Step two: Understanding threats and vulnerabilities
In the second in this series of articles Stewart Twynham of Bawden Quinn, looks at 'the characteristics of the vulnerabilities that appear to make hacking so easy.
Many years ago, computers were obscure and incompatible devices, only operated by trained staff. Computer security back then was primarily concerned with equipment failure and physical loss ' for example fire or theft.
Today's modern computer networks do not exist in isolation, but are part of a complicated and unseen network of interdependent systems and services ' outside of your control. Computers are more sophisticated, and have spread to almost every desk, delivering an array of features to users who rarely receive formal training. Against this background, there will always exist those in society that are determined to wreak havoc, taking advantage of the fact that most systems are very similar ' so what breaks one computer will probably break another million'
In the coming weeks, we will discuss:
- Firewalls ' essential perimeter protection, and what they don't do
- Anti-Virus protection, its limitations, and dealing with Spam
- Good housekeeping, backup and physical security
- Training, acceptable use policies and legislation
- ISPs, Domains, Web design and Hosting
- The impact of new technology ' VPNs, WiFi, Broadband, et al
Last time, we identified Step One in securing your information systems - "identifying your assets". In this article, we explore the nature of threats and vulnerabilities, identifying some of the better known ones.
A threat is something which threatens the confidentiality, integrity or availability of an asset. Threats can be malicious or non-malicious, they can be physical, technical or operational, and may even originate from inside an organisation. Typically, however, threats are factors which are outside of your control ' e.g. a virus, a power cut, or a malicious member of staff ' they just happen.
A vulnerability is a feature of your information system that allows a threat to impact upon your assets. Unlike threats, you or your organisation may be able to exercise some degree of control over vulnerabilities ' for example, updating your systems or fitting a firewall.
Identify the threats ' who or what you are protecting your assets from
We start by exploring the more common malicious threats, as these are usually at the forefront of most people's minds when we discuss information security.
Hacking is breaking into a computer system that you are not expressly permitted to access for any purpose ' which could include: theft, fraud, as a launch pad for further crime, or simply to prove 'you can'.
Hacking is illegal, and often performed by organised groups who exchange sophisticated ideas over the Internet. These groups often write automated tools or scripts, freely downloadable by others, designed to detect and exploit the vulnerabilities they find. People that download and use these tools are often called 'script kiddies' ' lacking any real knowledge of programming, networking, or applications ' relying instead on these tools to do the hacking for them.
Many small businesses wrongly assume "hackers wouldn't be interested in them". Unfortunately, according to Symantec, 75% of hacking is now carried out using automated tools, which don't target companies ' but instead target vulnerable systems. This puts every Internet connected system (whether it be on broadband or dial-up) in the firing line.
To prove this point, Internet Service Provider PSINet recently connected an unprotected PC to the Internet using a standard broadband connection, and measured 467 malicious attacks in the first 24 hours ' one attack every three minutes. During the first few days of the MSBLAST worm, Anti-Virus company F-Secure discovered that the average time for an unprotected computer to be found and compromised was just 27 seconds.
Once a hacker has made it into your system, then just like a burglar inside your house or a joyrider inside your car, you no longer have control. The hacker has free-reign, and can steal, alter, or break whatever he or she wants. Just as your house or car never 'feels quite the same again' ' neither will your computer network.
Denial Of Service (DOS) attacks are a form of hacking attack which "overloads" an Internet connection. It's a bit like dumping 100 tons of bricks outside your front door, the hacker doesn't actually get in ' but then neither can you! Some DOS attacks are crafted to create havoc on the inside of your network ' tricking lesser firewalls into crashing your own computers.
MYTH: Denial Of Service attacks don't effect small businesses
Even if not targeted against you, DOS attacks are often targeted against the smaller Internet Service Providers (ISPs) which may be hosting your email, web site, domain name and Internet connection, resulting in your loss of service.
Computers are designed to run programs ' it's what they do. Malicious code is simply a program written to cause harm ' anything from deleting files to converting your respectable network into a repository for pornography. There are many types of malicious code ' the one most people will recognise is the computer virus ' the only difference is how they get in and what they do once they're there.
A Virus is a piece of software which has to be first executed by a user. In so doing ' the virus installs itself onto the computer in such a way as to make removal difficult for the average user, and endeavours to spread to other files / emails / computers. If the virus isn't cleaned from all potential sources (networks, program files, email systems), a cleaned computer can easily become re-infected. Viruses often have a "payload" ' where something bad happens ' for example they may delete random files at certain date and time.
Email has long since become the most effective medium for propagating viruses, however recent viruses (e.g. Sobig.F) have become yet more sophisticated ' using so-called 'blended threats'. Blended threats occur when a virus has more than one propagation method ' for example, arriving in an email box somewhere in a company, but then spreading internally across the victim's network by infecting shared files, even to machines that don't have email. Blended threats generally result in a faster spread, and the ability to spread where previously a virus might have been blocked.
A Worm is a piece of software which doesn't require a user to initiate the original 'infection'. Instead, it uses some form of exploit (more later) to gain control, before launching the same attack on other machines, 'worming' its way around the Internet. MSBLAST was an example of a worm, although the way it was written meant that it wasn't a particularly effective one, possibly only infecting around a million insecure machines in a week. The SQL-Slammer worm released earlier this year spread to 200,000 machines in just ten minutes'
A Trojan is a piece of seemingly harmless software which may be installed by a virus, worm or user, which allows third parties to take control of a computer or network remotely ' for any purpose ' without you knowing. It has been reported that at least two people in the UK have now had charges of Child Pornography dropped after it was discovered that Trojans, possibly installed by a virus, were the most likely cause of illegal images stored on their computers.
A risk for all businesses is the malicious user ' they are in a privileged position having both physical (i.e. access to a keyboard / screen) and logical (i.e. user ID and password) access to your computers. Whilst larger organisations have sophisticated controls, monitoring systems, and audit trails ' few small companies have the time and money to implement such systems or processes. In a recent survey, if asked to leave ' some 67% of people would steal information from their current employer, and 38% would steal sales leads.
We won't dwell for too long on non-malicious threats. Anything unplanned from an accidental key press through to a power cut can spell disaster for an important document or even a whole database. Here are the broad classifications:
Physical threats: Loss of or damage to equipment through fire, flood, theft, explosion, chemical attack, food and drink, etc
Technical threats: Hardware or software failure, failure of services such as an internet connection or critical air-conditioning unit causing systems to overheat, etc
Personnel threats: Accidental damage, use by untrained staff, etc.
Further reading: Information security series
- Step 1 - Identify your assets
- Step 2 - Understanding the threats and vulnerabilities
- Step 3: Things that turn threats and potential loss into risk
- Step 4: The firewall
- Step 5: Tackling viruses and spam
- Step 6: Good housekeeping
- Step 7: Training, acceptable use policies and legislation
- Step 8: Domain name purchase and protection