NEWS AT SEI
This article was originally published in News at SEI on: September 1, 2001
If your computer is connected to the Internet, you are a systems administrator, and you should take precautions just like a professional sys admin would take. That’s especially true if you want to avoid having your computer used in a distributed denial-of-service attack—and then getting sued by a corporation that was "attacked" by your computer.
Everybody who has a home computer is a system administrator—especially those who are connected to the Internet via cable modem or digital subscriber line (DSL) connections. Home computer owners have the same responsibilities—even if they don't accept them—as the professionals who take care of the computer systems at work. Home computer owners who don't take responsibility may change their perspective on security when their computer systems are used in a distributed denial-of-service attack against an organization that can afford to go after all computer systems used in the attack.
You've just purchased a state-of-the-art, top-of-the-line personal computer system and you're running the latest version of your favorite operating system. To give yourself the highest-speed Internet access available, you've chosen the always-on technology of a cable modem. You are ready to do some serious computing in your home. Let's go to it!
After a few weeks of enjoying your new system and your very fast Internet connection, you notice that the connection isn't so fast anymore. In fact, when you aren't doing anything on the system, you notice that the transmit light on your cable modem is on solidly. You poke around a little (or ask your child or the teenager down the street to poke around) and see some programs running that you don't recognize. With a little tinkering, you kill them off and are pleased to see that the modem's transmit light is taking a rest.
A few days later, the event repeats itself, and you counter with the same techniques that worked before. You stop the problem again, but you get a sinking feeling that you'll have to do this over and over again. Feeling a bit nervous, you look around for damage. Your applications still work and your bank account balance looks about right. That's a relief. You decide the problem is solved and you move on.
That day in the paper, you read about some high-profile attacks on well-known e-commerce sites. You learn that the sites that were attacked have suffered significant financial losses. They intend to go after the owners of the computer systems used in the attack. You think to yourself, "Corporations have deep pockets. They can afford to pay for their inability to keep hackers out of their computer systems. Serves 'em right!"
Soon after, you receive in the mail an official-looking document from an attorney's office. Upon opening it, you find "legalese" describing a suit filed on behalf of one of those e-commerce sites you read about in the paper. You find that you and your computer system are listed as one of the systems against which the suit has been filed. Whoa! Corporations may have deep pockets, but you don't, especially after just having spent your extra cash on that new computer system. Now it seems that you'll need to spend even more money for legal services to defend yourself.
Could this happen to you? Yes, it could; and the fact that it hasn't happened yet doesn't mean that it never will. I firmly believe that the time will come when an e-commerce organization like the one mentioned above will seek compensation because you neglected the standards of due care and, thus, caused their loss. It's a matter of when, not if.
Still not convinced that it could happen to you? Think about it another way. What is the difference between the computer system in your office and the brand-new system at home? Not a lot, except that within the corporate setting, there is almost always a group of employees who have administrative responsibilities for the care and well-being of those computer systems. For the computer at home, you have that responsibility, whether you choose to accept it or not.
OK, so what if your machine doesn't have an administrator? After all, you believe that there is nothing on your home computer system that would be of interest to an intruder, right?
Guess again. That system has all the features needed to participate in one of those popular distributed denial-of-service attacks that, unfortunately, characterize the Internet these days. Your new machine has lots of power, plenty of disk space, a lot of memory, and a high-speed and always-on Internet connection. Most importantly, its owner (you) is probably not looking very closely at how the system is being used and potentially abused. It's a perfect target. Yesterday, you couldn't spell systems administrator. Now you are one!
What does it mean to be a systems administrator for your home computer system? It means many things, including patching software, installing a firewall, using a virus checker, and keeping up to date about what's happening on the Internet.
At the CERT® Coordination Center, we have learned that over 95% of all network intrusions could be avoided by keeping your computer systems up to date with patches from your operating system and applications vendors. If you do nothing else, you should install these patches wherever possible, and as quickly as possible.
Unfortunately, applying patches is often a hard, time-consuming task. Vendors don't always tell you whether their products will continue to work when patched. When you're not sure if you can apply a patch without repercussions, contact your vendor and ask. The more customers ask these questions, the more likely it is that the vendors will make their products work on patched systems—and publicize their efforts.
What else should you do? Your car has a physical firewall that sits between you and the engine compartment. Its purpose is to keep the bad things that can happen to and around your engine out of your lap. Your computer system ought to have a firewall too, a technological firewall. With a technological firewall, you can keep the intruders out of your lap.
There are many brands of firewalls, and they come in two basic varieties—hardware and software. The hardware firewall attaches directly to your cable modem or DSL connection, and your computer system plugs into the firewall. In 2001, they cost about $200. The software firewall is nothing more than an application that installs directly on your computer system. You can purchase them at prices of $20 and up, but there are good ones that are free. Do some research to see which firewalls meet your needs. While you're at it, consider getting one of each, especially if your home computer system is a laptop that may be attached to other networks besides the one at home. No matter where you connect that laptop to the Internet, you will have a firewall standing between you and—literally—the rest of the world.
Viruses and worms have a significant impact on computer systems. You should invest in anti-virus software and then be sure to keep the virus signatures file up to date. Most anti-virus software makes this job easy by automating the task. Money spent here is money well spent.
Finally, you need to keep up with the security issues surrounding your computer system and its applications. We suggest that you subscribe to the electronic mailing lists that are relevant to you. You need to know when there are patches, improvements, and new versions that have security implications for you.
Given the present state of technology, computer systems need attention—and lots of it—to keep them operating more securely. For your home computer systems, you are the person who has the responsibility to give that attention. You need to accept it and do what the professional systems administrators do.
In case you didn't know this already, when you are connected to the Internet, the Internet is connected to you. You need to be ready.
About the Author
Lawrence R. Rogers is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT® Coordination Center is a part of this program.
Rogers's primary focus is analyzing system and network vulnerabilities and helping to transition security technology into production use. His professional interests are in the areas of administering systems in a secure fashion and software tools and techniques for creating new systems being deployed on the Internet. Rogers also works as a trainer of system administrators, authoring and delivering courseware.
Before joining the SEI, Rogers worked for ten years at Princeton University, first in the Department of Computer Science on the Massive Memory Machine project, and later at the Department of Computing and Information Technology (CIT). While at CIT, he directed and managed the UNIX Systems Group, which was charged with administering the UNIX computing facilities used for undergraduate education and campus-wide services.
Rogers co-authored the Advanced Programmer's Guide to UNIX System V with Rebecca Thomas and Jean Yates. He received a BS in systems analysis from Miami University in 1976 and an MA in computer engineering in 1978 from Case Western Reserve University.