Saturday, March 13, 2010

Hacker Series Part One


“Cyber attacks pose the greatest threat to the United States after nuclear war and weapons of mass destruction -- and are increasingly hard to prevent,” said Shawn Henry, assistant director of the FBI's cyber division. Of the six billion dollars that Microsoft spends annually on research and development, approximately one-third, or two billion dollars, is spent directly on security efforts (Talbot, 2005). IT managers are on the front line of a guerrilla war when it comes to protecting computer technology from hackers. It is a continual game of one-upmanship: as one vulnerability is closed, another appears. There are, however, a number of basic things that an IT manager can do to protect her company, and it all starts with vigilance.

McNurlin et al. (2006) indicate that security rests on five pillars: authentication, identification, privacy, integrity and non-repudiation. Authentication means verifying that someone is who they claim to be. A user does this by supplying something only they should know, such as a password or the answer to a secret question; something only they should have, such as the number displayed by a digital token; or something they are, a biometric such as a fingerprint. Current best practice is to require two of those three categories, which is called two-factor authentication (a password plus a token number qualifies; a password plus a secret question does not, because both are things the user knows). For example, in order to get into my company computer I must enter a password and the number from a token. However, that only gets me to a certain point. I must be identified to go into various areas of the company system, and the system uses that identity to decide what I am authorized to reach: I am not authorized to go into certain areas, and a notification appears on my screen if I attempt to access them. Data privacy and integrity also have to be preserved. Not all data is for all eyes, and some is kept read-only so that it cannot be changed. Data is also encrypted when sent so that anyone who intercepts it on the Internet cannot read it. The final pillar is non-repudiation, which means that the sender and receiver of a message are authenticated in a way that neither can later deny having sent or received it. All of this security has no purpose if it is not used, and thus it must begin with the user.
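The password-plus-token login described above, written out as an added example (this is illustration code, not anything from the original post or from McNurlin et al.). It assumes the token is an HOTP device as specified in RFC 4226, that the server keeps a salted PBKDF2 hash of the password and the token's shared secret, and that the counter in the server's record is the next value it expects. The user record, salt and secret are constructed demo values; the secret is the RFC 4226 test-vector secret so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# Constructed demo data, not a real credential store. The token secret is the
# RFC 4226 test-vector secret so the codes below can be checked against the RFC.
TOKEN_SECRET = b"12345678901234567890"
SALT = b"constructed-demo-salt"          # a real store uses a random salt per user


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Salted, deliberately slow password hash: a stolen store cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# One user: "something you know" (password hash) and "something you have"
# (the HOTP secret, with the counter the server expects next).
USERS = {
    "alice": {"pw_hash": hash_password("correct horse battery staple"), "counter": 0},
}


def login(user: str, password: str, token_code: str, lookahead: int = 3) -> bool:
    """Two-factor login: both factors must check out, and a used code is never accepted twice."""
    record = USERS.get(user)
    if record is None:
        return False
    # Do the password work even when it will fail, so timing does not reveal which factor was wrong.
    pw_ok = hmac.compare_digest(record["pw_hash"], hash_password(password))
    token_ok, matched = False, record["counter"]
    # Accept the next few counters in case the user pressed the token button without logging in.
    for c in range(record["counter"], record["counter"] + lookahead):
        if hmac.compare_digest(hotp(TOKEN_SECRET, c), token_code):
            token_ok, matched = True, c
            break
    if pw_ok and token_ok:
        record["counter"] = matched + 1   # burn this code and every earlier one
        return True
    return False
```

The point to notice is that a correct token code with a wrong password, or a correct password with a replayed code, both fail: neither factor on its own is enough, which is the whole value of the second factor when a password has been phished or guessed.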

Internal users should be included in the defense of the company through timely and repeated education. Everyone who has access to company computer systems should be taught, and reminded, that they are an important part of the security and well-being of the company. While every company should have the very latest protection software and its current updates, users should be reminded to update it frequently or, better yet, updates should be applied automatically. Taking human memory out of the equation as much as possible is wise. In addition, “cookies” should be cleared frequently.

Users should be instructed on how to choose strong passwords, and IT managers need to remind people to change their passwords periodically and immediately whenever one may have been exposed. It is natural and comfortable to choose a password that is easy to remember, and that normally means dates of important events in the individual’s life or other obvious words. Unfortunately, those are exactly the first things an attacker tries: a date in any numeric layout, or a dictionary word with a digit or two appended, is found in minutes by an automated guessing program, and if the attacker has obtained a copy of the company’s password database, brute force will eventually uncover every short password however it was chosen. A strong password is one that is long and not derived from personal facts or single words; a passphrase of several unrelated words is both strong and memorable. Passwords that are strong but arbitrary are hard to remember, so the temptation is to write them down somewhere where someone else might find them. Users also need to be warned never to give their password to anyone who telephones claiming to be from IT and needing it to perform maintenance; IT staff never need a user’s password to do their job. Increasingly, biometric entry to computerized systems appears to be the way to go.
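To show why date-based and dictionary passwords fall so quickly, here is an added example of the offline guessing attack the paragraph above refers to (illustration code written for this page, not from the original post). It assumes the attacker has obtained password hashes stored as unsalted SHA-256, a stand-in for whatever weak hashing a breached system used, and it uses a constructed eight-word list in place of the multi-million-entry lists real attackers carry. The sample passwords (a constructed birthday of 13 March 1985, a capitalised season with a year, and one arbitrary string) are made up for the demonstration.

```python
import hashlib
import itertools
import math

# Constructed stand-in for the multi-million-entry word lists attackers really use.
COMMON_WORDS = ["password", "letmein", "welcome", "summer", "dragon",
                "princess", "monkey", "qwerty"]


def sha256_hex(s: str) -> str:
    # Unsalted SHA-256 stands in for whatever weak hash a breached system stored.
    return hashlib.sha256(s.encode()).hexdigest()


def date_guesses(start_year: int = 1940, end_year: int = 2010):
    """Every calendar date in the numeric layouts people actually type:
    MMDDYYYY, DDMMYYYY, MMDDYY and YYYYMMDD. Impossible dates such as
    February 31 are generated too; they cost nothing and never match."""
    for year in range(start_year, end_year + 1):
        for month in range(1, 13):
            for day in range(1, 32):
                yield f"{month:02d}{day:02d}{year}"
                yield f"{day:02d}{month:02d}{year}"
                yield f"{month:02d}{day:02d}{year % 100:02d}"
                yield f"{year}{month:02d}{day:02d}"


def word_guesses():
    """Dictionary words with the capitalisation and suffixes users add to satisfy length rules."""
    for word in COMMON_WORDS:
        for base in (word, word.capitalize()):
            yield base
            for suffix in ("1", "123", "!", "2010"):
                yield base + suffix


def crack(target_hash: str, max_guesses: int = 2_000_000):
    """Offline guessing attack against one stolen hash.
    Returns (password, guesses_used) on success or (None, guesses_used)."""
    guesses = 0
    for guess in itertools.chain(word_guesses(), date_guesses()):
        guesses += 1
        if guesses > max_guesses:
            break
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


def guess_space_bits(password: str) -> float:
    """Naive strength estimate: log2 of the full character-class search space.
    An eight-digit date scores a respectable-looking ~27 bits yet falls to
    crack() in about 100,000 guesses, because the attacker only tries dates."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for pw in ("03131985", "Summer2010", "Tr0ub4dor&3"):
        found, n = crack(sha256_hex(pw))
        print(f"{pw!r}: {guess_space_bits(pw):.1f} bits nominal, "
              f"{'cracked' if found else 'survived'} after {n} guesses")
```

The birthday and “Summer2010” are recovered almost immediately, while the arbitrary string survives the whole list; the mismatch between the nominal bit strength and the real guess count is exactly why “easy to remember because it means something to me” is a poor basis for a password. Salting and a slow hash (as in the login example earlier) raise the cost of each guess but do not rescue a password that is on the list.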
