Information Management & Computer Security
Awareness and challenges of Internet security
Steve Hawkins, David C. Yen, David C. Chou
Article information:
To cite this document:
Steve Hawkins, David C. Yen, David C. Chou (2000), "Awareness and challenges of Internet security", Information Management & Computer Security, Vol. 8 Iss 3 pp. 131-143
Permanent link to this document:
http://dx.doi.org/10.1108/09685220010372564
Downloaded on: 19 September 2014, At: 06:43 (PT)
References: this document contains references to 30 other documents.
Awareness and challenges of Internet security
Steve Hawkins
Technical Writer/Analyst, Dell Computers Co., Austin, Texas, USA
David C. Yen
Department of Decision Sciences and MIS, Miami University, Oxford, Ohio, USA
David C. Chou
Department of Business Computer Information Systems, St Cloud State University, St Cloud, Minnesota, USA
Keywords
Internet, Security, Computer networks, Companies
Abstract
Internet security is an important issue today. Corporate data are at risk when they are exposed to the Internet. Current technologies provide a number of ways to secure data transmission and storage, including encryption, firewalls, and private networks. This article discusses the awareness of Internet security and challenges faced in both the public and the private sectors.
Information Management & Computer Security 8/3 [2000] 131–143
© MCB University Press [ISSN 0968-5227]
The current issue and full text archive of this journal is available at http://www.emerald-library.com
Introduction
The threat of computer security is one of the main barriers to Internet commerce. With the current popularity and the potential profits of e-commerce, many executives face a conflict situation. That is, connecting to the Internet and expanding their business would risk the threat of intrusion. On the other hand, remaining disconnected from the Internet would sacrifice their customer contact and services.
Seven members of the Lopht Heavy Industries, an independent watchdog group composed of seven hackers, informed the Senate Committee on Governmental Affairs in 1998, that "it would take only 30 minutes for them to render the Internet unusable for the entire nation" (Yasin, 1998). There is more. Officials from the General Accounting Office (GAO) also met with the committee and stated that the GAO has uncovered serious computer security weaknesses at both the State Department and the Federal Aviation Administration that could jeopardize the operations of both governmental agencies (Yasin, 1998).
Organizations in both the public and the private sectors are aware of the needs of Internet security. It is interesting to know how both sectors take action to protect their Internet data and corporate systems. Internet security is recognized as the methods used by an organization to protect its corporate network from intrusion.
The best way to keep an intruder from entering the network is to provide a security wall between the intruder and the corporate network. Since the intruders enter the network through a software program (such as a virus, trojan horse, or worm) or a direct connection, firewalls, data encryption, and user authentication can restrain a hacker.
While many tactics provide assurance of
protection, carelessness can also be a key
factor. As a result, awareness training and
education should be used to remind staff that
an Internet security breach could have a
profound effect on the health of the
organization and, hence, their job security
(Everett, 1998).
When a company is connected to the
Internet, any user in cyberspace can have
access to its Web site. Installing firewalls,
intrusion detection systems (IDS), and user
authentication software are the necessary
precautions a company must take to protect
itself. Ultimately, the best protection
from intrusion is to constantly keep
watching for intrusion and to employ the best
protection you can afford while travelling
through the untamed terrain of cyberspace.
This article begins with an overview of
Internet security and the technologies used
in protecting the data on a computer system.
Next, this article investigates the awareness
of Internet security in selected industries
from the public and the private sectors. New
developments and challenges regarding data
protection and Internet security are
addressed in the last sections.
Technology for Internet security
There are a variety of methods that a
company can employ to protect itself from
unauthorized access. Some of the most
popular methods are:
• firewalls;
• user authentication;
• data encryption;
• key management;
• digital certificates;
• intrusion detection systems (IDS);
• virus detection;
• virtual private networks (VPN);
• extranets.
Table I illustrates the unique features and
the limitations of all of these Internet
security methods.
Implications of security methods
Firewalls are the first line of defense for
corporate networks. A firewall is a
combination of hardware and software that
separates a local area network (LAN) into
two or more parts for security purposes. All
public connections to and from the corporate
network initially pass through a firewall,
which acts as a gatekeeper to give access to
valid requests and, in the end, block out all
other requests and transmissions (Cantin,
1999). In addition, firewalls can be
implemented between departments to allow
certain users access to secure data.
Another line of defense is user
authentication. Basically, a user must enter a
password as a digital key to enter the
computer system. User authentication can be
incorporated into a firewall, a particular
application, a document, or a network
operating system such as Novell NetWare
and Windows NT.
Table I. A comparison of Internet security components
| Component | Unique features | Limitations |
|---|---|---|
| Firewall | Hides the corporate intranet from the Internet; Acts as a gatekeeper to give access to valid requests, blocking out all other requests and transmissions; Can be implemented between departments to provide certain users access to secured data; Records all intrusion attempts for future review and identification | Software-only encryption may curtail firewall performance; Presents a single point of failure; No guarantee to protect a network from harm; Must be installed and configured correctly in order to work properly |
| User authentication | Enforces user verification; Can be incorporated within a firewall, application, document, or a network OS | User password could be intercepted during transmission; User password could be related to their lifestyle, making password identification easier for hackers if they know the habits and interests of the user |
| Data encryption | Scrambles the data before transit, making interception attempts futile | Cryptology community believes that point to point tunnelling protocol (PPTP) technology may be flawed and unfixable |
| Key management | Acts as an electronic key to open encrypted data | User may lose the key or have it fall into the wrong hands |
| Digital certificate | Verifies the authenticity of the e-mail sender; Alerts the e-mail recipient if the message has been altered | Not very useful if companies do not act as their own certificate authorities or get them from third-party service providers |
| Intrusion detection system | Uses static and dynamic methods to spot attacks to the network in progress or over time, respectively | No IDS product can detect all of the attacks on a network when it is heavily loaded; IDS products work only on shared-access segments, and not on switched networks |
| Virus detection | Protects computers and servers from virus attacks | Useless if virus definitions are not updated on a regular basis |
| Virtual private network | An inexpensive way to connect remote users to an enterprise network; Cheaper than using a dial-up connection | Some VPN products permit use of private addresses, while others require public IP addresses; Flexibility may come at a price; VPN product prices vary according to through-put and number of tunnels supported |
| Extranet | Provides fast data exchange between a company and its suppliers | Requires security and privacy systems to protect data during transmission |
A user can incorporate a data encryption
utility to protect the data while in transit.
Basically, data encryption is a method of
scrambling the data into an unreadable form
before they leave a company's network.
When the data arrive at the proper
destination, a key decodes the data bits into
understandable information.
There are basically three elements to an
encryption system:
1 a method of changing the data into code
(the algorithm);
2 a hidden place to start the algorithm (the
key);
3 control of the key (key management).
A binary number usually provides the
starting key for the algorithm. Transforming
the data into a readable format is controlled
by the key (DeVeau, 1999).
Key management, therefore, becomes an
important factor in data security. The key
must be secured in a safe place so that
unauthorized individuals cannot access it. In
most organizations, a system policy is
developed that spells out who has the keys
(and/or the power) to access sensitive data on
the network (DeVeau, 1999).
A digital certificate is an electronic credit
card that establishes the credentials for
doing business or other transactions on the
Web. A governing party called ``certification
authority'' issues the certificate. This
certificate contains the user's name, a serial
number, expiration dates, a copy of the
certificate holder's public key, and the digital
signature of the certificate-issuing authority
so that a recipient can verify that the
certificate is real (DeVeau, 1999).
Authenticated users keep these digital
certificates in registries for access.
Digital certificates are similar to
watermarks on a bank check. They not only
verify that the author of the message is the
author, but also alert the receiver if the
message has been altered while in transit.
Digital certificates are useful if the receiving
party absolutely needs to know that the
message they received is authentic (McCune,
1998).
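The certificate contents listed above and the recipient's check of the issuing authority's signature, as an added example that is not code from the article. It assumes a constructed toy certification authority using unpadded textbook RSA over two small known primes, and the field names and sample values are hypothetical.

```python
import hashlib
import json
from datetime import date

# Constructed toy CA key: textbook RSA built from two known Mersenne primes.
# Far too small and unpadded for real use; it only makes the check runnable.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
CA_N = P * Q                              # CA public modulus
CA_D = pow(E, -1, (P - 1) * (Q - 1))      # CA private exponent

# Fields the article says a certificate carries (names are assumptions).
FIELDS = ("name", "serial", "not_after", "public_key")

def _digest(cert):
    """Hash the signed fields in a fixed, unambiguous encoding."""
    blob = json.dumps([cert[k] for k in FIELDS]).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % CA_N

def issue(name, serial, not_after, public_key):
    """CA side: bind the holder's name and public key with the CA signature."""
    cert = {"name": name, "serial": serial,
            "not_after": not_after, "public_key": public_key}
    cert["ca_signature"] = pow(_digest(cert), CA_D, CA_N)
    return cert

def verify(cert, today):
    """Recipient side: needs only the CA public key (CA_N, E)."""
    if pow(cert["ca_signature"], E, CA_N) != _digest(cert):
        return "bad signature"            # a signed field was altered
    if today > date.fromisoformat(cert["not_after"]):
        return "expired"
    return "ok"

# Constructed sample certificate, plus a copy whose key was swapped afterwards.
CERT = issue("alice@example.com", 1001, "2001-06-30", "holder-key-placeholder")
ALTERED = dict(CERT, public_key="different-key-placeholder")

if __name__ == "__main__":
    print(verify(CERT, date(2000, 9, 1)))      # genuine and in date
    print(verify(ALTERED, date(2000, 9, 1)))   # public key changed after issuance
    print(verify(CERT, date(2002, 1, 1)))      # past its expiration date
```

The signature is checked before the expiration date so that a date edited by a third party is rejected as altered instead of being trusted.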
To protect themselves from problems
within the network, a company can use
specialized software that monitors the
network for suspect activity. The software
not only detects intrusion from someone
outside the company, but also monitors and
detects any malicious activity on the network
generated from ...