This paper examines the major threats facing computer networks in both home and professional settings and outlines the strategies available to mitigate those threats. Drawing on documented cases of malicious intrusion, it discusses the most common attack methods β including weak passwords, malicious software downloads, and social engineering β and explains why the majority of successful breaches are attributable to human error rather than sophisticated hacking. The paper argues that adherence to basic security protocols, regular software patching, strong password practices, and staff training can prevent the vast majority of network intrusions. It also cautions against overly restrictive policies that interfere with productivity.
Computer technology has changed society tremendously in the last two decades. Today, virtually every aspect of modern business depends on computer systems and computer networks, including businesses that have no connection to high technology (Evans, 2004). Just as almost all modern automobiles depend on computerized components, so do typical ordinary businesses, such as the neighborhood bakery, florist, or dry cleaner. However, the extensive reliance on computer systems and networks also poses a security threat to organizations, especially in industries where unauthorized access to information and internal systems and processes could damage business interests.
In the same way that every home and business establishment requires a security system of door locks and bolts to guard against intruders, modern business computer systems also require appropriate safeguards to protect their data and organizational assets from unauthorized access. That is equally true of home computer systems, particularly now that so many people routinely use their home computers to conduct financial transactions and other communications involving potentially sensitive information that could be damaging in the wrong hands.
As is true of almost every technological advance in modern society, the positive and productive uses of new computer technologies have also inspired negative, destructive, and criminal exploitative uses of the same technology. An entire community exists in cyberspace dedicated to infiltrating the computer networks of private individuals and business entities for the purpose of wrongful monetary gain. In some cases, malicious computer system intruders are motivated more by the intellectual and technical challenge than by personal gain or any specific malicious intent toward their victims. Nevertheless, malicious intrusions of computer network systems are a continual threat faced by private individuals and corporate business entities alike. Therefore, all computer networks require security measures and protocols capable of protecting their assets from unauthorized access.
In some respects, private computer users and business network administrators face the same types of threats from which they must protect their computer systems and networks. Specifically, the main threat is that individuals or entities will try to gain access to their systems and networks for the purpose of acquiring private information that can be used for monetary gain (Boyce, 2002; Dam & Lin, 1996). In the realm of private computer networks, the types of information at risk include credit card numbers and bank account information that can be used to withdraw funds fraudulently or to make fraudulent purchases. Private computer network intruders also typically target identifying information such as social security numbers that can be exploited for the purpose of identity theft (Ballezza, 2007; Personick & Patterson, 2003; Schmalleger, 2009).
In the realm of professional business computer systems and networks, malicious intruders may seek similar information for monetary gain as well as proprietary information such as business secrets, strategies, privileged communications, and patents that can be exploited by other businesses for profit. They may also seek to gain remote control of computer networks for the purpose of using them to perpetrate other crimes or to add a layer of protection to hide their identity from authorities investigating their Internet-based crimes (Personick & Patterson, 2003; Schmalleger, 2009).
Generally, the principal methods of protecting computer systems and networks from unauthorized access and control include the timely updating of all software programs to eliminate known flaws and security vulnerabilities, the implementation of appropriate network security measures such as encryption of sensitive information, password protocols, and personnel practices, policies, and procedures designed to eliminate the element of human error from the equation (Boyce, 2002).
According to the largest comprehensive review of documented instances of computer network intrusions and attempted intrusions, the vast majority of malicious attacks on computer networks are perpetrated by relatively low-level "hackers" rather than sophisticated professionals (Baker, Hylender, & Valentine, 2008). Similarly, the majority of those malicious intrusion attempts exploited vulnerabilities that were identified months before by software manufacturers β and for which updates (known as "patches") had already been issued β rather than through highly sophisticated or novel means that involved complex attacks that could not have been anticipated and prevented in advance (Baker, Hylender, & Valentine, 2008).
Computer security consultants compare the computer security habits of many users, both at home and in corporate settings, to car owners who leave their vehicles in dangerous neighborhoods with the keys in the ignition and valuables in plain sight (Schmalleger, 2009). Specifically, the most common method of gaining unauthorized access to computer networks is simply by trying the most common defaults for network passwords β such as "password," "0000," or "12345" β that users never bother to change after acquiring access to their systems (Kizza, 2005; Schmalleger, 2009). Business network administrators generally try to enforce rules requiring employees to create so-called "strong" passwords (i.e., those containing both numbers and letters as well as special characters) and by programming network passwords to expire automatically and prompt for new ones periodically (Personick & Patterson, 2003).
Another common method through which malicious network intrusion is achieved is through the use of malicious software downloads (Kizza, 2005; Personick & Patterson, 2003). This method allows remote hackers to gain network access by tricking authorized users into opening attached files or visiting Internet destinations that install malicious code β such as Trojan horses and "worms" β that capture passwords and even all keystrokes of authorized users and transmit that information to the remote hacker (Kizza, 2005; Personick & Patterson, 2003). Frequently, the methods used to accomplish this exploit popular Internet applications and portals such as Facebook, MySpace, and music download sites, among others (Schmalleger, 2009). The most effective method for combating these risks in the workplace is simply enforcing rules prohibiting this type of non-work use of work computers (Boyce, 2002).
Even simpler methods involve sending users emails with attached files claiming to be something benign (such as jokes, news stories, or discount coupons for consumer products). Once the user clicks to open the attached file, a malicious piece of software is automatically installed on the unsuspecting user's computer system (Personick & Patterson, 2003; Schmalleger, 2009). The most common method of protecting computer systems and networks from these types of intrusions involves proprietary anti-virus and anti-malware software programs designed to scan computer systems on a regular basis, recognize malicious code, alert the user, and inactivate those malicious codes (Personick & Patterson, 2003; Schmalleger, 2009).
Finally, social engineering is another effective way of gaining unauthorized access to computer systems and networks (Larsen, 2007). In principle, social engineering consists of tricking others into voluntarily divulging their system and network access information without realizing it. Typical ruses used against home computer users include telephone calls or emails pretending to be from companies or banks with which the individual has an account, or from the Internet service provider. At some point during the interaction, the malicious party simply requests information such as passwords, account numbers, or social security numbers, supposedly to "verify" account details. In the workplace, social engineering may include attempts by coworkers to obtain the passwords of other employees or the unauthorized use of their computer terminals (Larsen, 2007).
"Human error as primary security vulnerability"
"Risks of overly restrictive security policies"
Computer systems and networks are potentially vulnerable to malicious intrusion attempts that can be extremely harmful to home computer users and damaging to professional organizations. The most common types of attempted system infiltrations are those that exploit long-known software vulnerabilities for which security fixes already existed long before those intrusions occurred. It is possible to substantially mitigate the risks posed to computer and network systems by malicious entities through simply implementing and adhering to basic system security precautions. In general, the sources of risk to network systems are largely a function of user and administrator error. By eliminating basic mistakes and errors at all levels of system control and access, both home computer users and business organizations can safeguard their computers and systems against the most likely threats they face.
You’re 77% through this paper. Sign up to read the remaining 2 sections.
Sign Up Now — Instant Access Already a member? Log inAlways verify citation format against your institution’s current style guide requirements.