To understand the similarities and differences in security and potential security problems, we first need to define ``stand-alone systems'' and ``network of computing systems''. By ``stand-alone computer system'' we mean a computer with its peripherals, without a permanent connection to other computer systems, exchanging data only through printouts, scanners, typing and other means that require passing the information through a human-readable format. By ``networked computer system'' we mean a computer with a permanent connection to other computer systems and with the possibility of exchanging data without need for direct human intervention. We then need to decide what we call ``computer network'' (in short, ``network''). An old English dictionary provides for the word ``network'' the definition ``1. A fabric of threads, cords, or wires crossing each other at certain intervals, and knotted or secured at the crossings, thus leaving spaces or meshes between them. 2. Any system of lines or channels interlacing or crossing like the fabric of a net; as, a network of veins; a network of railroads''[1]. In computer terms, at the physical level we indicate as ``network'' the medium that links the networked computers together, while at the logical level we indicate the medium and the devices needed to give the connected computers the possibility to communicate, but also the connected (``networked'') computers themselves and the ``language'' (protocol) spoken by the computer systems to communicate with each other[2]. Table 1 allows us to see some differences in terms of security between stand-alone systems and WAN[3]-connected systems.
A first major difference is in controlling the possible sources of risk: in the case of a stand-alone computer system you can easily limit risks by limiting access to it (e.g. putting the system in a locked, secured room), and nobody can access the computer while you are using it; in the case of a networked computer system you cannot put it in a locked, secured room, and even while you are using it someone else can have access to it through the network as well. A second difference, linked to the first one, is establishing from where a hostile activity is being carried out: in the case of a stand-alone system, it can be carried out only using local input; in the case of a network, it can be launched from any point (any system) in the network. A third difference is control: in general a stand-alone system is under your full control, while a network is most often not under your control. A widespread partial exception to what has just been said is the local area network (or LAN), a network covering an area in general limited to a room, floor or building, and in general under the responsibility or control of one entity. You should note, however, that although such a network can be useful, today the greatest benefits are seen as achievable only by connecting it with other networks. This is the reason for the explosive growth the Internet has experienced for years, the possibility to connect to, or anyway exchange data with, people around the world through computer systems connected to networks - it is also the reason for the wording ``partial exception'' above.
This ``upsizing'' of the networks under consideration allows us to see even more easily the differences we listed before: when you are connected to a network like the Internet, the source of a threat or an attack can be anywhere on the globe; even assuming you have full control over your LAN, can you control a network which may be at the other side of the world and under the control of a different entity in a country with different laws, customs and language? This short introduction should have provided you with an appreciation of the changes related to the increase in size and geographical extension of the network (from a stand-alone system, thus no network at all, to a network made of other networks connected between themselves and covering roughly all continents, like the Internet). In summary, with the increase in the number of computer systems and the geographical area covered by a network, we pass from what we could define a ``linear deterministic environment'' (where security can be controlled, it is mostly possible to foresee the security impact of modifications to the environment, and which is relatively static) to an increasingly ``chaotic indeterministic environment'' (where the possibility of control is limited, where the modifications to security may come from changes we have no control over, and which is relatively dynamic). Before we go on with the other sections of this chapter, there is one point we must touch. You may have noticed our ``stand-alone computer system'' seems to exclude the use of ``floppy'' disks to transfer information: if you did, you won (but just a pat on the back, sorry)! Strictly speaking, transfer of information via floppy disks is already a kind of connection, although not a permanent one: a little known fact is that the infamous (since abused and misused) label ``C2'' (an indication that an operating system or anything else computer-related has been evaluated as secure enough to be used in some US government facilities) required the computer to be without a floppy drive; less formal but no less truthful confirmation comes from the expression ``sneakernet'', used in the 80's to indicate the exchange of data between computers via floppy disks (``sneakers'' is a name for sport shoes). Despite this, since by installing adequate protections (e.g. antivirus software) and following adequate precautions (e.g. using only floppies from safe sources, not running software from floppies, not leaving the floppy in when powering up or restarting the computer) you may still keep relative control over your environment, a stand-alone computer system with a floppy or a similar device (e.g. Iomega Zip, CD-ROM or DVD-ROM) can be ``approximated'' to a stand-alone system. There are two other cases which do not correspond to either of the extremes we have discussed: the case of a computer with an intermittent connection to a network, like a ``normal'' modem Internet access, and the case of a user with a ``flat fee'' ADSL connection permanently connected. As you may have imagined, the first case can be considered (depending on the frequency of connection, usage and configuration) as relatively or even very close to the ``stand-alone computer system'' case; the second should be considered equivalent to a networked system in which the network is completely out of your control and covers the planet.
Is it possible to increase the security of a network with some prevention? From what we have written above, we can clearly give a positive answer - we have already indicated the need to follow some precautions, in other words to do some prevention. Prevention is linked to the risk of attack and damage by an inversely proportional relation - in other words, the more prevention we do, the lower the risk of an attack and the smaller the damage. This kind of relation is shown in Figure 1.
Figure 1: Graph giving an idea of the relation between risk and prevention
Looking at the first part of the graph, we could be tempted to think that by increasing prevention enough, we can bring the risk to be practically zero. This is not true, as shown in the graph by the curve tending toward a line without really reaching it - prevention cannot bring the risk to zero, as there will always be some level of risk linked to ``procedural'' problems (e.g. procedures not being followed, errors in establishing them) or ``technical'' problems (e.g. weaknesses in programmes and operating systems). We thus need to add something else, the something else being reaction: since we cannot be absolutely sure we can avoid or make ineffective any and all attacks, we need to be able to react in case we are the object of an attack or an attack is successful. Reaction can take many forms, principally linked to activities like stopping an attack, identifying the attacking party and its methods, collecting evidence for legal action, and trying to limit the damage. It can be easy, especially in case of limited resources, to see prevention and reaction at worst as competing activities and at best as complementary but separate activities. In reality prevention and reaction are most often very strictly linked and mix together. The most used method to get an indication about the techniques and the origin of attacks is to use the logs[5] of the operating system or of some sort of dedicated system, but this requires the preventive configuration of the logging mechanism or the installation and configuration of the dedicated system; to limit the damage due to a successful attack, you may wish to recover by using a backup, but this requires the backup to have been made beforehand. In practice, while there may be the need for a trade-off in terms of resources available for implementation, prevention and reaction are not and should not be seen as mutually exclusive opposites, but rather as two equally needed, complementary and in part interlinked activities.
One of the first things done to increase the security of a network is to try limiting access to it from ``outside'', while allowing systems inside to use services outside: this is most often done by installing a firewall system[6], most of the time configured as a Network Address Translation (NAT) router[7] and possibly a proxy[8]. The term ``firewall'' itself shows the idea is to create a clear-cut split between the internal and the external network, like building the network equivalent of a wall. This is often coupled with the reasoning that an internal network is a deterministic environment completely under your control, thus by isolating your network from the outside and then doing some work to make it more secure, you are going to automatically create a ``safe island''. This is, however, mostly an illusion. Like in the real world, you can have absolute security only by eliminating all contacts and exchanges with the outside, which in this case would mean even eliminating everybody but yourself from your network - a contradiction with the very purpose of the network. A mistake sometimes made is to put all efforts and resources into trying to make the firewall as ``resistant'' as possible, neglecting to evaluate other possibilities, like users with authorised or unauthorised connections from the outside or to the outside (typically through a modem), ``infected'' floppy disks, infecting e-mail messages, and so on. Even assuming no mistakes are made in defining the security policy or applying it (including its technical implementation), it is always possible for a new type of attack to be devised, a new weakness to be found in an operating system, and so on - putting all the resources on the firewall while disregarding other potential sources of problems is waiting for trouble to happen.
In the previous section, we have indicated more than once the need to avoid concentrating all the efforts and resources on only one security option for our network (specifically, the firewall). In fact, aside from what was written previously (see the part on security policies) about risk analysis and prioritisation, the most advisable approach would be a multi-level defence - a principle applied since ancient times, well before computers existed[9]. A practical realisation of a multi-level defence can be made by complementing and supplementing tools like a firewall with a proxy and Network Address Translation, password-protected personal accounts, absence of visible shares[10] on the network, and installing antivirus software. An attacker will need to pass more than one defence, thus increasing the risk of being detected, stopped and possibly identified. The levels do not all have to address the same potential problem - what matters is that doing most types of damage will require bypassing more than one level of protection.
There are many tools used in trying to defend a network from attacks, some of which can in reality also be used to attack - in fact, an integral part of preparing a defence should be doing friendly simulated attacks, otherwise known by the trendy term ``penetration testing''. In penetration testing, a friendly actor (be it internal or external to the organisation) tries to identify and possibly exploit the weaknesses of a network, so as to expose them and help in their removal. While in general meant as ``benign'', it is possible that even a penetration test creates some sort of damage, and in some jurisdictions the simple fact of gaining access to a system without authorisation is a crime in itself, thus whoever does it (person or entity) should follow some precautions and make sure to hold some form of proof that what is being done has been authorised by the target (a contract or a written authorisation may be sufficient in most legal systems) or at least does not imply a violation of the laws in force. In this section we are going to briefly explain and define some categories of tools used in network security, keeping in mind this is not an exhaustive list.
A firewall system is a system (which can be composed of one or more computer systems plus dedicated hardware and software) whose purpose is to partially isolate a network from outside systems. This is achieved by routing all the communications with outside networks through it, most of the time also completely hiding the structure of the network from outside networks.
A proxy is a system whose purpose is to accelerate access to the Internet, by storing inside the local network a copy of remote data (web pages and other available files) in such a way that frequently requested sites are accessible faster. A proxy works as follows: 1) a computer inside the network asks the proxy for some data, like a web page; 2) the proxy verifies whether the user and the computer have the right to ask for that information; 3) the proxy verifies whether a copy of the page is already on its hard disk; 4) if the copy on the hard disk is recent, the proxy sends the page to the requesting computer; 5) if the copy on the proxy is not recent or there is no such copy, the proxy requests the page on behalf of the computer on the internal network, saves it on its drive and then sends it to the requesting computer. This sequence means the first access to the page can actually be slightly slower than if the requesting computer system were connecting directly to the Internet source; however, subsequent requests for the same information will be faster. A proxy may also function as a firewall (whether it is a firewall/proxy or a proxy/firewall often has an impact on the resilience and functionality of the firewall part), and may incorporate some filtering based on contents or addresses (to exclude access to some web sites or the execution of potentially dangerous web contents). Often proxies are the only authorised communication channel between computer systems inside and outside a network.
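The five steps above, as an added example written for this page and not code from the original chapter: a small caching proxy with the access check of step 2, the freshness check of steps 3 and 4, and an injected `fetch` callable standing in for the real request of step 5, so it runs offline. The client addresses, the blocked host and the sample page are constructed.

```python
"""Caching forward proxy logic following the five steps in the text.

Added example, not code from the original chapter. The network fetch is an
injected callable so the module runs offline; the client list, the blocked
host, the freshness window and the sample page are all constructed here.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class CacheEntry:
    body: bytes
    fetched_at: float


@dataclass
class CachingProxy:
    # Step 5's "request on behalf of the client": injected so tests run offline.
    fetch: Callable[[str], bytes]
    # Constructed policy: which client addresses may use the proxy at all.
    allowed_clients: frozenset
    # Constructed content filter: hosts the proxy refuses to serve (step 2).
    blocked_hosts: frozenset = frozenset()
    max_age: float = 60.0                 # seconds a cached copy counts as "recent"
    clock: Callable[[], float] = time.time
    cache: Dict[str, CacheEntry] = field(default_factory=dict)
    origin_fetches: int = 0               # how often the origin was really contacted

    def request(self, client: str, url: str) -> Tuple[str, Optional[bytes]]:
        """Return (outcome, body); outcome is 'denied', 'hit' or 'miss'."""
        # Step 2: verify the client and the destination are permitted.
        host = url.split("/")[2] if "//" in url else url.split("/")[0]
        if client not in self.allowed_clients or host in self.blocked_hosts:
            return "denied", None
        # Steps 3 and 4: a recent local copy is served without touching the origin.
        entry = self.cache.get(url)
        now = self.clock()
        if entry is not None and now - entry.fetched_at <= self.max_age:
            return "hit", entry.body
        # Step 5: no copy, or a stale one: fetch, store, then return it.
        body = self.fetch(url)
        self.origin_fetches += 1
        self.cache[url] = CacheEntry(body, now)
        return "miss", body


def demo() -> dict:
    """Drive the proxy through a miss, a hit, an expiry and two denials."""
    # Constructed 'origin server': a dict standing in for the Internet.
    origin = {"http://intranet.example/index.html": b"<html>hello</html>"}
    fake_now = [1000.0]                   # controllable clock for the freshness test
    proxy = CachingProxy(
        fetch=lambda url: origin[url],
        allowed_clients=frozenset({"10.0.0.5"}),
        blocked_hosts=frozenset({"ads.example"}),
        max_age=60.0,
        clock=lambda: fake_now[0],
    )
    url = "http://intranet.example/index.html"
    first = proxy.request("10.0.0.5", url)[0]       # miss: fetched from origin
    second = proxy.request("10.0.0.5", url)[0]      # hit: served from the cache
    fake_now[0] += 120.0                            # copy is now older than max_age
    third = proxy.request("10.0.0.5", url)[0]       # miss again: copy refreshed
    denied_client = proxy.request("10.0.0.9", url)[0]
    denied_host = proxy.request("10.0.0.5", "http://ads.example/x")[0]
    return {"first": first, "second": second, "third": third,
            "denied_client": denied_client, "denied_host": denied_host,
            "origin_fetches": proxy.origin_fetches}


if __name__ == "__main__":
    print(demo())
```

The counter `origin_fetches` makes the point of the paragraph measurable: three requests for the same page cost two trips to the origin, the first and the one after the copy aged out, and the denied requests never reach the origin at all.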
Port scanners are a specific type of software, used to check what kind of services a computer system (or a network) provides. A port is a software artifact identified by a number, used so that when receiving data from a network the operating system knows to which application it should be passed. Examples of TCP ports (used in TCP/IP connections like the ones on the Internet) are port 80 or (if it is a secure HTTPS connection) 443 to connect to a web server, port 110 to connect to a POP3 server to retrieve e-mail, and port 25 to send e-mail through an SMTP connection. Port scanners can be used as a tool to collect information on a potential target system or network, but also to assess the security of a system or network with the objective of improving it. In its basic form a port scanner will ask its user to enter the IP address (or addresses) of the computer system (or systems) to be scanned and the range of ports to check, and will then proceed to do the scan, reporting the results as a list of IP addresses with the indication of the ports, and thus services, which appear to be available. More sophisticated versions (which often integrate a pure port scanner with other tools, even when still defining themselves as ``port scanners'') can also show extra information on the services available and a graphical map of the network.
The word ``virus''[11] in computer jargon is used in analogy to biology, to indicate a small programme which can modify other programmes by including a copy of itself in them, and which becomes active once an infected programme is executed. Since the addition by Microsoft to its office automation programmes of a programming language now shared with the operating system (Visual Basic), there are also virus sent in Word documents, which can affect not only Word itself and its documents but also the system as a whole. To counter this danger, it is possible to install so-called ``antivirus software'', which tries to identify a virus before it can install itself in memory and stop it from spreading, and also removes it from an infected computer system or from infected files. Antivirus software can be installed locally on each computer system in the network, on the firewall, or in network versions which integrate the networked computers, centralising functions like software updates, software configuration and warning messages. Some antivirus software allows the use of a type of analysis which tries to understand what programmes do (``heuristic analysis''); however, due to the high probability of ``false positives'' (i.e. a report that a virus has been found when no virus is really present), usually they rely on a database of ``signatures'' (i.e. small sequences of bytes specific to each virus which allow its presence to be detected in a file or in memory) which should be constantly updated. In general, the producers of antivirus software offer the possibility to download via the Internet updates for the software, or at least the signatures, from their web site or by using an option inside the software. It is possible to establish a sort of taxonomy of computer virus based on their characteristics, like the methods used to avoid detection or to infect other programmes - it is however important to notice that there is often confusion between so-called ``worms'', ``trojan horses'' and virus. Worms are programmes which use networks to spread, transferring from one computer system to the other, and may also transfer a virus, but are not a virus (e.g. they do not infect other programmes) even when doing some damage[12]. Trojan horses are programmes which advertise themselves as doing something useful or even just funny, and instead do actions which may somehow disrupt the operations of the computer system on which they are run, damage the data on it or purposely have other damaging effects (e.g. transferring a virus)[13].
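Signature scanning as described above, as an added example that is not code from the chapter: files are read in chunks, with enough of each chunk carried over so that a signature straddling a chunk boundary is still matched, and the result also shows the false-positive problem the text raises when a signature is too short. The two ``signatures'' are constructed strings that correspond to no real virus, and the sample files are built in memory.

```python
"""Signature-based file scanning of the kind described in the text.

Added example, not the chapter's code. The two 'signatures' are constructed
and match no real malware; the sample files are constructed in memory.
"""
import io
from typing import BinaryIO, Dict, List

# Constructed signature database (name -> byte sequence). A real database
# holds many thousands of entries and is updated constantly.
SIGNATURES: Dict[str, bytes] = {
    "Example.Test.A": b"EXAMPLE-SIGNATURE-A-9f3c",  # long enough to be specific
    "Example.Short": b"open",                      # too short: hits ordinary text
}


def scan_stream(stream: BinaryIO, chunk_size: int = 4096) -> List[str]:
    """Return the sorted names of all signatures found in the stream.

    The stream is read in chunks. The last (longest signature - 1) bytes of
    each window are kept and prepended to the next chunk, so a signature
    that crosses a chunk boundary is still seen in one piece.
    """
    overlap = max(len(s) for s in SIGNATURES.values()) - 1
    found = set()
    tail = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, sig in SIGNATURES.items():
            if sig in window:
                found.add(name)
        tail = window[-overlap:] if overlap > 0 else b""
    return sorted(found)


def scan_files(files: Dict[str, bytes], chunk_size: int = 4096) -> Dict[str, List[str]]:
    """Scan a name -> contents mapping and report matches per file."""
    return {name: scan_stream(io.BytesIO(data), chunk_size)
            for name, data in sorted(files.items())}


def demo() -> Dict[str, List[str]]:
    sig = SIGNATURES["Example.Test.A"]
    # Constructed sample files. In 'installer.bin' the signature begins 4 bytes
    # before the 32-byte chunk boundary used below, exercising the overlap logic.
    files = {
        "installer.bin": b"A" * 28 + sig + b"B" * 10,
        "notes.txt": b"please open the door and close the window",
        "clean.dat": bytes(range(256)),
    }
    return scan_files(files, chunk_size=32)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits or 'clean'}")
```

The hit on `notes.txt` is a false positive produced by the four-byte signature, which is exactly why signature quality, not only signature count, matters in a database.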
``Intrusion Detection Systems'' or IDSs are a category of software whose purpose is to allow the automatic detection of an attempted or successful intrusion in a computer system or network. ``Distributed IDSs'' are in general used on networks. A distributed IDS is an IDS built with different components installed on different computer systems on the network. An IDS collects and integrates different types of data (e.g. network traffic, logon attempts, file modifications, running software) and tries to identify patterns known to be related to a type of attack, or patterns which are unusual and potentially indicate an intrusion. As can be deduced from the last sentence, although there can be cases of IDSs configured to automatically follow some steps when a known attack is detected, in general IDSs are used to do a pre-screening of the data available and flag potential problems for further analysis by a human operator. Despite showing some promise, the technology in its most ``intelligent'' (i.e. autonomous from human intervention) form is still relatively immature, thus not widely diffused - a lower-level version, relatively easy to implement, is represented by the use of reporting systems to create system activity reports using filter criteria so as to highlight suspicious events.
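The ``lower-level version'' just described, and the earlier remark that a port scan of one's own network can be recognised, as one added example that is not code from the chapter: a report-style filter over activity logs that flags a source touching many distinct ports in a short window and a source accumulating failed logons. The log format is constructed (real firewalls and operating systems each use their own), and all addresses are documentation addresses.

```python
"""Report-style pre-screening of activity logs, as described in the text for
IDSs and for noticing a port scan of one's own network.

Added example, not the chapter's code. The log line format is constructed and
so are all the addresses; the thresholds are arbitrary starting points.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

SCAN_PORTS = 5      # distinct destination ports from one source within WINDOW
LOGON_FAILS = 4     # failed logons from one source within WINDOW
WINDOW = 60.0       # seconds

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>DENY|ACCEPT|AUTH_FAIL|AUTH_OK) (?P<kv>.*)$")


def parse(line: str) -> dict:
    """Turn one constructed log line into a dict with a numeric timestamp."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparsable line: {line!r}")
    rec = {"ts": datetime.fromisoformat(m["ts"]).timestamp(), "kind": m["kind"]}
    for item in m["kv"].split():
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def first_burst(events: List[Tuple[float, str]],
                measure: Callable[[List[str]], int],
                threshold: int, window: float = WINDOW) -> Optional[float]:
    """Slide a time window over (timestamp, value) events; return the start of
    the first window in which measure(values) reaches threshold, else None."""
    events = sorted(events)
    j = 0
    for i, (start, _) in enumerate(events):
        while j < len(events) and events[j][0] - start <= window:
            j += 1
        if measure([v for _, v in events[i:j]]) >= threshold:
            return start
    return None


def analyse(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (finding, source address) pairs for a human operator to review."""
    conns: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    fails: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for line in lines:
        r = parse(line)
        if r["kind"] in ("DENY", "ACCEPT") and "dport" in r:
            conns[r["src"]].append((r["ts"], r["dport"]))
        elif r["kind"] == "AUTH_FAIL":
            fails[r["src"]].append((r["ts"], r.get("user", "?")))
    findings = []
    for src, ev in sorted(conns.items()):
        # Many *distinct* ports in a short time is the port-scan pattern.
        if first_burst(ev, lambda vals: len(set(vals)), SCAN_PORTS) is not None:
            findings.append(("possible port scan", src))
    for src, ev in sorted(fails.items()):
        if first_burst(ev, len, LOGON_FAILS) is not None:
            findings.append(("repeated logon failures", src))
    return findings


# Constructed sample log: one scanning source, one busy but benign web client,
# one source guessing passwords, and one user who mistyped once.
SAMPLE_LOG = [
    "2004-03-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=21",
    "2004-03-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2004-03-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=23",
    "2004-03-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=25",
    "2004-03-01T10:00:04 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=80",
    "2004-03-01T10:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=110",
    "2004-03-01T10:00:01 ACCEPT src=192.0.2.50 dst=192.0.2.10 dport=80",
    "2004-03-01T10:00:07 ACCEPT src=192.0.2.50 dst=192.0.2.10 dport=443",
    "2004-03-01T10:00:09 ACCEPT src=192.0.2.50 dst=192.0.2.10 dport=80",
    "2004-03-01T10:01:30 AUTH_FAIL user=root src=198.51.100.4",
    "2004-03-01T10:01:33 AUTH_FAIL user=root src=198.51.100.4",
    "2004-03-01T10:01:35 AUTH_FAIL user=admin src=198.51.100.4",
    "2004-03-01T10:01:40 AUTH_FAIL user=admin src=198.51.100.4",
    "2004-03-01T10:05:00 AUTH_FAIL user=alice src=192.0.2.51",
    "2004-03-01T10:05:04 AUTH_OK user=alice src=192.0.2.51",
]

if __name__ == "__main__":
    for finding, src in analyse(SAMPLE_LOG):
        print(f"{finding}: {src}")
```

The output is a list for an operator, not an automatic action: as the text notes, the apparent source of a scan can be spoofed or can itself be a compromised machine, so the report is a starting point for analysis rather than a verdict.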
``Sniffing software'' (often simply ``sniffers'') is a class of software used to capture a copy of network traffic and read its contents. It is a type of tool often used in attempts to understand the structure of a network and capture login/password combinations, but also to verify things like the correct configuration of the network (e.g. whether computer systems exchange password information in an easily readable format or in encrypted format), whether there is excessive unusual traffic between two computer systems (a possible sign of one of the two being used as a stepping stone to launch an attack against the other), or whether there is a communication problem on the network.
Integrity checkers are programmes which periodically verify whether files have been altered in relation to an initial baseline, and signal detected modifications. In most cases the check is done using a value calculated on the contents of the file and parameters like the date and size of the file - this is because more detailed checks could become an excessive burden on the system resources. For the same reason, and to avoid a huge number of false alerts, integrity checkers generally verify only a limited number of configuration or executable files, which are considered the most probable targets of a potential attack. Like more general IDS systems, integrity checkers limit themselves to highlighting which files have changed, and the human operator has to verify whether the changes are legitimate or not. It is important that the database where the integrity checker data is stored be made tamperproof - the risk being that otherwise an attacker could modify it, so that any changes he or she makes to the system would not be signalled.
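The baseline-and-verify cycle above, including the tamperproof database the last sentence asks for, as an added example that is not the chapter's code: each file is recorded by content hash, size and date, the whole database is authenticated with an HMAC, and verification first checks the database before trusting it. The monitored files are created in a temporary directory, and the key is a constructed stand-in for a secret that in practice is kept off the monitored host.

```python
"""Baseline-and-verify integrity checker with a tamper-evident database.

Added example, not the chapter's code. The monitored files are created in a
temporary directory; the HMAC key is a constructed stand-in for a secret that
would live off the monitored host (read-only media or another system).
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List, Tuple


def fingerprint(path: str) -> dict:
    """Content hash plus the cheap metadata the text mentions (size, date)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}


def build_baseline(paths: List[str], key: bytes) -> bytes:
    """Fingerprint every path and sign the database so edits to it are detectable."""
    db = {p: fingerprint(p) for p in paths}
    payload = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"db": db, "hmac": tag}).encode()


def load_baseline(blob: bytes, key: bytes) -> Dict[str, dict]:
    """Refuse to use a database whose HMAC no longer matches its contents."""
    doc = json.loads(blob)
    payload = json.dumps(doc["db"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline database fails its integrity check")
    return doc["db"]


def verify(blob: bytes, key: bytes) -> List[Tuple[str, str]]:
    """Compare current files with the baseline; the operator judges legitimacy."""
    changes = []
    for path, old in sorted(load_baseline(blob, key).items()):
        if not os.path.exists(path):
            changes.append((path, "missing"))
            continue
        new = fingerprint(path)
        if new["sha256"] != old["sha256"]:
            changes.append((path, "content changed"))
        elif new != old:
            changes.append((path, "metadata changed"))   # same bytes, new size/date
    return changes


def demo() -> dict:
    key = b"constructed-demo-key-keep-it-off-the-host"
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "service.conf")
        binary = os.path.join(d, "login.bin")
        with open(conf, "w") as f:
            f.write("remote_admin = off\n")
        with open(binary, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 60)
        blob = build_baseline([conf, binary], key)
        clean = verify(blob, key)                       # nothing has changed yet
        # Simulate an unwanted edit and a harmless re-stamp of a file's date.
        with open(conf, "a") as f:
            f.write("remote_admin = on\n")
        t = os.stat(binary).st_mtime + 3600
        os.utime(binary, (t, t))
        changes = verify(blob, key)
        # Simulate the database being edited to hide the change, without the key.
        doc = json.loads(blob)
        doc["db"][conf] = fingerprint(conf)
        forged = json.dumps(doc).encode()
        try:
            verify(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"clean": clean, "changes": [kind for _, kind in changes],
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The metadata-only change on `login.bin` is reported separately from the content change on `service.conf`, which matches the text's division of labour: the checker highlights, the operator decides.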
A ``honeypot'' is a computer system (but in some cases it can even be a small network or just software simulating computers) designed and configured so as to lure potential attackers into attacking it while being under observation by the creator of the honeypot. To this end, honeypots are generally configured so as to present (or appear to present) one or more widely known vulnerabilities. There should be no confusion between a test environment, penetration testing and a honeypot: in a test environment the attacker, the attack and the target are fake, even when using real techniques and tools; in penetration testing, the target is real but the attack and the attacker are fake (keeping in mind, as indicated above, the possibility of real damage happening); in the case of a honeypot, the target system is fake though made to look real, but both the attacker and the techniques and tools used by him or her are expected to be real. Care should be taken, in that honeypots could be used as an intermediate position to launch attacks against third parties, in the same way as a real computer system or network.
A password checker is, like the name suggests, a programme which checks the quality of a password from a security point of view, where ``quality'' indicates the difficulty of guessing it - the more difficult it is to guess it directly or to find it by trying all possibilities, the greater the quality. A password checker can be integrated in the system, in which case in general it checks only for the presence of the correct combination of characters (e.g. at least 8 characters, or at least one number) and possibly verifies that the password has not been used recently. When the password checker is an external programme, it is typically run by providing it with a file containing passwords, to see if it can guess any of them. In this latter incarnation it is often called a ``password cracker'', since it tries to ``crack'' the passwords. Most multiuser operating systems include a password checker and the possibility to configure what kind of checks it does.
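Both kinds of checker described above, as an added example that is not the chapter's code: an integrated checker applying character rules and a ``used recently'' history, and an external-style audit that tries a list of candidates against stored salted hashes. Accounts, passwords, the candidate list and the hashing parameters are constructed.

```python
"""Password quality checks of the two kinds described in the text.

Added example, not the chapter's code. The accounts, passwords and the
candidate list are constructed; the hash is PBKDF2 from the standard library.
"""
import hashlib
import hmac
import os
import re
import string
from typing import Dict, List, Tuple

MIN_LENGTH = 8
HISTORY_DEPTH = 5
ITERATIONS = 20_000    # deliberately slow: every guess costs an auditor the same


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def new_record(password: str) -> Tuple[bytes, bytes]:
    """(salt, digest) as a system would store it; the clear text is not kept."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def check_policy(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Integrated-checker rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("not mixed case")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    # "Used recently": compare against the stored hashes of previous passwords.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("used recently")
            break
    return problems


def audit(accounts: Dict[str, Tuple[bytes, bytes]], candidates: List[str]) -> List[str]:
    """External-checker style audit: accounts whose stored hash matches a candidate."""
    weak = []
    for user, (salt, digest) in sorted(accounts.items()):
        if any(hmac.compare_digest(hash_password(c, salt), digest) for c in candidates):
            weak.append(user)
    return weak


def demo() -> dict:
    # Constructed history for one user and a constructed account database.
    history = [new_record("Winter2004!"), new_record("Autumn2003!")]
    accounts = {"alice": new_record("Summer2004!"), "bob": new_record("Tr0ub4dor&3")}
    candidates = ["password", "Summer2004!", "letmein"]     # constructed guess list
    return {
        "reused": check_policy("Winter2004!", history),
        "weak_rules": check_policy("short1", history),
        "accepted": check_policy("Spring-2004", history),
        "audit": audit(accounts, candidates),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the integrated rules pass `Summer2004!` without complaint while the audit finds it from a three-word list: character rules measure shape, not guessability, which is the distinction the paragraph draws between the two kinds of checker.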
As previously indicated, it is possible, at least in some cases, to identify the apparent potential source of attacks, for instance because it executes a port scan of our network, and the apparent source of real attacks. It would thus be tempting to try doing what can be called ``preventive strikes'' and ``retaliation'' attacks, taking action with technical means against a computer system or network from which an attack has come. Both courses of action would, however, be ill-advised, for various reasons including:
- the real source of the port scanning or the attack can be different from what it seems to be;
- the network or computer may itself in reality be the victim of an attack (the so-called ``island hopping'', consisting in finding a vulnerable system, taking control of it, and then using it to scan or attack another network);
- although all legal systems known to the author have the concept of ``legitimate defence'', there are specific limitations to its exercise, and computer criminal codes in general do not foresee it.
The combination of the factors above, together with the possibility that an incident may include networks and systems in different countries and under different legal systems, means such an action could easily make the victim itself guilty of illegal conduct, with all the possible consequences.
[2] Often people with a technical background in computers will refer to a computer network using the protocol, like in ``TCP/IP network'', but computer networks can also be classified based on the logical or physical topology, like ``star network'', or on the standard used to transfer the information on the medium, like ``token ring''.
[3] WAN stands for Wide-Area Network, a network covering an extended geographic area. The Internet as a world-wide network is often considered the apex of the concept of wide-area network.
[5] A ``log'' is in jargon a file or a sort of register where some kind of activities by software, the user or the system are registered automatically - the origin being terms like logbook.
[10] ``Shares'' are disks or directories (folders) in a computer made accessible through the network to users on other computer systems - this way to define them is often used specifically in an MS Windows environment, though it is also used when referring to networks used to share MP3 files via the Internet, like Kazaa or Napster.
[11] ``Virus'' is a Latin word (not just a word of Latin origin) meaning ``poison''. There are at least two widespread versions of the plural: the version used by people not knowing it is Latin is ``viruses''; the version used by people knowing it is a Latin word but not double-checking is ``virii''. Although it looks similar to a masculine noun of the second declension (thus ``virii'', or better ``viri'', would be correct), it is in reality a neuter noun and does not have a plural. The correct plural of virus is simply virus.
[12] The reason they are named ``worms'' is that they go from one system to the other using the network, like worms burrowing in the ground create their tunnels to move.
[13] The origin of this name goes back to mythology - the legend told in the Iliad says that after years laying siege to Troy, the Greeks, on a suggestion by Ulysses, built a huge wooden horse and faked leaving. The Trojans thought the horse was an offering made by the Greeks to the gods and brought it into the town, but during the night soldiers hidden in the horse came out, so the Greeks who had been waiting on their ships could easily get into the town.
Copyright 2004 Alessandro Lofaro - Due to technical constraints, the
Latin characters may not have the correct accent (length)