April 1993 - Volume 9:6
By Dave Millar
What would happen to University operations and data if a disaster like Hurricane Andrew struck the Delaware Valley? Andrew wreaked approximately $19 million worth of damage on Florida International University. At the University of Miami, storm-related losses totaled $21.5 million. While uprooted trees blew past its data center, Miami still managed to get payroll checks out on time. A business continuity plan and a little luck gave computer users one less thing to worry about.
Would Penn fare as well? Findings from a recent study of Penn's disaster preparedness (see sidebar on page 11) raise concerns: Forty-two percent of desktop systems supporting business functions at Penn are not backed up. Approximately two thirds of the backups are not stored off site.
While an event like Hurricane Andrew is unlikely in Philadelphia, other, more likely disasters can still be devastating. A burst pipe, a fire, or a mischievous hacker can damage systems and data with as much finality as a natural disaster. What steps can you take to protect data on your desktop system or host computer, or in paper files? Here are some suggestions.
Back up your data
Individual needs for number and frequency of backups vary, but think about the consequences of losing your data. How many days of work could you lose? Could your data ever be reconstructed? Would you miss critical deadlines? Compare the risks with the cost of backups. And make sure that at least one copy of your backup is stored off site. For easy off-site storage, you can arrange for the University Data Center to back up your desktop computer on Penn's IBM mainframe via PennNet (see "PENNBack," Penn Printout, March 1993, page 4).
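The advice above has three parts: make the backup, keep a copy off site, and be able to restore from it. The following Python script is an added illustration written for this article, not code from Penn or the author; it builds a small constructed "payroll" directory, archives it, copies the archive to a second (stand-in off-site) directory with a checksum comparison, simulates the loss of a file, and then proves the off-site copy restores every file bit for bit. The directory names, file contents and the `demo` function are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of one file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file below root (directories excluded)."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tarball of src and return the manifest captured at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest(src)


def copy_offsite(archive: Path, offsite_dir: Path) -> Path:
    """Place a second copy elsewhere and confirm it is byte-identical to the original."""
    offsite_dir.mkdir(parents=True, exist_ok=True)
    dest = offsite_dir / archive.name
    shutil.copy2(archive, dest)
    if sha256_of(dest) != sha256_of(archive):
        raise OSError("off-site copy does not match the original archive")
    return dest


def verify_restore(archive: Path, expected: dict[str, str]) -> bool:
    """Restore into a scratch directory and compare every file against the manifest.

    A backup that has never been restored is an untested backup: this is the check
    that turns 'we have a tape' into 'we can recover'.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # reject unsafe paths (Python >= 3.12)
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(scratch)
        return manifest(Path(scratch)) == expected


def demo() -> tuple[bool, bool]:
    """Constructed scenario: back up a small tree, copy it off site, lose a file on
    the original, then prove the off-site copy restores it exactly."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "payroll"  # constructed sample data, not real records
        (src / "reports").mkdir(parents=True)
        (src / "employees.csv").write_text("id,name\n1,Ada\n2,Grace\n")
        (src / "reports" / "march.txt").write_text("checks issued: 2\n")

        expected = create_backup(src, work / "payroll.tgz")
        offsite = copy_offsite(work / "payroll.tgz", work / "offsite")

        (src / "employees.csv").unlink()  # the simulated disaster: a lost file
        restored_ok = verify_restore(offsite, expected)

        # A manifest with one wrong hash stands in for a corrupted file: the
        # restore check must report failure rather than a false 'all clear'.
        corrupted = dict(expected, **{"employees.csv": "0" * 64})
        caught = not verify_restore(offsite, corrupted)
        return restored_ok, caught


if __name__ == "__main__":
    print(demo())  # expected: (True, True)
```

The manifest taken at backup time is the piece most backup routines skip: without it, a restore that silently drops or corrupts a file looks just as successful as one that works. Keep the manifest with the off-site copy, and run the restore check on a schedule rather than only after the disaster.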
Restrict access to your computer
If your computer is not in a locked office and you have sensitive data on it, explore access control. Alternatives include physical locks as well as software solutions.
Physically secure your computer
The University insures computers against loss only if they are locked down with an approved device. Reimbursement for secured computers is for replacement cost, less a $500 deductible. There is no exception to this policy for alarmed office suites. If you have questions, contact Andrea Phillips, 898-3479, in the Office of Risk Management.
Be extremely careful with file sharing
File sharing can be convenient, but it poses some security risks. While products such as Novell Netware offer robust security, others such as AppleTalk offer less protection (see "The mighty LAN," Penn Printout, February 1993, page 14). If you use AppleTalk for file sharing, make sure it is off when not in use. From the Apple menu, select Control Panels, followed by the Sharing Setup icon. The status blocks in the conversation window tell you whether file sharing is on. AppleTalk users who share files should also review their file sharing rules. For further information, see Penn Printout, March 1992, page 23.
Guard against crackers
Be aware of tricks that crackers use to "attack" computers. Recently, a Penn student received a message advising him to type a command "to make your computer run faster." The command would have made his account accessible without a password. Other users have received e-mail or phone calls asking them to test free software. The user is instructed to log in to the software using "your real password." The user's ID and password are then e-mailed to a remote site. Still another ploy is to send a message, apparently from the system administrator, requesting the user to change his or her password to the one specified in the mail message. If you receive such a message, verify its authenticity with your system administrator before acting on it.
Don't leave computers unattended
Some screen-saver packages prevent access without a password, but this may not be adequate protection for sensitive data.
Log off systems properly
If you don't log off a system properly but simply disconnect from PennNet, under certain unusual circumstances the next person to connect may have access to your session on the system. That person would then have the same capabilities you have, which might include viewing or altering data, sending mail from your account, or changing your password.
Change your password
If you haven't changed your password in more than six months, do so now. Pick passwords that are hard to guess. English words or names (spelled forward or backward) are poor choices because system crackers use dictionaries to guess passwords. Pick a mix of at least eight alphabetic and numeric or special characters, if your system permits. See Penn Printout, September 1991, page 24, for additional information about passwords.
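The three rules in the paragraph above (at least eight characters, a mix of letters with digits or special characters, and nothing a cracker's dictionary would contain forward or reversed) are easy to turn into a check that a system administrator can run when a user picks a new password. The Python below is an added example written for this article, not code from Penn or the author. Its `WORDLIST` is a handful of constructed entries standing in for the full dictionaries crackers actually use, and the `dictionary_core` helper goes slightly beyond the article's text by also stripping digits or punctuation tacked onto the end of a word (so "Penn93!" is judged on "penn"), since that pattern is in every cracker's dictionary as well.

```python
from __future__ import annotations

import string

# Constructed stand-in for the dictionaries crackers run against password files.
# A real check would load a full word list plus first names, surnames and
# previously leaked passwords; these few entries only make the example runnable.
WORDLIST = {
    "penn", "quaker", "philadelphia", "andrew", "hurricane",
    "password", "welcome", "secret", "printout",
}

MIN_LENGTH = 8
SPECIALS = set(string.punctuation)


def dictionary_core(candidate: str) -> str:
    """Lower-case the candidate and drop trailing digits/punctuation, so that
    'Penn93!' is judged on 'penn'. (Slightly past the article's wording: a word
    with a number tacked on the end is in every cracker's dictionary too.)"""
    return candidate.lower().rstrip(string.digits + string.punctuation)


def password_problems(candidate: str, wordlist: set[str] = WORDLIST) -> list[str]:
    """Return every reason the candidate fails the article's guidance; empty means OK."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    has_alpha = any(ch.isalpha() for ch in candidate)
    has_other = any(ch.isdigit() or ch in SPECIALS for ch in candidate)
    if not (has_alpha and has_other):
        problems.append("needs both letters and digits/special characters")

    core = dictionary_core(candidate)
    # Crackers try each dictionary entry forward and reversed, so test both.
    if core in wordlist or core[::-1] in wordlist:
        problems.append("based on a dictionary word or name (forward or reversed)")
    return problems


def is_acceptable(candidate: str, wordlist: set[str] = WORDLIST) -> bool:
    """True when the candidate passes all three checks."""
    return not password_problems(candidate, wordlist)


if __name__ == "__main__":
    # Constructed candidates: a bare name, a reversed name with a year, a
    # capitalised word with a suffix, and a random-looking mix that passes.
    for pw in ["penn", "nnep1993", "Hurricane!93", "q7Rk#z2Lw"]:
        print(pw, "->", password_problems(pw) or "acceptable")
```

Returning the full list of problems rather than a single yes/no lets the administrator tell the user exactly what to change; note that "nnep1993" passes the length and mix rules and is caught only by the reversed-word test, which is why the article calls out backward spellings specifically.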
Protect against viruses
Install the current version of an antiviral software package on your desktop system. Vi-Spy and Disinfectant are the recommended packages for IBM PC/compatibles and Macintoshes, respectively. They are available at various campus sites. For further information, see Penn Printout, October 1992, page 4.
Protect paper files
Protect any critical paper files from unauthorized disclosure or destruction. Consider fireproof storage, optical scanning, or microfilm.
Information
For further information or to talk about computer security concerns, contact University Information Security Officer Dave Millar, 898-2172 or email@example.com.
Sidebar 1: Business continuity planning
The University has undertaken a project to identify risks to critical information, to reduce those risks, and to create a plan to ensure that critical areas of the University survive a disaster. Last year, as a first step, the Comptroller's office and Information Systems and Computing (ISC) began a risk analysis of administrative functions of the University (see "Failing Safe," Penn Printout, November 1991, page 10). Dataguard Recovery Services, of Louisville, KY, was retained to assist on the project. The company conducted interviews throughout the University, analyzed more than 300 questionnaires, and conducted risk awareness seminars.
Dataguard made several recommendations to increase the survivability of the University's information infrastructure. Several have already been acted upon. Specifically, the Medical Center is building a new computer room, scheduled for occupancy by late 1993, and has provided backup power for its data center. The Office of Data Communications and Computing Services (DCCS) is taking steps to reduce the potential for outages in the PennNet Network Control Center.
Dataguard also looked at the preparedness of Penn's business functions for a potential disaster. Of the 179 functions considered critical, approximately 6 percent were considered prepared, 72 percent were considered partially prepared, and 22 percent were considered unprepared.
In the next few months, ISC and the Office of the Comptroller will initiate pilot business continuity projects. ISC will later assist other organizations with the creation of business continuity plans. In addition, ISC will address some of the remedial actions suggested by Dataguard.
Sidebar 2: Tips for system administrators
DAVE MILLAR is University Information Security Officer in the Office of Data Administration.