June 1999
Editor's Note: A previous CSIS Liaison/Awareness Brief, Economic Espionage: The Risk of Conducting Business in the International Marketplace (April 1998), identified some economic espionage methodologies used to disadvantage Canadian interests. The purpose of this brief is to highlight some of the computer security issues that impact upon individuals and organizations who rely more and more on information technology to conduct business. The vulnerability of Canadian organizations to acts of economic espionage can be reduced through timely information about computer security issues and the adoption of computer security practices.
This brief is published as part of CSIS's national Liaison/Awareness Program. Through this program, the Service seeks to establish ongoing dialogue with organizations, both public and private, concerning the threat posed by those engaging in computer-based attacks against Canadian interests and by foreign government involvement in economic espionage.
Advances in telecommunications and in computer technology have caused an information revolution, the impact of which may be as profound as that of the industrial revolution of the nineteenth century. The rapid evolution of telephone, cable, satellite and computer networks and software, combined with technological breakthroughs in computer processing have made this latest revolution possible.
Apart from the rapid evolution of personal computers (PCs), the computing environment today allows for a sophisticated and complex interconnection of PCs, networks and hosts. Many organizations now have PCs connected to different networks with the additional capability of accessing a mainframe. Laptops and notebook computers add to the risk factor by providing the ability to easily remove sensitive information from the workplace. The loss of sensitive information, whether deliberate or inadvertent, can carry a price tag far beyond the cost of platform hardware.
The Internet is a global network interconnecting thousands of dissimilar computer networks and millions of computers worldwide. Over the past 20 years, it has evolved from its relatively obscure use by scientists and researchers to its significant role today as a popular, user-friendly and cost-effective means of communication and information exchange. Millions of people conduct business over the Internet, and millions more use it for entertainment.
Internet use has more than doubled annually for the last several years, to an estimated 40 million users in nearly every country today. Connections are growing at an ever-increasing rate, with the Internet adding a new network about every 30 minutes.
Because the Internet strives to be a seamless Web of networks, it is virtually impossible today to distinguish where one network ends and another begins. Local, provincial and federal government networks, for example, are interconnected with commercial networks, which in turn are interconnected with military networks, financial networks, utilities networks and so on.
The only equipment required for Internet access is a PC with a modem and a telephone line. As more people get connected, the attractiveness of the Internet as a convenient, cheap, quick and intriguing way of communicating increases. With more participants, the amount of available information (news groups, program and data files, graphic and multimedia documents, and government and industry documents) increases and attracts even more users.
Security problems associated with the Internet are usually not specifically caused by the Internet itself. The result can be uninvited browsing, copying or the destruction of valuable information, not to mention the rapid widespread migration of viruses. The most prevalent vulnerability is the reliance on user passwords. They provide a weak security mechanism that can be exploited. Another is the lack of security knowledge and training of users and system managers. The relatively simple exploitation by hackers of vulnerabilities in operating systems or application code is also a concern.
These days, many government officials, senior corporate executives and sales negotiators travel abroad with their own communication terminals such as a laptop with its own fax/data modem. It is no longer necessary to travel with bulky and heavy quantities of documents which can be instantly recalled from the home office. During business negotiations, a vast amount of technical details concerning, for instance, bidding information, client lists and negotiation strategies, can now be made available over a telephone line. These lines can be subjected to attack or interception by a competitor or foreign state.
Laptop computers are increasingly prime targets for theft, especially for domestic and international travellers. Travellers who anticipate carrying such items should be particularly wary while transiting airports and be alert to any sudden diversions. Two recent incidents at separate airports show the modus operandi of thieves operating in pairs that target laptop computers:
One of the main problems with Information Operations (IO) is that there exists a wide variety of definitions. Initially, the term Information Warfare (IW), coined by the American military, was used. Over time, IW was replaced with IO, a term which included scenarios which could be applied outside the military theatre.
Generally speaking, IO can be defined as any tool or technique used to identify and/or exploit the vulnerabilities of any computer infrastructure, including government departments, commercial entities, institutions, groups, and individuals for a variety of reasons, dependent on the intent of the user.
IO tools and techniques could be used by foreign governments, terrorists and politically-motivated extremists to do anything from stealing proprietary information and technology, to launching an attack against Canada's national information infrastructure, which includes banking systems, airport air traffic systems, and power grids.
IO opens new horizons of cost effectiveness for terrorists and hostile foreign governments. IO is not only a relatively cheap and feasible means of attack, but it can originate thousands of miles away from an intended target. An offender can attack a computer system with a modest investment of finance and equipment.
Our society is increasingly dependent on interconnected infrastructures which, if destroyed, could adversely affect Canada's national security and economic stability.
For most organizations, the major threat to computers remains internal. This includes disgruntled or dishonest employees who have the knowledge and the access needed to subvert corporate information systems. According to a 1998 Computer Security Institute (CSI) survey on information security, 44% of respondents reported hacking attempts from inside their organization, making this the biggest threat to information security.
Of increasing concern are casual hackers with social or political motives. An American juvenile computer hacker pleaded guilty to disabling a Worcester airport control tower and other airport facilities for six hours and disrupting phone service in Rutland, Massachusetts on 10 March 1997. The juvenile also hacked into a Worcester pharmacy computer and stole prescription details from a local pharmacist. Both attacks occurred when computer systems were made accessible through the Internet so that system administrators could work remotely.
Also, organized crime is using computers and there are some indications that computer criminals are hooking up with hackers for illegal activities. In September 1996, Russian hackers apparently succeeded in siphoning about $10 million (U.S.) into foreign bank accounts, but bungled their attempts to extract cash from these electronic, fraudulent deposits. All but $400,000 (U.S.) of the stolen funds were recovered.
Internet security can parallel the security concept we use every day. We lock the doors and windows of our houses for safety. Security for the Internet (or for any other information network or standalone PC) should follow the same philosophy. An organization must secure all access points between an internal network and the outside world and cannot rely on any security mechanism which it does not control. Completely securing the Internet is an impossible task, and an easy step-by-step checklist for Internet security cannot exist when attacks are constantly changing. There are methods, techniques and guidelines that can reduce the risk considerably, and those who remember that keeping systems "secure" is an ongoing program can counter most problems.
Hackers will find and attack the weakest and most easily exploitable point of a network. Usually this is the initial point of contact within the company, its computer network. One way to prevent some of the corporate information from "leaking out" is to ensure that Internet terminals are completely separated from the company's other computer systems. Without a direct link to the company's operating systems, a potential hacker will only get into the company's Internet computer and not its core computer system. When risk is assessed as too high, the only safe connection to the Internet is none at all.
Every organization that connects computers to the Internet (or any other external networks) should develop a security policy for each of its systems. The policy should consist of directives or rules which reflect the organization's overall view on what is allowed and what is not. It should describe the types of access available, the applications allowed to be run, and who is allowed access. The directives should be based on an analysis of the assets of an organization's system, and should assess the impact of a loss or compromise of a system, as well as the threats the system needs to be protected from. Identification, authentication, accountability (audit), confidentiality, integrity and availability concerns should all be considered when setting a security policy. This policy should be unique for each system, and should be reviewed when changes in the system or organization occur.
On a global scale, a country's national information infrastructure is vulnerable to a malevolent individual, group or foreign government intent on destruction. On a smaller scale, private citizens and corporations are also susceptible to an IO attack.
Comments on this brief are welcome, and should be directed to the National Coordinator, Economic and Information Security, Box 9732, Station "T", Ottawa, K1G 4G4, phone 613-231-0100, fax 613-842-1390. If you'd like to talk to CSIS regarding a particular security concern, please contact the local Economic and Information Security Coordinator at one of the CSIS offices listed below:
Newfoundland: (709) 772-5449
Nova Scotia: (902) 420-5900
New Brunswick: (506) 452-3786
Quebec
Ontario
Manitoba: (204) 983-5405
Saskatchewan: (306) 780-5512
Alberta
British Columbia: (604) 528-7400