Threats to computers and networks have been an issue since computers began to be used widely by the general public. Nowadays, any computer or network that is connected to the Internet is at risk. CERT/CC (the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute) cautions that:
"Intruders form groups and develop scripts that they share with each other on how to maliciously exploit vulnerabilities in systems. Intruders dedicate time to developing programs that exploit vulnerabilities and to sharing information. They have their own publications, and they regularly hold conferences that deal specifically with tools and techniques for defeating security measures in networked computer systems." (CERT/CC, "The CERT/CC and the Internet Community")
Breaches in library computer security are normally caused unintentionally by curious and persistent users, and sometimes intentionally by knowledgeable and malicious hackers. These threats are made possible by software that has been installed improperly, software with inherent flaws (bugs), or insecure procedures.
Basic Types of Threats
Basic types of attacks include:
• Probes and scans - attempts to gain access or discover information about remote computers
• Account compromise - discovery of user accounts and their passwords
• Packet sniffing - capturing data that is sent across a network; the data can contain sensitive information like passwords
• Denial of service - flooding a network or host with requests that overwhelm it, making a computer slow down or crash
• Malicious code - Trojan horses, worms, viruses
• Spoofing - forging a computer's identity so that it appears to be a "trusted computer"
Probes and Scans
A probe is characterized by unusual attempts to gain access to a system or to discover information about the system. One example is an attempt to log in to an unused account. Probing is the electronic equivalent of testing doorknobs to find an unlocked door for easy entry. Probes are sometimes followed by a more serious security event, but they are often the result of curiosity or confusion. A scan is a way of performing multiple probes using an automated tool. The most common kind of scan is a "port scan." This kind of scan queries for listening ports on a remote computer. Scans are often a prelude to a more directed attack on systems that the intruder has found to be vulnerable.
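The two patterns described above can be picked out of ordinary logs. The following is an added example, not code from the original article: it runs over a handful of constructed log lines (a simplified sshd format and a simplified firewall DROP format, both assumptions; real logs need a parser matched to their actual layout) and reports sources that repeatedly try accounts which do not exist (probes) and sources that touch many distinct ports in a short window (scans). The thresholds are assumptions to be tuned per site.

```python
"""Added example: spotting probes and port scans in constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs). 203.0.113.7 is testing doorknobs.
AUTH_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for invalid user oracle from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for invalid user test from 203.0.113.7
2024-05-01T10:00:05 sshd: Failed password for invalid user admin from 203.0.113.7
2024-05-01T10:04:10 sshd: Accepted password for alice from 192.0.2.25
2024-05-01T10:05:00 sshd: Failed password for bob from 192.0.2.30
"""

# Constructed firewall log: one source sweeps 12 ports in 12 seconds, another
# touches two ports minutes apart (probably a misconfigured client, not a scan).
FIREWALL_LOG = "\n".join(
    f"2024-05-01T10:10:{i:02d} DROP SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT={port}"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443])
) + "\n2024-05-01T10:20:00 DROP SRC=192.0.2.30 DST=192.0.2.10 PROTO=TCP DPT=8080" \
  + "\n2024-05-01T10:25:05 DROP SRC=192.0.2.30 DST=192.0.2.10 PROTO=TCP DPT=8443\n"

INVALID_USER_RE = re.compile(
    r"^(?P<ts>\S+) sshd: Failed password for invalid user (?P<user>\S+) from (?P<src>\S+)$")
FW_DROP_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=\S+ PROTO=TCP DPT=(?P<port>\d+)$")


def find_probes(log_text, threshold=3):
    """Return {source: [usernames tried]} for sources with at least `threshold`
    failed logins to accounts that do not exist on the system."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER_RE.match(line)
        if m:
            attempts[m["src"]].append(m["user"])
    return {src: users for src, users in attempts.items() if len(users) >= threshold}


def find_scans(log_text, window=timedelta(seconds=60), min_ports=10):
    """Return {source: distinct_port_count} for sources that hit at least
    `min_ports` distinct destination ports within any interval of length `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dst_port)]
    for line in log_text.splitlines():
        m = FW_DROP_RE.match(line)
        if m:
            events[m["src"]].append((datetime.fromisoformat(m["ts"]), int(m["port"])))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):  # sliding window anchored at each hit
            ports = {port for t, port in hits[i:] if t - t0 <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    print("probes:", find_probes(AUTH_LOG))
    print("scans:", find_scans(FIREWALL_LOG))
```

The scan detector keys on distinct ports per source within a time window rather than on raw packet counts, so a busy but legitimate client that reconnects to one service many times is not flagged, while a slow sweep of many ports still is once the window is widened.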
Account Compromise
Account compromise is the discovery of a user account and its password on a system. It allows an unauthorized user to gain access to every resource that account is authorized for. An account compromise might expose the victim to serious data loss, data theft, or theft of services. Limiting the number of accounts with root-level access or administrative privileges minimizes the potential damage; however, access to an ordinary user-level account is often the entry point for gaining greater access to the system.
One kind of compromise particular to UNIX systems is called a root compromise. Traditionally, the administrative account on UNIX systems is called "root" (the name also refers to the top-level directory of the file system, /). An account with root-level access has access to the entire system. Intruders who succeed in a root compromise can do just about anything on the victim's system, including run their own programs, change how the system works, and hide traces of their intrusion.
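Because any UID 0 account is root whatever it is called, and any account with an empty password field can be used by anyone, the account file itself is worth auditing. The following is an added example (not from the original article) that checks constructed /etc/passwd and /etc/shadow contents for extra superuser accounts, passwordless accounts, and password hashes in weak legacy formats. The file contents are constructed; on a real host you would read the two files (the shadow file requires root).

```python
"""Added example: audit passwd/shadow-style records for the conditions that
turn an ordinary account compromise into a root compromise."""

# Constructed sample data: a second UID 0 account, a guest with no password,
# and an md5crypt hash left over from an old system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$hashhash:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
toor:$1$saltsalt$hashhash:19800:0:99999:7:::
alice:$y$j9T$saltsalt$hashhash:19800:0:99999:7:::
guest::19800:0:99999:7:::
"""


def parse_colon_file(text):
    """Split passwd/shadow records into their colon-separated fields."""
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]


def extra_uid0_accounts(passwd_text):
    """Accounts other than root whose UID is 0: each one is a full root account."""
    return [f[0] for f in parse_colon_file(passwd_text) if f[2] == "0" and f[0] != "root"]


def passwordless_accounts(shadow_text):
    """Accounts whose shadow password field is empty: login needs no password at all."""
    return [f[0] for f in parse_colon_file(shadow_text) if f[1] == ""]


def weak_hash_accounts(shadow_text):
    """Accounts whose hash is md5crypt ($1$) or traditional 13-character DES crypt,
    both far cheaper to brute-force than sha512crypt ($6$) or yescrypt ($y$).
    Locked entries (*, !, !!) and empty fields are skipped; empties are reported
    separately by passwordless_accounts()."""
    weak = []
    for f in parse_colon_file(shadow_text):
        h = f[1]
        if h == "" or h.startswith(("*", "!")):
            continue
        if h.startswith("$1$") or (not h.startswith("$") and len(h) == 13):
            weak.append(f[0])
    return weak


if __name__ == "__main__":
    print("extra UID 0 accounts:", extra_uid0_accounts(PASSWD))
    print("passwordless accounts:", passwordless_accounts(SHADOW))
    print("weak hashes:", weak_hash_accounts(SHADOW))
```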
Packet Sniffing
A packet sniffer is a program that captures data from packets as they travel over the network. That data may include user names, passwords, and proprietary information. If the captured data is encrypted (see Importance of Encryption), it is unlikely that anyone will be able to recover sensitive information from it. If it is not encrypted, just about anything sent is exposed. A packet sniffer does not require privileged access to the target server itself; it requires access to a network interface somewhere along the path of the communication (on most modern systems, capturing raw packets needs administrative rights on that host), so any compromised machine on a shared segment, a public access workstation for instance, can serve as the vantage point.
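To make concrete what a sniffer actually sees, here is an added example (not code from the original article). It assembles a minimal IPv4/TCP packet in memory, decodes the headers the way a capture tool would, and pulls an FTP-style USER/PASS login out of the payload; the same decode on a payload that has been encrypted yields nothing readable. The addresses, ports and credentials are constructed, and the "encryption" is a toy XOR keystream standing in for TLS, labelled as such in the code.

```python
"""Added example: decoding a raw TCP/IP packet the way a sniffer does, and
what the difference between a cleartext and an encrypted payload looks like."""
import hashlib
import re
import socket
import struct

CRED_RE = re.compile(r"^(USER|PASS) (\S+)", re.MULTILINE)  # FTP/POP3-style login lines


def build_tcp_packet(src, dst, sport, dport, payload):
    """Assemble a minimal IPv4 + TCP packet (no options; checksums left at zero,
    acceptable for an offline demonstration, not for a real wire)."""
    tcp_hdr = struct.pack("!HHLLBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_tcp_packet(raw):
    """Decode addresses, ports and the TCP payload from raw IPv4 bytes."""
    ihl = (raw[0] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:                               # protocol field: 6 = TCP
        raise ValueError("not a TCP packet")
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4           # TCP header length in bytes
    payload = raw[ihl + data_off:total_len]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}


def find_credentials(payload):
    """Return (keyword, value) pairs for cleartext USER/PASS lines in a payload."""
    return CRED_RE.findall(payload.decode("latin-1"))


def toy_encrypt(data, key=b"demo-key"):
    """Toy stand-in for TLS: XOR with a SHA-256-derived keystream. NOT a real
    cipher (static keystream, no authentication); it only demonstrates that a
    sniffer recovers nothing from encrypted bytes. Applying it twice decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


if __name__ == "__main__":
    login = b"USER alice\r\nPASS hunter2\r\n"    # constructed FTP login
    p = parse_tcp_packet(build_tcp_packet("192.0.2.25", "192.0.2.10", 40000, 21, login))
    print(p["src"], "->", p["dst"], "port", p["dport"], find_credentials(p["payload"]))
    e = parse_tcp_packet(build_tcp_packet("192.0.2.25", "192.0.2.10", 40001, 990,
                                          toy_encrypt(login)))
    print("encrypted session yields:", find_credentials(e["payload"]))
```

The headers (addresses and ports) are readable in both cases: encryption protects the content of a session, not the fact that it took place, which is why traffic analysis still works against encrypted links.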
Denial of Service
The goal of a denial of service attack is not to gain unauthorized access to machines or data but to prevent legitimate users of a service from using it. Such attacks come in many forms. Attackers may "flood" a network with large volumes of data, or deliberately consume a scarce or limited resource such as process control blocks or pending (half-open) network connections. They may also disrupt physical components of the network or manipulate data in transit, including encrypted data. Underlying most of these is the same idea: give the system more work than it can handle quickly enough, so that it can no longer serve its real users.
Malicious Code
Malicious code is a general term for programs that, when executed, cause undesired results on a system. Users usually are not aware of the program until they discover the damage. Malicious code includes Trojan horses, viruses, and worms. Trojan horses and viruses are usually hidden in legitimate programs or files that attackers have altered to do more than what is expected. Worms are self-replicating programs that spread with no human intervention once started. Viruses are also self-replicating, but they usually require some action by a user (opening a file, running a program) to spread inadvertently to other programs or systems. These programs can lead to serious data loss, downtime, denial of service, and other undesirable effects. See Antivirus Software.
Spoofing
Computers on networks often have trust relationships with one another. For example, the Berkeley r-commands (rsh, rlogin) consult files such as /etc/hosts.equiv and a user's ~/.rhosts, which list the other hosts, and the users on them, that are permitted to run commands without supplying a password. If attackers can forge their identity so that they appear to be using the trusted computer (for instance by sending packets with that computer's IP address as the source), they may gain unauthorized access to other computers. Trust based on a network address alone is only as strong as the network's ability to reject forged addresses.
Basic Types of Vulnerabilities
Although there are many vulnerabilities in computer systems and networks today, the main ones likely to cause you harm are:
1. Default software installations
2. Ineffective use of authentication
3. Patches not applied
4. Too many open ports and services running
5. Not analyzing incoming packets
6. Backups not maintained and verified
7. Lack of protection against malicious code
Default Software Installations
A default software installation is where an operating system or application software is installed using all the default settings built in by the programmers. Performing a default software installation on computers with sensitive data is not good practice, especially when the chosen software is likely to be used by many people, such as on a public access computer or web server.
Servers are installed with default user accounts and groups, so it is important to:
• Disable guest accounts
• Remove the Everyone group from file and share permissions on Windows NT/2000/XP (it is a built-in group rather than an account and cannot be disabled; grant access to Authenticated Users or to specific groups instead)
• Don't run network daemons as root when they can run under a dedicated unprivileged account
• Rename the administrator account (a minor obstacle at best, since the built-in account can still be identified by its well-known relative identifier, so do not rely on it)
• Set a strong password for the administrator account
Ineffective Use of Authentication
Authentication is the process of proving who you are to a system using one or more authentication methods. Authentication can be based on what you know (such as a password), based on what you have (such as a smart card), or based on who you are (such as biometrics). Most organizations rely on authentication via passwords. Passwords can be a fairly secure form of authentication when they are created properly (and, of course, when default passwords aren't used). It is depressingly easy, however, for people to create poor passwords. For more on how to create good "strong" passwords see Using Passwords Effectively.
Patches Not Applied
All too frequently, patches for known security problems are not applied during a default installation. Granted, as software vendors write increasingly complex code, it becomes harder for them to keep up with making the necessary patches. But server and systems administrators must make the effort to keep their systems patched. For information on where to find system and software patches, see vendor-specific patches.
Too Many Open Ports and Services Running
Ports are labels, a way to identify the services running on a particular machine. Every TCP or UDP packet carries a source and a destination port number, and a service running on a machine "listens" for packets that arrive with its port number. Thus the ports your server has open reveal a great deal about it (which services it runs, and often which software and version), and the more ports that are open, the more ways there are to connect to, and attack, that server. A service should listen only on the interfaces it needs (a database used only by a local web application can listen on the loopback address alone), and anything not needed should be turned off.
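The practical check is to list what is actually listening and compare it with what should be. The following is an added example (not from the original article) that parses constructed output in the format of `ss -tlnp` on Linux (an assumption about the layout of recent iproute2 versions; netstat output differs) and reports every socket reachable from the network whose port is not on an allowlist. Sockets bound to the loopback address are reported separately, since they are not exposed to the network at all.

```python
"""Added example: flag listening services that are reachable from the network
and not on an allowlist, from `ss -tlnp`-style output."""
import re

# Constructed sample output in `ss -tlnp` layout (not captured from a real host).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=901,fd=6))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=950,fd=21))
LISTEN  0       50      0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=400,fd=4))
LISTEN  0       128     [::]:23              [::]:*             users:(("inetd",pid=420,fd=5))
"""

LOOPBACK = {"127.0.0.1", "::1"}
PROCESS_RE = re.compile(r'\(\("([^"]+)"')   # first process name inside users:(("name",pid=...))


def parse_listeners(ss_text):
    """Yield (address, port, process) for each LISTEN line."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # skip the header and anything not listening
        addr, port = fields[3].rsplit(":", 1)
        addr = addr.strip("[]")           # IPv6 literals are bracketed, e.g. [::]:23
        m = PROCESS_RE.search(line)
        yield addr, int(port), (m.group(1) if m else "?")


def unexpected_listeners(ss_text, allowed_ports):
    """Network-reachable listeners whose port is not in allowed_ports."""
    return [(port, addr, proc) for addr, port, proc in parse_listeners(ss_text)
            if addr not in LOOPBACK and port not in allowed_ports]


def loopback_only_listeners(ss_text):
    """Services bound to loopback: reachable from this host only."""
    return [(port, addr, proc) for addr, port, proc in parse_listeners(ss_text)
            if addr in LOOPBACK]


if __name__ == "__main__":
    allowed = {22, 80}                    # assumed: this host is an SSH-managed web server
    for port, addr, proc in unexpected_listeners(SS_OUTPUT, allowed):
        print(f"unexpected: {proc} on {addr}:{port}")
    print("loopback only:", loopback_only_listeners(SS_OUTPUT))
```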
Not Analyzing Incoming Packets
A packet is the smallest unit of information transmitted across a network. All information, web pages, email messages and so on, is broken into packets before being transmitted. Each packet carries the sender's IP address and the destination IP address and, for TCP and UDP, the source and destination port numbers that identify the service; TCP also numbers the data it carries with sequence numbers so that the receiver can reassemble the transmission in order. Analyzing incoming packets allows you to weed out packets that don't match the rules in a network device's table of acceptable traffic, such as spoofed packets (a source address belonging to your own network arriving from outside) or packets aimed at the wrong port for a service. It also lets you watch for bursts of activity that indicate a denial of service attack. Analyzing traffic for unacceptable activity is often only done once a breach is suspected, and continuous, proactive analysis is normally reserved for networks with extremely sensitive data; a basic rule table at the network perimeter, however, is cheap enough to apply everywhere.
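The following is an added example (not from the original article) of the rule table just described, and it also illustrates the spoofing and denial of service threats from earlier in the page. It applies three checks to a constructed stream of packets: drop anything whose source claims an inside address while arriving on the outside interface (spoofing), drop anything aimed at a port that carries no permitted service on that host, and raise an alert when one source opens connections to one host faster than a burst limit (a SYN flood). The inside range, the permitted services and the thresholds are assumptions for the demonstration.

```python
"""Added example: a perimeter rule table over constructed incoming packets."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")                       # assumed internal range
ALLOWED = {"192.0.2.10": {80, 443}, "192.0.2.11": {22}}   # assumed host -> permitted ports
BURST_LIMIT, BURST_WINDOW = 20, 2.0                       # >20 SYNs from one source in 2 s

# Constructed packets as seen on the OUTSIDE interface. Each is a dict with a
# timestamp in seconds, source, destination, destination port and SYN flag.
SAMPLE = (
    [{"ts": 0.0, "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 80, "syn": True}]
    + [{"ts": 0.1, "src": "192.0.2.99", "dst": "192.0.2.10", "dport": 80, "syn": True}]  # spoofed
    + [{"ts": 0.2, "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 23, "syn": True}]  # telnet
    + [{"ts": 1.0 + i * 0.05, "src": "198.51.100.9", "dst": "192.0.2.10", "dport": 80, "syn": True}
       for i in range(30)]                                                                  # flood
)


def filter_packets(packets):
    """Return (verdicts, alerts): one (action, reason) per packet in order, plus
    one alert per (source, destination) pair that crosses the SYN burst limit."""
    verdicts, alerts = [], []
    syn_times = defaultdict(list)   # (src, dst) -> timestamps of SYNs seen so far
    for p in packets:
        if ip_address(p["src"]) in INSIDE:
            verdicts.append(("DROP", "spoofed: inside address arriving on outside interface"))
            continue
        if p["dport"] not in ALLOWED.get(p["dst"], set()):
            verdicts.append(("DROP", f"no permitted service on {p['dst']} port {p['dport']}"))
            continue
        if p["syn"]:
            times = syn_times[(p["src"], p["dst"])]
            times.append(p["ts"])
            recent = [t for t in times if p["ts"] - t <= BURST_WINDOW]
            if len(recent) == BURST_LIMIT + 1:     # alert once, on first crossing
                alerts.append(f"SYN burst from {p['src']} to {p['dst']}")
        verdicts.append(("ACCEPT", "matches rule table"))
    return verdicts, alerts


if __name__ == "__main__":
    verdicts, alerts = filter_packets(SAMPLE)
    for (action, reason), p in zip(verdicts, SAMPLE):
        if action == "DROP":
            print(f"{action} {p['src']} -> {p['dst']}:{p['dport']}  ({reason})")
    print("alerts:", alerts)
```

Note that the flood packets are individually valid and are accepted by the first two rules; only the rate check sees them for what they are, which is why burst detection has to be a separate step from per-packet filtering.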
Backups Not Maintained and Verified
One aim of risk assessment is to show how many hours an asset such as a server can be down before the outage starts to impact the library's mission. If backups are not made daily, or at another interval acceptable to your library, you won't be able to recover quickly from data loss caused by security breaches, other disasters (such as utility failures), or acts of nature (such as floods). Backups should also be tested, by actually restoring them, to ensure that the data was backed up properly and that staff are familiar with the recovery procedure. Backups should be kept offsite along with copies of the hardware specifications and the backup software installation media.
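"Tested to ensure that data has been backed up properly" means comparing a restore against a record made at backup time, not just checking that the backup job finished. The following is an added example (not from the original article): it records a SHA-256 manifest of a constructed data directory, makes a backup and a restore of it, verifies the restore against the manifest, then silently corrupts one file and deletes another in the restore to show that the verification catches both. Everything runs in a temporary directory; the file names and contents are constructed.

```python
"""Added example: backup manifest and restore verification with SHA-256."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256.
    Store this alongside the backup; it is the record a restore is checked against."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restore_root, manifest):
    """Return [(relative_path, problem)] for files missing from or altered in the restore."""
    problems = []
    for rel, digest in manifest.items():
        p = Path(restore_root) / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(p) != digest:
            problems.append((rel, "checksum mismatch"))
    return problems


def run_demo():
    """Back up constructed data, restore it, verify, then damage the restore and verify again.
    Returns (problems_in_clean_restore, problems_in_damaged_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restore = Path(tmp, "live"), Path(tmp, "backup"), Path(tmp, "restore")
        (live / "catalog").mkdir(parents=True)
        (live / "catalog" / "records.db").write_bytes(b"record-1\nrecord-2\n")  # constructed
        (live / "config.ini").write_text("[opac]\nport=8080\n")                 # constructed
        manifest = build_manifest(live)          # recorded at backup time
        shutil.copytree(live, backup)            # the backup copy (offsite in practice)
        shutil.copytree(backup, restore)         # a test restore from the backup
        clean = verify_restore(restore, manifest)
        (restore / "catalog" / "records.db").write_bytes(b"record-1\n")   # silent truncation
        (restore / "config.ini").unlink()                                  # lost file
        damaged = verify_restore(restore, manifest)
        return clean, sorted(damaged)


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

Keep the manifest with the offsite copy but generate it from the live data, not from the backup: a manifest computed from an already-corrupted backup would verify that corruption as correct.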
Lack of Protection against Malicious Code: Viruses, Worms, Trojan Horses
A virus is a program that reproduces by attaching to another program. It may damage data directly, or it may degrade system performance by taking over needed system resources which are then not available to authorized users. Worms are independent programs that reproduce by copying themselves from one system to another, usually over a network. Trojan horses are programs that appear to perform a useful function but actually hide another unauthorized program inside them. When an authorized user performs the apparent function, the Trojan horse performs the unauthorized function as well (often usurping the privileges of the user).
All of these threats and vulnerabilities must be anticipated, especially when the threat is due to staff ignorance. They certainly must not be ignored—an ostrich with its head in the sand is only getting its head dirty. Threats and vulnerabilities must be carefully examined to see whether or not they apply to your library's computers and networks, staff and procedures. Then they must be analyzed to devise strategies to counter them.