

Preventing Misuse and Damage

Preventing misuse of and damage to a computer system or data network after an intruder has gained access depends on the system’s or network’s ability to isolate and control potentially damaging functions. Such prevention measures include security software that allows only authorized personnel to access, change, or copy specific data and programs.

Networks are particularly vulnerable to misuse and damage because their components and communications media are difficult to protect from access. One way to prevent misuse of the data carried on a network is to use encryption. The computer industry has devoted a great deal of work to encryption techniques, which code the messages transmitted through the network. The encrypted messages can be understood only when decoded with a key; while encrypted, the data is meaningless to those lacking the key. Access to the key must be restricted to authorized persons. There has been considerable controversy surrounding encryption, as the U.S. government has been advocating a method using the so-called “Clipper” chip, whereby government agencies can have access to the keys for all public and private communications.

Aside from physical damage, network equipment can be rendered useless if the switch settings are changed or, as such devices become more sophisticated and software controlled, if the programs are deleted or modified. In some cases, the same type of security access measures that are available for computer systems are also available for high-end communications devices.

Logical security measures should be backed up to guard against accidental or deliberate destruction of the primary system, and they should be installed on backup systems to ensure security if a disaster backup plan is invoked.

DETECTION

Detection methods have their strengths and weaknesses, as discussed in the following sections.

Detecting Unauthorized Access

Access controls are not foolproof. Given that breaches do occur, misuse of or damage to the system can be prevented if intrusions are detected. A variety of techniques can be employed for detecting physical or logical access.

Physical Access. Common detection systems for physical access to facilities include video cameras connected to television monitors and videocassette recorders at guards’ desks. Such systems are common in banks, offices, metropolitan apartment buildings, and stores selling valuable products or located in dangerous areas. The very presence of such systems may be a deterrent to potential intruders because it is clear that offenders could be identified through the videotape. In darkened areas, where standard video cameras may not work, other technologies (e.g., infrared or ultrasonic cameras and sensors) can record or detect intrusions.

Logical Access. Remote or local logical access to a computer system or data network can be detected and sometimes traced using the various software packages that check and record all attempts to gain logical access to systems and networks and warn of any unauthorized or atypical attempts. Security programs are available separately or as options with other software from computer and communications equipment manufacturers and software vendors.

Detecting Misuse

System misuse can be difficult to detect because a perpetrator may not leave any easily detected evidence, especially if he or she has changed nothing (e.g., databases may be accessed, read, and copied but not modified). Because of this detection problem, a category of EDP audit software has been designed to monitor attempted system misuse. Such software can detect and report unauthorized attempts to access programs and data as well as determine whether the system has been used in unauthorized ways. Audit software has traditionally been available for mainframes and large networks and is now available for local area networks connecting microcomputers, workstations, and network and file servers.

Previously, organizations expressed little interest in acquiring software to detect unauthorized access to, and misuse of, microcomputer-based systems. It was believed that physical controls (e.g., locks and keys) and logical controls (e.g., passwords) were adequate. Highly publicized computer virus attacks, however, have raised organizations’ awareness that, even when physical access is prevented, a virus can be introduced into a system from a diskette or communications line. Several available software packages are designed to detect such misuse and remove its cause.

Detecting Damage

Software can also help determine whether misuse of the system has caused damage to programs or data. In general, such programs and procedures are invoked when an access attempt is known to have been made or when there is a suspicion that someone has been tampering with the programs or data.

Routine software checks should ensure that updated versions of the programs have not been installed after the last official installation date, that unauthorized programs or versions of programs are not present, and that no programs that should have been installed are missing. If any of these situations occur, all production programs should be reloaded from a protected source as soon as possible. Copies of earlier versions of all production programs should be retained in a secure place for restoration purposes.
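The three routine checks above can be automated against an approved manifest. The following is an added example, not taken from the original text; the function names, the use of SHA-256 content hashes to recognize unauthorized versions, and the sample programs are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file's contents so a swapped version is caught even if its name matches."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit_programs(prod_dir, manifest, install_time):
    """Compare prod_dir with the approved manifest {name: sha256}.

    Returns sorted (finding, name) pairs covering the three routine checks.
    """
    findings = []
    present = {p.name: p for p in Path(prod_dir).iterdir() if p.is_file()}
    for name in manifest.keys() - present.keys():
        findings.append(("missing", name))
    for name, path in present.items():
        if name not in manifest:
            findings.append(("unauthorized_program", name))
            continue
        if sha256_of(path) != manifest[name]:
            findings.append(("unauthorized_version", name))
        if path.stat().st_mtime > install_time:
            findings.append(("modified_after_install", name))
    return sorted(findings)


def demo():
    """Build a constructed production directory and audit it."""
    install_time = 1_700_000_000  # constructed "last official installation" timestamp
    with tempfile.TemporaryDirectory() as d:
        approved = {"payroll": b"v1 payroll", "ledger": b"v1 ledger", "report": b"v1 report"}
        manifest = {n: hashlib.sha256(c).hexdigest() for n, c in approved.items()}
        on_disk = {"payroll": b"v1 payroll", "ledger": b"v2 ledger", "helper": b"unknown"}
        for name, content in on_disk.items():
            path = Path(d, name)
            path.write_bytes(content)
            # payroll predates the install; the other files were written afterwards
            stamp = install_time - 60 if name == "payroll" else install_time + 3600
            os.utime(path, (stamp, stamp))
        return audit_programs(d, manifest, install_time)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

File modification times can be reset by whoever altered the file, so the hash comparison is the stronger of the two version checks; the manifest itself belongs with the protected source used for reloading.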

These procedures, however, often do not detect computer viruses, which can remain dormant and therefore undiscovered until they are triggered into action. There is also a real danger that earlier versions of programs contain viruses. Unless a virus announces its existence, damage (e.g., lost data) may be blamed on such other causes as hardware failure or operator error. If an incident of damage cannot be fully explained, the data center manager or data network manager should be aware of the possibility that viruses may be present and should seek to remove them.

Mechanisms within the application programs should check the integrity of the data on a continuing basis. For example, such mechanisms should determine whether any change in the number of items or bytes in a data file or database is consistent with the number added or subtracted by any process. There should be a check to ensure that, if a file or database has been closed and then opened some time later, the number of items in the file or database has not changed during an inactive interim period. Although these are relatively simple tests, they can be effective in detecting damage. A more complete test of each system component is extremely time-consuming and expensive and is usually reserved for instances in which personnel are relatively certain that damage has occurred. In such cases, the intent of the process is to determine the nature and extent of the damage rather than its occurrence.
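The two item-count tests described above (a change must match what each process added or subtracted, and a count must not change while the file is closed) can be run over a journal of file events. This is an added example, not part of the original text; the journal format, field names, and sample values are constructed for illustration.

```python
def reconcile(events):
    """Check item-count control totals over a journal of file events.

    Each event is a dict with "op" ("open", "process" or "close") and the
    observed "count"; "process" events also carry "name", "added" and "removed".
    Returns a list of (event_index, reason) discrepancies.
    """
    problems = []
    expected = None   # count the file should hold, None until first observation
    is_open = False
    for i, ev in enumerate(events):
        op, count = ev["op"], ev["count"]
        if op == "open":
            if expected is not None and count != expected:
                problems.append((i, f"count changed while closed: {expected} -> {count}"))
            is_open = True
        elif op == "process":
            if not is_open:
                problems.append((i, "process ran against a closed file"))
            if expected is not None:
                want = expected + ev["added"] - ev["removed"]
                if count != want:
                    problems.append((i, f"{ev['name']}: expected {want} items, found {count}"))
        elif op == "close":
            if expected is not None and count != expected:
                problems.append((i, f"count changed outside a process: {expected} -> {count}"))
            is_open = False
        expected = count  # re-baseline so each fault is reported once
    return problems


# Constructed journal: one process removes 5 more items than it reports,
# and 6 items disappear during the inactive period between close and open.
JOURNAL = [
    {"op": "open", "count": 1000},
    {"op": "process", "name": "add_orders", "added": 50, "removed": 0, "count": 1050},
    {"op": "process", "name": "purge_cancelled", "added": 0, "removed": 20, "count": 1025},
    {"op": "close", "count": 1025},
    {"op": "open", "count": 1019},
    {"op": "process", "name": "add_orders", "added": 5, "removed": 0, "count": 1024},
    {"op": "close", "count": 1024},
]

if __name__ == "__main__":
    for index, reason in reconcile(JOURNAL):
        print(index, reason)
```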



Copyright © CRC Press LLC