Introduction to Security

Broadly speaking, computer security means that your computer behaves as you want it to, and that your information is used as you intend. There are always risks, and always costs associated with reducing those risks. Although technology is intimately involved, in the end it is a business decision as to how much money, time, and convenience you will spend to reduce the risk. The risk is never zero, but if you ignore it, neither will it be small.

Security is a process, not an end-point. Risks change, data changes and the costs of securing processes change. There is no point in either over-protecting or under-protecting, so the first step is to assess the risks.

What are the risks?

  • Physical loss
    • Theft of machines
    • Broken machines, crashed disks.
    • Disaster -- fire, flood, the usual bad things
  • Reveal sensitive data
    • Some data legally protected; e.g. medical data, student data, SSNs
    • Some data is financial, some simply sensitive
  • Data damaged or altered
    • Hacker can change grades or financial records
    • Hacker can erase data
  • Theft of service
    • Cracker can steal an account, use UI resources (e.g. modem/internet connection, mail, computation, storage - warez)
    • Stolen service can be illegal, such as an attack on a third party
  • Denial of Service (DOS) attack. The cracker can make it impossible to use your computer. Or he can use your computer to attack others.
  • Identity theft
    • Steal an account, can authenticate as the real owner
    • Alter a web page, make it look like UI endorses something
  • Theft of time or attention
    • spam
    • harassing email
    • virus

What are the attacks?

  • Social Engineering. Low tech, but can be very effective. Would you give your password to someone who seemed to know what he's doing?
  • Network. People worry most about attacks over the network, even if they aren't the most prevalent or dangerous.
    • DOS -- Simply flood the network to deny use to legitimate parties.
    • Intrusion (attempt to get root, password guessing). The cracker attempts to exploit some bug or vulnerability.
    • Sniffing. Unencrypted network traffic, wired as well as wireless, is susceptible to others listening in.
  • Abuse - spam.
  • Host based -- existing user tries to crack root, or enlarge authority, or abuse bandwidth, or act illegally (e.g. copyright violation)
  • Viruses

What are some defenses?

  • Education. I can't stress this enough. You don't have to be an expert, but you need some basic level of understanding.
  • Patches, Host configuration. ALL software has bugs. Yes, the software you are using right now has bugs. And even without the bugs, it can be misconfigured. You MUST keep up to date with security patches, and be careful about configurations. This is not fun, but it is essential.
  • Backups. There are two kinds of users -- those that have lost data, and those that will. Make your backups early and often.
  • Encryption. Think you're not enough of a target to worry about? Think again. Every time you send a cleartext password across the network, you're exposed.
  • Virus protection. Get it. Use it. Keep it up to date.
  • Account management. If you have multiple users on your machine, make sure they only get the privileges they need.
  • Firewalls. A firewall is a device for restricting some network attacks. They come in many varieties, from personal firewalls that run on your PC to specialized hardware that sits on the network. They do NOT make things secure, but they can help.
  • Logs. Logs are a system administrator's best friend.
  • Intrusion detection, host or network based. This can mean sophisticated network systems, or simply keeping a list of files so you can know what's been changed. Either is very useful if you want to know if you've been cracked.
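
The "list of files" form of intrusion detection mentioned above can be as small as a table of file hashes taken while the machine is known to be good, compared against a fresh table later. The following is an added example, not part of the original page; the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest

def compare(baseline, current):
    """Report paths added, removed or modified since the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample tree: record a baseline, change files, compare."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        write("bin/login", b"original program")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        write("etc/motd", b"welcome\n")
        baseline = snapshot(root)                  # the trusted list of files
        write("bin/login", b"replaced program")    # content changed
        write("etc/new.conf", b"unexpected\n")     # file appeared
        os.remove(os.path.join(root, "etc/motd"))  # file disappeared
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the monitored machine cannot write to; a list stored beside the files it describes can be altered along with them.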

Who are you?

A large part of security is making sure that the right people have the right privileges. So please keep the following terms clear:

  • Name or ID. This is simply a unique way of identifying a person. At UIC we usually use the NetID, although the i-card number would suffice. Actually SSN would be ok, except for the fact it's illegal. The point is that the ID is a public identifier, and is not secret at all.
  • Authentication. This simply means proving who you are. That is, proving that you belong to a given ID. It may involve something you know (e.g. password), something you have (e.g. smart card) or something you are (e.g. fingerprint) or some combination. Authentication does not give you any privilege, it only provides a basis for deciding privilege.
  • Authorization. Here is where the privilege is given out. Given that the system has authenticated you, now it can decide what you are allowed to do.
  • Audit. Well, even if everything else works perfectly, people make mistakes. (Not to mention computers.) So we keep track of what happened.

Last updated: September 21, 2016