Computer Security

As organizations increasingly rely on microcomputers, they lose the control of information processing that was present in the traditional data center. As the control of computing information moves to the desk top and remote sites via networking, it is essential that managers understand the threats to this information and create security plans that will meet this new challenge.

Recent strides in microcomputer technology have increased the vulnerability of this equipment. The latest generation of PC’s has 512 MB of RAM standard, a Pentium 4 processor, and 80 GB of disk space.

Microcomputer security controls work with a different set of variables than those used for mainframes. For example, control over program changes, data security, system documentation, backup, recovery plans, and system testing are inherent in most mainframe environments. However, microcomputer systems seldom have this protection.

One of the most critical security issues, one that has been compounded by the micro and LAN/WAN revolution, is a lack of awareness, by executives and users, to the vulnerability of their critical and sensitive information. Microcomputers have unique security problems that must be understood for effective implementation of security measures. These problems include;

• Physical Accessibility

• Hardware

• Software

• Data Communications

• Networking

• Disaster Recovery

Several approaches need implementing in order to provide the necessary security for microcomputers.

Hardware Solutions

• Locks

• Desk Mounts

• Enclosures

• Steel Cables

Disk locks are also available to prevent access to hard drives and diskette drives. Planning and diligent administration are the keys to securing microcomputers and the information they process.

An increasing problem in most organizations is microcomputer and/or component theft involving personnel within the company as well as outsiders. Some of these components are easy to carry away in a purse, briefcase, or coat pocket. Organizations that lack accurate or current inventories of their PC equipment, components and peripherals are the most vulnerable.

A situation similar to automobile "chop shops" has become prevalent in the PC industry. Black market sales of "hot" PC parts are costing corporate America over $8 billion a year.


Things to consider in regards to system security;

1. Can the Casing on the equipment be removed by unauthorized personnel.

2. Are notebook and laptop computers secured to desk tops.

3. Is peripheral equipment such as CD ROM readers, tape back up units and speakers secured to desk tops.

4. Are floppy drives secure from the introduction of unauthorized software, viruses or the removal of confidential corporate information.

Software Solutions

Viruses have left a number of corporations sadder but all the wiser. A virus can change data within a file, erase a disk, or direct a computer to perform system-slowing calculations. Viruses may be spread by downloading programs off of a bulletin board, sharing floppy diskettes, or communicating with an infected computer through a network, by telephone or through the Internet. Anti-virus products are a necessity for the detection, eradication and prevention of viruses. In addition, micro security policy should define permissible software sources, bulletin board use, and the types of applications that can be run on company computers. The policy should also provide standards for testing unknown applications and limit diskette sharing.

Data Residue is data that is stored on erased media. Such data can often be read by subsequent users of that media. This presents a danger in sharing files on diskettes that once contained sensitive or confidential data. This problem also exists for hard drives. One solution available to companies is the use of degaussing products. Primarily used by the US government, corporate America is now finding these effective tools for preventing the disclosure of sensitive information.



Communications Protection

It is astonishing to think, that in today’s competitive environment, corporate America exposes it self by sending sensitive information through E-mail on the Internet. Everything from price lists, strategic plans, budgets, customer lists, mergers and proposals. Bank’s, financial institution’s and the US government have been using encryption technology for years, but not until recently has the technology been available to everyone. With intellectual capital the creator of wealth in the 21st century, it is imperative for companies to protect themselves from threats of misuse, abuse or theft of their sensitive information.

One type of protection you can use for the communication of sensitive information is cryptograph (encryption). Cryptography comes from the Greek words hidden or secret and writing. Thus, cryptography is the art of secret writing. The basic service provided by cryptography is the ability to send information between participants in a way that prevents others from reading it.

Cryptographic systems tend to involve both an algorithm and a secret value. The secret value is known as the key. The reason for having a key in addition to algorithm is that it is difficult to keep devising new algorithms that will allow reversible scrambling of information, and it is difficult to quickly explain a newly devised algorithm to the person with whom you would like to start communicating securely.

The concept of a key is analogous to the combination for a combination lock. You dial in the secret numbers in the correct sequence and the lock opens, you can’t open a combination lock without knowing the combination.

Today there are both hardware devices and software packages available for encrypting users’ data files, hard drives and E-mail messages.



Disaster Recovery

The primary objective of disaster recovery planing is for continuity of business activities. There is special consideration for PC’s because the equipment is widely dispersed and many people are involved. Systems users should be encouraged to protect themselves by developing and maintaining their own fallback procedures. In situations where locally stored backup copies would be lost with originals, special consideration should be given to storing periodic archival copies at some location unlikely to be jointly affected by common emergencies such as fire, flooding or earthquake.

Many companies maintain three copies of all microcomputer information, referred to as grandfather, father, and son. The son is the working copy; the father is kept close at hand (it is the backup needed most frequently); and the grandfather is kept off-site in a location that the company can easily access. The grandfather copy should be stored in a fireproof corporate vault located in a different building, or in a bank safe-deposit box.



The Future

The introduction of security planning and countermeasures must be accompanied by a strong awareness training program. It is extremely important to create an awareness of security and inform your users of the procedures they need to maintain for adequate safeguards.

The cause of most data security problems is lack of management concern. Security will always be a managerial rather than a technical problem. To guard against costly and embarrassing breaches of security, management must clearly establish and enforce security policy, plans, and procedures.

Securing Your Companies Network

Today’s corporate networks are complex and diverse. They connect mainframes, minis, PC’s, LAN’s and peripherals over ever-widening geographic boundaries. This diversity, both technically and geographically, means that devising an effective corporate-wide security plan involves adapting security techniques and procedures from the various systems currently incorporated in your company.

Objectives of Network Security

• Ensure that any message sent, arrives at the proper destination.

• Ensure that any message received was in fact the one that was sent. (nothing added or deleted)

• Control access to your network and all its related parts. (this means terminals, switches, modems, gateways, bridges, routers, even printers)

• Protect information in-transit, from being seen, altered, or removed by an unauthorized person or device.

• Any breaches of security that occur on the network should be revealed, reported and receive the appropriate response.

• Have a recovery plan, should both your primary and backup communications avenues fail.

Things to consider in designing a network security policy

• Who should be involved in this process?
  

• What resources are you trying to protect? (Identify your assets)
  

• Which people do you need to protect the resources from?
  

• What are the possible threats? (Risk assessment)
  

• How important is each resource?
  

Unless your local network is completely isolated, (standalone) Your will need to address the issue of how to handle local security problems that result from a remote site. As well as problems that occur on remote systems as a result of a local host or user.

What security measures can you implement today? and further down the road?

*Always re-examine your network security policy to see if your objectives and network circumstances have changed. (every 6 months is ideal.)

NIST Checklist for functions to consider when developing a security system

The National Institute for Standards and Technology (NIST) has developed a list for what they refer to as Minimal Security Functional Requirements for Multi-User Operational Systems. The major functions are listed below.

1. Identification and authentication - Use of a password or some other form of identification to screen users and check their authorization.
   

2. Access Control - Keeping authorized and unauthorized users from gaining access to material they should not see.
   

3. Accountability - Links all of the activities on the network to the users identity.
   

4. Audit Trails - Means by which to determine whether a security breach has occurred and what if anything was lost.
   

5. Object Reuse - Securing resources for the use of multiple users.
   

6. Accuracy - Guarding against errors and unauthorized modifications.
   

7. Reliability - Protection against the monopolization by any user.
   

8. Data Exchange - Securing transmissions over communication channels.

Set Priorities

You can’t possibly do everything at once. Assign responsibilities and tackle the most urgent needs first. This usually means controlling workstation access. Use key’s, passwords, or identification cards to ensure that only authorized personnel can start up a system.

Basic levels of network access:

• Network Supervisor- has access to all functions including security.
  

• Administrative Users- a small group given adequate rights to maintain and support the network.
  

• Trusted Users- users that need access to sensitive information.
  

• Vulnerable Users- users that only need access to information within their job responsibilities.
  

Auditing the Process

Making sure your security measures work is imperative to successfully securing your data and users. You have to make sure you know who’s doing what on the network. Components of a good audit will include;

• A log of all attempts to gain access to the system.
  
  

• A chronological log of all network activity.
  
  

• Flags to identify unusual activity and variations from established procedures.
  

Handling Security Violations and Breaches

Your first responsibility is to define what an “insider” and “outsider” is, based on administrative, legal and political boundaries within your organization. These boundaries will then become your course of action against an offending party; from a written warning, to filing formal legal charges. Therefore, you need to define actions based on the specific type of violation, as well as, defining the series of actions based on the kind of user that violates your computer security policy.

Keep in mind, that education is going to be your best defense. Make sure that your corporate security policy statement is widely disseminated and discussed. The policy should be reinforced with internal education, training for all new-hires, on-going workshops, and review sessions. Make sure that all personnel clearly understands the policy and it’s language. Try to clarify things so that there is no ambiguity or inconsistencies within the policy.

These meetings should be open to all of your network users and upper management, who may need to make decisions on significant questions as they arise. With this type of forum, you will increase user participation and interest. This will also lead better understanding of your policy, which will also make users more likely to follow it.

If a company cannot show “due Diligence” in protecting its trade secrets, directors and officers may be held accountable by the stockholders. Some executives are pushing their luck by failing to report such actions as misappropriation of trade secrets, theft of confidential data, or even theft of hardware and PC components.

Evaluating your security policy

• Does your policy comply with law and with duties to third parties?
  

• Does your policy compromise the interest of your employees, your company or third parties?
  

• Is your policy practical, workable and likely to be enforced?
  

• Does your policy address all of the different forms of communication and record keeping within your organization?
  

• Has your policy been properly presented and agreed to by all concerned parties?

With adequate policies, passwords, and precautions in place, the next step is to insist that every vender, supplier, and consultants with access to your system secure their computers as adequately as you secure yours. Also, work with your legal department or legal advisors to draft a document that upon signing it would recognize that the data they are in contact with is yours.

© Innovative Security Products Inc.