Computer Security Basics
Cytoclonal Pharmaceutics Inc.
The cardinal rule of security is that
No one thing makes a computer secure.
Making a computer secure requires a list of different actions for
There is a secondary rule that says security is an on going process.
No matter how well a system is designed, if it is never changed that
gives any potential infiltrator all the time in the world to examine
the security for flaws.
The information described here is neither detailed nor comprehensive.
This should, however, serve as a good overview of the types of security
measures sometimes taken. What measures are appropriate are best determined
on a case by case basis.
Theft is the physical threat of most concern and rightfully so. Keeping
rooms locked is a good idea, but not always feasible. Keeping computers
locked to a wall or table is a good deterrent against a casual, shoplifting
style, theft but it will not deter a professional with a shopping list.
We have seen a thief use a crow bar to remove a computer along with a portion
of the formica table top (they were then foolish enough to take it to
a repair shop with the table top still attached). There are very loud
alarms which sound when the power cable is unplugged. A combination
of locks and alarms is an excellent theft prevention system for computer
labs which must be publicly accessible, particularly at late hours.
Computer hardware is protected from fire damage by smoke detectors and
sprinkler systems just like any other equipment. Computers are unique in that
the most costly damage is the loss of data which can be prevented by storing
back up tapes in remote locations.
Surge protectors and uninterruptable power supplies are a low cost investment
that can save very costly equipment damage. These are particularly important
if the computer must be used continuously or if your region is prone to
severe thunder storms or frequent power outages. Some surge protectors have
the ability to protect the phone line going to a modem also. The modem and
mother board can be more readily damaged by lightning hitting a phone line
than by lightning hitting the power lines because the computer power supply
provides a minimal amount of protection.
Backing up data is the single most important step in preventing data loss.
Entire companies have gone out of business due to losing valuable information.
An enormous amount of man hours are spent every year reproducing information
which was lost in some manner. Back ups can be on removable disks, tapes,
paper printouts or other computer systems. It is important to periodically
put copies of these back ups in remote physical locations to prevent loosing
the orignal and back up data through fire, etc.
In today's world, virus protection is a necessity for any PC or Macintosh and
viruses are starting to appear on UNIX systems also. No system is completely
safe from viruses since manufacturers have inadvertantly shipped new
computers with viruses on the hard drive and minted CDs with viruses.
For very important data, RAID systems are used. RAID stands for "Redundant
Array of Inexpensive Disks". A raid system is a computer with eight or
more hard drives and software for storing data on those drives.
Every byte of data is spread accross all of these drives
along with a parity bit that tells if it was an odd or even byte. In the
event that a disk fails, it's contents can be completely reconstructed from
the data on the other seven disks. This is a good way to store critical data
which could not be reproduced, but the expense may not be justified otherwise.
The primary threat to data security is illegal computer hackers. Studies
show that the largest percentage of hackers are young men motivated
by status with other hackers, malicious intent or the excitement of a
challenging game. There have also been even more harmful cases of
corporate spying and embezzlement of funds.
Accounts on both multiuser machines and micro computers can be protected by
passwords. Passwords can be very effective or not effective at all.
Insecure password include ones that are easily guessed, never changed,
shared or written down somewhere. Some systems, particularly UNIX, have
password files which are encrypted but readable by all users. Hackers
have developed automated programs, such as "crack", to break the
passwords in these files by raw brute force, trial & error techniques.
Since it could take months to crack well chosen passwords, some systems
use a password aging system that requires all users to set new passwords
periodically. There are also programs to prevent users from setting
easily guessed passwords such as words in the dictionary, common names or
permutations on the account name.
Systems holding data belonging to multiple users, such as UNIX or Windows NT,
set an owner for each file and permissions defining
who is allowed to read or write to it.
Many hacker attacks are centered around finding flaws in the file
permission system. There are ways to set default permissions and ways
to control how much individual users can control their own file permissions.
Since most security attacks are now initiated from a remote location via
the network, many organizations now separate their internal networks from
the internet with a firewall. A firewall is a piece of software running on
a dedicated machine with two network boards. The software can filter which
network traffic is allowed to pass between the internal and external networks.
This is a very effective security measure, but there is an unfortunate
tendency for organizations to make the firewall their only security measure
making any breach of security across the firewall a breach for every machine
in the whole organization. An even higher level of security can be
acheived by not having any connection between the internal network and
the internet or not even having an internal network.
Data encryption provides a second layer of security. Once someone gains
access to data, that data is useless if it has been scrambled by an
encryption program which requires a second password to unscramble it.
Passwords themselves should always be stored in an encrypted form. Today's
encryption systems are similar to military code systems but not as
sophisticated as the systems used by the armed forces. Almost all encrypted
data can be unencrypted without the password by the use of a very large
amount of time on very powerful computers. Security is provided
by making the encryption complex enough that no one would be likely to have
enough computer power to break say a message about the merger next month in
less than six months, at which time the message is no longer valuable.
There must always be someone able to fix a computer system by using a
second password protected account called "system", "administrator", "root"
or "superuser" which bypasses the file permission system. One of the most
serious security attacks is one which gains the password to this account.
As well as particularily stringent security for this account, the encryption
systems mentioned above ensure that there is a second layer of protection
against this type of attack. This also provides for a segmented internal
security system, if such is necessary.
Email is particularly insecure. Mail messages are simple ascii files that
travel across the network where no password is necessary to get to them.
Email is easily forged and can be altered. Of course, no one would
have any particular reason for tampering with many personal messages, but
people conducting sensitive business transactions over email would be wise
to use some sort of email encryption system, such as PGP. These systems
have several functions including encrypting the message itself, verifying
who sent the message and verifying that it was not tampered with.
Audit trails are a means for the system administrators to find out if
security has been breached and how much damage was done. Audit trails are
records made by various pieces of software to log who logged into a system,
from where and what files were accessed.
How Hackers get in
Here is the typical sequence of steps used to gain illegal entry into a
- Learn about the system. Trying to connect to a system using networking
utilities like telnet and ftp will be unsuccessful without a password,
but even unsuccessful logins will often still display the machine manufacturer,
and version of the operating system.
- Look for openings. Try known security flaws on that particular machine
and operating system. Unless the system administrator is very diligent
about installing security patches, many machines have openings in the
security just waiting to be found.
- Try sniffing to get a password. Sniffing is when a machine has software
to watch all of the network traffic and saves the messages corresponding
to a valid user entering their password from a remote location.
- Try spoofing. Many machines share disks with other machines that are
classified as "trusted hosts". In order to share the data on these disks
the two machines must communicate without a password. Spoofing is when
someone configures a third machine to use the network address of one of
the trusted hosts to impersonate that machine. If the spoofing machine
responds faster than the true trusted host, communications will be
carried out with it unnoticed. Spoofing requires that the infiltrator
have physical access to the network in a location that falls close to
the target machine in the network topology, which usually means being
physically close to the target machine.
- Get into the system and cover tracks. Once one of the above techniques
is successful in gaining access to the system, the first order of business
is to alter any records that would reveal the presence of an illegal entry
to the system administrators.
- Try to get superuser access. Just as there are many ways to get
into a user account, there are many ways to get into the root level
account or get equivalent access to the machine.
- Make back doors. Once entry has been gained, that access can be
used to intentionally install security breaches so that the hacker
can still get back into the system if the original method of entry is
- Use the system. At this point, the hacker can steal data, destroy
information, alter files, use CPU time, lock everyone else out of the
How to combat illegal entry
Here are a list of ways to make computers more secure and some minimal
suggestions for when they should be used. For systems that are critical
to operation, all of these and more may be warranted.
- Physical security. Keep doors locked if feasible. Install locks
on accessible but attended machines. Install locks and alarms on machines
- Back up files. This should be done on all computers.
- Use a surge suppressor. All computers.
- Use an uninterruptable power supply. Critical systems.
- Periodic virus checking. All PC and Macintosh computers. High volume
or critical multiuser machines.
- Continual memory resident virus checking. PCs or Macs used by many
people, such as in public labs. When data routinely comes from many sources.
- Firewalls. For organizations that can conduct business with limits
on the internet services accessible from inside the organization. Where
outside access to company data could do significant harm to the business.
- Having no internet connection or no internal network at all is done
when data is particularly sensitive or reliability is of key importance.
Bank record systems and air traffic control systems are some examples.
- Programs to enforce the use of good passwords. Systems with a moderate
to large number of users.
- Password aging. Systems which have a large number of users or are
a likely target for illegal entry.
- Remove old accounts. Old, unused accounts are just that many more
passwords for someone to find out. If it is not feasible to remove old
accounts, the passwords can still be deleted. This is done by setting
a null password for which no possible password will give acccess to the
- Smart cards. There are various varieties of smart cards to act as
passwords electronically. One example is a card with a number that changes
every ten seconds and has its internal clock synchronized to one in the
central computer. This way, even if someone get the password, it is only
good for ten seconds. This expense is only warranted when someone would
have a clear motive for trying to break into a system.
- Install security patches to the operating system. Invisible security
patches should be installed anytime systems are being upgraded.
On systems with many users or that are likely targets for illegal entry,
the system administrator should install new patches frequently or perhaps
instantly when available. Many break ins occur within 24 hours of when
a security flaw and patch is announced. This occurs when someone has
targeted a particular machine and hopes to figure out how to take advantage
of the flaw before the system administrators upgrade the system. For this
reason, many flaws are not announced until a patch or temporary work around
can be announced with them. Networking patches and network software
uprgrades are particularily important.
- Security checking software. There are programs, like Satan, which will
test a system for many known security flaws. These programs were created
so that administrators can test the integrity of the system, but they are
also a favorite tool for the first step in infiltrating a system.
It is a good idea to do this periodically. The software can be set to
check many machines on a network without interrupting the people using
those machines. There are programs to check the system
from the inside as well as checking network vulnerabilities.
- Break in detection software. There are also pieces of software to
alert the system adminstrators when security is being tested by a known
technique. This is a good way to know of an attack before they have gained
- Some level of audit trail should be kept on any multiuser system
and any system with sensitive data. Some level of auditing is built into
many multiuser operating systems. An audit trail has to be maintained
before a break in occurs in order to do any good.
- Use software to prevent sniffing, such as Kerberos or secure shell.
These software packages allow remote logins to be authenticated, without
sending an unencrypted password over the network. We have seen an increase
in sites using these systems, particularily where many users login to
machines remotely. The difficulty is setting up a system which is
secure and reliable as well as not inconveniencing the users.
- Encryption of disk files. Disk files should be kept encrypted when
the data is particularly important. Passwords, social security numbers
and credit card numbers should always be encrypted. Many accounting
systems use encryption.
- Do not use your credit card over the web unless your browser (not their
web page) identifies it as a secure server. Even at that it is advisable
only to do so with reputable companies that you are familiar with. You
should never need a credit card number to get something that is free.
- Encrypted email software should be used when someone would have a reason
to want to see, forge or alter email messages.
- Random manual monitoring. For a few businesses that deal with very
sensitive information and must use networks, the security administrators will
occasionally manually look at the information being passed over the network,
particularly through the firewall. This probably is not warranted unless
security is important enough to be paying someone solely as a security
- Hiring tiger teams. A tiger team is a group of honest expert hackers
that are hired to break into your system in order to give you an analysis of
your security. This is generally done by banks or others with extremely
A very comprehensive book is
D. Atkins, P. Buis, C. Hare, R. Kelly, C. Nachenberg, A. B. Nelson,
P. Phillips, T. Ritchey, W. Steen "Internet Security Professional
Reference" New Riders (1996)
Another good book is
J. Vacca "Internet Security Secrets" IDG (1996)
A good look at security from the system adminstrators point of view is in
AE Frisch "Essential System Administration" O'Reilley (1995)
The vendor that the computer or operating system was purchased from is also
an excellent source of security information.
International Computer Security Association
American Society for Industrial Security
White papers from McAfee
Fred Cohen and Associates
Information Systems Security Association
Computer Security Technology Center
Yahoo security and encryption page
Footnote on terminology
One term which people often object to is "hacker". Some people choose
to use the term "cracker" for illegal activities and "hacker" for a
computer expert. We have chosen the more common usage and qualify
it with the adjective "illegal". Don't get all bent out of shape folks.
Return to table of contents.