Protecting Data Networks by Securing Telephone Networks
There is little doubt, as Geide pointed out, that computer crime is on the
increase. According to Dick Watson, a member of the White Collar Crime
Program in Boston, between 1996 and 1998 the number of FBI cases involving
computer intrusions increased over 250%. Similar statistics are reported
elsewhere in the community. In their annual survey of over 500 security
practitioners from federal agencies, universities, financial institutions, and
corporations, the Computer Security Institute, in conjunction with the San
Francisco office of the FBI, reported over 57% of the respondents had
experienced attacks across the Internet. In the same 1999 survey, 32% of the
respondents reported they had experienced attacks serious enough to warrant
contacting a law enforcement agency. In addition, for the third year in a row,
financial losses due to breaches in computer security exceeded $100,000,000
even though only 60% of those reporting a loss could quantify their loss. What
is particularly alarming is the number of corporations that didn't even know if
they had been attacked or had their systems penetrated. In a survey of 4,255
information technology and information security managers by Ernst & Young
and Computerworld, 19% stated they were not even aware if they had been
attacked via the Internet. All of this makes it abundantly clear computer security
is, and should be, a major concern for organizations wishing to connect to the
Internet or to provide access to their computer systems or networks via dial-in
modems.
Computer System And Network Security
In general terms, it can be said the goal of computer and network security is
simply the protection of information and information processing assets. To
accomplish this the basic objectives of computer and network security are
confidentiality, integrity, and availability.
Confidentiality involves the use of policies, procedures, and mechanisms to
ensure information is not disclosed to individuals who do not have the authority
to view it. This includes not only individuals from outside an organization but
individuals from the inside who don't have a need to know. Examples of
information for which confidentiality is crucial include personal data (especially
information covered by the Privacy Act of 1974), customer and client data,
product information, and data related to a company's research and development
efforts. Loss of confidentiality could result in lost customers and revenues, loss
of a market position and advantage, and possibly a proliferation of information
protection related lawsuits.
Integrity involves those policies, procedures, and mechanisms that ensure
information is consistent and has not been modified in an unauthorized manner
or by individuals not authorized to change it. Loss of data integrity may result in
damage to the same type of information as loss of data confidentiality, and the
consequences are often similar. Which of the two is actually more severe
depends on the type of organization involved. The Department of Defense, for
example, has traditionally been more concerned with disclosure of classified
information rather than the modification or destruction of it. While this has
changed somewhat over the last few years, it is still generally true. Financial
institutions, on the other hand, are often more concerned with the modification
of information rather than its disclosure. While it is a serious matter if
information about an individual's account is disclosed, it is much more critical if
that same account is modified, especially if the modification goes unnoticed.