Computer Security

The opinions expressed below are my own, and not necessarily those of my employer. The information here may be out of date since I wrote most of it in 2005.

Why computer security is important

Think about your bank account for a moment. Is it more important that...

it has the correct balance? (Integrity)
the funds are available so that you can buy things? (Availability)
it is private so that no one knows how much money you have? (Confidentiality)

You probably care about each of the issues. When we talk about security, we often evaluate it in terms of how it affects the integrity, availability and confidentiality of data. The integrity of data is usually more important than its availability. Likewise, the availability of data is usually more important than its confidentiality. (Thanks to Woody Thrower for this analogy)

For most people, viruses and worms present the greatest threats. They can delete important files on hard drives, crash computers, download pornography to your computer without your knowledge, and use your computer as a launch pad for more hacking attacks against other people's computers.

Many people shop online. They don't realize that the security of the merchant website is important. Sometimes hackers break into merchant computers and steal thousands of credit card numbers. It is important that people demand that merchants make their systems secure.

Sometimes hackers break into banks, or blackmail banks. They steal money, or they tell the bank that if they don't give the hackers a lot of money, they will cause havoc with the bank's computer systems. Usually the public never hears about security problems at banks. It would damage the bank's reputation, so the banks keep it quiet and absorb the cost of the damages.

What can you do about computer security?

There are some simple things that every computer user should do to make their computer more secure. These include:

Backup your data. This is very important, and will allow you to recover from hard drive failure and other threats. I use Mozy automated backup for my Windows machine. Other options include Carbonite, SyncBackSE, and JungleDisk.
Turn off your computer when you're not using it, especially if you have an always-on internet connection (e.g. cable modem, DSL, etc.)
If you're running Windows, run an anti-virus program. AVG is free for home, non-commercial use. I'm told that Kaspersky Anti Virus is the best of the breed commercial option.
Keep your computer up-to-date. For example, run Windows Update periodically -- it will help you install security patches.

For more basics, read the following US-CERT documents:

Learning about Security

Good security is difficult and requires vigilance. There are many companies that sell Snake Oil security solutions.

Recommended books and articles on computer security include (see below for secure programming resources)

Crypto-Gram (free monthly publication)
Beyond Fear (Process, risk analysis, tradeoffs, agendas, etc.)
Snake Oil FAQ
Trusted Computing: Promise and Risk
Applied Cryptography

Secure Programming

Education, effort and vigilance are required to write more secure programs. Here are some resources:

Secure Coding: Principles Practices (process, high level, quick read)
The Open Web Application Secuirty Project
Secure Programming for Linux and Unix HOWTO which is very comprehensive.
Secure Programming Cookbook for C and C++ (excellent; covers Windows and UNIX)
Writing Secure Code, Second Edition
Threat Modeling
Security Engineering
Secure Programming with a focus on C, C++, UNIX and Windows.
Secure UNIX Programming FAQ.
How to Write Secure Code from the Shmoo group, which has many links to other resources.

Privacy

Every time we use a computer or the internet, we leave "fingerprints" behind. It is nearly impossible to have complete privacy. Even people who use anonymity services may not have privacy. Read Net anonymity service back-doored. Nothing you do is truly anonymous.

Too much privacy can lead to a lack of accountability.

Risk

In order to make wise security decisions that require investment of time and money, it is necessary to evaluate risk. We must consider more than security threats alone. We should consider opportunity costs, the cost of mitigating the risk, etc. The NIST published document 800-30 on managing risk.

Most of us won't ever do a quantative risk analysis. Instead, we follow our hunches, or we react when something bad happens, as best as we can. We try to limit future risk. Sometimes, we do qualatative risk analysis, which is simpler than quantative analysis.

There is a NIST standard formula for calculating loss due to risks. You can read about it from

a google query on the terms "ALE, "SLE" and "risk".
Keith McCammon - Calculating Loss Expectancy.
Laura Taylor in the Intranet Journal.
Justifying the Expense of IDS, Part One from SecurityFocus.
Tim Smith in the OWASP Security Guide.
The CCCure online CISSP study guide.

Biometric Authentication Devices

Do fingerprint scanners really improve security? How about iris and retinal scanners? The companies who sell the products claim that they do. Yet independent testing of these devices show that they are easily fooled:

Return to my home page.