
Microcomputer Security: The P in PC Stands for "Personal"

CAUSE INFORMATION RESOURCES LIBRARY

The attached document is provided through the CAUSE Information Resources Library. As part of the CAUSE Information Resources Program, the Library provides CAUSE members access to a collection of information related to the development, use, management, and evaluation of information resources -- technology, services, and information -- in higher education. Most of the documents have not been formally published and thus are not in general distribution. Statements of fact or opinion in the attached document are made on the responsibility of the author(s) alone and do not imply an opinion on the part of the CAUSE Board of Directors, officers, staff, or membership.

This document was contributed by the named organization to the CAUSE Information Resources Library. It is the intellectual property of the author(s). Permission to copy or disseminate all or part of this material is granted provided that the copies are not made or distributed for commercial advantage, that the title and organization that submitted the document appear, and that notice is given that this document was obtained from the CAUSE Information Resources Library. To copy or disseminate otherwise, or to republish in any form, requires written permission from the contributing organization.

For further information: CAUSE, 4840 Pearl East Circle, Suite 302E, Boulder, CO 80301; 303-449-4430; e-mail info@cause.colorado.edu. To order a hard copy of this document contact CAUSE or send e-mail to orders@cause.colorado.edu.

CAUSE/EFFECT
July 6, 1993

Daniel Arrington

"Devastating Wave of Computer Theft Pushes Universities to Compare Notes and Search for Ways to Boost Security" -- This headline appeared over a story published in The Chronicle of Higher Education on June 9, 1993. Descriptions of microcomputer thefts happening in many universities and colleges are used to suggest that no one is immune.

Introduction

Skilled operators protect the interests of mainframe and minicomputer users by limiting physical and logical access to campus computers. These same operators perform regular backups to save everyone's work. One of the most important differences in the world of personal computers is that you are responsible for protecting expensive investments in your microcomputer system and in your work. Making sure that no one can steal or deliberately damage part of your computer system is just about as important as knowing how to use the computer. The following information is intended to suggest a few ideas about protecting computerized resources for yourself and your department.

Identifying security problems is easy. Simply try to imagine everything that could possibly interfere with doing your job. Even the most improbable scenario can represent a potential problem that threatens your security. Anticipating such problems means taking steps to avoid or minimize their effects before any of them occurs.

Physical Security

Theft and damage to hardware, software, or data are the most obvious physical threats to your computer system.

Theft

Campus police officers sometimes wander through buildings looking for unlocked office doors and unattended desks during normal office hours. Finding this situation, they may leave a card advising employees that if they were so inclined, the officers could have stolen or destroyed anything they wanted. I assure you that ever since I found one of these cards on my desk, my door remains closed and locked unless someone is in the office.

Computer systems have become smaller and more transportable every year. If you aren't careful, someone can easily walk off with part or all of your computer.

Tips:

- Add new equipment to your institution's property files as soon as possible.
- Place property decals in a prominent spot on the equipment.
- Create an equipment list containing a description, serial number and date of purchase.
- The easiest way to protect against theft is to keep all computers in highly visible places within rooms secured against unauthorized access.
- Close and lock office doors. Don't leave work areas unprotected as a matter of convenience. If other people need access to the office then distribute extra keys.
- Key locks on computer cases are so easy to break they don't protect against theft at all. If available, the lock's purpose is simply to make it more difficult for someone to remove anything from inside the computer's case.
- Consider installing physical restraints if computers have to be in an area that cannot be watched all the time. Vendors sell many kinds of locking devices ranging from steel cables to solid enclosures for computer cases. These measures can be helpful but they are not foolproof.
- Your continuing attentiveness is the most important form of protection because with sufficient motivation and enough time, anything can be stolen.

Environmental

Electrical problems are the second most common cause of computer damage and data losses. There can be tremendous variation in electrical quality from one building to another and often, from one room or outlet to another.

Everyone is aware of power outages. The feeling you get when the power unexpectedly goes off is terrible, especially when you realize everything you've done in the past hour is gone forever. Even so, the consequences of unnoticed power fluctuations can be far more damaging. Power problems actually reduce the useful life expectancy of electronic devices and can, especially in the case of computers, cause everything from intermittent operational problems to burned out components.

Tips:

- If you can see lightning or hear thunder, unplug all computers and peripherals including any phone lines attached to modems. Wait until the storm has dissipated before plugging the computer back into an outlet.
- Never plug a computer directly into an outlet. Inexpensive ($40 to $80) surge protectors that can be used as system "on-off" switches provide a little protection against some kinds of power fluctuations.
- Uninterruptible power supplies (UPS) are power protection devices containing a battery. A UPS gives you a few minutes to close down your system normally when the power goes out. A UPS also provides better protection against variations in the quality of electricity used by your computer. The useful life expectancy of a UPS -- one to three years -- is determined by the number of times it is actually activated to protect your computer. Most batteries cannot be replaced so the entire UPS is a recurring expense.
- If possible, plug your laser printer into an outlet that is not being used by a computer. Laser printers draw a lot of power and can cause brownout-like effects if a computer is drawing electricity from the same surge protector.
- Extension cords are a fire hazard and should not be used for permanent installations. In the same vein, never daisy-chain surge protectors or UPSs.
This practice exceeds the capabilities of protective devices and can lead to damaged system components.
- Microcomputers can be operated safely in an extensive range of temperatures and humidity. A good rule of thumb is to operate the computer in conditions you find comfortable.

Data

Scientific use of the term data refers to unprocessed observations and facts. For the purposes of this discussion, any information stored on a computer is considered to be data.

Discussions of data security commonly include the word backup. Backing up describes the act of copying important information to one or more places in addition to the original copy. The simplest form of backup is to copy a file from the computer's hard disk onto a floppy diskette. Alternative backup strategies rely on other media such as magnetic tape or removable disk drives (i.e., Bernoulli, floptical, or WORM disks). It is a good idea to store a copy of backup files someplace outside the building in which you use the originals.

Tips:

- Establish and follow a schedule of regular file backups.
- If possible, store a copy of your backup disks in another climate-controlled building. Backups allow you to avoid problems caused by theft or component failures in your own computer. Off-site storage ensures protection against mishaps affecting your building.
- Never back up commercial programs. After all, you still have the original program disks and can always reinstall the software should anything happen to your hard disk.
- Use whatever you've got. That is, if the only backup media available to you are 720 Kb disks, then use them. If DOS backup and restore programs are your only alternatives to copying lots of individual files, then use them. The absence of sophisticated backup software or hardware is no excuse for avoiding your data preservation responsibilities.
- Floppy disks are disposable: Avoid working with files on diskettes. Copy files from the diskette to a temporary directory on your hard disk; use or modify the files as needed; and, if necessary, copy changed files back to the floppy disk. Although this procedure sounds as if it takes a lot of time, it actually saves time that would otherwise be spent waiting for the computer to read and write data using an extremely slow floppy disk drive. Disks fail on a regular basis if they are used over and over again. Individual disks are cheap. Throw them out as soon as you have a reason to question their performance.
- Don't store disks near a computer display or telephone. Don't use magnetic letter holders to hold paper for data entry purposes. The strong magnetic fields associated with any of these devices can completely destroy information saved on a diskette.
- Don't set a laser printer on top of the computer to save desk space. The printer's motor is an especially effective electromagnet and can erase information on a hard disk placed mere inches away.
- If information stored on backup disks is especially important, you may need to periodically restore the data and make another backup on freshly formatted disks. This is necessary because the magnetic surface of a disk deteriorates over time and data saved on the diskette can disappear or become unusable.
- Avoid viruses. Restrict diskette use to data files.
That is, don't use disks to transport executable programs between computers. Install software from original program disks. Operating within these informal guidelines will minimize the chance of infecting your computer. Utility programs cannot provide totally effective virus-protection. People installing or using unauthorized programs acquired from computer bulletin boards or from "friends" are responsible for most infections.

Intellectual Security

Computer systems can help us accomplish our work faster, better and more efficiently. These attractive goals are relatively intangible but it is important to develop procedures for protecting the investment in intellectual resources that are responsible for your automated performance.

Liability

The finest computer in the world is useless without software. Unlike hardware, when your department buys software what you are really getting is the right to use a copy of the program. Protecting your ability to use a computer begins by making sure you are using legal copies of all programs installed on your computer. This responsibility cannot be side-stepped by claims of ignorance ("I don't know how that program got on my computer!") or by any kind of justification ("We have to have it but it's too expensive." or "Everyone does it!"). Bottom line -- software piracy is illegal. It is unethical and is strictly against institutional policy.

Tips:

- Maintain a list of programs installed on your computer. Include the program's name, version number, and serial number.
- Never allow anyone to install software on your computer unless you know where the original program disks and documentation are going to be kept.
- It is becoming common to buy software as an "additional license" without disks or printed documentation. If your program was bought this way, keep the official license in close proximity to your computer and note the circumstances on your program list.
- If your department simply buys a completely new copy of upgraded software it is perfectly O.K. to install your old program on someone else's computer. If you've taken advantage of discounted upgrade pricing, destruction of the previous copy may be a requirement. In this situation, you cannot use the old copy on another computer. You should reformat original program disks and erase related files from your hard disk.
- Promote a sense of personal responsibility by refusing to condone the practice of software piracy. Potential criminal and civil charges levied against pirates and their departments are far more expensive and would be a lot more embarrassing for you, your department, and your institution than any inconvenience caused by doing without a particular program will ever be.
- If you give any software to another user, give them everything including original and backup program disks and all documentation. Note the transfer on your program listing.

Documentation

Documentation can help avoid problems caused by someone's absence. It is an important tool that must be maintained as changes occur.

In the days of completely manual operations, the existence of a desk manual describing procedures in cookbook-fashion and conceptual guidelines for completing tasks was a basic requirement for nearly all jobs.
The arrival of automated software -- complete with how-to-use documentation -- eliminated some of the reasons for constructing and maintaining desk manuals. Such programs are often used to create intermediate work that might have been done on scratch paper before the advent of personal computers. Naturally, such work is so short-lived that an office cannot possibly benefit from traditional documentation. On the other hand, these same programs can be used to build applications that are so comprehensive and complex they must be documented.

New complications have been introduced by today's programs which include computer programming capabilities as an integral part of the software. Easy to construct macros and full-blown programming languages complement cross-application communication options built into Microsoft Windows. As a result, home-grown computer applications have become more common and will gain an increasingly important role in all office automation activities.

Tips:

- Keep commercial software manuals within reach. Despite the industry's best efforts, software is not yet completely intuitive. Printed how-to-use manuals may be more complete than on-line help screens and can be easier to use.
- Use common sense to decide how much of your work needs to be written down. Then do it. Are there certain steps that must be performed in a particular order to complete a task? Examples of the kinds of things that don't have to be documented include using a word processor to create memos or letters or using a graphics program to develop slides for a presentation.
- Using a database program to maintain a list should be documented with regard to purpose, field names, and sample output. A complex spreadsheet that is repeatedly employed to complete a specific office task might be noted in documentation citing why and when it should be used along with details about any macros.
- Any programmed application needs to be documented very extensively. The purpose of programming documentation is to enable someone other than the original developer to maintain and modify the system. Documentation should be complete enough to allow someone else to reconstruct the entire system. These applications also need to be described in how-to-use desk manuals.
- The importance of documentation cannot be overstated. This task must be done as soon as an application is created and needs to be reviewed often to ensure ongoing accuracy.

Access

Security systems rely on a combination of techniques to make sure users of mainframes, minicomputers, local area networks and other shared computer systems are granted access to just enough information to do their jobs. Colleges and universities must comply with a diverse array of rules and laws designed to limit the exposure of sensitive information concerning students and employees. Your awareness of security issues is the most important part of information security.

Tips:

- Never include your password in an automated macro. This is a major security violation and besides, if you don't type the password regularly, you are very likely to forget it.
- Change your password frequently but choose a word that you can remember so easily you won't be tempted to write it down anywhere.
The best passwords are not based on anyone's name or anything that can be guessed easily and may include a non-alphabetic character (e.g., '#', '&', '@', etc.).
- Never leave your computer unattended if you are attached to a shared system. Sign off from the network even if you only expect to be gone for a few minutes.

Strategies

Years ago, home fire-drills were an especially popular safety strategy. The concept of anticipating problems and planning evasive or reactionary actions against the possibility that something bad might happen is even more valid today.

What will you do -- no, what can you do if your computer is stolen tonight? What options do you have if the hard disk in your computer quits working right now? Do you know what to do when a coworker or employee unexpectedly calls in sick ten minutes before an important meeting in which you are supposed to provide documentation? None of these scenarios is especially far-fetched. All of them happen somewhere every day. The real question is -- are you prepared?

Summarized Tips:

- Assume a sense of personal responsibility for your work space. No one can take exception if you've done everything possible to protect your system against theft and natural disasters.

- Continuing attentiveness is the best protection against theft.
- Use power protection devices whenever possible.
- Develop and maintain a list of your hardware and software.
- Back up your data according to a regular schedule and save a copy in another building.
- Protect system passwords as carefully as you do the PIN number on your ATM card.
- Prepare documentation for any application you've developed.
- Review your desk manuals from time to time to make sure they remain accurate.

Summary

Ensuring the security of your personal computer resources is an important part of doing your job. Don't treat your computer as though it were your own property. Instead, protect the computer and your work as though they belonged to someone else -- a "someone" who is extremely possessive and terribly vindictive when something bad happens to anything you've borrowed from them. Accidents can happen, but with regard to security, your job is to make sure that you have done everything possible to minimize the effects of a disaster before it occurs. Remember, the P in PC stands for "Personal".
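
The Data tips call for regular backups and for periodically re-checking important backup disks because the media deteriorates over time. One way to make that re-check mechanical is a checksum manifest, shown here as an added example that is not part of the original article; the function names, file names and file contents are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare a backup copy against the manifest taken from the originals."""
    current = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "damaged": sorted(n for n in manifest
                          if n in current and current[n] != manifest[n]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed sample: back up three files, then damage the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        work, backup = Path(tmp, "work"), Path(tmp, "backup")
        (work / "budget").mkdir(parents=True)
        (work / "budget" / "fy93.wk1").write_bytes(b"constructed spreadsheet data")
        (work / "memo.txt").write_text("constructed memo text")
        (work / "roster.dbf").write_bytes(b"constructed database rows")

        manifest = build_manifest(work)      # taken at backup time
        shutil.copytree(work, backup)        # the backup itself
        clean = verify_backup(backup, manifest)
        assert not any(clean.values())       # a fresh copy verifies cleanly

        # Simulate media deterioration: one flipped bit, one lost file.
        victim = backup / "roster.dbf"
        data = bytearray(victim.read_bytes())
        data[0] ^= 0x01
        victim.write_bytes(bytes(data))
        (backup / "memo.txt").unlink()
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(demo())
```

Storing the manifest with each backup copy, including the off-site one, lets the periodic re-check report exactly which files need to be copied again from a good source.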