Computer System Security: A Primer

Dell Power Solutions

By J. Craig Lowery, Ph.D. (March 2002)

Computer system security attacks are one of the most urgent problems facing IT professionals today. Security threats challenge administrators to protect their systems without hindering client access. This article provides an overview of current security threats, including the motivations and methods of attackers, the vulnerabilities they exploit, and the defenses administrators employ.

The terms computer virus, hacker, and script kiddy have become part of the common lexicon, illustrating the pervasiveness of computer security issues. Disturbing reports of unauthorized system entry, denial of service, and information theft occur often enough to damage the public trust in computer and network security. These security threats force IT administrators to not only monitor and defend their systems, but also to reassure users that the services they depend on and the data they entrust to those services are available, intact, and protected from unauthorized access.

The most effective way for administrators to prevent and combat future security attacks is to understand the commonalities of past attacks. To do this, administrators should be familiar with attack terminology, which falls into four categories: attacker types, attack goals, exploited vulnerabilities, and defenses against attacks. These four categories provide an excellent structure for studying computer system security at a high level (see Figure 1).

Figure 1. Pieces of the security puzzle

Please note that in the context of this article, the term computer system includes hardware, software, network transmission paths, and people who interact with these components. By this definition, everything from a desktop workstation to the Internet qualifies as a computer system.

Types of computer system attackers

An attacker is a person who tries to gain an advantage by exploiting a security hole. Attackers are misfeasors, masqueraders, or clandestine users.

Misfeasors. These authorized users gain additional but unauthorized access to resources on a system or otherwise misuse their authorization. Examples include programmers who use their accounts to exploit operating system (OS) vulnerabilities and gain administrative privileges, or accountants who embezzle money by falsifying records in a database to which they have regular access. A misfeasor is an "inside" person, someone within an organization who introduces a security risk or poses a threat.

Masqueraders. These people use authorized user access privileges to enter a system and then, posing as that user, attack the system. Examples include hackers who obtain usernames and passwords by cracking password files, and then use that information to gain entry to the system. Masqueraders are usually persons outside the organization.

Clandestine users. These individuals are insiders or outsiders who obtain their own, distinct unauthorized access to a system. Examples include hackers who obtain administrative access to a system long enough to create their own user accounts for subsequent access.

The concepts of access and authorization are not necessarily limited to user accounts within an OS. Physical access to an equipment closet or authorization to place orders for new telephony service are examples of other types of access and authorization. All persons who have any degree of physical or logical interaction with a system, its components, or its processes are capable of compromising system security.

Common goals of security attackers

The goals of an attacker range from innocuous to severely damaging:

Trophy grabbing. Most thrill-seeking attackers are trophy grabbing. Their intent is not to disrupt or damage a system, but to prove that they can enter the system. Such accomplishments are badges of achievement in the hacker community.

Information theft. The most common goal of a security attack is information theft. Intruders seek sensitive information such as credit card numbers, usernames, passwords, and medical records.

Service theft. This type of attack involves attackers who use computer resources without paying for them. Software pirates who crack systems to host stolen software, or warez, for others to download are guilty of service theft. Clandestine users also commit service theft by having unauthorized accounts on a server.

Identity theft. This is the act of illegally assuming the identity of another person, or masquerading, to gain control of that person's resources (usually computer and economic privileges). An example of this is an attacker who uses stolen social security numbers and credit histories to establish and exercise unauthorized lines of credit. Identity theft does not necessarily involve information theft. For example, an attacker can commit e-mail forgery without stealing sensitive information about the e-mail address owner.

Tampering. This attack is more serious than information theft because the attacker alters data rather than simply copying it. A student who changes a grade in a university registrar's database is tampering. This example is stealthy tampering: the attack is not intended to draw attention. A more extreme form of tampering is defacement, in which a hacker alters a system in a very noticeable way, usually to make a personal or political statement. The disgruntled computer operator who, upon dismissal, embeds nasty messages about management in a login script, or the activist group that hacks into a corporate Web site, are typical examples.

Denial of service (DoS). DoS can be the most damaging type of security attack. It diminishes server capacity for authorized clients and temporarily disrupts access to the system. In the worst cases, DoS attacks render a system unusable for a protracted period by destroying not only its ability to communicate, but also any data that has been entrusted to it. DoS also can occur as an unintentional side effect of service theft. For example, hosting pirated warez can bring down a system because of the excessive download activity.

Vulnerabilities that attackers prey upon

Although attackers continue to create new methods for violating computer system security, the vulnerabilities they exploit remain the same. These vulnerabilities can be divided into five types (see "Common Attacks" for specific definitions of attack terms):

  • Implicit trust. The unquestioning, unchecked acceptance of a person or agent. Attacks that exploit this vulnerability include: compromised system utilities, e-mail forgery, IP spoofing, keystroke monitoring, logic bomb, masquerading, shoulder surfing, social engineering, Trojan horse, trapdoor
  • Configuration error. An error in configuration or a failure to replace a default configuration with a more secure one. Attacks include: backdoor, bacteria, e-mail relay, IP spoofing, network scanning, ping flooding, shell escapes, smurfing, war dialing
  • Public information. Leveraging well-known or easily obtainable information to expose weaknesses or to facilitate an attack. Attacks include: DNS hijack, packet sniffing, security audit tools, traffic analysis, van Eck attack, worm
  • Weak design. A process or system that was not designed with security as a goal. Attacks include: buffer overrun, DNS hijack, IP spoofing, mail bombing, masquerading, network scanning, ping flooding, replay attack, shell escape, smurfing, SYN flooding, virus, worm
  • Carelessness. Failure to observe procedures and regimens that would foster a secure environment, such as staying current with software patches or choosing good passwords. Attacks include: backdoor, buffer overrun, password cracking, shoulder surfing, war dialing, virus

Defending a system against security attacks

A defense is a countermeasure for dealing with security attacks. Administrators can employ five types of defenses (see "Common Defenses" for specific definitions of defense terms):

  • Obfuscation. Confusing the attacker by obscuring publicly available information that exposes vulnerability. Examples include: anonymity, encryption, packet stuffing, public key cryptography, shielding, steganography, trash disposal
  • Authentication and authorization. Ensuring that a person or system claiming an identity is the real owner of the identity, and granting access on a "must have" basis. Examples include: badges and cards, biometrics, password, shared secret, signature, watermark
  • Monitoring and auditing. Observing system vulnerabilities, either in real time or through audit tools, to detect attacks. Examples include: filtering, firewall, integrity check, intrusion detection, misuse detection, password checker, peer review, process review, security audit tools, virus detection
  • Currency. Consistently using tested software updates and periodically reviewing human processes and procedures. Examples include: patching, process review, upgrading
  • Education and enforcement. Effectively equipping system designers and users with knowledge of security risks, and then enforcing application of this knowledge. Examples include: reminders, tip of the day, training
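The "integrity check" listed under monitoring and auditing is the defense that catches several of the attacks named earlier on this page at once: a compromised system utility, a defaced login script, a backdoor program dropped by a clandestine user, or an audit log deleted to hide tracks. The following Python program is an added illustration written for this primer, not code from the article or from Dell; it builds a baseline of SHA-256 file hashes while the system is trusted, then reports what changed. The directory tree, file names and "tampering" it performs are constructed inside a temporary directory purely to exercise the check.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its hash.

    Run this once while the system is known to be clean; the result is the
    trusted reference that later checks are compared against.
    """
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            file_path = Path(dirpath) / name
            baseline[file_path.relative_to(root).as_posix()] = hash_file(file_path)
    return baseline


def check_integrity(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash the tree and report files that were modified, added, or removed."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, then simulate the kinds of
    changes the article attributes to attackers, and see what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed sample)")
        (root / "etc" / "login.script").write_text("echo welcome\n")
        (root / "etc" / "audit.log").write_text("boot ok\n")
        baseline = build_baseline(root)

        # Changes made after the baseline was taken (all constructed):
        (root / "bin" / "ls").write_bytes(b"replaced ls binary (constructed sample)")  # compromised utility
        (root / "etc" / "login.script").write_text("echo welcome\necho nasty message\n")  # defaced login script
        (root / "etc" / "audit.log").unlink()  # log removed to hide activity
        (root / "bin" / "backdoor").write_bytes(b"constructed sample")  # unauthorized new program

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline is only as trustworthy as its storage: an attacker who can alter the monitored files can usually alter a baseline kept beside them, so store it read-only on separate media or sign it, and schedule the comparison from a host the monitored system cannot write to.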

Moving forward

The key to preventing security attacks from diminishing system performance is knowledge. IT administrators can develop their security strategies by studying historical and contemporary attacks, appropriate defenses, and the evolving trends in the computer security industry. Online resources such as the CERT Coordination Center at Carnegie Mellon University also provide useful information about current security threats and remedies.

J. Craig Lowery, Ph.D. (craig_lowery@dell.com) is a senior engineer in the Application/Software Development Group of the Dell Enterprise Systems Group, where he currently leads the Dell PowerEdge Cache Server engineering team. Craig received an M.S. and a Ph.D. in Computer Science from Vanderbilt University, and a B.S. in Computing Science and Mathematics from Mississippi College. He is an established radio commentator on technology and his primary areas of interest include networking, programming languages, and operating systems.

For more information

CERT Coordination Center at Carnegie Mellon University: http://www.cert.org
