DATA SECURITY

Businesses have a wide range of data security concerns. With the widespread use of electronic data, new security measures have been developed to protect data from uninvited or unwanted intrusion, intentional malice, human error, and physical damage. In larger companies an entire department may be devoted to maintaining data security and establishing policies for employees to follow. In some cases firms may bring in data security consultants to develop systems and procedures to ensure their data is secure.

General information security management involves taking such steps as announcing and making periodic reminders to the staff about established security policies. Companies may make a registration list of all systems and directories and who has access to them. Data security personnel may work with regular security personnel to ensure that unauthorized personnel are prevented from entering the premises. These procedures help in a general way to prevent data theft or tampering.

Security measures involving mainframe computer systems can be classified into five general types. In some cases these measures can be adapted to personal computers and local area networks (LANs). The first involves identification and authentication. Through the use of assigned passwords, companies can limit access and identify who the system's users are. The second is known as discretionary access control. These types of security measures regulate who has access to specific applications, files, and servers. Companies can restrict users to specific directories of network resources, for example, and take other restrictive measures to prevent unauthorized use and modification.

Audit control, the third security measure, makes it possible for system managers to keep track of all events on a company's computer network. While they may generate too much information, audit controls track what programs have been used, what files have been opened, and other aspects of network use. Another mainframe security measure is known as object reuse, which performs such tasks as clearing sensitive data from memory and hard disks and automatically disconnecting inactive computers and other network connections. Object reuse programs may also lock out a user who has left a workstation unattended for a certain length of time.

Secure communications, the final security measure, means protecting the network or system at the point where it meets the outside world. Techniques to secure communications include leasing private data lines instead of using public lines, using modem management programs to prevent unauthorized dial-ins over the telephone, and encrypting data before sending them over a public network or LAN.

Electronic data must also be made secure from physical as well as human threats. Power failures and surges, hardware failures, and fire and water damage are some of the physical threats against which companies must protect their data. Many companies back up their data on a daily basis and store it off-site to protect it from physical and natural disasters. A disaster recovery plan can help a company prepare for the unthinkable—a natural disaster that destroys all of its data.

The U.S. government is in the process of developing new computer security standards. For many years the existing standards were found in specifications of the U.S. Department of Defense's Orange Book, which was developed essentially for military applications. With the growing use of electronic data in business, industry, and government, a need arose for a commercial computer security standard. The National Institute of Standards and Technology is developing security standards that will address what a secure computer system is supposed to do (functional requirements) as well as how to determine that a system does what it is supposed to (assurance requirements).

DATA SECURITY AND THE INTERNET

The growth of the Internet and electronic commerce has raised the level of concern over secure data transmissions. During 1998 there was a higher level of Internet sites being infiltrated by hackers than ever before, including those of the Pentagon, NASA's Jet Propulsion Laboratory, and the New York Times. Since the Internet's infrastructure was never designed to provide secure transmissions, computer security experts have relied on some form of data encryption to ensure the integrity of data transmitted over open lines. That is, end-to-end security has become more significant than attempting to secure the infrastructure of the digital network.

Two specific aspects of Internet use have greatly increased the risk of computer security breaches. One is the increased utilization of cable modems and xDSL connections, which give users a persistent connection to the Internet. As these connections remain open for long periods, strangers may try to connect to the machine and competitors may engage in corporate espionage. An especially weak link in terms of data security involves telecommuters who connect to their company's internal network. Through the telecommuter's persistent connection, outsiders may attempt to gain access to the company's internal network.

A second area of concern involves the increased possibility of computer attacks on competing products in an attempt to discredit those products. These could involve security vendors as well as operating system vendors. Through an orchestrated attack on a competitor's product, a vendor could discredit that product for its own benefit.

Computer security experts recommend finding ways to make such attacks more dangerous for outsiders. One way of providing security against such attacks is to trace all attacks, attempted or successful, back to their source. This can be done through the attacker's IP address. Unfortunately, most companies ignore this piece of data unless the attack is successful. Tracing down every attack, even those that are unsuccessful, is a valid strategy that will discourage such attacks and provide a greater measure of data security.

The vulnerability of corporate electronic-mail systems was demonstrated with the appearance of the "Melissa" virus in March 1999. The virus attacked Microsoft's Outlook e-mail program and came in the form of a macro, a computer script for automating tasks, that was written in Microsoft Word. The infected document, disguised as an "important message," activated the macro when it was opened, which caused the same infected message to be sent to the first 50 names in the recipient's address book. Thus, infected messages appeared to be sent by someone known to the recipient. The resulting volume of e-mail traffic caused some corporate and governmental networks to become overloaded and shut down. In this case the author of the virus was quickly tracked down by the Federal Bureau of Investigation and local authorities in New Jersey, who traced the initial upload of the virus. Steve White, senior manager of antivirus research at IBM's Watson Research Center in Hawthorne, New York, told the New York Times, "It's possible that in the near future, viruses could spread around the globe in a matter of an hour or two, and if it's a destructive virus, do incredible amounts of damage."