Information security is the intentional process of protecting stored information from unauthorized viewing or use. Proper information security procedures protect the following properties of information stores or sources:
- Availability: authorized users are able to access the information when they need it.
- Confidentiality: unauthorized users can not gain access to the information.
- Integrity: the information is not altered or destroyed in an unauthorized manner.
Proper information security involves all of the following considerations:
- Environment controls: Physical protection of information stores from intruders, natural disasters, etc.
- Interface controls: Limiting the means of connecting to the computer network and its data stores to known, guarded pathways
- Authentication controls: Identifying users attempting to gain access to information. There are three major methods.
- Tokens: The user possesses a physical object that identifies him or her to the system.
- Passwords: The user knows a secret word or phrase for identification.
- Biometrics: The system recognizes a physical attribute of the user, such as a fingerprint.
- Authorization controls: Verifying that users have the appropriate permission before granting access
Information security in Star Trek
Federation starships store virtually all information in a central computer system. This system relies primarily on voice-recognition (a biometric method) to authenticate users, although users may also set personal passwords to further control access to sensitive data or computer functions.
The Federation has repeatedly demonstrated unreliable information security protocols.
- In TNG "The Hunted", for example, Roga Danar was able to disable a security force field by disabling one of the ship's security personnel and using the guard's communicator (a security token) to order the computer to drop the force field. Roga Danar was also able to access consoles in the ship's engineering section to reroute power to transporters and to determine where to plant a bomb to disable the Enterprise-D's sensor network, even though he lacked legitimate user credentials.
- The Enterprise's computer has downloaded and executed untrusted code on multiple occasions (examples: TNG "Contagion" and TNG "Masks").
- In TNG "Brothers", Commander Data was able to seize control of all of the Enterprise's command functions by mimicking the voice of Captain Picard.
- In TNG "Conundrum", an alien Satarran was able to alter the content of the ship's database to mislead the crew into attacking the Lysians.
- Federation starships are known to allow remote access to their command functions via a prefix code that can be transmitted from other starships, and remote commands can actually override orders issued from the target starship's bridge. Why the Federation would include such a dangerous feature in their warships is unclear.
Collectively, these failures indicate poor interface controls and inadequate authentication controls. The Federation's authorization controls have generally been successful.
Many of the Federation's neighbors have similarly shown incompetent security measures.
- In Star Trek: Nemesis, Data is able to try several different codes on a secured door on the Scimitar and it allows him to continue trying codes, no matter how many wrong ones he enters. On most real life security systems, Data would have been locked out of the system after the third wrong attempt.
- In TNG "Sins of the Fathers" Geordi accidentally breaks into the Klingon government security network in minutes.
- In TNG "Unification pt 2" Spock is able to perform a similar feat with the Romulan security network. Data is also able to piggy-back signals to the Enterprise on Romulan signals.
Information security in Star Wars
The access protocols for Republic and Imperial computers are not clear, but their primary weakness seems to be inadequate authorization controls for low priority systems.
- The astromech droid R2-D2 was granted access to the Death Star's computer network without legitimate credentials, but he was denied access to some information. For instance, he could remotely deactivate the station's garbage compactors, but he could not remotely cut the power to the station's tractor beams (although he could determine where to disable them manually).
- Similarly, R2-D2 was able to determine that Leia Organa was a prisoner on the station and where she was being held, but he could not locate an exit from her cell block other than the main entrance, and he admitted that much of the information he sought was restricted.
Taken together, these incidents indicate that Imperial networks have "guest" accounts that provide unnecessary access to some systems, and a proficient hacker can exploit these accounts.
It may be worth noting that R2-D2 has been allowed to operate for decades without a memory erasure. This may have allowed the droid to accumulate an exceptionally large store of cracking tools and techniques, something that his various owners (Padmé Amidala, Anakin Skywalker, Bail Organa, Leia Organa, and Luke Skywalker) have probably encouraged.
However, some of R2-D2's computer "hacks" may not be indications of poor security measures. Shutting down dangerous machinery, like garbage compactors and droid assembly lines, might have minimal authorization requirements by design, allowing any worker to shut down the system in the event of a safety issue. Also, it is fairly conclusive that Darth Vader wanted Leia to be rescued in order to learn the location of the rebel base. As such, much of the information R2 obtained from the Death Star computer may have been deliberately left unprotected for him to discover with relative ease.
The nature of Star Wars computer networks may also change the nature of computer "hacking". Central computers, like droids, seem to be AI's, so obtaining access or information from them may be more like social engineering than actual "hacking". The computer system of Cloud City, for example, volunteered information about the state of the Millennium Falcon's hyperdrive to R2-D2.