This page has been archived and is no longer updated.

Secure storage of confidential material

All computer users, in the University and elsewhere, need to be increasingly conscious of security, which includes both the security of data from loss or corruption, and the secure storage of confidential material. This article is concerned with the second aspect, the secure storage of confidential material. It is quite long and some of the issues are complex, but there are some simple guidelines that everyone should consider:

These points are discussed in the course of this article. It is important to realise that as well as our own practical interest in keeping information confidential, there are legal and institutional requirements operating in this field. The present article does not address the legal issues directly.

The computer-based office

Many of us have made the move from a paper-based to a computer-based office without thinking through the security implications.

These implications are not difficult to understand, and indeed some of them are quite obvious once they have been pointed out. The three most likely ways in which confidential information leaks out are:

These leakages are certainly connected with our use of computers, but stopping them doesn't require any specialist computer-security expertise, only common sense and reasonable caution.

This article will deal with keeping your data hidden not just from casual passers-by but from those who might deliberately try to find it. This is a rapidly developing field, and new technology, such as encrypted e-mail and digital signatures, as well as more secure operating systems, will become available in the near future. This article describes methods which you can deploy without waiting for these new developments, and which will continue to be sensible and necessary.

Security versus convenience

If you have anything which absolutely must not fall into anyone's hands under any circumstances whatsoever, and which is of sufficient value to make it worth someone's while to go to indefinite expense to steal it, you should seriously consider not storing it on any of the University's computers - or indeed on any computer whatsoever. Most of us have data which is less confidential than that, but which we would still like to protect or which we are legally bound to protect to the best of our ability.

Computer security is a matter of balancing the needs of confidentiality against ease of use. Measures to increase security will almost always decrease the ease of use. If you make things too difficult for your colleagues by imposing security measures, the chances are that they will take short-cuts, and these frequently undermine the whole security effort. The post-it with the password stuck to the wall is an example of this. So only adopt security measures that are proportionate to the importance and confidentiality of the data involved.

In some cases it is up to you to decide on the degree of confidentiality of your data, but there are cases where it is a matter of legal definition or where the University has taken institutional decisions.

It would make things simpler if there were a series of measures we could identify which would progressively increase security, but in fact what we have are a number of overlapping security measures to protect different parts of our operation.

There are two ways of protecting data which we shall consider here: physical protection and passwords.

Physical protection

One easy way for someone to steal data from your computer is to come to your office while you are not there, turn on your computer and search through your hard disk. So to keep your data safe, the first thing to do is to control access to your office - lock the door. But this is not the end of the story. Many of us work in shared offices, and although we trust our colleagues, there are all sorts of people from within the University or outside who need to have access from time to time. You don't rely on your room-door to protect confidential material in your filing cabinet - you also lock your filing cabinet. By the same token, you need to do something to lock your computer.

Also, remember that if your computer is networked people don't need to be in the same room in order to get at it. So turn off your computer at night or when you are away from it for long periods. Of course people can get at your computer over the network as easily while you are working at it as when you are not, but there is no sense in leaving it wide open when you don't need to.

Some people lock away their keyboard at night, but while this might prevent a casual interloper from using your computer it would not keep out a determined thief who could bring his own keyboard. Some PCs have a physical key with which you can lock the hard disk, but this is becoming less common. You can buy removable hard disks, which you can pull out and lock away when you leave your office, but these are not easy to come by. You could open up your computer and take out your hard disk, but this is not something most of us would trust ourselves to do safely. By and large a hard disk is not regarded as a removable storage medium.

Note that one way to lose your data is to have your computer stolen; this might be a particular risk for a portable machine, which is comparable (in some respects) to a brief-case containing papers you wish to protect. If you stored any of your passwords on the stolen machine there might also be other security implications (see later section on Storing passwords on your Mac or PC).

Removable media

One last form of physical security is simply to remove all confidential material from your hard disk, and to store it on removable media such as floppy disks, Zip disks, (re-)writable CDs or magnetic tape. This is probably the best and easiest method of keeping a limited amount of data confidential. These removable media are inherently less secure in the other sense: they are more likely than hard disks to suffer damage or corruption. You therefore need to keep several copies of your data on removable media. This of course creates its own confidentiality problems. Every copy you make is something else that might get left lying around. You need several securely locked locations to keep the disks. But these problems are not hard to deal with, and this is the measure we would recommend for preserving the confidentiality of material such as examination questions.

Zip disks hold either 100 or 250 Megabytes and standard CDs hold 650 Megabytes. Magnetic tapes hold a very great deal more than this, but recovering individual files from a tape is not always a simple matter. Placing data on removable media is a nuisance if you have more than will fit on a single disk. It is not a suitable solution if you have very large amounts of volatile data which you need to have easily recoverable.

Passwords

We have been giving advice on passwords over the past few months, because they are at the heart of computer security. The article on passwords (How to lose your reputation) in the January Newsletter gave information on the importance of a good password, and advice on how to choose a password. In the course of giving this advice it has emerged that many people are confused by the number of different passwords they have to use, and about what exactly is protected by them.

See also the comments below on Storing passwords on your Mac or PC.

Your Sun/Unix/e-mail password

All computer users in the University have a Unix account (sometimes known as a Sun account or e-mail account). Your Unix account gives you a username and password for the networked Sun computers (called "Sun" because they are made by a firm of that name, and called Unix systems because Unix is the name of the operating system on the Suns). Your username and password therefore control access to networked information. The following are among the types of networked access which are controlled by your username and password:

Protection of e-mail

Your e-mail is protected by your password only so long as it is on the network in your incoming mailbox. Once you have downloaded it onto your Mac or PC it is no more protected than any other information on your hard disk. Because many people have configured Eudora to ask for their password as soon as they start it up, they believe Eudora is protecting the messages stored on their hard disk. This is not so. The password is used only in order to download the messages from your incoming mailbox.

"Mapped" drives and the Windows username and password

Mapping a drive is the process of making it look as though a part of the networked disk is just another drive on your PC or Mac. On the PC this means assigning a drive letter to the networked disk. The facility to map a portion of a networked disk as a drive on a PC is now widely used, especially by administrative units in the University. It is possible to do this on a Mac, but this note refers only to the way this standard feature of Windows95/98 is used on PCs.

In order to get access to a networked disk in this way you have to tell Windows your username and password. Typically you do this by entering them in a dialogue-box that is displayed as Windows starts up. If you do not enter your Unix username at start-up time you will not usually be able to connect to the networked drive; if you do not enter your Unix password at start-up time you will be prompted for it before the disk is mapped.

Note that it is only access to the networked disk that is controlled by the username and password that you enter on the PC as it starts up. Your Unix username and password do not protect the local hard disk on your PC.

It's worth noting that although your data is more securely protected if it is stored on a network disk, this process currently introduces a different sort of insecurity: the passwords are sent in unencrypted form, so if someone were able to tap the line they would be able to pick up your password. On balance the value of the mapped drives probably outweighs the danger of unencrypted passwords, but it is not a feature that should be used where there is the highest need for security.

Security of information on the Unix disks

Mapping part of a Unix disk in the way we have been discussing is only one method of placing data on the Unix disks. A more common method is by using a File Transfer program, and of course you can log in to your Unix account using a Telnet program and create files directly in your Unix file space. Whichever method you use to place files on the Unix disks, they are protected by Unix access restrictions. By default files on our Unix disks are not world-readable. In other words, by default the confidentiality of your data is reasonably secure. But have you done anything to change this default?

If you have confidential data on the Unix disks you should make sure it is adequately protected. Unix security is an involved topic, so if in doubt you should contact the Helpdesk for advice.

In particular, when you put material on the World Wide Web you necessarily make it world-readable. This is usually what you want - why else would you be publishing it on the Web? - but you need to be sure that you have loosened the protection only for your public_html folder and its contents, not for other parts of your disk-space. In fact, in order to make your public_html folder accessible on the Web you can't avoid making a slight dent in the overall security of your whole account. This is not in itself a major problem, but confidential data should not be stored in a Unix account that is also used for a Web-site.

Another implication of Web publishing is worth noting. Many people place a password to limit access to their Web pages. This password only limits Web-access to your pages. The pages are still accessible via Unix and they are world-readable - they have to be, since otherwise the Web server could not hand them out. So do not place too much reliance on these Web-passwords: they prevent easy access to your material, but they do not keep it secure from someone who has a Sun account and knows what they are looking for.
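As an added illustration (not part of the original article), the following shell script shows how a Unix user can check for the "slight dent" described above: it lists everything in a home directory that is readable by other users, ignoring the public_html tree, and then tightens the account so that the home directory is searchable but not listable by others, with everything outside public_html made owner-only. The directory layout and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed example: audit and tighten "other" permissions on a Unix
# account that also hosts a public_html Web folder.

# Print every file or directory under $1 that is readable by "other"
# (mode bit 004), skipping the public_html tree, which has to stay
# world-readable for the Web server. Returns 1 if anything was found.
audit_world_readable() {
    home=$1
    found=$(find "$home" -path "$home/public_html" -prune -o \
                 -perm -004 ! -path "$home" -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Make the home directory searchable (x) but not listable (r) by others,
# so the Web server can reach public_html while other users cannot browse
# the account. Everything outside public_html loses all "other" access;
# public_html itself is left as it is, since the Web needs it readable.
harden_home() {
    home=$1
    chmod 711 "$home"
    find "$home" -path "$home/public_html" -prune -o ! -path "$home" \
         -exec chmod o-rwx {} +
    # Adding "umask 077" to ~/.profile keeps newly created files
    # owner-only, so the audit stays clean over time.
}
```

Running `audit_world_readable "$HOME"` before and after `harden_home "$HOME"` shows which confidential items were exposed and confirms that only public_html remains visible.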

Storing passwords on your Mac or PC

There are various points at which a Mac or PC may offer to 'remember' or 'save' your password. The purpose of this is to make various network-related activities quicker and more automatic - convenient, but very risky and not recommended. Some examples are given here.

Eudora on the Mac or PC has an option for storing your e-mail password. If you do this it will mean that anyone with physical access to your computer will be able to download your new e-mail. This means that the confidentiality of your e-mail depends solely on preventing unauthorised access to your Mac or PC.

Windows will also store the password that is used to give access to the mapped disks. This is a useful time-saving device, which means you can go and make coffee while your PC is starting up, but it leaves the networked disk vulnerable - it is only as secure as your desktop computer.

Internet Explorer will offer to store the password that you use for the Data Warehouse and Staff Information pages.

You can also set up dial-up access to SARA on your Mac or PC in such a way that it will remember the password. Again this is a time-saver, but it has dangers. If you access a mapped drive over a modem line using SARA, storing the SARA password and the password for mapping the drive can be even more risky.

Storing the password is risky not only because it leaves an open path to your e-mail and confidential data for anyone who has physical access to your Mac or PC, but also because of the way the password is stored. Although it will be stored in encrypted form, and usually buried in the files that most people never look at, it can be found by those who know where to look, and the encryption that is used is not the most rigorous sort of encryption.

Password-protecting the desktop or laptop computer

There are ways of password-protecting your own computer. There are two aspects of this: preventing unauthorised people from starting up your computer and preventing unauthorised access across the network.

A "start-up" password

You can place a password on your PC so that it will not start up unless the correct password is typed in. This is all very fine, but before taking this step you must be aware that it is almost impossible to overcome this hurdle if for any reason the password is forgotten. Most commonly this becomes a problem if the user of a particular computer leaves or is away, and someone else needs to access it. Before protecting your computer in this way you should think through these possibilities, and take care to store the password (in a secure place, not an unlocked drawer). You should not use your Unix password for this purpose.

The way to set this password on a PC varies slightly from model to model, but the general procedure is to interrupt the starting up process by pressing a key (usually it is either F2 or the Del key, but others are used on certain models). If you press this key at the right moment it lets you into the CMOS set-up, and one of the things you can set up is the start-up password.

On some models you can set two levels of password: the basic start-up password and a supervisor password. In many circumstances it is a good idea to have a supervisor who is able to go in and re-set the start-up password if for any reason it is lost.

Similar measures are possible on a Mac, using third-party software, commercially available.

Screensaver passwords

Some screensaver programs, such as AfterDark on the Mac, have a facility for imposing a password. Using these programs you can put your computer into screensaver mode when you leave it, and it will only return to normal working if you type in the correct password. This is a valuable precaution in cases where casual passers-by may have access to your computer during your temporary absence, but it does not provide protection against anyone who can get access to your computer for long enough to turn it off and re-start it.

Document passwords

The measures so far considered have been for protecting whole computers or portions of networked disks. Another layer of protection can be given by placing a password on individual files. Microsoft Office allows you to do this when you are saving a document. The document is then encrypted and can only be opened if the password is entered.

If you are passing confidential information by e-mail, one way to reduce the risk of damaging leaks is to send it as a password-protected document. Note that not all versions of Word can open password-protected documents - for example, users of Word 5.1 on the Macs will not be able to open them.

Security of networked PCs

We have considered the ways in which access to information on the networked Suns is controlled by your Sun username and password. But if your PC is on the network it is not simply a terminal for accessing other host computers: it too can be a host to other computers, and its data too can be accessed across the network. Sometimes this is what you want - when you are sharing information with colleagues, for example - but you want to be able to control it. How far is this possible? How secure is the data on your PC against unauthorised access over the network?

There are several ways in which someone can get unauthorised access to your Windows95/98 PC across the network:

The first two dangers are things you can take steps to prevent. The third is not under our immediate control, but although Windows95/98 has its share of bugs and loopholes it requires a considerable level of skill and ingenuity to exploit them effectively. Most of us do not have data which is sufficiently valuable to make it worth anyone's while to expend such a degree of effort to break into it. However it is because this possibility exists that we would advise you not to keep highly confidential data on the hard disk of a networked PC. Either keep it on removable media, or on one of the Sun network disks, where it will be more closely guarded.

The important thing is to make sure you don't leave yourself open in either of the other ways, which are easily preventable.

Windows95/98 file sharing

You can install the file-sharing feature of Windows95/98, and make part or all of your hard disk (or indeed any other disk drive) sharable. Your PC will then be visible in the network neighbourhood window of other networked PCs, and they will be able to access your shared drive. This is known as "peer-to-peer" file sharing. Windows will allow you to make the disk sharable without a password, but you should never do this. Always require a password.

Always restrict the sharability to just those parts of the disk that you need to share. You may think that there is nothing on your hard disk that is confidential, so you could make it all sharable, but you don't know what you might put on it later on. So just make individual folders sharable. Also, unless your colleagues need to write onto your disk, make the shared folder read-only. Finally, be careful to restrict knowledge of the password, and make sure that your colleagues are security-conscious. If you make a folder sharable so that a colleague can read it, it is only as secure as your colleague's computer.

Do not use your Unix password for this purpose.

Trojan horses

The only cases we have found where it is clear that unauthorised access has occurred across the network have been where a trojan horse has been loaded onto the computer. A trojan horse, as the name suggests, is a piece of software which seems harmless or even useful, but which in fact opens up your computer to invaders. Some merely destroy your data; others stay unobtrusively in the background steadily sending information back to their originators about your computer, your password and your data.

Trojan horses are sometimes loaded onto a computer by people who think they are useful programs and who are unaware of their potential dangers, but more often they infect a computer in the same way as other viruses - they arrive as e-mail attachments and are opened inadvertently.

The usual anti-virus advice applies here:

Conclusion

We have only touched the surface of a complex topic. The crucial points are contained in the guidelines given at the beginning.

Finally, keep a look out for developments in this field, such as digital signatures and the greater security of operating systems such as WindowsNT or Windows 2000.

Links to further on-line information

Viruses:
http://www.st-and.ac.uk/ITS/faq/virus/

Information security policy at St Andrews:
http://www.st-and.ac.uk/policies/infosecurity/

The Law:
http://www.st-and.ac.uk/ITS/law/acts.html