Informational Brochure: Under Lock and Key
Under Lock and Key: An Introduction to Computer Security
Security: a hedge against harm
Computer crime. Hackers. Data security. Electronic fraud and embezzlement. The everyday language of business has suddenly acquired a new and disturbing set of buzzwords. But while the subject of all the concern is recent, the object (security) is ancient indeed.
Since the beginning of recorded time, and probably long before that, people have tried to keep themselves and their valuables safe from other people. Their attempts have sometimes reached colossal proportions. The Great Pyramid of Giza, for instance, contains an incredible 2.3 million blocks of granite and limestone, each weighing as much as 5000 pounds. It's a monument to the divinity of the king and to his passion for preservation against every possibility.
The longing for security also built the Great Wall of China. In 214 B.C. the Emperor Shih Huang Ti connected a number of existing defensive walls into what is perhaps the largest construction project ever carried out. Built to keep out the Huns, the Wall stretches 1500 miles from a gulf of the Yellow Sea to a point deep in Central Asia.
Security strategies have evolved over the centuries, the product of the endless conflict between the keeper and the taker. Grave robbers eventually found their way to the tombs of the Pharaohs (in at least one case they were given the master plan by an informer). Invaders of China went around, through, and over the Wall. Body armor, once effective against spears and swords, grew heavier and heavier to protect against bows and crossbows, and finally failed in the face of improved firearms. Its modern-day equivalent, the bullet-proof vest, can stop standard bullets but not the new armor-piercing ones. No solution is permanent.
But the rules of the game remain unchanged: any
security apparatus will be successful only insofar as it makes
the infiltrator's task difficult, thus discouraging damage in
the first place or minimizing it if it does occur.
Primitive security systems focus heavily on prevention, often to the exclusion of other goals. But the damage, since it is never totally avoidable, must be easy to detect and to recover from. And the system itself must be flexible enough to allow the corrective procedures that will prevent a recurrence. (The pyramids didn't provide for any of that; thus once the grave robbers got in, the Pharaohs' system, religious and philosophical considerations aside, was a failure.)
The final requirement of effective security is that
the cost be reasonable compared to the value of what is to be
protected. Few of us are absolute rulers with unlimited funds;
we need to get our money's worth.
Pyramids, walls, and computers
Conceptually, it's not that great a leap from the security problems faced by Pharaohs and Chinese emperors to those that confront modern corporate executives and EDP professionals. Like those earlier seekers of security, you have something to protect: information. There are specific threats against which you must protect it, as well as various options that raise the level of your security at a cost which also rises. Even protecting information is not unique to modern times: encryption devices were in use as early as 400 B.C.
Data security, then, is not a mysterious electronic labyrinth, incomprehensible and therefore to be feared and avoided. Instead, it is essentially a management problem, and one that can be evaluated and solved like any other.
True, the data (which is only a part of what you want to protect) is invisible; but it exists nevertheless, and so do the means to make it secure.
How do you start?
You start by actively seeking out security exposures
and dealing directly with those that you find. Even though information
technology is advancing rapidly, your goal is to establish security
precautions and procedures that are powerful enough to foil the
majority of would-be criminals, whatever the state of the art
may be.
Second, you must objectively evaluate your company's security strengths and weaknesses. We emphasize objectively because thinking like an outsider (perhaps even like a criminal) is your best way to discover whether your security has to be improved and, if so, how to improve it.
Finally you must assess computers realistically.
Your electronic treasure is admittedly unique in some ways. The
whole atmosphere surrounding computer crime has an eerie quiet
about it: typically, there's no violent breaking and entering,
no hauling away of truckloads of cash and stocks. You often don't
know what's going on while it's going on.
But in some ways, the situation is really no different
from the primitive security models we've been discussing: there's
something you want to keep some people from doing (and allow other
people to do). And there are ways to accomplish just that.
Security axioms as they apply to computer systems
The overall goal of maximizing difficulty and minimizing
rewards for the infiltrator must be accomplished at four concentric
circles of control.
- The innermost circle includes security and accuracy controls built into the EDP system itself. These controls are preventive, detective, and corrective. They act to keep unauthorized users out. But if a breach occurs, they identify the unauthorized user and restrict his activity. Finally, they ensure corrective action against the result of that activity, and, where appropriate, they enhance the preventive controls in order to preclude future break-ins.
- Next, the system must be protected by physical security: locks on the doors, alarms, guards, fire precautions, and so forth.
- The third circle consists of administrative controls over the use of the system. These extend beyond the EDP facility, encompassing everyone who is wired into the network, including general management.
- The outermost circle is one over which corporate management has little or no direct influence: the societal environment, that is, the officially prescribed punishments and the deterrent social norms. (The general attitude toward computer hackers, for instance, whether these people are viewed as daring electronic Robin Hoods or wrongheaded electronic vandals, has a great deal to do with the prevalence of hacking.)
With regard to the other side of the security equation, minimizing the cost, there is a law of diminishing returns. We believe it's possible to protect computer data and hardware with a very high degree of effectiveness, but beyond 50%, cost increases rapidly.
Can we actually assess the cost? Yes. Through risk
analysis the benefits of each security measure can be quantified
in comparison to its cost. (The cost may not necessarily be measured
in dollars, but in other factors, such as additional time and
inconvenience. Armored knights, for example, protected themselves
against slings and arrows, but they made great sacrifices in mobility.)
But will we pay the cost? Again, yes. At least,
we always have. What society wants, says Willis Ware in Computers
and Privacy in the Next Decade, society agrees to pay for. We
wanted interstate highways and trips to the moon, and we paid
for both. And when computer security is widely perceived as necessary
and feasible, then we will pay for it too.
Background: problems
But we don't have to go to the moon to find appropriate
cost/benefit parallels. Much more mundane and germane
is the example of our municipal police and fire protection. Expensive
as it is, no one doubts that it is needed or that it is worth
the cost.
Why then the furor over computer security? Why should
it even be a question today?
Much of the excitement and debate has been ignited
by the relative suddenness with which EDP security has become
an issue; many of us are simply not accustomed to thinking about
it. But whether we're ready for it or not, it is going to be a
continuing concern because of a number of problems which have
either appeared or become worse over a relatively short period
of time.
To help you understand the general emotionalism
and confusion, here's a brief survey of those problems.
- Commitment: Our society is irrevocably founded on information technology; it's a commitment we don't recall consciously making, and there's really no turning back.
- Centralization: Vast and ever-increasing amounts of data, much of it personal and private, much of it representing money or other negotiables, are concentrated in electronic storehouses.
- Work attitudes: Organizations are growing more and more dependent on people whose education, sophistication, and attitudes toward work and company loyalty are sharply different from those of employees of years past.
- Economic hard times: Large numbers of people in the white-collar managerial class are finding themselves under severe economic pressure which pushes them toward a temptation that they might otherwise find unthinkable.
- Proliferation: Microcomputers, networks, and telecommunications links (all of which provide automated ways to attack large systems) are rapidly spreading across the land; so is computer literacy, which helps to create a large number of hackers able and often willing to infiltrate those systems.
- Vulnerability: Unfortunately, computers and data communications systems were designed to operate under ideal circumstances: they weren't built with security in mind.
- Dependency: More and more organizations are basing major decisions on computer-generated data.
- Mystique: There is a widespread belief that computers are completely different from anything we've ever invented or experienced.
What not to do
This bewildering array of problems can easily lead to a head-in-the-sand attitude or to resignation. In fact, with regard to their security-related vulnerability, organizations commonly accept a lack of control and a degree of unpredictability that they would never tolerate in their everyday business practices or their long-range strategic plans. They reach conclusions on security and controls in blind faith, on inadequate information, and in the hope that problems will go away.
A 1981 survey by Frost & Sullivan, for example,
found that over 20% of the respondents had no information-security
systems, while 50% had one or fewer persons responsible for a
security program.
What can go wrong?
Think of yourself as playing a high-stakes chess game against an ingenious and resourceful opponent. You'll have to be able to defend yourself against whatever attack strategy he chooses. You don't know which it's going to be, but you do know the possibilities.
Your end of the chessboard is your EDP facility. You want to protect against disclosure, modification, or destruction (of data, program code, equipment, or facilities), either accidental or intentional.
The accidental is important. Just as your chess
opponent can make a devastatingly effective move without even
meaning to, simple incompetence and inadvertency can often be
more costly than crime. That's why the designer of an effective
security system must not only out-think the potential wrongdoer;
he must also set up checkpoints to catch human error.
The specific risks can be divided into the human
and the mechanical/natural.
Human threats begin with unauthorized access, which could lead to theft, alteration, or unauthorized disclosure of information (for embezzlement, corporate espionage, extortion, or blackmail) or to sabotage or vandalism.
Mechanical/natural problems include power failure,
fire, unacceptable levels of heat and humidity, and natural disasters.
Any of the above can interrupt service or cause the system to
perform wrong actions, give false results, or fail completely.
What can be done?
There are four general (not necessarily sequential) strategies for computer security:
- Understand the principles and goals of effective security.
- Assign responsibilities.
- Analyze the risks.
- Implement specific actions.
(1) Understanding the principles and goals. Although the
most basic principles were illustrated above, through analogies
with primitive systems, there are other maxims to keep in mind:
- An effective security program requires that the majority of effort be expended before a breach of security can take place (the Pharaohs certainly understood this).
- The more complex, intellectually stimulating problems are generally the ones with a low probability of occurrence. Thus...
- The best security measures are those that contain (or help to contain) more than one problem, especially since a specific measure may be hard to justify in terms of its ability to contain only one problem.
- Most employee crime in a given area of the organization is committed not by outsiders from other departments, but by people who are already within (and thus familiar with) the operations of that area.
- The best offense is a good defense. Simply assume that if a way exists to cheat a system, someone will indeed use it. In fact, users will generally exert constant pressure on any security system, so management must be prepared to be constantly upgrading the quality of that system. And even if you already have a good control system in place, assume that any changes in the computer system will necessitate adjustments to it.
(2) Assigning the responsibilities.
Experts are virtually unanimous in insisting that
the first step to improved EDP security is to make senior management
aware of the issue. Without management support, even the best
systems can fail.
Management's overall responsibility is to see to it that the company's program (1) contains routine preventive, detective, and corrective security controls and (2) specifies contingency plans for dealing with catastrophes, so that critical EDP operations are up and running within a delay time that is acceptable to the people who depend upon the system.
The EDP director bears a more direct responsibility.
This person must admit that the system is vulnerable (if indeed
it is) and take appropriate constructive action. That may well
include calling in an outside expert to make assessments and recommendations.
But whoever assumes direct responsibility for security
will have to be a generalist with expertise in areas as diverse
as systems hardware and corporate hiring practices.
(3) Assessing the risks.
Risk analysis, by quantifying the benefits of each security measure in addition to its cost, attempts to measure the benefits that result from eliminating or diminishing a particular risk. It's an analytic process that's guided by a single, elegantly simple comparison: the cost of avoiding something must be less than the cost of tolerating it.
In risk analysis we estimate the chance that some undesirable event will occur. We then evaluate that probability against the likely cost of the event if it does occur; in other words, the cost of losses from failure of an EDP installation to provide its services in a correct and timely manner.
Risk analysis contains a number of specific components.
It assesses the extent of the organization's dependence on computer
systems. It determines the degree of protection needed to secure
those systems, as well as the operation of the computer facility.
It evaluates the need for insurance. And it seeks to identify
specific risks to the system itself; to write standards to secure
the data from these risks; and to evaluate these risks in terms
of their dollar impact, the appropriate preventive measures, and
the organization's overall exposure.
But risk analysis is not always this rigorous. In
fact, it's often carried on as a complex and largely informal
balancing of risk, probability, cost of protection, and the available
technology and security products.
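As an added illustration, not taken from the brochure, the comparison described above carried out in Python: each risk is scored as probability times cost, and a measure is justified only when its cost is below the expected loss it removes, credited across every risk it helps contain. All risks, measures, probabilities and dollar figures are constructed for the example.

```python
"""Risk analysis in the brochure's terms: the cost of avoiding something
must be less than the cost of tolerating it.

Added example, not part of the brochure. All figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float   # estimated chance the event occurs in a year
    cost_if_it_occurs: float    # loss when it does, in dollars


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float          # dollars per year; time and inconvenience priced in
    reductions: dict            # risk name -> fraction of that risk's loss removed


def expected_loss(risks):
    """Probability times cost, summed: the cost of tolerating the risks as they are."""
    return sum(r.annual_probability * r.cost_if_it_occurs for r in risks)


def loss_avoided(measure, risks):
    """Expected loss removed by one measure. A measure that contains more than
    one problem earns credit for each, which is what lets it justify its cost."""
    return sum(r.annual_probability * r.cost_if_it_occurs * measure.reductions.get(r.name, 0.0)
               for r in risks)


def justified(measure, risks):
    """The single comparison: cost of avoiding < cost of tolerating."""
    return measure.annual_cost < loss_avoided(measure, risks)


def evaluate(measures, risks):
    """One row per measure: (name, cost, loss avoided, justified), best net benefit first."""
    rows = [(m.name, m.annual_cost, round(loss_avoided(m, risks), 2), justified(m, risks))
            for m in measures]
    rows.sort(key=lambda row: row[2] - row[1], reverse=True)
    return rows


# Constructed risk register (hypothetical figures).
RISKS = [
    Risk("power failure", 0.50, 20_000),
    Risk("access by a former employee whose codes were never revoked", 0.10, 150_000),
    Risk("fire in the computer room", 0.01, 1_000_000),
]

# Constructed candidate measures (hypothetical costs and reductions).
MEASURES = [
    Measure("revoke departed staff's codes on their last day", 2_000,
            {"access by a former employee whose codes were never revoked": 0.8}),
    Measure("standby generator", 15_000, {"power failure": 0.9}),
    # Covers two problems at once: the fire risk and part of the power-failure risk.
    Measure("off-site backup facility", 8_000,
            {"fire in the computer room": 0.7, "power failure": 0.5}),
]

if __name__ == "__main__":
    print(f"cost of tolerating all risks: ${expected_loss(RISKS):,.0f}/year")
    for name, cost, avoided, ok in evaluate(MEASURES, RISKS):
        print(f"{name}: costs ${cost:,.0f}, avoids ${avoided:,.0f} -> {'justified' if ok else 'not justified'}")
```

The generator alone fails the comparison, while the backup facility passes only because it is credited against two risks; that is the brochure's point about measures that contain more than one problem.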
(4) Taking specific actions.
The following overview provides guidelines and goals
for an effective security system. It addresses the generally recognized
common weaknesses among organizations that use computer systems
and distributed processing.
- System users must be screened and positively identified before they can use the system.
- Users' actions must be authorized and monitored by the system itself, as well as by network management. Any action must be traceable to the user who initiated it. EDP codes and passwords must be carefully assigned and administered.
- EDP and support facilities include hardware/terminals, hardware support, environment software (the operating system and application programs), documentation, computer library materials, and physical logs. These must all be protected from fire, theft, destruction, and unauthorized alteration or use.
- The integrity and confidentiality of the data must be thoroughly protected. That means supervising and controlling the dissemination, collection, and destruction of sensitive information. The data itself must be reconstructible and recoverable. And access to it must be auditable (failure in this area has made possible some of the world's largest computer crimes).
- The network and systems must be tamper-resistant, so that an ingenious programmer can't bypass the controls. Also, system development and systems maintenance of both applications and system software must be methodically supervised, so that as new components and software are added, management has procedures and policies that keep track of who's doing what.
- Transmission must be fail-safe, so that messages are not lost or garbled. It must also be private, delivering messages only to their intended destinations. Local-area networks (LANs), now in use by hundreds of organizations, present a special problem: each message sent by any user can potentially be read by any other. Thus if you have a LAN, you should be concerned with such security issues as data leaking in and out, access control, and level control (that is, what privileges are allowed to whom). To prevent wiretap (unauthorized interface), network management could use protected wire or encryption.
- The computer center itself must, as far as possible, be catastrophe-proof. Ideally, its critical functions should be replicable via backup facilities, so that the entire system does not depend on one vital center.
- Dealing with the human element means establishing, and strictly adhering to, the appropriate personnel policies. Prospective employees should be screened before they are hired (in a manner that is consonant with their individual rights to privacy). Probably more important is the treatment of former employees: codes and other security procedures must be thoroughly adjusted so that these people are denied the access they once enjoyed. Finally, a major focus of your policies must be to hire, train, and retain qualified internal audit personnel. Such individuals are in great demand, and turnover is typically high.
- Organization-wide security goals should be to raise morale and increase motivation. Internal public-relations people should strive to promote a sense of community and shared endeavor, to identify the individual's welfare with that of the corporation. By doing so they will be helping management to overcome tendencies toward apathy, nonchalance, and perhaps even dishonesty before these attitudes have a chance to do harm.
You also want to heighten the general awareness of the need for security. Consider formulating and disseminating a company policy (perhaps in the form of a practices/procedures manual).
How secure are you?
Once management has identified major weaknesses
and applied preliminary remedies, it can test the adequacy of
its security by forming a project team to conduct a simulated
attack on the system. The team would identify security gaps and
supervise the implementation of a program to plug them. But the
team should not do the implementing itself. Since internal security
people may have something to lose by such a venture, this is another
area in which external assistance might be appropriate. In any
event, you should consider testing your protective mechanisms
through annual audit by outside specialists.
Outlook: optimism?
Will the security of computer systems and installations
improve? Can we achieve a lasting and effective compromise between
protection and risk?
We can and will, because there really is no other alternative.
The process has been sketched in this brochure:
a comprehensive understanding of security issues, followed by
evaluation of security strengths and weaknesses and eventually
implementation of effective security strategies.
But even now there is reason for optimism. Despite
the growth of computer literacy, the complexity of computer systems
helps to keep the pool of potential wrongdoers relatively small.
Second, the technology of security products is constantly improving.
But a truly optimistic outlook depends on three
big musts.
First, security must become a high-priority goal in the design of information systems. It's possible to design a secure system by constructing walls around its subsystems. Unfortunately, since security features can increase initial cost and operating overhead, most designers have not been trained to build security into the systems they assemble. Consequently, it's often added as an afterthought, instead of being integrated at the beginning.
Second, security technology really must keep pace with the exponentially advancing complexity of computer systems, and especially of computer/telecommunications networks.
Finally, executives must integrate the principles of security into their business plans and operations and commit themselves to managing the people issues as well as the technological ones. The key objective is not to keep everyone out but to allow access by properly authorized people. Exactly who is allowed in, and why, thus become critical security concerns.
These three requirements are the guiding principles
by which we at Touche Ross & Co. develop and offer security-related
services. Without doubt, security is a serious problem. The cost
of reported computer-related crime and fraud is now about $100
million each year. And the estimates that include the unreported
incidents go as high as $10 billion.
But security is also a manageable problem, and one that we are prepared to help you solve.
And our purpose? To intervene in the continuing
conflict between keeper and taker...to restore the balance...and
ultimately, to provide the keeper with the advantage that he needs
and deserves.