Security: It’s Not All About Hackers
Sometimes, the biggest threat to security isn’t a mysterious hacker on the
Net—it’s the person who just walked by.
“WHY BOTHER?” a doctor in the front row of the seminar blurted out.
The topic under discussion was improving the security of patient data at a famous
university hospital, but he wasn’t so sure that technology was the answer. “Why
worry about fancy systems to secure computer systems, when all that’s needed
to obtain patient records is a white lab coat and a clipboard—particularly if
you’re a white male over the age of 35?” His point was a good one.
In our own discussions of cyber security, we often omit the simplest security
of all: controlling physical access to our computer facilities. It used to be
a tedious process to steal information from someone’s computer, but the proliferation
of small memory devices, personal digital assistants (PDAs), and music players
that plug directly into a PC’s USB port now make it possible to transfer huge
amounts of information to an easily concealed gadget. It’s also pretty easy
to just walk off with a laptop. In short, controlling physical access to computers—
those on desks or those in the computer room—is just as important as preventing
hackers from accessing our networks.
First, assess risk. The first step in controlling physical access as
part of a layered campus defense is a risk assessment: What are we trying to
protect? The answer is not just sensitive or proprietary information on the
computer, but the computer itself. What will it cost us if either is stolen?
The cost of a computer is obvious, but what is the value of the information
stored on that computer? What would the theft cost our clients both directly
and indirectly? What would be the damage to our reputation? Finally, what will
it cost us to protect the computer or the information?
For example, the value of a computer in a public lab is little more than the
cost of the computer and the software. A simple cable-lock device may be all
that’s required. On the other hand, a laptop that contains sensitive information—
say, the Social Security numbers of all of the institution’s students—has a
value that far exceeds the cost of the laptop itself, and justifies more aggressive
protection. We’re always faced with a trade-off between three variables: security,
cost, and convenience.
Three Types of Security
While there is a bewildering array of secure-access techniques and technologies,
they all can be easily placed into three categories: something you have, something
you know, or something you are.
Something you have is fairly obvious: something in your possession to
prove that you should have access, such as a key to a lock, or a photo ID. Something
you know would be traditional passwords and PIN numbers. It’s common to combine
something you know with something you have. To get money from an ATM machine
you need both the PIN number and the ATM card.
Something you are is the newest method of security. Better known as
“biometrics,” the term refers to the practice of using some part of an individual’s
physical identity as an identifier. The most common example is the use of a
fingerprint, while other examples are the use of retina scans and voice recognition.
Smart Cards Move to “Challenge/Response”
The current generation of “smart” cards makes effective use of twofactor authentication requiring “something you know” (a PIN or password) as well as “something you have” (a card). In PIN-protected memory cards, the information stored in the memory of the card can be read only after the PIN has been typed into the card or the device reading the card. But the latest two-factor smart cards are cryptographic challenge/response cards that have onboard memory and processors, and can perform encryption and decryption. In one challenge/response scheme, the host computer system and the user both know a shared secret password. The host computer sends a number to the user (the “challenge”); the user encrypts the challenge number with the shared secret password on the smart card and returns the result (the “response”) to the host computer. The host computer independently encrypts the challenge and compares the result with the user’s response. If the two agree, the user is given access. In another challenge/response scheme, the smart card has a clock, which periodically displays the encrypted time that the user types into the host computer system. In this case, the “challenge” is never sent explicitly but is understood to be the encrypted current time. If an external intruder obtains the response by listening to network traffic, that action has limited value because the correct response changes every few seconds as the time changes. Unfortunately, most smart cards can run $60 to $100 per employee, and involve other issues such as creating mechanisms to quickly replace lost cards.
Something you have. What are the relative advantages and disadvantages
of using “something you have” for security purposes? Whether it’s the use of
an old-fashioned metal key or a high-tech token, the primary advantages are
convenience and relatively modest cost. The primary disadvantage is that such
items can easily be lost or stolen, and there is no guarantee that the appropriate
individual is using them.
Something you know. Passwords have the advantage of being inexpensive,
and the concept is well understood by users. Most PCs and networks can be easily
configured to require passwords to access information. Unfortunately, passwords
can be stolen while transmitted over a network, collected by illicit software
designed to capture passwords, or even guessed by smart hackers. What’s more,
because so many passwords are required of users, many individuals opt to use
a single password for everything. When one password is compromised, multiple
accounts for a given user may be compromised.
Something you are. Biometric devices that identify individuals by fingerprint,
retinal pattern, handwriting, keystroke dynamics, or voice pattern are most
appropriate for very high-security environments, but are still relatively expensive
and as yet are not a perfect science; users complain of frequent false rejections.
(There’s nothing quite as frustrating as being locked out of your own computer
when it refuses to recognize your thumbprint.)
Secure Password Checklist
- Ideally, passwords should be long (eight characters or more) and include numbers, upper and lower case letters, special characters such as #, $, and !, and be meaningless gibberish not found in a dictionary. Unfortunately, passwords that meet these criteria are frequently hard to remember, so people write them down, thus defeating the whole idea of robust passwords. A workable compromise: a chain of abbreviated words that an individual can remember, with the addition of some meaningful but unrelated numbers and perhaps a character. For example, “For Secure Access” may help a user remember the password “4SecAcc.”
- Encourage or, better yet, require users to change passwords regularly; every 90 days or more often for sensitive applications.
- Make clear to campus users that they must never give their passwords to anyone other than security administrators or backup personnel.
- Make clear to campus users that they must never copy their actual, unencrypted passwords onto paper, for convenience. Instead, they can track their passwords via “clue” sheets that only they would understand. The clue “DadCarJ'ey” would remind the user of the password “65Blk8” (The user’s father is 65, his car is black, and his dog J'ey is eight.)
Recommendations for Higher Ed
Clearly, there is no one-size-fits-all solution to the demands for physical
security on campus. However, the following guidelines can help your institution’s
administrators choose the security practice—or combination of practices—that
will best suit campus needs.
Two-factor authentication. All points of access to facilities with computers
containing sensitive information should be controlled by checkpoints or coded
card readers using two-factor authentication that is based on both “something
you know” (PIN or password) and “something you have” (token or key), to restrict
access to authorized personnel only. Two-factor authentication is a nice compromise
between rigorous security and reasonable cost and convenience. (See “Smart Cards,”
below) Reserve biometrics for very high-security environments. The cost for
this technology will continue to fall as it matures; as that happens, it may
be considered for additional locations.
Don’t drop traditional tools; watch for internal problems. Remember
that good physical security d'esn’t eliminate the need for firewalls, antiviral
protection, or any of the other more traditional cyber-infrastructure security
tools. (And don’t forget that disgruntled employees present a much higher threat
to your institution than external hackers and thieves.)
Where there’s a will
Finally, remember that any lock can be picked
with a big enough hammer.
Think your campus is physically secure? Take this quiz.
- Have you performed a risk assessment for the loss of information on your computers, as well as the loss of the computers themselves?
- Have you developed and publicized policies governing physical access to your facilities? Your policy is your version of criminal law and serves two vital functions: it outlines the rules and provides a basis for punishing transgressions.
- Do you know who has access to your computer room or to staff offices? Do you know why?
- Have you installed physical access controls appropriate to the risks?
You passed if you answered “yes” to all questions.