In security, an exposure is a form of possible loss or harm in a computing system; examples of exposures are unauthorized disclosure of data, modification of data, or denial of legitimate access to computing. Vulnerability is a weakness in the security system that might be exploited to cause loss or harm. A human who exploits vulnerability perpetrates an attack on the system. Threats to computing systems are circumstances that have the potential to cause loss or harm; human attacks are examples of threats, as are natural disasters, inadvertent human errors, and internal hardware or software flaws. Finally, control is a protective measure--an action, a device, a procedure, or a technique--that reduces vulnerability.
The major assets of computing systems are hardware, software, and data. There are four kinds of threats to the security of a computing system: interruption, interception, modification, and fabrication. The four threats all exploit vulnerabilities of the assets in computing systems.
(1) In an interruption, an asset of the system becomes lost or unavailable or unusable. An example is malicious destruction of a hardware device, erasure of a program or data file, or failure of an operating system file manager so that it cannot find a particular disk file.
(2) An interception means that some unauthorized party has gained access to an asset. The outside party can be a person, a program, or a computing system. Examples of this type of failure are illicit copying of program or data files, or wiretapping to obtain data in a network. While a loss may be discovered fairly quickly, a silent interceptor may leave no traces by which the interception can be readily detected.
(3) If an unauthorized party not only accesses but tampers with an asset, the failure becomes a modification. For example, someone might modify the values in a database, alter a program so that it performs an additional computation, or modify data being transmitted electronically. It is even possible for hardware to be modified. Some cases of modification can be detected with simple measures, while other more subtle changes may be almost impossible to detect.
(4) Finally, an unauthorized party might fabricate counterfeit objects for a computing system. The intrude may wish to add spurious transactions to a network communication system, or add records to an existing database. Sometimes these additions can be detected as forgeries, but if skillfully done, they are virtually indistinguishable from the real thing.
【Vocabulary】
disclosure
n. 揭发,败露,败露的事情
modification
n. 更改,修正,修改
legitimate
adj. 合法的,合理的,正统的
vulnerability
n. 弱点,攻击
perpetrate
v. 做,犯(坏事,过失等)
circumstance
n. 环境,详情,境况
inadvertent
adj. 不注意的,疏忽的
flaw
n. 缺点,裂纹,瑕疵
interception
n. 中途夺取,拦截,侦听
modification
n. 更改,修改,更正
asset
n. 资产,有用的东西
fabrication
n. 制作,构成,伪造物
illicit
adj. 违法的
interceptor
n. 拦截机
forgery
n. 伪造物,伪造罪,伪造
indistinguishable
adj. 不能识别的,不能区别的
【参考译文】
破坏安全的类型
在计算机系统中,泄露是一种可能使安全丧失或受到伤害的形式;泄露的例子是非授权的数据的公开、数据的修改或者是拒绝合法的计算机访问。脆弱性是安全系统中的弱点,它可能引起安全的丧失或伤害,以及利用其弱点对系统进行人为的恶意攻击。对计算机系统的威胁是引起安全丧失或伤害的环境;攻击是威胁的例子,像自然灾害、疏忽和硬件或软件缺陷等也都是对计算机系统的威胁。最后,控制是一种保护性措施(它可以是一种动作、一个设备、一个过程或一种技术),可以减少脆弱性。
计算机系统的主要资源是硬件、软件和数据。有4种对计算机系统安全的威胁:中断、截取、修改和伪造。这4种威胁都利用了计算机系统资源的脆弱性。
(1)在中断的情况下,系统资源可能丢失,不可用或不能用。例如,蓄意破坏硬件设备,删除程序或数据文件,操作系统的文件管理程序出现故障,以至不能找到某一特定的磁盘文件。
(2)截取是指某一非特许用户掌握了访问资源的权利。外界用户可以是一个人、一个程序或一个计算机系统。这种威胁的例子如程序或数据文件的非法拷贝,以及窃取网络上的数据。数据丢失可能会很快被发现,但很可能截取者并不留下任何容易检测的痕迹。
(3)如果非授权用户不仅可以访问计算机资源,而且可以篡改资源,那么这种破坏就称为修改了。例如,某人可以修改数据库中的值,更换一个程序,以便完成另外的计算,或修改正在传送的电子数据,它甚至还可能修改硬件。
某些情况下可以用简单的措施检测出所做的修改,但是许多微妙的修改几乎是不可能被检测出来的。
(4)最后,非授权用户可以伪造计算机系统的一些对象。入侵者妄图向网络通信系统加入伪造的事务处理业务,或向现有的数据库中添加记录。有时,这些增加的数据可作为伪造品被检测出来,但是如果做得很巧妙,这些数据实际上无法与真正的数据区别开。
【Reading Material】
How do you deal with Internet fraud?
Summary
Internet fraud should be addressed as two specific issues: fraud that uses Internet technology as an integral part of the fraud; fraud that is already taking place by other means and the Internet is merely another method of delivery.
Methods exist that stop fraudsters misusing the technology, which can be rapidly implemented, but factors such as industry acceptance and concerns over potential liability if previous security claims could be claimed to be inaccurate will delay introduction. Much effort is spent promoting logos and confusing self-regulation, and trying to catch fraudsters, whilst the adoption of formal standards and accreditation for security (such as ISO 17799) are only starting to take place.
New Internet environment crimes may exist, such as defrauding machines or causing business harm by denial of service or virus attacks, and these will require social and legal steps to address them. However, the Internet has provided the fraudster with access to a significantly bigger market than ever before and effort will be required to create an environment where fraud is resisted by design rather than by insurance.
Introduction
Internet fraud is said to be big business. But what is it, and does using the Internet create the fraud, or is the Internet just a different way of delivering traditional fraud.
Fraud is essentially persuading someone of something with intent to deceive, perhaps with criminal intent. The deceit may be to persuade you to part with money, goods, services, rights or information.
For the purposes of this paper we are not going to examine methods of fraud, but look at the general techniques, how they are applied, and how, if at all, the Internet can be used to make those techniques easier for the criminal to use either to carry out a fraud or to escape detection.
General techniques of fraud
The key to fraud is to persuade you that something is real, when in fact it is not. Once you accept that the fake is real then the fraud can take place--whatever it is.
