THREATS TO NETWORK SYSTEMS: A REAL CONCERN
por Manuel Cereijo
A significant security problem for networked systems is hostile, or at least unwanted, trespass by users or software. User trespass can take the form of unauthorized logon to a machine or, in the case of an authorized user, acquisition of privileges or performance of actions beyond those that have been authorized. Software trespass can take the form of a virus, worm, or Trojan horse.
All these attacks relate to network security because system entry canbe achieved by means of a network. However, these attacks are not confined to network-based attacks. A user with access to a local terminal may attempt trespass without using an intermediate network. System trespass is an area in which the concerns of network security and computer security overlap.
One of the most publicized threats to security is the intruder, generally referred to as a hacker or cracker. The other is viruses. The intruder can be a masquerader. This is an individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account. The misfeasor is a legitimate user who access data, programs, or resources for which such access is not authorized. A clandestine user is who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection. The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider.
The intruder needs information in the form of a user password. Then, he can log in to a system and exercise all the privileges accorded to the legitimate user. Some effort is needed for a potential intruder to learn passwords. Among the techniques, we have:
· Try default passwords used with standard accounts that are shipped with the system
· Exhaustively try all short passwords
· Collect information about users, such as full names, names of spouses, children, books in office, etc
· Try user’s phone numbers. Social security numbers, room numbers
· License plate numbers
· Use a Trojan horse
Guessing attacks are feasible, and indeed highly effective, when a large number of guesses can be attempted, and each guess verified, without the guess process being detectable. The professional intruder is unlikely to try those crude guessing methods.
The front line of defense against intruders is the password system. The password serves to authenticate the ID of the individual logging on to the system. The ID also determines the privileges accorded to the user. The encryption routine is designed to discourage guessing attacks. Password length is only part of the problem. Many people, when permitted to choose their own password, pick a password that is guessable, such as their own name, their street name, etc.
The goal for prevention is then to eliminate guessable passwords while allowing the user to select a password that is memorable. For basic techniques are in use:· User education
· Computer-generated password
· Reactive password checking
· Proactive password checking
One rule should be enforced. All passwords must be at least eight characters long. The passwords must include at least one each of uppercase, lowercase, numeric digits, and punctuation marks.