COMPUTER SECURITY ----------------- Notes of the presentation to The Institution of Production Engineers March 21, 1990 by E.A.Bedwell, E.D.P. Specialist ORTECH International (NRC/IRAP) 2395 Speakman Dr., Mississauga L5K 1B3 (416) 822-4111, Ext. 261 The writer wishes to thank the Institution of Production Engineers and it's President for the invitation to make this presentation, and to express sincere appreciation to David Stang, Ph.D., Director of Research, National Computer Security Association, for his contribution both to this paper and to computer security in general. And I would be very remiss if I neglected to mention the professional secretarial assistance provided by Jane Templeman, who makes our whole team tick like the NRC official time clock - the one that gives the CBC time signal. This document is, hopefully, written softly: after all, it might be easier to digest if I have to eat my words. I do not profess to be "the expert" in the field of computer security; an expert is someone who knows more and more about less and less until s/he knows absolutely everything about nothing. I hope never to stop learning, which means (thankfully) I'll never be an expert. INDEX PAGE ----- ---- 1. Definition/Scope of "COMPUTER SECURITY" 2 2. Why Should You Be Concerned? 2 3. Types of Security Breaches 3 4. Reasons for Exposure 7 5. General Security Rules (all computer systems) 8 6. Viruses: 9 6.1 History 9 6.2 Effect 10 6.3 Why do people do it? 10 6.4 Symptoms 10 6.5 Concerns 11 6.6 Known Virus Software (1) 11 6.7 Quick Guide to Virus Names (1) 12 6.8 Table of Virus Effects 16 6.9 Virus Detector/Antidote software 19 6.10 Trojan Horses 20 7. PC Rules of Thumb 22 8. Easy Tricks for PC Security 23 9. So You're Infected (Cure) 24 10. Summary: What Can You Do? 25 11. Security Policy: Points for Consideration 26 12. To run SCAN (included on this diskette) 29 (1) David Stang, Ph.D, "Network Security in the Federal Government,", January, 1990, p.168-169 (updated by E.A.Bedwell, March, 1990) - 2 - Tonight's topic is "Computer Security," a subject near and dear to my heart after catching fraud a few times, and cracking system security a few times. The only unfortunate part of this evening is that I have enough material to cover an intensive 2 or 3 day seminar and I only have something over an hour, so in addition to extensive notes from this presentation, I've put an article on viruses, and a PC virus detector program on diskette for you. 1. SCOPE OF COMPUTER SECURITY Computer security relates to any potential loss of information or your ability to operate, regardless of the source of the problem. Of course, all the publicity about computer security is going to the virus situation. I don't want to dissuade anyone from their concerns about viruses, because it's definitely a growing problem, and if you get hit, you'll be sorry you ever laid eyes on a computer. But, current estimates indicate that viruses represent only 3% of all the computer problems now occurring. Of course, if you're one of the 3%, like CNIB or Barclay's Bank Canada were last fall, you'll feel like you're the only one on earth. The difference between viruses and other computer security issues is apparently one of control: I hope to convince you that you have as much control over viruses and as little control over the other 97% of problems as to make them equal threats to the safety of your computer. I'm going to get to viruses later, their prevention, detection and cure, but I'd like first like to cover the other major problems that affect computer security - the other 97% - and I'd like to start with reasons why you should be concerned about security. 2. WHY SHOULD YOU BE CONCERNED? Your data is a valuable asset, just like premises, equipment, raw materials and inventory. Because so much of modern business depends on computers - financial systems, engineering design, medical diagnosis, production and safety control - the destructive potential is greater every year. There has been more than one company that's suffered great losses, and even gone under because of the loss of things like their accounts receivable records: no one is going to pay you if you don't send them a bill, and if they get word of your inability to invoice them, their darned unlikely to volunteer payment - so you're in a financial mess. The same goes for your design information, production data, the consequences if safety control systems malfunction, or even the simple loss of your customer list. Another reason why you should be concerned is, too often, people don't think about computer security until it's too late. There's a saying in my industry that, "He who laughs last probably made a backup." Another saying is, "Experience is something you don't get until just after you needed it the most." Well, if it means the life of your company, or the loss of potentially millions of dollars, or even just the information on your home computer, it might be wise to get at least some basic knowledge before the disaster strikes. - 3 - 3. TYPES OF SECURITY BREACHES Now that the 'why' is out of the way, let's break down the 97% of problems. These are not in a specific order, but just as they came to me. Nor have I attempted to attach percentages to each type of risk, because very few computer crimes are actually reported, so any figures that anyone could estimate would not be realistic: FRAUD/THEFT By far the biggest problem is fraud or theft. Some examples of this are: CHAOS - 1987 - Hamburg -> NASA data bank info sold to USSR Foreign exchange } famous because of big $ Electronic Funds Transfer } amounts, and because of the Insider Trading } publicity they've received Most common: Cookie jar technique - e.g., interest, income tax (aka 'Salami' technique - take a little and no one will notice) Specific examples I've caught were in Payroll (no crash on < or =), Accounts Payable (dummy companies), Purchasing (failed reasonableness test), and Accounts Receivable (failed balance routine). These were all thefts of money. Another example of theft which is very interesting is the 28-year-old Canadian who was arrested at UNISYS in Pittsburgh on Dec. 13/89 - what he is alleged to have stolen was NCR's trade secrets - to the tune of US$68M, which comes under a different Canadian law from monetary theft. MALICIOUS DAMAGE / VANDALISM The next major type of computer security breach is the disgruntled employee syndrome. Their favourite is the logic bomb or time bomb: on a certain date or condition after they leave the company, something's going to happen, such as at the health centre in LA where all prescriptions suddenly multiplied by 2. That's really serious, even compared to the logic bomb that superzaps all your files off the face of the earth, because someone could die. At least with a superzap, you can recover if you've been backing up and have a disaster recovery plan in effect. Pure physical vandalism occurs more often at educational institutions, but is still a serious threat. I wouldn't let me near your machine if I was angry with you - my vandalism would be difficult to detect (and expensive to repair). A simple application of a magnetized screwdriver ...... LACK OF SECURITY PLANNING IN SYSTEM DESIGN STAGE One of the biggest logic bombs that's going to occur is on January 1/2000. Do you know how many computer systems use a 2 digit number for the year? Do you know how much work it's going to be to adapt systems to recognize 00 as being greater than 99? My grandmother was born in 1886, and most systems show her birth year as 99. If she lives to the year 1999, I wonder if they'll start sending her the baby bonus. This time bomb is not malicious damage, it's pure lack of planning at the system design stage. - 4 - (Lack of Security Planning - continued) Things like balance checks and reasonableness tests are not built into the system from the beginning, and it's not easy to put them in later. Users must participate at the system design stage, because only they know what's reasonable and what can be balanced. Don't expect a computer technician to know everything there is to know about your job. DISTORTED SENSE OF HUMOUR Then there's the practical joker - the one who thinks it's funny to break into the system to see what he can change, or create some dumb message to appear on your screen. That's what happened at IBM when the infamous Christmas tree appeared 2 years ago (1987). The joke was three-fold - first it analyzed your ...
sentinell