Skip to Content

Securing Your Data

Printer-friendly versionPrinter-friendly version
Issue: 
Fall 2013

John Porter (VCR)

Recent headlines regarding the National Security Agency (NSA), have made it abundantly clear that “data security” is always a relative term.  Does that mean we should just give up and throw open doors to our systems? Not so.  The key is to make your system secure enough that malicious parties will simply find it too expensive or inconvenient to penetrate it.  Often the key issues are not so much technical as personal. “Human engineering” is a key way hackers gain access to systems.

James Brunt has produced several excellent security-related blog entries at: http://lno.lternet.edu/blog/jbrunt. Notably “Passwords, passwords, passwords” details why passwords are both our “best friend” and our “worst enemy” when it comes to security.  “On the Road: Fear and Living with Public Computing” discusses the perils of operating on open networks and “Protecting Your Digital Research Data and Documents” addresses backups.  I’ll hit briefly on these topics, but I’d be remiss if I didn’t point you to these excellent contributions for more details.

The military term “defense-in-depth” is applicable to securing LTER systems. No single security solution is enough.  It requires a series of tools to protect your data.

Outer defense: Computers should be protected by network firewalls that only allow only needed connections. Open Internet “ports” are an invitation to hackers seeking to penetrate your system. One colleague of mine installing a FTP server found that he had attempts to break into his system from overseas less than 45 minutes after the computer was first turned on.  A firewall limiting access to specific services from specific computers or subnets can greatly limit the number of hackers banging away at your system. 

Boundary defense: Long, complex (ideally random) passwords are the best defense against “brute force” attacks.  However, they are also hell to generate, manage, and use, unless you use a password manager such as the open source “KeePass” software (http://keepass.info/). Such a manager lets you cut-and-paste passwords without having to type them at all. This makes it easier to use unique passwords (and if you are really tricky, unique login ids and security question answers) for each site you use.  Randomly generated passwords are preferred because lists of millions of commonly-used passwords are available from hacker sites on the web.  I showed a list of the top 25 passwords to a group of about 50 people – and the gasp from the audience was very audible.  Now expand that list by a few orders of magnitude and you can see the problem. Also your system is only as protected as its least security-conscious user. Once someone can get in, the ability to do damage increases exponentially!

Use of unique passwords is a must for any system that contains anything of value, since every web site knows (or could know) the password you use there. Unscrupulous web sites that ingest passwords only to sell them on the open market are not unknown.  Two-stage authentication, where a code is sent to your phone when you login from a new computer, is also a powerful way secure access and is increasingly available on commercial services.

Network encryption, including https, virtual private networks, and Secure Socket Layers (SSL) are required to keep your passwords from being intercepted in transit and should be used wherever they are supported.

Securing your electronic mail account is of special importance. This is because the password recovery functions of many web sites (including LTERnet) send you email that allows you to reset a forgotten password. Thus anyone who has access to your email account can “steal” your other accounts.  Recently publicized incidents of identity theft or computer vandalism increasingly depend on a chain of actions – and often breaking into an email account is a key feature.  Thus, encryption and a long, complex password are a must for your email account!

Internal Defense: Computers should be frequently updated to fix security holes that have been discovered in the operating systems and software.  Computers need to be running up-to-date anti-virus software that detects viruses and malware – this is especially true for computers supporting electronic mail or uploading. Be cautious regarding the use of JAVA plugins in web browsers because JAVA-based exploits make up the vast majority of web malware.  This is the reason for all the security messages have been popping up in browsers when JAVA is invoked.

Last Defense: Secure backups are the best way to prevent total disaster (e.g., total data loss). As discussed by James Brunt, backups (notice the plural – it’s important) need to be maintained at a variety of locations. Off-site (as far off-site as is feasible) backups provide the best protection.  If you are using spinning disks as your backup medium over a network keep in mind that a hacker that penetrates your main computer system could also access, and delete or alter, your backup medium. So a copy that is not available online is highly recommended. Finally, a backup is really a backup only if it works. Using your backup system to periodically recover data from a backup is a must to assure that the system is operating properly. It also helps to be familiar with the restore procedure, so that when your data are at risk, you aren't needing to experiment. 

Wrapup: Computer security, like the Red Queen in Alice in Wonderland, needs to keep running merely to stay in place. As quickly as security measures are adopted, people start working on how to circumvent them. Actually, often the reverse is true: new exploits demand new security responses. Thus computer security is always a relative, not absolute property. The key is to be at least a bit harder to penetrate than the next target!