It is impossible to provide absolute security for our computers just as it is impossible to provide absolute security for ourselves and our possessions in the physical world. No technology, configuration, or product will completely eliminate risk. Additionally, an open network with free choice in communications, computing platforms, and applications implies acceptance of additional risk beyond that experienced in a tightly controlled, restricted environment.
There are 600 million people connected to the Internet and we cannot control their actions. They have world-wide, almost instantaneous and anonymous access to our computers' network ports. There are practical compromises in the design of our computers and networks that may leave them vulnerable to certain activities. Accordingly, we must temper our actions with awareness and take some precautions.
Keep up to date with current threats and scams
It is difficult to solve or avoid a problem we don't know about. The Computer Security Hot Topics list summarizes current threats and scams.
Enable Data Recovery through Backups
Whether we lose computer data because of hardware failure, mistakes, or system compromise, it is important that we have a means to restore the data if it is critical or hard to reproduce. Accordingly, regular backups are important:
- If network drive file space doesn't suffice, desktop operators should backup critical files to floppy disks or other removal media on a regular basis. Writable CDROMS are now cheap and hold a significant amount of data.
- Multi-user systems should have regularly scheduled backups to external media to ensure the services provided by these systems and the user data resident on these systems can be quickly restored.
- For all types of backups it is important to regularly test the restore process to ensure the backups are being performed properly and that it is possible to restore the system to the desired state in a timely fashion.
Be Careful About Whom and What You Trust
- Most common electronic communications methods are notoriously easy to fake. Don't believe everything you see on the web or in email messages. Use caution when performing actions based on information contained in electronic media...particularly revealing sensitive information or downloading files. There are those among the 600 million people on the Internet who will take advantage of you.
- Shared passwords can quickly be abused and passed on. Don't share your password with anyone.
- Whatever you type into a computer may be recorded. Don't type sensitive information such as passwords into untrusted computers.
- If you allow someone to use your computer, they have the ability to alter it to collect your passwords and other data. Don't allow untrusted individuals to use your computer without supervision.
Do Not Ignore Warning Messages
Several system compromises have come about because warning messages were ignored.
- If anti-virus software continually warns of a virus, it means something is wrong. Contact support personnel.
- If you use SSH clients, such as Putty, F-Secure, or SecureCRT, and you get a warning about a host key changing, it may mean someone is trying to obtain your password and/or hijack your session. Tools to do so are in circulation and relatively easy to use. Contact the system administrator of the host you're trying to reach or security personnel and verify keys were changed.
- If, while using a web browser on a "secure site", you get a message about a new certificate, read the message carefully. Be particularly cautious if you get a message stating that the contents of the certificate do not match the host information. It could mean someone is attempting to hijack your connection and read your passwords. Tools for doing so are in circulation and are relatively easy to use. Contact the system administrator of the host you're trying to reach or security personnel if you are unsure and you will be passing sensitive passwords or other information over the connection.
Incorporate Security in Decisions, Design, and Development
Decision makers, designers, developers, and service providers have special responsibilities. They affect the types of things we do with our computers as part of our day to day activities and likely control access to our data and services. These people must elevate security to the same level of concern as they do ease of use, supportability, and functionality during the design and development process. Just as they have a responsibility to provide a usable, supportable, functional service, they also have a responsibility to provide confidentiality, privacy, data integrity, and availability. Security must be an integral factor in all design decisions...not an add-on.
Every product and platform has its own security issues just as they have their own configuration, interoperability, and performance issues. The product expert's expertise and responsibility must not be limited to getting it running, improving its appearance, or making it easy to use and support. They must make sure it is running safely. Here are a few generic issues to consider:
- Are authentication credentials protected sufficiently? How?
- Is data adequately protected against unauthorized access? How?
- How will backups, upgrades, and system monitoring be accomplished?
- Is the service protected against malicious user supplied data?
- What are the known threats against this type of service and how can the risk of those threats be minimized?
Regularly Check System Security Status
A good system administrator regularly check logs and other monitoring tools to determine the operating status of their computer. The proactive monitoring may head off a surprising hardware failure, capacity bottleneck, or system break-in. Similarly, the system should be checked against external benchmarks occasionally to determine the system's level of vulnerability.
The Center for Internet Security is publishing benchmarks for various systems. At this time, the following are available:
Watch for Intrusions
Even in the real world, preventive security measures are not expected to provide protection indefinitely. An assumption is made that an intrusion event will be detected and that someone will intervene in a finite amount of time. The protective device or procedure only needs to provide protection for the time it takes to detect and respond to the event. We must set up alarm systems and response mechanisms for our computers because our systems are not impervious to attack no matter how careful we are or how much money we spend on preventive measures.
For desktop systems, intrusion detection and response may simply consist of becoming aware of unexpected operation and notification of support staff. Anti virus tools and desktop firewalls can be viewed as intrusion attempt detection systems. Similar tools like the chkrootkit, NIPCs ddostool, ipchains, and iptables exist for unix systems. Critical and shared systems probably require more stringent measures.
If a system provides a critical service and/or one that many people depend upon, the system generally needs more professional administration. Things like capacity planning, account management, error monitoring, and performance tuning are expected. In addition to these tasks, a system requires regular audits and event detection in order to help ensure its integrity.
System logs, system configuration, and operational characteristics should be regularly monitored for signs of attempted or successful system compromise.
While this monitoring can be done manually, such efforts result in response times that are tied to the manual procedures which may not be appropriate for critical or sensitive systems. In addition, the monitoring is often tedious, complex, and detail oriented which can lead to mistakes and oversights.
Examples of the checks that need to be performed on a system, whether manually or automatically, are included in CERT's Windows NT Intruder Detection Checklist and Unix Intruder Detection Checklist. Aftermarket software can automate this functionality and should be considered part of the cost of providing a service along with the hardware and functional software.
Report Security Incidents
With a population of 300,000,000 people, cyberspace is a very large community with the inevitable result that some folks will perform actions that we may not agree with. If you suspect computer abuse, you can submit a violation report through the web or report it via email at email@example.com. This will trigger a formal security incident report which will be assessed by the JMU Computer Incident Response Team.
If you suspect your computer has been broken into or if you suspect your computer is infected with a virus and it is running Norton Anti-Virus:
- Disconnect the computer from the network.
- Preserve evidence. Do not alter anything on the computer.
- Try to write down everything you know about the incident while it is fresh in your memory.
Whether consciously or not, we humans constantly assess our environment for threats and adjust our actions accordingly. Put into an unfamiliar environment, with unfamiliar rules, our defensive systems may become disoriented and ineffective. As we increasingly depend upon interactions with computers and their associated information, we are going to need to become familiar with the threats in this complex, fast changing environment. R.U.N.S.A.F.E. is an attempt to bring the most important issues to your attention.
A Frequently Asked Questions list of computer security related issues is available at http://www.jmu.edu/computing/info-security/engineering/issues/jmufaq.shtml