<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Science and network security &#187; Computer Network</title>
	<atom:link href="http://www.sciencetosecurity.org/category/computer-network/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.sciencetosecurity.org</link>
	<description></description>
	<lastBuildDate>Fri, 18 Jun 2010 21:54:54 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Network Security Policy, Procedures, and Practices</title>
		<link>http://www.sciencetosecurity.org/2010/06/network-security-policy-procedures-and-practices/</link>
		<comments>http://www.sciencetosecurity.org/2010/06/network-security-policy-procedures-and-practices/#comments</comments>
		<pubDate>Fri, 18 Jun 2010 10:04:30 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Computer Network]]></category>
		<category><![CDATA[acceptable use]]></category>
		<category><![CDATA[Access]]></category>
		<category><![CDATA[activity]]></category>
		<category><![CDATA[addition]]></category>
		<category><![CDATA[address]]></category>
		<category><![CDATA[analysis]]></category>
		<category><![CDATA[Armed]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[attempt]]></category>
		<category><![CDATA[authenticate]]></category>
		<category><![CDATA[authenticity]]></category>
		<category><![CDATA[automate]]></category>
		<category><![CDATA[availability]]></category>
		<category><![CDATA[bastion]]></category>
		<category><![CDATA[behalf]]></category>
		<category><![CDATA[burst]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[collection]]></category>
		<category><![CDATA[confidence]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[configuration]]></category>
		<category><![CDATA[connection]]></category>
		<category><![CDATA[consistent enforcement]]></category>
		<category><![CDATA[content]]></category>
		<category><![CDATA[Continuous]]></category>
		<category><![CDATA[core]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[damage]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[defense]]></category>
		<category><![CDATA[defense mechanisms]]></category>
		<category><![CDATA[device]]></category>
		<category><![CDATA[dial]]></category>
		<category><![CDATA[dilemma]]></category>
		<category><![CDATA[dissemination]]></category>
		<category><![CDATA[ease]]></category>
		<category><![CDATA[ecurity]]></category>
		<category><![CDATA[effect]]></category>
		<category><![CDATA[Engineering]]></category>
		<category><![CDATA[entry]]></category>
		<category><![CDATA[evidence]]></category>
		<category><![CDATA[example]]></category>
		<category><![CDATA[exchange]]></category>
		<category><![CDATA[filter]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[focus]]></category>
		<category><![CDATA[form]]></category>
		<category><![CDATA[gathering]]></category>
		<category><![CDATA[hardware]]></category>
		<category><![CDATA[host]]></category>
		<category><![CDATA[impact]]></category>
		<category><![CDATA[infiltration]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[integrity]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[intruder]]></category>
		<category><![CDATA[Intruders]]></category>
		<category><![CDATA[knowledge]]></category>
		<category><![CDATA[legal environment]]></category>
		<category><![CDATA[level description]]></category>
		<category><![CDATA[limit]]></category>
		<category><![CDATA[line]]></category>
		<category><![CDATA[mail]]></category>
		<category><![CDATA[management commitment]]></category>
		<category><![CDATA[manner]]></category>
		<category><![CDATA[modem]]></category>
		<category><![CDATA[monitor]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[network tools]]></category>
		<category><![CDATA[One]]></category>
		<category><![CDATA[One-time]]></category>
		<category><![CDATA[Operational]]></category>
		<category><![CDATA[organization]]></category>
		<category><![CDATA[packet]]></category>
		<category><![CDATA[paging]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[Passwords]]></category>
		<category><![CDATA[period]]></category>
		<category><![CDATA[pool]]></category>
		<category><![CDATA[problem]]></category>
		<category><![CDATA[programming guidelines]]></category>
		<category><![CDATA[proxy]]></category>
		<category><![CDATA[purpose]]></category>
		<category><![CDATA[relay]]></category>
		<category><![CDATA[Remote]]></category>
		<category><![CDATA[resistance]]></category>
		<category><![CDATA[response]]></category>
		<category><![CDATA[response systems]]></category>
		<category><![CDATA[risk analysis]]></category>
		<category><![CDATA[router]]></category>
		<category><![CDATA[Section]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[security personnel]]></category>
		<category><![CDATA[security policy]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[service]]></category>
		<category><![CDATA[site]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[solution]]></category>
		<category><![CDATA[squash]]></category>
		<category><![CDATA[stream]]></category>
		<category><![CDATA[susceptibility]]></category>
		<category><![CDATA[system]]></category>
		<category><![CDATA[system administrators]]></category>
		<category><![CDATA[target]]></category>
		<category><![CDATA[technical environment]]></category>
		<category><![CDATA[technical options]]></category>
		<category><![CDATA[technological support]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[time]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[traffic]]></category>
		<category><![CDATA[traverse]]></category>
		<category><![CDATA[use]]></category>
		<category><![CDATA[user]]></category>
		<category><![CDATA[variety]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.sciencetosecurity.org/?p=31</guid>
		<description><![CDATA[Security Policy
A policy is a documented high-level plan for organization-wide computer and information security. It provides a framework for making specific decisions, such as which defense mechanisms to use and how to configure services, and is the basis for developing secure programming guidelines and procedures for users and system administrators to follow. Because a security [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Security Policy</strong><br />
A policy is a documented high-level plan for organization-wide computer and information security. It provides a framework for making specific decisions, such as which defense mechanisms to use and how to configure services, and is the basis for developing secure programming guidelines and procedures for users and system administrators to follow. Because a security policy is a long-term document, the contents avoid technology-specific issues.<span id="more-31"></span><br />
A security policy covers the following (among other topics appropriate to the organization):<br />
high-level description of the technical environment of the site, the legal environment (governing laws), the authority of the policy, and the basic philosophy to be used when interpreting the policy<br />
risk analysis that identifies the site&#8217;s assets, the threats that exist against those assets, and the costs of asset loss<br />
guidelines for system administrators on how to manage systems<br />
definition of acceptable use for users<br />
guidelines for reacting to a site compromise (e.g., how to deal with the media and law enforcement, and whether to trace the intruder or shut down and rebuild the system)<br />
Factors that contribute to the success of a security policy include management commitment, technological support for enforcing the policy, effective dissemination of the policy, and the security awareness of all users. Management assigns responsibility for security, provides training for security personnel, and allocates funds to security. Technological support for the security policy moves some responsibility for enforcement from individuals to technology. The result is an automatic and consistent enforcement of policies, such as those for access and authentication. Technical options that support policy include (but are not limited to):<br />
challenge/response systems for authentication<br />
auditing systems for accountability and event reconstruction<br />
encryption systems for the confidential storage and transmission of data<br />
network tools such as firewalls and proxy servers<br />
There are many books and papers devoted to site security policies, including requests for comments RFC 1244 (6) and RFC 1281 (7), guidelines written by the Internet Engineering Task Force.</p>
<p><strong>Security-Related Procedures</strong><br />
Procedures are specific steps to follow that are based on the computer security policy. Procedures address such topics as retrieving programs from the network, connecting to the site&#8217;s system from home or while traveling, using encryption, authentication for issuing accounts, configuration, and monitoring.</p>
<p><strong>Security Practices</strong><br />
System administration practices play a key role in network security. Checklists and general advice on good security practices are readily available. Below are examples of commonly recommended practices:<br />
Ensure all accounts have a password and that the passwords are difficult to guess. A one-time password system is preferable.<br />
Use tools such as MD5 checksums (8), a strong cryptographic technique, to ensure the integrity of system software on a regular basis.<br />
Use secure programming techniques when writing software. These can be found at security-related sites on the World Wide Web.<br />
Be vigilant in network use and configuration, making changes as vulnerabilities become known.<br />
Regularly check with vendors for the latest available fixes and keep systems current with upgrades and patches.<br />
Regularly check on-line security archives, such as those maintained by incident response teams, for security alerts and technical advice.<br />
Audit systems and networks, and regularly check logs. Many sites that suffer computer security incidents report that insufficient audit data is collected, so detecting and tracing an intrusion is difficult.</p>
<p><strong>Security Technology</strong><br />
A variety of technologies have been developed to help organizations secure their systems and information against intruders. These technologies help protect systems and information against attacks, detect unusual or suspicious activities, and respond to events that affect security. In this section, the focus is on two core areas: operational technology and cryptography. The purpose of operational technology is to maintain and defend the availability of data resources in a secure manner. The purpose of cryptography is to secure the confidentiality, integrity, and authenticity of data resources.</p>
<p><strong>Operational Technology</strong><br />
Intruders actively seek ways to access networks and hosts. Armed with knowledge about specific vulnerabilities, social engineering techniques, and tools to automate information gathering and systems infiltration, intruders can often gain entry into systems with disconcerting ease. System administrators face the dilemma of maximizing the availability of system services to valid users while minimizing the susceptibility of complex network infrastructures to attack. Unfortunately, services often depend on the same characteristics of systems and network protocols that make them susceptible to compromise by intruders. In response, technologies have evolved to reduce the impact of such threats. No single technology addresses all the problems. Nevertheless, organizations can significantly improve their resistance to attack by carefully preparing and strategically deploying personnel and operational technologies. Data resources and assets can be protected, suspicious activity can be detected and assessed, and appropriate responses can be made to security events as they occur.</p>
<p><strong>One-Time Passwords.</strong><br />
Intruders often install packet sniffers to capture passwords as they traverse networks during remote log-in processes. Therefore, all passwords should at least be encrypted as they traverse networks. A better solution is to use one-time passwords because there are times when a password is required to initiate a connection before confidentiality can be protected.<br />
One common example occurs in remote dial-up connections. Remote users, such as those traveling on business, dial in to their organization&#8217;s modem pool to access network and data resources. To identify and authenticate themselves to the dial-up server, they must enter a user ID and password. Because this initial exchange between the user and server may be monitored by intruders, it is essential that the passwords are not reusable. In other words, intruders should not be able to gain access by masquerading as a legitimate user using a password they have captured.<br />
One-time password technologies address this problem. Remote users carry a device synchronized with software and hardware on the dial-up server. The device displays random passwords, each of which remains in effect for a limited time period (typically 60 seconds). These passwords are never repeated and are valid only for a specific user during the period that each is displayed. In addition, users are often limited to one successful use of any given password. One-time password technologies significantly reduce unauthorized entry at gateways requiring an initial password.</p>
<p><strong>Firewalls</strong><br />
Intruders often attempt to gain access to networked systems by pretending to initiate connections from trusted hosts. They squash the emissions of the genuine host using a denial-of-service attack and then attempt to connect to a target system using the address of the genuine host. To counter these address-spoofing attacks and enforce limitations on authorized connections into the organization&#8217;s network, it is necessary to filter all incoming and outgoing network traffic.<br />
A firewall is a collection of hardware and software designed to examine a stream of network traffic and service requests. Its purpose is to eliminate from the stream those packets or requests that fail to meet the security criteria established by the organization. A simple firewall may consist of a filtering router, configured to discard packets that arrive from unauthorized addresses or that represent attempts to connect to unauthorized service ports. More sophisticated implementations may include bastion hosts, on which proxy mechanisms operate on behalf of services. These mechanisms authenticate requests, verify their form and content, and relay approved service requests to the appropriate service hosts. Because firewalls are typically the first line of defense against intruders, their configuration must be carefully implemented and tested before connections are established between internal networks and the Internet.</p>
<p><strong>Monitoring Tools</strong><br />
Continuous monitoring of network activity is required if a site is to maintain confidence in the security of its network and data resources. Network monitors may be installed at strategic locations to collect and examine information continuously that may indicate suspicious activity. It is possible to have automatic notifications alert system administrators when the monitor detects anomalous readings, such as a burst of activity that may indicate a denial-of-service attempt. Such notifications may use a variety of channels, including electronic mail and mobile paging. Sophisticated systems capable of reacting to questionable network activity may be implemented to disconnect and block suspect connections, limit or disable affected services, isolate affected systems, and collect evidence for subsequent analysis.<br />
Tools to scan, monitor, and eradicate viruses can identify and destroy malicious programs that may have inadvertently been transmitted onto host systems. The damage potential of viruses ranges from mere annoyance (e.g., an unexpected &#8220;Happy Holidays&#8221; jingle without further effect) to the obliteration of critical data resources. To ensure continued protection, the virus identification data on which such tools depend must be kept up to date. Most virus tool vendors provide subscription services or other distribution facilities to help customers keep up to date with the latest viral strains.</p>
<p><strong>Security Analysis Tools</strong><br />
Because of the increasing sophistication of intruder methods and the vulnerabilities present in commonly used applications, it is essential to periodically assess network susceptibility to compromise. A variety of vulnerability identification tools are available, which have garnered both praise and criticism. System administrators find these tools useful in identifying weaknesses in their systems. Critics argue that such tools, especially those freely available to the Internet community, pose a threat if acquired and misused by intruders.</p>
<p><strong>Cryptography</strong><br />
One of the primary reasons that intruders can be successful is that most of the information they acquire from a system is in a form that they can read and comprehend. When you consider the millions of electronic messages that traverse the Internet each day, it is easy to see how a well-placed network sniffer might capture a wealth of information that users would not like to have disclosed to unintended readers. Intruders may reveal the information to others, modify it to misrepresent an individual or organization, or use it to launch an attack. One solution to this problem is, through the use of cryptography, to prevent intruders from being able to use the information that they capture.<br />
Encryption is the process of translating information from its original form (called plaintext) into an encoded, incomprehensible form (called ciphertext). Decryption refers to the process of taking ciphertext and translating it back into plaintext. Any type of data may be encrypted, including digitized images and sounds.<br />
Cryptography secures information by protecting its confidentiality. Cryptography can also be used to protect information about the integrity and authenticity of data. For example, checksums are often used to verify the integrity of a block of information. A checksum, which is a number calculated from the contents of a file, can be used to determine if the contents are correct. An intruder, however, may be able to forge the checksum after modifying the block of information. Unless the checksum is protected, such modification might not be detected. Cryptographic checksums (also called message digests) help prevent undetected modification of information by encrypting the checksum in a way that makes the checksum unique.<br />
The authenticity of data can be protected in a similar way. For example, to transmit information to a colleague by E-mail, the sender first encrypts the information to protect its confidentiality and then attaches an encrypted digital signature to the message. When the colleague receives the message, he or she checks the origin of the message by using a key to verify the sender&#8217;s digital signature and decrypts the information using the corresponding decryption key. To protect against the chance of intruders modifying or forging the information in transit, digital signatures are formed by encrypting a combination of a checksum of the information and the author&#8217;s unique private key. A side effect of such authentication is the concept of nonrepudiation. A person who places their cryptographic digital signature on an electronic document cannot later claim that they did not sign it, since in theory they are the only one who could have created the correct signature.<br />
Current laws in several countries, including the United States, restrict cryptographic technology from export or import across national borders. In the era of the Internet, it is particularly important to be aware of all applicable local and foreign regulations governing the use of cryptography.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sciencetosecurity.org/2010/06/network-security-policy-procedures-and-practices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Virtual Private Network (VPN)</title>
		<link>http://www.sciencetosecurity.org/2010/06/virtual-private-network-vpn/</link>
		<comments>http://www.sciencetosecurity.org/2010/06/virtual-private-network-vpn/#comments</comments>
		<pubDate>Fri, 18 Jun 2010 04:52:50 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Computer Network]]></category>
		<category><![CDATA[Access]]></category>
		<category><![CDATA[addition]]></category>
		<category><![CDATA[advance]]></category>
		<category><![CDATA[analog]]></category>
		<category><![CDATA[area]]></category>
		<category><![CDATA[article]]></category>
		<category><![CDATA[branch]]></category>
		<category><![CDATA[burden]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[cable]]></category>
		<category><![CDATA[cannot]]></category>
		<category><![CDATA[Carrier]]></category>
		<category><![CDATA[Client-initiated]]></category>
		<category><![CDATA[company]]></category>
		<category><![CDATA[concentrate]]></category>
		<category><![CDATA[connection]]></category>
		<category><![CDATA[core]]></category>
		<category><![CDATA[cost]]></category>
		<category><![CDATA[country]]></category>
		<category><![CDATA[couple]]></category>
		<category><![CDATA[decades]]></category>
		<category><![CDATA[Digital]]></category>
		<category><![CDATA[distance]]></category>
		<category><![CDATA[distant offices]]></category>
		<category><![CDATA[division]]></category>
		<category><![CDATA[DSL]]></category>
		<category><![CDATA[duty]]></category>
		<category><![CDATA[ease]]></category>
		<category><![CDATA[effect]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[end]]></category>
		<category><![CDATA[equipment]]></category>
		<category><![CDATA[fiber]]></category>
		<category><![CDATA[global markets]]></category>
		<category><![CDATA[goal]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[integrated services digital]]></category>
		<category><![CDATA[integrated services digital network]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[intranets]]></category>
		<category><![CDATA[ISDN]]></category>
		<category><![CDATA[isdn integrated services digital]]></category>
		<category><![CDATA[Kbps]]></category>
		<category><![CDATA[Layer]]></category>
		<category><![CDATA[Leased]]></category>
		<category><![CDATA[level]]></category>
		<category><![CDATA[line]]></category>
		<category><![CDATA[logistics]]></category>
		<category><![CDATA[lot]]></category>
		<category><![CDATA[maintenance]]></category>
		<category><![CDATA[Mbps]]></category>
		<category><![CDATA[means]]></category>
		<category><![CDATA[migration]]></category>
		<category><![CDATA[modem]]></category>
		<category><![CDATA[NAS]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[network vpn]]></category>
		<category><![CDATA[Optical]]></category>
		<category><![CDATA[optical carrier 3]]></category>
		<category><![CDATA[organization]]></category>
		<category><![CDATA[payday]]></category>
		<category><![CDATA[performance]]></category>
		<category><![CDATA[popularity]]></category>
		<category><![CDATA[popularity of the internet]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Protocol]]></category>
		<category><![CDATA[real world connection]]></category>
		<category><![CDATA[reduction]]></category>
		<category><![CDATA[regional concerns]]></category>
		<category><![CDATA[relationship]]></category>
		<category><![CDATA[Reliability]]></category>
		<category><![CDATA[reliable communications]]></category>
		<category><![CDATA[Remote]]></category>
		<category><![CDATA[representative]]></category>
		<category><![CDATA[Router-initiated]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[site]]></category>
		<category><![CDATA[Subscriber]]></category>
		<category><![CDATA[system]]></category>
		<category><![CDATA[Telecommunication]]></category>
		<category><![CDATA[telecommunication infrastructure]]></category>
		<category><![CDATA[Telecommuter]]></category>
		<category><![CDATA[terminal]]></category>
		<category><![CDATA[thing]]></category>
		<category><![CDATA[tunnel]]></category>
		<category><![CDATA[Tunneling]]></category>
		<category><![CDATA[understanding]]></category>
		<category><![CDATA[use]]></category>
		<category><![CDATA[virtual private network]]></category>
		<category><![CDATA[VPN]]></category>
		<category><![CDATA[VPNs]]></category>
		<category><![CDATA[WAN]]></category>
		<category><![CDATA[way]]></category>
		<category><![CDATA[wide area network]]></category>
		<category><![CDATA[world]]></category>

		<guid isPermaLink="false">http://www.sciencetosecurity.org/?p=38</guid>
		<description><![CDATA[The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or around the world, and there is one thing that all of them need: [...]]]></description>
			<content:encoded><![CDATA[<p>The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or around the world, and there is one thing that all of them need: A way to maintain fast, secure and reliable communications wherever their offices are.<span id="more-38"></span></p>
<p>Until fairly recently, this has meant the use of leased lines to maintain a wide area network (WAN). Leased lines, ranging from ISDN (integrated services digital network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber, provided a company with a way to expand its private network beyond its immediate geographic area. A WAN had obvious advantages over a public network like the Internet when it came to reliability, performance and security. But maintaining a WAN, particularly when using leased lines, can become quite expensive and often rises in cost as the distance between the offices increases. </p>
<p>As the popularity of the Internet grew, businesses turned to it as a means of extending their own networks. First came intranets, which are password-protected sites designed for use only by company employees. Now, many companies are creating their own VPN (virtual private network) to accommodate the needs of remote employees and distant offices.</p>
<p>A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization&#8217;s network. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost.</p>
<p>Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses &#8220;virtual&#8221; connections routed through the Internet from the company&#8217;s private network to the remote site or employee. In this article, you will gain a fundamental understanding of VPNs, and learn about basic VPN components, technologies, tunneling and security.</p>
<p>A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a &#8220;tunnel&#8221; that cannot be &#8220;entered&#8221; by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses. </p>
<p>Access VPN allows users to access corporate resources whenever and wherever they are. Access VPNs, whose access lines include analog, ISDN, digital subscriber line (DSL), mobile IP and the various cable technologies, can be separated into three types, namely:<br />
1. Client-initiated,<br />
2. Remote Router-initiated,<br />
3. Network Access Server (NAS)-initiated.</p>
<p>The benefits of migrating to an Access VPN include lower costs for the company: it reduces the expenses associated with modem and terminal server equipment, and it uses local calls, thereby reducing the use of long-distance connections. In addition, an Access VPN offers a high level of scalability and makes it easy to reorganize the network when new users are added, so the company can better concentrate on its core business and reduce the burden of network maintenance. Telecommuters, sales divisions, representative or branch offices, and employees who are on duty off-site are the users of Access VPN.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sciencetosecurity.org/2010/06/virtual-private-network-vpn/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Surveillance Monitoring</title>
		<link>http://www.sciencetosecurity.org/2010/01/surveillance-monitoring/</link>
		<comments>http://www.sciencetosecurity.org/2010/01/surveillance-monitoring/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 03:24:09 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Computer Network]]></category>
		<category><![CDATA[anticipation]]></category>
		<category><![CDATA[base]]></category>
		<category><![CDATA[burglars]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[camera]]></category>
		<category><![CDATA[catch]]></category>
		<category><![CDATA[CCTV]]></category>
		<category><![CDATA[children computer]]></category>
		<category><![CDATA[company]]></category>
		<category><![CDATA[company time]]></category>
		<category><![CDATA[computer]]></category>
		<category><![CDATA[computer activities]]></category>
		<category><![CDATA[computer spy]]></category>
		<category><![CDATA[course]]></category>
		<category><![CDATA[divorce]]></category>
		<category><![CDATA[divorce litigation]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[environment]]></category>
		<category><![CDATA[fact]]></category>
		<category><![CDATA[front]]></category>
		<category><![CDATA[hidden camera]]></category>
		<category><![CDATA[idea]]></category>
		<category><![CDATA[jobs]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[monitoring tools]]></category>
		<category><![CDATA[nanny]]></category>
		<category><![CDATA[news]]></category>
		<category><![CDATA[online]]></category>
		<category><![CDATA[painting]]></category>
		<category><![CDATA[parents]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[situation]]></category>
		<category><![CDATA[someone]]></category>
		<category><![CDATA[spy]]></category>
		<category><![CDATA[spycam]]></category>
		<category><![CDATA[surveillance]]></category>
		<category><![CDATA[surveillance tools]]></category>
		<category><![CDATA[thief]]></category>
		<category><![CDATA[time]]></category>
		<category><![CDATA[unwanted situation]]></category>
		<category><![CDATA[webcam]]></category>
		<category><![CDATA[work]]></category>
		<category><![CDATA[work environment]]></category>

		<guid isPermaLink="false">http://www.sciencetosecurity.org/?p=75</guid>
		<description><![CDATA[You might have heard in the news lately that more people are helping catch burglars, thieves, etc. by setting up surveillance tools. Some tools are very simple to install, and of course the cheaper the price, the more people want one. Most importantly, they can be operated in a few seconds.
The tools themselves are not just [...]]]></description>
			<content:encoded><![CDATA[<p>You might have heard in the news lately that more people are helping catch burglars, thieves, etc. by setting up surveillance tools. Some tools are very simple to install, and of course the cheaper the price, the more people want one. Most importantly, they can be operated in a few seconds.</p>
<p>The tools themselves are not just CCTV or a webcam, but also a <a href="http://www.brickhousesecurity.com/pc-computer-spy.html" target="_blank">computer spy</a>.<span id="more-75"></span><br />
<br />
In a work environment, an ordinary spycam only shows you the situation in your environment, but have you ever wondered what exactly your employees do? Are they really doing their jobs in front of a computer, or do they just pretend to be busy?<br />
Would you be upset if someone were spying on your computer? Someone might copy your valuable data without confirming with you first, and you would have no idea what data had been copied.<br />
A <a href="http://www.brickhousesecurity.com/pc-computer-spy.html" target="_blank">computer spy</a> could help you to monitor their activities on the computer.<br />
<br />
For parents, a hidden camera placed behind a painting might be useful for monitoring your nanny&#8217;s activities, but to know what your children do on the computer, a <a href="http://www.brickhousesecurity.com/pc-computer-spy.html" target="_blank">computer spy</a> could help you prevent unwanted situations.<br />
<br />
Based on the facts that 15% of children admit to chatting with strangers online, 1/3 of divorce litigation is caused by online affairs, and 25% of company time is spent by employees goofing off,<br />
a <a href="http://www.brickhousesecurity.com/pc-computer-spy.html" target="_blank">computer spy</a>, as one of your surveillance monitoring tools besides an ordinary camera, provides anticipation and security for your business and the people you love.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sciencetosecurity.org/2010/01/surveillance-monitoring/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IP telephony</title>
		<link>http://www.sciencetosecurity.org/2009/12/ip-telephony/</link>
		<comments>http://www.sciencetosecurity.org/2009/12/ip-telephony/#comments</comments>
		<pubDate>Mon, 21 Dec 2009 13:43:46 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Computer Network]]></category>
		<category><![CDATA[Telecommunication]]></category>
		<category><![CDATA[ability]]></category>
		<category><![CDATA[Access]]></category>
		<category><![CDATA[advantage]]></category>
		<category><![CDATA[analog]]></category>
		<category><![CDATA[anything]]></category>
		<category><![CDATA[availability]]></category>
		<category><![CDATA[bandwidth]]></category>
		<category><![CDATA[basis]]></category>
		<category><![CDATA[Blackberries]]></category>
		<category><![CDATA[Bob Duncan]]></category>
		<category><![CDATA[cable]]></category>
		<category><![CDATA[cable tv companies]]></category>
		<category><![CDATA[cannot]]></category>
		<category><![CDATA[CDMA]]></category>
		<category><![CDATA[CEO]]></category>
		<category><![CDATA[challenge]]></category>
		<category><![CDATA[Chances]]></category>
		<category><![CDATA[Coast]]></category>
		<category><![CDATA[commander]]></category>
		<category><![CDATA[Commission]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[communication infrastructure]]></category>
		<category><![CDATA[Communications]]></category>
		<category><![CDATA[company]]></category>
		<category><![CDATA[computer telephony integration]]></category>
		<category><![CDATA[computer telephony integration cti]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[convergence]]></category>
		<category><![CDATA[CTI]]></category>
		<category><![CDATA[deploy]]></category>
		<category><![CDATA[disadvantage]]></category>
		<category><![CDATA[Disaster]]></category>
		<category><![CDATA[distance]]></category>
		<category><![CDATA[district]]></category>
		<category><![CDATA[driver]]></category>
		<category><![CDATA[e911 system]]></category>
		<category><![CDATA[effort]]></category>
		<category><![CDATA[emergency]]></category>
		<category><![CDATA[environment]]></category>
		<category><![CDATA[EVDO]]></category>
		<category><![CDATA[exchange voice]]></category>
		<category><![CDATA[expense]]></category>
		<category><![CDATA[fax]]></category>
		<category><![CDATA[FCC]]></category>
		<category><![CDATA[Federal]]></category>
		<category><![CDATA[federal communications commission]]></category>
		<category><![CDATA[flow]]></category>
		<category><![CDATA[frequency]]></category>
		<category><![CDATA[GlobalTel]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[group]]></category>
		<category><![CDATA[Guard]]></category>
		<category><![CDATA[Homeland]]></category>
		<category><![CDATA[idea]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[integration]]></category>
		<category><![CDATA[interface]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[internet protocol telephony]]></category>
		<category><![CDATA[internet service providers]]></category>
		<category><![CDATA[interoperability]]></category>
		<category><![CDATA[interoperate]]></category>
		<category><![CDATA[ip telephony service]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[Katrina]]></category>
		<category><![CDATA[Larry Reid]]></category>
		<category><![CDATA[list]]></category>
		<category><![CDATA[local telephone companies]]></category>
		<category><![CDATA[location]]></category>
		<category><![CDATA[long distance providers]]></category>
		<category><![CDATA[management]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[month]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[Networks]]></category>
		<category><![CDATA[Pair]]></category>
		<category><![CDATA[part]]></category>
		<category><![CDATA[PDAs]]></category>
		<category><![CDATA[phone]]></category>
		<category><![CDATA[phone connections]]></category>
		<category><![CDATA[president]]></category>
		<category><![CDATA[product]]></category>
		<category><![CDATA[program]]></category>
		<category><![CDATA[Protocol]]></category>
		<category><![CDATA[provider]]></category>
		<category><![CDATA[PSTN]]></category>
		<category><![CDATA[public switched telephone network]]></category>
		<category><![CDATA[radio]]></category>
		<category><![CDATA[Reid]]></category>
		<category><![CDATA[Relief]]></category>
		<category><![CDATA[Rivada]]></category>
		<category><![CDATA[SAFECOM]]></category>
		<category><![CDATA[scale disasters]]></category>
		<category><![CDATA[seamless communication]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[service]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[source]]></category>
		<category><![CDATA[stock]]></category>
		<category><![CDATA[support]]></category>
		<category><![CDATA[system]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[telephone]]></category>
		<category><![CDATA[telephony]]></category>
		<category><![CDATA[telephony internet]]></category>
		<category><![CDATA[telephony service providers]]></category>
		<category><![CDATA[telephony services]]></category>
		<category><![CDATA[television]]></category>
		<category><![CDATA[term]]></category>
		<category><![CDATA[term computer]]></category>
		<category><![CDATA[text]]></category>
		<category><![CDATA[travel]]></category>
		<category><![CDATA[Twisted]]></category>
		<category><![CDATA[UHF]]></category>
		<category><![CDATA[United States]]></category>
		<category><![CDATA[use]]></category>
		<category><![CDATA[user]]></category>
		<category><![CDATA[VHF]]></category>
		<category><![CDATA[vice]]></category>
		<category><![CDATA[video]]></category>
		<category><![CDATA[voice]]></category>
		<category><![CDATA[VoIP]]></category>
		<category><![CDATA[WAVE]]></category>
		<category><![CDATA[X-Stream]]></category>

		<guid isPermaLink="false">http://www.sciencetosecurity.org/?p=55</guid>
		<description><![CDATA[IP telephony (Internet Protocol telephony) is a general term for the technologies that use the Internet Protocol&#8217;s packet-switched connections to exchange voice, fax, and other forms of information that have traditionally been carried over the dedicated circuit-switched connections of the public switched telephone network (PSTN). Using the Internet, calls travel as packets of data on [...]]]></description>
			<content:encoded><![CDATA[<p>IP telephony (Internet Protocol telephony) is a general term for the technologies that use the Internet Protocol&#8217;s packet-switched connections to exchange voice, fax, and other forms of information that have traditionally been carried over the dedicated circuit-switched connections of the public switched telephone network (PSTN). Using the Internet, calls travel as packets of data on shared lines, avoiding the tolls of the PSTN. The challenge in IP telephony is to deliver the voice, fax, or video packets in a dependable flow to the user. Much of IP telephony focuses on that challenge.<span id="more-55"></span></p>
<p>IP telephony service providers include or soon will include local telephone companies, long distance providers such as AT&#038;T, cable TV companies, Internet service providers (ISPs), and fixed service wireless operators. IP telephony services also affect vendors of traditional handheld devices.</p>
<p>Currently, unlike traditional phone service, IP telephony service is relatively unregulated by government. In the United States, the Federal Communications Commission (FCC) regulates phone-to-phone connections, but says it does not plan to regulate connections between a phone user and an IP telephony service provider.</p>
<p>VoIP is an organized effort to standardize IP telephony. IP telephony is an important part of the convergence of computers, telephones, and television into a single integrated information environment. Also see another general term, computer-telephony integration (CTI), which describes technologies for using computers to manage telephone calls. </p>
<p>Though VoIP has been challenged to comply with the traditional e911 system, the same cannot be said for new systems designed to provide seamless communication for first responders and emergency services, even when communication infrastructure has been widely destroyed by monstrosities such as hurricanes.</p>
<p>Two new services, one for municipalities trying to unite disparate radio systems and another for communication in large-scale disasters, use VoIP as the unifying technology connecting the other elements of the system.</p>
<p>GlobalTel IP, a provider of group communications for mission-critical services, is planning to launch X-Stream Access, a managed service for emergency communication interoperability.</p>
<p>X-Stream Access is notable because it will include WAVE, the most widely deployed hosted group-communication software. This will enable smaller municipalities and counties to use the sophisticated features of the software service without having to deploy and maintain the complex software themselves.</p>
<p>WAVE enables many different emergency communication systems, such as radios (operating at many different frequencies, such as the UHF and VHF bands), traditional analog phone systems, IP phone systems, PCs, PDAs and industry-specific proprietary devices, to interoperate. Voice from each source is converted to VoIP, using small gateways placed at a strategic location for each system, and then connected under the control of WAVE.</p>
<p>&#8220;Doesn&#8217;t matter what frequency they are on. As long as they have one of our gateways, we can make them communicate with each other,&#8221; says Larry Reid, president &#038; CEO of GlobalTel IP. &#8220;Chances are that, if anything is not on our list, we could make it talk to all those other devices out there.&#8221;</p>
<p>WAVE, a product developed by Twisted Pair, includes other features important to emergency services such as high levels of security and access control with varying levels of permissions for access to the system, the ability to support thousands of user groups, support for push-to-talk communication among disparate devices and an intuitive management interface.</p>
<p>One driver for GlobalTel IP to offer WAVE on a hosted basis is the availability of grants from Homeland Security under a program called SAFECOM. Smaller organizations have been at a disadvantage in applying for these grants, which require interoperable communication, because of the expense of setting up interoperable systems. With X-Stream Access they can enable WAVE interoperability for as little as $1000 a month, says Reid.</p>
<p>Mobile to VoIP for Disaster Relief</p>
<p>Rivada Networks also brings together multiple communication technologies using VoIP, but the company focuses on using existing and widely deployed wireless technology, namely CDMA, for much of the communication during emergency situations.</p>
<p>Bob Duncan, senior vice president for government services with Rivada, was Coast Guard district commander during Katrina. He observed his junior officers using their personal Blackberries and other handhelds to communicate, not just with voice, but also with pictures and text messaging. &#8220;I thought, what a good idea! We can take advantage of what is there already.&#8221;</p>
<p>Rivada took stock of the available technologies and opted for CDMA because it provided enough bandwidth for voice and data, especially with EVDO, which soon will be part of the Rivada System. Rivada can use existing CDMA infrastructure or can provide portable CDMA transmitters if infrastructure has been damaged. The company has agreements with wireless operators to use their existing spectrum for emergency services.</p>
<p>&#8220;The real novelty is to tie everything together in a way that has not been done before,&#8221; says Duncan. &#8220;We are taking all the investment in cellular networks and putting it at the disposal of emergency providers.&#8221;</p>
<p>The VoIP backbone of the system is provided by Cisco, which links all the various wireless and wired technologies after they are converted to VoIP.</p>
<p>For radio interoperability Rivada deploys a unit by Raytheon, called the ACU-1000, that can bring in signals from multiple incompatible radio systems.</p>
<p>&#8220;We tie in all the LMR (land mobile radio) systems, all the walkie-talkies that are out there because you can&#8217;t leave those out. We had 76 different police units show up for Katrina, and only three had LMRs compatible with state police.&#8221;</p>
<p>Rivada&#8217;s portable units resemble a component home-entertainment system and can be mounted in a variety of environments, ranging from Humvees to FEMA trailers. After Katrina one unit was lifted by helicopter to the top of a large building in New Orleans to provide mobile communication. The portable units also include a satellite dish to establish communication where no landlines are available.</p>
<p>More and more, Duncan says, those in charge, such as state governors or even the president, want a real-time view of what&#8217;s going on. &#8220;I don&#8217;t have to know how CDMA works as long as I can do what I have to do and talk to the president, because they want to know what&#8217;s going on in the Ninth Ward or on the fire line.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sciencetosecurity.org/2009/12/ip-telephony/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Oracle Technology Network</title>
		<link>http://www.sciencetosecurity.org/2009/12/oracle-technology-network/</link>
		<comments>http://www.sciencetosecurity.org/2009/12/oracle-technology-network/#comments</comments>
		<pubDate>Mon, 21 Dec 2009 13:30:48 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Computer Network]]></category>
		<category><![CDATA[ADF]]></category>
		<category><![CDATA[application]]></category>
		<category><![CDATA[application software]]></category>
		<category><![CDATA[architecture]]></category>
		<category><![CDATA[building]]></category>
		<category><![CDATA[capabilities]]></category>
		<category><![CDATA[center]]></category>
		<category><![CDATA[chapter]]></category>
		<category><![CDATA[click]]></category>
		<category><![CDATA[component]]></category>
		<category><![CDATA[database]]></category>
		<category><![CDATA[database oracle]]></category>
		<category><![CDATA[development]]></category>
		<category><![CDATA[enterprise]]></category>
		<category><![CDATA[environment]]></category>
		<category><![CDATA[everything]]></category>
		<category><![CDATA[fact]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[functionality]]></category>
		<category><![CDATA[guide]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[integrated development environment]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[internet applications]]></category>
		<category><![CDATA[Java]]></category>
		<category><![CDATA[java framework]]></category>
		<category><![CDATA[java language]]></category>
		<category><![CDATA[Jdeveloper]]></category>
		<category><![CDATA[journey]]></category>
		<category><![CDATA[journey to the center]]></category>
		<category><![CDATA[Language]]></category>
		<category><![CDATA[level]]></category>
		<category><![CDATA[libraries]]></category>
		<category><![CDATA[manager]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[object oriented language]]></category>
		<category><![CDATA[online]]></category>
		<category><![CDATA[Oracle]]></category>
		<category><![CDATA[oracle enterprise manager]]></category>
		<category><![CDATA[oracle technology network]]></category>
		<category><![CDATA[organization]]></category>
		<category><![CDATA[pl sql]]></category>
		<category><![CDATA[plenty]]></category>
		<category><![CDATA[program]]></category>
		<category><![CDATA[resource]]></category>
		<category><![CDATA[role]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[sql]]></category>
		<category><![CDATA[Strut]]></category>
		<category><![CDATA[Struts]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[thes]]></category>
		<category><![CDATA[way]]></category>

		<guid isPermaLink="false">http://www.sciencetosecurity.org/?p=52</guid>
		<description><![CDATA[Oracle is one of the latest powerful database and application software products. In this chapter we discuss the Oracle Technology Network; here you will be able to explore everything that you want to know about it in a convenient and efficient way. This online guide will provide you complete information on oracle technology [...]]]></description>
			<content:encoded><![CDATA[<p>Oracle is one of the latest powerful <a href="http://www.singlehop.com/databasehosting/">database</a> and application software products. In this chapter we discuss the Oracle Technology Network; here you will be able to explore everything that you want to know about it in a convenient and efficient way. This online guide will provide you complete information on the Oracle Technology Network, Oracle technical network, Oracle new features, Oracle Enterprise Manager, Oracle PL/SQL and much more. Go ahead and explore the journey to the center of the Oracle Technology Network and database. <span id="more-52"></span></p>
<p>The Oracle Technology Network is a vast subject and there are various things associated with it. Therefore, if you are planning to use it to enhance the working capabilities of your organization, it is very important for you to know plenty of things about it. Some of those things are described below.</p>
<p>    * When it comes to the Oracle Technology Network, the Java language is the first of the few things that you should know about. Java is an object-oriented language. When you develop a program in the Java language, you will have to use various libraries and applications.<br />
    * JDeveloper comes next. It also plays a very important role in the effective functionality of the Oracle Technology Network. JDeveloper is an integrated development environment.<br />
    * Another important component is Struts. Struts is a Java framework and is very useful in building various Internet applications.<br />
    * J2EE is another important component of the Oracle Technology Network. It is in fact an architecture that describes the various standards for different applications. These standards are very useful in solving various enterprise-level problems.<br />
    * Oracle ADF also plays an important role in the Oracle Technology Network. It has been designed specifically to make building applications much easier. </p>
<p>There are plenty of other things as well that you may like to know about, such as Oracle new features, Oracle Enterprise Manager, Oracle PL/SQL and much more. The information about all these specific things is easily available with this online guide and resource. All you need to do is just click, and the specific information you are looking for will be at your fingertips.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sciencetosecurity.org/2009/12/oracle-technology-network/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DSL or cable, which one faster?</title>
		<link>http://www.sciencetosecurity.org/2009/12/dsl-or-cable-which-one-faster/</link>
		<comments>http://www.sciencetosecurity.org/2009/12/dsl-or-cable-which-one-faster/#comments</comments>
		<pubDate>Sat, 12 Dec 2009 12:30:53 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Computer Network]]></category>
		<category><![CDATA[Access]]></category>
		<category><![CDATA[ADSL]]></category>
		<category><![CDATA[advantage]]></category>
		<category><![CDATA[AOL]]></category>
		<category><![CDATA[bandwidth]]></category>
		<category><![CDATA[bit]]></category>
		<category><![CDATA[broadband]]></category>
		<category><![CDATA[Bulldog]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[business reasons]]></category>
		<category><![CDATA[cable]]></category>
		<category><![CDATA[cable modem internet]]></category>
		<category><![CDATA[cable modem services]]></category>
		<category><![CDATA[cable speeds]]></category>
		<category><![CDATA[cable technology]]></category>
		<category><![CDATA[cannot]]></category>
		<category><![CDATA[cap]]></category>
		<category><![CDATA[capacity]]></category>
		<category><![CDATA[choice]]></category>
		<category><![CDATA[clock]]></category>
		<category><![CDATA[Comparison]]></category>
		<category><![CDATA[congestion]]></category>
		<category><![CDATA[connection]]></category>
		<category><![CDATA[contract]]></category>
		<category><![CDATA[cost]]></category>
		<category><![CDATA[customer]]></category>
		<category><![CDATA[deal]]></category>
		<category><![CDATA[dialup]]></category>
		<category><![CDATA[difference]]></category>
		<category><![CDATA[distance]]></category>
		<category><![CDATA[distribution]]></category>
		<category><![CDATA[DSL]]></category>
		<category><![CDATA[dsl internet services]]></category>
		<category><![CDATA[dsl performance]]></category>
		<category><![CDATA[DSLAM]]></category>
		<category><![CDATA[example]]></category>
		<category><![CDATA[family]]></category>
		<category><![CDATA[fee]]></category>
		<category><![CDATA[flow]]></category>
		<category><![CDATA[following]]></category>
		<category><![CDATA[high speed internet]]></category>
		<category><![CDATA[high speed internet access]]></category>
		<category><![CDATA[home]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[internet service providers]]></category>
		<category><![CDATA[interruption]]></category>
		<category><![CDATA[invention]]></category>
		<category><![CDATA[ISP]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[issue]]></category>
		<category><![CDATA[Language]]></category>
		<category><![CDATA[limit]]></category>
		<category><![CDATA[line]]></category>
		<category><![CDATA[lot]]></category>
		<category><![CDATA[majority]]></category>
		<category><![CDATA[maximum]]></category>
		<category><![CDATA[Mbps]]></category>
		<category><![CDATA[Media]]></category>
		<category><![CDATA[minute]]></category>
		<category><![CDATA[modem]]></category>
		<category><![CDATA[money]]></category>
		<category><![CDATA[month]]></category>
		<category><![CDATA[neighborhood]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[number]]></category>
		<category><![CDATA[offer]]></category>
		<category><![CDATA[online]]></category>
		<category><![CDATA[option]]></category>
		<category><![CDATA[package]]></category>
		<category><![CDATA[pattern]]></category>
		<category><![CDATA[peak]]></category>
		<category><![CDATA[performance]]></category>
		<category><![CDATA[performance cable]]></category>
		<category><![CDATA[Pipex]]></category>
		<category><![CDATA[PlusNet]]></category>
		<category><![CDATA[practice]]></category>
		<category><![CDATA[promise]]></category>
		<category><![CDATA[provider]]></category>
		<category><![CDATA[Providers]]></category>
		<category><![CDATA[quality]]></category>
		<category><![CDATA[range]]></category>
		<category><![CDATA[raw speed]]></category>
		<category><![CDATA[reach]]></category>
		<category><![CDATA[Reliability]]></category>
		<category><![CDATA[reliable high speed]]></category>
		<category><![CDATA[reliable high speed internet]]></category>
		<category><![CDATA[rental]]></category>
		<category><![CDATA[SDSL]]></category>
		<category><![CDATA[sdsl services]]></category>
		<category><![CDATA[service]]></category>
		<category><![CDATA[setup]]></category>
		<category><![CDATA[size]]></category>
		<category><![CDATA[Sky]]></category>
		<category><![CDATA[sound]]></category>
		<category><![CDATA[speed]]></category>
		<category><![CDATA[speed advantage]]></category>
		<category><![CDATA[speed difference]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[theoretical peak performance]]></category>
		<category><![CDATA[today]]></category>
		<category><![CDATA[traffic]]></category>
		<category><![CDATA[traffic congestion]]></category>
		<category><![CDATA[type]]></category>
		<category><![CDATA[UK]]></category>
		<category><![CDATA[Unlimited]]></category>
		<category><![CDATA[use]]></category>
		<category><![CDATA[VDSL]]></category>
		<category><![CDATA[Virgin]]></category>
		<category><![CDATA[way]]></category>

		<guid isPermaLink="false">http://www.sciencetosecurity.org/?p=50</guid>
		<description><![CDATA[About ten years ago, the only way to connect to the Internet was a dial-up connection, which had lots of limitations. To begin with, dial-up was unreliable and slow, and it often tended to disconnect at the slightest interruption on the line. So, by today&#8217;s standards, dial-up would be disregarded by many users [...]]]></description>
			<content:encoded><![CDATA[<p>About ten years ago, the only way to connect to the Internet was a dial-up connection, which had lots of limitations. To begin with, dial-up was unreliable and slow, and it often tended to disconnect at the slightest interruption on the line. So, by today&#8217;s standards, dial-up would be disregarded by many users for the above-mentioned reasons.<br />
Soon, the invention of splitters and filters paved the way for broadband, the always &#8216;on&#8217; internet connection. In simple language, broadband refers to a wide range of technologies that offer reliable, high speed internet access.<span id="more-50"></span></p>
<p>Both DSL and cable speeds exceed those of competing Internet services. Is either DSL or cable faster than the other? More importantly, are you getting all of the performance you should from your Internet connection? Follow along as we explain the speed difference between DSL and cable and offer tips for maximizing your performance.</p>
<p>Cable modem Internet services on average promise higher levels of bandwidth than DSL Internet services, and this bandwidth roughly translates to raw speed. However, while cable Internet will theoretically run faster than DSL, several technical and business reasons can reduce or even eliminate this advantage.<br />
In terms of theoretical peak performance, cable modem runs faster than DSL. Cable technology supports approximately 30 Mbps of bandwidth, whereas most forms of DSL cannot reach 10 Mbps.<br />
One type of DSL technology, VDSL, can match cable&#8217;s performance, also supporting 30 Mbps. However, Internet service providers generally do not offer VDSL, but rather the cheaper and slower ADSL or SDSL services.</p>
<p><strong>Comparison</strong><br />
In practice, cable&#8217;s speed advantage over DSL is much less than the theoretical numbers suggest. Why?</p>
<p>    * Cable modem services can slow down significantly if many people in your neighborhood access the Internet simultaneously.<br />
    * Both cable modem and DSL performance vary from one minute to the next depending on the pattern of use and traffic congestion on the Internet.<br />
    * DSL and cable Internet providers often implement so-called &#8220;speed caps&#8221; that limit the bandwidth of their services.<br />
    * Some home networks cannot match the speed of the Internet connection, lowering your performance.</p>
<p><strong>Speed</strong>: Virgin Media claims its cable broadband is three times faster than its ADSL counterparts. It has upgraded its L size broadband to 4 Mbps and its XL size package to 20 Mbps. With ADSL and its newer versions like ADSL2 and ADSL2+, there is an increasing range of choice. Be, the ADSL2+ provider, offers packages like Be Unlimited and Be Pro, which can clock maximum speeds of 24 Mbps. There are other ISPs like UK Online, Bulldog and Sky that offer high speed packages. With ADSL2+ and its previous versions, the actual speeds you get depend upon the distance between your home and the DSLAM and the service quality offered by your ISP. While distance may not be an issue with cable, the number of people sharing the cable network can impact the speed and the quality of service.</p>
<p><strong>Monthly cost</strong>: If you want to go for a stand-alone broadband deal, definitely ADSL is the cheaper option. With monthly cost as low as 9.99 from Pipex or PlusNet and freebies like modem, free setup that come with your 12 month contract, these offers sound more attractive than any Virgin Media deal. You can also find some of the cheapest wireless broadband deals with ADSL providers like AOL or PlusNet or BT.</p>
<p>Cable broadband is the best option if you consider bundling your broadband with other services like digital TV or mobile service. Virgin Media offers a wide range of broadband bundles that are cost-effective and can save a lot of money for a family.</p>
<p>Initial costs such as the modem and connection fee are common to both; however, a cable connection may cost a bit more initially. With ADSL, the line rental can make your monthly cost a bit more expensive.</p>
<p><strong>Reliability</strong><br />
Both cable and DSL service providers commonly employ bandwidth / speed caps for residential customers. Bandwidth caps place an artificial limit on the maximum speed a customer can achieve by monitoring their individual traffic flow and throttling network packets if necessary. Bandwidth caps can reduce a 30 Mbps service down to 3 Mbps or even lower.</p>
<p>Service providers may have several motivations for imposing speed caps including the following:<br />
      1. Providers concerned about the capacity limits of their network may implement a cap so that they can accommodate more customers.<br />
      2. Providers may believe that the vast majority of customers do not actually need any more bandwidth than that allowed under the cap.<br />
      3. Providers may want to create a fair-and-equal distribution of bandwidth among customers. Without a cap, for example, some DSL subscribers would enjoy much higher bandwidth levels than others in the same neighborhood.<br />
      4. Providers may want to charge higher or lower rates for greater or lesser bandwidth levels.</p>
<p>With ADSL, the connection quality depends upon the distance from the exchange or DSLAM. So, you may experience slower connection or even complete disconnection at times.</p>
<p>Cable broadband is capable of offering better speeds than normal ADSL connection. However, at times, the speeds of cable can be altered by the number of people sharing the cable network. If you live in an area where more cable users share the network, there are chances that you will get poor connection quality. However, you can contact your ISP to resolve this issue.</p>
<p>Both DSL and Cable can provide better speeds and service but tend to degrade after a certain distance, just like DSL.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sciencetosecurity.org/2009/12/dsl-or-cable-which-one-faster/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Secure Network Environment</title>
		<link>http://www.sciencetosecurity.org/2009/12/secure-network-environment/</link>
		<comments>http://www.sciencetosecurity.org/2009/12/secure-network-environment/#comments</comments>
		<pubDate>Sun, 06 Dec 2009 17:08:26 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Computer Network]]></category>
		<category><![CDATA[ability]]></category>
		<category><![CDATA[accident]]></category>
		<category><![CDATA[ActiveX]]></category>
		<category><![CDATA[activity]]></category>
		<category><![CDATA[afterthought]]></category>
		<category><![CDATA[animation]]></category>
		<category><![CDATA[applet]]></category>
		<category><![CDATA[approach]]></category>
		<category><![CDATA[area]]></category>
		<category><![CDATA[arpa research]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[attention]]></category>
		<category><![CDATA[audio]]></category>
		<category><![CDATA[authentication protocols]]></category>
		<category><![CDATA[automate]]></category>
		<category><![CDATA[behavior]]></category>
		<category><![CDATA[cannot]]></category>
		<category><![CDATA[capacity]]></category>
		<category><![CDATA[category]]></category>
		<category><![CDATA[code]]></category>
		<category><![CDATA[collection]]></category>
		<category><![CDATA[complexity]]></category>
		<category><![CDATA[computer]]></category>
		<category><![CDATA[concept]]></category>
		<category><![CDATA[concern]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[content]]></category>
		<category><![CDATA[critical internet]]></category>
		<category><![CDATA[cryptographic algorithms]]></category>
		<category><![CDATA[cryptographic authentication]]></category>
		<category><![CDATA[cryptographic checksums]]></category>
		<category><![CDATA[dependability]]></category>
		<category><![CDATA[design]]></category>
		<category><![CDATA[Detection]]></category>
		<category><![CDATA[difficulty]]></category>
		<category><![CDATA[distribution]]></category>
		<category><![CDATA[download]]></category>
		<category><![CDATA[Downloading]]></category>
		<category><![CDATA[education network]]></category>
		<category><![CDATA[Engineering]]></category>
		<category><![CDATA[exchange]]></category>
		<category><![CDATA[Executable]]></category>
		<category><![CDATA[exhibit]]></category>
		<category><![CDATA[exponential growth]]></category>
		<category><![CDATA[fault]]></category>
		<category><![CDATA[file]]></category>
		<category><![CDATA[fingerprint readers]]></category>
		<category><![CDATA[flaw]]></category>
		<category><![CDATA[goal]]></category>
		<category><![CDATA[host]]></category>
		<category><![CDATA[infancy]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[inoculation]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[internet engineering task force]]></category>
		<category><![CDATA[internet protocol version]]></category>
		<category><![CDATA[internet protocol version 6]]></category>
		<category><![CDATA[internetworking protocols]]></category>
		<category><![CDATA[intruder]]></category>
		<category><![CDATA[Intrusion]]></category>
		<category><![CDATA[ipng]]></category>
		<category><![CDATA[Java]]></category>
		<category><![CDATA[jazz]]></category>
		<category><![CDATA[knowledge]]></category>
		<category><![CDATA[Languages]]></category>
		<category><![CDATA[machine]]></category>
		<category><![CDATA[manner]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[network protocols]]></category>
		<category><![CDATA[next generation internet]]></category>
		<category><![CDATA[part]]></category>
		<category><![CDATA[pattern]]></category>
		<category><![CDATA[performance]]></category>
		<category><![CDATA[period]]></category>
		<category><![CDATA[personal roles]]></category>
		<category><![CDATA[practice]]></category>
		<category><![CDATA[presence]]></category>
		<category><![CDATA[problem]]></category>
		<category><![CDATA[production]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[progress]]></category>
		<category><![CDATA[Promising]]></category>
		<category><![CDATA[protection]]></category>
		<category><![CDATA[protocol design]]></category>
		<category><![CDATA[recognition]]></category>
		<category><![CDATA[Related]]></category>
		<category><![CDATA[Reliability]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[response]]></category>
		<category><![CDATA[retina scans]]></category>
		<category><![CDATA[sample]]></category>
		<category><![CDATA[science]]></category>
		<category><![CDATA[Scripting]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sense]]></category>
		<category><![CDATA[site]]></category>
		<category><![CDATA[size]]></category>
		<category><![CDATA[smart cards]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[source]]></category>
		<category><![CDATA[specification]]></category>
		<category><![CDATA[spite]]></category>
		<category><![CDATA[strategy]]></category>
		<category><![CDATA[success]]></category>
		<category><![CDATA[Survivability]]></category>
		<category><![CDATA[system]]></category>
		<category><![CDATA[term]]></category>
		<category><![CDATA[testing]]></category>
		<category><![CDATA[time]]></category>
		<category><![CDATA[tolerance]]></category>
		<category><![CDATA[traceability]]></category>
		<category><![CDATA[tune]]></category>
		<category><![CDATA[underway]]></category>
		<category><![CDATA[user]]></category>
		<category><![CDATA[variability]]></category>
		<category><![CDATA[variety]]></category>
		<category><![CDATA[verification]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[Web-related]]></category>

		<guid isPermaLink="false">http://www.sciencetosecurity.org/?p=35</guid>
		<description><![CDATA[Internetworking Protocols
Most of the network protocols currently in use have changed little since the early definitions of the ARPA research and education network when trust was the norm. To have a secure foundation for the critical Internet applications of the future, severe weaknesses must be addressed: lack of encryption to preserve privacy, lack of cryptographic [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Internetworking Protocols</strong><br />
Most of the network protocols currently in use have changed little since the early definitions of the ARPA research and education network when trust was the norm. To have a secure foundation for the critical Internet applications of the future, severe weaknesses must be addressed: lack of encryption to preserve privacy, lack of cryptographic authentication to identify the source of information, and lack of cryptographic checksums to preserve the integrity of data (and the integrity of the packet routing information itself). New internetworking protocols are under development which use cryptography to authenticate the originator of a packet and to protect the integrity and confidentiality of data.<span id="more-35"></span><br />
The IETF (Internet Engineering Task Force) Proposed Standard for the Next Generation Internet Protocol (IPng) is being designed to cope with the vastly increased addressing and routing needs associated with the exponential growth of the Internet. IPng provides integral support for authenticating hosts and protecting the integrity and confidentiality of data.<br />
The first release of IPng is officially termed IPv6 (Internet Protocol version 6). Since it is impractical to replace the existing protocol instantly and simultaneously throughout the Internet, IPv6 is designed to coexist with the current version of IP, allowing for a gradual transition over the course of years. Implementations of IPv6 for many routers and host operating systems are underway.<br />
In the future, authentication protocols will increasingly be supported by technology that authenticates individuals (in the context of their organizational or personal roles) through the use of smart cards, fingerprint readers, voice recognition, retina scans, and so forth.<br />
Protocol design, analysis, and implementation will be the subject of continued research. A primary goal is 100% verifiably secure protocols (that is, protocols as provably secure as the cryptographic algorithms supporting them), but researchers are nowhere near attaining this goal.</p>
<p><strong>Intrusion Detection</strong><br />
Research is underway to improve the ability of networked systems and their managers to determine that they are, or have been, under attack. Intrusion detection is recognized as a problematic area of research that is still in its infancy. There are two major areas of research in intrusion detection: anomaly detection and pattern recognition.<br />
Research in anomaly detection is based on determining patterns of &#8220;normal&#8221; behavior for networks, hosts, and users and then detecting behavior that is significantly different (anomalous). Patterns of normal behavior are frequently determined through data collection over a period of time sufficient to obtain a good sample of the typical behavior of authorized users and processes. The basic difficulty facing researchers is that normal behavior is highly variable based on a wide variety of innocuous factors. Many of the activities of intruders are indistinguishable from the benign actions of an authorized user.<br />
The second major area of intrusion detection research is pattern recognition. The goal here is to detect patterns of network, host, and user activity that match known intruder attack scenarios. One problem with this approach is the variability that is possible within a single overall attack strategy. A second problem is that new attacks, with new attack patterns, cannot be detected by this approach.<br />
Finally, to support the needs of the future Internet, intrusion detection tools and techniques that can identify coordinated distributed attacks are critically needed, as are better protocols to support traceability.</p>
<p><strong>Software Engineering and System Survivability</strong><br />
Current software engineering methods and practice have had only limited success in managing the intellectual complexity of designing and implementing software. Moreover, in the design of software systems, security concerns are typically an afterthought (addressed through add-ons and software patches) rather than being an integral part of the overall design. This means that software systems of any significant size and complexity are likely to have exploitable security flaws. Because managing the intellectual complexity of software is difficult, up-front security design in products is rare, and detailed knowledge about systems is widespread, systems will be breached in spite of our best efforts to make them invulnerable. Therefore, the concept of information systems security must encompass the specification of systems that exhibit behaviors that contribute to survivability in spite of intrusions. Only then can systems be developed that are robust in the presence of attack and are able to survive attacks that cannot be completely repelled.<br />
System survivability is the capacity of a system to continue performing critical functions in a timely manner even if significant portions of the system are incapacitated by attack or accident. We use the term system in the broadest possible sense, which includes networks and large-scale &#8220;systems of systems&#8221;.<br />
Although the concepts and practices associated with system survivability are embryonic, they include (but are not limited to) traditional areas of software engineering and computer science such as reliability, testing, dependability, fault tolerance, verification of correctness, performance, and information system security. Promising research in survivability encompasses a wide variety of research methods in software engineering. Inoculation tools may be developed that will automate the distribution of security fixes, throughout an entire network infrastructure, to provide comprehensive protection from a newly discovered security flaw. The concept of inoculation may be further generalized to encompass adaptive networks, which consist of distributed cooperative network elements that exchange information on security problems and actively change and adjust in response to security threats.</p>
<p><strong>Web-Related Programming and Scripting Languages</strong><br />
Downloading interesting, informative, or entertaining &#8220;content&#8221; from a remote site to a user&#8217;s local machine is central to the activity of Web browsing (or &#8220;net surfing&#8221;). The content getting the most attention from Web users and the greatest concern from security experts is executable content, code to be executed on the local machine on download. This executable content may provide live audio of a conference in progress, a jazz tune, three-dimensional (3-D) animation effects, or hostile code that destroys the local file system. Executable code is authored using one or more Web-related programming or scripting languages designed specifically for the production of platform-independent executable content. Languages in this category include JAVA and ActiveX. Executable content is called an &#8220;applet&#8221; in JAVA and a &#8220;control panel&#8221; in ActiveX.<br />
Web-related programming languages pose new security challenges and concerns because code is downloaded, installed, and run on a user&#8217;s machine without a review of source code (the recommended practice for secure use of publicly available software). These activities can be triggered by following any hypertext link or opening any page while browsing. A user may not even be aware that code has been downloaded and executed. Some Web-related programming languages, most notably JAVA, have built-in security features, but security experts are concerned about the adequacy of these features.<br />
As executable content makes Web browsing even more alluring, further research in software engineering and greater user awareness will be necessary to counter security risks. Presently, the security of executable content depends upon the correctness of multiple vendors&#8217; implementations, the inherent security of platform-independent &#8220;virtual machines,&#8221; and the safety of the source code that is executed. In the foreseeable future, users need to be educated about the risks so they can make informed choices about where to place their trust.</p>
<p><strong>Intelligent Autonomous Agents &#8211; A New Computing Paradigm</strong><br />
The future Internet environment is likely to be increasingly dependent on an agent-based model of computing, with significant implications for Internet security. Agents are executable software objects with executions that are not tied to any specific host or computing resource or to any geographical or logical network location. Agents perform computation and communication defined by a user, but the execution platforms are typically outside the user&#8217;s administrative control (and outside the administrative control of the user&#8217;s organization). The conceptual model of agent operation is one in which an intelligent agent, at the request of a user, goes to one or more remote hosts to perform a computation or gather information and then returns to the user with the result. An agent&#8217;s mode of operation may range from partially to fully autonomous, and the degree to which an agent is autonomous may vary throughout the life of that agent.<br />
A future agent-based computing environment may include features such as these:<br />
    * Agents share information and cooperate to complete the user&#8217;s task.<br />
    * Agents protect themselves with intrinsic security mechanisms but also depend on some measure of extrinsic security provided by the infrastructure and cooperating agents.<br />
    * Since most of an agent&#8217;s activity takes place outside the user&#8217;s domain of administrative control (and hence outside any firewall designed to protect the user), the traditional firewall has little to contribute to security.<br />
    * Replication and agent diversity provide increased survivability while under attack and under conditions of degraded or uncertain infrastructure support.<br />
    * Agents communicate to enhance the detection of threats. Specialized sensor agents are specifically designed to detect particular types of threats, and groups of diverse sensor agents provide the entire agent &#8220;collective&#8221; with a comprehensive profile of current threats.<br />
    * The agent-supported infrastructure protects itself and takes defensive action without user intervention.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sciencetosecurity.org/2009/12/secure-network-environment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internet Vulnerabilities</title>
		<link>http://www.sciencetosecurity.org/2009/12/internet-vulnerabilities/</link>
		<comments>http://www.sciencetosecurity.org/2009/12/internet-vulnerabilities/#comments</comments>
		<pubDate>Sun, 06 Dec 2009 16:59:04 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Computer Network]]></category>
		<category><![CDATA[amount]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[attacker]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[availability]]></category>
		<category><![CDATA[Commercial]]></category>
		<category><![CDATA[community]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[configuration]]></category>
		<category><![CDATA[connection]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[criterion]]></category>
		<category><![CDATA[customer]]></category>
		<category><![CDATA[defense]]></category>
		<category><![CDATA[demand]]></category>
		<category><![CDATA[deployment]]></category>
		<category><![CDATA[description]]></category>
		<category><![CDATA[design]]></category>
		<category><![CDATA[developing new tools]]></category>
		<category><![CDATA[dynamic environment]]></category>
		<category><![CDATA[ease]]></category>
		<category><![CDATA[emerging technology]]></category>
		<category><![CDATA[environment]]></category>
		<category><![CDATA[example]]></category>
		<category><![CDATA[exploitation]]></category>
		<category><![CDATA[fact]]></category>
		<category><![CDATA[factor]]></category>
		<category><![CDATA[faulty implementation]]></category>
		<category><![CDATA[file]]></category>
		<category><![CDATA[financial applications]]></category>
		<category><![CDATA[flaw]]></category>
		<category><![CDATA[form]]></category>
		<category><![CDATA[gain]]></category>
		<category><![CDATA[gain privileges]]></category>
		<category><![CDATA[growth]]></category>
		<category><![CDATA[implementation]]></category>
		<category><![CDATA[Implemented]]></category>
		<category><![CDATA[incident]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[infrastructure network]]></category>
		<category><![CDATA[installation]]></category>
		<category><![CDATA[integrity]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[internet attacks]]></category>
		<category><![CDATA[internet infrastructure]]></category>
		<category><![CDATA[intruder]]></category>
		<category><![CDATA[Intruders]]></category>
		<category><![CDATA[Intrusion]]></category>
		<category><![CDATA[lack]]></category>
		<category><![CDATA[location]]></category>
		<category><![CDATA[maintenance]]></category>
		<category><![CDATA[manner]]></category>
		<category><![CDATA[matter]]></category>
		<category><![CDATA[mind]]></category>
		<category><![CDATA[need]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[network protocols]]></category>
		<category><![CDATA[NFS]]></category>
		<category><![CDATA[nonrepudiation]]></category>
		<category><![CDATA[opening]]></category>
		<category><![CDATA[openness]]></category>
		<category><![CDATA[operating]]></category>
		<category><![CDATA[opportunity]]></category>
		<category><![CDATA[original design]]></category>
		<category><![CDATA[packet]]></category>
		<category><![CDATA[part]]></category>
		<category><![CDATA[performance]]></category>
		<category><![CDATA[person]]></category>
		<category><![CDATA[perspective]]></category>
		<category><![CDATA[price]]></category>
		<category><![CDATA[problem]]></category>
		<category><![CDATA[Protocol]]></category>
		<category><![CDATA[Protocols]]></category>
		<category><![CDATA[provision]]></category>
		<category><![CDATA[purchase]]></category>
		<category><![CDATA[result]]></category>
		<category><![CDATA[rush]]></category>
		<category><![CDATA[Section]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security incident]]></category>
		<category><![CDATA[service]]></category>
		<category><![CDATA[site]]></category>
		<category><![CDATA[situation]]></category>
		<category><![CDATA[sniffer]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[something]]></category>
		<category><![CDATA[supply]]></category>
		<category><![CDATA[support]]></category>
		<category><![CDATA[system]]></category>
		<category><![CDATA[target]]></category>
		<category><![CDATA[taxonomy]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[topology]]></category>
		<category><![CDATA[traffic]]></category>
		<category><![CDATA[trust]]></category>
		<category><![CDATA[type]]></category>
		<category><![CDATA[Types]]></category>
		<category><![CDATA[use]]></category>
		<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Vulnerable]]></category>
		<category><![CDATA[way]]></category>
		<category><![CDATA[weakness]]></category>
		<category><![CDATA[Weaknesses]]></category>
		<category><![CDATA[world]]></category>

		<guid isPermaLink="false">http://www.sciencetosecurity.org/?p=28</guid>
		<description><![CDATA[A vulnerability is a weakness that a person can exploit to accomplish something that is not authorized or intended as legitimate use of a network or system. When a vulnerability is exploited to compromise the security of systems or information on those systems, the result is a security incident. Vulnerabilities may be caused by engineering [...]]]></description>
			<content:encoded><![CDATA[<p>A vulnerability is a weakness that a person can exploit to accomplish something that is not authorized or intended as legitimate use of a network or system. When a vulnerability is exploited to compromise the security of systems or information on those systems, the result is a security incident. Vulnerabilities may be caused by engineering or design errors, or faulty implementation.<span id="more-28"></span></p>
<p><strong>Why the Internet Is Vulnerable</strong><br />
Many early network protocols that now form part of the Internet infrastructure were designed without security in mind. Without a fundamentally secure infrastructure, network defense becomes more difficult. Furthermore, the Internet is an extremely dynamic environment, in terms of both topology and emerging technology.<br />
Because of the inherent openness of the Internet and the original design of the protocols, Internet attacks in general are quick, easy, inexpensive, and may be hard to detect or trace. An attacker does not have to be physically present to carry out the attack. In fact, many attacks can be launched readily from anywhere in the world &#8211; and the location of the attacker can easily be hidden. Nor is it always necessary to &#8220;break in&#8221; to a site (gain privileges on it) to compromise confidentiality, integrity, or availability of its information or service.<br />
Even so, many sites place unwarranted trust in the Internet. It is common for sites to be unaware of the risks or unconcerned about the amount of trust they place in the Internet. They may not be aware of what can happen to their information and systems. They may believe that their site will not be a target or that precautions they have taken are sufficient. Because the technology is constantly changing and intruders are constantly developing new tools and techniques, solutions do not remain effective indefinitely.<br />
Since much of the traffic on the Internet is not encrypted, confidentiality and integrity are difficult to achieve. This situation undermines not only applications (such as financial applications that are network-based) but also more fundamental mechanisms such as authentication and nonrepudiation (see the section on basic security concepts for definitions). As a result, sites may be affected by a security compromise at another site over which they have no control. An example of this is a packet sniffer that is installed at one site but allows the intruder to gather information about other domains (possibly in other countries).<br />
Another factor that contributes to the vulnerability of the Internet is the rapid growth and use of the network, accompanied by rapid deployment of network services involving complex applications. Often, these services are not designed, configured, or maintained securely. In the rush to get new products to market, developers do not adequately ensure that they do not repeat previous mistakes or introduce new vulnerabilities.<br />
Compounding the problem, operating system security is rarely a purchase criterion. Commercial operating system vendors often report that sales are driven by customer demand for performance, price, ease of use, maintenance, and support. As a result, off-the-shelf operating systems are shipped in an easy-to-use but insecure configuration that allows sites to use the system soon after installation. These hosts/sites are often not fully configured from a security perspective before connecting. This lack of secure configuration makes them vulnerable to attacks, which sometimes occur within minutes of connection.<br />
Finally, the explosive growth of the Internet has expanded the need for well-trained and experienced people to engineer and manage the network in a secure manner. Because the need for network security experts far exceeds the supply, inexperienced people are called upon to secure systems, opening windows of opportunity for the intruder community.</p>
<p><strong>Types of Technical Vulnerabilities</strong><br />
The following taxonomy is useful in understanding the technical causes behind successful intrusion techniques, and helps experts identify general solutions for addressing each type of problem.</p>
<p><strong>Flaws in Software or Protocol Designs </strong><br />
Protocols define the rules and conventions for computers to communicate on a network. If a protocol has a fundamental design flaw, it is vulnerable to exploitation no matter how well it is implemented. An example of this is the Network File System (NFS), which allows systems to share files. This protocol does not include a provision for authentication; that is, there is no way of verifying that a person logging in really is who he or she claims to be. NFS servers are targets for the intruder community.<br />
When software is designed or specified, often security is left out of the initial description and is later &#8220;added on&#8221; to the system. Because the additional components were not part of the original design, the software may not behave as planned and unexpected vulnerabilities may be present.</p>
<p><strong>Weaknesses in How Protocols and Software Are Implemented</strong><br />
Even when a protocol is well designed, it can be vulnerable because of the way it is implemented. For example, a protocol for electronic mail may be implemented in a way that permits intruders to connect to the mail port of the victim&#8217;s machine and fool the machine into performing a task not intended by the service. If intruders supply certain data for the &#8220;To:&#8221; field instead of a correct E-mail address, they may be able to fool the machine into sending them user and password information or granting them access to the victim&#8217;s machine with privileges to read protected files or run programs on the system. This type of vulnerability enables intruders to attack the victim&#8217;s machine from remote sites without access to an account on the victim&#8217;s system. This type of attack often is just a first step, leading to the exploitation of flaws in system or application software.<br />
Software may be vulnerable because of flaws that were not identified before the software was released. This type of vulnerability has a wide range of subclasses, which intruders often exploit using their own attack tools. For readers who are familiar with software design, the following examples of subclasses are included:<br />
race conditions in file access<br />
non-existent checking of data content and size<br />
non-existent checking for success or failure<br />
inability to adapt to resource exhaustion<br />
incomplete checking of operating environment<br />
inappropriate use of system calls<br />
re-use of software modules for purposes other than their intended ones<br />
By exploiting program weaknesses, intruders at a remote site can gain access to a victim&#8217;s system. Even if they have access to a nonprivileged user account on the victim&#8217;s system, they can often gain additional, unauthorized privileges.</p>
<p><strong>Weaknesses in System and Network Configurations</strong><br />
Vulnerabilities in the category of system and network configurations are not caused by problems inherent in protocols or software programs. Rather, the vulnerabilities are a result of the way these components are set up and used. Products may be delivered with default settings that intruders can exploit. System administrators and users may neglect to change the default settings, or they may simply set up their system to operate in a way that leaves the network vulnerable.<br />
An example of a faulty configuration that has been exploited is anonymous File Transfer Protocol (FTP) service. Secure configuration guidelines for this service stress the need to ensure that the password file, archive tree, and ancillary software are separate from the rest of the operating system, and that the operating system cannot be reached from this staging area. When sites misconfigure their anonymous FTP archives, unauthorized users can get authentication information and use it to compromise the system.</p>
<p><strong>Improving Security</strong><br />
In the face of the vulnerabilities and incident trends discussed above, a robust defense requires a flexible strategy that allows adaptation to the changing environment, well-defined policies and procedures, the use of robust tools, and constant vigilance.<br />
It is helpful to begin a security improvement program by determining the current state of security at the site. Methods for making this determination in a reliable way are becoming available. Integral to a security program are documented policies and procedures, and technology that supports their implementation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sciencetosecurity.org/2009/12/internet-vulnerabilities/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Security Intruders</title>
		<link>http://www.sciencetosecurity.org/2009/12/network-security-intruders/</link>
		<comments>http://www.sciencetosecurity.org/2009/12/network-security-intruders/#comments</comments>
		<pubDate>Sun, 06 Dec 2009 16:55:52 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Computer Network]]></category>
		<category><![CDATA[ability]]></category>
		<category><![CDATA[absence]]></category>
		<category><![CDATA[Access]]></category>
		<category><![CDATA[activity]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[behavior]]></category>
		<category><![CDATA[catalog]]></category>
		<category><![CDATA[center]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[cloak]]></category>
		<category><![CDATA[code]]></category>
		<category><![CDATA[community]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[computer]]></category>
		<category><![CDATA[computer intrusions]]></category>
		<category><![CDATA[computer operating systems]]></category>
		<category><![CDATA[computing]]></category>
		<category><![CDATA[Coordination]]></category>
		<category><![CDATA[desire]]></category>
		<category><![CDATA[DOS]]></category>
		<category><![CDATA[effort]]></category>
		<category><![CDATA[encrypt]]></category>
		<category><![CDATA[example]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[exploitation]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[increase]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[internet infrastructure]]></category>
		<category><![CDATA[internet programs]]></category>
		<category><![CDATA[intruder]]></category>
		<category><![CDATA[Intruders]]></category>
		<category><![CDATA[Intrusion]]></category>
		<category><![CDATA[key software]]></category>
		<category><![CDATA[knowledge]]></category>
		<category><![CDATA[location]]></category>
		<category><![CDATA[logging programs]]></category>
		<category><![CDATA[mail]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[network administrators]]></category>
		<category><![CDATA[network infrastructure]]></category>
		<category><![CDATA[network routers]]></category>
		<category><![CDATA[network topology]]></category>
		<category><![CDATA[operating]]></category>
		<category><![CDATA[output]]></category>
		<category><![CDATA[packet]]></category>
		<category><![CDATA[perspective]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[program]]></category>
		<category><![CDATA[Programs]]></category>
		<category><![CDATA[proprietary source code]]></category>
		<category><![CDATA[quarter]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[research purposes]]></category>
		<category><![CDATA[root]]></category>
		<category><![CDATA[Section]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[share]]></category>
		<category><![CDATA[skill]]></category>
		<category><![CDATA[sniffer]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[software utilities]]></category>
		<category><![CDATA[sophisticated techniques]]></category>
		<category><![CDATA[sophistication]]></category>
		<category><![CDATA[source]]></category>
		<category><![CDATA[spoof]]></category>
		<category><![CDATA[system]]></category>
		<category><![CDATA[system logs]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[technical knowledge]]></category>
		<category><![CDATA[Techniques]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[thought]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[topology]]></category>
		<category><![CDATA[trade]]></category>
		<category><![CDATA[Trojan]]></category>
		<category><![CDATA[trojan horses]]></category>
		<category><![CDATA[trust]]></category>
		<category><![CDATA[understanding]]></category>
		<category><![CDATA[UNIX]]></category>
		<category><![CDATA[use]]></category>
		<category><![CDATA[victim]]></category>
		<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[way]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[whole]]></category>
		<category><![CDATA[Wide]]></category>
		<category><![CDATA[work]]></category>
		<category><![CDATA[world]]></category>

		<guid isPermaLink="false">http://www.sciencetosecurity.org/?p=26</guid>
		<description><![CDATA[Intruders&#8217; Technical Knowledge
Intruders are demonstrating increased understanding of network topology, operations, and protocols, resulting in the infrastructure attacks described in the previous section on Internet infrastructure attacks.
Instead of simply exploiting well-known vulnerabilities, intruders examine source code to discover weaknesses in certain programs, such as those used for electronic mail. Much source code is easy to [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Intruders&#8217; Technical Knowledge</strong><br />
Intruders are demonstrating increased understanding of network topology, operations, and protocols, resulting in the infrastructure attacks described in the previous section on Internet infrastructure attacks.<br />
Instead of simply exploiting well-known vulnerabilities, intruders examine source code to discover weaknesses in certain programs, such as those used for electronic mail. Much source code is easy to obtain from programmers who make their work freely available on the Internet. <span id="more-26"></span>Programs written for research purposes (with little thought for security) or written by naive programmers become widely used, with source code available to all. Moreover, the targets of many computer intrusions are organizations that maintain copies of proprietary source code (often the source code to computer operating systems or key software utilities). Once intruders gain access, they can examine this code to discover weaknesses.<br />
Intruders keep up with new technology. For example, intruders now exploit vulnerabilities associated with the World Wide Web to gain unauthorized access to systems.<br />
Other aspects of the new sophistication of intruders include the targeting of the network infrastructure (such as network routers and firewalls) and the ability to cloak their behavior. Intruders use Trojan horses to hide their activity from network administrators; for example, intruders alter authentication and logging programs so that they can log in without the activity showing up in the system logs. Intruders also encrypt output from their activity, such as the information captured by packet sniffers. Even if the victim finds the sniffer logs, it is difficult or impossible to determine what information was compromised.</p>
<p><strong>Techniques to Exploit Vulnerabilities</strong><br />
As intruders become more sophisticated, they identify new and increasingly complex methods of attack. For example, intruders are developing sophisticated techniques to monitor the Internet for new connections. Newly connected systems are often not fully configured from a security perspective and are, therefore, vulnerable to attacks.<br />
The most widely publicized of the newer types of intrusion is the use of the packet sniffers described in the section above on packet sniffers. Other tools are used to construct packets with forged addresses; one use of these tools is to mount a denial-of-service attack in a way that obscures the source of the attack. Intruders also &#8220;spoof&#8221; computer addresses, masking their real identity and successfully making connections that would not otherwise be permitted. In this way, they exploit trust relationships between computers.<br />
With their sophisticated technical knowledge and understanding of the network, intruders are increasingly exploiting network interconnections. They move through the Internet infrastructure, attacking areas on which many people and systems depend. Infrastructure attacks are even more threatening because legitimate network managers and administrators typically think about protecting systems and parts of the infrastructure rather than the infrastructure as a whole.<br />
In the first quarter of 1996, 7.5% of 346 incidents handled by the CERT Coordination Center involved these new and sophisticated methods, including packet sniffers, spoofing, and infrastructure attacks. A full 20% involved the total compromise of systems, in which intruders gain system-level, or root, privileges. This represents a significant increase in such attacks over previous years&#8217; attacks, and the numbers are still rising. Of 341 incidents in the third quarter of 1996, nearly 9% involved sophisticated attacks, and root compromises accounted for 33%.</p>
<p><strong>Intruders&#8217; Use of Software Tools</strong><br />
The tools available to launch an attack have become more effective, easier to use, and more accessible to people without an in-depth knowledge of computer systems. Often a sophisticated intruder embeds an attack procedure in a program and widely distributes it to the intruder community. Thus, people who have the desire but not the technical skill are able to break into systems. Indeed, there have been instances of intruders breaking into a UNIX system using a relatively sophisticated attack and then attempting to run DOS commands (commands that apply to an entirely different operating system).<br />
Tools are available to examine programs for vulnerabilities even in the absence of source code. Though these tools can help system administrators identify problems, they also help intruders find new ways to break into systems.<br />
As in many areas of computing, the tools used by intruders have become more automated, allowing intruders to gather information about thousands of Internet hosts quickly and with minimum effort. These tools can scan entire networks from a remote location and identify individual hosts with specific weaknesses. Intruders may catalog the information for later exploitation, share or trade with other intruders, or attack immediately. The increased availability and usability of scanning tools mean that even technically naive, would-be intruders can find new sites and particular vulnerabilities.<br />
Some tools automate multiphase attacks in which several small components are combined to achieve a particular end. For example, intruders can use a tool to mount a denial-of-service attack on a machine and spoof that machine&#8217;s address to subvert the intended victim&#8217;s machine. A second example is using a packet sniffer to get router or firewall passwords, logging in to the firewall to disable filters, then using a network file service to read data on an otherwise secure server.<br />
The trend toward automation can be seen in the distribution of software packages containing a variety of tools to exploit vulnerabilities. These packages are often maintained by competent programmers and are distributed complete with version numbers and documentation.</p>
<p>A typical tool package might include the following:<br />
network scanner<br />
password cracking tool and large dictionaries<br />
packet sniffer<br />
variety of Trojan horse programs and libraries<br />
tools for selectively modifying system log files<br />
tools to conceal current activity<br />
tools for automatically modifying system configuration files<br />
tools for reporting bogus checksums</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sciencetosecurity.org/2009/12/network-security-intruders/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Security Incidents</title>
		<link>http://www.sciencetosecurity.org/2009/12/network-security-incidents/</link>
		<comments>http://www.sciencetosecurity.org/2009/12/network-security-incidents/#comments</comments>
		<pubDate>Sun, 06 Dec 2009 16:52:57 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Computer Network]]></category>
		<category><![CDATA[Access]]></category>
		<category><![CDATA[account]]></category>
		<category><![CDATA[activity]]></category>
		<category><![CDATA[administrator]]></category>
		<category><![CDATA[advantage]]></category>
		<category><![CDATA[advantage of a corporation]]></category>
		<category><![CDATA[anything]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[attempt]]></category>
		<category><![CDATA[attention]]></category>
		<category><![CDATA[automation]]></category>
		<category><![CDATA[card]]></category>
		<category><![CDATA[challenge]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[characteristic]]></category>
		<category><![CDATA[code]]></category>
		<category><![CDATA[college]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[community]]></category>
		<category><![CDATA[company]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[computer]]></category>
		<category><![CDATA[confusion]]></category>
		<category><![CDATA[consultant]]></category>
		<category><![CDATA[corporation]]></category>
		<category><![CDATA[country]]></category>
		<category><![CDATA[credit]]></category>
		<category><![CDATA[credit card numbers]]></category>
		<category><![CDATA[curiosity]]></category>
		<category><![CDATA[damage]]></category>
		<category><![CDATA[denial]]></category>
		<category><![CDATA[door]]></category>
		<category><![CDATA[economic advantage]]></category>
		<category><![CDATA[electronic newsgroups]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[entertainment]]></category>
		<category><![CDATA[entry]]></category>
		<category><![CDATA[equivalent]]></category>
		<category><![CDATA[error]]></category>
		<category><![CDATA[event]]></category>
		<category><![CDATA[example]]></category>
		<category><![CDATA[exploitation]]></category>
		<category><![CDATA[financial gain]]></category>
		<category><![CDATA[gain]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[impact]]></category>
		<category><![CDATA[incident]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[intellectual challenge]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[intruder]]></category>
		<category><![CDATA[intruder community]]></category>
		<category><![CDATA[Intruders]]></category>
		<category><![CDATA[Intrusion]]></category>
		<category><![CDATA[intrusion techniques]]></category>
		<category><![CDATA[knowledge]]></category>
		<category><![CDATA[lack]]></category>
		<category><![CDATA[launch]]></category>
		<category><![CDATA[loss]]></category>
		<category><![CDATA[manager]]></category>
		<category><![CDATA[misconfiguration]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[note]]></category>
		<category><![CDATA[number]]></category>
		<category><![CDATA[owner]]></category>
		<category><![CDATA[packet]]></category>
		<category><![CDATA[pattern]]></category>
		<category><![CDATA[personal gain]]></category>
		<category><![CDATA[platform]]></category>
		<category><![CDATA[point]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[political attention]]></category>
		<category><![CDATA[power]]></category>
		<category><![CDATA[prelude]]></category>
		<category><![CDATA[print]]></category>
		<category><![CDATA[print publications]]></category>
		<category><![CDATA[probe]]></category>
		<category><![CDATA[Probes]]></category>
		<category><![CDATA[reading]]></category>
		<category><![CDATA[result]]></category>
		<category><![CDATA[root]]></category>
		<category><![CDATA[run]]></category>
		<category><![CDATA[s system]]></category>
		<category><![CDATA[Scan]]></category>
		<category><![CDATA[Scans]]></category>
		<category><![CDATA[Section]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security implications]]></category>
		<category><![CDATA[security incident]]></category>
		<category><![CDATA[sense]]></category>
		<category><![CDATA[service]]></category>
		<category><![CDATA[shapes and sizes]]></category>
		<category><![CDATA[single site]]></category>
		<category><![CDATA[site]]></category>
		<category><![CDATA[sniffer]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[software tool]]></category>
		<category><![CDATA[someone]]></category>
		<category><![CDATA[specific systems]]></category>
		<category><![CDATA[spy]]></category>
		<category><![CDATA[student]]></category>
		<category><![CDATA[superuser]]></category>
		<category><![CDATA[system]]></category>
		<category><![CDATA[term]]></category>
		<category><![CDATA[testing]]></category>
		<category><![CDATA[theft]]></category>
		<category><![CDATA[time]]></category>
		<category><![CDATA[tool]]></category>
		<category><![CDATA[topic]]></category>
		<category><![CDATA[trust]]></category>
		<category><![CDATA[Types]]></category>
		<category><![CDATA[typical attack]]></category>
		<category><![CDATA[UNIX]]></category>
		<category><![CDATA[use]]></category>
		<category><![CDATA[user]]></category>
		<category><![CDATA[victim]]></category>
		<category><![CDATA[whole]]></category>

		<guid isPermaLink="false">http://www.sciencetosecurity.org/?p=24</guid>
		<description><![CDATA[A network security incident is any network-related activity with negative security implications. This usually means that the activity violates an explicit or implicit security policy (see the section on security policy). Incidents come in all shapes and sizes. They can come from anywhere on the Internet, although some attacks must be launched from specific systems [...]]]></description>
			<content:encoded><![CDATA[<p>A network security incident is any network-related activity with negative security implications. This usually means that the activity violates an explicit or implicit security policy (see the section on security policy). Incidents come in all shapes and sizes. They can come from anywhere on the Internet, although some attacks must be launched from specific systems or networks and some require access to special accounts. An intrusion may be a comparatively minor event involving a single site or a major event in which tens of thousands of sites are compromised. (When reading accounts of incidents, note that different groups may use different criteria for determining the bounds of an incident.)<span id="more-24"></span><br />
A typical attack pattern consists of gaining access to a user&#8217;s account, gaining privileged access, and using the victim&#8217;s system as a launch platform for attacks on other sites. It is possible to accomplish all these steps manually in as little as 45 seconds; with automation, the time decreases further.</p>
<p><strong>Sources of Incidents</strong><br />
It is difficult to characterize the people who cause incidents. An intruder may be an adolescent who is curious about what he or she can do on the Internet, a college student who has created a new software tool, an individual seeking personal gain, or a paid &#8220;spy&#8221; seeking information for the economic advantage of a corporation or foreign country. An incident may also be caused by a disgruntled former employee or a consultant who gained network information while working with a company. An intruder may seek entertainment, intellectual challenge, a sense of power, political attention, or financial gain.<br />
One characteristic of the intruder community as a whole is its communication. There are electronic newsgroups and print publications on the latest intrusion techniques, as well as conferences on the topic. Intruders identify and publicize misconfigured systems; they use those systems to exchange pirated software, credit card numbers, exploitation programs, and the identity of sites that have been compromised, including account names and passwords. By sharing knowledge and easy-to-use software tools, successful intruders increase their number and their impact.</p>
<p><strong>Types of Incidents</strong><br />
Incidents can be broadly classified into several kinds: the probe, scan, account compromise, root compromise, packet sniffer, denial of service, exploitation of trust, malicious code, and Internet infrastructure attacks.</p>
<p><strong>Probe</strong><br />
A probe is characterized by unusual attempts to gain access to a system or to discover information about the system. One example is an attempt to log in to an unused account. Probing is the electronic equivalent of testing doorknobs to find an unlocked door for easy entry. Probes are sometimes followed by a more serious security event, but they are often the result of curiosity or confusion.<br />
<strong>Scan</strong><br />
A scan is simply a large number of probes done using an automated tool. Scans can sometimes be the result of a misconfiguration or other error, but they are often a prelude to a more directed attack on systems that the intruder has found to be vulnerable.<br />
<strong>Account Compromise</strong><br />
An account compromise is the unauthorized use of a computer account by someone other than the account owner, without involving system-level or root-level privileges (privileges a system administrator or network manager has). An account compromise might expose the victim to serious data loss, data theft, or theft of services. The lack of root-level access means that the damage can usually be contained, but a user-level account is often an entry point for greater access to the system.<br />
<strong>Root Compromise</strong><br />
A root compromise is similar to an account compromise, except that the account that has been compromised has special privileges on the system. The term root is derived from an account on UNIX systems that typically has unlimited, or &#8220;superuser&#8221;, privileges. Intruders who succeed in a root compromise can do just about anything on the victim&#8217;s system, including running their own programs, changing how the system works, and hiding traces of their intrusion.<br />
<strong>Packet Sniffer</strong><br />
A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travels over the network in clear text. With perhaps hundreds or thousands of passwords captured by the sniffer, intruders can launch widespread attacks on systems. Installing a packet sniffer does not necessarily require privileged access. For most multi-user systems, however, the presence of a packet sniffer implies there has been a root compromise.<br />
<strong>Denial of Service</strong><br />
The goal of denial-of-service attacks is not to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it. A denial-of-service attack can come in many forms. Attackers may &#8220;flood&#8221; a network with large volumes of data or deliberately consume a scarce or limited resource, such as process control blocks or pending network connections. They may also disrupt physical components of the network or manipulate data in transit, including encrypted data.<br />
<strong>Exploitation of Trust</strong><br />
Computers on networks often have trust relationships with one another. For example, before executing some commands, the computer checks a set of files that specify which other computers on the network are permitted to use those commands. If attackers can forge their identity, appearing to be using the trusted computer, they may be able to gain unauthorized access to other computers.<br />
<strong>Malicious Code</strong><br />
Malicious code is a general term for programs that, when executed, would cause undesired results on a system. Users of the system usually are not aware of the program until they discover the damage. Malicious code includes Trojan horses, viruses, and worms. Trojan horses and viruses are usually hidden in legitimate programs or files that attackers have altered to do more than what is expected. Worms are self-replicating programs that spread with no human intervention after they are started. Viruses are also self-replicating programs, but usually require some action on the part of the user to spread inadvertently to other programs or systems. These sorts of programs can lead to serious data loss, downtime, denial of service, and other types of security incidents.<br />
<strong>Internet Infrastructure Attacks</strong><br />
These rare but serious attacks involve key components of the Internet infrastructure rather than specific systems on the Internet. Examples are network name servers, network access providers, and large archive sites on which many users depend. Widespread automated attacks can also threaten the infrastructure. Infrastructure attacks affect a large portion of the Internet and can seriously hinder the day-to-day operation of many sites.<br />
<strong>Incidents and Internet Growth</strong><br />
Since the CERT® Coordination Center began operating in 1988, the number of security incidents reported to the center has grown dramatically, from fewer than 100 in 1988 to almost 2,500 in 1995, the last year for which complete statistics are available as of this writing. Through 1994, the increase in incident reports roughly parallels the growth of the size of the Internet during that time. Figure 1 shows the growth of the Internet and the corresponding growth of reported security incidents.<br />
The data for 1995 and partial data for 1996 show a slowing of the rate at which incidents are reported to the CERT/CC (perhaps because of sites&#8217; increased security efforts or the significant increase in other response teams formed to handle incidents). However, the rate continues to increase for serious incidents, such as root compromises, service outages, and packet sniffers.</p>
<p><strong>Incident Trends</strong><br />
In the late 1980s and early 1990s, the typical intrusion was fairly straightforward. Intruders most often exploited relatively simple weaknesses, such as poor passwords and misconfigured systems, that allowed greater access to the system than was intended. Once on a system, the intruders exploited one or another well-known, but usually unfixed, vulnerability to gain privileged access, enabling them to use the system as they wished.<br />
There was little need to be more sophisticated because these simple techniques were effective. Vendors delivered systems with default settings that made it easy to break into systems. Configuring systems in a secure manner was not straightforward, and many system administrators did not have the time, expertise, or tools to monitor their systems adequately for intruder activity.<br />
Unfortunately, all these activities continue in 1996; however, more sophisticated intrusions are now common. In eight years of operation, the CERT Coordination Center has seen intruders demonstrate increased technical knowledge, develop new ways to exploit system vulnerabilities, and create software tools to automate attacks. At the same time, intruders with little technical knowledge are becoming more effective as the sophisticated intruders share their knowledge and tools.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sciencetosecurity.org/2009/12/network-security-incidents/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
