To Trust or Not To Trust?
While taking a knowledge management course in school, one thing that struck me was the common theme among classmates of, “…as long as the knowledge is there, timely, and relevant…I’m good.” Each time I posted a situation where I would tell them, for example, I’m a hacker who just went in and manipulated your data; however, you don’t know it. Better yet, I would tell them I just copied very a sensitive report pertaining to your company and, again, you have no idea.
It struck me as very concerning how very few of my classmates would respond to my challenges. After some time, upon approval from my instructor, I decided to write about looking at a topic from a security perspective rather than a knowledge management perspective. So, how does a company ensure the accuracy of information or knowledge produced by their personnel? How does the company mitigate the chances of the information or knowledge being tampered with by a computer hacker whether internal or external to the company? This discussion will focus on practical steps that can be taken towards authenticating and protecting the integrity of information or knowledge; software available for performing encryption as well as producing hashes on materials; and how knowledge management systems display information on who touched what information last.
First, I will admit that not too many regular people out there really think about what they’re downloading these days even from friends via email. Website downloads are very tempting as well as BitTorrent (sharing files), especially when they’re FREE. FREE means no money involved, maybe just an email address; never mind the risk of obtaining a Trojan Horse or other compromising security threat…it works, let’s use it! However, when a company has information or knowledge stored on IT systems, the company wants the accuracy of that information to be true to form, unaltered, or authentic and accurate.
Another issue that comes up is when people open email from people they know (or don’t know) and think it’s just another email with a link or attachment; yet their computer is compromised. This is due to the fact that they did not truly validate that it was their friend who sent the email (or they are very curious about people sending email whom they don’t know).
So, when we talk about authentication, what do we mean? Authenticating something involves three factors: something a person knows, something a person has, or something a person is (wikipedia.org, 2011). It is better to have at least two of these factors for authenticating, but three is ideal. For example, in the United States government, personnel are issued a Common Access Card identification with a picture, name, and a computer chip embedded into the card. This chip contains some personal information about the individual; it also contains different types of identification on it. Personnel need these CACs to access their computer and to obtain network access from their computer as well.
The network will authenticate the individual when they insert their card (something they have) into a reader and, once prompted, the individual must enter their personal identification number (PIN) (something they know) which will give the person access to the computer and other resources. The CAC identification is also utilized to associate the individual to information or knowledge stored on a knowledge management system (KMS) allowing a person to modify, upload, or download electronic material (i.e. documents) leaving a “time stamp” with the individual’s name next to the material’s icon for accountability purposes. This is one step companies can do to authenticate their employees not only onto the network, but the KMS as well and know who touched what last as well as the date and time they touched it.
Now associated with authenticating the individual is going back to a previous article I wrote on access control. So, a system can authenticate individuals all day long, but if they have been provided access to everything, including material they don’t have any business in, then their level of access control also needs to be looked at and adjusted accordingly.
If you want to go a step further in “general” authentication, you can password protect materials in Open Office ® and Microsoft Office ® products. This just adds another layer of authentication for a person to go through to further mitigate the possibility of the compromise of data. To do this in Open Office version 3.4.1, you would create a document, then follow the instructions at http://onlineitpro.com/?p=617 (note the current version will save in a .doc format if you intend to utilize Microsoft Word). When opening the document, you will open the document as normal, then you are presented with the screen in Figure 1.
Enter your password for the document (my example is Vortex code.doc) and click OK and the document will open. One thing you will notice in Open Office is the document will be in (read only). To edit the document, simply click the “Edit File” button as shown in the upper left of Figure 2.
As for Microsoft products this link http://office.microsoft.com/en-us/word-help/password-protect-documents-workbooks-and-presentations-HA010148333.aspx provides an excellent tutorial.
Verifying that your friend sent a document to you can be as easy as picking up the phone and asking them if it is OK to open the attachment they sent you (let’s not forget the “not so high-tech” way of verification). However, a person can also go as far as utilizing an asynchronous key structure (i.e. public/private key) allowing the person to know that (to the best of their knowledge) their friend truly sent them the document and their friend can also encrypt to ensure better security. One of the most popular versions of public/private key with encryption for utilization with email is Pretty Good Privacy or PGP. Additional information for PGP products can be found at http://philzimmermann.com/EN/findpgp/.
Now, let’s assume the user has downloaded a document or software (via email or the Internet), they will also want to ensure, as much as possible, that the document or software is unaltered. This can be done by performing a Message Digest 5 (MD5), Secure Hash Algorithm 256 (SHA256), or other type of hash on the material. Provided there are no “collisions” (same hash for a different piece of material), MD5 and other hash algorithms allow a person to do a one-way hash of a document, program, spreadsheet, etc. and compare their generated hash to the hash provided by the owner of the material to ensure, to the maximum possible extent, the integrity of the material.
One way of accomplishing a hash is by visiting http://hash.online-convert.com/md5-generator or other hash generator website. A person only needs to input their “unique” document or type a message into the generator, press the “Convert file” button, and the hash is generated (something the unique message or document generates which is unique). For example, typing in, “Hello Sam, how are you?” generates, “3d3988ee366c77ca5dd07e99860281fc” for an MD5 hash. However, if you want to keep your document or message a little more private versus uploading it onto the Internet, software can be downloaded at http://md5deep.sourceforge.net/ which actually provides different hashes for the user and has a variety of different options.
When a user downloads the program (i.e. Windows binary for Windows platform), the user can actually take the “md5deep-4.3.zip” file and upload to http://hash.online-convert.com/sha256-generator to generate the SHA256 file hash. After this, the user can visually (only takes 5 minutes) compare the generated SHA256 hash to the SHA256 hash presented at http://md5deep.sourceforge.net/ located to the right of the downloaded file.
Again, this just helps to ensure integrity of the file the user downloaded. Keep in mind, there are other websites out there that post one or more hashes for the downloaded software such as http://www.openoffice.org/download/checksums/3.4.1_checksums.html. Of course, if the hashes do NOT match, there could be an issue with the downloaded program (possibly a virus is contained in the download).
Now, for those more “private” documents the user does not really want to upload for the hash, as discussed, the “Hashdeep” software is available. The software is a command line tool providing various functions for the user including comparing hashes, computing hashes, and auditing. Once the software is “unzipped”, there are text files explaining the various functionality. There are 32 and 64-bit versions of the software and the executed 32-bit program will kindly let the 64-bit machine user know they will probably want to execute the 64-bit version.
For example, utilizing “fileformat.txt” from the “Hashdeep” software folder, when a user types in “hashdeep -c md5 fileformat.txt”, “Hashdeep” will compute (-c) the md5 hash on the file “fileformat.txt” followed by a friendly message about utilizing the 64-bit version. So, putting everything together, utilizing encryption software along with public and private keys as well as performing a hash on materials sent can all be steps company personnel can take to validate the integrity of information or knowledge and authenticate who the materials came from.
Now, outside of verifying the person and the hash, there are simple things a person can do to ensure their own documents and other valuables on the computer are kept somewhat safe. For example, go to a Starbucks® and observe how many people are not disconnected from the wireless Internet while grabbing their coffee; this happens at home too even when the computer is not in use and wireless is usually the press of a button or two.
If that is too inconvenient for a person, then having a trusted USB drive around to pull the document(s) to and from and disconnecting it when you are finished writing to or pulling from the drive can help (having the Internet disconnected during this time is a plus as well). Then, there is the obvious locking the computer when not in use with password protection; utilizing a separate administrator account for full privileges; and encrypting files when not in use, so even if the hacker grabs a file, the chances are mitigated they can get into it.
In conclusion, this discussion has looked at the security perspective of managing information or knowledge by going into practical steps that can be taken and software that can be utilized towards validating the integrity of information or knowledge as well as encrypting or password protecting materials. When it comes down to it, knowing who the person is and knowing the information or knowledge they are sharing is authentic helps ensure the security of a knowledge management system.
In addition, having the ability to encrypt materials while passing them over a wire can put a person a little more at ease knowing the possibility of data manipulation has been reduced. Lastly, having the data hash is one more element of information assurance that assures the person the data should be valid.
Wikipedia.org. en.wikipedia.org. Authentication. Retrieved from http://en.wikipedia.org/wiki/Authentication