NEWS AT SEI
This library item is related to the following area(s) of work: Security and Survivability
This article was originally published in News at SEI on: February 1, 2004
Computer security has been, is, and will continue to be a hot topic for discussion. Newspapers frequently chronicle computer security breaches and estimates of lost revenue. Bookstores carry books that describe how to secure home and work computers against would-be intruders. Television news features depict high-profile computer security incidents and show interviews with computer system owners and sometimes even those who broke in. We’re being barraged by computer security information that includes recommendations about software that we should install and other steps we should take to secure our home and office computer systems.
But when all is said and done, do we really know the problem we’re trying to solve? That is, do we really know the goal of computer security?
Simply stated, the goal of computer security is this: keep your computer-based possessions yours unless and until you explicitly give them to others. This includes your computer system (CPU cycles, memory, disk space, and Internet connectivity and speed), the software you’ve purchased, and the files and folders you’ve created. As you’ll soon see, most mitigation strategies discussed in those books and self-help articles on the Internet are ultimately aimed at keeping what belongs to you yours.
And this concept isn’t new. It’s what you’ve been doing for years with most of your other possessions. For example, the doors on your house have locks, and you use them. So do the windows and so does your car, and you use them too. You don’t give the keys to anyone who asks for them without a really good reason. You don’t leave your CD player and your CDs out for all to use. You don’t store your financial or your personal medical records on your front porch.
Why then are we so willing to give up our computer possessions to anyone who wants to take them?
Back in the days before the Internet became popular and affordable, we could treat our personal computer possessions much like anything else we owned. The computer was in a room in our house and we locked our doors. Intruders who wanted access had to come to the house, break in, and take what they wanted.
We knew how to deal with that situation. We had locks and deadbolts on our doors and security systems to notify the police when someone tried to break in. Yes, there were break-ins and yes, computer assets were stolen. But the incidents were few and the signs of a break-in were well understood by law enforcement. Just watch CSI or any other television programs of that genre to see how well understood they really are.
These days, with widespread and inexpensive access to the Internet, the only thing that’s changed is that intruders can be anywhere in the world and still gain access to your computer possessions. They don’t need to be where your computer is. It’s like giving your credit card to the waiter or waitress at a restaurant to pay your bill and discovering that the whole world is waiting in the kitchen, prepared to make a copy of the information on your card.
And unfortunately those computer assets are not protected like your house is. That is, they don’t always come with locks, and those that do can sometimes be too easily “picked” by an intruder. In fact, in some cases, your computer assets are shared automatically with anyone who comes knocking, and you have to do something to lock them. One of the challenges of using a computer is finding the locks that keep intruders out and making sure they work correctly and appropriately.
Another challenge, which may be even more significant, is keeping these locks working correctly. Again, we know how to deal with this type of situation. For example, if your house needs to be painted, you’d paint it after first scraping off what’s loose and doing any other necessary preparatory steps. But you know that paint job won’t last forever. In a few years, you’ll need to do it all again. You accept this as part of the responsibility of home ownership.
With your home and office computer system, it’s the same thing. You first install a piece of software, a firewall, for example, as described in Task 4 below, and then you tune it to match your Internet usage patterns. Over time, your patterns may change, as may the programs you use to access the Internet. You’ll need to tune the firewall program again. Unfortunately too many home computer system owners and users get frustrated by the attention that some software requires. Rather than mastering it, they remove it. They don’t accept this as part of their responsibility of home computer ownership.
Let’s now return to this goal of home computer security—keeping what belongs to you yours—and look at one set of recommendations to see how they support this goal. The recommendations are taken from the Home Computer Security Guide.
The intent of these tasks is to keep what belongs to you yours and deny access to all others. It doesn’t matter whether an intruder tries to gain access by sending you a virus as an email attachment, exploiting a program that hasn’t yet been patched, or accessing your system in a way that a firewall would normally prevent. They’re all examples of the same fundamental concept: someone is trying to access your computer resources, and you don’t want them to have that access.
Why is this important? Technology changes rapidly, as do the ways intruders take advantage of that technology. If you know the goal of computer security, you can better adapt to these inevitable technological changes. And you can better safeguard your computer resources against the inevitable intruder attacks, keeping what belongs to you yours until you say otherwise!
Lawrence R. Rogers is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT Coordination Center is a part of this program. Rogers’s primary focus is analyzing system and network vulnerabilities and helping to transition security technology into production use. His professional interests are in the areas of administering systems in a secure fashion and software tools and techniques for creating new systems being deployed on the Internet. Rogers also works as a trainer of system administrators, authoring and delivering courseware. Before joining the SEI, Rogers worked for 10 years at Princeton University. Rogers co-authored the Advanced Programmer’s Guide to UNIX Systems V with Rebecca Thomas and Jean Yates. He received a BS in systems analysis from Miami University in 1976 and an MA in computer engineering in 1978 from Case Western Reserve University.
This and other columns by Larry Rogers, along with extensive information about computer and network security, can be found at http://www.cert.org.
The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.