In parallel with the recent growth of the use of computer resources has been the growth in number and in sophistication of those untoward individuals seeking to impermissibly access and exploit such computer resources. Recent studies indicate that in 1995 one in five companies have suffered break-ins into their computer resources, 80% have hired information security officers, and 45% have determined that restricting access to computer resources is a critical problem.
The restriction of access to computer resources is made more difficult by the fact that many institutions such as businesses, schools, and universities find it useful and often necessary to allow remote access to their computer resources. Typically, such remote access allows a user to connect to an institution's computer resources through use of the public switched telephone network. For example, a salesperson "on the road" may find it necessary to communicate with the computer resources of the home office to obtain the most recent price list. Or, for example, a university student may be required to remotely register for classes through communication with the university's computer resources. Typically, a user, such as the salesperson or university student, who wishes to access such computer resources does so in the same general fashion as if the user were making a telephone call. In fact, a communication from a device through the public switched telephone network that seeks to access computer resources is treated very much like a conventional telephone call. Of course, rather than voice communications, data is exchanged between the device (such as a computer) used by the user (calling party) and the device that houses the computer resources of the host (called party).
Allowing for remote access to computer resources increases the difficulty in restricting access to such computer resources. The difficulty increases because remote access does not allow for any direct control or inspections of the user as could be provided with on-site access. For example, the salesperson may be allowed to access the company's computer resources only through a designated computer, such as the computer in the boss's office. Or, for example, a university student may be required to show a photographic identification card to a security guard before the student is allowed to use a computer on-site in the university's computer laboratory to register for classes. With remote access to computer resources and without any security restrictions, practically any person with a minimum amount of information may use a modem and computer to dial-in to a computer resource.
It was quickly recognized by hosts that their computer resources needed guarding and that access restrictions to the computer resources, especially remote communication access restrictions, had to be put into place. Early, it was recognized by telecommunication service providers and hosts that the access restriction service offered by service providers could be used as a system to restrict communication access to computer resources. Access restriction services may include services such as call blocking. An access restriction service allows a subscriber to specify the calling party number(s) (CgPNs) from which the subscriber will accept communications. The list of CgPNs is usually maintained in a database managed at an advanced intelligent network element such as a service control point (SCP) within the public switched telephone network. Every communication over the switched telephone network is evaluated for determination as to whether the called party number (CdPN) is associated with a subscriber to the access restriction service and, if so, whether that particular CgPN is allowed access to the subscriber's line. If the CdPN is associated with a subscriber to the service, and if the CgPN is listed in the database, the communication is terminated to the device associated with the CdPN of the subscriber. If the CgPN is not authorized to access the device associated with the CdPN, the communication is generally disconnected.
For certain applications, the access restriction service provides an adequate measure of security. For many others, though, this access restriction service is inadequate. The inadequacy of the service has given rise to the development and implementation of additional or other security systems with respect to restricting access to computer resources. One such security system for communication access restriction is a code system such as a personal identification number (PIN) or password system. In a PIN system, a host's computer includes or is associated with a database that includes entries of PINs corresponding to authorized users of the guarded computer resources. To remotely access a computer resource with a PIN system, a user places a call to the computer resource. The call is "answered" by the computer resource (or affiliated device). The user then is requested or prompted to input a PIN. If the PIN matches an entry in the authorized PIN database, then the user is provided with access to the computer resource. If the PIN does not match, then the computer resource "hangs up" on the user. In other words, the computer resource disconnects itself from the completed communication by which the user was attempting to remotely access the computer resources.
Another type of security system that is in use is a caller-identification (Caller-Id) system. In this system, a user calls a CdPN associated with the host and the calling line number (CgPN) that is being used for the communication is collected by the host's device or some other device. This CgPN is compared to entries in a database. If the CgPN matches an entry in the authorized database, then the user is provided with access to the computer resource. If the CgPN does not match, then the computer resource "hangs up" on the user. In other words, the computer resource disconnects itself from the completed communication through which the user was attempting to remotely access the computer resource.
Yet another type of security system that is in use is a call-back or response system. In a call-back system, a user calls a CdPN associated with the host and the host's device collects certain information with respect to the user. A piece of information that may be collected is the CgPN. The call-back system then disconnects itself from the communication. As its name implies, the call-back system may return the call to the user based upon the information that was collected or previously stored, that was compared to database entries and query responses, and that resulted in a telephone number that is used by the call-back system to place the return call. This number may be preselected or may be the CgPN. If the information does not match or check out, the system does not return the call.
In addition to the above described systems, there are other security systems for restricting access to a subscriber's resources. These other systems include voice or fingerprint authentication as part of the restrictions to assure that only authorized users access a subscriber's resources.
All of these security systems have limitations. Most notably, the use of a PIN, CgPN or CdPN to restrict communication access to computer resources is ineffective against so-called "hackers". A hacker may possess and implement any number of methods or devices for discovering an authorized PIN, CgPN or CdPN and for improperly gaining access to computer resources.
Additionally, as noted, in the above described systems except the call block service, the communication from the hacker is "answered" by the computer resource or associated device. This "answer" takes place whether or not the communication is an authorized communication or placed by an authorized user. In other words, before the authority of the calling party has been determined, the communication has been connected over the subscriber's line to a device associated with the subscriber's resources. Thus, the hacker is, at the time of receipt of the communication by the computer resource, already on the "doorstep" of the computer resource. An unauthorized communication is able to access the periphery of the very resource from which the communication is to be shielded even before the communication can be identified as unauthorized. This access to the "doorstep" of the computer resource increases the possibility of unauthorized access to the computer resource. It may not take much effort for the hacker to push the door open.
As noted above, these referenced security systems may pose few obstacles to a hacker. But, on the other hand, these security systems may pose significant obstacles to authorized users. Generally, these obstacles take the form of inconvenience and inefficiency. For example, the PIN, CgPN or CdPN of an authorized user may not be entered in the authorized user database. As another example, it may take an inordinate amount of time to accomplish entry and query of an authorized user's relevant information in a database. A salesperson may call into the home office's computer resource. In response to a prompt, the salesperson enters his/her PIN, but the PIN is rejected. The salesperson is frustrated in his/her efforts to access the computer resource. Valuable time, effort and money are wasted. Further, to avoid wasting time and money, the salesperson may take steps to remove or circumvent the security restrictions, thereby making it easier for unauthorized users to access the computer resources.
A further limitation of these referenced systems is that they tie up telecommunication resources that may be put to other uses. These referenced systems may also inordinately delay processing of the communication placed by the user and those communications placed by others. For example, if a host uses a caller identification system to screen customers who call for access to computer resources, the caller identification system generally requires a customer to wait for two rings until the caller identification is transmitted. During this time and during the transmission time of the caller identification, the telecommunication lines and the host's device are tied up in order to perform the caller identification screen. This processing takes about fifteen seconds per call. For a host with a lot of calls to its computer resources, fifteen seconds multiplied by a lot of calls adds up to a lot of time lost and to a lot of equipment being tied up.
In addition to these operational limitations, security systems such as the PIN and other systems are costly. The high cost of such systems derives from several factors. One such factor is the high cost of equipment necessary to implement such a system. An entity desiring to avail itself of the protection afforded by one of these systems must purchase equipment capable of some or all of the following steps: detecting and answering an incoming communication; putting the communication on hold; prompting the calling party (user) to enter a PIN (or other information); comparing the input by the calling party to the authorized entries maintained in a functionally connected database; and then either connecting or disconnecting the communication depending on the results of the comparison. These functions may be performed by a device known to those knowledgeable in the art as a communications access server. Such devices are available, though at a cost of tens of thousands of dollars.
A communications access server generally requires both database management and equipment maintenance. Therefore, an entity that desires to acquire and operate any of the referenced systems must also allocate employees to be trained on both operation and maintenance requirements. Many companies, particularly small and medium-sized ones, are unable to afford (or simply want to avoid) such an outlay of capital expense and valuable employee resources. To many of these companies, unknown and unquantifiable future losses resultant from unauthorized access to computer resources are preferable to large, quantifiable outlays of financial and employee resources. Smaller companies have truly been hooked on the horns of a distressing dilemma.
Within the past several years, security-related problems with communication access restriction have been addressed by the development and commercial availability of many products, one of which is a product known as the ACE/Server system by Security Dynamics Technologies, Inc., Cambridge, Mass. Generally, the ACE/Server system is a system for the electronic generation and comparison of non-predictable codes and for the comparison of PINs for the purpose of identification of authorized users. The ACE/Server system is operated in conjunction with a "token" such as that which is available commercially under the trademark SecurID®, also from Security Dynamics Technologies, Inc. A "token" is a device which is usually portable and/or personal, but is not limited to being either. A token stores machine and/or visually readable data which is usually secret. Examples of tokens include a credit card, a smart card, a photooptical data storage card, a floppy disk, touch-memory button, data key, processor memory component (i.e., RAM, ROM, electronically alterable memory), other data-containing electronic component, other data-containing IC chip, or the like. A token is also referred to as a token card. In the ACE/Server system, the SecurID® token generates a six digit passcode that changes every sixty seconds to another, randomly selected, nonpredictable six digit passcode. Although a passcode in the described ACE/Server system comprises six digits, the term "passcode" as used herein should not be so limited. Rather, the term "passcode" is used herein to denote any password, secret code, PIN, prose phrase, alpha-numeric code, or other code which may be stored and/or displayed on a token, which may be stored and/or displayed at an authentication unit, and which may be used as part of an authentication system to verify a calling party as an authorized user of a subscriber's resources.
Both the timing of the change in the passcode and the passcode itself are synchronized with the access control module (ACM) of the ACE/Server system so that, at any given moment, for any given authorized user, the passcode momentarily reflected on the SecurID® token is recognized by the ACE/Server, at that corresponding moment, as the correct passcode for that particular authorized user. The ACE/Server also stores authorized PINs and compares received PINs for access authorization. A PIN may be incorporated as part of the passcode that is transmitted by the user of the token. The ACE/Server includes information to decode the PIN from the passcode and/or other information that is transmitted from the user as a result of attempts at establishing access with the subscriber's resources through the use of a token. A token that uses an embedded combination of the user's PIN and a passcode is sometimes referred to as a "PINPAD card".
To explain the general operation of the ACE/Server system, assume that the home office of the above-mentioned salesperson is equipped with an ACE/Server system in order to protect the home office's computer resources. In particular, the ACE/Server system (by hardware or software implementation) is connected to the home office's computer resources such that the ACE/Server system may be used to screen access to the computer resources. The ACM of the ACE/Server system may reside at a host, operating system, or network/client resource of communications device. The salesperson is provided with a SecurID® token and a PIN that the salesperson memorizes. Alternatively, the PIN may be incorporated as part of the passcode generated by the token. To remotely access the computer resources of the home office, the salesperson dials the appropriate CdPN of the home office. The call is answered at the home office. In response to prompts provided by the ACE/Server system, the salesperson enters his/her PIN and also enters the passcode that appears on the face of the SecurID® token. The ACE/Server system checks whether the PIN is an authorized PIN, and checks whether the passcode corresponds to the appropriate passcode as maintained in synchronicity by the ACE/Server. If the checks are positive, then the ACE/Server allows the salesperson to access the computer resources. If either of the checks is negative, then the ACE/Server hangs up on the salesperson.
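The two checks described above (an authorized PIN plus a passcode that changes every sixty seconds in step with the server) can be sketched as follows. This is an added example, not code from the ACE/Server product or from the cited patents: HMAC-SHA256 over the interval counter stands in for the token's own generator, which the text does not describe, and the class name, the one-interval clock-drift tolerance and the replay guard are assumptions introduced for illustration.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60  # passcode changes every sixty seconds (from the text)
DIGITS = 6         # six digit passcode (from the text)


def passcode_at(seed: bytes, unix_time: int) -> str:
    """Passcode for the 60-second interval containing unix_time.

    Assumption: HMAC-SHA256 over the interval counter stands in for the
    token's own generator, which the text does not describe.
    """
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    value = int.from_bytes(digest[:8], "big") % 10 ** DIGITS
    return f"{value:0{DIGITS}d}"


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Store a salted, stretched hash rather than the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class AccessControlModule:
    """Hypothetical server-side check: PIN and synchronized passcode."""

    def __init__(self, drift_steps: int = 1):
        self.users = {}         # user -> (salt, pin_hash, seed)
        self.last_counter = {}  # user -> last accepted interval
        self.drift_steps = drift_steps  # assumed clock-drift tolerance

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _pin_hash(pin, salt), seed)

    def check(self, user: str, pin: str, passcode: str, now: int) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        salt, pin_hash, seed = record
        pin_ok = hmac.compare_digest(_pin_hash(pin, salt), pin_hash)
        matched = None
        # Try every interval in the drift window; no early exit on a match.
        for offset in range(-self.drift_steps, self.drift_steps + 1):
            t = now + offset * STEP_SECONDS
            expected = passcode_at(seed, t)
            if hmac.compare_digest(expected.encode(), passcode.encode()):
                matched = t // STEP_SECONDS
        if not pin_ok or matched is None:
            return False  # either check negative: refuse access
        if matched <= self.last_counter.get(user, -1):
            return False  # assumed replay guard: interval already used
        self.last_counter[user] = matched
        return True
```

Both checks run only after the call has been answered at the host, which is the "doorstep" limitation the surrounding text attributes to host-side systems.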
Further information describing the general operating features of the ACE/Server system including the SecurID® token are available in the brochures entitled: "ACE/Server: Undefeatable Security for Enterprise Network Environments", Security Dynamic Technologies, Inc., ©1995 Security Dynamics Technologies, Inc. 102 15M Nov. 10, 1995; and "Securing the Information Age. Minute by Minute", Security Dynamic Technologies, Inc., ©1996 Security Dynamics Technologies, Inc. 101 SM Feb. 16, 1996. These brochures are incorporated by reference herein, and can otherwise be obtained from Security Dynamics Technologies, Inc., One Alewife Center, Cambridge, Mass. 02140. Both the ACE/Server system and SecurID token are discussed in further detail in the U.S. Pat. No. 5,168,520 to Weiss, which patent is also incorporated herein by reference. Other security systems that make use of a passcode generated by a token are referenced or described in the following patents, which are also incorporated herein by reference: Weiss, U.S. Pat. No. 5,485,519; Weiss, U.S. Pat. No. 4,720,860; and Weiss et al., U.S. Pat. No. 5,361,062.
When the ACE/Server system and SecurID® token are implemented interactively, they provide a defensive perimeter immediately around computer resources equipped with the ACE/Server system. Nonetheless, the ACE/Server system includes many of the same limitations of the other communication access restriction systems. As with the other systems, a communication to a computer resource that uses the ACE/Server system is "answered" by the computer resource or affiliated device. Thus, the calling party is, as early as the time of receipt of the communication, already on the "doorstep" of the computer resource. As noted, it may not take much effort for the calling party to push the door open. An additional limitation of the ACE/Server system is that it may pose the same types of obstacles to authorized users as do other referenced systems.
And a further limitation of the ACE/Server system is that it is costly in that it requires the purchase, installation and maintenance of appropriate hardware and software. It also requires the time and effort of individuals to learn how to use the ACE/Server system at the home office and "on the road", and to learn how to maintain and update the ACE/Server system as necessary for its efficient and economical use in the protection of computer resources. In particular, for a subscriber to upgrade the level of security of computer resources by adding a security server such as the ACE/Server or similar server, any or all of the following steps and costs may be involved: adding a computer; selecting and purchasing a dial-back security server software/hardware package; purchasing SecurID® (or similar) tokens; learning how to use the new security server application; distributing software that works with the new security server; training users to use the new security server; utilizing part of a computer resource to support and maintain the new server; adding modems to the communications server designating them as dial-out only modems; and upgrading software to support the additional modems.
The foregoing discussion of the problems associated with security issues relating to remote communication access to computer resources has been focused on the need to guard such computer resources against exploitation and misuse. However, another issue with respect to remote communication access to computer resources is the maximization of a host's resources or equipment such that the host may better serve authorized users. In other words, a host may be deluged with calling parties who attempt to access the host's computer resources. Only some of this deluge may be authorized users. The host is burdened with the task of separating the wheat from the chaff in its process of determining the identity of authorized users and of providing them with access. The host generally carries this burden by purchasing, using and maintaining specialized equipment or by dedicating part of its computer resources to the process of screening authorized users. Either of these solutions cuts into the number and function of the resources that the host may bring to bear in serving users. Further, a host may have to employ additional employees to set up, maintain and run a security service with respect to the restriction of access to computer resources to only authorized users.
Accordingly, with respect to telecommunication service systems, there is a need for a system which provides greater security of computer resources. Such a system would be available at an affordable cost to those who desire such protection. For instance, there is a need for a system which eliminates the requirement for the host to purchase, operate and maintain costly security devices.
There is an additional need for a system which provides greater security of computer resources by determining whether an incoming communication is authorized to access those computer resources before accepting the attempted communication into the periphery of those computer resources at the host site.
There is yet a further need for a system which maximizes a subscriber's computer and other resources in the service of authorized users rather than in the screening of authorized users.