PATRICK JAMES McFADDEN, CPA, CIA, CISA, heads AM&PM Consulting, Inc., an Internet security and audit consulting firm in Westlake, Ohio. He is a former director of the Northwest Ohio chapter of the Information Systems Audit and Control Association. He has an interactive Internet site at ampmconsul.com and his e-mail address is firstname.lastname@example.org.
How safe are your computer files or documents? Do you protect them from prying eyes or, worse, from hackers who try to steal or destroy the data? Considering the priceless nature of your information, safeguarding data should be high on your priority list. But that's easier said than done—unless you know some software tricks. If you don't, read on.
The problem with security is that if it's too loose—easy to violate, that is—it's useless. If it's too tight, it'll be too difficult even for you to access. The goal is to have a security system that's just right: too hard for an outsider to gain entry but easy enough for you.
This article is about ways to design a just-right security system. It outlines the different levels of security for different functions so you can pick the ones that best serve your needs. Be advised, though, they are not designed to block the experienced hacker. At best, they will block the curious onlooker or the average computer user. These techniques include password protection, masking and information-change detection. Masking techniques include disguising files inside the computer, hiding ranges of information inside a file and making information appear unreadable or even invisible. Change-detection techniques include audit trails—such as byte count, hash-control totals and formula-difference locators, all of which are explained later.
It's important to understand that an effective security system should not rely on a single technique. The most effective strategy is to use security layering—placing many walls between an unauthorized user and sensitive information. Many people use password protection, mistakenly thinking that it alone will keep most, if not all, intruders at bay. Passwords can be sidestepped by reloading the computer's operating system and application software.
Let's look at each software application and see what security options are available and which ones meet your special needs.
SPREADSHEET PROTECTION TECHNIQUES
Of all types of applications, spreadsheet software offers the most built-in security features. Both Lotus 1-2-3 and Microsoft Excel contain essentially the same protection methods. At the simplest level, a password can block an intruder from opening or changing a file. Also, both programs have a number of features for hiding, filtering or otherwise masking information. Excel has a slight edge in the number of features for detecting changes—so you'll know if an intruder has altered the file.
Password protecting spreadsheets (in Excel they are called worksheets) is easy. One password prevents opening a file and is activated when saving a file. For Lotus, a user clicks on File, Save As, checks the With Password box and enters a password. In Excel, a user clicks on File, Save As and Options and enters a password.
To allow another Lotus user to input over a certain range of data, a user first unprotects the range by clicking Style Protection. The user then specifies the range, and checks the Keep Data Unprotected box. Next, the user clicks on File, Protect, checks the Seal box and enters a password of up to 15 characters. Excel uses the same basic technique. The user must unprotect the input range by highlighting the range, clicking on Format, Protection and then clearing the Locked box. The user then pulls down the Tools menu, selects Protection, Worksheet Protection and enters an appropriate password. In addition, Excel users can render a file read only by entering a password in the Write Reservation box of the Save As panel. Lotus provides a similar feature for networked users.
Spreadsheets provide excellent information-masking techniques. It takes only a few keystrokes for a user to hide rows, columns, cells, graphics and even entire spreadsheets.
Another element of security is the intruder alarm: It lets you know if someone has gained admission to your file and changed it. Spreadsheets offer some advanced tools for detecting inadvertent or intentional changes. In a protected section of a spreadsheet, the sum of all number and date cells can be used as a hash-control total, which is a method for ensuring the accuracy of processed data. The components of a hash total include several fields of data in a file, including fields not normally used in calculations, such as an account number. At various stages in the processing, the hash total is recalculated and compared with the original. If any data have been lost or changed, the program signals a mismatch.
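The hash-control total described above, worked through in Python as an added example (not part of the original article). The ledger rows are constructed sample data, and the SHA-256 digest is a comparison technique added here to show which edits a summed total cannot see.

```python
import hashlib
from datetime import date

# Constructed sample ledger: (account number, posting date, amount in cents).
LEDGER = [
    (10450, date(1997, 3, 3), 125000),
    (10451, date(1997, 3, 4), 98050),
    (20017, date(1997, 3, 4), 4300),
]

def hash_total(rows):
    """Sum every number and date cell, including the account number."""
    total = 0
    for account, posted, cents in rows:
        total += account + posted.toordinal() + cents
    return total

def digest(rows):
    """SHA-256 over a canonical text form of the rows (added comparison)."""
    text = "\n".join(f"{a}|{p.isoformat()}|{c}" for a, p, c in rows)
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def check(original, current):
    """Return (hash_total_matches, digest_matches) for two versions."""
    return (hash_total(original) == hash_total(current),
            digest(original) == digest(current))

def single_edit(rows):
    """One amount altered: the control total no longer matches."""
    changed = list(rows)
    a, p, c = changed[0]
    changed[0] = (a, p, c + 50000)
    return changed

def offsetting_edit(rows):
    """Two amounts altered by equal and opposite values: the sum is unchanged."""
    changed = list(rows)
    a0, p0, c0 = changed[0]
    a1, p1, c1 = changed[1]
    changed[0] = (a0, p0, c0 - 50000)
    changed[1] = (a1, p1, c1 + 50000)
    return changed

if __name__ == "__main__":
    print("unchanged :", check(LEDGER, LEDGER))
    print("one edit  :", check(LEDGER, single_edit(LEDGER)))
    print("offsetting:", check(LEDGER, offsetting_edit(LEDGER)))
```

A summed control total catches accidental loss or a single altered cell, but two offsetting changes leave it untouched, so the recorded total should itself sit in the protected section and be paired with the other audit trails.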
Another change-detection measure is the date and time stamp. Automatic date and time stamping should be used with the spreadsheet title to detect any updates. With Lotus, be sure to invoke automatic recalculation or the date will not be updated. If a user is concerned with accidental or intentional formula tampering, Excel allows him or her to compare all formulas in a row or column. To check for slight formula changes, a user clicks on Edit, Goto, Special and Row or Column Differences. Any cells with faulty formulas will be highlighted.
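The idea behind a row-difference check, sketched in Python as an added example (not Excel's own code and not from the original article). Each formula is rewritten relative to the cell that holds it, so correctly copied formulas become identical and a tampered one stands out. The totals row is constructed, and comparing against the most common formula in the row is an assumption made here for illustration.

```python
import re
from collections import Counter

# Matches A1-style references such as B2, $B2, B$2 or $B$2.
# Simplification: a function name ending in digits would also match.
REF = re.compile(r"(\$?)([A-Z]{1,3})(\$?)(\d+)")

def col_num(letters):
    """Convert column letters to a 1-based number (A=1, Z=26, AA=27)."""
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n

def split_cell(cell):
    """Split a cell address such as 'D5' into (column number, row number)."""
    m = re.fullmatch(r"([A-Z]{1,3})(\d+)", cell)
    return col_num(m.group(1)), int(m.group(2))

def relative_form(cell, formula):
    """Rewrite each reference as an offset from the cell holding the formula."""
    home_col, home_row = split_cell(cell)

    def repl(m):
        abs_col, letters, abs_row, row = m.groups()
        # '$' pins a coordinate; otherwise record the distance from the home cell.
        c = f"C{col_num(letters)}" if abs_col else f"C[{col_num(letters) - home_col}]"
        r = f"R{row}" if abs_row else f"R[{int(row) - home_row}]"
        return r + c

    return REF.sub(repl, formula.upper())

def row_differences(cells):
    """Return cells whose relative formula differs from the most common one."""
    forms = {cell: relative_form(cell, f) for cell, f in cells.items()}
    expected, _ = Counter(forms.values()).most_common(1)[0]
    return sorted(cell for cell, form in forms.items() if form != expected)

# Constructed totals row: D5 has had a cell reference replaced by a constant.
TOTALS = {
    "B5": "=B2+B3+B4",
    "C5": "=C2+C3+C4",
    "D5": "=D2+D3+100",
    "E5": "=E2+E3+E4",
    "F5": "=F2+F3+F4",
}

if __name__ == "__main__":
    print(row_differences(TOTALS))
```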
WORD PROCESSING PROTECTION TECHNIQUES
As with spreadsheets, there are three safeguards for protecting word processing documents: passwords, masking techniques and change detection. Both WordPerfect and Word documents can be easily password protected and masked. In addition, both offer audit trails for determining whether inadvertent or unauthorized changes have occurred.
To password protect WordPerfect documents, start by pulling down the File menu, check the Password box, type in a password of up to 23 characters and click on Set. Or the user can change the attributes of a file, making it read only. To invoke the read only attribute, open the File Manager, click on File, File Manager, Change Attributes and check the Read Only box. In Word, select File, Save As, click on Options and enter a password in the Password box. If you want others to read the file but not change it, enter a password in the Write Reservation box. This protection is applied by clicking on Tools and Protect Document and entering a password.
To mask all or parts of a Word document, a user can hide highlighted text by pulling down Format, clicking on Font and checking the Hidden box. Both word processors can make a document indiscernible or even invisible to the uninvited. To "encrypt" a document in Word, highlight the entire document and save it in an unreadable font such as MT-Extra; of course, a computer-knowledgeable person will recognize the ploy and convert it to a readable font. To make a document "invisible," simply highlight the document and use a clear white font.
To mask files in WordPerfect and Word, go into File Manager (in Windows 3.x) or Explorer (in Windows 95), click on File and Change Attributes and check the Hidden box. WordPerfect also permits a user to remove sensitive files from appearing in the Quick List. In Word, the recently used file list can be eliminated altogether by clicking on Tools, Options and the General tab. Another way to mask documents is to save them in ambiguous directories or use cryptic names, making them hard to find.
When it comes to detecting changes, Word has an advantage over WordPerfect because it offers a greater number of audit trails. With Word, changes can be detected by entering an automatic date and time stamp in a file or by counting its words, bytes, lines, characters and paragraphs and then checking for any changes. Together, these audit trails, when compared, clearly identify any unauthorized changes. These audit trails can be printed by clicking on File, Print and selecting Summary Information in the Print What box. WordPerfect provides date, time, word and byte count audit trails—enough to detect most changes.
Also, if a word processing document is linked to a spreadsheet or database, be sure that the spreadsheet or database is as secure as the document. Otherwise an intruder can see the data in the secure file by looking in the unsecured linked file.
SECURITY WHILE WORKING IN THE INTERNET
To protect computer information from being pirated during Internet sessions, make all networked disks read only. In Windows 95, this can be done through the Control Panel under Network. By making the disks read only, Internet intruders cannot appear as just another locally networked personal computer.
For serious security, use firewalls. A firewall is a separate computer that guards and actually translates all communication between the Internet and a local network or personal computer. The firewall computer monitors all internal and external requests and allows entry only to designated users.
OPERATING SYSTEMS SECURITY
Surprisingly, operating systems are not particularly good at providing security. Their designers were more concerned with locking out legitimate users who forgot their passwords than unauthorized users. For the individual user, Windows 95 and OS/2 offer password protection only after a screen saver blankets the screen. While this technique protects against the curious onlooker, it can be overcome by rebooting the computer. Networked systems, particularly with Windows 95, require individual sign-on and printer passwords. Check to see whether your system password can be bypassed simply by clicking on a Cancel key.
To lock up a screen saver in Windows 95, first pull down the Start menu and select Settings. Then click on Control Panel, Display and Screen Saver. Next, check the Password Protection box and type in a password. For the OS/2 operating system, click on the desktop using the right-hand mouse button, click on the arrow adjacent to Open and click on Settings. Then select the Lockup tab and click on Automatic Lockup.
Newer database programs, such as Microsoft's Access, provide a wide assortment of password protection on three levels: for administrators and users and, within the application, for specific database files. Older software lacks that multilayered protection: Aside from the feeble operating system security, users of older software have to write special programs to block the uninvited.
Adding security for Access, for example, requires only a few keystrokes. For administrator and user password protection, click on Tools, Security and User or Group Accounts or Permission. For database file protection, click on Tools, Security and Set Database Password.
When it comes to computer security, it usually takes more common sense than high technology. For example, change passwords periodically. Make them at least six characters long. Don't use obvious passwords, such as your own name or birth date. Also, since passwords are often case-sensitive, mix upper- and lowercase letters with numbers to make them less vulnerable to hackers. Also, be aware that when you forget a password, the data may not be recoverable.
For network environments, plan to have the computer server and any related equipment and modems in a room that can be locked. In addition, use a key lock for the network server. Lock all system, network, application software and information backups in a cabinet or drawer. Do regular, automatic backups so if your data are stolen or corrupted, you can reconstruct them from the backup. Be sure to keep backups in a separate, secure location—off-site, if possible.
Contrary to popular views, security does not have to be onerous. It can be set up so users are not terribly inconvenienced—only the would-be information pirate or troublemaker is put out. It takes a little planning and effort but, compared with the potential savings, that effort is a small investment with huge dividends.