Module 1: Introduction to Web Security

Chia sẻ: Mai Phuong | Ngày: | Loại File: PDF | Số trang:48

Thêm vào BST

Báo xấu

175
lượt xem 32
download

Download Vui lòng tải xuống để xem tài liệu đầy đủ

This module provides students with an overview of the terms and concepts of, along with the justification for, Web security. This explanation includes an introduction of the STRIDE model, which can be used to categorize threats to Web applications. This module also provides an overview of the technologies and best practices that can be used to build a secure solution for Web applications. After completing this module, students will be able to define the basic principals of, and motivations for, Web security. ...

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Module 1: Introduction to Web Security

Module 1: Introduction to Web Security Contents Overview 1 Lesson: Why Build Secure Web Applications? 2 Lesson: Using the STRIDE Model to Determine Threats 17 Lesson: Implementing Security: An Overview 26 Review 38
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.  2002 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Module 1: Introduction to Web Security iii Instructor Notes Presentation: This module provides students with an overview of the terms and concepts of, 75 minutes along with the justification for, Web security. This explanation includes an introduction of the STRIDE model, which can be used to categorize threats to Lab: Web applications. This module also provides an overview of the technologies 00 minutes and best practices that can be used to build a secure solution for Web applications. After completing this module, students will be able to define the basic principals of, and motivations for, Web security. After completing this module, students will be able to: ! Describe why it is essential to consider security during Web application development. ! Explain the STRIDE model. ! Identify the technologies and best practices that can be used to build a secure environment for running Web applications. Required materials To teach this module, you need Microsoft® PowerPoint® file 2300A_01.ppt. Preparation tasks To prepare for this module: ! Read all of the materials for this module. ! Complete the practices. ! Read Module 11, “Configuring Internet Access for a Network,” in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure. ! Read the TechNet article, “Secure Internet Information Services 5 Checklist,” which is available at http://www.microsoft.com/technet/ security/tools/iis5chk.asp. ! Read the available information about current worms and viruses, which is available on the http://www.microsoft.com/technet/security/virus/ default.asp Web site. ! Read about the current security issues on the http://www.securityfocus.com Web site. ! For information about the monetary loss incurred by companies from viruses, search the Internet for “cost virus.” ! Read Hacking Exposed Windows 2000: Network Security Secrets & Solutions by Joel Scambray and Stuart McClure (New York, Osborne/McGraw-Hill), 2001.
iv Module 1: Introduction to Web Security How to Teach This Module This section contains information that will help you to teach this module. Lesson: Why Build Secure Web Applications? This section describes the instructional methods for teaching each topic in this lesson. Why Is Security So Begin the lesson with a story about a recent security scare or virus. Important? You can learn about current worms and viruses at http://www.microsoft.com/ technet/security/virus/default.asp. You can also receive recent virus information at http://www.ntbugtraq.com, which is a mailing list for the discussion of security exploits. To find information about the cost of not securing a Web application and being attacked, search the Internet for “cost virus.” According to many articles, billions of dollars were lost in 2001. Here are some virus examples from 2002: ! DoubleTap virus A Microsoft SQL Server™ virus was found on May 20, 2002. The virus, named DoubleTap or Spida.a.worm, targets SQL Server Web sites that have the system administrator account, sa, set to blank. The virus, written in JavaScript, adds the guest account to the administrator group and then changes the password of the administrator. Finally, this virus sends the server’s password list to an e-mail address on a central service. ! Benjamin virus A virus known as Benjamin, found in May 2002, is initiating itself from the KaZaa music file swapping service. The virus masquerades as popular songs, videos, and games. Upon infecting a computer, Benjamin creates a new directory, opens that directory to the KaZaa network, and then tries to entice others to download it. The virus is interesting because its author apparently hoped to make money from its propagation. Infected computers are instructed to visit a Web page that is clearly designed to register advertising hits. ! Code Red Internet Information Services (IIS) worm A malicious piece of code, operating as a computer worm, exploits unpatched IIS servers on the Internet. This worm, called Code Red, exploits a security vulnerability in the Microsoft Windows NT® version 4.0 and Microsoft Windows® 2000 Index Services, and may result in one of several outcomes, including Web site defacement and installation of Denial of Service (DoS) tools. The defaced Web page may contain the words “Hacked by Chinese!” and a link to http://www.worm.com, whereas the DDoS code appears to prepare the system to launch an attack against www.whitehouse.gov. Upon comprising the system, the worm attempts to propagate itself to other unpatched IIS systems on the Internet. A patch for this vulnerability was released on June 18th, 2001, and it is discussed in Microsoft Security Bulletin MS01-033.
Module 1: Introduction to Web Security v ! Nimda worm The official name of the worm is W32/Nimda@MM, but it is generally referred to as the “Nimda” worm. This virus attempts to spread through three different means: • E-mail. Infected computers attempt to spread the infection to other users by sending copies of the worm through e-mail. • Web servers. Infected computers attempt to pass the infection to Web servers by either locating an already compromised server, or by exploiting a known security vulnerability in IIS. After it is infected, a Web server will attempt to infect the computers of any users that visit it. • File shares. Infected computers will search for computers that have been configured to allow anyone to add files to these computers and, upon finding such a computer, will insert infected files onto it. ! VBS/Loveletter virus The VBS/Loveletter virus circulates through e-mail. If run, the virus attempts to overwrite .jpg, .mp3, and other file types, and to send a copy of itself to everyone in the recipient’s address book. The e-mail message that contains the virus typically carries a subject line of “ILOVEYOU.” Inside the e-mail message is a short text message that says “Kindly check the attached LOVELETTER coming from me” and an attachment named LOVE-LETTER-FOR-YOU.txt.vbs. The attachment is the virus payload. It is important to note that the virus payload cannot run by itself. For the payload to run, the recipient must open the e-mail message, launch the payload by double-clicking it, and click Yes in a dialog box that warns of the dangers of running untrusted programs. Challenges Involved in This topic discusses some of the challenges that businesses face when Implementing Security implementing security. One of the major issues is that security is often considered only after the Web application is complete, instead of during the initial design process. Relegating security to an afterthought often makes Web applications more costly to develop and less secure. Threats to Web- Define the term threat and then discuss the different types of Web-accessible Accessible Assets assets: tangible and intangible. Who Are Attackers? Note that attackers do not always come from outside the organization. Attackers are sometimes internal to the organization and can take the form of either ignorant or disgruntled employees. Discuss the different skill levels of novice, intermediate, and advanced attackers. What Are Attacks? Discuss attacker motivation, justification, and opportunity. Common Types of Ask students to think of examples of each type of attack. Students may have Attacks heard about attacks in the news or through a security bulletin, or they may have experienced attacks at their own organizations.
vi Module 1: Introduction to Web Security How Do Attacks Occur? If you have an Internet connection in the classroom, you can go to the MSNBC Web site and run the interactive video that demonstrates how a “honey pot” was used to watch an attacker hacking into a system. Go to http://www.msnbc.com/ news/437641.asp and click //HACK. You can learn more about the HoneyNet project at the http://project.honeynet.org Web site. Common Types of Note that students will learn how to address only a few of these vulnerabilities Vulnerabilities during class. Solutions for some vulnerabilities are discussed in the topic “Best Practices in Building Secure Web Applications,” which appears later in this module. Lesson: Using the STRIDE Model to Determine Threats This lesson provides an overview of the STRIDE model. Define each category of threat and provide examples of each category: ! Spoofing identity: If Basic authentication is used in IIS without requiring Secure Sockets Layer (SSL), the user name and password of an authenticated user are sent in clear text over the Internet. If an attacker obtains the user name and password, the attacker can pose as the authenticated user and access the system. ! Tampering with data: The “loveletter” virus changes all .jpg files into copies of itself. ! Repudiability: Attackers often delete event logs after they attack a system so that there is no record of the attackers accessing the system. ! Information disclosure: IIS version 4.0 had a weakness that allowed Uniform Resource Locators (URLs) ending in special characters (a trailing "." or a trailing "::$DATA") to return the script source of Active Server Pages (ASP). ! Denial of Service: The Code Red virus attacked unpatched IIS Web servers and installed Denial of Service tools. ! Elevation of privilege: The DoubleTap SQL Server virus adds the guest account to the Administrator group and then changes the password of the administrator. By doing this, attackers can log on as a guest and have the access privileges of the Administrators group. Practice: Identifying This practice provides an opportunity for students to apply the STRIDE model Threats Using STRIDE to some common scenarios. The scenarios are actual vulnerabilities that were found in earlier versions of IIS. Students will learn more about the STRIDE model in the context of designing secure Web applications and will apply this model to the design of the lab solution in Module 2, “Planning for Web Application Security,” in Course 2300, Developing Secure Web Applications.
Module 1: Introduction to Web Security vii Lesson: Implementing Security: An Overview Security Technology This topic introduces the technologies that support the various security Overview technology fields: authentication, authorization, auditing, privacy, integrity, and nonrepudiation. Students will learn more about these technologies throughout Course 2300, Developing Secure Web Applications. Best Practices in In addition to the coding best practices that the students will learn about in Building Secure Web class, there are also best practices that typically fall under the Information Applications Technology (IT) Professional job category. The purpose of this topic is to identify a few IT Professional best practices that can be employed immediately to increase the security of existing Web applications. Enabling Logging Another best practice that the students should be aware of is event logging and auditing. These tools provide defense against nonrepudiation threats. Practice: Securing the In this practice, students will make their default installation of IIS more secure IIS Default Installation by disabling some unneeded subcomponents. Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. There are no labs in this module, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization.
Module 1: Introduction to Web Security 1 Overview ! Why Build Secure Web Applications? ! Using the STRIDE Model to Determine Threats ! Implementing Security: An Overview *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction This module provides an overview of the terms and concepts of, along with the justification for, Web security. This information forms the basis for the presentation of Web security, which will be expanded upon throughout the rest of Course 2300, Developing Secure Web Applications. This module also provides an overview of the technologies and best practices that can be used to build a secure solution for Web applications. This overview of technologies and best practices is the foundation for further discussions throughout the rest of Course 2300, Developing Secure Web Applications. Objectives After completing this module, you will be able to: ! Describe why it is essential to consider security during Web application development. ! Explain the STRIDE model. ! Identify the technologies and best practices that can be used to build a secure environment for Web applications.
2 Module 1: Introduction to Web Security Lesson: Why Build Secure Web Applications? ! Why Is Security So Important? ! Challenges Involved in Implementing Security ! Threats to Web-Accessible Assets ! Who Are Attackers? ! What Are Attacks? ! Common Types of Attacks ! How Do Attacks Occur? ! Common Types of Vulnerabilities *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction This lesson defines the term security as it applies to Web-accessible assets. Security can be separated into several categories, and each will be defined and explained in this lesson. This lesson also presents the concepts of vulnerabilities, threats, and attacks, and explains how these concepts interrelate. Finally, you will learn why security is so important by looking at some of the reasons that motivate attackers to attack a Web application, and the corresponding consequences of inadequate Web application security. Lesson objectives After completing this lesson, you will be able to: ! Describe the importance of securing a Web application. ! Identify the challenges that are involved in implementing Web application security. ! Describe some of the motivations for attacker intrusion and the consequences of inadequate Web security. ! Define the terms threat, attack, and vulnerability, and explain the interrelationship among them.
Module 1: Introduction to Web Security 3 Why Is Security So Important? ! E-mail viruses, financial fraud, network sabotage, and other security intrusions result in: " Stolen intellectual property " System downtime " Lost productivity " Damage to business reputation " Lost consumer confidence " Severe financial losses due to lost revenue *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Although the Internet makes remarkable things possible, such as e-commerce, information sharing, and business productivity, it is also a very hostile environment for businesses. The vast majority of business-related Web sites have become victims at some point to damaging security breaches, such as e-mail viruses, financial fraud, network sabotage, and more. Even as the amount of money that is spent on securing corporate networks increases, so do the losses that are accrued by businesses in terms of stolen intellectual property, system downtime, lost productivity, damage to reputation, and lost consumer confidence. If a business has an Internet presence, with either a business-to-business or business-to-consumer e-commerce Web site, the business is twice as likely to have its Web servers attacked as businesses that do not participate in e-commerce. It is possible, however, to defend your business’s Web application in this hostile environment by adding the appropriate authentication and authorization schemes, ensuring data integrity with encryption, and performing data validation.
4 Module 1: Introduction to Web Security Challenges Involved in Implementing Security Challenges Reasons Attackers # Attacker needs to understand one vulnerability; defender needs to secure all vs. entry points Defenders # Attackers outnumber defenders # Attackers have unlimited time Security # Secure systems become harder to use vs. # Complex and strong passwords are difficult to remember Usability # Users prefer simple passwords Do I need # Developers and management think that security… security does not add any business value # Managers do not build time for security Security As implementation into schedule An Afterthought *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction It is likely that all Web applications would be secure if implementing security were easy for businesses. Implementing security does not apply only to Web applications, but to the entire system on which the Web application runs. The system includes all of the components that work together to complete user requests for the Web application, including Microsoft® Windows® 2000, Internet Information Services (IIS), Microsoft SQL Server™, and COM+ components. Implementing security into this system involves several challenges, such as the following: ! An attacker needs to find only one weak point to enter the system; correspondingly, a defender needs to make sure that all possible entry points are defended. ! The usability of a system is inversely proportional to its security. ! Security is often added to a Web application as an afterthought, after the Web application development is complete. Attackers vs. defenders You can secure your system by employing several security mechanisms, such as firewalls, proxies, secure channels, and authentication schemes. However, all it takes for a security breach is for an attacker to find one weak point to access your system. Securing all of the possible entry points to the system makes security a complex proposition. Securing your system requires you to keep abreast of the environment, risks, business drivers, and the state-of-the-art security attacks that may affect your system. Failure to have this security- related knowledge will render your Web applications vulnerable to attack.
Module 1: Introduction to Web Security 5 Usability vs. security As a system becomes more secure, it also becomes harder to use. The common example of ease-of-use versus security is the use of passwords. If you force users to use complex passwords, such as T^1Qam-Za9, they tend to write them down to remember them. A simple password, although easy to remember, is also easy to guess, and therefore, it is completely insecure. Balancing usability and security is difficult, but a compromise enables you to satisfy your business requirements. Security as an Security is often an afterthought in Web application development because afterthought developers and management usually consider it as a technology that adds no business value. Adding security after the Web application development is completed makes security solutions even more difficult to create. Most developers know that adding a component to an existing technology is far more difficult than designing it into the system during the early stages of design and development.
6 Module 1: Introduction to Web Security Threats to Web-Accessible Assets ! A threat is a possibility that poses danger to business assets, such as sales data or account information ! Tangible assets " Money, source code, data, business plan, and ideas ! Intangible assets " Identity, privacy, reputation, and name *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction A threat is a possibility that poses danger to business assets, such as privacy or data integrity. An example of a threat is the possibility that an unauthorized person might get access to confidential company data or maliciously adjust account details. All threats are determined in relation to business risk. The greater the risk—that is, the greater the impact on the business should the threat be realized—the greater the threat. High-risk outcomes from threats that have been realized include public embarrassment, loss of credibility or good will, death or injury, and loss of money. Business assets Every business has assets, such as money, business plans, source code, ideas, and reputation, which it wants to protect against attacks. Some assets are tangible and have a monetary value. Other assets are intangible, but are still valuable, such as a organization’s reputation. Business assets are more prone to attack when businesses partake in e-business. Securing a Web application involves protecting the tangible and intangible assets from attackers: ! Tangible assets Tangible assets have a monetary value associated with them, and therefore, these assets should be protected from any type of attack. Tangible assets include money (actual or electronic), source code, data, business plans, and ideas. ! Intangible assets It is easy to understand the need for protecting the tangible assets, because you can measure their worth. Although it is difficult to place a value on intangible assets, certain intangible assets, such as the reputation associated with your organization, are equally important to protect. Intangible assets include identity, privacy, reputation, and name.
Module 1: Introduction to Web Security 7 Who Are Attackers? Corporate Headquarters Corporate Headquarters External Attacker Internet Internal Attacker Ability Characteristics of attackers # Possesses little programming experience Novice # Uses automated tools that are made by others # Possesses significant programming skills Intermediate # Automates tools that are created by others # Is an expert programmer Advanced # Develops tools that others use to attack networks *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Attacks on Web applications and networks can come from both nonemployees and employees. Security threats posed by humans can be broadly divided into the following two categories: ! Internal attackers ! External attackers Internal attackers Internal threats consist of possible attacks by employees or former employees. Employees are the people who are most familiar with an organization’s network and applications, and they are also the people who are most likely to know what actions might cause the most damage. Internal threats are posed by two kinds of employees: ! Malicious employees Malicious employees are those who are disgruntled with the organization and want to cause harm to it. Attacks by such employees are often the most dangerous because these employees know many of the codes and security measures that are in place to protect the assets. Such employees are likely to have specific goals and objectives for attack, and they also have legitimate access to the system. Some of the possible attacks caused by malicious employees can include: • Planting viruses, Trojan horses, or worms. • Accessing and revealing confidential information. • Causing the system to overload or crash.
8 Module 1: Introduction to Web Security ! Nonmalicious employees Nonmalicious threats usually come from employees who are unaware of the security threats and vulnerabilities. These employees are authorized users who are not aware of the actions that they are performing. Errors and omissions can cause valuable data to be lost, damaged, or altered. Often, users, data entry clerks, system operators, and programmers make unintentional errors that contribute to security problems, directly or indirectly. Sometimes the error is a threat, such as a data entry error or a programming error that crashes that system. External attackers External threats are caused by outsiders who want to acquire information to cause harm to the organization. Often, such outsiders are known as hackers or crackers. Hackers or crackers are people who illegally gain access to systems for which they have no authorization. The methods that are used for gaining access to a system include the following: ! Password cracking Password cracking is running an application that tries all password combinations to guess a user's password. ! Network spoofing Network spoofing is intercepting network packets between an authorized user and the organization, and then copying these packets to in order to obtain access to the organization in the same way. ! Exploiting known security weaknesses As hackers and security consultants find bugs in operating system and application software, they publish the security hole. If an organization is not quick about applying patches, other hackers can discover the software running and exploit known bugs.
Module 1: Introduction to Web Security 9 Types of attackers In general, there are three types of attackers: novice attackers, intermediate attackers, and advanced, attackers. Each of these attackers presents a unique challenge to Web application security: ! Novice attackers Novice attackers, also frequently called script kiddies, do not possess significant programming skills. These attackers generally use the tools and exploits that are developed by more experienced and skilled attackers. Novice attackers present a significant danger to Web applications because they are large in number. Most of the attacks that are originated by novice attackers are not meant to cause harm to businesses, but for the attacker to merely have fun. ! Intermediate attackers Intermediate attackers possess more programming skills than novice attackers, but to a certain extent, these attackers still depend on the tools and exploits that are developed by more experienced attackers. Intermediate attackers often automate tools and exploits to replicate the attacks that are developed by experienced attackers. Intermediate attackers present a significant danger to Web applications because they often plan attacks to raise their skill level or status in attacker communities. ! Advanced attackers Advanced attackers are fewer in numbers than intermediate and novice attackers. However, advanced attackers possess significant programming skills with both high-level languages, such as Perl, and lower-level languages, such as C, C++, and Assembler. Advanced attackers generally make their livelihood in developing attacks or as security consultants. Advanced attackers present a significant danger to network security because of their expertise, resources, and skills.
10 Module 1: Introduction to Web Security What Are Attacks? ! A threat that is brought to fruition through the exploitation of a vulnerability ! To instigate an attack, the attacker must have motive, justification, and opportunity " Revenge " Espionage " Publicity " Monetary gain " Exposure of vulnerabilities " Personal satisfaction *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction An attack is a threat that is brought to fruition through the exploitation of a vulnerability (or vulnerabilities) in the system. What instigates an For an attack to take place, the following must occur: attack? ! The attacker must have a motive. For example, an attacker might attack your business’s Web application because he or she dislikes your stance on trade policy. Other attack motivations include revenge, espionage, publicity, monetary gain, exposure of vulnerabilities, and personal satisfaction. ! The attacker must be able to justify the attack. For example, an attacker might believe that by attacking your Web application with antitrade policy graffiti, he or she will heighten awareness, among the public, of your policies. The justification might also be as simple as “because I can” in the case of script kiddies. ! An opportunity must arise. For example, an attacker finds a weakness in the system by which he or she can attack your Web application. When a server is on the Internet, the opportunity for attack is 24 hours a day; therefore, the risk is vulnerability based, rather than time based.
Module 1: Introduction to Web Security 11 Common Types of Attacks Organizational Social Social Organizational Attacks Automated Automated Engineering Engineering Attacks Attacks Attacks Bypasses confidential to Acquire Technology Improper permissions can Harmful code, malicious Blocks access to gain Uses software data information toselftoaccess programs,servicesbusiness gain or gain a result in accessaccess network restricted network replicating Restricted or competitive advantage data Data FC DoS DoS Accidental Breaches Accidental Breaches Denial of Connection Fails In Security in Security Viruses, Trojan Horses, Viruses, Service (DoS) Trojan Horses, and Worms Denial of and WormsUser Service (DoS) 1 2 2 3 3 *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Attacks can range from nontechnological attacks to technological attacks: ! Nontechnological attacks use deception to gain access to a network and include ocial engineering or attacks from another organization. ! Technological attacks include denial of service (DoS) attacks, automated computer attacks, viruses, worms, Trojan horses, and accidental breaches in security. Organizational attacks Organizational attacks include attacks by a competitor to acquire confidential information to gain a business or competitive advantage. Social engineering Social engineering is a common form of password cracking and it can be used by both outsiders and by people within an organization. Social engineering is an attacker term for deceiving people into revealing their password or some form of security information. For example, an attacker can pose as a support engineer, call a company employee, and ask for the employee’s password. A trusting employee might disclose a password, thereby allowing an attacker to access a organization’s resources. Automated attacks Automated attacks come from scripts that are launched at network computers that have known vulnerabilities. The scripts can install viruses that automatically propagate themselves when they are launched. Denial of service (DoS) A DoS attack exploits the need to have a service available. DoS attacks are a attacks growing trend on the Internet because Web applications, in general, are accessible to the public, and therefore, they are vulnerable to attack. People can easily overload the Web server with communication to keep it busy. Therefore, companies that are connected to the Internet should be prepared for DoS attacks.
12 Module 1: Introduction to Web Security Viruses Attackers can also develop harmful code that is known as a virus. A virus is a program that searches out other programs and infects them by embedding a copy of itself into the programs, so that they become Trojan horses. When these programs are executed, the embedded virus is executed too, thus propagating the infection. This infection normally happens invisibly to the user. A virus cannot infect other computers without assistance. Using hacking techniques, attackers can break into systems and install a virus. Viruses, in general, are a threat to any computer environment. Viruses can cause different types of damage—such as deleting files or consuming hard disk space—to a system, and they can be spread through e-mail and disks. Trojan horses Trojan horses are malicious software programs or software code that is hidden inside what looks like a normal program. When a user runs a normal program, the hidden code also runs. The hidden code then starts deleting files and causing other damage to the system. Trojan horses are normally spread by e-mail attachments. For example, the Melissa virus that caused DoS attacks throughout the Information Technology (IT) world in 1999 was a type of a Trojan horse attack. Worms Worms are programs that run independently from other applications and move from computer to computer across network connections. Worms may have portions of themselves running on many different computers. Worms themselves do not change other programs, although they may carry additional code that does. Accidental breaches in If a system administrator configures a network computer with improper security permissions or weak passwords, an accidental breach in security can occur, and attackers can then gain access to restricted data. To assist attackers, there are software programs that are available that can crack a weak password in a short amount of time.