Deletion of software is a common occurrence. This mishap can be controlled by a process called configuration management. With configuration management, every change made to a program is controlled and recorded. The goal of this process is to ensure the availability of the correct version of the program. With uncontrolled modifications by numerous individuals, the original version of a program will most likely be lost.
Software alteration is another form of sabotage that is difficult to detect. A change to a few lines of code in a program that is thousands of lines long is hard to spot. Nevertheless, these few lines can alter the program and have destructive results.
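One way to make such a deletion or alteration visible, given here as an added example that is not part of the original text: record a SHA-256 baseline of the controlled version and compare the current files against it. The file names and the 5000-line program are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large programs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the hash of every file under root, keyed by relative path."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the recorded and the present state."""
    return {
        "deleted": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "altered": sorted(n for n in set(baseline) & set(current)
                          if baseline[n] != current[n]),
    }


def demo() -> dict:
    """Constructed scenario: one line of 5000 changed, one file deleted, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lines = [f"total = total + {i}\n" for i in range(5000)]
        (root / "payroll.py").write_text("".join(lines))
        (root / "report.py").write_text("print('report')\n")
        baseline = build_baseline(root)
        lines[3117] = "total = total - 3117\n"  # the single altered line
        (root / "payroll.py").write_text("".join(lines))
        (root / "report.py").unlink()
        (root / "patch.py").write_text("pass\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it is stored where the people who can modify the program cannot also rewrite it.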
Data. Because data has essentially no intrinsic value, it is difficult to put a monetary value on it, even though it is crucial to an organization and its livelihood. Reconstructing lost data can be very time-consuming and, at the least, causes measurable costs to the organization – the opportunity cost of lost computing time. An actual exposure of data may aid the competition, leak important inside information, or damage lives if personal data are revealed. Authorizing users’ access only to limited areas of data, shredding or disintegrating sensitive data after its use, and protecting data until it loses its value are a few of the commonly used safeguards.
People. They can cause a great deal of damage to any computer. For different reasons, people attack computers or, more often, the information they contain.
Intruders. Disgruntled employees can seek revenge against an organization by planting a logic bomb or any other destructive program. Many times such intruders are easy to identify; managers should keep an eye on unhappy employees or employees with personal problems, such as illness in the family or drug abuse. These people are prime candidates for computer crimes because of their need for fast cash.
Hackers. They are a different kind of computer intruder. Hackers can do a great deal of harm, but they generally are not malicious – their goal is to challenge the system and discover its vulnerabilities. Instead of prosecuting hackers, some companies hire them to penetrate the system in a controlled environment and to identify weaknesses in the system.
Computer criminals. Computer crime is big business. Some areas of computer crime include the following. Theft of computer time. This is a common practice that ranges from employees borrowing the computer at work to figure out personal finances to running a business for profit on the side at someone else’s expense. Theft of computer time can also include the time it takes to repair the damage done by a virus, bomb, or other destructive program. Theft of data. This category can involve physically removing data from trash receptacles or from files stored on the computer. Manipulation of data/computer programs. Changing or inserting one line of code in a program can alter the purpose of a program. Software piracy. This is the illegal copying of software, ranging from games to word processing and spreadsheet packages. Most of the time the pirated software is traded among users, but some do charge a price for the illegal copies.
Methods of Defense
Encryption. The most powerful tool in providing computer security is coding. By transforming data so that it is unintelligible to the outside observer, security professionals can virtually nullify the value of an interception and the possibility of a modification or a fabrication. Encryption provides confidentiality for data. Additionally, encryption can be used to achieve integrity because data that cannot be read generally also cannot be changed in a meaningful manner. Furthermore, encryption is the basis of some protocols, which are agreed-upon sequences of actions to accomplish some task. Some protocols ensure availability of resources. Thus, encryption is at the heart of methods for ensuring all three goals of computer security.
Encryption is an important tool in computer security, but one should not overrate its importance. Users must understand that encryption does not solve all computer security problems. Furthermore, if encryption is not used properly, it may have no effect on security, or could, in fact, degrade the performance of the entire system. Weak encryption can actually be worse than no encryption because it gives an unwarranted sense of security. Thus, it is important to know the situations in which encryption is useful and to use it effectively.
Software Controls. Programs themselves are the second link in computer security. Programs must be secure enough to exclude outside attack. They must also be developed and maintained so that one can be confident of the dependability of the programs. Program controls include: Internal program controls – parts of the program that enforce security restrictions, such as access limitations in a database management program; Operating system controls – limitations enforced by the operating system to protect each user from all other users; Development controls – quality standards under which a program is designed, coded, tested and maintained.
Policies. Some controls on computing systems are achieved through added hardware or software features. Other controls are matters of policy. In fact, some of the simplest controls, such as frequent changes of passwords, can be achieved at essentially no cost but with tremendous effect. Training and administration follow immediately after establishment of policies. Legal and ethical controls are an important part of security. The law is slow to evolve, and the technology involving computers has emerged suddenly. Although legal protection is necessary and desirable, it is not as dependable in this area as it would be in more well-understood and long-standing crimes.
The area of computer ethics is likewise unclear. It is not that computer people are unethical, but rather that society in general and the computing community in particular have not adopted formal standards of ethical behavior. Some organizations are attempting to devise codes of ethics for computer professionals. Although these are important, before codes of ethics become widely accepted and therefore effective, the computing community and the general public need to understand what kinds of behavior are inappropriate and why.