
Computer Vulnerabilities

Computer security was formally addressed by the Department of Defense (DoD) for the first time in 1973. As more and more businesses use automated information systems (AISs) to support DoD programs, computers and their vulnerabilities become increasingly important to national security.

Today's user-friendly computers are less than five years old. While easier to use than earlier models, they are also more vulnerable. A key element of good computer security is the detection and correction of these vulnerabilities.

Vulnerability refers to conditions that could result in the inadvertent disclosure of information processed on an AIS. More specifically, it is a hardware, firmware, or software weakness or design deficiency that leaves an AIS open to internal or external exploitation and allows the compromise or alteration of information or denial of service.

Some vulnerabilities are common and innocent and have been discussed in trade journals, commercial magazines, and user groups. For example, fixed disks that store software inside personal computers (PCs) minimize the shuffling of diskettes and improve system performance. What users often do not realize, however, is that many seemingly professional word processing and graphics packages as well as operating systems create temporary scratch files or holding areas for data during processing. The system then deletes these files from its directory at the end of the processing session. If the disk is not protected or overwritten at the end of each session, the internal fixed disk may contain hidden but recoverable data. A removable diskette containing similar programs is subject to the same vulnerabilities.

The standard disk operating system (DOS) for PCs contains another significant vulnerability in how certain utilities store and copy data. The DOS copy utility duplicates not only the desired data but also extraneous material. This other data might include classified or company proprietary information. In addition, its diskcopy command duplicates all hidden files and fragments on a disk. Either way, classified data could become available to an unintended recipient.
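As an added illustration that is not part of the original column, the toy disk model below shows the two points above in code: a scratch file whose directory entry is deleted at the end of a session stays on the media, a later file's slack carries that residue into any cluster- or sector-level copy, and overwriting the clusters before deleting removes it. The 16-byte cluster size, file names and "TOP SECRET" contents are all constructed for the demonstration.

```python
CLUSTER = 16  # bytes per allocation unit in this constructed toy disk


class ToyDisk:
    def __init__(self, clusters):
        self.image = bytearray(CLUSTER * clusters)  # raw media contents
        self.free = list(range(clusters))           # free-cluster list
        self.directory = {}                         # name -> (size, clusters)

    def write(self, name, data):
        used = [self.free.pop(0) for _ in range(-(-len(data) // CLUSTER))]
        for i, c in enumerate(used):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # only len(chunk) bytes change; the rest of the cluster keeps old data (slack)
            self.image[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.directory[name] = (len(data), used)

    def delete(self, name):  # plain delete: directory entry goes, clusters untouched
        _, used = self.directory.pop(name)
        self.free = sorted(self.free + used)

    def sanitize(self, name):  # overwrite every cluster before releasing it
        for c in self.directory[name][1]:
            self.image[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
        self.delete(name)

    def cluster_copy(self, name):  # copies whole allocation units, slack included
        _, used = self.directory[name]
        return b"".join(bytes(self.image[c * CLUSTER:(c + 1) * CLUSTER]) for c in used)

    def logical_copy(self, name):  # copies exactly the file's bytes, no slack
        return self.cluster_copy(name)[: self.directory[name][0]]

    def sector_copy(self):  # DISKCOPY-style duplicate: every byte, allocated or not
        return bytes(self.image)


def residue_after_session(overwrite_before_delete):
    """Write a scratch file, end the session, reuse the disk; report where the secret survives."""
    d = ToyDisk(4)
    d.write("scratch.tmp", b"TOP SECRET draft of the budget")  # 30 bytes -> clusters 0, 1
    (d.sanitize if overwrite_before_delete else d.delete)("scratch.tmp")
    d.write("memo.txt", b"ok")  # reuses cluster 0 but overwrites only 2 bytes of it
    return {
        "sector_copy": b"SECRET" in d.sector_copy(),
        "cluster_copy": b"SECRET" in d.cluster_copy("memo.txt"),
        "logical_copy": b"SECRET" in d.logical_copy("memo.txt"),
    }
```

With a plain delete the secret is still found by a sector-level duplicate and by a cluster-level copy of the unrelated memo; after overwriting before deletion it is found by neither.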

Possibly the best-known computer vulnerabilities are viruses, which have received considerable media coverage in recent years. The cost to industry and US taxpayers has been estimated at more than $1 million. Viruses can cause the loss of programs, information, or system time, which could be worth millions of dollars. The easiest way to avoid viruses is to avoid secondhand or bootlegged software and certain public bulletin boards.

Other computer vulnerabilities are less well-known and may be program or system specific. An excellent source of information about these hazards is the Computer Security Technical Vulnerability Reporting Program (CSTVRP) managed by the National Security Agency (NSA). The program was established in 1986 by the DoD as a means of collecting and distributing information about known or suspected computer vulnerabilities. The objective of this reporting program is to ensure that data processing facilities can be alerted when a vulnerability is identified.

Department of Defense Instruction DoDI 5215.2, Computer Security Technical Vulnerability Reporting Program (CSTVRP), dated November 2, 1986, established specific procedures for reporting such information within the DoD. The program focuses on technical vulnerabilities in commercially available hardware, firmware, and software products. The reporting form asks for a point of contact, nature of the vulnerability, type of system, and related factors. NSA will not disclose the source of a report as this would unfairly jeopardize the reporting facility's AIS security. After the data is evaluated, a formal report is generated by NSA and disseminated via established channels.

The instruction that established the program applies only to the DoD. Participation is voluntary for DoD contractors and the non-DoD AIS community, including government and commercial activities. Whether mandatory or voluntary, participation benefits everyone. The unauthorized disclosure of sensitive proprietary data could be as devastating to a company as the loss of sensitive or classified data would be to a government program. For additional information, cleared contractors participating in the Defense Industrial Security Program should contact their local Defense Investigative Service field office.

Understanding vulnerabilities is only one aspect of computer security - but a very important one. All data, whether proprietary, unclassified, or classified, has economic, geopolitical, or military value, which makes it a tempting target for our competitors, foreign or domestic.

Robert G. Schwalls, CPP, is deputy director of the Defense Investigative Service.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Author: Schwalls, Robert G.
Publication: Security Management
Article Type: column
Date: Nov 1, 1989
