CSL - Computer Systems Laboratory Bulletin March 1994 THREATS TO COMPUTER SYSTEMS: AN OVERVIEW Computer systems are vulnerable to many threats which can inflict various types of damage resulting in significant losses. Damage can range from minor errors which sap database integrity to fires which destroy entire computer centers. Losses can stem from the actions of supposedly trusted employees defrauding the system to outside hackers roaming freely through the Internet. The exact amount of computer-related losses is unknowable; many losses are never discovered and others are covered up to avoid unfavorable publicity. This bulletin increases reader awareness of threats to computer systems by giving a broad picture of the threat environment in which systems are operated today. An overview of many of today's common threats will be useful to organizations studying their own threat environments with a view toward developing solutions specific to their organization. This bulletin summarizes a chapter of the computer security handbook being developed by CSL. We have already published bulletins summarizing other chapters on establishing a computer security program, considering people issues in computer security, and developing computer security policy. Additional bulletins will be issued as chapters are finalized. Common Threats A wide variety of threats face today's computer systems and the information they process. In order to control the risks of operating an information system, managers and users must know the vulnerabilities of the system and the threats which may exploit them. Knowledge of the threat environment allows the system manager to implement the most cost-effective security measures. In some cases, managers may find it most cost-effective to simply tolerate the expected losses. The following threats and associated losses are based on their prevalence and significance in the current computing environment and their expected growth. The list is not exhaustive; some threats may combine elements from more than one area. Errors and Omissions Users, data entry clerks, system operators, and programmers frequently make unintentional errors which contribute to security problems, directly and indirectly. Sometimes the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, errors create vulnerabilities. Errors can occur in all phases of the system life cycle. Programming and development errors, often called bugs, range in severity from benign to catastrophic. In the past decade, software quality has improved measurably to reduce this threat, yet software "horror stories" still abound. Installation and maintenance errors also cause security problems. Errors and omissions are important threats to data integrity. Errors are caused not only by data entry clerks processing hundreds of transactions per day, but by all users who create and edit data. Many programs, especially those designed by users for personal computers, lack quality control measures. However, even the most sophisticated programs cannot detect all types of input errors or omissions. The computer age saying "garbage in, gospel out" contains a large measure of truth. People often assume that the information they receive from a computer system is more accurate than it really is. Many organizations address errors and omissions in their computer security, software quality, and data quality programs. Fraud and Theft Information technology is increasingly used to commit fraud and theft. Computer systems are exploited in numerous ways, both by automating traditional methods of fraud and by using new methods. For example, individuals may use a computer to skim small amounts of money from a large number of financial accounts, thus generating a significant sum for their own use. Also, deposits may be intentionally misdirected. Financial systems are not the only ones subject to fraud. Systems which control access to any resource are targets, such as time and attendance systems, inventory systems, school grading systems, or long-distance telephone systems. Fraud can be committed by insiders or outsiders. The majority of fraud uncovered on computer systems is perpetrated by insiders who are authorized users of a system. Since insiders have both access to and familiarity with the victim computer system, including what resources it controls and where the flaws are, authorized system users are in a better position to commit crimes. An organization's former employees may also pose threats, particularly if their access is not terminated promptly. Disgruntled Employees Disgruntled employees can create both mischief and sabotage on a computer system. Employees are the group most familiar with their employer's computers and applications, including knowing what actions might cause the most damage. Organizational downsizing in both public and private sectors has created a group of individuals with organizational knowledge who may retain potential system access. System managers can limit this threat by invalidating passwords and deleting system accounts in a timely manner. However, disgruntled current employees actually cause more damage than former employees. Common examples of computer-related employee sabotage include: - Entering data incorrectly - Changing data - Deleting data - Destroying data or programs with logic bombs - "Crashing" systems - Holding data hostage - Destroying hardware or facilities Physical and Infrastructure The loss of supporting infrastructure includes power failures (including outages, spikes and brownouts), loss of communications, water outages and leaks, sewer problems, lack of transportation services, fire, flood, civil unrest, strikes, and so forth. These losses include dramatic events such as the explosion at the World Trade Center and the Chicago tunnel flood as well as more common events such as a broken water pipe. System owners must realize that more loss is associated with fires and floods than with viruses and other more widely publicized threats. A loss of infrastructure often results in system downtime, sometimes in unexpected ways. For example, employees may not be able to get to work during a winter storm, although the computer system may be functional. Malicious Hackers Hackers, sometimes called crackers, are a real and present danger to most organizational computer systems linked by networks. From outside the organization, sometimes from another continent, hackers break into computer systems and compromise the privacy and integrity of data before the unauthorized access is even detected. Although insiders cause more damage than hackers, the hacker problem remains serious and widespread. The effect of hacker activity on the public switched telephone network has been studied in depth. Studies by the National Research Council and the National Security Telecommunications Advisory Committee show that hacker activity is not limited to toll fraud. It also includes the ability to break into telecommunications systems (such as switches) resulting in the degradation or disruption of system availability. While unable to reach a conclusion about the degree of threat or risk, these studies underscore the ability of hackers to cause serious damage. The hacker threat often receives more attention than more common and dangerous threats. The U.S. Department of Justice's Computer Crime Unit suggests three reasons. First, the hacker threat is a more recently encountered threat. Organizations have always had to worry about the actions of their own employees and could use disciplinary measures to reduce that threat. However, these controls are ineffective against outsiders who are not subject to the rules and regulations of the employer. Secondly, organizations do not know the purposes of a hacker; some hackers only browse, some steal, some damage. This inability to identify purposes can suggest that hacker attacks have no limitations. Finally, hacker attacks make people feel vulnerable because the perpetrators are unknown. Industrial Espionage Industrial espionage involves collecting proprietary data from private corporations or government agencies for the benefit of another company or organization. Industrial espionage can be perpetrated either by companies seeking to improve their competitive advantage or by governments seeking to aid their domestic industries. Foreign industrial espionage carried out by a government is known as economic espionage. Industrial espionage is on the rise. The most damaging types of stolen information include manufacturing and product development information. Other types of information stolen include sales and cost data, client lists, and research and planning information. Within the area of economic espionage, the Central Intelligence Agency states that the main objective is obtaining information related to technology, but that information on U.S. government policy deliberations concerning foreign affairs and information on commodities, interest rates, and other economic factors is also a target. The Federal Bureau of Investigation concurs that technology-related information is the main target, but also cites corporate proprietary information such as negotiating positions and other contracting data as a target. Malicious Code Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other "uninvited" software. Malicious code is sometimes mistakenly associated only with personal computers, but can also attack more sophisticated systems. However, actual costs attributed to the presence of malicious code have resulted primarily from system outages and staff time involved in repairing the systems. Nonetheless, these costs can be significant. Malicious Software: A Few Key Terms Virus: A code segment which replicates by attaching copies of itself to existing executables. The new copy of the virus is executed when a user executes the new host program. The virus may include an additional "payload" that triggers when specific conditions are met. For example, some viruses display a text string on a particular date. There are many types of viruses including variants, overwriting, resident, stealth, and polymorphic. Trojan Horse: A program that performs a desired task, but also includes unexpected (and undesirable) functions. Consider as an example an editing program for a multi-user system. This program could be modified to randomly delete one of the users' files each time they perform a useful function (editing) but the deletions are unexpected and definitely undesired! Worm: A self-replicating program which is self-contained and does not require a host program. The program creates a copy of itself and causes it to execute; no user intervention is required. Worms commonly utilize network services to propagate to other host systems. The number of known viruses is increasing, and the rate of virus incidents is growing moderately. Most organizations use anti- virus software and other protective measures to limit the risk of virus infection. Foreign Government Espionage In some instances, threats posed by foreign government intelligence services may be present. In addition to possible economic espionage, foreign intelligence services may target unclassified systems to further their intelligence missions. Threats to Personal Privacy The accumulation of vast amounts of electronic information about individuals by the government, credit bureaus, and private companies combined with the ability of computers to monitor, process, aggregate, and record information about individuals have created a very real threat to individual privacy. The possibility that all of this information and technology could be linked together has loomed as a specter of the modern information age. This phenomenon is known as "big brother." The threat to personal privacy arises from many sources. Several cases have been reported involving the sale of personal information by federal and state employees to private investigators or other "information brokers." One such case was uncovered in 1992 when the Justice Department announced the arrest of over two dozen individuals engaged in buying and selling information from Social Security Administration (SSA) computer files. In the course of the investigation, auditors learned that SSA employees had unrestricted access to over 130 million employment records. Just recently, an investigation found that five percent of the employees in one region of the Internal Revenue Service had browsed through tax records of friends, relatives, and celebrities. Some employees used the information to create fraudulent tax refunds, but many acted simply out of curiosity. As more of these cases come to light, many individuals express increased concern about threats to their personal privacy. Over the years, Congress has enacted legislation, such as the Privacy Act of 1974 and the Computer Matching and Privacy Protection Act of 1988, which defines the boundaries of the legitimate uses of personal information collected by the government. While the magnitude and cost to society of the personal privacy threat are difficult to gauge, information technology has become powerful enough to warrant fears of both government and corporate "big brothers." Increased awareness of the problem is needed. Conclusion Today's computer systems, linked by national and global networks, face a variety of threats which can result in significant financial and information losses. Threats vary considerably, from threats to data integrity resulting from unintentional errors and omissions to threats to system availability from malicious hackers attempting to crash a system. An understanding of the types of threats in today's computing environment can assist a security manager in selecting appropriate cost-effective controls to protect valuable information resources.