Who goes there?


THE MEDIA HAS TURNED ITS attention to the computer security issue in recent months. Time, Business Week, and other major publications have run feature articles on computer security, often focusing on computer viruses.

However, although they can be extremely destructive, viruses are not the only peril for computer networks, nor are they the most common. Viruses require sophisticated computer knowledge and programming to develop, much more than the average user possesses. To date, viruses have been limited to specific classes of operating systems.

Unauthorized access to data by persons with less technical knowledge --including employees--is a more common problem for organizations. In fact, disgruntled employees are probably the most prevalent threat to corporate America. In corporate networks, the desktop personal computer (PC) acts as a gateway to an organization's mainframe or minicomputer where valuable data is stored.

Unauthorized users can gain access to confidential documents and tamper with data. Unauthorized access may be unintentional, but the potential for damage exists nonetheless. Financial records, employment data, product specifications, formulas, and other strategic information are vulnerable.

Restricting access to computers or applications is an effective way to protect data against unauthorized users and, in many cases, against viruses. One computer security approach is to require a user to be verified before gaining access to a computer system or application. This is commonly known as a user-authentication system.

BASICALLY, THERE ARE THREE types of user-authentication security systems for computers in network environments: logic-based systems, hand-held key token devices, and biometric systems. Each system functions by confirming that the user who wants to gain access to the terminal or network is, in fact, authorized to gain access.

Logic-based systems. These are typically software-based systems using passwords that rely on what a user knows to determine authentication. While easy to implement, password systems are very difficult to secure. For one thing, passwords can be fairly simple to decipher. People often use names, anniversary dates, and other passwords that are easy for the user to remember--and also easy for someone else to figure out.

In addition, users write passwords down so they don't forget them. Once written, the password may be seen by anyone and, once public, all protection is lost. Repeated use of the same password and the sharing of passwords among users also threaten their effectiveness.

For management and administration, password security systems can be more trouble than they are worth. Management must assign and eliminate passwords to keep pace with employee turnover. They may also want to issue multiple IDs to grant individual users special privileges, depending on their job functions.

An extended password algorithm system offers an alternative to memorized passwords, but it also is difficult to administer. In an algorithm-based security system, the user responds to a challenge, or logic question, from the system. A correct answer from the user gains access.

An example helps illustrate the algorithm concept. If the algorithm is "Respond with the antonym of the third word in the sentence," and the challenge is "The black cat walked across the room," the correct response is "dog."

In the algorithm system, each challenge is unique, so the problem of exposing passwords is limited. However, administration of the algorithm system is cumbersome and raises some difficult questions. For example, is a unique type of algorithm needed for each user? Who codes and installs the algorithms, and how are they distributed?

Key token authentication devices. These are external devices similar to a key for a door. Security is based on what the user possesses instead of what he or she knows. This security technology combines hardware and software. Key token devices are programmable, hand-held devices, which are used in conjunction with a user ID and password. A separate key is assigned to each user. Then, when software on the host computer issues a challenge, the key is used to provide a proper response.

In one particular key token authentication device system, the host issues a challenge via a flashing light pattern that represents a random number challenge. The key has optical sensing circuits that, when held up to the flashing pattern, read and process the random number. The access key then displays a password on its LCD screen. The user enters this password on the computer terminal keyboard. If the correct key has been used for the corresponding user ID, access will be granted.

One of the benefits of this system is that the software generates a unique password with each use, making it impossible for a user to guess a password. The key will operate on mainframes, minicomputers, and PCs.

In addition, management can allow a user a specific time (such as a week or month) for which the key will work. A limited usage period can be particularly important in a setting with temporary employees or occasional users. In addition to restricting log-on access at the terminal, the key can be used to protect or restrict specific data bases, applications, and networks.
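As an added illustration of the challenge-response exchange described above (example code written for this page, not any vendor's product), the host issues a random challenge, the key computes a response from a secret it alone holds, and the host accepts only a correct, unused response from a key inside its assigned usage period. The article does not say how a real key derives its response; the HMAC-SHA256 construction, the user table, the secret and the time window are all assumptions here, and the user ID/password step is taken to have happened beforehand.

```python
import hashlib
import hmac
import secrets

# Constructed provisioning table (hypothetical user ID, token secret and
# validity window); in the article's scheme each user is issued one key.
USERS = {
    "jsmith": {
        "secret": bytes.fromhex("00112233445566778899aabbccddeeff"),
        "valid_from": 1_000_000,               # Unix time the key starts working
        "valid_until": 1_000_000 + 7 * 86400,  # one-week usage period
    },
}

def token_response(secret: bytes, challenge: bytes) -> str:
    """What the hand-held key computes after reading the random challenge."""
    digest = hmac.new(secret, challenge, hashlib.sha256).digest()
    # Truncate to eight decimal digits so the result fits an LCD and a keyboard.
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class Host:
    """Host-side software: issues challenges and checks the typed responses."""

    def __init__(self):
        self.pending = {}  # user ID -> outstanding challenge, single use

    def issue_challenge(self, user_id: str) -> bytes:
        challenge = secrets.token_bytes(8)  # the random number the light pattern encodes
        self.pending[user_id] = challenge
        return challenge

    def verify(self, user_id: str, typed: str, now: int) -> bool:
        challenge = self.pending.pop(user_id, None)  # each challenge is answered once
        user = USERS.get(user_id)
        if challenge is None or user is None:
            return False
        if not user["valid_from"] <= now < user["valid_until"]:
            return False  # key used outside its assigned usage period
        expected = token_response(user["secret"], challenge)
        # Constant-time comparison so checking the response leaks no timing information.
        return hmac.compare_digest(expected, typed)
```

Because the challenge is fresh each time and consumed on the first answer, an observed response is useless for a later log-on, which is the property the article credits to the unique per-use password.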

The token key approach provides greater security than the password approach and is suitable in settings that require moderate levels of security and in mobile or remote situations. This technology may be used to protect a company's proprietary product information, financial data, and consumer market information.

Biometric authentication systems. These systems provide the highest level of security. They incorporate hardware and software and are often used to protect highly sensitive data and applications, such as payroll and corporate accounting records. Corporations with large, centralized data bases are becoming more common users of biometric security systems.

Active biometric systems analyze the user's personal characteristics to determine whether access is permissible. Characteristics such as fingerprints, hand geometry, retina pattern, voice pattern, and signature are unique to the individual; they cannot be stolen, forgotten, written down, misplaced, or duplicated. Hence, biometric systems that use these characteristics provide an extremely high level of security. Passive biometric systems analyze characteristics related to behaviors to authenticate user identification. For example, a typing sensor system measures a person's typing pressure and speed.

Typically, an authorized user is enrolled into the system by taking a baseline scan of the physical characteristic. The user's fingerprint, for example, is scanned, and the image is digitized and encrypted. This encrypted data is stored in the host computer and referenced during future access attempts. To gain access, the user places the same finger on the scanner, which then digitizes the image, encrypts the data, and compares it to the stored fingerprint data.

From an administrative perspective, a biometric system requires minimal management. Unlike the password system where the user must routinely protect and change his or her password, a biometric characteristic will not change, so user IDs do not have to be changed periodically. (However, a person's voice and signature do change. The baseline scan is updated with each successful authentication to keep it accurate with aging.) Of course, users must be taken off the system when they leave the company and are no longer authorized to access the network.

Both false positives, in which the system mistakenly grants access to an unauthorized user, and false denials were a problem for early biometric systems. Today's technology has improved on the accuracy of early versions. However, the technology is not fail-safe. Factors such as dirty or wounded fingers, a sore throat, and alcohol can alter the user's physical characteristics and affect system accuracy. Even mood swings can alter voice characteristics and hinder accuracy of voice recognition systems.
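The trade-off between false denials and false acceptances, and the baseline update on each successful authentication mentioned above, can be seen in a small model (example code added for this page, not from the article or any product). The feature vectors, the Euclidean distance, the threshold and the blending weight are all constructed assumptions standing in for a real scanner's template format.

```python
import math

def distance(a, b):
    """Euclidean distance between two digitized feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class BiometricVerifier:
    def __init__(self, threshold: float, adapt: float = 0.2):
        self.threshold = threshold  # largest distance still treated as a match
        self.adapt = adapt          # weight of a new sample when updating a baseline
        self.templates = {}         # user ID -> stored baseline vector

    def enroll(self, user_id, sample):
        self.templates[user_id] = list(sample)

    def verify(self, user_id, sample) -> bool:
        baseline = self.templates.get(user_id)
        if baseline is None or distance(baseline, sample) > self.threshold:
            return False  # a false denial if this was the genuine user
        # On success, move the baseline a little toward the new sample so slow
        # drift (aging) is tracked; rejected samples never touch the template.
        self.templates[user_id] = [(1 - self.adapt) * b + self.adapt * s
                                   for b, s in zip(baseline, sample)]
        return True

def error_rates(baseline, threshold, genuine, impostors):
    """(false-denial rate, false-acceptance rate) for one threshold setting."""
    denied = sum(distance(baseline, s) > threshold for s in genuine)
    accepted = sum(distance(baseline, s) <= threshold for s in impostors)
    return denied / len(genuine), accepted / len(impostors)

# Constructed sample data: 2-D feature vectors standing in for real scans.
BASELINE = [0.0, 0.0]
GENUINE = [[0.1, 0.0], [0.0, 0.2], [0.3, 0.3], [0.5, 0.5]]   # same user, varying days
IMPOSTORS = [[1.0, 1.0], [0.6, 0.6], [2.0, 0.0]]              # other people
```

With these samples a threshold of 0.5 denies one genuine attempt in four and accepts no impostor, while 0.9 denies nobody but accepts one impostor in three; tightening the threshold buys fewer false acceptances at the cost of more false denials from a sore throat or a dirty finger.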

WITH SO MANY SECURITY options available, how does one choose a system that is best for the organization's needs? Clearly, cost will influence the decision to some degree. But, for the system to be successful, the company's needs and the effectiveness of each technology should be considered. Passwords, token devices, and biometrics provide different levels of security. It is not necessary to purchase a high-level security system when moderate security is required for a company's needs. On the other hand, a less expensive, lower-level security system is not appropriate if computer security is a critical concern for an organization.

Eight key factors, if considered early in the planning process, will help make implementation of a user-authentication system successful. These factors should be considered for any extended user authentication system, whether token-based or biometric.

First, define precisely what should be protected and to what degree. Should all organizational data be protected or only financial information? Distinguish which personnel will be allowed access to which types of data. Perhaps senior management should be granted access to all data. Or, perhaps managers should have access only to data relevant to their area of responsibility, and network-wide access should be kept in the CEO's domain. Determine whether terminals and data will be protected from local or remote sites.

Evaluate security systems and vendors. A mix of authentication systems may be most appropriate. A combination of token systems and biometrics provides a higher level of security. Or, different technologies may be applied to computers that are dedicated to the most confidential and threatened data.

Determine hardware requirements. Remember: A new authentication system may require changes in hardware configuration.

Determine an acceptable level of increased access time for the authentication process. Users will no longer be able to turn on their computers and begin working immediately. Access will require more steps and time with a security system. But, depending on the system, increased access time may only be a matter of seconds.

Determine the budget. How much does the organization want to spend on system selection, purchase, installation, and follow-up service?

Address administrative issues. Consider who will be responsible for user enrollment procedures and data base management. Identify people who will have authority to grant or deny access to users, and determine how to implement these procedures.

Develop a plan for user education and reinforcement. It will be important for employees to understand the security system and be comfortable working with it. Communicate clearly how the system operates and why it is necessary. Be sure someone from either the manufacturer or the vendor is available to answer questions.

Allow for phased implementation of the security system. This will help users accept the system, become comfortable with it, and learn to work with it.

Security is an issue that can no longer be ignored. Growing numbers of people with access to organizational data make in-house data bases and networks vulnerable to tampering.

Password protection may be the solution, or it may be too vulnerable and labor-intensive for the company's requirements. Key token devices provide a higher level of security and are particularly well suited for dial-up networks. Biometrics provide the highest level of user verification and can not only augment but in some cases actually replace password protection.

Whichever solution the company chooses, the most important point is to secure access to a company's computers, data, applications, and communications networks. They are what the company relies on to stay in business.

About the Author...Charles Mayfield is manager of customer support for ThumbScan Inc. in Lombard, IL. ThumbScan produces a variety of computer security products.

Photo caption: Analyzing unique fingerprint data is just one method of determining authorized access.

COPYRIGHT 1989 American Society for Industrial Security

Article Details
Title Annotation: special section - Computer-Information Security: Getting the Protection You Need; user-verification systems to restrict access to computer data
Author: Mayfield, Charles
Publication: Security Management
Date: Mar 1, 1989
