|
|
|
|
|
| HOME | INFOTECH | HEADLINES | |||
| March 24, 1999 |
In fact, such an understanding is critical to the success of computing technologies in any society. There is bound to be significant lack of trust in computing if non-technical people like ordinary computer users to important decision makers don't make the effort to understand how information is secured on computers and computer networks. This article, hence, is an attempt to bring the issues of security to the laity. A primer, if you will, with links for further reading. Last year there was a computer break-in at the Bhabha Atomic Research Centre by crackers. Crackers are computer experts specialising in illegally prising open secret information on computer systems. Some crackers had logged in over the Internet and taken control of the computers at the country's premier atomic institution! The goal of the crackers at BARC was to publicise their political agenda. But such crackers could have quietly walked away with information and the BARC would have never known. BARC's fall made several corporations rushing to adopt the Internet, stop and think. How safe could a mere business house be? Yet, the real danger may not necessarily come from across continents, from the universe of undersea cables and satellite links. The bigger threat may lie within. Disgruntled employees and ex-staffers who leave with important information can do more damage even when firewalls and other security mechanisms are well in place. But malicious intent need not be the only bogey. A simple mistake can do substantial harm. An erased file is as much of a problem whether deleted accidentally or maliciously. After all, a foolish friend is more dangerous than a clever enemy is. Then again, security may be compromised by non-human elements like computer viruses that could make smithereens out of the most meticulously arranged information. It is important to evaluate both internal and external risks when deciding on a security solution. But this is a matter of policy. A 'computer security policy' that keeps in focus all the issues involved. To be effective, such a policy must be so realistic that it even takes into account situations where the humans involved may ignore the policy itself. Any computer security policy must cover these few essentials:
1. Physical accessRestricting physical access to the 'computer room' and servers is perhaps the most important aspect of computer security. Quite often third-party vendors and trainees who come in for short projects and assignments know several secrets such as server passwords and Internet passwords. Internet passwords can be had by amazingly simple operations like just scanning for .scp files in Microsoft Windows 95.
2. It is very important to change all passwords regularly. As soon as an important staffer quits, all passwords must be changed. Also, passwords must be chosen at random to avoid being guessed out and must be of sufficient length. Besides, it helps to not use dictionary words. The best bet is to use a nonsensical combination of numbers and letters. Also, important passwords must be restricted to as few people in the organisation as possible. This helps in better password policy management and in case of a security compromise accountability can be ascertained easily. While password policies are by themselves not a major deterrent for a serious cracker, it will serve to keep the curious honest ;-)
3. Often, authentication is treated lightly. Simply put, authentication means verifying the validity of a person. To validate the authenticity of a person you may need to have authentication systems like 'digital certificate systems' in addition to conventional password authentication. Another authentication mechanism now gaining popularity is that of 'smart cards'. A user has to simply swipe the smart card on a device that connects to a computer.
4. Once a person is authenticated, the privileges that can be enjoyed by that person have to be determined and fixed accordingly. This is done using access control systems that determine the access the user has to resources such as disk space, files and printers. Access control systems also limit the degree of access such as read-only access to sensitive files, execute privileges for applications, date and time bound access and terminal-specific login. Most network operating systems have some level of access control systems built into them. However, if there is a need for enhanced security then special access control solutions from several third-party providers need to be investigated. Also, authorisation levels may differ depending on whether the user is local or remote like via dial-up, a corporate WAN or a public network.
5. To keep data completely secure from prying eyes another popular method is data encryption. Encryption is the process of converting 'plain text' (ordinary document) to 'cypher text' (encrypted document) using a 'pass phrase' (password). Only a person who knows the pass phrase can now decrypt the cypher text data to plain text data. DES and RSA are amongst the more popular data securing algorithms. In DES, or the 'data encryption standard', pass phrase has to be known to both the sender of a message and the receiver of the message. RSA is a popular example of 'public key infrastructure' cryptography. Here both the sender and the receiver have a pair of keys, namely a private key and a public key. The public key and the private key pair of a user are mathematically derived such that anything encrypted with the public key can be decrypted only by its corresponding private key. Hence, the public key of each user may be freely exchanged. The sender encrypts a message using the public key of the recipient. Now the recipient decrypts the message using his private key. The drawback in PKI is that a large number of keys need to be managed. Usually to facilitate easy securing of data, the public keys are published on a public 'key server'. Other similar concepts in PKI include 'session keys' and 'bulk keys'. Many PKI implementations use the commercial RSA algorithm. Other open source algorithms are also gaining popularity.
6. Despite the best authentication and access control mechanisms crackers can, and do, get in. In such a scenario, the only way to detect the presence of an intruder is by the simple means of maintaining extensive logs and regular systems and network audits. A daily log file analysis using some good intrusion detection tools will glean much information of user activities and alert administrators in case of discrepancies. Similarly using security audit tools both the systems and the network must be monitored for unusual activities. Remember that if you don't use such tools to safeguard your network, you can be sure that some wily hacker out there is using scanners like SATAN to get into your systems.
7. The importance of regular backups cannot be over stressed. Backups are your only hope in case of a system crash accidental or otherwise. Make sure to have a daily backup of all important information such as user files, mail and RDBMS data. Be sure to take backups in a reliable media such as DAT, CD-ROM (using CD writers), Iomega zip drives and Jaz drives. Do not depend on unreliable media like floppies for your backup.
8. It is necessary to use several approaches to tackle computer security. If your Corporate Network is also connected to a public network like the Internet it is vital to use good firewall solutions to prevent intruders from getting into your systems. With the popularity of email, an associated problem is that of 'spam'. Spamming is the nuisance practice of sending bulk unsolicited mail. You will need to use spam filters in conjunction with your mail server software to block unwanted mail. With users indiscriminately downloading the latest screensavers, the latest games and the latest version of whatever from the Internet a major threat is from viruses and Trojans. A good firewall will disallow certain types of downloads, but it has to be used along with good antivirus software to reduce the threat. The antivirus software has to be regularly updated so as to increase its effectiveness as new viruses crop up almost daily.
Q An advice to such people: If you have not been attacked as yet, it's just because nobody has set sights on you. Rest assured that before long somebody will, and at that point you can be saved only if you take security seriously now. In Western countries, crackers are hired specifically for corporate espionage. In India, this phenomenon has already started in a small way. Reportedly, a leading ISP is losing more than 11 per cent of its revenue due to cracking activity. Security does not come with the purchase of the latest security products. Security is a state of constant preparedness against intruders. Further reading:
http://developer.netscape.com/tech/security/index.html http://www.microsoft.com/security/default.asp http://www.novell.com/corp/security/ http://www.cs.princeton.edu/sip/ http://www.securezone.com/ |
||
|
HOME |
NEWS |
BUSINESS |
SPORTS |
MOVIES |
CHAT |
INFOTECH |
TRAVEL
SHOPPING HOME | BOOK SHOP | MUSIC SHOP | HOTEL RESERVATIONS PERSONAL HOMEPAGES | FREE EMAIL | FEEDBACK |
Nicholas Negroponte of the famous Media Labs at MIT once put the value of his laptop at a figure several times higher than any portable computer could ever possibly cost.
