Susan Student stopped by the electronics store in the shopping centre to drop off her flatmate’s mobile phone to be repaired. Susan couldn’t understand why Rhonda Roommate wanted a phone in the unit. Susan used her mobile phone for all her calls and for exchanging text messages with her friends. When Susan was not using her phone, she kept connected by e-mail and instant messaging on her desktop computer (cable internet) or a lab computer at her college.

As Susan walked through the store she stopped to gaze at a new notebook computer like the one she planned to purchase next week. Susan had been using the Internet to compare different notebook computers and had decided to make her purchase online, which would save her hundreds of dollars.

Susan was surprised to see a long line of customers at the repair desk with their personal computers. As she waited in line, Susan overheard some of the conversations. She then remembered reading that the “Blaster” worm had been released through the Internet over the weekend. Perhaps these customers’ computers had become infected by the worm and needed to be worked on by a technician.

At the desk an older gentleman was telling the repair clerk that his computer had been “hit” by the Blaster worm. The repair clerk asked the gentleman, “Did you bring your operating system’s recovery disk?” “What’s a recovery disk?” the man asked.

Behind Susan two women struck up a conversation about their experiences. “That worm infected my computer and now it won’t turn on!” one woman complained. “The same thing happened to me,” said the other woman. “It made the color on my printer fade. I hate these worms.”

Two young men in line next to Susan were also talking about what happened. “Someone told me that anti-virus software couldn’t stop a worm. Only a firewall will stop a worm.” The other man replied, “I tried to download the patch from Microsoft for my firewall, but the worm got to it first.”

Susan was puzzled. She thought to herself, “I didn’t know a worm could do all these things.” But she wasn’t completely sure that the worm caused all these problems. After all, the color on her printer started to fade last month because it ran out of ink. Susan began to wonder if her computer had been infected. She quickly left the store and hurried back to her unit.

“Why all the fuss?” asked Rhonda Roommate as Susan Student sat down at her computer. Susan repeated the conversations she overheard in the store and told Rhonda that she was worried the Internet worm had attacked her computer, too. “So what if it did? What’s the worst that could happen?” Rhonda asked. Susan said that she had heard stories of worms stealing or even erasing data off a computer. “Can’t you just put it all back?” Rhonda said. Susan replied, “Rhonda, this is the only place I have this stuff. If it’s erased, then it’s all gone. And besides, remember when my computer broke last year and I couldn’t use it for a whole week? I was completely lost!” Susan continued feverishly clicking her mouse and looking over her screen. After several minutes Rhonda said, “Hey Susan, how will you know if you find the worm?” Susan suddenly stopped and stared at Rhonda. “I don’t know.”

Susan Student put down her fork. Several of her friends were eating lunch in the cafeteria together. The Blaster worm had attacked the college computers and forced the college to disconnect from the Internet until the damage could be repaired and new security software installed. Susan’s economics class was cancelled because they could not use the computers in the lab. “Teenagers,” said Fran Friend. “They’re the ones who write these worms. They’ve got too much free time on their hands, and all they do is play games and write worms. I’m sick of it!” “I don’t know,” said Paula Pal. “My younger brother’s really smart about computers, but I don’t think he could do that.
I read that companies that sell security hardware write the worms so people will have to buy their stuff.” Just then Peter Professor walked by their table. “Who do you think writes these worms?” asked Susan. Peter smiled and said, “Teachers. They do it to cancel classes.”

THE SECURITY POLICY

SAFEGUARDING A SYSTEM

Of course, knowing that your system is vulnerable is one thing. Knowing how to protect your system and minimize its vulnerabilities is quite another. There are three major steps to making something secure, whether it is a computer, a car stereo, or a mobile phone. The first step is to identify the bad things that can happen to it. The second step is to restrict who can legitimately use it. The last step is to put these all together into a plan of action. In this section, you learn the basics of safeguarding a system. To aid your understanding, the discussion also includes a parallel discussion of protecting a car radio, to help you visualize the situation more clearly.

Identifying, Analyzing, and Controlling Risks

Susan Student was still worried about her computer being attacked by a worm but did not know what to do to make her computer more secure. However, she had other things to do. Susan sat down at her kitchen table with a brochure and prices for an expensive car stereo that she is considering buying for her car. But she has heard of some car break-ins at a townhouse complex nearby and is concerned about how safe a new stereo would be. Susan first thinks about where she parks her car at night. Billy Boyfriend in the unit downstairs always parks his truck underneath the security light. Susan believes that Billy would swap parking places with her so she could park her car under the security light. If that didn’t work, Susan knows that she could rent one of the separate parking garages and lock her car in it each evening.
Without realizing it, Susan has performed many of the same steps that information security professionals go through when evaluating security for a computer. When Susan sat down at her kitchen table to consider the advantages and disadvantages of buying the new car stereo and how she would protect it, she was performing risk management. Risk management is a systematic process for identifying, analyzing, and controlling risks. Most decisions involve evaluating risk. Should I buy a new car now? (There’s a risk that I might not be able to afford it.) Is moving closer to the beach the right decision? (There’s a risk of cyclones that could destroy the house.) Should we open up a new factory this summer? (There’s a risk that there may not be enough sales to support it.) Risk assessment, which is one part of risk management, is the process of evaluating risks. It weighs the risk against the potential benefits to determine if the risk should be taken.

Formalized Security Policy

Because Susan’s roommate Rhonda occasionally borrows her car, Susan decides that before she buys the new stereo system she needs to make her expectations clear to her roommate: where the car is to be parked and how it is to be used. Above all, Susan wants to let her know that absolutely nobody else can borrow the car without Susan’s knowledge. This final phase is one of the most important because it ties everything together. Susan is establishing a security policy that outlines how the new stereo will be kept safe. For a computer system to be secure, the organization must have a comprehensive and enforced security policy. This policy outlines the importance of security to the organization. It establishes the policy’s goals, how the security program is organized, and who is responsible at the various levels. A security policy will also sketch out details such as acceptable use, privacy, and password management.
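The risk assessment step described earlier in this section, weighing a risk against the benefit of a safeguard, can be made concrete with a small calculation. The following Python is an added example for this edition and is not code from the book; it uses the standard quantitative risk-assessment terms SLE (single loss expectancy), ARO (annualized rate of occurrence) and ALE (annualized loss expectancy), which this section does not introduce, and every dollar figure and rate for Susan's car stereo is a constructed assumption, not a value from the text.

```python
"""Added example: compare safeguards for Susan's car stereo by the yearly loss
each one prevents versus what it costs. Uses SLE x ARO = ALE (assumed standard
risk-assessment terms, not introduced on the page); all figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float     # what the control costs per year (assumed)
    aro_reduction: float   # fraction by which it cuts how often the loss happens, 0..1


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: cost of one loss times expected occurrences per year."""
    if sle < 0 or aro < 0:
        raise ValueError("loss value and occurrence rate must be non-negative")
    return sle * aro


def evaluate_safeguards(sle: float, aro: float, safeguards):
    """Return (name, residual ALE, net benefit) per control, best first.

    net benefit = (ALE before - ALE after the control) - annual cost of the control.
    A negative net benefit means the control costs more than the loss it prevents,
    so on these numbers the risk should be accepted rather than mitigated that way.
    """
    ale_before = annual_loss_expectancy(sle, aro)
    results = []
    for s in safeguards:
        if not 0.0 <= s.aro_reduction <= 1.0:
            raise ValueError(f"{s.name}: aro_reduction must be between 0 and 1")
        residual = annual_loss_expectancy(sle, aro * (1.0 - s.aro_reduction))
        net = (ale_before - residual) - s.annual_cost
        results.append((s.name, round(residual, 2), round(net, 2)))
    return sorted(results, key=lambda r: r[2], reverse=True)


def worthwhile(sle: float, aro: float, safeguards):
    """Names of the controls whose yearly saving exceeds their yearly cost."""
    return [name for name, _, net in evaluate_safeguards(sle, aro, safeguards) if net > 0]


# Constructed scenario values (assumptions for illustration, not from the text).
STEREO_VALUE = 600.0   # SLE: replace the stolen stereo and the broken window
THEFT_RATE = 0.20      # ARO: one break-in every five years at the current parking spot
SAFEGUARDS = [
    Safeguard("swap parking with Billy (under the light)", annual_cost=0.0, aro_reduction=0.5),
    Safeguard("rent a lockable garage", annual_cost=480.0, aro_reduction=0.95),
    Safeguard("do nothing", annual_cost=0.0, aro_reduction=0.0),
]

if __name__ == "__main__":
    for name, residual, net in evaluate_safeguards(STEREO_VALUE, THEFT_RATE, SAFEGUARDS):
        print(f"{name:45s} residual ALE ${residual:7.2f}  net benefit ${net:8.2f}")
    print("worth adopting:", worthwhile(STEREO_VALUE, THEFT_RATE, SAFEGUARDS))
```

With these assumed numbers the free parking swap is the only control that pays for itself; the garage cuts the theft risk almost to zero but costs far more per year than the stereo is worth, which is exactly the "is the risk worth taking" judgement the text describes. Changing the constructed inputs (a dearer stereo, a worse neighbourhood) is enough to flip that outcome.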