
Improving Computer System Security

November 8, 2013

Posted by patrickcallan2013 in Security.

The article “The Internet Worm Program: An Analysis” provides several suggestions to improve computer system security. [1] Some of Spafford’s advice is directed at end users. The need to download and install patches to fix flaws in software remains an important, but often forgotten, defensive measure. Since the article’s publication in the late 1980s, some software vendors, such as Microsoft and McAfee, have implemented automated downloads that use the user’s Internet connection to frequently check for available software updates or patches. However, not all software vendors automate the update process, leaving security vulnerabilities on many computing systems whose users do not manually check for important software updates. To enhance computer security, all software should implement automated installation of any security-related patches to maintain overall system security. Many users do not recognize the importance of software updates, and few know that updates repair software flaws and/or security vulnerabilities. Security-related software updates are an important element of maintaining secure systems.

Spafford also offers suggestions directed at IT professionals. While discussing sendmail, Spafford commented “… sendmail is fundamentally flawed, not because of anything related to function, but because it is too complex and difficult to understand.” [1] Designing computing resources that are “too complex and difficult to understand” has adverse consequences because the IT professionals responsible for maintaining these resources avoid investigating settings and making any configuration changes. [1] Compounding this problem is the often poor quality of documentation created by vendors. Few IT professionals have time to struggle with poorly designed products and poor documentation, which may ultimately compromise system security. Perhaps more thorough product evaluations need to be performed prior to purchase, including careful in-house review of a working version of the product and its documentation by IT professionals and end users. Some organizations request 30- to 90-day review periods to evaluate operating versions of computing products prior to committing to the purchase. This is a prudent strategy that will often reveal a product’s true strengths and weaknesses, and the quality of product support and documentation, before the organization makes the final purchasing decision.

The issue of adequate passwords applies to end users as well as IT professionals. As Spafford noted in the article, words found in dictionaries, common names, or practices like reversing the username for the password are not effective. Spafford also noted the security risk “… that many system services have configuration and command files owned by a common userid … This means that if it is possible to abuse one of the services, it might be possible to abuse many.” [1] Despite resistance from end users and IT staff to multiple complex passwords, we should continue enforcing strong password policies until a strong alternative like biometric identification becomes widespread. Strong passwords remain an important method of maintaining information system security.
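The weak-password patterns named above (dictionary words, common names, and the username or its reversal) are easy to reject at the point where a password is set. The following is an added example written for this post, not code from Spafford’s paper or from any product it mentions; the word and name lists are tiny constructed samples standing in for a real dictionary or cracking wordlist, and the function names and the 12-character minimum are assumptions of the example.

```python
import re
from typing import List

# Constructed sample lists. A real deployment would load the full system
# dictionary and a large name list from disk instead of hard-coding them.
DICTIONARY_WORDS = {"password", "welcome", "dragon", "summer", "letmein", "monkey"}
COMMON_NAMES = {"michael", "jennifer", "robert", "linda", "david", "susan"}

MIN_LENGTH = 12  # assumed policy value for this example


def _letters_only(text: str) -> str:
    """Lower-case and drop digits/punctuation so 'Summer2013!' still matches 'summer'."""
    return re.sub(r"[^a-z]", "", text.lower())


def password_problems(username: str, password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty list means accepted).

    The checks mirror the weaknesses described in the post: the username or its
    reversal used as (or inside) the password, dictionary words and common names
    dressed up with digits or punctuation, plus basic length and character-class rules.
    """
    problems = []
    user = username.lower()
    pw = password.lower()
    core = _letters_only(password)

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Username and reversed username, anywhere in the password.
    if user and user in pw:
        problems.append("contains the username")
    if user and user[::-1] in pw:
        problems.append("contains the username reversed")

    # Dictionary word or common name once the decoration is stripped.
    if core in DICTIONARY_WORDS:
        problems.append("is a dictionary word once digits and punctuation are stripped")
    if core in COMMON_NAMES:
        problems.append("is a common name once digits and punctuation are stripped")

    # Require at least three of: lower, upper, digit, symbol.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")

    return problems


if __name__ == "__main__":
    for user, candidate in [
        ("jsmith", "jsmith2013!"),
        ("jsmith", "htimsj2013"),
        ("jsmith", "Summer2013!"),
        ("jsmith", "Kx9#vLq2!mRw7p"),
    ]:
        verdict = password_problems(user, candidate) or ["accepted"]
        print(f"{user} / {candidate!r}: {', '.join(verdict)}")
```

Stripping digits and punctuation before the dictionary lookup matters because the most common way users satisfy a complexity rule is to append a year or an exclamation mark to a word; the check also reports every violation rather than stopping at the first, so the user learns what to fix.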

Spafford makes an important point that might be overlooked if one considers only technology-based security solutions: ethical, moral and responsible computer users are central to computing security. Spafford states “The Worm was caused by a breakdown of ethics as well as lapses in security – a purely technological attempt at prevention will not address the full problem, and may just cause new difficulties.” [1] Spafford makes several additional comments highlighting every computer user’s responsibility to ensure their actions do not harm the organization or others in society by compromising system security, commenting “…The Worm has shown us that we are all affected by events in our shared environment….” and “Entire businesses are now dependent, wisely or not, on computer systems. People’s money, careers, and possibly even their lives may be dependent on the undisturbed functioning of computers. As a society, we cannot afford the consequences of condoning or encouraging behavior that threatens or damages computer systems.” [1]

Unfortunately, despite many security breaches since the original article’s publication and Spafford’s clear security warnings, he recently commented in an interview “Based on what people have done since then in terms of security, I don’t think it [the Morris Worm] taught us a lot. … I don’t think we learned anything from it, and we’re still not learning anything from it.” [2] Society is on a very dangerous trajectory, with increasingly severe consequences for computer-driven financial systems, communication and utility grids, and military weapons systems in an interconnected environment of inadequate security. Over the past 25 years our reliance upon computer systems has increased substantially, and the higher degree of interconnection among our systems via the Internet magnifies the importance of maintaining security and of conscious, ethical use of computer systems by every user. Securing computer systems will require attention to people, processes and technology. Strong security cannot be built on technology alone. Failure to proactively improve security will ultimately cause far more serious problems than the Worm.

[1] Spafford, Eugene H. “The Internet Worm Program: An Analysis”. SIGCOMM Computer Communication Review, Volume 19, Issue 1. January 1989.

[2] “Lessons from the First Major Computer Virus”. Accessed on 10/25/2013 at http://www.intelfreepress.com/news/lessons-from-the-first-computer-virus-the-morris-worm/7223.
