Security: It’s Not All About Hackers
Sometimes, the biggest threat to security isn’t a mysterious hacker on the
Net—it’s the person who just walked by.
“WHY BOTHER?” a doctor in the front row of the seminar blurted out.
The topic under discussion was improving the security of patient data at a famous
university hospital, but he wasn’t so sure that technology was the answer. “Why
worry about fancy systems to secure computer systems, when all that’s needed
to obtain patient records is a white lab coat and a clipboard—particularly if
you’re a white male over the age of 35?” His point was a good one.
In our own discussions of cyber security, we often omit the simplest security
of all: controlling physical access to our computer facilities. It used to be
a tedious process to steal information from someone’s computer, but the proliferation
of small memory devices, personal digital assistants (PDAs), and music players
that plug directly into a PC’s USB port now make it possible to transfer huge
amounts of information to an easily concealed gadget. It’s also pretty easy
to just walk off with a laptop. In short, controlling physical access to computers—
those on desks or those in the computer room—is just as important as preventing
hackers from accessing our networks.
First, assess risk. The first step in controlling physical access as
part of a layered campus defense is a risk assessment: What are we trying to
protect? The answer is not just sensitive or proprietary information on the
computer, but the computer itself. What will it cost us if either is stolen?
The cost of a computer is obvious, but what is the value of the information
stored on that computer? What would the theft cost our clients both directly
and indirectly? What would be the damage to our reputation? Finally, what will
it cost us to protect the computer or the information?
For example, the value of a computer in a public lab is little more than the
cost of the computer and the software. A simple cable-lock device may be all
that’s required. On the other hand, a laptop that contains sensitive information—
say, the Social Security numbers of all of the institution’s students—has a
value that far exceeds the cost of the laptop itself, and justifies more aggressive
protection. We’re always faced with a trade-off between three variables: security,
cost, and convenience.
Three Types of Security
While there is a bewildering array of secure-access techniques and technologies,
they all can be easily placed into three categories: something you have, something
you know, or something you are.
Something you have is fairly obvious: something in your possession to
prove that you should have access, such as a key to a lock, or a photo ID. Something
you know would be traditional passwords and PIN numbers. It’s common to combine
something you know with something you have. To get money from an ATM machine
you need both the PIN number and the ATM card.
Something you are is the newest method of security. Better known as
“biometrics,” the term refers to the practice of using some part of an individual’s
physical identity as an identifier. The most common example is the use of a
fingerprint, while other examples are the use of retina scans and voice recognition.
Smart Cards Move to “Challenge/Response”