Internet security is a subset of actions aimed at securing information based on computers and in transit between them. In the modern environment the two subjects are closely linked. Neither computers nor the networks that connect them are inherently secure. Computers were subject to attack before the Internet became a public utility—because illegitimate software hidden on commercial diskettes could be fashioned to load itself on a computer and play havoc with data in memory or placed on a fixed drive. The Internet, by its very nature—initially conceived of as an open network to facilitate free exchange of ideas and information—is vulnerable. According to the Internet Systems Consortium (ISC), which conducts four surveys each year, in January 2006 there were some 395 million Internet hosts in operation—and billions of computers consulting billions of pages carried by those hosts. Despite best efforts, a system of this size and complexity will inevitably have points of entry that can be abused—and software programs frequently have unknown weaknesses that hackers (for fun) or criminals (for gain) discover and turn to their advantage until the flaws are fixed.
Computer networks hold valuable and often protected, private information, not least data on identities; credit cards; financial data; technical, trade, and government secrets; mailing lists; medical records; and the list could be continued. These data are vulnerable on the computer and in transit. The Internet, as a connector between computer systems, is also a highway of access to valuable data stores. The vulnerabilities are loss of data through malicious erasure, the acquisition of proprietary information, the manipulation of the data such as illegal withdrawals and transfers of funds, the capture and criminal use of credit cards or identities, and any and all unauthorized uses to which information may be put. Internet security breaches can also potentially have direct physical consequences if the wrong people hijack systems that control transportation or power systems. Computers have become so pervasive, and their networking so universal, that Internet security and security in general are closely linked objectives of society.
FORMS OF ATTACK
Internet security deals narrowly with one means by which computer crime (covered in more detail elsewhere in this volume) is committed. In the mid-2000s Internet-based criminal activity appears to be less of a threat than localized computer crime. This point was emphasized by Andrew Harbinson, a computer crime fighter working for Ernst & Young in Ireland. Harbinson wrote in Accountancy Ireland that the ratio between "insider" and Internet crime is roughly 3 or 4 to 1—and this despite a different trend in some reports. Since the corporate scandals of the early 2000s, many companies have been reluctant to report internal frauds fearing an adverse response from the stock market. Significant crime, according to Harbinson, reflects motive and opportu-nity—and insiders know systems much better and can exploit them more effectively than hackers fishing around from the outside.
Systems disruptions arising from the immaturity of teenaged hackers, the malicious intent of grownups, and the organized activities of pressure groups are the most common forms of Internet attack. These take the form of destructive or simply irritating software programs (viruses) that minimally "send a message," more seriously disrupt operation or cause shut downs, and in extreme forms cause serious loss of data. Other names associated with viruses are worms, Trojan horses, logic bombs, and sniffers—described further under Computer Crimes in this volume. Deliberate, organized, and sometimes automated programs to overload selected sites so that they are forced out of action are sometimes mounted by dissident groups. This type of action is known as "distributed denial of service." A common Internet-based crime is the theft of valuable lists—either for use or resale by the thief or as a means of blackmailing the target. Finally, spam, in the sense of undesired e-mail, is a nuisance and a bother but does not rise to the level of a vulnerability.
The National Institute of Standards and Technology (NIST), a government agency, defines seven categories of "incidents" (but numbered in good computer fashion from 0) used to sort out unusual network events in the federal government. These are Cat 0, Scheduled and Planned Tests (and therefore not actual breaches, even if they appear as such); Cat 1, Unauthorized Access (actual penetration without authority); Cat 2, Denial of Service (by exhausting resources); Cat 3, Malicious Code (viruses, etc.); Cat 4, Improper Usage (a user violating established policies); Cat 5, Scans/Probes/Attempted Access (unsuccessful but potentially preparatory to an attack later); and Cat 6, Investigation (unconfirmed attempts not yet fully reviewed).
Notably, perhaps—and perhaps an indication of the general health of the Internet and its chief managers (the hosts, portals, the communications companies, and the government)—no major blackout of the Internet has taken place to date literally shutting down the World Wide Web as a whole or in some region of the world.
Internet vulnerability arises from human factors, failures of "defensive" technologies, and from weaknesses in software products or their interactions.
Access to systems is usually protected by passwords. Careless assignment, use, and storage of passwords is in part a human factor leading to vulnerabilities. The MITRE Corporation, with funding from the U.S. Department of Homeland Security (DHS), maintains Common Vulnerabilities and Exposures (CVE), a dictionary and reference system to databases that hold CVE data by many other organizations. MITRE's CVE Website identifies, from among 7,000 CVE entries, 1,117 which relate to password vulnerabilities. These vulnerabilities have frequently arisen because passwords, particularly Systems Manager passwords, have been stored in forms easily recognized by outsiders.
Perhaps the best known protection technology is the firewall, a software system that monitors a network's or a single computer's interactions with the Internet. Firewalls are designed to capture, store, and analyze "on the fly" a series of recent commands received from the Internet. The firewall accepts these commands and temporarily puts them in a buffer to look at them before letting them execute. It has its own database of patterns of commands which signal trouble. When it finds such a pattern in its buffer, it ignores that set of commands and thus protects the system.
Virus detection and monitoring programs work by incorporating logic and data which enable them to scan and thus to recognize viruses in their many forms before these are able to do any damage. Virus detection software, of course, is constantly updated as malicious ingenuity creates ever newer attempts at slipping into computers disguised in innocent forms like e-mail attachments. When intruders discover ways to penetrate firewalls or slip viruses past virus detectors, the system becomes vulnerable.
By far the largest number of vulnerabilities are created by undiagnosed weaknesses in operating systems and in ordinary software. Attackers probing systems either know about these weaknesses, or chance across and then learn to exploit them. Software development takes many people. Programs of real use tend to be complex. To test or debug programs developers use so-called "back doors" to enable them to interact with a running program; such back doors are sometimes "left open" but become known in the hacker community. The same aims are usually achieved in the same way in programming as in other fields; thus skilled developers will know where to look for exploitable features of a software system.
The diagnosis and cure of security breaches is a hi-tech specialization where even the highly computer-literate—indeed skilled programmers—will be entirely at sea without help. Three examples of CVE definitions from MITRE, plucked more or less at random, will make the point. CVE 2000-1936, for example, states: "UTStarcom BAS 1000 3.1.10 creates several default or back door accounts and passwords, which allows remote attackers to gain access via (1) field account with a password of '*field', (2) guru account with a password of '*3noguru', (3) snmp account with a password of 'snmp', or (4) dbase account with a password of 'dbase'." Come again? CVE 2006-1136 states: "Buffer overflow in the PostScript file interpreter code for Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, allows attackers to cause a denial of service via unknown vectors." CVE 2005-4660 states: "IPCop (aka IPCop Firewall) before 1.4.10 has world-readable permissions for the backup.key file, which might allow local users to overwrite system configuration files and gain privileges by creating a malicious encrypted backup archive owned by 'nobody', then executing ipcoprscfg to restore from this backup."
With some 7,000 such problem definitions on file, growing at the rate of around 100 per month, it is clear that the vulnerabilities of the highly sophisticated technical universe of the Internet are themselves hi-tech phenomena and therefore the preserve of specialists.
WHAT TO DO
Systems of defense against Internet attacks have evolved side-by-side with the aggression in a kind of serious version of the "Spy vs. Spy" cartoon series made famous by Mad Magazine. The three important actions available to individuals and businesses, however small, are 1) disciplined use of computer systems including careful password and e-mail control, 2) installation and upgrading of firewalls between internal networks and the Internet, 3) alertness to news stories about new viruses and breaches and promptly carrying out public recommendations, and 4) prompt reporting of breaches to the authorities as soon as they are detected.
The business owner has the chief responsibility to deny access to his or her systems to individuals who should not be using them. This is normally accomplished by using password control. In the modern environment we are required to use far too many passwords. Not surprisingly, we pick one we like and tend to stick with it. We use the same password for a number of different online accounts, at home, at the office. The capture of one somewhere can lead to its use elsewhere. In cases where good discipline is enforced, new passwords are issued at intervals—but people tend to forget them, with the consequence that they are often scribbled on the computer monitor lightly in pencil. Such careless practices, needless to say, are in part responsible for major breaches and much damage. Most viruses are transmitted as attachments to e-mails. Opening attachments from unknown e-mail transmitters is generally a bad idea—even when the message sounds plausible. A good rule to follow in such cases is that if the sender really wants me to open that mail, he or she will call. Idle curiosity causes many viruses to spread.
Most small businesses with networks will either engage a service firm to maintain and periodically check its system or will have in-house staff managing the function. Firewalls and virus-detection software require periodic maintenance and upgrading. Failure to do so can turn open the company's system to spammers who will use it as a transmission point—using up valuable processor power and eventually causing the company's own mail to be rejected by others—or worse. Old virus monitoring packages will be unaware of new worms, Trojan horses, and logic bombs. When news breaks indicating that some software program has a major flaw, producers of the software soon have "patches" ready to repair the vulnerability. It is a nuisance to download and install such patches, but failure to do so may be more costly. Pay me now or pay me later! Several Web sites provide free virus warnings and downloadable antivirus patches for Web browsers. Examples include www.symantec.com/avcenter and www.ciac.org. The Computer Security Institute provides annual surveys on security breaches at www.gocsi.com. Another useful resource is the National Computer Security Association (www.ncsa.com), which provides tips on Internet security for business owners and supplies definitions of high-tech terms.
Systems breaches should be reported promptly. The business can do so by contacting US-CERT (United States Computer Emergency Readiness Team). This federal organization, formed in 2003, works with the Internet community to raise awareness of security issues and organize the response to security threats. The CERT Web site posts the latest security alerts and also provides security-related documents, tools, and training seminars. Finally, CERT offers 24-hour technical assistance in the event of Internet security breaches. Small business owners who contact CERT about a security problem will be asked to provide their company's Internet address, the computer models affected, the types of operating systems and software used, and the security measures that were in place.
For most small businesses, the Internet is a valuable resource. The effort required to play by the rules is relatively low. The costs, minimally in time, often in dollars, can be quite high even for minor problems like having one's server hijacked for spamming. When viruses destroy disks holding valuable data, costs can skyrocket. Caution, alertness, and discipline can prevent the worst of such problems. A good security policy therefore should be high on the agenda of the business owner.
"Common Vulnerabilities and Exposures (CVE). The MITRE Corporation. 27 February 2006. Available from http://cve.mitre.org/cve/index.html. Retrieved on 1 June 2006.
Federal Bureau of Investigation. 2005 FBI Computer Crime Survey. Available from www.fbi.gov/publications/ccc2005.pdf. Retrieved on 28 May 2006.
Gordon, Lawrence A., Martin P. Loeb, William Lucyshyn, and Robert Richardson. 2005 CSI/FBI Computer Crime and Security Survey. Computer Security Institute. Available from http://www.gocsi.com. Retrieved on 29 May 2006.
Harbinson, Andrew. "Understanding Computer Crime: A beginner's guide." Accountancy Ireland. August 2005.
National Vulnerability Database. National Institute of Standards and Technology. Available from http://nvd.nist.gov/. Retrieved on 1 June 2006.
United States Department of Homeland Security. US-CERT. Available from http://www.us-cert.gov/. Retrieved on 1 June 2006.
Wallace, Ryan P., Adam M. Lusthaus, and Jong Hwan Kim. "Computer Crimes." American Criminal Law Review. Spring 2005.