levels of confidentiality and security such as top secret, confidential, internal use only, and unrestricted. Confidential information should not be displayed on the screen. To control access to sensitive data, there should be a mapping of access requirements to the system components. Access rights should be based on job function, and an appropriate segregation of duties should exist. Temporary employees should be restricted to a specific project, activity, system, and time period.

FIRE SECURITY
According to insurance companies, fire is the most frequent cause of damage to computer centers. Simple steps can reduce the damage caused by fire and, in the process, reduce insurance premiums.
❍ Safes for storage of documents should have a minimum four-hour fire rating.
❍ Walls, floors, and ceilings of computer facilities should have a minimum two-hour fire rating.
❍ The fire alarm should ring simultaneously at the computer facility and the nearest fire department. In addition, fire alarm signals should be located where prompt response is assured.
❍ Vaults used for storing backup data and records should be located in a separate building at sufficient distance.
❍ Smoke and ionization detection systems should be installed throughout the ceiling of the computer facilities. Water detection systems should also be installed under the floor of computer facilities.
❍ Halon or a similar clean-agent fire extinguishing system should be installed throughout the computer facilities. (Halon production has been phased out under the Montreal Protocol; newer installations use alternatives such as FM-200 or inert-gas systems, which likewise suppress fire without water damage to equipment.) Automatic sprinkler systems can be used in the supply and support areas. In case of destruction, there should be a disaster recovery plan.
❍ Adherence to building code and fire marshal regulations is a must.

SABOTEUR'S TOOLS
While in recent years ingenious procedures have been developed to preserve computer security, many computer systems are still astonishingly insecure. Saboteurs may use a wide variety of tools and techniques to overcome security. Some of the methods are as follows:

❍ Trojan horse: The saboteur places a hidden program within the normal programs of the business. The computer continues to function normally, while the hidden program is free to collect data, make secret modifications to programs and files, erase or destroy data, and even cause a complete shutdown of operations. Trojan horses can be programmed to destroy all traces of their existence after execution.
❍ Salami techniques: The perpetrator makes secret changes to the computer program that cause very small changes that are unlikely to be discovered, but whose cumulative effect can be very substantial. For example, the perpetrator may steal 10 cents from the paycheck of each individual and transfer it to his own account.
❍ Back door or trap door: During the development of a computer program, programmers sometimes insert code to allow them to bypass the standard security procedures. Once the programming is complete, such code may remain in the program either accidentally or intentionally. Attackers rely on their knowledge of this extra code to bypass security.
❍ Time bomb/logic bomb: Code may be inserted into a computer program that causes damage when a predefined condition occurs, such as a date or time.
❍ Masquerade: A computer program is written that masquerades as or simulates the real program. For example, a program may be written to simulate the log-in screen and related dialogue. When a user attempts to log in, the program captures the user's ID and password and displays some error message prompting the user to log in again. The second time, the program allows the user to log in, and the user may never know that the first log-in was fake.
❍ Scavenging: A computer normally does not erase data that is no longer needed. When the user "deletes" some data, that information is not actually destroyed; instead, that space is made available for the computer to write on later. A scavenger may thus be able to steal sensitive data that the user thought had been deleted but was actually still available on the computer.
❍ Viruses: Viruses are similar to Trojan horses, except that the illegal code is capable of replicating itself. A virus can rapidly spread throughout the system, and eradicating it can be expensive and cumbersome. To guard against viruses, there should be care in using programs on disk or in copying software from bulletin boards or other sources outside the company. The best precaution is to use a commercial virus scanner on all files downloaded from unreliable Internet sources before using them. An example is McAfee's virus scan. Virus protection and detection is crucial.
❍ Data manipulation: The most common and easiest way of committing fraud is to add or alter the data before or during input. The best way to detect this type of computer crime is the use of audit software to scrutinize transactions and review audit trails that indicate additions, changes, and deletions made to data files. The use of batch totals, hash totals, and check digits can also help prevent this type of crime. A batch total is a reconciliation between the total daily transactions processed by the computer and manually determined totals prepared by an individual other than the computer operator. Material deviations must be investigated. A hash total is the sum of values that would not normally be added together, so the total has no meaning other than for control purposes; examples are sums of employee numbers or product numbers. A check digit is used to ascertain whether an identification number (e.g., account number, employee number) has been correctly entered: a calculation is applied to the digits of the identification number and the outcome is compared to the check digit appended to it.
❍ Piggybacking: Piggybacking is frequently used to gain access to controlled areas. Physical piggybacking occurs when an authorized employee goes through a door using his magnetic ID card, and an unauthorized person behind him also enters the premises (also called tailgating). The unauthorized person is then in a position to commit a crime. Electronic piggybacking may also occur. For example, an authorized employee leaves her terminal or desktop logged in, and an unauthorized individual uses it to gain access.
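The check digit and hash total described under "Data manipulation" above, as an added example that is not code from the original chapter. The modulus-11 weighting scheme, the 6-digit identifier length and the payroll batch are assumptions chosen for illustration, not a standard the chapter prescribes; the hash total is taken over the 6-digit body of each employee number.

```python
"""Check digits and hash totals as controls against data manipulation.

Added example; it is not code from the original chapter. The modulus-11
weighting scheme, the 6-digit identifier length and the payroll batch below
are assumptions chosen for illustration, not a standard the chapter prescribes.
"""

WEIGHTS = (7, 6, 5, 4, 3, 2)  # assumed weights, most significant digit first
MODULUS = 11


def check_digit(body: str) -> str:
    """Return the modulus-11 check digit for a 6-digit identifier body.

    Each digit is multiplied by its weight, the products are summed, and the
    check digit is the value that brings the sum up to a multiple of 11.
    A value of 10 is written 'X' (the ISBN-10 convention). Because 11 is
    prime and the weights are distinct, every single-digit error and every
    transposition of adjacent digits changes the check digit.
    """
    if len(body) != len(WEIGHTS) or not body.isdigit():
        raise ValueError("identifier body must be exactly %d digits" % len(WEIGHTS))
    total = sum(int(d) * w for d, w in zip(body, WEIGHTS))
    value = (MODULUS - total % MODULUS) % MODULUS
    return "X" if value == 10 else str(value)


def valid_identifier(identifier: str) -> bool:
    """True if the final character is the correct check digit for the body."""
    body, digit = identifier[:-1], identifier[-1:]
    try:
        return check_digit(body) == digit
    except ValueError:
        return False


def hash_total(records, field: str) -> int:
    """Sum the numeric body of a field that has no arithmetic meaning.

    The total is meaningless as a quantity; it exists so that a substituted
    or mistyped identifier shows up as a mismatch against the total computed
    when the batch was prepared. The check digit position is excluded so that
    an 'X' check digit does not break the arithmetic.
    """
    return sum(int(r[field][:-1]) for r in records)


def audit_batch(records, expected_hash: int) -> list:
    """Apply both controls to a batch and return the exceptions found."""
    findings = []
    for r in records:
        if not valid_identifier(r["employee_no"]):
            findings.append("bad check digit: " + r["employee_no"])
    actual = hash_total(records, "employee_no")
    if actual != expected_hash:
        findings.append("hash total mismatch: expected %d, got %d" % (expected_hash, actual))
    return findings


# Constructed payroll batch: 6-digit bodies with their computed check digits.
BATCH = [
    {"employee_no": "123456" + check_digit("123456"), "hours": 40},
    {"employee_no": "223344" + check_digit("223344"), "hours": 38},
    {"employee_no": "334456" + check_digit("334456"), "hours": 42},
]
CONTROL_HASH = hash_total(BATCH, "employee_no")  # recorded when the batch was prepared


def tampered_batch():
    """A copy of BATCH in which digits 2 and 3 of the first employee number are transposed."""
    altered = [dict(r) for r in BATCH]
    altered[0]["employee_no"] = "1324560"
    return altered


if __name__ == "__main__":
    print("clean batch:", audit_batch(BATCH, CONTROL_HASH))
    print("tampered batch:", audit_batch(tampered_batch(), CONTROL_HASH))
```

The transposition is caught twice: the check digit of the altered number no longer matches, and the hash total of the batch differs from the one recorded at preparation. An altered hours value would pass both controls; that is what the batch total (a sum of the hours themselves) is for.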
COMMUNICATIONS SECURITY
Attacks on computer security that do not require physical access fall under the domain of communications security. The increased use of computer technology has also increased dependence on telecommunications. All types of data, including sound, video, and traditional text data, are transferred between computers over networks. Communications security means ensuring that the physical links between the computer networks function at all times, so that breakdowns, delays, and disturbances are prevented during data transmission (availability). Care must also be taken to prevent unauthorized individuals from tapping, modifying, or otherwise intercepting data transmissions (confidentiality and integrity). Six considerations in communications security are:
❍ Line security: Line security is concerned with restricting unauthorized access to the communication lines connecting the various parts of the computer systems.
❍ Transmission security: Transmission security is concerned with preventing unauthorized interception of communications.
❍ Digital signature: This is used to authenticate the sender or message integrity to the receiver. A secure digital signature process is a method of signing a document with a key held only by the signer, making forgery infeasible, and then validating with the corresponding public key that the signature belongs to the authorized individual.
❍ Cryptographic security: Cryptography is the science of secret writing. The purpose of cryptographic security is to render the information unintelligible if the transmission is intercepted by unauthorized individuals. When the information is to be used, it can be decoded. Security coding (encryption) of sensitive data is necessary. When this chapter was written, a common method was the data encryption standard (DES); its 56-bit key has been recoverable by brute force since 1998 (the EFF "Deep Crack" machine), and DES has been superseded by the Advanced Encryption Standard (AES). Double encryption, in which encryption is processed twice using two different keys, adds far less security than doubling the key length would suggest: a meet-in-the-middle attack recovers both keys with roughly twice the work of breaking a single key, which is why Triple DES uses three encryption passes rather than two. (You may also encrypt files on a hard disk to prevent an intruder from reading the data.)
❍ Emission security: Electronic devices emit electromagnetic radiation that can be intercepted without wires by unauthorized individuals. Emission security is concerned with preventing the emission, or the interception, of such radiation.
❍ Technical security: Technical security is concerned with preventing the use of devices such as microphones, transmitters, or wiretaps to intercept data transmission. Security modems may be used that allow only authorized users to access confidential data. A modem may have graduated levels of security, and different users may be assigned different security codes. There can be password and callback features. There may be built-in audit trail capabilities, allowing you to monitor who is accessing private files.
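The meet-in-the-middle attack on the "double encryption" described under "Cryptographic security" above, as an added example that is not code from the original chapter. It uses a deliberately tiny Feistel cipher (32-bit block, 16-bit key, an assumption chosen so the attack runs in seconds; it is not DES), with constructed keys and plaintexts. The attack costs 2**16 encryptions plus 2**16 decryptions and a table of 2**16 entries instead of the 2**32 trials a naive search over both keys would need; for double DES the same idea gives about 2**57 work for two 56-bit keys.

```python
"""Meet-in-the-middle against double encryption, on a toy cipher.

Added example, not code from the original chapter. The cipher is a
deliberately tiny 4-round Feistel construction (32-bit block, 16-bit key),
an assumption chosen so the attack runs in seconds; it is not DES.
"""

MASK16 = 0xFFFF
KEY_BITS = 16
ROUNDS = 4


def _round_function(half: int, round_key: int) -> int:
    """Mix a 16-bit half with a 16-bit round key (assumed toy design)."""
    x = (half ^ round_key) & MASK16
    x = (x * 0x9E37 + 0x7F4A) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16


def _round_keys(key: int) -> list:
    """Derive one 16-bit round key per round from the 16-bit key (assumed schedule)."""
    return [(key + i * 0x5BD1) & MASK16 for i in range(ROUNDS)]


def encrypt(key: int, block: int) -> int:
    """Encrypt a 32-bit block under a 16-bit key with a Feistel network."""
    left, right = block >> 16, block & MASK16
    for rk in _round_keys(key):
        left, right = right, left ^ _round_function(right, rk)
    return (left << 16) | right


def decrypt(key: int, block: int) -> int:
    """Invert encrypt by running the rounds backwards."""
    left, right = block >> 16, block & MASK16
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _round_function(left, rk), left
    return (left << 16) | right


def double_encrypt(key1: int, key2: int, block: int) -> int:
    """'Double encryption' as the chapter describes it: two passes, two keys."""
    return encrypt(key2, encrypt(key1, block))


def meet_in_the_middle(pairs):
    """Recover (key1, key2) from known plaintext/ciphertext pairs.

    Forward step: encrypt the first plaintext under every key1 and index the
    results. Backward step: decrypt the first ciphertext under every key2 and
    look each result up. A match is a candidate pair; the remaining pairs
    weed out the false matches that a small block makes likely.
    """
    plain0, cipher0 = pairs[0]
    middle = {}
    for key1 in range(1 << KEY_BITS):
        middle.setdefault(encrypt(key1, plain0), []).append(key1)
    for key2 in range(1 << KEY_BITS):
        for key1 in middle.get(decrypt(key2, cipher0), ()):
            if all(double_encrypt(key1, key2, p) == c for p, c in pairs[1:]):
                return key1, key2
    return None


# Constructed demonstration: the attacker knows these pairs but not the keys.
SECRET_KEY1, SECRET_KEY2 = 0x1A2B, 0x3C4D
KNOWN_PLAINTEXTS = (0x11223344, 0x55667788, 0x9ABCDEF0)
KNOWN_PAIRS = [(p, double_encrypt(SECRET_KEY1, SECRET_KEY2, p)) for p in KNOWN_PLAINTEXTS]


def recover_keys():
    """Run the attack against the constructed pairs and return the recovered keys."""
    return meet_in_the_middle(KNOWN_PAIRS)


if __name__ == "__main__":
    print("recovered keys:", tuple(hex(k) for k in recover_keys()))
```

The table trades memory for time; that trade is exactly what makes two passes worth only about one extra bit of key, and it is why a third pass (as in Triple DES) is needed before double-key encryption becomes materially stronger than single encryption.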
CONTROLS
Controls are used to reduce the probability of attack on computer security. As additional controls are placed, the overall operating costs are likely to increase. As discussed earlier, cost-benefit considerations require a careful balance of controls. There are four main classes of controls:
❍ Deterrent controls: The aim of deterrent controls is to create an atmosphere conducive to control compliance. For example, the organization could impose penalties whenever a control is disregarded, regardless of the actual damage. Deterrent controls are inexpensive to implement. However, their effectiveness is difficult to measure. These controls complement other controls and are not sufficient by themselves.
❍ Preventive controls: Preventive controls are designed to reduce the probability of an attack. They serve as the first line of defense. Effective preventive controls will thwart a perpetrator from getting access to the computer system.
❍ Detective controls: Once a system has been violated, detective controls help identify the occurrence of harm. These controls do nothing to insulate the system from harm; they only serve to focus attention on the problem. For example, a bait file will identify unauthorized use: a "dummy" nonexistent record is put into processing, and since no legitimate activity should ever touch it, any activity against it is a signal of misuse. There may also be a comparison between standard run time and actual run time for an application to spot possible misuse.
❍ Corrective controls: After a loss has occurred, corrective controls serve to reduce the impact of the threat. Their purpose is to aid in recovering from damage or in reducing the effect of damage. For instance, lost information on CDs may be restored with utility programs.
Application Controls
Application controls are built into software to deter crime and minimize errors. Application controls typically include input controls, processing controls, change controls, testing controls, output controls, and procedural controls.
❍ Input controls: The purpose of input controls is to ensure that each transaction is authorized, processed correctly, and processed only once. An edit program substantiates input by comparing fields to expected values and by testing logical relationships. A missing data check assures that all data fields have been used. A valid character check verifies that only alphabetical, numeric, or other special characters are present in data fields. "Dual read" is an input control in which duplicate entry or key verification verifies the accuracy of some critical field in a record by requiring that a data item is entered twice. A valid code check compares a classification (e.g., asset account number) or transaction code (e.g., credit sale entry) to a master list of account or transaction codes (master file reference). Input controls include rejecting, correcting, and resubmitting data that were initially wrong. Is input information properly authorized? Character validation tests may also be programmed to check input data fields to see if they contain alphanumerics when they are supposed to have numerics. A preprocessing edit check verifies a key entry by a second one or a visual examination. There may be a limit test check of input data fields to make sure that some predetermined limit has not been exceeded (e.g., employee weekly hours should not be automatically processed if the sum of regular and overtime hours per individual exceeds 60).
❍ Processing controls: Processing controls are used to ensure that transactions entered into the system are valid and accurate, that external data are not lost or altered, and that invalid transactions are reprocessed correctly. Sequence tests may be performed to note missing items. In batch or sequential processing, batch totals are used to ensure that the count and total value of similar data items are the same before and after processing. In a parity check, because data are processed in arrays of bits (binary digits of 1 or 0), a parity bit is added so as to make the total of all the "1" bits even or odd. The parity bit reveals a bit lost or flipped during computer processing; a parity check detects single-bit corruption but cannot correct it, and an even number of flipped bits in the same word goes unnoticed. External and internal file identification labels may be used. The program may check to see if an item in a record is within the correct range. Crossfooting tests apply logical tests for information consistency (e.g., row totals must agree with column totals). Application reruns assure that the initial run was correct.
❍ Change controls: Change controls safeguard the integrity of the system by establishing standard procedures for making modifications. For example, a log file can be maintained to document all changes. A report may be prepared showing the master file before and after each update.
❍ Testing controls: Testing controls ensure that reliance can be placed on a system before the system becomes operational. For example, limited test data could be processed and tested using the new system. Utility programs can be used to diagnose problems in application software.
❍ Output controls: The purpose of output controls is to authenticate the previous controls; this is used to ensure that only authorized transactions are processed correctly. Random comparisons can be made of output to input to verify correct processing. For example, an echo check involves transmitting data received by an output device back to its source. Output controls presume information is not lost or improperly distributed. Errors by receivers of output, such as customers, should be investigated.
❍ Procedural controls: Procedural controls safeguard computer operations, reduce the chance of processing mistakes, and assure continued functioning if a computer failure occurs. Processing errors must be thoroughly evaluated. Output should be distributed to authorized users of such information. A record retention and recovery plan must also exist.
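An edit program that applies the input controls (missing data check, valid character check, valid code check against a master list, limit test on regular plus overtime hours) and the processing controls (sequence test, batch totals before and after, crossfooting) from the list above, as an added example that is not code from the original chapter. The record layout, the sample batch and the independently prepared control totals are constructed for illustration; the 60-hour limit and the pay codes follow the chapter's own examples but are otherwise assumptions.

```python
"""An edit program applying input and processing controls to a payroll batch.

Added example, not code from the original chapter. The record layout
(sequence number, employee number, pay code, hours), the sample batch and the
control totals are constructed for illustration; the 60-hour limit follows the
chapter's example and the master list of pay codes is an assumption.
"""

import re

PAY_CODES = {"REG": "regular hours", "OT": "overtime hours"}  # master file reference
MAX_WEEKLY_HOURS = 60  # limit test threshold from the chapter's example
EMPLOYEE_RE = re.compile(r"^[0-9]{6}$")  # valid character check: 6 digits only
REQUIRED = ("seq", "employee", "code", "hours")


def record_edits(rec: dict) -> list:
    """Input controls on one record; returns the reasons it must be rejected."""
    errors = []
    for field in REQUIRED:  # missing data check
        if rec.get(field) in (None, ""):
            errors.append("missing " + field)
    if rec.get("employee") and not EMPLOYEE_RE.match(str(rec["employee"])):
        errors.append("employee number must be 6 digits")  # valid character check
    if rec.get("code") and rec["code"] not in PAY_CODES:
        errors.append("unknown pay code %r" % rec["code"])  # valid code check
    hours = rec.get("hours")
    if hours not in (None, "") and not isinstance(hours, int):
        errors.append("hours must be numeric")  # character validation: numerics expected
    return errors


def hours_of(rec: dict) -> int:
    """Hours of a record, treating missing or non-numeric values as zero."""
    hours = rec.get("hours")
    return hours if isinstance(hours, int) else 0


def sequence_test(records) -> list:
    """Processing control: sequence numbers that should be present but are not."""
    seen = {r["seq"] for r in records}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def limit_test(records) -> dict:
    """Input control: employees whose regular plus overtime hours exceed the limit."""
    totals = {}
    for r in records:
        totals[r["employee"]] = totals.get(r["employee"], 0) + hours_of(r)
    return {emp: h for emp, h in totals.items() if h > MAX_WEEKLY_HOURS}


def batch_totals(records) -> tuple:
    """Count and value (hours) of a set of records, for before/after comparison."""
    return len(records), sum(hours_of(r) for r in records)


def edit_batch(records, control_count: int, control_hours: int) -> dict:
    """Run the edits and reconcile the batch against independently prepared control totals."""
    rejected, clean = {}, []
    for rec in records:
        errors = record_edits(rec)
        if errors:
            rejected[rec["seq"]] = errors
        else:
            clean.append(rec)
    over_limit = limit_test(clean)
    held = [r for r in clean if r["employee"] in over_limit]  # not processed automatically
    accepted = [r for r in clean if r["employee"] not in over_limit]

    received = batch_totals(records)
    # Crossfoot: the three dispositions must add back to what was received.
    dispositions = [batch_totals(accepted), batch_totals(held),
                    batch_totals([r for r in records if r["seq"] in rejected])]
    crossfoot = tuple(sum(t[i] for t in dispositions) for i in range(2))

    return {
        "accepted": [r["seq"] for r in accepted],
        "held": [r["seq"] for r in held],
        "rejected": rejected,
        "missing_seq": sequence_test(records),
        "received": received,
        "control_ok": received == (control_count, control_hours),
        "crossfoot_ok": crossfoot == received,
    }


# Constructed batch. The control totals were prepared independently of the
# operator for 6 records and 183 hours, so the absent record 4 is exposed twice:
# by the sequence test and by the control-total reconciliation.
SAMPLE_BATCH = [
    {"seq": 1, "employee": "100234", "code": "REG", "hours": 40},
    {"seq": 2, "employee": "100234", "code": "OT", "hours": 25},   # 65 hours in total
    {"seq": 3, "employee": "100235", "code": "REG", "hours": 38},
    {"seq": 5, "employee": "100236", "code": "XX", "hours": 40},   # bad code; seq 4 absent
    {"seq": 6, "employee": "10A237", "code": "REG", "hours": ""},  # bad characters, missing hours
]
CONTROL_COUNT, CONTROL_HOURS = 6, 183


if __name__ == "__main__":
    for key, value in edit_batch(SAMPLE_BATCH, CONTROL_COUNT, CONTROL_HOURS).items():
        print(key, value)
```

Records that fail an edit are rejected for correction and resubmission; records of an employee over the hours limit are held for manual authorization rather than silently processed; and the batch is only released when the received count and hours agree with the control totals and the dispositions crossfoot back to them.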
ELECTRONIC DATA INTERCHANGE
Electronic data interchange (EDI) is the electronic transfer of business information among trading partners. Thousands of businesses use EDI to exchange information with suppliers and customers. The benefits of EDI are clear. The paperwork is greatly reduced and the efficiency in accounting and processing functions is greatly enhanced.

The risk inherent in EDI is much greater than in standard computer processing systems. An EDI security system is only as strong as the weakest link among the trading partners. Some risks of EDI are:
❍ Data could be lost in the interchange.
❍ Unauthorized changes may be made to the data.
❍ The lack of paperwork means a greater likelihood that the audit trail may not be maintained.
❍ Authorized individuals can initiate unauthorized transactions.
❍ Unauthorized individuals can gain access to the system through the weakest link among the trading partners.

PERSONNEL SECURITY
Each employee should sign a nondisclosure agreement not to reveal computer security information to those outside the business or to unauthorized staff within the firm. If a staff member leaves the company, certain control procedures are required, including returning all badges, keys, and company materials. Access codes, passwords, and locks may need to be changed.
Specific procedures should be established for recruiting and hiring computer data processing professionals. A security investigation should include contacting the applicant's work references, checking the applicant's background with appropriate authorities, and verifying the applicant's school references. The importance of computer security with respect to every phase of computer data processing should be emphasized to new employees. For example, to indoctrinate new employees, educational seminars can be scheduled where security professionals can communicate the company's rules and procedures.

In addition, formal performance evaluation systems should be in place to ensure that employees' performances and skills are routinely reviewed. An effective review procedure can help prevent job frustration and stress. It can also help maintain employee morale. Discontentment often acts as a catalyst for computer crime. Possible indicators of discontentment include excessive absenteeism, late arrival, low quality or low production output, complaints, putting off vacations, and excessive unwarranted overtime. Quick action, such as communicating with the employee on a one-to-one basis, can minimize if not eliminate job discontentment.

Segregation of duties among staff is needed. For example, a programmer should not also serve as an operator. Rotation of assignments should also exist, such as programmers doing different assignments and operators working different shifts. A function may be designed to require more than one operator to make it more difficult for an individual to perpetrate an improper act, since others are involved. The development and testing of software should also be separate.
AUDIT TRAIL
Audit trails contain information regarding any additions, deletions, or modifications to the system, providing evidence concerning transactions. An effective audit trail allows the data to be retrieved and certified. Audit trails will give information regarding the date and time of the transaction, who processed it, and at which terminal.

To establish an adequate audit trail, you must analyze transactions related to the physical custody of assets, evaluate unusual transactions, and keep track of the sequential numbering of negotiable computer forms. Controls should be periodically tested. For example, the audit trail requires the tracing of transactions to control totals and from the control total back to the supporting transactions. Computer-related risks affect the company's internal control structure and thereby affect the company's auditability.
Electronic data interchange (EDI) systems are online systems where computers automatically perform transactions such as order processing and invoice generation. Although this can reduce costs, it can adversely affect a company's auditability because of the lessened audit trail.

The AICPA has issued control techniques to ensure the integrity of an EDI system. The AICPA recommends controls over accuracy and completeness at the application level of an EDI system to include checking on performance to determine compliance with industry standards, checking on sequence numbering for transactions, reporting irregularities on a timely basis, verifying adequacy of audit trails, and checking embedded headers and trailers at the interchange, functional group, and transaction set level. Control techniques at the environmental level include reviewing quality assurance of vendor software, segregating duties, ensuring that software is virus-free, procuring an audit report from the vendor's auditors, and obtaining evidence of testing. To ensure that all the EDI transactions are authorized, the AICPA provides these authorization controls: operator identification code, operator profile, trading partner identifier, maintenance of user access variables, and regular changing of passwords.

NETWORK SECURITY
Network security is needed for both local area networks (LANs) and wide area networks (WANs). There must be positive authentication before a user can gain knowledge of the online applications, network environment, nature of applications, terminal identification, and so on. Information should be provided on a need-to-know basis only.

Access controls should exist to use a specific terminal or application. Date and time constraints along with restricted file usage may be enumerated. Unauthorized use may deactivate or lock a terminal. Diskless workstations may result in a safer network environment.
There must be a secure communication link for data transmission between interconnected host computer systems of the network. A major form of communication security on the network is cryptography to safeguard the confidentiality of transmitted data. Cryptographic algorithms may be either symmetric (private key) or asymmetric (public key). The two popular encryption methods are link-level security and end-to-end security. The former safeguards traffic independently on every communication link, while the latter safeguards messages from the source to the ultimate destination. Link-level encryption enciphers the communications line at the bit level; data is deciphered upon entering each node, so it is exposed in cleartext inside every intermediate node. End-to-end encryption enciphers information at the entry point to the network and deciphers it at the exit point; unlike link-level encryption, it protects the information while it is inside the intermediate nodes.

Security should be provided in different layers. Security must exist over networking facilities and telecommunication elements. Controls must be placed over both host computers and subnetworks.

Network traffic may travel over many subnetworks, each having its own security levels depending on confidentiality and importance. Therefore, different security services and controls may be required. Security aspects of each subnetwork have to be distributed to the gateways so as to incorporate security and controls in routing decisions. The architecture of a network includes hardware, software, information link controls, standards, topologies, and protocols. A protocol relates to how computers communicate and transfer information. Security controls must exist over each component within the architecture to assure reliable and correct data exchanges. Otherwise, the integrity of the system may be compromised. Communication security may be in the form of:

❍ Access control: Guards against improper use of the network. For example, Kerberos is an authentication protocol, developed at MIT and available in both free and commercial implementations, that can be added to an existing system to verify a user's identity and assure he or she is not an impostor. Kerberos does this with a trusted authentication server that issues encrypted, time-limited tickets; the user's password itself is never transmitted across the network. Password control and user authentication devices may be used, such as Security Dynamics' SecurID (800-SECURID) and Vasco Data Security's Access Key II (800-238-2726). Do not accept a prepaid call if it is not from a network user; hackers do not typically spend their own funds. Review data communications billings and verify each host-to-host connection. Review all dial-up terminal users. Are the telephone numbers unlisted and changed periodically? Control specialists should try to make unauthorized access to the network to test whether the security is properly working.
❍ Identification: Identifies the origin of a communication within the network through digital signatures or notarization.
❍ Data confidentiality: Maintains confidentiality over unauthorized disclosure of information within the communication process.
❍ Data integrity: Guards against unauthorized changes (e.g., adding, deleting) of data at both the receiving and sending points, such as through cryptographic methods. Antivirus software should be installed at both the network server and workstations. Detection programs are available to alert users when viruses enter the system.
❍ Authentication: Substantiates the identity of an originating or user entity within the network. The authenticator verifies that the entity is actually the authorized individual and that the information being transmitted is appropriate. Examples of security controls are passwords, time stamping, synchronized checks, nonrepudiation, and multiple-way handshakes. Biometric authentication methods measure body characteristics with the use of equipment attached to the workstation. Retinal scanning may also be used. Keystroke dynamics is another possibility for identification.
❍ Digital signature: Messages are signed with the sender's private key and verified by the receiver with the matching public key.
❍ Routing control: Inhibits data flow to insecure network elements such as identified insecure relays, links, or subnetworks.
❍ Traffic padding: Inserts dummy traffic so that an eavesdropper cannot infer activity from the volume and timing of messages (traffic analysis).
❍ Interference minimization: Radar/radio transmission interference must be eliminated or curtailed.

There are various ways to back up data in networks. For a small network, one workstation may be used as the backup and restore for other nodes. In a large network, backup may be done by several servers, since the failure of one could have disastrous effects on the entire system. Access to backup files must be strictly controlled.
An example of a network security package is Intrusion Detection Incorporated's Kane Security Analyst, which assesses existing security.
Protect Your Company from Internet Dangers
1 Have a firewall. A firewall is a device that filters traffic between your network and the Internet and blocks connections that have not been explicitly allowed, which keeps outsiders from reaching services on your company network. For small companies, use a broadband router, like those made by Netgear, Linksys or D-Link, that has a firewall built in.

2 Use an anti-virus program and keep it current. Any of the popular brands will work (e.g., Norton, McAfee, etc.). Renew your subscription every year or upgrade to the latest version. Make sure that your computers are automatically getting the latest virus definitions.

3 Get Microsoft Windows and Office updates. Microsoft has introduced significant security improvements in Service Pack 2 for Windows XP that can be installed for free. Older versions of Windows are more susceptible to spyware and Internet worms. Consider upgrading PCs to Windows XP or Longhorn (the development name of what was released as Windows Vista).

4 Use anti-spyware and anti-spam programs. Microsoft offers a free anti-spyware program for Windows 2000 and XP. Many Internet service providers (e.g., Cox Communications, AOL, etc.) offer complimentary anti-spam services. If your provider doesn't, there are spam filter programs that work with Outlook and Outlook Express.

5 Secure your network. A firewall won't protect you if a hacker can figure out the password. Make sure your computer technician has changed the default password on your router. If you have a wireless network, make sure it is using encryption to prevent unauthorized access. Of the options available when this was written, WEP was already broken and can be cracked in minutes; use WPA2 (or newer) with a strong passphrase rather than WEP or the original WPA.
THE SECURITY ADMINISTRATOR
The size and needs of the company will dictate the size of the security administration department. This department is responsible for the planning and execution of a computer security system. It ensures that the information system's data is reliable and accurate. The security administrator should possess a high level of computer technical knowledge as well as management skills and a general understanding of the organization's internal control structure.

A security administrator should interact with other departments to learn about the organization's changing needs and to be able to maintain and update the security system efficiently. The security administrator is responsible for enacting and customizing policies and standards for the organization based on specific needs. Checks on performance and monitoring of staff should be done to ensure compliance with these policies and standards. In developing these policies and procedures, as well as the overall information computer security system, the security administrator must perform a risk assessment (see Exhibit 16.3).

Exhibit 16.3 MICROCOMPUTER SECURITY CHECKLIST

(A no response indicates a potential vulnerability.)

Organizational

1 Is management's attitude toward microcomputer security, as reflected by its actions, appropriate?
2 Has the organization prepared a coordinated plan of implementation for microcomputers, addressing such factors as:
❍ Hardware compatibility within and between departments?
❍ Software compatibility within and between departments?
❍ Future expansion?
❍ A manual of standard practices?
3 Is rotation of duties utilized to increase the chance of exposure of errors and irregularities and to give depth to microcomputer operations?
4 Are vacations mandatory to reduce the likelihood of fraud or embezzlement resulting from increased chance of exposure?
5 Do personnel policies include background checks to reduce the likelihood of hiring dishonest employees?
6 Have employees who have access to sensitive databeen bonded?
7 Is there a quality-control program in existence?
8 Are exception reports to procedures and policiesprepared?
❍ Bolting computers to desks or tables?
❍ Placing lockable covers on computers?
❍ Installing alarms and motion detectors in areaswith a high concentration of computer equip-ment?
❍ Placing internal trip alarms inside computers?
3 Which of the following factors for the physical protection of hardware are present:
❍ Elementary surge suppressors or noise-filtering devices to protect against surges and spikes?
❍ Line conditioners to smooth out power?
❍ Uninterruptible power supply units to supplypower during power outages?
❍ Antistatic mats and pads to neutralize staticelectricity?
❍ Halon fire extinguishers to reduce losses fromfire?
❍ Placement away from the sprinkler system toavoid water damage?
❍ Waterproof covers to avoid water damage?
❍ Implementation of a smoking ban, or the use of
a small fan around the computer to blow anysmoke away from the system?
❍ Avoidance of other potential pollutants (e.g.,dust, food, and coffee) around the computer?
4 In the event of equipment breakdown, is substituteequipment available?
1 Does present insurance cover software?
2 Is insurance carried to cover the cost of a business interruption resulting from a computer mishap?
3 Are backups and working copies maintained on site?
4 Do software backups, like originals, have write-protect tabs in place?
5 Are originals placed in off-site storage (e.g., a safe-deposit box or the home of the owner or chief executive officer)?
6 Are steps taken to avoid unauthorized copying of licensed software?
7 Are steps taken to avoid the use of bootleg software?
8 Is software tested before use?
Data and Data Integrity
1 Are backups of data files routinely prepared?
2 Is documentation duplicated?
3 Are backups placed in off-site storage (e.g., a safe-deposit box or the home of the owner or chief executive officer)? For particularly important files, a third copy may be kept.
4 Are backups of sensitive data that are stored off site encrypted to reduce the chance of unauthorized exposure?
5 Do hard disks include an external hard disk or a cassette tape as a backup?
6 Is a program such as Ship or Park used when removing the read/write head from the hard disk to reduce the likelihood of a crash?
7 Has the Format command been left off the hard disk?
8 Have Debug and other utilities that provide a means of accessing restricted software or data been left off the disk?
9 Has data encryption been considered for sensitive data (e.g., payroll)?
10 Is work on sensitive data limited to private offices to reduce the likelihood of exposure?
11 Is sensitive data only placed on distinctly marked diskettes or removable hard disks?
12 Are diskettes or cartridges removed from unattended computers?
13 Does the organization have a designated custodian for sensitive data disks?
14 Are unattended microcomputers turned off when data is removed from the system?
15 Is reformatting of the disk or overwriting of the file required for destruction of sensitive data?
16 Have legally binding confidentiality agreements been drafted by the employer and signed by microcomputer users with access to sensitive data (e.g., customer lists)?
17 Are diskettes or cartridges stored in a secure cabinet or fire-rated safe?
18 Which of the following are required before decisions are made based on microcomputer-generated reports:
❍ Validating the accuracy of customized microcomputer programs and embedded formulas?
❍ Dating changes to databases?
❍ Dating reports with the date of production and the date of the database?
❍ Independent validation of the data input?
19 In the event of downtime, are there alternative processing arrangements with service bureaus?
20 Does a preventive maintenance program exist?
21 Have data been processed out of sequence or priority?
22 Do transactions not fit a trend (e.g., too little, too much, too often, too late, illogical)?
23 Are compiled data in conformity with legal and regulatory dictates?
24 Did anyone attempt access above their authorization level?

Source: Buttress, T. E., and M. D. Ackers, "Microcomputer Security," Journal of Accounting and EDP, Spring 1990.

HOW TO AVOID SPAM

Spam is a computer term for unwanted e-mail. In a Monty Python television skit, a group of Vikings in a restaurant sing about the meat product, "Spam, spam, spam, spam, spam, spam, spam, spam, lovely spam! Wonderful spam!" until told to shut up. As a result, something that keeps being repeated to great annoyance is called spam, and computer programmers have picked up on it. The spam problem has reached epic levels, with users continuously barraged with unwanted mail. Begin fighting the problem by learning the basics of stopping spam and getting resources at your disposal.
❍ Protect your e-mail address: Spammers either buy lists of e-mail addresses or use software programs that mine the addresses from the Internet. If your address is posted in discussion groups, on Web sites, in chat rooms, and so on, chances are it will end up on one or more of these lists. Only post your address publicly when absolutely necessary.
❍ Set up multiple e-mail accounts: If you do participate regularly in online activities where you post your address, set up another e-mail account. Reveal it only to close friends and family.
❍ Use spam filters: Many e-mail programs, such as Outlook Express, have built-in tools that block messages sent from certain addresses or that filter messages based on key words you define. Check the online help files for your e-mail software.
❍ Use antispam software: You can install software designed to eliminate spam. Some programs work by matching incoming messages against a list of known spammers; others block messages that do not match an approved list of acceptable addresses. Check out the latest antispam programs at Download.com.
❍ Report violators: A number of government agencies and private groups accept complaints. Whether they can do anything to stop the deluge is an unanswered question. Forward spam to the Federal Trade Commission at uce@ftc.gov.
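As an added example, not from the book, here is a small Python filter that implements the three mechanisms these bullets describe: a list of known spammers (blocklist), an approved list of acceptable addresses (allowlist), and key words you define. The messages, addresses and domains below are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail), in plain RFC 822 header/body form.
SAMPLE_MAIL = [
    "From: Alice <alice@example.com>\nSubject: lunch tomorrow?\n\nStill on for noon?\n",
    "From: deals@spammer.example\nSubject: FREE offer inside\n\nClick now!!!\n",
    "From: Bob <bob@partner.example>\nSubject: Q3 figures\n\nThe numbers are attached.\n",
    "From: news@unknown.example\nSubject: Weekly digest\n\nLowest mortgage rates ever.\n",
]

@dataclass
class SpamFilter:
    """The three mechanisms the text lists: a list of known spammers (blocklist),
    an approved list of acceptable addresses (allowlist), and key words you define.
    The From header is unauthenticated, so sender rules are a convenience against
    bulk mail, not a security control against a sender who forges the header."""
    blocklist: set[str] = field(default_factory=set)   # addresses or whole domains
    allowlist: set[str] = field(default_factory=set)   # empty set disables the allowlist
    keywords: tuple[str, ...] = ()                      # case-insensitive, subject + body

    def classify(self, raw: str) -> tuple[str, str]:
        """Return ('spam' | 'ham', reason); the first rule that fires decides."""
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        domain = sender.rsplit("@", 1)[-1]
        if sender in self.blocklist or domain in self.blocklist:
            return "spam", f"blocklisted sender {sender}"
        if self.allowlist and sender not in self.allowlist:
            return "spam", f"sender {sender} not on the approved list"
        text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
        for word in self.keywords:
            if word.lower() in text:
                return "spam", f"key word {word!r} matched"
        return "ham", "no rule matched"

def run_filter(filt: SpamFilter, messages=SAMPLE_MAIL) -> list[str]:
    """Verdict per message, in input order."""
    return [filt.classify(m)[0] for m in messages]
```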
THE LAW
The Computer Fraud and Abuse Act of 1996 (www.usdoj.gov) is a federal law that makes any unauthorized use (copying, damaging, obtaining database information, etc.) of computer hardware or software across state lines a crime. Offenders can be sentenced to up to 20 years in prison.
to expand a computer network or make their employees more mobile. Major technology companies are behind its standards, and the price and choice of products should only improve.
Two major developing technologies are changing the computer networking landscape: Wi-Fi (Wireless Fidelity) and Bluetooth. These two forms of wireless technology can change the entire infrastructure of business networks. Many new hardware and software products produced by many big-name technology companies are equipped for use with Bluetooth and Wi-Fi. The Bluetooth Special Interest Group (SIG; www.bluetooth.com) and the Wi-Fi Alliance (www.weca.net) help effectively develop, integrate, and implement these wireless technologies globally. These two groups have created global standards for each technology that must be met by any company producing hardware or software to operate with Bluetooth or Wi-Fi.
BLUETOOTH
Bluetooth is a radio frequency specification for short-range data transfer. Any device containing Bluetooth technology, whether it be a handheld PC, cell phone, laptop, or standard PC, receives the signal broadcast by the network.
As mentioned, the Bluetooth SIG was formed to develop and maintain a global standard for Bluetooth wireless technology. This facilitates interoperability, advancement, and development of the technology. Over 2,000 companies from around the globe are members of this industry group. The Bluetooth SIG consists of leaders in telecommunications and computing, including such household names as Ericsson, IBM, Intel, Microsoft, Motorola, Nokia, and Toshiba. The Bluetooth specified standard contains the information necessary to ensure that all devices supporting Bluetooth are able to communicate with each other globally, so it does not matter who manufactures a device. As long as it has the Bluetooth logo or label on it, it can be fully synchronized with any other Bluetooth device. This is a huge step toward full integration. Instead of using many independently operating devices to accomplish one task, businesses may utilize these devices as one tool by integrating their performance. Using Bluetooth can also give a business many more options in terms of purchasing new hardware and upgrades. Because all Bluetooth devices are fully interoperable, businesses are not forced to go back to the same manufacturer. They can look for the best prices as long as the alternative device supports Bluetooth.
The current Bluetooth specified standard calls for the support of several elements. First, there must be general access among devices so that they can link, synchronize, and communicate with each other. Next, cordless telephony must be supported. Cell phones with Bluetooth must be able to operate as cordless phones when they are in proximity to their base station. For example, the cell phone would act as a cordless phone and a laptop or desktop at the base station. The serial ports on Bluetooth-supportive devices will act similar to wired serial ports. Each device will also be able to receive and transmit voice data as well as send faxes. Dial-up networking between a cell phone and a laptop computer is part of the standard. As already mentioned, Bluetooth devices will have full wireless personal area network (WPAN) access with the ability to transfer files.
Bluetooth Networks
Bluetooth provides a 10-meter personal bubble. It supports the simultaneous transmission of information and voice data. A network of Bluetooth devices is called a piconet. Each piconet can support a maximum of eight devices and a minimum of two. Any and all devices containing Bluetooth can potentially be networked with each other. Each piconet has a master unit and slave units. The master unit synchronizes all of the slave units. The slave units are all of the other networked devices besides the master unit. Piconets may be integrated to form a scatternet by setting up a master device to synchronize several piconet master devices. Therefore, the master device of a piconet can also be a slave in a scatternet. The gross data transfer of Bluetooth devices is 1 megabyte per second, while the actual data rate is 432 kilobytes per second. Bluetooth technology is as secure as a wire with up to 128-bit public/private key authentication. Furthermore, it supports good encryption. Bluetooth transmits its signal for up to 10 meters when a 0 dBm radio is used. When a +20 dBm radio is used, the link range can be increased to up to 100 meters.
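An added example, not from the book, that models the piconet and scatternet structure just described in Python: it enforces the two-to-eight device limit per piconet, finds the bridge devices (the text's case is a master that is at the same time a slave in another piconet), and routes a path across piconets. The device names are constructed, and the rule that a slave exchanges data only with its own master is an assumption of the example.

```python
from collections import deque
MIN_PICONET, MAX_PICONET = 2, 8   # device counts per piconet, as stated in the text

class Piconet:
    """One master plus its slaves; 2 to 8 devices in total."""
    def __init__(self, master, slaves):
        slaves = frozenset(slaves)
        if master in slaves:
            raise ValueError("a master cannot be a slave of its own piconet")
        size = len(slaves) + 1
        if not MIN_PICONET <= size <= MAX_PICONET:
            raise ValueError(f"piconet needs {MIN_PICONET}-{MAX_PICONET} devices, got {size}")
        self.master, self.slaves = master, slaves

class Scatternet:
    """Piconets tied together by devices that belong to more than one of them."""
    def __init__(self, piconets):
        self.piconets = list(piconets)

    def bridges(self):
        """Devices present in two or more piconets; the text's case is a piconet
        master that is at the same time a slave in another piconet."""
        seen, out = set(), set()
        for p in self.piconets:
            for d in p.slaves | {p.master}:
                (out if d in seen else seen).add(d)   # second sighting => bridge
        return out

    def route(self, src, dst):
        """Shortest hop path from src to dst, or None. Assumption of this example:
        slaves talk only to their master, so links run master <-> slave and cross-piconet hops go via a bridge."""
        adj = {}
        for p in self.piconets:
            for s in p.slaves:
                adj.setdefault(p.master, set()).add(s)
                adj.setdefault(s, set()).add(p.master)
        prev, queue = {src: None}, deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                path = []
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for nxt in adj.get(cur, ()):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return None
```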
Practical Uses
The most attractive feature of Bluetooth is that all products containing this technology will work together. All manufacturers implementing Bluetooth into their products must get them tested and certified to ensure interoperability. Accordingly, this feature is perhaps the most attractive for your client’s business. All of a company’s hardware will be integrated and able to share information. You will be able to synchronize your mobile computer with your desktop simply by placing the mobile computer near the desktop. This will save much time plugging and unplugging. This technology is also useful outside of the office. You can leave your cell phone in your pocket and dial up to the Internet using your laptop, as opposed to lining up the phone’s infrared port with that of your mobile computer. The best part is this synchronization will be unconscious and automatic when the devices are within a certain range of each other.
Currently, Bluetooth’s most practical usages are its ability to wirelessly synchronize devices and to serve as small networks. Its range limits its ability to serve the needs of large networks. For small businesses or sole practitioners requiring smaller networks, Bluetooth can serve this purpose. The main advantage of Bluetooth, though, is the ability a CPA and businessperson has when making use of this technology. A person can coordinate each piece of his or her equipment to create a more powerful and efficient business tool. For more information about Bluetooth technology, see www.bluetooth.com/ or see the Web sites of any of the Bluetooth SIG member companies. To learn more about the Bluetooth SIG and its members, go to www.bluetooth.com/sig/about.asp
WIRELESS FIDELITY (Wi-Fi)
Wireless Fidelity (Wi-Fi), also known as 802.11b, has a range that is longer than that of Bluetooth. Wi-Fi transfers data at 11 megabytes per second. (However, note that Wireless-G operates at speeds almost five times faster than 802.11b.) Wireless-G is compatible with 802.11b products. Many large corporations use Wi-Fi wireless devices to extend standard wired networks to areas such as training classrooms and large public spaces. In addition, many companies make use of Wi-Fi to provide wireless networks to their workers. These wireless networks may also be accessed remotely from workers’ homes or other offices. Wi-Fi is also used to bridge the information flow between two or more offices in different buildings.
Wi-Fi networks are found in public places such as hotels and airports. When in an area that supports Wi-Fi, a Wi-Fi