Security: It’s Not All About Hackers

Sometimes, the biggest threat to security isn’t a mysterious hacker on the Net—it’s the person who just walked by.

“WHY BOTHER?” a doctor in the front row of the seminar blurted out. The topic under discussion was improving the security of patient data at a famous university hospital, but he wasn’t so sure that technology was the answer. “Why worry about fancy systems to secure computer systems, when all that’s needed to obtain patient records is a white lab coat and a clipboard—particularly if you’re a white male over the age of 35?” His point was a good one.

In our own discussions of cyber security, we often omit the simplest security of all: controlling physical access to our computer facilities. It used to be a tedious process to steal information from someone’s computer, but the proliferation of small memory devices, personal digital assistants (PDAs), and music players that plug directly into a PC’s USB port now make it possible to transfer huge amounts of information to an easily concealed gadget. It’s also pretty easy to just walk off with a laptop. In short, controlling physical access to computers— those on desks or those in the computer room—is just as important as preventing hackers from accessing our networks.

First, assess risk. The first step in controlling physical access as part of a layered campus defense is a risk assessment: What are we trying to protect? The answer is not just sensitive or proprietary information on the computer, but the computer itself. What will it cost us if either is stolen? The cost of a computer is obvious, but what is the value of the information stored on that computer? What would the theft cost our clients both directly and indirectly? What would be the damage to our reputation? Finally, what will it cost us to protect the computer or the information?

For example, the value of a computer in a public lab is little more than the cost of the computer and the software. A simple cable-lock device may be all that’s required. On the other hand, a laptop that contains sensitive information— say, the Social Security numbers of all of the institution’s students—has a value that far exceeds the cost of the laptop itself, and justifies more aggressive protection. We’re always faced with a trade-off between three variables: security, cost, and convenience.

Three Types of Security

While there is a bewildering array of secure-access techniques and technologies, they all can be easily placed into three categories: something you have, something you know, or something you are.

Something you have is fairly obvious: something in your possession to prove that you should have access, such as a key to a lock, or a photo ID. Something you know would be traditional passwords and PIN numbers. It’s common to combine something you know with something you have. To get money from an ATM machine you need both the PIN number and the ATM card.

Something you are is the newest method of security. Better known as “biometrics,” the term refers to the practice of using some part of an individual’s physical identity as an identifier. The most common example is the use of a fingerprint, while other examples are the use of retina scans and voice recognition.

Smart Cards Move to “Challenge/Response”

The current generation of “smart” cards makes effective use of twofactor authentication requiring “something you know” (a PIN or password) as well as “something you have” (a card). In PIN-protected memory cards, the information stored in the memory of the card can be read only after the PIN has been typed into the card or the device reading the card. But the latest two-factor smart cards are cryptographic challenge/response cards that have onboard memory and processors, and can perform encryption and decryption. In one challenge/response scheme, the host computer system and the user both know a shared secret password. The host computer sends a number to the user (the “challenge”); the user encrypts the challenge number with the shared secret password on the smart card and returns the result (the “response”) to the host computer. The host computer independently encrypts the challenge and compares the result with the user’s response. If the two agree, the user is given access. In another challenge/response scheme, the smart card has a clock, which periodically displays the encrypted time that the user types into the host computer system. In this case, the “challenge” is never sent explicitly but is understood to be the encrypted current time. If an external intruder obtains the response by listening to network traffic, that action has limited value because the correct response changes every few seconds as the time changes. Unfortunately, most smart cards can run $60 to $100 per employee, and involve other issues such as creating mechanisms to quickly replace lost cards.

Advantages/Disadvantages

Something you have. What are the relative advantages and disadvantages of using “something you have” for security purposes? Whether it’s the use of an old-fashioned metal key or a high-tech token, the primary advantages are convenience and relatively modest cost. The primary disadvantage is that such items can easily be lost or stolen, and there is no guarantee that the appropriate individual is using them.

Something you know. Passwords have the advantage of being inexpensive, and the concept is well understood by users. Most PCs and networks can be easily configured to require passwords to access information. Unfortunately, passwords can be stolen while transmitted over a network, collected by illicit software designed to capture passwords, or even guessed by smart hackers. What’s more, because so many passwords are required of users, many individuals opt to use a single password for everything. When one password is compromised, multiple accounts for a given user may be compromised.

Something you are. Biometric devices that identify individuals by fingerprint, retinal pattern, handwriting, keystroke dynamics, or voice pattern are most appropriate for very high-security environments, but are still relatively expensive and as yet are not a perfect science; users complain of frequent false rejections. (There’s nothing quite as frustrating as being locked out of your own computer when it refuses to recognize your thumbprint.)

Secure Password Checklist

  • Ideally, passwords should be long (eight characters or more) and include numbers, upper and lower case letters, special characters such as #, $, and !, and be meaningless gibberish not found in a dictionary. Unfortunately, passwords that meet these criteria are frequently hard to remember, so people write them down, thus defeating the whole idea of robust passwords. A workable compromise: a chain of abbreviated words that an individual can remember, with the addition of some meaningful but unrelated numbers and perhaps a character. For example, “For Secure Access” may help a user remember the password “4SecAcc.”
  • Encourage or, better yet, require users to change passwords regularly; every 90 days or more often for sensitive applications.
  • Make clear to campus users that they must never give their passwords to anyone other than security administrators or backup personnel.
  • Make clear to campus users that they must never copy their actual, unencrypted passwords onto paper, for convenience. Instead, they can track their passwords via “clue” sheets that only they would understand. The clue “DadCarJ'ey” would remind the user of the password “65Blk8” (The user’s father is 65, his car is black, and his dog J'ey is eight.)
Recommendations for Higher Ed

Clearly, there is no one-size-fits-all solution to the demands for physical security on campus. However, the following guidelines can help your institution’s administrators choose the security practice—or combination of practices—that will best suit campus needs.

Two-factor authentication. All points of access to facilities with computers containing sensitive information should be controlled by checkpoints or coded card readers using two-factor authentication that is based on both “something you know” (PIN or password) and “something you have” (token or key), to restrict access to authorized personnel only. Two-factor authentication is a nice compromise between rigorous security and reasonable cost and convenience. (See “Smart Cards,” below) Reserve biometrics for very high-security environments. The cost for this technology will continue to fall as it matures; as that happens, it may be considered for additional locations.

Don’t drop traditional tools; watch for internal problems. Remember that good physical security d'esn’t eliminate the need for firewalls, antiviral protection, or any of the other more traditional cyber-infrastructure security tools. (And don’t forget that disgruntled employees present a much higher threat to your institution than external hackers and thieves.)

Where there’s a will… Finally, remember that any lock can be picked with a big enough hammer.

Get Secure

Think your campus is physically secure? Take this quiz.

  • Have you performed a risk assessment for the loss of information on your computers, as well as the loss of the computers themselves?
  • Have you developed and publicized policies governing physical access to your facilities? Your policy is your version of criminal law and serves two vital functions: it outlines the rules and provides a basis for punishing transgressions.
  • Do you know who has access to your computer room or to staff offices? Do you know why?
  • Have you installed physical access controls appropriate to the risks?

You passed if you answered “yes” to all questions.

comments powered by Disqus