Computer Security

Computer security involves the technical and administrative safeguards required to protect a computer-based system (hardware, personnel, and data) against the major hazards to which most computer systems are exposed and to control access to information.

PHYSICAL THREATS TO SECURITY: Physical computer systems and data on storage devices are vulnerable to several hazards: fire, natural disaster, environmental problems, and sabotage.

Fire: Fire is a problem because most computer installations use combustible materials such as magnetic tape, paper, and so on. If a fire starts, water cannot be used to extinguish it, because water can damage magnetic storage media and hardware. Carbon-dioxide fire-extinguisher systems are hazardous because they would endanger employees, if any were trapped in the computer room. Halon, a nonpoisonous chemical gas, can be used in fire extinguishers, but such extinguishers are costly.

Natural Disasters: Many computer centers have been damaged or destroyed by floods, cyclones, hurricanes, and earthquakes. Floods pose a serious threat to the computer hardware and wiring. However, water in the absence of heat will not destroy magnetic tapes unless the tapes are allowed to retain moisture over an extended period of time. Protection against natural disasters should be a consideration when the location for the computer center is chosen; for example, the center should not be located in an area prone to flooding.

Environmental Problems: Usually, computers are installed in buildings that were not originally planned to accommodate them. This practice may lead to environmental problems. For example, water and steam pipes may run through a computer room; bursting pipes could result in extensive damage. Pipes on floors above the computer room are also potentially hazardous, so all ceiling holes should be sealed. Data on magnetic media can be destroyed by magnetic fields created by electric motors in the vicinity of the computer room. Other environmental problems include power failures, temporary surges or drops in power, and external radiation.

Sabotage: Sabotage represents the greatest physical risk to computer installations, Saboteurs can do great damage to computer centers with little risk of apprehension. For example, magnets can be used to scramble code on tapes, bombs can be planted, and communication lines can be cut. Providing adequate security against such acts of sabotage is extremely difficult and expensive.

DATA SECURITY MEASURES: In addition to safeguarding their computer systems from these physical difficulties, companies must protect stored data against illegitimate use by controlling access to it. There is no simple solution to these security problems. Organizations such as government agencies and businesses have instituted various security measures most to restrict access to computerized records, others to provide for reconstruction of destroyed data. Some examples follow:

• Backup copies of data are stored outside the organization's location, and recovery procedures are established.
• Authorized users are given special passwords. Users are only given access to areas or levels of the system warranted by their job responsibilities. Codes and passwords should be changed frequently.
• The scope of access to the computer system is proportionate to the user's security clearance and job responsibility. Access to specific portions of the data base can be gained only by those whose jobs necessitate it.
• Installations are guarded by internal security forces. For example, access to the data-processing department may be restricted to personnel with special badges and keys (see picture below).

• Computer professionals are hired to test security. They try to break into a computer system in order to point out weak spots in the system's security.
• Data is encrypted, or translated into a secret code, by complex coding devices that scramble information before it is transmitted or stored. When data is transmitted to or from remote terminals, it is encrypted at one end and decrypted, or translated back into plain text, at the other. Files can also be protected by the data's being encrypted before it is stored and decrypted after it has been retrieved. Data is principally encrypted on its way out of the computer and decrypted on its way back in.
• Computer installations use detectors that identify legitimate individual computer users by fingerprints or voice patterns. For example, computer makers have developed attachments that grant access only to operators who put proper thumbprints on glass plates. Adoption of these expensive devices is slow, however, because they deter the main objectives of using computers: economy and convenience.
• Call-back modems are used that restrict usage to authorized terminals only. The user calls in to connect to the system, and then the system hangs up and calls back on a predetermined number allocated only to the location of the user's terminal.

ESTABLISHING COMPUTER SECURITY: While these security measures help protect data, they are not complete. They may not prevent internal sabotage, fraud, or embezzlement. For example, an employee with a special access code may steal classified information. Banks and insurance companies are especially susceptible. Often, these companies do not wish to report the incidents because of the resulting bad publicity and the difficulty in solving such crimes.

How, then, can organizations establish computer security? First, computer users must recognize their role in security. If a high-level priority is assigned to security in the company, employees must be made aware of it and of the security measures that are being taken.

Second, many organizations recognize the need to have a well-trained security force; a department of security guards who specialize in maintaining data security, conducting system audits, and asking the right kinds of questions on a daily basis. Computerized records should be scrutinized regularly to see that everything is in order.

Third, a company should exercise a great deal of care in the selection and screening of the people who will have access to computers, terminals, and computer-stored data. Companies should choose programmers as carefully as they select attorneys or accountants.

Last, companies must discharge employees who stray beyond legal and ethical boundaries. Whenever these incidents occur, it is imperative that it be shown that they will not be tolerated and that, however hard the necessary course of action, those responsible for security and protection have the integrity to follow through.

Last Updated Jan.7/99