Computing: Security Primer

Almost everybody is now aware that there is wave after wave of attacks on their computer systems. For most users the greatest threat is simply viruses arriving via email, but there are many other “attack vectors”. Increasingly the security, information technology and law enforcement communities believe that organised crime is behind some attacks. No longer are hacking attacks simply the domain of the teen “script kiddy” in his parents' basement. There is real money at stake (in other words: your money!).

The larger and more famous your organisation is, the more attacks you are likely to suffer. Microsoft fends off hundreds or thousands of attacks a day. But all users need to keep their computer systems safe. A small company which is infected by a virus and in turn infects all their clients will find it very difficult to re-establish their credibility even if there is no lasting damage. An attack which leaves data damaged could take months or years to recover from.

While securing a computer system can be highly complex, with many factors involved, and whereas security is a never-ending process, fortunately a small number of basic principles will save the average business a lot of trouble. They are:

• Virus protection;

• Patches;

• Firewall;

• Passwords;

• Vigilance;

• Physical security; and

• Backups.

Anti-Virus and Spyware Protection

The need to install and maintain an anti-virus program can't be overstated. Many antivirus vendors are now releasing updated virus signature databases daily, or hourly when there's a major outbreak.

An increasing threat is so-called Spyware. Some antivirus products detect and remove it (such as McAfee Managed VirusScan), but dedicated Spyware removers (such as Malwarebytes) are usually required. Like anti-virus products, anti-spyware products require frequent updates.

Patches (Software Updates)

The greatest risk to the average user is from virus and other malcode (malicious code) which are able to enter your system via a fault in a piece of software. Why is this the greatest risk? Because you could be innocently surfing the web or reading email and in the background all sorts of crazy things are going on; made possible because the software you are using has faults which give rise to security holes.

Microsoft's Windows operating system is most famous for this, but it is by no means unique and virtually every piece of software you have ever used or are likely to use will contain a fault which allows something to happen which should not be allowed to happen. Sometimes the faults may be benign or hard to exploit, and sometimes they are dangerous and easy to exploit. But a fault is a fault, and in some cases, even anti-virus software can't (initially) stop a virus if it can exploit a severe software fault. (This is because anti-virus software assumes that software works a certain way. If there is a fault, by definition it is not behaving as expected.)

Famous viruses/worms such as Blaster, CodeRed, Nimda, BadTrans and SQL Slammer all exploited faults in software which either enabled the virus to run totally unattended or made it easier for the virus to run. Viruses are using more and more vulnerabilities to enter systems (for example, W32/Gaobot.worm can exploit 10 different software vulnerabilities according to CA). If one attack vector does not work, it will use another, and another and so on. Installing the updated software significantly impedes their progress or stops the attacks from working altogether.

So how do you know what software to install to fix your system of faults? In the case of Windows, you can simply visit http://windowsupdate.microsoft.com and it will identify the updates you need. Specific information about each piece of software you are using is much harder to obtain. But broadly speaking, you need to ensure you are using the latest version, and/or have the latest patches installed.

A complication is that simply because you have all the available patches does not mean you have all faults fixed. For example, updates are no longer published for older software such as Windows 95 and Office 97. Windows 98 and Windows NT 4.0 will soon or have already followed suit. Whereas in the past it may have been possible to keep using an old piece of software because “it did the job”, these days upgrading to get the latest security technology is very important.

There is also something to be said for the fact that by far the greatest quantum of problems have arisen on newer operating systems, in particular Windows 2000 and Windows XP. Users still with, say, Windows 95 and Internet Explorer 4.0 are almost invulnerable from the attacks that target the later versions. So simply installing the latest version is not a panacea and in practical terms is much worse unless you take the appropriate steps (such as installing patches and service packs). But the fact remains that later versions are more secure in design and updates are published to fix faults which are not published for older versions. Is it possible to simply wait until an operating system appears that is 100% secure? Perhaps, but it might mean that you need to keep using Windows 95 until Windows 2010 comes out — not a very practical solution. So the answer is generally to keep your systems rolling forward: sticking with older versions is not a good principle.

Firewall

See What is a Firewall?.

Worms such as Blaster, CodeRed and SQL Slammer were only successful because they were able to directly send certain types of data to unpatched systems. Any system with a firewall would not have been fallen victim to these worms, even if the system was otherwise vulnerable through a lack of patches or passwords.

Passwords

Use quality passwords. See Choosing A Password.

Always use different passwords for different services. Virtually everything has a password: your network login, email, online/telephone banking, Ebay, online shopping; the list is almost endless. The temptation is to use a single password for everything to make it easier to remember. This is a recipe for disaster, for two reasons:

• Phish attacks which attempt to trick you in revealing your password for various online services are increasing. If you inadvertently succumb to such an attack, not only will the account you revealed be compromised, soon everything may be compromised. Hackers know that a large number of people have a single password for many services. For example, you may think that a compromised Ebay account is not a huge problem. But if someone obtains your Ebay password, the next step is to steal some postal mail from your letterbox to obtain other information such as bank customer numbers. Far fetched? At the time of writing — April 2004 — maybe it is. But not in the future. This is potentially a hugely lucrative form of crime and it will only get worse.

• Some online services are more secure than others. What if a service you belong to is compromised by hackers and your password for that service falls into their hands? Or if an employee of a trusted online service provider decides to commit fraud and steal usernames and passwords, your other accounts could easily end up plundered by hackers. You can't control the people you provide your passwords to.

  It's worth noting that secure communications — where the website address starts with “https://” and there is a padlock icon in the corner:

  

  — is not a guarantee that the website itself is secure. It is only an indication that the data being sent back and forth is encrypted. Encrypting the data ensures that any packets captured while in transit across the internet can't be decrypted into plain text, so it's a good way to send, say, credit card information. But even this type of so-called “man in the middle” attack is possible if certain software patches on both the server and the client are not installed. Some examples are Windows 2000 Service Pack 3 and Security Bulletin MS02-050.

Vigilance

If you receive an attachment in email, or a request to click on a link and provide some login details, you should be immediately suspicious. Too many viral outbreaks arise simply because people did not stop and think what the attached file might be. A lot of problems simply do not occur if users do not click everything in sight. But not all problems can be magically solved this way and that is why it is still necessary to use software updates, firewalls and anti-virus software.

Another aspect of vigilance is understanding who the enemy is. The internet is awash with viruses, hackers and spam but many businesses will suffer their most egregious losses from employee fraud and theft. For example, can your contacts database be copied by an employee? Maybe your business is a happy ship today but there are many businesses with an employee who left under a dark cloud and then turned up at their competitor with a CD full of private information. Check with your software vendor as to the safety of your database systems from internal theft and attack.

Physical Security

No amount of protection, updates and highly complex passwords will help you if your notebook is stolen from your car or if a file server in your office is easily removed. Entire networks can be compromised if a hacker can physically put a floppy disk into a server and force a reboot. Physical security is critically important because simple, old-fashioned theft is still the technique of choice if you are being specifically targeted by hackers.

• Portable devices such as notebooks, PDAs etc are easily stolen. Do not leave them in cars. Use locking devices to prevent them being stolen from your office;

• Servers should be kept in locked rooms, accessible only by administrators;

• Servers should have floppy disk drives removed and should be configured to only boot from the hard disk. Password-protect the BIOS;

• Do not install CD-burners and ZIP drives into user machines; and

• Properly erase the hard disks in systems being sold or scrapped.

Backups

Potentially the single most important thing you can do to secure your systems is to ensure data is backed up and taken offsite. If you suffer a virus attack, or theft or any number of problems your only recourse may be to restore data from a backup. Because new viruses are always appearing, and new faults in software are being discovered, you can never assume that, at any moment, your system is 100% secure and therefore you can't assume that your system won't be attacked and that data loss will occur.

Not only are very recent backups important, older backups can be important too. What if you are attacked by a virus today and you only realise an important file is missing six months later? You will have overwritten all your backup media, unless you keep archival backups as well as emergency backups. CD-R media is best for this as it is cheap and long lasting. Minimally you would make an archival backup monthly, but depending on your environment perhaps weekly or daily is more appropriate.

Other Matters

• Configuration Is Important Too. Over a period of time each new release of operating systems, databases, web servers and so on are built to be more secure and safer, according to the “secure by default” ideology. Until about the year 2000, software tended to have all features turned on, to make it easier to use and easier to connect to. Software is being tightened up so a newly installed system may not need extensive tweaking to lock it down. However, older systems and more complex systems may need many configuration changes to fit in your environment and to operate safely. (This is more complex than can be discussed here.)

• Know The Risks. What are the risks that face your computer systems? Some are obvious: viruses in email, worm attacks via the internet. Some are less obvious and even hard to believe: perhaps your bank account will be taken over if you accidentally provide information to a phish attack, or perhaps an employee will vandalise your database or steal a copy of it. If you are in a sensitive business perhaps your rivals will steal from you or sabotage you. Consider all these and take actions appropriately.

Further Reading

• Free Security & Virus Resources

• Just what in the world is “Phishing”?

• Microsoft Security Glossary