Printer Friendly

A password to computer security.

A disgruntled former bank employee accesses the bank's computer system and disrupts operations by shutting down the ATM network and the bank's link to the funds transfer system.

* A data center employee manipulates electronic data interchange (EDI) messages, so funds being transferred from a bank to an insurance company go instead to personal account.

* An outsider gains access to a corporation's private branch exchange (PBX) and makes numerous long-distance telephone calls at the company's expense.

Stories of computer fraud are growing by-product of expanded computer use. Just how real is the threat to the security of your installation? And what means are available to you to reduce the risks you face?

To understand this threat, one must understand that most computers communicate with other computers, and that integrated networks are replacing centralized systems. Organizations use computer networks to gain remote access to mainframe computers, to facilitate data transfer between systems, and to link customers, suppliers, and business partners. Personal computers and workstations make the links between these networks still more complex.

When data is transmitted over computer networks it is vulnerable to interception and disruption. We've all read of unauthorized incursions into both commercial and governmental data networks, resulting in significant financial loss and adverse publicity. Whether such incidents are the result of electronic trespassing by "hackers," who seek access largely as an intellectual challenge, or by technically sophisticated individuals intents on fraud, corporate systems are more and more at risk.

How can your organization address such risks? Begin with the security features and access controls provided by hardware manufactures and software vendors. These controls need to match both the level of risk you are willing to accept and the level of security that can be achieved in your computer environment. That security level depends on:

* The applications, such as funds transfer, that are supported by the network and such characteristics as who uses them and what they're used for.

* The network's scope, the access to it, and its links to external systems, plus its hardware and software and the functionality installed in the network, such as encrytion (discussed below).

* The culture of the organization and the willingness of users to comply with the controls established.

It is important to recognize that network security controls exist within a hierarchy of information technology controls, which are in turn part of a company's overall internal control structure. So even the best network security will not totally protect an information systems environment if controls in the other levels of the hierarchy are lax. The challenge comes from the fact that the user-friendliness and ease of access sought in a computing environment are the very factors that can create potential risk. Making a network easier to use can also make it easier to be misused.


Network security must guard against breaches in three areas:

* Confidentiality: Individuals intercept data, but do not attempt to modify it. Eavesdropping is not always as innocent as it seems, and analyzing the size and frequency of transmissions may be an initial step in penetrating a network.

* Integrity. Unauthorized persons modify message content, delete messages, or re-route messages. They often masquerade as authorized users.

* Availability. Someone penetrates the system and either shuts it down or wipes out the information it contains. (Of course, environmental factors--floods, fires, and such--and the failure of hardware or software also affect the availability of the system. I have not attempted to address these problems in this article.)


Controls in the hardware or software you purchase need to be complemented by appropriate administrative procedures. Network security is most effective when you install one or more of these security mechanisms:

* Encryption. This technique improves confidentiality by transforming data mathematically through the use of an algorithm and a crytographic key. Whether the data has been encryted through hardware or software, it cannot be read without the key.

Companies normally do the encryption at the point where information crosses from an internal network, where access is restricted, to an external public network, where data is subject to eavesdroping Data intercepted on the public network cannot be read in clear text without access to the key.

* Message authentication. At times, the party receiving a message must be certain that the source is authentic and that the contents have not been altered. Confidentiality is less important. When a network message is transmitted, an authentication code is sent along with it. The recipient compares his own code with that accompanying the message. If implemented proprly, this method would have prevented the data center fraud example at the beginning of this article.

* Remote access protection. Hardware and software can be combined to restrict the ability to dial into computer networks. This method calls for user authentication--such as with a user ID or password--prior to connection, or employs a call-back device which disconnects the caller and returns the call to an authorized number. This system, properly implemented and administered, would have foiled the disgruntled bank employee at the start of this article.

Increasingly popular is the "smart card," which is the size of a credit card and generates a one-time password that changes each time a person signs onto a computer. In addition, biometric devices, the technology of the future, will authenticate the user through retinal, fingerprint, or keystroke-timing analyses. As the technology improves and becomes less expensive, biometric devices will become increasingly popular.

To make any of these systems work, however, they must be integrated into the company's operations. Therefore, distribution of items such as crytographic keys must be tightly controlled. In addition, procedures must be established to monitor security measures, to follow up unauthorized accesses, and to identify and respond to network failures.


Security is of particular concern to organizations using networked distributed systems such as LANs. Two factors make this concern difficult to address. First, technology is changing rapidly, and the life cycle of both hardware and software is growing shorter. Second, installing and administering systems is often not centralized. When individuals have different levels of expertise and local policies differ, security becomes inconsistent. The system generally is as secure as its least secure link.

To mitigate the risk, one can take a number of steps. One of the most important is to consider security up front, when you design your systems network. Of course, the degree of security must also match the importance of the data.

Security will become especially important in open systems. In on-line systems, controls are maintained centrally and are based upon physical or logical access. In open systems--where on-line systems have evolved into real-time systems--the message is the primary component, and security is usually an inherent part of the message.

When adapting open systems, corporations must assess the new technology being developed in computer security. Artificial intelligence, for example, enables user activity to be compared to historic use, and any discrepancies are analyzed to identify security violations.

Finally, the commitment of top management and comprehensive information technology audits are key to a computer security program. Most breaches of security are caused not by product deficiencies but by errors or omissions in their installation or by subsequent errors in administering security.

As corporate systems migrate toward multi-vendor configurations, and as the delineation between internal networks and public networks becomes less distinct, this opportunity for human error will increase. Thus, companies relying on the security of their computer networks will insist that the planning and auditing of information systems play a major role in the foreseeable future.
COPYRIGHT 1992 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Special Report: Information Management
Author:Goldfarb, Michael G.
Publication:Financial Executive
Date:Jul 1, 1992
Previous Article:Living in the past.
Next Article:Capturing the benefits of high-tech leasing.

Related Articles
Stop, thief! How to protect your laptop and its data.
How secure is your case-management software?
Guarding computer data.
Confessions of an Internet hacker: Stealing your personal information was hard to resist.
Operation e-workplace protection. (Up front: news, trends & analysis).
Kaspersky Security for PDA. (Security).
Travel Tech: Playing It Safe With Security.
Is your laptop telling secrets? In a WiFi world, logging into your computer on the road is risky business.
Privileged password management: combating the insider threat and meeting compliance regulations for the enterprise.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters