
As the Internet has transformed business computing and communications, it has also given rise to unprecedented computer security threats. Whereas traditional computer security was concerned with limiting the physical access to corporate systems and the misappropriation or vandalism of data by internal users, the Internet has opened up diverse and complex security problems on a scale much greater than that previously known. The rapid advances in the speed of corporate networks may only exacerbate this problem, as some existing security software may not be able to keep up with the higher speeds of data transfer. Annual losses from computer security breaches, although difficult to pinpoint exactly, are believed to be worth some $10 billion in the United States alone. Specific risks include:

- the spread of computer viruses
- infiltration and theft of data from external hackers
- engineered network overloads triggered by malicious mass e-mailing
- misuse of computer resources and confidential information by employees
- unauthorized financial transactions and other kinds of computer fraud conducted in the company's name
- electronic surveillance of corporate computer data by outside parties
- damage from malfunction, fire, or natural disasters

A host of software and hardware solutions have been developed to combat these threats, but the new and rapidly changing nature of the technology requires that corporate system security managers be extremely well versed on how the risks specifically affect their systems. With issues so complicated and security so critical, establishing a comprehensive computer security system often requires the expertise of consultants and professional computer security firms.

THE SCOPE OF THE THREAT


A widely cited annual study conducted by the Computer Security Institute and the FBI indicates that the majority of large businesses experience one or more computer security breaches, broadly defined, each year. In addition, a significant percentage of companies surveyed (about a fifth) aren't sure whether they've experienced a security lapse. Given standard estimates that only a fraction of computer crimes are ever detected, it is safe to assume that many of the companies that report not knowing have had their systems violated in some way. In the 1999 survey, only 17 percent of companies asserted that they had not experienced any form of unauthorized use of their computers. Among the 163 companies in the survey that could quantify their losses, the average annual loss was more than $750,000.

While the authors of computer crimes are usually never positively identified, the overwhelming majority of companies attribute at least some of their security violations to disgruntled or crooked employees. Corporate security managers believe that independent outside hackers are the second most common group of perpetrators. Surprisingly, a large number of companies also attribute their computer security threats to domestic and foreign competitors, as well as to foreign governments.

In monetary terms, the most damaging breaches of computer security involve (1) the theft of trade secrets; (2) unauthorized and fraudulent financial transactions (for instance, when an employee surreptitiously changes his rate of pay on the payroll system); (3) system break-ins by outsiders; (4) telecommunications fraud, in which an attacker gains use of a company's phone lines or other telecommunications resources and charges up large bills; and (5) computer viruses.

ORIGINS OF COMPUTER SECURITY


The computer's power to enable humans to handle mathematical and cryptological problems on an unprecedented scale has prompted governments to keep their use subject to the tightest security from the very beginning. In fact, details of the first operational digital computer, the Colossus, were not made public until 1975. Until that time, the UNIVAC I, developed at the University of Pennsylvania and operational in 1946, was thought to have been the first. The Colossus was first put into service by the British government in 1943. It was used in cryptanalysis (the breaking of codes), specifically against the German Enigma communication codes. So sensitive was the information handled by the Colossus that mere knowledge of the machine's existence was limited to a few individuals. The computer was kept in a sealed room and was not connected to other computers or to any phone lines.

OTHER SECURITY THREATS


Not all threats to computer security are from parties with criminal intent, however. Computer supplies and hardware must also be protected from both environmental forces, such as power surges, floods, and fires, and simple operator incompetence, such as the careless handling of floppy disks.

The fundamentals of any computer security program begin with the environmental conditions the computer requires to operate properly. Adequate power must first be provided. Due to the distances electricity must travel, its nominal voltage may drop 10 percent by the time it reaches the computer. In addition, drops in voltage or blackouts can occur due to utility switching problems or to lightning strikes at the utility company. Besides the potential for loss of unsaved data, there exists the possibility of "disk crashes," or damage to the disk due to contact with the read/write heads. Also dangerous are "spikes," sharp increases in voltage that can seriously damage hardware. A variety of voltage regulators, surge protectors, grounding techniques, and filters exist to combat these problems. In the 1990s, intense activity centered on the development of uninterruptible power systems that use storage batteries to ensure a smooth transition between power sources in the event of power failure. Local area networks as well as individual computers can be protected by these devices.

Fire is another important threat to computer systems. Their susceptibility to fire damage is exacerbated by the flammability of paper supplies likely to be stored in close proximity. Plastics used in the manufacture of computers can produce explosive gases when exposed to high temperatures. A common safety measure, water sprinklers, can further damage computers, especially if the computers are turned on. The use of fire-resistant construction materials, fire walls, vent closure systems, etc., are standard ways to mitigate the threat of fire. Special attention should be given to fire detection and personnel should be trained in the use of hand extinguishers. Carbon dioxide and Halon 1211 gas extinguishers are suited for use near electronic equipment because they do not leave a residue.

Other physical security concerns include protection against excessive heat, humidity, and water, which can be introduced by flooding, burst pipes, or "operator error" (spilled beverages, etc.). Electronics equipment can also be damaged by airborne particles and cigarette smoke; smoking is also a potential fire hazard. Plastic covers can protect the machines somewhat from dust particles and falling water. Organizations vitally dependent on data processing facilities should prepare contingency plans for disasters such as hurricanes, earthquakes, or blizzards. Ideally, backup facilities should be located far enough away to be spared the disaster, but not too far to be reached quickly.

COMPUTER VIRUSES
The next level of security involves protecting software from viruses, "logic bombs," and "Trojan horses," all of which have the capacity to disable computer systems by infecting software. In common usage all such programs are termed viruses, and as of 1998 experts believed there were some 16,000 of them in existence. A conventional computer virus is a program that is self-replicating, attaches itself to other programs, and generally performs some sort of function. An early virus demanded a "cookie," and after the word was typed it would disappear for a time. A later virus caused all the characters on the screen to fall to the bottom. Originally a hobby of programmers (an experimental virus was demonstrated as far back as 1974), viruses eventually appeared with sinister missions. The Pakistani Brain is one that can drastically affect a computer system. This virus was developed in 1986 by two brothers from Pakistan as an experiment in preventing use of unauthorized copies of software. The original strain changed the volume name of disks to "(c) BRAIN" once it had infected them; however, mutations have been produced that are not as forthcoming about their identity. The virus inserts its code into the boot sector of a disk, making it the first data loaded into the computer upon startup, before any anti-viral programs can be executed. The original version spread through bootable floppy disks; however, variations have been written that can affect hard drives. Its code is difficult to locate because of measures it uses to counteract standard anti-viral programs and its method of recording parts of its code in disk sectors marked "bad."

Another type of insidious program is the "Trojan horse," which performs an intended function but also a covert one. Computer users have become more savvy and cautious about sharing software; however, these types of programs continue to exist. Examples include a program ostensibly designed to increase monitor performance that instead erases the entire hard drive. True Trojan horses typically operate in the background of a valid program, such as a video game. Trojan horses have also been used for "salami" techniques: banking programs that compile the results of rounding errors in a large number of computations and add them to the perpetrator's account.

"Logic bombs" are viruses that are programmed to perform a task once a particular set of conditions is met; the most famous are "time bombs" set to go off on a significant date, e.g. the "Friday the 13th" virus and the "Michelangelo" virus. These viruses activate at a given date or time. Logic bombs have been set by programmers to cause damage if their names are ever deleted from payroll records. The Pakistani Brain contained a logic bomb that searched for the names of unauthorized duplicates of programs written by the authors of the virus.

"Worms" spread through networks and replicate themselves but do not affect programs. They were invented in 1980 by two Xerox Corporation researchers to perform useful network chores, such as searching for computer malfunctions or idle computers. Worms disseminate themselves throughout networks. Though considered relatively benign, worms can tie up memory and bring networks to a standstill.

PREVENTING AND RECOVERING FROM VIRUSES


Many steps can be taken to prevent or recover from virus infections. Having a source of clean (i.e., uninfected by viruses) backup copies for data files and programs is as important as it is elementary. Ideally, alternating sets of backup media should be used to increase the chances of having a clean original. The manufacturer's original diskettes for programs should be kept in a safe place and the write-protect tabs should be set to prevent their erasure in case they are unknowingly installed on an infected system.

Once a system is confirmed to be infected, it should not share disks or communication lines with other computers. Disks that could have perpetuated the virus should not be used unless they are certain to contain only data files and the virus is known not to attack the boot sector. All other disks should be reformatted or destroyed. The computer itself should be shut down and rebooted with the original operating system disk, and the operating system files should be restored. If application programs have been infected, the hard disk should be reformatted. Data files may be backed up and recopied after the disk has been formatted.

The capacity of both local and wide area networks to share information can be used to unwittingly disseminate viruses. If networks are to be usable, they, like disks, must be secured against viruses, Trojan horses, and unintended information transfer. Most networks employ some means of verifying a user's identity, such as passwords. One creative way hackers have bypassed password access controls is by using spell-checking dictionaries from word processing programs to supply possible passwords. Other sources of passwords include information known about network users. Smart cards have been developed to overcome these weaknesses. With these, a variation on the "call-back" system, hardware at the remote site must confirm that the correct user is calling the system from the correct terminal location. More sophisticated smart cards contain microchips within them that transmit an algorithm recognized by the network server, making their misuse even more difficult. Within an organization, multi-level password systems can ensure that individuals are granted access only to the information required for their jobs. When correctly implemented, they can prevent Trojan horse routines from using the operating system to help copy confidential information.
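The two password weaknesses named above (dictionary words and information known about the user) can be screened for at the moment a password is chosen. The following Python check is an added example, not part of the original article; the word list, user record, substitution table and function names are all constructed for illustration.

```python
import re

# Constructed sample data: a stand-in for a spell-checker dictionary and for
# facts an attacker could learn about the account owner (both hypothetical).
SAMPLE_WORDLIST = {"dragon", "sunshine", "password", "monkey", "baseball"}
SAMPLE_USER_FACTS = {"username": "jsmith", "full_name": "Jane Smith",
                     "department": "Payroll"}

# Character substitutions that dictionary-based guessing routinely undoes.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_roots(password):
    """Reduce a password to the base words a dictionary guesser would cover."""
    lowered = password.lower()
    # Drop leading/trailing digits and symbols: "Dragon2024!" -> "dragon".
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    roots = set()
    for form in (lowered, stripped):
        for variant in (form, form.translate(LEET)):
            roots.update((variant, variant[::-1]))  # also the reversed word
    roots.discard("")
    return roots


def user_tokens(user_facts):
    """Split known facts about the user into lowercase tokens of 3+ chars."""
    tokens = set()
    for value in user_facts.values():
        parts = re.split(r"[^a-z0-9]+", value.lower())
        tokens.update(p for p in parts if len(p) >= 3)
    return tokens


def rejection_reason(password, wordlist, user_facts):
    """Return why the password is guessable, or None if it passes both checks."""
    roots = candidate_roots(password)
    if roots & wordlist:
        return "dictionary word"
    tokens = user_tokens(user_facts)
    if any(tok in root for tok in tokens for root in roots):
        return "derived from user information"
    return None


if __name__ == "__main__":
    for pw in ("Dragon2024!", "P@ssw0rd1", "yeknom", "Smith#1999", "tq7#Vb2-kLm9x"):
        print(pw, "->", rejection_reason(pw, SAMPLE_WORDLIST, SAMPLE_USER_FACTS))
```

In practice the word list would be a full dictionary file rather than the five constructed entries shown here.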

OTHER SAFEGUARDS
ENCRYPTION.
Encryption systems are a way to secure information as it travels over phone lines or network cables. However, these usually slow down the network, and the encryption keys must be distributed in a secure way, a daunting task for large networks. For each user, double-key systems provide a public key, available to anyone wanting to communicate with its owner, and a private key, known only to the owner.

FIREWALLS.
The "firewall" is a software protection many corporations began to use in the mid-1990s to secure communications on large public access networks such as the Internet. As with physical fire walls, firewall software is designed to be a buffer between two spaces, in this case, the private and public areas of computers and computer networks. The software attempts to block unauthorized crossovers from public to private space. By the late 1990s most large companies had deployed some form of firewall protections, but the technology is far from foolproof and is easily misconfigured so it doesn't provide optimal protection.

REDUCING MODEM RISKS.


Security can be particularly weak on computers with dial-up modems used to access network resources outside the corporate network. Often companies spend a great deal of time and resources securing the network itself, yet ignore the holes created by such devices that are linked to the network. Without proper security measures, an attacker can first gain control of the individual computer that has dialed out to another network, and then gain access through the backdoor to the protected corporate network. Consequently, IT security managers must take precautions for all computers that connect to outside networks in this manner.

SPOOFING PROTECTIONS.
An Internet-era liability that companies on the World Wide Web face is spoofing, the practice of replacing a company's legitimate web site with often offensive unauthorized material. This can occur in two key ways: through either a weakness in the domain name server (DNS) security or unauthorized file manipulation on the company's web server that hosts its pages. The DNS risk can be effectively minimized through proper configuration of the server, specifically to block attempts to redirect browser requests for the company's pages to another unaffiliated site. Web server protection is more complicated because vandals may gain access to it by a variety of means, but the general protections are similar to those for any computer network resource. Most companies don't initially foresee or plan for the risk of spoofing, but a few widely publicized incidents, including one involving the New York Times site, have drawn attention to this threat.

ELECTRONIC SURVEILLANCE.
A computer isn't entirely secure even if it is not connected to any networks. Sophisticated electronic surveillance techniques have been known to recover data from the radio emissions generated by CPUs, monitors, peripheral cables, etc. The level of shielding available ranges from FCC Class A (commercial) to Class B (residential) to the federal government's Tempest standard for military contractors.

ELECTRONIC MEDIA DISPOSAL.


A strong potential for abuse also exists with improperly destroyed or recycled media. Shredders can be used to destroy various types of media, particularly paper printouts. A variety of different models are available, each a compromise between price, capacity, speed, and the thoroughness of destruction. Not all shredders can cut into diskettes. Specialized types of shredders include "pulpers" which wet the paper and "disintegrators" which repeatedly cut the documents until their particles fall through a fine screen.

The information stored on magnetic media can be destroyed by overwriting. This is a more involved process than merely "erasing" files from a disk, which merely changes the disk's directory. Overwriting changes each bit of binary information to either 1 or 0. Precautions must be taken to ensure that all the medium is overwritten, to destroy erased information not currently listed in directories. Even this does not complete the process, however. Just as a faint whisper of previously-recorded material can be audible in audiocassettes that have been reused, so can bits of overwritten information still exist. Bits that remain the same after the overwriting may be recorded at a slightly higher level of saturation than those that do not change; hence, most overwriting methods repeat the process, alternating between 1's and 0's each time.

The information on magnetic media can also be destroyed more quickly by degaussing, or driving the media through a strong magnetic field until saturation is reached. Diskettes, tapes, and other formats can be erased in bulk in less time than with overwriting. Burning is perhaps the most thorough method of destroying information recorded on paper, diskettes, punched cards, and semiconductors. Disadvantages are that the materials cannot be reused and that there is a possibility of data recovery from incomplete burning; i.e., from intact paper ash, for which techniques exist to recover printed information.
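The repeated overwrite with alternating 1's and 0's described above, as an added Python example that is not part of the original article. The function names, pass count and scratch file are assumptions made for illustration. It rewrites only the bytes currently allocated to one file, so covering erased data that is no longer listed in directories still requires overwriting the whole medium.

```python
import os
import tempfile

PATTERNS = (b"\x00", b"\xff")  # an all-zeros pass, then an all-ones pass
CHUNK = 64 * 1024


def overwrite_passes(path, passes=4):
    """Overwrite every byte of `path` in place, alternating 0s and 1s.

    Returns the byte value written by the final pass.
    """
    size = os.path.getsize(path)
    last = None
    with open(path, "r+b") as fh:
        for n in range(passes):
            last = PATTERNS[n % 2]
            fh.seek(0)
            remaining = size
            while remaining > 0:
                step = min(CHUNK, remaining)
                fh.write(last * step)
                remaining -= step
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
    return last


def verify_overwritten(path, expected):
    """Read the file back and confirm every byte equals the final pattern."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk != expected * len(chunk):
                return False


def demo():
    """Constructed sample: a scratch file holding a fake secret."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample secret " * 5000)
        path = tmp.name
    try:
        size_before = os.path.getsize(path)
        final = overwrite_passes(path, passes=4)
        same_size = os.path.getsize(path) == size_before
        return final, verify_overwritten(path, final), same_size
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```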

PERSONNEL.
The most important aspect of computer security involves personnel. Not only are inside jobs the greatest threat of computer crime, but if personnel are lax, security measures may be improperly and ineffectively implemented. Many security breaches at prominent companies have been precipitated by unsuspecting employees (sometimes corporate officers) divulging seemingly innocent information about their computer systems to the general public or to soon-to-be hackers themselves. Other times viruses are disseminated by ostensibly harmless humorous messages and programs that are forwarded throughout a corporate e-mail system, but behind the scenes they wreak havoc on the computers. Therefore, any computer security program should include efforts to adequately screen and train new employees, and a system of accounting and administrative controls to detect and deter criminal activity should be in place.

HACKER INSURANCE.
A wise investment for any company is to insure its computer systems against various kinds of damage, physical or otherwise. One of the more recent innovations by computer security vendors has been to offer so-called hacker insurance as part of a broader security management contract. Once these firms are employed to install and manage a computer security program, they insure against unauthorized outside penetration up to a maximum amount per incident or per year. In some cases the insurance benefit may be paid on the mere basis that an incident occurred, regardless of the damage. Similar insurance policies exist for companies conducting electronic commerce over the Internet to provide protection against fraudulent transactions.
