Page 436 - Using MIS
404 Chapter 10 Information Systems Security
account information, and Social Security Numbers are being compromised at a staggering rate,
endangering the identities of consumers nationwide.”11 Because of these problems, some organizations
choose to use smart cards and biometric authentication in addition to passwords.
Smart Cards
A smart card is a plastic card similar to a credit card. Unlike credit, debit, and ATM cards that
rely on a magnetic stripe, smart cards have a microchip. The microchip, which holds far more data
than a magnetic stripe, is loaded with identifying data. Users of smart cards are required to enter
a personal identification number (PIN) to be authenticated. Because the card must be physically
present and the PIN must be known, a lost card alone, or a leaked PIN alone, is not enough to
impersonate the user.
Biometric Authentication
Biometric authentication uses personal physical characteristics such as fingerprints, facial
features, and retinal patterns to authenticate users. Biometric authentication provides strong
authentication, but the required equipment is expensive, and unlike a password, a biometric that
has been compromised cannot be changed. Often, too, users resist biometric identification because
they feel it is invasive.
Biometric authentication is in the early stages of adoption. Because of its strength, it likely
will see increased usage in the future. It is also likely that legislators will pass laws governing the
use, storage, and protection requirements for biometric data. For more on biometrics, search for
biometrics at http://searchsecurity.techtarget.com.
Note that authentication methods fall into three categories: what you know (password or
PIN), what you have (smart card), and what you are (biometric).
Single Sign-on for Multiple Systems
Information systems often require multiple sources of authentication. For example, when you
sign on to your personal computer, you need to be authenticated. When you access the LAN in
your department, you need to be authenticated again. When you traverse your organization’s
WAN, you will need to be authenticated to even more networks. Also, if your request requires
database data, the DBMS server that manages that database will authenticate you yet again.
It would be annoying to enter a name and password for every one of these resources. You
might have to use and remember five or six different passwords just to access the data you need
to perform your job. It would be equally undesirable to send your password across all of these
networks. The further your password travels, the greater the risk it can be compromised.
Instead, today’s operating systems have the capability to authenticate you to networks and
other servers. You sign on to your local computer and provide authentication data; from that
point on your operating system authenticates you to another network or server, which can
authenticate you to yet another network and server, and so forth. Because this is so, your identity
and passwords open many doors beyond those on your local computer; remember this when
you choose your passwords!
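The chain of delegated authentication described above, as an added example that is not from the book: a Kerberos-style ticketing flow in Python. The password is checked exactly once, by the local sign-on service, which issues a session token; that token is later exchanged for short-lived tickets for individual services (here a LAN file server and a DBMS), and each service verifies its ticket with its own key without ever seeing the password. The user name, password, service names, and keys are constructed for the example; the keys stand in for the per-service secrets a real deployment provisions out of band.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for the example: the sign-on service's key and one key per
# downstream service (an assumption standing in for provisioned secrets).
SSO_KEY = secrets.token_bytes(32)
SERVICE_KEYS = {"lan-fileserver": secrets.token_bytes(32),
                "dbms": secrets.token_bytes(32)}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# The local sign-on service's user database: salt and hash only, never the
# clear-text password. Sample user constructed for the example.
_salt = secrets.token_bytes(16)
USERS = {"alice": (_salt, _hash_password("correct horse battery", _salt))}


def _sign(key: bytes, payload: str) -> str:
    """Append an HMAC so that nobody without `key` can alter or forge `payload`."""
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def _verify(key: bytes, token: str, now: float):
    """Return the token's fields if the MAC is valid and it has not expired, else None."""
    payload, _, mac = token.rpartition("|")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    fields = payload.split("|")          # field values must not contain "|"
    if now > float(fields[-1]):          # last field is the expiry time
        return None
    return fields


def sign_on(user: str, password: str, now: float = None, ttl: int = 8 * 3600):
    """The one place the password is checked. Returns a session token or None."""
    now = time.time() if now is None else now
    record = USERS.get(user)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    return _sign(SSO_KEY, f"session|{user}|{now + ttl}")


def service_ticket(session_token: str, service: str, now: float = None, ttl: int = 600):
    """Exchange a valid session token for a short-lived ticket for one service.

    Only the session token travels here; the password never leaves sign_on().
    """
    now = time.time() if now is None else now
    fields = _verify(SSO_KEY, session_token, now)
    if fields is None or fields[0] != "session" or service not in SERVICE_KEYS:
        return None
    user = fields[1]
    return _sign(SERVICE_KEYS[service], f"ticket|{service}|{user}|{now + ttl}")


def service_accepts(service: str, ticket: str, now: float = None):
    """What a resource server checks: the ticket, using only its own key.

    Returns the authenticated user name, or None if the ticket was issued for a
    different service, has been tampered with, or has expired.
    """
    now = time.time() if now is None else now
    fields = _verify(SERVICE_KEYS[service], ticket, now)
    if fields is None or fields[0] != "ticket" or fields[1] != service:
        return None
    return fields[2]


if __name__ == "__main__":
    session = sign_on("alice", "correct horse battery")
    ticket = service_ticket(session, "dbms")
    print("dbms sees user:", service_accepts("dbms", ticket))
    print("file server rejects the dbms ticket:", service_accepts("lan-fileserver", ticket) is None)
```

The point the book makes about password travel is visible in the code: only `sign_on` ever handles the password, and a ticket stolen in transit is bound to one service and expires in minutes, whereas a captured password would open every door at once.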
Encryption
Encryption is the process of transforming clear text (plaintext) into coded, unintelligible text
(ciphertext) for secure storage or communication. Considerable research has gone into developing
encryption algorithms (procedures for encrypting data) that are difficult to break. Commonly used
methods are DES, 3DES, and AES; search the Web for these terms if you want to know more about
them. Note that DES, whose 56-bit key can be exhausted by brute force on modern hardware, is no
longer considered secure; AES is the current standard.
A key is a number used to encrypt the data. It is called a key because it unlocks a message,
but it is a number used with an encryption algorithm and not a physical thing like the key to
your apartment.
11 Verizon 2014 Data Breach Investigations Report, accessed June 2014, www.verizonenterprise.com/DBIR/2014/.