Microcomputer security and control: six inexpensive and simple techniques.MICROCOMPUTER SECURITY AND CONTROL Six inexpensive and simple techniques. The accounting professional who has worked around microcomputers for any length of time knows how difficult it is to maintain their security. With very little trouble, a user can access confidential records and change, copy or erase them. Although no internal control system will protect the microcomputer completely from a determined and sophisticated user, some simple and inexpensive techniques can substantially reduce the likelihood of security breaches. The general strategy behind security is to create layers, or levels, of obstacles through which an intruder must pass before reaching confidential data. The more layers there are, the more difficult it is to access unauthorized information and, hence, the greater the internal control. These layers need not be elaborate or tremendously sophisticated to be effective. That they are in place and it is not immediately apparent how to get around them will increase security. Some of the suggested techniques involve nothing more than using attributes of Microsoft's disk operating system See DOS. 1. (operating system) Disk Operating System - (DOS) The original disk operating system from IBM. DOS was the low-end OS of choice on the IBM 360, the high-end system was called just "OS". (MS-DOS MS-DOS in full Microsoft Disk Operating System Operating system for personal computers. MS-DOS was based on DOS, developed in 1980 by Seattle Computer Products. Microsoft Corp. bought the rights to DOS in 1981, and released MS-DOS with IBM's PC that year. ); others require purchasing a software package. All of them will increase control over valuable information. HIDDEN FILES MS-DOS for IBM (International Business Machines Corporation, Armonk, NY, www.ibm.com) The world's largest computer company. IBM's product lines include the S/390 mainframes (zSeries), AS/400 midrange business systems (iSeries), RS/6000 workstations and servers (pSeries), Intel-based servers (xSeries) and compatible machines has several obscure capabilities. For data security purposes, the best of these is the ability to hide files, directories and characters from view. Hiding a file or directory means the user can't see any part of the file or directory name. Hiding characters allows the user to see part of the file or directory name but keeps one character invisible. Hidden files and directories are considered first. Suppose you have hidden a file named Payroll.90 in the main directory. That file will not appear on the screen when the directory is listed. The advantages of this are obvious. Since the name of the file can't be seen, it's not likely anyone will be able to access it. It will be protected from accidental damage by novice users and from access by intruders, because they will not know where to find it unless an authorized person authorized person Lab medicine A person–eg a physician, who orders tests and receives test results on persons for whom payment is sought under Medicare. See CLIA 88. tells them. To enhance separation of duties and internal control, only the specific names of hidden files or directories required in an employee's job-related tasks need be disclosed. For example, staff responsible for payables would know the names of specific payables files but not of the receivables files. In general, the only way to hide a file or directory is by using a disk utility program such as Professional Master Key Utilities, Norton Utilities Widely used utility programs for Windows and Macintosh from Symantec. Used to fix problems and fine tune the machine, they include functions to restore deleted files, diagnose the disk for corrupted data, defragment the disk and clean up and track changes to the Registry. or Mace Utilities. (See the software products listing on page 86). These programs are inexpensive and easy to use because they are menu-driven and accomplish tasks that cannot be performed with DOS commands A partial list of the most common commands for Microsoft's MS-DOS operating system follows. In versions 5 and later only, the user can get help by typing HELP at the shell prompt. (Before version 6, the help displayed by this command is very basic and not interactive. alone. All utility programs will be slightly different, of course, but the basic methods for hiding a file will be the same: Access the utilities program and call up the files in any given directory. The program will display a menu of the file's "attributes." These are its special characteristics and are not visible to the user. One of these is the hidden/visible option. When the file(s) to be hidden has been located, the attribute can be changed simply from "visible" to "hidden." While hiding an entire file or a directory name is helpful, hiding a single character within a file or directory name also can be effective. Creating a file or directory with a single invisible character embedded in its name can make the file or directory difficult to access. For instance, to protect a certain directory with several accounting data files in it, an invisible character could be hidden in the directory name. Although the directory would be visible on-screen on·screen or on-screen adj. & adv. 1. As shown on a movie, television, or display screen. 2. Within public view; in public. , most users would not know how to gain access to it because they would not know about the hidden character. Embedding hidden characters in file or directory names simply requires using DOS's "ALT 255" invisible character capability. There are many ways to do this and no special software is needed. One way is to use the ALT 255 invisible character as an extension since DOS allows directory names to have three-character extensions. For example, when creating a directory named "ACCT ACCT Cardiology A clinical trial–Amlodipine Cardiovascular Community Trial–that evaluated the effect of sex and age on response to the antihypertensive, amlodipine. See Amlodipine, Antihypertensive, Hypertension. ", set it up as "ACCT. <ALT 255>". This is done simply by entering a period after ACCT, then holding down the ALT key A keyboard key that is pressed with a letter or digit key to command the computer. For example, in Windows, holding down the Alt key and pressing F displays the File menu if it is a current option on screen. Pressing Alt-Tab toggles between applications. See Flip 3D. and typing the numbers 255 on the numeric keypad A four-row keyboard of digits used on calculators, computer keyboards and telephones. See keypad. (hardware) numeric keypad - A standard feature of PC keyboards, consisting of a rectangular array of 17 extra keys at the right-hand end: 0-9, ., Num Lock, /, *, -, + and Enter. . Only the directory name ACCT will appear when it is listed on screen and its form will be indistinguishable from unprotected directory listings. The difference is, when users try to enter it, DOS will return the message "invalid directory A DOS error message that means you entered the name of a directory that does not exist. " and not allow access. This technique applies to file names as well. After the ALT 255 invisible character has been included in a file name--say, "PAYROLL <ALT 255>.RPT RPT - Unify. Report Writer Language. "--the file will look like others but will be inaccessible to unauthorized users. ALARM AND LOCKUP See hang and abend. PROCEDURES A second little-known feature of DOS is its ability to reassign its source of input using the "CTTY CTTY Control Teletype CTTY Console Teletype " command. To change the source of input from the keyboard to some other input device (for example, a communications port (hardware, communications) communications port - A connector for a communications interface, usually, a serial port. ), the user would issue a command such as "CTTY COM (1) (Computer Output Microfilm) Creating microfilm or microfiche from the computer. A COM machine receives print-image output from the computer either online or via tape or disk and creates a film image of each page. 1:". The keyboard would no longer work and the computer would accept input only from the specified communications port. This capability allows some creative security measures Noun 1. security measures - measures taken as a precaution against theft or espionage or sabotage etc.; "military security has been stepped up since the recent uprising" security . Here is a simple example: Enter the "CTTY" command followed by the three letters "NUL See null. " at the DOS prompt The message DOS displays when it is ready to accept user input. The default DOS prompt (C:\>, D:\>, etc.) displays the current drive and directory. Earlier versions of DOS did not display the directory name and required that the Prompt command be used with the following parameters ; then press the return key. These commands direct the computer to seek its input from another source--in this case, a nonexistent non·ex·is·tence n. 1. The condition of not existing. 2. Something that does not exist. non source--and the keyboard no longer works. It is, in effect, locked. The only way out of this condition is to restart (reboot To reload the operating system, which restarts the computer. See boot. (operating system) reboot - (From boot) A boot with the implication that the computer has not been down for long, or that the boot is a bounce intended to clear some state of wedgitude. See warm boot. ) the computer--press the CONTROL, ALT and DELETE keys simultaneously or turn it off and reboot. So, in its simplest application, the "CTTY NUL" command can serve as an effective keyboard lock when the user leaves the computer. Used in conjunction with DOS batch files, this command can be even more effective. A batch file (1) A file containing data that is processed or transmitted from beginning to end. (2) A file containing instructions that are executed one after the other from beginning to end. See BAT file and shell script. is one that contains repetitively used DOS commands to save keystrokes; it typically is used for tasks such as changing directories, switching disk drives or executing software programs. By typing the batch file name, the user tells DOS to carry out all the commands within the file and thus does not have to type them individually. A batch file also will allow branching, which means it will check whatever it is told to check before issuing the other commands in the file. It is possible to program the batch file to branch over to check, say, a user's password. If the password is correct, the batch file will continue processing the rest of its commands as usual. If the password is incorrect, however, the batch file can be set up to issue the "CTTY NUL" command and lock the keyboard. This command can create some attention-getting effects when used in combination with DOS's alarm features, two of which are discussed. 1. DOS contains a file called "ANSI.SYS", which, among other things, changes the screen color and allows repeated flashing of the screen. This feature can be activated by including the command "DEVICE = ANSI.SYS" in the "CONFIG.SYS" file (found in the main or root directory) and then rebooting the computer. 2. DOS also can activate the computer's internal bell. Both the changed screen color and bell features can be used as an alarm within a batch file if some preestablished condition, such as entering the correct password, is violated. An illustration of this is shown in exhibit 1 A sample batch file sequence on page 87. If a user tries to access data without the proper password or command sequence, the batch file will branch to the sequence shown in the exhibit and the screen will start flashing, the bell will start ringing and the keyboard will lock. (With a monochromatic monochromatic /mono·chro·mat·ic/ (-kro-mat´ik) 1. existing in or having only one color. 2. pertaining to or affected by monochromatic vision. 3. staining with only one dye at a time. monitor, the screen will flash only one color.) The only way out of this situation is to reboot the computer. Incorporating this batch file sequence as part of a password protection or menu program and placing the batch file in a hidden directory and embedding invisible characters in its name will make it difficult for someone to find it. Any unauthorized intrusion into protected data will be obvious. PASSWORDS Password protection often is violated easily. For instance, password systems can be circumvented simply by booting from a different DOS disk. This allows a user to avoid initial execution of the password program. However, such a program can be effective when used in conjunction with some of the techniques described above. By hiding batch files, files of password lists and other sensitive data files, the password protection becomes harder to avoid. Although not primarily password protection programs, Lockit I (listed with write-protect programs) and Softsafe (listed with data encryption data encryption, the process of scrambling stored or transmitted information so that it is unintelligible until it is unscrambled by the intended recipient. Historically, data encryption has been used primarily to protect diplomatic and military secrets from foreign programs) also provide protection against starting the computer from another DOS disk. Programs offering password protection, such as Automenu Software Management System, Direct Access or Precursor, are recommended because they are easy to use and essentially can control who has access to the computer. Using a series of linked menus and passwords, these programs can * Block access to DOS (to prevent someone from looking into other files on a hard disk). * Require the use of multiple passwords to gain access to different files or programs. * Allow access to files based on a user's specific authorization. For example, if an employee must use both an accounting package and spreadsheet as part of daily job requirements, the password system will allow access to the accounting program with a first password. A second password is required to access the spreadsheet. These menu programs generally work best when they are triggered by the last line in the "AUTOEXEC.BAT" file found in the root directory. DOS always checks this file first. The password program therefore will be the first program to run when the computer is turned on or rebooted. While the password approach is not foolproof, it can add another layer of protection and control to the microcomputer system. USER LOGGING User logging is a technique that, in general, enables the computer to keep track of whoever uses it and the programs or files used. A daily log of all the activity that takes place on the computer can be invaluable in finding out who has been using a particular file or program. User logging is available through commercial software such as Logit! or Logger. These programs can keep detailed records and provide written reports on * Clock times. * Elapsed times. * The number of keystrokes used. * Keystrokes per hour. * Path names employed. * Program names used. * Percentage of computer time used by a program. Such software programs can provide internal control by recording the day's computer events. In addition, they can be useful productivity monitors for such things as employee training and merit-based reward systems. DATA ENCRYPTION Used with the techniques mentioned above, data encryption adds another layer of security to highly sensitive Adj. 1. highly sensitive - readily affected by various agents; "a highly sensitive explosive is easily exploded by a shock"; "a sensitive colloid is readily coagulated" documents. This technique may not be necessary for general purposes but it is one more effective way to protect vitally important documents, such as those relating to a client's work on federal defense contracts or a CPA's litigation An action brought in court to enforce a particular right. The act or process of bringing a lawsuit in and of itself; a judicial contest; any dispute. When a person begins a civil lawsuit, the person enters into a process called litigation. support files. Basically, the technique permits the computer to scramble data so that, even if someone managed to gain access to a protected document, its contents would appear as gibberish. Data encryption is, in essence, a derivative of secret coding schemes used by the government to protect documents with high-level security classification. Encryption can be accomplished only by using a commercial program such as Cipher cipher: see cryptography. (1) The core algorithm used to encrypt data. A cipher transforms regular data (plaintext) into a coded set of data (ciphertext) that is not reversible without a key. , Private Line or Softsafe. DISK-LEVEL SECURITY Finally, disk-level security implies guarding the disk itself, regardless of whether it's a hard or a floppy disk. At this level, there are three ways to protect information: * Write-protection. * Zero-disking. * Disk branding. Write-protecting a hard disk protects it by not allowing any information to be added--or written--to the disk. Examples of programs that can accomplish this are Dprotect and Lockit I. When these programs are activated, users can read whatever information is on the disk, but they will be unable to change the information in any way. As a result, write-protecting prevents tampering with information. Such protection is particularly valuable today, given the spread of computer viruses and the increasing use of laptop computers. Computer viruses will be unable to spread to the hard disk. Write-protecting the hard disk in a laptop will keep anyone from tampering with it when it's taken off-site. Zeroing-out a disk means completely erasing any information on it. The term developed because, when any information is erased or deleted using normal DOS commands, the information is not really erased. It is still on the disk. Only the first letter of the file name has been removed. Anyone with a disk utility package very easily could restore the first letter of the file name and read all the information that supposedly had been deleted. Given that floppy disks are often reused and may be sent to clients, competitors or government agencies for a variety of purposes, it is important that what the user intends to erase really gets erased. Many disk utility programs or programs such as Sweep'r will overwrite (1) A data entry mode that writes over existing characters on screen when new characters are typed in. Contrast with insert mode. (2) To record new data on top of existing data such as when a disk record or file is updated. the information with zeros--hence, the term "zeroing-out." In effect, the information will be completely and irrevocably erased. Disk branding, while it doesn't protect the actual data, allows users to imprint unused disk space with identifying information that is visible only with a disk utility program. It is possible, for example, to brand either the hard disk or floppies with a client's name and federal tax identification number. Branding a disk has the side benefit of providing a useful way to identify ownership when stolen equipment is recovered. LAYERS OF OBSTACLES Athough microcomputer security is elusive, it can be enhanced by creating layers of obstacles through which an intruder must pass before reaching vital information. Obviously, the more layers there are and the less obvious they are, the more discouraging getting through them will be to a potential intruder. The six techniques discussed here, if creatively employed, will improve the security surrounding the microcomputer and its data inexpensively. SOFTWARE PRODUCTS Disk utility programs Mace Utilities Paul Mace Software 400 Wiliamson Way Ashland, Oregon 97520 (503) 488-0224 Norton Utilities Advanced Edition Peter Norton Computing Peter Norton Computing, Inc., was a software company founded by Peter Norton. One of the most notable software packages it produced is Norton Utilities. Another very popular software was Norton Commander, especially the DOS version. In 1990, the company was acquired by Symantec. , Inc. 2210 Wilshire Boulevard Santa Monica, California For other uses, see Santa Monica (disambiguation). Santa Monica is a coastal city in western Los Angeles County, California, USA. Situated on Santa Monica Bay of the Pacific Ocean, it is surrounded by the City of Los Angeles — Pacific Palisades and Brentwood on the north, 90403 (213) 453-2361 Professional Master Key Utilities RPG (Report Program Generator) One of the first program generators designed for business reports, introduced in 1964 by IBM. In 1970, RPG II added enhancements that made it a mainstay programming language for business applications on IBM's System/3x midrange computers. Software Farm P.O. Box 9221 Columbus, Missouri 39705-9221 (Don't be misled by the price; this is a full-function utilitiy package.) Sweep'r Samkhya Corp. 47 Sixth Street Suite 3000 Petaluma, California 94953 (707) 763-2800 Password protection programs Automenu Software Management System Magee Enterprises 6577 Peachtree Industrial Boulevard Peachtree Industrial Boulevard is a very long road that runs from Peachtree Street just south of Chamblee, and ends in Buford. Major Interchanges DeKalb County Road(s) intersected Destination(s) Notes Peachtree Road Chamblee Southern terminus Norcross, Georgia 30092-3796 (404) 446-6611 Direct Access (Direct Net, for networks) Delta Technology International, Inc. P.O. Box 1104 1621 Westgate Road Eau Claire, Wisconsin Eau Claire is a city located in west-central Wisconsin. The population was 61,704 at the 2000 census. It is the county seat of Eau Claire CountyGR6, although a small portion of the city lies in neighboring Chippewa County. 54702 (715) 832-7525 Precursor The Aldridge Co. 2500 Citywest Boulevard Suite 575 Houston, Texas 77042 (713) 953-1940 User logging programs Logger System Automation Software, Inc. 8555 Sixteenth Street Silver Spring, Maryland Not to be confused with Silver Springs. Silver Spring is an urbanized, unincorporated area in Montgomery County, Maryland, USA. After Baltimore and Columbia, Silver Spring is the third most populous Census Designated Place in Maryland. 20910 (301) 565-9400 Logit! Shareware, available through Public Brand Software P.O. Box 51315 Indianapolis, Indiana 46251 (800) 426-3475 $5 duplicating fee, plus $30 user registration fee Data encryption programs Cipher Gypsy Services P.O. Box 341050 Los Angeles, California 90034 (213) 836-8914 Private Line Shareware, available through Public Brand Software P.O. Box 51315 Indianapolis, Indiana 46251 (800) 426-3475 $5 duplicating fee, plus $30 user registration fee Softsafe Software Directions, Inc. 1572 Sussex Turnpike Randolph, New Jersey
Randolph is a Township in Morris County, New Jersey, United States. 07869 (201) 584-8466 Hard disk write-protect programs Dprotect Shareware, available through Public Brand Software P.O. Box 51315 Indianapolis, Indiana 46251 (800) 426-3475 $5 duplicating fee; no user registration fee Lockit I Security Microsystems Consultants 215 Cromwell Avenue Staten Island, New York New York, state, United States New York, Middle Atlantic state of the United States. It is bordered by Vermont, Massachusetts, Connecticut, and the Atlantic Ocean (E), New Jersey and Pennsylvania (S), Lakes Erie and Ontario and the Canadian province of 10305 (800) 345-7390 EXHIBIT 1 A sample batch file sequence ECHO ON PROMPT $e[5;37;41m CLS (Common Language Specification) The structure and syntax of .NET and CLI programming languages. See .NET. ECHO <ALT 7> <ALT 7> <ALT 7> <ALT 7> CTTY NUL Here is what this sequence will do, line by line: ECHO ON: prepares the screen for immediate color changes. PROMPT $e[5;37;41m: When followed by "CLS," will cause the screen to flash repeatedly a white foreground on a red background. CLS: clears the screen to the new colors. ECHO <ALT 7> etc.: causes repeated bell ringing. CTTY NUL: locks the keyboard. DANA FORGIONE, CPA (Computer Press Association, Landing, NJ) An earlier membership organization founded in 1983 that promoted excellence in computer journalism. Its annual awards honored outstanding examples in print, broadcast and electronic media. The CPA disbanded in 2000. , PhD, is assistant professor of accounting at Texas A&M University, College Station. ALAN BLANKLEY is a doctoral student in accounting at Texas A&M. |
|
||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion