OS/2 eZine - http://www.os2ezine.com
16 January 2002
Andrei A. Porodko is a member of the 3rd Eye development team.

An Introduction to Security

I can't say that I am a big specialist in security, and I'm not a computer one either. I dare say this is an advantage when we talk about computer security. Why? Because computer security is a very complicated thing, so if I were a specialist in computer security we would have trouble finding a common language. Nevertheless, I have been a system administrator for many years, so this is an attempt to arrange my knowledge about computer security. In this article we will talk about computer security or, to be more precise, data security, but for simplicity I will just call it security.

Security itself has its own definition. I understand it as protection for any computer equipment and information against any illegal actions. There are a lot of possible illegal actions. Security professionals call them "threats." For example, computer equipment can be exposed to a threat of destruction or theft, and information can be exposed to a threat of disclosure. Of course, there are many methods of protection against those threats. Despite the differences in the nature of the threats, all methods of protection have something in common. They can be divided into three groups:

  • Organisational methods, which regulate who can gain access to the computer equipment and data, and how, when and where.
  • Physical methods, which limit physical access to the computer equipment and data.
  • Technical and programming methods: the equipment and programs used to protect computer equipment and data.

No one method is preferable: you get the maximum security when they are all applied together.

As you can guess, the first two methods are common to all operating environments. Technical and programming methods are specific to each operating system and each computer platform, because different equipment fits different computers and requires different drivers. The same can be said about programs. Our aim is to discuss information security in the scope of the OS/2 operating environment, that is to say, an Intel-based computer with OS/2 installed on it. Before we start our review, we should have answers to two questions: What are we going to protect against? And what are we going to protect? For information we have three main threats:

  • disclosure
  • destruction
  • distortion

The rest are combinations of these. If the first question seems reasonable but the second doesn't, then we have to ask ourselves a third question: What is information? Or, put another way, in which forms do we have information in our computers? I think in at least two forms: as data stored on a hard drive and as data inside communication lines (networks). To be honest, there is one extra form - the electromagnetic fields all around the computer - but protection against the spread of electromagnetic fields is a common problem for any type of computer equipment and is outside the scope of the topic we are discussing. Now we can conclude that we've got three threats and two objects of protection, and we have to choose an adequate protection method for each data instance in each situation.

Data on a Storage Device

For data on a storage device the best-known method is data encryption. Even if you have special security equipment to protect information on hard drives, such as card readers and various locks, you still need to consider encryption, because such devices are almost always media and media readers for encryption keys. Let us look at what we have in OS/2:

There is one way to keep files secret that we always forget about: encryption in archiving tools such as pkzip and arj. [Ed. ZIP passwords can be cracked in just a matter of hours.] Yes, it requires additional manual actions and doesn't supply strong encryption, but it is very simple and you always have it available. For example, to zip and encrypt the files in the directory \MySecretData:

D:\>pkzip /add /password=MyPassword MySecretData MySecretData\*
PKZIP(R)  Version 2.50  FAST!  Compression Utility for OS/2 5-1-1997
Copyright 1989-1997 PKWARE Inc.  All Rights Reserved. Shareware Version
PKZIP Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745
Encrypting files
Using 204 compatible compression method
Using compression level 5 - Default
Creating .ZIP: MySecretData.zip
Adding File: description.lwp Deflating (16.9%), Encrypting, done.
Adding File: Normal.dot      Deflating (86.4%), Encrypting, done.
Adding File: os2mini.html    Deflating (65.2%), Encrypting, done.
Adding File: svidet.gif      Storing   ( 0.0%), Encrypting, done.

There are many other standalone utilities for directory/file encryption. They can be found, for example, in the Hobbes archive on the Internet, but in my opinion, they are useful only when you need to keep data secret in a safe place, not for everyday use.

What threats does it protect against? All cipher methods defend your data against disclosure, because a criminal must know the password, which is not kept inside the archive file. They also defend against distortion: a criminal can't distort the information because he doesn't have access to it. All he can do is destroy the data by deleting the archive file.
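The check below is an added example, not part of the original article: it reads only a ZIP archive's central directory, without any password, and reports which entries are flagged as encrypted and under which scheme, which also shows that file names stay readable in a password-protected archive. The sample archive is constructed in memory and its first entry is only flagged as encrypted by setting a header bit; notes.txt is a made-up file name.

```python
import io
import zipfile

ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry is encrypted
STRONG = 0x0040      # general-purpose flag bit 6: PKWARE strong encryption
AES_METHOD = 99      # compression method 99: WinZip AES (AE-x) marker


def audit_zip(data):
    """Return (name, scheme) per entry, using the central directory only."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & ENCRYPTED:
                scheme = "PLAINTEXT"            # stored without any password
            elif info.compress_type == AES_METHOD:
                scheme = "AES"
            elif info.flag_bits & STRONG:
                scheme = "PKWARE strong"
            else:
                scheme = "traditional (weak)"   # classic ZIP password scheme
            report.append((info.filename, scheme))
    return report


def build_sample():
    """Constructed sample: stored ZIP whose first entry is flagged encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("MySecretData/description.lwp", b"constructed sample text")
        # Hypothetical file added to the archive later without a password.
        zf.writestr("MySecretData/notes.txt", b"added later, no password")
    raw = bytearray(buf.getvalue())
    # Set flag bit 0 in the first central-directory header (signature
    # PK\x01\x02, flags at offset 8), as a password-protected entry would have.
    pos = raw.index(b"PK\x01\x02")
    raw[pos + 8] |= ENCRYPTED
    return bytes(raw)


if __name__ == "__main__":
    for name, scheme in audit_zip(build_sample()):
        print(f"{scheme:20} {name}")
```

An entry reported as PLAINTEXT inside an archive that is supposed to be protected is the case to look for, since tools can add files to an existing archive without applying the password.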

The other, much more convenient way to encrypt data is to use special utilities that encrypt on the fly. These programs implement strong industry-standard encryption methods. At the moment I know of two: ZipStream by Carbon Based Software and the Cipher plugin for NetDrive by Nickk. If somebody knows of any others, please let me know.

ZipStream itself is a bit more than an encryption tool: it compresses data and allows you to create compressed directories and disks. Of course, from our point of view we can consider that as an additional protection. The latest version is 2.0, which supports several variants of DES encryption. For an ordinary user it is rather difficult to understand what the difference between DES and other methods is. Indeed, comparison of crypto-methods is a rather complicated task. I think there should be a separate topic devoted to this question from the final consumer's point of view. Until then it is enough to know that DES was used by the United States government. At the present time there are a lot of newer methods available.

The Cipher plugin for NetDrive offers varied and modern encryption, such as Blowfish and Rijndael (and many more.) Cipher allows you to add new algorithms without changing the main program.

The main drawback of those programs is the necessity to remember a password or keep a key file on a diskette. But if the key or password is put on a diskette or a sheet of paper and locked in a safe, everything will be OK, i.e. for most commercial purposes this offers enough safety.

Like encrypted archives, on-the-fly encryption utilities defend data against disclosure and distortion, but files can still be destroyed, for instance by a virus or a criminal. So you have to use additional methods to protect against distortion, such as limiting access to the computer, keeping backups, using antivirus programs, etc.

Here I want to point out one often forgotten consideration - backup is one of the data protection methods. Don't ignore it, as you can see from my previous reasoning - security should be comprehensive. Only in this case can it be effective.

One more thought - it is an important rule in data security, that the total cost of providing security shouldn't exceed the cost of the protected objects. As far as I know that cost should be approximately ten percent of the cost of the protected system.

To be continued...

Copyright (C) 2002. All Rights Reserved.