March 24, 1999


Saving Private Data

Srikant Sreenivasan writes a computer security primer for the technology greenhorns.

Nicholas Negroponte of the famous Media Labs at MIT once put the value of his laptop at a figure several times higher than any portable computer could ever possibly cost.

He was making a point. The information on the computer was significantly more valuable than the hardware that held it.

If this wealth is to be safely locked away, it is necessary to understand the core issues involved in computer security.

In fact, such an understanding is critical to the success of computing technologies in any society.

There is bound to be a significant lack of trust in computing if non-technical people, from ordinary computer users to important decision makers, don't make the effort to understand how information is secured on computers and computer networks.

This article, hence, is an attempt to bring the issues of security to the laity. A primer, if you will, with links for further reading.

Last year there was a computer break-in at the Bhabha Atomic Research Centre by crackers. Crackers are computer experts specialising in illegally prising open secret information on computer systems.

Some crackers had logged in over the Internet and taken control of the computers at the country's premier atomic institution!

The goal of the crackers at BARC was to publicise their political agenda. But such crackers could have quietly walked away with information and the BARC would have never known.

BARC's fall made several corporations that were rushing to adopt the Internet stop and think. How safe could a mere business house be?

Yet, the real danger may not necessarily come from across continents, from the universe of undersea cables and satellite links.

The bigger threat may lie within. Disgruntled employees and ex-staffers who leave with important information can do more damage even when firewalls and other security mechanisms are well in place.

But malicious intent need not be the only bogey. A simple mistake can do substantial harm. An erased file is as much of a problem whether deleted accidentally or maliciously. After all, a foolish friend is more dangerous than a clever enemy is.

Then again, security may be compromised by non-human elements like computer viruses that could make smithereens out of the most meticulously arranged information.

It is important to evaluate both internal and external risks when deciding on a security solution.

But this is a matter of policy. A 'computer security policy' that keeps in focus all the issues involved.

To be effective, such a policy must be so realistic that it even takes into account situations where the humans involved may ignore the policy itself.

Any computer security policy must cover these few essentials:

  1. Physical access
  2. Password policies
  3. Authentication
  4. Authorisation and access control
  5. Data encryption
  6. Audit
  7. Backups
  8. Tools that are weapons of self-defence

1. Physical access

Restricting physical access to the 'computer room' and servers is perhaps the most important aspect of computer security.

Quite often third-party vendors and trainees who come in for short projects and assignments know several secrets such as server passwords and Internet passwords. Internet passwords can be had by amazingly simple operations like just scanning for .scp files in Microsoft Windows 95.

2. Password policies

It is very important to change all passwords regularly. As soon as an important staffer quits, all passwords must be changed.

Also, passwords must be chosen at random so that they cannot be guessed, and must be of sufficient length. Besides, it helps to not use dictionary words. The best bet is to use a nonsensical combination of numbers and letters.

Also, important passwords must be restricted to as few people in the organisation as possible. This helps in better password policy management and, in case of a security compromise, accountability can be ascertained easily.

While password policies are by themselves not a major deterrent for a serious cracker, they will serve to keep the curious honest ;-)

3. Authentication

Often, authentication is treated lightly. Simply put, authentication means verifying the validity of a person.

To validate the authenticity of a person you may need to have authentication systems like 'digital certificate systems' in addition to conventional password authentication.

Another authentication mechanism now gaining popularity is that of 'smart cards'. A user has to simply swipe the smart card on a device that connects to a computer.

4. Authorisation and access control

Once a person is authenticated, the privileges that can be enjoyed by that person have to be determined and fixed accordingly.

This is done using access control systems that determine the access the user has to resources such as disk space, files and printers.

Access control systems also limit the degree of access such as read-only access to sensitive files, execute privileges for applications, date and time bound access and terminal-specific login.

Most network operating systems have some level of access control systems built into them. However, if there is a need for enhanced security then special access control solutions from several third-party providers need to be investigated.

Also, authorisation levels may differ depending on whether the user is local or remote, for example connecting via dial-up, a corporate WAN or a public network.
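The checks listed in this section (read-only access, time-bound access, terminal-specific login, local versus remote users) can be pictured as a single default-deny decision. The sketch below is an added illustration, not part of the original article; the users, file names, terminal names and policy are all constructed.

```python
# Added illustration: default-deny access check.
# Users, resources, terminals and the policy itself are hypothetical.
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Grant:
    actions: frozenset                   # {"read"} alone means read-only
    start: time = time(0, 0)             # start of the permitted time window
    end: time = time(23, 59, 59)         # end of the permitted time window
    terminals: frozenset = frozenset()   # empty set means any terminal
    remote_ok: bool = False              # dial-up / WAN / public network


# Constructed policy: anything not listed here is denied.
POLICY = {
    ("ravi", "payroll.dat"): Grant(frozenset({"read"}), time(9), time(18),
                                   frozenset({"acct-01"})),
    ("asha", "payroll.dat"): Grant(frozenset({"read", "write"}),
                                   remote_ok=True),
    ("asha", "ledger.exe"): Grant(frozenset({"execute"})),
}


def check(user, resource, action, at, terminal, remote=False):
    """Return (allowed, reason); every test must pass before access is given."""
    grant = POLICY.get((user, resource))
    if grant is None:
        return False, "no grant"
    if action not in grant.actions:
        return False, "action not permitted"
    if not (grant.start <= at <= grant.end):
        return False, "outside permitted hours"
    if grant.terminals and terminal not in grant.terminals:
        return False, "terminal not permitted"
    if remote and not grant.remote_ok:
        return False, "remote access not permitted"
    return True, "ok"
```

The returned reason is what an administrator would want written to the audit log alongside each refusal.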

5. Data encryption

Another popular method of keeping data completely secure from prying eyes is data encryption. Encryption is the process of converting 'plain text' (an ordinary document) to 'cypher text' (an encrypted document) using a 'pass phrase' (password).

Only a person who knows the pass phrase can now decrypt the cypher text data to plain text data.

DES and RSA are amongst the more popular data securing algorithms.

In DES, or the 'data encryption standard', the pass phrase has to be known to both the sender of a message and the receiver of the message.

RSA is a popular example of 'public key infrastructure' cryptography. Here both the sender and the receiver have a pair of keys, namely a private key and a public key.

The public key and the private key pair of a user are mathematically derived such that anything encrypted with the public key can be decrypted only by its corresponding private key. Hence, the public key of each user may be freely exchanged.

The sender encrypts a message using the public key of the recipient. Now the recipient decrypts the message using his private key.
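The relationship between the two keys can be seen with textbook RSA on deliberately tiny numbers. This is an added illustration, not part of the original article; the primes, exponent and message are constructed, and real systems use keys of 2048 bits or more with padding, through a vetted library.

```python
# Added illustration: textbook RSA with toy-sized, constructed values.
# Raw modular exponentiation like this is for understanding only; it has
# no padding and the numbers are far too small to protect anything.
from math import gcd


def make_keypair(p, q, e):
    """Derive (public, private) keys from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: e*d = 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, message):
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    return pow(ciphertext, d, n)


def demo():
    # The recipient derives the pair, publishes `public`, keeps `private`.
    public, private = make_keypair(p=61, q=53, e=17)
    # The sender needs only the recipient's public key to encrypt.
    ciphertext = encrypt(public, 65)
    # Only the matching private key recovers the message.
    recovered = decrypt(private, ciphertext)
    # Applying the public key again does not undo the encryption.
    wrong = decrypt(public, ciphertext)
    return public, private, ciphertext, recovered, wrong


if __name__ == "__main__":
    print(demo())
```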

The drawback in PKI is that a large number of keys need to be managed. Usually to facilitate easy securing of data, the public keys are published on a public 'key server'.

Other similar concepts in PKI include 'session keys' and 'bulk keys'. Many PKI implementations use the commercial RSA algorithm. Other open source algorithms are also gaining popularity.

6. Audit

Despite the best authentication and access control mechanisms, crackers can, and do, get in. In such a scenario, the only way to detect the presence of an intruder is by the simple means of maintaining extensive logs and carrying out regular systems and network audits.

A daily log file analysis using some good intrusion detection tools will glean much information about user activities and alert administrators in case of discrepancies.

Similarly, both the systems and the network must be monitored for unusual activities using security audit tools.

Remember that if you don't use such tools to safeguard your network, you can be sure that some wily hacker out there is using scanners like SATAN to get into your systems.
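As an added illustration of the daily log analysis described in this section (not part of the original article), the script below scans login records and raises three kinds of alert. The log format, the sample lines, the failure threshold and the working hours are all constructed assumptions.

```python
# Added illustration: a daily pass over login records. The log format
# ("date time result user source") and all sample lines are constructed.
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
1999-03-23 09:12:04 OK   asha   10.0.0.21
1999-03-23 10:40:17 FAIL root   203.0.113.9
1999-03-23 10:40:21 FAIL root   203.0.113.9
1999-03-23 10:40:26 FAIL admin  203.0.113.9
1999-03-23 10:40:30 OK   admin  203.0.113.9
1999-03-23 14:05:51 FAIL ravi   10.0.0.34
1999-03-23 14:06:10 OK   ravi   10.0.0.34
1999-03-24 02:31:44 OK   backup 10.0.0.5
"""

FAIL_THRESHOLD = 3           # assumed policy: 3 or more failures per source
WORK_HOURS = range(8, 20)    # assumed policy: logins expected 08:00 to 19:59


def parse(log_text):
    """Yield (timestamp, result, user, source) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the audit
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield when, parts[2], parts[3], parts[4]


def audit(log_text):
    """Return a list of (alert_type, source, user) tuples in log order."""
    failures = Counter()
    alerts = []
    for when, result, user, source in parse(log_text):
        if result == "FAIL":
            failures[source] += 1
            if failures[source] == FAIL_THRESHOLD:
                alerts.append(("repeated-failures", source, user))
        elif result == "OK":
            if failures[source] >= FAIL_THRESHOLD:
                alerts.append(("success-after-failures", source, user))
            if when.hour not in WORK_HOURS:
                alerts.append(("off-hours-login", source, user))
    return alerts
```

A single mistyped password, like the one from 10.0.0.34 in the sample, stays below the threshold and produces no alert.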

7. Backups

The importance of regular backups cannot be overstressed. Backups are your only hope in case of a system crash, accidental or otherwise.

Make sure to have a daily backup of all important information such as user files, mail and RDBMS data.

Be sure to take backups on reliable media such as DAT, CD-ROM (using CD writers), Iomega Zip drives and Jaz drives.

Do not depend on unreliable media like floppies for your backup.

8. Tools

It is necessary to use several approaches to tackle computer security. If your corporate network is also connected to a public network like the Internet, it is vital to use good firewall solutions to prevent intruders from getting into your systems.

With the popularity of email, an associated problem is that of 'spam'. Spamming is the nuisance practice of sending bulk unsolicited mail. You will need to use spam filters in conjunction with your mail server software to block unwanted mail.

With users indiscriminately downloading the latest screensavers, the latest games and the latest version of whatever from the Internet, a major threat is from viruses and Trojans.

A good firewall will disallow certain types of downloads, but it has to be used along with good antivirus software to reduce the threat.

The antivirus software has to be regularly updated so as to increase its effectiveness as new viruses crop up almost daily.

Quite often computer professionals consider security to be a minor irritant, the excuses being "Oh, who will get into my network?" or "It cannot happen to me" or "I have the latest version of so and so firewall, therefore nobody can get into my systems."

A word of advice to such people: If you have not been attacked as yet, it's just because nobody has set sights on you.

Rest assured that before long somebody will, and at that point you can be saved only if you take security seriously now.

In Western countries, crackers are hired specifically for corporate espionage. In India, this phenomenon has already started in a small way. Reportedly, a leading ISP is losing more than 11 per cent of its revenue due to cracking activity.

Security does not come with the purchase of the latest security products. Security is a state of constant preparedness against intruders.
