Computer Security's Critical Myth

Written By: Jon Chorney, Systems Administrator

Despite all of the media attention given to computer viruses, hackers, and the misuse or outright destruction of vital information, most individuals and many businesses barely lift a finger to secure their computer systems. Why is this?

The apparent reasons are many: the continuing expense, additional workload, the need for training and ongoing attention to these issues, the inconvenience of changing routines, etc.

But, at bottom, there is one common, fundamental misunderstanding that inhibits action. It is the belief that a computer virus or hacker action is a personal attack on the victim. That’s why when I ask people about their lack of action to secure their systems, I almost always get the same response: “But, who’d want to try to get into my computers? No one cares about my business!”

Of course, if that were true, then there really wouldn’t be much reason to pay attention to security - unless you’re an obvious target like a big business or a governmental agency.

But that’s precisely where the myth lies. Simply put, the vast majority of viruses and hacking attacks are completely random and impersonal.

Once a computer virus is launched into the world of e-mail or instant messaging, it spreads completely without direction. Unprotected computers are infected and they, in turn, infect others, often by automatically sending contagious messages to everyone in the user's name and address book or by trying to infect the recipient of every message the user sends. In both scenarios, the spread of the virus takes place without the knowledge of the computer user or the virus designer.

Once started, the virus will spread endlessly until every target is infected or protected and/or all sources are cleaned. Since none of these circumstances usually occurs, the anti-virus companies must enable their programs to protect against viruses that can still be found as many as 10 years after they were first launched.

To be sure, there are cases where someone deliberately attempts to infect a particular computer or network. But those numbers clearly pale in comparison to the millions infected on a completely random basis.

For the virus creator, the potential mass destruction itself is a worthy goal. The identities of the victims are immaterial, unless a well-known entity such as a media company, financial institution or governmental agency is harmed.

Likewise, the conventional image of a computer hacker is that of a highly skilled individual who, for political, personal or financial reasons, makes a concentrated effort to gain access to a specific computer or network, often through the Internet. Without question, hundreds of such attacks follow this pattern on a regular basis.

The numbers of those attacks are, however, minuscule when compared to the numbers of attacks launched by amateurs. These are usually teenagers anywhere in the world who download automated tools from the Internet to collect the individual numerical addresses of open computer or network connections to the Internet. (The attack process is made easier by the growing use of high-speed connections, which frequently use the same Internet addresses for their connections.)

Additional automated tools then use the addresses collected by the first program as targets for attempts at forced entry. Once successful, if the hacker’s goal is to take control of the computer to use it to attack another computer on the Internet, the remote control tool is installed and the intruder leaves. The actual identity of the computer’s owner or, indeed, any particular individual information about the computer user is of no concern to the hacker. This is what happened when thousands of computers around the world were infected with the Nimda and Code Red worms (a form of virus).

Of course, once access is gained, a hacker may look around to see if there is any information worth stealing. Desirable information ranges from customer records (with confidential information of all sorts) to bank information (including account numbers, passwords and other security information) to personal information of employees (data used for identity theft). Or, the hacker may choose to simply destroy any or all data on the system.

Note: as has been shown in countless cases, much of the above is true for individual home computers, not just business or governmental systems.

The truth is that computer security is important precisely because attacks are almost always completely impersonal and therefore unpredictable. Once that unsettling fact is accepted, doing little or nothing about security is revealed as, at best, foolish and, at worst, an invitation to severe business and/or individual damage, to say nothing of potential liability claims.

Anti-virus programs, firewalls and security-aware practices and policies can all help to ameliorate the threat.

But first, we must rid ourselves of an old and sadly familiar illusion: “It can’t happen here.”