Physical Security

An important item to keep in mind at this point is the need for physical security. Imagine the following scenario: You return home from work one day and see that a break-in has occurred. Not only are several valuable items missing, but your home computer has disappeared as well. Most people immediately begin thinking about their data that was lost. But wait, backups were religiously made according to a schedule. But where are those backups? In most cases, they were probably left unsecured next to the computer. Businesses often spend a great deal of money addressing these issues on a larger scale with off-site backup and recovery processes, and as an individual, these same issues should be addressed, although on a smaller scale.

Think about all the data that resides on the computer that was stolen from your home. Do you keep your family budget on the computer? Do you use TurboTax, Quicken, Microsoft Money, or any other personal finance or tax software? Do you keep personal letters and correspondence on the machine? Does your computer contain files of historical or sentimental value? All of this information is potentially disclosed to that third party. It's come to the point where the data is more valuable and important than the computer. A PC can be purchased for less than $1,000 today, but the cost of losing the data can easily exceed several times that amount. Not so long ago, it was the other way around.

Our example, albeit a bit of scare tactic, illustrates the importance of physical security. All of the information noted in the previous scenario—the family budgets, tax and financial data—can also be stolen or disclosed over a network, which relates to logical security. As long as the machine is connected to some sort of network, an office local area network (LAN), to the Internet via an ISP account or through your cable modem, it's possible that an unauthorized person can access that data through logical means.

One of the most obvious, but frequently ignored steps of computer security is that of the physical realm. Computer security experts often say, “If I have physical access to the machine, all bets are off.” These experts are referring to the ease of breaking into a computer that is sitting in front of you, as opposed to connecting to the same machine over the Internet. One of the easiest methods of accessing a computer through physical means is by using a floppy disk, which can bypass any login user ID and password scheme being used. Someone with a floppy and physical access can do anything from access the data to format the hard drive. That is when you hope that all of your personal files are encrypted! (We talk more about encryption in Chapter 12, “Securing Your Standalone PC: Viruses, Chat, and Encryption.”) Although it is unlikely that a home user actually situates his home computer in a secure room (do you store your computer in a vault?), the house must be secure from unwanted entry and access to your computer.

One of the easiest things a physical intruder can do is open up the computer and remove its hard drive. The hard drive, which contains all your data, is about the size of an average paperback novel. That hard drive can then be loaded and read in any of a number of ways. All the data can be copied to another hard drive. If you were the target of corporate espionage, and your home computer had company data on it (many of us work at home these days), someone could break into your house, copy the hard drive, and replace it without your even knowing it. True, this is unlikely, but it is possible. The bottom line is that computer security starts at the physical layer.

BIOS and the Bootup Process

Because a computer is typically not physically secured or locked up at all times, such as in an office environment, we will look at several other ways to protect the unattended computer.

When a computer is powered on, the initial actions it takes are based on its basic input/output system (BIOS) settings. BIOS is the fundamental set of instructions for that individual computer. Every PC has BIOS settings. Whether the PC is running Windows 95/98, NT, or 2000, BIOS settings govern the basic operation of the computer. The BIOS performs such functions as memory and hardware checks. The BIOS also provides a place for the user to configure the date and time, hardware setup, order of boot devices (that is, whether the computer boot from the floppy drive or the CD-ROM drive first), and power management. The settings we will be focusing on are the security options within the BIOS settings.

How Do You Get to and Configure the BIOS Security Settings?

When you turn on your computer and it goes through the boot process, pay attention to the messages that appear on the screen. One message usually says something to the effect of Press the Del key to enter Setup. On some machines, it might be the Esc, F1, or F2 key. The key to press differs for BIOS manufacturers. Machine manufacturers (Dell, Gateway, IBM, Compaq, and so on) select and install a BIOS for each one of their computers. Different models produced by the same manufacturer might use different BIOSes. Sometimes the word “Setup” is used, and at other times, it might say “Diagnostics.” In any case, a similar message usually pops up. If you don't see a message like that, try holding down the Delete, Esc, or any of the function keys to enter the BIOS settings. Typically, a user has a few seconds to press the proper key sequence to enter the BIOS setup. If no key is pressed, or if the improper key sequence is pressed, the computer continues to boot from the hard drive.

When you are in the setup screen, look for a Security Options area. In this configuration area, you should be able to set different passwords. If a security setting can be made, a System or Boot-Up password can usually be set. This password controls access to the system at bootup. To continue the boot process and boot from the hard drive, a password must be entered. This helps prevent unauthorized users from walking up to the machine, turning it on and then being able to access the hard drive or operating system. With this option set, the user of the system is required to enter a password during bootup. Other security settings that can be found in the BIOS include disk access password (prevents access to the hard drive), setup password (controls access to BIOS), and various user-level passwords. These options will vary from BIOS manufacturer to BIOS manufacturer.

Assigning a BIOS password to your machine helps prevent unauthorized access at the console. Even with physical access to the computer, an intruder will have a hard time accessing your data. If the boot sequence did not have the floppy drive listed first, an intruder with a bootable floppy could not access your data if you had a BIOS password set at boot time.

Computer Backups

Computer backups, if performed properly, contain all your data from your computer. Creating backups of machines on a regular basis is typically a tedious task. If the user even performs this valuable function, little thought is usually given to where those backup tapes should be stored or secured. Backup tapes should be afforded the same level of security given to the physical machine—if not more. If those tapes fell into the evil hands of a hacker, they could be used to create an exact copy of the machine as it existed at the time of backup. Even if the data on the tapes were old, the tape would still contain much relevant data related to the user: account numbers, usernames, password files, Quicken financial information, and so on. Think about how often you change all the data on your hard drive. It's probably not very often in most cases. Old copies of your data will contain private, relevant information about you. Thought and planning should be given not only to how you perform your backups, but also to how they are stored and secured. Many backup programs mandate using a password to restore the information, which is an added security feature.

Many operating systems have built in backup utilities. Figures 10.1, 10.2 and 10.3 show the backup programs that come built-in with Windows 98, Windows NT, and Windows 2000, respectively.

To access the backup program in Windows 98, select Start, Programs, Accessories, System Tools, Backup. In Windows NT, select Start, Programs, Administrative Tools, Backup. In Windows 2000, select Start, Run. In the Run box, type ntbackup.

The backup medium can be a Zip drive, a writable CD-ROM drive, another networked computer with a large hard drive, or a tape backup device. Some backup software packages allow for the use of encryption. During the backup process, the data being written to the backup medium is stored in an encrypted form. If the encrypted backup tapes fall into the wrong hands, the data on the backups remains incomprehensible. The legitimate user who knows the proper password can decrypt the data during the data recovery process. Although weak encryption schemes can be cracked, the typical user can get by with basic encryption schemes because the odds of someone sophisticated getting your backup tapes are rather slim. To crack encryption schemes, sophisticated software and powerful hardware are usually necessary.

Backup media is just as important as the original data on your computer. Store your backups in a secure place away from the machine. To keep that information secure, you will need to use encryption and passwords to add extra layers of protection on your personal information.