//disclaimer – I set out to write some simple, non-comprehensive, lightweight course material for network and information security – posts (like this one) are categorized under ‘security primer’. It is still a work in progress, comments welcome.
A computer system can be simply described as a system taking instructions from a user, or a communication channel (which can be seen as a type of user). Alan Turing invented (the theory behind) computers before even conceiving a possible implementation of one.
Picture the start of the widespread use of mainframe computers and personal computers. No networks available at first, just big machines, and users typing code into them, or moving tapes around. The biggest problem at that time was to find a computer and get it to run your instructions, code, scripts, aka software applications. On mainframes there was no easy way to debug, so many old programmers recall waiting for a week to run a piece of code, only to find out there was a typo which ruined their execution. Only a select few had the privilege to run code on these computers.
Computers became mainstream and people started to buy and exchange code, often on floppies. In the 80s the first malicious code surfaced and the term “virus” was coined, referring to a piece of code which would make a computer do unwanted things. The first viruses were basically showcases, demonstrations, without causing serious harm. Of course this has now changed. There are many different words for different types of malicious code: virus, exploit, trojan, et cetera. It is not very useful to go into these details, and often these terms are not clearly defined.
Mixed bag: Note that most modern cyber attacks use a combination of unsafe code made with good intentions, some social engineering, some malicious code created with bad intentions, some flaws in reputation or authentication systems, some badly designed payment systems, and so on. For example – a common attack goes as follows: The attacker sends a phishing message to a company that has been advertising on some popular websites – say a national newspaper. The attacker captures the password of the server account used by the company to upload their advertisement material. The attacker sneaks into the advertisement and modifies an ad banner to contain an exploit of, say, a browser plugin. A user visits the mainstream website and his PC is infected with a trojan, a piece of code. The trojan then dials back home to a command and control center, controlled by the attackers, who then instruct the trojan to record keystrokes – in this way they can capture details like passwords or credit card numbers. Such attacks are sometimes called “malvertisement”.
Let’s try to define better what we mean by computer security, or rather system security. We refer to a famous article by Butler Lampson, called “Computer Security in the Real World”. A good read. He says computer security is about three techniques:
- Authentication – Who is giving the instructions?
- Authorization – Is this user allowed to give these instructions?
- Auditing – Log each authentication and authorization so that it is possible to audit, afterwards, what happened.
He calls it the gold standard of computer security (because in chemistry Au is the symbol for gold).
He explicitly leaves out availability and continuity aspects. Interestingly, systems that do not implement authentication and authorization efficiently are often vulnerable to attacks where the attacker overloads the system with requests, aka Denial of Service (DoS) attacks, attacking the continuity and availability of systems. The trade-off between the decidability of the authorization decision and the richness of the authorization language is well known in access control systems.
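The three techniques of the gold standard listed above can be seen working together in a small request guard. This is an added example, not code from Lampson's article or from this course; the user names, passwords, the `payroll` resource and all function names are constructed for illustration.

```python
import hashlib, hmac, os

def kdf(password, salt):
    # Slow salted hash so stored credentials are not plain passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password):
    salt = os.urandom(16)
    return salt, kdf(password, salt)

# Constructed sample data: two principals and an access-control list
USERS = {"alice": make_user("correct horse"), "bob": make_user("hunter2")}
ACL = {("alice", "payroll"): {"read", "write"}, ("bob", "payroll"): {"read"}}
DUMMY = make_user("unused")   # hashed for unknown names to keep timing uniform
AUDIT = []                    # stands in for an append-only, protected log

def authenticate(user, password):
    """Authentication: who is giving the instruction?"""
    salt, stored = USERS.get(user, DUMMY)
    ok = hmac.compare_digest(stored, kdf(password, salt)) and user in USERS
    AUDIT.append(("authn", user, "ok" if ok else "fail"))
    return ok

def authorize(user, resource, action):
    """Authorization: is this user allowed to give this instruction?"""
    ok = action in ACL.get((user, resource), set())   # default deny
    AUDIT.append(("authz", user, resource, action, "allow" if ok else "deny"))
    return ok

def guard(user, password, resource, action):
    """Every request is authenticated, then authorized; both steps are logged."""
    return authenticate(user, password) and authorize(user, resource, action)

def audit_trail():
    """Auditing: return a copy of what was decided, in order."""
    return list(AUDIT)

if __name__ == "__main__":
    guard("alice", "correct horse", "payroll", "write")   # allowed
    guard("bob", "hunter2", "payroll", "write")           # authenticated, denied
    guard("mallory", "guess", "payroll", "read")          # authentication fails
    for entry in audit_trail():
        print(entry)
```

Denied and failed requests are logged as well as successful ones, since the audit trail is what allows reconstructing afterwards what happened.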