Computer Security

From AAUPwiki
Jump to: navigation, search


The AAUP Business Handbook >> Part Three: Managing Operations


Physical Security

Every business needs to protect its assets from theft or harm. Although insurance will cover some or all of a loss, it cannot guarantee that a business will survive or even operate as it did before. Whereas stolen equipment can be replaced, the loss or misuse of vital or confidential information can compromise a business's viability.

The physical building must provide greater protection than can be achieved with a single lock on the doors. An entry security device should be installed with a direct hook-up to police or a security service. Such a device can be activated by a key or an electronic keypad. If a higher level of security is needed, there are more sophisticated devices that identify individuals' fingerprints, voiceprints, or eye retinas.

Security within a building can be achieved in many ways. rooms and sections can be restricted by mechanical or electronic locks. In work areas, some computer furniture can be locked.

Security on a Stand-Alone Computer

Whether a computer is used by itself or as part of a network, there are several security measures that can protect it physically. The unit can be bolted to its place so that the bolts cannot be unfastened without taking the unit apart. A cable can be attached to the computer so that it can be secured to another piece of furniture (for instance, a desk). One maker of such cables is Kabult. Most personal computers come with a locking device and keys, or have a manufacturer's option of a lock and keys.

As a type of internal lock, recent software enhancements allow users to make files hidden, as in DOS 5.0, or place locks on files, as in Word Perfect 5.0. Passwords can be a useful way to control access. The actual password has to be unique to the user and cannot be easily guessed or difficult to remember. Passwords have the drawback of being dependent upon the memory of an individual user. Users should avoid using words that can be found in a dictionary. The password should be a mixture of letters and numbers for best encryption. Changing passwords for files, particularly when there are many files, is not recommended except in cases where security has been compromised.

Some users of stand-alone computers do not routinely back up their files. This is usually be cause they have tight schedules and they see the process as time-consuming. Regular backing up, however, is good not only for security reasons but also as a precaution against hardware (disk or RAM) failure, accidental deletion, or save-file omission, and it is helpful when there is a need to retrieve the original version of a file. Data can be stored on tape backup units; it can also be kept on a removable medium that is larger than floppy diskettes (for example, a Bernoulli box or an optical disk). Network backup is also an added safeguard alternative.

An uninterrupted power supply (UPS) is not commonly found on stand-alone computers, which is unfortunate because UPS is a good feature. In some cases, users may be working with very important files for which added protection is desirable. During periods of unexpected adverse power changes (electrical storms), users may want to shut down their PCs and disconnect all connections. Surges come from not only power outlets but also printer cables, network cables, and communication cables.

Power surge protectors are usually power strips that contain some internal devices to absorb power overloads. There are many models on the market, and they have different characteristics. Since there is not always a correlation between cost and protection, users should discuss their specific needs with suppliers or consultants.

Security on the Local Area Network (LAN)

Many of the previous suggestions for stand-alone computers can be applied to network systems. However, networks add the complication of multi-users and multi-task operations.

Networks have become the choice of PC users. The growing compatibility among different systems allows for more connections than ever before. Networks not only connect PCs but also open gates to other systems through communication software. There are many advantages to the network, such as easier access to shared files, communications, shared software, larger storage, and back up. The disadvantages are misuse of access, data loss, and disruption if the file server is down.

Networks require their own maintenance, and their size determines how large a staff is needed to administer them. The network administrator has to be trustworthy and responsible. When possible, the duties of administering a network should be spread among several individuals so that the system can not be compromised. In some cases, a contract might be made with an outside source such as a VAR (Value Added Retailer); such an arrangement would provide some security and continuity in the event of the administrator's incapacity (e.g., illness, death, termination) as well as provide an alternative maintainer familiar with the system. Documentation should be maintained as required.

Network administrators should design security to best suit the business. A starting point is at the access points to the system (log-in), the software, and the files. Users should have access to information (files) as needed with appropriate levels of security (read, write, modify, create, etc.). Files should also be protected from unauthorized use.

At some presses there is a need to schedule time for access. Each user or user group is scheduled for access at a certain time during each day or each week. This scheduling is done by the network manager. (Sometimes it is easier to schedule the time based on exclusion.)

Network passwords are very critical. They allow the network to determine who the user is (and to deny access to unknown users), which files may be accessed, and perhaps even when the system can be accessed by that user. Users should have both public and private files. The latter would be in directories exclusive for the user. Some software allows users to restrict certain marked files.

Networks, particularly larger ones, should have periodic changes of password. It often happens that someone, either an acceptable user or an intruder, learns another's password. Some network systems have timers on passwords so that after a certain period the users have to change their current password. This helps to prevent access by former users or intruders. It does, however, mean that the user must learn and remember a new password. Users usually will devise changes that can be easily determined without becoming obvious to others.

Network backup is a critical function. The individual users are at risk and the press as a whole has a lot at stake. A problem at the network level can be compounded. First, there is the physical problem when hardware fails in the file server. This could be the result of an equipment failure or a power surge. If there is no backup, files may be permanently lost. There is also the less likely chance of losing files because of either malfunctions in the network wiring or collision. Unlike a stand-alone PC, the network provides frequent opportunities for unauthorized attempts to access. Once an intruder is in the system, the reliability of files and data may be compromised. An intruder can be another user, but it can also be a software bug or virus. Or sometimes a file simply has been modified so extensively that restoring a backup version would save time.

A regular schedule of backup procedures should be in place on all networks. A daily copy of all working and data files should be made. Since the backup may take some time (e.g., 30 minutes), it could be scheduled for a preprogrammed night period or during the lunch hour. A weekly backup should be made to include all files and software. This is best done toward the end of the week (Thursday afternoon or Friday) and should immediately be stored off-site. This offers the greatest protection in the event the file server is destroyed or damaged. Both daily and weekly versions of the backup files should be put into a series. That is, make a different tape for each day of the week and rotate a set of five for the weekly backup. This decreases the chances of loss if a backup copy is defective.

Another question is whether to back up only those files that have been changed since the last backup, or to do a complete backup each time. The change-only method saves a little time, but it means that when a system backup is needed, it is necessary to go through several backup copies to find the correct version of each file. It is better to copy all the files at the same time. This establishes the starting point for all users to determine which files were saved and which were not. A modified method could use complete backup for interrelated files (such as a database or directory) and append files for other files such as word processing.

A UPS is necessary for all network servers. Since there is a lot of interaction with the server, it is vital to maintain its operations at critical times. Although there is no guarantee that all user files can be saved, the server will complete as many tasks as possible while under auxiliary power. On some networks, the servers can be programmed to shut down when remaining auxiliary power has dropped to a certain level. The UPS can also help maintain minimum power requirements during utility fluctuations (brown-outs), and it acts as protection from surges.

Remote access has become common for many networks. This allows users at other sites (home, branch office, warehouse, etc.) to access needed information, but such off-site access increases the possibility of unauthorized access. While the net work offers log-in and password protection, the software that allows remote access must also have some safety features. It should at least have its own log-in and password procedure. The user should not use the same log-in and password as the network. Otherwise, if unauthorized users learn one, they will know the other. Another protection is a dial- back. A list of valid users of the remote access is kept in the software with the phone number (and location) of each user. After the user makes the correct remote access, the remote access software dials back to the user's phone. If the user does not answer, access is denied. Users may have several locations, with different log-in and passwords at each. A weakness of this software is that a traveling user (e.g., salespeople) would be limited to a certain number of locations, although this problem could be worked out.

Record locking is a standard feature on practically all network servers. Basically, it prevents two users from using the same record at the same time. If it did not, when users filed (wrote) to the server almost simultaneously, there would be a collision. In some applications, the programmer or network administrator may have to implement the record locking feature. In some networks, record locking and field locking are used in combination, and this allows two users to use the same record but in different fields.

Audit Security

As mentioned, separation of duties helps prevent internal breaches of security in a network. There are two ways to maintain security over who uses a network. Either every user/group has access (or rights) to everything except what has been marked as excluded, or every user/group has no access (or rights) to specific files/programs except as marked by the administrator. The latter method is preferred by network administrators and auditors because it limits the potential for compromising the database. Another aid in system integrity is to have a hidden file/record that maintains data of file totals. The only changes that can occur go through predesigned programs. The network administrator can review these values in single screen inquiry, which can be checked at the end of a cycle (month, year) for verification. It makes it very difficult for any user to attempt to alter a file/record without access to the system record pertaining to that file.

All of these methods and ideas are currently used by presses. For some presses, they are a good starting point. Certainly new products, in both software and hardware, are improving security. Many additional resources are available. Among them are current journals, magazines, and even college textbooks. Assistance is also available from institutional computer services, vendors, installers, and the internet. Basically, every press must consider what it has at risk as a business and then do what is necessary to minimize that risk.

The AAUP Business Handbook >> Part Three: Managing Operations

Personal tools