Abstract

The use of computer technology has become a vital part of society. Almost every service provided now relies on the usage of computer technology. If a computer system is subjected to an attack, it can create a substantial amount of economic and information losses. Therefore, precautions must be taken to ensure that the system is regularly maintained because one small glitch in the system could cause a catastrophe to occur. However, sometimes the act of maintaining the system can cause vulnerabilities that are easily exploited by attackers. This paper will identify some of the problems commonly associated with system maintenance.

SYSTEM MAINTENANCE DEFINED

System maintenance is a vital part of computer technology, and is emphasized as the best method for protecting your system. Regular maintenance of the information system can detect any irregularities in operations, but can also be the root cause of exposing vulnerabilities during the maintenance process. Fred Cohen states that "system maintenance causes periods of time when systems operate differently than normal and may result in temporary or permanent inappropriate or unsafe configurations. Maintenance can also be exploited by attackers to create forgeries of sites being maintained, to exploit temporary openings in systems created by the maintenance process, or other similar purposes. Maintenance can accidentally result in the introduction of viruses, by leaving improper settings, and by other similar accidental events."[1] Therefore, system maintenance introduces the need for a significant security design which will minimize the ability for attacks to be launched during the maintenance process.

FLAWS OF SYSTEM MAINTENANCE

Vulnerabilities are exposed during the system maintenance process that makes it easy for an attacker to exploit the system. One of the problems associated with the system maintenance process is the attacker's ability to acquire unauthorized use of an unattended terminal, which has been logged on by an authorized person.[2] In order to ensure that system users have maximum capabilities to perform their task, unrestricted access is often provided to users which exceeds the necessary privileges needed to perform their task. A system that provides full programming capabilities is bound to be exploited by attackers, because the entire information system can be easily accessed by authorized and unauthorized users. Another common problem is the ability of maintenance personnel to work in an environment without scrutiny. There is an enormous need for computers to assist in the organization's day to day operations. Therefore, most maintenance personnel are encouraged to perform system maintenance after work hours in order to prevent work stoppage. This allows an attacker sufficient time to exploit the system without fear of detection.

ERRORS CAUSED BY MAINTENANCE

System maintenance allows for errors to occur during the process that leaves the system vulnerable to exploitation by attackers. Glitches in application upgrades have been known to interrupt service. In 1997, American Online members were unable to gain access to accounts after a system maintenance error. "The problem occurred in a log-in system following routine maintenance..."[3] Problematic software installed during regular maintenance can cause a system to become crippled. Intuit, Inc.'s online tax filing system was down for twelve hours in April 1999–three days before the tax filing deadline-- as the result of routine maintenance. [4]"System maintenance sometimes causes downtime, but as a rule, the downtime is worthwhile because the result is, more often than not, beneficial. In cases where downtime is unacceptable, systems that use redundancy to continue to operate during maintenance are appropriate. Inadequate maintenance is generally far worse than downtime caused during maintenance because flaws that might be prevented, detected, or corrected during maintenance occur during normal operation instead."[5] System administrators with unlimited access to sensitive files and databases can make unauthorized changes that can cause massive disruptions to the information system.

SYSTEM MAINTENANCE CAUSED ATTACK

As discussed previously, precautions must be taken during the course of system maintenance in order to prevent vulnerabilities to attacks that can be launched against a system. The slightest glitch in the process can result in massive economic loss or an enormous amount of confidential information exposure. Once an attack of this magnitude is perpetrated, it is extremely difficult to recover lost information. An example of an attack caused by system maintenance was the Western Union data heist. On the weekend of September 10th 2000 Western union–established in 1871–discovered that its telegraphic money transfer system had been attacked by thieves. The attackers had gained access to the credit card numbers of more than 15,7000 customers and transferred funds from their accounts. The attack was easily launched against the money transfer system because system administrators had left the database unprotected during a routine maintenance process. The attack occurred shortly after Western Union had initiated a program that allowed customers to transfer funds via online transactions that would charge the customers credit cards. Although many customers credit card accounts were left vulnerable to misuse, the actual amount stolen is still unknown at this time.[6]

REACTION TO MAINTENANCE FLAWS

Tom Standage states that "Digital security, once the province of geeks, is now everyone's concern. But there is much more to the problem–or the solution–than mere technology."[7] Given the small percentage of IT budgets dedicated to security, a bulk of information technology budgets are dedicated to development and maintenance. Clearly, security is not a major concern of upper management until they are victimized by an attacker.[8] "A recent survey by the Computer Security Institute of San Francisco, in conjunction with the Federal Bureau of Investigation, found that 90% of the 503 companies polled experienced security attacks in 2001; 80% of them had notable financial losses as a result. Among the 223 respondents willing and able to quantify those losses, the total cost came to $456m--nearly double their combined losses the previous year. Part of the problem has been the short shrift that companies have paid to the security of computer networks. With the notable exception of banks, health-care groups and other regulated bodies, most businesses spend paltry sums——typically no more than 0.15% of annual sales——protecting their corporate networks. Laura Koetzle, an analyst at Forrester Research in Cambridge, Massachusetts, states that is less than many of them spend on coffee for their staff. [9]

It is difficult to justify the allocation of budgeting to network security when organizations are failing to report the amount of loss caused by system maintenance vulnerabilities. Information protection can't be accomplished by merely providing security guards at the door, protection requires an organizational response to the problem. All of the crucial data and business secrets that are maintained by an information system cannot be expected to be absolutely protected by overworked system administrators. The lack of proper planning by senior management makes the break-in of information systems rather easy for attackers. Awareness is a key component for ensuring that maintenance personnel do not forget that their task does not end with providing maintenance for the system, but also includes providing protection for the information that is being processed.

SUMMARY, CONCLUSIONS, AND FURTHER WORK

It is evident that system maintenance is the root cause of many vulnerabilities created in the information system. These vulnerabilities are ideal for attackers to gain access to valuable information that can be utilized for malicious intentions. System maintenance is a necessary component of the information technology world, therefore, strategies must be devised to protect the information systems during the maintenance process. System controls must be implemented that will mitigate the possibility of attacks being easily launched during the maintenance process. In order for an effective strategy to be designed, management must stop relying solely on system administrators and security guards to protect the information system, and must begin encouraging the entire organization to become involved in the information protection process.

REFERENCES