With every change in technology comes an opportunity to violate systems and newer intrusions are getting to be more creative and effective. In one case in 1993, a long distance telephone company card holder compromised his card and 600 unauthorised international calls were placed on that card before network specialists detected the problem and disconnected the violators. All these happened in less than two minutes. Law enforcers and security managers have to be faster and smarter. They cannot continue the traditional approach of ‘security through obscurity, which is the keeping of vulnerable data security. There is need to embrace technology and device security policies that not only dissuade the violator from breaking into the system but also catch the violator. It is such technologies and policies that are the subject for this topic.

Security is where the data (and information) are protected against unauthorized modification, capture, and destruction or disclosure. Personal data are not the only vulnerable data. Confidential data on market strategies and product development must be kept from the eyes of competitors. Large sums of money transferred daily by electronics fund transfer must be protected against theft. The very high volume of business information processed by computers today means that the rewards of industrial espionage and fraud are of much higher magnitude than in the past and are ever increasing.

Records must also be protected from accidents and natural disasters. For example a breakdown in air conditioning may cause computers to overheat, resulting in loss of computer facilities. Fire, floods, hurricanes, and even heavy snowfall causing a roof to collapse can cause the destruction of data and valuable computers. Security measures described below are designed to guard information systems from all the above threats. The measures can be envisioned as providing layers of protection. Some controls guard against infiltration for purpose of data manipulation, alteration of computer programmes, pillage or unauthorized use of the computer itself. Other measures guard against physical plant, monitor operations and telecommunications, and regulate personnel. These controls are now discussed below.

TERMINAL USER CONTROLS

Badge systems, physical barriers (locked doors, windows bars, electric fences), a buffer zone, guard dogs and security check stations are procedures common to restricted areas of manufacturing plants and government installations where work with secret or classified materials takes place. A vault for storage of files and programmes and a librarian responsible for their checkouts provides additional control. With online systems using telecommunications, security access controls to terminals may not exist at remote sites. The computer itself must therefore, ascertain the identity of persons wishing to log on and must determine whether they entitled to use the system. Identification can be based on:

1. What the user has, such as an ID card, or key;

2. Who the user is as determination by some biometric measures or physical characteristics
3. What the user knows such as passwords

KEYS AND CARDS

Locks on the terminals that require a key before they can be operated are one way to restrict access to a computer. Another way is to require users to carry an identifier that is inserted in a card reader when they went to the computer. Microprocessors make a reject or accept decision based on the card. Many types of cards, similar to credit cards with strip of magnetically encode data on the front or back. Some have a core of magnetised spots of encoded. Proximity cards contain electronic circuitry sandwiched in the card; the reader for this card must include a transmitter and a receiver. Optical cards in code data, as a pattern of light sources, such as infrared. In addition there are smarter ID cards that have an integrated circuit chip embedded in the plastic. The chip has coded memory where personal identification codes can be stored, and microprocessor intelligence.

The disadvantage of keys and cards is that they can be lost, stolen or counterfeited. In other words, their possession does not identify the holder as an authorised system user. For this reason, the use of passwords is often an added security feature of key and card system.

BIOMETRIC SYSTEM

Some terminal control systems base identification on the physical attributes of the system users. For example, an electronic scan may be made of the hand of the person requesting terminal access. This scan is then measured and stored in the computer’s memory. Only a positive match will permit systems access.

Fingerprints and palm prints can like wise be used to identify bona fide system users. Such security systems use electro-optical recognition and file matching of fingerprints and palm prints minutiae. Signature verification of the person wishing to log on the computer is yet another security option. Such systems are based on the dynamics of pen motions related to time signer signs with a wired pen or on a sensitised pad. A biometric system can also be based on a voice print. In this case a voice profile of each authorised user is recorded as an analogue signal, then converted into digital from which a set of measurements are derived that identify the voice pattern of the person wishing computer access is compared with voice profiles in the computer memory.

Biometric controls systems, of special interest to the defence industries and the police, have been under development for many years. Although technological break through that enable discrimination of complex patterns have been made recently, pattern recognition systems are still not problem free. Many have difficulty recognising patterns under less than optimal conditions. For example, a blister, inflammations even sweat on the hands, can interfere with fingerprints match. A combination of devices, such as voice plus hand analysers, might ensure positive identification; but such equipment is too expensive at the present time to be cost effective for most operations in business.

PASSWORDS

The use of passwords is one of the more popular methods of restricting terminal access. One example of a passwords system is the required use of a personal identification number to gain access to an automated teller machine at a bank. The problem with passwords is that they are subject to careless handling by users. Some users write the code on a sheet of paper that they carry in there wallet or they tape the paper on the terminal itself. When given a choice, users usually select passwords they can easily remember, such as their birth dates, house number, or names of pets, wives and children. Top on the list in Britain seem to be ‘Fred’, ‘God’, ‘Pass’, ‘Genius’.

Someone determined to access the computer will make guesses trying such obvious passwords first. Even passwords as complex as Algebraic transformation of a random number have been broken with the assistance of readily available micro-computers. Of course the longer the password is in use the higher the chances of it being compromised. On-time passwords are available alternatives but systems of this nature are difficult to administer.

AUTHORISATION CONTROLS

In addition to identification systems outlined in the preceding section, control systems can be installed to verify, whether a user is authorised to access files and data bases and to ascertain what kind of access is permitted (read, write or update).

DATA DIRECTORY

A computer can be programmed to reference a stored Data Directory Security Matrix to determine the security code needed to access specific data elements in files before processing a users job. When a user lacks the proper security clearance, access will be denied. In a similar manner, the computer might be programmed to reference tables that specify the type of access permitted or the time of the day when access is permitted.

The data elements accessible from each terminal can likewise be regulated. For example, according to a programmed rule, the terminal in the data administrator’s office might be the only terminal permitted access to all files and programmes and the only terminal with access to the security matrix itself. Samples print out form and access director, sorted by user identification number. Assigning access levels to individuals within an organisation can be a difficult task. Information is power and the right to access it is a status symbol. Employees may vie for clearance even when they do not require such clearance for their jobs. Managers should realise that security measures designed to protect confidential data and valuable computing resources may antagonise loyal employees. It is important that the need for security be understood by workers and that security controls be administered with tact.

SECURITY KERNEL

Unfortunately, the use of security matrix does not provide foolproof security. In a multi-user system, installing a ‘Trojan Horse’ programme can raid data in a file. The concept of a security kernel addresses the Trojan horse issue. A kernel is a hardware/ software mechanism that implements a reference monitor, a system component that checks each reference by a subject (user or programme) to each object (file, device or programme) and determines whether the access is valid according to the systems security policy.

A security kernel represents new technology still in development stage. Although a number of projects have attempted to demonstrate the practicality of this security approach, results have thus far been mixed.

COMMUNICATION SECURITY

Computer processing is today closely linked to telecommunications, which allows the transference of computer data through remote points. Protecting the confidentiality of this data at the initiating terminals, during transmission or when transmission is received has required the development of sophisticated security techniques. For example, a ‘Handshake’, a predetermined signal that the computer must recognise before initiating transmission, is one way to control communication. This prevents individuals from masquerading, pretending, to be legitimate user of a system. Most companies use call back boxes that phone would be users at pre-authorised number to verify access request before allowing the user to log on. A hacker who has learnt the handshake code would be denied access with such a system. Protocols, conventions, procedure for user identification and dialogue also help maintaining confidentiality of data. During transmission messages are vulnerable to wire-tapping, the electromagnetic pick-up of messages on communication lines. This may be eavesdropping, passive listening or active wire-tapping involving alteration of data, such as ‘piggy backing’ (the selective interception, modification or substitution of messages). Another form of modification is reading between the lines. An illicit user taps the connection when a bona fide user is connected to the system and is paying for computer time but is ‘thinking’, so the computer is idle. This and other uses of unauthorised time can be quite costly to a business firm. One method of preventing message interception is to encode, or encrypts, data in order to render it useless if intercepted.

CONTROLS

A combination of filters (also called screens) and gate way's) act like walls against viruses or other unauthorised traffic. They are called firewalls, and prevent unauthorised traffic (as defined as defined policies) from the inside to outside or the other way round. The main danger of all these strategies is that they may lull the potential victim into a sense of being protected. The anti-viral strategies that exist are against known viruses only. Corporate and end-users must recognise the intruder, especially the ‘intellectually motivated’ intruder, may be challenged by the control mechanism into finding new strain and a new twist to an old or device new threats to beat the systems that we have not yet heard of or even thought of.

There is also a cost to all these control strategies against viruses. There is a possible lose of morale when employees are not fully trusted. There is a loss in efficiency. Each layer and level of security has an overhead cost and loose in productivity and performance. In addition to calculating these costs one must estimate the probability of attack and value of the loss entailed if the attack is successful. This analysis is necessary before a security system is designed and implemented to combat viruses.

ENCRYPTION

From the Greek word crypt meaning to hide, it is done through transposition or substitution. In transposition, characters are exchanged by a set of rules. For example, the third and fourth characters might be switched so that 5289 become 5298.In substitution, characters are replaced. The number 1 may become a 3; so that 514 read 534 or the substitution may become more complex. A specified number may be added to a digit, making 514 read 516. Decryption restores the data to its original value. Although the principles of encryption are relatively simple most schemas are highly complex. Understanding them may require mathematical knowledge and technical expertise. A change to a message or file such as the appearance of data is changed and cannot be recognised as the original without proper processing. Polymorphism is scanners to recognise their presence. However, encryption is most often used to password-protect files, disks, mail messages, telephone conversations, cable televisions and so on.

CONSEQUENCE OF SECURITY SYSTEM FAILURE

Identity theft
Persons being wrongly accused, especially where themselves have been victims of identity theft.

Wrong information associated with individuals leading wrongful decision making; for example in emergencies, persons with altered medical records may receive the wrong treatment, loss of confidentiality; that is where a system containing a person’s personal information e.g. Fate of birth, age, full names, ID number e.t.c. the data is also required in other systems therefore his confidential information is compromised.

Security should be taken seriously to avoid all these and other negative consequences.