Handbook of Information Security Management:Computer Architecture and System Security



Section 5-2
Microcomputer and LAN Security

Chapter 5-2-1
Microcomputer and LAN Security

Stephen Cobb

INTRODUCTION

This chapter focuses on preserving the confidentiality, integrity, and availability of information in the microcomputer and local area network (LAN) environment. We often refer to this as the desktop environment, desktop computing, or PC-based computing (PC as in personal computer — we will further define our terminology in the next section). The aim is to complement the information in Section 2.2.

Why Desktop Computing Matters

Although mainframe computers continue to be used extensively for such tasks as large-scale batch processing and online transaction processing, for many organizations today, computer security is, in effect, desktop computer security. Networked desktop computers are the dominant computing platform of the late 1990s, from the Microsoft Windows-based computers that some airlines use to check in passengers at airports, to the stock transaction and account inquiry systems used in banking and financial institutions, from personal computer-controlled assembly lines to PC-based medical information systems.

In many of these applications the personal computer may appear to be working as a terminal access device for a larger system. But from a security perspective it is important to understand that every personal computer system is a complete computer system, capable of input, output, storage, and processing. As such, a PC poses a much more significant threat than a dumb terminal, should the PC be subverted or illegally accessed. Furthermore, with very few exceptions, none of the desktop computing devices deployed today were designed with security in mind. Add to this the enormous increase in both the depth and the breadth of computer literacy within society over the last ten years and you have a recipe for serious security headaches.1


1 As someone you call when you get one of these headaches, I can attest to the increased frequency of the calls and the growing severity of the headaches. The opening comments in this chapter were shaped by participation in security assessments at a number of major U.S. and international corporations during the last 12 months. For a collection of recent infosec-related statistics, visit http://www.theroyfamily.com/security.html.

The Approach Taken

All major aspects of desktop security will be addressed in this chapter, beginning with the need to address desktop issues within the organization’s information security policies. Security awareness on the part of both users and managers is stressed. The need for, and implementation of, data backup systems and regimes is outlined. Passwords and other forms of authentication for desktop users are discussed, along with the use of encryption of information on desktop machines and LANs. There is a section on malicious code. The network dimensions of desktop computing security are explored, together with the problems of remote access (the security implications of Internet connection are dealt with in Section 2.3).

Centralized, Layered, and Design-Based Approaches

A good case can be made for saying that desktop computer security is best handled through automated background processes, preferably centrally managed on a network.2 Desktop computer users, so the argument goes, should not be expected to worry about backups and virus scanning and access controls. These security mechanisms should be handled for them as part of the operating system.


2 For a more detailed statement of this position and its weaknesses, see The NCSA Guide to PC and LAN Security, McGraw-Hill, New York, 1996.

This sounds appealing, but there are several practical reasons why an understanding of the security weaknesses of standalone PCs and undermanaged LANs remains critical, and why, in at least some cases, it is necessary to implement piecemeal solutions that lack the elegance and obvious efficiency of the automated, centrally-managed approach:

  A lot of desktop computers are currently connected to networks that have little hope of ever being centrally managed, yet the information they handle is still important and so warrants protection.
  Many of the methods for automating and managing security will only be applicable to, or compatible with, newer hardware and software. Older systems will remain in use and will still need to be protected.3
  Mature tools with which to automate and centrally manage security on local area networks are only just coming to market, and many organizations are only just realizing that they need them and will have to pay for them.
  A fairly high level of security can be achieved on both current and older personal computers with the layered approach, described next.

3 For example, many new PCs today have BIOS-based boot protection, but there are plenty still in use that do not.

The layered approach to desktop security maximizes existing, but underutilized, security mechanisms, plus low-cost add-ons, through policy, awareness, and training. For example, the floppy disk drive of a PC is a major security problem. Confidential and proprietary data can be copied to a floppy diskette and smuggled out.4 Incoming diskettes may introduce pirated software, Trojan code, and viruses to the company network. Yet the BIOS in most of today’s PCs allows you to tightly control use of the floppy drive, for example, by disabling booting from, reading from, or writing to it. PC security is considerably enhanced by implementing this type of control, which is essentially free. The layered approach would extend this protection by also requiring antivirus software on the PC and putting in place a company policy governing the use of floppy disks in the office. When employees understand the threat that a serious virus outbreak or data theft poses to their jobs, most are apt to support the policy.


4 Examples of this are legion, from Aldrich Ames, the CIA spy, to lists of AIDS patients made public in Florida, to company secrets valued at millions of dollars in cases brought by American Airlines and Merrill-Dow.

DESKTOP SECURITY: PROBLEMS, THREATS, ISSUES

The problems, threats, and issues of desktop security need to be placed in perspective. A common, but dangerous, mistake is to underestimate the seriousness of this aspect of information system security. A clear understanding of desktop system architecture and its security implications is required.

