1.5 DIFFERENT TYPES OF SECURITY MEASURES

 The measures for data protection taken by an organization reflect its awareness and attitude towards information and Information Technology. The management should consider information as an important resource and shared get involved in securing essential information of the organization.

One of the best and first steps in ensuring data security is to create awareness and develop a culture within the organization towards the ways in which information can be lost or altered and what would be the consequences, of such an occurrence, to the organisation and individuals. All other steps which can be taken are:

  • · Information Technology (IT) planning: The organization must decide on a policy for introduction of IT. This must be done at the highest level and should address issues such as level of protection for various aspects of information relating to the organization.
  • · Selection of technology, keeping in mind obsolesces due to new innovations and necessity for keeping in step.
  • · Identification of points of exposure of weak links to device means to plug them.
  • · Physical protection of machine and media.

Control and Monitoring the access to data, its usage, by persons and its integrity must be clearly defined and responsibility for ensuring these must test on persons designated for these tasks; an audit procedure would go a long way in ensuring adherence to laid down guidelines.

There are four timehonored principles for ensuring security and recovery in case of breaches of security:

a) Prevent: The best method is of course stopping all breaches of security before they occur. 'Needto know' policy is an offshoot of the principle of prevention.

b) Detect: However one may try to ensure it, total security is almost impossible. The next principle, therefore, is that you must be able to detect breaches to security, whenever they occur, within the shortest possible time. This helps in damage assessment and, also, in devising further preventive measures. 

c) Minimise Damage: The aim here is to contain the damage, when losses occur, to reduce the adverse effects of such damage.

d) Recovery: There must be enough resilience in the system to recoup the losses/damage and become functional, by reinstating the status, at the earliest. 

We would now look at the various measures available to the PC user, to ensure security of machine and data, relating to the principles enumerated above.

1.5.2 Physical Security

These measures are for PCs being used in offices. The PC may be in use by an individual or being shared between two or more users. The measures available are:

  • · Physically bolt down the PC to a table so that it cannot be casually lifted and taken away.
  • · Locate the PC in such a way that it is conveniently accessible to the user but hidden from casual passersby.
  • · Have likeable cupboards for floppies and keep them locked at all times, except when used.
  • · Keyboard and PC locking devices can be fitted so that the PC cannot be operated unless these locks are opened.
  • · Keep a record of all floppies in use; do not permit alien floppies into the  
  • · Organization.
  • · Use lockable rooms for PCs, specially those handling sensitive data. Make it a practice to lock the room when leaving it even for a short time.
  • · The above apply to server, gateways and the likes.

Environmental Conditions: The PCs are fairly rugged and can tolerate wide ranges of temperatures, humidity and voltages. However, to ensure trouble free and prolonged life, consider the following measures:

  • · Have temperature and humidity gauge placed in the close proximity of PC and keep a casual watch to ensure that conditions are within limits. Switch off if the limits are exceeded;
  • · If your normal electrical supply is subject to large variations of voltage and frequency or spikes, it is prudent to have voltage and frequency stabilizers for the PC;
  • · Ensure that excessive dust or paper scrap does not accumulate near the PC;
  • · The plug sockets should fit snugly and cables leading to terminals and printers should be secured properly and not left hanging;
  • · You may consider putting a thin transparent plastic cover on the key board if it does not hamper your handling the keyboard;
  • · The most important is the use of a vacuum cleaner at regular intervals.

1.5.3 Software Security

As is apparent from the views, on security, provided on PCs of various leading magazines, there is hardly any security provided on the PC. There are some measures you can take to ensure that data is not corrupted or modified by unauthorised users and to reinitiate the database to its known status in case this happens and these are:

  • · Use original software for Operating System, compilers or software packages. You may have to pay for it, but you can then be sure that it would be bugfree, known also as "licensed" software.
  • · Use correct procedures for shutting down the PC so that all files etc. would be properly closed.
  • · If you develop your own applications, introduce passwords to access your application; these passwords should not be visible on the screen when keyedin.
  • · Keep backups of all your files. Whenever you operate on any file, (specially in update/append/alter mode), if you have your own programs they should include a "copy" procedure; this ensures that a backup of your data files would always be automatically taken.

1.5.4 Network Security

The protection required for networked systems is much more extensive as physical security measures are totally inadequate; it is also extremely difficult to know who, when and how someone is accessing your data; in LANs, generally there would be one server which holds the shareable data on network and services the requests of various nodes; the normal method used is password identity for permitting access; the measures which can be adopted for additional security, are 

  • · Keep the servers away and allow limited physical access to them.
  • · Run servers in the background mode; thus the server can be booked on, for use in the network, but, for direct use of the server, a separate password would be necessary.
  • · Some networks provide auditing facilities, which can be used to advantage.
  • · Be aware that the network cables can be tapped, so try and shield or conceal them to prevent easy access; if possible use optical fiber.
  • · Use codes and ciphers in data communication; remember, however, that this would impose considerable overheads on your resources.
  • · Use fiberoptic cables for highly sensitive networks as those are difficult to tap; however, here too it may be possible to steal data through sensing the perturbations of the fiber itself.
  • · Prohibit the use of passwords embedded in communication access scripts; if this is unavoidable, use encryption for passwords.
  • · Consider the use of seethrough devices for any system accessed through networks or through dial up.

Protection against virus: A number of measures are available for reducing the risk of being attacked by computer virus:

  • · Build employee awareness of the risk.
  • · Do not allow the use of outside programs for company PCs or networks.
  • · Do not interface company networks to outside "Bulletin Boards".
  • · Make system/server files "Read only".
  • · Try and obtain source code for important software in use and compile it inhouse.
  • · If source code is difficult to follow, it should ring a warning bell in your head.
  • · Check executable code, using "debug" or separate utilities to study code structure and check spaces for viruses.

1.5.5 Password Security

In most organisations or computer systems, the only authorisation for data access is giving the correct password; rightly speaking, this is only the first step; the whole process would be:

Identification: The Password only indicates an object with a unique identity assigned to it. Thus it should not become authorisation to access data without further checks, if some measure of security is desired.

Authentication: This process verifies that a person or object is who he, she or it claims to be. This could be achieved by asking some standard questions (from a large selection) and getting answers to them; if the answers match with those held on the systems, the person or object is authenticated.

Authorization: This is the last step in the process; through this, you can ensure that only a given user, terminal or other resource, can access data to which permission has been granted to read, write or alter; Thus a matrix can be created to indicate which users have access to which file, records or fields.

If the user request passes the matrix he/she is allowed access, otherwise he/she is denied access to some parts of the database.

1.5.6 Other Aspects

We have had a fairly close look at the measures for data protection available on stand alone as well as networked PCs. Some of the measures that we studied can be implemented only on mini and main frame systems easily, while trying to introduce them on PCs may incur too much of resource overheads. We would now take a quick look at the protection, detection and recovery mechanisms available on large systems.

This is in order to give you pointers for discerning when to go in for a larger system rather than a PC LAN and what facilities to look for.

Database Access: Larger systems provide various mechanisms to prevent access to data. User classes can be defined automatically prohibiting access to data by user class. User can be given only "query view" of the data so that he/she can have only "read" access to a limited amount of data. In some systems, certain terminal numbers can display or access only some parts of database, thus, even a user with higher access permissions cannot access some data on those terminals.

Access to Operating Systems: In some systems, the operating system is written in a lower level language and users are not given the use of that language. Thus, the user cannot alter any part of the operating system. Some operating systems follow the concept of access control levels. In this, any program which has equal or higher access control level cannot access any routines which are below that level. The operating system routines are placed at much lower level and paths are predefined for access to these, which incidentally, are via other system routines placed at a high level. From this point of view 'UNIX' is not a secure Operating System as, 'C', which is the language in which 'UNIX' is written, is also available to the user as a programming language, however, it has many good security features.

Access Control Cards: This is the latest method and is also available on PCs. Here, an additional card is inserted on the PC. This card has its own memory and software.

The user can program up to ten complex account codes. Anyone wanting access to a PC has first to pass through authentication routines through this card. Only when he/she passes, is he/she is allowed to access the PC itself. These codes can be reprogrammed whenever required. Thus the basic problem of preventing access to the operating system of the PC can be solved to a large extent.


Comments

Post a Comment

Popular posts from this blog

3.8 SECURE NETWORK DEVICES

 In this unit, we have already learnt that the firewall is only one entry point to your network. Modems, if you allow them to answer incoming calls, can provide an easy means for an attacker to sneak around, your front door (or, firewall). Just as castlesweren't built with moats only in the front, your network needs to be protected at all of its entry points. Secure Modems, DialBack Systems If modem access is to be provided, this should be guarded carefully. The terminal server, or network device that provides dialup access to your network needs to be actively administered, and its logs need to be examined for strange behavior. Its passwords need to be strong not ones that can be guessed. Accounts that aren't actively used should be disabled. In short, it's the easiest way to get into your network from remote: guard it carefully. There are some remote access systems which have the feature of a twopart procedure to establish a connection. The first part is the remote user di...
Read more

3.5 SECURITY ISSUES FOR SMALL AND MEDIUM SIZED BUSINESSES

 Small and medium sized businesses use the Internet and networked applications to reach new customers and serve their existing ones more effectively. At the same time, new security threats and legislation puts increased pressure on business networks to be reliable and secure. Business Challenges According to recent studies, security is the biggest challenge facing small and mediumsized businesses. Everchanging security threats from both inside and outside the business network can wreak havoc on business operations, affecting profitability and customer satisfaction. Small and mediumsized businesses must also comply with new regulations and laws created to protect consumer privacy and secure electronic information. Security issues for small and medium – sized businesses are classified into 5 basic categories: Worms and Viruses As per research, Computer worms and viruses remain the most common security threat, with 75 percent of small and medium businesses affected by it.. Worms and v...
Read more

3.4 TOPOLOGIES

Image
 In computer networking, topology refers to the layout of connected devices. You can think of a topology as a structure of a network. This shape does not necessarily correspond to the actual physical layout of the devices on the network. Network Topology is the study of the arrangement or mapping of the elements (links, nodes, etc.) of a network interconnection between the nodes. It also determines the strategy for physically expanding the network, in future Topologies can be physical or logical. Physical Topology means the physical design of a network including the devices, location and cable installation. Logical Topology refers to the fact that how data actually transfers in a network as opposed to its design. Following are the considerations for choosing a Topology: · Costing: Some kind of topology may be less expensive compared to others in terms of installation (for example Bus topology). · Length of cable: It is needed to connect machines in a network. · Network scalability:...
Read more