Introduction to Security
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
What can you do to secure your information resources and your intranet from unauthorized access, viruses, or theft of data? Every day we become more dependent on the Internet for information and for getting work done. Important and private information about business and finance is transmitted and maintained on corporate intranets. Understanding security issues is increasingly important. For a general overview of some key areas of information technology security and for ideas on where else to go to learn more, read on. To delve into these areas more deeply, visit the Microsoft Security Advisor Web site at http://www.microsoft.com/security/default.mspx and read the other articles in this month's Office Update focus on security.
You Can Trust Digitally Signed Programs and ActiveX Controls
Digital signatures and certificates of authenticity are the components of signed programs or ActiveX controls. They can provide you with both the assurance that what you are about to download from the Internet comes from the company it says it comes from and that it has not been tampered with. As we use the Internet more and more to publish ActiveX controls or programs and to download those that we want to run on our own systems, the question of their trustworthiness looms large.
What Is a Digital Certificate of Authenticity?
You can think of a digital certificate as the electronic counterpart of an identification card, such as a driver's license or passport. The process for validating a digital certificate is similar to the process used to issue a physical ID card. A certification authority validates information about software developers and then issues them digital certificates. The digital certificate contains information about the person to whom the certificate was issued, as well as information about the certifying authority that issued it. Additionally, some certifying authorities may themselves be certified by a hierarchy of one or more certifying authorities, and this information is also part of the certificate. When a digital certificate is used to sign programs, ActiveX controls, and documents, this ID information is stored with the signed item in a security-enhanced and verifiable form so that it can be displayed to a user to establish a trust relationship.
Digital certificates use a cryptographic technology called public-key cryptography to sign software publications and to verify the integrity of the certificate itself. Public-key cryptography uses a matched pair of encryption and decryption keys called a public key and a private key. The public-key cryptography algorithms perform a one-way transformation of the data they are applied to, so that data encrypted with the private key can be decrypted only by the corresponding public key. Additionally, each key is a sufficiently large number that it is computationally infeasible to derive a private key from its corresponding public key. For this reason, a public key can be made widely available without posing a risk to security.
To further reduce the possibility that someone will derive a private key from its public key, the certifying authority time-stamps the key pair so that it must be replaced periodically, and provides an additional mechanism to ensure that a signature was applied before the certificate expired. Any signature applied during the active lifetime of the digital certificate remains valid for an unlimited time (unless the signed item is tampered with or the signature is removed). Any signature applied after the digital certificate expires is invalid.
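The two checks described above, integrity of the signed bytes and a signing time that falls inside the certificate's lifetime, as an added example in Go that is not part of the original article. It uses Go's standard crypto/x509 and ECDSA packages rather than the Authenticode format itself, and the publisher name, validity dates and program bytes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedCert issues a publisher certificate valid from notBefore to notAfter (a certification authority would issue the real one).
func SelfSignedCert(key *ecdsa.PrivateKey, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{CommonName: "Example Publisher (constructed)"}, KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Sign signs the SHA-256 digest of the program bytes with the publisher's private key.
func Sign(key *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Verify checks integrity (the signature matches payload) and that signedAt, the time-stamp attached
// when signing, lies inside the certificate's validity window rather than comparing against the current time.
func Verify(cert *x509.Certificate, payload, sig []byte, signedAt time.Time) error {
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig); err != nil {
		return fmt.Errorf("integrity check failed: %w", err)
	}
	if signedAt.Before(cert.NotBefore) || signedAt.After(cert.NotAfter) {
		return fmt.Errorf("signature applied %s, outside the certificate's validity period", signedAt.Format("2006-01-02"))
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := SelfSignedCert(key, time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2001, 1, 1, 0, 0, 0, 0, time.UTC))
	payload := []byte("constructed sample program bytes")
	sig, _ := Sign(key, payload)
	fmt.Println("during lifetime:", Verify(cert, payload, sig, cert.NotBefore.AddDate(0, 6, 0)))
	fmt.Println("after expiry:   ", Verify(cert, payload, sig, cert.NotAfter.AddDate(1, 0, 0)))
}
```

Because Verify compares the signing time rather than the current time against the certificate's window, the first call succeeds even though the constructed certificate expired long ago, while the second is rejected; changing one byte of the payload fails the integrity check regardless of time.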
Who Can Apply for Certification?
Both individuals and commercial entities can obtain certification for their code. To learn about the application process and requirements, see Introduction to Code Signing at the Microsoft Authenticode™ Web site, http://msdn.microsoft.com/workshop/security/authcode/intro_authenticode.asp.
Macro viruses enter your documents when a document that contains one is opened and the macros are enabled. If, for example, a document arrives over the Internet from an unknown source and it contains macros, it could also contain a virus that would spread as soon as those macros are enabled. The virus can then spread from one document to another, and if you share an infected document with others it will spread to their documents. While some viruses can be pernicious and some merely annoying, they can be controlled and wiped out. To learn about macro security with Office 2000, download the Microsoft Office 2000 Macro Security White Paper at http://office.microsoft.com/downloads/2000/o2ksec.aspx.
Like viruses, worms replicate themselves. A computer worm is a program that is designed to copy itself from one computer to another over a network. For example, a worm may be created as an e-mail attachment that runs and automatically sends itself to other users when you open the attachment. Computer worms spread much more rapidly than computer viruses. Examples of worms are the Worm.Explore.Zip E-mail Virus and the ILOVEYOU virus. For additional information about the ILOVEYOU, Joke, Mother's Day, and Susitikim viruses, read Information on the VBS/Loveletter Virus at http://www.microsoft.com/technet/security/alerts/info/vbslvltr.mspx. The best defense against the spread of an e-mail worm is to (1) always use high-quality anti-virus scanning software and (2) delete any message containing a questionable attachment before the attachment is opened. If you are unsure whether an attachment is legitimate, contact the person who sent the message before opening it.
For further information about how you can avoid being affected by and spreading a computer worm if you are using Microsoft Outlook, read about the Outlook 2000 SR-1 E-mail Security Update at http://office.microsoft.com/Downloads/2000/Out2ksec.aspx or the Outlook 98 E-mail Security Update at http://office.microsoft.com/downloads/9798/Out98sec.aspx.
Educating Your Team on Security Issues
Each person on the team who works collaboratively on the Web, or who downloads information from the Web, needs to be aware of the dangers of downloading programs, ActiveX controls, or information from an unknown source. There are many places to go for help on security issues, both to learn about the many aspects of security and to find out which ones apply to you and your business situation.
In addition to those sites mentioned earlier, a good place to start is the Microsoft Security Advisor Web site, which gives basic information, information on security products, information on security features in Microsoft programs, reviews of books and new tools, and more.
The Microsoft Office 97 products contain security assistance and tools. For example, you can encrypt the body of an e-mail message; you can "protect" documents in Word so that the types of changes readers can make are restricted; you can limit access and changes to worksheets in Excel; and you can secure Access databases using passwords and user-level security. To find out how to enable these tools in the products, type "security" in the Office Assistant.