Concerns in computer security


Computers & Security, 11 (1992) 211-215

Concerns in Computer Security

Belden Menkus
Post Office Box 129, Hillsboro, TN 37342, USA

The major concerns in computer security deal with software threats, contingency response and disaster recovery, the impact of terrorist activities, access control provisions, data encryption, and integrity controls.

Software Threats

Computer security threats that have their origin in software are the result of some sort of malevolent action by a human being. (Attempts to rationalize or justify the deliberate creation or activation of one of these threats are an exercise in ethical obscurantism.) These threats are implicit in the architectural or philosophical concepts under which computing occurs. To eliminate absolutely the possible occurrence of these threats would require major modifications in the way in which computing is done.

Software threats can take any one of four forms:

(1) Viruses. Also known in some segments of the computing community as crabs, these are code fragments that attach themselves to some larger block of code, in what is described as an act of infection. In most instances the virus code modifies its host code in some fashion. (This typically will result in a degradation in code performance or the destruction of either program code or data.) After completing this modification the virus code fragment then replicates itself and attaches itself to some other code block. Theoretically, this process could continue indefinitely until the operation of the virus is interrupted or it is destroyed. The various phases of the infection process may occur in a continuous sequence, or they may be carried out with long periods of dormancy separating them.

There appears to be no limit upon either the type of media or mechanism that can be infected or the means by which viruses may be transmitted. Virus forms exist by the hundreds. Variant forms of existing viruses are being introduced regularly. The goal of the individuals engaged in this activity appears to be improving the construction and performance of some existing virus form. This process has made viruses difficult to control and eradicate.

(2) Worms. These also are known in various segments of the computing community as bacteria, rabbits and creepers. Worms are independently functioning code segments that copy themselves repeatedly through networked computing processes. They do not attach themselves to other code blocks and they do not modify or destroy code or data. But worms do bind great quantities of computing resources, often of sufficient volume to render the system of which they are a part inoperable. (Theoretically worms may be used for beneficial purposes, but they have proven to be difficult to control and to eradicate when they begin to proliferate.)

0167-4048/92/$5.00 © 1992, Elsevier Science Publishers Ltd.

(3) Trojan horses and bombs. These are code fragments that hide within some other code block and perform a disguised function. They have been used widely to capture system user passwords to aid in later compromises of the system's security. Trojan horses have also been used to disguise the introduction of viruses and worms into computing facilities and networks. Trojan horses are also used to spoof or trick an individual into giving away access rights, file ownership or other privileges. They are used to masquerade as someone else, to exercise rights or privileges to which an individual otherwise might not be entitled.

A variant of the Trojan horse, referred to as a Trojan mule, destroys itself after it completes its surreptitious task. However, in its pure form the Trojan horse will continue to function until it is discovered and eradicated.

Bombs are variants of the Trojan horse. They can be designed to operate independently; they do not have to attach themselves to another code block in order to function. They are activated when a date, event or condition occurs, or when some period of time has elapsed since the occurrence of a date, event or particular condition. Typically a bomb is designed to destroy data, program code or both. However, it may be designed to take other malicious actions or to give some form of inaccurate message.

(4) Trap doors. Usually created by the designer of a program, these are undocumented entry points, sometimes also known as back doors, that permit this individual to evade the program's operational and protective features. (This sort of activity is known by some programmers as exercising God rights.) Typically trap doors are created at some point in the software development process to facilitate such things as monitoring program performance, testing its features, and making corrections and improvements in the program code. A fixed maintenance password or an undocumented command that short-circuits the normal checks is the usual form. When these entry points are not removed at the end of the development process they compromise the inherent integrity of the program, since they are subject to accidental discovery and exploitation by any number of third parties. Code review before release should look specifically for such special-case paths.
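The pattern described above, as an added example that is not from the paper: a login routine carrying a maintenance entry left in from testing, its hardened replacement, and a small syntax-tree check of the kind a reviewer can run to flag a literal credential comparison. The user record, the password and the debug credential are constructed for this illustration; the function names (authenticate_with_trapdoor, authenticate, literal_credential_checks) are assumptions, not any product's API.

```python
"""Added example, not from the paper: a login routine with a maintenance
'trap door' left in from testing, its hardened replacement, and an AST-based
check that flags the pattern in review. User record, password and debug
credential are constructed; function names are assumptions."""
import ast
import hashlib
import hmac
import inspect

_ITERATIONS = 100_000  # assumed PBKDF2 work factor


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: one account with a salted password hash.
_SALT = bytes.fromhex("3f1a9c0b5d7e2a4466778899aabbccdd")
_USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def _verify(user: str, password: str) -> bool:
    """The real check: constant-time compare against the stored hash."""
    rec = _USERS.get(user)
    if rec is None:
        # Do the same work for unknown users so response time does not
        # reveal which user names exist.
        _hash_password(password, _SALT)
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authenticate_with_trapdoor(user: str, password: str) -> bool:
    """'Before': an undocumented entry point added during testing and never
    removed. It bypasses the password store, lockout and audit trail."""
    if user == "svc_debug" and password == "letmein":
        return True
    return _verify(user, password)


def authenticate(user: str, password: str) -> bool:
    """'After': no special-case path; every caller goes through _verify."""
    return _verify(user, password)


def literal_credential_checks(func) -> list:
    """Review aid (heuristic): report comparisons of a name that looks like a
    password, secret, token or key against a string literal. Returns a list
    of (line, name) pairs relative to the function's source."""
    hits = []
    tree = ast.parse(inspect.getsource(func))
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Compare) and len(node.comparators) == 1):
            continue
        for name_side, lit_side in ((node.left, node.comparators[0]),
                                    (node.comparators[0], node.left)):
            if (isinstance(name_side, ast.Name)
                    and any(k in name_side.id.lower()
                            for k in ("pass", "secret", "token", "key"))
                    and isinstance(lit_side, ast.Constant)
                    and isinstance(lit_side.value, str)):
                hits.append((node.lineno, name_side.id))
    return hits
```

The check is deliberately crude: it catches only a literal compared directly to a suggestively named variable, which is the common shape of a leftover test credential. It will not find an entry keyed on an environment variable or a hashed constant, so it supplements rather than replaces a reading of the code.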

Contingency Response and Disaster Recovery

An organization should create a contingency response and disaster recovery plan and a mechanism for carrying it out when necessary. The goals of such an effort are twofold: firstly, to ensure that the impact of a disaster on the organization's data processing activities is contained; secondly, to minimize the disruption of the organization's basic activities by this event.

This data processing contingency planning and disaster recovery process has four basic phases:

(1) Risk assessment. This should be a realistic appraisal of the feasible impact of potentially catastrophic events upon both the preservation of the organization's information assets and the continuity of its access to, and use of, them. The relevant threats and vulnerabilities should be identified. Changes in both the environment in which data processing is carried out and the pertinent management practices that might mitigate both these exposures and the organization's potential liability should be considered.

Consider the impact on these exposures of likely near-term changes in the organization's data processing environment. Rank order both the threats and the vulnerabilities. Develop realistic estimates of their economic impact on the organization. Avoid any temptation to annualize these figures. There is no realistic way to spread the costs and economic losses associated with a disaster over time.

(2) Contingency planning. This begins with a consideration of the feasibility of employing some combination of these recovery options: reciprocal agreements, cold sites, warm sites, hot sites, and telecommunication expansion. Develop alternative responses to each threat and vulnerability. (Some can be handled in the same way.) Determine the cost effectiveness of each possible response. Identify such things as equipment costs and electricity and telecommunication expenses.

Present an analysis of what is at risk to the organization's senior executives, verify their understanding of it, and secure their endorsement of the planned response strategies. Develop a realistic set of recovery procedures. Prepare a plan document that fits the specific needs of the organization. Clarify such actions as declaring an emergency and terminating the disaster recovery process. This is the point at which the judicious use of specialized microcomputer-based plan preparation software may be called for. However, simply loading and running one of these packages may result in nothing more than the creation of a mass of documentation of questionable value in preparing an organization to deal effectively with a real disaster.

Distribute the finished plan to those who are expected to use it during the disaster recovery process. Create processes for:

• indoctrinating the plan participants in their roles in carrying it out;

• maintaining the plan in a current condition to ensure that it reflects modifications in both the threats and vulnerabilities and the nature of the organization's data processing practices.

If commercial disaster recovery services are required to carry out the plan, negotiate the contract and develop an ongoing mechanism for ensuring that the vendor will be able to comply with it.

(3) Testing. Conduct periodic realistic training in implementing the plan. Modify the plan, if necessary.

(4) Recovery preparation. Acquire the equipment and facilities needed to carry out the plan. This should include:

• establishing an alternative site for the staff, including space, furniture, security provisions, transportation, and medical, food and sanitary services;

• arranging for any needed temporary staff additions or replacements;

• providing for the modification of relevant labor agreement provisions;

• ensuring that adequate provisions exist for site cleanup and equipment and supply salvage.

Terrorist Activities

Terrorism is an inherently malicious act that may be defined in terms of its motivation: ideology, politics or economics. (Those in the last category are essentially mercenaries, available for hire, primarily to groups that fall into either of the first two categories.)

• Ideological terrorists are more likely to attack computing activities than those in the other two groups. They are usually expressing their opposition to some perceived belief that information processing is being used as a means for oppression. Their action would be in furtherance of a special goal.

• Political terrorists may attack a computing facility, but they are more likely to assault some aspect of society, such as a telecommunication or electric power system, whose damage or destruction they perceive as having a broad social impact. Their action would be incidental to the specific goal that they are seeking to realize.

• Economic terrorists will do whatever they are paid enough to do.

A committed terrorist is almost impossible to thwart. However, it will prove helpful in combating the threat that such a person poses to harden the building in which data processing is being done. This can be done by:

• reducing the number of doors and windows that it contains, using blast-resistant door construction and window glazing materials as much as possible;

• limiting access to the site and circulation within it, paying particular attention to restricting parcel and supply deliveries;

• encouraging employees to challenge unfamiliar individuals and to report the presence of any unfamiliar objects.

Data Security Resources

There are three aspects to these: access control, data encryption, and integrity controls.

Access Control

While it is used commonly in computing, this term is misleading. It does not in itself involve active restriction of access to data or program processes. Rather, it rests on identifying an individual as someone who can be permitted to use a particular information asset, that is, on authenticating the individual. This identification process typically is based on:

(1) Something that a person knows, such as a password.

(2) Something that a person possesses, such as a key, badge, so-called smart card or other token.

(3) Something that characterizes a person, e.g. having a unique physical characteristic such as a fingerprint, handprint, thumb structure, retinal pattern, lip print or voice. (It also may involve the individual's customary manner of performing some common task, such as signing their name or the rhythm used in keying an alphanumeric character string.) This aspect of identification is based upon biometrics.

Ideally, these three approaches should be used in concert. None of them provides an adequate level of personal security on its own. Biometrics is a less fallible identification procedure than either of the other two, since it is tied directly to some difficult-to-alter aspect of the person in question. However, it is not infallible.

Every type of biometric identification device currently in use is subject, to some degree, to giving false readings. (These can involve either authenticating someone who is not who they purport to be, a false acceptance, or rejecting someone as a fraudster when that person is authentic, a false rejection. Tightening a device's matching threshold to reduce one kind of error increases the other.)

Passwords may be poorly selected, not changed with sufficient frequency, or inadequately safeguarded. Thus, they may become known to potential intruders and may be used by someone other than the individual to whom they legitimately pertain. Permitting password sharing through the use of so-called group passwords and access control lists is of questionable value at best. In some situations, this sort of activity borders on irresponsibility.

Tokens may be borrowed or stolen, and thus they too may be used by someone other than the individual to whom they legitimately pertain.
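Using two of the three factors in concert, as the text recommends, looks like the following. This is an added example, not the paper's code: a password (something known) is checked against a salted hash, and a time-based one-time code from a token (something possessed) is checked against RFC 6238 TOTP, with a replay guard so a captured code cannot be used twice. The biometric factor is not emulated. The account, its password and the token secret are constructed (the secret is the RFC's own reference key, so the codes are reproducible); the names make_user, totp and verify_login are assumptions.

```python
"""Added example, not from the paper: password plus TOTP verification with
replay protection. Account data is constructed; names are assumptions."""
import hashlib
import hmac
import secrets
import struct
import time

_STEP = 30  # seconds per TOTP time step (RFC 6238 default)
_ITERATIONS = 100_000  # assumed PBKDF2 work factor


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) over a counter; TOTP is this with counter = time // 30."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user(password: str, totp_secret: bytes) -> dict:
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "totp_secret": totp_secret,
        "last_counter": -1,  # highest time step already accepted (replay guard)
    }


def verify_login(user: dict, password: str, code: str, now=None, window: int = 1) -> bool:
    """Both factors are evaluated before any decision is made, so a failure
    does not reveal which factor was wrong. A code is accepted at most once,
    and only within +/- `window` time steps of the present."""
    now = time.time() if now is None else now
    pw_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    step = int(now // _STEP)
    matched = None
    for c in range(step - window, step + window + 1):
        if c > user["last_counter"] and hmac.compare_digest(
                totp(user["totp_secret"], c), code):
            matched = c
    if pw_ok and matched is not None:
        user["last_counter"] = matched  # consumed only on full success
        return True
    return False


# Constructed account; the token secret is the RFC 6238 reference test key.
DEMO_USER = make_user("hunter2", b"12345678901234567890")
```

The replay counter is updated only when both factors pass; a correct code presented with a wrong password is not consumed, so an attacker who knows the code but not the password gains nothing and the legitimate user is not locked out of that time step.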

Encryption

This is one part of a two-part activity known as cryptography, which means basically secret writing. Encryption is the process of transforming the structure of a data string into what appears to be randomness. It is an inherently reversible process. Decryption, the other part of this activity, must be feasible if the original structure, and thus the meaning, of the data string is to be restored.

The effectiveness of cryptography relies on the selection and use of a key data string, which is used to initiate either encryption or decryption. The only cryptographic process that is not inherently compromisable is the so-called one-time pad, in which a particular key is used for only one exchange of data and is never used by the communicating parties again. (The guarantee holds only if the key is truly random, at least as long as the data it protects, and kept secret. Reusing a pad even once lets an attacker cancel it out by combining the two ciphertexts.)

Cryptanalysis is the process of attempting to derive the content of an encrypted data string when one does not possess the key required to carry out such a transformation directly. This process is based on identifying the pattern or structure of the underlying data.

Currently two types of cryptographic techniques are used in computing. They are known as private key and public key processes. Both processes have serious weaknesses. They are based upon research and technology that is more than 20 years old. In particular, their inherent integrity is being undermined by rapid advances in mathematical theory and in the power and performance characteristics of the electronic technology used in computing. (In practice this pressure shows up as key lengths that were once adequate becoming breakable; the remedy is longer keys and periodic re-evaluation of the algorithms in use.)

Both processes rely heavily upon the care with which the keys used are selected, safeguarded and changed. (This mechanism is known as key management. It is expensive to sustain effectively, but it is critical to any successful use of cryptography.) Both processes place significant reliance upon the use of pseudo-random number generators in carrying out cryptographic operations, and a generator that is predictable or poorly seeded undermines the cipher regardless of the cipher's own strength. Neither cryptographic process in itself provides a means for detecting and correcting the effect of transmission-induced noise on message content; that is the job of error-detecting codes and, against deliberate alteration, of a message authentication code computed over the ciphertext. Noise can introduce significant inaccuracies. Where an all-alphabetic message is involved, some errors can be identified by inspection. However, where an all-numeric message is involved, it is effectively impossible to identify by inspection any errors that may be introduced into its content.

Neither the private key nor the public key mechanism can depend on attackers remaining ignorant of the technique itself; knowledge of cryptographic methods is now widespread among potential attackers. Neither of these two cryptographic techniques is infallible. (The world's military intelligence community has given many indications that it does not want this situation to change.) Both cryptographic processes have been compromised or "cracked" numerous times, usually through inadequate key lengths, flawed implementations or poor key management rather than through the underlying mathematics.
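The three points above about the one-time pad, key reuse and the absence of any built-in error detection, shown as an added example rather than code from the paper: a pad applied correctly, what a reused pad leaks to an attacker who combines the two ciphertexts, a bit flip that decryption alone cannot notice, and a message authentication code over the ciphertext that catches it. The messages, the pad and the MAC key are constructed here; the names otp, crib_drag, tamper, seal and open_sealed are assumptions.

```python
"""Added example, not from the paper: one-time pad, two-time pad leakage,
malleability, and an HMAC tag over the ciphertext. Inputs are constructed."""
import hashlib
import hmac
import secrets


def otp(data: bytes, pad: bytes) -> bytes:
    """XOR with the pad; the same call encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(a ^ b for a, b in zip(data, pad))


def crib_drag(c1: bytes, c2: bytes, crib: bytes, position: int) -> bytes:
    """Two-time pad attack. c1 XOR c2 cancels the shared pad and leaves
    p1 XOR p2; guessing that `crib` sits in p1 at `position` exposes the
    bytes of p2 at the same position (a wrong guess gives non-text)."""
    p1_xor_p2 = otp(c1, c2)
    return otp(p1_xor_p2[position:position + len(crib)], crib)


def tamper(blob: bytes, position: int, old: int, new: int) -> bytes:
    """Flip the bits that turn byte value `old` into `new` at `position`.
    Needs no knowledge of the pad: XOR is malleable."""
    out = bytearray(blob)
    out[position] ^= old ^ new
    return bytes(out)


def seal(ciphertext: bytes, mac_key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC)."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def open_sealed(blob: bytes, mac_key: bytes):
    """Return the ciphertext if the tag verifies, else None. Any changed bit,
    whether from line noise or an attacker, fails the check."""
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext if hmac.compare_digest(tag, expected) else None


# Constructed inputs.
P1 = b"MEET AT THE OLD MILL"
P2 = b"SEND MORE MONEY NOW!"
PAD = secrets.token_bytes(len(P1))  # fresh, random, as long as the data
MAC_KEY = secrets.token_bytes(32)
C1 = otp(P1, PAD)
C2 = otp(P2, PAD)                   # the mistake: the same pad used twice
```

Decrypting a tampered ciphertext yields a plausible but altered message (MEET becomes MELT) with nothing to indicate the change; only the tag distinguishes it. The same observation applies to any stream-style cipher, which is why a MAC or an authenticated mode is paired with encryption in practice.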

Private key cryptography is the older of the two techniques. It also is known as symmetric key encryption. Both participants in a communication process carried out with this form of cryptography use the same key. The so-called U.S. Data Encryption Standard (DES) is the most widely used form of private key cryptography. Public key cryptography is a more recent development. It also is known as asymmetric key encryption. Two keys, one that is public and one that must remain private, are used to carry out this form of cryptography. Each participant has both types of key. (The public key may actually be disclosed in a generally available directory.) The two types of keys are complementary mathematically. A data string encrypted with the use of one type of key may be decrypted with the other, even though the parties to the communication process are not aware of each other's private keys. The RSA Encryption Algorithm is the most widely used form of public key cryptography. (Its commercial versions use DES in part: RSA protects a DES key, and that key encrypts the bulk of the data, a hybrid arrangement that avoids the cost of public key operations on long messages.)
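The complementary-key property just described, as an added example that is not from the paper, using toy-sized primes so the arithmetic can be followed by hand: a string transformed with the public exponent is restored by the private one, and the reverse order works too (that is the signature direction). The same block shows why key size is the concern the text raises: with a modulus this small, trial division recovers the factors and hence the private key. The numbers are for illustration only; real keys are thousands of bits long and are never used without padding. The names keygen, rsa_apply and recover_private_key are assumptions.

```python
"""Added example, not from the paper: textbook RSA with toy primes, and the
factoring attack that a small modulus invites. Names are assumptions."""
from math import gcd


def keygen(p: int, q: int, e: int = 17):
    """Return (public, private) as (exponent, modulus) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, m: int) -> int:
    """m^k mod n. Public key then private key (encryption) or private key
    then public key (signature) both return m."""
    k, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, k, n)


def recover_private_key(public):
    """What an attacker does with a modulus small enough to factor: trial
    division recovers p and q, and with them the private exponent d."""
    e, n = public
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return (pow(e, -1, (p - 1) * (q - 1)), n)
    raise ValueError("no factor found")


if __name__ == "__main__":
    pub, priv = keygen(61, 53)
    c = rsa_apply(pub, 65)
    print("ciphertext", c, "recovered", rsa_apply(priv, c))
    print("attacker recovers private key:", recover_private_key(pub) == priv)
```

The security of the scheme rests entirely on the difficulty of that last step for the modulus sizes actually deployed, which is why advances in factoring and in computing power are the concern the text identifies.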

Integrity Controls

These are intended to ensure that the result of the computing process remains consistently both error free and trustworthy. Collectively they are the common concern of information systems auditors, information systems security specialists, and information systems quality practitioners. These controls must be built into the structure of both software and databases and must be sustained throughout the maintenance phases of their life cycle.