A password to computer security.

* A disgruntled former bank employee accesses the bank's computer system and disrupts operations by shutting down the ATM network and the bank's link to the funds transfer system.

* A data center employee manipulates electronic data interchange (EDI) messages, so funds being transferred from a bank to an insurance company go instead to a personal account.

* An outsider gains access to a corporation's private branch exchange (PBX) and makes numerous long-distance telephone calls at the company's expense.

Stories of computer fraud are a growing by-product of expanded computer use. Just how real is the threat to the security of your installation? And what means are available to you to reduce the risks you face?

To understand this threat, one must understand that most computers communicate with other computers, and that integrated networks
are replacing centralized systems. Organizations use computer networks to gain remote access to mainframe computers, to facilitate data transfer between systems, and to link customers, suppliers, and business partners. Personal computers and workstations make the links between these networks still more complex.

When data is transmitted over computer networks, it is vulnerable to interception and disruption. We've all read of unauthorized incursions into both commercial and governmental data networks, resulting in significant financial loss and adverse publicity. Whether such incidents are the result of electronic trespassing by "hackers," who seek access largely as an intellectual challenge, or by technically sophisticated individuals intent on fraud, corporate systems are more and more at risk.

How can your organization address such risks? Begin with the security features and access controls provided by hardware manufacturers and software vendors. These controls need to match both the level of risk you are willing to accept and the level of security that can be achieved in your computer environment. That security level depends on:

* The applications, such as funds transfer, that are supported by the network, and such characteristics as who uses them and what they're used for.

* The network's scope, the access to it, and its links to external systems, plus its hardware and software and the functionality installed in the network, such as encryption (discussed below).

* The culture of the organization and the willingness of users to comply with the controls established.
It is important to recognize that network security controls exist within a hierarchy of information technology controls, which are in turn part of a company's overall internal control structure. So even the best network security will not totally protect an information systems environment if controls in the other levels of the hierarchy are lax. The challenge comes from the fact that the user-friendliness and ease of access sought in a computing environment are the very factors that can create potential risk. Making a network easier to use can also make it easier to misuse.

THREATS TO SECURITY

Network security must guard against breaches in three areas:

* Confidentiality. Individuals intercept data but do not attempt to modify it. Eavesdropping is not always as innocent as it seems, and analyzing the size and frequency of transmissions may be an initial step in penetrating a network.

* Integrity. Unauthorized persons modify message content, delete messages, or re-route messages. They often masquerade as authorized users.

* Availability. Someone penetrates the system and either shuts it down or wipes out the information it contains. (Of course, environmental factors--floods, fires, and such--and the failure of hardware or software also affect the availability of the system. I have not attempted to address these problems in this article.)
METHODS OF PROTECTION

Controls in the hardware or software you purchase need to be complemented by appropriate administrative procedures. Network security is most effective when you install one or more of these security mechanisms:

* Encryption. This technique improves confidentiality by transforming data mathematically through the use of an algorithm and a cryptographic key. Whether the data has been encrypted through hardware or software, it cannot be read without the key. Companies normally do the encryption at the point where information crosses from an internal network, where access is restricted, to an external public network, where data is subject to eavesdropping. Data intercepted on the public network cannot be read in clear text without access to the key.

* Message authentication. At times, the party receiving a message must be certain that the source is authentic and that the contents have not been altered; confidentiality is less important. When a network message is transmitted, an authentication code is sent along with it. The recipient computes the code independently and compares it with the one accompanying the message. If implemented properly, this method would have prevented the data center fraud example at the beginning of this article.

* Remote access protection. Hardware and software can be combined to restrict the ability to dial into computer networks.
This method calls for user authentication--such as with a user ID or password--prior to connection, or employs a call-back device that disconnects the caller and returns the call to an authorized number. This system, properly implemented and administered, would have foiled the disgruntled bank employee at the start of this article. Increasingly popular is the "smart card," which is the size of a credit card and generates a one-time password that changes each time a person signs onto a computer. In addition, biometric devices, the technology of the future, will authenticate the user through retinal, fingerprint, or keystroke-timing analyses. As the technology improves and becomes less expensive, biometric devices will become increasingly popular.

To make any of these systems work, however, they must be integrated into the company's operations.
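The two mechanisms just described, the authentication code that travels with a message and the one-time password generated by a token, both reduce to a keyed hash over a shared secret. The following is an added example, not code from the article; it uses HMAC from Python's standard library, a constructed shared key and a constructed EDI-style payment instruction, and assumes the counter-based one-time password construction of RFC 4226 (HOTP) as the way the token derives each password. It shows that an altered message fails verification and that a replayed one-time password is rejected.

```python
import hashlib
import hmac
import struct

# Constructed example key. In practice this is the item whose distribution
# must be tightly controlled; it is hard-coded here only so the example runs.
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def authenticate_message(key: bytes, message: bytes) -> bytes:
    """Sender side: compute the authentication code sent along with the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, received_code: bytes) -> bool:
    """Recipient side: recompute the code over the received message and compare.

    compare_digest runs in constant time, so the comparison itself leaks
    nothing about how many bytes of a forged code happened to match.
    """
    expected = authenticate_message(key, message)
    return hmac.compare_digest(expected, received_code)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """One-time password for a given counter value (HOTP, RFC 4226).

    The token and the host both hold the key and a counter; every sign-on
    advances the counter, so each password is valid once.
    """
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(key: bytes, submitted: str, last_counter: int, window: int = 3):
    """Host side: accept a password only for a counter beyond the last one used.

    Returns the counter to record as used, or None if the password is rejected.
    Because only counters greater than last_counter are tried, an intercepted
    password that has already been used can never be replayed.
    """
    for counter in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Constructed EDI-style instruction, in the spirit of the data center example.
    instruction = b"PAY 250000.00 FROM ACCT 1001 TO ACCT 2002"
    code = authenticate_message(SHARED_KEY, instruction)
    print("genuine message verifies:", verify_message(SHARED_KEY, instruction, code))

    diverted = instruction.replace(b"ACCT 2002", b"ACCT 9999")
    print("altered message verifies:", verify_message(SHARED_KEY, diverted, code))

    first = hotp(SHARED_KEY, 1)
    print("fresh password accepted at counter:", verify_otp(SHARED_KEY, first, 0))
    print("same password replayed, accepted at counter:", verify_otp(SHARED_KEY, first, 1))
```

Note what the message check does not cover: the authentication code proves that whoever produced it held the key, so the check is only as good as the control over who holds that key. That is the point the next paragraph makes about key distribution.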
Therefore, distribution of items such as cryptographic keys must be tightly controlled. In addition, procedures must be established to monitor security measures, to follow up unauthorized accesses, and to identify and respond to network failures.

STRATEGIES TO CONTROL RISK

Security is of particular concern to organizations using networked distributed systems such as LANs. Two factors make this concern difficult to address. First, technology is changing rapidly, and the life cycle of both hardware and software is growing shorter. Second, installing and administering systems is often not centralized. When individuals have different levels of expertise and local policies differ, security becomes inconsistent. The system generally is as secure as its least secure link.

To mitigate the risk, one can take a number of steps. One of the most important is to consider security up front, when you design your systems network. Of course, the degree of security must also match the importance of the data.

Security will become especially important in open systems. In on-line systems, controls are maintained centrally and are based upon physical or logical access. In open systems--where on-line systems have evolved into real-time systems--the message is the primary component, and security is usually an inherent part of the message. When adopting open systems, corporations must assess the new technology being developed in computer security.
Artificial intelligence, for example, enables user activity to be compared to historic use, and any discrepancies are analyzed to identify security violations.

Finally, the commitment of top management and comprehensive information technology audits are key to a computer security program. Most breaches of security are caused not by product deficiencies but by errors or omissions in their installation or by subsequent errors in administering security. As corporate systems migrate toward multi-vendor configurations, and as the delineation between internal networks and public networks becomes less distinct, this opportunity for human error will increase. Thus, companies relying on the security of their computer networks will insist that the planning and auditing of information systems play a major role in the foreseeable future.
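The comparison of current activity against historic use described above can be made concrete without any learning machinery: build a per-user profile from past sign-ons and flag new events that fall outside it. The following is an added example, not from the article; the sign-on records are constructed, the profile (workstations used and hours of use) and the one-hour slack are assumptions chosen for illustration, and a simple baseline comparison stands in for the "artificial intelligence" the article refers to. Flagged events are returned with the reason, which is what an analyst following up on unauthorized access would need.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history of successful sign-ons (not real log data), one per line:
# timestamp, user, workstation. This stands in for the "historic use" baseline.
HISTORY = """\
1993-03-01T08:55:00 alice teller-07
1993-03-01T12:10:00 alice teller-07
1993-03-02T09:02:00 alice teller-07
1993-03-02T16:40:00 alice teller-12
1993-03-03T08:48:00 alice teller-07
1993-03-01T22:15:00 bob dc-console
1993-03-02T23:05:00 bob dc-console
1993-03-03T22:30:00 bob dc-console
"""

# Constructed new activity to screen against that baseline.
NEW_EVENTS = """\
1993-03-04T09:10:00 alice teller-07
1993-03-04T02:30:00 alice dc-console
1993-03-04T22:45:00 bob dc-console
1993-03-04T22:50:00 mallory dc-console
"""


def parse(lines: str):
    """Yield (timestamp, user, workstation) tuples from the record format above."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        yield datetime.fromisoformat(ts), user, host


def build_profile(history: str):
    """Per-user baseline: how often each hour of the day was used, and from where."""
    profile = defaultdict(lambda: {"hours": Counter(), "hosts": set()})
    for ts, user, host in parse(history):
        profile[user]["hours"][ts.hour] += 1
        profile[user]["hosts"].add(host)
    return profile


def screen(profile, events: str, hour_slack: int = 1):
    """Return [(timestamp, user, host, [reasons])] for events that deviate from the baseline."""
    flagged = []
    for ts, user, host in parse(events):
        reasons = []
        if user not in profile:
            reasons.append("no usage history for this user")
        else:
            p = profile[user]
            if host not in p["hosts"]:
                reasons.append(f"never signed on from {host}")
            # Hours adjacent to any previously used hour count as usual (wraps at midnight).
            usual = {(h + d) % 24 for h in p["hours"] for d in range(-hour_slack, hour_slack + 1)}
            if ts.hour not in usual:
                reasons.append(f"sign-on at {ts.hour:02d}:00 is outside usual hours")
        if reasons:
            flagged.append((ts.isoformat(), user, host, reasons))
    return flagged


if __name__ == "__main__":
    for ts, user, host, reasons in screen(build_profile(HISTORY), NEW_EVENTS):
        print(f"{ts} {user}@{host}: " + "; ".join(reasons))
```

A flag is a discrepancy to be analyzed, not a verdict: the teller signing on at 02:30 from the data center console may have a legitimate reason, and the screen only ensures that someone asks. The baseline also needs to be built from activity already known to be legitimate, or the anomaly quietly becomes the norm.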