Carroll County Times

John Culleton: Increase internet security measures

This ever-evolving era of electronics and the Internet offers enormous opportunities for achievement and equally enormous opportunities for evil.

Before a volcano erupts there are unusual earthquakes and tremors. We have more than enough signs and advance tremors indicating the certainty of a series of huge Internet disasters. It is becoming all too easy to cripple a business, or even a nation, by an Internet attack. Our nation, perhaps in concert with Israel, destroyed a whole generation of Iran's centrifuges by a cyber attack. These centrifuges were a vital part of Iran's nuclear weapons program.

Retail chains like Target and Neiman Marcus have had huge amounts of customer information stolen. WikiLeaks and Edward Snowden betrayed a huge number of our secrets. A foreign government stole engineering drawings for our latest fighter plane from the computer of a minor subcontractor. Convenience and fascination with technology outweigh caution in too many cases.

Even information normally communicated by paper documents or by telephone is subject to hacking if the company or agency stores vital information in bulk on computers connected to the Internet. I speak from personal experience.

We need to make both information theft and other attacks difficult, expensive and dangerous. There are three kinds of attacks possible: transactional, hacking and trusted employee misbehavior.

■ First: An individual credit card number can be stolen at the point of sale by various means. Such single-number theft is serious for the individual, but not massive in quantity.

■ Second: If any computer is attached to the Internet and a hacker breaks into it, then any information on it can be stolen, altered or erased. Any devices controlled by that computer can be rendered inoperative or possibly destroyed. No computerized security processes are infallible.

■ Third: A trusted employee, as Edward Snowden was, may filch information that he or she has legitimate access to because of his or her employment.

To counter these multiple threats, multiple defensive strategies need to be employed.

Transactional theft is usually frustrated by avoiding unnecessary use of your credit card. Pay locally by cash or check.

External hacking is avoided by segregating networks. Sensitive information should be stored in bulk only on dedicated networks that are not connected to the Internet. The same goes for machine controls like power plants or traffic signals.

There is still the danger of another Edward Snowden, so internal networks should be further physically segregated by need to know. Engineers need not visit personnel data and accountants need not have access to the customer database.

In large organizations, these dedicated networks should have only terminals connected to them, not desktop computers. A thumb drive can store a lot of information. And in large organizations the terminals themselves should be connected physically and electronically by uncommon means. Ethernet connections are cheap, but very easy to unplug and plug into another device. Hence even dedicated nets are vulnerable if based on today's garden-variety communication technology.

Processes such as Internet sales require that sensitive information be exchanged over the Internet yet ultimately stored locally. In addition to various encryption and verification means, there needs to be a physical disconnect of the external and internal electronic sales processing systems.

Older technology comes to our aid here. If the external sales system exchanges information with the big internal system using magnetic tape, printers feeding Optical Character Readers or even human intervention, access to the whole main body of data via an Internet attack is impossible. The transfer media need to be erased or destroyed soon after transfer. Such an exchange method is less convenient and more expensive, but more secure.

What about the mom-and-pop store with just one computer? Use the Linux operating system. Hackers usually don't bother attacking this relatively rare OS.

Data can be made secure. First we have to get management's attention. That will take a few more disasters.