Jack H

4.3.3 Security

In normal situations the main focus of security is to protect access to data systems and the information they contain. When dealing with automated systems, security issues could lead to major economic losses through damaged equipment, or even loss of life!

Security violations normally come from disgruntled employees, but recently anonymous crackers (incorrectly called hackers in the press) have become a significant threat. Modern operating systems and software are often designed with some security features. Most assume that there is limited physical access to the computer. The most elaborate security system doesn't work if the hard drive is stolen. The best strategy to keep a system safe is to understand how hackers can break into a computer. What follows are the most common types of attacks.

Social engineering involves the use of people and trust to get access to a computer. This often involves understanding the psychology of trust and exploiting it to get passwords and other information. A common ruse to get an employee's password is as follows. Call an employee in a company who is likely to have a high level of software access, such as the secretary of a high-level executive. Claim to be from the IT (Information Technology) department, talk for a while, and then ask for help solving a problem with the password account. When agreement is obtained, ask the secretary to change the account password and let you know what the new one is.

Crackers will also practice 'surfing'. Shoulder surfing involves peeking over the shoulder of users as they enter passwords. Garbage surfing involves taking a garbage can before it is emptied and searching the contents for useful information, such as credit card numbers. Cubicle surfing involves checking for posted passwords around computers. Some users hate to remember passwords and will post them for all to see (or sometimes tape them to the bottom of the keyboard). To protect against these types of problems the following strategies help,

• inform users that their passwords are to be given to NOBODY, especially to someone they cannot see.