Computer Security


Computer Security, the techniques developed to protect single computers and network-linked computer systems from accidental or intentional harm. Such harm includes destruction of computer hardware and software, loss of data, and the deliberate invasion of databases and applications by unauthorized individuals.

Data may be protected by such basic methods as locking up terminals and replicating data in other storage facilities. More sophisticated methods include limiting data access by requiring the user to have an encoded card or to supply an identification number or password. Such procedures can apply to the computer-data system as a whole or may be pinpointed for particular information banks or programs. Data are frequently ranked in computer files according to degree of confidentiality.

Operating systems and programs may also incorporate built-in safeguards, and data may be encoded in various ways to prevent unauthorized people from interpreting or even copying the material. The encoding system most widely used in the United States is the Data Encryption Standard (DES) designed by IBM and approved for use by the National Institute of Standards and Technology in 1976. DES involves a number of basic encrypting procedures that are then repeated several times. Like most encryption methods, DES repeatedly applies a fixed-length “key” to turn plain text into cipher text. In general, the longer the encryption key, the more secure the data. The DES key is 56 bits long, which was adequate when it was devised but can now be readily cracked. More recent encryption methods include triple-DES, which has a 112-bit key and is widely used in the finance sector, and the Advanced Encryption Standard (AES).

Very-large-scale computer systems may be broken up into smaller subsystems for security purposes, but smaller systems in government and industry are more prone to system-wide invasions. DES and its successors can be used to generate “digital certificates” that prove the identity of a computer. This affords some protection for computers interfacing over a network—in particular, for safe and secure electronic business transactions. The uniqueness of a digital certificate is assured by a “private key” that is known only to the originator of the certificate. It can be validated by anyone with a “public key” for that certificate. This use of private and public keys to identify computers on a network is referred to as Public Key Infrastructure (PKI), and an organization that issues certificates and the associated keys is a Certification Authority (CA). Verisign is a well-known CA.
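The certificate check described above, as an added example that is not part of the original article: a CA signs the binding between a computer's name and its public key, and anyone holding the CA's public key can validate that binding and then confirm that the computer holds the matching private key. It assumes textbook RSA with tiny constructed keys as the signature scheme (the article names no signature algorithm); the names `Example CA` and `shop.example` and all function names are hypothetical.

```python
import hashlib
import json

def make_keypair(p, q, e=65537):
    """Toy textbook-RSA key pair from two primes (illustration only, not secure)."""
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    # Hash the message and reduce it into the modulus range (toy scheme, no padding).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    return pow(_digest(data, private["n"]), private["d"], private["n"])

def verify(public, data, signature):
    return pow(signature, public["e"], public["n"]) == _digest(data, public["n"])

def signed_fields(cert):
    """Canonical bytes of everything the CA vouches for (all but the signature)."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()

def issue(ca_name, ca_private, subject, subject_public):
    cert = {"issuer": ca_name, "subject": subject, "public_key": subject_public}
    cert["signature"] = sign(ca_private, signed_fields(cert))
    return cert

def validate(cert, trusted_cas, expected_subject):
    """Accept only a certificate for the expected name signed by a trusted CA."""
    ca_public = trusted_cas.get(cert["issuer"])
    if ca_public is None or cert["subject"] != expected_subject:
        return False
    return verify(ca_public, signed_fields(cert), cert["signature"])

def proves_identity(cert, trusted_cas, expected_subject, nonce, proof):
    """Certificate must validate AND the peer must hold the matching private key."""
    return (validate(cert, trusted_cas, expected_subject)
            and verify(cert["public_key"], nonce, proof))

# Constructed demo data; Mersenne primes are used only because they are short to write.
CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
SRV_PUB, SRV_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
TRUSTED = {"Example CA": CA_PUB}
CERT = issue("Example CA", CA_PRIV, "shop.example", SRV_PUB)
NONCE = b"constructed-challenge-0001"

if __name__ == "__main__":
    print(proves_identity(CERT, TRUSTED, "shop.example", NONCE, sign(SRV_PRIV, NONCE)))
```

Changing any signed field after issuance (the subject name or the public key) makes `validate` return `False`, because the CA's signature no longer matches the certificate contents.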

Most invasions of computer systems are for international or corporate spying or sabotage, but computer “hackers” may take the penetration of protected databanks as a challenge, often with no object in mind other than accomplishing a technological feat. Of growing concern is the criminal hacking of computer systems to gain access to personal information such as credit card and bank account details. The deliberate implantation in computer programs of “viruses” or “worms” can, if undetected, allow unauthorized users to retrieve this sort of data. The recent “Bugbear” virus is an example of this worrying threat to the security of computer networks. In many cases, infected programs are posted on the electronic bulletin boards available to computer users. Other viruses have been incorporated into computer software sold commercially. No real protection is available against such bugs except the vigilance of manufacturer and user and the use of digital certificates and signatures to validate the authenticity of online content.
