The Ubiquitous Micro

Historically, desktop computers have been on the fringe of information security, which has its roots in the protection of very expensive, highly centralized, multi-user information processing systems. Today, desktop computers performing distributed computing are no longer on the fringe. Failure to realize this will undermine your ability to protect any information system, big or small, for four reasons:

1.  A significant percentage of mission-critical computing is now performed on personal computers deployed as LAN workstations and network file servers.⁵

---

⁵About 76% of survey respondents said they were running “mission critical” applications on local area networks. Ernst & Young survey of 1,271 technology and business executives, January, 1995.

---

2.  Most large-scale computer systems are at some point connected to one or more desktop systems. Even when PC connectivity is not specifically provided to a large system, PC access may be possible, for example, via a remote maintenance line.

3.  Inexpensive and widely available desktop systems now have the power to mount attacks that endanger the security of large-scale systems, such as brute force cryptanalysis, password-cracking, and denial-of-service attacks.⁶

---

⁶For example, a modest 486 and a modem is all it takes to mount a very effective denial of service attack on a Web site, mail gateway, or even an Internet Service Provider such as the New York provider, PANIX, which was disrupted for more than a week in 1996.

---

4.  Knowledge about how to use, and abuse, desktop computers is widely dispersed throughout most areas of society and most countries of the world. This is a far less homogeneous, and thus less predictable, population than previous generations of computer users.⁷

---

⁷“After 1998, the widespread availability of inexpensive disruptive technology and the broadening base of home computer users will put threat capabilities into the hands of a wider, less-privileged class, dramatically increasing the risk for intermediate-size organizations (0.8 probability).” Gartner Group.

---

5.  Such knowledge, particularly new developments in software techniques that can be abused to compromise security, is instantly accessible via the Internet.⁸

---

⁸For example, instructions for mounting the type of attack suffered by PANIX were posted on the Internet and recently an easy-to-use Windows attack program was released.

---

Clearly, an understanding of desktop security is more important than ever. Desktop machines are an integral part of the client-server distributed computing paradigm that dominates the late 1990s. In the vast majority of systems, the clients to which servers serve up data are microcomputers; the primary topology by which they do this is the local area network. Furthermore, in an increasing number of systems, the servers themselves are essentially beefed-up microcomputers. This is particularly true of the Internet, which is beginning to rival leased lines and private value-added networks as the data communication channel of choice.

Desktop System Architecture

Although you may be familiar with the following definitions they are stated here because they have important security implications which are not always understood.⁹ A microcomputer is a computer system in miniature, a collection of hardware and software that is small enough to fit on a desk (or into a briefcase or even a shirt pocket) but able to perform the four major functions that define a computer system: input, processing, storage, and output. Note that processing requires both a processor and random access memory (RAM). Also note that RAM is different from storage (data that are stored remains accessible after system reset or reboot, data held in RAM are typically not accessible after system reset or reboot).

---

⁹For example, it is relatively easy to configure a dumb terminal so that the screen is the only output device which is ideal for transitory lookup access to confidential data, such as medical records. But it is relatively difficult to lobotomize a PC so that it cannot retain or redirect whatever data it receives. I still meet mainframe-oriented systems people who have not yet grasped this distinction.

---

Soon after microcomputers were developed, the term “personal computer” was coined to describe these self-contained computer systems. This was later shortened to “PC” although this term is often used to refer to a specific type of personal computer, that is, one based on the nonproprietary architecture developed by IBM around the Intel 8086 family of processors (including the 80286, 80386, 80486, and Pentium chips).