Securing your information, especially electronically on a computer, is now the most important issue in IT today. Even President Bill Clinton conceded on 22 May 1998 the importance of computer-related security in the Presidential Decision Directive 63 which stated:
'[The President] ordered the strengthening of the nation's defenses against emerging unconventional threats to the United States terrorist acts, use of weapons of mass destruction, assaults on our critical infrastructures and cyber-attacks.' (1)
In fact, it may well be true that the entire future of the computer and Internet industry may hinge on the quality of its security to protect the privacy of the people who use the technology (eg. keeping credit card numbers private) and everything that they create and sell of value to society.
Is security really that important?
Well, let us put it this way. If for any reason the security of IT products cannot be guaranteed when it comes to protecting the sensitive electronic financial transactions and intellectual property of the people who use the technology, there is a good chance that the multi-billion dollar world of e-commerce could come crashing down around all the Dot.com and general IT businesses.
In the meantime, the need for greater security is now fast becoming a huge industry in its own right. Already thousands of people throughout the world are participating in hacking classes costing between A$3000 and A$10,000 just to learn how hackers actually do it. And when they've finished, many of these security-trained experts will get paid a lot of money just to find security flaws in the software and hardware used by companies.
Some people will even become well-trained private investigators and "stingers" whose sole aim is to track down and secretly watch people to see whether they are doing the right thing or not. (2)
While software manufacturers such as Apple Computer, Inc. are prepared to set up free or low-cost conferences for worldwide hackers to convene so they can learn the latest secrets from the hackers and then later try to make the manufacturer's software more secure.
Why is there so much security problems in our technology?
The best way to answer this is with a quote. Commenting on whether new security technologies today would mean the hackers days are numbered, NSW police force member and now IT security expert for PricewaterhouseCoopers John Hunter laughs at the suggestion saying:
'Technology is driven by people that don't think about security. Their priority is to get out some whiz-bang widget as soon as possible. It's a battle. Some vulnerability comes out, then they patch it. It's like a road with potholes. It rains, then you fill them in. Then it rains and there's another one.' (3)
And also the other reason why technology is riddled with so many security flaws is to allow marketers and law enforcement agencies to learn more about the people who use the technology.
What is the purpose of security?
The purpose of security on a personal level is about protecting your individuality, your ideas, and the means by which you are able to survive in modern society (ie. with the help of money in the present Westernised system of government and economics). It is not necessarily about hiding something naughty or illegal from other people. It is more about protecting (i) who you are in this moment in time by revealing only what is relevant for other people to know when achieving certain goal(s); and (ii) what you want to become or sell to the community without fear of someone else taking away your idea(s) without your consent.
On an organisational level, security is mainly about protecting the intellectual property or proprietary ideas generated by its people without having someone else outside the organisation take commercial advantage of what is being developed before those people have a chance to benefit from the work. As the Federal Bureau of Investigations (FBI) and Computer Security Institute (CSI) has discovered in a survey of US companies, theft of proprietary information is the biggest cause for financial loss to the private sector. (4)
Good security equates to saying that you are entitled to be the unique person you want to be or to develop into and to create and sell the ideas you want to contribute to society without fear of external third-party influence. We our social beings, but we all want to be individuals with something unique and important to contribute. That is why we all need some privacy and, if necessary, to have the security to maintain that privacy.
What are the fundamental principles to maximising computer security in an organisation?
If, as an organisation, you want to protect your information in electronic form and you must have all your computers containing that information kept in a building (sometimes unattended (5)) and/or constantly connected to a network (eg. an intranet or Internet), your best form of security is to develop an effective technology-based multi-level and adaptable authentication system.
Apparently the better forms of authentication system are those that combine a good password with some kind of biometrics (ie. fingerprint, eye retina tests, DNA analysis etc). When implementing a password system, it should contain some kind of a delay function of around 1 second during the process of authenticating a password to prevent hackers working it out using the brute-force method (ie. with the help of an electronic dictionary or going through a combination of letters and numbers at high speed).
Good quality encryption is the start of a respectable defense. In fact, good encryption is so powerful that the US Government classified encryption software as a weapon, and therefore illegal software to export. Well, at least not until they have developed the latest secret software tools in their own arsenal to help decipher the latest encrypted messages! But if you can find quality international encryption software not controlled by the US Government, then you may have a near impenetrable security system. You should now be looking for 448-bit or more encryption software (not the standard 128-bit encryption software) such as CyberFusion from the US company Proginet.
To emphasise the power of good encryption, The Regulation of Investigatory Powers (RIP) in the UK now has the legislation to obligate Information Service Providers (ISPs) to allow any electronic message (email or whatever) to be intercepted. If the message is encrypted, the sender - it doesn't matter if he/she is an individual or business - will be required by law to provide their private key to decrypt it. Failure to do so could result in a two-year prison sentence.
The reason for this is presumably to help police and other law enforcement agencies to combat criminal activity (if they can find evidence that you are involved in criminal activity).
|
Will a good security system stop secrets from coming out for all eternity?
Remember, there is no such thing as a perfect security system (even with biometrics added to the system — since people could chop off your finger or create a plaster cast of your fingerprint or produce a virtually perfect copy of your eye retina or iris etc — or the latest quantum communication security system(6)). You will not find a tool that will secure all your information perfectly at all times. This is because people will eventually find a vulnerability in just one part of the security system. And the biggest vulnerability of all are the people themselves. Because people can make mistakes or they can choose to set up conditions to allow others to quietly create major security breaches that the authorities may never know about until the people in question decide to confess or it becomes too late for the authorities to do anything about it.
Or people can independently recreate the secrets given enough time because of our inherent skills in creativity as well as access to the massive amount of information from other people and in nature all around us to formulate and test all the possibilities until the secrets are fully revealed. Hence you can have the perfect security system where nobody can ever eavesdrop on what you are doing and you are a perfect robot that doesn't speak the secrets to anyone. But all it takes is one creative and highly rational individual or group in another part of the world to eventually deduce the same secrets and then the security system is broken.
Security systems are only good for maintaing secrets for a finite period of time until you have reached the point of sharing the secrets with others in return for gaining something (eg. to make a profit for the commercial work you have done).
Will a good security system stop secrets from coming out for all eternity?
If you are still interested in creating a respectable security system and want to maximise the protection of your information, you have got to do things like looking after the people around you and treating them well (7) when given the responsibility of accessing sensitive information and to use several levels of security (ie. a good password and biometric security feature with strong encryption capabilities for your hard disk, another for some of your files, another for your email account etc), with each security level constantly changing and adapting to the latest security features and knowledge as well as making it difficult for unwanted people from working out the password or similar access key.
As Peter Hind, manager of the IT Experience Program at IDC Australia, said:
'Technology has a role in ensuring security. Organisations concerned with security can put in firewalls and encryption technology. They can also put in auditing practices as a way of verifying transactions.' (8)
The essential steps to greater security for an organisation involves:
- Identifying the data or information that needs security (9).
- Looking for vulnerabilities in your assets (including people). Look at things like how the system is connected to networks, who will use the system and how will they use it, and whether the people using the system are being treated well.
- Identifying potential systems in the marketplace which could protect your assets.
- Starting with the small (eg. password-protect your important files) and work to the large (eg. developing an Internet firewall, adding biometric authentication systems etc).
- Getting authentication from people who will use the sensitive information (via a password and biometric authentication system).
- Estimating the cost of the security features you will need and implementing those features as soon as you purchase them.
- Setting guidelines (ie. policies) on how the sensitive information is to be handled and processed (eg. type of personnel and software tools to be used etc).
- Repeating the above steps over time to ensure the security is updated and refined in a process known as auditing/monitoring.
There is also a lot of work being done in getting security software tools to recognise people's faces, voices, fingerprints and now eye retina patterns at the computer terminal (or recorded on identification cards via a chip) instead of the traditional password system. These are known as biometric authentication systems.
For example, for the latest in Finger Image Scanner authentication systems, visit Triton Secure at http://www.ht.com.au/cat/triton/.
## SPECIAL UPDATE ##
December 2003
In the wake of the 11 September terrorist attacks in New York, companies, governments, military and privately-run educational institutions such as universities are now looking into recording biometric data (such as the unique patterns recorded in the retina of each person's eyes) onto identification cards as a new security measure in the Western world.
|
In the end, every organisation will have to decide carefully on the type and number of levels of security considered reasonable for the nature of the information being processed and managed. As John LaVacca, head of the Australasian Supply-Chain Management Group and PricewaterhouseCoopers partner, said:
'Enterprises need to decide on the levels of security most suitable for them. They would need to also give a lot of thought into what information to put outside a firewall on their Web site.' (10)
Can I just use a standard password authentication system for what I have to do in IT?
It will depend on the importance and sensitivity of the information you are working on.
For instance, if you happen to have worked for the US Department of Defence dealing with say a crashed UFO and alien bodies from the late 1940s and you knew the political, social and economic implications of this tremendous discovery, then any information you can gather from learning about the modus operandi of the UFO and perhaps why the aliens have arrived will not only have to be protected, but also the standard password authentication system will not be sufficient to do the job of securing information from the outside world.
In this situation where fear and paranoia has set in within the US Department of Defence, it is imperative for you to use the most sophisticated and latest 'multi-level' biometric authentication systems available combined with good password authentication systems as well as securing the entire complex in a kind of underground 'electromagnetically sealed from the outside world' prison with security guards at every exit and cameras in every room for this level of sensitivity in the information to be protected.
However, for normal people on the street wanting to protect basic things like your credit card number in an electronic file on your computer (is this a good idea?), you may only need to choose a good 'multi-level' password security system and that's it! When choosing a password system, make sure the encryption level is at least 128-bits and there is a built-in delay function during the process of authenticating the passwords as nearly all consumer IT products and the less-known password hacking tools from the general public manufactured to 2003 are not likely to have the speed and capabilities of breaking into your password through the brute force method.
Or potentially it may be possible for really normal people to never have to worry about encryption and any kind of authentication system if everyone in the world had everything they needed including a roof over their heads, food on the table, a job they enjoy working in, and the knowledge that they and their family will be secure and safe in the future.
Until that day comes when the people can get their priorities right with regards to protecting the environment and looking after all living things in an appropriate way, we are unfortunately faced with a situation where the rich want to get richer and the information they create to help them get richer needs to be protected from those who are less fortunate or want to have an unfair advantage and hence deprive others of an income.
So while there are people around you wanting to get rich, famous or maintain the 'status quo' and hence will not be sufficiently responsible enough to respect your privacy, you are wise to find some kind of a good security system of a level which is considered appropriate for the kind of information you are working with.
In the end, you must decide what you think is a suitable security system for your particular circumstances.
I have too many passwords to remember!
Yes, that can be a problem when implementing a multi-level authentication (password) system. Such a system can mean people will have to remember a number of different passwords for accessing the sensitive or important information on numerous computer systems.
Fortunately, people are trying to simplify this by developing a unified security system requiring only one main password to open up and access information on systems having their own specific password requirements. For example, the Canberra-based Protocom Development Systems Pty Ltd have now developed a successful "single-sign-on" technology to help save you time in accessing all your password-protected systems such as the mainframe, an encrypted file, a PC on the network and so on.
You will need to be careful with this kind of technology. One password may be a great time saver. But it can also increase the risk of someone able to access everything. Unless the password is very good and is changing over time, "single-sign-on" technology could be seen as just another piece of technology to add to the already overburdened technology base.
Instead of paying for more technology, why not create a good password for all your needs and change it over time. In that way you won't have to worry about remembering so many different passwords. Or choose a password that can be easily modified to suit each system you are working on. Then by remembering the one piece of text that relates all your passwords, you should be able to recall the password for each of your systems.
Don't leave your computers lying around unattended!
Naturally, common sense would have told us what we already knew, but it is now official. Leaving behind computers and computer-related equipment, even if it means a simple and trivial matter of going to the toilet and back again, increases the chances of having them stolen or lost. And if by losing a computer, important information is also lost as well, it could cost a whole lot more than just losing a computer! Unless information is properly secured and there is a back-up of the information on a separate disk, the cost to government departments and other organisations could be enormous.
According to the Federal Opposition's (Labor) spokesman Senator John Faulkner who has been compiling answers to a survey he put to all government ministers over a three-month period between July and September 2000, around $A4 million worth of laptops and other computer-related equipment were either lost or stolen in Commonwealth departments within Australia in the 18 months from April 1999 to September 2000 due to the fact that they were left unattended, whether because nature was calling or there was a brief period of forgetfulness.
Of the top three departments that showed the greatest lapses in security, they were, in order of worse to better (11):
- Department of Defence
73 laptops stolen, 54 lost
Estimated value: $291,053 (not including $169,000 of other computer-related equipment that were lost or stolen);
- Department of Industry, Science and Resources
51 laptops stolen, 12 lost
Estimated value: $198,175; and
- Airservices Australia
27 laptops stolen, 2 lost
Estimated value: $128,194.
Percentage of computer equipment that were lost or stolen in Commonwealth departments within Australia in the 18 months up to June 2000. Source: Burgess 2000, p.5.
And what about the loss in sensitive government information? Shadow Minister for IT, Senator Kate Lundy, had this to say about the matter:
'In 1999-2005, Defence admitted to 54 lost and 73 stolen, several of which had classified documents.' (12)
As Senator Faulkner puts it:
'It is clear that many departments and agencies need to review their security arrangements.' (13)
Has there been a recent drop in the number of stolen or lost computers in Australian Government departments?
According to the March 2002 edition of Australian PC World, the number of stolen or lost Commonwealth-owned or leased notebook computers from Government departments seemed to have dropped from 1035 in 1999-2005 to 541 in 2000-2001. However, the failure of the Department of Defence, the Attorney-General, Health and the Tax Office to report back to the 2001 Senate estimates on IT equipment may show the real figure in stolen or lost computers to be not much different from the previous year (or perhaps even worse!).
Who knows? Perhaps the Department of Defence and the other departments had an absolute shocker for the number of lost and stolen computers for 2000-2001 and would prefer not to mention this to the public.
Whatever the truth, given the fact that the Department of Defence had already successfully topped the list in 1999-2000 for the most number of computers reported stolen or lost in the previous parliamentary enquiry by Senator Faulkner, it would certainly be embarressing for them to top the list again for 2000-2001 if they did mention the latest situation on their IT equipment.
Has there been a recent increase in the number of stolen or lost computers in Australian Government departments?
Nearing the anniversary of the terrorist bombing of the World Trade Centre in New York in September 2001, some Australian Government departments — notably Customs and the Department of Transport — have suddenly experienced a spate of laptop thefts and various security breaches from brazen thieves in early September 2003.
Setting a particularly fine example for laptop security and protecting other sensitive information at ADFA and the Department of Defence, Dr Ed Lewis of the ADFA School of Information Technology and Electrical Engineering, was quick to warn the Australian (Howard) Government and the public that this could be the first stage of a much broader attack:
'These things can be the first stage in a broader attack. It is always a possibility.
'It's like Tattslotto. You've only got one chance in eight million of winning, but someone wins every week.' (14)
Yes, but this assumes the eight million or so people who participate in the lottery game known as Tattslotto are vying for the exact same prize and are coming from outside. Clearly in this security issue not every Australian (or at least the eight million or so people) are going to be going around every week trying to break into every Government department in an attempt to win the chance of stealing equipment and sensitive information!
The probability of this happening by outsiders is still considered very low. And when it happened, one of the offices that was ransacked was apparently in the middle of being refurbished including the installation of more secure doors. Once the refurbishments are complete, however, the security threat should be reduced even further (although never perfect).
Perhaps Dr Lewis should have emphasised the real security threat from people who could be working in the Departments themselves. Because people are not infallible and definitely not the most perfect security systems in the world, it should be considered a higher probability that insiders could be deliberately doing the dirty work or may have accidentally left partially open a secure door for someone unknown to enter and steal equipment and information.
At any rate, some observers looking at these security breaches suspect it is possible for some if not all these recent events to be the work of intelligence and defence workers working on behalf of the Australian Government to test the security of various Government departments.
These incidents also come roughly a month after the city of Sydney experienced an unexpected partial blackout coinciding with more serious blackouts in London and the eastern continent of the United States.
Should we assume all these incidents are examples of an imminent attack from the terrorists? Or are the Governments testing certain scenarios for possible terrorist actions?
## SPECIAL UPDATE ##
5 April 2004
The Joint Committee of Public Accounts and Audit of the Management and Integrity of Electronic Information in the Commonwealth whose aims were to look at the physical security of IT hardware and electronic data in Commonwealth departments within Australia has tabled a report in Parliament recently. According to the report, the Committee has recommended sweeping changes to the way Commonwealth departments keep inventory records and movement logs of IT hardware (ie. tighter controls on the issuing, location and use of laptops to public servants) and how they report security breaches (preferably without the media knowing about the breaches before anyone else does). And as concerns of terrorism increases for the Australian (Howard) Government, the Committee also recommended the Defence Signals Directorate (DSD) play an expanded role in securing information held by Commonwealth departments. Another issue raised in the report is the Commonwealth's public key infrastructure security system known as Gatekeeper and the providers of Gatekeeper services. Although Gatekeeper has proved to be invaluable to public servants in securing electronic information, there is a general consensus that the product is too expensive and complex to use compared to more modern commercially available public key infrastructure products in the marketplace. The report recommends that the Department of the Prime Minister and Cabinet look for more cost-effective and simpler alternatives to Gatekeeper. As for companies seekings accreditation to supply Gatekeeper services to the Commonwealth Government, the report recommends the companies are visited and checked by ASIO, the IT systems of the companies are checked by DSD, and staff at the companies are granted with a Highly Protected security clearance by the Australian Security Vetting Service and the Australian Protective Service.
Get insurance cover for your computer-related assets
To minimise the hassles and cost in losing a computer, we recommend that you do three things:
- Use strong password encyption technology for the most sensitive files you don't want others to see;
- Backup all your data and applications onto one or a few reliable storage disk(s) and store the disk(s) in a safe and secure place (the aim is to have a copy of all your work and place it in a different location to where you are likely to use your computer. In that way, there is an extremely low probability of losing everything you've done if information is stored in two different places); and
- Get insurance cover for your computer.
Your home contents insurance should cover your computer for burglary (forcible entry into your home) and theft (stealing without forced entry) in the home. Outside of the home, this will not be enough to give you adequate cover. Look for a specialised notebook or desktop computer policy cover.
Most insurance companies that supply this kind of policy will protect your computer at another property other than your home (you can also use your Business Insurance policy for this one if the computer is used at your primary workplace or office located outside of your home), and in transit between properties, such as the shipment of your computer to or from a repairer.
The policy should also cover muggings where your computer is stolen by assault, intimidation or threat.
Remember, most companies will not insure you for the software installed on your computer (except for the operating system that was already installed on your computer at time of manufacture). The responsibility for looking after software remains with you and you should be keeping the installation software and backup disks at home or some other safe and secure location.
Furthermore, your computer is usually not insured if the item is stolen from an unlocked car, or from a locked car where the computer is in plain view of any stranger to see. If travelling overseas, the computer must be carried as an item of personal cabin luggage for the insurance policy to be effective.
For an example of a good insurance company handling specialised notebook insurance policies, try the Australian company CPF IT Insurance Specialists.
Keep the value of your assets you want secure to a minimum and employ a variety of hackers to develop their own best security system
The more security you put on a system, the more likely someone will find a way to beat the system. No security system is perfect, and people will eventually find a way through the security maze.
It is far better to provide cheap or free computer-related assets (as there is little incentive in stealing or damaging these kinds of assets) to the masses with security that basically helps people not to make the accidental mistake of going in the wrong places. And even if hackers are able to get into the wrong places, the assets that are available there should be so inexpensive and readily-available to everyone that it would be pointless to steal or damage the assets.
If you want good security, why not provide a competition for hackers to develop what they consider to be a good security system and how to make the assets look good and easy to use. Pay the hackers for their expertise or give them a top quality computer system of their own, and the hackers will have pride in their work and less likely to hack into their own system or others in the long term.
Sweeping changes to security in the software industry
Now that Microsoft has become aware of the importance of good security in software after the spate of recent viruses, hacker attackers, and generally those people not wanting to buy software that isn't secure, Microsoft has set up the Security Across the Software Development Life Cycle Task Force. But as Microsoft's chief security strategist and co-chairman of the Task Force Mr Scott Charney admitted:
'There is no silver bullet for making software secure.' (15)
Consequently a five-part US report published in March and April 2004 by the National Cyber Security Partnership proposes an education campaign in getting software developers and programmers to improve security of their software, easier installation of patches (including the ability to reverse the patches in case of problems), and propose stricter regulation of popular software from software programmers and developers to ensure they are certified to provide secure software (probably at a cost to the programmers and hence force all programmers to sell software at a price which would allow Microsoft and other companies to compete). This certification requirement is being initially tailored towards programmers who work for other companies. But there is nothing to say in the future that all programmers will be required to get certification to do their work or else face legal consequences unless you are living in Russia, Romania or some other part of the world.
Currently there is no legislation in the US being prepared to support the proposals in the report. But talk in the report of a recommendation for US Government to study the effectiveness of getting the government to act on security issues through such options as "liability, and liability relief, regulation and regulatory reform, tax incentives, enhanced prosecution, research and development, education, and other incentives" (16) does strongly suggest an eventual need to legislate in this area.
Proponents of the new proposals could not confirm this aspect of the report. Instead many would prefer to talk in general terms about the aims of the report. Some security experts, however, believe the report may eventually see the entire software industry regulated in the way big software manufacturers want in order to maintain reasonable control of the industry. In the meantime, some experts are also viewing the report as an attempt by commercial software manufacturers to avoid responsibility for fixing up the security problems in their current line of software products as well as to ease consumers concerns in security problems found in these products.
The National Cyber Security Partnership is the result of discussions between industry and government officials to improve cybersecurity.
