Showing papers on "Vulnerability (computing)" published in 1989


Journal ArticleDOI
TL;DR: Usage experience reveals that resource control, particularly of workstation CPU cycles, is more important than originally anticipated and that the mechanisms available to address this issue are rudimentary.
Abstract: Andrew is a distributed computing environment that is a synthesis of the personal computing and timesharing paradigms. When mature, it is expected to encompass over 5,000 workstations spanning the Carnegie Mellon University campus. This paper examines the security issues that arise in such an environment and describes the mechanisms that have been developed to address them. These mechanisms include the logical and physical separation of servers and clients, support for secure communication at the remote procedure call level, a distributed authentication service, a file-protection scheme that combines access lists with UNIX mode bits, and the use of encryption as a basic building block. The paper also discusses the assumptions underlying security in Andrew and analyzes the vulnerability of the system. Usage experience reveals that resource control, particularly of workstation CPU cycles, is more important than originally anticipated and that the mechanisms available to address this issue are rudimentary.

276 citations


Proceedings ArticleDOI
03 Oct 1989
TL;DR: The primary focus of this paper is on the effects of phenomena produced by advanced weapons on physical security system performance, including the high-altitude electromagnetic pulse, high-power microwaves, and lasers.
Abstract: The primary focus of this paper is on the effects of phenomena produced by advanced weapons on physical security system performance. The types stressed in the paper are the high-altitude electromagnetic pulse, high-power microwaves, and lasers. Topics include generation mechanisms, interactions with security system components and possible effects, and illustrative countermeasures. This paper is not intended to imply that the types of threats discussed are applicable to all types of security systems and that all systems should be designed to withstand them. For example, they would not be applicable to a residential burglar alarm. The threats in this paper might be available to a Government activity or to a well financed terrorist or sabotage organization, and are applicable to systems designed to protect against such groups. Also, although in some instances they might be used to assist in covert penetration, in most instances it is not expected that they would be used for that purpose. These threats will have the capability to render the total system or major components thereof inoperative, and this is the manner in which it is expected that they would be encountered.

10 citations


Journal ArticleDOI
TL;DR: A multi-needle sewing machine has a workpiece feed mechanism which includes first and second side supports located to opposite ends of the needle bar.

9 citations


Proceedings ArticleDOI
Matt Bishop
01 Aug 1989
TL;DR: The need for security in a supercomputing environment is discussed and modifications to the UNIX operating system are suggested that would decrease the vulnerability of those sites to attacks.
Abstract: The UNIX operating system is designed for collaborative work and not for security. Vendors have modified this operating system (in some cases, radically) to provide levels of security acceptable to their customers, but the versions used in supercomputing environments would benefit from enhancements present in so-called secure versions. This paper discusses the need for security in a supercomputing environment and suggests modifications to the UNIX operating system that would decrease the vulnerability of those sites to attacks. Among the issues are additional auditing controls, changes to network programs, improved user authentication, and better application of the principle of least privilege.

9 citations


Journal ArticleDOI
TL;DR: In this paper, a new probabilistic seismic hazard map is calculated by using geological information and the data contained in the seismic catalog and the atlas of isoseismal maps.

6 citations


Journal ArticleDOI
TL;DR: It will be shown, that security is not only “against” threats but also “for” a new quality of communication.
Abstract: In order to clarify the question of whether we need security for our networks, we need to identify the assets we have in our networks. It will be pointed out that the trusted partner relation plays a key role in secure communication. We will look at the threats against our assets. We also need to make visible the vulnerability, i.e. to identify the weak points of our networks. It will be shown that security is not only “against” threats but also “for” a new quality of communication. Concrete steps how to improve security in RARE networks are described. The problem of trusted hard- and software will also be mentioned. Finally, security will be presented as a concept of responsibility.

5 citations


Book ChapterDOI
01 Jan 1989
TL;DR: Evaluation of the effectiveness of existing computing security measures; estimation of the cost to the organization if current defences are inadequate; selection of appropriate, cost-effective countermeasures.
Abstract: • evaluation of the effectiveness of existing computing security measures; • estimation of the cost to the organization if current defences are inadequate; • selection of appropriate, cost-effective countermeasures.

4 citations


Journal ArticleDOI
TL;DR: The purpose is to make the many available measures of the vulnerability of interconnection networks more widely known, and to spur the development of good algorithms to calculate them in practical instances.

4 citations


Proceedings ArticleDOI
03 Oct 1989
TL;DR: This paper approaches the security Countermeasures Development Process from the user's perspective and identifies key inputs and decision points.
Abstract: The practice of terrorism has grown more prevalent and far more sophisticated during the past several decades. It has become one of the primary means used by disaffected groups to attempt to accomplish their political objectives. High value government and private assets present particularly attractive targets for a variety of these sophisticated threats. Likewise, soaring manpower costs and the insider threat dictate the increasing need to apply efficient combinations of state-of-the-art physical security countermeasures at critical locations to reduce vulnerability of assets and provide for protection in-depth. The user must be provided with a workable tool to assist in the planning and design of appropriate physical security countermeasures against terrorist and other attacks. The most effective design model examines assets from both the user's and the potential aggressors' perspective. The process begins with the selection of assets deemed critical. The process then proceeds through the determination of potential aggressor characteristics, attractiveness of assets to various aggressors and their potential attack modes, and concludes with threat/vulnerability analysis and the identification of appropriate countermeasures. Included within this Countermeasures Development Process is an assessment of existing protective measures and consideration of constraints on the design solution. This paper approaches the security Countermeasures Development Process from the user's perspective and identifies key inputs and decision points. Particular emphasis is placed upon terrorist threat dynamics and countermeasures development in the context of the need to develop a fully integrated physical security system that provides diversity, redundancy and collective resource management, and assures protection in-depth of critical assets.

3 citations


Journal Article
TL;DR: There appears to be little chance at this time that the operating systems or applications programs that control the operation of large computers will be contaminated by a virus, and bank computer security managers interviewed for this article reported concerned inquiries from their managements about the vulnerability of their systems after ARPANET.
Abstract: Is your PC infected? Banks expand efforts to reduce threat of crippling computer "viruses" Early in November 1988, much of the computer world's attention was focused briefly on a computer "virus" that had "infected" a major government and scientific computer network, called ARPANET. It systematically slowed down and, in some cases, completely immobilized, computer operations at universities, research centers, and government agencies throughout the U.S. and in many overseas locations. The virus was created by a young computer sciences graduate student at Cornell University, Ithaca, N.Y. It is believed to have affected more than 6,000 computers. Estimated cost of its removal from those systems ranges from $256 million to $1.1 billion. Can it happen here? Banks and most other business organizations were unaffected by that virus, but widespread publicity alerted their managements to the potential danger. Computer security officers at many banks had been well aware of the dangers long before the ARPANET incident. Many had instituted special procedures and training to prevent the introduction of viruses into their systems. However, until that incident, few members of top management devoted much time to worrying about such arcane matters. That all changed last November. All of the bank computer security managers interviewed for this article reported concerned inquiries from their managements about the vulnerability of their systems after ARPANET. "We don't ever wish that things like ARPANET happen," says Albert R. Belisle, deputy director, corporate computer security, Bank of Boston, Mass. "But one of the beneficial by-products of the widespread publicity that event received has been heightened awareness on the part of top management, and others in the bank, of the need for tight security and strict operating procedures for all data processing and information sharing." 
Belisle, a member of the executive committee of ABA's Security and Risk Management Division, adds, "We are constantly preaching the importance of information systems security, but our warnings are not always taken seriously by everyone in the bank. The ARPANET event was very helpful in convincing many people." Leslie S. Chalmers, vice-president, Bank of California, San Francisco, and current chairman of ABA's Information Systems Security Committee, echoes that thought. "Since ARPANET, people in the bank no longer think I'm just `blowing smoke' when I talk about computer viruses and other security matters," says Chalmers. "In fact, now when I go out to talk to user groups throughout the bank about information systems security, I find that it helps get everyone's attention if I bring up that incident right from the start." Are you infected? One reason financial institutions have become increasingly susceptible to computer virus infestation is the rapid introduction of personal computers and information system networking throughout the organizations. With the single exception of the ARPANET virus, all known computer viruses have originated on personal computers. They are generally first introduced to those systems on floppy disks used to enter operating or application programs into memory. Although there is always the danger that data in a bank's mainframe can be contaminated by a virus through data communications networks, there appears to be little chance at this time that the operating systems or applications programs that control the operation of large computers will be contaminated. The presence of a virus isn't always obvious. But there are warning signs: (1) Gradual loss of available storage without the user adding any new programs or data. (2) Loss of program functionality, which usually manifests itself in an unusual number of error messages. Sometimes certain program functions just stop working. 
(3) Unusual screen activity, such as blackouts or unusual messages. …

3 citations


Proceedings ArticleDOI
19 Jun 1989
TL;DR: It is argued that a key problem for computer assurance of security, safety, and economics is to provide visibility of information about software issues at upper management levels, and a solution requires cooperation among the federal agencies, industry, and academia.
Abstract: The author identifies some common objectives, activities, key issues, and problems of software system assurance, security, safety, and integrity, and approaches to dealing with them. Risk assessment and software product assurance and risk levels are discussed. It is argued that a key problem for computer assurance of security, safety, and economics is to provide visibility of information about software issues at upper management levels. A solution to this problem requires cooperation among the federal agencies, industry, and academia.

Journal Article
TL;DR: A description is given of a computer code that can be used to assess the vulnerability of a surface ship to underwater attack by blast weapons.
Abstract: A description is given of a computer code that can be used to assess the vulnerability of a surface ship to underwater attack by blast weapons. Some indication is given of how this code could be used to assist the ship designer.


01 Jan 1989
TL;DR: The complexity and vulnerability of computer systems are first discussed, after which recommendations are presented regarding ways in which the level of security can be upgraded.
Abstract: It is clear that information, the basis of all decisions and actions, must be protected, and its integrity, confidentiality and availability ensured. Yet the years have seen an inexorable rise in the cost of direct or indirect losses resulting from computerized information systems. This trend is mainly attributable to a general increase in criminal activity, abetted by low levels of security. The complexity and vulnerability of computer systems are first discussed, after which recommendations are presented regarding ways in which the level of security can be upgraded.

W. Dong, F. S. Wong, W. Chiang, J. E. Kim, Haresh C. Shah
01 Jan 1989
TL;DR: In this article, an integrated knowledge system for the assessment of the seismic vulnerability and risk of engineered facilities is described, which integrates knowledge from many fields including earth science, seismology, geology, risk management, structural engineering, planning, the insurance/banking profession, and facility management.
Abstract: This paper describes an integrated knowledge system for the assessment of the seismic vulnerability and risk of engineered facilities. The system integrates knowledge from many fields including earth science, seismology, geology, risk management, structural engineering, planning, the insurance/banking profession, and facility management. It uses state-of-the-art methodologies in earthquake engineering, data management, graphics and artificial intelligence to provide the following desirable features: user-friendliness, easy access, flexibility, dynamic updating, and adaptation to diverse environments. An immediate result of this system is that advance technology in seismic risk management is now available to government agencies and the insurance/investment banking industries. In the long run, the system will help revolutionize technical communication among engineering/science disciplines and between the knowledge producers and users.