NEWS AT SEI
This article was originally published in News at SEI on: February 1, 2004
Computer security has been, is, and will continue to be a hot topic for discussion. Newspapers frequently chronicle computer security breaches and estimates of lost revenue. Bookstores carry books that describe how to secure home and work computers against would-be intruders. Television news features depict high-profile computer security incidents and show interviews with computer system owners and sometimes even those who broke in. We’re being barraged by computer security information that includes recommendations about software that we should install and other steps we should take to secure our home and office computer systems.
But when all is said and done, do we really know the problem we’re trying to solve? That is, do we really know the goal of computer security?
Simply stated, the goal of computer security is this: keep your computer-based possessions yours unless and until you explicitly give them to others. This includes your computer system (CPU cycles, memory, disk space, and Internet connectivity and speed), the software you’ve purchased, and the files and folders you’ve created. As you’ll soon see, most mitigation strategies discussed in those books and self-help articles on the Internet are ultimately aimed at keeping what belongs to you yours.
And this concept isn’t new. It’s what you’ve been doing for years with most of your other possessions. For example, the doors on your house have locks, and you use them. So do the windows and so does your car, and you use them too. You don’t give the keys to anyone who asks for them without a really good reason. You don’t leave your CD player and your CDs out for all to use. You don’t store your financial or your personal medical records on your front porch.
Why then are we so willing to give up our computer possessions to anyone who wants to take them?
Back in the days before the Internet became popular and affordable, we could treat our personal computer possessions much like anything else we owned. The computer was in a room in our house and we locked our doors. Intruders who wanted access had to come to the house, break in, and take what they wanted.
We knew how to deal with that situation. We had locks and deadbolts on our doors and security systems to notify the police when someone tried to break in. Yes, there were break-ins and yes, computer assets were stolen. But the incidents were few and the signs of a break-in were well understood by law enforcement. Just watch CSI or any other television program of that genre to see how well understood they really are.
These days, with widespread and inexpensive access to the Internet, the only thing that’s changed is that intruders can be anywhere in the world and still gain access to your computer possessions. They don’t need to be where your computer is. It’s like giving your credit card to the waiter or waitress at a restaurant to pay your bill and discovering that the whole world is waiting in the kitchen, prepared to make a copy of the information on your card.
And unfortunately those computer assets are not protected like your house is. That is, they don’t always come with locks, and those that do can sometimes be too easily “picked” by an intruder. In fact, in some cases, your computer assets are shared automatically with anyone who comes knocking, and you have to do something to lock them. One of the challenges of using a computer is finding the locks that keep intruders out and making sure they work correctly and appropriately.
Another challenge, which may be even more significant, is keeping these locks working correctly. Again, we know how to deal with this type of situation. For example, if your house needs to be painted, you’d paint it after first scraping off what’s loose and doing any other necessary preparatory steps. But you know that paint job won’t last forever. In a few years, you’ll need to do it all again. You accept this as part of the responsibility of home ownership.
With your home and office computer system, it’s the same thing. You first install a piece of software, a firewall, for example, as described in Task 4 below, and then you tune it to match your Internet usage patterns. Over time, your patterns may change, as may the programs you use to access the Internet. You’ll need to tune the firewall program again. Unfortunately, too many home computer system owners and users get frustrated by the attention that some software requires. Rather than mastering it, they remove it. They don’t accept this as part of their responsibility of home computer ownership.
Let’s now return to this goal of home computer security—keeping what belongs to you yours—and look at one set of recommendations to see how they support this goal. The recommendations are taken from the Home Computer Security Guide.
- Task 1 – Install and use an anti-virus program – A virus is a program that runs on your computer system without your permission. This means that when the virus runs, somebody else is using your computer possessions. A virus may also be destroying your files or disclosing them to others who aren’t otherwise allowed to see them. An anti-virus program attempts to stop this from happening.
- Task 2 – Keep your system patched – Programs that need to be patched are weak spots through which intruders can more easily gain access to your computer possessions. Patching attempts to eliminate this kind of access. To protect your possessions, you need to keep all of the software you’ve purchased patched with all of the patches provided by the vendors who write that software. Each vendor will tell you where to find and how to patch the software you’ve purchased from them.
- Task 3 – Use care when reading email with attachments – Email attachments that you weren’t expecting are usually viruses, so the comments from Task 1 also apply here. Whether they are viruses or not, they are most often programs that run on your computer system without your permission. By using care, you are attempting to stop running unwanted programs on your computer system.
- Task 4 – Install and use a firewall program – A firewall program attempts to keep outside access out and limits inside access to outside resources. That is, it works like your locked front door that keeps unwanted people out and your toddler in. If intruders can’t get to your computer resources, they can’t use them for their purposes.
- Task 5 – Make backups of important files and folders – If a file or folder is destroyed by accident, by an intruder, or in some other way, then a backup provides another copy. You are keeping what is yours yours by having more than one copy.
- Task 6 – Use strong passwords – These days, most computer resource access uses a login and a password. Selecting a complicated password makes it harder for intruders to access your computer resources, because those passwords are harder to guess.
- Task 7 – Use care when downloading and installing programs – The Internet is a powerful resource for finding and using the work of others to enhance your computing resources. Programs are one example. However, not all programs on the Internet are what they are said to be. Some programs are viruses such as those described in Task 1, while others are like the email attachments described in Task 3. By doing some research before downloading and installing programs, you are trying to improve the chances that these programs are what they are said to be, will do to your computer resources what you want them to do, and will do nothing more.
- Task 8 – Install and use a hardware firewall – A hardware firewall does the same job as the firewall program described in Task 4. It provides another layer that keeps unwanted outside access out and limits inside access to outside resources. A hardware firewall sits between your Internet connection (a cable or DSL modem) and the computer systems in your house or office. These days, a hardware firewall often comes bundled with that Internet connection hardware. Just like an airplane with two engines, where if one fails you can still fly, the combination of a hardware and software firewall gives your home and office computer systems two layers of defense against intruders.
- Task 9 – Install and use a file encryption program and access controls – Access controls are attributes of files and folders that limit access to only those who should have access. As a failsafe, encryption scrambles file contents so that only those who have access to a file and know the decryption keys can see a file’s contents.
The intent of these tasks is to keep what belongs to you yours and deny access to all others. It doesn’t matter whether an intruder tries to gain access by sending you a virus as an email attachment, exploiting a program that hasn’t yet been patched, or accessing your system in a way that a firewall would normally prevent. They’re all examples of the same fundamental concept: someone is trying to access your computer resources, and you don’t want them to have that access.
Why is this important? Technology changes rapidly, as do the ways intruders take advantage of that technology. If you know the goal of computer security, you can better adapt to these inevitable technological changes. And you can better safeguard your computer resources against the inevitable intruder attacks, keeping what belongs to you yours until you say otherwise!
About the Author
Lawrence R. Rogers is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT Coordination Center is a part of this program. Rogers’s primary focus is analyzing system and network vulnerabilities and helping to transition security technology into production use. His professional interests are in the areas of administering systems in a secure fashion and software tools and techniques for creating new systems being deployed on the Internet. Rogers also works as a trainer of system administrators, authoring and delivering courseware. Before joining the SEI, Rogers worked for 10 years at Princeton University. Rogers co-authored the Advanced Programmer’s Guide to UNIX Systems V with Rebecca Thomas and Jean Yates. He received a BS in systems analysis from Miami University in 1976 and an MA in computer engineering in 1978 from Case Western Reserve University.
This and other columns by Larry Rogers, along with extensive information about computer and network security, can be found at http://www.cert.org.
The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.