Computer Security in Information Technology
Executive Summary
To combat cyber crimes such as hacking and virus spreading, banks and agencies are installing many programs. These programs are used to safeguard the network systems of these organizations from unscrupulous acts.
Introduction
In modern times, corporate entities such as banks, production companies, and Information Technology companies depend greatly on computers and internet programs to assist and expedite their daily operations. However beneficial they may be, speeding up transactions from hours to split-second intervals and providing comfort and easy-to-use features, computers and the internet are also vulnerable to abuse by unscrupulous conmen. People’s unfamiliarity with data and computer security is one reason why fraud and security leaks occur.
Take, for example, the huge computer-hacking incidents in the world today. America’s financial institutions, from Citibank and SunTrust to credit unions and community institutions, are now scrambling to deal with the biggest documented case of debit-card fraud to date. Apparently, a huge hacking incident took place a month ago that led to millions of dollars in losses for the companies mentioned. The nation’s banks have quietly tried to contain the problem by closing hundreds of thousands of debit-card accounts and providing customers with new cards, account numbers and PINs (B., Richard (2006)). Furthermore, confidential information is being passed around because of the lack of tough security measures among government agencies and corporations. Bank of America suffered in the same way with the loss of its government worker data, and added to that were Choicepoint’s “data leaks” in April. Not to mention the Troj/BankAsh-A virus, a Trojan that stole bank account passwords (B., Lauren (2005)).
Not only that, Information Technology is also vulnerable to different computer viruses, intentionally or unintentionally made. One of the most astounding computer viruses that swept around the globe, across the country and into Hampton Roads was the virus slyly titled “ILOVEYOU”. Suspected of originating in the Philippines, the nefarious e-mail message staggered electronic communications, with effects ranging from minor inconvenience to a complete halt of email systems and the destruction of audio and graphic files (L., Krauskopf (2000)). The virus was reported to have cost America billions of dollars.
Because of this, top corporations and agencies are now hell-bent on fortifying security countermeasures in order to prevent and combat these problems. Time matters in finding ways to hinder these kinds of anomalous activities.
Main Body
Security Measures and Counter Measures
Again, the application of information technology (IT) in organizations is a tremendous success; its role in maintaining competitive advantage has already been discussed. IT can either be a product or service provided by the company, or a part of the organizational support for a product or service. Companies using IT as a product or service strive to remain competitive (Heide, Dorothy (1992)).
But, as established earlier, the benefits of having Information Technology help in our daily tasks have been tarnished and endangered by various malicious acts carried out by equally malicious people. Thus security is needed among institutions, public and private.
We can define security as the state of being free from danger and not exposed to damage from accidents or attacks, or as the process for achieving that desirable state (B., Seymour et al.). It is indeed one of the major concerns in Information Technology nowadays. A lack of security undermines the integrity of data, which has a direct impact on the organization itself. Virtual businesses require that proper and adequate security systems be in place to ensure that threats are kept to a minimum.
Moreover, computer security means denying unauthorized persons access to information. A total security policy matches the need-to-know requirements of a user to the sensitivity of the information he or she is allowed to access (C., Paul (1992)).
According to the book Business Computing, computer security is broken down into several components, namely: physical and environmental security, personal security, operations security, communications security, and network security.
Physical and environmental security addresses the issues necessary to protect the physical items, objects or areas of an organization from unauthorized access and/or misuse, damage, and interference to business premises and information.
Personal security addresses the protection of the individual or group of individuals who are authorized to have access to the organization and its operations.
Operations security focuses on the protection of a particular operation or series of activities.
Communications security addresses the protection of an organization’s communications media, technology, and content.
Network security, on the other hand, is the protection of the components, connections, contents, systems, and hardware that are used to store and transmit information.
Misuse of technology by hackers as well as employees has presented a threat to financial institutions from the earliest days of computers. In his 1989 book The Cuckoo's Egg, Cliff Stoll, formerly an astrophysicist/systems manager at the Lawrence Berkeley Laboratory in California, describes how, in tracking down a 75-cent irregularity in an accounting program, he ended up fighting an international group of spies who were cracking computer systems across the United States. (The group exploited the program's system of rounding dollars to deposit small amounts from numerous accounts into a private account, which over time added up to big money in the account set up to receive the rounded cents.) (S., Jeffrey (2001)).
Organizations have implemented different ways and means to counter anomalous activities. They have put stringent measures in place in their computer systems to prevent hackers from entering, and they have installed different anti-virus computer programs to fortify the “wall” of the systems they use against viruses and, again, against hackers.
It is inevitable, as well, that some personnel of a bank or any other organization need high-level access to the network by the nature of their work, for they are the ones who operate it. Thus institutions must know very well the firms they hire as well as the backgrounds of the individuals who will handle the job (S., Jeffrey (2001)).
With regard to the accounting systems of every firm, there will be a system of checks and balances to protect against hacking attacks. For instance, banks use a dual control system similar to the one they use in money handling, teaming up a contractor with an internal employee. The two work together, but the company employee is responsible for reviewing and remaining aware of what the contractor is doing.
Password Policy
Banks, government offices, and private-sector organizations often have stringent measures when it comes to passwords for their vaults, computers, and online records.
One of these policies is that sharing passwords is a security risk. At the Albert Einstein Cancer Center, the administration made it a point that users who share passwords will have their accounts disabled. Storing passwords in a file on any computer system (including Palm Pilots or similar devices) without encryption is absolutely disallowed. The same goes for using the same passwords for AECOM accounts as for other access, or using the “remember password” feature of applications (e.g. Eudora, Outlook, and Netscape Messenger).
Furthermore, at the same institute, employees’ passwords are to be truncated at eight (8) characters. An acceptable password has at least seven (7) characters, since shorter passwords are easier to guess and longer passwords are harder to guess. It has five different characters, since repeated characters can make for palindromes and reduce the search space. It also has characters from at least three (3) different character types (upper case, lower case, digits, punctuation, etc.), since a password that includes a sample from a rich character set is difficult to crack, as the search space is very large.
Also, an acceptable password at the institute must not have an alphabetic sequence any longer than three (3) characters, the intent being to make sure that dictionary words are avoided; a digit sequence any longer than two (2) characters, since long digit sequences reduce the search space; or any of the few characters that will cause problems if used in a password, the “delete” character being one of the obvious ones. Passwords should not be any of the following: dictionary words (including foreign and technical dictionaries), anyone’s or anything’s name, a place, a proper noun, a phone number, a simple pattern of letters on the keyboard, any of the above reversed or concatenated, and any of the above with digits prepended or appended. One possible method for picking a good password is to make up some acronym. For example: gPanth2c, it is hard to choose. As a rule of thumb, no one should write down a password, because someone might discover it.
As for access codes inside the bank, passwords and access codes are changed daily, for example the authorization codes employees use to gain access to their tasks. Banks would perhaps use the four seasons of the year and the current day’s date. For example, if today were the tenth of May: Summer 10.
Moreover, reusable, or static, passwords offer weak security. To address that problem, banks are turning to dynamic passwords, which are created by a user token and verified using an algorithm synchronized with a central computer server. The user's token generates a password that can only be used in a one-minute span. If this password were stolen by someone looking over a coworker's shoulder or monitoring the system electronically, the network would not be at risk, because the password's usefulness would expire before it could be used by the thief (S., Jeffrey (2001)).
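The following sketch of such a time-synchronized dynamic password is an added example, not code from the essay or from any bank. It assumes the token and the server share a secret and a clock, and it borrows the HMAC construction of RFC 4226/6238 with a 60-second window, an algorithm the essay does not name. The secret, the six-digit length and the replay check are also assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the "one-minute span" described above
DIGITS = 6         # assumption: six-digit codes


def dynamic_password(secret: bytes, unix_time: int) -> str:
    """Token side: code for the one-minute window that contains unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Server:
    """Central server: shares the secret and the clock with the token."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_window = -1

    def verify(self, submitted: str, now: int) -> bool:
        window = now // STEP_SECONDS
        expected = dynamic_password(self.secret, now)
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False  # wrong code, or a code from an expired window
        if window <= self.last_used_window:
            return False  # replay inside the same minute (added safeguard)
        self.last_used_window = window
        return True


def demo() -> dict:
    secret = b"12345678901234567890"  # constructed sample secret
    server = Server(secret)
    code = dynamic_password(secret, 30)  # user reads the token at t = 30 s
    return {
        "code": code,
        "owner_logs_in_at_40s": server.verify(code, 40),
        "observer_replays_at_50s": server.verify(code, 50),
        "observer_replays_at_70s": server.verify(code, 70),
    }


if __name__ == "__main__":
    print(demo())
```

Expiry alone still leaves the rest of the minute open to an observer, which is why the server in this sketch also refuses a second use of a code inside the same window.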
Internet access policy
As for internet access policy, banks like Citigroup Private Bank use “cookies”. A “cookie” is a small piece of information that a web site stores on the web browser on your PC and can later retrieve. These cookies are used for a number of administrative purposes, including storing the client’s preferences for certain kinds of information. No cookie, however, will be set by the website on the web browser that contains information that could enable any third party to contact the client via telephone, email, or postal mail.
According to Citibank’s Private and Security guidelines, the methods used to protect online security are strong encryption; a secured user name and password (the client’s preferred user name and password for the client website, which must be entered every time the client signs in to the Priva); automatic “time-out” (when there is no activity for 15 minutes, the session is terminated to help protect against unauthorized access); and Client-Driven Authentication Questions (with questions about the web site, the bank must first confirm the client’s identity on the phone before discussing his account information).
Other methods to combat fraud and malicious attacks are encryption, authentication, firewalls, and dial-back, among others.
Encryption is used by most banks to ensure the security of data during transmission and transactions. It is used for in-house protection as well as for online banking services. Not only financial information but also account information is encrypted while being stored and in transit (S., Jeffrey (2001)). It involves the translation of data into secret code, in such a way that only the computer with the key can decode it. Most computer encryption systems are either symmetric-key encryption or public-key encryption (Plant Engineering 4/1/2002).
Authentication, on the other hand, is another data security process used by different agencies to verify that information comes from a trusted source. This is very important, especially in banks, so as to know that the message comes from the authorized sender and that no data is being divulged to a culprit. It involves adding an extra field to a record, with the contents of this field derived from the remainder of the record by applying an algorithm that has previously been agreed between the senders and recipients of data. Moreover, Encryption and authentication (2002) work hand-in-hand to create a secure environment. Authentication can be done using passwords, pass cards, or digital signatures. The digital signature standard (DSS) is based on a type of public-key encryption method that uses the digital signature algorithm (DSA).
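The extra authentication field described above can be sketched as follows. This is an added example, not code from the essay. It assumes the agreed algorithm is HMAC-SHA256 under a key shared by sender and recipient, which is one common choice and not the DSS signature the paragraph also mentions. The field name "auth", the record layout and the key are constructed for the illustration.

```python
import hashlib
import hmac
import json

AUTH_FIELD = "auth"  # hypothetical name for the extra field


def _canonical(record: dict) -> bytes:
    """Serialize every field except the auth field in one unambiguous form."""
    body = {k: v for k, v in record.items() if k != AUTH_FIELD}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes) -> dict:
    """Sender: derive the extra field from the remainder of the record."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {**record, AUTH_FIELD: tag}


def verify_record(record: dict, key: bytes) -> bool:
    """Recipient: recompute the field and compare in constant time."""
    tag = record.get(AUTH_FIELD)
    if not isinstance(tag, str):
        return False  # field missing or malformed
    expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), tag.encode())


def demo() -> dict:
    key = b"constructed-shared-key-for-demo"  # constructed sample key
    sent = seal_record({"from": "ACC-001", "to": "ACC-002", "amount": "150.00"}, key)
    tampered = {**sent, "amount": "9150.00"}  # record altered in transit
    stripped = {k: v for k, v in sent.items() if k != AUTH_FIELD}
    return {
        "intact": verify_record(sent, key),
        "amount_changed": verify_record(tampered, key),
        "field_removed": verify_record(stripped, key),
        "wrong_key": verify_record(sent, b"some-other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

Sorting the keys before hashing means both sides derive the field from identical bytes even if they store the record's fields in a different order.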
As for the firewall, it is used by some big organizations to prevent unwelcome intrusions into company systems. A firewall is an instrumental component in helping to formulate secure corporate communications. It can be equipped with parameters to make sure that repeated attacks formed around the same code cannot be successful, so it is a useful damage limitation tool (Communicate 6/1/2000). Alternatively, the company could install Virtual Private Networks. A VPN is a private network that's privately owned and used. In other words, it's a network that's not open to the public. Most office networks are private networks. As a company grows, it might expand into several countries. The main drawback of a VPN, however, is that it’s public, which raises the question of data security. To solve the problem, security measures such as encrypting the data are used to protect the integrity and security of the data transferred from one office to another.
Furthermore, dial-back gives organizations security by requiring the person wanting access to the network to dial into it and identify themselves first. The system then dials the person back on their authorized number before allowing them access.
As for the problems of spam and virus infection in computers, many antivirus programs and hardware have been developed by top corporations to combat viruses. They search for evidence of a virus program (by checking for appearances or behavior that are characteristic of computer viruses), isolate infected files, and remove viruses from a computer's software. Other tools to combat viruses and hackers are adware/spyware scanners. Spam e-mail, pop-up ads, viruses and worms make computing irritating enough at times. "Spyware" is a problem that isn't new, but it gains notoriety and attention as the use of free, downloadable software increases. Spyware and "adware" describe software that ends up on your computer, maybe without your knowledge, and that can track where you go online and report the trends back to a company or advertiser. This way, the user’s routine on his PC is recorded. Another way is to disable unnecessary services. Especially when online, it often happens that a site you visit asks you to install a program so you can go on with your surfing. It might be a virus-infected program, so it is better not to install it. The more online services a computer is connected to, the greater the chance of “catching” different viruses.
Recommendation
There is always a problem regarding security, and more so in computers. Now that computers play a bigger part in today’s technology, their role in the advancement of humanity is increasing, but as that role increases, their vulnerability is continually tested. Attacks like hacking, viruses, spamming, and other malicious occurrences intensify too.
It takes vigilance among agencies, and knowledge of computer security, to be able to combat them. Without these, even though programs like spyware scanners, firewalls, and encryption are there, hackers will always find a way to break into the system to sow destruction and, in a way, rob truckloads of cash.
Employees in banks, financial firms, and security agencies, among others, have to be well trained in security.
Banks must continue to develop new methods for fighting cybercrime as the threat evolves. For example, cooperation between Internet service providers (ISPs) and financial institutions needs to increase. This gives them ways to combat hackers and lets them exchange information about methods. Also, e-commerce products created by financial institutions are not typically thoroughly tested for security hazards within the institution's computer environment, a situation that will change as financial losses, as well as blows to banks' reputations, encourage them to strengthen security systems worldwide.
Conclusion
Information Technology has come a long way. Before, computers were not so advantageous. Now, advantageous would be an understatement to describe the benefits of information technology like computers and the internet. It is now necessary. Banks can no longer operate without computers.
And just as information technology has come a long way, the threats of destroying it and taking advantage of this brilliant work have come a long way also. No longer does a hacker just peep through someone else’s data and information; hackers can sabotage a plethora of banks and earn themselves millions overnight.
And so, stringent measures are taken to keep these unscrupulous people and malicious programs from sabotaging the systems of today’s top corporations. Password policies are being implemented, anti-virus and anti-hacking programs are being installed, and other stringent ways and means are being put in place.
But even if a company invented the most powerful tool to safeguard its system from anomalous occurrences, without vigilance on its part, hackers and virus programs would always find a way to break through that system. It is continuous vigilance in today’s computer security that will prevent, if not solve, these cyber crimes.
