In my opinion, there are several fundamental issues regarding computer security. One such issue is that systems are not updated as often as they should be in order to make code more secure against certain types of attacks. Because many popular programs are written in C and C++, it is only natural that exploits such as buffer overflows are a favorite among individuals trying to gain access to systems illegally; C and C++ provide no built-in protection against accessing or overwriting data in any part of memory. C and C++ do not check that data written to an array is within the boundaries of that array. It is also common knowledge that an attack such as a buffer overflow is very easy to execute on many platforms. In his article: Smashing The Stack For Fun And Profit , Aleph One gives step-by-step instructions on how to do a buffer-overflow attack.
I believe this is another fundamental issue regarding computer security: information is very readily available and is written in such a manner that anybody with medium-to-advanced computer knowledge can write a little code and gain access to information they shouldn’t have access to. With information on phreaking, double free() exploits and heap overflows being readily available to anyone over the internet, it is an absolute necessity for system and program engineers to be diligent in creating secure environments that can be more easily updated/modified to combat the growing number of individuals attempting to gain access to the information contained within these structures.
My last example of a fundamental issue regarding computer security is the storage of sensitive data with data that may be accessed by a larger pool of individuals with a lower need-to-know than that of the sensitive data. As an example, I work for a group that separates sensitive information from other, non-sensitive information by maintaining entire separate networks for each. There are even directives in place to specify cable separation between the two networks; cables going from one network must be a specific distance from cables going to the other network; this is to prevent cross-talk through the Ethernet cables. I believe that it’s a common practice to mix both sensitive and non-sensitive data in work environments because of convenience and cost effectiveness; it’s easier and cheaper to have one server with all of the company’s information, even though it puts the company’s sensitive data at risk. As an example, an individual running an attack on a company’s website can possibly gain access to sensitive personnel information if it’s stored on the same server. A better solution would be to have a local intranet that’s not accessible from the outside world to store sensitive information. The downside is that this type of setup can be expensive and inconvenient for employees.
In conclusion I don’t believe there are easy answers to any of the fundamental issues regarding computer security. I believe there must be a balance between convenience, cost and security, with security being the major factor in determining how a system is designed and maintained. I also believe that system maintenance and data separation are not practiced nearly enough by companies and individuals alike.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment