



Handbook of Local Area Networks, 1998 Edition: LAN Security

SECURITY VERSUS CONVENIENCE

Computer security can be, and usually is, inversely related to usability. There is no glory in computer security. Network administrators are not thanked when security works, but are certainly questioned if it fails. However, computer hackers are lurking, and they have more time and better information than administrators do.

Why Worry?

There are organizations dedicated to breaking into networks. There are literally thousands of computer hackers that roam the Internet and bulletin board systems (BBSs) trading information about how to hack. Fortunately, most do not know what they are doing. I have witnessed supposed hackers follow cookbook examples of how to obtain root (i.e., the super-user account on the Unix Operating System) on a Unix system and then type dir. The recent explosion of the World Wide Web has provided them with nearly unlimited places to play and prey on administrators ignorant of basic Internet security.

Administrators and designers must ask the following question: What is the worst thing that could happen if a malicious or greedy person had complete, privileged access to their computer network? Could it embarrass or compromise their company? Their clients? Their country? How much productivity would the company lose if all of its hard drives were erased?

There are often times when management must be convinced of the need for network security. Simple investments of labor and equipment can be easily qualified as productivity insurance. Suppose there is a company where 500 employees depend on the computer network to perform their jobs. Also suppose that they make an average of $20,000 per year. If every user were down for eight hours, the loss would be about $38,000 of labor. This sort of formula can be used to justify time, training, and equipment purchases.

The time lost is not the only value destroyed by the malicious hacker; company data can also be lost. If a business loses a trade secret (possibly derived after millions of R&D spending), there may not be a company to protect. Some data is also legally required to be confidential (e.g., credit information or patient data).

INTERNAL SECURITY

This section describes security problems that are local to computers. These include basic LAN insecurity, user passwords, and computer viruses and worms. In most environments, it cannot be assumed that every user is trustworthy. Disgruntled employees, corporate spies, and part-time hackers can wreak havoc on a system. This can be true in an open-access network, particularly one where people come and go (e.g., a university).

Legal Defense

If computer security is the administrator's responsibility, he or she must become familiar with some legal processes. There are countless laws that could affect the way a company operates. New laws and case decisions are introduced daily. Although they are beyond the scope of this chapter, it is strongly recommended that a company and its data be protected legally.

In most environments, it is typically not unreasonable to have some expectation that the users will behave responsibly. The responsibility of the users should be expressed explicitly in the form of a network use agreement. Many companies now engage in the practice of having their users sign such an agreement.
These documents not only serve to inform the user of the established policies and laws, but also act as an insurance policy if a user breaks the rules. For example, the form in Exhibit 8-1-1 is signed by each user at the University of South Florida (USF) before they are permitted to access the network. In addition, USF has enacted a policy concerning computer use that further strengthens their legal position (see Exhibit 8-1-2). Laws vary between countries and states. Corporate legal counsel should advise administrators before they have any users sign any document.

Exhibit 8-1-1. Sample Network Use Agreement

Exhibit 8-1-2. USF Computer Use Policy


