
5.1: Information Systems Security

  • Page ID 79195

    Authentication and Identification

    What is Authentication? 

    Authentication is the process of verifying whether someone (or something) is, in fact, who (or what) it is declared to be. According to the National Institute of Standards and Technology (NIST), authentication is defined as "Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system". Notice that this definition does not restrict authentication to human users. It includes processes or devices.

    Authentication factors 

    The ways in which someone may be authenticated fall into four categories, based on what is known as the factors of authentication: something the user knows, something the user has, something the user does, and something the user is. Each authentication factor covers a range of elements used to authenticate or verify a person's identity prior to being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority.

    Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified. The four factors (classes) and some of the elements of each factor are:

    • the knowledge factors: Something the user knows (e.g., a password, partial password, passphrase, personal identification number (PIN), challenge-response (the user must answer a question or pattern), security question).
    • the ownership factors: Something the user possesses (e.g., wrist band, ID card, security token, implanted device, cell phone with a built-in hardware token, software token, or cell phone holding a software token).
    • the inherence factors: Something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other biometric identifiers).
    • the location factors: Somewhere the user is (e.g. connection to a specific computing network or using a GPS signal to identify the location).

    Multi-factor authentication 

    Multi-factor authentication is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). It protects the user from an unknown person trying to access their data such as personal ID details or financial assets.

    Authentication takes place when someone tries to log into a computer resource (such as a network, device, or application). The resource requires the user to supply the identity by which the user is known to the resource, along with evidence of the authenticity of the user's claim to that identity. Simple authentication requires only one such piece of evidence (factor), typically a password. For additional security, the resource may require more than one factor—multi-factor authentication, or two-factor authentication in cases where exactly two pieces of evidence are to be supplied.

    The use of multiple authentication factors to prove one's identity is based on the premise that an unauthorized actor is unlikely to be able to supply the factors required for access. If in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset (e.g., a building, or data) being protected by multi-factor authentication then remains blocked.

    Knowledge 

    Knowledge factors are the most commonly used form of authentication. In this form, the user is required to prove knowledge of a secret in order to authenticate.

    A password is a secret word or string of characters that is used for user authentication. This is the most commonly used mechanism of authentication. Many multi-factor authentication techniques rely on passwords as one factor of authentication. Variations include both longer ones formed from multiple words (a passphrase) and the shorter, purely numeric, personal identification number (PIN) commonly used for ATM access. Traditionally, passwords are expected to be memorized.

    Many secret questions such as "Where were you born?" are poor examples of a knowledge factor because they may be known to a wide group of people, or be able to be researched.

    Possession 

    Possession factors ("something only the user has") have been used for authentication for centuries, in the form of a key to a lock. The basic principle is that the key embodies a secret that is shared between the lock and the key, and the same principle underlies possession factor authentication in computer systems. A security token is an example of a possession factor.

    Disconnected tokens have no connections to the client's computer. They typically use a built-in screen to display the generated authentication data, which is manually typed in by the user. This type of token mostly uses a "one-time password" that can only be used for that specific session.

    Connected tokens are devices that are physically connected to the computer to be used. Those devices transmit data automatically. There are a number of different types, including card readers, wireless tags, and USB tokens.

    A software token (a.k.a. soft token) is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated. (Contrast hardware tokens, where the credentials are stored on a dedicated hardware device and therefore cannot be duplicated, absent physical invasion of the device.) A soft token may not be a device the user interacts with. Typically an X.509v3 certificate is loaded onto the device and stored securely to serve this purpose.

    Inherent 

    These are factors associated with the user and are usually biometric methods, including fingerprint, face, voice, or iris recognition. Behavioral biometrics such as keystroke dynamics can also be used.

    Location 

    Increasingly, a fourth factor is coming into play involving the physical location of the user. While hard-wired to the corporate network, a user could be allowed to log in using only a PIN code, whereas off the network the user could additionally be required to enter a code from a soft token. This could be seen as an acceptable standard where access to the office is controlled.

    Systems for network admission control work in similar ways, where your level of network access can be contingent on the specific network your device is connected to, such as Wi-Fi versus wired connectivity. This also allows a user to move between offices and dynamically receive the same level of network access in each.

    Mutual authentication 

    Mutual authentication or two-way authentication (not to be confused with two-factor authentication) refers to two parties authenticating each other at the same time in an authentication protocol. It was previously referred to as “mutual entity authentication,” as two or more entities verify the others' legality before any data or information is transmitted.

    Mutual authentication is a desired characteristic in verification schemes that transmit sensitive data, in order to ensure data security. Mutual authentication is found in two types of schemes: username-password-based schemes and certificate-based schemes, and these schemes are often employed in the Internet of Things (IoT). Writing effective security schemes in IoT systems can become challenging, especially when needing schemes to be lightweight and have low computational costs. Mutual authentication is a crucial security step that can defend against many adversarial attacks, which otherwise can have large consequences if IoT systems (such as e-Healthcare servers) are hacked. In scheme analyses done of past works, a lack of mutual authentication had been considered a weakness in data transmission schemes.
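The following is an added example (not from the LibreTexts page or any IoT scheme it cites) of the lightweight, symmetric-key kind of mutual authentication the text describes: a three-message challenge-response in which each side proves knowledge of a shared key over both parties' fresh nonces, and the client releases nothing further until it has verified the server. The message layout, the role labels and the class names are this example's own choices.

```python
import hashlib
import hmac
import secrets


def auth_tag(key: bytes, role: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a role label and the length-prefixed message parts. The label
    ('server' or 'client') binds each tag to the party that produced it, so a tag
    reflected back to its own author does not verify."""
    mac = hmac.new(key, role, hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


class Server:
    def __init__(self, key: bytes):
        self.key = key
        self.nonce = secrets.token_bytes(16)
        self.client_nonce = None
        self.peer_authenticated = False

    def respond(self, client_nonce: bytes):
        """Message 2: the server's own fresh nonce plus proof of the key over both nonces."""
        self.client_nonce = client_nonce
        return self.nonce, auth_tag(self.key, b"server", client_nonce, self.nonce)

    def finish(self, client_tag: bytes) -> bool:
        """Message 3 check: the client proves the key over the nonces in the other order."""
        expected = auth_tag(self.key, b"client", self.nonce, self.client_nonce)
        self.peer_authenticated = hmac.compare_digest(expected, client_tag)
        return self.peer_authenticated


class Client:
    def __init__(self, key: bytes):
        self.key = key
        self.nonce = secrets.token_bytes(16)
        self.peer_authenticated = False

    def start(self) -> bytes:
        """Message 1: a fresh random challenge, so an old server answer cannot be replayed."""
        return self.nonce

    def reply(self, server_nonce: bytes, server_tag: bytes):
        """Verify the server first; only then release the client's own proof."""
        expected = auth_tag(self.key, b"server", self.nonce, server_nonce)
        self.peer_authenticated = hmac.compare_digest(expected, server_tag)
        if not self.peer_authenticated:
            return None  # abort: nothing, not even our tag, goes to an unverified peer
        return auth_tag(self.key, b"client", server_nonce, self.nonce)


def run_protocol(client_key: bytes, server_key: bytes):
    """Drive the exchange; returns (client trusts server, server trusts client)."""
    client, server = Client(client_key), Server(server_key)
    n_c = client.start()
    n_s, t_s = server.respond(n_c)
    t_c = client.reply(n_s, t_s)
    if t_c is not None:
        server.finish(t_c)
    return client.peer_authenticated, server.peer_authenticated


if __name__ == "__main__":
    shared = secrets.token_bytes(32)   # constructed: provisioned into both devices
    print("matching keys:", run_protocol(shared, shared))
    print("server holds a different key:", run_protocol(shared, secrets.token_bytes(32)))
```

With a mismatched key the client rejects message 2 and the protocol stops before message 3, which is the point of the "before any data is transmitted" ordering in the definition above. The cost on each side is two HMAC computations and one random nonce, which is why this shape suits constrained devices.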

    Password 

    A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm a user's identity. Using the terminology of the NIST Digital Identity Guidelines, "the secret is memorized by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity".

    In general, a password is an arbitrary string of characters including letters, digits, or other symbols. If the permissible characters are constrained to be numeric, the corresponding secret is sometimes called a personal identification number (PIN).

    Despite its name, a password does not need to be an actual word; indeed, a non-word (in the dictionary sense) may be harder to guess, which is a desirable property of passwords. A memorized secret consisting of a sequence of words or other text separated by spaces is sometimes called a passphrase. A passphrase is similar to a password in usage, but the former is generally longer for added security.

    Choosing a secure and memorable password 

    Generally, the easier a password is for its owner to remember, the easier it is for an attacker to guess. However, passwords that are difficult to remember may also reduce the security of a system because (a) users might need to write down or electronically store the password, (b) users will need frequent password resets, and (c) users are more likely to re-use the same password across different accounts. Similarly, the more stringent the password requirements, such as "have a mix of uppercase and lowercase letters and digits" or "change it monthly", the greater the degree to which users will subvert the system. Others argue that longer passwords provide more security (e.g., entropy) than shorter passwords with a wide variety of characters.

    In The Memorability and Security of Passwords, Jeff Yan et al. examine the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords.

    Combining two or more unrelated words and altering some of the letters to special characters or numbers is another good method, but a single dictionary word is not. Having a personally designed algorithm for generating obscure passwords is another good method.

    However, asking users to remember a password consisting of a "mix of uppercase and lowercase characters" is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalizes one of the letters). Asking users to use "both letters and digits" will often lead to easy-to-guess substitutions such as 'E' → '3' and 'I' → '1', substitutions that are well known to attackers. Similarly typing the password one keyboard row higher is a common trick known to attackers.
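The numbers in the last two paragraphs follow from simple keyspace arithmetic. The block below is an added worked example (not part of the LibreTexts page) that computes them: the factor of 128 for a 7-letter mixed-case password, the much smaller factor when a user merely capitalizes one letter, how few extra candidates a digit-substitution rule costs an attacker, and the entropy comparison between a short complex password and a longer passphrase. The dictionary size of 8000 words and the substitution table are constructed assumptions.

```python
import itertools
import math

LOWERCASE = 26
MIXED_CASE = 52
ALNUM_MIXED = 62

# Constructed substitution table for the "easy-to-guess substitutions" the text mentions.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from an alphabet."""
    return alphabet_size ** length


def capitalize_one_keyspace(length: int) -> int:
    """Lowercase words where the user capitalizes at most one letter: the original
    word plus one variant per position, not the full 2**length case combinations."""
    return keyspace(LOWERCASE, length) * (length + 1)


def bits(n: int) -> float:
    """Entropy in bits of a uniform choice among n candidates."""
    return math.log2(n)


def substitution_variants(word: str) -> set:
    """Every spelling an attacker's substitution rule would try for one dictionary
    word; the set has 2**k members, where k is the number of substitutable letters."""
    choices = [(ch, SUBSTITUTIONS[ch]) if ch in SUBSTITUTIONS else (ch,) for ch in word]
    return {"".join(p) for p in itertools.product(*choices)}


def compare_policies(length: int = 7, words: int = 4, dictionary: int = 8000) -> dict:
    """Constructed comparison of the policies discussed in the text."""
    lower = keyspace(LOWERCASE, length)
    return {
        "mixed_case_vs_lower": keyspace(MIXED_CASE, length) // lower,  # 2**length
        "cap_one_vs_lower": capitalize_one_keyspace(length) // lower,  # length + 1
        "lower_bits": round(bits(lower), 1),
        "mixed_case_bits": round(bits(keyspace(MIXED_CASE, length)), 1),
        "alnum_mixed_8_bits": round(bits(keyspace(ALNUM_MIXED, 8)), 1),
        "passphrase_bits": round(bits(keyspace(dictionary, words)), 1),
    }


if __name__ == "__main__":
    for k, v in compare_policies().items():
        print(f"{k:>22}: {v}")
    print("variants of 'password':", len(substitution_variants("password")))
```

The "7-letter, 128 times harder" figure is 2^7; capitalizing exactly one letter gives only 8 times the lowercase keyspace. A four-word passphrase from an 8000-word list (about 51.9 bits) beats an 8-character mixed alphanumeric password (about 47.6 bits), which is the "longer beats more character classes" argument, and a word like "password" expands to just 16 candidates under the substitution rule.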

    In 2013, Google released a list of the most common password types, all of which are considered insecure because they are too easy to guess (especially after researching an individual on social media):

    • The name of a pet, child, family member, or significant other
    • Anniversary dates and birthdays
    • Birthplace
    • Name of a favorite holiday
    • Something related to a favorite sports team
    • The word "password"

    Strong Password

    A strong password is hard to guess, both for humans and for computers. Two things make a password stronger: (1) a larger number of characters (the more characters, the stronger the password), and (2) mixing numeric digits, upper and lower case letters, and special characters ($, #, etc.). Passwords are typically case-sensitive, so a strong password contains letters in both uppercase and lowercase. A strong password is not a word that can be found in a dictionary or the name of a person, character, product, or organization; it is significantly different from your previous passwords; and it is easy for you to remember but difficult for others to guess. Consider using a memorable phrase like "6MonkeysRLooking^".

    Factors in the security of a password system 

    The security of a password-protected system depends on several factors. The overall system must be designed for sound security, with protection against computer viruses, man-in-the-middle attacks, and the like. Physical security issues are also a concern, from deterring shoulder surfing to more sophisticated physical threats such as video cameras and keyboard sniffers. Passwords should be chosen so that they are hard for an attacker to guess and hard for an attacker to discover using any of the available automatic attack schemes. See password strength and computer security for more information.

    Nowadays, it is a common practice for computer systems to hide passwords as they are typed. The purpose of this measure is to prevent bystanders from reading the password; however, some argue that this practice may lead to mistakes and stress, encouraging users to choose weak passwords. As an alternative, users should have the option to show or hide passwords as they type them.

    Effective access control provisions may force extreme measures on criminals seeking to acquire a password or biometric token. Less extreme measures include extortion, rubber hose cryptanalysis, and side-channel attack.

    The rate at which an attacker can try guessed passwords 

    The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g., three) of failed password entry attempts. In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords if they have been well chosen and are not easily guessed.

    Many systems store a cryptographic hash of the password. If an attacker gets access to the file of hashed passwords guessing can be done offline, rapidly testing candidate passwords against the true password's hash value. In the example of a web-server, an online attacker can guess only at the rate at which the server will respond, while an off-line attacker (who gains access to the file) can guess at a rate limited only by the hardware on which the attack is running.

    Passwords that are used to generate cryptographic keys (e.g., for disk encryption or Wi-Fi security) can also be subjected to high rate guessing. Lists of common passwords are widely available and can make password attacks very efficient. (See Password cracking.) Security in such situations depends on using passwords or passphrases of adequate complexity, making such an attack computationally infeasible for the attacker. Some systems, such as PGP and Wi-Fi WPA, apply a computation-intensive hash to the password to slow such attacks. See key stretching.
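The two preceding paragraphs describe the offline-guessing problem and its standard mitigation, key stretching. The block below is an added example, not the page's or any product's code: password records are stored as salted PBKDF2-HMAC-SHA256 hashes, and a small function simulates an attacker who has obtained one record and tests a candidate list against it, so the effect of the iteration count on the guess rate can be measured directly. The record format and the candidate list are constructed for the example.

```python
import hashlib
import hmac
import os
import time

ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = 600_000, salt: bytes = None) -> str:
    """Store salt, iteration count and derived key together, so the verifier can
    recompute the same stretch later. A fresh random salt per record means two
    users with the same password get different hashes and precomputed tables fail."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    alg, iters, salt_hex, dk_hex = record.split("$")
    if alg != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def offline_guess_time(record: str, candidates):
    """Simulate an offline attacker with a stolen record: every candidate costs the
    attacker the full stretch. Returns (matched candidate or None, seconds elapsed)."""
    start = time.perf_counter()
    hit = None
    for candidate in candidates:
        if verify_password(candidate, record):
            hit = candidate
            break
    return hit, time.perf_counter() - start


if __name__ == "__main__":
    # Constructed candidate list with the real password last, so all entries are tried.
    candidates = [f"guess{i}" for i in range(9)] + ["zebra"]
    for iterations in (1, 50_000):
        record = hash_password("zebra", iterations=iterations)
        hit, seconds = offline_guess_time(record, candidates)
        print(f"{iterations:>7} iterations: found {hit!r} after {seconds:.4f}s "
              f"({len(candidates) / seconds:,.0f} guesses/s)")
```

Raising the iteration count multiplies the attacker's cost per guess by the same factor it multiplies the legitimate login's cost, which is acceptable because the legitimate user computes the stretch once while the attacker computes it for every candidate.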

    Limits on the number of password guesses 

    An alternative to limiting the rate at which an attacker can make guesses on a password is to limit the total number of guesses that can be made. The password can be disabled, requiring a reset, after a small number of consecutive bad guesses (say 5); and the user may be required to change the password after a larger cumulative number of bad guesses (say 30), to prevent an attacker from making an arbitrarily large number of bad guesses by interspersing them between good guesses made by the legitimate password owner. Attackers may conversely use knowledge of this mitigation to implement a denial of service attack against the user by intentionally locking the user out of their own device; this denial of service may open other avenues for the attacker to manipulate the situation to their advantage via social engineering.
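As an added example (not from the LibreTexts page), the limiter below implements exactly the two thresholds described in this paragraph: five consecutive bad guesses disable the password until an out-of-band reset, and thirty cumulative bad guesses, even when interleaved with the owner's successful logins, force a password change. The password check itself is passed in as a hypothetical `check_secret` callable so the policy logic can be tested in isolation; the scenario function and the account name are constructed.

```python
from dataclasses import dataclass


@dataclass
class AccountState:
    consecutive_failures: int = 0
    cumulative_failures: int = 0
    locked: bool = False                 # disabled until an out-of-band reset
    must_change_password: bool = False   # too many bad guesses overall


class GuessLimiter:
    """Two limits from the text: a short run of consecutive bad guesses locks the
    password; a larger cumulative count (surviving successful logins) forces a change."""

    def __init__(self, check_secret, consecutive_limit: int = 5, cumulative_limit: int = 30):
        # check_secret(user, candidate) -> bool is supplied by the caller (hypothetical hook;
        # a real system compares against a salted, stretched hash).
        self.check_secret = check_secret
        self.consecutive_limit = consecutive_limit
        self.cumulative_limit = cumulative_limit
        self.accounts = {}

    def attempt(self, user: str, candidate: str) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked:
            return "locked"   # even the right password is refused until reset
        if self.check_secret(user, candidate):
            st.consecutive_failures = 0          # a good login resets only the run
            return "ok_change_required" if st.must_change_password else "ok"
        st.consecutive_failures += 1
        st.cumulative_failures += 1
        if st.consecutive_failures >= self.consecutive_limit:
            st.locked = True
            return "locked"
        if st.cumulative_failures >= self.cumulative_limit:
            st.must_change_password = True
        return "denied"

    def reset(self, user: str) -> None:
        """Out-of-band reset (help desk, recovery flow): clears the lock and the counters."""
        self.accounts[user] = AccountState()

    def password_changed(self, user: str) -> None:
        self.accounts[user] = AccountState()


def interspersed_attack(limiter: GuessLimiter, user: str, secret: str,
                        rounds: int, bad_per_round: int):
    """Constructed scenario from the text: `bad_per_round` wrong guesses are slipped in
    before each of the owner's successful logins. Returns the owner's results per round."""
    owner_results = []
    for r in range(rounds):
        for i in range(bad_per_round):
            limiter.attempt(user, f"wrong-{r}-{i}")
        owner_results.append(limiter.attempt(user, secret))
    return owner_results


if __name__ == "__main__":
    secrets_db = {"pat": "correct-horse"}   # constructed
    lim = GuessLimiter(lambda u, c: secrets_db.get(u) == c)
    print(interspersed_attack(lim, "pat", "correct-horse", rounds=8, bad_per_round=4))
    lim2 = GuessLimiter(lambda u, c: secrets_db.get(u) == c)
    print([lim2.attempt("pat", "x") for _ in range(5)], lim2.attempt("pat", "correct-horse"))
```

With four bad guesses per round the consecutive limit is never reached, which is the gap the cumulative limit closes: after the eighth round the owner logs in but is told to change the password. The second run shows the denial-of-service side effect the text warns about: once five failures have locked the account, the correct password is refused too, so the reset path needs its own protection.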

    Identification - what is it? 

    Identification is basically the process of someone claiming to be a specific person. They can identify themselves as “Pat”, show an ID card or some other type of card with a name on it, or have an email address showing their name.

    In the current context of online transactions, users “identify” themselves by providing a name, an email address, or a phone number to a web request. For example, using a process of identification alone, as long as a buyer supplies the information associated with the card being used, the buyer is pretty much accepted as is.

    A business that allows identification by itself is essentially saying, "We have no reason to doubt that you are indeed the person you claim to be", despite having not independently verified if the information is truthful. It’s like asking, “Who are you?” and simply accepting whatever answer is given. For transactions where there is not a lot at stake, like registering for a class or checking out a book, simply having someone declare their identity without providing any verification may be good enough.

    It is becoming more and more frequent that identification alone is adequate. It’s like having a username without a password.

    So how can we determine the person is who they say they are? That’s where verification comes in.

    What is Verification? 

    Verification goes beyond the basic question, “Who are you?” Identity verification goes the extra mile and asks, “Are you really who you say you are?” The response needs to provide a high degree of confidence that the answer is accurate.

    The most accurate way to verify someone's identity is to request and validate more than one form of identification against the person standing in front of you, with at least one of them being a photo ID. A driver's license, a Social Security card, a valid passport, or military photo identification are some forms of identification. Verifying someone’s identity to a high degree of certainty takes effort. At a time when service providers want to provide a “frictionless” onboarding process, some may cut corners and require a low barrier to entry. Typical social media accounts, for example, only ask new users to provide a name, email address, username, and password. A phone number may be thrown in there for good measure.

    Depending on the organization and the level of assurance needed, a university ID or other non-government-issued identification card may suffice for one form of ID. Identity verification in the electronic sense, also called identity "proofing" or "vetting", is used to confirm an identity where the individual is not standing before you to show some sort of picture ID. In these cases, most organizations require a real-time process that validates the personal information provided by the individual.

    Apply for an online bank account, though, and you may be expected to provide a social security number, photo ID or passport, and proof of your current address. The stakes associated with a bank account are much greater than those with a TikTok account, therefore the verification requirements are more stringent. In fact, in the financial sector alone, there are numerous regulatory acts to prevent fraudsters from setting up false bank accounts, laundering money, and other unseemly criminal activities. The compliance mandates associated with these regulations are not satisfied by traditional verification methods, which is why businesses are beginning to make a shift to pairing a customer’s identity information with one of their biometric markers at the point of onboarding.

    The Information Security Triad: Confidentiality, Integrity, Availability (CIA)

    The Information Security Triad, also known as the CIA triad, is a guide for organizations. This guide helps them make policies to protect information security.

    In this context, the CIA means the following:

    • Confidentiality – set of rules that limit access to information
    • Integrity – the assurance that the information is reliable and correct
    • Availability – a guarantee of reliable access to the information

    Confidentiality 

    When protecting information, we want to be able to restrict access to those who are allowed to see it; everyone else should be disallowed from learning anything about its contents. This is the essence of confidentiality. For example, federal law requires that universities restrict access to private student information. The university must be sure that only those who are authorized have access to view the grade records.

    Integrity 

    Integrity is the assurance that the information being accessed has not been altered and truly represents what is intended. Just as a person with integrity means what he or she says and can be trusted to consistently represent the truth, information integrity means information truly represents its intended meaning. Information can lose its integrity through malicious intent, such as when someone who is not authorized makes a change to intentionally misrepresent something. An example of this would be when a hacker is hired to go into the university’s system and change a grade.

    Integrity can also be lost unintentionally, such as when a computer power surge corrupts a file or someone authorized to make a change accidentally deletes a file or enters incorrect information.

    Availability

    Information availability is the third part of the CIA triad. Availability means that information can be accessed and modified by anyone authorized to do so in an appropriate timeframe. Depending on the type of information, an appropriate timeframe can mean different things. For example, a stock trader needs information to be available immediately, while a salesperson may be happy to get sales numbers for the day in a report the next morning. Companies such as Amazon.com will require their servers to be available twenty-four hours a day, seven days a week. Other companies may not suffer if their web servers are down for a few minutes once in a while.

    Tools for Information Security 

    In order to ensure the confidentiality, integrity, and availability of information, organizations can choose from a variety of tools. Each of these tools can be utilized as a part of an overall information-security policy.  

    Access Control 

    Once a user has been authenticated, the next step is to ensure that they can only access the information resources that are appropriate. This is done through the use of access control. Access control determines which users are authorized to read, modify, add, and/or delete information. Several different access control models exist. Here we will discuss two: the access control list (ACL) and role-based access control (RBAC).

    For each information resource that an organization wishes to manage, a list of users who have the ability to take specific actions can be created. This is an access control list, or ACL. For each user, specific capabilities are assigned, such as read, write, delete, or add. Only users with those capabilities are allowed to perform those functions. If a user is not on the list, they have no ability to even know that the information resource exists.

    ACLs are simple to understand and maintain. However, they have several drawbacks. The primary drawback is that each information resource is managed separately, so if a security administrator wanted to add or remove a user to a large set of information resources, it would be quite difficult. And as the number of users and resources increases, ACLs become harder to maintain. This has led to an improved method of access control, called role-based access control, or RBAC. With RBAC, instead of giving specific users access rights to an information resource, users are assigned to roles and then those roles are assigned access. This allows the administrators to manage users and roles separately, simplifying administration and, by extension, improving security.
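The following is an added example (not from the LibreTexts page) that makes the administrative difference concrete. Both stores answer the same "may this user do this to this resource?" question; the ACL store keeps one list per resource, while the RBAC store attaches capabilities to roles and users to roles. Removing a departing user then touches every resource in the ACL model but a single entry in the RBAC model. The resources, user and role names are constructed.

```python
from collections import defaultdict


class AclStore:
    """Access control lists: one list per resource, mapping user -> set of capabilities."""

    def __init__(self):
        self.lists = defaultdict(dict)

    def grant(self, resource, user, *capabilities):
        self.lists[resource].setdefault(user, set()).update(capabilities)

    def allowed(self, resource, user, capability) -> bool:
        return capability in self.lists.get(resource, {}).get(user, set())

    def knows_of(self, resource, user) -> bool:
        """A user absent from the list cannot even learn that the resource exists."""
        return user in self.lists.get(resource, {})

    def remove_user(self, user) -> int:
        """Every resource's list must be edited separately; returns how many were touched."""
        touched = 0
        for entries in self.lists.values():
            if entries.pop(user, None) is not None:
                touched += 1
        return touched


class RbacStore:
    """Role-based access control: capabilities attach to roles, users attach to roles."""

    def __init__(self):
        self.role_caps = defaultdict(lambda: defaultdict(set))   # role -> resource -> caps
        self.user_roles = defaultdict(set)                        # user -> roles

    def grant_role(self, role, resource, *capabilities):
        self.role_caps[role][resource].update(capabilities)

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def allowed(self, resource, user, capability) -> bool:
        return any(capability in self.role_caps[r].get(resource, set())
                   for r in self.user_roles.get(user, ()))

    def remove_user(self, user) -> int:
        """One edit, however many resources the user's roles cover."""
        return 1 if self.user_roles.pop(user, None) else 0


def compare_admin_effort(n_resources: int = 100):
    """Constructed scenario: one grader with read/write on every course gradebook.
    Returns (ACL entries touched, RBAC entries touched) when that user leaves."""
    resources = [f"gradebook-{i}" for i in range(n_resources)]
    acl, rbac = AclStore(), RbacStore()
    for res in resources:
        acl.grant(res, "pat", "read", "write")
        rbac.grant_role("grader", res, "read", "write")
    rbac.assign("pat", "grader")
    assert acl.allowed(resources[0], "pat", "write") and rbac.allowed(resources[0], "pat", "write")
    return acl.remove_user("pat"), rbac.remove_user("pat")


if __name__ == "__main__":
    print("entries touched to remove one user (ACL, RBAC):", compare_admin_effort())
```

The same asymmetry applies to onboarding a replacement grader: one `assign` call versus one `grant` per gradebook. Fewer edits means fewer chances to leave a stale entry behind, which is the "by extension, improving security" point in the text.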

    Encryption 

    Many times, an organization needs to transmit information over the Internet or transfer it on external media such as a CD or flash drive. In these cases, even with proper authentication and access control, it is possible for an unauthorized person to get access to the data. Encryption is a process of encoding data upon its transmission or storage so that only authorized individuals can read it. This encoding is accomplished by a computer program, which encodes the plain text that needs to be transmitted; then the recipient receives the ciphertext and decodes it (decryption). In order for this to work, the sender and receiver need to agree on the method of encoding so that both parties can communicate properly. Both parties share the encryption key, enabling them to encode and decode each other’s messages. This is called symmetric key encryption. This type of encryption is problematic because the key is available in two different places. 

    An alternative to symmetric key encryption is public-key encryption. In public-key encryption, two keys are used: a public key and a private key. To send an encrypted message, you obtain the public key, encode the message, and send it. The recipient then uses the private key to decode it. The public key can be given to anyone who wishes to send the recipient a message. Each user simply needs one private key and one public key in order to secure messages. The private key is necessary in order to decrypt something sent with the public key.

    Backups 

    Another essential tool for information security is a comprehensive backup plan for the entire organization. Not only should the data on the corporate servers be backed up, but individual computers used throughout the organization should also be backed up. A good backup plan should consist of several components.

    • A full understanding of the organizational information resources. What information does the organization actually have? Where is it stored? Some data may be stored on the organization’s servers, other data on users’ hard drives, some in the cloud, and some on third-party sites. An organization should make a full inventory of all of the information that needs to be backed up and determine the best way to back it up. 
    • Regular backups of all data. The frequency of backups should be based on how important the data is to the company, combined with the ability of the company to replace any data that is lost. Critical data should be backed up daily, while less critical data could be backed up weekly. 
    • Offsite storage of backup data sets. If all of the backup data is being stored in the same facility as the original copies of the data, then a single event, such as an earthquake, fire, or tornado, would take out both the original data and the backup! It is essential that part of the backup plan is to store the data in an offsite location. 
    • Test of data restoration. On a regular basis, the backups should be put to the test by having some of the data restored. This will ensure that the process is working and will give the organization confidence in the backup plan.

    Besides these considerations, organizations should also examine their operations to determine what effect downtime would have on their business. If their information technology were to be unavailable for any sustained period of time, how would it impact the business?

    Additional concepts related to backup include the following:

    • Uninterruptible Power Supply (UPS). A UPS is a device that provides battery backup to critical components of the system, allowing them to stay online longer and/or allowing the IT staff to shut them down using proper procedures in order to prevent the data loss that might occur from a power failure.
    • Alternate, or “hot” sites. Some organizations choose to have an alternate site where an exact replica of their critical data is always kept up to date. When the primary site goes down, the alternate site is immediately brought online so that little or no downtime is experienced. 

    As information has become a strategic asset, a whole industry has sprung up around the technologies necessary for implementing a proper backup strategy. A company can contract with a service provider to back up all of their data or they can purchase large amounts of online storage space and do it themselves. Technologies such as storage area networks and archival systems are now used by most large businesses.

    Firewalls 

    Network configuration with firewalls, IDS, and a DMZ.

    Another method that an organization should use to increase security on its network is a firewall. A firewall can exist as hardware or software (or both). A hardware firewall is a device that is connected to the network and filters the packets based on a set of rules. A software firewall runs on the operating system and intercepts packets as they arrive at a computer. A firewall protects all company servers and computers by stopping packets from outside the organization’s network that do not meet a strict set of criteria. A firewall may also be configured to restrict the flow of packets leaving the organization. This may be done to eliminate the possibility of employees watching YouTube videos or using Facebook from a company computer.

    Some organizations may choose to implement multiple firewalls as part of their network security configuration, creating one or more sections of their network that are partially secured. This segment of the network is referred to as a DMZ, borrowing the term demilitarized zone from the military, and it is where an organization may place resources that need broader access but still need to be secured.
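To show what "filters the packets based on a set of rules" looks like, the following is an added example (not from the LibreTexts page) of a stateless packet filter with first-match-wins evaluation and a default deny. The rule set mirrors the two sections above: inbound traffic is allowed only to a web server in the DMZ, outbound traffic is limited to DNS and HTTPS, and one egress rule blocks an address range standing in for a video site. All address ranges are constructed from the documentation and private ranges, and the `Packet`/`Rule` shapes are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from outside) or "out" (leaving the organization)
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# Constructed network layout.
INTERNAL = "10.0.0.0/24"           # office LAN
DMZ_WEB = "10.0.1.10/32"           # public web server placed in the DMZ
ANY = "0.0.0.0/0"
BLOCKED_SITE = "198.51.100.0/24"   # stand-in for a video/social site's address block

RULES = [
    Rule("deny",  "out", "any", INTERNAL, BLOCKED_SITE, None),  # egress restriction, checked first
    Rule("allow", "in",  "tcp", ANY, DMZ_WEB, 443),            # only the DMZ server is reachable
    Rule("allow", "out", "udp", INTERNAL, ANY, 53),            # DNS
    Rule("allow", "out", "tcp", INTERNAL, ANY, 443),           # HTTPS
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """First matching rule wins; anything no rule mentions is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.5", "10.0.1.10", 443),    # internet -> DMZ web
        Packet("in", "tcp", "203.0.113.5", "10.0.0.20", 445),    # internet -> internal SMB
        Packet("out", "tcp", "10.0.0.20", "198.51.100.7", 443),  # LAN -> blocked site
        Packet("out", "tcp", "10.0.0.20", "203.0.113.9", 443),   # LAN -> any HTTPS
    ]
    for p in samples:
        print(p, "->", filter_packet(p))
```

Rule order matters: the egress deny sits before the general HTTPS allow, otherwise the blocked site would be reachable on port 443. A real firewall would also track connection state so that replies to the allowed outbound sessions are admitted without a blanket inbound rule.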

    Intrusion Detection Systems 

    Another device that can be placed on the network for security purposes is an intrusion detection system or IDS. An IDS does not add any additional security; instead, it provides the functionality to identify if the network is being attacked. An IDS can be configured to watch for specific types of activities and then alert security personnel if that activity occurs. An IDS also can log various types of traffic on the network for analysis later. An IDS is an essential part of any good security setup.
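The paragraph above says an IDS watches for specific activity and alerts on it. As an added example, not code from the LibreTexts page or any IDS product, the block below applies one such detection to a constructed SSH authentication log: it parses failed-login lines, keeps a sliding window of failures per source address, and raises an alert when a source exceeds a threshold within the window. The log lines, host name and thresholds are constructed; timestamps are reduced to seconds since midnight for simplicity.

```python
import re
from collections import defaultdict, deque

# Matches sshd "Failed password" lines; captures time, user and source address.
FAILED = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# Constructed sample log (documentation address ranges, fictitious host "gw").
SAMPLE_LOG = """\
Mar  3 10:01:02 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:08 gw sshd[1210]: Accepted publickey for pat from 10.0.0.20 port 40112 ssh2
Mar  3 10:01:09 gw sshd[1211]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:15 gw sshd[1212]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:01:20 gw sshd[1213]: Failed password for pat from 198.51.100.9 port 60001 ssh2
Mar  3 10:01:22 gw sshd[1214]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar  3 10:01:30 gw sshd[1215]: Failed password for invalid user oracle from 203.0.113.5 port 51255 ssh2
"""


def parse_failed_login(line: str):
    """Return (seconds since midnight, user, source) for a failed-login line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    h, mi, s, user, src = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), user, src


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    """Alert when one source produces `threshold` failures within `window_seconds`.
    The window is cleared after an alert so one burst yields one alert, not one per line."""
    recent = defaultdict(deque)   # source -> deque of (time, user) inside the window
    alerts = []
    for line in lines:
        event = parse_failed_login(line)
        if event is None:
            continue            # successful logins and other lines are not failures
        t, user, src = event
        q = recent[src]
        q.append((t, user))
        while q and t - q[0][0] > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"source": src, "failures": len(q),
                           "users": sorted({u for _, u in q}),
                           "first": q[0][0], "last": t})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print("ALERT password guessing:", alert)
```

As the text says, this adds no blocking on its own: the output is an alert for a person (or an automated response elsewhere) to act on, and the raw lines stay available for later analysis. The threshold and window are the knobs that trade missed detections against false alarms.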

    Physical Security

    An organization can implement the best authentication scheme in the world, develop the best access control, and install firewalls and intrusion prevention, but its security cannot be complete without the implementation of physical security. Physical security is the protection of the actual hardware and networking components that store and transmit information resources. To implement physical security, an organization must identify all of the vulnerable resources and take measures to ensure that these resources cannot be physically tampered with or stolen. These measures include the following.

    • Locked doors: It may seem obvious, but all the security in the world is useless if an intruder can simply walk in and physically remove a computing device. High-value information assets should be secured in a location with limited access. 
    • Physical intrusion detection: High-value information assets should be monitored through the use of security cameras and other means to detect unauthorized access to the physical locations where they exist.
    • Secured equipment: Devices should be locked down to prevent them from being stolen. One employee’s hard drive could contain all of your customer information, so it is essential that it be secured. 
    • Environmental monitoring: An organization’s servers and other high-value equipment should always be kept in a room that is monitored for temperature, humidity, and airflow. The risk of a server failure rises when these factors go out of a specified range. 
    • Employee training: One of the most common ways thieves steal corporate information is to steal employee laptops while employees are traveling. Employees should be trained to secure their equipment whenever they are away from the office.

    Security Policies

    Besides the technical controls listed above, organizations also need to implement security policies as a form of administrative control. In fact, these policies should really be a starting point in developing an overall security plan. A good information-security policy lays out the guidelines for employee use of the information resources of the company and provides the company recourse in the case that an employee violates a policy.

    According to the SANS Institute, a good policy is “a formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for a specified subject area.” Policies require compliance; failure to comply with a policy will result in disciplinary action. A policy does not lay out the specific technical details, instead it focuses on the desired results. A security policy should be based on the guiding principles of confidentiality, integrity, and availability.[2]

    A good example of a security policy that many will be familiar with is a web use policy. A web use policy lays out the responsibilities of company employees as they use company resources to access the Internet. 

    A security policy should also address any governmental or industry regulations that apply to the organization. For example, if the organization is a university, it must be aware of the Family Educational Rights and Privacy Act (FERPA), which restricts who has access to student information. Health care organizations are obligated to follow several regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).

    A good resource for learning more about security policies is the SANS Institute’s Information Security Policy Page.

    Usability

    When looking to secure information resources, organizations must balance the need for security with users’ need to effectively access and use these resources. If a system’s security measures make it difficult to use, then users will find ways around the security, which may make the system more vulnerable than it would have been without the security measures! Take, for example, password policies. If the organization requires an extremely long password with several special characters, an employee may resort to writing it down and putting it in a drawer since it will be impossible to memorize.

    Personal Information Security 

Poster from Stop. Think. Connect. (Copyright: Stop. Think. Connect. http://stopthinkconnect.org/resources)

    We will end this chapter with a discussion of what measures each of us, as individual users, can take to secure our computing technologies. There is no way to have 100% security, but there are several simple steps we, as individuals, can take to make ourselves more secure.

    • Keep your software up to date. Whenever a software vendor determines that a security flaw has been found in their software, they will release an update to the software that you can download to fix the problem. Turn on automatic updating on your computer to automate this process. 
    • Install antivirus software and keep it up to date. There are many good antivirus software packages on the market today, including free ones.
    • Be smart about your connections. You should be aware of your surroundings. When connecting to a Wi-Fi network in a public place, be aware that you could be at risk of being spied on by others sharing that network. It is advisable not to access your financial or personal data while attached to a Wi-Fi hotspot. You should also be aware that connecting USB flash drives to your device could also put you at risk. Do not attach an unfamiliar flash drive to your device unless you can scan it first with your security software. 
• Back up your data. Just as organizations need to back up their data, individuals need to as well. And the same rules apply: do it regularly, keep a copy of it in another location, and occasionally confirm that you can actually restore from it. One simple solution for this is to set up an account with an online backup service, such as Mozy or Carbonite, to automate your backups.
• Secure your accounts with two-factor authentication. Most e-mail and social media providers now offer a two-factor authentication option. The simplest form works like this: when you log in to your account from an unfamiliar computer for the first time, the provider asks for a code that is sent to you by text message, generated by an authenticator app on your phone, or confirmed by a hardware security key, to prove that you are really you. An attacker who has stolen only your password is then still locked out. Text-message codes are the weakest variant, because they can be phished or redirected by someone who takes over your phone number; where a provider offers an authenticator app or a security key, prefer those.
• Make your passwords long, strong, and unique. For your personal passwords, you should follow the same rules that are recommended for organizations. Current guidance (NIST Special Publication 800-63B) favors length over forced mixes of character types: at least eight characters, and preferably a much longer passphrase, that is not a common or previously breached password. You also should use different passwords for different accounts, so that if someone steals your password for one account, they still are locked out of your other accounts; a password manager makes long, unique passwords practical without writing them down.
    • Be suspicious of strange links and attachments. When you receive an e-mail, tweet, or Facebook post, be suspicious of any links or attachments included there. Do not click on the link directly if you are at all suspicious. Instead, if you want to access the website, find it yourself and navigate to it directly. 

    You can find more about these steps and many other ways to be secure with your computing by going to Stop. Think. Connect. This website is part of a campaign that was launched in October of 2010 by STOP. THINK. CONNECT. Messaging Convention in partnership with the U.S. government, including the White House.
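The password advice in the list above (and the password-policy point in the Usability section) can be turned into a concrete check. The following Python is an added example, not code from the original chapter: it screens a chosen password the way NIST SP 800-63B recommends, with a length minimum and a lookup against known-breached passwords rather than character-class rules. The breach lookup uses the k-anonymity scheme of the Have I Been Pwned "Pwned Passwords" range API, where the client sends only the first five hex characters of the password's SHA-1 and matches the remainder locally, so neither the password nor its full hash leaves the machine. The "breach corpus" here is a constructed list of a few passwords standing in for the real service, and the assumption that the response is served as "SUFFIX:COUNT" lines is noted in the code.

```python
"""Password screening per NIST SP 800-63B: length minimum plus a breach-corpus
check using the k-anonymity (hash-prefix) lookup pattern.

Added example, not code from the original chapter. LEAKED_PASSWORDS is a
constructed stand-in for a breach corpus; local_range_lookup stands in for an
HTTPS call to the real range API.
"""
import hashlib
from collections import Counter, defaultdict
from typing import Callable, Dict, List

MIN_LENGTH = 8            # SP 800-63B minimum for user-chosen passwords; longer is better

# Constructed stand-in for a breach corpus (not real breach data).
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "password"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(leaked: List[str]) -> Dict[str, str]:
    """Index the corpus the way the range API serves it: 5-char prefix -> "SUFFIX:COUNT" lines."""
    counts = Counter(sha1_hex(p) for p in leaked)
    ranges: Dict[str, List[str]] = defaultdict(list)
    for digest, n in counts.items():
        ranges[digest[:5]].append(f"{digest[5:]}:{n}")
    return {prefix: "\n".join(lines) for prefix, lines in ranges.items()}


RANGES = build_ranges(LEAKED_PASSWORDS)


def local_range_lookup(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>
    (assumption: the same "SUFFIX:COUNT" line format as that service)."""
    return RANGES.get(prefix, "")


def breach_count(password: str, lookup: Callable[[str], str] = local_range_lookup) -> int:
    """How often the password appears in the corpus; only a 5-hex-char prefix is revealed to `lookup`."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password: str, lookup: Callable[[str], str] = local_range_lookup) -> List[str]:
    """Return the reasons to reject the password; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if breach_count(password, lookup) > 0:
        problems.append("breached")
    return problems


if __name__ == "__main__":
    for pw in ["password", "Ab1!", "qwerty", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

Note what is deliberately absent: there is no rule demanding upper-case letters, digits or symbols. A short password that passes such rules ("Ab1!") is still rejected for length, and a breached password of any shape is rejected outright, while a long passphrase made of ordinary words is accepted, which is the usability balance the chapter argues for.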

    Sidebar: Mobile Security 

    As the use of mobile devices such as smartphones and tablets proliferates, organizations must be ready to address the unique security concerns that the use of these devices brings. One of the first questions an organization must consider is whether to allow mobile devices in the workplace at all. Many employees already have these devices, so the question becomes: Should we allow employees to bring their own devices and use them as part of their employment activities? Or should we provide the devices to our employees? Creating a BYOD (“Bring Your Own Device”) policy allows employees to integrate themselves more fully into their job and can bring higher employee satisfaction and productivity. In many cases, it may be virtually impossible to prevent employees from having their own smartphones or iPads in the workplace. If the organization provides the devices to its employees, it gains more control over use of the devices, but it also exposes itself to the possibility of an administrative (and costly) mess.

    Mobile devices can pose many unique security challenges to an organization. Probably one of the biggest concerns is the theft of intellectual property. For an employee with malicious intent, it would be a very simple process to connect a mobile device either to a computer via the USB port, or wirelessly to the corporate network, and download confidential data. It would also be easy to secretly take a high-quality picture using a built-in camera.

    When an employee does have permission to access and save company data on his or her device, a different security threat emerges: that device now becomes a target for thieves. Theft of mobile devices (in this case, including laptops) is one of the primary methods that data thieves use.

    So what can be done to secure mobile devices? It will start with a good policy regarding their use. According to a 2013 SANS study, organizations should consider developing a mobile device policy that addresses the following issues: use of the camera, use of voice recording, application purchases, encryption at rest, Wi-Fi auto-connect settings, Bluetooth settings, VPN use, password settings, lost or stolen device reporting, and backup. [3]

Besides policies, there are several tools that an organization can use to mitigate some of these risks, usually bundled together in mobile device management (MDM) software. For example, if a device is stolen or lost, geolocation features can help the organization find it, and a remote wipe can remove company data from a device that has become a security risk. Encrypting the device's storage (the "encryption at rest" item in the policy list above) means that a device that is never recovered still does not give up its data.

     


    Study Questions

    1. Briefly define each of the three members of the information security triad.
    2. What does the term authentication mean?
    3. What is multi-factor authentication?
    4. What is role-based access control?
    5. What is the purpose of encryption?
    6. What are two good examples of a complex password?
    7. What is pretexting?
    8. What are the components of a good backup plan?
    9. What is a firewall?
    10. What does the term physical security mean?

     

    Exercises

     

    1. Describe one method of multi-factor authentication that you have experienced and discuss the pros and cons of using multi-factor authentication.
    2. What are some of the latest advances in encryption technologies? Conduct some independent research on encryption using scholarly or practitioner resources, then write a two- to three-page paper that describes at least two new advances in encryption technology.
    3. What is the password policy at your place of employment or study? Do you have to change passwords every so often? What are the minimum requirements for a password?
    4. When was the last time you backed up your data? What method did you use? In one to two pages, describe a method for backing up your data. Ask your instructor if you can get extra credit for backing up your data.
    5. Find the information security policy at your place of employment or study. Is it a good policy? Does it meet the standards outlined in the chapter?
    6. How are you doing on keeping your own information secure? Review the steps listed in the chapter and comment on how well you are doing.

    5.1: Information Systems Security is shared under a not declared license and was authored, remixed, and/or curated by LibreTexts.
