Printer Friendly

Hardening the hardware.


WITH THE PROLIFERATION of computer and ancillary equipment in business, education, and households, computer theft is increasing dramatically. Not only is equipment itself stolen, but thieves are also stealing parts inside the computer. The theft of internal parts, which are often expensive, can go undetected for days, weeks, or even months.

For example, some computers have only 640K of internal memory. However, an accessory called an above-board memory can be purchased that adds additional memory to a computer. If above-board memory is removed from a computer, it may go undetected until someone attempts to access the extended memory.

The board itself is inexpensive. Purchased from an importer, it can cost as little as $35. What makes extended memory work is the chips that plug into the board. Each extended memory board uses up to 36 chips, and prior to February 1988, these chips cost about $1.85 each.

In February 1988, the cost of a 256-10 chip went from under a dollar to as high as $15. That means that the same accessory that was available for $101.60 now costs $575 and, more important, has become the easily acquired target of computer thieves. To steal this accessory, all a thief has to do is unplug it from the computer. It takes about two minutes.

In addition to theft by outsiders, theft by employees can also be a problem and is difficult to detect. For example, people who buy a home computer will often purchase the same type of computer they use at work. If someone has a problem with the home computer--perhaps the board is malfunctioning--he or she can bring the board to work and test it on the company computer. If there is a problem, the boards can be switched. This is the most insidious type of theft since it is not even suspected.

WHEN ADDRESSING THE problem of computer theft, there is no canned cure. Every business is different, and each has its unique problems. The only way to begin addressing the problem is by analyzing what the goal is: to isolate the symptom or to effect a cure?

To isolate the symptom, a number of devices are on the market to make a computer more secure from theft, ranging from $15 cables to $500 cabinets. Few of those devices will cure the problem, but all will satisfy the requirement for a security device under most of the current guidelines. These guidelines were established before computer theft became widespread.

Cables. Cables have their place in computer security. But unless they attach directly to the computer screws themselves, they provide no protection against board loss. Cables, regardless of their size or gauge, can be severed easily. Because of their vulnerability, they should be used on computers in closely monitored areas and should not be expected to prevent burglaries.

Product insurance. Some antitheft devices offer an insurance guarantee. However, it is important to make sure the offerer provides a copy of all the policy's disclaimers. There are no guarantees without disclaimers.

The purchaser should read the document carefully and ask for written explanations of vague or broad terminology. As an example, suppose a purchaser is not covered for employee theft. Who is an employee? According to Webster, an employee is "one employed by another for wages or salary." Although that definition appears straightforward, is it? What if the purchasing organization is an entity of the state? Does employee then mean any state employee? Could people on public assistance or prison furlough be considered state employees?

Some disclaimers tag or agent on to employees. Again, this is innocuous enough, unless the purchaser is a school. In some cases, students are considered agents of their school.

Alarms. Alarm systems designed to protect computers have two draw-backs. First, they are not usually preventive; they merely announce that what the purchaser is trying to prevent is happening. Second, they are usually turned off when computers are in use, thereby requiring someone to monitor the area.

However, some computer alarms remain on during use to protect against component theft. One such system is hooked through a phone line to a central location. When deciding on alarms that use phone lines, consider the cost of the device and installation as well as the yearly phone lines and maintenance fees.

If the goal is to effect a cure, instead of isolating the symptom, there are a number of manufacturers of lock-down equipment. Only a few major manufacturers, however, have broad experience and reliable products.

Lock-down devices are truly preventive. They work on the concept that even though a thief may have the ability to defeat them, the process requires considerable labor, tools, and time. Companies, however, should do their own testing to ensure that the quality and effectiveness of a particular product meet their needs.

Key control. Key control concerns all security managers. Unfortunately, it is usually practiced after keys and locking devices are delivered to a business.

It is equally important that key control begin at the factory. Only then is the key control system secure. Everybody at one time or another has known or heard of disgruntled employees and the havoc they can cause a business.

The supplier must maintain an adequate key control system (particularly if it performs installations) that is easy to understand. The purchaser should receive nothing less than a written explanation of the system, including the names of software programs used in computer-based systems.

Key changes. The purchaser should obtain a written explanation of the keying system used, including master, submaster, and the total number of changes available. The supplier should also restrict the distribution of keys within a given geographical area--for example, a 100-mile radius. Master keying is never recommended for security devices unless the customer has a detailed and effective key control system.

Testing security devices. People who supply security products will point out the invulnerable attributes of their products. A prospective buyer's first reaction will be to either prove or disprove the seller's claims. However, the buyer must not fall into the trap of testing only those points noted by the seller. A security professional often has to think like a thief to catch a thief. When testing security equipment, he or she should test the strong point, then step back and think about what a thief would test.

A perfect case of misapplied concerns is lock picking. Buyers often question whether a lock is pick resistant. The term pick resistant is as relative as the term bad luck. It depends entirely on the circumstances surrounding the question. As long as the locks being used in security devices require any expertise in picking, then it becomes a moot point. The thief who spends time to learn how to pick locks is probably more interested in taking cash or other easily marketed commodities than in stealing the equipment.

Thieves are predominantly lazy. When a particular location that has had a theft problem becomes more secure, thieves usually move on to other less secure locations. A case in point involves a city that has three large colleges within a one-mile radius. The largest college was experiencing a major computer theft problem and undertook a project to secure all computer equipment. Within a year, theft was eliminated at that location.

However, the adjacent college began losing equipment almost in proportion to the decrease in loss at the larger college. It is interesting to note that there were virtually no attempts to defeat security devices at any of the three colleges until all three were using security devices.

WHEN SECURING COMPUTER equipment, security managers should not address the problems they have today, but address tomorrow's problems. It is unfortunate that so much time and money must be spent to keep that which so much money is spent to acquire. But the problems in society are not going to lessen, and now more than ever, prevention is a lot easier and often less expensive than reacting after a computer system has been stolen.

Replacement costs of computers vary due to circumstances occurring prior to the theft. The following is an estimated cost of replacing an IBM PC-XT with the hard disk being backed up Friday evening, and the theft occurring the following Tuesday evening. In this example, the computer is used an average of three hours a day, and it requires three days to obtain a replacement unit. The losses are as follows:

* Six hours (Monday and Tuesday) of wasted input time at $7.50 an hour

* 15 hours of overtime at $11.25 an hour to catch up on normal input not completed when the computer was unavailable

* 10 hours at $7.50 an hour wasted obtaining needed information that would have been available had the computer been operational

* The cost of an IBM PC-XT--approximately $3,500

The total costs come to $3,788.75. This example does not consider what happened to the information that was in the stolen computer, and its time, inconvenience, and computer replacement cost estimates are conservative.

To find out the exact cost of replacing a stolen computer, a security manager can ask the businessperson whose computer contained accounts receivable or the hospital whose computer contained sensitive patient data. The security manager can ask anyone who has had to load information into the replacement computer while attempting to perform his or her usual daily tasks. Obviously, it is much easier to secure a system than to replace it.

About the Author . . . Lawrence F. DuGuay is vice president of CompuGard Inc. He has more than 17 years of experience in the security industry, the last eight being in computer and laboratory equipment antitheft devices.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:special section - Computer-Information Security: Getting the Protection You Need; securing computer equipment
Author:DuGuay, Lawrence F.
Publication:Security Management
Date:Mar 1, 1989
Previous Article:Here today, here tomorrow.
Next Article:Members only.

Related Articles
The perils of personal computers.
Here today, here tomorrow.
Defining the mission.
Heat treating: forecasting changes in heat treatment processing methods for the next decade.
Utilizing Community Resources: An Overview of Human Services.
Smoking out the facts on firewalls.
Year-2000 Chip Danger Looms Large.
Year-2000 Chip Danger Looms Large.
Black Hat Physical Device Security: Exploiting Hardware and Software.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters