Frequently Asked Questions About Computer Security
1. What do we mean by computer security anyway?
The goals of computer security are:
- Keep privileged and private information confidential and available only to authorized people.
  This is generally accomplished by identifying the individual requesting access with a
  login ID, authenticating their identity with a password, configuring computer access
  controls to match authorization rules (i.e. limiting login IDs to particular files), and
  encrypting data which may travel outside the computer access controls (over the network, for
  example). Note that most desktop computers do not require a login ID and password.
  Therefore all access control for confidentiality depends upon the operator's actions
  rather than computer controlled mechanisms. In particular, if a program is run on most
  desktops, it turns control of the desktop over to the author of the program... for better
  or worse.
- Keep data intact.
  This is done primarily through the same mechanisms that keep the data confidential, with
  additional access controls to limit who can change the data and, perhaps, mechanisms to
  alert that the data has been changed. Data that travels outside the computer (over the
  network, for example) can be protected by cryptographic methods which make it difficult
  or impossible for the data to be modified without detection. As with confidentiality, most
  desktop computers depend upon operator actions rather than computer controlled access
  control to ensure data integrity.
- Keep services available.
  A variety of things come into play here. Access controls limit the number of avenues of
  potential attack. Redundant power and hardware limit the effect of failures. Backups serve
  as a recovery mechanism when the inevitable failure occurs. Capacity planning in concert
  with access controls helps prevent service overloads. Constant monitoring provides trend
  data and ongoing operational status which in turn improve response to events or changes in
  use.
The various mechanisms described above (passwords, encryption, access control rules,
etc.) are preventive measures that can never be foolproof against any attack. Just like
any other preventive measure (locks, guards, safes, etc.), a measurable amount of time,
money, and motivation can circumvent them. This doesn't even take into account mistakes in
the preventive measures' designs or implementations, or compromises we accept in the
protective measures to enable easier access to functionality. Therefore, to help ensure
our security goals are being met, we check up on them with audits, logs, and monitoring
software.
Back to Contents ->
2. I only have a Windows or Macintosh PC; why should I be concerned about computer security?
In the days of standalone computers, cavalier, reckless, or unauthorized use of a computer just affected
one computer. With a networked computer and its access to networked resources and shared
communications lines, the same recklessness or outside access may affect many computers,
accounts, services, or people. For example, those not so innocent screen savers and games we
once downloaded with abandon can cause much more damage and affect many more people. Or
a compromised personal web server may be used to access our PeopleSoft and email accounts or
attack a company's web server making front page headlines.
With our computers interconnected and our resources shared, we are somewhat interdependent
upon one another. One clicked attachment, downloaded file, or poorly maintained computer can
quickly result in the compromise of that computer and associated accounts. One compromised
account can lead to the compromise of other accounts, shared disk space, or an entire server.
One compromised computer can lead to another compromised computer right across campus or
an attack on a computer on the other side of the world.
Your particular computer may not seem to be a desirable target of a compromise attempt but
any computer is attractive as a stepping stone or attack
vehicle. In addition, computer vandals and their code don't need a reason to attack a specific
computer...many are just out to do as much opportunistic mischief or damage as possible.
Newer technology turns compromised computers into armies of drones that do
the bidding of their masters. They may be used to seed viruses, send SPAM,
distribute child pornography and copyrighted materials, or extort money from web
sites they threaten with traffic overload. News
articles on these types of activities can be found here.
As long as we want to continue to have relatively open computing and communications choices,
each one of us must do his or her part to help ensure the integrity of our network. The only
person in control of each of the 13,000 or so desktop computers on this campus is the person in
front of the keyboard. That person has the freedom to run any code they wish and communicate
with anyone around the world. RUNSAFE
3. How do I safely operate and secure my computer?
The STARTSAFE recommendations will
help you set up a computer in a manner that reduces risk and the
R.U.N.S.A.F.E. information is
provided to inform you of ways you can reduce risk in day to day operation of
your computer.
4. Can't someone do this for me?
To a degree yes. Someone could limit network access, put limits on
functionality and sharing (no email attachments or dynamic documents, no file
sharing, no unauthorized web servers, etc.), enforce strong identification
measures (long and frequently changed passwords, in-person authentication,
etc.), and strictly mandate the software and operation of your desktop (no file
downloads, no floppies, no unauthorized configuration changes, etc.). This would
decrease, but not eliminate, the need for security awareness on the part of
individual computer operators.
However, these steps are not generally compatible with the open environment
of an academic institution. They're not even compatible with the growing desire
for instant and open access, communications, innovation, and sharing in the
wider computing marketplace.
To provide security in an environment encouraging freedom of choice,
innovation, access, and open communication, personal involvement and
responsibility is necessary. Even if we were willing to give up those things,
today's technology, for the most part, was designed with those goals in mind
(think Internet and personal computers) so there are limits to what even
draconian external security measures can accomplish without the help of the
individual computer operators.
With that said, JMU IT does take some centralized measures to decrease
vulnerability. Most of these are rather transparent and consist of things like
desktop management of anti-virus software, network access controls on high-risk,
infrequently used services, and blocking of infrequently used email attachments.
Computers are with us to stay. Their incorporation into our personal lives,
our jobs, and into society in general produces a complex environment that each
of us will have to take some steps to understand in order to function safely and
effectively.
5. What are viruses, worms, spyware, and Trojan horses? How can I prevent them?
What do I do if I get one?
See
http://www.jmu.edu/computing/security/index.shtml#virus
6. Virus Hoaxes
See
http://www.jmu.edu/computing/security/index.shtml#virus
7. What's all this about SubSeven, Back Orifice, IRCBOTS, and Netbus (or why is my CD-ROM
opening and my mouse moving around by itself)?
If one of these programs, or one of the tens of thousands like them, is installed on your
computer, anyone on the Internet can control your computer and do things like:
- Read, modify, and/or delete all your local and network files and make them sharable with
the rest of the world
- See your screen
- Capture your keystrokes including all your passwords and subsequently access any servers
you can access
- Turn on your microphone and camera
8. Is my email secure?
In some ways, its security is comparable to postal mail:
- You really don't know who a letter is from. A person can write anything as a return
address and falsely sign it.
- When you leave email in a mail server for delivery, it's similar to dropping it off at a
post office. As long as it's in the post office/server, it's relatively safe. To pick up
your mail from the post office, you need to present ID for authentication. To pick it up
from the server you need to present a password for authentication.
- Mail traveling to other mail servers is susceptible to compromise at the various ISPs and
organizations it goes through. Its security depends upon the security and integrity of
those organizations just as postal mail depends upon the security and integrity of postal
carriers.
- If you leave your mail lying on your desk, it's only as secure as your desk. Similarly,
if you leave your computer logged in to the email server, your email is only as secure as
your computer keyboard.
- Just as someone can send you a bomb via postal mail, someone can send you a program that
can take complete control of your computer.
9. Is my email reader/web browser safe to use?
Lately, many critical security defects have been found in Microsoft's Internet Explorer
and Outlook email clients, almost every other month. To safely use these products, they
must be regularly updated. The easiest way to do this is via the Windows Update Service.
Other browsers and email clients should be similarly kept up to date, as they too have
regularly discovered defects, though they're not as often exploited.
More and more web and email clients are getting increasingly sophisticated and
complicated with a wealth of automated functionality. Some folks have taken advantage of
this to devise ways of making you run a program on your computer. Once they can get you to
run a program on your computer, they can do anything that you can do and maybe more. So
how do they do this and what can you do to prevent it?
- The most common method is social engineering. Basically, they talk you into doing
something that isn't in your (or JMU's) best interest. They may make
something available to you that looks attractive or innocent so you do what
they want. This may involve downloading and running a picture, sound, movie,
or program file, clicking a button, or typing in passwords or other personal
information that ultimately results in you compromising yourself. They may
send you mail that looks like it comes from someone you trust urging you to
run the attached program.
- Added to the social engineering aspect, there are increasingly devious
ways to exploit architectural problems in today's technology. The complexity
of today's products and the desire to provide easy to use yet powerful
features results in defects and vulnerabilities. It is important to keep your computer up
to date. Critical updates will usually be posted to the Hot Topics List. Windows operators
should set up their computers to auto update their Windows software. Instructions are on
the STARTSAFE web page.
- Today's web and email clients have numerous internal programming languages that may
provide unwanted access to your computer through intentional functionality or
unintentional defects. JavaScript, Visual Basic for Applications, VB Scripting, and various
application macro programming languages are all potential exploit vectors.
Use the minimum functionality with which you can fulfill your purpose, and be more
cautious of those functions that require the languages mentioned.
- You may want to turn off scripting, ActiveX, and Java as you're browsing the web unless
you're on a known, trusted web site.
Similarly, you may want to configure your other applications so as to disable
scripting languages and automated executions and downloads. If you find you
need the functionality, it may be worth the couple extra mouse clicks to
manually re-enable it to make sure you're only getting what you want and not
any additional surprise packages.
10. Why is it so hard to secure computers?
If you're told to "secure your home" you may lock the doors, put up
some security lights, install an alarm system, and consider your home secure.
But how secure would it be if someone could "teleport" themselves into your
home.... from their living room across the world...in milliseconds...with near anonymity?
How secure would it be if someone really wanted to get in? My
guess is not very. It boils down to opportunity and the degree of motivation.
Unfortunately, as the opportunities increase, the amount of motivation needed to take
advantage of them probably decreases...maybe to that provided by a few beers and the
desire for some excitement.
What if you were told to secure your home from flies and ants? How would you go about
finding and sealing the hundreds of places the insects could invade your home? How would
you prevent them from accompanying you when you enter your home? What about gnats or
fleas?
Consider the job of securing your car. You want to be able to travel anywhere. You want
to be able to see through windows. How do you protect it from vandalism when it's parked?
How do you prevent it or its contents from being stolen? How do you prevent someone from
following you around, recording your license number, and documenting your travels and
passengers? Worse, consider the problems of public transportation.
How about a public sporting event. You want the public to attend. You don't want to
alienate them with searches and long lines. You want them to be able to feel free to move
around, visit refreshment vendors, use bathroom facilities, and visit with other fans.
Some will be drunk and disorderly. Others have varying expectations, experience, and
values regarding social interaction. Can you prevent insults, irritations, and harassment?
Can you prevent theft and bodily harm? I think not. You depend upon social mores and the
threat of punishment. What common social mores exist in cyberspace? What behavior actually
breaks a law and what can or will enforcement agencies do about it?
Providing complete security to publicly networked computers presents similar challenges to
those scenarios:
- When connected to the Internet, millions of people around the world have access to the
front door of your computer. If the door is unlocked or has insufficient strength to
protect against a motivated attacker, your computer can be compromised in milliseconds
from anywhere in the world with near anonymity.
Firewalls limit access to computers through the network just as gates do at a closed community.
However, the purpose of a network is to communicate. Foiling communications breaks the
network. When it is possible to finely define the types of communications that are
desired, then firewall rules can be formulated that limit access to only those
communications. However, this is nearly impossible to do in an organization consisting of
a diverse population with diverse jobs, needs, and desires. Without a block on
communications, we're dependent upon social mores and the threat of punishment to prevent
this type of behavior. If we can't prevent it, we're dependent upon imperfect technology
and our own reaction times to clean up any mess. Even if we have firewalls, some
communications must get through or we wouldn't need a network. The fly may come in the
email, off a web page, through instant messaging software, or some other desired and
permitted communications mechanisms.
- Today's desktops have tens of millions of lines of code, tens of thousands of files, and
many applications. The pieces are supplied by many different vendors. The operator of the
computer has thousands of configuration options. An ant (or hacker) only has to find one
opening. Completely ridding the computer of holes would involve testing every line of code in every
possible application configuration with every possible operator action. In today's fast paced
market, this just isn't going to be done. There will be holes for ants to get in and
they'll have to be patched as they're found. Even if all the holes could be plugged,
insects often piggyback through authorized doors. When you run a new program or allow
programs to be run by your browser or email reader, it provides a way for ants to get in
without having to find an obscure hole.
- Today's desktop computers had "ease of use" and functionality as prime
design goals. They try to let their operators do what they want with as few
steps as possible. They often come out of the box in their most lenient
configuration. Sometimes, this makes them as susceptible to risk as a public
sporting event, public transportation, or your local grocery store. They are
subject to a wide variety of risks due to their free access.
Computer security is a compromise between safety and freedom just as are other areas of
day to day life. However, there are some aspects of computer security that cause
difficulties unique to the field.
There are no comparisons (except perhaps those related to radio communications or air
attack) to the global, instantaneous, and anonymous access associated with networked
computer security.
Laws may not exist. Our computers can be scanned and probed from around the world
virtually without fear of breaking a law. Networks can be mapped and vulnerability
databases created that can be used later by automated exploitation tools to
compromise and/or disable systems in milliseconds. If we want to retain full network
functionality and access, we're accepting the risk of being the target of such behavior.
Even if the laws exist, jurisdictional issues may render them ineffective. Political
considerations or misunderstandings may result in contradicting, vague, or otherwise
troublesome legislation. Law enforcement agencies and prosecutors are hesitant to pursue
crimes having hard to estimate or relatively low financial losses which may involve
expensive, complex, and time consuming investigations.
Finally, with 600 million or more people on the Internet, and a lot of them relatively
new and inexperienced, it is difficult to educate them on acceptable behavior...assuming
we could get everyone to agree on what acceptable behavior actually is.
On top of all that, the bad guys only have to find one hole or mistake in our network
consisting of tens of thousands of computers, hundreds of thousands of network
ports, and millions, if not billions, of lines of software.
So, in summary, the difficulties with computer security are:
- Global access without global social mores or education.
- Ineffective law enforcement deterrent due to lack of resources, lack of jurisdiction,
and/or lack of legislation.
- Instantaneous, anonymous access negating any social mores or fear of punishment.
- Ease of use features combined with the aforementioned access traits decrease the needed
motivation to the level of spurious curiosity or thrill seeking.
- Holes that constantly need to be filled in our complex technology environment.
- The constant compromise between risk, freedom, usability, and access.
For an economic viewpoint, check out the paper "Why Information Security is Hard - An
Economic Viewpoint" by Ross Anderson (pdf format).
11. How often does JMU have problems?
Our most common computer security incidents and abuse are email spam, malware
(viruses, IRCBOTs, spyware, etc.) and inappropriate use of electronic messaging. The fingertip accessibility of email
and instant messaging and its quick delivery
conspire to create an environment where it is tempting to send things without thinking
that you'd never consider sending over the phone or postal mail. Think twice before you
send something. Harassment and threats are as illegal over email as they are over the
phone or postal mail. A complaint may result in your having to deal with state or federal
penalties and law enforcement officials...not your local RA or JMU Judicial
Affairs. A few summers ago, a person was
sentenced to two years in jail for emailing threatening messages.
Our router logs show daily, and often hourly, scanning by people all over the
world looking for vulnerable systems. Basically, they "touch" each and every one
of our computers to "rattle the doorknob" to see if it's locked. Many of these
probes are blocked by the router filters and intrusion prevention devices, but many are
let through, as blocking them would keep the associated service from working. This is why
computers must be properly configured, kept up to date, and monitored.
12. What computer security organizations exist within JMU?
Information Technology is
responsible for overall IT planning. The Information Security Officer oversees
policy and risk assessment. Audit and Management Review provides audit
reports on the security of our technology environment to senior management.
Various Information Technology operating areas are
responsible for ongoing operational and system administration issues as well as
researching, developing, and implementing security related procedures and products. They
also perform evidence gathering activities for internal and external complainants for
delivery to internal and external enforcement and prosecution organizations.
The Computer Incident Response Team is responsible for assessing computer security
incidents, assisting recovery, helping to gather information for prosecution, and helping
to perform an autopsy to learn how to prevent future events. It is made up of individuals
from several areas.
Public Safety, Judicial Affairs, Honor Council, and external law enforcement
organizations may be involved in evidence gathering, prosecuting offenders, and/or
assessing punishment and damage restitution.
13. What are the rules regarding computer security at JMU?
- Policy 1207 Appropriate Use of Information Technology Resources
- Policy 1201 Information Technology Resource Management
- Policy 1202 Systems Implementation & Project Management
- Policy 1203 End-User Computing
- Policy 1204 Information Security
- Policy 1205 University Data Stewardship
- Policy 1206 Contingency Management for Information-Based Applications
- Policy 1208 Password Management
- Policy 1209 Electronic Messaging
Also see the FBI National Infrastructure Protection Center's page on ethics and laws.
14. How do I report a security incident?
Email abuse@jmu.edu or submit a violation report on the web.
15. What happened to Yahoo, E-Bay, Amazon, etc. in early February 2000? Can it happen here?
Present reports indicate it was a distributed denial of service
attack. Yes, if someone wanted to target us.
16. How can I detect if my computer has been compromised?
It depends upon how sure you want to be.
If a computer has been compromised, all the tools and data on that computer that you
may want to use to determine the integrity of the machine are suspect. Sophisticated
tools, commonly referred to as root-kits, are
widely available that replace all the commands a person would use to investigate a unix
machine. Similar kits are being developed for Windows machines.
A careful and sophisticated system cracker will not leave any evidence for you to find.
Others may leave traces that may be picked up, but you will need to be familiar with the
operation and layout of your particular system. Since most computers nowadays have tens of
thousands of files and multiple running processes that vary widely during operation, this
can be a complex and tedious process. It's like finding a needle in a haystack. The cracker
only has to plant one needle to get into your system and you have to examine every straw.
If you're using your system to look at the straws, there is a chance that the cracker can
effectively force you to wear rose colored glasses, causing you to miss the needle.
That said, many compromises are done by relatively unsophisticated
individuals, by random execution of mass produced hostile code, and/or on
untargeted computers. In those cases, the compromises leave readily identifiable
fingerprints for us to find.
Some areas to check are:
- Anti-virus tools on Windows machines (Symantec) can detect known remote
control trojans
- The chkrootkit tool will detect
some rootkits.
- List of running processes (unix - ps command, windows - tasklist)
- List of programs with open doors on the network - netstat -anp (linux), lsof (unix),
TCPViewPro (Windows), FPort (Windows), netstat -o (Windows XP)
- Desktop firewalls can tell you what network activity they're seeing.
Windows desktop firewalls may tell you what applications are accessing the
network.
- Access logs to see what systems have accessed your system
- Audit logs if you have auditing turned on
- Unix shell histories
- Startup files (unix inittab/rc/inetd, windows registry/win.ini/system.ini/autoexec/startup
folders - tools like StartupCop and msconfig make this easier) to see what processes are
being started at boot time
- Unix crontab or NT AT entries to see what regularly scheduled processes are being run
- Additional instructions on detecting remote control trojans on Windows machines
- Unix .rlogin files, particularly the one for root
- Unix NFS and Windows file shares
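The "open doors on the network" item above is the one most easily turned into a routine check: record which ports the machine is supposed to be listening on, then compare the output of netstat against that list. The following script is an added example, not code from the JMU FAQ or from any of the tools it names. The netstat text is constructed to resemble Linux `netstat -an` output, and the allowlist of expected listeners is an assumed per-machine policy; both would be replaced with real data in use.

```python
"""Flag listening sockets that are not on an expected-listener allowlist.

Added example for the FAQ's checklist, not part of the original page.
Parses 'netstat -an' style lines and reports listeners outside the allowlist.
"""
import re

# Constructed sample resembling `netstat -an` on Linux (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Assumed policy for this machine: (proto, port) pairs it is expected to listen on.
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 631), ("udp", 68)}

# proto, recv-q, send-q, local address, foreign address, optional state
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return a set of (proto, local_addr, port) for sockets accepting traffic.

    TCP sockets count only in state LISTEN; UDP sockets carry no state, so any
    bound UDP socket is treated as a listener. Header lines are skipped."""
    listeners = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, _foreign, state = m.groups()
        addr, _, port = local.rpartition(":")
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        listeners.add((proto.rstrip("6"), addr, int(port)))
    return listeners


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Return listeners whose (proto, port) is not covered by the allowlist, sorted."""
    return sorted(l for l in parse_listeners(text) if (l[0], l[2]) not in expected)


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

Run periodically (from cron, for example) and mail or log the result; an empty report is the normal case, and any new line is a prompt to look at the process behind that port with the tools listed above.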
There are two basic ways to determine what your system is doing independently of the
system itself:
- Analyze network traffic to and from your machine with an external protocol analyzer or
firewall logs. This is not a practical option for most system owners and won't detect
actions by locally logged on operators.
- Compare the contents and attributes of the files on your computer with the contents and
attributes of the files that are supposed to be there. This requires advance preparation.
Tools like tripwire will allow you to compute file
information for files on your computer. These should be stored off the computer to be used
for later comparisons. Scripts can compare the information nightly and alert you if
something has changed. However, you must be aware of which files change during the normal
course of operating your computer and adjust your monitoring and reaction accordingly.
Files that should be checked include at a minimum:
- Startup files
  - Unix RC files, inittab, shell profiles, and inetd.conf
  - Windows registry entries, win.ini, system.ini, autoexec, and startup folders
- System binaries
  - Unix bin, etc, and lib directories. Unix operating system image and loaders. System and
  root path variable settings.
  - Windows \windows and system folders containing system DLLs. Command folder. Windows
  operating system images and loaders. System and administrator path variable settings.
- Security and audit information
  - Unix syslog configuration, ipchains configuration, audit configuration, tcpwrappers
  configuration
  - Windows event log configuration, audit configuration
- Critical services
  - Unix cron configuration, web server configuration, NFS configuration, FTP server
  configuration, etc.
  - Windows At configuration, web server configuration, file sharing configuration
RedHat Linux has a utility called RPM that can
be used to check the installed files against prepared packages available from the vendor's
web site or from CDROM distribution media.
There are several open source and commercial file/system integrity
checkers.
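The baseline-and-compare approach described above (compute file information in advance, store it off the machine, compare nightly, and learn which files change legitimately) is small enough to show end to end. The script below is an added example written for this FAQ; it is not tripwire's code or any other product's. It records a SHA-256 hash plus permission bits, size and ownership for every regular file under the chosen directories, saves that as JSON, and reports added, removed and changed files. The directory names and the tampering scenario in `demo()` are constructed for illustration; where the baseline is written is the caller's choice, and the FAQ's advice to keep it off the monitored computer still applies.

```python
"""Minimal file integrity baseline and comparison, in the spirit of tripwire.

Added example, not part of the JMU FAQ and not tripwire's own code.
"""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Return the attributes whose change we want to notice for one file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # permission bits, so a new setuid bit shows up
        "size": st.st_size,
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(roots):
    """Walk each root and fingerprint every regular file (symlinks are skipped)."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                baseline[full] = fingerprint(full)
    return baseline


def save_baseline(baseline, dest):
    """Write the baseline as JSON; in real use dest should be off-box or read-only media."""
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(src):
    with open(src) as f:
        return json.load(f)


def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> names of differing attributes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        diffs = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if diffs:
            changed[path] = diffs
    return added, removed, changed


def demo():
    """Constructed scenario: baseline a scratch 'bin' tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = os.path.join(tmp, "bin")
        os.makedirs(bin_dir)
        ls_path = os.path.join(bin_dir, "ls")
        ps_path = os.path.join(bin_dir, "ps")
        with open(ls_path, "wb") as f:
            f.write(b"original ls\n")
        with open(ps_path, "wb") as f:
            f.write(b"original ps\n")
        os.chmod(ls_path, 0o755)
        baseline_file = os.path.join(tmp, "baseline.json")
        save_baseline(build_baseline([bin_dir]), baseline_file)

        # Tamper: rewrite ps with same-length content (size alone would not catch it),
        # add a setuid bit to ls, and drop a new hidden file into the directory.
        with open(ps_path, "wb") as f:
            f.write(b"modified ps\n")
        os.chmod(ls_path, 0o4755)
        with open(os.path.join(bin_dir, ".hidden"), "wb") as f:
            f.write(b"x")

        added, removed, changed = compare(load_baseline(baseline_file), build_baseline([bin_dir]))
        rel = lambda p: os.path.relpath(p, tmp)
        return [rel(p) for p in added], [rel(p) for p in removed], {rel(p): d for p, d in changed.items()}


if __name__ == "__main__":
    print(demo())
```

The hash catches the same-size rewrite of ps that a size or timestamp check would miss, and the separate mode field catches a permission change on a file whose content is untouched. Expect a learning period: package updates, log rotation and editor backups all change files legitimately, and those paths go into an exclusion list rather than being ignored wholesale.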
Because of the difficulty in being sure all backdoors are closed, a compromised system
should be rebuilt from scratch.
CERT has published both a Windows NT Intruder Detection Checklist and a Unix Intruder
Detection Checklist.
17. How is my privacy affected when using a computer?
To be provided.
18. What about personal firewalls?
General information about personal firewalls can be found here.