Wednesday, December 3, 2008

Computer Security

There is a lot of discussion these days about computer security as more people use email and more services such as banking, mail orders and subscriptions become available through the Internet. But how secure is the Internet and what is computer security?
Updating Software

It is very important to update your software periodically. When a program is released, particularly an Internet browser, it may contain flaws, usually referred to as bugs. These bugs may not appear to be a problem, but criminals will attempt to use these flaws for their own ends. Keeping your software up to date will help keep your computer secure.
Computers & Security

Before the Internet, computer security was limited to 'closed systems': networks of computers in offices or banks, for example, where only people physically in the building could use the computer system. It was quite easy for the network supervisor to set up user names and passwords, and since that time people have become used to logging on before they can use these types of computers or resources.

With the advent of the Internet, computer users can now work in an 'open system', and security has become much more complicated. Even though you can now connect your home or office computer to the Internet and perform remote transactions without leaving the building, you still want to be sure that the transaction is secure. The transaction takes place through the Internet by bouncing the information through various computers before it reaches, for example, the bank's computer. You want to be sure that no one observes the transaction along the way and collects or modifies your transaction information.

This is where computer security comes in. There are many different types of security systems, though most use a process called encryption. When you connect to your bank or other service to make a transaction you are often required to send your account number or user name as well as a Personal Identification Number (PIN) or password for verification. This information should only be sent after establishing a secure connection. If you are using an Internet browser you will see a small closed lock appear in the window of the browser. Once you are connected to a secure server, any information you send or receive is scrambled (encrypted) using a mathematical formula and then reassembled (decrypted) at the other end. The computer user usually will not notice this happening as they perform their secure transaction. Anyone with criminal intent who intercepts your transaction will be treated to a stream of garbled nonsense (e.g. qANQR1DBwU4D560EJv6XqrMQB)!

If this is the first time you use a new service you will most often need to set up an account and possibly download a small piece of software called a plug-in, which allows your computer to create the secure connection or link.

The transaction often involves the exchange of a small file that keeps track of the transaction and can act as a flag or bookmark when you next visit that website. These small files are called cookies and are set by the website you are visiting. They can contain information such as the type of server you are connecting from, the type of browser you are using, the last site you visited and any information you volunteer. You can view the information stored in the cookie. Try a search for 'cookie' to find the cookies folder. Windows users can view any cookies they are storing in the folder C:\Windows\Cookies\.
Setting up security

As most people won't be setting up their own secure server, the scope of this section is limited to the topics of protecting email and small business or organizational transactions.

Email can be protected using a service or an application (program). There are others, but the two that stand out currently are S/MIME and PGP. S/MIME requires the user to register with a third-party service which issues a digital ID that you attach to your message. Though this is usually a commercial service, there is often a free introductory period. PGP is free for personal use (or a commercial application for business use) and is run from your own computer.

Both methods allow users to sign, or attach a digital identification to, the email message, which verifies to the recipient that the message is from the original person or organization and that the information wasn't tampered with in transit. These methods also allow the user to encrypt their message so that anyone intercepting the message wouldn't be able to read it. You can also decide the level of encryption, from low, in which a nerd with some good software and enough time on their hands could possibly decrypt it, to high (128 bit), which would take a whole mountain of experts weeks to decrypt, if even then. Most of us will choose somewhere in between, as this process involves increased time and file size.

Both methods use key pairs of public and private keys. Your public key is sent to everyone that you communicate with through email. Your public key can be sent through various methods, including posting it to an Internet service or sending it as part of an email message. Public keys can also be posted on your website in a file. Your friends and associates can add your public key to a file called a key ring. When someone wants to send you a secure email, the sender encrypts their message with your public key. When you receive the email you must decrypt it using your private key. Many email programs will automatically verify that the message is authentic. You will need to type in your password to view the message.

Sending an encrypted message uses the key pair the other way round. Once your message is completed you encrypt the file using the recipient's public key, ensuring that only the recipient, with their private key, can ever access that message. (Editor's note: Don't lose your private key!)

Small businesses and organizations that wish to offer transactions over the Internet (e-commerce) can take their chances and set up an unsecured system, set up their own secure server, or purchase a service from a third party. There are various types, including services that take a percentage of the transaction and/or charge a service fee and/or charge for each transaction. Some providers are more reliable than others, and you should always shop around before committing to a service. Because this type of service is so new, the length of time a company has been operating is not always a way to decide. One thing to watch for is downtime. If your company's website is operating properly yet the customer or user can't access the transaction server because it is down, too busy or misconfigured, they will easily be put off, perhaps entirely. Watch for contracts that lock you in, as the market is still developing and prices tend to fluctuate. It is easy to switch services by simply changing the address on your website's order forms.
Security and Websites

As was stated at the beginning of this document, the nature of the Internet is an open system. Having said that, there are many reasons and many ways to set up a secure or closed system within this open framework. Private or member-based discussion groups, private files or folders, protected databases and copyright material, to name a few, all need some way of being distributed to the intended recipient only. Also, many businesses are creating Intranets, which are closed systems only accessible to registered users. An Intranet can provide a way of making company information easily accessible and allow branch offices to communicate with each other more easily.
Account Security

Your website itself is protected by your ISP's software. When you attempt to access your web space to change or modify a file using a shell or FTP, you are challenged to send your username and password. This is the first line of protection and adequate for many website administrators.
Server Security

The server that your website is installed on is the second line of protection. Most servers have security features built into them allowing users to password-protect folders or build scripts to send a username/password challenge to a user trying to access a file or folder. This gives website administrators the ability to create discussion groups within their site, or to place confidential documents or information on their own website that is made available only to registered users. Unfortunately some ISPs either don't make this option available, charge a premium to use it, or only allow their own employees to set it up.
Third Party Security

Other options include contracting the protection of private files to a separate service, paying a third party to host a private discussion group, or obtaining web space on another server that allows access to security options. The entire Internet is as close as your computer connection, and whether the file the user is viewing is stored in your own current web space or on another server is usually immaterial. When your customers, employees or members move from one page to another, the consistency of the website is maintained by the design, not the address of the separate pages. It is also possible to control the address that is displayed if required.
Software Security

Another option is to use JavaScript or Java applets to control how customers or members access secure features. This option is only available to visitors who are using Java-enabled browsers. Scripts and applets can control access to documents and databases, create content on the fly based on user input, detect the browser the visitor is using and direct them to the proper page, retrieve cookies and use that information to determine whether a user has access to a certain area or not, as well as many other uses.
Copyright

Copyright is protected using the same process as for any original material (books, artwork, film, etc.). Anything that a user gets off the Internet should be treated as privately owned information unless otherwise noted. Anyone posting private information to the Internet should be aware that copyright law is not the same in every country and may be difficult to enforce. It is possible to set up a page that won't be stored on the user's computer once they leave the site, but that will only slow down, not stop, users who want to obtain information posted on a website. Notices of copyright are often added to the main page of a website, sometimes with a link to a page describing the details of how the content can be used.
Is Security Necessary?

Though you may think that it is not necessary to set up security systems, there are many reasons to consider it. I have come across a number of examples of people forging documents and email. A digital signature will be the only way to verify whether a document is genuine or not.

Many organizations need to discuss draft articles, changes to bylaws and other documents that could cause problems if they were made public before they are approved. A secure directory within your website is an ideal spot to store sensitive material, making it available to members and people who have the proper password.

I would be remiss not to point out, as all articles on the subject also point out, that mining the Internet with malicious intent is also possible. One common malicious act is to search websites for email addresses and then add them to spam distribution lists. Unfortunately there is very little that can be done to counter this other than removing your email address from your website, but this makes it difficult for your customers to contact you.

Whether or not you decide to add a security component to your website project initially, it is a good idea to think about or have a discussion about website security when planning the site. You should also review your security systems periodically, whether that means changing your password or reviewing and updating your security system.
