Gaining Access to Protected Systems and Data

Individuals seeking unauthorized entry into a computer network will often engage in significant reconnaissance before attempting entry. They may, for instance, scan the target's Web sites and query online databases to find out additional information about the organization or its employees. A target's Web site can provide useful information such as contact information, corporate culture and idioms, product names, business partners, and any of the target's mergers or acquisitions. The individual can also scan list servers for questions that give more information about the network. For instance, the target's systems administrator could post a question to a security-related listserv that includes the types of hardware or software the target is using. Google or other search engines may provide additional information on the target or individual employees. "Whois" records are another resource, listing the names and contact information of employees responsible for network security and operations. Once the individual has this background information, the hacker can then use "social engineering" to fill in missing information like passwords.

Social engineering usually involves the hacker manipulating the human tendency to trust, with the goal of accessing valuable systems and the information residing on them.1 There are a variety of social engineering tricks for collecting passwords. These include impersonating a new employee or an angry manager who needs a password immediately; claiming to be an employee who needs to gain access to the system remotely; or pretending to be the systems administrator and requesting passwords from employees. Still others may pose as legitimate customers of information providers and secure confidential information through a simple ruse.2

There are other techniques for acquiring unauthorized access to networks. Some are as simple as visiting the target's company parking lot and looking for vanity tags on cars. Someone's password may be similar to the vanity tag. Other, more technical, methods include war dialing, where the individual systematically tests the target's phone numbers and extensions to locate unprotected modems, and scanning the network for unprotected ports.3 If not properly secured, infrared and wireless networks may also be vulnerabilities.

As long as the government and private companies continue to collect vast amounts of information about people, there will be individuals attempting to access it. Entities that store valuable information must be vigilant as hackers' tactics and methods will continue to evolve and change.

Standards for Data Protection

To protect its data and systems, every organization should have a well-conceived and implemented security policy. Such a policy allows for a systematic approach to security that minimizes the chance of overlooked vulnerabilities. The optimal information security policy should be based upon generally accepted public standards used in combination to best meet each company's needs. These public standards (some designed for specific industry sectors) have been articulated in the Gramm-Leach-Bliley Act (GLBA),4 the Health Insurance Portability and Accountability Act of 1996 (HIPAA)5, and the International Organization for Standardization's (ISO's) 17799.6 The GLBA standard, which is intended to protect consumers' personal financial information that is held by financial institutions, identifies 296 specific issues to be considered in 15 broad areas. HIPAA covers consumers' private information in a health care context and identifies 20 control areas with 329 discrete issues relating to data/system security.

ISO 17799 is a non-industry specific, international code of practice. The ISO describes the code's purpose as offering "guidelines and voluntary directions for information security management. It is meant to provide a high level, general description of the areas currently considered important when initiating, implementing or maintaining information security in an organization."7 It has two parts: ISO 17799, which is a code of practice, and BS7799-2, which contains security management system specifications. This standard is intended to serve as a single reference for determining the types of controls needed for the majority of situations in which information systems are used in industry and commerce. ISO 17799 identifies 10 control areas for implementation: (1) establishing organizational security policy; (2) organizational security infrastructure; (3) asset classification and control; (4) personnel security; (5) physical and environmental security; (6) communications and operations management; (7) access control; (8) systems development and maintenance; (9) business continuity management, and (10) compliance.

Organizations that collect and store data must carefully choose the standards that best fit their individual needs. An appropriate, reliable standard allows for a systematic review of information security policies and systems to better protect valuable systems and data.

Protecting Data with Cryptography

In the United States, the National Institute of Standards and Technology (NIST) establishes the standards for government agencies wishing to encrypt their data.8 If properly implemented, cryptography (the technology for keeping information secure) provides very strong data protection. With cryptography, a person can know everything about the cryptographic tool except the key and still be unable to decipher the enciphered information. Cryptography is therefore a powerful data protection tool because it allows an organization to focus on protecting just the key instead of vast amounts of information.

There are two types of algorithm keys: symmetric and asymmetric. With symmetric algorithms the encryption key and decryption key are identical. To use this type of algorithm, the sender and receiver must decide in advance what the key will be. If the key becomes known, then anyone with the key can access the encrypted information. Symmetric ciphers are typically used because information can be enciphered and deciphered relatively easily and quickly.

Asymmetric or public key algorithms have different encryption and decryption keys. In addition, the decryption key cannot usually be determined from the encryption key within a reasonable period of time. With this type of algorithm, only the decryption key must remain secret. Security for such a system is higher, but the ease of use is comparatively less.

Cryptography can provide authentication, integrity, nonrepudiation, and confidentiality. In this context, authentication means that it is impossible for someone to impersonate someone else. Integrity involves being able to verify that the data have not been modified, and nonrepudiation prevents a person from denying having sent or accessed the information. Encryption can also enhance confidentiality for stored data. The greatest problem for cryptography, however, is lost keys, and the concomitant necessity for ways to recover the key--for data without a key are utterly lost. If data are being transmitted, losing the key or data is less of a concern because either can be resent. In order to counter the possibility of lost keys, there must be systematic key management and a backup system for keys and data. Yet this backup system for recovery is often the loophole and source of greatest insecurity in the system.

While cryptography can protect data, its more valuable role is in authenticating data and messages and demonstrating their integrity. For instance, cryptographic keys can be used to prevent intentional alteration or forgery. Many cryptographic tools now automatically integrate encryption, authentication, and integrity functions, since many individuals have difficulty doing this properly on their own.

A Way to Think about Data Protection Technologies

There are gradations between the poles of complete anonymity and full identity. Many government transactions can now occur with the disclosure of a minimal amount of personal information. Just as there is a growing understanding of the concept of graduated identification, data protection technologies can provide a spectrum of access solutions for the government. Information databases can be designed to give data requesters the type and amount of information they need, and no more.

Conceptions of liberty are not based on the expectation of absolute privacy, but rather on the assumption that the government will not intrude without good cause. When a criminal or terror investigation is underway, Americans must be able to expect that scrutiny will not be focused on them without a good reason. Most interactions with the government require more than absolute anonymity, but rarely reach detailed investigation. There must be a continued expectation that the government will ensure that infringements on liberty are commensurate with necessity. Properly implemented data protection technologies allow for authentication, verification, and graduated access. They can help prevent expectations of privacy from eroding by allowing the government to avoid treating full-scale disclosure as the default for all individual interactions.

The mere implementation of new laws and systems to combat terrorism does not automatically diminish privacy. Rather such laws and practices frequently involve substituting one type or level of privacy intrusion for another. Some Americans might prefer a shortened wait in airports if airlines can check their personal information against suspected terrorist watch list databases through limited permission rather than have to endure a longer wait and investigative screening onsite. Not all data protection technologies will work for every situation--nor should they. The greatest policy challenge is finding the most effective uses of the specific data protection technology--both for liberty and security--not in labeling the collection of information as evil.

Data protection technologies can improve the safety of data and prevent abuse. As with all technology, the implementation should be thought out well in advance and designed with the appropriate protocols to ensure privacy. Protocols can be both part of the hardware and the operational guidelines and oversight mechanisms.