Computer Security in the Information Age Ronald T. Hill Cameron University Computer Security in the Information Age Computers; they are a part of or in millions of homes; they are an intricate part of just about every if not all successful businesses, the government, and the military. Computers have become common place in today's society and the lives of the people who live in it. They have crossed every national, racial, cultural, educational, and financial barrier, which consequently ushered in the information age.
A computer is a programmable electronic device that can store, retrieve and process data, and they come in all shapes, and sizes. They can be used for and in just about anything. As stated before, they are used in just about every aspect of modern society. They are so fundamental to modern society that it would be disastrous to society without them. As stated before, there are many areas in modern society that are run by computers. They play an intricate part of millions of homes in the world.
Office workers in business, government and the military may use them to write letters, keep rosters, create budgets, find information, manage projects, communicate with workers, and so on. They are used in education, medicine, music, law enforcement, and unfortunately crime. Because computers have become such a part of the world and how it operates, there is a tremendous responsibility for those who are in control of these computers and the vital information that they carry, to manage and protect them properly. This is management and protection is vital because any loss or damage could be disastrous for the affected entity. For example, a mistake or intentional alteration of a personal credit file could affect ones ability to buy a car or home, or can lead to legal actions against the affected person until the mistake or intentional alteration has been corrected. Therefore, with the advent of computers in the information age, and all of the intentional and unintentional violations against them, comes the need to safeguard them and the information they carry with strong systems and policies of computer security.
Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help to stop unauthorized users or intruders from accessing any part of a computer system. Detection helps one to determine whether or not someone attempted to break into a computer system, if they were successful, and what they may have done. Good security would keep strangers from reading one's email, using one's computer to attack other systems, sending forged email from one's computer, or examining personal information stored on one's computer, such as financial statements. There are two main areas of computer security.
They are computer network security and Internet security. A computer network consists of communications media, devices, and software needed to connect share information on two or more computer systems and / or devices. It is vitally important to secure computer networks in modern organizations for several reasons. They are: 1. Computer systems that are networked enable organizations to be more flexible and adaptable to meet rapidly changing business conditions.
2. Networks enable companies to share hardware, computer applications, and databases across the organization. 3. Networks make it possible for geographically dispersed employees and work groups to share documents, ideas, opinions, and creative insights, which encourage teamwork, innovation, and more efficient and effective interactions.
4. The network is increasingly the link between businesses and between businesses and their customers. The Internet is the largest network in the world. It is known as the network of networks. The Internet is a collection of more than 200, 000 individual computer networks owned by governments, universities, nonprofit groups, and companies.
These interconnected networks are connected via high-speed, long distance backbone networks. They exchange information using the same open, nonproprietary standards and protocols. There are three primary and three secondary objectives of computer security. The primary objectives are confidentiality, integrity, and availability. The secondary objectives are authorized, message authentication, and non-repudiation. Confidentiality requires that only authorized persons are able to access the data in a computer system, as well as the data transmitted between computer systems.
Integrity specifies that the data in a computer system, as well as the data transmitted between computer systems, be free from unauthorized modification or deletion. For example, the unauthorized insertion of false credit records could jeopardize a person's ability to obtain credit. The availability objective requires that the authorized users of the computer systems and communications media not be denied access when access is desired. The authorized use objective simply states that only authorized individuals may use the computer system and its components. When a message is received one must insure that the individual who the system claims sent the message did truly transmit it. This is called message authentication.
Finally, when one wants to know that an individual did in fact, receive a message that was transmitted is called non repudiation. All together, these objectives form the essential foundation of computer and network security. Now that the foundation has been identified and in place, the system must be implemented. However, there are several factors that hinder implementation and they must be identified and removed. The first factor is the errors or bugs found in the operating system. These bugs can be used as holes or doorways for someone to access a system and wreak havoc.
In security this is unacceptable. Also, an intruder needs only to find one of the holes that exists in an operating system in order do damage, but the programmer obviously needs to fix all of the holes in order to seal off the operating system. The second factor is a financial one. When the purchase or development of a computer system is planned, security is seldom considered. In fact, it is often not considered until later when there is a security breach that forces the issue. This problem causes the organization to retrofit the computer system after the security incident, which is a very expensive process in terms of money and labor.
One other factor in implementing security is that it is often viewed as "getting in the way" of the user. For example most systems trace the user's actions on a system resulting in an audit trail that takes up valuable disk space on the computer, which in turn takes up valuable computer time. Therefore, this security feature is thought to be an expensive overhead and can be done away with. This and other security features make it hard for intruders to gain access into the system, but it makes it hard for the authorized users as well. Thus, many security measures are viewed as worthless or burdensome. One writer for "Info World" wrote about when he was at an airport waiting for his luggage.
There he saw a businessman whose laptop was being scanned on the conveyor belt. On the laptop were post it notes that contained user, account, and password information in plain view of anyone who could see. There in one final factor that must be discussed. That factor is that people are more often the source of security problems than technology. The majority of computer violations are committed by authorized users or "insiders." A lot of times it is the user abusing his or her authority, which was granted in order to perform the assigned job. One very important issue that must be considered when implementing computer security is privacy and ethics.
For example, one method that is used to insure the confidentiality and integrity of individual records is to monitor the actions of those who have access to the system. One way of doing this is to read an individual's e-mail messages to insure that no unauthorized activity is occurring. After 9/11 and the Enron case, less privacy became common place in the business world. Software technology such as digital rights management, defense grade monitoring software, and enhanced passenger profiling software has made this fact a much easier reality. Computer and network security has received a lot of attention with each incident of computer-related crime. Intruders intentionally invade computer systems to steal information or money, destroy systems or just to see if it can be done.
They transmit computer viruses that can destroy systems. This invasion is done by hackers, corporate spies, and government or military spies. These people mainly target government systems. For example, federal investigators told a U. S.
Senate hearing that the U. S. Department of Defense computers are attacked more than 200, 000 times per year. Criminals also target competing organizations, organizations or people that they do not like, and randomly selected targets. One reason why computer crime is so attractive is because that it has such a low risk and the lack of laws governing computer crime. However, the government passed the Computer Fraud and Abuse Act of 1986, which attempted to define penalties for certain acts of computer intrusion and abuse.
Companies have also developed software to prevent intrusion and to recover systems that have been compromised. Companies have also developed software that can easily trace the criminals' trail in order to find and prosecute them. Part of the process of developing a computer security system is to develop a risk assessment or risk analysis. A risk assessment is the process of finding, evaluating, and correcting the potential damage associated with a security breach. The assessment or analysis is done in order to determine the strength of a computer system or network, and to make an educated decision as to how the security can, and should, be improved. The assessment results in improved security and the gaining of valuable knowledge regarding the system and its flaws.
The following information is gained from conducting a risk assessment. 1. Determination of the organization's sensitive and critical assets 2. Identification of threats facing the organization 3. Identification of specific system vulnerabilities 4. Identification of potential losses 5.
Identification of effective countermeasures 6. Implementation of a cost-effective security system The assessment is accomplished by analyzing three risk attributes, which are: Asset Value, Threat, and Vulnerability. Asset value is the relative importance of information on a computer or network. Threat is a means of calculating an organization's concern regarding the types of attacks that may occur. Finally, vulnerability is an actual measure of the current technology.
It is derived from a hands-on review of computer security, network security, and general operating procedures. There is no risk without any one of these three values. Once these values have been analyzed by internal and subject matter experts, a decision will be made by management on whether or how to act on the findings. Once an organization realizes that security measures are indeed required, the next step is to determine how to implement the system that was developed. In this determination, internal and external security measures need to be addressed. Internal measures are implemented in the hardware and software of the computer system such as antivirus software, sniffers, firewalls, and monitoring software.
The external measures include: physical, personnel, and administrative security. Physical security measures consist of those techniques used to secure any high-value item including locks, guards, remote surveillance cameras, and alarm systems. These security measures are used to protect the information that is stored on the computer, as well as the prevention of the theft of the computer system or its peripherals. A system is only as secure as the people who use and operate it.
Therefore, personnel security is concerned with the procedures used to determine the amount of trust the organization can place in any particular person. The military calls this a security clearance, which is granted to an individual. Administrative security describes methods to be used to implement the security policies of an organization. They describe how printouts are to be disposed of; how magnetic media will be stored, erased, and destroyed; what procedures to follow when an employee is fired; and the procedures used for temporary employees or when visitors are in the area. Computer systems are a major part of life in today's society and they will only become a greater part of life as time goes by. Consequently, as they become a greater part of life, they become more vital to the existence of many organizations.
They also become more susceptible to user errors and targets for criminals. Because of this there is a tremendous need to secure them. There are proper methods to secure them now, but as their demand and use grows, security must also grow and advance in order to protect the assets of those who use them. Works CitedBerinato, S. (2003, January 1). Big Brother IT; After 9/11 and after the Enron follies, more security (and, concomitantly, less privacy) became the order of the day.
CIO, Framingham, Vol. 16, Issue: 6, p. 41. Retrieved March 6, 2003, from Pro Quest. Capron H. L.
(2000). Computers, Tools for an Information Age. Upper Saddle River, NJ: Prentice Hall. Fisch, E. A. Ph.
D. & White, F. B. Ph. D. (2000).
Secure Computers and Networks. Boca Raton, London, New York, Washington D. C. : CRC Press. Norton, P. (1997).
Introduction to Computers Second Edition. New York, NY: Glencoe/McGraw-Hill. Peltier, T. R. (2001). Information Security Risk Analysis.
Boca Raton, London, New York, Washington D. C. : Auerbach. Potter, R. E. , Rainer, R.
K. Jr. & Turban E. (2003). Information Technology Second Edition. United States: John Wiley & Sons, Inc.
Rash, W. (2003, January 27). Stupid User Tricks. Info World, Vol. 25, Issue 4, p. 28.
Retrieved March 6, 2003 from Pro Quest.