82-10-10 Securing New Information Technology
Louis Fried

Payoff

New information technologies mean new information security risks. This article helps data center managers to keep up with new information technology and the security risks this technology presents.

Introduction

The job of the IS security specialist has gone from protecting information within the organization to protecting information in the extended enterprise. Controlled offices and plants have given way to a porous, multiconnected, global environment. The pace at which new information technology capabilities are being introduced in the corporate setting also creates a situation in which the potential of new security risks isn't well thought out. Data center managers must be aware of these threats before adopting new technologies so that they can take adequate countermeasures.

Information security is concerned with protecting:
• The availability of information and information processing resources.
• The integrity and confidentiality of information.

Unless adequate protection is in place when new business applications are developed, one or both of these characteristics of information security may be threatened. Availability alone is a major issue. Among US companies, the cost of systems downtime has been placed by some estimates at $4 billion a year, with a loss of 37 million hours in worker productivity.

The application of information security methods has long been viewed as insurance against potential losses. Senior management has applied the principle that it should not spend more for insurance than the potential loss could cost. In many cases, management is balancing information security costs against the potential for a single loss incident, rather than multiple occurrences of loss. This fallacious reasoning can lead to a failure to protect information assets continuously or to upgrade that protection as technology changes and exposes new opportunities for losses.

Those who would intentionally damage or steal information also follow some basic economic principles. Amateur hackers may not place a specific value on their time and thus may be willing to put substantial effort into penetrating information systems. A professional clearly places an implicit value on time by seeking the easiest way to penetrate a system or by balancing potential profit against the time and effort necessary to carry out a crime. New technologies that create new (and possibly easier) ways to penetrate a system invite such professionals and fail to deter the amateurs.

This article describes some of the potential threats to information security that may arise in the next few years. The article concludes by pointing out the opportunities for employing new countermeasures.

New Threats to Information Security

Document Imaging Systems

The capabilities of document imaging systems include:
• Reading and storing images of paper documents.
• Character recognition of text for abstracting or indexing.
• Retrieval of stored documents by index entry.
• Manipulation of stored images.
• Appending notes to stored images (either text or voice).
• Workflow management tools to program the distribution of documents as action steps are needed.

Workflow management is critical to taking full advantage of image processing for business process applications in which successive or parallel steps are required to process the document. Successful applications include loan processing, insurance application or claims processing, and many others that depend on the movement of documents through review and approval steps.

Image processing usually requires a mainframe or for processing any serious volume of information, though desktop and versions also exist for limited use. In addition, a full image processing system requires document readers (i.e., scanners), a local area network (LAN), or personal , and laser printer as output devices. It is possible to operate image processing over a Wide Area Network; however, because of the bandwidth required for reasonable response times, this is not usually done. As a result, most configurations are located within a single building or building complex.

Two years ago, an insurance company installed an imaging application for processing claims. The system was installed on a LAN linked to a minicomputer in the claims processing area. A manager who had received a layoff notice accessed the parameter-driven work-flow management system and randomly realigned the processing steps into new sequences, reassigning the process steps in an equally random fashion to the hundred or so claims processing clerks using the system. He then took the backup tapes, which were rotated weekly, and backed up the revised system files on all the tapes, replacing them in the tape cabinet. The individual did not steal any information or delete any information from the system. The next morning, he called the personnel department and requested that his final paycheck be sent to his home.

The cost to the insurance company? Tens of thousands of dollars in clerical time wasted and professional and managerial time lost in finding and correcting the problem. Even worse, there were weeks of delays in processing claims and handling the resultant complaint letters. No one at the company can estimate the loss of goodwill in the customer base.

Workflow Management's Weaknesses. The techniques of workflow management that make image processing systems so effective are also their Achilles' heel. Potential threats to image processing systems may come from disruption of the workflow by unauthorized changes to sequence or approval levels in workflow management systems or from the disruption of the workflow by component failure or damage. Information contained on documents may be stolen by the unauthorized copying (downloading of the image to the workstation) and release of document images by users of workstations.

These potential threats raise issues that must be considered in the use of image processing technology. The legal status of stored images may be questioned in court because of the potential for undetectable change. In addition, there are the threats to the business from loss of confidentiality of documents, loss of availability of the system during working hours, damage to the integrity of the images and notes appended to them, and questions about authenticity of stored documents.

Minisupercomputers

Massively parallel minisupercomputers are capable of providing relatively inexpensive, large computational capacity for such applications as signal processing, image recognition processing, or neural network processing. Massively parallel processors are generally designed to work as attached processors or in conjunction with workstations. Currently available minisupercomputers can provide 4,096 processors for $85,000 or 8,192 processors for $150,000. They can interface to such devices as workstations, file servers, and LANs.

These machines can be an inexpensive computational resource for cracking encryption codes or -access codes; consequently, organizations that own them are well advised to limit access control for resource use to authorized users. This is especially true if the processor is attached to a mainframe with wide area network (WAN) connectivity. Such connectivity may allow unauthorized users to obtain access to the attached processor through the host machine.

Even without using a minisupercomputer but by simply stealing unauthorized time on conventional computers, a European hacker group bragged that it had figured out the access codes to all the major North American telephone switches. This allows them to make unlimited international telephone calls at no cost (or, if they are so inclined, to destroy the programming in the switches and deny service to millions of telephone users).

Neural Network Systems

Neural network systems are software (or hardware/software combinations) capable of heuristic learning within limited domains. These systems are an outgrowth of artificial intelligence research and are currently available at different levels of capacity on systems ranging from personal computers to mainframes. With their heuristic learning capabilities, neural networks can learn how to penetrate a network or computer system. Small systems are already in the hands of hobbyists and hackers. The capability of neural network programs will increase as greater amounts of main memory and processing power become easily affordable for desktop machines.

Wireless Local Area Networks

Wireless LANs support connectivity of devices by using radio frequency (RF) or infrared (IR) transmission between devices located in an office or office building. Wireless LANs consist of a LAN controller and signal generators or receivers that are either attached to devices or embedded in them. Wireless LANs have the advantage of allowing easy movement of connected devices so that office space can be reallocated or modified without the constraints of hard wiring. They can connect all sizes of computers and some peripherals. As portable computers become more intensively used, they can be easily connected to PCs or workstations in the office for transmission of files in either direction.

Wireless LANs may be subject to signal interruption or message capture by unauthorized parties. Radio frequency LANs operate throughout a transmitting area and are therefore more vulnerable than infrared transmission, which is line-of-sight only. Among the major issues of concern in using this technology are retaining confidentiality and privacy of transmissions and avoiding business interruption in the event of a failure.

The potential also exists, however, for other kinds of damage to wireless LAN users. For example, supermarkets are now experimenting with wireless terminals affixed to supermarket shopping carts that broadcast the price specials on that aisle to the shopper. As this technology is extended to the inventory control function and eventually to other functions in the store, it will not be long before some clever persons find a way to reduce their shopping costs and share the method over the underground networks.

WAN Radio Communications

Wide Area Network (WAN) radio communications enable handheld or portable devices to access remote computers and exchange messages (including fax messages). Wireless wide area network (WAN) may use satellite transmission through roof-mounted antennas or regional radiotelephone technology. Access to wireless wide area network (WAN) is supported by internal radio modems in notebook and handheld computers or wireless modems/pagers on Memory Card International Association cards for optional use.

Many users think that telephone land lines offer some protection from intrusion because wiretaps can often be detected and tapping into a fiber-optic line is impossible without temporarily interrupting the service. Experience shows that most intrusions result from logical—not physical—attacks on networks. Hackers usually break in through remote maintenance ports on Private Branch eXchange, voice-mail systems, or remote-access features that permit travelers to place outgoing calls.

The threat to information security from the use of wireless wide area network (WAN) is that direct connectivity is no longer needed to connect to networks. Intruders may be able to fake legitimate calls once they have been able to determine access codes. Users need to consider such protective means as encryption for certain messages, limitations on the use of wireless wide area network (WAN) transmission for confidential material, and enforcement for encrypted password and user authentication controls.

Videoconferencing

Travel costs for nonsales activities are of growing concern to many companies. Companies are less concerned about the costs of travel and subsistence than they are about the costs to the company of having key personnel away from their jobs. Crossing the US or traveling to foreign countries for a one-day meeting often requires a key employee to be away from the job for three days. Videoconferencing is increasingly used to reduce travel to only those trips that are essential for hands-on work.

The capabilities of videoconferencing include slow-scan video for sharing documents or interactive video for conferencing. Videoconferencing equipment is now selling for as little as $30,000 per installation. At that price, saving a few trips a year can quickly pay off.

However, videoconferencing is potentially vulnerable to penetration of phone switches to tap open lines and receive both ends of the conferencing transmissions. Protection against tapping lines requires additional equipment at both ends to scramble communications during transmission. It further requires defining when to scramble communications, making users aware of the risks, and enforcing rules.

Embedded Systems

Embedding computers into mechanical devices was pioneered by the military for applications ranging from autopilots on aircraft to smart bombs and missiles. In the civilian sector, process controls, robots, and automated machine tools were early applications. Manufacturers now embed intelligence and communications capabilities in products ranging from automobiles to microwave ovens. Computers from single-chip size to are being integrated into the equipment that they direct.

In factory automation systems, embedded systems are linked through LANs to area computers and to corporate hosts. One security concern is that penetration of host computers can lead to penetration of automated factory units, which could interrupt productive capacity and create potential hazards for workers. In the past, the need for information security controls rarely reached the factory floor or the products that were produced because there was no connection to computers that resided on wide area network (WAN). Now, however, organizations must use techniques that enforce access controls and segment LANs on the factory floor to minimize the potential for unauthorized access through the company's host computers.

Furthermore, as computers and communications devices are used more in products, program bugs or device failure could endanger the customers who buy these products. With computer-controlled medical equipment or automobiles, for example, potential liability from malfunction may be enormous. Information security techniques must extend to the environment in which embedded systems software is developed to protect this software from corruption and the company from potential liability resulting from product failures.

PCMCIA Cards

Personal computer memory card international association (PCMCIA) cards are small computer boards on which chips are mounted to provide memory and processing capacity. They can be inserted (i.e., docked) into slots on portable computers to add memory capacity, processing capacity, data base capacity, or communications functions such as pagers, electronic mail, or facsimile transmission. Personal computer memory card international association (PCMCIA) cards now contain up to 4M bytes of storage; by 1997, they can be expected to provide up to 20M bytes of storage in a 1.8-inch drive and can be inserted into portable devices with double Personal Computer Memory Card International Association card slots.

The small format of personal computer memory card international association (PCMCIA) cards and their use in portable devices such as notebook or handheld computers makes them especially vulnerable to theft or loss. Such theft or loss can cause business interruption or breach of confidentiality through loss of the information contained on the card. In addition, poor work habits, such as failing to back up the data on another device, can result in the loss of data if the card fails or if the host device fails in a manner that damages the card. Data recovery methods are notoriously nonexistent for small portable computers.

Smart Cards

Smart cards, consisting of a computer chip mounted on a plastic card similar to a credit card, have limited intelligence and storage compared to Personal Computer Memory Card International Association cards. Smart cards are increasingly used for health records, debit cards, and stored value cards. When inserted into an access device (reader), they may be used in pay telephones, transit systems, retail stores, health care providers, and Asynchronous Transfer Mode, as well as being used to supplement memory in handheld computers.

The risks in using this technology are the same as those for personal computer memory card international association (PCMCIA) cards but may be exacerbated by the fact that smart cards can be easily carried in wallets along with credit cards. Because smart cards are used in stored value card systems, loss or damage to the card can deprive the owner of the value recorded. Both personal computer memory card international association (PCMCIA) cards and smart cards must contain means for authenticating the user in order to protect against loss of confidentiality, privacy, or monetary value.

Notebook and Palmtop Computers

Notebook and palmtop computers are small portable personal computers, often supporting wireless connection to LANs and wide area network (WAN) or modems and providing communications capability for docking to desktop computers for uploading or downloading of files (either data or programs). These devices have flat panel displays and may include 1.8-inch microdisks with 20M- to 80M-byte capacity. Some models support handwriting input. Smart cards, Personal Computer Memory Card International Association cards, or flashcards may be used to add functionality or memory. By the end of the decade, speech recognition capability should be available as a result of more powerful processors and greater memory capacity.

As with the cards that may be inserted into these machines, portable computers are vulnerable to loss or theft—both of the machine and of the information contained in its memory. In addition, their use in public places (such as on airplanes) may breach confidentiality or privacy.

It is vital that companies establish information security guidelines for use of these machines as they become ubiquitous. Guidelines should include means for authentication of the user to the device before it can be used, etching or otherwise imprinting the owner's name indelibly onto the machine, and rules for protected storage of the machine when it is not in the user's possession (as in travel or at hotel stays). One problem is that most hotel safes do not have deposit boxes large enough to hold notebook computers.

Portable computers combined with communications capability may create the single largest area of information security exposure in the future. Portable computers can go wherever the user goes. Scenarios of business use are stressing advantages but not security issues. Portable computers are used in many business functions including marketing, distribution field service, public safety, health care, transportation, financial services, publishing, wholesale and retail sales, insurance sales, and others. As the use of portable computers spreads, the opportunities for information loss or damage increase.

Portable computers, combined with communications that permit access to company data bases, require companies to adopt protective techniques to protect information bases from external access and prevent intelligence from being collected by repeated access. In addition, techniques are needed for avoiding loss of confidentiality and privacy by device theft and business interruption through device failure.

New uses create new business vulnerabilities. New hospitals, for example, are being designed with patient-centered systems in which the services are brought to the patient (to the extent possible) rather than having the patient moved from one laboratory to another. This approach requires the installation of LANs throughout the hospital so that specialized terminals or diagnostic devices can be connected to the computers processing the data collected. Handheld computers may be moved with the patient or carried by attendants and plugged into the LAN to access patient records or doctors' orders. It is easy to anticipate abuses that range from illegal access to patient information to illegal dispensing of drugs to unauthorized persons.

New Opportunities for Defense

New technology should not, however, be seen solely as a security threat. New technology also holds opportunities for better means of protection and detection. Many capabilities provided by the IT department can support defensive techniques for information or information processing facilities.

Expert Systems, Neural Networks, and Minisupercomputers. Used individually or in combination, these technologies may enable intrusion detection of information systems. These technologies can be used to recognize unusual behavior patterns on the part of the intruder, configure the human interface to suit individual users and their permitted accesses, detect physical intrusion or emergencies by signal analysis of sensor input and pattern recognition, and reconfigure networks and systems to maintain availability and circumvent failed components. In the future, these techniques may be combined with closed-circuit video to authenticate authorized personnel by comparing digitally stored images of persons wishing to enter facilities.

Smart Cards or PCMCIA Cards. Used with card readers and carrying their own software data cards may enable authentication of a card owner through various means, including recognition of pressure, speed, and patterns of signatures; questions about personal history (the answers to which are stored on the card); use of a digitized picture of the owner; or cryptographic codes, access keys, and algorithms. Within five years, signature recognition capabilities may be used to limit access to pen-based handheld computers to authorized users only, by recognizing a signature on log-in.

Personal Computer Networks (PCNs). PCNs, enabled by nationwide wireless data communications networks, will permit a personal phone number to be assigned so that calls may reach individuals wherever they (and the instrument) are located in the US. PCNs will permit additional authentication methods and allow call-back techniques to work in a portable device environment.

Voice Recognition. When implemented along with continuous speech understanding, voice recognition may be used to authenticate users of voice input systems—for example, for inquiry systems in banking and brokerages. By the end of this decade voice recognition may be used to limit access to handheld computers to authorized users only by recognizing the owner's voice on log-in.

Wireless Tokens. Wireless tokens used as company identity badges can pinpoint the location of employees on plant sites and monitor restricted plant areas and work check-in and check-out. They may also support paging capability for messages or hazard warnings.

Reducing Password Risks. The Obvious Password Utility System (OPUS) project at Purdue University has created a file compression technique that makes it possible to quickly check a proposed password against a list of prohibited passwords. With this technique, the check takes the same amount of time no matter how long the list. OPUS may allow prohibited password lists to be placed on small servers and improve password control so that systems are harder to crack.

Third-Party Authentication Methods. Systems like Kerberos and Sesame provide a third-party authentication mechanism that operates in an open network environment but does not permit access unless the user and the application are authenticated to each other by a separate, independent computer. (Third-party refers to a separate computer, not a legal entity.) Such systems may be a defense for the threats caused by portable systems and open networks. Users of portable computers may call the third-party machine and request access to a specific application on the remote host. The Kerberos or Sesame machine authenticates the user to the application and the application to the user before permitting access.
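
The prohibited-password check described under Reducing Password Risks, as an added example that is not part of the original article and is not the OPUS project's code: it uses a Bloom filter, one structure with the stated property that a lookup costs the same however long the list is. The word list, class name, function names and the one-in-a-million false-positive target are assumptions chosen for the illustration.

```python
import hashlib
import math

# Constructed sample list; a real deployment would load a full dictionary.
SAMPLE_PROHIBITED = ["password", "letmein", "qwerty", "123456",
                     "welcome", "admin", "secret", "dragon"]


def normalize(word):
    """Fold case and surrounding whitespace so 'Password ' matches 'password'."""
    return word.strip().lower()


class ProhibitedPasswordFilter:
    """Bloom filter: stores only bits, never the prohibited words themselves."""

    def __init__(self, expected_items, false_positive_rate=1e-6):
        n = max(1, expected_items)
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = math.ceil(-n * math.log(false_positive_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    @classmethod
    def from_words(cls, words, false_positive_rate=1e-6):
        words = list(words)
        filt = cls(len(words), false_positive_rate)
        for word in words:
            filt.add(word)
        return filt

    def _positions(self, word):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        digest = hashlib.sha256(normalize(word).encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd, so never zero
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, word):
        for pos in self._positions(word):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, word):
        # Exactly k bit probes, however many words were added.
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(word))


def password_allowed(candidate, filt):
    """False if the candidate is (or collides with) a prohibited password."""
    return candidate not in filt


if __name__ == "__main__":
    small = ProhibitedPasswordFilter.from_words(SAMPLE_PROHIBITED)
    large = ProhibitedPasswordFilter.from_words(
        SAMPLE_PROHIBITED + ["constructed-word-%d" % i for i in range(5000)])
    for name, filt in (("small", small), ("large", large)):
        print(name, "bytes:", len(filt.bits), "probes per check:", filt.k)
    for candidate in ("Password ", "dragon", "plum-Harbor-73-violin"):
        print(repr(candidate), "allowed:", password_allowed(candidate, large))
```

A Bloom filter can err in one direction only: it may occasionally reject an acceptable password (a false positive, at roughly the configured rate), but it never accepts a word that was added to the prohibited list.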
Conclusion

To stay ahead of security threats, data center managers must maintain a knowledge of technology advances, anticipate the potential threats and vulnerabilities, and develop the protective measures in advance. In well-run systems development functions, information security specialists are consulted during the systems specification and design phases to ensure that adequate provisions are made for the security of information in applications. Data center managers must be aware of the potential threats implicit in the adoption of new technologies and the defensive measures available in order to critique the design of new applications and to inform their senior management of hazards.

The combination of advanced computer capabilities and communications is making information available to corporate executives and managers on an unprecedented scale. The availability of information mandates its use by decision makers. Corporate officers could find that they are no longer just liable for prudent protection of the company's information assets but that they are liable for prudent use of the information available to the company in order to protect its customers and employees. Such conditions may alter the way systems are designed and information is used and the way the company chooses to protect its information assets.

Author Biographies

Louis Fried
Louis Fried is vice president of IT consulting at SRI International, Menlo Park, CA.