Why Is Computer Security Necessary, Essay Example

Introduction

This paper examines the concept of computer security from three independent viewpoints, that of: Administrative Safeguards, Physical Safeguards and Technical Safeguards.  This in consideration of the security standards with particular reference to The Health Insurance Portability and Accountability Act of 1996 (HIPAA).  These set out a number of distinct security standards providing important governance over this area.

Administrative safeguards

Administrative Safeguards have been defined as those actions, policies and procedures that are considered necessary in order to manage the selection, development and implementation of security measures in electronic recording of information and the protection of the workforce appropriate to the protection of such information. (HIPAA, 2007).

There are a number of standards in place including that of:

Security Management Process.  This examines those procedures that complete an environmental scan of the security procedures in place. In particular the mandatory areas of Risk Management, Sanction Policies and Information Systems activities. Risk Analysis being one of the most critical components as these forms a baseline for most of the other security procedures that are reviewed.  The sanctions policy is the disciplinary measure that provides sanctions against those employees who do not comply with the security measures. This may include restricted access, limitation of system privileges and in some cases an outright ban from use of the system i.e. exclusion.  The Information systems review is a scan of all the systems and procedures that generate record and capture information. This looks at audit logs, tracking reports and identification of users on the system.

Assigned security responsibility

This important administrative standard looks at those officials who are responsible for the system and the roles that they perform. It is essential a policies and procedures review ensuring compliance over a number of key areas and that assigned roles and responsibilities are being carried out in accordance with the requisite standard.

Workforce Security

This important administrative standard examines the policies and procedures with regard to access of information.  This is particularly important in the health field where there is access to confidential patient records and other clinical information. Particular attention is paid towards access security panels, encryption, levels of security clearance and how these procedures are enforced.  Authorization levels and more importantly the removal of personnel who have terminated or left the organization.

Security Awareness and Training

It is important that all members of the staff be fully informed of the importance of security and the measures that are taken.  In this sense, all staff needs formal training and awareness programs. People need to be informed of the importance and risks in security breaches and the potential consequences of same.  Staff needs to be informed of the sanction procedures and possible dismissal action for any serious breaches of security.

Physical safeguards

Physical safeguard standards were put in place to cover physical measures and policies in order to protect the electronic information systems and buildings from natural and environmental hazards or unauthorized intrusion or external penetration e.g. hacking. This review includes external sites where there may be permitted linkages to the system i.e. remote dial up situations.

There are a number of standards in place including that of:

Facility Access Controls

Examination of the policies and procedures that limit the physical access to the electronic control systems and the facilities where these are housed; hence ensuring only proper access is allowed.  There is a considerable threat imposed upon the interception of communications particularly that associated with electronic media.  One of the more common threats relates to that of e-mail. The threat here is two-fold: (i) the interception of messages and communication by hackers and others who are intent on theft of intellectual copyright or business confidential information (ii) incoming messages from the outside that may have attachments and carry harmful viruses that can penetrate the organizations firewall and impose serious damage to the computer network.

Contingency Operations

Looks at the procedures that cover a potential disaster taking place and the adequacy of the Disaster Recovery and Business Continuity plan. Ensures adequate back up and failsafe procedures are in place and that these are frequently tested so that a viable plan is available in the case of an emergency.  This impact is mitigated by having the geographical architecture divided into a number of nodes or junctions allowing for components to be removed or bi-passed.  For example if a Bank Branch was subject to a fraud investigation and the court ordered seizure of the computer equipment at that Branch, then the back could just isolate that node of the network and literally shut it off allowing the remaining nodes on the network to continue operating.  In this way the entire integrity of the Banks’s systems are not compromised. (Denis Besnard, 2004)

Technical safeguards

These safeguards have become more important in recent years owing to the increasing sophistication of both technology and the perpetrators of criminal activity in the field.

There are a number of standards in place including that of:

User Safeguard and Identification

Only allow access to the network to those that have security clearance and are deemed to be authorised users of the system. Restrict external file attachments to addresses outside of the system (prevention of data transfer or theft).  All users should have a unique id number and this should be tracked within the system by matching the computers IP address to the unique id number.

Automatic Log-off

Ensure there are procedures in place to automatically terminate an expired session and not leave a portal of entry open to the system.  This prevents penetration of the system by unauthorized users that target idle workstations that may not have been properly shut down.

Audit Controls

The system should have adequate audit controls in place covering both hardware and software implementation.  This should examine any loopholes in the system that allows back doors or trap doors whereby ease of access might be obtained. Security does not cover data protection or data integrity and these are issues that must be covered elsewhere.  Audit is more concerned with aspects of risk and vulnerability.  There is a need to retain forensic information on the system so that legal actions can be taken up in the event of any detected criminal action. (Landwehr, 2001)

Computer security on the internet

Information Technology has become the life-blood of virtually every organization. Most large business operations contain Data Centre’s of expensive computer and communication systems (hardware) and important client information and programs (software). Together they provide the central backbone of the organization and as such, any threat to these systems can be extremely disruptive and costly to the business.  The need to retain security and privacy over your information and data has become of paramount concern. With e-commerce, you run a potential risk from hackers and others who may target your organization to acquire intellectual property rights or important data sets. These are often used to exploit items such as identity theft, to acquire e-mail mailing lists and to sell-on other useful information. One Japanese firm had its entire web site cloned by a Chinese firm and because of difficult legal ramifications, it proved impossible, to proceed with legal action for what otherwise is deemed a criminal offense. (Whitman)

An insecure open environment

Essentially conducting business over the internet in an unsecure environment is to place your business at severe risk.  Penetration may come from hackers, viruses, spam, communication breaches and various other media. As such, you need to screen from these intrusions by putting in place suitable firewalls, ant-virus/anti-spam software, data encryption and other security measures to prevent unauthorised illegal entry to your system.

There is a considerable threat imposed upon the interception of communications particularly that associated with electronic media.  One of the more common threats relates to that of e-mail. The threat here is two-fold: (i) the interception of messages and communication by hackers and others who are intent on theft of intellectual copyright or business confidential information (ii) incoming messages from the outside that may have attachments and carry harmful viruses that can penetrate the Banks firewall and impose serious damage to the computer network.  The first of these represents a criminal offence and is punishable under the law.  The second may be harmless or careless use of communications that have not been checked with anti-virus software.  The policies here become a little more complex but certain precautions can be taken.  The first is for the system not to accept any external e-mails that contain attachments. In addition those that contain any graphics or graphic files which are often used to harbour Trojans.

Only allow access to the network to those that have security clearance and are deemed to be authorised users of the system. Restrict external file attachments to addresses outside of the system (prevention of data transfer or theft).  The job of the Security Manager has been made much harder in recent years because of items like USB Pen Drives that have high storage capacity.  They can be plugged into virtually any USB port in the system and quickly download data.  Providing the person can gain access, they will have the ability to download confidential information files. (Internet security: firewalls and beyond).

Litigation issues

The concept of litigation seems most prevalent in the area of IT Security.  Nearly all forms of electronic media have the potential for being involved in litigation cases.  When these instances arise, one of the most important aspects will be the gathering of data or information for evidence.  Where it is believed that a criminal act has taken place the computers and network devices may be removed for evidence.  This type of confiscation can impose a serious threat and disruption to the business as the court may instruct the system to be frozen, which means that the back-up recovery system could not be immediately invoked.  Failure to comply with court orders can result in very severe penalties.  This impact is mitigated by having the geographical architecture divided into a number of nodes or junctions allowing for components to be removed or bi-passed.

Integrity of research

Search Engines like Google provide open-ended sources of information, not all of which can be relied upon for data integrity.  It is possible to use filters like that of ‘google scholar’ or ‘google books’ to find more reliable academic sources of information.  Using databases via search engines like EBSCO are a more direct means of drilling down into more reliable sources of information.  EBSCO has the ability to drill down by subject and focuses purely on reliable academic works. (EBSCO)

Criminal issues in computer security

Internet Crime and particularly illegal entry into other computer systems i.e. hacking is deemed to be a Federal Offence in the USA and falls under the investigative jurisdiction of the Federal Bureau of Investigation (FBI).  Criminal computer hacking has been legally defined as any person who willingly and knowingly commits an act of cyber terrorism, credit card fraud, malicious vandalism, identity theft or other cyber-crime by hacking into a Corporate or Government system.  Such criminal acts are treated very seriously in the USA and will be subject to harsh penalties.  Such intrusions are capable of creating a tremendous amount of malicious damage. They may potentially threaten national security, may cause serious service disruptions e.g. hospitals, emergency services etc.  May create economic and financial instability by intrusions to Banks or large Corporate Offices.

One such example is that of David Smith a computer hacker launched the Melissa Virus in March of 1999. The virus that he placed into the internet spread to over 1.2 million computers causing an estimated $80 million in financial damages to businesses. Smith was convicted of computer hacking and the courts sentenced him to 40 years in prison.  He was release some 20 months later after agreeing to work with the FBI in their fight against cyber-crime. (Criminal Law Lawyer Source)

Garry McKinnon in the UK has been found guilty of hacking into 96 US Military and Defence systems and could face up to 70 years imprisonment. He is currently awaiting extradition from the UK.  In general, terms’ hacking is a form of cyber terrorism and as such is a criminal act. There is no legal justification for this and even those individuals that attempt this for an intellectual challenge are breaking the law.  It is not only a gross invasion of privacy but also a complete act of irresponsibility that potentially can unleash very serious and grave consequences for the public.

Computer hacking

Perhaps most people think of computer hacking as the ability to decipher code and invade other systems through the internet.  Unfortunately, some of the worst recent incidents have been amazingly simple.  Consider the massive amount of damage that was caused by Wiki Leaks where 90,000 classified military documents were downloaded onto a USB pen drive and smuggled out of a secure establishment.  The leak of this information into the media was an act of insane criminal irresponsibility and may have resulted in putting thousands of active duty service men and women in harm’s way.  Media Companies need to be more responsible in the handling of such information.  The freedom of the press and publishing sensationalist material must have some bounds.  The view that the people have a right to know what is going on is not realistic where Defence or National Security information is concerned.  It is an act of social responsibility and a duty to the country and those who serve the country in the military.  -It was Mike Mullen of the Joint Chiefs of Staff who announced in Iraq that leaked US military documents place soldiers’ lives at risk (Knickerbocker)

Gawker Media are a San Francisco based firm that have a reputation for outspoken sensationalist material with little concern for social responsibility.  It enables the collection of people’s blogs and the distribution of these through other social media sites like Facebook and Twitter.  In this instance, they were the victims of a hacker who intruded their systems and extracted a large amount of information from their database that included names, addresses, e-mail addresses, passwords, source code, internal chats and even gateways into other personal accounts. A group called gnosis claimed responsibility for the attack. The obvious danger here is that of identity theft and possible fraudulent use of credit card information.

There are also more sinister implications in terms of what this information could be used or exploited for. (Jason)

Works Cited

Criminal Law Lawyer Source. Computer Hacking. 2011. 27 5 2011 <http://www.criminal-law-lawyer-source.com/terms/computer-hacking.html>.

Denis Besnard, and Budi Arief. “Computer security impaired by legitimate users .” Computers & Security, Vol 23 Issue 3 (2004): 253-264 .

EBSCO. Colleges and Universities. 2011. 8 7 2011 <http://ebscohost.com/academic>.

HIPAA. Security Standards: Administrative Safeguards. Washington DC: Centre for Medicaid and Medicare Services, Vol 2 Paper 2, 2007.

“Internet security: firewalls and beyond.” Communications, Vol 40 Iss 5 (1997): 92-102.

Jason, Mick. Daily Tech. 14 12 2010. 27 5 2011 <http://www.dailytech.com/Gawker+Media+Suffers+Massive+Data+Breach+Courtesy+of+Gnosis/article20384.htm>.

Knickerbocker, Brad. WikiLeaks: How did the Pentagon lose track of 91,000 documents? 9 7 2010. 27 5 2011 <http://www.csmonitor.com/USA/Military/2010/0729/WikiLeaks-How-did-the-Pentagon-lose-track-of-91-000-documents>.

Landwehr, Carl E. “Computer security .” International Journal of Information Security, Vol 1 No 1 (2001): 3-13.

Michael E. Whitman, Herbert J. Mattord. Principles of Information Security, 4th Ed. Boston MA: Cengage, 2011.