
IT security: the basics

The importance of effective security to your business

Information is an essential resource for all businesses today and is the
key to growth and success. However, you need to ensure that the
information held on your IT systems is secure.

The impact of a security breach may be far greater than you would
expect. The loss of sensitive or critical information may not only affect
your competitiveness and cashflow but also damage your reputation -
something which may have taken you years to establish and which
may be impossible to restore.

Information also needs to be protected if you share it with other
organisations. For many businesses, the internet has replaced
traditional paper-based ways of exchanging information. It can be sent
and received faster, more frequently and in greater volume.

However, the internet brings its own security issues which businesses
must consider. Some of the threats posed by hackers on the internet
include:

• gaining access to sensitive data such as employee records, price
lists, catalogues and valuable intellectual property, and then
altering, destroying or copying them
• altering your website to damage your reputation or direct your
customers to another site
• gaining access to financial information about your business,
employees or your customers for the purposes of fraud

The security threats to your IT systems


There are many threats posed to your IT and e-commerce systems.
People from both inside and outside your business - employees and
hackers - may try to gain unauthorised access to your applications
and information. Once they have accessed your systems, they can
compromise your data and applications, either unintentionally or
maliciously. See our guide on application security.

One of the biggest causes of security breaches in the workplace is the
mishandling of log-in details or passwords by employees. Typical
instances of security breaches occur when passwords are:

• written down
• shared with other people
• not changed frequently enough

Other risks are computer viruses, which are programs that alter the
way a computer operates, without the knowledge or consent of the
user. Viruses are often contained in email attachments. These are
often seen as '.exe' (an executable file) or '.scr' which is the file
extension used for Windows screensavers. These files can contain
viruses, worms or Trojans that can infect your computer.

These have to be opened in order for the virus to infect any
computers, but may also be picked up when visiting malicious
websites. Viruses can also be transferred between computers via
infected USB flash drives and other external media such as infected
CDs.

There are huge numbers of viruses in existence. Some are extremely
malicious, with the ability to delete or damage files and programs.
Others are less destructive, but can jam resources, causing systems to
crash with a consequent loss of data.

Some viruses can be used by hackers to take remote control of
computers, turning them into what are known as 'bots' or 'zombie
computers'. Collectively, these groups of computers are known as
botnets and they can be used for malicious activities, such as
denial-of-service attacks, click fraud and identity theft. See our guide on
keeping your systems and data secure.

Increasing numbers of frauds and illegal scams are directed at small
businesses and individuals. This increase is largely due to the
widespread use of the internet.

Another potential risk can come from the use of social networking
websites. These have been targeted by hackers who add links in their
posts that point to popular current events or entertainment news
websites. These links can take you to phishing websites, i.e. imitation
websites. These websites have the potential to infect your computer
with viruses, worms or Trojans. More commonly these websites are
used to obtain confidential information or install keystroke logging
software, or 'keyloggers', on your computer - software that records your
keyboard strokes as you type. This way, your personal details can be
stolen for malicious purposes.

Biometric Security Technology


Authentication plays a very critical role in security-related
applications like e-commerce. There are a number of methods and
techniques for accomplishing this key process. In this regard,
biometrics is gaining increasing attention these days. Security
systems, having realized the value of biometrics, use biometrics for
two basic purposes: to verify or identify users. There are a number of
biometrics and different applications need different biometrics.

What is a Biometric

A biometric is the most secure and convenient authentication tool.
It cannot be borrowed, stolen, or forgotten, and forging one is
practically impossible. Biometrics measure an individual's unique physical
or behavioral characteristics to recognize or authenticate their identity.
Common physical biometrics include fingerprints, hand or palm
geometry, retina, iris, and facial characteristics. Behavioral
characteristics include signature, voice, keystroke pattern, and gait. Of
this class of biometrics, technologies for signature and voice are the
most developed.

Biometric Technologies

Fingerprints - A fingerprint biometric looks at the patterns found on a fingertip.
There are a variety of approaches to fingerprint verification, such as
the traditional police method, pattern-matching devices, and things
like moire fringe patterns and ultrasonics. This seems to be a very
good choice for in-house systems.

Hand geometry - This involves analyzing and measuring the shape of
the hand. It might be suitable where there are more users or where
users access the system infrequently. Accuracy can be very high if
desired, and flexible performance tuning and configuration can
accommodate a wide range of applications. Organizations are using
hand geometry readers in various scenarios, including time and
attendance recording.

Uses of Biometrics

Biometric technology is one area that no segment of the IT
industry can afford to ignore. Biometrics provide security benefits
across the spectrum, from IT vendors to end users, and from security
system developers to security system users. Here we discuss a
number of critical applications that are in need of biometrics. For
decades, many highly secure environments have used biometric
technology for entry access. Today, the primary application of
biometrics is in physical security: to control access to secure locations
(rooms or buildings). Biometrics permit unmanned access
control. Biometric devices, typically hand geometry readers, are in
office buildings, hospitals, casinos, health clubs and lodges. Biometrics
are useful for high-volume access control. There are several promising
prototype biometric applications. One of them, EyeTicket, links a
passenger's frequent-flyer number to an iris scan. After the passenger
enrolls in the system, an unmanned kiosk performs ticketing and
check-in, of course without luggage. Some US airports use a sort
of hand geometry biometric technology for performing
citizen-verification functions.

It is also expected that virtual access is the application that will
provide the critical mass to move biometrics into network and computer
access. Physical lock-downs can protect hardware, and passwords are
currently the most popular way to protect data on a network.
Biometrics can increase a company's ability to protect its sensitive
data by implementing a more secure key than a password. Using
biometrics also allows a hierarchical structure of data protection,
making the data even more secure. Biometric technologies further help
to enhance security levels of access to network data.

E-commerce developers are exploring the use of biometrics and
smart cards to more accurately verify a trading party's identity. Banks
are bound to use this combination to better authenticate customers
and ensure non-repudiation of online banking, trading and purchasing
transactions. Point-of-sale (POS) system vendors are working on the
cardholder verification method, which would enlist smart cards and
biometrics to replace signature verification. Biometrics can help to
obtain secure services over the telephone through voice
authentication.

Selecting a Biometric Technology


There are a number of biometric technologies available at the
moment. It is critical to pick the one which meets the user
profiles, the need to interface with other systems or databases,
environmental conditions, and a host of other application-specific
parameters. Here are some of the key points to be taken into
account before selecting one:

1. Ease of use - some biometric devices are difficult to handle
unless there is proper training.

2. Error incidence - Time and environmental conditions may
affect the accuracy of biometric data. For instance, biometrics may
change as an individual becomes old. Environmental conditions may
either alter the biometric directly (if a finger is cut and scarred) or
interfere with the data collection (background noise when using a voice
biometric).

3. Accuracy - Vendors often use two different methods to rate
biometric accuracy: false-acceptance rate (FAR) or false-rejection rate
(FRR). Both methods focus on the system's ability to allow limited
entry to authorized users. However, these measures can vary
significantly depending on how one adjusts the sensitivity of the
mechanism that matches the biometric. There may be instances where
FAR decreases and FRR increases. Thus we have to be careful to
understand how the biometrics vendors arrive at quoted values of FAR
and FRR. Because FAR and FRR are interdependent, we can draw a
plot, which helps to determine the crossover error rate (CER).
The lower the CER, the more accurate the system.
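
A worked illustration of the FAR/FRR trade-off and the crossover error rate described in point 3. This is an added example, not part of the original article; the match scores, the 0-100 score scale and the function names are constructed for illustration and do not come from any vendor.

```python
# Constructed similarity scores (0-100) from a hypothetical matcher.
# Higher score = more likely the same person. Not real vendor data.
GENUINE = [91, 88, 84, 79, 76, 73, 70, 66, 61, 52]    # same-user attempts
IMPOSTOR = [12, 18, 25, 31, 37, 42, 48, 55, 63, 71]   # different-user attempts


def far(threshold, impostor=IMPOSTOR):
    """False-acceptance rate: share of impostor attempts accepted (score >= threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False-rejection rate: share of genuine attempts rejected (score < threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR, lo=0, hi=100):
    """Sweep the sensitivity threshold and return (threshold, FAR, FRR, CER)
    at the first point where the FAR and FRR curves are closest together."""
    best = None
    for t in range(lo, hi + 1):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, a, r)
    _, t, a, r = best
    # With finite samples the curves may not meet exactly, so report the midpoint.
    return t, a, r, (a + r) / 2


if __name__ == "__main__":
    # Raising the threshold lowers FAR but raises FRR, and vice versa.
    for t in (40, 62, 72):
        print(f"threshold={t:3d}  FAR={far(t):.1f}  FRR={frr(t):.1f}")
    t, a, r, cer = crossover()
    print(f"crossover at threshold {t}: FAR={a:.1f} FRR={r:.1f} CER={cer:.1f}")
```

A vendor quoting only FAR at a strict threshold (here 72, FAR 0.0) hides an FRR of 0.4 at that same setting, which is why the operating point behind a quoted figure matters.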

There are some other vital ingredients to be analyzed:

1. Cost - biometric devices and their related costs, such as
installation, connection, user system integration, research and testing of
the biometric system, system maintenance, etc.

2. User acceptance - certain user groups reject biometric technologies
on various grounds because of privacy concerns.

Application-specific requirements also matter, such as the security level,
which can be low, moderate or high. This decision will greatly affect which
biometric is most appropriate for the application.

Finally, organizations should consider a biometric's stability,
including maturity of the technology, degree of standardization, level
of vendor and governmental support, market share and other support
factors. Mature and standardized biometric technologies usually have
stronger stability.

Future Research Directions

Although companies are using biometrics for authentication in a
variety of situations, biometric technologies are still evolving
towards large-scale use. Standards are coming out to provide a
common software interface to allow sharing of biometric templates and
to permit effective comparison and evaluation of different biometric
technologies. One of them is the Common Biometric Exchange File
Format, which defines a common means of exchanging and storing
templates collected from a variety of biometric devices.

Biometric assurance - confidence that a biometric can achieve
the intended level of security - is another active research area.
Another interesting thing to be examined is combining biometrics with
smart cards and public-key infrastructure (PKI). A major problem with
biometrics is how and where to store the user's template. Because the
template represents the user's personal characteristics, its storage
introduces privacy concerns. Also, storing the template in a centralized
database opens the way to attack and compromise. On the other hand, storing
the template on a smart card enhances individual privacy and
increases protection from attack, because individual users control their
own templates. Vendors enhance security by placing more biometric
functions directly on the smart card. Some vendors, like Biometric
Associates, have built a fingerprint sensor directly into the smart card
reader, which in turn passes the biometric to the smart card for
verification.

PKI uses public- and private-key cryptography for user
identification and authentication. It has some advantages over
biometrics as it is mathematically more secure and it can be used
across the Internet. The main drawback of PKI is the management of
the user's private key. To be secure, the private key must be protected
from compromise and to be useful, the private key must be portable.
The solution is to store the private key on a smart card and protect it
with a biometric. There are proposals for integrating biometrics, smart
cards and PKI technology for designing Smart Access common
government ID cards.

In conclusion, technologies, devices and products for
biometrics have started to appear at a steady pace, facilitating
widespread use. This article gives a snapshot of the dynamics under
way in this popular biometrics market.
