® InfoJur.ccj.ufsc.br

Security for Telecommuters

by M. E. Kabay, Ph.D., ICSA Director of Education

As telecommuting and virtual corporations become more important in today's economy, practitioners will realize how important security is for their continued success.

Information security is perhaps even more important for telecommuters than for in-house users of local area networks (LANs) and wide-area networks (WANs):

To make sense of the security issues facing telecommuters, let's use the Parkerian Hexad as a conceptual framework. Donn G. Parker is a leading security expert based at SRI in Palo Alto, CA. He has set forth six fundamental concepts of information security:

Confidentiality and integrity are at risk in the usual telecommuter's computer setup because many, or most, home-office computers have no access control software or hardware. Without access controls, anyone can use Mommy or Daddy's computer. Little fingers can delete tomorrow's presentation file, change next week's financial report, or scramble system configurations even more than usual. Perhaps even worse, a thief can walk away with the entire computer, threatening availability permanently. If the thief is involved in industrial espionage, the telecommuter's employer and clients may be at risk; it doesn't take much to make a copy of the interesting files using, say, removable hard disks.

At the very least, telecommuters should use the password facility in their screen saver. Such passwords are not adequate when there are other users of the computer, however; when a child or spouse shares the home-office computer, the hard disk should have partitions that are not accessible without authorization from access control software. Shareware and commercial packages are available with multiple login IDs and passwords, each granting access to specific regions of the hard disk.

Another threat to data integrity is computer viruses. Every home-office computer should have an anti-virus product in place to detect and prevent virus infections. Anti-virus products such as scanners, TSRs, hardware boards, and generic virus-activity detectors will prevent damage to valuable programs and data. Such tools are easily available for trial in the NCSA Anti-Virus Vendor Forum on CompuServe (GO NCSAVI).

Confidentiality and possession of information are threatened by the ease of wiretapping on ordinary phone lines. When a telecommuter logs into a remote system, it is possible for the login ID and password to be captured and reused. This vulnerability increases when telecommuters use cellular phones and modems or place calls with a wireless phone anywhere in the circuit. Those of you with wireless phones will be interested to note that the base station does not have an on/off switch; anyone with a compatible handset can tune into any conversation or modem transmission being carried out through any other phone connection on the same circuit. For higher security, disconnect the wireless unit base stations from the phone line when transmitting unencrypted data to and from a remote system.

To prevent reuse of passwords, organizations with many telecommuters will find login authentication tokens useful and inexpensive. Such units may look like credit cards with a small display window showing constantly-changing random numbers or alphanumerics. The current password shown in the display is usually valid only for a minute, so no one can reuse it even if it is captured. One brand of authentication tokens costs about $20 per year per user.
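The following added example (not from the original article, and not any vendor's algorithm) sketches how a time-stepped token and its login server can make a captured password useless. It assumes an HMAC-based code in the style of RFC 4226/6238 with a 60-second step; the secret, timestamps, and the names `token_code` and `LoginServer` are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article's "valid only for a minute"


def token_code(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Code shown on the token display for the time step containing unix_time."""
    step = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class LoginServer:
    """Hypothetical verifier sharing the token's secret; refuses replays."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1  # newest time step already used for a login

    def verify(self, code: str, unix_time: int) -> bool:
        step = unix_time // STEP_SECONDS
        if step <= self.last_step:
            return False  # a code for this step (or an older one) was already used
        if not hmac.compare_digest(code, token_code(self.secret, unix_time)):
            return False  # wrong or expired code
        self.last_step = step
        return True


def demo() -> list:
    secret = b"constructed-demo-secret"  # constructed sample value
    server = LoginServer(secret)
    t0 = 1_700_000_040  # constructed timestamp at the start of a 60 s step
    captured = token_code(secret, t0)  # what a wiretap on the line would record
    return [
        server.verify(captured, t0 + 5),   # legitimate login
        server.verify(captured, t0 + 20),  # replay within the same minute
        server.verify(captured, t0 + 90),  # replay one minute later
        server.verify(token_code(secret, t0 + 90), t0 + 90),  # fresh code
    ]


if __name__ == "__main__":
    print(demo())
```

The server-side `last_step` check is what stops a replay inside the same minute; the time step alone only limits how long a captured code stays valid. Real deployments also tolerate a small amount of clock drift, which this sketch omits.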

Another tool to protect confidentiality and integrity is encryption. Connections to remote systems can be encrypted as can electronic mail messages. In addition, encryption can provide digital signatures to prove the integrity and authenticity of your e-mail messages and files. When encrypted disk drivers are used, no one but the holder of the secret encryption key can use the files on a hard disk or floppy drive--even when they are stolen. Such tools are available from the ICSA InfoSecurity Forum on CompuServe (GO NCSAFO).

Naturally, your software should be authentic too: it is a poor decision to steal proprietary software. Taking the work of people who have sweated to produce good software is not only illegal, it's immoral and dangerous. What kind of principles do software thieves teach their kids? And what is to stop anyone who finds out about theft from reporting the thief to the police or to the Software Protection Association? Anyway, people with stolen software cannot call the manufacturer's help lines without feeling nervous; the time wasted trying to get help in other ways may easily outweigh the cost of the real, up-to-date version of the software.

Another issue when thinking about the Parkerian Hexad is availability.

If you think about how much work goes into creating what you use your computer for, backing it up daily doesn't seem like such a chore. Some people do back up their computers daily, but then they leave their current backup tape or disk right next to the computer they're trying to protect! Bad idea. If the computer gets stolen or melted or drowned, so will the backup. It is better to bring your backups over to a friendly neighbor so there is a better chance of saving the data than if you leave it in your computer area. Failing that--if, for instance, your nearest neighbor is miles away or is a grump--at least put the tapes in a fire-resistant safe as far from the computer as possible.

Another factor in determining availability is your filing method. Regardless of the field, there are always two extremes in any sort of classification: lumpers and splitters. Lumpers see similarities above all, so they have 742 files in each of five directories. No directories have sub-directories. Everything is viewed as one giant family of related stuff. The opposite extreme is the splitter. Splitters make fine distinctions, so they have five files in 742 directories. All directories have four levels of subdirectories. Both extremes make it very difficult to find what you want when you want it.

To avoid the frustrating search for that "I'm sure it was in here somewhere" file, organize your files in some reasonable order. Maybe you have projects of radically different types--baking cakes and designing nuclear reactors, for instance. Break up the files into two directories and go on from there. When you look up files, consider sorting them by date of last modification rather than by name; sometimes that will help you locate the files you need immediately. Use indexing methods that let you locate words or expressions in a fraction of a second. Use viewers instead of word processing programs while searching for what you want--they save time and won't let you modify files you only meant to examine.

I hope this introduction has whetted your appetite for more. Please join us in the ICSA InfoSecurity Forum on CompuServe (GO NCSAFO) or on our home page on the World Wide Web (http://www.icsa.net). For e-mail information about the ICSA, send any message to our infobot, info@icsa.net, and you'll receive a menu of choices. Look for details of our upcoming course on "Protecting Your Home PC Against Viruses, Theft, and Pornography: How to keep your sanity while using your PC at home" which will be taught online by the ICSA's own Stephen Cobb, author of The ICSA Guide to PC and LAN Security (1995, McGraw-Hill). You can reach the ICSA any time at 717-258-1816 or through e-mail to our Membership Department using membership@icsa.net. In addition, you can always get detailed information by sending a blank message to info@icsa.net to reach the National Computer Security Association infobot.



 

M. E. Kabay is the author of The ICSA Guide to Enterprise Security (1996, McGraw-Hill). He can be reached by e-mail at mkabay@icsa.net .



 

Retrieved from the site: http://www.icsa.net/library/research/a.shtml in Jul/99