Trends That Are Affecting Security

Over the past decade, the computer software and the IT community at large have experienced patterns in events that threaten the security of computers worldwide. This section discusses some of these trends; later sections talk about how to deal with these threats.

The Power of Crackers

In addition to legitimate Web application users, there are those who either casually or regularly attempt to illegally access computers and their data using a variety of methods. For the purposes of this discussion, we'll refer to these people as crackers. This chapter discusses how the number of crackers has grown and how their tools have become much more powerful. Combine this with a proliferation of viruses and the complexity of securing Web applications, and you can see why computer security experts have become very concerned about the state of security on the Internet and overall.

Years ago, crackers were considered highly skilled people who understood the internal structure of hardware platforms, operating systems, and applications. With this knowledge, they were able to uncover weaknesses in design and exploit them. They shared these ideas by congregating regionally. As the use of LANs and WANs became more popular, crackers were able to unleash their viruses and their counterpart, worms, on unsuspecting victims.

Turning the clock ahead to present times shows that their efforts have substantially increased. First, just like every other special interest group, crackers are using the Internet itself to publish weaknesses in operating systems and computer applications. Although there are mailing lists to let system administrators know about these weaknesses, crackers generally subscribe to them as well and may therefore know about them before, or at the same time as, legitimate users are informed. Second, crackers are now building tools for novice crackers to use.
In doing so, they're increasing the legions of people who have the capability to disrupt and sabotage companies' IT investments. Crackers now have tools that enable them to find vulnerable victims on the Internet and attack those victims after they're found. These tools can also work with each other to attack hosts in combination. Stopping the use of these tools has been a cat-and-mouse game: as detection software is created, cracker tools become more automated and sophisticated, and find ways to attack hosts without being stopped or detected. These tools have become smarter and can alter their behavior either randomly or based on certain circumstances.

The Sophistication of Today's Systems

The number of different software packages, operating systems, and hardware platforms running within a company's infrastructure continues to increase each year. With each new component come new security risks. Many software manufacturers have spent most of their efforts on providing new and better functionality, with security put on the back burner. Software packages such as database servers, application servers, and email servers are all written by people and, consequently, are prone to application bugs and security oversights. Although it's common practice for software vendors to release patches for their products when these bugs are discovered, it might be too late for a system that's already been compromised. Also, because a company supports so many different software packages and hardware platforms, system administrators might not have the time or the insight to apply patches when they're initially released. As crackers find more security vulnerabilities, more patches are released, and the possibility of a system administrator overlooking one goes up. Companies looking to reduce their risk tend to purchase software that has been in use for some time and whose stability has been tested.
Many times, companies purchase software that has widespread use, such as the Apache Web server or Microsoft's Internet Information Server. As the popularity of these applications grows, they unfortunately become a very lucrative target for people to break into, because by doing so many computer systems can be compromised.

The Proliferation of Viruses

Although there seems to be no universal definition of a computer virus, in general, a virus is executable code that, when run, produces a side effect unbeknownst to the person running the code. Sometimes this behavior does not cause any damage to the system running it, whereas other times the effects can be devastating. New viruses are coming out on a daily basis. Because system vulnerabilities are widely published on the Internet and tools for creating viruses are easily obtained, there seems to be no end to this trend.

Viruses attack vulnerabilities in operating systems and software applications. Many viruses have exploited the macro languages that accompany applications such as Microsoft Word and Excel. The power of these languages makes them an easy target for crackers. By adding a self-running macro to a Word or Excel document, a cracker can cause great harm on a system. Thankfully, those applications can be configured to prevent self-running macros from executing. Most viruses share some or all of the characteristics described in the following sections.

Reproduce Themselves

Some viruses reproduce by attaching themselves to other files on a machine. Those files are then infected with the same virus and continue the cycle. Some viruses attempt to reproduce by emailing themselves either to one email address at a time or to everyone contained in an email address book. However, viruses that use this method must be opened and executed by the person reading the email.
To increase the probability of this occurrence, viruses in many cases disguise themselves as legitimate files (such as Microsoft Word documents) that have self-running code, which executes when the document is viewed.

Cause System Damage

These viruses intentionally cause damage to the systems they run on. Examples of this include deleting or altering files, collecting and distributing confidential information, degrading performance, and changing the security settings on the machine itself.

Communicate with Virus Creator

These viruses don't cause any system damage, and their existence is therefore kept secret. Their intent is to quietly communicate with the virus creator, who can then use these viruses to perform other tasks such as viewing confidential information and performing attacks on other machines.

Disable Security Settings

These viruses usually install themselves on a host computer and then listen for incoming connections on specific ports. A cracker can contact the virus on these ports and direct it to perform some malicious activity.

Payload and Trigger

The payload is the destructive action that a virus performs, and the trigger is an event that must occur before the virus delivers the payload. Triggers can be based on a date or on system activity.

Virus Hoax

This isn't a virus but merely a rumor about a fictional virus. The intent of the rumor is to cause general panic. The best way to confirm the presence of a new virus is by contacting an authority on the subject such as Symantec or McAfee, both makers of antivirus software.

Trojan Horse

This is an application that claims to be something else and is used to collect sensitive information without the user's knowledge. An example could be an electronic postcard that someone emails you. When this code is run, the postcard is displayed as expected. However, this code is also collecting confidential information from your system and sending it to a cracker.
Worm

This is a virus that puts a priority on reproducing itself to other machines. The worm's author can achieve this by having the worm perform a mass emailing of itself to everyone in an address book. It then creates a situation that fools the email recipients into running the worm. An example of this was the Anna Kournikova virus. A recipient received an email from someone he knew with a subject line of Hi: Check This Out. The email had an attachment named AnnaKournikova.jpg.vbs. At first glance, this would look like an innocent JPG file, and because the email was from someone the recipient knew, most people just double-clicked on the attachment to view it. However, they ended up executing the virus on their machine, and the virus then emailed itself to everyone in their address book.

The Power of Worms

Like a virus, a worm is code that can either be malignant (such as reformatting a hard drive) or passive (such as changing icons on a PC desktop). In both cases, worms have the additional attribute of being self-propagating. An example of this is emailing themselves to everyone in your address book or everyone on your instant messaging buddy list. Because of this, worms can infect a large number of systems in a short amount of time. The Code Red worm was able to infect more than 250,000 systems in only 9 hours. Moreover, worms can be used as denial of service tools.

Other Cracker Techniques

In addition to the viruses mentioned earlier, crackers employ numerous techniques to illegally access networks and computers and the information they contain. This includes getting login information either by stealing it, guessing it, or using password-cracking software. Crackers take advantage of bugs in software and operating systems and exploit them to get access and security rights to information that they shouldn't have.
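The AnnaKournikova.jpg.vbs name in the Worm section is the classic double-extension disguise, and it is the kind of thing a mail gateway or desktop client can reject by name before anyone double-clicks. The following Python code is an added example, not code from the book: it flags a script or executable extension hidden behind a harmless-looking one (including the trick of padding spaces between the two), and marks Office formats that can carry the self-running macros discussed under The Proliferation of Viruses for review. The extension lists, the Verdict class, the classify_attachment and triage functions, and all of the sample names apart from the one the book quotes are assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Extensions that Windows will run as a program or script. This list is an
# assumption for the example, not an authoritative or exhaustive one.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr",
    "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
}
# Extensions a user would reasonably expect to be a harmless picture or document.
BENIGN_LOOKING_EXTENSIONS = {
    "jpg", "jpeg", "gif", "png", "bmp", "txt", "pdf", "htm", "html", "doc", "xls",
}
# Office formats that can carry self-running macros (assumed list).
MACRO_CAPABLE_EXTENSIONS = {"doc", "dot", "xls", "xlt", "docm", "xlsm"}


@dataclass
class Verdict:
    filename: str
    risk: str    # "block", "review" or "allow"
    reason: str


def _extensions(filename: str) -> list[str]:
    """Return the lower-cased extensions of 'name.ext1.ext2', ignoring the base
    name and any spaces padded around a dot to push the real extension out of view."""
    parts = [p.strip() for p in filename.lower().split(".")]
    return [p for p in parts[1:] if p]


def classify_attachment(filename: str) -> Verdict:
    """Classify an attachment by its name alone; content scanning is a separate step."""
    exts = _extensions(filename)
    if not exts:
        return Verdict(filename, "allow", "no extension")
    final, disguises = exts[-1], exts[:-1]
    if final in EXECUTABLE_EXTENSIONS:
        # The last extension is what actually runs; any benign-looking one
        # before it exists only to mislead the reader of the mail client.
        fake = [e for e in disguises if e in BENIGN_LOOKING_EXTENSIONS]
        if fake:
            return Verdict(filename, "block",
                           f"executable .{final} disguised as .{fake[-1]}")
        return Verdict(filename, "review", f"executable attachment .{final}")
    if final in MACRO_CAPABLE_EXTENSIONS:
        return Verdict(filename, "review",
                       f".{final} document may carry self-running macros")
    return Verdict(filename, "allow", f".{final} attachment")


def triage(filenames: list[str]) -> dict[str, list[Verdict]]:
    """Group a batch of attachment names by verdict, as a gateway log would."""
    groups: dict[str, list[Verdict]] = {"block": [], "review": [], "allow": []}
    for name in filenames:
        verdict = classify_attachment(name)
        groups[verdict.risk].append(verdict)
    return groups


# Constructed sample attachment names for the demo. The first is the name the
# book describes; the others are made up for this example.
SAMPLE_ATTACHMENTS = [
    "AnnaKournikova.jpg.vbs",
    "invoice.pdf                      .scr",
    "quarterly.doc",
    "vacation.jpg",
    "setup.exe",
    "logs.tar.gz",
]

if __name__ == "__main__":
    for risk, verdicts in triage(SAMPLE_ATTACHMENTS).items():
        for v in verdicts:
            print(f"{risk:6} {v.filename!r}: {v.reason}")
```

Running the block prints the block, review and allow groups for the sample names; in practice the name check sits in front of content scanning, since a file that passes by name can still carry a macro or an executable payload.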