Security: It’s Not All About Hackers

8/22/2005

Sometimes, the biggest threat to security isn’t a mysterious hacker on the Net—it’s the person who just walked by.

“WHY BOTHER?” a doctor in the front row of the seminar blurted out. The topic under discussion was improving the security of patient data at a famous university hospital, but he wasn’t so sure that technology was the answer. “Why worry about fancy systems to secure computer systems, when all that’s needed to obtain patient records is a white lab coat and a clipboard—particularly if you’re a white male over the age of 35?” His point was a good one.

In our own discussions of cyber security, we often omit the simplest security of all: controlling physical access to our computer facilities. It used to be a tedious process to steal information from someone’s computer, but the proliferation of small memory devices, personal digital assistants (PDAs), and music players that plug directly into a PC’s USB port now makes it possible to transfer huge amounts of information to an easily concealed gadget. It’s also pretty easy to just walk off with a laptop. In short, controlling physical access to computers—those on desks or those in the computer room—is just as important as preventing hackers from accessing our networks.

First, assess risk. The first step in controlling physical access as part of a layered campus defense is a risk assessment: What are we trying to protect? The answer is not just sensitive or proprietary information on the computer, but the computer itself. What will it cost us if either is stolen? The cost of a computer is obvious, but what is the value of the information stored on that computer? What would the theft cost our clients both directly and indirectly? What would be the damage to our reputation? Finally, what will it cost us to protect the computer or the information?

For example, the value of a computer in a public lab is little more than the cost of the computer and the software. A simple cable-lock device may be all that’s required. On the other hand, a laptop that contains sensitive information—say, the Social Security numbers of all of the institution’s students—has a value that far exceeds the cost of the laptop itself, and justifies more aggressive protection. We’re always faced with a trade-off between three variables: security, cost, and convenience.

Three Types of Security

While there is a bewildering array of secure-access techniques and technologies, they all can be easily placed into three categories: something you have, something you know, or something you are.

Something you have is fairly obvious: something in your possession to prove that you should have access, such as a key to a lock, or a photo ID. Something you know would be traditional passwords and PIN numbers. It’s common to combine something you know with something you have. To get money from an ATM machine you need both the PIN number and the ATM card.

Something you are is the newest method of security. Better known as “biometrics,” the term refers to the practice of using some part of an individual’s physical identity as an identifier. The most common example is the use of a fingerprint, while other examples are the use of retina scans and voice recognition.

Smart Cards Move to “Challenge/Response”


