User guide
Chapter 1. Security Overview
The Internet and its earlier protocols, however, were developed as a trust-based system. That is,
the Internet Protocol (IP) was not designed to be secure in itself. There are no approved security
standards built into the TCP/IP communications stack, leaving it open to potentially malicious users
and processes across the network. Modern developments have made Internet communication more
secure, but there are still several incidents that gain national attention and alert us to the fact that
nothing is completely safe.
1.1.1.2. Security Today
In February of 2000, a Distributed Denial of Service (DDoS) attack was unleashed on several of the
most heavily-trafficked sites on the Internet. The attack rendered yahoo.com, cnn.com, amazon.com,
fbi.gov, and several other sites completely unreachable to normal users, as it tied up routers for
several hours with large-byte ICMP packet transfers, also called a ping flood. The attack was brought
on by unknown assailants using specially created, widely available programs that scanned vulnerable
network servers, installed client applications called trojans on the servers, and timed an attack with
every infected server flooding the victim sites and rendering them unavailable. Many blame the attack
on fundamental flaws in the way routers and the protocols used are structured to accept all incoming
data, no matter where or for what purpose the packets are sent.
In 2007, a data breach exploiting the widely-known weaknesses of the Wired Equivalent Privacy
(WEP) wireless encryption protocol resulted in the theft of over 45 million credit card numbers
from a global financial institution.[3]
In a separate incident, the billing records of over 2.2 million patients stored on a backup tape were
stolen from the front seat of a courier's car.[4]
Currently, an estimated 1.4 billion people use or have used the Internet worldwide.[5]
At the same time:
• On any given day, there are approximately 225 major security breach incidents reported to the
CERT Coordination Center at Carnegie Mellon University.[6]
• The number of incidents reported to CERT jumped from 52,658 in 2001 to 82,094 in 2002 and to
137,529 in 2003.[7]
• According to the FBI, computer-related crimes cost US businesses $67.2 billion in 2006.[8]
From a 2009 global survey of security and information technology professionals, "Why Security
Matters Now"[9], undertaken by CIO Magazine, some notable results are:
• Just 23% of respondents have policies for using Web 2.0 technologies. These technologies, such
as Twitter, Facebook and LinkedIn, may provide a convenient way for companies and individuals
to communicate and collaborate; however, they open new vulnerabilities, primarily the leaking of
confidential data.
• Even during the recent financial crisis of 2009, security budgets were found in the survey to be
mostly at the same amount or increasing over previous years (nearly 2 out of 3 respondents expect
spending to increase or remain the same). This is good news and reflects the importance that
organizations are placing on information security today.
These results reinforce the reality that computer security has become a quantifiable and justifiable
expense for IT budgets. Organizations that require data integrity and high availability elicit the skills of
[3] http://www.theregister.co.uk/2007/05/04/txj_nonfeasance/
[4] http://www.fudzilla.com/content/view/7847/1/
[5] http://www.internetworldstats.com/stats.htm
[9] http://www.cio.com/article/504837/Why_Security_Matters_Now