Is your Security enough?
Nathan Rector
Natec Systems
nater@northcoast.com
http://www.northcoast.com/~nater/
All Multi-Value Operating Systems provide tools to protect your data. Are you using them? Many systems have security problems because the available tools are not being used or are not applied to their full advantage. Even if you currently have security measures in place, you'll find a large security problem centered on your users. The user is the weakest part of a security system.
Why use security? Most people would say: "to keep unauthorized personnel from accessing or altering information." Yet historically, the day-to-day user causes the most common security breach: theft.
The day-to-day users have easy access to your information and will know its value. The users generally have little or no restrictions on what can and cannot be accessed. Users have been known to sell company customer lists and payables and receivables files. How protected are your valuable files?
The National Computer Security Association (NCSA) determined that in the last 5 years the following areas have had a dramatic increase in theft:
- Client or Customer information - 81%
- Trade secrets (i.e., pricing formulas, manufacturing technologies) - 77.6%
- New product plans - 76.7%
- Product descriptions - 75.7%
- Pricing data - 71.8%
How much of this information is readily accessible to your users? Most of this information is required to operate the day-to-day business. Does your existing security extend beyond the regular logon checks?
While data alteration is a security risk, the more common threat is data theft. Most businesses are alert to data alterations and catch them before they cause too many problems. Data theft, by contrast, has long-term effects that are rarely noticed, if at all, and are many times impossible to repair. What could your competition do with your customer lists or accounting information?
Most software packages have basic security features built in to keep information from being altered, but much of the software you find on Multi-Value systems is custom. Many custom programs overlook, or bypass, existing security measures on the assumption that security has already been dealt with.
If your current software has no security options, then look at the features that are built into the operating system itself. Most Multi-Value Operating Systems, if not all, have common security features such as passwords, file access and update codes, SYS levels, as well as debugger and TCL restrictions.
Passwords are the most commonly used security feature in any system. They keep unauthorized personnel out of your data and restrict what information the average user has access to. Yet, passwords can become the weakest part of your security.
Users often create this weakness in security without knowing it. To avoid this, users should be required to change their passwords often. Users should avoid easy-to-remember passwords like names, birthdays, phone numbers, addresses, and so on. They should also avoid using the same passwords repeatedly.
Writing down passwords is another common practice to be avoided. Users often write down passwords on post-it notes or desk calendars so they don't have to remember them. There is nothing like a written down password to cause security problems.
Another feature that can be found in Multi-Value Operating Systems is access and update locks. These locks allow you to create security that the users can do nothing about. Access and update locks are applied to specific files and keep people from accessing and/or changing the information. Using access and update locks does require a little planning to set up, but once in place, they can rarely be changed by anyone other than the creator of the security system.
Other security features that can be found on most Multi-Value Operating Systems are SYS0, SYS1, SYS2, and sometimes SYS3. These restrictions are placed on whole accounts and restrict the use of specific TCL commands.
All these security features help keep unauthorized people from accessing or altering information, but what about protection against users who do have access? This kind of protection is more statistical analysis than hard protection like passwords.
By keeping audit trails on access and changes to key information, you can define patterns, or the lack of them, in data access. Audit trails allow managers to deal with system abuse as well as watch for data theft. One place that audit trails should be closely watched is system access. When are your users accessing the system? How often do they access the system after hours or on their days off?
Another place an audit trail can be placed is on customer inquiry screens or inventory inquiry screens. How often does this employee access customer information? How long do they spend in the information? Are they accessing unrelated customer accounts one right after the other? I think you get the idea.
Another feature to keep in mind is limiting the kinds of data that are allowed to be printed. By limiting access to the kinds of data that can be printed, you will limit, if not plug, a hole that is often overlooked. Take a look in your accounting department. Do you see any accounts payable or receivable reports lying in the open? How about in the trash?
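The two audit-trail checks described above (off-hours system access, and many unrelated customer accounts viewed one after the other) can be run over an exported trail. This is an added example, not code from the original article; the record layout, the `CUST.INQ` event name, the business hours and the thresholds are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail export: user, ISO timestamp, event, target record.
AUDIT = """\
jsmith 2024-03-04T09:15:00 LOGON -
jsmith 2024-03-04T09:20:00 CUST.INQ C1001
jsmith 2024-03-04T10:45:00 CUST.INQ C1001
mlee 2024-03-04T22:40:00 LOGON -
mlee 2024-03-04T22:41:00 CUST.INQ C2001
mlee 2024-03-04T22:42:00 CUST.INQ C2002
mlee 2024-03-04T22:43:00 CUST.INQ C2003
mlee 2024-03-04T22:44:00 CUST.INQ C2004
mlee 2024-03-04T22:45:00 CUST.INQ C2005
akhan 2024-03-09T11:00:00 LOGON -
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        user, ts, event, target = line.split()
        rows.append((user, datetime.fromisoformat(ts), event, target))
    return rows

def off_hours_logons(rows, open_hour=8, close_hour=18):
    """Logons on weekends or outside the assumed business hours."""
    return [(u, t) for u, t, e, _ in rows
            if e == "LOGON"
            and (t.weekday() >= 5 or not open_hour <= t.hour < close_hour)]

def account_sweeps(rows, window=timedelta(minutes=10), threshold=5):
    """Users who viewed >= threshold distinct customers within one window."""
    by_user = defaultdict(list)
    for u, t, e, target in rows:
        if e == "CUST.INQ":
            by_user[u].append((t, target))
    flagged = {}
    for u, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            distinct = {c for t, c in hits[i:] if t - start <= window}
            if len(distinct) >= threshold:
                flagged[u] = max(flagged.get(u, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    rows = parse(AUDIT)
    print(off_hours_logons(rows))
    print(account_sweeps(rows))
```

A flag from either check is a prompt for a manager to look at the pattern, not proof of theft; the thresholds need tuning to how each department actually works.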
Since we are still far from a paperless workplace, printed information is found all over the office. Walk through your office. Count how many reports, screen dumps, or other printed material the users have on their desks or in the trash. You'll likely find some type of printout on everyone's desk. More than likely half of what you find will be key information, such as pricing or customer lists.
Every Multi-Value Operating System has security features built in. The question is, are you using them? Security should never be limited to features that only keep unauthorized people from accessing or altering data. The most common theft of data will come from the people who already have access to it.
The weakest part of any security is its users.
Author's note: I would be interested in any comments or questions concerning this article. You can email me at nater@northcoast.com or fax me at 707-839-4315.