The use of computer technology has become a vital part of society. Almost every service provided now relies on computer technology. If a computer system is subjected to an attack, the result can be substantial economic and information losses. Therefore, precautions must be taken to ensure that the system is regularly maintained, because one small glitch in the system could cause a catastrophe. However, sometimes the act of maintaining the system can cause vulnerabilities that are easily exploited by attackers. This paper will identify some of the problems commonly associated with system maintenance.
System maintenance is a vital part of computer technology, and is emphasized as the best method for protecting your system. Regular maintenance of the information system can detect any irregularities in operations, but can also be the root cause of exposing vulnerabilities during the maintenance process. Fred Cohen states that "system maintenance causes periods of time when systems operate differently than normal and may result in temporary or permanent inappropriate or unsafe configurations. Maintenance can also be exploited by attackers to create forgeries of sites being maintained, to exploit temporary openings in systems created by the maintenance process, or other similar purposes. Maintenance can accidentally result in the introduction of viruses, by leaving improper settings, and by other similar accidental events."[1] Therefore, system maintenance introduces the need for a significant security design which will minimize the ability for attacks to be launched during the maintenance process.
Vulnerabilities are exposed during the system maintenance process that make it easy for an attacker to exploit the system. One of the problems associated with the system maintenance process is the attacker's ability to acquire unauthorized use of an unattended terminal, which has been logged on by an authorized person.[2] In order to ensure that system users have maximum capabilities to perform their task, users are often given unrestricted access that exceeds the privileges needed to perform their task. A system that provides full programming capabilities is bound to be exploited by attackers, because the entire information system can be easily accessed by authorized and unauthorized users. Another common problem is the ability of maintenance personnel to work in an environment without scrutiny. There is an enormous need for computers to assist in the organization's day-to-day operations. Therefore, most maintenance personnel are encouraged to perform system maintenance after work hours in order to prevent work stoppage. This allows an attacker sufficient time to exploit the system without fear of detection.
System maintenance allows errors to occur during the process that leave the system vulnerable to exploitation by attackers. Glitches in application upgrades have been known to interrupt service. In 1997, America Online members were unable to gain access to accounts after a system maintenance error. "The problem occurred in a log-in system following routine maintenance..."[3] Problematic software installed during regular maintenance can cause a system to become crippled. Intuit, Inc.'s online tax filing system was down for twelve hours in April 1999, three days before the tax filing deadline, as the result of routine maintenance.[4]
As discussed previously, precautions must be taken during the course of system maintenance in order to prevent vulnerabilities to attacks that can be launched against a system. The slightest glitch in the process can result in massive economic loss or an enormous amount of confidential information exposure. Once an attack of this magnitude is perpetrated, it is extremely difficult to recover lost information. An example of an attack caused by system maintenance was the Western Union data heist. On the weekend of September 10th, 2000, Western Union, established in 1871, discovered that its telegraphic money transfer system had been attacked by thieves. The attackers had gained access to the credit card numbers of more than 15,700 customers and transferred funds from their accounts. The attack was easily launched against the money transfer system because system administrators had left the database unprotected during a routine maintenance process. The attack occurred shortly after Western Union had initiated a program that allowed customers to transfer funds via online transactions that would charge the customers' credit cards. Although many customers' credit card accounts were left vulnerable to misuse, the actual amount stolen is still unknown at this time.[6]
Tom Standage states that "Digital security, once the province of geeks, is now everyone's concern. But there is much more to the problem–or the solution–than mere technology."[7] Only a small percentage of IT budgets is dedicated to security; the bulk of information technology budgets is dedicated to development and maintenance. Clearly, security is not a major concern of upper management until they are victimized by an attacker.[8]
It is difficult to justify the allocation of budgeting to network security when organizations are failing to report the amount of loss caused by system maintenance vulnerabilities. Information protection can't be accomplished by merely providing security guards at the door; protection requires an organizational response to the problem. All of the crucial data and business secrets that are maintained by an information system cannot be expected to be absolutely protected by overworked system administrators. The lack of proper planning by senior management makes the break-in of information systems rather easy for attackers. Awareness is a key component for ensuring that maintenance personnel do not forget that their task does not end with providing maintenance for the system, but also includes providing protection for the information that is being processed.
It is evident that system maintenance is the root cause of many vulnerabilities created in the information system. These vulnerabilities are ideal for attackers to gain access to valuable information that can be utilized for malicious intentions. System maintenance is a necessary component of the information technology world; therefore, strategies must be devised to protect the information systems during the maintenance process. System controls must be implemented that will mitigate the possibility of attacks being easily launched during the maintenance process. In order for an effective strategy to be designed, management must stop relying solely on system administrators and security guards to protect the information system, and must begin encouraging the entire organization to become involved in the information protection process.
SYSTEM MAINTENANCE CAUSED ATTACK
REACTION TO MAINTENANCE FLAWS
SUMMARY, CONCLUSIONS, AND FURTHER WORK
REFERENCES
[1] Cohen, Fred. Protection and Security on the Information Superhighway. 1996. http://all.net/books/superhighway/aspects.html
[2] Mixter. Protecting Against the Unknown. January 2000. http://www.tlsecurity.com/Textware/Security/protecting.html
[3] Golden, Ed. Log-in System Foul-up Cuts Off AOL Users. February 1997. http://www.computerworld.com/news/1997/story/0,11280,23018,00.html
[4] Diederich, Tom. Online Tax Site Suffers Outage. April 1999.
[5] Cohen, Fred. Protection and Security on the Information Superhighway. 1996. http://all.net/books/superhighway/aspects.html
[6] ZDNET News. Western Union Data Heist: 'Human Error'. September 10, 2000. http://zdnet.com.com/2102-11-523769.html
[7] Standage, Tom. Securing the cloud. http://www.economist.com/surveys/displaystory.cfm?story_id=1389589
[8] Ibid.
[9] Ibid.