🔐 Computer and Data Security

Lesson 2: Identification and Access

Measures to protect computers and data

There are many threats to information systems used by organizations and individuals. Threats may be external, internal, accidental, or deliberate. Understanding the different kinds of threats helps in planning appropriate protections.

Methods of protecting data: backup (savebuk, p. 174), disaster recovery plan (savebuk, p. 178), encryption (savebuk, pp. 179-180).

Encryption

Data encryption is a method of preventing unauthorized access to data that is being transmitted on a network. Encryption encodes data and renders it unreadable if it is intercepted. In the United States, the government has established a Data Encryption Standard (DES) that it uses to evaluate the effectiveness of encryption.

Cryptography

Cryptography uses a key that both the sender and the receiver possess. The sender transmits the message in encoded form; it can only be decoded if the receiver holds the appropriate secret decryption key. This method identifies legitimate senders and receivers and prevents the alteration or interception of the message.

Secure Sockets Layer (SSL)

Many websites use the Secure Sockets Layer (SSL) to transmit data privately. Many transactions are carried out using the HTTPS protocol to ensure security.

SSL is a standard security layer for creating encrypted transactions on the Internet. SSL ensures that data transmitted between a browser and a web server is encrypted. To be able to create an SSL link, the web server requires an SSL certificate. Security companies such as Verisign sell and maintain SSL certificates and help organizations install them and use them.

Physical security

A secure environment for an information system helps to prevent unauthorized access to that system. Physical security is one component of this: access to the premises is restricted to authorized personnel. Doors and buildings can be secured by locks. Many organizations use key systems that give different levels of access to different users, or smart cards to open doors. Biometrics, e.g., fingerprints or retina scans, can also be used for access.

The access systems are managed by computer systems. Alarms can be used to alert authorities to out-of-hours access.

What you have

Gaining entry to a building often requires some way of verifying the person’s right to enter. Verification of identity as a condition of entry can use:

  • Keys
  • ID cards, usually with a photographic image
  • Smart cards

Keys

Most organizations use keys to secure buildings. Keys can be arranged on a hierarchical basis with a master key system. A master key gives access to a number of different locks within an organization. At the highest level, a master key will open every lock in a building.

Keys provide a first level of security. Most people are familiar with keys and they are relatively easy to use. However, for organizations requiring many buildings or rooms to be locked, the process of issuing and managing keys can be complex and time-consuming.

The loss or theft of a key can cause significant difficulty to an organization. If a master key is stolen, the organization’s buildings are made insecure. To resolve the problem, an organization may need to:

  • Change every lock that the master key could access
  • Recall and replace all the keys that use those locks

Electronic Keys

There are systems that use electronic keys, i.e., keys that are connected to a central keying system via a network. Keys are issued to users and the locks to which users have access depend upon the organization’s policies and the user’s needs.

The advantages of such systems are:

  • In the case of loss or theft, a key can be disabled quickly and a new one issued to the user
  • The use of keys can be monitored, which can be useful when there is suspected unauthorized access

The disadvantages are:

  • Cost: the capital cost of acquiring the system
  • Infrastructure: the need to have all of the locks accessible on a network

Identification cards

Identification (ID) Cards are useful in providing physical identification of members of an organization. These allow people to see quickly whether or not a person is authorized to be in a building.

Photo identification cards are used in many organizations, such as:

  • Hospitals and medical centers
  • Schools and universities
  • Businesses
  • Public events

ID cards can also incorporate electronic access cards. These cards operate in conjunction with electronic access systems and can be centrally controlled.

The ID card can be:

  • A proximity card that is used with a special card reader to gain access
  • A swipe card with a magnetic strip that is used with a reader

What you know

Personal identification number

A personal identification number (PIN) is a numeric code that an individual uses to prove their identity. Banks use PINs to authorize financial transactions, e.g., when withdrawing cash from an automatic teller machine (ATM).

A PIN can be used for access into a building or to set or turn off an alarm on a building. Many security systems use a PIN to operate alarms. Some people use a PIN on a mobile phone.

Individuals using a PIN should never:

  • Disclose the PIN to another person
  • Write down the PIN on paper
  • Give out the PIN in reply to an email request

Passwords

A password is a series of characters, usually a mix of letters, numbers and other symbols. A password is an important security measure used to identify users and to ensure that they have the correct levels of access to computer and information systems.

Most organizations have rules about passwords covering their length, the characters to be used and how often they should be changed. Typical rules include:

  • Passwords to be changed regularly, perhaps every 90 days
  • Minimum number of characters in the password and the inclusion of numbers and other characters
  • Not allowing a password to be reused after it has been changed
  • Locking out a user after a number of unsuccessful attempts

People should not use passwords that can be guessed, e.g., someone’s name, a telephone number or a football team.
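The four typical rules above, together with the caution against guessable passwords, as an added example (not from the lesson) showing how an account login routine can enforce them. The 90-day interval comes from the lesson; the other numeric limits are assumed values, and dates are plain day numbers for simplicity.

```python
import hashlib
import hmac
import os

# Policy values: 90 days is from the lesson; the rest are assumed for this example.
MIN_LENGTH = 8          # minimum number of characters
MAX_AGE_DAYS = 90       # change the password at least this often
HISTORY = 5             # most recent passwords that may not be reused
MAX_FAILURES = 5        # unsuccessful attempts before the account is locked

def hash_pw(password, salt):
    # Store a salted, slow hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def policy_violations(password, username, old_hashes):
    """Return the rules a candidate password breaks (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isdigit() for c in password) or password.isalnum():
        problems.append("needs a digit and a non-alphanumeric character")
    if username.lower() in password.lower() or password.isdigit():
        problems.append("guessable")   # contains the user's name or looks like a phone number
    if any(hash_pw(password, salt) == h for salt, h in old_hashes):
        problems.append("reused")      # matches one of the recent passwords
    return problems

class Account:
    def __init__(self, username, password, today):
        self.username, self.history, self.failures, self.locked = username, [], 0, False
        problems = self.set_password(password, today)
        if problems:
            raise ValueError(problems)

    def set_password(self, password, today):
        problems = policy_violations(password, self.username, self.history[-HISTORY:])
        if not problems:
            salt = os.urandom(16)
            self.history.append((salt, hash_pw(password, salt)))
            self.changed, self.failures = today, 0
        return problems

    def login(self, password, today):
        if self.locked:
            return "locked"
        salt, stored = self.history[-1]
        if not hmac.compare_digest(stored, hash_pw(password, salt)):
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
            return "locked" if self.locked else "bad password"
        self.failures = 0
        return "expired" if today - self.changed > MAX_AGE_DAYS else "ok"
```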
