Handbook of Information Security Management:Computer Architecture and System Security

Previous Table of Contents Next


Clearly the first step is to ensure that proper site and system access controls are in place. The next step is to decide who needs to use a particular channel and then restrict access to authorized users. In network terms, this might be a matter of using password-controlled log-on procedures, or two-part token authentication. Password protection can be used for mainframe connections as well. Most commercial online services require an account number and password for access, and these should be closely guarded. However, system access control should be particularly tight on all personal computers equipped with modems.

Channel Verification

To be on the safe side, you should think of a channel of communication as a path through enemy territory. Whatever passes along that route runs the risk of being ambushed. Secure communications involves ongoing verification of:

  The identity of users.
  The integrity of data.
  The integrity of the channel.

Users of a communication channel should be required to identify themselves, whether the connection is a network hookup, a modem, or a mainframe link. When you are on the receiving end of intercomputer communications, that is, acting as the host for users calling in, you need to be able to verify the claimed identity. Network nodes need to be able to verify the legitimacy of packets received.

One of the most important requirements for secure communications between computers is verification of identity. On a local area network, this might mean that each user has an ID number and a password, both of which must be entered before log-in can be completed. Of course, entry of a valid ID number/password combination does not guarantee the identity of the person using them, but the network software will tell the administrator who claims to be using the system. In small sites, a tour of the LAN can provide visual verification of these claims. In large installations, where the administrator might not be expected to put a name to every face, assistance might be provided in the form of photo-ID tags or biometric controls.

When data are being transferred via a communications channel, they are subject to possible distortion, tampering, or theft. Verifying the integrity of the channel means making sure that this does not happen. Most communications software includes some form of error checking. At a rudimentary level, this can check that the amount of data received matches the amount transmitted. More sophisticated methods confirm details of the transmission.

Verifying the integrity of the channel also means making sure nobody is listening in, or preventing the theft of anything useful if someone is. This is best accomplished by encryption. You will need to assess the likelihood of anyone attempting to intercept or overhear your communications. If the risk is high enough, then you can encrypt important communications, using a variety of devices. Some software systems encrypt all network and telephone line traffic. Hardware encryption/decryption devices can be placed at each end of a communications link. Some of these are combined with data verification systems.

Channel Support

Intercomputer communications can only be established when a large number of different parameters are properly coordinated. Once established, communications need to be maintained. This requires a high degree of reliability in communications hardware and software. The need for reliability and protection centers on those components that serve more than one user, in proportion to the number of users served. For example, in a local area network where one personal computer is acting as a file server for others, disruption or failure of the server can have far greater consequences than the breakdown of a single personal computer working on its own. Once established, channels of communication must be supported, or else those tasks that depend upon them will be jeopardized.

Business Recovery for LANs and Desktop Systems

One of the biggest challenges facing information systems professionals today is the recovery of desktop/LAN-based systems following disasters such as fires and floods (for more about the topic of business continuity planning, see Section 3.2). As noted earlier in this chapter, a significant percentage of mission-critical applications are now running on desktop systems, which are inherently more complex when it comes to recovery. Unlike mainframe systems, which tend to conform to certain standards as far as equipment and code are concerned, and can thus be duplicated by a hot site with relative ease, each LAN represents a unique configuration of hardware and software.


Previous Table of Contents Next



The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version are covering, however it is one of the best tool you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.