
Microcomputer Security: Audit Problems and Solutions

Frederick Gallegos and Daniel Basica

Journal of Accounting and EDP, Winter 1986

The use of micros in business is increasing at an astounding rate as managers, clerks, and office workers enter the information age. Many tasks that were considered too small to automate on the company mainframe are now done with micros. But with computing power at everyone's fingertips, auditors and management must deal with the risks and exposures of micro use.

The security problems involved with micros are many, but management has audit methods and tools available to solve them. The first step is to identify audit problems, after which auditors and management must implement the necessary countermeasures.

Audit problems with micros

Micros are vulnerable to risks of three major types:

- Physical security of hardware
- Physical security of data and software
- Data integrity

To establish a secure micro environment, planners must address each of these problem types with the appropriate strategies and equipment.

Physical security of hardware

Although micros pose unique hardware security problems, their solutions are relatively simple, requiring little more than good business sense.

Theft. Micros represent a large investment in small, often portable, packages that are easy to steal. Modular design adds further risks; for example, a half-height disk drive module can be hidden in a briefcase. Many micros have removable circuit cards and memory chips that could disappear just as easily. Employees may steal micro components because they have similar computers at home and want compatible equipment.

A micro used at a single workstation can be secured to the workstation or locked in a cabinet specifically designed to house a micro. Also available are rolling, lockable cabinets that allow the unit to be used in different areas. Although these measures do not eliminate the possibility of theft, they do reduce risk. A small investment in theft deterrence often provides adequate protection.

Damage. Portable micros must be monitored closely because they are most often used away from the office. Users of such equipment should be instructed in its proper care. Problems can stem from heat, vibration, or shock. Heat damage, for example, can occur if a micro is stored in the trunk of a car on a hot day. Some computers have a routine that must be followed before they can be relocated. This routine usually involves moving the read/write head on the fixed disk drive to an unused portion of the disk or locking it so that it cannot damage the fixed disk drive or delete data.

Another problem with micros is their vulnerability to fluctuations in line voltage. Power surges can cause equipment failure as well as data loss. This problem can be remedied through the use of a surge protector, which filters the voltage. The micro is plugged into the surge protector, which is then plugged into an AC wall outlet. Most of these devices are inexpensive and effective.

Eating, drinking, or smoking near a micro can cause damage as well. Food and beverages are obvious hazards, but problems caused by cigarette smoke are not as well known. Diskette drives are especially vulnerable to damage from smoke because the space between the read/write head and the disk surface is much smaller than a smoke particle. A smoke particle lodged between the drive head and the disk could ruin both. Some users who have smoked near computers have never experienced problems, but the fact remains that smoke can be damaging. Eating, drinking, and smoking are prohibited in most mainframe facilities; the same rule should be in effect for micro installations.

Physical security of data and software

The physical security of company data and software programs is often overlooked, yet diskettes packed with confidential information could be carried out of the office by an employee without detection. Micros are popular in departments that perform confidential operations, and, in the wrong hands, a confidential diskette could do great damage. Company-designed spreadsheet models are also likely candidates for theft. The risk increases when micros are networked or connected to the company mainframe.

Many firms implement extensive security measures to protect their mainframe computers and data, but relatively few safeguard their micros with similar controls. Practices that are widespread in micro use (e.g., disks with no password protection, diskettes left on desktops, diskettes without proper labeling, and applications software stored in unlocked cabinets) would not be tolerated in a mainframe environment.

Some common sense must be applied when micros are used to process critical or confidential data. Diskettes containing such data should be kept in locked drawers or in a safe, depending on the sensitivity of the data. In addition, various types of data security software are available for micros, including password protection, encryption/decryption schemes, and copy protection programs.

Password protection. Data files and programs can be shielded from unauthorized users by password protection software. Software features include password schemes for single-user or multiuser stations, multiple password levels, and audit trails. Audit trails record such data as user ID, files used, duration of use, types of transactions performed, and denied accesses. Password protection is not as critical for diskettes because they can be physically secured, but if the system includes a disk, password protection software is highly desirable.

Data encryption/decryption. This type of program scrambles data into meaningless characters and symbols. A key must be used to restore encrypted code to a form readable by human beings or by other computer programs. Some packages use a federally approved standard while others use their own methods. Although encryption software prevents data from being read, encrypted data can still be destroyed or copied.

Copy protection. Copy protection programs prevent data files and applications software from being copied. Many different schemes are used, and some are harder to crack than others. Some vendors market packages that reputedly bypass copy protection schemes; nevertheless, copy protection programs reduce the likelihood that data will be copied. Copy protection software is not appropriate for use on system software, however, because the copy protection feature could interfere with backup procedures.

Many commercially available software programs are protected by some type of copy protection scheme to prevent users from making illegal copies. Purchased software programs for micros are protected by copyright laws, and they include documentation defining the legal uses and backup procedures to be followed. Buyers should read the documentation supplied with the software to determine their legal rights and obligations. In many cases, programs are intended for use on one machine only; purchasers cannot legally make copies and use them on several machines.

Software development companies have recently filed successful lawsuits against firms that have made multiple copies of programs. In one case, management was unaware that lower-level employees were making copies for themselves. Management must verify that purchased software is used according to the legal documentation provided by the manufacturer.

Local area networks. When micros are connected by means of a local area network (LAN), the security risk increases, and proper data security measures must be taken. At a minimum, password protection and an audit trail are necessary to maintain the privacy of confidential files and records. In addition, the LAN should support concurrent processing and the

software and hardware can tie into the mainframe, find the desired information, and download that data to a diskette or fixed disk. Users can then do whatever they wish with the data after logging off the host. Thus, anyone with access to a properly equipped micro can obtain mainframe data unless extensive security measures are taken.

If a micro is linked to a mainframe, extra security steps should be taken to restrict and control access. A common method of connecting a micro to a mainframe is to use a modem to dial the host. A callback device can be installed on the host that receives the incoming call from the modem, breaks the connection, and then calls the modem back at a predetermined number. Although this prevents outsiders from dialing into the host, the host is still vulnerable to data theft from inside the organization. Another problem can result with a callback device: most of the communications software packages permit preprogrammed dial-up number and password sequences, and if these sequences are not secured properly, anyone using the micro can call up the communications program, which will automatically dial the host and supply the necessary passwords.

The importance of adequate security regarding a micro-mainframe link cannot be overstated. Security controls placed on the mainframe are useless if micro access is not properly regulated.

Data integrity

Assuming that data is physically secure, how can one be sure that it is current, accurate, and complete? A major problem with regulating micros is that in many cases one person is the programmer, systems analyst, and end user. The typical separation of duties in mainframe systems development does not exist in the world of micros. Moreover,