Computer Security: You Need It, but Who Has It?
Articles and Tips: tip
01 Apr 1996
Since the dawn of the Information Age, computers have been used to store and access valuable data. As centralized mainframe computing gave way to the interconnected model of PC networks, many business databases and documents migrated to file servers. To provide a level of protection similar to that of the mainframe, network operating system vendors incorporated a wide range of security features into their products.
We are now witnessing another trend in data migration: from the network server to the workstations. Current estimates indicate that as much as 85 percent of corporate documents reside at the workstation. Increasingly, these documents are more than just word processing files and spreadsheets. They contain business secrets that must be protected from unauthorized outside access. With the value of information increasing all the time, non-disclosure is becoming just as important as the delivery of mission-critical data. Loss or disclosure of data files stored on workstations, both stationary and mobile, is a very significant event.
Business information is not the only information that needs protection. Many individuals keep personal financial information and other private documents on their home computers, without giving a thought to security beyond maybe a password or two. Home computer users have come to expect someone else to worry about security for them. After all, our credit cards and bank accounts are insured against loss. We take great comfort knowing that our risk is limited. But when you consider the growing numbers of home computers that are attached to public communication lines and the Internet, the threat to even "home" secrets doesn't seem quite so far-fetched.
It is naive to think anyone is immune from the effects of security breaches, whether in the form of hackers penetrating systems or data being lost due to computer software "bugs." The effects of exposure range from the merely inconvenient to the disastrous. When the local grocery store's debit card system is down, for example, that's inconvenient. When the store changes its policy to no longer accept debit card transactions, it's even more inconvenient. When the store goes out of business, it's bordering on disaster.
Threats Lurk Everywhere
It doesn't take a Ph.D. to understand the security threats to your business or home computing environment, and most of us are familiar with the basic countermeasures. To protect files against corruption or accidental deletion, run periodic backups. To prevent computer viruses, run a virus checker regularly, and know where all your software comes from. To prevent unauthorized overt access, don't write your password on a sticky note and post it on your monitor, don't let other people use your machine when you're not around, and lock your computer up at night.
Yet for all the security savvy we've learned by osmosis, it's still inconceivable to most people, especially home-computer users, that they could become the target of an intruder attack. Unfortunately, the old line "Just because you're paranoid doesn't mean they're not out to get you" applies literally when it comes to computer security. The "cyber-vader" is out there, waiting for an opportunity to strike at your sensitive data.
Currently, the most serious threat to your computer information is malicious software. Today's technology makes this both a viable attack mechanism and an effective income-generating tool in the wrong hands. Organized groups of unscrupulous hackers are using malicious software, of which software viruses are but a mild example, to break into computer networks and steal or destroy valuable data. Running largely undetected, their main purpose is to make money at the expense of their victims.
Security critics are quick to dismiss the threat of malicious software as wildly exaggerated. But it doesn't take too many meetings with national security organizations to realize that the threat is all too real. Malicious software is something we all have to worry about, especially if we are connected to public communications networks. In today's connected world, it is an inescapable truth that as your connectivity expands, so does your exposure and, consequently, the threat to your systems.
Obtaining "Real" Security
How can the average person cut through all the industry hype and misinformation and obtain "real" security for servers, workstations, and standalone computers? Few of us have the time or the inclination to undertake an extensive training regimen to learn all the ins and outs of security science. Without sufficient knowledge to evaluate the effectiveness of security offerings on our own, we need at least some "credible assurances" concerning the protections available for computer systems.
Where can you go to get these credible assurances? General industry "wisdom," such as claims that security is obtainable through cryptography alone, cannot be trusted. Software and hardware vendors have vested interests that tend to override technical considerations. Customers are not a good source, since they are usually reluctant to discuss their security vulnerabilities. Pseudo-experts and substandard security evaluation organizations aren't the answer either. Real security assurances can only come from a credible source with real experience at evaluating, not creating, security products.
The National Computer Security Center (NCSC) is a public U.S. organization that offers independent security evaluations. The NCSC is composed of and administered by people with real security experience. Their work is well regarded, and each security assurance evaluation is performed independently by an empaneled group with diverse security experience. Both Novell and Microsoft are working with the NCSC to enhance their credibility with corporate customers.
The NCSC publishes the results of their evaluations and makes them publicly available. They also publish a list of computer security products along with the level of security assurances they provide. You don't have to learn all about security to use this information. To find "real" workstation security and network security tools, see the NCSC's Evaluated Products List (EPL) for Class C2 evaluated products, and be sure to read about the configuration used in testing. Check out the information on Microsoft's standalone workstation and on the Cordant workstation. Also check out the Novell Cordant solution for secure networking with trusted workstations.
To obtain NCSC documents, contact:
National Computer Security Center
9800 Savage Road
Fort George G. Meade, MD 20755-6000
Making an Informed Choice
Using these NCSC publications will help you find products which fit your business or home security needs for servers, workstations, and standalone machines. Many of the products are expensive, but you must weigh the costs against the potential loss of your valuable data. The right security hardware devices will protect your data from unauthorized access and prevent viruses from spreading.
A final word of caution: don't be misled by security product vendors' claims that your risk is not high enough to warrant a commercially available, independently evaluated computing platform. The risks are high for everyone, and it is not realistic to expect inexpensive software solutions to provide adequate protection against the sophisticated security threats that exist today. Security cannot be an add-on. It must start with the computer operating system (workstation, or workstation and server) and work with the hardware platform to provide a trusted system.
When considering your computer security options, remember there is a significant difference between not feeling threatened and not being threatened. Most people do not want to know what is actually out there ready to attack their system. They would much rather know that they are sufficiently protected from whatever is out there.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.