3 Threats to communication networks
3.1 How have network security measures developed over the past fifty years?
To start this section it is useful to reflect on the different obstacles that an intruder, intending to eavesdrop on a telephone conversation, might face today compared with fifty years ago, before electronic processing as we now know it. I shall consider an attack first between a home telephone and its local exchange (of the order of a mile or less), and then beyond the local exchange.
Eavesdropping on a telephone conversation has never been technically difficult. In particular, ‘tapping’ the wires of the target telephone in the local circuit would have been straightforward fifty years ago, provided that physical access could be gained to the wires. In many old films eavesdropping was carried out by an intruder in the basement of an apartment block or in a wiring cabinet in the street, using a basic set of equipment that included a pair of crocodile clips making a connection to some simple listening equipment. Today, in principle, a similar approach could still be successful over the last mile of the telephone distribution system. Much of the technology is still analogue, and signals can be detected by either direct contact with the twisted-pair wires or by sensing fields radiating from the transmissions. However, where ADSL (asymmetric digital subscriber line) or ISDN (integrated services digital network) services are provided, separating a telephone conversation from data traffic would need an ADSL modem or ISDN telephone and the knowledge to connect them correctly. This information is commonly available, so should not be a major obstacle in itself.
Beyond the local exchange, signals are combined (multiplexed) for carrying over transmission links, so to eavesdrop on a particular telephone message it must be ‘unpicked’ from other multiplexed messages. In the 1950s the multiplexing of analogue voice messages relied on the use of different frequency bands (frequency division multiplexing) within a link's available bandwidth, but today time division multiplexing is widely employed to accommodate a mix of digitised voice and data traffic. In digital networks, greater difficulty may be experienced in identifying or selecting individual channels. However, agencies with an interest in selecting potentially valuable information from a mass of traffic can identify key words that are spoken or written in data streams. Digital technology makes it much easier to search for and access data in a structured manner.
Another complication is the coding algorithms that are applied for a variety of purposes, but a determined intruder should not find it difficult to reverse these processes, given that many software tools are available from the internet. In fact, it is probably the wide availability of tools that can assist intrusion that makes modern networks susceptible, despite their use of increasingly sophisticated technology.
What fundamental security measures have been traditionally used in organisations such as banks or government departments, apart from those involving computer networks, and are they relevant to network security?
Banks have always needed secure areas such as vaults protected by security codes, locks and keys, and have been concerned with the authorisation and identification of staff empowered to carry out certain activities. The honesty of staff is an important issue and careful selection and screening procedures are needed. At the appointment stage references are usually requested and other checks made on potential employees, sometimes using ‘positive vetting’ procedures for sensitive appointments. In terms of day-to-day activities, a need-to-know policy might be followed to ensure that information is not needlessly disseminated within the organisation, and that sensitive paperwork such as drawings, reports and accounts is securely locked up to minimise risk.
Customers, too, could present security concerns. Banks need to assess security threats arising from customer interactions, and government departments involved in taxation and benefits will have similar concerns. The principles behind these issues have not diminished in importance in the electronic environment of today's business world, although many of the ‘locks’ and other countermeasures take a different form.