Computing Security

INTRODUCTION

Computer security involves safeguarding computing resources, ensuring data integrity, limiting access to authorised users of online and other accounts, and maintaining data confidentiality. Effective computer security therefore involves taking physical security measures (to ensure hardware and media are not stolen or damaged), minimising the risk and implications of error, failure or loss (for example by developing a resilient 3-2-1 back-up strategy), appropriate user authentication (for example by implementing two-factor authentication or "2FA"), and finally the encryption of sensitive files.

We live in a world where "information wants to be free" and in which people are getting used to having access to whatever information they want anytime, anywhere and from a wider and wider range of computing devices. Unfortunately, in terms of the security and control of the resources to which computers permit access, this can prove quite a problem. Indeed, many users unfortunately often view security and control measures as inhibitors to effective computer use.

The following article discusses computer security from a range of perspectives. If you are an individual computer user, you may also find useful these two most recent ExplainingComputers security videos:

SECURITY & DATA INTEGRITY THREATS

The range of means by which the security and integrity of computing resources can be threatened is very broad, and encompasses:

  • Operator error (for example a user inadvertently deleting the wrong file).
  • Hardware or media failure (either as a result of wear-and-tear, old age or accidental damage).
  • Theft or sabotage (of hardware and/or data or its media).
  • Hackers (who obtain unauthorised access to online accounts or other systems).
  • Malware (any form of virus, including ransomware).
  • Power surges and/or outages (which are one of the most common means of hard disk corruption and hardware damage).
  • Flood, fire, storm or other natural disasters.
  • Fraud or embezzlement.
  • Industrial espionage.
  • Terrorism.

Protecting against the above requires a variety of measures to be undertaken. Below we'll start with those measures required to protect online accounts, which is today what most people first think about when "computer security" is mentioned. However, as the above bullet list hopefully signals, there is a lot more to computer security than preventing unauthorized access to services accessed over the Internet.

PROTECTING ONLINE ACCOUNTS: PASSWORDS & BEYOND

Today, many online accounts are only protected by passwords. Security experts generally agree that passwords are not that secure, and will increasingly be supplemented or replaced by other authentication methods. Indeed, in September 2021, Microsoft announced that the “passwordless future” had arrived. This was, however, a bit premature, and so some advice on password security is warranted!

Firstly, assume that somebody is always trying to guess your password, or to discover it via a brute force attack in which they attempt all possible character combinations. You should therefore make all passwords as long as possible -- ideally a good 12 characters or more -- as well as including a mix of upper and lower case letters, numbers, and punctuation symbols. Ideally, don't include real words in a password, and never include words that are related to the user, or which could be guessed by looking at their social media accounts.

Also, always use different passwords for different accounts, so that if one account is compromised everything's not lost. Admittedly, remembering lots of passwords can be difficult. So either use a password manager or, if you don't trust password managers, store your passwords in an encrypted document or on an encrypted device. Personally I store passwords on encrypted USB drives.

Finally it’s worth noting that whilst for years standard advice was to change passwords regularly, today this is no longer the case. In part such advice was given when it was hard to check if somebody else had accessed your account. But today it’s easy to review sign-in activity and logged-in devices, and indeed we should all do this on a regular basis, such as once a week.

Reflecting this, in 2019 Microsoft dropped its policies for regular password changes. As they noted "Periodic password expiration is an ancient and obsolete mitigation of very low value". As they further explained "If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem".

TWO-FACTOR SECURITY

In general, there are three ways to prove your identity when accessing an online account. These are something you privately know, something you possess, and a unique characteristic of your body, known as a biometric.

Today, things you privately know include passwords, one-off codes sent via SMS text or e-mail messages, and emergency back-up codes. Things you possess include phones with built-in security keys; mobile devices installed with authenticator apps or which receive verification prompts; other computers with a trusted status; and standalone USB or NFC security keys, also known as hardware authentication devices. Finally, the most common biometrics are fingerprints, facial recognition, voice prints and iris scans.

If you want to protect an online account, it should be set up so that two of the above factors are required to gain access. This provides two-factor authentication (2FA), also known as two-step verification, or 2SV.

Two-factor authentication is offered by all major e-mail and other cloud service and social media providers, including Google, Microsoft, Facebook, Apple, Amazon and Twitter/X. Usually you turn it on by accessing your account, and then a menu called something like “Login & Security”, where there will be some 2FA or 2SV settings.

Once two-factor authentication is activated, you usually log in by entering a password, before being prompted to complete a further verification step. Often this involves entering a one-off code sent via a text or e-mail message, or generated by an authenticator app. Or a prompt may be sent to a mobile device, which you need to approve. If you’ve opted-in to Microsoft’s brave new world and no longer use a password, a second verification step can be used alongside a fingerprint, face recognition, or other non-password authentication method. In most systems, you can choose to give the computer you’re working on a trusted status, so that it becomes the second verification factor for future logins.

Activating two-factor authentication significantly increases security, and indeed from November 2021, YouTube required it to be enabled for all monetizing channels. However, not all two-factor authentication methods are equally secure, with increasing reports of codes sent by SMS or e-mail being intercepted. Or you could fall victim to a SIM swap attack in which your cell phone number is hijacked. For this reason, it’s better to use an authenticator app or mobile device prompts, rather than text or e-mail codes, as your second-step verification method. And if you really want to secure your online account, you should consider a hardware security key, such as a Yubikey or Google Titan device, which you plug into a computer and touch when required.

Security keys are also included in many modern smartphones, and specifically those running Android 7.0 or above, and iOS 10 or above. Security keys in phones can be used both on the device itself, and via Bluetooth or an authenticator app when you need to log-in to an account on another computer.

Security keys can be used in several different ways as either the only method used to access an account, or ideally as the second factor in two-step verification. It’s normal to have two keys, one of which serves as a backup. And once you have a set of keys, you can use them on as many different accounts as you like. Keys from Yubico, Google and other major suppliers will work with all common browsers in Windows or macOS, although some messing about is required to set things up in Linux.

Even if you use a Google Titan, Yubikey or other hardware device for 2FA, it's worth remembering that any online account is only as secure as its weakest second factor verification method. So if you’ve added security keys to an account, for maximum security you should remove phone-based verification, so that it’s never offered as an alternative. If this makes you nervous, most accounts allow you to generate one or more one-off backup codes that you can store in a safe place -- such as on an encrypted USB drive -- just in case you ever lose access to your security keys.

It’s worth noting that if you use a Google account with two security keys -- one of which can be phone based -- you can join Google’s Advanced Protection Program. This is free, and makes your account very secure indeed. Setup is very straightforward, and once you are enrolled you can only log in using a security key as a second factor. Many apps that rely on accessing a Google account will also not work once you’re in the Advanced Protection Program, and in the event of a problem, account recovery will take many days. In security terms, these restrictions are all a very good thing indeed, but do reflect on them before you enroll.

PHYSICAL SECURITY MEASURES

Given the breadth of the human reliance on computer technology, physical security arrangements to try and ensure that hardware and storage media are not compromised by theft or unauthorised access are more important today than ever before. And yet surprisingly they are still often not taken seriously enough. Not least due to advances in mobile and cloud computing, computing resources are more vulnerable to theft than ever before. Twenty or more years ago, most computer equipment and data lived in a secure IT "glass house" well out of the reach of the casual thief, and with the hardware involved of little or no street value anyway. But today this is obviously no longer the case.

Personal and business data is now stored across a wide range of organisational, cloud vendor and personal locations, more work is conducted at home than since the rise of the modern city, and IT departments therefore have a right to be nervous. At the very least, physical computing security measures -- such as external building safeguards and the control of access to areas of a building where computers are located -- should be subject to regular formal updating and review. Most large organizations -- particularly in the public sector -- have a horror story or several to tell of computer equipment that has "walked". Many such stories suggest that people who walk out of buildings with computer equipment under their arm are rarely challenged (and sometimes even assisted!). Locking-down computer equipment and/or ensuring adequate door and window security at all computer locations should today just be pure common sense.

Physical security also needs to be particularly carefully considered in semi-public locations (such as many open plan offices). For example, it needs to be considered how easy it would be for somebody to gain access to a PC, insert a USB flash drive, and walk away with valuable or sensitive data.

Large corporate data centres in which the computer equipment is located in an air conditioned room typically have fire control systems that will hermetically seal the location and put out a fire using an inert gas. In smaller companies and domestically this clearly is not an option. However, whilst computers themselves may be at risk from fire (and indeed the cause of a fire), back-up media can be protected in a fire safe, and/or via off-site storage. The physical security of storage media against the threats of fire, flood and other forms of damage is discussed further in the following section.

Alongside theft, fire and flood, the other most significant threat that can damage computer equipment and/or the data held on it comes from power surges (voltage spikes) or power outages (brown-outs or black-outs). Many hard disk failures in particular are thought to be linked to power surge or outage issues of which users are often unaware. To protect against this very real but often ignored threat to computer equipment and data, a power surge protector and/or uninterruptible power supply (UPS) unit can be employed. Surge protectors are relatively cheap and protect against voltage spikes. They are today often built into multi-socket outlets with an insurance guarantee included for the connected equipment.

For even greater protection, a UPS unit includes a rechargeable battery that will continue to power a computer and key peripherals during a mains power brown-out or black-out. Software is usually also used to permit a controlled shut-down of equipment when a power black-out occurs. UPS units are more expensive than surge protectors, somewhat bulky, and often very heavy. However, for a server or key personal computer (such as one used to run a business or key part thereof) they are also a very good investment.

BACKUPS: MINIMISING THE IMPACT OF ERROR, FAILURE OR LOSS

Whilst physical threats need to be protected against, most data is lost or corrupted following user error or hardware failure. The best defence against this is an appropriate back-up strategy, triggered on both a time and event basis and with appropriate physical resilience.

In other words, users need to ensure that they take back-ups at regular intervals and before and after making key data changes. They also need to store multiple back-ups on different media in different locations. There is no such thing as a permanent store of any form of computer data. Nor is any storage location entirely safe (although the cloud data centres run by Google, Amazon, IBM, Microsoft and other computing industry giants are pretty well protected these days!).

For many years there’s been a very helpful piece of backup guidance called the 3-2-1 rule. This states that we should keep at least three copies of our data, on at least two different media, with at least one copy kept off-site. So, for example, we may have the original or working version of a file saved on a PC’s SSD or hard drive, a second copy on an external hard drive, and a third copy stored online. This makes use of local online, local offline and cloud storage, and meets the 3-2-1 rule by providing three copies of the data on at least two different media, with one copy retained off-site.
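A copy only counts towards the 3-2-1 rule if it still matches the original, so the rule is worth checking rather than assuming. The following added example (not code from the original article) hashes each copy and then applies the three tests. The file names, media labels and the `check_321` and `demo` helpers are constructed for illustration, with temporary files standing in for the SSD, external drive and cloud copies.

```python
import hashlib
import tempfile
from collections import namedtuple
from pathlib import Path

# One entry per copy of the data, including the working original.
Copy = namedtuple("Copy", "path medium offsite")


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large back-ups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_321(original, copies):
    """Return a list of problems; an empty list means the 3-2-1 rule is met.

    Assumes `original` exists. Copies that are missing or that differ from
    it are reported and do not count towards the rule.
    """
    reference = sha256_file(original)
    verified, problems = [], []
    for c in copies:
        if not c.path.is_file():
            problems.append(f"{c.medium}: copy is missing")
        elif sha256_file(c.path) != reference:
            problems.append(
                f"{c.medium}: copy differs from the original (stale or corrupt)")
        else:
            verified.append(c)
    if len(verified) < 3:
        problems.append(f"only {len(verified)} verified copies (need 3)")
    if len({c.medium for c in verified}) < 2:
        problems.append("verified copies are on fewer than 2 media")
    if not any(c.offsite for c in verified):
        problems.append("no verified copy is off-site")
    return problems


def demo(stale_cloud_copy=False):
    """Constructed sample inventory built from temporary files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        copies = [
            Copy(root / "working.dat", "internal-ssd", False),
            Copy(root / "external.dat", "external-hdd", False),
            Copy(root / "cloud.dat", "cloud", True),
        ]
        for c in copies:
            c.path.write_bytes(b"accounts-2024 " * 1000)
        if stale_cloud_copy:
            copies[2].path.write_bytes(b"accounts-2023 " * 1000)
        return check_321(copies[0].path, copies)


if __name__ == "__main__":
    print("healthy set:", demo())
    print("stale cloud copy:", demo(stale_cloud_copy=True))
```

In the second run a single out-of-date cloud copy breaks two parts of the rule at once, because it was both the third copy and the only off-site one.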

ENCRYPTION: MAINTAINING CONFIDENTIALITY

In part the confidentiality of data is protected via physical security measures and appropriate user authentication precautions as already outlined above. However, effective security should plan for what happens if these measures fail, and how data confidentiality can be protected even if computer equipment or media fall into the wrong hands. This is particularly important when it comes to the protection of sensitive information such as financial data.

The confidentiality of the data on stolen hardware or of data accessed by unauthorised users can be protected via encryption. For example, software such as the open-source VeraCrypt (available from https://www.veracrypt.fr/code/VeraCrypt//) can be used to encrypt the data on any storage device (for example a USB key carried in your pocket). Office documents can also or alternatively be protected by securing them with a password.

Data confidentiality also needs to be protected on output and disposal. In the case of the former, in an open plan office environment precautions should be taken when sending documents containing confidential information to a communal network printer. In the case of the latter, printed output containing sensitive data needs to be disposed of securely (eg via shredding and/or incineration), as do waste media (such as discarded optical disks).

At the end of a computer's life or when components are being upgraded, care also needs to be taken to ensure that discarded hard disk drives (including those located in external hard drive units) are appropriately erased before disposal.

DISASTER RECOVERY PLANNING

Both individuals and in particular businesses should have plans in place to cover the eventuality of hardware failure or loss and/or data loss or corruption. Such disaster recovery or "business continuity" plans need to address how data would be recovered, what hardware would be used to run critical applications, and by whom. Such plans particularly need to take into account any current use of out-of-date software applications that may not be able to be replaced and/or run on replacement hardware and operating systems. To recover back-ups of data that cannot be run on any available hardware and software will not in any way ensure business continuity!

Depending on the types of threat they are intended to cover, disaster recovery plans may rely on one or a mix of strategies (and a mix is arguably often best). One option is on-site standby, where duplicate systems exist that can be used to run critical operations (provided that data is still available or can be recovered). Such duplicate systems need not necessarily be standing idle waiting for disaster (as they would be in a nuclear power station), but may be everyday systems used in one part of the business that are prepared to run key applications from other parts of a business if the need arises.

As an alternative to on-site standby, some sort of off-site standby is very common. If a company has multiple buildings or premises, then it makes sense both to hold off-site back-ups across these locations, and to ensure that key system functionality can be duplicated across sites.

Some businesses also have "reciprocal agreements" with other companies to make use of their computers to run key operations in the event of a disaster (such as a fire that destroys their premises). Often small and medium-sized companies make such reciprocal agreements with nearby schools who have suitable computer suites which they are prepared to offer as an off-site standby provision for a reasonable cost. For larger organizations, or those highly dependent on computing continuity, "hot-site agreements" can be made with firms that offer commercial disaster recovery as a service, and who can deliver (for a price) portable working computer rooms at very short notice.

As a final element of disaster recovery planning, replacement purchase plans should be in place. In the event of fire or theft, the last thing most individual users or companies would want to be thinking about is where to purchase new computer equipment from, and what specification to choose. Not least this is an issue because direct-specification let alone exact-model replacements for any items of computer hardware or software more than a year old are incredibly unlikely to be available.

COMPUTER SECURITY: SUMMARY

For most users and organizations, effective computer security and data integrity involves carefully considering the following key questions:

  • What would happen if your data was not available?
  • What would happen if your hardware was not available?
  • What could happen if somebody else had access to your online accounts, hardware and/or data?

Unless there are deemed to be no negative consequences that could arise, in order to address the potential implications of the above any computer user -- be they an individual or a large business organization -- needs to take the following measures.

First and foremost, a back-up strategy should be implemented that provides resilience against flood, fire, theft and media failure. Such a strategy needs to ensure that back-ups are taken at regular intervals and when key events take place (for example when a major project is completed or prior to and following a company's end-of-year and audit). Resilience will be obtained by following a "3-2-1" strategy of keeping at least three backups on at least two media, with at least one of these stored off-site.

Secondly, alongside a back-up strategy, users must ensure that they have reviewed and protected their online accounts, making use of strong passwords and two-factor authentication as appropriate. To ensure good online security, it is also important to make sure that all end user computing devices are running appropriate firewalls and anti-virus software, and that their operating system remains in support and is receiving security updates.

Thirdly, it is important to ensure that files are encrypted where protection is needed against loss of data confidentiality in addition to loss of data access. Many people are excellent at keeping back-ups, but have never thought about the consequences of one of their back-up devices (such as a USB key containing all of their personal files) getting lost or stolen and falling into the wrong hands.

And finally, also of critical importance for organizations in particular is the maintenance of a disaster recovery plan for ensuring a continuity of operations in the event of hardware failure or loss. This said, even for many private individuals, some form of disaster recovery plan is recommended.

You can find video content to help assist with the above here.

