Computer Security BasicsDavid Young
Cytoclonal Pharmaceutics Inc.
No one thing makes a computer secure.
There is a secondary rule that says security is an on going process. No matter how well a system is designed, if it is never changed that gives any potential infiltrator all the time in the world to examine the security for flaws.
The information described here is neither detailed nor comprehensive. This should, however, serve as a good overview of the types of security measures sometimes taken. What measures are appropriate are best determined on a case by case basis.
Physical securityTheft is the physical threat of most concern and rightfully so. Keeping rooms locked is a good idea, but not always feasible. Keeping computers locked to a wall or table is a good deterrent against a casual, shoplifting style, theft but it will not deter a professional with a shopping list. We have seen a thief use a crow bar to remove a computer along with a portion of the formica table top (they were then foolish enough to take it to a repair shop with the table top still attached). There are very loud alarms which sound when the power cable is unplugged. A combination of locks and alarms is an excellent theft prevention system for computer labs which must be publicly accessible, particularly at late hours.
Computer hardware is protected from fire damage by smoke detectors and sprinkler systems just like any other equipment. Computers are unique in that the most costly damage is the loss of data which can be prevented by storing back up tapes in remote locations.
Surge protectors and uninterruptable power supplies are a low cost investment that can save very costly equipment damage. These are particularly important if the computer must be used continuously or if your region is prone to severe thunder storms or frequent power outages. Some surge protectors have the ability to protect the phone line going to a modem also. The modem and mother board can be more readily damaged by lightning hitting a phone line than by lightning hitting the power lines because the computer power supply provides a minimal amount of protection.
Data integrityBacking up data is the single most important step in preventing data loss. Entire companies have gone out of business due to losing valuable information. An enormous amount of man hours are spent every year reproducing information which was lost in some manner. Back ups can be on removable disks, tapes, paper printouts or other computer systems. It is important to periodically put copies of these back ups in remote physical locations to prevent loosing the orignal and back up data through fire, etc.
In today's world, virus protection is a necessity for any PC or Macintosh and viruses are starting to appear on UNIX systems also. No system is completely safe from viruses since manufacturers have inadvertantly shipped new computers with viruses on the hard drive and minted CDs with viruses.
For very important data, RAID systems are used. RAID stands for "Redundant Array of Inexpensive Disks". A raid system is a computer with eight or more hard drives and software for storing data on those drives. Every byte of data is spread accross all of these drives along with a parity bit that tells if it was an odd or even byte. In the event that a disk fails, it's contents can be completely reconstructed from the data on the other seven disks. This is a good way to store critical data which could not be reproduced, but the expense may not be justified otherwise.
Data securityThe primary threat to data security is illegal computer hackers. Studies show that the largest percentage of hackers are young men motivated by status with other hackers, malicious intent or the excitement of a challenging game. There have also been even more harmful cases of corporate spying and embezzlement of funds.
Accounts on both multiuser machines and micro computers can be protected by passwords. Passwords can be very effective or not effective at all. Insecure password include ones that are easily guessed, never changed, shared or written down somewhere. Some systems, particularly UNIX, have password files which are encrypted but readable by all users. Hackers have developed automated programs, such as "crack", to break the passwords in these files by raw brute force, trial & error techniques. Since it could take months to crack well chosen passwords, some systems use a password aging system that requires all users to set new passwords periodically. There are also programs to prevent users from setting easily guessed passwords such as words in the dictionary, common names or permutations on the account name.
Systems holding data belonging to multiple users, such as UNIX or Windows NT, set an owner for each file and permissions defining who is allowed to read or write to it. Many hacker attacks are centered around finding flaws in the file permission system. There are ways to set default permissions and ways to control how much individual users can control their own file permissions.
Since most security attacks are now initiated from a remote location via the network, many organizations now separate their internal networks from the internet with a firewall. A firewall is a piece of software running on a dedicated machine with two network boards. The software can filter which network traffic is allowed to pass between the internal and external networks. This is a very effective security measure, but there is an unfortunate tendency for organizations to make the firewall their only security measure making any breach of security across the firewall a breach for every machine in the whole organization. An even higher level of security can be acheived by not having any connection between the internal network and the internet or not even having an internal network.
Data encryption provides a second layer of security. Once someone gains access to data, that data is useless if it has been scrambled by an encryption program which requires a second password to unscramble it. Passwords themselves should always be stored in an encrypted form. Today's encryption systems are similar to military code systems but not as sophisticated as the systems used by the armed forces. Almost all encrypted data can be unencrypted without the password by the use of a very large amount of time on very powerful computers. Security is provided by making the encryption complex enough that no one would be likely to have enough computer power to break say a message about the merger next month in less than six months, at which time the message is no longer valuable.
There must always be someone able to fix a computer system by using a second password protected account called "system", "administrator", "root" or "superuser" which bypasses the file permission system. One of the most serious security attacks is one which gains the password to this account. As well as particularily stringent security for this account, the encryption systems mentioned above ensure that there is a second layer of protection against this type of attack. This also provides for a segmented internal security system, if such is necessary.
Email is particularly insecure. Mail messages are simple ascii files that travel across the network where no password is necessary to get to them. Email is easily forged and can be altered. Of course, no one would have any particular reason for tampering with many personal messages, but people conducting sensitive business transactions over email would be wise to use some sort of email encryption system, such as PGP. These systems have several functions including encrypting the message itself, verifying who sent the message and verifying that it was not tampered with.
Audit trails are a means for the system administrators to find out if security has been breached and how much damage was done. Audit trails are records made by various pieces of software to log who logged into a system, from where and what files were accessed.
How Hackers get inHere is the typical sequence of steps used to gain illegal entry into a computer system.
How to combat illegal entryHere are a list of ways to make computers more secure and some minimal suggestions for when they should be used. For systems that are critical to operation, all of these and more may be warranted.
ReferencesA very comprehensive book is
D. Atkins, P. Buis, C. Hare, R. Kelly, C. Nachenberg, A. B. Nelson, P. Phillips, T. Ritchey, W. Steen "Internet Security Professional Reference" New Riders (1996)
Another good book is
A good look at security from the system adminstrators point of view is in
The vendor that the computer or operating system was purchased from is also an excellent source of security information.
Footnote on terminologyOne term which people often object to is "hacker". Some people choose to use the term "cracker" for illegal activities and "hacker" for a computer expert. We have chosen the more common usage and qualify it with the adjective "illegal". Don't get all bent out of shape folks.
|Modified: Thu Jan 4 02:29:27 2001 GMT|
|Page accessed 9058 times since Thu Jan 4 21:39:08 2001 GMT|