the most important developments that prompted an
intensified effort in data security.
An ever-growing number of people are using their personal
computers to gain access to the resources that the Internet has to
offer. From research and information retrieval to electronic mail and
commerce transaction, the Internet has been regarded as one of the
most important developments of the 20th century.
The Internet and its earlier protocols, however, were developed as
a trust-based system. That is, the Internet
Protocol was not designed to be secure in itself. There are no
approved security standards built into the TCP/IP communications
stack, leaving it open to potentially malicious users and processes
across the network. Modern developments have made Internet
communication more secure, but there are still several incidents that
gain national attention and alert us to the fact that nothing is
completely safe.
Several key events contributed to the birth and rise of computer
security. The following timeline lists some of the more important events
that brought attention to computer and information security and its
importance today.
Polish cryptographers invent the Enigma machine in 1918, an
electro-mechanical rotor cypher device which converts plain-text
messages to an encrypted result. Originally developed to secure
banking communications, the German military finds the potential of
the device by securing communications during World War II. A
brilliant mathematician named Alan Turing develops a method for
breaking the codes of Enigma, enabling Allied forces to develop
Colossus, a machine often credited to ending the war a year
early.
Students at the Massachusetts Institute of Technology (MIT)
form the Tech Model Railroad Club (TMRC) begin exploring and
programming the school's PDP-1 mainframe computer system. The
group eventually coined the term "hacker" in the context it is
known today.
The DoD creates the Advanced Research Projects Agency
Network (ARPANet), which gains popularity in research and academic
circles as a conduit for the electronic exchange of data and
information. This paves the way for the creation of the carrier
network known today as the Internet.
Ken Thompson develops the UNIX operating system, widely
hailed as the most "hacker-friendly" OS because of its accessible
developer tools and compilers, and its supportive user
community. Around the same time, Dennis Ritchie develops the C
programming language, arguably the most popular hacking language
in computer history.
Bolt, Beranek, and Newman, a computing research and
development contractor for government and industry, develops the
Telnet protocol, a public extension of the ARPANet. This opens
doors for the public use of data networks which were once
restricted to government contractors and academic
researchers. Telnet, though, is also arguably the most insecure
protocol for public networks, according to several security
researchers.
Steve Jobs and Steve Wozniak found Apple Computer and begin
marketing the Personal Computer (PC). The PC is the springboard
for several malicious users to learn the craft of cracking
systems remotely using common PC communication hardware such as
analog modems and war dialers.
Jim Ellis and Tom Truscott create USENET, a
bulletin-board-style system for electronic communication between
disparate users. USENET quickly becomes one of the most popular
forums for the exchange of ideas in computing, networking, and, of
course, cracking.
IBM develops and markets PCs based on the Intel 8086
microprocessor, a relatively inexpensive architecture that brought
computing from the office to the home. This serves to commodify
the PC as a common and accessible tool that was fairly powerful
and easy to use, aiding in the proliferation of such hardware in
the homes and offices of malicious users.
The Transmission Control Protocol, developed by Vint Cerf,
is split into two separate parts. The Internet Protocol is born
from this split, and the combined TCP/IP protocol becomes the
standard for all Internet communication today.
Based on developments in the area of
phreaking, or exploring and hacking the
telephone system, the magazine 2600: The Hacker
Quarterly is created and begins discussion on topics
such as cracking computers and computer networks to a broad
audience.
The 414 gang (named after the area code where they lived and
hacked from) are raided by authorities after a nine-day cracking
spree where they break into systems from such top-secret
locations as the Los Alamos National Laboratory, a nuclear
weapons research facility.
The Legion of Doom and the Chaos Computer Club are two
pioneering cracker groups that begin exploiting vulnerabilities in
computers and electronic data networks.
The Computer Fraud and Abuse Act of 1986 is voted into law
by congress based on the exploits of Ian Murphy, also known as
Captain Zap, who broke into military computers, stole information
from company merchandise order databases, and used restricted
government telephone switchboards to make phone calls.
Based on the Computer Fraud and Abuse Act, the courts
convict Robert Morris, a graduate student, for unleashing the
Morris Worm to over 6,000 vulnerable computers connected to the
Internet. The next most prominent case ruled under this act was
Herbert Zinn, a high-school dropout who cracked and misused
systems belonging to AT&T and the DoD.
Based on concerns that the Morris Worm ordeal could be
replicated, the Computer Emergency Response Team (CERT) is created
to alert computer users of network security issues.
Clifford Stoll writes The Cuckoo's
Egg, Stoll's account of investigating crackers who
exploit his system.
ARPANet is decommissioned. Traffic from that network is
transferred to the Internet.
Linus Torvalds develops the Linux kernel for use with the
GNU operating system; the widespread development and adoption of
Linux is largely due to the collaboration of users and developers
communicating via the Internet. Because of its roots in UNIX,
Linux is most popular among hackers and administrators who found
it quite useful for building secure alternatives to legacy servers
running proprietary (closed-source) operating systems.
The graphical Web browser is created and sparks an
exponentially higher demand for public Internet access.
Vladimir Levin and accomplices illegally transfer US$10
Million in funds to several accounts by cracking into the CitiBank
central database. Levin is arrested by Interpol and almost all of
the money is recovered.
Possibly the most heralded of all crackers is Kevin Mitnick,
who hacked into several corporate systems, stealing everything
from personal information of celebrities to over 20,000 credit
card numbers and source code for proprietary software. He is
arrested and convicted of wire fraud charges and serves 5 years in
prison.
Kevin Poulsen and an unknown accomplice rig radio station
phone systems to win cars and cash prizes. He is convicted for
computer and wire fraud and is sentenced to 5 years in prison.
The stories of cracking and phreaking become legend, and
several prospective crackers convene at the annual DefCon
convention to celebrate cracking and exchange ideas between peers.
A 19-year-old Israeli student is arrested and convicted for
coordinating numerous break-ins to US government systems during
the Persian-Gulf conflict. Military officials call it "the most
organized and systematic attack" on government systems in US
history.
US Attorney General Janet Reno, in response to escalated
security breaches in government systems, establishes the National
Infrastructure Protection Center.
British communications satellites are taken over and
ransomed by unknown offenders. The British government eventually
seizes control of the satellites.
In February of 2000, a Distributed Denial of Service (DDoS) attack
was unleashed on several of the most heavily-trafficked sites on the
Internet. The attack rendered yahoo.com, cnn.com, amazon.com, fbi.gov,
and several other sites completely unreachable to normal users, as it
tied up routers for several hours with large-byte ICMP packet
transfers, also called a ping flood. The attack
was brought on by unknown assailants using specially created, widely
available programs that scanned vulnerable network servers, installed
client applications called trojans on the
servers, and timed an attack with every infected server flooding the
victim sites and rendering them unavailable. Many blame the attack on
fundamental flaws in the way routers and the protocols used are
structured to accept all incoming data, no matter where or for what
purpose the packets are sent.
This brings us to the new millennium, a time where an estimated
945 Million people use or have used the Internet worldwide (Computer
Industry Almanac, 2004). At the same time:
On any given day, there are approximately 225 major incidences
of security breach reported to the CERT Coordination Center at
Carnegie Mellon University.[1]
In 2003, the number of CERT reported incidences jumped to
137,529 from 82,094 in 2002 and from 52,658 in
2001.[2]
The worldwide economic impact of the three most dangerous
Internet Viruses of the last three years was estimated at US$13.2
Billion.[3]
Computer security has become a quantifiable and justifiable
expense for all IT budgets. Organizations that require data integrity
and high availability elicit the skills of system administrators,
developers, and engineers to ensure 24x7 reliability of their systems,
services, and information. Falling victim to malicious users,
processes, or coordinated attacks is a direct threat to the success of
the organization.
Unfortunately, system and network security can be a difficult
proposition, requiring an intricate knowledge of how an organization
regards, uses, manipulates, and transmits its
information. Understanding the way an organization (and the people
that make up the organization) conducts business is paramount to
implementing a proper security plan.
Enterprises in every industry rely on regulations and rules that
are set by standards making bodies such as the American Medical
Association (AMA) or the Institute of Electrical and Electronics
Engineers (IEEE). The same ideals hold true for information
security. Many security consultants and vendors agree upon the
standard security model known as CIA, or Confidentiality,
Integrity, and Availability. This three-tiered model is a
generally accepted component to assessing risks of sensitive
information and establishing security policy. The following describes
the CIA model in further detail:
Confidentiality — Sensitive information must be
available only to a set of pre-defined individuals. Unauthorized
transmission and usage of information should be restricted. For
example, confidentiality of information ensures that a customer's
personal or financial information is not obtained by an
unauthorized individual for malicious purposes such as identity
theft or credit fraud.
Integrity — Information should not be altered in ways
that render it incomplete or incorrect. Unauthorized users should
be restricted from the ability to modify or destroy sensitive
information.
Availability — Information should be accessible to
authorized users any time that it is needed. Availability is a
warranty that information can be obtained with an agreed-upon
frequency and timeliness. This is often measured in terms of
percentages and agreed to formally in Service Level Agreements
(SLAs) used by network service providers and their enterprise
clients.
